Skip to content

Commit

Permalink
Merge pull request #925 from hashicorp/api-gateway/initial-support
Browse files Browse the repository at this point in the history 
initial support for API Gateway
  • Loading branch information
@nickethier
nickethier authored Jan 26, 2022
2 parents 6744883 + f107e5f commit a64c8e7
Show file tree
Hide file tree
Showing 20 changed files with 1,386 additions and 7 deletions.
211 changes: 211 additions & 0 deletions charts/consul/templates/api-gateway-controller-clusterrole.yaml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,211 @@
{{- if .Values.apiGateway.enabled }}
# The ClusterRole to enable the API Gateway controller to access required api endpoints.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ template "consul.fullname" . }}-api-gateway-controller
labels:
app: {{ template "consul.name" . }}
chart: {{ template "consul.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
component: api-gateway-controller
rules:
- apiGroups:
- api-gateway.consul.hashicorp.com
resources:
- gatewayclassconfigs
verbs:
- get
- list
- update
- watch
- apiGroups:
- api-gateway.consul.hashicorp.com
resources:
- gatewayclassconfigs/finalizers
verbs:
- update
- apiGroups:
- apps
resources:
- deployments
verbs:
- create
- get
- list
- watch
- apiGroups:
- coordination.k8s.io
resources:
- leases
verbs:
- create
- get
- list
- update
- apiGroups:
- ""
resources:
- configmaps
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- ""
resources:
- configmaps/status
verbs:
- get
- patch
- update
- apiGroups:
- ""
resources:
- events
verbs:
- create
- patch
- apiGroups:
- ""
resources:
- pods
verbs:
- list
- watch
- apiGroups:
- ""
resources:
- secrets
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- services
verbs:
- create
- get
- list
- watch
- apiGroups:
- ""
resources:
- serviceaccounts
verbs:
- create
- get
- list
- watch
- apiGroups:
- gateway.networking.k8s.io
resources:
- gatewayclasses
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- gateway.networking.k8s.io
resources:
- gatewayclasses/finalizers
verbs:
- update
- apiGroups:
- gateway.networking.k8s.io
resources:
- gatewayclasses/status
verbs:
- get
- patch
- update
- apiGroups:
- gateway.networking.k8s.io
resources:
- gateways
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- gateway.networking.k8s.io
resources:
- gateways/finalizers
verbs:
- update
- apiGroups:
- gateway.networking.k8s.io
resources:
- gateways/status
verbs:
- get
- patch
- update
- apiGroups:
- gateway.networking.k8s.io
resources:
- httproutes
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- gateway.networking.k8s.io
resources:
- httproutes/finalizers
verbs:
- update
- apiGroups:
- gateway.networking.k8s.io
resources:
- httproutes/status
verbs:
- get
- patch
- update
- apiGroups:
- gateway.networking.k8s.io
resources:
- tcproutes
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- gateway.networking.k8s.io
resources:
- tcproutes/finalizers
verbs:
- update
- apiGroups:
- gateway.networking.k8s.io
resources:
- tcproutes/status
verbs:
- get
- patch
- update
{{- end }}
20 changes: 20 additions & 0 deletions charts/consul/templates/api-gateway-controller-clusterrolebinding.yaml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,20 @@
{{- if .Values.apiGateway.enabled }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ template "consul.fullname" . }}-api-gateway-controller
labels:
app: {{ template "consul.name" . }}
chart: {{ template "consul.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
component: api-gateway-controller
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ template "consul.fullname" . }}-api-gateway-controller
subjects:
- kind: ServiceAccount
name: {{ template "consul.fullname" . }}-api-gateway-controller
namespace: {{ .Release.Namespace }}
{{- end }}
148 changes: 148 additions & 0 deletions charts/consul/templates/api-gateway-controller-deployment.yaml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,148 @@
{{- if .Values.apiGateway.enabled }}
{{- if not .Values.client.grpc }}{{ fail "client.grpc must be true for api gateway" }}{{ end }}
{{- if not .Values.apiGateway.image}}{{ fail "apiGateway.image must be set to enable api gateway" }}{{ end }}
{{- if and .Values.global.adminPartitions.enabled (not .Values.global.enableConsulNamespaces) }}{{ fail "global.enableConsulNamespaces must be true if global.adminPartitions.enabled=true" }}{{ end }}
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ template "consul.fullname" . }}-api-gateway-controller
namespace: {{ .Release.Namespace }}
labels:
app: {{ template "consul.name" . }}
chart: {{ template "consul.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
component: api-gateway-controller
spec:
replicas: {{ .Values.apiGateway.controller.replicas }}
selector:
matchLabels:
app: {{ template "consul.name" . }}
chart: {{ template "consul.chart" . }}
release: {{ .Release.Name }}
component: api-gateway-controller
template:
metadata:
annotations:
consul.hashicorp.com/connect-inject: "false"
{{- if (and .Values.global.secretsBackend.vault.enabled .Values.global.tls.enabled) }}
"vault.hashicorp.com/agent-init-first": "true"
"vault.hashicorp.com/agent-inject": "true"
"vault.hashicorp.com/role": {{ .Values.global.secretsBackend.vault.consulCARole }}
"vault.hashicorp.com/agent-inject-secret-serverca.crt": {{ .Values.global.tls.caCert.secretName }}
"vault.hashicorp.com/agent-inject-template-serverca.crt": {{ template "consul.serverTLSCATemplate" . }}
{{- if and .Values.global.secretsBackend.vault.ca.secretName .Values.global.secretsBackend.vault.ca.secretKey }}
"vault.hashicorp.com/agent-extra-secret": "{{ .Values.global.secretsBackend.vault.ca.secretName }}"
"vault.hashicorp.com/ca-cert": "/vault/custom/{{ .Values.global.secretsBackend.vault.ca.secretKey }}"
{{- end }}
{{- end }}
labels:
app: {{ template "consul.name" . }}
chart: {{ template "consul.chart" . }}
release: {{ .Release.Name }}
component: api-gateway-controller
spec:
serviceAccountName: {{ template "consul.fullname" . }}-api-gateway-controller
containers:
- name: api-gateway-controller
image: {{ .Values.apiGateway.image }}
ports:
- containerPort: 9090
name: sds
protocol: TCP
env:
{{- if .Values.global.tls.enabled }}
- name: CONSUL_CACERT
value: /consul/tls/ca/tls.crt
{{- end }}
- name: HOST_IP
valueFrom:
fieldRef:
fieldPath: status.hostIP
- name: IP
valueFrom:
fieldRef:
fieldPath: status.podIP
{{- if .Values.global.acls.manageSystemACLs }}
- name: CONSUL_HTTP_TOKEN
valueFrom:
secretKeyRef:
name: "{{ template "consul.fullname" . }}-api-gateway-controller-acl-token"
key: "token"
{{- end }}
- name: CONSUL_HTTP_ADDR
{{- if .Values.global.tls.enabled }}
value: https://$(HOST_IP):8501
{{- else }}
value: http://$(HOST_IP):8500
{{- end }}
command:
- "/bin/sh"
- "-ec"
- |
consul-api-gateway server \
-sds-server-host $(IP) \
-k8s-namespace {{ .Release.Namespace }} \
-log-level {{ default .Values.global.logLevel .Values.apiGateway.logLevel }} \
volumeMounts:
{{- if .Values.global.tls.enabled }}
{{- if .Values.global.tls.enableAutoEncrypt }}
- name: consul-auto-encrypt-ca-cert
{{- else }}
- name: consul-ca-cert
{{- end }}
mountPath: /consul/tls/ca
readOnly: true
{{- end }}
volumes:
{{- if .Values.global.tls.enabled }}
{{- if not (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) }}
- name: consul-ca-cert
secret:
{{- if .Values.global.tls.caCert.secretName }}
secretName: {{ .Values.global.tls.caCert.secretName }}
{{- else }}
secretName: {{ template "consul.fullname" . }}-ca-cert
{{- end }}
items:
- key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }}
path: tls.crt
{{- end }}
{{- if .Values.global.tls.enableAutoEncrypt }}
- name: consul-auto-encrypt-ca-cert
emptyDir:
medium: "Memory"
{{- end }}
{{- end }}
{{- if or (and .Values.global.acls.manageSystemACLs) (and .Values.global.tls.enabled .Values.global.tls.enableAutoEncrypt) }}
initContainers:
{{- if .Values.global.acls.manageSystemACLs }}
- name: api-gateway-controller-acl-init
image: {{ .Values.global.imageK8S }}
command:
- "/bin/sh"
- "-ec"
- |
consul-k8s-control-plane acl-init \
-secret-name="{{ template "consul.fullname" . }}-api-gateway-controller-acl-token" \
-k8s-namespace={{ .Release.Namespace }}
resources:
requests:
memory: "25Mi"
cpu: "50m"
limits:
memory: "25Mi"
cpu: "50m"
{{- end }}
{{- if (and .Values.global.tls.enabled .Values.global.tls.enableAutoEncrypt) }}
{{- include "consul.getAutoEncryptClientCA" . | nindent 6 }}
{{- end }}
{{- end }}
{{- if .Values.apiGateway.controller.priorityClassName }}
priorityClassName: {{ .Values.apiGateway.controller.priorityClassName | quote }}
{{- end }}
{{- if .Values.apiGateway.controller.nodeSelector }}
nodeSelector:
{{ tpl .Values.apiGateway.controller.nodeSelector . | indent 8 | trim }}
{{- end }}
{{- end }}
Loading

0 comments on commit a64c8e7

Please sign in to comment.