X-Git-Url: https://gerrit.o-ran-sc.org/r/gitweb?a=blobdiff_plain;f=helm%2Finfrastructure%2Fsubcharts%2Fkong%2Ftemplates%2F_helpers.tpl;h=853b83f47a9a10bf61ca4621be1fc66395301fa9;hb=4c278289d5bcb55892d99151310cb1df046f5d52;hp=0a39678cc9493eca9a2714d2db08858be23f72fa;hpb=38dc857062b14145f5b9db89d10eba0ae5b90d11;p=ric-plt%2Fric-dep.git diff --git a/helm/infrastructure/subcharts/kong/templates/_helpers.tpl b/helm/infrastructure/subcharts/kong/templates/_helpers.tpl index 0a39678..853b83f 100755 --- a/helm/infrastructure/subcharts/kong/templates/_helpers.tpl +++ b/helm/infrastructure/subcharts/kong/templates/_helpers.tpl @@ -13,13 +13,26 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this {{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} {{- end -}} -{{- define "kong.postgresql.fullname" -}} -{{- $name := default "postgresql" .Values.postgresql.nameOverride -}} -{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- define "kong.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{- define "kong.metaLabels" -}} +app.kubernetes.io/name: {{ template "kong.name" . }} +helm.sh/chart: {{ template "kong.chart" . }} +app.kubernetes.io/instance: "{{ .Release.Name }}" +app.kubernetes.io/managed-by: "{{ .Release.Service }}" +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end -}} + +{{- define "kong.selectorLabels" -}} +app.kubernetes.io/name: {{ template "kong.name" . }} +app.kubernetes.io/component: app +app.kubernetes.io/instance: "{{ .Release.Name }}" {{- end -}} -{{- define "kong.cassandra.fullname" -}} -{{- $name := default "cassandra" .Values.cassandra.nameOverride -}} +{{- define "kong.postgresql.fullname" -}} +{{- $name := default "postgresql" .Values.postgresql.nameOverride -}} {{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} {{- end -}} @@ -35,7 +48,7 @@ Create the name of the service account to use {{- if .Values.ingressController.serviceAccount.create -}} {{ default (include "kong.fullname" .) .Values.ingressController.serviceAccount.name }} {{- else -}} - {{ default "default" .Values.serviceAccount.name }} + {{ default "default" .Values.ingressController.serviceAccount.name }} {{- end -}} {{- end -}} @@ -123,6 +136,28 @@ Create the ingress servicePort value string {{- end -}} {{- end -}} +{{/* +Generate an appropriate external URL from a Kong service's ingress configuration +Strips trailing slashes from the path. Manager at least does not handle these +intelligently and will append its own slash regardless, and the admin API cannot handle +the extra slash. +*/}} + +{{- define "kong.ingress.serviceUrl" -}} +{{- if .tls -}} + https://{{ .hostname }}{{ .path | trimSuffix "/" }} +{{- else -}} + http://{{ .hostname }}{{ .path | trimSuffix "/" }} +{{- end -}} +{{- end -}} + +{{/* +The name of the service used for the ingress controller's validation webhook +*/}} + +{{- define "kong.service.validationWebhook" -}} +{{ include "kong.fullname" . }}-validation-webhook +{{- end -}} {{- define "kong.env" -}} {{- range $key, $val := .Values.env }} @@ -136,6 +171,95 @@ Create the ingress servicePort value string {{- end -}} {{- end -}} +{{- define "kong.ingressController.env" -}} +{{- range $key, $val := .Values.ingressController.env }} +- name: CONTROLLER_{{ $key | upper}} +{{- $valueType := printf "%T" $val -}} +{{ if eq $valueType "map[string]interface {}" }} +{{ toYaml $val | indent 2 -}} +{{- else }} + value: {{ $val | quote -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{- define "kong.volumes" -}} +- name: {{ template "kong.fullname" . }}-prefix-dir + emptyDir: {} +- name: {{ template "kong.fullname" . }}-tmp + emptyDir: {} +{{- range .Values.plugins.configMaps }} +- name: kong-plugin-{{ .pluginName }} + configMap: + name: {{ .name }} +{{- end }} +{{- range .Values.plugins.secrets }} +- name: kong-plugin-{{ .pluginName }} + secret: + secretName: {{ .name }} +{{- end }} +- name: custom-nginx-template-volume + configMap: + name: {{ template "kong.fullname" . }}-default-custom-server-blocks +{{- if (and (not .Values.ingressController.enabled) (eq .Values.env.database "off")) }} +- name: kong-custom-dbless-config-volume + configMap: + {{- if .Values.dblessConfig.configMap }} + name: {{ .Values.dblessConfig.configMap }} + {{- else }} + name: {{ template "kong.dblessConfig.fullname" . }} + {{- end }} +{{- end }} +{{- if .Values.ingressController.admissionWebhook.enabled }} +- name: webhook-cert + secret: + secretName: {{ template "kong.fullname" . }}-validation-webhook-keypair +{{- end }} +{{- range $secretVolume := .Values.secretVolumes }} +- name: {{ . }} + secret: + secretName: {{ . }} +{{- end }} +{{- end -}} + +{{- define "kong.volumeMounts" -}} +- name: {{ template "kong.fullname" . }}-prefix-dir + mountPath: /kong_prefix/ +- name: {{ template "kong.fullname" . }}-tmp + mountPath: /tmp +- name: custom-nginx-template-volume + mountPath: /kong +{{- if (and (not .Values.ingressController.enabled) (eq .Values.env.database "off")) }} +- name: kong-custom-dbless-config-volume + mountPath: /kong_dbless/ +{{- end }} +{{- range .Values.secretVolumes }} +- name: {{ . }} + mountPath: /etc/secrets/{{ . }} +{{- end }} +{{- range .Values.plugins.configMaps }} +- name: kong-plugin-{{ .pluginName }} + mountPath: /opt/kong/plugins/{{ .pluginName }} + readOnly: true +{{- end }} +{{- range .Values.plugins.secrets }} +- name: kong-plugin-{{ .pluginName }} + mountPath: /opt/kong/plugins/{{ .pluginName }} + readOnly: true +{{- end }} +{{- end -}} + +{{- define "kong.plugins" -}} +{{ $myList := list "bundled" }} +{{- range .Values.plugins.configMaps -}} +{{- $myList = append $myList .pluginName -}} +{{- end -}} +{{- range .Values.plugins.secrets -}} + {{ $myList = append $myList .pluginName -}} +{{- end }} +{{- $myList | join "," -}} +{{- end -}} + {{- define "kong.wait-for-db" -}} - name: wait-for-db image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" @@ -155,12 +279,14 @@ Create the ingress servicePort value string name: {{ template "kong.postgresql.fullname" . }} key: postgresql-password {{- end }} - {{- if .Values.cassandra.enabled }} - - name: KONG_CASSANDRA_CONTACT_POINTS - value: {{ template "kong.cassandra.fullname" . }} - {{- end }} + - name: KONG_LUA_PACKAGE_PATH + value: "/opt/?.lua;;" + - name: KONG_PLUGINS + value: {{ template "kong.plugins" . }} {{- include "kong.env" . | nindent 2 }} command: [ "/bin/sh", "-c", "until kong start; do echo 'waiting for db'; sleep 1; done; kong stop" ] + volumeMounts: + {{- include "kong.volumeMounts" . | nindent 4 }} {{- end -}} {{- define "kong.controller-container" -}} @@ -179,6 +305,9 @@ Create the ingress servicePort value string {{- else }} - --kong-url=http://localhost:{{ .Values.admin.containerPort }} {{- end }} + {{- if .Values.ingressController.admissionWebhook.enabled }} + - --admission-webhook-listen=0.0.0.0:{{ .Values.ingressController.admissionWebhook.port }} + {{- end }} env: - name: POD_NAME valueFrom: @@ -190,29 +319,21 @@ Create the ingress servicePort value string fieldRef: apiVersion: v1 fieldPath: metadata.namespace +{{- include "kong.ingressController.env" . | indent 2 }} image: "{{ .Values.ingressController.image.repository }}:{{ .Values.ingressController.image.tag }}" imagePullPolicy: {{ .Values.image.pullPolicy }} - livenessProbe: - failureThreshold: 3 - httpGet: - path: /healthz - port: 10254 - scheme: HTTP - initialDelaySeconds: 30 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 1 readinessProbe: - failureThreshold: 3 - httpGet: - path: /healthz - port: 10254 - scheme: HTTP - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 1 +{{ toYaml .Values.ingressController.readinessProbe | indent 4 }} + livenessProbe: +{{ toYaml .Values.ingressController.livenessProbe | indent 4 }} resources: -{{ toYaml .Values.ingressController.resources | indent 10 }} +{{ toYaml .Values.ingressController.resources | indent 4 }} +{{- if .Values.ingressController.admissionWebhook.enabled }} + volumeMounts: + - name: webhook-cert + mountPath: /admission-webhook + readOnly: true +{{- end }} {{- end -}} {{/* @@ -225,3 +346,164 @@ Retrieve Kong Enterprise license from a secret and make it available in env vars name: {{ .Values.enterprise.license_secret }} key: license {{- end -}} + +{{/* +Use the Pod security context defined in Values or set the UID by default +*/}} +{{- define "kong.podsecuritycontext" -}} +{{ .Values.securityContext | toYaml }} +{{- end -}} + +{{/* +The environment values passed to Kong; this should come after all +the template that it itself is using form the above sections. +*/}} +{{- define "kong.final_env" -}} +- name: KONG_LUA_PACKAGE_PATH + value: "/opt/?.lua;;" +{{- if not .Values.env.admin_listen }} +{{- if .Values.admin.useTLS }} +- name: KONG_ADMIN_LISTEN + value: "0.0.0.0:{{ .Values.admin.containerPort }} ssl" +{{- else }} +- name: KONG_ADMIN_LISTEN + value: 0.0.0.0:{{ .Values.admin.containerPort }} +{{- end }} +{{- end }} +{{- if .Values.admin.ingress.enabled }} +- name: KONG_ADMIN_API_URI + value: {{ include "kong.ingress.serviceUrl" .Values.admin.ingress }} +{{- end }} +{{- if not .Values.env.proxy_listen }} +- name: KONG_PROXY_LISTEN + value: {{ template "kong.kongProxyListenValue" . }} +{{- end }} +{{- if and (not .Values.env.admin_gui_listen) (.Values.enterprise.enabled) }} +- name: KONG_ADMIN_GUI_LISTEN + value: {{ template "kong.kongManagerListenValue" . }} +{{- end }} +{{- if and (.Values.manager.ingress.enabled) (.Values.enterprise.enabled) }} +- name: KONG_ADMIN_GUI_URL + value: {{ include "kong.ingress.serviceUrl" .Values.manager.ingress }} +{{- end }} +{{- if and (not .Values.env.portal_gui_listen) (.Values.enterprise.enabled) (.Values.enterprise.portal.enabled) }} +- name: KONG_PORTAL_GUI_LISTEN + value: {{ template "kong.kongPortalListenValue" . }} +{{- end }} +{{- if and (.Values.portal.ingress.enabled) (.Values.enterprise.enabled) (.Values.enterprise.portal.enabled) }} +- name: KONG_PORTAL_GUI_HOST + value: {{ .Values.portal.ingress.hostname }} +{{- if .Values.portal.ingress.tls }} +- name: KONG_PORTAL_GUI_PROTOCOL + value: https +{{- else }} +- name: KONG_PORTAL_GUI_PROTOCOL + value: http +{{- end }} +{{- end }} +{{- if and (not .Values.env.portal_api_listen) (.Values.enterprise.enabled) (.Values.enterprise.portal.enabled) }} +- name: KONG_PORTAL_API_LISTEN + value: {{ template "kong.kongPortalApiListenValue" . }} +{{- end }} +{{- if and (.Values.portalapi.ingress.enabled) (.Values.enterprise.enabled) (.Values.enterprise.portal.enabled) }} +- name: KONG_PORTAL_API_URL + value: {{ include "kong.ingress.serviceUrl" .Values.portalapi.ingress }} +{{- end }} +- name: KONG_NGINX_DAEMON + value: "off" +{{- if .Values.enterprise.enabled }} +{{- if not .Values.enterprise.vitals.enabled }} +- name: KONG_VITALS + value: "off" +{{- end }} +{{- if .Values.enterprise.portal.enabled }} +- name: KONG_PORTAL + value: "on" +{{- if .Values.enterprise.portal.portal_auth }} +- name: KONG_PORTAL_AUTH + value: {{ .Values.enterprise.portal.portal_auth }} +- name: KONG_PORTAL_SESSION_CONF + valueFrom: + secretKeyRef: + name: {{ .Values.enterprise.portal.session_conf_secret }} + key: portal_session_conf +{{- end }} +{{- end }} +{{- if .Values.enterprise.rbac.enabled }} +- name: KONG_ENFORCE_RBAC + value: "on" +- name: KONG_ADMIN_GUI_AUTH + value: {{ .Values.enterprise.rbac.admin_gui_auth | default "basic-auth" }} +{{- if not (eq .Values.enterprise.rbac.admin_gui_auth "basic-auth") }} +- name: KONG_ADMIN_GUI_AUTH_CONF + valueFrom: + secretKeyRef: + name: {{ .Values.enterprise.rbac.admin_gui_auth_conf_secret }} + key: admin_gui_auth_conf +{{- end }} +- name: KONG_ADMIN_GUI_SESSION_CONF + valueFrom: + secretKeyRef: + name: {{ .Values.enterprise.rbac.session_conf_secret }} + key: admin_gui_session_conf +{{- end }} +{{- if .Values.enterprise.smtp.enabled }} +- name: KONG_PORTAL_EMAILS_FROM + value: {{ .Values.enterprise.smtp.portal_emails_from }} +- name: KONG_PORTAL_EMAILS_REPLY_TO + value: {{ .Values.enterprise.smtp.portal_emails_reply_to }} +- name: KONG_ADMIN_EMAILS_FROM + value: {{ .Values.enterprise.smtp.admin_emails_from }} +- name: KONG_ADMIN_EMAILS_REPLY_TO + value: {{ .Values.enterprise.smtp.admin_emails_reply_to }} +- name: KONG_SMTP_HOST + value: {{ .Values.enterprise.smtp.smtp_host }} +- name: KONG_SMTP_PORT + value: {{ .Values.enterprise.smtp.smtp_port | quote }} +- name: KONG_SMTP_STARTTLS + value: {{ .Values.enterprise.smtp.smtp_starttls | quote }} +{{- if .Values.enterprise.smtp.auth.smtp_username }} +- name: KONG_SMTP_USERNAME + value: {{ .Values.enterprise.smtp.auth.smtp_username }} +- name: KONG_SMTP_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Values.enterprise.smtp.auth.smtp_password_secret }} + key: smtp_password +{{- end }} +{{- else }} +- name: KONG_SMTP_MOCK + value: "on" +{{- end }} +{{ include "kong.license" . }} +{{- end }} +- name: KONG_NGINX_HTTP_INCLUDE + value: /kong/servers.conf +{{- if .Values.postgresql.enabled }} +- name: KONG_PG_HOST + value: {{ template "kong.postgresql.fullname" . }} +- name: KONG_PG_PORT + value: "{{ .Values.postgresql.service.port }}" +- name: KONG_PG_PASSWORD + valueFrom: + secretKeyRef: + name: {{ template "kong.postgresql.fullname" . }} + key: postgresql-password +{{- end }} +{{- if (and (not .Values.ingressController.enabled) (eq .Values.env.database "off")) }} +- name: KONG_DECLARATIVE_CONFIG + value: "/kong_dbless/kong.yml" +{{- end }} +- name: KONG_PLUGINS + value: {{ template "kong.plugins" . }} +{{- include "kong.env" . }} +{{- end -}} + +{{- define "kong.wait-for-postgres" -}} +- name: wait-for-postgres + image: "{{ .Values.waitImage.repository }}:{{ .Values.waitImage.tag }}" + imagePullPolicy: {{ .Values.waitImage.pullPolicy }} + env: + {{- include "kong.final_env" . | nindent 2 }} + command: [ "/bin/sh", "-c", "until nc -zv $KONG_PG_HOST $KONG_PG_PORT -w1; do echo 'waiting for db'; sleep 1; done" ] +{{- end -}}