{{- $container_port := .Values.gateway.service.internalPort | default 8000 -}} {{- $service_port := .Values.gateway.service.externalPort -}} {{- $admin_port := default 8877 .Values.service.gatewayAdminPort -}} --- apiVersion: v1 kind: Service metadata: namespace: {{ $.Release.Namespace }} labels: service: gateway {{ include "helm.labels" . | indent 4 }} name: gateway {{- if not (include "k10.capability.gateway" $) }} annotations: getambassador.io/config: | --- apiVersion: getambassador.io/v3alpha1 kind: AuthService name: authentication auth_service: "auth-svc:8000" path_prefix: "/v0/authz" ambassador_id: [ {{ include "k10.ambassadorId" . }} ] allowed_authorization_headers: - x-cluster-name allowed_request_headers: - "x-forwarded-access-token" --- apiVersion: getambassador.io/v3alpha1 kind: Host name: ambassadorhost hostname: "*" ambassador_id: [ {{ include "k10.ambassadorId" . }} ] {{- if .Values.secrets.tlsSecret }} tlsSecret: name: {{ .Values.secrets.tlsSecret }} {{- else if and .Values.secrets.apiTlsCrt .Values.secrets.apiTlsKey }} tlsSecret: name: gateway-certs {{- end }} requestPolicy: insecure: action: Route --- apiVersion: getambassador.io/v3alpha1 kind: Listener name: ambassadorlistener port: {{ $container_port }} securityModel: XFP protocol: HTTPS hostBinding: namespace: from: SELF ambassador_id: [ {{ include "k10.ambassadorId" . }} ] --- {{- if (eq "endpoint" .Values.apigateway.serviceResolver) }} apiVersion: getambassador.io/v3alpha1 kind: KubernetesEndpointResolver name: endpoint ambassador_id: [ {{ include "k10.ambassadorId" . }} ] --- {{- end }} apiVersion: getambassador.io/v3alpha1 kind: Module name: ambassador config: service_port: {{ $container_port }} {{- if .Values.global.network.enable_ipv6 }} enable_ipv6: true {{- end }} ambassador_id: [ {{ include "k10.ambassadorId" . }} ] {{- if (eq "endpoint" .Values.apigateway.serviceResolver) }} resolver: endpoint load_balancer: policy: round_robin {{- end }} {{- end }} spec: ports: - name: http port: {{ $service_port }} targetPort: {{ $container_port }} selector: service: gateway --- {{- if not (include "k10.capability.gateway" $) }} {{- if .Values.gateway.exposeAdminPort }} apiVersion: v1 kind: Service metadata: namespace: {{ $.Release.Namespace }} name: gateway-admin labels: service: gateway {{ include "helm.labels" . | indent 4 }} spec: ports: - name: metrics port: {{ $admin_port }} targetPort: {{ $admin_port }} selector: service: gateway --- {{- end }} {{- end }} apiVersion: apps/v1 kind: Deployment metadata: namespace: {{ $.Release.Namespace }} labels: {{ include "helm.labels" . | indent 4 }} component: gateway name: gateway spec: replicas: 1 selector: matchLabels: service: gateway template: metadata: annotations: checksum/config: {{ include (print .Template.BasePath "/k10-config.yaml") . | sha256sum }} checksum/secret: {{ include (print .Template.BasePath "/secrets.yaml") . | sha256sum }} labels: service: gateway component: gateway {{ include "helm.labels" . | indent 8 }} {{- include "k10.azMarketPlace.billingIdentifier" . }} {{- if (include "k10.capability.gateway" $) }} spec: serviceAccountName: {{ template "serviceAccountName" . }} {{- dict "main" . "k10_deployment_name" "gateway" | include "k10.priorityClassName" | indent 6}} {{- include "k10.imagePullSecrets" . | indent 6 }} containers: - name: gateway {{- dict "main" . "k10_service" "gateway" | include "serviceImage" | indent 8 }} resources: limits: cpu: {{ .Values.gateway.resources.limits.cpu | quote }} memory: {{ .Values.gateway.resources.limits.memory | quote }} requests: cpu: {{ .Values.gateway.resources.requests.cpu | quote }} memory: {{ .Values.gateway.resources.requests.memory | quote }} env: - name: LOG_LEVEL valueFrom: configMapKeyRef: name: k10-config key: loglevel - name: VERSION valueFrom: configMapKeyRef: name: k10-config key: version {{- if .Values.fips.enabled }} {{- include "k10.enforceFIPSEnvironmentVariables" . | indent 10 }} {{- end }} {{- with $capabilities := include "k10.capabilities" . }} - name: K10_CAPABILITIES value: {{ $capabilities | quote }} {{- end }} {{- with $capabilities_mask := include "k10.capabilities_mask" . }} - name: K10_CAPABILITIES_MASK value: {{ $capabilities_mask | quote }} {{- end }} envFrom: - configMapRef: name: k10-gateway livenessProbe: httpGet: path: /healthz port: {{ $container_port }} initialDelaySeconds: 5 readinessProbe: httpGet: path: /healthz port: {{ $container_port }} restartPolicy: Always {{- else }} spec: serviceAccountName: {{ template "serviceAccountName" . }} {{- dict "main" . "k10_deployment_name" "gateway" | include "k10.priorityClassName" | indent 6}} {{- include "k10.imagePullSecrets" . | indent 6 }} containers: - name: ambassador image: {{ include "get.emissaryImage" . }} resources: limits: cpu: {{ .Values.gateway.resources.limits.cpu | quote }} memory: {{ .Values.gateway.resources.limits.memory | quote }} requests: cpu: {{ .Values.gateway.resources.requests.cpu | quote }} memory: {{ .Values.gateway.resources.requests.memory | quote }} env: - name: AMBASSADOR_NAMESPACE valueFrom: fieldRef: fieldPath: metadata.namespace - name: AMBASSADOR_SINGLE_NAMESPACE value: "true" - name: SCOUT_DISABLE value: "1" - name: "AMBASSADOR_VERIFY_SSL_FALSE" value: {{ .Values.gateway.insecureDisableSSLVerify | quote }} - name: AMBASSADOR_ID value: {{ include "k10.ambassadorId" . }} {{- if .Values.global.network.enable_ipv6}} - name: AMBASSADOR_ENVOY_BIND_ADDRESS value: '::' - name: AMBASSADOR_DIAGD_BIND_ADDREASS value: '[::]' {{- end }} livenessProbe: httpGet: path: /ambassador/v0/check_alive port: {{ $admin_port }} initialDelaySeconds: 30 periodSeconds: 3 readinessProbe: httpGet: path: /ambassador/v0/check_ready port: {{ $admin_port }} initialDelaySeconds: 30 periodSeconds: 3 restartPolicy: Always {{- end }}