diff --git a/assets/haproxy/haproxy-1.12.100.tgz b/assets/haproxy/haproxy-1.12.100.tgz new file mode 100644 index 000000000..4eca84851 Binary files /dev/null and b/assets/haproxy/haproxy-1.12.100.tgz differ diff --git a/assets/index.yaml b/assets/index.yaml index 9354cee37..9ff56b91b 100644 --- a/assets/index.yaml +++ b/assets/index.yaml @@ -361,6 +361,33 @@ entries: - assets/dynatrace-oneagent-operator/dynatrace-oneagent-operator-0.8.000.tgz version: 0.8.000 haproxy: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/release-name: haproxy + apiVersion: v1 + appVersion: 1.5.1 + created: "2021-04-13T23:45:40.966157742Z" + description: A Helm chart for HAProxy Kubernetes Ingress Controller + digest: 29aa101f4851cac5b94d2de40c961d0f24c90bb361c0bf1bc17d3244ddf92046 + home: https://github.com/haproxytech/helm-charts/tree/master/kubernetes-ingress + icon: http://www.haproxy.org/img/HAProxyCommunityEdition_60px.png + keywords: + - ingress + - haproxy + kubeVersion: '>=1.12.0-0' + maintainers: + - email: mmhedhbi@haproxy.com + name: Moemen Mhedhbi + - email: bassmann@haproxy.com + name: Baptiste Assmann + - email: dkorunic@haproxy.com + name: Dinko Korunic + name: haproxy + sources: + - https://github.com/haproxytech/kubernetes-ingress + urls: + - assets/haproxy/haproxy-1.12.100.tgz + version: 1.12.100 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/release-name: haproxy @@ -633,4 +660,4 @@ entries: urls: - assets/sysdig/sysdig-1.9.200.tgz version: 1.9.200 -generated: "2021-03-09T00:13:50.360291665Z" +generated: "2021-04-13T23:45:40.963701127Z" diff --git a/charts/haproxy/Chart.yaml b/charts/haproxy/Chart.yaml index e84a638f1..51c2d51bb 100644 --- a/charts/haproxy/Chart.yaml +++ b/charts/haproxy/Chart.yaml 
@@ -1,5 +1,5 @@ apiVersion: v1 -appVersion: 1.4.6 +appVersion: 1.5.1 description: A Helm chart for HAProxy Kubernetes Ingress Controller home: https://github.com/haproxytech/helm-charts/tree/master/kubernetes-ingress icon: http://www.haproxy.org/img/HAProxyCommunityEdition_60px.png @@ -17,7 +17,7 @@ maintainers: name: haproxy sources: - https://github.com/haproxytech/kubernetes-ingress -version: 1.4.300 +version: 1.12.100 annotations: catalog.cattle.io/certified: partner catalog.cattle.io/release-name: haproxy diff --git a/charts/haproxy/README.md b/charts/haproxy/README.md index 73e4e2fcb..d4f04dbb8 100644 --- a/charts/haproxy/README.md +++ b/charts/haproxy/README.md @@ -14,8 +14,8 @@ This chart bootstraps an HAProxy kubernetes-ingress deployment/daemonset on a [K ### Prerequisites - - Kubernetes 1.12+ - - Helm 2.9+ +- Kubernetes 1.12+ +- Helm 2.9+ ## Before you begin @@ -111,9 +111,9 @@ helm install my-ingress3 haproxytech/kubernetes-ingress \ --set controller.service.annotations."service\.beta\.kubernetes\.io/aws-load-balancer-cross-zone-load-balancing-enabled"="true" ``` -***NOTE***: With helm `--set` it is needed to put quotes and escape dots in the annotation key and commas in the value string. +***NOTE***: With helm `--set` it is needed to put quotes and escape dots in the annotation key and commas in the value string. -### Installing with Horizontal Pod Autoscaler +### Installing with Horizontal Pod Autoscaler [HPA](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/) automatically scales number of replicas in Deployment or Replication Controller and adjusts replica count. Therefore we want to unset default replicaCount for controller and defaultBackend by setting corresponding key values to null: 
@@ -123,6 +123,15 @@ helm install my-ingress4 haproxytech/kubernetes-ingress \ --set defaultBackend.replicaCount=null ``` +### Installing the ServiceMonitor + +If you're using the [Prometheus Operator](https://github.com/prometheus-operator/prometheus-operator), you can automatically install the `ServiceMonitor` definition in order to automate the scraping options according to your needs. + +```console +helm install my-ingress5 haproxytech/kubernetes-ingress \ + --set "controller.serviceMonitor.enabled=true" +``` + ### Using values from YAML file As opposed to using many `--set` invocations, much simpler approach is to define value overrides in a separate YAML file and specify them when invoking Helm: @@ -172,7 +181,7 @@ helm upgrade my-release haproxytech/kubernetes-ingress To uninstall/delete the *my-release* deployment: ```console -helm delete kubernetes-ingress +helm delete my-release ``` ## Debugging diff --git a/charts/haproxy/ci/daemonset-disableddefaultbackend-values.yaml b/charts/haproxy/ci/daemonset-disableddefaultbackend-values.yaml new file mode 100644 index 000000000..3a1687a33 --- /dev/null +++ b/charts/haproxy/ci/daemonset-disableddefaultbackend-values.yaml @@ -0,0 +1,4 @@ +controller: + kind: DaemonSet +defaultBackend: + enabled: false diff --git a/charts/haproxy/ci/deployment-disableddefaultbackend-values.yaml b/charts/haproxy/ci/deployment-disableddefaultbackend-values.yaml new file mode 100644 index 000000000..ba2a61ebe --- /dev/null +++ b/charts/haproxy/ci/deployment-disableddefaultbackend-values.yaml @@ -0,0 +1,2 @@ +defaultBackend: + enabled: false diff --git a/charts/haproxy/ci/deployment-hpa-values.yaml b/charts/haproxy/ci/deployment-hpa-values.yaml new file mode 100644 index 000000000..0c8326236 --- /dev/null +++ b/charts/haproxy/ci/deployment-hpa-values.yaml 
@@ -0,0 +1,14 @@ +controller: + kind: Deployment + autoscaling: + enabled: true + minReplicas: 1 + maxReplicas: 5 + targetCPUUtilizationPercentage: 80 + +defaultBackend: + autoscaling: + enabled: true + minReplicas: 1 + maxReplicas: 2 + targetCPUUtilizationPercentage: 50 diff --git a/charts/haproxy/ci/deployment-psp-values.yaml b/charts/haproxy/ci/deployment-psp-values.yaml new file mode 100644 index 000000000..7aae8605d --- /dev/null +++ b/charts/haproxy/ci/deployment-psp-values.yaml @@ -0,0 +1,2 @@ +podSecurityPolicy: + enabled: true diff --git a/charts/haproxy/templates/_helpers.tpl b/charts/haproxy/templates/_helpers.tpl index 23a9063ef..5a1e28588 100644 --- a/charts/haproxy/templates/_helpers.tpl +++ b/charts/haproxy/templates/_helpers.tpl @@ -46,7 +46,7 @@ Create chart name and version as used by the chart label. {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} {{- end -}} -{kubernetes-ingress.publishServicePath{/* +{{/* Encode an imagePullSecret string. */}} {{- define "kubernetes-ingress.imagePullSecret" }} @@ -120,4 +120,11 @@ Construct the syslog-server annotation {{- end -}} {{- end -}} +{{/* +Create a default fully qualified ServiceMonitor name. +*/}} +{{- define "kubernetes-ingress.serviceMonitorName" -}} +{{- default (include "kubernetes-ingress.fullname" .) .Values.controller.serviceMonitor.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + {{/* vim: set filetype=mustache: */}} diff --git a/charts/haproxy/templates/clusterrole.yaml b/charts/haproxy/templates/clusterrole.yaml index 89cb9f829..4f9b4734a 100644 --- a/charts/haproxy/templates/clusterrole.yaml +++ b/charts/haproxy/templates/clusterrole.yaml 
@@ -41,21 +41,20 @@ rules: - watch - apiGroups: - "extensions" + - "networking.k8s.io" resources: - ingresses - ingresses/status + - ingressclasses verbs: - get - list - watch - - update - apiGroups: - - "networking.k8s.io/v1beta1" + - "extensions" + - "networking.k8s.io" resources: - - ingresses - ingresses/status verbs: - - get - - list - - watch + - update {{- end -}} diff --git a/charts/haproxy/templates/controller-daemonset.yaml b/charts/haproxy/templates/controller-daemonset.yaml index 7260d3227..e892c4b8d 100644 --- a/charts/haproxy/templates/controller-daemonset.yaml +++ b/charts/haproxy/templates/controller-daemonset.yaml @@ -29,6 +29,9 @@ metadata: app.kubernetes.io/managed-by: {{ .Release.Service }} app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/version: {{ .Chart.AppVersion }} + {{- if .Values.controller.extraLabels }} +{{ toYaml .Values.controller.extraLabels | indent 4 }} + {{- end }} spec: minReadySeconds: 0 updateStrategy: @@ -53,12 +56,21 @@ spec: {{- end }} spec: serviceAccountName: {{ template "kubernetes-ingress.serviceAccountName" . }} + terminationGracePeriodSeconds: {{ .Values.controller.terminationGracePeriodSeconds }} {{- if $useHostNetwork }} hostNetwork: true {{- end }} +{{- if .Values.controller.dnsConfig }} + dnsConfig: +{{ toYaml .Values.controller.dnsConfig | indent 8 }} +{{- end }} + dnsPolicy: {{ .Values.controller.dnsPolicy }} {{- if .Values.controller.imageCredentials.registry }} imagePullSecrets: - name: {{ template "kubernetes-ingress.fullname" . }} +{{- end }} +{{- if .Values.controller.priorityClassName }} + priorityClassName: {{ .Values.controller.priorityClassName }} {{- end }} containers: - name: {{ template "kubernetes-ingress.name" . }}-{{ .Values.controller.name }} 
@@ -67,13 +79,15 @@ spec: args: {{- if and .Values.controller.defaultTLSSecret.enabled -}} {{- if .Values.controller.defaultTLSSecret.secret }} - - --default-ssl-certificate={{ .Values.controller.defaultTLSSecret.secret }} + - --default-ssl-certificate={{ .Release.Namespace }}/{{ .Values.controller.defaultTLSSecret.secret }} {{- else }} - --default-ssl-certificate={{ .Release.Namespace }}/{{ template "kubernetes-ingress.defaultTLSSecret.fullname" . }} {{- end }} {{- end }} - --configmap={{ .Release.Namespace }}/{{ template "kubernetes-ingress.fullname" . }} +{{- if .Values.defaultBackend.enabled }} - --default-backend-service={{ .Release.Namespace }}/{{ template "kubernetes-ingress.defaultBackend.fullname" . }} +{{- end }} {{- if .Values.controller.ingressClass }} - --ingress.class={{ .Values.controller.ingressClass }} {{- end }} @@ -86,6 +100,16 @@ spec: {{- range .Values.controller.extraArgs }} - {{ . }} {{- end }} + {{- if .Values.controller.unprivileged }} + securityContext: + runAsUser: 1000 + runAsGroup: 1000 + capabilities: + drop: + - ALL + add: + - NET_BIND_SERVICE + {{- end }} ports: {{- range $key, $value := .Values.controller.containerPort }} - name: {{ $key }} 
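Review bot: The `securityContext` added under `controller.unprivileged` in the `@@ -86,6 +100,16 @@` hunk sets `runAsUser`/`runAsGroup` and trims capabilities, but leaves privilege escalation at the container default. Adding `allowPrivilegeEscalation: false` and `runAsNonRoot: true` beneath `runAsGroup: 1000` would make the non-root intent enforceable and would match the `allowPrivilegeEscalation: false` that the chart's PodSecurityPolicy already requires. Before doing so, confirm the controller image does not rely on file capabilities to bind ports, since those are not honoured once escalation is disabled. The identical block in controller-deployment.yaml (`@@ -80,6 +94,16 @@`) needs the same two lines. The container spec starts and ends outside the hunk.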
@@ -123,6 +147,16 @@ spec: periodSeconds: {{ .Values.controller.readinessProbe.periodSeconds }} successThreshold: {{ .Values.controller.readinessProbe.successThreshold }} timeoutSeconds: {{ .Values.controller.readinessProbe.timeoutSeconds }} + startupProbe: + failureThreshold: {{ .Values.controller.startupProbe.failureThreshold }} + httpGet: + path: {{ .Values.controller.startupProbe.path }} + port: {{ .Values.controller.startupProbe.port }} + scheme: {{ .Values.controller.startupProbe.scheme }} + initialDelaySeconds: {{ .Values.controller.startupProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.controller.startupProbe.periodSeconds }} + successThreshold: {{ .Values.controller.startupProbe.successThreshold }} + timeoutSeconds: {{ .Values.controller.startupProbe.timeoutSeconds }} env: - name: POD_NAME valueFrom: 
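Review bot: The `startupProbe` block is rendered unconditionally, yet the index entry in this commit still declares `kubeVersion: '>=1.12.0-0'`. As far as I recall the field first appeared behind a feature gate in Kubernetes 1.16, so installs on the older clusters the chart claims to support may fail schema validation or lose the probe. Either raise `kubeVersion` or guard the block with `{{- if semverCompare ">=1.16-0" .Capabilities.KubeVersion.GitVersion }}` … `{{- end }}`. The same block is added to controller-deployment.yaml in `@@ -111,6 +135,16 @@`. The container spec starts and ends outside the hunk.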
@@ -132,11 +166,58 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace + {{- range .Values.controller.extraEnvs }} + - name: "{{ .name }}" + value: "{{ .value }}" + {{- end }} resources: {{- toYaml .Values.controller.resources | nindent 12 }} - {{- with.Values.controller.initContainers }} + {{- if .Values.controller.lifecycle }} + lifecycle: + {{- if eq "string" (printf "%T" .Values.controller.lifecycle) }} +{{ tpl .Values.controller.lifecycle . | indent 12 }} + {{- else }} +{{ toYaml .Values.controller.lifecycle | indent 12 }} + {{- end }} + {{- end }} + {{- if .Values.controller.extraVolumeMounts }} + volumeMounts: + {{- if eq "string" (printf "%T" .Values.controller.extraVolumeMounts) }} +{{ tpl .Values.controller.extraVolumeMounts . | indent 12 }} + {{- else }} +{{ toYaml .Values.controller.extraVolumeMounts | indent 12 }} + {{- end }} + {{- end}} + {{- if .Values.controller.extraContainers }} + {{- if eq "string" (printf "%T" .Values.controller.extraContainers) }} +{{ tpl .Values.controller.extraContainers . | indent 8 }} + {{- else }} +{{ toYaml .Values.controller.extraContainers | indent 8 }} + {{- end }} + {{- end }} + {{- if .Values.controller.extraVolumes }} + volumes: + {{- if eq "string" (printf "%T" .Values.controller.extraVolumes) }} +{{ tpl .Values.controller.extraVolumes . | indent 8 }} + {{- else }} +{{ toYaml .Values.controller.extraVolumes | indent 8 }} + {{- end }} + {{- end }} + {{- if or .Values.controller.unprivileged .Values.controller.initContainers }} initContainers: - {{- toYaml . | nindent 8 }} + {{- if .Values.controller.unprivileged }} + - name: sysctl + image: busybox:musl + command: + - /bin/sh + - -c + - sysctl -w net.ipv4.ip_unprivileged_port_start=0 + securityContext: + privileged: true + {{- end }} + {{- with.Values.controller.initContainers }} + {{- toYaml . | nindent 8 }} + {{- end }} {{- end }} {{- with .Values.controller.nodeSelector }} nodeSelector: 
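Review bot: The `sysctl` init container added under `controller.unprivileged` runs `privileged: true` from the mutable tag `busybox:musl`. In this DaemonSet the pod can share the node's network namespace when `$useHostNetwork` is set, so `sysctl -w net.ipv4.ip_unprivileged_port_start=0` would then lower the privileged-port boundary for every process on the node, not only this pod. Make the image configurable and pin it by digest, e.g. `image: busybox@sha256:<DIGEST_PLACEHOLDER>`, and either skip the init container when host networking is on or document the node-wide effect next to `unprivileged` in values.yaml. The chart's own PodSecurityPolicy keeps `allowPrivilegeEscalation: false`, so a privileged init container will probably be refused when `podSecurityPolicy.enabled` is also true; that combination is worth a CI values file. The same block is added to controller-deployment.yaml in `@@ -120,11 +154,58 @@`, and the pod spec continues outside the hunk.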
diff --git a/charts/haproxy/templates/controller-defaultcertsecret.yaml b/charts/haproxy/templates/controller-defaultcertsecret.yaml index bb97b1e05..b409c7b25 100644 --- a/charts/haproxy/templates/controller-defaultcertsecret.yaml +++ b/charts/haproxy/templates/controller-defaultcertsecret.yaml @@ -14,6 +14,7 @@ See the License for the specific language governing permissions and limitations under the License. */}} +{{- if .Values.controller.defaultTLSSecret.enabled }} apiVersion: v1 kind: Secret type: kubernetes.io/tls @@ -31,3 +32,4 @@ metadata: "helm.sh/hook-delete-policy": "before-hook-creation" data: {{ ( include "kubernetes-ingress.gen-certs" . ) | indent 2 }} +{{- end }} \ No newline at end of file diff --git a/charts/haproxy/templates/controller-deployment.yaml b/charts/haproxy/templates/controller-deployment.yaml index 7fd2aae2e..2868add91 100644 --- a/charts/haproxy/templates/controller-deployment.yaml +++ b/charts/haproxy/templates/controller-deployment.yaml @@ -26,8 +26,11 @@ metadata: app.kubernetes.io/managed-by: {{ .Release.Service }} app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/version: {{ .Chart.AppVersion }} + {{- if .Values.controller.extraLabels }} +{{ toYaml .Values.controller.extraLabels | indent 4 }} + {{- end }} spec: - {{- if not ( kindIs "invalid" .Values.controller.replicaCount) }} + {{- if not .Values.controller.autoscaling.enabled }} replicas: {{ .Values.controller.replicaCount }} {{- end }} selector: 
@@ -52,9 +55,18 @@ spec: {{- end }} spec: serviceAccountName: {{ template "kubernetes-ingress.serviceAccountName" . }} + terminationGracePeriodSeconds: {{ .Values.controller.terminationGracePeriodSeconds }} +{{- if .Values.controller.dnsConfig }} + dnsConfig: +{{ toYaml .Values.controller.dnsConfig | indent 8 }} +{{- end }} + dnsPolicy: {{ .Values.controller.dnsPolicy }} {{- if .Values.controller.imageCredentials.registry }} imagePullSecrets: - name: {{ template "kubernetes-ingress.fullname" . }} +{{- end }} +{{- if .Values.controller.priorityClassName }} + priorityClassName: {{ .Values.controller.priorityClassName }} {{- end }} containers: - name: {{ template "kubernetes-ingress.name" . }}-{{ .Values.controller.name }} @@ -62,12 +74,14 @@ spec: imagePullPolicy: {{ .Values.controller.image.pullPolicy }} args: {{- if .Values.controller.defaultTLSSecret.secret }} - - --default-ssl-certificate={{ .Values.controller.defaultTLSSecret.secret }} + - --default-ssl-certificate={{ .Release.Namespace }}/{{ .Values.controller.defaultTLSSecret.secret }} {{- else }} - --default-ssl-certificate={{ .Release.Namespace }}/{{ template "kubernetes-ingress.defaultTLSSecret.fullname" . }} {{- end }} - --configmap={{ .Release.Namespace }}/{{ template "kubernetes-ingress.fullname" . }} +{{- if .Values.defaultBackend.enabled }} - --default-backend-service={{ .Release.Namespace }}/{{ template "kubernetes-ingress.defaultBackend.fullname" . }} +{{- end }} {{- if .Values.controller.ingressClass }} - --ingress.class={{ .Values.controller.ingressClass }} {{- end }} @@ -80,6 +94,16 @@ spec: {{- range .Values.controller.extraArgs }} - {{ . }} {{- end }} + {{- if .Values.controller.unprivileged }} + securityContext: + runAsUser: 1000 + runAsGroup: 1000 + capabilities: + drop: + - ALL + add: + - NET_BIND_SERVICE + {{- end }} ports: {{- range $key, $value := .Values.controller.containerPort }} - name: {{ $key }} 
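Review bot: In the `@@ -62,12 +74,14 @@` hunk the `--default-ssl-certificate` argument is still emitted without checking `controller.defaultTLSSecret.enabled`, while this commit wraps controller-defaultcertsecret.yaml in that flag. With `enabled: false` and no `secret` set, the Deployment is pointed at a generated Secret that is no longer created. Wrap the `if/else` in `{{- if .Values.controller.defaultTLSSecret.enabled }}`, as the DaemonSet template already does. Separately, prefixing `{{ .Release.Namespace }}/` appears to change `defaultTLSSecret.secret` from a `namespace/name` value to a bare name, so an existing value containing a slash would render a three-part path and a certificate in another namespace can no longer be referenced. That deserves a changelog entry or a guard such as `contains "/"`. The args list continues outside the hunk.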
@@ -88,7 +112,7 @@ spec: {{- end }} {{- range .Values.controller.service.tcpPorts }} - name: {{ .name }}-tcp - containerPort: {{ .port }} + containerPort: {{ .targetPort }} protocol: TCP {{- end }} livenessProbe: @@ -111,6 +135,16 @@ spec: periodSeconds: {{ .Values.controller.readinessProbe.periodSeconds }} successThreshold: {{ .Values.controller.readinessProbe.successThreshold }} timeoutSeconds: {{ .Values.controller.readinessProbe.timeoutSeconds }} + startupProbe: + failureThreshold: {{ .Values.controller.startupProbe.failureThreshold }} + httpGet: + path: {{ .Values.controller.startupProbe.path }} + port: {{ .Values.controller.startupProbe.port }} + scheme: {{ .Values.controller.startupProbe.scheme }} + initialDelaySeconds: {{ .Values.controller.startupProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.controller.startupProbe.periodSeconds }} + successThreshold: {{ .Values.controller.startupProbe.successThreshold }} + timeoutSeconds: {{ .Values.controller.startupProbe.timeoutSeconds }} env: - name: POD_NAME valueFrom: 
@@ -120,11 +154,58 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace + {{- range .Values.controller.extraEnvs }} + - name: {{ .name }} + value: {{ .value }} + {{- end }} resources: {{- toYaml .Values.controller.resources | nindent 12 }} - {{- with.Values.controller.initContainers }} + {{- if .Values.controller.lifecycle }} + lifecycle: + {{- if eq "string" (printf "%T" .Values.controller.lifecycle) }} +{{ tpl .Values.controller.lifecycle . | indent 12 }} + {{- else }} +{{ toYaml .Values.controller.lifecycle | indent 12 }} + {{- end }} + {{- end }} + {{- if .Values.controller.extraVolumeMounts }} + volumeMounts: + {{- if eq "string" (printf "%T" .Values.controller.extraVolumeMounts) }} +{{ tpl .Values.controller.extraVolumeMounts . | indent 12 }} + {{- else }} +{{ toYaml .Values.controller.extraVolumeMounts | indent 12 }} + {{- end }} + {{- end}} + {{- if .Values.controller.extraContainers }} + {{- if eq "string" (printf "%T" .Values.controller.extraContainers) }} +{{ tpl .Values.controller.extraContainers . | indent 8 }} + {{- else }} +{{ toYaml .Values.controller.extraContainers | indent 8 }} + {{- end }} + {{- end }} + {{- if .Values.controller.extraVolumes }} + volumes: + {{- if eq "string" (printf "%T" .Values.controller.extraVolumes) }} +{{ tpl .Values.controller.extraVolumes . | indent 8 }} + {{- else }} +{{ toYaml .Values.controller.extraVolumes | indent 8 }} + {{- end }} + {{- end }} + {{- if or .Values.controller.unprivileged .Values.controller.initContainers }} initContainers: - {{- toYaml . | nindent 8 }} + {{- if .Values.controller.unprivileged }} + - name: sysctl + image: busybox:musl + command: + - /bin/sh + - -c + - sysctl -w net.ipv4.ip_unprivileged_port_start=0 + securityContext: + privileged: true + {{- end }} + {{- with.Values.controller.initContainers }} + {{- toYaml . | nindent 8 }} + {{- end }} {{- end }} {{- with .Values.controller.nodeSelector }} nodeSelector: 
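Review bot: The `extraEnvs` loop in this hunk renders `- name: {{ .name }}` and `value: {{ .value }}` unquoted, whereas the DaemonSet and default-backend templates in the same commit quote both. An entry such as `value: true` or `value: 1` then reaches the API as a non-string and the Deployment is rejected, and a value containing `: ` or ` #` changes the rendered YAML structure. Use `name: {{ .name | quote }}` and `value: {{ .value | quote }}` in all three templates. `quote` also escapes embedded double quotes, which the hand-written `"{{ .value }}"` form does not. The container spec starts outside the hunk.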
diff --git a/charts/haproxy/templates/controller-hpa.yaml b/charts/haproxy/templates/controller-hpa.yaml
new file mode 100644
index 000000000..102b23439
--- /dev/null
+++ b/charts/haproxy/templates/controller-hpa.yaml
@@ -0,0 +1,49 @@
+{{/*
+Copyright 2020 HAProxy Technologies LLC
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and (eq .Values.controller.kind "Deployment") .Values.controller.autoscaling.enabled }}
+apiVersion: autoscaling/v2beta1
+kind: HorizontalPodAutoscaler
+metadata:
+ name: {{ template "kubernetes-ingress.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app.kubernetes.io/name: {{ template "kubernetes-ingress.name" . }}
+ helm.sh/chart: {{ template "kubernetes-ingress.chart" . }}
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/version: {{ .Chart.AppVersion }}
+spec:
+ scaleTargetRef:
+ apiVersion: apps/v1
+ kind: Deployment
+ name: {{ template "kubernetes-ingress.fullname" . }}
+ minReplicas: {{ .Values.controller.autoscaling.minReplicas }}
+ maxReplicas: {{ .Values.controller.autoscaling.maxReplicas }}
+ metrics:
+ {{- if .Values.controller.autoscaling.targetCPUUtilizationPercentage }}
+ - type: Resource
+ resource:
+ name: cpu
+ targetAverageUtilization: {{ .Values.controller.autoscaling.targetCPUUtilizationPercentage }}
+ {{- end }}
+ {{- if .Values.controller.autoscaling.targetMemoryUtilizationPercentage }}
+ - type: Resource
+ resource:
+ name: memory
+ targetAverageUtilization: {{ .Values.controller.autoscaling.targetMemoryUtilizationPercentage }}
+ {{- end }}
+{{- end }}
\ No newline at end of file
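Review bot: `metrics:` is left with no entries when neither `targetCPUUtilizationPercentage` nor `targetMemoryUtilizationPercentage` is set, which happens as soon as a user nulls the CPU default from values.yaml, and the object then renders `metrics: null`. Consider failing the render in that case with `{{- fail "set a CPU or memory utilization target" }}`, or document that one target is required. `autoscaling/v2beta1` is a beta API that later Kubernetes releases drop, so choosing the version with `.Capabilities.APIVersions.Has "autoscaling/v2beta2"` would age better. The README in this commit still describes unsetting `replicaCount` for HPA use, although `replicas` is now keyed on `controller.autoscaling.enabled`; the instructions should name the new flag. default-backend-hpa.yaml repeats the same template and the same points apply there.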
diff --git a/charts/haproxy/templates/controller-podsecuritypolicy.yaml b/charts/haproxy/templates/controller-podsecuritypolicy.yaml index 77d220f3a..7851e2acf 100644 --- a/charts/haproxy/templates/controller-podsecuritypolicy.yaml +++ b/charts/haproxy/templates/controller-podsecuritypolicy.yaml @@ -32,16 +32,21 @@ metadata: app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/version: {{ .Chart.AppVersion }} name: {{ template "kubernetes-ingress.fullname" . }} + annotations: + seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default,runtime/default' + apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default' + seccomp.security.alpha.kubernetes.io/defaultProfileName: 'runtime/default' + apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default' spec: allowPrivilegeEscalation: false allowedCapabilities: - - NET_BIND_SERVICE + - NET_BIND_SERVICE defaultAllowPrivilegeEscalation: false fsGroup: - ranges: - - max: 65535 - min: 1 rule: MustRunAs + ranges: + - max: 65535 + min: 1 {{- if $useHostNetwork }} hostNetwork: true {{- end }} @@ -64,12 +69,12 @@ spec: seLinux: rule: RunAsAny supplementalGroups: - ranges: - - max: 65535 - min: 1 rule: MustRunAs + ranges: + - max: 65535 + min: 1 volumes: - - configMap - - downwardAPI - - secret + - configMap + - downwardAPI + - secret {{- end }} diff --git a/charts/haproxy/templates/controller-service.yaml b/charts/haproxy/templates/controller-service.yaml index 2fa164137..eb2eea381 100644 --- a/charts/haproxy/templates/controller-service.yaml +++ b/charts/haproxy/templates/controller-service.yaml @@ -14,6 +14,7 @@ See the License for the specific language governing permissions and limitations under the License. */}} +{{- if .Values.controller.service.enabled }} apiVersion: v1 kind: Service metadata: @@ -97,4 +98,4 @@ spec: {{ toYaml .Values.controller.service.loadBalancerSourceRanges | indent 4 }} {{- end }} {{- end }} - +{{- end }} 
diff --git a/charts/haproxy/templates/controller-servicemonitor.yaml b/charts/haproxy/templates/controller-servicemonitor.yaml
new file mode 100644
index 000000000..0f4c2c3af
--- /dev/null
+++ b/charts/haproxy/templates/controller-servicemonitor.yaml
@@ -0,0 +1,41 @@
+{{/*
+Copyright 2019 HAProxy Technologies LLC
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.controller.serviceMonitor.enabled }}
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+ name: {{ template "kubernetes-ingress.serviceMonitorName" . }}
+ labels:
+ app.kubernetes.io/name: {{ template "kubernetes-ingress.name" . }}
+ helm.sh/chart: {{ template "kubernetes-ingress.chart" . }}
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/version: {{ .Chart.AppVersion }}
+ {{- if .Values.controller.serviceMonitor.extraLabels }}
+ {{ toYaml .Values.controller.serviceMonitor.extraLabels | nindent 4 }}
+ {{- end }}
+spec:
+ endpoints:
+ {{ .Values.controller.serviceMonitor.endpoints | toYaml | nindent 4 }}
+ namespaceSelector:
+ matchNames:
+ - {{ .Release.Namespace }}
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: {{ template "kubernetes-ingress.name" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
diff --git a/charts/haproxy/templates/default-backend-deployment.yaml b/charts/haproxy/templates/default-backend-deployment.yaml
index 3dd04e012..9331f5f35 100644
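Review bot: The ServiceMonitor in controller-servicemonitor.yaml is gated only on `controller.serviceMonitor.enabled`, but it scrapes the controller Service, which this commit makes optional through `controller.service.enabled`. With the Service disabled the monitor selects nothing and the loss of metrics is silent, so gate it on both: `{{- if and .Values.controller.serviceMonitor.enabled .Values.controller.service.enabled }}`. The `matchLabels` pair (`app.kubernetes.io/name`, `app.kubernetes.io/instance`) may also match the default-backend Service if it carries the same labels; its label block is not visible here, so a more specific selector label would be safer. Unlike the HPA templates added in this commit, `metadata` carries no `namespace: {{ .Release.Namespace }}`.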
--- a/charts/haproxy/templates/default-backend-deployment.yaml +++ b/charts/haproxy/templates/default-backend-deployment.yaml @@ -14,6 +14,7 @@ See the License for the specific language governing permissions and limitations under the License. */}} +{{- if .Values.defaultBackend.enabled }} apiVersion: apps/v1 kind: Deployment metadata: @@ -26,7 +27,7 @@ metadata: app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/version: {{ .Chart.AppVersion }} spec: - {{- if not (kindIs "invalid" .Values.defaultBackend.replicaCount) }} + {{- if not .Values.defaultBackend.autoscaling.enabled }} replicas: {{ .Values.defaultBackend.replicaCount }} {{- end }} selector: @@ -46,6 +47,9 @@ spec: {{ toYaml .Values.defaultBackend.podAnnotations | indent 8 }} {{- end }} spec: +{{- if .Values.controller.priorityClassName }} + priorityClassName: {{ .Values.controller.priorityClassName }} +{{- end }} containers: - name: {{ template "kubernetes-ingress.name" . }}-{{ .Values.defaultBackend.name }} image: "{{ .Values.defaultBackend.image.repository }}:{{ .Values.defaultBackend.image.tag }}" @@ -54,6 +58,13 @@ spec: - name: http containerPort: {{ .Values.defaultBackend.containerPort }} protocol: TCP + {{- if .Values.defaultBackend.extraEnvs }} + env: + {{- range .Values.defaultBackend.extraEnvs }} + - name: "{{ .name }}" + value: "{{ .value }}" + {{- end }} + {{- end }} resources: {{- toYaml .Values.defaultBackend.resources | nindent 12 }} {{- with .Values.defaultBackend.nodeSelector }} @@ -65,7 +76,9 @@ spec: {{- toYaml . | nindent 8 }} {{- end }} serviceAccountName: {{ template "kubernetes-ingress.defaultBackend.serviceAccountName" . }} + terminationGracePeriodSeconds: 60 {{- with .Values.defaultBackend.tolerations }} tolerations: {{- toYaml . | nindent 8 }} {{- end }} +{{- end }} diff --git a/charts/haproxy/templates/default-backend-hpa.yaml b/charts/haproxy/templates/default-backend-hpa.yaml new file mode 100644 index 000000000..0fd8a65b7 --- /dev/null 
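Review bot: The `@@ -46,6 +47,9 @@` hunk reads `.Values.controller.priorityClassName` inside the default-backend Deployment, while values.yaml in this commit adds a separate `defaultBackend.priorityClassName` that no template shown here consumes. As written the backend always inherits the controller's priority class and the new value has no effect. Use `{{- if .Values.defaultBackend.priorityClassName }}` with `priorityClassName: {{ .Values.defaultBackend.priorityClassName }}` instead. The pod spec continues outside the hunk.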
+++ b/charts/haproxy/templates/default-backend-hpa.yaml 
@@ -0,0 +1,49 @@
+{{/*
+Copyright 2020 HAProxy Technologies LLC
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.defaultBackend.autoscaling.enabled .Values.defaultBackend.enabled }}
+apiVersion: autoscaling/v2beta1
+kind: HorizontalPodAutoscaler
+metadata:
+ name: {{ template "kubernetes-ingress.defaultBackend.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app.kubernetes.io/name: {{ template "kubernetes-ingress.name" . }}
+ helm.sh/chart: {{ template "kubernetes-ingress.chart" . }}
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/version: {{ .Chart.AppVersion }}
+spec:
+ scaleTargetRef:
+ apiVersion: apps/v1
+ kind: Deployment
+ name: {{ template "kubernetes-ingress.defaultBackend.fullname" . }}
+ minReplicas: {{ .Values.defaultBackend.autoscaling.minReplicas }}
+ maxReplicas: {{ .Values.defaultBackend.autoscaling.maxReplicas }}
+ metrics:
+ {{- if .Values.defaultBackend.autoscaling.targetCPUUtilizationPercentage }}
+ - type: Resource
+ resource:
+ name: cpu
+ targetAverageUtilization: {{ .Values.defaultBackend.autoscaling.targetCPUUtilizationPercentage }}
+ {{- end }}
+ {{- if .Values.defaultBackend.autoscaling.targetMemoryUtilizationPercentage }}
+ - type: Resource
+ resource:
+ name: memory
+ targetAverageUtilization: {{ .Values.defaultBackend.autoscaling.targetMemoryUtilizationPercentage }}
+ {{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/haproxy/templates/default-backend-podsecuritypolicy.yaml b/charts/haproxy/templates/default-backend-podsecuritypolicy.yaml index a31d60e8f..82397b57b 100644 --- a/charts/haproxy/templates/default-backend-podsecuritypolicy.yaml +++ b/charts/haproxy/templates/default-backend-podsecuritypolicy.yaml @@ -14,7 +14,7 @@ See the License for the specific language governing permissions and limitations under the License. */}} -{{- if and .Values.rbac.create .Values.podSecurityPolicy.enabled }} +{{- if and .Values.rbac.create .Values.podSecurityPolicy.enabled .Values.defaultBackend.enabled }} apiVersion: policy/v1beta1 kind: PodSecurityPolicy metadata: @@ -29,16 +29,21 @@ metadata: app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/version: {{ .Chart.AppVersion }} name: {{ template "kubernetes-ingress.defaultBackend.fullname" . }} + annotations: + seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default,runtime/default' + apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default' + seccomp.security.alpha.kubernetes.io/defaultProfileName: 'runtime/default' + apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default' spec: allowPrivilegeEscalation: false allowedCapabilities: - - NET_BIND_SERVICE + - NET_BIND_SERVICE defaultAllowPrivilegeEscalation: false fsGroup: - ranges: - - max: 65535 - min: 1 rule: MustRunAs + ranges: + - max: 65535 + min: 1 hostNetwork: false hostIPC: false hostPID: false @@ -48,12 +53,12 @@ spec: seLinux: rule: RunAsAny supplementalGroups: - ranges: - - max: 65535 - min: 1 rule: MustRunAs + ranges: + - max: 65535 + min: 1 volumes: - - configMap - - downwardAPI - - secret + - configMap + - downwardAPI + - secret {{- end }} diff --git a/charts/haproxy/templates/default-backend-role.yaml b/charts/haproxy/templates/default-backend-role.yaml index 8ca2416ae..8475d04fc 100644 --- a/charts/haproxy/templates/default-backend-role.yaml 
+++ b/charts/haproxy/templates/default-backend-role.yaml @@ -14,7 +14,7 @@ See the License for the specific language governing permissions and limitations under the License. */}} -{{- if and .Values.rbac.create .Values.podSecurityPolicy.enabled -}} +{{- if and .Values.rbac.create .Values.podSecurityPolicy.enabled .Values.defaultBackend.enabled -}} apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: diff --git a/charts/haproxy/templates/default-backend-rolebinding.yaml b/charts/haproxy/templates/default-backend-rolebinding.yaml index a27f80465..3a94e9418 100644 --- a/charts/haproxy/templates/default-backend-rolebinding.yaml +++ b/charts/haproxy/templates/default-backend-rolebinding.yaml @@ -14,7 +14,7 @@ See the License for the specific language governing permissions and limitations under the License. */}} -{{- if and .Values.rbac.create .Values.podSecurityPolicy.enabled -}} +{{- if and .Values.rbac.create .Values.podSecurityPolicy.enabled .Values.defaultBackend.enabled -}} apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: diff --git a/charts/haproxy/templates/default-backend-service.yaml b/charts/haproxy/templates/default-backend-service.yaml index b3108ad61..6e0cf0e98 100644 --- a/charts/haproxy/templates/default-backend-service.yaml +++ b/charts/haproxy/templates/default-backend-service.yaml @@ -14,6 +14,7 @@ See the License for the specific language governing permissions and limitations under the License. */}} +{{- if .Values.defaultBackend.enabled }} apiVersion: v1 kind: Service metadata: @@ -27,7 +28,7 @@ metadata: app.kubernetes.io/version: {{ .Chart.AppVersion }} spec: type: ClusterIP - clusterIP: None + clusterIP: None ports: - name: http port: {{ .Values.defaultBackend.service.port }} @@ -36,3 +37,4 @@ spec: selector: app.kubernetes.io/name: {{ template "kubernetes-ingress.defaultBackend.fullname" . }} app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} 
diff --git a/charts/haproxy/templates/default-backend-serviceaccount.yaml b/charts/haproxy/templates/default-backend-serviceaccount.yaml index 9a5e8169f..3c0853b14 100644 --- a/charts/haproxy/templates/default-backend-serviceaccount.yaml +++ b/charts/haproxy/templates/default-backend-serviceaccount.yaml @@ -14,7 +14,7 @@ See the License for the specific language governing permissions and limitations under the License. */}} -{{- if and .Values.serviceAccount.create .Values.defaultBackend.serviceAccount.create -}} +{{- if and .Values.serviceAccount.create .Values.defaultBackend.serviceAccount.create .Values.defaultBackend.enabled -}} apiVersion: v1 kind: ServiceAccount metadata: diff --git a/charts/haproxy/values.yaml b/charts/haproxy/values.yaml index addf65446..0ca2b7932 100644 --- a/charts/haproxy/values.yaml +++ b/charts/haproxy/values.yaml @@ -1,5 +1,10 @@ controller: affinity: {} + autoscaling: + enabled: false + maxReplicas: 20 + minReplicas: 2 + targetCPUUtilizationPercentage: 80 config: {} containerPort: http: 80 @@ -15,7 +20,14 @@ controller: defaultTLSSecret: enabled: true secret: null + dnsConfig: {} + dnsPolicy: ClusterFirst extraArgs: [] + extraContainers: [] + extraEnvs: [] + extraLabels: {} + extraVolumeMounts: [] + extraVolumes: [] image: pullPolicy: IfNotPresent repository: haproxytech/kubernetes-ingress @@ -27,6 +39,7 @@ controller: ingressClass: null initContainers: [] kind: Deployment + lifecycle: {} livenessProbe: failureThreshold: 3 initialDelaySeconds: 0 @@ -43,6 +56,7 @@ controller: nodeSelector: {} podAnnotations: {} podLabels: {} + priorityClassName: "" publishService: enabled: false pathOverride: "" @@ -66,6 +80,7 @@ controller: http: true https: true stat: true + enabled: true externalIPs: [] healthCheckNodePort: 0 labels: {} 
@@ -82,11 +97,36 @@ controller: stat: stat tcpPorts: [] type: NodePort + serviceMonitor: + enabled: false + endpoints: + - path: /metrics + port: stat + scheme: http + extraLabels: {} + startupProbe: + failureThreshold: 20 + initialDelaySeconds: 0 + path: /healthz + periodSeconds: 1 + port: 1042 + scheme: HTTP + successThreshold: 1 + timeoutSeconds: 1 strategy: {} + terminationGracePeriodSeconds: 60 tolerations: [] + unprivileged: false defaultBackend: affinity: {} + autoscaling: + enabled: false + maxReplicas: 2 + minReplicas: 1 + targetCPUUtilizationPercentage: 80 containerPort: 8080 + enabled: true + extraEnvs: [] image: pullPolicy: IfNotPresent repository: k8s.gcr.io/defaultbackend-amd64 @@ -96,6 +136,7 @@ defaultBackend: nodeSelector: {} podAnnotations: {} podLabels: {} + priorityClassName: "" replicaCount: 2 resources: requests: diff --git a/index.yaml b/index.yaml index 9354cee37..9ff56b91b 100644 --- a/index.yaml +++ b/index.yaml 
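Review bot: `unprivileged: false`, added at the end of the controller block in the `@@ -82,11 +97,36 @@` hunk, ships the lower-privilege mode switched off, and nothing in values.yaml says what enabling it changes. The template that reads the key is outside this hunk, so its effect is inferred from the name only. If it makes the controller run as non-root, note that `containerPort.http` is 80 in this file, which a non-root process may be unable to bind without an extra capability or a higher port. A short comment would let operators opt in safely, e.g. `# unprivileged: true runs the controller without root; review containerPort values before enabling`.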
@@ -361,6 +361,33 @@ entries: - assets/dynatrace-oneagent-operator/dynatrace-oneagent-operator-0.8.000.tgz version: 0.8.000 haproxy: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/release-name: haproxy + apiVersion: v1 + appVersion: 1.5.1 + created: "2021-04-13T23:45:40.966157742Z" + description: A Helm chart for HAProxy Kubernetes Ingress Controller + digest: 29aa101f4851cac5b94d2de40c961d0f24c90bb361c0bf1bc17d3244ddf92046 + home: https://github.com/haproxytech/helm-charts/tree/master/kubernetes-ingress + icon: http://www.haproxy.org/img/HAProxyCommunityEdition_60px.png + keywords: + - ingress + - haproxy + kubeVersion: '>=1.12.0-0' + maintainers: + - email: mmhedhbi@haproxy.com + name: Moemen Mhedhbi + - email: bassmann@haproxy.com + name: Baptiste Assmann + - email: dkorunic@haproxy.com + name: Dinko Korunic + name: haproxy + sources: + - https://github.com/haproxytech/kubernetes-ingress + urls: + - assets/haproxy/haproxy-1.12.100.tgz + version: 1.12.100 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/release-name: haproxy @@ -633,4 +660,4 @@ entries: urls: - assets/sysdig/sysdig-1.9.200.tgz version: 1.9.200 -generated: "2021-03-09T00:13:50.360291665Z" +generated: "2021-04-13T23:45:40.963701127Z" diff --git a/sha256sum/haproxy/haproxy.sum b/sha256sum/haproxy/haproxy.sum index d97c3373b..5b53229b9 100644 --- a/sha256sum/haproxy/haproxy.sum +++ b/sha256sum/haproxy/haproxy.sum 
@@ -1,4 +1,4 @@ -147d82b2b2f3880b668883eb0067fcfe5fa008200c141a21852d8378508871e2 packages/haproxy/haproxy.patch +0c2923b56401b95bfd0b80084a9dcc195afb92978179e3f5e4243812e6148ba7 packages/haproxy/haproxy.patch ef96856c7f2241f1a7e5df4e841ade5c0678f8599c359d8b86736fb3b9ba4b72 packages/haproxy/overlay/app-readme.md 45a217ebefb053d23ddbd48e7e12ecd8119a8d0e8b31246d521c97740b7d3a78 packages/haproxy/overlay/questions.yml -30f266384f60144b686ad8b4fa52eb6f8cf4d7037f753c47619c8651370bd6a2 packages/haproxy/package.yaml +5c75a8f608f9d22b26ab4849ebec07fdb9cd5663553aaedece920082a6b9332d packages/haproxy/package.yaml