From 64f4764315c16adae80e017d1f598b7faa1bc647 Mon Sep 17 00:00:00 2001 From: Spyros Synodinos Date: Thu, 19 Dec 2024 13:36:23 +0200 Subject: [PATCH] revert broken chart --- diffs/helm__envoy-gateway__values.yaml.patch | 17 +- helm/envoy-gateway/README.md | 49 ++- helm/envoy-gateway/templates/NOTES.txt | 6 +- helm/envoy-gateway/templates/_helpers.tpl | 5 +- helm/envoy-gateway/templates/certgen-cnp.yaml | 43 +++ .../templates/certgen-netpol.yaml | 44 +++ .../envoy-gateway/templates/certgen-rbac.yaml | 8 +- helm/envoy-gateway/templates/certgen.yaml | 2 +- .../templates/envoy-gateway-cnp.yaml | 41 ++ .../templates/envoy-gateway-config.yaml | 2 +- .../templates/envoy-gateway-deployment.yaml | 2 +- .../templates/envoy-gateway-netpol.yaml | 45 +++ .../envoy-gateway-poddisruptionbudget.yaml | 2 +- .../templates/envoy-gateway-rbac.yaml | 4 +- .../templates/envoy-gateway-service.yaml | 2 +- .../envoy-gateway-serviceaccount.yaml | 2 +- .../templates/infra-manager-rbac.yaml | 6 +- .../templates/leader-election-rbac.yaml | 6 +- helm/envoy-gateway/templates/namespace.yaml | 4 +- helm/envoy-gateway/values.schema.json | 362 ++++++++++++++++++ helm/envoy-gateway/values.yaml | 17 +- .../000-namespace-values.patch | 222 ----------- sync/patches/namespace-values/patch.sh | 17 - 23 files changed, 620 insertions(+), 288 deletions(-) create mode 100644 helm/envoy-gateway/templates/certgen-cnp.yaml create mode 100644 helm/envoy-gateway/templates/certgen-netpol.yaml create mode 100644 helm/envoy-gateway/templates/envoy-gateway-cnp.yaml create mode 100644 helm/envoy-gateway/templates/envoy-gateway-netpol.yaml create mode 100644 helm/envoy-gateway/values.schema.json delete mode 100644 sync/patches/namespace-values/000-namespace-values.patch delete mode 100755 sync/patches/namespace-values/patch.sh diff --git a/diffs/helm__envoy-gateway__values.yaml.patch b/diffs/helm__envoy-gateway__values.yaml.patch index 5c52c66..e9f3718 100644 --- a/diffs/helm__envoy-gateway__values.yaml.patch 
+++ b/diffs/helm__envoy-gateway__values.yaml.patch @@ -1,8 +1,17 @@ diff --git a/vendor/gateway-helm/values.yaml b/helm/envoy-gateway/values.yaml -index 56cf308..7979274 100644 +index 56cf308..b81476e 100644 --- a/vendor/gateway-helm/values.yaml +++ b/helm/envoy-gateway/values.yaml -@@ -22,11 +22,15 @@ podDisruptionBudget: +@@ -18,15 +18,24 @@ global: + pullPolicy: IfNotPresent + # List of secrets in the same namespace of the component that can be used to pull images from private repositories. + pullSecrets: [] ++ ++name: envoy-gateway ++namespace: envoy-gateway-system ++serviceType: managed ++ + podDisruptionBudget: minAvailable: 0 # maxUnavailable: 1 @@ -20,7 +29,7 @@ index 56cf308..7979274 100644 imagePullPolicy: "" imagePullSecrets: [] resources: -@@ -44,6 +48,7 @@ deployment: +@@ -44,6 +53,7 @@ deployment: runAsNonRoot: true runAsGroup: 65532 runAsUser: 65532 @@ -28,7 +37,7 @@ index 56cf308..7979274 100644 seccompProfile: type: RuntimeDefault ports: -@@ -88,11 +93,15 @@ createNamespace: false +@@ -88,11 +98,15 @@ createNamespace: false kubernetesClusterDomain: cluster.local diff --git a/helm/envoy-gateway/README.md b/helm/envoy-gateway/README.md index 5d9cecf..1bbdc66 100644 --- a/helm/envoy-gateway/README.md +++ b/helm/envoy-gateway/README.md @@ -1,17 +1,8 @@ -# gateway-helm - -![Version: v0.0.0-latest](https://img.shields.io/badge/Version-v0.0.0--latest-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: latest](https://img.shields.io/badge/AppVersion-latest-informational?style=flat-square) +# envoy-gateway The Helm chart for Envoy Gateway -**Homepage:** - -## Maintainers - -| Name | Email | Url | -| ---- | ------ | --- | -| envoy-gateway-steering-committee | | | -| envoy-gateway-maintainers | | | +**Homepage:** ## Source Code 
@@ -59,13 +50,30 @@ To uninstall the chart: | Key | Type | Default | Description | |-----|------|---------|-------------| -| certgen | object | `{"job":{"affinity":{},"annotations":{},"nodeSelector":{},"resources":{},"securityContext":{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsGroup":65534,"runAsNonRoot":true,"runAsUser":65534,"seccompProfile":{"type":"RuntimeDefault"}},"tolerations":[],"ttlSecondsAfterFinished":30},"rbac":{"annotations":{},"labels":{}}}` | Certgen is used to generate the certificates required by EnvoyGateway. If you want to construct a custom certificate, you can generate a custom certificate through Cert-Manager before installing EnvoyGateway. Certgen will not overwrite the custom certificate. Please do not manually modify `values.yaml` to disable certgen, it may cause EnvoyGateway OIDC,OAuth2,etc. to not work as expected. | +| certgen.job.affinity | object | `{}` | | +| certgen.job.annotations | object | `{}` | | +| certgen.job.nodeSelector | object | `{}` | | +| certgen.job.resources.limits.memory | string | `"500Mi"` | | +| certgen.job.resources.requests.cpu | string | `"50m"` | | +| certgen.job.resources.requests.memory | string | `"100Mi"` | | +| certgen.job.securityContext.allowPrivilegeEscalation | bool | `false` | | +| certgen.job.securityContext.capabilities.drop[0] | string | `"ALL"` | | +| certgen.job.securityContext.privileged | bool | `false` | | +| certgen.job.securityContext.readOnlyRootFilesystem | bool | `true` | | +| certgen.job.securityContext.runAsGroup | int | `65534` | | +| certgen.job.securityContext.runAsNonRoot | bool | `true` | | +| certgen.job.securityContext.runAsUser | int | `65534` | | +| certgen.job.securityContext.seccompProfile.type | string | `"RuntimeDefault"` | | +| certgen.job.tolerations | list | `[]` | | +| certgen.job.ttlSecondsAfterFinished | int | `30` | | +| certgen.rbac.annotations | object | `{}` | | +| certgen.rbac.labels | 
object | `{}` | | | config.envoyGateway.gateway.controllerName | string | `"gateway.envoyproxy.io/gatewayclass-controller"` | | | config.envoyGateway.logging.level.default | string | `"info"` | | | config.envoyGateway.provider.type | string | `"Kubernetes"` | | | createNamespace | bool | `false` | | -| deployment.envoyGateway.image.repository | string | `""` | | -| deployment.envoyGateway.image.tag | string | `""` | | +| deployment.envoyGateway.image.name | string | `"envoyproxy-gateway"` | | +| deployment.envoyGateway.image.tag | string | `"v1.2.1"` | | | deployment.envoyGateway.imagePullPolicy | string | `""` | | | deployment.envoyGateway.imagePullSecrets | list | `[]` | | | deployment.envoyGateway.resources.limits.memory | string | `"1024Mi"` | | @@ -74,6 +82,7 @@ To uninstall the chart: | deployment.envoyGateway.securityContext.allowPrivilegeEscalation | bool | `false` | | | deployment.envoyGateway.securityContext.capabilities.drop[0] | string | `"ALL"` | | | deployment.envoyGateway.securityContext.privileged | bool | `false` | | +| deployment.envoyGateway.securityContext.readOnlyRootFilesystem | bool | `true` | | | deployment.envoyGateway.securityContext.runAsGroup | int | `65532` | | | deployment.envoyGateway.securityContext.runAsNonRoot | bool | `true` | | | deployment.envoyGateway.securityContext.runAsUser | int | `65532` | | 
@@ -99,13 +108,21 @@ To uninstall the chart: | deployment.ports[3].targetPort | int | `19001` | | | deployment.priorityClassName | string | `nil` | | | deployment.replicas | int | `1` | | -| global.images.envoyGateway.image | string | `nil` | | -| global.images.envoyGateway.pullPolicy | string | `nil` | | +| global.images.envoyGateway.image | string | `"docker.io/envoyproxy/gateway:v1.2.1"` | | +| global.images.envoyGateway.pullPolicy | string | `"IfNotPresent"` | | | global.images.envoyGateway.pullSecrets | list | `[]` | | | global.images.ratelimit.image | string | `"docker.io/envoyproxy/ratelimit:master"` | | | global.images.ratelimit.pullPolicy | string | `"IfNotPresent"` | | | global.images.ratelimit.pullSecrets | list | `[]` | | +| image.registry | string | `"gsoci.azurecr.io"` | | +| image.repository | string | `"giantswarm"` | | | kubernetesClusterDomain | string | `"cluster.local"` | | +| name | string | `"envoy-gateway"` | | +| namespace | string | `"envoy-gateway-system"` | | | podDisruptionBudget.minAvailable | int | `0` | | | service.annotations | object | `{}` | | +| serviceType | string | `"managed"` | | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) diff --git a/helm/envoy-gateway/templates/NOTES.txt b/helm/envoy-gateway/templates/NOTES.txt index 7de9cfb..595c49b 100644 --- a/helm/envoy-gateway/templates/NOTES.txt +++ b/helm/envoy-gateway/templates/NOTES.txt 
@@ -8,12 +8,12 @@ Thank you for installing Envoy Gateway! 🎉 Your release is named: {{ .Release.Name }}. 🎉 -Your release is in namespace: '{{ .Values.namespace }}. 🎉 +Your release is in namespace: {{ .Release.Namespace }}. 🎉 To learn more about the release, try: - $ helm status {{ .Release.Name }} -n '{{ .Values.namespace }} - $ helm get all {{ .Release.Name }} -n '{{ .Values.namespace }} + $ helm status {{ .Release.Name }} -n {{ .Release.Namespace }} + $ helm get all {{ .Release.Name }} -n {{ .Release.Namespace }} To have a quickstart of Envoy Gateway, please refer to https://gateway.envoyproxy.io/latest/tasks/quickstart. diff --git a/helm/envoy-gateway/templates/_helpers.tpl b/helm/envoy-gateway/templates/_helpers.tpl index d9aefc2..2645585 100644 --- a/helm/envoy-gateway/templates/_helpers.tpl +++ b/helm/envoy-gateway/templates/_helpers.tpl @@ -40,6 +40,7 @@ helm.sh/chart: {{ include "eg.chart" . }} app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} {{- end }} app.kubernetes.io/managed-by: {{ .Release.Service }} +application.giantswarm.io/team: {{ index .Chart.Annotations "application.giantswarm.io/team" | quote }} {{- end }} {{/* @@ -65,8 +66,8 @@ Create the name of the service account to use The name of the Envoy Gateway image. */}} {{- define "eg.image" -}} -{{- if .Values.deployment.envoyGateway.image.repository }} -{{- .Values.deployment.envoyGateway.image.repository }}:{{ .Values.deployment.envoyGateway.image.tag | default .Values.global.images.envoyGateway.tag | default .Chart.AppVersion }} +{{- if .Values.image.registry }} +{{- .Values.image.registry }}/{{- .Values.image.repository }}/{{- .Values.deployment.envoyGateway.image.name }}:{{ .Values.deployment.envoyGateway.image.tag | default .Chart.AppVersion }} {{- else if .Values.global.images.envoyGateway.image }} {{- .Values.global.images.envoyGateway.image }} {{- else }} 
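Review bot: The rewritten `eg.image` branch composes `registry/repository/name:tag` and therefore pins the control-plane image only by a mutable tag; give operators a way to pin by content by appending `{{- with .Values.deployment.envoyGateway.image.digest }}@{{ . }}{{- end }}` after the tag expression and exposing an empty `digest: ""` under `deployment.envoyGateway.image` (a `name:tag@sha256:...` reference is accepted by container runtimes, the tag then being informational). Note also that the `{{- else if .Values.global.images.envoyGateway.image }}` branch is now reached only when `image.registry` is empty, and since values.yaml defaults the registry to `gsoci.azurecr.io`, that global override is effectively dead unless the user clears the registry; a template comment on the `if` line, `{{/* image.registry takes precedence; set it to "" to honour global.images.envoyGateway.image */}}`, would make the precedence visible. The closing `{{- end }}` of the `eg.image` define lies outside this hunk.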
diff --git a/helm/envoy-gateway/templates/certgen-cnp.yaml b/helm/envoy-gateway/templates/certgen-cnp.yaml new file mode 100644 index 0000000..2af4f5c --- /dev/null +++ b/helm/envoy-gateway/templates/certgen-cnp.yaml @@ -0,0 +1,43 @@ +--- +apiVersion: "cilium.io/v2" +kind: CiliumNetworkPolicy +metadata: + name: {{ include "eg.fullname" . }}-certgen + namespace: {{ .Release.Namespace }} + annotations: + "helm.sh/hook": "pre-install,pre-upgrade" + "helm.sh/hook-weight": "-10" + "helm.sh/hook-delete-policy": "before-hook-creation" + labels: + app.kubernetes.io/component: "certgen" + {{- include "eg.labels" . | nindent 4 }} +spec: + endpointSelector: + matchLabels: + app.kubernetes.io/component: "certgen" + {{- include "eg.selectorLabels" . | nindent 6 }} + egress: + - toEntities: + - kube-apiserver + - toEndpoints: + - matchLabels: + k8s:io.kubernetes.pod.namespace: default + k8s:k8s-app: kubernetes + toPorts: + - ports: + - port: "443" + protocol: TCP + - toEndpoints: + - matchLabels: + k8s:component: kube-apiserver + k8s:tier: control-plane + - toEndpoints: + - matchLabels: + k8s:io.kubernetes.pod.namespace: kube-system + k8s:k8s-app: kube-dns + toPorts: + - ports: + - port: "53" + protocol: UDP + - port: "53" + protocol: TCP diff --git a/helm/envoy-gateway/templates/certgen-netpol.yaml b/helm/envoy-gateway/templates/certgen-netpol.yaml new file mode 100644 index 0000000..0e9f09a --- /dev/null +++ b/helm/envoy-gateway/templates/certgen-netpol.yaml 
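Review bot: The `toEndpoints` rule matching `k8s:component: kube-apiserver` / `k8s:tier: control-plane` carries neither a namespace label nor a `toPorts` block, so any pod in any namespace that sets those two labels becomes a permitted egress destination on every port for the job that mints the gateway's CA and serving keys. Scope it by adding `k8s:io.kubernetes.pod.namespace: kube-system` to the matchLabels and a `toPorts` entry for the API server port (6443/TCP on kubeadm-style control planes, confirm for your clusters), or drop the rule entirely since `toEntities: kube-apiserver` already covers the apiserver under Cilium. The policy has no `ingress` section, which under Cilium leaves ingress to the certgen pod unenforced; if nothing should reach it, add an ingress section that allows nothing (Cilium documents `ingress: [{}]` as selecting the endpoint into ingress enforcement without opening anything, verify on your Cilium version). The `k8s:k8s-app: kubernetes` rule in `default` appears to target the `kubernetes` Service, which has no pod endpoints and so presumably never matches; confirm or remove it.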
@@ -0,0 +1,44 @@ +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: {{ include "eg.fullname" . }}-certgen + namespace: {{ .Release.Namespace }} + annotations: + "helm.sh/hook": "pre-install,pre-upgrade" + "helm.sh/hook-weight": "-10" + "helm.sh/hook-delete-policy": "before-hook-creation" + labels: + app.kubernetes.io/component: "certgen" + {{- include "eg.labels" . | nindent 4 }} +spec: + podSelector: + matchLabels: + app.kubernetes.io/component: "certgen" + {{- include "eg.selectorLabels" . | nindent 6 }} + policyTypes: + - Ingress + - Egress + egress: + - to: + - namespaceSelector: {} + podSelector: + matchLabels: + component: kube-apiserver + tier: control-plane + - to: + - ipBlock: + cidr: 172.31.0.1/32 + ports: + - port: 443 + protocol: TCP + - ports: + - port: 53 + protocol: UDP + - port: 53 + protocol: TCP + to: + - namespaceSelector: {} + podSelector: + matchLabels: + k8s-app: kube-dns diff --git a/helm/envoy-gateway/templates/certgen-rbac.yaml b/helm/envoy-gateway/templates/certgen-rbac.yaml index 13da07d..81bf1a8 100644 --- a/helm/envoy-gateway/templates/certgen-rbac.yaml +++ b/helm/envoy-gateway/templates/certgen-rbac.yaml @@ -2,7 +2,7 @@ apiVersion: v1 kind: ServiceAccount metadata: name: {{ include "eg.fullname" . }}-certgen - namespace: '{{ .Values.namespace }}' + namespace: '{{ .Release.Namespace }}' labels: {{- include "eg.labels" . | nindent 4 }} {{- if .Values.certgen.rbac.labels }} @@ -18,7 +18,7 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: {{ include "eg.fullname" . }}-certgen - namespace: '{{ .Values.namespace }}' + namespace: '{{ .Release.Namespace }}' labels: {{- include "eg.labels" . | nindent 4 }} {{- if .Values.certgen.rbac.labels }} 
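Review bot: The `ipBlock` rule hard-codes `172.31.0.1/32` as the API server address, which is cluster-specific: on a cluster whose `kubernetes` ClusterIP differs the certgen Job loses API access and the install hook fails, and on a cluster where that address belongs to something else the allow is silently granted to it. Make it a value, e.g. `cidr: {{ .Values.certgen.networkPolicy.apiServerCIDR }}` with the current address as the default, or wrap the whole rule in `{{- with ... }}` so it can be omitted. The `component: kube-apiserver` rule pairs `namespaceSelector: {}` with no port, so a pod in any namespace carrying those labels is reachable on all ports; narrow it with `namespaceSelector: {matchLabels: {kubernetes.io/metadata.name: kube-system}}` and the same `ports: [{port: 6443, protocol: TCP}]` form already used for the ipBlock rule (confirm the port for your control planes).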
@@ -43,7 +43,7 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: {{ include "eg.fullname" . }}-certgen - namespace: '{{ .Values.namespace }}' + namespace: '{{ .Release.Namespace }}' labels: {{- include "eg.labels" . | nindent 4 }} {{- if .Values.certgen.rbac.labels }} @@ -61,4 +61,4 @@ roleRef: subjects: - kind: ServiceAccount name: '{{ include "eg.fullname" . }}-certgen' - namespace: '{{ .Values.namespace }}' + namespace: '{{ .Release.Namespace }}' diff --git a/helm/envoy-gateway/templates/certgen.yaml b/helm/envoy-gateway/templates/certgen.yaml index d5ef920..f98c414 100644 --- a/helm/envoy-gateway/templates/certgen.yaml +++ b/helm/envoy-gateway/templates/certgen.yaml @@ -2,7 +2,7 @@ apiVersion: batch/v1 kind: Job metadata: name: {{ include "eg.fullname" . }}-certgen - namespace: '{{ .Values.namespace }}' + namespace: '{{ .Release.Namespace }}' labels: {{- include "eg.labels" . | nindent 4 }} annotations: diff --git a/helm/envoy-gateway/templates/envoy-gateway-cnp.yaml b/helm/envoy-gateway/templates/envoy-gateway-cnp.yaml new file mode 100644 index 0000000..a44b6ee --- /dev/null +++ b/helm/envoy-gateway/templates/envoy-gateway-cnp.yaml 
@@ -0,0 +1,41 @@ +--- +apiVersion: "cilium.io/v2" +kind: CiliumNetworkPolicy +metadata: + name: {{ include "eg.fullname" . }} + namespace: {{ .Release.Namespace }} + annotations: + "helm.sh/hook": "pre-install,pre-upgrade" + "helm.sh/hook-weight": "-10" + "helm.sh/hook-delete-policy": "before-hook-creation" + labels: + control-plane: envoy-gateway + {{- include "eg.labels" . | nindent 4 }} +spec: + endpointSelector: + matchLabels: + control-plane: envoy-gateway + {{- include "eg.selectorLabels" . | nindent 6 }} + egress: + - toEntities: + - kube-apiserver + - cluster + - toEndpoints: + - matchLabels: + k8s:io.kubernetes.pod.namespace: kube-system + k8s-app: kube-dns + toPorts: + - ports: + - port: "53" + protocol: UDP + - port: "53" + protocol: TCP + ingress: + - fromEntities: + - cluster + toPorts: + - ports: + {{- range .Values.deployment.envoyGateway.ports }} + - port: {{ printf "\"%d\"" .port }} + protocol: TCP + {{- end }} diff --git a/helm/envoy-gateway/templates/envoy-gateway-config.yaml b/helm/envoy-gateway/templates/envoy-gateway-config.yaml index d654bc2..8fc1d2d 100644 --- a/helm/envoy-gateway/templates/envoy-gateway-config.yaml +++ b/helm/envoy-gateway/templates/envoy-gateway-config.yaml @@ -2,7 +2,7 @@ apiVersion: v1 kind: ConfigMap metadata: name: envoy-gateway-config - namespace: '{{ .Values.namespace }}' + namespace: '{{ .Release.Namespace }}' labels: {{- include "eg.labels" . | nindent 4 }} data: diff --git a/helm/envoy-gateway/templates/envoy-gateway-deployment.yaml b/helm/envoy-gateway/templates/envoy-gateway-deployment.yaml index d4c4bcc..7746dd2 100644 --- a/helm/envoy-gateway/templates/envoy-gateway-deployment.yaml +++ b/helm/envoy-gateway/templates/envoy-gateway-deployment.yaml @@ -2,7 +2,7 @@ apiVersion: apps/v1 kind: Deployment metadata: name: envoy-gateway - namespace: '{{ .Values.namespace }}' + namespace: '{{ .Release.Namespace }}' labels: control-plane: envoy-gateway {{- include "eg.labels" . | nindent 4 }} 
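Review bot: Listing `cluster` next to `kube-apiserver` under `toEntities` permits egress to every endpoint and node in the cluster, which makes the dedicated kube-dns rule redundant and leaves the control plane with essentially unrestricted in-cluster egress. Drop `- cluster` and add explicit rules for what envoy-gateway actually dials; from the visible templates that is the API server and DNS, and if it also reaches rate-limit or extension-server services in practice, a `toEndpoints` or `toServices` rule for those is far narrower than reopening the whole cluster. The DNS selector here uses `k8s-app: kube-dns` while the certgen policy uses `k8s:k8s-app: kube-dns`; both should resolve under Cilium's label matching, but using one form in both files avoids the question of whether the difference is intentional. The ingress rule admits `cluster` on every port in `deployment.envoyGateway.ports`, which includes the metrics port as well as xDS; if only the Envoy proxies and the scraper need those, a `fromEndpoints` selector would tighten it.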
diff --git a/helm/envoy-gateway/templates/envoy-gateway-netpol.yaml b/helm/envoy-gateway/templates/envoy-gateway-netpol.yaml new file mode 100644 index 0000000..9d9049d --- /dev/null +++ b/helm/envoy-gateway/templates/envoy-gateway-netpol.yaml @@ -0,0 +1,45 @@ +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: {{ include "eg.fullname" . }} + namespace: {{ .Release.Namespace }} + annotations: + "helm.sh/hook": "pre-install,pre-upgrade" + "helm.sh/hook-weight": "-10" + "helm.sh/hook-delete-policy": "before-hook-creation" + labels: + control-plane: envoy-gateway + {{- include "eg.labels" . | nindent 4 }} +spec: + podSelector: + matchLabels: + control-plane: envoy-gateway + {{- include "eg.selectorLabels" . | nindent 6 }} + policyTypes: + - Ingress + - Egress + egress: + - to: + - namespaceSelector: {} + podSelector: + matchLabels: + k8s-app: kube-apiserver + - to: + - namespaceSelector: {} + podSelector: + matchLabels: + k8s-app: kube-dns + ports: + - port: 53 + protocol: UDP + - port: 53 + protocol: TCP + ingress: + - ports: + {{- range .Values.deployment.envoyGateway.ports }} + - port: {{ .port }} + protocol: TCP + {{- end }} + from: + - namespaceSelector: {} diff --git a/helm/envoy-gateway/templates/envoy-gateway-poddisruptionbudget.yaml b/helm/envoy-gateway/templates/envoy-gateway-poddisruptionbudget.yaml index 6cc5d7f..8e0bca0 100644 --- a/helm/envoy-gateway/templates/envoy-gateway-poddisruptionbudget.yaml +++ b/helm/envoy-gateway/templates/envoy-gateway-poddisruptionbudget.yaml @@ -3,7 +3,7 @@ apiVersion: policy/v1 kind: PodDisruptionBudget metadata: name: envoy-gateway - namespace: '{{ .Values.namespace }}' + namespace: '{{ .Release.Namespace }}' spec: {{- if and .Values.podDisruptionBudget.minAvailable }} minAvailable: {{ .Values.podDisruptionBudget.minAvailable }} diff --git a/helm/envoy-gateway/templates/envoy-gateway-rbac.yaml b/helm/envoy-gateway/templates/envoy-gateway-rbac.yaml index 79a8a13..5d975b8 100644 
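Review bot: The API-server egress rule selects pods labelled `k8s-app: kube-apiserver`, which does not match the `component: kube-apiserver` / `tier: control-plane` labels the sibling certgen NetworkPolicy uses, and it has no `ipBlock` for the API server's service address; on a cluster where this NetworkPolicy is enforced by a CNI other than Cilium and the apiserver is not a labelled pod (hosted control planes), the controller would be cut off from the API while certgen is not. Align the two policies: use the same pod labels, add the same `ipBlock` rule (made configurable rather than hard-coded), and restrict both to the API port with `ports: [{port: 443, protocol: TCP}]` or 6443 as appropriate. The ingress rule admits every namespace on all `deployment.envoyGateway.ports`, which proxies in other namespaces need for xDS but which also exposes the metrics port cluster-wide; acceptable if intended, but worth a one-line comment saying so.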
--- a/helm/envoy-gateway/templates/envoy-gateway-rbac.yaml +++ b/helm/envoy-gateway/templates/envoy-gateway-rbac.yaml @@ -55,7 +55,7 @@ roleRef: subjects: - kind: ServiceAccount name: 'envoy-gateway' - namespace: {{ .Values.namespace }}' + namespace: '{{ .Release.Namespace }}' {{ else }} --- apiVersion: rbac.authorization.k8s.io/v1 @@ -78,5 +78,5 @@ roleRef: subjects: - kind: ServiceAccount name: 'envoy-gateway' - namespace: {{ .Values.namespace }}' + namespace: '{{ .Release.Namespace }}' {{ end }} diff --git a/helm/envoy-gateway/templates/envoy-gateway-service.yaml b/helm/envoy-gateway/templates/envoy-gateway-service.yaml index 1c06244..39b30ea 100644 --- a/helm/envoy-gateway/templates/envoy-gateway-service.yaml +++ b/helm/envoy-gateway/templates/envoy-gateway-service.yaml @@ -2,7 +2,7 @@ apiVersion: v1 kind: Service metadata: name: envoy-gateway - namespace: '{{ .Values.namespace }}' + namespace: '{{ .Release.Namespace }}' {{- with .Values.service.annotations }} annotations: {{- toYaml . | nindent 4 }} diff --git a/helm/envoy-gateway/templates/envoy-gateway-serviceaccount.yaml b/helm/envoy-gateway/templates/envoy-gateway-serviceaccount.yaml index e0f2207..23af6fe 100644 --- a/helm/envoy-gateway/templates/envoy-gateway-serviceaccount.yaml +++ b/helm/envoy-gateway/templates/envoy-gateway-serviceaccount.yaml @@ -2,6 +2,6 @@ apiVersion: v1 kind: ServiceAccount metadata: name: envoy-gateway - namespace: '{{ .Values.namespace }}' + namespace: '{{ .Release.Namespace }}' labels: {{- include "eg.labels" . | nindent 4 }} diff --git a/helm/envoy-gateway/templates/infra-manager-rbac.yaml b/helm/envoy-gateway/templates/infra-manager-rbac.yaml index 664852a..74c0ec6 100644 --- a/helm/envoy-gateway/templates/infra-manager-rbac.yaml +++ b/helm/envoy-gateway/templates/infra-manager-rbac.yaml 
@@ -2,7 +2,7 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: {{ include "eg.fullname" . }}-infra-manager - namespace: '{{ .Values.namespace }}' + namespace: '{{ .Release.Namespace }}' labels: {{- include "eg.labels" . | nindent 4 }} rules: @@ -46,7 +46,7 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: {{ include "eg.fullname" . }}-infra-manager - namespace: '{{ .Values.namespace }}' + namespace: '{{ .Release.Namespace }}' labels: {{- include "eg.labels" . | nindent 4 }} roleRef: @@ -56,4 +56,4 @@ roleRef: subjects: - kind: ServiceAccount name: 'envoy-gateway' - namespace: '{{ .Values.namespace }}' + namespace: '{{ .Release.Namespace }}' diff --git a/helm/envoy-gateway/templates/leader-election-rbac.yaml b/helm/envoy-gateway/templates/leader-election-rbac.yaml index 0be9502..5b59f34 100644 --- a/helm/envoy-gateway/templates/leader-election-rbac.yaml +++ b/helm/envoy-gateway/templates/leader-election-rbac.yaml @@ -2,7 +2,7 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: {{ include "eg.fullname" . }}-leader-election-role - namespace: '{{ .Values.namespace }}' + namespace: '{{ .Release.Namespace }}' labels: {{- include "eg.labels" . | nindent 4 }} rules: @@ -42,7 +42,7 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: {{ include "eg.fullname" . }}-leader-election-rolebinding - namespace: '{{ .Values.namespace }}' + namespace: '{{ .Release.Namespace }}' labels: {{- include "eg.labels" . | nindent 4 }} roleRef: @@ -52,4 +52,4 @@ roleRef: subjects: - kind: ServiceAccount name: 'envoy-gateway' - namespace: '{{ .Values.namespace }}' + namespace: '{{ .Release.Namespace }}' diff --git a/helm/envoy-gateway/templates/namespace.yaml b/helm/envoy-gateway/templates/namespace.yaml index c68c79a..0361b22 100644 --- a/helm/envoy-gateway/templates/namespace.yaml +++ b/helm/envoy-gateway/templates/namespace.yaml 
@@ -2,5 +2,5 @@ apiVersion: v1 kind: Namespace metadata: - name: '{{ .Values.namespace }}' -{{ end }} + name: '{{ .Release.Namespace }}' +{{ end }} diff --git a/helm/envoy-gateway/values.schema.json b/helm/envoy-gateway/values.schema.json new file mode 100644 index 0000000..ca9733c --- /dev/null +++ b/helm/envoy-gateway/values.schema.json 
@@ -0,0 +1,362 @@ +{ + "$schema": "http://json-schema.org/schema#", + "type": "object", + "properties": { + "certgen": { + "type": "object", + "properties": { + "job": { + "type": "object", + "properties": { + "affinity": { + "type": "object" + }, + "annotations": { + "type": "object" + }, + "nodeSelector": { + "type": "object" + }, + "resources": { + "type": "object", + "properties": { + "limits": { + "type": "object", + "properties": { + "memory": { + "type": "string" + } + } + }, + "requests": { + "type": "object", + "properties": { + "cpu": { + "type": "string" + }, + "memory": { + "type": "string" + } + } + } + } + }, + "securityContext": { + "type": "object", + "properties": { + "allowPrivilegeEscalation": { + "type": "boolean" + }, + "capabilities": { + "type": "object", + "properties": { + "drop": { + "type": "array", + "items": { + "type": "string" + } + } + } + }, + "privileged": { + "type": "boolean" + }, + "readOnlyRootFilesystem": { + "type": "boolean" + }, + "runAsGroup": { + "type": "integer" + }, + "runAsNonRoot": { + "type": "boolean" + }, + "runAsUser": { + "type": "integer" + }, + "seccompProfile": { + "type": "object", + "properties": { + "type": { + "type": "string" + } + } + } + } + }, + "tolerations": { + "type": "array" + }, + "ttlSecondsAfterFinished": { + "type": "integer" + } + } + }, + "rbac": { + "type": "object", + "properties": { + "annotations": { + "type": "object" + }, + "labels": { + "type": "object" + } + } + } + } + }, + "config": { + "type": "object", + "properties": { + "envoyGateway": { + "type": "object", + "properties": { + "gateway": { + "type": "object", + "properties": { + "controllerName": { + "type": "string" + } + } + }, + "logging": { + "type": "object", + "properties": { + "level": { + "type": "object", + "properties": { + "default": { + "type": "string" + } + } + } + } + }, + "provider": { + "type": "object", + "properties": { + "type": { + "type": "string" + } + } + } + } + } + } + }, + "createNamespace": { + 
"type": "boolean" + }, + "deployment": { + "type": "object", + "properties": { + "envoyGateway": { + "type": "object", + "properties": { + "image": { + "type": "object", + "properties": { + "name": { + "type": "string" + }, + "tag": { + "type": "string" + } + } + }, + "imagePullPolicy": { + "type": "string" + }, + "imagePullSecrets": { + "type": "array" + }, + "resources": { + "type": "object", + "properties": { + "limits": { + "type": "object", + "properties": { + "memory": { + "type": "string" + } + } + }, + "requests": { + "type": "object", + "properties": { + "cpu": { + "type": "string" + }, + "memory": { + "type": "string" + } + } + } + } + }, + "securityContext": { + "type": "object", + "properties": { + "allowPrivilegeEscalation": { + "type": "boolean" + }, + "capabilities": { + "type": "object", + "properties": { + "drop": { + "type": "array", + "items": { + "type": "string" + } + } + } + }, + "privileged": { + "type": "boolean" + }, + "runAsGroup": { + "type": "integer" + }, + "runAsNonRoot": { + "type": "boolean" + }, + "runAsUser": { + "type": "integer" + }, + "readOnlyRootFilesystem": { + "type": "boolean" + }, + "seccompProfile": { + "type": "object", + "properties": { + "type": { + "type": "string" + } + } + } + } + } + } + }, + "pod": { + "type": "object", + "properties": { + "affinity": { + "type": "object" + }, + "annotations": { + "type": "object", + "properties": { + "prometheus.io/port": { + "type": "string" + }, + "prometheus.io/scrape": { + "type": "string" + } + } + }, + "labels": { + "type": "object" + }, + "nodeSelector": { + "type": "object" + }, + "tolerations": { + "type": "array" + }, + "topologySpreadConstraints": { + "type": "array" + } + } + }, + "ports": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string" + }, + "port": { + "type": "integer" + }, + "targetPort": { + "type": "integer" + } + } + } + }, + "priorityClassName": { + "type": "null" + }, + "replicas": { + "type": "integer" 
+ } + } + }, + "global": { + "type": "object", + "properties": { + "images": { + "type": "object", + "properties": { + "envoyGateway": { + "type": "object", + "properties": { + "image": { + "type": "string" + }, + "pullPolicy": { + "type": "string" + }, + "pullSecrets": { + "type": "array" + } + } + }, + "ratelimit": { + "type": "object", + "properties": { + "image": { + "type": "string" + }, + "pullPolicy": { + "type": "string" + }, + "pullSecrets": { + "type": "array" + } + } + } + } + } + } + }, + "image": { + "type": "object", + "properties": { + "registry": { + "type": "string" + } + } + }, + "kubernetesClusterDomain": { + "type": "string" + }, + "podDisruptionBudget": { + "type": "object", + "properties": { + "minAvailable": { + "type": "integer" + } + } + }, + "service": { + "type": "object", + "properties": { + "annotations": { + "type": "object" + } + } + } + } +} diff --git a/helm/envoy-gateway/values.yaml b/helm/envoy-gateway/values.yaml index d3585af..b81476e 100644 --- a/helm/envoy-gateway/values.yaml +++ b/helm/envoy-gateway/values.yaml @@ -27,11 +27,15 @@ podDisruptionBudget: minAvailable: 0 # maxUnavailable: 1 +image: + registry: gsoci.azurecr.io + repository: giantswarm + deployment: envoyGateway: image: - repository: "" - tag: "" + name: envoyproxy-gateway + tag: 'v1.2.1' imagePullPolicy: "" imagePullSecrets: [] resources: @@ -49,6 +53,7 @@ deployment: runAsNonRoot: true runAsGroup: 65532 runAsUser: 65532 + readOnlyRootFilesystem: true seccompProfile: type: RuntimeDefault ports: 
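Review bot: `deployment.priorityClassName` is declared as `"type": "null"`, so the only value the schema accepts is the default `nil` and any attempt to set a real priority class fails `helm install` with a validation error; declare it as `"type": ["string", "null"]`. The new `image` object lists only `registry`, yet the `eg.image` helper also reads `image.repository`, so add `"repository": {"type": "string"}` beside it. Because no object sets `additionalProperties: false`, the schema silently accepts misspelled keys such as `readOnlyRootFileSystem`, which is exactly the kind of typo that quietly drops a hardening setting; consider `"additionalProperties": false` at least on the two `securityContext` objects.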
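Review bot: With `image.registry` defaulting to `gsoci.azurecr.io`, the `global.images.envoyGateway.image` value that the README table still lists as `docker.io/envoyproxy/gateway:v1.2.1` is never consulted by the `eg.image` helper, so a user who sets it to change the image is silently ignored. Either document the precedence with a comment above `image:` such as `# Used as <registry>/<repository>/<deployment.envoyGateway.image.name>:<tag> whenever registry is non-empty; set registry to "" to fall back to global.images.envoyGateway.image`, or remove the global value so there is a single source of truth. `tag: 'v1.2.1'` pins a mutable tag; a `digest: ""` field next to it, consumed by the helper, would let operators pin the control-plane image by content.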
@@ -93,11 +98,15 @@ createNamespace: false kubernetesClusterDomain: cluster.local -# -- Certgen is used to generate the certificates required by EnvoyGateway. If you want to construct a custom certificate, you can generate a custom certificate through Cert-Manager before installing EnvoyGateway. Certgen will not overwrite the custom certificate. Please do not manually modify `values.yaml` to disable certgen, it may cause EnvoyGateway OIDC,OAuth2,etc. to not work as expected. certgen: job: annotations: {} - resources: {} + resources: + requests: + cpu: 50m + memory: 100Mi + limits: + memory: 500Mi affinity: {} tolerations: [] nodeSelector: {} diff --git a/sync/patches/namespace-values/000-namespace-values.patch b/sync/patches/namespace-values/000-namespace-values.patch deleted file mode 100644 index 5293a3c..0000000 --- a/sync/patches/namespace-values/000-namespace-values.patch +++ /dev/null 
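Review bot: The warning not to disable certgen because OIDC/OAuth2 features depend on its generated certificates disappears along with the `# -- Certgen is used to generate the certificates ...` helm-docs comment removed above `certgen:`, and the README hunk earlier in this commit loses the same text. Unless the chart has a guard elsewhere that prevents disabling the job, restore the comment (the original sentence beginning `# -- Certgen is used to generate the certificates required by EnvoyGateway`) so helm-docs keeps surfacing the caveat in the generated table. The requests and limits added below are a reasonable starting point and need no change.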
@@ -1,222 +0,0 @@ -diff --git b/vendor/gateway-helm/templates/NOTES.txt a/helm/envoy-gateway/templates/NOTES.txt -index 595c49b..7de9cfb 100644 ---- b/vendor/gateway-helm/templates/NOTES.txt -+++ a/helm/envoy-gateway/templates/NOTES.txt -@@ -8,12 +8,12 @@ Thank you for installing Envoy Gateway! 🎉 - - Your release is named: {{ .Release.Name }}. 🎉 - --Your release is in namespace: {{ .Release.Namespace }}. 🎉 -+Your release is in namespace: '{{ .Values.namespace }}. 🎉 - - To learn more about the release, try: - -- $ helm status {{ .Release.Name }} -n {{ .Release.Namespace }} -- $ helm get all {{ .Release.Name }} -n {{ .Release.Namespace }} -+ $ helm status {{ .Release.Name }} -n '{{ .Values.namespace }} -+ $ helm get all {{ .Release.Name }} -n '{{ .Values.namespace }} - - To have a quickstart of Envoy Gateway, please refer to https://gateway.envoyproxy.io/latest/tasks/quickstart. - -diff --git b/vendor/gateway-helm/templates/certgen-rbac.yaml a/helm/envoy-gateway/templates/certgen-rbac.yaml -index 81bf1a8..13da07d 100644 ---- b/vendor/gateway-helm/templates/certgen-rbac.yaml -+++ a/helm/envoy-gateway/templates/certgen-rbac.yaml -@@ -2,7 +2,7 @@ apiVersion: v1 - kind: ServiceAccount - metadata: - name: {{ include "eg.fullname" . }}-certgen -- namespace: '{{ .Release.Namespace }}' -+ namespace: '{{ .Values.namespace }}' - labels: - {{- include "eg.labels" . | nindent 4 }} - {{- if .Values.certgen.rbac.labels }} -@@ -18,7 +18,7 @@ apiVersion: rbac.authorization.k8s.io/v1 - kind: Role - metadata: - name: {{ include "eg.fullname" . }}-certgen -- namespace: '{{ .Release.Namespace }}' -+ namespace: '{{ .Values.namespace }}' - labels: - {{- include "eg.labels" . | nindent 4 }} - {{- if .Values.certgen.rbac.labels }} -@@ -43,7 +43,7 @@ apiVersion: rbac.authorization.k8s.io/v1 - kind: RoleBinding - metadata: - name: {{ include "eg.fullname" . }}-certgen -- namespace: '{{ .Release.Namespace }}' -+ namespace: '{{ .Values.namespace }}' - labels: - {{- include "eg.labels" . 
| nindent 4 }} - {{- if .Values.certgen.rbac.labels }} -@@ -61,4 +61,4 @@ roleRef: - subjects: - - kind: ServiceAccount - name: '{{ include "eg.fullname" . }}-certgen' -- namespace: '{{ .Release.Namespace }}' -+ namespace: '{{ .Values.namespace }}' -diff --git b/vendor/gateway-helm/templates/certgen.yaml a/helm/envoy-gateway/templates/certgen.yaml -index f98c414..d5ef920 100644 ---- b/vendor/gateway-helm/templates/certgen.yaml -+++ a/helm/envoy-gateway/templates/certgen.yaml -@@ -2,7 +2,7 @@ apiVersion: batch/v1 - kind: Job - metadata: - name: {{ include "eg.fullname" . }}-certgen -- namespace: '{{ .Release.Namespace }}' -+ namespace: '{{ .Values.namespace }}' - labels: - {{- include "eg.labels" . | nindent 4 }} - annotations: -diff --git b/vendor/gateway-helm/templates/envoy-gateway-config.yaml a/helm/envoy-gateway/templates/envoy-gateway-config.yaml -index 8fc1d2d..d654bc2 100644 ---- b/vendor/gateway-helm/templates/envoy-gateway-config.yaml -+++ a/helm/envoy-gateway/templates/envoy-gateway-config.yaml -@@ -2,7 +2,7 @@ apiVersion: v1 - kind: ConfigMap - metadata: - name: envoy-gateway-config -- namespace: '{{ .Release.Namespace }}' -+ namespace: '{{ .Values.namespace }}' - labels: - {{- include "eg.labels" . | nindent 4 }} - data: -diff --git b/vendor/gateway-helm/templates/envoy-gateway-deployment.yaml a/helm/envoy-gateway/templates/envoy-gateway-deployment.yaml -index 7746dd2..d4c4bcc 100644 ---- b/vendor/gateway-helm/templates/envoy-gateway-deployment.yaml -+++ a/helm/envoy-gateway/templates/envoy-gateway-deployment.yaml -@@ -2,7 +2,7 @@ apiVersion: apps/v1 - kind: Deployment - metadata: - name: envoy-gateway -- namespace: '{{ .Release.Namespace }}' -+ namespace: '{{ .Values.namespace }}' - labels: - control-plane: envoy-gateway - {{- include "eg.labels" . 
| nindent 4 }} -diff --git b/vendor/gateway-helm/templates/envoy-gateway-poddisruptionbudget.yaml a/helm/envoy-gateway/templates/envoy-gateway-poddisruptionbudget.yaml -index 8e0bca0..6cc5d7f 100644 ---- b/vendor/gateway-helm/templates/envoy-gateway-poddisruptionbudget.yaml -+++ a/helm/envoy-gateway/templates/envoy-gateway-poddisruptionbudget.yaml -@@ -3,7 +3,7 @@ apiVersion: policy/v1 - kind: PodDisruptionBudget - metadata: - name: envoy-gateway -- namespace: '{{ .Release.Namespace }}' -+ namespace: '{{ .Values.namespace }}' - spec: - {{- if and .Values.podDisruptionBudget.minAvailable }} - minAvailable: {{ .Values.podDisruptionBudget.minAvailable }} -diff --git b/vendor/gateway-helm/templates/envoy-gateway-rbac.yaml a/helm/envoy-gateway/templates/envoy-gateway-rbac.yaml -index 5d975b8..79a8a13 100644 ---- b/vendor/gateway-helm/templates/envoy-gateway-rbac.yaml -+++ a/helm/envoy-gateway/templates/envoy-gateway-rbac.yaml -@@ -55,7 +55,7 @@ roleRef: - subjects: - - kind: ServiceAccount - name: 'envoy-gateway' -- namespace: '{{ .Release.Namespace }}' -+ namespace: {{ .Values.namespace }}' - {{ else }} - --- - apiVersion: rbac.authorization.k8s.io/v1 -@@ -78,5 +78,5 @@ roleRef: - subjects: - - kind: ServiceAccount - name: 'envoy-gateway' -- namespace: '{{ .Release.Namespace }}' -+ namespace: {{ .Values.namespace }}' - {{ end }} -diff --git b/vendor/gateway-helm/templates/envoy-gateway-service.yaml a/helm/envoy-gateway/templates/envoy-gateway-service.yaml -index 39b30ea..1c06244 100644 ---- b/vendor/gateway-helm/templates/envoy-gateway-service.yaml -+++ a/helm/envoy-gateway/templates/envoy-gateway-service.yaml -@@ -2,7 +2,7 @@ apiVersion: v1 - kind: Service - metadata: - name: envoy-gateway -- namespace: '{{ .Release.Namespace }}' -+ namespace: '{{ .Values.namespace }}' - {{- with .Values.service.annotations }} - annotations: - {{- toYaml . 
| nindent 4 }} -diff --git b/vendor/gateway-helm/templates/envoy-gateway-serviceaccount.yaml a/helm/envoy-gateway/templates/envoy-gateway-serviceaccount.yaml -index 23af6fe..e0f2207 100644 ---- b/vendor/gateway-helm/templates/envoy-gateway-serviceaccount.yaml -+++ a/helm/envoy-gateway/templates/envoy-gateway-serviceaccount.yaml -@@ -2,6 +2,6 @@ apiVersion: v1 - kind: ServiceAccount - metadata: - name: envoy-gateway -- namespace: '{{ .Release.Namespace }}' -+ namespace: '{{ .Values.namespace }}' - labels: - {{- include "eg.labels" . | nindent 4 }} -diff --git b/vendor/gateway-helm/templates/infra-manager-rbac.yaml a/helm/envoy-gateway/templates/infra-manager-rbac.yaml -index 74c0ec6..664852a 100644 ---- b/vendor/gateway-helm/templates/infra-manager-rbac.yaml -+++ a/helm/envoy-gateway/templates/infra-manager-rbac.yaml -@@ -2,7 +2,7 @@ apiVersion: rbac.authorization.k8s.io/v1 - kind: Role - metadata: - name: {{ include "eg.fullname" . }}-infra-manager -- namespace: '{{ .Release.Namespace }}' -+ namespace: '{{ .Values.namespace }}' - labels: - {{- include "eg.labels" . | nindent 4 }} - rules: -@@ -46,7 +46,7 @@ apiVersion: rbac.authorization.k8s.io/v1 - kind: RoleBinding - metadata: - name: {{ include "eg.fullname" . }}-infra-manager -- namespace: '{{ .Release.Namespace }}' -+ namespace: '{{ .Values.namespace }}' - labels: - {{- include "eg.labels" . | nindent 4 }} - roleRef: -@@ -56,4 +56,4 @@ roleRef: - subjects: - - kind: ServiceAccount - name: 'envoy-gateway' -- namespace: '{{ .Release.Namespace }}' -+ namespace: '{{ .Values.namespace }}' -diff --git b/vendor/gateway-helm/templates/leader-election-rbac.yaml a/helm/envoy-gateway/templates/leader-election-rbac.yaml -index 5b59f34..0be9502 100644 ---- b/vendor/gateway-helm/templates/leader-election-rbac.yaml -+++ a/helm/envoy-gateway/templates/leader-election-rbac.yaml -@@ -2,7 +2,7 @@ apiVersion: rbac.authorization.k8s.io/v1 - kind: Role - metadata: - name: {{ include "eg.fullname" . 
}}-leader-election-role -- namespace: '{{ .Release.Namespace }}' -+ namespace: '{{ .Values.namespace }}' - labels: - {{- include "eg.labels" . | nindent 4 }} - rules: -@@ -42,7 +42,7 @@ apiVersion: rbac.authorization.k8s.io/v1 - kind: RoleBinding - metadata: - name: {{ include "eg.fullname" . }}-leader-election-rolebinding -- namespace: '{{ .Release.Namespace }}' -+ namespace: '{{ .Values.namespace }}' - labels: - {{- include "eg.labels" . | nindent 4 }} - roleRef: -@@ -52,4 +52,4 @@ roleRef: - subjects: - - kind: ServiceAccount - name: 'envoy-gateway' -- namespace: '{{ .Release.Namespace }}' -+ namespace: '{{ .Values.namespace }}' -diff --git b/vendor/gateway-helm/templates/namespace.yaml a/helm/envoy-gateway/templates/namespace.yaml -index 0361b22..c68c79a 100644 ---- b/vendor/gateway-helm/templates/namespace.yaml -+++ a/helm/envoy-gateway/templates/namespace.yaml -@@ -2,5 +2,5 @@ - apiVersion: v1 - kind: Namespace - metadata: -- name: '{{ .Release.Namespace }}' --{{ end }} -+ name: '{{ .Values.namespace }}' -+{{ end }} diff --git a/sync/patches/namespace-values/patch.sh b/sync/patches/namespace-values/patch.sh deleted file mode 100755 index 85bdeac..0000000 --- a/sync/patches/namespace-values/patch.sh +++ /dev/null @@ -1,17 +0,0 @@ -#!/usr/bin/env bash - -set -o errexit -set -o nounset -set -o pipefail - -repo_dir=$(git rev-parse --show-toplevel) ; readonly repo_dir -script_dir=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd ) ; readonly script_dir - -cd "${repo_dir}" - -readonly script_dir_rel=".${script_dir#"${repo_dir}"}" - -set -x -git apply "${script_dir_rel}/000-team-label.patch" - -{ set +x; } 2>/dev/null