diff --git a/assets/nginx-service-mesh/nginx-service-mesh-0.2.100.tgz b/assets/nginx-service-mesh/nginx-service-mesh-0.2.100.tgz
new file mode 100644
index 000000000..5a444f85b
Binary files /dev/null and b/assets/nginx-service-mesh/nginx-service-mesh-0.2.100.tgz differ
diff --git a/charts/nginx-service-mesh/nginx-service-mesh/0.2.100/Chart.yaml b/charts/nginx-service-mesh/nginx-service-mesh/0.2.100/Chart.yaml
new file mode 100644
index 000000000..851d386df
--- /dev/null
+++ b/charts/nginx-service-mesh/nginx-service-mesh/0.2.100/Chart.yaml
@@ -0,0 +1,11 @@
+annotations:
+ catalog.cattle.io/certified: partner
+ catalog.cattle.io/display-name: NGINX Service Mesh
+ catalog.cattle.io/release-name: nginx-service-mesh
+apiVersion: v2
+appVersion: 1.2.1
+description: NGINX Service Mesh
+icon: https://raw.githubusercontent.com/nginxinc/nginx-service-mesh/master/helm-chart/chart-icon.png
+kubeVersion: 1.16-0 - 1.21-0
+name: nginx-service-mesh
+version: 0.2.100
diff --git a/charts/nginx-service-mesh/nginx-service-mesh/0.2.100/README.md b/charts/nginx-service-mesh/nginx-service-mesh/0.2.100/README.md
new file mode 100644
index 000000000..62bca1853
--- /dev/null
+++ b/charts/nginx-service-mesh/nginx-service-mesh/0.2.100/README.md
@@ -0,0 +1,11 @@
+# NGINX Service Mesh
+
+Before deploying NGINX Service Mesh, see the [Platform Guide](https://docs.nginx.com/nginx-service-mesh/get-started/kubernetes-platform/) to ensure your environment is properly configured. If [Persistent Storage](https://docs.nginx.com/nginx-service-mesh/get-started/kubernetes-platform/persistent-storage/) is not configured in your cluster, set the `mTLS.persistentStorage` field to `off`. Verify that no other service meshes exist in your Kubernetes cluster. It is advised to install NGINX Service Mesh in a dedicated namespace.
+
+## Helm Installation and Configuration
+
+For information on the configuration options and installation process when using Helm with NGINX Service Mesh, see the [Installation Guide](https://docs.nginx.com/nginx-service-mesh/get-started/install-with-helm/).
+
+## Rancher users
+
+When deploying NGINX Service Mesh via the Rancher Apps and Marketplace, the Helm value `rancher` is set to `true` by default. This value causes Pods in the `cattle-*`, `ingress-nginx`, and `cert-manager` namespaces to be ignored by the automatic sidecar injection webhook. If this behavior is not desired, the `rancher` value can be set to `false`, or the `injector.nsm.nginx.com/auto-inject` label can be manually removed from these namespaces.
diff --git a/charts/nginx-service-mesh/nginx-service-mesh/0.2.100/app-readme.md b/charts/nginx-service-mesh/nginx-service-mesh/0.2.100/app-readme.md
new file mode 100644
index 000000000..5f4fda928
--- /dev/null
+++ b/charts/nginx-service-mesh/nginx-service-mesh/0.2.100/app-readme.md
@@ -0,0 +1,5 @@
+# NGINX Service Mesh
+
+[NGINX Service Mesh](https://docs.nginx.com/nginx-service-mesh/) is a fully integrated lightweight service mesh that leverages a data plane powered by NGINX Plus to manage container traffic in Kubernetes environments.
+
+NGINX Service Mesh is currently only supported in Rancher 2.6+ when deploying from the Apps and Marketplace. NGINX Service Mesh is not currently supported on k3s.
diff --git a/charts/nginx-service-mesh/nginx-service-mesh/0.2.100/chart-icon.png b/charts/nginx-service-mesh/nginx-service-mesh/0.2.100/chart-icon.png
new file mode 100644
index 000000000..612ba3569
Binary files /dev/null and b/charts/nginx-service-mesh/nginx-service-mesh/0.2.100/chart-icon.png differ
diff --git a/charts/nginx-service-mesh/nginx-service-mesh/0.2.100/configs/grafana-dashboard-conf.yaml b/charts/nginx-service-mesh/nginx-service-mesh/0.2.100/configs/grafana-dashboard-conf.yaml
new file mode 100644
index 000000000..9ee1af722
--- /dev/null
+++ b/charts/nginx-service-mesh/nginx-service-mesh/0.2.100/configs/grafana-dashboard-conf.yaml
@@ -0,0 +1,11 @@
+apiVersion: 1
+providers:
+- name: 'default'
+ orgId: 1
+ folder: ''
+ type: file
+ disableDeletion: true
+ editable: true
+ options:
+ path: /var/lib/grafana/dashboards
+ homeDashboardId: nginx-mesh-top
diff --git a/charts/nginx-service-mesh/nginx-service-mesh/0.2.100/configs/grafana-datasources-conf.yaml b/charts/nginx-service-mesh/nginx-service-mesh/0.2.100/configs/grafana-datasources-conf.yaml
new file mode 100644
index 000000000..acce701bd
--- /dev/null
+++ b/charts/nginx-service-mesh/nginx-service-mesh/0.2.100/configs/grafana-datasources-conf.yaml
@@ -0,0 +1,12 @@
+apiVersion: 1
+datasources:
+- name: prometheus
+ type: prometheus
+ access: proxy
+ orgId: 1
+ url: http://{{ include "prometheus.address" . }}
+ isDefault: true
+ jsonData:
+ timeInterval: "5s"
+version: 1
+editable: true
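Review bot: `version: 1` and `editable: true` at the end of grafana-datasources-conf.yaml are written at the top level (no indent after the `+`), not under the `- name: prometheus` entry, and as far as I recall Grafana's datasource provisioning reads both keys per datasource, so they are presumably ignored here; if the intent is to mark the datasource editable, indent them under the entry next to `isDefault: true`. The templated `url: http://{{ include "prometheus.address" . }}` is also the only unquoted templated scalar in these provisioning files — `url: "http://{{ include "prometheus.address" . }}"` keeps the rendered value a plain string whatever the helper returns.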
diff --git a/charts/nginx-service-mesh/nginx-service-mesh/0.2.100/configs/grafana-top-dashboard.json b/charts/nginx-service-mesh/nginx-service-mesh/0.2.100/configs/grafana-top-dashboard.json
new file mode 100644
index 000000000..3b56a6f0a
--- /dev/null
+++ b/charts/nginx-service-mesh/nginx-service-mesh/0.2.100/configs/grafana-top-dashboard.json
@@ -0,0 +1,697 @@ +{ + "annotations": { + "list": [ + { + "builtIn": 1, + "datasource": "-- Grafana --", + "enable": true, + "hide": true, + "iconColor": "rgba(0, 211, 255, 1)", + "name": "Annotations & Alerts", + "type": "dashboard" + } + ] + }, + "editable": true, + "gnetId": null, + "graphTooltip": 0, + "id": null, + "links": [], + "panels": [ + { + "cacheTimeout": null, + "colorBackground": false, + "colorValue": false, + "colors": [ + "#299c46", + "rgba(237, 129, 40, 0.89)", + "#d44a3a" + ], + "datasource": "prometheus", + "fieldConfig": { + "defaults": {}, + "overrides": [] + }, + "format": "percentunit", + "gauge": { + "maxValue": 100, + "minValue": 0, + "show": false, + "thresholdLabels": false, + "thresholdMarkers": true + }, + "gridPos": { + "h": 6, + "w": 8, + "x": 0, + "y": 0 + }, + "id": 4, + "interval": null, + "links": [], + "mappingType": 1, + "mappingTypes": [ + { + "name": "value to text", + "value": 1 + }, + { + "name": "range to text", + "value": 2 + } + ], + "maxDataPoints": 100, + "nullPointMode": "connected", + "nullText": null, + "postfix": "", + "postfixFontSize": "50%", + "prefix": "", + "prefixFontSize": "50%", + "rangeMaps": [ + { + "from": "null", + "text": "N/A", + "to": "null" + } + ], + "sparkline": { + "fillColor": "rgba(31, 118, 189, 0.18)", + "full": true, + "lineColor": "rgb(31, 120, 193)", + "show": true + }, + "tableColumn": "", + "targets": [ + { + "expr": "sum(irate(nginxplus_upstream_server_responses{code=~\"1xx|2xx\"}[30s])) / sum(irate(nginxplus_upstream_server_responses[30s]))", + "format": "time_series", + "interval": "5s", + "intervalFactor": 1, + "refId": "A" + } + ], + "thresholds": "", + "title": "GLOBAL SUCCESS RATE", + "type": "singlestat", + "valueFontSize": "80%", + "valueMaps": [ + { + "op": "=", + "text": "N/A", + "value": "null" + } + ], + "valueName": "current" + }, + { + "cacheTimeout": null, + "colorBackground": false, + "colorValue": false, + "colors": [ + "#299c46", + "rgba(237, 129, 40, 0.89)", + 
"#d44a3a" + ], + "datasource": "prometheus", + "fieldConfig": { + "defaults": {}, + "overrides": [] + }, + "format": "reqps", + "gauge": { + "maxValue": 100, + "minValue": 0, + "show": false, + "thresholdLabels": false, + "thresholdMarkers": true + }, + "gridPos": { + "h": 6, + "w": 13, + "x": 8, + "y": 0 + }, + "id": 6, + "interval": null, + "links": [], + "mappingType": 1, + "mappingTypes": [ + { + "name": "value to text", + "value": 1 + }, + { + "name": "range to text", + "value": 2 + } + ], + "maxDataPoints": 100, + "nullPointMode": "connected", + "nullText": null, + "postfix": "", + "postfixFontSize": "50%", + "prefix": "", + "prefixFontSize": "50%", + "rangeMaps": [ + { + "from": "null", + "text": "N/A", + "to": "null" + } + ], + "sparkline": { + "fillColor": "rgba(31, 118, 189, 0.18)", + "full": true, + "lineColor": "rgb(31, 120, 193)", + "show": true + }, + "tableColumn": "", + "targets": [ + { + "expr": "sum(irate(nginxplus_http_requests_total[30s]))", + "format": "time_series", + "interval": "5s", + "intervalFactor": 1, + "refId": "A" + } + ], + "thresholds": "", + "title": "GLOBAL REQUEST VOLUME", + "type": "singlestat", + "valueFontSize": "80%", + "valueMaps": [ + { + "op": "=", + "text": "N/A", + "value": "null" + } + ], + "valueName": "current" + }, + { + "cacheTimeout": null, + "colorBackground": false, + "colorValue": false, + "colors": [ + "#299c46", + "rgba(237, 129, 40, 0.89)", + "#d44a3a" + ], + "datasource": "prometheus", + "fieldConfig": { + "defaults": {}, + "overrides": [] + }, + "format": "none", + "gauge": { + "maxValue": 100, + "minValue": 0, + "show": false, + "thresholdLabels": false, + "thresholdMarkers": true + }, + "gridPos": { + "h": 6, + "w": 3, + "x": 21, + "y": 0 + }, + "id": 5, + "interval": null, + "links": [], + "mappingType": 1, + "mappingTypes": [ + { + "name": "value to text", + "value": 1 + }, + { + "name": "range to text", + "value": 2 + } + ], + "maxDataPoints": 100, + "nullPointMode": "connected", + "nullText": null, + 
"postfix": "", + "postfixFontSize": "50%", + "prefix": "", + "prefixFontSize": "50%", + "rangeMaps": [ + { + "from": "null", + "text": "N/A", + "to": "null" + } + ], + "sparkline": { + "fillColor": "rgba(31, 118, 189, 0.18)", + "full": true, + "lineColor": "rgb(31, 120, 193)", + "show": false + }, + "tableColumn": "", + "targets": [ + { + "expr": "count(nginxplus_http_requests_total)", + "format": "time_series", + "interval": "5s", + "intervalFactor": 1, + "refId": "A" + } + ], + "thresholds": "", + "title": "PODS MONITORED", + "type": "singlestat", + "valueFontSize": "200%", + "valueMaps": [ + { + "op": "=", + "text": "N/A", + "value": "null" + } + ], + "valueName": "current" + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "prometheus", + "fieldConfig": { + "defaults": {}, + "overrides": [] + }, + "fill": 1, + "fillGradient": 0, + "gridPos": { + "h": 9, + "w": 12, + "x": 0, + "y": 6 + }, + "hiddenSeries": false, + "id": 2, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "options": { + "alertThreshold": true + }, + "percentage": false, + "pluginVersion": "8.1.7", + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "irate(nginxplus_http_requests_total[30s])", + "format": "time_series", + "interval": "", + "intervalFactor": 1, + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "Request Volume", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "reqps", + "label": null, + "logBase": 
1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "prometheus", + "fieldConfig": { + "defaults": {}, + "overrides": [] + }, + "fill": 1, + "fillGradient": 0, + "gridPos": { + "h": 9, + "w": 12, + "x": 12, + "y": 6 + }, + "hiddenSeries": false, + "id": 123124, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "options": { + "alertThreshold": true + }, + "percentage": false, + "pluginVersion": "8.1.7", + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(irate(nginxplus_upstream_server_responses{code=~\"1xx|2xx\"}[30s])) by (app, version) / sum(irate(nginxplus_upstream_server_responses[30s])) by (app, version)", + "format": "time_series", + "instant": false, + "interval": "", + "intervalFactor": 1, + "legendFormat": "", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "Pod Success", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "percentunit", + "label": null, + "logBase": 1, + "max": "1", + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + 
"dashes": false, + "datasource": null, + "description": "RSS used by NGINX Service Mesh sidecars", + "fieldConfig": { + "defaults": {}, + "overrides": [] + }, + "fill": 1, + "fillGradient": 0, + "gridPos": { + "h": 8, + "w": 12, + "x": 0, + "y": 15 + }, + "hiddenSeries": false, + "id": 123126, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "nullPointMode": "null", + "options": { + "alertThreshold": true + }, + "percentage": false, + "pluginVersion": "8.1.7", + "pointradius": 2, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "nginxplus_workers_mem_rss", + "interval": "", + "legendFormat": "", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "Sidecar Memory Usage (RSS)", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "decbytes", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": null, + "description": "Private memory used by NGINX Service Mesh sidecars", + "fieldConfig": { + "defaults": {}, + "overrides": [] + }, + "fill": 1, + "fillGradient": 0, + "gridPos": { + "h": 8, + "w": 12, + "x": 12, + "y": 15 + }, + "hiddenSeries": false, + "id": 123128, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + 
"lines": true, + "linewidth": 1, + "nullPointMode": "null", + "options": { + "alertThreshold": true + }, + "percentage": false, + "pluginVersion": "8.1.7", + "pointradius": 2, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "nginxplus_workers_mem_private", + "interval": "", + "legendFormat": "", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "Sidecar Memory Usage (Private)", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + } + ], + "refresh": "5s", + "schemaVersion": 27, + "style": "dark", + "tags": [], + "templating": { + "list": [] + }, + "time": { + "from": "now-5m", + "to": "now" + }, + "timepicker": { + "refresh_intervals": [ + "5s", + "10s", + "30s", + "1m", + "5m", + "15m", + "30m", + "1h", + "2h", + "1d" + ], + "time_options": [ + "5m", + "15m", + "1h", + "6h", + "12h", + "24h", + "2d", + "7d", + "30d" + ] + }, + "timezone": "", + "title": "NGINX Mesh Top", + "uid": "N3zQ72OWk", + "version": 1 + } diff --git a/charts/nginx-service-mesh/nginx-service-mesh/0.2.100/configs/grafana.ini b/charts/nginx-service-mesh/nginx-service-mesh/0.2.100/configs/grafana.ini new file mode 100644 index 000000000..4e289e198 --- /dev/null +++ b/charts/nginx-service-mesh/nginx-service-mesh/0.2.100/configs/grafana.ini 
@@ -0,0 +1,15 @@
+instance_name = nginx-mesh-grafana
+
+[auth]
+disable_login_form = true
+
+[auth.anonymous]
+enabled = true
+org_role = Admin
+
+[auth.basic]
+enabled = false
+
+[analytics]
+check_for_updates = false
+Events:
diff --git a/charts/nginx-service-mesh/nginx-service-mesh/0.2.100/configs/k8s-workload-registrar.conf b/charts/nginx-service-mesh/nginx-service-mesh/0.2.100/configs/k8s-workload-registrar.conf
new file mode 100644
index 000000000..cd3302bb4
--- /dev/null
+++ b/charts/nginx-service-mesh/nginx-service-mesh/0.2.100/configs/k8s-workload-registrar.conf
@@ -0,0 +1,9 @@
+log_level = "debug"
+trust_domain = {{ quote .Values.mtls.trustDomain }}
+server_socket_path = "/run/spire/sockets/spire-registration.sock"
+cluster = "nginx-mesh"
+pod_controller = true
+add_svc_dns_name = true
+mode = "crd"
+webhook_enabled = true
+webhook_cert_dir = "/tmp/k8s-webhook-server/serving-certs"
diff --git a/charts/nginx-service-mesh/nginx-service-mesh/0.2.100/configs/mesh-config.conf b/charts/nginx-service-mesh/nginx-service-mesh/0.2.100/configs/mesh-config.conf
new file mode 100644
index 000000000..f0989ecde
--- /dev/null
+++ b/charts/nginx-service-mesh/nginx-service-mesh/0.2.100/configs/mesh-config.conf
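Review bot: `[auth.anonymous]` with `enabled = true` and `org_role = Admin`, together with `disable_login_form = true` and basic auth off, gives every client that can reach the Grafana port full admin rights in the org with no credential at all, including the ability to change the provisioned datasource and dashboards. If this is deliberate for an in-cluster UI that the chart never exposes, say so in the file (`; anonymous Admin: service is expected to be reachable only from inside the cluster`) and confirm the Service type stays ClusterIP; otherwise `org_role = Viewer` is the safer default for an unauthenticated role. The trailing `Events:` line at the end of the hunk also reads like a stray paste rather than an ini key and is worth removing if it is not intentional.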
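Review bot: `log_level = "debug"` is hard-coded in k8s-workload-registrar.conf, and the same applies to `log_level = "DEBUG"` in spire-agent.conf and spire-server.conf later in this commit, while the other tunables in these files come from `.Values.mtls`. Debug logging on the identity components is noisy in a steady-state mesh and is the level most likely to print registration and attestation detail that operators would rather not ship to a central log store. A chart value with an `"info"` default, e.g. `log_level = {{ quote .Values.mtls.logLevel }}` (constructed name — use whatever values.yaml, which is not in this chunk, calls it), would let users tune it without editing the chart.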
@@ -0,0 +1,60 @@
+{
+ "accessControlMode": {{ quote .Values.accessControlMode }},
+ "api": {
+ "address": {{ printf "nginx-mesh-api.%s" .Release.Namespace }},
+ "containerPort": 8443,
+ "port": 443
+ },
+ "autoInjectorPort": 9443,
+ "injection": {
+ "disabledNamespaces": {{ .Values.autoInjection.disabledNamespaces }},
+ "enabledNamespaces": {{ .Values.autoInjection.enabledNamespaces }},
+ "isAutoInjectEnabled": {{ not .Values.autoInjection.disable }}
+ },
+ "loadBalancingMethod": {{ quote .Values.nginxLBMethod }},
+ "mtlsMode": {{ quote .Values.mtls.mode }},
+ "namespace": {{ quote .Release.Namespace }},
+ "nginxErrorLogLevel": {{ quote .Values.nginxErrorLogLevel }},
+ "nginxLogFormat": {{ quote .Values.nginxLogFormat }},
+ "prometheusAddress": {{ include "prometheus.address" . | quote }},
+ "proxy": {
+ "ports": {
+ "incoming": 8888,
+ "incomingGrpc": 8891,
+ "incomingGrpcPermissive": 8893,
+ "incomingNotInKeyval": 8903,
+ "incomingPermissive": 8890,
+ "incomingRedirect": 8901,
+ "incomingTcp": 8904,
+ "incomingTcpDeny": 8905,
+ "incomingTcpPermissive": 8907,
+ "metrics": 8887,
+ "outgoing": 8889,
+ "outgoingDefaultEgress": 8894,
+ "outgoingGrpc": 8892,
+ "outgoingNotInKeyval": 8902,
+ "outgoingRedirect": 8900,
+ "outgoingTcp": 8906,
+ "plusApi": 8886,
+ "redirectHealthPort": 8895,
+ "redirectHealthPortHTTPS": 8896
+ },
+ "transparent": false
+ },
+ "registryKeyName": {{ if (include "docker-config-json" .) }}{{ include "registry-key-name" . | quote }}{{ else }}""{{ end }},
+ "sidecarImage": {
+ "image": {{ printf "%s/nginx-mesh-sidecar:%s" .Values.registry.server .Values.registry.imageTag }},
+ "name": "nginx-mesh-sidecar"
+ },
+ "sidecarInitImage": {
+ "image": {{ printf "%s/nginx-mesh-init:%s" .Values.registry.server .Values.registry.imageTag }},
+ "name": "nginx-mesh-init"
+ },
+ "tracing": {
+ "backend": {{ quote .Values.tracing.backend }},
+ "backendAddress": {{ include "tracing.address" . | quote }},
+ "isEnabled": {{ not .Values.tracing.disable }},
+ "sampleRate": {{ .Values.tracing.sampleRate }}
+ },
+ "trustDomain": {{ quote .Values.mtls.trustDomain }}
+ }
diff --git a/charts/nginx-service-mesh/nginx-service-mesh/0.2.100/configs/nats.conf b/charts/nginx-service-mesh/nginx-service-mesh/0.2.100/configs/nats.conf
new file mode 100644
index 000000000..bea951208
--- /dev/null
+++ b/charts/nginx-service-mesh/nginx-service-mesh/0.2.100/configs/nats.conf
@@ -0,0 +1,8 @@
+pid_file: "/var/run/nats/nats.pid"
+http: 8222
+tls: {
+ ca_file: "/etc/ssl/ca.crt"
+ cert_file: "/etc/ssl/tls.crt"
+ key_file: "/etc/ssl/tls.key"
+ verify: true
+}
diff --git a/charts/nginx-service-mesh/nginx-service-mesh/0.2.100/configs/prometheus-config.yaml b/charts/nginx-service-mesh/nginx-service-mesh/0.2.100/configs/prometheus-config.yaml
new file mode 100644
index 000000000..b2d7ca0af
--- /dev/null
+++ b/charts/nginx-service-mesh/nginx-service-mesh/0.2.100/configs/prometheus-config.yaml
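Review bot: `"address": {{ printf "nginx-mesh-api.%s" .Release.Namespace }}` and the two `"image": {{ printf ... }}` entries in mesh-config.conf render as bare tokens (`"address": nginx-mesh-api.default,`) while every neighbouring string in the file goes through `quote`; unless the consumer of this file accepts unquoted strings, that is not valid JSON, so `{{ printf "nginx-mesh-api.%s" .Release.Namespace | quote }}` and the same `| quote` on both image lines look intended. Likewise `"disabledNamespaces": {{ .Values.autoInjection.disabledNamespaces }}` and `"enabledNamespaces"` print a Go slice as `[a b]` rather than a JSON array when the value is a list — `{{ toJson .Values.autoInjection.disabledNamespaces }}` gives a well-formed array. I cannot see the consumer from this chunk, so confirm against it before changing.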
@@ -0,0 +1,72 @@
+global:
+ scrape_interval: 10s
+scrape_configs:
+- job_name: 'nginx-mesh-sidecars'
+ kubernetes_sd_configs:
+ - role: pod
+ relabel_configs:
+ - source_labels: [__meta_kubernetes_pod_container_name]
+ action: keep
+ regex: nginx-mesh-sidecar
+ - action: labelmap
+ regex: __meta_kubernetes_pod_label_nsm_nginx_com_(.+)
+ - action: labeldrop
+ regex: __meta_kubernetes_pod_label_nsm_nginx_com_(.+)
+ - action: labelmap
+ regex: __meta_kubernetes_pod_label_(.+)
+ - source_labels: [__meta_kubernetes_namespace]
+ action: replace
+ target_label: namespace
+ - source_labels: [__meta_kubernetes_pod_name]
+ action: replace
+ target_label: pod
+- job_name: 'nginx-plus-ingress'
+ kubernetes_sd_configs:
+ - role: pod
+ relabel_configs:
+ - source_labels: [__meta_kubernetes_pod_container_name]
+ action: keep
+ regex: nginx-plus-ingress
+ - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_scrape]
+ action: keep
+ regex: true
+ - source_labels: [__address__, __meta_kubernetes_pod_annotation_prometheus_io_port]
+ action: replace
+ target_label: __address__
+ regex: (.+)(?::\d+);(\d+)
+ replacement: $1:$2
+ - source_labels: [__meta_kubernetes_namespace]
+ action: replace
+ target_label: namespace
+ - source_labels: [__meta_kubernetes_pod_name]
+ action: replace
+ target_label: pod
+ - action: labelmap
+ regex: __meta_kubernetes_pod_label_nsm_nginx_com_(.+)
+ - action: labeldrop
+ regex: __meta_kubernetes_pod_label_nsm_nginx_com_(.+)
+ - action: labelmap
+ regex: __meta_kubernetes_pod_label_(.+)
+ - action: labelmap
+ regex: __meta_kubernetes_pod_annotation_nsm_nginx_com_enable_(.+)
+ metric_relabel_configs:
+ - source_labels: [__name__]
+ regex: 'nginx_ingress_controller_upstream_server_response_latency_ms(.+)'
+ target_label: __name__
+ replacement: 'nginxplus_upstream_server_response_latency_ms$1'
+ - source_labels: [__name__]
+ regex: 'nginx_ingress_nginxplus(.+)'
+ target_label: __name__
+ replacement: 'nginxplus$1'
+ - source_labels: [service]
+ target_label: dst_service
+ - source_labels: [resource_namespace]
+ target_label: dst_namespace
+ - source_labels: [pod_owner]
+ regex: '(.+)\/(.+)'
+ target_label: dst_$1
+ replacement: $2
+ - action: labeldrop
+ regex: pod_owner
+ - source_labels: [pod_name]
+ target_label: dst_pod
diff --git a/charts/nginx-service-mesh/nginx-service-mesh/0.2.100/configs/spire-agent.conf b/charts/nginx-service-mesh/nginx-service-mesh/0.2.100/configs/spire-agent.conf
new file mode 100644
index 000000000..726af1573
--- /dev/null
+++ b/charts/nginx-service-mesh/nginx-service-mesh/0.2.100/configs/spire-agent.conf
@@ -0,0 +1,33 @@
+agent {
+ data_dir = "/run/spire"
+ log_level = "DEBUG"
+ server_address = "spire-server"
+ server_port = "8081"
+ socket_path = "/run/spire/sockets/agent.sock"
+ trust_bundle_path = "/run/spire/bundle/bundle.crt"
+ trust_domain = {{ quote .Values.mtls.trustDomain }}
+}
+
+plugins {
+ NodeAttestor "k8s_psat" {
+ plugin_data {
+ cluster = "nginx-mesh"
+ }
+ }
+
+ KeyManager "memory" {
+ plugin_data {
+ }
+ }
+
+ WorkloadAttestor "k8s" {
+ plugin_data {
+ skip_kubelet_verification = true
+ }
+ }
+
+ WorkloadAttestor "unix" {
+ plugin_data {
+ }
+ }
+}
diff --git a/charts/nginx-service-mesh/nginx-service-mesh/0.2.100/configs/spire-server.conf b/charts/nginx-service-mesh/nginx-service-mesh/0.2.100/configs/spire-server.conf
new file mode 100644
index 000000000..97a575b41
--- /dev/null
+++ b/charts/nginx-service-mesh/nginx-service-mesh/0.2.100/configs/spire-server.conf
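Review bot: `regex: true` under the `prometheus_io_scrape` keep rule in prometheus-config.yaml is an unquoted YAML boolean where Prometheus expects a regex string; whether the loader coerces it to the string `"true"` depends on the YAML library, so write `regex: "true"` like the other quoted regexes in the file. The `__address__` rewrite a few lines below trusts the pod's own `prometheus.io/port` annotation to pick the scrape port, which is the usual pattern for this job but worth a one-line comment (`# scrape port comes from the pod's own annotation`) so operators know the pod, not the chart, controls it.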
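Review bot: `skip_kubelet_verification = true` in the `WorkloadAttestor "k8s"` block of spire-agent.conf turns off TLS verification of the kubelet the agent queries for workload identity, and it is hard-coded rather than driven by `.Values` like `trust_domain` above it. On clusters whose kubelet serving certificates are signed by the cluster CA this could be `false`; where it has to stay `true`, a comment stating why (`# kubelet serving certs are commonly self-signed; make this a value if the cluster CA signs them`) or a chart switch would make the trade-off visible to whoever hardens the install. Everything else in the block is empty `plugin_data`, so this is the only line that needs the explanation.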
@@ -0,0 +1,61 @@
+server {
+ bind_address = "0.0.0.0"
+ bind_port = "8081"
+ ca_ttl = {{ quote .Values.mtls.caTTL }}
+ data_dir = "/run/spire/data"
+ log_level = "DEBUG"
+ socket_path = "/run/spire/sockets/spire-registration.sock"
+ default_svid_ttl = {{ quote .Values.mtls.svidTTL }}
+ trust_domain = {{ quote .Values.mtls.trustDomain }}
+ ca_subject = {
+ country = ["US"],
+ organization = ["NGINX"],
+ common_name = "",
+ }
+}
+
+plugins {
+ DataStore "sql" {
+ plugin_data {
+ database_type = "sqlite3"
+ connection_string = "/run/spire/data/datastore.sqlite3"
+ }
+ }
+
+ NodeAttestor "k8s_psat" {
+ plugin_data {
+ clusters = {
+ "nginx-mesh" = {
+ service_account_allow_list = [{{ printf "%s:spire-agent" .Release.Namespace | quote }}]
+ }
+ }
+ }
+ }
+
+ Notifier "k8sbundle" {
+ plugin_data {
+ namespace = {{ quote .Release.Namespace }}
+ webhook_label = "spiffe.io/webhook"
+ api_service_label = "spiffe.io/apiservice"
+ }
+ }
+
+ KeyManager {{ quote .Values.mtls.spireServerKeyManager }} {
+ {{- if eq .Values.mtls.spireServerKeyManager "disk" }}
+ plugin_data {
+ keys_path = "/run/spire/data/keys.json"
+ }
+ {{- end }}
+ }
+
+ {{ if .Values.mtls.upstreamAuthority.awsPCA }}
+ {{ tpl (.Files.Get "configs/upstreamAuthority/aws-pca-ua.conf") . }}
+ {{ else if .Values.mtls.upstreamAuthority.awsSecret }}
+ {{ tpl (.Files.Get "configs/upstreamAuthority/aws-secret-ua.conf") . }}
+ {{ else if .Values.mtls.upstreamAuthority.disk }}
+ {{ tpl (.Files.Get "configs/upstreamAuthority/disk-ua.conf") . }}
+ {{ else if .Values.mtls.upstreamAuthority.vault }}
+ {{ tpl (.Files.Get "configs/upstreamAuthority/vault-ua.conf") . }}
+ {{ end }}
+
+}
diff --git a/charts/nginx-service-mesh/nginx-service-mesh/0.2.100/configs/upstreamAuthority/aws-credentials.conf b/charts/nginx-service-mesh/nginx-service-mesh/0.2.100/configs/upstreamAuthority/aws-credentials.conf
new file mode 100644
index 000000000..422c92265
--- /dev/null
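Review bot: The `KeyManager {{ quote .Values.mtls.spireServerKeyManager }}` block in spire-server.conf places the CA signing key at `keys_path = "/run/spire/data/keys.json"` when `disk` is chosen, on the same `/run/spire/data` directory that holds the sqlite datastore, while with `memory` the key presumably lives only in the process and does not survive a restart. Both are legitimate choices, but the consequence — persistent, unencrypted key material next to the datastore versus a CA that is regenerated whenever the server restarts — is stated nowhere in the file, and the README's `mTLS.persistentStorage` remark only hints at it. A comment above the block, `# disk: CA key persists in plain form under data_dir; memory: CA is regenerated on every restart`, would make the trade-off explicit to operators. `common_name = ""` in `ca_subject` also looks deliberate and deserves a one-word comment so nobody "fixes" it.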
+++ b/charts/nginx-service-mesh/nginx-service-mesh/0.2.100/configs/upstreamAuthority/aws-credentials.conf
@@ -0,0 +1,3 @@
+[default]
+aws_access_key_id = {{ .Values.mtls.upstreamAuthority.awsPCA.awsAccessKeyID }}
+aws_secret_access_key = {{ .Values.mtls.upstreamAuthority.awsPCA.awsSecretAccessKey }}
diff --git a/charts/nginx-service-mesh/nginx-service-mesh/0.2.100/configs/upstreamAuthority/aws-pca-ua.conf b/charts/nginx-service-mesh/nginx-service-mesh/0.2.100/configs/upstreamAuthority/aws-pca-ua.conf
new file mode 100644
index 000000000..a296cf881
--- /dev/null
+++ b/charts/nginx-service-mesh/nginx-service-mesh/0.2.100/configs/upstreamAuthority/aws-pca-ua.conf
@@ -0,0 +1,16 @@
+UpstreamAuthority "aws_pca" {
+ plugin_data {
+ region = {{ quote .Values.mtls.upstreamAuthority.awsPCA.region }}
+ certificate_authority_arn = {{ quote .Values.mtls.upstreamAuthority.awsPCA.certificateAuthorityArn }}
+ {{- if .Values.mtls.upstreamAuthority.awsPCA.caSigningTemplateArn }}
+ ca_signing_template_arn = {{ quote .Values.mtls.upstreamAuthority.awsPCA.caSigningTemplateArn }}{{ end }}
+ {{- if .Values.mtls.upstreamAuthority.awsPCA.signingAlgorithm }}
+ signing_algorithm = {{ quote .Values.mtls.upstreamAuthority.awsPCA.signingAlgorithm }}{{ end }}
+ {{- if .Values.mtls.upstreamAuthority.awsPCA.assumeRoleArn }}
+ assume_role_arn = {{ quote .Values.mtls.upstreamAuthority.awsPCA.assumeRoleArn }}{{end}}
+ {{- if .Values.mtls.upstreamAuthority.awsPCA.endpoint }}
+ endpoint = {{ quote .Values.mtls.upstreamAuthority.awsPCA.endpoint }}{{end}}
+ {{- if .Values.mtls.upstreamAuthority.awsPCA.supplementalBundlePath }}
+ supplemental_bundle_path = "/run/spire/config/upstreamBundle.crt"{{end}}
+ }
+}
diff --git a/charts/nginx-service-mesh/nginx-service-mesh/0.2.100/configs/upstreamAuthority/aws-secret-ua.conf b/charts/nginx-service-mesh/nginx-service-mesh/0.2.100/configs/upstreamAuthority/aws-secret-ua.conf
new file mode 100644
index 000000000..5e8763aff
--- /dev/null
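Review bot: `aws_access_key_id` and `aws_secret_access_key` in aws-credentials.conf are rendered straight from `.Values.mtls.upstreamAuthority.awsPCA.*` without `quote`, unlike every templated value in the sibling aws-pca-ua.conf, so an unset value renders as an empty right-hand side and the failure surfaces inside the plugin at runtime rather than at `helm template` time. More importantly, a long-lived IAM key passed through chart values ends up in the Helm release history and in whatever object this file is mounted from — I cannot tell from this chunk whether that is a Secret or a ConfigMap — so the chart should steer users toward an existing Secret or a pod-level IAM role where available. A header comment such as `# credentials given via values are persisted in the release record; prefer an existing Secret or an IAM role` would make that expectation explicit.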
+++ b/charts/nginx-service-mesh/nginx-service-mesh/0.2.100/configs/upstreamAuthority/aws-secret-ua.conf
@@ -0,0 +1,15 @@
+UpstreamAuthority "awssecret" {
+ plugin_data {
+ region = {{ quote .Values.mtls.upstreamAuthority.awsSecret.region }}
+ cert_file_arn = {{ quote .Values.mtls.upstreamAuthority.awsSecret.certFileArn }}
+ key_file_arn = {{ quote .Values.mtls.upstreamAuthority.awsSecret.keyFileArn }}
+ {{- if .Values.mtls.upstreamAuthority.awsSecret.awsAccessKeyID }}
+ access_key_id = {{ quote .Values.mtls.upstreamAuthority.awsSecret.awsAccessKeyID }}{{ end }}
+ {{- if .Values.mtls.upstreamAuthority.awsSecret.awsSecretAccessKey }}
+ secret_access_key = {{ quote .Values.mtls.upstreamAuthority.awsSecret.awsSecretAccessKey }}{{ end }}
+ {{- if .Values.mtls.upstreamAuthority.awsSecret.awsSecretToken }}
+ secret_token = {{ quote .Values.mtls.upstreamAuthority.awsSecret.awsSecretToken }}{{ end }}
+ {{- if .Values.mtls.upstreamAuthority.awsSecret.assumeRoleArn }}
+ assume_role_arn = {{ quote .Values.mtls.upstreamAuthority.awsSecret.assumeRoleArn }}{{ end }}
+ }
+}
diff --git a/charts/nginx-service-mesh/nginx-service-mesh/0.2.100/configs/upstreamAuthority/disk-ua.conf b/charts/nginx-service-mesh/nginx-service-mesh/0.2.100/configs/upstreamAuthority/disk-ua.conf
new file mode 100644
index 000000000..87f402d41
--- /dev/null
+++ b/charts/nginx-service-mesh/nginx-service-mesh/0.2.100/configs/upstreamAuthority/disk-ua.conf
@@ -0,0 +1,8 @@
+UpstreamAuthority "disk" {
+ plugin_data {
+ cert_file_path = "/run/spire/config/upstreamCA.crt"
+ key_file_path = "/run/spire/secrets/upstreamCA.key"
+ {{- if .Values.mtls.upstreamAuthority.disk.bundle }}
+ bundle_file_path = "/run/spire/config/upstreamBundle.crt"{{ end }}
+ }
+}
diff --git a/charts/nginx-service-mesh/nginx-service-mesh/0.2.100/configs/upstreamAuthority/vault-ua.conf b/charts/nginx-service-mesh/nginx-service-mesh/0.2.100/configs/upstreamAuthority/vault-ua.conf
new file mode 100644
index 000000000..744eb77fa
--- /dev/null
+++ b/charts/nginx-service-mesh/nginx-service-mesh/0.2.100/configs/upstreamAuthority/vault-ua.conf
@@ -0,0 +1,28 @@
+UpstreamAuthority "vault" {
+ plugin_data {
+ vault_addr = {{ quote .Values.mtls.upstreamAuthority.vault.vaultAddr }}
+ namespace = {{ quote .Values.mtls.upstreamAuthority.vault.namespace }}
+ ca_cert_path = "/run/spire/config/upstreamCA.crt"
+ {{- if .Values.mtls.upstreamAuthority.vault.pkiMountPoint }}
+ pki_mount_path = {{ quote .Values.mtls.upstreamAuthority.vault.pkiMountPoint }}{{ end }}
+ {{- if .Values.mtls.upstreamAuthority.vault.insecureSkipVerify }}
+ insecure_skip_verify = {{ .Values.mtls.upstreamAuthority.vault.insecureSkipVerify }}{{ end }}
+ {{- if .Values.mtls.upstreamAuthority.vault.certAuth}}
+ cert_auth = {
+ client_cert_path = "/run/spire/config/upstreamClient.crt"
+ client_key_path = "/run/spire/secrets/upstreamClient.key"
+ {{- if .Values.mtls.upstreamAuthority.vault.certAuth.certAuthRoleName }}
+ cert_auth_role_name = {{ quote .Values.mtls.upstreamAuthority.vault.certAuth.certAuthRoleName }}{{ end }}
+ {{- if .Values.mtls.upstreamAuthority.vault.certAuth.certAuthMountPoint }}
+ cert_auth_mount_point = {{ quote .Values.mtls.upstreamAuthority.vault.certAuth.certAuthMountPoint }}{{ end }}
+ }{{ end }}
+ {{- if .Values.mtls.upstreamAuthority.vault.tokenAuth }}
+ token_auth = {}{{ end }}
+ {{- if .Values.mtls.upstreamAuthority.vault.approleAuth }}
+ approle_auth = {
+ approle_id = {{ quote .Values.mtls.upstreamAuthority.vault.approleAuth.approleID }}
+ {{- if .Values.mtls.upstreamAuthority.vault.approleAuth.approleAuthMountPoint }}
+ approle_auth_mount_point = {{ quote .Values.mtls.upstreamAuthority.vault.approleAuth.approleAuthMountPoint }}{{ end }}
+ }{{ end }}
+ }
+}
diff --git a/charts/nginx-service-mesh/nginx-service-mesh/0.2.100/crds/circuitbreaker.yaml b/charts/nginx-service-mesh/nginx-service-mesh/0.2.100/crds/circuitbreaker.yaml
new file mode 100644
index 000000000..d5155fbb2
--- /dev/null
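Review bot: `insecure_skip_verify = {{ .Values.mtls.upstreamAuthority.vault.insecureSkipVerify }}` in vault-ua.conf disables certificate verification toward the Vault endpoint that signs the mesh's CA, so any truthy value silently undoes what `ca_cert_path = "/run/spire/config/upstreamCA.crt"` two lines above is presumably there to provide, and nothing in the file says so. A template comment on the `{{- if ... }}` line, `{{- /* insecure_skip_verify defeats ca_cert_path; test environments only */ -}}`, or an explicit opt-in documented in values, would keep the risk visible to whoever sets it. The `approle_auth` block also renders `approle_id` but no secret for the role, so presumably that is supplied to the server pod another way — a comment naming where would save the next reader a search.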
+++ b/charts/nginx-service-mesh/nginx-service-mesh/0.2.100/crds/circuitbreaker.yaml @@ -0,0 +1,78 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: circuitbreakers.specs.smi.nginx.com + labels: + app.kubernetes.io/part-of: nginx-service-mesh +spec: + group: specs.smi.nginx.com + scope: Namespaced + names: + kind: CircuitBreaker + listKind: CircuitBreakerList + shortNames: + - cb + plural: circuitbreakers + singular: circuitbreaker + versions: + - name: v1alpha1 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + required: + - spec + properties: + spec: + description: Specifications of this circuit breaker. + type: object + required: + - destination + - errors + - timeoutSeconds + properties: + destination: + description: The destination of this circuit breaker. + type: object + required: + - name + - kind + properties: + kind: + description: Kind of the destination. + type: string + enum: + - Service + name: + description: Name of the destination. + type: string + minLength: 1 + namespace: + description: Namespace of the destination. + type: string + errors: + description: The number of errors allowed within the timeout before + tripping the circuit. + type: integer + minimum: 0 + timeoutSeconds: + description: The timeout window for errors to occur, and the amount + of time to wait before closing the circuit. + type: integer + minimum: 0 + fallback: + description: The fallback Service to send traffic to when the circuit + is tripped. + type: object + properties: + service: + description: The fallback Service to send traffic to when the + circuit is tripped. + type: string + port: + description: The port of the fallback Service. + type: integer + minimum: 0 + maximum: 65535 diff --git a/charts/nginx-service-mesh/nginx-service-mesh/0.2.100/crds/httproutegroup.yaml b/charts/nginx-service-mesh/nginx-service-mesh/0.2.100/crds/httproutegroup.yaml new file mode 100644 index 000000000..b1ee68f88 
--- /dev/null +++ b/charts/nginx-service-mesh/nginx-service-mesh/0.2.100/crds/httproutegroup.yaml @@ -0,0 +1,68 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: httproutegroups.specs.smi-spec.io + labels: + app.kubernetes.io/part-of: nginx-service-mesh +spec: + group: specs.smi-spec.io + scope: Namespaced + names: + kind: HTTPRouteGroup + shortNames: + - htr + plural: httproutegroups + singular: httproutegroup + versions: + - name: v1alpha3 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + properties: + spec: + type: object + required: + - matches + properties: + matches: + description: Match conditions of this route group. + type: array + items: + type: object + required: + - name + properties: + name: + description: Name of the HTTP route. + type: string + pathRegex: + description: URI path regex of the HTTP route. + type: string + methods: + description: The HTTP methods of this HTTP route. + type: array + items: + type: string + description: The HTTP method of this HTTP route. + enum: + - "*" + - GET + - HEAD + - PUT + - POST + - DELETE + - CONNECT + - OPTIONS + - TRACE + - PATCH + headers: + description: Header match conditions of this route. + type: array + items: + description: Header match condition of this route. + type: object + additionalProperties: + type: string diff --git a/charts/nginx-service-mesh/nginx-service-mesh/0.2.100/crds/ratelimit.yaml b/charts/nginx-service-mesh/nginx-service-mesh/0.2.100/crds/ratelimit.yaml new file mode 100644 index 000000000..95fe8433b --- /dev/null +++ b/charts/nginx-service-mesh/nginx-service-mesh/0.2.100/crds/ratelimit.yaml 
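Review bot: The root `openAPIV3Schema` here accepts an `HTTPRouteGroup` with no `spec` at all, unlike `circuitbreaker.yaml` in this commit which lists `required: - spec`; the same gap is in `ratelimit.yaml`, `trafficsplit.yaml` and `traffictarget.yaml`. Adding `required:` / `- spec` under the root `type: object` rejects empty objects at admission instead of leaving the controller to cope with a nil spec. `pathRegex` and the header values are also unbounded strings that presumably end up compiled as regexes in the data plane; a `maxLength` on them is a cheap cap on how large a pattern a namespace user can submit.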
@@ -0,0 +1,175 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: ratelimits.specs.smi.nginx.com + labels: + app.kubernetes.io/part-of: nginx-service-mesh +spec: + group: specs.smi.nginx.com + scope: Namespaced + names: + kind: RateLimit + listKind: RateLimitList + shortNames: + - rl + plural: ratelimits + singular: ratelimit + versions: + - name: v1alpha1 + served: true + storage: false + schema: + openAPIV3Schema: + type: object + properties: + spec: + type: object + required: + - name + - destination + - rate + properties: + destination: + description: The destination of this rate limit. + type: object + required: + - name + - kind + properties: + kind: + description: Kind of the destination. + type: string + minLength: 1 + name: + description: Name of the destination. + type: string + minLength: 1 + namespace: + description: Namespace of the destination. + type: string + sources: + description: Sources of this rate limit. + type: array + items: + type: object + required: + - name + - kind + properties: + kind: + description: Kind of this source. + type: string + minLength: 1 + name: + description: Name of this source. + type: string + minLength: 1 + namespace: + description: Namespace of this source. + type: string + name: + description: Name of this rate limit spec. + type: string + minLength: 1 + rate: + description: The allowed rate of traffic. + type: string + pattern: "^[0-9]+r/[s,m]$" + burst: + description: The number of requests to allow beyond the given rate. + type: integer + minimum: 0 + delay: + description: The number of requests after which to delay requests. + x-kubernetes-int-or-string: true + - name: v1alpha2 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + properties: + spec: + type: object + required: + - name + - destination + - rate + properties: + destination: + description: The destination of this rate limit. 
+ type: object + required: + - name + - kind + properties: + kind: + description: Kind of the destination. + type: string + minLength: 1 + name: + description: Name of the destination. + type: string + minLength: 1 + namespace: + description: Namespace of the destination. + type: string + sources: + description: Sources of this rate limit. + type: array + items: + type: object + required: + - name + - kind + properties: + kind: + description: Kind of this source. + type: string + minLength: 1 + name: + description: Name of this source. + type: string + minLength: 1 + namespace: + description: Namespace of this source. + type: string + name: + description: Name of this rate limit spec. + type: string + minLength: 1 + rate: + description: The allowed rate of traffic. + type: string + pattern: "^[0-9]+r/[s,m]$" + burst: + description: The number of requests to allow beyond the given rate. + type: integer + minimum: 0 + delay: + description: The number of requests after which to delay requests. + x-kubernetes-int-or-string: true + rules: + description: Routing rules of this rate limit. + type: array + items: + type: object + required: + - name + - kind + properties: + kind: + description: Kind of this routing rule. + type: string + enum: + - HTTPRouteGroup + name: + description: Name of this routing rule. + type: string + minLength: 1 + matches: + description: Match conditions of this routing rule. + type: array + items: + type: string diff --git a/charts/nginx-service-mesh/nginx-service-mesh/0.2.100/crds/tcproute.yaml b/charts/nginx-service-mesh/nginx-service-mesh/0.2.100/crds/tcproute.yaml new file mode 100644 index 000000000..4f91f25a1 --- /dev/null +++ b/charts/nginx-service-mesh/nginx-service-mesh/0.2.100/crds/tcproute.yaml 
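Review bot: The `rate` pattern `"^[0-9]+r/[s,m]$"` puts a literal comma inside the character class, so `10r/,` passes admission; both the v1alpha1 and v1alpha2 copies in this hunk have it. The class should be `[sm]`: `pattern: "^[0-9]+r/[sm]$"`. `destination.kind` is also an unconstrained `minLength: 1` string where `circuitbreaker.yaml` uses `enum: - Service`; if the rate limit likewise only targets Services, the same enum would make the two CRDs agree.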
@@ -0,0 +1,23 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: tcproutes.specs.smi-spec.io + labels: + app.kubernetes.io/part-of: nginx-service-mesh +spec: + group: specs.smi-spec.io + scope: Namespaced + names: + kind: TCPRoute + shortNames: + - tr + plural: tcproutes + singular: tcproute + versions: + - name: v1alpha3 + served: true + storage: true + schema: + openAPIV3Schema: + type: object diff --git a/charts/nginx-service-mesh/nginx-service-mesh/0.2.100/crds/trafficsplit.yaml b/charts/nginx-service-mesh/nginx-service-mesh/0.2.100/crds/trafficsplit.yaml new file mode 100644 index 000000000..90ca7010a --- /dev/null +++ b/charts/nginx-service-mesh/nginx-service-mesh/0.2.100/crds/trafficsplit.yaml 
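Review bot: The schema for `TCPRoute` is just `type: object` with no properties; on an `apiextensions.k8s.io/v1` CRD the apiserver prunes every field the structural schema does not declare, so a `spec` submitted with this resource is dropped on write unless the controller never reads one. If the mesh consumes TCPRoute spec fields, either declare them as the other CRDs in this commit do or add `x-kubernetes-preserve-unknown-fields: true` under `openAPIV3Schema`, and say which in a comment so the empty schema does not read as an oversight.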
@@ -0,0 +1,72 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: trafficsplits.split.smi-spec.io + labels: + app.kubernetes.io/part-of: nginx-service-mesh +spec: + group: split.smi-spec.io + scope: Namespaced + names: + kind: TrafficSplit + listKind: TrafficSplitList + shortNames: + - ts + plural: trafficsplits + singular: trafficsplit + versions: + - name: v1alpha3 + served: true + storage: true + additionalPrinterColumns: + - name: Service + type: string + description: The apex service of this split. + jsonPath: .spec.service + schema: + openAPIV3Schema: + type: object + properties: + spec: + type: object + required: + - service + - backends + properties: + service: + description: The apex service of this split. + type: string + matches: + description: The HTTP route groups that this traffic split should + match. + type: array + items: + type: object + required: + - kind + - name + properties: + kind: + description: Kind of the matching group. + type: string + enum: + - HTTPRouteGroup + name: + description: Name of the matching group. + type: string + backends: + description: The backend services of this split. + type: array + items: + type: object + required: + - service + - weight + properties: + service: + description: Name of the Kubernetes service. + type: string + weight: + description: Traffic weight value of this backend. + type: number diff --git a/charts/nginx-service-mesh/nginx-service-mesh/0.2.100/crds/traffictarget.yaml b/charts/nginx-service-mesh/nginx-service-mesh/0.2.100/crds/traffictarget.yaml new file mode 100644 index 000000000..24bae1428 --- /dev/null +++ b/charts/nginx-service-mesh/nginx-service-mesh/0.2.100/crds/traffictarget.yaml 
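Review bot: `backends[].weight` is `type: number` with no lower bound, so negative weights pass admission, and `backends` has no `minItems`, so a split with an empty backend list is accepted. If negative weights are not meaningful to the mesh, `minimum: 0` on `weight` and `minItems: 1` on `backends` move that rejection to admission time rather than leaving it to the controller.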
@@ -0,0 +1,92 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: traffictargets.access.smi-spec.io + labels: + app.kubernetes.io/part-of: nginx-service-mesh +spec: + group: access.smi-spec.io + scope: Namespaced + names: + kind: TrafficTarget + shortNames: + - tt + plural: traffictargets + singular: traffictarget + versions: + - name: v1alpha2 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + properties: + spec: + type: object + required: + - destination + properties: + destination: + description: The destination of this traffic target. + type: object + required: + - name + - kind + properties: + kind: + description: Kind of the destination. + type: string + name: + description: Name of the destination. + type: string + namespace: + description: Namespace of the destination. + type: string + port: + description: Port number of the destination. + type: number + rules: + description: Specifications of this traffic target. + type: array + items: + type: object + required: + - name + - kind + properties: + kind: + description: Kind of this spec. + type: string + enum: + - HTTPRouteGroup + - TCPRoute + name: + description: Name of this spec. + type: string + matches: + description: Match conditions of this spec. + type: array + items: + type: string + sources: + description: Sources of this traffic target. + type: array + items: + type: object + required: + - name + - kind + properties: + kind: + description: Kind of this source. + type: string + name: + description: Name of this source. + type: string + namespace: + description: Namespace of this source. + type: string + port: + description: Port number of the source. + type: number diff --git a/charts/nginx-service-mesh/nginx-service-mesh/0.2.100/questions.yaml b/charts/nginx-service-mesh/nginx-service-mesh/0.2.100/questions.yaml new file mode 100644 index 000000000..933e22c5f --- /dev/null 
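Review bot: `destination.port` and `sources[].port` are `type: number` with no bounds, so fractional, negative and above-65535 values pass admission, while `circuitbreaker.yaml` in this commit declares its port as `type: integer` with `minimum: 0` and `maximum: 65535`. Using the same three lines here keeps the CRDs consistent and rejects malformed ports before the controller sees them. `destination.kind` and `sources[].kind` are also free-form strings; if only a fixed set of kinds is honoured, an `enum` would document it.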
+++ b/charts/nginx-service-mesh/nginx-service-mesh/0.2.100/questions.yaml 
@@ -0,0 +1,197 @@ +questions: +- variable: useDefaultImages + default: true + description: "Use default image settings." + label: Use default images + type: boolean + show_subquestion_if: false + group: "Image Registry" + subquestions: + - variable: registry.server + default: "docker-registry.nginx.com/nsm" + description: "Hostname:port (if needed) for registry and path to images." + label: Image registry server + type: string + - variable: registry.imageTag + default: "1.2.1" + description: "Tag used for pulling images from registry." + label: Image tag + type: string + - variable: registry.key + default: "" + description: "Contents of your Google Cloud JSON key file. Cannot be used with username or password." + label: Image registry key + type: string + - variable: registry.username + default: "" + description: "Username for accessing private registry." + label: Image registry username + type: string + - variable: registry.password + default: "" + description: "Password for accessing private registry." + label: Image registry password + type: string + - variable: registry.disablePublicImages + default: false + description: "Do not pull third party images from public repositories. If true, registry.server is used for all images." + label: Disable public images + type: boolean + - variable: registry.imagePullPolicy + default: "IfNotPresent" + description: "Image pull policy." + label: Image pull policy + type: string +- variable: useMtlsDefaults + default: true + description: "Use default mTLS settings." + label: Use default mTLS settings + type: boolean + show_subquestion_if: false + group: "Mutual TLS" + subquestions: + - variable: mtls.mode + default: "permissive" + description: "mTLS mode for pod-to-pod communication." + label: mTLS mode + type: enum + options: + - "off" + - "permissive" + - "strict" + - variable: mtls.caTTL + default: "720h" + description: "The CA/signing key TTL in hours(h) or minutes(m)." 
+ label: mTLS caTTL + type: string + - variable: mtls.svidTTL + default: "1h" + description: "The TTL of certificates issued to workloads in hours(h) or minutes(m)." + label: mTLS svidTTL + type: string + - variable: mtls.trustDomain + default: "example.org" + description: "The trust domain of the NGINX Service Mesh." + label: mTLS trust domain + type: string + - variable: mtls.persistentStorage + default: "on" + description: "Use persistent storage; 'on' assumes that a StorageClass exists." + label: mTLS persistent storage + type: enum + options: + - "on" + - "off" + - variable: mtls.spireServerKeyManager + default: "disk" + description: "Storage logic for Spire Server's private keys." + label: mTLS spire server key manager + type: enum + options: + - "disk" + - "memory" +- variable: useTracingDefaults + default: true + description: "Use default tracing settings." + label: Use default tracing settings + type: boolean + show_subquestion_if: false + group: "Tracing" + subquestions: + - variable: tracing.disable + default: false + description: "Disable tracing for all services." + label: Disable tracing + type: boolean + - variable: tracing.address + default: "" + description: "The address of a tracing server deployed in your Kubernetes cluster." + label: Tracing address + type: string + - variable: tracing.backend + default: "jaeger" + description: "The tracing backend that you want to use." + label: Tracing backend + type: enum + options: + - "jaeger" + - "zipkin" + - "datadog" + - variable: tracing.sampleRate + default: 0.01 + description: "The sample rate to use for tracing. Float between 0 and 1." + label: Tracing sample rate + type: float +- variable: autoInjection.disable + default: false + description: "Disable automatic sidecar injection upon resource creation." 
+ label: Disable auto injection + type: boolean + group: "General Settings" +- variable: accessControlMode + default: "allow" + description: "Default access control mode for service-to-service communication." + label: Access control mode + type: enum + options: + - "allow" + - "deny" + group: "General Settings" +- variable: deployGrafana + default: true + description: "Deploy Grafana as a part of NGINX Service Mesh." + label: Deploy Grafana + type: boolean + group: "General Settings" +- variable: nginxErrorLogLevel + default: "warn" + description: "NGINX error log level." + label: NGINX error log level. + type: enum + options: + - "debug" + - "info" + - "notice" + - "warn" + - "error" + - "crit" + - "alert" + - "emerg" + group: "General Settings" +- variable: nginxLogFormat + default: "default" + description: "NGINX log format." + label: NGINX log format. + type: enum + options: + - "default" + - "json" + group: "General Settings" +- variable: nginxLBMethod + default: "least_time" + description: "NGINX load balancing method." + label: NGINX load balancing method. + type: enum + options: + - "least_conn" + - "least_time" + - "least_time last_byte" + - "least_time last_byte inflight" + - "random" + - "random two" + - "random two least_conn" + - "random two least_time" + - "random two least_time=last_byte" + - "round_robin" + group: "General Settings" +- variable: prometheusAddress + description: "The address of a Prometheus server deployed in your Kubernetes cluster." + label: Prometheus address. + type: string + group: "General Settings" +- variable: rancher + default: true + description: "Enables Rancher for NGINX Service Mesh (do not disable)." + label: Rancher + type: boolean + group: "General Settings" diff --git a/charts/nginx-service-mesh/nginx-service-mesh/0.2.100/templates/NOTES.txt b/charts/nginx-service-mesh/nginx-service-mesh/0.2.100/templates/NOTES.txt new file mode 100644 index 000000000..ae929df6d --- /dev/null 
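Review bot: `registry.password` and `registry.key` are declared `type: string`, so the Rancher UI renders them as plain, unmasked inputs; `type: password` is the questions type meant for credential fields. `registry.key` holds the full contents of a Google Cloud service-account JSON file, so it is doubly worth masking. Change both entries to `type: password`.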
+++ b/charts/nginx-service-mesh/nginx-service-mesh/0.2.100/templates/NOTES.txt @@ -0,0 +1 @@ +NGINX Service Mesh has been installed. Ensure all NGINX Service Mesh Pods are in the Ready state before deploying your apps. diff --git a/charts/nginx-service-mesh/nginx-service-mesh/0.2.100/templates/_helpers.tpl b/charts/nginx-service-mesh/nginx-service-mesh/0.2.100/templates/_helpers.tpl new file mode 100644 index 000000000..e0c43f378 --- /dev/null +++ b/charts/nginx-service-mesh/nginx-service-mesh/0.2.100/templates/_helpers.tpl 
@@ -0,0 +1,165 @@ +{{- define "jaeger.image-server" -}} +{{- if not .Values.registry.disablePublicImages }}jaegertracing{{ else }}{{ .Values.registry.server }}{{ end }} +{{- end }} + +{{- define "zipkin.image-server" -}} +{{- if not .Values.registry.disablePublicImages }}openzipkin{{ else }}{{ .Values.registry.server }}{{ end }} +{{- end }} + +{{- define "tracing.address" -}} +{{- if ne .Values.tracing.address "" -}} +{{ .Values.tracing.address }} +{{- else if eq .Values.tracing.backend "jaeger" -}} +jaeger.{{.Release.Namespace}}.svc.cluster.local:6831 +{{- else if eq .Values.tracing.backend "zipkin" -}} +zipkin.{{.Release.Namespace}}.svc.cluster.local:9411 +{{- end }} +{{- end }} + +{{- define "prometheus.address" -}} +{{- if eq .Values.prometheusAddress "" -}} +prometheus.{{.Release.Namespace}}.svc.cluster.local:9090 +{{- else -}} +{{ .Values.prometheusAddress }} +{{- end }} +{{- end }} + +{{- define "prometheus.image-server" -}} +{{- if not .Values.registry.disablePublicImages }}prom{{ else }}{{ .Values.registry.server }}{{ end }} +{{- end }} + +{{- define "grafana.image-server" -}} +{{- if not .Values.registry.disablePublicImages }}grafana{{ else }}{{ .Values.registry.server }}{{ end }} +{{- end }} + +{{- define "nats.image-server" -}} +{{- if not .Values.registry.disablePublicImages }}{{ else }}{{ .Values.registry.server }}/{{ end }} +{{- end }} + +{{- define "spire.image-server" -}} +{{- if not .Values.registry.disablePublicImages }}gcr.io/spiffe-io{{ else }}{{ .Values.registry.server }}{{ end }} +{{- end }} + +{{- define "hook.image-server" -}} +{{- if not .Values.registry.disablePublicImages }}bitnami{{ else }}{{ .Values.registry.server }}{{ end }} +{{- end }} + +{{- define "registry-key-name" -}} +nginx-mesh-registry-key +{{- end }} + +{{- define "docker-config-json" -}} +{{- if (and (.Values.registry.username) (.Values.registry.password)) }} +{ + "auths": { + {{ quote .Values.registry.server }}: { + "username": {{ quote .Values.registry.username }}, + 
"password": {{ quote .Values.registry.password }}, + "auth": {{ printf "%s:%s" .Values.registry.username .Values.registry.password | b64enc | quote }} + } + } +} +{{- else if (.Values.registry.key) }} +{ + "auths": { + {{ quote .Values.registry.server }}: { + "username": "_json_key", + "password": {{ quote .Values.registry.key }} + } + } +} +{{- end }} +{{- end }} + +{{/* +Define the name of the key where the Upstream Authority secret data is stored. +*/}} +{{- define "ua-secret-name" -}} +{{- if .Values.mtls.upstreamAuthority.awsPCA -}} +credentials +{{- else if .Values.mtls.upstreamAuthority.disk -}} +upstreamCA.key +{{- else if .Values.mtls.upstreamAuthority.vault }}{{ if .Values.mtls.upstreamAuthority.vault.certAuth -}} +upstreamClient.key{{ end }} +{{- end }} +{{- end }} + +{{/* +Define the name of the mount path where the Upstream Authority secret data is stored. +*/}} +{{- define "ua-secret-mountpath" -}} +{{- if .Values.mtls.upstreamAuthority.awsPCA -}} +/root/.aws +{{- else if .Values.mtls.upstreamAuthority.disk -}} +/run/spire/secrets +{{- else if .Values.mtls.upstreamAuthority.vault }}{{ if .Values.mtls.upstreamAuthority.vault.certAuth -}} +/run/spire/secrets{{ end }} +{{- end }} +{{- end }} + +{{/* +Define the upstream certificate to be used for the Upstream Authority. +*/}} +{{- define "ua-upstream-cert" -}} +{{- if .Values.mtls.upstreamAuthority.disk -}} +upstreamCA.crt: {{ quote .Values.mtls.upstreamAuthority.disk.cert }} +{{- else if .Values.mtls.upstreamAuthority.vault -}} +upstreamCA.crt: {{ quote .Values.mtls.upstreamAuthority.vault.caCert }} +{{- end }} +{{- end }} + +{{/* +Define the upstream bundle to be used for the Upstream Authority. 
+*/}} +{{- define "ua-upstream-bundle" -}} +{{- if .Values.mtls.upstreamAuthority.disk }}{{ if .Values.mtls.upstreamAuthority.disk.bundle -}} +upstreamBundle.crt: {{ quote .Values.mtls.upstreamAuthority.disk.bundle }}{{ end }} +{{- else if .Values.mtls.upstreamAuthority.awsPCA }}{{ if .Values.mtls.upstreamAuthority.awsPCA.supplementalBundle -}} +upstreamBundle.crt: {{ quote .Values.mtls.upstreamAuthority.awsPCA.supplementalBundle }}{{ end }} +{{- end }} +{{- end }} + +{{/* +Define the Upstream Authority key to be stored in the Secret. +*/}} +{{- define "ua-upstream-key" -}} +{{- if .Values.mtls.upstreamAuthority.awsPCA -}} +{{ tpl (.Files.Get "configs/upstreamAuthority/aws-credentials.conf") . | b64enc }} +{{- else if .Values.mtls.upstreamAuthority.disk -}} +{{ .Values.mtls.upstreamAuthority.disk.key | b64enc }} +{{- else if .Values.mtls.upstreamAuthority.vault }}{{ if .Values.mtls.upstreamAuthority.vault.certAuth -}} +{{ .Values.mtls.upstreamAuthority.vault.certAuth.clientKey | b64enc }}{{ end }} +{{- end }} +{{- end }} + +{{/* +Define variables associated with the Vault Upstream Authority. 
+*/}} + +{{- define "ua-vault-env-name" -}} +{{- if .Values.mtls.upstreamAuthority.vault -}} +{{- if .Values.mtls.upstreamAuthority.vault.tokenAuth -}} +VAULT_TOKEN +{{- else if .Values.mtls.upstreamAuthority.vault.approleAuth -}} +VAULT_APPROLE_SECRET_ID +{{- end }} +{{- end }} +{{- end }} + +{{- define "ua-vault-env-value" -}} +{{- if .Values.mtls.upstreamAuthority.vault -}} +{{- if .Values.mtls.upstreamAuthority.vault.tokenAuth -}} +{{ b64enc .Values.mtls.upstreamAuthority.vault.tokenAuth.token }} +{{- else if .Values.mtls.upstreamAuthority.vault.approleAuth -}} +{{ b64enc .Values.mtls.upstreamAuthority.vault.approleAuth.approleSecretID }} +{{- end }} +{{- end }} +{{- end }} + +{{- define "ua-upstream-client-cert" -}} +{{- if .Values.mtls.upstreamAuthority.vault -}} +{{- if .Values.mtls.upstreamAuthority.vault.certAuth -}} +upstreamClient.crt: {{ quote .Values.mtls.upstreamAuthority.vault.certAuth.clientCert }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/nginx-service-mesh/nginx-service-mesh/0.2.100/templates/grafana.yaml b/charts/nginx-service-mesh/nginx-service-mesh/0.2.100/templates/grafana.yaml new file mode 100644 index 000000000..f7d3a0996 --- /dev/null +++ b/charts/nginx-service-mesh/nginx-service-mesh/0.2.100/templates/grafana.yaml 
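Review bot: `docker-config-json` emits nothing when only one of `registry.username` / `registry.password` is set, so a typo in one value yields an empty pull secret and an `ImagePullBackOff` far from the misconfiguration. An explicit branch such as `{{- else if or .Values.registry.username .Values.registry.password }}{{ fail "registry.username and registry.password must both be set" }}` surfaces it at `helm install` time. Separately, the seven `*.image-server` helpers repeat one pattern with a different public prefix and would read better as a single helper taking the prefix as an argument, and the first half of the file has no `{{/* */}}` header comments while the second half does.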
@@ -0,0 +1,137 @@ +{{- if .Values.deployGrafana }} +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: grafana + labels: + app.kubernetes.io/part-of: nginx-service-mesh +imagePullSecrets: +- name: {{ include "registry-key-name" . }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: grafana.metrics.builtin.nsm.nginx + labels: + app.kubernetes.io/part-of: nginx-service-mesh +rules: +- apiGroups: + - '' + resources: + - services + - endpoints + - pods + verbs: + - get + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: grafana.metrics.builtin.nsm.nginx + labels: + app.kubernetes.io/part-of: nginx-service-mesh +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: grafana.metrics.builtin.nsm.nginx +subjects: +- kind: ServiceAccount + name: grafana + namespace: {{ .Release.Namespace }} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: grafana-config + labels: + app.kubernetes.io/part-of: nginx-service-mesh +data: + dashboards.yaml: {{ .Files.Get "configs/grafana-dashboard-conf.yaml" | quote }} + datasources.yaml: {{ tpl (.Files.Get "configs/grafana-datasources-conf.yaml") . 
| quote }} + grafana.ini: {{ .Files.Get "configs/grafana.ini" | quote }} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: grafana-dashboards + labels: + app.kubernetes.io/part-of: nginx-service-mesh +data: + top.json: {{ .Files.Get "configs/grafana-top-dashboard.json" | quote }} +--- +apiVersion: v1 +kind: Service +metadata: + name: grafana + labels: + app.kubernetes.io/name: grafana + app.kubernetes.io/part-of: nginx-service-mesh +spec: + selector: + app.kubernetes.io/name: grafana + app.kubernetes.io/part-of: nginx-service-mesh + type: ClusterIP + ports: + - port: 3000 + targetPort: 3000 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: grafana + labels: + app.kubernetes.io/name: grafana + app.kubernetes.io/part-of: nginx-service-mesh +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: grafana + app.kubernetes.io/part-of: nginx-service-mesh + template: + metadata: + labels: + app.kubernetes.io/name: grafana + app.kubernetes.io/part-of: nginx-service-mesh + spec: + serviceAccountName: grafana + containers: + - name: grafana + image: {{ include "grafana.image-server" . 
}}/grafana:8.1.7 + imagePullPolicy: {{ .Values.registry.imagePullPolicy }} + ports: + - containerPort: 3000 + volumeMounts: + - name: grafana-config-volume + mountPath: "/etc/grafana" + - name: grafana-dashboard-volume + mountPath: "/var/lib/grafana/dashboards" + - name: grafana-dashboard-home + mountPath: "/usr/share/grafana/public/dashboards" + volumes: + - name: grafana-config-volume + configMap: + name: grafana-config + items: + - key: dashboards.yaml + path: provisioning/dashboards/dashboards.yaml + - key: datasources.yaml + path: provisioning/datasources/datasources.yaml + - key: grafana.ini + path: grafana.ini + - name: grafana-dashboard-volume + configMap: + name: grafana-dashboards + items: + - key: top.json + path: top.json + - name: grafana-dashboard-home + configMap: + name: grafana-dashboards + items: + - key: top.json + path: home.json +{{- end }} diff --git a/charts/nginx-service-mesh/nginx-service-mesh/0.2.100/templates/jaeger.yaml b/charts/nginx-service-mesh/nginx-service-mesh/0.2.100/templates/jaeger.yaml new file mode 100644 index 000000000..36784672a --- /dev/null +++ b/charts/nginx-service-mesh/nginx-service-mesh/0.2.100/templates/jaeger.yaml 
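Review bot: The `grafana.metrics.builtin.nsm.nginx` ClusterRole grants cluster-wide `get`/`list`/`watch` on `pods`, `services` and `endpoints` to the Grafana ServiceAccount, but nothing in this hunk shows Grafana calling the Kubernetes API — its only inputs are the provisioned dashboards and the datasources file rendered from `configs/grafana-datasources-conf.yaml`, which is not in this chunk. If the datasource is just the in-cluster Prometheus, the ClusterRole and ClusterRoleBinding can be dropped; if Grafana does need them, a comment above the ClusterRole stating why (`# needed because: …`) would keep the next reviewer from asking the same question.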
@@ -0,0 +1,56 @@ +{{- if (and (not .Values.tracing.disable) (eq .Values.tracing.backend "jaeger") (eq .Values.tracing.address "")) }} +--- +apiVersion: v1 +kind: Service +metadata: + name: jaeger + labels: + app.kubernetes.io/name: jaeger + app.kubernetes.io/part-of: nginx-service-mesh +spec: + selector: + app.kubernetes.io/name: jaeger + app.kubernetes.io/part-of: nginx-service-mesh + type: ClusterIP + ports: + - name: frontend + port: 16686 + targetPort: 16686 + - name: collector + port: 6831 + targetPort: 6831 + protocol: UDP +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: jaeger + labels: + app.kubernetes.io/name: jaeger + app.kubernetes.io/part-of: nginx-service-mesh +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: jaeger + app.kubernetes.io/part-of: nginx-service-mesh + template: + metadata: + labels: + app.kubernetes.io/name: jaeger + app.kubernetes.io/part-of: nginx-service-mesh + annotations: + prometheus.io/scrape: 'true' + prometheus.io/port: '16686' + spec: + imagePullSecrets: + - name: {{ include "registry-key-name" . }} + containers: + - name: jaeger + image: {{ include "jaeger.image-server" . }}/all-in-one:1.26.0 + imagePullPolicy: {{ .Values.registry.imagePullPolicy }} + ports: + - containerPort: 16686 + - containerPort: 6831 + protocol: UDP +{{- end }} diff --git a/charts/nginx-service-mesh/nginx-service-mesh/0.2.100/templates/nats.yaml b/charts/nginx-service-mesh/nginx-service-mesh/0.2.100/templates/nats.yaml new file mode 100644 index 000000000..0e269620c --- /dev/null +++ b/charts/nginx-service-mesh/nginx-service-mesh/0.2.100/templates/nats.yaml 
@@ -0,0 +1,146 @@ +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: nats + labels: + app.kubernetes.io/part-of: nginx-service-mesh +imagePullSecrets: +- name: {{ include "registry-key-name" . }} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: nats-config + labels: + app.kubernetes.io/part-of: nginx-service-mesh +data: + nats.conf: {{ .Files.Get "configs/nats.conf" | quote }} +--- +apiVersion: v1 +kind: Service +metadata: + name: nats-server + labels: + app.kubernetes.io/name: nats-server + app.kubernetes.io/part-of: nginx-service-mesh +spec: + selector: + app.kubernetes.io/name: nats-server + app.kubernetes.io/part-of: nginx-service-mesh + clusterIP: None + ports: + - name: client + port: 4222 + - name: monitor + port: 8222 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: nats-server + labels: + app.kubernetes.io/name: nats-server + app.kubernetes.io/part-of: nginx-service-mesh +spec: + selector: + matchLabels: + app.kubernetes.io/name: nats-server + app.kubernetes.io/part-of: nginx-service-mesh + replicas: 1 + template: + metadata: + labels: + app.kubernetes.io/name: nats-server + app.kubernetes.io/part-of: nginx-service-mesh + spec: + serviceAccountName: nats + volumes: + - name: config-volume + configMap: + name: nats-config + - name: pid + emptyDir: {} + - name: tls + emptyDir: {} + - hostPath: + path: "/run/spire/sockets" + type: DirectoryOrCreate + name: spire-agent-socket + shareProcessNamespace: true + terminationGracePeriodSeconds: 60 + imagePullSecrets: + - name: {{ include "registry-key-name" . 
}} + initContainers: + - name: nginx-mesh-cert-reloader-init + image: {{ .Values.registry.server }}/nginx-mesh-cert-reloader:{{ .Values.registry.imageTag }} + imagePullPolicy: {{ .Values.registry.imagePullPolicy }} + volumeMounts: + - name: tls + mountPath: "/etc/ssl" + - name: spire-agent-socket + mountPath: "/run/spire/sockets" + containers: + - name: nginx-mesh-cert-reloader + image: {{ .Values.registry.server }}/nginx-mesh-cert-reloader:{{ .Values.registry.imageTag }} + imagePullPolicy: {{ .Values.registry.imagePullPolicy }} + args: + - "-pid" + - "/var/run/nats/nats.pid" + - "-is-daemon" + volumeMounts: + - name: pid + mountPath: "/var/run/nats" + - name: tls + mountPath: "/etc/ssl" + - name: spire-agent-socket + mountPath: "/run/spire/sockets" + - name: nats-server + image: {{ include "nats.image-server" . }}nats:2.4.0-alpine3.14 + imagePullPolicy: {{ .Values.registry.imagePullPolicy }} + ports: + - containerPort: 4222 + name: client + - containerPort: 8222 + name: monitor + command: + - nats-server + - "--config" + - "/etc/nats-config/nats.conf" + env: + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: CLUSTER_ADVERTISE + value: "$(POD_NAME).nats-server.$(POD_NAMESPACE).svc" + volumeMounts: + - name: config-volume + mountPath: "/etc/nats-config" + - name: pid + mountPath: "/var/run/nats" + - name: tls + mountPath: "/etc/ssl" + livenessProbe: + httpGet: + path: "/" + port: 8222 + initialDelaySeconds: 10 + timeoutSeconds: 5 + readinessProbe: + httpGet: + path: "/" + port: 8222 + initialDelaySeconds: 10 + timeoutSeconds: 5 + lifecycle: + preStop: + exec: + command: + - "/bin/sh" + - "-c" + - "/nats-server -sl=ldm=/var/run/nats/nats.pid && /bin/sleep 60" 
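Review bot: The `spire-agent-socket` volume is a `hostPath` with `type: DirectoryOrCreate`, which means this Deployment (and presumably the other mesh components that reach the SPIRE agent) cannot run in a namespace enforced at the Pod Security `baseline` level, where hostPath volumes are rejected; nothing in the chart text here tells an operator that. A comment on the volume such as `# hostPath is required to reach the SPIRE agent Workload API socket; namespaces running NSM cannot be enforced at PSA baseline/restricted` documents the trade-off. Style: the entry is written as `- hostPath:` followed by `name:`, while every other volume in the list leads with `- name:`.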
diff --git a/charts/nginx-service-mesh/nginx-service-mesh/0.2.100/templates/nginx-mesh-api.yaml b/charts/nginx-service-mesh/nginx-service-mesh/0.2.100/templates/nginx-mesh-api.yaml new file mode 100644 index 000000000..99cce3371 --- /dev/null +++ b/charts/nginx-service-mesh/nginx-service-mesh/0.2.100/templates/nginx-mesh-api.yaml 
@@ -0,0 +1,323 @@ +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: nginx-mesh-api + labels: + app.kubernetes.io/part-of: nginx-service-mesh +imagePullSecrets: +- name: {{ include "registry-key-name" . }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: nginx-mesh-api.internal.builtin.nsm.nginx + labels: + app.kubernetes.io/part-of: nginx-service-mesh +rules: +- apiGroups: + - '' + resources: + - namespaces + verbs: + - get + - list + - watch +- apiGroups: + - '' + resources: + - services + - endpoints + verbs: + - "*" +- apiGroups: + - '' + resources: + - secrets + - pods + verbs: + - create + - get + - list + - watch +- apiGroups: + - '' + resources: + - configmaps + verbs: + - get + - list + - watch + - update +- apiGroups: + - '' + resources: + - events + verbs: + - create + - patch +- apiGroups: + - apps + resources: + - replicasets + verbs: + - get + - list + - watch +- apiGroups: + - split.smi-spec.io + resources: + - trafficsplits + verbs: + - "*" +- apiGroups: + - access.smi-spec.io + resources: + - traffictargets + verbs: + - "*" +- apiGroups: + - specs.smi-spec.io + - specs.smi.nginx.com + resources: + - httproutegroups + - tcproutes + - ratelimits + - circuitbreakers + verbs: + - "*" +- apiGroups: + - admissionregistration.k8s.io + resources: + - mutatingwebhookconfigurations + resourceNames: + - sidecar-injector-webhook-cfg.internal.builtin.nsm.nginx + verbs: + - get + - update +- apiGroups: + - admissionregistration.k8s.io + resources: + - validatingwebhookconfigurations + resourceNames: + - validating-webhook-cfg.internal.builtin.nsm.nginx + verbs: + - get + - update +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: nginx-mesh-api.internal.builtin.nsm.nginx + labels: + app.kubernetes.io/part-of: nginx-service-mesh +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: nginx-mesh-api.internal.builtin.nsm.nginx +subjects: +- kind: 
ServiceAccount + name: nginx-mesh-api + namespace: {{ .Release.Namespace }} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: mesh-config + labels: + app.kubernetes.io/part-of: nginx-service-mesh +binaryData: + mesh-config.json: {{ tpl (.Files.Get "configs/mesh-config.conf") . | b64enc | quote }} +--- +apiVersion: v1 +kind: Service +metadata: + name: nginx-mesh-api + labels: + app.kubernetes.io/part-of: nginx-service-mesh +spec: + type: ClusterIP + ports: + - name: https + port: 443 + targetPort: 8443 + protocol: TCP + selector: + app.kubernetes.io/name: nginx-mesh-api + app.kubernetes.io/part-of: nginx-service-mesh +--- +apiVersion: v1 +kind: Service +metadata: + name: nginx-mesh-webhook + labels: + app.kubernetes.io/name: nginx-mesh-api + app.kubernetes.io/part-of: nginx-service-mesh +spec: + type: ClusterIP + ports: + - name: admission + port: 443 + targetPort: 9443 + protocol: TCP + selector: + app.kubernetes.io/name: nginx-mesh-api + app.kubernetes.io/part-of: nginx-service-mesh +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + name: sidecar-injector-webhook-cfg.internal.builtin.nsm.nginx + labels: + app.kubernetes.io/part-of: nginx-service-mesh + spiffe.io/webhook: "true" +webhooks: +- name: nginx-mesh-api.sidecar.injector + namespaceSelector: + matchExpressions: + - key: injector.nsm.nginx.com/auto-inject + operator: NotIn + values: + - 'false' + clientConfig: + service: + name: nginx-mesh-webhook + namespace: {{ .Release.Namespace }} + path: "/inject" + sideEffects: None + admissionReviewVersions: + - v1 + - v1beta1 + rules: + - apiGroups: + - '' + apiVersions: + - v1 + operations: + - CREATE + resources: + - pods +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + name: validating-webhook-cfg.internal.builtin.nsm.nginx + labels: + app.kubernetes.io/part-of: nginx-service-mesh + spiffe.io/webhook: "true" +webhooks: +- name: 
nginx-mesh-api.policy.validator + clientConfig: + service: + name: nginx-mesh-webhook + namespace: {{ .Release.Namespace }} + path: "/validate" + sideEffects: None + admissionReviewVersions: + - v1 + - v1beta1 + rules: + - apiGroups: + - split.smi-spec.io + apiVersions: + - "*" + operations: + - CREATE + - UPDATE + - DELETE + resources: + - trafficsplits + - apiGroups: + - specs.smi-spec.io + apiVersions: + - "*" + operations: + - CREATE + - UPDATE + resources: + - httproutegroups + - apiGroups: + - specs.smi.nginx.com + apiVersions: + - "*" + operations: + - CREATE + - UPDATE + - DELETE + resources: + - circuitbreakers + - ratelimits +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: nginx-mesh-api + labels: + app.kubernetes.io/name: nginx-mesh-api + app.kubernetes.io/part-of: nginx-service-mesh +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: nginx-mesh-api + app.kubernetes.io/part-of: nginx-service-mesh + template: + metadata: + labels: + app.kubernetes.io/name: nginx-mesh-api + app.kubernetes.io/part-of: nginx-service-mesh + spec: + serviceAccountName: nginx-mesh-api + containers: + - name: nginx-mesh-api + image: {{ .Values.registry.server }}/nginx-mesh-api:{{ .Values.registry.imageTag }} + imagePullPolicy: {{ .Values.registry.imagePullPolicy }} + args: + - "-meshconfig=/etc/config/mesh-config.json" + - "-logtostderr" + - "-v=3" + env: + - name: PULL_POLICY + value: {{ .Values.registry.imagePullPolicy }} + - name: MY_UID + valueFrom: + fieldRef: + fieldPath: metadata.uid + - name: MY_POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: MY_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + readinessProbe: + httpGet: + path: "/healthz" + port: 8081 + initialDelaySeconds: 5 + periodSeconds: 10 + failureThreshold: 30 + livenessProbe: + httpGet: + path: "/healthz" + port: 8081 + initialDelaySeconds: 5 + periodSeconds: 10 + failureThreshold: 30 + volumeMounts: + - name: config-volume + 
mountPath: "/etc/config" + - name: spire-agent-socket + mountPath: "/run/spire/sockets" + volumes: + - name: config-volume + configMap: + name: mesh-config + items: + - key: mesh-config.json + path: mesh-config.json + - name: spire-agent-socket + hostPath: + path: "/run/spire/sockets" + type: DirectoryOrCreate diff --git a/charts/nginx-service-mesh/nginx-service-mesh/0.2.100/templates/nginx-mesh-metrics.yaml b/charts/nginx-service-mesh/nginx-service-mesh/0.2.100/templates/nginx-mesh-metrics.yaml new file mode 100644 index 000000000..b68f17b57 --- /dev/null +++ b/charts/nginx-service-mesh/nginx-service-mesh/0.2.100/templates/nginx-mesh-metrics.yaml 
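Review bot: The nginx-mesh-api ClusterRole grants `create`, `get`, `list` and `watch` on `secrets` in every namespace, so this service account can read any Secret in the cluster; unlike the two webhook-configuration rules at the end of the same role, nothing narrows it with `resourceNames`. If the controller only needs the secrets it creates itself, say so with a comment above the rule (`# secrets: created/read for <purpose> — TODO confirm whether resourceNames or a namespaced Role can bound this`) and tighten the verbs once the need is confirmed. None of the Deployments in this commit (this one, nginx-mesh-metrics, prometheus, spire-server) set a pod or container `securityContext`, and this pod additionally mounts the host directory `/run/spire/sockets`; adding at least `runAsNonRoot: true` and `allowPrivilegeEscalation: false` where the images permit would be a cheap hardening. The MutatingWebhookConfiguration's `clientConfig` has no `caBundle`; presumably the `spiffe.io/webhook: "true"` label marks it for runtime injection, which is worth a one-line comment next to the label.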
@@ -0,0 +1,157 @@ +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: nginx-mesh-metrics + labels: + app.kubernetes.io/part-of: nginx-service-mesh +imagePullSecrets: +- name: {{ include "registry-key-name" . }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: nginx-mesh-metrics.internal.builtin.nsm.nginx + labels: + app.kubernetes.io/part-of: nginx-service-mesh +rules: +- apiGroups: + - '' + resources: + - pods + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: nginx-mesh-metrics.internal.builtin.nsm.nginx + labels: + app.kubernetes.io/part-of: nginx-service-mesh +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: nginx-mesh-metrics.internal.builtin.nsm.nginx +subjects: +- kind: ServiceAccount + name: nginx-mesh-metrics + namespace: {{ .Release.Namespace }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: nginx-mesh-metrics-svc.internal.builtin.nsm.nginx + labels: + app.kubernetes.io/part-of: nginx-service-mesh +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: system:auth-delegator +subjects: +- kind: ServiceAccount + name: nginx-mesh-metrics + namespace: {{ .Release.Namespace }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: nginx-mesh-metrics-svc.internal.builtin.nsm.nginx + labels: + app.kubernetes.io/part-of: nginx-service-mesh +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: extension-apiserver-authentication-reader +subjects: +- kind: ServiceAccount + name: nginx-mesh-metrics + namespace: {{ .Release.Namespace }} +--- +apiVersion: v1 +kind: Service +metadata: + name: nginx-mesh-metrics-svc + labels: + app.kubernetes.io/name: nginx-mesh-metrics + app.kubernetes.io/part-of: nginx-service-mesh +spec: + type: ClusterIP + ports: + - name: http + port: 443 + targetPort: metrics + protocol: TCP + selector: + 
app.kubernetes.io/name: nginx-mesh-metrics + app.kubernetes.io/part-of: nginx-service-mesh +--- +apiVersion: apiregistration.k8s.io/v1 +kind: APIService +metadata: + name: v1alpha1.metrics.smi-spec.io + labels: + app.kubernetes.io/name: nginx-mesh-metrics + app.kubernetes.io/part-of: nginx-service-mesh + spiffe.io/apiservice: "true" +spec: + service: + name: nginx-mesh-metrics-svc + namespace: {{ .Release.Namespace }} + group: metrics.smi-spec.io + version: v1alpha1 + groupPriorityMinimum: 100 + versionPriority: 100 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: nginx-mesh-metrics + labels: + app.kubernetes.io/name: nginx-mesh-metrics + app.kubernetes.io/part-of: nginx-service-mesh +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: nginx-mesh-metrics + app.kubernetes.io/part-of: nginx-service-mesh + template: + metadata: + labels: + app.kubernetes.io/name: nginx-mesh-metrics + app.kubernetes.io/part-of: nginx-service-mesh + spec: + serviceAccountName: nginx-mesh-metrics + containers: + - name: nginx-mesh-metrics + image: {{ .Values.registry.server }}/nginx-mesh-metrics:{{ .Values.registry.imageTag }} + imagePullPolicy: {{ .Values.registry.imagePullPolicy }} + args: + - "--prometheus-address={{ include "prometheus.address" . }}" + readinessProbe: + httpGet: + scheme: HTTPS + path: "/liveness" + port: 8080 + initialDelaySeconds: 5 + periodSeconds: 10 + failureThreshold: 30 + livenessProbe: + httpGet: + scheme: HTTPS + path: "/liveness" + port: 8080 + initialDelaySeconds: 5 + periodSeconds: 10 + failureThreshold: 30 + ports: + - name: metrics + containerPort: 8080 + volumeMounts: + - name: spire-agent-socket + mountPath: "/run/spire/sockets" + volumes: + - name: spire-agent-socket + hostPath: + path: "/run/spire/sockets" + type: DirectoryOrCreate 
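Review bot: The `v1alpha1.metrics.smi-spec.io` APIService sets neither `caBundle` nor `insecureSkipTLSVerify`, so as rendered the aggregation layer has no trust anchor for the metrics backend's serving certificate; the `spiffe.io/apiservice: "true"` label suggests a controller fills it in at runtime, but that is an inference. A comment above `spec:` such as `# caBundle is populated at runtime by the SPIRE-side controller that watches the spiffe.io/apiservice label — TODO confirm` would record the dependency, since a broken injection leaves the aggregated API unverifiable rather than failing loudly at install. The Service port on 443 is named `http` although the probes show the container serves HTTPS on the `metrics` port; naming it `https` keeps the manifest accurate for readers and for tools that infer protocol from port names. The readiness probe reuses the `/liveness` path, which is fine only if that handler also reflects readiness to serve; a short comment, or a distinct readiness path if one exists, would remove the doubt.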
diff --git a/charts/nginx-service-mesh/nginx-service-mesh/0.2.100/templates/post-delete-hook.yaml b/charts/nginx-service-mesh/nginx-service-mesh/0.2.100/templates/post-delete-hook.yaml new file mode 100644 index 000000000..61c2c7524 --- /dev/null +++ b/charts/nginx-service-mesh/nginx-service-mesh/0.2.100/templates/post-delete-hook.yaml 
@@ -0,0 +1,144 @@ +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: post-delete + labels: + app.kubernetes.io/part-of: nginx-service-mesh + annotations: + "helm.sh/hook": post-delete + "helm.sh/hook-delete-policy": hook-succeeded,hook-failed + "helm.sh/hook-weight": "-5" +imagePullSecrets: +- name: {{ include "registry-key-name" . }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: post-delete.builtin.nsm.nginx + labels: + app.kubernetes.io/part-of: nginx-service-mesh + annotations: + "helm.sh/hook": post-delete + "helm.sh/hook-delete-policy": hook-succeeded,hook-failed + "helm.sh/hook-weight": "-5" +rules: +- apiGroups: + - '' + resources: + - namespaces + verbs: + - get + - list + - patch +- apiGroups: + - spiffeid.spiffe.io + resources: + - spiffeids + verbs: + - get + - list + - patch + - update +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: post-delete.builtin.nsm.nginx + labels: + app.kubernetes.io/part-of: nginx-service-mesh + annotations: + "helm.sh/hook": post-delete + "helm.sh/hook-delete-policy": hook-succeeded,hook-failed + "helm.sh/hook-weight": "-5" +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: post-delete.builtin.nsm.nginx +subjects: +- kind: ServiceAccount + name: post-delete + namespace: {{ .Release.Namespace }} +{{- if (include "docker-config-json" .) }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "registry-key-name" . }} + labels: + app.kubernetes.io/part-of: nginx-service-mesh + annotations: + "helm.sh/hook": post-delete + "helm.sh/hook-delete-policy": hook-succeeded,hook-failed + "helm.sh/hook-weight": "-5" +data: + .dockerconfigjson: {{ include "docker-config-json" . 
| b64enc }} +type: kubernetes.io/dockerconfigjson +{{- end }} +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: remove-spiffeids + labels: + app.kubernetes.io/part-of: nginx-service-mesh + annotations: + "helm.sh/hook": post-delete + "helm.sh/hook-delete-policy": hook-succeeded,hook-failed + "helm.sh/hook-weight": "0" +spec: + template: + metadata: + name: remove-spiffeids + spec: + restartPolicy: Never + serviceAccountName: post-delete + containers: + - name: remove-spiffeids + image: {{ include "hook.image-server" . }}/kubectl + imagePullPolicy: {{ .Values.registry.imagePullPolicy }} + command: + - /bin/sh + - -c + - | + for ns in $(kubectl get ns | awk '{print $1}' | tail -n +2); do + if [ $(kubectl get spiffeids -n $ns 2>/dev/null | wc -l) -ne 0 ]; then + kubectl patch spiffeid $(kubectl get spiffeids -n $ns | awk '{print $1}' | tail -n +2) --type='merge' -p '{"metadata":{"finalizers":null}}' -n $ns + fi + done +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: remove-namespace-label + labels: + app.kubernetes.io/part-of: nginx-service-mesh + annotations: + "helm.sh/hook": post-delete + "helm.sh/hook-delete-policy": hook-succeeded,hook-failed + "helm.sh/hook-weight": "0" +spec: + template: + metadata: + name: remove-namespace-label + spec: + restartPolicy: Never + serviceAccountName: post-delete + containers: + - name: remove-namespace-label + image: {{ include "hook.image-server" . 
}}/kubectl + imagePullPolicy: {{ .Values.registry.imagePullPolicy }} + command: + - /bin/sh + - -c + - | + kubectl label namespace kube-system injector.nsm.nginx.com/auto-inject- + kubectl label namespace {{ .Release.Namespace }} injector.nsm.nginx.com/auto-inject- app.kubernetes.io/part-of- + {{- if .Values.rancher }} + kubectl label namespace ingress-nginx cert-manager injector.nsm.nginx.com/auto-inject- + for ns in $(kubectl get ns | awk '{print $1}' | tail -n +2); do + case "$ns" in + cattle-*) kubectl label namespace $ns injector.nsm.nginx.com/auto-inject- ;; + esac + done + {{- end }} diff --git a/charts/nginx-service-mesh/nginx-service-mesh/0.2.100/templates/pre-delete-hook.yaml b/charts/nginx-service-mesh/nginx-service-mesh/0.2.100/templates/pre-delete-hook.yaml new file mode 100644 index 000000000..f53286921 --- /dev/null +++ b/charts/nginx-service-mesh/nginx-service-mesh/0.2.100/templates/pre-delete-hook.yaml @@ -0,0 +1,29 @@ +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: turn-proxies-transparent + labels: + app.kubernetes.io/part-of: nginx-service-mesh + annotations: + "helm.sh/hook": pre-delete + "helm.sh/hook-delete-policy": hook-succeeded,hook-failed + "helm.sh/hook-weight": "0" +spec: + template: + metadata: + name: turn-proxies-transparent + spec: + restartPolicy: Never + containers: + - name: turn-proxies-transparent + image: {{ include "hook.image-server" . }}/kubectl + imagePullPolicy: {{ .Values.registry.imagePullPolicy }} + command: + - /bin/sh + - -c + - | + curl -m 30 -k https://nginx-mesh-api.{{ .Release.Namespace }}.svc:443/clear -X POST + exit 0 + imagePullSecrets: + - name: {{ include "registry-key-name" . }} diff --git a/charts/nginx-service-mesh/nginx-service-mesh/0.2.100/templates/pre-install-hook.yaml b/charts/nginx-service-mesh/nginx-service-mesh/0.2.100/templates/pre-install-hook.yaml new file mode 100644 index 000000000..11f102ca7 --- /dev/null 
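Review bot: The `remove-spiffeids` and `remove-namespace-label` Jobs set no `backoffLimit` or `activeDeadlineSeconds`, so a pod that is stuck pulling the kubectl image or waiting on the API server never completes and `helm uninstall` blocks on the hook until its own timeout; the Jobs in the pre-delete and pre-install hooks have the same shape. Adding `backoffLimit: 1` and `activeDeadlineSeconds: 300` under each Job's `spec:` bounds the wait, and because `helm.sh/hook-delete-policy` already includes `hook-failed` the failed Job is still cleaned up. The scripts run without `set -e`, so a failed `kubectl patch` inside the loop is masked by later iterations and the hook reports success; if that is intentional best-effort cleanup, a first line `# best-effort cleanup: individual kubectl failures are ignored` makes it explicit. The finalizer-stripping loop acts on every namespace it can list, which is why the post-delete ClusterRole needs cluster-wide `patch` on `spiffeids`; a comment above that rule tying it to this Job would help the next reviewer judge the scope.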
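Review bot: The `turn-proxies-transparent` Job posts to `https://nginx-mesh-api.{{ .Release.Namespace }}.svc:443/clear` with `curl -k` and no client certificate or token, so the request neither verifies the API server's identity nor presents one of its own; whether it is accepted depends entirely on how nginx-mesh-api guards `/clear`, which this hunk cannot show. If the API requires mesh mTLS this hook cannot succeed; if it does not, `/clear` is a state-changing endpoint reachable by any in-cluster client, and that trade-off should be recorded here, e.g. `# /clear is called unauthenticated from outside the mesh — confirm the API restricts this endpoint`. Once a CA bundle is available to the hook pod, `-k` should give way to `--cacert <path>`. The container image is the chart's `kubectl` image but the command is `curl`; a comment that the image is expected to ship curl avoids a silent failure that the trailing `exit 0` would hide.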
+++ b/charts/nginx-service-mesh/nginx-service-mesh/0.2.100/templates/pre-install-hook.yaml 
@@ -0,0 +1,104 @@ +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: pre-install + labels: + app.kubernetes.io/part-of: nginx-service-mesh + annotations: + "helm.sh/hook": pre-install + "helm.sh/hook-delete-policy": hook-succeeded,hook-failed + "helm.sh/hook-weight": "-5" +imagePullSecrets: +- name: {{ include "registry-key-name" . }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: pre-install.builtin.nsm.nginx + labels: + app.kubernetes.io/part-of: nginx-service-mesh + annotations: + "helm.sh/hook": pre-install + "helm.sh/hook-delete-policy": hook-succeeded,hook-failed + "helm.sh/hook-weight": "-5" +rules: +- apiGroups: + - '' + resources: + - namespaces + verbs: + - get + - list + - patch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: pre-install.builtin.nsm.nginx + labels: + app.kubernetes.io/part-of: nginx-service-mesh + annotations: + "helm.sh/hook": pre-install + "helm.sh/hook-delete-policy": hook-succeeded,hook-failed + "helm.sh/hook-weight": "-5" +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: pre-install.builtin.nsm.nginx +subjects: +- kind: ServiceAccount + name: pre-install + namespace: {{ .Release.Namespace }} +{{- if (include "docker-config-json" .) }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "registry-key-name" . }} + labels: + app.kubernetes.io/part-of: nginx-service-mesh + annotations: + "helm.sh/hook": pre-install + "helm.sh/hook-delete-policy": hook-succeeded,hook-failed + "helm.sh/hook-weight": "-5" +data: + .dockerconfigjson: {{ include "docker-config-json" . 
| b64enc }} +type: kubernetes.io/dockerconfigjson +{{- end }} +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: label-namespace + labels: + app.kubernetes.io/part-of: nginx-service-mesh + annotations: + "helm.sh/hook": pre-install + "helm.sh/hook-delete-policy": hook-succeeded,hook-failed + "helm.sh/hook-weight": "0" +spec: + template: + metadata: + name: label-namespace + spec: + restartPolicy: Never + serviceAccountName: pre-install + containers: + - name: label-namespace + image: {{ include "hook.image-server" . }}/kubectl + imagePullPolicy: {{ .Values.registry.imagePullPolicy }} + command: + - /bin/sh + - -c + - | + kubectl label namespace kube-system injector.nsm.nginx.com/auto-inject=false + kubectl label namespace {{ .Release.Namespace }} injector.nsm.nginx.com/auto-inject=false app.kubernetes.io/part-of=nginx-service-mesh + {{- if .Values.rancher }} + kubectl label namespace ingress-nginx cert-manager injector.nsm.nginx.com/auto-inject=false + for ns in $(kubectl get ns | awk '{print $1}' | tail -n +2); do + case "$ns" in + cattle-*) kubectl label namespace $ns injector.nsm.nginx.com/auto-inject=false ;; + esac + done + {{- end }} diff --git a/charts/nginx-service-mesh/nginx-service-mesh/0.2.100/templates/prometheus.yaml b/charts/nginx-service-mesh/nginx-service-mesh/0.2.100/templates/prometheus.yaml new file mode 100644 index 000000000..25da2d6d6 --- /dev/null +++ b/charts/nginx-service-mesh/nginx-service-mesh/0.2.100/templates/prometheus.yaml 
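Review bot: Under `.Values.rancher`, `kubectl label namespace ingress-nginx cert-manager ...` fails as a unit when either namespace is absent, and because the script has no `set -e` and its exit status comes from the trailing `for` loop, the missing label goes unnoticed while the hook reports success; the `remove-namespace-label` script in the post-delete hook has the same structure. Labelling each namespace separately and skipping absent ones makes the outcome deterministic, e.g. `for ns in ingress-nginx cert-manager; do kubectl get ns "$ns" >/dev/null 2>&1 && kubectl label namespace "$ns" injector.nsm.nginx.com/auto-inject=false; done`. `kubectl label` without `--overwrite` errors when the key is already present on the object, so a reinstall into a cluster that still carries these labels may need `--overwrite` on each call; worth verifying on a reinstall path. A comment at the top of the script explaining why `kube-system` and the release namespace are opted out of injection (`# opt out infrastructure namespaces so the injector webhook never touches them`) would also help.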
@@ -0,0 +1,114 @@ +{{- if eq .Values.prometheusAddress "" }} +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: prometheus + labels: + app.kubernetes.io/part-of: nginx-service-mesh +imagePullSecrets: +- name: {{ include "registry-key-name" . }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: prometheus.metrics.builtin.nsm.nginx + labels: + app.kubernetes.io/part-of: nginx-service-mesh +rules: +- apiGroups: + - '' + resources: + - services + - endpoints + - pods + verbs: + - get + - list + - watch +- nonResourceURLs: + - "/metrics" + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: prometheus.metrics.builtin.nsm.nginx + labels: + app.kubernetes.io/part-of: nginx-service-mesh +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: prometheus.metrics.builtin.nsm.nginx +subjects: +- kind: ServiceAccount + name: prometheus + namespace: {{ .Release.Namespace }} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: prometheus-configuration + labels: + app.kubernetes.io/part-of: nginx-service-mesh +binaryData: + prometheus.yaml: {{ .Files.Get "configs/prometheus-config.yaml" | b64enc }} +--- +apiVersion: v1 +kind: Service +metadata: + name: prometheus + labels: + app.kubernetes.io/name: prometheus + app.kubernetes.io/part-of: nginx-service-mesh +spec: + selector: + app.kubernetes.io/name: prometheus + app.kubernetes.io/part-of: nginx-service-mesh + type: ClusterIP + ports: + - port: 9090 + targetPort: 9090 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: prometheus + labels: + app.kubernetes.io/name: prometheus + app.kubernetes.io/part-of: nginx-service-mesh +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: prometheus + app.kubernetes.io/part-of: nginx-service-mesh + template: + metadata: + labels: + app.kubernetes.io/name: prometheus + app.kubernetes.io/part-of: nginx-service-mesh + spec: + 
serviceAccountName: prometheus + containers: + - name: prometheus + image: {{ include "prometheus.image-server" . }}/prometheus:v2.20.1 + imagePullPolicy: {{ .Values.registry.imagePullPolicy }} + args: + - "--config.file=/etc/prometheus/prometheus.yaml" + - "--storage.tsdb.path=/prometheus/" + ports: + - containerPort: 9090 + volumeMounts: + - name: prometheus-config-volume + mountPath: "/etc/prometheus" + - name: prometheus-storage-volume + mountPath: "/prometheus/" + volumes: + - name: prometheus-config-volume + configMap: + name: prometheus-configuration + - name: prometheus-storage-volume + emptyDir: {} +{{- end }} diff --git a/charts/nginx-service-mesh/nginx-service-mesh/0.2.100/templates/registry-key.yaml b/charts/nginx-service-mesh/nginx-service-mesh/0.2.100/templates/registry-key.yaml new file mode 100644 index 000000000..beee39c5e --- /dev/null +++ b/charts/nginx-service-mesh/nginx-service-mesh/0.2.100/templates/registry-key.yaml @@ -0,0 +1,12 @@ +{{- if (include "docker-config-json" .) }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "registry-key-name" . }} + labels: + app.kubernetes.io/part-of: nginx-service-mesh +data: + .dockerconfigjson: {{ include "docker-config-json" . | b64enc }} +type: kubernetes.io/dockerconfigjson +{{- end }} diff --git a/charts/nginx-service-mesh/nginx-service-mesh/0.2.100/templates/spire-agent.yaml b/charts/nginx-service-mesh/nginx-service-mesh/0.2.100/templates/spire-agent.yaml new file mode 100644 index 000000000..f553fae12 --- /dev/null +++ b/charts/nginx-service-mesh/nginx-service-mesh/0.2.100/templates/spire-agent.yaml 
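Review bot: The Prometheus pod reads its configuration from the `prometheus-configuration` ConfigMap but has no reload path: `--web.enable-lifecycle` is not set (good, it keeps the reload and quit endpoints off an unauthenticated port) and the pod template carries no annotation that changes with the config, so editing `configs/prometheus-config.yaml` and upgrading leaves the running instance on the old scrape config. Adding `checksum/config: {{ .Files.Get "configs/prometheus-config.yaml" | sha256sum }}` under the pod template's `metadata.annotations` forces a rollout on config change. The built-in instance is exposed on ClusterIP 9090 with no authentication and stores data in an `emptyDir`; a comment at the top of the file stating that this is an in-cluster convenience instance, and that `prometheusAddress` should point at a managed one in production, would set expectations for operators. The ClusterRole itself is tight (read-only on pods/services/endpoints plus `/metrics`) and should stay that way.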
@@ -0,0 +1,141 @@ +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: spire-agent + labels: + app.kubernetes.io/part-of: nginx-service-mesh +imagePullSecrets: +- name: {{ include "registry-key-name" . }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: spire-agent.security.builtin.nsm.nginx + labels: + app.kubernetes.io/part-of: nginx-service-mesh +rules: +- apiGroups: + - '' + resources: + - pods + - nodes + - nodes/proxy + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: spire-agent.security.builtin.nsm.nginx + labels: + app.kubernetes.io/part-of: nginx-service-mesh +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: spire-agent.security.builtin.nsm.nginx +subjects: +- kind: ServiceAccount + name: spire-agent + namespace: {{ .Release.Namespace }} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: spire-agent + labels: + app.kubernetes.io/part-of: nginx-service-mesh +data: + agent.conf: {{ tpl (.Files.Get "configs/spire-agent.conf") . | quote }} +--- +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: spire-agent + labels: + app.kubernetes.io/name: spire-agent + app.kubernetes.io/part-of: nginx-service-mesh +spec: + selector: + matchLabels: + app.kubernetes.io/name: spire-agent + app.kubernetes.io/part-of: nginx-service-mesh + template: + metadata: + labels: + app.kubernetes.io/name: spire-agent + app.kubernetes.io/part-of: nginx-service-mesh + spec: + serviceAccountName: spire-agent + hostPID: true + hostNetwork: true + dnsPolicy: ClusterFirstWithHostNet + initContainers: + - name: init + image: {{ include "spire.image-server" . }}/wait-for-it + args: + - "-t" + - '30' + - spire-server:8081 + containers: + - name: spire-agent + image: {{ include "spire.image-server" . 
}}/spire-agent:1.0.2 + imagePullPolicy: {{ .Values.registry.imagePullPolicy }} + args: + - "-config" + - "/run/spire/config/agent.conf" + env: + - name: MY_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + volumeMounts: + - name: spire-config + mountPath: "/run/spire/config" + readOnly: true + - name: spire-bundle + mountPath: "/run/spire/bundle" + - name: spire-agent-socket + mountPath: "/run/spire/sockets" + readOnly: false + - name: spire-token + mountPath: "/var/run/secrets/tokens" + livenessProbe: + exec: + command: + - "/opt/spire/bin/spire-agent" + - healthcheck + - "-shallow" + - "-socketPath" + - "/run/spire/sockets/agent.sock" + failureThreshold: 2 + initialDelaySeconds: 15 + periodSeconds: 60 + timeoutSeconds: 3 + readinessProbe: + exec: + command: + - "/opt/spire/bin/spire-agent" + - healthcheck + - "-socketPath" + - "/run/spire/sockets/agent.sock" + initialDelaySeconds: 5 + periodSeconds: 5 + volumes: + - name: spire-config + configMap: + name: spire-agent + - name: spire-bundle + configMap: + name: spire-bundle + - name: spire-agent-socket + hostPath: + path: "/run/spire/sockets" + type: DirectoryOrCreate + - name: spire-token + projected: + sources: + - serviceAccountToken: + audience: spire-server + expirationSeconds: 7200 + path: spire-agent diff --git a/charts/nginx-service-mesh/nginx-service-mesh/0.2.100/templates/spire-server.yaml b/charts/nginx-service-mesh/nginx-service-mesh/0.2.100/templates/spire-server.yaml new file mode 100644 index 000000000..6048d49b0 --- /dev/null +++ b/charts/nginx-service-mesh/nginx-service-mesh/0.2.100/templates/spire-server.yaml 
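Review bot: The `init` container's image `{{ include "spire.image-server" . }}/wait-for-it` has no tag and no `imagePullPolicy`, unlike every other container in the commit, so it resolves to `:latest` and Kubernetes pulls it on every pod start regardless of `.Values.registry.imagePullPolicy`; pin it (`wait-for-it:<tag the registry actually publishes>`) and add `imagePullPolicy: {{ .Values.registry.imagePullPolicy }}`. The DaemonSet combines `hostPID: true`, `hostNetwork: true`, a writable `hostPath` socket directory and a ClusterRole including `nodes/proxy`; each is plausibly required by SPIRE workload attestation, but the manifest does not say which attestor needs which, and a comment above `hostPID:` such as `# hostPID/hostNetwork and nodes/proxy are needed by the SPIRE workload attestor — TODO name the attestor` stops a later change from trimming or extending them blindly. The `spire-agent-socket` hostPath with `DirectoryOrCreate` is what lets sidecars reach the agent for SVIDs, and belongs in that same comment. The projected token with `audience: spire-server` and `expirationSeconds: 7200` is the right shape and needs no change.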
@@ -0,0 +1,466 @@ +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: spire-server + labels: + app.kubernetes.io/part-of: nginx-service-mesh +imagePullSecrets: +- name: {{ include "registry-key-name" . }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: spire-server.security.builtin.nsm.nginx + labels: + app.kubernetes.io/part-of: nginx-service-mesh +rules: +- apiGroups: + - '' + resources: + - pods + - nodes + verbs: + - get +- apiGroups: + - '' + resources: + - configmaps + resourceNames: + - spire-bundle + verbs: + - get + - patch +- apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create +- apiGroups: + - apiregistration.k8s.io + resources: + - apiservices + verbs: + - get + - list + - patch + - watch +- apiGroups: + - admissionregistration.k8s.io + resources: + - mutatingwebhookconfigurations + - validatingwebhookconfigurations + verbs: + - get + - list + - patch + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: spire-server.security.builtin.nsm.nginx + labels: + app.kubernetes.io/part-of: nginx-service-mesh +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: spire-server.security.builtin.nsm.nginx +subjects: +- kind: ServiceAccount + name: spire-server + namespace: {{ .Release.Namespace }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: k8s-workload-registrar.security.builtin.nsm.nginx + labels: + app.kubernetes.io/part-of: nginx-service-mesh +rules: +- apiGroups: + - '' + resources: + - endpoints + - pods + - nodes + verbs: + - get + - list + - watch +- apiGroups: + - spiffeid.spiffe.io + resources: + - spiffeids + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - spiffeid.spiffe.io + resources: + - spiffeids/status + verbs: + - get + - patch + - update +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding 
+metadata: + name: k8s-workload-registrar.security.builtin.nsm.nginx + labels: + app.kubernetes.io/part-of: nginx-service-mesh +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: k8s-workload-registrar.security.builtin.nsm.nginx +subjects: +- kind: ServiceAccount + name: spire-server + namespace: {{ .Release.Namespace }} +{{- if (or (include "ua-secret-name" .) (include "ua-vault-env-name" .)) }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: spire-server + labels: + app.kubernetes.io/part-of: nginx-service-mesh +type: Opaque +data: + {{- if (include "ua-secret-name" .) }} + {{ include "ua-secret-name" . }}: {{ include "ua-upstream-key" . }}{{ end }} + {{- if (include "ua-vault-env-name" .) }} + {{ include "ua-vault-env-name" . }}: {{ include "ua-vault-env-value" . }}{{ end }} +{{- end }} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: spire-bundle + labels: + app.kubernetes.io/part-of: nginx-service-mesh +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: spire-server + labels: + app.kubernetes.io/part-of: nginx-service-mesh +data: + server.conf: {{ tpl (.Files.Get "configs/spire-server.conf") . | quote }} + {{ if (include "ua-upstream-cert" .) -}} + {{ include "ua-upstream-cert" . }}{{ end }} + {{ if (include "ua-upstream-client-cert" .) -}} + {{ include "ua-upstream-client-cert" . }}{{ end }} + {{ if (include "ua-upstream-bundle" .) -}} + {{ include "ua-upstream-bundle" . }}{{ end }} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: k8s-workload-registrar + labels: + app.kubernetes.io/part-of: nginx-service-mesh +data: + k8s-workload-registrar.conf: {{ tpl (.Files.Get "configs/k8s-workload-registrar.conf") . 
| quote }} +--- +{{- $caKey := genPrivateKey "ecdsa"}} +{{- $caCrt := genCAWithKey "K8S WORKLOAD REGISTRAR CA" 9999 $caKey }} +{{- $serverKey := genPrivateKey "ecdsa" }} +{{- $serverCrt := genSignedCertWithKey "K8S WORKLOAD REGISTRAR SERVER" nil (list (printf "k8s-workload-registrar.%s.svc" .Release.Namespace )) 9999 $caCrt $serverKey }} +apiVersion: v1 +kind: Secret +metadata: + name: k8s-workload-registrar-secret + labels: + app.kubernetes.io/part-of: nginx-service-mesh +type: Opaque +data: + tls.crt: {{ b64enc $serverCrt.Cert | quote }} + tls.key: {{ b64enc $serverKey | quote }} +--- +apiVersion: v1 +kind: Service +metadata: + name: spire-server + labels: + app.kubernetes.io/name: spire-server + app.kubernetes.io/part-of: nginx-service-mesh +spec: + type: ClusterIP + ports: + - name: grpc + protocol: TCP + port: 8081 + targetPort: 8081 + selector: + app.kubernetes.io/name: spire-server + app.kubernetes.io/part-of: nginx-service-mesh +--- +apiVersion: v1 +kind: Service +metadata: + name: k8s-workload-registrar + labels: + app.kubernetes.io/name: k8s-workload-registrar + app.kubernetes.io/part-of: nginx-service-mesh +spec: + ports: + - name: webhook + protocol: TCP + port: 443 + targetPort: 9443 + selector: + app.kubernetes.io/name: spire-server +--- +apiVersion: admissionregistration.k8s.io/v1beta1 +kind: ValidatingWebhookConfiguration +metadata: + name: k8s-workload-registrar.security.builtin.nsm.nginx + labels: + app.kubernetes.io/part-of: nginx-service-mesh +webhooks: +- name: k8s-workload-registrar.{{ .Release.Namespace }}.svc + clientConfig: + caBundle: {{ b64enc $caCrt.Cert | quote }} + service: + name: k8s-workload-registrar + namespace: {{ .Release.Namespace }} + path: "/validate-spiffeid-spiffe-io-v1beta1-spiffeid" + rules: + - apiGroups: + - spiffeid.spiffe.io + apiVersions: + - v1beta1 + operations: + - CREATE + - UPDATE + - DELETE + resources: + - spiffeids + scope: Namespaced +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition 
+metadata: + name: spiffeids.spiffeid.spiffe.io + labels: + app.kubernetes.io/part-of: nginx-service-mesh +spec: + group: spiffeid.spiffe.io + scope: Namespaced + names: + kind: SpiffeID + listKind: SpiffeIDList + plural: spiffeids + singular: spiffeid + versions: + - name: v1beta1 + served: true + storage: true + subresources: + status: {} + schema: + openAPIV3Schema: + type: object + properties: + apiVersion: + type: string + kind: + type: string + metadata: + type: object + spec: + type: object + properties: + dnsNames: + type: array + items: + type: string + parentId: + type: string + selector: + type: object + properties: + arbitrary: + items: + type: string + type: array + containerImage: + type: string + containerName: + type: string + namespace: + type: string + nodeName: + type: string + podLabel: + additionalProperties: + type: string + type: object + podName: + type: string + podUid: + type: string + serviceAccount: + type: string + cluster: + type: string + agent_node_uid: + type: string + spiffeId: + type: string + required: + - parentId + - selector + - spiffeId + status: + type: object + properties: + entryId: + type: string +--- +apiVersion: apps/v1 +{{- if eq .Values.mtls.persistentStorage "on" }} +kind: StatefulSet +{{- else }} +kind: Deployment +{{- end }} +metadata: + name: spire-server + labels: + app.kubernetes.io/name: spire-server + app.kubernetes.io/part-of: nginx-service-mesh +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: spire-server + app.kubernetes.io/part-of: nginx-service-mesh + {{- if eq .Values.mtls.persistentStorage "on" }} + serviceName: spire-server + {{- end }} + template: + metadata: + labels: + app.kubernetes.io/name: spire-server + app.kubernetes.io/part-of: nginx-service-mesh + spec: + serviceAccountName: spire-server + shareProcessNamespace: true + containers: + - name: spire-server + image: {{ include "spire.image-server" . 
}}/spire-server:1.0.2 + imagePullPolicy: {{ .Values.registry.imagePullPolicy }} + args: + - '-config' + - /run/spire/config/server.conf + ports: + - name: spire-server + protocol: TCP + containerPort: 8081 + {{- if (include "ua-vault-env-name" .) }} + env: + - name: {{ include "ua-vault-env-name" . }} + valueFrom: + secretKeyRef: + name: spire-server + key: {{ include "ua-vault-env-name" . }} + {{- end }} + volumeMounts: + - name: spire-config + mountPath: /run/spire/config + readOnly: true + {{- if (include "ua-secret-mountpath" .) }} + - name: spire-secrets + mountPath: {{ include "ua-secret-mountpath" . }} + readOnly: true + {{- end }} + {{- if eq .Values.mtls.persistentStorage "on" }} + - name: spire-data + mountPath: /run/spire/data + readOnly: false + {{- end }} + - name: spire-server-socket + mountPath: /run/spire/sockets + readOnly: false + livenessProbe: + exec: + command: + - /opt/spire/bin/spire-server + - healthcheck + - '-shallow' + - '-registrationUDSPath' + - /run/spire/sockets/spire-registration.sock + failureThreshold: 2 + initialDelaySeconds: 15 + periodSeconds: 60 + timeoutSeconds: 3 + readinessProbe: + exec: + command: + - /opt/spire/bin/spire-server + - healthcheck + - '-registrationUDSPath' + - /run/spire/sockets/spire-registration.sock + initialDelaySeconds: 5 + periodSeconds: 5 + - name: k8s-workload-registrar + image: {{ include "spire.image-server" . 
}}/k8s-workload-registrar:1.0.2 + imagePullPolicy: {{ .Values.registry.imagePullPolicy }} + args: + - '-config' + - /run/spire/config/k8s-workload-registrar.conf + ports: + - name: webhook + protocol: TCP + containerPort: 9443 + volumeMounts: + - name: k8s-workload-registrar-config + mountPath: /run/spire/config + readOnly: true + - name: k8s-workload-registrar-secret + mountPath: /tmp/k8s-webhook-server/serving-certs + readOnly: true + - name: spire-server-socket + mountPath: /run/spire/sockets + readOnly: true + volumes: + - name: spire-config + configMap: + name: spire-server + {{- if (include "ua-secret-name" .) }} + - name: spire-secrets + secret: + secretName: spire-server + items: + - key: {{ include "ua-secret-name" . }} + path: {{ include "ua-secret-name" . }} + {{- end }} + - name: spire-server-socket + emptyDir: {} + - name: k8s-workload-registrar-config + configMap: + name: k8s-workload-registrar + - name: k8s-workload-registrar-secret + secret: + secretName: k8s-workload-registrar-secret + {{- if eq .Values.mtls.persistentStorage "on" }} + volumeClaimTemplates: + - metadata: + name: spire-data + namespace: {{ .Release.Namespace }} + spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 1Gi + {{- end }} diff --git a/charts/nginx-service-mesh/nginx-service-mesh/0.2.100/templates/zipkin.yaml b/charts/nginx-service-mesh/nginx-service-mesh/0.2.100/templates/zipkin.yaml new file mode 100644 index 000000000..aeedc8f26 --- /dev/null +++ b/charts/nginx-service-mesh/nginx-service-mesh/0.2.100/templates/zipkin.yaml 
@@ -0,0 +1,46 @@
+{{- if (and (not .Values.tracing.disable) (eq .Values.tracing.backend "zipkin") (eq .Values.tracing.address "")) }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: zipkin
+ labels:
+ app.kubernetes.io/name: zipkin
+ app.kubernetes.io/part-of: nginx-service-mesh
+spec:
+ selector:
+ app.kubernetes.io/name: zipkin
+ app.kubernetes.io/part-of: nginx-service-mesh
+ type: ClusterIP
+ ports:
+ - port: 9411
+ targetPort: 9411
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: zipkin
+ labels:
+ app.kubernetes.io/name: zipkin
+ app.kubernetes.io/part-of: nginx-service-mesh
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: zipkin
+ app.kubernetes.io/part-of: nginx-service-mesh
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/name: zipkin
+ app.kubernetes.io/part-of: nginx-service-mesh
+ spec:
+ imagePullSecrets:
+ - name: {{ include "registry-key-name" . }}
+ containers:
+ - name: zipkin
+ image: {{ include "zipkin.image-server" . }}/zipkin:2.21
+ imagePullPolicy: {{ .Values.registry.imagePullPolicy }}
+ ports:
+ - containerPort: 9411
+{{- end }}
diff --git a/charts/nginx-service-mesh/nginx-service-mesh/0.2.100/values.schema.json b/charts/nginx-service-mesh/nginx-service-mesh/0.2.100/values.schema.json
new file mode 100644
index 000000000..3783d041b
--- /dev/null
+++ b/charts/nginx-service-mesh/nginx-service-mesh/0.2.100/values.schema.json
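Review bot: The zipkin container (`- name: zipkin` through `ports:`) is deployed with no `securityContext` and no `resources`, so it runs with the image's default user, all default capabilities and unbounded memory, even though it accepts spans from every injected sidecar and so sees more traffic volume than any other chart component. Adding a pod-level `runAsNonRoot: true` (the upstream zipkin image is believed to run unprivileged — confirm), a container `securityContext` that drops capabilities and forbids privilege escalation, and a memory limit would contain a misbehaving or flooded collector; `readOnlyRootFilesystem` is left out below because the image's temp-file behaviour is not visible here. The Service on port 9411 is ClusterIP but reachable from any namespace, and nothing in this diff appears to restrict that; a NetworkPolicy scoped to the injected namespaces is worth a follow-up.
```yaml
    spec:
      securityContext:
        runAsNonRoot: true
      # … unchanged: imagePullSecrets …
      containers:
      - name: zipkin
        # … unchanged: image, imagePullPolicy, ports …
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop: ["ALL"]
        resources:
          limits:
            memory: MEMORY_LIMIT_PLACEHOLDER  # size for expected span volume
```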
@@ -0,0 +1,455 @@ +{ + "$schema": "https://json-schema.org/draft-07/schema#", + "title": "NGINX Service Mesh Values", + "type": "object", + "properties": { + "mtls": { + "type": "object", + "properties": { + "mode": { + "description": "mTLS mode for pod-to-pod communication", + "type": "string", + "enum": ["off", "permissive", "strict"], + "default": "permissive" + }, + "caTTL": { + "description": "The CA/signing key TTL in hours(h) or minutes(m)", + "type": "string", + "pattern": "[0-9]*(h|m)", + "default": "720h" + }, + "svidTTL": { + "description": "The TTL of certificates issued to workloads in hours(h) or minutes(m)", + "type": "string", + "pattern": "[0-9]*(h|m)", + "default": "1h" + }, + "trustDomain": { + "description": "The trust domain of the NGINX Service Mesh", + "type": "string", + "default": "example.org" + }, + "persistentStorage": { + "description": "Use persistent storage", + "type": "string", + "enum": ["on", "off"], + "default": "on" + }, + "spireServerKeyManager": { + "description": "Storage logic for Spire Server's private keys", + "type": "string", + "enum": ["disk", "memory"], + "default": "disk" + }, + "upstreamAuthority": { + "description": "Upstream authority settings", + "type": "object", + "properties": { + "disk": { + "description": "Disk object", + "type": "object", + "properties": { + "cert": { + "description": "Contents of your PEM encoded certificate file", + "type": "string", + "minLength": 1 + }, + "key": { + "description": "Contents of your PEM encoded key file", + "type": "string", + "minLength": 1 + }, + "bundle": { + "description": "Contents of your CA bundle file", + "type": "string" + } + }, + "required": ["cert", "key"] + }, + "awsPCA": { + "description": "AWS PCA object", + "type": "object", + "properties": { + "region": { + "description": "AWS region to use", + "type": "string", + "minLength": 1 + }, + "certificateAuthorityArn": { + "description": "ARN of the upstream CA certificate", + "type": "string", + "minLength": 1 
+ }, + "awsAccessKeyID": { + "description": "AWS access key ID", + "type": "string", + "minLength": 1 + }, + "awsSecretAccessKey": { + "description": "AWS secret access key", + "type": "string", + "minLength": 1 + }, + "caSigningTemplateArn": { + "description": "ARN of the signing template to use for the server's CA", + "type": "string" + }, + "signingAlgorithm": { + "description": "Signing algorithm to use for the server's CA", + "type": "string" + }, + "assumeRoleArn": { + "description": " ARN of an IAM role to assume", + "type": "string" + }, + "endpoint": { + "description": "Endpoint as hostname or fully-qualified URI that overrides the default endpoint", + "type": "string" + }, + "supplementalBundle": { + "description": "Contents of a PEM encoded CA certificates file that should be additionally included in the bundle", + "type": "string" + } + }, + "required": ["region", "certificateAuthorityArn", "awsAccessKeyID", "awsSecretAccessKey"] + }, + "awsSecret": { + "description": "AWS Secret object", + "type": "object", + "properties": { + "region": { + "description": "AWS region to use", + "type": "string", + "minLength": 1 + }, + "certFileArn": { + "description": "ARN of the upstream CA certificate", + "type": "string", + "minLength": 1 + }, + "keyFileArn": { + "description": "ARN of the upstream CA key file", + "type": "string", + "minLength": 1 + }, + "awsAccessKeyID": { + "description": "AWS access key ID", + "type": "string" + }, + "awsSecretKeyID": { + "description": "AWS secret access key", + "type": "string" + }, + "awsSecretToken": { + "description": "AWS secret token", + "type": "string" + }, + "assumeRoleArn": { + "description": "ARN of role to assume", + "type": "string" + } + }, + "required": ["region", "certFileArn", "keyFileArn"] + }, + "vault": { + "description": "Vault object", + "type": "object", + "properties": { + "vaultAddr": { + "description": "URL of the Vault server", + "type": "string", + "minLength": 1 + }, + "namespace": { + 
"description": "Vault namespace", + "type": "string", + "minLength": 1 + }, + "caCert": { + "description": "Contents of a PEM encoded CA certificate file to verify the Vault server certificate", + "type": "string", + "minLength": 1 + }, + "pkiMountPoint": { + "description": "Name of the mount point where the PKI secret engine is mounted", + "type": "string", + "default": "pki" + }, + "insecureSkipVerify": { + "description": "If true, vault client accepts any server certificates", + "type": "boolean", + "default": false + }, + "certAuth": { + "description": "Client certificate authentication object", + "type": "object", + "properties": { + "clientCert": { + "description": "Contents of your client cert file", + "type": "string", + "minLength": 1 + }, + "clientKey": { + "description": "Contents of your client key file", + "type": "string", + "minLength": 1 + }, + "certAuthMountPoint": { + "description": "Name of the mount point where TLS certificate auth method is mounted", + "type": "string", + "default": "cert" + }, + "certAuthRoleName": { + "description": "Name of the vault role. If given, the plugin authenticates against only the named role. 
Default to trying all roles.", + "type": "string" + } + }, + "required": ["clientCert", "clientKey"] + }, + "tokenAuth": { + "description": "Token authentication object", + "type": "object", + "properties": { + "token": { + "description": "Token string set into X-Vault-Token header", + "type": "string", + "minLength": 1 + } + }, + "required": ["token"] + }, + "approleAuth": { + "description": "AppRole authentication object", + "type": "object", + "properties": { + "approleID": { + "description": "An identifier of AppRole", + "type": "string", + "minLength": 1 + }, + "approleSecretID": { + "description": "A credential of AppRole", + "type": "string", + "minLength": 1 + }, + "approleAuthMountPoint": { + "description": "Name of the mount point where the AppRole auth method is mounted", + "type": "string", + "default": "approle" + } + }, + "required": ["approleID", "approleSecretID"] + } + }, + "required": ["vaultAddr", "namespace", "caCert"], + "oneOf": [ + {"required": ["certAuth"]}, + {"required": ["tokenAuth"]}, + {"required": ["approleAuth"]} + ] + } + }, + "oneOf": [ + {"const": {}}, + {"required": ["disk"]}, + {"required": ["awsPCA"]}, + {"required": ["awsSecret"]}, + {"required": ["vault"]} + ] + } + }, + "required": ["mode", "caTTL", "svidTTL", "trustDomain", "persistentStorage", "spireServerKeyManager"] + }, + "registry": { + "description": "NGINX Service Mesh image registry settings", + "type": "object", + "properties": { + "server": { + "description": "Hostname:port (if needed) for registry and path to images", + "type": "string", + "default": "docker-registry.nginx.com/nsm" + }, + "imageTag": { + "description": "Tag used for pulling images from registry. 
", + "type": "string", + "default": "1.1.0" + }, + "key": { + "description": "Contents of your Google Cloud JSON key file", + "type": "string" + }, + "username": { + "description": "Username for accessing private registry", + "type": "string" + }, + "password": { + "description": "Password for accessing private registry", + "type": "string" + }, + "disablePublicImages": { + "description": "Disable the pulling of third party images from public repositories", + "type": "boolean", + "default": false + }, + "imagePullPolicy": { + "description": "Image pull policy", + "type": "string", + "enum": ["Never", "IfNotPresent", "Always"], + "default": "IfNotPresent" + } + }, + "oneOf": [ + { + "properties": { + "key": {"$ref": "#/definitions/emptyString"}, + "username": {"$ref": "#/definitions/emptyString"}, + "password": {"$ref": "#/definitions/emptyString"} + } + }, + { + "properties": { + "key": {"$ref": "#/definitions/nonEmptyString"}, + "username": {"$ref": "#/definitions/emptyString"}, + "password": {"$ref": "#/definitions/emptyString"} + } + }, + { + "properties": { + "username": {"$ref": "#/definitions/nonEmptyString"}, + "password": {"$ref": "#/definitions/nonEmptyString"}, + "key": {"$ref": "#/definitions/emptyString"} + } + } + ], + "required": ["server", "imageTag", "disablePublicImages", "imagePullPolicy"] + }, + "accessControlMode": { + "description": "Default access control mode for service-to-service communication", + "type": "string", + "enum": ["allow", "deny"] + }, + "deployGrafana": { + "description": "Deploy Grafana as a part of the NGINX Service Mesh", + "type": "boolean" + }, + "nginxErrorLogLevel": { + "description": "NGINX error log level", + "type": "string", + "enum": ["debug", "info", "notice", "warn", "error", "crit", "alert", "emerg"] + }, + "nginxLogFormat": { + "description": "NGINX log format", + "type": "string", + "enum": ["default", "json"] + }, + "nginxLBMethod": { + "description": "NGINX load balancing method", + "type": "string", + 
"enum": ["least_conn", "least_time", "least_time last_byte", "least_time last_byte inflight", "random", "random two", "random two least_conn", "random two least_time", "random two least_time=last_byte", "round_robin"] + }, + "prometheusAddress": { + "description": "The address of a Prometheus server deployed in your Kubernetes cluster", + "type": "string" + }, + "autoInjection": { + "description": "NGINX Service Mesh auto-injection settings", + "type": "object", + "properties": { + "disable": { + "description": "Disable automatic sidecar injection upon resource creation", + "type": "boolean" + }, + "disabledNamespaces": { + "description": "Disable automatic sidecar injection for specific namespace", + "type": "array", + "items": { + "type": "string" + } + }, + "enabledNamespaces": { + "description": "Enable automatic sidecar injection for specific namespaces", + "type": "array", + "items": { + "type": "string" + } + } + }, + "oneOf": [ + { + "properties": { + "disabledNamespaces": {"$ref": "#/definitions/nonEmptyArray"}, + "disable": {"const": false} + } + }, + { + "properties": { + "enabledNamespaces": {"$ref": "#/definitions/nonEmptyArray"}, + "disable": {"const": true} + } + }, + { + "properties": { + "enabledNamespaces": {"$ref": "#/definitions/emptyArray"}, + "disabledNamespaces": {"$ref": "#/definitions/emptyArray"} + } + } + ], + "required": ["disable"] + }, + "tracing": { + "description": "NGINX Service Mesh tracing settings", + "type": "object", + "properties": { + "disable": { + "description": "Disable tracing for all services", + "type": "boolean" + }, + "address": { + "description": "The address of a tracing server deploying in your Kubernetes cluster", + "type": "string" + }, + "backend": { + "description": "The tracing backend that you want to use", + "type": "string", + "enum": ["datadog", "jaeger", "zipkin"] + }, + "sampleRate": { + "description": "The sample rate to use for tracing. 
Float between 0 and 1", + "type": "number", + "minimum": 0.0, + "maximum": 1.0 + } + }, + "required": ["disable", "sampleRate"] + } + }, + "definitions": { + "nonEmptyString": { + "type": "string", + "minLength": 1 + }, + "emptyString": { + "type": "string", + "const": "" + }, + "nonEmptyArray": { + "type": "array", + "minItems": 1 + }, + "emptyArray": { + "type": "array", + "maxItems": 0 + } + }, + "required": [ + "mtls", + "registry", + "accessControlMode", + "deployGrafana", + "nginxErrorLogLevel", + "nginxLogFormat", + "nginxLBMethod", + "autoInjection", + "tracing" + ] +} diff --git a/charts/nginx-service-mesh/nginx-service-mesh/0.2.100/values.yaml b/charts/nginx-service-mesh/nginx-service-mesh/0.2.100/values.yaml new file mode 100644 index 000000000..05cd5384b --- /dev/null +++ b/charts/nginx-service-mesh/nginx-service-mesh/0.2.100/values.yaml 
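Review bot: The `caTTL` and `svidTTL` patterns, `"pattern": "[0-9]*(h|m)"`, are unanchored and allow an empty digit run, so values such as `"h"`, `"abc7h"` or `"10hours"` pass schema validation and only fail later when the SPIRE server parses its config; anchoring them as `"pattern": "^[0-9]+(h|m)$"` rejects them at install time. Under `awsSecret` the schema names the credential `awsSecretKeyID`, while the commented example in the values.yaml hunk below documents `awsSecretAccessKey` for the same object; because the object does not set `"additionalProperties": false`, a user following the comment gets no validation error and the field is silently ignored, so one of the two names should change to match whatever the template actually reads. The `registry.imageTag` default `"1.1.0"` also lags the `"1.2.1"` used in values.yaml and `appVersion`; schema defaults are informational, but stale ones mislead tooling that surfaces them.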
@@ -0,0 +1,209 @@ +# NGINX Service Mesh image registry settings. +registry: + # Hostname:port (if needed) for registry and path to images. + # Affects: nginx-mesh-api, nginx-mesh-cert-reloader, nginx-mesh-init, nginx-mesh-metrics, nginx-mesh-sidecar + server: "docker-registry.nginx.com/nsm" + + # Tag used for pulling images from registry + # Affects: nginx-mesh-api, nginx-mesh-cert-reloader, nginx-mesh-init, nginx-mesh-metrics, nginx-mesh-sidecar + imageTag: "1.2.1" + + # Note: Currently only works with Google Cloud registry. + # Contents of your Google Cloud JSON key file. Can be set via "--set-file registry.key=.json" + # Cannot be used with username or password. + key: "" + + # Username for accessing private registry. + # Requires password to be set. Cannot be used with key. + username: "" + + # Password for accessing private registry. + # Requires username to be set. Cannot be used with key. + password: "" + + # Do not pull third party images from public repositories. + # If true, registry.server is used for all images. + disablePublicImages: false + + # Image pull policy + # Valid values: Always, IfNotPresent, Never + imagePullPolicy: "IfNotPresent" + +# Default access control mode for service-to-service communication. +# Valid values: allow, deny +accessControlMode: "allow" + +# Deploy Grafana as a part of the NGINX Service Mesh. +# Valid values: true, false +deployGrafana: true + +# NGINX error log level. +# Valid values: debug, info, notice, warn, error, crit, alert, emerg +nginxErrorLogLevel: "warn" + +# NGINX log format. +# Valid values: default, json +nginxLogFormat: "default" + +# NGINX load balancing method. +# Valid values: [least_conn, least_time, least_time last_byte, least_time last_byte inflight, +# random, random two, random two least_conn, random two least_time, random two least_time=last_byte, round_robin] +nginxLBMethod: "least_time" + +# The address of a Prometheus server deployed in your Kubernetes cluster. 
+# Address should be in the format .:. +prometheusAddress: "" + +# NGINX Service Mesh auto-injection settings. +autoInjection: + # Disable automatic sidecar injection upon resource creation. + # Use the "enabledNamespaces" flag to enable automatic injection in select namespaces. + disable: false + + # Disable automatic sidecar injection for specific namespaces. + # Cannot be used with "disable". + disabledNamespaces: [] + + # Enable automatic sidecar injection for specific namespaces. + # Must be used with "disable". + enabledNamespaces: [] + +# NGINX Service Mesh tracing settings. +tracing: + # Disable tracing for all services. + disable: false + + # The address of a tracing server deployed in your Kubernetes cluster. + # Address should be in the format .:. + address: "" + + # The tracing backend that you want to use. + # Valid values: datadog, jaeger, zipkin + backend: "jaeger" + + # The sample rate to use for tracing. Float between 0 and 1. + sampleRate: 0.01 + +# Mutual TLS settings. See https://docs.nginx.com/nginx-service-mesh/guides/secure-traffic-mtls for more info. +mtls: + # mTLS mode for pod-to-pod communication. + # Valid values: off, permissive, strict + mode: "permissive" + + # The CA/signing key TTL in hours(h) or minutes(m). + caTTL: "720h" + + # The TTL of certificates issued to workloads in hours(h) or minutes(m). + svidTTL: "1h" + + # The trust domain of NGINX Service Mesh. + trustDomain: "example.org" + + # Use persistent storage; "on" assumes that a StorageClass exists. + # Valid values: on, off + persistentStorage: "on" + + # Storage logic for Spire Server's private keys. + # Valid values: disk, memory + spireServerKeyManager: "disk" + + ## Upstream authority settings. If left empty, SPIRE is used as the upstream authority. + ## Only uncomment and fill out the object pertinent to you (disk, awsPCA, awsSecret, vault). 
+ upstreamAuthority: {} + + # # Disk object (see https://github.com/spiffe/spire/blob/v0.12/doc/plugin_server_upstreamauthority_disk.md) + # disk: + # # Contents of your PEM encoded certificate file. Can be set via "--set-file mtls.upstreamAuthority.disk.cert=" + # cert: "" + # # Contents of your PEM encoded key file. Can be set via "--set-file mtls.upstreamAuthority.disk.key=" + # key: "" + # # Optional; contents of your CA bundle file. Can be set via "--set-file mtls.upstreamAuthority.disk.bundle=" + # bundle: "" + + # # AWS PCA object (see https://github.com/spiffe/spire/blob/v0.12/doc/plugin_server_upstreamauthority_aws_pca.md) + # awsPCA: + # # AWS region to use + # region: "" + # # ARN of the upstream CA certificate + # certificateAuthorityArn: "" + # # AWS access key ID + # awsAccessKeyID: "" + # # AWS secret access key + # awsSecretAccessKey: "" + + # ## Optional fields + + # # ARN of the signing template to use for the server's CA + # caSigningTemplateArn: "" + # # Signing algorithm to use for the server's CA + # signingAlgorithm: "" + # # ARN of an IAM role to assume + # assumeRoleArn: "" + # # Endpoint as hostname or fully-qualified URI that overrides the default endpoint + # endpoint: "" + # # Contents of a PEM encoded CA certificates file that should be additionally included in the bundle. 
+ # # Can be set via "--set-file mtls.upstreamAuthority.awsPCA.supplementalBundle=" + # supplementalBundle: "" + + # # AWS Secret object (see https://github.com/spiffe/spire/blob/v0.12/doc/plugin_server_upstreamauthority_awssecret.md) + # awsSecret: + # # AWS region to use + # region: "" + # # ARN of the upstream CA certificate + # certFileArn: "" + # # ARN of the upstream CA key file + # keyFileArn: "" + + # ## Choose an appropriate auth method + + # # AWS access key ID + # awsAccessKeyID: "" + # # AWS secret access key + # awsSecretAccessKey: "" + # # AWS secret token + # awsSecretToken: "" + # # ARN of role to assume + # assumeRoleArn: "" + + # # Vault object (see https://github.com/spiffe/spire/blob/v0.12/doc/plugin_server_upstreamauthority_vault.md) + # vault: + # # URL of the Vault server + # vaultAddr: "" + # # Vault namespace + # namespace: "" + # # Contents of a PEM encoded CA certificate file to verify the Vault server certificate. + # # Can be set via "--set-file mtls.upstreamAuthority.vault.caCert=" + # caCert: "" + # # Name of the mount point where the PKI secret engine is mounted + # pkiMountPoint: "pki" + # # If true, vault client accepts any server certificates + # insecureSkipVerify: false + + # # Client Certificate Authentication + # certAuth: + # # Contents of your client cert file. Can be set via "--set-file mtls.upstreamAuthority.vault.certAuth.clientCert=" + # clientCert: "" + # # Contents of your client key file. Can be set via "--set-file mtls.upstreamAuthority.vault.certAuth.clientKey=" + # clientKey: "" + + # ## Optional fields + + # # Name of the mount point where TLS certificate auth method is mounted + # certAuthMountPoint: "cert" + # # Name of the vault role. If given, the plugin authenticates against only the named role. Default to trying all roles. 
+ # certAuthRoleName: "" + + # # Token Authentication + # tokenAuth: + # # Token string set into "X-Vault-Token" header + # token: "" + + # # AppRole Authentication + # approleAuth: + # # An identifier of AppRole + # approleID: "" + # # A credential of AppRole + # approleSecretID: "" + + # # Name of the mount point where the AppRole auth method is mounted + # approleAuthMountPoint: "approle" diff --git a/index.yaml b/index.yaml index ae9aacdfd..f39e5bcd1 100755 --- a/index.yaml +++ b/index.yaml @@ -1395,6 +1395,22 @@ entries: urls: - assets/nginx-ingress/nginx-ingress-0.10.0.tgz version: 0.10.0 + nginx-service-mesh: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: NGINX Service Mesh + catalog.cattle.io/release-name: nginx-service-mesh + apiVersion: v2 + appVersion: 1.2.1 + created: "2021-10-11T10:18:55.101934-06:00" + description: NGINX Service Mesh + digest: 75ef707cadb314629a881a4f1f2b9862e62e3930dbed27c4ec56a9f380cc1759 + icon: https://raw.githubusercontent.com/nginxinc/nginx-service-mesh/master/helm-chart/chart-icon.png + kubeVersion: 1.16-0 - 1.21-0 + name: nginx-service-mesh + urls: + - assets/nginx-service-mesh/nginx-service-mesh-0.2.100.tgz + version: 0.2.100 nutanix-csi-storage: - annotations: artifacthub.io/changes: | diff --git a/packages/nginx-service-mesh/generated-changes/overlay/app-readme.md b/packages/nginx-service-mesh/generated-changes/overlay/app-readme.md new file mode 100644 index 000000000..5f4fda928 --- /dev/null +++ b/packages/nginx-service-mesh/generated-changes/overlay/app-readme.md 
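Review bot: The comments `# Address should be in the format .:.` on `prometheusAddress` and on `tracing.address` have lost their placeholders (presumably angle-bracketed tokens stripped somewhere upstream), leaving the expected format unreadable; spell it out without angle brackets, e.g. `# Address should be in the format SERVICE.NAMESPACE:PORT`, after confirming the intended components against the upstream docs. The credential fields documented in this file (`registry.password`, `registry.key`, the `awsPCA`/`awsSecret` keys, `vault.tokenAuth.token`, `approleSecretID`, `clientKey`) are stored in the release's values like any other value and remain in Helm's release history; a one-line note next to `registry.key` recommending `--set-file` from a location outside version control, rather than editing this file, would steer operators away from committing secrets. The commented `awsSecret` example uses `awsSecretAccessKey` where values.schema.json expects `awsSecretKeyID`; see the note on that hunk.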
@@ -0,0 +1,5 @@
+# NGINX Service Mesh
+
+[NGINX Service Mesh](https://docs.nginx.com/nginx-service-mesh/) is a fully integrated lightweight service mesh that leverages a data plane powered by NGINX Plus to manage container traffic in Kubernetes environments.
+
+NGINX Service Mesh is currently only supported in Rancher 2.6+ when deploying from the Apps and Marketplace. NGINX Service Mesh is not currently supported on k3s.
diff --git a/packages/nginx-service-mesh/generated-changes/overlay/questions.yaml b/packages/nginx-service-mesh/generated-changes/overlay/questions.yaml
new file mode 100644
index 000000000..933e22c5f
--- /dev/null
+++ b/packages/nginx-service-mesh/generated-changes/overlay/questions.yaml
@@ -0,0 +1,197 @@ +questions: +- variable: useDefaultImages + default: true + description: "Use default image settings." + label: Use default images + type: boolean + show_subquestion_if: false + group: "Image Registry" + subquestions: + - variable: registry.server + default: "docker-registry.nginx.com/nsm" + description: "Hostname:port (if needed) for registry and path to images." + label: Image registry server + type: string + - variable: registry.imageTag + default: "1.2.1" + description: "Tag used for pulling images from registry." + label: Image tag + type: string + - variable: registry.key + default: "" + description: "Contents of your Google Cloud JSON key file. Cannot be used with username or password." + label: Image registry key + type: string + - variable: registry.username + default: "" + description: "Username for accessing private registry." + label: Image registry username + type: string + - variable: registry.password + default: "" + description: "Password for accessing private registry." + label: Image registry password + type: string + - variable: registry.disablePublicImages + default: false + description: "Do not pull third party images from public repositories. If true, registry.server is used for all images." + label: Disable public images + type: boolean + - variable: registry.imagePullPolicy + default: "IfNotPresent" + description: "Image pull policy." + label: Image pull policy + type: string +- variable: useMtlsDefaults + default: true + description: "Use default mTLS settings." + label: Use default mTLS settings + type: boolean + show_subquestion_if: false + group: "Mutual TLS" + subquestions: + - variable: mtls.mode + default: "permissive" + description: "mTLS mode for pod-to-pod communication." + label: mTLS mode + type: enum + options: + - "off" + - "permissive" + - "strict" + - variable: mtls.caTTL + default: "720h" + description: "The CA/signing key TTL in hours(h) or minutes(m)." 
+ label: mTLS caTTL + type: string + - variable: mtls.svidTTL + default: "1h" + description: "The TTL of certificates issued to workloads in hours(h) or minutes(m)." + label: mTLS svidTTL + type: string + - variable: mtls.trustDomain + default: "example.org" + description: "The trust domain of the NGINX Service Mesh." + label: mTLS trust domain + type: string + - variable: mtls.persistentStorage + default: "on" + description: "Use persistent storage; 'on' assumes that a StorageClass exists." + label: mTLS persistent storage + type: enum + options: + - "on" + - "off" + - variable: mtls.spireServerKeyManager + default: "disk" + description: "Storage logic for Spire Server's private keys." + label: mTLS spire server key manager + type: enum + options: + - "disk" + - "memory" +- variable: useTracingDefaults + default: true + description: "Use default tracing settings." + label: Use default tracing settings + type: boolean + show_subquestion_if: false + group: "Tracing" + subquestions: + - variable: tracing.disable + default: false + description: "Disable tracing for all services." + label: Disable tracing + type: boolean + - variable: tracing.address + default: "" + description: "The address of a tracing server deployed in your Kubernetes cluster." + label: Tracing address + type: string + - variable: tracing.backend + default: "jaeger" + description: "The tracing backend that you want to use." + label: Tracing backend + type: enum + options: + - "jaeger" + - "zipkin" + - "datadog" + - variable: tracing.sampleRate + default: 0.01 + description: "The sample rate to use for tracing. Float between 0 and 1." + label: Tracing sample rate + type: float +- variable: autoInjection.disable + default: false + description: "Disable automatic sidecar injection upon resource creation." 
+ label: Disable auto injection + type: boolean + group: "General Settings" +- variable: accessControlMode + default: "allow" + description: "Default access control mode for service-to-service communication." + label: Access control mode + type: enum + options: + - "allow" + - "deny" + group: "General Settings" +- variable: deployGrafana + default: true + description: "Deploy Grafana as a part of NGINX Service Mesh." + label: Deploy Grafana + type: boolean + group: "General Settings" +- variable: nginxErrorLogLevel + default: "warn" + description: "NGINX error log level." + label: NGINX error log level. + type: enum + options: + - "debug" + - "info" + - "notice" + - "warn" + - "error" + - "crit" + - "alert" + - "emerg" + group: "General Settings" +- variable: nginxLogFormat + default: "default" + description: "NGINX log format." + label: NGINX log format. + type: enum + options: + - "default" + - "json" + group: "General Settings" +- variable: nginxLBMethod + default: "least_time" + description: "NGINX load balancing method." + label: NGINX load balancing method. + type: enum + options: + - "least_conn" + - "least_time" + - "least_time last_byte" + - "least_time last_byte inflight" + - "random" + - "random two" + - "random two least_conn" + - "random two least_time" + - "random two least_time=last_byte" + - "round_robin" + group: "General Settings" +- variable: prometheusAddress + description: "The address of a Prometheus server deployed in your Kubernetes cluster." + label: Prometheus address. + type: string + group: "General Settings" +- variable: rancher + default: true + description: "Enables Rancher for NGINX Service Mesh (do not disable)." + label: Rancher + type: boolean + group: "General Settings" diff --git a/packages/nginx-service-mesh/generated-changes/patch/Chart.yaml.patch b/packages/nginx-service-mesh/generated-changes/patch/Chart.yaml.patch new file mode 100644 index 000000000..638b12209 --- /dev/null 
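Review bot: `registry.password` and `registry.key` are declared `type: string`, so the Rancher form renders them as plain text inputs that echo the credential as it is typed; Rancher's questions schema provides a `password` type that masks the field, so change both to `type: password`. The `rancher` variable is described as "do not disable" yet is exposed as a toggle under General Settings; if it must stay `true`, drop the question and let the values.yaml default apply, or explain in the description why it is exposed. `prometheusAddress` is the only question without a `default`; adding `default: ""` keeps it aligned with values.yaml.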
+++ b/packages/nginx-service-mesh/generated-changes/patch/Chart.yaml.patch
@@ -0,0 +1,10 @@
+--- charts-original/Chart.yaml
++++ charts/Chart.yaml
+@@ -5,3 +5,7 @@
+ kubeVersion: 1.16-0 - 1.21-0
+ name: nginx-service-mesh
+ version: 0.2.1
++annotations:
++ catalog.cattle.io/certified: partner
++ catalog.cattle.io/release-name: nginx-service-mesh
++ catalog.cattle.io/display-name: NGINX Service Mesh
diff --git a/packages/nginx-service-mesh/package.yaml b/packages/nginx-service-mesh/package.yaml
new file mode 100644
index 000000000..062593cca
--- /dev/null
+++ b/packages/nginx-service-mesh/package.yaml
@@ -0,0 +1,2 @@
+url: https://raw.githubusercontent.com/nginxinc/helm-charts/master/stable/nginx-service-mesh-0.2.1.tgz
+packageVersion: 00
\ No newline at end of file
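Review bot: `packageVersion: 00` is an unquoted scalar that a YAML parser reads as the integer 0, not the two-character string `00`; the resulting chart version `0.2.100` suggests the charts-build tooling re-pads it, but that depends on the consumer rather than on the file. Quoting it, `packageVersion: "00"`, states the intent explicitly and survives a reformat or parser change. The file also lacks a trailing newline.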