340 lines
15 KiB
YAML
340 lines
15 KiB
YAML
{{- if .Values.terminatingGateways.enabled }}
|
|
{{- if not .Values.connectInject.enabled }}{{ fail "connectInject.enabled must be true" }}{{ end -}}
|
|
{{- if and .Values.global.adminPartitions.enabled (not .Values.global.enableConsulNamespaces) }}{{ fail "global.enableConsulNamespaces must be true if global.adminPartitions.enabled=true" }}{{ end }}
|
|
{{ template "consul.validateRequiredCloudSecretsExist" . }}
|
|
{{ template "consul.validateCloudSecretKeys" . }}
|
|
|
|
{{- $root := . }}
|
|
{{- $defaults := .Values.terminatingGateways.defaults }}
|
|
{{- $names := dict }}
|
|
|
|
{{- $gateways := .Values.terminatingGateways.gateways }}
|
|
{{- range $outerTerminatingIndex, $outerTerminatingVal := $gateways }}
|
|
|
|
{{- range $innerTerminatingIndex, $innerTerminatingVal := $gateways }}
|
|
{{- if (and (ne $outerTerminatingIndex $innerTerminatingIndex) (eq $outerTerminatingVal.name $innerTerminatingVal.name)) }}
|
|
{{ fail (cat "terminating gateways must have unique names but found duplicate name" $innerTerminatingVal.name) }}
|
|
{{ end -}}
|
|
{{ end -}}
|
|
|
|
{{- range $outerIngressIndex, $outerIngressVal := $root.Values.ingressGateways.gateways }}
|
|
{{- if (eq $outerTerminatingVal.name $outerIngressVal.name) }}
|
|
{{ fail (cat "terminating gateways cannot have duplicate names of any ingress gateways but found duplicate name" $outerTerminatingVal.name) }}
|
|
{{ end -}}
|
|
{{ end -}}
|
|
{{ end -}}
|
|
|
|
{{- range .Values.terminatingGateways.gateways }}
|
|
|
|
{{- if empty .name }}
|
|
# Check that name is not empty
|
|
{{ fail "Terminating gateway names cannot be empty"}}
|
|
{{ end -}}
|
|
{{- if hasKey $names .name }}
|
|
# Check that the name doesn't already exist
|
|
{{ fail "Terminating gateway names must be unique"}}
|
|
{{ end -}}
|
|
{{- /* Add the gateway name to the $names dict to ensure uniqueness */ -}}
|
|
{{- $_ := set $names .name .name }}
|
|
apiVersion: apps/v1
|
|
kind: Deployment
|
|
metadata:
|
|
name: {{ template "consul.fullname" $root }}-{{ .name }}
|
|
namespace: {{ $root.Release.Namespace }}
|
|
labels:
|
|
app: {{ template "consul.name" $root }}
|
|
chart: {{ template "consul.chart" $root }}
|
|
heritage: {{ $root.Release.Service }}
|
|
release: {{ $root.Release.Name }}
|
|
component: terminating-gateway
|
|
terminating-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }}
|
|
{{- if $root.Values.global.extraLabels }}
|
|
{{- toYaml $root.Values.global.extraLabels | nindent 4 }}
|
|
{{- end }}
|
|
spec:
|
|
replicas: {{ default $defaults.replicas .replicas }}
|
|
selector:
|
|
matchLabels:
|
|
app: {{ template "consul.name" $root }}
|
|
chart: {{ template "consul.chart" $root }}
|
|
heritage: {{ $root.Release.Service }}
|
|
release: {{ $root.Release.Name }}
|
|
component: terminating-gateway
|
|
terminating-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }}
|
|
template:
|
|
metadata:
|
|
labels:
|
|
app: {{ template "consul.name" $root }}
|
|
chart: {{ template "consul.chart" $root }}
|
|
heritage: {{ $root.Release.Service }}
|
|
release: {{ $root.Release.Name }}
|
|
component: terminating-gateway
|
|
terminating-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }}
|
|
consul.hashicorp.com/connect-inject-managed-by: consul-k8s-endpoints-controller
|
|
{{- if $root.Values.global.extraLabels }}
|
|
{{- toYaml $root.Values.global.extraLabels | nindent 8 }}
|
|
{{- end }}
|
|
annotations:
|
|
"consul.hashicorp.com/connect-inject": "false"
|
|
"consul.hashicorp.com/gateway-kind": "terminating-gateway"
|
|
"consul.hashicorp.com/gateway-consul-service-name": "{{ .name }}"
|
|
{{- if $root.Values.global.enableConsulNamespaces }}
|
|
"consul.hashicorp.com/gateway-namespace": {{ (default $defaults.consulNamespace .consulNamespace) }}
|
|
{{- end }}
|
|
{{- if (and $root.Values.global.secretsBackend.vault.enabled $root.Values.global.tls.enabled) }}
|
|
"vault.hashicorp.com/agent-init-first": "true"
|
|
"vault.hashicorp.com/agent-inject": "true"
|
|
"vault.hashicorp.com/role": {{ $root.Values.global.secretsBackend.vault.consulCARole }}
|
|
"vault.hashicorp.com/agent-inject-secret-serverca.crt": {{ $root.Values.global.tls.caCert.secretName }}
|
|
"vault.hashicorp.com/agent-inject-template-serverca.crt": {{ template "consul.serverTLSCATemplate" $root }}
|
|
{{- if and $root.Values.global.secretsBackend.vault.ca.secretName $root.Values.global.secretsBackend.vault.ca.secretKey }}
|
|
"vault.hashicorp.com/agent-extra-secret": {{ $root.Values.global.secretsBackend.vault.ca.secretName }}
|
|
"vault.hashicorp.com/ca-cert": /vault/custom/{{ $root.Values.global.secretsBackend.vault.ca.secretKey }}
|
|
{{- end }}
|
|
{{- if $root.Values.global.secretsBackend.vault.agentAnnotations }}
|
|
{{ tpl $root.Values.global.secretsBackend.vault.agentAnnotations $root | nindent 8 | trim }}
|
|
{{- end }}
|
|
{{- end }}
|
|
{{- if (and $root.Values.global.metrics.enabled $root.Values.global.metrics.enableGatewayMetrics) }}
|
|
"prometheus.io/scrape": "true"
|
|
"prometheus.io/path": "/metrics"
|
|
"prometheus.io/port": "20200"
|
|
{{- end }}
|
|
{{- if $defaults.annotations }}
|
|
# We allow both default annotations and gateway-specific annotations
|
|
{{- tpl $defaults.annotations $root | nindent 8 }}
|
|
{{- end }}
|
|
{{- if .annotations }}
|
|
{{- tpl .annotations $root | nindent 8 }}
|
|
{{- end }}
|
|
spec:
|
|
{{- if (or $defaults.affinity .affinity) }}
|
|
affinity:
|
|
{{ tpl (default $defaults.affinity .affinity) $root | nindent 8 | trim }}
|
|
{{- end }}
|
|
{{- if (or $defaults.tolerations .tolerations) }}
|
|
tolerations:
|
|
{{ tpl (default $defaults.tolerations .tolerations) $root | nindent 8 | trim }}
|
|
{{- end }}
|
|
{{- if (or $defaults.topologySpreadConstraints .topologySpreadConstraints) }}
|
|
topologySpreadConstraints:
|
|
{{ tpl (default $defaults.topologySpreadConstraints .topologySpreadConstraints) $root | nindent 8 | trim }}
|
|
{{- end }}
|
|
terminationGracePeriodSeconds: 10
|
|
serviceAccountName: {{ template "consul.fullname" $root }}-{{ .name }}
|
|
volumes:
|
|
- name: consul-service
|
|
emptyDir:
|
|
medium: "Memory"
|
|
{{- range (default $defaults.extraVolumes .extraVolumes) }}
|
|
- name: userconfig-{{ .name }}
|
|
{{ .type }}:
|
|
{{- if (eq .type "configMap") }}
|
|
name: {{ .name }}
|
|
{{- else if (eq .type "secret") }}
|
|
secretName: {{ .name }}
|
|
{{- end }}
|
|
{{- with .items }}
|
|
items:
|
|
{{- range . }}
|
|
- key: {{.key}}
|
|
path: {{.path}}
|
|
{{- end }}
|
|
{{- end }}
|
|
{{- end }}
|
|
{{- if $root.Values.global.tls.enabled }}
|
|
{{- if not (or (and $root.Values.externalServers.enabled $root.Values.externalServers.useSystemRoots) ($root.Values.global.secretsBackend.vault.enabled)) }}
|
|
- name: consul-ca-cert
|
|
secret:
|
|
{{- if $root.Values.global.tls.caCert.secretName }}
|
|
secretName: {{ $root.Values.global.tls.caCert.secretName }}
|
|
{{- else }}
|
|
secretName: {{ template "consul.fullname" $root }}-ca-cert
|
|
{{- end }}
|
|
items:
|
|
- key: {{ default "tls.crt" $root.Values.global.tls.caCert.secretKey }}
|
|
path: tls.crt
|
|
{{- end }}
|
|
{{- end }}
|
|
initContainers:
|
|
# terminating-gateway-init registers the terminating gateway service with Consul.
|
|
- name: terminating-gateway-init
|
|
image: {{ $root.Values.global.imageK8S }}
|
|
env:
|
|
- name: NAMESPACE
|
|
valueFrom:
|
|
fieldRef:
|
|
fieldPath: metadata.namespace
|
|
- name: POD_NAME
|
|
valueFrom:
|
|
fieldRef:
|
|
fieldPath: metadata.name
|
|
- name: NODE_NAME
|
|
valueFrom:
|
|
fieldRef:
|
|
fieldPath: spec.nodeName
|
|
{{- include "consul.consulK8sConsulServerEnvVars" $root | nindent 10 }}
|
|
{{- if $root.Values.global.enableConsulNamespaces }}
|
|
- name: CONSUL_NAMESPACE
|
|
value: {{ (default $defaults.consulNamespace .consulNamespace) }}
|
|
{{- end }}
|
|
{{- if $root.Values.global.acls.manageSystemACLs }}
|
|
- name: CONSUL_LOGIN_AUTH_METHOD
|
|
value: {{ template "consul.fullname" $root }}-k8s-component-auth-method
|
|
- name: CONSUL_LOGIN_DATACENTER
|
|
value: {{ $root.Values.global.datacenter }}
|
|
- name: CONSUL_LOGIN_META
|
|
value: "component=terminating-gateway,pod=$(NAMESPACE)/$(POD_NAME)"
|
|
{{- end }}
|
|
- name: CONSUL_NODE_NAME
|
|
value: $(NODE_NAME)-virtual
|
|
command:
|
|
- "/bin/sh"
|
|
- "-ec"
|
|
- |
|
|
consul-k8s-control-plane connect-init -pod-name=${POD_NAME} -pod-namespace=${NAMESPACE} \
|
|
-gateway-kind="terminating-gateway" \
|
|
-proxy-id-file=/consul/service/proxy-id \
|
|
-service-name={{ .name }} \
|
|
-log-level={{ default $root.Values.global.logLevel }} \
|
|
-log-json={{ $root.Values.global.logJSON }}
|
|
volumeMounts:
|
|
- name: consul-service
|
|
mountPath: /consul/service
|
|
{{- if $root.Values.global.tls.enabled }}
|
|
{{- if not (or (and $root.Values.externalServers.enabled $root.Values.externalServers.useSystemRoots) ($root.Values.global.secretsBackend.vault.enabled)) }}
|
|
- name: consul-ca-cert
|
|
mountPath: /consul/tls/ca
|
|
readOnly: true
|
|
{{- end }}
|
|
{{- end }}
|
|
resources:
|
|
requests:
|
|
memory: "50Mi"
|
|
cpu: "50m"
|
|
limits:
|
|
memory: "50Mi"
|
|
cpu: "50m"
|
|
containers:
|
|
- name: terminating-gateway
|
|
image: {{ $root.Values.global.imageConsulDataplane | quote }}
|
|
volumeMounts:
|
|
- name: consul-service
|
|
mountPath: /consul/service
|
|
readOnly: true
|
|
{{- if $root.Values.global.tls.enabled }}
|
|
{{- if not (or (and $root.Values.externalServers.enabled $root.Values.externalServers.useSystemRoots) ($root.Values.global.secretsBackend.vault.enabled)) }}
|
|
- name: consul-ca-cert
|
|
mountPath: /consul/tls/ca
|
|
readOnly: true
|
|
{{- end }}
|
|
{{- end }}
|
|
{{- range (default $defaults.extraVolumes .extraVolumes) }}
|
|
- name: userconfig-{{ .name }}
|
|
readOnly: true
|
|
mountPath: /consul/userconfig/{{ .name }}
|
|
{{- end }}
|
|
{{- if (default $defaults.resources .resources) }}
|
|
resources: {{ toYaml (default $defaults.resources .resources) | nindent 12 }}
|
|
{{- end }}
|
|
env:
|
|
- name: NAMESPACE
|
|
valueFrom:
|
|
fieldRef:
|
|
fieldPath: metadata.namespace
|
|
- name: POD_NAME
|
|
valueFrom:
|
|
fieldRef:
|
|
fieldPath: metadata.name
|
|
- name: NODE_NAME
|
|
valueFrom:
|
|
fieldRef:
|
|
fieldPath: spec.nodeName
|
|
- name: DP_CREDENTIAL_LOGIN_META1
|
|
value: pod=$(NAMESPACE)/$(POD_NAME)
|
|
- name: DP_CREDENTIAL_LOGIN_META2
|
|
value: component=terminating-gateway
|
|
- name: DP_SERVICE_NODE_NAME
|
|
value: $(NODE_NAME)-virtual
|
|
command:
|
|
- consul-dataplane
|
|
args:
|
|
{{- if $root.Values.externalServers.enabled }}
|
|
- -addresses={{ $root.Values.externalServers.hosts | first }}
|
|
{{- else }}
|
|
- -addresses={{ template "consul.fullname" $root }}-server.{{ $root.Release.Namespace }}.svc
|
|
{{- end }}
|
|
{{- if $root.Values.externalServers.enabled }}
|
|
- -grpc-port={{ $root.Values.externalServers.grpcPort }}
|
|
{{- else }}
|
|
- -grpc-port=8502
|
|
{{- end }}
|
|
- -proxy-service-id-path=/consul/service/proxy-id
|
|
{{- if $root.Values.global.enableConsulNamespaces }}
|
|
- -service-namespace={{ (default $defaults.consulNamespace .consulNamespace) }}
|
|
{{- end }}
|
|
{{- if and $root.Values.global.tls.enabled }}
|
|
{{- if (not (and $root.Values.externalServers.enabled $root.Values.externalServers.useSystemRoots)) }}
|
|
{{- if $root.Values.global.secretsBackend.vault.enabled }}
|
|
- -ca-certs=/vault/secrets/serverca.crt
|
|
{{- else }}
|
|
- -ca-certs=/consul/tls/ca/tls.crt
|
|
{{- end }}
|
|
{{- end }}
|
|
{{- if and $root.Values.externalServers.enabled $root.Values.externalServers.tlsServerName }}
|
|
- -tls-server-name={{$root.Values.externalServers.tlsServerName }}
|
|
{{- else if $root.Values.global.cloud.enabled }}
|
|
- -tls-server-name=server.{{ $root.Values.global.datacenter}}.{{ $root.Values.global.domain}}
|
|
{{- end }}
|
|
{{- else }}
|
|
- -tls-disabled
|
|
{{- end }}
|
|
{{- if $root.Values.global.acls.manageSystemACLs }}
|
|
- -credential-type=login
|
|
- -login-bearer-token-path=/var/run/secrets/kubernetes.io/serviceaccount/token
|
|
- -login-auth-method={{ template "consul.fullname" $root }}-k8s-component-auth-method
|
|
{{- if $root.Values.global.adminPartitions.enabled }}
|
|
- -login-partition={{ $root.Values.global.adminPartitions.name }}
|
|
{{- end }}
|
|
{{- end }}
|
|
{{- if $root.Values.global.adminPartitions.enabled }}
|
|
- -service-partition={{ $root.Values.global.adminPartitions.name }}
|
|
{{- end }}
|
|
- -log-level={{ default $root.Values.global.logLevel }}
|
|
- -log-json={{ $root.Values.global.logJSON }}
|
|
{{- if (and $root.Values.global.metrics.enabled $root.Values.global.metrics.enableGatewayMetrics) }}
|
|
- -telemetry-prom-scrape-path=/metrics
|
|
{{- end }}
|
|
{{- if and $root.Values.externalServers.enabled $root.Values.externalServers.skipServerWatch }}
|
|
- -server-watch-disabled=true
|
|
{{- end }}
|
|
livenessProbe:
|
|
tcpSocket:
|
|
port: 8443
|
|
failureThreshold: 3
|
|
initialDelaySeconds: 30
|
|
periodSeconds: 10
|
|
successThreshold: 1
|
|
timeoutSeconds: 5
|
|
readinessProbe:
|
|
tcpSocket:
|
|
port: 8443
|
|
failureThreshold: 3
|
|
initialDelaySeconds: 10
|
|
periodSeconds: 10
|
|
successThreshold: 1
|
|
timeoutSeconds: 5
|
|
ports:
|
|
- name: gateway
|
|
containerPort: 8443
|
|
{{- if (default $defaults.priorityClassName .priorityClassName) }}
|
|
priorityClassName: {{ (default $defaults.priorityClassName .priorityClassName) | quote }}
|
|
{{- end }}
|
|
{{- if (default $defaults.nodeSelector .nodeSelector) }}
|
|
nodeSelector:
|
|
{{ tpl (default $defaults.nodeSelector .nodeSelector) $root | indent 8 | trim }}
|
|
{{- end }}
|
|
---
|
|
{{- end }}
|
|
{{- end }}
|