andata
/
rancher-partner-charts
mirror of https://git.rancher.io/partner-charts
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Add NSM assets/charts for v1.4.1

pull/433/head
Pamme Crandall 2022-05-26 16:04:17 -06:00
parent 6ef046d80a
commit 7f5f11b43e
48 changed files with 5660 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

BIN
assets/nginx-service-mesh/nginx-service-mesh-0.4.100.tgz Normal file
View File

Binary file not shown.

11
charts/nginx-service-mesh/nginx-service-mesh/0.4.100/Chart.yaml Normal file
View File

@ -0,0 +1,11 @@
annotations:
catalog.cattle.io/certified: partner
catalog.cattle.io/display-name: NGINX Service Mesh
catalog.cattle.io/release-name: nginx-service-mesh
apiVersion: v2
appVersion: 1.4.1
description: NGINX Service Mesh
icon: https://raw.githubusercontent.com/nginxinc/nginx-service-mesh/master/helm-chart/chart-icon.png
kubeVersion: '>= 1.18-0'
name: nginx-service-mesh
version: 0.4.100

11
charts/nginx-service-mesh/nginx-service-mesh/0.4.100/README.md Normal file
View File

@ -0,0 +1,11 @@
# NGINX Service Mesh
Before deploying NGINX Service Mesh, see the [Platform Guide](https://docs.nginx.com/nginx-service-mesh/get-started/kubernetes-platform/) to ensure your environment is properly configured. If [Persistent Storage](https://docs.nginx.com/nginx-service-mesh/get-started/kubernetes-platform/persistent-storage/) is not configured in your cluster, set the `mTLS.persistentStorage` field to `off`. Verify that no other service meshes exist in your Kubernetes cluster. It is advised to install NGINX Service Mesh in a dedicated namespace.
## Helm Installation and Configuration
For information on the configuration options and installation process when using Helm with NGINX Service Mesh, see the [Installation Guide](https://docs.nginx.com/nginx-service-mesh/get-started/install-with-helm/).
## Rancher users
When deploying NGINX Service Mesh via the Rancher Apps and Marketplace, the Helm value `rancher` is set to `true` by default. This value causes Pods in the `cattle-*`, `ingress-nginx`, and `cert-manager` namespaces to be ignored by the automatic sidecar injection webhook. If this behavior is not desired, the `rancher` value can be set to `false`, or the `injector.nsm.nginx.com/auto-inject` label can be manually removed from these namespaces.

21
charts/nginx-service-mesh/nginx-service-mesh/0.4.100/app-readme.md Normal file
View File

@ -0,0 +1,21 @@
# NGINX Service Mesh
[NGINX Service Mesh](https://docs.nginx.com/nginx-service-mesh/) is a fully integrated lightweight service mesh that leverages a data plane powered by NGINX Plus to manage container traffic in Kubernetes environments.
NGINX Service Mesh is supported in Rancher 2.5+ when deploying from the Apps and Marketplace. NGINX Service Mesh is not currently supported on k3s.
## Enabling telemetry
Telemetry can only be enabled by editing the configuration YAML directly in the Rancher UI. When installing NGINX Service Mesh, select the `Edit YAML` option. To enable telemetry, set the `tracing` object to `{}` and fill out the `telemetry` object.
The telemetry object expects a `samplerRatio`, and the `host` and `port` of your OTLP gRPC collector.
For example:
```yaml
tracing: {}
telemetry:
samplerRatio: 0.01
exporters:
otlp:
host: "my-otlp-collector-host"
port: 4317
```

BIN
charts/nginx-service-mesh/nginx-service-mesh/0.4.100/chart-icon.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 12 KiB

11
charts/nginx-service-mesh/nginx-service-mesh/0.4.100/configs/grafana-dashboard-conf.yaml Normal file
View File

@ -0,0 +1,11 @@
apiVersion: 1
providers:
- name: 'default'
orgId: 1
folder: ''
type: file
disableDeletion: true
editable: true
options:
path: /var/lib/grafana/dashboards
homeDashboardId: nginx-mesh-top

12
charts/nginx-service-mesh/nginx-service-mesh/0.4.100/configs/grafana-datasources-conf.yaml Normal file
View File

@ -0,0 +1,12 @@
apiVersion: 1
datasources:
- name: prometheus
type: prometheus
access: proxy
orgId: 1
url: http://{{ include "prometheus.address" . }}
isDefault: true
jsonData:
timeInterval: "5s"
version: 1
editable: true

697
charts/nginx-service-mesh/nginx-service-mesh/0.4.100/configs/grafana-top-dashboard.json Normal file
View File

@ -0,0 +1,697 @@
{
"annotations": {
"list": [
{
"builtIn": 1,
"datasource": "-- Grafana --",
"enable": true,
"hide": true,
"iconColor": "rgba(0, 211, 255, 1)",
"name": "Annotations & Alerts",
"type": "dashboard"
}
]
},
"editable": true,
"gnetId": null,
"graphTooltip": 0,
"id": null,
"links": [],
"panels": [
{
"cacheTimeout": null,
"colorBackground": false,
"colorValue": false,
"colors": [
"#299c46",
"rgba(237, 129, 40, 0.89)",
"#d44a3a"
],
"datasource": "prometheus",
"fieldConfig": {
"defaults": {},
"overrides": []
},
"format": "percentunit",
"gauge": {
"maxValue": 100,
"minValue": 0,
"show": false,
"thresholdLabels": false,
"thresholdMarkers": true
},
"gridPos": {
"h": 6,
"w": 8,
"x": 0,
"y": 0
},
"id": 4,
"interval": null,
"links": [],
"mappingType": 1,
"mappingTypes": [
{
"name": "value to text",
"value": 1
},
{
"name": "range to text",
"value": 2
}
],
"maxDataPoints": 100,
"nullPointMode": "connected",
"nullText": null,
"postfix": "",
"postfixFontSize": "50%",
"prefix": "",
"prefixFontSize": "50%",
"rangeMaps": [
{
"from": "null",
"text": "N/A",
"to": "null"
}
],
"sparkline": {
"fillColor": "rgba(31, 118, 189, 0.18)",
"full": true,
"lineColor": "rgb(31, 120, 193)",
"show": true
},
"tableColumn": "",
"targets": [
{
"expr": "sum(irate(nginxplus_upstream_server_responses{code=~\"1xx|2xx\"}[30s])) / sum(irate(nginxplus_upstream_server_responses[30s]))",
"format": "time_series",
"interval": "5s",
"intervalFactor": 1,
"refId": "A"
}
],
"thresholds": "",
"title": "GLOBAL SUCCESS RATE",
"type": "singlestat",
"valueFontSize": "80%",
"valueMaps": [
{
"op": "=",
"text": "N/A",
"value": "null"
}
],
"valueName": "current"
},
{
"cacheTimeout": null,
"colorBackground": false,
"colorValue": false,
"colors": [
"#299c46",
"rgba(237, 129, 40, 0.89)",
"#d44a3a"
],
"datasource": "prometheus",
"fieldConfig": {
"defaults": {},
"overrides": []
},
"format": "reqps",
"gauge": {
"maxValue": 100,
"minValue": 0,
"show": false,
"thresholdLabels": false,
"thresholdMarkers": true
},
"gridPos": {
"h": 6,
"w": 13,
"x": 8,
"y": 0
},
"id": 6,
"interval": null,
"links": [],
"mappingType": 1,
"mappingTypes": [
{
"name": "value to text",
"value": 1
},
{
"name": "range to text",
"value": 2
}
],
"maxDataPoints": 100,
"nullPointMode": "connected",
"nullText": null,
"postfix": "",
"postfixFontSize": "50%",
"prefix": "",
"prefixFontSize": "50%",
"rangeMaps": [
{
"from": "null",
"text": "N/A",
"to": "null"
}
],
"sparkline": {
"fillColor": "rgba(31, 118, 189, 0.18)",
"full": true,
"lineColor": "rgb(31, 120, 193)",
"show": true
},
"tableColumn": "",
"targets": [
{
"expr": "sum(irate(nginxplus_http_requests_total[30s]))",
"format": "time_series",
"interval": "5s",
"intervalFactor": 1,
"refId": "A"
}
],
"thresholds": "",
"title": "GLOBAL REQUEST VOLUME",
"type": "singlestat",
"valueFontSize": "80%",
"valueMaps": [
{
"op": "=",
"text": "N/A",
"value": "null"
}
],
"valueName": "current"
},
{
"cacheTimeout": null,
"colorBackground": false,
"colorValue": false,
"colors": [
"#299c46",
"rgba(237, 129, 40, 0.89)",
"#d44a3a"
],
"datasource": "prometheus",
"fieldConfig": {
"defaults": {},
"overrides": []
},
"format": "none",
"gauge": {
"maxValue": 100,
"minValue": 0,
"show": false,
"thresholdLabels": false,
"thresholdMarkers": true
},
"gridPos": {
"h": 6,
"w": 3,
"x": 21,
"y": 0
},
"id": 5,
"interval": null,
"links": [],
"mappingType": 1,
"mappingTypes": [
{
"name": "value to text",
"value": 1
},
{
"name": "range to text",
"value": 2
}
],
"maxDataPoints": 100,
"nullPointMode": "connected",
"nullText": null,
"postfix": "",
"postfixFontSize": "50%",
"prefix": "",
"prefixFontSize": "50%",
"rangeMaps": [
{
"from": "null",
"text": "N/A",
"to": "null"
}
],
"sparkline": {
"fillColor": "rgba(31, 118, 189, 0.18)",
"full": true,
"lineColor": "rgb(31, 120, 193)",
"show": false
},
"tableColumn": "",
"targets": [
{
"expr": "count(nginxplus_http_requests_total)",
"format": "time_series",
"interval": "5s",
"intervalFactor": 1,
"refId": "A"
}
],
"thresholds": "",
"title": "PODS MONITORED",
"type": "singlestat",
"valueFontSize": "200%",
"valueMaps": [
{
"op": "=",
"text": "N/A",
"value": "null"
}
],
"valueName": "current"
},
{
"aliasColors": {},
"bars": false,
"dashLength": 10,
"dashes": false,
"datasource": "prometheus",
"fieldConfig": {
"defaults": {},
"overrides": []
},
"fill": 1,
"fillGradient": 0,
"gridPos": {
"h": 9,
"w": 12,
"x": 0,
"y": 6
},
"hiddenSeries": false,
"id": 2,
"legend": {
"avg": false,
"current": false,
"max": false,
"min": false,
"show": true,
"total": false,
"values": false
},
"lines": true,
"linewidth": 1,
"links": [],
"nullPointMode": "null",
"options": {
"alertThreshold": true
},
"percentage": false,
"pluginVersion": "8.3.4",
"pointradius": 5,
"points": false,
"renderer": "flot",
"seriesOverrides": [],
"spaceLength": 10,
"stack": false,
"steppedLine": false,
"targets": [
{
"expr": "irate(nginxplus_http_requests_total[30s])",
"format": "time_series",
"interval": "",
"intervalFactor": 1,
"refId": "A"
}
],
"thresholds": [],
"timeFrom": null,
"timeRegions": [],
"timeShift": null,
"title": "Request Volume",
"tooltip": {
"shared": true,
"sort": 0,
"value_type": "individual"
},
"type": "graph",
"xaxis": {
"buckets": null,
"mode": "time",
"name": null,
"show": true,
"values": []
},
"yaxes": [
{
"format": "reqps",
"label": null,
"logBase": 1,
"max": null,
"min": "0",
"show": true
},
{
"format": "short",
"label": null,
"logBase": 1,
"max": null,
"min": null,
"show": true
}
],
"yaxis": {
"align": false,
"alignLevel": null
}
},
{
"aliasColors": {},
"bars": false,
"dashLength": 10,
"dashes": false,
"datasource": "prometheus",
"fieldConfig": {
"defaults": {},
"overrides": []
},
"fill": 1,
"fillGradient": 0,
"gridPos": {
"h": 9,
"w": 12,
"x": 12,
"y": 6
},
"hiddenSeries": false,
"id": 123124,
"legend": {
"avg": false,
"current": false,
"max": false,
"min": false,
"show": true,
"total": false,
"values": false
},
"lines": true,
"linewidth": 1,
"links": [],
"nullPointMode": "null",
"options": {
"alertThreshold": true
},
"percentage": false,
"pluginVersion": "8.3.4",
"pointradius": 5,
"points": false,
"renderer": "flot",
"seriesOverrides": [],
"spaceLength": 10,
"stack": false,
"steppedLine": false,
"targets": [
{
"expr": "sum(irate(nginxplus_upstream_server_responses{code=~\"1xx|2xx\"}[30s])) by (app, version) / sum(irate(nginxplus_upstream_server_responses[30s])) by (app, version)",
"format": "time_series",
"instant": false,
"interval": "",
"intervalFactor": 1,
"legendFormat": "",
"refId": "A"
}
],
"thresholds": [],
"timeFrom": null,
"timeRegions": [],
"timeShift": null,
"title": "Pod Success",
"tooltip": {
"shared": true,
"sort": 0,
"value_type": "individual"
},
"type": "graph",
"xaxis": {
"buckets": null,
"mode": "time",
"name": null,
"show": true,
"values": []
},
"yaxes": [
{
"format": "percentunit",
"label": null,
"logBase": 1,
"max": "1",
"min": "0",
"show": true
},
{
"format": "short",
"label": null,
"logBase": 1,
"max": null,
"min": null,
"show": true
}
],
"yaxis": {
"align": false,
"alignLevel": null
}
},
{
"aliasColors": {},
"bars": false,
"dashLength": 10,
"dashes": false,
"datasource": null,
"description": "RSS used by NGINX Service Mesh sidecars",
"fieldConfig": {
"defaults": {},
"overrides": []
},
"fill": 1,
"fillGradient": 0,
"gridPos": {
"h": 8,
"w": 12,
"x": 0,
"y": 15
},
"hiddenSeries": false,
"id": 123126,
"legend": {
"avg": false,
"current": false,
"max": false,
"min": false,
"show": true,
"total": false,
"values": false
},
"lines": true,
"linewidth": 1,
"nullPointMode": "null",
"options": {
"alertThreshold": true
},
"percentage": false,
"pluginVersion": "8.3.4",
"pointradius": 2,
"points": false,
"renderer": "flot",
"seriesOverrides": [],
"spaceLength": 10,
"stack": false,
"steppedLine": false,
"targets": [
{
"expr": "nginxplus_workers_mem_rss",
"interval": "",
"legendFormat": "",
"refId": "A"
}
],
"thresholds": [],
"timeFrom": null,
"timeRegions": [],
"timeShift": null,
"title": "Sidecar Memory Usage (RSS)",
"tooltip": {
"shared": true,
"sort": 0,
"value_type": "individual"
},
"type": "graph",
"xaxis": {
"buckets": null,
"mode": "time",
"name": null,
"show": true,
"values": []
},
"yaxes": [
{
"format": "decbytes",
"label": null,
"logBase": 1,
"max": null,
"min": null,
"show": true
},
{
"format": "short",
"label": null,
"logBase": 1,
"max": null,
"min": null,
"show": true
}
],
"yaxis": {
"align": false,
"alignLevel": null
}
},
{
"aliasColors": {},
"bars": false,
"dashLength": 10,
"dashes": false,
"datasource": null,
"description": "Private memory used by NGINX Service Mesh sidecars",
"fieldConfig": {
"defaults": {},
"overrides": []
},
"fill": 1,
"fillGradient": 0,
"gridPos": {
"h": 8,
"w": 12,
"x": 12,
"y": 15
},
"hiddenSeries": false,
"id": 123128,
"legend": {
"avg": false,
"current": false,
"max": false,
"min": false,
"show": true,
"total": false,
"values": false
},
"lines": true,
"linewidth": 1,
"nullPointMode": "null",
"options": {
"alertThreshold": true
},
"percentage": false,
"pluginVersion": "8.3.4",
"pointradius": 2,
"points": false,
"renderer": "flot",
"seriesOverrides": [],
"spaceLength": 10,
"stack": false,
"steppedLine": false,
"targets": [
{
"expr": "nginxplus_workers_mem_private",
"interval": "",
"legendFormat": "",
"refId": "A"
}
],
"thresholds": [],
"timeFrom": null,
"timeRegions": [],
"timeShift": null,
"title": "Sidecar Memory Usage (Private)",
"tooltip": {
"shared": true,
"sort": 0,
"value_type": "individual"
},
"type": "graph",
"xaxis": {
"buckets": null,
"mode": "time",
"name": null,
"show": true,
"values": []
},
"yaxes": [
{
"format": "short",
"label": null,
"logBase": 1,
"max": null,
"min": null,
"show": true
},
{
"format": "short",
"label": null,
"logBase": 1,
"max": null,
"min": null,
"show": true
}
],
"yaxis": {
"align": false,
"alignLevel": null
}
}
],
"refresh": "5s",
"schemaVersion": 27,
"style": "dark",
"tags": [],
"templating": {
"list": []
},
"time": {
"from": "now-5m",
"to": "now"
},
"timepicker": {
"refresh_intervals": [
"5s",
"10s",
"30s",
"1m",
"5m",
"15m",
"30m",
"1h",
"2h",
"1d"
],
"time_options": [
"5m",
"15m",
"1h",
"6h",
"12h",
"24h",
"2d",
"7d",
"30d"
]
},
"timezone": "",
"title": "NGINX Mesh Top",
"uid": "N3zQ72OWk",
"version": 1
}

15
charts/nginx-service-mesh/nginx-service-mesh/0.4.100/configs/grafana.ini Normal file
View File

@ -0,0 +1,15 @@
instance_name = nginx-mesh-grafana
[auth]
disable_login_form = true
[auth.anonymous]
enabled = true
org_role = Admin
[auth.basic]
enabled = false
[analytics]
check_for_updates = false
Events: <none>

11
charts/nginx-service-mesh/nginx-service-mesh/0.4.100/configs/k8s-workload-registrar.conf Normal file
View File

@ -0,0 +1,11 @@
log_level = "debug"
trust_domain = {{ quote .Values.mtls.trustDomain }}
server_socket_path = "/run/spire/sockets/spire-registration.sock"
cluster = "nginx-mesh"
pod_controller = true
add_svc_dns_name = true
mode = "crd"
webhook_enabled = true
webhook_cert_dir = "/tmp/k8s-webhook-server/serving-certs"
identity_template_label = "spiffe.io/spiffeid"
dns_name_templates = ["{{`{{ .Pod.Name}}`}}", "{{`{{ .Pod.ServiceAccount }}`}}.{{`{{ .Pod.Namespace }}`}}.svc"]

79
charts/nginx-service-mesh/nginx-service-mesh/0.4.100/configs/mesh-config.conf Normal file
View File

@ -0,0 +1,79 @@
{
"accessControlMode": {{ quote .Values.accessControlMode }},
"api": {
"address": {{ printf "nginx-mesh-api.%s" .Release.Namespace | quote }},
"containerPort": 8443,
"port": 443
},
"autoInjectorPort": 9443,
"environment": {{ quote .Values.environment }},
"isUDPEnabled": {{ .Values.enableUDP }},
"injection": {
"disabledNamespaces": [{{ range $idx, $elem := .Values.autoInjection.disabledNamespaces }}{{if $idx}},{{end}}{{quote .}}{{end}}],
"enabledNamespaces": [{{ range $idx, $elem := .Values.autoInjection.enabledNamespaces }}{{if $idx}},{{end}}{{quote .}}{{end}}],
"isAutoInjectEnabled": {{ not .Values.autoInjection.disable }}
},
"loadBalancingMethod": {{ quote .Values.nginxLBMethod }},
"mtls": {
"mode": {{ quote .Values.mtls.mode }},
"caTTL": {{ quote .Values.mtls.caTTL }},
"svidTTL": {{ quote .Values.mtls.svidTTL }},
"caKeyType": {{ quote .Values.mtls.caKeyType }}
},
"mtlsMode": {{ quote .Values.mtls.mode }},
"namespace": {{ quote .Release.Namespace }},
"nginxErrorLogLevel": {{ quote .Values.nginxErrorLogLevel }},
"nginxLogFormat": {{ quote .Values.nginxLogFormat }},
"prometheusAddress": {{ include "prometheus.address" . | quote }},
"proxy": {
"ports": {
"incoming": 8888,
"incomingGrpc": 8891,
"incomingGrpcPermissive": 8893,
"incomingNotInKeyval": 8903,
"incomingPermissive": 8890,
"incomingRedirect": 8901,
"incomingTcp": 8904,
"incomingTcpDeny": 8905,
"incomingTcpPermissive": 8907,
"outgoingUdp": 8908,
"incomingUdp": 8909,
"metrics": 8887,
"outgoing": 8889,
"outgoingDefaultEgress": 8894,
"outgoingGrpc": 8892,
"outgoingNotInKeyval": 8902,
"outgoingRedirect": 8900,
"outgoingTcp": 8906,
"plusApi": 8886,
"redirectHealthPort": 8895,
"redirectHealthPortHTTPS": 8896
},
"transparent": false
},
"registryKeyName": {{ if (include "docker-config-json" .) }}{{ include "registry-key-name" . | quote }}{{ else }}""{{ end }},
"sidecarImage": {
"image": {{ printf "%s/nginx-mesh-sidecar:%s" .Values.registry.server .Values.registry.imageTag | quote }},
"name": "nginx-mesh-sidecar"
},
"sidecarInitImage": {
"image": {{ printf "%s/nginx-mesh-init:%s" .Values.registry.server .Values.registry.imageTag | quote }},
"name": "nginx-mesh-init"
},
"tracing": {{if .Values.tracing }}{
"backend": {{ quote .Values.tracing.backend }},
"backendAddress": {{ include "tracing.address" . | quote }},
"isEnabled": {{ not .Values.tracing.disable }},
"sampleRate": {{ .Values.tracing.sampleRate }}
},{{ else }}{},{{ end }}
"telemetry": {{ if .Values.telemetry }}{
"exporters": {
"otlp": {
"host": {{ quote .Values.telemetry.exporters.otlp.host }},
"port": {{ .Values.telemetry.exporters.otlp.port }}
}
},
"samplerRatio": {{ .Values.telemetry.samplerRatio }}
},{{ else }}{},{{ end }}
"trustDomain": {{ quote .Values.mtls.trustDomain }}
}

8
charts/nginx-service-mesh/nginx-service-mesh/0.4.100/configs/nats.conf Normal file
View File

@ -0,0 +1,8 @@
pid_file: "/var/run/nats/nats.pid"
http: 8222
tls: {
ca_file: "/etc/ssl/ca.crt"
cert_file: "/etc/ssl/tls.crt"
key_file: "/etc/ssl/tls.key"
verify: true
}

72
charts/nginx-service-mesh/nginx-service-mesh/0.4.100/configs/prometheus-config.yaml Normal file
View File

@ -0,0 +1,72 @@
global:
scrape_interval: 10s
scrape_configs:
- job_name: 'nginx-mesh-sidecars'
kubernetes_sd_configs:
- role: pod
relabel_configs:
- source_labels: [__meta_kubernetes_pod_container_name]
action: keep
regex: nginx-mesh-sidecar
- action: labelmap
regex: __meta_kubernetes_pod_label_nsm_nginx_com_(.+)
- action: labeldrop
regex: __meta_kubernetes_pod_label_nsm_nginx_com_(.+)
- action: labelmap
regex: __meta_kubernetes_pod_label_(.+)
- source_labels: [__meta_kubernetes_namespace]
action: replace
target_label: namespace
- source_labels: [__meta_kubernetes_pod_name]
action: replace
target_label: pod
- job_name: 'nginx-plus-ingress'
kubernetes_sd_configs:
- role: pod
relabel_configs:
- source_labels: [__meta_kubernetes_pod_container_name]
action: keep
regex: nginx-plus-ingress
- source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_scrape]
action: keep
regex: true
- source_labels: [__address__, __meta_kubernetes_pod_annotation_prometheus_io_port]
action: replace
target_label: __address__
regex: (.+)(?::\d+);(\d+)
replacement: $1:$2
- source_labels: [__meta_kubernetes_namespace]
action: replace
target_label: namespace
- source_labels: [__meta_kubernetes_pod_name]
action: replace
target_label: pod
- action: labelmap
regex: __meta_kubernetes_pod_label_nsm_nginx_com_(.+)
- action: labeldrop
regex: __meta_kubernetes_pod_label_nsm_nginx_com_(.+)
- action: labelmap
regex: __meta_kubernetes_pod_label_(.+)
- action: labelmap
regex: __meta_kubernetes_pod_annotation_nsm_nginx_com_enable_(.+)
metric_relabel_configs:
- source_labels: [__name__]
regex: 'nginx_ingress_controller_upstream_server_response_latency_ms(.+)'
target_label: __name__
replacement: 'nginxplus_upstream_server_response_latency_ms$1'
- source_labels: [__name__]
regex: 'nginx_ingress_nginxplus(.+)'
target_label: __name__
replacement: 'nginxplus$1'
- source_labels: [service]
target_label: dst_service
- source_labels: [resource_namespace]
target_label: dst_namespace
- source_labels: [pod_owner]
regex: '(.+)\/(.+)'
target_label: dst_$1
replacement: $2
- action: labeldrop
regex: pod_owner
- source_labels: [pod_name]
target_label: dst_pod

33
charts/nginx-service-mesh/nginx-service-mesh/0.4.100/configs/spire-agent.conf Normal file
View File

@ -0,0 +1,33 @@
agent {
data_dir = "/run/spire"
log_level = "DEBUG"
server_address = "spire-server"
server_port = "8081"
socket_path = "/run/spire/sockets/agent.sock"
trust_bundle_path = "/run/spire/bundle/bundle.crt"
trust_domain = {{ quote .Values.mtls.trustDomain }}
}
plugins {
NodeAttestor "k8s_psat" {
plugin_data {
cluster = "nginx-mesh"
}
}
KeyManager "memory" {
plugin_data {
}
}
WorkloadAttestor "k8s" {
plugin_data {
skip_kubelet_verification = true
}
}
WorkloadAttestor "unix" {
plugin_data {
}
}
}

72
charts/nginx-service-mesh/nginx-service-mesh/0.4.100/configs/spire-server.conf Normal file
View File

@ -0,0 +1,72 @@
server {
bind_address = "0.0.0.0"
bind_port = "8081"
ca_key_type = {{ quote .Values.mtls.caKeyType }}
ca_ttl = {{ quote .Values.mtls.caTTL }}
data_dir = "/run/spire/data"
log_level = "DEBUG"
socket_path = "/run/spire/sockets/spire-registration.sock"
default_svid_ttl = {{ quote .Values.mtls.svidTTL }}
trust_domain = {{ quote .Values.mtls.trustDomain }}
ca_subject = {
country = ["US"],
organization = ["NGINX"],
common_name = "",
}
}
plugins {
DataStore "sql" {
plugin_data {
database_type = "sqlite3"
connection_string = "/run/spire/data/datastore.sqlite3"
}
}
NodeAttestor "k8s_psat" {
plugin_data {
clusters = {
"nginx-mesh" = {
service_account_allow_list = [{{ printf "%s:spire-agent" .Release.Namespace | quote }}]
}
}
}
}
Notifier "k8sbundle" {
plugin_data {
namespace = {{ quote .Release.Namespace }}
webhook_label = "spiffe.io/webhook"
api_service_label = "spiffe.io/apiservice"
}
}
KeyManager {{ quote .Values.mtls.spireServerKeyManager }} {
{{- if eq .Values.mtls.spireServerKeyManager "disk" }}
plugin_data {
keys_path = "/run/spire/data/keys.json"
}
{{- end }}
}
{{ if .Values.mtls.upstreamAuthority.awsPCA }}
{{ tpl (.Files.Get "configs/upstreamAuthority/aws-pca-ua.conf") . }}
{{ else if .Values.mtls.upstreamAuthority.awsSecret }}
{{ tpl (.Files.Get "configs/upstreamAuthority/aws-secret-ua.conf") . }}
{{ else if .Values.mtls.upstreamAuthority.disk }}
{{ tpl (.Files.Get "configs/upstreamAuthority/disk-ua.conf") . }}
{{ else if .Values.mtls.upstreamAuthority.vault }}
{{ tpl (.Files.Get "configs/upstreamAuthority/vault-ua.conf") . }}
{{ else if .Values.mtls.upstreamAuthority.certManager }}
{{ tpl (.Files.Get "configs/upstreamAuthority/cert-manager-ua.conf") . }}
{{ end }}
}
health_checks {
listener_enabled = true
bind_address = "0.0.0.0"
bind_port = "8082"
live_path = "/live"
ready_path = "/ready"
}

3
charts/nginx-service-mesh/nginx-service-mesh/0.4.100/configs/upstreamAuthority/aws-credentials.conf Normal file
View File

@ -0,0 +1,3 @@
[default]
aws_access_key_id = {{ .Values.mtls.upstreamAuthority.awsPCA.awsAccessKeyID }}
aws_secret_access_key = {{ .Values.mtls.upstreamAuthority.awsPCA.awsSecretAccessKey }}

16
charts/nginx-service-mesh/nginx-service-mesh/0.4.100/configs/upstreamAuthority/aws-pca-ua.conf Normal file
View File

@ -0,0 +1,16 @@
UpstreamAuthority "aws_pca" {
plugin_data {
region = {{ quote .Values.mtls.upstreamAuthority.awsPCA.region }}
certificate_authority_arn = {{ quote .Values.mtls.upstreamAuthority.awsPCA.certificateAuthorityArn }}
{{- if .Values.mtls.upstreamAuthority.awsPCA.caSigningTemplateArn }}
ca_signing_template_arn = {{ quote .Values.mtls.upstreamAuthority.awsPCA.caSigningTemplateArn }}{{ end }}
{{- if .Values.mtls.upstreamAuthority.awsPCA.signingAlgorithm }}
signing_algorithm = {{ quote .Values.mtls.upstreamAuthority.awsPCA.signingAlgorithm }}{{ end }}
{{- if .Values.mtls.upstreamAuthority.awsPCA.assumeRoleArn }}
assume_role_arn = {{ quote .Values.mtls.upstreamAuthority.awsPCA.assumeRoleArn }}{{end}}
{{- if .Values.mtls.upstreamAuthority.awsPCA.endpoint }}
endpoint = {{ quote .Values.mtls.upstreamAuthority.awsPCA.endpoint }}{{end}}
{{- if .Values.mtls.upstreamAuthority.awsPCA.supplementalBundlePath }}
supplemental_bundle_path = "/run/spire/config/upstreamBundle.crt"{{end}}
}
}

15
charts/nginx-service-mesh/nginx-service-mesh/0.4.100/configs/upstreamAuthority/aws-secret-ua.conf Normal file
View File

@ -0,0 +1,15 @@
UpstreamAuthority "awssecret" {
plugin_data {
region = {{ quote .Values.mtls.upstreamAuthority.awsSecret.region }}
cert_file_arn = {{ quote .Values.mtls.upstreamAuthority.awsSecret.certFileArn }}
key_file_arn = {{ quote .Values.mtls.upstreamAuthority.awsSecret.keyFileArn }}
{{- if .Values.mtls.upstreamAuthority.awsSecret.awsAccessKeyID }}
access_key_id = {{ quote .Values.mtls.upstreamAuthority.awsSecret.awsAccessKeyID }}{{ end }}
{{- if .Values.mtls.upstreamAuthority.awsSecret.awsSecretAccessKey }}
secret_access_key = {{ quote .Values.mtls.upstreamAuthority.awsSecret.awsSecretAccessKey }}{{ end }}
{{- if .Values.mtls.upstreamAuthority.awsSecret.awsSecretToken }}
secret_token = {{ quote .Values.mtls.upstreamAuthority.awsSecret.awsSecretToken }}{{ end }}
{{- if .Values.mtls.upstreamAuthority.awsSecret.assumeRoleArn }}
assume_role_arn = {{ quote .Values.mtls.upstreamAuthority.awsSecret.assumeRoleArn }}{{ end }}
}
}

12
charts/nginx-service-mesh/nginx-service-mesh/0.4.100/configs/upstreamAuthority/cert-manager-ua.conf Normal file
View File

@ -0,0 +1,12 @@
UpstreamAuthority "cert-manager" {
plugin_data {
namespace = {{ quote .Values.mtls.upstreamAuthority.certManager.namespace }}
issuer_name = {{ quote .Values.mtls.upstreamAuthority.certManager.issuerName }}
{{- if .Values.mtls.upstreamAuthority.certManager.issuerKind }}
issuer_kind = {{ quote .Values.mtls.upstreamAuthority.certManager.issuerKind }}{{ end }}
{{- if .Values.mtls.upstreamAuthority.certManager.issuerGroup }}
issuer_group = {{ quote .Values.mtls.upstreamAuthority.certManager.issuerGroup }}{{ end }}
{{- if .Values.mtls.upstreamAuthority.certManager.kubeConfig }}
kube_config_file = "/run/spire/secrets/cert-manager-kubeconfig"{{ end }}
}
}

8
charts/nginx-service-mesh/nginx-service-mesh/0.4.100/configs/upstreamAuthority/disk-ua.conf Normal file
View File

@ -0,0 +1,8 @@
UpstreamAuthority "disk" {
plugin_data {
cert_file_path = "/run/spire/config/upstreamCA.crt"
key_file_path = "/run/spire/secrets/upstreamCA.key"
{{- if .Values.mtls.upstreamAuthority.disk.bundle }}
bundle_file_path = "/run/spire/config/upstreamBundle.crt"{{ end }}
}
}

28
charts/nginx-service-mesh/nginx-service-mesh/0.4.100/configs/upstreamAuthority/vault-ua.conf Normal file
View File

@ -0,0 +1,28 @@
UpstreamAuthority "vault" {
plugin_data {
vault_addr = {{ quote .Values.mtls.upstreamAuthority.vault.vaultAddr }}
namespace = {{ quote .Values.mtls.upstreamAuthority.vault.namespace }}
ca_cert_path = "/run/spire/config/upstreamCA.crt"
{{- if .Values.mtls.upstreamAuthority.vault.pkiMountPoint }}
pki_mount_path = {{ quote .Values.mtls.upstreamAuthority.vault.pkiMountPoint }}{{ end }}
{{- if .Values.mtls.upstreamAuthority.vault.insecureSkipVerify }}
insecure_skip_verify = {{ .Values.mtls.upstreamAuthority.vault.insecureSkipVerify }}{{ end }}
{{- if .Values.mtls.upstreamAuthority.vault.certAuth}}
cert_auth = {
client_cert_path = "/run/spire/config/upstreamClient.crt"
client_key_path = "/run/spire/secrets/upstreamClient.key"
{{- if .Values.mtls.upstreamAuthority.vault.certAuth.certAuthRoleName }}
cert_auth_role_name = {{ quote .Values.mtls.upstreamAuthority.vault.certAuth.certAuthRoleName }}{{ end }}
{{- if .Values.mtls.upstreamAuthority.vault.certAuth.certAuthMountPoint }}
cert_auth_mount_point = {{ quote .Values.mtls.upstreamAuthority.vault.certAuth.certAuthMountPoint }}{{ end }}
}{{ end }}
{{- if .Values.mtls.upstreamAuthority.vault.tokenAuth }}
token_auth = {}{{ end }}
{{- if .Values.mtls.upstreamAuthority.vault.approleAuth }}
approle_auth = {
approle_id = {{ quote .Values.mtls.upstreamAuthority.vault.approleAuth.approleID }}
{{- if .Values.mtls.upstreamAuthority.vault.approleAuth.approleAuthMountPoint }}
approle_auth_mount_point = {{ quote .Values.mtls.upstreamAuthority.vault.approleAuth.approleAuthMountPoint }}{{ end }}
}{{ end }}
}
}

78
charts/nginx-service-mesh/nginx-service-mesh/0.4.100/crds/circuitbreaker.yaml Normal file
View File

@ -0,0 +1,78 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: circuitbreakers.specs.smi.nginx.com
labels:
app.kubernetes.io/part-of: nginx-service-mesh
spec:
group: specs.smi.nginx.com
scope: Namespaced
names:
kind: CircuitBreaker
listKind: CircuitBreakerList
shortNames:
- cb
plural: circuitbreakers
singular: circuitbreaker
versions:
- name: v1alpha1
served: true
storage: true
schema:
openAPIV3Schema:
type: object
required:
- spec
properties:
spec:
description: Specifications of this circuit breaker.
type: object
required:
- destination
- errors
- timeoutSeconds
properties:
destination:
description: The destination of this circuit breaker.
type: object
required:
- name
- kind
properties:
kind:
description: Kind of the destination.
type: string
enum:
- Service
name:
description: Name of the destination.
type: string
minLength: 1
namespace:
description: Namespace of the destination.
type: string
errors:
description: The number of errors allowed within the timeout before
tripping the circuit.
type: integer
minimum: 0
timeoutSeconds:
description: The timeout window for errors to occur, and the amount
of time to wait before closing the circuit.
type: integer
minimum: 0
fallback:
description: The fallback Service to send traffic to when the circuit
is tripped.
type: object
properties:
service:
description: The fallback Service to send traffic to when the
circuit is tripped.
type: string
port:
description: The port of the fallback Service.
type: integer
minimum: 0
maximum: 65535

68
charts/nginx-service-mesh/nginx-service-mesh/0.4.100/crds/httproutegroup.yaml Normal file
View File

@ -0,0 +1,68 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: httproutegroups.specs.smi-spec.io
labels:
app.kubernetes.io/part-of: nginx-service-mesh
spec:
group: specs.smi-spec.io
scope: Namespaced
names:
kind: HTTPRouteGroup
shortNames:
- htr
plural: httproutegroups
singular: httproutegroup
versions:
- name: v1alpha3
served: true
storage: true
schema:
openAPIV3Schema:
type: object
properties:
spec:
type: object
required:
- matches
properties:
matches:
description: Match conditions of this route group.
type: array
items:
type: object
required:
- name
properties:
name:
description: Name of the HTTP route.
type: string
pathRegex:
description: URI path regex of the HTTP route.
type: string
methods:
description: The HTTP methods of this HTTP route.
type: array
items:
type: string
description: The HTTP method of this HTTP route.
enum:
- "*"
- GET
- HEAD
- PUT
- POST
- DELETE
- CONNECT
- OPTIONS
- TRACE
- PATCH
headers:
description: Header match conditions of this route.
type: array
items:
description: Header match condition of this route.
type: object
additionalProperties:
type: string

175
charts/nginx-service-mesh/nginx-service-mesh/0.4.100/crds/ratelimit.yaml Normal file
View File

@ -0,0 +1,175 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: ratelimits.specs.smi.nginx.com
labels:
app.kubernetes.io/part-of: nginx-service-mesh
spec:
group: specs.smi.nginx.com
scope: Namespaced
names:
kind: RateLimit
listKind: RateLimitList
shortNames:
- rl
plural: ratelimits
singular: ratelimit
versions:
- name: v1alpha1
served: true
storage: false
schema:
openAPIV3Schema:
type: object
properties:
spec:
type: object
required:
- name
- destination
- rate
properties:
destination:
description: The destination of this rate limit.
type: object
required:
- name
- kind
properties:
kind:
description: Kind of the destination.
type: string
minLength: 1
name:
description: Name of the destination.
type: string
minLength: 1
namespace:
description: Namespace of the destination.
type: string
sources:
description: Sources of this rate limit.
type: array
items:
type: object
required:
- name
- kind
properties:
kind:
description: Kind of this source.
type: string
minLength: 1
name:
description: Name of this source.
type: string
minLength: 1
namespace:
description: Namespace of this source.
type: string
name:
description: Name of this rate limit spec.
type: string
minLength: 1
rate:
description: The allowed rate of traffic.
type: string
pattern: "^[0-9]+r/[s,m]$"
burst:
description: The number of requests to allow beyond the given rate.
type: integer
minimum: 0
delay:
description: The number of requests after which to delay requests.
x-kubernetes-int-or-string: true
- name: v1alpha2
served: true
storage: true
schema:
openAPIV3Schema:
type: object
properties:
spec:
type: object
required:
- name
- destination
- rate
properties:
destination:
description: The destination of this rate limit.
type: object
required:
- name
- kind
properties:
kind:
description: Kind of the destination.
type: string
minLength: 1
name:
description: Name of the destination.
type: string
minLength: 1
namespace:
description: Namespace of the destination.
type: string
sources:
description: Sources of this rate limit.
type: array
items:
type: object
required:
- name
- kind
properties:
kind:
description: Kind of this source.
type: string
minLength: 1
name:
description: Name of this source.
type: string
minLength: 1
namespace:
description: Namespace of this source.
type: string
name:
description: Name of this rate limit spec.
type: string
minLength: 1
rate:
description: The allowed rate of traffic.
type: string
pattern: "^[0-9]+r/[s,m]$"
burst:
description: The number of requests to allow beyond the given rate.
type: integer
minimum: 0
delay:
description: The number of requests after which to delay requests.
x-kubernetes-int-or-string: true
rules:
description: Routing rules of this rate limit.
type: array
items:
type: object
required:
- name
- kind
properties:
kind:
description: Kind of this routing rule.
type: string
enum:
- HTTPRouteGroup
name:
description: Name of this routing rule.
type: string
minLength: 1
matches:
description: Match conditions of this routing rule.
type: array
items:
type: string

107
charts/nginx-service-mesh/nginx-service-mesh/0.4.100/crds/spiffeid.spiffe.io_spiffeids.yaml Normal file
View File

@ -0,0 +1,107 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: spiffeids.spiffeid.spiffe.io
labels:
app.kubernetes.io/part-of: nginx-service-mesh
spec:
group: spiffeid.spiffe.io
names:
kind: SpiffeID
listKind: SpiffeIDList
plural: spiffeids
singular: spiffeid
scope: Namespaced
versions:
- name: v1beta1
served: true
storage: true
subresources:
status: {}
schema:
openAPIV3Schema:
description: SpiffeID is the Schema for the spiffeid API
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: SpiffeIDSpec defines the desired state of SpiffeID
properties:
dnsNames:
items:
type: string
type: array
federatesWith:
items:
type: string
type: array
parentId:
type: string
selector:
properties:
arbitrary:
description: Arbitrary selectors
items:
type: string
type: array
containerImage:
description: Container image to match for this spiffe ID
type: string
containerName:
description: Container name to match for this spiffe ID
type: string
namespace:
description: Namespace to match for this spiffe ID
type: string
nodeName:
description: Node name to match for this spiffe ID
type: string
podLabel:
additionalProperties:
type: string
description: Pod label name/value to match for this spiffe ID
type: object
podName:
description: Pod name to match for this spiffe ID
type: string
podUid:
description: Pod UID to match for this spiffe ID
type: string
serviceAccount:
description: ServiceAccount to match for this spiffe ID
type: string
cluster:
description: The k8s_psat cluster name
type: string
agent_node_uid:
description: UID of the node
type: string
type: object
spiffeId:
type: string
required:
- parentId
- selector
- spiffeId
type: object
status:
description: SpiffeIDStatus defines the observed state of SpiffeID
properties:
entryId:
description: 'INSERT ADDITIONAL STATUS FIELD - define observed state
of cluster Important: Run "make" to regenerate code after modifying
this file'
type: string
type: object
type: object

23
charts/nginx-service-mesh/nginx-service-mesh/0.4.100/crds/tcproute.yaml Normal file
View File

@ -0,0 +1,23 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: tcproutes.specs.smi-spec.io
labels:
app.kubernetes.io/part-of: nginx-service-mesh
spec:
group: specs.smi-spec.io
scope: Namespaced
names:
kind: TCPRoute
shortNames:
- tr
plural: tcproutes
singular: tcproute
versions:
- name: v1alpha3
served: true
storage: true
schema:
openAPIV3Schema:
type: object

72
charts/nginx-service-mesh/nginx-service-mesh/0.4.100/crds/trafficsplit.yaml Normal file
View File

@ -0,0 +1,72 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: trafficsplits.split.smi-spec.io
labels:
app.kubernetes.io/part-of: nginx-service-mesh
spec:
group: split.smi-spec.io
scope: Namespaced
names:
kind: TrafficSplit
listKind: TrafficSplitList
shortNames:
- ts
plural: trafficsplits
singular: trafficsplit
versions:
- name: v1alpha3
served: true
storage: true
additionalPrinterColumns:
- name: Service
type: string
description: The apex service of this split.
jsonPath: .spec.service
schema:
openAPIV3Schema:
type: object
properties:
spec:
type: object
required:
- service
- backends
properties:
service:
description: The apex service of this split.
type: string
matches:
description: The HTTP route groups that this traffic split should
match.
type: array
items:
type: object
required:
- kind
- name
properties:
kind:
description: Kind of the matching group.
type: string
enum:
- HTTPRouteGroup
name:
description: Name of the matching group.
type: string
backends:
description: The backend services of this split.
type: array
items:
type: object
required:
- service
- weight
properties:
service:
description: Name of the Kubernetes service.
type: string
weight:
description: Traffic weight value of this backend.
type: number

92
charts/nginx-service-mesh/nginx-service-mesh/0.4.100/crds/traffictarget.yaml Normal file
View File

@ -0,0 +1,92 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: traffictargets.access.smi-spec.io
labels:
app.kubernetes.io/part-of: nginx-service-mesh
spec:
group: access.smi-spec.io
scope: Namespaced
names:
kind: TrafficTarget
shortNames:
- tt
plural: traffictargets
singular: traffictarget
versions:
- name: v1alpha2
served: true
storage: true
schema:
openAPIV3Schema:
type: object
properties:
spec:
type: object
required:
- destination
properties:
destination:
description: The destination of this traffic target.
type: object
required:
- name
- kind
properties:
kind:
description: Kind of the destination.
type: string
name:
description: Name of the destination.
type: string
namespace:
description: Namespace of the destination.
type: string
port:
description: Port number of the destination.
type: number
rules:
description: Specifications of this traffic target.
type: array
items:
type: object
required:
- name
- kind
properties:
kind:
description: Kind of this spec.
type: string
enum:
- HTTPRouteGroup
- TCPRoute
name:
description: Name of this spec.
type: string
matches:
description: Match conditions of this spec.
type: array
items:
type: string
sources:
description: Sources of this traffic target.
type: array
items:
type: object
required:
- name
- kind
properties:
kind:
description: Kind of this source.
type: string
name:
description: Name of this source.
type: string
namespace:
description: Namespace of this source.
type: string
port:
description: Port number of the source.
type: number

213
charts/nginx-service-mesh/nginx-service-mesh/0.4.100/questions.yaml Normal file
View File

@ -0,0 +1,213 @@
questions:
- variable: useDefaultImages
default: true
description: "Use default image settings."
label: Use default images
type: boolean
show_subquestion_if: false
group: "Image Registry"
subquestions:
- variable: registry.server
default: "docker-registry.nginx.com/nsm"
description: "Hostname:port (if needed) for registry and path to images."
label: Image registry server
type: string
- variable: registry.imageTag
default: "1.4.1"
description: "Tag used for pulling images from registry."
label: Image tag
type: string
- variable: registry.key
default: ""
description: "Contents of your Google Cloud JSON key file. Cannot be used with username or password."
label: Image registry key
type: string
- variable: registry.username
default: ""
description: "Username for accessing private registry."
label: Image registry username
type: string
- variable: registry.password
default: ""
description: "Password for accessing private registry."
label: Image registry password
type: string
- variable: registry.disablePublicImages
default: false
description: "Do not pull third party images from public repositories. If true, registry.server is used for all images."
label: Disable public images
type: boolean
- variable: registry.imagePullPolicy
default: "IfNotPresent"
description: "Image pull policy."
label: Image pull policy
type: string
- variable: useMtlsDefaults
default: true
description: "Use default mTLS settings."
label: Use default mTLS settings
type: boolean
show_subquestion_if: false
group: "Mutual TLS"
subquestions:
- variable: mtls.mode
default: "permissive"
description: "mTLS mode for pod-to-pod communication."
label: mTLS mode
type: enum
options:
- "off"
- "permissive"
- "strict"
- variable: mtls.caTTL
default: "720h"
description: "The CA/signing key TTL in hours(h) or minutes(m)."
label: mTLS caTTL
type: string
- variable: mtls.svidTTL
default: "1h"
description: "The TTL of certificates issued to workloads in hours(h) or minutes(m)."
label: mTLS svidTTL
type: string
- variable: mtls.trustDomain
default: "example.org"
description: "The trust domain of the NGINX Service Mesh."
label: mTLS trust domain
type: string
- variable: mtls.persistentStorage
default: "on"
description: "Use persistent storage; 'on' assumes that a StorageClass exists."
label: mTLS persistent storage
type: enum
options:
- "on"
- "off"
- variable: mtls.spireServerKeyManager
default: "disk"
description: "Storage logic for SPIRE Server's private keys."
label: mTLS spire server key manager
type: enum
options:
- "disk"
- "memory"
- variable: mtls.caKeyType
default: "ec-p256"
description: "The key type used for the SPIRE Server CA."
label: mTLS ca key type
type: enum
options:
- "ec-p256"
- "ec-p384"
- "rsa-2048"
- "rsa-4096"
- variable: useTracingDefaults
default: true
description: "Use default tracing settings. If you would like to enable telemetry instead, please see the README for instructions."
label: Use default tracing settings
type: boolean
show_subquestion_if: false
group: "Tracing"
subquestions:
- variable: tracing.disable
default: false
description: "Disable tracing for all services. This option will be removed in version 1.5."
label: Disable tracing
type: boolean
- variable: tracing.address
default: ""
description: "The address of a tracing server deployed in your Kubernetes cluster."
label: Tracing address
type: string
- variable: tracing.backend
default: "jaeger"
description: "The tracing backend that you want to use."
label: Tracing backend
type: enum
options:
- "jaeger"
- "zipkin"
- "datadog"
- variable: tracing.sampleRate
default: 0.01
description: "The sample rate to use for tracing. Float between 0 and 1."
label: Tracing sample rate
type: float
- variable: autoInjection.disable
default: false
description: "Disable automatic sidecar injection upon resource creation."
label: Disable auto injection
type: boolean
group: "General Settings"
- variable: accessControlMode
default: "allow"
description: "Default access control mode for service-to-service communication."
label: Access control mode
type: enum
options:
- "allow"
- "deny"
group: "General Settings"
- variable: deployGrafana
default: true
description: "Deploy Grafana as a part of NGINX Service Mesh. This option will be removed in version 1.5."
label: Deploy Grafana
type: boolean
group: "General Settings"
- variable: nginxErrorLogLevel
default: "warn"
description: "NGINX error log level."
label: NGINX error log level.
type: enum
options:
- "debug"
- "info"
- "notice"
- "warn"
- "error"
- "crit"
- "alert"
- "emerg"
group: "General Settings"
- variable: nginxLogFormat
default: "default"
description: "NGINX log format."
label: NGINX log format.
type: enum
options:
- "default"
- "json"
group: "General Settings"
- variable: nginxLBMethod
default: "least_time"
description: "NGINX load balancing method."
label: NGINX load balancing method.
type: enum
options:
- "least_conn"
- "least_time"
- "least_time last_byte"
- "least_time last_byte inflight"
- "random"
- "random two"
- "random two least_conn"
- "random two least_time"
- "random two least_time=last_byte"
- "round_robin"
group: "General Settings"
- variable: prometheusAddress
description: "The address of a Prometheus server deployed in your Kubernetes cluster."
label: Prometheus address.
type: string
group: "General Settings"
- variable: enableUDP
description: "Enable UDP traffic proxying (beta). Linux kernel 4.18 or greater is required."
label: Enable UDP
type: boolean
default: false
group: "General Settings"
- variable: rancher
default: true
description: "Enables Rancher for NGINX Service Mesh (do not disable)."
label: Rancher
type: boolean
group: "General Settings"

1
charts/nginx-service-mesh/nginx-service-mesh/0.4.100/templates/NOTES.txt Normal file
View File

@ -0,0 +1 @@
NGINX Service Mesh has been installed. Ensure all NGINX Service Mesh Pods are in the Ready state before deploying your apps.

179
charts/nginx-service-mesh/nginx-service-mesh/0.4.100/templates/_helpers.tpl Normal file
View File

@ -0,0 +1,179 @@
{{- define "jaeger.image-server" -}}
{{- if not .Values.registry.disablePublicImages }}jaegertracing{{ else }}{{ .Values.registry.server }}{{ end }}
{{- end }}
{{- define "zipkin.image-server" -}}
{{- if not .Values.registry.disablePublicImages }}openzipkin{{ else }}{{ .Values.registry.server }}{{ end }}
{{- end }}
{{- define "tracing.address" -}}
{{- if ne .Values.tracing.address "" -}}
{{ .Values.tracing.address }}
{{- else if eq .Values.tracing.backend "jaeger" -}}
jaeger.{{.Release.Namespace}}.svc.cluster.local:6831
{{- else if eq .Values.tracing.backend "zipkin" -}}
zipkin.{{.Release.Namespace}}.svc.cluster.local:9411
{{- end }}
{{- end }}
{{- define "prometheus.address" -}}
{{- if eq .Values.prometheusAddress "" -}}
prometheus.{{.Release.Namespace}}.svc.cluster.local:9090
{{- else -}}
{{ .Values.prometheusAddress }}
{{- end }}
{{- end }}
{{- define "prometheus.image-server" -}}
{{- if not .Values.registry.disablePublicImages }}prom{{ else }}{{ .Values.registry.server }}{{ end }}
{{- end }}
{{- define "grafana.image-server" -}}
{{- if not .Values.registry.disablePublicImages }}grafana{{ else }}{{ .Values.registry.server }}{{ end }}
{{- end }}
{{- define "nats.image-server" -}}
{{- if not .Values.registry.disablePublicImages }}{{ else }}{{ .Values.registry.server }}/{{ end }}
{{- end }}
{{- define "spire.image-server" -}}
{{- if not .Values.registry.disablePublicImages }}gcr.io/spiffe-io{{ else }}{{ .Values.registry.server }}{{ end }}
{{- end }}
{{- define "node-driver.image-server" -}}
{{- if not .Values.registry.disablePublicImages }}quay.io/k8scsi{{ else }}{{ .Values.registry.server }}{{ end }}
{{- end }}
{{- define "hook.image-server" -}}
{{- if not .Values.registry.disablePublicImages }}bitnami{{ else }}{{ .Values.registry.server }}{{ end }}
{{- end }}
{{- define "ubuntu.image-server" -}}
{{- if not .Values.registry.disablePublicImages }}{{ else }}{{ .Values.registry.server }}/{{ end }}
{{- end }}
{{- define "registry-key-name" -}}
nginx-mesh-registry-key
{{- end }}
{{- define "docker-config-json" -}}
{{- if (and (.Values.registry.username) (.Values.registry.password)) }}
{
"auths": {
{{ quote .Values.registry.server }}: {
"username": {{ quote .Values.registry.username }},
"password": {{ quote .Values.registry.password }},
"auth": {{ printf "%s:%s" .Values.registry.username .Values.registry.password | b64enc | quote }}
}
}
}
{{- else if (.Values.registry.key) }}
{
"auths": {
{{ quote .Values.registry.server }}: {
"username": "_json_key",
"password": {{ quote .Values.registry.key }}
}
}
}
{{- end }}
{{- end }}
{{/*
Define the name of the key where the Upstream Authority secret data is stored.
*/}}
{{- define "ua-secret-name" -}}
{{- if .Values.mtls.upstreamAuthority.awsPCA -}} {{- if .Values.mtls.upstreamAuthority.awsPCA.awsAccessKeyID -}}
credentials {{- end }}
{{- else if .Values.mtls.upstreamAuthority.disk -}}
upstreamCA.key
{{- else if .Values.mtls.upstreamAuthority.vault }}{{ if .Values.mtls.upstreamAuthority.vault.certAuth -}}
upstreamClient.key{{ end }}
{{- else if .Values.mtls.upstreamAuthority.certManager }}{{ if .Values.mtls.upstreamAuthority.certManager.kubeConfig -}}
cert-manager-kubeconfig{{ end }}
{{- end }}
{{- end }}
{{/*
Define the name of the mount path where the Upstream Authority secret data is stored.
*/}}
{{- define "ua-secret-mountpath" -}}
{{- if and .Values.mtls.upstreamAuthority.awsPCA -}} {{- if .Values.mtls.upstreamAuthority.awsPCA.awsAccessKeyID -}}
/root/.aws {{- end }}
{{- else if .Values.mtls.upstreamAuthority.disk -}}
/run/spire/secrets
{{- else if .Values.mtls.upstreamAuthority.vault }}{{ if .Values.mtls.upstreamAuthority.vault.certAuth -}}
/run/spire/secrets{{ end }}
{{- else if .Values.mtls.upstreamAuthority.certManager }}{{ if .Values.mtls.upstreamAuthority.certManager.kubeConfig -}}
/run/spire/secrets{{ end }}
{{- end }}
{{- end }}
{{/*
Define the upstream certificate to be used for the Upstream Authority.
*/}}
{{- define "ua-upstream-cert" -}}
{{- if .Values.mtls.upstreamAuthority.disk -}}
upstreamCA.crt: {{ quote .Values.mtls.upstreamAuthority.disk.cert }}
{{- else if .Values.mtls.upstreamAuthority.vault -}}
upstreamCA.crt: {{ quote .Values.mtls.upstreamAuthority.vault.caCert }}
{{- end }}
{{- end }}
{{/*
Define the upstream bundle to be used for the Upstream Authority.
*/}}
{{- define "ua-upstream-bundle" -}}
{{- if .Values.mtls.upstreamAuthority.disk }}{{ if .Values.mtls.upstreamAuthority.disk.bundle -}}
upstreamBundle.crt: {{ quote .Values.mtls.upstreamAuthority.disk.bundle }}{{ end }}
{{- else if .Values.mtls.upstreamAuthority.awsPCA }}{{ if .Values.mtls.upstreamAuthority.awsPCA.supplementalBundle -}}
upstreamBundle.crt: {{ quote .Values.mtls.upstreamAuthority.awsPCA.supplementalBundle }}{{ end }}
{{- end }}
{{- end }}
{{/*
Define the Upstream Authority value to be stored in the Secret.
*/}}
{{- define "ua-secret-value" -}}
{{- if .Values.mtls.upstreamAuthority.awsPCA -}}
{{ tpl (.Files.Get "configs/upstreamAuthority/aws-credentials.conf") . | b64enc }}
{{- else if .Values.mtls.upstreamAuthority.disk -}}
{{ .Values.mtls.upstreamAuthority.disk.key | b64enc }}
{{- else if .Values.mtls.upstreamAuthority.vault }}{{ if .Values.mtls.upstreamAuthority.vault.certAuth -}}
{{ .Values.mtls.upstreamAuthority.vault.certAuth.clientKey | b64enc }}{{ end }}
{{- else if .Values.mtls.upstreamAuthority.certManager }}{{ if .Values.mtls.upstreamAuthority.certManager.kubeConfig -}}
{{ .Values.mtls.upstreamAuthority.certManager.kubeConfig | b64enc }}{{ end }}
{{- end }}
{{- end }}
{{/*
Define variables associated with the Vault Upstream Authority.
*/}}
{{- define "ua-vault-env-name" -}}
{{- if .Values.mtls.upstreamAuthority.vault -}}
{{- if .Values.mtls.upstreamAuthority.vault.tokenAuth -}}
VAULT_TOKEN
{{- else if .Values.mtls.upstreamAuthority.vault.approleAuth -}}
VAULT_APPROLE_SECRET_ID
{{- end }}
{{- end }}
{{- end }}
{{- define "ua-vault-env-value" -}}
{{- if .Values.mtls.upstreamAuthority.vault -}}
{{- if .Values.mtls.upstreamAuthority.vault.tokenAuth -}}
{{ b64enc .Values.mtls.upstreamAuthority.vault.tokenAuth.token }}
{{- else if .Values.mtls.upstreamAuthority.vault.approleAuth -}}
{{ b64enc .Values.mtls.upstreamAuthority.vault.approleAuth.approleSecretID }}
{{- end }}
{{- end }}
{{- end }}
{{- define "ua-upstream-client-cert" -}}
{{- if .Values.mtls.upstreamAuthority.vault -}}
{{- if .Values.mtls.upstreamAuthority.vault.certAuth -}}
upstreamClient.crt: {{ quote .Values.mtls.upstreamAuthority.vault.certAuth.clientCert }}
{{- end }}
{{- end }}
{{- end }}

137
charts/nginx-service-mesh/nginx-service-mesh/0.4.100/templates/grafana.yaml Normal file
View File

@ -0,0 +1,137 @@
{{- if .Values.deployGrafana }}
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: grafana
labels:
app.kubernetes.io/part-of: nginx-service-mesh
imagePullSecrets:
- name: {{ include "registry-key-name" . }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: grafana.metrics.builtin.nsm.nginx
labels:
app.kubernetes.io/part-of: nginx-service-mesh
rules:
- apiGroups:
- ''
resources:
- services
- endpoints
- pods
verbs:
- get
- list
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: grafana.metrics.builtin.nsm.nginx
labels:
app.kubernetes.io/part-of: nginx-service-mesh
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: grafana.metrics.builtin.nsm.nginx
subjects:
- kind: ServiceAccount
name: grafana
namespace: {{ .Release.Namespace }}
---
apiVersion: v1
kind: ConfigMap
metadata:
name: grafana-config
labels:
app.kubernetes.io/part-of: nginx-service-mesh
data:
dashboards.yaml: {{ .Files.Get "configs/grafana-dashboard-conf.yaml" | quote }}
datasources.yaml: {{ tpl (.Files.Get "configs/grafana-datasources-conf.yaml") . | quote }}
grafana.ini: {{ .Files.Get "configs/grafana.ini" | quote }}
---
apiVersion: v1
kind: ConfigMap
metadata:
name: grafana-dashboards
labels:
app.kubernetes.io/part-of: nginx-service-mesh
data:
top.json: {{ .Files.Get "configs/grafana-top-dashboard.json" | quote }}
---
apiVersion: v1
kind: Service
metadata:
name: grafana
labels:
app.kubernetes.io/name: grafana
app.kubernetes.io/part-of: nginx-service-mesh
spec:
selector:
app.kubernetes.io/name: grafana
app.kubernetes.io/part-of: nginx-service-mesh
type: ClusterIP
ports:
- port: 3000
targetPort: 3000
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: grafana
labels:
app.kubernetes.io/name: grafana
app.kubernetes.io/part-of: nginx-service-mesh
spec:
replicas: 1
selector:
matchLabels:
app.kubernetes.io/name: grafana
app.kubernetes.io/part-of: nginx-service-mesh
template:
metadata:
labels:
app.kubernetes.io/name: grafana
app.kubernetes.io/part-of: nginx-service-mesh
spec:
serviceAccountName: grafana
containers:
- name: grafana
image: {{ include "grafana.image-server" . }}/grafana:8.3.4
imagePullPolicy: {{ .Values.registry.imagePullPolicy }}
ports:
- containerPort: 3000
volumeMounts:
- name: grafana-config-volume
mountPath: "/etc/grafana"
- name: grafana-dashboard-volume
mountPath: "/var/lib/grafana/dashboards"
- name: grafana-dashboard-home
mountPath: "/usr/share/grafana/public/dashboards"
volumes:
- name: grafana-config-volume
configMap:
name: grafana-config
items:
- key: dashboards.yaml
path: provisioning/dashboards/dashboards.yaml
- key: datasources.yaml
path: provisioning/datasources/datasources.yaml
- key: grafana.ini
path: grafana.ini
- name: grafana-dashboard-volume
configMap:
name: grafana-dashboards
items:
- key: top.json
path: top.json
- name: grafana-dashboard-home
configMap:
name: grafana-dashboards
items:
- key: top.json
path: home.json
{{- end }}

60
charts/nginx-service-mesh/nginx-service-mesh/0.4.100/templates/jaeger.yaml Normal file
View File

@ -0,0 +1,60 @@
{{- if .Values.tracing }} {{ if (and (not .Values.tracing.disable) (eq .Values.tracing.backend "jaeger") (eq .Values.tracing.address "")) }}
---
apiVersion: v1
kind: Service
metadata:
name: jaeger
labels:
app.kubernetes.io/name: jaeger
app.kubernetes.io/part-of: nginx-service-mesh
spec:
selector:
app.kubernetes.io/name: jaeger
app.kubernetes.io/part-of: nginx-service-mesh
type: ClusterIP
ports:
- name: frontend
port: 16686
targetPort: 16686
- name: collector
port: 6831
targetPort: 6831
protocol: UDP
- name: collector-http
port: 14268
protocol: TCP
targetPort: 14268
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: jaeger
labels:
app.kubernetes.io/name: jaeger
app.kubernetes.io/part-of: nginx-service-mesh
spec:
replicas: 1
selector:
matchLabels:
app.kubernetes.io/name: jaeger
app.kubernetes.io/part-of: nginx-service-mesh
template:
metadata:
labels:
app.kubernetes.io/name: jaeger
app.kubernetes.io/part-of: nginx-service-mesh
annotations:
prometheus.io/scrape: 'true'
prometheus.io/port: '16686'
spec:
imagePullSecrets:
- name: {{ include "registry-key-name" . }}
containers:
- name: jaeger
image: {{ include "jaeger.image-server" . }}/all-in-one:1.31.0
imagePullPolicy: {{ .Values.registry.imagePullPolicy }}
ports:
- containerPort: 16686
- containerPort: 6831
protocol: UDP
{{- end }}{{- end }}

153
charts/nginx-service-mesh/nginx-service-mesh/0.4.100/templates/nats.yaml Normal file
View File

@ -0,0 +1,153 @@
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: nats
labels:
app.kubernetes.io/part-of: nginx-service-mesh
imagePullSecrets:
- name: {{ include "registry-key-name" . }}
---
apiVersion: v1
kind: ConfigMap
metadata:
name: nats-config
labels:
app.kubernetes.io/part-of: nginx-service-mesh
data:
nats.conf: {{ .Files.Get "configs/nats.conf" | quote }}
---
apiVersion: v1
kind: Service
metadata:
name: nats-server
labels:
app.kubernetes.io/name: nats-server
app.kubernetes.io/part-of: nginx-service-mesh
spec:
selector:
app.kubernetes.io/name: nats-server
app.kubernetes.io/part-of: nginx-service-mesh
clusterIP: None
ports:
- name: client
port: 4222
- name: monitor
port: 8222
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: nats-server
labels:
app.kubernetes.io/name: nats-server
app.kubernetes.io/part-of: nginx-service-mesh
spec:
selector:
matchLabels:
app.kubernetes.io/name: nats-server
app.kubernetes.io/part-of: nginx-service-mesh
replicas: 1
template:
metadata:
labels:
app.kubernetes.io/name: nats-server
app.kubernetes.io/part-of: nginx-service-mesh
spiffe.io/spiffeid: "true"
spec:
serviceAccountName: nats
volumes:
- name: config-volume
configMap:
name: nats-config
- name: pid
emptyDir: {}
- name: tls
emptyDir: {}
- name: spire-agent-socket
{{ if eq .Values.environment "openshift" -}}
csi:
driver: wlapi-mounter.spire.nginx.com
readOnly: true
{{- else -}}
hostPath:
path: "/run/spire/sockets"
type: DirectoryOrCreate
{{- end }}
shareProcessNamespace: true
terminationGracePeriodSeconds: 60
imagePullSecrets:
- name: {{ include "registry-key-name" . }}
initContainers:
- name: nginx-mesh-cert-reloader-init
image: {{ .Values.registry.server }}/nginx-mesh-cert-reloader:{{ .Values.registry.imageTag }}
imagePullPolicy: {{ .Values.registry.imagePullPolicy }}
volumeMounts:
- name: tls
mountPath: "/etc/ssl"
- name: spire-agent-socket
mountPath: "/run/spire/sockets"
containers:
- name: nginx-mesh-cert-reloader
image: {{ .Values.registry.server }}/nginx-mesh-cert-reloader:{{ .Values.registry.imageTag }}
imagePullPolicy: {{ .Values.registry.imagePullPolicy }}
args:
- "-pid"
- "/var/run/nats/nats.pid"
- "-is-daemon"
volumeMounts:
- name: pid
mountPath: "/var/run/nats"
- name: tls
mountPath: "/etc/ssl"
- name: spire-agent-socket
mountPath: "/run/spire/sockets"
- name: nats-server
image: {{ include "nats.image-server" . }}nats:2.7.2-alpine3.15
imagePullPolicy: {{ .Values.registry.imagePullPolicy }}
ports:
- containerPort: 4222
name: client
- containerPort: 8222
name: monitor
command:
- nats-server
- "--config"
- "/etc/nats-config/nats.conf"
env:
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: CLUSTER_ADVERTISE
value: "$(POD_NAME).nats-server.$(POD_NAMESPACE).svc"
volumeMounts:
- name: config-volume
mountPath: "/etc/nats-config"
- name: pid
mountPath: "/var/run/nats"
- name: tls
mountPath: "/etc/ssl"
livenessProbe:
httpGet:
path: "/"
port: 8222
initialDelaySeconds: 10
timeoutSeconds: 5
readinessProbe:
httpGet:
path: "/"
port: 8222
initialDelaySeconds: 10
timeoutSeconds: 5
lifecycle:
preStop:
exec:
command:
- "/bin/sh"
- "-c"
- "/nats-server -sl=ldm=/var/run/nats/nats.pid && /bin/sleep 60"

548
charts/nginx-service-mesh/nginx-service-mesh/0.4.100/templates/nginx-mesh-api.yaml Normal file
View File

@ -0,0 +1,548 @@
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: nginx-mesh-api
labels:
app.kubernetes.io/part-of: nginx-service-mesh
imagePullSecrets:
- name: {{ include "registry-key-name" . }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: nginx-mesh-api.internal.builtin.nsm.nginx
labels:
app.kubernetes.io/part-of: nginx-service-mesh
rules:
- apiGroups:
- ''
resources:
- namespaces
verbs:
- get
- list
- watch
- apiGroups:
- ''
resources:
- services
- endpoints
verbs:
- "*"
- apiGroups:
- ''
resources:
- secrets
- pods
verbs:
- create
- get
- list
- watch
- apiGroups:
- ''
resources:
- configmaps
verbs:
- get
- list
- watch
- update
- apiGroups:
- ''
resources:
- events
verbs:
- create
- patch
- apiGroups:
- apps
resources:
- replicasets
verbs:
- get
- list
- watch
- apiGroups:
- apps
resources:
- statefulsets
- deployments
- daemonsets
verbs:
- list
- watch
- apiGroups:
- split.smi-spec.io
resources:
- trafficsplits
verbs:
- "*"
- apiGroups:
- access.smi-spec.io
resources:
- traffictargets
verbs:
- "*"
- apiGroups:
- specs.smi-spec.io
- specs.smi.nginx.com
resources:
- httproutegroups
- tcproutes
- ratelimits
- circuitbreakers
verbs:
- "*"
- apiGroups:
- admissionregistration.k8s.io
resources:
- mutatingwebhookconfigurations
resourceNames:
- sidecar-injector-webhook-cfg.internal.builtin.nsm.nginx
verbs:
- get
- update
- apiGroups:
- admissionregistration.k8s.io
resources:
- validatingwebhookconfigurations
resourceNames:
- validating-webhook-cfg.internal.builtin.nsm.nginx
verbs:
- get
- update
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: nginx-mesh-api.internal.builtin.nsm.nginx
labels:
app.kubernetes.io/part-of: nginx-service-mesh
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: nginx-mesh-api.internal.builtin.nsm.nginx
subjects:
- kind: ServiceAccount
name: nginx-mesh-api
namespace: {{ .Release.Namespace }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: nginx-mesh-api.internal.builtin.nsm.nginx
labels:
app.kubernetes.io/part-of: nginx-service-mesh
rules:
- apiGroups:
- apps
resources:
- statefulsets
- deployments
- daemonsets
resourceNames:
- spire-server
- spire-agent
verbs:
- get
- patch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: nginx-mesh-api.internal.builtin.nsm.nginx
labels:
app.kubernetes.io/part-of: nginx-service-mesh
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: nginx-mesh-api.internal.builtin.nsm.nginx
subjects:
- kind: ServiceAccount
name: nginx-mesh-api
namespace: {{ .Release.Namespace }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: nginx-mesh-api-svc.internal.builtin.nsm.nginx
labels:
app.kubernetes.io/part-of: nginx-service-mesh
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: system:auth-delegator
subjects:
- kind: ServiceAccount
name: nginx-mesh-api
namespace: {{ .Release.Namespace }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: nginx-mesh-api-svc.internal.builtin.nsm.nginx
labels:
app.kubernetes.io/part-of: nginx-service-mesh
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: extension-apiserver-authentication-reader
subjects:
- kind: ServiceAccount
name: nginx-mesh-api
namespace: {{ .Release.Namespace }}
---
apiVersion: v1
kind: ConfigMap
metadata:
name: mesh-config
labels:
app.kubernetes.io/part-of: nginx-service-mesh
binaryData:
mesh-config.json: {{ tpl (.Files.Get "configs/mesh-config.conf") . | b64enc | quote }}
---
apiVersion: v1
kind: Service
metadata:
name: nginx-mesh-api
labels:
app.kubernetes.io/part-of: nginx-service-mesh
spec:
type: ClusterIP
ports:
- name: https
port: 443
targetPort: 8443
protocol: TCP
selector:
app.kubernetes.io/name: nginx-mesh-api
app.kubernetes.io/part-of: nginx-service-mesh
---
apiVersion: v1
kind: Service
metadata:
name: nginx-mesh-webhook
labels:
app.kubernetes.io/name: nginx-mesh-api
app.kubernetes.io/part-of: nginx-service-mesh
spec:
type: ClusterIP
ports:
- name: admission
port: 443
targetPort: 9443
protocol: TCP
selector:
app.kubernetes.io/name: nginx-mesh-api
app.kubernetes.io/part-of: nginx-service-mesh
---
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
name: sidecar-injector-webhook-cfg.internal.builtin.nsm.nginx
labels:
app.kubernetes.io/part-of: nginx-service-mesh
spiffe.io/webhook: "true"
webhooks:
- name: nginx-mesh-api.sidecar.injector
namespaceSelector:
matchExpressions:
- key: injector.nsm.nginx.com/auto-inject
operator: NotIn
values:
- 'false'
clientConfig:
service:
name: nginx-mesh-webhook
namespace: {{ .Release.Namespace }}
path: "/inject"
sideEffects: None
admissionReviewVersions:
- v1
- v1beta1
rules:
- apiGroups:
- ''
apiVersions:
- v1
operations:
- CREATE
resources:
- pods
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
name: validating-webhook-cfg.internal.builtin.nsm.nginx
labels:
app.kubernetes.io/part-of: nginx-service-mesh
spiffe.io/webhook: "true"
webhooks:
- name: nginx-mesh-api.policy.validator
clientConfig:
service:
name: nginx-mesh-webhook
namespace: {{ .Release.Namespace }}
path: "/validate"
sideEffects: None
admissionReviewVersions:
- v1
- v1beta1
rules:
- apiGroups:
- split.smi-spec.io
apiVersions:
- "*"
operations:
- CREATE
- UPDATE
- DELETE
resources:
- trafficsplits
- apiGroups:
- specs.smi-spec.io
apiVersions:
- "*"
operations:
- CREATE
- UPDATE
resources:
- httproutegroups
- apiGroups:
- specs.smi.nginx.com
apiVersions:
- "*"
operations:
- CREATE
- UPDATE
- DELETE
resources:
- circuitbreakers
- ratelimits
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: nginx-mesh-api
labels:
app.kubernetes.io/name: nginx-mesh-api
app.kubernetes.io/part-of: nginx-service-mesh
spec:
replicas: 1
selector:
matchLabels:
app.kubernetes.io/name: nginx-mesh-api
app.kubernetes.io/part-of: nginx-service-mesh
template:
metadata:
labels:
app.kubernetes.io/name: nginx-mesh-api
app.kubernetes.io/part-of: nginx-service-mesh
spiffe.io/spiffeid: "true"
spec:
serviceAccountName: nginx-mesh-api
containers:
- name: nginx-mesh-api
image: {{ .Values.registry.server }}/nginx-mesh-api:{{ .Values.registry.imageTag }}
imagePullPolicy: {{ .Values.registry.imagePullPolicy }}
args:
- "-meshconfig=/etc/config/mesh-config.json"
- "-logtostderr"
- "-v=3"
env:
- name: PULL_POLICY
value: {{ .Values.registry.imagePullPolicy }}
- name: MY_UID
valueFrom:
fieldRef:
fieldPath: metadata.uid
- name: MY_POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: MY_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
securityContext:
runAsUser: 0
readinessProbe:
httpGet:
path: "/healthz"
port: 8081
initialDelaySeconds: 5
periodSeconds: 10
failureThreshold: 30
livenessProbe:
httpGet:
path: "/healthz"
port: 8081
initialDelaySeconds: 5
periodSeconds: 10
failureThreshold: 30
volumeMounts:
- name: config-volume
mountPath: "/etc/config"
- name: spire-agent-socket
mountPath: "/run/spire/sockets"
volumes:
- name: config-volume
configMap:
name: mesh-config
items:
- key: mesh-config.json
path: mesh-config.json
- name: spire-agent-socket
{{ if eq .Values.environment "openshift" -}}
csi:
driver: wlapi-mounter.spire.nginx.com
readOnly: true
{{- else -}}
hostPath:
path: "/run/spire/sockets"
type: DirectoryOrCreate
{{- end }}
---
apiVersion: apiregistration.k8s.io/v1
kind: APIService
metadata:
labels:
app.kubernetes.io/part-of: nginx-service-mesh
spiffe.io/apiservice: "true"
name: v1alpha1.nsm.nginx.com
spec:
group: nsm.nginx.com
groupPriorityMinimum: 100
service:
name: nginx-mesh-api
namespace: {{ .Release.Namespace}}
port: 443
version: v1alpha1
versionPriority: 100
{{- if eq .Values.environment "openshift" }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: system:openshift:scc:nginx-mesh-api-permissions
labels:
app.kubernetes.io/part-of: nginx-service-mesh
rules:
- apiGroups:
- security.openshift.io
resources:
- securitycontextconstraints
resourceNames:
- nginx-mesh-api-permissions
verbs:
- use
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: system:openshift:scc:nginx-mesh-api-permissions
labels:
app.kubernetes.io/part-of: nginx-service-mesh
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: system:openshift:scc:nginx-mesh-api-permissions
subjects:
- kind: ServiceAccount
name: nginx-mesh-api
namespace: {{ .Release.Namespace }}
---
apiVersion: security.openshift.io/v1
kind: SecurityContextConstraints
metadata:
name: nginx-mesh-api-permissions
labels:
app.kubernetes.io/part-of: nginx-service-mesh
allowHostDirVolumePlugin: false
allowHostIPC: false
allowHostNetwork: false
allowHostPID: false
allowHostPorts: false
allowPrivilegedContainer: false
seLinuxContext:
type: MustRunAs
readOnlyRootFilesystem: false
runAsUser:
type: RunAsAny
fsGroup:
type: MustRunAs
volumes:
- configMap
- csi
- secret
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: system:openshift:scc:nginx-mesh-permissions
labels:
app.kubernetes.io/part-of: nginx-service-mesh
rules:
- apiGroups:
- security.openshift.io
resources:
- securitycontextconstraints
resourceNames:
- nginx-mesh-permissions
verbs:
- use
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: system:openshift:scc:nginx-mesh-permissions
labels:
app.kubernetes.io/part-of: nginx-service-mesh
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: system:openshift:scc:nginx-mesh-permissions
subjects:
- kind: Group
name: system:authenticated
---
apiVersion: security.openshift.io/v1
kind: SecurityContextConstraints
metadata:
name: nginx-mesh-permissions
labels:
app.kubernetes.io/part-of: nginx-service-mesh
allowHostDirVolumePlugin: false
allowHostIPC: false
allowHostNetwork: false
allowHostPID: false
allowHostPorts: false
allowPrivilegedContainer: false
allowedCapabilities:
- NET_ADMIN
- NET_RAW
- SYS_RESOURCE
- SYS_ADMIN
seLinuxContext:
type: RunAsAny
runAsUser:
type: RunAsAny
fsGroup:
type: MustRunAs
readOnlyRootFilesystem: false
requiredDropCapabilities:
- KILL
- MKNOD
- SETUID
- SETGID
volumes:
- configMap
- downwardAPI
- emptyDir
- persistentVolumeClaim
- projected
- secret
- csi
{{- end }}

164
charts/nginx-service-mesh/nginx-service-mesh/0.4.100/templates/nginx-mesh-metrics.yaml Normal file
View File

@ -0,0 +1,164 @@
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: nginx-mesh-metrics
labels:
app.kubernetes.io/part-of: nginx-service-mesh
imagePullSecrets:
- name: {{ include "registry-key-name" . }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: nginx-mesh-metrics.internal.builtin.nsm.nginx
labels:
app.kubernetes.io/part-of: nginx-service-mesh
rules:
- apiGroups:
- ''
resources:
- pods
verbs:
- get
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: nginx-mesh-metrics.internal.builtin.nsm.nginx
labels:
app.kubernetes.io/part-of: nginx-service-mesh
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: nginx-mesh-metrics.internal.builtin.nsm.nginx
subjects:
- kind: ServiceAccount
name: nginx-mesh-metrics
namespace: {{ .Release.Namespace }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: nginx-mesh-metrics-svc.internal.builtin.nsm.nginx
labels:
app.kubernetes.io/part-of: nginx-service-mesh
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: system:auth-delegator
subjects:
- kind: ServiceAccount
name: nginx-mesh-metrics
namespace: {{ .Release.Namespace }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: nginx-mesh-metrics-svc.internal.builtin.nsm.nginx
labels:
app.kubernetes.io/part-of: nginx-service-mesh
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: extension-apiserver-authentication-reader
subjects:
- kind: ServiceAccount
name: nginx-mesh-metrics
namespace: {{ .Release.Namespace }}
---
apiVersion: v1
kind: Service
metadata:
name: nginx-mesh-metrics-svc
labels:
app.kubernetes.io/name: nginx-mesh-metrics
app.kubernetes.io/part-of: nginx-service-mesh
spec:
type: ClusterIP
ports:
- name: http
port: 443
targetPort: metrics
protocol: TCP
selector:
app.kubernetes.io/name: nginx-mesh-metrics
app.kubernetes.io/part-of: nginx-service-mesh
---
apiVersion: apiregistration.k8s.io/v1
kind: APIService
metadata:
name: v1alpha1.metrics.smi-spec.io
labels:
app.kubernetes.io/name: nginx-mesh-metrics
app.kubernetes.io/part-of: nginx-service-mesh
spiffe.io/apiservice: "true"
spec:
service:
name: nginx-mesh-metrics-svc
namespace: {{ .Release.Namespace }}
group: metrics.smi-spec.io
version: v1alpha1
groupPriorityMinimum: 100
versionPriority: 100
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: nginx-mesh-metrics
labels:
app.kubernetes.io/name: nginx-mesh-metrics
app.kubernetes.io/part-of: nginx-service-mesh
spec:
replicas: 1
selector:
matchLabels:
app.kubernetes.io/name: nginx-mesh-metrics
app.kubernetes.io/part-of: nginx-service-mesh
template:
metadata:
labels:
app.kubernetes.io/name: nginx-mesh-metrics
app.kubernetes.io/part-of: nginx-service-mesh
spiffe.io/spiffeid: "true"
spec:
serviceAccountName: nginx-mesh-metrics
containers:
- name: nginx-mesh-metrics
image: {{ .Values.registry.server }}/nginx-mesh-metrics:{{ .Values.registry.imageTag }}
imagePullPolicy: {{ .Values.registry.imagePullPolicy }}
args:
- "--prometheus-address={{ include "prometheus.address" . }}"
readinessProbe:
httpGet:
scheme: HTTPS
path: "/liveness"
port: 8080
initialDelaySeconds: 5
periodSeconds: 10
failureThreshold: 30
livenessProbe:
httpGet:
scheme: HTTPS
path: "/liveness"
port: 8080
initialDelaySeconds: 5
periodSeconds: 10
failureThreshold: 30
ports:
- name: metrics
containerPort: 8080
volumeMounts:
- name: spire-agent-socket
mountPath: "/run/spire/sockets"
volumes:
- name: spire-agent-socket
{{ if eq .Values.environment "openshift" -}}
csi:
driver: wlapi-mounter.spire.nginx.com
readOnly: true
{{- else -}}
hostPath:
path: "/run/spire/sockets"
type: DirectoryOrCreate
{{- end }}

351
charts/nginx-service-mesh/nginx-service-mesh/0.4.100/templates/post-delete-hook.yaml Normal file
View File

@ -0,0 +1,351 @@
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: post-delete
labels:
app.kubernetes.io/part-of: nginx-service-mesh
annotations:
"helm.sh/hook": post-delete
"helm.sh/hook-delete-policy": hook-succeeded,hook-failed
"helm.sh/hook-weight": "-5"
imagePullSecrets:
- name: {{ include "registry-key-name" . }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: post-delete.builtin.nsm.nginx
labels:
app.kubernetes.io/part-of: nginx-service-mesh
annotations:
"helm.sh/hook": post-delete
"helm.sh/hook-delete-policy": hook-succeeded,hook-failed
"helm.sh/hook-weight": "-5"
rules:
- apiGroups:
- ''
resources:
- namespaces
verbs:
- get
- list
- patch
- apiGroups:
- spiffeid.spiffe.io
resources:
- spiffeids
verbs:
- get
- list
- patch
- update
{{- if eq .Values.environment "openshift" }}
- apiGroups:
- security.openshift.io
resources:
- securitycontextconstraints
resourceNames:
- post-delete-permissions.builtin.nsm.nginx
verbs:
- use
{{- end }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: post-delete.builtin.nsm.nginx
labels:
app.kubernetes.io/part-of: nginx-service-mesh
annotations:
"helm.sh/hook": post-delete
"helm.sh/hook-delete-policy": hook-succeeded,hook-failed
"helm.sh/hook-weight": "-5"
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: post-delete.builtin.nsm.nginx
subjects:
- kind: ServiceAccount
name: post-delete
namespace: {{ .Release.Namespace }}
{{- if (include "docker-config-json" .) }}
---
apiVersion: v1
kind: Secret
metadata:
name: {{ include "registry-key-name" . }}
labels:
app.kubernetes.io/part-of: nginx-service-mesh
annotations:
"helm.sh/hook": post-delete
"helm.sh/hook-delete-policy": hook-succeeded,hook-failed
"helm.sh/hook-weight": "-5"
data:
.dockerconfigjson: {{ include "docker-config-json" . | b64enc }}
type: kubernetes.io/dockerconfigjson
{{- end }}
---
apiVersion: batch/v1
kind: Job
metadata:
name: remove-spiffeids
labels:
app.kubernetes.io/part-of: nginx-service-mesh
annotations:
"helm.sh/hook": post-delete
"helm.sh/hook-delete-policy": hook-succeeded,hook-failed
"helm.sh/hook-weight": "0"
spec:
template:
metadata:
name: remove-spiffeids
spec:
restartPolicy: Never
serviceAccountName: post-delete
containers:
- name: remove-spiffeids
image: {{ include "hook.image-server" . }}/kubectl
imagePullPolicy: {{ .Values.registry.imagePullPolicy }}
securityContext:
runAsUser: 0
command:
- /bin/sh
- -c
- |
for ns in $(kubectl get ns | awk '{print $1}' | tail -n +2); do
if [ $(kubectl get spiffeids -n $ns 2>/dev/null | wc -l) -ne 0 ]; then
kubectl patch spiffeid $(kubectl get spiffeids -n $ns | awk '{print $1}' | tail -n +2) --type='merge' -p '{"metadata":{"finalizers":null}}' -n $ns
fi
done
---
apiVersion: batch/v1
kind: Job
metadata:
name: remove-namespace-label
labels:
app.kubernetes.io/part-of: nginx-service-mesh
annotations:
"helm.sh/hook": post-delete
"helm.sh/hook-delete-policy": hook-succeeded,hook-failed
"helm.sh/hook-weight": "0"
spec:
template:
metadata:
name: remove-namespace-label
spec:
restartPolicy: Never
serviceAccountName: post-delete
containers:
- name: remove-namespace-label
image: {{ include "hook.image-server" . }}/kubectl
imagePullPolicy: {{ .Values.registry.imagePullPolicy }}
securityContext:
runAsUser: 0
command:
- /bin/sh
- -c
- |
kubectl label namespace kube-system injector.nsm.nginx.com/auto-inject-
kubectl label namespace {{ .Release.Namespace }} injector.nsm.nginx.com/auto-inject- app.kubernetes.io/part-of-
{{- if .Values.rancher }}
kubectl label namespace ingress-nginx cert-manager injector.nsm.nginx.com/auto-inject-
for ns in $(kubectl get ns | awk '{print $1}' | tail -n +2); do
case "$ns" in
cattle-*) kubectl label namespace $ns injector.nsm.nginx.com/auto-inject- ;;
esac
done
{{- end }}
{{- if eq .Values.environment "openshift" }}
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: post-delete-csi
labels:
app.kubernetes.io/part-of: nginx-service-mesh
annotations:
"helm.sh/hook": post-delete
"helm.sh/hook-delete-policy": hook-succeeded,hook-failed
"helm.sh/hook-weight": "-5"
imagePullSecrets:
- name: {{ include "registry-key-name" . }}
---
apiVersion: security.openshift.io/v1
kind: SecurityContextConstraints
metadata:
name: post-delete-permissions.builtin.nsm.nginx
labels:
app.kubernetes.io/part-of: nginx-service-mesh
annotations:
"helm.sh/hook": post-delete
"helm.sh/hook-delete-policy": hook-succeeded,hook-failed
"helm.sh/hook-weight": "-5"
allowHostDirVolumePlugin: false
allowHostIPC: false
allowHostNetwork: false
allowHostPID: false
allowHostPorts: false
allowPrivilegedContainer: false
seLinuxContext:
type: MustRunAs
runAsUser:
type: RunAsAny
readOnlyRootFilesystem: false
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: post-delete-csi.builtin.nsm.nginx
labels:
app.kubernetes.io/part-of: nginx-service-mesh
annotations:
"helm.sh/hook": post-delete
"helm.sh/hook-delete-policy": hook-succeeded,hook-failed
"helm.sh/hook-weight": "-5"
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-admin
subjects:
- kind: ServiceAccount
name: post-delete-csi
namespace: {{ .Release.Namespace }}
---
apiVersion: v1
kind: ConfigMap
metadata:
name: csi-driver-cleanup
labels:
app.kubernetes.io/part-of: nginx-service-mesh
annotations:
"helm.sh/hook": post-delete
"helm.sh/hook-delete-policy": hook-succeeded,hook-failed
"helm.sh/hook-weight": "-5"
data:
sentinel.yaml: |
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: csi-driver-sentinel
labels:
app.kubernetes.io/part-of: nginx-service-mesh
imagePullSecrets:
- name: {{ include "registry-key-name" . }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: csi-driver-sentinel.builtin.nsm.nginx
labels:
app.kubernetes.io/part-of: nginx-service-mesh
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-admin
subjects:
- kind: ServiceAccount
name: csi-driver-sentinel
namespace: {{ .Release.Namespace }}
---
apiVersion: batch/v1
kind: Job
metadata:
name: csi-driver-sentinel
labels:
app.kubernetes.io/part-of: nginx-service-mesh
spec:
ttlSecondsAfterFinished: 0
template:
spec:
restartPolicy: Never
serviceAccountName: csi-driver-sentinel
containers:
- name: csi-driver-sentinel
image: {{ include "hook.image-server" . }}/kubectl
imagePullPolicy: {{ .Values.registry.imagePullPolicy }}
command:
- /bin/sh
- -c
- |
while [ $(kubectl get pods -A -o=jsonpath='{.items[?(@.metadata.annotations.injector\.nsm\.nginx\.com/status=="injected")].metadata.name}' | wc -w) -gt 0 ]; do
sleep 5
done
kubectl delete daemonset spire-agent
kubectl delete serviceaccount spire-agent
kubectl delete clusterrole system:openshift:scc:nginx-mesh-spire-agent-permissions
kubectl delete rolebinding system:openshift:scc:nginx-mesh-spire-agent-permissions
kubectl delete scc nginx-mesh-spire-agent-permissions
kubectl delete secret {{ include "registry-key-name" . }}
kubectl delete serviceaccount csi-driver-sentinel
kubectl delete clusterrolebinding csi-driver-sentinel.builtin.nsm.nginx
{{- if (include "docker-config-json" .) }}
secret.yaml: |
---
apiVersion: v1
kind: Secret
metadata:
name: {{ include "registry-key-name" . }}
labels:
app.kubernetes.io/part-of: nginx-service-mesh
data:
.dockerconfigjson: {{ include "docker-config-json" . | b64enc }}
type: kubernetes.io/dockerconfigjson
{{- end }}
---
apiVersion: batch/v1
kind: Job
metadata:
name: csi-driver-cleanup
labels:
app.kubernetes.io/part-of: nginx-service-mesh
annotations:
"helm.sh/hook": post-delete
"helm.sh/hook-delete-policy": hook-succeeded,hook-failed
"helm.sh/hook-weight": "5"
spec:
template:
metadata:
name: csi-driver-cleanup
spec:
restartPolicy: Never
serviceAccountName: post-delete-csi
containers:
- name: csi-driver-cleanup
image: {{ include "hook.image-server" . }}/kubectl
imagePullPolicy: {{ .Values.registry.imagePullPolicy }}
securityContext:
runAsUser: 0
command:
- /bin/sh
- -c
- |
res=$(kubectl get pods -o=jsonpath='{.items[?(@.metadata.annotations.injector\.nsm\.nginx\.com/status=="injected")].metadata.name}' -A | wc -w)
if [ $res -eq 0 ]; then
kubectl delete daemonset spire-agent
kubectl delete serviceaccount spire-agent
kubectl delete clusterrole system:openshift:scc:nginx-mesh-spire-agent-permissions
kubectl delete rolebinding system:openshift:scc:nginx-mesh-spire-agent-permissions
kubectl delete scc nginx-mesh-spire-agent-permissions
else
idx=$(kubectl get daemonset spire-agent -o json | jq '.spec.template.spec.containers | map(.name == "spire-agent") | index(true)')
kubectl patch daemonset spire-agent --type=json -p="[{'op': 'remove', 'path': '/spec/template/spec/containers/$idx'}]"
idx=$(kubectl get daemonset spire-agent -o json | jq '.spec.template.spec.initContainers | map(.name == "init") | index(true)')
kubectl patch daemonset spire-agent --type=json -p="[{'op': 'remove', 'path': '/spec/template/spec/initContainers/$idx'}]"
{{- if (include "docker-config-json" .) }}
kubectl get secret {{ include "registry-key-name" . }}
if [ $? != 0 ]; then
kubectl create -f /tmp/config/secret.yaml
fi
{{- end }}
kubectl create -f /tmp/config/sentinel.yaml
fi
volumeMounts:
- name: sentinel
mountPath: /tmp/config
volumes:
- name: sentinel
configMap:
name: csi-driver-cleanup
{{- end }}

79
charts/nginx-service-mesh/nginx-service-mesh/0.4.100/templates/pre-delete-hook.yaml Normal file
View File

@ -0,0 +1,79 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: pre-delete
labels:
app.kubernetes.io/part-of: nginx-service-mesh
annotations:
"helm.sh/hook": pre-delete
"helm.sh/hook-delete-policy": hook-succeeded,hook-failed
"helm.sh/hook-weight": "-5"
imagePullSecrets:
- name: {{ include "registry-key-name" . }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: pre-delete.builtin.nsm.nginx
labels:
app.kubernetes.io/part-of: nginx-service-mesh
annotations:
"helm.sh/hook": pre-delete
"helm.sh/hook-delete-policy": hook-succeeded,hook-failed
"helm.sh/hook-weight": "-5"
rules:
- apiGroups:
- nsm.nginx.com
resources:
- clear
verbs:
- create
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: pre-delete.builtin.nsm.nginx
labels:
app.kubernetes.io/part-of: nginx-service-mesh
annotations:
"helm.sh/hook": pre-delete
"helm.sh/hook-delete-policy": hook-succeeded,hook-failed
"helm.sh/hook-weight": "-5"
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: pre-delete.builtin.nsm.nginx
subjects:
- kind: ServiceAccount
name: pre-delete
namespace: {{ .Release.Namespace }}
---
apiVersion: batch/v1
kind: Job
metadata:
name: turn-proxies-transparent
labels:
app.kubernetes.io/part-of: nginx-service-mesh
annotations:
"helm.sh/hook": pre-delete
"helm.sh/hook-delete-policy": hook-succeeded,hook-failed
"helm.sh/hook-weight": "0"
spec:
template:
metadata:
name: turn-proxies-transparent
spec:
restartPolicy: Never
serviceAccountName: pre-delete
containers:
- name: turn-proxies-transparent
image: {{ include "hook.image-server" . }}/kubectl
imagePullPolicy: {{ .Values.registry.imagePullPolicy }}
command:
- /bin/sh
- -c
- |
echo "" | kubectl create --raw /apis/nsm.nginx.com/v1alpha1/clear -f -
exit 0
imagePullSecrets:
- name: {{ include "registry-key-name" . }}

138
charts/nginx-service-mesh/nginx-service-mesh/0.4.100/templates/pre-install-hook.yaml Normal file
View File

@ -0,0 +1,138 @@
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: pre-install
labels:
app.kubernetes.io/part-of: nginx-service-mesh
annotations:
"helm.sh/hook": pre-install
"helm.sh/hook-delete-policy": hook-succeeded,hook-failed
"helm.sh/hook-weight": "-5"
imagePullSecrets:
- name: {{ include "registry-key-name" . }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: pre-install.builtin.nsm.nginx
labels:
app.kubernetes.io/part-of: nginx-service-mesh
annotations:
"helm.sh/hook": pre-install
"helm.sh/hook-delete-policy": hook-succeeded,hook-failed
"helm.sh/hook-weight": "-5"
rules:
- apiGroups:
- ''
resources:
- namespaces
verbs:
- get
- list
- patch
{{- if eq .Values.environment "openshift" }}
- apiGroups:
- security.openshift.io
resources:
- securitycontextconstraints
resourceNames:
- pre-install-permissions.builtin.nsm.nginx
verbs:
- use
---
apiVersion: security.openshift.io/v1
kind: SecurityContextConstraints
metadata:
name: pre-install-permissions.builtin.nsm.nginx
labels:
app.kubernetes.io/part-of: nginx-service-mesh
annotations:
"helm.sh/hook": pre-install
"helm.sh/hook-delete-policy": hook-succeeded,hook-failed
"helm.sh/hook-weight": "-5"
allowHostDirVolumePlugin: false
allowHostIPC: false
allowHostNetwork: false
allowHostPID: false
allowHostPorts: false
allowPrivilegedContainer: false
seLinuxContext:
type: MustRunAs
runAsUser:
type: RunAsAny
readOnlyRootFilesystem: false
{{- end }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: pre-install.builtin.nsm.nginx
labels:
app.kubernetes.io/part-of: nginx-service-mesh
annotations:
"helm.sh/hook": pre-install
"helm.sh/hook-delete-policy": hook-succeeded,hook-failed
"helm.sh/hook-weight": "-5"
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: pre-install.builtin.nsm.nginx
subjects:
- kind: ServiceAccount
name: pre-install
namespace: {{ .Release.Namespace }}
{{- if (include "docker-config-json" .) }}
---
apiVersion: v1
kind: Secret
metadata:
name: {{ include "registry-key-name" . }}
labels:
app.kubernetes.io/part-of: nginx-service-mesh
annotations:
"helm.sh/hook": pre-install
"helm.sh/hook-delete-policy": hook-succeeded,hook-failed
"helm.sh/hook-weight": "-5"
data:
.dockerconfigjson: {{ include "docker-config-json" . | b64enc }}
type: kubernetes.io/dockerconfigjson
{{- end }}
---
apiVersion: batch/v1
kind: Job
metadata:
name: label-namespace
labels:
app.kubernetes.io/part-of: nginx-service-mesh
annotations:
"helm.sh/hook": pre-install
"helm.sh/hook-delete-policy": hook-succeeded,hook-failed
"helm.sh/hook-weight": "0"
spec:
template:
metadata:
name: label-namespace
spec:
restartPolicy: Never
serviceAccountName: pre-install
containers:
- name: label-namespace
image: {{ include "hook.image-server" . }}/kubectl
imagePullPolicy: {{ .Values.registry.imagePullPolicy }}
securityContext:
runAsUser: 0
command:
- /bin/sh
- -c
- |
kubectl label namespace kube-system injector.nsm.nginx.com/auto-inject=false
kubectl label namespace {{ .Release.Namespace }} --overwrite injector.nsm.nginx.com/auto-inject=false app.kubernetes.io/part-of=nginx-service-mesh
{{- if .Values.rancher }}
kubectl label namespace ingress-nginx cert-manager injector.nsm.nginx.com/auto-inject=false
for ns in $(kubectl get ns | awk '{print $1}' | tail -n +2); do
case "$ns" in
cattle-*) kubectl label namespace $ns injector.nsm.nginx.com/auto-inject=false ;;
esac
done
{{- end }}

79
charts/nginx-service-mesh/nginx-service-mesh/0.4.100/templates/pre-upgrade-hook.yaml Normal file
View File

@ -0,0 +1,79 @@
{{- if eq .Values.environment "openshift" }}
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: pre-upgrade
labels:
app.kubernetes.io/part-of: nginx-service-mesh
annotations:
"helm.sh/hook": pre-upgrade
"helm.sh/hook-delete-policy": hook-succeeded,hook-failed
"helm.sh/hook-weight": "-5"
imagePullSecrets:
- name: {{ include "registry-key-name" . }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: pre-upgrade
labels:
app.kubernetes.io/part-of: nginx-service-mesh
annotations:
"helm.sh/hook": pre-upgrade
"helm.sh/hook-delete-policy": hook-succeeded,hook-failed
"helm.sh/hook-weight": "-5"
rules:
- apiGroups:
- apps
resources:
- daemonsets
verbs:
- delete
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: pre-upgrade
labels:
app.kubernetes.io/part-of: nginx-service-mesh
annotations:
"helm.sh/hook": pre-upgrade
"helm.sh/hook-delete-policy": hook-succeeded,hook-failed
"helm.sh/hook-weight": "-5"
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: pre-upgrade
subjects:
- kind: ServiceAccount
name: pre-upgrade
namespace: {{ .Release.Namespace }}
---
apiVersion: batch/v1
kind: Job
metadata:
name: delete-spire-agent
labels:
app.kubernetes.io/part-of: nginx-service-mesh
annotations:
"helm.sh/hook": pre-upgrade
"helm.sh/hook-delete-policy": hook-succeeded,hook-failed
"helm.sh/hook-weight": "0"
spec:
template:
metadata:
name: delete-spire-agent
spec:
restartPolicy: Never
serviceAccountName: pre-upgrade
containers:
- name: delete-spire-agent
image: {{ include "hook.image-server" . }}/kubectl
imagePullPolicy: {{ .Values.registry.imagePullPolicy }}
command:
- /bin/sh
- -c
- |
kubectl delete daemonset spire-agent
{{- end }}

114
charts/nginx-service-mesh/nginx-service-mesh/0.4.100/templates/prometheus.yaml Normal file
View File

@ -0,0 +1,114 @@
{{- if eq .Values.prometheusAddress "" }}
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: prometheus
labels:
app.kubernetes.io/part-of: nginx-service-mesh
imagePullSecrets:
- name: {{ include "registry-key-name" . }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: prometheus.metrics.builtin.nsm.nginx
labels:
app.kubernetes.io/part-of: nginx-service-mesh
rules:
- apiGroups:
- ''
resources:
- services
- endpoints
- pods
verbs:
- get
- list
- watch
- nonResourceURLs:
- "/metrics"
verbs:
- get
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: prometheus.metrics.builtin.nsm.nginx
labels:
app.kubernetes.io/part-of: nginx-service-mesh
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: prometheus.metrics.builtin.nsm.nginx
subjects:
- kind: ServiceAccount
name: prometheus
namespace: {{ .Release.Namespace }}
---
apiVersion: v1
kind: ConfigMap
metadata:
name: prometheus-configuration
labels:
app.kubernetes.io/part-of: nginx-service-mesh
binaryData:
prometheus.yaml: {{ .Files.Get "configs/prometheus-config.yaml" | b64enc }}
---
apiVersion: v1
kind: Service
metadata:
name: prometheus
labels:
app.kubernetes.io/name: prometheus
app.kubernetes.io/part-of: nginx-service-mesh
spec:
selector:
app.kubernetes.io/name: prometheus
app.kubernetes.io/part-of: nginx-service-mesh
type: ClusterIP
ports:
- port: 9090
targetPort: 9090
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: prometheus
labels:
app.kubernetes.io/name: prometheus
app.kubernetes.io/part-of: nginx-service-mesh
spec:
replicas: 1
selector:
matchLabels:
app.kubernetes.io/name: prometheus
app.kubernetes.io/part-of: nginx-service-mesh
template:
metadata:
labels:
app.kubernetes.io/name: prometheus
app.kubernetes.io/part-of: nginx-service-mesh
spec:
serviceAccountName: prometheus
containers:
- name: prometheus
image: {{ include "prometheus.image-server" . }}/prometheus:v2.33.1
imagePullPolicy: {{ .Values.registry.imagePullPolicy }}
args:
- "--config.file=/etc/prometheus/prometheus.yaml"
- "--storage.tsdb.path=/prometheus/"
ports:
- containerPort: 9090
volumeMounts:
- name: prometheus-config-volume
mountPath: "/etc/prometheus"
- name: prometheus-storage-volume
mountPath: "/prometheus/"
volumes:
- name: prometheus-config-volume
configMap:
name: prometheus-configuration
- name: prometheus-storage-volume
emptyDir: {}
{{- end }}

12
charts/nginx-service-mesh/nginx-service-mesh/0.4.100/templates/registry-key.yaml Normal file
View File

@ -0,0 +1,12 @@
{{- if (include "docker-config-json" .) }}
---
apiVersion: v1
kind: Secret
metadata:
name: {{ include "registry-key-name" . }}
labels:
app.kubernetes.io/part-of: nginx-service-mesh
data:
.dockerconfigjson: {{ include "docker-config-json" . | b64enc }}
type: kubernetes.io/dockerconfigjson
{{- end }}

307
charts/nginx-service-mesh/nginx-service-mesh/0.4.100/templates/spire-agent.yaml Normal file
View File

@ -0,0 +1,307 @@
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: spire-agent
labels:
app.kubernetes.io/part-of: nginx-service-mesh
{{- if eq .Values.environment "openshift" }}
annotations:
"helm.sh/resource-policy": keep
{{- end }}
imagePullSecrets:
- name: {{ include "registry-key-name" . }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: spire-agent.security.builtin.nsm.nginx
labels:
app.kubernetes.io/part-of: nginx-service-mesh
rules:
- apiGroups:
- ''
resources:
- pods
- nodes
- nodes/proxy
verbs:
- get
- list
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: spire-agent.security.builtin.nsm.nginx
labels:
app.kubernetes.io/part-of: nginx-service-mesh
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: spire-agent.security.builtin.nsm.nginx
subjects:
- kind: ServiceAccount
name: spire-agent
namespace: {{ .Release.Namespace }}
---
apiVersion: v1
kind: ConfigMap
metadata:
name: spire-agent
labels:
app.kubernetes.io/part-of: nginx-service-mesh
data:
agent.conf: {{ tpl (.Files.Get "configs/spire-agent.conf") . | quote }}
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: spire-agent
labels:
app.kubernetes.io/name: spire-agent
app.kubernetes.io/part-of: nginx-service-mesh
{{- if eq .Values.environment "openshift" }}
annotations:
"helm.sh/resource-policy": keep
{{- end }}
spec:
selector:
matchLabels:
app.kubernetes.io/name: spire-agent
app.kubernetes.io/part-of: nginx-service-mesh
template:
metadata:
labels:
app.kubernetes.io/name: spire-agent
app.kubernetes.io/part-of: nginx-service-mesh
spec:
serviceAccountName: spire-agent
hostPID: true
hostNetwork: true
dnsPolicy: ClusterFirstWithHostNet
initContainers:
{{- if eq .Values.environment "openshift" }}
- name: set-context
image: {{ include "ubuntu.image-server" . }}ubuntu:20.04
imagePullPolicy: {{ .Values.registry.imagePullPolicy }}
command: ["chcon", "-Rt", "container_file_t", "wlapi/"]
volumeMounts:
- name: spire-agent-socket
mountPath: "/wlapi"
{{- end }}
- name: init
image: {{ include "hook.image-server" . }}/kubectl
command:
- /bin/sh
- -c
- |
while $(kubectl -n {{ .Release.Namespace }} wait --for=condition=Ready pod -l app.kubernetes.io/name=spire-server > /dev/null); [ $? -ne 0 ]; do
sleep 1
done
containers:
- name: spire-agent
image: {{ include "spire.image-server" . }}/spire-agent:1.2.0
imagePullPolicy: {{ .Values.registry.imagePullPolicy }}
args:
- "-config"
- "/run/spire/config/agent.conf"
env:
- name: MY_NODE_NAME
valueFrom:
fieldRef:
fieldPath: spec.nodeName
volumeMounts:
- name: spire-config
mountPath: "/run/spire/config"
readOnly: true
- name: spire-bundle
mountPath: "/run/spire/bundle"
- name: spire-agent-socket
mountPath: "/run/spire/sockets"
readOnly: false
- name: spire-token
mountPath: "/var/run/secrets/tokens"
livenessProbe:
exec:
command:
- "/opt/spire/bin/spire-agent"
- healthcheck
- "-shallow"
- "-socketPath"
- "/run/spire/sockets/agent.sock"
failureThreshold: 2
initialDelaySeconds: 15
periodSeconds: 60
timeoutSeconds: 3
readinessProbe:
exec:
command:
- "/opt/spire/bin/spire-agent"
- healthcheck
- "-socketPath"
- "/run/spire/sockets/agent.sock"
initialDelaySeconds: 5
periodSeconds: 5
{{ if eq .Values.environment "openshift" -}}
- name: nginx-mesh-csi-driver
image: {{ .Values.registry.server }}/nginx-mesh-csi-driver:{{ .Values.registry.imageTag }}
imagePullPolicy: {{ .Values.registry.imagePullPolicy }}
args:
- "--node-id-env"
- "MY_NODE_NAME"
- "--wlapi-socket-dir"
- "/wlapi"
- "--csi-socket-path"
- "/csi/csi.sock"
env:
- name: MY_POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: MY_POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: MY_NODE_NAME
valueFrom:
fieldRef:
fieldPath: spec.nodeName
volumeMounts:
- name: spire-agent-socket
mountPath: /wlapi
readOnly: true
- name: csi-socket-dir
mountPath: /csi
- name: mountpoint-dir
mountPath: /var/lib/kubelet/pods
mountPropagation: Bidirectional
securityContext:
privileged: true
- name: node-driver-registrar
image: {{ include "node-driver.image-server" . }}/csi-node-driver-registrar:v2.0.1
imagePullPolicy: {{ .Values.registry.imagePullPolicy }}
args:
- "-csi-address"
- "/csi/csi.sock"
- "-kubelet-registration-path"
- "/var/lib/kubelet/plugins/agent.spire.csi.spiffe.io/csi.sock"
volumeMounts:
- name: csi-socket-dir
mountPath: /csi
- name: registration-dir
mountPath: /registration
{{- end }}
volumes:
- name: spire-config
configMap:
name: spire-agent
- name: spire-bundle
configMap:
name: spire-bundle
- name: spire-agent-socket
hostPath:
path: /run/spire/sockets
type: DirectoryOrCreate
{{ if eq .Values.environment "openshift" -}}
- name: csi-socket-dir
hostPath:
path: /var/lib/kubelet/plugins/agent.spire.csi.spiffe.io
type: DirectoryOrCreate
- name: mountpoint-dir
hostPath:
path: /var/lib/kubelet/pods
type: Directory
- name: registration-dir
hostPath:
path: /var/lib/kubelet/plugins_registry
type: Directory
{{- end }}
- name: spire-token
projected:
sources:
- serviceAccountToken:
audience: spire-server
expirationSeconds: 7200
path: spire-agent
{{- if eq .Values.environment "openshift" }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: system:openshift:scc:nginx-mesh-spire-agent-permissions
labels:
app.kubernetes.io/part-of: nginx-service-mesh
annotations:
"helm.sh/resource-policy": keep
rules:
- apiGroups:
- security.openshift.io
resources:
- securitycontextconstraints
resourceNames:
- nginx-mesh-spire-agent-permissions
verbs:
- use
- apiGroups:
- ''
resources:
- pods
verbs:
- get
- list
- patch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: system:openshift:scc:nginx-mesh-spire-agent-permissions
labels:
app.kubernetes.io/part-of: nginx-service-mesh
annotations:
"helm.sh/resource-policy": keep
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: system:openshift:scc:nginx-mesh-spire-agent-permissions
subjects:
- kind: ServiceAccount
name: spire-agent
namespace: {{ .Release.Namespace }}
---
apiVersion: security.openshift.io/v1
kind: SecurityContextConstraints
metadata:
name: nginx-mesh-spire-agent-permissions
labels:
app.kubernetes.io/part-of: nginx-service-mesh
annotations:
"helm.sh/resource-policy": keep
allowHostDirVolumePlugin: true
allowHostIPC: false
allowHostPID: true
allowHostNetwork: true
allowHostPorts: false
allowPrivilegedContainer: true
seLinuxContext:
type: MustRunAs
readOnlyRootFilesystem: false
runAsUser:
type: RunAsAny
fsGroup:
type: MustRunAs
volumes:
- configMap
- hostPath
- projected
- secret
---
apiVersion: storage.k8s.io/v1
kind: CSIDriver
metadata:
name: wlapi-mounter.spire.nginx.com
spec:
attachRequired: false
podInfoOnMount: true
volumeLifecycleModes:
- Ephemeral
{{- end }}

434
charts/nginx-service-mesh/nginx-service-mesh/0.4.100/templates/spire-server.yaml Normal file
View File

@ -0,0 +1,434 @@
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: spire-server
labels:
app.kubernetes.io/part-of: nginx-service-mesh
imagePullSecrets:
- name: {{ include "registry-key-name" . }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: spire-server.security.builtin.nsm.nginx
labels:
app.kubernetes.io/part-of: nginx-service-mesh
rules:
- apiGroups:
- ''
resources:
- pods
- nodes
verbs:
- get
- apiGroups:
- ''
resources:
- configmaps
resourceNames:
- spire-bundle
verbs:
- get
- patch
- apiGroups:
- authentication.k8s.io
resources:
- tokenreviews
verbs:
- create
- apiGroups:
- apiregistration.k8s.io
resources:
- apiservices
verbs:
- get
- list
- patch
- watch
- apiGroups:
- admissionregistration.k8s.io
resources:
- mutatingwebhookconfigurations
- validatingwebhookconfigurations
verbs:
- get
- list
- patch
- watch
{{- if .Values.mtls.upstreamAuthority.certManager }}
- apiGroups:
- cert-manager.io
resources:
- certificaterequests
verbs:
- get
- list
- create
- delete
{{- end }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: spire-server.security.builtin.nsm.nginx
labels:
app.kubernetes.io/part-of: nginx-service-mesh
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: spire-server.security.builtin.nsm.nginx
subjects:
- kind: ServiceAccount
name: spire-server
namespace: {{ .Release.Namespace }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: k8s-workload-registrar.security.builtin.nsm.nginx
labels:
app.kubernetes.io/part-of: nginx-service-mesh
rules:
- apiGroups:
- ''
resources:
- endpoints
- pods
- nodes
verbs:
- get
- list
- watch
- apiGroups:
- spiffeid.spiffe.io
resources:
- spiffeids
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- spiffeid.spiffe.io
resources:
- spiffeids/status
verbs:
- get
- patch
- update
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: k8s-workload-registrar.security.builtin.nsm.nginx
labels:
app.kubernetes.io/part-of: nginx-service-mesh
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: k8s-workload-registrar.security.builtin.nsm.nginx
subjects:
- kind: ServiceAccount
name: spire-server
namespace: {{ .Release.Namespace }}
{{- if (or (include "ua-secret-name" .) (include "ua-vault-env-name" .)) }}
---
apiVersion: v1
kind: Secret
metadata:
name: spire-server
labels:
app.kubernetes.io/part-of: nginx-service-mesh
type: Opaque
data:
{{- if (include "ua-secret-name" .) }}
{{ include "ua-secret-name" . }}: {{ include "ua-secret-value" . }}{{ end }}
{{- if (include "ua-vault-env-name" .) }}
{{ include "ua-vault-env-name" . }}: {{ include "ua-vault-env-value" . }}{{ end }}
{{- end }}
---
apiVersion: v1
kind: ConfigMap
metadata:
name: spire-bundle
labels:
app.kubernetes.io/part-of: nginx-service-mesh
---
apiVersion: v1
kind: ConfigMap
metadata:
name: spire-server
labels:
app.kubernetes.io/part-of: nginx-service-mesh
data:
server.conf: {{ tpl (.Files.Get "configs/spire-server.conf") . | quote }}
{{ if (include "ua-upstream-cert" .) -}}
{{ include "ua-upstream-cert" . }}{{ end }}
{{ if (include "ua-upstream-client-cert" .) -}}
{{ include "ua-upstream-client-cert" . }}{{ end }}
{{ if (include "ua-upstream-bundle" .) -}}
{{ include "ua-upstream-bundle" . }}{{ end }}
---
apiVersion: v1
kind: ConfigMap
metadata:
name: k8s-workload-registrar
labels:
app.kubernetes.io/part-of: nginx-service-mesh
data:
k8s-workload-registrar.conf: {{ tpl (.Files.Get "configs/k8s-workload-registrar.conf") . | quote }}
---
apiVersion: v1
kind: Service
metadata:
name: spire-server
labels:
app.kubernetes.io/name: spire-server
app.kubernetes.io/part-of: nginx-service-mesh
spec:
type: ClusterIP
ports:
- name: grpc
protocol: TCP
port: 8081
targetPort: 8081
selector:
app.kubernetes.io/name: spire-server
app.kubernetes.io/part-of: nginx-service-mesh
---
apiVersion: v1
kind: Service
metadata:
name: k8s-workload-registrar
labels:
app.kubernetes.io/name: k8s-workload-registrar
app.kubernetes.io/part-of: nginx-service-mesh
spec:
ports:
- name: webhook
protocol: TCP
port: 443
targetPort: 9443
selector:
app.kubernetes.io/name: spire-server
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
name: k8s-workload-registrar.security.builtin.nsm.nginx
labels:
app.kubernetes.io/part-of: nginx-service-mesh
spiffe.io/webhook: "true"
webhooks:
- name: k8s-workload-registrar.{{ .Release.Namespace }}.svc
clientConfig:
service:
name: k8s-workload-registrar
namespace: {{ .Release.Namespace }}
path: "/validate-spiffeid-spiffe-io-v1beta1-spiffeid"
sideEffects: None
admissionReviewVersions:
- v1
- v1beta1
rules:
- apiGroups:
- spiffeid.spiffe.io
apiVersions:
- v1beta1
operations:
- CREATE
- UPDATE
- DELETE
resources:
- spiffeids
scope: Namespaced
---
apiVersion: apps/v1
{{- if eq .Values.mtls.persistentStorage "on" }}
kind: StatefulSet
{{- else }}
kind: Deployment
{{- end }}
metadata:
name: spire-server
labels:
app.kubernetes.io/name: spire-server
app.kubernetes.io/part-of: nginx-service-mesh
spec:
replicas: 1
selector:
matchLabels:
app.kubernetes.io/name: spire-server
app.kubernetes.io/part-of: nginx-service-mesh
{{- if eq .Values.mtls.persistentStorage "on" }}
serviceName: spire-server
{{- end }}
template:
metadata:
labels:
app.kubernetes.io/name: spire-server
app.kubernetes.io/part-of: nginx-service-mesh
spec:
serviceAccountName: spire-server
shareProcessNamespace: true
containers:
- name: spire-server
image: {{ include "spire.image-server" . }}/spire-server:1.2.0
imagePullPolicy: {{ .Values.registry.imagePullPolicy }}
args:
- '-config'
- /run/spire/config/server.conf
ports:
- name: spire-server
protocol: TCP
containerPort: 8081
{{- if (include "ua-vault-env-name" .) }}
env:
- name: {{ include "ua-vault-env-name" . }}
valueFrom:
secretKeyRef:
name: spire-server
key: {{ include "ua-vault-env-name" . }}
{{- end }}
volumeMounts:
- name: spire-config
mountPath: /run/spire/config
readOnly: true
{{- if (include "ua-secret-mountpath" .) }}
- name: spire-secrets
mountPath: {{ include "ua-secret-mountpath" . }}
readOnly: true
{{- end }}
{{- if eq .Values.mtls.persistentStorage "on" }}
- name: spire-data
mountPath: /run/spire/data
readOnly: false
{{- end }}
- name: spire-server-socket
mountPath: /run/spire/sockets
readOnly: false
livenessProbe:
httpGet:
port: 8082
path: /live
failureThreshold: 2
initialDelaySeconds: 15
periodSeconds: 60
timeoutSeconds: 3
readinessProbe:
httpGet:
port: 8082
path: /ready
initialDelaySeconds: 5
periodSeconds: 5
- name: k8s-workload-registrar
image: {{ include "spire.image-server" . }}/k8s-workload-registrar:1.2.0
imagePullPolicy: {{ .Values.registry.imagePullPolicy }}
args:
- '-config'
- /run/spire/config/k8s-workload-registrar.conf
ports:
- name: webhook
protocol: TCP
containerPort: 9443
env:
- name: MY_POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
volumeMounts:
- name: k8s-workload-registrar-config
mountPath: /run/spire/config
readOnly: true
- name: spire-server-socket
mountPath: /run/spire/sockets
readOnly: true
volumes:
- name: spire-config
configMap:
name: spire-server
{{- if (include "ua-secret-name" .) }}
- name: spire-secrets
secret:
secretName: spire-server
items:
- key: {{ include "ua-secret-name" . }}
path: {{ include "ua-secret-name" . }}
{{- end }}
- name: spire-server-socket
emptyDir: {}
- name: k8s-workload-registrar-config
configMap:
name: k8s-workload-registrar
{{- if eq .Values.mtls.persistentStorage "on" }}
volumeClaimTemplates:
- metadata:
name: spire-data
namespace: {{ .Release.Namespace }}
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 1Gi
{{- end }}
{{- if eq .Values.environment "openshift" }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: system:openshift:scc:nginx-mesh-spire-server-permissions
labels:
app.kubernetes.io/part-of: nginx-service-mesh
rules:
- apiGroups:
- security.openshift.io
resources:
- securitycontextconstraints
resourceNames:
- nginx-mesh-spire-server-permissions
verbs:
- use
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: system:openshift:scc:nginx-mesh-spire-server-permissions
labels:
app.kubernetes.io/part-of: nginx-service-mesh
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: system:openshift:scc:nginx-mesh-spire-server-permissions
subjects:
- kind: ServiceAccount
name: spire-server
namespace: {{ .Release.Namespace }}
---
apiVersion: security.openshift.io/v1
kind: SecurityContextConstraints
metadata:
name: nginx-mesh-spire-server-permissions
labels:
app.kubernetes.io/part-of: nginx-service-mesh
allowHostDirVolumePlugin: false
allowHostIPC: false
allowHostNetwork: false
allowHostPID: false
allowHostPorts: false
allowPrivilegedContainer: false
seLinuxContext:
type: MustRunAs
readOnlyRootFilesystem: false
runAsUser:
type: RunAsAny
volumes:
- configMap
- secret
- emptyDir
- persistentVolumeClaim
{{- end }}

46
charts/nginx-service-mesh/nginx-service-mesh/0.4.100/templates/zipkin.yaml Normal file
View File

@ -0,0 +1,46 @@
{{- if .Values.tracing }} {{- if (and (not .Values.tracing.disable) (eq .Values.tracing.backend "zipkin") (eq .Values.tracing.address "")) }}
---
apiVersion: v1
kind: Service
metadata:
name: zipkin
labels:
app.kubernetes.io/name: zipkin
app.kubernetes.io/part-of: nginx-service-mesh
spec:
selector:
app.kubernetes.io/name: zipkin
app.kubernetes.io/part-of: nginx-service-mesh
type: ClusterIP
ports:
- port: 9411
targetPort: 9411
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: zipkin
labels:
app.kubernetes.io/name: zipkin
app.kubernetes.io/part-of: nginx-service-mesh
spec:
replicas: 1
selector:
matchLabels:
app.kubernetes.io/name: zipkin
app.kubernetes.io/part-of: nginx-service-mesh
template:
metadata:
labels:
app.kubernetes.io/name: zipkin
app.kubernetes.io/part-of: nginx-service-mesh
spec:
imagePullSecrets:
- name: {{ include "registry-key-name" . }}
containers:
- name: zipkin
image: {{ include "zipkin.image-server" . }}/zipkin:2.23.16
imagePullPolicy: {{ .Values.registry.imagePullPolicy }}
ports:
- containerPort: 9411
{{- end }}{{- end }}

614
charts/nginx-service-mesh/nginx-service-mesh/0.4.100/values.schema.json Normal file
View File

@ -0,0 +1,614 @@
{
"$schema": "https://json-schema.org/draft-07/schema#",
"title": "NGINX Service Mesh Values",
"type": "object",
"properties": {
"mtls": {
"type": "object",
"properties": {
"mode": {
"description": "mTLS mode for pod-to-pod communication",
"type": "string",
"enum": ["off", "permissive", "strict"],
"default": "permissive"
},
"caTTL": {
"description": "The CA/signing key TTL in hours(h) or minutes(m). Max value is 999999.",
"type": "string",
"pattern": "^[1-9][0-9]{0,5}(h|m)$",
"default": "720h"
},
"svidTTL": {
"description": "The TTL of certificates issued to workloads in hours(h) or minutes(m). Max value is 999999.",
"type": "string",
"pattern": "^[1-9][0-9]{0,5}(h|m)$",
"default": "1h"
},
"trustDomain": {
"description": "The trust domain of the NGINX Service Mesh",
"type": "string",
"default": "example.org"
},
"persistentStorage": {
"description": "Use persistent storage",
"type": "string",
"enum": ["on", "off"],
"default": "on"
},
"spireServerKeyManager": {
"description": "Storage logic for SPIRE Server's private keys",
"type": "string",
"enum": ["disk", "memory"],
"default": "disk"
},
"caKeyType": {
"description": "The key type used for the SPIRE Server CA",
"type": "string",
"enum": ["ec-p256", "ec-p384", "rsa-2048", "rsa-4096"],
"default": "ec-p256"
},
"upstreamAuthority": {
"description": "Upstream authority settings",
"type": "object",
"properties": {
"disk": {
"description": "Disk object",
"type": "object",
"properties": {
"cert": {
"description": "Contents of your PEM encoded certificate file",
"type": "string",
"minLength": 1
},
"key": {
"description": "Contents of your PEM encoded key file",
"type": "string",
"minLength": 1
},
"bundle": {
"description": "Contents of your CA bundle file",
"type": "string"
}
},
"required": ["cert", "key"]
},
"awsPCA": {
"description": "AWS PCA object",
"type": "object",
"properties": {
"region": {
"description": "AWS region to use",
"type": "string",
"minLength": 1
},
"certificateAuthorityArn": {
"description": "ARN of the upstream CA certificate",
"type": "string",
"minLength": 1
},
"awsAccessKeyID": {
"description": "AWS access key ID",
"type": "string"
},
"awsSecretAccessKey": {
"description": "AWS secret access key",
"type": "string"
},
"caSigningTemplateArn": {
"description": "ARN of the signing template to use for the server's CA",
"type": "string"
},
"signingAlgorithm": {
"description": "Signing algorithm to use for the server's CA",
"type": "string"
},
"assumeRoleArn": {
"description": " ARN of an IAM role to assume",
"type": "string"
},
"endpoint": {
"description": "Endpoint as hostname or fully-qualified URI that overrides the default endpoint",
"type": "string"
},
"supplementalBundle": {
"description": "Contents of a PEM encoded CA certificates file that should be additionally included in the bundle",
"type": "string"
}
},
"required": ["region", "certificateAuthorityArn"]
},
"awsSecret": {
"description": "AWS Secret object",
"type": "object",
"properties": {
"region": {
"description": "AWS region to use",
"type": "string",
"minLength": 1
},
"certFileArn": {
"description": "ARN of the upstream CA certificate",
"type": "string",
"minLength": 1
},
"keyFileArn": {
"description": "ARN of the upstream CA key file",
"type": "string",
"minLength": 1
},
"awsAccessKeyID": {
"description": "AWS access key ID",
"type": "string"
},
"awsSecretKeyID": {
"description": "AWS secret access key",
"type": "string"
},
"awsSecretToken": {
"description": "AWS secret token",
"type": "string"
},
"assumeRoleArn": {
"description": "ARN of role to assume",
"type": "string"
}
},
"required": ["region", "certFileArn", "keyFileArn"]
},
"vault": {
"description": "Vault object",
"type": "object",
"properties": {
"vaultAddr": {
"description": "URL of the Vault server",
"type": "string",
"minLength": 1
},
"namespace": {
"description": "Vault namespace",
"type": "string",
"minLength": 1
},
"caCert": {
"description": "Contents of a PEM encoded CA certificate file to verify the Vault server certificate",
"type": "string",
"minLength": 1
},
"pkiMountPoint": {
"description": "Name of the mount point where the PKI secret engine is mounted",
"type": "string",
"default": "pki"
},
"insecureSkipVerify": {
"description": "If true, vault client accepts any server certificates",
"type": "boolean",
"default": false
},
"certAuth": {
"description": "Client certificate authentication object",
"type": "object",
"properties": {
"clientCert": {
"description": "Contents of your client cert file",
"type": "string",
"minLength": 1
},
"clientKey": {
"description": "Contents of your client key file",
"type": "string",
"minLength": 1
},
"certAuthMountPoint": {
"description": "Name of the mount point where TLS certificate auth method is mounted",
"type": "string",
"default": "cert"
},
"certAuthRoleName": {
"description": "Name of the vault role. If given, the plugin authenticates against only the named role. Default to trying all roles.",
"type": "string"
}
},
"required": ["clientCert", "clientKey"]
},
"tokenAuth": {
"description": "Token authentication object",
"type": "object",
"properties": {
"token": {
"description": "Token string set into X-Vault-Token header",
"type": "string",
"minLength": 1
}
},
"required": ["token"]
},
"approleAuth": {
"description": "AppRole authentication object",
"type": "object",
"properties": {
"approleID": {
"description": "An identifier of AppRole",
"type": "string",
"minLength": 1
},
"approleSecretID": {
"description": "A credential of AppRole",
"type": "string",
"minLength": 1
},
"approleAuthMountPoint": {
"description": "Name of the mount point where the AppRole auth method is mounted",
"type": "string",
"default": "approle"
}
},
"required": ["approleID", "approleSecretID"]
}
},
"required": ["vaultAddr", "namespace", "caCert"],
"oneOf": [
{"required": ["certAuth"]},
{"required": ["tokenAuth"]},
{"required": ["approleAuth"]}
]
},
"certManager": {
"description": "Cert Manager object",
"type": "object",
"properties": {
"namespace": {
"description": "The namespace to create CertificateRequests for signing",
"type": "string",
"minLength": 1
},
"issuerName": {
"description": "The name of the issuer to reference in CertificateRequests",
"type": "string",
"minLength": 1
},
"issuerKind": {
"description": "The kind of the issuer to reference in CertificateRequests",
"type": "string",
"default": "Issuer"
},
"issuerGroup": {
"description": "The group of the issuer to reference in CertificateRequests",
"type": "string",
"default": "cert-manager.io"
},
"kubeConfig": {
"description": "Contents of the kubeconfig file used to connect to the Kubernetes cluster",
"type": "string"
}
},
"required": ["namespace", "issuerName"]
}
},
"oneOf": [
{"$ref": "#/definitions/emptyObject"},
{"required": ["disk"]},
{"required": ["awsPCA"]},
{"required": ["awsSecret"]},
{"required": ["vault"]},
{"required": ["certManager"]}
]
}
},
"required": ["mode", "caTTL", "svidTTL", "trustDomain", "persistentStorage", "spireServerKeyManager"]
},
"registry": {
"description": "NGINX Service Mesh image registry settings",
"type": "object",
"properties": {
"server": {
"description": "Hostname:port (if needed) for registry and path to images",
"type": "string",
"default": "docker-registry.nginx.com/nsm"
},
"imageTag": {
"description": "Tag used for pulling images from registry. ",
"type": "string",
"default": "1.4.1"
},
"key": {
"description": "Contents of your Google Cloud JSON key file",
"type": "string"
},
"username": {
"description": "Username for accessing private registry",
"type": "string"
},
"password": {
"description": "Password for accessing private registry",
"type": "string"
},
"disablePublicImages": {
"description": "Disable the pulling of third party images from public repositories",
"type": "boolean",
"default": false
},
"imagePullPolicy": {
"description": "Image pull policy",
"type": "string",
"enum": ["Never", "IfNotPresent", "Always"],
"default": "IfNotPresent"
}
},
"oneOf": [
{
"properties": {
"username": {"$ref": "#/definitions/nonEmptyString"},
"password": {"$ref": "#/definitions/nonEmptyString"},
"key": {"$ref": "#/definitions/emptyString"}
}
},
{
"properties": {
"key": {"$ref": "#/definitions/nonEmptyString"},
"username": {"$ref": "#/definitions/emptyString"},
"password": {"$ref": "#/definitions/emptyString"}
}
},
{
"properties": {
"key": {"$ref": "#/definitions/emptyString"},
"username": {"$ref": "#/definitions/emptyString"},
"password": {"$ref": "#/definitions/emptyString"}
}
}
],
"required": ["server", "imageTag", "disablePublicImages", "imagePullPolicy"]
},
"accessControlMode": {
"description": "Default access control mode for service-to-service communication",
"type": "string",
"enum": ["allow", "deny"]
},
"environment": {
"description": "Environment to deploy the mesh into",
"type": "string",
"enum": ["kubernetes", "openshift"]
},
"enableUDP": {
"description": "Enable UDP traffic proxying (beta). Linux kernel 4.18 or greater is required.",
"type": "boolean"
},
"deployGrafana": {
"description": "Deploy Grafana as a part of the NGINX Service Mesh",
"type": "boolean"
},
"nginxErrorLogLevel": {
"description": "NGINX error log level",
"type": "string",
"enum": ["debug", "info", "notice", "warn", "error", "crit", "alert", "emerg"]
},
"nginxLogFormat": {
"description": "NGINX log format",
"type": "string",
"enum": ["default", "json"]
},
"nginxLBMethod": {
"description": "NGINX load balancing method",
"type": "string",
"enum": ["least_conn", "least_time", "least_time last_byte", "least_time last_byte inflight", "random", "random two", "random two least_conn", "random two least_time", "random two least_time=last_byte", "round_robin"]
},
"prometheusAddress": {
"description": "The address of a Prometheus server deployed in your Kubernetes cluster",
"type": "string"
},
"autoInjection": {
"description": "NGINX Service Mesh auto-injection settings",
"type": "object",
"properties": {
"disable": {
"description": "Disable automatic sidecar injection upon resource creation",
"type": "boolean"
},
"disabledNamespaces": {
"description": "Disable automatic sidecar injection for specific namespace",
"type": "array",
"items": {
"type": "string"
}
},
"enabledNamespaces": {
"description": "Enable automatic sidecar injection for specific namespaces",
"type": "array",
"items": {
"type": "string"
}
}
},
"allOf": [
{
"if": {
"properties": {
"disable": {
"const": true
}
}
},
"then":{
"properties": {
"disabledNamespaces": {
"$ref": "#/definitions/emptyArray"
}
}
}
},
{
"if": {
"properties": {
"disable": {
"const": false
}
}
},
"then":{
"properties": {
"enabledNamespaces": {
"$ref": "#/definitions/emptyArray"
}
}
}
}
],
"required": ["disable"]
},
"tracing": {
"description": "NGINX Service Mesh tracing settings",
"type": "object",
"oneOf": [
{"$ref": "#/definitions/tracingConfig"},
{"$ref": "#/definitions/emptyObject"}
]
},
"telemetry":{
"description": "NGINX Service Mesh telemetry settings",
"type": "object",
"oneOf": [
{"$ref": "#/definitions/telemetryConfig"},
{"$ref": "#/definitions/emptyObject"}
]
}
},
"definitions": {
"nonEmptyString": {
"type": "string",
"minLength": 1
},
"emptyString": {
"type": "string",
"const": ""
},
"nonEmptyArray": {
"type": "array",
"minItems": 1
},
"emptyArray": {
"type": "array",
"maxItems": 0
},
"emptyObject": {
"type": "object",
"additionalProperties": false,
"properties": {}
},
"telemetryConfig": {
"properties": {
"samplerRatio": {
"description": "The percentage of traces that are processed and exported to the telemetry backend. Float between 0 and 1",
"type": "number",
"minimum": 0.0,
"maximum": 1.0
},
"exporters": {
"type": "object",
"properties": {
"otlp": {
"type": "object",
"description": "The configuration for an OTLP gRPC exporter",
"properties": {
"host": {
"description": "The host of the OpenTelemetry gRPC exporter to connect to",
"type": "string",
"minLength": 1
},
"port": {
"description": "The port of the OpenTelemetry gRPC exporter to connect to",
"type": "number",
"minimum": 0,
"maximum": 65535
}
},
"required": ["host", "port"]
}
}
}
},
"required": ["samplerRatio", "exporters"]
},
"tracingConfig": {
"properties": {
"disable": {
"description": "Disable tracing for all services",
"type": "boolean"
},
"sampleRate": {
"description": "The sample rate to use for tracing. Float between 0 and 1",
"type": "number",
"minimum": 0.0,
"maximum": 1.0
},
"backend": {
"description": "The tracing backend that you want to use",
"type": "string",
"enum": ["zipkin", "datadog", "jaeger"]
},
"address": {
"description": "The address of a tracing server deployed in your Kubernetes cluster",
"type": "string"
}
},
"required": ["disable", "sampleRate"],
"if": {
"properties": {
"backend": {
"const": "datadog"
}
}
},
"then": {
"properties": {
"address": {
"type": "string",
"minLength": 1
}
}
}
}
},
"oneOf": [
{
"properties": {
"telemetry": {
"$ref": "#/definitions/emptyObject"
},
"tracing": {
"$ref": "#/definitions/tracingConfig"
}
}
},
{
"properties": {
"telemetry": {
"$ref": "#/definitions/emptyObject"
},
"tracing": {
"$ref": "#/definitions/emptyObject"
}
}
},
{
"properties": {
"telemetry": {
"$ref": "#/definitions/telemetryConfig"
},
"tracing": {
"$ref": "#/definitions/emptyObject"
}
}
}
],
"required": [
"mtls",
"registry",
"accessControlMode",
"environment",
"deployGrafana",
"nginxErrorLogLevel",
"nginxLogFormat",
"nginxLBMethod",
"autoInjection"
]
}

266
charts/nginx-service-mesh/nginx-service-mesh/0.4.100/values.yaml Normal file
View File

@ -0,0 +1,266 @@
# NGINX Service Mesh image registry settings.
registry:
# Hostname:port (if needed) for registry and path to images.
# Affects: nginx-mesh-api, nginx-mesh-cert-reloader, nginx-mesh-init, nginx-mesh-metrics, nginx-mesh-sidecar
server: "docker-registry.nginx.com/nsm"
# Tag used for pulling images from registry
# Affects: nginx-mesh-api, nginx-mesh-cert-reloader, nginx-mesh-init, nginx-mesh-metrics, nginx-mesh-sidecar
imageTag: "1.4.1"
# Note: Currently only works with Google Cloud registry.
# Contents of your Google Cloud JSON key file. Can be set via "--set-file registry.key=<your-key-file>.json"
# Cannot be used with username or password.
key: ""
# Username for accessing private registry.
# Requires password to be set. Cannot be used with key.
username: ""
# Password for accessing private registry.
# Requires username to be set. Cannot be used with key.
password: ""
# Do not pull third party images from public repositories.
# If true, registry.server is used for all images.
disablePublicImages: false
# Image pull policy
# Valid values: Always, IfNotPresent, Never
imagePullPolicy: "IfNotPresent"
# Default access control mode for service-to-service communication.
# Valid values: allow, deny
accessControlMode: "allow"
# Environment to deploy the mesh into.
# Valid values: kubernetes, openshift
environment: "kubernetes"
# Enable UDP traffic proxying (beta). Linux kernel 4.18 or greater is required.
enableUDP: false
# Deploy Grafana as a part of the NGINX Service Mesh.
# Note: This configurable will be removed in version 1.5
# Valid values: true, false
deployGrafana: true
# NGINX error log level.
# Valid values: debug, info, notice, warn, error, crit, alert, emerg
nginxErrorLogLevel: "warn"
# NGINX log format.
# Valid values: default, json
nginxLogFormat: "default"
# NGINX load balancing method.
# Valid values: [least_conn, least_time, least_time last_byte, least_time last_byte inflight,
# random, random two, random two least_conn, random two least_time, random two least_time=last_byte, round_robin]
nginxLBMethod: "least_time"
# The address of a Prometheus server deployed in your Kubernetes cluster.
# Address should be in the format <service-name>.<namespace>:<service-port>.
prometheusAddress: ""
# NGINX Service Mesh auto-injection settings.
autoInjection:
# Disable automatic sidecar injection upon resource creation.
# Use the "enabledNamespaces" flag to enable automatic injection in select namespaces.
disable: false
# Disable automatic sidecar injection for specific namespaces.
# Cannot be used with "disable".
disabledNamespaces: []
# Enable automatic sidecar injection for specific namespaces.
# Must be used with "disable".
enabledNamespaces: []
# NGINX Service Mesh tracing settings.
# Cannot be set when telemetry is set.
# If deploying with tracing, make sure the telemetry object is set to {}.
tracing:
# Disable tracing for all services.
# Note: This configurable will be removed in version 1.5
disable: false
# The address of a tracing server deployed in your Kubernetes cluster.
# Address should be in the format <service-name>.<namespace>:<service_port>.
address: ""
# The tracing backend that you want to use.
# Valid values: datadog, jaeger, zipkin
backend: "jaeger"
# The sample rate to use for tracing. Float between 0 and 1.
sampleRate: 0.01
# NGINX Service Mesh telemetry settings.
# Cannot be set when tracing is set.
# To enable telemetry, uncomment the following object and set the tracing object to {}.
telemetry: {}
# # The percentage of traces that are processed and exported to the telemetry backend. Float between 0 and 1.
# samplerRatio: 0.01
# # The configuration of exporters to send telemetry data to.
# exporters:
# # The configuration for an OTLP gRPC exporter.
# otlp:
# # The host of the OpenTelemetry gRPC exporter to connect to. Must be accessible from within the cluster.
# host: ""
# # The port of the OpenTelemetry gRPC exporter to connect to.
# port: 4317
# Mutual TLS settings. See https://docs.nginx.com/nginx-service-mesh/guides/secure-traffic-mtls for more info.
mtls:
# mTLS mode for pod-to-pod communication.
# Valid values: off, permissive, strict
mode: "permissive"
# The CA/signing key TTL in hours(h) or minutes(m).
caTTL: "720h"
# The TTL of certificates issued to workloads in hours(h) or minutes(m).
svidTTL: "1h"
# The trust domain of NGINX Service Mesh.
trustDomain: "example.org"
# Use persistent storage; "on" assumes that a StorageClass exists.
# Valid values: on, off
persistentStorage: "on"
# Storage logic for SPIRE Server's private keys.
# Valid values: disk, memory
spireServerKeyManager: "disk"
# The key type used for the SPIRE Server CA.
# Valid values: ec-p256, ec-p384, rsa-2048, rsa-4096
caKeyType: "ec-p256"
## Upstream authority settings. If left empty, SPIRE is used as the upstream authority.
## Only uncomment and fill out the object pertinent to you (disk, awsPCA, awsSecret, vault, certManager).
upstreamAuthority: {}
# # Disk object (see https://github.com/spiffe/spire/blob/v1.0/doc/plugin_server_upstreamauthority_disk.md)
# disk:
# # Contents of your PEM encoded certificate file. Can be set via "--set-file mtls.upstreamAuthority.disk.cert=<cert-file-path>"
# cert: ""
# # Contents of your PEM encoded key file. Can be set via "--set-file mtls.upstreamAuthority.disk.key=<key-file-path>"
# key: ""
# # Optional; contents of your CA bundle file. Can be set via "--set-file mtls.upstreamAuthority.disk.bundle=<bundle-file-path>"
# bundle: ""
# # AWS PCA object (see https://github.com/spiffe/spire/blob/v1.0/doc/plugin_server_upstreamauthority_aws_pca.md)
# awsPCA:
# # AWS region to use
# region: ""
# # ARN of the upstream CA certificate
# certificateAuthorityArn: ""
# ## Optional auth fields
# ## See https://docs.nginx.com/nginx-service-mesh/guides/secure-traffic-mtls/#deploy-using-an-upstream-root-ca for instructions on configuring auth for aws_pca
# # AWS access key ID
# # This access key ID will be encoded, stored in a Kubernetes Secret, and mounted to the SPIRE server Pod
# awsAccessKeyID: ""
# # AWS secret access key
# # This secret access key will be encoded, stored in a Kubernetes Secret, and mounted to the SPIRE server Pod
# awsSecretAccessKey: ""
# # ARN of the signing template to use for the server's CA
# # ARN of an IAM role to assume
# # The SPIRE server will need permission to assume this IAM role. Either attach an IAM role to the EC2 instance with the capability to assume this role, or provide your AWS credentials
# assumeRoleArn: ""
# ## Other optional fields
# caSigningTemplateArn: ""
# # Signing algorithm to use for the server's CA
# signingAlgorithm: ""
# # Endpoint as hostname or fully-qualified URI that overrides the default endpoint
# endpoint: ""
# # Contents of a PEM encoded CA certificates file that should be additionally included in the bundle.
# # Can be set via "--set-file mtls.upstreamAuthority.awsPCA.supplementalBundle=<supplemental-bundle-file-path>"
# supplementalBundle: ""
# # AWS Secret object (see https://github.com/spiffe/spire/blob/v1.0/doc/plugin_server_upstreamauthority_awssecret.md)
# awsSecret:
# # AWS region to use
# region: ""
# # ARN of the upstream CA certificate
# certFileArn: ""
# # ARN of the upstream CA key file
# keyFileArn: ""
# ## Choose an appropriate auth method
# # AWS access key ID. This access key ID will be stored in plaintext in the Spire server configmap.
# # For other AWS authentication options see: (see https://github.com/spiffe/spire/blob/v1.0/doc/plugin_server_upstreamauthority_awssecret.md)
# awsAccessKeyID: ""
# # AWS secret access key. This secret access key ID will be stored in plaintext in the Spire server configmap.
# # For other AWS authentication options see: (see https://github.com/spiffe/spire/blob/v1.0/doc/plugin_server_upstreamauthority_awssecret.md)
# awsSecretAccessKey: ""
# # AWS secret token
# awsSecretToken: ""
# # ARN of role to assume
# assumeRoleArn: ""
# # Vault object (see https://github.com/spiffe/spire/blob/v0.12/doc/plugin_server_upstreamauthority_vault.md)
# vault:
# # URL of the Vault server
# vaultAddr: ""
# # Vault namespace
# namespace: ""
# # Contents of a PEM encoded CA certificate file to verify the Vault server certificate.
# # Can be set via "--set-file mtls.upstreamAuthority.vault.caCert=<ca-cert-file-path>"
# caCert: ""
# # Name of the mount point where the PKI secret engine is mounted
# pkiMountPoint: "pki"
# # If true, vault client accepts any server certificates
# insecureSkipVerify: false
# # Client Certificate Authentication
# certAuth:
# # Contents of your client cert file. Can be set via "--set-file mtls.upstreamAuthority.vault.certAuth.clientCert=<cert-file-path>"
# clientCert: ""
# # Contents of your client key file. Can be set via "--set-file mtls.upstreamAuthority.vault.certAuth.clientKey=<key-file-path>"
# clientKey: ""
# ## Optional fields
# # Name of the mount point where TLS certificate auth method is mounted
# certAuthMountPoint: "cert"
# # Name of the vault role. If given, the plugin authenticates against only the named role. Default to trying all roles.
# certAuthRoleName: ""
# # Token Authentication
# tokenAuth:
# # Token string set into "X-Vault-Token" header
# token: ""
# # AppRole Authentication
# approleAuth:
# # An identifier of AppRole
# approleID: ""
# # A credential of AppRole
# approleSecretID: ""
# # Name of the mount point where the AppRole auth method is mounted
# approleAuthMountPoint: "approle"
# # Cert Manager object (see https://github.com/spiffe/spire/blob/v1.0/doc/plugin_server_upstreamauthority_cert_manager.md)
# certManager:
# # The namespace to create CertificateRequests for signing.
# namespace: ""
# # The name of the issuer to reference in CertificateRequests.
# issuerName: ""
# ## Optional fields
# # The kind of the issuer to reference in CertificateRequests.
# issuerKind: "Issuer"
# # The group of the issuer to reference in CertificateRequests.
# issuerGroup: "cert-manager.io"
# # Contents of the kubeconfig file used to connect to the Kubernetes cluster. Empty file will attempt to use an in-cluster config.
# # Can be set via "--set-file mtls.upstreamAuthority.certManager.kubeConfig=<kube-config-file-path>".
# kubeConfig: ""

15
index.yaml
View File

@ -3158,6 +3158,21 @@ entries:
- assets/nginx-ingress/nginx-ingress-0.10.0.tgz
version: 0.10.0
nginx-service-mesh:
- annotations:
catalog.cattle.io/certified: partner
catalog.cattle.io/display-name: NGINX Service Mesh
catalog.cattle.io/release-name: nginx-service-mesh
apiVersion: v2
appVersion: 1.4.1
created: "2022-05-26T16:04:12.006459-06:00"
description: NGINX Service Mesh
digest: 8cb331eb85ab17caa1e02dc3cb3c3632d7931d13a4fb566c6ed1dbeeb2124095
icon: https://raw.githubusercontent.com/nginxinc/nginx-service-mesh/master/helm-chart/chart-icon.png
kubeVersion: '>= 1.18-0'
name: nginx-service-mesh
urls:
- assets/nginx-service-mesh/nginx-service-mesh-0.4.100.tgz
version: 0.4.100
- annotations:
catalog.cattle.io/certified: partner
catalog.cattle.io/display-name: NGINX Service Mesh