Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

initial support for API Gateway #925

Merged
merged 13 commits into from
Jan 26, 2022
Merged

initial support for API Gateway #925

Show file tree
Hide file tree
Changes from 9 commits
Commits
Show all changes
13 commits
Select commit Hold shift + click to select a range
e7b21bb
server-acl-init: add api-gateway-controller token generation
nickethier Dec 10, 2021
5280b17
templates: add initial api-gateway templates
nickethier Dec 10, 2021
a85c585
plumb through auto encrypt and auth method
nickethier Jan 19, 2022
9779221
lint: fix fmt error
nickethier Jan 19, 2022
253f3af
api-gateway: add unit tests for template files
nickethier Jan 19, 2022
819d3a1
api-gateway: remove default image
nickethier Jan 19, 2022
b292168
Apply suggestions from code review
nickethier Jan 20, 2022
e8be08a
simplify enabled condition check
nickethier Jan 22, 2022
8d2c728
skip namespace check for gateway and gatewayclass crds
nickethier Jan 24, 2022
683978e
Apply suggestions from code review
nickethier Jan 26, 2022
505bf65
add token tests for api gateway controller
nickethier Jan 26, 2022
1fd1b53
add token tests for api gateway controller
nickethier Jan 26, 2022
f107e5f
Apply suggestions from code review
nickethier Jan 26, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
211 changes: 211 additions & 0 deletions charts/consul/templates/api-gateway-controller-clusterrole.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,211 @@
{{- if .Values.apiGateway.enabled }}
# The ClusterRole to enable the API Gateway controller to access required api endpoints.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ template "consul.fullname" . }}-api-gateway-controller
labels:
app: {{ template "consul.name" . }}
chart: {{ template "consul.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
component: api-gateway-controller
rules:
- apiGroups:
- api-gateway.consul.hashicorp.com
resources:
- gatewayclassconfigs
verbs:
- get
- list
- update
- watch
- apiGroups:
- api-gateway.consul.hashicorp.com
resources:
- gatewayclassconfigs/finalizers
verbs:
- update
- apiGroups:
- apps
resources:
- deployments
verbs:
- create
- get
- list
- watch
- apiGroups:
- coordination.k8s.io
resources:
- leases
verbs:
- create
- get
- list
- update
- apiGroups:
- ""
resources:
- configmaps
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- ""
resources:
- configmaps/status
verbs:
- get
- patch
- update
- apiGroups:
- ""
resources:
- events
verbs:
- create
- patch
- apiGroups:
- ""
resources:
- pods
verbs:
- list
- watch
- apiGroups:
- ""
resources:
- secrets
verbs:
- get
- list
- watch
nickethier marked this conversation as resolved.
Show resolved Hide resolved
- apiGroups:
- ""
resources:
- services
verbs:
- create
- get
- list
- watch
- apiGroups:
- ""
resources:
- serviceaccounts
verbs:
- create
- get
- list
- watch
- apiGroups:
- gateway.networking.k8s.io
resources:
- gatewayclasses
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- gateway.networking.k8s.io
resources:
- gatewayclasses/finalizers
verbs:
- update
- apiGroups:
- gateway.networking.k8s.io
resources:
nickethier marked this conversation as resolved.
Show resolved Hide resolved
- gatewayclasses/status
verbs:
- get
- patch
- update
- apiGroups:
- gateway.networking.k8s.io
resources:
- gateways
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- gateway.networking.k8s.io
resources:
- gateways/finalizers
verbs:
- update
- apiGroups:
- gateway.networking.k8s.io
resources:
- gateways/status
verbs:
- get
- patch
- update
- apiGroups:
- gateway.networking.k8s.io
resources:
- httproutes
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- gateway.networking.k8s.io
resources:
- httproutes/finalizers
verbs:
- update
- apiGroups:
- gateway.networking.k8s.io
resources:
- httproutes/status
verbs:
- get
- patch
- update
- apiGroups:
- gateway.networking.k8s.io
resources:
- tcproutes
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- gateway.networking.k8s.io
resources:
- tcproutes/finalizers
verbs:
- update
- apiGroups:
- gateway.networking.k8s.io
resources:
- tcproutes/status
verbs:
- get
- patch
- update
{{- end }}
20 changes: 20 additions & 0 deletions charts/consul/templates/api-gateway-controller-clusterrolebinding.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,20 @@
{{- if .Values.apiGateway.enabled }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ template "consul.fullname" . }}-api-gateway-controller-role-binding
nickethier marked this conversation as resolved.
Show resolved Hide resolved
labels:
app: {{ template "consul.name" . }}
chart: {{ template "consul.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
component: api-gateway-controller
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ template "consul.fullname" . }}-api-gateway-controller
subjects:
- kind: ServiceAccount
name: {{ template "consul.fullname" . }}-api-gateway-controller-svc-account
nickethier marked this conversation as resolved.
Show resolved Hide resolved
namespace: {{ .Release.Namespace }}
{{- end }}
148 changes: 148 additions & 0 deletions charts/consul/templates/api-gateway-controller-deployment.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,148 @@
{{- if .Values.apiGateway.enabled }}
{{- if not .Values.client.grpc }}{{ fail "client.grpc must be true for api gateway" }}{{ end }}
{{- if not .Values.apiGateway.image}}{{ fail "apiGateway.image must be set to enable api gateway" }}{{ end }}
{{- if and .Values.global.adminPartitions.enabled (not .Values.global.enableConsulNamespaces) }}{{ fail "global.enableConsulNamespaces must be true if global.adminPartitions.enabled=true" }}{{ end }}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If the api gw has other prerequisites, it'd be good add those validations here.

apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ template "consul.fullname" . }}-api-gateway-controller
namespace: {{ .Release.Namespace }}
labels:
app: {{ template "consul.name" . }}
chart: {{ template "consul.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
component: api-gateway-controller
spec:
replicas: {{ .Values.apiGateway.controller.replicas }}
selector:
matchLabels:
app: {{ template "consul.name" . }}
chart: {{ template "consul.chart" . }}
release: {{ .Release.Name }}
component: api-gateway-controller
template:
metadata:
annotations:
consul.hashicorp.com/connect-inject: "false"
{{- if (and .Values.global.secretsBackend.vault.enabled .Values.global.tls.enabled) }}
"vault.hashicorp.com/agent-init-first": "true"
"vault.hashicorp.com/agent-inject": "true"
"vault.hashicorp.com/role": {{ .Values.global.secretsBackend.vault.consulCARole }}
"vault.hashicorp.com/agent-inject-secret-serverca.crt": {{ .Values.global.tls.caCert.secretName }}
"vault.hashicorp.com/agent-inject-template-serverca.crt": {{ template "consul.serverTLSCATemplate" . }}
{{- if and .Values.global.secretsBackend.vault.ca.secretName .Values.global.secretsBackend.vault.ca.secretKey }}
"vault.hashicorp.com/agent-extra-secret": "{{ .Values.global.secretsBackend.vault.ca.secretName }}"
"vault.hashicorp.com/ca-cert": "/vault/custom/{{ .Values.global.secretsBackend.vault.ca.secretKey }}"
{{- end }}
{{- end }}
labels:
app: {{ template "consul.name" . }}
chart: {{ template "consul.chart" . }}
release: {{ .Release.Name }}
component: api-gateway-controller
spec:
serviceAccountName: {{ template "consul.fullname" . }}-api-gateway-controller-svc-account
nickethier marked this conversation as resolved.
Show resolved Hide resolved
containers:
- name: api-gateway-controller
image: {{ .Values.apiGateway.image }}
ports:
- containerPort: 9090
name: sds
protocol: TCP
env:
{{- if .Values.global.tls.enabled }}
- name: CONSUL_CACERT
value: /consul/tls/ca/tls.crt
{{- end }}
- name: HOST_IP
valueFrom:
fieldRef:
fieldPath: status.hostIP
- name: IP
valueFrom:
fieldRef:
fieldPath: status.podIP
{{- if .Values.global.acls.manageSystemACLs }}
- name: CONSUL_HTTP_TOKEN
valueFrom:
secretKeyRef:
name: "{{ template "consul.fullname" . }}-api-gateway-controller-acl-token"
key: "token"
{{- end }}
- name: CONSUL_HTTP_ADDR
{{- if .Values.global.tls.enabled }}
value: https://$(HOST_IP):8501
{{- else }}
value: http://$(HOST_IP):8500
{{- end }}
command:
- "/bin/sh"
- "-ec"
- |
consul-api-gateway server \
-sds-server-host $(IP) \
-k8s-namespace {{ .Release.Namespace }} \
-log-level {{ default .Values.global.logLevel .Values.apiGateway.logLevel }} \
volumeMounts:
{{- if .Values.global.tls.enabled }}
{{- if .Values.global.tls.enableAutoEncrypt }}
- name: consul-auto-encrypt-ca-cert
{{- else }}
- name: consul-ca-cert
{{- end }}
mountPath: /consul/tls/ca
readOnly: true
{{- end }}
volumes:
{{- if .Values.global.tls.enabled }}
{{- if not (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) }}
- name: consul-ca-cert
secret:
{{- if .Values.global.tls.caCert.secretName }}
secretName: {{ .Values.global.tls.caCert.secretName }}
{{- else }}
secretName: {{ template "consul.fullname" . }}-ca-cert
{{- end }}
items:
- key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }}
path: tls.crt
{{- end }}
{{- if .Values.global.tls.enableAutoEncrypt }}
- name: consul-auto-encrypt-ca-cert
emptyDir:
medium: "Memory"
{{- end }}
{{- end }}
{{- if or (and .Values.global.acls.manageSystemACLs) (and .Values.global.tls.enabled .Values.global.tls.enableAutoEncrypt) }}
initContainers:
{{- if .Values.global.acls.manageSystemACLs }}
- name: api-gateway-controller-acl-init
image: {{ .Values.global.imageK8S }}
command:
- "/bin/sh"
- "-ec"
- |
consul-k8s-control-plane acl-init \
-secret-name="{{ template "consul.fullname" . }}-api-gateway-controller-acl-token" \
-k8s-namespace={{ .Release.Namespace }}
resources:
requests:
memory: "25Mi"
cpu: "50m"
limits:
memory: "25Mi"
cpu: "50m"
{{- end }}
{{- if (and .Values.global.tls.enabled .Values.global.tls.enableAutoEncrypt) }}
{{- include "consul.getAutoEncryptClientCA" . | nindent 6 }}
{{- end }}
{{- end }}
{{- if .Values.apiGateway.controller.priorityClassName }}
priorityClassName: {{ .Values.apiGateway.controller.priorityClassName | quote }}
{{- end }}
{{- if .Values.apiGateway.controller.nodeSelector }}
nodeSelector:
{{ tpl .Values.apiGateway.controller.nodeSelector . | indent 8 | trim }}
{{- end }}
{{- end }}
Loading