rancher-partner-charts/charts/hashicorp/consul/templates/terminating-gateways-deploy...

340 lines
15 KiB
YAML

{{- if .Values.terminatingGateways.enabled }}
{{- if not .Values.connectInject.enabled }}{{ fail "connectInject.enabled must be true" }}{{ end -}}
{{- if and .Values.global.adminPartitions.enabled (not .Values.global.enableConsulNamespaces) }}{{ fail "global.enableConsulNamespaces must be true if global.adminPartitions.enabled=true" }}{{ end }}
{{ template "consul.validateRequiredCloudSecretsExist" . }}
{{ template "consul.validateCloudSecretKeys" . }}
{{- $root := . }}
{{- $defaults := .Values.terminatingGateways.defaults }}
{{- $names := dict }}
{{- $gateways := .Values.terminatingGateways.gateways }}
{{- range $outerTerminatingIndex, $outerTerminatingVal := $gateways }}
{{- range $innerTerminatingIndex, $innerTerminatingVal := $gateways }}
{{- if (and (ne $outerTerminatingIndex $innerTerminatingIndex) (eq $outerTerminatingVal.name $innerTerminatingVal.name)) }}
{{ fail (cat "terminating gateways must have unique names but found duplicate name" $innerTerminatingVal.name) }}
{{ end -}}
{{ end -}}
{{- range $outerIngressIndex, $outerIngressVal := $root.Values.ingressGateways.gateways }}
{{- if (eq $outerTerminatingVal.name $outerIngressVal.name) }}
{{ fail (cat "terminating gateways cannot have duplicate names of any ingress gateways but found duplicate name" $outerTerminatingVal.name) }}
{{ end -}}
{{ end -}}
{{ end -}}
{{- range .Values.terminatingGateways.gateways }}
{{- if empty .name }}
# Check that name is not empty
{{ fail "Terminating gateway names cannot be empty"}}
{{ end -}}
{{- if hasKey $names .name }}
# Check that the name doesn't already exist
{{ fail "Terminating gateway names must be unique"}}
{{ end -}}
{{- /* Add the gateway name to the $names dict to ensure uniqueness */ -}}
{{- $_ := set $names .name .name }}
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ template "consul.fullname" $root }}-{{ .name }}
namespace: {{ $root.Release.Namespace }}
labels:
app: {{ template "consul.name" $root }}
chart: {{ template "consul.chart" $root }}
heritage: {{ $root.Release.Service }}
release: {{ $root.Release.Name }}
component: terminating-gateway
terminating-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }}
{{- if $root.Values.global.extraLabels }}
{{- toYaml $root.Values.global.extraLabels | nindent 4 }}
{{- end }}
spec:
replicas: {{ default $defaults.replicas .replicas }}
selector:
matchLabels:
app: {{ template "consul.name" $root }}
chart: {{ template "consul.chart" $root }}
heritage: {{ $root.Release.Service }}
release: {{ $root.Release.Name }}
component: terminating-gateway
terminating-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }}
template:
metadata:
labels:
app: {{ template "consul.name" $root }}
chart: {{ template "consul.chart" $root }}
heritage: {{ $root.Release.Service }}
release: {{ $root.Release.Name }}
component: terminating-gateway
terminating-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }}
consul.hashicorp.com/connect-inject-managed-by: consul-k8s-endpoints-controller
{{- if $root.Values.global.extraLabels }}
{{- toYaml $root.Values.global.extraLabels | nindent 8 }}
{{- end }}
annotations:
"consul.hashicorp.com/connect-inject": "false"
"consul.hashicorp.com/gateway-kind": "terminating-gateway"
"consul.hashicorp.com/gateway-consul-service-name": "{{ .name }}"
{{- if $root.Values.global.enableConsulNamespaces }}
"consul.hashicorp.com/gateway-namespace": {{ (default $defaults.consulNamespace .consulNamespace) }}
{{- end }}
{{- if (and $root.Values.global.secretsBackend.vault.enabled $root.Values.global.tls.enabled) }}
"vault.hashicorp.com/agent-init-first": "true"
"vault.hashicorp.com/agent-inject": "true"
"vault.hashicorp.com/role": {{ $root.Values.global.secretsBackend.vault.consulCARole }}
"vault.hashicorp.com/agent-inject-secret-serverca.crt": {{ $root.Values.global.tls.caCert.secretName }}
"vault.hashicorp.com/agent-inject-template-serverca.crt": {{ template "consul.serverTLSCATemplate" $root }}
{{- if and $root.Values.global.secretsBackend.vault.ca.secretName $root.Values.global.secretsBackend.vault.ca.secretKey }}
"vault.hashicorp.com/agent-extra-secret": {{ $root.Values.global.secretsBackend.vault.ca.secretName }}
"vault.hashicorp.com/ca-cert": /vault/custom/{{ $root.Values.global.secretsBackend.vault.ca.secretKey }}
{{- end }}
{{- if $root.Values.global.secretsBackend.vault.agentAnnotations }}
{{ tpl $root.Values.global.secretsBackend.vault.agentAnnotations $root | nindent 8 | trim }}
{{- end }}
{{- end }}
{{- if (and $root.Values.global.metrics.enabled $root.Values.global.metrics.enableGatewayMetrics) }}
"prometheus.io/scrape": "true"
"prometheus.io/path": "/metrics"
"prometheus.io/port": "20200"
{{- end }}
{{- if $defaults.annotations }}
# We allow both default annotations and gateway-specific annotations
{{- tpl $defaults.annotations $root | nindent 8 }}
{{- end }}
{{- if .annotations }}
{{- tpl .annotations $root | nindent 8 }}
{{- end }}
spec:
{{- if (or $defaults.affinity .affinity) }}
affinity:
{{ tpl (default $defaults.affinity .affinity) $root | nindent 8 | trim }}
{{- end }}
{{- if (or $defaults.tolerations .tolerations) }}
tolerations:
{{ tpl (default $defaults.tolerations .tolerations) $root | nindent 8 | trim }}
{{- end }}
{{- if (or $defaults.topologySpreadConstraints .topologySpreadConstraints) }}
topologySpreadConstraints:
{{ tpl (default $defaults.topologySpreadConstraints .topologySpreadConstraints) $root | nindent 8 | trim }}
{{- end }}
terminationGracePeriodSeconds: 10
serviceAccountName: {{ template "consul.fullname" $root }}-{{ .name }}
volumes:
- name: consul-service
emptyDir:
medium: "Memory"
{{- range (default $defaults.extraVolumes .extraVolumes) }}
- name: userconfig-{{ .name }}
{{ .type }}:
{{- if (eq .type "configMap") }}
name: {{ .name }}
{{- else if (eq .type "secret") }}
secretName: {{ .name }}
{{- end }}
{{- with .items }}
items:
{{- range . }}
- key: {{.key}}
path: {{.path}}
{{- end }}
{{- end }}
{{- end }}
{{- if $root.Values.global.tls.enabled }}
{{- if not (or (and $root.Values.externalServers.enabled $root.Values.externalServers.useSystemRoots) ($root.Values.global.secretsBackend.vault.enabled)) }}
- name: consul-ca-cert
secret:
{{- if $root.Values.global.tls.caCert.secretName }}
secretName: {{ $root.Values.global.tls.caCert.secretName }}
{{- else }}
secretName: {{ template "consul.fullname" $root }}-ca-cert
{{- end }}
items:
- key: {{ default "tls.crt" $root.Values.global.tls.caCert.secretKey }}
path: tls.crt
{{- end }}
{{- end }}
initContainers:
# terminating-gateway-init registers the terminating gateway service with Consul.
- name: terminating-gateway-init
image: {{ $root.Values.global.imageK8S }}
env:
- name: NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: NODE_NAME
valueFrom:
fieldRef:
fieldPath: spec.nodeName
{{- include "consul.consulK8sConsulServerEnvVars" $root | nindent 10 }}
{{- if $root.Values.global.enableConsulNamespaces }}
- name: CONSUL_NAMESPACE
value: {{ (default $defaults.consulNamespace .consulNamespace) }}
{{- end }}
{{- if $root.Values.global.acls.manageSystemACLs }}
- name: CONSUL_LOGIN_AUTH_METHOD
value: {{ template "consul.fullname" $root }}-k8s-component-auth-method
- name: CONSUL_LOGIN_DATACENTER
value: {{ $root.Values.global.datacenter }}
- name: CONSUL_LOGIN_META
value: "component=terminating-gateway,pod=$(NAMESPACE)/$(POD_NAME)"
{{- end }}
- name: CONSUL_NODE_NAME
value: $(NODE_NAME)-virtual
command:
- "/bin/sh"
- "-ec"
- |
consul-k8s-control-plane connect-init -pod-name=${POD_NAME} -pod-namespace=${NAMESPACE} \
-gateway-kind="terminating-gateway" \
-proxy-id-file=/consul/service/proxy-id \
-service-name={{ .name }} \
-log-level={{ default $root.Values.global.logLevel }} \
-log-json={{ $root.Values.global.logJSON }}
volumeMounts:
- name: consul-service
mountPath: /consul/service
{{- if $root.Values.global.tls.enabled }}
{{- if not (or (and $root.Values.externalServers.enabled $root.Values.externalServers.useSystemRoots) ($root.Values.global.secretsBackend.vault.enabled)) }}
- name: consul-ca-cert
mountPath: /consul/tls/ca
readOnly: true
{{- end }}
{{- end }}
resources:
requests:
memory: "50Mi"
cpu: "50m"
limits:
memory: "50Mi"
cpu: "50m"
containers:
- name: terminating-gateway
image: {{ $root.Values.global.imageConsulDataplane | quote }}
volumeMounts:
- name: consul-service
mountPath: /consul/service
readOnly: true
{{- if $root.Values.global.tls.enabled }}
{{- if not (or (and $root.Values.externalServers.enabled $root.Values.externalServers.useSystemRoots) ($root.Values.global.secretsBackend.vault.enabled)) }}
- name: consul-ca-cert
mountPath: /consul/tls/ca
readOnly: true
{{- end }}
{{- end }}
{{- range (default $defaults.extraVolumes .extraVolumes) }}
- name: userconfig-{{ .name }}
readOnly: true
mountPath: /consul/userconfig/{{ .name }}
{{- end }}
{{- if (default $defaults.resources .resources) }}
resources: {{ toYaml (default $defaults.resources .resources) | nindent 12 }}
{{- end }}
env:
- name: NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: NODE_NAME
valueFrom:
fieldRef:
fieldPath: spec.nodeName
- name: DP_CREDENTIAL_LOGIN_META1
value: pod=$(NAMESPACE)/$(POD_NAME)
- name: DP_CREDENTIAL_LOGIN_META2
value: component=terminating-gateway
- name: DP_SERVICE_NODE_NAME
value: $(NODE_NAME)-virtual
command:
- consul-dataplane
args:
{{- if $root.Values.externalServers.enabled }}
- -addresses={{ $root.Values.externalServers.hosts | first }}
{{- else }}
- -addresses={{ template "consul.fullname" $root }}-server.{{ $root.Release.Namespace }}.svc
{{- end }}
{{- if $root.Values.externalServers.enabled }}
- -grpc-port={{ $root.Values.externalServers.grpcPort }}
{{- else }}
- -grpc-port=8502
{{- end }}
- -proxy-service-id-path=/consul/service/proxy-id
{{- if $root.Values.global.enableConsulNamespaces }}
- -service-namespace={{ (default $defaults.consulNamespace .consulNamespace) }}
{{- end }}
{{- if and $root.Values.global.tls.enabled }}
{{- if (not (and $root.Values.externalServers.enabled $root.Values.externalServers.useSystemRoots)) }}
{{- if $root.Values.global.secretsBackend.vault.enabled }}
- -ca-certs=/vault/secrets/serverca.crt
{{- else }}
- -ca-certs=/consul/tls/ca/tls.crt
{{- end }}
{{- end }}
{{- if and $root.Values.externalServers.enabled $root.Values.externalServers.tlsServerName }}
- -tls-server-name={{$root.Values.externalServers.tlsServerName }}
{{- else if $root.Values.global.cloud.enabled }}
- -tls-server-name=server.{{ $root.Values.global.datacenter}}.{{ $root.Values.global.domain}}
{{- end }}
{{- else }}
- -tls-disabled
{{- end }}
{{- if $root.Values.global.acls.manageSystemACLs }}
- -credential-type=login
- -login-bearer-token-path=/var/run/secrets/kubernetes.io/serviceaccount/token
- -login-auth-method={{ template "consul.fullname" $root }}-k8s-component-auth-method
{{- if $root.Values.global.adminPartitions.enabled }}
- -login-partition={{ $root.Values.global.adminPartitions.name }}
{{- end }}
{{- end }}
{{- if $root.Values.global.adminPartitions.enabled }}
- -service-partition={{ $root.Values.global.adminPartitions.name }}
{{- end }}
- -log-level={{ default $root.Values.global.logLevel }}
- -log-json={{ $root.Values.global.logJSON }}
{{- if (and $root.Values.global.metrics.enabled $root.Values.global.metrics.enableGatewayMetrics) }}
- -telemetry-prom-scrape-path=/metrics
{{- end }}
{{- if and $root.Values.externalServers.enabled $root.Values.externalServers.skipServerWatch }}
- -server-watch-disabled=true
{{- end }}
livenessProbe:
tcpSocket:
port: 8443
failureThreshold: 3
initialDelaySeconds: 30
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 5
readinessProbe:
tcpSocket:
port: 8443
failureThreshold: 3
initialDelaySeconds: 10
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 5
ports:
- name: gateway
containerPort: 8443
{{- if (default $defaults.priorityClassName .priorityClassName) }}
priorityClassName: {{ (default $defaults.priorityClassName .priorityClassName) | quote }}
{{- end }}
{{- if (default $defaults.nodeSelector .nodeSelector) }}
nodeSelector:
{{ tpl (default $defaults.nodeSelector .nodeSelector) $root | indent 8 | trim }}
{{- end }}
---
{{- end }}
{{- end }}