jiazhizhong/higress
1
0
Fork 0
mirror of https://github.com/alibaba/higress.git synced 2026-06-09 04:37:31 +08:00
Code Issues Packages Projects Releases Wiki Activity

feat: Remove redundant helm charts and add console as a dependency (#223)

Browse Source
This commit is contained in:
Kent Dong
2023-03-07 11:37:00 +08:00
committed by GitHub
parent 7e2c039fc2
commit 7f6b157a19
75 changed files with 27 additions and 16165 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
helm/core/templates/NOTES.txt Normal file
View File

@@ -0,0 +1,5 @@
Higress successfully installed!
To learn more about the release, try:
$ helm status {{ .Release.Name }} -n {{ .Release.Namespace }}
$ helm get all {{ .Release.Name }} -n {{ .Release.Namespace }}

89
helm/core/templates/_helpers.tpl Normal file
View File

@@ -0,0 +1,89 @@
{{- define "gateway.name" -}}
{{- .Values.gateway.name | default "higress-gateway" -}}
{{- end }}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "gateway.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
{{- end }}
{{- define "gateway.labels" -}}
helm.sh/chart: {{ include "gateway.chart" . }}
{{ include "gateway.selectorLabels" . }}
{{- if .Chart.AppVersion }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- end }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
app.kubernetes.io/name: {{ include "gateway.name" . }}
{{- range $key, $val := .Values.gateway.labels }}
{{- if not (or (eq $key "app") (eq $key "higress")) }}
{{ $key | quote }}: {{ $val | quote }}
{{- end }}
{{- end }}
{{- end }}
{{- define "gateway.selectorLabels" -}}
{{- if hasKey .Values.gateway.labels "app" }}
{{- with .Values.gateway.labels.app }}app: {{.|quote}}
{{- end}}
{{- else }}app: {{ include "gateway.name" . }}
{{- end }}
{{- if hasKey .Values.gateway.labels "higress" }}
{{- with .Values.gateway.labels.higress }}
higress: {{.|quote}}
{{- end}}
{{- else }}
higress: {{ .Release.Namespace }}-{{ include "gateway.name" . }}
{{- end }}
{{- end }}
{{- define "gateway.serviceAccountName" -}}
{{- if .Values.gateway.serviceAccount.create }}
{{- .Values.gateway.serviceAccount.name | default (include "gateway.name" .) }}
{{- else }}
{{- .Values.gateway.serviceAccount.name | default "default" }}
{{- end }}
{{- end }}
{{- define "controller.name" -}}
{{- .Values.controller.name | default "higress-controller" -}}
{{- end }}
{{- define "controller.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
{{- end }}
{{- define "controller.labels" -}}
helm.sh/chart: {{ include "controller.chart" . }}
{{ include "controller.selectorLabels" . }}
{{- if .Chart.AppVersion }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- end }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
app.kubernetes.io/name: {{ include "controller.name" . }}
{{- end }}
{{- define "controller.selectorLabels" -}}
{{- if hasKey .Values.controller.labels "app" }}
{{- with .Values.controller.labels.app }}app: {{.|quote}}
{{- end}}
{{- else }}app: {{ include "controller.name" . }}
{{- end }}
{{- if hasKey .Values.controller.labels "higress" }}
{{- with .Values.controller.labels.higress }}
higress: {{.|quote}}
{{- end}}
{{- else }}
higress: {{ include "controller.name" . }}
{{- end }}
{{- end }}
{{- define "controller.serviceAccountName" -}}
{{- if .Values.controller.serviceAccount.create }}
{{- .Values.controller.serviceAccount.name | default (include "controller.name" .) }}
{{- else }}
{{- .Values.controller.serviceAccount.name | default "default" }}
{{- end }}
{{- end }}

23
helm/core/templates/clusterrole.yaml Normal file
View File

@@ -0,0 +1,23 @@
{{- if .Values.gateway.rbac.enabled }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ include "gateway.serviceAccountName" . }}-{{ .Release.Namespace }}
rules:
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get", "watch", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ include "gateway.serviceAccountName" . }}-{{ .Release.Namespace }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ include "gateway.serviceAccountName" . }}-{{ .Release.Namespace }}
subjects:
- kind: ServiceAccount
name: {{ include "gateway.serviceAccountName" . }}
namespace: {{ .Release.Namespace }}
{{- end }}

118
helm/core/templates/configmap.yaml Normal file
View File

@@ -0,0 +1,118 @@
{{- define "mesh" }}
# The trust domain corresponds to the trust root of a system.
# Refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain
trustDomain: "cluster.local"
accessLogEncoding: TEXT
accessLogFile: "/dev/stdout"
accessLogFormat: '{"authority":"%REQ(:AUTHORITY)%","bytes_received":"%BYTES_RECEIVED%","bytes_sent":"%BYTES_SENT%","downstream_local_address":"%DOWNSTREAM_LOCAL_ADDRESS%","downstream_remote_address":"%DOWNSTREAM_REMOTE_ADDRESS%","duration":"%DURATION%","istio_policy_status":"%DYNAMIC_METADATA(istio.mixer:status)%","method":"%REQ(:METHOD)%","path":"%REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%","protocol":"%PROTOCOL%","request_id":"%REQ(X-REQUEST-ID)%","requested_server_name":"%REQUESTED_SERVER_NAME%","response_code":"%RESPONSE_CODE%","response_flags":"%RESPONSE_FLAGS%","route_name":"%ROUTE_NAME%","start_time":"%START_TIME%","trace_id":"%REQ(X-B3-TRACEID)%","upstream_cluster":"%UPSTREAM_CLUSTER%","upstream_host":"%UPSTREAM_HOST%","upstream_local_address":"%UPSTREAM_LOCAL_ADDRESS%","upstream_service_time":"%RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)%","upstream_transport_failure_reason":"%UPSTREAM_TRANSPORT_FAILURE_REASON%","user_agent":"%REQ(USER-AGENT)%","x_forwarded_for":"%REQ(X-FORWARDED-FOR)%"}
'
dnsRefreshRate: 200s
enableAutoMtls: false
enablePrometheusMerge: false
protocolDetectionTimeout: 100ms
# The namespace to treat as the administrative root namespace for Istio configuration.
# When processing a leaf namespace Istio will search for declarations in that namespace first
# and if none are found it will search in the root namespace. Any matching declaration found in the root namespace
# is processed as if it were declared in the leaf namespace.
{{- if .Values.global.enableMesh }}
rootNamespace: {{ .Values.meshConfig.rootNamespace | default .Values.global.istioNamespace }}
{{- else }}
rootNamespace: {{ .Release.Namespace }}
{{- end }}
configSources:
- address: "xds://127.0.0.1:15051"
defaultConfig:
{{- if .Values.global.meshID }}
meshId: {{ .Values.global.meshID }}
{{- end }}
tracing:
{{- if eq .Values.global.proxy.tracer "lightstep" }}
lightstep:
# Address of the LightStep Satellite pool
address: {{ .Values.global.tracer.lightstep.address }}
# Access Token used to communicate with the Satellite pool
accessToken: {{ .Values.global.tracer.lightstep.accessToken }}
{{- else if eq .Values.global.proxy.tracer "zipkin" }}
zipkin:
# Address of the Zipkin collector
address: {{ .Values.global.tracer.zipkin.address | default (print "zipkin." .Release.Namespace ":9411") }}
{{- else if eq .Values.global.proxy.tracer "datadog" }}
datadog:
# Address of the Datadog Agent
address: {{ .Values.global.tracer.datadog.address | default "$(HOST_IP):8126" }}
{{- else if eq .Values.global.proxy.tracer "stackdriver" }}
stackdriver:
# enables trace output to stdout.
{{- if $.Values.global.tracer.stackdriver.debug }}
debug: {{ $.Values.global.tracer.stackdriver.debug }}
{{- end }}
{{- if $.Values.global.tracer.stackdriver.maxNumberOfAttributes }}
# The global default max number of attributes per span.
maxNumberOfAttributes: {{ $.Values.global.tracer.stackdriver.maxNumberOfAttributes | default "200" }}
{{- end }}
{{- if $.Values.global.tracer.stackdriver.maxNumberOfAnnotations }}
# The global default max number of annotation events per span.
maxNumberOfAnnotations: {{ $.Values.global.tracer.stackdriver.maxNumberOfAnnotations | default "200" }}
{{- end }}
{{- if $.Values.global.tracer.stackdriver.maxNumberOfMessageEvents }}
# The global default max number of message events per span.
maxNumberOfMessageEvents: {{ $.Values.global.tracer.stackdriver.maxNumberOfMessageEvents | default "200" }}
{{- end }}
{{- else if eq .Values.global.proxy.tracer "openCensusAgent" }}
{{/* Fill in openCensusAgent configuration from meshConfig so it isn't overwritten below */}}
{{ toYaml $.Values.meshConfig.defaultConfig.tracing | indent 8 }}
{{- else }}
{}
{{- end }}
{{- if .Values.global.remotePilotAddress }}
{{- if not .Values.global.externalIstiod }}
discoveryAddress: {{ printf "istiod-remote.%s.svc" .Release.Namespace }}:15012
{{- else }}
discoveryAddress: {{ printf "istiod.%s.svc" .Release.Namespace }}:15012
{{- end }}
{{- else }}
{{- if .Values.global.enableMesh }}
discoveryAddress: {{ printf "istiod.%s.svc" .Values.global.istioNamespace }}:15012
{{- else }}
discoveryAddress: higress-controller.{{.Release.Namespace}}.svc:15012
{{- end }}
{{- end }}
proxyStatsMatcher:
inclusionRegexps:
- ".*"
{{- end }}
{{/* We take the mesh config above, defined with individual values.yaml, and merge with .Values.meshConfig */}}
{{/* The intent here is that meshConfig.foo becomes the API, rather than re-inventing the API in values.yaml */}}
{{- $originalMesh := include "mesh" . | fromYaml }}
{{- $mesh := mergeOverwrite $originalMesh .Values.meshConfig }}
apiVersion: v1
kind: ConfigMap
metadata:
name: higress-config
namespace: {{ .Release.Namespace }}
labels:
{{- include "gateway.labels" . | nindent 4 }}
data:
# Configuration file for the mesh networks to be used by the Split Horizon EDS.
meshNetworks: |-
{{- if .Values.global.meshNetworks }}
networks:
{{ toYaml .Values.global.meshNetworks | trim | indent 6 }}
{{- else }}
networks: {}
{{- end }}
mesh: |-
{{- if .Values.meshConfig }}
{{ $mesh | toYaml | indent 4 }}
{{- else }}
{{- include "mesh" . }}
{{- end }}
---

108
helm/core/templates/controller-clusterrole.yaml Normal file
View File

@@ -0,0 +1,108 @@
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ include "controller.serviceAccountName" . }}-{{ .Release.Namespace }}
labels:
{{- include "controller.labels" . | nindent 4 }}
rules:
# ingress controller
- apiGroups: ["extensions", "networking.k8s.io"]
resources: ["ingresses"]
verbs: ["get", "list", "watch"]
- apiGroups: ["extensions", "networking.k8s.io"]
resources: ["ingresses/status"]
verbs: ["*"]
- apiGroups: ["networking.k8s.io"]
resources: ["ingresses", "ingressclasses"]
verbs: ["get", "list", "watch"]
- apiGroups: ["networking.k8s.io"]
resources: ["ingresses/status"]
verbs: ["*"]
# required for CA's namespace controller
- apiGroups: [""]
resources: ["configmaps"]
verbs: ["create", "get", "list", "watch", "update"]
# Use for Kubernetes Service APIs
- apiGroups: ["networking.x-k8s.io", "gateway.networking.k8s.io"]
resources: ["*"]
verbs: ["get", "watch", "list"]
- apiGroups: ["networking.x-k8s.io", "gateway.networking.k8s.io"]
resources: ["*"] # TODO: should be on just */status but wildcard is not supported
verbs: ["update"]
# Needed for multicluster secret reading, possibly ingress certs in the future
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get", "watch", "list"]
- apiGroups: ["networking.higress.io"]
resources: ["mcpbridges"]
verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: ["extensions.higress.io"]
resources: ["wasmplugins"]
verbs: ["get", "list", "watch"]
- apiGroups: [""]
resources: ["services"]
verbs: ["get", "watch", "list", "update", "patch", "create", "delete"]
# auto-detect installed CRD definitions
- apiGroups: ["apiextensions.k8s.io"]
resources: ["customresourcedefinitions"]
verbs: ["get", "list", "watch"]
# discovery and routing
- apiGroups: [""]
resources: ["pods", "nodes", "services", "namespaces", "endpoints"]
verbs: ["get", "list", "watch"]
- apiGroups: ["discovery.k8s.io"]
resources: ["endpointslices"]
verbs: ["get", "list", "watch"]
# Istiod and bootstrap.
- apiGroups: ["certificates.k8s.io"]
resources:
- "certificatesigningrequests"
- "certificatesigningrequests/approval"
- "certificatesigningrequests/status"
verbs: ["update", "create", "get", "delete", "watch"]
- apiGroups: ["certificates.k8s.io"]
resources:
- "signers"
resourceNames:
- "kubernetes.io/legacy-unknown"
verbs: ["approve"]
# Used by Istiod to verify the JWT tokens
- apiGroups: ["authentication.k8s.io"]
resources: ["tokenreviews"]
verbs: ["create"]
# Used by Istiod to verify gateway SDS
- apiGroups: ["authorization.k8s.io"]
resources: ["subjectaccessreviews"]
verbs: ["create"]
# Used for MCS serviceexport management
- apiGroups: ["multicluster.x-k8s.io"]
resources: ["serviceexports"]
verbs: [ "get", "watch", "list", "create", "delete"]
# Used for MCS serviceimport management
- apiGroups: ["multicluster.x-k8s.io"]
resources: ["serviceimports"]
verbs: ["get", "watch", "list"]
# sidecar injection controller
- apiGroups: ["admissionregistration.k8s.io"]
resources: ["mutatingwebhookconfigurations"]
verbs: ["get", "list", "watch", "update", "patch"]
# configuration validation webhook controller
- apiGroups: ["admissionregistration.k8s.io"]
resources: ["validatingwebhookconfigurations"]
verbs: ["get", "list", "watch", "update"]

15
helm/core/templates/controller-clusterrolebinding.yaml Normal file
View File

@@ -0,0 +1,15 @@
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ include "controller.serviceAccountName" . }}-{{ .Release.Namespace }}
labels:
{{- include "controller.labels" . | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ include "controller.serviceAccountName" . }}-{{ .Release.Namespace }}
subjects:
- kind: ServiceAccount
name: {{ include "controller.serviceAccountName" . }}
namespace: {{ .Release.Namespace }}

263
helm/core/templates/controller-deployment.yaml Normal file
View File

@@ -0,0 +1,263 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ include "controller.name" . }}
labels:
{{- include "controller.labels" . | nindent 4 }}
spec:
{{- if not .Values.controller.autoscaling.enabled }}
replicas: {{ .Values.controller.replicas }}
{{- end }}
selector:
matchLabels:
{{- include "controller.selectorLabels" . | nindent 6 }}
template:
metadata:
{{- with .Values.controller.podAnnotations }}
annotations:
{{- toYaml . | nindent 8 }}
{{- end }}
labels:
{{- include "controller.selectorLabels" . | nindent 8 }}
spec:
{{- with .Values.controller.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
serviceAccountName: {{ include "controller.serviceAccountName" . }}
securityContext:
{{- toYaml .Values.controller.podSecurityContext | nindent 8 }}
containers:
{{- if not .Values.global.enableMesh }}
- name: discovery
{{- if contains "/" .Values.pilot.image }}
image: "{{ .Values.pilot.image }}"
{{- else }}
image: "{{ .Values.pilot.hub | default .Values.global.hub }}/{{ .Values.pilot.image | default "pilot" }}:{{ .Values.pilot.tag | default .Values.global.tag }}"
{{- end }}
{{- if .Values.global.imagePullPolicy }}
imagePullPolicy: {{ .Values.global.imagePullPolicy }}
{{- end }}
args:
- "discovery"
- --monitoringAddr=:15014
{{- if .Values.global.logging.level }}
- --log_output_level={{ .Values.global.logging.level }}
{{- end}}
{{- if .Values.global.logAsJson }}
- --log_as_json
{{- end }}
- --domain
- {{ .Values.global.proxy.clusterDomain }}
{{- if .Values.global.oneNamespace }}
- "-a"
- {{ .Release.Namespace }}
{{- end }}
{{- if .Values.pilot.plugins }}
- --plugins={{ .Values.pilot.plugins }}
{{- end }}
- --keepaliveMaxServerConnectionAge
- "{{ .Values.pilot.keepaliveMaxServerConnectionAge }}"
ports:
- containerPort: 8080
protocol: TCP
- containerPort: 15010
protocol: TCP
- containerPort: 15017
protocol: TCP
readinessProbe:
httpGet:
path: /ready
port: 8080
initialDelaySeconds: 1
periodSeconds: 3
timeoutSeconds: 5
env:
- name: HIGRESS_CONTROLLER_SVC
value: "127.0.0.1"
- name: HIGRESS_CONTROLLER_PORT
value: "15051"
- name: REVISION
value: "{{ .Values.revision | default `default` }}"
- name: JWT_POLICY
value: {{ .Values.global.jwtPolicy }}
- name: PILOT_CERT_PROVIDER
value: "istiod"
- name: POD_NAME
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
- name: SERVICE_ACCOUNT
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: spec.serviceAccountName
- name: KUBECONFIG
value: /var/run/secrets/remote/config
{{- if .Values.pilot.env }}
{{- range $key, $val := .Values.pilot.env }}
- name: {{ $key }}
value: "{{ $val }}"
{{- end }}
{{- end }}
{{- if .Values.pilot.traceSampling }}
- name: PILOT_TRACE_SAMPLING
value: "{{ .Values.pilot.traceSampling }}"
{{- end }}
- name: PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_OUTBOUND
value: "{{ .Values.pilot.enableProtocolSniffingForOutbound }}"
- name: PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_INBOUND
value: "{{ .Values.pilot.enableProtocolSniffingForInbound }}"
- name: ISTIOD_ADDR
value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Release.Namespace }}.svc:15012
- name: PILOT_ENABLE_ANALYSIS
value: "{{ .Values.global.istiod.enableAnalysis }}"
- name: CLUSTER_ID
value: "{{ $.Values.global.multiCluster.clusterName | default `Kubernetes` }}"
{{- if not .Values.global.enableMesh }}
- name: CUSTOM_CA_CERT_NAME
value: "higress-ca-root-cert"
{{- end }}
{{- if not .Values.global.kind }}
resources:
{{- if .Values.pilot.resources }}
{{ toYaml .Values.pilot.resources | trim | indent 12 }}
{{- else }}
{{ toYaml .Values.global.defaultResources | trim | indent 12 }}
{{- end }}
{{- end }}
securityContext:
readOnlyRootFilesystem: true
runAsUser: 1337
runAsGroup: 1337
runAsNonRoot: true
capabilities:
drop:
- ALL
volumeMounts:
- name: config
mountPath: /etc/istio/config
{{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
- name: istio-token
mountPath: /var/run/secrets/tokens
readOnly: true
{{- end }}
- name: local-certs
mountPath: /var/run/secrets/istio-dns
- name: cacerts
mountPath: /etc/cacerts
readOnly: true
- name: istio-kubeconfig
mountPath: /var/run/secrets/remote
readOnly: true
{{- if .Values.pilot.jwksResolverExtraRootCA }}
- name: extracacerts
mountPath: /cacerts
{{- end }}
{{- end }}
- name: {{ .Chart.Name }}
securityContext:
{{- toYaml .Values.controller.securityContext | nindent 12 }}
image: "{{ .Values.hub }}/{{ .Values.controller.image }}:{{ .Values.controller.tag | default .Chart.AppVersion }}"
args:
- "serve"
- --gatewaySelectorKey=higress
- --gatewaySelectorValue={{ .Release.Namespace }}-{{ include "gateway.name" . }}
{{- if not .Values.enableStatus }}
- --enableStatus={{ .Values.enableStatus }}
{{- end }}
- --ingressClass={{ .Values.ingressClass }}
{{- if .Values.watchNamespace }}
- --watchNamespace={{ .Values.watchNamespace }}
{{- end }}
env:
- name: POD_NAME
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
- name: SERVICE_ACCOUNT
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: spec.serviceAccountName
{{- if .Values.controller.env }}
{{- range $key, $val := .Values.controller.env }}
- name: {{ $key }}
value: "{{ $val }}"
{{- end }}
{{- end }}
ports:
{{- range $idx, $port := .Values.controller.ports }}
- name: {{ $port.name }}
containerPort: {{ $port.port }}
protocol: {{ $port.protocol }}
{{- end }}
readinessProbe:
{{- toYaml .Values.controller.probe | nindent 12 }}
{{- if not .Values.global.kind }}
resources:
{{- toYaml .Values.controller.resources | nindent 12 }}
{{- end }}
volumeMounts:
- name: log
mountPath: /var/log
{{- with .Values.controller.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.controller.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.controller.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
volumes:
- name: log
emptyDir: {}
{{- if not .Values.global.enableMesh }}
- name: config
configMap:
name: higress-config
# Technically not needed on this pod - but it helps debugging/testing SDS
# Should be removed after everything works.
- emptyDir:
medium: Memory
name: local-certs
{{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
- name: istio-token
projected:
sources:
- serviceAccountToken:
audience: {{ .Values.global.sds.token.aud }}
expirationSeconds: 43200
path: istio-token
# Optional: user-generated root
- name: cacerts
secret:
secretName: cacerts
optional: true
- name: istio-kubeconfig
secret:
secretName: istio-kubeconfig
optional: true
{{- if .Values.pilot.jwksResolverExtraRootCA }}
- name: extracacerts
configMap:
name: pilot-jwks-extra-cacerts{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
{{- end }}
{{- end }}
{{- end }}

13
helm/core/templates/controller-role.yaml Normal file
View File

@@ -0,0 +1,13 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ include "controller.serviceAccountName" . }}
namespace: {{ .Release.Namespace }}
labels:
{{- include "controller.labels" . | nindent 4 }}
rules:
# For storing CA secret
- apiGroups: [""]
resources: ["secrets"]
# TODO lock this down to istio-ca-cert if not using the DNS cert mesh config
verbs: ["create", "get", "watch", "list", "update", "delete"]

15
helm/core/templates/controller-rolebinding.yaml Normal file
View File

@@ -0,0 +1,15 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ include "controller.serviceAccountName" . }}
namespace: {{ .Release.Namespace }}
labels:
{{- include "controller.labels" . | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ include "controller.serviceAccountName" . }}
subjects:
- kind: ServiceAccount
name: {{ include "controller.serviceAccountName" . }}
namespace: {{ .Release.Namespace }}

27
helm/core/templates/controller-service.yaml Normal file
View File

@@ -0,0 +1,27 @@
apiVersion: v1
kind: Service
metadata:
name: {{ include "controller.name" . }}
labels:
{{- include "controller.labels" . | nindent 4 }}
spec:
type: {{ .Values.controller.service.type }}
ports:
{{- toYaml .Values.controller.ports | nindent 4 }}
{{- if not .Values.global.enableMesh }}
- port: 15010
name: grpc-xds # plaintext
protocol: TCP
- port: 15012
name: https-dns # mTLS with k8s-signed cert
protocol: TCP
- port: 443
name: https-webhook # validation and injection
targetPort: 15017
protocol: TCP
- port: 15014
name: http-monitoring # prometheus stats
protocol: TCP
{{- end }}
selector:
{{- include "controller.selectorLabels" . | nindent 4 }}

9
helm/core/templates/controller-serviceaccont.yaml Normal file
View File

@@ -0,0 +1,9 @@
{{- if .Values.controller.serviceAccount.create }}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "controller.serviceAccountName" . }}
namespace: {{ .Release.Namespace }}
labels:
{{- include "controller.labels" . | nindent 4 }}
{{- end }}

252
helm/core/templates/deployment.yaml Normal file
View File

@@ -0,0 +1,252 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ include "gateway.name" . }}
namespace: {{ .Release.Namespace }}
labels:
{{- include "gateway.labels" . | nindent 4}}
annotations:
{{- .Values.gateway.annotations | toYaml | nindent 4 }}
spec:
{{- if not .Values.gateway.autoscaling.enabled }}
{{- if not .Values.global.kind }}
replicas: {{ .Values.gateway.replicas }}
{{- else }}
replicas: 1
{{- end }}
{{- end }}
selector:
matchLabels:
{{- include "gateway.selectorLabels" . | nindent 6 }}
strategy:
rollingUpdate:
maxSurge: {{ .Values.gateway.rollingMaxSurge }}
{{- if .Values.global.kind }}
maxUnavailable: 100%
{{- else }}
maxUnavailable: {{ .Values.gateway.rollingMaxUnavailable }}
{{- end }}
template:
metadata:
annotations:
{{- if .Values.global.enableMesh }}
"enableMesh": "true"
{{- end }}
{{- if .Values.gateway.podAnnotations }}
{{- toYaml .Values.gateway.podAnnotations | nindent 8 }}
{{- end }}
labels:
sidecar.istio.io/inject: "false"
{{- with .Values.gateway.revision }}
istio.io/rev: {{ . }}
{{- end }}
{{- include "gateway.selectorLabels" . | nindent 8 }}
spec:
{{- with .Values.gateway.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
serviceAccountName: {{ include "gateway.serviceAccountName" . }}
securityContext:
{{- if .Values.gateway.securityContext }}
{{- toYaml .Values.gateway.securityContext | nindent 8 }}
{{- else if and (not .Values.gateway.hostNetwork) (semverCompare ">=1.22-0" .Capabilities.KubeVersion.GitVersion) }}
# Safe since 1.22: https://github.com/kubernetes/kubernetes/pull/103326
sysctls:
- name: net.ipv4.ip_unprivileged_port_start
value: "0"
{{- end }}
containers:
- name: higress-gateway
image: "{{ .Values.hub }}/{{ .Values.gateway.image }}:{{ .Values.gateway.tag | default .Chart.AppVersion }}"
args:
- proxy
- router
- --domain
- $(POD_NAMESPACE).svc.cluster.local
- --proxyLogLevel=warning
- --proxyComponentLogLevel=misc:error
- --log_output_level=all:info
- --serviceCluster=higress-gateway
securityContext:
{{- if .Values.gateway.containerSecurityContext }}
{{- toYaml .Values.gateway.containerSecurityContext | nindent 12 }}
{{- else if and (not .Values.gateway.hostNetwork) (semverCompare ">=1.22-0" .Capabilities.KubeVersion.GitVersion) }}
# Safe since 1.22: https://github.com/kubernetes/kubernetes/pull/103326
capabilities:
drop:
- ALL
allowPrivilegeEscalation: false
privileged: false
readOnlyRootFilesystem: true
runAsUser: 1337
runAsGroup: 1337
runAsNonRoot: true
{{- else }}
capabilities:
drop:
- ALL
add:
- NET_BIND_SERVICE
runAsUser: 0
runAsGroup: 1337
runAsNonRoot: false
allowPrivilegeEscalation: true
readOnlyRootFilesystem: true
{{- end }}
env:
- name: NODE_NAME
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: spec.nodeName
- name: POD_NAME
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
- name: INSTANCE_IP
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: status.podIP
- name: HOST_IP
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: status.hostIP
- name: SERVICE_ACCOUNT
valueFrom:
fieldRef:
fieldPath: spec.serviceAccountName
- name: PROXY_XDS_VIA_AGENT
value: "true"
- name: ENABLE_INGRESS_GATEWAY_SDS
value: "false"
- name: JWT_POLICY
value: {{ .Values.global.jwtPolicy }}
- name: ISTIO_META_HTTP10
value: "1"
- name: ISTIO_META_CLUSTER_ID
value: "{{ $.Values.clusterName | default `Kubernetes` }}"
- name: INSTANCE_NAME
value: "higress-gateway"
{{- with .Values.gateway.networkGateway }}
- name: ISTIO_META_REQUESTED_NETWORK_VIEW
value: "{{.}}"
{{- end }}
{{- range $key, $val := .Values.env }}
- name: {{ $key }}
value: {{ $val | quote }}
{{- end }}
ports:
- containerPort: 15090
protocol: TCP
name: http-envoy-prom
{{- if .Values.global.kind }}
- containerPort: 80
hostPort: 80
name: http
protocol: TCP
- containerPort: 443
hostPort: 443
name: https
protocol: TCP
{{- end }}
readinessProbe:
failureThreshold: 30
httpGet:
path: /healthz/ready
port: 15021
scheme: HTTP
initialDelaySeconds: 1
periodSeconds: 2
successThreshold: 1
timeoutSeconds: 3
{{- if not .Values.global.kind }}
resources:
{{- toYaml .Values.gateway.resources | nindent 12 }}
{{- end }}
volumeMounts:
{{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
- name: istio-token
mountPath: /var/run/secrets/tokens
readOnly: true
{{- end }}
- name: config
mountPath: /etc/istio/config
- name: istio-ca-root-cert
mountPath: /var/run/secrets/istio
- name: istio-data
mountPath: /var/lib/istio/data
- name: podinfo
mountPath: /etc/istio/pod
- name: proxy-socket
mountPath: /etc/istio/proxy
{{- if .Values.gateway.hostNetwork }}
hostNetwork: {{ .Values.gateway.hostNetwork }}
dnsPolicy: ClusterFirstWithHostNet
{{- end }}
{{- with .Values.gateway.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.gateway.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.gateway.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
volumes:
{{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
- name: istio-token
projected:
sources:
- serviceAccountToken:
audience: istio-ca
expirationSeconds: 43200
path: istio-token
{{- end }}
- name: istio-ca-root-cert
configMap:
{{- if .Values.global.enableMesh }}
name: istio-ca-root-cert
{{- else }}
name: higress-ca-root-cert
{{- end }}
- name: config
configMap:
name: higress-config
- name: istio-data
emptyDir: {}
- name: proxy-socket
emptyDir: {}
- name: podinfo
downwardAPI:
defaultMode: 420
items:
- fieldRef:
apiVersion: v1
fieldPath: metadata.labels
path: labels
- fieldRef:
apiVersion: v1
fieldPath: metadata.annotations
path: annotations
- path: cpu-request
resourceFieldRef:
containerName: higress-gateway
divisor: 1m
resource: requests.cpu
- path: cpu-limit
resourceFieldRef:
containerName: higress-gateway
divisor: 1m
resource: limits.cpu

55
helm/core/templates/hpa.yaml Normal file
View File

@@ -0,0 +1,55 @@
{{- if .Values.gateway.autoscaling.enabled }}
{{- if not .Values.global.autoscalingv2API }}
apiVersion: autoscaling/v2beta1
kind: HorizontalPodAutoscaler
metadata:
name: {{ include "gateway.name" . }}
namespace: {{ .Release.Namespace }}
labels:
{{- include "gateway.labels" . | nindent 4 }}
annotations:
{{- .Values.gateway.annotations | toYaml | nindent 4 }}
spec:
minReplicas: {{ .Values.gateway.autoscaling.minReplicas }}
maxReplicas: {{ .Values.gateway.autoscaling.maxReplicas }}
scaleTargetRef:
apiVersion: apps/v1
kind: Deployment
name: {{ include "gateway.name" . }}
metrics:
- type: Resource
resource:
name: cpu
targetAverageUtilization: {{ .Values.gateway.autoscaling.targetCPUUtilizationPercentage }}
---
{{- else }}
{{- if (semverCompare ">=1.23-0" .Capabilities.KubeVersion.GitVersion)}}
apiVersion: autoscaling/v2
{{- else }}
apiVersion: autoscaling/v2beta2
{{- end }}
kind: HorizontalPodAutoscaler
metadata:
name: {{ include "gateway.name" . }}
namespace: {{ .Release.Namespace }}
labels:
{{- include "gateway.labels" . | nindent 4 }}
annotations:
{{- .Values.gateway.annotations | toYaml | nindent 4 }}
spec:
minReplicas: {{ .Values.gateway.autoscaling.minReplicas }}
maxReplicas: {{ .Values.gateway.autoscaling.maxReplicas }}
scaleTargetRef:
apiVersion: apps/v1
kind: Deployment
name: {{ include "gateway.name" . }}
metrics:
- type: Resource
resource:
name: cpu
target:
type: Utilization
averageUtilization: {{ .Values.gateway.autoscaling.targetCPUUtilizationPercentage }}
---
{{- end }}
{{- end }}

25
helm/core/templates/role.yaml Normal file
View File

@@ -0,0 +1,25 @@
{{/*Set up roles for Istio Gateway. Not required for gateway-api*/}}
{{- if .Values.gateway.rbac.enabled }}
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ include "gateway.serviceAccountName" . }}
namespace: {{ .Release.Namespace }}
rules:
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get", "watch", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ include "gateway.serviceAccountName" . }}
namespace: {{ .Release.Namespace }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ include "gateway.serviceAccountName" . }}
subjects:
- kind: ServiceAccount
name: {{ include "gateway.serviceAccountName" . }}
{{- end }}

45
helm/core/templates/service.yaml Normal file
View File

@@ -0,0 +1,45 @@
{{- if not (eq .Values.gateway.service.type "None") }}
apiVersion: v1
kind: Service
metadata:
name: {{ include "gateway.name" . }}
namespace: {{ .Release.Namespace }}
labels:
{{- include "gateway.labels" . | nindent 4 }}
{{- with .Values.gateway.networkGateway }}
topology.istio.io/network: "{{.}}"
{{- end }}
annotations:
{{- merge (deepCopy .Values.gateway.service.annotations) .Values.gateway.annotations | toYaml | nindent 4 }}
spec:
{{- with .Values.gateway.service.loadBalancerIP }}
loadBalancerIP: "{{ . }}"
{{- end }}
{{- with .Values.gateway.service.loadBalancerSourceRanges }}
loadBalancerSourceRanges:
{{ toYaml . | indent 4 }}
{{- end }}
{{- with .Values.gateway.service.externalTrafficPolicy }}
externalTrafficPolicy: "{{ . }}"
{{- end }}
type: {{ .Values.gateway.service.type }}
ports:
{{- if .Values.gateway.networkGateway }}
- name: status-port
port: 15021
targetPort: 15021
- name: tls
port: 15443
targetPort: 15443
- name: tls-istiod
port: 15012
targetPort: 15012
- name: tls-webhook
port: 15017
targetPort: 15017
{{- else }}
{{ .Values.gateway.service.ports | toYaml | indent 4 }}
{{- end }}
selector:
{{- include "gateway.selectorLabels" . | nindent 4 }}
{{- end }}

13
helm/core/templates/serviceaccount.yaml Normal file
View File

@@ -0,0 +1,13 @@
{{- if .Values.gateway.serviceAccount.create }}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "gateway.serviceAccountName" . }}
namespace: {{ .Release.Namespace }}
labels:
{{- include "gateway.labels" . | nindent 4 }}
{{- with .Values.gateway.serviceAccount.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- end }}