Add NSM assets/charts

pull/171/head
Saylor Berman 2021-10-11 10:20:49 -06:00
parent 6584189d24
commit f2c0e05099
45 changed files with 4501 additions and 0 deletions


@ -0,0 +1,11 @@
annotations:
catalog.cattle.io/certified: partner
catalog.cattle.io/display-name: NGINX Service Mesh
catalog.cattle.io/release-name: nginx-service-mesh
apiVersion: v2
appVersion: 1.2.1
description: NGINX Service Mesh
icon: https://raw.githubusercontent.com/nginxinc/nginx-service-mesh/master/helm-chart/chart-icon.png
kubeVersion: 1.16-0 - 1.21-0
name: nginx-service-mesh
version: 0.2.100
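Review bot: `appVersion: 1.2.1` is left as a plain scalar; Helm recommends quoting it so that tooling never retypes it, and a future two-component value (1.3) would otherwise be read as a float. `appVersion: "1.2.1"` is enough. `version: 0.2.100` and `kubeVersion: 1.16-0 - 1.21-0` parse as strings today, but quoting them keeps the metadata block consistent with that rule.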


@ -0,0 +1,11 @@
# NGINX Service Mesh
Before deploying NGINX Service Mesh, see the [Platform Guide](https://docs.nginx.com/nginx-service-mesh/get-started/kubernetes-platform/) to ensure your environment is properly configured. If [Persistent Storage](https://docs.nginx.com/nginx-service-mesh/get-started/kubernetes-platform/persistent-storage/) is not configured in your cluster, set the `mTLS.persistentStorage` field to `off`. Verify that no other service meshes exist in your Kubernetes cluster. It is advised to install NGINX Service Mesh in a dedicated namespace.
## Helm Installation and Configuration
For information on the configuration options and installation process when using Helm with NGINX Service Mesh, see the [Installation Guide](https://docs.nginx.com/nginx-service-mesh/get-started/install-with-helm/).
## Rancher users
When deploying NGINX Service Mesh via the Rancher Apps and Marketplace, the Helm value `rancher` is set to `true` by default. This value causes Pods in the `cattle-*`, `ingress-nginx`, and `cert-manager` namespaces to be ignored by the automatic sidecar injection webhook. If this behavior is not desired, the `rancher` value can be set to `false`, or the `injector.nsm.nginx.com/auto-inject` label can be manually removed from these namespaces.


@ -0,0 +1,5 @@
# NGINX Service Mesh
[NGINX Service Mesh](https://docs.nginx.com/nginx-service-mesh/) is a fully integrated lightweight service mesh that leverages a data plane powered by NGINX Plus to manage container traffic in Kubernetes environments.
NGINX Service Mesh is currently only supported in Rancher 2.6+ when deploying from the Apps and Marketplace. NGINX Service Mesh is not currently supported on k3s.



@ -0,0 +1,11 @@
apiVersion: 1
providers:
- name: 'default'
orgId: 1
folder: ''
type: file
disableDeletion: true
editable: true
options:
path: /var/lib/grafana/dashboards
homeDashboardId: nginx-mesh-top


@ -0,0 +1,12 @@
apiVersion: 1
datasources:
- name: prometheus
type: prometheus
access: proxy
orgId: 1
url: http://{{ include "prometheus.address" . }}
isDefault: true
jsonData:
timeInterval: "5s"
version: 1
editable: true
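Review bot: `url: http://{{ include "prometheus.address" . }}` is an unquoted templated scalar; if the include ever expands to something containing ` #` or `: ` the provisioning file fails to parse, and quoting templated values is the safe convention — `url: "http://{{ include "prometheus.address" . }}"`. Separately, `editable: true` lets anyone with editor rights repoint the Prometheus datasource from the UI; with the anonymous Admin login configured in the grafana.ini of this commit that is every visitor, so `editable: false` is the safer default for a provisioned datasource.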


@ -0,0 +1,697 @@
{
"annotations": {
"list": [
{
"builtIn": 1,
"datasource": "-- Grafana --",
"enable": true,
"hide": true,
"iconColor": "rgba(0, 211, 255, 1)",
"name": "Annotations & Alerts",
"type": "dashboard"
}
]
},
"editable": true,
"gnetId": null,
"graphTooltip": 0,
"id": null,
"links": [],
"panels": [
{
"cacheTimeout": null,
"colorBackground": false,
"colorValue": false,
"colors": [
"#299c46",
"rgba(237, 129, 40, 0.89)",
"#d44a3a"
],
"datasource": "prometheus",
"fieldConfig": {
"defaults": {},
"overrides": []
},
"format": "percentunit",
"gauge": {
"maxValue": 100,
"minValue": 0,
"show": false,
"thresholdLabels": false,
"thresholdMarkers": true
},
"gridPos": {
"h": 6,
"w": 8,
"x": 0,
"y": 0
},
"id": 4,
"interval": null,
"links": [],
"mappingType": 1,
"mappingTypes": [
{
"name": "value to text",
"value": 1
},
{
"name": "range to text",
"value": 2
}
],
"maxDataPoints": 100,
"nullPointMode": "connected",
"nullText": null,
"postfix": "",
"postfixFontSize": "50%",
"prefix": "",
"prefixFontSize": "50%",
"rangeMaps": [
{
"from": "null",
"text": "N/A",
"to": "null"
}
],
"sparkline": {
"fillColor": "rgba(31, 118, 189, 0.18)",
"full": true,
"lineColor": "rgb(31, 120, 193)",
"show": true
},
"tableColumn": "",
"targets": [
{
"expr": "sum(irate(nginxplus_upstream_server_responses{code=~\"1xx|2xx\"}[30s])) / sum(irate(nginxplus_upstream_server_responses[30s]))",
"format": "time_series",
"interval": "5s",
"intervalFactor": 1,
"refId": "A"
}
],
"thresholds": "",
"title": "GLOBAL SUCCESS RATE",
"type": "singlestat",
"valueFontSize": "80%",
"valueMaps": [
{
"op": "=",
"text": "N/A",
"value": "null"
}
],
"valueName": "current"
},
{
"cacheTimeout": null,
"colorBackground": false,
"colorValue": false,
"colors": [
"#299c46",
"rgba(237, 129, 40, 0.89)",
"#d44a3a"
],
"datasource": "prometheus",
"fieldConfig": {
"defaults": {},
"overrides": []
},
"format": "reqps",
"gauge": {
"maxValue": 100,
"minValue": 0,
"show": false,
"thresholdLabels": false,
"thresholdMarkers": true
},
"gridPos": {
"h": 6,
"w": 13,
"x": 8,
"y": 0
},
"id": 6,
"interval": null,
"links": [],
"mappingType": 1,
"mappingTypes": [
{
"name": "value to text",
"value": 1
},
{
"name": "range to text",
"value": 2
}
],
"maxDataPoints": 100,
"nullPointMode": "connected",
"nullText": null,
"postfix": "",
"postfixFontSize": "50%",
"prefix": "",
"prefixFontSize": "50%",
"rangeMaps": [
{
"from": "null",
"text": "N/A",
"to": "null"
}
],
"sparkline": {
"fillColor": "rgba(31, 118, 189, 0.18)",
"full": true,
"lineColor": "rgb(31, 120, 193)",
"show": true
},
"tableColumn": "",
"targets": [
{
"expr": "sum(irate(nginxplus_http_requests_total[30s]))",
"format": "time_series",
"interval": "5s",
"intervalFactor": 1,
"refId": "A"
}
],
"thresholds": "",
"title": "GLOBAL REQUEST VOLUME",
"type": "singlestat",
"valueFontSize": "80%",
"valueMaps": [
{
"op": "=",
"text": "N/A",
"value": "null"
}
],
"valueName": "current"
},
{
"cacheTimeout": null,
"colorBackground": false,
"colorValue": false,
"colors": [
"#299c46",
"rgba(237, 129, 40, 0.89)",
"#d44a3a"
],
"datasource": "prometheus",
"fieldConfig": {
"defaults": {},
"overrides": []
},
"format": "none",
"gauge": {
"maxValue": 100,
"minValue": 0,
"show": false,
"thresholdLabels": false,
"thresholdMarkers": true
},
"gridPos": {
"h": 6,
"w": 3,
"x": 21,
"y": 0
},
"id": 5,
"interval": null,
"links": [],
"mappingType": 1,
"mappingTypes": [
{
"name": "value to text",
"value": 1
},
{
"name": "range to text",
"value": 2
}
],
"maxDataPoints": 100,
"nullPointMode": "connected",
"nullText": null,
"postfix": "",
"postfixFontSize": "50%",
"prefix": "",
"prefixFontSize": "50%",
"rangeMaps": [
{
"from": "null",
"text": "N/A",
"to": "null"
}
],
"sparkline": {
"fillColor": "rgba(31, 118, 189, 0.18)",
"full": true,
"lineColor": "rgb(31, 120, 193)",
"show": false
},
"tableColumn": "",
"targets": [
{
"expr": "count(nginxplus_http_requests_total)",
"format": "time_series",
"interval": "5s",
"intervalFactor": 1,
"refId": "A"
}
],
"thresholds": "",
"title": "PODS MONITORED",
"type": "singlestat",
"valueFontSize": "200%",
"valueMaps": [
{
"op": "=",
"text": "N/A",
"value": "null"
}
],
"valueName": "current"
},
{
"aliasColors": {},
"bars": false,
"dashLength": 10,
"dashes": false,
"datasource": "prometheus",
"fieldConfig": {
"defaults": {},
"overrides": []
},
"fill": 1,
"fillGradient": 0,
"gridPos": {
"h": 9,
"w": 12,
"x": 0,
"y": 6
},
"hiddenSeries": false,
"id": 2,
"legend": {
"avg": false,
"current": false,
"max": false,
"min": false,
"show": true,
"total": false,
"values": false
},
"lines": true,
"linewidth": 1,
"links": [],
"nullPointMode": "null",
"options": {
"alertThreshold": true
},
"percentage": false,
"pluginVersion": "8.1.7",
"pointradius": 5,
"points": false,
"renderer": "flot",
"seriesOverrides": [],
"spaceLength": 10,
"stack": false,
"steppedLine": false,
"targets": [
{
"expr": "irate(nginxplus_http_requests_total[30s])",
"format": "time_series",
"interval": "",
"intervalFactor": 1,
"refId": "A"
}
],
"thresholds": [],
"timeFrom": null,
"timeRegions": [],
"timeShift": null,
"title": "Request Volume",
"tooltip": {
"shared": true,
"sort": 0,
"value_type": "individual"
},
"type": "graph",
"xaxis": {
"buckets": null,
"mode": "time",
"name": null,
"show": true,
"values": []
},
"yaxes": [
{
"format": "reqps",
"label": null,
"logBase": 1,
"max": null,
"min": "0",
"show": true
},
{
"format": "short",
"label": null,
"logBase": 1,
"max": null,
"min": null,
"show": true
}
],
"yaxis": {
"align": false,
"alignLevel": null
}
},
{
"aliasColors": {},
"bars": false,
"dashLength": 10,
"dashes": false,
"datasource": "prometheus",
"fieldConfig": {
"defaults": {},
"overrides": []
},
"fill": 1,
"fillGradient": 0,
"gridPos": {
"h": 9,
"w": 12,
"x": 12,
"y": 6
},
"hiddenSeries": false,
"id": 123124,
"legend": {
"avg": false,
"current": false,
"max": false,
"min": false,
"show": true,
"total": false,
"values": false
},
"lines": true,
"linewidth": 1,
"links": [],
"nullPointMode": "null",
"options": {
"alertThreshold": true
},
"percentage": false,
"pluginVersion": "8.1.7",
"pointradius": 5,
"points": false,
"renderer": "flot",
"seriesOverrides": [],
"spaceLength": 10,
"stack": false,
"steppedLine": false,
"targets": [
{
"expr": "sum(irate(nginxplus_upstream_server_responses{code=~\"1xx|2xx\"}[30s])) by (app, version) / sum(irate(nginxplus_upstream_server_responses[30s])) by (app, version)",
"format": "time_series",
"instant": false,
"interval": "",
"intervalFactor": 1,
"legendFormat": "",
"refId": "A"
}
],
"thresholds": [],
"timeFrom": null,
"timeRegions": [],
"timeShift": null,
"title": "Pod Success",
"tooltip": {
"shared": true,
"sort": 0,
"value_type": "individual"
},
"type": "graph",
"xaxis": {
"buckets": null,
"mode": "time",
"name": null,
"show": true,
"values": []
},
"yaxes": [
{
"format": "percentunit",
"label": null,
"logBase": 1,
"max": "1",
"min": "0",
"show": true
},
{
"format": "short",
"label": null,
"logBase": 1,
"max": null,
"min": null,
"show": true
}
],
"yaxis": {
"align": false,
"alignLevel": null
}
},
{
"aliasColors": {},
"bars": false,
"dashLength": 10,
"dashes": false,
"datasource": null,
"description": "RSS used by NGINX Service Mesh sidecars",
"fieldConfig": {
"defaults": {},
"overrides": []
},
"fill": 1,
"fillGradient": 0,
"gridPos": {
"h": 8,
"w": 12,
"x": 0,
"y": 15
},
"hiddenSeries": false,
"id": 123126,
"legend": {
"avg": false,
"current": false,
"max": false,
"min": false,
"show": true,
"total": false,
"values": false
},
"lines": true,
"linewidth": 1,
"nullPointMode": "null",
"options": {
"alertThreshold": true
},
"percentage": false,
"pluginVersion": "8.1.7",
"pointradius": 2,
"points": false,
"renderer": "flot",
"seriesOverrides": [],
"spaceLength": 10,
"stack": false,
"steppedLine": false,
"targets": [
{
"expr": "nginxplus_workers_mem_rss",
"interval": "",
"legendFormat": "",
"refId": "A"
}
],
"thresholds": [],
"timeFrom": null,
"timeRegions": [],
"timeShift": null,
"title": "Sidecar Memory Usage (RSS)",
"tooltip": {
"shared": true,
"sort": 0,
"value_type": "individual"
},
"type": "graph",
"xaxis": {
"buckets": null,
"mode": "time",
"name": null,
"show": true,
"values": []
},
"yaxes": [
{
"format": "decbytes",
"label": null,
"logBase": 1,
"max": null,
"min": null,
"show": true
},
{
"format": "short",
"label": null,
"logBase": 1,
"max": null,
"min": null,
"show": true
}
],
"yaxis": {
"align": false,
"alignLevel": null
}
},
{
"aliasColors": {},
"bars": false,
"dashLength": 10,
"dashes": false,
"datasource": null,
"description": "Private memory used by NGINX Service Mesh sidecars",
"fieldConfig": {
"defaults": {},
"overrides": []
},
"fill": 1,
"fillGradient": 0,
"gridPos": {
"h": 8,
"w": 12,
"x": 12,
"y": 15
},
"hiddenSeries": false,
"id": 123128,
"legend": {
"avg": false,
"current": false,
"max": false,
"min": false,
"show": true,
"total": false,
"values": false
},
"lines": true,
"linewidth": 1,
"nullPointMode": "null",
"options": {
"alertThreshold": true
},
"percentage": false,
"pluginVersion": "8.1.7",
"pointradius": 2,
"points": false,
"renderer": "flot",
"seriesOverrides": [],
"spaceLength": 10,
"stack": false,
"steppedLine": false,
"targets": [
{
"expr": "nginxplus_workers_mem_private",
"interval": "",
"legendFormat": "",
"refId": "A"
}
],
"thresholds": [],
"timeFrom": null,
"timeRegions": [],
"timeShift": null,
"title": "Sidecar Memory Usage (Private)",
"tooltip": {
"shared": true,
"sort": 0,
"value_type": "individual"
},
"type": "graph",
"xaxis": {
"buckets": null,
"mode": "time",
"name": null,
"show": true,
"values": []
},
"yaxes": [
{
"format": "short",
"label": null,
"logBase": 1,
"max": null,
"min": null,
"show": true
},
{
"format": "short",
"label": null,
"logBase": 1,
"max": null,
"min": null,
"show": true
}
],
"yaxis": {
"align": false,
"alignLevel": null
}
}
],
"refresh": "5s",
"schemaVersion": 27,
"style": "dark",
"tags": [],
"templating": {
"list": []
},
"time": {
"from": "now-5m",
"to": "now"
},
"timepicker": {
"refresh_intervals": [
"5s",
"10s",
"30s",
"1m",
"5m",
"15m",
"30m",
"1h",
"2h",
"1d"
],
"time_options": [
"5m",
"15m",
"1h",
"6h",
"12h",
"24h",
"2d",
"7d",
"30d"
]
},
"timezone": "",
"title": "NGINX Mesh Top",
"uid": "N3zQ72OWk",
"version": 1
}


@ -0,0 +1,15 @@
instance_name = nginx-mesh-grafana
[auth]
disable_login_form = true
[auth.anonymous]
enabled = true
org_role = Admin
[auth.basic]
enabled = false
[analytics]
check_for_updates = false
Events: <none>
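Review bot: `[auth.anonymous] enabled = true` with `org_role = Admin` and `disable_login_form = true` gives every client that can reach the Grafana service full administrative rights, including editing datasources and the provisioned dashboards marked `editable: true`. If the intent is a read-only mesh dashboard, `org_role = Viewer` keeps the login-free experience without the write surface; if Admin is required, the chart should keep the Service ClusterIP-only and document that it must not be exposed through an Ingress. The trailing `Events: <none>` line looks like pasted `kubectl describe` output rather than an ini key and should be removed.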


@ -0,0 +1,9 @@
log_level = "debug"
trust_domain = {{ quote .Values.mtls.trustDomain }}
server_socket_path = "/run/spire/sockets/spire-registration.sock"
cluster = "nginx-mesh"
pod_controller = true
add_svc_dns_name = true
mode = "crd"
webhook_enabled = true
webhook_cert_dir = "/tmp/k8s-webhook-server/serving-certs"
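Review bot: `log_level = "debug"` ships as the rendered default here, and the SPIRE agent and server configs in this commit do the same with `log_level = "DEBUG"`; debug output from the registrar and the SPIRE components is verbose and may include workload-identity and attestation details that belong in a troubleshooting session rather than in steady-state logs. Consider `log_level = "info"` as the rendered default and exposing the level through a Helm value (none is defined yet) so operators can raise it when needed.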


@ -0,0 +1,60 @@
{
"accessControlMode": {{ quote .Values.accessControlMode }},
"api": {
"address": {{ printf "nginx-mesh-api.%s" .Release.Namespace }},
"containerPort": 8443,
"port": 443
},
"autoInjectorPort": 9443,
"injection": {
"disabledNamespaces": {{ .Values.autoInjection.disabledNamespaces }},
"enabledNamespaces": {{ .Values.autoInjection.enabledNamespaces }},
"isAutoInjectEnabled": {{ not .Values.autoInjection.disable }}
},
"loadBalancingMethod": {{ quote .Values.nginxLBMethod }},
"mtlsMode": {{ quote .Values.mtls.mode }},
"namespace": {{ quote .Release.Namespace }},
"nginxErrorLogLevel": {{ quote .Values.nginxErrorLogLevel }},
"nginxLogFormat": {{ quote .Values.nginxLogFormat }},
"prometheusAddress": {{ include "prometheus.address" . | quote }},
"proxy": {
"ports": {
"incoming": 8888,
"incomingGrpc": 8891,
"incomingGrpcPermissive": 8893,
"incomingNotInKeyval": 8903,
"incomingPermissive": 8890,
"incomingRedirect": 8901,
"incomingTcp": 8904,
"incomingTcpDeny": 8905,
"incomingTcpPermissive": 8907,
"metrics": 8887,
"outgoing": 8889,
"outgoingDefaultEgress": 8894,
"outgoingGrpc": 8892,
"outgoingNotInKeyval": 8902,
"outgoingRedirect": 8900,
"outgoingTcp": 8906,
"plusApi": 8886,
"redirectHealthPort": 8895,
"redirectHealthPortHTTPS": 8896
},
"transparent": false
},
"registryKeyName": {{ if (include "docker-config-json" .) }}{{ include "registry-key-name" . | quote }}{{ else }}""{{ end }},
"sidecarImage": {
"image": {{ printf "%s/nginx-mesh-sidecar:%s" .Values.registry.server .Values.registry.imageTag }},
"name": "nginx-mesh-sidecar"
},
"sidecarInitImage": {
"image": {{ printf "%s/nginx-mesh-init:%s" .Values.registry.server .Values.registry.imageTag }},
"name": "nginx-mesh-init"
},
"tracing": {
"backend": {{ quote .Values.tracing.backend }},
"backendAddress": {{ include "tracing.address" . | quote }},
"isEnabled": {{ not .Values.tracing.disable }},
"sampleRate": {{ .Values.tracing.sampleRate }}
},
"trustDomain": {{ quote .Values.mtls.trustDomain }}
}
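Review bot: `"address": {{ printf "nginx-mesh-api.%s" .Release.Namespace }}` and the two `"image": {{ printf ... }}` lines render their value without quotes, while every sibling string in this file goes through `quote`; unless the consumer is a lenient parser the result is not valid JSON. Pipe them through quote as well: `"address": {{ printf "nginx-mesh-api.%s" .Release.Namespace | quote }},` and `| quote` on both image lines. `"disabledNamespaces"` and `"enabledNamespaces"` are emitted with a bare `{{ .Values... }}`; if those values are YAML lists they print in Go's `[a b]` form rather than JSON, so `toJson` is the safe form there — whether they are lists or pre-formatted strings is not visible in this hunk.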


@ -0,0 +1,8 @@
pid_file: "/var/run/nats/nats.pid"
http: 8222
tls: {
ca_file: "/etc/ssl/ca.crt"
cert_file: "/etc/ssl/tls.crt"
key_file: "/etc/ssl/tls.key"
verify: true
}
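Review bot: `http: 8222` enables the NATS monitoring endpoint on all interfaces with no authentication, while the client side is locked down with mutual TLS (`verify: true`); the monitoring API exposes connection and subscription metadata for every connected client. If the port exists only for a health probe, say so in a comment and restrict it with a NetworkPolicy to the probe source; otherwise drop the line. What consumes this port is not visible in the hunk.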


@ -0,0 +1,72 @@
global:
scrape_interval: 10s
scrape_configs:
- job_name: 'nginx-mesh-sidecars'
kubernetes_sd_configs:
- role: pod
relabel_configs:
- source_labels: [__meta_kubernetes_pod_container_name]
action: keep
regex: nginx-mesh-sidecar
- action: labelmap
regex: __meta_kubernetes_pod_label_nsm_nginx_com_(.+)
- action: labeldrop
regex: __meta_kubernetes_pod_label_nsm_nginx_com_(.+)
- action: labelmap
regex: __meta_kubernetes_pod_label_(.+)
- source_labels: [__meta_kubernetes_namespace]
action: replace
target_label: namespace
- source_labels: [__meta_kubernetes_pod_name]
action: replace
target_label: pod
- job_name: 'nginx-plus-ingress'
kubernetes_sd_configs:
- role: pod
relabel_configs:
- source_labels: [__meta_kubernetes_pod_container_name]
action: keep
regex: nginx-plus-ingress
- source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_scrape]
action: keep
regex: true
- source_labels: [__address__, __meta_kubernetes_pod_annotation_prometheus_io_port]
action: replace
target_label: __address__
regex: (.+)(?::\d+);(\d+)
replacement: $1:$2
- source_labels: [__meta_kubernetes_namespace]
action: replace
target_label: namespace
- source_labels: [__meta_kubernetes_pod_name]
action: replace
target_label: pod
- action: labelmap
regex: __meta_kubernetes_pod_label_nsm_nginx_com_(.+)
- action: labeldrop
regex: __meta_kubernetes_pod_label_nsm_nginx_com_(.+)
- action: labelmap
regex: __meta_kubernetes_pod_label_(.+)
- action: labelmap
regex: __meta_kubernetes_pod_annotation_nsm_nginx_com_enable_(.+)
metric_relabel_configs:
- source_labels: [__name__]
regex: 'nginx_ingress_controller_upstream_server_response_latency_ms(.+)'
target_label: __name__
replacement: 'nginxplus_upstream_server_response_latency_ms$1'
- source_labels: [__name__]
regex: 'nginx_ingress_nginxplus(.+)'
target_label: __name__
replacement: 'nginxplus$1'
- source_labels: [service]
target_label: dst_service
- source_labels: [resource_namespace]
target_label: dst_namespace
- source_labels: [pod_owner]
regex: '(.+)\/(.+)'
target_label: dst_$1
replacement: $2
- action: labeldrop
regex: pod_owner
- source_labels: [pod_name]
target_label: dst_pod
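Review bot: `regex: true` in the `prometheus_io_scrape` keep rule is an unquoted boolean; Prometheus's YAML decoder accepts it as the text `true`, but `regex: 'true'` matches the quoted style already used for the metric_relabel regexes in this file and avoids the truthy lint. In the `__address__` rewrite, `regex: (.+)(?::\d+);(\d+)` requires a port in the discovered address, so a pod with no declared containerPort (bare IP address) never matches and keeps its unrewritten address; the usual form makes the port optional, `regex: ([^:]+)(?::\d+)?;(\d+)`. Both jobs use `role: pod` without a namespaces selector, so the Prometheus ServiceAccount needs cluster-wide list/watch on pods — a comment stating that keeps the RBAC scope deliberate.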


@ -0,0 +1,33 @@
agent {
data_dir = "/run/spire"
log_level = "DEBUG"
server_address = "spire-server"
server_port = "8081"
socket_path = "/run/spire/sockets/agent.sock"
trust_bundle_path = "/run/spire/bundle/bundle.crt"
trust_domain = {{ quote .Values.mtls.trustDomain }}
}
plugins {
NodeAttestor "k8s_psat" {
plugin_data {
cluster = "nginx-mesh"
}
}
KeyManager "memory" {
plugin_data {
}
}
WorkloadAttestor "k8s" {
plugin_data {
skip_kubelet_verification = true
}
}
WorkloadAttestor "unix" {
plugin_data {
}
}
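Review bot: `skip_kubelet_verification = true` makes the k8s WorkloadAttestor accept the kubelet's serving certificate without validation, so the pod-to-workload mapping that every SVID issuance depends on is obtained over an unauthenticated channel to whatever answers on the kubelet port. On clusters whose kubelets serve cluster-CA-signed certificates, `skip_kubelet_verification = false` with `kubelet_ca_path` pointing at the mounted CA is the stricter configuration; if the skip is needed for the supported platforms, make it a Helm value that defaults to the hardened form and document why it exists. The fixed `cluster = "nginx-mesh"` must match the `clusters` map in the server config, which it does.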
}


@ -0,0 +1,61 @@
server {
bind_address = "0.0.0.0"
bind_port = "8081"
ca_ttl = {{ quote .Values.mtls.caTTL }}
data_dir = "/run/spire/data"
log_level = "DEBUG"
socket_path = "/run/spire/sockets/spire-registration.sock"
default_svid_ttl = {{ quote .Values.mtls.svidTTL }}
trust_domain = {{ quote .Values.mtls.trustDomain }}
ca_subject = {
country = ["US"],
organization = ["NGINX"],
common_name = "",
}
}
plugins {
DataStore "sql" {
plugin_data {
database_type = "sqlite3"
connection_string = "/run/spire/data/datastore.sqlite3"
}
}
NodeAttestor "k8s_psat" {
plugin_data {
clusters = {
"nginx-mesh" = {
service_account_allow_list = [{{ printf "%s:spire-agent" .Release.Namespace | quote }}]
}
}
}
}
Notifier "k8sbundle" {
plugin_data {
namespace = {{ quote .Release.Namespace }}
webhook_label = "spiffe.io/webhook"
api_service_label = "spiffe.io/apiservice"
}
}
KeyManager {{ quote .Values.mtls.spireServerKeyManager }} {
{{- if eq .Values.mtls.spireServerKeyManager "disk" }}
plugin_data {
keys_path = "/run/spire/data/keys.json"
}
{{- end }}
}
{{ if .Values.mtls.upstreamAuthority.awsPCA }}
{{ tpl (.Files.Get "configs/upstreamAuthority/aws-pca-ua.conf") . }}
{{ else if .Values.mtls.upstreamAuthority.awsSecret }}
{{ tpl (.Files.Get "configs/upstreamAuthority/aws-secret-ua.conf") . }}
{{ else if .Values.mtls.upstreamAuthority.disk }}
{{ tpl (.Files.Get "configs/upstreamAuthority/disk-ua.conf") . }}
{{ else if .Values.mtls.upstreamAuthority.vault }}
{{ tpl (.Files.Get "configs/upstreamAuthority/vault-ua.conf") . }}
{{ end }}
}
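Review bot: `KeyManager {{ quote .Values.mtls.spireServerKeyManager }}` only receives `plugin_data` for the disk backend, so with the memory backend the CA signing key lives in process memory and a server restart mints a new CA; together with the sqlite datastore under `/run/spire/data`, the chart's persistent-storage setting decides whether existing SVIDs survive a pod restart. A short comment beside the KeyManager block stating that trade-off would help operators choosing the value. The `{{ if ... }}` chain at the end emits nothing when no upstream authority is selected, which is fine, but a trailing comment such as `# no upstream authority: the server is the root CA` would make the self-signed case explicit.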


@ -0,0 +1,3 @@
[default]
aws_access_key_id = {{ .Values.mtls.upstreamAuthority.awsPCA.awsAccessKeyID }}
aws_secret_access_key = {{ .Values.mtls.upstreamAuthority.awsPCA.awsSecretAccessKey }}
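Review bot: `aws_access_key_id` / `aws_secret_access_key` are rendered from plain Helm values, so long-lived static AWS credentials end up in values files and in the stored release (`helm get values` shows them); the aws-secret upstream authority config in this commit takes the same keys through `access_key_id` / `secret_access_key`. Prefer the role-based path the templates already support (`assume_role_arn` plus node or pod identity) and, where static keys are unavoidable, reference a pre-existing Secret by name instead of carrying the values. Whether this file is mounted from a Secret or a ConfigMap is not visible here; it must be a Secret.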


@ -0,0 +1,16 @@
UpstreamAuthority "aws_pca" {
plugin_data {
region = {{ quote .Values.mtls.upstreamAuthority.awsPCA.region }}
certificate_authority_arn = {{ quote .Values.mtls.upstreamAuthority.awsPCA.certificateAuthorityArn }}
{{- if .Values.mtls.upstreamAuthority.awsPCA.caSigningTemplateArn }}
ca_signing_template_arn = {{ quote .Values.mtls.upstreamAuthority.awsPCA.caSigningTemplateArn }}{{ end }}
{{- if .Values.mtls.upstreamAuthority.awsPCA.signingAlgorithm }}
signing_algorithm = {{ quote .Values.mtls.upstreamAuthority.awsPCA.signingAlgorithm }}{{ end }}
{{- if .Values.mtls.upstreamAuthority.awsPCA.assumeRoleArn }}
assume_role_arn = {{ quote .Values.mtls.upstreamAuthority.awsPCA.assumeRoleArn }}{{end}}
{{- if .Values.mtls.upstreamAuthority.awsPCA.endpoint }}
endpoint = {{ quote .Values.mtls.upstreamAuthority.awsPCA.endpoint }}{{end}}
{{- if .Values.mtls.upstreamAuthority.awsPCA.supplementalBundlePath }}
supplemental_bundle_path = "/run/spire/config/upstreamBundle.crt"{{end}}
}
}
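Review bot: the closing actions are written inconsistently — `{{ end }}` after ca_signing_template_arn and signing_algorithm, `{{end}}` after assume_role_arn, endpoint and supplemental_bundle_path; the vault config in this commit likewise has `{{- if .Values.mtls.upstreamAuthority.vault.certAuth}}` without the space. Use `{{ end }}` and `.certAuth }}` throughout so the templates read like the rest of the chart. `supplemental_bundle_path` is hard-coded to `/run/spire/config/upstreamBundle.crt` while gated on a value of the same name, which reads as though the value were the path; a comment saying the value only toggles the mount would prevent that confusion.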


@ -0,0 +1,15 @@
UpstreamAuthority "awssecret" {
plugin_data {
region = {{ quote .Values.mtls.upstreamAuthority.awsSecret.region }}
cert_file_arn = {{ quote .Values.mtls.upstreamAuthority.awsSecret.certFileArn }}
key_file_arn = {{ quote .Values.mtls.upstreamAuthority.awsSecret.keyFileArn }}
{{- if .Values.mtls.upstreamAuthority.awsSecret.awsAccessKeyID }}
access_key_id = {{ quote .Values.mtls.upstreamAuthority.awsSecret.awsAccessKeyID }}{{ end }}
{{- if .Values.mtls.upstreamAuthority.awsSecret.awsSecretAccessKey }}
secret_access_key = {{ quote .Values.mtls.upstreamAuthority.awsSecret.awsSecretAccessKey }}{{ end }}
{{- if .Values.mtls.upstreamAuthority.awsSecret.awsSecretToken }}
secret_token = {{ quote .Values.mtls.upstreamAuthority.awsSecret.awsSecretToken }}{{ end }}
{{- if .Values.mtls.upstreamAuthority.awsSecret.assumeRoleArn }}
assume_role_arn = {{ quote .Values.mtls.upstreamAuthority.awsSecret.assumeRoleArn }}{{ end }}
}
}


@ -0,0 +1,8 @@
UpstreamAuthority "disk" {
plugin_data {
cert_file_path = "/run/spire/config/upstreamCA.crt"
key_file_path = "/run/spire/secrets/upstreamCA.key"
{{- if .Values.mtls.upstreamAuthority.disk.bundle }}
bundle_file_path = "/run/spire/config/upstreamBundle.crt"{{ end }}
}
}


@ -0,0 +1,28 @@
UpstreamAuthority "vault" {
plugin_data {
vault_addr = {{ quote .Values.mtls.upstreamAuthority.vault.vaultAddr }}
namespace = {{ quote .Values.mtls.upstreamAuthority.vault.namespace }}
ca_cert_path = "/run/spire/config/upstreamCA.crt"
{{- if .Values.mtls.upstreamAuthority.vault.pkiMountPoint }}
pki_mount_path = {{ quote .Values.mtls.upstreamAuthority.vault.pkiMountPoint }}{{ end }}
{{- if .Values.mtls.upstreamAuthority.vault.insecureSkipVerify }}
insecure_skip_verify = {{ .Values.mtls.upstreamAuthority.vault.insecureSkipVerify }}{{ end }}
{{- if .Values.mtls.upstreamAuthority.vault.certAuth}}
cert_auth = {
client_cert_path = "/run/spire/config/upstreamClient.crt"
client_key_path = "/run/spire/secrets/upstreamClient.key"
{{- if .Values.mtls.upstreamAuthority.vault.certAuth.certAuthRoleName }}
cert_auth_role_name = {{ quote .Values.mtls.upstreamAuthority.vault.certAuth.certAuthRoleName }}{{ end }}
{{- if .Values.mtls.upstreamAuthority.vault.certAuth.certAuthMountPoint }}
cert_auth_mount_point = {{ quote .Values.mtls.upstreamAuthority.vault.certAuth.certAuthMountPoint }}{{ end }}
}{{ end }}
{{- if .Values.mtls.upstreamAuthority.vault.tokenAuth }}
token_auth = {}{{ end }}
{{- if .Values.mtls.upstreamAuthority.vault.approleAuth }}
approle_auth = {
approle_id = {{ quote .Values.mtls.upstreamAuthority.vault.approleAuth.approleID }}
{{- if .Values.mtls.upstreamAuthority.vault.approleAuth.approleAuthMountPoint }}
approle_auth_mount_point = {{ quote .Values.mtls.upstreamAuthority.vault.approleAuth.approleAuthMountPoint }}{{ end }}
}{{ end }}
}
}
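Review bot: `insecure_skip_verify` is passed straight through from values, which lets the upstream-CA channel to Vault run without TLS verification — that channel carries the CSRs for the mesh's intermediate CA, so a tampered connection yields a mesh CA signed by an attacker-controlled endpoint. Keep the knob, but document in values.yaml that it is for development only and consider rendering a warning when it is set. `token_auth = {}` relies on the token arriving out of band (presumably via the environment); a comment naming that requirement would save the next operator a debugging session.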


@ -0,0 +1,78 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: circuitbreakers.specs.smi.nginx.com
labels:
app.kubernetes.io/part-of: nginx-service-mesh
spec:
group: specs.smi.nginx.com
scope: Namespaced
names:
kind: CircuitBreaker
listKind: CircuitBreakerList
shortNames:
- cb
plural: circuitbreakers
singular: circuitbreaker
versions:
- name: v1alpha1
served: true
storage: true
schema:
openAPIV3Schema:
type: object
required:
- spec
properties:
spec:
description: Specifications of this circuit breaker.
type: object
required:
- destination
- errors
- timeoutSeconds
properties:
destination:
description: The destination of this circuit breaker.
type: object
required:
- name
- kind
properties:
kind:
description: Kind of the destination.
type: string
enum:
- Service
name:
description: Name of the destination.
type: string
minLength: 1
namespace:
description: Namespace of the destination.
type: string
errors:
description: The number of errors allowed within the timeout before
tripping the circuit.
type: integer
minimum: 0
timeoutSeconds:
description: The timeout window for errors to occur, and the amount
of time to wait before closing the circuit.
type: integer
minimum: 0
fallback:
description: The fallback Service to send traffic to when the circuit
is tripped.
type: object
properties:
service:
description: The fallback Service to send traffic to when the
circuit is tripped.
type: string
port:
description: The port of the fallback Service.
type: integer
minimum: 0
maximum: 65535
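Review bot: `fallback.port` allows `minimum: 0`, but port 0 is not a routable destination port; `minimum: 1` matches what the proxy can actually use. `fallback.service` has no `minLength: 1` while `destination.name` does, so an empty fallback service name passes admission and has to be rejected later by the controller; adding `minLength: 1` under `service` makes the two consistent.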


@ -0,0 +1,68 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: httproutegroups.specs.smi-spec.io
labels:
app.kubernetes.io/part-of: nginx-service-mesh
spec:
group: specs.smi-spec.io
scope: Namespaced
names:
kind: HTTPRouteGroup
shortNames:
- htr
plural: httproutegroups
singular: httproutegroup
versions:
- name: v1alpha3
served: true
storage: true
schema:
openAPIV3Schema:
type: object
properties:
spec:
type: object
required:
- matches
properties:
matches:
description: Match conditions of this route group.
type: array
items:
type: object
required:
- name
properties:
name:
description: Name of the HTTP route.
type: string
pathRegex:
description: URI path regex of the HTTP route.
type: string
methods:
description: The HTTP methods of this HTTP route.
type: array
items:
type: string
description: The HTTP method of this HTTP route.
enum:
- "*"
- GET
- HEAD
- PUT
- POST
- DELETE
- CONNECT
- OPTIONS
- TRACE
- PATCH
headers:
description: Header match conditions of this route.
type: array
items:
description: Header match condition of this route.
type: object
additionalProperties:
type: string
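Review bot: `pathRegex` is an unconstrained string that any tenant with write access to HTTPRouteGroups in its namespace can set, and it ends up compiled into the data plane's route matching; a `maxLength` at admission (and a compile check in the controller, if one does not already exist) bounds malformed or pathological patterns early. The `headers` items are `additionalProperties: type: string` with no `maxProperties`, so the same bounding argument applies. This CRD also omits `listKind` where the CircuitBreaker and RateLimit CRDs in this commit set it; the API server defaults it, but setting it keeps the CRDs uniform.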


@ -0,0 +1,175 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: ratelimits.specs.smi.nginx.com
labels:
app.kubernetes.io/part-of: nginx-service-mesh
spec:
group: specs.smi.nginx.com
scope: Namespaced
names:
kind: RateLimit
listKind: RateLimitList
shortNames:
- rl
plural: ratelimits
singular: ratelimit
versions:
- name: v1alpha1
served: true
storage: false
schema:
openAPIV3Schema:
type: object
properties:
spec:
type: object
required:
- name
- destination
- rate
properties:
destination:
description: The destination of this rate limit.
type: object
required:
- name
- kind
properties:
kind:
description: Kind of the destination.
type: string
minLength: 1
name:
description: Name of the destination.
type: string
minLength: 1
namespace:
description: Namespace of the destination.
type: string
sources:
description: Sources of this rate limit.
type: array
items:
type: object
required:
- name
- kind
properties:
kind:
description: Kind of this source.
type: string
minLength: 1
name:
description: Name of this source.
type: string
minLength: 1
namespace:
description: Namespace of this source.
type: string
name:
description: Name of this rate limit spec.
type: string
minLength: 1
rate:
description: The allowed rate of traffic.
type: string
pattern: "^[0-9]+r/[s,m]$"
burst:
description: The number of requests to allow beyond the given rate.
type: integer
minimum: 0
delay:
description: The number of requests after which to delay requests.
x-kubernetes-int-or-string: true
- name: v1alpha2
served: true
storage: true
schema:
openAPIV3Schema:
type: object
properties:
spec:
type: object
required:
- name
- destination
- rate
properties:
destination:
description: The destination of this rate limit.
type: object
required:
- name
- kind
properties:
kind:
description: Kind of the destination.
type: string
minLength: 1
name:
description: Name of the destination.
type: string
minLength: 1
namespace:
description: Namespace of the destination.
type: string
sources:
description: Sources of this rate limit.
type: array
items:
type: object
required:
- name
- kind
properties:
kind:
description: Kind of this source.
type: string
minLength: 1
name:
description: Name of this source.
type: string
minLength: 1
namespace:
description: Namespace of this source.
type: string
name:
description: Name of this rate limit spec.
type: string
minLength: 1
rate:
description: The allowed rate of traffic.
type: string
pattern: "^[0-9]+r/[s,m]$"
burst:
description: The number of requests to allow beyond the given rate.
type: integer
minimum: 0
delay:
description: The number of requests after which to delay requests.
x-kubernetes-int-or-string: true
rules:
description: Routing rules of this rate limit.
type: array
items:
type: object
required:
- name
- kind
properties:
kind:
description: Kind of this routing rule.
type: string
enum:
- HTTPRouteGroup
name:
description: Name of this routing rule.
type: string
minLength: 1
matches:
description: Match conditions of this routing rule.
type: array
items:
type: string
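Review bot: `pattern: "^[0-9]+r/[s,m]$"` uses a character class, so the comma is a literal member and `10r/,` passes validation while meaning nothing to the limiter; the intent is `pattern: "^[0-9]+r/[sm]$"`. The same pattern appears in both the v1alpha1 and v1alpha2 schemas, so fix both. `delay` is `x-kubernetes-int-or-string: true` with no mention of the accepted string form in its description; a word on which string values are valid would help users.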


@ -0,0 +1,23 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: tcproutes.specs.smi-spec.io
labels:
app.kubernetes.io/part-of: nginx-service-mesh
spec:
group: specs.smi-spec.io
scope: Namespaced
names:
kind: TCPRoute
shortNames:
- tr
plural: tcproutes
singular: tcproute
versions:
- name: v1alpha3
served: true
storage: true
schema:
openAPIV3Schema:
type: object
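Review bot: the v1alpha3 schema is just `type: object` with no properties and no `x-kubernetes-preserve-unknown-fields`, so under apiextensions.k8s.io/v1 the API server prunes everything inside `spec` on admission; if TCPRoute objects are expected to carry any fields (the SMI spec defines `spec.matches.ports`), they are silently dropped. If the mesh only uses the object's existence and name, add a comment saying so; otherwise add `x-kubernetes-preserve-unknown-fields: true` or define `spec.matches` as the other CRDs do.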


@ -0,0 +1,72 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: trafficsplits.split.smi-spec.io
labels:
app.kubernetes.io/part-of: nginx-service-mesh
spec:
group: split.smi-spec.io
scope: Namespaced
names:
kind: TrafficSplit
listKind: TrafficSplitList
shortNames:
- ts
plural: trafficsplits
singular: trafficsplit
versions:
- name: v1alpha3
served: true
storage: true
additionalPrinterColumns:
- name: Service
type: string
description: The apex service of this split.
jsonPath: .spec.service
schema:
openAPIV3Schema:
type: object
properties:
spec:
type: object
required:
- service
- backends
properties:
service:
description: The apex service of this split.
type: string
matches:
description: The HTTP route groups that this traffic split should
match.
type: array
items:
type: object
required:
- kind
- name
properties:
kind:
description: Kind of the matching group.
type: string
enum:
- HTTPRouteGroup
name:
description: Name of the matching group.
type: string
backends:
description: The backend services of this split.
type: array
items:
type: object
required:
- service
- weight
properties:
service:
description: Name of the Kubernetes service.
type: string
weight:
description: Traffic weight value of this backend.
type: number
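Review bot: `weight` is `type: number` with no `minimum`, so a negative or fractional weight is accepted at admission and its meaning is left to the controller; SMI defines weight as a non-negative integer, and `type: integer` with `minimum: 0` rejects the invalid values up front. `matches.items.name` has no `minLength: 1` even though the referenced HTTPRouteGroup must exist by name.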


@ -0,0 +1,92 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: traffictargets.access.smi-spec.io
labels:
app.kubernetes.io/part-of: nginx-service-mesh
spec:
group: access.smi-spec.io
scope: Namespaced
names:
kind: TrafficTarget
shortNames:
- tt
plural: traffictargets
singular: traffictarget
versions:
- name: v1alpha2
served: true
storage: true
schema:
openAPIV3Schema:
type: object
properties:
spec:
type: object
required:
- destination
properties:
destination:
description: The destination of this traffic target.
type: object
required:
- name
- kind
properties:
kind:
description: Kind of the destination.
type: string
name:
description: Name of the destination.
type: string
namespace:
description: Namespace of the destination.
type: string
port:
description: Port number of the destination.
type: number
rules:
description: Specifications of this traffic target.
type: array
items:
type: object
required:
- name
- kind
properties:
kind:
description: Kind of this spec.
type: string
enum:
- HTTPRouteGroup
- TCPRoute
name:
description: Name of this spec.
type: string
matches:
description: Match conditions of this spec.
type: array
items:
type: string
sources:
description: Sources of this traffic target.
type: array
items:
type: object
required:
- name
- kind
properties:
kind:
description: Kind of this source.
type: string
name:
description: Name of this source.
type: string
namespace:
description: Namespace of this source.
type: string
port:
description: Port number of the source.
type: number
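Review bot: `port` on both `destination` (L1625-L1627) and `sources[]` (L1669-L1671) is an unbounded `number`, so a fractional or out-of-range port is accepted at admission and fails only when the policy is applied. `type: integer` with `minimum: 1` and `maximum: 65535` expresses the real constraint at no cost. `destination.kind` (L1616-L1618) also has no `enum`, unlike `rules[].kind` on L1640-L1642; if the controller only supports one destination kind, an enum would make that explicit and reject typos early.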


@ -0,0 +1,197 @@
questions:
- variable: useDefaultImages
default: true
description: "Use default image settings."
label: Use default images
type: boolean
show_subquestion_if: false
group: "Image Registry"
subquestions:
- variable: registry.server
default: "docker-registry.nginx.com/nsm"
description: "Hostname:port (if needed) for registry and path to images."
label: Image registry server
type: string
- variable: registry.imageTag
default: "1.2.1"
description: "Tag used for pulling images from registry."
label: Image tag
type: string
- variable: registry.key
default: ""
description: "Contents of your Google Cloud JSON key file. Cannot be used with username or password."
label: Image registry key
type: string
- variable: registry.username
default: ""
description: "Username for accessing private registry."
label: Image registry username
type: string
- variable: registry.password
default: ""
description: "Password for accessing private registry."
label: Image registry password
type: string
- variable: registry.disablePublicImages
default: false
description: "Do not pull third party images from public repositories. If true, registry.server is used for all images."
label: Disable public images
type: boolean
- variable: registry.imagePullPolicy
default: "IfNotPresent"
description: "Image pull policy."
label: Image pull policy
type: string
- variable: useMtlsDefaults
default: true
description: "Use default mTLS settings."
label: Use default mTLS settings
type: boolean
show_subquestion_if: false
group: "Mutual TLS"
subquestions:
- variable: mtls.mode
default: "permissive"
description: "mTLS mode for pod-to-pod communication."
label: mTLS mode
type: enum
options:
- "off"
- "permissive"
- "strict"
- variable: mtls.caTTL
default: "720h"
description: "The CA/signing key TTL in hours(h) or minutes(m)."
label: mTLS caTTL
type: string
- variable: mtls.svidTTL
default: "1h"
description: "The TTL of certificates issued to workloads in hours(h) or minutes(m)."
label: mTLS svidTTL
type: string
- variable: mtls.trustDomain
default: "example.org"
description: "The trust domain of the NGINX Service Mesh."
label: mTLS trust domain
type: string
- variable: mtls.persistentStorage
default: "on"
description: "Use persistent storage; 'on' assumes that a StorageClass exists."
label: mTLS persistent storage
type: enum
options:
- "on"
- "off"
- variable: mtls.spireServerKeyManager
default: "disk"
description: "Storage logic for Spire Server's private keys."
label: mTLS spire server key manager
type: enum
options:
- "disk"
- "memory"
- variable: useTracingDefaults
default: true
description: "Use default tracing settings."
label: Use default tracing settings
type: boolean
show_subquestion_if: false
group: "Tracing"
subquestions:
- variable: tracing.disable
default: false
description: "Disable tracing for all services."
label: Disable tracing
type: boolean
- variable: tracing.address
default: ""
description: "The address of a tracing server deployed in your Kubernetes cluster."
label: Tracing address
type: string
- variable: tracing.backend
default: "jaeger"
description: "The tracing backend that you want to use."
label: Tracing backend
type: enum
options:
- "jaeger"
- "zipkin"
- "datadog"
- variable: tracing.sampleRate
default: 0.01
description: "The sample rate to use for tracing. Float between 0 and 1."
label: Tracing sample rate
type: float
- variable: autoInjection.disable
default: false
description: "Disable automatic sidecar injection upon resource creation."
label: Disable auto injection
type: boolean
group: "General Settings"
- variable: accessControlMode
default: "allow"
description: "Default access control mode for service-to-service communication."
label: Access control mode
type: enum
options:
- "allow"
- "deny"
group: "General Settings"
- variable: deployGrafana
default: true
description: "Deploy Grafana as a part of NGINX Service Mesh."
label: Deploy Grafana
type: boolean
group: "General Settings"
- variable: nginxErrorLogLevel
default: "warn"
description: "NGINX error log level."
label: NGINX error log level.
type: enum
options:
- "debug"
- "info"
- "notice"
- "warn"
- "error"
- "crit"
- "alert"
- "emerg"
group: "General Settings"
- variable: nginxLogFormat
default: "default"
description: "NGINX log format."
label: NGINX log format.
type: enum
options:
- "default"
- "json"
group: "General Settings"
- variable: nginxLBMethod
default: "least_time"
description: "NGINX load balancing method."
label: NGINX load balancing method.
type: enum
options:
- "least_conn"
- "least_time"
- "least_time last_byte"
- "least_time last_byte inflight"
- "random"
- "random two"
- "random two least_conn"
- "random two least_time"
- "random two least_time=last_byte"
- "round_robin"
group: "General Settings"
- variable: prometheusAddress
description: "The address of a Prometheus server deployed in your Kubernetes cluster."
label: Prometheus address.
type: string
group: "General Settings"
- variable: rancher
default: true
description: "Enables Rancher for NGINX Service Mesh (do not disable)."
label: Rancher
type: boolean
group: "General Settings"
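Review bot: `registry.password` (L1705-L1709) and `registry.key` (L1695-L1699) are declared `type: string`, so Rancher renders the registry password and the full Google Cloud JSON key as plain visible form fields. Rancher's questions schema has a `password` type that masks the value in the UI; changing both to `type: password` is a one-line fix each. The `rancher` question (L1867-L1872) is exposed as a toggle while its own description says "do not disable"; if it must stay true under Rancher, consider dropping it from the questions list rather than inviting a misconfiguration.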


@ -0,0 +1 @@
NGINX Service Mesh has been installed. Ensure all NGINX Service Mesh Pods are in the Ready state before deploying your apps.


@ -0,0 +1,165 @@
{{- define "jaeger.image-server" -}}
{{- if not .Values.registry.disablePublicImages }}jaegertracing{{ else }}{{ .Values.registry.server }}{{ end }}
{{- end }}
{{- define "zipkin.image-server" -}}
{{- if not .Values.registry.disablePublicImages }}openzipkin{{ else }}{{ .Values.registry.server }}{{ end }}
{{- end }}
{{- define "tracing.address" -}}
{{- if ne .Values.tracing.address "" -}}
{{ .Values.tracing.address }}
{{- else if eq .Values.tracing.backend "jaeger" -}}
jaeger.{{.Release.Namespace}}.svc.cluster.local:6831
{{- else if eq .Values.tracing.backend "zipkin" -}}
zipkin.{{.Release.Namespace}}.svc.cluster.local:9411
{{- end }}
{{- end }}
{{- define "prometheus.address" -}}
{{- if eq .Values.prometheusAddress "" -}}
prometheus.{{.Release.Namespace}}.svc.cluster.local:9090
{{- else -}}
{{ .Values.prometheusAddress }}
{{- end }}
{{- end }}
{{- define "prometheus.image-server" -}}
{{- if not .Values.registry.disablePublicImages }}prom{{ else }}{{ .Values.registry.server }}{{ end }}
{{- end }}
{{- define "grafana.image-server" -}}
{{- if not .Values.registry.disablePublicImages }}grafana{{ else }}{{ .Values.registry.server }}{{ end }}
{{- end }}
{{- define "nats.image-server" -}}
{{- if not .Values.registry.disablePublicImages }}{{ else }}{{ .Values.registry.server }}/{{ end }}
{{- end }}
{{- define "spire.image-server" -}}
{{- if not .Values.registry.disablePublicImages }}gcr.io/spiffe-io{{ else }}{{ .Values.registry.server }}{{ end }}
{{- end }}
{{- define "hook.image-server" -}}
{{- if not .Values.registry.disablePublicImages }}bitnami{{ else }}{{ .Values.registry.server }}{{ end }}
{{- end }}
{{- define "registry-key-name" -}}
nginx-mesh-registry-key
{{- end }}
{{- define "docker-config-json" -}}
{{- if (and (.Values.registry.username) (.Values.registry.password)) }}
{
"auths": {
{{ quote .Values.registry.server }}: {
"username": {{ quote .Values.registry.username }},
"password": {{ quote .Values.registry.password }},
"auth": {{ printf "%s:%s" .Values.registry.username .Values.registry.password | b64enc | quote }}
}
}
}
{{- else if (.Values.registry.key) }}
{
"auths": {
{{ quote .Values.registry.server }}: {
"username": "_json_key",
"password": {{ quote .Values.registry.key }}
}
}
}
{{- end }}
{{- end }}
{{/*
Define the name of the key where the Upstream Authority secret data is stored.
*/}}
{{- define "ua-secret-name" -}}
{{- if .Values.mtls.upstreamAuthority.awsPCA -}}
credentials
{{- else if .Values.mtls.upstreamAuthority.disk -}}
upstreamCA.key
{{- else if .Values.mtls.upstreamAuthority.vault }}{{ if .Values.mtls.upstreamAuthority.vault.certAuth -}}
upstreamClient.key{{ end }}
{{- end }}
{{- end }}
{{/*
Define the name of the mount path where the Upstream Authority secret data is stored.
*/}}
{{- define "ua-secret-mountpath" -}}
{{- if .Values.mtls.upstreamAuthority.awsPCA -}}
/root/.aws
{{- else if .Values.mtls.upstreamAuthority.disk -}}
/run/spire/secrets
{{- else if .Values.mtls.upstreamAuthority.vault }}{{ if .Values.mtls.upstreamAuthority.vault.certAuth -}}
/run/spire/secrets{{ end }}
{{- end }}
{{- end }}
{{/*
Define the upstream certificate to be used for the Upstream Authority.
*/}}
{{- define "ua-upstream-cert" -}}
{{- if .Values.mtls.upstreamAuthority.disk -}}
upstreamCA.crt: {{ quote .Values.mtls.upstreamAuthority.disk.cert }}
{{- else if .Values.mtls.upstreamAuthority.vault -}}
upstreamCA.crt: {{ quote .Values.mtls.upstreamAuthority.vault.caCert }}
{{- end }}
{{- end }}
{{/*
Define the upstream bundle to be used for the Upstream Authority.
*/}}
{{- define "ua-upstream-bundle" -}}
{{- if .Values.mtls.upstreamAuthority.disk }}{{ if .Values.mtls.upstreamAuthority.disk.bundle -}}
upstreamBundle.crt: {{ quote .Values.mtls.upstreamAuthority.disk.bundle }}{{ end }}
{{- else if .Values.mtls.upstreamAuthority.awsPCA }}{{ if .Values.mtls.upstreamAuthority.awsPCA.supplementalBundle -}}
upstreamBundle.crt: {{ quote .Values.mtls.upstreamAuthority.awsPCA.supplementalBundle }}{{ end }}
{{- end }}
{{- end }}
{{/*
Define the Upstream Authority key to be stored in the Secret.
*/}}
{{- define "ua-upstream-key" -}}
{{- if .Values.mtls.upstreamAuthority.awsPCA -}}
{{ tpl (.Files.Get "configs/upstreamAuthority/aws-credentials.conf") . | b64enc }}
{{- else if .Values.mtls.upstreamAuthority.disk -}}
{{ .Values.mtls.upstreamAuthority.disk.key | b64enc }}
{{- else if .Values.mtls.upstreamAuthority.vault }}{{ if .Values.mtls.upstreamAuthority.vault.certAuth -}}
{{ .Values.mtls.upstreamAuthority.vault.certAuth.clientKey | b64enc }}{{ end }}
{{- end }}
{{- end }}
{{/*
Define variables associated with the Vault Upstream Authority.
*/}}
{{- define "ua-vault-env-name" -}}
{{- if .Values.mtls.upstreamAuthority.vault -}}
{{- if .Values.mtls.upstreamAuthority.vault.tokenAuth -}}
VAULT_TOKEN
{{- else if .Values.mtls.upstreamAuthority.vault.approleAuth -}}
VAULT_APPROLE_SECRET_ID
{{- end }}
{{- end }}
{{- end }}
{{- define "ua-vault-env-value" -}}
{{- if .Values.mtls.upstreamAuthority.vault -}}
{{- if .Values.mtls.upstreamAuthority.vault.tokenAuth -}}
{{ b64enc .Values.mtls.upstreamAuthority.vault.tokenAuth.token }}
{{- else if .Values.mtls.upstreamAuthority.vault.approleAuth -}}
{{ b64enc .Values.mtls.upstreamAuthority.vault.approleAuth.approleSecretID }}
{{- end }}
{{- end }}
{{- end }}
{{- define "ua-upstream-client-cert" -}}
{{- if .Values.mtls.upstreamAuthority.vault -}}
{{- if .Values.mtls.upstreamAuthority.vault.certAuth -}}
upstreamClient.crt: {{ quote .Values.mtls.upstreamAuthority.vault.certAuth.clientCert }}
{{- end }}
{{- end }}
{{- end }}
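Review bot: `tracing.address` (L1888-L1896) has branches only for `jaeger` and `zipkin`, yet `datadog` is an accepted `tracing.backend` option in questions.yaml (L1794), so with `backend: datadog` and an empty `tracing.address` the helper renders an empty string and whatever consumes it gets no address, with no error at install time. Either add a `datadog` default or fail loudly, e.g. `{{- else }}{{ fail "tracing.address must be set for the selected tracing backend" }}`. `docker-config-json` (L1922-L1943) hand-assembles JSON around `quote`, which uses Go `%q` escaping rather than JSON escaping; building the `auths` structure as a dict and rendering it with `toJson` would avoid edge cases in credentials containing unusual characters.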


@ -0,0 +1,137 @@
{{- if .Values.deployGrafana }}
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: grafana
labels:
app.kubernetes.io/part-of: nginx-service-mesh
imagePullSecrets:
- name: {{ include "registry-key-name" . }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: grafana.metrics.builtin.nsm.nginx
labels:
app.kubernetes.io/part-of: nginx-service-mesh
rules:
- apiGroups:
- ''
resources:
- services
- endpoints
- pods
verbs:
- get
- list
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: grafana.metrics.builtin.nsm.nginx
labels:
app.kubernetes.io/part-of: nginx-service-mesh
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: grafana.metrics.builtin.nsm.nginx
subjects:
- kind: ServiceAccount
name: grafana
namespace: {{ .Release.Namespace }}
---
apiVersion: v1
kind: ConfigMap
metadata:
name: grafana-config
labels:
app.kubernetes.io/part-of: nginx-service-mesh
data:
dashboards.yaml: {{ .Files.Get "configs/grafana-dashboard-conf.yaml" | quote }}
datasources.yaml: {{ tpl (.Files.Get "configs/grafana-datasources-conf.yaml") . | quote }}
grafana.ini: {{ .Files.Get "configs/grafana.ini" | quote }}
---
apiVersion: v1
kind: ConfigMap
metadata:
name: grafana-dashboards
labels:
app.kubernetes.io/part-of: nginx-service-mesh
data:
top.json: {{ .Files.Get "configs/grafana-top-dashboard.json" | quote }}
---
apiVersion: v1
kind: Service
metadata:
name: grafana
labels:
app.kubernetes.io/name: grafana
app.kubernetes.io/part-of: nginx-service-mesh
spec:
selector:
app.kubernetes.io/name: grafana
app.kubernetes.io/part-of: nginx-service-mesh
type: ClusterIP
ports:
- port: 3000
targetPort: 3000
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: grafana
labels:
app.kubernetes.io/name: grafana
app.kubernetes.io/part-of: nginx-service-mesh
spec:
replicas: 1
selector:
matchLabels:
app.kubernetes.io/name: grafana
app.kubernetes.io/part-of: nginx-service-mesh
template:
metadata:
labels:
app.kubernetes.io/name: grafana
app.kubernetes.io/part-of: nginx-service-mesh
spec:
serviceAccountName: grafana
containers:
- name: grafana
image: {{ include "grafana.image-server" . }}/grafana:8.1.7
imagePullPolicy: {{ .Values.registry.imagePullPolicy }}
ports:
- containerPort: 3000
volumeMounts:
- name: grafana-config-volume
mountPath: "/etc/grafana"
- name: grafana-dashboard-volume
mountPath: "/var/lib/grafana/dashboards"
- name: grafana-dashboard-home
mountPath: "/usr/share/grafana/public/dashboards"
volumes:
- name: grafana-config-volume
configMap:
name: grafana-config
items:
- key: dashboards.yaml
path: provisioning/dashboards/dashboards.yaml
- key: datasources.yaml
path: provisioning/datasources/datasources.yaml
- key: grafana.ini
path: grafana.ini
- name: grafana-dashboard-volume
configMap:
name: grafana-dashboards
items:
- key: top.json
path: top.json
- name: grafana-dashboard-home
configMap:
name: grafana-dashboards
items:
- key: top.json
path: home.json
{{- end }}
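Review bot: The grafana container (L2133-L2144) declares no `securityContext` (`runAsNonRoot: true`, `allowPrivilegeEscalation: false`, `readOnlyRootFilesystem` where feasible) and no `resources` requests or limits; the same gap applies to the jaeger, nats, nginx-mesh-api and nginx-mesh-metrics Deployments later in this commit. The ClusterRole on L2043-L2059 grants cluster-wide get/list/watch on services, endpoints and pods to the grafana service account, presumably for datasource discovery; a comment naming the consumer of that permission would justify keeping it cluster-scoped, e.g. `# needed by the Prometheus datasource for service discovery — confirm`.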


@ -0,0 +1,56 @@
{{- if (and (not .Values.tracing.disable) (eq .Values.tracing.backend "jaeger") (eq .Values.tracing.address "")) }}
---
apiVersion: v1
kind: Service
metadata:
name: jaeger
labels:
app.kubernetes.io/name: jaeger
app.kubernetes.io/part-of: nginx-service-mesh
spec:
selector:
app.kubernetes.io/name: jaeger
app.kubernetes.io/part-of: nginx-service-mesh
type: ClusterIP
ports:
- name: frontend
port: 16686
targetPort: 16686
- name: collector
port: 6831
targetPort: 6831
protocol: UDP
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: jaeger
labels:
app.kubernetes.io/name: jaeger
app.kubernetes.io/part-of: nginx-service-mesh
spec:
replicas: 1
selector:
matchLabels:
app.kubernetes.io/name: jaeger
app.kubernetes.io/part-of: nginx-service-mesh
template:
metadata:
labels:
app.kubernetes.io/name: jaeger
app.kubernetes.io/part-of: nginx-service-mesh
annotations:
prometheus.io/scrape: 'true'
prometheus.io/port: '16686'
spec:
imagePullSecrets:
- name: {{ include "registry-key-name" . }}
containers:
- name: jaeger
image: {{ include "jaeger.image-server" . }}/all-in-one:1.26.0
imagePullPolicy: {{ .Values.registry.imagePullPolicy }}
ports:
- containerPort: 16686
- containerPort: 6831
protocol: UDP
{{- end }}


@ -0,0 +1,146 @@
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: nats
labels:
app.kubernetes.io/part-of: nginx-service-mesh
imagePullSecrets:
- name: {{ include "registry-key-name" . }}
---
apiVersion: v1
kind: ConfigMap
metadata:
name: nats-config
labels:
app.kubernetes.io/part-of: nginx-service-mesh
data:
nats.conf: {{ .Files.Get "configs/nats.conf" | quote }}
---
apiVersion: v1
kind: Service
metadata:
name: nats-server
labels:
app.kubernetes.io/name: nats-server
app.kubernetes.io/part-of: nginx-service-mesh
spec:
selector:
app.kubernetes.io/name: nats-server
app.kubernetes.io/part-of: nginx-service-mesh
clusterIP: None
ports:
- name: client
port: 4222
- name: monitor
port: 8222
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: nats-server
labels:
app.kubernetes.io/name: nats-server
app.kubernetes.io/part-of: nginx-service-mesh
spec:
selector:
matchLabels:
app.kubernetes.io/name: nats-server
app.kubernetes.io/part-of: nginx-service-mesh
replicas: 1
template:
metadata:
labels:
app.kubernetes.io/name: nats-server
app.kubernetes.io/part-of: nginx-service-mesh
spec:
serviceAccountName: nats
volumes:
- name: config-volume
configMap:
name: nats-config
- name: pid
emptyDir: {}
- name: tls
emptyDir: {}
- hostPath:
path: "/run/spire/sockets"
type: DirectoryOrCreate
name: spire-agent-socket
shareProcessNamespace: true
terminationGracePeriodSeconds: 60
imagePullSecrets:
- name: {{ include "registry-key-name" . }}
initContainers:
- name: nginx-mesh-cert-reloader-init
image: {{ .Values.registry.server }}/nginx-mesh-cert-reloader:{{ .Values.registry.imageTag }}
imagePullPolicy: {{ .Values.registry.imagePullPolicy }}
volumeMounts:
- name: tls
mountPath: "/etc/ssl"
- name: spire-agent-socket
mountPath: "/run/spire/sockets"
containers:
- name: nginx-mesh-cert-reloader
image: {{ .Values.registry.server }}/nginx-mesh-cert-reloader:{{ .Values.registry.imageTag }}
imagePullPolicy: {{ .Values.registry.imagePullPolicy }}
args:
- "-pid"
- "/var/run/nats/nats.pid"
- "-is-daemon"
volumeMounts:
- name: pid
mountPath: "/var/run/nats"
- name: tls
mountPath: "/etc/ssl"
- name: spire-agent-socket
mountPath: "/run/spire/sockets"
- name: nats-server
image: {{ include "nats.image-server" . }}nats:2.4.0-alpine3.14
imagePullPolicy: {{ .Values.registry.imagePullPolicy }}
ports:
- containerPort: 4222
name: client
- containerPort: 8222
name: monitor
command:
- nats-server
- "--config"
- "/etc/nats-config/nats.conf"
env:
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: CLUSTER_ADVERTISE
value: "$(POD_NAME).nats-server.$(POD_NAMESPACE).svc"
volumeMounts:
- name: config-volume
mountPath: "/etc/nats-config"
- name: pid
mountPath: "/var/run/nats"
- name: tls
mountPath: "/etc/ssl"
livenessProbe:
httpGet:
path: "/"
port: 8222
initialDelaySeconds: 10
timeoutSeconds: 5
readinessProbe:
httpGet:
path: "/"
port: 8222
initialDelaySeconds: 10
timeoutSeconds: 5
lifecycle:
preStop:
exec:
command:
- "/bin/sh"
- "-c"
- "/nats-server -sl=ldm=/var/run/nats/nats.pid && /bin/sleep 60"
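Review bot: `shareProcessNamespace: true` (L2302) and the `hostPath` mount of `/run/spire/sockets` with `DirectoryOrCreate` (L2298-L2301) both relax pod isolation — a shared PID namespace lets every container in the pod see and signal the others, and the hostPath writes to the node — and neither carries a comment saying why it is needed. From the manifest it looks like the cert-reloader signals the nats process via the shared pid file and the SPIRE agent socket is consumed from the host path, but that is inferred; a comment above each setting such as `# shared PID namespace: cert-reloader must signal nats-server on certificate rotation — confirm` would document the trade-off for whoever applies a pod security standard to this namespace.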


@ -0,0 +1,323 @@
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: nginx-mesh-api
labels:
app.kubernetes.io/part-of: nginx-service-mesh
imagePullSecrets:
- name: {{ include "registry-key-name" . }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: nginx-mesh-api.internal.builtin.nsm.nginx
labels:
app.kubernetes.io/part-of: nginx-service-mesh
rules:
- apiGroups:
- ''
resources:
- namespaces
verbs:
- get
- list
- watch
- apiGroups:
- ''
resources:
- services
- endpoints
verbs:
- "*"
- apiGroups:
- ''
resources:
- secrets
- pods
verbs:
- create
- get
- list
- watch
- apiGroups:
- ''
resources:
- configmaps
verbs:
- get
- list
- watch
- update
- apiGroups:
- ''
resources:
- events
verbs:
- create
- patch
- apiGroups:
- apps
resources:
- replicasets
verbs:
- get
- list
- watch
- apiGroups:
- split.smi-spec.io
resources:
- trafficsplits
verbs:
- "*"
- apiGroups:
- access.smi-spec.io
resources:
- traffictargets
verbs:
- "*"
- apiGroups:
- specs.smi-spec.io
- specs.smi.nginx.com
resources:
- httproutegroups
- tcproutes
- ratelimits
- circuitbreakers
verbs:
- "*"
- apiGroups:
- admissionregistration.k8s.io
resources:
- mutatingwebhookconfigurations
resourceNames:
- sidecar-injector-webhook-cfg.internal.builtin.nsm.nginx
verbs:
- get
- update
- apiGroups:
- admissionregistration.k8s.io
resources:
- validatingwebhookconfigurations
resourceNames:
- validating-webhook-cfg.internal.builtin.nsm.nginx
verbs:
- get
- update
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: nginx-mesh-api.internal.builtin.nsm.nginx
labels:
app.kubernetes.io/part-of: nginx-service-mesh
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: nginx-mesh-api.internal.builtin.nsm.nginx
subjects:
- kind: ServiceAccount
name: nginx-mesh-api
namespace: {{ .Release.Namespace }}
---
apiVersion: v1
kind: ConfigMap
metadata:
name: mesh-config
labels:
app.kubernetes.io/part-of: nginx-service-mesh
binaryData:
mesh-config.json: {{ tpl (.Files.Get "configs/mesh-config.conf") . | b64enc | quote }}
---
apiVersion: v1
kind: Service
metadata:
name: nginx-mesh-api
labels:
app.kubernetes.io/part-of: nginx-service-mesh
spec:
type: ClusterIP
ports:
- name: https
port: 443
targetPort: 8443
protocol: TCP
selector:
app.kubernetes.io/name: nginx-mesh-api
app.kubernetes.io/part-of: nginx-service-mesh
---
apiVersion: v1
kind: Service
metadata:
name: nginx-mesh-webhook
labels:
app.kubernetes.io/name: nginx-mesh-api
app.kubernetes.io/part-of: nginx-service-mesh
spec:
type: ClusterIP
ports:
- name: admission
port: 443
targetPort: 9443
protocol: TCP
selector:
app.kubernetes.io/name: nginx-mesh-api
app.kubernetes.io/part-of: nginx-service-mesh
---
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
name: sidecar-injector-webhook-cfg.internal.builtin.nsm.nginx
labels:
app.kubernetes.io/part-of: nginx-service-mesh
spiffe.io/webhook: "true"
webhooks:
- name: nginx-mesh-api.sidecar.injector
namespaceSelector:
matchExpressions:
- key: injector.nsm.nginx.com/auto-inject
operator: NotIn
values:
- 'false'
clientConfig:
service:
name: nginx-mesh-webhook
namespace: {{ .Release.Namespace }}
path: "/inject"
sideEffects: None
admissionReviewVersions:
- v1
- v1beta1
rules:
- apiGroups:
- ''
apiVersions:
- v1
operations:
- CREATE
resources:
- pods
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
name: validating-webhook-cfg.internal.builtin.nsm.nginx
labels:
app.kubernetes.io/part-of: nginx-service-mesh
spiffe.io/webhook: "true"
webhooks:
- name: nginx-mesh-api.policy.validator
clientConfig:
service:
name: nginx-mesh-webhook
namespace: {{ .Release.Namespace }}
path: "/validate"
sideEffects: None
admissionReviewVersions:
- v1
- v1beta1
rules:
- apiGroups:
- split.smi-spec.io
apiVersions:
- "*"
operations:
- CREATE
- UPDATE
- DELETE
resources:
- trafficsplits
- apiGroups:
- specs.smi-spec.io
apiVersions:
- "*"
operations:
- CREATE
- UPDATE
resources:
- httproutegroups
- apiGroups:
- specs.smi.nginx.com
apiVersions:
- "*"
operations:
- CREATE
- UPDATE
- DELETE
resources:
- circuitbreakers
- ratelimits
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: nginx-mesh-api
labels:
app.kubernetes.io/name: nginx-mesh-api
app.kubernetes.io/part-of: nginx-service-mesh
spec:
replicas: 1
selector:
matchLabels:
app.kubernetes.io/name: nginx-mesh-api
app.kubernetes.io/part-of: nginx-service-mesh
template:
metadata:
labels:
app.kubernetes.io/name: nginx-mesh-api
app.kubernetes.io/part-of: nginx-service-mesh
spec:
serviceAccountName: nginx-mesh-api
containers:
- name: nginx-mesh-api
image: {{ .Values.registry.server }}/nginx-mesh-api:{{ .Values.registry.imageTag }}
imagePullPolicy: {{ .Values.registry.imagePullPolicy }}
args:
- "-meshconfig=/etc/config/mesh-config.json"
- "-logtostderr"
- "-v=3"
env:
- name: PULL_POLICY
value: {{ .Values.registry.imagePullPolicy }}
- name: MY_UID
valueFrom:
fieldRef:
fieldPath: metadata.uid
- name: MY_POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: MY_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
readinessProbe:
httpGet:
path: "/healthz"
port: 8081
initialDelaySeconds: 5
periodSeconds: 10
failureThreshold: 30
livenessProbe:
httpGet:
path: "/healthz"
port: 8081
initialDelaySeconds: 5
periodSeconds: 10
failureThreshold: 30
volumeMounts:
- name: config-volume
mountPath: "/etc/config"
- name: spire-agent-socket
mountPath: "/run/spire/sockets"
volumes:
- name: config-volume
configMap:
name: mesh-config
items:
- key: mesh-config.json
path: mesh-config.json
- name: spire-agent-socket
hostPath:
path: "/run/spire/sockets"
type: DirectoryOrCreate
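Review bot: The ClusterRole at L2415-L2424 grants `create`, `get`, `list` and `watch` on `secrets` in every namespace, which lets the nginx-mesh-api service account read all Secrets in the cluster; if it only needs secrets in its own namespace, a Role/RoleBinding in `{{ .Release.Namespace }}` or a `resourceNames` restriction would bound the blast radius of that account. Both webhook configurations (L2556-L2631) leave `failurePolicy` unset, which defaults to `Fail` in admissionregistration.k8s.io/v1, so while nginx-mesh-api is unavailable every pod creation in a namespace not carrying `injector.nsm.nginx.com/auto-inject: "false"` is rejected. That may be the intended trade-off, but it deserves an explicit `failurePolicy: Fail` (or `Ignore`) plus a comment, and a `timeoutSeconds` below the 10-second default keeps scheduling latency predictable.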


@ -0,0 +1,157 @@
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: nginx-mesh-metrics
labels:
app.kubernetes.io/part-of: nginx-service-mesh
imagePullSecrets:
- name: {{ include "registry-key-name" . }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: nginx-mesh-metrics.internal.builtin.nsm.nginx
labels:
app.kubernetes.io/part-of: nginx-service-mesh
rules:
- apiGroups:
- ''
resources:
- pods
verbs:
- get
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: nginx-mesh-metrics.internal.builtin.nsm.nginx
labels:
app.kubernetes.io/part-of: nginx-service-mesh
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: nginx-mesh-metrics.internal.builtin.nsm.nginx
subjects:
- kind: ServiceAccount
name: nginx-mesh-metrics
namespace: {{ .Release.Namespace }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: nginx-mesh-metrics-svc.internal.builtin.nsm.nginx
labels:
app.kubernetes.io/part-of: nginx-service-mesh
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: system:auth-delegator
subjects:
- kind: ServiceAccount
name: nginx-mesh-metrics
namespace: {{ .Release.Namespace }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: nginx-mesh-metrics-svc.internal.builtin.nsm.nginx
labels:
app.kubernetes.io/part-of: nginx-service-mesh
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: extension-apiserver-authentication-reader
subjects:
- kind: ServiceAccount
name: nginx-mesh-metrics
namespace: {{ .Release.Namespace }}
---
apiVersion: v1
kind: Service
metadata:
name: nginx-mesh-metrics-svc
labels:
app.kubernetes.io/name: nginx-mesh-metrics
app.kubernetes.io/part-of: nginx-service-mesh
spec:
type: ClusterIP
ports:
- name: http
port: 443
targetPort: metrics
protocol: TCP
selector:
app.kubernetes.io/name: nginx-mesh-metrics
app.kubernetes.io/part-of: nginx-service-mesh
---
apiVersion: apiregistration.k8s.io/v1
kind: APIService
metadata:
name: v1alpha1.metrics.smi-spec.io
labels:
app.kubernetes.io/name: nginx-mesh-metrics
app.kubernetes.io/part-of: nginx-service-mesh
spiffe.io/apiservice: "true"
spec:
service:
name: nginx-mesh-metrics-svc
namespace: {{ .Release.Namespace }}
group: metrics.smi-spec.io
version: v1alpha1
groupPriorityMinimum: 100
versionPriority: 100
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: nginx-mesh-metrics
labels:
app.kubernetes.io/name: nginx-mesh-metrics
app.kubernetes.io/part-of: nginx-service-mesh
spec:
replicas: 1
selector:
matchLabels:
app.kubernetes.io/name: nginx-mesh-metrics
app.kubernetes.io/part-of: nginx-service-mesh
template:
metadata:
labels:
app.kubernetes.io/name: nginx-mesh-metrics
app.kubernetes.io/part-of: nginx-service-mesh
spec:
serviceAccountName: nginx-mesh-metrics
containers:
- name: nginx-mesh-metrics
image: {{ .Values.registry.server }}/nginx-mesh-metrics:{{ .Values.registry.imageTag }}
imagePullPolicy: {{ .Values.registry.imagePullPolicy }}
args:
- "--prometheus-address={{ include "prometheus.address" . }}"
readinessProbe:
httpGet:
scheme: HTTPS
path: "/liveness"
port: 8080
initialDelaySeconds: 5
periodSeconds: 10
failureThreshold: 30
livenessProbe:
httpGet:
scheme: HTTPS
path: "/liveness"
port: 8080
initialDelaySeconds: 5
periodSeconds: 10
failureThreshold: 30
ports:
- name: metrics
containerPort: 8080
volumeMounts:
- name: spire-agent-socket
mountPath: "/run/spire/sockets"
volumes:
- name: spire-agent-socket
hostPath:
path: "/run/spire/sockets"
type: DirectoryOrCreate
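Review bot: The Service port on L2789 is named `http` while the backend it targets serves TLS — both probes use `scheme: HTTPS` (L2842, L2850) and the aggregated APIService speaks HTTPS to it — so `name: https` would describe it correctly. The APIService (L2797-L2812) sets neither `caBundle` nor `insecureSkipTLSVerify`; the `spiffe.io/apiservice: "true"` label suggests a controller injects the bundle later, but nothing in this commit says so, and without it the aggregator cannot validate the backend certificate. A comment on the label such as `# caBundle is injected at runtime by the SPIFFE controller that watches this label — confirm` would make the dependency visible.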


@ -0,0 +1,144 @@
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: post-delete
labels:
app.kubernetes.io/part-of: nginx-service-mesh
annotations:
"helm.sh/hook": post-delete
"helm.sh/hook-delete-policy": hook-succeeded,hook-failed
"helm.sh/hook-weight": "-5"
imagePullSecrets:
- name: {{ include "registry-key-name" . }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: post-delete.builtin.nsm.nginx
labels:
app.kubernetes.io/part-of: nginx-service-mesh
annotations:
"helm.sh/hook": post-delete
"helm.sh/hook-delete-policy": hook-succeeded,hook-failed
"helm.sh/hook-weight": "-5"
rules:
- apiGroups:
- ''
resources:
- namespaces
verbs:
- get
- list
- patch
- apiGroups:
- spiffeid.spiffe.io
resources:
- spiffeids
verbs:
- get
- list
- patch
- update
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: post-delete.builtin.nsm.nginx
labels:
app.kubernetes.io/part-of: nginx-service-mesh
annotations:
"helm.sh/hook": post-delete
"helm.sh/hook-delete-policy": hook-succeeded,hook-failed
"helm.sh/hook-weight": "-5"
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: post-delete.builtin.nsm.nginx
subjects:
- kind: ServiceAccount
name: post-delete
namespace: {{ .Release.Namespace }}
{{- if (include "docker-config-json" .) }}
---
apiVersion: v1
kind: Secret
metadata:
name: {{ include "registry-key-name" . }}
labels:
app.kubernetes.io/part-of: nginx-service-mesh
annotations:
"helm.sh/hook": post-delete
"helm.sh/hook-delete-policy": hook-succeeded,hook-failed
"helm.sh/hook-weight": "-5"
data:
.dockerconfigjson: {{ include "docker-config-json" . | b64enc }}
type: kubernetes.io/dockerconfigjson
{{- end }}
---
apiVersion: batch/v1
kind: Job
metadata:
name: remove-spiffeids
labels:
app.kubernetes.io/part-of: nginx-service-mesh
annotations:
"helm.sh/hook": post-delete
"helm.sh/hook-delete-policy": hook-succeeded,hook-failed
"helm.sh/hook-weight": "0"
spec:
template:
metadata:
name: remove-spiffeids
spec:
restartPolicy: Never
serviceAccountName: post-delete
containers:
- name: remove-spiffeids
image: {{ include "hook.image-server" . }}/kubectl
imagePullPolicy: {{ .Values.registry.imagePullPolicy }}
command:
- /bin/sh
- -c
- |
for ns in $(kubectl get ns | awk '{print $1}' | tail -n +2); do
if [ $(kubectl get spiffeids -n $ns 2>/dev/null | wc -l) -ne 0 ]; then
kubectl patch spiffeid $(kubectl get spiffeids -n $ns | awk '{print $1}' | tail -n +2) --type='merge' -p '{"metadata":{"finalizers":null}}' -n $ns
fi
done
---
apiVersion: batch/v1
kind: Job
metadata:
name: remove-namespace-label
labels:
app.kubernetes.io/part-of: nginx-service-mesh
annotations:
"helm.sh/hook": post-delete
"helm.sh/hook-delete-policy": hook-succeeded,hook-failed
"helm.sh/hook-weight": "0"
spec:
template:
metadata:
name: remove-namespace-label
spec:
restartPolicy: Never
serviceAccountName: post-delete
containers:
- name: remove-namespace-label
image: {{ include "hook.image-server" . }}/kubectl
imagePullPolicy: {{ .Values.registry.imagePullPolicy }}
command:
- /bin/sh
- -c
- |
kubectl label namespace kube-system injector.nsm.nginx.com/auto-inject-
kubectl label namespace {{ .Release.Namespace }} injector.nsm.nginx.com/auto-inject- app.kubernetes.io/part-of-
{{- if .Values.rancher }}
kubectl label namespace ingress-nginx cert-manager injector.nsm.nginx.com/auto-inject-
for ns in $(kubectl get ns | awk '{print $1}' | tail -n +2); do
case "$ns" in
cattle-*) kubectl label namespace $ns injector.nsm.nginx.com/auto-inject- ;;
esac
done
{{- end }}

@ -0,0 +1,29 @@
---
apiVersion: batch/v1
kind: Job
metadata:
name: turn-proxies-transparent
labels:
app.kubernetes.io/part-of: nginx-service-mesh
annotations:
"helm.sh/hook": pre-delete
"helm.sh/hook-delete-policy": hook-succeeded,hook-failed
"helm.sh/hook-weight": "0"
spec:
template:
metadata:
name: turn-proxies-transparent
spec:
restartPolicy: Never
containers:
- name: turn-proxies-transparent
image: {{ include "hook.image-server" . }}/kubectl
imagePullPolicy: {{ .Values.registry.imagePullPolicy }}
command:
- /bin/sh
- -c
- |
curl -m 30 -k https://nginx-mesh-api.{{ .Release.Namespace }}.svc:443/clear -X POST
exit 0
imagePullSecrets:
- name: {{ include "registry-key-name" . }}
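Review bot: The pod spec of the `turn-proxies-transparent` Job sets no `serviceAccountName`, so it runs under the namespace's `default` service account with that account's token mounted, although the script only issues a single `curl` to the mesh API; `automountServiceAccountToken: false` in the pod spec removes a credential the hook never uses. The unconditional `exit 0` after the `curl` makes the Job succeed regardless of the `/clear` call's outcome, so a failed call never surfaces in the uninstall; if that is a deliberate best-effort choice, a comment such as `# best effort: the mesh API may already be gone during uninstall` should say so. `-k` also deserves a why-comment, since it skips verification of the mesh API's serving certificate on a call that changes proxy behaviour. The Job sets neither `backoffLimit` nor `activeDeadlineSeconds`, so a pod that cannot start is only bounded by Helm's own client-side timeout.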

@ -0,0 +1,104 @@
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: pre-install
labels:
app.kubernetes.io/part-of: nginx-service-mesh
annotations:
"helm.sh/hook": pre-install
"helm.sh/hook-delete-policy": hook-succeeded,hook-failed
"helm.sh/hook-weight": "-5"
imagePullSecrets:
- name: {{ include "registry-key-name" . }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: pre-install.builtin.nsm.nginx
labels:
app.kubernetes.io/part-of: nginx-service-mesh
annotations:
"helm.sh/hook": pre-install
"helm.sh/hook-delete-policy": hook-succeeded,hook-failed
"helm.sh/hook-weight": "-5"
rules:
- apiGroups:
- ''
resources:
- namespaces
verbs:
- get
- list
- patch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: pre-install.builtin.nsm.nginx
labels:
app.kubernetes.io/part-of: nginx-service-mesh
annotations:
"helm.sh/hook": pre-install
"helm.sh/hook-delete-policy": hook-succeeded,hook-failed
"helm.sh/hook-weight": "-5"
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: pre-install.builtin.nsm.nginx
subjects:
- kind: ServiceAccount
name: pre-install
namespace: {{ .Release.Namespace }}
{{- if (include "docker-config-json" .) }}
---
apiVersion: v1
kind: Secret
metadata:
name: {{ include "registry-key-name" . }}
labels:
app.kubernetes.io/part-of: nginx-service-mesh
annotations:
"helm.sh/hook": pre-install
"helm.sh/hook-delete-policy": hook-succeeded,hook-failed
"helm.sh/hook-weight": "-5"
data:
.dockerconfigjson: {{ include "docker-config-json" . | b64enc }}
type: kubernetes.io/dockerconfigjson
{{- end }}
---
apiVersion: batch/v1
kind: Job
metadata:
name: label-namespace
labels:
app.kubernetes.io/part-of: nginx-service-mesh
annotations:
"helm.sh/hook": pre-install
"helm.sh/hook-delete-policy": hook-succeeded,hook-failed
"helm.sh/hook-weight": "0"
spec:
template:
metadata:
name: label-namespace
spec:
restartPolicy: Never
serviceAccountName: pre-install
containers:
- name: label-namespace
image: {{ include "hook.image-server" . }}/kubectl
imagePullPolicy: {{ .Values.registry.imagePullPolicy }}
command:
- /bin/sh
- -c
- |
kubectl label namespace kube-system injector.nsm.nginx.com/auto-inject=false
kubectl label namespace {{ .Release.Namespace }} injector.nsm.nginx.com/auto-inject=false app.kubernetes.io/part-of=nginx-service-mesh
{{- if .Values.rancher }}
kubectl label namespace ingress-nginx cert-manager injector.nsm.nginx.com/auto-inject=false
for ns in $(kubectl get ns | awk '{print $1}' | tail -n +2); do
case "$ns" in
cattle-*) kubectl label namespace $ns injector.nsm.nginx.com/auto-inject=false ;;
esac
done
{{- end }}
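Review bot: The namespace enumeration in the `label-namespace` script, `for ns in $(kubectl get ns | awk '{print $1}' | tail -n +2)`, scrapes the human-readable table output; `kubectl get ns -o jsonpath='{.items[*].metadata.name}'` returns the same list without depending on column layout, and the same pattern appears in the post-delete `remove-spiffeids` and `remove-namespace-label` Jobs earlier in this commit. `kubectl label` without `--overwrite` refuses to change a label that already exists with a different value, so a namespace still carrying `injector.nsm.nginx.com/auto-inject=true` from an earlier install makes that command fail, and because the script has no `set -e` the failure is masked whenever a later command succeeds. The `kubectl label namespace ingress-nginx cert-manager ...` line assumes both namespaces exist on a Rancher cluster; if either is missing the command reports an error, so checking for each namespace first would make the hook's exit status meaningful. The post-delete script mirrors this one with `-` suffixes; a shared named template would keep the two namespace lists from drifting.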

@ -0,0 +1,114 @@
{{- if eq .Values.prometheusAddress "" }}
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: prometheus
labels:
app.kubernetes.io/part-of: nginx-service-mesh
imagePullSecrets:
- name: {{ include "registry-key-name" . }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: prometheus.metrics.builtin.nsm.nginx
labels:
app.kubernetes.io/part-of: nginx-service-mesh
rules:
- apiGroups:
- ''
resources:
- services
- endpoints
- pods
verbs:
- get
- list
- watch
- nonResourceURLs:
- "/metrics"
verbs:
- get
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: prometheus.metrics.builtin.nsm.nginx
labels:
app.kubernetes.io/part-of: nginx-service-mesh
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: prometheus.metrics.builtin.nsm.nginx
subjects:
- kind: ServiceAccount
name: prometheus
namespace: {{ .Release.Namespace }}
---
apiVersion: v1
kind: ConfigMap
metadata:
name: prometheus-configuration
labels:
app.kubernetes.io/part-of: nginx-service-mesh
binaryData:
prometheus.yaml: {{ .Files.Get "configs/prometheus-config.yaml" | b64enc }}
---
apiVersion: v1
kind: Service
metadata:
name: prometheus
labels:
app.kubernetes.io/name: prometheus
app.kubernetes.io/part-of: nginx-service-mesh
spec:
selector:
app.kubernetes.io/name: prometheus
app.kubernetes.io/part-of: nginx-service-mesh
type: ClusterIP
ports:
- port: 9090
targetPort: 9090
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: prometheus
labels:
app.kubernetes.io/name: prometheus
app.kubernetes.io/part-of: nginx-service-mesh
spec:
replicas: 1
selector:
matchLabels:
app.kubernetes.io/name: prometheus
app.kubernetes.io/part-of: nginx-service-mesh
template:
metadata:
labels:
app.kubernetes.io/name: prometheus
app.kubernetes.io/part-of: nginx-service-mesh
spec:
serviceAccountName: prometheus
containers:
- name: prometheus
image: {{ include "prometheus.image-server" . }}/prometheus:v2.20.1
imagePullPolicy: {{ .Values.registry.imagePullPolicy }}
args:
- "--config.file=/etc/prometheus/prometheus.yaml"
- "--storage.tsdb.path=/prometheus/"
ports:
- containerPort: 9090
volumeMounts:
- name: prometheus-config-volume
mountPath: "/etc/prometheus"
- name: prometheus-storage-volume
mountPath: "/prometheus/"
volumes:
- name: prometheus-config-volume
configMap:
name: prometheus-configuration
- name: prometheus-storage-volume
emptyDir: {}
{{- end }}
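Review bot: The `prometheus` Deployment's pod and container carry no `securityContext` and no `resources`, so a component that scrapes every pod in the cluster runs with the image's default user and unbounded memory; `runAsNonRoot: true`, `readOnlyRootFilesystem: true` (config and data are both separate volumes) and request/limit values would bound that, and the `zipkin` Deployment later in this commit has the same gaps. The TSDB is backed by `emptyDir: {}`, so all metrics are lost whenever the pod is rescheduled; that is a reasonable default for a bundled instance, but a comment on the `prometheus-storage-volume` entry such as `# ephemeral: metrics do not survive pod restarts; set prometheusAddress to an external server for retention` would stop users from assuming `mtls.persistentStorage` covers it. The Service exposes port 9090 without authentication to any pod in the cluster, which is inherent to Prometheus but worth stating in a comment where the Service is declared.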

@ -0,0 +1,12 @@
{{- if (include "docker-config-json" .) }}
---
apiVersion: v1
kind: Secret
metadata:
name: {{ include "registry-key-name" . }}
labels:
app.kubernetes.io/part-of: nginx-service-mesh
data:
.dockerconfigjson: {{ include "docker-config-json" . | b64enc }}
type: kubernetes.io/dockerconfigjson
{{- end }}
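Review bot: This is the third copy of the registry-credential Secret in the commit: the pre-install and post-delete hook files each carry the same `data`/`type` body with hook annotations added. A named template parameterised on the hook annotations would keep the three in step. A short comment above the `{{- if (include "docker-config-json" .) }}` guard noting that the hook copies are removed by their `hook-delete-policy` and that this copy is the one workloads' `imagePullSecrets` reference would save readers a search.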

@ -0,0 +1,141 @@
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: spire-agent
labels:
app.kubernetes.io/part-of: nginx-service-mesh
imagePullSecrets:
- name: {{ include "registry-key-name" . }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: spire-agent.security.builtin.nsm.nginx
labels:
app.kubernetes.io/part-of: nginx-service-mesh
rules:
- apiGroups:
- ''
resources:
- pods
- nodes
- nodes/proxy
verbs:
- get
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: spire-agent.security.builtin.nsm.nginx
labels:
app.kubernetes.io/part-of: nginx-service-mesh
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: spire-agent.security.builtin.nsm.nginx
subjects:
- kind: ServiceAccount
name: spire-agent
namespace: {{ .Release.Namespace }}
---
apiVersion: v1
kind: ConfigMap
metadata:
name: spire-agent
labels:
app.kubernetes.io/part-of: nginx-service-mesh
data:
agent.conf: {{ tpl (.Files.Get "configs/spire-agent.conf") . | quote }}
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: spire-agent
labels:
app.kubernetes.io/name: spire-agent
app.kubernetes.io/part-of: nginx-service-mesh
spec:
selector:
matchLabels:
app.kubernetes.io/name: spire-agent
app.kubernetes.io/part-of: nginx-service-mesh
template:
metadata:
labels:
app.kubernetes.io/name: spire-agent
app.kubernetes.io/part-of: nginx-service-mesh
spec:
serviceAccountName: spire-agent
hostPID: true
hostNetwork: true
dnsPolicy: ClusterFirstWithHostNet
initContainers:
- name: init
image: {{ include "spire.image-server" . }}/wait-for-it
args:
- "-t"
- '30'
- spire-server:8081
containers:
- name: spire-agent
image: {{ include "spire.image-server" . }}/spire-agent:1.0.2
imagePullPolicy: {{ .Values.registry.imagePullPolicy }}
args:
- "-config"
- "/run/spire/config/agent.conf"
env:
- name: MY_NODE_NAME
valueFrom:
fieldRef:
fieldPath: spec.nodeName
volumeMounts:
- name: spire-config
mountPath: "/run/spire/config"
readOnly: true
- name: spire-bundle
mountPath: "/run/spire/bundle"
- name: spire-agent-socket
mountPath: "/run/spire/sockets"
readOnly: false
- name: spire-token
mountPath: "/var/run/secrets/tokens"
livenessProbe:
exec:
command:
- "/opt/spire/bin/spire-agent"
- healthcheck
- "-shallow"
- "-socketPath"
- "/run/spire/sockets/agent.sock"
failureThreshold: 2
initialDelaySeconds: 15
periodSeconds: 60
timeoutSeconds: 3
readinessProbe:
exec:
command:
- "/opt/spire/bin/spire-agent"
- healthcheck
- "-socketPath"
- "/run/spire/sockets/agent.sock"
initialDelaySeconds: 5
periodSeconds: 5
volumes:
- name: spire-config
configMap:
name: spire-agent
- name: spire-bundle
configMap:
name: spire-bundle
- name: spire-agent-socket
hostPath:
path: "/run/spire/sockets"
type: DirectoryOrCreate
- name: spire-token
projected:
sources:
- serviceAccountToken:
audience: spire-server
expirationSeconds: 7200
path: spire-agent
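Review bot: The `init` container's image `{{ include "spire.image-server" . }}/wait-for-it` carries no tag, so it resolves to `latest`, and it lacks the `imagePullPolicy: {{ .Values.registry.imagePullPolicy }}` that every other container sets, which matters for installs that rely on `Never` applying uniformly; the `kubectl` hook images in this commit have the same missing tag. Suggest `image: {{ include "spire.image-server" . }}/wait-for-it:<pinned-tag>` with the pull policy beneath it. The DaemonSet combines `hostPID: true`, `hostNetwork: true`, a `hostPath` socket directory created with `DirectoryOrCreate`, and a ClusterRole granting `get` on `nodes/proxy` (the kubelet API of every node); each is presumably needed for workload attestation, but none is explained, and a why-comment on each (`# hostPID: presumably required by the workload attestor to inspect callers' processes — confirm`) would let reviewers judge whether the scope can be narrowed. The `/run/spire/sockets` directory is created by the kubelet with default ownership and mode, so a note on the intended permissions of that path would also help.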

@ -0,0 +1,466 @@
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: spire-server
labels:
app.kubernetes.io/part-of: nginx-service-mesh
imagePullSecrets:
- name: {{ include "registry-key-name" . }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: spire-server.security.builtin.nsm.nginx
labels:
app.kubernetes.io/part-of: nginx-service-mesh
rules:
- apiGroups:
- ''
resources:
- pods
- nodes
verbs:
- get
- apiGroups:
- ''
resources:
- configmaps
resourceNames:
- spire-bundle
verbs:
- get
- patch
- apiGroups:
- authentication.k8s.io
resources:
- tokenreviews
verbs:
- create
- apiGroups:
- apiregistration.k8s.io
resources:
- apiservices
verbs:
- get
- list
- patch
- watch
- apiGroups:
- admissionregistration.k8s.io
resources:
- mutatingwebhookconfigurations
- validatingwebhookconfigurations
verbs:
- get
- list
- patch
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: spire-server.security.builtin.nsm.nginx
labels:
app.kubernetes.io/part-of: nginx-service-mesh
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: spire-server.security.builtin.nsm.nginx
subjects:
- kind: ServiceAccount
name: spire-server
namespace: {{ .Release.Namespace }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: k8s-workload-registrar.security.builtin.nsm.nginx
labels:
app.kubernetes.io/part-of: nginx-service-mesh
rules:
- apiGroups:
- ''
resources:
- endpoints
- pods
- nodes
verbs:
- get
- list
- watch
- apiGroups:
- spiffeid.spiffe.io
resources:
- spiffeids
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- spiffeid.spiffe.io
resources:
- spiffeids/status
verbs:
- get
- patch
- update
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: k8s-workload-registrar.security.builtin.nsm.nginx
labels:
app.kubernetes.io/part-of: nginx-service-mesh
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: k8s-workload-registrar.security.builtin.nsm.nginx
subjects:
- kind: ServiceAccount
name: spire-server
namespace: {{ .Release.Namespace }}
{{- if (or (include "ua-secret-name" .) (include "ua-vault-env-name" .)) }}
---
apiVersion: v1
kind: Secret
metadata:
name: spire-server
labels:
app.kubernetes.io/part-of: nginx-service-mesh
type: Opaque
data:
{{- if (include "ua-secret-name" .) }}
{{ include "ua-secret-name" . }}: {{ include "ua-upstream-key" . }}{{ end }}
{{- if (include "ua-vault-env-name" .) }}
{{ include "ua-vault-env-name" . }}: {{ include "ua-vault-env-value" . }}{{ end }}
{{- end }}
---
apiVersion: v1
kind: ConfigMap
metadata:
name: spire-bundle
labels:
app.kubernetes.io/part-of: nginx-service-mesh
---
apiVersion: v1
kind: ConfigMap
metadata:
name: spire-server
labels:
app.kubernetes.io/part-of: nginx-service-mesh
data:
server.conf: {{ tpl (.Files.Get "configs/spire-server.conf") . | quote }}
{{ if (include "ua-upstream-cert" .) -}}
{{ include "ua-upstream-cert" . }}{{ end }}
{{ if (include "ua-upstream-client-cert" .) -}}
{{ include "ua-upstream-client-cert" . }}{{ end }}
{{ if (include "ua-upstream-bundle" .) -}}
{{ include "ua-upstream-bundle" . }}{{ end }}
---
apiVersion: v1
kind: ConfigMap
metadata:
name: k8s-workload-registrar
labels:
app.kubernetes.io/part-of: nginx-service-mesh
data:
k8s-workload-registrar.conf: {{ tpl (.Files.Get "configs/k8s-workload-registrar.conf") . | quote }}
---
{{- $caKey := genPrivateKey "ecdsa"}}
{{- $caCrt := genCAWithKey "K8S WORKLOAD REGISTRAR CA" 9999 $caKey }}
{{- $serverKey := genPrivateKey "ecdsa" }}
{{- $serverCrt := genSignedCertWithKey "K8S WORKLOAD REGISTRAR SERVER" nil (list (printf "k8s-workload-registrar.%s.svc" .Release.Namespace )) 9999 $caCrt $serverKey }}
apiVersion: v1
kind: Secret
metadata:
name: k8s-workload-registrar-secret
labels:
app.kubernetes.io/part-of: nginx-service-mesh
type: Opaque
data:
tls.crt: {{ b64enc $serverCrt.Cert | quote }}
tls.key: {{ b64enc $serverKey | quote }}
---
apiVersion: v1
kind: Service
metadata:
name: spire-server
labels:
app.kubernetes.io/name: spire-server
app.kubernetes.io/part-of: nginx-service-mesh
spec:
type: ClusterIP
ports:
- name: grpc
protocol: TCP
port: 8081
targetPort: 8081
selector:
app.kubernetes.io/name: spire-server
app.kubernetes.io/part-of: nginx-service-mesh
---
apiVersion: v1
kind: Service
metadata:
name: k8s-workload-registrar
labels:
app.kubernetes.io/name: k8s-workload-registrar
app.kubernetes.io/part-of: nginx-service-mesh
spec:
ports:
- name: webhook
protocol: TCP
port: 443
targetPort: 9443
selector:
app.kubernetes.io/name: spire-server
---
apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingWebhookConfiguration
metadata:
name: k8s-workload-registrar.security.builtin.nsm.nginx
labels:
app.kubernetes.io/part-of: nginx-service-mesh
webhooks:
- name: k8s-workload-registrar.{{ .Release.Namespace }}.svc
clientConfig:
caBundle: {{ b64enc $caCrt.Cert | quote }}
service:
name: k8s-workload-registrar
namespace: {{ .Release.Namespace }}
path: "/validate-spiffeid-spiffe-io-v1beta1-spiffeid"
rules:
- apiGroups:
- spiffeid.spiffe.io
apiVersions:
- v1beta1
operations:
- CREATE
- UPDATE
- DELETE
resources:
- spiffeids
scope: Namespaced
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: spiffeids.spiffeid.spiffe.io
labels:
app.kubernetes.io/part-of: nginx-service-mesh
spec:
group: spiffeid.spiffe.io
scope: Namespaced
names:
kind: SpiffeID
listKind: SpiffeIDList
plural: spiffeids
singular: spiffeid
versions:
- name: v1beta1
served: true
storage: true
subresources:
status: {}
schema:
openAPIV3Schema:
type: object
properties:
apiVersion:
type: string
kind:
type: string
metadata:
type: object
spec:
type: object
properties:
dnsNames:
type: array
items:
type: string
parentId:
type: string
selector:
type: object
properties:
arbitrary:
items:
type: string
type: array
containerImage:
type: string
containerName:
type: string
namespace:
type: string
nodeName:
type: string
podLabel:
additionalProperties:
type: string
type: object
podName:
type: string
podUid:
type: string
serviceAccount:
type: string
cluster:
type: string
agent_node_uid:
type: string
spiffeId:
type: string
required:
- parentId
- selector
- spiffeId
status:
type: object
properties:
entryId:
type: string
---
apiVersion: apps/v1
{{- if eq .Values.mtls.persistentStorage "on" }}
kind: StatefulSet
{{- else }}
kind: Deployment
{{- end }}
metadata:
name: spire-server
labels:
app.kubernetes.io/name: spire-server
app.kubernetes.io/part-of: nginx-service-mesh
spec:
replicas: 1
selector:
matchLabels:
app.kubernetes.io/name: spire-server
app.kubernetes.io/part-of: nginx-service-mesh
{{- if eq .Values.mtls.persistentStorage "on" }}
serviceName: spire-server
{{- end }}
template:
metadata:
labels:
app.kubernetes.io/name: spire-server
app.kubernetes.io/part-of: nginx-service-mesh
spec:
serviceAccountName: spire-server
shareProcessNamespace: true
containers:
- name: spire-server
image: {{ include "spire.image-server" . }}/spire-server:1.0.2
imagePullPolicy: {{ .Values.registry.imagePullPolicy }}
args:
- '-config'
- /run/spire/config/server.conf
ports:
- name: spire-server
protocol: TCP
containerPort: 8081
{{- if (include "ua-vault-env-name" .) }}
env:
- name: {{ include "ua-vault-env-name" . }}
valueFrom:
secretKeyRef:
name: spire-server
key: {{ include "ua-vault-env-name" . }}
{{- end }}
volumeMounts:
- name: spire-config
mountPath: /run/spire/config
readOnly: true
{{- if (include "ua-secret-mountpath" .) }}
- name: spire-secrets
mountPath: {{ include "ua-secret-mountpath" . }}
readOnly: true
{{- end }}
{{- if eq .Values.mtls.persistentStorage "on" }}
- name: spire-data
mountPath: /run/spire/data
readOnly: false
{{- end }}
- name: spire-server-socket
mountPath: /run/spire/sockets
readOnly: false
livenessProbe:
exec:
command:
- /opt/spire/bin/spire-server
- healthcheck
- '-shallow'
- '-registrationUDSPath'
- /run/spire/sockets/spire-registration.sock
failureThreshold: 2
initialDelaySeconds: 15
periodSeconds: 60
timeoutSeconds: 3
readinessProbe:
exec:
command:
- /opt/spire/bin/spire-server
- healthcheck
- '-registrationUDSPath'
- /run/spire/sockets/spire-registration.sock
initialDelaySeconds: 5
periodSeconds: 5
- name: k8s-workload-registrar
image: {{ include "spire.image-server" . }}/k8s-workload-registrar:1.0.2
imagePullPolicy: {{ .Values.registry.imagePullPolicy }}
args:
- '-config'
- /run/spire/config/k8s-workload-registrar.conf
ports:
- name: webhook
protocol: TCP
containerPort: 9443
volumeMounts:
- name: k8s-workload-registrar-config
mountPath: /run/spire/config
readOnly: true
- name: k8s-workload-registrar-secret
mountPath: /tmp/k8s-webhook-server/serving-certs
readOnly: true
- name: spire-server-socket
mountPath: /run/spire/sockets
readOnly: true
volumes:
- name: spire-config
configMap:
name: spire-server
{{- if (include "ua-secret-name" .) }}
- name: spire-secrets
secret:
secretName: spire-server
items:
- key: {{ include "ua-secret-name" . }}
path: {{ include "ua-secret-name" . }}
{{- end }}
- name: spire-server-socket
emptyDir: {}
- name: k8s-workload-registrar-config
configMap:
name: k8s-workload-registrar
- name: k8s-workload-registrar-secret
secret:
secretName: k8s-workload-registrar-secret
{{- if eq .Values.mtls.persistentStorage "on" }}
volumeClaimTemplates:
- metadata:
name: spire-data
namespace: {{ .Release.Namespace }}
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 1Gi
{{- end }}
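Review bot: The webhook serving material above the `k8s-workload-registrar-secret` document is produced inline by `genPrivateKey`/`genCAWithKey`/`genSignedCertWithKey`, so every `helm upgrade` mints a new CA and server key: the Secret and the `caBundle` in the ValidatingWebhookConfiguration are rewritten together, but the running registrar keeps serving the previous certificate until the kubelet propagates the updated Secret and the server reloads it, so SpiffeID admission can fail in that window. Persisting the CA certificate alongside `tls.crt`/`tls.key` in the Secret and reusing it through `lookup` on upgrade (falling back to generation when `lookup` returns nothing, as it does under `helm template`) avoids the churn, and the 9999-day validity deserves a comment. The ValidatingWebhookConfiguration uses `admissionregistration.k8s.io/v1beta1`, which the chart's `kubeVersion` range still permits, but it omits `sideEffects`, `admissionReviewVersions` and `failurePolicy` (all mandatory in `v1`, and `v1beta1` silently defaults `failurePolicy` to `Ignore`); setting them explicitly now makes the later migration a one-line change. The `spire-server` ClusterRole grants `get`/`list`/`patch`/`watch` on all `mutatingwebhookconfigurations` and `validatingwebhookconfigurations` cluster-wide, whereas the `configmaps` rule in the same role is already scoped with `resourceNames`; if the registrar only touches its own configuration, `get`/`patch` can be scoped the same way. Finally, the `k8s-workload-registrar` Service selects on `app.kubernetes.io/name` alone while the `spire-server` Service uses both labels; aligning them is a one-line fix.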

@ -0,0 +1,46 @@
{{- if (and (not .Values.tracing.disable) (eq .Values.tracing.backend "zipkin") (eq .Values.tracing.address "")) }}
---
apiVersion: v1
kind: Service
metadata:
name: zipkin
labels:
app.kubernetes.io/name: zipkin
app.kubernetes.io/part-of: nginx-service-mesh
spec:
selector:
app.kubernetes.io/name: zipkin
app.kubernetes.io/part-of: nginx-service-mesh
type: ClusterIP
ports:
- port: 9411
targetPort: 9411
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: zipkin
labels:
app.kubernetes.io/name: zipkin
app.kubernetes.io/part-of: nginx-service-mesh
spec:
replicas: 1
selector:
matchLabels:
app.kubernetes.io/name: zipkin
app.kubernetes.io/part-of: nginx-service-mesh
template:
metadata:
labels:
app.kubernetes.io/name: zipkin
app.kubernetes.io/part-of: nginx-service-mesh
spec:
imagePullSecrets:
- name: {{ include "registry-key-name" . }}
containers:
- name: zipkin
image: {{ include "zipkin.image-server" . }}/zipkin:2.21
imagePullPolicy: {{ .Values.registry.imagePullPolicy }}
ports:
- containerPort: 9411
{{- end }}
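Review bot: The `zipkin` image is pinned only to `zipkin:2.21`, which appears to be a floating minor tag rather than an immutable release, while the other bundled components in this commit (`prometheus:v2.20.1`, `spire-server:1.0.2`) are pinned to a patch version; pinning the full version (or a digest) makes the deployed collector reproducible. The Deployment also lacks `resources` and a `securityContext`, the same gap noted on the `prometheus` Deployment. Because this block is rendered only when `tracing.address` is empty, a comment on the opening condition, e.g. `# bundled Zipkin: rendered only when no external tracing address is supplied`, would help readers of the values file see why setting an address suppresses it.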

@ -0,0 +1,455 @@
{
"$schema": "https://json-schema.org/draft-07/schema#",
"title": "NGINX Service Mesh Values",
"type": "object",
"properties": {
"mtls": {
"type": "object",
"properties": {
"mode": {
"description": "mTLS mode for pod-to-pod communication",
"type": "string",
"enum": ["off", "permissive", "strict"],
"default": "permissive"
},
"caTTL": {
"description": "The CA/signing key TTL in hours(h) or minutes(m)",
"type": "string",
"pattern": "[0-9]*(h|m)",
"default": "720h"
},
"svidTTL": {
"description": "The TTL of certificates issued to workloads in hours(h) or minutes(m)",
"type": "string",
"pattern": "[0-9]*(h|m)",
"default": "1h"
},
"trustDomain": {
"description": "The trust domain of the NGINX Service Mesh",
"type": "string",
"default": "example.org"
},
"persistentStorage": {
"description": "Use persistent storage",
"type": "string",
"enum": ["on", "off"],
"default": "on"
},
"spireServerKeyManager": {
"description": "Storage logic for Spire Server's private keys",
"type": "string",
"enum": ["disk", "memory"],
"default": "disk"
},
"upstreamAuthority": {
"description": "Upstream authority settings",
"type": "object",
"properties": {
"disk": {
"description": "Disk object",
"type": "object",
"properties": {
"cert": {
"description": "Contents of your PEM encoded certificate file",
"type": "string",
"minLength": 1
},
"key": {
"description": "Contents of your PEM encoded key file",
"type": "string",
"minLength": 1
},
"bundle": {
"description": "Contents of your CA bundle file",
"type": "string"
}
},
"required": ["cert", "key"]
},
"awsPCA": {
"description": "AWS PCA object",
"type": "object",
"properties": {
"region": {
"description": "AWS region to use",
"type": "string",
"minLength": 1
},
"certificateAuthorityArn": {
"description": "ARN of the upstream CA certificate",
"type": "string",
"minLength": 1
},
"awsAccessKeyID": {
"description": "AWS access key ID",
"type": "string",
"minLength": 1
},
"awsSecretAccessKey": {
"description": "AWS secret access key",
"type": "string",
"minLength": 1
},
"caSigningTemplateArn": {
"description": "ARN of the signing template to use for the server's CA",
"type": "string"
},
"signingAlgorithm": {
"description": "Signing algorithm to use for the server's CA",
"type": "string"
},
"assumeRoleArn": {
"description": " ARN of an IAM role to assume",
"type": "string"
},
"endpoint": {
"description": "Endpoint as hostname or fully-qualified URI that overrides the default endpoint",
"type": "string"
},
"supplementalBundle": {
"description": "Contents of a PEM encoded CA certificates file that should be additionally included in the bundle",
"type": "string"
}
},
"required": ["region", "certificateAuthorityArn", "awsAccessKeyID", "awsSecretAccessKey"]
},
"awsSecret": {
"description": "AWS Secret object",
"type": "object",
"properties": {
"region": {
"description": "AWS region to use",
"type": "string",
"minLength": 1
},
"certFileArn": {
"description": "ARN of the upstream CA certificate",
"type": "string",
"minLength": 1
},
"keyFileArn": {
"description": "ARN of the upstream CA key file",
"type": "string",
"minLength": 1
},
"awsAccessKeyID": {
"description": "AWS access key ID",
"type": "string"
},
"awsSecretKeyID": {
"description": "AWS secret access key",
"type": "string"
},
"awsSecretToken": {
"description": "AWS secret token",
"type": "string"
},
"assumeRoleArn": {
"description": "ARN of role to assume",
"type": "string"
}
},
"required": ["region", "certFileArn", "keyFileArn"]
},
"vault": {
"description": "Vault object",
"type": "object",
"properties": {
"vaultAddr": {
"description": "URL of the Vault server",
"type": "string",
"minLength": 1
},
"namespace": {
"description": "Vault namespace",
"type": "string",
"minLength": 1
},
"caCert": {
"description": "Contents of a PEM encoded CA certificate file to verify the Vault server certificate",
"type": "string",
"minLength": 1
},
"pkiMountPoint": {
"description": "Name of the mount point where the PKI secret engine is mounted",
"type": "string",
"default": "pki"
},
"insecureSkipVerify": {
"description": "If true, vault client accepts any server certificates",
"type": "boolean",
"default": false
},
"certAuth": {
"description": "Client certificate authentication object",
"type": "object",
"properties": {
"clientCert": {
"description": "Contents of your client cert file",
"type": "string",
"minLength": 1
},
"clientKey": {
"description": "Contents of your client key file",
"type": "string",
"minLength": 1
},
"certAuthMountPoint": {
"description": "Name of the mount point where TLS certificate auth method is mounted",
"type": "string",
"default": "cert"
},
"certAuthRoleName": {
"description": "Name of the vault role. If given, the plugin authenticates against only the named role. Default to trying all roles.",
"type": "string"
}
},
"required": ["clientCert", "clientKey"]
},
"tokenAuth": {
"description": "Token authentication object",
"type": "object",
"properties": {
"token": {
"description": "Token string set into X-Vault-Token header",
"type": "string",
"minLength": 1
}
},
"required": ["token"]
},
"approleAuth": {
"description": "AppRole authentication object",
"type": "object",
"properties": {
"approleID": {
"description": "An identifier of AppRole",
"type": "string",
"minLength": 1
},
"approleSecretID": {
"description": "A credential of AppRole",
"type": "string",
"minLength": 1
},
"approleAuthMountPoint": {
"description": "Name of the mount point where the AppRole auth method is mounted",
"type": "string",
"default": "approle"
}
},
"required": ["approleID", "approleSecretID"]
}
},
"required": ["vaultAddr", "namespace", "caCert"],
"oneOf": [
{"required": ["certAuth"]},
{"required": ["tokenAuth"]},
{"required": ["approleAuth"]}
]
}
},
"oneOf": [
{"const": {}},
{"required": ["disk"]},
{"required": ["awsPCA"]},
{"required": ["awsSecret"]},
{"required": ["vault"]}
]
}
},
"required": ["mode", "caTTL", "svidTTL", "trustDomain", "persistentStorage", "spireServerKeyManager"]
},
"registry": {
"description": "NGINX Service Mesh image registry settings",
"type": "object",
"properties": {
"server": {
"description": "Hostname:port (if needed) for registry and path to images",
"type": "string",
"default": "docker-registry.nginx.com/nsm"
},
"imageTag": {
"description": "Tag used for pulling images from registry. ",
"type": "string",
"default": "1.1.0"
},
"key": {
"description": "Contents of your Google Cloud JSON key file",
"type": "string"
},
"username": {
"description": "Username for accessing private registry",
"type": "string"
},
"password": {
"description": "Password for accessing private registry",
"type": "string"
},
"disablePublicImages": {
"description": "Disable the pulling of third party images from public repositories",
"type": "boolean",
"default": false
},
"imagePullPolicy": {
"description": "Image pull policy",
"type": "string",
"enum": ["Never", "IfNotPresent", "Always"],
"default": "IfNotPresent"
}
},
"oneOf": [
{
"properties": {
"key": {"$ref": "#/definitions/emptyString"},
"username": {"$ref": "#/definitions/emptyString"},
"password": {"$ref": "#/definitions/emptyString"}
}
},
{
"properties": {
"key": {"$ref": "#/definitions/nonEmptyString"},
"username": {"$ref": "#/definitions/emptyString"},
"password": {"$ref": "#/definitions/emptyString"}
}
},
{
"properties": {
"username": {"$ref": "#/definitions/nonEmptyString"},
"password": {"$ref": "#/definitions/nonEmptyString"},
"key": {"$ref": "#/definitions/emptyString"}
}
}
],
"required": ["server", "imageTag", "disablePublicImages", "imagePullPolicy"]
},
"accessControlMode": {
"description": "Default access control mode for service-to-service communication",
"type": "string",
"enum": ["allow", "deny"]
},
"deployGrafana": {
"description": "Deploy Grafana as a part of the NGINX Service Mesh",
"type": "boolean"
},
"nginxErrorLogLevel": {
"description": "NGINX error log level",
"type": "string",
"enum": ["debug", "info", "notice", "warn", "error", "crit", "alert", "emerg"]
},
"nginxLogFormat": {
"description": "NGINX log format",
"type": "string",
"enum": ["default", "json"]
},
"nginxLBMethod": {
"description": "NGINX load balancing method",
"type": "string",
"enum": ["least_conn", "least_time", "least_time last_byte", "least_time last_byte inflight", "random", "random two", "random two least_conn", "random two least_time", "random two least_time=last_byte", "round_robin"]
},
"prometheusAddress": {
"description": "The address of a Prometheus server deployed in your Kubernetes cluster",
"type": "string"
},
"autoInjection": {
"description": "NGINX Service Mesh auto-injection settings",
"type": "object",
"properties": {
"disable": {
"description": "Disable automatic sidecar injection upon resource creation",
"type": "boolean"
},
"disabledNamespaces": {
"description": "Disable automatic sidecar injection for specific namespace",
"type": "array",
"items": {
"type": "string"
}
},
"enabledNamespaces": {
"description": "Enable automatic sidecar injection for specific namespaces",
"type": "array",
"items": {
"type": "string"
}
}
},
"oneOf": [
{
"properties": {
"disabledNamespaces": {"$ref": "#/definitions/nonEmptyArray"},
"disable": {"const": false}
}
},
{
"properties": {
"enabledNamespaces": {"$ref": "#/definitions/nonEmptyArray"},
"disable": {"const": true}
}
},
{
"properties": {
"enabledNamespaces": {"$ref": "#/definitions/emptyArray"},
"disabledNamespaces": {"$ref": "#/definitions/emptyArray"}
}
}
],
"required": ["disable"]
},
"tracing": {
"description": "NGINX Service Mesh tracing settings",
"type": "object",
"properties": {
"disable": {
"description": "Disable tracing for all services",
"type": "boolean"
},
"address": {
"description": "The address of a tracing server deploying in your Kubernetes cluster",
"type": "string"
},
"backend": {
"description": "The tracing backend that you want to use",
"type": "string",
"enum": ["datadog", "jaeger", "zipkin"]
},
"sampleRate": {
"description": "The sample rate to use for tracing. Float between 0 and 1",
"type": "number",
"minimum": 0.0,
"maximum": 1.0
}
},
"required": ["disable", "sampleRate"]
}
},
"definitions": {
"nonEmptyString": {
"type": "string",
"minLength": 1
},
"emptyString": {
"type": "string",
"const": ""
},
"nonEmptyArray": {
"type": "array",
"minItems": 1
},
"emptyArray": {
"type": "array",
"maxItems": 0
}
},
"required": [
"mtls",
"registry",
"accessControlMode",
"deployGrafana",
"nginxErrorLogLevel",
"nginxLogFormat",
"nginxLBMethod",
"autoInjection",
"tracing"
]
}
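Review bot: The `pattern` on `caTTL` and `svidTTL`, `"[0-9]*(h|m)"`, is unanchored and allows zero digits, so values such as `h`, `abc720h` or `720hours` pass validation and only fail later in SPIRE; `"pattern": "^[0-9]+(h|m)$"` enforces what the description promises. `registry.imageTag` has `"default": "1.1.0"` here while `values.yaml` in this commit ships `imageTag: "1.2.1"` and the chart's `appVersion` is 1.2.1; schema defaults are informational only, but a stale one misleads anyone generating forms or docs from it. The `assumeRoleArn` description under `awsPCA` begins with a stray space. `rancher`, read by the pre-install and post-delete hook templates, has no entry in the schema, so a non-boolean value is not rejected; a `"rancher": {"type": "boolean"}` property would catch that.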

@ -0,0 +1,209 @@
# NGINX Service Mesh image registry settings.
registry:
# Hostname:port (if needed) for registry and path to images.
# Affects: nginx-mesh-api, nginx-mesh-cert-reloader, nginx-mesh-init, nginx-mesh-metrics, nginx-mesh-sidecar
server: "docker-registry.nginx.com/nsm"
# Tag used for pulling images from registry
# Affects: nginx-mesh-api, nginx-mesh-cert-reloader, nginx-mesh-init, nginx-mesh-metrics, nginx-mesh-sidecar
imageTag: "1.2.1"
# Note: Currently only works with Google Cloud registry.
# Contents of your Google Cloud JSON key file. Can be set via "--set-file registry.key=<your-key-file>.json"
# Cannot be used with username or password.
key: ""
# Username for accessing private registry.
# Requires password to be set. Cannot be used with key.
username: ""
# Password for accessing private registry.
# Requires username to be set. Cannot be used with key.
password: ""
# Do not pull third party images from public repositories.
# If true, registry.server is used for all images.
disablePublicImages: false
# Image pull policy
# Valid values: Always, IfNotPresent, Never
imagePullPolicy: "IfNotPresent"
# Default access control mode for service-to-service communication.
# Valid values: allow, deny
accessControlMode: "allow"
# Deploy Grafana as a part of the NGINX Service Mesh.
# Valid values: true, false
deployGrafana: true
# NGINX error log level.
# Valid values: debug, info, notice, warn, error, crit, alert, emerg
nginxErrorLogLevel: "warn"
# NGINX log format.
# Valid values: default, json
nginxLogFormat: "default"
# NGINX load balancing method.
# Valid values: [least_conn, least_time, least_time last_byte, least_time last_byte inflight,
# random, random two, random two least_conn, random two least_time, random two least_time=last_byte, round_robin]
nginxLBMethod: "least_time"
# The address of a Prometheus server deployed in your Kubernetes cluster.
# Address should be in the format <service-name>.<namespace>:<service-port>.
prometheusAddress: ""
# NGINX Service Mesh auto-injection settings.
autoInjection:
# Disable automatic sidecar injection upon resource creation.
# Use the "enabledNamespaces" flag to enable automatic injection in select namespaces.
disable: false
# Disable automatic sidecar injection for specific namespaces.
# Cannot be used with "disable".
disabledNamespaces: []
# Enable automatic sidecar injection for specific namespaces.
# Must be used with "disable".
enabledNamespaces: []
# NGINX Service Mesh tracing settings.
tracing:
# Disable tracing for all services.
disable: false
# The address of a tracing server deployed in your Kubernetes cluster.
# Address should be in the format <service-name>.<namespace>:<service_port>.
address: ""
# The tracing backend that you want to use.
# Valid values: datadog, jaeger, zipkin
backend: "jaeger"
# The sample rate to use for tracing. Float between 0 and 1.
sampleRate: 0.01
# Mutual TLS settings. See https://docs.nginx.com/nginx-service-mesh/guides/secure-traffic-mtls for more info.
mtls:
# mTLS mode for pod-to-pod communication.
# Valid values: off, permissive, strict
mode: "permissive"
# The CA/signing key TTL in hours(h) or minutes(m).
caTTL: "720h"
# The TTL of certificates issued to workloads in hours(h) or minutes(m).
svidTTL: "1h"
# The trust domain of NGINX Service Mesh.
trustDomain: "example.org"
# Use persistent storage; "on" assumes that a StorageClass exists.
# Valid values: on, off
persistentStorage: "on"
# Storage logic for Spire Server's private keys.
# Valid values: disk, memory
spireServerKeyManager: "disk"
## Upstream authority settings. If left empty, SPIRE is used as the upstream authority.
## Only uncomment and fill out the object pertinent to you (disk, awsPCA, awsSecret, vault).
upstreamAuthority: {}
# # Disk object (see https://github.com/spiffe/spire/blob/v0.12/doc/plugin_server_upstreamauthority_disk.md)
# disk:
# # Contents of your PEM encoded certificate file. Can be set via "--set-file mtls.upstreamAuthority.disk.cert=<cert-file-path>"
# cert: ""
# # Contents of your PEM encoded key file. Can be set via "--set-file mtls.upstreamAuthority.disk.key=<key-file-path>"
# key: ""
# # Optional; contents of your CA bundle file. Can be set via "--set-file mtls.upstreamAuthority.disk.bundle=<bundle-file-path>"
# bundle: ""
# # AWS PCA object (see https://github.com/spiffe/spire/blob/v0.12/doc/plugin_server_upstreamauthority_aws_pca.md)
# awsPCA:
# # AWS region to use
# region: ""
# # ARN of the upstream CA certificate
# certificateAuthorityArn: ""
# # AWS access key ID
# awsAccessKeyID: ""
# # AWS secret access key
# awsSecretAccessKey: ""
# ## Optional fields
# # ARN of the signing template to use for the server's CA
# caSigningTemplateArn: ""
# # Signing algorithm to use for the server's CA
# signingAlgorithm: ""
# # ARN of an IAM role to assume
# assumeRoleArn: ""
# # Endpoint as hostname or fully-qualified URI that overrides the default endpoint
# endpoint: ""
# # Contents of a PEM encoded CA certificates file that should be additionally included in the bundle.
# # Can be set via "--set-file mtls.upstreamAuthority.awsPCA.supplementalBundle=<supplemental-bundle-file-path>"
# supplementalBundle: ""
# # AWS Secret object (see https://github.com/spiffe/spire/blob/v0.12/doc/plugin_server_upstreamauthority_awssecret.md)
# awsSecret:
# # AWS region to use
# region: ""
# # ARN of the upstream CA certificate
# certFileArn: ""
# # ARN of the upstream CA key file
# keyFileArn: ""
# ## Choose an appropriate auth method
# # AWS access key ID
# awsAccessKeyID: ""
# # AWS secret access key
# awsSecretAccessKey: ""
# # AWS secret token
# awsSecretToken: ""
# # ARN of role to assume
# assumeRoleArn: ""
# # Vault object (see https://github.com/spiffe/spire/blob/v0.12/doc/plugin_server_upstreamauthority_vault.md)
# vault:
# # URL of the Vault server
# vaultAddr: ""
# # Vault namespace
# namespace: ""
# # Contents of a PEM encoded CA certificate file to verify the Vault server certificate.
# # Can be set via "--set-file mtls.upstreamAuthority.vault.caCert=<ca-cert-file-path>"
# caCert: ""
# # Name of the mount point where the PKI secret engine is mounted
# pkiMountPoint: "pki"
# # If true, vault client accepts any server certificates
# insecureSkipVerify: false
# # Client Certificate Authentication
# certAuth:
# # Contents of your client cert file. Can be set via "--set-file mtls.upstreamAuthority.vault.certAuth.clientCert=<cert-file-path>"
# clientCert: ""
# # Contents of your client key file. Can be set via "--set-file mtls.upstreamAuthority.vault.certAuth.clientKey=<key-file-path>"
# clientKey: ""
# ## Optional fields
# # Name of the mount point where TLS certificate auth method is mounted
# certAuthMountPoint: "cert"
# # Name of the vault role. If given, the plugin authenticates against only the named role. Default to trying all roles.
# certAuthRoleName: ""
# # Token Authentication
# tokenAuth:
# # Token string set into "X-Vault-Token" header
# token: ""
# # AppRole Authentication
# approleAuth:
# # An identifier of AppRole
# approleID: ""
# # A credential of AppRole
# approleSecretID: ""
# # Name of the mount point where the AppRole auth method is mounted
# approleAuthMountPoint: "approle"
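Review bot: The two posture-setting defaults in this values file, `accessControlMode: "allow"` and `mtls.mode: "permissive"`, carry only a "Valid values" list, so nothing in the file tells the reader that each default is the least restrictive option offered. I'd extend those comments, e.g. `# Valid values: allow, deny ("allow" is the least restrictive default)` and `# Valid values: off, permissive, strict ("permissive" is the less restrictive of the two mTLS modes)`. In the same vein, the `username`/`password` pair under `registry` lacks the `--set`/`--set-file` hint that `key` and the certificate and key fields in the commented `upstreamAuthority` block carry, so consider adding `# Prefer supplying via --set on the command line rather than storing in a checked-in values file.` above `username`. What "permissive" actually admits is not stated on the page, so any wording beyond "less restrictive" should be checked against the linked mTLS guide before it is written in.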


@ -1340,6 +1340,22 @@ entries:
urls: urls:
- assets/nginx-ingress/nginx-ingress-0.10.0.tgz - assets/nginx-ingress/nginx-ingress-0.10.0.tgz
version: 0.10.0 version: 0.10.0
nginx-service-mesh:
- annotations:
catalog.cattle.io/certified: partner
catalog.cattle.io/display-name: NGINX Service Mesh
catalog.cattle.io/release-name: nginx-service-mesh
apiVersion: v2
appVersion: 1.2.1
created: "2021-10-11T10:18:55.101934-06:00"
description: NGINX Service Mesh
digest: 75ef707cadb314629a881a4f1f2b9862e62e3930dbed27c4ec56a9f380cc1759
icon: https://raw.githubusercontent.com/nginxinc/nginx-service-mesh/master/helm-chart/chart-icon.png
kubeVersion: 1.16-0 - 1.21-0
name: nginx-service-mesh
urls:
- assets/nginx-service-mesh/nginx-service-mesh-0.2.100.tgz
version: 0.2.100
nutanix-csi-storage: nutanix-csi-storage:
- annotations: - annotations:
catalog.cattle.io/certified: partner catalog.cattle.io/certified: partner