Add NSM assets/charts for v1.4.1
parent
6ef046d80a
commit
7f5f11b43e
|
@ -0,0 +1,11 @@
|
||||||
|
annotations:
|
||||||
|
catalog.cattle.io/certified: partner
|
||||||
|
catalog.cattle.io/display-name: NGINX Service Mesh
|
||||||
|
catalog.cattle.io/release-name: nginx-service-mesh
|
||||||
|
apiVersion: v2
|
||||||
|
appVersion: 1.4.1
|
||||||
|
description: NGINX Service Mesh
|
||||||
|
icon: https://raw.githubusercontent.com/nginxinc/nginx-service-mesh/master/helm-chart/chart-icon.png
|
||||||
|
kubeVersion: '>= 1.18-0'
|
||||||
|
name: nginx-service-mesh
|
||||||
|
version: 0.4.100
|
|
@ -0,0 +1,11 @@
|
||||||
|
# NGINX Service Mesh
|
||||||
|
|
||||||
|
Before deploying NGINX Service Mesh, see the [Platform Guide](https://docs.nginx.com/nginx-service-mesh/get-started/kubernetes-platform/) to ensure your environment is properly configured. If [Persistent Storage](https://docs.nginx.com/nginx-service-mesh/get-started/kubernetes-platform/persistent-storage/) is not configured in your cluster, set the `mTLS.persistentStorage` field to `off`. Verify that no other service meshes exist in your Kubernetes cluster. It is advised to install NGINX Service Mesh in a dedicated namespace.
|
||||||
|
|
||||||
|
## Helm Installation and Configuration
|
||||||
|
|
||||||
|
For information on the configuration options and installation process when using Helm with NGINX Service Mesh, see the [Installation Guide](https://docs.nginx.com/nginx-service-mesh/get-started/install-with-helm/).
|
||||||
|
|
||||||
|
## Rancher users
|
||||||
|
|
||||||
|
When deploying NGINX Service Mesh via the Rancher Apps and Marketplace, the Helm value `rancher` is set to `true` by default. This value causes Pods in the `cattle-*`, `ingress-nginx`, and `cert-manager` namespaces to be ignored by the automatic sidecar injection webhook. If this behavior is not desired, the `rancher` value can be set to `false`, or the `injector.nsm.nginx.com/auto-inject` label can be manually removed from these namespaces.
|
|
@ -0,0 +1,21 @@
|
||||||
|
# NGINX Service Mesh
|
||||||
|
|
||||||
|
[NGINX Service Mesh](https://docs.nginx.com/nginx-service-mesh/) is a fully integrated lightweight service mesh that leverages a data plane powered by NGINX Plus to manage container traffic in Kubernetes environments.
|
||||||
|
|
||||||
|
NGINX Service Mesh is supported in Rancher 2.5+ when deploying from the Apps and Marketplace. NGINX Service Mesh is not currently supported on k3s.
|
||||||
|
|
||||||
|
## Enabling telemetry
|
||||||
|
|
||||||
|
Telemetry can only be enabled by editing the configuration YAML directly in the Rancher UI. When installing NGINX Service Mesh, select the `Edit YAML` option. To enable telemetry, set the `tracing` object to `{}` and fill out the `telemetry` object.
|
||||||
|
The telemetry object expects a `samplerRatio`, and the `host` and `port` of your OTLP gRPC collector.
|
||||||
|
For example:
|
||||||
|
|
||||||
|
```yaml
|
||||||
|
tracing: {}
|
||||||
|
telemetry:
|
||||||
|
samplerRatio: 0.01
|
||||||
|
exporters:
|
||||||
|
otlp:
|
||||||
|
host: "my-otlp-collector-host"
|
||||||
|
port: 4317
|
||||||
|
```
|
|
@ -0,0 +1,11 @@
|
||||||
|
apiVersion: 1
|
||||||
|
providers:
|
||||||
|
- name: 'default'
|
||||||
|
orgId: 1
|
||||||
|
folder: ''
|
||||||
|
type: file
|
||||||
|
disableDeletion: true
|
||||||
|
editable: true
|
||||||
|
options:
|
||||||
|
path: /var/lib/grafana/dashboards
|
||||||
|
homeDashboardId: nginx-mesh-top
|
|
@ -0,0 +1,12 @@
|
||||||
|
apiVersion: 1
|
||||||
|
datasources:
|
||||||
|
- name: prometheus
|
||||||
|
type: prometheus
|
||||||
|
access: proxy
|
||||||
|
orgId: 1
|
||||||
|
url: http://{{ include "prometheus.address" . }}
|
||||||
|
isDefault: true
|
||||||
|
jsonData:
|
||||||
|
timeInterval: "5s"
|
||||||
|
version: 1
|
||||||
|
editable: true
|
|
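Review bot: `editable: true` on the provisioned `prometheus` datasource lets UI users change it, but a provisioned datasource is re-applied from this file on the next Grafana restart, so any UI edit is silently reverted; as far as I know `editable: false` is the conventional setting for file-provisioned datasources. This matters more here because the grafana.ini in the same commit enables anonymous access with the Admin role, so anyone who can reach the UI can temporarily repoint the Prometheus queries. Suggest `editable: false` unless there is a documented reason to allow UI edits.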
@ -0,0 +1,697 @@
|
||||||
|
{
|
||||||
|
"annotations": {
|
||||||
|
"list": [
|
||||||
|
{
|
||||||
|
"builtIn": 1,
|
||||||
|
"datasource": "-- Grafana --",
|
||||||
|
"enable": true,
|
||||||
|
"hide": true,
|
||||||
|
"iconColor": "rgba(0, 211, 255, 1)",
|
||||||
|
"name": "Annotations & Alerts",
|
||||||
|
"type": "dashboard"
|
||||||
|
}
|
||||||
|
]
|
||||||
|
},
|
||||||
|
"editable": true,
|
||||||
|
"gnetId": null,
|
||||||
|
"graphTooltip": 0,
|
||||||
|
"id": null,
|
||||||
|
"links": [],
|
||||||
|
"panels": [
|
||||||
|
{
|
||||||
|
"cacheTimeout": null,
|
||||||
|
"colorBackground": false,
|
||||||
|
"colorValue": false,
|
||||||
|
"colors": [
|
||||||
|
"#299c46",
|
||||||
|
"rgba(237, 129, 40, 0.89)",
|
||||||
|
"#d44a3a"
|
||||||
|
],
|
||||||
|
"datasource": "prometheus",
|
||||||
|
"fieldConfig": {
|
||||||
|
"defaults": {},
|
||||||
|
"overrides": []
|
||||||
|
},
|
||||||
|
"format": "percentunit",
|
||||||
|
"gauge": {
|
||||||
|
"maxValue": 100,
|
||||||
|
"minValue": 0,
|
||||||
|
"show": false,
|
||||||
|
"thresholdLabels": false,
|
||||||
|
"thresholdMarkers": true
|
||||||
|
},
|
||||||
|
"gridPos": {
|
||||||
|
"h": 6,
|
||||||
|
"w": 8,
|
||||||
|
"x": 0,
|
||||||
|
"y": 0
|
||||||
|
},
|
||||||
|
"id": 4,
|
||||||
|
"interval": null,
|
||||||
|
"links": [],
|
||||||
|
"mappingType": 1,
|
||||||
|
"mappingTypes": [
|
||||||
|
{
|
||||||
|
"name": "value to text",
|
||||||
|
"value": 1
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"name": "range to text",
|
||||||
|
"value": 2
|
||||||
|
}
|
||||||
|
],
|
||||||
|
"maxDataPoints": 100,
|
||||||
|
"nullPointMode": "connected",
|
||||||
|
"nullText": null,
|
||||||
|
"postfix": "",
|
||||||
|
"postfixFontSize": "50%",
|
||||||
|
"prefix": "",
|
||||||
|
"prefixFontSize": "50%",
|
||||||
|
"rangeMaps": [
|
||||||
|
{
|
||||||
|
"from": "null",
|
||||||
|
"text": "N/A",
|
||||||
|
"to": "null"
|
||||||
|
}
|
||||||
|
],
|
||||||
|
"sparkline": {
|
||||||
|
"fillColor": "rgba(31, 118, 189, 0.18)",
|
||||||
|
"full": true,
|
||||||
|
"lineColor": "rgb(31, 120, 193)",
|
||||||
|
"show": true
|
||||||
|
},
|
||||||
|
"tableColumn": "",
|
||||||
|
"targets": [
|
||||||
|
{
|
||||||
|
"expr": "sum(irate(nginxplus_upstream_server_responses{code=~\"1xx|2xx\"}[30s])) / sum(irate(nginxplus_upstream_server_responses[30s]))",
|
||||||
|
"format": "time_series",
|
||||||
|
"interval": "5s",
|
||||||
|
"intervalFactor": 1,
|
||||||
|
"refId": "A"
|
||||||
|
}
|
||||||
|
],
|
||||||
|
"thresholds": "",
|
||||||
|
"title": "GLOBAL SUCCESS RATE",
|
||||||
|
"type": "singlestat",
|
||||||
|
"valueFontSize": "80%",
|
||||||
|
"valueMaps": [
|
||||||
|
{
|
||||||
|
"op": "=",
|
||||||
|
"text": "N/A",
|
||||||
|
"value": "null"
|
||||||
|
}
|
||||||
|
],
|
||||||
|
"valueName": "current"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"cacheTimeout": null,
|
||||||
|
"colorBackground": false,
|
||||||
|
"colorValue": false,
|
||||||
|
"colors": [
|
||||||
|
"#299c46",
|
||||||
|
"rgba(237, 129, 40, 0.89)",
|
||||||
|
"#d44a3a"
|
||||||
|
],
|
||||||
|
"datasource": "prometheus",
|
||||||
|
"fieldConfig": {
|
||||||
|
"defaults": {},
|
||||||
|
"overrides": []
|
||||||
|
},
|
||||||
|
"format": "reqps",
|
||||||
|
"gauge": {
|
||||||
|
"maxValue": 100,
|
||||||
|
"minValue": 0,
|
||||||
|
"show": false,
|
||||||
|
"thresholdLabels": false,
|
||||||
|
"thresholdMarkers": true
|
||||||
|
},
|
||||||
|
"gridPos": {
|
||||||
|
"h": 6,
|
||||||
|
"w": 13,
|
||||||
|
"x": 8,
|
||||||
|
"y": 0
|
||||||
|
},
|
||||||
|
"id": 6,
|
||||||
|
"interval": null,
|
||||||
|
"links": [],
|
||||||
|
"mappingType": 1,
|
||||||
|
"mappingTypes": [
|
||||||
|
{
|
||||||
|
"name": "value to text",
|
||||||
|
"value": 1
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"name": "range to text",
|
||||||
|
"value": 2
|
||||||
|
}
|
||||||
|
],
|
||||||
|
"maxDataPoints": 100,
|
||||||
|
"nullPointMode": "connected",
|
||||||
|
"nullText": null,
|
||||||
|
"postfix": "",
|
||||||
|
"postfixFontSize": "50%",
|
||||||
|
"prefix": "",
|
||||||
|
"prefixFontSize": "50%",
|
||||||
|
"rangeMaps": [
|
||||||
|
{
|
||||||
|
"from": "null",
|
||||||
|
"text": "N/A",
|
||||||
|
"to": "null"
|
||||||
|
}
|
||||||
|
],
|
||||||
|
"sparkline": {
|
||||||
|
"fillColor": "rgba(31, 118, 189, 0.18)",
|
||||||
|
"full": true,
|
||||||
|
"lineColor": "rgb(31, 120, 193)",
|
||||||
|
"show": true
|
||||||
|
},
|
||||||
|
"tableColumn": "",
|
||||||
|
"targets": [
|
||||||
|
{
|
||||||
|
"expr": "sum(irate(nginxplus_http_requests_total[30s]))",
|
||||||
|
"format": "time_series",
|
||||||
|
"interval": "5s",
|
||||||
|
"intervalFactor": 1,
|
||||||
|
"refId": "A"
|
||||||
|
}
|
||||||
|
],
|
||||||
|
"thresholds": "",
|
||||||
|
"title": "GLOBAL REQUEST VOLUME",
|
||||||
|
"type": "singlestat",
|
||||||
|
"valueFontSize": "80%",
|
||||||
|
"valueMaps": [
|
||||||
|
{
|
||||||
|
"op": "=",
|
||||||
|
"text": "N/A",
|
||||||
|
"value": "null"
|
||||||
|
}
|
||||||
|
],
|
||||||
|
"valueName": "current"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"cacheTimeout": null,
|
||||||
|
"colorBackground": false,
|
||||||
|
"colorValue": false,
|
||||||
|
"colors": [
|
||||||
|
"#299c46",
|
||||||
|
"rgba(237, 129, 40, 0.89)",
|
||||||
|
"#d44a3a"
|
||||||
|
],
|
||||||
|
"datasource": "prometheus",
|
||||||
|
"fieldConfig": {
|
||||||
|
"defaults": {},
|
||||||
|
"overrides": []
|
||||||
|
},
|
||||||
|
"format": "none",
|
||||||
|
"gauge": {
|
||||||
|
"maxValue": 100,
|
||||||
|
"minValue": 0,
|
||||||
|
"show": false,
|
||||||
|
"thresholdLabels": false,
|
||||||
|
"thresholdMarkers": true
|
||||||
|
},
|
||||||
|
"gridPos": {
|
||||||
|
"h": 6,
|
||||||
|
"w": 3,
|
||||||
|
"x": 21,
|
||||||
|
"y": 0
|
||||||
|
},
|
||||||
|
"id": 5,
|
||||||
|
"interval": null,
|
||||||
|
"links": [],
|
||||||
|
"mappingType": 1,
|
||||||
|
"mappingTypes": [
|
||||||
|
{
|
||||||
|
"name": "value to text",
|
||||||
|
"value": 1
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"name": "range to text",
|
||||||
|
"value": 2
|
||||||
|
}
|
||||||
|
],
|
||||||
|
"maxDataPoints": 100,
|
||||||
|
"nullPointMode": "connected",
|
||||||
|
"nullText": null,
|
||||||
|
"postfix": "",
|
||||||
|
"postfixFontSize": "50%",
|
||||||
|
"prefix": "",
|
||||||
|
"prefixFontSize": "50%",
|
||||||
|
"rangeMaps": [
|
||||||
|
{
|
||||||
|
"from": "null",
|
||||||
|
"text": "N/A",
|
||||||
|
"to": "null"
|
||||||
|
}
|
||||||
|
],
|
||||||
|
"sparkline": {
|
||||||
|
"fillColor": "rgba(31, 118, 189, 0.18)",
|
||||||
|
"full": true,
|
||||||
|
"lineColor": "rgb(31, 120, 193)",
|
||||||
|
"show": false
|
||||||
|
},
|
||||||
|
"tableColumn": "",
|
||||||
|
"targets": [
|
||||||
|
{
|
||||||
|
"expr": "count(nginxplus_http_requests_total)",
|
||||||
|
"format": "time_series",
|
||||||
|
"interval": "5s",
|
||||||
|
"intervalFactor": 1,
|
||||||
|
"refId": "A"
|
||||||
|
}
|
||||||
|
],
|
||||||
|
"thresholds": "",
|
||||||
|
"title": "PODS MONITORED",
|
||||||
|
"type": "singlestat",
|
||||||
|
"valueFontSize": "200%",
|
||||||
|
"valueMaps": [
|
||||||
|
{
|
||||||
|
"op": "=",
|
||||||
|
"text": "N/A",
|
||||||
|
"value": "null"
|
||||||
|
}
|
||||||
|
],
|
||||||
|
"valueName": "current"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"aliasColors": {},
|
||||||
|
"bars": false,
|
||||||
|
"dashLength": 10,
|
||||||
|
"dashes": false,
|
||||||
|
"datasource": "prometheus",
|
||||||
|
"fieldConfig": {
|
||||||
|
"defaults": {},
|
||||||
|
"overrides": []
|
||||||
|
},
|
||||||
|
"fill": 1,
|
||||||
|
"fillGradient": 0,
|
||||||
|
"gridPos": {
|
||||||
|
"h": 9,
|
||||||
|
"w": 12,
|
||||||
|
"x": 0,
|
||||||
|
"y": 6
|
||||||
|
},
|
||||||
|
"hiddenSeries": false,
|
||||||
|
"id": 2,
|
||||||
|
"legend": {
|
||||||
|
"avg": false,
|
||||||
|
"current": false,
|
||||||
|
"max": false,
|
||||||
|
"min": false,
|
||||||
|
"show": true,
|
||||||
|
"total": false,
|
||||||
|
"values": false
|
||||||
|
},
|
||||||
|
"lines": true,
|
||||||
|
"linewidth": 1,
|
||||||
|
"links": [],
|
||||||
|
"nullPointMode": "null",
|
||||||
|
"options": {
|
||||||
|
"alertThreshold": true
|
||||||
|
},
|
||||||
|
"percentage": false,
|
||||||
|
"pluginVersion": "8.3.4",
|
||||||
|
"pointradius": 5,
|
||||||
|
"points": false,
|
||||||
|
"renderer": "flot",
|
||||||
|
"seriesOverrides": [],
|
||||||
|
"spaceLength": 10,
|
||||||
|
"stack": false,
|
||||||
|
"steppedLine": false,
|
||||||
|
"targets": [
|
||||||
|
{
|
||||||
|
"expr": "irate(nginxplus_http_requests_total[30s])",
|
||||||
|
"format": "time_series",
|
||||||
|
"interval": "",
|
||||||
|
"intervalFactor": 1,
|
||||||
|
"refId": "A"
|
||||||
|
}
|
||||||
|
],
|
||||||
|
"thresholds": [],
|
||||||
|
"timeFrom": null,
|
||||||
|
"timeRegions": [],
|
||||||
|
"timeShift": null,
|
||||||
|
"title": "Request Volume",
|
||||||
|
"tooltip": {
|
||||||
|
"shared": true,
|
||||||
|
"sort": 0,
|
||||||
|
"value_type": "individual"
|
||||||
|
},
|
||||||
|
"type": "graph",
|
||||||
|
"xaxis": {
|
||||||
|
"buckets": null,
|
||||||
|
"mode": "time",
|
||||||
|
"name": null,
|
||||||
|
"show": true,
|
||||||
|
"values": []
|
||||||
|
},
|
||||||
|
"yaxes": [
|
||||||
|
{
|
||||||
|
"format": "reqps",
|
||||||
|
"label": null,
|
||||||
|
"logBase": 1,
|
||||||
|
"max": null,
|
||||||
|
"min": "0",
|
||||||
|
"show": true
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"format": "short",
|
||||||
|
"label": null,
|
||||||
|
"logBase": 1,
|
||||||
|
"max": null,
|
||||||
|
"min": null,
|
||||||
|
"show": true
|
||||||
|
}
|
||||||
|
],
|
||||||
|
"yaxis": {
|
||||||
|
"align": false,
|
||||||
|
"alignLevel": null
|
||||||
|
}
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"aliasColors": {},
|
||||||
|
"bars": false,
|
||||||
|
"dashLength": 10,
|
||||||
|
"dashes": false,
|
||||||
|
"datasource": "prometheus",
|
||||||
|
"fieldConfig": {
|
||||||
|
"defaults": {},
|
||||||
|
"overrides": []
|
||||||
|
},
|
||||||
|
"fill": 1,
|
||||||
|
"fillGradient": 0,
|
||||||
|
"gridPos": {
|
||||||
|
"h": 9,
|
||||||
|
"w": 12,
|
||||||
|
"x": 12,
|
||||||
|
"y": 6
|
||||||
|
},
|
||||||
|
"hiddenSeries": false,
|
||||||
|
"id": 123124,
|
||||||
|
"legend": {
|
||||||
|
"avg": false,
|
||||||
|
"current": false,
|
||||||
|
"max": false,
|
||||||
|
"min": false,
|
||||||
|
"show": true,
|
||||||
|
"total": false,
|
||||||
|
"values": false
|
||||||
|
},
|
||||||
|
"lines": true,
|
||||||
|
"linewidth": 1,
|
||||||
|
"links": [],
|
||||||
|
"nullPointMode": "null",
|
||||||
|
"options": {
|
||||||
|
"alertThreshold": true
|
||||||
|
},
|
||||||
|
"percentage": false,
|
||||||
|
"pluginVersion": "8.3.4",
|
||||||
|
"pointradius": 5,
|
||||||
|
"points": false,
|
||||||
|
"renderer": "flot",
|
||||||
|
"seriesOverrides": [],
|
||||||
|
"spaceLength": 10,
|
||||||
|
"stack": false,
|
||||||
|
"steppedLine": false,
|
||||||
|
"targets": [
|
||||||
|
{
|
||||||
|
"expr": "sum(irate(nginxplus_upstream_server_responses{code=~\"1xx|2xx\"}[30s])) by (app, version) / sum(irate(nginxplus_upstream_server_responses[30s])) by (app, version)",
|
||||||
|
"format": "time_series",
|
||||||
|
"instant": false,
|
||||||
|
"interval": "",
|
||||||
|
"intervalFactor": 1,
|
||||||
|
"legendFormat": "",
|
||||||
|
"refId": "A"
|
||||||
|
}
|
||||||
|
],
|
||||||
|
"thresholds": [],
|
||||||
|
"timeFrom": null,
|
||||||
|
"timeRegions": [],
|
||||||
|
"timeShift": null,
|
||||||
|
"title": "Pod Success",
|
||||||
|
"tooltip": {
|
||||||
|
"shared": true,
|
||||||
|
"sort": 0,
|
||||||
|
"value_type": "individual"
|
||||||
|
},
|
||||||
|
"type": "graph",
|
||||||
|
"xaxis": {
|
||||||
|
"buckets": null,
|
||||||
|
"mode": "time",
|
||||||
|
"name": null,
|
||||||
|
"show": true,
|
||||||
|
"values": []
|
||||||
|
},
|
||||||
|
"yaxes": [
|
||||||
|
{
|
||||||
|
"format": "percentunit",
|
||||||
|
"label": null,
|
||||||
|
"logBase": 1,
|
||||||
|
"max": "1",
|
||||||
|
"min": "0",
|
||||||
|
"show": true
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"format": "short",
|
||||||
|
"label": null,
|
||||||
|
"logBase": 1,
|
||||||
|
"max": null,
|
||||||
|
"min": null,
|
||||||
|
"show": true
|
||||||
|
}
|
||||||
|
],
|
||||||
|
"yaxis": {
|
||||||
|
"align": false,
|
||||||
|
"alignLevel": null
|
||||||
|
}
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"aliasColors": {},
|
||||||
|
"bars": false,
|
||||||
|
"dashLength": 10,
|
||||||
|
"dashes": false,
|
||||||
|
"datasource": null,
|
||||||
|
"description": "RSS used by NGINX Service Mesh sidecars",
|
||||||
|
"fieldConfig": {
|
||||||
|
"defaults": {},
|
||||||
|
"overrides": []
|
||||||
|
},
|
||||||
|
"fill": 1,
|
||||||
|
"fillGradient": 0,
|
||||||
|
"gridPos": {
|
||||||
|
"h": 8,
|
||||||
|
"w": 12,
|
||||||
|
"x": 0,
|
||||||
|
"y": 15
|
||||||
|
},
|
||||||
|
"hiddenSeries": false,
|
||||||
|
"id": 123126,
|
||||||
|
"legend": {
|
||||||
|
"avg": false,
|
||||||
|
"current": false,
|
||||||
|
"max": false,
|
||||||
|
"min": false,
|
||||||
|
"show": true,
|
||||||
|
"total": false,
|
||||||
|
"values": false
|
||||||
|
},
|
||||||
|
"lines": true,
|
||||||
|
"linewidth": 1,
|
||||||
|
"nullPointMode": "null",
|
||||||
|
"options": {
|
||||||
|
"alertThreshold": true
|
||||||
|
},
|
||||||
|
"percentage": false,
|
||||||
|
"pluginVersion": "8.3.4",
|
||||||
|
"pointradius": 2,
|
||||||
|
"points": false,
|
||||||
|
"renderer": "flot",
|
||||||
|
"seriesOverrides": [],
|
||||||
|
"spaceLength": 10,
|
||||||
|
"stack": false,
|
||||||
|
"steppedLine": false,
|
||||||
|
"targets": [
|
||||||
|
{
|
||||||
|
"expr": "nginxplus_workers_mem_rss",
|
||||||
|
"interval": "",
|
||||||
|
"legendFormat": "",
|
||||||
|
"refId": "A"
|
||||||
|
}
|
||||||
|
],
|
||||||
|
"thresholds": [],
|
||||||
|
"timeFrom": null,
|
||||||
|
"timeRegions": [],
|
||||||
|
"timeShift": null,
|
||||||
|
"title": "Sidecar Memory Usage (RSS)",
|
||||||
|
"tooltip": {
|
||||||
|
"shared": true,
|
||||||
|
"sort": 0,
|
||||||
|
"value_type": "individual"
|
||||||
|
},
|
||||||
|
"type": "graph",
|
||||||
|
"xaxis": {
|
||||||
|
"buckets": null,
|
||||||
|
"mode": "time",
|
||||||
|
"name": null,
|
||||||
|
"show": true,
|
||||||
|
"values": []
|
||||||
|
},
|
||||||
|
"yaxes": [
|
||||||
|
{
|
||||||
|
"format": "decbytes",
|
||||||
|
"label": null,
|
||||||
|
"logBase": 1,
|
||||||
|
"max": null,
|
||||||
|
"min": null,
|
||||||
|
"show": true
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"format": "short",
|
||||||
|
"label": null,
|
||||||
|
"logBase": 1,
|
||||||
|
"max": null,
|
||||||
|
"min": null,
|
||||||
|
"show": true
|
||||||
|
}
|
||||||
|
],
|
||||||
|
"yaxis": {
|
||||||
|
"align": false,
|
||||||
|
"alignLevel": null
|
||||||
|
}
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"aliasColors": {},
|
||||||
|
"bars": false,
|
||||||
|
"dashLength": 10,
|
||||||
|
"dashes": false,
|
||||||
|
"datasource": null,
|
||||||
|
"description": "Private memory used by NGINX Service Mesh sidecars",
|
||||||
|
"fieldConfig": {
|
||||||
|
"defaults": {},
|
||||||
|
"overrides": []
|
||||||
|
},
|
||||||
|
"fill": 1,
|
||||||
|
"fillGradient": 0,
|
||||||
|
"gridPos": {
|
||||||
|
"h": 8,
|
||||||
|
"w": 12,
|
||||||
|
"x": 12,
|
||||||
|
"y": 15
|
||||||
|
},
|
||||||
|
"hiddenSeries": false,
|
||||||
|
"id": 123128,
|
||||||
|
"legend": {
|
||||||
|
"avg": false,
|
||||||
|
"current": false,
|
||||||
|
"max": false,
|
||||||
|
"min": false,
|
||||||
|
"show": true,
|
||||||
|
"total": false,
|
||||||
|
"values": false
|
||||||
|
},
|
||||||
|
"lines": true,
|
||||||
|
"linewidth": 1,
|
||||||
|
"nullPointMode": "null",
|
||||||
|
"options": {
|
||||||
|
"alertThreshold": true
|
||||||
|
},
|
||||||
|
"percentage": false,
|
||||||
|
"pluginVersion": "8.3.4",
|
||||||
|
"pointradius": 2,
|
||||||
|
"points": false,
|
||||||
|
"renderer": "flot",
|
||||||
|
"seriesOverrides": [],
|
||||||
|
"spaceLength": 10,
|
||||||
|
"stack": false,
|
||||||
|
"steppedLine": false,
|
||||||
|
"targets": [
|
||||||
|
{
|
||||||
|
"expr": "nginxplus_workers_mem_private",
|
||||||
|
"interval": "",
|
||||||
|
"legendFormat": "",
|
||||||
|
"refId": "A"
|
||||||
|
}
|
||||||
|
],
|
||||||
|
"thresholds": [],
|
||||||
|
"timeFrom": null,
|
||||||
|
"timeRegions": [],
|
||||||
|
"timeShift": null,
|
||||||
|
"title": "Sidecar Memory Usage (Private)",
|
||||||
|
"tooltip": {
|
||||||
|
"shared": true,
|
||||||
|
"sort": 0,
|
||||||
|
"value_type": "individual"
|
||||||
|
},
|
||||||
|
"type": "graph",
|
||||||
|
"xaxis": {
|
||||||
|
"buckets": null,
|
||||||
|
"mode": "time",
|
||||||
|
"name": null,
|
||||||
|
"show": true,
|
||||||
|
"values": []
|
||||||
|
},
|
||||||
|
"yaxes": [
|
||||||
|
{
|
||||||
|
"format": "short",
|
||||||
|
"label": null,
|
||||||
|
"logBase": 1,
|
||||||
|
"max": null,
|
||||||
|
"min": null,
|
||||||
|
"show": true
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"format": "short",
|
||||||
|
"label": null,
|
||||||
|
"logBase": 1,
|
||||||
|
"max": null,
|
||||||
|
"min": null,
|
||||||
|
"show": true
|
||||||
|
}
|
||||||
|
],
|
||||||
|
"yaxis": {
|
||||||
|
"align": false,
|
||||||
|
"alignLevel": null
|
||||||
|
}
|
||||||
|
}
|
||||||
|
],
|
||||||
|
"refresh": "5s",
|
||||||
|
"schemaVersion": 27,
|
||||||
|
"style": "dark",
|
||||||
|
"tags": [],
|
||||||
|
"templating": {
|
||||||
|
"list": []
|
||||||
|
},
|
||||||
|
"time": {
|
||||||
|
"from": "now-5m",
|
||||||
|
"to": "now"
|
||||||
|
},
|
||||||
|
"timepicker": {
|
||||||
|
"refresh_intervals": [
|
||||||
|
"5s",
|
||||||
|
"10s",
|
||||||
|
"30s",
|
||||||
|
"1m",
|
||||||
|
"5m",
|
||||||
|
"15m",
|
||||||
|
"30m",
|
||||||
|
"1h",
|
||||||
|
"2h",
|
||||||
|
"1d"
|
||||||
|
],
|
||||||
|
"time_options": [
|
||||||
|
"5m",
|
||||||
|
"15m",
|
||||||
|
"1h",
|
||||||
|
"6h",
|
||||||
|
"12h",
|
||||||
|
"24h",
|
||||||
|
"2d",
|
||||||
|
"7d",
|
||||||
|
"30d"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
"timezone": "",
|
||||||
|
"title": "NGINX Mesh Top",
|
||||||
|
"uid": "N3zQ72OWk",
|
||||||
|
"version": 1
|
||||||
|
}
|
|
@ -0,0 +1,15 @@
|
||||||
|
instance_name = nginx-mesh-grafana
|
||||||
|
|
||||||
|
[auth]
|
||||||
|
disable_login_form = true
|
||||||
|
|
||||||
|
[auth.anonymous]
|
||||||
|
enabled = true
|
||||||
|
org_role = Admin
|
||||||
|
|
||||||
|
[auth.basic]
|
||||||
|
enabled = false
|
||||||
|
|
||||||
|
[analytics]
|
||||||
|
check_for_updates = false
|
||||||
|
Events: <none>
|
|
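Review bot: The `[auth.anonymous]` block grants `org_role = Admin` to every unauthenticated request, and with `disable_login_form = true` and `[auth.basic] enabled = false` there is no other login path, so anyone who can reach the Grafana service gets full Admin rights with no audit identity. The datasource and dashboard provisioning files in this commit are also `editable: true`, so an anonymous Admin can repoint the Prometheus datasource or alter dashboards. For a read-only mesh dashboard `org_role = Viewer` is the safer default, and the chart README should state that the endpoint is unauthenticated. If Admin is intentional, a comment above the block saying that the Service is expected to stay cluster-internal would help the next reviewer.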
@ -0,0 +1,11 @@
|
||||||
|
log_level = "debug"
|
||||||
|
trust_domain = {{ quote .Values.mtls.trustDomain }}
|
||||||
|
server_socket_path = "/run/spire/sockets/spire-registration.sock"
|
||||||
|
cluster = "nginx-mesh"
|
||||||
|
pod_controller = true
|
||||||
|
add_svc_dns_name = true
|
||||||
|
mode = "crd"
|
||||||
|
webhook_enabled = true
|
||||||
|
webhook_cert_dir = "/tmp/k8s-webhook-server/serving-certs"
|
||||||
|
identity_template_label = "spiffe.io/spiffeid"
|
||||||
|
dns_name_templates = ["{{`{{ .Pod.Name}}`}}", "{{`{{ .Pod.ServiceAccount }}`}}.{{`{{ .Pod.Namespace }}`}}.svc"]
|
|
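Review bot: `log_level = "debug"` on the first line is hard-coded while the neighbouring `trust_domain` is taken from values, so a packaged release ships the workload registrar at debug verbosity with no knob to lower it; the same hard-coded `"DEBUG"` appears in the SPIRE agent and server configs further down. Debug output here likely includes per-pod registration detail, which is noisy at scale and is retained by cluster log pipelines. Suggest templating it, e.g. `log_level = {{ quote .Values.<log-level key, placeholder — not on page> }}`, with a non-debug default in values.yaml, or at minimum `"info"`.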
@ -0,0 +1,79 @@
|
||||||
|
{
|
||||||
|
"accessControlMode": {{ quote .Values.accessControlMode }},
|
||||||
|
"api": {
|
||||||
|
"address": {{ printf "nginx-mesh-api.%s" .Release.Namespace | quote }},
|
||||||
|
"containerPort": 8443,
|
||||||
|
"port": 443
|
||||||
|
},
|
||||||
|
"autoInjectorPort": 9443,
|
||||||
|
"environment": {{ quote .Values.environment }},
|
||||||
|
"isUDPEnabled": {{ .Values.enableUDP }},
|
||||||
|
"injection": {
|
||||||
|
"disabledNamespaces": [{{ range $idx, $elem := .Values.autoInjection.disabledNamespaces }}{{if $idx}},{{end}}{{quote .}}{{end}}],
|
||||||
|
"enabledNamespaces": [{{ range $idx, $elem := .Values.autoInjection.enabledNamespaces }}{{if $idx}},{{end}}{{quote .}}{{end}}],
|
||||||
|
"isAutoInjectEnabled": {{ not .Values.autoInjection.disable }}
|
||||||
|
},
|
||||||
|
"loadBalancingMethod": {{ quote .Values.nginxLBMethod }},
|
||||||
|
"mtls": {
|
||||||
|
"mode": {{ quote .Values.mtls.mode }},
|
||||||
|
"caTTL": {{ quote .Values.mtls.caTTL }},
|
||||||
|
"svidTTL": {{ quote .Values.mtls.svidTTL }},
|
||||||
|
"caKeyType": {{ quote .Values.mtls.caKeyType }}
|
||||||
|
},
|
||||||
|
"mtlsMode": {{ quote .Values.mtls.mode }},
|
||||||
|
"namespace": {{ quote .Release.Namespace }},
|
||||||
|
"nginxErrorLogLevel": {{ quote .Values.nginxErrorLogLevel }},
|
||||||
|
"nginxLogFormat": {{ quote .Values.nginxLogFormat }},
|
||||||
|
"prometheusAddress": {{ include "prometheus.address" . | quote }},
|
||||||
|
"proxy": {
|
||||||
|
"ports": {
|
||||||
|
"incoming": 8888,
|
||||||
|
"incomingGrpc": 8891,
|
||||||
|
"incomingGrpcPermissive": 8893,
|
||||||
|
"incomingNotInKeyval": 8903,
|
||||||
|
"incomingPermissive": 8890,
|
||||||
|
"incomingRedirect": 8901,
|
||||||
|
"incomingTcp": 8904,
|
||||||
|
"incomingTcpDeny": 8905,
|
||||||
|
"incomingTcpPermissive": 8907,
|
||||||
|
"outgoingUdp": 8908,
|
||||||
|
"incomingUdp": 8909,
|
||||||
|
"metrics": 8887,
|
||||||
|
"outgoing": 8889,
|
||||||
|
"outgoingDefaultEgress": 8894,
|
||||||
|
"outgoingGrpc": 8892,
|
||||||
|
"outgoingNotInKeyval": 8902,
|
||||||
|
"outgoingRedirect": 8900,
|
||||||
|
"outgoingTcp": 8906,
|
||||||
|
"plusApi": 8886,
|
||||||
|
"redirectHealthPort": 8895,
|
||||||
|
"redirectHealthPortHTTPS": 8896
|
||||||
|
},
|
||||||
|
"transparent": false
|
||||||
|
},
|
||||||
|
"registryKeyName": {{ if (include "docker-config-json" .) }}{{ include "registry-key-name" . | quote }}{{ else }}""{{ end }},
|
||||||
|
"sidecarImage": {
|
||||||
|
"image": {{ printf "%s/nginx-mesh-sidecar:%s" .Values.registry.server .Values.registry.imageTag | quote }},
|
||||||
|
"name": "nginx-mesh-sidecar"
|
||||||
|
},
|
||||||
|
"sidecarInitImage": {
|
||||||
|
"image": {{ printf "%s/nginx-mesh-init:%s" .Values.registry.server .Values.registry.imageTag | quote }},
|
||||||
|
"name": "nginx-mesh-init"
|
||||||
|
},
|
||||||
|
"tracing": {{if .Values.tracing }}{
|
||||||
|
"backend": {{ quote .Values.tracing.backend }},
|
||||||
|
"backendAddress": {{ include "tracing.address" . | quote }},
|
||||||
|
"isEnabled": {{ not .Values.tracing.disable }},
|
||||||
|
"sampleRate": {{ .Values.tracing.sampleRate }}
|
||||||
|
},{{ else }}{},{{ end }}
|
||||||
|
"telemetry": {{ if .Values.telemetry }}{
|
||||||
|
"exporters": {
|
||||||
|
"otlp": {
|
||||||
|
"host": {{ quote .Values.telemetry.exporters.otlp.host }},
|
||||||
|
"port": {{ .Values.telemetry.exporters.otlp.port }}
|
||||||
|
}
|
||||||
|
},
|
||||||
|
"samplerRatio": {{ .Values.telemetry.samplerRatio }}
|
||||||
|
},{{ else }}{},{{ end }}
|
||||||
|
"trustDomain": {{ quote .Values.mtls.trustDomain }}
|
||||||
|
}
|
|
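Review bot: Several scalar substitutions in this template are emitted bare — `{{ .Values.enableUDP }}` at `isUDPEnabled`, `{{ .Values.tracing.sampleRate }}`, `{{ .Values.telemetry.exporters.otlp.port }}` and `{{ .Values.telemetry.samplerRatio }}` — so an unset or empty value renders as `"key": ,` and the whole mesh-config becomes invalid JSON at install time instead of failing with a clear message. The `{{ if .Values.telemetry }}` guard only checks that the top-level map exists, which is exactly the shape the README asks Rancher users to create by hand in the YAML editor. Wrapping the nested fields with `required`, e.g. `"port": {{ required "telemetry.exporters.otlp.port must be set" .Values.telemetry.exporters.otlp.port }}`, turns silent corruption into a templating error, and `{{ .Values.enableUDP | default false }}` covers the boolean. Note also that `mtlsMode` duplicates `mtls.mode`; if one is kept only for compatibility, a template comment saying so would stop a later cleanup from removing the wrong one.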
@ -0,0 +1,8 @@
|
||||||
|
pid_file: "/var/run/nats/nats.pid"
|
||||||
|
http: 8222
|
||||||
|
tls: {
|
||||||
|
ca_file: "/etc/ssl/ca.crt"
|
||||||
|
cert_file: "/etc/ssl/tls.crt"
|
||||||
|
key_file: "/etc/ssl/tls.key"
|
||||||
|
verify: true
|
||||||
|
}
|
|
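Review bot: The `tls` block requires client certificates (`verify: true`), but the monitoring endpoint `http: 8222` is plain HTTP with no authentication and, given as a bare port, listens on all interfaces; NATS monitoring exposes connection and route details to anyone who can reach the pod. If the port exists only for health probes, document that a NetworkPolicy is expected to restrict it; if in-pod tooling is the only consumer, binding it to loopback (`http: "127.0.0.1:8222"`) removes the exposure. NATS also supports serving monitoring over TLS via `https` in place of `http`, which would be consistent with the rest of this file.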
@ -0,0 +1,72 @@
|
||||||
|
global:
|
||||||
|
scrape_interval: 10s
|
||||||
|
scrape_configs:
|
||||||
|
- job_name: 'nginx-mesh-sidecars'
|
||||||
|
kubernetes_sd_configs:
|
||||||
|
- role: pod
|
||||||
|
relabel_configs:
|
||||||
|
- source_labels: [__meta_kubernetes_pod_container_name]
|
||||||
|
action: keep
|
||||||
|
regex: nginx-mesh-sidecar
|
||||||
|
- action: labelmap
|
||||||
|
regex: __meta_kubernetes_pod_label_nsm_nginx_com_(.+)
|
||||||
|
- action: labeldrop
|
||||||
|
regex: __meta_kubernetes_pod_label_nsm_nginx_com_(.+)
|
||||||
|
- action: labelmap
|
||||||
|
regex: __meta_kubernetes_pod_label_(.+)
|
||||||
|
- source_labels: [__meta_kubernetes_namespace]
|
||||||
|
action: replace
|
||||||
|
target_label: namespace
|
||||||
|
- source_labels: [__meta_kubernetes_pod_name]
|
||||||
|
action: replace
|
||||||
|
target_label: pod
|
||||||
|
- job_name: 'nginx-plus-ingress'
|
||||||
|
kubernetes_sd_configs:
|
||||||
|
- role: pod
|
||||||
|
relabel_configs:
|
||||||
|
- source_labels: [__meta_kubernetes_pod_container_name]
|
||||||
|
action: keep
|
||||||
|
regex: nginx-plus-ingress
|
||||||
|
- source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_scrape]
|
||||||
|
action: keep
|
||||||
|
regex: true
|
||||||
|
- source_labels: [__address__, __meta_kubernetes_pod_annotation_prometheus_io_port]
|
||||||
|
action: replace
|
||||||
|
target_label: __address__
|
||||||
|
regex: (.+)(?::\d+);(\d+)
|
||||||
|
replacement: $1:$2
|
||||||
|
- source_labels: [__meta_kubernetes_namespace]
|
||||||
|
action: replace
|
||||||
|
target_label: namespace
|
||||||
|
- source_labels: [__meta_kubernetes_pod_name]
|
||||||
|
action: replace
|
||||||
|
target_label: pod
|
||||||
|
- action: labelmap
|
||||||
|
regex: __meta_kubernetes_pod_label_nsm_nginx_com_(.+)
|
||||||
|
- action: labeldrop
|
||||||
|
regex: __meta_kubernetes_pod_label_nsm_nginx_com_(.+)
|
||||||
|
- action: labelmap
|
||||||
|
regex: __meta_kubernetes_pod_label_(.+)
|
||||||
|
- action: labelmap
|
||||||
|
regex: __meta_kubernetes_pod_annotation_nsm_nginx_com_enable_(.+)
|
||||||
|
metric_relabel_configs:
|
||||||
|
- source_labels: [__name__]
|
||||||
|
regex: 'nginx_ingress_controller_upstream_server_response_latency_ms(.+)'
|
||||||
|
target_label: __name__
|
||||||
|
replacement: 'nginxplus_upstream_server_response_latency_ms$1'
|
||||||
|
- source_labels: [__name__]
|
||||||
|
regex: 'nginx_ingress_nginxplus(.+)'
|
||||||
|
target_label: __name__
|
||||||
|
replacement: 'nginxplus$1'
|
||||||
|
- source_labels: [service]
|
||||||
|
target_label: dst_service
|
||||||
|
- source_labels: [resource_namespace]
|
||||||
|
target_label: dst_namespace
|
||||||
|
- source_labels: [pod_owner]
|
||||||
|
regex: '(.+)\/(.+)'
|
||||||
|
target_label: dst_$1
|
||||||
|
replacement: $2
|
||||||
|
- action: labeldrop
|
||||||
|
regex: pod_owner
|
||||||
|
- source_labels: [pod_name]
|
||||||
|
target_label: dst_pod
|
|
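Review bot: `regex: true` in the `nginx-plus-ingress` job (the `prometheus.io/scrape` keep rule) is an unquoted YAML boolean fed to a string-typed field; it appears to work only because the Go YAML decoder coerces the scalar text into the string, and a stricter loader or a `yamllint` truthy rule will flag it. Quote it as `regex: "true"` so the intent (match the literal annotation text) is explicit. A second, non-blocking point: both jobs use `kubernetes_sd_configs` with `role: pod` and no `namespaces` selector, so the Prometheus service account needs cluster-wide pod list/watch; a one-line comment next to `scrape_configs` noting that RBAC requirement would help operators who restrict it.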
@ -0,0 +1,33 @@
|
||||||
|
agent {
|
||||||
|
data_dir = "/run/spire"
|
||||||
|
log_level = "DEBUG"
|
||||||
|
server_address = "spire-server"
|
||||||
|
server_port = "8081"
|
||||||
|
socket_path = "/run/spire/sockets/agent.sock"
|
||||||
|
trust_bundle_path = "/run/spire/bundle/bundle.crt"
|
||||||
|
trust_domain = {{ quote .Values.mtls.trustDomain }}
|
||||||
|
}
|
||||||
|
|
||||||
|
plugins {
|
||||||
|
NodeAttestor "k8s_psat" {
|
||||||
|
plugin_data {
|
||||||
|
cluster = "nginx-mesh"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
KeyManager "memory" {
|
||||||
|
plugin_data {
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
WorkloadAttestor "k8s" {
|
||||||
|
plugin_data {
|
||||||
|
skip_kubelet_verification = true
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
WorkloadAttestor "unix" {
|
||||||
|
plugin_data {
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
|
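Review bot: `skip_kubelet_verification = true` in the `WorkloadAttestor "k8s"` block disables TLS verification of the kubelet the agent queries for pod identity, so workload attestation trusts whatever answers on the kubelet port without proving it is the kubelet. That is a common concession where kubelet serving certificates are self-signed, but it is a silent weakening of the attestation chain and deserves a comment stating why it is on; SPIRE's k8s attestor also accepts a kubelet CA path (I believe `kubelet_ca_path`) that could be templated for clusters with properly issued kubelet certificates. `log_level = "DEBUG"` is hard-coded here as in the server and registrar configs while `trust_domain` is templated; a values knob for it would be consistent.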
@ -0,0 +1,72 @@
|
||||||
|
server {
|
||||||
|
bind_address = "0.0.0.0"
|
||||||
|
bind_port = "8081"
|
||||||
|
ca_key_type = {{ quote .Values.mtls.caKeyType }}
|
||||||
|
ca_ttl = {{ quote .Values.mtls.caTTL }}
|
||||||
|
data_dir = "/run/spire/data"
|
||||||
|
log_level = "DEBUG"
|
||||||
|
socket_path = "/run/spire/sockets/spire-registration.sock"
|
||||||
|
default_svid_ttl = {{ quote .Values.mtls.svidTTL }}
|
||||||
|
trust_domain = {{ quote .Values.mtls.trustDomain }}
|
||||||
|
ca_subject = {
|
||||||
|
country = ["US"],
|
||||||
|
organization = ["NGINX"],
|
||||||
|
common_name = "",
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
plugins {
|
||||||
|
DataStore "sql" {
|
||||||
|
plugin_data {
|
||||||
|
database_type = "sqlite3"
|
||||||
|
connection_string = "/run/spire/data/datastore.sqlite3"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
NodeAttestor "k8s_psat" {
|
||||||
|
plugin_data {
|
||||||
|
clusters = {
|
||||||
|
"nginx-mesh" = {
|
||||||
|
service_account_allow_list = [{{ printf "%s:spire-agent" .Release.Namespace | quote }}]
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
Notifier "k8sbundle" {
|
||||||
|
plugin_data {
|
||||||
|
namespace = {{ quote .Release.Namespace }}
|
||||||
|
webhook_label = "spiffe.io/webhook"
|
||||||
|
api_service_label = "spiffe.io/apiservice"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
KeyManager {{ quote .Values.mtls.spireServerKeyManager }} {
|
||||||
|
{{- if eq .Values.mtls.spireServerKeyManager "disk" }}
|
||||||
|
plugin_data {
|
||||||
|
keys_path = "/run/spire/data/keys.json"
|
||||||
|
}
|
||||||
|
{{- end }}
|
||||||
|
}
|
||||||
|
|
||||||
|
{{ if .Values.mtls.upstreamAuthority.awsPCA }}
|
||||||
|
{{ tpl (.Files.Get "configs/upstreamAuthority/aws-pca-ua.conf") . }}
|
||||||
|
{{ else if .Values.mtls.upstreamAuthority.awsSecret }}
|
||||||
|
{{ tpl (.Files.Get "configs/upstreamAuthority/aws-secret-ua.conf") . }}
|
||||||
|
{{ else if .Values.mtls.upstreamAuthority.disk }}
|
||||||
|
{{ tpl (.Files.Get "configs/upstreamAuthority/disk-ua.conf") . }}
|
||||||
|
{{ else if .Values.mtls.upstreamAuthority.vault }}
|
||||||
|
{{ tpl (.Files.Get "configs/upstreamAuthority/vault-ua.conf") . }}
|
||||||
|
{{ else if .Values.mtls.upstreamAuthority.certManager }}
|
||||||
|
{{ tpl (.Files.Get "configs/upstreamAuthority/cert-manager-ua.conf") . }}
|
||||||
|
{{ end }}
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
health_checks {
|
||||||
|
listener_enabled = true
|
||||||
|
bind_address = "0.0.0.0"
|
||||||
|
bind_port = "8082"
|
||||||
|
live_path = "/live"
|
||||||
|
ready_path = "/ready"
|
||||||
|
}
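Review bot: `log_level = "DEBUG"` in the `server` block is a hard-coded literal, so a release of this chart always runs the SPIRE server with debug logging and operators cannot lower it without editing the template (the agent config above has the same literal). Debug output from the server is verbose and includes registration and attestation detail that does not belong in routine logs of the mesh CA. Suggest sourcing it from a chart value with a conservative default, along the lines of `log_level = {{ quote (default "INFO" .Values.mtls.spireLogLevel) }}`, where the value name is a placeholder to be chosen and documented in values.yaml.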
|
|
@ -0,0 +1,3 @@
|
||||||
|
[default]
|
||||||
|
aws_access_key_id = {{ .Values.mtls.upstreamAuthority.awsPCA.awsAccessKeyID }}
|
||||||
|
aws_secret_access_key = {{ .Values.mtls.upstreamAuthority.awsPCA.awsSecretAccessKey }}
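Review bot: `aws_access_key_id` and `aws_secret_access_key` are rendered from plain chart values, which means a long-lived static key pair is kept in the release's stored values and is returned by `helm get values`. The aws_pca hunk below already supports `assume_role_arn`, so the chart can run on an ambient role (for example a node or pod identity) without static keys; it would help to document that path as the preferred one and this credentials file as the fallback. Both expansions are also unguarded, so when the values are unset the file renders with empty assignments rather than being omitted — wrapping each line in `{{- if ... }}` as the other templates do would avoid that.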
|
|
@ -0,0 +1,16 @@
|
||||||
|
UpstreamAuthority "aws_pca" {
|
||||||
|
plugin_data {
|
||||||
|
region = {{ quote .Values.mtls.upstreamAuthority.awsPCA.region }}
|
||||||
|
certificate_authority_arn = {{ quote .Values.mtls.upstreamAuthority.awsPCA.certificateAuthorityArn }}
|
||||||
|
{{- if .Values.mtls.upstreamAuthority.awsPCA.caSigningTemplateArn }}
|
||||||
|
ca_signing_template_arn = {{ quote .Values.mtls.upstreamAuthority.awsPCA.caSigningTemplateArn }}{{ end }}
|
||||||
|
{{- if .Values.mtls.upstreamAuthority.awsPCA.signingAlgorithm }}
|
||||||
|
signing_algorithm = {{ quote .Values.mtls.upstreamAuthority.awsPCA.signingAlgorithm }}{{ end }}
|
||||||
|
{{- if .Values.mtls.upstreamAuthority.awsPCA.assumeRoleArn }}
|
||||||
|
assume_role_arn = {{ quote .Values.mtls.upstreamAuthority.awsPCA.assumeRoleArn }}{{end}}
|
||||||
|
{{- if .Values.mtls.upstreamAuthority.awsPCA.endpoint }}
|
||||||
|
endpoint = {{ quote .Values.mtls.upstreamAuthority.awsPCA.endpoint }}{{end}}
|
||||||
|
{{- if .Values.mtls.upstreamAuthority.awsPCA.supplementalBundlePath }}
|
||||||
|
supplemental_bundle_path = "/run/spire/config/upstreamBundle.crt"{{end}}
|
||||||
|
}
|
||||||
|
}
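Review bot: `region` and `certificate_authority_arn` are mandatory for this plugin yet are rendered with a bare `quote`, so a chart installed without them produces `""` and the failure surfaces only when SPIRE server starts, not at `helm install`; `{{ required "mtls.upstreamAuthority.awsPCA.certificateAuthorityArn is required" .Values.mtls.upstreamAuthority.awsPCA.certificateAuthorityArn | quote }}` fails fast with a readable message. The same applies to `region`, `cert_file_arn` and `key_file_arn` in the awssecret template, `namespace` and `issuer_name` in the cert-manager template, and `vault_addr` in the vault template. As a style point, the closing tags alternate between `{{ end }}` and `{{end}}` (the `assume_role_arn`, `endpoint` and `supplemental_bundle_path` lines); pick the spaced form used elsewhere in the chart.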
|
|
@ -0,0 +1,15 @@
|
||||||
|
UpstreamAuthority "awssecret" {
|
||||||
|
plugin_data {
|
||||||
|
region = {{ quote .Values.mtls.upstreamAuthority.awsSecret.region }}
|
||||||
|
cert_file_arn = {{ quote .Values.mtls.upstreamAuthority.awsSecret.certFileArn }}
|
||||||
|
key_file_arn = {{ quote .Values.mtls.upstreamAuthority.awsSecret.keyFileArn }}
|
||||||
|
{{- if .Values.mtls.upstreamAuthority.awsSecret.awsAccessKeyID }}
|
||||||
|
access_key_id = {{ quote .Values.mtls.upstreamAuthority.awsSecret.awsAccessKeyID }}{{ end }}
|
||||||
|
{{- if .Values.mtls.upstreamAuthority.awsSecret.awsSecretAccessKey }}
|
||||||
|
secret_access_key = {{ quote .Values.mtls.upstreamAuthority.awsSecret.awsSecretAccessKey }}{{ end }}
|
||||||
|
{{- if .Values.mtls.upstreamAuthority.awsSecret.awsSecretToken }}
|
||||||
|
secret_token = {{ quote .Values.mtls.upstreamAuthority.awsSecret.awsSecretToken }}{{ end }}
|
||||||
|
{{- if .Values.mtls.upstreamAuthority.awsSecret.assumeRoleArn }}
|
||||||
|
assume_role_arn = {{ quote .Values.mtls.upstreamAuthority.awsSecret.assumeRoleArn }}{{ end }}
|
||||||
|
}
|
||||||
|
}
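Review bot: `access_key_id`, `secret_access_key` and `secret_token` place AWS credentials directly into the rendered SPIRE server configuration, and the chart gives no indication of whether that configuration is mounted from a Secret or a ConfigMap — if it is a ConfigMap, the credentials are readable by anyone with ConfigMap access in the namespace, a weaker boundary than Secrets. The plugin also accepts `assume_role_arn`, so an ambient role is already an option here; documenting the static fields as optional and adding a template comment such as `{{- /* static AWS credentials; prefer an ambient role via assume_role_arn */ -}}` would steer users toward the safer path. The enclosing `server {}` block that includes this file starts and ends in the server.conf hunk above.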
|
|
@ -0,0 +1,12 @@
|
||||||
|
UpstreamAuthority "cert-manager" {
|
||||||
|
plugin_data {
|
||||||
|
namespace = {{ quote .Values.mtls.upstreamAuthority.certManager.namespace }}
|
||||||
|
issuer_name = {{ quote .Values.mtls.upstreamAuthority.certManager.issuerName }}
|
||||||
|
{{- if .Values.mtls.upstreamAuthority.certManager.issuerKind }}
|
||||||
|
issuer_kind = {{ quote .Values.mtls.upstreamAuthority.certManager.issuerKind }}{{ end }}
|
||||||
|
{{- if .Values.mtls.upstreamAuthority.certManager.issuerGroup }}
|
||||||
|
issuer_group = {{ quote .Values.mtls.upstreamAuthority.certManager.issuerGroup }}{{ end }}
|
||||||
|
{{- if .Values.mtls.upstreamAuthority.certManager.kubeConfig }}
|
||||||
|
kube_config_file = "/run/spire/secrets/cert-manager-kubeconfig"{{ end }}
|
||||||
|
}
|
||||||
|
}
|
|
@ -0,0 +1,8 @@
|
||||||
|
UpstreamAuthority "disk" {
|
||||||
|
plugin_data {
|
||||||
|
cert_file_path = "/run/spire/config/upstreamCA.crt"
|
||||||
|
key_file_path = "/run/spire/secrets/upstreamCA.key"
|
||||||
|
{{- if .Values.mtls.upstreamAuthority.disk.bundle }}
|
||||||
|
bundle_file_path = "/run/spire/config/upstreamBundle.crt"{{ end }}
|
||||||
|
}
|
||||||
|
}
|
|
@ -0,0 +1,28 @@
|
||||||
|
UpstreamAuthority "vault" {
|
||||||
|
plugin_data {
|
||||||
|
vault_addr = {{ quote .Values.mtls.upstreamAuthority.vault.vaultAddr }}
|
||||||
|
namespace = {{ quote .Values.mtls.upstreamAuthority.vault.namespace }}
|
||||||
|
ca_cert_path = "/run/spire/config/upstreamCA.crt"
|
||||||
|
{{- if .Values.mtls.upstreamAuthority.vault.pkiMountPoint }}
|
||||||
|
pki_mount_path = {{ quote .Values.mtls.upstreamAuthority.vault.pkiMountPoint }}{{ end }}
|
||||||
|
{{- if .Values.mtls.upstreamAuthority.vault.insecureSkipVerify }}
|
||||||
|
insecure_skip_verify = {{ .Values.mtls.upstreamAuthority.vault.insecureSkipVerify }}{{ end }}
|
||||||
|
{{- if .Values.mtls.upstreamAuthority.vault.certAuth}}
|
||||||
|
cert_auth = {
|
||||||
|
client_cert_path = "/run/spire/config/upstreamClient.crt"
|
||||||
|
client_key_path = "/run/spire/secrets/upstreamClient.key"
|
||||||
|
{{- if .Values.mtls.upstreamAuthority.vault.certAuth.certAuthRoleName }}
|
||||||
|
cert_auth_role_name = {{ quote .Values.mtls.upstreamAuthority.vault.certAuth.certAuthRoleName }}{{ end }}
|
||||||
|
{{- if .Values.mtls.upstreamAuthority.vault.certAuth.certAuthMountPoint }}
|
||||||
|
cert_auth_mount_point = {{ quote .Values.mtls.upstreamAuthority.vault.certAuth.certAuthMountPoint }}{{ end }}
|
||||||
|
}{{ end }}
|
||||||
|
{{- if .Values.mtls.upstreamAuthority.vault.tokenAuth }}
|
||||||
|
token_auth = {}{{ end }}
|
||||||
|
{{- if .Values.mtls.upstreamAuthority.vault.approleAuth }}
|
||||||
|
approle_auth = {
|
||||||
|
approle_id = {{ quote .Values.mtls.upstreamAuthority.vault.approleAuth.approleID }}
|
||||||
|
{{- if .Values.mtls.upstreamAuthority.vault.approleAuth.approleAuthMountPoint }}
|
||||||
|
approle_auth_mount_point = {{ quote .Values.mtls.upstreamAuthority.vault.approleAuth.approleAuthMountPoint }}{{ end }}
|
||||||
|
}{{ end }}
|
||||||
|
}
|
||||||
|
}
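Review bot: `insecure_skip_verify` is passed straight through to the plugin, and nothing in the template signals that it disables certificate verification of the Vault endpoint that signs the mesh's intermediate CA; a short comment above the guard, `{{- /* insecureSkipVerify disables TLS verification of vault_addr; intended for test environments only */ -}}`, makes the trade-off visible to whoever edits values.yaml. The `approle_auth` block renders `approle_id` but no secret id, so presumably that is supplied out of band (environment variable or mounted file) — worth stating in a comment so the omission is not read as a bug. Style: `{{- if .Values.mtls.upstreamAuthority.vault.certAuth}}` is missing the space before `}}` that every other tag in this file has.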
|
|
@ -0,0 +1,78 @@
|
||||||
|
---
|
||||||
|
apiVersion: apiextensions.k8s.io/v1
|
||||||
|
kind: CustomResourceDefinition
|
||||||
|
metadata:
|
||||||
|
name: circuitbreakers.specs.smi.nginx.com
|
||||||
|
labels:
|
||||||
|
app.kubernetes.io/part-of: nginx-service-mesh
|
||||||
|
spec:
|
||||||
|
group: specs.smi.nginx.com
|
||||||
|
scope: Namespaced
|
||||||
|
names:
|
||||||
|
kind: CircuitBreaker
|
||||||
|
listKind: CircuitBreakerList
|
||||||
|
shortNames:
|
||||||
|
- cb
|
||||||
|
plural: circuitbreakers
|
||||||
|
singular: circuitbreaker
|
||||||
|
versions:
|
||||||
|
- name: v1alpha1
|
||||||
|
served: true
|
||||||
|
storage: true
|
||||||
|
schema:
|
||||||
|
openAPIV3Schema:
|
||||||
|
type: object
|
||||||
|
required:
|
||||||
|
- spec
|
||||||
|
properties:
|
||||||
|
spec:
|
||||||
|
description: Specifications of this circuit breaker.
|
||||||
|
type: object
|
||||||
|
required:
|
||||||
|
- destination
|
||||||
|
- errors
|
||||||
|
- timeoutSeconds
|
||||||
|
properties:
|
||||||
|
destination:
|
||||||
|
description: The destination of this circuit breaker.
|
||||||
|
type: object
|
||||||
|
required:
|
||||||
|
- name
|
||||||
|
- kind
|
||||||
|
properties:
|
||||||
|
kind:
|
||||||
|
description: Kind of the destination.
|
||||||
|
type: string
|
||||||
|
enum:
|
||||||
|
- Service
|
||||||
|
name:
|
||||||
|
description: Name of the destination.
|
||||||
|
type: string
|
||||||
|
minLength: 1
|
||||||
|
namespace:
|
||||||
|
description: Namespace of the destination.
|
||||||
|
type: string
|
||||||
|
errors:
|
||||||
|
description: The number of errors allowed within the timeout before
|
||||||
|
tripping the circuit.
|
||||||
|
type: integer
|
||||||
|
minimum: 0
|
||||||
|
timeoutSeconds:
|
||||||
|
description: The timeout window for errors to occur, and the amount
|
||||||
|
of time to wait before closing the circuit.
|
||||||
|
type: integer
|
||||||
|
minimum: 0
|
||||||
|
fallback:
|
||||||
|
description: The fallback Service to send traffic to when the circuit
|
||||||
|
is tripped.
|
||||||
|
type: object
|
||||||
|
properties:
|
||||||
|
service:
|
||||||
|
description: The fallback Service to send traffic to when the
|
||||||
|
circuit is tripped.
|
||||||
|
type: string
|
||||||
|
port:
|
||||||
|
description: The port of the fallback Service.
|
||||||
|
type: integer
|
||||||
|
minimum: 0
|
||||||
|
maximum: 65535
|
|
@ -0,0 +1,68 @@
|
||||||
|
---
|
||||||
|
apiVersion: apiextensions.k8s.io/v1
|
||||||
|
kind: CustomResourceDefinition
|
||||||
|
metadata:
|
||||||
|
name: httproutegroups.specs.smi-spec.io
|
||||||
|
labels:
|
||||||
|
app.kubernetes.io/part-of: nginx-service-mesh
|
||||||
|
spec:
|
||||||
|
group: specs.smi-spec.io
|
||||||
|
scope: Namespaced
|
||||||
|
names:
|
||||||
|
kind: HTTPRouteGroup
|
||||||
|
shortNames:
|
||||||
|
- htr
|
||||||
|
plural: httproutegroups
|
||||||
|
singular: httproutegroup
|
||||||
|
versions:
|
||||||
|
- name: v1alpha3
|
||||||
|
served: true
|
||||||
|
storage: true
|
||||||
|
schema:
|
||||||
|
openAPIV3Schema:
|
||||||
|
type: object
|
||||||
|
properties:
|
||||||
|
spec:
|
||||||
|
type: object
|
||||||
|
required:
|
||||||
|
- matches
|
||||||
|
properties:
|
||||||
|
matches:
|
||||||
|
description: Match conditions of this route group.
|
||||||
|
type: array
|
||||||
|
items:
|
||||||
|
type: object
|
||||||
|
required:
|
||||||
|
- name
|
||||||
|
properties:
|
||||||
|
name:
|
||||||
|
description: Name of the HTTP route.
|
||||||
|
type: string
|
||||||
|
pathRegex:
|
||||||
|
description: URI path regex of the HTTP route.
|
||||||
|
type: string
|
||||||
|
methods:
|
||||||
|
description: The HTTP methods of this HTTP route.
|
||||||
|
type: array
|
||||||
|
items:
|
||||||
|
type: string
|
||||||
|
description: The HTTP method of this HTTP route.
|
||||||
|
enum:
|
||||||
|
- "*"
|
||||||
|
- GET
|
||||||
|
- HEAD
|
||||||
|
- PUT
|
||||||
|
- POST
|
||||||
|
- DELETE
|
||||||
|
- CONNECT
|
||||||
|
- OPTIONS
|
||||||
|
- TRACE
|
||||||
|
- PATCH
|
||||||
|
headers:
|
||||||
|
description: Header match conditions of this route.
|
||||||
|
type: array
|
||||||
|
items:
|
||||||
|
description: Header match condition of this route.
|
||||||
|
type: object
|
||||||
|
additionalProperties:
|
||||||
|
type: string
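Review bot: The top-level `openAPIV3Schema` here declares `properties.spec` but does not list `spec` under `required`, unlike the CircuitBreaker CRD earlier in this commit, so an HTTPRouteGroup with no `spec` at all is accepted by the API server and only fails later in the controller. The RateLimit (both versions), TrafficSplit and TrafficTarget CRDs have the same gap; adding `required:` / `  - spec` next to the top-level `type: object` in each brings them in line. Separately, `pathRegex` and the `headers` values are user-supplied regular expressions with no `maxLength`, so a modest bound would cap what the data plane has to compile per route.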
|
|
@ -0,0 +1,175 @@
|
||||||
|
---
|
||||||
|
apiVersion: apiextensions.k8s.io/v1
|
||||||
|
kind: CustomResourceDefinition
|
||||||
|
metadata:
|
||||||
|
name: ratelimits.specs.smi.nginx.com
|
||||||
|
labels:
|
||||||
|
app.kubernetes.io/part-of: nginx-service-mesh
|
||||||
|
spec:
|
||||||
|
group: specs.smi.nginx.com
|
||||||
|
scope: Namespaced
|
||||||
|
names:
|
||||||
|
kind: RateLimit
|
||||||
|
listKind: RateLimitList
|
||||||
|
shortNames:
|
||||||
|
- rl
|
||||||
|
plural: ratelimits
|
||||||
|
singular: ratelimit
|
||||||
|
versions:
|
||||||
|
- name: v1alpha1
|
||||||
|
served: true
|
||||||
|
storage: false
|
||||||
|
schema:
|
||||||
|
openAPIV3Schema:
|
||||||
|
type: object
|
||||||
|
properties:
|
||||||
|
spec:
|
||||||
|
type: object
|
||||||
|
required:
|
||||||
|
- name
|
||||||
|
- destination
|
||||||
|
- rate
|
||||||
|
properties:
|
||||||
|
destination:
|
||||||
|
description: The destination of this rate limit.
|
||||||
|
type: object
|
||||||
|
required:
|
||||||
|
- name
|
||||||
|
- kind
|
||||||
|
properties:
|
||||||
|
kind:
|
||||||
|
description: Kind of the destination.
|
||||||
|
type: string
|
||||||
|
minLength: 1
|
||||||
|
name:
|
||||||
|
description: Name of the destination.
|
||||||
|
type: string
|
||||||
|
minLength: 1
|
||||||
|
namespace:
|
||||||
|
description: Namespace of the destination.
|
||||||
|
type: string
|
||||||
|
sources:
|
||||||
|
description: Sources of this rate limit.
|
||||||
|
type: array
|
||||||
|
items:
|
||||||
|
type: object
|
||||||
|
required:
|
||||||
|
- name
|
||||||
|
- kind
|
||||||
|
properties:
|
||||||
|
kind:
|
||||||
|
description: Kind of this source.
|
||||||
|
type: string
|
||||||
|
minLength: 1
|
||||||
|
name:
|
||||||
|
description: Name of this source.
|
||||||
|
type: string
|
||||||
|
minLength: 1
|
||||||
|
namespace:
|
||||||
|
description: Namespace of this source.
|
||||||
|
type: string
|
||||||
|
name:
|
||||||
|
description: Name of this rate limit spec.
|
||||||
|
type: string
|
||||||
|
minLength: 1
|
||||||
|
rate:
|
||||||
|
description: The allowed rate of traffic.
|
||||||
|
type: string
|
||||||
|
pattern: "^[0-9]+r/[s,m]$"
|
||||||
|
burst:
|
||||||
|
description: The number of requests to allow beyond the given rate.
|
||||||
|
type: integer
|
||||||
|
minimum: 0
|
||||||
|
delay:
|
||||||
|
description: The number of requests after which to delay requests.
|
||||||
|
x-kubernetes-int-or-string: true
|
||||||
|
- name: v1alpha2
|
||||||
|
served: true
|
||||||
|
storage: true
|
||||||
|
schema:
|
||||||
|
openAPIV3Schema:
|
||||||
|
type: object
|
||||||
|
properties:
|
||||||
|
spec:
|
||||||
|
type: object
|
||||||
|
required:
|
||||||
|
- name
|
||||||
|
- destination
|
||||||
|
- rate
|
||||||
|
properties:
|
||||||
|
destination:
|
||||||
|
description: The destination of this rate limit.
|
||||||
|
type: object
|
||||||
|
required:
|
||||||
|
- name
|
||||||
|
- kind
|
||||||
|
properties:
|
||||||
|
kind:
|
||||||
|
description: Kind of the destination.
|
||||||
|
type: string
|
||||||
|
minLength: 1
|
||||||
|
name:
|
||||||
|
description: Name of the destination.
|
||||||
|
type: string
|
||||||
|
minLength: 1
|
||||||
|
namespace:
|
||||||
|
description: Namespace of the destination.
|
||||||
|
type: string
|
||||||
|
sources:
|
||||||
|
description: Sources of this rate limit.
|
||||||
|
type: array
|
||||||
|
items:
|
||||||
|
type: object
|
||||||
|
required:
|
||||||
|
- name
|
||||||
|
- kind
|
||||||
|
properties:
|
||||||
|
kind:
|
||||||
|
description: Kind of this source.
|
||||||
|
type: string
|
||||||
|
minLength: 1
|
||||||
|
name:
|
||||||
|
description: Name of this source.
|
||||||
|
type: string
|
||||||
|
minLength: 1
|
||||||
|
namespace:
|
||||||
|
description: Namespace of this source.
|
||||||
|
type: string
|
||||||
|
name:
|
||||||
|
description: Name of this rate limit spec.
|
||||||
|
type: string
|
||||||
|
minLength: 1
|
||||||
|
rate:
|
||||||
|
description: The allowed rate of traffic.
|
||||||
|
type: string
|
||||||
|
pattern: "^[0-9]+r/[s,m]$"
|
||||||
|
burst:
|
||||||
|
description: The number of requests to allow beyond the given rate.
|
||||||
|
type: integer
|
||||||
|
minimum: 0
|
||||||
|
delay:
|
||||||
|
description: The number of requests after which to delay requests.
|
||||||
|
x-kubernetes-int-or-string: true
|
||||||
|
rules:
|
||||||
|
description: Routing rules of this rate limit.
|
||||||
|
type: array
|
||||||
|
items:
|
||||||
|
type: object
|
||||||
|
required:
|
||||||
|
- name
|
||||||
|
- kind
|
||||||
|
properties:
|
||||||
|
kind:
|
||||||
|
description: Kind of this routing rule.
|
||||||
|
type: string
|
||||||
|
enum:
|
||||||
|
- HTTPRouteGroup
|
||||||
|
name:
|
||||||
|
description: Name of this routing rule.
|
||||||
|
type: string
|
||||||
|
minLength: 1
|
||||||
|
matches:
|
||||||
|
description: Match conditions of this routing rule.
|
||||||
|
type: array
|
||||||
|
items:
|
||||||
|
type: string
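Review bot: The `rate` pattern `"^[0-9]+r/[s,m]$"` uses a character class, so the comma is a third accepted character rather than a separator — `10r/,` passes validation even though only `s` and `m` are meaningful units. The fix is `pattern: "^[0-9]+r/[sm]$"`, and it is needed in both the v1alpha1 and v1alpha2 schemas of this CRD. Consider also `minimum: 1` or a description note for a rate of `0r/s` if that value is not meaningful to the controller.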
|
|
@ -0,0 +1,107 @@
|
||||||
|
---
|
||||||
|
apiVersion: apiextensions.k8s.io/v1
|
||||||
|
kind: CustomResourceDefinition
|
||||||
|
metadata:
|
||||||
|
name: spiffeids.spiffeid.spiffe.io
|
||||||
|
labels:
|
||||||
|
app.kubernetes.io/part-of: nginx-service-mesh
|
||||||
|
spec:
|
||||||
|
group: spiffeid.spiffe.io
|
||||||
|
names:
|
||||||
|
kind: SpiffeID
|
||||||
|
listKind: SpiffeIDList
|
||||||
|
plural: spiffeids
|
||||||
|
singular: spiffeid
|
||||||
|
scope: Namespaced
|
||||||
|
versions:
|
||||||
|
- name: v1beta1
|
||||||
|
served: true
|
||||||
|
storage: true
|
||||||
|
subresources:
|
||||||
|
status: {}
|
||||||
|
schema:
|
||||||
|
openAPIV3Schema:
|
||||||
|
description: SpiffeID is the Schema for the spiffeid API
|
||||||
|
properties:
|
||||||
|
apiVersion:
|
||||||
|
description: 'APIVersion defines the versioned schema of this representation
|
||||||
|
of an object. Servers should convert recognized schemas to the latest
|
||||||
|
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
|
||||||
|
type: string
|
||||||
|
kind:
|
||||||
|
description: 'Kind is a string value representing the REST resource this
|
||||||
|
object represents. Servers may infer this from the endpoint the client
|
||||||
|
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
|
||||||
|
type: string
|
||||||
|
metadata:
|
||||||
|
type: object
|
||||||
|
spec:
|
||||||
|
description: SpiffeIDSpec defines the desired state of SpiffeID
|
||||||
|
properties:
|
||||||
|
dnsNames:
|
||||||
|
items:
|
||||||
|
type: string
|
||||||
|
type: array
|
||||||
|
federatesWith:
|
||||||
|
items:
|
||||||
|
type: string
|
||||||
|
type: array
|
||||||
|
parentId:
|
||||||
|
type: string
|
||||||
|
selector:
|
||||||
|
properties:
|
||||||
|
arbitrary:
|
||||||
|
description: Arbitrary selectors
|
||||||
|
items:
|
||||||
|
type: string
|
||||||
|
type: array
|
||||||
|
containerImage:
|
||||||
|
description: Container image to match for this spiffe ID
|
||||||
|
type: string
|
||||||
|
containerName:
|
||||||
|
description: Container name to match for this spiffe ID
|
||||||
|
type: string
|
||||||
|
namespace:
|
||||||
|
description: Namespace to match for this spiffe ID
|
||||||
|
type: string
|
||||||
|
nodeName:
|
||||||
|
description: Node name to match for this spiffe ID
|
||||||
|
type: string
|
||||||
|
podLabel:
|
||||||
|
additionalProperties:
|
||||||
|
type: string
|
||||||
|
description: Pod label name/value to match for this spiffe ID
|
||||||
|
type: object
|
||||||
|
podName:
|
||||||
|
description: Pod name to match for this spiffe ID
|
||||||
|
type: string
|
||||||
|
podUid:
|
||||||
|
description: Pod UID to match for this spiffe ID
|
||||||
|
type: string
|
||||||
|
serviceAccount:
|
||||||
|
description: ServiceAccount to match for this spiffe ID
|
||||||
|
type: string
|
||||||
|
cluster:
|
||||||
|
description: The k8s_psat cluster name
|
||||||
|
type: string
|
||||||
|
agent_node_uid:
|
||||||
|
description: UID of the node
|
||||||
|
type: string
|
||||||
|
type: object
|
||||||
|
spiffeId:
|
||||||
|
type: string
|
||||||
|
required:
|
||||||
|
- parentId
|
||||||
|
- selector
|
||||||
|
- spiffeId
|
||||||
|
type: object
|
||||||
|
status:
|
||||||
|
description: SpiffeIDStatus defines the observed state of SpiffeID
|
||||||
|
properties:
|
||||||
|
entryId:
|
||||||
|
description: 'INSERT ADDITIONAL STATUS FIELD - define observed state
|
||||||
|
of cluster Important: Run "make" to regenerate code after modifying
|
||||||
|
this file'
|
||||||
|
type: string
|
||||||
|
type: object
|
||||||
|
type: object
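Review bot: `status.properties.entryId.description` still carries the kubebuilder scaffold text (`'INSERT ADDITIONAL STATUS FIELD - define observed state of cluster Important: Run "make" to regenerate code after modifying this file'`), which will be shown verbatim by `kubectl explain`. Replace it with a one-line description of the field; from the name it presumably holds the SPIRE registration entry id created for this resource, so something like `description: ID of the SPIRE registration entry created for this SpiffeID` — confirm against the registrar. The selector keys are camelCase except `agent_node_uid`; if that name is fixed by the upstream registrar, a description noting so would pre-empt the obvious rename.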
|
|
@ -0,0 +1,23 @@
|
||||||
|
---
|
||||||
|
apiVersion: apiextensions.k8s.io/v1
|
||||||
|
kind: CustomResourceDefinition
|
||||||
|
metadata:
|
||||||
|
name: tcproutes.specs.smi-spec.io
|
||||||
|
labels:
|
||||||
|
app.kubernetes.io/part-of: nginx-service-mesh
|
||||||
|
spec:
|
||||||
|
group: specs.smi-spec.io
|
||||||
|
scope: Namespaced
|
||||||
|
names:
|
||||||
|
kind: TCPRoute
|
||||||
|
shortNames:
|
||||||
|
- tr
|
||||||
|
plural: tcproutes
|
||||||
|
singular: tcproute
|
||||||
|
versions:
|
||||||
|
- name: v1alpha3
|
||||||
|
served: true
|
||||||
|
storage: true
|
||||||
|
schema:
|
||||||
|
openAPIV3Schema:
|
||||||
|
type: object
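Review bot: The TCPRoute schema is a bare `type: object` with no `properties`, and apiextensions.k8s.io/v1 prunes fields that are not described by the structural schema, so any `spec` a user submits on a TCPRoute is silently dropped by the API server. If TCPRoute is intended to be a metadata-only marker referenced from TrafficTarget, that is worth a `description:` saying so; otherwise declare the `spec` fields the controller reads, or add `x-kubernetes-preserve-unknown-fields: true` under `openAPIV3Schema` as a stopgap. Every other CRD in this commit declares its `spec`, so the omission looks deliberate but is undocumented.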
|
|
@ -0,0 +1,72 @@
|
||||||
|
---
|
||||||
|
apiVersion: apiextensions.k8s.io/v1
|
||||||
|
kind: CustomResourceDefinition
|
||||||
|
metadata:
|
||||||
|
name: trafficsplits.split.smi-spec.io
|
||||||
|
labels:
|
||||||
|
app.kubernetes.io/part-of: nginx-service-mesh
|
||||||
|
spec:
|
||||||
|
group: split.smi-spec.io
|
||||||
|
scope: Namespaced
|
||||||
|
names:
|
||||||
|
kind: TrafficSplit
|
||||||
|
listKind: TrafficSplitList
|
||||||
|
shortNames:
|
||||||
|
- ts
|
||||||
|
plural: trafficsplits
|
||||||
|
singular: trafficsplit
|
||||||
|
versions:
|
||||||
|
- name: v1alpha3
|
||||||
|
served: true
|
||||||
|
storage: true
|
||||||
|
additionalPrinterColumns:
|
||||||
|
- name: Service
|
||||||
|
type: string
|
||||||
|
description: The apex service of this split.
|
||||||
|
jsonPath: .spec.service
|
||||||
|
schema:
|
||||||
|
openAPIV3Schema:
|
||||||
|
type: object
|
||||||
|
properties:
|
||||||
|
spec:
|
||||||
|
type: object
|
||||||
|
required:
|
||||||
|
- service
|
||||||
|
- backends
|
||||||
|
properties:
|
||||||
|
service:
|
||||||
|
description: The apex service of this split.
|
||||||
|
type: string
|
||||||
|
matches:
|
||||||
|
description: The HTTP route groups that this traffic split should
|
||||||
|
match.
|
||||||
|
type: array
|
||||||
|
items:
|
||||||
|
type: object
|
||||||
|
required:
|
||||||
|
- kind
|
||||||
|
- name
|
||||||
|
properties:
|
||||||
|
kind:
|
||||||
|
description: Kind of the matching group.
|
||||||
|
type: string
|
||||||
|
enum:
|
||||||
|
- HTTPRouteGroup
|
||||||
|
name:
|
||||||
|
description: Name of the matching group.
|
||||||
|
type: string
|
||||||
|
backends:
|
||||||
|
description: The backend services of this split.
|
||||||
|
type: array
|
||||||
|
items:
|
||||||
|
type: object
|
||||||
|
required:
|
||||||
|
- service
|
||||||
|
- weight
|
||||||
|
properties:
|
||||||
|
service:
|
||||||
|
description: Name of the Kubernetes service.
|
||||||
|
type: string
|
||||||
|
weight:
|
||||||
|
description: Traffic weight value of this backend.
|
||||||
|
type: number
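Review bot: `backends[].weight` is declared `type: number` with no lower bound, so negative and fractional weights pass admission and are left for the controller to reject or misinterpret. Adding `minimum: 0` under `weight` closes the obvious case; if weights are meant to be whole numbers, `type: integer` would match the spec more tightly. `backends` itself would also benefit from `minItems: 1`, since a split with no backends is required by the schema but has nothing to route to.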
|
|
@ -0,0 +1,92 @@
|
||||||
|
---
|
||||||
|
apiVersion: apiextensions.k8s.io/v1
|
||||||
|
kind: CustomResourceDefinition
|
||||||
|
metadata:
|
||||||
|
name: traffictargets.access.smi-spec.io
|
||||||
|
labels:
|
||||||
|
app.kubernetes.io/part-of: nginx-service-mesh
|
||||||
|
spec:
|
||||||
|
group: access.smi-spec.io
|
||||||
|
scope: Namespaced
|
||||||
|
names:
|
||||||
|
kind: TrafficTarget
|
||||||
|
shortNames:
|
||||||
|
- tt
|
||||||
|
plural: traffictargets
|
||||||
|
singular: traffictarget
|
||||||
|
versions:
|
||||||
|
- name: v1alpha2
|
||||||
|
served: true
|
||||||
|
storage: true
|
||||||
|
schema:
|
||||||
|
openAPIV3Schema:
|
||||||
|
type: object
|
||||||
|
properties:
|
||||||
|
spec:
|
||||||
|
type: object
|
||||||
|
required:
|
||||||
|
- destination
|
||||||
|
properties:
|
||||||
|
destination:
|
||||||
|
description: The destination of this traffic target.
|
||||||
|
type: object
|
||||||
|
required:
|
||||||
|
- name
|
||||||
|
- kind
|
||||||
|
properties:
|
||||||
|
kind:
|
||||||
|
description: Kind of the destination.
|
||||||
|
type: string
|
||||||
|
name:
|
||||||
|
description: Name of the destination.
|
||||||
|
type: string
|
||||||
|
namespace:
|
||||||
|
description: Namespace of the destination.
|
||||||
|
type: string
|
||||||
|
port:
|
||||||
|
description: Port number of the destination.
|
||||||
|
type: number
|
||||||
|
rules:
|
||||||
|
description: Specifications of this traffic target.
|
||||||
|
type: array
|
||||||
|
items:
|
||||||
|
type: object
|
||||||
|
required:
|
||||||
|
- name
|
||||||
|
- kind
|
||||||
|
properties:
|
||||||
|
kind:
|
||||||
|
description: Kind of this spec.
|
||||||
|
type: string
|
||||||
|
enum:
|
||||||
|
- HTTPRouteGroup
|
||||||
|
- TCPRoute
|
||||||
|
name:
|
||||||
|
description: Name of this spec.
|
||||||
|
type: string
|
||||||
|
matches:
|
||||||
|
description: Match conditions of this spec.
|
||||||
|
type: array
|
||||||
|
items:
|
||||||
|
type: string
|
||||||
|
sources:
|
||||||
|
description: Sources of this traffic target.
|
||||||
|
type: array
|
||||||
|
items:
|
||||||
|
type: object
|
||||||
|
required:
|
||||||
|
- name
|
||||||
|
- kind
|
||||||
|
properties:
|
||||||
|
kind:
|
||||||
|
description: Kind of this source.
|
||||||
|
type: string
|
||||||
|
name:
|
||||||
|
description: Name of this source.
|
||||||
|
type: string
|
||||||
|
namespace:
|
||||||
|
description: Namespace of this source.
|
||||||
|
type: string
|
||||||
|
port:
|
||||||
|
description: Port number of the source.
|
||||||
|
type: number
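Review bot: Both `destination.port` and `sources[].port` are declared `type: number`, which admits fractional values such as `80.5`, whereas the CircuitBreaker CRD in this same commit declares its fallback port as an integer with bounds. For consistency and so the API server rejects bad ports up front, use `type: integer` / `minimum: 0` / `maximum: 65535` for both fields. The `rules[].kind` enum correctly lists `TCPRoute`, so this is the only place a port for TCP traffic is validated.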
|
|
@ -0,0 +1,213 @@
|
||||||
|
questions:
|
||||||
|
- variable: useDefaultImages
|
||||||
|
default: true
|
||||||
|
description: "Use default image settings."
|
||||||
|
label: Use default images
|
||||||
|
type: boolean
|
||||||
|
show_subquestion_if: false
|
||||||
|
group: "Image Registry"
|
||||||
|
subquestions:
|
||||||
|
- variable: registry.server
|
||||||
|
default: "docker-registry.nginx.com/nsm"
|
||||||
|
description: "Hostname:port (if needed) for registry and path to images."
|
||||||
|
label: Image registry server
|
||||||
|
type: string
|
||||||
|
- variable: registry.imageTag
|
||||||
|
default: "1.4.1"
|
||||||
|
description: "Tag used for pulling images from registry."
|
||||||
|
label: Image tag
|
||||||
|
type: string
|
||||||
|
- variable: registry.key
|
||||||
|
default: ""
|
||||||
|
description: "Contents of your Google Cloud JSON key file. Cannot be used with username or password."
|
||||||
|
label: Image registry key
|
||||||
|
type: string
|
||||||
|
- variable: registry.username
|
||||||
|
default: ""
|
||||||
|
description: "Username for accessing private registry."
|
||||||
|
label: Image registry username
|
||||||
|
type: string
|
||||||
|
- variable: registry.password
|
||||||
|
default: ""
|
||||||
|
description: "Password for accessing private registry."
|
||||||
|
label: Image registry password
|
||||||
|
type: string
|
||||||
|
- variable: registry.disablePublicImages
|
||||||
|
default: false
|
||||||
|
description: "Do not pull third party images from public repositories. If true, registry.server is used for all images."
|
||||||
|
label: Disable public images
|
||||||
|
type: boolean
|
||||||
|
- variable: registry.imagePullPolicy
|
||||||
|
default: "IfNotPresent"
|
||||||
|
description: "Image pull policy."
|
||||||
|
label: Image pull policy
|
||||||
|
type: string
|
||||||
|
- variable: useMtlsDefaults
|
||||||
|
default: true
|
||||||
|
description: "Use default mTLS settings."
|
||||||
|
label: Use default mTLS settings
|
||||||
|
type: boolean
|
||||||
|
show_subquestion_if: false
|
||||||
|
group: "Mutual TLS"
|
||||||
|
subquestions:
|
||||||
|
- variable: mtls.mode
|
||||||
|
default: "permissive"
|
||||||
|
description: "mTLS mode for pod-to-pod communication."
|
||||||
|
label: mTLS mode
|
||||||
|
type: enum
|
||||||
|
options:
|
||||||
|
- "off"
|
||||||
|
- "permissive"
|
||||||
|
- "strict"
|
||||||
|
- variable: mtls.caTTL
|
||||||
|
default: "720h"
|
||||||
|
description: "The CA/signing key TTL in hours(h) or minutes(m)."
|
||||||
|
label: mTLS caTTL
|
||||||
|
type: string
|
||||||
|
- variable: mtls.svidTTL
|
||||||
|
default: "1h"
|
||||||
|
description: "The TTL of certificates issued to workloads in hours(h) or minutes(m)."
|
||||||
|
label: mTLS svidTTL
|
||||||
|
type: string
|
||||||
|
- variable: mtls.trustDomain
|
||||||
|
default: "example.org"
|
||||||
|
description: "The trust domain of the NGINX Service Mesh."
|
||||||
|
label: mTLS trust domain
|
||||||
|
type: string
|
||||||
|
- variable: mtls.persistentStorage
|
||||||
|
default: "on"
|
||||||
|
description: "Use persistent storage; 'on' assumes that a StorageClass exists."
|
||||||
|
label: mTLS persistent storage
|
||||||
|
type: enum
|
||||||
|
options:
|
||||||
|
- "on"
|
||||||
|
- "off"
|
||||||
|
- variable: mtls.spireServerKeyManager
|
||||||
|
default: "disk"
|
||||||
|
description: "Storage logic for SPIRE Server's private keys."
|
||||||
|
label: mTLS spire server key manager
|
||||||
|
type: enum
|
||||||
|
options:
|
||||||
|
- "disk"
|
||||||
|
- "memory"
|
||||||
|
- variable: mtls.caKeyType
|
||||||
|
default: "ec-p256"
|
||||||
|
description: "The key type used for the SPIRE Server CA."
|
||||||
|
label: mTLS ca key type
|
||||||
|
type: enum
|
||||||
|
options:
|
||||||
|
- "ec-p256"
|
||||||
|
- "ec-p384"
|
||||||
|
- "rsa-2048"
|
||||||
|
- "rsa-4096"
|
||||||
|
- variable: useTracingDefaults
|
||||||
|
default: true
|
||||||
|
description: "Use default tracing settings. If you would like to enable telemetry instead, please see the README for instructions."
|
||||||
|
label: Use default tracing settings
|
||||||
|
type: boolean
|
||||||
|
show_subquestion_if: false
|
||||||
|
group: "Tracing"
|
||||||
|
subquestions:
|
||||||
|
- variable: tracing.disable
|
||||||
|
default: false
|
||||||
|
description: "Disable tracing for all services. This option will be removed in version 1.5."
|
||||||
|
label: Disable tracing
|
||||||
|
type: boolean
|
||||||
|
- variable: tracing.address
|
||||||
|
default: ""
|
||||||
|
description: "The address of a tracing server deployed in your Kubernetes cluster."
|
||||||
|
label: Tracing address
|
||||||
|
type: string
|
||||||
|
- variable: tracing.backend
|
||||||
|
default: "jaeger"
|
||||||
|
description: "The tracing backend that you want to use."
|
||||||
|
label: Tracing backend
|
||||||
|
type: enum
|
||||||
|
options:
|
||||||
|
- "jaeger"
|
||||||
|
- "zipkin"
|
||||||
|
- "datadog"
|
||||||
|
- variable: tracing.sampleRate
|
||||||
|
default: 0.01
|
||||||
|
description: "The sample rate to use for tracing. Float between 0 and 1."
|
||||||
|
label: Tracing sample rate
|
||||||
|
type: float
|
||||||
|
- variable: autoInjection.disable
|
||||||
|
default: false
|
||||||
|
description: "Disable automatic sidecar injection upon resource creation."
|
||||||
|
label: Disable auto injection
|
||||||
|
type: boolean
|
||||||
|
group: "General Settings"
|
||||||
|
- variable: accessControlMode
|
||||||
|
default: "allow"
|
||||||
|
description: "Default access control mode for service-to-service communication."
|
||||||
|
label: Access control mode
|
||||||
|
type: enum
|
||||||
|
options:
|
||||||
|
- "allow"
|
||||||
|
- "deny"
|
||||||
|
group: "General Settings"
|
||||||
|
- variable: deployGrafana
|
||||||
|
default: true
|
||||||
|
description: "Deploy Grafana as a part of NGINX Service Mesh. This option will be removed in version 1.5."
|
||||||
|
label: Deploy Grafana
|
||||||
|
type: boolean
|
||||||
|
group: "General Settings"
|
||||||
|
- variable: nginxErrorLogLevel
|
||||||
|
default: "warn"
|
||||||
|
description: "NGINX error log level."
|
||||||
|
label: NGINX error log level.
|
||||||
|
type: enum
|
||||||
|
options:
|
||||||
|
- "debug"
|
||||||
|
- "info"
|
||||||
|
- "notice"
|
||||||
|
- "warn"
|
||||||
|
- "error"
|
||||||
|
- "crit"
|
||||||
|
- "alert"
|
||||||
|
- "emerg"
|
||||||
|
group: "General Settings"
|
||||||
|
- variable: nginxLogFormat
|
||||||
|
default: "default"
|
||||||
|
description: "NGINX log format."
|
||||||
|
label: NGINX log format.
|
||||||
|
type: enum
|
||||||
|
options:
|
||||||
|
- "default"
|
||||||
|
- "json"
|
||||||
|
group: "General Settings"
|
||||||
|
- variable: nginxLBMethod
|
||||||
|
default: "least_time"
|
||||||
|
description: "NGINX load balancing method."
|
||||||
|
label: NGINX load balancing method.
|
||||||
|
type: enum
|
||||||
|
options:
|
||||||
|
- "least_conn"
|
||||||
|
- "least_time"
|
||||||
|
- "least_time last_byte"
|
||||||
|
- "least_time last_byte inflight"
|
||||||
|
- "random"
|
||||||
|
- "random two"
|
||||||
|
- "random two least_conn"
|
||||||
|
- "random two least_time"
|
||||||
|
- "random two least_time=last_byte"
|
||||||
|
- "round_robin"
|
||||||
|
group: "General Settings"
|
||||||
|
- variable: prometheusAddress
|
||||||
|
description: "The address of a Prometheus server deployed in your Kubernetes cluster."
|
||||||
|
label: Prometheus address.
|
||||||
|
type: string
|
||||||
|
group: "General Settings"
|
||||||
|
- variable: enableUDP
|
||||||
|
description: "Enable UDP traffic proxying (beta). Linux kernel 4.18 or greater is required."
|
||||||
|
label: Enable UDP
|
||||||
|
type: boolean
|
||||||
|
default: false
|
||||||
|
group: "General Settings"
|
||||||
|
- variable: rancher
|
||||||
|
default: true
|
||||||
|
description: "Enables Rancher for NGINX Service Mesh (do not disable)."
|
||||||
|
label: Rancher
|
||||||
|
type: boolean
|
||||||
|
group: "General Settings"
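Review bot: `registry.key`, `registry.username` and `registry.password` are all `type: string`, so Rancher renders them as plain text fields and echoes the entered values back in the form; Rancher's questions schema has a `password` type for exactly this, e.g. `type: password` on each of the three. `prometheusAddress` has no `default:` while the parallel `tracing.address` defaults to `""`, so the two behave differently when left blank in the UI — give it `default: ""` for consistency with the helper that checks `eq .Values.prometheusAddress ""`. The `rancher` question is described as "do not disable" yet is exposed as an editable boolean; if it must stay `true` in this catalog, consider dropping it from the questions and leaving it to values.yaml.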
|
|
@ -0,0 +1 @@
|
||||||
|
NGINX Service Mesh has been installed. Ensure all NGINX Service Mesh Pods are in the Ready state before deploying your apps.
|
@ -0,0 +1,179 @@
|
||||||
|
{{- define "jaeger.image-server" -}}
|
||||||
|
{{- if not .Values.registry.disablePublicImages }}jaegertracing{{ else }}{{ .Values.registry.server }}{{ end }}
|
||||||
|
{{- end }}
|
||||||
|
|
||||||
|
{{- define "zipkin.image-server" -}}
|
||||||
|
{{- if not .Values.registry.disablePublicImages }}openzipkin{{ else }}{{ .Values.registry.server }}{{ end }}
|
||||||
|
{{- end }}
|
||||||
|
|
||||||
|
{{- define "tracing.address" -}}
|
||||||
|
{{- if ne .Values.tracing.address "" -}}
|
||||||
|
{{ .Values.tracing.address }}
|
||||||
|
{{- else if eq .Values.tracing.backend "jaeger" -}}
|
||||||
|
jaeger.{{.Release.Namespace}}.svc.cluster.local:6831
|
||||||
|
{{- else if eq .Values.tracing.backend "zipkin" -}}
|
||||||
|
zipkin.{{.Release.Namespace}}.svc.cluster.local:9411
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
|
||||||
|
{{- define "prometheus.address" -}}
|
||||||
|
{{- if eq .Values.prometheusAddress "" -}}
|
||||||
|
prometheus.{{.Release.Namespace}}.svc.cluster.local:9090
|
||||||
|
{{- else -}}
|
||||||
|
{{ .Values.prometheusAddress }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
|
||||||
|
{{- define "prometheus.image-server" -}}
|
||||||
|
{{- if not .Values.registry.disablePublicImages }}prom{{ else }}{{ .Values.registry.server }}{{ end }}
|
||||||
|
{{- end }}
|
||||||
|
|
||||||
|
{{- define "grafana.image-server" -}}
|
||||||
|
{{- if not .Values.registry.disablePublicImages }}grafana{{ else }}{{ .Values.registry.server }}{{ end }}
|
||||||
|
{{- end }}
|
||||||
|
|
||||||
|
{{- define "nats.image-server" -}}
|
||||||
|
{{- if not .Values.registry.disablePublicImages }}{{ else }}{{ .Values.registry.server }}/{{ end }}
|
||||||
|
{{- end }}
|
||||||
|
|
||||||
|
{{- define "spire.image-server" -}}
|
||||||
|
{{- if not .Values.registry.disablePublicImages }}gcr.io/spiffe-io{{ else }}{{ .Values.registry.server }}{{ end }}
|
||||||
|
{{- end }}
|
||||||
|
|
||||||
|
{{- define "node-driver.image-server" -}}
|
||||||
|
{{- if not .Values.registry.disablePublicImages }}quay.io/k8scsi{{ else }}{{ .Values.registry.server }}{{ end }}
|
||||||
|
{{- end }}
|
||||||
|
|
||||||
|
{{- define "hook.image-server" -}}
|
||||||
|
{{- if not .Values.registry.disablePublicImages }}bitnami{{ else }}{{ .Values.registry.server }}{{ end }}
|
||||||
|
{{- end }}
|
||||||
|
|
||||||
|
{{- define "ubuntu.image-server" -}}
|
||||||
|
{{- if not .Values.registry.disablePublicImages }}{{ else }}{{ .Values.registry.server }}/{{ end }}
|
||||||
|
{{- end }}
|
||||||
|
|
||||||
|
{{- define "registry-key-name" -}}
|
||||||
|
nginx-mesh-registry-key
|
||||||
|
{{- end }}
|
||||||
|
|
||||||
|
{{- define "docker-config-json" -}}
|
||||||
|
{{- if (and (.Values.registry.username) (.Values.registry.password)) }}
|
||||||
|
{
|
||||||
|
"auths": {
|
||||||
|
{{ quote .Values.registry.server }}: {
|
||||||
|
"username": {{ quote .Values.registry.username }},
|
||||||
|
"password": {{ quote .Values.registry.password }},
|
||||||
|
"auth": {{ printf "%s:%s" .Values.registry.username .Values.registry.password | b64enc | quote }}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
{{- else if (.Values.registry.key) }}
|
||||||
|
{
|
||||||
|
"auths": {
|
||||||
|
{{ quote .Values.registry.server }}: {
|
||||||
|
"username": "_json_key",
|
||||||
|
"password": {{ quote .Values.registry.key }}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
|
||||||
|
{{/*
|
||||||
|
Define the name of the key where the Upstream Authority secret data is stored.
|
||||||
|
*/}}
|
||||||
|
{{- define "ua-secret-name" -}}
|
||||||
|
{{- if .Values.mtls.upstreamAuthority.awsPCA -}} {{- if .Values.mtls.upstreamAuthority.awsPCA.awsAccessKeyID -}}
|
||||||
|
credentials {{- end }}
|
||||||
|
{{- else if .Values.mtls.upstreamAuthority.disk -}}
|
||||||
|
upstreamCA.key
|
||||||
|
{{- else if .Values.mtls.upstreamAuthority.vault }}{{ if .Values.mtls.upstreamAuthority.vault.certAuth -}}
|
||||||
|
upstreamClient.key{{ end }}
|
||||||
|
{{- else if .Values.mtls.upstreamAuthority.certManager }}{{ if .Values.mtls.upstreamAuthority.certManager.kubeConfig -}}
|
||||||
|
cert-manager-kubeconfig{{ end }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
|
||||||
|
{{/*
|
||||||
|
Define the name of the mount path where the Upstream Authority secret data is stored.
|
||||||
|
*/}}
|
||||||
|
{{- define "ua-secret-mountpath" -}}
|
||||||
|
{{- if and .Values.mtls.upstreamAuthority.awsPCA -}} {{- if .Values.mtls.upstreamAuthority.awsPCA.awsAccessKeyID -}}
|
||||||
|
/root/.aws {{- end }}
|
||||||
|
{{- else if .Values.mtls.upstreamAuthority.disk -}}
|
||||||
|
/run/spire/secrets
|
||||||
|
{{- else if .Values.mtls.upstreamAuthority.vault }}{{ if .Values.mtls.upstreamAuthority.vault.certAuth -}}
|
||||||
|
/run/spire/secrets{{ end }}
|
||||||
|
{{- else if .Values.mtls.upstreamAuthority.certManager }}{{ if .Values.mtls.upstreamAuthority.certManager.kubeConfig -}}
|
||||||
|
/run/spire/secrets{{ end }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
|
||||||
|
{{/*
|
||||||
|
Define the upstream certificate to be used for the Upstream Authority.
|
||||||
|
*/}}
|
||||||
|
{{- define "ua-upstream-cert" -}}
|
||||||
|
{{- if .Values.mtls.upstreamAuthority.disk -}}
|
||||||
|
upstreamCA.crt: {{ quote .Values.mtls.upstreamAuthority.disk.cert }}
|
||||||
|
{{- else if .Values.mtls.upstreamAuthority.vault -}}
|
||||||
|
upstreamCA.crt: {{ quote .Values.mtls.upstreamAuthority.vault.caCert }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
|
||||||
|
{{/*
|
||||||
|
Define the upstream bundle to be used for the Upstream Authority.
|
||||||
|
*/}}
|
||||||
|
{{- define "ua-upstream-bundle" -}}
|
||||||
|
{{- if .Values.mtls.upstreamAuthority.disk }}{{ if .Values.mtls.upstreamAuthority.disk.bundle -}}
|
||||||
|
upstreamBundle.crt: {{ quote .Values.mtls.upstreamAuthority.disk.bundle }}{{ end }}
|
||||||
|
{{- else if .Values.mtls.upstreamAuthority.awsPCA }}{{ if .Values.mtls.upstreamAuthority.awsPCA.supplementalBundle -}}
|
||||||
|
upstreamBundle.crt: {{ quote .Values.mtls.upstreamAuthority.awsPCA.supplementalBundle }}{{ end }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
|
||||||
|
{{/*
|
||||||
|
Define the Upstream Authority value to be stored in the Secret.
|
||||||
|
*/}}
|
||||||
|
{{- define "ua-secret-value" -}}
|
||||||
|
{{- if .Values.mtls.upstreamAuthority.awsPCA -}}
|
||||||
|
{{ tpl (.Files.Get "configs/upstreamAuthority/aws-credentials.conf") . | b64enc }}
|
||||||
|
{{- else if .Values.mtls.upstreamAuthority.disk -}}
|
||||||
|
{{ .Values.mtls.upstreamAuthority.disk.key | b64enc }}
|
||||||
|
{{- else if .Values.mtls.upstreamAuthority.vault }}{{ if .Values.mtls.upstreamAuthority.vault.certAuth -}}
|
||||||
|
{{ .Values.mtls.upstreamAuthority.vault.certAuth.clientKey | b64enc }}{{ end }}
|
||||||
|
{{- else if .Values.mtls.upstreamAuthority.certManager }}{{ if .Values.mtls.upstreamAuthority.certManager.kubeConfig -}}
|
||||||
|
{{ .Values.mtls.upstreamAuthority.certManager.kubeConfig | b64enc }}{{ end }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
|
||||||
|
{{/*
|
||||||
|
Define variables associated with the Vault Upstream Authority.
|
||||||
|
*/}}
|
||||||
|
|
||||||
|
{{- define "ua-vault-env-name" -}}
|
||||||
|
{{- if .Values.mtls.upstreamAuthority.vault -}}
|
||||||
|
{{- if .Values.mtls.upstreamAuthority.vault.tokenAuth -}}
|
||||||
|
VAULT_TOKEN
|
||||||
|
{{- else if .Values.mtls.upstreamAuthority.vault.approleAuth -}}
|
||||||
|
VAULT_APPROLE_SECRET_ID
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
|
||||||
|
{{- define "ua-vault-env-value" -}}
|
||||||
|
{{- if .Values.mtls.upstreamAuthority.vault -}}
|
||||||
|
{{- if .Values.mtls.upstreamAuthority.vault.tokenAuth -}}
|
||||||
|
{{ b64enc .Values.mtls.upstreamAuthority.vault.tokenAuth.token }}
|
||||||
|
{{- else if .Values.mtls.upstreamAuthority.vault.approleAuth -}}
|
||||||
|
{{ b64enc .Values.mtls.upstreamAuthority.vault.approleAuth.approleSecretID }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
|
||||||
|
{{- define "ua-upstream-client-cert" -}}
|
||||||
|
{{- if .Values.mtls.upstreamAuthority.vault -}}
|
||||||
|
{{- if .Values.mtls.upstreamAuthority.vault.certAuth -}}
|
||||||
|
upstreamClient.crt: {{ quote .Values.mtls.upstreamAuthority.vault.certAuth.clientCert }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
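Review bot: The `ua-secret-value` helper emits the rendered `aws-credentials.conf` whenever `mtls.upstreamAuthority.awsPCA` is set, but `ua-secret-name` and `ua-secret-mountpath` only yield a key name and mount path when `awsPCA.awsAccessKeyID` is also set, so an IAM-role style configuration without an access key appears to produce a secret value with no key name; guarding the value branch the same way, `{{- if .Values.mtls.upstreamAuthority.awsPCA }}{{ if .Values.mtls.upstreamAuthority.awsPCA.awsAccessKeyID -}}`, keeps the three helpers consistent (how the Secret template consumes them is outside this file, so the effect is inferred). Separately, `disk.key`, `vault.certAuth.clientKey`, `vault.tokenAuth.token` and `vault.approleAuth.approleSecretID` are plain Helm values that are only base64-wrapped here, and Helm persists the full values in the release Secret as well, so the upstream CA private key and Vault credentials end up stored twice in the cluster. A comment above `ua-secret-value` stating that these values are long-lived secrets that should be supplied via `--set-file` or an external secrets workflow rather than committed in a values file would help operators.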
@ -0,0 +1,137 @@
|
||||||
|
{{- if .Values.deployGrafana }}
|
||||||
|
---
|
||||||
|
apiVersion: v1
|
||||||
|
kind: ServiceAccount
|
||||||
|
metadata:
|
||||||
|
name: grafana
|
||||||
|
labels:
|
||||||
|
app.kubernetes.io/part-of: nginx-service-mesh
|
||||||
|
imagePullSecrets:
|
||||||
|
- name: {{ include "registry-key-name" . }}
|
||||||
|
---
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
kind: ClusterRole
|
||||||
|
metadata:
|
||||||
|
name: grafana.metrics.builtin.nsm.nginx
|
||||||
|
labels:
|
||||||
|
app.kubernetes.io/part-of: nginx-service-mesh
|
||||||
|
rules:
|
||||||
|
- apiGroups:
|
||||||
|
- ''
|
||||||
|
resources:
|
||||||
|
- services
|
||||||
|
- endpoints
|
||||||
|
- pods
|
||||||
|
verbs:
|
||||||
|
- get
|
||||||
|
- list
|
||||||
|
- watch
|
||||||
|
---
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
kind: ClusterRoleBinding
|
||||||
|
metadata:
|
||||||
|
name: grafana.metrics.builtin.nsm.nginx
|
||||||
|
labels:
|
||||||
|
app.kubernetes.io/part-of: nginx-service-mesh
|
||||||
|
roleRef:
|
||||||
|
apiGroup: rbac.authorization.k8s.io
|
||||||
|
kind: ClusterRole
|
||||||
|
name: grafana.metrics.builtin.nsm.nginx
|
||||||
|
subjects:
|
||||||
|
- kind: ServiceAccount
|
||||||
|
name: grafana
|
||||||
|
namespace: {{ .Release.Namespace }}
|
||||||
|
---
|
||||||
|
apiVersion: v1
|
||||||
|
kind: ConfigMap
|
||||||
|
metadata:
|
||||||
|
name: grafana-config
|
||||||
|
labels:
|
||||||
|
app.kubernetes.io/part-of: nginx-service-mesh
|
||||||
|
data:
|
||||||
|
dashboards.yaml: {{ .Files.Get "configs/grafana-dashboard-conf.yaml" | quote }}
|
||||||
|
datasources.yaml: {{ tpl (.Files.Get "configs/grafana-datasources-conf.yaml") . | quote }}
|
||||||
|
grafana.ini: {{ .Files.Get "configs/grafana.ini" | quote }}
|
||||||
|
---
|
||||||
|
apiVersion: v1
|
||||||
|
kind: ConfigMap
|
||||||
|
metadata:
|
||||||
|
name: grafana-dashboards
|
||||||
|
labels:
|
||||||
|
app.kubernetes.io/part-of: nginx-service-mesh
|
||||||
|
data:
|
||||||
|
top.json: {{ .Files.Get "configs/grafana-top-dashboard.json" | quote }}
|
||||||
|
---
|
||||||
|
apiVersion: v1
|
||||||
|
kind: Service
|
||||||
|
metadata:
|
||||||
|
name: grafana
|
||||||
|
labels:
|
||||||
|
app.kubernetes.io/name: grafana
|
||||||
|
app.kubernetes.io/part-of: nginx-service-mesh
|
||||||
|
spec:
|
||||||
|
selector:
|
||||||
|
app.kubernetes.io/name: grafana
|
||||||
|
app.kubernetes.io/part-of: nginx-service-mesh
|
||||||
|
type: ClusterIP
|
||||||
|
ports:
|
||||||
|
- port: 3000
|
||||||
|
targetPort: 3000
|
||||||
|
---
|
||||||
|
apiVersion: apps/v1
|
||||||
|
kind: Deployment
|
||||||
|
metadata:
|
||||||
|
name: grafana
|
||||||
|
labels:
|
||||||
|
app.kubernetes.io/name: grafana
|
||||||
|
app.kubernetes.io/part-of: nginx-service-mesh
|
||||||
|
spec:
|
||||||
|
replicas: 1
|
||||||
|
selector:
|
||||||
|
matchLabels:
|
||||||
|
app.kubernetes.io/name: grafana
|
||||||
|
app.kubernetes.io/part-of: nginx-service-mesh
|
||||||
|
template:
|
||||||
|
metadata:
|
||||||
|
labels:
|
||||||
|
app.kubernetes.io/name: grafana
|
||||||
|
app.kubernetes.io/part-of: nginx-service-mesh
|
||||||
|
spec:
|
||||||
|
serviceAccountName: grafana
|
||||||
|
containers:
|
||||||
|
- name: grafana
|
||||||
|
image: {{ include "grafana.image-server" . }}/grafana:8.3.4
|
||||||
|
imagePullPolicy: {{ .Values.registry.imagePullPolicy }}
|
||||||
|
ports:
|
||||||
|
- containerPort: 3000
|
||||||
|
volumeMounts:
|
||||||
|
- name: grafana-config-volume
|
||||||
|
mountPath: "/etc/grafana"
|
||||||
|
- name: grafana-dashboard-volume
|
||||||
|
mountPath: "/var/lib/grafana/dashboards"
|
||||||
|
- name: grafana-dashboard-home
|
||||||
|
mountPath: "/usr/share/grafana/public/dashboards"
|
||||||
|
volumes:
|
||||||
|
- name: grafana-config-volume
|
||||||
|
configMap:
|
||||||
|
name: grafana-config
|
||||||
|
items:
|
||||||
|
- key: dashboards.yaml
|
||||||
|
path: provisioning/dashboards/dashboards.yaml
|
||||||
|
- key: datasources.yaml
|
||||||
|
path: provisioning/datasources/datasources.yaml
|
||||||
|
- key: grafana.ini
|
||||||
|
path: grafana.ini
|
||||||
|
- name: grafana-dashboard-volume
|
||||||
|
configMap:
|
||||||
|
name: grafana-dashboards
|
||||||
|
items:
|
||||||
|
- key: top.json
|
||||||
|
path: top.json
|
||||||
|
- name: grafana-dashboard-home
|
||||||
|
configMap:
|
||||||
|
name: grafana-dashboards
|
||||||
|
items:
|
||||||
|
- key: top.json
|
||||||
|
path: home.json
|
||||||
|
{{- end }}
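Review bot: The `grafana` ServiceAccount is bound to a ClusterRole granting get/list/watch on pods, services and endpoints across the whole cluster, yet nothing in the Deployment (no args, env or extra volumes) shows Grafana talking to the Kubernetes API; unless `configs/grafana-datasources-conf.yaml` configures a datasource that needs it, the ClusterRole and ClusterRoleBinding can be dropped and the token kept out of the pod with `automountServiceAccountToken: false` on the pod spec. The container also carries no `securityContext` (no `runAsNonRoot`, `readOnlyRootFilesystem` or dropped capabilities) and no resource limits, and the Service exposes port 3000 to every pod in the cluster, so whether viewing dashboards requires login depends entirely on `configs/grafana.ini`, which is not in this hunk. A one-line comment above the ClusterRole naming the datasource that requires the API grant would make the permission reviewable.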
@ -0,0 +1,60 @@
|
||||||
|
{{- if .Values.tracing }} {{ if (and (not .Values.tracing.disable) (eq .Values.tracing.backend "jaeger") (eq .Values.tracing.address "")) }}
|
||||||
|
---
|
||||||
|
apiVersion: v1
|
||||||
|
kind: Service
|
||||||
|
metadata:
|
||||||
|
name: jaeger
|
||||||
|
labels:
|
||||||
|
app.kubernetes.io/name: jaeger
|
||||||
|
app.kubernetes.io/part-of: nginx-service-mesh
|
||||||
|
spec:
|
||||||
|
selector:
|
||||||
|
app.kubernetes.io/name: jaeger
|
||||||
|
app.kubernetes.io/part-of: nginx-service-mesh
|
||||||
|
type: ClusterIP
|
||||||
|
ports:
|
||||||
|
- name: frontend
|
||||||
|
port: 16686
|
||||||
|
targetPort: 16686
|
||||||
|
- name: collector
|
||||||
|
port: 6831
|
||||||
|
targetPort: 6831
|
||||||
|
protocol: UDP
|
||||||
|
- name: collector-http
|
||||||
|
port: 14268
|
||||||
|
protocol: TCP
|
||||||
|
targetPort: 14268
|
||||||
|
---
|
||||||
|
apiVersion: apps/v1
|
||||||
|
kind: Deployment
|
||||||
|
metadata:
|
||||||
|
name: jaeger
|
||||||
|
labels:
|
||||||
|
app.kubernetes.io/name: jaeger
|
||||||
|
app.kubernetes.io/part-of: nginx-service-mesh
|
||||||
|
spec:
|
||||||
|
replicas: 1
|
||||||
|
selector:
|
||||||
|
matchLabels:
|
||||||
|
app.kubernetes.io/name: jaeger
|
||||||
|
app.kubernetes.io/part-of: nginx-service-mesh
|
||||||
|
template:
|
||||||
|
metadata:
|
||||||
|
labels:
|
||||||
|
app.kubernetes.io/name: jaeger
|
||||||
|
app.kubernetes.io/part-of: nginx-service-mesh
|
||||||
|
annotations:
|
||||||
|
prometheus.io/scrape: 'true'
|
||||||
|
prometheus.io/port: '16686'
|
||||||
|
spec:
|
||||||
|
imagePullSecrets:
|
||||||
|
- name: {{ include "registry-key-name" . }}
|
||||||
|
containers:
|
||||||
|
- name: jaeger
|
||||||
|
image: {{ include "jaeger.image-server" . }}/all-in-one:1.31.0
|
||||||
|
imagePullPolicy: {{ .Values.registry.imagePullPolicy }}
|
||||||
|
ports:
|
||||||
|
- containerPort: 16686
|
||||||
|
- containerPort: 6831
|
||||||
|
protocol: UDP
|
||||||
|
{{- end }}{{- end }}
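Review bot: The Jaeger all-in-one Deployment exposes the query UI on 16686 and both collector ports to every pod in the cluster through a ClusterIP Service with no authentication in front of it, and all-in-one keeps spans in memory, so any workload can read or inject traces that carry request paths and headers; a NetworkPolicy limiting 16686 to the intended viewers, or at minimum a template comment saying this is a demo-grade backend and that `tracing.address` should point at a hardened instance in production, seems warranted. The `prometheus.io/port: '16686'` scrape annotation targets the query UI port rather than a dedicated metrics port — verify against the Jaeger 1.31 documentation that this port actually serves `/metrics`. The container has no `securityContext` or resource limits, and the Service's `collector-http` port 14268 has no matching `containerPort` entry, which routes fine but hides the port from tooling that reads container ports.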
@ -0,0 +1,153 @@
|
||||||
|
---
|
||||||
|
apiVersion: v1
|
||||||
|
kind: ServiceAccount
|
||||||
|
metadata:
|
||||||
|
name: nats
|
||||||
|
labels:
|
||||||
|
app.kubernetes.io/part-of: nginx-service-mesh
|
||||||
|
imagePullSecrets:
|
||||||
|
- name: {{ include "registry-key-name" . }}
|
||||||
|
---
|
||||||
|
apiVersion: v1
|
||||||
|
kind: ConfigMap
|
||||||
|
metadata:
|
||||||
|
name: nats-config
|
||||||
|
labels:
|
||||||
|
app.kubernetes.io/part-of: nginx-service-mesh
|
||||||
|
data:
|
||||||
|
nats.conf: {{ .Files.Get "configs/nats.conf" | quote }}
|
||||||
|
---
|
||||||
|
apiVersion: v1
|
||||||
|
kind: Service
|
||||||
|
metadata:
|
||||||
|
name: nats-server
|
||||||
|
labels:
|
||||||
|
app.kubernetes.io/name: nats-server
|
||||||
|
app.kubernetes.io/part-of: nginx-service-mesh
|
||||||
|
spec:
|
||||||
|
selector:
|
||||||
|
app.kubernetes.io/name: nats-server
|
||||||
|
app.kubernetes.io/part-of: nginx-service-mesh
|
||||||
|
clusterIP: None
|
||||||
|
ports:
|
||||||
|
- name: client
|
||||||
|
port: 4222
|
||||||
|
- name: monitor
|
||||||
|
port: 8222
|
||||||
|
---
|
||||||
|
apiVersion: apps/v1
|
||||||
|
kind: Deployment
|
||||||
|
metadata:
|
||||||
|
name: nats-server
|
||||||
|
labels:
|
||||||
|
app.kubernetes.io/name: nats-server
|
||||||
|
app.kubernetes.io/part-of: nginx-service-mesh
|
||||||
|
spec:
|
||||||
|
selector:
|
||||||
|
matchLabels:
|
||||||
|
app.kubernetes.io/name: nats-server
|
||||||
|
app.kubernetes.io/part-of: nginx-service-mesh
|
||||||
|
replicas: 1
|
||||||
|
template:
|
||||||
|
metadata:
|
||||||
|
labels:
|
||||||
|
app.kubernetes.io/name: nats-server
|
||||||
|
app.kubernetes.io/part-of: nginx-service-mesh
|
||||||
|
spiffe.io/spiffeid: "true"
|
||||||
|
spec:
|
||||||
|
serviceAccountName: nats
|
||||||
|
volumes:
|
||||||
|
- name: config-volume
|
||||||
|
configMap:
|
||||||
|
name: nats-config
|
||||||
|
- name: pid
|
||||||
|
emptyDir: {}
|
||||||
|
- name: tls
|
||||||
|
emptyDir: {}
|
||||||
|
- name: spire-agent-socket
|
||||||
|
{{ if eq .Values.environment "openshift" -}}
|
||||||
|
csi:
|
||||||
|
driver: wlapi-mounter.spire.nginx.com
|
||||||
|
readOnly: true
|
||||||
|
{{- else -}}
|
||||||
|
hostPath:
|
||||||
|
path: "/run/spire/sockets"
|
||||||
|
type: DirectoryOrCreate
|
||||||
|
{{- end }}
|
||||||
|
shareProcessNamespace: true
|
||||||
|
terminationGracePeriodSeconds: 60
|
||||||
|
imagePullSecrets:
|
||||||
|
- name: {{ include "registry-key-name" . }}
|
||||||
|
initContainers:
|
||||||
|
- name: nginx-mesh-cert-reloader-init
|
||||||
|
image: {{ .Values.registry.server }}/nginx-mesh-cert-reloader:{{ .Values.registry.imageTag }}
|
||||||
|
imagePullPolicy: {{ .Values.registry.imagePullPolicy }}
|
||||||
|
volumeMounts:
|
||||||
|
- name: tls
|
||||||
|
mountPath: "/etc/ssl"
|
||||||
|
- name: spire-agent-socket
|
||||||
|
mountPath: "/run/spire/sockets"
|
||||||
|
containers:
|
||||||
|
- name: nginx-mesh-cert-reloader
|
||||||
|
image: {{ .Values.registry.server }}/nginx-mesh-cert-reloader:{{ .Values.registry.imageTag }}
|
||||||
|
imagePullPolicy: {{ .Values.registry.imagePullPolicy }}
|
||||||
|
args:
|
||||||
|
- "-pid"
|
||||||
|
- "/var/run/nats/nats.pid"
|
||||||
|
- "-is-daemon"
|
||||||
|
volumeMounts:
|
||||||
|
- name: pid
|
||||||
|
mountPath: "/var/run/nats"
|
||||||
|
- name: tls
|
||||||
|
mountPath: "/etc/ssl"
|
||||||
|
- name: spire-agent-socket
|
||||||
|
mountPath: "/run/spire/sockets"
|
||||||
|
- name: nats-server
|
||||||
|
image: {{ include "nats.image-server" . }}nats:2.7.2-alpine3.15
|
||||||
|
imagePullPolicy: {{ .Values.registry.imagePullPolicy }}
|
||||||
|
ports:
|
||||||
|
- containerPort: 4222
|
||||||
|
name: client
|
||||||
|
- containerPort: 8222
|
||||||
|
name: monitor
|
||||||
|
command:
|
||||||
|
- nats-server
|
||||||
|
- "--config"
|
||||||
|
- "/etc/nats-config/nats.conf"
|
||||||
|
env:
|
||||||
|
- name: POD_NAME
|
||||||
|
valueFrom:
|
||||||
|
fieldRef:
|
||||||
|
fieldPath: metadata.name
|
||||||
|
- name: POD_NAMESPACE
|
||||||
|
valueFrom:
|
||||||
|
fieldRef:
|
||||||
|
fieldPath: metadata.namespace
|
||||||
|
- name: CLUSTER_ADVERTISE
|
||||||
|
value: "$(POD_NAME).nats-server.$(POD_NAMESPACE).svc"
|
||||||
|
volumeMounts:
|
||||||
|
- name: config-volume
|
||||||
|
mountPath: "/etc/nats-config"
|
||||||
|
- name: pid
|
||||||
|
mountPath: "/var/run/nats"
|
||||||
|
- name: tls
|
||||||
|
mountPath: "/etc/ssl"
|
||||||
|
livenessProbe:
|
||||||
|
httpGet:
|
||||||
|
path: "/"
|
||||||
|
port: 8222
|
||||||
|
initialDelaySeconds: 10
|
||||||
|
timeoutSeconds: 5
|
||||||
|
readinessProbe:
|
||||||
|
httpGet:
|
||||||
|
path: "/"
|
||||||
|
port: 8222
|
||||||
|
initialDelaySeconds: 10
|
||||||
|
timeoutSeconds: 5
|
||||||
|
lifecycle:
|
||||||
|
preStop:
|
||||||
|
exec:
|
||||||
|
command:
|
||||||
|
- "/bin/sh"
|
||||||
|
- "-c"
|
||||||
|
- "/nats-server -sl=ldm=/var/run/nats/nats.pid && /bin/sleep 60"
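Review bot: The headless `nats-server` Service publishes the monitoring port 8222 next to the client port, which makes the unauthenticated NATS HTTP monitoring endpoints (`/varz`, `/connz`, `/subsz`) reachable from any pod in the cluster and exposes connected-client addresses and subscription subjects; the liveness and readiness probes hit 8222 on the pod IP directly and do not need a Service entry, so the `- name: monitor` / `port: 8222` pair can be removed from the Service (whether `configs/nats.conf` binds monitoring to localhost is not visible here, but the kubelet probes imply it does not). `shareProcessNamespace: true` is what lets `nginx-mesh-cert-reloader` signal nats-server through the pid file, but it also gives each container a view of the others' `/proc` (environment, open file descriptors); a comment on that line stating the reload requirement, plus a `securityContext` dropping capabilities on all three containers, would make the trade-off explicit. Mounting the `tls` emptyDir at `/etc/ssl` in the nats container also shadows the image's system CA bundle under `/etc/ssl/certs` — presumably intentional since nats-server is handed SPIFFE-issued material, but worth confirming.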
@ -0,0 +1,548 @@
|
||||||
|
---
|
||||||
|
apiVersion: v1
|
||||||
|
kind: ServiceAccount
|
||||||
|
metadata:
|
||||||
|
name: nginx-mesh-api
|
||||||
|
labels:
|
||||||
|
app.kubernetes.io/part-of: nginx-service-mesh
|
||||||
|
imagePullSecrets:
|
||||||
|
- name: {{ include "registry-key-name" . }}
|
||||||
|
---
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
kind: ClusterRole
|
||||||
|
metadata:
|
||||||
|
name: nginx-mesh-api.internal.builtin.nsm.nginx
|
||||||
|
labels:
|
||||||
|
app.kubernetes.io/part-of: nginx-service-mesh
|
||||||
|
rules:
|
||||||
|
- apiGroups:
|
||||||
|
- ''
|
||||||
|
resources:
|
||||||
|
- namespaces
|
||||||
|
verbs:
|
||||||
|
- get
|
||||||
|
- list
|
||||||
|
- watch
|
||||||
|
- apiGroups:
|
||||||
|
- ''
|
||||||
|
resources:
|
||||||
|
- services
|
||||||
|
- endpoints
|
||||||
|
verbs:
|
||||||
|
- "*"
|
||||||
|
- apiGroups:
|
||||||
|
- ''
|
||||||
|
resources:
|
||||||
|
- secrets
|
||||||
|
- pods
|
||||||
|
verbs:
|
||||||
|
- create
|
||||||
|
- get
|
||||||
|
- list
|
||||||
|
- watch
|
||||||
|
- apiGroups:
|
||||||
|
- ''
|
||||||
|
resources:
|
||||||
|
- configmaps
|
||||||
|
verbs:
|
||||||
|
- get
|
||||||
|
- list
|
||||||
|
- watch
|
||||||
|
- update
|
||||||
|
- apiGroups:
|
||||||
|
- ''
|
||||||
|
resources:
|
||||||
|
- events
|
||||||
|
verbs:
|
||||||
|
- create
|
||||||
|
- patch
|
||||||
|
- apiGroups:
|
||||||
|
- apps
|
||||||
|
resources:
|
||||||
|
- replicasets
|
||||||
|
verbs:
|
||||||
|
- get
|
||||||
|
- list
|
||||||
|
- watch
|
||||||
|
- apiGroups:
|
||||||
|
- apps
|
||||||
|
resources:
|
||||||
|
- statefulsets
|
||||||
|
- deployments
|
||||||
|
- daemonsets
|
||||||
|
verbs:
|
||||||
|
- list
|
||||||
|
- watch
|
||||||
|
- apiGroups:
|
||||||
|
- split.smi-spec.io
|
||||||
|
resources:
|
||||||
|
- trafficsplits
|
||||||
|
verbs:
|
||||||
|
- "*"
|
||||||
|
- apiGroups:
|
||||||
|
- access.smi-spec.io
|
||||||
|
resources:
|
||||||
|
- traffictargets
|
||||||
|
verbs:
|
||||||
|
- "*"
|
||||||
|
- apiGroups:
|
||||||
|
- specs.smi-spec.io
|
||||||
|
- specs.smi.nginx.com
|
||||||
|
resources:
|
||||||
|
- httproutegroups
|
||||||
|
- tcproutes
|
||||||
|
- ratelimits
|
||||||
|
- circuitbreakers
|
||||||
|
verbs:
|
||||||
|
- "*"
|
||||||
|
- apiGroups:
|
||||||
|
- admissionregistration.k8s.io
|
||||||
|
resources:
|
||||||
|
- mutatingwebhookconfigurations
|
||||||
|
resourceNames:
|
||||||
|
- sidecar-injector-webhook-cfg.internal.builtin.nsm.nginx
|
||||||
|
verbs:
|
||||||
|
- get
|
||||||
|
- update
|
||||||
|
- apiGroups:
|
||||||
|
- admissionregistration.k8s.io
|
||||||
|
resources:
|
||||||
|
- validatingwebhookconfigurations
|
||||||
|
resourceNames:
|
||||||
|
- validating-webhook-cfg.internal.builtin.nsm.nginx
|
||||||
|
verbs:
|
||||||
|
- get
|
||||||
|
- update
|
||||||
|
---
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
kind: ClusterRoleBinding
|
||||||
|
metadata:
|
||||||
|
name: nginx-mesh-api.internal.builtin.nsm.nginx
|
||||||
|
labels:
|
||||||
|
app.kubernetes.io/part-of: nginx-service-mesh
|
||||||
|
roleRef:
|
||||||
|
apiGroup: rbac.authorization.k8s.io
|
||||||
|
kind: ClusterRole
|
||||||
|
name: nginx-mesh-api.internal.builtin.nsm.nginx
|
||||||
|
subjects:
|
||||||
|
- kind: ServiceAccount
|
||||||
|
name: nginx-mesh-api
|
||||||
|
namespace: {{ .Release.Namespace }}
|
||||||
|
---
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
kind: Role
|
||||||
|
metadata:
|
||||||
|
name: nginx-mesh-api.internal.builtin.nsm.nginx
|
||||||
|
labels:
|
||||||
|
app.kubernetes.io/part-of: nginx-service-mesh
|
||||||
|
rules:
|
||||||
|
- apiGroups:
|
||||||
|
- apps
|
||||||
|
resources:
|
||||||
|
- statefulsets
|
||||||
|
- deployments
|
||||||
|
- daemonsets
|
||||||
|
resourceNames:
|
||||||
|
- spire-server
|
||||||
|
- spire-agent
|
||||||
|
verbs:
|
||||||
|
- get
|
||||||
|
- patch
|
||||||
|
---
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
kind: RoleBinding
|
||||||
|
metadata:
|
||||||
|
name: nginx-mesh-api.internal.builtin.nsm.nginx
|
||||||
|
labels:
|
||||||
|
app.kubernetes.io/part-of: nginx-service-mesh
|
||||||
|
roleRef:
|
||||||
|
apiGroup: rbac.authorization.k8s.io
|
||||||
|
kind: Role
|
||||||
|
name: nginx-mesh-api.internal.builtin.nsm.nginx
|
||||||
|
subjects:
|
||||||
|
- kind: ServiceAccount
|
||||||
|
name: nginx-mesh-api
|
||||||
|
namespace: {{ .Release.Namespace }}
|
||||||
|
---
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
kind: ClusterRoleBinding
|
||||||
|
metadata:
|
||||||
|
name: nginx-mesh-api-svc.internal.builtin.nsm.nginx
|
||||||
|
labels:
|
||||||
|
app.kubernetes.io/part-of: nginx-service-mesh
|
||||||
|
roleRef:
|
||||||
|
apiGroup: rbac.authorization.k8s.io
|
||||||
|
kind: ClusterRole
|
||||||
|
name: system:auth-delegator
|
||||||
|
subjects:
|
||||||
|
- kind: ServiceAccount
|
||||||
|
name: nginx-mesh-api
|
||||||
|
namespace: {{ .Release.Namespace }}
|
||||||
|
---
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
kind: RoleBinding
|
||||||
|
metadata:
|
||||||
|
name: nginx-mesh-api-svc.internal.builtin.nsm.nginx
|
||||||
|
labels:
|
||||||
|
app.kubernetes.io/part-of: nginx-service-mesh
|
||||||
|
roleRef:
|
||||||
|
apiGroup: rbac.authorization.k8s.io
|
||||||
|
kind: Role
|
||||||
|
name: extension-apiserver-authentication-reader
|
||||||
|
subjects:
|
||||||
|
- kind: ServiceAccount
|
||||||
|
name: nginx-mesh-api
|
||||||
|
namespace: {{ .Release.Namespace }}
|
||||||
|
---
|
||||||
|
apiVersion: v1
|
||||||
|
kind: ConfigMap
|
||||||
|
metadata:
|
||||||
|
name: mesh-config
|
||||||
|
labels:
|
||||||
|
app.kubernetes.io/part-of: nginx-service-mesh
|
||||||
|
binaryData:
|
||||||
|
mesh-config.json: {{ tpl (.Files.Get "configs/mesh-config.conf") . | b64enc | quote }}
|
||||||
|
---
|
||||||
|
apiVersion: v1
|
||||||
|
kind: Service
|
||||||
|
metadata:
|
||||||
|
name: nginx-mesh-api
|
||||||
|
labels:
|
||||||
|
app.kubernetes.io/part-of: nginx-service-mesh
|
||||||
|
spec:
|
||||||
|
type: ClusterIP
|
||||||
|
ports:
|
||||||
|
- name: https
|
||||||
|
port: 443
|
||||||
|
targetPort: 8443
|
||||||
|
protocol: TCP
|
||||||
|
selector:
|
||||||
|
app.kubernetes.io/name: nginx-mesh-api
|
||||||
|
app.kubernetes.io/part-of: nginx-service-mesh
|
||||||
|
---
|
||||||
|
apiVersion: v1
|
||||||
|
kind: Service
|
||||||
|
metadata:
|
||||||
|
name: nginx-mesh-webhook
|
||||||
|
labels:
|
||||||
|
app.kubernetes.io/name: nginx-mesh-api
|
||||||
|
app.kubernetes.io/part-of: nginx-service-mesh
|
||||||
|
spec:
|
||||||
|
type: ClusterIP
|
||||||
|
ports:
|
||||||
|
- name: admission
|
||||||
|
port: 443
|
||||||
|
targetPort: 9443
|
||||||
|
protocol: TCP
|
||||||
|
selector:
|
||||||
|
app.kubernetes.io/name: nginx-mesh-api
|
||||||
|
app.kubernetes.io/part-of: nginx-service-mesh
|
||||||
|
---
|
||||||
|
apiVersion: admissionregistration.k8s.io/v1
|
||||||
|
kind: MutatingWebhookConfiguration
|
||||||
|
metadata:
|
||||||
|
name: sidecar-injector-webhook-cfg.internal.builtin.nsm.nginx
|
||||||
|
labels:
|
||||||
|
app.kubernetes.io/part-of: nginx-service-mesh
|
||||||
|
spiffe.io/webhook: "true"
|
||||||
|
webhooks:
|
||||||
|
- name: nginx-mesh-api.sidecar.injector
|
||||||
|
namespaceSelector:
|
||||||
|
matchExpressions:
|
||||||
|
- key: injector.nsm.nginx.com/auto-inject
|
||||||
|
operator: NotIn
|
||||||
|
values:
|
||||||
|
- 'false'
|
||||||
|
clientConfig:
|
||||||
|
service:
|
||||||
|
name: nginx-mesh-webhook
|
||||||
|
namespace: {{ .Release.Namespace }}
|
||||||
|
path: "/inject"
|
||||||
|
sideEffects: None
|
||||||
|
admissionReviewVersions:
|
||||||
|
- v1
|
||||||
|
- v1beta1
|
||||||
|
rules:
|
||||||
|
- apiGroups:
|
||||||
|
- ''
|
||||||
|
apiVersions:
|
||||||
|
- v1
|
||||||
|
operations:
|
||||||
|
- CREATE
|
||||||
|
resources:
|
||||||
|
- pods
|
||||||
|
---
|
||||||
|
apiVersion: admissionregistration.k8s.io/v1
|
||||||
|
kind: ValidatingWebhookConfiguration
|
||||||
|
metadata:
|
||||||
|
name: validating-webhook-cfg.internal.builtin.nsm.nginx
|
||||||
|
labels:
|
||||||
|
app.kubernetes.io/part-of: nginx-service-mesh
|
||||||
|
spiffe.io/webhook: "true"
|
||||||
|
webhooks:
|
||||||
|
- name: nginx-mesh-api.policy.validator
|
||||||
|
clientConfig:
|
||||||
|
service:
|
||||||
|
name: nginx-mesh-webhook
|
||||||
|
namespace: {{ .Release.Namespace }}
|
||||||
|
path: "/validate"
|
||||||
|
sideEffects: None
|
||||||
|
admissionReviewVersions:
|
||||||
|
- v1
|
||||||
|
- v1beta1
|
||||||
|
rules:
|
||||||
|
- apiGroups:
|
||||||
|
- split.smi-spec.io
|
||||||
|
apiVersions:
|
||||||
|
- "*"
|
||||||
|
operations:
|
||||||
|
- CREATE
|
||||||
|
- UPDATE
|
||||||
|
- DELETE
|
||||||
|
resources:
|
||||||
|
- trafficsplits
|
||||||
|
- apiGroups:
|
||||||
|
- specs.smi-spec.io
|
||||||
|
apiVersions:
|
||||||
|
- "*"
|
||||||
|
operations:
|
||||||
|
- CREATE
|
||||||
|
- UPDATE
|
||||||
|
resources:
|
||||||
|
- httproutegroups
|
||||||
|
- apiGroups:
|
||||||
|
- specs.smi.nginx.com
|
||||||
|
apiVersions:
|
||||||
|
- "*"
|
||||||
|
operations:
|
||||||
|
- CREATE
|
||||||
|
- UPDATE
|
||||||
|
- DELETE
|
||||||
|
resources:
|
||||||
|
- circuitbreakers
|
||||||
|
- ratelimits
|
||||||
|
---
|
||||||
|
apiVersion: apps/v1
|
||||||
|
kind: Deployment
|
||||||
|
metadata:
|
||||||
|
name: nginx-mesh-api
|
||||||
|
labels:
|
||||||
|
app.kubernetes.io/name: nginx-mesh-api
|
||||||
|
app.kubernetes.io/part-of: nginx-service-mesh
|
||||||
|
spec:
|
||||||
|
replicas: 1
|
||||||
|
selector:
|
||||||
|
matchLabels:
|
||||||
|
app.kubernetes.io/name: nginx-mesh-api
|
||||||
|
app.kubernetes.io/part-of: nginx-service-mesh
|
||||||
|
template:
|
||||||
|
metadata:
|
||||||
|
labels:
|
||||||
|
app.kubernetes.io/name: nginx-mesh-api
|
||||||
|
app.kubernetes.io/part-of: nginx-service-mesh
|
||||||
|
spiffe.io/spiffeid: "true"
|
||||||
|
spec:
|
||||||
|
serviceAccountName: nginx-mesh-api
|
||||||
|
containers:
|
||||||
|
- name: nginx-mesh-api
|
||||||
|
image: {{ .Values.registry.server }}/nginx-mesh-api:{{ .Values.registry.imageTag }}
|
||||||
|
imagePullPolicy: {{ .Values.registry.imagePullPolicy }}
|
||||||
|
args:
|
||||||
|
- "-meshconfig=/etc/config/mesh-config.json"
|
||||||
|
- "-logtostderr"
|
||||||
|
- "-v=3"
|
||||||
|
env:
|
||||||
|
- name: PULL_POLICY
|
||||||
|
value: {{ .Values.registry.imagePullPolicy }}
|
||||||
|
- name: MY_UID
|
||||||
|
valueFrom:
|
||||||
|
fieldRef:
|
||||||
|
fieldPath: metadata.uid
|
||||||
|
- name: MY_POD_NAME
|
||||||
|
valueFrom:
|
||||||
|
fieldRef:
|
||||||
|
fieldPath: metadata.name
|
||||||
|
- name: MY_NAMESPACE
|
||||||
|
valueFrom:
|
||||||
|
fieldRef:
|
||||||
|
fieldPath: metadata.namespace
|
||||||
|
securityContext:
|
||||||
|
runAsUser: 0
|
||||||
|
readinessProbe:
|
||||||
|
httpGet:
|
||||||
|
path: "/healthz"
|
||||||
|
port: 8081
|
||||||
|
initialDelaySeconds: 5
|
||||||
|
periodSeconds: 10
|
||||||
|
failureThreshold: 30
|
||||||
|
livenessProbe:
|
||||||
|
httpGet:
|
||||||
|
path: "/healthz"
|
||||||
|
port: 8081
|
||||||
|
initialDelaySeconds: 5
|
||||||
|
periodSeconds: 10
|
||||||
|
failureThreshold: 30
|
||||||
|
volumeMounts:
|
||||||
|
- name: config-volume
|
||||||
|
mountPath: "/etc/config"
|
||||||
|
- name: spire-agent-socket
|
||||||
|
mountPath: "/run/spire/sockets"
|
||||||
|
volumes:
|
||||||
|
- name: config-volume
|
||||||
|
configMap:
|
||||||
|
name: mesh-config
|
||||||
|
items:
|
||||||
|
- key: mesh-config.json
|
||||||
|
path: mesh-config.json
|
||||||
|
- name: spire-agent-socket
|
||||||
|
{{ if eq .Values.environment "openshift" -}}
|
||||||
|
csi:
|
||||||
|
driver: wlapi-mounter.spire.nginx.com
|
||||||
|
readOnly: true
|
||||||
|
{{- else -}}
|
||||||
|
hostPath:
|
||||||
|
path: "/run/spire/sockets"
|
||||||
|
type: DirectoryOrCreate
|
||||||
|
{{- end }}
|
||||||
|
---
|
||||||
|
apiVersion: apiregistration.k8s.io/v1
|
||||||
|
kind: APIService
|
||||||
|
metadata:
|
||||||
|
labels:
|
||||||
|
app.kubernetes.io/part-of: nginx-service-mesh
|
||||||
|
spiffe.io/apiservice: "true"
|
||||||
|
name: v1alpha1.nsm.nginx.com
|
||||||
|
spec:
|
||||||
|
group: nsm.nginx.com
|
||||||
|
groupPriorityMinimum: 100
|
||||||
|
service:
|
||||||
|
name: nginx-mesh-api
|
||||||
|
namespace: {{ .Release.Namespace}}
|
||||||
|
port: 443
|
||||||
|
version: v1alpha1
|
||||||
|
versionPriority: 100
|
||||||
|
{{- if eq .Values.environment "openshift" }}
|
||||||
|
---
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
kind: ClusterRole
|
||||||
|
metadata:
|
||||||
|
name: system:openshift:scc:nginx-mesh-api-permissions
|
||||||
|
labels:
|
||||||
|
app.kubernetes.io/part-of: nginx-service-mesh
|
||||||
|
rules:
|
||||||
|
- apiGroups:
|
||||||
|
- security.openshift.io
|
||||||
|
resources:
|
||||||
|
- securitycontextconstraints
|
||||||
|
resourceNames:
|
||||||
|
- nginx-mesh-api-permissions
|
||||||
|
verbs:
|
||||||
|
- use
|
||||||
|
---
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
kind: RoleBinding
|
||||||
|
metadata:
|
||||||
|
name: system:openshift:scc:nginx-mesh-api-permissions
|
||||||
|
labels:
|
||||||
|
app.kubernetes.io/part-of: nginx-service-mesh
|
||||||
|
roleRef:
|
||||||
|
apiGroup: rbac.authorization.k8s.io
|
||||||
|
kind: ClusterRole
|
||||||
|
name: system:openshift:scc:nginx-mesh-api-permissions
|
||||||
|
subjects:
|
||||||
|
- kind: ServiceAccount
|
||||||
|
name: nginx-mesh-api
|
||||||
|
namespace: {{ .Release.Namespace }}
|
||||||
|
---
|
||||||
|
apiVersion: security.openshift.io/v1
|
||||||
|
kind: SecurityContextConstraints
|
||||||
|
metadata:
|
||||||
|
name: nginx-mesh-api-permissions
|
||||||
|
labels:
|
||||||
|
app.kubernetes.io/part-of: nginx-service-mesh
|
||||||
|
allowHostDirVolumePlugin: false
|
||||||
|
allowHostIPC: false
|
||||||
|
allowHostNetwork: false
|
||||||
|
allowHostPID: false
|
||||||
|
allowHostPorts: false
|
||||||
|
allowPrivilegedContainer: false
|
||||||
|
seLinuxContext:
|
||||||
|
type: MustRunAs
|
||||||
|
readOnlyRootFilesystem: false
|
||||||
|
runAsUser:
|
||||||
|
type: RunAsAny
|
||||||
|
fsGroup:
|
||||||
|
type: MustRunAs
|
||||||
|
volumes:
|
||||||
|
- configMap
|
||||||
|
- csi
|
||||||
|
- secret
|
||||||
|
---
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
kind: ClusterRole
|
||||||
|
metadata:
|
||||||
|
name: system:openshift:scc:nginx-mesh-permissions
|
||||||
|
labels:
|
||||||
|
app.kubernetes.io/part-of: nginx-service-mesh
|
||||||
|
rules:
|
||||||
|
- apiGroups:
|
||||||
|
- security.openshift.io
|
||||||
|
resources:
|
||||||
|
- securitycontextconstraints
|
||||||
|
resourceNames:
|
||||||
|
- nginx-mesh-permissions
|
||||||
|
verbs:
|
||||||
|
- use
|
||||||
|
---
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
kind: ClusterRoleBinding
|
||||||
|
metadata:
|
||||||
|
name: system:openshift:scc:nginx-mesh-permissions
|
||||||
|
labels:
|
||||||
|
app.kubernetes.io/part-of: nginx-service-mesh
|
||||||
|
roleRef:
|
||||||
|
apiGroup: rbac.authorization.k8s.io
|
||||||
|
kind: ClusterRole
|
||||||
|
name: system:openshift:scc:nginx-mesh-permissions
|
||||||
|
subjects:
|
||||||
|
- kind: Group
|
||||||
|
name: system:authenticated
|
||||||
|
---
|
||||||
|
apiVersion: security.openshift.io/v1
|
||||||
|
kind: SecurityContextConstraints
|
||||||
|
metadata:
|
||||||
|
name: nginx-mesh-permissions
|
||||||
|
labels:
|
||||||
|
app.kubernetes.io/part-of: nginx-service-mesh
|
||||||
|
allowHostDirVolumePlugin: false
|
||||||
|
allowHostIPC: false
|
||||||
|
allowHostNetwork: false
|
||||||
|
allowHostPID: false
|
||||||
|
allowHostPorts: false
|
||||||
|
allowPrivilegedContainer: false
|
||||||
|
allowedCapabilities:
|
||||||
|
- NET_ADMIN
|
||||||
|
- NET_RAW
|
||||||
|
- SYS_RESOURCE
|
||||||
|
- SYS_ADMIN
|
||||||
|
seLinuxContext:
|
||||||
|
type: RunAsAny
|
||||||
|
runAsUser:
|
||||||
|
type: RunAsAny
|
||||||
|
fsGroup:
|
||||||
|
type: MustRunAs
|
||||||
|
readOnlyRootFilesystem: false
|
||||||
|
requiredDropCapabilities:
|
||||||
|
- KILL
|
||||||
|
- MKNOD
|
||||||
|
- SETUID
|
||||||
|
- SETGID
|
||||||
|
volumes:
|
||||||
|
- configMap
|
||||||
|
- downwardAPI
|
||||||
|
- emptyDir
|
||||||
|
- persistentVolumeClaim
|
||||||
|
- projected
|
||||||
|
- secret
|
||||||
|
- csi
|
||||||
|
{{- end }}
|
|
@ -0,0 +1,164 @@
|
||||||
|
---
|
||||||
|
apiVersion: v1
|
||||||
|
kind: ServiceAccount
|
||||||
|
metadata:
|
||||||
|
name: nginx-mesh-metrics
|
||||||
|
labels:
|
||||||
|
app.kubernetes.io/part-of: nginx-service-mesh
|
||||||
|
imagePullSecrets:
|
||||||
|
- name: {{ include "registry-key-name" . }}
|
||||||
|
---
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
kind: ClusterRole
|
||||||
|
metadata:
|
||||||
|
name: nginx-mesh-metrics.internal.builtin.nsm.nginx
|
||||||
|
labels:
|
||||||
|
app.kubernetes.io/part-of: nginx-service-mesh
|
||||||
|
rules:
|
||||||
|
- apiGroups:
|
||||||
|
- ''
|
||||||
|
resources:
|
||||||
|
- pods
|
||||||
|
verbs:
|
||||||
|
- get
|
||||||
|
---
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
kind: ClusterRoleBinding
|
||||||
|
metadata:
|
||||||
|
name: nginx-mesh-metrics.internal.builtin.nsm.nginx
|
||||||
|
labels:
|
||||||
|
app.kubernetes.io/part-of: nginx-service-mesh
|
||||||
|
roleRef:
|
||||||
|
apiGroup: rbac.authorization.k8s.io
|
||||||
|
kind: ClusterRole
|
||||||
|
name: nginx-mesh-metrics.internal.builtin.nsm.nginx
|
||||||
|
subjects:
|
||||||
|
- kind: ServiceAccount
|
||||||
|
name: nginx-mesh-metrics
|
||||||
|
namespace: {{ .Release.Namespace }}
|
||||||
|
---
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
kind: ClusterRoleBinding
|
||||||
|
metadata:
|
||||||
|
name: nginx-mesh-metrics-svc.internal.builtin.nsm.nginx
|
||||||
|
labels:
|
||||||
|
app.kubernetes.io/part-of: nginx-service-mesh
|
||||||
|
roleRef:
|
||||||
|
apiGroup: rbac.authorization.k8s.io
|
||||||
|
kind: ClusterRole
|
||||||
|
name: system:auth-delegator
|
||||||
|
subjects:
|
||||||
|
- kind: ServiceAccount
|
||||||
|
name: nginx-mesh-metrics
|
||||||
|
namespace: {{ .Release.Namespace }}
|
||||||
|
---
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
kind: RoleBinding
|
||||||
|
metadata:
|
||||||
|
name: nginx-mesh-metrics-svc.internal.builtin.nsm.nginx
|
||||||
|
labels:
|
||||||
|
app.kubernetes.io/part-of: nginx-service-mesh
|
||||||
|
roleRef:
|
||||||
|
apiGroup: rbac.authorization.k8s.io
|
||||||
|
kind: Role
|
||||||
|
name: extension-apiserver-authentication-reader
|
||||||
|
subjects:
|
||||||
|
- kind: ServiceAccount
|
||||||
|
name: nginx-mesh-metrics
|
||||||
|
namespace: {{ .Release.Namespace }}
|
||||||
|
---
|
||||||
|
apiVersion: v1
|
||||||
|
kind: Service
|
||||||
|
metadata:
|
||||||
|
name: nginx-mesh-metrics-svc
|
||||||
|
labels:
|
||||||
|
app.kubernetes.io/name: nginx-mesh-metrics
|
||||||
|
app.kubernetes.io/part-of: nginx-service-mesh
|
||||||
|
spec:
|
||||||
|
type: ClusterIP
|
||||||
|
ports:
|
||||||
|
- name: http
|
||||||
|
port: 443
|
||||||
|
targetPort: metrics
|
||||||
|
protocol: TCP
|
||||||
|
selector:
|
||||||
|
app.kubernetes.io/name: nginx-mesh-metrics
|
||||||
|
app.kubernetes.io/part-of: nginx-service-mesh
|
||||||
|
---
|
||||||
|
apiVersion: apiregistration.k8s.io/v1
|
||||||
|
kind: APIService
|
||||||
|
metadata:
|
||||||
|
name: v1alpha1.metrics.smi-spec.io
|
||||||
|
labels:
|
||||||
|
app.kubernetes.io/name: nginx-mesh-metrics
|
||||||
|
app.kubernetes.io/part-of: nginx-service-mesh
|
||||||
|
spiffe.io/apiservice: "true"
|
||||||
|
spec:
|
||||||
|
service:
|
||||||
|
name: nginx-mesh-metrics-svc
|
||||||
|
namespace: {{ .Release.Namespace }}
|
||||||
|
group: metrics.smi-spec.io
|
||||||
|
version: v1alpha1
|
||||||
|
groupPriorityMinimum: 100
|
||||||
|
versionPriority: 100
|
||||||
|
---
|
||||||
|
apiVersion: apps/v1
|
||||||
|
kind: Deployment
|
||||||
|
metadata:
|
||||||
|
name: nginx-mesh-metrics
|
||||||
|
labels:
|
||||||
|
app.kubernetes.io/name: nginx-mesh-metrics
|
||||||
|
app.kubernetes.io/part-of: nginx-service-mesh
|
||||||
|
spec:
|
||||||
|
replicas: 1
|
||||||
|
selector:
|
||||||
|
matchLabels:
|
||||||
|
app.kubernetes.io/name: nginx-mesh-metrics
|
||||||
|
app.kubernetes.io/part-of: nginx-service-mesh
|
||||||
|
template:
|
||||||
|
metadata:
|
||||||
|
labels:
|
||||||
|
app.kubernetes.io/name: nginx-mesh-metrics
|
||||||
|
app.kubernetes.io/part-of: nginx-service-mesh
|
||||||
|
spiffe.io/spiffeid: "true"
|
||||||
|
spec:
|
||||||
|
serviceAccountName: nginx-mesh-metrics
|
||||||
|
containers:
|
||||||
|
- name: nginx-mesh-metrics
|
||||||
|
image: {{ .Values.registry.server }}/nginx-mesh-metrics:{{ .Values.registry.imageTag }}
|
||||||
|
imagePullPolicy: {{ .Values.registry.imagePullPolicy }}
|
||||||
|
args:
|
||||||
|
- "--prometheus-address={{ include "prometheus.address" . }}"
|
||||||
|
readinessProbe:
|
||||||
|
httpGet:
|
||||||
|
scheme: HTTPS
|
||||||
|
path: "/liveness"
|
||||||
|
port: 8080
|
||||||
|
initialDelaySeconds: 5
|
||||||
|
periodSeconds: 10
|
||||||
|
failureThreshold: 30
|
||||||
|
livenessProbe:
|
||||||
|
httpGet:
|
||||||
|
scheme: HTTPS
|
||||||
|
path: "/liveness"
|
||||||
|
port: 8080
|
||||||
|
initialDelaySeconds: 5
|
||||||
|
periodSeconds: 10
|
||||||
|
failureThreshold: 30
|
||||||
|
ports:
|
||||||
|
- name: metrics
|
||||||
|
containerPort: 8080
|
||||||
|
volumeMounts:
|
||||||
|
- name: spire-agent-socket
|
||||||
|
mountPath: "/run/spire/sockets"
|
||||||
|
volumes:
|
||||||
|
- name: spire-agent-socket
|
||||||
|
{{ if eq .Values.environment "openshift" -}}
|
||||||
|
csi:
|
||||||
|
driver: wlapi-mounter.spire.nginx.com
|
||||||
|
readOnly: true
|
||||||
|
{{- else -}}
|
||||||
|
hostPath:
|
||||||
|
path: "/run/spire/sockets"
|
||||||
|
type: DirectoryOrCreate
|
||||||
|
{{- end }}
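Review bot: The `spire-agent-socket` volumeMount at L12839 is writable on the hostPath branch although the container only needs to connect to the agent's Workload API socket (a unix-socket connect does not need a writable mount), while the OpenShift `csi` branch of the very same volume at L12863 sets `readOnly: true`; add `readOnly: true` to the volumeMount so both environments get the same guarantee and the metrics process cannot write into `/run/spire/sockets` on the node. The hostPath also uses `type: DirectoryOrCreate` (L12879), so a pod scheduled where no spire-agent runs creates an empty directory instead of failing early; `type: Directory` would surface that misplacement, provided agent and metrics pod ordering allows it. The `nginx-mesh-metrics` container carries no `securityContext` (no `runAsNonRoot`, no `allowPrivilegeEscalation: false`, no dropped capabilities) and no `resources`; whether the image runs as a non-root user cannot be told from the chart, so confirm that before adding `runAsNonRoot: true`.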
|
|
@ -0,0 +1,351 @@
|
||||||
|
---
|
||||||
|
apiVersion: v1
|
||||||
|
kind: ServiceAccount
|
||||||
|
metadata:
|
||||||
|
name: post-delete
|
||||||
|
labels:
|
||||||
|
app.kubernetes.io/part-of: nginx-service-mesh
|
||||||
|
annotations:
|
||||||
|
"helm.sh/hook": post-delete
|
||||||
|
"helm.sh/hook-delete-policy": hook-succeeded,hook-failed
|
||||||
|
"helm.sh/hook-weight": "-5"
|
||||||
|
imagePullSecrets:
|
||||||
|
- name: {{ include "registry-key-name" . }}
|
||||||
|
---
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
kind: ClusterRole
|
||||||
|
metadata:
|
||||||
|
name: post-delete.builtin.nsm.nginx
|
||||||
|
labels:
|
||||||
|
app.kubernetes.io/part-of: nginx-service-mesh
|
||||||
|
annotations:
|
||||||
|
"helm.sh/hook": post-delete
|
||||||
|
"helm.sh/hook-delete-policy": hook-succeeded,hook-failed
|
||||||
|
"helm.sh/hook-weight": "-5"
|
||||||
|
rules:
|
||||||
|
- apiGroups:
|
||||||
|
- ''
|
||||||
|
resources:
|
||||||
|
- namespaces
|
||||||
|
verbs:
|
||||||
|
- get
|
||||||
|
- list
|
||||||
|
- patch
|
||||||
|
- apiGroups:
|
||||||
|
- spiffeid.spiffe.io
|
||||||
|
resources:
|
||||||
|
- spiffeids
|
||||||
|
verbs:
|
||||||
|
- get
|
||||||
|
- list
|
||||||
|
- patch
|
||||||
|
- update
|
||||||
|
{{- if eq .Values.environment "openshift" }}
|
||||||
|
- apiGroups:
|
||||||
|
- security.openshift.io
|
||||||
|
resources:
|
||||||
|
- securitycontextconstraints
|
||||||
|
resourceNames:
|
||||||
|
- post-delete-permissions.builtin.nsm.nginx
|
||||||
|
verbs:
|
||||||
|
- use
|
||||||
|
{{- end }}
|
||||||
|
---
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
kind: ClusterRoleBinding
|
||||||
|
metadata:
|
||||||
|
name: post-delete.builtin.nsm.nginx
|
||||||
|
labels:
|
||||||
|
app.kubernetes.io/part-of: nginx-service-mesh
|
||||||
|
annotations:
|
||||||
|
"helm.sh/hook": post-delete
|
||||||
|
"helm.sh/hook-delete-policy": hook-succeeded,hook-failed
|
||||||
|
"helm.sh/hook-weight": "-5"
|
||||||
|
roleRef:
|
||||||
|
apiGroup: rbac.authorization.k8s.io
|
||||||
|
kind: ClusterRole
|
||||||
|
name: post-delete.builtin.nsm.nginx
|
||||||
|
subjects:
|
||||||
|
- kind: ServiceAccount
|
||||||
|
name: post-delete
|
||||||
|
namespace: {{ .Release.Namespace }}
|
||||||
|
{{- if (include "docker-config-json" .) }}
|
||||||
|
---
|
||||||
|
apiVersion: v1
|
||||||
|
kind: Secret
|
||||||
|
metadata:
|
||||||
|
name: {{ include "registry-key-name" . }}
|
||||||
|
labels:
|
||||||
|
app.kubernetes.io/part-of: nginx-service-mesh
|
||||||
|
annotations:
|
||||||
|
"helm.sh/hook": post-delete
|
||||||
|
"helm.sh/hook-delete-policy": hook-succeeded,hook-failed
|
||||||
|
"helm.sh/hook-weight": "-5"
|
||||||
|
data:
|
||||||
|
.dockerconfigjson: {{ include "docker-config-json" . | b64enc }}
|
||||||
|
type: kubernetes.io/dockerconfigjson
|
||||||
|
{{- end }}
|
||||||
|
---
|
||||||
|
apiVersion: batch/v1
|
||||||
|
kind: Job
|
||||||
|
metadata:
|
||||||
|
name: remove-spiffeids
|
||||||
|
labels:
|
||||||
|
app.kubernetes.io/part-of: nginx-service-mesh
|
||||||
|
annotations:
|
||||||
|
"helm.sh/hook": post-delete
|
||||||
|
"helm.sh/hook-delete-policy": hook-succeeded,hook-failed
|
||||||
|
"helm.sh/hook-weight": "0"
|
||||||
|
spec:
|
||||||
|
template:
|
||||||
|
metadata:
|
||||||
|
name: remove-spiffeids
|
||||||
|
spec:
|
||||||
|
restartPolicy: Never
|
||||||
|
serviceAccountName: post-delete
|
||||||
|
containers:
|
||||||
|
- name: remove-spiffeids
|
||||||
|
image: {{ include "hook.image-server" . }}/kubectl
|
||||||
|
imagePullPolicy: {{ .Values.registry.imagePullPolicy }}
|
||||||
|
securityContext:
|
||||||
|
runAsUser: 0
|
||||||
|
command:
|
||||||
|
- /bin/sh
|
||||||
|
- -c
|
||||||
|
- |
|
||||||
|
for ns in $(kubectl get ns | awk '{print $1}' | tail -n +2); do
|
||||||
|
if [ $(kubectl get spiffeids -n $ns 2>/dev/null | wc -l) -ne 0 ]; then
|
||||||
|
kubectl patch spiffeid $(kubectl get spiffeids -n $ns | awk '{print $1}' | tail -n +2) --type='merge' -p '{"metadata":{"finalizers":null}}' -n $ns
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
---
|
||||||
|
apiVersion: batch/v1
|
||||||
|
kind: Job
|
||||||
|
metadata:
|
||||||
|
name: remove-namespace-label
|
||||||
|
labels:
|
||||||
|
app.kubernetes.io/part-of: nginx-service-mesh
|
||||||
|
annotations:
|
||||||
|
"helm.sh/hook": post-delete
|
||||||
|
"helm.sh/hook-delete-policy": hook-succeeded,hook-failed
|
||||||
|
"helm.sh/hook-weight": "0"
|
||||||
|
spec:
|
||||||
|
template:
|
||||||
|
metadata:
|
||||||
|
name: remove-namespace-label
|
||||||
|
spec:
|
||||||
|
restartPolicy: Never
|
||||||
|
serviceAccountName: post-delete
|
||||||
|
containers:
|
||||||
|
- name: remove-namespace-label
|
||||||
|
image: {{ include "hook.image-server" . }}/kubectl
|
||||||
|
imagePullPolicy: {{ .Values.registry.imagePullPolicy }}
|
||||||
|
securityContext:
|
||||||
|
runAsUser: 0
|
||||||
|
command:
|
||||||
|
- /bin/sh
|
||||||
|
- -c
|
||||||
|
- |
|
||||||
|
kubectl label namespace kube-system injector.nsm.nginx.com/auto-inject-
|
||||||
|
kubectl label namespace {{ .Release.Namespace }} injector.nsm.nginx.com/auto-inject- app.kubernetes.io/part-of-
|
||||||
|
{{- if .Values.rancher }}
|
||||||
|
kubectl label namespace ingress-nginx cert-manager injector.nsm.nginx.com/auto-inject-
|
||||||
|
for ns in $(kubectl get ns | awk '{print $1}' | tail -n +2); do
|
||||||
|
case "$ns" in
|
||||||
|
cattle-*) kubectl label namespace $ns injector.nsm.nginx.com/auto-inject- ;;
|
||||||
|
esac
|
||||||
|
done
|
||||||
|
{{- end }}
|
||||||
|
{{- if eq .Values.environment "openshift" }}
|
||||||
|
---
|
||||||
|
apiVersion: v1
|
||||||
|
kind: ServiceAccount
|
||||||
|
metadata:
|
||||||
|
name: post-delete-csi
|
||||||
|
labels:
|
||||||
|
app.kubernetes.io/part-of: nginx-service-mesh
|
||||||
|
annotations:
|
||||||
|
"helm.sh/hook": post-delete
|
||||||
|
"helm.sh/hook-delete-policy": hook-succeeded,hook-failed
|
||||||
|
"helm.sh/hook-weight": "-5"
|
||||||
|
imagePullSecrets:
|
||||||
|
- name: {{ include "registry-key-name" . }}
|
||||||
|
---
|
||||||
|
apiVersion: security.openshift.io/v1
|
||||||
|
kind: SecurityContextConstraints
|
||||||
|
metadata:
|
||||||
|
name: post-delete-permissions.builtin.nsm.nginx
|
||||||
|
labels:
|
||||||
|
app.kubernetes.io/part-of: nginx-service-mesh
|
||||||
|
annotations:
|
||||||
|
"helm.sh/hook": post-delete
|
||||||
|
"helm.sh/hook-delete-policy": hook-succeeded,hook-failed
|
||||||
|
"helm.sh/hook-weight": "-5"
|
||||||
|
allowHostDirVolumePlugin: false
|
||||||
|
allowHostIPC: false
|
||||||
|
allowHostNetwork: false
|
||||||
|
allowHostPID: false
|
||||||
|
allowHostPorts: false
|
||||||
|
allowPrivilegedContainer: false
|
||||||
|
seLinuxContext:
|
||||||
|
type: MustRunAs
|
||||||
|
runAsUser:
|
||||||
|
type: RunAsAny
|
||||||
|
readOnlyRootFilesystem: false
|
||||||
|
---
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
kind: ClusterRoleBinding
|
||||||
|
metadata:
|
||||||
|
name: post-delete-csi.builtin.nsm.nginx
|
||||||
|
labels:
|
||||||
|
app.kubernetes.io/part-of: nginx-service-mesh
|
||||||
|
annotations:
|
||||||
|
"helm.sh/hook": post-delete
|
||||||
|
"helm.sh/hook-delete-policy": hook-succeeded,hook-failed
|
||||||
|
"helm.sh/hook-weight": "-5"
|
||||||
|
roleRef:
|
||||||
|
apiGroup: rbac.authorization.k8s.io
|
||||||
|
kind: ClusterRole
|
||||||
|
name: cluster-admin
|
||||||
|
subjects:
|
||||||
|
- kind: ServiceAccount
|
||||||
|
name: post-delete-csi
|
||||||
|
namespace: {{ .Release.Namespace }}
|
||||||
|
---
|
||||||
|
apiVersion: v1
|
||||||
|
kind: ConfigMap
|
||||||
|
metadata:
|
||||||
|
name: csi-driver-cleanup
|
||||||
|
labels:
|
||||||
|
app.kubernetes.io/part-of: nginx-service-mesh
|
||||||
|
annotations:
|
||||||
|
"helm.sh/hook": post-delete
|
||||||
|
"helm.sh/hook-delete-policy": hook-succeeded,hook-failed
|
||||||
|
"helm.sh/hook-weight": "-5"
|
||||||
|
data:
|
||||||
|
sentinel.yaml: |
|
||||||
|
---
|
||||||
|
apiVersion: v1
|
||||||
|
kind: ServiceAccount
|
||||||
|
metadata:
|
||||||
|
name: csi-driver-sentinel
|
||||||
|
labels:
|
||||||
|
app.kubernetes.io/part-of: nginx-service-mesh
|
||||||
|
imagePullSecrets:
|
||||||
|
- name: {{ include "registry-key-name" . }}
|
||||||
|
---
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
kind: ClusterRoleBinding
|
||||||
|
metadata:
|
||||||
|
name: csi-driver-sentinel.builtin.nsm.nginx
|
||||||
|
labels:
|
||||||
|
app.kubernetes.io/part-of: nginx-service-mesh
|
||||||
|
roleRef:
|
||||||
|
apiGroup: rbac.authorization.k8s.io
|
||||||
|
kind: ClusterRole
|
||||||
|
name: cluster-admin
|
||||||
|
subjects:
|
||||||
|
- kind: ServiceAccount
|
||||||
|
name: csi-driver-sentinel
|
||||||
|
namespace: {{ .Release.Namespace }}
|
||||||
|
---
|
||||||
|
apiVersion: batch/v1
|
||||||
|
kind: Job
|
||||||
|
metadata:
|
||||||
|
name: csi-driver-sentinel
|
||||||
|
labels:
|
||||||
|
app.kubernetes.io/part-of: nginx-service-mesh
|
||||||
|
spec:
|
||||||
|
ttlSecondsAfterFinished: 0
|
||||||
|
template:
|
||||||
|
spec:
|
||||||
|
restartPolicy: Never
|
||||||
|
serviceAccountName: csi-driver-sentinel
|
||||||
|
containers:
|
||||||
|
- name: csi-driver-sentinel
|
||||||
|
image: {{ include "hook.image-server" . }}/kubectl
|
||||||
|
imagePullPolicy: {{ .Values.registry.imagePullPolicy }}
|
||||||
|
command:
|
||||||
|
- /bin/sh
|
||||||
|
- -c
|
||||||
|
- |
|
||||||
|
while [ $(kubectl get pods -A -o=jsonpath='{.items[?(@.metadata.annotations.injector\.nsm\.nginx\.com/status=="injected")].metadata.name}' | wc -w) -gt 0 ]; do
|
||||||
|
sleep 5
|
||||||
|
done
|
||||||
|
kubectl delete daemonset spire-agent
|
||||||
|
kubectl delete serviceaccount spire-agent
|
||||||
|
kubectl delete clusterrole system:openshift:scc:nginx-mesh-spire-agent-permissions
|
||||||
|
kubectl delete rolebinding system:openshift:scc:nginx-mesh-spire-agent-permissions
|
||||||
|
kubectl delete scc nginx-mesh-spire-agent-permissions
|
||||||
|
kubectl delete secret {{ include "registry-key-name" . }}
|
||||||
|
kubectl delete serviceaccount csi-driver-sentinel
|
||||||
|
kubectl delete clusterrolebinding csi-driver-sentinel.builtin.nsm.nginx
|
||||||
|
{{- if (include "docker-config-json" .) }}
|
||||||
|
secret.yaml: |
|
||||||
|
---
|
||||||
|
apiVersion: v1
|
||||||
|
kind: Secret
|
||||||
|
metadata:
|
||||||
|
name: {{ include "registry-key-name" . }}
|
||||||
|
labels:
|
||||||
|
app.kubernetes.io/part-of: nginx-service-mesh
|
||||||
|
data:
|
||||||
|
.dockerconfigjson: {{ include "docker-config-json" . | b64enc }}
|
||||||
|
type: kubernetes.io/dockerconfigjson
|
||||||
|
{{- end }}
|
||||||
|
---
|
||||||
|
apiVersion: batch/v1
|
||||||
|
kind: Job
|
||||||
|
metadata:
|
||||||
|
name: csi-driver-cleanup
|
||||||
|
labels:
|
||||||
|
app.kubernetes.io/part-of: nginx-service-mesh
|
||||||
|
annotations:
|
||||||
|
"helm.sh/hook": post-delete
|
||||||
|
"helm.sh/hook-delete-policy": hook-succeeded,hook-failed
|
||||||
|
"helm.sh/hook-weight": "5"
|
||||||
|
spec:
|
||||||
|
template:
|
||||||
|
metadata:
|
||||||
|
name: csi-driver-cleanup
|
||||||
|
spec:
|
||||||
|
restartPolicy: Never
|
||||||
|
serviceAccountName: post-delete-csi
|
||||||
|
containers:
|
||||||
|
- name: csi-driver-cleanup
|
||||||
|
image: {{ include "hook.image-server" . }}/kubectl
|
||||||
|
imagePullPolicy: {{ .Values.registry.imagePullPolicy }}
|
||||||
|
securityContext:
|
||||||
|
runAsUser: 0
|
||||||
|
command:
|
||||||
|
- /bin/sh
|
||||||
|
- -c
|
||||||
|
- |
|
||||||
|
res=$(kubectl get pods -o=jsonpath='{.items[?(@.metadata.annotations.injector\.nsm\.nginx\.com/status=="injected")].metadata.name}' -A | wc -w)
|
||||||
|
if [ $res -eq 0 ]; then
|
||||||
|
kubectl delete daemonset spire-agent
|
||||||
|
kubectl delete serviceaccount spire-agent
|
||||||
|
kubectl delete clusterrole system:openshift:scc:nginx-mesh-spire-agent-permissions
|
||||||
|
kubectl delete rolebinding system:openshift:scc:nginx-mesh-spire-agent-permissions
|
||||||
|
kubectl delete scc nginx-mesh-spire-agent-permissions
|
||||||
|
else
|
||||||
|
idx=$(kubectl get daemonset spire-agent -o json | jq '.spec.template.spec.containers | map(.name == "spire-agent") | index(true)')
|
||||||
|
kubectl patch daemonset spire-agent --type=json -p="[{'op': 'remove', 'path': '/spec/template/spec/containers/$idx'}]"
|
||||||
|
idx=$(kubectl get daemonset spire-agent -o json | jq '.spec.template.spec.initContainers | map(.name == "init") | index(true)')
|
||||||
|
kubectl patch daemonset spire-agent --type=json -p="[{'op': 'remove', 'path': '/spec/template/spec/initContainers/$idx'}]"
|
||||||
|
{{- if (include "docker-config-json" .) }}
|
||||||
|
kubectl get secret {{ include "registry-key-name" . }}
|
||||||
|
if [ $? != 0 ]; then
|
||||||
|
kubectl create -f /tmp/config/secret.yaml
|
||||||
|
fi
|
||||||
|
{{- end }}
|
||||||
|
kubectl create -f /tmp/config/sentinel.yaml
|
||||||
|
fi
|
||||||
|
volumeMounts:
|
||||||
|
- name: sentinel
|
||||||
|
mountPath: /tmp/config
|
||||||
|
volumes:
|
||||||
|
- name: sentinel
|
||||||
|
configMap:
|
||||||
|
name: csi-driver-cleanup
|
||||||
|
{{- end }}
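Review bot: Both post-delete hook service accounts are bound to `cluster-admin` (L13722 for `post-delete-csi`, L13870 for `csi-driver-sentinel` inside the `sentinel.yaml` ConfigMap entry), although the two scripts at L13974–L14014 and L14182–L14254 only list pods cluster-wide, delete or patch the `spire-agent` DaemonSet, ServiceAccount and registry Secret in the release namespace, delete one ClusterRole, RoleBinding and SCC, and create the sentinel ServiceAccount, ClusterRoleBinding and Job; a dedicated ClusterRole naming exactly those resources and verbs bounds what a compromised hook pod can do, with `roleRef.name: cluster-admin` replaced by the scoped role on both bindings. Because the cleanup job itself creates the sentinel's ClusterRoleBinding, RBAC escalation prevention requires the `post-delete-csi` role to be a superset of the sentinel role (or to hold `bind` on it) and, on OpenShift, to have `use` on an SCC that permits the `runAsUser: 0` at L14162, so scope the sentinel role first and derive the cleanup role from it. The sentinel binding has no Helm hook annotations and is only removed by the last line of the sentinel script (L14014), so it outlives an evicted or killed sentinel pod; `resourceNames` on the delete rules would further narrow it. The verbs below are read off the two scripts; kubectl's default `--wait` on delete may additionally need `get`/`watch`, which should be confirmed by exercising the hook under the reduced role.
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: csi-driver-sentinel.builtin.nsm.nginx
  labels:
    app.kubernetes.io/part-of: nginx-service-mesh
rules:
  - apiGroups: [""]
    resources: [pods]
    verbs: [list]
  - apiGroups: [""]
    resources: [serviceaccounts, secrets]
    verbs: [get, delete]
  - apiGroups: [apps]
    resources: [daemonsets]
    verbs: [get, delete]
  - apiGroups: [rbac.authorization.k8s.io]
    resources: [clusterroles, rolebindings, clusterrolebindings]
    verbs: [get, delete]
  - apiGroups: [security.openshift.io]
    resources: [securitycontextconstraints]
    verbs: [get, delete]
# … post-delete-csi.builtin.nsm.nginx: the rules above plus patch on daemonsets
#   and create on serviceaccounts, secrets, clusterrolebindings and batch/jobs …
```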
|
|
@ -0,0 +1,79 @@
|
||||||
|
apiVersion: v1
|
||||||
|
kind: ServiceAccount
|
||||||
|
metadata:
|
||||||
|
name: pre-delete
|
||||||
|
labels:
|
||||||
|
app.kubernetes.io/part-of: nginx-service-mesh
|
||||||
|
annotations:
|
||||||
|
"helm.sh/hook": pre-delete
|
||||||
|
"helm.sh/hook-delete-policy": hook-succeeded,hook-failed
|
||||||
|
"helm.sh/hook-weight": "-5"
|
||||||
|
imagePullSecrets:
|
||||||
|
- name: {{ include "registry-key-name" . }}
|
||||||
|
---
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
kind: ClusterRole
|
||||||
|
metadata:
|
||||||
|
name: pre-delete.builtin.nsm.nginx
|
||||||
|
labels:
|
||||||
|
app.kubernetes.io/part-of: nginx-service-mesh
|
||||||
|
annotations:
|
||||||
|
"helm.sh/hook": pre-delete
|
||||||
|
"helm.sh/hook-delete-policy": hook-succeeded,hook-failed
|
||||||
|
"helm.sh/hook-weight": "-5"
|
||||||
|
rules:
|
||||||
|
- apiGroups:
|
||||||
|
- nsm.nginx.com
|
||||||
|
resources:
|
||||||
|
- clear
|
||||||
|
verbs:
|
||||||
|
- create
|
||||||
|
---
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
kind: ClusterRoleBinding
|
||||||
|
metadata:
|
||||||
|
name: pre-delete.builtin.nsm.nginx
|
||||||
|
labels:
|
||||||
|
app.kubernetes.io/part-of: nginx-service-mesh
|
||||||
|
annotations:
|
||||||
|
"helm.sh/hook": pre-delete
|
||||||
|
"helm.sh/hook-delete-policy": hook-succeeded,hook-failed
|
||||||
|
"helm.sh/hook-weight": "-5"
|
||||||
|
roleRef:
|
||||||
|
apiGroup: rbac.authorization.k8s.io
|
||||||
|
kind: ClusterRole
|
||||||
|
name: pre-delete.builtin.nsm.nginx
|
||||||
|
subjects:
|
||||||
|
- kind: ServiceAccount
|
||||||
|
name: pre-delete
|
||||||
|
namespace: {{ .Release.Namespace }}
|
||||||
|
---
|
||||||
|
apiVersion: batch/v1
|
||||||
|
kind: Job
|
||||||
|
metadata:
|
||||||
|
name: turn-proxies-transparent
|
||||||
|
labels:
|
||||||
|
app.kubernetes.io/part-of: nginx-service-mesh
|
||||||
|
annotations:
|
||||||
|
"helm.sh/hook": pre-delete
|
||||||
|
"helm.sh/hook-delete-policy": hook-succeeded,hook-failed
|
||||||
|
"helm.sh/hook-weight": "0"
|
||||||
|
spec:
|
||||||
|
template:
|
||||||
|
metadata:
|
||||||
|
name: turn-proxies-transparent
|
||||||
|
spec:
|
||||||
|
restartPolicy: Never
|
||||||
|
serviceAccountName: pre-delete
|
||||||
|
containers:
|
||||||
|
- name: turn-proxies-transparent
|
||||||
|
image: {{ include "hook.image-server" . }}/kubectl
|
||||||
|
imagePullPolicy: {{ .Values.registry.imagePullPolicy }}
|
||||||
|
command:
|
||||||
|
- /bin/sh
|
||||||
|
- -c
|
||||||
|
- |
|
||||||
|
echo "" | kubectl create --raw /apis/nsm.nginx.com/v1alpha1/clear -f -
|
||||||
|
exit 0
|
||||||
|
imagePullSecrets:
|
||||||
|
- name: {{ include "registry-key-name" . }}
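Review bot: The unconditional `exit 0` at L14601 turns any failure of the `clear` request at L14597 into a successful hook, so `helm uninstall` proceeds even when the mesh API could not be reached, and injected workloads presumably keep proxy configuration that assumes a mesh which no longer exists. If the intent is not to block uninstall, at least make the failure visible in the job log: `echo "" | kubectl create --raw /apis/nsm.nginx.com/v1alpha1/clear -f - || echo "warning: clear request failed; injected pods may retain their proxy configuration" >&2`, keeping the `exit 0` after it. The pod-level `imagePullSecrets` at L14605 repeats what the `pre-delete` ServiceAccount already declares at L14341 and can be dropped. The hook ClusterRole at L14389–L14413 is appropriately minimal (`create` on `nsm.nginx.com/clear` only) and is a good template for the other hook roles in this commit.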
|
|
@ -0,0 +1,138 @@
|
||||||
|
---
|
||||||
|
apiVersion: v1
|
||||||
|
kind: ServiceAccount
|
||||||
|
metadata:
|
||||||
|
name: pre-install
|
||||||
|
labels:
|
||||||
|
app.kubernetes.io/part-of: nginx-service-mesh
|
||||||
|
annotations:
|
||||||
|
"helm.sh/hook": pre-install
|
||||||
|
"helm.sh/hook-delete-policy": hook-succeeded,hook-failed
|
||||||
|
"helm.sh/hook-weight": "-5"
|
||||||
|
imagePullSecrets:
|
||||||
|
- name: {{ include "registry-key-name" . }}
|
||||||
|
---
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
kind: ClusterRole
|
||||||
|
metadata:
|
||||||
|
name: pre-install.builtin.nsm.nginx
|
||||||
|
labels:
|
||||||
|
app.kubernetes.io/part-of: nginx-service-mesh
|
||||||
|
annotations:
|
||||||
|
"helm.sh/hook": pre-install
|
||||||
|
"helm.sh/hook-delete-policy": hook-succeeded,hook-failed
|
||||||
|
"helm.sh/hook-weight": "-5"
|
||||||
|
rules:
|
||||||
|
- apiGroups:
|
||||||
|
- ''
|
||||||
|
resources:
|
||||||
|
- namespaces
|
||||||
|
verbs:
|
||||||
|
- get
|
||||||
|
- list
|
||||||
|
- patch
|
||||||
|
{{- if eq .Values.environment "openshift" }}
|
||||||
|
- apiGroups:
|
||||||
|
- security.openshift.io
|
||||||
|
resources:
|
||||||
|
- securitycontextconstraints
|
||||||
|
resourceNames:
|
||||||
|
- pre-install-permissions.builtin.nsm.nginx
|
||||||
|
verbs:
|
||||||
|
- use
|
||||||
|
---
|
||||||
|
apiVersion: security.openshift.io/v1
|
||||||
|
kind: SecurityContextConstraints
|
||||||
|
metadata:
|
||||||
|
name: pre-install-permissions.builtin.nsm.nginx
|
||||||
|
labels:
|
||||||
|
app.kubernetes.io/part-of: nginx-service-mesh
|
||||||
|
annotations:
|
||||||
|
"helm.sh/hook": pre-install
|
||||||
|
"helm.sh/hook-delete-policy": hook-succeeded,hook-failed
|
||||||
|
"helm.sh/hook-weight": "-5"
|
||||||
|
allowHostDirVolumePlugin: false
|
||||||
|
allowHostIPC: false
|
||||||
|
allowHostNetwork: false
|
||||||
|
allowHostPID: false
|
||||||
|
allowHostPorts: false
|
||||||
|
allowPrivilegedContainer: false
|
||||||
|
seLinuxContext:
|
||||||
|
type: MustRunAs
|
||||||
|
runAsUser:
|
||||||
|
type: RunAsAny
|
||||||
|
readOnlyRootFilesystem: false
|
||||||
|
{{- end }}
|
||||||
|
---
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
kind: ClusterRoleBinding
|
||||||
|
metadata:
|
||||||
|
name: pre-install.builtin.nsm.nginx
|
||||||
|
labels:
|
||||||
|
app.kubernetes.io/part-of: nginx-service-mesh
|
||||||
|
annotations:
|
||||||
|
"helm.sh/hook": pre-install
|
||||||
|
"helm.sh/hook-delete-policy": hook-succeeded,hook-failed
|
||||||
|
"helm.sh/hook-weight": "-5"
|
||||||
|
roleRef:
|
||||||
|
apiGroup: rbac.authorization.k8s.io
|
||||||
|
kind: ClusterRole
|
||||||
|
name: pre-install.builtin.nsm.nginx
|
||||||
|
subjects:
|
||||||
|
- kind: ServiceAccount
|
||||||
|
name: pre-install
|
||||||
|
namespace: {{ .Release.Namespace }}
|
||||||
|
{{- if (include "docker-config-json" .) }}
|
||||||
|
---
|
||||||
|
apiVersion: v1
|
||||||
|
kind: Secret
|
||||||
|
metadata:
|
||||||
|
name: {{ include "registry-key-name" . }}
|
||||||
|
labels:
|
||||||
|
app.kubernetes.io/part-of: nginx-service-mesh
|
||||||
|
annotations:
|
||||||
|
"helm.sh/hook": pre-install
|
||||||
|
"helm.sh/hook-delete-policy": hook-succeeded,hook-failed
|
||||||
|
"helm.sh/hook-weight": "-5"
|
||||||
|
data:
|
||||||
|
.dockerconfigjson: {{ include "docker-config-json" . | b64enc }}
|
||||||
|
type: kubernetes.io/dockerconfigjson
|
||||||
|
{{- end }}
|
||||||
|
---
|
||||||
|
apiVersion: batch/v1
|
||||||
|
kind: Job
|
||||||
|
metadata:
|
||||||
|
name: label-namespace
|
||||||
|
labels:
|
||||||
|
app.kubernetes.io/part-of: nginx-service-mesh
|
||||||
|
annotations:
|
||||||
|
"helm.sh/hook": pre-install
|
||||||
|
"helm.sh/hook-delete-policy": hook-succeeded,hook-failed
|
||||||
|
"helm.sh/hook-weight": "0"
|
||||||
|
spec:
|
||||||
|
template:
|
||||||
|
metadata:
|
||||||
|
name: label-namespace
|
||||||
|
spec:
|
||||||
|
restartPolicy: Never
|
||||||
|
serviceAccountName: pre-install
|
||||||
|
containers:
|
||||||
|
- name: label-namespace
|
||||||
|
image: {{ include "hook.image-server" . }}/kubectl
|
||||||
|
imagePullPolicy: {{ .Values.registry.imagePullPolicy }}
|
||||||
|
securityContext:
|
||||||
|
runAsUser: 0
|
||||||
|
command:
|
||||||
|
- /bin/sh
|
||||||
|
- -c
|
||||||
|
- |
|
||||||
|
kubectl label namespace kube-system injector.nsm.nginx.com/auto-inject=false
|
||||||
|
kubectl label namespace {{ .Release.Namespace }} --overwrite injector.nsm.nginx.com/auto-inject=false app.kubernetes.io/part-of=nginx-service-mesh
|
||||||
|
{{- if .Values.rancher }}
|
||||||
|
kubectl label namespace ingress-nginx cert-manager injector.nsm.nginx.com/auto-inject=false
|
||||||
|
for ns in $(kubectl get ns | awk '{print $1}' | tail -n +2); do
|
||||||
|
case "$ns" in
|
||||||
|
cattle-*) kubectl label namespace $ns injector.nsm.nginx.com/auto-inject=false ;;
|
||||||
|
esac
|
||||||
|
done
|
||||||
|
{{- end }}
|
|
@ -0,0 +1,79 @@
|
||||||
|
{{- if eq .Values.environment "openshift" }}
|
||||||
|
---
|
||||||
|
apiVersion: v1
|
||||||
|
kind: ServiceAccount
|
||||||
|
metadata:
|
||||||
|
name: pre-upgrade
|
||||||
|
labels:
|
||||||
|
app.kubernetes.io/part-of: nginx-service-mesh
|
||||||
|
annotations:
|
||||||
|
"helm.sh/hook": pre-upgrade
|
||||||
|
"helm.sh/hook-delete-policy": hook-succeeded,hook-failed
|
||||||
|
"helm.sh/hook-weight": "-5"
|
||||||
|
imagePullSecrets:
|
||||||
|
- name: {{ include "registry-key-name" . }}
|
||||||
|
---
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
kind: Role
|
||||||
|
metadata:
|
||||||
|
name: pre-upgrade
|
||||||
|
labels:
|
||||||
|
app.kubernetes.io/part-of: nginx-service-mesh
|
||||||
|
annotations:
|
||||||
|
"helm.sh/hook": pre-upgrade
|
||||||
|
"helm.sh/hook-delete-policy": hook-succeeded,hook-failed
|
||||||
|
"helm.sh/hook-weight": "-5"
|
||||||
|
rules:
|
||||||
|
- apiGroups:
|
||||||
|
- apps
|
||||||
|
resources:
|
||||||
|
- daemonsets
|
||||||
|
verbs:
|
||||||
|
- delete
|
||||||
|
---
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
kind: RoleBinding
|
||||||
|
metadata:
|
||||||
|
name: pre-upgrade
|
||||||
|
labels:
|
||||||
|
app.kubernetes.io/part-of: nginx-service-mesh
|
||||||
|
annotations:
|
||||||
|
"helm.sh/hook": pre-upgrade
|
||||||
|
"helm.sh/hook-delete-policy": hook-succeeded,hook-failed
|
||||||
|
"helm.sh/hook-weight": "-5"
|
||||||
|
roleRef:
|
||||||
|
apiGroup: rbac.authorization.k8s.io
|
||||||
|
kind: Role
|
||||||
|
name: pre-upgrade
|
||||||
|
subjects:
|
||||||
|
- kind: ServiceAccount
|
||||||
|
name: pre-upgrade
|
||||||
|
namespace: {{ .Release.Namespace }}
|
||||||
|
---
|
||||||
|
apiVersion: batch/v1
|
||||||
|
kind: Job
|
||||||
|
metadata:
|
||||||
|
name: delete-spire-agent
|
||||||
|
labels:
|
||||||
|
app.kubernetes.io/part-of: nginx-service-mesh
|
||||||
|
annotations:
|
||||||
|
"helm.sh/hook": pre-upgrade
|
||||||
|
"helm.sh/hook-delete-policy": hook-succeeded,hook-failed
|
||||||
|
"helm.sh/hook-weight": "0"
|
||||||
|
spec:
|
||||||
|
template:
|
||||||
|
metadata:
|
||||||
|
name: delete-spire-agent
|
||||||
|
spec:
|
||||||
|
restartPolicy: Never
|
||||||
|
serviceAccountName: pre-upgrade
|
||||||
|
containers:
|
||||||
|
- name: delete-spire-agent
|
||||||
|
image: {{ include "hook.image-server" . }}/kubectl
|
||||||
|
imagePullPolicy: {{ .Values.registry.imagePullPolicy }}
|
||||||
|
command:
|
||||||
|
- /bin/sh
|
||||||
|
- -c
|
||||||
|
- |
|
||||||
|
kubectl delete daemonset spire-agent
|
||||||
|
{{- end }}
|
|
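Review bot: The `pre-upgrade` Role grants `delete` on every DaemonSet in the release namespace, while the `delete-spire-agent` Job only ever removes `spire-agent`; `delete` honours `resourceNames`, so the rule can be narrowed with `resourceNames:` / `- spire-agent` under the `daemonsets` resource. The Job's command `kubectl delete daemonset spire-agent` exits non-zero when the DaemonSet is already gone, which fails the pre-upgrade hook and therefore the upgrade on any re-run; `kubectl delete daemonset spire-agent --ignore-not-found` keeps the hook idempotent. The hook image `{{ include "hook.image-server" . }}/kubectl` carries no tag, so the pull floats on whatever the registry serves as its default tag and the hook is not reproducible across installs; pin a version tag, or better a digest, and the same applies to the `label-namespace` Job in the preceding pre-install file and to the `init` initContainer of the spire-agent DaemonSet. With `"helm.sh/hook-delete-policy": hook-succeeded,hook-failed` a failed Job is removed together with its logs, so consider whether `hook-failed` should be kept here or documented as intentional.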
@ -0,0 +1,114 @@
|
||||||
|
{{- if eq .Values.prometheusAddress "" }}
|
||||||
|
---
|
||||||
|
apiVersion: v1
|
||||||
|
kind: ServiceAccount
|
||||||
|
metadata:
|
||||||
|
name: prometheus
|
||||||
|
labels:
|
||||||
|
app.kubernetes.io/part-of: nginx-service-mesh
|
||||||
|
imagePullSecrets:
|
||||||
|
- name: {{ include "registry-key-name" . }}
|
||||||
|
---
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
kind: ClusterRole
|
||||||
|
metadata:
|
||||||
|
name: prometheus.metrics.builtin.nsm.nginx
|
||||||
|
labels:
|
||||||
|
app.kubernetes.io/part-of: nginx-service-mesh
|
||||||
|
rules:
|
||||||
|
- apiGroups:
|
||||||
|
- ''
|
||||||
|
resources:
|
||||||
|
- services
|
||||||
|
- endpoints
|
||||||
|
- pods
|
||||||
|
verbs:
|
||||||
|
- get
|
||||||
|
- list
|
||||||
|
- watch
|
||||||
|
- nonResourceURLs:
|
||||||
|
- "/metrics"
|
||||||
|
verbs:
|
||||||
|
- get
|
||||||
|
---
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
kind: ClusterRoleBinding
|
||||||
|
metadata:
|
||||||
|
name: prometheus.metrics.builtin.nsm.nginx
|
||||||
|
labels:
|
||||||
|
app.kubernetes.io/part-of: nginx-service-mesh
|
||||||
|
roleRef:
|
||||||
|
apiGroup: rbac.authorization.k8s.io
|
||||||
|
kind: ClusterRole
|
||||||
|
name: prometheus.metrics.builtin.nsm.nginx
|
||||||
|
subjects:
|
||||||
|
- kind: ServiceAccount
|
||||||
|
name: prometheus
|
||||||
|
namespace: {{ .Release.Namespace }}
|
||||||
|
---
|
||||||
|
apiVersion: v1
|
||||||
|
kind: ConfigMap
|
||||||
|
metadata:
|
||||||
|
name: prometheus-configuration
|
||||||
|
labels:
|
||||||
|
app.kubernetes.io/part-of: nginx-service-mesh
|
||||||
|
binaryData:
|
||||||
|
prometheus.yaml: {{ .Files.Get "configs/prometheus-config.yaml" | b64enc }}
|
||||||
|
---
|
||||||
|
apiVersion: v1
|
||||||
|
kind: Service
|
||||||
|
metadata:
|
||||||
|
name: prometheus
|
||||||
|
labels:
|
||||||
|
app.kubernetes.io/name: prometheus
|
||||||
|
app.kubernetes.io/part-of: nginx-service-mesh
|
||||||
|
spec:
|
||||||
|
selector:
|
||||||
|
app.kubernetes.io/name: prometheus
|
||||||
|
app.kubernetes.io/part-of: nginx-service-mesh
|
||||||
|
type: ClusterIP
|
||||||
|
ports:
|
||||||
|
- port: 9090
|
||||||
|
targetPort: 9090
|
||||||
|
---
|
||||||
|
apiVersion: apps/v1
|
||||||
|
kind: Deployment
|
||||||
|
metadata:
|
||||||
|
name: prometheus
|
||||||
|
labels:
|
||||||
|
app.kubernetes.io/name: prometheus
|
||||||
|
app.kubernetes.io/part-of: nginx-service-mesh
|
||||||
|
spec:
|
||||||
|
replicas: 1
|
||||||
|
selector:
|
||||||
|
matchLabels:
|
||||||
|
app.kubernetes.io/name: prometheus
|
||||||
|
app.kubernetes.io/part-of: nginx-service-mesh
|
||||||
|
template:
|
||||||
|
metadata:
|
||||||
|
labels:
|
||||||
|
app.kubernetes.io/name: prometheus
|
||||||
|
app.kubernetes.io/part-of: nginx-service-mesh
|
||||||
|
spec:
|
||||||
|
serviceAccountName: prometheus
|
||||||
|
containers:
|
||||||
|
- name: prometheus
|
||||||
|
image: {{ include "prometheus.image-server" . }}/prometheus:v2.33.1
|
||||||
|
imagePullPolicy: {{ .Values.registry.imagePullPolicy }}
|
||||||
|
args:
|
||||||
|
- "--config.file=/etc/prometheus/prometheus.yaml"
|
||||||
|
- "--storage.tsdb.path=/prometheus/"
|
||||||
|
ports:
|
||||||
|
- containerPort: 9090
|
||||||
|
volumeMounts:
|
||||||
|
- name: prometheus-config-volume
|
||||||
|
mountPath: "/etc/prometheus"
|
||||||
|
- name: prometheus-storage-volume
|
||||||
|
mountPath: "/prometheus/"
|
||||||
|
volumes:
|
||||||
|
- name: prometheus-config-volume
|
||||||
|
configMap:
|
||||||
|
name: prometheus-configuration
|
||||||
|
- name: prometheus-storage-volume
|
||||||
|
emptyDir: {}
|
||||||
|
{{- end }}
|
|
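Review bot: The `prometheus` container sets no `securityContext` and no `resources`, so it runs with whatever UID and capabilities the node defaults give it and can consume unbounded CPU and memory on a pod that scrapes every mesh sidecar; the same applies to the `zipkin` container in the tracing template and to the `spire-server` and `k8s-workload-registrar` containers in the spire-server template, which on non-OpenShift clusters have no SCC to fall back on. As far as the args show, Prometheus writes only under the mounted `/prometheus/` path, so `readOnlyRootFilesystem: true` should be safe, but confirm against the image, and `runAsNonRoot: true` requires the image to declare a numeric non-root user. The request and limit values below are constructed placeholders to size for the cluster.
```yaml
      containers:
      - name: prometheus
        # … unchanged: image, imagePullPolicy, args, ports …
        securityContext:
          runAsNonRoot: true
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
          capabilities:
            drop: ["ALL"]
        resources:
          requests:
            cpu: 100m       # constructed placeholder
            memory: 256Mi   # constructed placeholder
          limits:
            memory: 1Gi     # constructed placeholder
        # … unchanged: volumeMounts …
```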
@ -0,0 +1,12 @@
|
||||||
|
{{- if (include "docker-config-json" .) }}
|
||||||
|
---
|
||||||
|
apiVersion: v1
|
||||||
|
kind: Secret
|
||||||
|
metadata:
|
||||||
|
name: {{ include "registry-key-name" . }}
|
||||||
|
labels:
|
||||||
|
app.kubernetes.io/part-of: nginx-service-mesh
|
||||||
|
data:
|
||||||
|
.dockerconfigjson: {{ include "docker-config-json" . | b64enc }}
|
||||||
|
type: kubernetes.io/dockerconfigjson
|
||||||
|
{{- end }}
|
|
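Review bot: This Secret materialises the registry credential that `docker-config-json` renders from chart values, so the same credential is also persisted by Helm in the release Secret it keeps for the chart, and anyone able to read Secrets in the namespace sees it twice; an `existingSecret`-style value naming a pre-created pull secret would keep the credential out of values and release history. It carries the same name as the pre-install hook Secret earlier in the commit, which its `hook-delete-policy` removes once the hook finishes, so as I read it the two never coexist; a template comment such as `{{/* re-created here because the pre-install copy is deleted by its hook-delete-policy */}}` would save the next reader from wondering about the duplication.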
@ -0,0 +1,307 @@
|
||||||
|
---
|
||||||
|
apiVersion: v1
|
||||||
|
kind: ServiceAccount
|
||||||
|
metadata:
|
||||||
|
name: spire-agent
|
||||||
|
labels:
|
||||||
|
app.kubernetes.io/part-of: nginx-service-mesh
|
||||||
|
{{- if eq .Values.environment "openshift" }}
|
||||||
|
annotations:
|
||||||
|
"helm.sh/resource-policy": keep
|
||||||
|
{{- end }}
|
||||||
|
imagePullSecrets:
|
||||||
|
- name: {{ include "registry-key-name" . }}
|
||||||
|
---
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
kind: ClusterRole
|
||||||
|
metadata:
|
||||||
|
name: spire-agent.security.builtin.nsm.nginx
|
||||||
|
labels:
|
||||||
|
app.kubernetes.io/part-of: nginx-service-mesh
|
||||||
|
rules:
|
||||||
|
- apiGroups:
|
||||||
|
- ''
|
||||||
|
resources:
|
||||||
|
- pods
|
||||||
|
- nodes
|
||||||
|
- nodes/proxy
|
||||||
|
verbs:
|
||||||
|
- get
|
||||||
|
- list
|
||||||
|
---
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
kind: ClusterRoleBinding
|
||||||
|
metadata:
|
||||||
|
name: spire-agent.security.builtin.nsm.nginx
|
||||||
|
labels:
|
||||||
|
app.kubernetes.io/part-of: nginx-service-mesh
|
||||||
|
roleRef:
|
||||||
|
apiGroup: rbac.authorization.k8s.io
|
||||||
|
kind: ClusterRole
|
||||||
|
name: spire-agent.security.builtin.nsm.nginx
|
||||||
|
subjects:
|
||||||
|
- kind: ServiceAccount
|
||||||
|
name: spire-agent
|
||||||
|
namespace: {{ .Release.Namespace }}
|
||||||
|
---
|
||||||
|
apiVersion: v1
|
||||||
|
kind: ConfigMap
|
||||||
|
metadata:
|
||||||
|
name: spire-agent
|
||||||
|
labels:
|
||||||
|
app.kubernetes.io/part-of: nginx-service-mesh
|
||||||
|
data:
|
||||||
|
agent.conf: {{ tpl (.Files.Get "configs/spire-agent.conf") . | quote }}
|
||||||
|
---
|
||||||
|
apiVersion: apps/v1
|
||||||
|
kind: DaemonSet
|
||||||
|
metadata:
|
||||||
|
name: spire-agent
|
||||||
|
labels:
|
||||||
|
app.kubernetes.io/name: spire-agent
|
||||||
|
app.kubernetes.io/part-of: nginx-service-mesh
|
||||||
|
{{- if eq .Values.environment "openshift" }}
|
||||||
|
annotations:
|
||||||
|
"helm.sh/resource-policy": keep
|
||||||
|
{{- end }}
|
||||||
|
spec:
|
||||||
|
selector:
|
||||||
|
matchLabels:
|
||||||
|
app.kubernetes.io/name: spire-agent
|
||||||
|
app.kubernetes.io/part-of: nginx-service-mesh
|
||||||
|
template:
|
||||||
|
metadata:
|
||||||
|
labels:
|
||||||
|
app.kubernetes.io/name: spire-agent
|
||||||
|
app.kubernetes.io/part-of: nginx-service-mesh
|
||||||
|
spec:
|
||||||
|
serviceAccountName: spire-agent
|
||||||
|
hostPID: true
|
||||||
|
hostNetwork: true
|
||||||
|
dnsPolicy: ClusterFirstWithHostNet
|
||||||
|
initContainers:
|
||||||
|
{{- if eq .Values.environment "openshift" }}
|
||||||
|
- name: set-context
|
||||||
|
image: {{ include "ubuntu.image-server" . }}ubuntu:20.04
|
||||||
|
imagePullPolicy: {{ .Values.registry.imagePullPolicy }}
|
||||||
|
command: ["chcon", "-Rt", "container_file_t", "wlapi/"]
|
||||||
|
volumeMounts:
|
||||||
|
- name: spire-agent-socket
|
||||||
|
mountPath: "/wlapi"
|
||||||
|
{{- end }}
|
||||||
|
- name: init
|
||||||
|
image: {{ include "hook.image-server" . }}/kubectl
|
||||||
|
command:
|
||||||
|
- /bin/sh
|
||||||
|
- -c
|
||||||
|
- |
|
||||||
|
while $(kubectl -n {{ .Release.Namespace }} wait --for=condition=Ready pod -l app.kubernetes.io/name=spire-server > /dev/null); [ $? -ne 0 ]; do
|
||||||
|
sleep 1
|
||||||
|
done
|
||||||
|
containers:
|
||||||
|
- name: spire-agent
|
||||||
|
image: {{ include "spire.image-server" . }}/spire-agent:1.2.0
|
||||||
|
imagePullPolicy: {{ .Values.registry.imagePullPolicy }}
|
||||||
|
args:
|
||||||
|
- "-config"
|
||||||
|
- "/run/spire/config/agent.conf"
|
||||||
|
env:
|
||||||
|
- name: MY_NODE_NAME
|
||||||
|
valueFrom:
|
||||||
|
fieldRef:
|
||||||
|
fieldPath: spec.nodeName
|
||||||
|
volumeMounts:
|
||||||
|
- name: spire-config
|
||||||
|
mountPath: "/run/spire/config"
|
||||||
|
readOnly: true
|
||||||
|
- name: spire-bundle
|
||||||
|
mountPath: "/run/spire/bundle"
|
||||||
|
- name: spire-agent-socket
|
||||||
|
mountPath: "/run/spire/sockets"
|
||||||
|
readOnly: false
|
||||||
|
- name: spire-token
|
||||||
|
mountPath: "/var/run/secrets/tokens"
|
||||||
|
livenessProbe:
|
||||||
|
exec:
|
||||||
|
command:
|
||||||
|
- "/opt/spire/bin/spire-agent"
|
||||||
|
- healthcheck
|
||||||
|
- "-shallow"
|
||||||
|
- "-socketPath"
|
||||||
|
- "/run/spire/sockets/agent.sock"
|
||||||
|
failureThreshold: 2
|
||||||
|
initialDelaySeconds: 15
|
||||||
|
periodSeconds: 60
|
||||||
|
timeoutSeconds: 3
|
||||||
|
readinessProbe:
|
||||||
|
exec:
|
||||||
|
command:
|
||||||
|
- "/opt/spire/bin/spire-agent"
|
||||||
|
- healthcheck
|
||||||
|
- "-socketPath"
|
||||||
|
- "/run/spire/sockets/agent.sock"
|
||||||
|
initialDelaySeconds: 5
|
||||||
|
periodSeconds: 5
|
||||||
|
{{ if eq .Values.environment "openshift" -}}
|
||||||
|
- name: nginx-mesh-csi-driver
|
||||||
|
image: {{ .Values.registry.server }}/nginx-mesh-csi-driver:{{ .Values.registry.imageTag }}
|
||||||
|
imagePullPolicy: {{ .Values.registry.imagePullPolicy }}
|
||||||
|
args:
|
||||||
|
- "--node-id-env"
|
||||||
|
- "MY_NODE_NAME"
|
||||||
|
- "--wlapi-socket-dir"
|
||||||
|
- "/wlapi"
|
||||||
|
- "--csi-socket-path"
|
||||||
|
- "/csi/csi.sock"
|
||||||
|
env:
|
||||||
|
- name: MY_POD_NAME
|
||||||
|
valueFrom:
|
||||||
|
fieldRef:
|
||||||
|
fieldPath: metadata.name
|
||||||
|
- name: MY_POD_NAMESPACE
|
||||||
|
valueFrom:
|
||||||
|
fieldRef:
|
||||||
|
fieldPath: metadata.namespace
|
||||||
|
- name: MY_NODE_NAME
|
||||||
|
valueFrom:
|
||||||
|
fieldRef:
|
||||||
|
fieldPath: spec.nodeName
|
||||||
|
volumeMounts:
|
||||||
|
- name: spire-agent-socket
|
||||||
|
mountPath: /wlapi
|
||||||
|
readOnly: true
|
||||||
|
- name: csi-socket-dir
|
||||||
|
mountPath: /csi
|
||||||
|
- name: mountpoint-dir
|
||||||
|
mountPath: /var/lib/kubelet/pods
|
||||||
|
mountPropagation: Bidirectional
|
||||||
|
securityContext:
|
||||||
|
privileged: true
|
||||||
|
- name: node-driver-registrar
|
||||||
|
image: {{ include "node-driver.image-server" . }}/csi-node-driver-registrar:v2.0.1
|
||||||
|
imagePullPolicy: {{ .Values.registry.imagePullPolicy }}
|
||||||
|
args:
|
||||||
|
- "-csi-address"
|
||||||
|
- "/csi/csi.sock"
|
||||||
|
- "-kubelet-registration-path"
|
||||||
|
- "/var/lib/kubelet/plugins/agent.spire.csi.spiffe.io/csi.sock"
|
||||||
|
volumeMounts:
|
||||||
|
- name: csi-socket-dir
|
||||||
|
mountPath: /csi
|
||||||
|
- name: registration-dir
|
||||||
|
mountPath: /registration
|
||||||
|
{{- end }}
|
||||||
|
volumes:
|
||||||
|
- name: spire-config
|
||||||
|
configMap:
|
||||||
|
name: spire-agent
|
||||||
|
- name: spire-bundle
|
||||||
|
configMap:
|
||||||
|
name: spire-bundle
|
||||||
|
- name: spire-agent-socket
|
||||||
|
hostPath:
|
||||||
|
path: /run/spire/sockets
|
||||||
|
type: DirectoryOrCreate
|
||||||
|
{{ if eq .Values.environment "openshift" -}}
|
||||||
|
- name: csi-socket-dir
|
||||||
|
hostPath:
|
||||||
|
path: /var/lib/kubelet/plugins/agent.spire.csi.spiffe.io
|
||||||
|
type: DirectoryOrCreate
|
||||||
|
- name: mountpoint-dir
|
||||||
|
hostPath:
|
||||||
|
path: /var/lib/kubelet/pods
|
||||||
|
type: Directory
|
||||||
|
- name: registration-dir
|
||||||
|
hostPath:
|
||||||
|
path: /var/lib/kubelet/plugins_registry
|
||||||
|
type: Directory
|
||||||
|
{{- end }}
|
||||||
|
- name: spire-token
|
||||||
|
projected:
|
||||||
|
sources:
|
||||||
|
- serviceAccountToken:
|
||||||
|
audience: spire-server
|
||||||
|
expirationSeconds: 7200
|
||||||
|
path: spire-agent
|
||||||
|
{{- if eq .Values.environment "openshift" }}
|
||||||
|
---
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
kind: ClusterRole
|
||||||
|
metadata:
|
||||||
|
name: system:openshift:scc:nginx-mesh-spire-agent-permissions
|
||||||
|
labels:
|
||||||
|
app.kubernetes.io/part-of: nginx-service-mesh
|
||||||
|
annotations:
|
||||||
|
"helm.sh/resource-policy": keep
|
||||||
|
rules:
|
||||||
|
- apiGroups:
|
||||||
|
- security.openshift.io
|
||||||
|
resources:
|
||||||
|
- securitycontextconstraints
|
||||||
|
resourceNames:
|
||||||
|
- nginx-mesh-spire-agent-permissions
|
||||||
|
verbs:
|
||||||
|
- use
|
||||||
|
- apiGroups:
|
||||||
|
- ''
|
||||||
|
resources:
|
||||||
|
- pods
|
||||||
|
verbs:
|
||||||
|
- get
|
||||||
|
- list
|
||||||
|
- patch
|
||||||
|
---
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
kind: RoleBinding
|
||||||
|
metadata:
|
||||||
|
name: system:openshift:scc:nginx-mesh-spire-agent-permissions
|
||||||
|
labels:
|
||||||
|
app.kubernetes.io/part-of: nginx-service-mesh
|
||||||
|
annotations:
|
||||||
|
"helm.sh/resource-policy": keep
|
||||||
|
roleRef:
|
||||||
|
apiGroup: rbac.authorization.k8s.io
|
||||||
|
kind: ClusterRole
|
||||||
|
name: system:openshift:scc:nginx-mesh-spire-agent-permissions
|
||||||
|
subjects:
|
||||||
|
- kind: ServiceAccount
|
||||||
|
name: spire-agent
|
||||||
|
namespace: {{ .Release.Namespace }}
|
||||||
|
---
|
||||||
|
apiVersion: security.openshift.io/v1
|
||||||
|
kind: SecurityContextConstraints
|
||||||
|
metadata:
|
||||||
|
name: nginx-mesh-spire-agent-permissions
|
||||||
|
labels:
|
||||||
|
app.kubernetes.io/part-of: nginx-service-mesh
|
||||||
|
annotations:
|
||||||
|
"helm.sh/resource-policy": keep
|
||||||
|
allowHostDirVolumePlugin: true
|
||||||
|
allowHostIPC: false
|
||||||
|
allowHostPID: true
|
||||||
|
allowHostNetwork: true
|
||||||
|
allowHostPorts: false
|
||||||
|
allowPrivilegedContainer: true
|
||||||
|
seLinuxContext:
|
||||||
|
type: MustRunAs
|
||||||
|
readOnlyRootFilesystem: false
|
||||||
|
runAsUser:
|
||||||
|
type: RunAsAny
|
||||||
|
fsGroup:
|
||||||
|
type: MustRunAs
|
||||||
|
volumes:
|
||||||
|
- configMap
|
||||||
|
- hostPath
|
||||||
|
- projected
|
||||||
|
- secret
|
||||||
|
---
|
||||||
|
apiVersion: storage.k8s.io/v1
|
||||||
|
kind: CSIDriver
|
||||||
|
metadata:
|
||||||
|
name: wlapi-mounter.spire.nginx.com
|
||||||
|
spec:
|
||||||
|
attachRequired: false
|
||||||
|
podInfoOnMount: true
|
||||||
|
volumeLifecycleModes:
|
||||||
|
- Ephemeral
|
||||||
|
{{- end }}
|
|
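Review bot: The `init` initContainer of the spire-agent DaemonSet loops with no upper bound, so if `spire-server` never becomes Ready the agent pod sits in `Init:0/1` indefinitely with nothing in its status to say why, and the `while $(kubectl …); [ $? -ne 0 ]` form depends on the exit status of an empty command after substitution, which is easy to misread. A bounded `until` loop that exits non-zero after a fixed number of attempts is clearer and, as I read the DaemonSet's restart behaviour, lets the kubelet restart and report the failure instead of hanging silently; the attempt count below is a constructed placeholder. The same container also omits the `imagePullPolicy: {{ .Values.registry.imagePullPolicy }}` that its sibling containers set. Separately, the elevated settings this DaemonSet carries (`hostPID: true`, `hostNetwork: true`, `nodes/proxy` in the ClusterRole, and the privileged CSI container with `mountPropagation: Bidirectional` under the OpenShift guard) deserve a template comment stating which attestation or CSI requirement each one serves, since that is what a reviewer of the `nginx-mesh-spire-agent-permissions` SCC will ask.
```yaml
        - |
          attempts=0
          until kubectl -n {{ .Release.Namespace }} wait --for=condition=Ready pod -l app.kubernetes.io/name=spire-server > /dev/null; do
            attempts=$((attempts + 1))
            if [ "$attempts" -ge 60 ]; then
              echo "spire-server not Ready after $attempts attempts" >&2
              exit 1
            fi
            sleep 1
          done
```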
@ -0,0 +1,434 @@
|
||||||
|
---
|
||||||
|
apiVersion: v1
|
||||||
|
kind: ServiceAccount
|
||||||
|
metadata:
|
||||||
|
name: spire-server
|
||||||
|
labels:
|
||||||
|
app.kubernetes.io/part-of: nginx-service-mesh
|
||||||
|
imagePullSecrets:
|
||||||
|
- name: {{ include "registry-key-name" . }}
|
||||||
|
---
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
kind: ClusterRole
|
||||||
|
metadata:
|
||||||
|
name: spire-server.security.builtin.nsm.nginx
|
||||||
|
labels:
|
||||||
|
app.kubernetes.io/part-of: nginx-service-mesh
|
||||||
|
rules:
|
||||||
|
- apiGroups:
|
||||||
|
- ''
|
||||||
|
resources:
|
||||||
|
- pods
|
||||||
|
- nodes
|
||||||
|
verbs:
|
||||||
|
- get
|
||||||
|
- apiGroups:
|
||||||
|
- ''
|
||||||
|
resources:
|
||||||
|
- configmaps
|
||||||
|
resourceNames:
|
||||||
|
- spire-bundle
|
||||||
|
verbs:
|
||||||
|
- get
|
||||||
|
- patch
|
||||||
|
- apiGroups:
|
||||||
|
- authentication.k8s.io
|
||||||
|
resources:
|
||||||
|
- tokenreviews
|
||||||
|
verbs:
|
||||||
|
- create
|
||||||
|
- apiGroups:
|
||||||
|
- apiregistration.k8s.io
|
||||||
|
resources:
|
||||||
|
- apiservices
|
||||||
|
verbs:
|
||||||
|
- get
|
||||||
|
- list
|
||||||
|
- patch
|
||||||
|
- watch
|
||||||
|
- apiGroups:
|
||||||
|
- admissionregistration.k8s.io
|
||||||
|
resources:
|
||||||
|
- mutatingwebhookconfigurations
|
||||||
|
- validatingwebhookconfigurations
|
||||||
|
verbs:
|
||||||
|
- get
|
||||||
|
- list
|
||||||
|
- patch
|
||||||
|
- watch
|
||||||
|
{{- if .Values.mtls.upstreamAuthority.certManager }}
|
||||||
|
- apiGroups:
|
||||||
|
- cert-manager.io
|
||||||
|
resources:
|
||||||
|
- certificaterequests
|
||||||
|
verbs:
|
||||||
|
- get
|
||||||
|
- list
|
||||||
|
- create
|
||||||
|
- delete
|
||||||
|
{{- end }}
|
||||||
|
---
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
kind: ClusterRoleBinding
|
||||||
|
metadata:
|
||||||
|
name: spire-server.security.builtin.nsm.nginx
|
||||||
|
labels:
|
||||||
|
app.kubernetes.io/part-of: nginx-service-mesh
|
||||||
|
roleRef:
|
||||||
|
apiGroup: rbac.authorization.k8s.io
|
||||||
|
kind: ClusterRole
|
||||||
|
name: spire-server.security.builtin.nsm.nginx
|
||||||
|
subjects:
|
||||||
|
- kind: ServiceAccount
|
||||||
|
name: spire-server
|
||||||
|
namespace: {{ .Release.Namespace }}
|
||||||
|
---
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
kind: ClusterRole
|
||||||
|
metadata:
|
||||||
|
name: k8s-workload-registrar.security.builtin.nsm.nginx
|
||||||
|
labels:
|
||||||
|
app.kubernetes.io/part-of: nginx-service-mesh
|
||||||
|
rules:
|
||||||
|
- apiGroups:
|
||||||
|
- ''
|
||||||
|
resources:
|
||||||
|
- endpoints
|
||||||
|
- pods
|
||||||
|
- nodes
|
||||||
|
verbs:
|
||||||
|
- get
|
||||||
|
- list
|
||||||
|
- watch
|
||||||
|
- apiGroups:
|
||||||
|
- spiffeid.spiffe.io
|
||||||
|
resources:
|
||||||
|
- spiffeids
|
||||||
|
verbs:
|
||||||
|
- create
|
||||||
|
- delete
|
||||||
|
- get
|
||||||
|
- list
|
||||||
|
- patch
|
||||||
|
- update
|
||||||
|
- watch
|
||||||
|
- apiGroups:
|
||||||
|
- spiffeid.spiffe.io
|
||||||
|
resources:
|
||||||
|
- spiffeids/status
|
||||||
|
verbs:
|
||||||
|
- get
|
||||||
|
- patch
|
||||||
|
- update
|
||||||
|
---
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
kind: ClusterRoleBinding
|
||||||
|
metadata:
|
||||||
|
name: k8s-workload-registrar.security.builtin.nsm.nginx
|
||||||
|
labels:
|
||||||
|
app.kubernetes.io/part-of: nginx-service-mesh
|
||||||
|
roleRef:
|
||||||
|
apiGroup: rbac.authorization.k8s.io
|
||||||
|
kind: ClusterRole
|
||||||
|
name: k8s-workload-registrar.security.builtin.nsm.nginx
|
||||||
|
subjects:
|
||||||
|
- kind: ServiceAccount
|
||||||
|
name: spire-server
|
||||||
|
namespace: {{ .Release.Namespace }}
|
||||||
|
{{- if (or (include "ua-secret-name" .) (include "ua-vault-env-name" .)) }}
|
||||||
|
---
|
||||||
|
apiVersion: v1
|
||||||
|
kind: Secret
|
||||||
|
metadata:
|
||||||
|
name: spire-server
|
||||||
|
labels:
|
||||||
|
app.kubernetes.io/part-of: nginx-service-mesh
|
||||||
|
type: Opaque
|
||||||
|
data:
|
||||||
|
{{- if (include "ua-secret-name" .) }}
|
||||||
|
{{ include "ua-secret-name" . }}: {{ include "ua-secret-value" . }}{{ end }}
|
||||||
|
{{- if (include "ua-vault-env-name" .) }}
|
||||||
|
{{ include "ua-vault-env-name" . }}: {{ include "ua-vault-env-value" . }}{{ end }}
|
||||||
|
{{- end }}
|
||||||
|
---
|
||||||
|
apiVersion: v1
|
||||||
|
kind: ConfigMap
|
||||||
|
metadata:
|
||||||
|
name: spire-bundle
|
||||||
|
labels:
|
||||||
|
app.kubernetes.io/part-of: nginx-service-mesh
|
||||||
|
---
|
||||||
|
apiVersion: v1
|
||||||
|
kind: ConfigMap
|
||||||
|
metadata:
|
||||||
|
name: spire-server
|
||||||
|
labels:
|
||||||
|
app.kubernetes.io/part-of: nginx-service-mesh
|
||||||
|
data:
|
||||||
|
server.conf: {{ tpl (.Files.Get "configs/spire-server.conf") . | quote }}
|
||||||
|
{{ if (include "ua-upstream-cert" .) -}}
|
||||||
|
{{ include "ua-upstream-cert" . }}{{ end }}
|
||||||
|
{{ if (include "ua-upstream-client-cert" .) -}}
|
||||||
|
{{ include "ua-upstream-client-cert" . }}{{ end }}
|
||||||
|
{{ if (include "ua-upstream-bundle" .) -}}
|
||||||
|
{{ include "ua-upstream-bundle" . }}{{ end }}
|
||||||
|
---
|
||||||
|
apiVersion: v1
|
||||||
|
kind: ConfigMap
|
||||||
|
metadata:
|
||||||
|
name: k8s-workload-registrar
|
||||||
|
labels:
|
||||||
|
app.kubernetes.io/part-of: nginx-service-mesh
|
||||||
|
data:
|
||||||
|
k8s-workload-registrar.conf: {{ tpl (.Files.Get "configs/k8s-workload-registrar.conf") . | quote }}
|
||||||
|
---
|
||||||
|
apiVersion: v1
|
||||||
|
kind: Service
|
||||||
|
metadata:
|
||||||
|
name: spire-server
|
||||||
|
labels:
|
||||||
|
app.kubernetes.io/name: spire-server
|
||||||
|
app.kubernetes.io/part-of: nginx-service-mesh
|
||||||
|
spec:
|
||||||
|
type: ClusterIP
|
||||||
|
ports:
|
||||||
|
- name: grpc
|
||||||
|
protocol: TCP
|
||||||
|
port: 8081
|
||||||
|
targetPort: 8081
|
||||||
|
selector:
|
||||||
|
app.kubernetes.io/name: spire-server
|
||||||
|
app.kubernetes.io/part-of: nginx-service-mesh
|
||||||
|
---
|
||||||
|
apiVersion: v1
|
||||||
|
kind: Service
|
||||||
|
metadata:
|
||||||
|
name: k8s-workload-registrar
|
||||||
|
labels:
|
||||||
|
app.kubernetes.io/name: k8s-workload-registrar
|
||||||
|
app.kubernetes.io/part-of: nginx-service-mesh
|
||||||
|
spec:
|
||||||
|
ports:
|
||||||
|
- name: webhook
|
||||||
|
protocol: TCP
|
||||||
|
port: 443
|
||||||
|
targetPort: 9443
|
||||||
|
selector:
|
||||||
|
app.kubernetes.io/name: spire-server
|
||||||
|
---
|
||||||
|
apiVersion: admissionregistration.k8s.io/v1
|
||||||
|
kind: ValidatingWebhookConfiguration
|
||||||
|
metadata:
|
||||||
|
name: k8s-workload-registrar.security.builtin.nsm.nginx
|
||||||
|
labels:
|
||||||
|
app.kubernetes.io/part-of: nginx-service-mesh
|
||||||
|
spiffe.io/webhook: "true"
|
||||||
|
webhooks:
|
||||||
|
- name: k8s-workload-registrar.{{ .Release.Namespace }}.svc
|
||||||
|
clientConfig:
|
||||||
|
service:
|
||||||
|
name: k8s-workload-registrar
|
||||||
|
namespace: {{ .Release.Namespace }}
|
||||||
|
path: "/validate-spiffeid-spiffe-io-v1beta1-spiffeid"
|
||||||
|
sideEffects: None
|
||||||
|
admissionReviewVersions:
|
||||||
|
- v1
|
||||||
|
- v1beta1
|
||||||
|
rules:
|
||||||
|
- apiGroups:
|
||||||
|
- spiffeid.spiffe.io
|
||||||
|
apiVersions:
|
||||||
|
- v1beta1
|
||||||
|
operations:
|
||||||
|
- CREATE
|
||||||
|
- UPDATE
|
||||||
|
- DELETE
|
||||||
|
resources:
|
||||||
|
- spiffeids
|
||||||
|
scope: Namespaced
|
||||||
|
---
|
||||||
|
apiVersion: apps/v1
|
||||||
|
{{- if eq .Values.mtls.persistentStorage "on" }}
|
||||||
|
kind: StatefulSet
|
||||||
|
{{- else }}
|
||||||
|
kind: Deployment
|
||||||
|
{{- end }}
|
||||||
|
metadata:
|
||||||
|
name: spire-server
|
||||||
|
labels:
|
||||||
|
app.kubernetes.io/name: spire-server
|
||||||
|
app.kubernetes.io/part-of: nginx-service-mesh
|
||||||
|
spec:
|
||||||
|
replicas: 1
|
||||||
|
selector:
|
||||||
|
matchLabels:
|
||||||
|
app.kubernetes.io/name: spire-server
|
||||||
|
app.kubernetes.io/part-of: nginx-service-mesh
|
||||||
|
{{- if eq .Values.mtls.persistentStorage "on" }}
|
||||||
|
serviceName: spire-server
|
||||||
|
{{- end }}
|
||||||
|
template:
|
||||||
|
metadata:
|
||||||
|
labels:
|
||||||
|
app.kubernetes.io/name: spire-server
|
||||||
|
app.kubernetes.io/part-of: nginx-service-mesh
|
||||||
|
spec:
|
||||||
|
serviceAccountName: spire-server
|
||||||
|
shareProcessNamespace: true
|
||||||
|
containers:
|
||||||
|
- name: spire-server
|
||||||
|
image: {{ include "spire.image-server" . }}/spire-server:1.2.0
|
||||||
|
imagePullPolicy: {{ .Values.registry.imagePullPolicy }}
|
||||||
|
args:
|
||||||
|
- '-config'
|
||||||
|
- /run/spire/config/server.conf
|
||||||
|
ports:
|
||||||
|
- name: spire-server
|
||||||
|
protocol: TCP
|
||||||
|
containerPort: 8081
|
||||||
|
{{- if (include "ua-vault-env-name" .) }}
|
||||||
|
env:
|
||||||
|
- name: {{ include "ua-vault-env-name" . }}
|
||||||
|
valueFrom:
|
||||||
|
secretKeyRef:
|
||||||
|
name: spire-server
|
||||||
|
key: {{ include "ua-vault-env-name" . }}
|
||||||
|
{{- end }}
|
||||||
|
volumeMounts:
|
||||||
|
- name: spire-config
|
||||||
|
mountPath: /run/spire/config
|
||||||
|
readOnly: true
|
||||||
|
{{- if (include "ua-secret-mountpath" .) }}
|
||||||
|
- name: spire-secrets
|
||||||
|
mountPath: {{ include "ua-secret-mountpath" . }}
|
||||||
|
readOnly: true
|
||||||
|
{{- end }}
|
||||||
|
{{- if eq .Values.mtls.persistentStorage "on" }}
|
||||||
|
- name: spire-data
|
||||||
|
mountPath: /run/spire/data
|
||||||
|
readOnly: false
|
||||||
|
{{- end }}
|
||||||
|
- name: spire-server-socket
|
||||||
|
mountPath: /run/spire/sockets
|
||||||
|
readOnly: false
|
||||||
|
livenessProbe:
|
||||||
|
httpGet:
|
||||||
|
port: 8082
|
||||||
|
path: /live
|
||||||
|
failureThreshold: 2
|
||||||
|
initialDelaySeconds: 15
|
||||||
|
periodSeconds: 60
|
||||||
|
timeoutSeconds: 3
|
||||||
|
readinessProbe:
|
||||||
|
httpGet:
|
||||||
|
port: 8082
|
||||||
|
path: /ready
|
||||||
|
initialDelaySeconds: 5
|
||||||
|
periodSeconds: 5
|
||||||
|
- name: k8s-workload-registrar
|
||||||
|
image: {{ include "spire.image-server" . }}/k8s-workload-registrar:1.2.0
|
||||||
|
imagePullPolicy: {{ .Values.registry.imagePullPolicy }}
|
||||||
|
args:
|
||||||
|
- '-config'
|
||||||
|
- /run/spire/config/k8s-workload-registrar.conf
|
||||||
|
ports:
|
||||||
|
- name: webhook
|
||||||
|
protocol: TCP
|
||||||
|
containerPort: 9443
|
||||||
|
env:
|
||||||
|
- name: MY_POD_NAMESPACE
|
||||||
|
valueFrom:
|
||||||
|
fieldRef:
|
||||||
|
fieldPath: metadata.namespace
|
||||||
|
volumeMounts:
|
||||||
|
- name: k8s-workload-registrar-config
|
||||||
|
mountPath: /run/spire/config
|
||||||
|
readOnly: true
|
||||||
|
- name: spire-server-socket
|
||||||
|
mountPath: /run/spire/sockets
|
||||||
|
readOnly: true
|
||||||
|
volumes:
|
||||||
|
- name: spire-config
|
||||||
|
configMap:
|
||||||
|
name: spire-server
|
||||||
|
{{- if (include "ua-secret-name" .) }}
|
||||||
|
- name: spire-secrets
|
||||||
|
secret:
|
||||||
|
secretName: spire-server
|
||||||
|
items:
|
||||||
|
- key: {{ include "ua-secret-name" . }}
|
||||||
|
path: {{ include "ua-secret-name" . }}
|
||||||
|
{{- end }}
|
||||||
|
- name: spire-server-socket
|
||||||
|
emptyDir: {}
|
||||||
|
- name: k8s-workload-registrar-config
|
||||||
|
configMap:
|
||||||
|
name: k8s-workload-registrar
|
||||||
|
{{- if eq .Values.mtls.persistentStorage "on" }}
|
||||||
|
volumeClaimTemplates:
|
||||||
|
- metadata:
|
||||||
|
name: spire-data
|
||||||
|
namespace: {{ .Release.Namespace }}
|
||||||
|
spec:
|
||||||
|
accessModes:
|
||||||
|
- ReadWriteOnce
|
||||||
|
resources:
|
||||||
|
requests:
|
||||||
|
storage: 1Gi
|
||||||
|
{{- end }}
|
||||||
|
{{- if eq .Values.environment "openshift" }}
|
||||||
|
---
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
kind: ClusterRole
|
||||||
|
metadata:
|
||||||
|
name: system:openshift:scc:nginx-mesh-spire-server-permissions
|
||||||
|
labels:
|
||||||
|
app.kubernetes.io/part-of: nginx-service-mesh
|
||||||
|
rules:
|
||||||
|
- apiGroups:
|
||||||
|
- security.openshift.io
|
||||||
|
resources:
|
||||||
|
- securitycontextconstraints
|
||||||
|
resourceNames:
|
||||||
|
- nginx-mesh-spire-server-permissions
|
||||||
|
verbs:
|
||||||
|
- use
|
||||||
|
---
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
kind: RoleBinding
|
||||||
|
metadata:
|
||||||
|
name: system:openshift:scc:nginx-mesh-spire-server-permissions
|
||||||
|
labels:
|
||||||
|
app.kubernetes.io/part-of: nginx-service-mesh
|
||||||
|
roleRef:
|
||||||
|
apiGroup: rbac.authorization.k8s.io
|
||||||
|
kind: ClusterRole
|
||||||
|
name: system:openshift:scc:nginx-mesh-spire-server-permissions
|
||||||
|
subjects:
|
||||||
|
- kind: ServiceAccount
|
||||||
|
name: spire-server
|
||||||
|
namespace: {{ .Release.Namespace }}
|
||||||
|
---
|
||||||
|
apiVersion: security.openshift.io/v1
|
||||||
|
kind: SecurityContextConstraints
|
||||||
|
metadata:
|
||||||
|
name: nginx-mesh-spire-server-permissions
|
||||||
|
labels:
|
||||||
|
app.kubernetes.io/part-of: nginx-service-mesh
|
||||||
|
allowHostDirVolumePlugin: false
|
||||||
|
allowHostIPC: false
|
||||||
|
allowHostNetwork: false
|
||||||
|
allowHostPID: false
|
||||||
|
allowHostPorts: false
|
||||||
|
allowPrivilegedContainer: false
|
||||||
|
seLinuxContext:
|
||||||
|
type: MustRunAs
|
||||||
|
readOnlyRootFilesystem: false
|
||||||
|
runAsUser:
|
||||||
|
type: RunAsAny
|
||||||
|
volumes:
|
||||||
|
- configMap
|
||||||
|
- secret
|
||||||
|
- emptyDir
|
||||||
|
- persistentVolumeClaim
|
||||||
|
{{- end }}
|
|
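Review bot: The `spire-server.security.builtin.nsm.nginx` ClusterRole grants `patch` on every `mutatingwebhookconfigurations` and `validatingwebhookconfigurations` object in the cluster, and on every `apiservices` object, with no `resourceNames`; patching arbitrary admission webhooks is effectively cluster-admin, since it can re-point or disable admission for every namespace. The only webhook this chart creates for that service account is the `k8s-workload-registrar.security.builtin.nsm.nginx` ValidatingWebhookConfiguration, so presumably `patch` exists to inject its CA bundle; `get`/`list`/`watch` cannot be name-scoped but `patch` can, so split it into a second rule restricted by `resourceNames` (and name any mutating configuration another component genuinely needs this service account to patch). `shareProcessNamespace: true` on the spire-server pod also deserves a one-line template comment saying why the registrar sidecar needs to see the server's processes, as nothing else in the manifest requires it.
```yaml
rules:
# … unchanged: pods/nodes, configmaps, tokenreviews, apiservices rules …
- apiGroups:
  - admissionregistration.k8s.io
  resources:
  - mutatingwebhookconfigurations
  - validatingwebhookconfigurations
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - admissionregistration.k8s.io
  resources:
  - validatingwebhookconfigurations
  resourceNames:
  - k8s-workload-registrar.security.builtin.nsm.nginx
  verbs:
  - patch
# … unchanged: cert-manager rule under .Values.mtls.upstreamAuthority.certManager …
```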
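--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE-zipkin-template
@@ -0,0 +1,46 @@
+{{- if .Values.tracing }} {{- if (and (not .Values.tracing.disable) (eq .Values.tracing.backend "zipkin") (eq .Values.tracing.address "")) }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+name: zipkin
+labels:
+app.kubernetes.io/name: zipkin
+app.kubernetes.io/part-of: nginx-service-mesh
+spec:
+selector:
+app.kubernetes.io/name: zipkin
+app.kubernetes.io/part-of: nginx-service-mesh
+type: ClusterIP
+ports:
+- port: 9411
+targetPort: 9411
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+name: zipkin
+labels:
+app.kubernetes.io/name: zipkin
+app.kubernetes.io/part-of: nginx-service-mesh
+spec:
+replicas: 1
+selector:
+matchLabels:
+app.kubernetes.io/name: zipkin
+app.kubernetes.io/part-of: nginx-service-mesh
+template:
+metadata:
+labels:
+app.kubernetes.io/name: zipkin
+app.kubernetes.io/part-of: nginx-service-mesh
+spec:
+imagePullSecrets:
+- name: {{ include "registry-key-name" . }}
+containers:
+- name: zipkin
+image: {{ include "zipkin.image-server" . }}/zipkin:2.23.16
+imagePullPolicy: {{ .Values.registry.imagePullPolicy }}
+ports:
+- containerPort: 9411
+{{- end }}{{- end }}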
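Review bot: The zipkin container in the Deployment (L19130–L19146) is declared with no `securityContext` and no `resources`, so the tracing backend this template auto-deploys whenever `tracing.address` is empty runs with whatever privileges the namespace's admission defaults allow and with unbounded CPU and memory. Add a container-level securityContext that forbids privilege escalation and drops all capabilities, plus a resources stanza, so a busy tracer cannot escalate or starve the mesh control plane; whether the upstream zipkin image already runs as a non-root user is not visible here, so `runAsNonRoot: true` should be checked against the image before it is committed. The image is pinned by tag only (`zipkin:2.23.16`), so operators who set `disablePublicImages` and mirror it should consider pinning by digest. The rewrite below keeps the container's name, image, pull policy and port lines unchanged.
```yaml
containers:
  - name: zipkin
    # … unchanged: image, imagePullPolicy, ports …
    securityContext:
      allowPrivilegeEscalation: false
      runAsNonRoot: true  # confirm the zipkin image's default user is non-root first
      capabilities:
        drop:
          - ALL
    resources:
      requests:
        cpu: 100m      # constructed example value; size for your trace volume
        memory: 256Mi  # constructed example value
      limits:
        memory: 512Mi  # constructed example value
```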
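--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE-values-schema
@@ -0,0 +1,614 @@
+{
+"$schema": "https://json-schema.org/draft-07/schema#",
+"title": "NGINX Service Mesh Values",
+"type": "object",
+"properties": {
+"mtls": {
+"type": "object",
+"properties": {
+"mode": {
+"description": "mTLS mode for pod-to-pod communication",
+"type": "string",
+"enum": ["off", "permissive", "strict"],
+"default": "permissive"
+},
+"caTTL": {
+"description": "The CA/signing key TTL in hours(h) or minutes(m). Max value is 999999.",
+"type": "string",
+"pattern": "^[1-9][0-9]{0,5}(h|m)$",
+"default": "720h"
+},
+"svidTTL": {
+"description": "The TTL of certificates issued to workloads in hours(h) or minutes(m). Max value is 999999.",
+"type": "string",
+"pattern": "^[1-9][0-9]{0,5}(h|m)$",
+"default": "1h"
+},
+"trustDomain": {
+"description": "The trust domain of the NGINX Service Mesh",
+"type": "string",
+"default": "example.org"
+},
+"persistentStorage": {
+"description": "Use persistent storage",
+"type": "string",
+"enum": ["on", "off"],
+"default": "on"
+},
+"spireServerKeyManager": {
+"description": "Storage logic for SPIRE Server's private keys",
+"type": "string",
+"enum": ["disk", "memory"],
+"default": "disk"
+},
+"caKeyType": {
+"description": "The key type used for the SPIRE Server CA",
+"type": "string",
+"enum": ["ec-p256", "ec-p384", "rsa-2048", "rsa-4096"],
+"default": "ec-p256"
+},
+"upstreamAuthority": {
+"description": "Upstream authority settings",
+"type": "object",
+"properties": {
+"disk": {
+"description": "Disk object",
+"type": "object",
+"properties": {
+"cert": {
+"description": "Contents of your PEM encoded certificate file",
+"type": "string",
+"minLength": 1
+},
+"key": {
+"description": "Contents of your PEM encoded key file",
+"type": "string",
+"minLength": 1
+},
+"bundle": {
+"description": "Contents of your CA bundle file",
+"type": "string"
+}
+},
+"required": ["cert", "key"]
+},
+"awsPCA": {
+"description": "AWS PCA object",
+"type": "object",
+"properties": {
+"region": {
+"description": "AWS region to use",
+"type": "string",
+"minLength": 1
+},
+"certificateAuthorityArn": {
+"description": "ARN of the upstream CA certificate",
+"type": "string",
+"minLength": 1
+},
+"awsAccessKeyID": {
+"description": "AWS access key ID",
+"type": "string"
+},
+"awsSecretAccessKey": {
+"description": "AWS secret access key",
+"type": "string"
+},
+"caSigningTemplateArn": {
+"description": "ARN of the signing template to use for the server's CA",
+"type": "string"
+},
+"signingAlgorithm": {
+"description": "Signing algorithm to use for the server's CA",
+"type": "string"
+},
+"assumeRoleArn": {
+"description": " ARN of an IAM role to assume",
+"type": "string"
+},
+"endpoint": {
+"description": "Endpoint as hostname or fully-qualified URI that overrides the default endpoint",
+"type": "string"
+},
+"supplementalBundle": {
+"description": "Contents of a PEM encoded CA certificates file that should be additionally included in the bundle",
+"type": "string"
+}
+},
+"required": ["region", "certificateAuthorityArn"]
+},
+"awsSecret": {
+"description": "AWS Secret object",
+"type": "object",
+"properties": {
+"region": {
+"description": "AWS region to use",
+"type": "string",
+"minLength": 1
+},
+"certFileArn": {
+"description": "ARN of the upstream CA certificate",
+"type": "string",
+"minLength": 1
+},
+"keyFileArn": {
+"description": "ARN of the upstream CA key file",
+"type": "string",
+"minLength": 1
+},
+"awsAccessKeyID": {
+"description": "AWS access key ID",
+"type": "string"
+},
+"awsSecretKeyID": {
+"description": "AWS secret access key",
+"type": "string"
+},
+"awsSecretToken": {
+"description": "AWS secret token",
+"type": "string"
+},
+"assumeRoleArn": {
+"description": "ARN of role to assume",
+"type": "string"
+}
+},
+"required": ["region", "certFileArn", "keyFileArn"]
+},
+"vault": {
+"description": "Vault object",
+"type": "object",
+"properties": {
+"vaultAddr": {
+"description": "URL of the Vault server",
+"type": "string",
+"minLength": 1
+},
+"namespace": {
+"description": "Vault namespace",
+"type": "string",
+"minLength": 1
+},
+"caCert": {
+"description": "Contents of a PEM encoded CA certificate file to verify the Vault server certificate",
+"type": "string",
+"minLength": 1
+},
+"pkiMountPoint": {
+"description": "Name of the mount point where the PKI secret engine is mounted",
+"type": "string",
+"default": "pki"
+},
+"insecureSkipVerify": {
+"description": "If true, vault client accepts any server certificates",
+"type": "boolean",
+"default": false
+},
+"certAuth": {
+"description": "Client certificate authentication object",
+"type": "object",
+"properties": {
+"clientCert": {
+"description": "Contents of your client cert file",
+"type": "string",
+"minLength": 1
+},
+"clientKey": {
+"description": "Contents of your client key file",
+"type": "string",
+"minLength": 1
+},
+"certAuthMountPoint": {
+"description": "Name of the mount point where TLS certificate auth method is mounted",
+"type": "string",
+"default": "cert"
+},
+"certAuthRoleName": {
+"description": "Name of the vault role. If given, the plugin authenticates against only the named role. Default to trying all roles.",
+"type": "string"
+}
+},
+"required": ["clientCert", "clientKey"]
+},
+"tokenAuth": {
+"description": "Token authentication object",
+"type": "object",
+"properties": {
+"token": {
+"description": "Token string set into X-Vault-Token header",
+"type": "string",
+"minLength": 1
+}
+},
+"required": ["token"]
+},
+"approleAuth": {
+"description": "AppRole authentication object",
+"type": "object",
+"properties": {
+"approleID": {
+"description": "An identifier of AppRole",
+"type": "string",
+"minLength": 1
+},
+"approleSecretID": {
+"description": "A credential of AppRole",
+"type": "string",
+"minLength": 1
+},
+"approleAuthMountPoint": {
+"description": "Name of the mount point where the AppRole auth method is mounted",
+"type": "string",
+"default": "approle"
+}
+},
+"required": ["approleID", "approleSecretID"]
+}
+},
+"required": ["vaultAddr", "namespace", "caCert"],
+"oneOf": [
+{"required": ["certAuth"]},
+{"required": ["tokenAuth"]},
+{"required": ["approleAuth"]}
+]
+},
+"certManager": {
+"description": "Cert Manager object",
+"type": "object",
+"properties": {
+"namespace": {
+"description": "The namespace to create CertificateRequests for signing",
+"type": "string",
+"minLength": 1
+},
+"issuerName": {
+"description": "The name of the issuer to reference in CertificateRequests",
+"type": "string",
+"minLength": 1
+},
+"issuerKind": {
+"description": "The kind of the issuer to reference in CertificateRequests",
+"type": "string",
+"default": "Issuer"
+},
+"issuerGroup": {
+"description": "The group of the issuer to reference in CertificateRequests",
+"type": "string",
+"default": "cert-manager.io"
+},
+"kubeConfig": {
+"description": "Contents of the kubeconfig file used to connect to the Kubernetes cluster",
+"type": "string"
+}
+},
+"required": ["namespace", "issuerName"]
+}
+},
+"oneOf": [
+{"$ref": "#/definitions/emptyObject"},
+{"required": ["disk"]},
+{"required": ["awsPCA"]},
+{"required": ["awsSecret"]},
+{"required": ["vault"]},
+{"required": ["certManager"]}
+]
+}
+},
+"required": ["mode", "caTTL", "svidTTL", "trustDomain", "persistentStorage", "spireServerKeyManager"]
+},
+"registry": {
+"description": "NGINX Service Mesh image registry settings",
+"type": "object",
+"properties": {
+"server": {
+"description": "Hostname:port (if needed) for registry and path to images",
+"type": "string",
+"default": "docker-registry.nginx.com/nsm"
+},
+"imageTag": {
+"description": "Tag used for pulling images from registry. ",
+"type": "string",
+"default": "1.4.1"
+},
+"key": {
+"description": "Contents of your Google Cloud JSON key file",
+"type": "string"
+},
+"username": {
+"description": "Username for accessing private registry",
+"type": "string"
+},
+"password": {
+"description": "Password for accessing private registry",
+"type": "string"
+},
+"disablePublicImages": {
+"description": "Disable the pulling of third party images from public repositories",
+"type": "boolean",
+"default": false
+},
+"imagePullPolicy": {
+"description": "Image pull policy",
+"type": "string",
+"enum": ["Never", "IfNotPresent", "Always"],
+"default": "IfNotPresent"
+}
+},
+"oneOf": [
+{
+"properties": {
+"username": {"$ref": "#/definitions/nonEmptyString"},
+"password": {"$ref": "#/definitions/nonEmptyString"},
+"key": {"$ref": "#/definitions/emptyString"}
+}
+},
+{
+"properties": {
+"key": {"$ref": "#/definitions/nonEmptyString"},
+"username": {"$ref": "#/definitions/emptyString"},
+"password": {"$ref": "#/definitions/emptyString"}
+}
+},
+{
+"properties": {
+"key": {"$ref": "#/definitions/emptyString"},
+"username": {"$ref": "#/definitions/emptyString"},
+"password": {"$ref": "#/definitions/emptyString"}
+}
+}
+],
+"required": ["server", "imageTag", "disablePublicImages", "imagePullPolicy"]
+},
+"accessControlMode": {
+"description": "Default access control mode for service-to-service communication",
+"type": "string",
+"enum": ["allow", "deny"]
+},
+"environment": {
+"description": "Environment to deploy the mesh into",
+"type": "string",
+"enum": ["kubernetes", "openshift"]
+},
+"enableUDP": {
+"description": "Enable UDP traffic proxying (beta). Linux kernel 4.18 or greater is required.",
+"type": "boolean"
+},
+"deployGrafana": {
+"description": "Deploy Grafana as a part of the NGINX Service Mesh",
+"type": "boolean"
+},
+"nginxErrorLogLevel": {
+"description": "NGINX error log level",
+"type": "string",
+"enum": ["debug", "info", "notice", "warn", "error", "crit", "alert", "emerg"]
+},
+"nginxLogFormat": {
+"description": "NGINX log format",
+"type": "string",
+"enum": ["default", "json"]
+},
+"nginxLBMethod": {
+"description": "NGINX load balancing method",
+"type": "string",
+"enum": ["least_conn", "least_time", "least_time last_byte", "least_time last_byte inflight", "random", "random two", "random two least_conn", "random two least_time", "random two least_time=last_byte", "round_robin"]
+},
+"prometheusAddress": {
+"description": "The address of a Prometheus server deployed in your Kubernetes cluster",
+"type": "string"
+},
+"autoInjection": {
+"description": "NGINX Service Mesh auto-injection settings",
+"type": "object",
+"properties": {
+"disable": {
+"description": "Disable automatic sidecar injection upon resource creation",
+"type": "boolean"
+},
+"disabledNamespaces": {
+"description": "Disable automatic sidecar injection for specific namespace",
+"type": "array",
+"items": {
+"type": "string"
+}
+},
+"enabledNamespaces": {
+"description": "Enable automatic sidecar injection for specific namespaces",
+"type": "array",
+"items": {
+"type": "string"
+}
+}
+},
+"allOf": [
+{
+"if": {
+"properties": {
+"disable": {
+"const": true
+}
+}
+},
+"then":{
+"properties": {
+"disabledNamespaces": {
+"$ref": "#/definitions/emptyArray"
+}
+}
+}
+},
+{
+"if": {
+"properties": {
+"disable": {
+"const": false
+}
+}
+},
+"then":{
+"properties": {
+"enabledNamespaces": {
+"$ref": "#/definitions/emptyArray"
+}
+}
+}
+}
+],
+"required": ["disable"]
+},
+"tracing": {
+"description": "NGINX Service Mesh tracing settings",
+"type": "object",
+"oneOf": [
+{"$ref": "#/definitions/tracingConfig"},
+{"$ref": "#/definitions/emptyObject"}
+]
+},
+"telemetry":{
+"description": "NGINX Service Mesh telemetry settings",
+"type": "object",
+"oneOf": [
+{"$ref": "#/definitions/telemetryConfig"},
+{"$ref": "#/definitions/emptyObject"}
+]
+}
+},
+"definitions": {
+"nonEmptyString": {
+"type": "string",
+"minLength": 1
+},
+"emptyString": {
+"type": "string",
+"const": ""
+},
+"nonEmptyArray": {
+"type": "array",
+"minItems": 1
+},
+"emptyArray": {
+"type": "array",
+"maxItems": 0
+},
+"emptyObject": {
+"type": "object",
+"additionalProperties": false,
+"properties": {}
+},
+"telemetryConfig": {
+"properties": {
+"samplerRatio": {
+"description": "The percentage of traces that are processed and exported to the telemetry backend. Float between 0 and 1",
+"type": "number",
+"minimum": 0.0,
+"maximum": 1.0
+},
+"exporters": {
+"type": "object",
+"properties": {
+"otlp": {
+"type": "object",
+"description": "The configuration for an OTLP gRPC exporter",
+"properties": {
+"host": {
+"description": "The host of the OpenTelemetry gRPC exporter to connect to",
+"type": "string",
+"minLength": 1
+},
+"port": {
+"description": "The port of the OpenTelemetry gRPC exporter to connect to",
+"type": "number",
+"minimum": 0,
+"maximum": 65535
+}
+},
+"required": ["host", "port"]
+}
+}
+}
+},
+"required": ["samplerRatio", "exporters"]
+},
+"tracingConfig": {
+"properties": {
+"disable": {
+"description": "Disable tracing for all services",
+"type": "boolean"
+},
+"sampleRate": {
+"description": "The sample rate to use for tracing. Float between 0 and 1",
+"type": "number",
+"minimum": 0.0,
+"maximum": 1.0
+},
+"backend": {
+"description": "The tracing backend that you want to use",
+"type": "string",
+"enum": ["zipkin", "datadog", "jaeger"]
+},
+"address": {
+"description": "The address of a tracing server deployed in your Kubernetes cluster",
+"type": "string"
+}
+},
+"required": ["disable", "sampleRate"],
+"if": {
+"properties": {
+"backend": {
+"const": "datadog"
+}
+}
+},
+"then": {
+"properties": {
+"address": {
+"type": "string",
+"minLength": 1
+}
+}
+}
+}
+},
+"oneOf": [
+{
+"properties": {
+"telemetry": {
+"$ref": "#/definitions/emptyObject"
+},
+"tracing": {
+"$ref": "#/definitions/tracingConfig"
+}
+}
+},
+{
+"properties": {
+"telemetry": {
+"$ref": "#/definitions/emptyObject"
+},
+"tracing": {
+"$ref": "#/definitions/emptyObject"
+}
+}
+},
+{
+"properties": {
+"telemetry": {
+"$ref": "#/definitions/telemetryConfig"
+},
+"tracing": {
+"$ref": "#/definitions/emptyObject"
+}
+}
+}
+],
+"required": [
+"mtls",
+"registry",
+"accessControlMode",
+"environment",
+"deployGrafana",
+"nginxErrorLogLevel",
+"nginxLogFormat",
+"nginxLBMethod",
+"autoInjection"
+]
+}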
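Review bot: `awsSecret.properties` names the secret credential `awsSecretKeyID` (L19725), while the sibling `awsPCA` object (L19525) and the commented `awsSecret` example in this commit's values file (L22374) both call it `awsSecretAccessKey`; because none of the upstreamAuthority objects set `additionalProperties: false`, a user who copies the values example passes schema validation with a key the schema never checks, and which spelling the templates actually read is not visible in this hunk. Pick one spelling — `"awsSecretAccessKey": {` with the existing `"description": "AWS secret access key"` is what the rest of the chart uses — and add `"additionalProperties": false` to the `disk`, `awsPCA`, `awsSecret`, `vault` and `certManager` objects so a mistyped credential key fails at install time instead of being silently ignored. The `assumeRoleArn` description at L19577 also carries a stray leading space (`" ARN of an IAM role to assume"`). The same naming mismatch is visible in the values hunk that follows and is not repeated there.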
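--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE-values
@@ -0,0 +1,266 @@
+# NGINX Service Mesh image registry settings.
+registry:
+# Hostname:port (if needed) for registry and path to images.
+# Affects: nginx-mesh-api, nginx-mesh-cert-reloader, nginx-mesh-init, nginx-mesh-metrics, nginx-mesh-sidecar
+server: "docker-registry.nginx.com/nsm"
+
+# Tag used for pulling images from registry
+# Affects: nginx-mesh-api, nginx-mesh-cert-reloader, nginx-mesh-init, nginx-mesh-metrics, nginx-mesh-sidecar
+imageTag: "1.4.1"
+
+# Note: Currently only works with Google Cloud registry.
+# Contents of your Google Cloud JSON key file. Can be set via "--set-file registry.key=<your-key-file>.json"
+# Cannot be used with username or password.
+key: ""
+
+# Username for accessing private registry.
+# Requires password to be set. Cannot be used with key.
+username: ""
+
+# Password for accessing private registry.
+# Requires username to be set. Cannot be used with key.
+password: ""
+
+# Do not pull third party images from public repositories.
+# If true, registry.server is used for all images.
+disablePublicImages: false
+
+# Image pull policy
+# Valid values: Always, IfNotPresent, Never
+imagePullPolicy: "IfNotPresent"
+
+# Default access control mode for service-to-service communication.
+# Valid values: allow, deny
+accessControlMode: "allow"
+
+# Environment to deploy the mesh into.
+# Valid values: kubernetes, openshift
+environment: "kubernetes"
+
+# Enable UDP traffic proxying (beta). Linux kernel 4.18 or greater is required.
+enableUDP: false
+
+# Deploy Grafana as a part of the NGINX Service Mesh.
+# Note: This configurable will be removed in version 1.5
+# Valid values: true, false
+deployGrafana: true
+
+# NGINX error log level.
+# Valid values: debug, info, notice, warn, error, crit, alert, emerg
+nginxErrorLogLevel: "warn"
+
+# NGINX log format.
+# Valid values: default, json
+nginxLogFormat: "default"
+
+# NGINX load balancing method.
+# Valid values: [least_conn, least_time, least_time last_byte, least_time last_byte inflight,
+# random, random two, random two least_conn, random two least_time, random two least_time=last_byte, round_robin]
+nginxLBMethod: "least_time"
+
+# The address of a Prometheus server deployed in your Kubernetes cluster.
+# Address should be in the format <service-name>.<namespace>:<service-port>.
+prometheusAddress: ""
+
+# NGINX Service Mesh auto-injection settings.
+autoInjection:
+# Disable automatic sidecar injection upon resource creation.
+# Use the "enabledNamespaces" flag to enable automatic injection in select namespaces.
+disable: false
+
+# Disable automatic sidecar injection for specific namespaces.
+# Cannot be used with "disable".
+disabledNamespaces: []
+
+# Enable automatic sidecar injection for specific namespaces.
+# Must be used with "disable".
+enabledNamespaces: []
+
+# NGINX Service Mesh tracing settings.
+# Cannot be set when telemetry is set.
+# If deploying with tracing, make sure the telemetry object is set to {}.
+tracing:
+# Disable tracing for all services.
+# Note: This configurable will be removed in version 1.5
+disable: false
+
+# The address of a tracing server deployed in your Kubernetes cluster.
+# Address should be in the format <service-name>.<namespace>:<service_port>.
+address: ""
+
+# The tracing backend that you want to use.
+# Valid values: datadog, jaeger, zipkin
+backend: "jaeger"
+
+# The sample rate to use for tracing. Float between 0 and 1.
+sampleRate: 0.01
+
+# NGINX Service Mesh telemetry settings.
+# Cannot be set when tracing is set.
+# To enable telemetry, uncomment the following object and set the tracing object to {}.
+telemetry: {}
+# # The percentage of traces that are processed and exported to the telemetry backend. Float between 0 and 1.
+# samplerRatio: 0.01
+# # The configuration of exporters to send telemetry data to.
+# exporters:
+# # The configuration for an OTLP gRPC exporter.
+# otlp:
+# # The host of the OpenTelemetry gRPC exporter to connect to. Must be accessible from within the cluster.
+# host: ""
+# # The port of the OpenTelemetry gRPC exporter to connect to.
+# port: 4317
+
+# Mutual TLS settings. See https://docs.nginx.com/nginx-service-mesh/guides/secure-traffic-mtls for more info.
+mtls:
+# mTLS mode for pod-to-pod communication.
+# Valid values: off, permissive, strict
+mode: "permissive"
+
+# The CA/signing key TTL in hours(h) or minutes(m).
+caTTL: "720h"
+
+# The TTL of certificates issued to workloads in hours(h) or minutes(m).
+svidTTL: "1h"
+
+# The trust domain of NGINX Service Mesh.
+trustDomain: "example.org"
+
+# Use persistent storage; "on" assumes that a StorageClass exists.
+# Valid values: on, off
+persistentStorage: "on"
+
+# Storage logic for SPIRE Server's private keys.
+# Valid values: disk, memory
+spireServerKeyManager: "disk"
+
+# The key type used for the SPIRE Server CA.
+# Valid values: ec-p256, ec-p384, rsa-2048, rsa-4096
+caKeyType: "ec-p256"
+
+## Upstream authority settings. If left empty, SPIRE is used as the upstream authority.
+## Only uncomment and fill out the object pertinent to you (disk, awsPCA, awsSecret, vault, certManager).
+upstreamAuthority: {}
+
+# # Disk object (see https://github.com/spiffe/spire/blob/v1.0/doc/plugin_server_upstreamauthority_disk.md)
+# disk:
+# # Contents of your PEM encoded certificate file. Can be set via "--set-file mtls.upstreamAuthority.disk.cert=<cert-file-path>"
+# cert: ""
+# # Contents of your PEM encoded key file. Can be set via "--set-file mtls.upstreamAuthority.disk.key=<key-file-path>"
+# key: ""
+# # Optional; contents of your CA bundle file. Can be set via "--set-file mtls.upstreamAuthority.disk.bundle=<bundle-file-path>"
+# bundle: ""
+
+# # AWS PCA object (see https://github.com/spiffe/spire/blob/v1.0/doc/plugin_server_upstreamauthority_aws_pca.md)
+# awsPCA:
+# # AWS region to use
+# region: ""
+# # ARN of the upstream CA certificate
+# certificateAuthorityArn: ""
+
+# ## Optional auth fields
+# ## See https://docs.nginx.com/nginx-service-mesh/guides/secure-traffic-mtls/#deploy-using-an-upstream-root-ca for instructions on configuring auth for aws_pca
+
+# # AWS access key ID
+# # This access key ID will be encoded, stored in a Kubernetes Secret, and mounted to the SPIRE server Pod
+# awsAccessKeyID: ""
+# # AWS secret access key
+# # This secret access key will be encoded, stored in a Kubernetes Secret, and mounted to the SPIRE server Pod
+# awsSecretAccessKey: ""
+# # ARN of the signing template to use for the server's CA
+# # ARN of an IAM role to assume
+# # The SPIRE server will need permission to assume this IAM role. Either attach an IAM role to the EC2 instance with the capability to assume this role, or provide your AWS credentials
+# assumeRoleArn: ""
+
+# ## Other optional fields
+# caSigningTemplateArn: ""
+# # Signing algorithm to use for the server's CA
+# signingAlgorithm: ""
+# # Endpoint as hostname or fully-qualified URI that overrides the default endpoint
+# endpoint: ""
+# # Contents of a PEM encoded CA certificates file that should be additionally included in the bundle.
+# # Can be set via "--set-file mtls.upstreamAuthority.awsPCA.supplementalBundle=<supplemental-bundle-file-path>"
+# supplementalBundle: ""
+
+# # AWS Secret object (see https://github.com/spiffe/spire/blob/v1.0/doc/plugin_server_upstreamauthority_awssecret.md)
+# awsSecret:
+# # AWS region to use
+# region: ""
+# # ARN of the upstream CA certificate
+# certFileArn: ""
+# # ARN of the upstream CA key file
+# keyFileArn: ""
+
+# ## Choose an appropriate auth method
+
+# # AWS access key ID. This access key ID will be stored in plaintext in the Spire server configmap.
+# # For other AWS authentication options see: (see https://github.com/spiffe/spire/blob/v1.0/doc/plugin_server_upstreamauthority_awssecret.md)
+# awsAccessKeyID: ""
+# # AWS secret access key. This secret access key ID will be stored in plaintext in the Spire server configmap.
+# # For other AWS authentication options see: (see https://github.com/spiffe/spire/blob/v1.0/doc/plugin_server_upstreamauthority_awssecret.md)
+# awsSecretAccessKey: ""
+# # AWS secret token
+# awsSecretToken: ""
+# # ARN of role to assume
+# assumeRoleArn: ""
+
+# # Vault object (see https://github.com/spiffe/spire/blob/v0.12/doc/plugin_server_upstreamauthority_vault.md)
+# vault:
+# # URL of the Vault server
+# vaultAddr: ""
+# # Vault namespace
+# namespace: ""
+# # Contents of a PEM encoded CA certificate file to verify the Vault server certificate.
+# # Can be set via "--set-file mtls.upstreamAuthority.vault.caCert=<ca-cert-file-path>"
+# caCert: ""
+# # Name of the mount point where the PKI secret engine is mounted
+# pkiMountPoint: "pki"
+# # If true, vault client accepts any server certificates
+# insecureSkipVerify: false
+
+# # Client Certificate Authentication
+# certAuth:
+# # Contents of your client cert file. Can be set via "--set-file mtls.upstreamAuthority.vault.certAuth.clientCert=<cert-file-path>"
+# clientCert: ""
+# # Contents of your client key file. Can be set via "--set-file mtls.upstreamAuthority.vault.certAuth.clientKey=<key-file-path>"
+# clientKey: ""
+
+# ## Optional fields
+
+# # Name of the mount point where TLS certificate auth method is mounted
+# certAuthMountPoint: "cert"
+# # Name of the vault role. If given, the plugin authenticates against only the named role. Default to trying all roles.
+# certAuthRoleName: ""
+
+# # Token Authentication
+# tokenAuth:
+# # Token string set into "X-Vault-Token" header
+# token: ""
+
+# # AppRole Authentication
+# approleAuth:
+# # An identifier of AppRole
+# approleID: ""
+# # A credential of AppRole
+# approleSecretID: ""
+
+# # Name of the mount point where the AppRole auth method is mounted
+# approleAuthMountPoint: "approle"
+
+# # Cert Manager object (see https://github.com/spiffe/spire/blob/v1.0/doc/plugin_server_upstreamauthority_cert_manager.md)
+# certManager:
+# # The namespace to create CertificateRequests for signing.
+# namespace: ""
+# # The name of the issuer to reference in CertificateRequests.
+# issuerName: ""
+
+# ## Optional fields
+
+# # The kind of the issuer to reference in CertificateRequests.
+# issuerKind: "Issuer"
+
+# # The group of the issuer to reference in CertificateRequests.
+# issuerGroup: "cert-manager.io"
+
+# # Contents of the kubeconfig file used to connect to the Kubernetes cluster. Empty file will attempt to use an in-cluster config.
+# # Can be set via "--set-file mtls.upstreamAuthority.certManager.kubeConfig=<kube-config-file-path>".
+# kubeConfig: ""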
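Review bot: The `awsSecret` example (L22354, L22366) tells users that their AWS access key and secret key `will be stored in plaintext in the Spire server configmap`, whereas the `awsPCA` example above it (L22234, L22246) says the same kind of credential is `encoded, stored in a Kubernetes Secret, and mounted to the SPIRE server Pod`; a ConfigMap is normally readable by more RBAC principals than a Secret, so the comment should at least steer users toward the role-based option, e.g. `# # Prefer assumeRoleArn or an instance/pod IAM role; static keys set here are written to the SPIRE server ConfigMap, not to a Secret.`, and the template side (outside this hunk) should give these keys the same Secret treatment the awsPCA path already has. L22366 also reads `This secret access key ID` for a value that is the secret access key, not an ID. Separately, the comment `# # ARN of the signing template to use for the server's CA` at L22254 sits above `assumeRoleArn` but describes `caSigningTemplateArn` at L22277, which currently has no description at all; move it directly above that line.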
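--- a/index.yaml
+++ b/index.yaml
@@ -3158,6 +3158,21 @@ entries:
 - assets/nginx-ingress/nginx-ingress-0.10.0.tgz
 version: 0.10.0
 nginx-service-mesh:
+- annotations:
+catalog.cattle.io/certified: partner
+catalog.cattle.io/display-name: NGINX Service Mesh
+catalog.cattle.io/release-name: nginx-service-mesh
+apiVersion: v2
+appVersion: 1.4.1
+created: "2022-05-26T16:04:12.006459-06:00"
+description: NGINX Service Mesh
+digest: 8cb331eb85ab17caa1e02dc3cb3c3632d7931d13a4fb566c6ed1dbeeb2124095
+icon: https://raw.githubusercontent.com/nginxinc/nginx-service-mesh/master/helm-chart/chart-icon.png
+kubeVersion: '>= 1.18-0'
+name: nginx-service-mesh
+urls:
+- assets/nginx-service-mesh/nginx-service-mesh-0.4.100.tgz
+version: 0.4.100
 - annotations:
 catalog.cattle.io/certified: partner
 catalog.cattle.io/display-name: NGINX Service Mesh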