rancher-partner-charts/charts/kasten/k10/7.0.701/templates/gateway.yaml

{{- $container_port := .Values.gateway.service.internalPort | default 8000 -}}
{{- $service_port := .Values.gateway.service.externalPort -}}
{{- $admin_port := default 8877 .Values.service.gatewayAdminPort -}}
---
apiVersion: v1
kind: Service
metadata:
  namespace: {{ $.Release.Namespace }}
  labels:
    service: gateway
{{ include "helm.labels" . | indent 4 }}
  name: gateway
  {{- if not (include "k10.capability.gateway" $) }}
  annotations:
    getambassador.io/config: |
      ---
      apiVersion: getambassador.io/v3alpha1
      kind:  AuthService
      name:  authentication
      auth_service: "auth-svc:8000"
      path_prefix: "/v0/authz"
      ambassador_id: [ {{ include "k10.ambassadorId" . }} ]
      allowed_authorization_headers:
      - x-cluster-name
      allowed_request_headers:
      - "x-forwarded-access-token"
      ---
      apiVersion: getambassador.io/v3alpha1
      kind: Host
      name: ambassadorhost
      hostname: "*"
      ambassador_id: [ {{ include "k10.ambassadorId" . }} ]
      {{- if .Values.secrets.tlsSecret }}
      tlsSecret:
        name: {{ .Values.secrets.tlsSecret }}
      {{- else if and .Values.secrets.apiTlsCrt .Values.secrets.apiTlsKey }}
      tlsSecret:
        name: gateway-certs
      {{- end }}
      requestPolicy:
        insecure:
          action: Route
      ---
      apiVersion: getambassador.io/v3alpha1
      kind: Listener
      name: ambassadorlistener
      port: {{ $container_port }}
      securityModel: XFP
      protocol: HTTPS
      hostBinding:
        namespace:
          from: SELF
      ambassador_id: [ {{ include "k10.ambassadorId" . }} ]
      ---
      {{- if (eq "endpoint" .Values.apigateway.serviceResolver) }}
      apiVersion: getambassador.io/v3alpha1
      kind: KubernetesEndpointResolver
      name: endpoint
      ambassador_id: [ {{ include "k10.ambassadorId" . }} ]
      ---
      {{- end }}
      apiVersion: getambassador.io/v3alpha1
      kind:  Module
      name:  ambassador
      config:
        diagnostics:
          enabled: false
        service_port: {{ $container_port }}
      {{- if .Values.global.network.enable_ipv6 }}
        enable_ipv6: true
      {{- end }}
      ambassador_id: [ {{ include "k10.ambassadorId" . }} ]
        {{- if (eq "endpoint" .Values.apigateway.serviceResolver) }}
        resolver: endpoint
        load_balancer:
          policy: round_robin
        {{- end }}      
  {{- end }}
spec:
  ports:
  - name: http
    port: {{ $service_port }}
    targetPort: {{ $container_port }}
  selector:
    service: gateway
---
{{- if not (include "k10.capability.gateway" $) }}
{{- if .Values.gateway.exposeAdminPort }}
apiVersion: v1
kind: Service
metadata:
  namespace: {{ $.Release.Namespace }}
  name: gateway-admin
  labels:
    service: gateway
  annotations:
    getambassador.io/config: |
      apiVersion: getambassador.io/v3alpha1
      kind:  Module
      name:  ambassador
      config:
        diagnostics:
          enabled: false      
{{ include "helm.labels" . | indent 4 }}
spec:
  ports:
  - name: metrics
    port: {{ $admin_port }}
    targetPort: {{ $admin_port }}
  selector:
    service: gateway
---
{{- end }}
{{- end }}
apiVersion: apps/v1
kind: Deployment
metadata:
  namespace: {{ $.Release.Namespace }}
  labels:
{{ include "helm.labels" . | indent 4 }}
    component: gateway
  name: gateway
spec:
  replicas: 1
  selector:
    matchLabels:
      service: gateway
  template:
    metadata:
      annotations:
        checksum/config: {{ include (print .Template.BasePath "/k10-config.yaml") . | sha256sum }}
        checksum/secret: {{ include (print .Template.BasePath "/secrets.yaml") . | sha256sum }}
      labels:
        service: gateway
        component: gateway
{{ include "helm.labels" . | indent 8 }}
{{- include "k10.azMarketPlace.billingIdentifier" . }}
{{- if (include "k10.capability.gateway" $) }}
    spec:
      serviceAccountName: {{ template "serviceAccountName" . }}
      {{- dict "main" . "k10_deployment_name" "gateway" | include "k10.priorityClassName" | indent 6}}
      {{- include "k10.imagePullSecrets" . | indent 6 }}
      containers:
      - name: gateway
        {{- dict "main" . "k10_service" "gateway" | include "serviceImage" | indent 8 }}
        resources:
          limits:
            cpu: {{ .Values.gateway.resources.limits.cpu | quote }}
            memory: {{ .Values.gateway.resources.limits.memory | quote }}
          requests:
            cpu: {{ .Values.gateway.resources.requests.cpu | quote }}
            memory: {{ .Values.gateway.resources.requests.memory | quote }}
        env:
          - name: LOG_LEVEL
            valueFrom:
              configMapKeyRef:
                name: k10-config
                key: loglevel
          - name: VERSION
            valueFrom:
              configMapKeyRef:
                name: k10-config
                key: version
{{- if .Values.fips.enabled }}
          {{- include "k10.enforceFIPSEnvironmentVariables" . | indent 10 }}
{{- end }}
          {{- with $capabilities := include "k10.capabilities" . }}
          - name: K10_CAPABILITIES
            value: {{ $capabilities | quote }}
          {{- end }}
          {{- with $capabilities_mask := include "k10.capabilities_mask" . }}
          - name: K10_CAPABILITIES_MASK
            value: {{ $capabilities_mask | quote }}
          {{- end }}
        envFrom:
        - configMapRef:
            name: k10-gateway
        livenessProbe:
          httpGet:
            path: /healthz
            port: {{ $container_port }}
          initialDelaySeconds: 5
        readinessProbe:
          httpGet:
            path: /healthz
            port: {{ $container_port }}
      restartPolicy: Always
{{- else }}
    spec:
      serviceAccountName: {{ template "serviceAccountName" . }}
      {{- dict "main" . "k10_deployment_name" "gateway" | include "k10.priorityClassName" | indent 6}}
      {{- include "k10.imagePullSecrets" . | indent 6 }}
      containers:
      - name: ambassador
        image: {{ include "get.emissaryImage" . }}
        resources:
          limits:
            cpu: {{ .Values.gateway.resources.limits.cpu | quote }}
            memory: {{ .Values.gateway.resources.limits.memory | quote }}
          requests:
            cpu: {{ .Values.gateway.resources.requests.cpu | quote }}
            memory: {{ .Values.gateway.resources.requests.memory | quote }}
        env:
        - name: AMBASSADOR_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        - name: AMBASSADOR_SINGLE_NAMESPACE
          value: "true"
        - name: SCOUT_DISABLE
          value: "1"
        - name: "AMBASSADOR_VERIFY_SSL_FALSE"
          value: {{ .Values.gateway.insecureDisableSSLVerify | quote }}
        - name: AMBASSADOR_ID
          value: {{ include "k10.ambassadorId" . }}
{{- if .Values.global.network.enable_ipv6}}
        - name: AMBASSADOR_ENVOY_BIND_ADDRESS
          value: '::'
        - name: AMBASSADOR_DIAGD_BIND_ADDREASS
          value: '[::]'
{{- end }}
        livenessProbe:
          httpGet:
            path: /ambassador/v0/check_alive
            port: {{ $admin_port }}
          initialDelaySeconds: 30
          periodSeconds: 3
        readinessProbe:
          httpGet:
            path: /ambassador/v0/check_ready
            port: {{ $admin_port }}
          initialDelaySeconds: 30
          periodSeconds: 3
      restartPolicy: Always
{{- end }}