archive-gh-me/laf
1
0
Fork 0
mirror of https://github.com/labring/laf.git synced 2026-02-01 16:57:03 +00:00
Code Issues Projects Releases Wiki Activity

deploy: add apisix chart;

Browse Source
This commit is contained in:
maslow 2022-11-16 01:28:24 +08:00 committed by Maslow
parent f84124df8f
commit 6128ad1be7
91 changed files with 11585 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
deploy/charts/apisix/.helmignore Normal file
View File

@ -0,0 +1,20 @@
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*.orig
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/

12
deploy/charts/apisix/Chart.lock Normal file
View File

@ -0,0 +1,12 @@
dependencies:
- name: etcd
repository: https://charts.bitnami.com/bitnami
version: 8.3.4
- name: apisix-dashboard
repository: https://charts.apiseven.com
version: 0.6.1
- name: apisix-ingress-controller
repository: https://charts.apiseven.com
version: 0.10.1
digest: sha256:32791ba5c895ce7864bae161f6e71970c1b017174337e0c5e7d3754f7958889b
generated: "2022-11-08T13:24:13.766319+08:00"

28
deploy/charts/apisix/Chart.yaml Normal file
View File

@ -0,0 +1,28 @@
annotations:
artifacthub.io/prerelease: "false"
apiVersion: v2
appVersion: 2.15.0
dependencies:
- condition: etcd.enabled
name: etcd
repository: https://charts.bitnami.com/bitnami
version: 8.3.4
- alias: dashboard
condition: dashboard.enabled
name: apisix-dashboard
repository: https://charts.apiseven.com
version: 0.6.1
- alias: ingress-controller
condition: ingress-controller.enabled
name: apisix-ingress-controller
repository: https://charts.apiseven.com
version: 0.10.1
description: A Helm chart for Apache APISIX
icon: https://apache.org/logos/res/apisix/apisix.png
maintainers:
- name: tao12345666333
name: apisix
sources:
- https://github.com/apache/apisix-helm-chart
type: application
version: 0.11.2

289
deploy/charts/apisix/README.md Normal file
View File

@ -0,0 +1,289 @@
## Apache APISIX for Kubernetes
Apache APISIX is a dynamic, real-time, high-performance API gateway.
APISIX provides rich traffic management features such as load balancing, dynamic upstream, canary release, circuit breaking, authentication, observability, and more.
You can use Apache APISIX to handle traditional north-south traffic, as well as east-west traffic between services. It can also be used as a [k8s ingress controller](https://github.com/apache/apisix-ingress-controller/).
This chart bootstraps all the components needed to run Apache APISIX on a Kubernetes Cluster using [Helm](https://helm.sh).
## Prerequisites
* Kubernetes v1.14+
* Helm v3+
## Install
To install the chart with the release name `my-apisix`:
```sh
helm repo add apisix https://charts.apiseven.com
helm repo update
helm install [RELEASE_NAME] apisix/apisix --namespace ingress-apisix --create-namespace
```
## Uninstall
To uninstall/delete a Helm release `my-apisix`:
```sh
helm delete [RELEASE_NAME] --namespace ingress-apisix
```
The command removes all the Kubernetes components associated with the chart and deletes the release.
## Parameters
The following tables lists the configurable parameters of the apisix chart and their default values per section/component:
### Global parameters
| Parameter | Description | Default |
|---------------------------|-------------------------------------------------|---------------------------------------------------------|
| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` (does not add image pull secrets to deployed pods) |
### apisix parameters
| Parameter | Description | Default |
|---------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------|
| `apisix.enabled` | Enable or disable Apache APISIX itself | `true` |
| `apisix.enableIPv6` | Enable nginx IPv6 resolver | `true` |
| `apisix.hostNetwork` | Use the host's network namespace | `false` |
| `apisix.enableCustomizedConfig` | Enable full customized `config.yaml` | `false` |
| `apisix.customizedConfig` | If `apisix.enableCustomizedConfig` is true, full customized `config.yaml`. Please note that other settings about APISIX config will be ignored | `{}` |
| `apisix.image.repository` | Apache APISIX image repository | `apache/apisix` |
| `apisix.image.tag` | Apache APISIX image tag | `{TAG_NAME}` (the latest Apache APISIX image tag) |
| `apisix.image.pullPolicy` | Apache APISIX image pull policy | `IfNotPresent` |
| `apisix.kind` | Apache APISIX kind use a `DaemonSet` or `Deployment` | `Deployment` |
| `apisix.replicaCount` | Apache APISIX deploy replica count,kind is DaemonSet,replicaCount not become effective | `1` |
| `apisix.podAnnotations` | Annotations to add to each pod | `{}` |
| `apisix.priorityClassName` | Set [priorityClassName](https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/#pod-priority) for Apache APISIX pods | `""` |
| `apisix.podSecurityContext` | Set the securityContext for Apache APISIX pods | `{}` |
| `apisix.securityContext` | Set the securityContext for Apache APISIX container | `{}` |
| `apisix.podDisruptionBudget.enabled` | Enable or disable podDisruptionBudget | `false` |
| `apisix.podDisruptionBudget.minAvailable` | Set the `minAvailable` of podDisruptionBudget. You can specify only one of `maxUnavailable` and `minAvailable` in a single PodDisruptionBudget. See [Specifying a Disruption Budget for your Application](https://kubernetes.io/docs/tasks/run-application/configure-pdb/#specifying-a-poddisruptionbudget) for more details | `Not set` |
| `apisix.podDisruptionBudget.maxUnavailable` | Set the maxUnavailable of podDisruptionBudget | `1` |
| `apisix.resources` | Set pod resource requests & limits | `{}` |
| `apisix.nodeSelector` | Node labels for Apache APISIX pod assignment | `{}` |
| `apisix.tolerations` | List of node taints to tolerate | `{}` |
| `apisix.affinity` | Set affinity for Apache APISIX deploy | `{}` |
| `apisix.setIDFromPodUID` | Whether to use the Pod UID as the APISIX instance id, see [apache/apisix#5417](https://github.com/apache/apisix/issues/5417) to decide whether you should enable this setting) | `false` |
| `apisix.enableServerTokens` | Set the `enable_server_tokens` (Whether the APISIX version number should be shown in Server header) | `Not Set` |
| `apisix.customLuaSharedDicts` | Add custom [lua_shared_dict](https://github.com/openresty/lua-nginx-module#toc88) settings, click [here](https://github.com/apache/apisix-helm-chart/blob/master/charts/apisix/values.yaml#L27-L30) to learn the format of a shared dict | `[]` |
| `apisix.pluginAttrs` | Set APISIX plugin attributes, see [config-default.yaml](https://github.com/apache/apisix/blob/master/conf/config-default.yaml#L376) for more details | `{}` |
| `apisix.luaModuleHook.enabled` | Whether to add a custom lua module | `false` |
| `apisix.luaModuleHook.luaPath` | Configure `LUA_PATH` so that your own lua module codes can be located | `""` |
| `apisix.luaModuleHook.hookPoint` | The entrypoint of your lua module, use Lua require syntax, like `"module.say_hello"` | `""` |
| `apisix.luaModuleHook.configMapRef.name` | Name of the ConfigMap where the lua module codes store | "" |
| `apisix.luaModuleHook.configMapRef.mounts[].key` | Name of the ConfigMap key, for setting the mapping relationship between ConfigMap key and the lua module code path. | `""` |
| `apisix.luaModuleHook.configMapRef.mounts[].path` | Filepath of the plugin code, for setting the mapping relationship between ConfigMap key and the lua module code path. | `""` |
| `apisix.httpRouter` | HTTP routing strategy. See [APISIX Router](https://apisix.apache.org/docs/apisix/terminology/router/) for the detail. | `[]` |
| `extraVolumes` | Additional `volume`, See [Kubernetes Volumes](https://kubernetes.io/docs/concepts/storage/volumes/) for the detail. | `[]` |
| `extraVolumeMounts` | Additional `volumeMounts`, See [Kubernetes Volumes](https://kubernetes.io/docs/concepts/storage/volumes/) for the detail. | `[]` |
| `extraInitContainers` | Additional `initContainers`, See [Kubernetes initContainers](https://kubernetes.io/docs/concepts/workloads/pods/init-containers/) for the detail. | `[]` |
### gateway parameters
Apache APISIX service parameters, this determines how users can access itself.
| Parameter | Description | Default |
|---------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------|
| `gateway.type` | Apache APISIX service type for user access itself | `NodePort` |
| `gateway.externalTrafficPolicy` | Setting how the Service route external traffic | `Cluster` |
| `gateway.http` | Apache APISIX service settings for http | |
| `gateway.tls` | Apache APISIX service settings for tls | |
| `gateway.tls.existingCASecret` | Specifies the name of Secret contains trusted CA certificates in the PEM format used to verify the certificate when APISIX needs to do SSL/TLS handshaking with external services (e.g. etcd) | `""` |
| `gateway.tls.certCAFilename` | Filename be used in the `gateway.tls.existingCASecret` | `""` |
| `gateway.tls.sslProtocols` | TLS protocols allowed to use. | `"TLSv1.2 TLSv1.3"` |
| `gateway.stream` | Apache APISIX service settings for stream | |
| `gateway.ingress` | Using ingress access Apache APISIX service | |
| `gateway.ingress.annotations` | Ingress annotations | `[]` |
| `gateway.ingress.className` | `ingressClassName` replaces `annotations kubernetes.io/ingress.class`, required Kubernetes `>=1.18` | |
### admin parameters
| Parameter | Description | Default |
|----------------------------|----------------------------------------------------------------------------------|---------------------------------------------------------|
| `admin.enabled` | Enable or disable Apache APISIX admin API | `true` |
| `admin.port` | which port to use for Apache APISIX admin API | `9180` |
| `admin.servicePort` | Service port to use for Apache APISIX admin API | `9180` |
| `admin.type` | Apache APISIX admin API service type | `ClusterIP` |
| `admin.externalIPs` | IPs for which nodes in the cluster will also accept traffic for the servic | `[]` |
| `admin.cors` | Apache APISIX admin API support CORS response headers | `true` |
| `admin.credentials.admin` | Apache APISIX admin API admin role credentials | `edd1c9f034335f136f87ad84b625c8f1` |
| `admin.credentials.viewer` | Apache APISIX admin API viewer role credentials | `4054f7cf07e344346cd3f287985e76a2` |
| `admin.allow.ipList` | The client IP CIDR allowed to access Apache APISIX Admin API service | `["127.0.0.1/24"]` |
### custom configuration snippet parameters
| Parameter | Description | Default |
|----------------------------------|----------------------------------------------------------------------------------------------------|---------|
| `configurationSnippet.main` | Add custom Nginx configuration (main block) to nginx.conf | `{}` |
| `configurationSnippet.httpStart` | Add custom Nginx configuration (http block) to nginx.conf | `{}` |
| `configurationSnippet.httpEnd` | Add custom Nginx configuration (http block) to nginx.conf, will be put at the bottom of http block | `{}` |
| `configurationSnippet.httpSrv` | Add custom Nginx configuration (server block) to nginx.conf | `{}` |
| `configurationSnippet.httpAdmin` | Add custom Nginx configuration (Admin API server block) to nginx.conf | `{}` |
| `configurationSnippet.stream` | Add custom Nginx configuration (stream block) to nginx.conf | `{}` |
### etcd parameters
| Parameter | Description | Default |
|---------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------|
| `etcd.enabled` | use built-in etcd | `true` |
| `etcd.host` | if `etcd.enabled` is false, use external etcd, support multiple address, if your etcd cluster enables TLS, please use https scheme, e.g. https://127.0.0.1:2379. | `["http://etcd.host:2379"]` |
| `etcd.prefix` | apisix configurations prefix | `/apisix` |
| `etcd.timeout` | Set the timeout value in seconds for subsequent socket operations from apisix to etcd cluster | `30` |
| `etcd.auth.rbac.create` | Switch to enable RBAC authentication | `false` |
| `etcd.auth.rbac.user` | root username for etcd | `""` |
| `etcd.auth.rbac.password` | root password for etcd | `""` |
| `etcd.auth.tls.enabled` | enable etcd client certificate | `false` |
| `etcd.auth.tls.existingSecret` | name of the secret contains etcd client cert | `""` |
| `etcd.auth.tls.certFilename` | etcd client cert filename using in `etcd.auth.tls.existingSecret` | `""` |
| `etcd.auth.tls.certKeyFilename` | etcd client cert key filename using in `etcd.auth.tls.existingSecret` | `""` |
| `etcd.auth.tls.verify` | whether to verify the etcd endpoint certificate when setup a TLS connection to etcd | `true` |
| `etcd.auth.tls.sni` | specify the TLS [Server Name Indication](https://en.wikipedia.org/wiki/Server_Name_Indication) extension, the ETCD endpoint hostname will be used when this setting is unset. | `""` |
If etcd.enabled is true, set more values of bitnami/etcd helm chart use etcd as prefix.
### plugins and stream_plugins parameters
Default enabled plugins. See [configmap template](https://github.com/apache/apisix-helm-chart/blob/master/charts/apisix/templates/configmap.yaml) for details.
### external plugin parameters
| Parameter | Description | Default |
|---------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------|
| `extPlugin.enabled` | Enable External Plugins. See [external plugin](https://apisix.apache.org/docs/apisix/next/external-plugin/) | `false` |
| `extPlugin.cmd` | the command and its arguements to run as a subprocess | `{}` |
### wasm plugin parameters
| Parameter | Description | Default |
|---------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------|
| `wasmPlugins.enabled` | Enable Wasm Plugins. See [wasm plugin](https://apisix.apache.org/docs/apisix/next/wasm/) | `false` |
| `wasmPlugins.plugins[].name` | Set wasm plugin name | `""` |
| `wasmPlugins.plugins[].priority` | Set wasm plugin priority | `7999` |
| `wasmPlugins.plugins[].file` | Set path to wasm plugin | `""` |
| `wasmPlugins.plugins[].http_request_phase` | Set which http request phase for the plugin to run in | `access` |
Note:
- the easiest way to include your wasm custom plugin is to rebuild the apisix image with those custom plugins included within the directory you define and later on gets referenced to `wasmPlugins.plugins[].file`
- otherwise you could use `extraVolumes` and `extraVolumeMounts` option to include your plugin by creating your plugin via `ConfigMap` and mount it to apisix pod like example below
```
#... more options omitted ...
ingress-controller:
enabled: true
dashboard:
enabled: true
# assuming you install apisix in `apisix` namespace,
# create the plugin by this command and had the wasm plugin
# kubectl create configmap --namespace apisix --from-file=./wasm_plugin_x.wasm wasm-plugin-x
# Note: there are also size limitation on `ConfigMap`
# these options are kubernetes
# Volume and VolumeMount api objects
extraVolumes:
- name: wasm-plugin-x
configMap:
name: wasm-plugin-x
items:
- key: wasm_plugin_x.wasm
path: wasm_plugin_x.wasm
extraVolumeMounts:
- name: wasm-plugin-x
mountPath: /var/local/wasm-plugins/ # later on reference to `wasmPlugins.plugins[].file` as its value
readOnly: true
#... more options omitted ...
```
### custom plugin parameters
| Parameter | Description | Default |
|---------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------|
| `apisix.customPlugins.enabled` | Whether to configure some custom plugins | `false` |
| `apisix.customPlugins.luaPath` | Configure `LUA_PATH` so that custom plugin codes can be located | `""` |
| `apisix.customPlugins.plugins[].name` | Custom plugin name | `""` |
| `apisix.customPlugins.plugins[].attrs` | Custom plugin attributes | `{}` |
| `apisix.customPlugins.plugins[].configMap.name` | Name of the ConfigMap where the plugin codes store | `""` |
| `apisix.customPlugins.plugins[].configMap.mounts[].key` | Name of the ConfigMap key, for setting the mapping relationship between ConfigMap key and the plugin code path. | `""` |
| `apisix.customPlugins.plugins[].configMap.mounts[].path` | Filepath of the plugin code, for setting the mapping relationship between ConfigMap key and the plugin code path. | `""` |
### discovery parameters
| Parameter | Description | Default |
|---------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------|
| `discovery.enabled` | Enable or disable Apache APISIX integration service discovery | `false` |
| `discovery.registry` | Registry is the same to the one in APISIX [config-default.yaml](https://github.com/apache/apisix/blob/master/conf/config-default.yaml#L281), and refer to such file for more setting details. also refer to [this documentation for integration service discovery](https://apisix.apache.org/docs/apisix/discovery) | nil |
If you have enabled this feature, here is an example:
```yaml
discovery:
enabled: true
registry:
eureka:
host:
- "http://${username}:${password}@${eureka_host1}:${eureka_port1}"
- "http://${username}:${password}@${eureka_host2}:${eureka_port2}"
prefix: "/eureka/"
fetch_interval: 30
weight: 100
timeout:
connect: 2000
send: 2000
read: 5000
```
### logs parameters
| Parameter | Description | Default |
|---------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------|
| `logs.enableAccessLog` | Enable access log or not, default true | `true` |
| `logs.accessLog` | Access log path | `/dev/stdout` |
| `logs.accessLogFormat` | Access log format | `$remote_addr - $remote_user [$time_local] $http_host \"$request\" $status $body_bytes_sent $request_time \"$http_referer\" \"$http_user_agent\" $upstream_addr $upstream_status $upstream_response_time \"$upstream_scheme://$upstream_host$upstream_uri\"` |
| `logs.accessLogFormatEscape` | Allows setting json or default characters escaping in variables | `default` |
| `logs.errorLog` | Error log path | `/dev/stderr` |
| `logs.errorLogLevel` | Error log level | `warn` |
### dashboard parameters
Configurations for apisix-dashboard sub chart.
### ingress-controller parameters
Configurations for Apache APISIX ingress-controller sub chart.
### serviceMonitor parameters
| Parameter | Description | Default |
| ------------------------------ | ------------------------------------------------------------ | ---------------------------- |
| `serviceMonitor.enabled` | Enable or disable Apache APISIX serviceMonitor | `false` |
| `serviceMonitor.namespace` | Namespace where the serviceMonitor is deployed | `""` |
| `serviceMonitor.interval` | Interval at which metrics should be scraped | `15s` |
| `serviceMonitor.path` | Path of the Prometheus metrics endpoint | `/apisix/prometheus/metrics` |
| `serviceMonitor.containerPort` | Container port which Prometheus metrics are exposed | `9091` |
| `serviceMonitor.labels` | ServiceMonitor extra labels | `{}` |
| `serviceMonitor.annotations` | ServiceMonitor annotations | `{}` |
### initContainers parameters
| Parameter | Description | Default |
|--------------------------------|----------------------|-----------|
| `initContainer.image` | Init container image | `busybox` |
| `initContainer.tag` | Init container tag | `1.28` |
### vault integration parameters
| Parameter | Description | Default |
|----------------------------|--------------------------------------------------------------------------------------------------|---------------------------------------------------------|
| `vault.enabled` | Enable or disable the vault integration | `false` |
| `vault.host` | The host address where the vault server is running. | |
| `vault.timeout` | HTTP timeout for each request. | |
| `vault.token` | The generated token from vault instance that can grant access to read data from the vault. | |
| `vault.prefix` | Prefix allows you to better enforcement of policies. | |

23
deploy/charts/apisix/charts/apisix-dashboard/.helmignore Normal file
View File

@ -0,0 +1,23 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*.orig
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/

9
deploy/charts/apisix/charts/apisix-dashboard/Chart.yaml Normal file
View File

@ -0,0 +1,9 @@
apiVersion: v2
appVersion: 2.13.0
description: A Helm chart for Apache APISIX Dashboard
icon: https://apache.org/logos/res/apisix/apisix.png
maintainers:
- name: tao12345666333
name: apisix-dashboard
type: application
version: 0.6.1

118
deploy/charts/apisix/charts/apisix-dashboard/README.md Normal file
View File

@ -0,0 +1,118 @@
# Apache APISIX Dashboard
[APISIX Dashboard](https://github.com/apache/apisix-dashboard/) is designed to make it as easy as possible for users to operate Apache APISIX through a frontend interface.
This chart bootstraps an apisix-dashboard deployment on a [Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager.
## Prerequisites
APISIX Dashboard requires Kubernetes version 1.14+.
## Get Repo Info
```console
helm repo add apisix https://charts.apiseven.com
helm repo update
```
## Install Chart
**Important:** only helm3 is supported
```console
helm install [RELEASE_NAME] apisix/apisix-dashboard --namespace ingress-apisix --create-namespace
```
The command deploys apisix-dashboard on the Kubernetes cluster in the default configuration.
_See [configuration](#configuration) below._
_See [helm install](https://helm.sh/docs/helm/helm_install/) for command documentation._
## Uninstall Chart
```console
helm uninstall [RELEASE_NAME] --namespace ingress-apisix
```
This removes all the Kubernetes components associated with the chart and deletes the release.
_See [helm uninstall](https://helm.sh/docs/helm/helm_uninstall/) for command documentation._
## Upgrading Chart
```console
helm upgrade [RELEASE_NAME] [CHART] --install
```
_See [helm upgrade](https://helm.sh/docs/helm/helm_upgrade/) for command documentation._
## Parameters
The following tables lists the configurable parameters of the apisix-dashboard chart and their default values per section/component:
### Common parameters
| Name | Description | Value |
| ------------------ | ------------------------------------------------------------------------------------------------- | ------------------------ |
| `nameOverride` | String to partially override apisix-dashboard.fullname template (will maintain the release name) | `nil` |
| `fullnameOverride` | String to fully override apisix-dashboard.fullname template | `nil` |
| `imagePullSecrets` | Docker registry secret names as an array | `[]` |
| `image.repository` | Apache APISIX Dashboard image repository | `apache/apisix-dashboard`|
| `image.tag` | Apache APISIX Dashboard image tag (immutable tags are recommended) | `2.10.1-alpine` |
| `image.pullPolicy` | Apache APISIX Dashboard image pull policy | `IfNotPresent` |
### Apache APISIX Dashboard configurable parameters
| Name | Description | Value |
| ------------------------------------ | ----------------------------------------------------------------------------------------- | --------------- |
| `config.conf.listen.host` | The address on which the `Manager API` should listen. The default value is 0.0.0.0, if want to specify, please enable it. This value accepts IPv4, IPv6, and hostname. | `0.0.0.0` |
| `config.conf.listen.port` | The port on which the `Manager API` should listen. | `9000` |
| `config.authentication.secert` | Secret for jwt token generation | `secert` |
| `config.authentication.expireTime` | JWT token expire time, in second | `3600` |
| `config.authentication.users` | Specifies username and password for login `manager api`. | `[{username: admin, password: admin}]` |
| `config.conf.etcd.endpoints` | Supports defining multiple etcd host addresses for an etcd cluster | `apisix-etcd:2379` |
| `config.conf.etcd.prefix` | Apache APISIX config's prefix in etcd, /apisix by default | `/apisix` |
| `config.conf.etcd.username` | Specifies etcd basic auth username if enable etcd auth | `~` |
| `config.conf.etcd.password` | Specifies etcd basic auth password if enable etcd auth | `~` |
| `config.conf.log.accessLog.filePath` | Access log path | `/dev/stdout` |
| `config.conf.log.errorLog.filePath` | Error log path | `/dev/stderr` |
| `config.conf.log.errorLog.level` | Error log level. Supports levels, lower to higher: debug, info, warn, error, panic, fatal | `warn` |
### Deployment parameters
| Name | Description | Value |
| ----------------------------------------------- | ----------------------------------------------------------------------------------------- | --------------- |
| `replicaCount` | Number of Apache APISIX Dashboard nodes | `1` |
| `podAnnotations` | Apache APISIX Dashboard Pod annotations | `{}` |
| `nodeSelector` | Node labels for pod assignment | `{}` |
| `tolerations` | Tolerations for pod assignment | `[]` |
| `resources.limits` | The resources limits for Apache APISIX Dashboard containers | `{}` |
| `resources.requests` | The requested resources for Apache APISIX Dashboardcontainers | `{}` |
| `podSecurityContext` | Set the securityContext for Apache APISIX Dashboard pods | `{}` |
| `securityContext` | Set the securityContext for Apache APISIX Dashboard container | `{}` |
| `autoscaling.enabled` | Enable autoscaling for Apache APISIX Dashboard deployment | `false` |
| `autoscaling.minReplicas` | Minimum number of replicas to scale back | `1` |
| `autoscaling.maxReplicas` | Maximum number of replicas to scale out | `100` |
| `autoscaling.targetCPUUtilizationPercentage` | Target CPU utilization percentage | `80` |
| `autoscaling.targetMemoryUtilizationPercentage` | Target Memory utilization percentage | `nil` |
### Traffic Exposure parameters
| Name | Description | Value |
| ------------------------------- |--------------------------------------------------------------------------------------------------|-------------|
| `service.type` | Service type | `ClusterIP` |
| `service.port` | Service HTTP port | `80` |
| `ingress.enabled` | Set to true to enable ingress record generation | `false` |
| `ingress.annotations` | Ingress annotations | `{}` |
| `ingress.hosts` | The list of hostnames to be covered with this ingress record. | `[]` |
| `ingress.tls` | Create TLS Secret | `false` |
| `ingress.className` | `ingressClassName` replace `annotations kubernetes.io/ingress.class`, required kubernetes 1.18>= | `apisix` |
### RBAC parameters
| Name | Description | Value |
| ---------------------------- | --------------------------------------------------------------------------------------------------------------------- | ------ |
| `serviceAccount.create` | Specifies whether a ServiceAccount should be created | `true` |
| `serviceAccount.name` | The name of the ServiceAccount to use. If not set and create is true, a name is generated using the fullname template | `nil` |
| `serviceAccount.annotations` | Annotations to add to the ServiceAccount Metadata | `{}` |

22
deploy/charts/apisix/charts/apisix-dashboard/templates/NOTES.txt Normal file
View File

@ -0,0 +1,22 @@
1. Get the application URL by running these commands:
{{- if .Values.ingress.enabled }}
{{- range $host := .Values.ingress.hosts }}
{{- range .paths }}
http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $host.host }}{{ . }}
{{- end }}
{{- end }}
{{- else if contains "NodePort" .Values.service.type }}
export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "apisix-dashboard.fullname" . }})
export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
echo http://$NODE_IP:$NODE_PORT
{{- else if contains "LoadBalancer" .Values.service.type }}
NOTE: It may take a few minutes for the LoadBalancer IP to be available.
You can watch the status of by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "apisix-dashboard.fullname" . }}'
export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "apisix-dashboard.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}")
echo http://$SERVICE_IP:{{ .Values.service.port }}
{{- else if contains "ClusterIP" .Values.service.type }}
export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "apisix-dashboard.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
export CONTAINER_PORT=$(kubectl get pod --namespace {{ .Release.Namespace }} $POD_NAME -o jsonpath="{.spec.containers[0].ports[0].containerPort}")
echo "Visit http://127.0.0.1:8080 to use your application"
kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 8080:$CONTAINER_PORT
{{- end }}

78
deploy/charts/apisix/charts/apisix-dashboard/templates/_helpers.tpl Normal file
View File

@ -0,0 +1,78 @@
#
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to You under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
{{/*
Expand the name of the chart.
*/}}
{{- define "apisix-dashboard.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "apisix-dashboard.fullname" -}}
{{- if .Values.fullnameOverride }}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- $name := default .Chart.Name .Values.nameOverride }}
{{- if contains $name .Release.Name }}
{{- .Release.Name | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
{{- end }}
{{- end }}
{{- end }}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "apisix-dashboard.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Common labels
*/}}
{{- define "apisix-dashboard.labels" -}}
helm.sh/chart: {{ include "apisix-dashboard.chart" . }}
{{ include "apisix-dashboard.selectorLabels" . }}
{{- if .Chart.AppVersion }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- end }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end }}
{{/*
Selector labels
*/}}
{{- define "apisix-dashboard.selectorLabels" -}}
app.kubernetes.io/name: {{ include "apisix-dashboard.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}
{{/*
Create the name of the service account to use
*/}}
{{- define "apisix-dashboard.serviceAccountName" -}}
{{- if .Values.serviceAccount.create }}
{{- default (include "apisix-dashboard.fullname" .) .Values.serviceAccount.name }}
{{- else }}
{{- default "default" .Values.serviceAccount.name }}
{{- end }}
{{- end }}

63
deploy/charts/apisix/charts/apisix-dashboard/templates/configmap.yaml Normal file
View File

@ -0,0 +1,63 @@
#
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to You under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ include "apisix-dashboard.fullname" . }}
namespace: {{ .Release.Namespace }}
labels:
{{- include "apisix-dashboard.labels" . | nindent 4 }}
data:
conf.yaml: |-
{{- with .Values.config.conf }}
conf:
listen:
host: {{ .listen.host }}
port: {{ .listen.port }}
{{- with .etcd }}
etcd:
prefix: {{ .prefix | quote }}
endpoints:
{{- range .endpoints }}
- {{ . }}
{{- end }}
{{- if .username }}
username: {{ .username }}
{{- end }}
{{- if .password }}
password: {{ .password }}
{{- end }}
{{- end }}
{{- with .log }}
log:
error_log:
level: {{ .errorLog.level }}
file_path: {{ .errorLog.filePath }}
access_log:
file_path: {{ .accessLog.filePath }}
{{- end }}
{{- end }}
{{- with .Values.config.authentication }}
authentication:
secret: {{ .secret }}
expire_time: {{ .expireTime }}
users:
{{- range .users }}
- username: {{ .username }}
password: {{ .password }}
{{- end }}
{{- end }}

87
deploy/charts/apisix/charts/apisix-dashboard/templates/deployment.yaml Normal file
View File

@ -0,0 +1,87 @@
#
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to You under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ include "apisix-dashboard.fullname" . }}
namespace: {{ .Release.Namespace }}
labels:
{{- include "apisix-dashboard.labels" . | nindent 4 }}
spec:
{{- if not .Values.autoscaling.enabled }}
replicas: {{ .Values.replicaCount }}
{{- end }}
selector:
matchLabels:
{{- include "apisix-dashboard.selectorLabels" . | nindent 6 }}
template:
metadata:
annotations:
checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
{{- with .Values.podAnnotations }}
{{- toYaml . | nindent 8 }}
{{- end }}
labels:
{{- include "apisix-dashboard.selectorLabels" . | nindent 8 }}
spec:
{{- with .Values.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
serviceAccountName: {{ include "apisix-dashboard.serviceAccountName" . }}
securityContext:
{{- toYaml .Values.podSecurityContext | nindent 8 }}
containers:
- name: {{ .Chart.Name }}
securityContext:
{{- toYaml .Values.securityContext | nindent 12 }}
image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
ports:
- name: http
containerPort: {{ .Values.config.conf.listen.port }}
protocol: TCP
livenessProbe:
httpGet:
path: /ping
port: http
readinessProbe:
httpGet:
path: /ping
port: http
resources:
{{- toYaml .Values.resources | nindent 12 }}
volumeMounts:
- mountPath: /usr/local/apisix-dashboard/conf/conf.yaml
name: apisix-dashboard-config
subPath: conf.yaml
volumes:
- configMap:
name: {{ include "apisix-dashboard.fullname" . }}
name: apisix-dashboard-config
{{- with .Values.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}

45
deploy/charts/apisix/charts/apisix-dashboard/templates/hpa.yaml Normal file
View File

@ -0,0 +1,45 @@
#
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to You under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
{{- if .Values.autoscaling.enabled }}
apiVersion: autoscaling/v2beta1
kind: HorizontalPodAutoscaler
metadata:
name: {{ include "apisix-dashboard.fullname" . }}
namespace: {{ .Release.Namespace }}
labels:
{{- include "apisix-dashboard.labels" . | nindent 4 }}
spec:
scaleTargetRef:
apiVersion: apps/v1
kind: Deployment
name: {{ include "apisix-dashboard.fullname" . }}
minReplicas: {{ .Values.autoscaling.minReplicas }}
maxReplicas: {{ .Values.autoscaling.maxReplicas }}
metrics:
{{- if .Values.autoscaling.targetCPUUtilizationPercentage }}
- type: Resource
resource:
name: cpu
targetAverageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }}
{{- end }}
{{- if .Values.autoscaling.targetMemoryUtilizationPercentage }}
- type: Resource
resource:
name: memory
targetAverageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }}
{{- end }}
{{- end }}

72
deploy/charts/apisix/charts/apisix-dashboard/templates/ingress.yaml Normal file
View File

@ -0,0 +1,72 @@
#
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to You under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
{{- if .Values.ingress.enabled -}}
{{- $fullName := include "apisix-dashboard.fullname" . -}}
{{- $svcPort := .Values.service.port -}}
{{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.Version }}
apiVersion: networking.k8s.io/v1
{{- else if semverCompare ">=1.14-0" .Capabilities.KubeVersion.Version }}
apiVersion: networking.k8s.io/v1beta1
{{- else -}}
apiVersion: extensions/v1beta1
{{- end }}
kind: Ingress
metadata:
name: {{ $fullName }}
namespace: {{ .Release.Namespace }}
labels:
{{- include "apisix-dashboard.labels" . | nindent 4 }}
{{- with .Values.ingress.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
{{- if .Values.ingress.className }}
ingressClassName: {{ .Values.ingress.className }}
{{- end }}
{{- if .Values.ingress.tls }}
tls:
{{- range .Values.ingress.tls }}
- hosts:
{{- range .hosts }}
- {{ . | quote }}
{{- end }}
secretName: {{ .secretName }}
{{- end }}
{{- end }}
rules:
{{- range .Values.ingress.hosts }}
- host: {{ .host | quote }}
http:
paths:
{{- range .paths }}
- path: {{ . }}
{{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.Version }}
pathType: ImplementationSpecific
backend:
service:
name: {{ $fullName }}
port:
number: {{ $svcPort }}
{{- else -}}
backend:
serviceName: {{ $fullName }}
servicePort: {{ $svcPort }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}

32
deploy/charts/apisix/charts/apisix-dashboard/templates/service.yaml Normal file
View File

@ -0,0 +1,32 @@
#
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to You under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
apiVersion: v1
kind: Service
metadata:
name: {{ include "apisix-dashboard.fullname" . }}
namespace: {{ .Release.Namespace }}
labels:
{{- include "apisix-dashboard.labels" . | nindent 4 }}
spec:
type: {{ .Values.service.type }}
ports:
- port: {{ .Values.service.port }}
targetPort: http
protocol: TCP
name: http
selector:
{{- include "apisix-dashboard.selectorLabels" . | nindent 4 }}

29
deploy/charts/apisix/charts/apisix-dashboard/templates/serviceaccount.yaml Normal file
View File

@ -0,0 +1,29 @@
#
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to You under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
{{- if .Values.serviceAccount.create }}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "apisix-dashboard.serviceAccountName" . }}
namespace: {{ .Release.Namespace }}
labels:
{{- include "apisix-dashboard.labels" . | nindent 4 }}
{{- with .Values.serviceAccount.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- end }}

15
deploy/charts/apisix/charts/apisix-dashboard/templates/tests/test-connection.yaml Normal file
View File

@ -0,0 +1,15 @@
apiVersion: v1
kind: Pod
metadata:
name: "{{ include "apisix-dashboard.fullname" . }}-test-connection"
labels:
{{- include "apisix-dashboard.labels" . | nindent 4 }}
annotations:
"helm.sh/hook": test
spec:
containers:
- name: wget
image: busybox
command: ['wget']
args: ['{{ include "apisix-dashboard.fullname" . }}:{{ .Values.service.port }}']
restartPolicy: Never

130
deploy/charts/apisix/charts/apisix-dashboard/values.yaml Normal file
View File

@ -0,0 +1,130 @@
#
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to You under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
# Default values for apisix-dashboard.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.
replicaCount: 1
image:
repository: apache/apisix-dashboard
pullPolicy: IfNotPresent
# Overrides the image tag whose default is the chart appVersion.
tag: 2.13-alpine
imagePullSecrets: []
nameOverride: ""
fullnameOverride: ""
serviceAccount:
# Specifies whether a service account should be created
create: true
# Annotations to add to the service account
annotations: {}
# The name of the service account to use.
# If not set and create is true, a name is generated using the fullname template
name: ""
podAnnotations: {}
podSecurityContext: {}
# fsGroup: 2000
securityContext: {}
# capabilities:
# drop:
# - ALL
# readOnlyRootFilesystem: true
# runAsNonRoot: true
# runAsUser: 1000
config:
conf:
listen:
host: 0.0.0.0
port: 9000
etcd:
# Supports defining multiple etcd host addresses for an etcd cluster
endpoints:
- apisix-etcd:2379
# apisix configurations prefix
prefix: "/apisix"
# Etcd basic auth info
username: ~
password: ~
log:
errorLog:
level: warn
filePath: /dev/stderr
accessLog:
filePath: /dev/stdout
authentication:
secret: secret
expireTime: 3600
users:
- username: admin
password: admin
service:
type: ClusterIP
port: 80
ingress:
enabled: false
# Kubernetes 1.18+ support ingressClassName attribute
className: ""
annotations: {}
# kubernetes.io/ingress.class: nginx
# kubernetes.io/tls-acme: "true"
# domain access apisix example:
# hosts:
# - host: apisix-dashboard.local
# paths:
# - /*
hosts:
- host: apisix-dashboard.local
paths: []
tls: []
# - secretName: chart-example-tls
# hosts:
# - chart-example.local
resources: {}
# We usually recommend not to specify default resources and to leave this as a conscious
# choice for the user. This also increases chances charts run on environments with little
# resources, such as Minikube. If you do want to specify resources, uncomment the following
# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
# limits:
# cpu: 100m
# memory: 128Mi
# requests:
# cpu: 100m
# memory: 128Mi
autoscaling:
enabled: false
minReplicas: 1
maxReplicas: 100
targetCPUUtilizationPercentage: 80
# targetMemoryUtilizationPercentage: 80
nodeSelector: {}
tolerations: []
affinity: {}

23
deploy/charts/apisix/charts/apisix-ingress-controller/.helmignore Normal file
View File

@ -0,0 +1,23 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*.orig
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/

18
deploy/charts/apisix/charts/apisix-ingress-controller/Chart.yaml Normal file
View File

@ -0,0 +1,18 @@
annotations:
artifacthub.io/prerelease: "false"
apiVersion: v2
appVersion: 1.5.0
description: Apache APISIX Ingress Controller for Kubernetes
icon: https://apache.org/logos/res/apisix/apisix.png
keywords:
- ingress
- apisix
- nginx
- crd
maintainers:
- name: tao12345666333
name: apisix-ingress-controller
sources:
- https://github.com/apache/apisix-helm-chart
type: application
version: 0.10.1

98
deploy/charts/apisix/charts/apisix-ingress-controller/README.md Normal file
View File

@ -0,0 +1,98 @@
# Apache APISIX ingress controller
[APISIX Ingress controller](https://github.com/apache/apisix-ingress-controller/) for Kubernetes using Apache APISIX as a high performance reverse proxy and load balancer.
If you have installed multiple ingress controller, add the `kubernetes.io/ingress.class: apisix` annotation to your Ingress resources.
This chart bootstraps an apisix-ingress-controller deployment on a [Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager.
## Prerequisites
Apisix ingress controller requires Kubernetes version 1.16+.
## Get Repo Info
```console
helm repo add apisix https://charts.apiseven.com
helm repo update
```
## Install Chart
**Important:** only helm3 is supported
```console
helm install [RELEASE_NAME] apisix/apisix-ingress-controller --namespace ingress-apisix --create-namespace
```
The command deploys apisix-ingress-controller on the Kubernetes cluster in the default configuration.
_See [configuration](#configuration) below._
_See [helm install](https://helm.sh/docs/helm/helm_install/) for command documentation._
## Uninstall Chart
```console
helm uninstall [RELEASE_NAME] --namespace ingress-apisix
```
This removes all the Kubernetes components associated with the chart and deletes the release.
_See [helm uninstall](https://helm.sh/docs/helm/helm_uninstall/) for command documentation._
## Upgrading Chart
```console
helm upgrade [RELEASE_NAME] [CHART] --install
```
_See [helm upgrade](https://helm.sh/docs/helm/helm_upgrade/) for command documentation._
## Configuration
See [Customizing the Chart Before Installing](https://helm.sh/docs/intro/using_helm/#customizing-the-chart-before-installing). To see all configurable options with detailed comments, visit the chart's [values.yaml](./values.yaml), or run these configuration commands:
```console
helm show values apisix/apisix-ingress-controller
```
### Security context
A security context provides us with a way to define privilege and access control for a Pod or even at the container level.
Check [here](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#securitycontext-v1-core) to see the SecurityContext resource with more detail.
Check also [here](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) to see a full explanation and some examples to configure the security context.
Right below you have an example of the security context configuration. In this case, we define that all the processes in the container will run with user ID 1000.
```yaml
...
spec:
securityContext:
runAsUser: 1000
runAsGroup: 3000
...
```
The same for the group definition, where we define the primary group of 3000 for all processes.
**It's quite important to know, if the `runAsGroup` is omited, the primary group will be root(0)**, which in some cases goes against some security policies.
To define this configuration at the **pod level**, you need to set:
```yaml
--set podSecurityContext.runAsUser=«VALUE»
--set podSecurityContext.runAsGroup=«VALUE»
...
```
The same for container level, you need to set:
```yaml
--set securityContext.runAsUser=«VALUE»
--set SecurityContext.runAsGroup=«VALUE»
...
```

3472
deploy/charts/apisix/charts/apisix-ingress-controller/crds/customresourcedefinitions.yaml Normal file
View File

File diff suppressed because it is too large Load Diff

5
deploy/charts/apisix/charts/apisix-ingress-controller/templates/NOTES.txt Normal file
View File

@ -0,0 +1,5 @@
Get the application URL by running these commands:
export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "apisix-ingress-controller.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
export CONTAINER_PORT=$(kubectl get pod --namespace {{ .Release.Namespace }} $POD_NAME -o jsonpath="{.spec.containers[0].ports[0].containerPort}")
echo "Visit http://127.0.0.1:8080 to use your application"
kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 8080:$CONTAINER_PORT

84
deploy/charts/apisix/charts/apisix-ingress-controller/templates/_helpers.tpl Normal file
View File

@ -0,0 +1,84 @@
#
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to You under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
{{/*
Expand the name of the chart.
*/}}
{{- define "apisix-ingress-controller.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "apisix-ingress-controller.fullname" -}}
{{- if .Values.fullnameOverride }}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- $name := default .Chart.Name .Values.nameOverride }}
{{- if contains $name .Release.Name }}
{{- .Release.Name | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
{{- end }}
{{- end }}
{{- end }}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "apisix-ingress-controller.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Common labels
*/}}
{{- define "apisix-ingress-controller.labels" -}}
helm.sh/chart: {{ include "apisix-ingress-controller.chart" . }}
{{ include "apisix-ingress-controller.selectorLabels" . }}
{{- if .Chart.AppVersion }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- end }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end }}
{{/*
Selector labels
*/}}
{{- define "apisix-ingress-controller.selectorLabels" -}}
app.kubernetes.io/name: {{ include "apisix-ingress-controller.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}
{{/*
Create the name of the service account to use
*/}}
{{- define "apisix-ingress-controller.serviceAccountName" -}}
{{- if .Values.serviceAccount.create }}
{{- default (include "apisix-ingress-controller.fullname" .) .Values.serviceAccount.name }}
{{- else }}
{{- default "default" .Values.serviceAccount.name }}
{{- end }}
{{- end }}
{{- define "apisix-ingress-controller.namespace" -}}
{{- default .Release.Namespace .Values.namespace -}}
{{- end -}}

71
deploy/charts/apisix/charts/apisix-ingress-controller/templates/configmap.yaml Normal file
View File

@ -0,0 +1,71 @@
#
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to You under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
apiVersion: v1
data:
config.yaml: |
# log options
log_level: {{ .Values.config.logLevel | quote }}
log_output: {{ .Values.config.logOutput | quote }}
cert_file: {{ .Values.config.certFile | quote }}
key_file: {{ .Values.config.keyFile | quote }}
http_listen: {{ .Values.config.httpListen | quote }}
https_listen: {{ .Values.config.httpsListen | quote }}
ingress_publish_service: {{ .Values.config.ingressPublishService }}
{{- if gt (len .Values.config.ingressStatusAddress) 0 }}
ingress_status_address:
{{- range .Values.config.ingressStatusAddress }}
- {{ . | quote }}
{{- end }}
{{- end }}
enable_profiling: {{ .Values.config.enableProfiling }}
apisix-resource-sync-interval: {{ .Values.config.apisixResourceSyncInterval }}
kubernetes:
kubeconfig: {{ .Values.config.kubernetes.kubeconfig | quote }}
resync_interval: {{ .Values.config.kubernetes.resyncInterval | quote }}
{{- if gt (len .Values.config.kubernetes.appNamespaces) 0 }}
app_namespaces:
{{- range .Values.config.kubernetes.appNamespaces }}
- {{ . | quote }}
{{- end }}
{{- end }}
{{- if gt (len .Values.config.kubernetes.namespaceSelector) 0 }}
namespace_selector:
{{- range .Values.config.kubernetes.namespaceSelector }}
- {{ . | quote }}
{{- end }}
{{- end }}
election_id: {{ .Values.config.kubernetes.electionId | quote }}
ingress_class: {{ .Values.config.kubernetes.ingressClass | quote }}
ingress_version: {{ .Values.config.kubernetes.ingressVersion | quote }}
watch_endpointslices: {{ .Values.config.kubernetes.watchEndpointSlices }}
apisix_route_version: {{ .Values.config.kubernetes.apisixRouteVersion | quote }}
enable_gateway_api: {{ .Values.config.kubernetes.enableGatewayAPI }}
apisix:
{{ if .Values.config.apisix.serviceFullname }}
default_cluster_base_url: http://{{ .Values.config.apisix.serviceFullname }}:{{ .Values.config.apisix.servicePort }}/apisix/admin
{{ else }}
default_cluster_base_url: http://{{ .Values.config.apisix.serviceName }}.{{ .Values.config.apisix.serviceNamespace }}.svc.{{ .Values.clusterDomain }}:{{ .Values.config.apisix.servicePort }}/apisix/admin
{{ end}}
default_cluster_admin_key: {{ .Values.config.apisix.adminKey | quote }}
default_cluster_name: {{ .Values.config.apisix.clusterName | quote }}
kind: ConfigMap
metadata:
name: {{ .Release.Name }}-configmap
namespace: {{ .Release.Namespace }}
labels:
{{- include "apisix-ingress-controller.labels" . | nindent 4 }}

108
deploy/charts/apisix/charts/apisix-ingress-controller/templates/deployment.yaml Normal file
View File

@ -0,0 +1,108 @@
#
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to You under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ include "apisix-ingress-controller.fullname" . }}
namespace: {{ .Release.Namespace }}
labels:
{{- include "apisix-ingress-controller.labels" . | nindent 4 }}
spec:
{{- if not .Values.autoscaling.enabled }}
replicas: {{ .Values.replicaCount }}
{{- end }}
selector:
matchLabels:
{{- include "apisix-ingress-controller.selectorLabels" . | nindent 6 }}
template:
metadata:
annotations:
checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
{{- with .Values.podAnnotations }}
{{- toYaml . | nindent 8 }}
{{- end }}
labels:
{{- include "apisix-ingress-controller.selectorLabels" . | nindent 8 }}
spec:
{{- with .Values.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
serviceAccountName: {{ include "apisix-ingress-controller.serviceAccountName" . }}
securityContext:
{{- toYaml .Values.podSecurityContext | nindent 8 }}
volumes:
- name: configuration
configMap:
name: {{ .Release.Name }}-configmap
items:
- key: config.yaml
path: config.yaml
initContainers:
- name: wait-apisix-admin
image: {{ .Values.initContainer.image }}:{{ .Values.initContainer.tag }}
{{ if .Values.config.apisix.serviceFullname }}
command: ['sh', '-c', "until nc -z {{ .Values.config.apisix.serviceFullname }} {{ .Values.config.apisix.servicePort }} ; do echo waiting for apisix-admin; sleep 2; done;"]
{{ else }}
command: ['sh', '-c', "until nc -z {{ .Values.config.apisix.serviceName }}.{{ .Values.config.apisix.serviceNamespace }}.svc.{{ .Values.clusterDomain }} {{ .Values.config.apisix.servicePort }} ; do echo waiting for apisix-admin; sleep 2; done;"]
{{ end}}
securityContext:
{{- toYaml .Values.securityContext | nindent 12 }}
containers:
- name: {{ .Chart.Name }}
command:
- /ingress-apisix/apisix-ingress-controller
- ingress
- --config-path
- /ingress-apisix/conf/config.yaml
image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
ports:
- name: http
containerPort: {{ (.Values.config.httpListen | split ":")._1 }}
protocol: TCP
livenessProbe:
httpGet:
path: /healthz
port: {{ (.Values.config.httpListen | split ":")._1 }}
readinessProbe:
httpGet:
path: /healthz
port: {{ (.Values.config.httpListen | split ":")._1 }}
resources:
{{- toYaml .Values.resources | nindent 12 }}
volumeMounts:
- mountPath: /ingress-apisix/conf
name: configuration
env:
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
{{- with .Values.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}

45
deploy/charts/apisix/charts/apisix-ingress-controller/templates/hpa.yaml Normal file
View File

@ -0,0 +1,45 @@
#
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to You under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
{{- if .Values.autoscaling.enabled }}
apiVersion: autoscaling/v2beta1
kind: HorizontalPodAutoscaler
metadata:
name: {{ include "apisix-ingress-controller.fullname" . }}
namespace: {{ .Release.Namespace }}
labels:
{{- include "apisix-ingress-controller.labels" . | nindent 4 }}
spec:
scaleTargetRef:
apiVersion: apps/v1
kind: Deployment
name: {{ include "apisix-ingress-controller.fullname" . }}
minReplicas: {{ .Values.autoscaling.minReplicas }}
maxReplicas: {{ .Values.autoscaling.maxReplicas }}
metrics:
{{- if .Values.autoscaling.targetCPUUtilizationPercentage }}
- type: Resource
resource:
name: cpu
targetAverageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }}
{{- end }}
{{- if .Values.autoscaling.targetMemoryUtilizationPercentage }}
- type: Resource
resource:
name: memory
targetAverageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }}
{{- end }}
{{- end }}

135
deploy/charts/apisix/charts/apisix-ingress-controller/templates/rbac.yaml Normal file
View File

@ -0,0 +1,135 @@
#
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to You under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
{{- if .Values.rbac.create }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ .Release.Name }}-clusterrole
rules:
- apiGroups:
- ""
resources:
- events
verbs:
- "*"
- apiGroups:
- ""
resources:
- configmaps
- endpoints
- pods
- services
- secrets
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- namespaces
verbs:
- get
- list
- watch
- apiGroups:
- extensions
resources:
- ingresses
verbs:
- get
- list
- watch
- apiGroups:
- networking.k8s.io
resources:
- ingresses
verbs:
- get
- list
- watch
- apiGroups:
- networking.k8s.io
resources:
- ingresses/status
verbs:
- update
- apiGroups:
- apisix.apache.org
resources:
- apisixroutes
- apisixroutes/status
- apisixupstreams
- apisixupstreams/status
- apisixtlses
- apisixtlses/status
- apisixclusterconfigs
- apisixclusterconfigs/status
- apisixconsumers
- apisixconsumers/status
- apisixpluginconfigs
- apisixpluginconfigs/status
verbs:
- '*'
- apiGroups:
- coordination.k8s.io
resources:
- leases
verbs:
- '*'
- apiGroups:
- discovery.k8s.io
resources:
- endpointslices
verbs:
- get
- list
- watch
- apiGroups:
- gateway.networking.k8s.io
resources:
- httproutes
- tlsroutes
- gateways
- gatewayclasses
verbs:
- get
- list
- watch
- apiGroups:
- gateway.networking.k8s.io
resources:
- httproutes/status
- tlsroutes/status
- gateways/status
- gatewayclasses/status
verbs:
- update
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ .Release.Name }}-clusterrolebinding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ .Release.Name }}-clusterrole
subjects:
- kind: ServiceAccount
name: {{ include "apisix-ingress-controller.serviceAccountName" . }}
namespace: {{ .Release.Namespace }}
{{- end }}

24
deploy/charts/apisix/charts/apisix-ingress-controller/templates/service-account.yaml Normal file
View File

@ -0,0 +1,24 @@
#
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to You under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
{{- if .Values.serviceAccount.create }}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "apisix-ingress-controller.serviceAccountName" . }}
namespace: {{ .Release.Namespace }}
automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }}
{{- end }}

32
deploy/charts/apisix/charts/apisix-ingress-controller/templates/service.yaml Normal file
View File

@ -0,0 +1,32 @@
#
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to You under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
apiVersion: v1
kind: Service
metadata:
name: {{ include "apisix-ingress-controller.fullname" . }}
namespace: {{ .Release.Namespace }}
labels:
{{- include "apisix-ingress-controller.labels" . | nindent 4 }}
spec:
type: ClusterIP
ports:
- port: {{ .Values.service.port }}
targetPort: {{ (.Values.config.httpListen | split ":")._1 }}
protocol: TCP
name: http
selector:
{{- include "apisix-ingress-controller.selectorLabels" . | nindent 4 }}

46
deploy/charts/apisix/charts/apisix-ingress-controller/templates/servicemonitor.yaml Normal file
View File

@ -0,0 +1,46 @@
#
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to You under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
{{- if and ( .Capabilities.APIVersions.Has "monitoring.coreos.com/v1" ) .Values.serviceMonitor.enabled }}
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
name: {{ template "apisix-ingress-controller.fullname" . }}
{{- if .Values.serviceMonitor.namespace }}
namespace: {{ .Values.serviceMonitor.namespace }}
{{- end }}
{{- if .Values.serviceMonitor.labels }}
labels: {{- toYaml .Values.serviceMonitor.labels | nindent 4 }}
{{- end }}
{{- if .Values.serviceMonitor.annotations }}
annotations: {{- toYaml .Values.serviceMonitor.annotations | nindent 4 }}
{{- end }}
spec:
endpoints:
- targetPort: http
scheme: http
{{- if .Values.serviceMonitor.interval }}
interval: {{ .Values.serviceMonitor.interval }}
{{- end }}
namespaceSelector:
matchNames:
- {{ template "apisix-ingress-controller.namespace" . }}
selector:
matchLabels:
{{- include "apisix-ingress-controller.labels" . | nindent 6 }}
{{- end }}

172
deploy/charts/apisix/charts/apisix-ingress-controller/values.yaml Normal file
View File

@ -0,0 +1,172 @@
#
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to You under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
# Default values for apisix-ingress-controller.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.
#
nameOverride: ""
fullnameOverride: ""
rbac:
# Specifies whether RBAC resources should be created
create: true
serviceAccount:
# Specifies whether a ServiceAccount should be created
create: true
# The name of the ServiceAccount to use.
# If not set and create is true, a name is generated using the fullname template
name: ""
# Whether automounting API credentials for a service account
automountServiceAccountToken: true
replicaCount: 1
image:
repository: apache/apisix-ingress-controller
pullPolicy: IfNotPresent
tag: "1.5.0"
podAnnotations: {}
imagePullSecrets: []
clusterDomain: cluster.local
service:
port: 80
config:
# the error log level, default is info, optional values are:
# debug
# info
# warn
# error
# panic
# fatal
logLevel: "info"
# the output file path of error log, default is stderr, when
# the file path is "stderr" or "stdout", logs are marshalled
# plainly, which is more readable for human; otherwise logs
# are marshalled in JSON format, which can be parsed by
# programs easily.
logOutput: "stderr"
# the TLS certificate file path.
certFile: "/etc/webhook/certs/cert.pem"
# the TLS key file path.
keyFile: "/etc/webhook/certs/key.pem"
# the HTTP Server listen address, default is ":8080"
httpListen: ":8080"
# the HTTPS Server listen address, default is ":8443"
httpsListen: ":8443"
# the controller will use the Endpoint of this Service to
# update the status information of the Ingress resource.
# The format is "namespace/svc-name" to solve the situation that
# the data plane and the controller are not deployed in the same namespace.
ingressPublishService: ""
ingressStatusAddress: []
# enable profiling via web interfaces host:port/debug/pprof, default is true.
enableProfiling: true
# Default interval for synchronizing Kubernetes resources to APISIX
apisixResourceSyncInterval: "300s"
# Kubernetes related configurations.
kubernetes:
# the Kubernetes configuration file path, default is "", so the in-cluster
# configuration will be used.
kubeconfig: ""
# how long should apisix-ingress-controller re-synchronizes with Kubernetes,
# default is 6h,
resyncInterval: "6h"
# namespace list that controller will watch for resources,
# by default all namespaces (represented by "*") are watched.
appNamespaces: ["*"]
# namespace_selector represent basis for selecting managed namespaces.
# the field is support since version 1.4.0
# For example, "apisix.ingress=watching", so ingress will watching the namespaces which labels "apisix.ingress=watching"
namespaceSelector: [""]
# the election id for the controller leader campaign,
# only the leader will watch and delivery resource changes,
# other instances (as candidates) stand by.
electionId: "ingress-apisix-leader"
# The class of an Ingress object is set using the field IngressClassName in
# Kubernetes clusters version v1.18.0 or higher or the annotation
# "kubernetes.io/ingress.class" (deprecated).
ingressClass: "apisix"
# the supported ingress api group version, can be "networking/v1beta1",
# "networking/v1" (for Kubernetes version v1.19.0 or higher), and
# "extensions/v1beta1", default is "networking/v1".
ingressVersion: "networking/v1"
# whether to watch EndpointSlices rather than Endpoints.
watchEndpointSlices: false
# the supported apisixroute api group version, can be "apisix.apache.org/v2"
# "apisix.apache.org/v2beta3" or "apisix.apache.org/v2beta2"
apisixRouteVersion: "apisix.apache.org/v2"
# whether to enable support for Gateway API.
# Note: This feature is currently under development and may not work as expected.
# It is not recommended to use it in a production environment.
# Before we announce support for it to reach Beta level or GA.
enableGatewayAPI: false
# APISIX related configurations.
apisix:
# Enabling this value, overrides serviceName and serviceNamespace.
# serviceFullname: "apisix-admin.apisix.svc.local"
serviceName: apisix-admin
serviceNamespace: ingress-apisix
servicePort: 9180
adminKey: "edd1c9f034335f136f87ad84b625c8f1"
clusterName: "default"
resources: {}
initContainer:
image: busybox
tag: 1.28
autoscaling:
enabled: false
minReplicas: 1
maxReplicas: 100
targetCPUUtilizationPercentage: 80
# targetMemoryUtilizationPercentage: 80
nodeSelector: {}
tolerations: []
# namespace: "ingress-apisix"
serviceMonitor:
enabled: false
namespace: "monitoring"
interval: 15s
# @param serviceMonitor.labels ServiceMonitor extra labels
labels: {}
# @param serviceMonitor.annotations ServiceMonitor annotations
annotations: {}
podSecurityContext: {}
# fsGroup: 2000
securityContext: {}
# capabilities:
# drop:
# - ALL
# readOnlyRootFilesystem: true
# runAsNonRoot: true
# runAsUser: 1000

21
deploy/charts/apisix/charts/etcd/.helmignore Normal file
View File

@ -0,0 +1,21 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*~
# Various IDEs
.project
.idea/
*.tmproj

6
deploy/charts/apisix/charts/etcd/Chart.lock Normal file
View File

@ -0,0 +1,6 @@
dependencies:
- name: common
repository: https://charts.bitnami.com/bitnami
version: 1.16.0
digest: sha256:f41cb9ff725b7c9fa2725634196a6813566d630342f86a74903ed114b282c8c0
generated: "2022-06-06T13:24:27.058697276Z"

29
deploy/charts/apisix/charts/etcd/Chart.yaml Normal file
View File

@ -0,0 +1,29 @@
annotations:
category: Database
apiVersion: v2
appVersion: 3.5.4
dependencies:
- name: common
repository: https://charts.bitnami.com/bitnami
tags:
- bitnami-common
version: 1.x.x
description: etcd is a distributed key-value store designed to securely store data
across a cluster. etcd is widely used in production on account of its reliability,
fault-tolerance and ease of use.
home: https://github.com/bitnami/charts/tree/master/bitnami/etcd
icon: https://bitnami.com/assets/stacks/etcd/img/etcd-stack-220x234.png
keywords:
- etcd
- cluster
- database
- cache
- key-value
maintainers:
- name: Bitnami
url: https://github.com/bitnami/charts
name: etcd
sources:
- https://github.com/bitnami/bitnami-docker-etcd
- https://coreos.com/etcd/
version: 8.3.4

540
deploy/charts/apisix/charts/etcd/README.md Normal file
View File

@ -0,0 +1,540 @@
<!--- app-name: Etcd -->
# Etcd packaged by Bitnami
etcd is a distributed key-value store designed to securely store data across a cluster. etcd is widely used in production on account of its reliability, fault-tolerance and ease of use.
[Overview of Etcd](https://etcd.io/)
Trademarks: This software listing is packaged by Bitnami. The respective trademarks mentioned in the offering are owned by the respective companies, and use of them does not imply any affiliation or endorsement.
## TL;DR
```console
$ helm repo add bitnami https://charts.bitnami.com/bitnami
$ helm install my-release bitnami/etcd
```
## Introduction
This chart bootstraps a [etcd](https://github.com/bitnami/bitnami-docker-etcd) deployment on a [Kubernetes](https://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager.
Bitnami charts can be used with [Kubeapps](https://kubeapps.dev/) for deployment and management of Helm Charts in clusters.
## Prerequisites
- Kubernetes 1.19+
- Helm 3.2.0+
- PV provisioner support in the underlying infrastructure
## Installing the Chart
To install the chart with the release name `my-release`:
```console
$ helm repo add bitnami https://charts.bitnami.com/bitnami
$ helm install my-release bitnami/etcd
```
These commands deploy etcd on the Kubernetes cluster in the default configuration. The [Parameters](#parameters) section lists the parameters that can be configured during installation.
> **Tip**: List all releases using `helm list`
## Uninstalling the Chart
To uninstall/delete the `my-release` deployment:
```console
$ helm delete my-release
```
The command removes all the Kubernetes components associated with the chart and deletes the release.
## Parameters
### Global parameters
| Name | Description | Value |
| ------------------------- | ----------------------------------------------- | ----- |
| `global.imageRegistry` | Global Docker image registry | `""` |
| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` |
| `global.storageClass` | Global StorageClass for Persistent Volume(s) | `""` |
### Common parameters
| Name | Description | Value |
| ------------------------ | -------------------------------------------------------------------------------------------- | --------------- |
| `kubeVersion` | Force target Kubernetes version (using Helm capabilities if not set) | `""` |
| `nameOverride` | String to partially override common.names.fullname template (will maintain the release name) | `""` |
| `fullnameOverride` | String to fully override common.names.fullname template | `""` |
| `commonLabels` | Labels to add to all deployed objects | `{}` |
| `commonAnnotations` | Annotations to add to all deployed objects | `{}` |
| `clusterDomain` | Default Kubernetes cluster domain | `cluster.local` |
| `extraDeploy` | Array of extra objects to deploy with the release | `[]` |
| `diagnosticMode.enabled` | Enable diagnostic mode (all probes will be disabled and the command will be overridden) | `false` |
| `diagnosticMode.command` | Command to override all containers in the deployment | `["sleep"]` |
| `diagnosticMode.args` | Args to override all containers in the deployment | `["infinity"]` |
### etcd parameters
| Name | Description | Value |
| -------------------------------------- | ----------------------------------------------------------------------------------------------- | -------------------- |
| `image.registry` | etcd image registry | `docker.io` |
| `image.repository` | etcd image name | `bitnami/etcd` |
| `image.tag` | etcd image tag | `3.5.4-debian-11-r3` |
| `image.pullPolicy` | etcd image pull policy | `IfNotPresent` |
| `image.pullSecrets` | etcd image pull secrets | `[]` |
| `image.debug` | Enable image debug mode | `false` |
| `auth.rbac.create` | Switch to enable RBAC authentication | `true` |
| `auth.rbac.allowNoneAuthentication` | Allow to use etcd without configuring RBAC authentication | `true` |
| `auth.rbac.rootPassword` | Root user password. The root user is always `root` | `""` |
| `auth.rbac.existingSecret` | Name of the existing secret containing credentials for the root user | `""` |
| `auth.rbac.existingSecretPasswordKey` | Name of key containing password to be retrieved from the existing secret | `""` |
| `auth.token.type` | Authentication token type. Allowed values: 'simple' or 'jwt' | `jwt` |
| `auth.token.privateKey.filename` | Name of the file containing the private key for signing the JWT token | `jwt-token.pem` |
| `auth.token.privateKey.existingSecret` | Name of the existing secret containing the private key for signing the JWT token | `""` |
| `auth.token.signMethod` | JWT token sign method | `RS256` |
| `auth.token.ttl` | JWT token TTL | `10m` |
| `auth.client.secureTransport` | Switch to encrypt client-to-server communications using TLS certificates | `false` |
| `auth.client.useAutoTLS` | Switch to automatically create the TLS certificates | `false` |
| `auth.client.existingSecret` | Name of the existing secret containing the TLS certificates for client-to-server communications | `""` |
| `auth.client.enableAuthentication` | Switch to enable host authentication using TLS certificates. Requires existing secret | `false` |
| `auth.client.certFilename` | Name of the file containing the client certificate | `cert.pem` |
| `auth.client.certKeyFilename` | Name of the file containing the client certificate private key | `key.pem` |
| `auth.client.caFilename` | Name of the file containing the client CA certificate | `""` |
| `auth.peer.secureTransport` | Switch to encrypt server-to-server communications using TLS certificates | `false` |
| `auth.peer.useAutoTLS` | Switch to automatically create the TLS certificates | `false` |
| `auth.peer.existingSecret` | Name of the existing secret containing the TLS certificates for server-to-server communications | `""` |
| `auth.peer.enableAuthentication` | Switch to enable host authentication using TLS certificates. Requires existing secret | `false` |
| `auth.peer.certFilename` | Name of the file containing the peer certificate | `cert.pem` |
| `auth.peer.certKeyFilename` | Name of the file containing the peer certificate private key | `key.pem` |
| `auth.peer.caFilename` | Name of the file containing the peer CA certificate | `""` |
| `autoCompactionMode` | Auto compaction mode, by default periodic. Valid values: "periodic", "revision". | `""` |
| `autoCompactionRetention` | Auto compaction retention for mvcc key value store in hour, by default 0, means disabled | `""` |
| `initialClusterState` | Initial cluster state. Allowed values: 'new' or 'existing' | `""` |
| `maxProcs` | Limits the number of operating system threads that can execute user-level | `""` |
| `removeMemberOnContainerTermination` | Use a PreStop hook to remove the etcd members from the etcd cluster on container termination | `true` |
| `configuration` | etcd configuration. Specify content for etcd.conf.yml | `""` |
| `existingConfigmap` | Existing ConfigMap with etcd configuration | `""` |
| `extraEnvVars` | Extra environment variables to be set on etcd container | `[]` |
| `extraEnvVarsCM` | Name of existing ConfigMap containing extra env vars | `""` |
| `extraEnvVarsSecret` | Name of existing Secret containing extra env vars | `""` |
| `command` | Default container command (useful when using custom images) | `[]` |
| `args` | Default container args (useful when using custom images) | `[]` |
### etcd statefulset parameters
| Name | Description | Value |
| -------------------------------------------------- | ----------------------------------------------------------------------------------------- | --------------- |
| `replicaCount` | Number of etcd replicas to deploy | `1` |
| `updateStrategy.type` | Update strategy type, can be set to RollingUpdate or OnDelete. | `RollingUpdate` |
| `podManagementPolicy` | Pod management policy for the etcd statefulset | `Parallel` |
| `hostAliases` | etcd pod host aliases | `[]` |
| `lifecycleHooks` | Override default etcd container hooks | `{}` |
| `containerPorts.client` | Client port to expose at container level | `2379` |
| `containerPorts.peer` | Peer port to expose at container level | `2380` |
| `podSecurityContext.enabled` | Enabled etcd pods' Security Context | `true` |
| `podSecurityContext.fsGroup` | Set etcd pod's Security Context fsGroup | `1001` |
| `containerSecurityContext.enabled` | Enabled etcd containers' Security Context | `true` |
| `containerSecurityContext.runAsUser` | Set etcd container's Security Context runAsUser | `1001` |
| `containerSecurityContext.runAsNonRoot` | Set etcd container's Security Context runAsNonRoot | `true` |
| `resources.limits` | The resources limits for the etcd container | `{}` |
| `resources.requests` | The requested resources for the etcd container | `{}` |
| `livenessProbe.enabled` | Enable livenessProbe | `true` |
| `livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `60` |
| `livenessProbe.periodSeconds` | Period seconds for livenessProbe | `30` |
| `livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `5` |
| `livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `5` |
| `livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` |
| `readinessProbe.enabled` | Enable readinessProbe | `true` |
| `readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `60` |
| `readinessProbe.periodSeconds` | Period seconds for readinessProbe | `10` |
| `readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `5` |
| `readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `5` |
| `readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` |
| `startupProbe.enabled` | Enable startupProbe | `false` |
| `startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `0` |
| `startupProbe.periodSeconds` | Period seconds for startupProbe | `10` |
| `startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `5` |
| `startupProbe.failureThreshold` | Failure threshold for startupProbe | `60` |
| `startupProbe.successThreshold` | Success threshold for startupProbe | `1` |
| `customLivenessProbe` | Override default liveness probe | `{}` |
| `customReadinessProbe` | Override default readiness probe | `{}` |
| `customStartupProbe` | Override default startup probe | `{}` |
| `extraVolumes` | Optionally specify extra list of additional volumes for etcd pods | `[]` |
| `extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for etcd container(s) | `[]` |
| `initContainers` | Add additional init containers to the etcd pods | `[]` |
| `sidecars` | Add additional sidecar containers to the etcd pods | `[]` |
| `podAnnotations` | Annotations for etcd pods | `{}` |
| `podLabels` | Extra labels for etcd pods | `{}` |
| `podAffinityPreset` | Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` |
| `podAntiAffinityPreset` | Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `soft` |
| `nodeAffinityPreset.type` | Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` |
| `nodeAffinityPreset.key` | Node label key to match. Ignored if `affinity` is set. | `""` |
| `nodeAffinityPreset.values` | Node label values to match. Ignored if `affinity` is set. | `[]` |
| `affinity` | Affinity for pod assignment | `{}` |
| `nodeSelector` | Node labels for pod assignment | `{}` |
| `tolerations` | Tolerations for pod assignment | `[]` |
| `terminationGracePeriodSeconds` | Seconds the pod needs to gracefully terminate | `""` |
| `schedulerName` | Name of the k8s scheduler (other than default) | `""` |
| `priorityClassName` | Name of the priority class to be used by etcd pods | `""` |
| `runtimeClassName` | Name of the runtime class to be used by pod(s) | `""` |
| `topologySpreadConstraints` | Topology Spread Constraints for pod assignment | `[]` |
| `persistentVolumeClaimRetentionPolicy.enabled` | Controls if and how PVCs are deleted during the lifecycle of a StatefulSet | `false` |
| `persistentVolumeClaimRetentionPolicy.whenScaled` | Volume retention behavior when the replica count of the StatefulSet is reduced | `Retain` |
| `persistentVolumeClaimRetentionPolicy.whenDeleted` | Volume retention behavior that applies when the StatefulSet is deleted | `Retain` |
### Traffic exposure parameters
| Name | Description | Value |
| ---------------------------------- | ---------------------------------------------------------------------------------- | ----------- |
| `service.type` | Kubernetes Service type | `ClusterIP` |
| `service.enabled` | create second service if equal true | `true` |
| `service.clusterIP` | Kubernetes service Cluster IP | `""` |
| `service.ports.client` | etcd client port | `2379` |
| `service.ports.peer` | etcd peer port | `2380` |
| `service.nodePorts.client` | Specify the nodePort client value for the LoadBalancer and NodePort service types. | `""` |
| `service.nodePorts.peer` | Specify the nodePort peer value for the LoadBalancer and NodePort service types. | `""` |
| `service.clientPortNameOverride` | etcd client port name override | `""` |
| `service.peerPortNameOverride` | etcd peer port name override | `""` |
| `service.loadBalancerIP` | loadBalancerIP for the etcd service (optional, cloud specific) | `""` |
| `service.loadBalancerSourceRanges` | Load Balancer source ranges | `[]` |
| `service.externalIPs` | External IPs | `[]` |
| `service.externalTrafficPolicy` | %%MAIN_CONTAINER_NAME%% service external traffic policy | `Cluster` |
| `service.extraPorts` | Extra ports to expose (normally used with the `sidecar` value) | `[]` |
| `service.annotations` | Additional annotations for the etcd service | `{}` |
| `service.sessionAffinity` | Session Affinity for Kubernetes service, can be "None" or "ClientIP" | `None` |
| `service.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` |
### Persistence parameters
| Name | Description | Value |
| -------------------------- | --------------------------------------------------------------- | ------------------- |
| `persistence.enabled` | If true, use a Persistent Volume Claim. If false, use emptyDir. | `true` |
| `persistence.storageClass` | Persistent Volume Storage Class | `""` |
| `persistence.annotations` | Annotations for the PVC | `{}` |
| `persistence.accessModes` | Persistent Volume Access Modes | `["ReadWriteOnce"]` |
| `persistence.size` | PVC Storage Request for etcd data volume | `8Gi` |
| `persistence.selector` | Selector to match an existing Persistent Volume | `{}` |
### Volume Permissions parameters
| Name | Description | Value |
| -------------------------------------- | -------------------------------------------------------------------------------------------------------------------- | ----------------------- |
| `volumePermissions.enabled` | Enable init container that changes the owner and group of the persistent volume(s) mountpoint to `runAsUser:fsGroup` | `false` |
| `volumePermissions.image.registry` | Init container volume-permissions image registry | `docker.io` |
| `volumePermissions.image.repository` | Init container volume-permissions image name | `bitnami/bitnami-shell` |
| `volumePermissions.image.tag` | Init container volume-permissions image tag | `11-debian-11-r3` |
| `volumePermissions.image.pullPolicy` | Init container volume-permissions image pull policy | `IfNotPresent` |
| `volumePermissions.image.pullSecrets` | Specify docker-registry secret names as an array | `[]` |
| `volumePermissions.resources.limits` | Init container volume-permissions resource limits | `{}` |
| `volumePermissions.resources.requests` | Init container volume-permissions resource requests | `{}` |
### Network Policy parameters
| Name | Description | Value |
| --------------------------------------- | ---------------------------------------------------------- | ------- |
| `networkPolicy.enabled` | Enable creation of NetworkPolicy resources | `false` |
| `networkPolicy.allowExternal` | Don't require client label for connections | `true` |
| `networkPolicy.extraIngress` | Add extra ingress rules to the NetworkPolicy | `[]` |
| `networkPolicy.extraEgress` | Add extra ingress rules to the NetworkPolicy | `[]` |
| `networkPolicy.ingressNSMatchLabels` | Labels to match to allow traffic from other namespaces | `{}` |
| `networkPolicy.ingressNSPodMatchLabels` | Pod labels to match to allow traffic from other namespaces | `{}` |
### Metrics parameters
| Name | Description | Value |
| ----------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------- | ------------ |
| `metrics.enabled` | Expose etcd metrics | `false` |
| `metrics.podAnnotations` | Annotations for the Prometheus metrics on etcd pods | `{}` |
| `metrics.podMonitor.enabled` | Create PodMonitor Resource for scraping metrics using PrometheusOperator | `false` |
| `metrics.podMonitor.namespace` | Namespace in which Prometheus is running | `monitoring` |
| `metrics.podMonitor.interval` | Specify the interval at which metrics should be scraped | `30s` |
| `metrics.podMonitor.scrapeTimeout` | Specify the timeout after which the scrape is ended | `30s` |
| `metrics.podMonitor.additionalLabels` | Additional labels that can be used so PodMonitors will be discovered by Prometheus | `{}` |
| `metrics.podMonitor.scheme` | Scheme to use for scraping | `http` |
| `metrics.podMonitor.tlsConfig` | TLS configuration used for scrape endpoints used by Prometheus | `{}` |
| `metrics.podMonitor.relabelings` | Prometheus relabeling rules | `[]` |
| `metrics.prometheusRule.enabled` | Create a Prometheus Operator PrometheusRule (also requires `metrics.enabled` to be `true` and `metrics.prometheusRule.rules`) | `false` |
| `metrics.prometheusRule.namespace` | Namespace for the PrometheusRule Resource (defaults to the Release Namespace) | `""` |
| `metrics.prometheusRule.additionalLabels` | Additional labels that can be used so PrometheusRule will be discovered by Prometheus | `{}` |
| `metrics.prometheusRule.rules` | Prometheus Rule definitions | `[]` |
### Snapshotting parameters
| Name | Description | Value |
| ----------------------------------------------- | ----------------------------------------------------------------------- | -------------- |
| `startFromSnapshot.enabled` | Initialize new cluster recovering an existing snapshot | `false` |
| `startFromSnapshot.existingClaim` | Existing PVC containing the etcd snapshot | `""` |
| `startFromSnapshot.snapshotFilename` | Snapshot filename | `""` |
| `disasterRecovery.enabled` | Enable auto disaster recovery by periodically snapshotting the keyspace | `false` |
| `disasterRecovery.cronjob.schedule` | Schedule in Cron format to save snapshots | `*/30 * * * *` |
| `disasterRecovery.cronjob.historyLimit` | Number of successful finished jobs to retain | `1` |
| `disasterRecovery.cronjob.snapshotHistoryLimit` | Number of etcd snapshots to retain, tagged by date | `1` |
| `disasterRecovery.cronjob.podAnnotations` | Pod annotations for cronjob pods | `{}` |
| `disasterRecovery.cronjob.resources.limits` | Cronjob container resource limits | `{}` |
| `disasterRecovery.cronjob.resources.requests` | Cronjob container resource requests | `{}` |
| `disasterRecovery.cronjob.nodeSelector` | Node labels for cronjob pods assignment | `{}` |
| `disasterRecovery.cronjob.tolerations` | Tolerations for cronjob pods assignment | `[]` |
| `disasterRecovery.pvc.existingClaim` | A manually managed Persistent Volume and Claim | `""` |
| `disasterRecovery.pvc.size` | PVC Storage Request | `2Gi` |
| `disasterRecovery.pvc.storageClassName` | Storage Class for snapshots volume | `nfs` |
### Service account parameters
| Name | Description | Value |
| --------------------------------------------- | ------------------------------------------------------------ | ------- |
| `serviceAccount.create` | Enable/disable service account creation | `false` |
| `serviceAccount.name` | Name of the service account to create or use | `""` |
| `serviceAccount.automountServiceAccountToken` | Enable/disable auto mounting of service account token | `true` |
| `serviceAccount.annotations` | Additional annotations to be included on the service account | `{}` |
| `serviceAccount.labels` | Additional labels to be included on the service account | `{}` |
### Other parameters
| Name | Description | Value |
| -------------------- | -------------------------------------------------------------- | ------ |
| `pdb.create` | Enable/disable a Pod Disruption Budget creation | `true` |
| `pdb.minAvailable` | Minimum number/percentage of pods that should remain scheduled | `51%` |
| `pdb.maxUnavailable` | Maximum number/percentage of pods that may be made unavailable | `""` |
Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example,
```console
$ helm install my-release \
--set auth.rbac.rootPassword=secretpassword bitnami/etcd
```
The above command sets the etcd `root` account password to `secretpassword`.
> NOTE: Once this chart is deployed, it is not possible to change the application's access credentials, such as usernames or passwords, using Helm. To change these application credentials after deployment, delete any persistent volumes (PVs) used by the chart and re-deploy it, or use the application's built-in administrative tools if available.
Alternatively, a YAML file that specifies the values for the parameters can be provided while installing the chart. For example,
```console
$ helm install my-release -f values.yaml bitnami/etcd
```
> **Tip**: You can use the default [values.yaml](values.yaml)
## Configuration and installation details
### [Rolling VS Immutable tags](https://docs.bitnami.com/containers/how-to/understand-rolling-tags-containers/)
It is strongly recommended to use immutable tags in a production environment. This ensures your deployment does not change automatically if the same tag is updated with a different image.
Bitnami will release a new chart updating its containers if a new version of the main container, significant changes, or critical vulnerabilities exist.
### Cluster configuration
The Bitnami etcd chart can be used to bootstrap an etcd cluster, easy to scale and with available features to implement disaster recovery.
Refer to the [chart documentation](https://docs.bitnami.com/kubernetes/infrastructure/etcd/get-started/understand-default-configuration/) for more information about all these details.
### Enable security for etcd
The etcd chart can be configured with Role-based access control and TLS encryption to improve its security.
[Learn more about security in the chart documentation](https://docs.bitnami.com/kubernetes/infrastructure/etcd/administration/enable-security/).
### Persistence
The [Bitnami etcd](https://github.com/bitnami/bitnami-docker-etcd) image stores the etcd data at the `/bitnami/etcd` path of the container. Persistent Volume Claims are used to keep the data across statefulsets.
The chart mounts a [Persistent Volume](https://kubernetes.io/docs/concepts/storage/persistent-volumes/) volume at this location. The volume is created using dynamic volume provisioning by default. An existing PersistentVolumeClaim can also be defined for this purpose.
If you encounter errors when working with persistent volumes, refer to our [troubleshooting guide for persistent volumes](https://docs.bitnami.com/kubernetes/faq/troubleshooting/troubleshooting-persistence-volumes/).
### Backup and restore the etcd keyspace
The Bitnami etcd chart provides mechanisms to bootstrap the etcd cluster restoring an existing snapshot before initializing.
[Learn more about backup/restore features in the chart documentation](https://docs.bitnami.com/kubernetes/infrastructure/etcd/administration/backup-restore/).
### Exposing etcd metrics
The metrics exposed by etcd can be exposed to be scraped by Prometheus. This can be done by adding the required annotations for Prometheus to discover the metrics endpoints or creating a PodMonitor entry if you are using the Prometheus Operator.
[Learn more about exposing metrics in the chart documentation](https://docs.bitnami.com/kubernetes/infrastructure/etcd/administration/enable-metrics/).
### Using custom configuration
In order to use custom configuration parameters, two options are available:
- Using environment variables: etcd allows setting environment variables that map to configuration settings. In order to set extra environment variables, you can use the `extraEnvVars` property. Alternatively, you can use a ConfigMap or a Secret with the environment variables using the `extraEnvVarsCM` or the `extraEnvVarsSecret` properties.
```yaml
extraEnvVars:
- name: ETCD_AUTO_COMPACTION_RETENTION
value: "0"
- name: ETCD_HEARTBEAT_INTERVAL
value: "150"
```
- Using a custom `etcd.conf.yml`: The etcd chart allows mounting a custom `etcd.conf.yml` file as ConfigMap. In order to so, you can use the `configuration` property. Alternatively, you can use an existing ConfigMap using the `existingConfigmap` parameter.
### Auto Compaction
Since etcd keeps an exact history of its keyspace, this history should be periodically compacted to avoid performance degradation and eventual storage space exhaustion. Compacting the keyspace history drops all information about keys superseded prior to a given keyspace revision. The space used by these keys then becomes available for additional writes to the keyspace.
`autoCompactionMode`, by default periodic. Valid values: "periodic", "revision".
- 'periodic' for duration based retention, defaulting to hours if no time unit is provided (e.g. "5m").
- 'revision' for revision number based retention.
`autoCompactionRetention` for mvcc key value store in hour, by default 0, means disabled.
You can enable auto compaction by using following parameters:
```console
autoCompactionMode=periodic
autoCompactionRetention=10m
```
### Sidecars and Init Containers
If you have a need for additional containers to run within the same pod as the etcd app (e.g. an additional metrics or logging exporter), you can do so via the `sidecars` config parameter. Simply define your container according to the Kubernetes container spec.
```yaml
sidecars:
- name: your-image-name
image: your-image
imagePullPolicy: Always
ports:
- name: portname
containerPort: 1234
```
Similarly, you can add extra init containers using the `initContainers` parameter.
```yaml
initContainers:
- name: your-image-name
image: your-image
imagePullPolicy: Always
ports:
- name: portname
containerPort: 1234
```
### Deploying extra resources
There are cases where you may want to deploy extra objects, such a ConfigMap containing your app's configuration or some extra deployment with a micro service used by your app. For covering this case, the chart allows adding the full specification of other objects using the `extraDeploy` parameter.
### Setting Pod's affinity
This chart allows you to set your custom affinity using the `affinity` parameter. Find more information about Pod's affinity in the [kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity).
As an alternative, you can use of the preset configurations for pod affinity, pod anti-affinity, and node affinity available at the [bitnami/common](https://github.com/bitnami/charts/tree/master/bitnami/common#affinities) chart. To do so, set the `podAffinityPreset`, `podAntiAffinityPreset`, or `nodeAffinityPreset` parameters.
## Troubleshooting
Find more information about how to deal with common errors related to Bitnami's Helm charts in [this troubleshooting guide](https://docs.bitnami.com/general/how-to/troubleshoot-helm-chart-issues).
## Upgrading
### To 8.0.0
This version reverts the change in the previous major bump ([7.0.0](https://github.com/bitnami/charts/tree/master/bitnami/etcd#to-700)). Now the default `etcd` branch is `3.5` again once confirmed by the [etcd developers](https://github.com/etcd-io/etcd/tree/main/CHANGELOG#production-recommendation) that this version is production-ready once solved the data corruption issue.
### To 7.0.0
This version changes the default `etcd` branch to `3.4` as suggested by [etcd developers](https://github.com/etcd-io/etcd/tree/main/CHANGELOG#production-recommendation). In order to migrate the data follow the official etcd instructions.
### To 6.0.0
This version introduces several features and performance improvements:
- The statefulset can now be scaled using `kubectl scale` command. Using `helm upgrade` to recalculate available endpoints is no longer needed.
- The scripts used for bootstrapping, runtime reconfiguration, and disaster recovery have been refactored and moved to the etcd container (see [this PR](https://github.com/bitnami/bitnami-docker-etcd/pull/13)) with two purposes: removing technical debt & improving the stability.
- Several parameters were reorganized to simplify the structure and follow the same standard used on other Bitnami charts:
- `etcd.initialClusterState` is renamed to `initialClusterState`.
- `statefulset.replicaCount` is renamed to `replicaCount`.
- `statefulset.podManagementPolicy` is renamed to `podManagementPolicy`.
- `statefulset.updateStrategy` and `statefulset.rollingUpdatePartition` are merged into `updateStrategy`.
- `securityContext.*` is deprecated in favor of `podSecurityContext` and `containerSecurityContext`.
- `configFileConfigMap` is deprecated in favor of `configuration` and `existingConfigmap`.
- `envVarsConfigMap` is deprecated in favor of `extraEnvVars`, `extraEnvVarsCM` and `extraEnvVarsSecret`.
- `allowNoneAuthentication` is renamed to `auth.rbac.allowNoneAuthentication`.
- New parameters/features were added:
- `extraDeploy` to deploy any extra desired object.
- `initContainers` and `sidecars` to define custom init containers and sidecars.
- `extraVolumes` and `extraVolumeMounts` to define custom volumes and mount points.
- Probes can be now customized, and support to startup probes is added.
- LifecycleHooks can be customized using `lifecycleHooks` parameter.
- The default command/args can be customized using `command` and `args` parameters.
- Metrics integration with Prometheus Operator does no longer use a ServiceMonitor object, but a PodMonitor instead.
Consequences:
- Backwards compatibility is not guaranteed unless you adapt you **values.yaml** according to the changes described above.
### To 5.2.0
This version introduces `bitnami/common`, a [library chart](https://helm.sh/docs/topics/library_charts/#helm) as a dependency. More documentation about this new utility could be found [here](https://github.com/bitnami/charts/tree/master/bitnami/common#bitnami-common-library-chart). Please, make sure that you have updated the chart dependencies before executing any upgrade.
### To 5.0.0
[On November 13, 2020, Helm v2 support formally ended](https://github.com/helm/charts#status-of-the-project). This major version is the result of the required changes applied to the Helm Chart to be able to incorporate the different features added in Helm v3 and to be consistent with the Helm project itself regarding the Helm v2 EOL.
[Learn more about this change and related upgrade considerations](https://docs.bitnami.com/kubernetes/infrastructure/etcd/administration/upgrade-helm3/).
### To 4.4.14
In this release we addressed a vulnerability that showed the `ETCD_ROOT_PASSWORD` environment variable in the application logs. Users are advised to update immediately. More information in [this issue](https://github.com/bitnami/charts/issues/1901).
### To 3.0.0
Backwards compatibility is not guaranteed. The following notables changes were included:
- **etcdctl** uses v3 API.
- Adds support for auto disaster recovery.
- Labels are adapted to follow the Helm charts best practices.
To upgrade from previous charts versions, create a snapshot of the keyspace and restore it in a new etcd cluster. Only v3 API data can be restored.
You can use the command below to upgrade your chart by starting a new cluster using an existing snapshot, available in an existing PVC, to initialize the members:
```console
$ helm install new-release bitnami/etcd \
--set statefulset.replicaCount=3 \
--set persistence.enabled=true \
--set persistence.size=8Gi \
--set startFromSnapshot.enabled=true \
--set startFromSnapshot.existingClaim=my-claim \
--set startFromSnapshot.snapshotFilename=my-snapshot.db
```
### To 1.0.0
Backwards compatibility is not guaranteed unless you modify the labels used on the chart's deployments.
Use the workaround below to upgrade from versions previous to 1.0.0. The following example assumes that the release name is etcd:
```console
$ kubectl delete statefulset etcd --cascade=false
```
## License
Copyright &copy; 2022 Bitnami
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.

22
deploy/charts/apisix/charts/etcd/charts/common/.helmignore Normal file
View File

@ -0,0 +1,22 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/

23
deploy/charts/apisix/charts/etcd/charts/common/Chart.yaml Normal file
View File

@ -0,0 +1,23 @@
annotations:
category: Infrastructure
apiVersion: v2
appVersion: 1.16.0
description: A Library Helm Chart for grouping common logic between bitnami charts.
This chart is not deployable by itself.
home: https://github.com/bitnami/charts/tree/master/bitnami/common
icon: https://bitnami.com/downloads/logos/bitnami-mark.png
keywords:
- common
- helper
- template
- function
- bitnami
maintainers:
- name: Bitnami
url: https://github.com/bitnami/charts
name: common
sources:
- https://github.com/bitnami/charts
- https://www.bitnami.com/
type: library
version: 1.16.0

350
deploy/charts/apisix/charts/etcd/charts/common/README.md Normal file
View File

@ -0,0 +1,350 @@
# Bitnami Common Library Chart
A [Helm Library Chart](https://helm.sh/docs/topics/library_charts/#helm) for grouping common logic between bitnami charts.
## TL;DR
```yaml
dependencies:
- name: common
version: 1.x.x
repository: https://charts.bitnami.com/bitnami
```
```bash
$ helm dependency update
```
```yaml
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ include "common.names.fullname" . }}
data:
myvalue: "Hello World"
```
## Introduction
This chart provides a common template helpers which can be used to develop new charts using [Helm](https://helm.sh) package manager.
Bitnami charts can be used with [Kubeapps](https://kubeapps.com/) for deployment and management of Helm Charts in clusters. This Helm chart has been tested on top of [Bitnami Kubernetes Production Runtime](https://kubeprod.io/) (BKPR). Deploy BKPR to get automated TLS certificates, logging and monitoring for your applications.
## Prerequisites
- Kubernetes 1.19+
- Helm 3.2.0+
## Parameters
The following table lists the helpers available in the library which are scoped in different sections.
### Affinities
| Helper identifier | Description | Expected Input |
|-------------------------------|------------------------------------------------------|------------------------------------------------|
| `common.affinities.nodes.soft` | Return a soft nodeAffinity definition | `dict "key" "FOO" "values" (list "BAR" "BAZ")` |
| `common.affinities.nodes.hard` | Return a hard nodeAffinity definition | `dict "key" "FOO" "values" (list "BAR" "BAZ")` |
| `common.affinities.pods.soft` | Return a soft podAffinity/podAntiAffinity definition | `dict "component" "FOO" "context" $` |
| `common.affinities.pods.hard` | Return a hard podAffinity/podAntiAffinity definition | `dict "component" "FOO" "context" $` |
### Capabilities
| Helper identifier | Description | Expected Input |
|------------------------------------------------|------------------------------------------------------------------------------------------------|-------------------|
| `common.capabilities.kubeVersion` | Return the target Kubernetes version (using client default if .Values.kubeVersion is not set). | `.` Chart context |
| `common.capabilities.cronjob.apiVersion` | Return the appropriate apiVersion for cronjob. | `.` Chart context |
| `common.capabilities.deployment.apiVersion` | Return the appropriate apiVersion for deployment. | `.` Chart context |
| `common.capabilities.statefulset.apiVersion` | Return the appropriate apiVersion for statefulset. | `.` Chart context |
| `common.capabilities.ingress.apiVersion` | Return the appropriate apiVersion for ingress. | `.` Chart context |
| `common.capabilities.rbac.apiVersion` | Return the appropriate apiVersion for RBAC resources. | `.` Chart context |
| `common.capabilities.crd.apiVersion` | Return the appropriate apiVersion for CRDs. | `.` Chart context |
| `common.capabilities.policy.apiVersion` | Return the appropriate apiVersion for podsecuritypolicy. | `.` Chart context |
| `common.capabilities.networkPolicy.apiVersion` | Return the appropriate apiVersion for networkpolicy. | `.` Chart context |
| `common.capabilities.apiService.apiVersion` | Return the appropriate apiVersion for APIService. | `.` Chart context |
| `common.capabilities.hpa.apiVersion` | Return the appropriate apiVersion for Horizontal Pod Autoscaler | `.` Chart context |
| `common.capabilities.supportsHelmVersion` | Returns true if the used Helm version is 3.3+ | `.` Chart context |
### Errors
| Helper identifier | Description | Expected Input |
|-----------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------|
| `common.errors.upgrade.passwords.empty` | It will ensure required passwords are given when we are upgrading a chart. If `validationErrors` is not empty it will throw an error and will stop the upgrade action. | `dict "validationErrors" (list $validationError00 $validationError01) "context" $` |
### Images
| Helper identifier | Description | Expected Input |
|-----------------------------|------------------------------------------------------|---------------------------------------------------------------------------------------------------------|
| `common.images.image` | Return the proper and full image name | `dict "imageRoot" .Values.path.to.the.image "global" $`, see [ImageRoot](#imageroot) for the structure. |
| `common.images.pullSecrets` | Return the proper Docker Image Registry Secret Names (deprecated: use common.images.renderPullSecrets instead) | `dict "images" (list .Values.path.to.the.image1, .Values.path.to.the.image2) "global" .Values.global` |
| `common.images.renderPullSecrets` | Return the proper Docker Image Registry Secret Names (evaluates values as templates) | `dict "images" (list .Values.path.to.the.image1, .Values.path.to.the.image2) "context" $` |
### Ingress
| Helper identifier | Description | Expected Input |
|-------------------------------------------|-------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| `common.ingress.backend` | Generate a proper Ingress backend entry depending on the API version | `dict "serviceName" "foo" "servicePort" "bar"`, see the [Ingress deprecation notice](https://kubernetes.io/blog/2019/07/18/api-deprecations-in-1-16/) for the syntax differences |
| `common.ingress.supportsPathType` | Prints "true" if the pathType field is supported | `.` Chart context |
| `common.ingress.supportsIngressClassname` | Prints "true" if the ingressClassname field is supported | `.` Chart context |
| `common.ingress.certManagerRequest` | Prints "true" if required cert-manager annotations for TLS signed certificates are set in the Ingress annotations | `dict "annotations" .Values.path.to.the.ingress.annotations` |
### Labels
| Helper identifier | Description | Expected Input |
|-----------------------------|-----------------------------------------------------------------------------|-------------------|
| `common.labels.standard` | Return Kubernetes standard labels | `.` Chart context |
| `common.labels.matchLabels` | Labels to use on `deploy.spec.selector.matchLabels` and `svc.spec.selector` | `.` Chart context |
### Names
| Helper identifier | Description | Expected Input |
|-----------------------------------|-----------------------------------------------------------------------|-------------------|
| `common.names.name` | Expand the name of the chart or use `.Values.nameOverride` | `.` Chart context |
| `common.names.fullname` | Create a default fully qualified app name. | `.` Chart context |
| `common.names.namespace` | Allow the release namespace to be overridden | `.` Chart context |
| `common.names.fullname.namespace` | Create a fully qualified app name adding the installation's namespace | `.` Chart context |
| `common.names.chart` | Chart name plus version | `.` Chart context |
### Secrets
| Helper identifier | Description | Expected Input |
|---------------------------|--------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| `common.secrets.name` | Generate the name of the secret. | `dict "existingSecret" .Values.path.to.the.existingSecret "defaultNameSuffix" "mySuffix" "context" $` see [ExistingSecret](#existingsecret) for the structure. |
| `common.secrets.key` | Generate secret key. | `dict "existingSecret" .Values.path.to.the.existingSecret "key" "keyName"` see [ExistingSecret](#existingsecret) for the structure. |
| `common.passwords.manage` | Generate secret password or retrieve one if already created. | `dict "secret" "secret-name" "key" "keyName" "providedValues" (list "path.to.password1" "path.to.password2") "length" 10 "strong" false "chartName" "chartName" "context" $`, length, strong and chartNAme fields are optional. |
| `common.secrets.exists` | Returns whether a previous generated secret already exists. | `dict "secret" "secret-name" "context" $` |
### Storage
| Helper identifier | Description | Expected Input |
|-------------------------------|---------------------------------------|---------------------------------------------------------------------------------------------------------------------|
| `common.storage.class` | Return the proper Storage Class | `dict "persistence" .Values.path.to.the.persistence "global" $`, see [Persistence](#persistence) for the structure. |
### TplValues
| Helper identifier | Description | Expected Input |
|---------------------------|----------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------|
| `common.tplvalues.render` | Renders a value that contains template | `dict "value" .Values.path.to.the.Value "context" $`, value is the value should rendered as template, context frequently is the chart context `$` or `.` |
### Utils
| Helper identifier | Description | Expected Input |
|--------------------------------|------------------------------------------------------------------------------------------|------------------------------------------------------------------------|
| `common.utils.fieldToEnvVar` | Build environment variable name given a field. | `dict "field" "my-password"` |
| `common.utils.secret.getvalue` | Print instructions to get a secret value. | `dict "secret" "secret-name" "field" "secret-value-field" "context" $` |
| `common.utils.getValueFromKey` | Gets a value from `.Values` object given its key path | `dict "key" "path.to.key" "context" $` |
| `common.utils.getKeyFromList` | Returns first `.Values` key with a defined value or first of the list if all non-defined | `dict "keys" (list "path.to.key1" "path.to.key2") "context" $` |
### Validations
| Helper identifier | Description | Expected Input |
|--------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| `common.validations.values.single.empty` | Validate a value must not be empty. | `dict "valueKey" "path.to.value" "secret" "secret.name" "field" "my-password" "subchart" "subchart" "context" $` secret, field and subchart are optional. In case they are given, the helper will generate a how to get instruction. See [ValidateValue](#validatevalue) |
| `common.validations.values.multiple.empty` | Validate a multiple values must not be empty. It returns a shared error for all the values. | `dict "required" (list $validateValueConf00 $validateValueConf01) "context" $`. See [ValidateValue](#validatevalue) |
| `common.validations.values.mariadb.passwords` | This helper will ensure required password for MariaDB are not empty. It returns a shared error for all the values. | `dict "secret" "mariadb-secret" "subchart" "true" "context" $` subchart field is optional and could be true or false it depends on where you will use mariadb chart and the helper. |
| `common.validations.values.mysql.passwords` | This helper will ensure required password for MySQL are not empty. It returns a shared error for all the values. | `dict "secret" "mysql-secret" "subchart" "true" "context" $` subchart field is optional and could be true or false it depends on where you will use mysql chart and the helper. |
| `common.validations.values.postgresql.passwords` | This helper will ensure required password for PostgreSQL are not empty. It returns a shared error for all the values. | `dict "secret" "postgresql-secret" "subchart" "true" "context" $` subchart field is optional and could be true or false it depends on where you will use postgresql chart and the helper. |
| `common.validations.values.redis.passwords` | This helper will ensure required password for Redis&reg; are not empty. It returns a shared error for all the values. | `dict "secret" "redis-secret" "subchart" "true" "context" $` subchart field is optional and could be true or false it depends on where you will use redis chart and the helper. |
| `common.validations.values.cassandra.passwords` | This helper will ensure required password for Cassandra are not empty. It returns a shared error for all the values. | `dict "secret" "cassandra-secret" "subchart" "true" "context" $` subchart field is optional and could be true or false it depends on where you will use cassandra chart and the helper. |
| `common.validations.values.mongodb.passwords` | This helper will ensure required password for MongoDB&reg; are not empty. It returns a shared error for all the values. | `dict "secret" "mongodb-secret" "subchart" "true" "context" $` subchart field is optional and could be true or false it depends on where you will use mongodb chart and the helper. |
### Warnings
| Helper identifier | Description | Expected Input |
|------------------------------|----------------------------------|------------------------------------------------------------|
| `common.warnings.rollingTag` | Warning about using rolling tag. | `ImageRoot` see [ImageRoot](#imageroot) for the structure. |
## Special input schemas
### ImageRoot
```yaml
registry:
type: string
description: Docker registry where the image is located
example: docker.io
repository:
type: string
description: Repository and image name
example: bitnami/nginx
tag:
type: string
description: image tag
example: 1.16.1-debian-10-r63
pullPolicy:
type: string
description: Specify a imagePullPolicy. Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
pullSecrets:
type: array
items:
type: string
description: Optionally specify an array of imagePullSecrets (evaluated as templates).
debug:
type: boolean
description: Set to true if you would like to see extra information on logs
example: false
## An instance would be:
# registry: docker.io
# repository: bitnami/nginx
# tag: 1.16.1-debian-10-r63
# pullPolicy: IfNotPresent
# debug: false
```
### Persistence
```yaml
enabled:
type: boolean
description: Whether enable persistence.
example: true
storageClass:
type: string
description: Ghost data Persistent Volume Storage Class, If set to "-", storageClassName: "" which disables dynamic provisioning.
example: "-"
accessMode:
type: string
description: Access mode for the Persistent Volume Storage.
example: ReadWriteOnce
size:
type: string
description: Size the Persistent Volume Storage.
example: 8Gi
path:
type: string
description: Path to be persisted.
example: /bitnami
## An instance would be:
# enabled: true
# storageClass: "-"
# accessMode: ReadWriteOnce
# size: 8Gi
# path: /bitnami
```
### ExistingSecret
```yaml
name:
type: string
description: Name of the existing secret.
example: mySecret
keyMapping:
description: Mapping between the expected key name and the name of the key in the existing secret.
type: object
## An instance would be:
# name: mySecret
# keyMapping:
# password: myPasswordKey
```
#### Example of use
When we store sensitive data for a deployment in a secret, some times we want to give to users the possibility of using theirs existing secrets.
```yaml
# templates/secret.yaml
---
apiVersion: v1
kind: Secret
metadata:
name: {{ include "common.names.fullname" . }}
labels:
app: {{ include "common.names.fullname" . }}
type: Opaque
data:
password: {{ .Values.password | b64enc | quote }}
# templates/dpl.yaml
---
...
env:
- name: PASSWORD
valueFrom:
secretKeyRef:
name: {{ include "common.secrets.name" (dict "existingSecret" .Values.existingSecret "context" $) }}
key: {{ include "common.secrets.key" (dict "existingSecret" .Values.existingSecret "key" "password") }}
...
# values.yaml
---
name: mySecret
keyMapping:
password: myPasswordKey
```
### ValidateValue
#### NOTES.txt
```console
{{- $validateValueConf00 := (dict "valueKey" "path.to.value00" "secret" "secretName" "field" "password-00") -}}
{{- $validateValueConf01 := (dict "valueKey" "path.to.value01" "secret" "secretName" "field" "password-01") -}}
{{ include "common.validations.values.multiple.empty" (dict "required" (list $validateValueConf00 $validateValueConf01) "context" $) }}
```
If we force those values to be empty we will see some alerts
```console
$ helm install test mychart --set path.to.value00="",path.to.value01=""
'path.to.value00' must not be empty, please add '--set path.to.value00=$PASSWORD_00' to the command. To get the current value:
export PASSWORD_00=$(kubectl get secret --namespace default secretName -o jsonpath="{.data.password-00}" | base64 -d)
'path.to.value01' must not be empty, please add '--set path.to.value01=$PASSWORD_01' to the command. To get the current value:
export PASSWORD_01=$(kubectl get secret --namespace default secretName -o jsonpath="{.data.password-01}" | base64 -d)
```
## Upgrading
### To 1.0.0
[On November 13, 2020, Helm v2 support was formally finished](https://github.com/helm/charts#status-of-the-project), this major version is the result of the required changes applied to the Helm Chart to be able to incorporate the different features added in Helm v3 and to be consistent with the Helm project itself regarding the Helm v2 EOL.
**What changes were introduced in this major version?**
- Previous versions of this Helm Chart use `apiVersion: v1` (installable by both Helm 2 and 3), this Helm Chart was updated to `apiVersion: v2` (installable by Helm 3 only). [Here](https://helm.sh/docs/topics/charts/#the-apiversion-field) you can find more information about the `apiVersion` field.
- Use `type: library`. [Here](https://v3.helm.sh/docs/faq/#library-chart-support) you can find more information.
- The different fields present in the *Chart.yaml* file has been ordered alphabetically in a homogeneous way for all the Bitnami Helm Charts
**Considerations when upgrading to this version**
- If you want to upgrade to this version from a previous one installed with Helm v3, you shouldn't face any issues
- If you want to upgrade to this version using Helm v2, this scenario is not supported as this version doesn't support Helm v2 anymore
- If you installed the previous version with Helm v2 and wants to upgrade to this version with Helm v3, please refer to the [official Helm documentation](https://helm.sh/docs/topics/v2_v3_migration/#migration-use-cases) about migrating from Helm v2 to v3
**Useful links**
- https://docs.bitnami.com/tutorials/resolve-helm2-helm3-post-migration-issues/
- https://helm.sh/docs/topics/v2_v3_migration/
- https://helm.sh/blog/migrate-from-helm-v2-to-helm-v3/
## License
Copyright &copy; 2022 Bitnami
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.

102
deploy/charts/apisix/charts/etcd/charts/common/templates/_affinities.tpl Normal file
View File

@ -0,0 +1,102 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Return a soft nodeAffinity definition
{{ include "common.affinities.nodes.soft" (dict "key" "FOO" "values" (list "BAR" "BAZ")) -}}
*/}}
{{- define "common.affinities.nodes.soft" -}}
preferredDuringSchedulingIgnoredDuringExecution:
- preference:
matchExpressions:
- key: {{ .key }}
operator: In
values:
{{- range .values }}
- {{ . | quote }}
{{- end }}
weight: 1
{{- end -}}
{{/*
Return a hard nodeAffinity definition
{{ include "common.affinities.nodes.hard" (dict "key" "FOO" "values" (list "BAR" "BAZ")) -}}
*/}}
{{- define "common.affinities.nodes.hard" -}}
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: {{ .key }}
operator: In
values:
{{- range .values }}
- {{ . | quote }}
{{- end }}
{{- end -}}
{{/*
Return a nodeAffinity definition
{{ include "common.affinities.nodes" (dict "type" "soft" "key" "FOO" "values" (list "BAR" "BAZ")) -}}
*/}}
{{- define "common.affinities.nodes" -}}
{{- if eq .type "soft" }}
{{- include "common.affinities.nodes.soft" . -}}
{{- else if eq .type "hard" }}
{{- include "common.affinities.nodes.hard" . -}}
{{- end -}}
{{- end -}}
{{/*
Return a soft podAffinity/podAntiAffinity definition
{{ include "common.affinities.pods.soft" (dict "component" "FOO" "extraMatchLabels" .Values.extraMatchLabels "context" $) -}}
*/}}
{{- define "common.affinities.pods.soft" -}}
{{- $component := default "" .component -}}
{{- $extraMatchLabels := default (dict) .extraMatchLabels -}}
preferredDuringSchedulingIgnoredDuringExecution:
- podAffinityTerm:
labelSelector:
matchLabels: {{- (include "common.labels.matchLabels" .context) | nindent 10 }}
{{- if not (empty $component) }}
{{ printf "app.kubernetes.io/component: %s" $component }}
{{- end }}
{{- range $key, $value := $extraMatchLabels }}
{{ $key }}: {{ $value | quote }}
{{- end }}
namespaces:
- {{ .context.Release.Namespace | quote }}
topologyKey: kubernetes.io/hostname
weight: 1
{{- end -}}
{{/*
Return a hard podAffinity/podAntiAffinity definition
{{ include "common.affinities.pods.hard" (dict "component" "FOO" "extraMatchLabels" .Values.extraMatchLabels "context" $) -}}
*/}}
{{- define "common.affinities.pods.hard" -}}
{{- $component := default "" .component -}}
{{- $extraMatchLabels := default (dict) .extraMatchLabels -}}
requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector:
matchLabels: {{- (include "common.labels.matchLabels" .context) | nindent 8 }}
{{- if not (empty $component) }}
{{ printf "app.kubernetes.io/component: %s" $component }}
{{- end }}
{{- range $key, $value := $extraMatchLabels }}
{{ $key }}: {{ $value | quote }}
{{- end }}
namespaces:
- {{ .context.Release.Namespace | quote }}
topologyKey: kubernetes.io/hostname
{{- end -}}
{{/*
Return a podAffinity/podAntiAffinity definition
{{ include "common.affinities.pods" (dict "type" "soft" "key" "FOO" "values" (list "BAR" "BAZ")) -}}
*/}}
{{- define "common.affinities.pods" -}}
{{- if eq .type "soft" }}
{{- include "common.affinities.pods.soft" . -}}
{{- else if eq .type "hard" }}
{{- include "common.affinities.pods.hard" . -}}
{{- end -}}
{{- end -}}

154
deploy/charts/apisix/charts/etcd/charts/common/templates/_capabilities.tpl Normal file
View File

@ -0,0 +1,154 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Return the target Kubernetes version
*/}}
{{- define "common.capabilities.kubeVersion" -}}
{{- if .Values.global }}
{{- if .Values.global.kubeVersion }}
{{- .Values.global.kubeVersion -}}
{{- else }}
{{- default .Capabilities.KubeVersion.Version .Values.kubeVersion -}}
{{- end -}}
{{- else }}
{{- default .Capabilities.KubeVersion.Version .Values.kubeVersion -}}
{{- end -}}
{{- end -}}
{{/*
Return the appropriate apiVersion for poddisruptionbudget.
*/}}
{{- define "common.capabilities.policy.apiVersion" -}}
{{- if semverCompare "<1.21-0" (include "common.capabilities.kubeVersion" .) -}}
{{- print "policy/v1beta1" -}}
{{- else -}}
{{- print "policy/v1" -}}
{{- end -}}
{{- end -}}
{{/*
Return the appropriate apiVersion for networkpolicy.
*/}}
{{- define "common.capabilities.networkPolicy.apiVersion" -}}
{{- if semverCompare "<1.7-0" (include "common.capabilities.kubeVersion" .) -}}
{{- print "extensions/v1beta1" -}}
{{- else -}}
{{- print "networking.k8s.io/v1" -}}
{{- end -}}
{{- end -}}
{{/*
Return the appropriate apiVersion for cronjob.
*/}}
{{- define "common.capabilities.cronjob.apiVersion" -}}
{{- if semverCompare "<1.21-0" (include "common.capabilities.kubeVersion" .) -}}
{{- print "batch/v1beta1" -}}
{{- else -}}
{{- print "batch/v1" -}}
{{- end -}}
{{- end -}}
{{/*
Return the appropriate apiVersion for deployment.
*/}}
{{- define "common.capabilities.deployment.apiVersion" -}}
{{- if semverCompare "<1.14-0" (include "common.capabilities.kubeVersion" .) -}}
{{- print "extensions/v1beta1" -}}
{{- else -}}
{{- print "apps/v1" -}}
{{- end -}}
{{- end -}}
{{/*
Return the appropriate apiVersion for statefulset.
*/}}
{{- define "common.capabilities.statefulset.apiVersion" -}}
{{- if semverCompare "<1.14-0" (include "common.capabilities.kubeVersion" .) -}}
{{- print "apps/v1beta1" -}}
{{- else -}}
{{- print "apps/v1" -}}
{{- end -}}
{{- end -}}
{{/*
Return the appropriate apiVersion for ingress.
*/}}
{{- define "common.capabilities.ingress.apiVersion" -}}
{{- if .Values.ingress -}}
{{- if .Values.ingress.apiVersion -}}
{{- .Values.ingress.apiVersion -}}
{{- else if semverCompare "<1.14-0" (include "common.capabilities.kubeVersion" .) -}}
{{- print "extensions/v1beta1" -}}
{{- else if semverCompare "<1.19-0" (include "common.capabilities.kubeVersion" .) -}}
{{- print "networking.k8s.io/v1beta1" -}}
{{- else -}}
{{- print "networking.k8s.io/v1" -}}
{{- end }}
{{- else if semverCompare "<1.14-0" (include "common.capabilities.kubeVersion" .) -}}
{{- print "extensions/v1beta1" -}}
{{- else if semverCompare "<1.19-0" (include "common.capabilities.kubeVersion" .) -}}
{{- print "networking.k8s.io/v1beta1" -}}
{{- else -}}
{{- print "networking.k8s.io/v1" -}}
{{- end -}}
{{- end -}}
{{/*
Return the appropriate apiVersion for RBAC resources.
*/}}
{{- define "common.capabilities.rbac.apiVersion" -}}
{{- if semverCompare "<1.17-0" (include "common.capabilities.kubeVersion" .) -}}
{{- print "rbac.authorization.k8s.io/v1beta1" -}}
{{- else -}}
{{- print "rbac.authorization.k8s.io/v1" -}}
{{- end -}}
{{- end -}}
{{/*
Return the appropriate apiVersion for CRDs.
*/}}
{{- define "common.capabilities.crd.apiVersion" -}}
{{- if semverCompare "<1.19-0" (include "common.capabilities.kubeVersion" .) -}}
{{- print "apiextensions.k8s.io/v1beta1" -}}
{{- else -}}
{{- print "apiextensions.k8s.io/v1" -}}
{{- end -}}
{{- end -}}
{{/*
Return the appropriate apiVersion for APIService.
*/}}
{{- define "common.capabilities.apiService.apiVersion" -}}
{{- if semverCompare "<1.10-0" (include "common.capabilities.kubeVersion" .) -}}
{{- print "apiregistration.k8s.io/v1beta1" -}}
{{- else -}}
{{- print "apiregistration.k8s.io/v1" -}}
{{- end -}}
{{- end -}}
{{/*
Return the appropriate apiVersion for Horizontal Pod Autoscaler.
*/}}
{{- define "common.capabilities.hpa.apiVersion" -}}
{{- if semverCompare "<1.23-0" (include "common.capabilities.kubeVersion" .context) -}}
{{- if .beta2 -}}
{{- print "autoscaling/v2beta2" -}}
{{- else -}}
{{- print "autoscaling/v2beta1" -}}
{{- end -}}
{{- else -}}
{{- print "autoscaling/v2" -}}
{{- end -}}
{{- end -}}
{{/*
Returns true if the used Helm version is 3.3+.
A way to check the used Helm version was not introduced until version 3.3.0 with .Capabilities.HelmVersion, which contains an additional "{}}" structure.
This check is introduced as a regexMatch instead of {{ if .Capabilities.HelmVersion }} because checking for the key HelmVersion in <3.3 results in a "interface not found" error.
**To be removed when the catalog's minimun Helm version is 3.3**
*/}}
{{- define "common.capabilities.supportsHelmVersion" -}}
{{- if regexMatch "{(v[0-9])*[^}]*}}$" (.Capabilities | toString ) }}
{{- true -}}
{{- end -}}
{{- end -}}

23
deploy/charts/apisix/charts/etcd/charts/common/templates/_errors.tpl Normal file
View File

@ -0,0 +1,23 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Through error when upgrading using empty passwords values that must not be empty.
Usage:
{{- $validationError00 := include "common.validations.values.single.empty" (dict "valueKey" "path.to.password00" "secret" "secretName" "field" "password-00") -}}
{{- $validationError01 := include "common.validations.values.single.empty" (dict "valueKey" "path.to.password01" "secret" "secretName" "field" "password-01") -}}
{{ include "common.errors.upgrade.passwords.empty" (dict "validationErrors" (list $validationError00 $validationError01) "context" $) }}
Required password params:
- validationErrors - String - Required. List of validation strings to be return, if it is empty it won't throw error.
- context - Context - Required. Parent context.
*/}}
{{- define "common.errors.upgrade.passwords.empty" -}}
{{- $validationErrors := join "" .validationErrors -}}
{{- if and $validationErrors .context.Release.IsUpgrade -}}
{{- $errorString := "\nPASSWORDS ERROR: You must provide your current passwords when upgrading the release." -}}
{{- $errorString = print $errorString "\n Note that even after reinstallation, old credentials may be needed as they may be kept in persistent volume claims." -}}
{{- $errorString = print $errorString "\n Further information can be obtained at https://docs.bitnami.com/general/how-to/troubleshoot-helm-chart-issues/#credential-errors-while-upgrading-chart-releases" -}}
{{- $errorString = print $errorString "\n%s" -}}
{{- printf $errorString $validationErrors | fail -}}
{{- end -}}
{{- end -}}

75
deploy/charts/apisix/charts/etcd/charts/common/templates/_images.tpl Normal file
View File

@ -0,0 +1,75 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Return the proper image name
{{ include "common.images.image" ( dict "imageRoot" .Values.path.to.the.image "global" $) }}
*/}}
{{- define "common.images.image" -}}
{{- $registryName := .imageRoot.registry -}}
{{- $repositoryName := .imageRoot.repository -}}
{{- $tag := .imageRoot.tag | toString -}}
{{- if .global }}
{{- if .global.imageRegistry }}
{{- $registryName = .global.imageRegistry -}}
{{- end -}}
{{- end -}}
{{- if $registryName }}
{{- printf "%s/%s:%s" $registryName $repositoryName $tag -}}
{{- else -}}
{{- printf "%s:%s" $repositoryName $tag -}}
{{- end -}}
{{- end -}}
{{/*
Return the proper Docker Image Registry Secret Names (deprecated: use common.images.renderPullSecrets instead)
{{ include "common.images.pullSecrets" ( dict "images" (list .Values.path.to.the.image1, .Values.path.to.the.image2) "global" .Values.global) }}
*/}}
{{- define "common.images.pullSecrets" -}}
{{- $pullSecrets := list }}
{{- if .global }}
{{- range .global.imagePullSecrets -}}
{{- $pullSecrets = append $pullSecrets . -}}
{{- end -}}
{{- end -}}
{{- range .images -}}
{{- range .pullSecrets -}}
{{- $pullSecrets = append $pullSecrets . -}}
{{- end -}}
{{- end -}}
{{- if (not (empty $pullSecrets)) }}
imagePullSecrets:
{{- range $pullSecrets }}
- name: {{ . }}
{{- end }}
{{- end }}
{{- end -}}
{{/*
Return the proper Docker Image Registry Secret Names evaluating values as templates
{{ include "common.images.renderPullSecrets" ( dict "images" (list .Values.path.to.the.image1, .Values.path.to.the.image2) "context" $) }}
*/}}
{{- define "common.images.renderPullSecrets" -}}
{{- $pullSecrets := list }}
{{- $context := .context }}
{{- if $context.Values.global }}
{{- range $context.Values.global.imagePullSecrets -}}
{{- $pullSecrets = append $pullSecrets (include "common.tplvalues.render" (dict "value" . "context" $context)) -}}
{{- end -}}
{{- end -}}
{{- range .images -}}
{{- range .pullSecrets -}}
{{- $pullSecrets = append $pullSecrets (include "common.tplvalues.render" (dict "value" . "context" $context)) -}}
{{- end -}}
{{- end -}}
{{- if (not (empty $pullSecrets)) }}
imagePullSecrets:
{{- range $pullSecrets }}
- name: {{ . }}
{{- end }}
{{- end }}
{{- end -}}

68
deploy/charts/apisix/charts/etcd/charts/common/templates/_ingress.tpl Normal file
View File

@ -0,0 +1,68 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Generate backend entry that is compatible with all Kubernetes API versions.
Usage:
{{ include "common.ingress.backend" (dict "serviceName" "backendName" "servicePort" "backendPort" "context" $) }}
Params:
- serviceName - String. Name of an existing service backend
- servicePort - String/Int. Port name (or number) of the service. It will be translated to different yaml depending if it is a string or an integer.
- context - Dict - Required. The context for the template evaluation.
*/}}
{{- define "common.ingress.backend" -}}
{{- $apiVersion := (include "common.capabilities.ingress.apiVersion" .context) -}}
{{- if or (eq $apiVersion "extensions/v1beta1") (eq $apiVersion "networking.k8s.io/v1beta1") -}}
serviceName: {{ .serviceName }}
servicePort: {{ .servicePort }}
{{- else -}}
service:
name: {{ .serviceName }}
port:
{{- if typeIs "string" .servicePort }}
name: {{ .servicePort }}
{{- else if or (typeIs "int" .servicePort) (typeIs "float64" .servicePort) }}
number: {{ .servicePort | int }}
{{- end }}
{{- end -}}
{{- end -}}
{{/*
Print "true" if the API pathType field is supported
Usage:
{{ include "common.ingress.supportsPathType" . }}
*/}}
{{- define "common.ingress.supportsPathType" -}}
{{- if (semverCompare "<1.18-0" (include "common.capabilities.kubeVersion" .)) -}}
{{- print "false" -}}
{{- else -}}
{{- print "true" -}}
{{- end -}}
{{- end -}}
{{/*
Returns true if the ingressClassname field is supported
Usage:
{{ include "common.ingress.supportsIngressClassname" . }}
*/}}
{{- define "common.ingress.supportsIngressClassname" -}}
{{- if semverCompare "<1.18-0" (include "common.capabilities.kubeVersion" .) -}}
{{- print "false" -}}
{{- else -}}
{{- print "true" -}}
{{- end -}}
{{- end -}}
{{/*
Return true if cert-manager required annotations for TLS signed
certificates are set in the Ingress annotations
Ref: https://cert-manager.io/docs/usage/ingress/#supported-annotations
Usage:
{{ include "common.ingress.certManagerRequest" ( dict "annotations" .Values.path.to.the.ingress.annotations ) }}
*/}}
{{- define "common.ingress.certManagerRequest" -}}
{{ if or (hasKey .annotations "cert-manager.io/cluster-issuer") (hasKey .annotations "cert-manager.io/issuer") }}
{{- true -}}
{{- end -}}
{{- end -}}

18
deploy/charts/apisix/charts/etcd/charts/common/templates/_labels.tpl Normal file
View File

@ -0,0 +1,18 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Kubernetes standard labels
*/}}
{{- define "common.labels.standard" -}}
app.kubernetes.io/name: {{ include "common.names.name" . }}
helm.sh/chart: {{ include "common.names.chart" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end -}}
{{/*
Labels to use on deploy.spec.selector.matchLabels and svc.spec.selector
*/}}
{{- define "common.labels.matchLabels" -}}
app.kubernetes.io/name: {{ include "common.names.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end -}}

70
deploy/charts/apisix/charts/etcd/charts/common/templates/_names.tpl Normal file
View File

@ -0,0 +1,70 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Expand the name of the chart.
*/}}
{{- define "common.names.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "common.names.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "common.names.fullname" -}}
{{- if .Values.fullnameOverride -}}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- $name := default .Chart.Name .Values.nameOverride -}}
{{- if contains $name .Release.Name -}}
{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{/*
Create a default fully qualified dependency name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
Usage:
{{ include "common.names.dependency.fullname" (dict "chartName" "dependency-chart-name" "chartValues" .Values.dependency-chart "context" $) }}
*/}}
{{- define "common.names.dependency.fullname" -}}
{{- if .chartValues.fullnameOverride -}}
{{- .chartValues.fullnameOverride | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- $name := default .chartName .chartValues.nameOverride -}}
{{- if contains $name .context.Release.Name -}}
{{- .context.Release.Name | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- printf "%s-%s" .context.Release.Name $name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{/*
Allow the release namespace to be overridden for multi-namespace deployments in combined charts.
*/}}
{{- define "common.names.namespace" -}}
{{- if .Values.namespaceOverride -}}
{{- .Values.namespaceOverride -}}
{{- else -}}
{{- .Release.Namespace -}}
{{- end -}}
{{- end -}}
{{/*
Create a fully qualified app name adding the installation's namespace.
*/}}
{{- define "common.names.fullname.namespace" -}}
{{- printf "%s-%s" (include "common.names.fullname" .) (include "common.names.namespace" .) | trunc 63 | trimSuffix "-" -}}
{{- end -}}

140
deploy/charts/apisix/charts/etcd/charts/common/templates/_secrets.tpl Normal file
View File

@ -0,0 +1,140 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Generate secret name.
Usage:
{{ include "common.secrets.name" (dict "existingSecret" .Values.path.to.the.existingSecret "defaultNameSuffix" "mySuffix" "context" $) }}
Params:
- existingSecret - ExistingSecret/String - Optional. The path to the existing secrets in the values.yaml given by the user
to be used instead of the default one. Allows for it to be of type String (just the secret name) for backwards compatibility.
+info: https://github.com/bitnami/charts/tree/master/bitnami/common#existingsecret
- defaultNameSuffix - String - Optional. It is used only if we have several secrets in the same deployment.
- context - Dict - Required. The context for the template evaluation.
*/}}
{{- define "common.secrets.name" -}}
{{- $name := (include "common.names.fullname" .context) -}}
{{- if .defaultNameSuffix -}}
{{- $name = printf "%s-%s" $name .defaultNameSuffix | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- with .existingSecret -}}
{{- if not (typeIs "string" .) -}}
{{- with .name -}}
{{- $name = . -}}
{{- end -}}
{{- else -}}
{{- $name = . -}}
{{- end -}}
{{- end -}}
{{- printf "%s" $name -}}
{{- end -}}
{{/*
Generate secret key.
Usage:
{{ include "common.secrets.key" (dict "existingSecret" .Values.path.to.the.existingSecret "key" "keyName") }}
Params:
- existingSecret - ExistingSecret/String - Optional. The path to the existing secrets in the values.yaml given by the user
to be used instead of the default one. Allows for it to be of type String (just the secret name) for backwards compatibility.
+info: https://github.com/bitnami/charts/tree/master/bitnami/common#existingsecret
- key - String - Required. Name of the key in the secret.
*/}}
{{- define "common.secrets.key" -}}
{{- $key := .key -}}
{{- if .existingSecret -}}
{{- if not (typeIs "string" .existingSecret) -}}
{{- if .existingSecret.keyMapping -}}
{{- $key = index .existingSecret.keyMapping $.key -}}
{{- end -}}
{{- end }}
{{- end -}}
{{- printf "%s" $key -}}
{{- end -}}
{{/*
Generate secret password or retrieve one if already created.
Usage:
{{ include "common.secrets.passwords.manage" (dict "secret" "secret-name" "key" "keyName" "providedValues" (list "path.to.password1" "path.to.password2") "length" 10 "strong" false "chartName" "chartName" "context" $) }}
Params:
- secret - String - Required - Name of the 'Secret' resource where the password is stored.
- key - String - Required - Name of the key in the secret.
- providedValues - List<String> - Required - The path to the validating value in the values.yaml, e.g: "mysql.password". Will pick first parameter with a defined value.
- length - int - Optional - Length of the generated random password.
- strong - Boolean - Optional - Whether to add symbols to the generated random password.
- chartName - String - Optional - Name of the chart used when said chart is deployed as a subchart.
- context - Context - Required - Parent context.
The order in which this function returns a secret password:
1. Already existing 'Secret' resource
(If a 'Secret' resource is found under the name provided to the 'secret' parameter to this function and that 'Secret' resource contains a key with the name passed as the 'key' parameter to this function then the value of this existing secret password will be returned)
2. Password provided via the values.yaml
(If one of the keys passed to the 'providedValues' parameter to this function is a valid path to a key in the values.yaml and has a value, the value of the first key with a value will be returned)
3. Randomly generated secret password
(A new random secret password with the length specified in the 'length' parameter will be generated and returned)
*/}}
{{- define "common.secrets.passwords.manage" -}}
{{- $password := "" }}
{{- $subchart := "" }}
{{- $chartName := default "" .chartName }}
{{- $passwordLength := default 10 .length }}
{{- $providedPasswordKey := include "common.utils.getKeyFromList" (dict "keys" .providedValues "context" $.context) }}
{{- $providedPasswordValue := include "common.utils.getValueFromKey" (dict "key" $providedPasswordKey "context" $.context) }}
{{- $secretData := (lookup "v1" "Secret" $.context.Release.Namespace .secret).data }}
{{- if $secretData }}
{{- if hasKey $secretData .key }}
{{- $password = index $secretData .key }}
{{- else }}
{{- printf "\nPASSWORDS ERROR: The secret \"%s\" does not contain the key \"%s\"\n" .secret .key | fail -}}
{{- end -}}
{{- else if $providedPasswordValue }}
{{- $password = $providedPasswordValue | toString | b64enc | quote }}
{{- else }}
{{- if .context.Values.enabled }}
{{- $subchart = $chartName }}
{{- end -}}
{{- $requiredPassword := dict "valueKey" $providedPasswordKey "secret" .secret "field" .key "subchart" $subchart "context" $.context -}}
{{- $requiredPasswordError := include "common.validations.values.single.empty" $requiredPassword -}}
{{- $passwordValidationErrors := list $requiredPasswordError -}}
{{- include "common.errors.upgrade.passwords.empty" (dict "validationErrors" $passwordValidationErrors "context" $.context) -}}
{{- if .strong }}
{{- $subStr := list (lower (randAlpha 1)) (randNumeric 1) (upper (randAlpha 1)) | join "_" }}
{{- $password = randAscii $passwordLength }}
{{- $password = regexReplaceAllLiteral "\\W" $password "@" | substr 5 $passwordLength }}
{{- $password = printf "%s%s" $subStr $password | toString | shuffle | b64enc | quote }}
{{- else }}
{{- $password = randAlphaNum $passwordLength | b64enc | quote }}
{{- end }}
{{- end -}}
{{- printf "%s" $password -}}
{{- end -}}
{{/*
Returns whether a previous generated secret already exists
Usage:
{{ include "common.secrets.exists" (dict "secret" "secret-name" "context" $) }}
Params:
- secret - String - Required - Name of the 'Secret' resource where the password is stored.
- context - Context - Required - Parent context.
*/}}
{{- define "common.secrets.exists" -}}
{{- $secret := (lookup "v1" "Secret" $.context.Release.Namespace .secret) }}
{{- if $secret }}
{{- true -}}
{{- end -}}
{{- end -}}

23
deploy/charts/apisix/charts/etcd/charts/common/templates/_storage.tpl Normal file
View File

@ -0,0 +1,23 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Return the proper Storage Class
{{ include "common.storage.class" ( dict "persistence" .Values.path.to.the.persistence "global" $) }}
*/}}
{{- define "common.storage.class" -}}
{{- $storageClass := .persistence.storageClass -}}
{{- if .global -}}
{{- if .global.storageClass -}}
{{- $storageClass = .global.storageClass -}}
{{- end -}}
{{- end -}}
{{- if $storageClass -}}
{{- if (eq "-" $storageClass) -}}
{{- printf "storageClassName: \"\"" -}}
{{- else }}
{{- printf "storageClassName: %s" $storageClass -}}
{{- end -}}
{{- end -}}
{{- end -}}

13
deploy/charts/apisix/charts/etcd/charts/common/templates/_tplvalues.tpl Normal file
View File

@ -0,0 +1,13 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Renders a value that contains template.
Usage:
{{ include "common.tplvalues.render" ( dict "value" .Values.path.to.the.Value "context" $) }}
*/}}
{{- define "common.tplvalues.render" -}}
{{- if typeIs "string" .value }}
{{- tpl .value .context }}
{{- else }}
{{- tpl (.value | toYaml) .context }}
{{- end }}
{{- end -}}

62
deploy/charts/apisix/charts/etcd/charts/common/templates/_utils.tpl Normal file
View File

@ -0,0 +1,62 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Print instructions to get a secret value.
Usage:
{{ include "common.utils.secret.getvalue" (dict "secret" "secret-name" "field" "secret-value-field" "context" $) }}
*/}}
{{- define "common.utils.secret.getvalue" -}}
{{- $varname := include "common.utils.fieldToEnvVar" . -}}
export {{ $varname }}=$(kubectl get secret --namespace {{ .context.Release.Namespace | quote }} {{ .secret }} -o jsonpath="{.data.{{ .field }}}" | base64 -d)
{{- end -}}
{{/*
Build env var name given a field
Usage:
{{ include "common.utils.fieldToEnvVar" dict "field" "my-password" }}
*/}}
{{- define "common.utils.fieldToEnvVar" -}}
{{- $fieldNameSplit := splitList "-" .field -}}
{{- $upperCaseFieldNameSplit := list -}}
{{- range $fieldNameSplit -}}
{{- $upperCaseFieldNameSplit = append $upperCaseFieldNameSplit ( upper . ) -}}
{{- end -}}
{{ join "_" $upperCaseFieldNameSplit }}
{{- end -}}
{{/*
Gets a value from .Values given
Usage:
{{ include "common.utils.getValueFromKey" (dict "key" "path.to.key" "context" $) }}
*/}}
{{- define "common.utils.getValueFromKey" -}}
{{- $splitKey := splitList "." .key -}}
{{- $value := "" -}}
{{- $latestObj := $.context.Values -}}
{{- range $splitKey -}}
{{- if not $latestObj -}}
{{- printf "please review the entire path of '%s' exists in values" $.key | fail -}}
{{- end -}}
{{- $value = ( index $latestObj . ) -}}
{{- $latestObj = $value -}}
{{- end -}}
{{- printf "%v" (default "" $value) -}}
{{- end -}}
{{/*
Returns first .Values key with a defined value or first of the list if all non-defined
Usage:
{{ include "common.utils.getKeyFromList" (dict "keys" (list "path.to.key1" "path.to.key2") "context" $) }}
*/}}
{{- define "common.utils.getKeyFromList" -}}
{{- $key := first .keys -}}
{{- $reverseKeys := reverse .keys }}
{{- range $reverseKeys }}
{{- $value := include "common.utils.getValueFromKey" (dict "key" . "context" $.context ) }}
{{- if $value -}}
{{- $key = . }}
{{- end -}}
{{- end -}}
{{- printf "%s" $key -}}
{{- end -}}

14
deploy/charts/apisix/charts/etcd/charts/common/templates/_warnings.tpl Normal file
View File

@ -0,0 +1,14 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Warning about using rolling tag.
Usage:
{{ include "common.warnings.rollingTag" .Values.path.to.the.imageRoot }}
*/}}
{{- define "common.warnings.rollingTag" -}}
{{- if and (contains "bitnami/" .repository) (not (.tag | toString | regexFind "-r\\d+$|sha256:")) }}
WARNING: Rolling tag detected ({{ .repository }}:{{ .tag }}), please note that it is strongly recommended to avoid using rolling tags in a production environment.
+info https://docs.bitnami.com/containers/how-to/understand-rolling-tags-containers/
{{- end }}
{{- end -}}

72
deploy/charts/apisix/charts/etcd/charts/common/templates/validations/_cassandra.tpl Normal file
View File

@ -0,0 +1,72 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Validate Cassandra required passwords are not empty.
Usage:
{{ include "common.validations.values.cassandra.passwords" (dict "secret" "secretName" "subchart" false "context" $) }}
Params:
- secret - String - Required. Name of the secret where Cassandra values are stored, e.g: "cassandra-passwords-secret"
- subchart - Boolean - Optional. Whether Cassandra is used as subchart or not. Default: false
*/}}
{{- define "common.validations.values.cassandra.passwords" -}}
{{- $existingSecret := include "common.cassandra.values.existingSecret" . -}}
{{- $enabled := include "common.cassandra.values.enabled" . -}}
{{- $dbUserPrefix := include "common.cassandra.values.key.dbUser" . -}}
{{- $valueKeyPassword := printf "%s.password" $dbUserPrefix -}}
{{- if and (or (not $existingSecret) (eq $existingSecret "\"\"")) (eq $enabled "true") -}}
{{- $requiredPasswords := list -}}
{{- $requiredPassword := dict "valueKey" $valueKeyPassword "secret" .secret "field" "cassandra-password" -}}
{{- $requiredPasswords = append $requiredPasswords $requiredPassword -}}
{{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}}
{{- end -}}
{{- end -}}
{{/*
Auxiliary function to get the right value for existingSecret.
Usage:
{{ include "common.cassandra.values.existingSecret" (dict "context" $) }}
Params:
- subchart - Boolean - Optional. Whether Cassandra is used as subchart or not. Default: false
*/}}
{{- define "common.cassandra.values.existingSecret" -}}
{{- if .subchart -}}
{{- .context.Values.cassandra.dbUser.existingSecret | quote -}}
{{- else -}}
{{- .context.Values.dbUser.existingSecret | quote -}}
{{- end -}}
{{- end -}}
{{/*
Auxiliary function to get the right value for enabled cassandra.
Usage:
{{ include "common.cassandra.values.enabled" (dict "context" $) }}
*/}}
{{- define "common.cassandra.values.enabled" -}}
{{- if .subchart -}}
{{- printf "%v" .context.Values.cassandra.enabled -}}
{{- else -}}
{{- printf "%v" (not .context.Values.enabled) -}}
{{- end -}}
{{- end -}}
{{/*
Auxiliary function to get the right value for the key dbUser
Usage:
{{ include "common.cassandra.values.key.dbUser" (dict "subchart" "true" "context" $) }}
Params:
- subchart - Boolean - Optional. Whether Cassandra is used as subchart or not. Default: false
*/}}
{{- define "common.cassandra.values.key.dbUser" -}}
{{- if .subchart -}}
cassandra.dbUser
{{- else -}}
dbUser
{{- end -}}
{{- end -}}

103
deploy/charts/apisix/charts/etcd/charts/common/templates/validations/_mariadb.tpl Normal file
View File

@ -0,0 +1,103 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Validate MariaDB required passwords are not empty.
Usage:
{{ include "common.validations.values.mariadb.passwords" (dict "secret" "secretName" "subchart" false "context" $) }}
Params:
- secret - String - Required. Name of the secret where MariaDB values are stored, e.g: "mysql-passwords-secret"
- subchart - Boolean - Optional. Whether MariaDB is used as subchart or not. Default: false
*/}}
{{- define "common.validations.values.mariadb.passwords" -}}
{{- $existingSecret := include "common.mariadb.values.auth.existingSecret" . -}}
{{- $enabled := include "common.mariadb.values.enabled" . -}}
{{- $architecture := include "common.mariadb.values.architecture" . -}}
{{- $authPrefix := include "common.mariadb.values.key.auth" . -}}
{{- $valueKeyRootPassword := printf "%s.rootPassword" $authPrefix -}}
{{- $valueKeyUsername := printf "%s.username" $authPrefix -}}
{{- $valueKeyPassword := printf "%s.password" $authPrefix -}}
{{- $valueKeyReplicationPassword := printf "%s.replicationPassword" $authPrefix -}}
{{- if and (or (not $existingSecret) (eq $existingSecret "\"\"")) (eq $enabled "true") -}}
{{- $requiredPasswords := list -}}
{{- $requiredRootPassword := dict "valueKey" $valueKeyRootPassword "secret" .secret "field" "mariadb-root-password" -}}
{{- $requiredPasswords = append $requiredPasswords $requiredRootPassword -}}
{{- $valueUsername := include "common.utils.getValueFromKey" (dict "key" $valueKeyUsername "context" .context) }}
{{- if not (empty $valueUsername) -}}
{{- $requiredPassword := dict "valueKey" $valueKeyPassword "secret" .secret "field" "mariadb-password" -}}
{{- $requiredPasswords = append $requiredPasswords $requiredPassword -}}
{{- end -}}
{{- if (eq $architecture "replication") -}}
{{- $requiredReplicationPassword := dict "valueKey" $valueKeyReplicationPassword "secret" .secret "field" "mariadb-replication-password" -}}
{{- $requiredPasswords = append $requiredPasswords $requiredReplicationPassword -}}
{{- end -}}
{{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}}
{{- end -}}
{{- end -}}
{{/*
Auxiliary function to get the right value for existingSecret.
Usage:
{{ include "common.mariadb.values.auth.existingSecret" (dict "context" $) }}
Params:
- subchart - Boolean - Optional. Whether MariaDB is used as subchart or not. Default: false
*/}}
{{- define "common.mariadb.values.auth.existingSecret" -}}
{{- if .subchart -}}
{{- .context.Values.mariadb.auth.existingSecret | quote -}}
{{- else -}}
{{- .context.Values.auth.existingSecret | quote -}}
{{- end -}}
{{- end -}}
{{/*
Auxiliary function to get the right value for enabled mariadb.
Usage:
{{ include "common.mariadb.values.enabled" (dict "context" $) }}
*/}}
{{- define "common.mariadb.values.enabled" -}}
{{- if .subchart -}}
{{- printf "%v" .context.Values.mariadb.enabled -}}
{{- else -}}
{{- printf "%v" (not .context.Values.enabled) -}}
{{- end -}}
{{- end -}}
{{/*
Auxiliary function to get the right value for architecture
Usage:
{{ include "common.mariadb.values.architecture" (dict "subchart" "true" "context" $) }}
Params:
- subchart - Boolean - Optional. Whether MariaDB is used as subchart or not. Default: false
*/}}
{{- define "common.mariadb.values.architecture" -}}
{{- if .subchart -}}
{{- .context.Values.mariadb.architecture -}}
{{- else -}}
{{- .context.Values.architecture -}}
{{- end -}}
{{- end -}}
{{/*
Auxiliary function to get the right value for the key auth
Usage:
{{ include "common.mariadb.values.key.auth" (dict "subchart" "true" "context" $) }}
Params:
- subchart - Boolean - Optional. Whether MariaDB is used as subchart or not. Default: false
*/}}
{{- define "common.mariadb.values.key.auth" -}}
{{- if .subchart -}}
mariadb.auth
{{- else -}}
auth
{{- end -}}
{{- end -}}

108
deploy/charts/apisix/charts/etcd/charts/common/templates/validations/_mongodb.tpl Normal file
View File

@ -0,0 +1,108 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Validate MongoDB&reg; required passwords are not empty.
Usage:
{{ include "common.validations.values.mongodb.passwords" (dict "secret" "secretName" "subchart" false "context" $) }}
Params:
- secret - String - Required. Name of the secret where MongoDB&reg; values are stored, e.g: "mongodb-passwords-secret"
- subchart - Boolean - Optional. Whether MongoDB&reg; is used as subchart or not. Default: false
*/}}
{{- define "common.validations.values.mongodb.passwords" -}}
{{- $existingSecret := include "common.mongodb.values.auth.existingSecret" . -}}
{{- $enabled := include "common.mongodb.values.enabled" . -}}
{{- $authPrefix := include "common.mongodb.values.key.auth" . -}}
{{- $architecture := include "common.mongodb.values.architecture" . -}}
{{- $valueKeyRootPassword := printf "%s.rootPassword" $authPrefix -}}
{{- $valueKeyUsername := printf "%s.username" $authPrefix -}}
{{- $valueKeyDatabase := printf "%s.database" $authPrefix -}}
{{- $valueKeyPassword := printf "%s.password" $authPrefix -}}
{{- $valueKeyReplicaSetKey := printf "%s.replicaSetKey" $authPrefix -}}
{{- $valueKeyAuthEnabled := printf "%s.enabled" $authPrefix -}}
{{- $authEnabled := include "common.utils.getValueFromKey" (dict "key" $valueKeyAuthEnabled "context" .context) -}}
{{- if and (or (not $existingSecret) (eq $existingSecret "\"\"")) (eq $enabled "true") (eq $authEnabled "true") -}}
{{- $requiredPasswords := list -}}
{{- $requiredRootPassword := dict "valueKey" $valueKeyRootPassword "secret" .secret "field" "mongodb-root-password" -}}
{{- $requiredPasswords = append $requiredPasswords $requiredRootPassword -}}
{{- $valueUsername := include "common.utils.getValueFromKey" (dict "key" $valueKeyUsername "context" .context) }}
{{- $valueDatabase := include "common.utils.getValueFromKey" (dict "key" $valueKeyDatabase "context" .context) }}
{{- if and $valueUsername $valueDatabase -}}
{{- $requiredPassword := dict "valueKey" $valueKeyPassword "secret" .secret "field" "mongodb-password" -}}
{{- $requiredPasswords = append $requiredPasswords $requiredPassword -}}
{{- end -}}
{{- if (eq $architecture "replicaset") -}}
{{- $requiredReplicaSetKey := dict "valueKey" $valueKeyReplicaSetKey "secret" .secret "field" "mongodb-replica-set-key" -}}
{{- $requiredPasswords = append $requiredPasswords $requiredReplicaSetKey -}}
{{- end -}}
{{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}}
{{- end -}}
{{- end -}}
{{/*
Auxiliary function to get the right value for existingSecret.
Usage:
{{ include "common.mongodb.values.auth.existingSecret" (dict "context" $) }}
Params:
- subchart - Boolean - Optional. Whether MongoDb is used as subchart or not. Default: false
*/}}
{{- define "common.mongodb.values.auth.existingSecret" -}}
{{- if .subchart -}}
{{- .context.Values.mongodb.auth.existingSecret | quote -}}
{{- else -}}
{{- .context.Values.auth.existingSecret | quote -}}
{{- end -}}
{{- end -}}
{{/*
Auxiliary function to get the right value for enabled mongodb.
Usage:
{{ include "common.mongodb.values.enabled" (dict "context" $) }}
*/}}
{{- define "common.mongodb.values.enabled" -}}
{{- if .subchart -}}
{{- printf "%v" .context.Values.mongodb.enabled -}}
{{- else -}}
{{- printf "%v" (not .context.Values.enabled) -}}
{{- end -}}
{{- end -}}
{{/*
Auxiliary function to get the right value for the key auth
Usage:
{{ include "common.mongodb.values.key.auth" (dict "subchart" "true" "context" $) }}
Params:
- subchart - Boolean - Optional. Whether MongoDB&reg; is used as subchart or not. Default: false
*/}}
{{- define "common.mongodb.values.key.auth" -}}
{{- if .subchart -}}
mongodb.auth
{{- else -}}
auth
{{- end -}}
{{- end -}}
{{/*
Auxiliary function to get the right value for architecture
Usage:
{{ include "common.mongodb.values.architecture" (dict "subchart" "true" "context" $) }}
Params:
- subchart - Boolean - Optional. Whether MongoDB&reg; is used as subchart or not. Default: false
*/}}
{{- define "common.mongodb.values.architecture" -}}
{{- if .subchart -}}
{{- .context.Values.mongodb.architecture -}}
{{- else -}}
{{- .context.Values.architecture -}}
{{- end -}}
{{- end -}}

103
deploy/charts/apisix/charts/etcd/charts/common/templates/validations/_mysql.tpl Normal file
View File

@ -0,0 +1,103 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Validate MySQL required passwords are not empty.
Usage:
{{ include "common.validations.values.mysql.passwords" (dict "secret" "secretName" "subchart" false "context" $) }}
Params:
- secret - String - Required. Name of the secret where MySQL values are stored, e.g: "mysql-passwords-secret"
- subchart - Boolean - Optional. Whether MySQL is used as subchart or not. Default: false
*/}}
{{- define "common.validations.values.mysql.passwords" -}}
{{- $existingSecret := include "common.mysql.values.auth.existingSecret" . -}}
{{- $enabled := include "common.mysql.values.enabled" . -}}
{{- $architecture := include "common.mysql.values.architecture" . -}}
{{- $authPrefix := include "common.mysql.values.key.auth" . -}}
{{- $valueKeyRootPassword := printf "%s.rootPassword" $authPrefix -}}
{{- $valueKeyUsername := printf "%s.username" $authPrefix -}}
{{- $valueKeyPassword := printf "%s.password" $authPrefix -}}
{{- $valueKeyReplicationPassword := printf "%s.replicationPassword" $authPrefix -}}
{{- if and (or (not $existingSecret) (eq $existingSecret "\"\"")) (eq $enabled "true") -}}
{{- $requiredPasswords := list -}}
{{- $requiredRootPassword := dict "valueKey" $valueKeyRootPassword "secret" .secret "field" "mysql-root-password" -}}
{{- $requiredPasswords = append $requiredPasswords $requiredRootPassword -}}
{{- $valueUsername := include "common.utils.getValueFromKey" (dict "key" $valueKeyUsername "context" .context) }}
{{- if not (empty $valueUsername) -}}
{{- $requiredPassword := dict "valueKey" $valueKeyPassword "secret" .secret "field" "mysql-password" -}}
{{- $requiredPasswords = append $requiredPasswords $requiredPassword -}}
{{- end -}}
{{- if (eq $architecture "replication") -}}
{{- $requiredReplicationPassword := dict "valueKey" $valueKeyReplicationPassword "secret" .secret "field" "mysql-replication-password" -}}
{{- $requiredPasswords = append $requiredPasswords $requiredReplicationPassword -}}
{{- end -}}
{{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}}
{{- end -}}
{{- end -}}
{{/*
Auxiliary function to get the right value for existingSecret.
Usage:
{{ include "common.mysql.values.auth.existingSecret" (dict "context" $) }}
Params:
- subchart - Boolean - Optional. Whether MySQL is used as subchart or not. Default: false
*/}}
{{- define "common.mysql.values.auth.existingSecret" -}}
{{- if .subchart -}}
{{- .context.Values.mysql.auth.existingSecret | quote -}}
{{- else -}}
{{- .context.Values.auth.existingSecret | quote -}}
{{- end -}}
{{- end -}}
{{/*
Auxiliary function to get the right value for enabled mysql.
Usage:
{{ include "common.mysql.values.enabled" (dict "context" $) }}
*/}}
{{- define "common.mysql.values.enabled" -}}
{{- if .subchart -}}
{{- printf "%v" .context.Values.mysql.enabled -}}
{{- else -}}
{{- printf "%v" (not .context.Values.enabled) -}}
{{- end -}}
{{- end -}}
{{/*
Auxiliary function to get the right value for architecture
Usage:
{{ include "common.mysql.values.architecture" (dict "subchart" "true" "context" $) }}
Params:
- subchart - Boolean - Optional. Whether MySQL is used as subchart or not. Default: false
*/}}
{{- define "common.mysql.values.architecture" -}}
{{- if .subchart -}}
{{- .context.Values.mysql.architecture -}}
{{- else -}}
{{- .context.Values.architecture -}}
{{- end -}}
{{- end -}}
{{/*
Auxiliary function to get the right value for the key auth
Usage:
{{ include "common.mysql.values.key.auth" (dict "subchart" "true" "context" $) }}
Params:
- subchart - Boolean - Optional. Whether MySQL is used as subchart or not. Default: false
*/}}
{{- define "common.mysql.values.key.auth" -}}
{{- if .subchart -}}
mysql.auth
{{- else -}}
auth
{{- end -}}
{{- end -}}

129
deploy/charts/apisix/charts/etcd/charts/common/templates/validations/_postgresql.tpl Normal file
View File

@ -0,0 +1,129 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Validate PostgreSQL required passwords are not empty.
Usage:
{{ include "common.validations.values.postgresql.passwords" (dict "secret" "secretName" "subchart" false "context" $) }}
Params:
- secret - String - Required. Name of the secret where postgresql values are stored, e.g: "postgresql-passwords-secret"
- subchart - Boolean - Optional. Whether postgresql is used as subchart or not. Default: false
*/}}
{{- define "common.validations.values.postgresql.passwords" -}}
{{- $existingSecret := include "common.postgresql.values.existingSecret" . -}}
{{- $enabled := include "common.postgresql.values.enabled" . -}}
{{- $valueKeyPostgresqlPassword := include "common.postgresql.values.key.postgressPassword" . -}}
{{- $valueKeyPostgresqlReplicationEnabled := include "common.postgresql.values.key.replicationPassword" . -}}
{{- if and (or (not $existingSecret) (eq $existingSecret "\"\"")) (eq $enabled "true") -}}
{{- $requiredPasswords := list -}}
{{- $requiredPostgresqlPassword := dict "valueKey" $valueKeyPostgresqlPassword "secret" .secret "field" "postgresql-password" -}}
{{- $requiredPasswords = append $requiredPasswords $requiredPostgresqlPassword -}}
{{- $enabledReplication := include "common.postgresql.values.enabled.replication" . -}}
{{- if (eq $enabledReplication "true") -}}
{{- $requiredPostgresqlReplicationPassword := dict "valueKey" $valueKeyPostgresqlReplicationEnabled "secret" .secret "field" "postgresql-replication-password" -}}
{{- $requiredPasswords = append $requiredPasswords $requiredPostgresqlReplicationPassword -}}
{{- end -}}
{{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}}
{{- end -}}
{{- end -}}
{{/*
Auxiliary function to decide whether evaluate global values.
Usage:
{{ include "common.postgresql.values.use.global" (dict "key" "key-of-global" "context" $) }}
Params:
- key - String - Required. Field to be evaluated within global, e.g: "existingSecret"
*/}}
{{- define "common.postgresql.values.use.global" -}}
{{- if .context.Values.global -}}
{{- if .context.Values.global.postgresql -}}
{{- index .context.Values.global.postgresql .key | quote -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{/*
Auxiliary function to get the right value for existingSecret.
Usage:
{{ include "common.postgresql.values.existingSecret" (dict "context" $) }}
*/}}
{{- define "common.postgresql.values.existingSecret" -}}
{{- $globalValue := include "common.postgresql.values.use.global" (dict "key" "existingSecret" "context" .context) -}}
{{- if .subchart -}}
{{- default (.context.Values.postgresql.existingSecret | quote) $globalValue -}}
{{- else -}}
{{- default (.context.Values.existingSecret | quote) $globalValue -}}
{{- end -}}
{{- end -}}
{{/*
Auxiliary function to get the right value for enabled postgresql.
Usage:
{{ include "common.postgresql.values.enabled" (dict "context" $) }}
*/}}
{{- define "common.postgresql.values.enabled" -}}
{{- if .subchart -}}
{{- printf "%v" .context.Values.postgresql.enabled -}}
{{- else -}}
{{- printf "%v" (not .context.Values.enabled) -}}
{{- end -}}
{{- end -}}
{{/*
Auxiliary function to get the right value for the key postgressPassword.
Usage:
{{ include "common.postgresql.values.key.postgressPassword" (dict "subchart" "true" "context" $) }}
Params:
- subchart - Boolean - Optional. Whether postgresql is used as subchart or not. Default: false
*/}}
{{- define "common.postgresql.values.key.postgressPassword" -}}
{{- $globalValue := include "common.postgresql.values.use.global" (dict "key" "postgresqlUsername" "context" .context) -}}
{{- if not $globalValue -}}
{{- if .subchart -}}
postgresql.postgresqlPassword
{{- else -}}
postgresqlPassword
{{- end -}}
{{- else -}}
global.postgresql.postgresqlPassword
{{- end -}}
{{- end -}}
{{/*
Auxiliary function to get the right value for enabled.replication.
Usage:
{{ include "common.postgresql.values.enabled.replication" (dict "subchart" "true" "context" $) }}
Params:
- subchart - Boolean - Optional. Whether postgresql is used as subchart or not. Default: false
*/}}
{{- define "common.postgresql.values.enabled.replication" -}}
{{- if .subchart -}}
{{- printf "%v" .context.Values.postgresql.replication.enabled -}}
{{- else -}}
{{- printf "%v" .context.Values.replication.enabled -}}
{{- end -}}
{{- end -}}
{{/*
Auxiliary function to get the right value for the key replication.password.
Usage:
{{ include "common.postgresql.values.key.replicationPassword" (dict "subchart" "true" "context" $) }}
Params:
- subchart - Boolean - Optional. Whether postgresql is used as subchart or not. Default: false
*/}}
{{- define "common.postgresql.values.key.replicationPassword" -}}
{{- if .subchart -}}
postgresql.replication.password
{{- else -}}
replication.password
{{- end -}}
{{- end -}}

76
deploy/charts/apisix/charts/etcd/charts/common/templates/validations/_redis.tpl Normal file
View File

@ -0,0 +1,76 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Validate Redis&reg; required passwords are not empty.
Usage:
{{ include "common.validations.values.redis.passwords" (dict "secret" "secretName" "subchart" false "context" $) }}
Params:
- secret - String - Required. Name of the secret where redis values are stored, e.g: "redis-passwords-secret"
- subchart - Boolean - Optional. Whether redis is used as subchart or not. Default: false
*/}}
{{- define "common.validations.values.redis.passwords" -}}
{{- $enabled := include "common.redis.values.enabled" . -}}
{{- $valueKeyPrefix := include "common.redis.values.keys.prefix" . -}}
{{- $standarizedVersion := include "common.redis.values.standarized.version" . }}
{{- $existingSecret := ternary (printf "%s%s" $valueKeyPrefix "auth.existingSecret") (printf "%s%s" $valueKeyPrefix "existingSecret") (eq $standarizedVersion "true") }}
{{- $existingSecretValue := include "common.utils.getValueFromKey" (dict "key" $existingSecret "context" .context) }}
{{- $valueKeyRedisPassword := ternary (printf "%s%s" $valueKeyPrefix "auth.password") (printf "%s%s" $valueKeyPrefix "password") (eq $standarizedVersion "true") }}
{{- $valueKeyRedisUseAuth := ternary (printf "%s%s" $valueKeyPrefix "auth.enabled") (printf "%s%s" $valueKeyPrefix "usePassword") (eq $standarizedVersion "true") }}
{{- if and (or (not $existingSecret) (eq $existingSecret "\"\"")) (eq $enabled "true") -}}
{{- $requiredPasswords := list -}}
{{- $useAuth := include "common.utils.getValueFromKey" (dict "key" $valueKeyRedisUseAuth "context" .context) -}}
{{- if eq $useAuth "true" -}}
{{- $requiredRedisPassword := dict "valueKey" $valueKeyRedisPassword "secret" .secret "field" "redis-password" -}}
{{- $requiredPasswords = append $requiredPasswords $requiredRedisPassword -}}
{{- end -}}
{{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}}
{{- end -}}
{{- end -}}
{{/*
Auxiliary function to get the right value for enabled redis.
Usage:
{{ include "common.redis.values.enabled" (dict "context" $) }}
*/}}
{{- define "common.redis.values.enabled" -}}
{{- if .subchart -}}
{{- printf "%v" .context.Values.redis.enabled -}}
{{- else -}}
{{- printf "%v" (not .context.Values.enabled) -}}
{{- end -}}
{{- end -}}
{{/*
Auxiliary function to get the right prefix path for the values
Usage:
{{ include "common.redis.values.key.prefix" (dict "subchart" "true" "context" $) }}
Params:
- subchart - Boolean - Optional. Whether redis is used as subchart or not. Default: false
*/}}
{{- define "common.redis.values.keys.prefix" -}}
{{- if .subchart -}}redis.{{- else -}}{{- end -}}
{{- end -}}
{{/*
Checks whether the redis chart's includes the standarizations (version >= 14)
Usage:
{{ include "common.redis.values.standarized.version" (dict "context" $) }}
*/}}
{{- define "common.redis.values.standarized.version" -}}
{{- $standarizedAuth := printf "%s%s" (include "common.redis.values.keys.prefix" .) "auth" -}}
{{- $standarizedAuthValues := include "common.utils.getValueFromKey" (dict "key" $standarizedAuth "context" .context) }}
{{- if $standarizedAuthValues -}}
{{- true -}}
{{- end -}}
{{- end -}}

46
deploy/charts/apisix/charts/etcd/charts/common/templates/validations/_validations.tpl Normal file
View File

@ -0,0 +1,46 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Validate values must not be empty.
Usage:
{{- $validateValueConf00 := (dict "valueKey" "path.to.value" "secret" "secretName" "field" "password-00") -}}
{{- $validateValueConf01 := (dict "valueKey" "path.to.value" "secret" "secretName" "field" "password-01") -}}
{{ include "common.validations.values.empty" (dict "required" (list $validateValueConf00 $validateValueConf01) "context" $) }}
Validate value params:
- valueKey - String - Required. The path to the validating value in the values.yaml, e.g: "mysql.password"
- secret - String - Optional. Name of the secret where the validating value is generated/stored, e.g: "mysql-passwords-secret"
- field - String - Optional. Name of the field in the secret data, e.g: "mysql-password"
*/}}
{{- define "common.validations.values.multiple.empty" -}}
{{- range .required -}}
{{- include "common.validations.values.single.empty" (dict "valueKey" .valueKey "secret" .secret "field" .field "context" $.context) -}}
{{- end -}}
{{- end -}}
{{/*
Validate a value must not be empty.
Usage:
{{ include "common.validations.value.empty" (dict "valueKey" "mariadb.password" "secret" "secretName" "field" "my-password" "subchart" "subchart" "context" $) }}
Validate value params:
- valueKey - String - Required. The path to the validating value in the values.yaml, e.g: "mysql.password"
- secret - String - Optional. Name of the secret where the validating value is generated/stored, e.g: "mysql-passwords-secret"
- field - String - Optional. Name of the field in the secret data, e.g: "mysql-password"
- subchart - String - Optional - Name of the subchart that the validated password is part of.
*/}}
{{- define "common.validations.values.single.empty" -}}
{{- $value := include "common.utils.getValueFromKey" (dict "key" .valueKey "context" .context) }}
{{- $subchart := ternary "" (printf "%s." .subchart) (empty .subchart) }}
{{- if not $value -}}
{{- $varname := "my-value" -}}
{{- $getCurrentValue := "" -}}
{{- if and .secret .field -}}
{{- $varname = include "common.utils.fieldToEnvVar" . -}}
{{- $getCurrentValue = printf " To get the current value:\n\n %s\n" (include "common.utils.secret.getvalue" .) -}}
{{- end -}}
{{- printf "\n '%s' must not be empty, please add '--set %s%s=$%s' to the command.%s" .valueKey $subchart .valueKey $varname $getCurrentValue -}}
{{- end -}}
{{- end -}}

5
deploy/charts/apisix/charts/etcd/charts/common/values.yaml Normal file
View File

@ -0,0 +1,5 @@
## bitnami/common
## It is required by CI/CD tools and processes.
## @skip exampleValue
##
exampleValue: common-chart

119
deploy/charts/apisix/charts/etcd/templates/NOTES.txt Normal file
View File

@ -0,0 +1,119 @@
CHART NAME: {{ .Chart.Name }}
CHART VERSION: {{ .Chart.Version }}
APP VERSION: {{ .Chart.AppVersion }}
{{- if and (eq .Values.service.type "LoadBalancer") .Values.auth.rbac.allowNoneAuthentication }}
-------------------------------------------------------------------------------
WARNING
By specifying "service.type=LoadBalancer", "auth.rbac.enabled=false" and
"auth.rbac.allowNoneAuthentication=true" you have most likely exposed the etcd
service externally without any authentication mechanism.
For security reasons, we strongly suggest that you switch to "ClusterIP" or
"NodePort". As alternative, you can also switch to "auth.rbac.enabled=true"
providing a valid password on "auth.rbac.rootPassword" parameter.
-------------------------------------------------------------------------------
{{- end }}
** Please be patient while the chart is being deployed **
{{- if .Values.diagnosticMode.enabled }}
The chart has been deployed in diagnostic mode. All probes have been disabled and the command has been overwritten with:
command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 4 }}
args: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.args "context" $) | nindent 4 }}
Get the list of pods by executing:
kubectl get pods --namespace {{ .Release.Namespace }} -l app.kubernetes.io/instance={{ .Release.Name }}
Access the pod you want to debug by executing
kubectl exec --namespace {{ .Release.Namespace }} -ti <NAME OF THE POD> -- bash
In order to replicate the container startup scripts execute this command:
/opt/bitnami/scripts/etcd/entrypoint.sh /opt/bitnami/scripts/etcd/run.sh
{{- else }}
etcd can be accessed via port {{ coalesce .Values.service.ports.client .Values.service.port }} on the following DNS name from within your cluster:
{{ template "common.names.fullname" . }}.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }}
To create a pod that you can use as a etcd client run the following command:
kubectl run {{ template "common.names.fullname" . }}-client --restart='Never' --image {{ template "etcd.image" . }}{{- if or .Values.auth.rbac.create .Values.auth.rbac.enabled }} --env ROOT_PASSWORD=$(kubectl get secret --namespace {{ .Release.Namespace }} {{ template "common.names.fullname" . }} -o jsonpath="{.data.etcd-root-password}" | base64 -d){{- end }} --env ETCDCTL_ENDPOINTS="{{ template "common.names.fullname" . }}.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }}:{{ coalesce .Values.service.ports.client .Values.service.port }}" --namespace {{ .Release.Namespace }} --command -- sleep infinity
Then, you can set/get a key using the commands below:
kubectl exec --namespace {{ .Release.Namespace }} -it {{ template "common.names.fullname" . }}-client -- bash
{{- $etcdAuthOptions := include "etcd.authOptions" . }}
etcdctl {{ $etcdAuthOptions }} put /message Hello
etcdctl {{ $etcdAuthOptions }} get /message
To connect to your etcd server from outside the cluster execute the following commands:
{{- if contains "NodePort" .Values.service.type }}
export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ template "common.names.fullname" . }})
echo "etcd URL: http://$NODE_IP:$NODE_PORT/"
{{- else if contains "LoadBalancer" .Values.service.type }}
NOTE: It may take a few minutes for the LoadBalancer IP to be available.
Watch the status with: 'kubectl get svc --namespace {{ .Release.Namespace }} -w {{ template "common.names.fullname" . }}'
export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ template "common.names.fullname" . }} --template "{{ "{{ range (index .status.loadBalancer.ingress 0) }}{{ . }}{{ end }}" }}")
echo "etcd URL: http://$SERVICE_IP:{{ coalesce .Values.service.ports.client .Values.service.port }}/"
{{- else if contains "ClusterIP" .Values.service.type }}
kubectl port-forward --namespace {{ .Release.Namespace }} svc/{{ template "common.names.fullname" . }} {{ coalesce .Values.service.ports.client .Values.service.port }}:{{ coalesce .Values.service.ports.client .Values.service.port }} &
echo "etcd URL: http://127.0.0.1:{{ coalesce .Values.service.ports.client .Values.service.port }}"
{{- end }}
{{- if or .Values.auth.rbac.create .Values.auth.rbac.enabled }}
* As rbac is enabled you should add the flag `--user root:$ETCD_ROOT_PASSWORD` to the etcdctl commands. Use the command below to export the password:
export ETCD_ROOT_PASSWORD=$(kubectl get secret --namespace {{ .Release.Namespace }} {{ template "common.names.fullname" . }} -o jsonpath="{.data.etcd-root-password}" | base64 -d)
{{- end }}
{{- if .Values.auth.client.secureTransport }}
{{- if .Values.auth.client.useAutoTLS }}
* As TLS is enabled you should add the flag `--cert-file /bitnami/etcd/data/fixtures/client/cert.pem --key-file /bitnami/etcd/data/fixtures/client/key.pem` to the etcdctl commands.
{{- else }}
* As TLS is enabled you should add the flag `--cert-file /opt/bitnami/etcd/certs/client/{{ .Values.auth.client.certFilename }} --key-file /opt/bitnami/etcd/certs/client/{{ .Values.auth.client.certKeyFilename }}` to the etcdctl commands.
{{- end }}
* You should also export a proper etcdctl endpoint using the https schema. Eg.
export ETCDCTL_ENDPOINTS=https://{{ template "common.names.fullname" . }}-0:{{ coalesce .Values.service.ports.client .Values.service.port }}
{{- end }}
{{- if .Values.auth.client.enableAuthentication }}
* As TLS host authentication is enabled you should add the flag `--ca-file /opt/bitnami/etcd/certs/client/{{ .Values.auth.client.caFilename | default "ca.crt" }}` to the etcdctl commands.
{{- end }}
{{- end }}
{{- include "common.warnings.rollingTag" .Values.image }}
{{- include "common.warnings.rollingTag" .Values.volumePermissions.image }}
{{- include "etcd.validateValues" . }}
{{- $requiredPassword := list -}}
{{- $secretName := include "etcd.secretName" . -}}
{{- if and (or .Values.auth.rbac.create .Values.auth.rbac.enabled) (not .Values.auth.rbac.existingSecret) -}}
{{- $requiredEtcdPassword := dict "valueKey" "auth.rbac.rootPassword" "secret" $secretName "field" "etcd-root-password" -}}
{{- $requiredPassword = append $requiredPassword $requiredEtcdPassword -}}
{{- end -}}
{{- $requiredEtcdPasswordErrors := include "common.validations.values.multiple.empty" (dict "required" $requiredPassword "context" $) -}}
{{- include "common.errors.upgrade.passwords.empty" (dict "validationErrors" (list $requiredEtcdPasswordErrors) "context" $) -}}

194
deploy/charts/apisix/charts/etcd/templates/_helpers.tpl Normal file
View File

@ -0,0 +1,194 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Return the proper etcd image name
*/}}
{{- define "etcd.image" -}}
{{ include "common.images.image" (dict "imageRoot" .Values.image "global" .Values.global) }}
{{- end -}}
{{/*
Return the proper image name (for the init container volume-permissions image)
*/}}
{{- define "etcd.volumePermissions.image" -}}
{{ include "common.images.image" (dict "imageRoot" .Values.volumePermissions.image "global" .Values.global) }}
{{- end -}}
{{/*
Return the proper Docker Image Registry Secret Names
*/}}
{{- define "etcd.imagePullSecrets" -}}
{{ include "common.images.pullSecrets" (dict "images" (list .Values.image .Values.volumePermissions.image) "global" .Values.global) }}
{{- end -}}
{{/*
Return the proper etcd peer protocol
*/}}
{{- define "etcd.peerProtocol" -}}
{{- if .Values.auth.peer.secureTransport -}}
{{- print "https" -}}
{{- else -}}
{{- print "http" -}}
{{- end -}}
{{- end -}}
{{/*
Return the proper etcd client protocol
*/}}
{{- define "etcd.clientProtocol" -}}
{{- if .Values.auth.client.secureTransport -}}
{{- print "https" -}}
{{- else -}}
{{- print "http" -}}
{{- end -}}
{{- end -}}
{{/*
Return the proper etcdctl authentication options
*/}}
{{- define "etcd.authOptions" -}}
{{- $rbacOption := "--user root:$ROOT_PASSWORD" -}}
{{- $certsOption := " --cert $ETCD_CERT_FILE --key $ETCD_KEY_FILE" -}}
{{- $autoCertsOption := " --cert /bitnami/etcd/data/fixtures/client/cert.pem --key /bitnami/etcd/data/fixtures/client/key.pem" -}}
{{- $caOption := " --cacert $ETCD_TRUSTED_CA_FILE" -}}
{{- if or .Values.auth.rbac.create .Values.auth.rbac.enabled -}}
{{- printf "%s" $rbacOption -}}
{{- end -}}
{{- if and .Values.auth.client.secureTransport .Values.auth.client.useAutoTLS -}}
{{- printf "%s" $autoCertsOption -}}
{{- else if and .Values.auth.client.secureTransport (not .Values.auth.client.useAutoTLS) -}}
{{- printf "%s" $certsOption -}}
{{- if .Values.auth.client.enableAuthentication -}}
{{- printf "%s" $caOption -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{/*
Return the etcd configuration configmap
*/}}
{{- define "etcd.configmapName" -}}
{{- if .Values.existingConfigmap -}}
{{- printf "%s" (tpl .Values.existingConfigmap $) -}}
{{- else -}}
{{- printf "%s-configuration" (include "common.names.fullname" .) -}}
{{- end -}}
{{- end -}}
{{/*
Return true if a configmap object should be created
*/}}
{{- define "etcd.createConfigmap" -}}
{{- if and .Values.configuration (not .Values.existingConfigmap) }}
{{- true -}}
{{- end -}}
{{- end -}}
{{/*
Return the secret with etcd credentials
*/}}
{{- define "etcd.secretName" -}}
{{- if .Values.auth.rbac.existingSecret -}}
{{- printf "%s" .Values.auth.rbac.existingSecret -}}
{{- else -}}
{{- printf "%s" (include "common.names.fullname" .) -}}
{{- end -}}
{{- end -}}
{{/*
Get the secret password key to be retrieved from etcd secret.
*/}}
{{- define "etcd.secretPasswordKey" -}}
{{- if and .Values.auth.rbac.existingSecret .Values.auth.rbac.existingSecretPasswordKey -}}
{{- printf "%s" .Values.auth.rbac.existingSecretPasswordKey -}}
{{- else -}}
{{- printf "etcd-root-password" -}}
{{- end -}}
{{- end -}}
{{/*
Return true if a secret object should be created for the etcd token private key
*/}}
{{- define "etcd.token.createSecret" -}}
{{- if and (eq .Values.auth.token.type "jwt") (empty .Values.auth.token.privateKey.existingSecret) }}
{{- true -}}
{{- end -}}
{{- end -}}
{{/*
Return the secret with etcd token private key
*/}}
{{- define "etcd.token.secretName" -}}
{{- if .Values.auth.token.privateKey.existingSecret -}}
{{- printf "%s" .Values.auth.token.privateKey.existingSecret -}}
{{- else -}}
{{- printf "%s-jwt-token" (include "common.names.fullname" .) -}}
{{- end -}}
{{- end -}}
{{/*
Return the proper Disaster Recovery PVC name
*/}}
{{- define "etcd.disasterRecovery.pvc.name" -}}
{{- if .Values.disasterRecovery.pvc.existingClaim -}}
{{- printf "%s" (tpl .Values.disasterRecovery.pvc.existingClaim $) -}}
{{- else if .Values.startFromSnapshot.existingClaim -}}
{{- printf "%s" (tpl .Values.startFromSnapshot.existingClaim $) -}}
{{- else -}}
{{- printf "%s-snapshotter" (include "common.names.fullname" .) }}
{{- end -}}
{{- end -}}
{{/*
Create the name of the service account to use
*/}}
{{- define "etcd.serviceAccountName" -}}
{{- if .Values.serviceAccount.create -}}
{{ default (include "common.names.fullname" .) .Values.serviceAccount.name }}
{{- else -}}
{{ default "default" .Values.serviceAccount.name }}
{{- end -}}
{{- end -}}
{{/*
Compile all warnings into a single message, and call fail.
*/}}
{{- define "etcd.validateValues" -}}
{{- $messages := list -}}
{{- $messages := append $messages (include "etcd.validateValues.startFromSnapshot.existingClaim" .) -}}
{{- $messages := append $messages (include "etcd.validateValues.startFromSnapshot.snapshotFilename" .) -}}
{{- $messages := append $messages (include "etcd.validateValues.disasterRecovery" .) -}}
{{- $messages := without $messages "" -}}
{{- $message := join "\n" $messages -}}
{{- if $message -}}
{{- printf "\nVALUES VALIDATION:\n%s" $message | fail -}}
{{- end -}}
{{- end -}}
{{/* Validate values of etcd - an existing claim must be provided when startFromSnapshot is enabled */}}
{{- define "etcd.validateValues.startFromSnapshot.existingClaim" -}}
{{- if and .Values.startFromSnapshot.enabled (not .Values.startFromSnapshot.existingClaim) -}}
etcd: startFromSnapshot.existingClaim
An existing claim must be provided when startFromSnapshot is enabled!!
Please provide it (--set startFromSnapshot.existingClaim="xxxx")
{{- end -}}
{{- end -}}
{{/* Validate values of etcd - the snapshot filename must be provided when startFromSnapshot is enabled */}}
{{- define "etcd.validateValues.startFromSnapshot.snapshotFilename" -}}
{{- if and .Values.startFromSnapshot.enabled (not .Values.startFromSnapshot.snapshotFilename) -}}
etcd: startFromSnapshot.snapshotFilename
The snapshot filename must be provided when startFromSnapshot is enabled!!
Please provide it (--set startFromSnapshot.snapshotFilename="xxxx")
{{- end -}}
{{- end -}}
{{/* Validate values of etcd - persistence must be enabled when disasterRecovery is enabled */}}
{{- define "etcd.validateValues.disasterRecovery" -}}
{{- if and .Values.disasterRecovery.enabled (not .Values.persistence.enabled) -}}
etcd: disasterRecovery
Persistence must be enabled when disasterRecovery is enabled!!
Please enable persistence (--set persistence.enabled=true)
{{- end -}}
{{- end -}}

17
deploy/charts/apisix/charts/etcd/templates/configmap.yaml Normal file
View File

@ -0,0 +1,17 @@
{{- if (include "etcd.createConfigmap" .) }}
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ printf "%s-configuration" (include "common.names.fullname" .) }}
namespace: {{ .Release.Namespace | quote }}
labels: {{- include "common.labels.standard" . | nindent 4 }}
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
data:
etcd.conf.yml: |-
{{- include "common.tplvalues.render" ( dict "value" .Values.configuration "context" $ ) | nindent 4 }}
{{- end }}

132
deploy/charts/apisix/charts/etcd/templates/cronjob.yaml Normal file
View File

@ -0,0 +1,132 @@
{{- if .Values.disasterRecovery.enabled -}}
apiVersion: batch/v1beta1
kind: CronJob
metadata:
name: {{ printf "%s-snapshotter" (include "common.names.fullname" .) }}
namespace: {{ .Release.Namespace | quote }}
labels: {{- include "common.labels.standard" . | nindent 4 }}
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
spec:
concurrencyPolicy: Forbid
schedule: {{ .Values.disasterRecovery.cronjob.schedule | quote }}
successfulJobsHistoryLimit: {{ .Values.disasterRecovery.cronjob.historyLimit }}
jobTemplate:
spec:
template:
metadata:
labels: {{- include "common.labels.standard" . | nindent 12 }}
app.kubernetes.io/component: snapshotter
{{- if .Values.disasterRecovery.cronjob.podAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.disasterRecovery.cronjob.podAnnotations "context" $) | nindent 12 }}
{{- end }}
spec:
{{- if .Values.disasterRecovery.cronjob.nodeSelector }}
nodeSelector: {{- toYaml .Values.disasterRecovery.cronjob.nodeSelector | nindent 12 }}
{{- end }}
{{- if .Values.disasterRecovery.cronjob.tolerations }}
tolerations: {{- toYaml .Values.disasterRecovery.cronjob.tolerations | nindent 12 }}
{{- end }}
{{- include "etcd.imagePullSecrets" . | nindent 10 }}
restartPolicy: OnFailure
{{- if .Values.podSecurityContext.enabled }}
securityContext: {{- omit .Values.podSecurityContext "enabled" | toYaml | nindent 12 }}
{{- end }}
{{- if and .Values.volumePermissions.enabled (or .Values.podSecurityContext.enabled .Values.containerSecurityContext.enabled) }}
initContainers:
- name: volume-permissions
image: {{ include "etcd.volumePermissions.image" . }}
imagePullPolicy: {{ .Values.volumePermissions.image.pullPolicy | quote }}
command:
- /bin/bash
- -ec
- |
chown -R {{ .Values.containerSecurityContext.runAsUser }}:{{ .Values.podSecurityContext.fsGroup }} /snapshots
securityContext:
runAsUser: 0
{{- if .Values.volumePermissions.resources }}
resources: {{- include "common.tplvalues.render" (dict "value" .Values.volumePermissions.resources "context" $) | nindent 16 }}
{{- end }}
volumeMounts:
- name: snapshot-volume
mountPath: /snapshots
{{- end }}
containers:
- name: etcd-snapshotter
image: {{ include "etcd.image" . }}
imagePullPolicy: {{ .Values.image.pullPolicy | quote }}
{{- if .Values.containerSecurityContext.enabled }}
securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 16 }}
{{- end }}
{{- if .Values.diagnosticMode.enabled }}
command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }}
args: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.args "context" $) | nindent 12 }}
{{- else }}
command:
- /opt/bitnami/scripts/etcd/snapshot.sh
{{- end }}
env:
- name: BITNAMI_DEBUG
value: {{ ternary "true" "false" (or .Values.image.debug .Values.diagnosticMode.enabled) | quote }}
- name: ETCDCTL_API
value: "3"
- name: ETCD_ON_K8S
value: "yes"
- name: MY_STS_NAME
value: {{ include "common.names.fullname" . | quote }}
{{- $releaseNamespace := .Release.Namespace }}
{{- $etcdFullname := include "common.names.fullname" . }}
{{- $etcdHeadlessServiceName := printf "%s-%s" $etcdFullname "headless" }}
{{- $clusterDomain := .Values.clusterDomain }}
- name: ETCD_CLUSTER_DOMAIN
value: {{ printf "%s.%s.svc.%s" $etcdHeadlessServiceName $releaseNamespace $clusterDomain | quote }}
- name: ETCD_SNAPSHOT_HISTORY_LIMIT
value: {{ .Values.disasterRecovery.cronjob.snapshotHistoryLimit | quote }}
{{- if .Values.auth.client.secureTransport }}
- name: ETCD_CERT_FILE
value: "/opt/bitnami/etcd/certs/client/{{ .Values.auth.client.certFilename }}"
- name: ETCD_KEY_FILE
value: "/opt/bitnami/etcd/certs/client/{{ .Values.auth.client.certKeyFilename }}"
{{- if .Values.auth.client.enableAuthentication }}
- name: ETCD_CLIENT_CERT_AUTH
value: "true"
- name: ETCD_TRUSTED_CA_FILE
value: "/opt/bitnami/etcd/certs/client/{{ .Values.auth.client.caFilename | default "ca.crt" }}"
{{- else if .Values.auth.client.caFilename }}
- name: ETCD_TRUSTED_CA_FILE
value: "/opt/bitnami/etcd/certs/client/{{ .Values.auth.client.caFilename | default "ca.crt" }}"
{{- end }}
{{- end }}
{{- if or .Values.auth.rbac.create .Values.auth.rbac.enabled }}
- name: ETCD_ROOT_PASSWORD
valueFrom:
secretKeyRef:
name: {{ include "etcd.secretName" . }}
key: {{ include "etcd.secretPasswordKey" . }}
{{- end }}
{{- if .Values.disasterRecovery.cronjob.resources }}
resources: {{- toYaml .Values.disasterRecovery.cronjob.resources | nindent 16 }}
{{- end }}
volumeMounts:
- name: snapshot-volume
mountPath: /snapshots
{{- if .Values.auth.client.secureTransport }}
- name: certs
mountPath: /opt/bitnami/etcd/certs/client
readOnly: true
{{- end }}
volumes:
{{- if .Values.auth.client.secureTransport }}
- name: certs
secret:
secretName: {{ required "A secret containinig the client certificates is required" (tpl .Values.auth.client.existingSecret .) }}
defaultMode: 256
{{- end }}
- name: snapshot-volume
persistentVolumeClaim:
claimName: {{ include "etcd.disasterRecovery.pvc.name" . }}
{{- end }}

4
deploy/charts/apisix/charts/etcd/templates/extra-list.yaml Normal file
View File

@ -0,0 +1,4 @@
{{- range .Values.extraDeploy }}
---
{{ include "common.tplvalues.render" (dict "value" . "context" $) }}
{{- end }}

81
deploy/charts/apisix/charts/etcd/templates/networkpolicy.yaml Normal file
View File

@ -0,0 +1,81 @@
{{- if .Values.networkPolicy.enabled }}
kind: NetworkPolicy
apiVersion: {{ template "common.capabilities.networkPolicy.apiVersion" . }}
metadata:
name: {{ template "common.names.fullname" . }}
namespace: {{ .Release.Namespace | quote }}
labels: {{- include "common.labels.standard" . | nindent 4 }}
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
spec:
podSelector:
matchLabels: {{- include "common.labels.standard" . | nindent 6 }}
{{- if .Values.podLabels }}
{{- include "common.tplvalues.render" (dict "value" .Values.podLabels "context" $) | nindent 6 }}
{{- end }}
policyTypes:
- Ingress
- Egress
egress:
# Allow dns resolution
- ports:
- port: 53
protocol: UDP
- port: 53
protocol: TCP
# Allow outbound connections to other cluster pods
- ports:
- port: {{ .Values.containerPorts.client }}
- port: {{ .Values.containerPorts.peer }}
to:
- podSelector:
matchLabels: {{- include "common.labels.standard" . | nindent 14 }}
{{- if .Values.podLabels }}
{{- include "common.tplvalues.render" (dict "value" .Values.podLabels "context" $) | nindent 14 }}
{{- end }}
{{- if .Values.networkPolicy.extraEgress }}
{{- include "common.tplvalues.render" ( dict "value" .Values.networkPolicy.extraEgress "context" $ ) | nindent 4 }}
{{- end }}
ingress:
# Allow inbound connections
- ports:
- port: {{ .Values.containerPorts.client }}
- port: {{ .Values.containerPorts.peer }}
{{- if not .Values.networkPolicy.allowExternal }}
from:
- podSelector:
matchLabels:
{{ template "common.names.fullname" . }}-client: "true"
- podSelector:
matchLabels: {{- include "common.labels.standard" . | nindent 14 }}
{{- if .Values.podLabels }}
{{- include "common.tplvalues.render" (dict "value" .Values.podLabels "context" $) | nindent 14 }}
{{- end }}
{{- if .Values.networkPolicy.ingressNSMatchLabels }}
- namespaceSelector:
matchLabels:
{{- range $key, $value := .Values.networkPolicy.ingressNSMatchLabels }}
{{ $key | quote }}: {{ $value | quote }}
{{- end }}
{{- if .Values.networkPolicy.ingressNSPodMatchLabels }}
podSelector:
matchLabels:
{{- range $key, $value := .Values.networkPolicy.ingressNSPodMatchLabels }}
{{ $key | quote }}: {{ $value | quote }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- if .Values.metrics.enabled }}
# Allow prometheus scrapes for metrics
- ports:
- port: 2379
{{- end }}
{{- if .Values.networkPolicy.extraIngress }}
{{- include "common.tplvalues.render" ( dict "value" .Values.networkPolicy.extraIngress "context" $ ) | nindent 4 }}
{{- end }}
{{- end }}

23
deploy/charts/apisix/charts/etcd/templates/pdb.yaml Normal file
View File

@ -0,0 +1,23 @@
{{- if .Values.pdb.create }}
apiVersion: {{ include "common.capabilities.policy.apiVersion" . }}
kind: PodDisruptionBudget
metadata:
name: {{ include "common.names.fullname" . }}
namespace: {{ .Release.Namespace | quote }}
labels: {{- include "common.labels.standard" . | nindent 4 }}
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
spec:
{{- if .Values.pdb.minAvailable }}
minAvailable: {{ .Values.pdb.minAvailable }}
{{- end }}
{{- if .Values.pdb.maxUnavailable }}
maxUnavailable: {{ .Values.pdb.maxUnavailable }}
{{- end }}
selector:
matchLabels: {{- include "common.labels.matchLabels" . | nindent 6 }}
{{- end }}

42
deploy/charts/apisix/charts/etcd/templates/podmonitor.yaml Normal file
View File

@ -0,0 +1,42 @@
{{- if and .Values.metrics.enabled .Values.metrics.podMonitor.enabled }}
apiVersion: monitoring.coreos.com/v1
kind: PodMonitor
metadata:
name: {{ include "common.names.fullname" . }}
namespace: {{ ternary .Values.metrics.podMonitor.namespace .Release.Namespace (not (empty .Values.metrics.podMonitor.namespace)) }}
labels: {{- include "common.labels.standard" . | nindent 4 }}
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
{{- if .Values.metrics.podMonitor.additionalLabels }}
{{- include "common.tplvalues.render" (dict "value" .Values.metrics.podMonitor.additionalLabels "context" $) | nindent 4 }}
{{- end }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
spec:
podMetricsEndpoints:
- port: client
path: /metrics
{{- if .Values.metrics.podMonitor.interval }}
interval: {{ .Values.metrics.podMonitor.interval }}
{{- end }}
{{- if .Values.metrics.podMonitor.scrapeTimeout }}
scrapeTimeout: {{ .Values.metrics.podMonitor.scrapeTimeout }}
{{- end }}
{{- if .Values.metrics.podMonitor.scheme }}
scheme: {{ .Values.metrics.podMonitor.scheme }}
{{- end }}
{{- if .Values.metrics.podMonitor.tlsConfig }}
tlsConfig: {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.podMonitor.tlsConfig "context" $ ) | nindent 8 }}
{{- end }}
{{- if .Values.metrics.podMonitor.relabelings }}
relabelings:
{{- include "common.tplvalues.render" (dict "value" .Values.metrics.podMonitor.relabelings "context" $) | nindent 8 }}
{{- end }}
namespaceSelector:
matchNames:
- {{ .Release.Namespace }}
selector:
matchLabels: {{- include "common.labels.matchLabels" . | nindent 6 }}
{{- end }}

26
deploy/charts/apisix/charts/etcd/templates/prometheusrule.yaml Normal file
View File

@ -0,0 +1,26 @@
{{- if and .Values.metrics.enabled .Values.metrics.prometheusRule.enabled }}
apiVersion: monitoring.coreos.com/v1
kind: PrometheusRule
metadata:
name: {{ include "common.names.fullname" . }}
{{- if .Values.metrics.prometheusRule.namespace }}
namespace: {{ .Values.metrics.prometheusRule.namespace }}
{{- else }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels: {{- include "common.labels.standard" . | nindent 4 }}
app.kubernetes.io/component: metrics
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
{{- if .Values.metrics.prometheusRule.additionalLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.metrics.prometheusRule.additionalLabels "context" $ ) | nindent 4 }}
{{- end }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
spec:
groups:
- name: {{ include "common.names.fullname" . }}
rules: {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.prometheusRule.rules "context" $ ) | nindent 6 }}
{{- end }}

21
deploy/charts/apisix/charts/etcd/templates/secrets.yaml Normal file
View File

@ -0,0 +1,21 @@
{{- if and (or .Values.auth.rbac.create .Values.auth.rbac.enabled) (not .Values.auth.rbac.existingSecret) -}}
apiVersion: v1
kind: Secret
metadata:
name: {{ include "common.names.fullname" . }}
namespace: {{ .Release.Namespace | quote }}
labels: {{- include "common.labels.standard" . | nindent 4 }}
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
type: Opaque
data:
{{- if .Values.auth.rbac.rootPassword }}
etcd-root-password: {{ .Values.auth.rbac.rootPassword | b64enc | quote }}
{{- else }}
etcd-root-password: {{ randAlphaNum 10 | b64enc | quote }}
{{- end }}
{{- end }}

24
deploy/charts/apisix/charts/etcd/templates/serviceaccount.yaml Normal file
View File

@ -0,0 +1,24 @@
{{- if .Values.serviceAccount.create }}
apiVersion: v1
kind: ServiceAccount
automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }}
metadata:
name: {{ include "etcd.serviceAccountName" . }}
namespace: {{ .Release.Namespace | quote }}
labels: {{- include "common.labels.standard" . | nindent 4 }}
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
{{- if .Values.serviceAccount.labels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.serviceAccount.labels "context" $ ) | nindent 4 }}
{{- end }}
{{- if or .Values.commonAnnotations .Values.serviceAccount.annotations }}
annotations:
{{- if .Values.commonAnnotations }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
{{- if .Values.serviceAccount.annotations }}
{{- include "common.tplvalues.render" ( dict "value" .Values.serviceAccount.annotations "context" $ ) | nindent 4 }}
{{- end }}
{{- end }}
{{- end }}

21
deploy/charts/apisix/charts/etcd/templates/snapshot-pvc.yaml Normal file
View File

@ -0,0 +1,21 @@
{{- if and .Values.disasterRecovery.enabled (not .Values.disasterRecovery.pvc.existingClaim) (not .Values.startFromSnapshot.enabled) -}}
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
name: {{ printf "%s-snapshotter" (include "common.names.fullname" .) }}
namespace: {{ .Release.Namespace | quote }}
labels: {{- include "common.labels.standard" . | nindent 4 }}
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
spec:
accessModes:
- ReadWriteMany
resources:
requests:
storage: {{ .Values.disasterRecovery.pvc.size | quote }}
storageClassName: {{ .Values.disasterRecovery.pvc.storageClassName | quote }}
{{- end -}}

416
deploy/charts/apisix/charts/etcd/templates/statefulset.yaml Normal file
View File

@ -0,0 +1,416 @@
apiVersion: {{ include "common.capabilities.statefulset.apiVersion" . }}
kind: StatefulSet
metadata:
name: {{ include "common.names.fullname" . }}
namespace: {{ .Release.Namespace | quote }}
labels: {{- include "common.labels.standard" . | nindent 4 }}
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
spec:
replicas: {{ .Values.replicaCount }}
selector:
matchLabels: {{- include "common.labels.matchLabels" . | nindent 6 }}
serviceName: {{ printf "%s-headless" (include "common.names.fullname" .) }}
podManagementPolicy: {{ .Values.podManagementPolicy }}
updateStrategy: {{- include "common.tplvalues.render" (dict "value" .Values.updateStrategy "context" $ ) | nindent 4 }}
template:
metadata:
labels: {{- include "common.labels.standard" . | nindent 8 }}
{{- if .Values.podLabels }}
{{- include "common.tplvalues.render" (dict "value" .Values.podLabels "context" $) | nindent 8 }}
{{- end }}
annotations:
{{- if .Values.podAnnotations }}
{{- include "common.tplvalues.render" ( dict "value" .Values.podAnnotations "context" $) | nindent 8 }}
{{- end }}
{{- if and .Values.metrics.enabled .Values.metrics.podAnnotations }}
{{- include "common.tplvalues.render" ( dict "value" .Values.metrics.podAnnotations "context" $) | nindent 8 }}
{{- end }}
{{- if (include "etcd.createConfigmap" .) }}
checksum/configuration: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
{{- end }}
{{- if (include "etcd.token.createSecret" .) }}
checksum/token-secret: {{ include (print $.Template.BasePath "/token-secrets.yaml") . | sha256sum }}
{{- end }}
spec:
{{- include "etcd.imagePullSecrets" . | nindent 6 }}
{{- if .Values.hostAliases }}
hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.hostAliases "context" $) | nindent 8 }}
{{- end }}
{{- if .Values.affinity }}
affinity: {{- include "common.tplvalues.render" (dict "value" .Values.affinity "context" $) | nindent 8 }}
{{- else }}
affinity:
podAffinity: {{- include "common.affinities.pods" (dict "type" .Values.podAffinityPreset "context" $) | nindent 10 }}
podAntiAffinity: {{- include "common.affinities.pods" (dict "type" .Values.podAntiAffinityPreset "context" $) | nindent 10 }}
nodeAffinity: {{- include "common.affinities.nodes" (dict "type" .Values.nodeAffinityPreset.type "key" .Values.nodeAffinityPreset.key "values" .Values.nodeAffinityPreset.values) | nindent 10 }}
{{- end }}
{{- if .Values.nodeSelector }}
nodeSelector: {{- include "common.tplvalues.render" (dict "value" .Values.nodeSelector "context" $) | nindent 8 }}
{{- end }}
{{- if .Values.tolerations }}
tolerations: {{- include "common.tplvalues.render" (dict "value" .Values.tolerations "context" $) | nindent 8 }}
{{- end }}
{{- if .Values.terminationGracePeriodSeconds }}
terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }}
{{- end }}
{{- if .Values.schedulerName }}
schedulerName: {{ .Values.schedulerName }}
{{- end }}
{{- if .Values.topologySpreadConstraints }}
topologySpreadConstraints: {{- include "common.tplvalues.render" (dict "value" .Values.topologySpreadConstraints "context" .) | nindent 8 }}
{{- end }}
{{- if .Values.priorityClassName }}
priorityClassName: {{ .Values.priorityClassName }}
{{- end }}
{{- if .Values.runtimeClassName }}
runtimeClassName: {{ .Values.runtimeClassName }}
{{- end }}
{{- if .Values.podSecurityContext.enabled }}
securityContext: {{- omit .Values.podSecurityContext "enabled" | toYaml | nindent 8 }}
{{- end }}
serviceAccountName: {{ include "etcd.serviceAccountName" $ | quote }}
{{- if or .Values.initContainers (and .Values.volumePermissions.enabled .Values.persistence.enabled) }}
initContainers:
{{- if .Values.initContainers }}
{{- include "common.tplvalues.render" (dict "value" .Values.initContainers "context" $) | nindent 8 }}
{{- end }}
{{- if and .Values.volumePermissions.enabled .Values.persistence.enabled }}
- name: volume-permissions
image: {{ include "etcd.volumePermissions.image" . }}
imagePullPolicy: {{ .Values.volumePermissions.image.pullPolicy | quote }}
command:
- /bin/bash
- -ec
- |
chown -R {{ .Values.containerSecurityContext.runAsUser }}:{{ .Values.podSecurityContext.fsGroup }} /bitnami/etcd
securityContext:
runAsUser: 0
{{- if .Values.volumePermissions.resources }}
resources: {{- include "common.tplvalues.render" (dict "value" .Values.volumePermissions.resources "context" $) | nindent 12 }}
{{- end }}
volumeMounts:
- name: data
mountPath: /bitnami/etcd
{{- end }}
{{- end }}
containers:
{{- $replicaCount := int .Values.replicaCount }}
{{- $peerPort := int .Values.containerPorts.peer }}
{{- $etcdFullname := include "common.names.fullname" . }}
{{- $releaseNamespace := .Release.Namespace }}
{{- $etcdHeadlessServiceName := printf "%s-%s" $etcdFullname "headless" }}
{{- $clusterDomain := .Values.clusterDomain }}
{{- $etcdPeerProtocol := include "etcd.peerProtocol" . }}
{{- $etcdClientProtocol := include "etcd.clientProtocol" . }}
- name: etcd
image: {{ include "etcd.image" . }}
imagePullPolicy: {{ .Values.image.pullPolicy | quote }}
{{- if .Values.containerSecurityContext.enabled }}
securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }}
{{- end }}
{{- if .Values.diagnosticMode.enabled }}
command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }}
{{- else if .Values.command }}
command: {{- include "common.tplvalues.render" (dict "value" .Values.command "context" $) | nindent 12 }}
{{- end }}
{{- if .Values.diagnosticMode.enabled }}
args: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.args "context" $) | nindent 12 }}
{{- else if .Values.args }}
args: {{- include "common.tplvalues.render" (dict "value" .Values.args "context" $) | nindent 12 }}
{{- end }}
env:
- name: BITNAMI_DEBUG
value: {{ ternary "true" "false" (or .Values.image.debug .Values.diagnosticMode.enabled) | quote }}
- name: MY_POD_IP
valueFrom:
fieldRef:
fieldPath: status.podIP
- name: MY_POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: MY_STS_NAME
value: {{ include "common.names.fullname" . | quote }}
- name: ETCDCTL_API
value: "3"
- name: ETCD_ON_K8S
value: "yes"
- name: ETCD_START_FROM_SNAPSHOT
value: {{ ternary "yes" "no" .Values.startFromSnapshot.enabled | quote }}
- name: ETCD_DISASTER_RECOVERY
value: {{ ternary "yes" "no" .Values.disasterRecovery.enabled | quote }}
- name: ETCD_NAME
value: "$(MY_POD_NAME)"
- name: ETCD_DATA_DIR
value: "/bitnami/etcd/data"
- name: ETCD_LOG_LEVEL
value: {{ ternary "debug" "info" .Values.image.debug | quote }}
- name: ALLOW_NONE_AUTHENTICATION
value: {{ ternary "yes" "no" (and (not (or .Values.auth.rbac.create .Values.auth.rbac.enabled)) .Values.auth.rbac.allowNoneAuthentication) | quote }}
{{- if or .Values.auth.rbac.create .Values.auth.rbac.enabled }}
- name: ETCD_ROOT_PASSWORD
valueFrom:
secretKeyRef:
name: {{ include "etcd.secretName" . }}
key: {{ include "etcd.secretPasswordKey" . }}
{{- end }}
- name: ETCD_AUTH_TOKEN
{{- if eq .Values.auth.token.type "jwt" }}
value: {{ printf "jwt,priv-key=/opt/bitnami/etcd/certs/token/%s,sign-method=%s,ttl=%s" .Values.auth.token.privateKey.filename .Values.auth.token.signMethod .Values.auth.token.ttl | quote }}
{{- else if eq .Values.auth.token.type "simple" }}
value: "simple"
{{- end }}
- name: ETCD_ADVERTISE_CLIENT_URLS
value: "{{ $etcdClientProtocol }}://$(MY_POD_NAME).{{ $etcdHeadlessServiceName }}.{{ .Release.Namespace }}.svc.{{ $clusterDomain }}:{{ .Values.containerPorts.client }},{{ $etcdClientProtocol }}://{{ $etcdFullname }}.{{ .Release.Namespace }}.svc.{{ $clusterDomain }}:{{ coalesce .Values.service.ports.client .Values.service.port }}"
- name: ETCD_LISTEN_CLIENT_URLS
value: "{{ $etcdClientProtocol }}://0.0.0.0:{{ .Values.containerPorts.client }}"
- name: ETCD_INITIAL_ADVERTISE_PEER_URLS
value: "{{ $etcdPeerProtocol }}://$(MY_POD_NAME).{{ $etcdHeadlessServiceName }}.{{ .Release.Namespace }}.svc.{{ $clusterDomain }}:{{ .Values.containerPorts.peer }}"
- name: ETCD_LISTEN_PEER_URLS
value: "{{ $etcdPeerProtocol }}://0.0.0.0:{{ .Values.containerPorts.peer }}"
{{- if .Values.autoCompactionMode }}
- name: ETCD_AUTO_COMPACTION_MODE
value: {{ .Values.autoCompactionMode | quote }}
{{- end }}
{{- if .Values.autoCompactionRetention }}
- name: ETCD_AUTO_COMPACTION_RETENTION
value: {{ .Values.autoCompactionRetention | quote }}
{{- end }}
{{- if .Values.maxProcs }}
- name: GOMAXPROCS
value: {{ .Values.maxProcs }}
{{- end }}
{{- if gt $replicaCount 1 }}
- name: ETCD_INITIAL_CLUSTER_TOKEN
value: "etcd-cluster-k8s"
- name: ETCD_INITIAL_CLUSTER_STATE
value: {{ default (ternary "new" "existing" .Release.IsInstall) .Values.initialClusterState | quote }}
{{- $initialCluster := list }}
{{- range $e, $i := until $replicaCount }}
{{- $initialCluster = append $initialCluster (printf "%s-%d=%s://%s-%d.%s.%s.svc.%s:%d" $etcdFullname $i $etcdPeerProtocol $etcdFullname $i $etcdHeadlessServiceName $releaseNamespace $clusterDomain $peerPort) }}
{{- end }}
- name: ETCD_INITIAL_CLUSTER
value: {{ join "," $initialCluster | quote }}
{{- end }}
- name: ETCD_CLUSTER_DOMAIN
value: {{ printf "%s.%s.svc.%s" $etcdHeadlessServiceName $releaseNamespace $clusterDomain | quote }}
{{- if and .Values.auth.client.secureTransport .Values.auth.client.useAutoTLS }}
- name: ETCD_AUTO_TLS
value: "true"
{{- else if .Values.auth.client.secureTransport }}
- name: ETCD_CERT_FILE
value: "/opt/bitnami/etcd/certs/client/{{ .Values.auth.client.certFilename }}"
- name: ETCD_KEY_FILE
value: "/opt/bitnami/etcd/certs/client/{{ .Values.auth.client.certKeyFilename }}"
{{- if .Values.auth.client.enableAuthentication }}
- name: ETCD_CLIENT_CERT_AUTH
value: "true"
- name: ETCD_TRUSTED_CA_FILE
value: "/opt/bitnami/etcd/certs/client/{{ .Values.auth.client.caFilename | default "ca.crt" }}"
{{- else if .Values.auth.client.caFilename }}
- name: ETCD_TRUSTED_CA_FILE
value: "/opt/bitnami/etcd/certs/client/{{ .Values.auth.client.caFilename | default "ca.crt" }}"
{{- end }}
{{- end }}
{{- if and .Values.auth.peer.secureTransport .Values.auth.peer.useAutoTLS }}
- name: ETCD_PEER_AUTO_TLS
value: "true"
{{- else if .Values.auth.peer.secureTransport }}
- name: ETCD_PEER_CERT_FILE
value: "/opt/bitnami/etcd/certs/peer/{{ .Values.auth.peer.certFilename }}"
- name: ETCD_PEER_KEY_FILE
value: "/opt/bitnami/etcd/certs/peer/{{ .Values.auth.peer.certKeyFilename }}"
{{- if .Values.auth.peer.enableAuthentication }}
- name: ETCD_PEER_CLIENT_CERT_AUTH
value: "true"
- name: ETCD_PEER_TRUSTED_CA_FILE
value: "/opt/bitnami/etcd/certs/peer/{{ .Values.auth.peer.caFilename | default "ca.crt" }}"
{{- else if .Values.auth.peer.caFilename }}
- name: ETCD_PEER_TRUSTED_CA_FILE
value: "/opt/bitnami/etcd/certs/peer/{{ .Values.auth.peer.caFilename | default "ca.crt" }}"
{{- end }}
{{- end }}
{{- if .Values.startFromSnapshot.enabled }}
- name: ETCD_INIT_SNAPSHOT_FILENAME
value: {{ .Values.startFromSnapshot.snapshotFilename | quote }}
- name: ETCD_INIT_SNAPSHOTS_DIR
value: {{ ternary "/snapshots" "/init-snapshot" (and .Values.disasterRecovery.enabled (not .Values.disasterRecovery.pvc.existingClaim)) | quote }}
{{- end }}
{{- if .Values.extraEnvVars }}
{{- include "common.tplvalues.render" (dict "value" .Values.extraEnvVars "context" $) | nindent 12 }}
{{- end }}
envFrom:
{{- if .Values.extraEnvVarsCM }}
- configMapRef:
name: {{ include "common.tplvalues.render" (dict "value" .Values.extraEnvVarsCM "context" $) }}
{{- end }}
{{- if .Values.extraEnvVarsSecret }}
- secretRef:
name: {{ include "common.tplvalues.render" (dict "value" .Values.extraEnvVarsSecret "context" $) }}
{{- end }}
ports:
- name: client
containerPort: {{ .Values.containerPorts.client }}
protocol: TCP
- name: peer
containerPort: {{ .Values.containerPorts.peer }}
protocol: TCP
{{- if not .Values.diagnosticMode.enabled }}
{{- if .Values.livenessProbe.enabled }}
livenessProbe:
exec:
command:
- /opt/bitnami/scripts/etcd/healthcheck.sh
initialDelaySeconds: {{ .Values.livenessProbe.initialDelaySeconds }}
periodSeconds: {{ .Values.livenessProbe.periodSeconds }}
timeoutSeconds: {{ .Values.livenessProbe.timeoutSeconds }}
successThreshold: {{ .Values.livenessProbe.successThreshold }}
failureThreshold: {{ .Values.livenessProbe.failureThreshold }}
{{- else if .Values.customLivenessProbe }}
livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.customLivenessProbe "context" $) | nindent 12 }}
{{- end }}
{{- if .Values.readinessProbe.enabled }}
readinessProbe:
exec:
command:
- /opt/bitnami/scripts/etcd/healthcheck.sh
initialDelaySeconds: {{ .Values.readinessProbe.initialDelaySeconds }}
periodSeconds: {{ .Values.readinessProbe.periodSeconds }}
timeoutSeconds: {{ .Values.readinessProbe.timeoutSeconds }}
successThreshold: {{ .Values.readinessProbe.successThreshold }}
failureThreshold: {{ .Values.readinessProbe.failureThreshold }}
{{- else if .Values.customReadinessProbe }}
readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.customReadinessProbe "context" $) | nindent 12 }}
{{- end }}
{{- if .Values.startupProbe.enabled }}
startupProbe:
exec:
command:
- /opt/bitnami/scripts/etcd/healthcheck.sh
initialDelaySeconds: {{ .Values.startupProbe.initialDelaySeconds }}
periodSeconds: {{ .Values.startupProbe.periodSeconds }}
timeoutSeconds: {{ .Values.startupProbe.timeoutSeconds }}
successThreshold: {{ .Values.startupProbe.successThreshold }}
failureThreshold: {{ .Values.startupProbe.failureThreshold }}
{{- else if .Values.customStartupProbe }}
startupProbe: {{- include "common.tplvalues.render" (dict "value" .Values.customStartupProbe "context" $) | nindent 12 }}
{{- end }}
{{- if .Values.lifecycleHooks }}
lifecycle: {{- include "common.tplvalues.render" (dict "value" .Values.lifecycleHooks "context" $) | nindent 12 }}
{{- else if and (gt $replicaCount 1) .Values.removeMemberOnContainerTermination }}
lifecycle:
preStop:
exec:
command:
- /opt/bitnami/scripts/etcd/prestop.sh
{{- end }}
{{- end }}
{{- if .Values.resources }}
resources: {{- include "common.tplvalues.render" (dict "value" .Values.resources "context" $) | nindent 12 }}
{{- end }}
volumeMounts:
- name: data
mountPath: /bitnami/etcd
{{- if eq .Values.auth.token.type "jwt" }}
- name: etcd-jwt-token
mountPath: /opt/bitnami/etcd/certs/token/
readOnly: true
{{- end }}
{{- if or (and .Values.startFromSnapshot.enabled (not .Values.disasterRecovery.enabled)) (and .Values.disasterRecovery.enabled .Values.startFromSnapshot.enabled .Values.disasterRecovery.pvc.existingClaim) }}
- name: init-snapshot-volume
mountPath: /init-snapshot
{{- end }}
{{- if or .Values.disasterRecovery.enabled (and .Values.disasterRecovery.enabled .Values.startFromSnapshot.enabled) }}
- name: snapshot-volume
mountPath: /snapshots
{{- end }}
{{- if or .Values.configuration .Values.existingConfigmap }}
- name: etcd-config
mountPath: /opt/bitnami/etcd/conf/
{{- end }}
{{- if or .Values.auth.client.enableAuthentication (and .Values.auth.client.secureTransport (not .Values.auth.client.useAutoTLS )) }}
- name: etcd-client-certs
mountPath: /opt/bitnami/etcd/certs/client/
readOnly: true
{{- end }}
{{- if or .Values.auth.peer.enableAuthentication (and .Values.auth.peer.secureTransport (not .Values.auth.peer.useAutoTLS )) }}
- name: etcd-peer-certs
mountPath: /opt/bitnami/etcd/certs/peer/
readOnly: true
{{- end }}
{{- if .Values.extraVolumeMounts }}
{{- include "common.tplvalues.render" (dict "value" .Values.extraVolumeMounts "context" $) | nindent 12 }}
{{- end }}
{{- if .Values.sidecars }}
{{- include "common.tplvalues.render" (dict "value" .Values.sidecars "context" $) | nindent 8 }}
{{- end }}
volumes:
{{- if eq .Values.auth.token.type "jwt" }}
- name: etcd-jwt-token
secret:
secretName: {{ include "etcd.token.secretName" . }}
defaultMode: 256
{{- end }}
{{- if or (and .Values.startFromSnapshot.enabled (not .Values.disasterRecovery.enabled)) (and .Values.disasterRecovery.enabled .Values.startFromSnapshot.enabled .Values.disasterRecovery.pvc.existingClaim) }}
- name: init-snapshot-volume
persistentVolumeClaim:
claimName: {{ .Values.startFromSnapshot.existingClaim }}
{{- end }}
{{- if or .Values.disasterRecovery.enabled (and .Values.disasterRecovery.enabled .Values.startFromSnapshot.enabled) }}
- name: snapshot-volume
persistentVolumeClaim:
claimName: {{ include "etcd.disasterRecovery.pvc.name" . }}
{{- end }}
{{- if or .Values.configuration .Values.existingConfigmap }}
- name: etcd-config
configMap:
name: {{ include "etcd.configmapName" . }}
{{- end }}
{{- if or .Values.auth.client.enableAuthentication (and .Values.auth.client.secureTransport (not .Values.auth.client.useAutoTLS )) }}
- name: etcd-client-certs
secret:
secretName: {{ required "A secret containing the client certificates is required" (tpl .Values.auth.client.existingSecret .) }}
defaultMode: 256
{{- end }}
{{- if or .Values.auth.peer.enableAuthentication (and .Values.auth.peer.secureTransport (not .Values.auth.peer.useAutoTLS )) }}
- name: etcd-peer-certs
secret:
secretName: {{ required "A secret containing the peer certificates is required" (tpl .Values.auth.peer.existingSecret .) }}
defaultMode: 256
{{- end }}
{{- if .Values.extraVolumes }}
{{- include "common.tplvalues.render" (dict "value" .Values.extraVolumes "context" $) | nindent 8 }}
{{- end }}
{{- if not .Values.persistence.enabled }}
- name: data
emptyDir: {}
{{- else }}
{{- if .Values.persistentVolumeClaimRetentionPolicy.enabled }}
persistentVolumeClaimRetentionPolicy:
whenDeleted: {{ .Values.persistentVolumeClaimRetentionPolicy.whenDeleted }}
whenScaled: {{ .Values.persistentVolumeClaimRetentionPolicy.whenScaled }}
{{- end }}
volumeClaimTemplates:
- metadata:
name: data
{{- if .Values.persistence.annotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.persistence.annotations "context" $) | nindent 10 }}
{{- end }}
spec:
accessModes:
{{- range .Values.persistence.accessModes }}
- {{ . | quote }}
{{- end }}
resources:
requests:
storage: {{ .Values.persistence.size | quote }}
{{- if .Values.persistence.selector }}
selector: {{- include "common.tplvalues.render" ( dict "value" .Values.persistence.selector "context" $) | nindent 10 }}
{{- end }}
{{ include "common.storage.class" (dict "persistence" .Values.persistence "global" .Values.global) }}
{{- end }}

42
deploy/charts/apisix/charts/etcd/templates/svc-headless.yaml Normal file
View File

@ -0,0 +1,42 @@
apiVersion: v1
kind: Service
metadata:
name: {{ printf "%s-headless" (include "common.names.fullname" .) }}
namespace: {{ .Release.Namespace | quote }}
labels: {{- include "common.labels.standard" . | nindent 4 }}
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
annotations:
service.alpha.kubernetes.io/tolerate-unready-endpoints: "true"
{{- if .Values.commonAnnotations }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
spec:
type: ClusterIP
clusterIP: None
publishNotReadyAddresses: true
ports:
{{- if .Values.service.clientPortNameOverride }}
{{- if .Values.auth.client.secureTransport }}
- name: {{ .Values.service.clientPortNameOverride }}-ssl
{{- else }}
- name: {{ .Values.service.clientPortNameOverride }}
{{- end }}
{{- else }}
- name: client
{{- end }}
port: {{ .Values.containerPorts.client }}
targetPort: client
{{- if .Values.service.peerPortNameOverride }}
{{- if .Values.auth.peer.secureTransport }}
- name: {{ .Values.service.peerPortNameOverride }}-ssl
{{- else }}
- name: {{ .Values.service.peerPortNameOverride }}
{{- end }}
{{- else }}
- name: peer
{{- end }}
port: {{ .Values.containerPorts.peer }}
targetPort: peer
selector: {{- include "common.labels.matchLabels" . | nindent 4 }}

62
deploy/charts/apisix/charts/etcd/templates/svc.yaml Normal file
View File

@ -0,0 +1,62 @@
{{- if .Values.service.enabled }}
apiVersion: v1
kind: Service
metadata:
name: {{ include "common.names.fullname" . }}
namespace: {{ .Release.Namespace | quote }}
labels: {{- include "common.labels.standard" . | nindent 4 }}
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
annotations:
{{- if .Values.service.annotations }}
{{- include "common.tplvalues.render" ( dict "value" .Values.service.annotations "context" $) | nindent 4 }}
{{- end }}
{{- if .Values.commonAnnotations }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
spec:
type: {{ .Values.service.type }}
{{- if and .Values.service.clusterIP (eq .Values.service.type "ClusterIP") }}
clusterIP: {{ .Values.service.clusterIP }}
{{- end }}
{{- if (or (eq .Values.service.type "LoadBalancer") (eq .Values.service.type "NodePort")) }}
externalTrafficPolicy: {{ .Values.service.externalTrafficPolicy | quote }}
{{- end }}
{{- if and (eq .Values.service.type "LoadBalancer") (not (empty .Values.service.loadBalancerIP)) }}
loadBalancerIP: {{ .Values.service.loadBalancerIP }}
{{- end }}
{{- if and (eq .Values.service.type "LoadBalancer") (not (empty .Values.service.loadBalancerSourceRanges)) }}
loadBalancerSourceRanges: {{- toYaml .Values.service.loadBalancerSourceRanges | nindent 4 }}
{{- end }}
{{- if .Values.service.externalIPs }}
externalIPs: {{- toYaml .Values.service.externalIPs | nindent 4 }}
{{- end }}
{{- if .Values.service.sessionAffinity }}
sessionAffinity: {{ .Values.service.sessionAffinity }}
{{- end }}
{{- if .Values.service.sessionAffinityConfig }}
sessionAffinityConfig: {{- include "common.tplvalues.render" (dict "value" .Values.service.sessionAffinityConfig "context" $) | nindent 4 }}
{{- end }}
ports:
- name: {{ default "client" .Values.service.clientPortNameOverride | quote }}
port: {{ coalesce .Values.service.ports.client .Values.service.port }}
targetPort: client
{{- if and (or (eq .Values.service.type "NodePort") (eq .Values.service.type "LoadBalancer")) (not (empty (coalesce .Values.service.nodePorts.client .Values.service.nodePorts.clientPort))) }}
nodePort: {{ coalesce .Values.service.nodePorts.client .Values.service.nodePorts.clientPort }}
{{- else if eq .Values.service.type "ClusterIP" }}
nodePort: null
{{- end }}
- name: {{ default "peer" .Values.service.peerPortNameOverride | quote }}
port: {{ coalesce .Values.service.ports.peer .Values.service.peerPort }}
targetPort: peer
{{- if and (or (eq .Values.service.type "NodePort") (eq .Values.service.type "LoadBalancer")) (not (empty (coalesce .Values.service.nodePorts.peer .Values.service.nodePorts.peerPort))) }}
nodePort: {{ coalesce .Values.service.nodePorts.peer .Values.service.nodePorts.peerPort }}
{{- else if eq .Values.service.type "ClusterIP" }}
nodePort: null
{{- end }}
{{- if .Values.service.extraPorts }}
{{- include "common.tplvalues.render" (dict "value" .Values.service.extraPorts "context" $) | nindent 4 }}
{{- end }}
selector: {{- include "common.labels.matchLabels" . | nindent 4 }}
{{- end }}

14
deploy/charts/apisix/charts/etcd/templates/token-secrets.yaml Normal file
View File

@ -0,0 +1,14 @@
{{- if (include "etcd.token.createSecret" .) }}
apiVersion: v1
kind: Secret
metadata:
name: {{ printf "%s-jwt-token" (include "common.names.fullname" .) }}
namespace: {{ .Release.Namespace | quote }}
labels: {{- include "common.labels.standard" . | nindent 4 }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
type: Opaque
data:
jwt-token.pem: {{ genPrivateKey "rsa" | b64enc | quote }}
{{- end }}

869
deploy/charts/apisix/charts/etcd/values.yaml Normal file
View File

@ -0,0 +1,869 @@
## @section Global parameters
## Global Docker image parameters
## Please, note that this will override the image parameters, including dependencies, configured to use the global value
## Current available global Docker image parameters: imageRegistry, imagePullSecrets and storageClass
##
## @param global.imageRegistry Global Docker image registry
## @param global.imagePullSecrets [array] Global Docker registry secret names as an array
## @param global.storageClass Global StorageClass for Persistent Volume(s)
##
global:
imageRegistry: ""
## E.g.
## imagePullSecrets:
## - myRegistryKeySecretName
##
imagePullSecrets: []
storageClass: ""
## @section Common parameters
##
## @param kubeVersion Force target Kubernetes version (using Helm capabilities if not set)
##
kubeVersion: ""
## @param nameOverride String to partially override common.names.fullname template (will maintain the release name)
##
nameOverride: ""
## @param fullnameOverride String to fully override common.names.fullname template
##
fullnameOverride: ""
## @param commonLabels [object] Labels to add to all deployed objects
##
commonLabels: {}
## @param commonAnnotations [object] Annotations to add to all deployed objects
##
commonAnnotations: {}
## @param clusterDomain Default Kubernetes cluster domain
##
clusterDomain: cluster.local
## @param extraDeploy [array] Array of extra objects to deploy with the release
##
extraDeploy: []
## Enable diagnostic mode in the deployment
##
diagnosticMode:
## @param diagnosticMode.enabled Enable diagnostic mode (all probes will be disabled and the command will be overridden)
##
enabled: false
## @param diagnosticMode.command Command to override all containers in the deployment
##
command:
- sleep
## @param diagnosticMode.args Args to override all containers in the deployment
##
args:
- infinity
## @section etcd parameters
##
## Bitnami etcd image version
## ref: https://hub.docker.com/r/bitnami/etcd/tags/
## @param image.registry etcd image registry
## @param image.repository etcd image name
## @param image.tag etcd image tag
## @param image.pullPolicy etcd image pull policy
## @param image.pullSecrets [array] etcd image pull secrets
## @param image.debug Enable image debug mode
##
image:
registry: docker.io
repository: bitnami/etcd
tag: 3.5.4-debian-11-r14
## Specify a imagePullPolicy
## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
## ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images
##
pullPolicy: IfNotPresent
## Optionally specify an array of imagePullSecrets.
## Secrets must be manually created in the namespace.
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
## e.g:
## pullSecrets:
## - myRegistryKeySecretName
##
pullSecrets: []
## Set to true if you would like to see extra information on logs
##
debug: false
## Authentication parameters
##
auth:
## Role-based access control parameters
## ref: https://etcd.io/docs/current/op-guide/authentication/
##
rbac:
## @param auth.rbac.create Switch to enable RBAC authentication
##
create: true
## @param auth.rbac.allowNoneAuthentication Allow to use etcd without configuring RBAC authentication
##
allowNoneAuthentication: true
## @param auth.rbac.rootPassword Root user password. The root user is always `root`
##
rootPassword: ""
## @param auth.rbac.existingSecret Name of the existing secret containing credentials for the root user
##
existingSecret: ""
## @param auth.rbac.existingSecretPasswordKey Name of key containing password to be retrieved from the existing secret
##
existingSecretPasswordKey: ""
## Authentication token
## ref: https://etcd.io/docs/latest/learning/design-auth-v3/#two-types-of-tokens-simple-and-jwt
##
token:
## @param auth.token.type Authentication token type. Allowed values: 'simple' or 'jwt'
## ref: https://etcd.io/docs/latest/op-guide/configuration/#--auth-token
##
type: jwt
## @param auth.token.privateKey.filename Name of the file containing the private key for signing the JWT token
## @param auth.token.privateKey.existingSecret Name of the existing secret containing the private key for signing the JWT token
## NOTE: Ignored if auth.token.type=simple
## NOTE: A secret containing a private key will be auto-generated if an existing one is not provided.
##
privateKey:
filename: jwt-token.pem
existingSecret: ""
## @param auth.token.signMethod JWT token sign method
## NOTE: Ignored if auth.token.type=simple
##
signMethod: RS256
## @param auth.token.ttl JWT token TTL
## NOTE: Ignored if auth.token.type=simple
##
ttl: 10m
## TLS authentication for client-to-server communications
## ref: https://etcd.io/docs/current/op-guide/security/
##
client:
## @param auth.client.secureTransport Switch to encrypt client-to-server communications using TLS certificates
##
secureTransport: false
## @param auth.client.useAutoTLS Switch to automatically create the TLS certificates
##
useAutoTLS: false
## @param auth.client.existingSecret Name of the existing secret containing the TLS certificates for client-to-server communications
##
existingSecret: ""
## @param auth.client.enableAuthentication Switch to enable host authentication using TLS certificates. Requires existing secret
##
enableAuthentication: false
## @param auth.client.certFilename Name of the file containing the client certificate
##
certFilename: cert.pem
## @param auth.client.certKeyFilename Name of the file containing the client certificate private key
##
certKeyFilename: key.pem
## @param auth.client.caFilename Name of the file containing the client CA certificate
## If not specified and `auth.client.enableAuthentication=true` or `auth.rbac.enabled=true`, the default is is `ca.crt`
##
caFilename: ""
## TLS authentication for server-to-server communications
## ref: https://etcd.io/docs/current/op-guide/security/
##
peer:
## @param auth.peer.secureTransport Switch to encrypt server-to-server communications using TLS certificates
##
secureTransport: false
## @param auth.peer.useAutoTLS Switch to automatically create the TLS certificates
##
useAutoTLS: false
## @param auth.peer.existingSecret Name of the existing secret containing the TLS certificates for server-to-server communications
##
existingSecret: ""
## @param auth.peer.enableAuthentication Switch to enable host authentication using TLS certificates. Requires existing secret
##
enableAuthentication: false
## @param auth.peer.certFilename Name of the file containing the peer certificate
##
certFilename: cert.pem
## @param auth.peer.certKeyFilename Name of the file containing the peer certificate private key
##
certKeyFilename: key.pem
## @param auth.peer.caFilename Name of the file containing the peer CA certificate
## If not specified and `auth.peer.enableAuthentication=true` or `rbac.enabled=true`, the default is is `ca.crt`
##
caFilename: ""
## @param autoCompactionMode Auto compaction mode, by default periodic. Valid values: "periodic", "revision".
## - 'periodic' for duration based retention, defaulting to hours if no time unit is provided (e.g. 5m).
## - 'revision' for revision number based retention.
##
autoCompactionMode: ""
## @param autoCompactionRetention Auto compaction retention for mvcc key value store in hour, by default 0, means disabled
##
autoCompactionRetention: ""
## @param initialClusterState Initial cluster state. Allowed values: 'new' or 'existing'
## If this values is not set, the default values below are set:
## - 'new': when installing the chart ('helm install ...')
## - 'existing': when upgrading the chart ('helm upgrade ...')
##
initialClusterState: ""
## @param maxProcs Limits the number of operating system threads that can execute user-level
## Go code simultaneously by setting GOMAXPROCS environment variable
## ref: https://golang.org/pkg/runtime
##
maxProcs: ""
## @param removeMemberOnContainerTermination Use a PreStop hook to remove the etcd members from the etcd cluster on container termination
## they the containers are terminated
## NOTE: Ignored if lifecycleHooks is set or replicaCount=1
##
removeMemberOnContainerTermination: true
## @param configuration etcd configuration. Specify content for etcd.conf.yml
## e.g:
## configuration: |-
## foo: bar
## baz:
##
configuration: ""
## @param existingConfigmap Existing ConfigMap with etcd configuration
## NOTE: When it's set the configuration parameter is ignored
##
existingConfigmap: ""
## @param extraEnvVars [array] Extra environment variables to be set on etcd container
## e.g:
## extraEnvVars:
## - name: FOO
## value: "bar"
##
extraEnvVars: []
## @param extraEnvVarsCM Name of existing ConfigMap containing extra env vars
##
extraEnvVarsCM: ""
## @param extraEnvVarsSecret Name of existing Secret containing extra env vars
##
extraEnvVarsSecret: ""
## @param command [array] Default container command (useful when using custom images)
##
command: []
## @param args [array] Default container args (useful when using custom images)
##
args: []
## @section etcd statefulset parameters
##
## @param replicaCount Number of etcd replicas to deploy
##
replicaCount: 1
## Update strategy
## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies
## @param updateStrategy.type Update strategy type, can be set to RollingUpdate or OnDelete.
##
updateStrategy:
type: RollingUpdate
## @param podManagementPolicy Pod management policy for the etcd statefulset
## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#pod-management-policies
##
podManagementPolicy: Parallel
## @param hostAliases [array] etcd pod host aliases
## ref: https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/
##
hostAliases: []
## @param lifecycleHooks [object] Override default etcd container hooks
##
lifecycleHooks: {}
## etcd container ports to open
## @param containerPorts.client Client port to expose at container level
## @param containerPorts.peer Peer port to expose at container level
##
containerPorts:
client: 2379
peer: 2380
## etcd pods' Security Context
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
## @param podSecurityContext.enabled Enabled etcd pods' Security Context
## @param podSecurityContext.fsGroup Set etcd pod's Security Context fsGroup
##
podSecurityContext:
enabled: true
fsGroup: 1001
## etcd containers' SecurityContext
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
## @param containerSecurityContext.enabled Enabled etcd containers' Security Context
## @param containerSecurityContext.runAsUser Set etcd container's Security Context runAsUser
## @param containerSecurityContext.runAsNonRoot Set etcd container's Security Context runAsNonRoot
##
containerSecurityContext:
enabled: true
runAsUser: 1001
runAsNonRoot: true
## etcd containers' resource requests and limits
## ref: https://kubernetes.io/docs/user-guide/compute-resources/
## We usually recommend not to specify default resources and to leave this as a conscious
## choice for the user. This also increases chances charts run on environments with little
## resources, such as Minikube. If you do want to specify resources, uncomment the following
## lines, adjust them as necessary, and remove the curly braces after 'resources:'.
## @param resources.limits [object] The resources limits for the etcd container
## @param resources.requests [object] The requested resources for the etcd container
##
resources:
## Example:
## limits:
## cpu: 500m
## memory: 1Gi
##
limits: {}
requests: {}
## Configure extra options for liveness probe
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes
## @param livenessProbe.enabled Enable livenessProbe
## @param livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe
## @param livenessProbe.periodSeconds Period seconds for livenessProbe
## @param livenessProbe.timeoutSeconds Timeout seconds for livenessProbe
## @param livenessProbe.failureThreshold Failure threshold for livenessProbe
## @param livenessProbe.successThreshold Success threshold for livenessProbe
##
livenessProbe:
enabled: true
initialDelaySeconds: 60
periodSeconds: 30
timeoutSeconds: 5
successThreshold: 1
failureThreshold: 5
## Configure extra options for readiness probe
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes
## @param readinessProbe.enabled Enable readinessProbe
## @param readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe
## @param readinessProbe.periodSeconds Period seconds for readinessProbe
## @param readinessProbe.timeoutSeconds Timeout seconds for readinessProbe
## @param readinessProbe.failureThreshold Failure threshold for readinessProbe
## @param readinessProbe.successThreshold Success threshold for readinessProbe
##
readinessProbe:
enabled: true
initialDelaySeconds: 60
periodSeconds: 10
timeoutSeconds: 5
successThreshold: 1
failureThreshold: 5
## Configure extra options for liveness probe
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes
## @param startupProbe.enabled Enable startupProbe
## @param startupProbe.initialDelaySeconds Initial delay seconds for startupProbe
## @param startupProbe.periodSeconds Period seconds for startupProbe
## @param startupProbe.timeoutSeconds Timeout seconds for startupProbe
## @param startupProbe.failureThreshold Failure threshold for startupProbe
## @param startupProbe.successThreshold Success threshold for startupProbe
##
startupProbe:
enabled: false
initialDelaySeconds: 0
periodSeconds: 10
timeoutSeconds: 5
successThreshold: 1
failureThreshold: 60
## @param customLivenessProbe [object] Override default liveness probe
##
customLivenessProbe: {}
## @param customReadinessProbe [object] Override default readiness probe
##
customReadinessProbe: {}
## @param customStartupProbe [object] Override default startup probe
##
customStartupProbe: {}
## @param extraVolumes [array] Optionally specify extra list of additional volumes for etcd pods
##
extraVolumes: []
## @param extraVolumeMounts [array] Optionally specify extra list of additional volumeMounts for etcd container(s)
##
extraVolumeMounts: []
## @param initContainers [array] Add additional init containers to the etcd pods
## e.g:
## initContainers:
## - name: your-image-name
## image: your-image
## imagePullPolicy: Always
## ports:
## - name: portname
## containerPort: 1234
##
initContainers: []
## @param sidecars [array] Add additional sidecar containers to the etcd pods
## e.g:
## sidecars:
## - name: your-image-name
## image: your-image
## imagePullPolicy: Always
## ports:
## - name: portname
## containerPort: 1234
##
sidecars: []
## @param podAnnotations [object] Annotations for etcd pods
## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
##
podAnnotations: {}
## @param podLabels [object] Extra labels for etcd pods
## Ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
##
podLabels: {}
## @param podAffinityPreset Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard`
## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
##
podAffinityPreset: ""
## @param podAntiAffinityPreset Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard`
## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
##
podAntiAffinityPreset: soft
## Node affinity preset
## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity
## @param nodeAffinityPreset.type Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard`
## @param nodeAffinityPreset.key Node label key to match. Ignored if `affinity` is set.
## @param nodeAffinityPreset.values [array] Node label values to match. Ignored if `affinity` is set.
##
nodeAffinityPreset:
type: ""
## e.g:
## key: "kubernetes.io/e2e-az-name"
##
key: ""
## e.g:
## values:
## - e2e-az1
## - e2e-az2
##
values: []
## @param affinity [object] Affinity for pod assignment
## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
## Note: podAffinityPreset, podAntiAffinityPreset, and nodeAffinityPreset will be ignored when it's set
##
affinity: {}
## @param nodeSelector [object] Node labels for pod assignment
## Ref: https://kubernetes.io/docs/user-guide/node-selection/
##
nodeSelector: {}
## @param tolerations [array] Tolerations for pod assignment
## Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
##
tolerations: []
## @param terminationGracePeriodSeconds Seconds the pod needs to gracefully terminate
## ref: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#hook-handler-execution
##
terminationGracePeriodSeconds: ""
## @param schedulerName Name of the k8s scheduler (other than default)
## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/
##
schedulerName: ""
## @param priorityClassName Name of the priority class to be used by etcd pods
## Priority class needs to be created beforehand
## Ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/
##
priorityClassName: ""
## @param runtimeClassName Name of the runtime class to be used by pod(s)
## ref: https://kubernetes.io/docs/concepts/containers/runtime-class/
##
runtimeClassName: ""
## @param topologySpreadConstraints Topology Spread Constraints for pod assignment
## https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/
## The value is evaluated as a template
##
topologySpreadConstraints: []
## persistentVolumeClaimRetentionPolicy
## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#persistentvolumeclaim-retention
## @param persistentVolumeClaimRetentionPolicy.enabled Controls if and how PVCs are deleted during the lifecycle of a StatefulSet
## @param persistentVolumeClaimRetentionPolicy.whenScaled Volume retention behavior when the replica count of the StatefulSet is reduced
## @param persistentVolumeClaimRetentionPolicy.whenDeleted Volume retention behavior that applies when the StatefulSet is deleted
persistentVolumeClaimRetentionPolicy:
enabled: false
whenScaled: Retain
whenDeleted: Retain
## @section Traffic exposure parameters
##
service:
## @param service.type Kubernetes Service type
##
type: ClusterIP
## @param service.enabled create second service if equal true
##
enabled: true
## @param service.clusterIP Kubernetes service Cluster IP
## e.g.:
## clusterIP: None
##
clusterIP: ""
## @param service.ports.client etcd client port
## @param service.ports.peer etcd peer port
##
ports:
client: 2379
peer: 2380
## @param service.nodePorts.client Specify the nodePort client value for the LoadBalancer and NodePort service types.
## @param service.nodePorts.peer Specify the nodePort peer value for the LoadBalancer and NodePort service types.
## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport
##
nodePorts:
client: ""
peer: ""
## @param service.clientPortNameOverride etcd client port name override
##
clientPortNameOverride: ""
## @param service.peerPortNameOverride etcd peer port name override
##
peerPortNameOverride: ""
## @param service.loadBalancerIP loadBalancerIP for the etcd service (optional, cloud specific)
## ref: https://kubernetes.io/docs/user-guide/services/#type-loadbalancer
##
loadBalancerIP: ""
## @param service.loadBalancerSourceRanges [array] Load Balancer source ranges
## ref: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service
## e.g:
## loadBalancerSourceRanges:
## - 10.10.10.0/24
##
loadBalancerSourceRanges: []
## @param service.externalIPs [array] External IPs
## ref: https://kubernetes.io/docs/concepts/services-networking/service/#external-ips
##
externalIPs: []
## @param service.externalTrafficPolicy %%MAIN_CONTAINER_NAME%% service external traffic policy
## ref http://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip
##
externalTrafficPolicy: Cluster
## @param service.extraPorts Extra ports to expose (normally used with the `sidecar` value)
##
extraPorts: []
## @param service.annotations [object] Additional annotations for the etcd service
##
annotations: {}
## @param service.sessionAffinity Session Affinity for Kubernetes service, can be "None" or "ClientIP"
## If "ClientIP", consecutive client requests will be directed to the same Pod
## ref: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies
##
sessionAffinity: None
## @param service.sessionAffinityConfig Additional settings for the sessionAffinity
## sessionAffinityConfig:
## clientIP:
## timeoutSeconds: 300
##
sessionAffinityConfig: {}
## @section Persistence parameters
##
## Enable persistence using Persistent Volume Claims
## ref: https://kubernetes.io/docs/user-guide/persistent-volumes/
##
persistence:
## @param persistence.enabled If true, use a Persistent Volume Claim. If false, use emptyDir.
##
enabled: true
## @param persistence.storageClass Persistent Volume Storage Class
## If defined, storageClassName: <storageClass>
## If set to "-", storageClassName: "", which disables dynamic provisioning
## If undefined (the default) or set to null, no storageClassName spec is
## set, choosing the default provisioner. (gp2 on AWS, standard on
## GKE, AWS & OpenStack)
##
storageClass: ""
##
## @param persistence.annotations [object] Annotations for the PVC
##
annotations: {}
## @param persistence.accessModes Persistent Volume Access Modes
##
accessModes:
- ReadWriteOnce
## @param persistence.size PVC Storage Request for etcd data volume
##
size: 8Gi
## @param persistence.selector [object] Selector to match an existing Persistent Volume
## ref: https://kubernetes.io/docs/concepts/storage/persistent-volumes/#selector
##
selector: {}
## @section Volume Permissions parameters
##
## Init containers parameters:
## volumePermissions: Change the owner and group of the persistent volume mountpoint to runAsUser:fsGroup values from the securityContext section.
##
volumePermissions:
## @param volumePermissions.enabled Enable init container that changes the owner and group of the persistent volume(s) mountpoint to `runAsUser:fsGroup`
##
enabled: false
## @param volumePermissions.image.registry Init container volume-permissions image registry
## @param volumePermissions.image.repository Init container volume-permissions image name
## @param volumePermissions.image.tag Init container volume-permissions image tag
## @param volumePermissions.image.pullPolicy Init container volume-permissions image pull policy
## @param volumePermissions.image.pullSecrets [array] Specify docker-registry secret names as an array
##
image:
registry: docker.io
repository: bitnami/bitnami-shell
tag: 11-debian-11-r14
pullPolicy: IfNotPresent
## Optionally specify an array of imagePullSecrets.
## Secrets must be manually created in the namespace.
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
## e.g:
## pullSecrets:
## - myRegistryKeySecretName
##
pullSecrets: []
## Init container' resource requests and limits
## ref: https://kubernetes.io/docs/user-guide/compute-resources/
## We usually recommend not to specify default resources and to leave this as a conscious
## choice for the user. This also increases chances charts run on environments with little
## resources, such as Minikube. If you do want to specify resources, uncomment the following
## lines, adjust them as necessary, and remove the curly braces after 'resources:'.
## @param volumePermissions.resources.limits [object] Init container volume-permissions resource limits
## @param volumePermissions.resources.requests [object] Init container volume-permissions resource requests
##
resources:
## Example:
## limits:
## cpu: 500m
## memory: 1Gi
##
limits: {}
requests: {}
## @section Network Policy parameters
## ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/
##
networkPolicy:
## @param networkPolicy.enabled Enable creation of NetworkPolicy resources
##
enabled: false
## @param networkPolicy.allowExternal Don't require client label for connections
## When set to false, only pods with the correct client label will have network access to the ports
## etcd is listening on. When true, etcd will accept connections from any source
## (with the correct destination port).
##
allowExternal: true
## @param networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolicy
## e.g:
## extraIngress:
## - ports:
## - port: 1234
## from:
## - podSelector:
## - matchLabels:
## - role: frontend
## - podSelector:
## - matchExpressions:
## - key: role
## operator: In
## values:
## - frontend
##
extraIngress: []
## @param networkPolicy.extraEgress [array] Add extra ingress rules to the NetworkPolicy
## e.g:
## extraEgress:
## - ports:
## - port: 1234
## to:
## - podSelector:
## - matchLabels:
## - role: frontend
## - podSelector:
## - matchExpressions:
## - key: role
## operator: In
## values:
## - frontend
##
extraEgress: []
## @param networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces
## @param networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces
##
ingressNSMatchLabels: {}
ingressNSPodMatchLabels: {}
## @section Metrics parameters
##
metrics:
## @param metrics.enabled Expose etcd metrics
##
enabled: false
## @param metrics.podAnnotations [object] Annotations for the Prometheus metrics on etcd pods
##
podAnnotations:
prometheus.io/scrape: "true"
prometheus.io/port: "{{ .Values.containerPorts.client }}"
## Prometheus Service Monitor
## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint
##
podMonitor:
## @param metrics.podMonitor.enabled Create PodMonitor Resource for scraping metrics using PrometheusOperator
##
enabled: false
## @param metrics.podMonitor.namespace Namespace in which Prometheus is running
##
namespace: monitoring
## @param metrics.podMonitor.interval Specify the interval at which metrics should be scraped
##
interval: 30s
## @param metrics.podMonitor.scrapeTimeout Specify the timeout after which the scrape is ended
##
scrapeTimeout: 30s
## @param metrics.podMonitor.additionalLabels [object] Additional labels that can be used so PodMonitors will be discovered by Prometheus
## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#prometheusspec
##
additionalLabels: {}
## @param metrics.podMonitor.scheme Scheme to use for scraping
##
scheme: http
## @param metrics.podMonitor.tlsConfig [object] TLS configuration used for scrape endpoints used by Prometheus
## ref: https://github.com/prometheus-operator/prometheus-operator/blob/master/Documentation/api.md#tlsconfig
## e.g:
## tlsConfig:
## ca:
## secret:
## name: existingSecretName
##
tlsConfig: {}
## @param metrics.podMonitor.relabelings [array] Prometheus relabeling rules
##
relabelings: []
## Prometheus Operator PrometheusRule configuration
##
prometheusRule:
## @param metrics.prometheusRule.enabled Create a Prometheus Operator PrometheusRule (also requires `metrics.enabled` to be `true` and `metrics.prometheusRule.rules`)
##
enabled: false
## @param metrics.prometheusRule.namespace Namespace for the PrometheusRule Resource (defaults to the Release Namespace)
##
namespace: ""
## @param metrics.prometheusRule.additionalLabels Additional labels that can be used so PrometheusRule will be discovered by Prometheus
##
additionalLabels: {}
## @param metrics.prometheusRule.rules Prometheus Rule definitions
# - alert: ETCD has no leader
# annotations:
# summary: "ETCD has no leader"
# description: "pod {{`{{`}} $labels.pod {{`}}`}} state error, can't connect leader"
# for: 1m
# expr: etcd_server_has_leader == 0
# labels:
# severity: critical
# group: PaaS
##
rules: []
## @section Snapshotting parameters
##
## Start a new etcd cluster recovering the data from an existing snapshot before bootstrapping
##
startFromSnapshot:
## @param startFromSnapshot.enabled Initialize new cluster recovering an existing snapshot
##
enabled: false
## @param startFromSnapshot.existingClaim Existing PVC containing the etcd snapshot
##
existingClaim: ""
## @param startFromSnapshot.snapshotFilename Snapshot filename
##
snapshotFilename: ""
## Enable auto disaster recovery by periodically snapshotting the keyspace:
## - It creates a cronjob to periodically snapshotting the keyspace
## - It also creates a ReadWriteMany PVC to store the snapshots
## If the cluster permanently loses more than (N-1)/2 members, it tries to
## recover itself from the last available snapshot.
##
disasterRecovery:
## @param disasterRecovery.enabled Enable auto disaster recovery by periodically snapshotting the keyspace
##
enabled: false
cronjob:
## @param disasterRecovery.cronjob.schedule Schedule in Cron format to save snapshots
## See https://en.wikipedia.org/wiki/Cron
##
schedule: "*/30 * * * *"
## @param disasterRecovery.cronjob.historyLimit Number of successful finished jobs to retain
##
historyLimit: 1
## @param disasterRecovery.cronjob.snapshotHistoryLimit Number of etcd snapshots to retain, tagged by date
##
snapshotHistoryLimit: 1
## @param disasterRecovery.cronjob.podAnnotations [object] Pod annotations for cronjob pods
## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
##
podAnnotations: {}
## Configure resource requests and limits for snapshotter containers
## ref: https://kubernetes.io/docs/user-guide/compute-resources/
## We usually recommend not to specify default resources and to leave this as a conscious
## choice for the user. This also increases chances charts run on environments with little
## resources, such as Minikube. If you do want to specify resources, uncomment the following
## lines, adjust them as necessary, and remove the curly braces after 'resources:'.
## @param disasterRecovery.cronjob.resources.limits [object] Cronjob container resource limits
## @param disasterRecovery.cronjob.resources.requests [object] Cronjob container resource requests
##
resources:
## Example:
## limits:
## cpu: 500m
## memory: 1Gi
##
limits: {}
requests: {}
## @param disasterRecovery.cronjob.nodeSelector Node labels for cronjob pods assignment
## Ref: https://kubernetes.io/docs/user-guide/node-selection/
##
nodeSelector: {}
## @param disasterRecovery.cronjob.tolerations Tolerations for cronjob pods assignment
## Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
##
tolerations: []
pvc:
## @param disasterRecovery.pvc.existingClaim A manually managed Persistent Volume and Claim
## If defined, PVC must be created manually before volume will be bound
## The value is evaluated as a template, so, for example, the name can depend on .Release or .Chart
##
existingClaim: ""
## @param disasterRecovery.pvc.size PVC Storage Request
##
size: 2Gi
## @param disasterRecovery.pvc.storageClassName Storage Class for snapshots volume
##
storageClassName: nfs
## @section Service account parameters
##
serviceAccount:
## @param serviceAccount.create Enable/disable service account creation
##
create: false
## @param serviceAccount.name Name of the service account to create or use
##
name: ""
## @param serviceAccount.automountServiceAccountToken Enable/disable auto mounting of service account token
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#use-the-default-service-account-to-access-the-api-server
##
automountServiceAccountToken: true
## @param serviceAccount.annotations [object] Additional annotations to be included on the service account
##
annotations: {}
## @param serviceAccount.labels [object] Additional labels to be included on the service account
##
labels: {}
## @section Other parameters
##
## etcd Pod Disruption Budget configuration
## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/
##
pdb:
## @param pdb.create Enable/disable a Pod Disruption Budget creation
##
create: true
## @param pdb.minAvailable Minimum number/percentage of pods that should remain scheduled
##
minAvailable: 51%
## @param pdb.maxUnavailable Maximum number/percentage of pods that may be made unavailable
##
maxUnavailable: ""

21
deploy/charts/apisix/templates/NOTES.txt Normal file
View File

@ -0,0 +1,21 @@
1. Get the application URL by running these commands:
{{- if .Values.gateway.ingress.enabled }}
{{- range $host := .Values.gateway.ingress.hosts }}
{{- range .paths }}
http{{ if $.Values.gateway.ingress.tls }}s{{ end }}://{{ $host.host }}{{ . }}
{{- end }}
{{- end }}
{{- else if contains "NodePort" .Values.gateway.type }}
export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "apisix.fullname" . }}-gateway)
export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
echo http://$NODE_IP:$NODE_PORT
{{- else if contains "LoadBalancer" .Values.gateway.type }}
NOTE: It may take a few minutes for the LoadBalancer IP to be available.
You can watch the status of by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "apisix.fullname" . }}-gateway'
export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "apisix.fullname" . }}-gateway --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}")
echo http://$SERVICE_IP:{{ .Values.gateway.http.servicePort }}
{{- else if contains "ClusterIP" .Values.gateway.type }}
export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "apisix.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
echo "Visit http://127.0.0.1:8080 to use your application"
kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 8080:80
{{- end }}

109
deploy/charts/apisix/templates/_helpers.tpl Normal file
View File

@ -0,0 +1,109 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Expand the name of the chart.
*/}}
{{- define "apisix.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "apisix.fullname" -}}
{{- if .Values.fullnameOverride }}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- $name := default .Chart.Name .Values.nameOverride }}
{{- if contains $name .Release.Name }}
{{- .Release.Name | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
{{- end }}
{{- end }}
{{- end }}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "apisix.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Common labels
*/}}
{{- define "apisix.labels" -}}
helm.sh/chart: {{ include "apisix.chart" . }}
{{ include "apisix.selectorLabels" . }}
{{- if .Chart.AppVersion }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- end }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end }}
{{/*
Selector labels
*/}}
{{- define "apisix.selectorLabels" -}}
app.kubernetes.io/name: {{ include "apisix.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}
{{/*
Create the name of the service account to use
*/}}
{{- define "apisix.serviceAccountName" -}}
{{- if .Values.serviceAccount.create }}
{{- default (include "apisix.fullname" .) .Values.serviceAccount.name }}
{{- else }}
{{- default "default" .Values.serviceAccount.name }}
{{- end }}
{{- end }}
{{/*
Renders a value that contains template.
Usage:
{{ include "apisix.tplvalues.render" ( dict "value" .Values.path.to.the.Value "context" $) }}
*/}}
{{- define "apisix.tplvalues.render" -}}
{{- if typeIs "string" .value }}
{{- tpl .value .context }}
{{- else }}
{{- tpl (.value | toYaml) .context }}
{{- end }}
{{- end -}}
{{- define "apisix.basePluginAttrs" -}}
{{- if .Values.serviceMonitor.enabled }}
prometheus:
export_addr:
ip: 0.0.0.0
port: {{ .Values.serviceMonitor.containerPort }}
export_uri: {{ .Values.serviceMonitor.path }}
metric_prefix: {{ .Values.serviceMonitor.metricPrefix }}
{{- end }}
{{- if .Values.customPlugins.enabled }}
{{- range $plugin := .Values.customPlugins.plugins }}
{{- if $plugin.attrs }}
{{ $plugin.name }}: {{- $plugin.attrs | toYaml | nindent 2 }}
{{- end }}
{{- end }}
{{- end }}
{{- end -}}
{{- define "apisix.pluginAttrs" -}}
{{- merge .Values.pluginAttrs (include "apisix.basePluginAttrs" . | fromYaml) | toYaml -}}
{{- end -}}
{{/*
Scheme to use while connecting etcd
*/}}
{{- define "apisix.etcd.auth.scheme" -}}
{{- if .Values.etcd.auth.tls.enabled }}
{{- "https" }}
{{- else }}
{{- "http" }}
{{- end }}
{{- end }}

199
deploy/charts/apisix/templates/_pod.tpl Normal file
View File

@ -0,0 +1,199 @@
{{- define "apisix.podTemplate" -}}
metadata:
annotations:
checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
{{- if .Values.apisix.podAnnotations }}
{{- range $key, $value := $.Values.apisix.podAnnotations }}
{{ $key }}: {{ $value | quote }}
{{- end }}
{{- end }}
labels:
{{- include "apisix.selectorLabels" . | nindent 4 }}
spec:
{{- with .Values.global.imagePullSecrets }}
imagePullSecrets:
{{- range $.Values.global.imagePullSecrets }}
- name: {{ . }}
{{- end }}
{{- end }}
serviceAccountName: {{ include "apisix.serviceAccountName" . }}
{{- with .Values.apisix.podSecurityContext }}
securityContext:
{{- . | toYaml | nindent 4 }}
{{- end }}
{{- with .Values.apisix.priorityClassName }}
priorityClassName: {{ . }}
{{- end }}
containers:
- name: {{ .Chart.Name }}
{{- with .Values.apisix.securityContext }}
securityContext:
{{- . | toYaml | nindent 8 }}
{{- end }}
image: "{{ .Values.apisix.image.repository }}:{{ default .Chart.AppVersion .Values.apisix.image.tag }}"
imagePullPolicy: {{ .Values.apisix.image.pullPolicy }}
env:
{{- if .Values.apisix.timezone }}
- name: TZ
value: {{ .Values.apisix.timezone }}
{{- end }}
{{- if .Values.apisix.extraEnvVars }}
{{- include "apisix.tplvalues.render" (dict "value" .Values.apisix.extraEnvVars "context" $) | nindent 8 }}
{{- end }}
ports:
- name: http
containerPort: {{ .Values.gateway.http.containerPort }}
protocol: TCP
- name: tls
containerPort: {{ .Values.gateway.tls.containerPort }}
protocol: TCP
{{- if .Values.admin.enabled }}
- name: admin
containerPort: {{ .Values.admin.port }}
protocol: TCP
{{- end }}
{{- if .Values.serviceMonitor.enabled }}
- name: prometheus
containerPort: {{ .Values.serviceMonitor.containerPort }}
protocol: TCP
{{- end }}
{{- if and .Values.gateway.stream.enabled (or (gt (len .Values.gateway.stream.tcp) 0) (gt (len .Values.gateway.stream.udp) 0)) }}
{{- with .Values.gateway.stream }}
{{- if (gt (len .tcp) 0) }}
{{- range $index, $port := .tcp }}
- name: proxy-tcp-{{ $index | toString }}
containerPort: {{ $port }}
protocol: TCP
{{- end }}
{{- end }}
{{- if (gt (len .udp) 0) }}
{{- range $index, $port := .udp }}
- name: proxy-udp-{{ $index | toString }}
containerPort: {{ $port }}
protocol: UDP
{{- end }}
{{- end }}
{{- end }}
{{- end }}
readinessProbe:
failureThreshold: 6
initialDelaySeconds: 10
periodSeconds: 10
successThreshold: 1
tcpSocket:
port: {{ .Values.gateway.http.containerPort }}
timeoutSeconds: 1
lifecycle:
preStop:
exec:
command:
- /bin/sh
- -c
- "sleep 30"
volumeMounts:
{{- if .Values.apisix.setIDFromPodUID }}
- mountPath: /usr/local/apisix/conf/apisix.uid
name: id
subPath: apisix.uid
{{- end }}
- mountPath: /usr/local/apisix/conf/config.yaml
name: apisix-config
subPath: config.yaml
{{- if and .Values.gateway.tls.enabled .Values.gateway.tls.existingCASecret }}
- mountPath: /usr/local/apisix/conf/ssl/{{ .Values.gateway.tls.certCAFilename }}
name: ssl
subPath: {{ .Values.gateway.tls.certCAFilename }}
{{- end }}
{{- if .Values.etcd.auth.tls.enabled }}
- mountPath: /etcd-ssl
name: etcd-ssl
{{- end }}
{{- if .Values.customPlugins.enabled }}
{{- range $plugin := .Values.customPlugins.plugins }}
{{- range $mount := $plugin.configMap.mounts }}
- mountPath: {{ $mount.path }}
name: plugin-{{ $plugin.configMap.name }}
subPath: {{ $mount.key }}
{{- end }}
{{- end }}
{{- end }}
{{- if .Values.apisix.luaModuleHook.enabled }}
{{- range $mount := .Values.apisix.luaModuleHook.configMapRef.mounts }}
- mountPath: {{ $mount.path }}
name: lua-module-hook
subPath: {{ $mount.key }}
{{- end }}
{{- end }}
{{- if .Values.extraVolumeMounts }}
{{- toYaml .Values.extraVolumeMounts | nindent 8 }}
{{- end }}
resources:
{{- toYaml .Values.apisix.resources | nindent 8 }}
{{- if .Values.apisix.hostNetwork }}
hostNetwork: true
dnsPolicy: ClusterFirstWithHostNet
{{- end }}
hostNetwork: {{ .Values.apisix.hostNetwork }}
initContainers:
{{- if .Values.etcd.enabled }}
- name: wait-etcd
image: {{ .Values.initContainer.image }}:{{ .Values.initContainer.tag }}
{{- if .Values.etcd.fullnameOverride }}
command: ['sh', '-c', "until nc -z {{ .Values.etcd.fullnameOverride }} {{ .Values.etcd.service.port }}; do echo waiting for etcd `date`; sleep 2; done;"]
{{ else }}
command: ['sh', '-c', "until nc -z {{ .Release.Name }}-etcd.{{ .Release.Namespace }}.svc.{{ .Values.etcd.clusterDomain }} {{ .Values.etcd.service.port }}; do echo waiting for etcd `date`; sleep 2; done;"]
{{- end }}
{{- end }}
{{- if .Values.extraInitContainers }}
{{- toYaml .Values.extraInitContainers | nindent 4 }}
{{- end }}
volumes:
- configMap:
name: {{ include "apisix.fullname" . }}
name: apisix-config
{{- if and .Values.gateway.tls.enabled .Values.gateway.tls.existingCASecret }}
- secret:
secretName: {{ .Values.gateway.tls.existingCASecret | quote }}
name: ssl
{{- end }}
{{- if .Values.etcd.auth.tls.enabled }}
- secret:
secretName: {{ .Values.etcd.auth.tls.existingSecret | quote }}
name: etcd-ssl
{{- end }}
{{- if .Values.apisix.setIDFromPodUID }}
- downwardAPI:
items:
- path: "apisix.uid"
fieldRef:
fieldPath: metadata.uid
name: id
{{- end }}
{{- if .Values.customPlugins.enabled }}
{{- range $plugin := .Values.customPlugins.plugins }}
- name: plugin-{{ $plugin.configMap.name }}
configMap:
name: {{ $plugin.configMap.name }}
{{- end }}
{{- end }}
{{- if .Values.apisix.luaModuleHook.enabled }}
- name: lua-module-hook
configMap:
name: {{ .Values.apisix.luaModuleHook.configMapRef.name }}
{{- end }}
{{- if .Values.extraVolumes }}
{{- toYaml .Values.extraVolumes | nindent 4 }}
{{- end }}
{{- with .Values.apisix.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.apisix.affinity }}
affinity:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.apisix.tolerations }}
tolerations:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- end -}}

26
deploy/charts/apisix/templates/clusterrole.yaml Normal file
View File

@ -0,0 +1,26 @@
#
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to You under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
{{- if .Values.rbac.create }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ include "apisix.fullname" . }}
rules:
- apiGroups: [""]
resources: ["endpoints"]
verbs: ["get", "list", "watch"]
{{- end }}

30
deploy/charts/apisix/templates/clusterrolebinding.yaml Normal file
View File

@ -0,0 +1,30 @@
#
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to You under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
{{- if .Values.rbac.create }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ include "apisix.fullname" . }}
subjects:
- kind: ServiceAccount
name: {{ include "apisix.serviceAccountName" . }}
namespace: {{ .Release.Namespace }}
roleRef:
kind: ClusterRole
name: {{ include "apisix.fullname" . }}
apiGroup: rbac.authorization.k8s.io
{{- end }}

376
deploy/charts/apisix/templates/configmap.yaml Normal file
View File

@ -0,0 +1,376 @@
#
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to You under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
{{- $isBeta := (semverCompare ">=2.99.0" .Values.apisix.image.tag) }}
{{- if .Values.apisix.enabled }}
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ include "apisix.fullname" . }}
namespace: {{ .Release.Namespace }}
data:
config.yaml: |-
#
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to You under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
{{- if .Values.apisix.enableCustomizedConfig }}
{{- range $key, $value := .Values.apisix.customizedConfig }}
{{ $key }}:
{{- include "apisix.tplvalues.render" (dict "value" $value "context" $) | nindent 6 }}
{{- end }}
{{- else }}
apisix: # universal configurations
node_listen: {{ .Values.gateway.http.containerPort }} # APISIX listening port
enable_heartbeat: true
enable_admin: {{ .Values.admin.enabled }}
enable_admin_cors: {{ .Values.admin.cors }}
enable_debug: false
{{- if or .Values.customPlugins.enabled .Values.apisix.luaModuleHook.enabled }}
extra_lua_path: {{ .Values.customPlugins.luaPath }};{{ .Values.apisix.luaModuleHook.luaPath }}
{{- end }}
{{- if .Values.apisix.luaModuleHook.enabled }}
lua_module_hook: {{ .Values.apisix.luaModuleHook.hookPoint | quote }}
{{- end }}
enable_dev_mode: false # Sets nginx worker_processes to 1 if set to true
enable_reuseport: true # Enable nginx SO_REUSEPORT switch if set to true.
enable_ipv6: {{ .Values.apisix.enableIPv6 }} # Enable nginx IPv6 resolver
enable_server_tokens: {{ .Values.apisix.enableServerTokens }} # Whether the APISIX version number should be shown in Server header
# proxy_protocol: # Proxy Protocol configuration
# listen_http_port: 9181 # The port with proxy protocol for http, it differs from node_listen and admin_listen.
# # This port can only receive http request with proxy protocol, but node_listen & admin_listen
# # can only receive http request. If you enable proxy protocol, you must use this port to
# # receive http request with proxy protocol
# listen_https_port: 9182 # The port with proxy protocol for https
# enable_tcp_pp: true # Enable the proxy protocol for tcp proxy, it works for stream_proxy.tcp option
# enable_tcp_pp_to_upstream: true # Enables the proxy protocol to the upstream server
proxy_cache: # Proxy Caching configuration
cache_ttl: 10s # The default caching time if the upstream does not specify the cache time
zones: # The parameters of a cache
- name: disk_cache_one # The name of the cache, administrator can be specify
# which cache to use by name in the admin api
memory_size: 50m # The size of shared memory, it's used to store the cache index
disk_size: 1G # The size of disk, it's used to store the cache data
disk_path: "/tmp/disk_cache_one" # The path to store the cache data
cache_levels: "1:2" # The hierarchy levels of a cache
# - name: disk_cache_two
# memory_size: 50m
# disk_size: 1G
# disk_path: "/tmp/disk_cache_two"
# cache_levels: "1:2"
{{- if not $isBeta }}
config_center: etcd # etcd: use etcd to store the config value
# yaml: fetch the config value from local yaml file `/your_path/conf/apisix.yaml`
allow_admin: # http://nginx.org/en/docs/http/ngx_http_access_module.html#allow
{{- if .Values.admin.allow.ipList }}
{{- range $ips := .Values.admin.allow.ipList }}
- {{ $ips }}
{{- end }}
{{- else }}
- 0.0.0.0/0
{{- end}}
{{- if or (index .Values "ingress-controller" "enabled") .Values.dashboard.enabled }}
- 0.0.0.0/0
{{- end}}
# - "::/64"
{{- if .Values.admin.enabled }}
port_admin: {{ .Values.admin.port }}
{{- end }}
# Default token when use API to call for Admin API.
# *NOTE*: Highly recommended to modify this value to protect APISIX's Admin API.
# Disabling this configuration item means that the Admin API does not
# require any authentication.
admin_key:
# admin: can everything for configuration data
- name: "admin"
key: {{ .Values.admin.credentials.admin }}
role: admin
# viewer: only can view configuration data
- name: "viewer"
key: {{ .Values.admin.credentials.viewer }}
role: viewer
{{- end }}
router:
http: {{ .Values.apisix.httpRouter }} # radixtree_uri: match route by uri(base on radixtree)
# radixtree_host_uri: match route by host + uri(base on radixtree)
# radixtree_uri_with_parameter: match route by uri with parameters
ssl: 'radixtree_sni' # radixtree_sni: match route by SNI(base on radixtree)
{{- if or (index .Values "ingress-controller" "enabled") (and .Values.gateway.stream.enabled (or (gt (len .Values.gateway.stream.tcp) 0) (gt (len .Values.gateway.stream.udp) 0))) }}
stream_proxy: # TCP/UDP proxy
only: {{ .Values.gateway.stream.only }}
{{- if or (index .Values "ingress-controller" "enabled") (gt (len .Values.gateway.stream.tcp) 0) }}
tcp: # TCP proxy port list
{{- if gt (len .Values.gateway.stream.tcp) 0}}
{{- range .Values.gateway.stream.tcp }}
- {{ . }}
{{- end }}
{{- else}}
- 9100
{{- end }}
{{- end }}
{{- if or (index .Values "ingress-controller" "enabled") (gt (len .Values.gateway.stream.udp) 0) }}
udp: # UDP proxy port list
{{- if gt (len .Values.gateway.stream.udp) 0}}
{{- range .Values.gateway.stream.udp }}
- {{ . }}
{{- end }}
{{- else}}
- 9200
{{- end }}
{{- end }}
{{- end }}
# dns_resolver:
# {{- range $resolver := .Values.dns.resolvers }}
# - {{ $resolver }}
# {{- end }}
dns_resolver_valid: {{.Values.dns.validity}}
resolver_timeout: {{.Values.dns.timeout}}
ssl:
enable: {{ .Values.gateway.tls.enabled }}
listen:
- port: {{ .Values.gateway.tls.containerPort }}
enable_http2: {{ .Values.gateway.tls.http2.enabled }}
ssl_protocols: {{ .Values.gateway.tls.sslProtocols | quote }}
ssl_ciphers: "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA"
{{- if and .Values.gateway.tls.enabled .Values.gateway.tls.existingCASecret }}
ssl_trusted_certificate: "/usr/local/apisix/conf/ssl/{{ .Values.gateway.tls.certCAFilename }}"
{{- end }}
nginx_config: # config for render the template to genarate nginx.conf
error_log: "{{ .Values.logs.errorLog }}"
error_log_level: "{{ .Values.logs.errorLogLevel }}" # warn,error
worker_processes: "{{ .Values.nginx.workerProcesses }}"
enable_cpu_affinity: {{ and true .Values.nginx.enableCPUAffinity }}
worker_rlimit_nofile: {{ default "20480" .Values.nginx.workerRlimitNofile }} # the number of files a worker process can open, should be larger than worker_connections
event:
worker_connections: {{ default "10620" .Values.nginx.workerConnections }}
{{- with .Values.nginx.envs }}
envs:
{{- range $env := . }}
- {{ $env }}
{{- end }}
{{- end }}
http:
enable_access_log: {{ .Values.logs.enableAccessLog }}
{{- if .Values.logs.enableAccessLog }}
access_log: "{{ .Values.logs.accessLog }}"
access_log_format: "{{ .Values.logs.accessLogFormat }}"
access_log_format_escape: {{ .Values.logs.accessLogFormatEscape }}
{{- end }}
keepalive_timeout: 60s # timeout during which a keep-alive client connection will stay open on the server side.
client_header_timeout: 60s # timeout for reading client request header, then 408 (Request Time-out) error is returned to the client
client_body_timeout: 60s # timeout for reading client request body, then 408 (Request Time-out) error is returned to the client
send_timeout: 10s # timeout for transmitting a response to the client.then the connection is closed
underscores_in_headers: "on" # default enables the use of underscores in client request header fields
real_ip_header: "X-Real-IP" # http://nginx.org/en/docs/http/ngx_http_realip_module.html#real_ip_header
real_ip_from: # http://nginx.org/en/docs/http/ngx_http_realip_module.html#set_real_ip_from
- 127.0.0.1
- 'unix:'
{{- if .Values.apisix.customLuaSharedDicts }}
custom_lua_shared_dict: # add custom shared cache to nginx.conf
{{- range $dict := .Values.apisix.customLuaSharedDicts }}
{{ $dict.name }}: {{ $dict.size }}
{{- end }}
{{- end }}
{{- if .Values.configurationSnippet.main }}
main_configuration_snippet: {{- toYaml .Values.configurationSnippet.main | indent 6 }}
{{- end }}
{{- if .Values.configurationSnippet.httpStart }}
http_configuration_snippet: {{- toYaml .Values.configurationSnippet.httpStart | indent 6 }}
{{- end }}
{{- if .Values.configurationSnippet.httpEnd }}
http_end_configuration_snippet: {{- toYaml .Values.configurationSnippet.httpEnd | indent 6 }}
{{- end }}
{{- if .Values.configurationSnippet.httpSrv }}
http_server_configuration_snippet: {{- toYaml .Values.configurationSnippet.httpSrv | indent 6 }}
{{- end }}
{{- if .Values.configurationSnippet.httpAdmin }}
http_admin_configuration_snippet: {{ toYaml .Values.configurationSnippet.httpAdmin | indent 6 }}
{{- end }}
{{- if .Values.configurationSnippet.stream }}
stream_configuration_snippet: {{- toYaml .Values.configurationSnippet.stream | indent 6 }}
{{- end }}
{{- if not $isBeta }}
etcd:
{{- if .Values.etcd.enabled }}
host: # it's possible to define multiple etcd hosts addresses of the same etcd cluster.
{{- if .Values.etcd.fullnameOverride }}
- "{{ include "apisix.etcd.auth.scheme" . }}://{{ .Values.etcd.fullnameOverride }}:{{ .Values.etcd.service.port }}"
{{- else }}
- "{{ include "apisix.etcd.auth.scheme" . }}://{{ .Release.Name }}-etcd.{{ .Release.Namespace }}.svc.{{ .Values.etcd.clusterDomain }}:{{ .Values.etcd.service.port }}"
{{- end}}
{{- else }}
host: # it's possible to define multiple etcd hosts addresses of the same etcd cluster.
{{- range $value := .Values.etcd.host }}
- "{{ $value }}" # multiple etcd address
{{- end}}
{{- end }}
prefix: {{ .Values.etcd.prefix | quote }} # apisix configurations prefix
timeout: {{ .Values.etcd.timeout }} # 30 seconds
{{- if .Values.etcd.auth.rbac.create }}
user: {{ .Values.etcd.auth.rbac.user | quote }}
password: {{ .Values.etcd.auth.rbac.password | quote }}
{{- end }}
{{- if .Values.etcd.auth.tls.enabled }}
tls:
cert: "/etcd-ssl/{{ .Values.etcd.auth.tls.certFilename }}"
key: "/etcd-ssl/{{ .Values.etcd.auth.tls.certKeyFilename }}"
verify: {{ .Values.etcd.auth.tls.verify }}
sni: "{{ .Values.etcd.auth.tls.sni }}"
{{- end }}
{{- end }}
{{- if .Values.discovery.enabled }}
discovery:
{{- range $key, $value := .Values.discovery.registry }}
{{ $key }}:
{{- include "apisix.tplvalues.render" (dict "value" $value "context" $) | nindent 8 }}
{{- end }}
{{- end }}
{{- if .Values.vault.enabled }}
vault:
host: {{ .Values.vault.host }}
timeout: {{ .Values.vault.timeout }}
token: {{ .Values.vault.token }}
prefix: {{ .Values.vault.prefix }}
{{- end }}
{{- if .Values.plugins }}
plugins: # plugin list
{{- range $plugin := .Values.plugins }}
- {{ $plugin }}
{{- end }}
{{- if .Values.customPlugins.enabled }}
{{- range $plugin := .Values.customPlugins.plugins }}
- {{ $plugin.name }}
{{- end }}
{{- end }}
{{- end }}
stream_plugins:
{{- range $plugin := .Values.stream_plugins }}
- {{ $plugin }}
{{- end }}
{{- if .Values.extPlugin.enabled }}
ext-plugin:
cmd:
{{- range $arg := .Values.extPlugin.cmd }}
- {{ $arg }}
{{- end }}
{{- end }}
{{- if or .Values.pluginAttrs .Values.customPlugins.enabled .Values.serviceMonitor.enabled}}
{{- $pluginAttrs := include "apisix.pluginAttrs" . -}}
{{- if gt (len ($pluginAttrs | fromYaml)) 0 }}
plugin_attr: {{- $pluginAttrs | nindent 6 }}
{{- end }}
{{- end }}
{{- if .Values.wasmPlugins.enabled }}
wasm:
plugins:
{{- toYaml .Values.wasmPlugins.plugins | nindent 8 }}
{{- end }}
{{- if $isBeta }}
deployment:
role: traditional
role_traditional:
config_provider: etcd
admin:
allow_admin: # http://nginx.org/en/docs/http/ngx_http_access_module.html#allow
{{- if .Values.admin.allow.ipList }}
{{- range $ips := .Values.admin.allow.ipList }}
- {{ $ips }}
{{- end }}
{{- else }}
- 0.0.0.0/0
{{- end}}
{{- if or (index .Values "ingress-controller" "enabled") .Values.dashboard.enabled }}
- 0.0.0.0/0
{{- end}}
# - "::/64"
{{- if .Values.admin.enabled }}
admin_listen:
ip: 0.0.0.0
port: {{ .Values.admin.port }}
{{- end }}
# Default token when use API to call for Admin API.
# *NOTE*: Highly recommended to modify this value to protect APISIX's Admin API.
# Disabling this configuration item means that the Admin API does not
# require any authentication.
admin_key:
# admin: can everything for configuration data
- name: "admin"
key: {{ .Values.admin.credentials.admin }}
role: admin
# viewer: only can view configuration data
- name: "viewer"
key: {{ .Values.admin.credentials.viewer }}
role: viewer
etcd:
{{- if .Values.etcd.enabled }}
host: # it's possible to define multiple etcd hosts addresses of the same etcd cluster.
{{- if .Values.etcd.fullnameOverride }}
- "{{ include "apisix.etcd.auth.scheme" . }}://{{ .Values.etcd.fullnameOverride }}:{{ .Values.etcd.service.port }}"
{{- else }}
- "{{ include "apisix.etcd.auth.scheme" . }}://{{ .Release.Name }}-etcd.{{ .Release.Namespace }}.svc.{{ .Values.etcd.clusterDomain }}:{{ .Values.etcd.service.port }}"
{{- end}}
{{- else }}
host: # it's possible to define multiple etcd hosts addresses of the same etcd cluster.
{{- range $value := .Values.etcd.host }}
- "{{ $value }}" # multiple etcd address
{{- end}}
{{- end }}
prefix: {{ .Values.etcd.prefix | quote }} # configuration prefix in etcd
timeout: {{ .Values.etcd.timeout }} # 30 seconds
{{- if .Values.etcd.auth.rbac.create }}
user: {{ .Values.etcd.auth.rbac.user | quote }}
password: {{ .Values.etcd.auth.rbac.password | quote }}
{{- end }}
{{- if .Values.etcd.auth.tls.enabled }}
tls:
cert: "/etcd-ssl/{{ .Values.etcd.auth.tls.certFilename }}"
key: "/etcd-ssl/{{ .Values.etcd.auth.tls.certKeyFilename }}"
verify: {{ .Values.etcd.auth.tls.verify }}
sni: "{{ .Values.etcd.auth.tls.sni }}"
{{- end }}
{{- end }}
{{- end }}
{{- end }}

33
deploy/charts/apisix/templates/daemonset.yaml Normal file
View File

@ -0,0 +1,33 @@
#
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to You under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
{{- if and (.Values.apisix.enabled) (eq .Values.apisix.kind "DaemonSet") }}
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: {{ include "apisix.fullname" . }}
namespace: {{ .Release.Namespace }}
labels:
{{- include "apisix.labels" . | nindent 4 }}
spec:
selector:
matchLabels:
{{- include "apisix.selectorLabels" . | nindent 6 }}
{{- if .Values.updateStrategy }}
updateStrategy: {{ toYaml .Values.updateStrategy | nindent 4 }}
{{- end }}
template:
{{- include "apisix.podTemplate" . | nindent 4 }}
{{- end }}

36
deploy/charts/apisix/templates/deployment.yaml Normal file
View File

@ -0,0 +1,36 @@
#
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to You under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
{{- if and (.Values.apisix.enabled) (eq .Values.apisix.kind "Deployment") }}
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ include "apisix.fullname" . }}
namespace: {{ .Release.Namespace }}
labels:
{{- include "apisix.labels" . | nindent 4 }}
spec:
{{- if not .Values.autoscaling.enabled }}
replicas: {{ .Values.apisix.replicaCount }}
{{- end }}
selector:
matchLabels:
{{- include "apisix.selectorLabels" . | nindent 6 }}
{{- if .Values.updateStrategy }}
strategy: {{ toYaml .Values.updateStrategy | nindent 4 }}
{{- end }}
template:
{{- include "apisix.podTemplate" . | nindent 4 }}
{{- end }}

45
deploy/charts/apisix/templates/hpa.yaml Normal file
View File

@ -0,0 +1,45 @@
#
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to You under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
{{- if (and .Values.apisix.enabled .Values.autoscaling.enabled) }}
apiVersion: autoscaling/v2beta1
kind: HorizontalPodAutoscaler
metadata:
name: {{ include "apisix.fullname" . }}
namespace: {{ .Release.Namespace }}
labels:
{{- include "apisix.labels" . | nindent 4 }}
spec:
scaleTargetRef:
apiVersion: apps/v1
kind: Deployment
name: {{ include "apisix.fullname" . }}
minReplicas: {{ .Values.autoscaling.minReplicas }}
maxReplicas: {{ .Values.autoscaling.maxReplicas }}
metrics:
{{- if .Values.autoscaling.targetCPUUtilizationPercentage }}
- type: Resource
resource:
name: cpu
targetAverageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }}
{{- end }}
{{- if .Values.autoscaling.targetMemoryUtilizationPercentage }}
- type: Resource
resource:
name: memory
targetAverageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }}
{{- end }}
{{- end }}

76
deploy/charts/apisix/templates/ingress.yaml Normal file
View File

@ -0,0 +1,76 @@
#
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to You under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
{{- if (and .Values.apisix.enabled .Values.gateway.ingress.enabled) -}}
{{- $fullName := include "apisix.fullname" . -}}
{{- $svcPort := .Values.gateway.http.servicePort -}}
{{- if and .Values.gateway.ingress.className (not (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion)) }}
{{- if not (hasKey .Values.gateway.ingress.annotations "kubernetes.io/ingress.class") }}
{{- $_ := set .Values.gateway.ingress.annotations "kubernetes.io/ingress.class" .Values.gateway.ingress.className}}
{{- end }}
{{- end }}
{{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.Version }}
apiVersion: networking.k8s.io/v1
{{- else if semverCompare ">=1.14-0" .Capabilities.KubeVersion.Version }}
apiVersion: networking.k8s.io/v1beta1
{{- else -}}
apiVersion: extensions/v1beta1
{{- end }}
kind: Ingress
metadata:
name: {{ $fullName }}
labels:
{{- include "apisix.labels" . | nindent 4 }}
{{- with .Values.gateway.ingress.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
{{- if and .Values.gateway.ingress.className (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }}
ingressClassName: {{ .Values.gateway.ingress.className }}
{{- end }}
{{- if .Values.gateway.ingress.tls }}
tls:
{{- range .Values.gateway.ingress.tls }}
- hosts:
{{- range .hosts }}
- {{ . | quote }}
{{- end }}
secretName: {{ .secretName }}
{{- end }}
{{- end }}
rules:
{{- range .Values.gateway.ingress.hosts }}
- host: {{ .host | quote }}
http:
paths:
{{- range .paths }}
- path: {{ . }}
{{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.Version }}
pathType: ImplementationSpecific
backend:
service:
name: {{ $fullName }}-gateway
port:
number: {{ $svcPort }}
{{- else -}}
backend:
serviceName: {{ $fullName }}-gateway
servicePort: {{ $svcPort }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}

34
deploy/charts/apisix/templates/pdb.yaml Normal file
View File

@ -0,0 +1,34 @@
#
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to You under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
{{- if (and .Values.apisix.enabled .Values.apisix.podDisruptionBudget.enabled) }}
apiVersion: policy/v1beta1
kind: PodDisruptionBudget
metadata:
name: {{ include "apisix.fullname" . }}
namespace: {{ .Release.Namespace }}
labels:
{{- include "apisix.labels" . | nindent 4 }}
spec:
{{- if .Values.apisix.podDisruptionBudget.minAvailable }}
minAvailable: {{ .Values.apisix.podDisruptionBudget.minAvailable }}
{{- else }}
maxUnavailable: {{ .Values.apisix.podDisruptionBudget.maxUnavailable }}
{{- end }}
selector:
matchLabels:
{{- include "apisix.selectorLabels" . | nindent 6 }}
{{- end }}

58
deploy/charts/apisix/templates/service-admin.yaml Normal file
View File

@ -0,0 +1,58 @@
#
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to You under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
{{ if (and .Values.apisix.enabled .Values.admin.enabled) }}
apiVersion: v1
kind: Service
metadata:
name: {{ include "apisix.fullname" . }}-admin
namespace: {{ .Release.Namespace }}
annotations:
{{- range $key, $value := .Values.admin.annotations }}
{{ $key }}: {{ $value | quote }}
{{- end }}
labels:
{{- include "apisix.labels" . | nindent 4 }}
app.kubernetes.io/service: apisix-admin
spec:
type: {{ .Values.admin.type }}
{{- if eq .Values.admin.type "LoadBalancer" }}
{{- if .Values.admin.loadBalancerIP }}
loadBalancerIP: {{ .Values.admin.loadBalancerIP }}
{{- end }}
{{- if .Values.admin.loadBalancerSourceRanges }}
loadBalancerSourceRanges:
{{- range $cidr := .Values.admin.loadBalancerSourceRanges }}
- {{ $cidr }}
{{- end }}
{{- end }}
{{- end }}
{{- if gt (len .Values.admin.externalIPs) 0 }}
externalIPs:
{{- range $ip := .Values.admin.externalIPs }}
- {{ $ip }}
{{- end }}
{{- end }}
ports:
- name: apisix-admin
port: {{ .Values.admin.servicePort }}
targetPort: {{ .Values.admin.port }}
{{- if (and (eq .Values.admin.type "NodePort") (not (empty .Values.admin.nodePort))) }}
nodePort: {{ .Values.admin.nodePort }}
{{- end }}
protocol: TCP
selector:
{{- include "apisix.selectorLabels" . | nindent 4 }}
{{ end }}

91
deploy/charts/apisix/templates/service-gateway.yaml Normal file
View File

@ -0,0 +1,91 @@
#
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to You under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
{{- if .Values.apisix.enabled }}
apiVersion: v1
kind: Service
metadata:
name: {{ include "apisix.fullname" . }}-gateway
namespace: {{ .Release.Namespace }}
annotations:
{{- range $key, $value := .Values.gateway.annotations }}
{{ $key }}: {{ $value | quote }}
{{- end }}
labels:
{{- include "apisix.labels" . | nindent 4 }}
app.kubernetes.io/service: apisix-gateway
spec:
type: {{ .Values.gateway.type }}
externalTrafficPolicy: {{ .Values.gateway.externalTrafficPolicy }}
{{- if eq .Values.gateway.type "LoadBalancer" }}
{{- if .Values.gateway.loadBalancerIP }}
loadBalancerIP: {{ .Values.gateway.loadBalancerIP }}
{{- end }}
{{- if .Values.gateway.loadBalancerSourceRanges }}
loadBalancerSourceRanges:
{{- range $cidr := .Values.gateway.loadBalancerSourceRanges }}
- {{ $cidr }}
{{- end }}
{{- end }}
{{- end }}
{{- if gt (len .Values.gateway.externalIPs) 0 }}
externalIPs:
{{- range $ip := .Values.gateway.externalIPs }}
- {{ $ip }}
{{- end }}
{{- end }}
ports:
{{- if .Values.gateway.http.enabled }}
- name: apisix-gateway
port: {{ .Values.gateway.http.servicePort }}
targetPort: {{ .Values.gateway.http.containerPort }}
{{- if (and (eq .Values.gateway.type "NodePort") (not (empty .Values.gateway.http.nodePort))) }}
nodePort: {{ .Values.gateway.http.nodePort }}
{{- end }}
protocol: TCP
{{- end }}
{{- if or .Values.gateway.tls.enabled }}
- name: apisix-gateway-tls
port: {{ .Values.gateway.tls.servicePort }}
targetPort: {{ .Values.gateway.tls.containerPort }}
{{- if (and (eq .Values.gateway.type "NodePort") (not (empty .Values.gateway.tls.nodePort))) }}
nodePort: {{ .Values.gateway.tls.nodePort }}
{{- end }}
protocol: TCP
{{- end }}
{{- if and .Values.gateway.stream.enabled (or (gt (len .Values.gateway.stream.tcp) 0) (gt (len .Values.gateway.stream.udp) 0)) }}
{{- with .Values.gateway.stream }}
{{- if (gt (len .tcp) 0) }}
{{- range $index, $port := .tcp }}
- name: proxy-tcp-{{ $index | toString }}
port: {{ $port }}
targetPort: {{ $port }}
protocol: TCP
{{- end }}
{{- end }}
{{- if (gt (len .udp) 0) }}
{{- range $index, $port := .udp }}
- name: proxy-udp-{{ $index | toString }}
port: {{ $port }}
targetPort: {{ $port }}
protocol: UDP
{{- end }}
{{- end }}
{{- end }}
{{- end }}
selector:
{{- include "apisix.selectorLabels" . | nindent 4 }}
{{- end }}

44
deploy/charts/apisix/templates/service-monitor.yaml Normal file
View File

@ -0,0 +1,44 @@
#
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to You under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
{{- if .Values.serviceMonitor.enabled }}
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
name: {{ .Values.serviceMonitor.name | default (include "apisix.fullname" .) }}
namespace: {{ .Values.serviceMonitor.namespace | default .Release.Namespace }}
labels:
{{- include "apisix.labels" . | nindent 4 }}
{{- if .Values.serviceMonitor.labels }}
{{- toYaml .Values.serviceMonitor.labels | nindent 4 }}
{{- end }}
{{- if .Values.serviceMonitor.annotations }}
annotations: {{- toYaml .Values.serviceMonitor.annotations | nindent 4 }}
{{- end }}
spec:
namespaceSelector:
matchNames:
- {{ .Values.serviceMonitor.namespace | default .Release.Namespace }}
selector:
matchLabels:
{{- include "apisix.labels" . | nindent 6 }}
app.kubernetes.io/service: apisix-gateway
endpoints:
- scheme: http
targetPort: prometheus
path: {{ .Values.serviceMonitor.path }}
interval: {{ .Values.serviceMonitor.interval }}
{{- end }}

29
deploy/charts/apisix/templates/serviceaccount.yaml Normal file
View File

@ -0,0 +1,29 @@
#
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to You under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
{{- if .Values.serviceAccount.create }}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "apisix.serviceAccountName" . }}
namespace: {{ .Release.Namespace }}
labels:
{{- include "apisix.labels" . | nindent 4 }}
{{- with .Values.serviceAccount.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- end }}

471
deploy/charts/apisix/values.yaml Normal file
View File

@ -0,0 +1,471 @@
#
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to You under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
global:
# e.g.
# imagePullSecrets:
# - my-registry-secrets
# - other-registry-secrets
#
imagePullSecrets: []
apisix:
# Enable or disable Apache APISIX itself
# Set it to false and ingress-controller.enabled=true will deploy only ingress-controller
enabled: true
# Enable nginx IPv6 resolver
enableIPv6: true
# Whether the APISIX version number should be shown in Server header
enableServerTokens: true
# Use Pod metadata.uid as the APISIX id.
setIDFromPodUID: false
customLuaSharedDicts: []
# - name: foo
# size: 10k
# - name: bar
# size: 1m
luaModuleHook:
enabled: false
# extend lua_package_path to load third party code
luaPath: ""
# the hook module which will be used to inject third party code into APISIX
# use the lua require style like: "module.say_hello"
hookPoint: ""
# configmap that stores the codes
configMapRef:
name: ""
# mounts decides how to mount the codes to the container.
mounts:
- key: ""
path: ""
# Defines how apisix handles routing:
# - radixtree_uri: match route by uri(base on radixtree)
# - radixtree_host_uri: match route by host + uri(base on radixtree)
# - radixtree_uri_with_parameter: match route by uri with parameters
httpRouter: radixtree_uri
enableCustomizedConfig: false
customizedConfig: {}
image:
repository: apache/apisix
pullPolicy: IfNotPresent
# Overrides the image tag whose default is the chart appVersion.
tag: 2.15.0-alpine
# Use a `DaemonSet` or `Deployment`
kind: Deployment
# kind is DaemonSet, replicaCount not become effective
replicaCount: 1
priorityClassName: ""
podAnnotations: {}
podSecurityContext: {}
# fsGroup: 2000
securityContext: {}
# capabilities:
# drop:
# - ALL
# readOnlyRootFilesystem: true
# runAsNonRoot: true
# runAsUser: 1000
# See https://kubernetes.io/docs/tasks/run-application/configure-pdb/ for more details
podDisruptionBudget:
enabled: false
minAvailable: 90%
maxUnavailable: 1
resources: {}
# We usually recommend not to specify default resources and to leave this as a conscious
# choice for the user. This also increases chances charts run on environments with little
# resources, such as Minikube. If you do want to specify resources, uncomment the following
# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
# limits:
# cpu: 100m
# memory: 128Mi
# requests:
# cpu: 100m
# memory: 128Mi
hostNetwork: false
nodeSelector: {}
tolerations: []
affinity: {}
# timezone is the timezone where apisix uses.
# For example: "UTC" or "Asia/Shanghai"
# This value will be set on apisix container's environment variable TZ.
# You may need to set the timezone to be consistent with your local time zone,
# otherwise the apisix's logs may used to retrieve event maybe in wrong timezone.
timezone: ""
# extraEnvVars An array to add extra env vars
# e.g:
# extraEnvVars:
# - name: FOO
# value: "bar"
# - name: FOO2
# valueFrom:
# secretKeyRef:
# name: SECRET_NAME
# key: KEY
extraEnvVars: []
nameOverride: ""
fullnameOverride: ""
serviceAccount:
create: false
annotations: {}
name: ""
rbac:
create: false
gateway:
type: NodePort
# If you want to keep the client source IP, you can set this to Local.
# ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip
externalTrafficPolicy: Cluster
# type: LoadBalancer
# annotations:
# service.beta.kubernetes.io/aws-load-balancer-type: nlb
externalIPs: []
http:
enabled: true
servicePort: 80
containerPort: 9080
tls:
enabled: false
servicePort: 443
containerPort: 9443
existingCASecret: ""
certCAFilename: ""
http2:
enabled: true
sslProtocols: "TLSv1.2 TLSv1.3"
# L4 proxy (TCP/UDP)
stream:
enabled: false
only: false
tcp: []
udp: []
ingress:
enabled: false
annotations: {}
# kubernetes.io/ingress.class: nginx
# kubernetes.io/tls-acme: "true"
hosts:
- host: apisix.local
paths: []
tls: []
# - secretName: apisix-tls
# hosts:
# - chart-example.local
admin:
# Enable Admin API
enabled: true
# admin service type
type: ClusterIP
# loadBalancerIP: a.b.c.d
# loadBalancerSourceRanges:
# - "143.231.0.0/16"
externalIPs: []
#
port: 9180
servicePort: 9180
# Admin API support CORS response headers
cors: true
# Admin API credentials
credentials:
admin: edd1c9f034335f136f87ad84b625c8f1
viewer: 4054f7cf07e344346cd3f287985e76a2
allow:
# The client IP CIDR allowed to access Apache APISIX Admin API service.
ipList:
- 127.0.0.1/24
- 10.0.0.1/8
- 100.0.0.1/8
nginx:
workerRlimitNofile: "20480"
workerConnections: "10620"
workerProcesses: auto
enableCPUAffinity: true
envs: []
# APISIX plugins to be enabled
plugins:
- api-breaker
- authz-keycloak
- basic-auth
- batch-requests
- consumer-restriction
- cors
- echo
- fault-injection
- file-logger
- grpc-transcode
- hmac-auth
- http-logger
- ip-restriction
- ua-restriction
- jwt-auth
- kafka-logger
- key-auth
- limit-conn
- limit-count
- limit-req
- node-status
- openid-connect
- authz-casbin
- prometheus
- proxy-cache
- proxy-mirror
- proxy-rewrite
- redirect
- referer-restriction
- request-id
- request-validation
- response-rewrite
- serverless-post-function
- serverless-pre-function
- sls-logger
- syslog
- tcp-logger
- udp-logger
- uri-blocker
- wolf-rbac
- zipkin
- traffic-split
- gzip
- real-ip
- ext-plugin-pre-req
- ext-plugin-post-req
stream_plugins:
- mqtt-proxy
- ip-restriction
- limit-conn
pluginAttrs: {}
extPlugin:
enabled: false
cmd: ["/path/to/apisix-plugin-runner/runner", "run"]
wasmPlugins:
enabled: false
plugins: []
# customPlugins allows you to mount your own HTTP plugins.
customPlugins:
enabled: false
# the lua_path that tells APISIX where it can find plugins,
# note the last ';' is required.
luaPath: "/opts/custom_plugins/?.lua"
plugins:
# plugin name.
- name: ""
# plugin attrs
attrs: {}
# plugin codes can be saved inside configmap object.
configMap:
# name of configmap.
name: ""
# since keys in configmap is flat, mountPath allows to define the mount
# path, so that plugin codes can be mounted hierarchically.
mounts:
- key: ""
path: ""
- key: ""
path: ""
updateStrategy: {}
# type: RollingUpdate
extraVolumes: []
# - name: extras
# emptyDir: {}
extraVolumeMounts: []
# - name: extras
# mountPath: /usr/share/extras
# readOnly: true
extraInitContainers: []
# - name: init-myservice
# image: busybox:1.28
# command: ['sh', '-c', "until nslookup myservice.$(cat /var/run/secrets/kubernetes.io/serviceaccount/namespace).svc.cluster.local; do echo waiting for myservice; sleep 2; done"]
discovery:
enabled: false
registry: {}
# Integration service discovery registry. E.g eureka\dns\nacos\consul_kv
# reference:
# https://apisix.apache.org/docs/apisix/discovery/#configuration-for-eureka
# https://apisix.apache.org/docs/apisix/discovery/dns/#service-discovery-via-dns
# https://apisix.apache.org/docs/apisix/discovery/consul_kv/#configuration-for-consul-kv
# https://apisix.apache.org/docs/apisix/discovery/nacos/#configuration-for-nacos
# https://apisix.apache.org/docs/apisix/discovery/kubernetes/#configuration
#
# an eureka example:
# ```
# eureka:
# host:
# - "http://${username}:${password}@${eureka_host1}:${eureka_port1}"
# - "http://${username}:${password}@${eureka_host2}:${eureka_port2}"
# prefix: "/eureka/"
# fetch_interval: 30
# weight: 100
# timeout:
# connect: 2000
# send: 2000
# read: 5000
# ```
#
# the minimal Kubernetes example:
# ```
# kubernetes: {}
# ```
#
# The prerequisites for the above minimal Kubernetes example:
# 1. [Optional] Set `.serviceAccount.create` to `true` to create a dedicated ServiceAccount.
# It is recommended to do so, otherwise the default ServiceAccount "default" will be used.
# 2. [Required] Set `.rbac.create` to `true` to create and bind the necessary RBAC resources.
# This grants the ServiceAccount in use to List-Watch Kubernetes Endpoints resources.
# 3. [Required] Include the following environment variables in `.nginx.envs` to pass them into
# nginx worker processes (https://nginx.org/en/docs/ngx_core_module.html#env):
# - KUBERNETES_SERVICE_HOST
# - KUBERNETES_SERVICE_PORT
# This is for allowing the default `host` and `port` of `.discovery.registry.kubernetes.service`.
# access log and error log configuration
logs:
enableAccessLog: true
accessLog: "/dev/stdout"
accessLogFormat: '$remote_addr - $remote_user [$time_local] $http_host \"$request\" $status $body_bytes_sent $request_time \"$http_referer\" \"$http_user_agent\" $upstream_addr $upstream_status $upstream_response_time \"$upstream_scheme://$upstream_host$upstream_uri\"'
accessLogFormatEscape: default
errorLog: "/dev/stderr"
errorLogLevel: "warn"
dns:
resolvers:
- 127.0.0.1
- 172.20.0.10
- 114.114.114.114
- 223.5.5.5
- 1.1.1.1
- 8.8.8.8
validity: 30
timeout: 5
initContainer:
image: busybox
tag: 1.28
autoscaling:
enabled: false
minReplicas: 1
maxReplicas: 100
targetCPUUtilizationPercentage: 80
targetMemoryUtilizationPercentage: 80
# Custom configuration snippet.
configurationSnippet:
main: |
httpStart: |
httpEnd: |
httpSrv: |
httpAdmin: |
stream: |
# Observability configuration.
# ref: https://apisix.apache.org/docs/apisix/plugins/prometheus/
serviceMonitor:
enabled: false
# namespace where the serviceMonitor is deployed, by default, it is the same as the namespace of the apisix
namespace: ""
# name of the serviceMonitor, by default, it is the same as the apisix fullname
name: ""
# interval at which metrics should be scraped
interval: 15s
# path of the metrics endpoint
path: /apisix/prometheus/metrics
# prefix of the metrics
metricPrefix: apisix_
# container port where the metrics are exposed
containerPort: 9091
# @param serviceMonitor.labels ServiceMonitor extra labels
labels: {}
# @param serviceMonitor.annotations ServiceMonitor annotations
annotations: {}
# etcd configuration
# use the FQDN address or the IP of the etcd
etcd:
# install etcd(v3) by default, set false if do not want to install etcd(v3) together
enabled: true
host:
# host or ip e.g. http://172.20.128.89:2379
- http://etcd.host:2379
prefix: "/apisix"
timeout: 30
# if etcd.enabled is true, set more values of bitnami/etcd helm chart
auth:
rbac:
# No authentication by default
create: false
user: ""
password: ""
tls:
enabled: false
existingSecret: ""
certFilename: ""
certKeyFilename: ""
verify: true
sni: ""
service:
port: 2379
replicaCount: 3
dashboard:
enabled: false
ingress-controller:
enabled: false
vault:
enabled: false
host: ""
timeout: 10
token: ""
prefix: ""