revert broken chart

giantswarm · Dec 19, 2024 · 64f4764 · 64f4764
1 parent 3fab174
commit 64f4764
Show file tree

Hide file tree

Showing 23 changed files with 620 additions and 288 deletions.
diff --git a/diffs/helm__envoy-gateway__values.yaml.patch b/diffs/helm__envoy-gateway__values.yaml.patch
@@ -1,8 +1,17 @@
 diff --git a/vendor/gateway-helm/values.yaml b/helm/envoy-gateway/values.yaml
-index 56cf308..7979274 100644
+index 56cf308..b81476e 100644
 --- a/vendor/gateway-helm/values.yaml
 +++ b/helm/envoy-gateway/values.yaml
-@@ -22,11 +22,15 @@ podDisruptionBudget:
+@@ -18,15 +18,24 @@ global:
+       pullPolicy: IfNotPresent
+       # List of secrets in the same namespace of the component that can be used to pull images from private repositories.
+       pullSecrets: []
++
++name: envoy-gateway
++namespace: envoy-gateway-system
++serviceType: managed
++
+ podDisruptionBudget:
    minAvailable: 0
    # maxUnavailable: 1
 
@@ -20,15 +29,15 @@ index 56cf308..7979274 100644
      imagePullPolicy: ""
      imagePullSecrets: []
      resources:
-@@ -44,6 +48,7 @@ deployment:
+@@ -44,6 +53,7 @@ deployment:
        runAsNonRoot: true
        runAsGroup: 65532
        runAsUser: 65532
 +      readOnlyRootFilesystem: true
        seccompProfile:
          type: RuntimeDefault
    ports:
-@@ -88,11 +93,15 @@ createNamespace: false
+@@ -88,11 +98,15 @@ createNamespace: false
 
  kubernetesClusterDomain: cluster.local
 

diff --git a/helm/envoy-gateway/README.md b/helm/envoy-gateway/README.md
@@ -1,17 +1,8 @@
-# gateway-helm
-
-![Version: v0.0.0-latest](https://img.shields.io/badge/Version-v0.0.0--latest-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: latest](https://img.shields.io/badge/AppVersion-latest-informational?style=flat-square)
+# envoy-gateway
 
 The Helm chart for Envoy Gateway
 
-**Homepage:** <https://gateway.envoyproxy.io/>
-
-## Maintainers
-
-| Name | Email | Url |
-| ---- | ------ | --- |
-| envoy-gateway-steering-committee |  | <https://github.com/envoyproxy/gateway/blob/main/GOVERNANCE.md> |
-| envoy-gateway-maintainers |  | <https://github.com/envoyproxy/gateway/blob/main/CODEOWNERS> |
+**Homepage:** <https://github.com/giantswarm/envoy-gateway-app>
 
 ## Source Code
 
@@ -59,13 +50,30 @@ To uninstall the chart:
 
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
-| certgen | object | `{"job":{"affinity":{},"annotations":{},"nodeSelector":{},"resources":{},"securityContext":{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsGroup":65534,"runAsNonRoot":true,"runAsUser":65534,"seccompProfile":{"type":"RuntimeDefault"}},"tolerations":[],"ttlSecondsAfterFinished":30},"rbac":{"annotations":{},"labels":{}}}` | Certgen is used to generate the certificates required by EnvoyGateway. If you want to construct a custom certificate, you can generate a custom certificate through Cert-Manager before installing EnvoyGateway. Certgen will not overwrite the custom certificate. Please do not manually modify `values.yaml` to disable certgen, it may cause EnvoyGateway OIDC,OAuth2,etc. to not work as expected. |
+| certgen.job.affinity | object | `{}` |  |
+| certgen.job.annotations | object | `{}` |  |
+| certgen.job.nodeSelector | object | `{}` |  |
+| certgen.job.resources.limits.memory | string | `"500Mi"` |  |
+| certgen.job.resources.requests.cpu | string | `"50m"` |  |
+| certgen.job.resources.requests.memory | string | `"100Mi"` |  |
+| certgen.job.securityContext.allowPrivilegeEscalation | bool | `false` |  |
+| certgen.job.securityContext.capabilities.drop[0] | string | `"ALL"` |  |
+| certgen.job.securityContext.privileged | bool | `false` |  |
+| certgen.job.securityContext.readOnlyRootFilesystem | bool | `true` |  |
+| certgen.job.securityContext.runAsGroup | int | `65534` |  |
+| certgen.job.securityContext.runAsNonRoot | bool | `true` |  |
+| certgen.job.securityContext.runAsUser | int | `65534` |  |
+| certgen.job.securityContext.seccompProfile.type | string | `"RuntimeDefault"` |  |
+| certgen.job.tolerations | list | `[]` |  |
+| certgen.job.ttlSecondsAfterFinished | int | `30` |  |
+| certgen.rbac.annotations | object | `{}` |  |
+| certgen.rbac.labels | object | `{}` |  |
 | config.envoyGateway.gateway.controllerName | string | `"gateway.envoyproxy.io/gatewayclass-controller"` |  |
 | config.envoyGateway.logging.level.default | string | `"info"` |  |
 | config.envoyGateway.provider.type | string | `"Kubernetes"` |  |
 | createNamespace | bool | `false` |  |
-| deployment.envoyGateway.image.repository | string | `""` |  |
-| deployment.envoyGateway.image.tag | string | `""` |  |
+| deployment.envoyGateway.image.name | string | `"envoyproxy-gateway"` |  |
+| deployment.envoyGateway.image.tag | string | `"v1.2.1"` |  |
 | deployment.envoyGateway.imagePullPolicy | string | `""` |  |
 | deployment.envoyGateway.imagePullSecrets | list | `[]` |  |
 | deployment.envoyGateway.resources.limits.memory | string | `"1024Mi"` |  |
@@ -74,6 +82,7 @@ To uninstall the chart:
 | deployment.envoyGateway.securityContext.allowPrivilegeEscalation | bool | `false` |  |
 | deployment.envoyGateway.securityContext.capabilities.drop[0] | string | `"ALL"` |  |
 | deployment.envoyGateway.securityContext.privileged | bool | `false` |  |
+| deployment.envoyGateway.securityContext.readOnlyRootFilesystem | bool | `true` |  |
 | deployment.envoyGateway.securityContext.runAsGroup | int | `65532` |  |
 | deployment.envoyGateway.securityContext.runAsNonRoot | bool | `true` |  |
 | deployment.envoyGateway.securityContext.runAsUser | int | `65532` |  |
@@ -99,13 +108,21 @@ To uninstall the chart:
 | deployment.ports[3].targetPort | int | `19001` |  |
 | deployment.priorityClassName | string | `nil` |  |
 | deployment.replicas | int | `1` |  |
-| global.images.envoyGateway.image | string | `nil` |  |
-| global.images.envoyGateway.pullPolicy | string | `nil` |  |
+| global.images.envoyGateway.image | string | `"docker.io/envoyproxy/gateway:v1.2.1"` |  |
+| global.images.envoyGateway.pullPolicy | string | `"IfNotPresent"` |  |
 | global.images.envoyGateway.pullSecrets | list | `[]` |  |
 | global.images.ratelimit.image | string | `"docker.io/envoyproxy/ratelimit:master"` |  |
 | global.images.ratelimit.pullPolicy | string | `"IfNotPresent"` |  |
 | global.images.ratelimit.pullSecrets | list | `[]` |  |
+| image.registry | string | `"gsoci.azurecr.io"` |  |
+| image.repository | string | `"giantswarm"` |  |
 | kubernetesClusterDomain | string | `"cluster.local"` |  |
+| name | string | `"envoy-gateway"` |  |
+| namespace | string | `"envoy-gateway-system"` |  |
 | podDisruptionBudget.minAvailable | int | `0` |  |
 | service.annotations | object | `{}` |  |
+| serviceType | string | `"managed"` |  |
+
+----------------------------------------------
+Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0)
 
diff --git a/helm/envoy-gateway/templates/NOTES.txt b/helm/envoy-gateway/templates/NOTES.txt
@@ -8,12 +8,12 @@ Thank you for installing Envoy Gateway! 🎉
 
 Your release is named: {{ .Release.Name }}. 🎉
 
-Your release is in namespace: '{{ .Values.namespace }}. 🎉
+Your release is in namespace: {{ .Release.Namespace }}. 🎉
 
 To learn more about the release, try:
 
-  $ helm status {{ .Release.Name }} -n '{{ .Values.namespace }}
-  $ helm get all {{ .Release.Name }} -n '{{ .Values.namespace }}
+  $ helm status {{ .Release.Name }} -n {{ .Release.Namespace }}
+  $ helm get all {{ .Release.Name }} -n {{ .Release.Namespace }}
 
 To have a quickstart of Envoy Gateway, please refer to https://gateway.envoyproxy.io/latest/tasks/quickstart.
 

diff --git a/helm/envoy-gateway/templates/_helpers.tpl b/helm/envoy-gateway/templates/_helpers.tpl
@@ -40,6 +40,7 @@ helm.sh/chart: {{ include "eg.chart" . }}
 app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
 {{- end }}
 app.kubernetes.io/managed-by: {{ .Release.Service }}
+application.giantswarm.io/team: {{ index .Chart.Annotations "application.giantswarm.io/team" | quote }}
 {{- end }}
 
 {{/*
@@ -65,8 +66,8 @@ Create the name of the service account to use
 The name of the Envoy Gateway image.
 */}}
 {{- define "eg.image" -}}
-{{- if .Values.deployment.envoyGateway.image.repository }}
-{{- .Values.deployment.envoyGateway.image.repository }}:{{ .Values.deployment.envoyGateway.image.tag | default .Values.global.images.envoyGateway.tag | default .Chart.AppVersion }}
+{{- if .Values.image.registry }}
+{{- .Values.image.registry }}/{{- .Values.image.repository }}/{{- .Values.deployment.envoyGateway.image.name }}:{{ .Values.deployment.envoyGateway.image.tag | default .Chart.AppVersion }}
 {{- else if .Values.global.images.envoyGateway.image }}
 {{- .Values.global.images.envoyGateway.image }}
 {{- else }}

diff --git a/helm/envoy-gateway/templates/certgen-cnp.yaml b/helm/envoy-gateway/templates/certgen-cnp.yaml
@@ -0,0 +1,43 @@
+---
+apiVersion: "cilium.io/v2"
+kind: CiliumNetworkPolicy
+metadata:
+  name: {{ include "eg.fullname" . }}-certgen
+  namespace: {{ .Release.Namespace }}
+  annotations:
+    "helm.sh/hook": "pre-install,pre-upgrade"
+    "helm.sh/hook-weight": "-10"
+    "helm.sh/hook-delete-policy": "before-hook-creation"
+  labels:
+    app.kubernetes.io/component: "certgen"
+    {{- include "eg.labels" . | nindent 4 }}
+spec:
+  endpointSelector:
+    matchLabels:
+      app.kubernetes.io/component: "certgen"
+      {{- include "eg.selectorLabels" . | nindent 6 }}
+  egress:
+    - toEntities:
+        - kube-apiserver
+    - toEndpoints:
+        - matchLabels:
+            k8s:io.kubernetes.pod.namespace: default
+            k8s:k8s-app: kubernetes
+      toPorts:
+        - ports:
+            - port: "443"
+              protocol: TCP
+    - toEndpoints:
+        - matchLabels:
+            k8s:component: kube-apiserver
+            k8s:tier: control-plane
+    - toEndpoints:
+        - matchLabels:
+            k8s:io.kubernetes.pod.namespace: kube-system
+            k8s:k8s-app: kube-dns
+      toPorts:
+        - ports:
+            - port: "53"
+              protocol: UDP
+            - port: "53"
+              protocol: TCP
diff --git a/helm/envoy-gateway/templates/certgen-netpol.yaml b/helm/envoy-gateway/templates/certgen-netpol.yaml
@@ -0,0 +1,44 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: {{ include "eg.fullname" . }}-certgen
+  namespace: {{ .Release.Namespace }}
+  annotations:
+    "helm.sh/hook": "pre-install,pre-upgrade"
+    "helm.sh/hook-weight": "-10"
+    "helm.sh/hook-delete-policy": "before-hook-creation"
+  labels:
+    app.kubernetes.io/component: "certgen"
+    {{- include "eg.labels" . | nindent 4 }}
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/component: "certgen"
+      {{- include "eg.selectorLabels" . | nindent 6 }}
+  policyTypes:
+    - Ingress
+    - Egress
+  egress:
+    - to:
+        - namespaceSelector: {}
+          podSelector:
+            matchLabels:
+              component: kube-apiserver
+              tier: control-plane
+    - to:
+        - ipBlock:
+            cidr: 172.31.0.1/32
+      ports:
+        - port: 443
+          protocol: TCP
+    - ports:
+        - port: 53
+          protocol: UDP
+        - port: 53
+          protocol: TCP
+      to:
+        - namespaceSelector: {}
+          podSelector:
+            matchLabels:
+              k8s-app: kube-dns
diff --git a/helm/envoy-gateway/templates/certgen-rbac.yaml b/helm/envoy-gateway/templates/certgen-rbac.yaml
@@ -2,7 +2,7 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: {{ include "eg.fullname" . }}-certgen
-  namespace: '{{ .Values.namespace }}'
+  namespace: '{{ .Release.Namespace }}'
   labels:
   {{- include "eg.labels" . | nindent 4 }}
   {{- if .Values.certgen.rbac.labels }}
@@ -18,7 +18,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   name: {{ include "eg.fullname" . }}-certgen
-  namespace: '{{ .Values.namespace }}'
+  namespace: '{{ .Release.Namespace }}'
   labels:
   {{- include "eg.labels" . | nindent 4 }}
   {{- if .Values.certgen.rbac.labels }}
@@ -43,7 +43,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   name: {{ include "eg.fullname" . }}-certgen
-  namespace: '{{ .Values.namespace }}'
+  namespace: '{{ .Release.Namespace }}'
   labels:
   {{- include "eg.labels" . | nindent 4 }}
   {{- if .Values.certgen.rbac.labels }}
@@ -61,4 +61,4 @@ roleRef:
 subjects:
 - kind: ServiceAccount
   name: '{{ include "eg.fullname" . }}-certgen'
-  namespace: '{{ .Values.namespace }}'
+  namespace: '{{ .Release.Namespace }}'
diff --git a/helm/envoy-gateway/templates/certgen.yaml b/helm/envoy-gateway/templates/certgen.yaml
@@ -2,7 +2,7 @@ apiVersion: batch/v1
 kind: Job
 metadata:
   name: {{ include "eg.fullname" . }}-certgen
-  namespace: '{{ .Values.namespace }}'
+  namespace: '{{ .Release.Namespace }}'
   labels:
   {{- include "eg.labels" . | nindent 4 }}
   annotations:

diff --git a/helm/envoy-gateway/templates/envoy-gateway-cnp.yaml b/helm/envoy-gateway/templates/envoy-gateway-cnp.yaml
@@ -0,0 +1,41 @@
+---
+apiVersion: "cilium.io/v2"
+kind: CiliumNetworkPolicy
+metadata:
+  name: {{ include "eg.fullname" . }}
+  namespace: {{ .Release.Namespace }}
+  annotations:
+    "helm.sh/hook": "pre-install,pre-upgrade"
+    "helm.sh/hook-weight": "-10"
+    "helm.sh/hook-delete-policy": "before-hook-creation"
+  labels:
+    control-plane: envoy-gateway
+    {{- include "eg.labels" . | nindent 4 }}
+spec:
+  endpointSelector:
+    matchLabels:
+      control-plane: envoy-gateway
+      {{- include "eg.selectorLabels" . | nindent 6 }}
+  egress:
+    - toEntities:
+        - kube-apiserver
+        - cluster
+    - toEndpoints:
+        - matchLabels:
+            k8s:io.kubernetes.pod.namespace: kube-system
+            k8s-app: kube-dns
+      toPorts:
+        - ports:
+            - port: "53"
+              protocol: UDP
+            - port: "53"
+              protocol: TCP
+  ingress:
+    - fromEntities:
+        - cluster
+      toPorts:
+        - ports:
+            {{- range .Values.deployment.envoyGateway.ports }}
+            - port: {{ printf "\"%d\"" .port }}
+              protocol: TCP
+            {{- end }}
diff --git a/helm/envoy-gateway/templates/envoy-gateway-config.yaml b/helm/envoy-gateway/templates/envoy-gateway-config.yaml
@@ -2,7 +2,7 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   name: envoy-gateway-config
-  namespace: '{{ .Values.namespace }}'
+  namespace: '{{ .Release.Namespace }}'
   labels:
   {{- include "eg.labels" . | nindent 4 }}
 data:

diff --git a/helm/envoy-gateway/templates/envoy-gateway-deployment.yaml b/helm/envoy-gateway/templates/envoy-gateway-deployment.yaml
@@ -2,7 +2,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: envoy-gateway
-  namespace: '{{ .Values.namespace }}'
+  namespace: '{{ .Release.Namespace }}'
   labels:
     control-plane: envoy-gateway
   {{- include "eg.labels" . | nindent 4 }}

diff --git a/helm/envoy-gateway/templates/envoy-gateway-netpol.yaml b/helm/envoy-gateway/templates/envoy-gateway-netpol.yaml
@@ -0,0 +1,45 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: {{ include "eg.fullname" . }}
+  namespace: {{ .Release.Namespace }}
+  annotations:
+    "helm.sh/hook": "pre-install,pre-upgrade"
+    "helm.sh/hook-weight": "-10"
+    "helm.sh/hook-delete-policy": "before-hook-creation"
+  labels:
+    control-plane: envoy-gateway
+    {{- include "eg.labels" . | nindent 4 }}
+spec:
+  podSelector:
+    matchLabels:
+      control-plane: envoy-gateway
+      {{- include "eg.selectorLabels" . | nindent 6 }}
+  policyTypes:
+    - Ingress
+    - Egress
+  egress:
+    - to:
+        - namespaceSelector: {}
+          podSelector:
+            matchLabels:
+              k8s-app: kube-apiserver
+    - to:
+        - namespaceSelector: {}
+          podSelector:
+            matchLabels:
+              k8s-app: kube-dns
+      ports:
+        - port: 53
+          protocol: UDP
+        - port: 53
+          protocol: TCP
+  ingress:
+    - ports:
+        {{- range .Values.deployment.envoyGateway.ports }}
+        - port: {{ .port }}
+          protocol: TCP
+        {{- end }}
+      from:
+        - namespaceSelector: {}