├── README.md ├── app-configs ├── Production │ └── colors-production.default.yaml ├── README.md └── Staging │ ├── colors-staging.default.yaml │ ├── demo-app.demo-app.yaml │ └── guestbook-staging.appset.yaml └── manifests ├── README.md ├── ambassador ├── README.md └── base │ ├── .helmignore │ ├── CHANGELOG.md │ ├── CONTRIBUTING.md │ ├── Chart.yaml │ ├── Makefile │ ├── README.md │ ├── ci │ ├── 01-psp-values.yaml │ ├── 02-oss-values.yaml │ ├── 05-auth-disabled-values.yaml │ ├── 06-hpa-values.yaml │ ├── 08-single-namespace-values.yaml │ ├── 09-redis-false-values.yaml │ ├── 12-daemonset-values.yaml │ ├── 13-rl-disabled-values.yaml │ ├── 14-deployment-labels.yaml │ ├── 15-test-resolvers.yaml │ ├── common.sh │ ├── push_chart.sh │ └── tests │ │ └── manifests │ │ ├── backend.yaml │ │ ├── ci-default-values.yaml │ │ ├── helm-init.yaml │ │ ├── helm2-values.yaml │ │ └── tls.yaml │ ├── crds │ ├── filter.yaml │ ├── filterpolicy.yaml │ ├── getambassador.io_authservices.yaml │ ├── getambassador.io_consulresolvers.yaml │ ├── getambassador.io_devportals.yaml │ ├── getambassador.io_hosts.yaml │ ├── getambassador.io_kubernetesendpointresolvers.yaml │ ├── getambassador.io_kubernetesserviceresolvers.yaml │ ├── getambassador.io_logservices.yaml │ ├── getambassador.io_mappings.yaml │ ├── getambassador.io_modules.yaml │ ├── getambassador.io_ratelimitservices.yaml │ ├── getambassador.io_tcpmappings.yaml │ ├── getambassador.io_tlscontexts.yaml │ ├── getambassador.io_tracingservices.yaml │ ├── project.yaml │ ├── projectcontroller.yaml │ ├── projectrevision.yaml │ └── ratelimit.yaml │ ├── ct.yaml │ ├── templates │ ├── NOTES.txt │ ├── _helpers.tpl │ ├── admin-service.yaml │ ├── aes-agent.yaml │ ├── aes-authservice.yaml │ ├── aes-injector.yaml │ ├── aes-internal.yaml │ ├── aes-ratelimit.yaml │ ├── aes-redis.yaml │ ├── aes-resolvers.yaml │ ├── aes-secret.yaml │ ├── config.yaml │ ├── crd-delete.yaml │ ├── crds-rbac.yaml │ ├── crds.yaml │ ├── deployment.yaml │ ├── exporter-config.yaml │ ├── hpa.yaml 
│ ├── pdb.yaml │ ├── podsecuritypolicy.yaml │ ├── projects-rbac.yaml │ ├── projects.yaml │ ├── rbac.yaml │ ├── service.yaml │ ├── serviceaccount.yaml │ ├── servicemonitor.yaml │ ├── tests │ │ └── test-ready.yaml │ ├── traffic-agent-rbac.yaml │ └── traffic-manager.yaml │ └── values.yaml ├── canary-app-timed ├── README.md └── base │ ├── host.yaml │ ├── mapping.yaml │ ├── resolver.yaml │ ├── rollout.yaml │ └── service.yaml └── colors ├── README.md ├── base ├── host.yaml ├── kustomization.yaml ├── mapping.yaml ├── resolver.yaml ├── rollout.yaml └── service.yaml ├── production ├── kustomization.yaml └── prod.yaml └── staging ├── kustomization.yaml └── staging.yaml /README.md: -------------------------------------------------------------------------------- 1 | # OSS Applications 2 | 3 | This is a GitOps repo that acts as the source of truth for the open source team at Codefresh demoing GitOps apps. 4 | 5 | # Directory Structure 6 | 7 | ```bash 8 | ├── README.md 9 | ├── app-configs 10 | │   ├── Production 11 | │   ├── Staging 12 | │   └── README.md 13 | └── manifests 14 | ├── README.md 15 | └── application-name 16 | ├── base 17 | ├── production 18 | └── staging 19 | ``` 20 | 21 | 22 | # Useful Links about Codefresh, Argo, and GitOps 23 | * [Codefresh GitOps](https://codefresh.io/product/) 24 | * [About Argo CD](https://codefresh.io/learn/argo-cd/) 25 | * [About Argo Rollouts](https://codefresh.io/learn/argo-rollouts/) 26 | * [About GitOps Directory Structures](https://codefresh.io/blog/how-to-model-your-gitops-environments-and-promote-releases-between-them/) 27 | * [Open GitOps](https://opengitops.dev/) 28 | * [GitOps Certification and Training for Argo CD](https://codefresh.io/argo/get-certified) -------------------------------------------------------------------------------- /app-configs/Production/colors-production.default.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: argoproj.io/v1alpha1 2 | kind: Application 3 
| metadata: 4 | name: colors-prod-91322 5 | spec: 6 | project: default 7 | source: 8 | path: manifests/colors/production 9 | repoURL: 'https://github.com/todaywasawesome/oss-apps.git' 10 | targetRevision: HEAD 11 | destination: 12 | name: oss-prod 13 | namespace: colors 14 | syncPolicy: 15 | automated: 16 | prune: true 17 | selfHeal: true 18 | syncOptions: 19 | - PrunePropagationPolicy=foreground 20 | - Replace=false 21 | - PruneLast=false 22 | - Validate=true 23 | - CreateNamespace=true 24 | - ApplyOutOfSyncOnly=false -------------------------------------------------------------------------------- /app-configs/README.md: -------------------------------------------------------------------------------- 1 | # Application Configurations 2 | 3 | This folder contains sub-folders that each represent a target environment. Each target environment can have additional sub-folders for namespaces, team organization, app-of-apps groupings, etc. All app configs added to the Staging and Production folders are deployed automatically. The Application manifests in these folders also enable `syncPolicy.automated` with `prune` and `selfHeal` and track `targetRevision: HEAD`, so a change merged to a source repository is applied to the cluster without a manual sync step. 
-------------------------------------------------------------------------------- /app-configs/Staging/colors-staging.default.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: argoproj.io/v1alpha1 2 | kind: Application 3 | metadata: 4 | name: color-staging-91322 5 | spec: 6 | project: default 7 | source: 8 | path: manifests/colors/staging 9 | repoURL: 'https://github.com/todaywasawesome/oss-apps.git' 10 | targetRevision: HEAD 11 | destination: 12 | name: oss-staging 13 | namespace: colors 14 | syncPolicy: 15 | automated: 16 | prune: true 17 | selfHeal: true 18 | syncOptions: 19 | - PrunePropagationPolicy=foreground 20 | - Replace=false 21 | - PruneLast=false 22 | - Validate=true 23 | - CreateNamespace=true 24 | - ApplyOutOfSyncOnly=false -------------------------------------------------------------------------------- /app-configs/Staging/demo-app.demo-app.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: argoproj.io/v1alpha1 2 | kind: Application 3 | metadata: 4 | name: autopilotdemo-app-staging-91322 5 | spec: 6 | project: default 7 | source: 8 | path: examples/demo-app 9 | repoURL: https://github.com/argoproj-labs/argocd-autopilot/ 10 | targetRevision: HEAD 11 | destination: 12 | name: oss-staging 13 | namespace: demo-app 14 | syncPolicy: 15 | automated: 16 | prune: true 17 | selfHeal: true 18 | syncOptions: 19 | - PrunePropagationPolicy=foreground 20 | - Replace=false 21 | - PruneLast=false 22 | - Validate=true 23 | - CreateNamespace=true 24 | - ApplyOutOfSyncOnly=false 25 | -------------------------------------------------------------------------------- /app-configs/Staging/guestbook-staging.appset.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: argoproj.io/v1alpha1 2 | kind: ApplicationSet 3 | metadata: 4 | name: guestbook-staging-91322 5 | spec: 6 | generators: 7 | - list: 8 | elements: 9 | - cluster: 
prod 10 | name: oss-staging 11 | template: 12 | metadata: 13 | name: '{{cluster}}-guestbook' 14 | spec: 15 | project: default 16 | destination: 17 | name: '{{name}}' 18 | namespace: '{{cluster}}-guestbook' 19 | source: 20 | repoURL: https://github.com/argoproj/argo-cd.git 21 | targetRevision: HEAD 22 | path: applicationset/examples/list-generator/guestbook/engineering-prod 23 | syncPolicy: 24 | automated: 25 | prune: true 26 | selfHeal: true 27 | syncOptions: 28 | - CreateNamespace=true 29 | - PruneLast=false 30 | - Validate=true -------------------------------------------------------------------------------- /manifests/README.md: -------------------------------------------------------------------------------- 1 | # Manifests 2 | 3 | Each folder contains all of the manifests and supporting materials needed to deploy an application to dev, staging, or production, with a sub-folder for each environment. -------------------------------------------------------------------------------- /manifests/ambassador/README.md: -------------------------------------------------------------------------------- 1 | # Ambassador 2 | app repo: https://github.com/codefresh-contrib/gitops-certification-examples/tree/main/ambassador-chart 3 | 4 | ## About Ambassador 5 | This chart bootstraps an [Ambassador deployment](https://www.getambassador.io/) on a Kubernetes cluster using the Helm package manager. -------------------------------------------------------------------------------- /manifests/ambassador/base/.helmignore: -------------------------------------------------------------------------------- 1 | # Patterns to ignore when building packages. 2 | # This supports shell glob matching, relative path matching, and 3 | # negation (prefixed with !). Only one pattern per line. 
4 | .DS_Store 5 | # Common VCS dirs 6 | .git/ 7 | .gitignore 8 | .bzr/ 9 | .bzrignore 10 | .hg/ 11 | .hgignore 12 | .svn/ 13 | # Common backup files 14 | *.swp 15 | *.bak 16 | *.tmp 17 | *~ 18 | # Various IDEs 19 | .project 20 | .idea/ 21 | *.tmproj 22 | .vscode/ 23 | OWNERS 24 | -------------------------------------------------------------------------------- /manifests/ambassador/base/CHANGELOG.md: -------------------------------------------------------------------------------- 1 | # Change Log 2 | 3 | This file documents all notable changes to the Ambassador Helm Chart. The release 4 | numbering uses [semantic versioning](http://semver.org). 5 | 6 | ## Next Release 7 | 8 | ## v6.6.3 9 | 10 | - Update Ambassador to version 1.12.3: [CHANGELOG](https://github.com/datawire/ambassador/blob/master/CHANGELOG.md) 11 | 12 | ## v6.6.2 13 | 14 | - Update Ambassador to version 1.12.2: [CHANGELOG](https://github.com/datawire/ambassador/blob/master/CHANGELOG.md) 15 | 16 | ## v6.6.1 17 | 18 | - Fix metadata field in ConsulResolver 19 | - Make resolvers available to OSS 20 | 21 | ## v6.6.0 22 | 23 | - Update Ambassador to version 1.12.1: [CHANGELOG](https://github.com/datawire/ambassador/blob/master/CHANGELOG.md) 24 | - Feature: Apply Ambassador Agent deployment by default to enable Service Catalog reporting (https://app.getambassador.io) 25 | 26 | ## v6.5.22 27 | 28 | - Bugfix: Disable the cloud agent by default. The agent will be enabled in 6.6.0. 29 | - Bugfix: Adds a check to prevent the cloud agent from being installed if AES version is less than 1.12.0 30 | 31 | ## v6.5.21 32 | 33 | - Update Ambassador to version 1.12.0: [CHANGELOG](https://github.com/datawire/ambassador/blob/master/CHANGELOG.md) 34 | - Feature: Add support for the ambassador-agent, reporting to Service Catalog (https://app.getambassador.io) 35 | - Feature: All services are automatically instrumented with discovery annotations. 
36 | 37 | ## v6.5.20 38 | 39 | - Update Ambassador to version v1.11.2: [CHANGELOG](https://github.com/datawire/ambassador/blob/master/CHANGELOG.md) 40 | 41 | ## v6.5.19 42 | 43 | - Make all `livenessProbe` and `readinessProbe` configurations available to the values file 44 | 45 | ## v6.5.18 46 | 47 | - Update Ambassador to version v1.11.1: [CHANGELOG](https://github.com/datawire/ambassador/blob/master/CHANGELOG.md) 48 | 49 | ## v6.5.17 50 | 51 | - Update Ambassador to version v1.11.0: [CHANGELOG](https://github.com/datawire/ambassador/blob/master/CHANGELOG.md) 52 | - Bugfix: Fix Mapping definition to correctly support labels in use. 53 | 54 | ## v6.5.16 55 | 56 | - Bugfix: Ambassador CRD cleanup will now execute as expected. 57 | 58 | ## v6.5.15 59 | 60 | - Bugfix: Ambassador RBAC now includes permissions for IngressClasses. 61 | 62 | ## v6.5.14 63 | 64 | - Update for Ambassador v1.10.0 65 | 66 | ## v6.5.13 67 | 68 | - Update for Ambassador v1.9.1 69 | 70 | ## v6.5.12 71 | 72 | - Feature: Add ability to configure `terminationGracePeriodSeconds` for the Ambassador container 73 | - Update for Ambassador v1.9.0 74 | 75 | ## v6.5.11 76 | 77 | - Feature: add affinity and tolerations support for redis pods 78 | 79 | ## v6.5.10 80 | 81 | - Update Ambassador to version 1.8.1: [CHANGELOG](https://github.com/datawire/ambassador/blob/master/CHANGELOG.md) 82 | 83 | ## v6.5.9 84 | 85 | - Update Ambassador to version 1.8.0: [CHANGELOG](https://github.com/datawire/ambassador/blob/master/CHANGELOG.md) 86 | - Bugfix: The RBAC for AES now grants permission to "patch" Events.v1.core. Previously it granted "create" but not "patch". 
87 | 88 | ## v6.5.8 89 | 90 | - Update Ambassador to version 1.7.4: [CHANGELOG](https://github.com/datawire/ambassador/blob/master/CHANGELOG.md) 91 | 92 | ## v6.5.7 93 | 94 | - Update Ambassador to version 1.7.3: [CHANGELOG](https://github.com/datawire/ambassador/blob/master/CHANGELOG.md) 95 | - The BusyBox image image used by `test-ready` is now configurable (thanks, [Alan Silva](https://github.com/OmegaVVeapon)!) 96 | 97 | ## v6.5.6 98 | 99 | - Update Ambassador to version 1.7.2: [CHANGELOG](https://github.com/datawire/ambassador/blob/master/CHANGELOG.md) 100 | - Feature: Allow overriding the namespace for the release using the values file: [ambassador-chart/#122](https://github.com/datawire/ambassador-chart/pull/122) 101 | 102 | ## v6.5.5 103 | 104 | - Allow hyphens in service annotations: [CHANGELOG](https://github.com/datawire/ambassador/blob/master/CHANGELOG.md) 105 | 106 | ## v6.5.4 107 | 108 | - Upgrade Ambassador to version 1.7.1: [CHANGELOG](https://github.com/datawire/ambassador/blob/master/CHANGELOG.md) 109 | 110 | ## v6.5.3 111 | 112 | - Upgrade Ambassador to version 1.7.0: [CHANGELOG](https://github.com/datawire/ambassador/blob/master/CHANGELOG.md) 113 | 114 | ## v6.5.2 115 | 116 | - Feature: Add support for DaemonSet/Deployment labels: [ambassador-chart/#114](https://github.com/datawire/ambassador-chart/pull/114) 117 | - Upgrade Ambassador to version 1.6.2: [CHANGELOG](https://github.com/datawire/ambassador/blob/master/CHANGELOG.md) 118 | 119 | ## v6.5.1 120 | 121 | - Upgrade Ambassador to version 1.6.1: [CHANGELOG](https://github.com/datawire/ambassador/blob/master/CHANGELOG.md) 122 | 123 | ## v6.5.0 124 | 125 | - Upgrade Ambassador to version 1.6.0: [CHANGELOG}](https://github.com/datawire/ambassador/blob/master/CHANGELOG.md) 126 | 127 | ## v6.4.10 128 | 129 | - Feature: Allow specifying annotations for the license-key-secret: [ambassador-chart/#106](https://github.com/datawire/ambassador-chart/issues/106) 130 | - Feature: Annotation for keeping 
the AES secret on removal: [ambassador-chart/#110](https://github.com/datawire/ambassador-chart/issues/110) 131 | - Fix: do not mount the secret if we do not want a secret: [ambassador-chart/#103](https://github.com/datawire/ambassador-chart/issues/103) 132 | - Internal CI refactorings. 133 | 134 | ## v6.4.9 135 | 136 | - BugFix: Cannot specify podSecurityPolicies: [ambassador-chart/#97](https://github.com/datawire/ambassador-chart/issues/97) 137 | 138 | ## v6.4.8 139 | 140 | - Upgrade Ambassador to version 1.5.5: [CHANGELOG](https://github.com/datawire/ambassador/blob/master/CHANGELOG.md) 141 | 142 | ## v6.4.7 143 | 144 | - BugFix: Registry service is now using the proper `app.kubernetes.io/name` 145 | - BugFix: Restore ability to set `REDIS` env vars in `env` instead of `redisEnv` 146 | - Feature: Add `envRaw` to support supplying raw yaml for environment variables. Deprecates `redisEnv`. 147 | 148 | ## v6.4.6 149 | 150 | - Upgrade Ambassador to version 1.5.4: [CHANGELOG](https://github.com/datawire/ambassador/blob/master/CHANGELOG.md) 151 | - Added support setting external IPs for the ambassador service (thanks, [Jason Smith](https://github.com/jasons42)!) 152 | 153 | ## v6.4.5 154 | 155 | - Upgrade Ambassador to version 1.5.3: [CHANGELOG](https://github.com/datawire/ambassador/blob/master/CHANGELOG.md) 156 | 157 | ## v6.4.4 158 | 159 | - Feature flag for enabling or disabling the [`Project` registry](https://www.getambassador.io/docs/latest/topics/using/projects/) 160 | - redisEnv for setting environment variables to control how Ambassador interacts with redis. 
See [redis environment](https://www.getambassador.io/docs/latest/topics/running/environment/#redis) 161 | 162 | ## v6.4.3 163 | 164 | - Upgrade Ambassador to version 1.5.2: [CHANGELOG](https://github.com/datawire/ambassador/blob/master/CHANGELOG.md) 165 | 166 | ## v6.4.2 167 | 168 | - Upgrade Ambassador to version 1.5.1: [CHANGELOG](https://github.com/datawire/ambassador/blob/master/CHANGELOG.md) 169 | 170 | ## v6.4.1 171 | 172 | - BugFix: The `PodSecurityPolicy` should not be created by default since it is a cluster-wide resource that should only be created once. 173 | 174 | If you would like to use the default `PodSecurityPolicy`, make sure `security.podSecurityPolicy` is unset in all other releases. 175 | 176 | ## v6.4.0 177 | 178 | - Upgrade Ambassador to version 1.5.0: [CHANGELOG](https://github.com/datawire/ambassador/blob/master/CHANGELOG.md) 179 | - AuthService and RateLimitService are now installed in the same namespace as Ambassador. 180 | - Changes RBAC permissions to better support single-namespace installations and detecting getambassador.io CRDs. 181 | - Add option to install Service Preview components (traffic-manager, traffic-agent). 182 | - Add option to install ambassador-injector, alongside Service Preview. 183 | - Add additional security policy configurations. 184 | 185 | `securityContext` has been deprecated in favor of `security`, which allows you to set container and pod security contexts as well as a default `PodSecurityPolicy`. 
186 | 187 | ## v6.3.6 188 | 189 | - Switch from Quay.io to DockerHub 190 | 191 | ## v6.3.5 192 | 193 | - Upgrade Ambassador to version 1.4.3: [CHANGELOG}](https://github.com/datawire/ambassador/blob/master/CHANGELOG.md) 194 | 195 | ## v6.3.4 196 | 197 | - Minor bug fixes 198 | 199 | ## v6.3.3 200 | 201 | - Add extra labels to ServiceMonitor: [CHANGELOG}](https://github.com/datawire/ambassador/blob/master/CHANGELOG.md) 202 | 203 | ## v6.3.2 204 | 205 | - Upgrade Ambassador to version 1.4.2: [CHANGELOG}](https://github.com/datawire/ambassador/blob/master/CHANGELOG.md) 206 | 207 | ## v6.3.1 208 | 209 | - Upgrade Ambassador to version 1.4.1: [CHANGELOG}](https://github.com/datawire/ambassador/blob/master/CHANGELOG.md) 210 | 211 | ## v6.3.0 212 | 213 | - Adds: Option to create a ServiceMonitor for scraping via Prometheus Operator 214 | 215 | ## v6.2.5 216 | 217 | - Upgrade Ambassador to version 1.4.0: [CHANGELOG}](https://github.com/datawire/ambassador/blob/master/CHANGELOG.md) 218 | 219 | ## v6.2.4 220 | 221 | - Fix typing so that Helm3 doesn't complain (thanks, [Fabrice Rabaute](https://github.com/jfrabaute)!) 222 | 223 | ## v6.2.3 224 | 225 | - Upgrade Ambassador to version 1.3.2. 226 | - Use explicit types for things like ports, so that things like `helm .. --set service.ports[0].port=80` will be integers instead of ending up as strings 227 | 228 | ## v6.2.2 229 | 230 | - Upgrade Ambassador to version 1.3.1. 231 | - Remove unnecessary `version` field from CRDs. 232 | - Add static label to AES resources, to better support `edgectl install` 233 | 234 | ## v6.2.1 235 | 236 | - Upgrade Ambassador to version 1.3.0. 237 | 238 | ## v6.2.0 239 | 240 | - Add option to not create DevPortal routes 241 | 242 | ## v6.1.5 243 | 244 | - Upgrade Ambassador to version 1.2.2. 245 | 246 | ## v6.1.4 247 | 248 | - Upgrade from Ambassador 1.2.0 to 1.2.1. 249 | 250 | ## v6.1.3 251 | 252 | - Upgrade from Ambassador 1.1.1 to 1.2.0. 
253 | 254 | ## v6.1.2 255 | 256 | - Upgrade from Ambassador 1.1.0 to 1.1.1. 257 | 258 | ## v6.1.1 259 | 260 | Minor Improvements: 261 | 262 | - Adds: Option to override the name of the RBAC resources 263 | 264 | ## v6.1.0 265 | 266 | Minor improvements including: 267 | 268 | - Adds: Option to set `restartPolicy` 269 | - Adds: Option to give the AES license key secret a custom name 270 | - Fixes: Assumption that the AES will be installed only from the `datawire/aes` repository. The `enableAES` flag now configures whether the AES is installed. 271 | - Clarification on how to install OSS 272 | 273 | ## v6.0.0 274 | 275 | Introduces Ambassador Edge Stack being installed by default. 276 | 277 | ### Breaking changes 278 | 279 | Ambassador Pro support has been removed in 6.0.0. Please upgrade to the Ambassador Edge Stack. 280 | 281 | ## v5.0.0 282 | 283 | ### Breaking changes 284 | 285 | **Note** If upgrading an existing helm 2 installation no action is needed, previously installed CRDs will not be modified. 286 | 287 | - Helm 3 support for CRDs was added. Specifically, the CRD templates were moved to non-templated files in the `/crds` directory, and to keep Helm 2 support they are globbed from there by `/templates/crds.yaml`. However, because Helm 3 CRDs are not templated, the labels for new installations have necessarily changed 288 | 289 | ## v4.0.0 290 | 291 | ### Breaking Changes 292 | 293 | - Introduces the performance tuned and certified build of open source Ambassador, Ambassador core 294 | - The license key is now stored and read from a Kubernetes secret by default 295 | - Added `.Values.pro.licenseKey.secret.enabled` `.Values.pro.licenseKey.secret.create` fields to allow multiple releases in the same namespace to use the same license key secret. 
296 | 297 | ### Minor Changes 298 | 299 | - Introduces the ability to configure resource limits for both Ambassador Pro and its redis instance 300 | - Introduces the ability to configure additional `AuthService` options (see [AuthService documentation](https://www.getambassador.io/reference/services/auth-service/)) 301 | - The ambassador-pro-auth `AuthService` and ambassador-pro-ratelimit `RateLimitService` are now created as CRDs when `.Values.crds.enabled: true` 302 | - Fixed misnamed selector for redis instance that failed in an edge case 303 | - Exposes annotations for redis deployment and service 304 | 305 | ## v3.0.0 306 | 307 | ### Breaking Changes 308 | 309 | - The default annotation has been removed. The service port will be set dynamically to 8080 or 8443 for http and https respectively. 310 | - `service.http`, `service.https`, and `additionalTCPPort` have been replaced with `service.ports`. 311 | - `rbac.namespaced` has been removed. Use `scope.singleNamespace` instead. 312 | 313 | ### Minor Changes 314 | 315 | - Ambassador Pro will pick up when `AMBASSADOR_ID` is set in `.Values.env` [[#15025]](https://github.com/helm/charts/issues/15025). 316 | - `{{release name}}-admins` has been renamed to `{{release name}}-admin` to match YAML install templates 317 | - RBAC configuration has been updated to allow for CRD use when `scope.singleNamespace: true`. [[ambassador/#1576]](https://github.com/datawire/ambassador/issues/1576) 318 | - RBAC configuration now allows for multiple Ambassadors to use CRDs. Set `crds.enabled` in releases that expect CRDs [[ambassador/#1679]](https://github.com/datawire/ambassador/issues/1679) 319 | 320 | ## v2.6.0 321 | 322 | ### Minor Changes 323 | 324 | - Add ambassador CRDs! 325 | - Update ambassador to 0.70.0 326 | 327 | ## v2.5.1 328 | 329 | ### Minor Changes 330 | 331 | - Update ambassador to 0.61.1 332 | 333 | ## v2.5.0 334 | 335 | ### Minor Changes 336 | 337 | - Add support for autoscaling using HPA, see `autoscaling` values. 
338 | 339 | ## v2.4.1 340 | 341 | ### Minor Changes 342 | 343 | - Update ambassador to 0.61.0 344 | 345 | ## v2.4.0 346 | 347 | ### Minor Changes 348 | 349 | - Allow configuring `hostNetwork` and `dnsPolicy` 350 | 351 | ## v2.3.1 352 | 353 | ### Minor Changes 354 | 355 | - Adds HOST_IP environment variable 356 | 357 | ## v2.3.0 358 | 359 | ### Minor Changes 360 | 361 | - Adds support for init containers using `initContainers` and pod labels `podLabels` 362 | 363 | ## v2.2.5 364 | 365 | ### Minor Changes 366 | 367 | - Update ambassador to 0.60.3 368 | 369 | ## v2.2.4 370 | 371 | ### Minor Changes 372 | 373 | - Add support for Ambassador PRO [see readme](https://github.com/helm/charts/blob/master/stable/ambassador/README.md#ambassador-pro) 374 | 375 | ## v2.2.3 376 | 377 | ### Minor Changes 378 | 379 | - Update ambassador to 0.60.2 380 | 381 | ## v2.2.2 382 | 383 | ### Minor Changes 384 | 385 | - Update ambassador to 0.60.1 386 | 387 | ## v2.2.1 388 | 389 | ### Minor Changes 390 | 391 | - Fix RBAC for ambassador 0.60.0 392 | 393 | ## v2.2.0 394 | 395 | ### Minor Changes 396 | 397 | - Update ambassador to 0.60.0 398 | 399 | ## v2.1.0 400 | 401 | ### Minor Changes 402 | 403 | - Added `scope.singleNamespace` for configuring ambassador to run in single namespace 404 | 405 | ## v2.0.2 406 | 407 | ### Minor Changes 408 | 409 | - Update ambassador to 0.53.1 410 | 411 | ## v2.0.1 412 | 413 | ### Minor Changes 414 | 415 | - Update ambassador to 0.52.0 416 | 417 | ## v2.0.0 418 | 419 | ### Major Changes 420 | 421 | - Removed `ambassador.id` and `namespace.single` in favor of setting environment variables. 
422 | 423 | ## v1.1.5 424 | 425 | ### Minor Changes 426 | 427 | - Update ambassador to 0.50.3 428 | 429 | ## v1.1.4 430 | 431 | ### Minor Changes 432 | 433 | - support targetPort specification 434 | 435 | ## v1.1.3 436 | 437 | ### Minor Changes 438 | 439 | - Update ambassador to 0.50.2 440 | 441 | ## v1.1.2 442 | 443 | ### Minor Changes 444 | 445 | - Add additional chart maintainer 446 | 447 | ## v1.1.1 448 | 449 | ### Minor Changes 450 | 451 | - Default replicas -> 3 452 | 453 | ## v1.1.0 454 | 455 | ### Minor Changes 456 | 457 | - Allow RBAC to be namespaced (`rbac.namespaced`) 458 | 459 | ## v1.0.0 460 | 461 | ### Major Changes 462 | 463 | - First release of Ambassador Helm Chart in helm/charts 464 | - For migration see [Migrating from datawire/ambassador chart](https://github.com/helm/charts/tree/master/stable/ambassador#migrating-from-datawireambassador-chart-chart-version-0400-or-0500) 465 | -------------------------------------------------------------------------------- /manifests/ambassador/base/CONTRIBUTING.md: -------------------------------------------------------------------------------- 1 | # Contributing to the Ambassador Helm Chart 2 | 3 | This Helm chart is used to install The Ambassador Edge Stack (AES) and is 4 | maintained by Datawire. 5 | 6 | ## Developing 7 | 8 | All work on the helm chart should be done in a separate branch off `master` and 9 | contributed with a Pull Request targeting `master`. 10 | 11 | **Note**: All updates to the chart require you update the `version` in 12 | `Chart.yaml`. 13 | 14 | ## Testing 15 | 16 | The `ci/` directory contains scripts that will be run on PRs to `master`. 17 | 18 | - `ci/run_tests.sh` will run the tests of the chart. 19 | 20 | ## Releasing 21 | 22 | Releasing a new chart is done by pushing a tag to `master`. Travis will then 23 | run the tests and push the chart to `https://getambassador.io/helm`. 
24 | -------------------------------------------------------------------------------- /manifests/ambassador/base/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | appVersion: 1.12.3 3 | description: A Helm chart for Datawire Ambassador 4 | home: https://www.getambassador.io/ 5 | icon: https://www.getambassador.io/images/logo.png 6 | keywords: 7 | - api gateway 8 | - ambassador 9 | - datawire 10 | - envoy 11 | maintainers: 12 | - email: markus@maga.se 13 | name: flydiverny 14 | - email: flynn@datawire.io 15 | name: kflynn 16 | - email: nkrause@datawire.io 17 | name: nbkrause 18 | - email: lukeshu@datawire.io 19 | name: lukeshu 20 | name: ambassador 21 | sources: 22 | - https://github.com/datawire/ambassador 23 | - https://github.com/prometheus/statsd_exporter 24 | version: 6.6.3 25 | -------------------------------------------------------------------------------- /manifests/ambassador/base/Makefile: -------------------------------------------------------------------------------- 1 | HELM_TEST_IMAGE = quay.io/helmpack/chart-testing:v3.0.0-rc.1 2 | K3D_CLUSTER_NAME = helm-chart-test-cluster 3 | CHART_DIR := $(patsubst %/,%,$(dir $(abspath $(lastword $(MAKEFILE_LIST))))) 4 | KUBECONFIG := /tmp/kubeconfig/k3dconfig 5 | CT_EXEC = docker run --rm -v $(KUBECONFIG):/root/.kube/config -v $(CHART_DIR):/charts --network host $(HELM_TEST_IMAGE) ct 6 | K3D_EXEC := KUBECONFIG=$(KUBECONFIG) k3d 7 | 8 | test-chart: lint-chart preflight-chart-test chart-create-cluster 9 | $(CT_EXEC) install --config /charts/ct.yaml && \ 10 | $(MAKE) chart-delete-cluster 11 | .PHONY: test-chart 12 | 13 | lint-chart: preflight-kubeconfig 14 | $(CT_EXEC) lint --config /charts/ct.yaml 15 | .PHONY: lint-chart 16 | 17 | preflight-chart-test: preflight-kubeconfig 18 | # check if k3d is installed 19 | @if ! 
command -v k3d 2> /dev/null ; then \ 20 | printf 'k3d not installed, plz do that'; \ 21 | false; \ 22 | fi 23 | .PHONY: preflight-chart-test 24 | 25 | preflight-kubeconfig: 26 | mkdir -p `dirname $(KUBECONFIG)` 27 | touch $(KUBECONFIG) 28 | .PHONY: preflight-kubeconfig 29 | 30 | chart-create-cluster: preflight-kubeconfig 31 | $(MAKE) chart-delete-cluster || true 32 | $(K3D_EXEC) cluster create $(K3D_CLUSTER_NAME) --k3s-server-arg "--no-deploy=traefik" 33 | .PHONY: chart-create-cluster 34 | 35 | chart-delete-cluster: 36 | $(K3D_EXEC) cluster delete $(K3D_CLUSTER_NAME) 37 | .PHONY: chart-delete-cluster 38 | -------------------------------------------------------------------------------- /manifests/ambassador/base/ci/01-psp-values.yaml: -------------------------------------------------------------------------------- 1 | security: 2 | # Security Context for all containers in the pod. 3 | # https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#podsecuritycontext-v1-core 4 | podSecurityContext: 5 | runAsUser: 8888 6 | # Security Context for the Ambassador container specifically 7 | # https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#securitycontext-v1-core 8 | containerSecurityContext: 9 | allowPrivilegeEscalation: false 10 | # A basic PodSecurityPolicy to ensure Ambassador is running with appropriate security permissions 11 | # https://kubernetes.io/docs/concepts/policy/pod-security-policy/ 12 | # 13 | # A set of reasonable defaults is outlined below. This is not created by default as it should only 14 | # be created by a one Release. If you want to use the PodSecurityPolicy in the chart, create it in 15 | # the "master" Release and then leave it unset in all others. Set the `rbac.podSecurityPolicies` 16 | # in all non-"master" Releases. 
17 | podSecurityPolicy: 18 | # Add AppArmor and Seccomp annotations 19 | # https://kubernetes.io/docs/concepts/policy/pod-security-policy/#apparmor 20 | annotations: 21 | seccomp.security.alpha.kubernetes.io/defaultProfileName: runtime/default 22 | spec: 23 | seLinux: 24 | rule: RunAsAny 25 | supplementalGroups: 26 | rule: 'MustRunAs' 27 | ranges: 28 | # Forbid adding the root group. 29 | - min: 1 30 | max: 65535 31 | fsGroup: 32 | rule: 'MustRunAs' 33 | ranges: 34 | # Forbid adding the root group. 35 | - min: 1 36 | max: 65535 37 | privileged: false 38 | allowPrivilegeEscalation: false 39 | runAsUser: 40 | rule: MustRunAsNonRoot 41 | -------------------------------------------------------------------------------- /manifests/ambassador/base/ci/02-oss-values.yaml: -------------------------------------------------------------------------------- 1 | # install the Ambassador API Gateway 2 | image: 3 | repository: docker.io/datawire/ambassador 4 | tag: 1.5.5 5 | pullPolicy: IfNotPresent 6 | 7 | enableAES: false 8 | 9 | deploymentStrategy: 10 | type: Recreate 11 | -------------------------------------------------------------------------------- /manifests/ambassador/base/ci/05-auth-disabled-values.yaml: -------------------------------------------------------------------------------- 1 | service: 2 | type: NodePort 3 | 4 | authService: 5 | create: false 6 | 7 | deploymentStrategy: 8 | type: Recreate 9 | -------------------------------------------------------------------------------- /manifests/ambassador/base/ci/06-hpa-values.yaml: -------------------------------------------------------------------------------- 1 | deploymentStrategy: 2 | type: Recreate 3 | 4 | service: 5 | type: NodePort 6 | 7 | autoscaling: 8 | enabled: true 9 | -------------------------------------------------------------------------------- /manifests/ambassador/base/ci/08-single-namespace-values.yaml: -------------------------------------------------------------------------------- 1 | service: 2 | 
type: NodePort 3 | 4 | deploymentStrategy: 5 | type: Recreate 6 | 7 | ## This does not work. Waiting on fix for APro code watching for all namespaces 8 | ## 9 | 10 | # scope: 11 | # singleNamespace: true 12 | 13 | env: 14 | AMBASSADOR_SINGLE_NAMESPACE: true 15 | -------------------------------------------------------------------------------- /manifests/ambassador/base/ci/09-redis-false-values.yaml: -------------------------------------------------------------------------------- 1 | service: 2 | type: NodePort 3 | 4 | redis: 5 | enabled: false 6 | # Annotations for Ambassador Pro's redis instance. 7 | 8 | deploymentStrategy: 9 | type: Recreate 10 | -------------------------------------------------------------------------------- /manifests/ambassador/base/ci/12-daemonset-values.yaml: -------------------------------------------------------------------------------- 1 | service: 2 | type: NodePort 3 | 4 | deploymentStrategy: 5 | type: RollingUpdate 6 | 7 | daemonSet: true 8 | -------------------------------------------------------------------------------- /manifests/ambassador/base/ci/13-rl-disabled-values.yaml: -------------------------------------------------------------------------------- 1 | service: 2 | type: NodePort 3 | 4 | rateLimit: 5 | create: false 6 | 7 | deploymentStrategy: 8 | type: Recreate 9 | -------------------------------------------------------------------------------- /manifests/ambassador/base/ci/14-deployment-labels.yaml: -------------------------------------------------------------------------------- 1 | deploymentLabels: 2 | label: foo 3 | label2: bar 4 | -------------------------------------------------------------------------------- /manifests/ambassador/base/ci/15-test-resolvers.yaml: -------------------------------------------------------------------------------- 1 | resolvers: 2 | endpoint: 3 | create: true 4 | name: endpoint-foo 5 | 6 | consul: 7 | create: true 8 | name: consul-foo 9 | spec: 10 | address: ${HOST_IP} 11 | datacenter: dc1 
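-------------------------------------------------------------------------------- /manifests/ambassador/base/ci/common.sh: --------------------------------------------------------------------------------
#!/bin/bash
#
# Shared helpers for the chart CI scripts: tool locations, coloured logging on
# stderr, and polling helpers that wait for a URL or for pods.
# Meant to be sourced by other scripts rather than executed directly.

# some executables (each can be overridden through KUBECTL, HELM2, HELM3, KUBERNAUT)
EXE_KUBECTL=${KUBECTL:-$HOME/bin/kubectl}
EXE_HELM2=${HELM2:-$HOME/bin/helm2}
EXE_HELM3=${HELM3:-$HOME/bin/helm}
EXE_KUBERNAUT=${KUBERNAUT:-$HOME/bin/kubernaut}

#######################################################################################################

# NOTE(review): bash only expands aliases in non-interactive scripts when
# `shopt -s expand_aliases` is set; nothing in this file sets it.
alias echo_on="{ set -x; }"
alias echo_off="{ set +x; } 2>/dev/null"

# ANSI colour sequences; the backslash escapes are interpreted by printf in log().
RED='\033[1;31m'
GRN='\033[1;32m'
YEL='\033[1;33m'
BLU='\033[1;34m'
WHT='\033[1;37m'
MGT='\033[1;95m'
CYA='\033[1;96m'
END='\033[0m'
BLOCK='\033[1;47m'

# Prints $1 on stderr behind a ">>>" marker.
# The message is passed as a %b argument instead of being spliced into the
# format string, so a '%' in it (for example a URL containing %20) is printed
# literally while the colour escapes are still interpreted.
log() { >&2 printf "${BLOCK}>>>${END} %b\n" "$1"; }

info() { log "${BLU}$1${END}"; }
highlight() { log "${MGT}$1${END}"; }

# Logs $1 in red, or "failed!!!" when no message is given.
failed() { log "${RED}${1:-failed!!!}${END}"; }

# Logs $1 in green, or "done!" when no message is given.
passed() { log "${GRN}${1:-done!}${END}"; }

# Logs $1 and ends the script successfully.
bye() {
  log "${BLU}$1... exiting${END}"
  exit 0
}

warn() { log "${RED}!!! WARNING !!! $1 ${END}"; }

# Logs $1 as fatal and ends the script with status 1.
abort() {
  log "${RED}FATAL: $1${END}"
  exit 1
}

# Succeeds when $1 is an executable path or a command the shell can resolve.
command_exists() {
  [ -x "$1" ] || command -v "$1" >/dev/null 2>&1
}

# Writes $1 to $2 with environment variables expanded by envsubst.
# envsubst expands every exported variable the template references, so the
# template should come from the repository, not from untrusted input.
replace_env_file() {
  info "Replacing env in $1..."
  [ -f "$1" ] || abort "$1 does not exist"
  envsubst < "$1" > "$2"
}

# Succeeds when the URL in $1 answers with a non-error HTTP status.
# SECURITY: -k turns off TLS certificate verification, so a success only shows
# that something answered, not that it was the expected server. Presumably this
# is deliberate for the self-signed CI test certificate (confirm); do not reuse
# this helper to fetch content that is then trusted.
check_url() {
  command_exists curl || abort "curl is not installed"
  curl -L --silent -k --output /dev/null --fail "$1"
}

# Stops the most recently started background job ($!) and reaps it quietly.
kill_background() {
  info "(Stopping background job)"
  kill $!
  wait $! 2>/dev/null
}

# Upper bound, in one-second polls, for the wait_* helpers below.
WAIT_TIMEOUT=60

# Polls the URL in $1 once per second; returns 1 when WAIT_TIMEOUT is exceeded.
wait_url() {
  local url="$1"
  local i=0
  info "Waiting for $url (max $WAIT_TIMEOUT seconds)"
  until [ "$i" -gt "$WAIT_TIMEOUT" ] || check_url "$url" ; do
    info "... still waiting for $url ($i secs passed)"
    i=$((i+1))
    sleep 1
  done
  [ "$i" -le "$WAIT_TIMEOUT" ]
}

# Polls until the first pod matched by the given kubectl selector arguments is
# in phase Running; returns 1 when WAIT_TIMEOUT is exceeded.
# The loop condition used to be `[ $i -gt $WAIT_TIMEOUT ] || <not running>`,
# which kept looping forever once the timeout had passed; it now stops polling
# at the timeout, in line with wait_url.
wait_pod_running() {
  command_exists "$EXE_KUBECTL" || abort "no kubectl available in $EXE_KUBECTL"
  local i=0
  info "Waiting for pod with $*"
  # $@ stays unquoted on purpose: a selector passed as one string such as
  # "-l key=value" relies on word splitting to become two kubectl arguments.
  while [ "$i" -le "$WAIT_TIMEOUT" ] && [ "$($EXE_KUBECTL get po $@ -o jsonpath='{.items[0].status.phase}')" != 'Running' ] ; do
    info "... still waiting ($i secs passed)"
    i=$((i+1))
    sleep 1
  done
  [ "$i" -le "$WAIT_TIMEOUT" ]
}

# Polls until no pod matches the given kubectl selector arguments; returns 1
# when WAIT_TIMEOUT is exceeded (same timeout fix as wait_pod_running).
wait_pod_missing() {
  command_exists "$EXE_KUBECTL" || abort "no kubectl available in $EXE_KUBECTL"
  local i=0
  info "Waiting for pod with $* to disappear"
  # $@ unquoted on purpose, see wait_pod_running.
  while [ "$i" -le "$WAIT_TIMEOUT" ] && [ "$($EXE_KUBECTL get po $@ -o name)" != '' ] ; do
    info "... still waiting ($i secs passed)"
    i=$((i+1))
    sleep 1
  done
  [ "$i" -le "$WAIT_TIMEOUT" ]
}

120 | cleanup () { 121 | info "Cleaning up..." 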
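122 | 123 | $EXE_KUBECTL delete -f $MANIFESTS_DIR/backend.yaml 124 | kill_background 125 | 126 | $EXE_HELM3 uninstall ambassador > /dev/null 127 | $EXE_HELM2 del --purge "ambassador-helm2" 128 | 129 | wait_pod_missing "-l app.kubernetes.io/instance=ambassador" || abort "pod still running" 130 | passed "helm 3 chart uninstalled" 131 | 132 | wait_pod_missing "-l app.kubernetes.io/instance=ambassador-helm2" || abort "pod still running" 133 | passed "helm 2 chart uninstalled" 134 | 135 | rm -rf "$VALUES_DIR" 136 | } 137 | 
-------------------------------------------------------------------------------- /manifests/ambassador/base/ci/push_chart.sh: --------------------------------------------------------------------------------
#!/bin/bash
#
# Packages the Helm chart in the parent directory, merges it into the index
# published at https://getambassador.io/helm and uploads the package and the
# new index to S3.
# Requires AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY; AWS_BUCKET is optional.
# HELM_INSTALLER_SHA256 (optional, introduced here) is the expected SHA-256 of
# the Helm installer script and is checked before the installer is run.

set -e

CURR_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"
[ -d "$CURR_DIR" ] || { echo "FATAL: no current dir (maybe running in zsh?)"; exit 1; }
TOP_DIR=$CURR_DIR/..

# shellcheck source=common.sh
source "$CURR_DIR/common.sh"

#########################################################################################
HELM_VERSION=v3.4.1

if ! command -v helm >/dev/null 2>&1 ; then
  info "Helm doesn't exist, installing helm"
  # The installer is executed in a job that also holds the AWS publishing
  # credentials, so it is fetched from the release tag being installed rather
  # than from the moving master branch, and checked against a pinned digest
  # when one is supplied.
  curl -fsSL -o get_helm.sh "https://raw.githubusercontent.com/helm/helm/${HELM_VERSION}/scripts/get-helm-3"
  if [ -n "$HELM_INSTALLER_SHA256" ] ; then
    echo "${HELM_INSTALLER_SHA256}  get_helm.sh" | sha256sum -c - >/dev/null \
      || abort "get_helm.sh does not match HELM_INSTALLER_SHA256"
  else
    warn "HELM_INSTALLER_SHA256 is not set; running get_helm.sh without an integrity check"
  fi
  chmod 700 get_helm.sh
  ./get_helm.sh --version "$HELM_VERSION"
fi

info "Pushing Helm Chart"
helm package "$TOP_DIR"

# Get name of package. Assignment and export are separate statements so that
# `set -e` sees a failing `ls` (no package was produced).
CHART_PACKAGE=$(ls -- *.tgz)
export CHART_PACKAGE

# The downloaded index is merged into the index that gets published below, so
# it has to arrive over a verified TLS connection: no -k here. --fail stops the
# script on an HTTP error instead of saving the error page as tmp.yaml.
curl -fsSL -o tmp.yaml https://getambassador.io/helm/index.yaml

# NOTE(review): Chart.yaml is read relative to the working directory while the
# chart packaged above is $TOP_DIR; confirm both refer to the same chart.
thisversion=$(grep version charts/ambassador/Chart.yaml | awk ' { print $2 }')

# Refuse to overwrite a chart version that has already been published.
if [[ $(grep -c "version: $thisversion" tmp.yaml || true) != 0 ]]; then
  failed "Chart version $thisversion is already in the index"
  exit 1
fi

helm repo index . --url https://getambassador.io/helm --merge tmp.yaml

AWS_BUCKET=${AWS_BUCKET:-datawire-static-files}

[ -n "$AWS_ACCESS_KEY_ID" ] || abort "AWS_ACCESS_KEY_ID is not set"
[ -n "$AWS_SECRET_ACCESS_KEY" ] || abort "AWS_SECRET_ACCESS_KEY is not set"

info "Pushing chart to S3 bucket $AWS_BUCKET"
for f in "$CHART_PACKAGE" "index.yaml" ; do
  # `set -e` does not stop the script when the left-hand side of `&&` fails, so
  # a failed upload used to fall through to `exit 0`. Abort explicitly so the
  # job cannot report success with a package and an index that disagree.
  aws s3api put-object \
    --bucket "$AWS_BUCKET" \
    --key "ambassador/$f" \
    --body "$f" || abort "pushing ambassador/$f failed"
  passed "... ambassador/$f pushed"
done

info "Cleaning up..."
rm tmp.yaml index.yaml "$CHART_PACKAGE"

exit 0
-------------------------------------------------------------------------------- /manifests/ambassador/base/ci/tests/manifests/backend.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: getambassador.io/v1 3 | kind: Mapping 4 | metadata: 5 | name: quote-backend 6 | spec: 7 | prefix: /backend/ 8 | service: quote 9 | --- 10 | apiVersion: v1 11 | kind: Service 12 | metadata: 13 | name: quote 14 | spec: 15 | ports: 16 | - name: http 17 | port: 80 18 | targetPort: 8080 19 | selector: 20 | app: quote 21 | --- 22 | apiVersion: apps/v1 23 | kind: Deployment 24 | metadata: 25 | name: quote 26 | spec: 27 | replicas: 1 28 | selector: 29 | matchLabels: 30 | app: quote 31 | strategy: 32 | type: RollingUpdate 33 | template: 34 | metadata: 35 | labels: 36 | app: quote 37 | spec: 38 | containers: 39 | - name: backend 40 | image: datawire/quote:0.4.0 41 | ports: 42 | - name: http 43 | containerPort: 8080 44 | resources: 45 | limits: 46 | cpu: "0.1" 47 | memory: 100Mi 48 | 
-------------------------------------------------------------------------------- /manifests/ambassador/base/ci/tests/manifests/ci-default-values.yaml: -------------------------------------------------------------------------------- 1 | #env: 2 | # AMBASSADOR_SINGLE_NAMESPACE: true 3 | # AMBASSADOR_NO_KUBEWATCH: 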
no_kubewatch 4 | 5 | deploymentStrategy: 6 | type: Recreate 7 | 8 | service: 9 | type: NodePort 10 | 
-------------------------------------------------------------------------------- /manifests/ambassador/base/ci/tests/manifests/helm-init.yaml: --------------------------------------------------------------------------------
# ServiceAccount and cluster-wide role binding for Tiller, the in-cluster
# component of Helm 2, as used by the chart CI tests.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: tiller
  namespace: kube-system
---
# NOTE(review): this binds the tiller ServiceAccount to the built-in
# cluster-admin ClusterRole, i.e. unrestricted access to every resource in the
# cluster. Whoever can use Tiller or this account's token inherits that access.
# Tolerable on a disposable CI cluster; on a shared or long-lived cluster bind
# a namespaced Role with only the permissions the release needs.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: tiller
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
  - kind: ServiceAccount
    name: tiller
    namespace: kube-system

-------------------------------------------------------------------------------- /manifests/ambassador/base/ci/tests/manifests/helm2-values.yaml: --------------------------------------------------------------------------------
# Values for the Helm 2 test install: NodePort service, CRDs not created by the chart.
service:
  type: NodePort

crds:
  create: false


-------------------------------------------------------------------------------- /manifests/ambassador/base/ci/tests/manifests/tls.yaml: --------------------------------------------------------------------------------
---
# TLS Secret used by the CI tests (the name says it is a self-signed certificate).
# NOTE(review): tls.key is the certificate's private key, stored in the manifest
# itself (both values are elided in this listing). A key kept in version control
# has to be treated as public: use it for tests only and never issue it for a
# real hostname. Base64 under `data:` is an encoding, not encryption.
apiVersion: v1
data:
  tls.crt: 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
  tls.key: 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
kind: Secret
metadata:
  name: self-signed-cert
type: kubernetes.io/tls
---
# TLSContext that serves the certificate above for every host ("*").
apiVersion: getambassador.io/v1
kind: TLSContext
metadata:
  name: tls
spec:
  hosts: ["*"]
  secret: self-signed-cert


-------------------------------------------------------------------------------- /manifests/ambassador/base/crds/filter.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apiextensions.k8s.io/v1beta1 2 | kind: CustomResourceDefinition 3 | metadata: 4 | annotations: 5 
| helm.sh/hook: crd-install 6 | labels: 7 | app.kubernetes.io/name: ambassador 8 | product: aes 9 | name: filters.getambassador.io 10 | spec: 11 | group: getambassador.io 12 | names: 13 | categories: 14 | - ambassador-crds 15 | kind: Filter 16 | plural: filters 17 | shortNames: 18 | - fil 19 | singular: filter 20 | scope: Namespaced 21 | versions: 22 | - name: v1beta2 23 | served: true 24 | storage: false 25 | - name: v2 26 | served: true 27 | storage: true 28 | -------------------------------------------------------------------------------- /manifests/ambassador/base/crds/filterpolicy.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apiextensions.k8s.io/v1beta1 2 | kind: CustomResourceDefinition 3 | metadata: 4 | annotations: 5 | helm.sh/hook: crd-install 6 | labels: 7 | app.kubernetes.io/name: ambassador 8 | product: aes 9 | name: filterpolicies.getambassador.io 10 | spec: 11 | group: getambassador.io 12 | names: 13 | categories: 14 | - ambassador-crds 15 | kind: FilterPolicy 16 | plural: filterpolicies 17 | shortNames: 18 | - fp 19 | singular: filterpolicy 20 | scope: Namespaced 21 | versions: 22 | - name: v1beta2 23 | served: true 24 | storage: false 25 | - name: v2 26 | served: true 27 | storage: true 28 | -------------------------------------------------------------------------------- /manifests/ambassador/base/crds/getambassador.io_authservices.yaml: -------------------------------------------------------------------------------- 1 | # GENERATED FILE: edits made by hand will not be preserved. 
2 | --- 3 | apiVersion: apiextensions.k8s.io/v1beta1 4 | kind: CustomResourceDefinition 5 | metadata: 6 | annotations: 7 | controller-gen.kubebuilder.io/version: v0.3.1-0.20200517180335-820a4a27ea84 8 | helm.sh/hook: crd-install 9 | labels: 10 | app.kubernetes.io/name: ambassador 11 | product: aes 12 | name: authservices.getambassador.io 13 | spec: 14 | group: getambassador.io 15 | names: 16 | categories: 17 | - ambassador-crds 18 | kind: AuthService 19 | listKind: AuthServiceList 20 | plural: authservices 21 | singular: authservice 22 | scope: Namespaced 23 | validation: 24 | openAPIV3Schema: 25 | description: AuthService is the Schema for the authservices API 26 | properties: 27 | apiVersion: 28 | description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' 29 | type: string 30 | kind: 31 | description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 32 | type: string 33 | metadata: 34 | type: object 35 | spec: 36 | description: AuthServiceSpec defines the desired state of AuthService 37 | properties: 38 | add_auth_headers: 39 | additionalProperties: 40 | oneOf: 41 | - type: string 42 | - type: boolean 43 | type: object 44 | add_linkerd_headers: 45 | type: boolean 46 | allow_request_body: 47 | type: boolean 48 | allowed_authorization_headers: 49 | items: 50 | type: string 51 | type: array 52 | allowed_request_headers: 53 | items: 54 | type: string 55 | type: array 56 | ambassador_id: 57 | description: "AmbassadorID declares which Ambassador instances should pay attention to this resource. May either be a string or a list of strings. If no value is provided, the default is: \n ambassador_id: - \"default\"" 58 | items: 59 | type: string 60 | oneOf: 61 | - type: string 62 | - type: array 63 | auth_service: 64 | type: string 65 | failure_mode_allow: 66 | type: boolean 67 | include_body: 68 | properties: 69 | allow_partial: 70 | type: boolean 71 | max_bytes: 72 | description: These aren't pointer types because they are required. 73 | type: integer 74 | required: 75 | - allow_partial 76 | - max_bytes 77 | type: object 78 | path_prefix: 79 | type: string 80 | proto: 81 | enum: 82 | - http 83 | - grpc 84 | type: string 85 | protocol_version: 86 | enum: 87 | - v2 88 | - v2alpha 89 | type: string 90 | status_on_error: 91 | description: Why isn't this just an int?? 
92 | properties: 93 | code: 94 | type: integer 95 | type: object 96 | timeout_ms: 97 | type: integer 98 | tls: 99 | oneOf: 100 | - type: string 101 | - type: boolean 102 | required: 103 | - auth_service 104 | type: object 105 | type: object 106 | version: null 107 | versions: 108 | - name: v2 109 | served: true 110 | storage: true 111 | - name: v1 112 | served: true 113 | storage: false 114 | -------------------------------------------------------------------------------- /manifests/ambassador/base/crds/getambassador.io_consulresolvers.yaml: -------------------------------------------------------------------------------- 1 | # GENERATED FILE: edits made by hand will not be preserved. 2 | --- 3 | apiVersion: apiextensions.k8s.io/v1beta1 4 | kind: CustomResourceDefinition 5 | metadata: 6 | annotations: 7 | controller-gen.kubebuilder.io/version: v0.3.1-0.20200517180335-820a4a27ea84 8 | helm.sh/hook: crd-install 9 | labels: 10 | app.kubernetes.io/name: ambassador 11 | product: aes 12 | name: consulresolvers.getambassador.io 13 | spec: 14 | group: getambassador.io 15 | names: 16 | categories: 17 | - ambassador-crds 18 | kind: ConsulResolver 19 | listKind: ConsulResolverList 20 | plural: consulresolvers 21 | singular: consulresolver 22 | scope: Namespaced 23 | validation: 24 | openAPIV3Schema: 25 | description: ConsulResolver is the Schema for the ConsulResolver API 26 | properties: 27 | apiVersion: 28 | description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' 29 | type: string 30 | kind: 31 | description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 32 | type: string 33 | metadata: 34 | type: object 35 | spec: 36 | description: ConsulResolver tells Ambassador to use Consul to resolve services. In addition to the AmbassadorID, it needs information about which Consul server and DC to use. 37 | properties: 38 | address: 39 | type: string 40 | ambassador_id: 41 | description: "AmbassadorID declares which Ambassador instances should pay attention to this resource. May either be a string or a list of strings. If no value is provided, the default is: \n ambassador_id: - \"default\"" 42 | items: 43 | type: string 44 | oneOf: 45 | - type: string 46 | - type: array 47 | datacenter: 48 | type: string 49 | type: object 50 | type: object 51 | version: null 52 | versions: 53 | - name: v2 54 | served: true 55 | storage: true 56 | - name: v1 57 | served: true 58 | storage: false 59 | -------------------------------------------------------------------------------- /manifests/ambassador/base/crds/getambassador.io_devportals.yaml: -------------------------------------------------------------------------------- 1 | # GENERATED FILE: edits made by hand will not be preserved. 
2 | --- 3 | apiVersion: apiextensions.k8s.io/v1beta1 4 | kind: CustomResourceDefinition 5 | metadata: 6 | annotations: 7 | controller-gen.kubebuilder.io/version: v0.3.1-0.20200517180335-820a4a27ea84 8 | helm.sh/hook: crd-install 9 | labels: 10 | app.kubernetes.io/name: ambassador 11 | product: aes 12 | name: devportals.getambassador.io 13 | spec: 14 | group: getambassador.io 15 | names: 16 | categories: 17 | - ambassador-crds 18 | kind: DevPortal 19 | listKind: DevPortalList 20 | plural: devportals 21 | singular: devportal 22 | scope: Namespaced 23 | validation: 24 | openAPIV3Schema: 25 | description: "DevPortal is the Schema for the DevPortals API \n DevPortal resources specify the `what` and `how` is shown in a DevPortal: \n * `what` is in a DevPortal can be controlled with - a `selector`, that can be used for filtering `Mappings`. - a `docs` listing of (services, url) * `how` is a pointer to some `contents` (a checkout of a Git repository with go-templates/markdown/css). \n Multiple `DevPortal`s can exist in the cluster, and the Dev Portal server will show them at different endpoints. A `DevPortal` resource with a special name, `ambassador`, will be used for configuring the default Dev Portal (served at `/docs/` by default)." 26 | properties: 27 | apiVersion: 28 | description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' 29 | type: string 30 | kind: 31 | description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 32 | type: string 33 | metadata: 34 | type: object 35 | spec: 36 | description: DevPortalSpec defines the desired state of DevPortal 37 | properties: 38 | ambassador_id: 39 | description: "AmbassadorID declares which Ambassador instances should pay attention to this resource. May either be a string or a list of strings. If no value is provided, the default is: \n ambassador_id: - \"default\"" 40 | items: 41 | type: string 42 | oneOf: 43 | - type: string 44 | - type: array 45 | content: 46 | description: Content specifies where the content shown in the DevPortal come from 47 | properties: 48 | branch: 49 | type: string 50 | dir: 51 | type: string 52 | url: 53 | type: string 54 | type: object 55 | default: 56 | description: Default must be true when this is the default DevPortal 57 | type: boolean 58 | docs: 59 | description: Docs is a static docs definition 60 | items: 61 | description: 'DevPortalDocsSpec is a static documentation definition: instead of using a Selector for finding documentation for services, users can provide a static list of : tuples. These services will be shown in the Dev Portal with the documentation obtained from this URL.' 62 | properties: 63 | service: 64 | description: Service is the service being documented 65 | type: string 66 | url: 67 | description: URL is the URL used for obtaining docs 68 | type: string 69 | type: object 70 | type: array 71 | selector: 72 | description: Selector is used for choosing what is shown in the DevPortal 73 | properties: 74 | matchLabels: 75 | additionalProperties: 76 | type: string 77 | description: MatchLabels specifies the list of labels that must be present in Mappings for being present in this DevPortal. 78 | type: object 79 | matchNamespaces: 80 | description: MatchNamespaces is a list of namespaces that will be included in this DevPortal. 
81 | items: 82 | type: string 83 | type: array 84 | type: object 85 | type: object 86 | type: object 87 | version: null 88 | versions: 89 | - name: v2 90 | served: true 91 | storage: true 92 | -------------------------------------------------------------------------------- /manifests/ambassador/base/crds/getambassador.io_hosts.yaml: -------------------------------------------------------------------------------- 1 | # GENERATED FILE: edits made by hand will not be preserved. 2 | --- 3 | apiVersion: apiextensions.k8s.io/v1beta1 4 | kind: CustomResourceDefinition 5 | metadata: 6 | annotations: 7 | controller-gen.kubebuilder.io/version: v0.3.1-0.20200517180335-820a4a27ea84 8 | helm.sh/hook: crd-install 9 | labels: 10 | app.kubernetes.io/name: ambassador 11 | product: aes 12 | name: hosts.getambassador.io 13 | spec: 14 | additionalPrinterColumns: 15 | - JSONPath: .spec.hostname 16 | name: Hostname 17 | type: string 18 | - JSONPath: .status.state 19 | name: State 20 | type: string 21 | - JSONPath: .status.phaseCompleted 22 | name: Phase Completed 23 | type: string 24 | - JSONPath: .status.phasePending 25 | name: Phase Pending 26 | type: string 27 | - JSONPath: .metadata.creationTimestamp 28 | name: Age 29 | type: date 30 | group: getambassador.io 31 | names: 32 | categories: 33 | - ambassador-crds 34 | kind: Host 35 | listKind: HostList 36 | plural: hosts 37 | singular: host 38 | scope: Namespaced 39 | subresources: 40 | status: {} 41 | validation: 42 | openAPIV3Schema: 43 | description: Host is the Schema for the hosts API 44 | properties: 45 | apiVersion: 46 | description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' 47 | type: string 48 | kind: 49 | description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 50 | type: string 51 | metadata: 52 | type: object 53 | spec: 54 | description: HostSpec defines the desired state of Host 55 | properties: 56 | acmeProvider: 57 | description: Specifies whether/who to talk ACME with to automatically manage the $tlsSecret. 58 | properties: 59 | authority: 60 | description: Specifies who to talk ACME with to get certs. Defaults to Let's Encrypt; if "none" (case-insensitive), do not try to do ACME for this Host. 61 | type: string 62 | email: 63 | type: string 64 | privateKeySecret: 65 | description: "Specifies the Kubernetes Secret to use to store the private key of the ACME account (essentially, where to store the auto-generated password for the auto-created ACME account). You should not normally need to set this--the default value is based on a combination of the ACME authority being registered wit and the email address associated with the account. \n Note that this is a native-Kubernetes-style core.v1.LocalObjectReference, not an Ambassador-style `{name}.{namespace}` string. Because we're opinionated, it does not support referencing a Secret in another namespace (because most native Kubernetes resources don't support that), but if we ever abandon that opinion and decide to support non-local references it, it would be by adding a `namespace:` field by changing it from a core.v1.LocalObjectReference to a core.v1.SecretReference, not by adopting the `{name}.{namespace}` notation." 66 | properties: 67 | name: 68 | description: 'Name of the referent. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' 69 | type: string 70 | type: object 71 | registration: 72 | description: This is normally set automatically 73 | type: string 74 | type: object 75 | ambassador_id: 76 | description: Common to all Ambassador objects (and optional). 77 | items: 78 | type: string 79 | oneOf: 80 | - type: string 81 | - type: array 82 | ambassadorId: 83 | description: A compatibility alias for "ambassador_id"; because Host used to be specified with protobuf, and jsonpb allowed either "ambassador_id" or "ambassadorId", and even though we didn't tell people about "ambassadorId" it's what the web policy console generated because of jsonpb. So Hosts with 'ambassadorId' exist in the wild. 84 | items: 85 | type: string 86 | oneOf: 87 | - type: string 88 | - type: array 89 | hostname: 90 | description: Hostname by which the Ambassador can be reached. 91 | type: string 92 | previewUrl: 93 | description: Configuration for the Preview URL feature of Service Preview. Defaults to preview URLs not enabled. 94 | properties: 95 | enabled: 96 | description: Is the Preview URL feature enabled? 97 | type: boolean 98 | type: 99 | description: What type of Preview URL is allowed? 100 | enum: 101 | - Path 102 | type: string 103 | type: object 104 | requestPolicy: 105 | description: Request policy definition. 106 | properties: 107 | insecure: 108 | properties: 109 | action: 110 | enum: 111 | - Redirect 112 | - Reject 113 | - Route 114 | type: string 115 | additionalPort: 116 | type: integer 117 | type: object 118 | type: object 119 | selector: 120 | description: Selector by which we can find further configuration. Defaults to hostname=$hostname 121 | properties: 122 | matchExpressions: 123 | description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
124 | items: 125 | description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. 126 | properties: 127 | key: 128 | description: key is the label key that the selector applies to. 129 | type: string 130 | operator: 131 | description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. 132 | type: string 133 | values: 134 | description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. 135 | items: 136 | type: string 137 | type: array 138 | required: 139 | - key 140 | - operator 141 | type: object 142 | type: array 143 | matchLabels: 144 | additionalProperties: 145 | type: string 146 | description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. 147 | type: object 148 | type: object 149 | tls: 150 | description: TLS configuration. It is not valid to specify both `tlsContext` and `tls`. 
151 | properties: 152 | alpn_protocols: 153 | type: string 154 | ca_secret: 155 | type: string 156 | cacert_chain_file: 157 | type: string 158 | cert_chain_file: 159 | type: string 160 | cert_required: 161 | type: boolean 162 | cipher_suites: 163 | items: 164 | type: string 165 | type: array 166 | ecdh_curves: 167 | items: 168 | type: string 169 | type: array 170 | max_tls_version: 171 | type: string 172 | min_tls_version: 173 | type: string 174 | private_key_file: 175 | type: string 176 | redirect_cleartext_from: 177 | type: integer 178 | sni: 179 | type: string 180 | type: object 181 | tlsContext: 182 | description: "Name of the TLSContext the Host resource is linked with. It is not valid to specify both `tlsContext` and `tls`. \n Note that this is a native-Kubernetes-style core.v1.LocalObjectReference, not an Ambassador-style `{name}.{namespace}` string. Because we're opinionated, it does not support referencing a Secret in another namespace (because most native Kubernetes resources don't support that), but if we ever abandon that opinion and decide to support non-local references it, it would be by adding a `namespace:` field by changing it from a core.v1.LocalObjectReference to a core.v1.SecretReference, not by adopting the `{name}.{namespace}` notation." 183 | properties: 184 | name: 185 | description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' 186 | type: string 187 | type: object 188 | tlsSecret: 189 | description: "Name of the Kubernetes secret into which to save generated certificates. If ACME is enabled (see $acmeProvider), then the default is $hostname; otherwise the default is \"\". If the value is \"\", then we do not do TLS for this Host. \n Note that this is a native-Kubernetes-style core.v1.LocalObjectReference, not an Ambassador-style `{name}.{namespace}` string. 
Because we're opinionated, it does not support referencing a Secret in another namespace (because most native Kubernetes resources don't support that), but if we ever abandon that opinion and decide to support non-local references it, it would be by adding a `namespace:` field by changing it from a core.v1.LocalObjectReference to a core.v1.SecretReference, not by adopting the `{name}.{namespace}` notation." 190 | properties: 191 | name: 192 | description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' 193 | type: string 194 | type: object 195 | type: object 196 | status: 197 | description: HostStatus defines the observed state of Host 198 | properties: 199 | errorBackoff: 200 | type: string 201 | errorReason: 202 | description: errorReason, errorTimestamp, and errorBackoff are valid when state==Error. 203 | type: string 204 | errorTimestamp: 205 | format: date-time 206 | type: string 207 | phaseCompleted: 208 | description: phaseCompleted and phasePending are valid when state==Pending or state==Error. 209 | enum: 210 | - NA 211 | - DefaultsFilled 212 | - ACMEUserPrivateKeyCreated 213 | - ACMEUserRegistered 214 | - ACMECertificateChallenge 215 | type: string 216 | phasePending: 217 | description: phaseCompleted and phasePending are valid when state==Pending or state==Error. 
218 | enum: 219 | - NA 220 | - DefaultsFilled 221 | - ACMEUserPrivateKeyCreated 222 | - ACMEUserRegistered 223 | - ACMECertificateChallenge 224 | type: string 225 | state: 226 | enum: 227 | - Initial 228 | - Pending 229 | - Ready 230 | - Error 231 | type: string 232 | tlsCertificateSource: 233 | enum: 234 | - Unknown 235 | - None 236 | - Other 237 | - ACME 238 | type: string 239 | type: object 240 | type: object 241 | version: null 242 | versions: 243 | - name: v2 244 | served: true 245 | storage: true 246 | -------------------------------------------------------------------------------- /manifests/ambassador/base/crds/getambassador.io_kubernetesendpointresolvers.yaml: -------------------------------------------------------------------------------- 1 | # GENERATED FILE: edits made by hand will not be preserved. 2 | --- 3 | apiVersion: apiextensions.k8s.io/v1beta1 4 | kind: CustomResourceDefinition 5 | metadata: 6 | annotations: 7 | controller-gen.kubebuilder.io/version: v0.3.1-0.20200517180335-820a4a27ea84 8 | helm.sh/hook: crd-install 9 | labels: 10 | app.kubernetes.io/name: ambassador 11 | product: aes 12 | name: kubernetesendpointresolvers.getambassador.io 13 | spec: 14 | group: getambassador.io 15 | names: 16 | categories: 17 | - ambassador-crds 18 | kind: KubernetesEndpointResolver 19 | listKind: KubernetesEndpointResolverList 20 | plural: kubernetesendpointresolvers 21 | singular: kubernetesendpointresolver 22 | scope: Namespaced 23 | validation: 24 | openAPIV3Schema: 25 | description: KubernetesEndpointResolver is the Schema for the kubernetesendpointresolver API 26 | properties: 27 | apiVersion: 28 | description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' 29 | type: string 30 | kind: 31 | description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 32 | type: string 33 | metadata: 34 | type: object 35 | spec: 36 | description: KubernetesEndpointResolver tells Ambassador to use Kubernetes Endpoints resources to resolve services. It actually has no spec other than the AmbassadorID. 37 | properties: 38 | ambassador_id: 39 | description: "AmbassadorID declares which Ambassador instances should pay attention to this resource. May either be a string or a list of strings. If no value is provided, the default is: \n ambassador_id: - \"default\"" 40 | items: 41 | type: string 42 | oneOf: 43 | - type: string 44 | - type: array 45 | type: object 46 | type: object 47 | version: null 48 | versions: 49 | - name: v2 50 | served: true 51 | storage: true 52 | - name: v1 53 | served: true 54 | storage: false 55 | -------------------------------------------------------------------------------- /manifests/ambassador/base/crds/getambassador.io_kubernetesserviceresolvers.yaml: -------------------------------------------------------------------------------- 1 | # GENERATED FILE: edits made by hand will not be preserved. 
2 | --- 3 | apiVersion: apiextensions.k8s.io/v1beta1 4 | kind: CustomResourceDefinition 5 | metadata: 6 | annotations: 7 | controller-gen.kubebuilder.io/version: v0.3.1-0.20200517180335-820a4a27ea84 8 | helm.sh/hook: crd-install 9 | labels: 10 | app.kubernetes.io/name: ambassador 11 | product: aes 12 | name: kubernetesserviceresolvers.getambassador.io 13 | spec: 14 | group: getambassador.io 15 | names: 16 | categories: 17 | - ambassador-crds 18 | kind: KubernetesServiceResolver 19 | listKind: KubernetesServiceResolverList 20 | plural: kubernetesserviceresolvers 21 | singular: kubernetesserviceresolver 22 | scope: Namespaced 23 | validation: 24 | openAPIV3Schema: 25 | description: KubernetesServiceResolver is the Schema for the kubernetesserviceresolver API 26 | properties: 27 | apiVersion: 28 | description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' 29 | type: string 30 | kind: 31 | description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 32 | type: string 33 | metadata: 34 | type: object 35 | spec: 36 | description: KubernetesServiceResolver tells Ambassador to use Kubernetes Service resources to resolve services. It actually has no spec other than the AmbassadorID. 37 | properties: 38 | ambassador_id: 39 | description: "AmbassadorID declares which Ambassador instances should pay attention to this resource. May either be a string or a list of strings. 
If no value is provided, the default is: \n ambassador_id: - \"default\"" 40 | items: 41 | type: string 42 | oneOf: 43 | - type: string 44 | - type: array 45 | type: object 46 | type: object 47 | version: null 48 | versions: 49 | - name: v2 50 | served: true 51 | storage: true 52 | - name: v1 53 | served: true 54 | storage: false 55 | -------------------------------------------------------------------------------- /manifests/ambassador/base/crds/getambassador.io_logservices.yaml: -------------------------------------------------------------------------------- 1 | # GENERATED FILE: edits made by hand will not be preserved. 2 | --- 3 | apiVersion: apiextensions.k8s.io/v1beta1 4 | kind: CustomResourceDefinition 5 | metadata: 6 | annotations: 7 | controller-gen.kubebuilder.io/version: v0.3.1-0.20200517180335-820a4a27ea84 8 | helm.sh/hook: crd-install 9 | labels: 10 | app.kubernetes.io/name: ambassador 11 | product: aes 12 | name: logservices.getambassador.io 13 | spec: 14 | group: getambassador.io 15 | names: 16 | categories: 17 | - ambassador-crds 18 | kind: LogService 19 | listKind: LogServiceList 20 | plural: logservices 21 | singular: logservice 22 | scope: Namespaced 23 | validation: 24 | openAPIV3Schema: 25 | description: LogService is the Schema for the logservices API 26 | properties: 27 | apiVersion: 28 | description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' 29 | type: string 30 | kind: 31 | description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 32 | type: string 33 | metadata: 34 | type: object 35 | spec: 36 | description: LogServiceSpec defines the desired state of LogService 37 | properties: 38 | ambassador_id: 39 | description: "AmbassadorID declares which Ambassador instances should pay attention to this resource. May either be a string or a list of strings. If no value is provided, the default is: \n ambassador_id: - \"default\"" 40 | items: 41 | type: string 42 | oneOf: 43 | - type: string 44 | - type: array 45 | driver: 46 | enum: 47 | - tcp 48 | - http 49 | type: string 50 | driver_config: 51 | properties: 52 | additional_log_headers: 53 | items: 54 | properties: 55 | during_request: 56 | type: boolean 57 | during_response: 58 | type: boolean 59 | during_trailer: 60 | type: boolean 61 | header_name: 62 | type: string 63 | type: object 64 | type: array 65 | type: object 66 | flush_interval_byte_size: 67 | type: integer 68 | flush_interval_time: 69 | type: integer 70 | grpc: 71 | type: boolean 72 | service: 73 | type: string 74 | type: object 75 | type: object 76 | version: null 77 | versions: 78 | - name: v2 79 | served: true 80 | storage: true 81 | - name: v1 82 | served: true 83 | storage: false 84 | -------------------------------------------------------------------------------- /manifests/ambassador/base/crds/getambassador.io_modules.yaml: -------------------------------------------------------------------------------- 1 | # GENERATED FILE: edits made by hand will not be preserved. 
2 | --- 3 | apiVersion: apiextensions.k8s.io/v1beta1 4 | kind: CustomResourceDefinition 5 | metadata: 6 | annotations: 7 | controller-gen.kubebuilder.io/version: v0.3.1-0.20200517180335-820a4a27ea84 8 | helm.sh/hook: crd-install 9 | labels: 10 | app.kubernetes.io/name: ambassador 11 | product: aes 12 | name: modules.getambassador.io 13 | spec: 14 | group: getambassador.io 15 | names: 16 | categories: 17 | - ambassador-crds 18 | kind: Module 19 | listKind: ModuleList 20 | plural: modules 21 | singular: module 22 | scope: Namespaced 23 | validation: 24 | openAPIV3Schema: 25 | description: "A Module defines system-wide configuration. The type of module is controlled by the .metadata.name; valid names are \"ambassador\" or \"tls\". \n https://www.getambassador.io/docs/latest/topics/running/ambassador/#the-ambassador-module https://www.getambassador.io/docs/latest/topics/running/tls/#tls-module-deprecated" 26 | properties: 27 | apiVersion: 28 | description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' 29 | type: string 30 | kind: 31 | description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 32 | type: string 33 | metadata: 34 | type: object 35 | spec: 36 | properties: 37 | ambassador_id: 38 | description: "AmbassadorID declares which Ambassador instances should pay attention to this resource. May either be a string or a list of strings. 
If no value is provided, the default is: \n ambassador_id: - \"default\"" 39 | items: 40 | type: string 41 | oneOf: 42 | - type: string 43 | - type: array 44 | config: 45 | type: object 46 | type: object 47 | type: object 48 | version: null 49 | versions: 50 | - name: v2 51 | served: true 52 | storage: true 53 | - name: v1 54 | served: true 55 | storage: false 56 | -------------------------------------------------------------------------------- /manifests/ambassador/base/crds/getambassador.io_ratelimitservices.yaml: -------------------------------------------------------------------------------- 1 | # GENERATED FILE: edits made by hand will not be preserved. 2 | --- 3 | apiVersion: apiextensions.k8s.io/v1beta1 4 | kind: CustomResourceDefinition 5 | metadata: 6 | annotations: 7 | controller-gen.kubebuilder.io/version: v0.3.1-0.20200517180335-820a4a27ea84 8 | helm.sh/hook: crd-install 9 | labels: 10 | app.kubernetes.io/name: ambassador 11 | product: aes 12 | name: ratelimitservices.getambassador.io 13 | spec: 14 | group: getambassador.io 15 | names: 16 | categories: 17 | - ambassador-crds 18 | kind: RateLimitService 19 | listKind: RateLimitServiceList 20 | plural: ratelimitservices 21 | singular: ratelimitservice 22 | scope: Namespaced 23 | validation: 24 | openAPIV3Schema: 25 | description: RateLimitService is the Schema for the ratelimitservices API 26 | properties: 27 | apiVersion: 28 | description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' 29 | type: string 30 | kind: 31 | description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 32 | type: string 33 | metadata: 34 | type: object 35 | spec: 36 | description: RateLimitServiceSpec defines the desired state of RateLimitService 37 | properties: 38 | ambassador_id: 39 | description: Common to all Ambassador objects. 40 | items: 41 | type: string 42 | oneOf: 43 | - type: string 44 | - type: array 45 | domain: 46 | type: string 47 | protocol_version: 48 | enum: 49 | - v2 50 | - v2alpha 51 | type: string 52 | service: 53 | type: string 54 | timeout_ms: 55 | type: integer 56 | tls: 57 | oneOf: 58 | - type: string 59 | - type: boolean 60 | required: 61 | - service 62 | type: object 63 | type: object 64 | version: null 65 | versions: 66 | - name: v2 67 | served: true 68 | storage: true 69 | - name: v1 70 | served: true 71 | storage: false 72 | -------------------------------------------------------------------------------- /manifests/ambassador/base/crds/getambassador.io_tcpmappings.yaml: -------------------------------------------------------------------------------- 1 | # GENERATED FILE: edits made by hand will not be preserved. 2 | --- 3 | apiVersion: apiextensions.k8s.io/v1beta1 4 | kind: CustomResourceDefinition 5 | metadata: 6 | annotations: 7 | controller-gen.kubebuilder.io/version: v0.3.1-0.20200517180335-820a4a27ea84 8 | helm.sh/hook: crd-install 9 | labels: 10 | app.kubernetes.io/name: ambassador 11 | product: aes 12 | name: tcpmappings.getambassador.io 13 | spec: 14 | group: getambassador.io 15 | names: 16 | categories: 17 | - ambassador-crds 18 | kind: TCPMapping 19 | listKind: TCPMappingList 20 | plural: tcpmappings 21 | singular: tcpmapping 22 | scope: Namespaced 23 | validation: 24 | openAPIV3Schema: 25 | description: TCPMapping is the Schema for the tcpmappings API 26 | properties: 27 | apiVersion: 28 | description: 'APIVersion defines the versioned schema of this representation of an object. 
Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' 29 | type: string 30 | kind: 31 | description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 32 | type: string 33 | metadata: 34 | type: object 35 | spec: 36 | description: TCPMappingSpec defines the desired state of TCPMapping 37 | properties: 38 | address: 39 | type: string 40 | ambassador_id: 41 | description: "AmbassadorID declares which Ambassador instances should pay attention to this resource. May either be a string or a list of strings. If no value is provided, the default is: \n ambassador_id: - \"default\"" 42 | items: 43 | type: string 44 | oneOf: 45 | - type: string 46 | - type: array 47 | circuit_breakers: 48 | items: 49 | properties: 50 | max_connections: 51 | type: integer 52 | max_pending_requests: 53 | type: integer 54 | max_requests: 55 | type: integer 56 | max_retries: 57 | type: integer 58 | priority: 59 | enum: 60 | - default 61 | - high 62 | type: string 63 | type: object 64 | type: array 65 | cluster_tag: 66 | type: string 67 | enable_ipv4: 68 | type: boolean 69 | enable_ipv6: 70 | type: boolean 71 | host: 72 | type: string 73 | idle_timeout_ms: 74 | description: 'FIXME(lukeshu): Surely this should be an ''int''?' 75 | type: string 76 | port: 77 | description: Port isn't a pointer because it's required. 
78 | type: integer 79 | resolver: 80 | type: string 81 | service: 82 | type: string 83 | tls: 84 | oneOf: 85 | - type: string 86 | - type: boolean 87 | weight: 88 | type: integer 89 | required: 90 | - port 91 | - service 92 | type: object 93 | type: object 94 | version: null 95 | versions: 96 | - name: v2 97 | served: true 98 | storage: true 99 | - name: v1 100 | served: true 101 | storage: false 102 | -------------------------------------------------------------------------------- /manifests/ambassador/base/crds/getambassador.io_tlscontexts.yaml: -------------------------------------------------------------------------------- 1 | # GENERATED FILE: edits made by hand will not be preserved. 2 | --- 3 | apiVersion: apiextensions.k8s.io/v1beta1 4 | kind: CustomResourceDefinition 5 | metadata: 6 | annotations: 7 | controller-gen.kubebuilder.io/version: v0.3.1-0.20200517180335-820a4a27ea84 8 | helm.sh/hook: crd-install 9 | labels: 10 | app.kubernetes.io/name: ambassador 11 | product: aes 12 | name: tlscontexts.getambassador.io 13 | spec: 14 | group: getambassador.io 15 | names: 16 | categories: 17 | - ambassador-crds 18 | kind: TLSContext 19 | listKind: TLSContextList 20 | plural: tlscontexts 21 | singular: tlscontext 22 | scope: Namespaced 23 | validation: 24 | openAPIV3Schema: 25 | description: TLSContext is the Schema for the tlscontexts API 26 | properties: 27 | apiVersion: 28 | description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' 29 | type: string 30 | kind: 31 | description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 32 | type: string 33 | metadata: 34 | type: object 35 | spec: 36 | description: TLSContextSpec defines the desired state of TLSContext 37 | properties: 38 | alpn_protocols: 39 | type: string 40 | ambassador_id: 41 | description: "AmbassadorID declares which Ambassador instances should pay attention to this resource. May either be a string or a list of strings. If no value is provided, the default is: \n ambassador_id: - \"default\"" 42 | items: 43 | type: string 44 | oneOf: 45 | - type: string 46 | - type: array 47 | ca_secret: 48 | type: string 49 | cacert_chain_file: 50 | type: string 51 | cert_chain_file: 52 | type: string 53 | cert_required: 54 | type: boolean 55 | cipher_suites: 56 | items: 57 | type: string 58 | type: array 59 | ecdh_curves: 60 | items: 61 | type: string 62 | type: array 63 | hosts: 64 | items: 65 | type: string 66 | type: array 67 | max_tls_version: 68 | enum: 69 | - v1.0 70 | - v1.1 71 | - v1.2 72 | - v1.3 73 | type: string 74 | min_tls_version: 75 | enum: 76 | - v1.0 77 | - v1.1 78 | - v1.2 79 | - v1.3 80 | type: string 81 | private_key_file: 82 | type: string 83 | redirect_cleartext_from: 84 | type: integer 85 | secret: 86 | type: string 87 | secret_namespacing: 88 | type: boolean 89 | sni: 90 | type: string 91 | type: object 92 | type: object 93 | version: null 94 | versions: 95 | - name: v2 96 | served: true 97 | storage: true 98 | - name: v1 99 | served: true 100 | storage: false 101 | -------------------------------------------------------------------------------- /manifests/ambassador/base/crds/getambassador.io_tracingservices.yaml: -------------------------------------------------------------------------------- 1 | # GENERATED FILE: edits made by hand will not be preserved. 
2 | --- 3 | apiVersion: apiextensions.k8s.io/v1beta1 4 | kind: CustomResourceDefinition 5 | metadata: 6 | annotations: 7 | controller-gen.kubebuilder.io/version: v0.3.1-0.20200517180335-820a4a27ea84 8 | helm.sh/hook: crd-install 9 | labels: 10 | app.kubernetes.io/name: ambassador 11 | product: aes 12 | name: tracingservices.getambassador.io 13 | spec: 14 | group: getambassador.io 15 | names: 16 | categories: 17 | - ambassador-crds 18 | kind: TracingService 19 | listKind: TracingServiceList 20 | plural: tracingservices 21 | singular: tracingservice 22 | scope: Namespaced 23 | validation: 24 | openAPIV3Schema: 25 | description: TracingService is the Schema for the tracingservices API 26 | properties: 27 | apiVersion: 28 | description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' 29 | type: string 30 | kind: 31 | description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 32 | type: string 33 | metadata: 34 | type: object 35 | spec: 36 | description: TracingServiceSpec defines the desired state of TracingService 37 | properties: 38 | ambassador_id: 39 | description: "AmbassadorID declares which Ambassador instances should pay attention to this resource. May either be a string or a list of strings. 
If no value is provided, the default is: \n ambassador_id: - \"default\"" 40 | items: 41 | type: string 42 | oneOf: 43 | - type: string 44 | - type: array 45 | config: 46 | properties: 47 | access_token_file: 48 | type: string 49 | collector_cluster: 50 | type: string 51 | collector_endpoint: 52 | type: string 53 | collector_endpoint_version: 54 | enum: 55 | - HTTP_JSON_V1 56 | - HTTP_JSON 57 | - HTTP_PROTO 58 | type: string 59 | collector_hostname: 60 | type: string 61 | service_name: 62 | type: string 63 | shared_span_context: 64 | type: boolean 65 | trace_id_128bit: 66 | type: boolean 67 | type: object 68 | driver: 69 | enum: 70 | - lightstep 71 | - zipkin 72 | - datadog 73 | type: string 74 | sampling: 75 | properties: 76 | client: 77 | type: integer 78 | overall: 79 | type: integer 80 | random: 81 | type: integer 82 | type: object 83 | service: 84 | type: string 85 | tag_headers: 86 | items: 87 | type: string 88 | type: array 89 | required: 90 | - driver 91 | - service 92 | type: object 93 | type: object 94 | version: null 95 | versions: 96 | - name: v2 97 | served: true 98 | storage: true 99 | - name: v1 100 | served: true 101 | storage: false 102 | -------------------------------------------------------------------------------- /manifests/ambassador/base/crds/project.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apiextensions.k8s.io/v1beta1 2 | kind: CustomResourceDefinition 3 | metadata: 4 | annotations: 5 | helm.sh/hook: crd-install 6 | labels: 7 | app.kubernetes.io/name: ambassador 8 | product: aes 9 | name: projects.getambassador.io 10 | spec: 11 | additionalPrinterColumns: 12 | - JSONPath: .spec.prefix 13 | name: Prefix 14 | type: string 15 | - JSONPath: .spec.githubRepo 16 | name: Repo 17 | type: string 18 | - JSONPath: .metadata.creationTimestamp 19 | name: Age 20 | type: date 21 | group: getambassador.io 22 | names: 23 | categories: 24 | - ambassador-crds 25 | kind: Project 26 | plural: 
projects 27 | singular: project 28 | scope: Namespaced 29 | subresources: 30 | status: {} 31 | versions: 32 | - name: v2 33 | served: true 34 | storage: true 35 | -------------------------------------------------------------------------------- /manifests/ambassador/base/crds/projectcontroller.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apiextensions.k8s.io/v1beta1 2 | kind: CustomResourceDefinition 3 | metadata: 4 | annotations: 5 | helm.sh/hook: crd-install 6 | labels: 7 | app.kubernetes.io/name: ambassador 8 | product: aes 9 | name: projectcontrollers.getambassador.io 10 | spec: 11 | group: getambassador.io 12 | names: 13 | categories: 14 | - ambassador-crds 15 | kind: ProjectController 16 | plural: projectcontrollers 17 | singular: projectcontroller 18 | scope: Namespaced 19 | subresources: 20 | status: {} 21 | versions: 22 | - name: v2 23 | served: true 24 | storage: true 25 | -------------------------------------------------------------------------------- /manifests/ambassador/base/crds/projectrevision.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apiextensions.k8s.io/v1beta1 2 | kind: CustomResourceDefinition 3 | metadata: 4 | annotations: 5 | helm.sh/hook: crd-install 6 | labels: 7 | app.kubernetes.io/name: ambassador 8 | product: aes 9 | name: projectrevisions.getambassador.io 10 | spec: 11 | additionalPrinterColumns: 12 | - JSONPath: .spec.project.name 13 | name: Project 14 | type: string 15 | - JSONPath: .spec.ref 16 | name: Ref 17 | type: string 18 | - JSONPath: .spec.rev 19 | name: Rev 20 | type: string 21 | - JSONPath: .status.phase 22 | name: Status 23 | type: string 24 | - JSONPath: .metadata.creationTimestamp 25 | name: Age 26 | type: date 27 | group: getambassador.io 28 | names: 29 | categories: 30 | - ambassador-crds 31 | kind: ProjectRevision 32 | plural: projectrevisions 33 | singular: projectrevision 34 | scope: Namespaced 35 | 
subresources: 36 | status: {} 37 | versions: 38 | - name: v2 39 | served: true 40 | storage: true 41 | -------------------------------------------------------------------------------- /manifests/ambassador/base/crds/ratelimit.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apiextensions.k8s.io/v1beta1 2 | kind: CustomResourceDefinition 3 | metadata: 4 | annotations: 5 | helm.sh/hook: crd-install 6 | labels: 7 | app.kubernetes.io/name: ambassador 8 | product: aes 9 | name: ratelimits.getambassador.io 10 | spec: 11 | group: getambassador.io 12 | names: 13 | categories: 14 | - ambassador-crds 15 | kind: RateLimit 16 | plural: ratelimits 17 | shortNames: 18 | - rl 19 | singular: ratelimit 20 | scope: Namespaced 21 | versions: 22 | - name: v1beta1 23 | served: true 24 | storage: false 25 | - name: v2 26 | served: true 27 | storage: true 28 | -------------------------------------------------------------------------------- /manifests/ambassador/base/ct.yaml: -------------------------------------------------------------------------------- 1 | # See https://github.com/helm/chart-testing 2 | 3 | # note: all the values files in ci/*-values.yaml will 4 | # be tested automatically. For each configuration, 5 | # all the tests in templates/tests/*.yaml 6 | # will be checked. 
7 | 8 | ################################################ 9 | # github 10 | ################################################ 11 | 12 | remote: origin 13 | 14 | ################################################ 15 | # chart 16 | ################################################ 17 | 18 | charts: 19 | - /charts/ 20 | chart-dirs: 21 | - /charts/ 22 | chart-repos: 23 | - datawire=https://getambassador.io 24 | 25 | helm-extra-args: --timeout 600s 26 | 27 | # namespace: ambassador 28 | # release-label: release 29 | 30 | ################################################ 31 | # checks and validations 32 | ################################################ 33 | 34 | validate-maintainers: false 35 | validate-chart-schema: true 36 | validate-yaml: true 37 | # check-version-increment: true 38 | -------------------------------------------------------------------------------- /manifests/ambassador/base/templates/NOTES.txt: -------------------------------------------------------------------------------- 1 | ------------------------------------------------------------------------------- 2 | {{- if .Values.enableAES }} 3 | Congratulations! You have successfully installed The Ambassador Edge Stack! 4 | 5 | {{- if empty .Values.licenseKey.value }} 6 | ------------------------------------------------------------------------------- 7 | NOTE: You are currently running The Ambassador Edge Stack in EVALUATION MODE. 8 | 9 | Request a free community license key at https://SERVICE_IP/edge_stack_admin/#dashboard 10 | to unlock all the features of The Ambassador Edge Stack and update the value of 11 | licenseKey.value in your values.yaml file. 
12 | {{- end }} 13 | 14 | {{- if or .Values.authService.create .Values.rateLimit.create }} 15 | ------------------------------------------------------------------------------- 16 | WARNING: 17 | 18 | With your installation of the Ambassador Edge Stack, you have created a: 19 | {{ if .Values.authService.create }} 20 | - AuthService named {{include "ambassador.fullname" .}}-auth 21 | {{ end }} {{ if .Values.rateLimit.create }} 22 | - RateLimitService named {{include "ambassador.fullname" .}}-ratelimit 23 | {{ end }} 24 | in the {{ include "ambassador.namespace" . }} namespace. 25 | 26 | Please ensure there is not another of these resources configured in your cluster. 27 | If there is, please either remove the old resource or run 28 | 29 | helm upgrade {{ .Release.Name }} -n {{ .Release.Namespace }} --set authService.create=false --set rateLimit.create=false 30 | 31 | {{- end }} 32 | {{- else }} 33 | Congratulations! You've successfully installed Ambassador! 34 | 35 | ------------------------------------------------------------------------------- 36 | To get the IP address of Ambassador, run the following commands: 37 | 38 | {{- if contains "NodePort" .Values.service.type }} 39 | export NODE_PORT=$(kubectl get --namespace {{ include "ambassador.namespace" .}} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "ambassador.fullname" . }}) 40 | export NODE_IP=$(kubectl get nodes --namespace {{ include "ambassador.namespace" .}} -o jsonpath="{.items[0].status.addresses[0].address}") 41 | echo http://$NODE_IP:$NODE_PORT 42 | {{- else if contains "LoadBalancer" .Values.service.type }} 43 | NOTE: It may take a few minutes for the LoadBalancer IP to be available. 44 | You can watch the status by running 'kubectl get svc -w --namespace {{ include "ambassador.namespace" .}} {{ include "ambassador.fullname" . }}' 45 | 46 | On GKE/Azure: 47 | export SERVICE_IP=$(kubectl get svc --namespace {{ include "ambassador.namespace" .}} {{ include "ambassador.fullname" . 
}} -o jsonpath='{.status.loadBalancer.ingress[0].ip}') 48 | 49 | On AWS: 50 | export SERVICE_IP=$(kubectl get svc --namespace {{ include "ambassador.namespace" .}} {{ include "ambassador.fullname" . }} -o jsonpath='{.status.loadBalancer.ingress[0].hostname}') 51 | 52 | echo http://$SERVICE_IP:{{ .Values.service.port }} 53 | {{- else if contains "ClusterIP" .Values.service.type }} 54 | export POD_NAME=$(kubectl get pods --namespace {{ include "ambassador.namespace" .}} -l "app={{ include "ambassador.name" . }},release={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") 55 | echo "Visit http://127.0.0.1:8080 to use your application" 56 | kubectl port-forward $POD_NAME 8080:80 57 | {{- end }} 58 | {{- end }} 59 | 60 | For help, visit our Slack at https://d6e.co/slack or view the documentation online at https://www.getambassador.io. 61 | -------------------------------------------------------------------------------- /manifests/ambassador/base/templates/_helpers.tpl: -------------------------------------------------------------------------------- 1 | {{/* vim: set filetype=mustache: */}} 2 | {{/* 3 | Expand the name of the chart. 4 | */}} 5 | {{- define "ambassador.name" -}} 6 | {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} 7 | {{- end -}} 8 | 9 | {{/* 10 | Create a default fully qualified app name. 11 | We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). 12 | If release name contains chart name it will be used as a full name. 
13 | */}} 14 | {{- define "ambassador.fullname" -}} 15 | {{- if .Values.fullnameOverride -}} 16 | {{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} 17 | {{- else -}} 18 | {{- $name := default .Chart.Name .Values.nameOverride -}} 19 | {{- if contains $name .Release.Name -}} 20 | {{- .Release.Name | trunc 63 | trimSuffix "-" -}} 21 | {{- else -}} 22 | {{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} 23 | {{- end -}} 24 | {{- end -}} 25 | {{- end -}} 26 | 27 | {{/* 28 | Create chart namespace based on override value. 29 | */}} 30 | {{- define "ambassador.namespace" -}} 31 | {{- if .Values.namespaceOverride -}} 32 | {{- .Values.namespaceOverride -}} 33 | {{- else -}} 34 | {{- .Release.Namespace -}} 35 | {{- end -}} 36 | {{- end -}} 37 | 38 | {{/* 39 | Create chart name and version as used by the chart label. 40 | */}} 41 | {{- define "ambassador.chart" -}} 42 | {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} 43 | {{- end -}} 44 | 45 | {{/* 46 | Create the name of the service account to use 47 | */}} 48 | {{- define "ambassador.serviceAccountName" -}} 49 | {{- if .Values.serviceAccount.create -}} 50 | {{ default (include "ambassador.fullname" .) .Values.serviceAccount.name }} 51 | {{- else -}} 52 | {{ default "default" .Values.serviceAccount.name }} 53 | {{- end -}} 54 | {{- end -}} 55 | 56 | {{/* 57 | Create the name of the RBAC to use 58 | */}} 59 | {{- define "ambassador.rbacName" -}} 60 | {{ default (include "ambassador.fullname" .) 
.Values.rbac.nameOverride }} 61 | {{- end -}} 62 | 63 | {{/* 64 | Define the http port of the Ambassador service 65 | */}} 66 | {{- define "ambassador.servicePort" -}} 67 | {{- range .Values.service.ports -}} 68 | {{- if (eq .name "http") -}} 69 | {{ default .port }} 70 | {{- end -}} 71 | {{- end -}} 72 | {{- end -}} 73 | -------------------------------------------------------------------------------- /manifests/ambassador/base/templates/admin-service.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.adminService.create -}} 2 | apiVersion: v1 3 | kind: Service 4 | metadata: 5 | name: {{ include "ambassador.fullname" . }}-admin 6 | namespace: {{ include "ambassador.namespace" . }} 7 | labels: 8 | app.kubernetes.io/name: {{ include "ambassador.name" . }} 9 | helm.sh/chart: {{ include "ambassador.chart" . }} 10 | app.kubernetes.io/instance: {{ .Release.Name }} 11 | app.kubernetes.io/part-of: {{ .Release.Name }} 12 | {{- if .Values.deploymentTool }} 13 | app.kubernetes.io/managed-by: {{ .Values.deploymentTool }} 14 | {{- else }} 15 | app.kubernetes.io/managed-by: {{ .Release.Service }} 16 | {{- end }} 17 | # Hard-coded label for Prometheus Operator ServiceMonitor 18 | service: ambassador-admin 19 | product: aes 20 | annotations: 21 | a8r.io/owner: "Ambassador Labs" 22 | a8r.io/repository: github.com/datawire/ambassador 23 | a8r.io/description: "The Ambassador Edge Stack admin service for internal use and health checks." 24 | a8r.io/documentation: https://www.getambassador.io/docs/latest/ 25 | a8r.io/chat: http://d6e.co/slack 26 | a8r.io/bugs: https://github.com/datawire/ambassador/issues 27 | a8r.io/support: https://www.getambassador.io/about-us/support/ 28 | a8r.io/dependencies: "None" 29 | {{- with .Values.adminService.annotations }} 30 | {{- toYaml . 
| nindent 4 }} 31 | {{- end }} 32 | spec: 33 | type: {{ .Values.adminService.type }} {{/* NOTE(review): the Service type comes straight from values. If it is set to NodePort or LoadBalancer, both the admin port and the snapshot port declared below become reachable from outside the cluster network, and loadBalancerSourceRanges is only rendered when it is explicitly provided. The annotations on this Service describe it as being for internal use and health checks, so ClusterIP is the type consistent with that description. */}} 34 | ports: 35 | - port: {{ .Values.adminService.port }} 36 | targetPort: admin 37 | protocol: TCP 38 | name: ambassador-admin 39 | {{- if (and (eq .Values.adminService.type "NodePort") (not (empty .Values.adminService.nodePort))) }} 40 | nodePort: {{ int .Values.adminService.nodePort }} 41 | {{- end }} 42 | - port: {{ .Values.adminService.snapshotPort }} 43 | targetPort: {{ .Values.adminService.snapshotPort }} 44 | protocol: TCP 45 | name: ambassador-snapshot 46 | selector: 47 | app.kubernetes.io/name: {{ include "ambassador.name" . }} 48 | app.kubernetes.io/instance: {{ .Release.Name }} 49 | {{- if eq .Values.adminService.type "LoadBalancer" }} 50 | {{- if not (empty .Values.adminService.loadBalancerIP) }} 51 | loadBalancerIP: {{ .Values.adminService.loadBalancerIP | quote }} 52 | {{- end }} 53 | {{- if not (empty .Values.adminService.loadBalancerSourceRanges) }} 54 | loadBalancerSourceRanges: 55 | {{- toYaml .Values.adminService.loadBalancerSourceRanges | nindent 4 }} 56 | {{- end }} 57 | {{- end }} 58 | {{- end -}} 59 | -------------------------------------------------------------------------------- /manifests/ambassador/base/templates/aes-agent.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.agent.enabled .Values.enableAES }} 2 | {{- if ne (semver "1.12.0" | (semver .Values.image.tag).Compare) -1 }} 3 | --- 4 | apiVersion: v1 5 | kind: ServiceAccount 6 | metadata: 7 | name: {{ include "ambassador.fullname" . }}-agent 8 | namespace: {{ include "ambassador.namespace" . }} 9 | labels: 10 | app.kubernetes.io/name: {{ include "ambassador.name" . }}-agent 11 | app.kubernetes.io/part-of: {{ .Release.Name }} 12 | helm.sh/chart: {{ include "ambassador.chart" . 
}} 13 | app.kubernetes.io/instance: {{ .Release.Name }} 14 | {{- if .Values.deploymentTool }} 15 | app.kubernetes.io/managed-by: {{ .Values.deploymentTool }} 16 | {{- else }} 17 | app.kubernetes.io/managed-by: {{ .Release.Service }} 18 | {{- end }} 19 | product: aes 20 | --- 21 | apiVersion: rbac.authorization.k8s.io/v1beta1 22 | kind: RoleBinding 23 | metadata: 24 | name: {{ include "ambassador.fullname" . }}-agent-config 25 | namespace: {{ include "ambassador.namespace" . }} 26 | labels: 27 | app.kubernetes.io/name: {{ include "ambassador.name" . }}-agent 28 | app.kubernetes.io/part-of: {{ .Release.Name }} 29 | helm.sh/chart: {{ include "ambassador.chart" . }} 30 | app.kubernetes.io/instance: {{ .Release.Name }} 31 | {{- if .Values.deploymentTool }} 32 | app.kubernetes.io/managed-by: {{ .Values.deploymentTool }} 33 | {{- else }} 34 | app.kubernetes.io/managed-by: {{ .Release.Service }} 35 | {{- end }} 36 | product: aes 37 | roleRef: 38 | apiGroup: rbac.authorization.k8s.io 39 | kind: Role 40 | name: {{ include "ambassador.fullname" . }}-agent-config 41 | subjects: 42 | - kind: ServiceAccount 43 | name: {{ include "ambassador.fullname" . }}-agent 44 | namespace: {{ include "ambassador.namespace" . }} 45 | --- 46 | apiVersion: rbac.authorization.k8s.io/v1beta1 47 | kind: Role 48 | metadata: 49 | name: {{ include "ambassador.fullname" . }}-agent-config 50 | namespace: {{ include "ambassador.namespace" . }} 51 | labels: 52 | app.kubernetes.io/name: {{ include "ambassador.name" . }}-agent 53 | app.kubernetes.io/part-of: {{ .Release.Name }} 54 | helm.sh/chart: {{ include "ambassador.chart" . 
}} 55 | app.kubernetes.io/instance: {{ .Release.Name }} 56 | {{- if .Values.deploymentTool }} 57 | app.kubernetes.io/managed-by: {{ .Values.deploymentTool }} 58 | {{- else }} 59 | app.kubernetes.io/managed-by: {{ .Release.Service }} 60 | {{- end }} 61 | product: aes 62 | rules: 63 | - apiGroups: [""] 64 | resources: [ "configmaps" ] 65 | verbs: [ "get", "list", "watch" ] 66 | --- 67 | apiVersion: rbac.authorization.k8s.io/v1beta1 68 | kind: ClusterRoleBinding 69 | metadata: 70 | name: {{ include "ambassador.fullname" . }}-agent 71 | labels: 72 | app.kubernetes.io/name: {{ include "ambassador.name" . }}-agent 73 | app.kubernetes.io/part-of: {{ .Release.Name }} 74 | helm.sh/chart: {{ include "ambassador.chart" . }} 75 | app.kubernetes.io/instance: {{ .Release.Name }} 76 | {{- if .Values.deploymentTool }} 77 | app.kubernetes.io/managed-by: {{ .Values.deploymentTool }} 78 | {{- else }} 79 | app.kubernetes.io/managed-by: {{ .Release.Service }} 80 | {{- end }} 81 | product: aes 82 | roleRef: 83 | apiGroup: rbac.authorization.k8s.io 84 | kind: ClusterRole 85 | name: {{ include "ambassador.fullname" . }}-agent 86 | subjects: 87 | - kind: ServiceAccount 88 | name: {{ include "ambassador.fullname" . }}-agent 89 | namespace: {{ include "ambassador.namespace" . }} 90 | --- 91 | apiVersion: rbac.authorization.k8s.io/v1beta1 92 | kind: ClusterRole 93 | metadata: 94 | name: {{ include "ambassador.fullname" . }}-agent 95 | labels: 96 | app.kubernetes.io/name: {{ include "ambassador.name" . }}-agent 97 | app.kubernetes.io/part-of: {{ .Release.Name }} 98 | helm.sh/chart: {{ include "ambassador.chart" . 
}} 99 | app.kubernetes.io/instance: {{ .Release.Name }} 100 | {{- if .Values.deploymentTool }} 101 | app.kubernetes.io/managed-by: {{ .Values.deploymentTool }} 102 | {{- else }} 103 | app.kubernetes.io/managed-by: {{ .Release.Service }} 104 | {{- end }} 105 | product: aes 106 | rules: 107 | - apiGroups: [""] 108 | resources: [ "pods" ] 109 | verbs: [ "get", "list", "watch" ] 110 | 111 | {{ if ne .Values.agent.cloudConnectToken "" }} 112 | --- 113 | apiVersion: v1 114 | kind: ConfigMap {{/* NOTE(review): agent.cloudConnectToken looks like a credential, yet it is rendered into a ConfigMap rather than a Secret. It is therefore stored as plain text and is readable by any subject allowed to get ConfigMaps in this namespace (the agent Role in this file grants get/list/watch on all configmaps). The value is also emitted unquoted, so a token that YAML parses as a non-string would be rejected as ConfigMap data. Restrict ConfigMap read access in this namespace accordingly; moving the token to a Secret needs matching support in the agent - confirm before changing the kind. */}} 115 | metadata: 116 | name: {{ include "ambassador.fullname" . }}-agent-cloud-token 117 | namespace: {{ include "ambassador.namespace" . }} 118 | labels: 119 | app.kubernetes.io/name: {{ include "ambassador.name" . }}-agent-cloud-token 120 | app.kubernetes.io/part-of: {{ .Release.Name }} 121 | helm.sh/chart: {{ include "ambassador.chart" . }} 122 | app.kubernetes.io/instance: {{ .Release.Name }} 123 | {{- if .Values.deploymentTool }} 124 | app.kubernetes.io/managed-by: {{ .Values.deploymentTool }} 125 | {{- else }} 126 | app.kubernetes.io/managed-by: {{ .Release.Service }} 127 | {{- end }} 128 | product: aes 129 | data: 130 | CLOUD_CONNECT_TOKEN: {{ .Values.agent.cloudConnectToken }} 131 | {{ end }} 132 | 133 | --- 134 | apiVersion: apps/v1 135 | kind: Deployment 136 | metadata: 137 | name: {{ include "ambassador.fullname" . }}-agent 138 | namespace: {{ include "ambassador.namespace" . }} 139 | labels: 140 | app.kubernetes.io/name: {{ include "ambassador.fullname" . }}-agent 141 | app.kubernetes.io/part-of: {{ .Release.Name }} 142 | helm.sh/chart: {{ include "ambassador.chart" . }} 143 | app.kubernetes.io/instance: {{ .Release.Name }} 144 | {{- if .Values.deploymentTool }} 145 | app.kubernetes.io/managed-by: {{ .Values.deploymentTool }} 146 | {{- else }} 147 | app.kubernetes.io/managed-by: {{ .Release.Service }} 148 | {{- end }} 149 | product: aes 150 | spec: 151 | replicas: 1 152 | selector: 153 | matchLabels: 154 | app.kubernetes.io/name: {{ include "ambassador.fullname" . 
}}-agent 155 | app.kubernetes.io/instance: {{ .Release.Name }} 156 | template: 157 | metadata: 158 | labels: 159 | app.kubernetes.io/name: {{ include "ambassador.fullname" . }}-agent 160 | app.kubernetes.io/part-of: {{ .Release.Name }} 161 | helm.sh/chart: {{ include "ambassador.chart" . }} 162 | app.kubernetes.io/instance: {{ .Release.Name }} 163 | {{- if .Values.deploymentTool }} 164 | app.kubernetes.io/managed-by: {{ .Values.deploymentTool }} 165 | {{- else }} 166 | app.kubernetes.io/managed-by: {{ .Release.Service }} 167 | {{- end }} 168 | product: aes 169 | spec: 170 | serviceAccountName: {{ include "ambassador.fullname" . }}-agent 171 | containers: 172 | - name: agent 173 | image: "{{ .Values.agent.image.repository | default .Values.image.repository }}:{{ .Values.agent.image.tag | default .Values.image.tag }}" 174 | imagePullPolicy: {{ .Values.image.pullPolicy }} 175 | command: [ "agent" ] 176 | env: 177 | - name: AGENT_NAMESPACE 178 | valueFrom: 179 | fieldRef: 180 | fieldPath: metadata.namespace 181 | - name: AGENT_CONFIG_RESOURCE_NAME 182 | value: {{ include "ambassador.fullname" . }}-agent-cloud-token 183 | - name: RPC_CONNECTION_ADDRESS 184 | value: {{ .Values.agent.rpcAddress }} 185 | - name: AES_SNAPSHOT_URL 186 | value: "http://{{ include "ambassador.fullname" . }}-admin.{{ include "ambassador.namespace" . }}:{{ .Values.adminService.snapshotPort }}/snapshot-external" 187 | {{- end }} 188 | {{- end }} 189 | -------------------------------------------------------------------------------- /manifests/ambassador/base/templates/aes-authservice.yaml: -------------------------------------------------------------------------------- 1 | {{ if and .Values.authService.create .Values.enableAES }} 2 | --- 3 | apiVersion: getambassador.io/v2 4 | kind: AuthService 5 | metadata: 6 | name: {{ include "ambassador.fullname" . }}-auth 7 | namespace: {{ include "ambassador.namespace" . }} 8 | labels: 9 | app.kubernetes.io/name: {{ include "ambassador.name" . 
}} 10 | app.kubernetes.io/part-of: {{ .Release.Name }} 11 | helm.sh/chart: {{ include "ambassador.chart" . }} 12 | app.kubernetes.io/instance: {{ .Release.Name }} 13 | {{- if .Values.deploymentTool }} 14 | app.kubernetes.io/managed-by: {{ .Values.deploymentTool }} 15 | {{- else }} 16 | app.kubernetes.io/managed-by: {{ .Release.Service }} 17 | {{- end }} 18 | app.kubernetes.io/component: {{ include "ambassador.name" . }}-auth 19 | product: aes 20 | spec: 21 | proto: grpc 22 | {{- if .Values.env }} 23 | {{- if hasKey .Values.env "AMBASSADOR_ID" }} 24 | ambassador_id: {{ .Values.env.AMBASSADOR_ID | quote }} 25 | {{- end }} 26 | {{- end }} 27 | auth_service: 127.0.0.1:8500 28 | {{- if .Values.authService.optional_configurations }} 29 | {{- toYaml .Values.authService.optional_configurations | nindent 2}} 30 | {{- end }} 31 | {{ end }} -------------------------------------------------------------------------------- /manifests/ambassador/base/templates/aes-injector.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.enableAES .Values.servicePreview.enabled .Values.servicePreview.trafficAgent.injector.enabled }} 2 | --- 3 | apiVersion: apps/v1 4 | kind: Deployment 5 | metadata: 6 | name: {{ include "ambassador.fullname" . }}-injector 7 | namespace: {{ include "ambassador.namespace" . }} 8 | labels: 9 | app.kubernetes.io/name: {{ include "ambassador.fullname" . }}-injector 10 | app.kubernetes.io/part-of: {{ .Release.Name }} 11 | helm.sh/chart: {{ include "ambassador.chart" . }} 12 | app.kubernetes.io/instance: {{ .Release.Name }} 13 | {{- if .Values.deploymentTool }} 14 | app.kubernetes.io/managed-by: {{ .Values.deploymentTool }} 15 | {{- else }} 16 | app.kubernetes.io/managed-by: {{ .Release.Service }} 17 | {{- end }} 18 | product: aes 19 | spec: 20 | replicas: 1 21 | selector: 22 | matchLabels: 23 | app.kubernetes.io/name: {{ include "ambassador.fullname" . 
}}-injector 24 | app.kubernetes.io/instance: {{ .Release.Name }} 25 | template: 26 | metadata: 27 | labels: 28 | app.kubernetes.io/name: {{ include "ambassador.fullname" . }}-injector 29 | app.kubernetes.io/part-of: {{ .Release.Name }} 30 | helm.sh/chart: {{ include "ambassador.chart" . }} 31 | app.kubernetes.io/instance: {{ .Release.Name }} 32 | {{- if .Values.deploymentTool }} 33 | app.kubernetes.io/managed-by: {{ .Values.deploymentTool }} 34 | {{- else }} 35 | app.kubernetes.io/managed-by: {{ .Release.Service }} 36 | {{- end }} 37 | product: aes 38 | spec: 39 | containers: 40 | - name: webhook 41 | image: "{{ .Values.servicePreview.trafficAgent.image.repository | default .Values.image.repository }}:{{ .Values.servicePreview.trafficAgent.image.tag | default .Values.image.tag }}" 42 | imagePullPolicy: {{ .Values.image.pullPolicy }} 43 | command: [ "aes-injector" ] 44 | env: 45 | - name: AGENT_MANAGER_NAMESPACE 46 | value: "{{ include "ambassador.namespace" . }}" 47 | - name: TRAFFIC_AGENT_IMAGE 48 | value: "{{ .Values.servicePreview.trafficAgent.image.repository | default .Values.image.repository }}:{{ .Values.servicePreview.trafficAgent.image.tag | default .Values.image.tag }}" 49 | - name: TRAFFIC_AGENT_AGENT_LISTEN_PORT 50 | value: "{{ .Values.servicePreview.trafficAgent.port }}" 51 | {{- if .Values.servicePreview.trafficAgent.singleNamespace }} 52 | - name: TRAFFIC_AGENT_SERVICE_ACCOUNT_NAME 53 | value: "{{ .Values.servicePreview.trafficAgent.serviceAccountName }}" 54 | {{- end }} 55 | ports: 56 | - containerPort: 8443 57 | name: https 58 | livenessProbe: 59 | httpGet: 60 | path: /healthz 61 | port: https 62 | scheme: HTTPS 63 | volumeMounts: 64 | - mountPath: /var/run/secrets/tls 65 | name: tls 66 | readOnly: true 67 | volumes: 68 | - name: tls 69 | secret: 70 | secretName: {{ include "ambassador.fullname" . }}-injector-tls 71 | --- 72 | apiVersion: v1 73 | kind: Service 74 | metadata: 75 | name: {{ include "ambassador.fullname" . 
}}-injector 76 | namespace: {{ include "ambassador.namespace" . }} 77 | labels: 78 | app.kubernetes.io/name: {{ include "ambassador.fullname" . }}-injector 79 | app.kubernetes.io/part-of: {{ .Release.Name }} 80 | helm.sh/chart: {{ include "ambassador.chart" . }} 81 | app.kubernetes.io/instance: {{ .Release.Name }} 82 | {{- if .Values.deploymentTool }} 83 | app.kubernetes.io/managed-by: {{ .Values.deploymentTool }} 84 | {{- else }} 85 | app.kubernetes.io/managed-by: {{ .Release.Service }} 86 | {{- end }} 87 | annotations: 88 | a8r.io/owner: "Ambassador Labs" 89 | a8r.io/repository: github.com/datawire/ambassador 90 | a8r.io/description: "The Ambassador Edge Stack Service Preview Traffic Agent Sidecar injector." 91 | a8r.io/documentation: https://www.getambassador.io/docs/latest/ 92 | a8r.io/chat: http://d6e.co/slack 93 | a8r.io/bugs: https://github.com/datawire/ambassador/issues 94 | a8r.io/support: https://www.getambassador.io/about-us/support/ 95 | a8r.io/dependencies: "None" 96 | spec: 97 | type: ClusterIP 98 | selector: 99 | app.kubernetes.io/name: {{ include "ambassador.fullname" . }}-injector 100 | app.kubernetes.io/instance: {{ .Release.Name }} 101 | ports: 102 | - name: {{ include "ambassador.fullname" . }}-injector 103 | port: 443 104 | targetPort: https 105 | --- 106 | kind: Secret 107 | apiVersion: v1 108 | metadata: 109 | name: {{ include "ambassador.fullname" . }}-injector-tls 110 | namespace: {{ include "ambassador.namespace" . }} 111 | labels: 112 | app.kubernetes.io/name: {{ include "ambassador.fullname" . }}-injector-tls 113 | app.kubernetes.io/part-of: {{ .Release.Name }} 114 | helm.sh/chart: {{ include "ambassador.chart" . 
}} 115 | app.kubernetes.io/instance: {{ .Release.Name }} 116 | {{- if .Values.deploymentTool }} 117 | app.kubernetes.io/managed-by: {{ .Values.deploymentTool }} 118 | {{- else }} 119 | app.kubernetes.io/managed-by: {{ .Release.Service }} 120 | {{- end }} 121 | product: aes 122 | type: Opaque 123 | data: {{/* NOTE(review): genCA is evaluated on every render, so when crtPEM and keyPEM are unset a fresh self-signed CA certificate and key are produced on each install or upgrade, and the CA's own private key is what gets stored as key.pem (no separate leaf certificate is issued). crtPEM and keyPEM are tested for emptiness independently: supplying only one of them pairs a user-supplied half with a generated half that will not match. Supply both or neither. */}} 124 | {{ $ca := genCA (printf "%s-injector.%s.svc" (include "ambassador.fullname" .) (include "ambassador.namespace" .)) 365 -}} 125 | crt.pem: {{ ternary (b64enc $ca.Cert) (b64enc (trim .Values.servicePreview.trafficAgent.injector.crtPEM)) (empty .Values.servicePreview.trafficAgent.injector.crtPEM) }} 126 | key.pem: {{ ternary (b64enc $ca.Key) (b64enc (trim .Values.servicePreview.trafficAgent.injector.keyPEM)) (empty .Values.servicePreview.trafficAgent.injector.keyPEM) }} 127 | --- 128 | apiVersion: admissionregistration.k8s.io/v1beta1 129 | kind: MutatingWebhookConfiguration {{/* NOTE(review): this object is cluster-scoped and, as written, declares no namespaceSelector or objectSelector, so every Pod CREATE in the cluster is sent to the injector. With failurePolicy: Ignore the webhook fails open: if the injector is unavailable or its certificate no longer matches caBundle, pods are admitted without mutation. admissionregistration.k8s.io/v1beta1 is no longer served from Kubernetes 1.22 on. */}} 130 | metadata: 131 | name: {{ include "ambassador.fullname" . }}-injector-webhook-config 132 | labels: 133 | app.kubernetes.io/name: {{ include "ambassador.fullname" . }}-injector-webhook-config 134 | app.kubernetes.io/part-of: {{ .Release.Name }} 135 | helm.sh/chart: {{ include "ambassador.chart" . }} 136 | app.kubernetes.io/instance: {{ .Release.Name }} 137 | {{- if .Values.deploymentTool }} 138 | app.kubernetes.io/managed-by: {{ .Values.deploymentTool }} 139 | {{- else }} 140 | app.kubernetes.io/managed-by: {{ .Release.Service }} 141 | {{- end }} 142 | product: aes 143 | webhooks: 144 | - name: {{ include "ambassador.fullname" . }}-injector.getambassador.io 145 | clientConfig: 146 | service: 147 | name: {{ include "ambassador.fullname" . }}-injector 148 | namespace: {{ include "ambassador.namespace" . 
}} 149 | path: "/traffic-agent" 150 | caBundle: {{ ternary (b64enc $ca.Cert) (b64enc (trim .Values.servicePreview.trafficAgent.injector.crtPEM)) (empty .Values.servicePreview.trafficAgent.injector.crtPEM) }} 151 | failurePolicy: Ignore 152 | rules: 153 | - operations: ["CREATE"] 154 | apiGroups: [""] 155 | apiVersions: ["v1"] 156 | resources: ["pods"] 157 | {{- end }} -------------------------------------------------------------------------------- /manifests/ambassador/base/templates/aes-internal.yaml: -------------------------------------------------------------------------------- 1 | {{ if and .Values.createDevPortalMappings .Values.enableAES }} 2 | --- 3 | # Configure DevPortal 4 | apiVersion: getambassador.io/v2 5 | kind: Mapping 6 | metadata: 7 | # This Mapping name is referenced by convention, it's important to leave as-is. 8 | name: {{ include "ambassador.fullname" . }}-devportal 9 | labels: 10 | app.kubernetes.io/name: {{ include "ambassador.name" . }} 11 | app.kubernetes.io/part-of: {{ .Release.Name }} 12 | helm.sh/chart: {{ include "ambassador.chart" . }} 13 | app.kubernetes.io/instance: {{ .Release.Name }} 14 | {{- if .Values.deploymentTool }} 15 | app.kubernetes.io/managed-by: {{ .Values.deploymentTool }} 16 | {{- else }} 17 | app.kubernetes.io/managed-by: {{ .Release.Service }} 18 | {{- end }} 19 | app.kubernetes.io/component: {{ include "ambassador.name" . }}-devportal 20 | product: aes 21 | spec: 22 | {{- if .Values.env }} 23 | {{- if hasKey .Values.env "AMBASSADOR_ID" }} 24 | ambassador_id: {{ .Values.env.AMBASSADOR_ID | quote }} 25 | {{- end }} 26 | {{- end }} 27 | prefix: /documentation/ 28 | rewrite: "/docs/" 29 | service: "127.0.0.1:8500" 30 | --- 31 | apiVersion: getambassador.io/v2 32 | kind: Mapping 33 | metadata: 34 | name: {{ include "ambassador.fullname" . }}-devportal-assets 35 | labels: 36 | app.kubernetes.io/name: {{ include "ambassador.name" . 
}} 37 | app.kubernetes.io/part-of: {{ .Release.Name }} 38 | helm.sh/chart: {{ include "ambassador.chart" . }} 39 | app.kubernetes.io/instance: {{ .Release.Name }} 40 | {{- if .Values.deploymentTool }} 41 | app.kubernetes.io/managed-by: {{ .Values.deploymentTool }} 42 | {{- else }} 43 | app.kubernetes.io/managed-by: {{ .Release.Service }} 44 | {{- end }} 45 | app.kubernetes.io/component: {{ include "ambassador.name" . }}-devportal-assets 46 | product: aes 47 | spec: 48 | {{- if .Values.env }} 49 | {{- if hasKey .Values.env "AMBASSADOR_ID" }} 50 | ambassador_id: {{ .Values.env.AMBASSADOR_ID | quote }} 51 | {{- end }} 52 | {{- end }} 53 | prefix: /documentation/(assets|styles)/(.*)(.css) 54 | prefix_regex: true 55 | regex_rewrite: 56 | pattern: /documentation/(.*) 57 | substitution: /docs/\1 58 | service: "127.0.0.1:8500" 59 | add_response_headers: 60 | cache-control: 61 | value: "public, max-age=3600, immutable" 62 | append: false 63 | --- 64 | apiVersion: getambassador.io/v2 65 | kind: Mapping 66 | metadata: 67 | # This Mapping name is what the demo uses. Sigh. 68 | name: {{ include "ambassador.fullname" . }}-devportal-demo 69 | labels: 70 | app.kubernetes.io/name: {{ include "ambassador.name" . }} 71 | app.kubernetes.io/part-of: {{ .Release.Name }} 72 | helm.sh/chart: {{ include "ambassador.chart" . }} 73 | app.kubernetes.io/instance: {{ .Release.Name }} 74 | {{- if .Values.deploymentTool }} 75 | app.kubernetes.io/managed-by: {{ .Values.deploymentTool }} 76 | {{- else }} 77 | app.kubernetes.io/managed-by: {{ .Release.Service }} 78 | {{- end }} 79 | app.kubernetes.io/component: {{ include "ambassador.name" . 
}}-devportal-demo 80 | product: aes 81 | spec: 82 | {{- if .Values.env }} 83 | {{- if hasKey .Values.env "AMBASSADOR_ID" }} 84 | ambassador_id: {{ .Values.env.AMBASSADOR_ID | quote }} 85 | {{- end }} 86 | {{- end }} 87 | prefix: /docs/ 88 | rewrite: "/docs/" 89 | service: "127.0.0.1:8500" 90 | --- 91 | apiVersion: getambassador.io/v2 92 | kind: Mapping 93 | metadata: 94 | # This Mapping name is referenced by convention, it's important to leave as-is. 95 | name: {{ include "ambassador.fullname" . }}-devportal-api 96 | labels: 97 | app.kubernetes.io/name: {{ include "ambassador.name" . }} 98 | app.kubernetes.io/part-of: {{ .Release.Name }} 99 | helm.sh/chart: {{ include "ambassador.chart" . }} 100 | app.kubernetes.io/instance: {{ .Release.Name }} 101 | {{- if .Values.deploymentTool }} 102 | app.kubernetes.io/managed-by: {{ .Values.deploymentTool }} 103 | {{- else }} 104 | app.kubernetes.io/managed-by: {{ .Release.Service }} 105 | {{- end }} 106 | app.kubernetes.io/component: {{ include "ambassador.name" . }}-devportal-api 107 | product: aes 108 | spec: 109 | {{- if .Values.env }} 110 | {{- if hasKey .Values.env "AMBASSADOR_ID" }} 111 | ambassador_id: {{ .Values.env.AMBASSADOR_ID | quote }} 112 | {{- end }} 113 | {{- end }} 114 | prefix: /openapi/ 115 | rewrite: "" 116 | service: "127.0.0.1:8500" 117 | {{ end }} 118 | -------------------------------------------------------------------------------- /manifests/ambassador/base/templates/aes-ratelimit.yaml: -------------------------------------------------------------------------------- 1 | {{ if and .Values.rateLimit.create .Values.enableAES }} 2 | --- 3 | apiVersion: getambassador.io/v2 4 | kind: RateLimitService 5 | metadata: 6 | name: {{ include "ambassador.fullname" . }}-ratelimit 7 | namespace: {{ include "ambassador.namespace" . }} 8 | labels: 9 | app.kubernetes.io/name: {{ include "ambassador.name" . }} 10 | app.kubernetes.io/part-of: {{ .Release.Name }} 11 | helm.sh/chart: {{ include "ambassador.chart" . 
}} 12 | app.kubernetes.io/instance: {{ .Release.Name }} 13 | {{- if .Values.deploymentTool }} 14 | app.kubernetes.io/managed-by: {{ .Values.deploymentTool }} 15 | {{- else }} 16 | app.kubernetes.io/managed-by: {{ .Release.Service }} 17 | {{- end }} 18 | app.kubernetes.io/component: {{ include "ambassador.name" . }}-ratelimit 19 | product: aes 20 | spec: 21 | {{- if .Values.env }} 22 | {{- if hasKey .Values.env "AMBASSADOR_ID" }} 23 | ambassador_id: {{ .Values.env.AMBASSADOR_ID | quote }} 24 | {{- end }} 25 | {{- end }} 26 | service: 127.0.0.1:8500 27 | {{ end }} 28 | -------------------------------------------------------------------------------- /manifests/ambassador/base/templates/aes-redis.yaml: -------------------------------------------------------------------------------- 1 | {{ if and .Values.redis.create .Values.enableAES }} 2 | --- 3 | apiVersion: v1 4 | kind: Service 5 | metadata: 6 | name: {{ include "ambassador.fullname" . }}-redis 7 | namespace: {{ include "ambassador.namespace" . }} 8 | labels: 9 | app.kubernetes.io/name: {{ include "ambassador.fullname" . }}-redis 10 | app.kubernetes.io/part-of: {{ .Release.Name }} 11 | helm.sh/chart: {{ include "ambassador.chart" . }} 12 | app.kubernetes.io/instance: {{ .Release.Name }} 13 | {{- if .Values.deploymentTool }} 14 | app.kubernetes.io/managed-by: {{ .Values.deploymentTool }} 15 | {{- else }} 16 | app.kubernetes.io/managed-by: {{ .Release.Service }} 17 | {{- end }} 18 | annotations: 19 | a8r.io/owner: "Ambassador Labs" 20 | a8r.io/repository: github.com/datawire/ambassador 21 | a8r.io/description: "The Ambassador Edge Stack Redis store for auth and rate limiting, among other things." 
22 | a8r.io/documentation: https://www.getambassador.io/docs/latest/ 23 | a8r.io/chat: http://d6e.co/slack 24 | a8r.io/bugs: https://github.com/datawire/ambassador/issues 25 | a8r.io/support: https://www.getambassador.io/about-us/support/ 26 | a8r.io/dependencies: "None" 27 | {{- with .Values.redis.annotations.service }} 28 | {{- toYaml . | nindent 4 }} 29 | {{- end }} 30 | spec: 31 | type: ClusterIP 32 | ports: 33 | - port: 6379 34 | targetPort: 6379 35 | selector: 36 | app.kubernetes.io/name: {{ include "ambassador.fullname" . }}-redis 37 | app.kubernetes.io/instance: {{ .Release.Name }} 38 | --- 39 | apiVersion: apps/v1 40 | kind: Deployment 41 | metadata: 42 | name: {{ include "ambassador.fullname" . }}-redis 43 | namespace: {{ include "ambassador.namespace" . }} 44 | labels: 45 | app.kubernetes.io/name: {{ include "ambassador.fullname" . }}-redis 46 | app.kubernetes.io/part-of: {{ .Release.Name }} 47 | helm.sh/chart: {{ include "ambassador.chart" . }} 48 | app.kubernetes.io/instance: {{ .Release.Name }} 49 | {{- if .Values.deploymentTool }} 50 | app.kubernetes.io/managed-by: {{ .Values.deploymentTool }} 51 | {{- else }} 52 | app.kubernetes.io/managed-by: {{ .Release.Service }} 53 | {{- end }} 54 | product: aes 55 | annotations: 56 | {{- toYaml .Values.redis.annotations.deployment | nindent 4}} 57 | spec: 58 | replicas: 1 59 | selector: 60 | matchLabels: 61 | app.kubernetes.io/name: {{ include "ambassador.fullname" . }}-redis 62 | app.kubernetes.io/instance: {{ .Release.Name }} 63 | template: 64 | metadata: 65 | labels: 66 | app.kubernetes.io/name: {{ include "ambassador.fullname" . 
}}-redis 67 | app.kubernetes.io/instance: {{ .Release.Name }} 68 | spec: 69 | containers: 70 | - name: redis 71 | image: "{{ .Values.redis.image.repository }}:{{ .Values.redis.image.tag }}" 72 | imagePullPolicy: {{ .Values.redis.image.pullPolicy }} 73 | resources: 74 | {{- toYaml .Values.redis.resources | nindent 10 }} 75 | restartPolicy: Always 76 | {{- with .Values.redis.nodeSelector }} 77 | nodeSelector: 78 | {{- toYaml . | nindent 8 }} 79 | {{- end }} 80 | {{- with .Values.redis.affinity }} 81 | affinity: 82 | {{- toYaml . | nindent 8 }} 83 | {{- end }} 84 | {{- with .Values.redis.tolerations }} 85 | tolerations: 86 | {{- toYaml . | nindent 8 }} 87 | {{- end }} 88 | {{ end }} 89 | -------------------------------------------------------------------------------- /manifests/ambassador/base/templates/aes-resolvers.yaml: -------------------------------------------------------------------------------- 1 | {{ if .Values.resolvers.endpoint.create }} 2 | --- 3 | apiVersion: getambassador.io/v2 4 | kind: KubernetesEndpointResolver 5 | metadata: 6 | name: {{ .Values.resolvers.endpoint.name }} 7 | namespace: {{ include "ambassador.namespace" . }} 8 | {{ end }} 9 | {{ if .Values.resolvers.consul.create }} 10 | --- 11 | apiVersion: getambassador.io/v2 12 | kind: ConsulResolver 13 | metadata: 14 | name: {{ .Values.resolvers.consul.name }} 15 | namespace: {{ include "ambassador.namespace" . 
}} 16 | spec: 17 | {{- toYaml .Values.resolvers.consul.spec | nindent 2 }} 18 | {{ end }} -------------------------------------------------------------------------------- /manifests/ambassador/base/templates/aes-secret.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.licenseKey.createSecret .Values.enableAES }} 2 | apiVersion: v1 3 | kind: Secret 4 | metadata: 5 | annotations: 6 | helm.sh/resource-policy: keep 7 | {{- if .Values.licenseKey.annotations }} 8 | {{- toYaml .Values.licenseKey.annotations | nindent 4 }} 9 | {{- end }} 10 | {{- if .Values.licenseKey.secretName }} 11 | name: {{ .Values.licenseKey.secretName }} 12 | {{- else }} 13 | name: {{ include "ambassador.fullname" . }}-edge-stack 14 | {{- end }} 15 | namespace: {{ include "ambassador.namespace" . }} 16 | type: Opaque 17 | data: 18 | license-key: {{- if .Values.licenseKey.value }} {{ .Values.licenseKey.value | b64enc }} {{- else }} "" {{- end }} 19 | {{- end }} 20 | -------------------------------------------------------------------------------- /manifests/ambassador/base/templates/config.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.ambassadorConfig }} 2 | apiVersion: v1 3 | kind: ConfigMap 4 | metadata: 5 | name: '{{ include "ambassador.fullname" . }}-file-config' 6 | namespace: {{ include "ambassador.namespace" . }} 7 | labels: 8 | app.kubernetes.io/name: {{ include "ambassador.name" . }} 9 | app.kubernetes.io/part-of: {{ .Release.Name }} 10 | helm.sh/chart: {{ include "ambassador.chart" . 
}}
 11 |     app.kubernetes.io/instance: {{ .Release.Name }}
 12 |     {{- if .Values.deploymentTool }}
 13 |     app.kubernetes.io/managed-by: {{ .Values.deploymentTool }}
 14 |     {{- else }}
 15 |     app.kubernetes.io/managed-by: {{ .Release.Service }}
 16 |     {{- end }}
 17 | data:
 18 |   ambassadorConfig: |-
 19 |     {{- .Values.ambassadorConfig | nindent 4 }}
 20 | {{- end }}
 21 |
--------------------------------------------------------------------------------
/manifests/ambassador/base/templates/crd-delete.yaml:
--------------------------------------------------------------------------------
  1 | {{- if and .Values.crds.enabled (not .Values.crds.keep)}}
      # Post-delete hook set, rendered only when crds.enabled is set and crds.keep is not:
      # a ServiceAccount, ClusterRole and ClusterRoleBinding (hook weight 1) and a Job
      # (hook weight 3) that runs `kubectl delete crds -l app.kubernetes.io/name=ambassador`.
  2 | ---
  3 | apiVersion: v1
  4 | kind: ServiceAccount
  5 | metadata:
  6 |   name: {{ include "ambassador.serviceAccountName" . }}-crd-delete
  7 |   namespace: {{ include "ambassador.namespace" . }}
  8 |   annotations:
  9 |     "helm.sh/hook": post-delete
      # NOTE(review): hook-succeeded removes this object only after a successful hook run;
      # after a failed uninstall, check for a leftover ServiceAccount and cluster-wide binding.
 10 |     "helm.sh/hook-delete-policy": hook-succeeded
 11 |     "helm.sh/hook-weight": "1"
 12 |   labels:
 13 |     app.kubernetes.io/name: {{ include "ambassador.name" . }}
 14 |     app.kubernetes.io/part-of: {{ .Release.Name }}
 15 |     helm.sh/chart: {{ include "ambassador.chart" . }}
 16 |     app.kubernetes.io/instance: {{ .Release.Name }}
 17 |     {{- if .Values.deploymentTool }}
 18 |     app.kubernetes.io/managed-by: {{ .Values.deploymentTool }}
 19 |     {{- else }}
 20 |     app.kubernetes.io/managed-by: {{ .Release.Service }}
 21 |     {{- end }}
 22 |     product: aes
 23 | ---
      # NOTE(review): rbac.authorization.k8s.io/v1beta1 is no longer served from Kubernetes 1.22;
      # rbac.authorization.k8s.io/v1 accepts the same ClusterRole/ClusterRoleBinding schema.
 24 | apiVersion: rbac.authorization.k8s.io/v1beta1
 25 | kind: ClusterRole
 26 | metadata:
 27 |   name: {{ include "ambassador.rbacName" . }}-crd-delete
      # ClusterRole and ClusterRoleBinding are cluster-scoped, so this namespace field has no effect.
 28 |   namespace: {{ include "ambassador.namespace" . }}
 29 |   annotations:
 30 |     "helm.sh/hook": post-delete
 31 |     "helm.sh/hook-delete-policy": hook-succeeded
 32 |     "helm.sh/hook-weight": "1"
 33 |   labels:
 34 |     app.kubernetes.io/name: {{ include "ambassador.name" . }}
 35 |     app.kubernetes.io/part-of: {{ .Release.Name }}
 36 |     helm.sh/chart: {{ include "ambassador.chart" . }}
 37 |     app.kubernetes.io/instance: {{ .Release.Name }}
 38 |     {{- if .Values.deploymentTool }}
 39 |     app.kubernetes.io/managed-by: {{ .Values.deploymentTool }}
 40 |     {{- else }}
 41 |     app.kubernetes.io/managed-by: {{ .Release.Service }}
 42 |     {{- end }}
 43 |     product: aes
      # NOTE(review): there is no resourceNames list here, so this rule allows deleting every
      # CustomResourceDefinition in the cluster, not only the getambassador.io CRDs that
      # crds-rbac.yaml enumerates. The label selector in the Job below narrows the request on
      # the client side only; the permission itself is cluster-wide.
 44 | rules:
 45 |   - apiGroups: [ "apiextensions.k8s.io" ]
 46 |     resources: [ "customresourcedefinitions" ]
 47 |     verbs: ["get", "list", "watch", "delete"]
 48 | ---
 49 | apiVersion: rbac.authorization.k8s.io/v1beta1
 50 | kind: ClusterRoleBinding
 51 | metadata:
 52 |   name: {{ include "ambassador.rbacName" . }}-crd-delete
 53 |   namespace: {{ include "ambassador.namespace" . }}
 54 |   annotations:
 55 |     "helm.sh/hook": post-delete
 56 |     "helm.sh/hook-delete-policy": hook-succeeded
 57 |     "helm.sh/hook-weight": "1"
 58 |   labels:
 59 |     app.kubernetes.io/name: {{ include "ambassador.name" . }}
 60 |     app.kubernetes.io/part-of: {{ .Release.Name }}
 61 |     helm.sh/chart: {{ include "ambassador.chart" . }}
 62 |     app.kubernetes.io/instance: {{ .Release.Name }}
 63 |     {{- if .Values.deploymentTool }}
 64 |     app.kubernetes.io/managed-by: {{ .Values.deploymentTool }}
 65 |     {{- else }}
 66 |     app.kubernetes.io/managed-by: {{ .Release.Service }}
 67 |     {{- end }}
 68 |     product: aes
 69 | roleRef:
 70 |   apiGroup: rbac.authorization.k8s.io
 71 |   kind: ClusterRole
 72 |   name: {{ include "ambassador.rbacName" . }}-crd-delete
 73 | subjects:
 74 |   - name: {{ include "ambassador.serviceAccountName" . }}-crd-delete
 75 |     namespace: {{ include "ambassador.namespace" . }}
 76 |     kind: ServiceAccount
 77 | ---
 78 | apiVersion: batch/v1
 79 | kind: Job
 80 | metadata:
 81 |   name: {{ include "ambassador.fullname" . }}-crd-cleanup
 82 |   namespace: {{ include "ambassador.namespace" . }}
 83 |   annotations:
 84 |     "helm.sh/hook": post-delete
 85 |     "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
 86 |     "helm.sh/hook-weight": "3"
 87 |   labels:
 88 |     app.kubernetes.io/name: {{ include "ambassador.name" . }}
 89 |     app.kubernetes.io/part-of: {{ .Release.Name }}
 90 |     helm.sh/chart: {{ include "ambassador.chart" . }}
 91 |     app.kubernetes.io/instance: {{ .Release.Name }}
 92 |     {{- if .Values.deploymentTool }}
 93 |     app.kubernetes.io/managed-by: {{ .Values.deploymentTool }}
 94 |     {{- else }}
 95 |     app.kubernetes.io/managed-by: {{ .Release.Service }}
 96 |     {{- end }}
 97 | spec:
 98 |   template:
 99 |     metadata:
100 |       name: {{ include "ambassador.fullname" . }}-crd-cleanup
101 |       labels:
102 |         app.kubernetes.io/name: {{ include "ambassador.name" . }}
103 |         app.kubernetes.io/part-of: {{ .Release.Name }}
104 |         helm.sh/chart: {{ include "ambassador.chart" . }}
105 |         app.kubernetes.io/instance: {{ .Release.Name }}
106 |         {{- if .Values.deploymentTool }}
107 |         app.kubernetes.io/managed-by: {{ .Values.deploymentTool }}
108 |         {{- else }}
109 |         app.kubernetes.io/managed-by: {{ .Release.Service }}
110 |         {{- end }}
111 |     spec:
      # NOTE(review): the ServiceAccount and ClusterRole above are rendered whenever this file
      # is, but the Job uses that ServiceAccount only when rbac.create is set; otherwise the pod
      # spec names no ServiceAccount and falls back to the namespace default.
112 |       {{- if .Values.rbac.create }}
113 |       serviceAccountName: {{ include "ambassador.serviceAccountName" . }}-crd-delete
114 |       {{- end }}
115 |       containers:
116 |       - name: kubectl
      # NOTE(review): third-party image with no tag or digest, so it resolves to the mutable
      # `latest` tag and runs with the CRD-delete ClusterRole above. Pin it by digest
      # ("buoyantio/kubectl@sha256:<digest-placeholder>") or mirror it into a registry you control.
117 |         image: "buoyantio/kubectl"
118 |         args:
119 |         - delete
120 |         - crds
      # The flag and its value are passed as one argv element.
121 |         - -l app.kubernetes.io/name=ambassador
122 |       restartPolicy: OnFailure
123 | {{- end }}
124 |
--------------------------------------------------------------------------------
/manifests/ambassador/base/templates/crds-rbac.yaml:
--------------------------------------------------------------------------------
  1 | {{- if .Values.crds.enabled }}
  2 | {{- if .Values.rbac.create }}
  3 | ---
  4 | apiVersion: rbac.authorization.k8s.io/v1beta1
  5 | kind: ClusterRole
  6 | metadata:
  7 |   name: {{ include "ambassador.rbacName" . }}-crds
  8 |   labels:
  9 |     app.kubernetes.io/name: {{ include "ambassador.name" . }}
 10 |     helm.sh/chart: {{ include "ambassador.chart" . 
}} 11 | app.kubernetes.io/instance: {{ .Release.Name }} 12 | {{- if .Values.deploymentTool }} 13 | app.kubernetes.io/managed-by: {{ .Values.deploymentTool }} 14 | {{- else }} 15 | app.kubernetes.io/managed-by: {{ .Release.Service }} 16 | {{- end }} 17 | product: aes 18 | rules: 19 | - apiGroups: [ "apiextensions.k8s.io" ] 20 | resources: 21 | - customresourcedefinitions 22 | resourceNames: 23 | - authservices.getambassador.io 24 | - mappings.getambassador.io 25 | - modules.getambassador.io 26 | - ratelimitservices.getambassador.io 27 | - tcpmappings.getambassador.io 28 | - tlscontexts.getambassador.io 29 | - tracingservices.getambassador.io 30 | - kubernetesendpointresolvers.getambassador.io 31 | - kubernetesserviceresolvers.getambassador.io 32 | - consulresolvers.getambassador.io 33 | - filters.getambassador.io 34 | - filterpolicies.getambassador.io 35 | - ratelimits.getambassador.io 36 | - hosts.getambassador.io 37 | - logservices.getambassador.io 38 | verbs: ["get", "list", "watch", "delete"] 39 | --- 40 | apiVersion: rbac.authorization.k8s.io/v1beta1 41 | kind: ClusterRoleBinding 42 | metadata: 43 | name: {{ include "ambassador.rbacName" . }}-crds 44 | labels: 45 | app.kubernetes.io/name: {{ include "ambassador.name" . }} 46 | helm.sh/chart: {{ include "ambassador.chart" . }} 47 | app.kubernetes.io/instance: {{ .Release.Name }} 48 | {{- if .Values.deploymentTool }} 49 | app.kubernetes.io/managed-by: {{ .Values.deploymentTool }} 50 | {{- else }} 51 | app.kubernetes.io/managed-by: {{ .Release.Service }} 52 | {{- end }} 53 | roleRef: 54 | apiGroup: rbac.authorization.k8s.io 55 | kind: ClusterRole 56 | name: {{ include "ambassador.rbacName" . }}-crds 57 | subjects: 58 | - name: {{ include "ambassador.serviceAccountName" . 
}} 59 | namespace: {{ .Release.Namespace | quote }} 60 | kind: ServiceAccount 61 | {{- end }} 62 | {{- end }} 63 | -------------------------------------------------------------------------------- /manifests/ambassador/base/templates/crds.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.crds.create }} 2 | {{- range $path, $bytes := .Files.Glob "crds/*.yaml" }} 3 | {{ $.Files.Get $path }} 4 | --- 5 | {{- end }} 6 | {{- end }} 7 | -------------------------------------------------------------------------------- /manifests/ambassador/base/templates/deployment.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | {{- if .Values.daemonSet }} 3 | kind: DaemonSet 4 | {{- else }} 5 | kind: Deployment 6 | {{- end }} 7 | metadata: 8 | name: {{ include "ambassador.fullname" . }} 9 | namespace: {{ include "ambassador.namespace" . }} 10 | labels: 11 | app.kubernetes.io/name: {{ include "ambassador.name" . }} 12 | app.kubernetes.io/part-of: {{ .Release.Name }} 13 | helm.sh/chart: {{ include "ambassador.chart" . }} 14 | app.kubernetes.io/instance: {{ .Release.Name }} 15 | {{- if .Values.deploymentTool }} 16 | app.kubernetes.io/managed-by: {{ .Values.deploymentTool }} 17 | {{- else }} 18 | app.kubernetes.io/managed-by: {{ .Release.Service }} 19 | {{- end }} 20 | product: aes 21 | {{- if .Values.deploymentLabels }} 22 | {{- toYaml .Values.deploymentLabels | nindent 4 }} 23 | {{- end }} 24 | {{- if .Values.deploymentAnnotations }} 25 | annotations: 26 | {{- toYaml .Values.deploymentAnnotations | nindent 4 }} 27 | {{- end }} 28 | spec: 29 | {{- if and (not .Values.autoscaling.enabled) (not .Values.daemonSet) }} 30 | replicas: {{ .Values.replicaCount }} 31 | {{- end }} 32 | selector: 33 | matchLabels: 34 | app.kubernetes.io/name: {{ include "ambassador.name" . 
}} 35 | app.kubernetes.io/instance: {{ .Release.Name }} 36 | {{- if .Values.daemonSet }} 37 | updateStrategy: 38 | {{- else }} 39 | strategy: 40 | {{- end }} 41 | {{- toYaml .Values.deploymentStrategy | nindent 4}} 42 | template: 43 | metadata: 44 | labels: 45 | app.kubernetes.io/name: {{ include "ambassador.name" . }} 46 | app.kubernetes.io/part-of: {{ .Release.Name }} 47 | app.kubernetes.io/instance: {{ .Release.Name }} 48 | {{- if .Values.deploymentTool }} 49 | app.kubernetes.io/managed-by: {{ .Values.deploymentTool }} 50 | {{- else }} 51 | app.kubernetes.io/managed-by: {{ .Release.Service }} 52 | {{- end }} 53 | product: aes 54 | {{- if .Values.podLabels }} 55 | {{- toYaml .Values.podLabels | nindent 8 }} 56 | {{- end }} 57 | annotations: 58 | checksum/config: {{ include (print $.Template.BasePath "/config.yaml") . | sha256sum }} 59 | {{- if .Values.podAnnotations }} 60 | {{- toYaml .Values.podAnnotations | nindent 8 }} 61 | {{- end }} 62 | spec: 63 | {{- if .Values.terminationGracePeriodSeconds }} 64 | terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }} 65 | {{- end }} 66 | {{- /* Check if .Values.securityContext is set for backwards compatibility */ -}} 67 | {{- if .Values.securityContext -}} 68 | {{- with .Values.securityContext }} 69 | securityContext: 70 | {{- toYaml . | nindent 8 }} 71 | {{- end }} 72 | {{- else -}} 73 | {{- with .Values.security.podSecurityContext }} 74 | securityContext: 75 | {{- toYaml . | nindent 8 }} 76 | {{- end }} 77 | {{- end -}} 78 | {{- if .Values.restartPolicy }} 79 | restartPolicy: {{ .Values.restartPolicy }} 80 | {{- end }} 81 | serviceAccountName: {{ include "ambassador.serviceAccountName" . 
}} 82 | {{- if .Values.priorityClassName }} 83 | priorityClassName: {{ .Values.priorityClassName | quote }} 84 | {{- end }} 85 | volumes: 86 | - name: ambassador-pod-info 87 | downwardAPI: 88 | items: 89 | - fieldRef: 90 | fieldPath: metadata.labels 91 | path: labels 92 | {{- if .Values.prometheusExporter.enabled }} 93 | - name: stats-exporter-mapping-config 94 | configMap: 95 | name: {{ include "ambassador.fullname" . }}-exporter-config 96 | items: 97 | - key: exporterConfiguration 98 | path: mapping-config.yaml 99 | {{- end }} 100 | {{- if .Values.ambassadorConfig }} 101 | - name: ambassador-config 102 | configMap: 103 | name: {{ include "ambassador.fullname" . }}-file-config 104 | items: 105 | - key: ambassadorConfig 106 | path: ambassador-config.yaml 107 | {{- end }} 108 | {{- if and .Values.licenseKey.createSecret .Values.enableAES }} 109 | - name: {{ include "ambassador.fullname" . }}-edge-stack-secrets 110 | secret: 111 | {{- if .Values.licenseKey.secretName }} 112 | secretName: {{ .Values.licenseKey.secretName }} 113 | {{- else }} 114 | secretName: {{ include "ambassador.fullname" . }}-edge-stack 115 | {{- end }} 116 | {{- end }} 117 | {{- with .Values.volumes }} 118 | {{- toYaml . | nindent 8 }} 119 | {{- end }} 120 | {{- with .Values.initContainers }} 121 | initContainers: 122 | {{- toYaml . 
| nindent 8 }} 123 | {{- end }} 124 | containers: 125 | {{- if .Values.prometheusExporter.enabled }} 126 | - name: prometheus-exporter 127 | image: "{{ .Values.prometheusExporter.repository }}:{{ .Values.prometheusExporter.tag }}" 128 | imagePullPolicy: {{ .Values.prometheusExporter.pullPolicy }} 129 | ports: 130 | - name: metrics 131 | containerPort: 9102 132 | - name: listener 133 | containerPort: 8125 134 | args: 135 | - --statsd.listen-udp=:8125 136 | - --web.listen-address=:9102 137 | - --statsd.mapping-config=/statsd-exporter/mapping-config.yaml 138 | volumeMounts: 139 | - name: stats-exporter-mapping-config 140 | mountPath: /statsd-exporter/ 141 | readOnly: true 142 | resources: 143 | {{- toYaml .Values.prometheusExporter.resources | nindent 12 }} 144 | {{- end }} 145 | - name: {{ .Chart.Name }} 146 | image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" 147 | imagePullPolicy: {{ .Values.image.pullPolicy }} 148 | ports: 149 | {{- range .Values.service.ports }} 150 | - name: {{ .name }} 151 | containerPort: {{ int .targetPort }} 152 | {{- if .protocol }} 153 | protocol: {{ .protocol }} 154 | {{- end }} 155 | {{- if .hostPort }} 156 | hostPort: {{ .hostPort }} 157 | {{- end }} 158 | {{- end}} 159 | - name: admin 160 | containerPort: {{ .Values.adminService.port }} 161 | env: 162 | - name: HOST_IP 163 | valueFrom: 164 | fieldRef: 165 | fieldPath: status.hostIP 166 | {{- if and (or .Values.redis.create .Values.redisURL) (.Values.enableAES) }} 167 | - name: REDIS_URL 168 | {{- if .Values.redisURL }} 169 | value: {{ .Values.redisURL }} 170 | {{- else }} 171 | value: {{ include "ambassador.fullname" . 
}}-redis:6379 172 | {{- end }} 173 | {{- end }} 174 | {{- if and .Values.licenseKey.secretName .Values.enableAES}} 175 | - name: AMBASSADOR_AES_SECRET_NAME 176 | value: {{ .Values.licenseKey.secretName }} 177 | {{- end }} 178 | {{- if .Values.prometheusExporter.enabled }} 179 | - name: STATSD_ENABLED 180 | value: "true" 181 | - name: STATSD_HOST 182 | value: "localhost" 183 | {{- end }} 184 | {{- if .Values.scope.singleNamespace }} 185 | - name: AMBASSADOR_SINGLE_NAMESPACE 186 | value: "YES" 187 | {{- end }} 188 | - name: AMBASSADOR_NAMESPACE 189 | {{- if .Values.namespace }} 190 | value: {{ .Values.namespace.name | quote }} 191 | {{ else }} 192 | valueFrom: 193 | fieldRef: 194 | fieldPath: metadata.namespace 195 | {{- end -}} 196 | {{- if .Values.redisEnv }} 197 | {{ toYaml .Values.redisEnv | nindent 12 }} 198 | {{- end }} 199 | {{- if .Values.env }} 200 | {{- range $key,$value := .Values.env }} 201 | - name: {{ $key | upper | quote}} 202 | value: {{ $value | quote}} 203 | {{- end }} 204 | {{- end }} 205 | {{- if .Values.envRaw }} 206 | {{- with .Values.envRaw }} 207 | {{- toYaml . | nindent 12 }} 208 | {{- end }} 209 | {{- end }} 210 | {{- with .Values.security.containerSecurityContext }} 211 | securityContext: 212 | {{- toYaml . 
| nindent 12 }} 213 | {{- end }} 214 | livenessProbe: 215 | httpGet: 216 | path: /ambassador/v0/check_alive 217 | port: admin 218 | {{- toYaml .Values.livenessProbe | nindent 12 }} 219 | readinessProbe: 220 | httpGet: 221 | path: /ambassador/v0/check_ready 222 | port: admin 223 | {{- toYaml .Values.readinessProbe | nindent 12 }} 224 | volumeMounts: 225 | - name: ambassador-pod-info 226 | mountPath: /tmp/ambassador-pod-info 227 | readOnly: true 228 | {{- if .Values.ambassadorConfig }} 229 | - name: ambassador-config 230 | mountPath: /ambassador/ambassador-config/ambassador-config.yaml 231 | subPath: ambassador-config.yaml 232 | {{- end }} 233 | {{- if and .Values.licenseKey.createSecret .Values.enableAES }} 234 | - name: {{ include "ambassador.fullname" . }}-edge-stack-secrets 235 | mountPath: /.config/ambassador 236 | readOnly: true 237 | {{- end }} 238 | {{- with .Values.volumeMounts }} 239 | {{- toYaml . | nindent 12 }} 240 | {{- end }} 241 | resources: 242 | {{- toYaml .Values.resources | nindent 12 }} 243 | {{- with .Values.sidecarContainers }} 244 | {{- toYaml . | nindent 8 }} 245 | {{- end }} 246 | {{- with .Values.nodeSelector }} 247 | nodeSelector: 248 | {{- toYaml . | nindent 8 }} 249 | {{- end }} 250 | {{- with .Values.affinity }} 251 | affinity: 252 | {{- toYaml . | nindent 8 }} 253 | {{- end }} 254 | {{- with .Values.tolerations }} 255 | tolerations: 256 | {{- toYaml . | nindent 8 }} 257 | {{- end }} 258 | imagePullSecrets: 259 | {{- toYaml .Values.imagePullSecrets | nindent 8 }} 260 | dnsPolicy: {{ .Values.dnsPolicy }} 261 | hostNetwork: {{ .Values.hostNetwork }} 262 | -------------------------------------------------------------------------------- /manifests/ambassador/base/templates/exporter-config.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.prometheusExporter.enabled }} 2 | apiVersion: v1 3 | kind: ConfigMap 4 | metadata: 5 | name: '{{ include "ambassador.fullname" . 
}}-exporter-config' 6 | namespace: {{ include "ambassador.namespace" . }} 7 | labels: 8 | app.kubernetes.io/name: {{ include "ambassador.name" . }} 9 | app.kubernetes.io/part-of: {{ .Release.Name }} 10 | helm.sh/chart: {{ include "ambassador.chart" . }} 11 | app.kubernetes.io/instance: {{ .Release.Name }} 12 | {{- if .Values.deploymentTool }} 13 | app.kubernetes.io/managed-by: {{ .Values.deploymentTool }} 14 | {{- else }} 15 | app.kubernetes.io/managed-by: {{ .Release.Service }} 16 | {{- end }} 17 | data: 18 | exporterConfiguration: 19 | {{- if .Values.prometheusExporter.configuration }} | 20 | {{- .Values.prometheusExporter.configuration | nindent 4 }} 21 | {{- else }} '' 22 | {{- end }} 23 | {{- end }} 24 | -------------------------------------------------------------------------------- /manifests/ambassador/base/templates/hpa.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.autoscaling.enabled (not .Values.daemonSet) }} 2 | apiVersion: autoscaling/v2beta2 3 | kind: HorizontalPodAutoscaler 4 | metadata: 5 | name: {{ include "ambassador.fullname" . }} 6 | namespace: {{ include "ambassador.namespace" . }} 7 | labels: 8 | app.kubernetes.io/name: {{ include "ambassador.name" . }} 9 | app.kubernetes.io/part-of: {{ .Release.Name }} 10 | helm.sh/chart: {{ include "ambassador.chart" . }} 11 | app.kubernetes.io/instance: {{ .Release.Name }} 12 | {{- if .Values.deploymentTool }} 13 | app.kubernetes.io/managed-by: {{ .Values.deploymentTool }} 14 | {{- else }} 15 | app.kubernetes.io/managed-by: {{ .Release.Service }} 16 | {{- end }} 17 | spec: 18 | scaleTargetRef: 19 | apiVersion: apps/v1 20 | kind: Deployment 21 | name: {{ include "ambassador.fullname" . 
}} 22 | minReplicas: {{ .Values.autoscaling.minReplicas }} 23 | maxReplicas: {{ .Values.autoscaling.maxReplicas }} 24 | metrics: 25 | {{- toYaml .Values.autoscaling.metrics | nindent 4 }} 26 | {{- end }} 27 | -------------------------------------------------------------------------------- /manifests/ambassador/base/templates/pdb.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.podDisruptionBudget }} 2 | apiVersion: policy/v1beta1 3 | kind: PodDisruptionBudget 4 | metadata: 5 | name: {{ include "ambassador.fullname" . }} 6 | namespace: {{ include "ambassador.namespace" . }} 7 | labels: 8 | app.kubernetes.io/name: {{ include "ambassador.name" . }} 9 | app.kubernetes.io/part-of: {{ .Release.Name }} 10 | helm.sh/chart: {{ include "ambassador.chart" . }} 11 | app.kubernetes.io/instance: {{ .Release.Name }} 12 | {{- if .Values.deploymentTool }} 13 | app.kubernetes.io/managed-by: {{ .Values.deploymentTool }} 14 | {{- else }} 15 | app.kubernetes.io/managed-by: {{ .Release.Service }} 16 | {{- end }} 17 | spec: 18 | selector: 19 | matchLabels: 20 | app.kubernetes.io/name: {{ include "ambassador.name" . }} 21 | app.kubernetes.io/part-of: {{ .Release.Name }} 22 | {{ toYaml .Values.podDisruptionBudget | indent 2 }} 23 | {{- end }} 24 | -------------------------------------------------------------------------------- /manifests/ambassador/base/templates/podsecuritypolicy.yaml: -------------------------------------------------------------------------------- 1 | {{ if .Values.security.podSecurityPolicy }} 2 | apiVersion: policy/v1beta1 3 | kind: PodSecurityPolicy 4 | metadata: 5 | name: {{ include "ambassador.fullname" . }} 6 | namespace: {{ include "ambassador.namespace" . }} 7 | labels: 8 | app.kubernetes.io/name: {{ include "ambassador.name" . }} 9 | app.kubernetes.io/part-of: {{ .Release.Name }} 10 | helm.sh/chart: {{ include "ambassador.chart" . 
}}
 11 |     app.kubernetes.io/instance: {{ .Release.Name }}
 12 |     {{- if .Values.deploymentTool }}
 13 |     app.kubernetes.io/managed-by: {{ .Values.deploymentTool }}
 14 |     {{- else }}
 15 |     app.kubernetes.io/managed-by: {{ .Release.Service }}
 16 |     {{- end }}
 17 |   {{- with .Values.security.podSecurityPolicy.annotations }}
 18 |   annotations:
 19 |     {{- toYaml . | nindent 4 }}
 20 |   {{- end }}
 21 | {{- with .Values.security.podSecurityPolicy.spec }}
 22 | spec:
 23 |   {{- toYaml . | nindent 2}}
 24 | {{- end }}
 25 | {{ end }}
--------------------------------------------------------------------------------
/manifests/ambassador/base/templates/projects-rbac.yaml:
--------------------------------------------------------------------------------
  1 | {{- if and .Values.rbac.create .Values.registry.create -}}
      # RBAC for the Projects feature, rendered only when both rbac.create and registry.create
      # are set. scope.singleNamespace selects Role/RoleBinding; otherwise the same rules are
      # granted cluster-wide through a ClusterRole/ClusterRoleBinding.
  2 | apiVersion: rbac.authorization.k8s.io/v1beta1
  3 | {{- if .Values.scope.singleNamespace }}
  4 | kind: Role
  5 | {{- else }}
  6 | kind: ClusterRole
  7 | {{- end }}
  8 | metadata:
      # NOTE(review): no namespace is set here, while the RoleBinding below sets one. In
      # singleNamespace mode the binding only resolves if both land in the same namespace;
      # presumably "ambassador.namespace" defaults to the release namespace — verify in _helpers.tpl.
  9 |   name: {{ include "ambassador.rbacName" . }}-projects
 10 |   labels:
 11 |     app.kubernetes.io/name: {{ include "ambassador.name" . }}
 12 |     helm.sh/chart: {{ include "ambassador.chart" . }}
 13 |     app.kubernetes.io/instance: {{ .Release.Name }}
 14 |     {{- if .Values.deploymentTool }}
 15 |     app.kubernetes.io/managed-by: {{ .Values.deploymentTool }}
 16 |     {{- else }}
 17 |     app.kubernetes.io/managed-by: {{ .Release.Service }}
 18 |     {{- end }}
 19 |     product: aes
      # NOTE(review): when scope.singleNamespace is not set, these rules let the Ambassador
      # ServiceAccount read, create, patch and delete Secrets and Services, and create
      # Deployments and Jobs, in every namespace. Reading every Secret in the cluster is a
      # high-value grant for an internet-facing gateway; enable registry.create only where that
      # is acceptable, and prefer singleNamespace so the grant becomes a namespaced Role.
 20 | rules:
 21 |   - apiGroups: [""]
 22 |     resources: [ "secrets", "services" ]
 23 |     verbs: [ "get", "list", "create", "patch", "delete", "watch" ]
 24 |   - apiGroups: ["apps"]
 25 |     resources: [ "deployments" ]
 26 |     verbs: [ "get", "list", "create", "patch", "delete", "watch" ]
 27 |   - apiGroups: ["batch"]
 28 |     resources: [ "jobs" ]
 29 |     verbs: [ "get", "list", "create", "patch", "delete", "watch" ]
 30 |   - apiGroups: [""]
 31 |     resources: [ "pods" ]
 32 |     verbs: [ "get", "list", "watch" ]
 33 |   - apiGroups: [""]
 34 |     resources: [ "pods/log" ]
 35 |     verbs: [ "get" ]
 36 | ---
 37 | apiVersion: rbac.authorization.k8s.io/v1beta1
 38 | {{- if .Values.scope.singleNamespace }}
 39 | kind: RoleBinding
 40 | {{- else }}
 41 | kind: ClusterRoleBinding
 42 | {{- end }}
 43 | metadata:
 44 |   name: {{ include "ambassador.rbacName" . }}-projects
 45 |   namespace: {{ include "ambassador.namespace" . }}
 46 |   labels:
 47 |     app.kubernetes.io/name: {{ include "ambassador.name" . }}
 48 |     app.kubernetes.io/part-of: {{ .Release.Name }}
 49 |     helm.sh/chart: {{ include "ambassador.chart" . }}
 50 |     app.kubernetes.io/instance: {{ .Release.Name }}
 51 |     {{- if .Values.deploymentTool }}
 52 |     app.kubernetes.io/managed-by: {{ .Values.deploymentTool }}
 53 |     {{- else }}
 54 |     app.kubernetes.io/managed-by: {{ .Release.Service }}
 55 |     {{- end }}
 56 |     product: aes
 57 | roleRef:
 58 |   apiGroup: rbac.authorization.k8s.io
 59 |   {{- if .Values.scope.singleNamespace }}
 60 |   kind: Role
 61 |   {{- else }}
 62 |   kind: ClusterRole
 63 |   {{- end }}
 64 |   name: {{ include "ambassador.rbacName" . }}-projects
 65 | subjects:
 66 |   - name: {{ include "ambassador.serviceAccountName" . }}
 67 |     namespace: {{ include "ambassador.namespace" . }}
 68 |     kind: ServiceAccount
 69 | {{- end }}
 70 |
--------------------------------------------------------------------------------
/manifests/ambassador/base/templates/projects.yaml:
--------------------------------------------------------------------------------
  1 | {{- if .Values.registry.create }}
  2 | ######################################################################
  3 | # In-cluster Registry for Projects
  4 |
  5 | # This mapping will make every host function as a docker
  6 | # registry. It's not ideal to take over the "v2" mapping, but there
  7 | # are a number of constraints that make this the least worst option
  8 | # explored so far. These constraints are:
  9 | #
 10 | # - We need a registry where docker push/pull and similar (e.g. crictl
 11 | #   push/pull) can work with no special client configuration since we
 12 | #   don't control the clients and we can't expect our users to
 13 | #   reconfigure their clusters to use a special push/pull
 14 | #   configuration.
 15 | #
 16 | # - GKE's push/pull implementation (I think it's docker) and crictl
 17 | #   push/pull (used by default in k3s clusters) have different default
 18 | #   behaviors with respect to localhost registries. The docker
 19 | #   implementation is very permissive, it will try both cleartext and
 20 | #   TLS and it does not verify the TLS connection, so self-signed
 21 | #   registries work fine. The crictl implementation is moving in this
 22 | #   direction, but the version used in k3s (based on rancher's fork of
 23 | #   containerd at v1.3.3) is not there yet. It only tries cleartext by
 24 | #   default.
 25 | #
 26 | # - We want to minimize the requirements for users to have the
 27 | #   access/understanding to create special DNS configurations
 28 | #   (e.g. wildcard or a separate dns name for the registry).
 29 | #
 30 | # - You can configure the docker registry to have a prefix,
 31 | #   e.g. 
//v2/..., however without special
 32 | #   configuration to override the defaults, clients can't push/pull
 33 | #   from a registry served at a prefix. If your image is named
 34 | #   /, the client will look for /v2/... endpoints.
 35 | #
 36 | # Given all the prior constraints we are left with creating this
 37 | # mapping for all hosts. If this is a problem there are a few
 38 | # alternatives we could consider. We can provide a way to limit this
 39 | # mapping to only one host so they can have distinct hosts for their
 40 | # site and their registry. We could also look into creating a
 41 | # daemonset that binds to localhost and proxies cleartext to
 42 | # TLS. Based on what I know of GKE and k3s it's a good guess that this
 43 | # would accommodate both of them, but possibly not other clusters with
 44 | # different configurations.
 45 | #
 46 | # Another reason to lean towards an externally accessible registry is
 47 | # that there are likely some people that would want this as a feature
 48 | # so they can docker push/pull images from other systems into/out of
 49 | # the builtin registry. While it's true that security minded people
 50 | # might not like having this registry externally accessible, it's also
 51 | # quite likely those people would want to run their own fancy registry
 52 | # that scans/audits images, etc. The focus for RtC is really a smooth
 53 | # out of the box experience that functions end-to-end without
 54 | # requiring you to build your own platform. For more security minded
 55 | # people we should expect to eventually be able to configure an
 56 | # external registry and/or turn off the builtin one.
 57 | ---
 58 | apiVersion: getambassador.io/v2
 59 | kind: Mapping
 60 | metadata:
 61 |   name: {{ include "ambassador.fullname" . }}-registry
 62 |   namespace: {{ include "ambassador.namespace" . }}
 63 |   labels:
 64 |     app.kubernetes.io/name: {{ include "ambassador.name" . }}-registry
 65 |     app.kubernetes.io/part-of: {{ .Release.Name }}
 66 |     helm.sh/chart: {{ include "ambassador.chart" . }}
 67 |     app.kubernetes.io/instance: {{ .Release.Name }}
 68 |     {{- if .Values.deploymentTool }}
 69 |     app.kubernetes.io/managed-by: {{ .Values.deploymentTool }}
 70 |     {{- else }}
 71 |     app.kubernetes.io/managed-by: {{ .Release.Service }}
 72 |     {{- end }}
 73 |     product: aes
      # NOTE(review): the spec sets no host, so /v2/ is routed to the registry on every hostname
      # this Ambassador serves, as the rationale above says. The registry config.yml further down
      # has no auth section, so unless a Filter/FilterPolicy or a network control guards this
      # route, anyone who can reach the gateway can reach the registry API, including image push.
 74 | spec:
 75 |   prefix: /v2/
 76 |   rewrite: /v2/
 77 |   service: https://{{ include "ambassador.fullname" . }}-registry
 78 |   timeout_ms: 300000
 79 | ---
 80 | apiVersion: v1
 81 | kind: Service
 82 | metadata:
 83 |   name: {{ include "ambassador.fullname" . }}-registry
 84 |   namespace: {{ include "ambassador.namespace" . }}
 85 |   labels:
 86 |     app.kubernetes.io/name: {{ include "ambassador.name" . }}-registry
 87 |     app.kubernetes.io/part-of: {{ .Release.Name }}
 88 |     helm.sh/chart: {{ include "ambassador.chart" . }}
 89 |     app.kubernetes.io/instance: {{ .Release.Name }}
 90 |     {{- if .Values.deploymentTool }}
 91 |     app.kubernetes.io/managed-by: {{ .Values.deploymentTool }}
 92 |     {{- else }}
 93 |     app.kubernetes.io/managed-by: {{ .Release.Service }}
 94 |     {{- end }}
 95 |     product: aes
 96 |   annotations:
 97 |     a8r.io/owner: "Ambassador Labs"
 98 |     a8r.io/repository: github.com/datawire/ambassador
 99 |     a8r.io/description: "The Ambassador Edge internal image registry."
100 |     a8r.io/documentation: https://www.getambassador.io/docs/latest/
101 |     a8r.io/chat: http://d6e.co/slack
102 |     a8r.io/bugs: https://github.com/datawire/ambassador/issues
103 |     a8r.io/support: https://www.getambassador.io/about-us/support/
104 |     a8r.io/dependencies: "None"
105 | spec:
106 |   type: ClusterIP
107 |   selector:
108 |     app.kubernetes.io/name: {{ include "ambassador.fullname" . }}-registry
109 |     app.kubernetes.io/instance: {{ .Release.Name }}
110 |   ports:
111 |   - port: 443
112 |     targetPort: 5000
113 |
114 | # The registry deployment. The deployment includes a persistent volume
115 | # mount for storing images, a config-map mount for customizing the
116 | # registry configuration, and a secret mounted for tls.
117 | ---
118 | apiVersion: apps/v1
119 | kind: Deployment
120 | metadata:
121 |   name: {{ include "ambassador.fullname" . }}-registry
122 |   namespace: {{ include "ambassador.namespace" . }}
123 |   labels:
124 |     app.kubernetes.io/name: {{ include "ambassador.name" . }}
125 |     app.kubernetes.io/part-of: {{ .Release.Name }}
126 |     helm.sh/chart: {{ include "ambassador.chart" . }}
127 |     app.kubernetes.io/instance: {{ .Release.Name }}
128 |     {{- if .Values.deploymentTool }}
129 |     app.kubernetes.io/managed-by: {{ .Values.deploymentTool }}
130 |     {{- else }}
131 |     app.kubernetes.io/managed-by: {{ .Release.Service }}
132 |     {{- end }}
133 |     product: aes
134 | spec:
135 |   replicas: 1
136 |   strategy:
137 |     rollingUpdate:
138 |       maxSurge: 0
139 |   selector:
140 |     matchLabels:
141 |       app.kubernetes.io/name: {{ include "ambassador.fullname" . }}-registry
142 |       app.kubernetes.io/instance: {{ .Release.Name }}
143 |   template:
144 |     metadata:
145 |       annotations:
      # NOTE(review): looks like a leftover annotation used to force a rollout — confirm and drop.
146 |         foo: "5"
147 |       labels:
148 |         app.kubernetes.io/name: {{ include "ambassador.fullname" . }}-registry
149 |         app.kubernetes.io/instance: {{ .Release.Name }}
150 |     spec:
      # NOTE(review): this pod spec sets no securityContext and no resource requests or limits.
151 |       containers:
152 |       - name: registry
      # NOTE(review): registry:2 is a floating tag, so the image can change underneath the
      # release; pin a digest (registry@sha256:<digest-placeholder>).
153 |         image: registry:2
154 |         ports:
155 |         - containerPort: 5000
156 |         volumeMounts:
157 |         - mountPath: /var/lib/registry
158 |           name: registry-data
159 |         - name: registry-config
160 |           mountPath: /etc/docker/registry
161 |         - name: registry-tls
162 |           mountPath: /etc/tls
163 |       volumes:
164 |       - name: registry-config
165 |         configMap:
166 |           # Provide the name of the ConfigMap containing the files you want
167 |           # to add to the container
168 |           name: {{ include "ambassador.fullname" . }}-registry-config
169 |       - name: registry-data
170 |         persistentVolumeClaim:
171 |           claimName: {{ include "ambassador.fullname" . }}-registry-data
172 |       - name: registry-tls
173 |         secret:
174 |           secretName: {{ include "ambassador.fullname" . }}-registry-tls
175 |
176 | # The configuration file for our registry.
177 | ---
178 | apiVersion: v1
179 | kind: ConfigMap
180 | metadata:
181 |   name: {{ include "ambassador.fullname" . }}-registry-config
182 |   namespace: {{ include "ambassador.namespace" . }}
183 |   labels:
184 |     app.kubernetes.io/name: {{ include "ambassador.name" . }}-registry
185 |     app.kubernetes.io/part-of: {{ .Release.Name }}
186 |     helm.sh/chart: {{ include "ambassador.chart" . }}
187 |     app.kubernetes.io/instance: {{ .Release.Name }}
188 |     {{- if .Values.deploymentTool }}
189 |     app.kubernetes.io/managed-by: {{ .Values.deploymentTool }}
190 |     {{- else }}
191 |     app.kubernetes.io/managed-by: {{ .Release.Service }}
192 |     {{- end }}
193 |     product: aes
      # NOTE(review): config.yml below has no auth section, so the registry serves its API
      # without authentication. Its TLS certificate and key come from the registry-tls Secret
      # defined later in this file.
194 | data:
195 |   config.yml: |
196 |     version: 0.1
197 |     log:
198 |       fields:
199 |         service: registry
200 |     storage:
201 |       cache:
202 |         blobdescriptor: inmemory
203 |       filesystem:
204 |         rootdirectory: /var/lib/registry
205 |     http:
206 |       addr: :5000
207 |       headers:
208 |         X-Content-Type-Options: [nosniff]
209 |       tls:
210 |         certificate: /etc/tls/tls.crt
211 |         key: /etc/tls/tls.key
212 |     health:
213 |       storagedriver:
214 |         enabled: true
215 |         interval: 10s
216 |         threshold: 3
217 |
218 | # The persistent volume for our registry.
219 | ---
220 | apiVersion: v1
221 | kind: PersistentVolumeClaim
222 | metadata:
223 |   name: {{ include "ambassador.fullname" . }}-registry-data
224 |   namespace: {{ include "ambassador.namespace" . }}
225 |   labels:
226 |     app.kubernetes.io/name: {{ include "ambassador.name" . }}-registry
227 |     app.kubernetes.io/part-of: {{ .Release.Name }}
228 |     helm.sh/chart: {{ include "ambassador.chart" . 
}}
229 |     app.kubernetes.io/instance: {{ .Release.Name }}
230 |     {{- if .Values.deploymentTool }}
231 |     app.kubernetes.io/managed-by: {{ .Values.deploymentTool }}
232 |     {{- else }}
233 |     app.kubernetes.io/managed-by: {{ .Release.Service }}
234 |     {{- end }}
235 |     product: aes
236 | spec:
237 |   accessModes:
238 |     - ReadWriteOnce
239 |   resources:
240 |     requests:
241 |       storage: 10Gi
242 |
243 | # The self-signed tls secret for our registry. We should look into
244 | # generating this on install with a job.
      # NOTE(review): the certificate and private key below are literals committed in the chart,
      # so every install that renders this Secret serves the registry with the same key, and
      # anyone who has the chart has the key. Treat TLS to the registry as unauthenticated until
      # a key is generated per install (as the comment above proposes) and this literal is
      # removed from the repository. tls.crt appears to decode to a certificate valid from
      # 2020-01-30 to 2021-01-29 — confirm before relying on it.
245 | ---
246 | apiVersion: v1
247 | kind: Secret
248 | metadata:
249 |   name: {{ include "ambassador.fullname" . }}-registry-tls
250 |   namespace: {{ include "ambassador.namespace" . }}
251 |   labels:
252 |     app.kubernetes.io/name: {{ include "ambassador.name" . }}-registry
253 |     app.kubernetes.io/part-of: {{ .Release.Name }}
254 |     helm.sh/chart: {{ include "ambassador.chart" . }}
255 |     app.kubernetes.io/instance: {{ .Release.Name }}
256 |     {{- if .Values.deploymentTool }}
257 |     app.kubernetes.io/managed-by: {{ .Values.deploymentTool }}
258 |     {{- else }}
259 |     app.kubernetes.io/managed-by: {{ .Release.Service }}
260 |     {{- end }}
261 |     product: aes
262 | type: kubernetes.io/tls
263 | data:
264 |   tls.crt: |
265 |     LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUVEekNDQXZlZ0F3SUJBZ0lVSVZrWlJGSkVJ
266 |     VCtOTlJiMFJ0TkxwZFp5TTVnd0RRWUpLb1pJaHZjTkFRRUwKQlFBd2daWXhDekFKQmdOVkJBWVRB
267 |     bFZUTVJZd0ZBWURWUVFJREExTllYTnpZV05vZFhObGRIUnpNUk13RVFZRApWUVFIREFwVGIyMWxj
268 |     blpwYkd4bE1SRXdEd1lEVlFRS0RBaEVZWFJoZDJseVpURVVNQklHQTFVRUN3d0xSVzVuCmFXNWxa
269 |     WEpwYm1jeEVUQVBCZ05WQkFNTUNISmxaMmx6ZEhKNU1SNHdIQVlKS29aSWh2Y05BUWtCRmc5a1pY
270 |     WkEKWkdGMFlYZHBjbVV1YVc4d0hoY05NakF3TVRNd01qRXdNVFV5V2hjTk1qRXdNVEk1TWpFd01U
271 |     VXlXakNCbGpFTApNQWtHQTFVRUJoTUNWVk14RmpBVUJnTlZCQWdNRFUxaGMzTmhZMmgxYzJWMGRI
272 |     TXhFekFSQmdOVkJBY01DbE52CmJXVnlkbWxzYkdVeEVUQVBCZ05WQkFvTUNFUmhkR0YzYVhKbE1S
273 |     UXdFZ1lEVlFRTERBdEZibWRwYm1WbGNtbHUKWnpFUk1BOEdBMVVFQXd3SWNtVm5hWE4wY25reEhq
274 | 
QWNCZ2txaGtpRzl3MEJDUUVXRDJSbGRrQmtZWFJoZDJseQpaUzVwYnpDQ0FTSXdEUVlKS29aSWh2 275 | Y05BUUVCQlFBRGdnRVBBRENDQVFvQ2dnRUJBTFRtZ21wb2szVVdCVkhqCjFqb2R5eG9LZFJad09Y 276 | WnhiZ25ITXlMa2xxLzUydGdmTEJmVlU1TzB2aE5iVm5vcEVSRWdWV0pTd3dlN0dOS0EKSjlaWWxC 277 | Qlc1Q1U5Q3FNalU2TTVOdTdiVWRQblNyNGRFSFlWcmhEakJYcVpDUElEaFhZS2ZZYWh0YlB4cis1 278 | egpueS9qQktKU2JwM3RWU3d5SEhsY3JJNHdOU2R1Q2x5UFplOFR0Q2hGQUxhcU5rWUMvclNGK0w0 279 | SWcwZmY1N0duClpFVmsyZDJja09Xbkp6akRXMGhYL3FUcXhUKzZwV2tUQThWQ0FVS2FabEY5VkRK 280 | c20rOW1XM2dBWmZ5NWdFWloKajcvaktqNTd5R1BUR2xWQXhra2J2WlJJVWQ5LzVkVmE3V1RCYnlR 281 | dkxvOEkyWWQ3S1h6Y3BjcElpS2hRREdPQQpHbGVoa2JVQ0F3RUFBYU5UTUZFd0hRWURWUjBPQkJZ 282 | RUZGTDV5NnNIb09tV0FRWVVGano4VHNETGFnUTdNQjhHCkExVWRJd1FZTUJhQUZGTDV5NnNIb09t 283 | V0FRWVVGano4VHNETGFnUTdNQThHQTFVZEV3RUIvd1FGTUFNQkFmOHcKRFFZSktvWklodmNOQVFF 284 | TEJRQURnZ0VCQUFZdHlnNDNDTEJsbVlvY0NkSjVpSlF0NTR0anFGU2hIMzdFd3h4WQp1QVExRHRW 285 | a0Q3QngzUURZZ1cxeU1QYzFTRDhYenFUcWxjQUlOQTZwdVB0SlNPcC8wUUVqVFJSMkFSZFF5VURI 286 | ClZOZEZzcHp5MGRnbllqOXY2ckl4akdOazVHZXI3cUp4TURaUUY0dC82NHZLYWNyOHZOQ3dnSmI5 287 | WEZaMTBjNlEKdVNSNVVVN1pMTWJPeWd4a0hPQStMMXp3S2pSaXZUb2ZMbExPOURQNUJwMk9hOGgr 288 | TmZhVkJ4ZHFUS2l0UzFaOApnUnZhOTFuRHZwTjl5aHBiNFJVN2FoWW9tWGF4VE5ZVEJxVE1uZWhE 289 | aWhPQjdBS2Z0VVErdjJWZ2VlM1FxaGJ4CjRUSlJpTTUxR2VIWEtoVWw5ZXBxRnBlYllIa1BnU1ln 290 | bU1OUy9aT3JSWmFxajVRPQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg== 291 | tls.key: | 292 | LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1JSUV2QUlCQURBTkJna3Foa2lHOXcwQkFRRUZB 293 | QVNDQktZd2dnU2lBZ0VBQW9JQkFRQzA1b0pxYUpOMUZnVlIKNDlZNkhjc2FDblVXY0RsMmNXNEp4 294 | ek1pNUphditkcllIeXdYMVZPVHRMNFRXMVo2S1JFUklGVmlVc01IdXhqUwpnQ2ZXV0pRUVZ1UWxQ 295 | UXFqSTFPak9UYnUyMUhUNTBxK0hSQjJGYTRRNHdWNm1RanlBNFYyQ24yR29iV3o4YS91CmM1OHY0 296 | d1NpVW02ZDdWVXNNaHg1WEt5T01EVW5iZ3BjajJYdkU3UW9SUUMycWpaR0F2NjBoZmkrQ0lOSDMr 297 | ZXgKcDJSRlpObmRuSkRscHljNHcxdElWLzZrNnNVL3VxVnBFd1BGUWdGQ21tWlJmVlF5Ykp2dlps 298 | dDRBR1g4dVlCRwpXWSsvNHlvK2U4aGoweHBWUU1aSkc3MlVTRkhmZitYVld1MWt3VzhrTHk2UENO 299 | 
bUhleWw4M0tYS1NJaW9VQXhqCmdCcFhvWkcxQWdNQkFBRUNnZ0VBWUxiMGRxdGVXclRoTnp6V0pk 300 | QVQ2K0kzWXoyd214QmR3a0NMcUZZSjhoOWsKenpNclFicTlxalJ4Z3F2TWVoZEdscDl3eHRaMGlz 301 | ZU9wOHY0Z0hKdkJxVk42RkxRUXhQNS9VUHppSlFkRld1TQozRU54cjVBN3RhK0tHRmVGSHM2Zkpk 302 | TEo5WmF6TEhkRWxmbWUyOTFGZHZzWFJMdkVVNUtmQW90M2ZiVnNWWjFxCnRucVIzY0dET3JVQ00v 303 | ZzJKZmVBYk5wSUJjTnlCV0diOGRQbm5SaHZRNW5YN1ozUnJiNTlhQnhOcldCSkFkbnEKOUtkS3BR 304 | UmU4cjBiRGJ0WVZQamxXRldpOVluWVQ0WHpQOG9TU0t5a3R4TWZraEM2dlVKb0gwNHFOSmRkWjVM 305 | WAozWjRKUm14RnlUZU1rUG0xa2dnSVVRZGJhRWp1WG0rOThOeXVkZitKcVFLQmdRRGx6SS9XMzZM 306 | am1pRE9MSDVUCnFhZTFnazNMV2lTY3hwZzRhazEyenhLSlkrWUJiNnc4UG5EVmlvY2tPa0lsSERh 307 | V0xzQ2VpRkJsM2lPSDlUWWcKQm9iY3JVZVNUbWdOaUNqSlpIWVhIUlY1TEN2bGE0UkhhcXNMWG43 308 | elptTE5GVW9YRlhaTkoyQzlqUEp5TStyQQpqOWJLWlFvQTF2NC9qOUdMTXN3eEJZem1pd0tCZ1FE 309 | SmhxNDhrYmV0MlRTRFhyMUxuY3FMVU9wak1hQmNyOEJKCnpDNlBwK3F0ck01QVE1RnkwaHRoV2Zn 310 | bDkzZU5vMWRQT2pCRDZ6amIyd2dNSHhBR2w1V0pIN005enFBSWJSaW0KbDFNcmsrUkprbUVGeUls 311 | cU95TG9jNlg0V1pPN1BwejZPQkdWTExGOFlBR09UcldaRzZwUStDeVJWN3hHUS9PWAo4QlN5UVVh 312 | d3Z3S0JnRWFXWG55dmQxYVlpb2txUzZlaFRuM0h4K08yRGRjR2ZjMmVnYXNFRW5xWGNCaHkyQ0l0 313 | ClAvV29OcmpmR0dCVDJVU3FtY3BZcnZHTG1iaHlqeXlwTkpYbXVEeHR6ektRNTQ1dFNJVHpEeHlJ 314 | Zi9kWjNta2QKaityUEhRbmhJbXBDcHQ2T1hpZDIrQlZoalR1ZFRQZlhkeS8yZDJzb256S2hGOG05 315 | VWRHaEZkWGZBb0dBRkZ0QwpabVBoeGZIVzJCNU55TUdib0E4QVhoeTVNaU9lck5XdkxsdXIzUGRE 316 | cmtJbEF4QXVLOXRHc2E4WnFIa0RiTUZYCjlzUmY3ZlZtRHJOa2p3WG8yUDBXd2Z1Sk50Q3VXTVdZ 317 | WlNKL1FOOUVaYTBvRkU3ODY3WWk0YjlLcVBOZUwvaFIKN2x1aFlncmduVnRlQktWQ3d3TU9uVy9i 318 | V00yc1lZQ2kxbzY1Y1VrQ2dZQUR4SUJmOGZUOURDS0NaZ1FvQXNDYwpvSzcvdzdDYk1hOEp5TjZa 319 | ZDRiSlIrSzRzUEtQekd2M3dEandxRzFTRkN6UU1FR01mOWt6TWFYb09XdzNaN2NCCklIZTJDUXFF 320 | N2NZdW1LYjFkOTFueU1qMVdQVC9CWEJKZzB3aUNMV0RjakdQR0xNWTJyeGsvMWwzL2xjKy9WVkcK 321 | NjRZZUh1YlllOE9Iemp5UEZGSnJZdz09Ci0tLS0tRU5EIFBSSVZBVEUgS0VZLS0tLS0K 322 | 323 | ###################################################################### 324 | # Project 
Controller 325 | # 326 | # Comment this out if you want to disable the micro CI/CD functionality: 327 | --- 328 | apiVersion: getambassador.io/v2 329 | kind: ProjectController 330 | metadata: 331 | name: {{ include "ambassador.fullname" . }}-projectcontroller 332 | namespace: {{ include "ambassador.namespace" . }} 333 | labels: 334 | app.kubernetes.io/name: {{ include "ambassador.name" . }}-projectcontroller 335 | app.kubernetes.io/part-of: {{ .Release.Name }} 336 | helm.sh/chart: {{ include "ambassador.chart" . }} 337 | app.kubernetes.io/instance: {{ .Release.Name }} 338 | {{- if .Values.deploymentTool }} 339 | app.kubernetes.io/managed-by: {{ .Values.deploymentTool }} 340 | {{- else }} 341 | app.kubernetes.io/managed-by: {{ .Release.Service }} 342 | {{- end }} 343 | projects.getambassador.io/ambassador_id: {{ if hasKey .Values.env "AMBASSADOR_ID" }}{{ .Values.env.AMBASSADOR_ID | quote }}{{ else }}default{{ end }} 344 | product: aes 345 | {{- end }} -------------------------------------------------------------------------------- /manifests/ambassador/base/templates/rbac.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.rbac.create -}} 2 | apiVersion: rbac.authorization.k8s.io/v1beta1 3 | {{- if .Values.scope.singleNamespace }} 4 | kind: Role 5 | {{- else }} 6 | kind: ClusterRole 7 | {{- end }} 8 | metadata: 9 | name: {{ include "ambassador.rbacName" . }} 10 | namespace: {{ include "ambassador.namespace" . }} 11 | labels: 12 | app.kubernetes.io/name: {{ include "ambassador.name" . }} 13 | app.kubernetes.io/part-of: {{ .Release.Name }} 14 | helm.sh/chart: {{ include "ambassador.chart" . 
}} 15 | app.kubernetes.io/instance: {{ .Release.Name }} 16 | {{- if .Values.deploymentTool }} 17 | app.kubernetes.io/managed-by: {{ .Values.deploymentTool }} 18 | {{- else }} 19 | app.kubernetes.io/managed-by: {{ .Release.Service }} 20 | {{- end }} 21 | product: aes 22 | rules: 23 | - apiGroups: [""] 24 | resources: 25 | - namespaces 26 | - services 27 | - secrets 28 | - endpoints 29 | verbs: ["get", "list", "watch"] 30 | 31 | - apiGroups: [ "getambassador.io" ] 32 | resources: [ "*" ] 33 | verbs: ["get", "list", "watch", "update", "patch", "create", "delete" ] 34 | 35 | - apiGroups: [ "apiextensions.k8s.io" ] 36 | resources: [ "customresourcedefinitions" ] 37 | verbs: ["get", "list", "watch", "delete"] 38 | 39 | - apiGroups: [ "networking.internal.knative.dev"] 40 | resources: [ "clusteringresses", "ingresses" ] 41 | verbs: ["get", "list", "watch"] 42 | 43 | - apiGroups: [ "networking.internal.knative.dev"] 44 | resources: [ "clusteringresses/status", "ingresses/status" ] 45 | verbs: ["update"] 46 | 47 | - apiGroups: [ "extensions", "networking.k8s.io" ] 48 | resources: [ "ingresses", "ingressclasses" ] 49 | verbs: ["get", "list", "watch"] 50 | 51 | - apiGroups: [ "extensions", "networking.k8s.io" ] 52 | resources: [ "ingresses/status" ] 53 | verbs: ["update"] 54 | 55 | {{- if .Values.enableAES }} 56 | - apiGroups: [""] 57 | resources: [ "secrets" ] 58 | verbs: ["get", "list", "watch", "create", "update"] 59 | 60 | - apiGroups: [""] 61 | resources: [ "events" ] 62 | verbs: ["get", "list", "watch", "create", "patch"] 63 | 64 | - apiGroups: ["coordination.k8s.io"] 65 | resources: [ "leases" ] 66 | verbs: ["get", "create", "update"] 67 | 68 | - apiGroups: [""] 69 | resources: [ "endpoints" ] 70 | verbs: ["get", "list", "watch", "create", "update"] 71 | {{- end }} 72 | 73 | {{- if or .Values.rbac.podSecurityPolicies .Values.security.podSecurityPolicy }} 74 | 75 | - apiGroups: ['policy'] 76 | resources: ['podsecuritypolicies'] 77 | verbs: ['use'] 78 | resourceNames: 79 
| {{- if .Values.rbac.podSecurityPolicies }} 80 | {{- toYaml .Values.rbac.podSecurityPolicies | nindent 6 }} 81 | {{- end }} 82 | {{- if .Values.security.podSecurityPolicy }} 83 | - {{ include "ambassador.fullname" . }} 84 | {{- end }} 85 | {{- end }} 86 | --- 87 | apiVersion: rbac.authorization.k8s.io/v1beta1 88 | {{- if .Values.scope.singleNamespace }} 89 | kind: RoleBinding 90 | {{- else }} 91 | kind: ClusterRoleBinding 92 | {{- end }} 93 | metadata: 94 | name: {{ include "ambassador.rbacName" . }} 95 | namespace: {{ include "ambassador.namespace" . }} 96 | labels: 97 | app.kubernetes.io/name: {{ include "ambassador.name" . }} 98 | app.kubernetes.io/part-of: {{ .Release.Name }} 99 | helm.sh/chart: {{ include "ambassador.chart" . }} 100 | app.kubernetes.io/instance: {{ .Release.Name }} 101 | {{- if .Values.deploymentTool }} 102 | app.kubernetes.io/managed-by: {{ .Values.deploymentTool }} 103 | {{- else }} 104 | app.kubernetes.io/managed-by: {{ .Release.Service }} 105 | {{- end }} 106 | product: aes 107 | roleRef: 108 | apiGroup: rbac.authorization.k8s.io 109 | {{- if .Values.scope.singleNamespace }} 110 | kind: Role 111 | {{- else }} 112 | kind: ClusterRole 113 | {{- end }} 114 | name: {{ include "ambassador.rbacName" . }} 115 | subjects: 116 | - name: {{ include "ambassador.serviceAccountName" . }} 117 | namespace: {{ include "ambassador.namespace" . }} 118 | kind: ServiceAccount 119 | {{- end -}} 120 | -------------------------------------------------------------------------------- /manifests/ambassador/base/templates/service.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | {{- if .Values.service.nameOverride }} 5 | name: {{ .Values.service.nameOverride }} 6 | {{- else }} 7 | name: {{ include "ambassador.fullname" . }} 8 | {{- end }} 9 | namespace: {{ include "ambassador.namespace" . }} 10 | labels: 11 | app.kubernetes.io/name: {{ include "ambassador.name" . 
}} 12 | app.kubernetes.io/part-of: {{ .Release.Name }} 13 | helm.sh/chart: {{ include "ambassador.chart" . }} 14 | app.kubernetes.io/instance: {{ .Release.Name }} 15 | {{- if .Values.deploymentTool }} 16 | app.kubernetes.io/managed-by: {{ .Values.deploymentTool }} 17 | {{- else }} 18 | app.kubernetes.io/managed-by: {{ .Release.Service }} 19 | {{- end }} 20 | app.kubernetes.io/component: ambassador-service 21 | product: aes 22 | annotations: 23 | a8r.io/owner: "Ambassador Labs" 24 | a8r.io/repository: github.com/datawire/ambassador 25 | a8r.io/description: "The Ambassador Edge Stack goes beyond traditional API Gateways and Ingress Controllers with the advanced edge features needed to support developer self-service and full-cycle development." 26 | a8r.io/documentation: https://www.getambassador.io/docs/latest/ 27 | a8r.io/chat: http://d6e.co/slack 28 | a8r.io/bugs: https://github.com/datawire/ambassador/issues 29 | a8r.io/support: https://www.getambassador.io/about-us/support/ 30 | a8r.io/dependencies: {{ include "ambassador.fullname" . }}-redis.{{ include "ambassador.namespace" . 
}} 31 | {{- if .Values.service.annotations }} 32 | {{- range $key, $value := .Values.service.annotations }} 33 | {{ $key }}: {{ $value | quote }} 34 | {{- end }} 35 | {{- end }} 36 | spec: 37 | type: {{ .Values.service.type }} 38 | {{- if .Values.service.loadBalancerIP }} 39 | loadBalancerIP: "{{ .Values.service.loadBalancerIP }}" 40 | {{- end }} 41 | {{- if .Values.service.externalTrafficPolicy }} 42 | externalTrafficPolicy: "{{ .Values.service.externalTrafficPolicy }}" 43 | {{- end }} 44 | {{- if .Values.service.sessionAffinity }} 45 | sessionAffinity: {{ .Values.service.sessionAffinity }} 46 | {{- end }} 47 | {{- if .Values.service.sessionAffinityConfig }} 48 | sessionAffinityConfig: 49 | {{- toYaml .Values.service.sessionAffinityConfig | nindent 4 }} 50 | {{- end }} 51 | ports: 52 | {{- range .Values.service.ports }} 53 | - name: {{ .name }} 54 | port: {{ int .port }} 55 | {{- if .targetPort }} 56 | targetPort: {{ int .targetPort }} 57 | {{- end }} 58 | {{- if .nodePort }} 59 | nodePort: {{ int .nodePort }} 60 | {{- end }} 61 | {{- if .protocol }} 62 | protocol: {{ .protocol }} 63 | {{- end }} 64 | {{- end}} 65 | selector: 66 | app.kubernetes.io/name: {{ include "ambassador.name" . }} 67 | app.kubernetes.io/instance: {{ .Release.Name }} 68 | {{- with .Values.service.loadBalancerSourceRanges }} 69 | loadBalancerSourceRanges: 70 | {{- toYaml . | nindent 4 }} 71 | {{- end }} 72 | {{- if .Values.service.externalIPs }} 73 | externalIPs: 74 | {{- toYaml .Values.service.externalIPs | nindent 4 }} 75 | {{- end }} 76 | -------------------------------------------------------------------------------- /manifests/ambassador/base/templates/serviceaccount.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.serviceAccount.create -}} 2 | apiVersion: v1 3 | kind: ServiceAccount 4 | metadata: 5 | name: {{ include "ambassador.serviceAccountName" . }} 6 | namespace: {{ include "ambassador.namespace" . 
}} 7 | labels: 8 | app.kubernetes.io/name: {{ include "ambassador.name" . }} 9 | app.kubernetes.io/part-of: {{ .Release.Name }} 10 | helm.sh/chart: {{ include "ambassador.chart" . }} 11 | app.kubernetes.io/instance: {{ .Release.Name }} 12 | {{- if .Values.deploymentTool }} 13 | app.kubernetes.io/managed-by: {{ .Values.deploymentTool }} 14 | {{- else }} 15 | app.kubernetes.io/managed-by: {{ .Release.Service }} 16 | {{- end }} 17 | product: aes 18 | {{- end -}} 19 | -------------------------------------------------------------------------------- /manifests/ambassador/base/templates/servicemonitor.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.adminService.create .Values.metrics.serviceMonitor.enabled }} 2 | apiVersion: monitoring.coreos.com/v1 3 | kind: ServiceMonitor 4 | metadata: 5 | name: {{ include "ambassador.fullname" . }} 6 | namespace: {{ include "ambassador.namespace" . }} 7 | labels: 8 | app: {{ include "ambassador.name" . }} 9 | {{- if .Values.metrics.serviceMonitor.selector }} 10 | {{- toYaml .Values.metrics.serviceMonitor.selector | nindent 4 }} 11 | {{- end }} 12 | spec: 13 | endpoints: 14 | - port: ambassador-admin 15 | path: /metrics 16 | {{- with .Values.metrics.serviceMonitor.interval }} 17 | interval: {{ . }} 18 | {{- end }} 19 | {{- with .Values.metrics.serviceMonitor.scrapeTimeout }} 20 | scrapeTimeout: {{ . }} 21 | {{- end }} 22 | namespaceSelector: 23 | matchNames: 24 | - {{ include "ambassador.namespace" . }} 25 | selector: 26 | matchLabels: 27 | service: ambassador-admin 28 | {{- end }} 29 | -------------------------------------------------------------------------------- /manifests/ambassador/base/templates/tests/test-ready.yaml: -------------------------------------------------------------------------------- 1 | {{- if and (.Values.test.enabled) (not .Values.daemonSet) }} 2 | apiVersion: v1 3 | kind: Pod 4 | metadata: 5 | name: "{{ include "ambassador.fullname" . 
}}-test-ready" 6 | labels: 7 | app.kubernetes.io/name: {{ include "ambassador.name" . }} 8 | helm.sh/chart: {{ include "ambassador.chart" . }} 9 | app.kubernetes.io/instance: {{ .Release.Name }} 10 | {{- if .Values.deploymentTool }} 11 | app.kubernetes.io/managed-by: {{ .Values.deploymentTool }} 12 | {{- else }} 13 | app.kubernetes.io/managed-by: {{ .Release.Service }} 14 | {{- end }} 15 | annotations: 16 | "helm.sh/hook": test-success 17 | spec: 18 | containers: 19 | - name: wget 20 | image: {{ .Values.test.image | default "busybox" }} 21 | command: ['wget'] 22 | args: ['{{ include "ambassador.fullname" . }}:{{ include "ambassador.servicePort" . }}/ambassador/v0/check_ready'] 23 | restartPolicy: Never 24 | {{- end }} 25 | -------------------------------------------------------------------------------- /manifests/ambassador/base/templates/traffic-agent-rbac.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.enableAES .Values.servicePreview.enabled }} 2 | {{- if .Values.servicePreview.trafficAgent.singleNamespace }} 3 | --- 4 | apiVersion: v1 5 | kind: ServiceAccount 6 | metadata: 7 | name: {{ .Values.servicePreview.trafficAgent.serviceAccountName }} 8 | namespace: {{ include "ambassador.namespace" . }} 9 | annotations: 10 | # Required because Helm creates secrets before ServiceAccount, but service-account-token depends on an existing SA. 11 | "helm.sh/hook": "pre-install" 12 | labels: 13 | app.kubernetes.io/name: {{ .Values.servicePreview.trafficAgent.serviceAccountName }} 14 | app.kubernetes.io/part-of: {{ .Release.Name }} 15 | helm.sh/chart: {{ include "ambassador.chart" . 
}} 16 | app.kubernetes.io/instance: {{ .Release.Name }} 17 | {{- if .Values.deploymentTool }} 18 | app.kubernetes.io/managed-by: {{ .Values.deploymentTool }} 19 | {{- else }} 20 | app.kubernetes.io/managed-by: {{ .Release.Service }} 21 | {{- end }} 22 | product: aes 23 | --- 24 | ## Create a service-account-token Secret for traffic-agent whose name matches the ServiceAccount. 25 | ## The ambassador-injector uses this token name, so it must be deterministic and not auto-generated. NOTE(review): the service-account.name annotation below is hard-coded to traffic-agent while the ServiceAccount name is templated; confirm they stay in sync if serviceAccountName is overridden. 26 | apiVersion: v1 27 | kind: Secret 28 | metadata: 29 | name: {{ .Values.servicePreview.trafficAgent.serviceAccountName }} 30 | namespace: {{ include "ambassador.namespace" . }} 31 | annotations: 32 | kubernetes.io/service-account.name: traffic-agent 33 | type: kubernetes.io/service-account-token 34 | --- 35 | apiVersion: rbac.authorization.k8s.io/v1beta1 36 | kind: Role 37 | metadata: 38 | name: {{ .Values.servicePreview.trafficAgent.serviceAccountName }} 39 | namespace: {{ include "ambassador.namespace" . }} 40 | labels: 41 | app.kubernetes.io/name: {{ .Values.servicePreview.trafficAgent.serviceAccountName }} 42 | app.kubernetes.io/part-of: {{ .Release.Name }} 43 | helm.sh/chart: {{ include "ambassador.chart" . }} 44 | app.kubernetes.io/instance: {{ .Release.Name }} 45 | {{- if .Values.deploymentTool }} 46 | app.kubernetes.io/managed-by: {{ .Values.deploymentTool }} 47 | {{- else }} 48 | app.kubernetes.io/managed-by: {{ .Release.Service }} 49 | {{- end }} 50 | product: aes 51 | rules: 52 | - apiGroups: [""] 53 | resources: [ "namespaces", "services", "secrets" ] 54 | verbs: ["get", "list", "watch"] 55 | - apiGroups: [ "getambassador.io" ] 56 | resources: [ "*" ] 57 | verbs: ["get", "list", "watch", "update"] 58 | --- 59 | apiVersion: rbac.authorization.k8s.io/v1beta1 60 | kind: RoleBinding 61 | metadata: 62 | name: {{ .Values.servicePreview.trafficAgent.serviceAccountName }} 63 | namespace: {{ include "ambassador.namespace" . 
}} 64 | labels: 65 | app.kubernetes.io/name: {{ .Values.servicePreview.trafficAgent.serviceAccountName }} 66 | app.kubernetes.io/part-of: {{ .Release.Name }} 67 | helm.sh/chart: {{ include "ambassador.chart" . }} 68 | app.kubernetes.io/instance: {{ .Release.Name }} 69 | {{- if .Values.deploymentTool }} 70 | app.kubernetes.io/managed-by: {{ .Values.deploymentTool }} 71 | {{- else }} 72 | app.kubernetes.io/managed-by: {{ .Release.Service }} 73 | {{- end }} 74 | product: aes 75 | roleRef: 76 | apiGroup: rbac.authorization.k8s.io 77 | kind: Role 78 | name: {{ include "ambassador.rbacName" . }} 79 | subjects: 80 | - name: {{ .Values.servicePreview.trafficAgent.serviceAccountName }} 81 | namespace: {{ include "ambassador.namespace" . }} 82 | kind: ServiceAccount 83 | {{- else }} 84 | ## If we install Service Preview cluster-wide, we can't use the 'traffic-agent' ServiceAccount, 85 | ## as it does not exist in every namespace. We must instead bind the ClusterRole below to the system:serviceaccounts group, which gives every ServiceAccount in the cluster get/list/watch on namespaces, services and secrets. 86 | --- 87 | apiVersion: rbac.authorization.k8s.io/v1beta1 88 | kind: ClusterRole 89 | metadata: 90 | name: {{ .Values.servicePreview.trafficAgent.serviceAccountName }} 91 | namespace: {{ include "ambassador.namespace" . }} 92 | labels: 93 | app.kubernetes.io/name: {{ .Values.servicePreview.trafficAgent.serviceAccountName }} 94 | app.kubernetes.io/part-of: {{ .Release.Name }} 95 | helm.sh/chart: {{ include "ambassador.chart" . 
}} 96 | app.kubernetes.io/instance: {{ .Release.Name }} 97 | {{- if .Values.deploymentTool }} 98 | app.kubernetes.io/managed-by: {{ .Values.deploymentTool }} 99 | {{- else }} 100 | app.kubernetes.io/managed-by: {{ .Release.Service }} 101 | {{- end }} 102 | product: aes 103 | rules: 104 | - apiGroups: [""] 105 | resources: [ "namespaces", "services", "secrets" ] 106 | verbs: ["get", "list", "watch"] 107 | - apiGroups: [ "getambassador.io" ] 108 | resources: [ "*" ] 109 | verbs: ["get", "list", "watch", "update"] 110 | --- 111 | apiVersion: rbac.authorization.k8s.io/v1beta1 112 | kind: ClusterRoleBinding 113 | metadata: 114 | name: {{ .Values.servicePreview.trafficAgent.serviceAccountName }} 115 | labels: 116 | app.kubernetes.io/name: {{ .Values.servicePreview.trafficAgent.serviceAccountName }} 117 | app.kubernetes.io/part-of: {{ .Release.Name }} 118 | helm.sh/chart: {{ include "ambassador.chart" . }} 119 | app.kubernetes.io/instance: {{ .Release.Name }} 120 | {{- if .Values.deploymentTool }} 121 | app.kubernetes.io/managed-by: {{ .Values.deploymentTool }} 122 | {{- else }} 123 | app.kubernetes.io/managed-by: {{ .Release.Service }} 124 | {{- end }} 125 | product: aes 126 | roleRef: 127 | apiGroup: rbac.authorization.k8s.io 128 | kind: ClusterRole 129 | name: {{ .Values.servicePreview.trafficAgent.serviceAccountName }} 130 | subjects: 131 | - name: system:serviceaccounts 132 | kind: Group 133 | apiGroup: rbac.authorization.k8s.io 134 | {{- end }} 135 | {{- end }} -------------------------------------------------------------------------------- /manifests/ambassador/base/templates/traffic-manager.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.enableAES .Values.servicePreview.enabled }} 2 | --- 3 | apiVersion: v1 4 | kind: ServiceAccount 5 | metadata: 6 | name: {{ .Values.servicePreview.trafficManager.serviceAccountName }} 7 | namespace: {{ include "ambassador.namespace" . 
}} 8 | labels: 9 | app.kubernetes.io/name: {{ .Values.servicePreview.trafficManager.serviceAccountName }} 10 | app.kubernetes.io/part-of: {{ .Release.Name }} 11 | helm.sh/chart: {{ include "ambassador.chart" . }} 12 | app.kubernetes.io/instance: {{ .Release.Name }} 13 | {{- if .Values.deploymentTool }} 14 | app.kubernetes.io/managed-by: {{ .Values.deploymentTool }} 15 | {{- else }} 16 | app.kubernetes.io/managed-by: {{ .Release.Service }} 17 | {{- end }} 18 | product: aes 19 | --- 20 | apiVersion: rbac.authorization.k8s.io/v1beta1 21 | {{- if .Values.scope.singleNamespace }} 22 | kind: Role 23 | {{- else }} 24 | kind: ClusterRole 25 | {{- end }} 26 | metadata: 27 | name: {{ .Values.servicePreview.trafficManager.serviceAccountName }} 28 | namespace: {{ include "ambassador.namespace" . }} 29 | labels: 30 | app.kubernetes.io/name: {{ .Values.servicePreview.trafficManager.serviceAccountName }} 31 | app.kubernetes.io/part-of: {{ .Release.Name }} 32 | helm.sh/chart: {{ include "ambassador.chart" . }} 33 | app.kubernetes.io/instance: {{ .Release.Name }} 34 | {{- if .Values.deploymentTool }} 35 | app.kubernetes.io/managed-by: {{ .Values.deploymentTool }} 36 | {{- else }} 37 | app.kubernetes.io/managed-by: {{ .Release.Service }} 38 | {{- end }} 39 | product: aes 40 | rules: 41 | - apiGroups: [""] 42 | resources: ["namespaces", "services", "pods", "secrets"] 43 | verbs: ["get", "list", "watch"] 44 | --- 45 | apiVersion: rbac.authorization.k8s.io/v1beta1 46 | {{- if .Values.scope.singleNamespace }} 47 | kind: RoleBinding 48 | {{- else }} 49 | kind: ClusterRoleBinding 50 | {{- end }} 51 | metadata: 52 | name: {{ .Values.servicePreview.trafficManager.serviceAccountName }} 53 | namespace: {{ include "ambassador.namespace" . }} 54 | labels: 55 | app.kubernetes.io/name: {{ .Values.servicePreview.trafficManager.serviceAccountName }} 56 | app.kubernetes.io/part-of: {{ .Release.Name }} 57 | helm.sh/chart: {{ include "ambassador.chart" . 
}} 58 | app.kubernetes.io/instance: {{ .Release.Name }} 59 | {{- if .Values.deploymentTool }} 60 | app.kubernetes.io/managed-by: {{ .Values.deploymentTool }} 61 | {{- else }} 62 | app.kubernetes.io/managed-by: {{ .Release.Service }} 63 | {{- end }} 64 | product: aes 65 | roleRef: 66 | apiGroup: rbac.authorization.k8s.io 67 | {{- if .Values.scope.singleNamespace }} 68 | kind: Role 69 | {{- else }} 70 | kind: ClusterRole 71 | {{- end }} 72 | name: {{ .Values.servicePreview.trafficManager.serviceAccountName }} 73 | subjects: 74 | - kind: ServiceAccount 75 | name: {{ .Values.servicePreview.trafficManager.serviceAccountName }} 76 | namespace: {{ include "ambassador.namespace" . }} 77 | --- 78 | apiVersion: apps/v1 79 | kind: Deployment 80 | metadata: 81 | name: telepresence-proxy 82 | namespace: {{ include "ambassador.namespace" . }} 83 | labels: 84 | app.kubernetes.io/name: telepresence-proxy 85 | app.kubernetes.io/part-of: {{ .Release.Name }} 86 | helm.sh/chart: {{ include "ambassador.chart" . 
}} 87 | app.kubernetes.io/instance: {{ .Release.Name }} 88 | {{- if .Values.deploymentTool }} 89 | app.kubernetes.io/managed-by: {{ .Values.deploymentTool }} 90 | {{- else }} 91 | app.kubernetes.io/managed-by: {{ .Release.Service }} 92 | {{- end }} 93 | product: aes 94 | spec: 95 | replicas: 1 96 | selector: 97 | matchLabels: 98 | app.kubernetes.io/name: telepresence-proxy 99 | app.kubernetes.io/instance: {{ .Release.Name }} 100 | template: 101 | metadata: 102 | labels: 103 | app.kubernetes.io/name: telepresence-proxy 104 | app.kubernetes.io/instance: {{ .Release.Name }} 105 | spec: 106 | containers: 107 | - name: telepresence-proxy 108 | image: "{{ .Values.servicePreview.trafficManager.image.repository | default .Values.image.repository }}:{{ .Values.servicePreview.trafficManager.image.tag | default .Values.image.tag }}" 109 | imagePullPolicy: {{ .Values.image.pullPolicy }} 110 | command: [ "traffic-manager" ] 111 | env: 112 | {{- if .Values.scope.singleNamespace }} 113 | - name: AMBASSADOR_SINGLE_NAMESPACE 114 | value: "true" 115 | {{- end }} 116 | - name: AMBASSADOR_NAMESPACE 117 | {{- if .Values.namespace }} 118 | value: {{ .Values.namespace.name | quote }} 119 | {{ else }} 120 | valueFrom: 121 | fieldRef: 122 | fieldPath: metadata.namespace 123 | {{- end -}} 124 | {{- if or .Values.redis.create .Values.redisURL }} 125 | - name: REDIS_URL 126 | {{- if .Values.redisURL }} 127 | value: {{ .Values.redisURL }} 128 | {{- else }} 129 | value: {{ include "ambassador.fullname" . 
}}-redis:6379 130 | {{- end }} 131 | {{- end }} 132 | ports: 133 | - name: sshd 134 | containerPort: 8022 135 | volumeMounts: 136 | - mountPath: /tmp/ambassador-pod-info 137 | name: pod-info 138 | restartPolicy: Always 139 | terminationGracePeriodSeconds: 0 140 | volumes: 141 | - downwardAPI: 142 | items: 143 | - fieldRef: 144 | fieldPath: metadata.labels 145 | path: labels 146 | name: pod-info 147 | serviceAccountName: {{ .Values.servicePreview.trafficManager.serviceAccountName }} 148 | --- 149 | apiVersion: v1 150 | kind: Service 151 | metadata: 152 | name: telepresence-proxy 153 | namespace: {{ include "ambassador.namespace" . }} 154 | labels: 155 | app.kubernetes.io/name: telepresence-proxy 156 | app.kubernetes.io/part-of: {{ .Release.Name }} 157 | helm.sh/chart: {{ include "ambassador.chart" . }} 158 | app.kubernetes.io/instance: {{ .Release.Name }} 159 | {{- if .Values.deploymentTool }} 160 | app.kubernetes.io/managed-by: {{ .Values.deploymentTool }} 161 | {{- else }} 162 | app.kubernetes.io/managed-by: {{ .Release.Service }} 163 | {{- end }} 164 | annotations: 165 | a8r.io/owner: "Ambassador Labs" 166 | a8r.io/repository: github.com/datawire/ambassador 167 | a8r.io/description: "The Ambassador Edge Stack Service Preview Telepresence Proxy." 
168 | a8r.io/documentation: https://www.getambassador.io/docs/latest/ 169 | a8r.io/chat: http://d6e.co/slack 170 | a8r.io/bugs: https://github.com/datawire/ambassador/issues 171 | a8r.io/support: https://www.getambassador.io/about-us/support/ 172 | a8r.io/dependencies: "None" 173 | spec: 174 | type: ClusterIP 175 | clusterIP: None 176 | selector: 177 | app.kubernetes.io/name: telepresence-proxy 178 | app.kubernetes.io/instance: {{ .Release.Name }} 179 | ports: 180 | - name: sshd 181 | protocol: TCP 182 | port: 8022 183 | - name: api 184 | protocol: TCP 185 | port: 8081 186 | {{- end }} -------------------------------------------------------------------------------- /manifests/ambassador/base/values.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # Default values for ambassador. 3 | # This is a YAML-formatted file. 4 | # Declare variables to be passed into your templates. 5 | 6 | # Manually set metadata for the Release. 7 | # 8 | # Defaults to .Chart.Name 9 | nameOverride: "" 10 | # Defaults to .Release.Name-.Chart.Name unless .Release.Name contains "ambassador" 11 | fullnameOverride: "" 12 | # Defaults to .Release.Namespace 13 | namespaceOverride: "" 14 | 15 | replicaCount: 3 16 | daemonSet: false 17 | 18 | # This will enable the test-ready Pod (https://github.com/datawire/ambassador-chart/blob/master/templates/tests/test-ready.yaml). 19 | # It will spawn a busybox container to call Ambassador's check_ready endpoint to validate it is working correctly. 
20 | test: 21 | enabled: true 22 | image: busybox 23 | 24 | # Enable autoscaling using HorizontalPodAutoscaler 25 | # daemonSet: true, autoscaling will be disabled 26 | autoscaling: 27 | enabled: false 28 | minReplicas: 2 29 | maxReplicas: 5 30 | metrics: 31 | - type: Resource 32 | resource: 33 | name: cpu 34 | target: 35 | type: Utilization 36 | averageUtilization: 60 37 | - type: Resource 38 | resource: 39 | name: memory 40 | target: 41 | type: Utilization 42 | averageUtilization: 60 43 | 44 | podDisruptionBudget: {} 45 | 46 | # namespace: 47 | # name: default 48 | 49 | # Additional container environment variable 50 | # Uncomment or add additional environment variables for the container here. 51 | env: {} 52 | # Exposing statistics via StatsD 53 | # STATSD_ENABLED: true 54 | # STATSD_HOST: statsd-sink 55 | # sets the minimum number of seconds between Envoy restarts 56 | # AMBASSADOR_RESTART_TIME: 15 57 | # sets the number of seconds that the Envoy will wait for open connections to drain on a restart 58 | # AMBASSADOR_DRAIN_TIME: 5 59 | # sets the number of seconds that Ambassador will wait for the old Envoy to clean up and exit on a restart 60 | # AMBASSADOR_SHUTDOWN_TIME: 10 61 | # labels Ambassador with an ID to allow for configuring multiple Ambassadors in a cluster 62 | # AMBASSADOR_ID: default 63 | 64 | # Additional container environment variable in raw YAML format 65 | # Uncomment or add additional environment variables for the container here. 66 | envRaw: {} 67 | # - name: REDIS_PASSWORD 68 | # value: password 69 | # valueFrom: 70 | # secretKeyRef: 71 | # name: redis-password 72 | # key: password 73 | # - name: POD_IP 74 | # valueFrom: 75 | # fieldRef: 76 | # fieldPath: status.podIP 77 | 78 | imagePullSecrets: [] 79 | 80 | security: 81 | # Security Context for all containers in the pod. 
82 | # https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#podsecuritycontext-v1-core 83 | podSecurityContext: 84 | runAsUser: 8888 85 | # Security Context for the Ambassador container specifically 86 | # https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#securitycontext-v1-core 87 | containerSecurityContext: 88 | allowPrivilegeEscalation: false 89 | # A basic PodSecurityPolicy to ensure Ambassador is running with appropriate security permissions 90 | # https://kubernetes.io/docs/concepts/policy/pod-security-policy/ 91 | # 92 | # A set of reasonable defaults is outlined below. This is not created by default as it should only 93 | # be created by one Release. If you want to use the PodSecurityPolicy in the chart, create it in 94 | # the "master" Release and then leave it unset in all others. Set `rbac.podSecurityPolicies` 95 | # in all non-"master" Releases. PodSecurityPolicy was removed in Kubernetes 1.25, so this applies only to older clusters. 96 | podSecurityPolicy: {} 97 | # # Add AppArmor and Seccomp annotations 98 | # # https://kubernetes.io/docs/concepts/policy/pod-security-policy/#apparmor 99 | # annotations: 100 | # spec: 101 | # seLinux: 102 | # rule: RunAsAny 103 | # supplementalGroups: 104 | # rule: 'MustRunAs' 105 | # ranges: 106 | # # Forbid adding the root group. 107 | # - min: 1 108 | # max: 65535 109 | # fsGroup: 110 | # rule: 'MustRunAs' 111 | # ranges: 112 | # # Forbid adding the root group. 
113 | # - min: 1 114 | # max: 65535 115 | # privileged: false 116 | # allowPrivilegeEscalation: false 117 | # runAsUser: 118 | # rule: MustRunAsNonRoot 119 | 120 | image: 121 | repository: docker.io/datawire/aes 122 | tag: 1.12.3 123 | pullPolicy: IfNotPresent 124 | 125 | dnsPolicy: "ClusterFirst" 126 | hostNetwork: false 127 | 128 | service: 129 | type: LoadBalancer 130 | 131 | # Note that target http ports need to match your ambassador configurations service_port 132 | # https://www.getambassador.io/reference/modules/#the-ambassador-module 133 | ports: 134 | - name: http 135 | port: 80 136 | targetPort: 8080 137 | protocol: TCP 138 | nodePort: 32080 139 | # hostPort: 80 140 | - name: https 141 | port: 443 142 | targetPort: 8443 143 | protocol: TCP 144 | nodePort: 32443 145 | # hostPort: 443 146 | # TCPMapping_Port 147 | # port: 2222 148 | # targetPort: 2222 149 | # protocol: TCP 150 | # nodePort: 30222 151 | 152 | externalTrafficPolicy: 153 | 154 | sessionAffinity: 155 | 156 | sessionAffinityConfig: 157 | 158 | externalIPs: [] 159 | 160 | annotations: {} 161 | 162 | # Manually set the name of the generated Service 163 | nameOverride: 164 | ############################################################################# 165 | ## Ambassador should be configured using CRD definition. If you want 166 | ## to use annotations, the following is an example of annotating the 167 | ## Ambassador service with global configuration manifest. 
168 | ## 169 | ## See https://www.getambassador.io/reference/core/ambassador and 170 | ## https://www.getambassador.io/reference/core/tls for more info 171 | ############################################################################# 172 | # 173 | # getambassador.io/config: | 174 | # --- 175 | # apiVersion: ambassador/v1 176 | # kind: TLSContext 177 | # name: ambassador 178 | # secret: ambassador-certs 179 | # hosts: ["*"] 180 | # --- 181 | # apiVersion: ambassador/v1 182 | # kind: Module 183 | # name: ambassador 184 | # config: 185 | # admin_port: 8001 186 | # diag_port: 8877 187 | # diagnostics: 188 | # enabled: true 189 | # enable_grpc_http11_bridge: false 190 | # enable_grpc_web: false 191 | # enable_http10: false 192 | # enable_ipv4: true 193 | # enable_ipv6: false 194 | # liveness_probe: 195 | # enabled: true 196 | # lua_scripts: 197 | # readiness_probe: 198 | # enabled: true 199 | # server_name: envoy 200 | # service_port: 8080 201 | # use_proxy_proto: false 202 | # use_remote_address: true 203 | # xff_num_trusted_hops: 0 204 | # x_forwarded_proto_redirect: false 205 | # load_balancer: 206 | # policy: round_robin 207 | # circuit_breakers: 208 | # max_connections: 2048 209 | # retry_policy: 210 | # retry_on: "5xx" 211 | # cors: 212 | 213 | adminService: 214 | create: true 215 | type: ClusterIP 216 | port: 8877 217 | snapshotPort: 8005 218 | # NodePort used if type is NodePort 219 | # nodePort: 38877 220 | annotations: 221 | {} 222 | 223 | rbac: 224 | # Specifies whether RBAC resources should be created 225 | create: true 226 | # List of Pod Security Policies to use on the container. 227 | # If security.podSecurityPolicy is set, it will be appended to the list 228 | podSecurityPolicies: [] 229 | # Name of the RBAC resources defaults to the name of the release. 230 | # Set nameOverride when installing Ambassador with cluster-wide scope in 231 | # different namespaces with the same release name to avoid conflicts. 
232 | nameOverride: 233 | 234 | scope: 235 | # tells Ambassador to only use resources in the namespace or namespace set by namespace.name 236 | singleNamespace: false 237 | 238 | serviceAccount: 239 | # Specifies whether a service account should be created 240 | create: true 241 | # The name of the service account to use. 242 | # If not set and create is true, a name is generated using the fullname template 243 | name: 244 | 245 | deploymentStrategy: 246 | type: RollingUpdate 247 | 248 | restartPolicy: 249 | 250 | terminationGracePeriodSeconds: 251 | 252 | initContainers: [] 253 | 254 | sidecarContainers: [] 255 | 256 | livenessProbe: 257 | initialDelaySeconds: 30 258 | periodSeconds: 3 259 | failureThreshold: 3 260 | 261 | readinessProbe: 262 | initialDelaySeconds: 30 263 | periodSeconds: 3 264 | failureThreshold: 3 265 | 266 | 267 | volumes: [] 268 | 269 | volumeMounts: [] 270 | 271 | podLabels: 272 | {} 273 | 274 | podAnnotations: 275 | {} 276 | # prometheus.io/scrape: "true" 277 | # prometheus.io/port: "9102" 278 | 279 | deploymentLabels: 280 | {} 281 | 282 | deploymentAnnotations: 283 | {} 284 | # configmap.reloader.stakater.com/auto: "true" 285 | 286 | resources: 287 | # Recommended resource requests and limits for Ambassador 288 | limits: 289 | cpu: 1000m 290 | memory: 600Mi 291 | requests: 292 | cpu: 200m 293 | memory: 300Mi 294 | 295 | priorityClassName: "" 296 | 297 | nodeSelector: {} 298 | 299 | tolerations: [] 300 | 301 | affinity: {} 302 | 303 | ambassadorConfig: "" 304 | 305 | crds: 306 | enabled: true 307 | create: true 308 | keep: true 309 | 310 | # Prometheus Operator ServiceMonitor configuration 311 | # See documentation: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#servicemonitor 312 | metrics: 313 | serviceMonitor: 314 | enabled: false 315 | # interval: 30s 316 | # scrapeTimeout: 30s 317 | # selector: {} 318 | 319 | ################################################################################ 320 | ## 
Ambassador Edge Stack Configuration ## 321 | ################################################################################ 322 | 323 | # The Ambassador Edge Stack is free for limited use without a license key. 324 | # Go to https://{ambassador-host}/edge_stack/admin/#dashboard to register 325 | # for a community license key. 326 | 327 | enableAES: true 328 | 329 | # Set createSecret: false if installing multiple releases of The Ambassador 330 | # Edge Stack in the same namespace. 331 | licenseKey: 332 | value: 333 | createSecret: true 334 | secretName: 335 | # Annotations to attach to the license-key-secret. 336 | annotations: 337 | {} 338 | 339 | # The DevPortal is exposed at /docs/ endpoint in the AES container. 340 | # Setting this to true will automatically create routes for the DevPortal. 341 | createDevPortalMappings: true 342 | 343 | # The Ambassador Edge Stack uses a redis instance for managing authentication, 344 | # rate limiting, and sharing minor configuration details between pods for 345 | # centralized management. These values configure the redis instance that ships 346 | # by default with The Ambassador Edge Stack. 347 | # 348 | # URL of your redis instance. Defaults to redis instance created below. 349 | redisURL: 350 | 351 | # Ambassador ships with a basic redis instance. Configure the deployment with the options below. 352 | redis: 353 | create: true 354 | image: 355 | repository: redis 356 | tag: 5.0.1 357 | pullPolicy: IfNotPresent 358 | # Annotations for Ambassador Pro's redis instance. 359 | annotations: 360 | deployment: 361 | {} 362 | service: 363 | {} 364 | resources: {} 365 | # If you want to specify resources, uncomment the following 366 | # lines and remove the curly braces after 'resources:'. 367 | # These are placeholder values and must be tuned. 
368 | # limits: 369 | # cpu: 100m 370 | # memory: 256Mi 371 | # requests: 372 | # cpu: 50m 373 | # memory: 128Mi 374 | nodeSelector: {} 375 | affinity: {} 376 | tolerations: {} 377 | 378 | 379 | # Configures the AuthService that ships with the Ambassador Edge Stack. 380 | # Setting authService.create: false will not install the AES AuthService and 381 | # allows you to define your own. 382 | # 383 | # Typically when using the AES, you will want to keep this set to true and use 384 | # the External Filter to communicate with a custom authentication service. 385 | # https://www.getambassador.io/reference/filter-reference/#filter-type-external 386 | authService: 387 | create: true 388 | # Set additional configuration options. See https://www.getambassador.io/reference/services/auth-service for more information 389 | optional_configurations: 390 | # include_body: 391 | # max_bytes: 4096 392 | # allow_partial: true 393 | # status_on_error: 394 | # code: 403 395 | # failure_mode_allow: false 396 | # retry_policy: 397 | # retry_on: "5xx" 398 | # num_retries: 2 399 | # add_linkerd_headers: true 400 | # timeout_ms: 30000 401 | 402 | 403 | # Configures the RateLimitService in the Ambassador Edge Stack. 404 | # Keep this enabled to configure RateLimits in AES. 405 | rateLimit: 406 | create: true 407 | 408 | # Projects are a beta feature of Ambassador that allow developers to stage and 409 | # deploy code with nothing more than a GitHub repository. 410 | # See: https://www.getambassador.io/docs/latest/topics/using/projects/ 411 | registry: 412 | create: false 413 | 414 | # Resolvers are used to configure the discovery service strategy for Ambassador Edge Stack. 
415 | # See: https://www.getambassador.io/docs/latest/topics/running/resolvers/ 416 | resolvers: 417 | endpoint: 418 | create: false 419 | name: "endpoint" 420 | consul: 421 | create: false 422 | name: "consul-dc1" 423 | spec: {} 424 | # Configuration for a Consul Resolver 425 | # address: consul-server.default.svc.cluster.local:8500 426 | # datacenter: dc1 427 | 428 | ################################################################################ 429 | ## DEPRECATED configuration objects ## 430 | ################################################################################ 431 | 432 | # DEPRECATED: Ambassador now exposes the /metrics endpoint in Envoy. 433 | # DEPRECATED: See https://www.getambassador.io/user-guide/monitoring#deployment for more information on how to use the /metrics endpoint 434 | # 435 | # DEPRECATED: Enabling the prometheus exporter creates a sidecar and configures ambassador to use it 436 | prometheusExporter: 437 | enabled: false 438 | repository: prom/statsd-exporter 439 | tag: v0.8.1 440 | pullPolicy: IfNotPresent 441 | resources: {} 442 | # If you do want to specify resources, uncomment the following 443 | # lines, adjust them as necessary, and remove the curly braces after 'resources:'. 444 | # limits: 445 | # cpu: 100m 446 | # memory: 256Mi 447 | # requests: 448 | # cpu: 50m 449 | # memory: 128Mi 450 | # You can configure the statsd exporter to modify the behavior of mappings and other features. 
451 | # See documentation: https://github.com/prometheus/statsd_exporter/tree/v0.8.1#metric-mapping-and-configuration 452 | # Uncomment the following line if you wish to specify a custom configuration: 453 | # configuration: | 454 | # --- 455 | # mappings: 456 | # - match: 'envoy.cluster.*.upstream_cx_connect_ms' 457 | # name: "envoy_cluster_upstream_cx_connect_time" 458 | # timer_type: 'histogram' 459 | # labels: 460 | # cluster_name: "$1" 461 | 462 | # DEPRECATED: Use security.podSecurityContext 463 | # securityContext: 464 | # runAsUser: 8888 465 | 466 | 467 | # Configures Service Preview that ships with the Ambassador Edge Stack and edgectl. 468 | # Setting servicePreview.enabled: true will install the Traffic Agent Service Account, Traffic Manager with RBAC, and ambassador-injector 469 | servicePreview: 470 | enabled: false 471 | trafficManager: 472 | image: 473 | # Leave blank to use image.repository and image.tag 474 | repository: 475 | tag: 476 | serviceAccountName: "traffic-manager" 477 | trafficAgent: 478 | image: 479 | # Leave blank to use image.repository and image.tag 480 | repository: 481 | tag: 482 | singleNamespace: true 483 | serviceAccountName: "traffic-agent" 484 | port: 9900 485 | 486 | # Configure the ambassador-injector webhook for Service Preview Traffic Agent automatic sidecar injection. 487 | injector: 488 | enabled: true 489 | 490 | # If no injector.crtPEM and injector.keyPEM are provided, a self-signed certificate will be issued 491 | # for the Common Name (CN) of `<service-name>.<namespace>.svc`, which is the cluster-internal DNS name 492 | # for the service. 
493 | crtPEM: "" 494 | keyPEM: "" 495 | 496 | # Configure the ambassador agent 497 | agent: 498 | enabled: true 499 | # this will be empty when it first gets applied, then the user will edit the agent to 500 | # make it start reporting 501 | cloudConnectToken: "" 502 | rpcAddress: https://app.getambassador.io/ 503 | image: 504 | # Leave blank to use image.repository and image.tag 505 | tag: 506 | repository: 507 | deploymentTool: "" 508 | -------------------------------------------------------------------------------- /manifests/canary-app-timed/README.md: -------------------------------------------------------------------------------- 1 | # Canary-app-timed 2 | App repo: https://github.com/codefresh-contrib/gitops-certification-examples/tree/main/canary-app-timed -------------------------------------------------------------------------------- /manifests/canary-app-timed/base/host.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: getambassador.io/v2 2 | kind: Host 3 | metadata: 4 | name: demo-host 5 | spec: 6 | # Disable ACME-managed TLS on ambassador (no certificate is requested for this Host) 7 | acmeProvider: 8 | authority: none 9 | # Allow HTTP port to be used as is: insecure (cleartext) requests are routed, not redirected to HTTPS 10 | requestPolicy: 11 | insecure: 12 | action: Route 13 | 14 | 15 | -------------------------------------------------------------------------------- /manifests/canary-app-timed/base/mapping.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: getambassador.io/v2 3 | kind: Mapping 4 | metadata: 5 | name: summer-k8s-mapping 6 | spec: 7 | prefix: /demo/ 8 | service: summer-k8s-service-stable 9 | resolver: endpoint 10 | --- 11 | apiVersion: getambassador.io/v2 12 | kind: Mapping 13 | metadata: 14 | name: summer-k8s-mapping-stable 15 | spec: 16 | prefix: /stable/ 17 | service: summer-k8s-service-stable 18 | resolver: endpoint 19 | --- 20 | apiVersion: getambassador.io/v2 21 | kind: Mapping 22 | metadata: 23 | name: summer-k8s-mapping-unstable 
24 | spec: 25 | prefix: /unstable/ 26 | service: summer-k8s-service-canary 27 | resolver: endpoint -------------------------------------------------------------------------------- /manifests/canary-app-timed/base/resolver.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: getambassador.io/v2 2 | kind: KubernetesEndpointResolver 3 | metadata: 4 | name: endpoint 5 | -------------------------------------------------------------------------------- /manifests/canary-app-timed/base/rollout.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: argoproj.io/v1alpha1 3 | kind: Rollout 4 | metadata: 5 | name: simple-rollout 6 | spec: 7 | revisionHistoryLimit: 1 8 | replicas: 10 9 | selector: 10 | matchLabels: 11 | app: summer-k8s-app 12 | template: 13 | metadata: 14 | labels: 15 | app: summer-k8s-app 16 | spec: 17 | containers: 18 | - name: webserver-simple 19 | image: docker.io/todaywasawesome/colors:master-88a8cea 20 | imagePullPolicy: Always 21 | ports: 22 | - containerPort: 8080 23 | strategy: 24 | canary: 25 | stableService: summer-k8s-service-stable 26 | canaryService: summer-k8s-service-canary 27 | trafficRouting: 28 | ambassador: 29 | mappings: 30 | - summer-k8s-mapping 31 | steps: 32 | - setWeight: 30 33 | - pause: {duration: 2m} 34 | - setWeight: 60 35 | - pause: {duration: 2m} 36 | - setWeight: 100 37 | -------------------------------------------------------------------------------- /manifests/canary-app-timed/base/service.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: Service 4 | metadata: 5 | name: summer-k8s-service-stable 6 | labels: 7 | app: summer-k8s-app 8 | spec: 9 | type: ClusterIP 10 | selector: 11 | app: summer-k8s-app 12 | ports: 13 | - name: http 14 | protocol: TCP 15 | port: 80 16 | targetPort: 8080 17 | --- 18 | apiVersion: v1 19 | kind: Service 20 | metadata: 21 | 
name: summer-k8s-service-canary 22 | labels: 23 | app: summer-k8s-app 24 | spec: 25 | type: ClusterIP 26 | selector: 27 | app: summer-k8s-app 28 | ports: 29 | - name: http 30 | protocol: TCP 31 | port: 80 32 | targetPort: 8080 -------------------------------------------------------------------------------- /manifests/colors/README.md: -------------------------------------------------------------------------------- 1 | # Colors Application 2 | App repo: https://github.com/todaywasawesome/color-coded 3 | 4 | # Promoting changes from staging to production. 5 | The manifest folder uses a sub-folder for each application to be managed with additional subfolders for each environment. 6 | * base - Contains all the manifests needed to deploy an application. 7 | * staging - Contains a kustomization overlay with a patch for staging and then overrides that normally go with releases. 8 | * production - Contains the same as staging with a different specific overlay for prod. 9 | 10 | To release a change, first update the staging kustomization. After a successful rollout and test, make the same changes to the production version. 11 | 12 | # Using Helm 13 | The base folder may contain a Helm chart. The overlays may reference this Helm chart or an external Helm chart with a specific version. 
-------------------------------------------------------------------------------- /manifests/colors/base/host.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: getambassador.io/v2 2 | kind: Host 3 | metadata: 4 | name: demo-host 5 | spec: 6 | # Disable ACME-managed TLS on ambassador (no certificate is requested for this Host) 7 | acmeProvider: 8 | authority: none 9 | # Allow HTTP port to be used as is: insecure (cleartext) requests are routed, not redirected to HTTPS 10 | requestPolicy: 11 | insecure: 12 | action: Route 13 | 14 | 15 | -------------------------------------------------------------------------------- /manifests/colors/base/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | resources: 4 | - host.yaml 5 | - mapping.yaml 6 | - resolver.yaml 7 | - rollout.yaml 8 | - service.yaml -------------------------------------------------------------------------------- /manifests/colors/base/mapping.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: getambassador.io/v2 3 | kind: Mapping 4 | metadata: 5 | name: summer-k8s-mapping 6 | spec: 7 | prefix: /demo/ 8 | service: summer-k8s-service-stable 9 | resolver: endpoint 10 | --- 11 | apiVersion: getambassador.io/v2 12 | kind: Mapping 13 | metadata: 14 | name: summer-k8s-mapping-stable 15 | spec: 16 | prefix: /stable/ 17 | service: summer-k8s-service-stable 18 | resolver: endpoint 19 | --- 20 | apiVersion: getambassador.io/v2 21 | kind: Mapping 22 | metadata: 23 | name: summer-k8s-mapping-unstable 24 | spec: 25 | prefix: /unstable/ 26 | service: summer-k8s-service-canary 27 | resolver: endpoint -------------------------------------------------------------------------------- /manifests/colors/base/resolver.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: getambassador.io/v2 2 | kind: KubernetesEndpointResolver 3 | metadata: 4 | name: endpoint 5 | 
-------------------------------------------------------------------------------- /manifests/colors/base/rollout.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: argoproj.io/v1alpha1 3 | kind: Rollout 4 | metadata: 5 | name: simple-rollout 6 | spec: 7 | revisionHistoryLimit: 1 8 | replicas: 10 9 | selector: 10 | matchLabels: 11 | app: summer-k8s-app 12 | template: 13 | metadata: 14 | labels: 15 | app: summer-k8s-app 16 | spec: 17 | containers: 18 | - name: webserver-simple 19 | image: docker.io/todaywasawesome/colors:master-5a1a370 20 | imagePullPolicy: Always 21 | ports: 22 | - containerPort: 8080 23 | strategy: 24 | canary: 25 | stableService: summer-k8s-service-stable 26 | canaryService: summer-k8s-service-canary 27 | trafficRouting: 28 | ambassador: 29 | mappings: 30 | - summer-k8s-mapping 31 | steps: 32 | - setWeight: 30 33 | - pause: {duration: 35} 34 | - setWeight: 60 35 | - pause: {duration: 35} 36 | - setWeight: 100 37 | -------------------------------------------------------------------------------- /manifests/colors/base/service.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: Service 4 | metadata: 5 | name: summer-k8s-service-stable 6 | labels: 7 | app: summer-k8s-app 8 | spec: 9 | type: ClusterIP 10 | selector: 11 | app: summer-k8s-app 12 | ports: 13 | - name: http 14 | protocol: TCP 15 | port: 80 16 | targetPort: 8080 17 | --- 18 | apiVersion: v1 19 | kind: Service 20 | metadata: 21 | name: summer-k8s-service-canary 22 | labels: 23 | app: summer-k8s-app 24 | spec: 25 | type: ClusterIP 26 | selector: 27 | app: summer-k8s-app 28 | ports: 29 | - name: http 30 | protocol: TCP 31 | port: 80 32 | targetPort: 8080 -------------------------------------------------------------------------------- /manifests/colors/production/kustomization.yaml: -------------------------------------------------------------------------------- 1 | 
apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | resources: 4 | - ../base 5 | patches: 6 | - prod.yaml 7 | 8 | patchesStrategicMerge: 9 | - |- 10 | apiVersion: argoproj.io/v1alpha1 11 | kind: Rollout 12 | metadata: 13 | name: simple-rollout 14 | spec: 15 | template: 16 | spec: 17 | containers: 18 | - name: webserver-simple 19 | image: todaywasawesome/colors:blue #yellow, blue, or purple 20 | -------------------------------------------------------------------------------- /manifests/colors/production/prod.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/todaywasawesome/oss-apps/864c3dcfbf4748f25cfd9e97e1eba00dc3a09623/manifests/colors/production/prod.yaml -------------------------------------------------------------------------------- /manifests/colors/staging/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | resources: 4 | - ../base 5 | patches: 6 | - staging.yaml 7 | 8 | patchesStrategicMerge: 9 | - |- 10 | apiVersion: argoproj.io/v1alpha1 11 | kind: Rollout 12 | metadata: 13 | name: simple-rollout 14 | spec: 15 | template: 16 | spec: 17 | containers: 18 | - name: webserver-simple 19 | image: todaywasawesome/colors:blue #Available releases are blue, purple, yellow 20 | -------------------------------------------------------------------------------- /manifests/colors/staging/staging.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/todaywasawesome/oss-apps/864c3dcfbf4748f25cfd9e97e1eba00dc3a09623/manifests/colors/staging/staging.yaml --------------------------------------------------------------------------------