move chart outside services
This commit is contained in:
parent
59d465c4be
commit
a172b6f881
30 changed files with 92 additions and 361 deletions
|
@ -0,0 +1 @@
|
|||
AWS Load Balancer controller installed!
|
|
@ -0,0 +1,129 @@
|
|||
{{/* vim: set filetype=mustache: */}}
|
||||
{{/*
|
||||
Expand the name of the chart.
|
||||
*/}}
|
||||
{{- define "aws-load-balancer-controller.name" -}}
|
||||
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Create a default fully qualified app name.
|
||||
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
|
||||
If release name contains chart name it will be used as a full name.
|
||||
*/}}
|
||||
{{- define "aws-load-balancer-controller.fullname" -}}
|
||||
{{- if .Values.fullnameOverride -}}
|
||||
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
|
||||
{{- else -}}
|
||||
{{- $name := default .Chart.Name .Values.nameOverride -}}
|
||||
{{- if contains $name .Release.Name -}}
|
||||
{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
|
||||
{{- else -}}
|
||||
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Create chart name and version as used by the chart label.
|
||||
*/}}
|
||||
{{- define "aws-load-balancer-controller.chart" -}}
|
||||
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Chart name prefix for resource names
|
||||
Strip the "-controller" suffix from the default .Chart.Name if the nameOverride is not specified.
|
||||
This enables using a shorter name for the resources, for example aws-load-balancer-webhook.
|
||||
*/}}
|
||||
{{- define "aws-load-balancer-controller.namePrefix" -}}
|
||||
{{- $defaultNamePrefix := .Chart.Name | trimSuffix "-controller" -}}
|
||||
{{- default $defaultNamePrefix .Values.nameOverride | trunc 42 | trimSuffix "-" -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Common labels
|
||||
*/}}
|
||||
{{- define "aws-load-balancer-controller.labels" -}}
|
||||
helm.sh/chart: {{ include "aws-load-balancer-controller.chart" . }}
|
||||
{{ include "aws-load-balancer-controller.selectorLabels" . }}
|
||||
{{- if .Chart.AppVersion }}
|
||||
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
|
||||
{{- end }}
|
||||
app.kubernetes.io/managed-by: {{ .Release.Service }}
|
||||
{{- if .Values.additionalLabels }}
|
||||
{{ toYaml .Values.additionalLabels }}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Selector labels
|
||||
*/}}
|
||||
{{- define "aws-load-balancer-controller.selectorLabels" -}}
|
||||
app.kubernetes.io/name: {{ include "aws-load-balancer-controller.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Create the name of the service account to use
|
||||
*/}}
|
||||
{{- define "aws-load-balancer-controller.serviceAccountName" -}}
|
||||
{{- if .Values.serviceAccount.create -}}
|
||||
{{ default (include "aws-load-balancer-controller.fullname" .) .Values.serviceAccount.name }}
|
||||
{{- else -}}
|
||||
{{ default "default" .Values.serviceAccount.name }}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Create the name of the webhook service
|
||||
*/}}
|
||||
{{- define "aws-load-balancer-controller.webhookService" -}}
|
||||
{{- printf "%s-webhook-service" (include "aws-load-balancer-controller.namePrefix" .) -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Create the name of the webhook cert secret
|
||||
*/}}
|
||||
{{- define "aws-load-balancer-controller.webhookCertSecret" -}}
|
||||
{{- printf "%s-tls" (include "aws-load-balancer-controller.namePrefix" .) -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Generate certificates for webhook
|
||||
*/}}
|
||||
{{- define "aws-load-balancer-controller.webhookCerts" -}}
|
||||
{{- $serviceName := (include "aws-load-balancer-controller.webhookService" .) -}}
|
||||
{{- $secretName := (include "aws-load-balancer-controller.webhookCertSecret" .) -}}
|
||||
{{- $secret := lookup "v1" "Secret" .Release.Namespace $secretName -}}
|
||||
{{- if (and .Values.webhookTLS.caCert .Values.webhookTLS.cert .Values.webhookTLS.key) -}}
|
||||
caCert: {{ .Values.webhookTLS.caCert | b64enc }}
|
||||
clientCert: {{ .Values.webhookTLS.cert | b64enc }}
|
||||
clientKey: {{ .Values.webhookTLS.key | b64enc }}
|
||||
{{- else if and .Values.keepTLSSecret $secret -}}
|
||||
caCert: {{ index $secret.data "ca.crt" }}
|
||||
clientCert: {{ index $secret.data "tls.crt" }}
|
||||
clientKey: {{ index $secret.data "tls.key" }}
|
||||
{{- else -}}
|
||||
{{- $altNames := list (printf "%s.%s" $serviceName .Release.Namespace) (printf "%s.%s.svc" $serviceName .Release.Namespace) (printf "%s.%s.svc.%s" $serviceName .Release.Namespace .Values.cluster.dnsDomain) -}}
|
||||
{{- $ca := genCA "aws-load-balancer-controller-ca" 3650 -}}
|
||||
{{- $cert := genSignedCert (include "aws-load-balancer-controller.fullname" .) nil $altNames 3650 $ca -}}
|
||||
caCert: {{ $ca.Cert | b64enc }}
|
||||
clientCert: {{ $cert.Cert | b64enc }}
|
||||
clientKey: {{ $cert.Key | b64enc }}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Convert map to comma separated key=value string
|
||||
*/}}
|
||||
{{- define "aws-load-balancer-controller.convertMapToCsv" -}}
|
||||
{{- range $key, $value := . -}} {{ $key }}={{ $value }}, {{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Create the name of the ingressClassParams
|
||||
*/}}
|
||||
{{- define "aws-load-balancer-controller.ingressClassParamsName" -}}
|
||||
{{ default .Values.ingressClass .Values.ingressClassParams.name }}
|
||||
{{- end -}}
|
|
@ -0,0 +1,215 @@
|
|||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: {{ include "aws-load-balancer-controller.fullname" . }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
{{- if .Values.deploymentAnnotations }}
|
||||
annotations:
|
||||
{{- toYaml .Values.deploymentAnnotations | nindent 4 }}
|
||||
{{- end }}
|
||||
labels:
|
||||
{{- include "aws-load-balancer-controller.labels" . | nindent 4 }}
|
||||
spec:
|
||||
replicas: {{ .Values.replicaCount }}
|
||||
selector:
|
||||
matchLabels:
|
||||
{{- include "aws-load-balancer-controller.selectorLabels" . | nindent 6 }}
|
||||
{{- with .Values.updateStrategy }}
|
||||
strategy:
|
||||
{{ toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
{{- include "aws-load-balancer-controller.selectorLabels" . | nindent 8 }}
|
||||
{{- if .Values.podLabels }}
|
||||
{{- toYaml .Values.podLabels | nindent 8 }}
|
||||
{{- end }}
|
||||
annotations:
|
||||
{{- if not .Values.serviceMonitor.enabled }}
|
||||
prometheus.io/scrape: "true"
|
||||
prometheus.io/port: "{{ (split ":" .Values.metricsBindAddr)._1 | default 8080 }}"
|
||||
{{- end}}
|
||||
{{- if .Values.podAnnotations }}
|
||||
{{- toYaml .Values.podAnnotations | nindent 8 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
{{- with .Values.imagePullSecrets }}
|
||||
imagePullSecrets:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
serviceAccountName: {{ include "aws-load-balancer-controller.serviceAccountName" . }}
|
||||
volumes:
|
||||
- name: cert
|
||||
secret:
|
||||
defaultMode: 420
|
||||
secretName: {{ template "aws-load-balancer-controller.webhookCertSecret" . }}
|
||||
{{- with .Values.extraVolumes }}
|
||||
{{ toYaml . | nindent 6 }}
|
||||
{{- end }}
|
||||
securityContext:
|
||||
{{- toYaml .Values.podSecurityContext | nindent 8 }}
|
||||
{{- if .Values.hostNetwork }}
|
||||
hostNetwork: true
|
||||
{{- end }}
|
||||
{{- if .Values.dnsPolicy }}
|
||||
dnsPolicy: {{ .Values.dnsPolicy }}
|
||||
{{- end }}
|
||||
containers:
|
||||
- name: {{ .Chart.Name }}
|
||||
args:
|
||||
- --cluster-name={{ required "Chart cannot be installed without a valid clusterName!" .Values.clusterName }}
|
||||
{{- if .Values.ingressClass }}
|
||||
- --ingress-class={{ .Values.ingressClass }}
|
||||
{{- end }}
|
||||
{{- if .Values.region }}
|
||||
- --aws-region={{ .Values.region }}
|
||||
{{- end }}
|
||||
{{- if .Values.vpcId }}
|
||||
- --aws-vpc-id={{ .Values.vpcId }}
|
||||
{{- end }}
|
||||
{{- if .Values.awsApiEndpoints }}
|
||||
- --aws-api-endpoints={{ .Values.awsApiEndpoints }}
|
||||
{{- end }}
|
||||
{{- if .Values.awsApiThrottle }}
|
||||
- --aws-api-throttle={{ join "," .Values.awsApiThrottle }}
|
||||
{{- end }}
|
||||
{{- if .Values.awsMaxRetries }}
|
||||
- --aws-max-retries={{ .Values.awsMaxRetries }}
|
||||
{{- end }}
|
||||
{{- if kindIs "bool" .Values.enablePodReadinessGateInject }}
|
||||
- --enable-pod-readiness-gate-inject={{ .Values.enablePodReadinessGateInject }}
|
||||
{{- end }}
|
||||
{{- if kindIs "bool" .Values.enableShield }}
|
||||
- --enable-shield={{ .Values.enableShield }}
|
||||
{{- end }}
|
||||
{{- if kindIs "bool" .Values.enableWaf }}
|
||||
- --enable-waf={{ .Values.enableWaf }}
|
||||
{{- end }}
|
||||
{{- if kindIs "bool" .Values.enableWafv2 }}
|
||||
- --enable-wafv2={{ .Values.enableWafv2 }}
|
||||
{{- end }}
|
||||
{{- if .Values.metricsBindAddr }}
|
||||
- --metrics-bind-addr={{ .Values.metricsBindAddr }}
|
||||
{{- end }}
|
||||
{{- if .Values.ingressMaxConcurrentReconciles }}
|
||||
- --ingress-max-concurrent-reconciles={{ .Values.ingressMaxConcurrentReconciles }}
|
||||
{{- end }}
|
||||
{{- if .Values.serviceMaxConcurrentReconciles }}
|
||||
- --service-max-concurrent-reconciles={{ .Values.serviceMaxConcurrentReconciles }}
|
||||
{{- end }}
|
||||
{{- if .Values.targetgroupbindingMaxConcurrentReconciles }}
|
||||
- --targetgroupbinding-max-concurrent-reconciles={{ .Values.targetgroupbindingMaxConcurrentReconciles }}
|
||||
{{- end }}
|
||||
{{- if .Values.targetgroupbindingMaxExponentialBackoffDelay }}
|
||||
- --targetgroupbinding-max-exponential-backoff-delay={{ .Values.targetgroupbindingMaxExponentialBackoffDelay }}
|
||||
{{- end }}
|
||||
{{- if .Values.logLevel }}
|
||||
- --log-level={{ .Values.logLevel }}
|
||||
{{- end }}
|
||||
{{- if .Values.webhookBindPort }}
|
||||
- --webhook-bind-port={{ .Values.webhookBindPort }}
|
||||
{{- end }}
|
||||
{{- if .Values.syncPeriod }}
|
||||
- --sync-period={{ .Values.syncPeriod }}
|
||||
{{- end }}
|
||||
{{- if .Values.watchNamespace }}
|
||||
- --watch-namespace={{ .Values.watchNamespace }}
|
||||
{{- end }}
|
||||
{{- if kindIs "bool" .Values.disableIngressClassAnnotation }}
|
||||
- --disable-ingress-class-annotation={{ .Values.disableIngressClassAnnotation }}
|
||||
{{- end }}
|
||||
{{- if kindIs "bool" .Values.disableIngressGroupNameAnnotation }}
|
||||
- --disable-ingress-group-name-annotation={{ .Values.disableIngressGroupNameAnnotation }}
|
||||
{{- end }}
|
||||
{{- if .Values.defaultSSLPolicy }}
|
||||
- --default-ssl-policy={{ .Values.defaultSSLPolicy }}
|
||||
{{- end }}
|
||||
{{- if .Values.externalManagedTags }}
|
||||
- --external-managed-tags={{ join "," .Values.externalManagedTags }}
|
||||
{{- end }}
|
||||
{{- if .Values.defaultTags }}
|
||||
- --default-tags={{ include "aws-load-balancer-controller.convertMapToCsv" .Values.defaultTags | trimSuffix "," }}
|
||||
{{- end }}
|
||||
{{- if kindIs "bool" .Values.enableEndpointSlices }}
|
||||
- --enable-endpoint-slices={{ .Values.enableEndpointSlices }}
|
||||
{{- end }}
|
||||
{{- if kindIs "bool" .Values.enableBackendSecurityGroup }}
|
||||
- --enable-backend-security-group={{ .Values.enableBackendSecurityGroup }}
|
||||
{{- end }}
|
||||
{{- if .Values.backendSecurityGroup }}
|
||||
- --backend-security-group={{ .Values.backendSecurityGroup }}
|
||||
{{- end }}
|
||||
{{- if kindIs "bool" .Values.disableRestrictedSecurityGroupRules }}
|
||||
- --disable-restricted-sg-rules={{ .Values.disableRestrictedSecurityGroupRules }}
|
||||
{{- end }}
|
||||
{{- if .Values.controllerConfig.featureGates }}
|
||||
- --feature-gates={{ include "aws-load-balancer-controller.convertMapToCsv" .Values.controllerConfig.featureGates | trimSuffix "," }}
|
||||
{{- end }}
|
||||
{{- if ne .Values.defaultTargetType "instance" }}
|
||||
- --default-target-type={{ .Values.defaultTargetType }}
|
||||
{{- end }}
|
||||
{{- if .Values.env }}
|
||||
env:
|
||||
{{- range $key, $value := .Values.env }}
|
||||
- name: {{ $key }}
|
||||
value: "{{ $value }}"
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
securityContext:
|
||||
{{- toYaml .Values.securityContext | nindent 10 }}
|
||||
image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
|
||||
imagePullPolicy: {{ .Values.image.pullPolicy }}
|
||||
volumeMounts:
|
||||
- mountPath: /tmp/k8s-webhook-server/serving-certs
|
||||
name: cert
|
||||
readOnly: true
|
||||
{{- with .Values.extraVolumeMounts }}
|
||||
{{ toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
ports:
|
||||
- name: webhook-server
|
||||
containerPort: {{ .Values.webhookBindPort | default 9443 }}
|
||||
protocol: TCP
|
||||
- name: metrics-server
|
||||
containerPort: {{ (split ":" .Values.metricsBindAddr)._1 | default 8080 }}
|
||||
protocol: TCP
|
||||
resources:
|
||||
{{- toYaml .Values.resources | nindent 10 }}
|
||||
{{- with .Values.livenessProbe }}
|
||||
livenessProbe:
|
||||
{{- toYaml . | nindent 10 }}
|
||||
{{- end }}
|
||||
terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }}
|
||||
{{- with .Values.nodeSelector }}
|
||||
nodeSelector:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- if .Values.affinity }}
|
||||
affinity:
|
||||
{{- toYaml .Values.affinity | nindent 8 }}
|
||||
{{- else if .Values.configureDefaultAffinity }}
|
||||
affinity:
|
||||
podAntiAffinity:
|
||||
preferredDuringSchedulingIgnoredDuringExecution:
|
||||
- weight: 100
|
||||
podAffinityTerm:
|
||||
labelSelector:
|
||||
matchExpressions:
|
||||
- key: app.kubernetes.io/name
|
||||
operator: In
|
||||
values:
|
||||
- {{ include "aws-load-balancer-controller.name" . }}
|
||||
topologyKey: kubernetes.io/hostname
|
||||
{{- end }}
|
||||
{{- with .Values.tolerations }}
|
||||
tolerations:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- if .Values.priorityClassName }}
|
||||
priorityClassName: {{ .Values.priorityClassName | quote }}
|
||||
{{- end }}
|
||||
{{- with .Values.topologySpreadConstraints }}
|
||||
topologySpreadConstraints:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
|
@ -0,0 +1,41 @@
|
|||
{{- /*
|
||||
[caution] AWSLoadBalancerController <= v2.4.2 expects referenced IngressClassParams to be created before IngressClass.
|
||||
We use a list here to force Helm create IngressClassParams(if any) before apply any IngressClass changes.
|
||||
*/}}
|
||||
{{- if .Values.createIngressClassResource }}
|
||||
apiVersion: v1
|
||||
kind: List
|
||||
metadata:
|
||||
name: ingress-class
|
||||
items:
|
||||
{{- if .Values.ingressClassParams.create }}
|
||||
- apiVersion: elbv2.k8s.aws/v1beta1
|
||||
kind: IngressClassParams
|
||||
metadata:
|
||||
name: {{ include "aws-load-balancer-controller.ingressClassParamsName" . }}
|
||||
labels:
|
||||
{{- include "aws-load-balancer-controller.labels" . | nindent 6 }}
|
||||
{{- with .Values.ingressClassParams.spec }}
|
||||
spec:
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
- apiVersion: networking.k8s.io/v1
|
||||
kind: IngressClass
|
||||
metadata:
|
||||
name: {{ .Values.ingressClass }}
|
||||
labels:
|
||||
{{- include "aws-load-balancer-controller.labels" . | nindent 6 }}
|
||||
{{- if .Values.ingressClassConfig.default }}
|
||||
annotations:
|
||||
ingressclass.kubernetes.io/is-default-class: "true"
|
||||
{{- end }}
|
||||
spec:
|
||||
controller: ingress.k8s.aws/alb
|
||||
{{- if or .Values.ingressClassParams.name (and .Values.ingressClassParams.create .Values.ingressClassParams.spec) }}
|
||||
parameters:
|
||||
apiGroup: elbv2.k8s.aws
|
||||
kind: IngressClassParams
|
||||
name: {{ include "aws-load-balancer-controller.ingressClassParamsName" . }}
|
||||
{{- end }}
|
||||
{{- end }}
|
|
@ -0,0 +1,14 @@
|
|||
{{- if and .Values.podDisruptionBudget (gt (int .Values.replicaCount) 1) }}
|
||||
apiVersion: policy/v1
|
||||
kind: PodDisruptionBudget
|
||||
metadata:
|
||||
name: {{ include "aws-load-balancer-controller.fullname" . }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
{{- include "aws-load-balancer-controller.labels" . | nindent 4 }}
|
||||
spec:
|
||||
selector:
|
||||
matchLabels:
|
||||
{{- include "aws-load-balancer-controller.selectorLabels" . | nindent 6 }}
|
||||
{{- toYaml .Values.podDisruptionBudget | nindent 2 }}
|
||||
{{- end }}
|
|
@ -0,0 +1,104 @@
|
|||
{{- if .Values.rbac.create }}
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: Role
|
||||
metadata:
|
||||
name: {{ template "aws-load-balancer-controller.fullname" . }}-leader-election-role
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
{{- include "aws-load-balancer-controller.labels" . | nindent 4 }}
|
||||
rules:
|
||||
- apiGroups: [""]
|
||||
resources: [configmaps]
|
||||
verbs: [create]
|
||||
- apiGroups: [""]
|
||||
resources: [configmaps]
|
||||
resourceNames: [aws-load-balancer-controller-leader]
|
||||
verbs: [get, patch, update]
|
||||
- apiGroups:
|
||||
- "coordination.k8s.io"
|
||||
resources:
|
||||
- leases
|
||||
verbs:
|
||||
- create
|
||||
- apiGroups:
|
||||
- "coordination.k8s.io"
|
||||
resources:
|
||||
- leases
|
||||
resourceNames:
|
||||
- aws-load-balancer-controller-leader
|
||||
verbs:
|
||||
- get
|
||||
- update
|
||||
- patch
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: RoleBinding
|
||||
metadata:
|
||||
name: {{ template "aws-load-balancer-controller.fullname" . }}-leader-election-rolebinding
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
{{- include "aws-load-balancer-controller.labels" . | nindent 4 }}
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: Role
|
||||
name: {{ template "aws-load-balancer-controller.fullname" . }}-leader-election-role
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: {{ template "aws-load-balancer-controller.serviceAccountName" . }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
name: {{ template "aws-load-balancer-controller.fullname" . }}-role
|
||||
labels:
|
||||
{{- include "aws-load-balancer-controller.labels" . | nindent 4 }}
|
||||
rules:
|
||||
- apiGroups: ["elbv2.k8s.aws"]
|
||||
resources: [targetgroupbindings]
|
||||
verbs: [create, delete, get, list, patch, update, watch]
|
||||
- apiGroups: ["elbv2.k8s.aws"]
|
||||
resources: [ingressclassparams]
|
||||
verbs: [get, list, watch]
|
||||
- apiGroups: [""]
|
||||
resources: [events]
|
||||
verbs: [create, patch]
|
||||
- apiGroups: [""]
|
||||
resources: [pods]
|
||||
verbs: [get, list, watch]
|
||||
- apiGroups: ["networking.k8s.io"]
|
||||
resources: [ingressclasses]
|
||||
verbs: [get, list, watch]
|
||||
- apiGroups: ["", "extensions", "networking.k8s.io"]
|
||||
resources: [services, ingresses]
|
||||
verbs: [get, list, patch, update, watch]
|
||||
- apiGroups: [""]
|
||||
resources: [nodes, namespaces, endpoints]
|
||||
verbs: [get, list, watch]
|
||||
{{- if .Values.clusterSecretsPermissions.allowAllSecrets }}
|
||||
- apiGroups: [""]
|
||||
resources: [secrets]
|
||||
verbs: [get, list, watch]
|
||||
{{- end }}
|
||||
- apiGroups: ["elbv2.k8s.aws", "", "extensions", "networking.k8s.io"]
|
||||
resources: [targetgroupbindings/status, pods/status, services/status, ingresses/status]
|
||||
verbs: [update, patch]
|
||||
- apiGroups: ["discovery.k8s.io"]
|
||||
resources: [endpointslices]
|
||||
verbs: [get, list, watch]
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: {{ template "aws-load-balancer-controller.fullname" . }}-rolebinding
|
||||
labels:
|
||||
{{- include "aws-load-balancer-controller.labels" . | nindent 4 }}
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: {{ template "aws-load-balancer-controller.fullname" . }}-role
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: {{ template "aws-load-balancer-controller.serviceAccountName" . }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
{{- end }}
|
|
@ -0,0 +1,41 @@
|
|||
{{- if.Values.serviceMonitor.enabled }}
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: {{ template "aws-load-balancer-controller.fullname" . }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
{{- with .Values.serviceAnnotations }}
|
||||
annotations:
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
labels:
|
||||
{{- include "aws-load-balancer-controller.labels" . | nindent 4 }}
|
||||
spec:
|
||||
ports:
|
||||
- port: 8080
|
||||
name: metrics-server
|
||||
targetPort: metrics-server
|
||||
selector:
|
||||
{{- include "aws-load-balancer-controller.selectorLabels" . | nindent 4 }}
|
||||
---
|
||||
{{- end }}
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: {{ template "aws-load-balancer-controller.webhookService" . }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
{{- with .Values.serviceAnnotations }}
|
||||
annotations:
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
labels:
|
||||
{{- include "aws-load-balancer-controller.labels" . | nindent 4 }}
|
||||
app.kubernetes.io/component: webhook
|
||||
prometheus.io/service-monitor: "false"
|
||||
spec:
|
||||
ports:
|
||||
- port: 443
|
||||
name: webhook-server
|
||||
targetPort: webhook-server
|
||||
selector:
|
||||
{{- include "aws-load-balancer-controller.selectorLabels" . | nindent 4 }}
|
|
@ -0,0 +1,18 @@
|
|||
{{- if .Values.serviceAccount.create -}}
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
name: {{ include "aws-load-balancer-controller.serviceAccountName" . }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
{{- include "aws-load-balancer-controller.labels" . | nindent 4 }}
|
||||
{{- with .Values.serviceAccount.annotations }}
|
||||
annotations:
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }}
|
||||
{{- with .Values.serviceAccount.imagePullSecrets }}
|
||||
imagePullSecrets:
|
||||
{{ toYaml . }}
|
||||
{{- end }}
|
||||
{{- end -}}
|
|
@ -0,0 +1,35 @@
|
|||
{{- if.Values.serviceMonitor.enabled -}}
|
||||
apiVersion: monitoring.coreos.com/v1
|
||||
kind: ServiceMonitor
|
||||
metadata:
|
||||
name: {{ include "aws-load-balancer-controller.fullname" . }}
|
||||
{{- if .Values.serviceMonitor.namespace }}
|
||||
namespace: {{ .Values.serviceMonitor.namespace }}
|
||||
{{- else }}
|
||||
namespace: {{ .Release.Namespace | quote }}
|
||||
{{- end }}
|
||||
labels:
|
||||
{{- include "aws-load-balancer-controller.labels" . | nindent 4 }}
|
||||
{{- with .Values.serviceMonitor.additionalLabels }}
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
jobLabel: {{ .Release.Name }}
|
||||
namespaceSelector:
|
||||
matchNames:
|
||||
- {{ .Release.Namespace }}
|
||||
selector:
|
||||
matchLabels:
|
||||
{{- include "aws-load-balancer-controller.selectorLabels" . | nindent 6 }}
|
||||
matchExpressions:
|
||||
- key: prometheus.io/service-monitor
|
||||
operator: NotIn
|
||||
values:
|
||||
- "false"
|
||||
endpoints:
|
||||
- port: metrics-server
|
||||
path: /metrics
|
||||
{{- with .Values.serviceMonitor.interval }}
|
||||
interval: {{ . }}
|
||||
{{- end }}
|
||||
{{- end -}}
|
|
@ -0,0 +1,240 @@
|
|||
{{ $tls := fromYaml ( include "aws-load-balancer-controller.webhookCerts" . ) }}
|
||||
---
|
||||
apiVersion: admissionregistration.k8s.io/v1
|
||||
kind: MutatingWebhookConfiguration
|
||||
metadata:
|
||||
{{- if $.Values.enableCertManager }}
|
||||
annotations:
|
||||
cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ template "aws-load-balancer-controller.namePrefix" . }}-serving-cert
|
||||
{{- end }}
|
||||
name: {{ include "aws-load-balancer-controller.namePrefix" . }}-webhook
|
||||
labels:
|
||||
{{- include "aws-load-balancer-controller.labels" . | nindent 4 }}
|
||||
webhooks:
|
||||
- clientConfig:
|
||||
{{ if not $.Values.enableCertManager -}}
|
||||
caBundle: {{ $tls.caCert }}
|
||||
{{ end }}
|
||||
service:
|
||||
name: {{ template "aws-load-balancer-controller.webhookService" . }}
|
||||
namespace: {{ $.Release.Namespace }}
|
||||
path: /mutate-v1-pod
|
||||
failurePolicy: Fail
|
||||
name: mpod.elbv2.k8s.aws
|
||||
admissionReviewVersions:
|
||||
- v1beta1
|
||||
namespaceSelector:
|
||||
matchExpressions:
|
||||
{{ if .Values.webhookNamespaceSelectors }}
|
||||
{{ toYaml .Values.webhookNamespaceSelectors | nindent 4 }}
|
||||
{{ else }}
|
||||
- key: elbv2.k8s.aws/pod-readiness-gate-inject
|
||||
operator: In
|
||||
values:
|
||||
- enabled
|
||||
{{ end }}
|
||||
objectSelector:
|
||||
matchExpressions:
|
||||
- key: app.kubernetes.io/name
|
||||
operator: NotIn
|
||||
values:
|
||||
- {{ include "aws-load-balancer-controller.name" . }}
|
||||
{{- if .Values.objectSelector.matchExpressions }}
|
||||
{{- toYaml .Values.objectSelector.matchExpressions | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- if .Values.objectSelector.matchLabels }}
|
||||
matchLabels:
|
||||
{{- toYaml .Values.objectSelector.matchLabels | nindent 6 }}
|
||||
{{- end }}
|
||||
rules:
|
||||
- apiGroups:
|
||||
- ""
|
||||
apiVersions:
|
||||
- v1
|
||||
operations:
|
||||
- CREATE
|
||||
resources:
|
||||
- pods
|
||||
sideEffects: None
|
||||
{{- if .Values.enableServiceMutatorWebhook }}
|
||||
- clientConfig:
|
||||
{{ if not $.Values.enableCertManager -}}
|
||||
caBundle: {{ $tls.caCert }}
|
||||
{{ end }}
|
||||
service:
|
||||
name: {{ template "aws-load-balancer-controller.webhookService" . }}
|
||||
namespace: {{ $.Release.Namespace }}
|
||||
path: /mutate-v1-service
|
||||
failurePolicy: Fail
|
||||
name: mservice.elbv2.k8s.aws
|
||||
admissionReviewVersions:
|
||||
- v1beta1
|
||||
objectSelector:
|
||||
matchExpressions:
|
||||
- key: app.kubernetes.io/name
|
||||
operator: NotIn
|
||||
values:
|
||||
- {{ include "aws-load-balancer-controller.name" . }}
|
||||
rules:
|
||||
- apiGroups:
|
||||
- ""
|
||||
apiVersions:
|
||||
- v1
|
||||
operations:
|
||||
- CREATE
|
||||
resources:
|
||||
- services
|
||||
sideEffects: None
|
||||
{{- end }}
|
||||
- clientConfig:
|
||||
{{ if not $.Values.enableCertManager -}}
|
||||
caBundle: {{ $tls.caCert }}
|
||||
{{ end }}
|
||||
service:
|
||||
name: {{ template "aws-load-balancer-controller.webhookService" . }}
|
||||
namespace: {{ $.Release.Namespace }}
|
||||
path: /mutate-elbv2-k8s-aws-v1beta1-targetgroupbinding
|
||||
failurePolicy: Fail
|
||||
name: mtargetgroupbinding.elbv2.k8s.aws
|
||||
admissionReviewVersions:
|
||||
- v1beta1
|
||||
rules:
|
||||
- apiGroups:
|
||||
- elbv2.k8s.aws
|
||||
apiVersions:
|
||||
- v1beta1
|
||||
operations:
|
||||
- CREATE
|
||||
- UPDATE
|
||||
resources:
|
||||
- targetgroupbindings
|
||||
sideEffects: None
|
||||
---
|
||||
apiVersion: admissionregistration.k8s.io/v1
|
||||
kind: ValidatingWebhookConfiguration
|
||||
metadata:
|
||||
{{- if $.Values.enableCertManager }}
|
||||
annotations:
|
||||
cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ template "aws-load-balancer-controller.namePrefix" . }}-serving-cert
|
||||
{{- end }}
|
||||
name: {{ include "aws-load-balancer-controller.namePrefix" . }}-webhook
|
||||
labels:
|
||||
{{- include "aws-load-balancer-controller.labels" . | nindent 4 }}
|
||||
webhooks:
|
||||
- clientConfig:
|
||||
{{ if not $.Values.enableCertManager -}}
|
||||
caBundle: {{ $tls.caCert }}
|
||||
{{ end }}
|
||||
service:
|
||||
name: {{ template "aws-load-balancer-controller.webhookService" . }}
|
||||
namespace: {{ $.Release.Namespace }}
|
||||
path: /validate-elbv2-k8s-aws-v1beta1-ingressclassparams
|
||||
failurePolicy: Fail
|
||||
name: vingressclassparams.elbv2.k8s.aws
|
||||
admissionReviewVersions:
|
||||
- v1beta1
|
||||
objectSelector:
|
||||
matchExpressions:
|
||||
- key: app.kubernetes.io/name
|
||||
operator: NotIn
|
||||
values:
|
||||
- {{ include "aws-load-balancer-controller.name" . }}
|
||||
rules:
|
||||
- apiGroups:
|
||||
- elbv2.k8s.aws
|
||||
apiVersions:
|
||||
- v1beta1
|
||||
operations:
|
||||
- CREATE
|
||||
- UPDATE
|
||||
resources:
|
||||
- ingressclassparams
|
||||
sideEffects: None
|
||||
- clientConfig:
|
||||
{{ if not $.Values.enableCertManager -}}
|
||||
caBundle: {{ $tls.caCert }}
|
||||
{{ end }}
|
||||
service:
|
||||
name: {{ template "aws-load-balancer-controller.webhookService" . }}
|
||||
namespace: {{ $.Release.Namespace }}
|
||||
path: /validate-elbv2-k8s-aws-v1beta1-targetgroupbinding
|
||||
failurePolicy: Fail
|
||||
name: vtargetgroupbinding.elbv2.k8s.aws
|
||||
admissionReviewVersions:
|
||||
- v1beta1
|
||||
rules:
|
||||
- apiGroups:
|
||||
- elbv2.k8s.aws
|
||||
apiVersions:
|
||||
- v1beta1
|
||||
operations:
|
||||
- CREATE
|
||||
- UPDATE
|
||||
resources:
|
||||
- targetgroupbindings
|
||||
sideEffects: None
|
||||
- clientConfig:
|
||||
{{ if not $.Values.enableCertManager -}}
|
||||
caBundle: {{ $tls.caCert }}
|
||||
{{ end }}
|
||||
service:
|
||||
name: {{ template "aws-load-balancer-controller.webhookService" . }}
|
||||
namespace: {{ $.Release.Namespace }}
|
||||
path: /validate-networking-v1-ingress
|
||||
failurePolicy: Fail
|
||||
matchPolicy: Equivalent
|
||||
name: vingress.elbv2.k8s.aws
|
||||
admissionReviewVersions:
|
||||
- v1beta1
|
||||
rules:
|
||||
- apiGroups:
|
||||
- networking.k8s.io
|
||||
apiVersions:
|
||||
- v1
|
||||
operations:
|
||||
- CREATE
|
||||
- UPDATE
|
||||
resources:
|
||||
- ingresses
|
||||
sideEffects: None
|
||||
---
|
||||
{{- if not $.Values.enableCertManager }}
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: {{ template "aws-load-balancer-controller.webhookCertSecret" . }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
{{ include "aws-load-balancer-controller.labels" . | indent 4 }}
|
||||
type: kubernetes.io/tls
|
||||
data:
|
||||
ca.crt: {{ $tls.caCert }}
|
||||
tls.crt: {{ $tls.clientCert }}
|
||||
tls.key: {{ $tls.clientKey }}
|
||||
{{- else }}
|
||||
apiVersion: cert-manager.io/v1
|
||||
kind: Certificate
|
||||
metadata:
|
||||
name: {{ template "aws-load-balancer-controller.namePrefix" . }}-serving-cert
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
{{ include "aws-load-balancer-controller.labels" . | indent 4 }}
|
||||
spec:
|
||||
dnsNames:
|
||||
- {{ template "aws-load-balancer-controller.webhookService" . }}.{{ .Release.Namespace }}.svc
|
||||
- {{ template "aws-load-balancer-controller.webhookService" . }}.{{ .Release.Namespace }}.svc.{{ .Values.cluster.dnsDomain }}
|
||||
issuerRef:
|
||||
kind: Issuer
|
||||
name: {{ template "aws-load-balancer-controller.namePrefix" . }}-selfsigned-issuer
|
||||
secretName: {{ template "aws-load-balancer-controller.webhookCertSecret" . }}
|
||||
---
|
||||
apiVersion: cert-manager.io/v1
|
||||
kind: Issuer
|
||||
metadata:
|
||||
name: {{ template "aws-load-balancer-controller.namePrefix" . }}-selfsigned-issuer
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
{{ include "aws-load-balancer-controller.labels" . | indent 4 }}
|
||||
spec:
|
||||
selfSigned: {}
|
||||
{{- end }}
|