1 {{/* vim: set filetype=mustache: */}}
3 Create a default fully qualified app name.
4 We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
{{/* Namespace used for chart resources: .Values.namespace when it is set, otherwise the release namespace. */}}
7 {{- define "kong.namespace" -}}
8 {{- default .Release.Namespace .Values.namespace -}}
11 {{- define "kong.release" -}}
12 {{- default .Release.Name -}}
15 {{- define "kong.name" -}}
16 {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
{{/*
Fully qualified name for chart resources: .Values.fullnameOverride when set, otherwise
"<release name>-<chart name or nameOverride>" cut to 63 characters with a trailing "-" removed.
The override is returned as given; it is not truncated by this template.
*/}}
19 {{- define "kong.fullname" -}}
20 {{- $name := default .Chart.Name .Values.nameOverride -}}
21 {{- default (printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-") .Values.fullnameOverride -}}
24 {{- define "kong.chart" -}}
25 {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
{{/*
Common labels for chart resources. Every value in .Values.extraLabels is passed through
"kong.renderTpl" (defined outside this view) and then quoted; the label keys are emitted as given.
*/}}
28 {{- define "kong.metaLabels" -}}
29 app.kubernetes.io/name: {{ template "kong.name" . }}
30 helm.sh/chart: {{ template "kong.chart" . }}
31 app.kubernetes.io/instance: "{{ .Release.Name }}"
32 app.kubernetes.io/managed-by: "{{ .Release.Service }}"
33 app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
34 {{- range $key, $value := .Values.extraLabels }}
35 {{ $key }}: {{ include "kong.renderTpl" (dict "value" $value "context" $) | quote }}
39 {{- define "kong.selectorLabels" -}}
40 app.kubernetes.io/name: {{ template "kong.name" . }}
41 app.kubernetes.io/component: app
42 app.kubernetes.io/instance: "{{ .Release.Name }}"
45 {{- define "kong.postgresql.fullname" -}}
46 {{- $name := default "postgresql" .Values.postgresql.nameOverride -}}
47 {{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
50 {{- define "kong.dblessConfig.fullname" -}}
51 {{- $name := default "kong-custom-dbless-config" .Values.dblessConfig.nameOverride -}}
52 {{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
56 Create the name of the service account to use
{{/*
When deployment.serviceAccount.create is true the name defaults to the chart fullname.
The second "default" line is presumably the else branch (the branch keyword is not visible
here): with no name set it resolves to the namespace's "default" service account, so the pod
then runs with whatever permissions are bound to that shared account.
*/}}
58 {{- define "kong.serviceAccountName" -}}
59 {{- if .Values.deployment.serviceAccount.create -}}
60 {{ default (include "kong.fullname" .) .Values.deployment.serviceAccount.name }}
62 {{ default "default" .Values.deployment.serviceAccount.name }}
67 Create the name of the secret for service account token to use
69 {{- define "kong.serviceAccountTokenName" -}}
70 {{ include "kong.serviceAccountName" . }}-token
74 Create Ingress resource for a Kong service
76 {{- define "kong.ingress" -}}
77 {{- $servicePort := include "kong.ingress.servicePort" . }}
78 {{- $path := .ingress.path -}}
79 {{- $hostname := .ingress.hostname -}}
80 {{- $pathType := .ingress.pathType -}}
81 apiVersion: networking.k8s.io/v1
84 name: {{ .fullName }}-{{ .serviceName }}
85 namespace: {{ .namespace }}
87 {{- .metaLabels | nindent 4 }}
88 {{- range $key, $value := .ingress.labels }}
89 {{- $key | nindent 4 }}: {{ $value | quote }}
91 {{- if .ingress.annotations }}
93 {{- range $key, $value := .ingress.annotations }}
94 {{ $key }}: {{ $value | quote }}
98 {{- if .ingress.ingressClassName }}
99 ingressClassName: {{ .ingress.ingressClassName }}
102 {{- if ( not (or $hostname .ingress.hosts)) }}
107 name: {{ .fullName }}-{{ .serviceName }}
109 number: {{ $servicePort }}
111 pathType: {{ $pathType }}
112 {{- else if $hostname }}
113 - host: {{ $hostname | quote }}
118 name: {{ .fullName }}-{{ .serviceName }}
120 number: {{ $servicePort }}
122 pathType: {{ $pathType }}
124 {{- range .ingress.hosts }}
125 - host: {{ .host | quote }}
131 {{ .backend | toYaml | nindent 12 }}
134 name: {{ $.fullName }}-{{ $.serviceName }}
136 number: {{ $servicePort }}
138 {{- if (and $hostname (and (eq $path .path))) }}
139 {{- fail "duplication of specified ingress path" }}
142 pathType: {{ .pathType }}
145 {{- if (hasKey .ingress "tls") }}
147 {{- if (kindIs "string" .ingress.tls) }}
149 {{- range .ingress.hosts }}
150 - {{ .host | quote }}
153 - {{ $hostname | quote }}
155 secretName: {{ .ingress.tls }}
156 {{- else if (kindIs "slice" .ingress.tls) }}
157 {{- range .ingress.tls }}
162 secretName: {{ .secretName }}
169 Create Service resource for a Kong service
171 {{- define "kong.service" -}}
175 name: {{ .fullName }}-{{ .serviceName }}
176 namespace: {{ .namespace }}
177 {{- if .annotations }}
179 {{- range $key, $value := .annotations }}
180 {{ $key }}: {{ $value | quote }}
184 {{- .metaLabels | nindent 4 }}
185 {{- range $key, $value := .labels }}
186 {{ $key }}: {{ $value | quote }}
190 {{- if eq .type "LoadBalancer" }}
191 {{- if .loadBalancerIP }}
192 loadBalancerIP: {{ .loadBalancerIP }}
194 {{- if .loadBalancerSourceRanges }}
195 loadBalancerSourceRanges:
196 {{- range $cidr := .loadBalancerSourceRanges }}
200 {{- if .loadBalancerClass }}
201 loadBalancerClass: {{ .loadBalancerClass }}
204 {{- if .externalIPs }}
206 {{- range $ip := .externalIPs }}
212 {{- if .http.enabled }}
213 - name: kong-{{ .serviceName }}
214 port: {{ .http.servicePort }}
215 targetPort: {{ .http.containerPort }}
216 {{- if .http.appProtocol }}
217 appProtocol: {{ .http.appProtocol }}
219 {{- if (and (or (eq .type "LoadBalancer") (eq .type "NodePort")) (not (empty .http.nodePort))) }}
220 nodePort: {{ .http.nodePort }}
225 {{- if .tls.enabled }}
226 - name: kong-{{ .serviceName }}-tls
227 port: {{ .tls.servicePort }}
228 targetPort: {{ .tls.overrideServiceTargetPort | default .tls.containerPort }}
229 {{- if .tls.appProtocol }}
230 appProtocol: {{ .tls.appProtocol }}
232 {{- if (and (or (eq .type "LoadBalancer") (eq .type "NodePort")) (not (empty .tls.nodePort))) }}
233 nodePort: {{ .tls.nodePort }}
237 {{- if (hasKey . "stream") }}
238 {{- $defaultProtocol := "TCP" }}
239 {{- if (hasSuffix "udp-proxy" .serviceName) }}
240 {{- $defaultProtocol = "UDP" }}
242 {{- range $index, $streamEntry := .stream }}
243 {{- if (not (hasKey $streamEntry "protocol")) }}
244 {{- $_ := set $streamEntry "protocol" $defaultProtocol }}
248 - name: stream{{ if (eq (default "TCP" .protocol) "UDP") }}udp{{ end }}-{{ .containerPort }}
249 port: {{ .servicePort }}
250 targetPort: {{ .containerPort }}
251 {{- if (and (or (eq $.type "LoadBalancer") (eq $.type "NodePort")) (not (empty .nodePort))) }}
252 nodePort: {{ .nodePort }}
254 protocol: {{ .protocol | default "TCP" }}
257 {{- if .externalTrafficPolicy }}
258 externalTrafficPolicy: {{ .externalTrafficPolicy }}
261 {{- if (or (not (eq .clusterIP "None")) (and (eq .type "ClusterIP") (eq .clusterIP "None"))) }}
262 clusterIP: {{ .clusterIP }}
266 {{- .selectorLabels | nindent 4 }}
271 Create KONG_SERVICE_LISTEN strings
272 Generic tool for creating KONG_PROXY_LISTEN, KONG_ADMIN_LISTEN, etc.
{{/*
Takes a service values block (.http, .tls and optionally .addresses) and returns one
comma-separated listen string with an entry per enabled listener and address, or "off"
when nothing is enabled.
*/}}
274 {{- define "kong.listen" -}}
275 {{- $unifiedListen := list -}}
{{- /* Default bind addresses cover every IPv4 and IPv6 interface; a service narrows this only by setting .addresses. */ -}}
276 {{- $defaultAddrs := (list "0.0.0.0" "[::]") -}}
278 {{/* Some services do not support these blocks at all, so these checks are a
279 two-stage "is it safe to evaluate this?" and then "should we evaluate
283 {{- if .http.enabled -}}
284 {{- $listenConfig := dict -}}
285 {{- $listenConfig := merge $listenConfig .http -}}
286 {{- $addresses := (default $defaultAddrs .addresses) -}}
287 {{- range $addresses -}}
288 {{- $_ := set $listenConfig "address" . -}}
289 {{- $httpListen := (include "kong.singleListen" $listenConfig) -}}
290 {{- $unifiedListen = append $unifiedListen $httpListen -}}
296 {{- if .tls.enabled -}}
298 This is a bit of a hack to support always including "ssl" in the parameter
299 list for TLS listens. It's not possible to set a variable to an object from
300 .Values and then modify one of the objects values locally, although
301 https://github.com/helm/helm/issues/4987 indicates it should be. Instead,
302 this creates a new object and new parameters list built from the original.
304 {{- $listenConfig := dict -}}
305 {{- $listenConfig := merge $listenConfig .tls -}}
306 {{- $parameters := append .tls.parameters "ssl" -}}
307 {{- $_ := set $listenConfig "parameters" $parameters -}}
308 {{- $addresses := (default $defaultAddrs .addresses) -}}
309 {{- range $addresses -}}
310 {{- $_ := set $listenConfig "address" . -}}
311 {{- $tlsListen := (include "kong.singleListen" $listenConfig) -}}
312 {{- $unifiedListen = append $unifiedListen $tlsListen -}}
317 {{- $listenString := ($unifiedListen | join ", ") -}}
318 {{- if eq (len $listenString) 0 -}}
319 {{- $listenString = "off" -}}
321 {{- $listenString -}}
325 Create KONG_PORT_MAPS string
326 Parameters: takes a service (e.g. .Values.proxy) as its argument and returns KONG_PORT_MAPS for that service.
328 {{- define "kong.port_maps" -}}
329 {{- $portMaps := list -}}
331 {{- if .http.enabled -}}
332 {{- $portMaps = append $portMaps (printf "%d:%d" (int64 .http.servicePort) (int64 .http.containerPort)) -}}
335 {{- if .tls.enabled -}}
336 {{- $portMaps = append $portMaps (printf "%d:%d" (int64 .tls.servicePort) (int64 .tls.containerPort)) -}}
339 {{- $portMapsString := ($portMaps | join ", ") -}}
340 {{- $portMapsString -}}
344 Create KONG_STREAM_LISTEN string
{{/*
Builds the stream listen string from the entries in .stream. Each entry binds to its own
.addresses or, when none are given, to all IPv4 and IPv6 interfaces. Entries whose protocol
is UDP get a "udp" parameter appended. With no entries the result is an empty string.
*/}}
346 {{- define "kong.streamListen" -}}
347 {{- $unifiedListen := list -}}
348 {{- $defaultAddrs := (list "0.0.0.0" "[::]") -}}
349 {{- range .stream -}}
350 {{- $listenConfig := dict -}}
351 {{- $listenConfig := merge $listenConfig . -}}
352 {{- $addresses := (default $defaultAddrs .addresses) -}}
353 {{- range $addresses -}}
354 {{- $_ := set $listenConfig "address" . -}}
355 {{/* You set NGINX stream listens to UDP using a parameter due to historical reasons.
356 Our configuration is dual-purpose, for both the Service and listen string, so we
357 forcibly inject this parameter if that's the Service protocol. The default handles
358 configs that predate the addition of the protocol field, where we only supported TCP. */}}
359 {{- if (eq (default "TCP" $listenConfig.protocol) "UDP") -}}
360 {{- $_ := set $listenConfig "parameters" (append (default (list) $listenConfig.parameters) "udp") -}}
362 {{- $unifiedListen = append $unifiedListen (include "kong.singleListen" $listenConfig ) -}}
366 {{- $listenString := ($unifiedListen | join ", ") -}}
367 {{- if eq (len $listenString) 0 -}}
368 {{- $listenString = "" -}}
370 {{- $listenString -}}
374 Create a single listen (IP+port+parameter combo)
{{/*
Formats one listen entry as "<address>:<containerPort>" followed by the entry's parameters,
de-duplicated and separated by spaces. A missing .parameters is treated as an empty list.
*/}}
376 {{- define "kong.singleListen" -}}
377 {{- $listen := list -}}
378 {{- $listen = append $listen (printf "%s:%d" .address (int64 .containerPort)) -}}
379 {{- range $param := .parameters | default (list) | uniq }}
380 {{- $listen = append $listen $param -}}
382 {{- $listen | join " " -}}
386 Return the admin API service name for service discovery
{{/*
Returns "<namespace>/<service name>" for the admin API Service used by gateway discovery.
The namespace is adminApiService.namespace when set, otherwise the chart namespace.
Rendering fails when the settings are inconsistent: an explicit service name together with
generateAdminApiService, no resolvable service name, a controller version below 2.9.0,
deployment.kong.enabled together with discovery, or discovery not enabled at all.
*/}}
388 {{- define "kong.adminSvc" -}}
389 {{- $gatewayDiscovery := .Values.ingressController.gatewayDiscovery -}}
390 {{- if $gatewayDiscovery.enabled -}}
391 {{- $adminApiService := $gatewayDiscovery.adminApiService -}}
392 {{- $adminApiServiceName := $gatewayDiscovery.adminApiService.name -}}
393 {{- $generateAdminApiService := $gatewayDiscovery.generateAdminApiService -}}
395 {{- if and $generateAdminApiService $adminApiService.name -}}
396 {{- fail (printf ".Values.ingressController.gatewayDiscovery.adminApiService and .Values.ingressController.gatewayDiscovery.generateAdminApiService must not be provided at the same time") -}}
399 {{- if $generateAdminApiService -}}
400 {{- $adminApiServiceName = (printf "%s-%s" .Release.Name "gateway-admin") -}}
402 {{- $_ := required ".ingressController.gatewayDiscovery.adminApiService.name has to be provided when .Values.ingressController.gatewayDiscovery.enabled is set to true" $adminApiServiceName -}}
405 {{- if (semverCompare "< 2.9.0" (include "kong.effectiveVersion" .Values.ingressController.image)) }}
406 {{- fail (printf "Gateway discovery is available in controller versions 2.9 and up. Detected %s" (include "kong.effectiveVersion" .Values.ingressController.image)) }}
409 {{- if .Values.deployment.kong.enabled }}
410 {{- fail "deployment.kong.enabled and ingressController.gatewayDiscovery.enabled are mutually exclusive and cannot be enabled at once. Gateway discovery requires a split release installation of Gateways and Ingress Controller." }}
413 {{- $namespace := $adminApiService.namespace | default ( include "kong.namespace" . ) -}}
414 {{- printf "%s/%s" $namespace $adminApiServiceName -}}
416 {{- fail "Can't use gateway discovery when .Values.ingressController.gatewayDiscovery.enabled is set to false." -}}
421 Return the local admin API URL, preferring HTTPS if available
423 {{- define "kong.adminLocalURL" -}}
424 {{- if .Values.admin.tls.enabled -}}
425 https://localhost:{{ .Values.admin.tls.containerPort }}
426 {{- else if .Values.admin.http.enabled -}}
427 http://localhost:{{ .Values.admin.http.containerPort }}
429 http://localhost:9999 # You have no admin listens! The controller will not work unless you set .Values.admin.http.enabled=true or .Values.admin.tls.enabled=true!
434 Create the ingress servicePort value string
437 {{- define "kong.ingress.servicePort" -}}
438 {{- if .tls.enabled -}}
439 {{ .tls.servicePort }}
441 {{ .http.servicePort }}
446 Generate an appropriate external URL from a Kong service's ingress configuration
447 Strips trailing slashes from the path. Manager at least does not handle these
448 intelligently and will append its own slash regardless, and the admin API cannot handle
452 {{- define "kong.ingress.serviceUrl" -}}
454 https://{{ .hostname }}{{ .path | trimSuffix "/" }}
456 http://{{ .hostname }}{{ .path | trimSuffix "/" }}
461 The name of the service used for the ingress controller's validation webhook
464 {{- define "kong.service.validationWebhook" -}}
465 {{ include "kong.fullname" . }}-validation-webhook
470 The name of the Service which will be used by the controller to update the Ingress status field.
{{/*
Returns "<namespace>/<proxy Service name>", where the name is "<fullname>-proxy" unless
.Values.proxy.nameOverride is set. The override is evaluated with tpl, so any template
expression placed in that value is rendered with the chart context.
*/}}
473 {{- define "kong.controller-publish-service" -}}
474 {{- $proxyOverride := "" -}}
475 {{- if .Values.proxy.nameOverride -}}
476 {{- $proxyOverride = ( tpl .Values.proxy.nameOverride . ) -}}
478 {{- (printf "%s/%s" ( include "kong.namespace" . ) ( default ( printf "%s-proxy" (include "kong.fullname" . )) $proxyOverride )) -}}
{{/*
Renders the environment of the ingress controller container. Three maps are built and merged:
chart-generated values, .Values.ingressController.env (keys upper-cased and prefixed with
CONTROLLER_), and .Values.ingressController.customEnv (keys upper-cased, no prefix).
mergeOverwrite gives precedence to later arguments, so user-supplied entries replace the
generated ones, including the security-relevant defaults set below.
*/}}
481 {{- define "kong.ingressController.env" -}}
483 ====== AUTO-GENERATED ENVIRONMENT VARIABLES ======
487 {{- $autoEnv := dict -}}
{{- /* NOTE(review): TLS certificate verification of the admin API is switched off by default
for the controller. It is set before the admin target is chosen, so it applies to the localhost
URL and to the gateway-discovery Service alike. Deployments that reach the admin API over the
pod network should override it and supply a trusted CA; confirm that a false value survives
the merge at the end of this template. */ -}}
488 {{- $_ := set $autoEnv "CONTROLLER_KONG_ADMIN_TLS_SKIP_VERIFY" true -}}
489 {{- $_ := set $autoEnv "CONTROLLER_PUBLISH_SERVICE" ( include "kong.controller-publish-service" . ) -}}
490 {{- $_ := set $autoEnv "CONTROLLER_INGRESS_CLASS" .Values.ingressController.ingressClass -}}
491 {{- $_ := set $autoEnv "CONTROLLER_ELECTION_ID" (printf "kong-ingress-controller-leader-%s" .Values.ingressController.ingressClass) -}}
493 {{- if .Values.ingressController.admissionWebhook.enabled }}
{{- /* The admission webhook listens on all IPv4 interfaces unless admissionWebhook.address is set. */ -}}
494 {{- $address := (default "0.0.0.0" .Values.ingressController.admissionWebhook.address) -}}
495 {{- $_ := set $autoEnv "CONTROLLER_ADMISSION_WEBHOOK_LISTEN" (printf "%s:%d" $address (int64 .Values.ingressController.admissionWebhook.port)) -}}
497 {{- if (not (eq (len .Values.ingressController.watchNamespaces) 0)) }}
498 {{- $_ := set $autoEnv "CONTROLLER_WATCH_NAMESPACE" (.Values.ingressController.watchNamespaces | join ",") -}}
502 ====== ADMIN API CONFIGURATION ======
505 {{- if .Values.ingressController.gatewayDiscovery.enabled -}}
506 {{- $_ := set $autoEnv "CONTROLLER_KONG_ADMIN_SVC" (include "kong.adminSvc" . ) -}}
508 {{- $_ := set $autoEnv "CONTROLLER_KONG_ADMIN_URL" (include "kong.adminLocalURL" .) -}}
511 {{- if .Values.ingressController.adminApi.tls.client.enabled }}
512 {{- $_ := set $autoEnv "CONTROLLER_KONG_ADMIN_TLS_CLIENT_CERT_FILE" "/etc/secrets/admin-api-cert/tls.crt" -}}
513 {{- $_ := set $autoEnv "CONTROLLER_KONG_ADMIN_TLS_CLIENT_KEY_FILE" "/etc/secrets/admin-api-cert/tls.key" -}}
517 ====== KONNECT ENVIRONMENT VARIABLES ======
520 {{- if .Values.ingressController.konnect.enabled }}
521 {{- if (semverCompare "< 2.9.0" (include "kong.effectiveVersion" .Values.ingressController.image)) }}
522 {{- fail (printf "Konnect sync is available in controller versions 2.9 and up. Detected %s" (include "kong.effectiveVersion" .Values.ingressController.image)) }}
525 {{- if not .Values.ingressController.gatewayDiscovery.enabled }}
526 {{- fail "ingressController.gatewayDiscovery.enabled has to be true when ingressController.konnect.enabled"}}
529 {{- $konnect := .Values.ingressController.konnect -}}
530 {{- $_ := required "ingressController.konnect.runtimeGroupID is required when ingressController.konnect.enabled" $konnect.runtimeGroupID -}}
532 {{- $_ = set $autoEnv "CONTROLLER_KONNECT_SYNC_ENABLED" true -}}
533 {{- $_ = set $autoEnv "CONTROLLER_KONNECT_RUNTIME_GROUP_ID" $konnect.runtimeGroupID -}}
534 {{- $_ = set $autoEnv "CONTROLLER_KONNECT_ADDRESS" (printf "https://%s" .Values.ingressController.konnect.apiHostname) -}}
536 {{- $tlsCert := include "secretkeyref" (dict "name" $konnect.tlsClientCertSecretName "key" "tls.crt") -}}
537 {{- $tlsKey := include "secretkeyref" (dict "name" $konnect.tlsClientCertSecretName "key" "tls.key") -}}
{{- /* The Konnect client certificate and key are taken from the Secret named by
konnect.tlsClientCertSecretName through the "secretkeyref" helper, whose body is not visible here. */ -}}
538 {{- $_ = set $autoEnv "CONTROLLER_KONNECT_TLS_CLIENT_CERT" $tlsCert -}}
539 {{- $_ = set $autoEnv "CONTROLLER_KONNECT_TLS_CLIENT_KEY" $tlsKey -}}
541 {{- if $konnect.license.enabled }}
542 {{- $_ = set $autoEnv "CONTROLLER_KONNECT_LICENSING_ENABLED" true -}}
547 ====== USER-SET ENVIRONMENT VARIABLES ======
550 {{- $userEnv := dict -}}
551 {{- range $key, $val := .Values.ingressController.env }}
552 {{- $upper := upper $key -}}
553 {{- $var := printf "CONTROLLER_%s" $upper -}}
554 {{- $_ := set $userEnv $var $val -}}
558 ====== CUSTOM-SET INGRESS CONTROLLER ENVIRONMENT VARIABLES ======
561 {{- $customIngressEnv := dict -}}
562 {{- range $key, $val := .Values.ingressController.customEnv }}
563 {{- $upper := upper $key -}}
564 {{- $_ := set $customIngressEnv $upper $val -}}
568 ====== MERGE AND RENDER ENV BLOCK ======
571 {{- $completeEnv := mergeOverwrite $autoEnv $userEnv $customIngressEnv -}}
572 {{- template "kong.renderEnv" $completeEnv -}}
576 {{- define "kong.userDefinedVolumes" -}}
577 {{- if .Values.deployment.userDefinedVolumes }}
578 {{- toYaml .Values.deployment.userDefinedVolumes }}
{{/*
Pod volumes for the Kong deployment. The prefix-dir and tmp volumes carry a sizeLimit from
values. When automountServiceAccountToken is off and a service account is created or named,
the token is supplied through an explicit volume: on Kubernetes >= 1.20 the visible lines show
a serviceAccountToken source with a 3607-second expiry together with kube-root-ca.crt and the
namespace field, and a Secret named "<service account>-token" appears to be the fallback
(the branch keyword is not visible here). cert-manager certificate Secrets are added only when
the cert-manager.io/v1 API is present and certificates.enabled is set. Rendering fails when
more than one DB-less config source is configured.
*/}}
582 {{- define "kong.volumes" -}}
583 - name: {{ template "kong.fullname" . }}-prefix-dir
585 sizeLimit: {{ .Values.deployment.prefixDir.sizeLimit }}
586 - name: {{ template "kong.fullname" . }}-tmp
588 sizeLimit: {{ .Values.deployment.tmpDir.sizeLimit }}
589 {{- if (and (not .Values.deployment.serviceAccount.automountServiceAccountToken) (or .Values.deployment.serviceAccount.create .Values.deployment.serviceAccount.name)) }}
590 - name: {{ template "kong.serviceAccountTokenName" . }}
591 {{- /* Due to GKE versions (e.g. v1.23.15-gke.1900) we need to handle pre-release part of the version as well.
592 See the related documentation of semver module that Helm depends on for semverCompare:
593 https://github.com/Masterminds/semver#working-with-prerelease-versions
594 Related Helm issue: https://github.com/helm/helm/issues/3810 */}}
595 {{- if semverCompare ">=1.20.0-0" .Capabilities.KubeVersion.Version }}
598 - serviceAccountToken:
599 expirationSeconds: 3607
605 name: kube-root-ca.crt
610 fieldPath: metadata.namespace
614 secretName: {{ template "kong.serviceAccountTokenName" . }}
624 {{- if and ( .Capabilities.APIVersions.Has "cert-manager.io/v1" ) .Values.certificates.enabled -}}
625 {{- if .Values.certificates.cluster.enabled }}
626 - name: {{ include "kong.fullname" . }}-cluster-cert
628 secretName: {{ include "kong.fullname" . }}-cluster-cert
630 {{- if .Values.certificates.proxy.enabled }}
631 - name: {{ include "kong.fullname" . }}-proxy-cert
633 secretName: {{ include "kong.fullname" . }}-proxy-cert
635 {{- if .Values.certificates.admin.enabled }}
636 - name: {{ include "kong.fullname" . }}-admin-cert
638 secretName: {{ include "kong.fullname" . }}-admin-cert
640 {{- if .Values.enterprise.enabled }}
641 {{- if .Values.certificates.portal.enabled }}
642 - name: {{ include "kong.fullname" . }}-portal-cert
644 secretName: {{ include "kong.fullname" . }}-portal-cert
648 {{- if (and (.Values.postgresql.enabled) .Values.waitImage.enabled) }}
649 - name: {{ template "kong.fullname" . }}-bash-wait-for-postgres
651 name: {{ template "kong.fullname" . }}-bash-wait-for-postgres
654 {{- range .Values.plugins.configMaps }}
655 - name: kong-plugin-{{ .pluginName }}
658 {{- range .subdirectories }}
664 {{- range .Values.plugins.secrets }}
665 - name: kong-plugin-{{ .pluginName }}
667 secretName: {{ .name }}
668 {{- range .subdirectories }}
671 secretName: {{ .name }}
675 {{- if (and (not .Values.ingressController.enabled) (eq .Values.env.database "off")) }}
676 {{- $dblessSourceCount := (add (.Values.dblessConfig.configMap | len | min 1) (.Values.dblessConfig.secret | len | min 1) (.Values.dblessConfig.config | len | min 1)) -}}
677 {{- if gt $dblessSourceCount 1 -}}
678 {{- fail "Ambiguous configuration: only one of of .Values.dblessConfig.configMap, .Values.dblessConfig.secret, and .Values.dblessConfig.config can be set." -}}
679 {{- else if eq $dblessSourceCount 1 }}
680 - name: kong-custom-dbless-config-volume
681 {{- if .Values.dblessConfig.configMap }}
683 name: {{ .Values.dblessConfig.configMap }}
684 {{- else if .Values.dblessConfig.secret }}
686 secretName: {{ .Values.dblessConfig.secret }}
689 name: {{ template "kong.dblessConfig.fullname" . }}
694 {{- if and .Values.ingressController.enabled .Values.ingressController.admissionWebhook.enabled }}
697 {{- if .Values.ingressController.admissionWebhook.certificate.provided }}
698 secretName: {{ .Values.ingressController.admissionWebhook.certificate.secretName }}
700 secretName: {{ template "kong.fullname" . }}-validation-webhook-keypair
703 {{- if or $.Values.admin.tls.client.secretName $.Values.admin.tls.client.caBundle }}
704 - name: admin-client-ca
706 name: {{ template "kong.fullname" . }}-admin-client-ca
708 {{- range $secretVolume := .Values.secretVolumes }}
713 {{- range .Values.extraConfigMaps }}
718 {{- range .Values.extraSecrets }}
721 secretName: {{ .name }}
723 {{- if and .Values.ingressController.adminApi.tls.client.enabled .Values.ingressController.enabled }}
724 - name: admin-api-cert
726 secretName: {{ template "adminApiService.certSecretName" . }}
{{/*
Mounts the admin-api-cert volume at /etc/secrets/admin-api-cert when both the ingress
controller and adminApi.tls.client are enabled. The CONTROLLER_KONG_ADMIN_TLS_CLIENT_CERT_FILE
and CONTROLLER_KONG_ADMIN_TLS_CLIENT_KEY_FILE paths set in "kong.ingressController.env" point
into this directory.
*/}}
730 {{- define "controller.adminApiCertVolumeMount" -}}
731 {{- if and .Values.ingressController.adminApi.tls.client.enabled .Values.ingressController.enabled }}
732 - name: admin-api-cert
733 mountPath: /etc/secrets/admin-api-cert
738 {{- define "kong.userDefinedVolumeMounts" -}}
739 {{- if .userDefinedVolumeMounts }}
740 {{- toYaml .userDefinedVolumeMounts }}
744 {{- define "kong.volumeMounts" -}}
745 - name: {{ template "kong.fullname" . }}-prefix-dir
746 mountPath: /kong_prefix/
747 - name: {{ template "kong.fullname" . }}-tmp
749 {{- if and ( .Capabilities.APIVersions.Has "cert-manager.io/v1" ) .Values.certificates.enabled -}}
750 {{- if .Values.certificates.cluster.enabled }}
751 - name: {{ include "kong.fullname" . }}-cluster-cert
752 mountPath: /etc/cert-manager/cluster/
754 {{- if .Values.certificates.proxy.enabled }}
755 - name: {{ include "kong.fullname" . }}-proxy-cert
756 mountPath: /etc/cert-manager/proxy/
758 {{- if .Values.certificates.admin.enabled }}
759 - name: {{ include "kong.fullname" . }}-admin-cert
760 mountPath: /etc/cert-manager/admin/
762 {{- if .Values.enterprise.enabled }}
763 {{- if .Values.certificates.portal.enabled }}
764 - name: {{ include "kong.fullname" . }}-portal-cert
765 mountPath: /etc/cert-manager/portal/
769 {{- $dblessSourceCount := (add (.Values.dblessConfig.configMap | len | min 1) (.Values.dblessConfig.secret | len | min 1) (.Values.dblessConfig.config | len | min 1)) -}}
770 {{- if eq $dblessSourceCount 1 -}}
771 {{- if (and (not .Values.ingressController.enabled) (eq .Values.env.database "off")) }}
772 - name: kong-custom-dbless-config-volume
773 mountPath: /kong_dbless/
776 {{- if or $.Values.admin.tls.client.caBundle $.Values.admin.tls.client.secretName }}
777 - name: admin-client-ca
778 mountPath: /etc/admin-client-ca/
781 {{- range .Values.secretVolumes }}
783 mountPath: /etc/secrets/{{ . }}
785 {{- range .Values.plugins.configMaps }}
786 {{- $mountPath := printf "/opt/kong/plugins/%s" .pluginName }}
787 - name: kong-plugin-{{ .pluginName }}
788 mountPath: {{ $mountPath }}
790 {{- range .subdirectories }}
792 mountPath: {{ printf "%s/%s" $mountPath ( .path | default .name ) }}
796 {{- range .Values.plugins.secrets }}
797 {{- $mountPath := printf "/opt/kong/plugins/%s" .pluginName }}
798 - name: kong-plugin-{{ .pluginName }}
799 mountPath: {{ $mountPath }}
801 {{- range .subdirectories }}
803 mountPath: {{ printf "%s/%s" $mountPath .path }}
808 {{- range .Values.extraConfigMaps }}
810 mountPath: {{ .mountPath }}
813 subPath: {{ .subPath }}
816 {{- range .Values.extraSecrets }}
818 mountPath: {{ .mountPath }}
821 subPath: {{ .subPath }}
{{/*
Returns the comma-separated plugin list: "bundled" followed by every pluginName found in
.Values.plugins.configMaps and .Values.plugins.secrets, with duplicates removed.
*/}}
827 {{- define "kong.plugins" -}}
828 {{ $myList := list "bundled" }}
829 {{- range .Values.plugins.configMaps -}}
830 {{- $myList = append $myList .pluginName -}}
832 {{- range .Values.plugins.secrets -}}
833 {{ $myList = append $myList .pluginName -}}
835 {{- $myList | uniq | join "," -}}
{{/*
Container spec that waits for the database: it repeats "kong start" until it succeeds and then
runs "kong stop". The container uses the main Kong image and pull policy,
.Values.containerSecurityContext, and the "kong.env", "kong.envFrom" and volume-mount helpers
from this file. For this run it exports a temporary prefix directory and KONG_KEYRING_ENABLED=off.
*/}}
838 {{- define "kong.wait-for-db" -}}
840 image: {{ include "kong.getRepoTag" .Values.image }}
841 imagePullPolicy: {{ .Values.image.pullPolicy }}
843 {{ toYaml .Values.containerSecurityContext | nindent 4 }}
845 {{- include "kong.env" . | nindent 2 }}
846 {{- include "kong.envFrom" .Values.envFrom | nindent 2 }}
847 {{/* TODO the prefix override is to work around https://github.com/Kong/charts/issues/295
848 Note that we use args instead of command here to /not/ override the standard image entrypoint. */}}
849 args: [ "/bin/bash", "-c", "export KONG_NGINX_DAEMON=on KONG_PREFIX=`mktemp -d` KONG_KEYRING_ENABLED=off; until kong start; do echo 'waiting for db'; sleep 1; done; kong stop"]
851 {{- include "kong.volumeMounts" . | nindent 4 }}
852 {{- include "kong.userDefinedVolumeMounts" .Values.deployment | nindent 4 }}
854 {{- toYaml .Values.resources | nindent 4 }}
857 {{/* effectiveVersion takes an image dict from values.yaml. if .effectiveSemver is set, it returns that, else it returns .tag */}}
858 {{- define "kong.effectiveVersion" -}}
859 {{- /* Because Kong Gateway enterprise uses versions with 4 segments and not 3 */ -}}
860 {{- /* as semver does, we need to account for that here by extracting */ -}}
861 {{- /* first 3 segments for comparison */ -}}
{{- /* NOTE(review): the dots in the patterns below are unescaped, so each one matches any
character rather than only a literal ".". The result feeds the semverCompare version gates in
this file; writing the separators as "\\." would make the match strict. */ -}}
862 {{- if .effectiveSemver -}}
863 {{- if regexMatch "^[0-9]+.[0-9]+.[0-9]+" .effectiveSemver -}}
864 {{- regexFind "^[0-9]+.[0-9]+.[0-9]+" .effectiveSemver -}}
866 {{- .effectiveSemver -}}
869 {{- $tag := (trimSuffix "-redhat" .tag) -}}
{{- /* NOTE(review): $tag holds .tag without a "-redhat" suffix, but the next two lines read
.tag directly; what the remaining branch returns is not visible here. */ -}}
870 {{- if regexMatch "^[0-9]+.[0-9]+.[0-9]+" .tag -}}
871 {{- regexFind "^[0-9]+.[0-9]+.[0-9]+" .tag -}}
{{/*
Container spec for the ingress controller. It reuses .Values.containerSecurityContext, takes
its image from ingressController.image but its pull policy from .Values.image.pullPolicy, and
mounts the service account token volume at /var/run/secrets/kubernetes.io/serviceaccount when
automountServiceAccountToken is off and a service account is created or named.
NOTE(review): the comment inside this block names the hidden setting "disableReadiness", while
the condition that follows it tests for the key "disableProbes"; the key in the condition is
the one that takes effect.
*/}}
878 {{- define "kong.controller-container" -}}
879 - name: ingress-controller
881 {{ toYaml .Values.containerSecurityContext | nindent 4 }}
883 {{ if .Values.ingressController.args}}
884 {{- range $val := .Values.ingressController.args }}
889 {{- if .Values.ingressController.admissionWebhook.enabled }}
891 containerPort: {{ .Values.ingressController.admissionWebhook.port }}
894 {{ if (semverCompare ">= 2.0.0" (include "kong.effectiveVersion" .Values.ingressController.image)) -}}
907 fieldPath: metadata.name
908 - name: POD_NAMESPACE
912 fieldPath: metadata.namespace
913 {{- include "kong.ingressController.env" . | indent 2 }}
914 {{ include "kong.envFrom" .Values.ingressController.envFrom | indent 2 }}
915 image: {{ include "kong.getRepoTag" .Values.ingressController.image }}
916 imagePullPolicy: {{ .Values.image.pullPolicy }}
917 {{/* disableReadiness is a hidden setting to drop this block entirely for use with a debugger
918 Helm value interpretation doesn't let you replace the default HTTP checks with any other
919 check type, and all HTTP checks freeze when a debugger pauses operation.
920 Setting disableReadiness to ANY value disables the probes.
922 {{- if (not (hasKey .Values.ingressController "disableProbes")) }}
924 {{ toYaml .Values.ingressController.readinessProbe | indent 4 }}
926 {{ toYaml .Values.ingressController.livenessProbe | indent 4 }}
929 {{ toYaml .Values.ingressController.resources | indent 4 }}
931 {{- if .Values.ingressController.admissionWebhook.enabled }}
933 mountPath: /admission-webhook
936 {{- if (and (not .Values.deployment.serviceAccount.automountServiceAccountToken) (or .Values.deployment.serviceAccount.create .Values.deployment.serviceAccount.name)) }}
937 - name: {{ template "kong.serviceAccountTokenName" . }}
938 mountPath: /var/run/secrets/kubernetes.io/serviceaccount
941 {{- include "kong.userDefinedVolumeMounts" .Values.ingressController | nindent 2 }}
942 {{- include "controller.adminApiCertVolumeMount" . | nindent 2 }}
945 {{- define "secretkeyref" -}}
953 Use the Pod security context defined in Values or set the UID by default
955 {{- define "kong.podsecuritycontext" -}}
956 {{ .Values.securityContext | toYaml }}
959 {{- define "kong.no_daemon_env" -}}
960 {{- template "kong.env" . }}
961 - name: KONG_NGINX_DAEMON
966 The environment values passed to Kong; this should come after all
967 the templates that it itself uses from the above sections.
969 {{- define "kong.env" -}}
971 ====== AUTO-GENERATED ENVIRONMENT VARIABLES ======
973 {{- $autoEnv := dict -}}
975 {{- $_ := set $autoEnv "KONG_LUA_PACKAGE_PATH" "/opt/?.lua;/opt/?/init.lua;;" -}}
977 {{- $_ := set $autoEnv "KONG_PROXY_ACCESS_LOG" "/dev/stdout" -}}
978 {{- $_ := set $autoEnv "KONG_PROXY_STREAM_ACCESS_LOG" "/dev/stdout basic" -}}
979 {{- $_ := set $autoEnv "KONG_ADMIN_ACCESS_LOG" "/dev/stdout" -}}
980 {{- $_ := set $autoEnv "KONG_STATUS_ACCESS_LOG" "off" -}}
981 {{- $_ := set $autoEnv "KONG_PROXY_ERROR_LOG" "/dev/stderr" -}}
982 {{- $_ := set $autoEnv "KONG_PROXY_STREAM_ERROR_LOG" "/dev/stderr" -}}
983 {{- $_ := set $autoEnv "KONG_ADMIN_ERROR_LOG" "/dev/stderr" -}}
984 {{- $_ := set $autoEnv "KONG_STATUS_ERROR_LOG" "/dev/stderr" -}}
986 {{- if .Values.ingressController.enabled -}}
987 {{- $_ := set $autoEnv "KONG_KIC" "on" -}}
990 {{- with .Values.admin -}}
991 {{- $listenConfig := dict -}}
992 {{- $listenConfig := merge $listenConfig . -}}
993 {{- if (and (not (hasKey . "addresses")) (not .enabled)) -}}
994 {{- $_ := set $listenConfig "addresses" (list "127.0.0.1" "[::1]") -}}
996 {{- $_ := set $autoEnv "KONG_ADMIN_LISTEN" (include "kong.listen" $listenConfig) -}}
998 {{- if or .tls.client.secretName .tls.client.caBundle -}}
999 {{- $_ := set $autoEnv "KONG_NGINX_ADMIN_SSL_VERIFY_CLIENT" "on" -}}
1000 {{- $_ := set $autoEnv "KONG_NGINX_ADMIN_SSL_CLIENT_CERTIFICATE" "/etc/admin-client-ca/tls.crt" -}}
1005 {{- if and ( .Capabilities.APIVersions.Has "cert-manager.io/v1" ) .Values.certificates.enabled -}}
1006 {{- if (and .Values.certificates.cluster.enabled .Values.cluster.enabled) -}}
1007 {{- $_ := set $autoEnv "KONG_CLUSTER_MTLS" "pki" -}}
1008 {{- $_ := set $autoEnv "KONG_CLUSTER_SERVER_NAME" .Values.certificates.cluster.commonName -}}
1009 {{- $_ := set $autoEnv "KONG_CLUSTER_CA_CERT" "/etc/cert-manager/cluster/ca.crt" -}}
1010 {{- $_ := set $autoEnv "KONG_CLUSTER_CERT" "/etc/cert-manager/cluster/tls.crt" -}}
1011 {{- $_ := set $autoEnv "KONG_CLUSTER_CERT_KEY" "/etc/cert-manager/cluster/tls.key" -}}
1014 {{- if .Values.certificates.proxy.enabled -}}
1015 {{- $_ := set $autoEnv "KONG_SSL_CERT" "/etc/cert-manager/proxy/tls.crt" -}}
1016 {{- $_ := set $autoEnv "KONG_SSL_CERT_KEY" "/etc/cert-manager/proxy/tls.key" -}}
1019 {{- if .Values.certificates.admin.enabled -}}
1020 {{- $_ := set $autoEnv "KONG_ADMIN_SSL_CERT" "/etc/cert-manager/admin/tls.crt" -}}
1021 {{- $_ := set $autoEnv "KONG_ADMIN_SSL_CERT_KEY" "/etc/cert-manager/admin/tls.key" -}}
1022 {{- if .Values.enterprise.enabled }}
1023 {{- $_ := set $autoEnv "KONG_ADMIN_GUI_SSL_CERT" "/etc/cert-manager/admin/tls.crt" -}}
1024 {{- $_ := set $autoEnv "KONG_ADMIN_GUI_SSL_CERT_KEY" "/etc/cert-manager/admin/tls.key" -}}
1028 {{- if .Values.enterprise.enabled }}
1029 {{- if .Values.certificates.portal.enabled -}}
1030 {{- $_ := set $autoEnv "KONG_PORTAL_API_SSL_CERT" "/etc/cert-manager/portal/tls.crt" -}}
1031 {{- $_ := set $autoEnv "KONG_PORTAL_API_SSL_CERT_KEY" "/etc/cert-manager/portal/tls.key" -}}
1032 {{- $_ := set $autoEnv "KONG_PORTAL_GUI_SSL_CERT" "/etc/cert-manager/portal/tls.crt" -}}
1033 {{- $_ := set $autoEnv "KONG_PORTAL_GUI_SSL_CERT_KEY" "/etc/cert-manager/portal/tls.key" -}}
1038 {{- if .Values.admin.ingress.enabled }}
1039 {{- $_ := set $autoEnv "KONG_ADMIN_GUI_API_URL" (include "kong.ingress.serviceUrl" .Values.admin.ingress) -}}
1040 {{- $_ := set $autoEnv "KONG_ADMIN_API_URI" (include "kong.ingress.serviceUrl" .Values.admin.ingress) -}}
1043 {{- $_ := set $autoEnv "KONG_PROXY_LISTEN" (include "kong.listen" .Values.proxy) -}}
1045 {{- $streamStrings := list -}}
1046 {{- if .Values.proxy.enabled -}}
1047 {{- $tcpStreamString := (include "kong.streamListen" .Values.proxy) -}}
1048 {{- if (not (eq $tcpStreamString "")) -}}
1049 {{- $streamStrings = (append $streamStrings $tcpStreamString) -}}
1052 {{- if .Values.udpProxy.enabled -}}
1053 {{- $udpStreamString := (include "kong.streamListen" .Values.udpProxy) -}}
1054 {{- if (not (eq $udpStreamString "")) -}}
1055 {{- $streamStrings = (append $streamStrings $udpStreamString) -}}
1058 {{- $streamString := $streamStrings | join ", " -}}
1059 {{- if (eq (len $streamString) 0) -}}
1060 {{- $streamString = "off" -}}
1062 {{- $_ := set $autoEnv "KONG_STREAM_LISTEN" $streamString -}}
1064 {{- $_ := set $autoEnv "KONG_STATUS_LISTEN" (include "kong.listen" .Values.status) -}}
1066 {{- if .Values.proxy.enabled -}}
1067 {{- $_ := set $autoEnv "KONG_PORT_MAPS" (include "kong.port_maps" .Values.proxy) -}}
1070 {{- $_ := set $autoEnv "KONG_CLUSTER_LISTEN" (include "kong.listen" .Values.cluster) -}}
1072 {{- if .Values.enterprise.enabled }}
1073 {{- $_ := set $autoEnv "KONG_PORTAL_API_ACCESS_LOG" "/dev/stdout" -}}
1074 {{- $_ := set $autoEnv "KONG_PORTAL_GUI_ACCESS_LOG" "/dev/stdout" -}}
1075 {{- $_ := set $autoEnv "KONG_ADMIN_GUI_ACCESS_LOG" "/dev/stdout" -}}
1076 {{- $_ := set $autoEnv "KONG_PORTAL_API_ERROR_LOG" "/dev/stderr" -}}
1077 {{- $_ := set $autoEnv "KONG_PORTAL_GUI_ERROR_LOG" "/dev/stderr" -}}
1078 {{- $_ := set $autoEnv "KONG_ADMIN_GUI_ERROR_LOG" "/dev/stderr" -}}
1080 {{- $_ := set $autoEnv "KONG_ADMIN_GUI_LISTEN" (include "kong.listen" .Values.manager) -}}
1081 {{- if .Values.manager.ingress.enabled }}
1082 {{- $_ := set $autoEnv "KONG_ADMIN_GUI_URL" (include "kong.ingress.serviceUrl" .Values.manager.ingress) -}}
1085 {{- if not .Values.enterprise.vitals.enabled }}
1086 {{- $_ := set $autoEnv "KONG_VITALS" "off" -}}
1088 {{- $_ := set $autoEnv "KONG_CLUSTER_TELEMETRY_LISTEN" (include "kong.listen" .Values.clustertelemetry) -}}
1090 {{- if .Values.enterprise.portal.enabled }}
1091 {{- $_ := set $autoEnv "KONG_PORTAL" "on" -}}
1092 {{- $_ := set $autoEnv "KONG_PORTAL_GUI_LISTEN" (include "kong.listen" .Values.portal) -}}
1093 {{- $_ := set $autoEnv "KONG_PORTAL_API_LISTEN" (include "kong.listen" .Values.portalapi) -}}
1095 {{- if .Values.portal.ingress.enabled }}
1096 {{- $_ := set $autoEnv "KONG_PORTAL_GUI_HOST" .Values.portal.ingress.hostname -}}
1097 {{- if .Values.portal.ingress.tls }}
1098 {{- $_ := set $autoEnv "KONG_PORTAL_GUI_PROTOCOL" "https" -}}
1100 {{- $_ := set $autoEnv "KONG_PORTAL_GUI_PROTOCOL" "http" -}}
1104 {{- if .Values.portalapi.ingress.enabled }}
1105 {{- $_ := set $autoEnv "KONG_PORTAL_API_URL" (include "kong.ingress.serviceUrl" .Values.portalapi.ingress) -}}
1109 {{- if .Values.enterprise.rbac.enabled }}
1110 {{- $_ := set $autoEnv "KONG_ENFORCE_RBAC" "on" -}}
1111 {{- $_ := set $autoEnv "KONG_ADMIN_GUI_AUTH" .Values.enterprise.rbac.admin_gui_auth | default "basic-auth" -}}
1113 {{- if not (eq .Values.enterprise.rbac.admin_gui_auth "basic-auth") }}
1114 {{- $guiAuthConf := include "secretkeyref" (dict "name" .Values.enterprise.rbac.admin_gui_auth_conf_secret "key" "admin_gui_auth_conf") -}}
1115 {{- $_ := set $autoEnv "KONG_ADMIN_GUI_AUTH_CONF" $guiAuthConf -}}
1118 {{- $guiSessionConf := include "secretkeyref" (dict "name" .Values.enterprise.rbac.session_conf_secret "key" "admin_gui_session_conf") -}}
1119 {{- $_ := set $autoEnv "KONG_ADMIN_GUI_SESSION_CONF" $guiSessionConf -}}
1122 {{- if .Values.enterprise.smtp.enabled }}
1123 {{- $_ := set $autoEnv "KONG_SMTP_MOCK" "off" -}}
1124 {{- $_ := set $autoEnv "KONG_PORTAL_EMAILS_FROM" .Values.enterprise.smtp.portal_emails_from -}}
1125 {{- $_ := set $autoEnv "KONG_PORTAL_EMAILS_REPLY_TO" .Values.enterprise.smtp.portal_emails_reply_to -}}
1126 {{- $_ := set $autoEnv "KONG_ADMIN_EMAILS_FROM" .Values.enterprise.smtp.admin_emails_from -}}
1127 {{- $_ := set $autoEnv "KONG_ADMIN_EMAILS_REPLY_TO" .Values.enterprise.smtp.admin_emails_reply_to -}}
1128 {{- $_ := set $autoEnv "KONG_SMTP_ADMIN_EMAILS" .Values.enterprise.smtp.smtp_admin_emails -}}
1129 {{- $_ := set $autoEnv "KONG_SMTP_HOST" .Values.enterprise.smtp.smtp_host -}}
1130 {{- $_ := set $autoEnv "KONG_SMTP_AUTH_TYPE" .Values.enterprise.smtp.smtp_auth_type -}}
1131 {{- $_ := set $autoEnv "KONG_SMTP_SSL" .Values.enterprise.smtp.smtp_ssl -}}
1132 {{- $_ := set $autoEnv "KONG_SMTP_PORT" .Values.enterprise.smtp.smtp_port -}}
1133 {{- $_ := set $autoEnv "KONG_SMTP_STARTTLS" (quote .Values.enterprise.smtp.smtp_starttls) -}}
1134 {{- if .Values.enterprise.smtp.auth.smtp_username }}
1135 {{- $_ := set $autoEnv "KONG_SMTP_USERNAME" .Values.enterprise.smtp.auth.smtp_username -}}
1136 {{- $smtpPassword := include "secretkeyref" (dict "name" .Values.enterprise.smtp.auth.smtp_password_secret "key" "smtp_password") -}}
1137 {{- $_ := set $autoEnv "KONG_SMTP_PASSWORD" $smtpPassword -}}
1140 {{- $_ := set $autoEnv "KONG_SMTP_MOCK" "on" -}}
1143 {{- if .Values.enterprise.license_secret -}}
1144 {{- $lic := include "secretkeyref" (dict "name" .Values.enterprise.license_secret "key" "license") -}}
1145 {{- $_ := set $autoEnv "KONG_LICENSE_DATA" $lic -}}
1148 {{- end }} {{/* End of the Enterprise settings block */}}
1150 {{- if .Values.postgresql.enabled }}
1151 {{- $_ := set $autoEnv "KONG_PG_HOST" (include "kong.postgresql.fullname" .) -}}
1152 {{- $_ := set $autoEnv "KONG_PG_PORT" .Values.postgresql.service.ports.postgresql -}}
1153 {{- $pgPassword := include "secretkeyref" (dict "name" (include "kong.postgresql.fullname" .) "key" "password") -}}
1155 {{- $_ := set $autoEnv "KONG_PG_PASSWORD" $pgPassword -}}
1156 {{- else if eq .Values.env.database "postgres" }}
1157 {{- $_ := set $autoEnv "KONG_PG_PORT" "5432" }}
1160 {{- if (and (not .Values.ingressController.enabled) (eq .Values.env.database "off")) }}
1161 {{- $dblessSourceCount := (add (.Values.dblessConfig.configMap | len | min 1) (.Values.dblessConfig.secret | len | min 1) (.Values.dblessConfig.config | len | min 1)) -}}
1162 {{- if eq $dblessSourceCount 1 -}}
1163 {{- $_ := set $autoEnv "KONG_DECLARATIVE_CONFIG" "/kong_dbless/kong.yml" -}}
1167 {{- if (.Values.plugins) }}
1168 {{- $_ := set $autoEnv "KONG_PLUGINS" (include "kong.plugins" .) -}}
1172 ====== USER-SET ENVIRONMENT VARIABLES ======
1175 {{- $userEnv := dict -}}
1176 {{- range $key, $val := .Values.env }}
1177 {{- if (contains "_log" $key) -}}
1178 {{- if (eq (typeOf $val) "bool") -}}
1179 {{- fail (printf "env.%s must use string 'off' to disable. Without quotes, YAML will coerce the value to a boolean and Kong will reject it" $key) -}}
1182 {{- $upper := upper $key -}}
1183 {{- $var := printf "KONG_%s" $upper -}}
1184 {{- $_ := set $userEnv $var $val -}}
1188 ====== CUSTOM-SET ENVIRONMENT VARIABLES ======
1191 {{- $customEnv := dict -}}
1192 {{- range $key, $val := .Values.customEnv }}
1193 {{- $upper := upper $key -}}
1194 {{- $_ := set $customEnv $upper $val -}}
1198 ====== MERGE AND RENDER ENV BLOCK ======
1201 {{- $completeEnv := mergeOverwrite $autoEnv $userEnv $customEnv -}}
1202 {{- template "kong.renderEnv" $completeEnv -}}
1207 Given a dictionary of variable=value pairs, render a container env block.
1208 Environment variables are sorted alphabetically
1210 {{- define "kong.renderEnv" -}}
{{- /*
Input (.) is a dict of environment variable name -> value. Keys are walked in
sortAlpha order and each value is fetched from $dict with pluck. How a value is
rendered depends on its Go type as reported by printf "%T":
  - map[string]interface {}: written with toYaml, indented by 2
  - string matching the regex "valueFrom": written as-is, indented by 2
  - any other string: written as a quoted value
The last value line is quoted as well (presumably the fallback for remaining
types such as numbers and booleans).
*/ -}}
1214 {{- range keys . | sortAlpha }}
1215 {{- $val := pluck . $dict | first -}}
1216 {{- $valueType := printf "%T" $val -}}
1217 {{ if eq $valueType "map[string]interface {}" }}
1219 {{ toYaml $val | indent 2 -}}
1220 {{- else if eq $valueType "string" }}
{{- /* NOTE(review): the "valueFrom" pattern is unanchored, so any string value
that contains that text is written out as raw YAML instead of a quoted scalar.
Values reaching this helper should come from trusted chart values only. */ -}}
1221 {{- if regexMatch "valueFrom" $val }}
1223 {{ $val | indent 2 }}
1226 value: {{ $val | quote }}
1230 value: {{ $val | quote }}
1236 {{- define "kong.wait-for-postgres" -}}
{{- /*
Renders a container entry named wait-for-postgres whose command is
bash /wait_postgres/wait.sh, read from the <fullname>-bash-wait-for-postgres
mount. The image is taken from .Values.waitImage when unifiedRepoTag or
repository is set there, otherwise from .Values.image. Environment comes from
kong.no_daemon_env and kong.envFrom, resources from .Values.migrations.resources.
NOTE(review): this container receives whatever kong.no_daemon_env and
.Values.envFrom provide, which presumably includes database credential
references; confirm the wait image is trusted to the same degree as the Kong
image.
*/ -}}
1237 - name: wait-for-postgres
1238 {{- if (or .Values.waitImage.unifiedRepoTag .Values.waitImage.repository) }}
1239 image: {{ include "kong.getRepoTag" .Values.waitImage }}
1240 {{- else }} {{/* default to the Kong image */}}
1241 image: {{ include "kong.getRepoTag" .Values.image }}
1243 imagePullPolicy: {{ .Values.waitImage.pullPolicy }}
1245 {{- include "kong.no_daemon_env" . | nindent 2 }}
1246 {{- include "kong.envFrom" .Values.envFrom | nindent 2 }}
1247 command: [ "bash", "/wait_postgres/wait.sh" ]
1249 - name: {{ template "kong.fullname" . }}-bash-wait-for-postgres
1250 mountPath: /wait_postgres
1252 {{- toYaml .Values.migrations.resources | nindent 4 }}
1255 {{- define "kong.deprecation-warnings" -}}
{{- /*
Input (.) is a list of warning strings. Each one is prefixed with "WARNING: ",
wrapped at 80 columns and followed by two newlines; the pieces are joined and
emitted as a single string.
*/ -}}
1256 {{- $warnings := list -}}
1257 {{- range $warning := . }}
1258 {{- $warnings = append $warnings (wrap 80 (printf "WARNING: %s" $warning)) -}}
1259 {{- $warnings = append $warnings "\n\n" -}}
1261 {{- $warningString := ($warnings | join "") -}}
1262 {{- $warningString -}}
1265 {{- define "kong.getRepoTag" -}}
{{- /*
Input (.) is an image values block. Emits .unifiedRepoTag unchanged when it is
set, otherwise <repository>:<tag> when .repository is set.
NOTE(review): .tag is a mutable reference. Because unifiedRepoTag is passed
through unchanged, it can presumably carry a digest-pinned reference
(repository@sha256:...) where image immutability matters; confirm with callers.
*/ -}}
1266 {{- if .unifiedRepoTag }}
1267 {{- .unifiedRepoTag }}
1268 {{- else if .repository }}
1269 {{- .repository }}:{{ .tag }}
1274 kong.kubernetesRBACRules outputs a static list of RBAC rules (the "rules" block
1275 of a Role or ClusterRole) that provide the ingress controller access to the
1276 Kubernetes namespace-scoped resources it uses to build Kong configuration.
1278 Collectively, these are built from:
1279 kubectl kustomize github.com/kong/kubernetes-ingress-controller/config/rbac?ref=main
1280 kubectl kustomize github.com/kong/kubernetes-ingress-controller/config/rbac/gateway?ref=main
1282 However, there is no way to generate the split between cluster and namespaced
1283 role sets used in the charts. Updating these requires separating out cluster
1284 resource roles into their separate templates.
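1286 {{- define "kong.kubernetesRBACRules" -}}
{{- /*
Rule groups are emitted conditionally: by ingress controller version
(semverCompare against kong.effectiveVersion of .Values.ingressController.image)
and by the API groups the cluster reports through .Capabilities.APIVersions.
The kongservicefacades group additionally requires the KongServiceFacade
feature gate. sprig's contains takes the substring first and the searched
string second, so the test below looks for "KongServiceFacade=true" inside the
configured feature_gates value; with the arguments the other way round the rule
was granted for an empty or partial feature_gates string and withheld when
several gates were listed.
*/ -}}
1287 {{- if and (semverCompare ">= 3.1.0" (include "kong.effectiveVersion" .Values.ingressController.image))
1288 (contains "KongServiceFacade=true" (print .Values.ingressController.env.feature_gates)) }}
1290 - incubator.ingress-controller.konghq.com
1292 - kongservicefacades
1298 - incubator.ingress-controller.konghq.com
1300 - kongservicefacades/status
1306 {{- if (semverCompare ">= 3.0.0" (include "kong.effectiveVersion" .Values.ingressController.image)) }}
1308 - configuration.konghq.com
1310 - kongupstreampolicies
1316 - configuration.konghq.com
1318 - kongupstreampolicies/status
1324 {{- if (semverCompare ">= 2.11.0" (include "kong.effectiveVersion" .Values.ingressController.image)) }}
1326 - configuration.konghq.com
1328 - kongconsumergroups
1334 - configuration.konghq.com
1336 - kongconsumergroups/status
1342 {{- if (semverCompare "< 2.10.0" (include "kong.effectiveVersion" .Values.ingressController.image)) }}
1397 - configuration.konghq.com
1399 - ingressclassparameterses
1405 - configuration.konghq.com
1413 - configuration.konghq.com
1415 - kongconsumers/status
1421 - configuration.konghq.com
1429 - configuration.konghq.com
1431 - kongingresses/status
1437 - configuration.konghq.com
1445 - configuration.konghq.com
1447 - kongplugins/status
1453 - configuration.konghq.com
1461 - configuration.konghq.com
1463 - tcpingresses/status
1469 - configuration.konghq.com
1477 - configuration.konghq.com
1479 - udpingresses/status
1500 {{- if or (.Capabilities.APIVersions.Has "gateway.networking.k8s.io/v1alpha2") (.Capabilities.APIVersions.Has "gateway.networking.k8s.io/v1beta1") (.Capabilities.APIVersions.Has "gateway.networking.k8s.io/v1")}}
1502 - gateway.networking.k8s.io
1511 - gateway.networking.k8s.io
1518 - gateway.networking.k8s.io
1526 - gateway.networking.k8s.io
1533 - gateway.networking.k8s.io
1541 - gateway.networking.k8s.io
1543 - referencegrants/status
1547 - gateway.networking.k8s.io
1555 - gateway.networking.k8s.io
1562 - gateway.networking.k8s.io
1570 - gateway.networking.k8s.io
1577 - gateway.networking.k8s.io
1585 - gateway.networking.k8s.io
1592 - gateway.networking.k8s.io
1600 - gateway.networking.k8s.io
1608 {{- if (.Capabilities.APIVersions.Has "networking.internal.knative.dev/v1alpha1") }}
1610 - networking.internal.knative.dev
1618 - networking.internal.knative.dev
1650 {{- if (semverCompare ">= 3.1.0" (include "kong.effectiveVersion" .Values.ingressController.image)) }}
1652 - configuration.konghq.com
1660 - configuration.konghq.com
1662 - konglicenses/status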
1671 kong.kubernetesRBACClusterRules outputs a static list of RBAC rules (the "rules" block
1672 of a Role or ClusterRole) that provide the ingress controller access to the
1673 Kubernetes Cluster-scoped resources it uses to build Kong configuration.
1675 {{- define "kong.kubernetesRBACClusterRules" -}}
{{- /*
Rule groups are gated on the ingress controller version (semverCompare against
kong.effectiveVersion of .Values.ingressController.image) and on the Gateway
API versions the cluster reports. The groups cover configuration.konghq.com
resources including kongclusterplugins and its status, customresourcedefinitions
in apiextensions.k8s.io for controller versions >= 2.10.0, and
gateway.networking.k8s.io resources including gatewayclasses/status.
NOTE(review): these rules apply cluster-wide; when they are refreshed from the
upstream controller manifests, confirm each group is still limited to what the
gated controller version needs.
*/ -}}
1676 {{- if (semverCompare ">= 3.1.0" (include "kong.effectiveVersion" .Values.ingressController.image)) }}
1678 - configuration.konghq.com
1686 - configuration.konghq.com
1695 - configuration.konghq.com
1697 - kongclusterplugins
1703 - configuration.konghq.com
1705 - kongclusterplugins/status
1710 {{- if (semverCompare ">= 2.10.0" (include "kong.effectiveVersion" .Values.ingressController.image)) }}
1712 - apiextensions.k8s.io
1714 - customresourcedefinitions
1719 {{- if or (.Capabilities.APIVersions.Has "gateway.networking.k8s.io/v1alpha2") (.Capabilities.APIVersions.Has "gateway.networking.k8s.io/v1beta1") (.Capabilities.APIVersions.Has "gateway.networking.k8s.io/v1")}}
1721 - gateway.networking.k8s.io
1729 - gateway.networking.k8s.io
1731 - gatewayclasses/status
1754 {{- define "kong.autoscalingVersion" -}}
{{- /*
Selects an autoscaling API version from what the cluster reports through
.Capabilities.APIVersions: autoscaling/v2 is checked first, then
autoscaling/v2beta2.
*/ -}}
1755 {{- if (.Capabilities.APIVersions.Has "autoscaling/v2") -}}
1757 {{- else if (.Capabilities.APIVersions.Has "autoscaling/v2beta2") -}}
1764 {{- define "kong.policyVersion" -}}
{{- /*
Checks whether the cluster reports the policy/v1beta1 API. The fail call aborts
rendering with the message "Cluster doesn't have policy/v1beta1 API."
(presumably on the branch where the API is absent).
*/ -}}
1765 {{- if (.Capabilities.APIVersions.Has "policy/v1beta1" ) -}}
1768 {{- fail (printf "Cluster doesn't have policy/v1beta1 API." ) }}
1772 {{- define "kong.renderTpl" -}}
{{- /*
Input is a dict with the keys "value" and "context". A string value is passed
to tpl directly; anything else is serialised with toYaml first. In both cases
the text is evaluated as a template against .context.
NOTE(review): because the value is executed as a template, it can read whatever
the supplied context exposes. Callers should pass only operator-controlled
values (kong.metaLabels passes .Values.extraLabels with the root context).
*/ -}}
1773 {{- if typeIs "string" .value }}
1774 {{- tpl .value .context }}
1776 {{- tpl (.value | toYaml) .context }}
1780 {{- define "kong.ingressVersion" -}}
{{- /*
Emits networking.k8s.io/v1 when the cluster reports that API version,
otherwise networking.k8s.io/v1beta1 when that one is reported.
*/ -}}
1781 {{- if (.Capabilities.APIVersions.Has "networking.k8s.io/v1") -}}
1782 networking.k8s.io/v1
1783 {{- else if (.Capabilities.APIVersions.Has "networking.k8s.io/v1beta1") -}}
1784 networking.k8s.io/v1beta1
1790 {{- define "kong.proxy.compatibleReadiness" -}}
{{- /*
Emits .Values.readinessProbe as YAML. When the effective version of
.Values.image is < 3.3.0, or the ingress controller is enabled and its
effective version is < 2.11.0, a probe path of /status/ready is replaced with
/status.
NOTE(review): $proxyReadiness refers to the same map as .Values.readinessProbe
and set modifies it in place, so the replaced path presumably stays visible to
anything rendered later from the same values; confirm that is intended.
*/ -}}
1791 {{- $proxyReadiness := .Values.readinessProbe -}}
1792 {{- if (or (semverCompare "< 3.3.0" (include "kong.effectiveVersion" .Values.image)) (and .Values.ingressController.enabled (semverCompare "< 2.11.0" (include "kong.effectiveVersion" .Values.ingressController.image)))) -}}
1793 {{- if (eq $proxyReadiness.httpGet.path "/status/ready") -}}
1794 {{- $_ := set $proxyReadiness.httpGet "path" "/status" -}}
1797 {{- (toYaml $proxyReadiness) -}}
1800 {{- define "kong.envFrom" -}}
1801 {{- if (gt (len .) 0) -}}
1803 {{- toYaml . | nindent 2 -}}