Added chart versions:

  hashicorp/consul:
    - 1.5.3
  kuma/kuma:
    - 2.8.3
  new-relic/nri-bundle:
    - 5.0.91
  speedscale/speedscale-operator:
    - 2.2.342
  traefik/traefik:
    - 31.0.0
pull/1059/head
github-actions[bot] 2024-09-04 00:54:53 +00:00
parent 56843b3430
commit 4cc45d1ffa
913 changed files with 124120 additions and 1 deletions

Binary file not shown.

BIN
assets/kuma/kuma-2.8.3.tgz Normal file

View File

@ -0,0 +1,5 @@
.git/
.terraform/
bin/
test/
crds/kustomization.yaml
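Review bot: the ignore list leaves `addons/` out, so `addons/gen.sh` and `addons/values/prometheus.yaml` (both committed here; the script names itself `addons/gen.sh` in the comment it injects) get packaged into the chart tarball. Add `addons/` to `.helmignore` unless the generator is meant to ship with the chart. Excluding `crds/kustomization.yaml` is right, since Helm applies every file under `crds/` as a CRD manifest and a kustomization file there would fail the install.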

View File

@ -0,0 +1,37 @@
annotations:
artifacthub.io/images: |
- name: consul
image: hashicorp/consul:1.19.2
- name: consul-k8s-control-plane
image: hashicorp/consul-k8s-control-plane:1.5.3
- name: consul-dataplane
image: hashicorp/consul-dataplane:1.5.3
- name: envoy
image: envoyproxy/envoy:v1.25.11
artifacthub.io/license: MPL-2.0
artifacthub.io/links: |
- name: Documentation
url: https://www.consul.io/docs/k8s
- name: hashicorp/consul
url: https://github.com/hashicorp/consul
- name: hashicorp/consul-k8s
url: https://github.com/hashicorp/consul-k8s
artifacthub.io/prerelease: "false"
artifacthub.io/signKey: |
fingerprint: C874011F0AB405110D02105534365D9472D7468F
url: https://keybase.io/hashicorp/pgp_keys.asc
catalog.cattle.io/certified: partner
catalog.cattle.io/display-name: Hashicorp Consul
catalog.cattle.io/kube-version: '>=1.22.0-0'
catalog.cattle.io/release-name: consul
apiVersion: v2
appVersion: 1.19.2
description: Official HashiCorp Consul Chart
home: https://www.consul.io
icon: file://assets/icons/consul.png
kubeVersion: '>=1.22.0-0'
name: consul
sources:
- https://github.com/hashicorp/consul
- https://github.com/hashicorp/consul-k8s
version: 1.5.3
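Review bot: `kubeVersion: '>=1.22.0-0'` and `catalog.cattle.io/kube-version: '>=1.22.0-0'` disagree with the README added in this same commit, which states the chart is tested on Kubernetes 1.27.x - 1.30.x and is untested on anything earlier; either raise the constraint to match or have the README state that 1.22 is the hard floor. Pinning all four images under `artifacthub.io/images` and publishing the signing-key fingerprint under `artifacthub.io/signKey` is good; the fingerprint only helps consumers who run `helm verify` against the chart's `.prov` file, so the install instructions should mention that step.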

View File

@ -0,0 +1,109 @@
# Consul on Kubernetes Helm Chart
---
**We're looking for feedback on how folks are using Consul on Kubernetes. Please fill out our brief [survey](https://hashicorp.sjc1.qualtrics.com/jfe/form/SV_4MANbw1BUku7YhL)!**
## Overview
This is the Official HashiCorp Helm chart for installing and configuring Consul on Kubernetes. This chart supports multiple use cases of Consul on Kubernetes, depending on the values provided.
For full documentation on this Helm chart along with all the ways you can use Consul with Kubernetes, please see the Consul and Kubernetes documentation.
> :warning: **Please note**: We take Consul's security and our users' trust very seriously. If
you believe you have found a security issue in Consul K8s, _please responsibly disclose_
by contacting us at [security@hashicorp.com](mailto:security@hashicorp.com).
## Features
* [**Consul Service Mesh**](https://www.consul.io/docs/k8s/connect):
Run Consul Service Mesh on Kubernetes. This feature
injects Envoy sidecars and registers your Pods with Consul.
* [**Catalog Sync**](https://www.consul.io/docs/k8s/service-sync):
Sync Consul services into first-class Kubernetes services and vice versa.
This enables Kubernetes to easily access external services and for
non-Kubernetes nodes to easily discover and access Kubernetes services.
## Installation
`consul-k8s` is distributed in multiple forms:
* The recommended installation method is the official
[Consul Helm chart](https://github.com/hashicorp/consul-k8s/tree/main/charts/consul). This will
automatically configure the Consul and Kubernetes integration to run within
an existing Kubernetes cluster.
* A [Docker image `hashicorp/consul-k8s-control-plane`](https://hub.docker.com/r/hashicorp/consul-k8s-control-plane) is available. This can be used to manually run `consul-k8s-control-plane` within a scheduled environment.
* Consul K8s CLI, distributed as `consul-k8s`, can be used to install and uninstall Consul Kubernetes. See the [Consul K8s CLI Reference](https://www.consul.io/docs/k8s/k8s-cli) for more details on usage.
### Prerequisites
The following pre-requisites must be met before installing Consul on Kubernetes.
* **Kubernetes 1.27.x - 1.30.x** - This represents the earliest versions of Kubernetes tested.
It is possible that this chart works with earlier versions, but it is
untested.
* Helm install
* **Helm 3.6+** for Helm based installs.
* Consul K8s CLI based install
* `kubectl` configured to authenticate to a Kubernetes cluster with a valid `kubeconfig` file.
* `brew`, `yum`, or `apt` package manager on your local machine
### CLI
The Consul K8s CLI is the easiest way to get up and running with Consul on Kubernetes. See [Install Consul on K8s CLI](https://developer.hashicorp.com/consul/docs/k8s/installation/install-cli#install-the-cli) for more details on installation, and refer to
[Consul on Kubernetes CLI Reference](https://developer.hashicorp.com/consul/docs/k8s/k8s-cli) for more details on subcommands and a list of all available flags
for each subcommand.
1. Install the HashiCorp tap, which is a repository of all Homebrew packages for HashiCorp:
``` bash
brew tap hashicorp/tap
```
2. Install the Consul K8s CLI with hashicorp/tap/consul formula.
``` bash
brew install hashicorp/tap/consul-k8s
```
3. Issue the install subcommand to install Consul on Kubernetes:
``` bash
consul-k8s install
```
### Helm
The Helm chart is ideal for those who prefer to use Helm for automation for either the installation or upgrade of Consul on Kubernetes. The chart supports multiple use cases of Consul on Kubernetes, depending on the values provided. Detailed installation instructions for Consul on Kubernetes are found [here](https://www.consul.io/docs/k8s/installation/overview).
1. Add the HashiCorp Helm repository:
``` bash
helm repo add hashicorp https://helm.releases.hashicorp.com
```
2. Ensure you have access to the Consul Helm chart and you see the latest chart version listed. If you have previously added the
HashiCorp Helm repository, run `helm repo update`.
``` bash
helm search repo hashicorp/consul
```
3. Now you're ready to install Consul! To install Consul with the default configuration using Helm 3.2 run the following command below.
This will create a `consul` Kubernetes namespace if not already present, and install Consul on the dedicated namespace.
``` bash
helm install consul hashicorp/consul --set global.name=consul --create-namespace -n consul
Please see the many options supported in the `values.yaml`
file. These are also fully documented directly on the
[Consul website](https://www.consul.io/docs/platform/k8s/helm.html).
## Tutorials
You can find examples and complete tutorials on how to deploy Consul on
Kubernetes using Helm on the [HashiCorp Learn website](https://learn.hashicorp.com/collections/consul/kubernetes).
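Review bot: the fenced block opened at the `helm install consul hashicorp/consul --set global.name=consul --create-namespace -n consul` step is never closed, so the `Please see the many options supported in the values.yaml` paragraph and its link render inside the code block; add the closing ``` after the `helm install` line. Two version statements in the same file also conflict: Prerequisites require `Helm 3.6+` while the install step says `using Helm 3.2`, and `Kubernetes 1.27.x - 1.30.x` is described as `the earliest versions of Kubernetes tested` although it is a range, not a floor (and Chart.yaml in this commit allows `>=1.22.0-0`). Pick one Helm minimum and one Kubernetes statement and use them in both places.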

View File

@ -0,0 +1,37 @@
#!/usr/bin/env bash
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: MPL-2.0
WD=$(dirname "$0")
WD=$(cd "$WD"; pwd)
set -eux
TEMPLATES="${WD}/../templates"
DASHBOARDS="${WD}/dashboards"
TMP=$(mktemp -d)
# create Prometheus template
helm template prometheus prometheus \
--repo https://prometheus-community.github.io/helm-charts \
--namespace "replace-me-namespace" \
--version 13.2.1 \
-f "${WD}/values/prometheus.yaml" \
> "${TEMPLATES}/prometheus.yaml"
# Find and replace `replace-me-namespace` with `{{ .Release.Namespace }}` in Prometheus template.
sed -i'.orig' 's/replace-me-namespace/{{ .Release.Namespace }}/g' "${TEMPLATES}/prometheus.yaml"
# Add a comment to the top of the template file mentioning that the file is auto-generated.
sed -i'.orig' '1i\
# This file is auto-generated, see addons/gen.sh
' "${TEMPLATES}/prometheus.yaml"
# Add `{{- if .Values.prometheus.enabled }} to the top of the Prometheus template to ensure it is only templated when enabled.
sed -i'.orig' '1i\
{{- if .Values.prometheus.enabled }}
' "${TEMPLATES}/prometheus.yaml"
# Add `{{- end }} to the bottom of the Prometheus template to ensure it is only templated when enabled (closes the `if` statement).
sed -i'.orig' -e '$a\
{{- end }}' "${TEMPLATES}/prometheus.yaml"
# Remove the `prometheus.yaml.orig` file that is created as a side-effect of the `sed` command on OS X.
rm "${TEMPLATES}/prometheus.yaml.orig"
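Review bot: `WD=$(cd "$WD"; pwd)` runs before `set -eux`, so if the `cd` fails the subshell still prints the caller's working directory and the script goes on writing `${TEMPLATES}/prometheus.yaml` relative to the wrong tree; use `WD=$(cd "$WD" && pwd)` and move `set -eux` above it. The generated template is only as trustworthy as what `https://prometheus-community.github.io/helm-charts` serves for `--version 13.2.1` at regeneration time, so anyone re-running this script should diff the freshly generated output against the committed `templates/prometheus.yaml` rather than treat the pinned version as immutable. Minor: the closing comment says the `.orig` backup is an OS X side effect, but `-i'.orig'` creates the backup with GNU sed as well, so the `rm` is needed on every platform.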

View File

@ -0,0 +1,21 @@
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: MPL-2.0
# Disable non-essential components
alertmanager:
enabled: false
pushgateway:
enabled: false
kubeStateMetrics:
enabled: false
nodeExporter:
enabled: false
server:
podAnnotations:
"consul.hashicorp.com/connect-inject": "false"
persistentVolume:
enabled: false
readinessProbeInitialDelay: 0
# Speed up scraping a bit from the default
global:
scrape_interval: 15s
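Review bot: `"consul.hashicorp.com/connect-inject": "false"` on the Prometheus server pod keeps it outside the mesh, so its scrapes are not covered by the mesh's mTLS, and together with `persistentVolume.enabled: false` and alertmanager, pushgateway, kube-state-metrics and node-exporter all turned off this is a demo-grade addon. A one-line comment at the top of the file saying so would stop someone enabling `prometheus.enabled` in production and expecting authenticated scrapes or durable metrics.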

Binary file not shown.

Width:  |  Height:  |  Size: 7.8 KiB

View File

@ -0,0 +1,21 @@
Thank you for installing HashiCorp Consul!
Your release is named {{ .Release.Name }}.
To learn more about the release, run:
$ helm status {{ .Release.Name }} {{- if .Release.Namespace }} --namespace {{ .Release.Namespace }}{{ end }}
$ helm get all {{ .Release.Name }} {{- if .Release.Namespace }} --namespace {{ .Release.Namespace }}{{ end }}
Consul on Kubernetes Documentation:
https://www.consul.io/docs/platform/k8s
Consul on Kubernetes CLI Reference:
https://www.consul.io/docs/k8s/k8s-cli
{{- if (and .Values.global.acls.manageSystemACLs (gt (len .Values.server.extraConfig) 3)) }}
Warning: Defining server extraConfig potentially disrupts the automatic ACL
bootstrapping required settings. This may cause future issues if
there are conflicts.
{{- end }}
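Review bot: `gt (len .Values.server.extraConfig) 3` is a brittle proxy for "the user set extraConfig": it keys on the byte length of the JSON string, so a whitespace-padded empty object such as `{ }` with a trailing newline trips the warning even though nothing was configured. Compare the trimmed string against the default instead, e.g. `{{- if (and .Values.global.acls.manageSystemACLs (ne (trim .Values.server.extraConfig) "{}")) }}`, which also reads as what it means. The `helm status` / `helm get all` lines correctly append `--namespace` only when one is set.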

View File

@ -0,0 +1,704 @@
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to
this (by the DNS naming spec). Supports the legacy fullnameOverride setting
as well as the global.name setting.
*/}}
{{- define "consul.fullname" -}}
{{- if .Values.fullnameOverride -}}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
{{- else if .Values.global.name -}}
{{- .Values.global.name | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- $name := default .Chart.Name .Values.nameOverride -}}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- end -}}
{{- define "consul.restrictedSecurityContext" -}}
{{- if not .Values.global.enablePodSecurityPolicies -}}
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
capabilities:
drop:
- ALL
add:
- NET_BIND_SERVICE
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
{{- if not .Values.global.openshift.enabled -}}
{{/*
We must set runAsUser or else the root user will be used in some cases and
containers will fail to start due to runAsNonRoot above (e.g.
tls-init-cleanup). On OpenShift, runAsUser is automatically. We pick user 100
because it is a non-root user id that exists in the consul, consul-dataplane,
and consul-k8s-control-plane images.
*/}}
runAsUser: 100
{{- end -}}
{{- end -}}
{{- end -}}
{{- define "consul.vaultSecretTemplate" -}}
|
{{ "{{" }}- with secret "{{ .secretName }}" -{{ "}}" }}
{{ "{{" }}- {{ printf ".Data.data.%s" .secretKey }} -{{ "}}" }}
{{ "{{" }}- end -{{ "}}" }}
{{- end -}}
{{- define "consul.vaultCATemplate" -}}
|
{{ "{{" }}- with secret "{{ .secretName }}" -{{ "}}" }}
{{ "{{" }}- .Data.certificate -{{ "}}" }}
{{ "{{" }}- end -{{ "}}" }}
{{- end -}}
{{- define "consul.serverTLSCATemplate" -}}
{{ include "consul.vaultCATemplate" .Values.global.tls.caCert }}
{{- end -}}
{{- define "consul.serverTLSCertTemplate" -}}
|
{{ "{{" }}- with secret "{{ .Values.server.serverCert.secretName }}" "{{ printf "common_name=server.%s.%s" .Values.global.datacenter .Values.global.domain }}"
"alt_names={{ include "consul.serverTLSAltNames" . }}" "ip_sans=127.0.0.1{{ include "consul.serverAdditionalIPSANs" . }}" -{{ "}}" }}
{{ "{{" }}- .Data.certificate -{{ "}}" }}
{{ "{{" }}- if .Data.ca_chain -{{ "}}" }}
{{ "{{" }}- $lastintermediatecertindex := len .Data.ca_chain | subtract 1 -{{ "}}" }}
{{ "{{" }} range $index, $cacert := .Data.ca_chain {{ "}}" }}
{{ "{{" }} if (lt $index $lastintermediatecertindex) {{ "}}" }}
{{ "{{" }} $cacert {{ "}}" }}
{{ "{{" }} end {{ "}}" }}
{{ "{{" }} end {{ "}}" }}
{{ "{{" }}- end -{{ "}}" }}
{{ "{{" }}- end -{{ "}}" }}
{{- end -}}
{{- define "consul.serverTLSKeyTemplate" -}}
|
{{ "{{" }}- with secret "{{ .Values.server.serverCert.secretName }}" "{{ printf "common_name=server.%s.%s" .Values.global.datacenter .Values.global.domain }}"
"alt_names={{ include "consul.serverTLSAltNames" . }}" "ip_sans=127.0.0.1{{ include "consul.serverAdditionalIPSANs" . }}" -{{ "}}" }}
{{ "{{" }}- .Data.private_key -{{ "}}" }}
{{ "{{" }}- end -{{ "}}" }}
{{- end -}}
{{- define "consul.connectInjectWebhookTLSCertTemplate" -}}
|
{{ "{{" }}- with secret "{{ .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName }}" "{{- $name := include "consul.fullname" . -}}{{ printf "common_name=%s-connect-injector" $name }}"
"alt_names={{ include "consul.connectInjectorTLSAltNames" . }}" -{{ "}}" }}
{{ "{{" }}- .Data.certificate -{{ "}}" }}
{{ "{{" }}- end -{{ "}}" }}
{{- end -}}
{{- define "consul.connectInjectWebhookTLSKeyTemplate" -}}
|
{{ "{{" }}- with secret "{{ .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName }}" "{{- $name := include "consul.fullname" . -}}{{ printf "common_name=%s-connect-injector" $name }}"
"alt_names={{ include "consul.connectInjectorTLSAltNames" . }}" -{{ "}}" }}
{{ "{{" }}- .Data.private_key -{{ "}}" }}
{{ "{{" }}- end -{{ "}}" }}
{{- end -}}
{{- define "consul.serverTLSAltNames" -}}
{{- $name := include "consul.fullname" . -}}
{{- $ns := .Release.Namespace -}}
{{ printf "localhost,%s-server,*.%s-server,*.%s-server.%s,%s-server.%s,*.%s-server.%s.svc,%s-server.%s.svc,*.server.%s.%s" $name $name $name $ns $name $ns $name $ns $name $ns (.Values.global.datacenter ) (.Values.global.domain) }}{{ include "consul.serverAdditionalDNSSANs" . }}
{{- end -}}
{{- define "consul.serverAdditionalDNSSANs" -}}
{{- if .Values.global.tls -}}{{- if .Values.global.tls.serverAdditionalDNSSANs -}}{{- range $san := .Values.global.tls.serverAdditionalDNSSANs }},{{ $san }} {{- end -}}{{- end -}}{{- end -}}
{{- end -}}
{{- define "consul.serverAdditionalIPSANs" -}}
{{- if .Values.global.tls -}}{{- if .Values.global.tls.serverAdditionalIPSANs -}}{{- range $san := .Values.global.tls.serverAdditionalIPSANs }},{{ $san }} {{- end -}}{{- end -}}{{- end -}}
{{- end -}}
{{- define "consul.connectInjectorTLSAltNames" -}}
{{- $name := include "consul.fullname" . -}}
{{- $ns := .Release.Namespace -}}
{{ printf "%s-connect-injector,%s-connect-injector.%s,%s-connect-injector.%s.svc,%s-connect-injector.%s.svc.cluster.local" $name $name $ns $name $ns $name $ns}}
{{- end -}}
{{- define "consul.vaultReplicationTokenTemplate" -}}
|
{{ "{{" }}- with secret "{{ .Values.global.acls.replicationToken.secretName }}" -{{ "}}" }}
{{ "{{" }}- {{ printf ".Data.data.%s" .Values.global.acls.replicationToken.secretKey }} -{{ "}}" }}
{{ "{{" }}- end -{{ "}}" }}
{{- end -}}
{{- define "consul.vaultReplicationTokenConfigTemplate" -}}
|
{{ "{{" }}- with secret "{{ .Values.global.acls.replicationToken.secretName }}" -{{ "}}" }}
acl { tokens { agent = "{{ "{{" }}- {{ printf ".Data.data.%s" .Values.global.acls.replicationToken.secretKey }} -{{ "}}" }}", replication = "{{ "{{" }}- {{ printf ".Data.data.%s" .Values.global.acls.replicationToken.secretKey }} -{{ "}}" }}" }}
{{ "{{" }}- end -{{ "}}" }}
{{- end -}}
{{- define "consul.vaultBootstrapTokenConfigTemplate" -}}
|
{{ "{{" }}- with secret "{{ .Values.global.acls.bootstrapToken.secretName }}" -{{ "}}" }}
acl { tokens { initial_management = "{{ "{{" }}- {{ printf ".Data.data.%s" .Values.global.acls.bootstrapToken.secretKey }} -{{ "}}" }}" }}
{{ "{{" }}- end -{{ "}}" }}
{{- end -}}
{{/*
Sets up the extra-from-values config file passed to consul and then uses sed to do any necessary
substitution for HOST_IP/POD_IP/HOSTNAME. Useful for dogstats telemetry. The output file
is passed to consul as a -config-file param on command line.
*/}}
{{- define "consul.extraconfig" -}}
cp /consul/tmp/extra-config/extra-from-values.json /consul/extra-config/extra-from-values.json
[ -n "${HOST_IP}" ] && sed -Ei "s|HOST_IP|${HOST_IP?}|g" /consul/extra-config/extra-from-values.json
[ -n "${POD_IP}" ] && sed -Ei "s|POD_IP|${POD_IP?}|g" /consul/extra-config/extra-from-values.json
[ -n "${HOSTNAME}" ] && sed -Ei "s|HOSTNAME|${HOSTNAME?}|g" /consul/extra-config/extra-from-values.json
{{- end -}}
{{/*
Cleanup server.extraConfig entries to avoid conflicting entries:
- server.enableAgentDebug:
- `enable_debug` should not exist in extraConfig
- metrics.disableAgentHostName:
- if global.metrics.enabled and global.metrics.enableAgentMetrics are enabled, `disable_hostname` should not exist in extraConfig
- metrics.enableHostMetrics:
- if global.metrics.enabled and global.metrics.enableAgentMetrics are enabled, `enable_host_metrics` should not exist in extraConfig
- metrics.prefixFilter
- if global.metrics.enabled and global.metrics.enableAgentMetrics are enabled, `prefix_filter` should not exist in extraConfig
- metrics.datadog.enabled:
- if global.metrics.datadog.enabled and global.metrics.datadog.dogstatsd.enabled, `dogstatsd_tags` and `dogstatsd_addr` should not exist in extraConfig
Usage: {{ template "consul.validateExtraConfig" . }}
*/}}
{{- define "consul.validateExtraConfig" -}}
{{- if (contains "enable_debug" .Values.server.extraConfig) }}{{ fail "The enable_debug key is present in extra-from-values.json. Use server.enableAgentDebug to set this value." }}{{- end }}
{{- if (contains "disable_hostname" .Values.server.extraConfig) }}{{ fail "The disable_hostname key is present in extra-from-values.json. Use global.metrics.disableAgentHostName to set this value." }}{{- end }}
{{- if (contains "enable_host_metrics" .Values.server.extraConfig) }}{{ fail "The enable_host_metrics key is present in extra-from-values.json. Use global.metrics.enableHostMetrics to set this value." }}{{- end }}
{{- if (contains "prefix_filter" .Values.server.extraConfig) }}{{ fail "The prefix_filter key is present in extra-from-values.json. Use global.metrics.prefix_filter to set this value." }}{{- end }}
{{- if (and .Values.global.metrics.enabled .Values.global.metrics.enableAgentMetrics) }}{{- if (and .Values.global.metrics.datadog.dogstatsd.enabled) }}{{- if (contains "dogstatsd_tags" .Values.server.extraConfig) }}{{ fail "The dogstatsd_tags key is present in extra-from-values.json. Use global.metrics.datadog.dogstatsd.dogstatsdTags to set this value." }}{{- end }}{{- end }}{{- if (and .Values.global.metrics.datadog.dogstatsd.enabled) }}{{- if (contains "dogstatsd_addr" .Values.server.extraConfig) }}{{ fail "The dogstatsd_addr key is present in extra-from-values.json. Use global.metrics.datadog.dogstatsd.dogstatsd_addr to set this value." }}{{- end }}{{- end }}{{- end }}
{{- end -}}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "consul.chart" -}}
{{- printf "%s-helm" .Chart.Name | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Expand the name of the chart.
*/}}
{{- define "consul.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Calculate max number of server pods that are allowed to be voluntarily disrupted.
When there's 1 server, this is set to 0 because this pod should not be disrupted. This is an edge
case and I'm not sure it makes a difference when there's only one server but that's what the previous config was and
I don't want to change it for this edge case.
Otherwise we've changed this to always be 1 as part of the move to set leave_on_terminate
to true. With leave_on_terminate set to true, whenever a server pod is stopped, the number of peers in raft
is reduced. If the number of servers is odd and the count is reduced by 1, the quorum size doesn't change,
but if it's reduced by more than 1, the quorum size can change so that's why this is now always hardcoded to 1.
*/}}
{{- define "consul.server.pdb.maxUnavailable" -}}
{{- if eq (int .Values.server.replicas) 1 -}}
{{ 0 }}
{{- else if .Values.server.disruptionBudget.maxUnavailable -}}
{{ .Values.server.disruptionBudget.maxUnavailable -}}
{{- else -}}
{{ 1 }}
{{- end -}}
{{- end -}}
{{- define "consul.server.autopilotMinQuorum" -}}
{{- add (div (int .Values.server.replicas) 2) 1 -}}
{{- end -}}
{{- define "consul.pdb.connectInject.maxUnavailable" -}}
{{- if eq (int .Values.connectInject.replicas) 1 -}}
{{ 0 }}
{{- else if .Values.connectInject.disruptionBudget.maxUnavailable -}}
{{ .Values.connectInject.disruptionBudget.maxUnavailable -}}
{{- else -}}
{{- if eq (int .Values.connectInject.replicas) 3 -}}
{{- 1 -}}
{{- else -}}
{{- sub (div (int .Values.connectInject.replicas) 2) 1 -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{/*
Inject extra environment vars in the format key:value, if populated
*/}}
{{- define "consul.extraEnvironmentVars" -}}
{{- if .extraEnvironmentVars -}}
{{- range $key, $value := .extraEnvironmentVars }}
- name: {{ $key }}
value: {{ $value | quote }}
{{- end -}}
{{- end -}}
{{- end -}}
{{/*
Get Consul client CA to use when auto-encrypt is enabled.
This template is for an init container.
*/}}
{{- define "consul.getAutoEncryptClientCA" -}}
- name: get-auto-encrypt-client-ca
image: {{ .Values.global.imageK8S }}
{{ template "consul.imagePullPolicy" . }}
command:
- "/bin/sh"
- "-ec"
- |
consul-k8s-control-plane get-consul-client-ca \
-output-file=/consul/tls/client/ca/tls.crt \
-consul-api-timeout={{ .Values.global.consulAPITimeout }} \
{{- if .Values.global.cloud.enabled }}
-tls-server-name=server.{{.Values.global.datacenter}}.{{.Values.global.domain}} \
{{- end}}
{{- if .Values.externalServers.enabled }}
{{- if and .Values.externalServers.enabled (not .Values.externalServers.hosts) }}{{ fail "externalServers.hosts must be set if externalServers.enabled is true" }}{{ end -}}
-server-addr={{ quote (first .Values.externalServers.hosts) }} \
-server-port={{ .Values.externalServers.httpsPort }} \
{{- if .Values.externalServers.tlsServerName }}
-tls-server-name={{ .Values.externalServers.tlsServerName }} \
{{- end }}
{{- else }}
-server-addr={{ template "consul.fullname" . }}-server \
-server-port=8501 \
{{- end }}
{{- if or (not .Values.externalServers.enabled) (and .Values.externalServers.enabled (not .Values.externalServers.useSystemRoots)) }}
{{- if .Values.global.secretsBackend.vault.enabled }}
-ca-file=/vault/secrets/serverca.crt
{{- else }}
-ca-file=/consul/tls/ca/tls.crt
{{- end }}
{{- end }}
volumeMounts:
{{- if not (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) }}
{{- if not .Values.global.secretsBackend.vault.enabled }}
- name: consul-ca-cert
mountPath: /consul/tls/ca
{{- end }}
{{- end }}
- name: consul-auto-encrypt-ca-cert
mountPath: /consul/tls/client/ca
resources:
requests:
memory: "50Mi"
cpu: "50m"
limits:
memory: "50Mi"
cpu: "50m"
{{- end -}}
{{/*
Fails when a reserved name is passed in. This should be used to test against
Consul namespaces and partition names.
This template accepts an array that contains two elements. The first element
is the name that's being checked and the second is the name of the values.yaml
key that's setting the name.
Usage: {{ template "consul.reservedNamesFailer" (list .Values.key "key") }}
*/}}
{{- define "consul.reservedNamesFailer" -}}
{{- $name := index . 0 -}}
{{- $key := index . 1 -}}
{{- if or (eq "system" $name) (eq "universal" $name) (eq "operator" $name) (eq "root" $name) }}
{{- fail (cat "The name" $name "set for key" $key "is reserved by Consul for future use." ) }}
{{- end }}
{{- end -}}
{{/*
Fails when at least one but not all of the following have been set:
- global.secretsBackend.vault.connectInjectRole
- global.secretsBackend.vault.connectInject.tlsCert.secretName
- global.secretsBackend.vault.connectInject.caCert.secretName
The above values are needed in full to turn off web cert manager and allow
connect inject to manage its own webhook certs.
Usage: {{ template "consul.validateVaultWebhookCertConfiguration" . }}
*/}}
{{- define "consul.validateVaultWebhookCertConfiguration" -}}
{{- if or .Values.global.secretsBackend.vault.connectInjectRole .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName .Values.global.secretsBackend.vault.connectInject.caCert.secretName}}
{{- if or (not .Values.global.secretsBackend.vault.connectInjectRole) (not .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName) (not .Values.global.secretsBackend.vault.connectInject.caCert.secretName) }}
{{fail "When one of the following has been set, all must be set: global.secretsBackend.vault.connectInjectRole, global.secretsBackend.vault.connectInject.tlsCert.secretName, global.secretsBackend.vault.connectInject.caCert.secretName"}}
{{ end }}
{{ end }}
{{- end -}}
{{/*
Consul server environment variables for consul-k8s commands.
*/}}
{{- define "consul.consulK8sConsulServerEnvVars" -}}
- name: CONSUL_ADDRESSES
{{- if .Values.externalServers.enabled }}
value: {{ .Values.externalServers.hosts | first }}
{{- else }}
value: {{ template "consul.fullname" . }}-server.{{ .Release.Namespace }}.svc
{{- end }}
- name: CONSUL_GRPC_PORT
{{- if .Values.externalServers.enabled }}
value: "{{ .Values.externalServers.grpcPort }}"
{{- else }}
value: "8502"
{{- end }}
- name: CONSUL_HTTP_PORT
{{- if .Values.externalServers.enabled }}
value: "{{ .Values.externalServers.httpsPort }}"
{{- else if .Values.global.tls.enabled }}
value: "8501"
{{- else }}
value: "8500"
{{- end }}
- name: CONSUL_DATACENTER
value: {{ .Values.global.datacenter }}
- name: CONSUL_API_TIMEOUT
value: {{ .Values.global.consulAPITimeout }}
{{- if .Values.global.adminPartitions.enabled }}
- name: CONSUL_PARTITION
value: {{ .Values.global.adminPartitions.name }}
{{- if .Values.global.acls.manageSystemACLs }}
- name: CONSUL_LOGIN_PARTITION
value: {{ .Values.global.adminPartitions.name }}
{{- end }}
{{- end }}
{{- if .Values.global.tls.enabled }}
- name: CONSUL_USE_TLS
value: "true"
{{- if (not (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots)) }}
- name: CONSUL_CACERT_FILE
{{- if .Values.global.secretsBackend.vault.enabled }}
value: "/vault/secrets/serverca.crt"
{{- else }}
value: "/consul/tls/ca/tls.crt"
{{- end }}
{{- end }}
{{- if and .Values.externalServers.enabled .Values.externalServers.tlsServerName }}
- name: CONSUL_TLS_SERVER_NAME
value: {{ .Values.externalServers.tlsServerName }}
{{- else if .Values.global.cloud.enabled }}
- name: CONSUL_TLS_SERVER_NAME
value: server.{{ .Values.global.datacenter}}.{{ .Values.global.domain}}
{{- end }}
{{- end }}
{{- if and .Values.externalServers.enabled .Values.externalServers.skipServerWatch }}
- name: CONSUL_SKIP_SERVER_WATCH
value: "true"
{{- end }}
{{- end -}}
{{/*
Fails global.cloud.enabled is true and one of the following secrets is nil or empty.
- global.cloud.resourceId.secretName
- global.cloud.clientId.secretName
- global.cloud.clientSecret.secretName
Usage: {{ template "consul.validateRequiredCloudSecretsExist" . }}
*/}}
{{- define "consul.validateRequiredCloudSecretsExist" -}}
{{- if (and .Values.global.cloud.enabled (or (not .Values.global.cloud.resourceId.secretName) (not .Values.global.cloud.clientId.secretName) (not .Values.global.cloud.clientSecret.secretName))) }}
{{fail "When global.cloud.enabled is true, global.cloud.resourceId.secretName, global.cloud.clientId.secretName, and global.cloud.clientSecret.secretName must also be set."}}
{{- end }}
{{- end -}}
{{/*
Fails global.cloud.enabled is true and one of the following secrets has either an empty secretName or secretKey.
- global.cloud.resourceId.secretName / secretKey
- global.cloud.clientId.secretName / secretKey
- global.cloud.clientSecret.secretName / secretKey
- global.cloud.authUrl.secretName / secretKey
- global.cloud.apiHost.secretName / secretKey
- global.cloud.scadaAddress.secretName / secretKey
Usage: {{ template "consul.validateCloudSecretKeys" . }}
*/}}
{{- define "consul.validateCloudSecretKeys" -}}
{{- if and .Values.global.cloud.enabled }}
{{- if or (and .Values.global.cloud.resourceId.secretName (not .Values.global.cloud.resourceId.secretKey)) (and .Values.global.cloud.resourceId.secretKey (not .Values.global.cloud.resourceId.secretName)) }}
{{fail "When either global.cloud.resourceId.secretName or global.cloud.resourceId.secretKey is defined, both must be set."}}
{{- end }}
{{- if or (and .Values.global.cloud.clientId.secretName (not .Values.global.cloud.clientId.secretKey)) (and .Values.global.cloud.clientId.secretKey (not .Values.global.cloud.clientId.secretName)) }}
{{fail "When either global.cloud.clientId.secretName or global.cloud.clientId.secretKey is defined, both must be set."}}
{{- end }}
{{- if or (and .Values.global.cloud.clientSecret.secretName (not .Values.global.cloud.clientSecret.secretKey)) (and .Values.global.cloud.clientSecret.secretKey (not .Values.global.cloud.clientSecret.secretName)) }}
{{fail "When either global.cloud.clientSecret.secretName or global.cloud.clientSecret.secretKey is defined, both must be set."}}
{{- end }}
{{- if or (and .Values.global.cloud.authUrl.secretName (not .Values.global.cloud.authUrl.secretKey)) (and .Values.global.cloud.authUrl.secretKey (not .Values.global.cloud.authUrl.secretName)) }}
{{fail "When either global.cloud.authUrl.secretName or global.cloud.authUrl.secretKey is defined, both must be set."}}
{{- end }}
{{- if or (and .Values.global.cloud.apiHost.secretName (not .Values.global.cloud.apiHost.secretKey)) (and .Values.global.cloud.apiHost.secretKey (not .Values.global.cloud.apiHost.secretName)) }}
{{fail "When either global.cloud.apiHost.secretName or global.cloud.apiHost.secretKey is defined, both must be set."}}
{{- end }}
{{- if or (and .Values.global.cloud.scadaAddress.secretName (not .Values.global.cloud.scadaAddress.secretKey)) (and .Values.global.cloud.scadaAddress.secretKey (not .Values.global.cloud.scadaAddress.secretName)) }}
{{fail "When either global.cloud.scadaAddress.secretName or global.cloud.scadaAddress.secretKey is defined, both must be set."}}
{{- end }}
{{- end }}
{{- end -}}
{{/*
Fails if telemetryCollector.clientId or telemetryCollector.clientSecret exist and one of other secrets is nil or empty.
- telemetryCollector.cloud.clientId.secretName
- telemetryCollector.cloud.clientSecret.secretName
- global.cloud.resourceId.secretName
Usage: {{ template "consul.validateTelemetryCollectorCloud" . }}
*/}}
{{- define "consul.validateTelemetryCollectorCloud" -}}
{{- if (and .Values.telemetryCollector.cloud.clientId.secretName (and (not .Values.global.cloud.clientSecret.secretName) (not .Values.telemetryCollector.cloud.clientSecret.secretName))) }}
{{fail "When telemetryCollector.cloud.clientId.secretName is set, telemetryCollector.cloud.clientSecret.secretName must also be set." }}
{{- end }}
{{- if (and .Values.telemetryCollector.cloud.clientSecret.secretName (and (not .Values.global.cloud.clientId.secretName) (not .Values.telemetryCollector.cloud.clientId.secretName))) }}
{{fail "When telemetryCollector.cloud.clientSecret.secretName is set, telemetryCollector.cloud.clientId.secretName must also be set." }}
{{- end }}
{{- end }}
{{/**/}}
{{- define "consul.validateTelemetryCollectorCloudSecretKeys" -}}
{{- if or (and .Values.telemetryCollector.cloud.clientId.secretName (not .Values.telemetryCollector.cloud.clientId.secretKey)) (and .Values.telemetryCollector.cloud.clientId.secretKey (not .Values.telemetryCollector.cloud.clientId.secretName)) }}
{{fail "When either telemetryCollector.cloud.clientId.secretName or telemetryCollector.cloud.clientId.secretKey is defined, both must be set."}}
{{- end }}
{{- if or (and .Values.telemetryCollector.cloud.clientSecret.secretName (not .Values.telemetryCollector.cloud.clientSecret.secretKey)) (and .Values.telemetryCollector.cloud.clientSecret.secretKey (not .Values.telemetryCollector.cloud.clientSecret.secretName)) }}
{{fail "When either telemetryCollector.cloud.clientSecret.secretName or telemetryCollector.cloud.clientSecret.secretKey is defined, both must be set."}}
{{- end }}
{{- if or (and .Values.telemetryCollector.cloud.clientSecret.secretName .Values.telemetryCollector.cloud.clientSecret.secretKey .Values.telemetryCollector.cloud.clientId.secretName .Values.telemetryCollector.cloud.clientId.secretKey (not (or .Values.telemetryCollector.cloud.resourceId.secretName .Values.global.cloud.resourceId.secretName))) }}
{{fail "When telemetryCollector has clientId and clientSecret, telemetryCollector.cloud.resourceId.secretName or global.cloud.resourceId.secretName must be set"}}
{{- end }}
{{- if or (and .Values.telemetryCollector.cloud.clientSecret.secretName .Values.telemetryCollector.cloud.clientSecret.secretKey .Values.telemetryCollector.cloud.clientId.secretName .Values.telemetryCollector.cloud.clientId.secretKey (not (or .Values.telemetryCollector.cloud.resourceId.secretKey .Values.global.cloud.resourceId.secretKey))) }}
{{fail "When telemetryCollector has clientId and clientSecret, telemetryCollector.cloud.resourceId.secretKey or global.cloud.resourceId.secretKey must be set"}}
{{- end }}
{{- end -}}
{{/*
Fails if telemetryCollector.cloud.resourceId is set but differs from global.cloud.resourceId. This should never happen. Either one or both are set, but they should never differ.
If they differ, that implies we're configuring servers for one HCP Consul cluster but pushing envoy metrics for a different HCP Consul cluster. A user could set the same value
in two secrets (it's questionable whether resourceId should be a secret at all) but we won't know at this point, so we just check secret name+key.
Usage: {{ template "consul.validateTelemetryCollectorResourceId" . }}
*/}}
{{- define "consul.validateTelemetryCollectorResourceId" -}}
{{- if and (and .Values.telemetryCollector.cloud.resourceId.secretName .Values.global.cloud.resourceId.secretName) (not (eq .Values.telemetryCollector.cloud.resourceId.secretName .Values.global.cloud.resourceId.secretName)) }}
{{fail "When both global.cloud.resourceId.secretName and telemetryCollector.cloud.resourceId.secretName are set, they should be the same."}}
{{- end }}
{{- if and (and .Values.telemetryCollector.cloud.resourceId.secretKey .Values.global.cloud.resourceId.secretKey) (not (eq .Values.telemetryCollector.cloud.resourceId.secretKey .Values.global.cloud.resourceId.secretKey)) }}
{{fail "When both global.cloud.resourceId.secretKey and telemetryCollector.cloud.resourceId.secretKey are set, they should be the same."}}
{{- end }}
{{- end }}
{{/**/}}
{{/*
Fails if global.experiments.resourceAPIs is set along with any of these unsupported features.
- global.peering.enabled
- global.federation.enabled
- global.cloud.enabled
- client.enabled
- ui.enabled
- syncCatalog.enabled
- meshGateway.enabled
- ingressGateways.enabled
- terminatingGateways.enabled
Usage: {{ template "consul.validateResourceAPIs" . }}
*/}}
{{- define "consul.validateResourceAPIs" -}}
{{- if (and (mustHas "resource-apis" .Values.global.experiments) .Values.global.peering.enabled ) }}
{{fail "When the value global.experiments.resourceAPIs is set, global.peering.enabled is currently unsupported."}}
{{- end }}
{{- if (and (mustHas "resource-apis" .Values.global.experiments) (not (mustHas "v2tenancy" .Values.global.experiments)) .Values.global.adminPartitions.enabled ) }}
{{fail "When the value global.experiments.resourceAPIs is set, global.experiments.v2tenancy must also be set to support global.adminPartitions.enabled."}}
{{- end }}
{{- if (and (mustHas "resource-apis" .Values.global.experiments) .Values.global.federation.enabled ) }}
{{fail "When the value global.experiments.resourceAPIs is set, global.federation.enabled is currently unsupported."}}
{{- end }}
{{- if (and (mustHas "resource-apis" .Values.global.experiments) .Values.global.cloud.enabled ) }}
{{fail "When the value global.experiments.resourceAPIs is set, global.cloud.enabled is currently unsupported."}}
{{- end }}
{{- if (and (mustHas "resource-apis" .Values.global.experiments) .Values.client.enabled ) }}
{{fail "When the value global.experiments.resourceAPIs is set, client.enabled is currently unsupported."}}
{{- end }}
{{- if (and (mustHas "resource-apis" .Values.global.experiments) .Values.ui.enabled ) }}
{{fail "When the value global.experiments.resourceAPIs is set, ui.enabled is currently unsupported."}}
{{- end }}
{{- if (and (mustHas "resource-apis" .Values.global.experiments) .Values.syncCatalog.enabled ) }}
{{fail "When the value global.experiments.resourceAPIs is set, syncCatalog.enabled is currently unsupported."}}
{{- end }}
{{- if (and (mustHas "resource-apis" .Values.global.experiments) .Values.ingressGateways.enabled ) }}
{{fail "When the value global.experiments.resourceAPIs is set, ingressGateways.enabled is currently unsupported."}}
{{- end }}
{{- if (and (mustHas "resource-apis" .Values.global.experiments) .Values.terminatingGateways.enabled ) }}
{{fail "When the value global.experiments.resourceAPIs is set, terminatingGateways.enabled is currently unsupported."}}
{{- end }}
{{- end }}
{{/*
Validation for Consul Metrics configuration:
Fail if metrics.enabled=true and metrics.disableAgentHostName=true, but metrics.enableAgentMetrics=false
- metrics.enabled = true
- metrics.enableAgentMetrics = false
- metrics.disableAgentHostName = true
Fail if metrics.enableAgentMetrics=true and metrics.disableAgentHostName=true, but metrics.enabled=false
- metrics.enabled = false
- metrics.enableAgentMetrics = true
- metrics.disableAgentHostName = true
Fail if metrics.enabled=true and metrics.enableHostMetrics=true, but metrics.enableAgentMetrics=false
- metrics.enabled = true
- metrics.enableAgentMetrics = false
- metrics.enableHostMetrics = true
Fail if metrics.enableAgentMetrics=true and metrics.enableHostMetrics=true, but metrics.enabled=false
- metrics.enabled = false
- metrics.enableAgentMetrics = true
- metrics.enableHostMetrics = true
Usage: {{ template "consul.validateMetricsConfig" . }}
*/}}
{{- define "consul.validateMetricsConfig" -}}
{{- if and (not .Values.global.metrics.enableAgentMetrics) (and .Values.global.metrics.disableAgentHostName .Values.global.metrics.enabled )}}
{{fail "When enabling metrics (global.metrics.enabled) and disabling hostname emission from metrics (global.metrics.disableAgentHostName), global.metrics.enableAgentMetrics must be set to true"}}
{{- end }}
{{- if and (not .Values.global.metrics) (and .Values.global.metrics.disableAgentHostName .Values.global.metrics.enableAgentMetrics )}}
{{fail "When enabling Consul agent metrics (global.metrics.enableAgentMetrics) and disabling hostname emission from metrics (global.metrics.disableAgentHostName), global metrics enablement (global.metrics.enabled) must be set to true"}}
{{- end }}
{{- if and (not .Values.global.metrics.enableAgentMetrics) (and .Values.global.metrics.disableAgentHostName .Values.global.metrics.enabled )}}
{{fail "When disabling hostname emission from metrics (global.metrics.disableAgentHostName) and enabling global metrics (global.metrics.enabled), Consul agent metrics must be enabled(global.metrics.enableAgentMetrics=true)"}}
{{- end }}
{{- if and (not .Values.global.metrics.enabled) (and .Values.global.metrics.disableAgentHostName .Values.global.metrics.enableAgentMetrics)}}
{{fail "When enabling Consul agent metrics (global.metrics.enableAgentMetrics) and disabling hostname metrics emission (global.metrics.disableAgentHostName), global metrics must be enabled (global.metrics.enabled)."}}
{{- end }}
{{- end -}}
{{/*
Validation for Consul Datadog Integration deployment:
Fail if Datadog integration enabled and Consul server agent telemetry is not enabled.
- global.metrics.datadog.enabled=true
- global.metrics.enableAgentMetrics=false || global.metrics.enabled=false
Fail if Consul OpenMetrics (Prometheus) and DogStatsD metrics are both enabled and configured.
- global.metrics.datadog.dogstatsd.enabled (scrapes `/v1/agent/metrics?format=prometheus` via the `use_prometheus_endpoint` option)
- global.metrics.datadog.openMetricsPrometheus.enabled (scrapes `/v1/agent/metrics?format=prometheus`)
- see https://docs.datadoghq.com/integrations/consul/?tab=host#host for recommendation to not have both
Fail if Datadog OTLP forwarding is enabled and Consul Telemetry Collection is not enabled.
- global.metrics.datadog.otlp.enabled=true
- telemetryCollector.enabled=false
Fail if Consul Open Telemetry collector forwarding protocol is not one of either "http" or "grpc"
- global.metrics.datadog.otlp.protocol!="http" || global.metrics.datadog.otlp.protocol!="grpc"
Usage: {{ template "consul.validateDatadogConfiguration" . }}
*/}}
{{- define "consul.validateDatadogConfiguration" -}}
{{- if and .Values.global.metrics.datadog.enabled (or (not .Values.global.metrics.enableAgentMetrics) (not .Values.global.metrics.enabled) )}}
{{fail "When enabling datadog metrics collection, the /v1/agent/metrics is required to be accessible, therefore global.metrics.enableAgentMetrics and global.metrics.enabled must be also be enabled."}}
{{- end }}
{{- if and .Values.global.metrics.datadog.dogstatsd.enabled .Values.global.metrics.datadog.openMetricsPrometheus.enabled }}
{{fail "You must have one of DogStatsD (global.metrics.datadog.dogstatsd.enabled) or OpenMetrics (global.metrics.datadog.openMetricsPrometheus.enabled) enabled, not both as this is an unsupported configuration." }}
{{- end }}
{{- if and .Values.global.metrics.datadog.otlp.enabled (not .Values.telemetryCollector.enabled) }}
{{fail "Cannot enable Datadog OTLP metrics collection (global.metrics.datadog.otlp.enabled) without consul-telemetry-collector. Ensure Consul OTLP collection is enabled (telemetryCollector.enabled) and configured." }}
{{- end }}
{{- if and (ne ( lower .Values.global.metrics.datadog.otlp.protocol) "http") (ne ( lower .Values.global.metrics.datadog.otlp.protocol) "grpc") }}
{{fail "Valid values for global.metrics.datadog.otlp.protocol must be one of either \"http\" or \"grpc\"." }}
{{- end }}
{{- end -}}
{{/*
Sets the dogstatsd_addr field of the agent configuration dependent on the
socket transport type being used:
- "UDS" (Unix Domain Socket): prefixes "unix://" to URL and appends path to socket (i.e., unix:///var/run/datadog/dsd.socket)
- "UDP" (User Datagram Protocol): adds no prefix and appends dogstatsd port number to hostname/IP (i.e., 172.20.180.10:8125)
- global.metrics.enableDatadogIntegration.dogstatsd configuration
Usage: {{ template "consul.dogstatsdAaddressInfo" . }}
*/}}
{{- define "consul.dogstatsdAaddressInfo" -}}
{{- if (and .Values.global.metrics.datadog.enabled .Values.global.metrics.datadog.dogstatsd.enabled) }}
"dogstatsd_addr": "{{- if eq .Values.global.metrics.datadog.dogstatsd.socketTransportType "UDS" }}unix://{{ .Values.global.metrics.datadog.dogstatsd.dogstatsdAddr }}{{- else }}{{ .Values.global.metrics.datadog.dogstatsd.dogstatsdAddr | trimAll "\"" }}{{- if ne ( .Values.global.metrics.datadog.dogstatsd.dogstatsdPort | int ) 0 }}:{{ .Values.global.metrics.datadog.dogstatsd.dogstatsdPort | toString }}{{- end }}{{- end }}",{{- end }}
{{- end -}}
{{/*
Configures the metrics prefixing that's required to either allow or dissallow certaing RPC or gRPC server calls:
Usage: {{ template "consul.prefixFilter" . }}
*/}}
{{- define "consul.prefixFilter" -}}
{{- $allowList := .Values.global.metrics.prefixFilter.allowList }}
{{- $blockList := .Values.global.metrics.prefixFilter.blockList }}
{{- if and (not (empty $allowList)) (not (empty $blockList)) }}
"prefix_filter": [{{- range $index, $value := concat $allowList $blockList -}}
"{{- if (has $value $allowList) }}{{ printf "+%s" ($value | trimAll "\"") }}{{- else }}{{ printf "-%s" ($value | trimAll "\"") }}{{- end }}"{{- if lt $index (sub (len (concat $allowList $blockList)) 1) -}},{{- end -}}
{{- end -}}],
{{- else if not (empty $allowList) }}
"prefix_filter": [{{- range $index, $value := $allowList -}}
"{{ printf "+%s" ($value | trimAll "\"") }}"{{- if lt $index (sub (len $allowList) 1) -}},{{- end -}}
{{- end -}}],
{{- else if not (empty $blockList) }}
"prefix_filter": [{{- range $index, $value := $blockList -}}
"{{ printf "-%s" ($value | trimAll "\"") }}"{{- if lt $index (sub (len $blockList) 1) -}},{{- end -}}
{{- end -}}],
{{- end }}
{{- end -}}
{{/*
Retrieves the global consul/consul-enterprise version string for use with labels or tags.
Requirements for valid labels:
- a valid label must be an empty string or consist of
=> alphanumeric characters
=> '-', '_' or '.'
=> must start and end with an alphanumeric character
(e.g. 'MyValue', or 'my_value', or '12345', regex used for validation is
'(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?')
Usage: {{ template "consul.versionInfo" }}
*/}}
{{- define "consul.versionInfo" -}}
{{- $imageVersion := regexSplit ":" .Values.global.image -1 }}
{{- $versionInfo := printf "%s" (index $imageVersion 1 ) | trimSuffix "\"" }}
{{- $sanitizedVersion := "" }}
{{- $pattern := "^([A-Za-z0-9][-A-Za-z0-9_.]*[A-Za-z0-9])?$" }}
{{- if not (regexMatch $pattern $versionInfo) -}}
{{- $sanitizedVersion = regexReplaceAll "[^A-Za-z0-9-_.]|sha256" $versionInfo "" }}
{{- $sanitizedVersion = printf "%s" (trimSuffix "-" (trimPrefix "-" $sanitizedVersion)) -}}
{{- else }}
{{- $sanitizedVersion = $versionInfo }}
{{- end -}}
{{- printf "%s" $sanitizedVersion | trunc 63 | quote }}
{{- end -}}
{{/*
Sets the imagePullPolicy for all Consul images (consul, consul-dataplane, consul-k8s, consul-telemetry-collector)
Valid values are:
IfNotPresent
Always
Never
In the case of empty, see https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy for details
Usage: {{ template "consul.imagePullPolicy" . }} TODO: melisa should we name this differently ?
*/}}
{{- define "consul.imagePullPolicy" -}}
{{ if or (eq .Values.global.imagePullPolicy "IfNotPresent") (eq .Values.global.imagePullPolicy "Always") (eq .Values.global.imagePullPolicy "Never")}}imagePullPolicy: {{ .Values.global.imagePullPolicy }}
{{ else if eq .Values.global.imagePullPolicy "" }}
{{ else }}
{{fail "imagePullPolicy can only be IfNotPresent, Always, Never, or empty" }}
{{ end }}
{{- end -}}
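Review bot: in `consul.validateMetricsConfig`, the second check `{{- if and (not .Values.global.metrics) (and .Values.global.metrics.disableAgentHostName .Values.global.metrics.enableAgentMetrics )}}` can never fire, because `.Values.global.metrics` is a non-empty map and `not` of it is always false; it should test `(not .Values.global.metrics.enabled)`. The fourth check already expresses that condition correctly and the third repeats the first verbatim, so the helper reduces to two checks. The block comment also promises `metrics.enableHostMetrics` validations that the helper does not implement, and the `consul.validateResourceAPIs` comment lists `meshGateway.enabled` as unsupported while no `mustHas "resource-apis"` check exists for it; either add the checks or drop them from the comments. In `consul.versionInfo`, `index $imageVersion 1` errors at render time when `global.image` carries no tag, and for an image reference whose registry includes a port it picks up the port segment rather than the tag; guard with a `len` check and take the element after the last `:`. Minor: the `consul.prefixFilter` comment has `dissallow certaing`, and the `consul.imagePullPolicy` comment still carries `TODO: melisa should we name this differently ?`, which should be resolved before merging.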


@ -0,0 +1,18 @@
{{- if .Values.global.acls.manageSystemACLs }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ template "consul.fullname" . }}-auth-method
labels:
app: {{ template "consul.name" . }}
chart: {{ template "consul.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
component: auth-method
rules:
- apiGroups: [ "" ]
resources:
- serviceaccounts
verbs:
- get
{{- end }}
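Review bot: the ClusterRole's `metadata.labels` omits the `global.extraLabels` block that the client DaemonSet in this commit applies (`{{- if .Values.global.extraLabels }}` / `{{- toYaml .Values.global.extraLabels | nindent 4 }}`); add it here so every object in the release is labelled consistently. The rule itself is appropriately narrow: `get` on `serviceaccounts` is what the Consul Kubernetes auth method needs to look up the ServiceAccount behind a login, and no write verbs are granted.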


@ -0,0 +1,39 @@
{{- if .Values.global.acls.manageSystemACLs }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ template "consul.fullname" . }}-authdelegator
labels:
app: {{ template "consul.name" . }}
chart: {{ template "consul.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
component: auth-method
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: "system:auth-delegator"
subjects:
- kind: ServiceAccount
name: {{ template "consul.fullname" . }}-auth-method
namespace: {{ .Release.Namespace }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ template "consul.fullname" . }}-auth-method
labels:
app: {{ template "consul.name" . }}
chart: {{ template "consul.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
component: auth-method
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ template "consul.fullname" . }}-auth-method
subjects:
- kind: ServiceAccount
name: {{ template "consul.fullname" . }}-auth-method
namespace: {{ .Release.Namespace }}
{{- end }}
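Review bot: the first binding grants the `system:auth-delegator` ClusterRole to the `-auth-method` ServiceAccount, which allows it to create TokenReviews and SubjectAccessReviews cluster-wide; add a template comment above `name: "system:auth-delegator"` stating that this is what the Consul Kubernetes auth method uses to validate pod ServiceAccount tokens, so the elevated grant is documented for anyone auditing the release's RBAC. Both bindings are correctly gated on `global.acls.manageSystemACLs` and share the same subject; a one-line comment on why two bindings (delegator plus the chart's own `get serviceaccounts` role) are needed would also help.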


@ -0,0 +1,16 @@
{{- if .Values.global.acls.manageSystemACLs }}
apiVersion: v1
kind: Secret
metadata:
name: {{ template "consul.fullname" . }}-auth-method
namespace: {{ .Release.Namespace }}
labels:
app: {{ template "consul.name" . }}
chart: {{ template "consul.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
component: auth-method
annotations:
kubernetes.io/service-account.name: {{ template "consul.fullname" . }}-auth-method
type: kubernetes.io/service-account-token
{{- end }}
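Review bot: `type: kubernetes.io/service-account-token` creates a long-lived, non-expiring token for the `-auth-method` ServiceAccount (Kubernetes 1.24 and later no longer generate these automatically, which is why the chart does it explicitly). Worth a template comment explaining why a static token is required here rather than a projected, time-bound token, and noting that the token's blast radius is bounded by the RBAC granted to that ServiceAccount in this commit (`system:auth-delegator` plus `get` on `serviceaccounts`), so operators know what to review when rotating it.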


@ -0,0 +1,19 @@
{{- if .Values.global.acls.manageSystemACLs }}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ template "consul.fullname" . }}-auth-method
namespace: {{ .Release.Namespace }}
labels:
app: {{ template "consul.name" . }}
chart: {{ template "consul.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
component: auth-method
{{- with .Values.global.imagePullSecrets }}
imagePullSecrets:
{{- range . }}
- name: {{ .name }}
{{- end }}
{{- end }}
{{- end }}


@ -0,0 +1,40 @@
{{- if (or (and (ne (.Values.client.enabled | toString) "-") .Values.client.enabled) (and (eq (.Values.client.enabled | toString) "-") .Values.global.enabled)) }}
# ConfigMap with extra configuration specified directly to the chart
# for client agents only.
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ template "consul.fullname" . }}-client-config
namespace: {{ .Release.Namespace }}
labels:
app: {{ template "consul.name" . }}
chart: {{ template "consul.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
component: client
data:
client.json: |-
{
{{- if and .Values.global.secretsBackend.vault.enabled }}
"auto_reload_config": true
{{- end }}
}
log-level.json: |-
{
{{- if .Values.client.logLevel }}
"log_level": "{{ .Values.client.logLevel | upper }}"
{{- end }}
}
central-config.json: |-
{
"enable_central_service_config": true
}
{{- if .Values.connectInject.enabled }}
{{/* We set check_update_interval to 0s so that check output is immediately viewable
in the UI. */}}
config.json: |-
{
"check_update_interval": "0s"
}
{{- end }}
{{- end }}
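Review bot: `{{- if and .Values.global.secretsBackend.vault.enabled }}` in `client.json` uses `and` with a single operand, which is a no-op; write `{{- if .Values.global.secretsBackend.vault.enabled }}` as the rest of the chart does. The `config.json` entry explains `check_update_interval: "0s"` in a template comment; a similar one-liner on why `enable_central_service_config` is forced to `true` in `central-config.json` would make the ConfigMap self-describing.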


@ -0,0 +1,611 @@
{{- if .Values.global.imageK8s }}{{ fail "global.imageK8s is not a valid key, use global.imageK8S (note the capital 'S')" }}{{ end -}}
{{- if (or (and (ne (.Values.client.enabled | toString) "-") .Values.client.enabled) (and (eq (.Values.client.enabled | toString) "-") .Values.global.enabled)) }}
{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}}
{{- if (and .Values.global.adminPartitions.enabled $serverEnabled (ne .Values.global.adminPartitions.name "default"))}}{{ fail "global.adminPartitions.name has to be \"default\" in the server cluster" }}{{ end -}}
{{- if (and (not .Values.global.secretsBackend.vault.consulClientRole) .Values.global.secretsBackend.vault.enabled) }}{{ fail "global.secretsBackend.vault.consulClientRole must be provided if global.secretsBackend.vault.enabled=true." }}{{ end -}}
{{- if (and (and .Values.global.secretsBackend.vault.enabled .Values.global.tls.enabled) (not .Values.global.tls.caCert.secretName)) }}{{ fail "global.tls.caCert.secretName must be provided if global.tls.enabled=true and global.secretsBackend.vault.enabled=true." }}{{ end -}}
{{- if (and (and .Values.global.secretsBackend.vault.enabled .Values.global.tls.enabled) (not .Values.global.tls.enableAutoEncrypt)) }}{{ fail "global.tls.enableAutoEncrypt must be true if global.secretsBackend.vault.enabled=true and global.tls.enabled=true" }}{{ end -}}
{{- if (and (and .Values.global.secretsBackend.vault.enabled .Values.global.tls.enabled) (not .Values.global.secretsBackend.vault.consulCARole)) }}{{ fail "global.secretsBackend.vault.consulCARole must be provided if global.secretsBackend.vault.enabled=true and global.tls.enabled=true" }}{{ end -}}
{{- if and .Values.global.federation.enabled .Values.global.adminPartitions.enabled }}{{ fail "If global.federation.enabled is true, global.adminPartitions.enabled must be false because they are mutually exclusive" }}{{ end }}
{{- if (and .Values.global.enterpriseLicense.secretName (not .Values.global.enterpriseLicense.secretKey)) }}{{fail "enterpriseLicense.secretKey and secretName must both be specified." }}{{ end -}}
{{- if (and (not .Values.global.enterpriseLicense.secretName) .Values.global.enterpriseLicense.secretKey) }}{{fail "enterpriseLicense.secretKey and secretName must both be specified." }}{{ end -}}
{{- if and .Values.externalServers.enabled (not .Values.externalServers.hosts) }}{{ fail "externalServers.hosts must be set if externalServers.enabled is true" }}{{ end -}}
{{ template "consul.validateRequiredCloudSecretsExist" . }}
{{ template "consul.validateCloudSecretKeys" . }}
# DaemonSet to run the Consul clients on every node.
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: {{ template "consul.fullname" . }}-client
namespace: {{ .Release.Namespace }}
labels:
app: {{ template "consul.name" . }}
chart: {{ template "consul.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
component: client
{{- if .Values.global.extraLabels }}
{{- toYaml .Values.global.extraLabels | nindent 4 }}
{{- end }}
spec:
{{- if .Values.client.updateStrategy }}
updateStrategy:
{{ tpl .Values.client.updateStrategy . | nindent 4 | trim }}
{{- end }}
selector:
matchLabels:
app: {{ template "consul.name" . }}
chart: {{ template "consul.chart" . }}
release: {{ .Release.Name }}
component: client
hasDNS: "true"
template:
metadata:
labels:
app: {{ template "consul.name" . }}
chart: {{ template "consul.chart" . }}
release: {{ .Release.Name }}
component: client
hasDNS: "true"
{{- if .Values.client.extraLabels }}
{{- toYaml .Values.client.extraLabels | nindent 8 }}
{{- end }}
{{- if .Values.global.extraLabels }}
{{- toYaml .Values.global.extraLabels | nindent 8 }}
{{- end }}
annotations:
{{- if .Values.global.secretsBackend.vault.enabled }}
"vault.hashicorp.com/agent-inject": "true"
"vault.hashicorp.com/agent-init-first": "true"
"vault.hashicorp.com/role": "{{ .Values.global.secretsBackend.vault.consulClientRole }}"
{{- if and .Values.global.secretsBackend.vault.ca.secretName .Values.global.secretsBackend.vault.ca.secretKey }}
"vault.hashicorp.com/agent-extra-secret": "{{ .Values.global.secretsBackend.vault.ca.secretName }}"
"vault.hashicorp.com/ca-cert": "/vault/custom/{{ .Values.global.secretsBackend.vault.ca.secretKey }}"
{{- end }}
{{- if .Values.global.gossipEncryption.secretName }}
{{- with .Values.global.gossipEncryption }}
"vault.hashicorp.com/agent-inject-secret-gossip.txt": {{ .secretName }}
"vault.hashicorp.com/agent-inject-template-gossip.txt": {{ template "consul.vaultSecretTemplate" . }}
{{- end }}
{{- end }}
{{- if .Values.global.tls.enabled }}
"vault.hashicorp.com/agent-inject-secret-serverca.crt": {{ .Values.global.tls.caCert.secretName }}
"vault.hashicorp.com/agent-inject-template-serverca.crt": {{ template "consul.serverTLSCATemplate" . }}
{{- end }}
{{- if .Values.global.secretsBackend.vault.agentAnnotations }}
{{ tpl .Values.global.secretsBackend.vault.agentAnnotations . | nindent 8 | trim }}
{{- end }}
{{- if (and (.Values.global.secretsBackend.vault.vaultNamespace) (not (hasKey (default "" .Values.global.secretsBackend.vault.agentAnnotations | fromYaml) "vault.hashicorp.com/namespace")))}}
"vault.hashicorp.com/namespace": "{{ .Values.global.secretsBackend.vault.vaultNamespace }}"
{{- end }}
{{- if and .Values.global.enterpriseLicense.secretName (not .Values.global.acls.manageSystemACLs) }}
{{- with .Values.global.enterpriseLicense }}
"vault.hashicorp.com/agent-inject-secret-enterpriselicense.txt": "{{ .secretName }}"
"vault.hashicorp.com/agent-inject-template-enterpriselicense.txt": {{ template "consul.vaultSecretTemplate" . }}
{{- end }}
{{- end }}
{{- end }}
"consul.hashicorp.com/connect-inject": "false"
"consul.hashicorp.com/mesh-inject": "false"
"consul.hashicorp.com/config-checksum": {{ print (include (print $.Template.BasePath "/client-config-configmap.yaml") .) (include (print $.Template.BasePath "/client-tmp-extra-config-configmap.yaml") .) | sha256sum }}
{{- if .Values.client.annotations }}
{{- tpl .Values.client.annotations . | nindent 8 }}
{{- end }}
{{- if (and .Values.global.metrics.enabled .Values.global.metrics.enableAgentMetrics) }}
"prometheus.io/scrape": "true"
{{- if not (hasKey (default "" .Values.client.annotations | fromYaml) "prometheus.io/path")}}
"prometheus.io/path": "/v1/agent/metrics"
{{- end }}
"prometheus.io/port": "8500"
{{- end }}
spec:
{{- if .Values.client.affinity }}
affinity:
{{ tpl .Values.client.affinity . | nindent 8 | trim }}
{{- end }}
{{- if .Values.client.tolerations }}
tolerations:
{{ tpl .Values.client.tolerations . | nindent 8 | trim }}
{{- end }}
terminationGracePeriodSeconds: 10
serviceAccountName: {{ template "consul.fullname" . }}-client
{{- if not .Values.global.openshift.enabled }}
securityContext:
{{- toYaml .Values.client.securityContext | nindent 8 -}}
{{- end }}
{{- if .Values.client.priorityClassName }}
priorityClassName: {{ .Values.client.priorityClassName | quote }}
{{- end }}
{{- if .Values.client.dnsPolicy }}
dnsPolicy: {{ .Values.client.dnsPolicy }}
{{- end }}
{{- if .Values.client.hostNetwork }}
hostNetwork: {{ .Values.client.hostNetwork }}
{{- end }}
volumes:
- name: data
{{- if .Values.client.dataDirectoryHostPath }}
hostPath:
path: {{ .Values.client.dataDirectoryHostPath }}
type: DirectoryOrCreate
{{- else }}
emptyDir: {}
{{- end }}
- name: config
configMap:
name: {{ template "consul.fullname" . }}-client-config
- name: extra-config
emptyDir: {}
- name: consul-data
emptyDir:
medium: "Memory"
- name: tmp-extra-config
configMap:
name: {{ template "consul.fullname" . }}-client-tmp-extra-config
{{- if .Values.global.tls.enabled }}
{{- if not .Values.global.secretsBackend.vault.enabled }}
- name: consul-ca-cert
secret:
{{- if .Values.global.tls.caCert.secretName }}
secretName: {{ .Values.global.tls.caCert.secretName }}
{{- else }}
secretName: {{ template "consul.fullname" . }}-ca-cert
{{- end }}
items:
- key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }}
path: tls.crt
{{- end }}
{{- if (and (not .Values.global.secretsBackend.vault.enabled) (not .Values.global.tls.enableAutoEncrypt)) }}
- name: consul-ca-key
secret:
{{- if .Values.global.tls.caKey.secretName }}
secretName: {{ .Values.global.tls.caKey.secretName }}
{{- else }}
secretName: {{ template "consul.fullname" . }}-ca-key
{{- end }}
items:
- key: {{ default "tls.key" .Values.global.tls.caKey.secretKey }}
path: tls.key
- name: consul-client-cert
emptyDir:
# We're using tmpfs here so that
# client certs are not written to disk
medium: "Memory"
{{- end }}
{{- end }}
{{- range .Values.client.extraVolumes }}
- name: userconfig-{{ .name }}
{{ .type }}:
{{- if (eq .type "configMap") }}
name: {{ .name }}
{{- else if (eq .type "secret") }}
secretName: {{ .name }}
{{- end }}
{{- end }}
{{- if .Values.global.acls.manageSystemACLs }}
- name: aclconfig
emptyDir: {}
{{- else }}
{{- if (and .Values.global.enterpriseLicense.secretName .Values.global.enterpriseLicense.secretKey .Values.global.enterpriseLicense.enableLicenseAutoload (not .Values.global.secretsBackend.vault.enabled)) }}
- name: consul-license
secret:
secretName: {{ .Values.global.enterpriseLicense.secretName }}
{{- end }}
{{- end }}
containers:
- name: consul
image: "{{ default .Values.global.image .Values.client.image }}"
{{ template "consul.imagePullPolicy" . }}
{{- if .Values.global.acls.manageSystemACLs }}
lifecycle:
preStop:
exec:
command:
- "/bin/consul"
- "logout"
{{- end }}
env:
{{- if .Values.global.acls.manageSystemACLs }}
- name: CONSUL_HTTP_TOKEN_FILE
value: "/consul/login/acl-token"
{{- end }}
- name: ADVERTISE_IP
valueFrom:
fieldRef:
{{- if .Values.client.exposeGossipPorts }}
{{- /* Clients will be exposed on their node's hostPort for external-to-k8s communication,
so they need to advertise their host ip instead of their pod ip. */}}
fieldPath: status.hostIP
{{- else }}
fieldPath: status.podIP
{{- end }}
- name: NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: NODE
valueFrom:
fieldRef:
fieldPath: spec.nodeName
- name: HOST_IP
valueFrom:
fieldRef:
fieldPath: status.hostIP
- name: POD_IP
valueFrom:
fieldRef:
fieldPath: status.podIP
- name: CONSUL_DISABLE_PERM_MGMT
value: "true"
{{- if (or .Values.global.gossipEncryption.autoGenerate (and .Values.global.gossipEncryption.secretName .Values.global.gossipEncryption.secretKey)) }}
{{- if not .Values.global.secretsBackend.vault.enabled }}
- name: GOSSIP_KEY
valueFrom:
secretKeyRef:
{{- if .Values.global.gossipEncryption.autoGenerate }}
name: {{ template "consul.fullname" . }}-gossip-encryption-key
key: key
{{- else if (and .Values.global.gossipEncryption.secretName .Values.global.gossipEncryption.secretKey) }}
name: {{ .Values.global.gossipEncryption.secretName }}
key: {{ .Values.global.gossipEncryption.secretKey }}
{{- end }}
{{- end }}
{{- end }}
{{- if (and .Values.global.enterpriseLicense.secretName .Values.global.enterpriseLicense.secretKey .Values.global.enterpriseLicense.enableLicenseAutoload (not .Values.global.acls.manageSystemACLs)) }}
- name: CONSUL_LICENSE_PATH
{{- if .Values.global.secretsBackend.vault.enabled }}
value: /vault/secrets/enterpriselicense.txt
{{- else }}
value: /consul/license/{{ .Values.global.enterpriseLicense.secretKey }}
{{- end }}
{{- end }}
{{- if .Values.global.tls.enabled }}
- name: CONSUL_HTTP_ADDR
value: https://localhost:8501
{{- if .Values.global.tls.enableAutoEncrypt }}
- name: CONSUL_HTTP_SSL_VERIFY
value: "false"
{{- else }}
- name: CONSUL_CACERT
value: /consul/tls/ca/tls.crt
{{- end }}
{{- end }}
{{- include "consul.extraEnvironmentVars" .Values.client | nindent 12 }}
command:
- "/bin/sh"
- "-ec"
- |
CONSUL_FULLNAME="{{template "consul.fullname" . }}"
{{- if and .Values.global.secretsBackend.vault.enabled .Values.global.gossipEncryption.secretName }}
GOSSIP_KEY=`cat /vault/secrets/gossip.txt`
{{- end }}
{{ template "consul.extraconfig" }}
exec /usr/local/bin/docker-entrypoint.sh consul agent \
-node="${NODE}" \
-advertise="${ADVERTISE_IP}" \
-bind=0.0.0.0 \
-client=0.0.0.0 \
{{- range $k, $v := .Values.client.nodeMeta }}
-node-meta={{ $k }}:{{ $v }} \
{{- end }}
-hcl='leave_on_terminate = true' \
{{- if .Values.global.tls.enabled }}
{{- if .Values.global.peering.enabled }}
{{- if .Values.global.secretsBackend.vault.enabled }}
-hcl='tls { defaults { ca_file = "/vault/secrets/serverca.crt" }}' \
{{- else }}
-hcl='tls { defaults { ca_file = "/consul/tls/ca/tls.crt" }}' \
{{- end }}
{{- if .Values.global.tls.enableAutoEncrypt }}
-hcl='auto_encrypt = {tls = true}' \
-hcl="auto_encrypt = {ip_san = [\"$HOST_IP\",\"$POD_IP\"]}" \
-hcl='tls { grpc { use_auto_cert = true } }' \
{{- else }}
-hcl='tls { defaults { cert_file = "/consul/tls/client/tls.crt" }}' \
-hcl='tls { defaults { key_file = "/consul/tls/client/tls.key" }}' \
{{- end }}
{{- if .Values.global.tls.verify }}
-hcl='tls { defaults { verify_outgoing = true }}' \
{{- if not .Values.global.tls.enableAutoEncrypt }}
-hcl='tls { internal_rpc { verify_incoming = true }}' \
-hcl='tls { internal_rpc { verify_server_hostname = true }}' \
{{- end }}
{{- end }}
-hcl='ports { https = 8501 }' \
{{- if .Values.global.tls.httpsOnly }}
-hcl='ports { http = -1 }' \
{{- end }}
{{- else}}
{{- if .Values.global.secretsBackend.vault.enabled }}
-hcl='ca_file = "/vault/secrets/serverca.crt"' \
{{- else }}
-hcl='ca_file = "/consul/tls/ca/tls.crt"' \
{{- end }}
{{- if .Values.global.tls.enableAutoEncrypt }}
-hcl='auto_encrypt = {tls = true}' \
-hcl="auto_encrypt = {ip_san = [\"$HOST_IP\",\"$POD_IP\"]}" \
{{- else }}
-hcl='cert_file = "/consul/tls/client/tls.crt"' \
-hcl='key_file = "/consul/tls/client/tls.key"' \
{{- end }}
{{- if .Values.global.tls.verify }}
-hcl='verify_outgoing = true' \
{{- if not .Values.global.tls.enableAutoEncrypt }}
-hcl='verify_incoming_rpc = true' \
-hcl='verify_server_hostname = true' \
{{- end }}
{{- end }}
-hcl='ports { https = 8501 }' \
{{- if .Values.global.tls.httpsOnly }}
-hcl='ports { http = -1 }' \
{{- end }}
{{- end }}
{{- end }}
{{- if .Values.client.grpc }}
{{- if .Values.global.tls.enabled }}
-hcl='ports { grpc = -1, grpc_tls = 8502 }' \
{{- else }}
-hcl='ports { grpc = 8502, grpc_tls = -1 }' \
{{- end }}
{{- end }}
{{- if (and .Values.global.metrics.enabled .Values.global.metrics.enableAgentMetrics) }}
-hcl='telemetry { prometheus_retention_time = "{{ .Values.global.metrics.agentMetricsRetentionTime }}" }' \
{{- end }}
{{- if .Values.global.adminPartitions.enabled }}
-hcl='partition = "{{ .Values.global.adminPartitions.name }}"' \
{{- end }}
-config-dir=/consul/config \
{{- if .Values.global.acls.manageSystemACLs }}
-config-dir=/consul/aclconfig \
{{- end }}
{{- /* Always include the extraVolumes at the end so that users can
override other Consul settings. The last -config-dir takes
precedence. */}}
{{- range .Values.client.extraVolumes }}
{{- if .load }}
-config-dir=/consul/userconfig/{{ .name }} \
{{- end }}
{{- end }}
-datacenter={{ .Values.global.datacenter }} \
-data-dir=/consul/data \
{{- if (or .Values.global.gossipEncryption.autoGenerate (and .Values.global.gossipEncryption.secretName .Values.global.gossipEncryption.secretKey)) }}
-encrypt="${GOSSIP_KEY}" \
{{- end }}
{{- if .Values.client.join }}
{{- range $value := .Values.client.join }}
-retry-join={{ quote $value }} \
{{- end }}
{{- else }}
{{- if .Values.server.enabled }}
{{- $serverSerfLANPort := .Values.server.ports.serflan.port -}}
{{- range $index := until (.Values.server.replicas | int) }}
-retry-join="${CONSUL_FULLNAME}-server-{{ $index }}.${CONSUL_FULLNAME}-server.${NAMESPACE}.svc:{{ $serverSerfLANPort }}" \
{{- end }}
{{- end }}
{{- end }}
{{- range $value := .Values.global.recursors }}
-recursor={{ quote $value }} \
{{- end }}
-config-dir=/consul/extra-config \
-domain={{ .Values.global.domain }}
volumeMounts:
- name: data
mountPath: /consul/data
- name: config
mountPath: /consul/config
- name: extra-config
mountPath: /consul/extra-config
- name: tmp-extra-config
mountPath: /consul/tmp/extra-config
- mountPath: /consul/login
name: consul-data
readOnly: true
{{- if .Values.global.tls.enabled }}
{{- if not .Values.global.secretsBackend.vault.enabled }}
- name: consul-ca-cert
mountPath: /consul/tls/ca
readOnly: true
{{- if not .Values.global.tls.enableAutoEncrypt }}
- name: consul-client-cert
mountPath: /consul/tls/client
readOnly: true
{{- end }}
{{- end }}
{{- end }}
{{- range .Values.client.extraVolumes }}
- name: userconfig-{{ .name }}
readOnly: true
mountPath: /consul/userconfig/{{ .name }}
{{- end }}
{{- if .Values.global.acls.manageSystemACLs }}
- name: aclconfig
mountPath: /consul/aclconfig
{{- else }}
{{- if (and .Values.global.enterpriseLicense.secretName .Values.global.enterpriseLicense.secretKey .Values.global.enterpriseLicense.enableLicenseAutoload (not .Values.global.secretsBackend.vault.enabled)) }}
- name: consul-license
mountPath: /consul/license
readOnly: true
{{- end }}
{{- end }}
ports:
{{- if (or (not .Values.global.tls.enabled) (not .Values.global.tls.httpsOnly)) }}
- containerPort: 8500
hostPort: 8500
name: http
{{- end }}
{{- if .Values.global.tls.enabled }}
- containerPort: 8501
hostPort: 8501
name: https
{{- end }}
- containerPort: 8502
hostPort: 8502
name: grpc
- containerPort: 8301
{{- if .Values.client.exposeGossipPorts }}
hostPort: 8301
{{- end }}
protocol: "TCP"
name: serflan-tcp
- containerPort: 8301
{{- if .Values.client.exposeGossipPorts }}
hostPort: 8301
{{- end }}
protocol: "UDP"
name: serflan-udp
- containerPort: 8600
name: dns-tcp
protocol: "TCP"
- containerPort: 8600
name: dns-udp
protocol: "UDP"
readinessProbe:
# NOTE(mitchellh): when our HTTP status endpoints support the
# proper status codes, we should switch to that. This is temporary.
exec:
command:
- "/bin/sh"
- "-ec"
- |
{{- if .Values.global.tls.enabled }}
curl \
-k \
https://127.0.0.1:8501/v1/status/leader \
{{- else }}
curl http://127.0.0.1:8500/v1/status/leader \
{{- end }}
2>/dev/null | grep -E '".+"'
{{- if .Values.client.resources }}
resources:
{{- if eq (typeOf .Values.client.resources) "string" }}
{{ tpl .Values.client.resources . | nindent 12 | trim }}
{{- else }}
{{- toYaml .Values.client.resources | nindent 12 }}
{{- end }}
{{- end }}
{{- if not .Values.global.openshift.enabled }}
securityContext:
{{- toYaml .Values.client.containerSecurityContext.client | nindent 12 }}
{{- end }}
{{- if .Values.client.extraContainers }}
{{ toYaml .Values.client.extraContainers | nindent 8 }}
{{- end }}
{{- if (or .Values.global.acls.manageSystemACLs (and .Values.global.tls.enabled (not .Values.global.tls.enableAutoEncrypt))) }}
initContainers:
{{- if .Values.global.acls.manageSystemACLs }}
- name: client-acl-init
image: {{ .Values.global.imageK8S }}
{{ template "consul.imagePullPolicy" . }}
env:
- name: NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
{{- include "consul.consulK8sConsulServerEnvVars" . | nindent 8 }}
{{- if .Values.global.acls.manageSystemACLs }}
- name: CONSUL_LOGIN_AUTH_METHOD
value: {{ template "consul.fullname" . }}-k8s-component-auth-method
- name: CONSUL_LOGIN_META
value: "component=client,pod=$(NAMESPACE)/$(POD_NAME)"
{{- end }}
- name: CONSUL_LOGIN_DATACENTER
value: {{ .Values.global.datacenter }}
command:
- "/bin/sh"
- "-ec"
- |
exec consul-k8s-control-plane acl-init \
-log-level={{ default .Values.global.logLevel .Values.client.logLevel }} \
-log-json={{ .Values.global.logJSON }} \
-init-type="client"
volumeMounts:
- name: aclconfig
mountPath: /consul/aclconfig
- mountPath: /consul/login
name: consul-data
readOnly: false
{{- if (and .Values.global.tls.enabled (not .Values.global.secretsBackend.vault.enabled) (not .Values.externalServers.useSystemRoots)) }}
- name: consul-ca-cert
mountPath: /consul/tls/ca
readOnly: false
{{- end }}
resources:
requests:
memory: "25Mi"
cpu: "50m"
limits:
memory: "25Mi"
cpu: "50m"
{{- if not .Values.global.openshift.enabled }}
securityContext:
{{- toYaml .Values.client.containerSecurityContext.aclInit | nindent 10 }}
{{- end }}
{{- end }}
{{- if and .Values.global.tls.enabled (not .Values.global.tls.enableAutoEncrypt) }}
- name: client-tls-init
image: "{{ default .Values.global.image .Values.client.image }}"
{{ template "consul.imagePullPolicy" . }}
env:
- name: HOST_IP
valueFrom:
fieldRef:
fieldPath: status.hostIP
- name: POD_IP
valueFrom:
fieldRef:
fieldPath: status.podIP
command:
- "/bin/sh"
- "-ec"
- |
cd /consul/tls/client
consul tls cert create -client \
-additional-ipaddress=${HOST_IP} \
-additional-ipaddress=${POD_IP} \
-dc={{ .Values.global.datacenter }} \
-domain={{ .Values.global.domain }} \
-ca=/consul/tls/ca/cert/tls.crt \
-key=/consul/tls/ca/key/tls.key
mv {{ .Values.global.datacenter }}-client-{{ .Values.global.domain }}-0.pem tls.crt
mv {{ .Values.global.datacenter }}-client-{{ .Values.global.domain }}-0-key.pem tls.key
volumeMounts:
{{- if not .Values.global.secretsBackend.vault.enabled }}
- name: consul-client-cert
mountPath: /consul/tls/client
- name: consul-ca-cert
mountPath: /consul/tls/ca/cert
readOnly: true
- name: consul-ca-key
mountPath: /consul/tls/ca/key
readOnly: true
{{- end }}
resources:
requests:
memory: "50Mi"
cpu: "50m"
limits:
memory: "50Mi"
cpu: "50m"
{{- if not .Values.global.openshift.enabled }}
securityContext:
{{- toYaml .Values.client.containerSecurityContext.tlsInit | nindent 10 }}
{{- end }}
{{- end }}
{{- end }}
{{- if .Values.client.nodeSelector }}
nodeSelector:
{{ tpl .Values.client.nodeSelector . | indent 8 | trim }}
{{- end }}
{{- end }}
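Review bot: the `client-tls-init` init container mounts the CA private key (`consul-ca-key` at `/consul/tls/ca/key`) into every client pod so it can run `consul tls cert create` locally; that puts the signing key on each node that runs a client, and a compromised node or anyone with exec access to the pod can then issue certificates for any identity. Prefer `global.tls.enableAutoEncrypt` (which already bypasses this container) or the Vault backend so the key stays with the CA holder, and at minimum document this trade-off next to the `consul-ca-key` mount. Separately, the `client-acl-init` container mounts `consul-ca-cert` with `readOnly: false` while the main container mounts the same volume `readOnly: true`; the init only reads the CA, so set `readOnly: true` there as well.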

View File

@ -0,0 +1,76 @@
{{- if (and .Values.global.enablePodSecurityPolicies (or (and (ne (.Values.client.enabled | toString) "-") .Values.client.enabled) (and (eq (.Values.client.enabled | toString) "-") .Values.global.enabled))) }}
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: {{ template "consul.fullname" . }}-client
namespace: {{ .Release.Namespace }}
labels:
app: {{ template "consul.name" . }}
chart: {{ template "consul.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
component: client
spec:
privileged: false
# Required to prevent escalations to root.
allowPrivilegeEscalation: false
# This is redundant with non-root + disallow privilege escalation,
# but we can provide it for defense in depth.
requiredDropCapabilities:
- ALL
# Allow core volume types.
volumes:
- 'configMap'
- 'emptyDir'
- 'projected'
- 'secret'
- 'downwardAPI'
{{- if .Values.client.dataDirectoryHostPath }}
- 'hostPath'
{{- end }}
{{- if .Values.client.hostNetwork }}
hostNetwork: {{ .Values.client.hostNetwork }}
{{- else }}
hostNetwork: false
{{- end }}
hostPorts:
{{- if (not (and .Values.global.tls.enabled .Values.global.tls.httpsOnly)) }}
# HTTP Port
- min: 8500
max: 8500
{{- end }}
{{- if .Values.global.tls.enabled }}
# HTTPS port
- min: 8501
max: 8501
{{- end }}
{{- if .Values.client.grpc }}
# gRPC Port
- min: 8502
max: 8502
{{- end }}
{{- if (or .Values.client.exposeGossipPorts .Values.client.hostNetwork) }}
- min: 8301
max: 8301
{{- end }}
{{- if .Values.client.hostNetwork }}
- min: 8600
max: 8600
{{- end }}
hostIPC: false
hostPID: false
runAsUser:
rule: 'RunAsAny'
seLinux:
rule: 'RunAsAny'
supplementalGroups:
rule: 'RunAsAny'
fsGroup:
rule: 'RunAsAny'
readOnlyRootFilesystem: false
{{- if .Values.client.dataDirectoryHostPath }}
allowedHostPaths:
- pathPrefix: {{ .Values.client.dataDirectoryHostPath | quote }}
readOnly: false
{{- end }}
{{- end }}
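Review bot: the comment `# This is redundant with non-root + disallow privilege escalation` does not match the policy: `runAsUser: rule: 'RunAsAny'` does not enforce a non-root user, so `requiredDropCapabilities: [ALL]` is the only capability control here, not a redundant one. Either switch to `rule: 'MustRunAsNonRoot'` if the client image runs unprivileged, or reword the comment. It is also worth a comment that `policy/v1beta1` PodSecurityPolicy was removed in Kubernetes 1.25, so `global.enablePodSecurityPolicies` only has an effect on clusters below that version even though the chart accepts `>=1.22.0-0`.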

View File

@ -0,0 +1,43 @@
{{- if (or (and (ne (.Values.client.enabled | toString) "-") .Values.client.enabled) (and (eq (.Values.client.enabled | toString) "-") .Values.global.enabled)) }}
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ template "consul.fullname" . }}-client
namespace: {{ .Release.Namespace }}
labels:
app: {{ template "consul.name" . }}
chart: {{ template "consul.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
component: client
{{- if (or .Values.global.acls.manageSystemACLs .Values.global.enablePodSecurityPolicies .Values.global.openshift.enabled) }}
rules:
{{- if .Values.global.enablePodSecurityPolicies }}
- apiGroups: ["policy"]
resources: ["podsecuritypolicies"]
resourceNames:
- {{ template "consul.fullname" . }}-client
verbs:
- use
{{- end }}
{{- if .Values.global.acls.manageSystemACLs }}
- apiGroups: [""]
resources:
- secrets
resourceNames:
- {{ template "consul.fullname" . }}-client-acl-token
verbs:
- get
{{- end }}
{{- if .Values.global.openshift.enabled}}
- apiGroups: ["security.openshift.io"]
resources: ["securitycontextconstraints"]
resourceNames:
- {{ template "consul.fullname" . }}-client
verbs:
- use
{{- end}}
{{- else}}
rules: []
{{- end }}
{{- end }}

View File

@ -0,0 +1,20 @@
{{- if (or (and (ne (.Values.client.enabled | toString) "-") .Values.client.enabled) (and (eq (.Values.client.enabled | toString) "-") .Values.global.enabled)) }}
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ template "consul.fullname" . }}-client
namespace: {{ .Release.Namespace }}
labels:
app: {{ template "consul.name" . }}
chart: {{ template "consul.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
component: client
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ template "consul.fullname" . }}-client
subjects:
- kind: ServiceAccount
name: {{ template "consul.fullname" . }}-client
{{- end }}

View File

@ -0,0 +1,61 @@
{{- if (and .Values.global.openshift.enabled (or (and (ne (.Values.client.enabled | toString) "-") .Values.client.enabled) (and (eq (.Values.client.enabled | toString) "-") .Values.global.enabled))) }}
apiVersion: security.openshift.io/v1
kind: SecurityContextConstraints
metadata:
name: {{ template "consul.fullname" . }}-client
namespace: {{ .Release.Namespace }}
labels:
app: {{ template "consul.name" . }}
chart: {{ template "consul.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
component: client
annotations:
kubernetes.io/description: {{ template "consul.fullname" . }}-client are the security context constraints required
to run the consul client.
# Iff. allowHostDirVolumePlugin is true, hostPath must be included in volumes (see below).
{{- if .Values.client.dataDirectoryHostPath }}
allowHostDirVolumePlugin: true
{{- else }}
allowHostDirVolumePlugin: false
{{- end}}
allowHostIPC: false
allowHostNetwork: {{ .Values.client.hostNetwork }}
allowHostPID: false
allowHostPorts: true
allowPrivilegeEscalation: true
allowPrivilegedContainer: false
allowedCapabilities: null
defaultAddCapabilities: null
fsGroup:
type: MustRunAs
groups: []
priority: null
readOnlyRootFilesystem: false
requiredDropCapabilities:
- KILL
- MKNOD
- SETUID
- SETGID
runAsUser:
type: MustRunAsRange
seLinuxContext:
type: MustRunAs
supplementalGroups:
type: MustRunAs
users: []
volumes:
# This list must be in alphabetical order to match the post-reconcile order enforced by OpenShift admission hooks.
# Furthermore, hostPath must be included explicitly if allowHostDirVolumePlugin is true, as it will otherwise be
# added by OpenShift. It must be excluded if allowHostDirVolumePlugin is false per OpenShift requirements.
# This avoids false positives in change detection by third-party diff tools (e.g. ArgoCD) that respect list order.
- configMap
- downwardAPI
- emptyDir
{{- if .Values.client.dataDirectoryHostPath }}
- hostPath
{{- end }}
- persistentVolumeClaim
- projected
- secret
{{- end}}
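Review bot: `allowPrivilegeEscalation: true` contradicts the PodSecurityPolicy for the same component in this change, which sets `allowPrivilegeEscalation: false` and comments that it is "Required to prevent escalations to root". Unless the client needs escalation specifically on OpenShift, set it to `false` here so both policies enforce the same baseline. Also, `metadata.namespace` has no effect on a cluster-scoped kind such as SecurityContextConstraints and suggests the object is namespaced; drop it.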

View File

@ -0,0 +1,23 @@
{{- if (or (and (ne (.Values.client.enabled | toString) "-") .Values.client.enabled) (and (eq (.Values.client.enabled | toString) "-") .Values.global.enabled)) }}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ template "consul.fullname" . }}-client
namespace: {{ .Release.Namespace }}
labels:
app: {{ template "consul.name" . }}
chart: {{ template "consul.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
component: client
{{- if .Values.client.serviceAccount.annotations }}
annotations:
{{ tpl .Values.client.serviceAccount.annotations . | nindent 4 | trim }}
{{- end }}
{{- with .Values.global.imagePullSecrets }}
imagePullSecrets:
{{- range . }}
- name: {{ .name }}
{{- end }}
{{- end }}
{{- end }}

View File

@ -0,0 +1,21 @@
{{- if (or (and (ne (.Values.client.enabled | toString) "-") .Values.client.enabled) (and (eq (.Values.client.enabled | toString) "-") .Values.global.enabled)) }}
# ConfigMap that is used as a temporary landing spot so that the container command
# in the client-daemonset where it needs to be transformed. ConfigMaps create
# read only volumes so it needs to be copied and transformed to the extra-config
# emptyDir volume where all final extra cofngi lives for use in consul. (locality-init
# also writes to extra-config volume.)
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ template "consul.fullname" . }}-client-tmp-extra-config
namespace: {{ .Release.Namespace }}
labels:
app: {{ template "consul.name" . }}
chart: {{ template "consul.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
component: client
data:
extra-from-values.json: |-
{{ tpl .Values.client.extraConfig . | trimAll "\"" | indent 4 }}
{{- end }}
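Review bot: the header comment is hard to follow and carries a typo: "so that the container command in the client-daemonset where it needs to be transformed" is missing its verb, and "extra cofngi" should be "extra config". Suggested wording: `# ConfigMap used as a temporary landing spot for extraConfig. ConfigMap volumes are read-only, so the client-daemonset command copies and transforms it into the extra-config emptyDir volume, where the final extra config lives (locality-init also writes there).`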

View File

@ -0,0 +1,38 @@
{{- if .Values.connectInject.cni.enabled }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ template "consul.fullname" . }}-cni
namespace: {{ default .Release.Namespace .Values.connectInject.cni.namespace }}
labels:
app: {{ template "consul.name" . }}
chart: {{ template "consul.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
component: cni
rules:
- apiGroups: [""]
resources:
- pods
verbs:
- get
- list
- watch
- patch
- update
- apiGroups: ["policy"]
resources:
- podsecuritypolicies
resourceNames:
- {{ template "consul.fullname" . }}-cni
verbs:
- use
{{- if .Values.global.openshift.enabled}}
- apiGroups: ["security.openshift.io"]
resources: ["securitycontextconstraints"]
resourceNames:
- {{ template "consul.fullname" . }}-cni
verbs:
- use
{{- end }}
{{- end }}
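Review bot: the `podsecuritypolicies` `use` rule is unconditional here, while the client Role in this same change gates the identical rule on `global.enablePodSecurityPolicies`; wrap it in the same condition so the ClusterRole does not reference a PSP that only exists when that flag is set. Also `metadata.namespace` has no effect on a ClusterRole, which is cluster-scoped; drop it to avoid implying the role is namespaced.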

View File

@ -0,0 +1,20 @@
{{- if .Values.connectInject.cni.enabled }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ template "consul.fullname" . }}-cni
labels:
app: {{ template "consul.name" . }}
chart: {{ template "consul.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
component: cni
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ template "consul.fullname" . }}-cni
subjects:
- kind: ServiceAccount
name: {{ template "consul.fullname" . }}-cni
namespace: {{ default .Release.Namespace .Values.connectInject.cni.namespace }}
{{- end }}

View File

@ -0,0 +1,92 @@
{{- if (and (.Values.connectInject.cni.enabled) (not .Values.connectInject.enabled)) }}{{ fail "connectInject.enabled must be true if connectInject.cni.enabled is true" }}{{ end -}}
{{- if .Values.connectInject.cni.enabled }}
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: {{ template "consul.fullname" . }}-cni
namespace: {{ default .Release.Namespace .Values.connectInject.cni.namespace }}
labels:
app: {{ template "consul.name" . }}
chart: {{ template "consul.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
component: cni
{{- if .Values.global.extraLabels }}
{{- toYaml .Values.global.extraLabels | nindent 4 }}
{{- end }}
spec:
{{- if .Values.connectInject.cni.updateStrategy }}
updateStrategy:
{{ tpl .Values.connectInject.cni.updateStrategy . | nindent 4 | trim }}
{{- end }}
selector:
matchLabels:
app: {{ template "consul.name" . }}
chart: {{ template "consul.chart" . }}
release: {{ .Release.Name }}
component: cni
template:
metadata:
labels:
app: {{ template "consul.name" . }}
chart: {{ template "consul.chart" . }}
release: {{ .Release.Name }}
component: cni
{{- if .Values.global.extraLabels }}
{{- toYaml .Values.global.extraLabels | nindent 8 }}
{{- end }}
annotations:
consul.hashicorp.com/connect-inject: "false"
consul.hashicorp.com/mesh-inject: "false"
spec:
# consul-cni only runs on linux operating systems
nodeSelector:
kubernetes.io/os: linux
tolerations:
# Mark the pod as a critical add-on for rescheduling.
- key: CriticalAddonsOnly
operator: Exists
- effect: NoExecute
operator: Exists
# Tell kubernetes that this daemonset is critical so that it will be scheduled on a new node before other pods
priorityClassName: system-node-critical
serviceAccountName: {{ template "consul.fullname" . }}-cni
{{- if not .Values.global.openshift.enabled }}
securityContext:
{{- toYaml .Values.connectInject.cni.securityContext | nindent 8 -}}
{{- end }}
# Minimize downtime during a rolling upgrade or deletion; tell Kubernetes to do a "force
# deletion": https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods.
terminationGracePeriodSeconds: 10
containers:
# This container installs the consul CNI binaries and CNI network config file on each node
- name: install-cni
image: {{ .Values.global.imageK8S }}
{{ template "consul.imagePullPolicy" . }}
securityContext:
privileged: true
command:
- consul-k8s-control-plane
- install-cni
- -log-level={{ default .Values.global.logLevel .Values.connectInject.cni.logLevel }}
- -cni-bin-dir={{ .Values.connectInject.cni.cniBinDir }}
- -cni-net-dir={{ .Values.connectInject.cni.cniNetDir }}
- -multus={{ .Values.connectInject.cni.multus }}
{{- with .Values.connectInject.cni.resources }}
resources:
{{- toYaml . | nindent 12 }}
{{- end }}
volumeMounts:
- mountPath: {{ .Values.connectInject.cni.cniBinDir }}
name: cni-bin-dir
- mountPath: {{ .Values.connectInject.cni.cniNetDir }}
name: cni-net-dir
volumes:
# Used to install CNI.
- name: cni-bin-dir
hostPath:
path: {{ .Values.connectInject.cni.cniBinDir }}
- name: cni-net-dir
hostPath:
path: {{ .Values.connectInject.cni.cniNetDir }}
{{- end }}
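Review bot: the `cni-bin-dir` and `cni-net-dir` hostPath volumes set no `type`, so no check is performed before mounting; if `connectInject.cni.cniBinDir` or `cniNetDir` is mistyped, the pod comes up anyway and installs into the wrong place on every node. `type: Directory` makes the kubelet fail the pod when the path is missing, which surfaces the misconfiguration instead of hiding it. Note also that `privileged: true` is hard-coded on the `install-cni` container, so `connectInject.cni.securityContext` (applied at pod level) cannot restrict it; a comment next to that value explaining why the installer needs it would help reviewers of downstream deployments.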

View File

@ -0,0 +1,25 @@
{{- if (and (.Values.connectInject.cni.enabled) (.Values.connectInject.cni.multus)) }}
apiVersion: "k8s.cni.cncf.io/v1"
kind: NetworkAttachmentDefinition
metadata:
name: {{ template "consul.fullname" . }}-cni
namespace: {{ default .Release.Namespace .Values.connectInject.cni.namespace }}
labels:
app: {{ template "consul.name" . }}
chart: {{ template "consul.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
component: cni
spec:
config: '{
"cniVersion": "0.3.1",
"type": "consul-cni",
"cni_bin_dir": "{{ .Values.connectInject.cni.cniBinDir }}",
"cni_net_dir": "{{ .Values.connectInject.cni.cniNetDir }}",
"kubeconfig": "ZZZ-consul-cni-kubeconfig",
"log_level": "{{ default .Values.global.logLevel .Values.connectInject.cni.logLevel }}",
"multus": true,
"name": "consul-cni",
"type": "consul-cni"
}'
{{- end }}
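Review bot: the inline CNI config carries the `"type": "consul-cni"` key twice (once after `cniVersion` and again as the last entry); duplicate keys are at best silently collapsed by the JSON parser and at worst rejected, so drop one. `"kubeconfig": "ZZZ-consul-cni-kubeconfig"` reads like a placeholder; if `install-cni` substitutes it at install time, say so in a comment, otherwise a reader will assume the config is broken.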

View File

@ -0,0 +1,31 @@
{{- if (and .Values.connectInject.cni.enabled .Values.global.enablePodSecurityPolicies) }}
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: {{ template "consul.fullname" . }}-cni
namespace: {{ default .Release.Namespace .Values.connectInject.cni.namespace }}
labels:
app: {{ template "consul.name" . }}
chart: {{ template "consul.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
component: cni
spec:
privileged: true
# GKE requires that allowPrivilegeEscalation:true if privileged: true.
allowPrivilegeEscalation: true
volumes:
- hostPath
- secret
- emptyDir
hostNetwork: false
readOnlyRootFilesystem: false
runAsUser:
rule: 'RunAsAny'
seLinux:
rule: 'RunAsAny'
supplementalGroups:
rule: 'RunAsAny'
fsGroup:
rule: 'RunAsAny'
{{- end }}
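Review bot: `hostPath` is permitted without `allowedHostPaths`, so this policy lets the cni pod mount any path on the node, whereas the client PSP in this same change restricts hostPath to `client.dataDirectoryHostPath`. Limit it to the two directories the DaemonSet actually uses, e.g. `allowedHostPaths:` followed by `- pathPrefix: {{ .Values.connectInject.cni.cniBinDir }}` and `- pathPrefix: {{ .Values.connectInject.cni.cniNetDir }}`.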

View File

@ -0,0 +1,22 @@
{{- if .Values.connectInject.cni.enabled }}
apiVersion: v1
kind: ResourceQuota
metadata:
name: {{ template "consul.fullname" . }}-cni
namespace: {{ default .Release.Namespace .Values.connectInject.cni.namespace }}
labels:
app: {{ template "consul.name" . }}
chart: {{ template "consul.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
component: cni
spec:
hard:
pods: {{ .Values.connectInject.cni.resourceQuota.pods | quote }}
scopeSelector:
matchExpressions:
- operator: In
scopeName: PriorityClass
values:
- system-node-critical
{{- end }}
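Review bot: a comment is missing on why a ResourceQuota scoped to `PriorityClass` `system-node-critical` is shipped at all; readers will otherwise take it for a limit on the cni pods. Its purpose is to allow pods with that priority class to be admitted in the chart's namespace on clusters whose quota admission restricts `system-node-critical` to `kube-system`, and the `pods` value therefore needs to be at least the number of nodes the DaemonSet covers. State that next to `connectInject.cni.resourceQuota.pods`.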

View File

@ -0,0 +1,55 @@
{{- if (and (.Values.connectInject.cni.enabled) (.Values.global.openshift.enabled)) }}
apiVersion: security.openshift.io/v1
kind: SecurityContextConstraints
metadata:
name: {{ template "consul.fullname" . }}-cni
namespace: {{ default .Release.Namespace .Values.connectInject.cni.namespace }}
labels:
app: {{ template "consul.name" . }}
chart: {{ template "consul.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
component: cni
annotations:
kubernetes.io/description: {{ template "consul.fullname" . }}-cni are the security context constraints required
to run consul-cni.
# Iff. allowHostDirVolumePlugin is true, hostPath must be included in volumes (see below).
allowHostDirVolumePlugin: true
allowHostIPC: false
allowHostNetwork: false
allowHostPID: false
allowHostPorts: false
allowPrivilegeEscalation: true
allowPrivilegedContainer: true
allowedCapabilities: null
defaultAddCapabilities: null
fsGroup:
type: MustRunAs
groups: []
priority: null
readOnlyRootFilesystem: false
requiredDropCapabilities:
- KILL
- MKNOD
- SETUID
- SETGID
runAsUser:
type: MustRunAsRange
seLinuxContext:
type: MustRunAs
supplementalGroups:
type: MustRunAs
users: []
volumes:
# This list must be in alphabetical order to match the post-reconcile order enforced by OpenShift admission hooks.
# Furthermore, hostPath must be included explicitly if allowHostDirVolumePlugin is true, as it will otherwise be
# added by OpenShift. It must be excluded if allowHostDirVolumePlugin is false per OpenShift requirements.
# This avoids false positives in change detection by third-party diff tools (e.g. ArgoCD) that respect list order.
- configMap
- downwardAPI
- emptyDir
- hostPath
- persistentVolumeClaim
- projected
- secret
{{- end }}

View File

@ -0,0 +1,19 @@
{{- if .Values.connectInject.cni.enabled }}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ template "consul.fullname" . }}-cni
namespace: {{ default .Release.Namespace .Values.connectInject.cni.namespace }}
labels:
app: {{ template "consul.name" . }}
chart: {{ template "consul.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
component: cni
{{- with .Values.global.imagePullSecrets }}
imagePullSecrets:
{{- range . }}
- name: {{ .name }}
{{- end }}
{{- end }}
{{- end}}

View File

@ -0,0 +1,291 @@
{{- if or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled) }}
# The ClusterRole to enable the Connect injector to get, list, watch and patch MutatingWebhookConfiguration.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ template "consul.fullname" . }}-connect-injector
labels:
app: {{ template "consul.name" . }}
chart: {{ template "consul.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
component: connect-injector
rules:
- apiGroups:
- consul.hashicorp.com
resources:
- servicedefaults
- serviceresolvers
- proxydefaults
- meshes
- exportedservices
- servicerouters
- servicesplitters
- serviceintentions
- ingressgateways
- terminatinggateways
- gatewayclassconfigs
- meshservices
- samenessgroups
- controlplanerequestlimits
- routeretryfilters
- routetimeoutfilters
- routeauthfilters
- gatewaypolicies
- registrations
{{- if .Values.global.peering.enabled }}
- peeringacceptors
- peeringdialers
{{- end }}
- jwtproviders
- routeauthfilters
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- consul.hashicorp.com
resources:
- servicedefaults/status
- serviceresolvers/status
- proxydefaults/status
- meshes/status
- exportedservices/status
- servicerouters/status
- servicesplitters/status
- serviceintentions/status
- ingressgateways/status
- terminatinggateways/status
- samenessgroups/status
- controlplanerequestlimits/status
- registrations/status
{{- if .Values.global.peering.enabled }}
- peeringacceptors/status
- peeringdialers/status
{{- end }}
- jwtproviders/status
- routeauthfilters/status
- gatewaypolicies/status
verbs:
- get
- patch
- update
{{- if (mustHas "resource-apis" .Values.global.experiments) }}
- apiGroups:
- auth.consul.hashicorp.com
resources:
- trafficpermissions
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- auth.consul.hashicorp.com
resources:
- trafficpermissions/status
verbs:
- get
- patch
- update
- apiGroups:
- mesh.consul.hashicorp.com
resources:
- gatewayclassconfigs
- gatewayclasses
- meshconfigurations
- grpcroutes
- httproutes
- meshgateways
- apigateways
- tcproutes
- proxyconfigurations
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- mesh.consul.hashicorp.com
resources:
- gatewayclassconfigs/status
- gatewayclasses/status
- meshconfigurations/status
- grpcroutes/status
- httproutes/status
- meshgateways/status
- apigateways/status
- tcproutes/status
- proxyconfigurations/status
verbs:
- get
- patch
- update
- apiGroups:
- multicluster.consul.hashicorp.com
resources:
- exportedservices
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- multicluster.consul.hashicorp.com
resources:
- exportedservices/status
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
{{- end }}
- apiGroups: [ "" ]
resources: [ "secrets", "serviceaccounts", "endpoints", "services", "namespaces", "nodes" ]
verbs:
- create
- get
- list
- watch
- delete
- update
- apiGroups: [ "rbac.authorization.k8s.io" ]
resources: [ "roles", "rolebindings" ]
verbs:
- get
- list
- watch
- delete
- create
- update
- apiGroups: [ "" ]
resources:
- pods
verbs:
- "get"
- "list"
- "watch"
- "update"
- apiGroups:
- coordination.k8s.io
resources:
- leases
verbs:
- create
- get
- list
- update
{{- if (and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.connectInjectRole .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName .Values.global.secretsBackend.vault.connectInject.caCert.secretName)}}
- apiGroups:
- admissionregistration.k8s.io
resources:
- mutatingwebhookconfigurations
- validatingwebhookconfigurations
verbs:
- get
- list
- watch
- patch
{{- end }}
{{- if .Values.global.peering.enabled }}
- apiGroups: [ "" ]
resources: [ "secrets" ]
verbs:
- "get"
- "list"
- "watch"
- "create"
- "update"
- "delete"
{{- end }}
- apiGroups: [ "policy" ]
resources: [ "podsecuritypolicies" ]
verbs:
- use
- apiGroups:
- gateway.networking.k8s.io
resources:
- gatewayclasses
- gateways
- httproutes
- tcproutes
- referencegrants
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- gateway.networking.k8s.io
resources:
- gatewayclasses/finalizers
- gateways/finalizers
- httproutes/finalizers
- tcproutes/finalizers
verbs:
- update
- apiGroups:
- gateway.networking.k8s.io
resources:
- gatewayclasses/status
- gateways/status
- httproutes/status
- tcproutes/status
verbs:
- get
- patch
- update
- apiGroups:
- apps
resources:
- deployments
verbs:
- create
- get
- list
- update
- watch
- delete
- apiGroups:
- core
resources:
- services
verbs:
- watch
- list
- apiGroups: [ "" ]
resources: [ "secrets" ]
verbs:
- "get"
- "list"
- "watch"
{{- if .Values.global.openshift.enabled }}
- apiGroups:
- security.openshift.io
resources:
- securitycontextconstraints
resourceNames:
- {{ .Values.connectInject.apiGateway.managedGatewayClass.openshiftSCCName }}
verbs:
- use
{{- end }}
{{- end }}
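Review bot: the rule with `apiGroups: - core` near the end of the hunk grants nothing: the core API group is addressed as the empty string `""`, as every other core rule in this file does, so `services` `watch`/`list` under `core` never matches a request. Either change it to `- ""` or delete it, since `list`/`watch` on `services` is already granted by the `[ "" ]` rule in the middle of the hunk. Also `routeauthfilters` is listed twice in the first rule, and the `exportedservices/status` rule in the `multicluster.consul.hashicorp.com` group grants create/delete/list/watch where every other `/status` rule grants only get/patch/update; trim it to match.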

View File

@ -0,0 +1,20 @@
{{- if or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled) }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ template "consul.fullname" . }}-connect-injector
labels:
app: {{ template "consul.name" . }}
chart: {{ template "consul.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
component: connect-injector
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ template "consul.fullname" . }}-connect-injector
subjects:
- kind: ServiceAccount
name: {{ template "consul.fullname" . }}-connect-injector
namespace: {{ .Release.Namespace }}
{{- end }}

View File

@ -0,0 +1,371 @@
{{- if and .Values.global.peering.enabled (not .Values.connectInject.enabled) }}{{ fail "setting global.peering.enabled to true requires connectInject.enabled to be true" }}{{ end }}
{{- if and .Values.global.peering.enabled (not .Values.global.tls.enabled) }}{{ fail "setting global.peering.enabled to true requires global.tls.enabled to be true" }}{{ end }}
{{- if and .Values.global.peering.enabled (not .Values.meshGateway.enabled) }}{{ fail "setting global.peering.enabled to true requires meshGateway.enabled to be true" }}{{ end }}
{{- if (or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled)) }}
{{- if and .Values.global.adminPartitions.enabled (not .Values.global.enableConsulNamespaces) }}{{ fail "global.enableConsulNamespaces must be true if global.adminPartitions.enabled=true" }}{{ end }}
{{ template "consul.validateVaultWebhookCertConfiguration" . }}
{{- template "consul.reservedNamesFailer" (list .Values.connectInject.consulNamespaces.consulDestinationNamespace "connectInject.consulNamespaces.consulDestinationNamespace") }}
{{- if and .Values.externalServers.enabled (not .Values.externalServers.hosts) }}{{ fail "externalServers.hosts must be set if externalServers.enabled is true" }}{{ end -}}
{{- if and .Values.externalServers.enabled .Values.global.cloud.enabled }}
{{- if and (gt (len .Values.externalServers.hosts) 0) (regexMatch ".+.hashicorp.cloud$" ( first .Values.externalServers.hosts )) }}{{fail "global.cloud.enabled cannot be used in combination with an HCP-managed cluster address in externalServers.hosts. global.cloud.enabled is for linked self-managed clusters."}}{{- end }}
{{- end }}
{{- if and .Values.externalServers.skipServerWatch (not .Values.externalServers.enabled) }}{{ fail "externalServers.enabled must be set if externalServers.skipServerWatch is true" }}{{ end -}}
{{- $dnsEnabled := (or (and (ne (.Values.dns.enabled | toString) "-") .Values.dns.enabled) (and (eq (.Values.dns.enabled | toString) "-") .Values.connectInject.transparentProxy.defaultEnabled)) -}}
{{- $dnsRedirectionEnabled := (or (and (ne (.Values.dns.enableRedirection | toString) "-") .Values.dns.enableRedirection) (and (eq (.Values.dns.enableRedirection | toString) "-") .Values.connectInject.transparentProxy.defaultEnabled)) -}}
{{ template "consul.validateRequiredCloudSecretsExist" . }}
{{ template "consul.validateCloudSecretKeys" . }}
{{ template "consul.validateResourceAPIs" . }}
# The deployment for running the Connect sidecar injector
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ template "consul.fullname" . }}-connect-injector
namespace: {{ .Release.Namespace }}
labels:
app: {{ template "consul.name" . }}
chart: {{ template "consul.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
component: connect-injector
{{- if .Values.global.extraLabels }}
{{- toYaml .Values.global.extraLabels | nindent 4 }}
{{- end }}
spec:
replicas: {{ .Values.connectInject.replicas }}
selector:
matchLabels:
app: {{ template "consul.name" . }}
chart: {{ template "consul.chart" . }}
release: {{ .Release.Name }}
component: connect-injector
template:
metadata:
labels:
app: {{ template "consul.name" . }}
chart: {{ template "consul.chart" . }}
release: {{ .Release.Name }}
component: connect-injector
{{- if .Values.connectInject.extraLabels }}
{{- toYaml .Values.connectInject.extraLabels | nindent 8 }}
{{- end }}
{{- if .Values.global.extraLabels }}
{{- toYaml .Values.global.extraLabels | nindent 8 }}
{{- end }}
annotations:
"consul.hashicorp.com/connect-inject": "false"
"consul.hashicorp.com/mesh-inject": "false"
{{- if .Values.connectInject.annotations }}
{{- tpl .Values.connectInject.annotations . | nindent 8 }}
{{- end }}
{{- if (and .Values.global.secretsBackend.vault.enabled .Values.global.tls.enabled) }}
"vault.hashicorp.com/agent-init-first": "true"
"vault.hashicorp.com/agent-inject": "true"
{{- if .Values.global.secretsBackend.vault.connectInjectRole }}
"vault.hashicorp.com/role": {{ .Values.global.secretsBackend.vault.connectInjectRole }}
{{ else }}
"vault.hashicorp.com/role": {{ .Values.global.secretsBackend.vault.consulCARole }}
{{ end }}
"vault.hashicorp.com/agent-inject-secret-serverca.crt": {{ .Values.global.tls.caCert.secretName }}
"vault.hashicorp.com/agent-inject-template-serverca.crt": {{ template "consul.serverTLSCATemplate" . }}
{{- if .Values.global.secretsBackend.vault.connectInject.caCert.secretName }}
{{- with .Values.global.secretsBackend.vault.connectInject.caCert }}
"vault.hashicorp.com/agent-inject-secret-ca.crt": {{ .secretName }}
"vault.hashicorp.com/agent-inject-template-ca.crt": {{ template "consul.vaultCATemplate" . }}
"vault.hashicorp.com/secret-volume-path-ca.crt": "/vault/secrets/connect-injector/certs"
{{- end }}
{{- end }}
{{- if .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName }}
"vault.hashicorp.com/agent-inject-secret-tls.crt": {{ .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName }}
"vault.hashicorp.com/agent-inject-template-tls.crt": {{ include "consul.connectInjectWebhookTLSCertTemplate" . }}
"vault.hashicorp.com/secret-volume-path-tls.crt": "/vault/secrets/connect-injector/certs"
"vault.hashicorp.com/agent-inject-secret-tls.key": {{ .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName }}
"vault.hashicorp.com/agent-inject-template-tls.key": {{ include "consul.connectInjectWebhookTLSKeyTemplate" . }}
"vault.hashicorp.com/secret-volume-path-tls.key": "/vault/secrets/connect-injector/certs"
{{- end }}
{{- if and .Values.global.secretsBackend.vault.ca.secretName .Values.global.secretsBackend.vault.ca.secretKey }}
"vault.hashicorp.com/agent-extra-secret": "{{ .Values.global.secretsBackend.vault.ca.secretName }}"
"vault.hashicorp.com/ca-cert": "/vault/custom/{{ .Values.global.secretsBackend.vault.ca.secretKey }}"
{{- end }}
{{- if .Values.global.secretsBackend.vault.agentAnnotations }}
{{ tpl .Values.global.secretsBackend.vault.agentAnnotations . | nindent 8 | trim }}
{{- end }}
{{- if (and (.Values.global.secretsBackend.vault.vaultNamespace) (not (hasKey (default "" .Values.global.secretsBackend.vault.agentAnnotations | fromYaml) "vault.hashicorp.com/namespace")))}}
"vault.hashicorp.com/namespace": "{{ .Values.global.secretsBackend.vault.vaultNamespace }}"
{{- end }}
{{- end }}
spec:
serviceAccountName: {{ template "consul.fullname" . }}-connect-injector
containers:
- name: sidecar-injector
image: "{{ default .Values.global.imageK8S .Values.connectInject.image }}"
{{ template "consul.imagePullPolicy" . }}
ports:
- containerPort: 8080
name: webhook-server
protocol: TCP
{{- include "consul.restrictedSecurityContext" . | nindent 10 }}
env:
- name: NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
{{- include "consul.consulK8sConsulServerEnvVars" . | nindent 12 }}
{{- if .Values.global.acls.manageSystemACLs }}
- name: CONSUL_LOGIN_AUTH_METHOD
{{- if and .Values.global.federation.enabled .Values.global.federation.primaryDatacenter }}
value: {{ template "consul.fullname" . }}-k8s-component-auth-method-{{ .Values.global.datacenter }}
{{- else }}
value: {{ template "consul.fullname" . }}-k8s-component-auth-method
{{- end }}
- name: CONSUL_LOGIN_DATACENTER
{{- if and .Values.global.federation.enabled .Values.global.federation.primaryDatacenter }}
value: {{ .Values.global.federation.primaryDatacenter }}
{{- else }}
value: {{ .Values.global.datacenter }}
{{- end }}
- name: CONSUL_LOGIN_META
value: "component=connect-injector,pod=$(NAMESPACE)/$(POD_NAME)"
{{- end }}
{{- if (and .Values.connectInject.aclInjectToken.secretName .Values.connectInject.aclInjectToken.secretKey) }}
- name: CONSUL_ACL_TOKEN
valueFrom:
secretKeyRef:
name: {{ .Values.connectInject.aclInjectToken.secretName }}
key: {{ .Values.connectInject.aclInjectToken.secretKey }}
{{- end }}
command:
- "/bin/sh"
- "-ec"
- |
exec consul-k8s-control-plane inject-connect \
{{- if .Values.global.federation.enabled }}
-enable-federation \
{{- end }}
-log-level={{ default .Values.global.logLevel .Values.connectInject.logLevel }} \
-log-json={{ .Values.global.logJSON }} \
-default-inject={{ .Values.connectInject.default }} \
-consul-image="{{ default .Values.global.image .Values.connectInject.imageConsul }}" \
-consul-dataplane-image="{{ .Values.global.imageConsulDataplane }}" \
-consul-k8s-image="{{ default .Values.global.imageK8S .Values.connectInject.image }}" \
-release-name="{{ .Release.Name }}" \
-release-namespace="{{ .Release.Namespace }}" \
-resource-prefix={{ template "consul.fullname" . }} \
-listen=:8080 \
{{- if (mustHas "resource-apis" .Values.global.experiments) }}
-enable-resource-apis=true \
{{- end }}
{{- if (mustHas "v2tenancy" .Values.global.experiments) }}
-enable-v2tenancy=true \
{{- end }}
{{- range $k, $v := .Values.connectInject.consulNode.meta }}
-node-meta={{ $k }}={{ $v }} \
{{- end }}
{{- if .Values.connectInject.transparentProxy.defaultEnabled }}
-default-enable-transparent-proxy=true \
{{- else }}
-default-enable-transparent-proxy=false \
{{- end }}
-enable-cni={{ .Values.connectInject.cni.enabled }} \
{{- if .Values.global.peering.enabled }}
-enable-peering=true \
{{- end }}
{{- if .Values.global.openshift.enabled }}
-enable-openshift \
{{- end }}
{{- if .Values.connectInject.transparentProxy.defaultOverwriteProbes }}
-transparent-proxy-default-overwrite-probes=true \
{{- else }}
-transparent-proxy-default-overwrite-probes=false \
{{- end }}
{{- if (and $dnsEnabled $dnsRedirectionEnabled) }}
-enable-consul-dns=true \
{{- end }}
{{- if .Values.global.openshift.enabled }}
-enable-openshift \
{{- end }}
{{- if (or (and (ne (.Values.connectInject.metrics.defaultEnabled | toString) "-") .Values.connectInject.metrics.defaultEnabled) (and (eq (.Values.connectInject.metrics.defaultEnabled | toString) "-") .Values.global.metrics.enabled)) }}
-default-enable-metrics=true \
{{- else }}
-default-enable-metrics=false \
{{- end }}
-enable-gateway-metrics={{ .Values.global.metrics.enableGatewayMetrics }} \
-default-enable-metrics-merging={{ .Values.connectInject.metrics.defaultEnableMerging }} \
-default-merged-metrics-port={{ .Values.connectInject.metrics.defaultMergedMetricsPort }} \
-default-prometheus-scrape-port={{ .Values.connectInject.metrics.defaultPrometheusScrapePort }} \
-default-prometheus-scrape-path="{{ .Values.connectInject.metrics.defaultPrometheusScrapePath }}" \
{{- if .Values.connectInject.envoyExtraArgs }}
-envoy-extra-args="{{ .Values.connectInject.envoyExtraArgs }}" \
{{- end }}
{{- if .Values.connectInject.overrideAuthMethodName }}
-acl-auth-method="{{ .Values.connectInject.overrideAuthMethodName }}" \
{{- else if .Values.global.acls.manageSystemACLs }}
-acl-auth-method="{{ template "consul.fullname" . }}-k8s-auth-method" \
{{- end }}
{{- range $value := .Values.connectInject.k8sAllowNamespaces }}
-allow-k8s-namespace="{{ $value }}" \
{{- end }}
{{- range $value := .Values.connectInject.k8sDenyNamespaces }}
-deny-k8s-namespace="{{ $value }}" \
{{- end }}
{{- if .Values.global.adminPartitions.enabled }}
-enable-partitions=true \
{{- end }}
{{- if .Values.global.enableConsulNamespaces }}
-enable-namespaces=true \
{{- if .Values.connectInject.consulNamespaces.consulDestinationNamespace }}
-consul-destination-namespace={{ .Values.connectInject.consulNamespaces.consulDestinationNamespace }} \
{{- end }}
{{- if and .Values.global.enableConsulNamespaces .Values.connectInject.consulNamespaces.mirroringK8S }}
-enable-k8s-namespace-mirroring=true \
{{- if .Values.connectInject.consulNamespaces.mirroringK8SPrefix }}
-k8s-namespace-mirroring-prefix={{ .Values.connectInject.consulNamespaces.mirroringK8SPrefix }} \
{{- end }}
{{- end }}
{{- if .Values.global.acls.manageSystemACLs }}
-consul-cross-namespace-acl-policy=cross-namespace-policy \
{{- end }}
{{- end }}
{{- if and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName }}
-tls-cert-dir=/vault/secrets/connect-injector/certs \
-enable-webhook-ca-update \
{{- else }}
-tls-cert-dir=/etc/connect-injector/certs \
{{- end }}
{{- $resources := .Values.connectInject.sidecarProxy.resources }}
{{- /* kindIs is used here to differentiate between null and 0 */}}
{{- if not (kindIs "invalid" $resources.limits.memory) }}
-default-sidecar-proxy-memory-limit={{ $resources.limits.memory }} \
{{- end }}
{{- if not (kindIs "invalid" $resources.requests.memory) }}
-default-sidecar-proxy-memory-request={{ $resources.requests.memory }} \
{{- end }}
{{- if not (kindIs "invalid" $resources.limits.cpu) }}
-default-sidecar-proxy-cpu-limit={{ $resources.limits.cpu }} \
{{- end }}
{{- if not (kindIs "invalid" $resources.requests.cpu) }}
-default-sidecar-proxy-cpu-request={{ $resources.requests.cpu }} \
{{- end }}
-default-envoy-proxy-concurrency={{ .Values.connectInject.sidecarProxy.concurrency }} \
{{- if .Values.connectInject.sidecarProxy.lifecycle.defaultEnabled }}
-default-enable-sidecar-proxy-lifecycle=true \
{{- else }}
-default-enable-sidecar-proxy-lifecycle=false \
{{- end }}
{{- if .Values.connectInject.sidecarProxy.lifecycle.defaultEnableShutdownDrainListeners }}
-default-enable-sidecar-proxy-lifecycle-shutdown-drain-listeners=true \
{{- else }}
-default-enable-sidecar-proxy-lifecycle-shutdown-drain-listeners=false \
{{- end }}
-default-sidecar-proxy-lifecycle-shutdown-grace-period-seconds={{ .Values.connectInject.sidecarProxy.lifecycle.defaultShutdownGracePeriodSeconds }} \
-default-sidecar-proxy-lifecycle-startup-grace-period-seconds={{ .Values.connectInject.sidecarProxy.lifecycle.defaultStartupGracePeriodSeconds }} \
-default-sidecar-proxy-lifecycle-graceful-port={{ .Values.connectInject.sidecarProxy.lifecycle.defaultGracefulPort }} \
-default-sidecar-proxy-lifecycle-graceful-shutdown-path="{{ .Values.connectInject.sidecarProxy.lifecycle.defaultGracefulShutdownPath }}" \
-default-sidecar-proxy-lifecycle-graceful-startup-path="{{ .Values.connectInject.sidecarProxy.lifecycle.defaultGracefulStartupPath }}" \
-default-sidecar-proxy-startup-failure-seconds={{ .Values.connectInject.sidecarProxy.defaultStartupFailureSeconds }} \
-default-sidecar-proxy-liveness-failure-seconds={{ .Values.connectInject.sidecarProxy.defaultLivenessFailureSeconds }} \
{{- if .Values.connectInject.initContainer }}
{{- $initResources := .Values.connectInject.initContainer.resources }}
{{- if not (kindIs "invalid" $initResources.limits.memory) }}
-init-container-memory-limit={{ $initResources.limits.memory }} \
{{- end }}
{{- if not (kindIs "invalid" $initResources.requests.memory) }}
-init-container-memory-request={{ $initResources.requests.memory }} \
{{- end }}
{{- if not (kindIs "invalid" $initResources.limits.cpu) }}
-init-container-cpu-limit={{ $initResources.limits.cpu }} \
{{- end }}
{{- if not (kindIs "invalid" $initResources.requests.cpu) }}
-init-container-cpu-request={{ $initResources.requests.cpu }} \
{{- end }}
{{- end }}
{{- if .Values.global.cloud.enabled }}
-tls-server-name=server.{{ .Values.global.datacenter}}.{{ .Values.global.domain}} \
{{- end }}
{{- if and .Values.global.tls.enabled .Values.global.tls.enableAutoEncrypt }}
-enable-auto-encrypt \
{{- end }}
-enable-telemetry-collector={{ .Values.global.metrics.enableTelemetryCollector}} \
startupProbe:
httpGet:
path: /readyz/ready
port: 9445
scheme: HTTP
initialDelaySeconds: 30
failureThreshold: 15
periodSeconds: 2
timeoutSeconds: 5
livenessProbe:
httpGet:
path: /readyz/ready
port: 9445
scheme: HTTP
failureThreshold: 2
initialDelaySeconds: 1
successThreshold: 1
timeoutSeconds: 5
readinessProbe:
httpGet:
path: /readyz/ready
port: 9445
scheme: HTTP
failureThreshold: 2
initialDelaySeconds: 2
successThreshold: 1
timeoutSeconds: 5
volumeMounts:
{{- if not (and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName) }}
- name: certs
mountPath: /etc/connect-injector/certs
readOnly: true
{{- end }}
{{- if and .Values.global.tls.enabled (not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled))}}
- name: consul-ca-cert
mountPath: /consul/tls/ca
readOnly: true
{{- end }}
{{- with .Values.connectInject.resources }}
resources:
{{- toYaml . | nindent 12 }}
{{- end }}
volumes:
{{- if not (and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName) }}
- name: certs
secret:
defaultMode: 420
secretName: {{ template "consul.fullname" . }}-connect-inject-webhook-cert
{{- end }}
{{- if .Values.global.tls.enabled }}
{{- if not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled) }}
- name: consul-ca-cert
secret:
{{- if .Values.global.tls.caCert.secretName }}
secretName: {{ .Values.global.tls.caCert.secretName }}
{{- else }}
secretName: {{ template "consul.fullname" . }}-ca-cert
{{- end }}
items:
- key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }}
path: tls.crt
{{- end }}
{{- end }}
{{- if .Values.connectInject.priorityClassName }}
priorityClassName: {{ .Values.connectInject.priorityClassName | quote }}
{{- end }}
{{- if .Values.connectInject.nodeSelector }}
nodeSelector:
{{ tpl .Values.connectInject.nodeSelector . | indent 8 | trim }}
{{- end }}
{{- if .Values.connectInject.affinity }}
affinity:
{{ tpl .Values.connectInject.affinity . | indent 8 | trim }}
{{- end }}
{{- if .Values.connectInject.tolerations }}
tolerations:
{{ tpl .Values.connectInject.tolerations . | indent 8 | trim }}
{{- end }}
{{- end }}
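Review bot: the `-enable-openshift` flag is emitted twice when `global.openshift.enabled` is true; the three-line block `{{- if .Values.global.openshift.enabled }}` / `-enable-openshift \` / `{{- end }}` appears once right after the `-enable-peering` block and again right after `-transparent-proxy-default-overwrite-probes`, so the second copy should be dropped. In the validation preamble of the same file, the HCP guard only inspects `first .Values.externalServers.hosts` and uses the unescaped pattern `.+.hashicorp.cloud$`, so an HCP address in any later entry, or one whose dots are replaced by any character, slips past the `fail`; range over every host and escape the dots (`"\\.hashicorp\\.cloud$"`). Minor: `"vault.hashicorp.com/role":` is emitted with an unquoted value in both branches while the other Vault annotations in this block quote theirs; quote it the same way so a role name with YAML-significant characters cannot break the manifest.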

View File

@ -0,0 +1,41 @@
{{- if or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled) }}
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ template "consul.fullname" . }}-connect-inject-leader-election
namespace: {{ .Release.Namespace }}
labels:
app: {{ template "consul.name" . }}
chart: {{ template "consul.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
component: connect-injector
rules:
- apiGroups:
- ""
resources:
- configmaps
verbs:
- get
- list
- watch
- create
- update
- patch
- delete
- apiGroups:
- ""
resources:
- configmaps/status
verbs:
- get
- update
- patch
- apiGroups:
- ""
resources:
- events
verbs:
- create
- patch
{{- end }}
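Review bot: the `configmaps` rule grants get/list/watch/create/update/patch/delete on every ConfigMap in the release namespace, which is wider than leader election needs and lets the injector's service account read or delete unrelated ConfigMaps there. Scope the update/patch/delete verbs with `resourceNames` to the election ConfigMap (list, watch and create cannot be restricted by name, so keep those in a separate rule), or switch election to `coordination.k8s.io` Leases so no ConfigMap access is needed at all.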

View File

@ -0,0 +1,21 @@
{{- if or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled) }}
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ template "consul.fullname" . }}-connect-inject-leader-election
namespace: {{ .Release.Namespace }}
labels:
app: {{ template "consul.name" . }}
chart: {{ template "consul.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
component: connect-injector
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ template "consul.fullname" . }}-connect-inject-leader-election
subjects:
- kind: ServiceAccount
name: {{ template "consul.fullname" . }}-connect-injector
namespace: {{ .Release.Namespace }}
{{- end }}

View File

@ -0,0 +1,381 @@
{{- if (or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled)) }}
# The MutatingWebhookConfiguration to enable the Connect injector.
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
name: {{ template "consul.fullname" . }}-connect-injector
namespace: {{ .Release.Namespace }}
labels:
app: {{ template "consul.name" . }}
chart: {{ template "consul.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
component: connect-injector
webhooks:
- clientConfig:
service:
name: {{ template "consul.fullname" . }}-connect-injector
namespace: {{ .Release.Namespace }}
path: /mutate-v1alpha1-proxydefaults
failurePolicy: Fail
admissionReviewVersions:
- "v1beta1"
- "v1"
name: mutate-proxydefaults.consul.hashicorp.com
rules:
- apiGroups:
- consul.hashicorp.com
apiVersions:
- v1alpha1
operations:
- CREATE
- UPDATE
resources:
- proxydefaults
sideEffects: None
- clientConfig:
service:
name: {{ template "consul.fullname" . }}-connect-injector
namespace: {{ .Release.Namespace }}
path: /mutate-v1alpha1-mesh
failurePolicy: Fail
admissionReviewVersions:
- "v1beta1"
- "v1"
name: mutate-mesh.consul.hashicorp.com
rules:
- apiGroups:
- consul.hashicorp.com
apiVersions:
- v1alpha1
operations:
- CREATE
- UPDATE
resources:
- meshes
sideEffects: None
- clientConfig:
service:
name: {{ template "consul.fullname" . }}-connect-injector
namespace: {{ .Release.Namespace }}
path: /mutate-v1alpha1-servicedefaults
failurePolicy: Fail
admissionReviewVersions:
- "v1beta1"
- "v1"
name: mutate-servicedefaults.consul.hashicorp.com
rules:
- apiGroups:
- consul.hashicorp.com
apiVersions:
- v1alpha1
operations:
- CREATE
- UPDATE
resources:
- servicedefaults
sideEffects: None
- clientConfig:
service:
name: {{ template "consul.fullname" . }}-connect-injector
namespace: {{ .Release.Namespace }}
path: /mutate-v1alpha1-serviceresolver
failurePolicy: Fail
admissionReviewVersions:
- "v1beta1"
- "v1"
name: mutate-serviceresolver.consul.hashicorp.com
rules:
- apiGroups:
- consul.hashicorp.com
apiVersions:
- v1alpha1
operations:
- CREATE
- UPDATE
resources:
- serviceresolvers
sideEffects: None
- clientConfig:
service:
name: {{ template "consul.fullname" . }}-connect-injector
namespace: {{ .Release.Namespace }}
path: /mutate-v1alpha1-servicerouter
failurePolicy: Fail
admissionReviewVersions:
- "v1beta1"
- "v1"
name: mutate-servicerouter.consul.hashicorp.com
rules:
- apiGroups:
- consul.hashicorp.com
apiVersions:
- v1alpha1
operations:
- CREATE
- UPDATE
resources:
- servicerouters
sideEffects: None
- clientConfig:
service:
name: {{ template "consul.fullname" . }}-connect-injector
namespace: {{ .Release.Namespace }}
path: /mutate-v1alpha1-servicesplitter
failurePolicy: Fail
admissionReviewVersions:
- "v1beta1"
- "v1"
name: mutate-servicesplitter.consul.hashicorp.com
rules:
- apiGroups:
- consul.hashicorp.com
apiVersions:
- v1alpha1
operations:
- CREATE
- UPDATE
resources:
- servicesplitters
sideEffects: None
- clientConfig:
service:
name: {{ template "consul.fullname" . }}-connect-injector
namespace: {{ .Release.Namespace }}
path: /mutate-v1alpha1-serviceintentions
failurePolicy: Fail
admissionReviewVersions:
- "v1beta1"
- "v1"
name: mutate-serviceintentions.consul.hashicorp.com
rules:
- apiGroups:
- consul.hashicorp.com
apiVersions:
- v1alpha1
operations:
- CREATE
- UPDATE
resources:
- serviceintentions
sideEffects: None
- clientConfig:
service:
name: {{ template "consul.fullname" . }}-connect-injector
namespace: {{ .Release.Namespace }}
path: /mutate-v1alpha1-ingressgateway
failurePolicy: Fail
admissionReviewVersions:
- "v1beta1"
- "v1"
name: mutate-ingressgateway.consul.hashicorp.com
rules:
- apiGroups:
- consul.hashicorp.com
apiVersions:
- v1alpha1
operations:
- CREATE
- UPDATE
resources:
- ingressgateways
sideEffects: None
- clientConfig:
service:
name: {{ template "consul.fullname" . }}-connect-injector
namespace: {{ .Release.Namespace }}
path: /mutate-v1alpha1-terminatinggateway
failurePolicy: Fail
admissionReviewVersions:
- "v1beta1"
- "v1"
name: mutate-terminatinggateway.consul.hashicorp.com
rules:
- apiGroups:
- consul.hashicorp.com
apiVersions:
- v1alpha1
operations:
- CREATE
- UPDATE
resources:
- terminatinggateways
sideEffects: None
- clientConfig:
service:
name: {{ template "consul.fullname" . }}-connect-injector
namespace: {{ .Release.Namespace }}
path: /mutate-v1alpha1-exportedservices
failurePolicy: Fail
admissionReviewVersions:
- "v1beta1"
- "v1"
name: mutate-exportedservices.consul.hashicorp.com
rules:
- apiGroups:
- consul.hashicorp.com
apiVersions:
- v1alpha1
operations:
- CREATE
- UPDATE
resources:
- exportedservices
sideEffects: None
- clientConfig:
service:
name: {{ template "consul.fullname" . }}-connect-injector
namespace: {{ .Release.Namespace }}
path: /mutate-v1alpha1-controlplanerequestlimits
failurePolicy: Fail
admissionReviewVersions:
- "v1beta1"
- "v1"
name: mutate-controlplanerequestlimit.consul.hashicorp.com
rules:
- apiGroups:
- consul.hashicorp.com
apiVersions:
- v1alpha1
operations:
- CREATE
- UPDATE
resources:
- controlplanerequestlimits
sideEffects: None
- name: {{ template "consul.fullname" . }}-connect-injector.consul.hashicorp.com
# The webhook will fail scheduling all pods that are not part of consul if all replicas of the webhook are unhealthy.
objectSelector:
matchExpressions:
- key: app
operator: NotIn
values: [ {{ template "consul.name" . }} ]
failurePolicy: {{ .Values.connectInject.failurePolicy }}
sideEffects: None
admissionReviewVersions:
- "v1beta1"
- "v1"
clientConfig:
service:
name: {{ template "consul.fullname" . }}-connect-injector
namespace: {{ .Release.Namespace }}
path: "/mutate"
rules:
- operations: [ "CREATE" ]
apiGroups: [ "" ]
apiVersions: [ "v1" ]
resources: [ "pods" ]
{{- if .Values.connectInject.namespaceSelector }}
namespaceSelector:
{{ tpl .Values.connectInject.namespaceSelector . | indent 6 }}
{{- end }}
{{- if .Values.global.peering.enabled }}
- name: {{ template "consul.fullname" . }}-mutate-peeringacceptors.consul.hashicorp.com
clientConfig:
service:
name: {{ template "consul.fullname" . }}-connect-injector
namespace: {{ .Release.Namespace }}
path: "/mutate-v1alpha1-peeringacceptors"
rules:
- apiGroups:
- consul.hashicorp.com
apiVersions:
- v1alpha1
operations:
- CREATE
- UPDATE
resources:
- peeringacceptors
failurePolicy: Fail
sideEffects: None
admissionReviewVersions:
- "v1beta1"
- "v1"
- name: {{ template "consul.fullname" . }}-mutate-peeringdialers.consul.hashicorp.com
clientConfig:
service:
name: {{ template "consul.fullname" . }}-connect-injector
namespace: {{ .Release.Namespace }}
path: "/mutate-v1alpha1-peeringdialers"
rules:
- apiGroups:
- consul.hashicorp.com
apiVersions:
- v1alpha1
operations:
- CREATE
- UPDATE
resources:
- peeringdialers
failurePolicy: Fail
sideEffects: None
admissionReviewVersions:
- "v1beta1"
- "v1"
- admissionReviewVersions:
- v1beta1
- v1
clientConfig:
service:
name: {{ template "consul.fullname" . }}-connect-injector
namespace: {{ .Release.Namespace }}
path: /mutate-v1alpha1-samenessgroup
failurePolicy: Fail
name: mutate-samenessgroup.consul.hashicorp.com
rules:
- apiGroups:
- consul.hashicorp.com
apiVersions:
- v1alpha1
operations:
- CREATE
- UPDATE
resources:
- samenessgroups
sideEffects: None
{{- if (mustHas "resource-apis" .Values.global.experiments) }}
- admissionReviewVersions:
- v1beta1
- v1
clientConfig:
service:
name: {{ template "consul.fullname" . }}-connect-injector
namespace: {{ .Release.Namespace }}
path: /mutate-v2beta1-trafficpermissions
failurePolicy: Fail
name: mutate-trafficpermissions.auth.consul.hashicorp.com
rules:
- apiGroups:
- auth.consul.hashicorp.com
apiVersions:
- v2beta1
operations:
- CREATE
- UPDATE
resources:
- trafficpermissions
sideEffects: None
{{- end }}
{{- end }}
- admissionReviewVersions:
- v1beta1
- v1
clientConfig:
service:
name: {{ template "consul.fullname" . }}-connect-injector
namespace: {{ .Release.Namespace }}
path: /mutate-v1alpha1-jwtprovider
failurePolicy: Fail
name: mutate-jwtprovider.consul.hashicorp.com
rules:
- apiGroups:
- consul.hashicorp.com
apiVersions:
- v1alpha1
operations:
- CREATE
- UPDATE
resources:
- jwtproviders
sideEffects: None
{{- end }}
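Review bot: the pod-injection webhook (`{{ template "consul.fullname" . }}-connect-injector.consul.hashicorp.com`) is never called for a pod whose `app` label equals the chart name, because of `objectSelector` with `operator: NotIn`; the comment explains this keeps Consul's own pods schedulable when every injector replica is down, but it also means any tenant workload that sets that label silently bypasses injection (and with it the sidecar and its mTLS) regardless of `failurePolicy`. Since a pod author controls its own labels, prefer excluding the release namespace through `namespaceSelector`, which tenants cannot influence, or at least document `app=<chart name>` as an injection opt-out in the values file. Two smaller points: `metadata.namespace` is set on this cluster-scoped MutatingWebhookConfiguration and is ignored by the API server, so drop it; and `admissionReviewVersions` lists `v1beta1` ahead of `v1` on every webhook here while the ValidatingWebhookConfiguration in this change lists only `v1` (the API server picks the first version it supports, so this is harmless on current clusters, but the two configurations should agree).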

View File

@ -0,0 +1,40 @@
{{- if (and .Values.global.enablePodSecurityPolicies (or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled))) }}
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: {{ template "consul.fullname" . }}-connect-injector
namespace: {{ .Release.Namespace }}
labels:
app: {{ template "consul.name" . }}
chart: {{ template "consul.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
component: connect-injector
spec:
privileged: false
# Required to prevent escalations to root.
allowPrivilegeEscalation: false
# This is redundant with non-root + disallow privilege escalation,
# but we can provide it for defense in depth.
requiredDropCapabilities:
- ALL
# Allow core volume types.
volumes:
- 'configMap'
- 'emptyDir'
- 'projected'
- 'secret'
- 'downwardAPI'
hostNetwork: false
hostIPC: false
hostPID: false
runAsUser:
rule: 'RunAsAny'
seLinux:
rule: 'RunAsAny'
supplementalGroups:
rule: 'RunAsAny'
fsGroup:
rule: 'RunAsAny'
readOnlyRootFilesystem: false
{{- end }}
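Review bot: the comment `# This is redundant with non-root + disallow privilege escalation` does not describe this policy: `runAsUser:` / `rule: 'RunAsAny'` permits root, so `allowPrivilegeEscalation: false` and `requiredDropCapabilities: [ALL]` are the only controls actually in force; either use `rule: 'MustRunAsNonRoot'` (the injector container already includes `consul.restrictedSecurityContext`, so check that helper sets `runAsNonRoot` before tightening) or reword the comment, and consider whether `readOnlyRootFilesystem: false` is needed for a webhook that only reads mounted certs. Also, `policy/v1beta1` PodSecurityPolicy was removed in Kubernetes 1.25, so with `global.enablePodSecurityPolicies` true the release fails on current clusters; gate the whole template on `.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy"` the way the PodDisruptionBudget template in this change selects its API version. `metadata.namespace` is likewise ignored on this cluster-scoped kind.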

View File

@ -0,0 +1,23 @@
{{- if (or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled)) }}
# The service for the Connect sidecar injector
apiVersion: v1
kind: Service
metadata:
name: {{ template "consul.fullname" . }}-connect-injector
namespace: {{ .Release.Namespace }}
labels:
app: {{ template "consul.name" . }}
chart: {{ template "consul.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
component: connect-injector
spec:
ports:
- port: 443
targetPort: 8080
selector:
app: {{ template "consul.name" . }}
release: "{{ .Release.Name }}"
component: connect-injector
{{- end }}

View File

@ -0,0 +1,23 @@
{{- if or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled) }}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ template "consul.fullname" . }}-connect-injector
namespace: {{ .Release.Namespace }}
labels:
app: {{ template "consul.name" . }}
chart: {{ template "consul.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
component: connect-injector
{{- if .Values.connectInject.serviceAccount.annotations }}
annotations:
{{ tpl .Values.connectInject.serviceAccount.annotations . | nindent 4 | trim }}
{{- end }}
{{- with .Values.global.imagePullSecrets }}
imagePullSecrets:
{{- range . }}
- name: {{ .name }}
{{- end }}
{{- end }}
{{- end }}

View File

@ -0,0 +1,47 @@
{{- if (or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled)) }}
# The ValidatingWebhookConfiguration to enable the Connect injector.
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
name: {{ template "consul.fullname" . }}-connect-injector
namespace: {{ .Release.Namespace }}
labels:
app: {{ template "consul.name" . }}
chart: {{ template "consul.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
component: connect-injector
webhooks:
- name: validate-gatewaypolicy.consul.hashicorp.com
matchPolicy: Equivalent
rules:
- operations: [ "CREATE" , "UPDATE" ]
apiGroups: [ "consul.hashicorp.com" ]
apiVersions: [ "v1alpha1" ]
resources: [ "gatewaypolicies" ]
failurePolicy: Fail
sideEffects: None
admissionReviewVersions:
- v1
clientConfig:
service:
name: {{ template "consul.fullname" . }}-connect-injector
namespace: {{ .Release.Namespace }}
path: /validate-v1alpha1-gatewaypolicy
- name: validate-registration.consul.hashicorp.com
matchPolicy: Equivalent
rules:
- operations: [ "CREATE" , "UPDATE" ]
apiGroups: [ "consul.hashicorp.com" ]
apiVersions: [ "v1alpha1" ]
resources: [ "registrations" ]
failurePolicy: Fail
sideEffects: None
admissionReviewVersions:
- v1
clientConfig:
service:
name: {{ template "consul.fullname" . }}-connect-injector
namespace: {{ .Release.Namespace }}
path: /validate-v1alpha1-registration
{{- end }}
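Review bot: `metadata.namespace` is set on this cluster-scoped ValidatingWebhookConfiguration; the API server ignores it, so drop it to avoid implying the object is namespaced. Note also that only `gatewaypolicies` and `registrations` are validated here while every other `consul.hashicorp.com` CRD goes through a mutating webhook only; if that is intentional, a one-line comment stating that validation for those kinds happens inside the mutate handlers would save the next reader a search.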

View File

@ -0,0 +1,30 @@
{{- if (and .Values.connectInject.disruptionBudget.enabled (or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled))) }}
# PodDisruptionBudget to prevent degrading the connectInject cluster through
# voluntary cluster changes.
{{- if .Capabilities.APIVersions.Has "policy/v1/PodDisruptionBudget" }}
apiVersion: policy/v1
{{- else }}
apiVersion: policy/v1beta1
{{- end }}
kind: PodDisruptionBudget
metadata:
name: {{ template "consul.fullname" . }}-connect-injector
namespace: {{ .Release.Namespace }}
labels:
app: {{ template "consul.name" . }}
chart: {{ template "consul.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
component: connect-injector
spec:
{{- if .Values.connectInject.disruptionBudget.minAvailable }}
minAvailable: {{ .Values.connectInject.disruptionBudget.minAvailable }}
{{- else }}
maxUnavailable: {{ template "consul.pdb.connectInject.maxUnavailable" . }}
{{- end }}
selector:
matchLabels:
app: {{ template "consul.name" . }}
release: "{{ .Release.Name }}"
component: connect-injector
{{- end }}
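Review bot: `{{- if .Values.connectInject.disruptionBudget.minAvailable }}` treats a configured `minAvailable: 0` the same as unset and silently falls through to `maxUnavailable`; if 0 is meant to be a valid value, test with `kindIs "invalid"` as the sidecar resource flags in the deployment template do, otherwise document that only positive values are honoured.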

View File

@ -0,0 +1,317 @@
{{- if .Values.connectInject.enabled }}
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
labels:
app: {{ template "consul.name" . }}
chart: {{ template "consul.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
component: crd
name: apigateways.mesh.consul.hashicorp.com
spec:
group: mesh.consul.hashicorp.com
names:
kind: APIGateway
listKind: APIGatewayList
plural: apigateways
singular: apigateway
scope: Cluster
versions:
- additionalPrinterColumns:
- description: The sync status of the resource with Consul
jsonPath: .status.conditions[?(@.type=="Synced")].status
name: Synced
type: string
- description: The last successful synced time of the resource with Consul
jsonPath: .status.lastSyncedTime
name: Last Synced
type: date
- description: The age of the resource
jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v2beta1
schema:
openAPIV3Schema:
description: APIGateway is the Schema for the API Gateway
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
properties:
gatewayClassName:
description: GatewayClassName is the name of the GatewayClass used
by the APIGateway
type: string
listeners:
items:
properties:
hostname:
description: |-
Hostname is the host name that a listener should be bound to, if
unspecified, the listener accepts requests for all hostnames.
type: string
name:
description: |-
Name is the name of the listener in a given gateway. This must be
unique within a gateway.
type: string
port:
format: int32
maximum: 65535
minimum: 0
type: integer
protocol:
description: |-
Protocol is the protocol that a listener should use, it must
either be "http" or "tcp"
type: string
tls:
description: TLS is the TLS settings for the listener.
properties:
certificates:
description: |-
Certificates is a set of references to certificates
that a gateway listener uses for TLS termination.
items:
description: |-
Reference identifies which resource a condition relates to, when it is not
the core resource itself.
properties:
name:
description: Name is the user-given name of the resource
(e.g. the "billing" service).
type: string
section:
description: Section identifies which part of the
resource the condition relates to.
type: string
tenancy:
description: |-
Tenancy identifies the tenancy units (i.e. partition, namespace) in which
the resource resides.
properties:
namespace:
description: |-
Namespace further isolates resources within a partition.
https://developer.hashicorp.com/consul/docs/enterprise/namespaces
When using the List and WatchList endpoints, provide the wildcard value "*"
to list resources across all namespaces.
type: string
partition:
description: |-
Partition is the topmost administrative boundary within a cluster.
https://developer.hashicorp.com/consul/docs/enterprise/admin-partitions
When using the List and WatchList endpoints, provide the wildcard value "*"
to list resources across all partitions.
type: string
type: object
type:
description: Type identifies the resource's type.
properties:
group:
description: |-
Group describes the area of functionality to which this resource type
relates (e.g. "catalog", "authorization").
type: string
groupVersion:
description: |-
GroupVersion is incremented when sweeping or backward-incompatible changes
are made to the group's resource types.
type: string
kind:
description: Kind identifies the specific resource
type within the group.
type: string
type: object
type: object
type: array
tlsParameters:
description: TLSParameters contains optional configuration
for running TLS termination.
properties:
cipherSuites:
items:
enum:
- TLS_CIPHER_SUITE_ECDHE_ECDSA_AES128_GCM_SHA256
- TLS_CIPHER_SUITE_AES256_SHA
- TLS_CIPHER_SUITE_ECDHE_ECDSA_CHACHA20_POLY1305
- TLS_CIPHER_SUITE_ECDHE_RSA_AES128_GCM_SHA256
- TLS_CIPHER_SUITE_ECDHE_RSA_CHACHA20_POLY1305
- TLS_CIPHER_SUITE_ECDHE_ECDSA_AES128_SHA
- TLS_CIPHER_SUITE_ECDHE_RSA_AES128_SHA
- TLS_CIPHER_SUITE_AES128_GCM_SHA256
- TLS_CIPHER_SUITE_AES128_SHA
- TLS_CIPHER_SUITE_ECDHE_ECDSA_AES256_GCM_SHA384
- TLS_CIPHER_SUITE_ECDHE_RSA_AES256_GCM_SHA384
- TLS_CIPHER_SUITE_ECDHE_ECDSA_AES256_SHA
- TLS_CIPHER_SUITE_ECDHE_RSA_AES256_SHA
- TLS_CIPHER_SUITE_AES256_GCM_SHA384
format: int32
type: string
type: array
maxVersion:
enum:
- TLS_VERSION_AUTO
- TLS_VERSION_1_0
- TLS_VERSION_1_1
- TLS_VERSION_1_2
- TLS_VERSION_1_3
- TLS_VERSION_INVALID
- TLS_VERSION_UNSPECIFIED
format: int32
type: string
minVersion:
enum:
- TLS_VERSION_AUTO
- TLS_VERSION_1_0
- TLS_VERSION_1_1
- TLS_VERSION_1_2
- TLS_VERSION_1_3
- TLS_VERSION_INVALID
- TLS_VERSION_UNSPECIFIED
format: int32
type: string
type: object
type: object
type: object
minItems: 1
type: array
type: object
status:
properties:
addresses:
items:
properties:
type:
default: IPAddress
type: string
value:
type: string
required:
- type
- value
type: object
type: array
listeners:
items:
properties:
attachedRoutes:
format: int32
type: integer
name:
type: string
status:
properties:
conditions:
description: Conditions indicate the latest available observations
of a resource's current state.
items:
description: |-
Conditions define a readiness condition for a Consul resource.
See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties
properties:
lastTransitionTime:
description: LastTransitionTime is the last time the
condition transitioned from one status to another.
format: date-time
type: string
message:
description: A human readable message indicating details
about the transition.
type: string
reason:
description: The reason for the condition's last transition.
type: string
status:
description: Status of the condition, one of True,
False, Unknown.
type: string
type:
description: Type of condition.
type: string
required:
- status
- type
type: object
type: array
lastSyncedTime:
description: LastSyncedTime is the last time the resource
successfully synced with Consul.
format: date-time
type: string
type: object
required:
- attachedRoutes
- name
type: object
type: array
status:
properties:
conditions:
description: Conditions indicate the latest available observations
of a resource's current state.
items:
description: |-
Conditions define a readiness condition for a Consul resource.
See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties
properties:
lastTransitionTime:
description: LastTransitionTime is the last time the condition
transitioned from one status to another.
format: date-time
type: string
message:
description: A human readable message indicating details
about the transition.
type: string
reason:
description: The reason for the condition's last transition.
type: string
status:
description: Status of the condition, one of True, False,
Unknown.
type: string
type:
description: Type of condition.
type: string
required:
- status
- type
type: object
type: array
lastSyncedTime:
description: LastSyncedTime is the last time the resource successfully
synced with Consul.
format: date-time
type: string
type: object
type: object
type: object
served: true
storage: true
subresources:
status: {}
{{- end }}
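Review bot: The `protocol` field under `listeners` says it must be "http" or "tcp" but carries no `enum`, so the API server admits any string and a typo is only caught, if at all, by the controller; add `enum: [http, tcp]` so it fails at admission. Two smaller points in the same listener schema: `port` allows `minimum: 0`, which is not a bindable listener port, and the `cipherSuites`, `minVersion` and `maxVersion` entries pair `format: int32` with `type: string`, a controller-gen artifact of the enum's Go type that is not a meaningful constraint and should be dropped. Finally, because `minVersion`/`maxVersion` enumerate `TLS_VERSION_1_0` and `TLS_VERSION_1_1` and the suite list includes CBC, non-forward-secret suites such as `TLS_CIPHER_SUITE_AES128_SHA`, the schema itself will not stop a listener from being configured with legacy TLS; that is a matter for admission policy or review, but the chart docs should say so.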

View File

@ -0,0 +1,201 @@
{{- if .Values.connectInject.enabled }}
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
labels:
app: {{ template "consul.name" . }}
chart: {{ template "consul.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
component: crd
name: controlplanerequestlimits.consul.hashicorp.com
spec:
group: consul.hashicorp.com
names:
kind: ControlPlaneRequestLimit
listKind: ControlPlaneRequestLimitList
plural: controlplanerequestlimits
singular: controlplanerequestlimit
scope: Namespaced
versions:
- additionalPrinterColumns:
- description: The sync status of the resource with Consul
jsonPath: .status.conditions[?(@.type=="Synced")].status
name: Synced
type: string
- description: The age of the resource
jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v1alpha1
schema:
openAPIV3Schema:
description: ControlPlaneRequestLimit is the Schema for the controlplanerequestlimits
API.
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: ControlPlaneRequestLimitSpec defines the desired state of
ControlPlaneRequestLimit.
properties:
acl:
properties:
readRate:
type: number
writeRate:
type: number
type: object
catalog:
properties:
readRate:
type: number
writeRate:
type: number
type: object
configEntry:
properties:
readRate:
type: number
writeRate:
type: number
type: object
connectCA:
properties:
readRate:
type: number
writeRate:
type: number
type: object
coordinate:
properties:
readRate:
type: number
writeRate:
type: number
type: object
discoveryChain:
properties:
readRate:
type: number
writeRate:
type: number
type: object
health:
properties:
readRate:
type: number
writeRate:
type: number
type: object
intention:
properties:
readRate:
type: number
writeRate:
type: number
type: object
kv:
properties:
readRate:
type: number
writeRate:
type: number
type: object
mode:
type: string
preparedQuery:
properties:
readRate:
type: number
writeRate:
type: number
type: object
readRate:
type: number
session:
properties:
readRate:
type: number
writeRate:
type: number
type: object
tenancy:
properties:
readRate:
type: number
writeRate:
type: number
type: object
txn:
properties:
readRate:
type: number
writeRate:
type: number
type: object
writeRate:
type: number
type: object
status:
properties:
conditions:
description: Conditions indicate the latest available observations
of a resource's current state.
items:
description: |-
Conditions define a readiness condition for a Consul resource.
See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties
properties:
lastTransitionTime:
description: LastTransitionTime is the last time the condition
transitioned from one status to another.
format: date-time
type: string
message:
description: A human readable message indicating details about
the transition.
type: string
reason:
description: The reason for the condition's last transition.
type: string
status:
description: Status of the condition, one of True, False, Unknown.
type: string
type:
description: Type of condition.
type: string
required:
- status
- type
type: object
type: array
lastSyncedTime:
description: LastSyncedTime is the last time the resource successfully
synced with Consul.
format: date-time
type: string
type: object
type: object
served: true
storage: true
subresources:
status: {}
{{- end }}
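Review bot: `mode` in the spec is a bare `type: string` with neither a description nor an `enum`, while every other field at least has a type matching its meaning; if the accepted modes are a fixed set, enumerating them here would reject unknown values at admission instead of leaving them for the controller to interpret. The `readRate`/`writeRate` fields (top-level and per category) are also unbounded numbers, so negative rates are admitted; a `minimum: 0` on each would close that.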

View File

@ -0,0 +1,147 @@
{{- if .Values.connectInject.enabled }}
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
labels:
app: {{ template "consul.name" . }}
chart: {{ template "consul.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
component: crd
name: exportedservices.consul.hashicorp.com
spec:
group: consul.hashicorp.com
names:
kind: ExportedServices
listKind: ExportedServicesList
plural: exportedservices
shortNames:
- exported-services
singular: exportedservices
scope: Namespaced
versions:
- additionalPrinterColumns:
- description: The sync status of the resource with Consul
jsonPath: .status.conditions[?(@.type=="Synced")].status
name: Synced
type: string
- description: The last successful synced time of the resource with Consul
jsonPath: .status.lastSyncedTime
name: Last Synced
type: date
- description: The age of the resource
jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v1alpha1
schema:
openAPIV3Schema:
description: ExportedServices is the Schema for the exportedservices API
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: ExportedServicesSpec defines the desired state of ExportedServices.
properties:
services:
description: |-
Services is a list of services to be exported and the list of partitions
to expose them to.
items:
description: |-
ExportedService manages the exporting of a service in the local partition to
other partitions.
properties:
consumers:
description: Consumers is a list of downstream consumers of
the service to be exported.
items:
description: ServiceConsumer represents a downstream consumer
of the service to be exported.
properties:
partition:
description: Partition is the admin partition to export
the service to.
type: string
peer:
description: Peer is the name of the peer to export the
service to.
type: string
samenessGroup:
description: SamenessGroup is the name of the sameness
group to export the service to.
type: string
type: object
type: array
name:
description: Name is the name of the service to be exported.
type: string
namespace:
description: Namespace is the namespace to export the service
from.
type: string
type: object
type: array
type: object
status:
properties:
conditions:
description: Conditions indicate the latest available observations
of a resource's current state.
items:
description: |-
Conditions define a readiness condition for a Consul resource.
See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties
properties:
lastTransitionTime:
description: LastTransitionTime is the last time the condition
transitioned from one status to another.
format: date-time
type: string
message:
description: A human readable message indicating details about
the transition.
type: string
reason:
description: The reason for the condition's last transition.
type: string
status:
description: Status of the condition, one of True, False, Unknown.
type: string
type:
description: Type of condition.
type: string
required:
- status
- type
type: object
type: array
lastSyncedTime:
description: LastSyncedTime is the last time the resource successfully
synced with Consul.
format: date-time
type: string
type: object
type: object
served: true
storage: true
subresources:
status: {}
{{- end }}
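Review bot: Nothing in the `consumers` item schema requires `partition`, `peer` or `samenessGroup` to be set, and `name` under `services` is not in a `required` list either, so an entry such as `{consumers: [{}]}` is accepted at admission and only fails, if at all, in the controller. Adding `required: [name]` on the service item and a `oneOf` over the three consumer keys (each branch `required` on one key) would make the schema match the intent of the field descriptions.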

View File

@ -0,0 +1,114 @@
{{- if .Values.connectInject.enabled }}
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
labels:
app: {{ template "consul.name" . }}
chart: {{ template "consul.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
component: crd
name: exportedservices.multicluster.consul.hashicorp.com
spec:
group: multicluster.consul.hashicorp.com
names:
kind: ExportedServices
listKind: ExportedServicesList
plural: exportedservices
singular: exportedservices
scope: Namespaced
versions:
- additionalPrinterColumns:
- description: The sync status of the resource with Consul
jsonPath: .status.conditions[?(@.type=="Synced")].status
name: Synced
type: string
- description: The last successful synced time of the resource with Consul
jsonPath: .status.lastSyncedTime
name: Last Synced
type: date
- description: The age of the resource
jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v2
schema:
openAPIV3Schema:
description: ExportedServices is the Schema for the Exported Services API
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
properties:
consumers:
items:
type: object
x-kubernetes-preserve-unknown-fields: true
type: array
services:
items:
type: string
type: array
type: object
status:
properties:
conditions:
description: Conditions indicate the latest available observations
of a resource's current state.
items:
description: |-
Conditions define a readiness condition for a Consul resource.
See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties
properties:
lastTransitionTime:
description: LastTransitionTime is the last time the condition
transitioned from one status to another.
format: date-time
type: string
message:
description: A human readable message indicating details about
the transition.
type: string
reason:
description: The reason for the condition's last transition.
type: string
status:
description: Status of the condition, one of True, False, Unknown.
type: string
type:
description: Type of condition.
type: string
required:
- status
- type
type: object
type: array
lastSyncedTime:
description: LastSyncedTime is the last time the resource successfully
synced with Consul.
format: date-time
type: string
type: object
type: object
served: true
storage: true
subresources:
status: {}
{{- end }}
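Review bot: The v2 `consumers` item at the top of the spec is an opaque `type: object` with `x-kubernetes-preserve-unknown-fields: true`, so the API server validates nothing inside it; a misspelled key is stored as-is and the controller decides what happens. Compare the v1alpha1 `exportedservices.consul.hashicorp.com` CRD earlier in this commit, which spells out `partition`, `peer` and `samenessGroup` with descriptions; declaring the same properties here (even if unknown fields stay preserved for forward compatibility) would give `kubectl explain` and admission something to check. `services` items are likewise plain strings with no `pattern` or `minLength`.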

View File

@ -0,0 +1,232 @@
{{- if .Values.connectInject.enabled }}
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
labels:
app: {{ template "consul.name" . }}
chart: {{ template "consul.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
component: crd
name: gatewayclassconfigs.consul.hashicorp.com
spec:
group: consul.hashicorp.com
names:
kind: GatewayClassConfig
listKind: GatewayClassConfigList
plural: gatewayclassconfigs
singular: gatewayclassconfig
scope: Cluster
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
description: GatewayClassConfig defines the values that may be set on a GatewayClass
for Consul API Gateway.
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: Spec defines the desired state of GatewayClassConfig.
properties:
copyAnnotations:
description: Annotation Information to copy to services or deployments
properties:
service:
description: List of annotations to copy to the gateway service.
items:
type: string
type: array
type: object
deployment:
description: Deployment defines the deployment configuration for the
gateway.
properties:
defaultInstances:
default: 1
description: Number of gateway instances that should be deployed
by default
format: int32
maximum: 8
minimum: 1
type: integer
maxInstances:
default: 8
description: Max allowed number of gateway instances
format: int32
maximum: 8
minimum: 1
type: integer
minInstances:
default: 1
description: Minimum allowed number of gateway instances
format: int32
maximum: 8
minimum: 1
type: integer
resources:
description: Resources defines the resource requirements for the
gateway.
properties:
claims:
description: |-
Claims lists the names of resources, defined in spec.resourceClaims,
that are used by this container.
This is an alpha field and requires enabling the
DynamicResourceAllocation feature gate.
This field is immutable. It can only be set for containers.
items:
description: ResourceClaim references one entry in PodSpec.ResourceClaims.
properties:
name:
description: |-
Name must match the name of one entry in pod.spec.resourceClaims of
the Pod where this field is used. It makes that resource available
inside a container.
type: string
required:
- name
type: object
type: array
x-kubernetes-list-map-keys:
- name
x-kubernetes-list-type: map
limits:
additionalProperties:
anyOf:
- type: integer
- type: string
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
description: |-
Limits describes the maximum amount of compute resources allowed.
More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
type: object
requests:
additionalProperties:
anyOf:
- type: integer
- type: string
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
description: |-
Requests describes the minimum amount of compute resources required.
If Requests is omitted for a container, it defaults to Limits if that is explicitly specified,
otherwise to an implementation-defined value. Requests cannot exceed Limits.
More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
type: object
type: object
type: object
mapPrivilegedContainerPorts:
description: The value to add to privileged ports ( ports < 1024)
for gateway containers
format: int32
type: integer
metrics:
description: Metrics defines how to configure the metrics for a gateway.
properties:
enabled:
description: |-
Enable metrics for this class of gateways. If unspecified, will inherit
behavior from the global Helm configuration.
type: boolean
path:
description: The path used for metrics.
type: string
port:
description: The port used for metrics.
format: int32
maximum: 65535
minimum: 1024
type: integer
type: object
nodeSelector:
additionalProperties:
type: string
description: |-
NodeSelector is a selector which must be true for the pod to fit on a node.
Selector which must match a node's labels for the pod to be scheduled on that node.
More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
type: object
openshiftSCCName:
description: The name of the OpenShift SecurityContextConstraints
resource for this gateway class to use.
type: string
podSecurityPolicy:
description: The name of an existing Kubernetes PodSecurityPolicy
to bind to the managed ServiceAccount if ACLs are managed.
type: string
serviceType:
description: Service Type string describes ingress methods for a service
enum:
- ClusterIP
- NodePort
- LoadBalancer
type: string
tolerations:
description: |-
Tolerations allow the scheduler to schedule nodes with matching taints.
More Info: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/
items:
description: |-
The pod this Toleration is attached to tolerates any taint that matches
the triple <key,value,effect> using the matching operator <operator>.
properties:
effect:
description: |-
Effect indicates the taint effect to match. Empty means match all taint effects.
When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
type: string
key:
description: |-
Key is the taint key that the toleration applies to. Empty means match all taint keys.
If the key is empty, operator must be Exists; this combination means to match all values and all keys.
type: string
operator:
description: |-
Operator represents a key's relationship to the value.
Valid operators are Exists and Equal. Defaults to Equal.
Exists is equivalent to wildcard for value, so that a pod can
tolerate all taints of a particular category.
type: string
tolerationSeconds:
description: |-
TolerationSeconds represents the period of time the toleration (which must be
of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default,
it is not set, which means tolerate the taint forever (do not evict). Zero and
negative values will be treated as 0 (evict immediately) by the system.
format: int64
type: integer
value:
description: |-
Value is the taint value the toleration matches to.
If the operator is Exists, the value should be empty, otherwise just a regular string.
type: string
type: object
type: array
type: object
type: object
served: true
storage: true
{{- end }}
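Review bot: `defaultInstances`, `minInstances` and `maxInstances` are each bounded to 1..8 but nothing ties them together, so `minInstances: 5` with `maxInstances: 2`, or `defaultInstances: 8` with `maxInstances: 1`, is admitted and the controller has to resolve the contradiction; on clusters that support CEL validation rules, an `x-kubernetes-validations` rule on `deployment` (`self.minInstances <= self.defaultInstances && self.defaultInstances <= self.maxInstances`) would reject it at admission. `mapPrivilegedContainerPorts` likewise has no `minimum`/`maximum`, so an offset that pushes a port above 65535 is accepted. Separately, `podSecurityPolicy` refers to a PodSecurityPolicy, an API that was removed in Kubernetes 1.25; the description should say the field is ignored there or the field should be marked deprecated.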

File diff suppressed because it is too large

View File

@ -0,0 +1,328 @@
{{- if and .Values.connectInject.enabled .Values.connectInject.apiGateway.manageExternalCRDs }}
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/1538
gateway.networking.k8s.io/bundle-version: v0.6.2
gateway.networking.k8s.io/channel: experimental
creationTimestamp: null
labels:
app: {{ template "consul.name" . }}
chart: {{ template "consul.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
component: crd
name: gatewayclasses.gateway.networking.k8s.io
spec:
group: gateway.networking.k8s.io
names:
categories:
- gateway-api
kind: GatewayClass
listKind: GatewayClassList
plural: gatewayclasses
shortNames:
- gc
singular: gatewayclass
scope: Cluster
versions:
- additionalPrinterColumns:
- jsonPath: .spec.controllerName
name: Controller
type: string
- jsonPath: .status.conditions[?(@.type=="Accepted")].status
name: Accepted
type: string
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
- jsonPath: .spec.description
name: Description
priority: 1
type: string
deprecated: true
deprecationWarning: The v1alpha2 version of GatewayClass has been deprecated and will be removed in a future release of the API. Please upgrade to v1beta1.
name: v1alpha2
schema:
openAPIV3Schema:
description: "GatewayClass describes a class of Gateways available to the user for creating Gateway resources. \n It is recommended that this resource be used as a template for Gateways. This means that a Gateway is based on the state of the GatewayClass at the time it was created and changes to the GatewayClass or associated parameters are not propagated down to existing Gateways. This recommendation is intended to limit the blast radius of changes to GatewayClass or associated parameters. If implementations choose to propagate GatewayClass changes to existing Gateways, that MUST be clearly documented by the implementation. \n Whenever one or more Gateways are using a GatewayClass, implementations MUST add the `gateway-exists-finalizer.gateway.networking.k8s.io` finalizer on the associated GatewayClass. This ensures that a GatewayClass associated with a Gateway is not deleted while in use. \n GatewayClass is a Cluster level resource."
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: Spec defines the desired state of GatewayClass.
properties:
controllerName:
description: "ControllerName is the name of the controller that is managing Gateways of this class. The value of this field MUST be a domain prefixed path. \n Example: \"example.net/gateway-controller\". \n This field is not mutable and cannot be empty. \n Support: Core"
maxLength: 253
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$
type: string
description:
description: Description helps describe a GatewayClass with more details.
maxLength: 64
type: string
parametersRef:
description: "ParametersRef is a reference to a resource that contains the configuration parameters corresponding to the GatewayClass. This is optional if the controller does not require any additional configuration. \n ParametersRef can reference a standard Kubernetes resource, i.e. ConfigMap, or an implementation-specific custom resource. The resource can be cluster-scoped or namespace-scoped. \n If the referent cannot be found, the GatewayClass's \"InvalidParameters\" status condition will be true. \n Support: Implementation-specific"
properties:
group:
description: Group is the group of the referent.
maxLength: 253
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
kind:
description: Kind is kind of the referent.
maxLength: 63
minLength: 1
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
type: string
name:
description: Name is the name of the referent.
maxLength: 253
minLength: 1
type: string
namespace:
description: Namespace is the namespace of the referent. This field is required when referring to a Namespace-scoped resource and MUST be unset when referring to a Cluster-scoped resource.
maxLength: 63
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
required:
- group
- kind
- name
type: object
required:
- controllerName
type: object
status:
default:
conditions:
- lastTransitionTime: "1970-01-01T00:00:00Z"
message: Waiting for controller
reason: Waiting
status: Unknown
type: Accepted
description: Status defines the current state of GatewayClass.
properties:
conditions:
default:
- lastTransitionTime: "1970-01-01T00:00:00Z"
message: Waiting for controller
reason: Pending
status: Unknown
type: Accepted
description: "Conditions is the current status from the controller for this GatewayClass. \n Controllers should prefer to publish conditions using values of GatewayClassConditionType for the type of each Condition."
items:
description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n \ttype FooStatus struct{ \t // Represents the observations of a foo's current state. \t // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" \t // +patchMergeKey=type \t // +patchStrategy=merge \t // +listType=map \t // +listMapKey=type \t Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n \t // other fields \t}"
properties:
lastTransitionTime:
description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
format: date-time
type: string
message:
description: message is a human readable message indicating details about the transition. This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.
format: int64
minimum: 0
type: integer
reason:
description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
type: string
status:
description: status of the condition, one of True, False, Unknown.
enum:
- "True"
- "False"
- Unknown
type: string
type:
description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
- lastTransitionTime
- message
- reason
- status
- type
type: object
maxItems: 8
type: array
x-kubernetes-list-map-keys:
- type
x-kubernetes-list-type: map
type: object
required:
- spec
type: object
served: true
storage: false
subresources:
status: {}
- additionalPrinterColumns:
- jsonPath: .spec.controllerName
name: Controller
type: string
- jsonPath: .status.conditions[?(@.type=="Accepted")].status
name: Accepted
type: string
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
- jsonPath: .spec.description
name: Description
priority: 1
type: string
name: v1beta1
schema:
openAPIV3Schema:
description: "GatewayClass describes a class of Gateways available to the user for creating Gateway resources. \n It is recommended that this resource be used as a template for Gateways. This means that a Gateway is based on the state of the GatewayClass at the time it was created and changes to the GatewayClass or associated parameters are not propagated down to existing Gateways. This recommendation is intended to limit the blast radius of changes to GatewayClass or associated parameters. If implementations choose to propagate GatewayClass changes to existing Gateways, that MUST be clearly documented by the implementation. \n Whenever one or more Gateways are using a GatewayClass, implementations MUST add the `gateway-exists-finalizer.gateway.networking.k8s.io` finalizer on the associated GatewayClass. This ensures that a GatewayClass associated with a Gateway is not deleted while in use. \n GatewayClass is a Cluster level resource."
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: Spec defines the desired state of GatewayClass.
properties:
controllerName:
description: "ControllerName is the name of the controller that is managing Gateways of this class. The value of this field MUST be a domain prefixed path. \n Example: \"example.net/gateway-controller\". \n This field is not mutable and cannot be empty. \n Support: Core"
maxLength: 253
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$
type: string
description:
description: Description helps describe a GatewayClass with more details.
maxLength: 64
type: string
parametersRef:
description: "ParametersRef is a reference to a resource that contains the configuration parameters corresponding to the GatewayClass. This is optional if the controller does not require any additional configuration. \n ParametersRef can reference a standard Kubernetes resource, i.e. ConfigMap, or an implementation-specific custom resource. The resource can be cluster-scoped or namespace-scoped. \n If the referent cannot be found, the GatewayClass's \"InvalidParameters\" status condition will be true. \n Support: Implementation-specific"
properties:
group:
description: Group is the group of the referent.
maxLength: 253
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
kind:
description: Kind is kind of the referent.
maxLength: 63
minLength: 1
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
type: string
name:
description: Name is the name of the referent.
maxLength: 253
minLength: 1
type: string
namespace:
description: Namespace is the namespace of the referent. This field is required when referring to a Namespace-scoped resource and MUST be unset when referring to a Cluster-scoped resource.
maxLength: 63
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
required:
- group
- kind
- name
type: object
required:
- controllerName
type: object
status:
default:
conditions:
- lastTransitionTime: "1970-01-01T00:00:00Z"
message: Waiting for controller
reason: Waiting
status: Unknown
type: Accepted
description: Status defines the current state of GatewayClass.
properties:
conditions:
default:
- lastTransitionTime: "1970-01-01T00:00:00Z"
message: Waiting for controller
reason: Pending
status: Unknown
type: Accepted
description: "Conditions is the current status from the controller for this GatewayClass. \n Controllers should prefer to publish conditions using values of GatewayClassConditionType for the type of each Condition."
items:
description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n \ttype FooStatus struct{ \t // Represents the observations of a foo's current state. \t // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" \t // +patchMergeKey=type \t // +patchStrategy=merge \t // +listType=map \t // +listMapKey=type \t Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n \t // other fields \t}"
properties:
lastTransitionTime:
description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
format: date-time
type: string
message:
description: message is a human readable message indicating details about the transition. This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.
format: int64
minimum: 0
type: integer
reason:
description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
type: string
status:
description: status of the condition, one of True, False, Unknown.
enum:
- "True"
- "False"
- Unknown
type: string
type:
description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
- lastTransitionTime
- message
- reason
- status
- type
type: object
maxItems: 8
type: array
x-kubernetes-list-map-keys:
- type
x-kubernetes-list-type: map
type: object
required:
- spec
type: object
served: true
storage: true
subresources:
status: {}
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []
{{- end }}
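Review bot: the two status defaults in the v1beta1 schema disagree on the initial `reason`: the object-level default under `status:` sets `reason: Waiting`, while the field-level default under `status.properties.conditions` sets `reason: Pending`, with the same `type: Accepted`, `status: Unknown` and `message: Waiting for controller` in both. Whichever default the API server applies first wins, so a freshly created GatewayClass can report either reason until the controller overwrites it, which makes `reason`-based alerting or kubectl filtering unreliable. If this file is a verbatim copy of the upstream gateway-api bundle, carry the fix upstream rather than hand-patching the chart; otherwise align both blocks on one value (`Pending` is the one the conditions default already uses).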


@ -0,0 +1,130 @@
{{- if .Values.connectInject.enabled }}
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
labels:
app: {{ template "consul.name" . }}
chart: {{ template "consul.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
component: crd
name: gatewayclasses.mesh.consul.hashicorp.com
spec:
group: mesh.consul.hashicorp.com
names:
kind: GatewayClass
listKind: GatewayClassList
plural: gatewayclasses
singular: gatewayclass
scope: Cluster
versions:
- additionalPrinterColumns:
- description: The age of the resource
jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v2beta1
schema:
openAPIV3Schema:
description: GatewayClass is the Schema for the Gateway Class API
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
properties:
controllerName:
description: |-
ControllerName is the name of the Kubernetes controller
that manages Gateways of this class
type: string
description:
description: Description of GatewayClass
type: string
parametersRef:
description: |-
ParametersRef refers to a resource responsible for configuring
the behavior of the GatewayClass.
properties:
group:
description: The Kubernetes Group that the referred object belongs
to
type: string
kind:
description: The Kubernetes Kind that the referred object is
type: string
name:
description: The Name of the referred object
type: string
namespace:
description: The kubernetes namespace that the referred object
is in
type: string
required:
- name
type: object
required:
- controllerName
- parametersRef
type: object
status:
properties:
conditions:
description: Conditions indicate the latest available observations
of a resource's current state.
items:
description: |-
Conditions define a readiness condition for a Consul resource.
See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties
properties:
lastTransitionTime:
description: LastTransitionTime is the last time the condition
transitioned from one status to another.
format: date-time
type: string
message:
description: A human readable message indicating details about
the transition.
type: string
reason:
description: The reason for the condition's last transition.
type: string
status:
description: Status of the condition, one of True, False, Unknown.
type: string
type:
description: Type of condition.
type: string
required:
- status
- type
type: object
type: array
lastSyncedTime:
description: LastSyncedTime is the last time the resource successfully
synced with Consul.
format: date-time
type: string
type: object
type: object
served: true
storage: true
subresources:
status: {}
{{- end }}
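Review bot: the `status.conditions` schema in this mesh.consul.hashicorp.com GatewayClass is much looser than the gateway-api GatewayClass added in the same commit, and the gaps are the ones that matter for anything consuming status. `status` is described as "one of True, False, Unknown" but carries no `enum`, so any string validates; `message` and `reason` have no `maxLength`; `lastTransitionTime` is not in `required`; and `conditions` is a plain array with no `x-kubernetes-list-type: map` / `x-kubernetes-list-map-keys: [type]`, so server-side apply merges conditions by index rather than by type. On the spec side, `controllerName` is required but has no `minLength`, so `controllerName: ""` is accepted at admission and only fails in the controller. Suggest copying the constraints the sibling CRD already uses, e.g. `enum: ["True", "False", "Unknown"]` on `status`, `maxLength: 32768` on `message`, and `minLength: 1` on `controllerName`.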


@ -0,0 +1,302 @@
{{- if .Values.connectInject.enabled }}
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
labels:
app: {{ template "consul.name" . }}
chart: {{ template "consul.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
component: crd
name: gatewaypolicies.consul.hashicorp.com
spec:
group: consul.hashicorp.com
names:
kind: GatewayPolicy
listKind: GatewayPolicyList
plural: gatewaypolicies
singular: gatewaypolicy
scope: Namespaced
versions:
- additionalPrinterColumns:
- description: The sync status of the resource with Consul
jsonPath: .status.conditions[?(@.type=="Synced")].status
name: Synced
type: string
- description: The last successful synced time of the resource with Consul
jsonPath: .status.lastSyncedTime
name: Last Synced
type: date
- description: The age of the resource
jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v1alpha1
schema:
openAPIV3Schema:
description: GatewayPolicy is the Schema for the gatewaypolicies API.
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: GatewayPolicySpec defines the desired state of GatewayPolicy.
properties:
default:
properties:
jwt:
description: GatewayJWTRequirement holds the list of JWT providers
to be verified against.
properties:
providers:
description: Providers is a list of providers to consider
when verifying a JWT.
items:
description: GatewayJWTProvider holds the provider and claim
verification information.
properties:
name:
description: |-
Name is the name of the JWT provider. There MUST be a corresponding
"jwt-provider" config entry with this name.
type: string
verifyClaims:
description: VerifyClaims is a list of additional claims
to verify in a JWT's payload.
items:
description: GatewayJWTClaimVerification holds the
actual claim information to be verified.
properties:
path:
description: Path is the path to the claim in
the token JSON.
items:
type: string
type: array
value:
description: |-
Value is the expected value at the given path:
- If the type at the path is a list then we verify
that this value is contained in the list.
- If the type at the path is a string then we verify
that this value matches.
type: string
required:
- path
- value
type: object
type: array
required:
- name
type: object
type: array
required:
- providers
type: object
type: object
override:
properties:
jwt:
description: GatewayJWTRequirement holds the list of JWT providers
to be verified against.
properties:
providers:
description: Providers is a list of providers to consider
when verifying a JWT.
items:
description: GatewayJWTProvider holds the provider and claim
verification information.
properties:
name:
description: |-
Name is the name of the JWT provider. There MUST be a corresponding
"jwt-provider" config entry with this name.
type: string
verifyClaims:
description: VerifyClaims is a list of additional claims
to verify in a JWT's payload.
items:
description: GatewayJWTClaimVerification holds the
actual claim information to be verified.
properties:
path:
description: Path is the path to the claim in
the token JSON.
items:
type: string
type: array
value:
description: |-
Value is the expected value at the given path:
- If the type at the path is a list then we verify
that this value is contained in the list.
- If the type at the path is a string then we verify
that this value matches.
type: string
required:
- path
- value
type: object
type: array
required:
- name
type: object
type: array
required:
- providers
type: object
type: object
targetRef:
description: TargetRef identifies an API object to apply policy to.
properties:
group:
description: Group is the group of the target resource.
maxLength: 253
minLength: 1
type: string
kind:
description: Kind is kind of the target resource.
maxLength: 253
minLength: 1
type: string
name:
description: Name is the name of the target resource.
maxLength: 253
minLength: 1
type: string
namespace:
description: |-
Namespace is the namespace of the referent. When unspecified, the local
namespace is inferred. Even when policy targets a resource in a different
namespace, it may only apply to traffic originating from the same
namespace as the policy.
maxLength: 253
minLength: 1
type: string
sectionName:
description: SectionName refers to the listener targeted by this
policy.
maxLength: 253
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
required:
- group
- kind
- name
type: object
required:
- targetRef
type: object
status:
description: GatewayPolicyStatus defines the observed state of the gateway.
properties:
conditions:
description: |-
Conditions describe the current conditions of the Policy.
Known condition types are:
* "Accepted"
* "ResolvedRefs"
items:
description: "Condition contains details for one aspect of the current
state of this API Resource.\n---\nThis struct is intended for
direct use as an array at the field path .status.conditions. For
example,\n\n\n\ttype FooStatus struct{\n\t // Represents the
observations of a foo's current state.\n\t // Known .status.conditions.type
are: \"Available\", \"Progressing\", and \"Degraded\"\n\t //
+patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t
\ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\"
patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t
\ // other fields\n\t}"
properties:
lastTransitionTime:
description: |-
lastTransitionTime is the last time the condition transitioned from one status to another.
This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
format: date-time
type: string
message:
description: |-
message is a human readable message indicating details about the transition.
This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
description: |-
observedGeneration represents the .metadata.generation that the condition was set based upon.
For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
with respect to the current state of the instance.
format: int64
minimum: 0
type: integer
reason:
description: |-
reason contains a programmatic identifier indicating the reason for the condition's last transition.
Producers of specific condition types may define expected values and meanings for this field,
and whether the values are considered a guaranteed API.
The value should be a CamelCase string.
This field may not be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
type: string
status:
description: status of the condition, one of True, False, Unknown.
enum:
- "True"
- "False"
- Unknown
type: string
type:
description: |-
type of condition in CamelCase or in foo.example.com/CamelCase.
---
Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
useful (see .node.status.conditions), the ability to deconflict is important.
The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
- lastTransitionTime
- message
- reason
- status
- type
type: object
maxItems: 8
type: array
x-kubernetes-list-map-keys:
- type
x-kubernetes-list-type: map
type: object
type: object
served: true
storage: true
subresources:
status: {}
{{- end }}
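Review bot: the JWT requirement schema marks fields as required without bounding them, so a policy that is syntactically valid can still be semantically empty and only fail (or silently do nothing) at reconcile time instead of at admission. Under both `default.jwt` and `override.jwt`, `providers` is `required` but has no `minItems`, so `providers: []` validates; each provider's `name` has no `minLength`, so `name: ""` validates even though the description says a matching `jwt-provider` config entry MUST exist; and in `verifyClaims`, `path` is required but has no `minItems` and its string items no `minLength`, while `value` has no `minLength`, so a claim check of `path: []` with `value: ""` validates. For an authorization policy the safer failure mode is rejection at the API server, so suggest `minItems: 1` on `providers` and `path`, and `minLength: 1` on `name`, the `path` items and `value`. Separately, `targetRef.group` and `targetRef.kind` accept any string up to 253 characters while `sectionName` has a DNS-label pattern; a `pattern` on `group`/`kind` matching the one used by the gateway-api CRDs in this commit would keep the two consistent.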


@ -0,0 +1,882 @@
{{- if and .Values.connectInject.enabled .Values.connectInject.apiGateway.manageExternalCRDs }}
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/1538
gateway.networking.k8s.io/bundle-version: v0.6.2
gateway.networking.k8s.io/channel: experimental
creationTimestamp: null
labels:
app: {{ template "consul.name" . }}
chart: {{ template "consul.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
component: crd
name: gateways.gateway.networking.k8s.io
spec:
group: gateway.networking.k8s.io
names:
categories:
- gateway-api
kind: Gateway
listKind: GatewayList
plural: gateways
shortNames:
- gtw
singular: gateway
scope: Namespaced
versions:
- additionalPrinterColumns:
- jsonPath: .spec.gatewayClassName
name: Class
type: string
- jsonPath: .status.addresses[*].value
name: Address
type: string
- jsonPath: .status.conditions[?(@.type=="Programmed")].status
name: Programmed
type: string
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
deprecated: true
deprecationWarning: The v1alpha2 version of Gateway has been deprecated and will be removed in a future release of the API. Please upgrade to v1beta1.
name: v1alpha2
schema:
openAPIV3Schema:
description: Gateway represents an instance of a service-traffic handling infrastructure by binding Listeners to a set of IP addresses.
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: Spec defines the desired state of Gateway.
properties:
addresses:
description: "Addresses requested for this Gateway. This is optional and behavior can depend on the implementation. If a value is set in the spec and the requested address is invalid or unavailable, the implementation MUST indicate this in the associated entry in GatewayStatus.Addresses. \n The Addresses field represents a request for the address(es) on the \"outside of the Gateway\", that traffic bound for this Gateway will use. This could be the IP address or hostname of an external load balancer or other networking infrastructure, or some other address that traffic will be sent to. \n The .listener.hostname field is used to route traffic that has already arrived at the Gateway to the correct in-cluster destination. \n If no Addresses are specified, the implementation MAY schedule the Gateway in an implementation-specific manner, assigning an appropriate set of Addresses. \n The implementation MUST bind all Listeners to every GatewayAddress that it assigns to the Gateway and add a corresponding entry in GatewayStatus.Addresses. \n Support: Extended"
items:
description: GatewayAddress describes an address that can be bound to a Gateway.
properties:
type:
default: IPAddress
description: Type of the address.
maxLength: 253
minLength: 1
pattern: ^Hostname|IPAddress|NamedAddress|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$
type: string
value:
description: "Value of the address. The validity of the values will depend on the type and support by the controller. \n Examples: `1.2.3.4`, `128::1`, `my-ip-address`."
maxLength: 253
minLength: 1
type: string
required:
- value
type: object
maxItems: 16
type: array
gatewayClassName:
description: GatewayClassName used for this Gateway. This is the name of a GatewayClass resource.
maxLength: 253
minLength: 1
type: string
listeners:
description: "Listeners associated with this Gateway. Listeners define logical endpoints that are bound on this Gateway's addresses. At least one Listener MUST be specified. \n Each listener in a Gateway must have a unique combination of Hostname, Port, and Protocol. \n An implementation MAY group Listeners by Port and then collapse each group of Listeners into a single Listener if the implementation determines that the Listeners in the group are \"compatible\". An implementation MAY also group together and collapse compatible Listeners belonging to different Gateways. \n For example, an implementation might consider Listeners to be compatible with each other if all of the following conditions are met: \n 1. Either each Listener within the group specifies the \"HTTP\" Protocol or each Listener within the group specifies either the \"HTTPS\" or \"TLS\" Protocol. \n 2. Each Listener within the group specifies a Hostname that is unique within the group. \n 3. As a special case, one Listener within a group may omit Hostname, in which case this Listener matches when no other Listener matches. \n If the implementation does collapse compatible Listeners, the hostname provided in the incoming client request MUST be matched to a Listener to find the correct set of Routes. The incoming hostname MUST be matched using the Hostname field for each Listener in order of most to least specific. That is, exact matches must be processed before wildcard matches. \n If this field specifies multiple Listeners that have the same Port value but are not compatible, the implementation must raise a \"Conflicted\" condition in the Listener status. \n Support: Core"
items:
description: Listener embodies the concept of a logical endpoint where a Gateway accepts network connections.
properties:
allowedRoutes:
default:
namespaces:
from: Same
description: "AllowedRoutes defines the types of routes that MAY be attached to a Listener and the trusted namespaces where those Route resources MAY be present. \n Although a client request may match multiple route rules, only one rule may ultimately receive the request. Matching precedence MUST be determined in order of the following criteria: \n * The most specific match as defined by the Route type. * The oldest Route based on creation timestamp. For example, a Route with a creation timestamp of \"2020-09-08 01:02:03\" is given precedence over a Route with a creation timestamp of \"2020-09-08 01:02:04\". * If everything else is equivalent, the Route appearing first in alphabetical order (namespace/name) should be given precedence. For example, foo/bar is given precedence over foo/baz. \n All valid rules within a Route attached to this Listener should be implemented. Invalid Route rules can be ignored (sometimes that will mean the full Route). If a Route rule transitions from valid to invalid, support for that Route rule should be dropped to ensure consistency. For example, even if a filter specified by a Route rule is invalid, the rest of the rules within that Route should still be supported. \n Support: Core"
properties:
kinds:
description: "Kinds specifies the groups and kinds of Routes that are allowed to bind to this Gateway Listener. When unspecified or empty, the kinds of Routes selected are determined using the Listener protocol. \n A RouteGroupKind MUST correspond to kinds of Routes that are compatible with the application protocol specified in the Listener's Protocol field. If an implementation does not support or recognize this resource type, it MUST set the \"ResolvedRefs\" condition to False for this Listener with the \"InvalidRouteKinds\" reason. \n Support: Core"
items:
description: RouteGroupKind indicates the group and kind of a Route resource.
properties:
group:
default: gateway.networking.k8s.io
description: Group is the group of the Route.
maxLength: 253
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
kind:
description: Kind is the kind of the Route.
maxLength: 63
minLength: 1
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
type: string
required:
- kind
type: object
maxItems: 8
type: array
namespaces:
default:
from: Same
description: "Namespaces indicates namespaces from which Routes may be attached to this Listener. This is restricted to the namespace of this Gateway by default. \n Support: Core"
properties:
from:
default: Same
description: "From indicates where Routes will be selected for this Gateway. Possible values are: * All: Routes in all namespaces may be used by this Gateway. * Selector: Routes in namespaces selected by the selector may be used by this Gateway. * Same: Only Routes in the same namespace may be used by this Gateway. \n Support: Core"
enum:
- All
- Selector
- Same
type: string
selector:
description: "Selector must be specified when From is set to \"Selector\". In that case, only Routes in Namespaces matching this Selector will be selected by this Gateway. This field is ignored for other values of \"From\". \n Support: Core"
properties:
matchExpressions:
description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
items:
description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
properties:
key:
description: key is the label key that the selector applies to.
type: string
operator:
description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
type: object
type: object
hostname:
description: "Hostname specifies the virtual hostname to match for protocol types that define this concept. When unspecified, all hostnames are matched. This field is ignored for protocols that don't require hostname based matching. \n Implementations MUST apply Hostname matching appropriately for each of the following protocols: \n * TLS: The Listener Hostname MUST match the SNI. * HTTP: The Listener Hostname MUST match the Host header of the request. * HTTPS: The Listener Hostname SHOULD match at both the TLS and HTTP protocol layers as described above. If an implementation does not ensure that both the SNI and Host header match the Listener hostname, it MUST clearly document that. \n For HTTPRoute and TLSRoute resources, there is an interaction with the `spec.hostnames` array. When both listener and route specify hostnames, there MUST be an intersection between the values for a Route to be accepted. For more information, refer to the Route specific Hostnames documentation. \n Hostnames that are prefixed with a wildcard label (`*.`) are interpreted as a suffix match. That means that a match for `*.example.com` would match both `test.example.com`, and `foo.test.example.com`, but not `example.com`. \n Support: Core"
maxLength: 253
minLength: 1
pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
name:
description: "Name is the name of the Listener. This name MUST be unique within a Gateway. \n Support: Core"
maxLength: 253
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
port:
description: "Port is the network port. Multiple listeners may use the same port, subject to the Listener compatibility rules. \n Support: Core"
format: int32
maximum: 65535
minimum: 1
type: integer
protocol:
description: "Protocol specifies the network protocol this listener expects to receive. \n Support: Core"
maxLength: 255
minLength: 1
pattern: ^[a-zA-Z0-9]([-a-zSA-Z0-9]*[a-zA-Z0-9])?$|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9]+$
type: string
tls:
description: "TLS is the TLS configuration for the Listener. This field is required if the Protocol field is \"HTTPS\" or \"TLS\". It is invalid to set this field if the Protocol field is \"HTTP\", \"TCP\", or \"UDP\". \n The association of SNIs to Certificate defined in GatewayTLSConfig is defined based on the Hostname field for this listener. \n The GatewayClass MUST use the longest matching SNI out of all available certificates for any TLS handshake. \n Support: Core"
properties:
certificateRefs:
description: "CertificateRefs contains a series of references to Kubernetes objects that contains TLS certificates and private keys. These certificates are used to establish a TLS handshake for requests that match the hostname of the associated listener. \n A single CertificateRef to a Kubernetes Secret has \"Core\" support. Implementations MAY choose to support attaching multiple certificates to a Listener, but this behavior is implementation-specific. \n References to a resource in different namespace are invalid UNLESS there is a ReferenceGrant in the target namespace that allows the certificate to be attached. If a ReferenceGrant does not allow this reference, the \"ResolvedRefs\" condition MUST be set to False for this listener with the \"RefNotPermitted\" reason. \n This field is required to have at least one element when the mode is set to \"Terminate\" (default) and is optional otherwise. \n CertificateRefs can reference to standard Kubernetes resources, i.e. Secret, or implementation-specific custom resources. \n Support: Core - A single reference to a Kubernetes Secret of type kubernetes.io/tls \n Support: Implementation-specific (More than one reference or other resource types)"
items:
description: "SecretObjectReference identifies an API object including its namespace, defaulting to Secret. \n The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid. \n References to objects with invalid Group and Kind are not valid, and must be rejected by the implementation, with appropriate Conditions set on the containing object."
properties:
group:
default: ""
description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred.
maxLength: 253
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
kind:
default: Secret
description: Kind is kind of the referent. For example "HTTPRoute" or "Service".
maxLength: 63
minLength: 1
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
type: string
name:
description: Name is the name of the referent.
maxLength: 253
minLength: 1
type: string
namespace:
description: "Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. \n Support: Core"
maxLength: 63
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
required:
- name
type: object
maxItems: 64
type: array
mode:
default: Terminate
description: "Mode defines the TLS behavior for the TLS session initiated by the client. There are two possible modes: \n - Terminate: The TLS session between the downstream client and the Gateway is terminated at the Gateway. This mode requires certificateRefs to be set and contain at least one element. - Passthrough: The TLS session is NOT terminated by the Gateway. This implies that the Gateway can't decipher the TLS stream except for the ClientHello message of the TLS protocol. CertificateRefs field is ignored in this mode. \n Support: Core"
enum:
- Terminate
- Passthrough
type: string
options:
additionalProperties:
description: AnnotationValue is the value of an annotation in Gateway API. This is used for validation of maps such as TLS options. This roughly matches Kubernetes annotation validation, although the length validation in that case is based on the entire size of the annotations struct.
maxLength: 4096
minLength: 0
type: string
description: "Options are a list of key/value pairs to enable extended TLS configuration for each implementation. For example, configuring the minimum TLS version or supported cipher suites. \n A set of common keys MAY be defined by the API in the future. To avoid any ambiguity, implementation-specific definitions MUST use domain-prefixed names, such as `example.com/my-custom-option`. Un-prefixed names are reserved for key names defined by Gateway API. \n Support: Implementation-specific"
maxProperties: 16
type: object
type: object
required:
- name
- port
- protocol
type: object
maxItems: 64
minItems: 1
type: array
x-kubernetes-list-map-keys:
- name
x-kubernetes-list-type: map
required:
- gatewayClassName
- listeners
type: object
status:
default:
conditions:
- lastTransitionTime: "1970-01-01T00:00:00Z"
message: Waiting for controller
reason: NotReconciled
status: Unknown
type: Accepted
description: Status defines the current state of Gateway.
properties:
addresses:
description: Addresses lists the IP addresses that have actually been bound to the Gateway. These addresses may differ from the addresses in the Spec, e.g. if the Gateway automatically assigns an address from a reserved pool.
items:
description: GatewayAddress describes an address that can be bound to a Gateway.
properties:
type:
default: IPAddress
description: Type of the address.
maxLength: 253
minLength: 1
pattern: ^Hostname|IPAddress|NamedAddress|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$
type: string
value:
description: "Value of the address. The validity of the values will depend on the type and support by the controller. \n Examples: `1.2.3.4`, `128::1`, `my-ip-address`."
maxLength: 253
minLength: 1
type: string
required:
- value
type: object
maxItems: 16
type: array
conditions:
default:
- lastTransitionTime: "1970-01-01T00:00:00Z"
message: Waiting for controller
reason: Pending
status: Unknown
type: Accepted
- lastTransitionTime: "1970-01-01T00:00:00Z"
message: Waiting for controller
reason: Pending
status: Unknown
type: Programmed
description: "Conditions describe the current conditions of the Gateway. \n Implementations should prefer to express Gateway conditions using the `GatewayConditionType` and `GatewayConditionReason` constants so that operators and tools can converge on a common vocabulary to describe Gateway state. \n Known condition types are: \n * \"Accepted\" * \"Ready\""
items:
description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n \ttype FooStatus struct{ \t // Represents the observations of a foo's current state. \t // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" \t // +patchMergeKey=type \t // +patchStrategy=merge \t // +listType=map \t // +listMapKey=type \t Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n \t // other fields \t}"
properties:
lastTransitionTime:
description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
format: date-time
type: string
message:
description: message is a human readable message indicating details about the transition. This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.
format: int64
minimum: 0
type: integer
reason:
description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
type: string
status:
description: status of the condition, one of True, False, Unknown.
enum:
- "True"
- "False"
- Unknown
type: string
type:
description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
- lastTransitionTime
- message
- reason
- status
- type
type: object
maxItems: 8
type: array
x-kubernetes-list-map-keys:
- type
x-kubernetes-list-type: map
listeners:
description: Listeners provide status for each unique listener port defined in the Spec.
items:
description: ListenerStatus is the status associated with a Listener.
properties:
attachedRoutes:
description: AttachedRoutes represents the total number of Routes that have been successfully attached to this Listener.
format: int32
type: integer
conditions:
description: Conditions describe the current condition of this listener.
items:
description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n \ttype FooStatus struct{ \t // Represents the observations of a foo's current state. \t // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" \t // +patchMergeKey=type \t // +patchStrategy=merge \t // +listType=map \t // +listMapKey=type \t Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n \t // other fields \t}"
properties:
lastTransitionTime:
description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
format: date-time
type: string
message:
description: message is a human readable message indicating details about the transition. This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.
format: int64
minimum: 0
type: integer
reason:
description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
type: string
status:
description: status of the condition, one of True, False, Unknown.
enum:
- "True"
- "False"
- Unknown
type: string
type:
description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
- lastTransitionTime
- message
- reason
- status
- type
type: object
maxItems: 8
type: array
x-kubernetes-list-map-keys:
- type
x-kubernetes-list-type: map
name:
description: Name is the name of the Listener that this status corresponds to.
maxLength: 253
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
supportedKinds:
description: "SupportedKinds is the list indicating the Kinds supported by this listener. This MUST represent the kinds an implementation supports for that Listener configuration. \n If kinds are specified in Spec that are not supported, they MUST NOT appear in this list and an implementation MUST set the \"ResolvedRefs\" condition to \"False\" with the \"InvalidRouteKinds\" reason. If both valid and invalid Route kinds are specified, the implementation MUST reference the valid Route kinds that have been specified."
items:
description: RouteGroupKind indicates the group and kind of a Route resource.
properties:
group:
default: gateway.networking.k8s.io
description: Group is the group of the Route.
maxLength: 253
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
kind:
description: Kind is the kind of the Route.
maxLength: 63
minLength: 1
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
type: string
required:
- kind
type: object
maxItems: 8
type: array
required:
- attachedRoutes
- conditions
- name
- supportedKinds
type: object
maxItems: 64
type: array
x-kubernetes-list-map-keys:
- name
x-kubernetes-list-type: map
type: object
required:
- spec
type: object
served: true
storage: false
subresources:
status: {}
- additionalPrinterColumns:
- jsonPath: .spec.gatewayClassName
name: Class
type: string
- jsonPath: .status.addresses[*].value
name: Address
type: string
- jsonPath: .status.conditions[?(@.type=="Programmed")].status
name: Programmed
type: string
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v1beta1
schema:
openAPIV3Schema:
description: Gateway represents an instance of a service-traffic handling infrastructure by binding Listeners to a set of IP addresses.
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: Spec defines the desired state of Gateway.
properties:
addresses:
description: "Addresses requested for this Gateway. This is optional and behavior can depend on the implementation. If a value is set in the spec and the requested address is invalid or unavailable, the implementation MUST indicate this in the associated entry in GatewayStatus.Addresses. \n The Addresses field represents a request for the address(es) on the \"outside of the Gateway\", that traffic bound for this Gateway will use. This could be the IP address or hostname of an external load balancer or other networking infrastructure, or some other address that traffic will be sent to. \n The .listener.hostname field is used to route traffic that has already arrived at the Gateway to the correct in-cluster destination. \n If no Addresses are specified, the implementation MAY schedule the Gateway in an implementation-specific manner, assigning an appropriate set of Addresses. \n The implementation MUST bind all Listeners to every GatewayAddress that it assigns to the Gateway and add a corresponding entry in GatewayStatus.Addresses. \n Support: Extended"
items:
description: GatewayAddress describes an address that can be bound to a Gateway.
properties:
type:
default: IPAddress
description: Type of the address.
maxLength: 253
minLength: 1
pattern: ^Hostname|IPAddress|NamedAddress|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$
type: string
value:
description: "Value of the address. The validity of the values will depend on the type and support by the controller. \n Examples: `1.2.3.4`, `128::1`, `my-ip-address`."
maxLength: 253
minLength: 1
type: string
required:
- value
type: object
maxItems: 16
type: array
gatewayClassName:
description: GatewayClassName used for this Gateway. This is the name of a GatewayClass resource.
maxLength: 253
minLength: 1
type: string
listeners:
description: "Listeners associated with this Gateway. Listeners define logical endpoints that are bound on this Gateway's addresses. At least one Listener MUST be specified. \n Each listener in a Gateway must have a unique combination of Hostname, Port, and Protocol. \n An implementation MAY group Listeners by Port and then collapse each group of Listeners into a single Listener if the implementation determines that the Listeners in the group are \"compatible\". An implementation MAY also group together and collapse compatible Listeners belonging to different Gateways. \n For example, an implementation might consider Listeners to be compatible with each other if all of the following conditions are met: \n 1. Either each Listener within the group specifies the \"HTTP\" Protocol or each Listener within the group specifies either the \"HTTPS\" or \"TLS\" Protocol. \n 2. Each Listener within the group specifies a Hostname that is unique within the group. \n 3. As a special case, one Listener within a group may omit Hostname, in which case this Listener matches when no other Listener matches. \n If the implementation does collapse compatible Listeners, the hostname provided in the incoming client request MUST be matched to a Listener to find the correct set of Routes. The incoming hostname MUST be matched using the Hostname field for each Listener in order of most to least specific. That is, exact matches must be processed before wildcard matches. \n If this field specifies multiple Listeners that have the same Port value but are not compatible, the implementation must raise a \"Conflicted\" condition in the Listener status. \n Support: Core"
items:
description: Listener embodies the concept of a logical endpoint where a Gateway accepts network connections.
properties:
allowedRoutes:
default:
namespaces:
from: Same
description: "AllowedRoutes defines the types of routes that MAY be attached to a Listener and the trusted namespaces where those Route resources MAY be present. \n Although a client request may match multiple route rules, only one rule may ultimately receive the request. Matching precedence MUST be determined in order of the following criteria: \n * The most specific match as defined by the Route type. * The oldest Route based on creation timestamp. For example, a Route with a creation timestamp of \"2020-09-08 01:02:03\" is given precedence over a Route with a creation timestamp of \"2020-09-08 01:02:04\". * If everything else is equivalent, the Route appearing first in alphabetical order (namespace/name) should be given precedence. For example, foo/bar is given precedence over foo/baz. \n All valid rules within a Route attached to this Listener should be implemented. Invalid Route rules can be ignored (sometimes that will mean the full Route). If a Route rule transitions from valid to invalid, support for that Route rule should be dropped to ensure consistency. For example, even if a filter specified by a Route rule is invalid, the rest of the rules within that Route should still be supported. \n Support: Core"
properties:
kinds:
description: "Kinds specifies the groups and kinds of Routes that are allowed to bind to this Gateway Listener. When unspecified or empty, the kinds of Routes selected are determined using the Listener protocol. \n A RouteGroupKind MUST correspond to kinds of Routes that are compatible with the application protocol specified in the Listener's Protocol field. If an implementation does not support or recognize this resource type, it MUST set the \"ResolvedRefs\" condition to False for this Listener with the \"InvalidRouteKinds\" reason. \n Support: Core"
items:
description: RouteGroupKind indicates the group and kind of a Route resource.
properties:
group:
default: gateway.networking.k8s.io
description: Group is the group of the Route.
maxLength: 253
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
kind:
description: Kind is the kind of the Route.
maxLength: 63
minLength: 1
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
type: string
required:
- kind
type: object
maxItems: 8
type: array
namespaces:
default:
from: Same
description: "Namespaces indicates namespaces from which Routes may be attached to this Listener. This is restricted to the namespace of this Gateway by default. \n Support: Core"
properties:
from:
default: Same
description: "From indicates where Routes will be selected for this Gateway. Possible values are: * All: Routes in all namespaces may be used by this Gateway. * Selector: Routes in namespaces selected by the selector may be used by this Gateway. * Same: Only Routes in the same namespace may be used by this Gateway. \n Support: Core"
enum:
- All
- Selector
- Same
type: string
selector:
description: "Selector must be specified when From is set to \"Selector\". In that case, only Routes in Namespaces matching this Selector will be selected by this Gateway. This field is ignored for other values of \"From\". \n Support: Core"
properties:
matchExpressions:
description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
items:
description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
properties:
key:
description: key is the label key that the selector applies to.
type: string
operator:
description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
type: object
type: object
hostname:
description: "Hostname specifies the virtual hostname to match for protocol types that define this concept. When unspecified, all hostnames are matched. This field is ignored for protocols that don't require hostname based matching. \n Implementations MUST apply Hostname matching appropriately for each of the following protocols: \n * TLS: The Listener Hostname MUST match the SNI. * HTTP: The Listener Hostname MUST match the Host header of the request. * HTTPS: The Listener Hostname SHOULD match at both the TLS and HTTP protocol layers as described above. If an implementation does not ensure that both the SNI and Host header match the Listener hostname, it MUST clearly document that. \n For HTTPRoute and TLSRoute resources, there is an interaction with the `spec.hostnames` array. When both listener and route specify hostnames, there MUST be an intersection between the values for a Route to be accepted. For more information, refer to the Route specific Hostnames documentation. \n Hostnames that are prefixed with a wildcard label (`*.`) are interpreted as a suffix match. That means that a match for `*.example.com` would match both `test.example.com`, and `foo.test.example.com`, but not `example.com`. \n Support: Core"
maxLength: 253
minLength: 1
pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
name:
description: "Name is the name of the Listener. This name MUST be unique within a Gateway. \n Support: Core"
maxLength: 253
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
port:
description: "Port is the network port. Multiple listeners may use the same port, subject to the Listener compatibility rules. \n Support: Core"
format: int32
maximum: 65535
minimum: 1
type: integer
protocol:
description: "Protocol specifies the network protocol this listener expects to receive. \n Support: Core"
maxLength: 255
minLength: 1
pattern: ^[a-zA-Z0-9]([-a-zSA-Z0-9]*[a-zA-Z0-9])?$|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9]+$
type: string
tls:
description: "TLS is the TLS configuration for the Listener. This field is required if the Protocol field is \"HTTPS\" or \"TLS\". It is invalid to set this field if the Protocol field is \"HTTP\", \"TCP\", or \"UDP\". \n The association of SNIs to Certificate defined in GatewayTLSConfig is defined based on the Hostname field for this listener. \n The GatewayClass MUST use the longest matching SNI out of all available certificates for any TLS handshake. \n Support: Core"
properties:
certificateRefs:
description: "CertificateRefs contains a series of references to Kubernetes objects that contains TLS certificates and private keys. These certificates are used to establish a TLS handshake for requests that match the hostname of the associated listener. \n A single CertificateRef to a Kubernetes Secret has \"Core\" support. Implementations MAY choose to support attaching multiple certificates to a Listener, but this behavior is implementation-specific. \n References to a resource in different namespace are invalid UNLESS there is a ReferenceGrant in the target namespace that allows the certificate to be attached. If a ReferenceGrant does not allow this reference, the \"ResolvedRefs\" condition MUST be set to False for this listener with the \"RefNotPermitted\" reason. \n This field is required to have at least one element when the mode is set to \"Terminate\" (default) and is optional otherwise. \n CertificateRefs can reference to standard Kubernetes resources, i.e. Secret, or implementation-specific custom resources. \n Support: Core - A single reference to a Kubernetes Secret of type kubernetes.io/tls \n Support: Implementation-specific (More than one reference or other resource types)"
items:
description: "SecretObjectReference identifies an API object including its namespace, defaulting to Secret. \n The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid. \n References to objects with invalid Group and Kind are not valid, and must be rejected by the implementation, with appropriate Conditions set on the containing object."
properties:
group:
default: ""
description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred.
maxLength: 253
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
kind:
default: Secret
description: Kind is kind of the referent. For example "HTTPRoute" or "Service".
maxLength: 63
minLength: 1
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
type: string
name:
description: Name is the name of the referent.
maxLength: 253
minLength: 1
type: string
namespace:
description: "Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. \n Support: Core"
maxLength: 63
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
required:
- name
type: object
maxItems: 64
type: array
mode:
default: Terminate
description: "Mode defines the TLS behavior for the TLS session initiated by the client. There are two possible modes: \n - Terminate: The TLS session between the downstream client and the Gateway is terminated at the Gateway. This mode requires certificateRefs to be set and contain at least one element. - Passthrough: The TLS session is NOT terminated by the Gateway. This implies that the Gateway can't decipher the TLS stream except for the ClientHello message of the TLS protocol. CertificateRefs field is ignored in this mode. \n Support: Core"
enum:
- Terminate
- Passthrough
type: string
options:
additionalProperties:
description: AnnotationValue is the value of an annotation in Gateway API. This is used for validation of maps such as TLS options. This roughly matches Kubernetes annotation validation, although the length validation in that case is based on the entire size of the annotations struct.
maxLength: 4096
minLength: 0
type: string
description: "Options are a list of key/value pairs to enable extended TLS configuration for each implementation. For example, configuring the minimum TLS version or supported cipher suites. \n A set of common keys MAY be defined by the API in the future. To avoid any ambiguity, implementation-specific definitions MUST use domain-prefixed names, such as `example.com/my-custom-option`. Un-prefixed names are reserved for key names defined by Gateway API. \n Support: Implementation-specific"
maxProperties: 16
type: object
type: object
required:
- name
- port
- protocol
type: object
maxItems: 64
minItems: 1
type: array
x-kubernetes-list-map-keys:
- name
x-kubernetes-list-type: map
required:
- gatewayClassName
- listeners
type: object
status:
default:
conditions:
- lastTransitionTime: "1970-01-01T00:00:00Z"
message: Waiting for controller
reason: NotReconciled
status: Unknown
type: Accepted
description: Status defines the current state of Gateway.
properties:
addresses:
description: Addresses lists the IP addresses that have actually been bound to the Gateway. These addresses may differ from the addresses in the Spec, e.g. if the Gateway automatically assigns an address from a reserved pool.
items:
description: GatewayAddress describes an address that can be bound to a Gateway.
properties:
type:
default: IPAddress
description: Type of the address.
maxLength: 253
minLength: 1
pattern: ^Hostname|IPAddress|NamedAddress|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$
type: string
value:
description: "Value of the address. The validity of the values will depend on the type and support by the controller. \n Examples: `1.2.3.4`, `128::1`, `my-ip-address`."
maxLength: 253
minLength: 1
type: string
required:
- value
type: object
maxItems: 16
type: array
conditions:
default:
- lastTransitionTime: "1970-01-01T00:00:00Z"
message: Waiting for controller
reason: Pending
status: Unknown
type: Accepted
- lastTransitionTime: "1970-01-01T00:00:00Z"
message: Waiting for controller
reason: Pending
status: Unknown
type: Programmed
description: "Conditions describe the current conditions of the Gateway. \n Implementations should prefer to express Gateway conditions using the `GatewayConditionType` and `GatewayConditionReason` constants so that operators and tools can converge on a common vocabulary to describe Gateway state. \n Known condition types are: \n * \"Accepted\" * \"Ready\""
items:
description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n \ttype FooStatus struct{ \t // Represents the observations of a foo's current state. \t // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" \t // +patchMergeKey=type \t // +patchStrategy=merge \t // +listType=map \t // +listMapKey=type \t Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n \t // other fields \t}"
properties:
lastTransitionTime:
description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
format: date-time
type: string
message:
description: message is a human readable message indicating details about the transition. This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.
format: int64
minimum: 0
type: integer
reason:
description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
type: string
status:
description: status of the condition, one of True, False, Unknown.
enum:
- "True"
- "False"
- Unknown
type: string
type:
description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
- lastTransitionTime
- message
- reason
- status
- type
type: object
maxItems: 8
type: array
x-kubernetes-list-map-keys:
- type
x-kubernetes-list-type: map
listeners:
description: Listeners provide status for each unique listener port defined in the Spec.
items:
description: ListenerStatus is the status associated with a Listener.
properties:
attachedRoutes:
description: AttachedRoutes represents the total number of Routes that have been successfully attached to this Listener.
format: int32
type: integer
conditions:
description: Conditions describe the current condition of this listener.
items:
description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n \ttype FooStatus struct{ \t // Represents the observations of a foo's current state. \t // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" \t // +patchMergeKey=type \t // +patchStrategy=merge \t // +listType=map \t // +listMapKey=type \t Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n \t // other fields \t}"
properties:
lastTransitionTime:
description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
format: date-time
type: string
message:
description: message is a human readable message indicating details about the transition. This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.
format: int64
minimum: 0
type: integer
reason:
description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
type: string
status:
description: status of the condition, one of True, False, Unknown.
enum:
- "True"
- "False"
- Unknown
type: string
type:
description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
- lastTransitionTime
- message
- reason
- status
- type
type: object
maxItems: 8
type: array
x-kubernetes-list-map-keys:
- type
x-kubernetes-list-type: map
name:
description: Name is the name of the Listener that this status corresponds to.
maxLength: 253
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
supportedKinds:
description: "SupportedKinds is the list indicating the Kinds supported by this listener. This MUST represent the kinds an implementation supports for that Listener configuration. \n If kinds are specified in Spec that are not supported, they MUST NOT appear in this list and an implementation MUST set the \"ResolvedRefs\" condition to \"False\" with the \"InvalidRouteKinds\" reason. If both valid and invalid Route kinds are specified, the implementation MUST reference the valid Route kinds that have been specified."
items:
description: RouteGroupKind indicates the group and kind of a Route resource.
properties:
group:
default: gateway.networking.k8s.io
description: Group is the group of the Route.
maxLength: 253
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
kind:
description: Kind is the kind of the Route.
maxLength: 63
minLength: 1
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
type: string
required:
- kind
type: object
maxItems: 8
type: array
required:
- attachedRoutes
- conditions
- name
- supportedKinds
type: object
maxItems: 64
type: array
x-kubernetes-list-map-keys:
- name
x-kubernetes-list-type: map
type: object
required:
- spec
type: object
served: true
storage: true
subresources:
status: {}
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []
{{- end }}
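Review bot: the `type` pattern on the GatewayAddress item, `^Hostname|IPAddress|NamedAddress|[a-z0-9]...$`, anchors only the first and last alternatives, because `^` and `$` bind tighter than `|`; since CRD `pattern` validation is an unanchored regex search, any value that merely contains `IPAddress` or `NamedAddress` as a substring (for instance `xIPAddressx`) passes validation. Wrapping the whole alternation as `^(Hostname|IPAddress|NamedAddress|<domain-prefixed form>)$` closes that gap. Minor: the top-level `status.default` seeds the `Accepted` condition with `reason: NotReconciled`, while `status.conditions.default` seeds the same condition with `reason: Pending`; pick one so tooling does not see two different reasons for the pre-reconcile state. If this file is vendored from upstream, both fixes belong upstream with the local copy regenerated rather than hand-edited here.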

View File

@ -0,0 +1,766 @@
{{- if and .Values.connectInject.enabled .Values.connectInject.apiGateway.manageExternalCRDs }}
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/1538
gateway.networking.k8s.io/bundle-version: v0.6.2
gateway.networking.k8s.io/channel: experimental
creationTimestamp: null
labels:
app: {{ template "consul.name" . }}
chart: {{ template "consul.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
component: crd
name: grpcroutes.gateway.networking.k8s.io
spec:
group: gateway.networking.k8s.io
names:
categories:
- gateway-api
kind: GRPCRoute
listKind: GRPCRouteList
plural: grpcroutes
singular: grpcroute
scope: Namespaced
versions:
- additionalPrinterColumns:
- jsonPath: .spec.hostnames
name: Hostnames
type: string
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v1alpha2
schema:
openAPIV3Schema:
description: "GRPCRoute provides a way to route gRPC requests. This includes the capability to match requests by hostname, gRPC service, gRPC method, or HTTP/2 header. Filters can be used to specify additional processing steps. Backends specify where matching requests will be routed. \n GRPCRoute falls under extended support within the Gateway API. Within the following specification, the word \"MUST\" indicates that an implementation supporting GRPCRoute must conform to the indicated requirement, but an implementation not supporting this route type need not follow the requirement unless explicitly indicated. \n Implementations supporting `GRPCRoute` with the `HTTPS` `ProtocolType` MUST accept HTTP/2 connections without an initial upgrade from HTTP/1.1, i.e. via ALPN. If the implementation does not support this, then it MUST set the \"Accepted\" condition to \"False\" for the affected listener with a reason of \"UnsupportedProtocol\". Implementations MAY also accept HTTP/2 connections with an upgrade from HTTP/1. \n Implementations supporting `GRPCRoute` with the `HTTP` `ProtocolType` MUST support HTTP/2 over cleartext TCP (h2c, https://www.rfc-editor.org/rfc/rfc7540#section-3.1) without an initial upgrade from HTTP/1.1, i.e. with prior knowledge (https://www.rfc-editor.org/rfc/rfc7540#section-3.4). If the implementation does not support this, then it MUST set the \"Accepted\" condition to \"False\" for the affected listener with a reason of \"UnsupportedProtocol\". Implementations MAY also accept HTTP/2 connections with an upgrade from HTTP/1, i.e. without prior knowledge. \n Support: Extended"
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: Spec defines the desired state of GRPCRoute.
properties:
hostnames:
description: "Hostnames defines a set of hostnames to match against the GRPC Host header to select a GRPCRoute to process the request. This matches the RFC 1123 definition of a hostname with 2 notable exceptions: \n 1. IPs are not allowed. 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard label MUST appear by itself as the first label. \n If a hostname is specified by both the Listener and GRPCRoute, there MUST be at least one intersecting hostname for the GRPCRoute to be attached to the Listener. For example: \n * A Listener with `test.example.com` as the hostname matches GRPCRoutes that have either not specified any hostnames, or have specified at least one of `test.example.com` or `*.example.com`. * A Listener with `*.example.com` as the hostname matches GRPCRoutes that have either not specified any hostnames or have specified at least one hostname that matches the Listener hostname. For example, `test.example.com` and `*.example.com` would both match. On the other hand, `example.com` and `test.example.net` would not match. \n Hostnames that are prefixed with a wildcard label (`*.`) are interpreted as a suffix match. That means that a match for `*.example.com` would match both `test.example.com`, and `foo.test.example.com`, but not `example.com`. \n If both the Listener and GRPCRoute have specified hostnames, any GRPCRoute hostnames that do not match the Listener hostname MUST be ignored. For example, if a Listener specified `*.example.com`, and the GRPCRoute specified `test.example.com` and `test.example.net`, `test.example.net` MUST NOT be considered for a match. \n If both the Listener and GRPCRoute have specified hostnames, and none match with the criteria above, then the GRPCRoute MUST NOT be accepted by the implementation. The implementation MUST raise an 'Accepted' Condition with a status of `False` in the corresponding RouteParentStatus. 
\n If a Route (A) of type HTTPRoute or GRPCRoute is attached to a Listener and that listener already has another Route (B) of the other type attached and the intersection of the hostnames of A and B is non-empty, then the implementation MUST accept exactly one of these two routes, determined by the following criteria, in order: \n * The oldest Route based on creation timestamp. * The Route appearing first in alphabetical order by \"{namespace}/{name}\". \n The rejected Route MUST raise an 'Accepted' condition with a status of 'False' in the corresponding RouteParentStatus. \n Support: Core"
items:
description: "Hostname is the fully qualified domain name of a network host. This matches the RFC 1123 definition of a hostname with 2 notable exceptions: \n 1. IPs are not allowed. 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard label must appear by itself as the first label. \n Hostname can be \"precise\" which is a domain name without the terminating dot of a network host (e.g. \"foo.example.com\") or \"wildcard\", which is a domain name prefixed with a single wildcard label (e.g. `*.example.com`). \n Note that as per RFC1035 and RFC1123, a *label* must consist of lower case alphanumeric characters or '-', and must start and end with an alphanumeric character. No other punctuation is allowed."
maxLength: 253
minLength: 1
pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
maxItems: 16
type: array
parentRefs:
description: "ParentRefs references the resources (usually Gateways) that a Route wants to be attached to. Note that the referenced parent resource needs to allow this for the attachment to be complete. For Gateways, that means the Gateway needs to allow attachment from Routes of this kind and namespace. \n The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources such as one of the route kinds. \n It is invalid to reference an identical parent more than once. It is valid to reference multiple distinct sections within the same parent resource, such as 2 Listeners within a Gateway. \n It is possible to separately reference multiple distinct objects that may be collapsed by an implementation. For example, some implementations may choose to merge compatible Gateway Listeners together. If that is the case, the list of routes attached to those resources should also be merged. \n Note that for ParentRefs that cross namespace boundaries, there are specific rules. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example, Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference."
items:
description: "ParentReference identifies an API object (usually a Gateway) that can be considered a parent of this resource (usually a route). The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources, such as HTTPRoute. \n The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid."
properties:
group:
default: gateway.networking.k8s.io
description: "Group is the group of the referent. When unspecified, \"gateway.networking.k8s.io\" is inferred. To set the core API group (such as for a \"Service\" kind referent), Group must be explicitly set to \"\" (empty string). \n Support: Core"
maxLength: 253
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
kind:
default: Gateway
description: "Kind is kind of the referent. \n Support: Core (Gateway) \n Support: Implementation-specific (Other Resources)"
maxLength: 63
minLength: 1
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
type: string
name:
description: "Name is the name of the referent. \n Support: Core"
maxLength: 253
minLength: 1
type: string
namespace:
description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n Support: Core"
maxLength: 63
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
port:
description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n <gateway:experimental>"
format: int32
maximum: 65535
minimum: 1
type: integer
sectionName:
description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core"
maxLength: 253
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
required:
- name
type: object
maxItems: 32
type: array
rules:
default:
- matches:
- method:
type: Exact
description: Rules are a list of GRPC matchers, filters and actions.
items:
description: GRPCRouteRule defines the semantics for matching an gRPC request based on conditions (matches), processing it (filters), and forwarding the request to an API object (backendRefs).
properties:
backendRefs:
description: "BackendRefs defines the backend(s) where matching requests should be sent. \n Failure behavior here depends on how many BackendRefs are specified and how many are invalid. \n If *all* entries in BackendRefs are invalid, and there are also no filters specified in this route rule, *all* traffic which matches this rule MUST receive an `UNAVAILABLE` status. \n See the GRPCBackendRef definition for the rules about what makes a single GRPCBackendRef invalid. \n When a GRPCBackendRef is invalid, `UNAVAILABLE` statuses MUST be returned for requests that would have otherwise been routed to an invalid backend. If multiple backends are specified, and some are invalid, the proportion of requests that would otherwise have been routed to an invalid backend MUST receive an `UNAVAILABLE` status. \n For example, if two backends are specified with equal weights, and one is invalid, 50 percent of traffic MUST receive an `UNAVAILABLE` status. Implementations may choose how that 50 percent is determined. \n Support: Core for Kubernetes Service \n Support: Implementation-specific for any other resource \n Support for weight: Core"
items:
description: GRPCBackendRef defines how a GRPCRoute forwards a gRPC request.
properties:
filters:
description: "Filters defined at this level MUST be executed if and only if the request is being forwarded to the backend defined here. \n Support: Implementation-specific (For broader support of filters, use the Filters field in GRPCRouteRule.)"
items:
description: GRPCRouteFilter defines processing steps that must be completed during the request or response lifecycle. GRPCRouteFilters are meant as an extension point to express processing that may be done in Gateway implementations. Some examples include request or response modification, implementing authentication strategies, rate-limiting, and traffic shaping. API guarantee/conformance is defined based on the type of the filter.
properties:
extensionRef:
description: "ExtensionRef is an optional, implementation-specific extension to the \"filter\" behavior. For example, resource \"myroutefilter\" in group \"networking.example.net\"). ExtensionRef MUST NOT be used for core and extended filters. \n Support: Implementation-specific"
properties:
group:
description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred.
maxLength: 253
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
kind:
description: Kind is kind of the referent. For example "HTTPRoute" or "Service".
maxLength: 63
minLength: 1
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
type: string
name:
description: Name is the name of the referent.
maxLength: 253
minLength: 1
type: string
required:
- group
- kind
- name
type: object
requestHeaderModifier:
description: "RequestHeaderModifier defines a schema for a filter that modifies request headers. \n Support: Core"
properties:
add:
description: "Add adds the given header(s) (name, value) to the request before the action. It appends to any existing values associated with the header name. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: add: - name: \"my-header\" value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 my-header: foo,bar,baz"
items:
description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
properties:
name:
description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent."
maxLength: 256
minLength: 1
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
value:
description: Value is the value of HTTP Header to be matched.
maxLength: 4096
minLength: 1
type: string
required:
- name
- value
type: object
maxItems: 16
type: array
x-kubernetes-list-map-keys:
- name
x-kubernetes-list-type: map
remove:
description: "Remove the given header(s) from the HTTP request before the action. The value of Remove is a list of HTTP header names. Note that the header names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). \n Input: GET /foo HTTP/1.1 my-header1: foo my-header2: bar my-header3: baz \n Config: remove: [\"my-header1\", \"my-header3\"] \n Output: GET /foo HTTP/1.1 my-header2: bar"
items:
type: string
maxItems: 16
type: array
set:
description: "Set overwrites the request with the given header (name, value) before the action. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: set: - name: \"my-header\" value: \"bar\" \n Output: GET /foo HTTP/1.1 my-header: bar"
items:
description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
properties:
name:
description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent."
maxLength: 256
minLength: 1
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
value:
description: Value is the value of HTTP Header to be matched.
maxLength: 4096
minLength: 1
type: string
required:
- name
- value
type: object
maxItems: 16
type: array
x-kubernetes-list-map-keys:
- name
x-kubernetes-list-type: map
type: object
requestMirror:
description: "RequestMirror defines a schema for a filter that mirrors requests. Requests are sent to the specified destination, but responses from that destination are ignored. \n Support: Extended"
properties:
backendRef:
description: "BackendRef references a resource where mirrored requests are sent. \n If the referent cannot be found, this BackendRef is invalid and must be dropped from the Gateway. The controller must ensure the \"ResolvedRefs\" condition on the Route status is set to `status: False` and not configure this backend in the underlying implementation. \n If there is a cross-namespace reference to an *existing* object that is not allowed by a ReferenceGrant, the controller must ensure the \"ResolvedRefs\" condition on the Route is set to `status: False`, with the \"RefNotPermitted\" reason and not configure this backend in the underlying implementation. \n In either error case, the Message of the `ResolvedRefs` Condition should be used to provide more detail about the problem. \n Support: Extended for Kubernetes Service \n Support: Implementation-specific for any other resource"
properties:
group:
default: ""
description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred.
maxLength: 253
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
kind:
default: Service
description: Kind is kind of the referent. For example "HTTPRoute" or "Service". Defaults to "Service" when not specified.
maxLength: 63
minLength: 1
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
type: string
name:
description: Name is the name of the referent.
maxLength: 253
minLength: 1
type: string
namespace:
description: "Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. \n Support: Core"
maxLength: 63
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
port:
description: Port specifies the destination port number to use for this resource. Port is required when the referent is a Kubernetes Service. In this case, the port number is the service port number, not the target port. For other resources, destination port might be derived from the referent resource or this field.
format: int32
maximum: 65535
minimum: 1
type: integer
required:
- name
type: object
required:
- backendRef
type: object
responseHeaderModifier:
description: "ResponseHeaderModifier defines a schema for a filter that modifies response headers. \n Support: Extended \n <gateway:experimental>"
properties:
add:
description: "Add adds the given header(s) (name, value) to the request before the action. It appends to any existing values associated with the header name. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: add: - name: \"my-header\" value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 my-header: foo,bar,baz"
items:
description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
properties:
name:
description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent."
maxLength: 256
minLength: 1
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
value:
description: Value is the value of HTTP Header to be matched.
maxLength: 4096
minLength: 1
type: string
required:
- name
- value
type: object
maxItems: 16
type: array
x-kubernetes-list-map-keys:
- name
x-kubernetes-list-type: map
remove:
description: "Remove the given header(s) from the HTTP request before the action. The value of Remove is a list of HTTP header names. Note that the header names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). \n Input: GET /foo HTTP/1.1 my-header1: foo my-header2: bar my-header3: baz \n Config: remove: [\"my-header1\", \"my-header3\"] \n Output: GET /foo HTTP/1.1 my-header2: bar"
items:
type: string
maxItems: 16
type: array
set:
description: "Set overwrites the request with the given header (name, value) before the action. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: set: - name: \"my-header\" value: \"bar\" \n Output: GET /foo HTTP/1.1 my-header: bar"
items:
description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
properties:
name:
description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent."
maxLength: 256
minLength: 1
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
value:
description: Value is the value of HTTP Header to be matched.
maxLength: 4096
minLength: 1
type: string
required:
- name
- value
type: object
maxItems: 16
type: array
x-kubernetes-list-map-keys:
- name
x-kubernetes-list-type: map
type: object
type:
description: "Type identifies the type of filter to apply. As with other API fields, types are classified into three conformance levels: \n - Core: Filter types and their corresponding configuration defined by \"Support: Core\" in this package, e.g. \"RequestHeaderModifier\". All implementations supporting GRPCRoute MUST support core filters. \n - Extended: Filter types and their corresponding configuration defined by \"Support: Extended\" in this package, e.g. \"RequestMirror\". Implementers are encouraged to support extended filters. \n - Implementation-specific: Filters that are defined and supported by specific vendors. In the future, filters showing convergence in behavior across multiple implementations will be considered for inclusion in extended or core conformance levels. Filter-specific configuration for such filters is specified using the ExtensionRef field. `Type` MUST be set to \"ExtensionRef\" for custom filters. \n Implementers are encouraged to define custom implementation types to extend the core API with implementation-specific behavior. \n If a reference to a custom filter type cannot be resolved, the filter MUST NOT be skipped. Instead, requests that would have been processed by that filter MUST receive a HTTP error response. \n "
enum:
- ResponseHeaderModifier
- RequestHeaderModifier
- RequestMirror
- ExtensionRef
type: string
required:
- type
type: object
maxItems: 16
type: array
group:
default: ""
description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred.
maxLength: 253
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
kind:
default: Service
description: Kind is kind of the referent. For example "HTTPRoute" or "Service". Defaults to "Service" when not specified.
maxLength: 63
minLength: 1
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
type: string
name:
description: Name is the name of the referent.
maxLength: 253
minLength: 1
type: string
namespace:
description: "Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. \n Support: Core"
maxLength: 63
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
port:
description: Port specifies the destination port number to use for this resource. Port is required when the referent is a Kubernetes Service. In this case, the port number is the service port number, not the target port. For other resources, destination port might be derived from the referent resource or this field.
format: int32
maximum: 65535
minimum: 1
type: integer
weight:
default: 1
description: "Weight specifies the proportion of requests forwarded to the referenced backend. This is computed as weight/(sum of all weights in this BackendRefs list). For non-zero values, there may be some epsilon from the exact proportion defined here depending on the precision an implementation supports. Weight is not a percentage and the sum of weights does not need to equal 100. \n If only one backend is specified and it has a weight greater than 0, 100% of the traffic is forwarded to that backend. If weight is set to 0, no traffic should be forwarded for this entry. If unspecified, weight defaults to 1. \n Support for this field varies based on the context where used."
format: int32
maximum: 1000000
minimum: 0
type: integer
required:
- name
type: object
maxItems: 16
type: array
filters:
description: "Filters define the filters that are applied to requests that match this rule. \n The effects of ordering of multiple behaviors are currently unspecified. This can change in the future based on feedback during the alpha stage. \n Conformance-levels at this level are defined based on the type of filter: \n - ALL core filters MUST be supported by all implementations that support GRPCRoute. - Implementers are encouraged to support extended filters. - Implementation-specific custom filters have no API guarantees across implementations. \n Specifying a core filter multiple times has unspecified or implementation-specific conformance. Support: Core"
items:
description: GRPCRouteFilter defines processing steps that must be completed during the request or response lifecycle. GRPCRouteFilters are meant as an extension point to express processing that may be done in Gateway implementations. Some examples include request or response modification, implementing authentication strategies, rate-limiting, and traffic shaping. API guarantee/conformance is defined based on the type of the filter.
properties:
extensionRef:
description: "ExtensionRef is an optional, implementation-specific extension to the \"filter\" behavior. For example, resource \"myroutefilter\" in group \"networking.example.net\"). ExtensionRef MUST NOT be used for core and extended filters. \n Support: Implementation-specific"
properties:
group:
description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred.
maxLength: 253
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
kind:
description: Kind is kind of the referent. For example "HTTPRoute" or "Service".
maxLength: 63
minLength: 1
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
type: string
name:
description: Name is the name of the referent.
maxLength: 253
minLength: 1
type: string
required:
- group
- kind
- name
type: object
requestHeaderModifier:
description: "RequestHeaderModifier defines a schema for a filter that modifies request headers. \n Support: Core"
properties:
add:
description: "Add adds the given header(s) (name, value) to the request before the action. It appends to any existing values associated with the header name. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: add: - name: \"my-header\" value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 my-header: foo,bar,baz"
items:
description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
properties:
name:
description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent."
maxLength: 256
minLength: 1
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
value:
description: Value is the value of HTTP Header to be matched.
maxLength: 4096
minLength: 1
type: string
required:
- name
- value
type: object
maxItems: 16
type: array
x-kubernetes-list-map-keys:
- name
x-kubernetes-list-type: map
remove:
description: "Remove the given header(s) from the HTTP request before the action. The value of Remove is a list of HTTP header names. Note that the header names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). \n Input: GET /foo HTTP/1.1 my-header1: foo my-header2: bar my-header3: baz \n Config: remove: [\"my-header1\", \"my-header3\"] \n Output: GET /foo HTTP/1.1 my-header2: bar"
items:
type: string
maxItems: 16
type: array
set:
description: "Set overwrites the request with the given header (name, value) before the action. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: set: - name: \"my-header\" value: \"bar\" \n Output: GET /foo HTTP/1.1 my-header: bar"
items:
description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
properties:
name:
description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent."
maxLength: 256
minLength: 1
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
value:
description: Value is the value of HTTP Header to be matched.
maxLength: 4096
minLength: 1
type: string
required:
- name
- value
type: object
maxItems: 16
type: array
x-kubernetes-list-map-keys:
- name
x-kubernetes-list-type: map
type: object
requestMirror:
description: "RequestMirror defines a schema for a filter that mirrors requests. Requests are sent to the specified destination, but responses from that destination are ignored. \n Support: Extended"
properties:
backendRef:
description: "BackendRef references a resource where mirrored requests are sent. \n If the referent cannot be found, this BackendRef is invalid and must be dropped from the Gateway. The controller must ensure the \"ResolvedRefs\" condition on the Route status is set to `status: False` and not configure this backend in the underlying implementation. \n If there is a cross-namespace reference to an *existing* object that is not allowed by a ReferenceGrant, the controller must ensure the \"ResolvedRefs\" condition on the Route is set to `status: False`, with the \"RefNotPermitted\" reason and not configure this backend in the underlying implementation. \n In either error case, the Message of the `ResolvedRefs` Condition should be used to provide more detail about the problem. \n Support: Extended for Kubernetes Service \n Support: Implementation-specific for any other resource"
properties:
group:
default: ""
description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred.
maxLength: 253
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
kind:
default: Service
description: Kind is kind of the referent. For example "HTTPRoute" or "Service". Defaults to "Service" when not specified.
maxLength: 63
minLength: 1
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
type: string
name:
description: Name is the name of the referent.
maxLength: 253
minLength: 1
type: string
namespace:
description: "Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. \n Support: Core"
maxLength: 63
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
port:
description: Port specifies the destination port number to use for this resource. Port is required when the referent is a Kubernetes Service. In this case, the port number is the service port number, not the target port. For other resources, destination port might be derived from the referent resource or this field.
format: int32
maximum: 65535
minimum: 1
type: integer
required:
- name
type: object
required:
- backendRef
type: object
responseHeaderModifier:
description: "ResponseHeaderModifier defines a schema for a filter that modifies response headers. \n Support: Extended \n <gateway:experimental>"
properties:
add:
description: "Add adds the given header(s) (name, value) to the request before the action. It appends to any existing values associated with the header name. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: add: - name: \"my-header\" value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 my-header: foo,bar,baz"
items:
description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
properties:
name:
description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent."
maxLength: 256
minLength: 1
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
value:
description: Value is the value of HTTP Header to be matched.
maxLength: 4096
minLength: 1
type: string
required:
- name
- value
type: object
maxItems: 16
type: array
x-kubernetes-list-map-keys:
- name
x-kubernetes-list-type: map
remove:
description: "Remove the given header(s) from the HTTP request before the action. The value of Remove is a list of HTTP header names. Note that the header names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). \n Input: GET /foo HTTP/1.1 my-header1: foo my-header2: bar my-header3: baz \n Config: remove: [\"my-header1\", \"my-header3\"] \n Output: GET /foo HTTP/1.1 my-header2: bar"
items:
type: string
maxItems: 16
type: array
set:
description: "Set overwrites the request with the given header (name, value) before the action. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: set: - name: \"my-header\" value: \"bar\" \n Output: GET /foo HTTP/1.1 my-header: bar"
items:
description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
properties:
name:
description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent."
maxLength: 256
minLength: 1
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
value:
description: Value is the value of HTTP Header to be matched.
maxLength: 4096
minLength: 1
type: string
required:
- name
- value
type: object
maxItems: 16
type: array
x-kubernetes-list-map-keys:
- name
x-kubernetes-list-type: map
type: object
type:
description: "Type identifies the type of filter to apply. As with other API fields, types are classified into three conformance levels: \n - Core: Filter types and their corresponding configuration defined by \"Support: Core\" in this package, e.g. \"RequestHeaderModifier\". All implementations supporting GRPCRoute MUST support core filters. \n - Extended: Filter types and their corresponding configuration defined by \"Support: Extended\" in this package, e.g. \"RequestMirror\". Implementers are encouraged to support extended filters. \n - Implementation-specific: Filters that are defined and supported by specific vendors. In the future, filters showing convergence in behavior across multiple implementations will be considered for inclusion in extended or core conformance levels. Filter-specific configuration for such filters is specified using the ExtensionRef field. `Type` MUST be set to \"ExtensionRef\" for custom filters. \n Implementers are encouraged to define custom implementation types to extend the core API with implementation-specific behavior. \n If a reference to a custom filter type cannot be resolved, the filter MUST NOT be skipped. Instead, requests that would have been processed by that filter MUST receive a HTTP error response. \n "
enum:
- ResponseHeaderModifier
- RequestHeaderModifier
- RequestMirror
- ExtensionRef
type: string
required:
- type
type: object
maxItems: 16
type: array
matches:
default:
- method:
type: Exact
description: "Matches define conditions used for matching the rule against incoming gRPC requests. Each match is independent, i.e. this rule will be matched if **any** one of the matches is satisfied. \n For example, take the following matches configuration: \n ``` matches: - method: service: foo.bar headers: values: version: 2 - method: service: foo.bar.v2 ``` \n For a request to match against this rule, it MUST satisfy EITHER of the two conditions: \n - service of foo.bar AND contains the header `version: 2` - service of foo.bar.v2 \n See the documentation for GRPCRouteMatch on how to specify multiple match conditions to be ANDed together. \n If no matches are specified, the implementation MUST match every gRPC request. \n Proxy or Load Balancer routing configuration generated from GRPCRoutes MUST prioritize rules based on the following criteria, continuing on ties. Merging MUST not be done between GRPCRoutes and HTTPRoutes. Precedence MUST be given to the rule with the largest number of: \n * Characters in a matching non-wildcard hostname. * Characters in a matching hostname. * Characters in a matching service. * Characters in a matching method. * Header matches. \n If ties still exist across multiple Routes, matching precedence MUST be determined in order of the following criteria, continuing on ties: \n * The oldest Route based on creation timestamp. * The Route appearing first in alphabetical order by \"{namespace}/{name}\". \n If ties still exist within the Route that has been given precedence, matching precedence MUST be granted to the first matching rule meeting the above criteria."
items:
description: "GRPCRouteMatch defines the predicate used to match requests to a given action. Multiple match types are ANDed together, i.e. the match will evaluate to true only if all conditions are satisfied. \n For example, the match below will match a gRPC request only if its service is `foo` AND it contains the `version: v1` header: \n ``` matches: - method: type: Exact service: \"foo\" headers: - name: \"version\" value \"v1\" \n ```"
properties:
headers:
description: Headers specifies gRPC request header matchers. Multiple match values are ANDed together, meaning, a request MUST match all the specified headers to select the route.
items:
description: GRPCHeaderMatch describes how to select a gRPC route by matching gRPC request headers.
properties:
name:
description: "Name is the name of the gRPC Header to be matched. \n If multiple entries specify equivalent header names, only the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent."
maxLength: 256
minLength: 1
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
type:
default: Exact
description: Type specifies how to match against the value of the header.
enum:
- Exact
- RegularExpression
type: string
value:
description: Value is the value of the gRPC Header to be matched.
maxLength: 4096
minLength: 1
type: string
required:
- name
- value
type: object
maxItems: 16
type: array
x-kubernetes-list-map-keys:
- name
x-kubernetes-list-type: map
method:
default:
type: Exact
description: Method specifies a gRPC request service/method matcher. If this field is not specified, all services and methods will match.
properties:
method:
description: "Value of the method to match against. If left empty or omitted, will match all services. \n At least one of Service and Method MUST be a non-empty string. \n A GRPC Method must be a valid Protobuf Method (https://protobuf.com/docs/language-spec#methods)."
maxLength: 1024
pattern: ^[A-Za-z_][A-Za-z_0-9]*$
type: string
service:
description: "Value of the service to match against. If left empty or omitted, will match any service. \n At least one of Service and Method MUST be a non-empty string. \n A GRPC Service must be a valid Protobuf Type Name (https://protobuf.com/docs/language-spec#type-references)."
maxLength: 1024
pattern: ^(?i)\.?[a-z_][a-z_0-9]*(\.[a-z_][a-z_0-9]*)*$
type: string
type:
default: Exact
description: "Type specifies how to match against the service and/or method. Support: Core (Exact with service and method specified) \n Support: Implementation-specific (Exact with method specified but no service specified) \n Support: Implementation-specific (RegularExpression)"
enum:
- Exact
- RegularExpression
type: string
type: object
type: object
maxItems: 8
type: array
type: object
maxItems: 16
type: array
type: object
status:
description: Status defines the current state of GRPCRoute.
properties:
parents:
description: "Parents is a list of parent resources (usually Gateways) that are associated with the route, and the status of the route with respect to each parent. When this route attaches to a parent, the controller that manages the parent must add an entry to this list when the controller first sees the route and should update the entry as appropriate when the route or gateway is modified. \n Note that parent references that cannot be resolved by an implementation of this API will not be added to this list. Implementations of this API can only populate Route status for the Gateways/parent resources they are responsible for. \n A maximum of 32 Gateways will be represented in this list. An empty list means the route has not been attached to any Gateway."
items:
description: RouteParentStatus describes the status of a route with respect to an associated Parent.
properties:
conditions:
description: "Conditions describes the status of the route with respect to the Gateway. Note that the route's availability is also subject to the Gateway's own status conditions and listener status. \n If the Route's ParentRef specifies an existing Gateway that supports Routes of this kind AND that Gateway's controller has sufficient access, then that Gateway's controller MUST set the \"Accepted\" condition on the Route, to indicate whether the route has been accepted or rejected by the Gateway, and why. \n A Route MUST be considered \"Accepted\" if at least one of the Route's rules is implemented by the Gateway. \n There are a number of cases where the \"Accepted\" condition may not be set due to lack of controller visibility, that includes when: \n * The Route refers to a non-existent parent. * The Route is of a type that the controller does not support. * The Route is in a namespace the controller does not have access to."
items:
description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n \ttype FooStatus struct{ \t // Represents the observations of a foo's current state. \t // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" \t // +patchMergeKey=type \t // +patchStrategy=merge \t // +listType=map \t // +listMapKey=type \t Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n \t // other fields \t}"
properties:
lastTransitionTime:
description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
format: date-time
type: string
message:
description: message is a human readable message indicating details about the transition. This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.
format: int64
minimum: 0
type: integer
reason:
description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
type: string
status:
description: status of the condition, one of True, False, Unknown.
enum:
- "True"
- "False"
- Unknown
type: string
type:
description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
- lastTransitionTime
- message
- reason
- status
- type
type: object
maxItems: 8
minItems: 1
type: array
x-kubernetes-list-map-keys:
- type
x-kubernetes-list-type: map
controllerName:
description: "ControllerName is a domain/path string that indicates the name of the controller that wrote this status. This corresponds with the controllerName field on GatewayClass. \n Example: \"example.net/gateway-controller\". \n The format of this field is DOMAIN \"/\" PATH, where DOMAIN and PATH are valid Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). \n Controllers MUST populate this field when writing status. Controllers should ensure that entries to status populated with their ControllerName are cleaned up when they are no longer necessary."
maxLength: 253
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$
type: string
parentRef:
description: ParentRef corresponds with a ParentRef in the spec that this RouteParentStatus struct describes the status of.
properties:
group:
default: gateway.networking.k8s.io
description: "Group is the group of the referent. When unspecified, \"gateway.networking.k8s.io\" is inferred. To set the core API group (such as for a \"Service\" kind referent), Group must be explicitly set to \"\" (empty string). \n Support: Core"
maxLength: 253
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
kind:
default: Gateway
description: "Kind is kind of the referent. \n Support: Core (Gateway) \n Support: Implementation-specific (Other Resources)"
maxLength: 63
minLength: 1
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
type: string
name:
description: "Name is the name of the referent. \n Support: Core"
maxLength: 253
minLength: 1
type: string
namespace:
description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n Support: Core"
maxLength: 63
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
port:
description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n <gateway:experimental>"
format: int32
maximum: 65535
minimum: 1
type: integer
sectionName:
description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core"
maxLength: 253
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
required:
- name
type: object
required:
- controllerName
- parentRef
type: object
maxItems: 32
type: array
required:
- parents
type: object
type: object
served: true
storage: true
subresources:
status: {}
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []
{{- end }}
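Review bot: the `responseHeaderModifier` descriptions in this hunk are copied from the request-side filter and still talk about requests: under `responseHeaderModifier` the `add` text reads "Add adds the given header(s) (name, value) to the request before the action" and `remove` reads "Remove the given header(s) from the HTTP request", both with `GET /foo HTTP/1.1` examples, although this filter acts on response headers. Since these descriptions become the `kubectl explain` output for `grpcroutes.gateway.networking.k8s.io`, either regenerate from an upstream gateway-api release that fixes the wording or note the inherited defect in the chart's CRD notes. Two smaller documentation points in the same hunk: the `GRPCRouteMatch` example drops a colon (`value \"v1\"` should read `value: \"v1\"`), and `responseHeaderModifier` is tagged `<gateway:experimental>` while `ResponseHeaderModifier` is accepted by the `type` enum, so a route that validates against this schema may select a filter the controller does not yet honour; a line in the chart docs stating whether the Consul controller implements it would save operators from silently unapplied header policy.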

View File

@ -0,0 +1,669 @@
{{- if .Values.connectInject.enabled }}
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
labels:
app: {{ template "consul.name" . }}
chart: {{ template "consul.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
component: crd
name: grpcroutes.mesh.consul.hashicorp.com
spec:
group: mesh.consul.hashicorp.com
names:
kind: GRPCRoute
listKind: GRPCRouteList
plural: grpcroutes
shortNames:
- grpc-route
singular: grpcroute
scope: Namespaced
versions:
- additionalPrinterColumns:
- description: The sync status of the resource with Consul
jsonPath: .status.conditions[?(@.type=="Synced")].status
name: Synced
type: string
- description: The last successful synced time of the resource with Consul
jsonPath: .status.lastSyncedTime
name: Last Synced
type: date
- description: The age of the resource
jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v2beta1
schema:
openAPIV3Schema:
description: GRPCRoute is the Schema for the GRPC Route API
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: |-
NOTE: this should align to the GAMMA/gateway-api version, or at least be
easily translatable.
https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1alpha2.GRPCRoute
This is a Resource type.
properties:
hostnames:
description: |-
Hostnames are the hostnames for which this GRPCRoute should respond to requests.
This is only valid for north/south.
items:
type: string
type: array
parentRefs:
description: |-
ParentRefs references the resources (usually Services) that a Route wants
to be attached to.
It is invalid to reference an identical parent more than once. It is valid
to reference multiple distinct sections within the same parent resource.
items:
description: 'NOTE: roughly equivalent to structs.ResourceReference'
properties:
port:
description: |-
For east/west this is the name of the Consul Service port to direct traffic to
or empty to imply all.
For north/south this is TBD.
For more details on potential values of this field, see documentation for
Service.ServicePort.
type: string
ref:
description: |-
For east/west configuration, this should point to a Service.
For north/south it should point to a Gateway.
properties:
name:
description: Name is the user-given name of the resource
(e.g. the "billing" service).
type: string
section:
description: Section identifies which part of the resource
the condition relates to.
type: string
tenancy:
description: |-
Tenancy identifies the tenancy units (i.e. partition, namespace) in which
the resource resides.
properties:
namespace:
description: |-
Namespace further isolates resources within a partition.
https://developer.hashicorp.com/consul/docs/enterprise/namespaces
When using the List and WatchList endpoints, provide the wildcard value "*"
to list resources across all namespaces.
type: string
partition:
description: |-
Partition is the topmost administrative boundary within a cluster.
https://developer.hashicorp.com/consul/docs/enterprise/admin-partitions
When using the List and WatchList endpoints, provide the wildcard value "*"
to list resources across all partitions.
type: string
type: object
type:
description: Type identifies the resource's type.
properties:
group:
description: |-
Group describes the area of functionality to which this resource type
relates (e.g. "catalog", "authorization").
type: string
groupVersion:
description: |-
GroupVersion is incremented when sweeping or backward-incompatible changes
are made to the group's resource types.
type: string
kind:
description: Kind identifies the specific resource type
within the group.
type: string
type: object
type: object
type: object
type: array
rules:
description: Rules are a list of GRPC matchers, filters and actions.
items:
properties:
backendRefs:
description: |-
BackendRefs defines the backend(s) where matching requests should be sent.
Failure behavior here depends on how many BackendRefs are specified and
how many are invalid.
If all entries in BackendRefs are invalid, and there are also no filters
specified in this route rule, all traffic which matches this rule MUST
receive a 500 status code.
See the GRPCBackendRef definition for the rules about what makes a single
GRPCBackendRef invalid.
When a GRPCBackendRef is invalid, 500 status codes MUST be returned for
requests that would have otherwise been routed to an invalid backend. If
multiple backends are specified, and some are invalid, the proportion of
requests that would otherwise have been routed to an invalid backend MUST
receive a 500 status code.
For example, if two backends are specified with equal weights, and one is
invalid, 50 percent of traffic must receive a 500. Implementations may
choose how that 50 percent is determined.
items:
properties:
backendRef:
properties:
datacenter:
type: string
port:
description: |-
For east/west this is the name of the Consul Service port to direct traffic to
or empty to imply using the same value as the parent ref.
For north/south this is TBD.
For more details on potential values of this field, see documentation for
Service.ServicePort.
type: string
ref:
description: For east/west configuration, this should
point to a Service.
properties:
name:
description: Name is the user-given name of the
resource (e.g. the "billing" service).
type: string
section:
description: Section identifies which part of
the resource the condition relates to.
type: string
tenancy:
description: |-
Tenancy identifies the tenancy units (i.e. partition, namespace) in which
the resource resides.
properties:
namespace:
description: |-
Namespace further isolates resources within a partition.
https://developer.hashicorp.com/consul/docs/enterprise/namespaces
When using the List and WatchList endpoints, provide the wildcard value "*"
to list resources across all namespaces.
type: string
partition:
description: |-
Partition is the topmost administrative boundary within a cluster.
https://developer.hashicorp.com/consul/docs/enterprise/admin-partitions
When using the List and WatchList endpoints, provide the wildcard value "*"
to list resources across all partitions.
type: string
type: object
type:
description: Type identifies the resource's type.
properties:
group:
description: |-
Group describes the area of functionality to which this resource type
relates (e.g. "catalog", "authorization").
type: string
groupVersion:
description: |-
GroupVersion is incremented when sweeping or backward-incompatible changes
are made to the group's resource types.
type: string
kind:
description: Kind identifies the specific
resource type within the group.
type: string
type: object
type: object
type: object
filters:
description: |-
Filters defined at this level should be executed if and only if the
request is being forwarded to the backend defined here.
items:
properties:
requestHeaderModifier:
description: |-
RequestHeaderModifier defines a schema for a filter that modifies request
headers.
properties:
add:
description: |-
Add adds the given header(s) (name, value) to the request before the
action. It appends to any existing values associated with the header name.
items:
properties:
name:
type: string
value:
type: string
type: object
type: array
remove:
description: |-
Remove the given header(s) from the HTTP request before the action. The
value of Remove is a list of HTTP header names. Note that the header names
are case-insensitive (see
https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
items:
type: string
type: array
set:
description: |-
Set overwrites the request with the given header (name, value) before the
action.
items:
properties:
name:
type: string
value:
type: string
type: object
type: array
type: object
responseHeaderModifier:
description: |-
ResponseHeaderModifier defines a schema for a filter that modifies
response headers.
properties:
add:
description: |-
Add adds the given header(s) (name, value) to the request before the
action. It appends to any existing values associated with the header name.
items:
properties:
name:
type: string
value:
type: string
type: object
type: array
remove:
description: |-
Remove the given header(s) from the HTTP request before the action. The
value of Remove is a list of HTTP header names. Note that the header names
are case-insensitive (see
https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
items:
type: string
type: array
set:
description: |-
Set overwrites the request with the given header (name, value) before the
action.
items:
properties:
name:
type: string
value:
type: string
type: object
type: array
type: object
urlRewrite:
description: |-
URLRewrite defines a schema for a filter that modifies a request during
forwarding.
properties:
pathPrefix:
type: string
type: object
type: object
type: array
weight:
description: |-
Weight specifies the proportion of requests forwarded to the referenced
backend. This is computed as weight/(sum of all weights in this
BackendRefs list). For non-zero values, there may be some epsilon from the
exact proportion defined here depending on the precision an implementation
supports. Weight is not a percentage and the sum of weights does not need
to equal 100.
If only one backend is specified and it has a weight greater than 0, 100%
of the traffic is forwarded to that backend. If weight is set to 0, no
traffic should be forwarded for this entry. If unspecified, weight defaults
to 1.
format: int32
type: integer
type: object
type: array
filters:
items:
properties:
requestHeaderModifier:
description: |-
RequestHeaderModifier defines a schema for a filter that modifies request
headers.
properties:
add:
description: |-
Add adds the given header(s) (name, value) to the request before the
action. It appends to any existing values associated with the header name.
items:
properties:
name:
type: string
value:
type: string
type: object
type: array
remove:
description: |-
Remove the given header(s) from the HTTP request before the action. The
value of Remove is a list of HTTP header names. Note that the header names
are case-insensitive (see
https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
items:
type: string
type: array
set:
description: |-
Set overwrites the request with the given header (name, value) before the
action.
items:
properties:
name:
type: string
value:
type: string
type: object
type: array
type: object
responseHeaderModifier:
description: |-
ResponseHeaderModifier defines a schema for a filter that modifies
response headers.
properties:
add:
description: |-
Add adds the given header(s) (name, value) to the request before the
action. It appends to any existing values associated with the header name.
items:
properties:
name:
type: string
value:
type: string
type: object
type: array
remove:
description: |-
Remove the given header(s) from the HTTP request before the action. The
value of Remove is a list of HTTP header names. Note that the header names
are case-insensitive (see
https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
items:
type: string
type: array
set:
description: |-
Set overwrites the request with the given header (name, value) before the
action.
items:
properties:
name:
type: string
value:
type: string
type: object
type: array
type: object
urlRewrite:
description: |-
URLRewrite defines a schema for a filter that modifies a request during
forwarding.
properties:
pathPrefix:
type: string
type: object
type: object
type: array
matches:
items:
properties:
headers:
description: |-
Headers specifies gRPC request header matchers. Multiple match values are
ANDed together, meaning, a request MUST match all the specified headers to
select the route.
items:
properties:
name:
type: string
type:
description: |-
HeaderMatchType specifies the semantics of how HTTP header values should be
compared. Valid HeaderMatchType values, along with their conformance levels,
are:
Note that values may be added to this enum, implementations must ensure that
unknown values will not cause a crash.
Unknown values here must result in the implementation setting the Accepted
Condition for the Route to status: False, with a Reason of UnsupportedValue.
enum:
- HEADER_MATCH_TYPE_UNSPECIFIED
- HEADER_MATCH_TYPE_EXACT
- HEADER_MATCH_TYPE_REGEX
- HEADER_MATCH_TYPE_PRESENT
- HEADER_MATCH_TYPE_PREFIX
- HEADER_MATCH_TYPE_SUFFIX
format: int32
type: string
value:
type: string
type: object
type: array
method:
description: |-
Method specifies a gRPC request service/method matcher. If this field is
not specified, all services and methods will match.
properties:
method:
description: |-
Value of the method to match against. If left empty or omitted, will match
all services.
At least one of Service and Method MUST be a non-empty string.}
type: string
service:
description: |-
Value of the service to match against. If left empty or omitted, will
match any service.
At least one of Service and Method MUST be a non-empty string.
type: string
type:
description: |-
Type specifies how to match against the service and/or method. Support:
Core (Exact with service and method specified)
enum:
- GRPC_METHOD_MATCH_TYPE_UNSPECIFIED
- GRPC_METHOD_MATCH_TYPE_EXACT
- GRPC_METHOD_MATCH_TYPE_REGEX
format: int32
type: string
type: object
type: object
type: array
retries:
properties:
number:
description: |-
Number is the number of times to retry the request when a retryable
result occurs.
properties:
value:
description: The uint32 value.
format: int32
type: integer
type: object
onConditions:
description: |-
RetryOn allows setting envoy specific conditions when a request should
be automatically retried.
items:
type: string
type: array
onConnectFailure:
description: |-
RetryOnConnectFailure allows for connection failure errors to trigger a
retry.
type: boolean
onStatusCodes:
description: |-
RetryOnStatusCodes is a flat list of http response status codes that are
eligible for retry. This again should be feasible in any reasonable proxy.
items:
format: int32
type: integer
type: array
type: object
timeouts:
description: |-
HTTPRouteTimeouts defines timeouts that can be configured for an HTTPRoute
or GRPCRoute.
properties:
idle:
description: Idle specifies the total amount of time permitted
for the request stream to be idle.
format: duration
properties:
nanos:
description: |-
Signed fractions of a second at nanosecond resolution of the span
of time. Durations less than one second are represented with a 0
`seconds` field and a positive or negative `nanos` field. For durations
of one second or more, a non-zero value for the `nanos` field must be
of the same sign as the `seconds` field. Must be from -999,999,999
to +999,999,999 inclusive.
format: int32
type: integer
seconds:
description: |-
Signed seconds of the span of time. Must be from -315,576,000,000
to +315,576,000,000 inclusive. Note: these bounds are computed from:
60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years
format: int64
type: integer
type: object
request:
description: |-
RequestTimeout is the total amount of time permitted for the entire
downstream request (and retries) to be processed.
format: duration
properties:
nanos:
description: |-
Signed fractions of a second at nanosecond resolution of the span
of time. Durations less than one second are represented with a 0
`seconds` field and a positive or negative `nanos` field. For durations
of one second or more, a non-zero value for the `nanos` field must be
of the same sign as the `seconds` field. Must be from -999,999,999
to +999,999,999 inclusive.
format: int32
type: integer
seconds:
description: |-
Signed seconds of the span of time. Must be from -315,576,000,000
to +315,576,000,000 inclusive. Note: these bounds are computed from:
60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years
format: int64
type: integer
type: object
type: object
type: object
type: array
type: object
status:
properties:
conditions:
description: Conditions indicate the latest available observations
of a resource's current state.
items:
description: |-
Conditions define a readiness condition for a Consul resource.
See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties
properties:
lastTransitionTime:
description: LastTransitionTime is the last time the condition
transitioned from one status to another.
format: date-time
type: string
message:
description: A human readable message indicating details about
the transition.
type: string
reason:
description: The reason for the condition's last transition.
type: string
status:
description: Status of the condition, one of True, False, Unknown.
type: string
type:
description: Type of condition.
type: string
required:
- status
- type
type: object
type: array
lastSyncedTime:
description: LastSyncedTime is the last time the resource successfully
synced with Consul.
format: date-time
type: string
type: object
type: object
served: true
storage: true
subresources:
status: {}
{{- end }}
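Review bot: `weight` under `spec.rules[].backendRefs[]` has no `minimum`, even though its own description says 0 means no traffic and the proportion is `weight/(sum of all weights in this BackendRefs list)`; a negative value passes admission and only fails (or misbehaves) in the controller, so add `minimum: 0` beside `format: int32`. Two smaller schema points: the enum fields `matches[].headers[].type` and `matches[].method.type` declare `format: int32` together with `type: string` and string enum values, which is contradictory (the format means nothing for a string and is best dropped), and `backendRef.datacenter`, `rules[].filters`, `rules[].matches` and `rules[].retries` carry no description at all. On the documentation side, the `responseHeaderModifier` descriptions for `add` and `remove` are copied from the request filter and still say "to the request" / "from the HTTP request", and the `method.method` description ends in a stray brace ("At least one of Service and Method MUST be a non-empty string.}"); since the file is generated (controller-gen v0.14.0 per the annotation), both fixes belong in the source comments rather than in this template. Finally, nothing in the schema constrains `backendRef.ref.tenancy.partition` or `.namespace`, so as far as admission is concerned a route can name a Service in any partition or namespace; cross-tenant reference checks have to happen in the controller, and that expectation deserves a sentence in the `ref` description.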

File diff suppressed because it is too large


@ -0,0 +1,726 @@
{{- if .Values.connectInject.enabled }}
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
labels:
app: {{ template "consul.name" . }}
chart: {{ template "consul.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
component: crd
name: httproutes.mesh.consul.hashicorp.com
spec:
group: mesh.consul.hashicorp.com
names:
kind: HTTPRoute
listKind: HTTPRouteList
plural: httproutes
shortNames:
- http-route
singular: httproute
scope: Namespaced
versions:
- additionalPrinterColumns:
- description: The sync status of the resource with Consul
jsonPath: .status.conditions[?(@.type=="Synced")].status
name: Synced
type: string
- description: The last successful synced time of the resource with Consul
jsonPath: .status.lastSyncedTime
name: Last Synced
type: date
- description: The age of the resource
jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v2beta1
schema:
openAPIV3Schema:
description: HTTPRoute is the Schema for the HTTP Route API
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: |-
NOTE: this should align to the GAMMA/gateway-api version, or at least be
easily translatable.
https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1alpha2.HTTPRoute
This is a Resource type.
properties:
hostnames:
description: |-
Hostnames are the hostnames for which this HTTPRoute should respond to requests.
This is only valid for north/south.
items:
type: string
type: array
parentRefs:
description: |-
ParentRefs references the resources (usually Services) that a Route wants
to be attached to.
It is invalid to reference an identical parent more than once. It is valid
to reference multiple distinct sections within the same parent resource.
items:
description: 'NOTE: roughly equivalent to structs.ResourceReference'
properties:
port:
description: |-
For east/west this is the name of the Consul Service port to direct traffic to
or empty to imply all.
For north/south this is TBD.
For more details on potential values of this field, see documentation for
Service.ServicePort.
type: string
ref:
description: |-
For east/west configuration, this should point to a Service.
For north/south it should point to a Gateway.
properties:
name:
description: Name is the user-given name of the resource
(e.g. the "billing" service).
type: string
section:
description: Section identifies which part of the resource
the condition relates to.
type: string
tenancy:
description: |-
Tenancy identifies the tenancy units (i.e. partition, namespace) in which
the resource resides.
properties:
namespace:
description: |-
Namespace further isolates resources within a partition.
https://developer.hashicorp.com/consul/docs/enterprise/namespaces
When using the List and WatchList endpoints, provide the wildcard value "*"
to list resources across all namespaces.
type: string
partition:
description: |-
Partition is the topmost administrative boundary within a cluster.
https://developer.hashicorp.com/consul/docs/enterprise/admin-partitions
When using the List and WatchList endpoints, provide the wildcard value "*"
to list resources across all partitions.
type: string
type: object
type:
description: Type identifies the resource's type.
properties:
group:
description: |-
Group describes the area of functionality to which this resource type
relates (e.g. "catalog", "authorization").
type: string
groupVersion:
description: |-
GroupVersion is incremented when sweeping or backward-incompatible changes
are made to the group's resource types.
type: string
kind:
description: Kind identifies the specific resource type
within the group.
type: string
type: object
type: object
type: object
type: array
rules:
description: |-
Rules are a list of HTTP-based routing rules that this route should
use for constructing a routing table.
items:
description: |-
HTTPRouteRule specifies the routing rules used to determine what upstream
service an HTTP request is routed to.
properties:
backendRefs:
description: |-
BackendRefs defines the backend(s) where matching requests should be sent.
Failure behavior here depends on how many BackendRefs are specified and
how many are invalid.
If all entries in BackendRefs are invalid, and there are also no filters
specified in this route rule, all traffic which matches this rule MUST
receive a 500 status code.
See the HTTPBackendRef definition for the rules about what makes a single
HTTPBackendRef invalid.
When a HTTPBackendRef is invalid, 500 status codes MUST be returned for
requests that would have otherwise been routed to an invalid backend. If
multiple backends are specified, and some are invalid, the proportion of
requests that would otherwise have been routed to an invalid backend MUST
receive a 500 status code.
For example, if two backends are specified with equal weights, and one is
invalid, 50 percent of traffic must receive a 500. Implementations may
choose how that 50 percent is determined.
items:
properties:
backendRef:
properties:
datacenter:
type: string
port:
description: |-
For east/west this is the name of the Consul Service port to direct traffic to
or empty to imply using the same value as the parent ref.
For north/south this is TBD.
For more details on potential values of this field, see documentation for
Service.ServicePort.
type: string
ref:
description: For east/west configuration, this should
point to a Service.
properties:
name:
description: Name is the user-given name of the
resource (e.g. the "billing" service).
type: string
section:
description: Section identifies which part of
the resource the condition relates to.
type: string
tenancy:
description: |-
Tenancy identifies the tenancy units (i.e. partition, namespace) in which
the resource resides.
properties:
namespace:
description: |-
Namespace further isolates resources within a partition.
https://developer.hashicorp.com/consul/docs/enterprise/namespaces
When using the List and WatchList endpoints, provide the wildcard value "*"
to list resources across all namespaces.
type: string
partition:
description: |-
Partition is the topmost administrative boundary within a cluster.
https://developer.hashicorp.com/consul/docs/enterprise/admin-partitions
When using the List and WatchList endpoints, provide the wildcard value "*"
to list resources across all partitions.
type: string
type: object
type:
description: Type identifies the resource's type.
properties:
group:
description: |-
Group describes the area of functionality to which this resource type
relates (e.g. "catalog", "authorization").
type: string
groupVersion:
description: |-
GroupVersion is incremented when sweeping or backward-incompatible changes
are made to the group's resource types.
type: string
kind:
description: Kind identifies the specific
resource type within the group.
type: string
type: object
type: object
type: object
filters:
description: |-
Filters defined at this level should be executed if and only if the
request is being forwarded to the backend defined here.
items:
properties:
requestHeaderModifier:
description: |-
RequestHeaderModifier defines a schema for a filter that modifies request
headers.
properties:
add:
description: |-
Add adds the given header(s) (name, value) to the request before the
action. It appends to any existing values associated with the header name.
items:
properties:
name:
type: string
value:
type: string
type: object
type: array
remove:
description: |-
Remove the given header(s) from the HTTP request before the action. The
value of Remove is a list of HTTP header names. Note that the header names
are case-insensitive (see
https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
items:
type: string
type: array
set:
description: |-
Set overwrites the request with the given header (name, value) before the
action.
items:
properties:
name:
type: string
value:
type: string
type: object
type: array
type: object
responseHeaderModifier:
description: |-
ResponseHeaderModifier defines a schema for a filter that modifies
response headers.
properties:
add:
description: |-
Add adds the given header(s) (name, value) to the request before the
action. It appends to any existing values associated with the header name.
items:
properties:
name:
type: string
value:
type: string
type: object
type: array
remove:
description: |-
Remove the given header(s) from the HTTP request before the action. The
value of Remove is a list of HTTP header names. Note that the header names
are case-insensitive (see
https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
items:
type: string
type: array
set:
description: |-
Set overwrites the request with the given header (name, value) before the
action.
items:
properties:
name:
type: string
value:
type: string
type: object
type: array
type: object
urlRewrite:
description: |-
URLRewrite defines a schema for a filter that modifies a request during
forwarding.
properties:
pathPrefix:
type: string
type: object
type: object
type: array
weight:
description: |-
Weight specifies the proportion of requests forwarded to the referenced
backend. This is computed as weight/(sum of all weights in this
BackendRefs list). For non-zero values, there may be some epsilon from the
exact proportion defined here depending on the precision an implementation
supports. Weight is not a percentage and the sum of weights does not need
to equal 100.
If only one backend is specified and it has a weight greater than 0, 100%
of the traffic is forwarded to that backend. If weight is set to 0, no
traffic should be forwarded for this entry. If unspecified, weight defaults
to 1.
format: int32
type: integer
type: object
type: array
filters:
items:
properties:
requestHeaderModifier:
description: |-
RequestHeaderModifier defines a schema for a filter that modifies request
headers.
properties:
add:
description: |-
Add adds the given header(s) (name, value) to the request before the
action. It appends to any existing values associated with the header name.
items:
properties:
name:
type: string
value:
type: string
type: object
type: array
remove:
description: |-
Remove the given header(s) from the HTTP request before the action. The
value of Remove is a list of HTTP header names. Note that the header names
are case-insensitive (see
https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
items:
type: string
type: array
set:
description: |-
Set overwrites the request with the given header (name, value) before the
action.
items:
properties:
name:
type: string
value:
type: string
type: object
type: array
type: object
responseHeaderModifier:
description: |-
ResponseHeaderModifier defines a schema for a filter that modifies
response headers.
properties:
add:
description: |-
Add adds the given header(s) (name, value) to the request before the
action. It appends to any existing values associated with the header name.
items:
properties:
name:
type: string
value:
type: string
type: object
type: array
remove:
description: |-
Remove the given header(s) from the HTTP request before the action. The
value of Remove is a list of HTTP header names. Note that the header names
are case-insensitive (see
https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
items:
type: string
type: array
set:
description: |-
Set overwrites the request with the given header (name, value) before the
action.
items:
properties:
name:
type: string
value:
type: string
type: object
type: array
type: object
urlRewrite:
description: |-
URLRewrite defines a schema for a filter that modifies a request during
forwarding.
properties:
pathPrefix:
type: string
type: object
type: object
type: array
matches:
items:
properties:
headers:
description: |-
Headers specifies HTTP request header matchers. Multiple match values are
ANDed together, meaning, a request must match all the specified headers to
select the route.
items:
properties:
invert:
description: 'NOTE: not in gamma; service-router
compat'
type: boolean
name:
description: |-
Name is the name of the HTTP Header to be matched. Name matching MUST be
case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
If multiple entries specify equivalent header names, only the first entry
with an equivalent name MUST be considered for a match. Subsequent entries
with an equivalent header name MUST be ignored. Due to the
case-insensitivity of header names, “foo” and “Foo” are considered
equivalent.
When a header is repeated in an HTTP request, it is
implementation-specific behavior as to how this is represented. Generally,
proxies should follow the guidance from the RFC:
https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 regarding
processing a repeated header, with special handling for “Set-Cookie”.
type: string
type:
description: Type specifies how to match against
the value of the header.
enum:
- HEADER_MATCH_TYPE_UNSPECIFIED
- HEADER_MATCH_TYPE_EXACT
- HEADER_MATCH_TYPE_REGEX
- HEADER_MATCH_TYPE_PRESENT
- HEADER_MATCH_TYPE_PREFIX
- HEADER_MATCH_TYPE_SUFFIX
format: int32
type: string
value:
description: Value is the value of HTTP Header to
be matched.
type: string
type: object
type: array
method:
description: |-
Method specifies HTTP method matcher. When specified, this route will be
matched only if the request has the specified method.
type: string
path:
description: |-
Path specifies a HTTP request path matcher. If this field is not
specified, a default prefix match on the “/” path is provided.
properties:
type:
description: Type specifies how to match against the
path Value.
enum:
- PATH_MATCH_TYPE_UNSPECIFIED
- PATH_MATCH_TYPE_EXACT
- PATH_MATCH_TYPE_PREFIX
- PATH_MATCH_TYPE_REGEX
format: int32
type: string
value:
description: Value of the HTTP path to match against.
type: string
type: object
queryParams:
description: |-
QueryParams specifies HTTP query parameter matchers. Multiple match values
are ANDed together, meaning, a request must match all the specified query
parameters to select the route.
items:
properties:
name:
description: |-
Name is the name of the HTTP query param to be matched. This must be an
exact string match. (See
https://tools.ietf.org/html/rfc7230#section-2.7.3).
If multiple entries specify equivalent query param names, only the first
entry with an equivalent name MUST be considered for a match. Subsequent
entries with an equivalent query param name MUST be ignored.
If a query param is repeated in an HTTP request, the behavior is purposely
left undefined, since different data planes have different capabilities.
However, it is recommended that implementations should match against the
first value of the param if the data plane supports it, as this behavior
is expected in other load balancing contexts outside of the Gateway API.
Users SHOULD NOT route traffic based on repeated query params to guard
themselves against potential differences in the implementations.
type: string
type:
description: Type specifies how to match against
the value of the query parameter.
enum:
- QUERY_PARAM_MATCH_TYPE_UNSPECIFIED
- QUERY_PARAM_MATCH_TYPE_EXACT
- QUERY_PARAM_MATCH_TYPE_REGEX
- QUERY_PARAM_MATCH_TYPE_PRESENT
format: int32
type: string
value:
description: Value is the value of HTTP query param
to be matched.
type: string
type: object
type: array
type: object
type: array
retries:
properties:
number:
description: |-
Number is the number of times to retry the request when a retryable
result occurs.
properties:
value:
description: The uint32 value.
format: int32
type: integer
type: object
onConditions:
description: |-
RetryOn allows setting envoy specific conditions when a request should
be automatically retried.
items:
type: string
type: array
onConnectFailure:
description: |-
RetryOnConnectFailure allows for connection failure errors to trigger a
retry.
type: boolean
onStatusCodes:
description: |-
RetryOnStatusCodes is a flat list of http response status codes that are
eligible for retry. This again should be feasible in any reasonable proxy.
items:
format: int32
type: integer
type: array
type: object
timeouts:
description: |-
HTTPRouteTimeouts defines timeouts that can be configured for an HTTPRoute
or GRPCRoute.
properties:
idle:
description: Idle specifies the total amount of time permitted
for the request stream to be idle.
format: duration
properties:
nanos:
description: |-
Signed fractions of a second at nanosecond resolution of the span
of time. Durations less than one second are represented with a 0
`seconds` field and a positive or negative `nanos` field. For durations
of one second or more, a non-zero value for the `nanos` field must be
of the same sign as the `seconds` field. Must be from -999,999,999
to +999,999,999 inclusive.
format: int32
type: integer
seconds:
description: |-
Signed seconds of the span of time. Must be from -315,576,000,000
to +315,576,000,000 inclusive. Note: these bounds are computed from:
60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years
format: int64
type: integer
type: object
request:
description: |-
RequestTimeout is the total amount of time permitted for the entire
downstream request (and retries) to be processed.
format: duration
properties:
nanos:
description: |-
Signed fractions of a second at nanosecond resolution of the span
of time. Durations less than one second are represented with a 0
`seconds` field and a positive or negative `nanos` field. For durations
of one second or more, a non-zero value for the `nanos` field must be
of the same sign as the `seconds` field. Must be from -999,999,999
to +999,999,999 inclusive.
format: int32
type: integer
seconds:
description: |-
Signed seconds of the span of time. Must be from -315,576,000,000
to +315,576,000,000 inclusive. Note: these bounds are computed from:
60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years
format: int64
type: integer
type: object
type: object
type: object
type: array
type: object
status:
properties:
conditions:
description: Conditions indicate the latest available observations
of a resource's current state.
items:
description: |-
Conditions define a readiness condition for a Consul resource.
See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties
properties:
lastTransitionTime:
description: LastTransitionTime is the last time the condition
transitioned from one status to another.
format: date-time
type: string
message:
description: A human readable message indicating details about
the transition.
type: string
reason:
description: The reason for the condition's last transition.
type: string
status:
description: Status of the condition, one of True, False, Unknown.
type: string
type:
description: Type of condition.
type: string
required:
- status
- type
type: object
type: array
lastSyncedTime:
description: LastSyncedTime is the last time the resource successfully
synced with Consul.
format: date-time
type: string
type: object
type: object
served: true
storage: true
subresources:
status: {}
{{- end }}
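Review bot: the declared types and formats disagree in this hunk: `path.type` and `queryParams[].type` are `type: string` enums yet carry `format: int32`, and `retries.number.value` is described as "The uint32 value" but declared `format: int32`. A numeric format on a string type is meaningless and does not change what the API server validates, but it misleads anyone reading the CRD, and the `value` description promises a range (uint32) that the schema does not enforce. These manifests are generated from upstream type definitions, so the fix belongs in the generator and the source comments rather than a hand edit of the chart copy.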

View File

@ -0,0 +1,466 @@
{{- if .Values.connectInject.enabled }}
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
labels:
app: {{ template "consul.name" . }}
chart: {{ template "consul.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
component: crd
name: ingressgateways.consul.hashicorp.com
spec:
group: consul.hashicorp.com
names:
kind: IngressGateway
listKind: IngressGatewayList
plural: ingressgateways
shortNames:
- ingress-gateway
singular: ingressgateway
scope: Namespaced
versions:
- additionalPrinterColumns:
- description: The sync status of the resource with Consul
jsonPath: .status.conditions[?(@.type=="Synced")].status
name: Synced
type: string
- description: The last successful synced time of the resource with Consul
jsonPath: .status.lastSyncedTime
name: Last Synced
type: date
- description: The age of the resource
jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v1alpha1
schema:
openAPIV3Schema:
description: IngressGateway is the Schema for the ingressgateways API
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: IngressGatewaySpec defines the desired state of IngressGateway.
properties:
defaults:
description: Defaults is default configuration for all upstream services
properties:
maxConcurrentRequests:
description: |-
The maximum number of concurrent requests that
will be allowed at a single point in time. Use this to limit HTTP/2 traffic,
since HTTP/2 has many requests per connection.
format: int32
type: integer
maxConnections:
description: |-
The maximum number of connections a service instance
will be allowed to establish against the given upstream. Use this to limit
HTTP/1.1 traffic, since HTTP/1.1 has a request per connection.
format: int32
type: integer
maxPendingRequests:
description: |-
The maximum number of requests that will be queued
while waiting for a connection to be established.
format: int32
type: integer
passiveHealthCheck:
description: |-
PassiveHealthCheck configuration determines how upstream proxy instances will
be monitored for removal from the load balancing pool.
properties:
baseEjectionTime:
description: |-
The base time that a host is ejected for. The real time is equal to the base time
multiplied by the number of times the host has been ejected and is capped by
max_ejection_time (Default 300s). Defaults to 30s.
type: string
enforcingConsecutive5xx:
description: |-
EnforcingConsecutive5xx is the % chance that a host will be actually ejected
when an outlier status is detected through consecutive 5xx.
This setting can be used to disable ejection or to ramp it up slowly.
Ex. Setting this to 10 will make it a 10% chance that the host will be ejected.
format: int32
type: integer
interval:
description: |-
Interval between health check analysis sweeps. Each sweep may remove
hosts or return hosts to the pool. Ex. setting this to "10s" will set
the interval to 10 seconds.
type: string
maxEjectionPercent:
description: |-
The maximum % of an upstream cluster that can be ejected due to outlier detection.
Defaults to 10% but will eject at least one host regardless of the value.
format: int32
type: integer
maxFailures:
description: |-
MaxFailures is the count of consecutive failures that results in a host
being removed from the pool.
format: int32
type: integer
type: object
type: object
listeners:
description: |-
Listeners declares what ports the ingress gateway should listen on, and
what services to associated to those ports.
items:
description: IngressListener manages the configuration for a listener
on a specific port.
properties:
port:
description: Port declares the port on which the ingress gateway
should listen for traffic.
type: integer
protocol:
description: |-
Protocol declares what type of traffic this listener is expected to
receive. Depending on the protocol, a listener might support multiplexing
services over a single port, or additional discovery chain features. The
current supported values are: (tcp | http | http2 | grpc).
type: string
services:
description: |-
Services declares the set of services to which the listener forwards
traffic.
For "tcp" protocol listeners, only a single service is allowed.
For "http" listeners, multiple services can be declared.
items:
description: |-
IngressService manages configuration for services that are exposed to
ingress traffic.
properties:
hosts:
description: |-
Hosts is a list of hostnames which should be associated to this service on
the defined listener. Only allowed on layer 7 protocols, this will be used
to route traffic to the service by matching the Host header of the HTTP
request.
If a host is provided for a service that also has a wildcard specifier
defined, the host will override the wildcard-specifier-provided
"<service-name>.*" domain for that listener.
This cannot be specified when using the wildcard specifier, "*", or when
using a "tcp" listener.
items:
type: string
type: array
maxConcurrentRequests:
description: |-
The maximum number of concurrent requests that
will be allowed at a single point in time. Use this to limit HTTP/2 traffic,
since HTTP/2 has many requests per connection.
format: int32
type: integer
maxConnections:
description: |-
The maximum number of connections a service instance
will be allowed to establish against the given upstream. Use this to limit
HTTP/1.1 traffic, since HTTP/1.1 has a request per connection.
format: int32
type: integer
maxPendingRequests:
description: |-
The maximum number of requests that will be queued
while waiting for a connection to be established.
format: int32
type: integer
name:
description: |-
Name declares the service to which traffic should be forwarded.
This can either be a specific service, or the wildcard specifier,
"*". If the wildcard specifier is provided, the listener must be of "http"
protocol and means that the listener will forward traffic to all services.
A name can be specified on multiple listeners, and will be exposed on both
of the listeners.
type: string
namespace:
description: |-
Namespace is the namespace where the service is located.
Namespacing is a Consul Enterprise feature.
type: string
partition:
description: |-
Partition is the admin-partition where the service is located.
Partitioning is a Consul Enterprise feature.
type: string
passiveHealthCheck:
description: |-
PassiveHealthCheck configuration determines how upstream proxy instances will
be monitored for removal from the load balancing pool.
properties:
baseEjectionTime:
description: |-
The base time that a host is ejected for. The real time is equal to the base time
multiplied by the number of times the host has been ejected and is capped by
max_ejection_time (Default 300s). Defaults to 30s.
type: string
enforcingConsecutive5xx:
description: |-
EnforcingConsecutive5xx is the % chance that a host will be actually ejected
when an outlier status is detected through consecutive 5xx.
This setting can be used to disable ejection or to ramp it up slowly.
Ex. Setting this to 10 will make it a 10% chance that the host will be ejected.
format: int32
type: integer
interval:
description: |-
Interval between health check analysis sweeps. Each sweep may remove
hosts or return hosts to the pool. Ex. setting this to "10s" will set
the interval to 10 seconds.
type: string
maxEjectionPercent:
description: |-
The maximum % of an upstream cluster that can be ejected due to outlier detection.
Defaults to 10% but will eject at least one host regardless of the value.
format: int32
type: integer
maxFailures:
description: |-
MaxFailures is the count of consecutive failures that results in a host
being removed from the pool.
format: int32
type: integer
type: object
requestHeaders:
description: Allow HTTP header manipulation to be configured.
properties:
add:
additionalProperties:
type: string
description: |-
Add is a set of name -> value pairs that should be appended to the request
or response (i.e. allowing duplicates if the same header already exists).
type: object
remove:
description: |-
Remove is the set of header names that should be stripped from the request
or response.
items:
type: string
type: array
set:
additionalProperties:
type: string
description: |-
Set is a set of name -> value pairs that should be added to the request or
response, overwriting any existing header values of the same name.
type: object
type: object
responseHeaders:
description: |-
HTTPHeaderModifiers is a set of rules for HTTP header modification that
should be performed by proxies as the request passes through them. It can
operate on either request or response headers depending on the context in
which it is used.
properties:
add:
additionalProperties:
type: string
description: |-
Add is a set of name -> value pairs that should be appended to the request
or response (i.e. allowing duplicates if the same header already exists).
type: object
remove:
description: |-
Remove is the set of header names that should be stripped from the request
or response.
items:
type: string
type: array
set:
additionalProperties:
type: string
description: |-
Set is a set of name -> value pairs that should be added to the request or
response, overwriting any existing header values of the same name.
type: object
type: object
tls:
description: TLS allows specifying some TLS configuration
per listener.
properties:
sds:
description: SDS allows configuring TLS certificate
from an SDS service.
properties:
certResource:
description: CertResource is the SDS resource
name to request when fetching the certificate
from the SDS service.
type: string
clusterName:
description: |-
ClusterName is the SDS cluster name to connect to, to retrieve certificates.
This cluster must be specified in the Gateway's bootstrap configuration.
type: string
type: object
type: object
type: object
type: array
tls:
description: TLS config for this listener.
properties:
cipherSuites:
description: |-
Define a subset of cipher suites to restrict
Only applicable to connections negotiated via TLS 1.2 or earlier.
items:
type: string
type: array
enabled:
description: Indicates that TLS should be enabled for this
gateway service.
type: boolean
sds:
description: SDS allows configuring TLS certificate from
an SDS service.
properties:
certResource:
description: CertResource is the SDS resource name to
request when fetching the certificate from the SDS
service.
type: string
clusterName:
description: |-
ClusterName is the SDS cluster name to connect to, to retrieve certificates.
This cluster must be specified in the Gateway's bootstrap configuration.
type: string
type: object
tlsMaxVersion:
description: |-
TLSMaxVersion sets the default maximum TLS version supported. Must be greater than or equal to `TLSMinVersion`.
One of `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, `TLSv1_2`, or `TLSv1_3`.
If unspecified, Envoy will default to TLS 1.3 as a max version for incoming connections.
type: string
tlsMinVersion:
description: |-
TLSMinVersion sets the default minimum TLS version supported.
One of `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, `TLSv1_2`, or `TLSv1_3`.
If unspecified, Envoy v1.22.0 and newer will default to TLS 1.2 as a min version,
while older releases of Envoy default to TLS 1.0.
type: string
required:
- enabled
type: object
type: object
type: array
tls:
description: TLS holds the TLS configuration for this gateway.
properties:
cipherSuites:
description: |-
Define a subset of cipher suites to restrict
Only applicable to connections negotiated via TLS 1.2 or earlier.
items:
type: string
type: array
enabled:
description: Indicates that TLS should be enabled for this gateway
service.
type: boolean
sds:
description: SDS allows configuring TLS certificate from an SDS
service.
properties:
certResource:
description: CertResource is the SDS resource name to request
when fetching the certificate from the SDS service.
type: string
clusterName:
description: |-
ClusterName is the SDS cluster name to connect to, to retrieve certificates.
This cluster must be specified in the Gateway's bootstrap configuration.
type: string
type: object
tlsMaxVersion:
description: |-
TLSMaxVersion sets the default maximum TLS version supported. Must be greater than or equal to `TLSMinVersion`.
One of `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, `TLSv1_2`, or `TLSv1_3`.
If unspecified, Envoy will default to TLS 1.3 as a max version for incoming connections.
type: string
tlsMinVersion:
description: |-
TLSMinVersion sets the default minimum TLS version supported.
One of `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, `TLSv1_2`, or `TLSv1_3`.
If unspecified, Envoy v1.22.0 and newer will default to TLS 1.2 as a min version,
while older releases of Envoy default to TLS 1.0.
type: string
required:
- enabled
type: object
type: object
status:
properties:
conditions:
description: Conditions indicate the latest available observations
of a resource's current state.
items:
description: |-
Conditions define a readiness condition for a Consul resource.
See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties
properties:
lastTransitionTime:
description: LastTransitionTime is the last time the condition
transitioned from one status to another.
format: date-time
type: string
message:
description: A human readable message indicating details about
the transition.
type: string
reason:
description: The reason for the condition's last transition.
type: string
status:
description: Status of the condition, one of True, False, Unknown.
type: string
type:
description: Type of condition.
type: string
required:
- status
- type
type: object
type: array
lastSyncedTime:
description: LastSyncedTime is the last time the resource successfully
synced with Consul.
format: date-time
type: string
type: object
type: object
served: true
storage: true
subresources:
status: {}
{{- end }}
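Review bot: the `tlsMinVersion` description, repeated in the per-listener `tls` block and the gateway-level `tls` block, says that when the field is unspecified the minimum is TLS 1.2 only on Envoy v1.22.0 and newer and TLS 1.0 on older releases, so the effective floor depends on the Envoy image rather than on the manifest. The chart documentation should tell operators to set `tlsMinVersion: TLSv1_2` explicitly, and should repeat that `cipherSuites` is documented as applying only to TLS 1.2 or earlier, so a restricted suite list does not constrain TLS 1.3 connections. Documentation nit in the `listeners` description: "what services to associated to those ports" should read "what services to associate with those ports".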

View File

@ -0,0 +1,375 @@
{{- if .Values.connectInject.enabled }}
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
labels:
app: {{ template "consul.name" . }}
chart: {{ template "consul.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
component: crd
name: jwtproviders.consul.hashicorp.com
spec:
group: consul.hashicorp.com
names:
kind: JWTProvider
listKind: JWTProviderList
plural: jwtproviders
singular: jwtprovider
scope: Namespaced
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
description: JWTProvider is the Schema for the jwtproviders API.
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: JWTProviderSpec defines the desired state of JWTProvider
properties:
audiences:
description: |-
Audiences is the set of audiences the JWT is allowed to access.
If specified, all JWTs verified with this provider must address
at least one of these to be considered valid.
items:
type: string
type: array
cacheConfig:
description: |-
CacheConfig defines configuration for caching the validation
result for previously seen JWTs. Caching results can speed up
verification when individual tokens are expected to be handled
multiple times.
properties:
size:
description: |-
Size specifies the maximum number of JWT verification
results to cache.
Defaults to 0, meaning that JWT caching is disabled.
type: integer
type: object
clockSkewSeconds:
description: |-
ClockSkewSeconds specifies the maximum allowable time difference
from clock skew when validating the "exp" (Expiration) and "nbf"
(Not Before) claims.
Default value is 30 seconds.
type: integer
forwarding:
description: Forwarding defines rules for forwarding verified JWTs
to the backend.
properties:
headerName:
description: |-
HeaderName is a header name to use when forwarding a verified
JWT to the backend. The verified JWT could have been extracted
from any location (query param, header, or cookie).
The header value will be base64-URL-encoded, and will not be
padded unless PadForwardPayloadHeader is true.
type: string
padForwardPayloadHeader:
description: |-
PadForwardPayloadHeader determines whether padding should be added
to the base64 encoded token forwarded with ForwardPayloadHeader.
Default value is false.
type: boolean
type: object
issuer:
description: |-
Issuer is the entity that must have issued the JWT.
This value must match the "iss" claim of the token.
type: string
jsonWebKeySet:
description: |-
JSONWebKeySet defines a JSON Web Key Set, its location on disk, or the
means with which to fetch a key set from a remote server.
properties:
local:
description: Local specifies a local source for the key set.
properties:
filename:
description: |-
Filename configures a location on disk where the JWKS can be
found. If specified, the file must be present on the disk of ALL
proxies with intentions referencing this provider.
type: string
jwks:
description: JWKS contains a base64 encoded JWKS.
type: string
type: object
remote:
description: Remote specifies how to fetch a key set from a remote
server.
properties:
cacheDuration:
description: |-
CacheDuration is the duration after which cached keys
should be expired.
Default value is 5 minutes.
type: string
fetchAsynchronously:
description: |-
FetchAsynchronously indicates that the JWKS should be fetched
when a client request arrives. Client requests will be paused
until the JWKS is fetched.
If false, the proxy listener will wait for the JWKS to be
fetched before being activated.
Default value is false.
type: boolean
jwksCluster:
description: JWKSCluster defines how the specified Remote
JWKS URI is to be fetched.
properties:
connectTimeout:
description: |-
The timeout for new network connections to hosts in the cluster.
If not set, a default value of 5s will be used.
type: string
discoveryType:
description: |-
DiscoveryType refers to the service discovery type to use for resolving the cluster.
This defaults to STRICT_DNS.
Other options include STATIC, LOGICAL_DNS, EDS or ORIGINAL_DST.
type: string
tlsCertificates:
description: |-
TLSCertificates refers to the data containing certificate authority certificates to use
in verifying a presented peer certificate.
If not specified and a peer certificate is presented it will not be verified.
Must be either CaCertificateProviderInstance or TrustedCA.
properties:
caCertificateProviderInstance:
description: CaCertificateProviderInstance Certificate
provider instance for fetching TLS certificates.
properties:
certificateName:
description: |-
CertificateName is used to specify certificate instances or types. For example, "ROOTCA" to specify
a root-certificate (validation context) or "example.com" to specify a certificate for a
particular domain.
The default value is the empty string.
type: string
instanceName:
description: |-
InstanceName refers to the certificate provider instance name.
The default value is "default".
type: string
type: object
trustedCA:
description: |-
TrustedCA defines TLS certificate data containing certificate authority certificates
to use in verifying a presented peer certificate.
Exactly one of Filename, EnvironmentVariable, InlineString or InlineBytes must be specified.
properties:
environmentVariable:
type: string
filename:
type: string
inlineBytes:
format: byte
type: string
inlineString:
type: string
type: object
type: object
type: object
requestTimeoutMs:
description: |-
RequestTimeoutMs is the number of milliseconds to
time out when making a request for the JWKS.
type: integer
retryPolicy:
description: |-
RetryPolicy defines a retry policy for fetching JWKS.
There is no retry by default.
properties:
numRetries:
description: |-
NumRetries is the number of times to retry fetching the JWKS.
The retry strategy uses jittered exponential backoff with
a base interval of 1s and max of 10s.
Default value is 0.
type: integer
retryPolicyBackOff:
description: |-
Retry's backoff policy.
Defaults to Envoy's backoff policy.
properties:
baseInterval:
description: |-
BaseInterval to be used for the next back off computation.
The default value from envoy is 1s.
type: string
maxInterval:
description: |-
MaxInternal to be used to specify the maximum interval between retries.
Optional but should be greater or equal to BaseInterval.
Defaults to 10 times BaseInterval.
type: string
type: object
type: object
uri:
description: URI is the URI of the server to query for the
JWKS.
type: string
type: object
type: object
locations:
description: |-
Locations where the JWT will be present in requests.
Envoy will check all of these locations to extract a JWT.
If no locations are specified Envoy will default to:
1. Authorization header with Bearer schema:
"Authorization: Bearer <token>"
2. accessToken query parameter.
items:
description: |-
JWTLocation is a location where the JWT could be present in requests.
Only one of Header, QueryParam, or Cookie can be specified.
properties:
cookie:
description: Cookie defines how to extract a JWT from an HTTP
request cookie.
properties:
name:
description: Name is the name of the cookie containing the
token.
type: string
type: object
header:
description: Header defines how to extract a JWT from an HTTP
request header.
properties:
forward:
description: |-
Forward defines whether the header with the JWT should be
forwarded after the token has been verified. If false, the
header will not be forwarded to the backend.
Default value is false.
type: boolean
name:
description: Name is the name of the header containing the
token.
type: string
valuePrefix:
description: |-
ValuePrefix is an optional prefix that precedes the token in the
header value.
For example, "Bearer " is a standard value prefix for a header named
"Authorization", but the prefix is not part of the token itself:
"Authorization: Bearer <token>"
type: string
type: object
queryParam:
description: |-
QueryParam defines how to extract a JWT from an HTTP request
query parameter.
properties:
name:
description: Name is the name of the query param containing
the token.
type: string
type: object
type: object
type: array
type: object
status:
properties:
conditions:
description: Conditions indicate the latest available observations
of a resource's current state.
items:
description: |-
Conditions define a readiness condition for a Consul resource.
See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties
properties:
lastTransitionTime:
description: LastTransitionTime is the last time the condition
transitioned from one status to another.
format: date-time
type: string
message:
description: A human readable message indicating details about
the transition.
type: string
reason:
description: The reason for the condition's last transition.
type: string
status:
description: Status of the condition, one of True, False, Unknown.
type: string
type:
description: Type of condition.
type: string
required:
- status
- type
type: object
type: array
lastSyncedTime:
description: LastSyncedTime is the last time the resource successfully
synced with Consul.
format: date-time
type: string
type: object
type: object
served: true
storage: true
subresources:
status: {}
{{- end }}
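Review bot: in `jsonWebKeySet.remote.jwksCluster.tlsCertificates` the description states that if it is not specified, a presented peer certificate will not be verified, so a remote JWKS fetched over TLS is accepted from an unauthenticated server unless `trustedCA` or `caCertificateProviderInstance` is set. Because every JWT verified through this provider trusts that key set, the chart documentation and any example manifests should treat `tlsCertificates` as required whenever `remote` is used. Two documentation nits in the same hunk: `retryPolicyBackOff.maxInterval` is described as "MaxInternal", and the `fetchAsynchronously` description says the true case fetches the JWKS when a request arrives and pauses requests while the false case fetches before the listener activates, which reads inverted relative to the field name and should be checked against the Envoy behaviour before users rely on it.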

View File

@ -0,0 +1,107 @@
{{- if .Values.connectInject.enabled }}
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
labels:
app: {{ template "consul.name" . }}
chart: {{ template "consul.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
component: crd
name: meshconfigurations.mesh.consul.hashicorp.com
spec:
group: mesh.consul.hashicorp.com
names:
kind: MeshConfiguration
listKind: MeshConfigurationList
plural: meshconfigurations
singular: meshconfiguration
scope: Cluster
versions:
- additionalPrinterColumns:
- description: The sync status of the resource with Consul
jsonPath: .status.conditions[?(@.type=="Synced")].status
name: Synced
type: string
- description: The last successful synced time of the resource with Consul
jsonPath: .status.lastSyncedTime
name: Last Synced
type: date
- description: The age of the resource
jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v2beta1
schema:
openAPIV3Schema:
description: MeshConfiguration is the Schema for the Mesh Configuration
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: |-
MeshConfiguration is responsible for configuring the default behavior of Mesh Gateways.
This is a Resource type.
type: object
status:
properties:
conditions:
description: Conditions indicate the latest available observations
of a resource's current state.
items:
description: |-
Conditions define a readiness condition for a Consul resource.
See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties
properties:
lastTransitionTime:
description: LastTransitionTime is the last time the condition
transitioned from one status to another.
format: date-time
type: string
message:
description: A human readable message indicating details about
the transition.
type: string
reason:
description: The reason for the condition's last transition.
type: string
status:
description: Status of the condition, one of True, False, Unknown.
type: string
type:
description: Type of condition.
type: string
required:
- status
- type
type: object
type: array
lastSyncedTime:
description: LastSyncedTime is the last time the resource successfully
synced with Consul.
format: date-time
type: string
type: object
type: object
served: true
storage: true
subresources:
status: {}
{{- end }}
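Review bot: `spec` in this CRD is a bare `type: object` with no `properties` and no `x-kubernetes-preserve-unknown-fields`, so under the structural-schema rules of apiextensions.k8s.io/v1 the API server prunes every field a user places under `spec`, leaving metadata as the only configurable content of a MeshConfiguration. If this v2beta1 resource is meant to carry settings (its description says it configures the default behaviour of Mesh Gateways), the fields or `x-kubernetes-preserve-unknown-fields: true` need to be declared; if it is intentionally empty for now, saying so in the description would stop users from expecting silently pruned fields to take effect.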

View File

@ -0,0 +1,214 @@
{{- if .Values.connectInject.enabled }}
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
labels:
app: {{ template "consul.name" . }}
chart: {{ template "consul.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
component: crd
name: meshes.consul.hashicorp.com
spec:
group: consul.hashicorp.com
names:
kind: Mesh
listKind: MeshList
plural: meshes
singular: mesh
scope: Namespaced
versions:
- additionalPrinterColumns:
- description: The sync status of the resource with Consul
jsonPath: .status.conditions[?(@.type=="Synced")].status
name: Synced
type: string
- description: The last successful synced time of the resource with Consul
jsonPath: .status.lastSyncedTime
name: Last Synced
type: date
- description: The age of the resource
jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v1alpha1
schema:
openAPIV3Schema:
description: Mesh is the Schema for the mesh API
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: MeshSpec defines the desired state of Mesh.
properties:
allowEnablingPermissiveMutualTLS:
description: |-
AllowEnablingPermissiveMutualTLS must be true in order to allow setting
MutualTLSMode=permissive in either service-defaults or proxy-defaults.
type: boolean
http:
description: HTTP defines the HTTP configuration for the service mesh.
properties:
sanitizeXForwardedClientCert:
type: boolean
required:
- sanitizeXForwardedClientCert
type: object
peering:
description: Peering defines the peering configuration for the service
mesh.
properties:
peerThroughMeshGateways:
description: |-
PeerThroughMeshGateways determines whether peering traffic between
control planes should flow through mesh gateways. If enabled,
Consul servers will advertise mesh gateway addresses as their own.
Additionally, mesh gateways will configure themselves to expose
the local servers using a peering-specific SNI.
type: boolean
type: object
tls:
description: TLS defines the TLS configuration for the service mesh.
properties:
incoming:
description: |-
Incoming defines the TLS configuration for inbound mTLS connections targeting
the public listener on Connect and TerminatingGateway proxy kinds.
properties:
cipherSuites:
description: |-
CipherSuites sets the default list of TLS cipher suites to support when negotiating connections using TLS 1.2 or earlier.
If unspecified, Envoy will use a default server cipher list. The list of supported cipher suites can be seen in
https://github.com/hashicorp/consul/blob/v1.11.2/types/tls.go#L154-L169 and is dependent on underlying support in Envoy.
Future releases of Envoy may remove currently-supported but insecure cipher suites,
and future releases of Consul may add new supported cipher suites if any are added to Envoy.
items:
type: string
type: array
tlsMaxVersion:
description: |-
TLSMaxVersion sets the default maximum TLS version supported. Must be greater than or equal to `TLSMinVersion`.
One of `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, `TLSv1_2`, or `TLSv1_3`.
If unspecified, Envoy will default to TLS 1.3 as a max version for incoming connections.
type: string
tlsMinVersion:
description: |-
TLSMinVersion sets the default minimum TLS version supported.
One of `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, `TLSv1_2`, or `TLSv1_3`.
If unspecified, Envoy v1.22.0 and newer will default to TLS 1.2 as a min version,
while older releases of Envoy default to TLS 1.0.
type: string
type: object
outgoing:
description: |-
Outgoing defines the TLS configuration for outbound mTLS connections dialing upstreams
from Connect and IngressGateway proxy kinds.
properties:
cipherSuites:
description: |-
CipherSuites sets the default list of TLS cipher suites to support when negotiating connections using TLS 1.2 or earlier.
If unspecified, Envoy will use a default server cipher list. The list of supported cipher suites can be seen in
https://github.com/hashicorp/consul/blob/v1.11.2/types/tls.go#L154-L169 and is dependent on underlying support in Envoy.
Future releases of Envoy may remove currently-supported but insecure cipher suites,
and future releases of Consul may add new supported cipher suites if any are added to Envoy.
items:
type: string
type: array
tlsMaxVersion:
description: |-
TLSMaxVersion sets the default maximum TLS version supported. Must be greater than or equal to `TLSMinVersion`.
One of `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, `TLSv1_2`, or `TLSv1_3`.
If unspecified, Envoy will default to TLS 1.3 as a max version for incoming connections.
type: string
tlsMinVersion:
description: |-
TLSMinVersion sets the default minimum TLS version supported.
One of `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, `TLSv1_2`, or `TLSv1_3`.
If unspecified, Envoy v1.22.0 and newer will default to TLS 1.2 as a min version,
while older releases of Envoy default to TLS 1.0.
type: string
type: object
type: object
transparentProxy:
description: TransparentProxy controls the configuration specific
to proxies in "transparent" mode. Added in v1.10.0.
properties:
meshDestinationsOnly:
description: |-
MeshDestinationsOnly determines whether sidecar proxies operating in "transparent" mode can proxy traffic
to IP addresses not registered in Consul's catalog. If enabled, traffic will only be proxied to upstreams
with service registrations in the catalog.
type: boolean
type: object
validateClusters:
description: |-
ValidateClusters controls whether the clusters the route table refers to are validated. The default value is
false. When set to false and a route refers to a cluster that does not exist, the route table loads and routing
to a non-existent cluster results in a 404. When set to true and the route is set to a cluster that do not exist,
the route table will not load. For more information, refer to
[HTTP route configuration in the Envoy docs](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/route/v3/route.proto#envoy-v3-api-field-config-route-v3-routeconfiguration-validate-clusters)
for more details.
type: boolean
type: object
status:
properties:
conditions:
description: Conditions indicate the latest available observations
of a resource's current state.
items:
description: |-
Conditions define a readiness condition for a Consul resource.
See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties
properties:
lastTransitionTime:
description: LastTransitionTime is the last time the condition
transitioned from one status to another.
format: date-time
type: string
message:
description: A human readable message indicating details about
the transition.
type: string
reason:
description: The reason for the condition's last transition.
type: string
status:
description: Status of the condition, one of True, False, Unknown.
type: string
type:
description: Type of condition.
type: string
required:
- status
- type
type: object
type: array
lastSyncedTime:
description: LastSyncedTime is the last time the resource successfully
synced with Consul.
format: date-time
type: string
type: object
type: object
served: true
storage: true
subresources:
status: {}
{{- end }}
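Review bot: in spec.tls.incoming and spec.tls.outgoing, tlsMinVersion and tlsMaxVersion are plain `type: string` even though their descriptions restrict them to `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, `TLSv1_2`, or `TLSv1_3`; adding an `enum:` with those five values would reject a misspelled version at admission instead of leaving it to surface later as a failed Synced condition. Two description slips in the same block: the outgoing tlsMaxVersion text says "for incoming connections" (copied from the incoming block), and spec.validateClusters reads "a cluster that do not exist" and both opens with "For more information, refer to" and closes with "for more details". Also worth surfacing in the chart docs: the tlsMinVersion description states that Envoy releases older than v1.22.0 default to TLS 1.0 when the field is unset, so operators on older Envoy images should be told to set an explicit minimum.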

View File

@ -0,0 +1,140 @@
{{- if .Values.connectInject.enabled }}
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
labels:
app: {{ template "consul.name" . }}
chart: {{ template "consul.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
component: crd
name: meshgateways.mesh.consul.hashicorp.com
spec:
group: mesh.consul.hashicorp.com
names:
kind: MeshGateway
listKind: MeshGatewayList
plural: meshgateways
singular: meshgateway
scope: Namespaced
versions:
- additionalPrinterColumns:
- description: The sync status of the resource with Consul
jsonPath: .status.conditions[?(@.type=="Synced")].status
name: Synced
type: string
- description: The last successful synced time of the resource with Consul
jsonPath: .status.lastSyncedTime
name: Last Synced
type: date
- description: The age of the resource
jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v2beta1
schema:
openAPIV3Schema:
description: MeshGateway is the Schema for the Mesh Gateway API
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
properties:
gatewayClassName:
description: GatewayClassName is the name of the GatewayClass used
by the MeshGateway
type: string
listeners:
items:
properties:
name:
type: string
port:
format: int32
maximum: 65535
minimum: 0
type: integer
protocol:
enum:
- TCP
type: string
type: object
minItems: 1
type: array
workloads:
description: Selection of workloads to be configured as mesh gateways
properties:
filter:
type: string
names:
items:
type: string
type: array
prefixes:
items:
type: string
type: array
type: object
type: object
status:
properties:
conditions:
description: Conditions indicate the latest available observations
of a resource's current state.
items:
description: |-
Conditions define a readiness condition for a Consul resource.
See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties
properties:
lastTransitionTime:
description: LastTransitionTime is the last time the condition
transitioned from one status to another.
format: date-time
type: string
message:
description: A human readable message indicating details about
the transition.
type: string
reason:
description: The reason for the condition's last transition.
type: string
status:
description: Status of the condition, one of True, False, Unknown.
type: string
type:
description: Type of condition.
type: string
required:
- status
- type
type: object
type: array
lastSyncedTime:
description: LastSyncedTime is the last time the resource successfully
synced with Consul.
format: date-time
type: string
type: object
type: object
served: true
storage: true
subresources:
status: {}
{{- end }}
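Review bot: spec.listeners items allow `port` with `minimum: 0`, and none of `name`, `port`, or `protocol` is listed under `required`, so `minItems: 1` can be satisfied by a listener object with no port at all or with port 0; suggest `minimum: 1` and a `required:` list naming the three fields. The `spec` block here also lacks the `description:` line the sibling CRDs carry, and `workloads.filter` is an undocumented free-form string, so a one-line description of the filter syntax would help anyone reviewing user-supplied MeshGateway resources.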

View File

@ -0,0 +1,61 @@
{{- if .Values.connectInject.enabled }}
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
labels:
app: {{ template "consul.name" . }}
chart: {{ template "consul.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
component: crd
name: meshservices.consul.hashicorp.com
spec:
group: consul.hashicorp.com
names:
kind: MeshService
listKind: MeshServiceList
plural: meshservices
singular: meshservice
scope: Namespaced
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
description: MeshService holds a reference to an externally managed Consul
Service Mesh service.
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: Spec defines the desired state of MeshService.
properties:
name:
description: Name holds the service name for a Consul service.
type: string
peer:
description: |-
Peer optionally specifies the name of the peer exporting the Consul service.
If not specified, the Consul service is assumed to be in the local datacenter.
type: string
type: object
type: object
served: true
storage: true
{{- end }}
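Review bot: spec.name is described as holding the Consul service name but is not under `required`, so an empty `spec: {}` passes validation; suggest adding `required: - name` under spec. This CRD also has no status block, no `subresources: status`, and no printer columns, unlike every other CRD in this change, so there is no Synced column for it; if that is intentional because MeshService is only a reference to an externally managed service, a short comment in the template would save the next reviewer the same question.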

View File

@ -0,0 +1,152 @@
{{- if and .Values.connectInject.enabled .Values.global.peering.enabled }}
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
labels:
app: {{ template "consul.name" . }}
chart: {{ template "consul.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
component: crd
name: peeringacceptors.consul.hashicorp.com
spec:
group: consul.hashicorp.com
names:
kind: PeeringAcceptor
listKind: PeeringAcceptorList
plural: peeringacceptors
shortNames:
- peering-acceptor
singular: peeringacceptor
scope: Namespaced
versions:
- additionalPrinterColumns:
- description: The sync status of the resource with Consul
jsonPath: .status.conditions[?(@.type=="Synced")].status
name: Synced
type: string
- description: The last successful synced time of the resource with Consul
jsonPath: .status.lastSyncedTime
name: Last Synced
type: date
- description: The age of the resource
jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v1alpha1
schema:
openAPIV3Schema:
description: PeeringAcceptor is the Schema for the peeringacceptors API.
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: PeeringAcceptorSpec defines the desired state of PeeringAcceptor.
properties:
peer:
description: Peer describes the information needed to create a peering.
properties:
secret:
description: Secret describes how to store the generated peering
token.
properties:
backend:
description: 'Backend is where the generated secret is stored.
Currently supports the value: "kubernetes".'
type: string
key:
description: Key is the key of the secret generated.
type: string
name:
description: Name is the name of the secret generated.
type: string
type: object
type: object
required:
- peer
type: object
status:
description: PeeringAcceptorStatus defines the observed state of PeeringAcceptor.
properties:
conditions:
description: Conditions indicate the latest available observations
of a resource's current state.
items:
description: |-
Conditions define a readiness condition for a Consul resource.
See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties
properties:
lastTransitionTime:
description: LastTransitionTime is the last time the condition
transitioned from one status to another.
format: date-time
type: string
message:
description: A human readable message indicating details about
the transition.
type: string
reason:
description: The reason for the condition's last transition.
type: string
status:
description: Status of the condition, one of True, False, Unknown.
type: string
type:
description: Type of condition.
type: string
required:
- status
- type
type: object
type: array
lastSyncedTime:
description: LastSyncedTime is the last time the resource successfully
synced with Consul.
format: date-time
type: string
latestPeeringVersion:
description: LatestPeeringVersion is the latest version of the resource
that was reconciled.
format: int64
type: integer
secret:
description: SecretRef shows the status of the secret.
properties:
backend:
description: 'Backend is where the generated secret is stored.
Currently supports the value: "kubernetes".'
type: string
key:
description: Key is the key of the secret generated.
type: string
name:
description: Name is the name of the secret generated.
type: string
resourceVersion:
description: ResourceVersion is the resource version for the secret.
type: string
type: object
type: object
type: object
served: true
storage: true
subresources:
status: {}
{{- end }}
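Review bot: spec.peer.secret.backend's description says only "kubernetes" is supported, yet the field is an unconstrained `type: string` and `backend`, `key`, and `name` are all optional; an `enum: - kubernetes` plus a `required:` list for the three fields would stop a malformed acceptor from being admitted before the controller tries to write the peering token. Since that Secret holds the token the other cluster presents to establish the peering, the template or chart README should also state which ServiceAccount needs write access to it, so operators can scope RBAC to that Secret name rather than to all Secrets in the namespace.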

View File

@ -0,0 +1,152 @@
{{- if and .Values.connectInject.enabled .Values.global.peering.enabled }}
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
labels:
app: {{ template "consul.name" . }}
chart: {{ template "consul.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
component: crd
name: peeringdialers.consul.hashicorp.com
spec:
group: consul.hashicorp.com
names:
kind: PeeringDialer
listKind: PeeringDialerList
plural: peeringdialers
shortNames:
- peering-dialer
singular: peeringdialer
scope: Namespaced
versions:
- additionalPrinterColumns:
- description: The sync status of the resource with Consul
jsonPath: .status.conditions[?(@.type=="Synced")].status
name: Synced
type: string
- description: The last successful synced time of the resource with Consul
jsonPath: .status.lastSyncedTime
name: Last Synced
type: date
- description: The age of the resource
jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v1alpha1
schema:
openAPIV3Schema:
description: PeeringDialer is the Schema for the peeringdialers API.
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: PeeringDialerSpec defines the desired state of PeeringDialer.
properties:
peer:
description: Peer describes the information needed to create a peering.
properties:
secret:
description: Secret describes how to store the generated peering
token.
properties:
backend:
description: 'Backend is where the generated secret is stored.
Currently supports the value: "kubernetes".'
type: string
key:
description: Key is the key of the secret generated.
type: string
name:
description: Name is the name of the secret generated.
type: string
type: object
type: object
required:
- peer
type: object
status:
description: PeeringDialerStatus defines the observed state of PeeringDialer.
properties:
conditions:
description: Conditions indicate the latest available observations
of a resource's current state.
items:
description: |-
Conditions define a readiness condition for a Consul resource.
See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties
properties:
lastTransitionTime:
description: LastTransitionTime is the last time the condition
transitioned from one status to another.
format: date-time
type: string
message:
description: A human readable message indicating details about
the transition.
type: string
reason:
description: The reason for the condition's last transition.
type: string
status:
description: Status of the condition, one of True, False, Unknown.
type: string
type:
description: Type of condition.
type: string
required:
- status
- type
type: object
type: array
lastSyncedTime:
description: LastSyncedTime is the last time the resource successfully
synced with Consul.
format: date-time
type: string
latestPeeringVersion:
description: LatestPeeringVersion is the latest version of the resource
that was reconciled.
format: int64
type: integer
secret:
description: SecretRef shows the status of the secret.
properties:
backend:
description: 'Backend is where the generated secret is stored.
Currently supports the value: "kubernetes".'
type: string
key:
description: Key is the key of the secret generated.
type: string
name:
description: Name is the name of the secret generated.
type: string
resourceVersion:
description: ResourceVersion is the resource version for the secret.
type: string
type: object
type: object
type: object
served: true
storage: true
subresources:
status: {}
{{- end }}
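Review bot: spec.peer.secret's description ("Secret describes how to store the generated peering token") is copied verbatim from PeeringAcceptor; on the dialer side the secret is where the controller reads the token received from the acceptor, not where a generated token is stored, so the description should say so. The same `backend` string-without-enum and optional `backend`/`key`/`name` pattern applies here as in the acceptor CRD; a dialer pointing at a nonexistent secret will only be visible as a failed Synced condition rather than an admission error.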

View File

@ -0,0 +1,426 @@
{{- if .Values.connectInject.enabled }}
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
labels:
app: {{ template "consul.name" . }}
chart: {{ template "consul.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
component: crd
name: proxyconfigurations.mesh.consul.hashicorp.com
spec:
group: mesh.consul.hashicorp.com
names:
kind: ProxyConfiguration
listKind: ProxyConfigurationList
plural: proxyconfigurations
shortNames:
- proxy-configuration
singular: proxyconfiguration
scope: Namespaced
versions:
- additionalPrinterColumns:
- description: The sync status of the resource with Consul
jsonPath: .status.conditions[?(@.type=="Synced")].status
name: Synced
type: string
- description: The last successful synced time of the resource with Consul
jsonPath: .status.lastSyncedTime
name: Last Synced
type: date
- description: The age of the resource
jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v2beta1
schema:
openAPIV3Schema:
description: ProxyConfiguration is the Schema for the TCP Routes API
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: This is a Resource type.
properties:
bootstrapConfig:
description: |-
bootstrap_config is the configuration that requires proxies
to be restarted to be applied.
properties:
dogstatsdUrl:
type: string
overrideJsonTpl:
type: string
prometheusBindAddr:
type: string
readyBindAddr:
type: string
staticClustersJson:
type: string
staticListenersJson:
type: string
statsBindAddr:
type: string
statsConfigJson:
type: string
statsFlushInterval:
type: string
statsSinksJson:
type: string
statsTags:
items:
type: string
type: array
statsdUrl:
type: string
telemetryCollectorBindSocketDir:
type: string
tracingConfigJson:
type: string
type: object
dynamicConfig:
description: |-
dynamic_config is the configuration that could be changed
dynamically (i.e. without needing restart).
properties:
accessLogs:
description: AccessLogs configures the output and format of Envoy
access logs
properties:
disableListenerLogs:
description: |-
DisableListenerLogs turns off just listener logs for connections rejected by Envoy because they don't
have a matching listener filter.
type: boolean
enabled:
description: Enabled turns off all access logging
type: boolean
jsonFormat:
description: |-
The presence of one format string or the other implies the access log string encoding.
Defining both is invalid.
type: string
path:
description: Path is the output file to write logs
type: string
textFormat:
type: string
type:
description: 'Type selects the output for logs: "file", "stderr".
"stdout"'
enum:
- LOG_SINK_TYPE_DEFAULT
- LOG_SINK_TYPE_FILE
- LOG_SINK_TYPE_STDERR
- LOG_SINK_TYPE_STDOUT
format: int32
type: string
type: object
exposeConfig:
properties:
exposePaths:
items:
properties:
listenerPort:
format: int32
type: integer
localPathPort:
format: int32
type: integer
path:
type: string
protocol:
enum:
- EXPOSE_PATH_PROTOCOL_HTTP
- EXPOSE_PATH_PROTOCOL_HTTP2
format: int32
type: string
type: object
type: array
type: object
inboundConnections:
description: inbound_connections configures inbound connections
to the proxy.
properties:
balanceInboundConnections:
enum:
- BALANCE_CONNECTIONS_DEFAULT
- BALANCE_CONNECTIONS_EXACT
format: int32
type: string
maxInboundConnections:
format: int32
type: integer
type: object
listenerTracingJson:
type: string
localClusterJson:
type: string
localConnection:
additionalProperties:
description: Referenced by ProxyConfiguration
properties:
connectTimeout:
description: "A Duration represents a signed, fixed-length
span of time represented\nas a count of seconds and fractions
of seconds at nanosecond\nresolution. It is independent
of any calendar and concepts like \"day\"\nor \"month\".
It is related to Timestamp in that the difference between\ntwo
Timestamp values is a Duration and it can be added or
subtracted\nfrom a Timestamp. Range is approximately +-10,000
years.\n\n\n# Examples\n\n\nExample 1: Compute Duration
from two Timestamps in pseudo code.\n\n\n\tTimestamp start
= ...;\n\tTimestamp end = ...;\n\tDuration duration =
...;\n\n\n\tduration.seconds = end.seconds - start.seconds;\n\tduration.nanos
= end.nanos - start.nanos;\n\n\n\tif (duration.seconds
< 0 && duration.nanos > 0) {\n\t duration.seconds +=
1;\n\t duration.nanos -= 1000000000;\n\t} else if (duration.seconds
> 0 && duration.nanos < 0) {\n\t duration.seconds -=
1;\n\t duration.nanos += 1000000000;\n\t}\n\n\nExample
2: Compute Timestamp from Timestamp + Duration in pseudo
code.\n\n\n\tTimestamp start = ...;\n\tDuration duration
= ...;\n\tTimestamp end = ...;\n\n\n\tend.seconds = start.seconds
+ duration.seconds;\n\tend.nanos = start.nanos + duration.nanos;\n\n\n\tif
(end.nanos < 0) {\n\t end.seconds -= 1;\n\t end.nanos
+= 1000000000;\n\t} else if (end.nanos >= 1000000000)
{\n\t end.seconds += 1;\n\t end.nanos -= 1000000000;\n\t}\n\n\nExample
3: Compute Duration from datetime.timedelta in Python.\n\n\n\ttd
= datetime.timedelta(days=3, minutes=10)\n\tduration =
Duration()\n\tduration.FromTimedelta(td)\n\n\n# JSON Mapping\n\n\nIn
JSON format, the Duration type is encoded as a string
rather than an\nobject, where the string ends in the suffix
\"s\" (indicating seconds) and\nis preceded by the number
of seconds, with nanoseconds expressed as\nfractional
seconds. For example, 3 seconds with 0 nanoseconds should
be\nencoded in JSON format as \"3s\", while 3 seconds
and 1 nanosecond should\nbe expressed in JSON format as
\"3.000000001s\", and 3 seconds and 1\nmicrosecond should
be expressed in JSON format as \"3.000001s\"."
format: duration
properties:
nanos:
description: |-
Signed fractions of a second at nanosecond resolution of the span
of time. Durations less than one second are represented with a 0
`seconds` field and a positive or negative `nanos` field. For durations
of one second or more, a non-zero value for the `nanos` field must be
of the same sign as the `seconds` field. Must be from -999,999,999
to +999,999,999 inclusive.
format: int32
type: integer
seconds:
description: |-
Signed seconds of the span of time. Must be from -315,576,000,000
to +315,576,000,000 inclusive. Note: these bounds are computed from:
60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years
format: int64
type: integer
type: object
requestTimeout:
description: "A Duration represents a signed, fixed-length
span of time represented\nas a count of seconds and fractions
of seconds at nanosecond\nresolution. It is independent
of any calendar and concepts like \"day\"\nor \"month\".
It is related to Timestamp in that the difference between\ntwo
Timestamp values is a Duration and it can be added or
subtracted\nfrom a Timestamp. Range is approximately +-10,000
years.\n\n\n# Examples\n\n\nExample 1: Compute Duration
from two Timestamps in pseudo code.\n\n\n\tTimestamp start
= ...;\n\tTimestamp end = ...;\n\tDuration duration =
...;\n\n\n\tduration.seconds = end.seconds - start.seconds;\n\tduration.nanos
= end.nanos - start.nanos;\n\n\n\tif (duration.seconds
< 0 && duration.nanos > 0) {\n\t duration.seconds +=
1;\n\t duration.nanos -= 1000000000;\n\t} else if (duration.seconds
> 0 && duration.nanos < 0) {\n\t duration.seconds -=
1;\n\t duration.nanos += 1000000000;\n\t}\n\n\nExample
2: Compute Timestamp from Timestamp + Duration in pseudo
code.\n\n\n\tTimestamp start = ...;\n\tDuration duration
= ...;\n\tTimestamp end = ...;\n\n\n\tend.seconds = start.seconds
+ duration.seconds;\n\tend.nanos = start.nanos + duration.nanos;\n\n\n\tif
(end.nanos < 0) {\n\t end.seconds -= 1;\n\t end.nanos
+= 1000000000;\n\t} else if (end.nanos >= 1000000000)
{\n\t end.seconds += 1;\n\t end.nanos -= 1000000000;\n\t}\n\n\nExample
3: Compute Duration from datetime.timedelta in Python.\n\n\n\ttd
= datetime.timedelta(days=3, minutes=10)\n\tduration =
Duration()\n\tduration.FromTimedelta(td)\n\n\n# JSON Mapping\n\n\nIn
JSON format, the Duration type is encoded as a string
rather than an\nobject, where the string ends in the suffix
\"s\" (indicating seconds) and\nis preceded by the number
of seconds, with nanoseconds expressed as\nfractional
seconds. For example, 3 seconds with 0 nanoseconds should
be\nencoded in JSON format as \"3s\", while 3 seconds
and 1 nanosecond should\nbe expressed in JSON format as
\"3.000000001s\", and 3 seconds and 1\nmicrosecond should
be expressed in JSON format as \"3.000001s\"."
format: duration
properties:
nanos:
description: |-
Signed fractions of a second at nanosecond resolution of the span
of time. Durations less than one second are represented with a 0
`seconds` field and a positive or negative `nanos` field. For durations
of one second or more, a non-zero value for the `nanos` field must be
of the same sign as the `seconds` field. Must be from -999,999,999
to +999,999,999 inclusive.
format: int32
type: integer
seconds:
description: |-
Signed seconds of the span of time. Must be from -315,576,000,000
to +315,576,000,000 inclusive. Note: these bounds are computed from:
60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years
format: int64
type: integer
type: object
type: object
description: |-
local_connection is the configuration that should be used
to connect to the local application provided per-port.
The map keys should correspond to port names on the workload.
type: object
localWorkloadAddress:
description: |-
deprecated:
local_workload_address, local_workload_port, and local_workload_socket_path
are deprecated and are only needed for migration of existing resources.
Deprecated: Marked as deprecated in pbmesh/v2beta1/proxy_configuration.proto.
type: string
localWorkloadPort:
description: 'Deprecated: Marked as deprecated in pbmesh/v2beta1/proxy_configuration.proto.'
format: int32
type: integer
localWorkloadSocketPath:
description: 'Deprecated: Marked as deprecated in pbmesh/v2beta1/proxy_configuration.proto.'
type: string
meshGatewayMode:
enum:
- MESH_GATEWAY_MODE_UNSPECIFIED
- MESH_GATEWAY_MODE_NONE
- MESH_GATEWAY_MODE_LOCAL
- MESH_GATEWAY_MODE_REMOTE
format: int32
type: string
mode:
description: mode indicates the proxy's mode. This will default
to 'transparent'.
enum:
- PROXY_MODE_DEFAULT
- PROXY_MODE_TRANSPARENT
- PROXY_MODE_DIRECT
format: int32
type: string
mutualTlsMode:
enum:
- MUTUAL_TLS_MODE_DEFAULT
- MUTUAL_TLS_MODE_STRICT
- MUTUAL_TLS_MODE_PERMISSIVE
format: int32
type: string
publicListenerJson:
type: string
transparentProxy:
properties:
dialedDirectly:
description: |-
dialed_directly indicates whether this proxy should be dialed using original destination IP
in the connection rather than load balance between all endpoints.
type: boolean
outboundListenerPort:
description: |-
outbound_listener_port is the port for the proxy's outbound listener.
This defaults to 15001.
format: int32
type: integer
type: object
type: object
opaqueConfig:
description: |-
deprecated: prevent usage when using v2 APIs directly.
needed for backwards compatibility
Deprecated: Marked as deprecated in pbmesh/v2beta1/proxy_configuration.proto.
type: object
x-kubernetes-preserve-unknown-fields: true
workloads:
description: |-
Selection of workloads this proxy configuration should apply to.
These can be prefixes or specific workload names.
properties:
filter:
type: string
names:
items:
type: string
type: array
prefixes:
items:
type: string
type: array
type: object
type: object
status:
properties:
conditions:
description: Conditions indicate the latest available observations
of a resource's current state.
items:
description: |-
Conditions define a readiness condition for a Consul resource.
See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties
properties:
lastTransitionTime:
description: LastTransitionTime is the last time the condition
transitioned from one status to another.
format: date-time
type: string
message:
description: A human readable message indicating details about
the transition.
type: string
reason:
description: The reason for the condition's last transition.
type: string
status:
description: Status of the condition, one of True, False, Unknown.
type: string
type:
description: Type of condition.
type: string
required:
- status
- type
type: object
type: array
lastSyncedTime:
description: LastSyncedTime is the last time the resource successfully
synced with Consul.
format: date-time
type: string
type: object
type: object
served: true
storage: true
subresources:
status: {}
{{- end }}
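Review bot: `publicListenerJson` is declared as a bare `type: string` with no description, and `mutualTlsMode` lists `MUTUAL_TLS_MODE_PERMISSIVE` with no description of what it relaxes; both are security-relevant knobs (raw Envoy listener JSON, and mTLS enforcement) and should carry a `description:` so `kubectl explain` tells an operator what they are enabling. The v1alpha1 ProxyDefaults CRD in this same commit describes permissive mode as "insecure" and notes that intentions are not enforced for non-mTLS connections; the same wording belongs on this enum. Also, `outboundListenerPort` is `format: int32` with no `minimum`/`maximum`; adding `minimum: 1` and `maximum: 65535` rejects out-of-range ports at admission rather than leaving it to the proxy.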

View File

@ -0,0 +1,278 @@
{{- if .Values.connectInject.enabled }}
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
labels:
app: {{ template "consul.name" . }}
chart: {{ template "consul.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
component: crd
name: proxydefaults.consul.hashicorp.com
spec:
group: consul.hashicorp.com
names:
kind: ProxyDefaults
listKind: ProxyDefaultsList
plural: proxydefaults
shortNames:
- proxy-defaults
singular: proxydefaults
scope: Namespaced
versions:
- additionalPrinterColumns:
- description: The sync status of the resource with Consul
jsonPath: .status.conditions[?(@.type=="Synced")].status
name: Synced
type: string
- description: The last successful synced time of the resource with Consul
jsonPath: .status.lastSyncedTime
name: Last Synced
type: date
- description: The age of the resource
jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v1alpha1
schema:
openAPIV3Schema:
description: ProxyDefaults is the Schema for the proxydefaults API
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: ProxyDefaultsSpec defines the desired state of ProxyDefaults.
properties:
accessLogs:
description: AccessLogs controls all envoy instances' access logging
configuration.
properties:
disableListenerLogs:
description: |-
DisableListenerLogs turns off just listener logs for connections rejected by Envoy because they don't
have a matching listener filter.
type: boolean
enabled:
description: Enabled turns on all access logging
type: boolean
jsonFormat:
description: |-
JSONFormat is a JSON-formatted string of an Envoy access log format dictionary.
See for more info on formatting: https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#format-dictionaries
Defining JSONFormat and TextFormat is invalid.
type: string
path:
description: Path is the output file to write logs for file-type
logging
type: string
textFormat:
description: |-
TextFormat is a representation of Envoy access logs format.
See for more info on formatting: https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#format-strings
Defining JSONFormat and TextFormat is invalid.
type: string
type:
description: |-
Type selects the output for logs
one of "file", "stderr". "stdout"
type: string
type: object
config:
description: |-
Config is an arbitrary map of configuration values used by Connect proxies.
Any values that your proxy allows can be configured globally here.
Supports JSON config values. See https://www.consul.io/docs/connect/proxies/envoy#configuration-formatting
type: object
x-kubernetes-preserve-unknown-fields: true
envoyExtensions:
description: EnvoyExtensions are a list of extensions to modify Envoy
proxy configuration.
items:
description: EnvoyExtension has configuration for an extension that
patches Envoy resources.
properties:
arguments:
type: object
x-kubernetes-preserve-unknown-fields: true
name:
type: string
required:
type: boolean
type: object
type: array
expose:
description: Expose controls the default expose path configuration
for Envoy.
properties:
checks:
description: |-
Checks defines whether paths associated with Consul checks will be exposed.
This flag triggers exposing all HTTP and GRPC check paths registered for the service.
type: boolean
paths:
description: Paths is the list of paths exposed through the proxy.
items:
properties:
listenerPort:
description: ListenerPort defines the port of the proxy's
listener for exposed paths.
type: integer
localPathPort:
description: LocalPathPort is the port that the service
is listening on for the given path.
type: integer
path:
description: Path is the path to expose through the proxy,
ie. "/metrics".
type: string
protocol:
description: |-
Protocol describes the upstream's service protocol.
Valid values are "http" and "http2", defaults to "http".
type: string
type: object
type: array
type: object
failoverPolicy:
description: FailoverPolicy specifies the exact mechanism used for
failover.
properties:
mode:
description: |-
Mode specifies the type of failover that will be performed. Valid values are
"sequential", "" (equivalent to "sequential") and "order-by-locality".
type: string
regions:
description: |-
Regions is the ordered list of the regions of the failover targets.
Valid values can be "us-west-1", "us-west-2", and so on.
items:
type: string
type: array
type: object
meshGateway:
description: MeshGateway controls the default mesh gateway configuration
for this service.
properties:
mode:
description: |-
Mode is the mode that should be used for the upstream connection.
One of none, local, or remote.
type: string
type: object
mode:
description: |-
Mode can be one of "direct" or "transparent". "transparent" represents that inbound and outbound
application traffic is being captured and redirected through the proxy. This mode does not
enable the traffic redirection itself. Instead it signals Consul to configure Envoy as if
traffic is already being redirected. "direct" represents that the proxy's listeners must be
dialed directly by the local application and other proxies.
Note: This cannot be set using the CRD and should be set using annotations on the
services that are part of the mesh.
type: string
mutualTLSMode:
description: |-
MutualTLSMode controls whether mutual TLS is required for all incoming
connections when transparent proxy is enabled. This can be set to
"permissive" or "strict". "strict" is the default which requires mutual
TLS for incoming connections. In the insecure "permissive" mode,
connections to the sidecar proxy public listener port require mutual
TLS, but connections to the service port do not require mutual TLS and
are proxied to the application unmodified. Note: Intentions are not
enforced for non-mTLS connections. To keep your services secure, we
recommend using "strict" mode whenever possible and enabling
"permissive" mode only when necessary.
type: string
prioritizeByLocality:
description: |-
PrioritizeByLocality controls whether the locality of services within the
local partition will be used to prioritize connectivity.
properties:
mode:
description: |-
Mode specifies the type of prioritization that will be performed
when selecting nodes in the local partition.
Valid values are: "" (default "none"), "none", and "failover".
type: string
type: object
transparentProxy:
description: |-
TransparentProxy controls configuration specific to proxies in transparent mode.
Note: This cannot be set using the CRD and should be set using annotations on the
services that are part of the mesh.
properties:
dialedDirectly:
description: |-
DialedDirectly indicates whether transparent proxies can dial this proxy instance directly.
The discovery chain is not considered when dialing a service instance directly.
This setting is useful when addressing stateful services, such as a database cluster with a leader node.
type: boolean
outboundListenerPort:
description: |-
OutboundListenerPort is the port of the listener where outbound application
traffic is being redirected to.
type: integer
type: object
type: object
status:
properties:
conditions:
description: Conditions indicate the latest available observations
of a resource's current state.
items:
description: |-
Conditions define a readiness condition for a Consul resource.
See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties
properties:
lastTransitionTime:
description: LastTransitionTime is the last time the condition
transitioned from one status to another.
format: date-time
type: string
message:
description: A human readable message indicating details about
the transition.
type: string
reason:
description: The reason for the condition's last transition.
type: string
status:
description: Status of the condition, one of True, False, Unknown.
type: string
type:
description: Type of condition.
type: string
required:
- status
- type
type: object
type: array
lastSyncedTime:
description: LastSyncedTime is the last time the resource successfully
synced with Consul.
format: date-time
type: string
type: object
type: object
served: true
storage: true
subresources:
status: {}
{{- end }}
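Review bot: `mutualTLSMode` is an unconstrained `type: string` even though its description lists only "permissive" and "strict" (and explains that permissive bypasses intention enforcement on the service port); add an `enum:` with those values plus the empty string so a typo such as `strct` is rejected at admission instead of being handed to the controller as an unknown value. The same applies to `meshGateway.mode` (none, local, remote), `failoverPolicy.mode` and `expose.paths[].protocol`, whose valid values are documented but not enforced. Separately, `mode` and `transparentProxy` both say "This cannot be set using the CRD" yet remain settable in the schema, so a user who sets them gets no feedback; a validation rule or webhook check that rejects them would make the restriction real. Minor: the `accessLogs.type` description reads `one of "file", "stderr". "stdout"`; the period after `"stderr"` should be a comma.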

View File

@ -0,0 +1,208 @@
{{- if and .Values.connectInject.enabled .Values.connectInject.apiGateway.manageExternalCRDs }}
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/1538
gateway.networking.k8s.io/bundle-version: v0.6.2
gateway.networking.k8s.io/channel: experimental
creationTimestamp: null
labels:
app: {{ template "consul.name" . }}
chart: {{ template "consul.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
component: crd
name: referencegrants.gateway.networking.k8s.io
spec:
group: gateway.networking.k8s.io
names:
categories:
- gateway-api
kind: ReferenceGrant
listKind: ReferenceGrantList
plural: referencegrants
shortNames:
- refgrant
singular: referencegrant
scope: Namespaced
versions:
- additionalPrinterColumns:
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v1alpha2
schema:
openAPIV3Schema:
description: "ReferenceGrant identifies kinds of resources in other namespaces that are trusted to reference the specified kinds of resources in the same namespace as the policy. \n Each ReferenceGrant can be used to represent a unique trust relationship. Additional Reference Grants can be used to add to the set of trusted sources of inbound references for the namespace they are defined within. \n All cross-namespace references in Gateway API (with the exception of cross-namespace Gateway-route attachment) require a ReferenceGrant. \n ReferenceGrant is a form of runtime verification allowing users to assert which cross-namespace object references are permitted. Implementations that support ReferenceGrant MUST NOT permit cross-namespace references which have no grant, and MUST respond to the removal of a grant by revoking the access that the grant allowed. \n Support: Core"
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: Spec defines the desired state of ReferenceGrant.
properties:
from:
description: "From describes the trusted namespaces and kinds that can reference the resources described in \"To\". Each entry in this list MUST be considered to be an additional place that references can be valid from, or to put this another way, entries MUST be combined using OR. \n Support: Core"
items:
description: ReferenceGrantFrom describes trusted namespaces and kinds.
properties:
group:
description: "Group is the group of the referent. When empty, the Kubernetes core API group is inferred. \n Support: Core"
maxLength: 253
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
kind:
description: "Kind is the kind of the referent. Although implementations may support additional resources, the following types are part of the \"Core\" support level for this field. \n When used to permit a SecretObjectReference: \n * Gateway \n When used to permit a BackendObjectReference: \n * GRPCRoute * HTTPRoute * TCPRoute * TLSRoute * UDPRoute"
maxLength: 63
minLength: 1
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
type: string
namespace:
description: "Namespace is the namespace of the referent. \n Support: Core"
maxLength: 63
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
required:
- group
- kind
- namespace
type: object
maxItems: 16
minItems: 1
type: array
to:
description: "To describes the resources that may be referenced by the resources described in \"From\". Each entry in this list MUST be considered to be an additional place that references can be valid to, or to put this another way, entries MUST be combined using OR. \n Support: Core"
items:
description: ReferenceGrantTo describes what Kinds are allowed as targets of the references.
properties:
group:
description: "Group is the group of the referent. When empty, the Kubernetes core API group is inferred. \n Support: Core"
maxLength: 253
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
kind:
description: "Kind is the kind of the referent. Although implementations may support additional resources, the following types are part of the \"Core\" support level for this field: \n * Secret when used to permit a SecretObjectReference * Service when used to permit a BackendObjectReference"
maxLength: 63
minLength: 1
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
type: string
name:
description: Name is the name of the referent. When unspecified, this policy refers to all resources of the specified Group and Kind in the local namespace.
maxLength: 253
minLength: 1
type: string
required:
- group
- kind
type: object
maxItems: 16
minItems: 1
type: array
required:
- from
- to
type: object
type: object
served: true
storage: true
subresources: {}
- additionalPrinterColumns:
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v1beta1
schema:
openAPIV3Schema:
description: "ReferenceGrant identifies kinds of resources in other namespaces that are trusted to reference the specified kinds of resources in the same namespace as the policy. \n Each ReferenceGrant can be used to represent a unique trust relationship. Additional Reference Grants can be used to add to the set of trusted sources of inbound references for the namespace they are defined within. \n All cross-namespace references in Gateway API (with the exception of cross-namespace Gateway-route attachment) require a ReferenceGrant. \n ReferenceGrant is a form of runtime verification allowing users to assert which cross-namespace object references are permitted. Implementations that support ReferenceGrant MUST NOT permit cross-namespace references which have no grant, and MUST respond to the removal of a grant by revoking the access that the grant allowed. \n Support: Core"
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: Spec defines the desired state of ReferenceGrant.
properties:
from:
description: "From describes the trusted namespaces and kinds that can reference the resources described in \"To\". Each entry in this list MUST be considered to be an additional place that references can be valid from, or to put this another way, entries MUST be combined using OR. \n Support: Core"
items:
description: ReferenceGrantFrom describes trusted namespaces and kinds.
properties:
group:
description: "Group is the group of the referent. When empty, the Kubernetes core API group is inferred. \n Support: Core"
maxLength: 253
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
kind:
description: "Kind is the kind of the referent. Although implementations may support additional resources, the following types are part of the \"Core\" support level for this field. \n When used to permit a SecretObjectReference: \n * Gateway \n When used to permit a BackendObjectReference: \n * GRPCRoute * HTTPRoute * TCPRoute * TLSRoute * UDPRoute"
maxLength: 63
minLength: 1
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
type: string
namespace:
description: "Namespace is the namespace of the referent. \n Support: Core"
maxLength: 63
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
required:
- group
- kind
- namespace
type: object
maxItems: 16
minItems: 1
type: array
to:
description: "To describes the resources that may be referenced by the resources described in \"From\". Each entry in this list MUST be considered to be an additional place that references can be valid to, or to put this another way, entries MUST be combined using OR. \n Support: Core"
items:
description: ReferenceGrantTo describes what Kinds are allowed as targets of the references.
properties:
group:
description: "Group is the group of the referent. When empty, the Kubernetes core API group is inferred. \n Support: Core"
maxLength: 253
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
kind:
description: "Kind is the kind of the referent. Although implementations may support additional resources, the following types are part of the \"Core\" support level for this field: \n * Secret when used to permit a SecretObjectReference * Service when used to permit a BackendObjectReference"
maxLength: 63
minLength: 1
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
type: string
name:
description: Name is the name of the referent. When unspecified, this policy refers to all resources of the specified Group and Kind in the local namespace.
maxLength: 253
minLength: 1
type: string
required:
- group
- kind
type: object
maxItems: 16
minItems: 1
type: array
required:
- from
- to
type: object
type: object
served: true
storage: false
subresources: {}
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []
{{- end }}
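Review bot: the `{{- if and .Values.connectInject.enabled .Values.connectInject.apiGateway.manageExternalCRDs }}` guard is the only thing preventing this chart from taking ownership of a cluster-wide, shared Gateway API CRD (`referencegrants.gateway.networking.k8s.io`), pinned here to `gateway.networking.k8s.io/bundle-version: v0.6.2` on the `experimental` channel; the chart documentation should state plainly that `manageExternalCRDs` must be false when another Gateway API implementation already owns these CRDs, otherwise an install or upgrade can replace the schema that other controllers depend on. Also check the stored version: `v1alpha2` has `storage: true` while `v1beta1` has `storage: false`, so objects persist under the alpha schema; confirm this matches the upstream v0.6.2 manifest rather than a stale copy. The trailing `status:` block with empty `acceptedNames` and `storedVersions: []`, and `creationTimestamp: null` in `metadata`, are generator residue and can be dropped.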

View File

@ -0,0 +1,257 @@
{{- if .Values.connectInject.enabled }}
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
labels:
app: {{ template "consul.name" . }}
chart: {{ template "consul.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
component: crd
name: registrations.consul.hashicorp.com
spec:
group: consul.hashicorp.com
names:
kind: Registration
listKind: RegistrationList
plural: registrations
singular: registration
scope: Cluster
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
description: Registration defines the resource for working with service registrations.
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: Spec defines the desired state of Registration.
properties:
address:
type: string
check:
description: HealthCheck is used to represent a single check.
properties:
checkId:
type: string
definition:
description: |-
HealthCheckDefinition is used to store the details about
a health check's execution.
properties:
body:
type: string
deregisterCriticalServiceAfterDuration:
type: string
grpc:
type: string
grpcUseTLS:
type: boolean
header:
additionalProperties:
items:
type: string
type: array
type: object
http:
type: string
intervalDuration:
type: string
method:
type: string
osService:
type: string
tcp:
type: string
tcpUseTLS:
type: boolean
timeoutDuration:
type: string
tlsServerName:
type: string
tlsSkipVerify:
type: boolean
udp:
type: string
required:
- intervalDuration
type: object
exposedPort:
type: integer
name:
type: string
namespace:
type: string
node:
type: string
notes:
type: string
output:
type: string
partition:
type: string
serviceId:
type: string
serviceName:
type: string
status:
type: string
type:
type: string
required:
- checkId
- definition
- name
- serviceId
- serviceName
- status
type: object
datacenter:
type: string
id:
type: string
locality:
properties:
region:
type: string
zone:
type: string
type: object
node:
type: string
nodeMeta:
additionalProperties:
type: string
type: object
partition:
type: string
service:
properties:
address:
type: string
enableTagOverride:
type: boolean
id:
type: string
locality:
properties:
region:
type: string
zone:
type: string
type: object
meta:
additionalProperties:
type: string
type: object
name:
type: string
namespace:
type: string
partition:
type: string
port:
type: integer
socketPath:
type: string
taggedAddresses:
additionalProperties:
properties:
address:
type: string
port:
type: integer
required:
- address
- port
type: object
type: object
tags:
items:
type: string
type: array
weights:
properties:
passing:
type: integer
warning:
type: integer
required:
- passing
- warning
type: object
required:
- name
- port
type: object
skipNodeUpdate:
type: boolean
taggedAddresses:
additionalProperties:
type: string
type: object
type: object
status:
description: RegistrationStatus defines the observed state of Registration.
properties:
conditions:
description: Conditions indicate the latest available observations
of a resource's current state.
items:
description: |-
Conditions define a readiness condition for a Consul resource.
See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties
properties:
lastTransitionTime:
description: LastTransitionTime is the last time the condition
transitioned from one status to another.
format: date-time
type: string
message:
description: A human readable message indicating details about
the transition.
type: string
reason:
description: The reason for the condition's last transition.
type: string
status:
description: Status of the condition, one of True, False, Unknown.
type: string
type:
description: Type of condition.
type: string
required:
- status
- type
type: object
type: array
lastSyncedTime:
description: LastSyncedTime is the last time the resource successfully
synced with Consul.
format: date-time
type: string
type: object
type: object
served: true
storage: true
subresources:
status: {}
{{- end }}
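Review bot: `Registration` is `scope: Cluster` and its spec carries `namespace` and `partition` fields both at the top level and under `service`, so any principal allowed to create Registrations can register an arbitrary `address`/`port` under any service `name` in any Consul namespace or partition; the chart's RBAC should grant create/update on `registrations.consul.hashicorp.com` only to the intended principals, and the CRD description, which currently just says "defines the resource for working with service registrations", should call this out. The health-check definition also exposes `tlsSkipVerify`, `grpcUseTLS` and `tcpUseTLS` with no descriptions; `tlsSkipVerify` disables server certificate verification for the check and deserves an explicit warning. Finally, `port` under `service` is a required `type: integer` with no bounds; add `minimum: 1` and `maximum: 65535`.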

View File

@ -0,0 +1,215 @@
{{- if .Values.connectInject.enabled }}
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
labels:
app: {{ template "consul.name" . }}
chart: {{ template "consul.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
component: crd
name: routeauthfilters.consul.hashicorp.com
spec:
group: consul.hashicorp.com
names:
kind: RouteAuthFilter
listKind: RouteAuthFilterList
plural: routeauthfilters
singular: routeauthfilter
scope: Namespaced
versions:
- additionalPrinterColumns:
- description: The sync status of the resource with Consul
jsonPath: .status.conditions[?(@.type=="Synced")].status
name: Synced
type: string
- description: The last successful synced time of the resource with Consul
jsonPath: .status.lastSyncedTime
name: Last Synced
type: date
- description: The age of the resource
jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v1alpha1
schema:
openAPIV3Schema:
description: RouteAuthFilter is the Schema for the routeauthfilters API.
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: RouteAuthFilterSpec defines the desired state of RouteAuthFilter.
properties:
jwt:
description: This re-uses the JWT requirement type from Gateway Policy
Types.
properties:
providers:
description: Providers is a list of providers to consider when
verifying a JWT.
items:
description: GatewayJWTProvider holds the provider and claim
verification information.
properties:
name:
description: |-
Name is the name of the JWT provider. There MUST be a corresponding
"jwt-provider" config entry with this name.
type: string
verifyClaims:
description: VerifyClaims is a list of additional claims
to verify in a JWT's payload.
items:
description: GatewayJWTClaimVerification holds the actual
claim information to be verified.
properties:
path:
description: Path is the path to the claim in the
token JSON.
items:
type: string
type: array
value:
description: |-
Value is the expected value at the given path:
- If the type at the path is a list then we verify
that this value is contained in the list.
- If the type at the path is a string then we verify
that this value matches.
type: string
required:
- path
- value
type: object
type: array
required:
- name
type: object
type: array
required:
- providers
type: object
type: object
status:
description: RouteAuthFilterStatus defines the observed state of the gateway.
properties:
conditions:
default:
- lastTransitionTime: "1970-01-01T00:00:00Z"
message: Waiting for controller
reason: Pending
status: Unknown
type: Accepted
- lastTransitionTime: "1970-01-01T00:00:00Z"
message: Waiting for controller
reason: Pending
status: Unknown
type: ResolvedRefs
description: |-
Conditions describe the current conditions of the Filter.
Known condition types are:
* "Accepted"
* "ResolvedRefs"
items:
description: "Condition contains details for one aspect of the current
state of this API Resource.\n---\nThis struct is intended for
direct use as an array at the field path .status.conditions. For
example,\n\n\n\ttype FooStatus struct{\n\t // Represents the
observations of a foo's current state.\n\t // Known .status.conditions.type
are: \"Available\", \"Progressing\", and \"Degraded\"\n\t //
+patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t
\ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\"
patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t
\ // other fields\n\t}"
properties:
lastTransitionTime:
description: |-
lastTransitionTime is the last time the condition transitioned from one status to another.
This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
format: date-time
type: string
message:
description: |-
message is a human readable message indicating details about the transition.
This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
description: |-
observedGeneration represents the .metadata.generation that the condition was set based upon.
For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
with respect to the current state of the instance.
format: int64
minimum: 0
type: integer
reason:
description: |-
reason contains a programmatic identifier indicating the reason for the condition's last transition.
Producers of specific condition types may define expected values and meanings for this field,
and whether the values are considered a guaranteed API.
The value should be a CamelCase string.
This field may not be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
type: string
status:
description: status of the condition, one of True, False, Unknown.
enum:
- "True"
- "False"
- Unknown
type: string
type:
description: |-
type of condition in CamelCase or in foo.example.com/CamelCase.
---
Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
useful (see .node.status.conditions), the ability to deconflict is important.
The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
- lastTransitionTime
- message
- reason
- status
- type
type: object
maxItems: 8
type: array
x-kubernetes-list-map-keys:
- type
x-kubernetes-list-type: map
type: object
type: object
served: true
storage: true
subresources:
status: {}
{{- end }}
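Review bot: `providers` is listed under `required` but has no `minItems`, so `jwt: {providers: []}` passes admission and produces a filter that verifies nothing; add `minItems: 1`, and a `minLength: 1` on `name`, so an empty provider reference cannot be persisted. The `jwt` description ("This re-uses the JWT requirement type from Gateway Policy Types.") is a note to maintainers rather than a description of the field; replace it with what the field means for the user. Likewise `verifyClaims[].path` accepts an empty array, which cannot identify a claim; `minItems: 1` there matches the stated intent of "path to the claim in the token JSON".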

View File

@ -0,0 +1,121 @@
{{- if .Values.connectInject.enabled }}
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
labels:
app: {{ template "consul.name" . }}
chart: {{ template "consul.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
component: crd
name: routeretryfilters.consul.hashicorp.com
spec:
group: consul.hashicorp.com
names:
kind: RouteRetryFilter
listKind: RouteRetryFilterList
plural: routeretryfilters
singular: routeretryfilter
scope: Namespaced
versions:
- additionalPrinterColumns:
- description: The sync status of the resource with Consul
jsonPath: .status.conditions[?(@.type=="Synced")].status
name: Synced
type: string
- description: The last successful synced time of the resource with Consul
jsonPath: .status.lastSyncedTime
name: Last Synced
type: date
- description: The age of the resource
jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v1alpha1
schema:
openAPIV3Schema:
description: RouteRetryFilter is the Schema for the routeretryfilters API
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: RouteRetryFilterSpec defines the desired state of RouteRetryFilter.
properties:
numRetries:
format: int32
minimum: 0
type: integer
retryOn:
items:
type: string
type: array
retryOnConnectFailure:
type: boolean
retryOnStatusCodes:
items:
format: int32
type: integer
type: array
type: object
status:
properties:
conditions:
description: Conditions indicate the latest available observations
of a resource's current state.
items:
description: |-
Conditions define a readiness condition for a Consul resource.
See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties
properties:
lastTransitionTime:
description: LastTransitionTime is the last time the condition
transitioned from one status to another.
format: date-time
type: string
message:
description: A human readable message indicating details about
the transition.
type: string
reason:
description: The reason for the condition's last transition.
type: string
status:
description: Status of the condition, one of True, False, Unknown.
type: string
type:
description: Type of condition.
type: string
required:
- status
- type
type: object
type: array
lastSyncedTime:
description: LastSyncedTime is the last time the resource successfully
synced with Consul.
format: date-time
type: string
type: object
type: object
served: true
storage: true
subresources:
status: {}
{{- end }}
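Review bot: the `spec` validation stops short for both list fields. `numRetries` is bounded with `minimum: 0`, but each `retryOnStatusCodes` item is a bare `format: int32` integer with no range, and `retryOn` is an unconstrained list of strings, so a negative or out-of-range status code passes admission and only surfaces when the controller tries to sync the filter into Consul. Since the file is generated by controller-gen v0.14.0, the fix belongs on the Go type: `// +kubebuilder:validation:Minimum=100` and `// +kubebuilder:validation:Maximum=599` on the `RetryOnStatusCodes` element, plus an Enum marker on `RetryOn` if the accepted retry conditions are a fixed set, then regenerate. `status` also has no `description`, unlike `spec`.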

@ -0,0 +1,113 @@
{{- if .Values.connectInject.enabled }}
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
labels:
app: {{ template "consul.name" . }}
chart: {{ template "consul.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
component: crd
name: routetimeoutfilters.consul.hashicorp.com
spec:
group: consul.hashicorp.com
names:
kind: RouteTimeoutFilter
listKind: RouteTimeoutFilterList
plural: routetimeoutfilters
singular: routetimeoutfilter
scope: Namespaced
versions:
- additionalPrinterColumns:
- description: The sync status of the resource with Consul
jsonPath: .status.conditions[?(@.type=="Synced")].status
name: Synced
type: string
- description: The last successful synced time of the resource with Consul
jsonPath: .status.lastSyncedTime
name: Last Synced
type: date
- description: The age of the resource
jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v1alpha1
schema:
openAPIV3Schema:
description: RouteTimeoutFilter is the Schema for the httproutetimeoutfilters
API
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: RouteTimeoutFilterSpec defines the desired state of RouteTimeoutFilter.
properties:
idleTimeout:
format: duration
type: string
requestTimeout:
format: duration
type: string
type: object
status:
properties:
conditions:
description: Conditions indicate the latest available observations
of a resource's current state.
items:
description: |-
Conditions define a readiness condition for a Consul resource.
See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties
properties:
lastTransitionTime:
description: LastTransitionTime is the last time the condition
transitioned from one status to another.
format: date-time
type: string
message:
description: A human readable message indicating details about
the transition.
type: string
reason:
description: The reason for the condition's last transition.
type: string
status:
description: Status of the condition, one of True, False, Unknown.
type: string
type:
description: Type of condition.
type: string
required:
- status
- type
type: object
type: array
lastSyncedTime:
description: LastSyncedTime is the last time the resource successfully
synced with Consul.
format: date-time
type: string
type: object
type: object
served: true
storage: true
subresources:
status: {}
{{- end }}
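Review bot: the top-level schema description reads "RouteTimeoutFilter is the Schema for the httproutetimeoutfilters API", but the resource registered by this CRD is `routetimeoutfilters` (see `spec.names.plural`). The text comes from the Go doc comment on the `RouteTimeoutFilter` type, so correct the comment to `routetimeoutfilters` and regenerate; as it stands `kubectl explain routetimeoutfilter` names a resource that does not exist. Separately, `idleTimeout` and `requestTimeout` are only `format: duration` strings, which the API server does not validate; a `pattern` marker (or a `metav1.Duration` field in Go) would reject malformed values at admission instead of at sync time.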

@ -0,0 +1,133 @@
{{- if .Values.connectInject.enabled }}
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
labels:
app: {{ template "consul.name" . }}
chart: {{ template "consul.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
component: crd
name: samenessgroups.consul.hashicorp.com
spec:
group: consul.hashicorp.com
names:
kind: SamenessGroup
listKind: SamenessGroupList
plural: samenessgroups
shortNames:
- sameness-group
singular: samenessgroup
scope: Namespaced
versions:
- additionalPrinterColumns:
- description: The sync status of the resource with Consul
jsonPath: .status.conditions[?(@.type=="Synced")].status
name: Synced
type: string
- description: The last successful synced time of the resource with Consul
jsonPath: .status.lastSyncedTime
name: Last Synced
type: date
- description: The age of the resource
jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v1alpha1
schema:
openAPIV3Schema:
description: SamenessGroup is the Schema for the samenessgroups API
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: SamenessGroupSpec defines the desired state of SamenessGroup.
properties:
defaultForFailover:
description: |-
DefaultForFailover indicates that upstream requests to members of the given sameness group will implicitly failover between members of this sameness group.
When DefaultForFailover is true, the local partition must be a member of the sameness group or IncludeLocal must be set to true.
type: boolean
includeLocal:
description: |-
IncludeLocal is used to include the local partition as the first member of the sameness group.
The local partition can only be a member of a single sameness group.
type: boolean
members:
description: |-
Members are the partitions and peers that are part of the sameness group.
If a member of a sameness group does not exist, it will be ignored.
items:
properties:
partition:
description: |-
The partitions and peers that are part of the sameness group.
A sameness group member cannot define both peer and partition at the same time.
type: string
peer:
type: string
type: object
type: array
type: object
status:
properties:
conditions:
description: Conditions indicate the latest available observations
of a resource's current state.
items:
description: |-
Conditions define a readiness condition for a Consul resource.
See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties
properties:
lastTransitionTime:
description: LastTransitionTime is the last time the condition
transitioned from one status to another.
format: date-time
type: string
message:
description: A human readable message indicating details about
the transition.
type: string
reason:
description: The reason for the condition's last transition.
type: string
status:
description: Status of the condition, one of True, False, Unknown.
type: string
type:
description: Type of condition.
type: string
required:
- status
- type
type: object
type: array
lastSyncedTime:
description: LastSyncedTime is the last time the resource successfully
synced with Consul.
format: date-time
type: string
type: object
type: object
served: true
storage: true
subresources:
status: {}
{{- end }}
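Review bot: the `members[].partition` description is really the description of the whole member object ("The partitions and peers that are part of the sameness group. A sameness group member cannot define both peer and partition at the same time."), while `peer` has no description at all. Move that text to the doc comment on the member struct and give `partition` and `peer` their own one-line descriptions. The mutual-exclusion rule it states is also not enforced by the schema: both fields are plain optional strings, so a member that sets both `partition` and `peer` is accepted by the API server. Where the supported Kubernetes versions allow it, a CEL rule on the member object via `// +kubebuilder:validation:XValidation:rule="!(has(self.partition) && has(self.peer))"` would reject it at admission; otherwise the rule has to be checked outside the schema before the resource is synced.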

@ -0,0 +1,580 @@
{{- if .Values.connectInject.enabled }}
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
labels:
app: {{ template "consul.name" . }}
chart: {{ template "consul.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
component: crd
name: servicedefaults.consul.hashicorp.com
spec:
group: consul.hashicorp.com
names:
kind: ServiceDefaults
listKind: ServiceDefaultsList
plural: servicedefaults
shortNames:
- service-defaults
singular: servicedefaults
scope: Namespaced
versions:
- additionalPrinterColumns:
- description: The sync status of the resource with Consul
jsonPath: .status.conditions[?(@.type=="Synced")].status
name: Synced
type: string
- description: The last successful synced time of the resource with Consul
jsonPath: .status.lastSyncedTime
name: Last Synced
type: date
- description: The age of the resource
jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v1alpha1
schema:
openAPIV3Schema:
description: ServiceDefaults is the Schema for the servicedefaults API
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: ServiceDefaultsSpec defines the desired state of ServiceDefaults.
properties:
balanceInboundConnections:
description: |-
BalanceInboundConnections sets the strategy for allocating inbound connections to the service across
proxy threads. The only supported value is exact_balance. By default, no connection balancing is used.
Refer to the Envoy Connection Balance config for details.
type: string
destination:
description: |-
Destination is an address(es)/port combination that represents an endpoint
outside the mesh. This is only valid when the mesh is configured in "transparent"
mode. Destinations live outside of Consul's catalog, and because of this, they
do not require an artificial node to be created.
properties:
addresses:
description: |-
Addresses is a list of IPs and/or hostnames that can be dialed
and routed through a terminating gateway.
items:
type: string
type: array
port:
description: |-
Port is the port that can be dialed on any of the addresses in this
Destination.
format: int32
type: integer
type: object
envoyExtensions:
description: EnvoyExtensions are a list of extensions to modify Envoy
proxy configuration.
items:
description: EnvoyExtension has configuration for an extension that
patches Envoy resources.
properties:
arguments:
type: object
x-kubernetes-preserve-unknown-fields: true
name:
type: string
required:
type: boolean
type: object
type: array
expose:
description: Expose controls the default expose path configuration
for Envoy.
properties:
checks:
description: |-
Checks defines whether paths associated with Consul checks will be exposed.
This flag triggers exposing all HTTP and GRPC check paths registered for the service.
type: boolean
paths:
description: Paths is the list of paths exposed through the proxy.
items:
properties:
listenerPort:
description: ListenerPort defines the port of the proxy's
listener for exposed paths.
type: integer
localPathPort:
description: LocalPathPort is the port that the service
is listening on for the given path.
type: integer
path:
description: Path is the path to expose through the proxy,
ie. "/metrics".
type: string
protocol:
description: |-
Protocol describes the upstream's service protocol.
Valid values are "http" and "http2", defaults to "http".
type: string
type: object
type: array
type: object
externalSNI:
description: |-
ExternalSNI is an optional setting that allows for the TLS SNI value
to be changed to a non-connect value when federating with an external system.
type: string
localConnectTimeoutMs:
description: |-
LocalConnectTimeoutMs is the number of milliseconds allowed to make connections to the local application
instance before timing out. Defaults to 5000.
type: integer
localRequestTimeoutMs:
description: |-
LocalRequestTimeoutMs is the timeout for HTTP requests to the local application instance in milliseconds.
Applies to HTTP-based protocols only. If not specified, inherits the Envoy default for
route timeouts (15s).
type: integer
maxInboundConnections:
description: |-
MaxInboundConnections is the maximum number of concurrent inbound connections to
each service instance. Defaults to 0 (using consul's default) if not set.
type: integer
meshGateway:
description: MeshGateway controls the default mesh gateway configuration
for this service.
properties:
mode:
description: |-
Mode is the mode that should be used for the upstream connection.
One of none, local, or remote.
type: string
type: object
mode:
description: |-
Mode can be one of "direct" or "transparent". "transparent" represents that inbound and outbound
application traffic is being captured and redirected through the proxy. This mode does not
enable the traffic redirection itself. Instead it signals Consul to configure Envoy as if
traffic is already being redirected. "direct" represents that the proxy's listeners must be
dialed directly by the local application and other proxies.
Note: This cannot be set using the CRD and should be set using annotations on the
services that are part of the mesh.
type: string
mutualTLSMode:
description: |-
MutualTLSMode controls whether mutual TLS is required for all incoming
connections when transparent proxy is enabled. This can be set to
"permissive" or "strict". "strict" is the default which requires mutual
TLS for incoming connections. In the insecure "permissive" mode,
connections to the sidecar proxy public listener port require mutual
TLS, but connections to the service port do not require mutual TLS and
are proxied to the application unmodified. Note: Intentions are not
enforced for non-mTLS connections. To keep your services secure, we
recommend using "strict" mode whenever possible and enabling
"permissive" mode only when necessary.
type: string
protocol:
description: |-
Protocol sets the protocol of the service. This is used by Connect proxies for
things like observability features and to unlock usage of the
service-splitter and service-router config entries for a service.
type: string
rateLimits:
description: |-
RateLimits is rate limiting configuration that is applied to
inbound traffic for a service. Rate limiting is a Consul enterprise feature.
properties:
instanceLevel:
description: |-
InstanceLevel represents rate limit configuration
that is applied per service instance.
properties:
requestsMaxBurst:
description: |-
RequestsMaxBurst is the maximum number of requests that can be sent
in a burst. Should be equal to or greater than RequestsPerSecond.
If unset, defaults to RequestsPerSecond.
Internally, this is the maximum size of the token bucket used for rate limiting.
type: integer
requestsPerSecond:
description: |-
RequestsPerSecond is the average number of requests per second that can be
made without being throttled. This field is required if RequestsMaxBurst
is set. The allowed number of requests may exceed RequestsPerSecond up to
the value specified in RequestsMaxBurst.
Internally, this is the refill rate of the token bucket used for rate limiting.
type: integer
routes:
description: |-
Routes is a list of rate limits applied to specific routes.
For a given request, the first matching route will be applied, if any.
Overrides any top-level configuration.
items:
properties:
pathExact:
description: Exact path to match. Exactly one of PathExact,
PathPrefix, or PathRegex must be specified.
type: string
pathPrefix:
description: Prefix to match. Exactly one of PathExact,
PathPrefix, or PathRegex must be specified.
type: string
pathRegex:
description: Regex to match. Exactly one of PathExact,
PathPrefix, or PathRegex must be specified.
type: string
requestsMaxBurst:
description: |-
RequestsMaxBurst is the maximum number of requests that can be sent
in a burst. Should be equal to or greater than RequestsPerSecond. If unset,
defaults to RequestsPerSecond. Internally, this is the maximum size of the token
bucket used for rate limiting.
type: integer
requestsPerSecond:
description: |-
RequestsPerSecond is the average number of requests per
second that can be made without being throttled. This field is required
if RequestsMaxBurst is set. The allowed number of requests may exceed
RequestsPerSecond up to the value specified in RequestsMaxBurst.
Internally, this is the refill rate of the token bucket used for rate limiting.
type: integer
type: object
type: array
type: object
type: object
transparentProxy:
description: |-
TransparentProxy controls configuration specific to proxies in transparent mode.
Note: This cannot be set using the CRD and should be set using annotations on the
services that are part of the mesh.
properties:
dialedDirectly:
description: |-
DialedDirectly indicates whether transparent proxies can dial this proxy instance directly.
The discovery chain is not considered when dialing a service instance directly.
This setting is useful when addressing stateful services, such as a database cluster with a leader node.
type: boolean
outboundListenerPort:
description: |-
OutboundListenerPort is the port of the listener where outbound application
traffic is being redirected to.
type: integer
type: object
upstreamConfig:
description: |-
UpstreamConfig controls default configuration settings that apply across all upstreams,
and per-upstream configuration overrides. Note that per-upstream configuration applies
across all federated datacenters to the pairing of source and upstream destination services.
properties:
defaults:
description: |-
Defaults contains default configuration for all upstreams of a given
service. The name field must be empty.
properties:
connectTimeoutMs:
description: |-
ConnectTimeoutMs is the number of milliseconds to timeout making a new
connection to this upstream. Defaults to 5000 (5 seconds) if not set.
type: integer
envoyClusterJSON:
description: |-
EnvoyClusterJSON is a complete override ("escape hatch") for the upstream's
cluster. The Connect client TLS certificate and context will be injected
overriding any TLS settings present.
Note: This escape hatch is NOT compatible with the discovery chain and
will be ignored if a discovery chain is active.
type: string
envoyListenerJSON:
description: |-
EnvoyListenerJSON is a complete override ("escape hatch") for the upstream's
listener.
Note: This escape hatch is NOT compatible with the discovery chain and
will be ignored if a discovery chain is active.
type: string
limits:
description: |-
Limits are the set of limits that are applied to the proxy for a specific upstream of a
service instance.
properties:
maxConcurrentRequests:
description: |-
MaxConcurrentRequests is the maximum number of in-flight requests that will be allowed
to the upstream cluster at a point in time. This is mostly applicable to HTTP/2
clusters since all HTTP/1.1 requests are limited by MaxConnections.
type: integer
maxConnections:
description: |-
MaxConnections is the maximum number of connections the local proxy can
make to the upstream service.
type: integer
maxPendingRequests:
description: |-
MaxPendingRequests is the maximum number of requests that will be queued
waiting for an available connection. This is mostly applicable to HTTP/1.1
clusters since all HTTP/2 requests are streamed over a single
connection.
type: integer
type: object
meshGateway:
description: MeshGatewayConfig controls how Mesh Gateways
are configured and used.
properties:
mode:
description: |-
Mode is the mode that should be used for the upstream connection.
One of none, local, or remote.
type: string
type: object
name:
description: Name is only accepted within service ServiceDefaultsSpec.UpstreamConfig.Overrides
config entry.
type: string
namespace:
description: Namespace is only accepted within service ServiceDefaultsSpec.UpstreamConfig.Overrides
config entry.
type: string
partition:
description: Partition is only accepted within service ServiceDefaultsSpec.UpstreamConfig.Overrides
config entry.
type: string
passiveHealthCheck:
description: |-
PassiveHealthCheck configuration determines how upstream proxy instances will
be monitored for removal from the load balancing pool.
properties:
baseEjectionTime:
description: |-
The base time that a host is ejected for. The real time is equal to the base time
multiplied by the number of times the host has been ejected and is capped by
max_ejection_time (Default 300s). Defaults to 30s.
type: string
enforcingConsecutive5xx:
description: |-
EnforcingConsecutive5xx is the % chance that a host will be actually ejected
when an outlier status is detected through consecutive 5xx.
This setting can be used to disable ejection or to ramp it up slowly.
Ex. Setting this to 10 will make it a 10% chance that the host will be ejected.
format: int32
type: integer
interval:
description: |-
Interval between health check analysis sweeps. Each sweep may remove
hosts or return hosts to the pool. Ex. setting this to "10s" will set
the interval to 10 seconds.
type: string
maxEjectionPercent:
description: |-
The maximum % of an upstream cluster that can be ejected due to outlier detection.
Defaults to 10% but will eject at least one host regardless of the value.
format: int32
type: integer
maxFailures:
description: |-
MaxFailures is the count of consecutive failures that results in a host
being removed from the pool.
format: int32
type: integer
type: object
peer:
description: Peer is only accepted within service ServiceDefaultsSpec.UpstreamConfig.Overrides
config entry.
type: string
protocol:
description: |-
Protocol describes the upstream's service protocol. Valid values are "tcp",
"http" and "grpc". Anything else is treated as tcp. This enables protocol
aware features like per-request metrics and connection pooling, tracing,
routing etc.
type: string
type: object
overrides:
description: |-
Overrides is a slice of per-service configuration. The name field is
required.
items:
properties:
connectTimeoutMs:
description: |-
ConnectTimeoutMs is the number of milliseconds to timeout making a new
connection to this upstream. Defaults to 5000 (5 seconds) if not set.
type: integer
envoyClusterJSON:
description: |-
EnvoyClusterJSON is a complete override ("escape hatch") for the upstream's
cluster. The Connect client TLS certificate and context will be injected
overriding any TLS settings present.
Note: This escape hatch is NOT compatible with the discovery chain and
will be ignored if a discovery chain is active.
type: string
envoyListenerJSON:
description: |-
EnvoyListenerJSON is a complete override ("escape hatch") for the upstream's
listener.
Note: This escape hatch is NOT compatible with the discovery chain and
will be ignored if a discovery chain is active.
type: string
limits:
description: |-
Limits are the set of limits that are applied to the proxy for a specific upstream of a
service instance.
properties:
maxConcurrentRequests:
description: |-
MaxConcurrentRequests is the maximum number of in-flight requests that will be allowed
to the upstream cluster at a point in time. This is mostly applicable to HTTP/2
clusters since all HTTP/1.1 requests are limited by MaxConnections.
type: integer
maxConnections:
description: |-
MaxConnections is the maximum number of connections the local proxy can
make to the upstream service.
type: integer
maxPendingRequests:
description: |-
MaxPendingRequests is the maximum number of requests that will be queued
waiting for an available connection. This is mostly applicable to HTTP/1.1
clusters since all HTTP/2 requests are streamed over a single
connection.
type: integer
type: object
meshGateway:
description: MeshGatewayConfig controls how Mesh Gateways
are configured and used.
properties:
mode:
description: |-
Mode is the mode that should be used for the upstream connection.
One of none, local, or remote.
type: string
type: object
name:
description: Name is only accepted within service ServiceDefaultsSpec.UpstreamConfig.Overrides
config entry.
type: string
namespace:
description: Namespace is only accepted within service ServiceDefaultsSpec.UpstreamConfig.Overrides
config entry.
type: string
partition:
description: Partition is only accepted within service ServiceDefaultsSpec.UpstreamConfig.Overrides
config entry.
type: string
passiveHealthCheck:
description: |-
PassiveHealthCheck configuration determines how upstream proxy instances will
be monitored for removal from the load balancing pool.
properties:
baseEjectionTime:
description: |-
The base time that a host is ejected for. The real time is equal to the base time
multiplied by the number of times the host has been ejected and is capped by
max_ejection_time (Default 300s). Defaults to 30s.
type: string
enforcingConsecutive5xx:
description: |-
EnforcingConsecutive5xx is the % chance that a host will be actually ejected
when an outlier status is detected through consecutive 5xx.
This setting can be used to disable ejection or to ramp it up slowly.
Ex. Setting this to 10 will make it a 10% chance that the host will be ejected.
format: int32
type: integer
interval:
description: |-
Interval between health check analysis sweeps. Each sweep may remove
hosts or return hosts to the pool. Ex. setting this to "10s" will set
the interval to 10 seconds.
type: string
maxEjectionPercent:
description: |-
The maximum % of an upstream cluster that can be ejected due to outlier detection.
Defaults to 10% but will eject at least one host regardless of the value.
format: int32
type: integer
maxFailures:
description: |-
MaxFailures is the count of consecutive failures that results in a host
being removed from the pool.
format: int32
type: integer
type: object
peer:
description: Peer is only accepted within service ServiceDefaultsSpec.UpstreamConfig.Overrides
config entry.
type: string
protocol:
description: |-
Protocol describes the upstream's service protocol. Valid values are "tcp",
"http" and "grpc". Anything else is treated as tcp. This enables protocol
aware features like per-request metrics and connection pooling, tracing,
routing etc.
type: string
type: object
type: array
type: object
type: object
status:
properties:
conditions:
description: Conditions indicate the latest available observations
of a resource's current state.
items:
description: |-
Conditions define a readiness condition for a Consul resource.
See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties
properties:
lastTransitionTime:
description: LastTransitionTime is the last time the condition
transitioned from one status to another.
format: date-time
type: string
message:
description: A human readable message indicating details about
the transition.
type: string
reason:
description: The reason for the condition's last transition.
type: string
status:
description: Status of the condition, one of True, False, Unknown.
type: string
type:
description: Type of condition.
type: string
required:
- status
- type
type: object
type: array
lastSyncedTime:
description: LastSyncedTime is the last time the resource successfully
synced with Consul.
format: date-time
type: string
type: object
type: object
served: true
storage: true
subresources:
status: {}
{{- end }}
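Review bot: `spec.mutualTLSMode` is a bare `type: string` even though its description restricts it to "permissive" or "strict" and warns that in "permissive" mode intentions are not enforced for non-mTLS connections. Without an `enum`, a mistyped value such as "Strict" or "premissive" is accepted by the API server and its effect is decided later by the controller, which is a poor place to resolve a setting that governs whether intentions are enforced. Add `// +kubebuilder:validation:Enum=permissive;strict` to the Go field so the generated CRD carries the `enum`, and do the same for the other closed sets documented in this file: `meshGateway.mode` and `upstreamConfig.*.meshGateway.mode` ("One of none, local, or remote"), `balanceInboundConnections` ("The only supported value is exact_balance") and `expose.paths[].protocol` ("http" and "http2"). Leave the upstream `protocol` field alone, since its description deliberately maps anything else to tcp. Also, both `mode` and `transparentProxy` say "This cannot be set using the CRD and should be set using annotations" yet remain in the schema; either drop them from the spec type or state in the description that values set here are ignored, so users do not expect them to take effect.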

@ -0,0 +1,310 @@
{{- if .Values.connectInject.enabled }}
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
labels:
app: {{ template "consul.name" . }}
chart: {{ template "consul.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
component: crd
name: serviceintentions.consul.hashicorp.com
spec:
group: consul.hashicorp.com
names:
kind: ServiceIntentions
listKind: ServiceIntentionsList
plural: serviceintentions
shortNames:
- service-intentions
singular: serviceintentions
scope: Namespaced
versions:
- additionalPrinterColumns:
- description: The sync status of the resource with Consul
jsonPath: .status.conditions[?(@.type=="Synced")].status
name: Synced
type: string
- description: The last successful synced time of the resource with Consul
jsonPath: .status.lastSyncedTime
name: Last Synced
type: date
- description: The age of the resource
jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v1alpha1
schema:
openAPIV3Schema:
description: ServiceIntentions is the Schema for the serviceintentions API
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: ServiceIntentionsSpec defines the desired state of ServiceIntentions.
properties:
destination:
description: Destination is the intention destination that will have
the authorization granted to.
properties:
name:
description: |-
Name is the destination of all intentions defined in this config entry.
This may be set to the wildcard character (*) to match
all services that don't otherwise have intentions defined.
type: string
namespace:
description: |-
Namespace specifies the namespace the config entry will apply to.
This may be set to the wildcard character (*) to match all services
in all namespaces that don't otherwise have intentions defined.
type: string
type: object
jwt:
description: JWT specifies the configuration to validate a JSON Web
Token for all incoming requests.
properties:
providers:
description: Providers is a list of providers to consider when
verifying a JWT.
items:
properties:
name:
description: |-
Name is the name of the JWT provider. There MUST be a corresponding
"jwt-provider" config entry with this name.
type: string
verifyClaims:
description: VerifyClaims is a list of additional claims
to verify in a JWT's payload.
items:
properties:
path:
description: Path is the path to the claim in the
token JSON.
items:
type: string
type: array
value:
description: |-
Value is the expected value at the given path. If the type at the path
is a list then we verify that this value is contained in the list. If
the type at the path is a string then we verify that this value matches.
type: string
type: object
type: array
type: object
type: array
type: object
sources:
description: |-
Sources is the list of all intention sources and the authorization granted to those sources.
The order of this list does not matter, but out of convenience Consul will always store this
reverse sorted by intention precedence, as that is the order that they will be evaluated at enforcement time.
items:
properties:
action:
description: |-
Action is required for an L4 intention, and should be set to one of
"allow" or "deny" for the action that should be taken if this intention matches a request.
type: string
description:
description: Description for the intention. This is not used
by Consul, but is presented in API responses to assist tooling.
type: string
name:
description: |-
Name is the source of the intention. This is the name of a
Consul service. The service doesn't need to be registered.
type: string
namespace:
description: Namespace is the namespace for the Name parameter.
type: string
partition:
description: Partition is the Admin Partition for the Name parameter.
type: string
peer:
description: Peer is the peer name for the Name parameter.
type: string
permissions:
description: |-
Permissions is the list of all additional L7 attributes that extend the intention match criteria.
Permission precedence is applied top to bottom. For any given request the first permission to match
in the list is terminal and stops further evaluation. As with L4 intentions, traffic that fails to
match any of the provided permissions in this intention will be subject to the default intention
behavior is defined by the default ACL policy. This should be omitted for an L4 intention
as it is mutually exclusive with the Action field.
items:
properties:
action:
description: |-
Action is one of "allow" or "deny" for the action that
should be taken if this permission matches a request.
type: string
http:
description: HTTP is a set of HTTP-specific authorization
criteria.
properties:
header:
description: |-
Header is a set of criteria that can match on HTTP request headers.
If more than one is configured all must match for the overall match to apply.
items:
properties:
exact:
description: Exact matches if the header with
the given name is this value.
type: string
invert:
description: Invert inverts the logic of the
match.
type: boolean
name:
description: Name is the name of the header
to match.
type: string
prefix:
description: Prefix matches if the header with
the given name has this prefix.
type: string
present:
description: Present matches if the header with
the given name is present with any value.
type: boolean
regex:
description: Regex matches if the header with
the given name matches this pattern.
type: string
suffix:
description: Suffix matches if the header with
the given name has this suffix.
type: string
type: object
type: array
methods:
description: |-
Methods is a list of HTTP methods for which this match applies. If unspecified
all HTTP methods are matched. If provided the names must be a valid method.
items:
type: string
type: array
pathExact:
description: PathExact is the exact path to match
on the HTTP request path.
type: string
pathPrefix:
description: PathPrefix is the path prefix to match
on the HTTP request path.
type: string
pathRegex:
description: PathRegex is the regular expression to
match on the HTTP request path.
type: string
type: object
jwt:
description: JWT specifies configuration to validate a
JSON Web Token for incoming requests.
properties:
providers:
description: Providers is a list of providers to consider
when verifying a JWT.
items:
properties:
name:
description: |-
Name is the name of the JWT provider. There MUST be a corresponding
"jwt-provider" config entry with this name.
type: string
verifyClaims:
description: VerifyClaims is a list of additional
claims to verify in a JWT's payload.
items:
properties:
path:
description: Path is the path to the claim
in the token JSON.
items:
type: string
type: array
value:
description: |-
Value is the expected value at the given path. If the type at the path
is a list then we verify that this value is contained in the list. If
the type at the path is a string then we verify that this value matches.
type: string
type: object
type: array
type: object
type: array
type: object
type: object
type: array
samenessGroup:
description: SamenessGroup is the name of the sameness group,
if applicable.
type: string
type: object
type: array
type: object
status:
properties:
conditions:
description: Conditions indicate the latest available observations
of a resource's current state.
items:
description: |-
Conditions define a readiness condition for a Consul resource.
See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties
properties:
lastTransitionTime:
description: LastTransitionTime is the last time the condition
transitioned from one status to another.
format: date-time
type: string
message:
description: A human readable message indicating details about
the transition.
type: string
reason:
description: The reason for the condition's last transition.
type: string
status:
description: Status of the condition, one of True, False, Unknown.
type: string
type:
description: Type of condition.
type: string
required:
- status
- type
type: object
type: array
lastSyncedTime:
description: LastSyncedTime is the last time the resource successfully
synced with Consul.
format: date-time
type: string
type: object
type: object
served: true
storage: true
subresources:
status: {}
{{- end }}
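Review bot: the `action` fields under `spec.sources[]` and `spec.sources[].permissions[]` in this ServiceIntentions schema are bare `type: string` although their descriptions restrict them to "allow" or "deny"; an `enum: [allow, deny]` would let the API server reject a mistyped action at admission instead of leaving it to fail at sync time (this file is controller-gen output per the `controller-gen.kubebuilder.io/version` annotation, so the fix belongs in the upstream `+kubebuilder:validation:Enum` marker). In the same hunk the `permissions[].http.header[]` items have no `required: - name` entry, so a header matcher without a header name passes schema validation, whereas the `servicerouters` CRD later in this commit does declare `required: - name` on its header items. Doc nit: the `permissions` description reads "will be subject to the default intention behavior is defined by the default ACL policy" and should read "behavior that is defined by the default ACL policy".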

View File

@ -0,0 +1,372 @@
{{- if .Values.connectInject.enabled }}
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
labels:
app: {{ template "consul.name" . }}
chart: {{ template "consul.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
component: crd
name: serviceresolvers.consul.hashicorp.com
spec:
group: consul.hashicorp.com
names:
kind: ServiceResolver
listKind: ServiceResolverList
plural: serviceresolvers
shortNames:
- service-resolver
singular: serviceresolver
scope: Namespaced
versions:
- additionalPrinterColumns:
- description: The sync status of the resource with Consul
jsonPath: .status.conditions[?(@.type=="Synced")].status
name: Synced
type: string
- description: The last successful synced time of the resource with Consul
jsonPath: .status.lastSyncedTime
name: Last Synced
type: date
- description: The age of the resource
jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v1alpha1
schema:
openAPIV3Schema:
description: ServiceResolver is the Schema for the serviceresolvers API
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: ServiceResolverSpec defines the desired state of ServiceResolver.
properties:
connectTimeout:
description: |-
ConnectTimeout is the timeout for establishing new network connections
to this service.
type: string
defaultSubset:
description: |-
DefaultSubset is the subset to use when no explicit subset is requested.
If empty the unnamed subset is used.
type: string
failover:
additionalProperties:
properties:
datacenters:
description: Datacenters is a fixed list of datacenters to try
during failover.
items:
type: string
type: array
namespace:
description: |-
Namespace is the namespace to resolve the requested service from to form
the failover group of instances. If empty the current namespace is used.
type: string
policy:
description: Policy specifies the exact mechanism used for failover.
properties:
mode:
description: |-
Mode specifies the type of failover that will be performed. Valid values are
"sequential", "" (equivalent to "sequential") and "order-by-locality".
type: string
regions:
description: |-
Regions is the ordered list of the regions of the failover targets.
Valid values can be "us-west-1", "us-west-2", and so on.
items:
type: string
type: array
type: object
samenessGroup:
description: SamenessGroup is the name of the sameness group
to try during failover.
type: string
service:
description: |-
Service is the service to resolve instead of the default as the failover
group of instances during failover.
type: string
serviceSubset:
description: |-
ServiceSubset is the named subset of the requested service to resolve as
the failover group of instances. If empty the default subset for the
requested service is used.
type: string
targets:
description: Targets specifies a fixed list of failover targets
to try during failover.
items:
properties:
datacenter:
description: Datacenter specifies the datacenter to try
during failover.
type: string
namespace:
description: Namespace specifies the namespace to try
during failover.
type: string
partition:
description: Partition specifies the partition to try
during failover.
type: string
peer:
description: Peer specifies the name of the cluster peer
to try during failover.
type: string
service:
description: Service specifies the name of the service
to try during failover.
type: string
serviceSubset:
description: ServiceSubset specifies the service subset
to try during failover.
type: string
type: object
type: array
type: object
description: |-
Failover controls when and how to reroute traffic to an alternate pool of
service instances.
The map is keyed by the service subset it applies to and the special
string "*" is a wildcard that applies to any subset not otherwise
specified here.
type: object
loadBalancer:
description: |-
LoadBalancer determines the load balancing policy and configuration for services
issuing requests to this upstream service.
properties:
hashPolicies:
description: |-
HashPolicies is a list of hash policies to use for hashing load balancing algorithms.
Hash policies are evaluated individually and combined such that identical lists
result in the same hash.
If no hash policies are present, or none are successfully evaluated,
then a random backend host will be selected.
items:
properties:
cookieConfig:
description: CookieConfig contains configuration for the
"cookie" hash policy type.
properties:
path:
description: Path is the path to set for the cookie.
type: string
session:
description: Session determines whether to generate
a session cookie with no expiration.
type: boolean
ttl:
description: TTL is the ttl for generated cookies. Cannot
be specified for session cookies.
type: string
type: object
field:
description: |-
Field is the attribute type to hash on.
Must be one of "header", "cookie", or "query_parameter".
Cannot be specified along with sourceIP.
type: string
fieldValue:
description: |-
FieldValue is the value to hash.
ie. header name, cookie name, URL query parameter name
Cannot be specified along with sourceIP.
type: string
sourceIP:
description: |-
SourceIP determines whether the hash should be of the source IP rather than of a field and field value.
Cannot be specified along with field or fieldValue.
type: boolean
terminal:
description: |-
Terminal will short circuit the computation of the hash when multiple hash policies are present.
If a hash is computed when a Terminal policy is evaluated,
then that hash will be used and subsequent hash policies will be ignored.
type: boolean
type: object
type: array
leastRequestConfig:
description: LeastRequestConfig contains configuration for the
"leastRequest" policy type.
properties:
choiceCount:
description: ChoiceCount determines the number of random healthy
hosts from which to select the one with the least requests.
format: int32
type: integer
type: object
policy:
description: Policy is the load balancing policy used to select
a host.
type: string
ringHashConfig:
description: RingHashConfig contains configuration for the "ringHash"
policy type.
properties:
maximumRingSize:
description: MaximumRingSize determines the maximum number
of entries in the hash ring.
format: int64
type: integer
minimumRingSize:
description: MinimumRingSize determines the minimum number
of entries in the hash ring.
format: int64
type: integer
type: object
type: object
prioritizeByLocality:
description: |-
PrioritizeByLocality controls whether the locality of services within the
local partition will be used to prioritize connectivity.
properties:
mode:
description: |-
Mode specifies the type of prioritization that will be performed
when selecting nodes in the local partition.
Valid values are: "" (default "none"), "none", and "failover".
type: string
type: object
redirect:
description: |-
Redirect when configured, all attempts to resolve the service this
resolver defines will be substituted for the supplied redirect
EXCEPT when the redirect has already been applied.
When substituting the supplied redirect, all other fields besides
Kind, Name, and Redirect will be ignored.
properties:
datacenter:
description: |-
Datacenter is the datacenter to resolve the service from instead of the
current one.
type: string
namespace:
description: |-
Namespace is the Consul namespace to resolve the service from instead of
the current namespace. If empty the current namespace is assumed.
type: string
partition:
description: |-
Partition is the Consul partition to resolve the service from instead of
the current partition. If empty the current partition is assumed.
type: string
peer:
description: |-
Peer is the name of the cluster peer to resolve the service from instead
of the current one.
type: string
samenessGroup:
description: SamenessGroup is the name of the sameness group to
resolve the service from instead of the current one.
type: string
service:
description: Service is a service to resolve instead of the current
service.
type: string
serviceSubset:
description: |-
ServiceSubset is a named subset of the given service to resolve instead
of one defined as that service's DefaultSubset If empty the default
subset is used.
type: string
type: object
requestTimeout:
description: |-
RequestTimeout is the timeout for receiving an HTTP response from this
service before the connection is terminated.
type: string
subsets:
additionalProperties:
properties:
filter:
description: |-
Filter is the filter expression to be used for selecting instances of the
requested service. If empty all healthy instances are returned. This
expression can filter on the same selectors as the Health API endpoint.
type: string
onlyPassing:
description: |-
OnlyPassing specifies the behavior of the resolver's health check
interpretation. If this is set to false, instances with checks in the
passing as well as the warning states will be considered healthy. If this
is set to true, only instances with checks in the passing state will be
considered healthy.
type: boolean
type: object
description: |-
Subsets is map of subset name to subset definition for all usable named
subsets of this service. The map key is the name of the subset and all
names must be valid DNS subdomain elements.
This may be empty, in which case only the unnamed default subset will
be usable.
type: object
type: object
status:
properties:
conditions:
description: Conditions indicate the latest available observations
of a resource's current state.
items:
description: |-
Conditions define a readiness condition for a Consul resource.
See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties
properties:
lastTransitionTime:
description: LastTransitionTime is the last time the condition
transitioned from one status to another.
format: date-time
type: string
message:
description: A human readable message indicating details about
the transition.
type: string
reason:
description: The reason for the condition's last transition.
type: string
status:
description: Status of the condition, one of True, False, Unknown.
type: string
type:
description: Type of condition.
type: string
required:
- status
- type
type: object
type: array
lastSyncedTime:
description: LastSyncedTime is the last time the resource successfully
synced with Consul.
format: date-time
type: string
type: object
type: object
served: true
storage: true
subresources:
status: {}
{{- end }}
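Review bot: several enumerated fields in this ServiceResolver schema are plain strings with their valid values listed only in prose: `failover.*.policy.mode` ("sequential", "", "order-by-locality"), `loadBalancer.hashPolicies[].field` ("header", "cookie", "query_parameter") and `prioritizeByLocality.mode` ("", "none", "failover"). An `enum:` on each would reject invalid values at admission rather than at sync. `connectTimeout` and `requestTimeout` are likewise unconstrained strings; a `pattern:` limiting them to duration syntax would catch malformed timeouts before the controller tries to apply them. Doc nits: the `redirect` description opens "Redirect when configured, all attempts to resolve the service this resolver defines will be substituted" and should read "Redirect, when configured, substitutes all attempts to resolve the service this resolver defines"; the `redirect.serviceSubset` description is missing a period before "If empty the default subset is used."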

View File

@ -0,0 +1,335 @@
{{- if .Values.connectInject.enabled }}
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
labels:
app: {{ template "consul.name" . }}
chart: {{ template "consul.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
component: crd
name: servicerouters.consul.hashicorp.com
spec:
group: consul.hashicorp.com
names:
kind: ServiceRouter
listKind: ServiceRouterList
plural: servicerouters
shortNames:
- service-router
singular: servicerouter
scope: Namespaced
versions:
- additionalPrinterColumns:
- description: The sync status of the resource with Consul
jsonPath: .status.conditions[?(@.type=="Synced")].status
name: Synced
type: string
- description: The last successful synced time of the resource with Consul
jsonPath: .status.lastSyncedTime
name: Last Synced
type: date
- description: The age of the resource
jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v1alpha1
schema:
openAPIV3Schema:
description: ServiceRouter is the Schema for the servicerouters API
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: ServiceRouterSpec defines the desired state of ServiceRouter.
properties:
routes:
description: |-
Routes are the list of routes to consider when processing L7 requests.
The first route to match in the list is terminal and stops further
evaluation. Traffic that fails to match any of the provided routes will
be routed to the default service.
items:
properties:
destination:
description: Destination controls how to proxy the matching
request(s) to a service.
properties:
idleTimeout:
description: |-
IdleTimeout is total amount of time permitted
for the request stream to be idle.
type: string
namespace:
description: |-
Namespace is the Consul namespace to resolve the service from instead of
the current namespace. If empty the current namespace is assumed.
type: string
numRetries:
description: NumRetries is the number of times to retry
the request when a retryable result occurs
format: int32
type: integer
partition:
description: |-
Partition is the Consul partition to resolve the service from instead of
the current partition. If empty the current partition is assumed.
type: string
prefixRewrite:
description: |-
PrefixRewrite defines how to rewrite the HTTP request path before proxying
it to its final destination.
This requires that either match.http.pathPrefix or match.http.pathExact
be configured on this route.
type: string
requestHeaders:
description: Allow HTTP header manipulation to be configured.
properties:
add:
additionalProperties:
type: string
description: |-
Add is a set of name -> value pairs that should be appended to the request
or response (i.e. allowing duplicates if the same header already exists).
type: object
remove:
description: |-
Remove is the set of header names that should be stripped from the request
or response.
items:
type: string
type: array
set:
additionalProperties:
type: string
description: |-
Set is a set of name -> value pairs that should be added to the request or
response, overwriting any existing header values of the same name.
type: object
type: object
requestTimeout:
description: |-
RequestTimeout is the total amount of time permitted for the entire
downstream request (and retries) to be processed.
type: string
responseHeaders:
description: |-
HTTPHeaderModifiers is a set of rules for HTTP header modification that
should be performed by proxies as the request passes through them. It can
operate on either request or response headers depending on the context in
which it is used.
properties:
add:
additionalProperties:
type: string
description: |-
Add is a set of name -> value pairs that should be appended to the request
or response (i.e. allowing duplicates if the same header already exists).
type: object
remove:
description: |-
Remove is the set of header names that should be stripped from the request
or response.
items:
type: string
type: array
set:
additionalProperties:
type: string
description: |-
Set is a set of name -> value pairs that should be added to the request or
response, overwriting any existing header values of the same name.
type: object
type: object
retryOn:
description: |-
RetryOn is a flat list of conditions for Consul to retry requests based on the response from an upstream service.
Refer to the valid conditions here: https://developer.hashicorp.com/consul/docs/connect/config-entries/service-router#routes-destination-retryon
items:
type: string
type: array
retryOnConnectFailure:
description: RetryOnConnectFailure allows for connection
failure errors to trigger a retry.
type: boolean
retryOnStatusCodes:
description: RetryOnStatusCodes is a flat list of http response
status codes that are eligible for retry.
items:
format: int32
type: integer
type: array
service:
description: |-
Service is the service to resolve instead of the default service.
If empty then the default service name is used.
type: string
serviceSubset:
description: |-
ServiceSubset is a named subset of the given service to resolve instead
of the one defined as that service's DefaultSubset.
If empty, the default subset is used.
type: string
type: object
match:
description: |-
Match is a set of criteria that can match incoming L7 requests.
If empty or omitted it acts as a catch-all.
properties:
http:
description: HTTP is a set of http-specific match criteria.
properties:
caseInsensitive:
description: CaseInsensitive configures PathExact and
PathPrefix matches to ignore upper/lower casing.
type: boolean
header:
description: |-
Header is a set of criteria that can match on HTTP request headers.
If more than one is configured all must match for the overall match to apply.
items:
properties:
exact:
description: Exact will match if the header with
the given name is this value.
type: string
invert:
description: Invert inverts the logic of the match.
type: boolean
name:
description: Name is the name of the header to
match.
type: string
prefix:
description: Prefix will match if the header with
the given name has this prefix.
type: string
present:
description: Present will match if the header
with the given name is present with any value.
type: boolean
regex:
description: Regex will match if the header with
the given name matches this pattern.
type: string
suffix:
description: Suffix will match if the header with
the given name has this suffix.
type: string
required:
- name
type: object
type: array
methods:
description: |-
Methods is a list of HTTP methods for which this match applies.
If unspecified all http methods are matched.
items:
type: string
type: array
pathExact:
description: PathExact is an exact path to match on
the HTTP request path.
type: string
pathPrefix:
description: PathPrefix is a path prefix to match on
the HTTP request path.
type: string
pathRegex:
description: PathRegex is a regular expression to match
on the HTTP request path.
type: string
queryParam:
description: |-
QueryParam is a set of criteria that can match on HTTP query parameters.
If more than one is configured all must match for the overall match to apply.
items:
properties:
exact:
description: Exact will match if the query parameter
with the given name is this value.
type: string
name:
description: Name is the name of the query parameter
to match on.
type: string
present:
description: |-
Present will match if the query parameter with the given name is present
with any value.
type: boolean
regex:
description: Regex will match if the query parameter
with the given name matches this pattern.
type: string
required:
- name
type: object
type: array
type: object
type: object
type: object
type: array
type: object
status:
properties:
conditions:
description: Conditions indicate the latest available observations
of a resource's current state.
items:
description: |-
Conditions define a readiness condition for a Consul resource.
See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties
properties:
lastTransitionTime:
description: LastTransitionTime is the last time the condition
transitioned from one status to another.
format: date-time
type: string
message:
description: A human readable message indicating details about
the transition.
type: string
reason:
description: The reason for the condition's last transition.
type: string
status:
description: Status of the condition, one of True, False, Unknown.
type: string
type:
description: Type of condition.
type: string
required:
- status
- type
type: object
type: array
lastSyncedTime:
description: LastSyncedTime is the last time the resource successfully
synced with Consul.
format: date-time
type: string
type: object
type: object
served: true
storage: true
subresources:
status: {}
{{- end }}
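Review bot: the `responseHeaders` description under `routes[].destination` is the leaked Go type doc ("HTTPHeaderModifiers is a set of rules for HTTP header modification ... It can operate on either request or response headers depending on the context") rather than a description of the field; compare `requestHeaders` just above it, which says "Allow HTTP header manipulation to be configured." Both should say what the field does (request headers versus response headers). Also `retryOnStatusCodes` items are `int32` with no `minimum`/`maximum` and `numRetries` has no `minimum: 0`, so negative retry counts and out-of-range status codes pass schema validation and surface only in the `Synced` condition; bounds in the schema would give users the error at `kubectl apply`. The `required: - name` on both the `header[]` and `queryParam[]` matchers is correct and should be mirrored in the ServiceIntentions header matcher.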

View File

@ -0,0 +1,194 @@
{{- if .Values.connectInject.enabled }}
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
labels:
app: {{ template "consul.name" . }}
chart: {{ template "consul.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
component: crd
name: servicesplitters.consul.hashicorp.com
spec:
group: consul.hashicorp.com
names:
kind: ServiceSplitter
listKind: ServiceSplitterList
plural: servicesplitters
shortNames:
- service-splitter
singular: servicesplitter
scope: Namespaced
versions:
- additionalPrinterColumns:
- description: The sync status of the resource with Consul
jsonPath: .status.conditions[?(@.type=="Synced")].status
name: Synced
type: string
- description: The last successful synced time of the resource with Consul
jsonPath: .status.lastSyncedTime
name: Last Synced
type: date
- description: The age of the resource
jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v1alpha1
schema:
openAPIV3Schema:
description: ServiceSplitter is the Schema for the servicesplitters API
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: ServiceSplitterSpec defines the desired state of ServiceSplitter.
properties:
splits:
description: |-
Splits defines how much traffic to send to which set of service instances during a traffic split.
The sum of weights across all splits must add up to 100.
items:
properties:
namespace:
description: |-
Namespace is the Consul namespace to resolve the service from instead of
the current namespace. If empty the current namespace is assumed.
type: string
partition:
description: |-
Partition is the Consul partition to resolve the service from instead of
the current partition. If empty the current partition is assumed.
type: string
requestHeaders:
description: Allow HTTP header manipulation to be configured.
properties:
add:
additionalProperties:
type: string
description: |-
Add is a set of name -> value pairs that should be appended to the request
or response (i.e. allowing duplicates if the same header already exists).
type: object
remove:
description: |-
Remove is the set of header names that should be stripped from the request
or response.
items:
type: string
type: array
set:
additionalProperties:
type: string
description: |-
Set is a set of name -> value pairs that should be added to the request or
response, overwriting any existing header values of the same name.
type: object
type: object
responseHeaders:
description: |-
HTTPHeaderModifiers is a set of rules for HTTP header modification that
should be performed by proxies as the request passes through them. It can
operate on either request or response headers depending on the context in
which it is used.
properties:
add:
additionalProperties:
type: string
description: |-
Add is a set of name -> value pairs that should be appended to the request
or response (i.e. allowing duplicates if the same header already exists).
type: object
remove:
description: |-
Remove is the set of header names that should be stripped from the request
or response.
items:
type: string
type: array
set:
additionalProperties:
type: string
description: |-
Set is a set of name -> value pairs that should be added to the request or
response, overwriting any existing header values of the same name.
type: object
type: object
service:
description: Service is the service to resolve instead of the
default.
type: string
serviceSubset:
description: |-
ServiceSubset is a named subset of the given service to resolve instead of one defined
as that service's DefaultSubset. If empty the default subset is used.
type: string
weight:
description: |-
Weight is a value between 0 and 100 reflecting what portion of traffic should be directed to this split.
The smallest representable weight is 1/10000 or .01%.
type: number
type: object
type: array
type: object
status:
properties:
conditions:
description: Conditions indicate the latest available observations
of a resource's current state.
items:
description: |-
Conditions define a readiness condition for a Consul resource.
See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties
properties:
lastTransitionTime:
description: LastTransitionTime is the last time the condition
transitioned from one status to another.
format: date-time
type: string
message:
description: A human readable message indicating details about
the transition.
type: string
reason:
description: The reason for the condition's last transition.
type: string
status:
description: Status of the condition, one of True, False, Unknown.
type: string
type:
description: Type of condition.
type: string
required:
- status
- type
type: object
type: array
lastSyncedTime:
description: LastSyncedTime is the last time the resource successfully
synced with Consul.
format: date-time
type: string
type: object
type: object
served: true
storage: true
subresources:
status: {}
{{- end }}
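Review bot: the `weight` field in this hunk is documented as "a value between 0 and 100" with a smallest representable weight of 1/10000, yet the schema declares only `type: number` with no `minimum`/`maximum`, so the API server admits negative or >100 weights and the error only surfaces when the controller syncs the resource to Consul; suggest adding `minimum: 0` and `maximum: 100` beside `type: number`. The status condition `status` field has the same gap: its description says "one of True, False, Unknown" but carries no `enum`, whereas the gateway-api TCPRoute CRD in this same commit constrains it with `enum: ["True", "False", Unknown]`, and matching that here keeps the two status schemas consistent.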

View File

@ -0,0 +1,281 @@
{{- if and .Values.connectInject.enabled (or .Values.connectInject.apiGateway.manageExternalCRDs .Values.connectInject.apiGateway.manageNonStandardCRDs ) }}
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/1538
gateway.networking.k8s.io/bundle-version: v0.6.2
gateway.networking.k8s.io/channel: experimental
creationTimestamp: null
labels:
app: {{ template "consul.name" . }}
chart: {{ template "consul.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
component: crd
name: tcproutes.gateway.networking.k8s.io
spec:
group: gateway.networking.k8s.io
names:
categories:
- gateway-api
kind: TCPRoute
listKind: TCPRouteList
plural: tcproutes
singular: tcproute
scope: Namespaced
versions:
- additionalPrinterColumns:
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v1alpha2
schema:
openAPIV3Schema:
description: TCPRoute provides a way to route TCP requests. When combined with a Gateway listener, it can be used to forward connections on the port specified by the listener to a set of backends specified by the TCPRoute.
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: Spec defines the desired state of TCPRoute.
properties:
parentRefs:
description: "ParentRefs references the resources (usually Gateways) that a Route wants to be attached to. Note that the referenced parent resource needs to allow this for the attachment to be complete. For Gateways, that means the Gateway needs to allow attachment from Routes of this kind and namespace. \n The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources such as one of the route kinds. \n It is invalid to reference an identical parent more than once. It is valid to reference multiple distinct sections within the same parent resource, such as 2 Listeners within a Gateway. \n It is possible to separately reference multiple distinct objects that may be collapsed by an implementation. For example, some implementations may choose to merge compatible Gateway Listeners together. If that is the case, the list of routes attached to those resources should also be merged. \n Note that for ParentRefs that cross namespace boundaries, there are specific rules. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example, Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference."
items:
description: "ParentReference identifies an API object (usually a Gateway) that can be considered a parent of this resource (usually a route). The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources, such as HTTPRoute. \n The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid."
properties:
group:
default: gateway.networking.k8s.io
description: "Group is the group of the referent. When unspecified, \"gateway.networking.k8s.io\" is inferred. To set the core API group (such as for a \"Service\" kind referent), Group must be explicitly set to \"\" (empty string). \n Support: Core"
maxLength: 253
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
kind:
default: Gateway
description: "Kind is kind of the referent. \n Support: Core (Gateway) \n Support: Implementation-specific (Other Resources)"
maxLength: 63
minLength: 1
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
type: string
name:
description: "Name is the name of the referent. \n Support: Core"
maxLength: 253
minLength: 1
type: string
namespace:
description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n Support: Core"
maxLength: 63
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
port:
description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n <gateway:experimental>"
format: int32
maximum: 65535
minimum: 1
type: integer
sectionName:
description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core"
maxLength: 253
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
required:
- name
type: object
maxItems: 32
type: array
rules:
description: Rules are a list of TCP matchers and actions.
items:
description: TCPRouteRule is the configuration for a given rule.
properties:
backendRefs:
description: "BackendRefs defines the backend(s) where matching requests should be sent. If unspecified or invalid (refers to a non-existent resource or a Service with no endpoints), the underlying implementation MUST actively reject connection attempts to this backend. Connection rejections must respect weight; if an invalid backend is requested to have 80% of connections, then 80% of connections must be rejected instead. \n Support: Core for Kubernetes Service \n Support: Implementation-specific for any other resource \n Support for weight: Extended"
items:
description: "BackendRef defines how a Route should forward a request to a Kubernetes resource. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details."
properties:
group:
default: ""
description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred.
maxLength: 253
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
kind:
default: Service
description: Kind is kind of the referent. For example "HTTPRoute" or "Service". Defaults to "Service" when not specified.
maxLength: 63
minLength: 1
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
type: string
name:
description: Name is the name of the referent.
maxLength: 253
minLength: 1
type: string
namespace:
description: "Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. \n Support: Core"
maxLength: 63
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
port:
description: Port specifies the destination port number to use for this resource. Port is required when the referent is a Kubernetes Service. In this case, the port number is the service port number, not the target port. For other resources, destination port might be derived from the referent resource or this field.
format: int32
maximum: 65535
minimum: 1
type: integer
weight:
default: 1
description: "Weight specifies the proportion of requests forwarded to the referenced backend. This is computed as weight/(sum of all weights in this BackendRefs list). For non-zero values, there may be some epsilon from the exact proportion defined here depending on the precision an implementation supports. Weight is not a percentage and the sum of weights does not need to equal 100. \n If only one backend is specified and it has a weight greater than 0, 100% of the traffic is forwarded to that backend. If weight is set to 0, no traffic should be forwarded for this entry. If unspecified, weight defaults to 1. \n Support for this field varies based on the context where used."
format: int32
maximum: 1000000
minimum: 0
type: integer
required:
- name
type: object
maxItems: 16
minItems: 1
type: array
type: object
maxItems: 16
minItems: 1
type: array
required:
- rules
type: object
status:
description: Status defines the current state of TCPRoute.
properties:
parents:
description: "Parents is a list of parent resources (usually Gateways) that are associated with the route, and the status of the route with respect to each parent. When this route attaches to a parent, the controller that manages the parent must add an entry to this list when the controller first sees the route and should update the entry as appropriate when the route or gateway is modified. \n Note that parent references that cannot be resolved by an implementation of this API will not be added to this list. Implementations of this API can only populate Route status for the Gateways/parent resources they are responsible for. \n A maximum of 32 Gateways will be represented in this list. An empty list means the route has not been attached to any Gateway."
items:
description: RouteParentStatus describes the status of a route with respect to an associated Parent.
properties:
conditions:
description: "Conditions describes the status of the route with respect to the Gateway. Note that the route's availability is also subject to the Gateway's own status conditions and listener status. \n If the Route's ParentRef specifies an existing Gateway that supports Routes of this kind AND that Gateway's controller has sufficient access, then that Gateway's controller MUST set the \"Accepted\" condition on the Route, to indicate whether the route has been accepted or rejected by the Gateway, and why. \n A Route MUST be considered \"Accepted\" if at least one of the Route's rules is implemented by the Gateway. \n There are a number of cases where the \"Accepted\" condition may not be set due to lack of controller visibility, that includes when: \n * The Route refers to a non-existent parent. * The Route is of a type that the controller does not support. * The Route is in a namespace the controller does not have access to."
items:
description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n \ttype FooStatus struct{ \t // Represents the observations of a foo's current state. \t // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" \t // +patchMergeKey=type \t // +patchStrategy=merge \t // +listType=map \t // +listMapKey=type \t Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n \t // other fields \t}"
properties:
lastTransitionTime:
description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
format: date-time
type: string
message:
description: message is a human readable message indicating details about the transition. This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.
format: int64
minimum: 0
type: integer
reason:
description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
type: string
status:
description: status of the condition, one of True, False, Unknown.
enum:
- "True"
- "False"
- Unknown
type: string
type:
description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
- lastTransitionTime
- message
- reason
- status
- type
type: object
maxItems: 8
minItems: 1
type: array
x-kubernetes-list-map-keys:
- type
x-kubernetes-list-type: map
controllerName:
description: "ControllerName is a domain/path string that indicates the name of the controller that wrote this status. This corresponds with the controllerName field on GatewayClass. \n Example: \"example.net/gateway-controller\". \n The format of this field is DOMAIN \"/\" PATH, where DOMAIN and PATH are valid Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). \n Controllers MUST populate this field when writing status. Controllers should ensure that entries to status populated with their ControllerName are cleaned up when they are no longer necessary."
maxLength: 253
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$
type: string
parentRef:
description: ParentRef corresponds with a ParentRef in the spec that this RouteParentStatus struct describes the status of.
properties:
group:
default: gateway.networking.k8s.io
description: "Group is the group of the referent. When unspecified, \"gateway.networking.k8s.io\" is inferred. To set the core API group (such as for a \"Service\" kind referent), Group must be explicitly set to \"\" (empty string). \n Support: Core"
maxLength: 253
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
kind:
default: Gateway
description: "Kind is kind of the referent. \n Support: Core (Gateway) \n Support: Implementation-specific (Other Resources)"
maxLength: 63
minLength: 1
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
type: string
name:
description: "Name is the name of the referent. \n Support: Core"
maxLength: 253
minLength: 1
type: string
namespace:
description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n Support: Core"
maxLength: 63
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
port:
description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n <gateway:experimental>"
format: int32
maximum: 65535
minimum: 1
type: integer
sectionName:
description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core"
maxLength: 253
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
required:
- name
type: object
required:
- controllerName
- parentRef
type: object
maxItems: 32
type: array
required:
- parents
type: object
required:
- spec
type: object
served: true
storage: true
subresources:
status: {}
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []
{{- end }}
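Review bot: the guard on the first line installs a cluster-scoped gateway-api CRD pinned to bundle `v0.6.2` on the `experimental` channel (see the `gateway.networking.k8s.io/bundle-version` and `channel` annotations) whenever `connectInject.apiGateway.manageExternalCRDs` or `manageNonStandardCRDs` is set. Because CRDs are cluster-scoped, a `tcproutes.gateway.networking.k8s.io` already installed by another gateway-api controller will collide with this one (Helm refuses to adopt a resource it does not own), so the values documentation for those two flags should state that they must be off when gateway-api CRDs are managed elsewhere. Minor: `creationTimestamp: null` and the trailing `status:` block (`acceptedNames`, `conditions: []`, `storedVersions: []`) are server-populated fields copied from generated output and can be dropped from the template.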

View File

@ -0,0 +1,299 @@
{{- if .Values.connectInject.enabled }}
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
labels:
app: {{ template "consul.name" . }}
chart: {{ template "consul.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
component: crd
name: tcproutes.mesh.consul.hashicorp.com
spec:
group: mesh.consul.hashicorp.com
names:
kind: TCPRoute
listKind: TCPRouteList
plural: tcproutes
shortNames:
- tcp-route
singular: tcproute
scope: Namespaced
versions:
- additionalPrinterColumns:
- description: The sync status of the resource with Consul
jsonPath: .status.conditions[?(@.type=="Synced")].status
name: Synced
type: string
- description: The last successful synced time of the resource with Consul
jsonPath: .status.lastSyncedTime
name: Last Synced
type: date
- description: The age of the resource
jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v2beta1
schema:
openAPIV3Schema:
description: TCPRoute is the Schema for the TCP Route API
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: |-
NOTE: this should align to the GAMMA/gateway-api version, or at least be
easily translatable.
https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1alpha2.TCPRoute
This is a Resource type.
properties:
parentRefs:
description: |-
ParentRefs references the resources (usually Services) that a Route wants
to be attached to.
It is invalid to reference an identical parent more than once. It is valid
to reference multiple distinct sections within the same parent resource.
items:
description: 'NOTE: roughly equivalent to structs.ResourceReference'
properties:
port:
description: |-
For east/west this is the name of the Consul Service port to direct traffic to
or empty to imply all.
For north/south this is TBD.
For more details on potential values of this field, see documentation for
Service.ServicePort.
type: string
ref:
description: |-
For east/west configuration, this should point to a Service.
For north/south it should point to a Gateway.
properties:
name:
description: Name is the user-given name of the resource
(e.g. the "billing" service).
type: string
section:
description: Section identifies which part of the resource
the condition relates to.
type: string
tenancy:
description: |-
Tenancy identifies the tenancy units (i.e. partition, namespace) in which
the resource resides.
properties:
namespace:
description: |-
Namespace further isolates resources within a partition.
https://developer.hashicorp.com/consul/docs/enterprise/namespaces
When using the List and WatchList endpoints, provide the wildcard value "*"
to list resources across all namespaces.
type: string
partition:
description: |-
Partition is the topmost administrative boundary within a cluster.
https://developer.hashicorp.com/consul/docs/enterprise/admin-partitions
When using the List and WatchList endpoints, provide the wildcard value "*"
to list resources across all partitions.
type: string
type: object
type:
description: Type identifies the resource's type.
properties:
group:
description: |-
Group describes the area of functionality to which this resource type
relates (e.g. "catalog", "authorization").
type: string
groupVersion:
description: |-
GroupVersion is incremented when sweeping or backward-incompatible changes
are made to the group's resource types.
type: string
kind:
description: Kind identifies the specific resource type
within the group.
type: string
type: object
type: object
type: object
type: array
rules:
description: Rules are a list of TCP matchers and actions.
items:
properties:
backendRefs:
description: |-
BackendRefs defines the backend(s) where matching requests should be sent.
If unspecified or invalid (refers to a non-existent resource or a Service
with no endpoints), the underlying implementation MUST actively reject
connection attempts to this backend. Connection rejections must respect
weight; if an invalid backend is requested to have 80% of connections,
then 80% of connections must be rejected instead.
items:
properties:
backendRef:
properties:
datacenter:
type: string
port:
description: |-
For east/west this is the name of the Consul Service port to direct traffic to
or empty to imply using the same value as the parent ref.
For north/south this is TBD.
For more details on potential values of this field, see documentation for
Service.ServicePort.
type: string
ref:
description: For east/west configuration, this should
point to a Service.
properties:
name:
description: Name is the user-given name of the
resource (e.g. the "billing" service).
type: string
section:
description: Section identifies which part of
the resource the condition relates to.
type: string
tenancy:
description: |-
Tenancy identifies the tenancy units (i.e. partition, namespace) in which
the resource resides.
properties:
namespace:
description: |-
Namespace further isolates resources within a partition.
https://developer.hashicorp.com/consul/docs/enterprise/namespaces
When using the List and WatchList endpoints, provide the wildcard value "*"
to list resources across all namespaces.
type: string
partition:
description: |-
Partition is the topmost administrative boundary within a cluster.
https://developer.hashicorp.com/consul/docs/enterprise/admin-partitions
When using the List and WatchList endpoints, provide the wildcard value "*"
to list resources across all partitions.
type: string
type: object
type:
description: Type identifies the resource's type.
properties:
group:
description: |-
Group describes the area of functionality to which this resource type
relates (e.g. "catalog", "authorization").
type: string
groupVersion:
description: |-
GroupVersion is incremented when sweeping or backward-incompatible changes
are made to the group's resource types.
type: string
kind:
description: Kind identifies the specific
resource type within the group.
type: string
type: object
type: object
type: object
weight:
description: |-
Weight specifies the proportion of requests forwarded to the referenced
backend. This is computed as weight/(sum of all weights in this
BackendRefs list). For non-zero values, there may be some epsilon from the
exact proportion defined here depending on the precision an implementation
supports. Weight is not a percentage and the sum of weights does not need
to equal 100.
If only one backend is specified and it has a weight greater than 0, 100%
of the traffic is forwarded to that backend. If weight is set to 0, no
traffic should be forwarded for this entry. If unspecified, weight defaults
to 1.
format: int32
type: integer
type: object
type: array
type: object
type: array
type: object
status:
properties:
conditions:
description: Conditions indicate the latest available observations
of a resource's current state.
items:
description: |-
Conditions define a readiness condition for a Consul resource.
See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties
properties:
lastTransitionTime:
description: LastTransitionTime is the last time the condition
transitioned from one status to another.
format: date-time
type: string
message:
description: A human readable message indicating details about
the transition.
type: string
reason:
description: The reason for the condition's last transition.
type: string
status:
description: Status of the condition, one of True, False, Unknown.
type: string
type:
description: Type of condition.
type: string
required:
- status
- type
type: object
type: array
lastSyncedTime:
description: LastSyncedTime is the last time the resource successfully
synced with Consul.
format: date-time
type: string
type: object
type: object
served: true
storage: true
subresources:
status: {}
{{- end }}
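Review bot: `backendRefs[].weight` in this hunk (whose description says "If weight is set to 0, no traffic should be forwarded") is declared as `type: integer`/`format: int32` with no `minimum`, so a negative weight passes admission; the equivalent gateway-api field earlier in this commit sets `minimum: 0` and `maximum: 1000000`, and the same bounds belong here. Two documentation points: `backendRef.datacenter` has `type: string` but no `description`, unlike every sibling field, and both `port` descriptions still read "For north/south this is TBD", which should be resolved or reworded before this version ships as `served: true` and `storage: true`.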

View File

@ -0,0 +1,148 @@
{{- if .Values.connectInject.enabled }}
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
labels:
app: {{ template "consul.name" . }}
chart: {{ template "consul.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
component: crd
name: terminatinggateways.consul.hashicorp.com
spec:
group: consul.hashicorp.com
names:
kind: TerminatingGateway
listKind: TerminatingGatewayList
plural: terminatinggateways
shortNames:
- terminating-gateway
singular: terminatinggateway
scope: Namespaced
versions:
- additionalPrinterColumns:
- description: The sync status of the resource with Consul
jsonPath: .status.conditions[?(@.type=="Synced")].status
name: Synced
type: string
- description: The last successful synced time of the resource with Consul
jsonPath: .status.lastSyncedTime
name: Last Synced
type: date
- description: The age of the resource
jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v1alpha1
schema:
openAPIV3Schema:
description: TerminatingGateway is the Schema for the terminatinggateways
API
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: TerminatingGatewaySpec defines the desired state of TerminatingGateway.
properties:
services:
description: Services is a list of service names represented by the
terminating gateway.
items:
description: A LinkedService is a service represented by a terminating
gateway.
properties:
caFile:
description: |-
CAFile is the optional path to a CA certificate to use for TLS connections
from the gateway to the linked service.
type: string
certFile:
description: |-
CertFile is the optional path to a client certificate to use for TLS connections
from the gateway to the linked service.
type: string
disableAutoHostRewrite:
description: DisableAutoHostRewrite disables terminating gateways
auto host rewrite feature when set to true.
type: boolean
keyFile:
description: |-
KeyFile is the optional path to a private key to use for TLS connections
from the gateway to the linked service.
type: string
name:
description: Name is the name of the service, as defined in
Consul's catalog.
type: string
namespace:
description: The namespace the service is registered in.
type: string
sni:
description: SNI is the optional name to specify during the
TLS handshake with a linked service.
type: string
type: object
type: array
type: object
status:
properties:
conditions:
description: Conditions indicate the latest available observations
of a resource's current state.
items:
description: |-
Conditions define a readiness condition for a Consul resource.
See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties
properties:
lastTransitionTime:
description: LastTransitionTime is the last time the condition
transitioned from one status to another.
format: date-time
type: string
message:
description: A human readable message indicating details about
the transition.
type: string
reason:
description: The reason for the condition's last transition.
type: string
status:
description: Status of the condition, one of True, False, Unknown.
type: string
type:
description: Type of condition.
type: string
required:
- status
- type
type: object
type: array
lastSyncedTime:
description: LastSyncedTime is the last time the resource successfully
synced with Consul.
format: date-time
type: string
type: object
type: object
served: true
storage: true
subresources:
status: {}
{{- end }}
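Review bot: no field of the `LinkedService` item is required and `name` has no `minLength`, so `spec.services: [{}]`, or an entry with `certFile` but no `keyFile` (or the reverse), is accepted by the API server and only fails, if at all, when the gateway tries to use the paths. Suggest `required: [name]` with `minLength: 1` on `name`, and, where the supported Kubernetes versions allow it, an `x-kubernetes-validations` rule such as `has(self.certFile) == has(self.keyFile)` so a half-configured client certificate is rejected at admission (otherwise the same check belongs in the admission webhook). The `caFile` description says the CA is optional but not what the gateway does when it is omitted; it should state whether the linked service is then verified against system roots or not verified at all, since that decides whether the hop is authenticated. Minor: "disables terminating gateways auto host rewrite feature" should read "disables the terminating gateway's auto host rewrite feature". As this is generated from `controller-gen.kubebuilder.io/version: v0.14.0`, all of these changes go on the Go type markers upstream.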

View File

@ -0,0 +1,291 @@
{{- if and .Values.connectInject.enabled .Values.connectInject.apiGateway.manageExternalCRDs }}
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/1538
gateway.networking.k8s.io/bundle-version: v0.6.2
gateway.networking.k8s.io/channel: experimental
creationTimestamp: null
labels:
app: {{ template "consul.name" . }}
chart: {{ template "consul.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
component: crd
name: tlsroutes.gateway.networking.k8s.io
spec:
group: gateway.networking.k8s.io
names:
categories:
- gateway-api
kind: TLSRoute
listKind: TLSRouteList
plural: tlsroutes
singular: tlsroute
scope: Namespaced
versions:
- additionalPrinterColumns:
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v1alpha2
schema:
openAPIV3Schema:
description: "The TLSRoute resource is similar to TCPRoute, but can be configured to match against TLS-specific metadata. This allows more flexibility in matching streams for a given TLS listener. \n If you need to forward traffic to a single target for a TLS listener, you could choose to use a TCPRoute with a TLS listener."
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: Spec defines the desired state of TLSRoute.
properties:
hostnames:
description: "Hostnames defines a set of SNI names that should match against the SNI attribute of TLS ClientHello message in TLS handshake. This matches the RFC 1123 definition of a hostname with 2 notable exceptions: \n 1. IPs are not allowed in SNI names per RFC 6066. 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard label must appear by itself as the first label. \n If a hostname is specified by both the Listener and TLSRoute, there must be at least one intersecting hostname for the TLSRoute to be attached to the Listener. For example: \n * A Listener with `test.example.com` as the hostname matches TLSRoutes that have either not specified any hostnames, or have specified at least one of `test.example.com` or `*.example.com`. * A Listener with `*.example.com` as the hostname matches TLSRoutes that have either not specified any hostnames or have specified at least one hostname that matches the Listener hostname. For example, `test.example.com` and `*.example.com` would both match. On the other hand, `example.com` and `test.example.net` would not match. \n If both the Listener and TLSRoute have specified hostnames, any TLSRoute hostnames that do not match the Listener hostname MUST be ignored. For example, if a Listener specified `*.example.com`, and the TLSRoute specified `test.example.com` and `test.example.net`, `test.example.net` must not be considered for a match. \n If both the Listener and TLSRoute have specified hostnames, and none match with the criteria above, then the TLSRoute is not accepted. The implementation must raise an 'Accepted' Condition with a status of `False` in the corresponding RouteParentStatus. \n Support: Core"
items:
description: "Hostname is the fully qualified domain name of a network host. This matches the RFC 1123 definition of a hostname with 2 notable exceptions: \n 1. IPs are not allowed. 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard label must appear by itself as the first label. \n Hostname can be \"precise\" which is a domain name without the terminating dot of a network host (e.g. \"foo.example.com\") or \"wildcard\", which is a domain name prefixed with a single wildcard label (e.g. `*.example.com`). \n Note that as per RFC1035 and RFC1123, a *label* must consist of lower case alphanumeric characters or '-', and must start and end with an alphanumeric character. No other punctuation is allowed."
maxLength: 253
minLength: 1
pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
maxItems: 16
type: array
parentRefs:
description: "ParentRefs references the resources (usually Gateways) that a Route wants to be attached to. Note that the referenced parent resource needs to allow this for the attachment to be complete. For Gateways, that means the Gateway needs to allow attachment from Routes of this kind and namespace. \n The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources such as one of the route kinds. \n It is invalid to reference an identical parent more than once. It is valid to reference multiple distinct sections within the same parent resource, such as 2 Listeners within a Gateway. \n It is possible to separately reference multiple distinct objects that may be collapsed by an implementation. For example, some implementations may choose to merge compatible Gateway Listeners together. If that is the case, the list of routes attached to those resources should also be merged. \n Note that for ParentRefs that cross namespace boundaries, there are specific rules. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example, Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference."
items:
description: "ParentReference identifies an API object (usually a Gateway) that can be considered a parent of this resource (usually a route). The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources, such as HTTPRoute. \n The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid."
properties:
group:
default: gateway.networking.k8s.io
description: "Group is the group of the referent. When unspecified, \"gateway.networking.k8s.io\" is inferred. To set the core API group (such as for a \"Service\" kind referent), Group must be explicitly set to \"\" (empty string). \n Support: Core"
maxLength: 253
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
kind:
default: Gateway
description: "Kind is kind of the referent. \n Support: Core (Gateway) \n Support: Implementation-specific (Other Resources)"
maxLength: 63
minLength: 1
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
type: string
name:
description: "Name is the name of the referent. \n Support: Core"
maxLength: 253
minLength: 1
type: string
namespace:
description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n Support: Core"
maxLength: 63
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
port:
description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n <gateway:experimental>"
format: int32
maximum: 65535
minimum: 1
type: integer
sectionName:
description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core"
maxLength: 253
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
required:
- name
type: object
maxItems: 32
type: array
rules:
description: Rules are a list of TLS matchers and actions.
items:
description: TLSRouteRule is the configuration for a given rule.
properties:
backendRefs:
description: "BackendRefs defines the backend(s) where matching requests should be sent. If unspecified or invalid (refers to a non-existent resource or a Service with no endpoints), the rule performs no forwarding; if no filters are specified that would result in a response being sent, the underlying implementation must actively reject request attempts to this backend, by rejecting the connection or returning a 500 status code. Request rejections must respect weight; if an invalid backend is requested to have 80% of requests, then 80% of requests must be rejected instead. \n Support: Core for Kubernetes Service \n Support: Implementation-specific for any other resource \n Support for weight: Extended"
items:
description: "BackendRef defines how a Route should forward a request to a Kubernetes resource. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details."
properties:
group:
default: ""
description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred.
maxLength: 253
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
kind:
default: Service
description: Kind is kind of the referent. For example "HTTPRoute" or "Service". Defaults to "Service" when not specified.
maxLength: 63
minLength: 1
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
type: string
name:
description: Name is the name of the referent.
maxLength: 253
minLength: 1
type: string
namespace:
description: "Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. \n Support: Core"
maxLength: 63
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
port:
description: Port specifies the destination port number to use for this resource. Port is required when the referent is a Kubernetes Service. In this case, the port number is the service port number, not the target port. For other resources, destination port might be derived from the referent resource or this field.
format: int32
maximum: 65535
minimum: 1
type: integer
weight:
default: 1
description: "Weight specifies the proportion of requests forwarded to the referenced backend. This is computed as weight/(sum of all weights in this BackendRefs list). For non-zero values, there may be some epsilon from the exact proportion defined here depending on the precision an implementation supports. Weight is not a percentage and the sum of weights does not need to equal 100. \n If only one backend is specified and it has a weight greater than 0, 100% of the traffic is forwarded to that backend. If weight is set to 0, no traffic should be forwarded for this entry. If unspecified, weight defaults to 1. \n Support for this field varies based on the context where used."
format: int32
maximum: 1000000
minimum: 0
type: integer
required:
- name
type: object
maxItems: 16
minItems: 1
type: array
type: object
maxItems: 16
minItems: 1
type: array
required:
- rules
type: object
status:
description: Status defines the current state of TLSRoute.
properties:
parents:
description: "Parents is a list of parent resources (usually Gateways) that are associated with the route, and the status of the route with respect to each parent. When this route attaches to a parent, the controller that manages the parent must add an entry to this list when the controller first sees the route and should update the entry as appropriate when the route or gateway is modified. \n Note that parent references that cannot be resolved by an implementation of this API will not be added to this list. Implementations of this API can only populate Route status for the Gateways/parent resources they are responsible for. \n A maximum of 32 Gateways will be represented in this list. An empty list means the route has not been attached to any Gateway."
items:
description: RouteParentStatus describes the status of a route with respect to an associated Parent.
properties:
conditions:
description: "Conditions describes the status of the route with respect to the Gateway. Note that the route's availability is also subject to the Gateway's own status conditions and listener status. \n If the Route's ParentRef specifies an existing Gateway that supports Routes of this kind AND that Gateway's controller has sufficient access, then that Gateway's controller MUST set the \"Accepted\" condition on the Route, to indicate whether the route has been accepted or rejected by the Gateway, and why. \n A Route MUST be considered \"Accepted\" if at least one of the Route's rules is implemented by the Gateway. \n There are a number of cases where the \"Accepted\" condition may not be set due to lack of controller visibility, that includes when: \n * The Route refers to a non-existent parent. * The Route is of a type that the controller does not support. * The Route is in a namespace the controller does not have access to."
items:
description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n \ttype FooStatus struct{ \t // Represents the observations of a foo's current state. \t // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" \t // +patchMergeKey=type \t // +patchStrategy=merge \t // +listType=map \t // +listMapKey=type \t Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n \t // other fields \t}"
properties:
lastTransitionTime:
description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
format: date-time
type: string
message:
description: message is a human readable message indicating details about the transition. This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.
format: int64
minimum: 0
type: integer
reason:
description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
type: string
status:
description: status of the condition, one of True, False, Unknown.
enum:
- "True"
- "False"
- Unknown
type: string
type:
description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
- lastTransitionTime
- message
- reason
- status
- type
type: object
maxItems: 8
minItems: 1
type: array
x-kubernetes-list-map-keys:
- type
x-kubernetes-list-type: map
controllerName:
description: "ControllerName is a domain/path string that indicates the name of the controller that wrote this status. This corresponds with the controllerName field on GatewayClass. \n Example: \"example.net/gateway-controller\". \n The format of this field is DOMAIN \"/\" PATH, where DOMAIN and PATH are valid Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). \n Controllers MUST populate this field when writing status. Controllers should ensure that entries to status populated with their ControllerName are cleaned up when they are no longer necessary."
maxLength: 253
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$
type: string
parentRef:
description: ParentRef corresponds with a ParentRef in the spec that this RouteParentStatus struct describes the status of.
properties:
group:
default: gateway.networking.k8s.io
description: "Group is the group of the referent. When unspecified, \"gateway.networking.k8s.io\" is inferred. To set the core API group (such as for a \"Service\" kind referent), Group must be explicitly set to \"\" (empty string). \n Support: Core"
maxLength: 253
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
kind:
default: Gateway
description: "Kind is kind of the referent. \n Support: Core (Gateway) \n Support: Implementation-specific (Other Resources)"
maxLength: 63
minLength: 1
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
type: string
name:
description: "Name is the name of the referent. \n Support: Core"
maxLength: 253
minLength: 1
type: string
namespace:
description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n Support: Core"
maxLength: 63
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
port:
description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n <gateway:experimental>"
format: int32
maximum: 65535
minimum: 1
type: integer
sectionName:
description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core"
maxLength: 253
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
required:
- name
type: object
required:
- controllerName
- parentRef
type: object
maxItems: 32
type: array
required:
- parents
type: object
required:
- spec
type: object
served: true
storage: true
subresources:
status: {}
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []
{{- end }}
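Review bot: this template installs `tlsroutes.gateway.networking.k8s.io` from the experimental channel of Gateway API bundle `v0.6.2` (see the annotations at the top of the hunk), and CRDs are cluster-scoped, so on a cluster where another component already owns the Gateway API CRDs at a different version this release will overwrite that shared definition for every consumer. The `manageExternalCRDs` guard on the first line is the only opt-out, so the values documentation should state that it must be set to false on such clusters and name the bundle version being shipped. Two pieces of generator residue should also be dropped: `creationTimestamp: null` under `metadata`, and the trailing `status:` block (`acceptedNames`, `conditions: []`, `storedVersions: []`), which is server-owned and is absent from the Consul-generated CRDs elsewhere in this diff.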

View File

@ -0,0 +1,280 @@
{{- if .Values.connectInject.enabled }}
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
labels:
app: {{ template "consul.name" . }}
chart: {{ template "consul.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
component: crd
name: trafficpermissions.auth.consul.hashicorp.com
spec:
group: auth.consul.hashicorp.com
names:
kind: TrafficPermissions
listKind: TrafficPermissionsList
plural: trafficpermissions
shortNames:
- traffic-permissions
singular: trafficpermissions
scope: Namespaced
versions:
- additionalPrinterColumns:
- description: The sync status of the resource with Consul
jsonPath: .status.conditions[?(@.type=="Synced")].status
name: Synced
type: string
- description: The last successful synced time of the resource with Consul
jsonPath: .status.lastSyncedTime
name: Last Synced
type: date
- description: The age of the resource
jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v2beta1
schema:
openAPIV3Schema:
description: TrafficPermissions is the Schema for the traffic-permissions
API
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: TrafficPermissions authorizes traffic between workloads in
a Consul service mesh.
properties:
action:
description: |-
Action can be either allow or deny for the entire object. It will default to allow.
Deny actions are available only in Consul Enterprise.
If action is allow, we will allow the connection if one of the rules in Rules matches, in other words, we will deny
all requests except for the ones that match Rules. If Consul is in default allow mode, then allow
actions have no effect without a deny permission as everything is allowed by default.
If action is deny, we will deny the connection if one of the rules in Rules match, in other words,
we will allow all requests except for the ones that match Rules. If Consul is default deny mode,
then deny permissions have no effect without an allow permission as everything is denied by default.
Action unspecified is reserved for compatibility with the addition of future actions.
enum:
- ACTION_ALLOW
- ACTION_DENY
- ACTION_UNKNOWN
format: int32
type: string
destination:
description: |-
Destination is a configuration of the destination proxies
where these traffic permissions should apply.
properties:
identityName:
type: string
type: object
permissions:
description: Permissions is a list of permissions to match on. They
are applied using OR semantics.
items:
description: Permissions is a list of permissions to match on.
properties:
destinationRules:
description: |-
DestinationRules is a list of rules to apply for matching sources in this Permission.
These rules are specific to the request or connection that is going to the destination(s)
selected by the TrafficPermissions resource.
items:
description: DestinationRule contains rules rules to apply
to the incoming connection.
properties:
exclude:
description: Exclude contains a list of rules to exclude
when evaluating rules for the incoming connection.
items:
properties:
headers:
items:
properties:
exact:
type: string
invert:
type: boolean
name:
type: string
prefix:
type: string
present:
type: boolean
regex:
type: string
suffix:
type: string
type: object
type: array
methods:
description: Methods is the list of HTTP methods.
items:
type: string
type: array
pathExact:
type: string
pathPrefix:
type: string
pathRegex:
type: string
portNames:
description: |-
PortNames is a list of workload ports to apply this rule to. The ports specified here
must be the ports used in the connection.
items:
type: string
type: array
type: object
type: array
headers:
items:
properties:
exact:
type: string
invert:
type: boolean
name:
type: string
prefix:
type: string
present:
type: boolean
regex:
type: string
suffix:
type: string
type: object
type: array
methods:
description: |-
Methods is the list of HTTP methods. If no methods are specified,
this rule will apply to all methods.
items:
type: string
type: array
pathExact:
type: string
pathPrefix:
type: string
pathRegex:
type: string
portNames:
items:
type: string
type: array
type: object
type: array
sources:
description: Sources is a list of sources in this traffic permission.
items:
description: |-
Source represents the source identity.
To specify any of the wildcard sources, the specific fields need to be omitted.
For example, for a wildcard namespace, identity_name should be omitted.
properties:
exclude:
description: Exclude is a list of sources to exclude from
this source.
items:
description: |-
ExcludeSource is almost the same as source but it prevents the addition of
matching sources.
properties:
identityName:
type: string
namespace:
type: string
partition:
type: string
peer:
type: string
samenessGroup:
type: string
type: object
type: array
identityName:
type: string
namespace:
type: string
partition:
type: string
peer:
type: string
samenessGroup:
type: string
type: object
type: array
type: object
type: array
type: object
status:
properties:
conditions:
description: Conditions indicate the latest available observations
of a resource's current state.
items:
description: |-
Conditions define a readiness condition for a Consul resource.
See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties
properties:
lastTransitionTime:
description: LastTransitionTime is the last time the condition
transitioned from one status to another.
format: date-time
type: string
message:
description: A human readable message indicating details about
the transition.
type: string
reason:
description: The reason for the condition's last transition.
type: string
status:
description: Status of the condition, one of True, False, Unknown.
type: string
type:
description: Type of condition.
type: string
required:
- status
- type
type: object
type: array
lastSyncedTime:
description: LastSyncedTime is the last time the resource successfully
synced with Consul.
format: date-time
type: string
type: object
type: object
served: true
storage: true
subresources:
status: {}
{{- end }}
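Review bot: the two copies of the HTTP rule schema document `methods` and `portNames` inconsistently. The first `methods` description reads only `Methods is the list of HTTP methods.` and omits the sentence the second copy carries, `If no methods are specified, this rule will apply to all methods.`, while the second `portNames` has no description at all where the first explains that the listed ports must be the ones used in the connection. For a traffic-permissions resource the empty-list-means-all-methods semantic is exactly what an operator needs to see in `kubectl explain`, so copy the fuller `methods` description and the `portNames` description into both blocks.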

View File

@ -0,0 +1,281 @@
{{- if and .Values.connectInject.enabled .Values.connectInject.apiGateway.manageExternalCRDs }}
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/1538
gateway.networking.k8s.io/bundle-version: v0.6.2
gateway.networking.k8s.io/channel: experimental
creationTimestamp: null
labels:
app: {{ template "consul.name" . }}
chart: {{ template "consul.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
component: crd
name: udproutes.gateway.networking.k8s.io
spec:
group: gateway.networking.k8s.io
names:
categories:
- gateway-api
kind: UDPRoute
listKind: UDPRouteList
plural: udproutes
singular: udproute
scope: Namespaced
versions:
- additionalPrinterColumns:
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v1alpha2
schema:
openAPIV3Schema:
description: UDPRoute provides a way to route UDP traffic. When combined with a Gateway listener, it can be used to forward traffic on the port specified by the listener to a set of backends specified by the UDPRoute.
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: Spec defines the desired state of UDPRoute.
properties:
parentRefs:
description: "ParentRefs references the resources (usually Gateways) that a Route wants to be attached to. Note that the referenced parent resource needs to allow this for the attachment to be complete. For Gateways, that means the Gateway needs to allow attachment from Routes of this kind and namespace. \n The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources such as one of the route kinds. \n It is invalid to reference an identical parent more than once. It is valid to reference multiple distinct sections within the same parent resource, such as 2 Listeners within a Gateway. \n It is possible to separately reference multiple distinct objects that may be collapsed by an implementation. For example, some implementations may choose to merge compatible Gateway Listeners together. If that is the case, the list of routes attached to those resources should also be merged. \n Note that for ParentRefs that cross namespace boundaries, there are specific rules. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example, Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference."
items:
description: "ParentReference identifies an API object (usually a Gateway) that can be considered a parent of this resource (usually a route). The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources, such as HTTPRoute. \n The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid."
properties:
group:
default: gateway.networking.k8s.io
description: "Group is the group of the referent. When unspecified, \"gateway.networking.k8s.io\" is inferred. To set the core API group (such as for a \"Service\" kind referent), Group must be explicitly set to \"\" (empty string). \n Support: Core"
maxLength: 253
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
kind:
default: Gateway
description: "Kind is kind of the referent. \n Support: Core (Gateway) \n Support: Implementation-specific (Other Resources)"
maxLength: 63
minLength: 1
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
type: string
name:
description: "Name is the name of the referent. \n Support: Core"
maxLength: 253
minLength: 1
type: string
namespace:
description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n Support: Core"
maxLength: 63
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
port:
description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n <gateway:experimental>"
format: int32
maximum: 65535
minimum: 1
type: integer
sectionName:
description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core"
maxLength: 253
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
required:
- name
type: object
maxItems: 32
type: array
rules:
description: Rules are a list of UDP matchers and actions.
items:
description: UDPRouteRule is the configuration for a given rule.
properties:
backendRefs:
description: "BackendRefs defines the backend(s) where matching requests should be sent. If unspecified or invalid (refers to a non-existent resource or a Service with no endpoints), the underlying implementation MUST actively reject connection attempts to this backend. Packet drops must respect weight; if an invalid backend is requested to have 80% of the packets, then 80% of packets must be dropped instead. \n Support: Core for Kubernetes Service Support: Implementation-specific for any other resource \n Support for weight: Extended"
items:
description: "BackendRef defines how a Route should forward a request to a Kubernetes resource. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details."
properties:
group:
default: ""
description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred.
maxLength: 253
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
kind:
default: Service
description: Kind is kind of the referent. For example "HTTPRoute" or "Service". Defaults to "Service" when not specified.
maxLength: 63
minLength: 1
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
type: string
name:
description: Name is the name of the referent.
maxLength: 253
minLength: 1
type: string
namespace:
description: "Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. \n Support: Core"
maxLength: 63
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
port:
description: Port specifies the destination port number to use for this resource. Port is required when the referent is a Kubernetes Service. In this case, the port number is the service port number, not the target port. For other resources, destination port might be derived from the referent resource or this field.
format: int32
maximum: 65535
minimum: 1
type: integer
weight:
default: 1
description: "Weight specifies the proportion of requests forwarded to the referenced backend. This is computed as weight/(sum of all weights in this BackendRefs list). For non-zero values, there may be some epsilon from the exact proportion defined here depending on the precision an implementation supports. Weight is not a percentage and the sum of weights does not need to equal 100. \n If only one backend is specified and it has a weight greater than 0, 100% of the traffic is forwarded to that backend. If weight is set to 0, no traffic should be forwarded for this entry. If unspecified, weight defaults to 1. \n Support for this field varies based on the context where used."
format: int32
maximum: 1000000
minimum: 0
type: integer
required:
- name
type: object
maxItems: 16
minItems: 1
type: array
type: object
maxItems: 16
minItems: 1
type: array
required:
- rules
type: object
status:
description: Status defines the current state of UDPRoute.
properties:
parents:
description: "Parents is a list of parent resources (usually Gateways) that are associated with the route, and the status of the route with respect to each parent. When this route attaches to a parent, the controller that manages the parent must add an entry to this list when the controller first sees the route and should update the entry as appropriate when the route or gateway is modified. \n Note that parent references that cannot be resolved by an implementation of this API will not be added to this list. Implementations of this API can only populate Route status for the Gateways/parent resources they are responsible for. \n A maximum of 32 Gateways will be represented in this list. An empty list means the route has not been attached to any Gateway."
items:
description: RouteParentStatus describes the status of a route with respect to an associated Parent.
properties:
conditions:
description: "Conditions describes the status of the route with respect to the Gateway. Note that the route's availability is also subject to the Gateway's own status conditions and listener status. \n If the Route's ParentRef specifies an existing Gateway that supports Routes of this kind AND that Gateway's controller has sufficient access, then that Gateway's controller MUST set the \"Accepted\" condition on the Route, to indicate whether the route has been accepted or rejected by the Gateway, and why. \n A Route MUST be considered \"Accepted\" if at least one of the Route's rules is implemented by the Gateway. \n There are a number of cases where the \"Accepted\" condition may not be set due to lack of controller visibility, that includes when: \n * The Route refers to a non-existent parent. * The Route is of a type that the controller does not support. * The Route is in a namespace the controller does not have access to."
items:
description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n \ttype FooStatus struct{ \t // Represents the observations of a foo's current state. \t // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" \t // +patchMergeKey=type \t // +patchStrategy=merge \t // +listType=map \t // +listMapKey=type \t Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n \t // other fields \t}"
properties:
lastTransitionTime:
description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
format: date-time
type: string
message:
description: message is a human readable message indicating details about the transition. This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.
format: int64
minimum: 0
type: integer
reason:
description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
type: string
status:
description: status of the condition, one of True, False, Unknown.
enum:
- "True"
- "False"
- Unknown
type: string
type:
description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
- lastTransitionTime
- message
- reason
- status
- type
type: object
maxItems: 8
minItems: 1
type: array
x-kubernetes-list-map-keys:
- type
x-kubernetes-list-type: map
controllerName:
description: "ControllerName is a domain/path string that indicates the name of the controller that wrote this status. This corresponds with the controllerName field on GatewayClass. \n Example: \"example.net/gateway-controller\". \n The format of this field is DOMAIN \"/\" PATH, where DOMAIN and PATH are valid Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). \n Controllers MUST populate this field when writing status. Controllers should ensure that entries to status populated with their ControllerName are cleaned up when they are no longer necessary."
maxLength: 253
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$
type: string
parentRef:
description: ParentRef corresponds with a ParentRef in the spec that this RouteParentStatus struct describes the status of.
properties:
group:
default: gateway.networking.k8s.io
description: "Group is the group of the referent. When unspecified, \"gateway.networking.k8s.io\" is inferred. To set the core API group (such as for a \"Service\" kind referent), Group must be explicitly set to \"\" (empty string). \n Support: Core"
maxLength: 253
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
kind:
default: Gateway
description: "Kind is kind of the referent. \n Support: Core (Gateway) \n Support: Implementation-specific (Other Resources)"
maxLength: 63
minLength: 1
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
type: string
name:
description: "Name is the name of the referent. \n Support: Core"
maxLength: 253
minLength: 1
type: string
namespace:
description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n Support: Core"
maxLength: 63
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
port:
description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n <gateway:experimental>"
format: int32
maximum: 65535
minimum: 1
type: integer
sectionName:
description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core"
maxLength: 253
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
required:
- name
type: object
required:
- controllerName
- parentRef
type: object
maxItems: 32
type: array
required:
- parents
type: object
required:
- spec
type: object
served: true
storage: true
subresources:
status: {}
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []
{{- end }}
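Review bot: the trailing `status:` stanza (`acceptedNames`, `conditions: []`, `storedVersions: []`) and `creationTimestamp: null` are server-populated fields carried over from the upstream bundle; the API server ignores them on apply, but they are noise in a chart template and trip strict manifest linters, so drop them. The larger point is that this CRD is labelled `gateway.networking.k8s.io/channel: experimental` at `bundle-version: v0.6.2` and is installed whenever `connectInject.apiGateway.manageExternalCRDs` is true; on a cluster where another Gateway API installation already owns `udproutes.gateway.networking.k8s.io`, Helm either refuses to adopt the existing object or, if the chart does own it, pins the cluster to this older experimental schema. The values documentation should say that `manageExternalCRDs` must be false when Gateway API CRDs are managed elsewhere.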

View File

@ -0,0 +1,147 @@
{{- if .Values.global.federation.createFederationSecret }}
{{- if not .Values.global.federation.enabled }}{{ fail "global.federation.enabled must be true when global.federation.createFederationSecret is true" }}{{ end }}
{{- if and (not .Values.global.acls.createReplicationToken) .Values.global.acls.manageSystemACLs }}{{ fail "global.acls.createReplicationToken must be true when global.acls.manageSystemACLs is true because the federation secret must include the replication token" }}{{ end }}
{{- if eq (int .Values.server.updatePartition) 0 }}
{{ template "consul.validateRequiredCloudSecretsExist" . }}
{{ template "consul.validateCloudSecretKeys" . }}
apiVersion: batch/v1
kind: Job
metadata:
name: {{ template "consul.fullname" . }}-create-federation-secret
namespace: {{ .Release.Namespace }}
labels:
app: {{ template "consul.name" . }}
chart: {{ template "consul.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
component: create-federation-secret
{{- if .Values.global.extraLabels }}
{{- toYaml .Values.global.extraLabels | nindent 4 }}
{{- end }}
annotations:
"helm.sh/hook": post-install,post-upgrade
{{- /* Hook weight needs to be 1 so that the service account is provisioned first */}}
"helm.sh/hook-weight": "1"
"helm.sh/hook-delete-policy": hook-succeeded
spec:
template:
metadata:
name: {{ template "consul.fullname" . }}-create-federation-secret
labels:
app: {{ template "consul.name" . }}
chart: {{ template "consul.chart" . }}
release: {{ .Release.Name }}
component: create-federation-secret
{{- if .Values.global.extraLabels }}
{{- toYaml .Values.global.extraLabels | nindent 8 }}
{{- end }}
annotations:
"consul.hashicorp.com/connect-inject": "false"
"consul.hashicorp.com/mesh-inject": "false"
spec:
restartPolicy: Never
serviceAccountName: {{ template "consul.fullname" . }}-create-federation-secret
{{- if .Values.client.tolerations }}
tolerations:
{{ tpl .Values.client.tolerations . | nindent 8 | trim }}
{{- end }}
{{- if .Values.client.priorityClassName }}
priorityClassName: {{ .Values.client.priorityClassName | quote }}
{{- end }}
{{- if .Values.client.nodeSelector }}
nodeSelector:
{{ tpl .Values.client.nodeSelector . | indent 8 | trim }}
{{- end }}
volumes:
{{- /* We can assume tls is enabled because there is a check in server-statefulset
that requires tls to be enabled if federation is enabled. */}}
- name: consul-ca-cert
secret:
{{- if .Values.global.tls.caCert.secretName }}
secretName: {{ .Values.global.tls.caCert.secretName }}
{{- else }}
secretName: {{ template "consul.fullname" . }}-ca-cert
{{- end }}
items:
- key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }}
path: tls.crt
- name: consul-ca-key
secret:
{{- if .Values.global.tls.caKey.secretName }}
secretName: {{ .Values.global.tls.caKey.secretName }}
{{- else }}
secretName: {{ template "consul.fullname" . }}-ca-key
{{- end }}
items:
- key: {{ default "tls.key" .Values.global.tls.caKey.secretKey }}
path: tls.key
{{- if (and .Values.global.gossipEncryption.secretName .Values.global.gossipEncryption.secretKey) }}
- name: gossip-encryption-key
secret:
secretName: {{ .Values.global.gossipEncryption.secretName }}
items:
- key: {{ .Values.global.gossipEncryption.secretKey }}
path: gossip.key
{{- else if .Values.global.gossipEncryption.autoGenerate }}
- name: gossip-encryption-key
secret:
secretName: {{ template "consul.fullname" . }}-gossip-encryption-key
items:
- key: key
path: gossip.key
{{- end }}
containers:
- name: create-federation-secret
image: "{{ .Values.global.imageK8S }}"
{{ template "consul.imagePullPolicy" . }}
{{- include "consul.restrictedSecurityContext" . | nindent 10 }}
env:
- name: NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: CONSUL_HTTP_ADDR
value: "https://{{ template "consul.fullname" . }}-server.{{ .Release.Namespace }}.svc:8501"
- name: CONSUL_CACERT
value: /consul/tls/ca/tls.crt
volumeMounts:
- name: consul-ca-cert
mountPath: /consul/tls/ca
readOnly: true
- name: consul-ca-key
mountPath: /consul/tls/server/ca
readOnly: true
{{- if (or .Values.global.gossipEncryption.autoGenerate (and .Values.global.gossipEncryption.secretName .Values.global.gossipEncryption.secretKey)) }}
- name: gossip-encryption-key
mountPath: /consul/gossip
readOnly: true
{{- end }}
command:
- "/bin/sh"
- "-ec"
- |
exec consul-k8s-control-plane create-federation-secret \
-log-level={{ default .Values.global.logLevel .Values.global.federation.logLevel }} \
-log-json={{ .Values.global.logJSON }} \
{{- if (or .Values.global.gossipEncryption.autoGenerate (and .Values.global.gossipEncryption.secretName .Values.global.gossipEncryption.secretKey)) }}
-gossip-key-file=/consul/gossip/gossip.key \
{{- end }}
{{- if .Values.global.acls.createReplicationToken }}
-export-replication-token=true \
{{- end }}
-mesh-gateway-service-name={{ .Values.meshGateway.consulServiceName }} \
-k8s-namespace="${NAMESPACE}" \
-resource-prefix="{{ template "consul.fullname" . }}" \
-server-ca-cert-file=/consul/tls/ca/tls.crt \
-server-ca-key-file=/consul/tls/server/ca/tls.key \
-consul-api-timeout={{ .Values.global.consulAPITimeout }}
resources:
requests:
memory: "50Mi"
cpu: "50m"
limits:
memory: "50Mi"
cpu: "50m"
{{- end }}
{{- end }}
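Review bot: the Job's `"helm.sh/hook-delete-policy": hook-succeeded` differs from the `hook-succeeded,before-hook-creation` used on its companion PodSecurityPolicy, Role, RoleBinding and ServiceAccount. If the job fails once (a transient Consul API error is enough), the failed Job object is never cleaned up, the next `helm upgrade` fails because a Job of the same name already exists, and the failed pod, with the CA private key mounted at `/consul/tls/server/ca/tls.key` and the gossip key at `/consul/gossip/gossip.key`, lingers until someone deletes it by hand. Use the same `hook-succeeded,before-hook-creation` policy here so a rerun replaces the stale Job.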

View File

@ -0,0 +1,42 @@
{{- if .Values.global.enablePodSecurityPolicies }}
{{- if .Values.global.federation.createFederationSecret }}
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: {{ template "consul.fullname" . }}-create-federation-secret
namespace: {{ .Release.Namespace }}
labels:
app: {{ template "consul.name" . }}
chart: {{ template "consul.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
component: create-federation-secret
annotations:
"helm.sh/hook": post-install,post-upgrade
"helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation
spec:
privileged: false
# Required to prevent escalations to root.
allowPrivilegeEscalation: false
# This is redundant with non-root + disallow privilege escalation,
# but we can provide it for defense in depth.
requiredDropCapabilities:
- ALL
# Allow core volume types.
volumes:
- 'secret'
- 'emptyDir'
hostNetwork: false
hostIPC: false
hostPID: false
runAsUser:
rule: 'RunAsAny'
seLinux:
rule: 'RunAsAny'
supplementalGroups:
rule: 'RunAsAny'
fsGroup:
rule: 'RunAsAny'
readOnlyRootFilesystem: false
{{- end }}
{{- end }}
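Review bot: the comment `This is redundant with non-root + disallow privilege escalation` does not match the policy, which sets `runAsUser: rule: 'RunAsAny'` and therefore never requires a non-root user; the hook Job this policy covers already runs under `consul.restrictedSecurityContext`, so `rule: 'MustRunAsNonRoot'` would make the policy enforce what the comment assumes. Separately, `policy/v1beta1` PodSecurityPolicy was removed in Kubernetes 1.25, so with `global.enablePodSecurityPolicies` true on a 1.25+ cluster this template renders an API the server rejects; gate the template on `.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy"` or state the version limit next to the value.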

View File

@ -0,0 +1,49 @@
{{- if .Values.global.federation.createFederationSecret }}
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ template "consul.fullname" . }}-create-federation-secret
namespace: {{ .Release.Namespace }}
labels:
app: {{ template "consul.name" . }}
chart: {{ template "consul.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
component: create-federation-secret
annotations:
"helm.sh/hook": post-install,post-upgrade
"helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation
rules:
{{/* Must have separate rule for create secret permissions vs update because
can't set resourceNames for create (https://github.com/kubernetes/kubernetes/issues/80295) */}}
- apiGroups: [""]
resources:
- secrets
verbs:
- create
- apiGroups: [""]
resources:
- secrets
resourceNames:
- {{ template "consul.fullname" . }}-federation
verbs:
- update
{{- if .Values.global.acls.manageSystemACLs }}
- apiGroups: [""]
resources:
- secrets
resourceNames:
- {{ template "consul.fullname" . }}-acl-replication-acl-token
verbs:
- get
{{- end }}
{{- if .Values.global.enablePodSecurityPolicies }}
- apiGroups: ["policy"]
resources:
- podsecuritypolicies
verbs:
- use
resourceNames:
- {{ template "consul.fullname" . }}-create-federation-secret
{{- end }}
{{- end }}
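Review bot: the `get` on `{{ template "consul.fullname" . }}-acl-replication-acl-token` is gated on `global.acls.manageSystemACLs`, while the Job passes `-export-replication-token=true` based on `global.acls.createReplicationToken`. The `fail` at the top of the Job template enforces only one direction (createReplicationToken must be true when manageSystemACLs is true), so a values file with `createReplicationToken: true` and `manageSystemACLs: false` renders a job that tries to export a token its Role cannot read. Gate both on the same condition. The unscoped `create` on secrets is explained by the comment and cannot be narrowed with RBAC alone; it is worth recording in the chart docs that, for the lifetime of the hook, this ServiceAccount can create any secret in the release namespace.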

View File

@ -0,0 +1,23 @@
{{- if .Values.global.federation.createFederationSecret }}
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ template "consul.fullname" . }}-create-federation-secret
namespace: {{ .Release.Namespace }}
labels:
app: {{ template "consul.name" . }}
chart: {{ template "consul.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
component: create-federation-secret
annotations:
"helm.sh/hook": post-install,post-upgrade
"helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ template "consul.fullname" . }}-create-federation-secret
subjects:
- kind: ServiceAccount
name: {{ template "consul.fullname" . }}-create-federation-secret
{{- end }}

View File

@ -0,0 +1,22 @@
{{- if .Values.global.federation.createFederationSecret }}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ template "consul.fullname" . }}-create-federation-secret
namespace: {{ .Release.Namespace }}
labels:
app: {{ template "consul.name" . }}
chart: {{ template "consul.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
component: create-federation-secret
annotations:
"helm.sh/hook": post-install,post-upgrade
"helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation
{{- with .Values.global.imagePullSecrets }}
imagePullSecrets:
{{- range . }}
- name: {{ .name }}
{{- end }}
{{- end }}
{{- end }}

View File

@ -0,0 +1,38 @@
{{- if .Values.global.metrics.datadog.enabled }}
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ template "consul.fullname" . }}-datadog-metrics
namespace: {{ .Release.Namespace }}
labels:
app: datadog
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
component: agent
{{- if (or (and .Values.global.openshift.enabled .Values.server.exposeGossipAndRPCPorts) .Values.global.enablePodSecurityPolicies) }}
{{- if .Values.global.enablePodSecurityPolicies }}
rules:
- apiGroups: ["policy"]
resources: ["podsecuritypolicies"]
resourceNames:
- {{ template "consul.fullname" . }}-datadog-metrics
verbs:
- use
{{- end }}
{{- if (and .Values.global.openshift.enabled .Values.server.exposeGossipAndRPCPorts ) }}
- apiGroups: ["security.openshift.io"]
resources: ["securitycontextconstraints"]
resourceNames:
- {{ template "consul.fullname" . }}-datadog-metrics
verbs:
- use
{{- end }}
{{- else}}
rules:
- apiGroups: [ "" ]
resources: [ "secrets" ]
resourceNames:
- {{ .Release.Namespace }}-datadog-agent-metrics-acl-token
verbs: [ "get", "watch", "list" ]
{{- end }}
{{- end }}
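Review bot: the `secrets` rule is lost whenever the PSP or OpenShift branch is taken: the outer `{{- if (or ...) }}` above `rules:` only emits the `podsecuritypolicies` / `securitycontextconstraints` `use` rules, and the `get`/`watch`/`list` on `{{ .Release.Namespace }}-datadog-agent-metrics-acl-token` lives only in the `{{- else}}` branch, so a cluster with `global.enablePodSecurityPolicies: true` ends up with a Datadog agent that cannot read the ACL token at all. Emit the secrets rule unconditionally and append the PSP/SCC `use` rules inside the conditional. Also, the labels here (`app: datadog`, no `chart:`) differ from every other resource in this change, which uses `app: {{ template "consul.name" . }}` plus `chart: {{ template "consul.chart" . }}`; anything that selects on the chart's labels will miss this Role.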


@ -0,0 +1,26 @@
{{- if .Values.global.metrics.datadog.enabled }}
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ template "consul.fullname" . }}-datadog-metrics
namespace: {{ .Release.Namespace }}
labels:
app: {{ template "consul.name" . }}
chart: {{ template "consul.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
component: agent
subjects:
- kind: ServiceAccount
apiGroup: ""
name: datadog-agent
namespace: datadog
- kind: ServiceAccount
apiGroup: ""
name: datadog-cluster-agent
namespace: datadog
roleRef:
kind: Role
name: {{ template "consul.fullname" . }}-datadog-metrics
apiGroup: ""
{{- end }}
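Review bot: the subjects hardcode `name: datadog-agent`, `name: datadog-cluster-agent` and `namespace: datadog`; an installation that runs the Datadog agent under another namespace or service-account name gets a binding that grants nothing, and nothing at render time says why. Take the names and namespace from values (for instance under `global.metrics.datadog`, which already gates this template) with the current strings as defaults. Minor: `roleRef.apiGroup: ""` relies on the API server defaulting it to `rbac.authorization.k8s.io`; the other RoleBindings in this change spell it out, so do the same here.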


@ -0,0 +1,41 @@
{{- if (or (and (ne (.Values.dns.enabled | toString) "-") .Values.dns.enabled) (and (eq (.Values.dns.enabled | toString) "-") .Values.connectInject.transparentProxy.defaultEnabled)) }}
# Service for Consul DNS.
apiVersion: v1
kind: Service
metadata:
name: {{ template "consul.fullname" . }}-dns
namespace: {{ .Release.Namespace }}
labels:
app: {{ template "consul.name" . }}
chart: {{ template "consul.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
component: dns
{{- if .Values.dns.annotations }}
annotations:
{{ tpl .Values.dns.annotations . | nindent 4 | trim }}
{{- end }}
spec:
{{- if .Values.dns.type }}
type: {{ .Values.dns.type }}
{{- end }}
{{- if .Values.dns.clusterIP }}
clusterIP: {{ .Values.dns.clusterIP }}
{{- end }}
ports:
- name: dns-tcp
port: 53
protocol: "TCP"
targetPort: dns-tcp
- name: dns-udp
port: 53
protocol: "UDP"
targetPort: dns-udp
selector:
app: {{ template "consul.name" . }}
release: "{{ .Release.Name }}"
hasDNS: "true"
{{- if .Values.dns.additionalSpec }}
{{ tpl .Values.dns.additionalSpec . | nindent 2 | trim }}
{{- end }}
{{- end }}


@ -0,0 +1,147 @@
{{- if .Values.server.enterpriseLicense }}{{ fail "server.enterpriseLicense has been moved to global.enterpriseLicense" }}{{ end -}}
{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }}
{{- if (and .Values.global.enterpriseLicense.secretName .Values.global.enterpriseLicense.secretKey (not .Values.global.enterpriseLicense.enableLicenseAutoload)) }}
apiVersion: batch/v1
kind: Job
metadata:
name: {{ template "consul.fullname" . }}-enterprise-license
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/managed-by: {{.Release.Service | quote }}
app.kubernetes.io/instance: {{.Release.Name | quote }}
helm.sh/chart: "{{.Chart.Name}}-{{.Chart.Version}}"
app: {{ template "consul.name" . }}
chart: {{ template "consul.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
component: license
{{- if .Values.global.extraLabels }}
{{- toYaml .Values.global.extraLabels | nindent 4 }}
{{- end }}
annotations:
"helm.sh/hook": post-install,post-upgrade
"helm.sh/hook-weight": "100"
"helm.sh/hook-delete-policy": hook-succeeded
spec:
template:
metadata:
name: {{ template "consul.fullname" . }}-license
labels:
app.kubernetes.io/managed-by: {{.Release.Service | quote }}
app.kubernetes.io/instance: {{.Release.Name | quote }}
helm.sh/chart: "{{.Chart.Name}}-{{.Chart.Version}}"
app: {{ template "consul.name" . }}
chart: {{ template "consul.chart" . }}
release: {{ .Release.Name }}
component: license
{{- if .Values.global.extraLabels }}
{{- toYaml .Values.global.extraLabels | nindent 8 }}
{{- end }}
annotations:
"consul.hashicorp.com/connect-inject": "false"
"consul.hashicorp.com/mesh-inject": "false"
spec:
restartPolicy: Never
serviceAccountName: {{ template "consul.fullname" . }}-enterprise-license
{{- if .Values.global.tls.enabled }}
volumes:
- name: consul-ca-cert
secret:
{{- if .Values.global.tls.caCert.secretName }}
secretName: {{ .Values.global.tls.caCert.secretName }}
{{- else }}
secretName: {{ template "consul.fullname" . }}-ca-cert
{{- end }}
items:
- key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }}
path: tls.crt
{{- end }}
containers:
- name: apply-enterprise-license
image: "{{ default .Values.global.image .Values.server.image }}"
{{ template "consul.imagePullPolicy" . }}
env:
- name: ENTERPRISE_LICENSE
{{- if .Values.global.secretsBackend.vault.enabled }}
value: /vault/secrets/enterpriselicense.txt
{{- else }}
valueFrom:
secretKeyRef:
name: {{ .Values.global.enterpriseLicense.secretName }}
key: {{ .Values.global.enterpriseLicense.secretKey }}
{{- end }}
- name: CONSUL_HTTP_ADDR
{{- if .Values.global.tls.enabled }}
value: https://{{ template "consul.fullname" . }}-server:8501
{{- else }}
value: http://{{ template "consul.fullname" . }}-server:8500
{{- end }}
{{- if .Values.global.tls.enabled }}
- name: CONSUL_CACERT
value: /consul/tls/ca/tls.crt
{{- end}}
{{- if .Values.global.acls.manageSystemACLs }}
- name: CONSUL_HTTP_TOKEN
valueFrom:
secretKeyRef:
name: "{{ template "consul.fullname" . }}-enterprise-license-acl-token"
key: "token"
{{- end}}
command:
- "/bin/sh"
- "-c"
- |
# Create a script that we can execute with the timeout command.
mkdir -p /tmp/scripts/
cat > /tmp/scripts/apply-license.sh << 'EOF'
#!/bin/sh
while true; do
echo "Applying license..."
if consul license put "${ENTERPRISE_LICENSE}" 2>&1; then
echo "License applied successfully"
break
fi
echo "Retrying in 2s..."
sleep 2
done
EOF
chmod +x /tmp/scripts/apply-license.sh
# Time out after 20 minutes. Use || to support new timeout versions that don't accept -t
timeout -t 1200 /tmp/scripts/apply-license.sh 2> /dev/null || timeout 1200 /tmp/scripts/apply-license.sh 2> /dev/null
{{- if .Values.global.tls.enabled }}
volumeMounts:
- name: consul-ca-cert
mountPath: /consul/tls/ca
readOnly: true
{{- end }}
resources:
requests:
memory: "50Mi"
cpu: "50m"
limits:
memory: "50Mi"
cpu: "50m"
{{- if .Values.global.acls.manageSystemACLs }}
initContainers:
- name: ent-license-acl-init
image: {{ .Values.global.imageK8S }}
{{ template "consul.imagePullPolicy" . }}
command:
- "/bin/sh"
- "-ec"
- |
exec consul-k8s-control-plane acl-init \
-secret-name="{{ template "consul.fullname" . }}-enterprise-license-acl-token" \
-k8s-namespace={{ .Release.Namespace }} \
-consul-api-timeout={{ .Values.global.consulAPITimeout }}
resources:
requests:
memory: "25Mi"
cpu: "50m"
limits:
memory: "25Mi"
cpu: "50m"
{{- end }}
{{- end }}
{{- end }}
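Review bot: the `timeout` fallback at the end of the container script doubles the budget instead of bounding it: `apply-license.sh` loops until `consul license put` succeeds, so on a `timeout` that accepts `-t` the first invocation can only end by timing out (non-zero exit), which then triggers the `||` branch and runs the same script for another 20 minutes; and both invocations send stderr to `/dev/null`, so the reason the hook failed never reaches the pod log. Probe the flag once (e.g. `timeout -t 1 true 2>/dev/null`), run the script a single time with whichever form works, and keep stderr. Separately, under `global.secretsBackend.vault.enabled` `ENTERPRISE_LICENSE` is the path `/vault/secrets/enterpriselicense.txt` while in the Secret branch it is the license body itself, yet both go through `consul license put "${ENTERPRISE_LICENSE}"`; confirm the CLI accepts a path there, or read the file explicitly in the Vault case.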


@ -0,0 +1,39 @@
{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }}
{{- if (and .Values.global.enterpriseLicense.secretName .Values.global.enterpriseLicense.secretKey (not .Values.global.enterpriseLicense.enableLicenseAutoload)) }}
{{- if .Values.global.enablePodSecurityPolicies }}
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: {{ template "consul.fullname" . }}-enterprise-license
namespace: {{ .Release.Namespace }}
labels:
app: {{ template "consul.name" . }}
chart: {{ template "consul.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
component: license
spec:
privileged: false
# Allow core volume types.
volumes:
- 'secret'
allowPrivilegeEscalation: false
# This is redundant with non-root + disallow privilege escalation,
# but we can provide it for defense in depth.
requiredDropCapabilities:
- ALL
hostNetwork: false
hostIPC: false
hostPID: false
runAsUser:
rule: 'RunAsAny'
seLinux:
rule: 'RunAsAny'
supplementalGroups:
rule: 'RunAsAny'
fsGroup:
rule: 'RunAsAny'
readOnlyRootFilesystem: false
{{- end }}
{{- end }}
{{- end }}
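Review bot: `apiVersion: policy/v1beta1` / `kind: PodSecurityPolicy` is no longer served by Kubernetes 1.25 and later, so with `global.enablePodSecurityPolicies: true` the release fails to apply on those clusters; either gate this template on the API being present (`.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy"`) or document the version limit next to the value. The comment above `requiredDropCapabilities` says the drop is redundant with "non-root", but `runAsUser` is `RunAsAny`, so nothing in this policy actually requires a non-root user; nothing in the license job's command (mkdir under /tmp, write a script, run `consul license put`) needs root, so `rule: 'MustRunAsNonRoot'` would be the safer choice, otherwise correct the comment.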


@ -0,0 +1,37 @@
{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }}
{{- if (and .Values.global.enterpriseLicense.secretName .Values.global.enterpriseLicense.secretKey (not .Values.global.enterpriseLicense.enableLicenseAutoload)) }}
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ template "consul.fullname" . }}-enterprise-license
namespace: {{ .Release.Namespace }}
labels:
app: {{ template "consul.name" . }}
chart: {{ template "consul.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
component: license
{{- if or .Values.global.acls.manageSystemACLs .Values.global.enablePodSecurityPolicies }}
rules:
{{- if .Values.global.acls.manageSystemACLs }}
- apiGroups: [""]
resources:
- secrets
resourceNames:
- {{ template "consul.fullname" . }}-enterprise-license-acl-token
verbs:
- get
{{- end }}
{{- if .Values.global.enablePodSecurityPolicies }}
- apiGroups: ["policy"]
resources: ["podsecuritypolicies"]
resourceNames:
- {{ template "consul.fullname" . }}-enterprise-license
verbs:
- use
{{- end }}
{{- else }}
rules: []
{{- end }}
{{- end }}
{{- end }}


@ -0,0 +1,22 @@
{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }}
{{- if (and .Values.global.enterpriseLicense.secretName .Values.global.enterpriseLicense.secretKey (not .Values.global.enterpriseLicense.enableLicenseAutoload)) }}
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ template "consul.fullname" . }}-enterprise-license
namespace: {{ .Release.Namespace }}
labels:
app: {{ template "consul.name" . }}
chart: {{ template "consul.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
component: license
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ template "consul.fullname" . }}-enterprise-license
subjects:
- kind: ServiceAccount
name: {{ template "consul.fullname" . }}-enterprise-license
{{- end }}
{{- end }}


@ -0,0 +1,21 @@
{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }}
{{- if (and .Values.global.enterpriseLicense.secretName .Values.global.enterpriseLicense.secretKey (not .Values.global.enterpriseLicense.enableLicenseAutoload)) }}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ template "consul.fullname" . }}-enterprise-license
namespace: {{ .Release.Namespace }}
labels:
app: {{ template "consul.name" . }}
chart: {{ template "consul.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
component: license
{{- with .Values.global.imagePullSecrets }}
imagePullSecrets:
{{- range . }}
- name: {{ .name }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}


@ -0,0 +1,63 @@
{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}}
{{- $serverExposeServiceEnabled := (or (and (ne (.Values.server.exposeService.enabled | toString) "-") .Values.server.exposeService.enabled) (and (eq (.Values.server.exposeService.enabled | toString) "-") .Values.global.adminPartitions.enabled)) -}}
{{- if (and $serverEnabled $serverExposeServiceEnabled) }}
# Service with an external IP to reach Consul servers.
# Used for exposing gRPC port for peering and ports for client partitions to discover servers.
apiVersion: v1
kind: Service
metadata:
name: {{ template "consul.fullname" . }}-expose-servers
namespace: {{ .Release.Namespace }}
labels:
app: {{ template "consul.name" . }}
chart: {{ template "consul.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
component: server
annotations:
{{- if .Values.server.exposeService.annotations }}
{{ tpl .Values.server.exposeService.annotations . | nindent 4 | trim }}
{{- end }}
spec:
type: "{{ .Values.server.exposeService.type }}"
ports:
{{- if (or (not .Values.global.tls.enabled) (not .Values.global.tls.httpsOnly)) }}
- name: http
port: 8500
targetPort: 8500
{{ if (and (eq .Values.server.exposeService.type "NodePort") .Values.server.exposeService.nodePort.http) }}
nodePort: {{ .Values.server.exposeService.nodePort.http }}
{{- end }}
{{- end }}
{{- if .Values.global.tls.enabled }}
- name: https
port: 8501
targetPort: 8501
{{ if (and (eq .Values.server.exposeService.type "NodePort") .Values.server.exposeService.nodePort.https) }}
nodePort: {{ .Values.server.exposeService.nodePort.https }}
{{- end }}
{{- end }}
- name: serflan
port: 8301
targetPort: 8301
{{ if (and (eq .Values.server.exposeService.type "NodePort") .Values.server.exposeService.nodePort.serf) }}
nodePort: {{ .Values.server.exposeService.nodePort.serf }}
{{- end }}
- name: rpc
port: 8300
targetPort: 8300
{{ if (and (eq .Values.server.exposeService.type "NodePort") .Values.server.exposeService.nodePort.rpc) }}
nodePort: {{ .Values.server.exposeService.nodePort.rpc }}
{{- end }}
- name: grpc
port: 8502
targetPort: 8502
{{ if (and (eq .Values.server.exposeService.type "NodePort") .Values.server.exposeService.nodePort.grpc) }}
nodePort: {{ .Values.server.exposeService.nodePort.grpc }}
{{- end }}
selector:
app: {{ template "consul.name" . }}
release: "{{ .Release.Name }}"
component: server
{{- end }}
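Review bot: the `http` port (8500) is published on this external service whenever `global.tls.enabled` is false or `global.tls.httpsOnly` is false, so with `server.exposeService.type` set to a `LoadBalancer` the plaintext HTTP API, along with serf (8301), RPC (8300) and gRPC (8502), is reachable from outside the cluster; the header comment should say that this service exists for peering and partition clients and that TLS and ACLs are expected to be enabled before it is exposed. Two rendering points: `annotations:` is emitted even when `server.exposeService.annotations` is empty (yielding `annotations: null`), whereas the DNS service in this change puts the key inside the `if`; and the five `{{ if ... }}` / `nodePort` conditionals lack the `{{-` whitespace trim used everywhere else in the file, so each leaves a stray blank line in the rendered manifest.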


@ -0,0 +1,44 @@
{{- if .Values.connectInject.enabled }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ template "consul.fullname" . }}-gateway-cleanup
labels:
app: {{ template "consul.name" . }}
chart: {{ template "consul.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
component: gateway-cleanup
rules:
- apiGroups:
- consul.hashicorp.com
resources:
- gatewayclassconfigs
verbs:
- get
- delete
- apiGroups:
- gateway.networking.k8s.io
resources:
- gatewayclasses
verbs:
- get
- delete
- apiGroups:
- mesh.consul.hashicorp.com
resources:
- gatewayclassconfigs
- gatewayclasses
- meshgateways
verbs:
- get
- delete
{{- if .Values.global.enablePodSecurityPolicies }}
- apiGroups: ["policy"]
resources: ["podsecuritypolicies"]
resourceNames:
- {{ template "consul.fullname" . }}-gateway-cleanup
verbs:
- use
{{- end }}
{{- end }}
