J release changes 69/12969/1 master
authorwahidw <abdulwahid.w@nokia.com>
Sat, 22 Jun 2024 14:03:26 +0000 (14:03 +0000)
committerwahidw <abdulwahid.w@nokia.com>
Sat, 22 Jun 2024 14:13:14 +0000 (14:13 +0000)
Change-Id: Ibfaf290c551ebc760c5a2d1eea3a26222d646f3b
Signed-off-by: wahidw <abdulwahid.w@nokia.com>
171 files changed:
RECIPE_EXAMPLE/example_recipe_latest_stable.yaml
RECIPE_EXAMPLE/example_recipe_oran_j_release.yaml [new file with mode: 0644]
bin/install
bin/install_k8s_and_helm.sh
helm/a1mediator/templates/ingress-a1mediator.yaml
helm/appmgr/templates/bin/_svcacct-to-kubeconfig.sh.tpl [changed mode: 0755->0644]
helm/appmgr/templates/ingress-appmgr.yaml
helm/appmgr/templates/serviceaccount.yaml
helm/e2mgr/templates/ingress-e2mgr.yaml
helm/e2term/resources/cleaner.sh [changed mode: 0644->0755]
helm/infrastructure/requirements.yaml
helm/infrastructure/subcharts/kong/CHANGELOG.md [new file with mode: 0644]
helm/infrastructure/subcharts/kong/Chart.yaml
helm/infrastructure/subcharts/kong/FAQs.md
helm/infrastructure/subcharts/kong/README.md
helm/infrastructure/subcharts/kong/UPGRADE.md [new file with mode: 0644]
helm/infrastructure/subcharts/kong/charts/postgresql/.helmignore [new file with mode: 0644]
helm/infrastructure/subcharts/kong/charts/postgresql/Chart.yaml [new file with mode: 0644]
helm/infrastructure/subcharts/kong/charts/postgresql/README.md [new file with mode: 0644]
helm/infrastructure/subcharts/kong/charts/postgresql/charts/common/.helmignore [new file with mode: 0644]
helm/infrastructure/subcharts/kong/charts/postgresql/charts/common/Chart.yaml [new file with mode: 0644]
helm/infrastructure/subcharts/kong/charts/postgresql/charts/common/README.md [new file with mode: 0644]
helm/infrastructure/subcharts/kong/charts/postgresql/charts/common/templates/_affinities.tpl [new file with mode: 0644]
helm/infrastructure/subcharts/kong/charts/postgresql/charts/common/templates/_capabilities.tpl [new file with mode: 0644]
helm/infrastructure/subcharts/kong/charts/postgresql/charts/common/templates/_errors.tpl [new file with mode: 0644]
helm/infrastructure/subcharts/kong/charts/postgresql/charts/common/templates/_images.tpl [new file with mode: 0644]
helm/infrastructure/subcharts/kong/charts/postgresql/charts/common/templates/_ingress.tpl [new file with mode: 0644]
helm/infrastructure/subcharts/kong/charts/postgresql/charts/common/templates/_labels.tpl [new file with mode: 0644]
helm/infrastructure/subcharts/kong/charts/postgresql/charts/common/templates/_names.tpl [new file with mode: 0644]
helm/infrastructure/subcharts/kong/charts/postgresql/charts/common/templates/_secrets.tpl [new file with mode: 0644]
helm/infrastructure/subcharts/kong/charts/postgresql/charts/common/templates/_storage.tpl [new file with mode: 0644]
helm/infrastructure/subcharts/kong/charts/postgresql/charts/common/templates/_tplvalues.tpl [new file with mode: 0644]
helm/infrastructure/subcharts/kong/charts/postgresql/charts/common/templates/_utils.tpl [new file with mode: 0644]
helm/infrastructure/subcharts/kong/charts/postgresql/charts/common/templates/_warnings.tpl [new file with mode: 0644]
helm/infrastructure/subcharts/kong/charts/postgresql/charts/common/templates/validations/_cassandra.tpl [new file with mode: 0644]
helm/infrastructure/subcharts/kong/charts/postgresql/charts/common/templates/validations/_mariadb.tpl [new file with mode: 0644]
helm/infrastructure/subcharts/kong/charts/postgresql/charts/common/templates/validations/_mongodb.tpl [new file with mode: 0644]
helm/infrastructure/subcharts/kong/charts/postgresql/charts/common/templates/validations/_mysql.tpl [new file with mode: 0644]
helm/infrastructure/subcharts/kong/charts/postgresql/charts/common/templates/validations/_postgresql.tpl [new file with mode: 0644]
helm/infrastructure/subcharts/kong/charts/postgresql/charts/common/templates/validations/_redis.tpl [new file with mode: 0644]
helm/infrastructure/subcharts/kong/charts/postgresql/charts/common/templates/validations/_validations.tpl [new file with mode: 0644]
helm/infrastructure/subcharts/kong/charts/postgresql/charts/common/values.yaml [new file with mode: 0644]
helm/infrastructure/subcharts/kong/charts/postgresql/templates/NOTES.txt [new file with mode: 0644]
helm/infrastructure/subcharts/kong/charts/postgresql/templates/_helpers.tpl [new file with mode: 0644]
helm/infrastructure/subcharts/kong/charts/postgresql/templates/extra-list.yaml [new file with mode: 0644]
helm/infrastructure/subcharts/kong/charts/postgresql/templates/networkpolicy-egress.yaml [new file with mode: 0644]
helm/infrastructure/subcharts/kong/charts/postgresql/templates/primary/configmap.yaml [new file with mode: 0644]
helm/infrastructure/subcharts/kong/charts/postgresql/templates/primary/extended-configmap.yaml [new file with mode: 0644]
helm/infrastructure/subcharts/kong/charts/postgresql/templates/primary/initialization-configmap.yaml [new file with mode: 0644]
helm/infrastructure/subcharts/kong/charts/postgresql/templates/primary/metrics-configmap.yaml [new file with mode: 0644]
helm/infrastructure/subcharts/kong/charts/postgresql/templates/primary/metrics-svc.yaml [new file with mode: 0644]
helm/infrastructure/subcharts/kong/charts/postgresql/templates/primary/networkpolicy.yaml [new file with mode: 0644]
helm/infrastructure/subcharts/kong/charts/postgresql/templates/primary/servicemonitor.yaml [new file with mode: 0644]
helm/infrastructure/subcharts/kong/charts/postgresql/templates/primary/statefulset.yaml [new file with mode: 0644]
helm/infrastructure/subcharts/kong/charts/postgresql/templates/primary/svc-headless.yaml [new file with mode: 0644]
helm/infrastructure/subcharts/kong/charts/postgresql/templates/primary/svc.yaml [new file with mode: 0644]
helm/infrastructure/subcharts/kong/charts/postgresql/templates/prometheusrule.yaml [new file with mode: 0644]
helm/infrastructure/subcharts/kong/charts/postgresql/templates/psp.yaml [new file with mode: 0644]
helm/infrastructure/subcharts/kong/charts/postgresql/templates/read/extended-configmap.yaml [new file with mode: 0644]
helm/infrastructure/subcharts/kong/charts/postgresql/templates/read/metrics-configmap.yaml [new file with mode: 0644]
helm/infrastructure/subcharts/kong/charts/postgresql/templates/read/metrics-svc.yaml [new file with mode: 0644]
helm/infrastructure/subcharts/kong/charts/postgresql/templates/read/networkpolicy.yaml [new file with mode: 0644]
helm/infrastructure/subcharts/kong/charts/postgresql/templates/read/servicemonitor.yaml [new file with mode: 0644]
helm/infrastructure/subcharts/kong/charts/postgresql/templates/read/statefulset.yaml [new file with mode: 0644]
helm/infrastructure/subcharts/kong/charts/postgresql/templates/read/svc-headless.yaml [new file with mode: 0644]
helm/infrastructure/subcharts/kong/charts/postgresql/templates/read/svc.yaml [new file with mode: 0644]
helm/infrastructure/subcharts/kong/charts/postgresql/templates/role.yaml [new file with mode: 0644]
helm/infrastructure/subcharts/kong/charts/postgresql/templates/rolebinding.yaml [new file with mode: 0644]
helm/infrastructure/subcharts/kong/charts/postgresql/templates/secrets.yaml [new file with mode: 0644]
helm/infrastructure/subcharts/kong/charts/postgresql/templates/serviceaccount.yaml [new file with mode: 0644]
helm/infrastructure/subcharts/kong/charts/postgresql/templates/tls-secrets.yaml [new file with mode: 0644]
helm/infrastructure/subcharts/kong/charts/postgresql/values.schema.json [new file with mode: 0644]
helm/infrastructure/subcharts/kong/charts/postgresql/values.yaml [new file with mode: 0644]
helm/infrastructure/subcharts/kong/ci/.chartsnap.yaml [new file with mode: 0644]
helm/infrastructure/subcharts/kong/ci/__snapshots__/admin-api-service-clusterip-values.snap [new file with mode: 0644]
helm/infrastructure/subcharts/kong/ci/__snapshots__/custom-labels-values.snap [new file with mode: 0644]
helm/infrastructure/subcharts/kong/ci/__snapshots__/default-values.snap [new file with mode: 0644]
helm/infrastructure/subcharts/kong/ci/__snapshots__/kong-ingress-1-values.snap [new file with mode: 0644]
helm/infrastructure/subcharts/kong/ci/__snapshots__/kong-ingress-2-values.snap [new file with mode: 0644]
helm/infrastructure/subcharts/kong/ci/__snapshots__/kong-ingress-3-values.snap [new file with mode: 0644]
helm/infrastructure/subcharts/kong/ci/__snapshots__/kong-ingress-4-values.snap [new file with mode: 0644]
helm/infrastructure/subcharts/kong/ci/__snapshots__/kong-ingress-5-3.1-rbac-values.snap [new file with mode: 0644]
helm/infrastructure/subcharts/kong/ci/__snapshots__/proxy-appprotocol-values.snap [new file with mode: 0644]
helm/infrastructure/subcharts/kong/ci/__snapshots__/service-account.snap [new file with mode: 0644]
helm/infrastructure/subcharts/kong/ci/__snapshots__/single-image-default-values.snap [new file with mode: 0644]
helm/infrastructure/subcharts/kong/ci/__snapshots__/test-enterprise-version-3.4.0.0-values.snap [new file with mode: 0644]
helm/infrastructure/subcharts/kong/ci/__snapshots__/test1-values.snap [new file with mode: 0644]
helm/infrastructure/subcharts/kong/ci/__snapshots__/test2-values.snap [new file with mode: 0644]
helm/infrastructure/subcharts/kong/ci/__snapshots__/test3-values.snap [new file with mode: 0644]
helm/infrastructure/subcharts/kong/ci/__snapshots__/test4-values.snap [new file with mode: 0644]
helm/infrastructure/subcharts/kong/ci/__snapshots__/test5-values.snap [new file with mode: 0644]
helm/infrastructure/subcharts/kong/ci/admin-api-service-clusterip-values.yaml [new file with mode: 0644]
helm/infrastructure/subcharts/kong/ci/custom-labels-values.yaml [new file with mode: 0644]
helm/infrastructure/subcharts/kong/ci/default-values.yaml
helm/infrastructure/subcharts/kong/ci/kong-ingress-1-values.yaml [new file with mode: 0644]
helm/infrastructure/subcharts/kong/ci/kong-ingress-2-values.yaml [new file with mode: 0644]
helm/infrastructure/subcharts/kong/ci/kong-ingress-3-values.yaml [new file with mode: 0644]
helm/infrastructure/subcharts/kong/ci/kong-ingress-4-values.yaml [new file with mode: 0644]
helm/infrastructure/subcharts/kong/ci/kong-ingress-5-3.1-rbac-values.yaml [new file with mode: 0644]
helm/infrastructure/subcharts/kong/ci/proxy-appprotocol-values.yaml [new file with mode: 0644]
helm/infrastructure/subcharts/kong/ci/service-account.yaml [new file with mode: 0644]
helm/infrastructure/subcharts/kong/ci/single-image-default-values.yaml [new file with mode: 0644]
helm/infrastructure/subcharts/kong/ci/test-enterprise-version-3.4.0.0-values.yaml [new file with mode: 0644]
helm/infrastructure/subcharts/kong/ci/test1-values.yaml
helm/infrastructure/subcharts/kong/ci/test2-values.yaml
helm/infrastructure/subcharts/kong/ci/test3-values.yaml
helm/infrastructure/subcharts/kong/ci/test4-values.yaml [new file with mode: 0644]
helm/infrastructure/subcharts/kong/ci/test5-values.yaml [new file with mode: 0644]
helm/infrastructure/subcharts/kong/crds/custom-resource-definitions.yaml [new file with mode: 0644]
helm/infrastructure/subcharts/kong/example-values/README.md [new file with mode: 0644]
helm/infrastructure/subcharts/kong/example-values/doc-examples/README.md [new file with mode: 0644]
helm/infrastructure/subcharts/kong/example-values/doc-examples/quickstart-enterprise-licensed-aio.yaml [new file with mode: 0644]
helm/infrastructure/subcharts/kong/example-values/full-k4k8s-with-kong-enterprise.yaml [new file with mode: 0644]
helm/infrastructure/subcharts/kong/example-values/hybrid-cert-manager/README.md [new file with mode: 0644]
helm/infrastructure/subcharts/kong/example-values/hybrid-cert-manager/cp-values.yaml [new file with mode: 0644]
helm/infrastructure/subcharts/kong/example-values/hybrid-cert-manager/dp-values.yaml [new file with mode: 0644]
helm/infrastructure/subcharts/kong/example-values/minimal-k4k8s-with-kong-enterprise.yaml [new file with mode: 0644]
helm/infrastructure/subcharts/kong/example-values/minimal-kong-controller.yaml [new file with mode: 0644]
helm/infrastructure/subcharts/kong/example-values/minimal-kong-enterprise-dbless.yaml [new file with mode: 0644]
helm/infrastructure/subcharts/kong/example-values/minimal-kong-enterprise-hybrid-control.yaml [new file with mode: 0644]
helm/infrastructure/subcharts/kong/example-values/minimal-kong-enterprise-hybrid-data.yaml [new file with mode: 0644]
helm/infrastructure/subcharts/kong/example-values/minimal-kong-gd-controller-konnect.yaml [new file with mode: 0644]
helm/infrastructure/subcharts/kong/example-values/minimal-kong-gd-controller.yaml [new file with mode: 0644]
helm/infrastructure/subcharts/kong/example-values/minimal-kong-gd-gateway.yaml [new file with mode: 0644]
helm/infrastructure/subcharts/kong/example-values/minimal-kong-hybrid-control.yaml [new file with mode: 0644]
helm/infrastructure/subcharts/kong/example-values/minimal-kong-hybrid-data.yaml [new file with mode: 0644]
helm/infrastructure/subcharts/kong/example-values/minimal-kong-standalone.yaml [new file with mode: 0644]
helm/infrastructure/subcharts/kong/templates/NOTES.txt
helm/infrastructure/subcharts/kong/templates/_helpers.tpl
helm/infrastructure/subcharts/kong/templates/admission-webhook.yaml
helm/infrastructure/subcharts/kong/templates/certificate.yaml [new file with mode: 0644]
helm/infrastructure/subcharts/kong/templates/config-custom-server-blocks.yaml [deleted file]
helm/infrastructure/subcharts/kong/templates/config-dbless.yaml
helm/infrastructure/subcharts/kong/templates/controller-rbac-resources.yaml
helm/infrastructure/subcharts/kong/templates/controller-service-account.yaml [deleted file]
helm/infrastructure/subcharts/kong/templates/custom-resource-definitions.yaml
helm/infrastructure/subcharts/kong/templates/deployment.yaml
helm/infrastructure/subcharts/kong/templates/extraManifests.yaml [new file with mode: 0644]
helm/infrastructure/subcharts/kong/templates/hpa.yaml [new file with mode: 0644]
helm/infrastructure/subcharts/kong/templates/ingress-admin.yaml [deleted file]
helm/infrastructure/subcharts/kong/templates/ingress-class.yaml [new file with mode: 0644]
helm/infrastructure/subcharts/kong/templates/ingress-manager.yaml [deleted file]
helm/infrastructure/subcharts/kong/templates/ingress-portal-api.yaml [deleted file]
helm/infrastructure/subcharts/kong/templates/ingress-portal.yaml [deleted file]
helm/infrastructure/subcharts/kong/templates/ingress-proxy.yaml [deleted file]
helm/infrastructure/subcharts/kong/templates/migrations-post-upgrade.yaml
helm/infrastructure/subcharts/kong/templates/migrations-pre-upgrade.yaml
helm/infrastructure/subcharts/kong/templates/migrations.yaml
helm/infrastructure/subcharts/kong/templates/pdb.yaml
helm/infrastructure/subcharts/kong/templates/psp.yaml
helm/infrastructure/subcharts/kong/templates/secret-sa-token.yaml [new file with mode: 0644]
helm/infrastructure/subcharts/kong/templates/service-account.yaml [new file with mode: 0644]
helm/infrastructure/subcharts/kong/templates/service-kong-admin.yaml
helm/infrastructure/subcharts/kong/templates/service-kong-cluster-telemetry.yaml [new file with mode: 0644]
helm/infrastructure/subcharts/kong/templates/service-kong-cluster.yaml [new file with mode: 0644]
helm/infrastructure/subcharts/kong/templates/service-kong-manager.yaml
helm/infrastructure/subcharts/kong/templates/service-kong-portal-api.yaml
helm/infrastructure/subcharts/kong/templates/service-kong-portal.yaml
helm/infrastructure/subcharts/kong/templates/service-kong-proxy.yaml
helm/infrastructure/subcharts/kong/templates/service-kong-udp-proxy.yaml [new file with mode: 0644]
helm/infrastructure/subcharts/kong/templates/servicemonitor.yaml
helm/infrastructure/subcharts/kong/templates/tests/test-jobs.yaml [new file with mode: 0644]
helm/infrastructure/subcharts/kong/templates/tests/test-resources.yaml [new file with mode: 0644]
helm/infrastructure/subcharts/kong/templates/wait-for-postgres-script.yaml [new file with mode: 0644]
helm/infrastructure/subcharts/kong/values.yaml
helm/infrastructure/subcharts/prometheus/templates/alertmanager-clusterrole.yaml
helm/infrastructure/subcharts/prometheus/templates/alertmanager-clusterrolebinding.yaml
helm/infrastructure/subcharts/prometheus/templates/server-clusterrole.yaml
helm/infrastructure/subcharts/prometheus/templates/server-clusterrolebinding.yaml
helm/infrastructure/templates/deployment-tiller.yaml [changed mode: 0755->0644]
helm/infrastructure/templates/job-tiller-secrets.yaml [changed mode: 0755->0644]

index 5481fc3..ce43b5c 120000 (symlink)
@@ -1 +1 @@
-example_recipe_oran_i_release.yaml
\ No newline at end of file
+example_recipe_oran_j_release.yaml
\ No newline at end of file
diff --git a/RECIPE_EXAMPLE/example_recipe_oran_j_release.yaml b/RECIPE_EXAMPLE/example_recipe_oran_j_release.yaml
new file mode 100644 (file)
index 0000000..bbec2fc
--- /dev/null
@@ -0,0 +1,171 @@
+################################################################################
+#   Copyright (c) 2019 AT&T Intellectual Property.                             #
+#   Copyright (c) 2021 HCL Technologies Limited.                               #
+#   Copyright (c) 2022 Samsung Electronics Co., Ltd.                           #
+#                                                                              #
+#   Licensed under the Apache License, Version 2.0 (the "License");            #
+#   you may not use this file except in compliance with the License.           #
+#   You may obtain a copy of the License at                                    #
+#                                                                              #
+#       http://www.apache.org/licenses/LICENSE-2.0                             #
+#                                                                              #
+#   Unless required by applicable law or agreed to in writing, software        #
+#   distributed under the License is distributed on an "AS IS" BASIS,          #
+#   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.   #
+#   See the License for the specific language governing permissions and        #
+#   limitations under the License.                                             #
+###############################################################################
+
+#-------------------------------------------------------------------------
+# Global common setting
+#-------------------------------------------------------------------------
+
+common:
+  releasePrefix: r4
+# If a local docker registry is used, please specify it using the following option
+#  localregistry: nexus3.o-ran-sc.org:10004
+
+# Change the overall image pull policy using the following option
+#  pullpolicy: IfNotPresent
+
+# Change the namespaces using the following options
+#  namespace:
+#    aux: ricaux
+#    platform: ricplt
+#    xapp: ricxapp
+#    infra: ricinfra
+
+# ricip should be the ingress controller listening IP for the platform cluster
+# auxip should be the ingress controller listening IP for the AUX cluster
+extsvcplt:
+  ricip: "10.0.0.1"
+  auxip: "10.0.0.1"
+
+
+# Specify the docker registry credential using the following
+# The release and staging LF repos' credentials have already been included.
+# Please do not create duplicated entries
+#docker-credential:
+#  enabled: true
+#  credential:
+#    SOME_KEY_NAME:
+#      registry: ""
+#      credential:
+#        user: ""
+#        password: ""
+#        email: ""
+
+prometheus:
+  enabled: true
+
+a1mediator:
+  image:
+    registry: "nexus3.o-ran-sc.org:10002/o-ran-sc"
+    name: ric-plt-a1
+    tag: 3.2.2
+  rmr_timeout_config:
+    a1_rcv_retry_times: 20
+    ins_del_no_resp_ttl: 5
+    ins_del_resp_ttl: 10
+
+appmgr:
+  image:
+   init:
+     registry: "nexus3.o-ran-sc.org:10002/o-ran-sc"
+     name: it-dep-init
+     tag: 0.0.1
+   appmgr:
+     registry: "nexus3.o-ran-sc.org:10002/o-ran-sc"
+     name: ric-plt-appmgr
+     tag: 0.5.8
+   chartmuseum:
+     registry: "docker.io"
+     name: chartmuseum/chartmuseum
+     tag: v0.8.2
+
+
+dbaas:
+  image:
+    registry: "nexus3.o-ran-sc.org:10002/o-ran-sc"
+    name: ric-plt-dbaas
+    tag: 0.6.4
+  enableHighAvailability: false
+  # Enable pod anti affinity only if you have more than 3 k8s nodes
+  enablePodAntiAffinity: false
+
+
+e2mgr:
+  image:
+    registry: "nexus3.o-ran-sc.org:10002/o-ran-sc"
+    name: ric-plt-e2mgr
+    tag: 6.0.6
+  privilegedmode: false
+  globalRicId:
+    ricId: "AACCE"
+    mcc: "310"
+    mnc: "411"
+  rnibWriter:
+    stateChangeMessageChannel: RAN_CONNECTION_STATUS_CHANGE
+    ranManipulationMessageChannel: RAN_MANIPULATION
+
+e2term:
+  alpha:
+    image:
+      registry: "nexus3.o-ran-sc.org:10002/o-ran-sc"
+      name: ric-plt-e2
+      tag: 6.0.6
+    privilegedmode: false
+    hostnetworkmode: false
+    env:
+      print: "1"
+      messagecollectorfile: "/data/outgoing/"
+    dataVolSize: 100Mi
+    storageClassName: local-storage
+    pizpub:
+      enabled: false
+
+
+jaegeradapter:
+  image:
+    registry: "docker.io"
+    name: jaegertracing/all-in-one
+    tag: 1.12
+
+
+rtmgr:
+  image:
+    registry: "nexus3.o-ran-sc.org:10002/o-ran-sc"
+    name: ric-plt-rtmgr
+    tag: 0.9.6
+
+submgr:
+  image:
+    registry: "nexus3.o-ran-sc.org:10002/o-ran-sc"
+    name: ric-plt-submgr
+    tag: 0.10.2
+
+vespamgr:
+  image:
+    registry: "nexus3.o-ran-sc.org:10002/o-ran-sc"
+    name: ric-plt-vespamgr
+    tag: 0.7.5
+  prometheusurl: "http://r4-infrastructure-prometheus-server.ricplt"
+
+o1mediator:
+  image:
+    registry: "nexus3.o-ran-sc.org:10002/o-ran-sc"
+    name: ric-plt-o1
+    tag: 0.6.3
+
+
+alarmmanager:
+  image:
+    registry: "nexus3.o-ran-sc.org:10002/o-ran-sc"
+    name: ric-plt-alarmmanager
+    tag: 0.5.16
+
+influxdb:
+  image:
+    registry: "influxdb"
+    name: influxdb
+    tag: "2.2.0-alpine"
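Review bot: `tag: 1.12` under `jaegeradapter.image` is an unquoted plain scalar, so a YAML parser reads it as a float rather than the string `1.12`; a tag such as `1.10` or `1.20` written the same way would silently become `1.1`/`1.2`, and even here the value reaches the chart as a number. Quote every image tag in this recipe, e.g. `tag: "1.12"` and `tag: "3.2.2"`, as the file already does for `influxdb.image.tag`. The `appmgr.image` stanza also uses 3- and 5-space steps (`   init:`, `     registry:`) while the rest of the file indents by 2; realigning it keeps the file consistent and yamllint-clean. Since all of these are mutable tag references into the registries, a header comment stating that the tags are a reference set to be verified (or pinned by digest) before a deployment would make the trust assumption explicit.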
index 3285d7f..9c591b7 100755 (executable)
@@ -308,7 +308,7 @@ rm kernel_optimizer.yaml
 fi
 
 for component in $COMPONENTS; do
-    helm dep up $DIR/../helm/$component
+    helm dep build $DIR/../helm/$component
     COMPONENT="${RELEASE_PREFIX}-$component"
     if [ -z $IS_HELM3 ]
     then
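Review bot: `helm dep build` on the changed line rebuilds charts/ from the committed lock file, so the version pin it is meant to enforce only holds if a `requirements.lock`/`Chart.lock` exists for each component; per Helm's documented behaviour, with no lock file present it mirrors the `dep up` behaviour this change replaces. No lock file appears in this commit's file list, so it is worth confirming the lock files exist and agree with the bumped kong 2.38.0 dependency. The command's exit status is also not checked; `helm dep build "$DIR/../helm/$component" || exit 1` would stop the install instead of going on to deploy a component whose subcharts were not fetched. The for loop body continues outside the hunk.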
index f1873bc..97c6595 100755 (executable)
@@ -61,9 +61,9 @@ start_ipv6_if () {
   fi
 }
 
-KUBEV="1.16.0"
+KUBEV="1.28.11"
 KUBECNIV="0.7.5"
-HELMV="3.5.4"
+HELMV="3.14.4"
 DOCKERV="20.10.21"
 
 echo running ${0}
@@ -104,7 +104,7 @@ mkdir -p /opt/config
 echo "" > /opt/config/docker_version.txt
 echo "1.16.0" > /opt/config/k8s_version.txt
 echo "0.7.5" > /opt/config/k8s_cni_version.txt
-echo "3.5.4" > /opt/config/helm_version.txt
+echo "3.14.4" > /opt/config/helm_version.txt
 echo "$(hostname -I)" > /opt/config/host_private_ip_addr.txt
 echo "$(curl ifconfig.co)" > /opt/config/k8s_mst_floating_ip_addr.txt
 echo "$(hostname -I)" > /opt/config/k8s_mst_private_ip_addr.txt
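Review bot: `echo "1.16.0" > /opt/config/k8s_version.txt` two lines above the change still records the old Kubernetes version while `KUBEV` is now `1.28.11`; only the helm line was updated. Writing the variables instead of literals, `echo "${KUBEV}" > /opt/config/k8s_version.txt` and `echo "${HELMV}" > /opt/config/helm_version.txt`, stops the recorded versions drifting on the next bump (`HELMV` is read back from that file later in this script). Whether anything consumes k8s_version.txt is not visible here, but a stale value is at best misleading to whoever reads it.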
@@ -152,7 +152,7 @@ echo "### k8s version     = "${KUBEV}
 echo "### helm version    = "${HELMV}
 echo "### k8s cni version = "${KUBECNIV}
 
-KUBEVERSION="${KUBEV}-00"
+#KUBEVERSION="${KUBEV}-00"
 CNIVERSION="${KUBECNIV}-00"
 DOCKERVERSION="${DOCKERV}"
 
@@ -178,8 +178,12 @@ fi
 
 echo "docker version to use = "${DOCKERVERSION}
 
-curl -s https://packages.cloud.google.com/apt/doc/apt-key.gpg | apt-key add -
-echo 'deb http://apt.kubernetes.io/ kubernetes-xenial main' > /etc/apt/sources.list.d/kubernetes.list
+#curl -s https://packages.cloud.google.com/apt/doc/apt-key.gpg | apt-key add -
+#echo 'deb http://apt.kubernetes.io/ kubernetes-xenial main' > /etc/apt/sources.list.d/kubernetes.list
+
+mkdir /etc/apt/keyrings
+echo "deb [signed-by=/etc/apt/keyrings/kubernetes-apt-keyring.gpg] https://pkgs.k8s.io/core:/stable:/v1.28/deb/ /" | sudo tee /etc/apt/sources.list.d/kubernetes.list
+curl -fsSL https://pkgs.k8s.io/core:/stable:/v1.28/deb/Release.key | sudo gpg --dearmor -o /etc/apt/keyrings/kubernetes-apt-keyring.gpg
 
 mkdir -p /etc/apt/apt.conf.d
 echo "APT::Acquire::Retries \"3\";" > /etc/apt/apt.conf.d/80-retries
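Review bot: `mkdir /etc/apt/keyrings` fails when the directory already exists (it is present by default on recent Ubuntu releases), and `gpg --dearmor -o` prompts before overwriting an existing keyring, so the new block is not safe to re-run; use `mkdir -p /etc/apt/keyrings` and `gpg --batch --yes --dearmor -o /etc/apt/keyrings/kubernetes-apt-keyring.gpg`. The repository path hard-codes `v1.28` in both new URLs while the rest of the script derives versions from `KUBEV`; `v${KUBEV%.*}` would keep them in step on the next bump. The two new lines also go through `sudo tee`/`sudo gpg` while every neighbouring line writes under /etc directly as root — pick one style. Fetching the key over HTTPS and binding it with `signed-by=` is a real improvement over the removed `apt-key add` path.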
@@ -299,7 +303,9 @@ apiVersion: kubeproxy.config.k8s.io/v1alpha1
 kind: KubeProxyConfiguration
 mode: ipvs
 EOF
-  else
+  elif [[ ${KUBEV} == 1.28.* ]] ; then
+    echo "Do Nothing for now."
+    else
     echo "Unsupported Kubernetes version requested.  Bail."
     exit
   fi
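Review bot: The new branch accepts any `1.28.*` version, but the three later checks in this script (`if [[ ${KUBEV} == 1.28.11 ]]` before the kubeadm init, the flannel apply and the taint block) match `1.28.11` exactly, so a `KUBEV` such as 1.28.10 passes this gate and then falls through to the old `kubeadm init --config /root/config.yaml` and `node-role.kubernetes.io/master-` path written for 1.16. Use the same test in all four places, e.g. `[[ ${KUBEV} == 1.28.* ]]` everywhere, or compute one flag here and reuse it. The `    else` on the line after the new branch is also indented one level deeper than its `if`/`elif`.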
@@ -325,8 +331,18 @@ subjects:
     namespace: kube-system
 EOF
 
-
+if [[ ${KUBEV} == 1.28.11 ]]; then
+  kubeadm init --pod-network-cidr=10.244.0.0/16
+  mkdir -p /run/flannel
+cat <<EOF > /run/flannel/subnet.env
+FLANNEL_NETWORK=10.244.0.0/16
+FLANNEL_SUBNET=10.244.0.1/24
+FLANNEL_MTU=1450
+FLANNEL_IPMASQ=true
+EOF
+else  
   kubeadm init --config /root/config.yaml
+fi
 
   cd /root
   rm -rf .kube
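Review bot: `kubeadm init --pod-network-cidr=10.244.0.0/16` in the new branch drops `/root/config.yaml`, so the kube-proxy `mode: ipvs` configuration from the heredoc in the previous hunk (which appears to feed that file) and anything else it holds no longer apply on 1.28 clusters; if that is intended, say so in a comment, otherwise carry the settings over in a `--config` file for the kubeadm API version that 1.28 accepts. The hand-written `/run/flannel/subnet.env` fixes `FLANNEL_SUBNET=10.244.0.1/24`, which is normally generated by flannel per node and is only right for the first node, so a comment stating that this script provisions a single-node cluster would make the assumption explicit. The `else  ` line carries trailing whitespace, and the exit status of `kubeadm init` is not checked before the script continues.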
@@ -338,12 +354,22 @@ EOF
 
   kubectl get pods --all-namespaces
 
+if [[ ${KUBEV} == 1.28.11 ]]; then
+  kubectl apply -f https://raw.githubusercontent.com/coreos/flannel/master/Documentation/kube-flannel.yml
+else
   # we refer to version 0.18.1 because later versions use namespace kube-flannel instead of kube-system TODO
   kubectl apply -f "https://raw.githubusercontent.com/flannel-io/flannel/v0.18.1/Documentation/kube-flannel.yml"
+fi
 
+if [[ ${KUBEV} == 1.28.11 ]]; then
+  wait_for_pods_running 7 kube-system
+  wait_for_pods_running 1 kube-flannel
+  kubectl taint nodes --all node-role.kubernetes.io/control-plane:NoSchedule-
+else
   wait_for_pods_running 8 kube-system
-
   kubectl taint nodes --all node-role.kubernetes.io/master-
+fi
+
 
   HELMV=$(cat /opt/config/helm_version.txt)
   HELMVERSION=${HELMV}
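Review bot: `kubectl apply -f https://raw.githubusercontent.com/coreos/flannel/master/Documentation/kube-flannel.yml` applies an unpinned manifest from a mutable branch (and from the old `coreos` org rather than `flannel-io`, which the else branch uses), so the installed CNI version, its CRDs and the namespace it lands in can change underneath this script with no change here; the `wait_for_pods_running 1 kube-flannel` count below depends on that layout. Pin it to a release tag the way the 1.16 path does, e.g. `https://raw.githubusercontent.com/flannel-io/flannel/<release tag>/Documentation/kube-flannel.yml`, so the installed CNI is reproducible and reviewable. The exact-version `== 1.28.11` guards on both new `if` lines have the mismatch with the `1.28.*` elif raised earlier.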
index 8a04744..9ea794d 100644 (file)
@@ -1,4 +1,4 @@
-apiVersion: networking.k8s.io/v1beta1
+apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
   name: {{ include "common.ingressname.a1mediator" . }}
@@ -7,6 +7,9 @@ spec:
   - http:
       paths:
       - path: {{ include "common.kongpath.ric.a1mediator" . }}
+        pathType: Prefix
         backend:
-          serviceName: {{ include "common.servicename.a1mediator.http" . }}
-          servicePort: {{ include "common.serviceport.a1mediator.http" . }}
+          service:
+            name: {{ include "common.servicename.a1mediator.http" . }}
+            port:
+              number: {{ include "common.serviceport.a1mediator.http" . }}
index e515d12..a636991 100644 (file)
@@ -1,4 +1,4 @@
-apiVersion: networking.k8s.io/v1beta1
+apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
   name: {{ include "common.ingressname.appmgr" . }}
@@ -6,7 +6,10 @@ spec:
   rules:
   - http:
       paths:
-      - path: {{ include "common.kongpath.ric.appmgr" . }}
-        backend:
-          serviceName: {{ include "common.servicename.appmgr.http" . }}
-          servicePort: {{ include "common.serviceport.appmgr.http" . }}
+        - pathType: Prefix
+          path: {{ include "common.kongpath.ric.appmgr" . }} 
+          backend:
+            service:
+              name: {{ include "common.servicename.appmgr.http" . }}
+              port:
+                number: {{ include "common.serviceport.appmgr.http" . }}
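Review bot: The rewritten `paths` entry leaves a trailing space after `}} ` on the `path:` line and turns the sequence into indented form (`        - pathType`) with `pathType` before `path`, whereas the a1mediator and e2mgr ingresses in this same commit keep the flush `      - path:` form with `pathType` following it. Both render the same object, but mixing sequence-indent styles across sibling templates makes diffs noisy and trips yamllint's indentation rule; aligning this file with the other two (`      - path: {{ include "common.kongpath.ric.appmgr" . }}` then `        pathType: Prefix`) and dropping the trailing space keeps them uniform.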
index 13d1c39..443e662 100644 (file)
@@ -25,7 +25,7 @@ metadata:
   name: {{ include "common.serviceaccountname.appmgr" . }}
   namespace: {{ include "common.namespace.platform" . }}
 ---
-apiVersion: rbac.authorization.k8s.io/v1beta1
+apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   name: {{ include "common.serviceaccountname.appmgr" . }}-{{ include "common.tillerNameSpace" $ctx }}-access
@@ -43,7 +43,7 @@ rules:
   verbs: ["get","list"]
 {{- end }}
 ---
-apiVersion: rbac.authorization.k8s.io/v1beta1
+apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   name: {{ include "common.serviceaccountname.appmgr" . }}-{{ include "common.tillerNameSpace" $ctx }}-access
@@ -57,7 +57,7 @@ subjects:
     name: {{ include "common.serviceaccountname.appmgr" . }}
     namespace: {{ include "common.namespace.platform" . }}
 ---
-apiVersion: rbac.authorization.k8s.io/v1beta1
+apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   name: {{ include "common.serviceaccountname.appmgr" . }}-{{ include "common.tillerNameSpace" $ctx }}-getappconfig
@@ -68,7 +68,7 @@ rules:
   resources: ["configmaps", "endpoints", "services"]
   verbs: ["get", "list", "create", "update", "delete"]
 ---
-apiVersion: rbac.authorization.k8s.io/v1beta1
+apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   name: {{ include "common.serviceaccountname.appmgr" . }}-{{ include "common.namespace.xapp" . }}-getappconfig
index 015aff2..9f72cfc 100644 (file)
@@ -1,4 +1,4 @@
-apiVersion: networking.k8s.io/v1beta1
+apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
   name: {{ include "common.ingressname.e2mgr" . }}
@@ -7,6 +7,9 @@ spec:
   - http:
       paths:
       - path: {{ include "common.kongpath.ric.e2mgr" . }}
+        pathType: Prefix
         backend:
-          serviceName: {{ include "common.servicename.e2mgr.http" . }}
-          servicePort: {{ include "common.serviceport.e2mgr.http" . }}
+          service:
+            name: {{ include "common.servicename.e2mgr.http" . }}
+            port:
+              number: {{ include "common.serviceport.e2mgr.http" . }}
old mode 100644 (file)
new mode 100755 (executable)
index b2fbfdb..f40d718 100644 (file)
@@ -28,7 +28,7 @@ dependencies:
     repository: "file://./subcharts/docker-credential"
     condition: docker-credential.enabled
   - name: kong
-    version: 0.36.6
+    version: 2.38.0
     repository: "file://./subcharts/kong"
     condition: kong.enabled
   - name: certificate-manager
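Review bot: Bumping the kong dependency from 0.36.6 to 2.38.0 is a cross-major upgrade of the subchart, and with `bin/install` now running `helm dep build` the enforced version comes from the lock file, which this commit does not touch (no `requirements.lock`/`Chart.lock` appears in the 171-file list). If a lock exists it would still describe 0.36.6 and Helm would refuse the build as out of sync; if none exists the pin is not enforced at all. Regenerate and commit the lock alongside this bump so the vendored subchart tree (including the new `subcharts/kong/charts/postgresql`) is what the lock actually records.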
diff --git a/helm/infrastructure/subcharts/kong/CHANGELOG.md b/helm/infrastructure/subcharts/kong/CHANGELOG.md
new file mode 100644 (file)
index 0000000..7d06c93
--- /dev/null
@@ -0,0 +1,1859 @@
+# Changelog
+
+## 2.38.0
+
+### Changes
+
+* Added support for setting `SVC.tls.appProtocol` and `SVC.http.appProtocol` values to configure the appProtocol fields
+  for Kubernetes Service HTTP and TLS ports. It might be useful for integration with external load balancers like GCP.
+  [#1018](https://github.com/Kong/charts/pull/1018)
+
+## 2.37.1
+
+* Rename the controller status port. This fixes a collision with the proxy status port in the Prometheus ServiceMonitor.
+  [#1008](https://github.com/Kong/charts/pull/1008)
+
+## 2.37.0
+
+### Changes
+
+* Bumped default `kong/kubernetes-ingress-controller` image tag and updated CRDs to 3.1.
+  [#1011](https://github.com/Kong/charts/pull/1011)
+* Bumped default `kong` image tag to 3.6.
+  [#1011](https://github.com/Kong/charts/pull/1011)
+
+## 2.36.0
+
+### Fixed
+
+* Add `KongLicense` RBAC rules.
+  [#1006](https://github.com/Kong/charts/pull/1006)
+
+## 2.35.1
+
+### Fixed
+
+* The plugin helper no longer sets the plugin list when not in use.
+  [#1002](https://github.com/Kong/charts/pull/1002)
+
+## 2.35.0
+
+### Added
+
+* Added controller's RBAC rules for `KongVault` CRD (installed only when KIC
+  version >= 3.1.0).
+  [#992](https://github.com/Kong/charts/pull/992)
+
+### Fixed
+
+* Added a missing `envFrom` render in the main Kong proxy container.
+  [#994](https://github.com/Kong/charts/pull/994)
+
+## 2.34.0
+
+### Added
+
+* The `envFrom` and `ingressController.envFrom` values.yaml keys now populate
+  the container field of the same name. This loads environment variables from
+  ConfigMap or Secret resource keys in bulk:
+  https://kubernetes.io/docs/tasks/configure-pod-container/configure-pod-configmap/#configure-all-key-value-pairs-in-a-configmap-as-container-environment-variables
+  [#987](https://github.com/Kong/charts/pull/987)
+* Kong listens now use both IPv4 and IPv6 addresses.
+  [#986](https://github.com/Kong/charts/pull/986)
+
+## 2.33.3
+
+### Fixed
+
+* Add RBAC rules for get, list and watch operations on namespaces so that Gateway API
+  controllers in KIC can access using a cached controller-runtime client.
+  [#974](https://github.com/Kong/charts/pull/974)
+
+## 2.33.2
+
+### Fixed
+
+* Fix a template bug related to the `affinity` field for migrations Pods.
+  [#972](https://github.com/Kong/charts/pull/972)
+
+## 2.33.1
+
+### Fixed
+
+* Use changed `incubator.ingress-controller.konghq.com` API group name in `KongServiceFacade`
+  RBAC rules. Refer to [KIC#5302](https://github.com/Kong/kubernetes-ingress-controller/pull/5302)
+  for rename reasoning.
+  [#968](https://github.com/Kong/charts/pull/968)
+
+## 2.33.0
+
+### Improvements
+
+* Only allow `None` ClusterIPs on ClusterIP-type Services.
+  [#961](https://github.com/Kong/charts/pull/961)
+  [#962](https://github.com/Kong/charts/pull/962)
+* Bumped Kong version to 3.5.
+  [#957](https://github.com/Kong/charts/pull/957)
+* Support for `affinity` configuration has been added to migration job templates.
+* Display a warning message when Kong Manager is enabled and the Admin API is disabled.
+* Validate Gateway API's `Gateway` and `HTTPRoute` resources in the controller's
+  admission webhook only when KIC version is 3.0 or higher.
+  [#954](https://github.com/Kong/charts/pull/954)
+* Added controller's RBAC rules for `KongServiceFacade` CRD (installed only when
+  KongServiceFacade feature gate turned on and KIC version >= 3.1.0).
+  [#963](https://github.com/Kong/charts/pull/963)
+
+## 2.32.0
+
+### Improvements
+
+* Add new `deployment.hostname` value to make identifying instances in
+  controlplane/dataplane configurations easier.
+  [#943](https://github.com/Kong/charts/pull/943)
+
+## 2.31.0
+
+### Improvements
+
+* Added controller's RBAC rules for `KongUpstreamPolicy` CRD.
+  [#917](https://github.com/Kong/charts/pull/917)
+* Added services resource to admission webhook config for KIC >= 3.0.0.
+  [#919](https://github.com/Kong/charts/pull/919)
+* Update default ingress controller version to v3.0
+  [#929](https://github.com/Kong/charts/pull/929)
+  [#930](https://github.com/Kong/charts/pull/930)
+
+### Fixed
+
+* The target port for cmetrics should only be applied if the ingress controller is enabled.
+  [#926](https://github.com/Kong/charts/pull/926)
+* Fix RBAC for Gateway API v1.
+  [#928](https://github.com/Kong/charts/pull/928)
+* Enable Admission webhook for Gateway API v1 resources.
+  [#928](https://github.com/Kong/charts/pull/928)
+
+## 2.30.0
+
+### Improvements
+
+* Prevent installing PodDisruptionBudget for `replicaCount: 1` or `autoscaling.minReplicas: 1`.
+  [#896](https://github.com/Kong/charts/pull/896)
+* The admission webhook now will be triggered on Secrets creation for KIC 2.12.1+.
+  [#907](https://github.com/Kong/charts/pull/907)
+* Container security context defaults now comply with the restricted pod
+  security standard. This includes an enforced run as user ID set to 1000. UID
+  1000 is used for official Kong images other than Alpine images (which use UID
+  100) and for KIC images 3.0.0+ (older images use UID 65532). Images that do
+  not use UID 1000 can still run with this user, as static image files are
+  world-accessible and runtime-created files are created in temporary
+  directories created for the run as user.
+  [#911](https://github.com/Kong/charts/pull/911)
+* Allow using templates (via `tpl`) when specifying `proxy.nameOverride`.
+  [#914](https://github.com/Kong/charts/pull/914)
+
+## 2.29.0
+
+### Improvements
+* Make it possible to set the admission webhook's `timeoutSeconds`.
+  [#894](https://github.com/Kong/charts/pull/894)
+
+## 2.28.1
+
+### Fixed
+
+* The admission webhook now includes Gateway API resources and Ingress
+  resources for controller versions 2.12+. This version introduces new
+  validations for Kong's regex path implementation.
+  [#892](https://github.com/Kong/charts/pull/892)
+
+## 2.28.0
+
+### Improvements
+
+* Bump default `kong` image tag to 3.4.
+  [#883](https://github.com/Kong/charts/pull/883)
+* Bump default ingress controller image tag to 2.12.
+* Added validation rule for `latency` upstream load balancing algorithm to
+  CRDs. [Upgrade your CRDs](https://github.com/Kong/charts/blob/main/charts/kong/UPGRADE.md#updates-to-crds)
+  when installing this release.
+
+## 2.27.0
+
+### Improvements
+
+* Listens now all support `.address` configuration. This was an existing
+  setting that was not applied properly for some listens.
+  [#881](https://github.com/Kong/charts/pull/881)
+
+## 2.26.5
+
+### Fixed 
+
+* Kuma ServiceAccount Token hints and volumes are also available in migrations
+  Pods.
+  [#877](https://github.com/Kong/charts/pull/877)
+
+## 2.26.4
+
+### Fixed 
+
+* updated `admin_api_uri` to `admin_gui_api_url` as per [kong documentation](https://docs.konghq.com/gateway/3.4.x/reference/configuration/#admin_api_uri). 
+
+## 2.26.3
+
+### Fixed 
+
+* Enabled Service and Ingress in Kong Manager for non enterprise users.
+
+## 2.26.2
+
+### Fixed 
+
+* Add missing CRD KongConsumerGroup and extend status subresource for CRDs
+
+## 2.26.1
+
+### Fixed
+
+* Fix parsing enterprise tags (like e.g. `3.4.0.0`)
+  [#857](https://github.com/Kong/charts/pull/857)
+
+## 2.26.0
+
+### Breaking changes
+
+2.26 changes the default proxy readiness endpoint for newer Kong versions. This
+causes an issue in a narrow edge case. If all of the following are true:
+
+* You use Kong 3.3 or newer.
+* You use controller 2.10 or older.
+* You run the controller and proxy in separate Deployments.
+
+you are affected and should review [the 2.26 upgrade instructions](https://github.com/Kong/charts/blob/main/charts/kong/UPGRADE.md#2260).
+
+### Improvements
+
+* Use the Kong 3.3 `/status/ready` endpoint for readiness probes by default if
+  available. If not available, use the old `/status` default.
+  [#844](https://github.com/Kong/charts/pull/844)
+* Add ArgoCD `Sync` and `BeforeHookCreation` [hook policies](https://argo-cd.readthedocs.io/en/stable/user-guide/resource_hooks/)
+  to the the init and pre-upgrade migrations Jobs.
+* Add controller's RBAC rules for `KongConsumerGroups` CRD.
+  [#850](https://github.com/Kong/charts/pull/850)
+* Updated controller version to 2.11.
+
+## 2.25.0
+
+- Generate the `adminApiService.name` value from `.Release.Name` rather than
+  hardcoding to `kong`
+  [#839](https://github.com/Kong/charts/pull/839)
+
+## 2.24.0
+
+### Improvements
+
+* Running `tpl` against user-supplied labels and annotations used in Deployment
+  [#814](https://github.com/Kong/charts/pull/814)
+
+  Example:
+  ```yaml
+  podLabels:
+    version: "{{ .Values.image.tag }}"  # Will render dynamically when overridden downstream
+  ```
+
+* Fail to render templates when PodSecurityPolicy was requested but cluster doesn't
+  serve its API.
+  [#823](https://github.com/Kong/charts/pull/823)
+* Add support for multiple hosts and tls configurations for Kong proxy `Ingress`.
+  [#813](https://github.com/Kong/charts/pull/813)
+* Bump postgres default tag to `13.11.0-debian-11-r20` which includes arm64 images.
+  [#834](https://github.com/Kong/charts/pull/834)
+
+### Fixed
+
+* Fix Ingress and HPA API versions during capabilities checking
+  [#827](https://github.com/Kong/charts/pull/827)
+
+## 2.23.0
+
+### Improvements
+
+* Add custom label configuration option for Kong proxy `Ingress`.
+  [#812](https://github.com/Kong/charts/pull/812)
+* Bump default `kong/kubernetes-ingress-controller` image tag to 2.10.
+  Bump default `kong` image tag to 3.3.
+  [#815](https://github.com/Kong/charts/pull/815)
+
+## 2.22.0
+
+### Improvements
+
+* Removed redundant RBAC permissions for non-existing subresources `secrets/status`
+  and `endpoints/status`.
+  [#798](https://github.com/Kong/charts/pull/798)
+* For Kong Ingress Controller in version >= 2.10, RBAC permissions for `Endpoints`
+  are not configured anymore (because it uses `EndpointSlices`).
+  [#798](https://github.com/Kong/charts/pull/798)
+* Added support for setting `certificates.cluster.commonName`. This allows a custom
+  certificate `CommonName` to be provided when deploying Kong Gateway in hybrid
+  mode using Cert Manager [#804](https://github.com/Kong/charts/pull/804)
+
+## 2.21.0
+
+### Improvements
+
+* Added support for `startupProbe` on Kong pods. This can be configured via
+  `.Values.startupProbe`. To maintain backward compatibility, it is disabled by default.
+  [#792](https://github.com/Kong/charts/pull/792)
+* Customize Admission Webhook namespaceSelectors and compose them from values.
+  [#794](https://github.com/Kong/charts/pull/794)
+* Added `CustomResourceDefinition` `list` and `watch` permissions to controller's ClusterRole.
+  [#796](https://github.com/Kong/charts/pull/796)
+
+## 2.20.2
+
+### Fixed
+
+* Automatic license provisioning for Gateways managed by Ingress Controllers in Konnect mode
+  is disabled by default.
+  To enable it, set `.Values.ingressController.konnect.license.enabled=true`.
+  [#793](https://github.com/Kong/charts/pull/793)
+
+## 2.20.1
+
+### Fixed
+
+* Fix correct timestamp format and remove `isCA` in certificates
+  [#791](https://github.com/Kong/charts/pull/791)
+
+## 2.20.0
+
+### Improvements
+
+* Added support for automatic license provisioning for Gateways managed by
+  Ingress Controllers in Konnect mode (`.Values.ingressController.konnect.enabled=true`).
+  [#787](https://github.com/Kong/charts/pull/787)
+
+## 2.19.1
+
+### Fixed
+
+* Fix `webhook-cert` being mounted regardless if `.Values.ingressController.enabled`
+  is set.
+  [#779](https://github.com/Kong/charts/pull/779)
+
+## 2.19.0
+
+### Improvements
+
+* Security context enforces read-only root filesystem by default. This is not
+  expected to affect most configurations, but [will affect custom plugins that
+  write to the container filesystem](https://github.com/Kong/charts/blob/main/charts/kong/UPGRADE.md#2170).
+  [#770](https://github.com/Kong/charts/pull/770)
+
+## 2.18.0
+
+### Improvements
+
+* Added support for the Admin API service TLS client verification.
+  [#780](https://github.com/Kong/charts/pull/780
+
+## 2.17.1
+
+### Fixed
+
+* The `-redhat` suffix on official KIC images is no longer considered part of
+  the semver string for version checks.
+  [#779](https://github.com/Kong/charts/pull/779)
+
+## 2.17.0
+
+### Improvements
+
+* Added support for controller's gateway discovery.
+  With `ingressController.gatewayDiscovery.enabled` set to `true` Kong Ingress Controller
+  will enable gateway discovery using an Admin API service.
+  For more information on this please see [the corresponding README.md section][kic_gateway_discovery_readme].
+  This feature is only available when deploying chart with Kong Ingress Controller in version 2.9 or higher.
+  [#747](https://github.com/Kong/charts/pull/747)
+* Added experimental support for the ingress controller's Konnect sync feature via `ingressController.konnect.*` values.
+  This feature is only available when deploying chart with Kong Ingress Controller in version 2.9 or higher and
+  requires `ingressController.gatewayDiscovery.enabled` set to `true`.
+  [#746](https://github.com/Kong/charts/pull/746)
+* Added support for annotations on the admission webhook ValidatingWebhookConfiguration.
+  [#760](https://github.com/Kong/charts/pull/760)
+* Added support for `subject` and `privateKey` properties on certificates.
+  [#762](https://github.com/Kong/charts/pull/762)
+* Added support for loadBalancerClass in LoadBalancer type services.
+  [#767](https://github.com/Kong/charts/pull/767)
+* Added support for `GRPCRoute`s.
+  [#772](https://github.com/Kong/charts/pull/772)
+* Default Kong version is bumped to 3.2.
+  [#773](https://github.com/Kong/charts/pull/773)
+* Added support for admissionhook to include labels.
+  [#768](https://github.com/Kong/charts/pull/768)
+
+### Under the hood
+
+* Add kube-linter to the CI pipeline to ensure produced manifests comply
+  with community best practices.
+  [#751](https://github.com/Kong/charts/pull/751)
+
+[kic_gateway_discovery_readme]: ./README.md#the-gatewaydiscovery-section
+
+## 2.16.5
+
+### Fixed
+
+* Fix autoscaling version detection.
+  [#752](https://github.com/Kong/charts/pull/752)
+* Don't include a clear-stale-pid initContainer when kong gateway is not
+  enabled in the deployment.
+  [#749](https://github.com/Kong/charts/pull/749)
+
+## 2.16.4
+
+### Fixed
+
+* HorizontalPodAutoscaler's API version is detected properly.
+  [#744](https://github.com/Kong/charts/pull/744)
+
+## 2.16.3
+
+### Fixed
+
+* Fix template issue preventing custom dblessconfig volume from being mounted.
+  [#741](https://github.com/Kong/charts/pull/741)
+
+## 2.16.2
+
+### Fixed
+
+* The admission webhook is disabled when the ingress controller is disabled, as
+  the admission webhook requires a service provided by the ingress controller.
+
+## 2.16.1
+
+### Fixed
+
+* serviceAccount projected volume is properly provisioned for GKE clusters >= 1.20.
+  [#735](https://github.com/Kong/charts/pull/735)
+
+## 2.16.0
+
+### Improvements
+
+* Let users specify their own labels and annotations for generated PodSecurityPolicy.
+  [#721](https://github.com/Kong/charts/pull/721)
+* Enable the admission webhook by default. This can reject configuration, but
+  is not expected to be a meaningfully breaking change. Existing configuration
+  is not affected, and any new changes that the webhook would reject would also
+  be rejected by Kong.
+  [#727](https://github.com/Kong/charts/pull/727)
+* Replaced static secret with projected volume in deployment.
+  [#722](https://github.com/Kong/charts/pull/722)
+* Reject invalid log config values.
+  [#733](https://github.com/Kong/charts/pull/733)
+* Update custom resource definitions to latest v2.8.1 from
+  kong/kubernetes-ingress-controller
+  [#730](https://github.com/Kong/charts/pull/730)
+* Respect setting `.Values.deployment.serviceAccount.automountServiceAccountToken` in
+  migrations Jobs. This was already the case for the Deployment.
+  [#729](https://github.com/Kong/charts/pull/729)
+
+## 2.15.3
+
+### Fixed
+
+* Changed `ingressController.readinessProbe` to use `/readyz` to prevent pods from becoming ready and serving 404s prior to the `ingress-controller` first syncing config to the `proxy` [#716](https://github.com/Kong/charts/pull/716).
+* Fixed incorrect `if` block order in volume mount templates.
+
+## 2.15.2
+
+### Fixed
+
+* Do not attempt to mount DB-less config if none provided by chart.
+
+## 2.15.1
+
+### Fixed
+
+* Remove unnecessary failure condition from [#695](https://github.com/Kong/charts/pull/695).
+
+## 2.15.0
+
+### Improvements
+
+* Add the `dblessConfig.secret` key to the values file, allowing the user to
+  supply a Secret for their dbless config file.
+  [#695](https://github.com/Kong/charts/pull/695)
+* Add support for version `v1beta1` of the Gateway API when generating RBAC rules.
+* Add support for version `v1beta1` of the Gateway API when generating RBAC rules.
+  ([#706](https://github.com/Kong/charts/pull/706))
+* Prevent supplying duplicate plugin inclusion to `KONG_PLUGINS` env variable.
+  ([#711](https://github.com/Kong/charts/pull/711))
+
+### Fixed
+
+* Removed appProtocol to fix AKS load balancer
+  ([#705](https://github.com/Kong/charts/pull/705))
+* Fix lookup for CA certificate secret for admission webhook.
+  ([#704](https://github.com/Kong/charts/pull/704))
+
+## 2.14.0
+
+Note: KIC 2.8 does include several updates to CRDs, but only for documentation and validation.
+You can [upgrade CRDs](https://github.com/Kong/charts/blob/main/charts/kong/UPGRADE.md#updates-to-crds),
+but doing so is not required.
+
+### Improvements
+
+* Default Kong and KIC versions bumped to 3.1 and 2.8.
+* UDP proxy (udpProxy) assumes the UDP protocol by default for stream entries (udpProxy.stream).
+  This can be still overridden to TCP by specifying the protocol explicitly, but it is not recommended to do so.
+  [#682](https://github.com/Kong/charts/pull/682)
+* Supported `autoscaling/v2` API
+  ([#679](https://github.com/Kong/charts/pull/679))
+* Add support for specifying the minium number of seconds for which newly created pods should be ready without
+  any of its container crashing, for it to be considered available. (`deployment.minReadySeconds`)
+  ([#688](https://github.com/Kong/charts/pull/688))
+* Increased the default memory requests and limits for the Kong pod to 2G
+  ([#690](https://github.com/Kong/charts/pull/690))
+* Add a rule for `KongIngress` to the ValidatingWebhookConfiguration.
+  ([#702](https://github.com/Kong/charts/pull/702))
+
+### Fixed
+
+* Removed `PodSecurityPolicy` if the API is not supported in k8s cluster
+  to be compatible to k8s 1.25+.
+  [#680](https://github.com/Kong/charts/pull/680)
+
+
+## 2.13.1
+
+### Improvements
+
+* Updated default controller version to [KIC 2.7](https://github.com/Kong/kubernetes-ingress-controller/blob/main/CHANGELOG.md#270).
+
+## 2.13.0
+
+### Improvements
+
+* Added cert-manager issuer support for proxy default and cluster mtls certificates
+  ([#592](https://github.com/Kong/charts/pull/592))
+* Updated CRDs with the new ordering field for KongPlugins, the new
+  IngressClassParameters resource, and assorted field description updates.
+  These [require a manual update](https://github.com/Kong/charts/blob/main/charts/kong/UPGRADE.md#updates-to-crds).
+* Updated default tags to Kong 3.0 and KIC 2.6.
+
+## 2.12.0
+
+### Improvements
+
+* Added ClusterRole for cluster-scoped resources when using watchNamespaces.
+  [#611](https://github.com/Kong/charts/issues/611)
+* Added `extraObjects` to create additional k8s resources as part of the helm release.
+  [#652](https://github.com/Kong/charts/issues/652)
+
+## 2.11.0
+
+### Fixed
+
+* Fixed Deployment missing if in case of empty tolerations
+  [#630](https://github.com/Kong/charts/issues/630)
+* Use stdout and stderr by default for all logs. Several were writing to prefix
+  directory files.
+  [#634](https://github.com/Kong/charts/issues/634)
+* Remove `terminationGracePeriodSeconds` from KIC's container spec since this
+  field is only applicable for pods, not containers.
+  [#640](https://github.com/Kong/charts/issues/640)
+
+### Improvements
+
+* Bump controller version to 2.5.
+  [#642](https://github.com/Kong/charts/issues/642)
+* Added `fullnameOverride` to override the normal resource name string.
+  [#635](https://github.com/Kong/charts/issues/635)
+* Added size limits for emptyDir mounts.
+  [#632](https://github.com/Kong/charts/issues/632)
+
+## 2.10.2
+
+### Fixed
+
+* Kuma now also mounts ServiceAccount tokens on releases without a controller
+  container.
+
+## 2.10.1
+
+### Fixed
+
+* Updated manual ServiceAccount Secret mount format for compatibility with
+  Kuma.
+
+## 2.10.0
+
+### Added
+
+* Added option to disable test job pods.
+  [#598](https://github.com/Kong/charts/issues/598)
+* Changed default admission failure policy from `Fail` to `Ignore`.
+  [#612](https://github.com/Kong/charts/issues/612)
+* ServiceAccount tokens are now only mounted in the controller container to
+  limit attack surface.
+  [#619](https://github.com/Kong/charts/issues/619)
+
+## 2.9.1
+
+### Fixed
+
+* Fixed another unwanted newline chomp that broke GatewayClass
+  permissions.
+
+## 2.9.0
+
+* Added terminationDelaySeconds for Ingress Controller.
+  ([597](https://github.com/Kong/charts/pull/597))
+* Made KNative permissions conditional on CRD availability.
+
+### Fixed
+
+* Removed KNative permission from the Gateway permissions set.
+
+## 2.8.2
+
+### Fixed
+
+* Fixed an unwanted newline chomp in fix PR #595.
+  ([594](https://github.com/Kong/charts/pull/594))
+
+## 2.8.1
+
+### Fixed
+
+* Fixed the stream default type, which should have been an empty array, not an
+  empty map. This had no effect on chart behavior, but resulted in warning
+  messages when user values.yamls contained non-empty stream configuration.
+  ([594](https://github.com/Kong/charts/pull/594))
+* Gateway API permissions are no longer created if Gateway API CRDs are not
+  installed on the cluster. This would block installs by non-super admin users.
+  ([595](https://github.com/Kong/charts/pull/595))
+
+## 2.8.0
+
+### Breaking changes
+
+2.8 requires manual removal of existing IngressClass resources and updates the
+Postgres sub-chart version. Further details are available [in the upgrade guide](https://github.com/Kong/charts/blob/main/charts/kong/UPGRADE.md#280).
+
+The chart honors `ingressController.installCRDs: false` again. Remove it from
+your values.yaml if it is currently present. Unless your install user [lacks
+permissions to read
+CRDs](https://github.com/Kong/charts/blob/main/charts/kong/README.md#removing-c
+luster-scoped-permissions), which would have prevented you from installing
+earlier chart versions, you should omit this setting and let the templates
+detect whether you use the legacy CRD installation method automatically.
+
+### Improvements
+
+* Added Ingress for cluster sync.
+  ([583](https://github.com/Kong/charts/pull/583))
+* Added controller support for custom environment variables.
+  ([568](https://github.com/Kong/charts/pull/568))
+* Ingress `pathType` field is now configurable.
+  ([564](https://github.com/Kong/charts/pull/564))
+* Added IngressClass resources to RBAC roles.
+  ([563](https://github.com/Kong/charts/pull/563))
+* Ingresses now support wildcard hostnames.
+  ([559](https://github.com/Kong/charts/pull/559))
+* Enables the option to add sidecar containers to the migration containers.
+  ([540](https://github.com/Kong/charts/pull/540))
+* Update the IngressClass controller string to match the value used upstream.
+  ([557](https://github.com/Kong/charts/pull/557))
+* Added support for user-defined controller volume mounts.
+  ([560](https://github.com/Kong/charts/pull/560))
+* Added support for autoscaling `behavior`.
+  ([561](https://github.com/Kong/charts/pull/561))
+* Improved support and documentation for installations that [lack
+  cluster-scoped permissions](https://github.com/Kong/charts/blob/main/charts/kong/README.md#removing-cluster-scoped-permissions).
+  ([565](https://github.com/Kong/charts/pull/565))
+* Updated podDisruptionBudget from `policy/v1beta1` to `policy/v1`.
+  ([574](https://github.com/Kong/charts/pull/574))
+* Updated controller version to 2.3.
+
+### Fixed
+
+* Removed CREATE from ValidatingWebhookConfiguration objectSelector for Secrets to align with changes in Kong/kubernetes-ingress-controller.
+  ([#542](https://github.com/Kong/charts/pull/542))
+* Fixed traffic routing from Istio's envoy proxy to Kong proxy when using Istio's AuthorizationPolicy.
+  ([#550](https://github.com/Kong/charts/pull/550))
+* Fixed creation of non-default IngressClasses
+  ([#552](https://github.com/Kong/charts/pull/552))
+* Fixed: wait_for_db no longer tries to instantiate the keyring in Kong Enterprise
+  ([#556](https://github.com/Kong/charts/pull/556))
+
+## 2.7.0
+
+2.7.0 includes CRD updates, which [must be applied manually](https://github.com/Kong/charts/blob/main/charts/kong/UPGRADE.md#270).
+
+### Breaking Changes
+
+* There are upstream changes to the Postgres sub-chart that change many
+  values.yaml keys. The default `postgresqlUsername` and `postgresqlDatabase`
+  keys used in this chart's values.yaml are now `auth.username` and
+  `auth.database`. If you set other Postgres sub-chart values, consult the
+  [upstream README](https://github.com/bitnami/charts/tree/master/bitnami/postgresql)
+  and [upgrade guide](https://docs.bitnami.com/kubernetes/infrastructure/postgresql/administration/upgrade/#to-1100)
+  to see what you need to change.
+
+### Improvements
+
+* Added Gateway API resources to RBAC rules.
+  ([#536](https://github.com/Kong/charts/pull/536))
+* Replaced `sleep 15` in `preStop` command with `--wait=15` argument to `kong quit`.
+  ([#531](https://github.com/Kong/charts/pull/531))
+* Added support for non `KONG_` prefixed custom environment variables
+  ([#530](https://github.com/Kong/charts/pull/530))
+* Updated to latest CRDs from upstream.
+
+## 2.6.5
+
+### Fixed
+
+* Generated IngressClass resources persist across updates properly.
+  ([#518](https://github.com/Kong/charts/pull/518))
+
+## 2.6.4
+
+### Improvements
+
+* Updated default tags to Kong 2.7, Kong Enterprise 2.7.0.0, and Kong Ingress
+  Controller 2.1.
+
+### Fixed
+
+* Corrected a misnamed field in podDisruptionBudget.
+  ([#519](https://github.com/Kong/charts/pull/519))
+
+## 2.6.3
+
+### Improvements
+
+* Increased example resources for the Kong container.
+  ([#511](https://github.com/Kong/charts/pull/511))
+
+### Fixed
+
+* Corrected an invalid label match condition for the admission webhook.
+  ([#513](https://github.com/Kong/charts/pull/513))
+
+## 2.6.2
+
+### Improvements
+
+* Added `app` and `version` labels to pods.
+  ([#504](https://github.com/Kong/charts/pull/504))
+* Reworked leftover socket file cleanup to avoid similar problems of the same
+  class.
+  ([#508](https://github.com/Kong/charts/pull/508))
+
+### Fixed
+
+* SecurityContext and resources applied to PID cleanup initContainer also.
+  ([#503](https://github.com/Kong/charts/pull/503))
+* Disabled the admission webhook on Helm Secrets, fixing an issue where it
+  prevented Helm from updating release metadata.
+  ([#500](https://github.com/Kong/charts/pull/500))
+* initContainers that use the Kong image use the same imagePullPolicy as the
+  main Kong container.
+  ([#501](https://github.com/Kong/charts/pull/501))
+* Applied mesh sidecar annotations to the Pod, not the Deployment.
+  ([#507](https://github.com/Kong/charts/pull/507))
+
+## 2.6.1
+
+### Fixed
+
+* Disabled IngressClass creation on Kubernetes versions that do not support it.
+* Added missing resources (Secrets, KongClusterPlugins) to the admission
+  controller configuration.
+  ([#492](https://github.com/Kong/charts/pull/492))
+
+## 2.6.0
+
+**Note:** chart versions 2.3.0 through 2.5.0 contained an incorrect
+KongIngress CRD. The `proxy.path` field was missing. Helm will not fix this
+automatically on upgrade. You can fix it by running:
+
+```
+kubectl apply -f https://raw.githubusercontent.com/Kong/charts/main/charts/kong/crds/custom-resource-definitions.yaml
+```
+
+### Improvements
+
+* Added an initContainer to clear leftover PID file in the event of a Kong
+  container crash, allowing the container to restart.
+  ([#480](https://github.com/Kong/charts/pull/480))
+* Added deployment.hostNetwork to enable host network access.
+  ([#486](https://github.com/Kong/charts/pull/486))
+
+### Fixed
+
+* NOTES.txt documentation link now uses up-to-date location.
+* Ingress availability check tightened to require the Ingress API specifically
+  in `networking.k8s.io/v1`.
+  ([#484](https://github.com/Kong/charts/pull/484))
+* Flipped backwards logic for creating an IngressClass when no IngressClass was
+  present.
+  ([#485](https://github.com/Kong/charts/pull/485))
+* Removed unnecessary hardcoded controller container argument.
+  ([#481](https://github.com/Kong/charts/pull/481))
+* Restored missing `proxy.path` field to KongIngress CRD.
+
+## 2.5.0
+
+### Improvements
+
+* Default Kong proxy version updated to 2.6.
+
+### Fixed
+
+* Properly disable KongClusterPlugin when watchNamespaces is set.
+  ([#475](https://github.com/Kong/charts/pull/475))
+
+## 2.4.0
+
+### Breaking Changes
+
+* KIC now defaults to version 2.0. If you use a database, you must first
+  perform a temporary intermediate upgrade to disable KIC before upgrading it
+  to 2.0 and re-enabling it. See the [upgrade guide](https://github.com/Kong/charts/blob/main/charts/kong/UPGRADE.md#disable-ingress-controller-prior-to-2x-upgrade-when-using-postgresql)
+  for detailed instructions.
+* ServiceAccount are now always created by default unless explicitly disabled.
+  ServiceAccount customization has [moved under the `deployment` section of
+  configuration](https://github.com/Kong/charts/blob/main/charts/kong/UPGRADE.md#changed-serviceaccount-configuration-location)
+  to reflect this. This accomodates configurations that need a ServiceAccount
+  but that do not use the ingress controller.
+  ([#455](https://github.com/Kong/charts/pull/455))
+
+### Improvements
+
+* Migration jobs support a configurable backoffLimit.
+  ([#442](https://github.com/Kong/charts/pull/442))
+* Generated Ingresses now use `networking.k8s.io/v1` when available.
+  ([#446](https://github.com/Kong/charts/pull/446))
+
+### Fixed
+
+* 5-digit UDP ports now work properly.
+  ([#443](https://github.com/Kong/charts/pull/443))
+* Fixed port name used for NLB annotation example.
+  ([#458](https://github.com/Kong/charts/pull/458))
+* Fixed a compatibility issue with Helm's `--set-file` feature and
+  user-provided DB-less configuration ConfigMaps.
+  ([#465](https://github.com/Kong/charts/pull/465))
+
+## 2.3.0
+
+### Breaking Changes
+
+* Upgraded CRDs to V1 from the previous deprecated v1beta1.
+  [#391](https://github.com/kong/charts/issues/391)
+  ACTION REQUIRED: This is a breaking change as it makes
+  this chart incompatible with Kubernetes clusters older
+  than v1.16.x. Upgrade your cluster to a version greater
+  than or equal to v1.16 before installing.
+  Note that technically it will remain possible to deploy
+  on older clusters by managing the CRDs manually ahead of
+  time (e.g. intentionally deploying the legacy CRDs) but
+  these configurations will be considered unsupported.
+  [upgrade](https://kubernetes.io/docs/tasks/administer-cluster/cluster-upgrade/)
+  ACTION REQUIRED: For existing deployments Helm avoids managing
+  CRDs so when upgrading from a previous release you will need
+  to apply the new V1 versions of the CRDs (in `crds/`) manually.
+  [hip-0011](https://github.com/helm/community/blob/main/hips/hip-0011.md)
+  ([#415](https://github.com/Kong/charts/pull/415))
+* Added support for controller metrics to the Prometheus resources. This
+  requires KIC 2.x. The chart automatically detects if your controller image is
+  compatible, but only if your tag is semver-compliant. If you are using an
+  image without a semver-compliant tag (such as `next`) you _must_ set the
+  `ingressController.image.effectiveSemver` value to a semver string
+  appropriate for your image (for example, if your image is 2.0.0-based, you
+  would set it to `2.0.0`.
+  ([#430](https://github.com/Kong/charts/pull/430))
+
+### Improvements
+
+* Updated default Kong versions to 2.5 (OSS) and 2.5.0.0 (Enterprise).
+* Added user-configured initContainer support to Jobs.
+  ([#408](https://github.com/Kong/charts/pull/408))
+* Upgraded RBAC resources to v1 from v1beta1 for compatibility with Kubernetes
+  1.22 and newer. This breaks compatibility with Kubernetes 1.7 and older, but
+  these Kubernetes versions were never supported, so this change is not
+  breaking. Added additional permissions to support KIC 2.x.
+  ([#420](https://github.com/Kong/charts/pull/420))
+  ([#419](https://github.com/Kong/charts/pull/419))
+* Added `ingressController.watchNamespaces[]` to values.yaml. When set, the
+  controller will only watch the listed namespaces (instead of all namespaces,
+  the default), and will create Roles for each namespace (instead of a
+  ClusterRole). This feature requires KIC 2.x.
+  ([#420](https://github.com/Kong/charts/pull/420))
+* Added support for [dnsPolicy and
+  dnsConfig](https://kubernetes.io/docs/tasks/administer-cluster/nodelocaldns/).
+  ([#425](https://github.com/Kong/charts/pull/425))
+* Use migration commands directly in upgrade/install Jobs instead of invoking
+  them via a shell. This adds support for some additional features in Kong
+  images that only apply when the container command starts with `kong`.
+  ([#429](https://github.com/Kong/charts/pull/429))
+
+### Fixed
+* Fixed an incorrect template for DaemonSet releases.
+  ([#426](https://github.com/Kong/charts/pull/426))
+
+## 2.2.0
+
+### Breaking changes
+
+* Removed default `maxUnavailable` setting for pod disruption budget
+  configuration. This is necessary to allow usage of the `minUnavailable`
+  setting, but means that there is no longer any default availability
+  constraint. If you set `podDisruptionBudget.enabled=true` in your values and
+  did not previously set any `podDisruptionBudget.maxUnavailable` value, you
+  must add `podDisruptionBudget.maxUnavailable="50%"` to your values.
+
+### Improvements
+
+* Added host alias injection to override DNS and/or add DNS entries not
+  available from the DNS resolver.
+  ([#366](https://github.com/Kong/charts/pull/366))
+* Added support for custom labels.
+  ([#370](https://github.com/Kong/charts/pull/370))
+* Only add paths to Ingresses if configured, for OpenShift 4.x compatibility.
+  ([#375](https://github.com/Kong/charts/pull/375))
+* Kong containers no longer the image ENTRYPOINT. This allows the stock image
+  bootstrap scripts to run normally.
+  ([#377](https://github.com/Kong/charts/pull/377))
+* Added security context settings for containers.
+  ([#387](https://github.com/Kong/charts/pull/387))
+* Bumped Kong and controller image defaults to the latest versions.
+  ([#378](https://github.com/Kong/charts/pull/378))
+* Added support for user-provided admission webhook certificates.
+  ([#385](https://github.com/Kong/charts/pull/385))
+* Disable service account tokens when it is unnecessary.
+  ([#389](https://github.com/Kong/charts/pull/389))
+
+### Fixed
+
+* Admission webhook port is now listed under the controller container, where
+  the admission webhook runs.
+  ([#384](https://github.com/Kong/charts/pull/384))
+
+### Documentation
+
+* Removed a duplicate key from example values.
+  ([#360](https://github.com/Kong/charts/pull/360))
+* Clarified Enterprise free mode usage.
+  ([#362](https://github.com/Kong/charts/pull/362))
+* Expand EKS Service annotation examples for proxy.
+  ([#376](https://github.com/Kong/charts/pull/375))
+
+## 2.1.0
+
+### Improvements
+
+* Added support for user-defined volumes, volume mounts, and init containers.
+  ([#317](https://github.com/Kong/charts/pull/317))
+* Tolerations are now applied to migration Job Pods also.
+  ([#341](https://github.com/Kong/charts/pull/341))
+* Added support for using a DaemonSet instead of Deployment.
+  ([#347](https://github.com/Kong/charts/pull/347))
+* Updated default image versions and completed migration off Bintray
+  repositories.
+  ([#349](https://github.com/Kong/charts/pull/349))
+* PDB ignores migration Job Pods.
+  ([#352](https://github.com/Kong/charts/pull/352))
+
+### Documentation
+
+* Clarified service monitor usage information.
+  ([#345](https://github.com/Kong/charts/pull/345))
+
+## 2.0.0
+
+### Breaking changes
+
+* Helm 2 is no longer supported. You **must** [migrate your Kong chart releases
+  to Helm 3](https://helm.sh/docs/topics/v2_v3_migration/) before updating to
+  this release.
+* Deprecated [Portal auth settings](https://github.com/Kong/charts/blob/kong-1.15.0/charts/kong/UPGRADE.md#removal-of-dedicated-portal-authentication-configuration-parameters)
+  are no longer supported.
+* The deprecated [`runMigrations` setting](https://github.com/Kong/charts/blob/kong-1.15.0/charts/kong/UPGRADE.md#changes-to-migration-job-configuration)
+  is no longer supported.
+* Deprecated [admin API Service configuration](https://github.com/Kong/charts/blob/kong-1.15.0/charts/kong/UPGRADE.md#changes-to-kong-service-configuration)
+  is no longer supported.
+* Deprecated [multi-host proxy configuration](https://github.com/Kong/charts/blob/kong-1.15.0/charts/kong/UPGRADE.md#removal-of-multi-host-proxy-ingress)
+  is no longer supported.
+
+`helm upgrade` with the previous version (1.15.0) will print a warning message
+if you still use any of the removed values.yaml configuration. If you do not
+see any warnings after the upgrade completes, you are already using the modern
+equivalents of these settings and can proceed with upgrading to 2.0.0-rc1.
+
+### Improvements
+
+* Admission webhook certificates persist after their initial creation. This
+  prevents an unnecessary restart of Kong Pods on upgrades that do not actually
+  modify the deployment.
+  ([#256](https://github.com/Kong/charts/pull/256))
+* `ingressController.installCRDs` now defaults to `false`, simplifying
+  installation on Helm 3. Installs now default to using Helm 3's CRD management
+  system, and do not require changes to values or install flags to install
+  successfully.
+  ([#305](https://github.com/Kong/charts/pull/305))
+* Added support for Pod `topologySpreadConstraints`.
+  ([#308](https://github.com/Kong/charts/pull/308))
+* Kong Ingress Controller image now pulled from Docker Hub (due to Bintray being
+  discontinued). Changed the default Docker image repository for the ingress
+  controller.
+
+### Fixed
+
+* Generated admission webhook certificates now include SANs for compatibility
+  with Go 1.15 controller builds.
+  ([#312](https://github.com/Kong/charts/pull/312)).
+
+### Documentation
+
+* Clarified use of `terminationGracePeriodSeconds`.
+  ([#302](https://github.com/Kong/charts/pull/302))
+
+## 1.15.0
+
+1.15.0 is an interim release before the planned release of 2.0.0. There were
+several feature changes we wanted to release prior to the removal of deprecated
+functionality for 2.0. The original planned deprecations covered in the [1.14.0
+changelog](#1140) are still planned for 2.0.0.
+
+### Improvements
+
+* The default Kong version is now 2.3 and the default Kong Enterprise version
+  is now 2.3.2.0.
+* Added configurable `terminationGracePeriodSeconds` for the pre-stop lifecycle
+  hook.
+  ([#271](https://github.com/Kong/charts/pull/271)).
+* Initial migration database wait init containers no longer have a default
+  image configuration in values.yaml. When no image is specified, the chart
+  will use the Kong image. The standard Kong images include bash, and can run
+  the database wait script without downloading a separate image. Configuring a
+  wait image is now only necessary if you use a custom Kong image that lacks
+  bash.
+  ([#285](https://github.com/Kong/charts/pull/285)).
+* Init containers for database availability and migration completeness can now
+  be disabled. They cause compatibility issues with many service meshes.
+  ([#285](https://github.com/Kong/charts/pull/285)).
+* Removed the default migration Job annotation that disabled Kuma's mesh proxy.
+  The latest version of Kuma no longer prevents Jobs from completing.
+  ([#285](https://github.com/Kong/charts/pull/285)).
+* Services now support user-configurable labels, and the Prometheus
+  ServiceMonitor label is included on the proxy Service by default. Users that
+  disable the proxy Service and add this label to another Service to collect
+  metrics.
+  ([#290](https://github.com/Kong/charts/pull/290)).
+* Migration Jobs now allow resource quota configuration. Init containers
+  inherit their resource quotas from their associated Kong container.
+  ([#294](https://github.com/Kong/charts/pull/294)).
+
+### Fixed
+
+* The database readiness wait script ConfigMap and associated mounts are no
+  longer created if that feature is not in use.
+  ([#285](https://github.com/Kong/charts/pull/285)).
+* Removed a duplicated field from CRDs.
+  ([#281](https://github.com/Kong/charts/pull/281)).
+
+## 1.14.5
+
+### Fixed
+
+* Removed `http2` from default status listen TLS parameters. It only supports a
+  limited subset of the extra listen parameters, and does not allow `http2`.
+
+## 1.14.4
+
+### Fixed
+
+* Status listens now include parameters in the default values.yaml. The absence
+  of these defaults caused a template rendering error when the TLS listen was
+  enabled.
+
+### Documentation
+
+* Updated status listen comments to reflect TLS listen availability on Kong
+  2.1+.
+
+## 1.14.3
+
+### Fixed
+
+* Fix issues with legacy proxy Ingress object template.
+
+## 1.14.2
+
+### Fixed
+
+* Corrected invalid default value for `enterprise.smtp.smtp_auth`.
+
+## 1.14.1
+
+### Fixed
+
+* Moved several Kong container settings into the appropriate template block.
+  Previously these were rendered whether or not the Kong container was enabled,
+  which unintentionally applied them to the controller container.
+
+## 1.14.0
+
+### Breaking changes
+
+1.14 is the last planned 1.x version of the Kong chart. 2.x will remove support
+for Helm 2.x and all deprecated configuration. The chart prints a warning when
+upgrading or installing if it detects any configuration still using an old
+format.
+
+* All Ingress and Service resources now use the same template. This ensures
+  that all chart Ingresses and Services support the same configuration. The
+  proxy previously used a unique Ingress configuration, which is now
+  deprecated. If you use the proxy Ingress, [see the instructions in
+  UPGRADE.md](https://github.com/Kong/charts/blob/kong-1.14.0/charts/kong/UPGRADE.md#removal-of-multi-host-proxy-ingress)
+  to update your configuration. No changes are required for other Service and
+  Ingress configurations.
+  ([#251](https://github.com/Kong/charts/pull/251)).
+* The chart now uses the standard Kong status endpoint instead of custom
+  configuration, allowing users to specify their own custom configuration. The
+  status endpoint is no available in versions older than Kong 1.4.0 or Kong
+  Enterprise 1.5.0; if you use an older version, you will need to [add and load
+  the old custom configuration](https://github.com/Kong/charts/blob/main/charts/kong/UPGRADE.md#default-custom-server-block-replaced-with-status-listen).
+
+  If you use a newer version and include Kong container readinessProbe and/or
+  livenessProbe configuration in your values.yaml, you must change the port
+  from `metrics` to `status`.
+  ([#255](https://github.com/Kong/charts/pull/255)).
+
+### Fixed
+
+* Correct an issue with migrations Job toggles.
+  ([#231](https://github.com/Kong/charts/pull/231))
+
+## 1.13.0
+
+### Improvements
+
+* Updated default Kong Enterprise version to 2.2.1.0-alpine.
+* Updated default Kong Ingress Controller version to 1.1.
+* Add `namespace` to values.yaml to override release namespace if desired.
+  ([#231](https://github.com/Kong/charts/pull/231))
+
+### Fixed
+
+* Migration Jobs now use the same nodeSelector configuration as the main Kong
+  Deployment.
+  ([#238](https://github.com/Kong/charts/pull/238))
+* Disabled custom Kong template mount if Kong is not enabled.
+  ([#240](https://github.com/Kong/charts/pull/240))
+* Changed YAML string to a YAML boolean.
+  ([#240](https://github.com/Kong/charts/pull/240))
+
+### Documentation
+
+* Clarify requirements for using horizontal pod autoscalers.
+  ([#236](https://github.com/Kong/charts/pull/236))
+
+## 1.12.0
+
+### Improvements
+
+* Increased default worker count to 2 to avoid issues with latency during
+  blocking tasks, such as DB-less config updates. This change increases memory
+  usage, but the increase should not be a concern for any but the smallest
+  deployments (deployments with memory limits below 512MB).
+* Updated default Kong version to 2.2.
+  ([#221](https://github.com/Kong/charts/pull/221))
+* Updated default Kong Enterprise version to 2.1.4.1.
+* Added a means to mount extra ConfigMap and Secret resources.
+  ([#208](https://github.com/Kong/charts/pull/208))
+* Added configurable annotations for migration Jobs.
+  ([#219](https://github.com/Kong/charts/pull/219))
+* Added template for deprecation warnings to automate formatting and avoid
+  excess newlines.
+
+### Fixed
+
+* Upgrades no longer force auto-scaling Deployments back to the replica count.
+  ([#222](https://github.com/Kong/charts/pull/222))
+
+## 1.11.0
+
+### Breaking changes
+
+* Kong Ingress Controller 1.0 removes support for several deprecated flags and
+  the KongCredential custom resource. Please see the [controller changelog](https://github.com/Kong/kubernetes-ingress-controller/blob/main/CHANGELOG.md#breaking-changes)
+  for details. Note that Helm 3 will not remove the KongCredential CRD by
+  default: you should delete it manually after converting KongCredentials to
+  [credential Secrets](https://github.com/Kong/kubernetes-ingress-controller/blob/next/docs/guides/using-consumer-credential-resource.md#provision-a-consumer).
+  If you manage CRDs using Helm (check to see if your KongCredential CRD has a
+  `app.kubernetes.io/managed-by: Helm` label), perform the credential Secret
+  conversion **before** upgrading to chart 1.11.0 to avoid losing credential
+  configuration.
+* The chart no longer uses the `extensions` API for PodSecurityPolicy, and now
+  uses the modern `policy` API. This breaks compatibility with Kubernetes
+  versions 1.11 and older.
+  ([#195](https://github.com/Kong/charts/pull/195))
+
+### Improvements
+
+* Updated default controller version to 1.0.
+* The chart now adds namespace information to manifests explicitly. This
+  simplifies workflows that use `helm template`.
+  ([#193](https://github.com/Kong/charts/pull/193))
+
+### Fixed
+* Changes to annotation block generation prevent incorrect YAML indentation
+  when specifying annotations via command line arguments to Helm commands.
+  ([#200](https://github.com/Kong/charts/pull/200))
+
+## 1.10.0
+
+### Breaking changes
+
+* Kong Ingress Controller 0.10.0 comes with breaking changes to global
+  `KongPlugin`s and to resources without an ingress class defined. Refer to the
+  [`UPGRADE.md notes for chart 1.10.0`](https://github.com/Kong/charts/blob/main/charts/kong/UPGRADE.md#1100)
+  for details.
+
+### Improvements
+
+* Updated default controller version to 0.10.0.
+
+### Fixed
+
+* Removed the `status` field from the `TCPIngress` CRD.
+  ([#188](https://github.com/Kong/charts/pull/188))
+
+## 1.9.1
+
+### Documentation
+
+* Clarified documentation for [breaking changes in 1.9.0](#190) to indicate
+  that any values.yaml that sets `waitImage.repository` requires changes,
+  including those that set the old default.
+* Updated Enterprise examples to use latest Enterprise image version.
+
+## 1.9.0
+
+### Breaking changes
+
+1.9.0 now uses a bash-based pre-migration database availability check. If you
+set `waitImage.repository` in values.yaml, either to the previous default
+(`busybox`) or to a custom image, you must change it to an image that includes
+a `bash` executable.
+
+Once you have `waitImage.repository` set to an image with bash, [perform an
+initial chart version upgrade with migrations disabled](https://github.com/Kong/charts/blob/main/charts/kong/UPGRADE.md#changes-to-wait-for-postgres-image)
+before re-enabling migrations, updating your Kong image version, and performing
+a second release upgrade.
+
+### Improvements
+
+* Added support for sidecar injection.
+  ([#174](https://github.com/Kong/charts/pull/174))
+* Changed to a bash-based pre-migration database availability check.
+  ([#179](https://github.com/Kong/charts/pull/179))
+* Changed to a bash-based pre-migration database availability check.
+  ([#179](https://github.com/Kong/charts/pull/179))
+* Updated default Kong Enterprise version to 2.1.3.0.
+
+### Fixed
+
+* Added missing cluster telemetry service and fixed missing cluster service
+  port.
+  ([#185](https://github.com/Kong/charts/pull/185))
+
+### Documentation
+
+* Added an example Enterprise controller-managed DB-less values.yaml.
+  ([#175](https://github.com/Kong/charts/pull/175))
+
+## 1.8.0
+
+**Kong Enterprise users:** please review documentation for the [Kong Enterprise
+2.1.x beta
+release](https://docs.konghq.com/enterprise/2.1.x/release-notes/#coming-soon)
+and [hybrid mode on Kong
+Enterprise](https://docs.konghq.com/enterprise/2.1.x/deployment/hybrid-mode/#kubernetes-support)
+as well. Version 1.8 of the Kong Helm chart adds support for hybrid mode, which
+is currently only available in the 2.1.x beta. Production systems should
+continue to use the Kong Enterprise 1.5.x stable releases, which do not support
+hybrid mode.
+
+### Improvements
+
+* Update default Kong version to 2.1.
+* Update Kong Enterprise images to 1.5.0.4 (kong-enterprise-edition) and
+  2.0.4.2 (kong-enterprise-k8s).
+* Updated default controller version to 0.9.1.
+  ([#150](https://github.com/Kong/charts/pull/150))
+* Added support for ServiceMonitor targetLabels (for use with the Prometheus
+  Operator).
+  ([#162](https://github.com/Kong/charts/pull/162))
+* Automatically handle the [new port_maps
+  setting](https://github.com/Kong/kong/pull/5861) for the proxy service.
+  ([#169](https://github.com/Kong/charts/pull/169))
+* Add support for [hybrid mode
+  deployments](https://docs.konghq.com/latest/hybrid-mode/).
+  ([#160](https://github.com/Kong/charts/pull/160))
+
+
+### Fixed
+
+* Fixed an issue with improperly-rendered listen strings.
+  ([#155](https://github.com/Kong/charts/pull/155))
+
+### Documentation
+
+* Improved inline documentation of `env` in values.yaml.
+  ([#163](https://github.com/Kong/charts/pull/163))
+
+## 1.7.0
+
+### Improvements
+
+* Added support for
+  [CRD-only](https://github.com/Kong/charts/blob/1.7.0/charts/kong/README.md#crds-only)
+  and [controller-only releases](https://github.com/Kong/charts/blob/next/charts/kong/README.md#standalone-controller-nodes).
+  ([#136](https://github.com/Kong/charts/pull/136))
+
+### Documentation
+
+* Added a set of [example
+  values.yamls](https://github.com/Kong/charts/tree/main/charts/kong/example-values)
+  for various configurations of Kong and Kong Enterprise.
+  ([#134](https://github.com/Kong/charts/pull/134))
+
+## 1.6.1
+
+This release contains no changes other than the version. This is to address an
+issue with our release automation.
+
+## 1.6.0
+
+### Improvements
+
+* Updated default controller version to 0.9.0.
+  ([#132](https://github.com/Kong/charts/pull/132))
+* Updated default Enterprise versions to 2.0.4.1 and 1.5.0.2.
+  ([#130](https://github.com/Kong/charts/pull/130))
+* Added ability to override chart lifecycle.
+  ([#116](https://github.com/Kong/charts/pull/116))
+* Added ability to apply user-defined labels to pods.
+  ([#121](https://github.com/Kong/charts/pull/121))
+* Filtered serviceMonitor to disable metrics collection from non-proxy
+  services.
+  ([#112](https://github.com/Kong/charts/pull/112))
+* Set admin API to listen on localhost only if possible.
+  ([#125](https://github.com/Kong/charts/pull/125))
+* Add `auth_type` and `ssl` settings to `smtp` block.
+  ([#127](https://github.com/Kong/charts/pull/127))
+* Remove UID from default securityContext.
+  ([#138](https://github.com/Kong/charts/pull/138))
+
+### Documentation
+
+* Corrected invalid default serviceMonitor.interval value.
+  ([#110](https://github.com/Kong/charts/pull/110))
+* Removed duplicate `installCRDs` documentation.
+  ([#115](https://github.com/Kong/charts/pull/115))
+* Simplified example license Secret creation command.
+  ([#131](https://github.com/Kong/charts/pull/131))
+
+## 1.5.0
+
+### Improvements
+
+* Added support for annotating the ServiceAccount.
+  ([#97](https://github.com/Kong/charts/pull/97))
+* Updated controller templates to use environment variables for default
+  configuration.
+  ([#99](https://github.com/Kong/charts/pull/99))
+* Added support for stream listens.
+  ([#103](https://github.com/Kong/charts/pull/103))
+* Moved migration configuration under a `migrations` block with support for
+  enabling upgrade jobs independently and adding annotations.
+  ([#102](https://github.com/Kong/charts/pull/102))
+* Added support for the [status listen](https://github.com/Kong/kong/pull/4977).
+  ([#107](https://github.com/Kong/charts/pull/107))
+* :warning: Exposed PodSecurityPolicy spec in values.yaml and added default
+  configuration to enforce a read-only root filesystem. **Kong Enterprise
+  versions prior to 1.5.0 require the root filesystem be read-write. If you use
+  an older version and enforce PodSecurityPolicy, you must set
+  `.Values.podSecurityPolicy.spec.readOnlyRootFilesystem: false`.**
+  ([#104](https://github.com/Kong/charts/pull/104))
+
+### Fixed
+
+* Fixed old init-migrations jobs blocking upgrades.
+  ([#102](https://github.com/Kong/charts/pull/102))
+
+### Documentation
+
+* Fixed discrepancy between image version in values.yaml and README.md.
+  ([#96](https://github.com/Kong/charts/pull/96))
+* Added example Enterprise image tags to values.yaml.
+  ([#100](https://github.com/Kong/charts/pull/100))
+* Added deprecation warnings in CHANGELOG.md.
+  ([#91](https://github.com/Kong/charts/pull/91))
+* Improved RBAC documentation to clarify process and use new controller
+  functionality.
+  ([#95](https://github.com/Kong/charts/pull/95))
+* Added documentation for managing multi-release clusters with varied node
+  roles (e.g. admin-only, Portal-only, etc.).
+  ([#102](https://github.com/Kong/charts/pull/102))
+
+## 1.4.1
+
+### Documentation
+
+* Fixed an issue with the 1.4.1 upgrade steps.
+
+## 1.4.0
+
+### Improvements
+
+* :warning: Service and listen configuration now use a unified configuration
+  format. **The previous configuration format for the admin API service is
+  deprecated and will be removed in a future release.** Listen configuration
+  now supports specifying parameters. Kubernetes service creation can now be
+  enabled or disabled for all Kong services. Users should review the
+  [1.4.0 upgrade guide](https://github.com/Kong/charts/blob/next/charts/kong/UPGRADE.md#changes-to-kong-service-configuration)
+  for details on how to update their values.yaml.
+  ([#72](https://github.com/Kong/charts/pull/72))
+* Updated the default controller version to 0.8. This adds new
+  KongClusterPlugin and TCPIngress CRDs and RBAC permissions for them. Users
+  should also note that `strip_path` now defaults to disabled, which will
+  likely break existing configuration. See [the controller
+  changelog](https://github.com/Kong/kubernetes-ingress-controller/blob/main/CHANGELOG.md#080---20200325)
+  and [upgrade-guide](https://github.com/Kong/charts/blob/next/charts/kong/UPGRADE.md#strip_path-now-defaults-to-false-for-controller-managed-routes)
+  for full details.
+  ([#77](https://github.com/Kong/charts/pull/77))
+* Added support for user-supplied ingress controller CLI arguments.
+  ([#79](https://github.com/Kong/charts/pull/79))
+* Added support for annotating the chart's deployment.
+  ([#81](https://github.com/Kong/charts/pull/81))
+* Switched to the Bitnami Postgres chart, as the chart in Helm's repository has
+  [moved
+  there](https://github.com/helm/charts/tree/master/stable/postgresql#this-helm-chart-is-deprecated).
+  ([#82](https://github.com/Kong/charts/pull/82))
+
+### Fixed
+
+* Corrected the app version in Chart.yaml.
+  ([#86](https://github.com/Kong/charts/pull/86))
+
+### Documentation
+
+* Fixed incorrect default value for `installCRDs`.
+  ([#78](https://github.com/Kong/charts/pull/78))
+* Added detailed upgrade guide covering breaking changes and deprecations.
+  ([#74](https://github.com/Kong/charts/pull/74))
+* Improved installation steps for Helm 2 and Helm 3.
+  ([#83](https://github.com/Kong/charts/pull/83))
+  ([#84](https://github.com/Kong/charts/pull/84))
+* Remove outdated `ingressController.replicaCount` setting.
+  ([#87](https://github.com/Kong/charts/pull/87))
+
+## 1.3.1
+
+### Fixed
+
+* Added missing newline to NOTES.txt template.
+  ([#66](https://github.com/Kong/charts/pull/66))
+
+### Documentation
+
+* Instruct users to create secrets for both the kong-enterprise-k8s and
+  kong-enterprise-edition Docker registries.
+  ([#65](https://github.com/Kong/charts/pull/65))
+* Updated maintainer information.
+
+## 1.3.0
+
+### Improvements
+
+* Custom plugin mounts now support subdirectories. These are necessary for
+  plugins that include their own migrations. Note that Kong versions prior to
+  2.0.1 [have a bug](https://github.com/Kong/kong/pull/5509) that prevents them
+  from running these migrations. ([#24](https://github.com/Kong/charts/pull/24))
+* LoadBalancer services will now respect their NodePort.
+  ([#48](https://github.com/Kong/charts/pull/41))
+* The proxy TLS listen now enables HTTP/2 (and, by extension, gRPC).
+  ([#47](https://github.com/Kong/charts/pull/47))
+* Added support for `priorityClassName` to the Kong deployment.
+  ([#56](https://github.com/Kong/charts/pull/56))
+* Bumped default Kong version to 2.0 and controller version to 0.7.1.
+  ([#60](https://github.com/Kong/charts/pull/60))
+* :warning: Removed dedicated Portal auth settings, which are unnecessary in
+  modern versions. **The `enterprise.portal.portal_auth` and
+  `enterprise.portal.session_conf_secret` settings in values.yaml are
+  deprecated and will be removed in a future release.** See the [upgrade
+  guide](https://github.com/Kong/charts/blob/main/charts/kong/UPGRADE.md#removal-of-dedicated-portal-authentication-configuration-parameters)
+  for instructions on migrating them to environment variables.
+  ([#55](https://github.com/Kong/charts/pull/55))
+
+### Fixed
+
+* Fixed typo in HorizontalPodAutoscaler template.
+  ([#45](https://github.com/Kong/charts/pull/45))
+
+### Documentation
+
+* Added contributing guidelines. ([#41](https://github.com/Kong/charts/pull/41))
+* Added README section for Helm 2 versus Helm 3 considerations.
+  ([#34](https://github.com/Kong/charts/pull/41))
+* Added documentation for `proxy.annotations` to README.md.
+  ([#57](https://github.com/Kong/charts/pull/57))
+* Added FAQ entry for init-migrations job conflicts on upgrades.
+  ([#59](https://github.com/Kong/charts/pull/59)
+* Move changelog out of README.md into CHANGELOG.md.
+  ([#60](https://github.com/Kong/charts/pull/60)
+* Improved formatting for 1.2.0 changelog.
+
+## 1.2.0
+
+### Improvements
+* Added support for HorizontalPodAutoscaler.
+  ([#12](https://github.com/Kong/charts/pull/12))
+* Environment variables are now consistently sorted alphabetically.
+  ([#29](https://github.com/Kong/charts/pull/29))
+
+### Fixed
+* Removed temporary ServiceAccount template, which caused upgrades to break the
+  existing ServiceAccount's credentials. Moved template and instructions for
+  use to FAQs, as the temporary user is only needed in rare scenarios.
+  ([#31](https://github.com/Kong/charts/pull/31))
+* Fix an issue where the wait-for-postgres job did not know which port to use
+  in some scenarios. ([#28](https://github.com/Kong/charts/pull/28))
+
+### Documentation
+* Added warning regarding volume mounts.
+  ([#25](https://github.com/Kong/charts/pull/25))
+
+## 1.1.1
+
+### Fixed
+
+* Add missing `smtp_admin_emails` and `smtp_mock = off` to SMTP enabled block in
+  `kong.env`.
+
+### CI changes
+
+* Remove version bump requirement in preparation for new release model.
+
+## 1.1.0
+
+> https://github.com/Kong/charts/pull/4
+
+### Improvements
+
+* Significantly refactor the `env`/EnvVar templating system to determine the
+  complete set of environment variables (both user-defined variables and
+  variables generated from other sections of values.yaml) and resolve conflicts
+  before rendering. User-provided values are now guaranteed to take precedence
+  over generated values. Previously, precedence relied on a Kubernetes
+  implementation quirk that was not consistent across all Kubernetes providers.
+* Combine templates for license, session configuration, etc. that generate
+  `secretKeyRef` values into a single generic template.
+
+## 1.0.3
+
+- Fix invalid namespace for pre-migrations and Role.
+- Fix whitespaces formatting in README.
+
+## 1.0.2
+
+- Helm 3 support: CRDs are declared in crds directory. Backward compatible support for helm 2.
+
+## 1.0.1
+
+Fixed invalid namespace variable name causing ServiceAccount and Role to be generated in other namespace than desired.
+
+## 1.0.0
+
+There are not code changes between `1.0.0` and `0.36.5`.
+From this version onwards, charts are hosted at https://charts.konghq.com.
+
+The `0.x` versions of the chart are available in Helm's
+[Charts](https://github.com/helm/charts) repository are are now considered
+deprecated.
+
+## 0.36.5
+
+> PR https://github.com/helm/charts/pull/20099
+
+### Improvements
+
+- Allow `grpc` protocol for KongPlugins
+
+## 0.36.4
+
+> PR https://github.com/helm/charts/pull/20051
+
+### Fixed
+
+- Issue: [`Ingress Controller errors when chart is redeployed with Admission
+  Webhook enabled`](https://github.com/helm/charts/issues/20050)
+
+## 0.36.3
+
+> PR https://github.com/helm/charts/pull/19992
+
+### Fixed
+
+- Fix spacing in ServiceMonitor when label is specified in config
+
+## 0.36.2
+
+> PR https://github.com/helm/charts/pull/19955
+
+### Fixed
+
+- Set `sideEffects` and `admissionReviewVersions` for Admission Webhook
+- timeouts for liveness and readiness probes has been changed from `1s` to `5s`
+
+## 0.36.1
+
+> PR https://github.com/helm/charts/pull/19946
+
+### Fixed
+
+- Added missing watch permission to custom resources
+
+## 0.36.0
+
+> PR https://github.com/helm/charts/pull/19916
+
+### Upgrade Instructions
+
+- When upgrading from <0.35.0, in-place chart upgrades will fail.
+  It is necessary to delete the helm release with `helm del --purge $RELEASE` and redeploy from scratch.
+  Note that this will cause downtime for the kong proxy.
+
+### Improvements
+
+- Fixed Deployment's label selector that prevented in-place chart upgrades.
+
+## 0.35.1
+
+> PR https://github.com/helm/charts/pull/19914
+
+### Improvements
+
+- Update CRDs to Ingress Controller 0.7
+- Optimize readiness and liveness probes for more responsive health checks
+- Fixed incorrect space in NOTES.txt
+
+## 0.35.0
+
+> PR [#19856](https://github.com/helm/charts/pull/19856)
+
+### Improvements
+
+- Labels on all resources have been updated to adhere to the Helm Chart
+  guideline here:
+  https://v2.helm.sh/docs/developing_charts/#syncing-your-chart-repository
+
+## 0.34.2
+
+> PR [#19854](https://github.com/helm/charts/pull/19854)
+
+This release contains no user-visible changes
+
+### Under the hood
+
+ - Various tests have been consolidated to speed up CI.
+
+## 0.34.1
+
+> PR [#19887](https://github.com/helm/charts/pull/19887)
+
+### Fixed
+
+- Correct indentation for Job securityContexts.
+
+## 0.34.0
+
+> PR [#19885](https://github.com/helm/charts/pull/19885)
+
+### New features
+
+- Update default version of Ingress Controller to 0.7.0
+
+## 0.33.1
+
+> PR [#19852](https://github.com/helm/charts/pull/19852)
+
+### Fixed
+
+- Correct an issue with white space handling within `final_env` helper.
+
+## 0.33.0
+
+> PR [#19840](https://github.com/helm/charts/pull/19840)
+
+### Dependencies
+
+- Postgres sub-chart has been bumped up to 8.1.2
+
+### Fixed
+
+- Removed podDisruption budge for Ingress Controller. Ingress Controller and
+  Kong run in the same pod so this was no longer applicable
+- Migration job now receives the same environment variable and configuration
+  as that of the Kong pod.
+- If Kong is configured to run with Postgres, the Kong pods now always wait
+  for Postgres to start. Previously this was done only when the sub-chart
+  Postgres was deployed.
+- A hard-coded container name is used for kong: `proxy`. Previously this
+  was auto-generated by Helm. This deterministic naming allows for simpler
+  scripts and documentation.
+
+### Under the hood
+
+Following changes have no end user visible effects:
+
+- All Custom Resource Definitions have been consolidated into a single
+  template file
+- All RBAC resources have been consolidated into a single template file
+- `wait-for-postgres` container has been refactored and de-duplicated
+
+## 0.32.1
+
+### Improvements
+
+- This is a doc only release. No code changes have been done.
+- Post installation steps have been simplified and now point to a getting
+  started page
+- Misc updates to README:
+  - Document missing variables
+  - Remove outdated variables
+  - Revamp and rewrite major portions of the README
+  - Added a table of content to make the content navigable
+
+## 0.32.0
+
+### Improvements
+
+- Create and mount emptyDir volumes for `/tmp` and `/kong_prefix` to allow
+  for read-only root filesystem securityContexts and PodSecurityPolicys.
+- Use read-only mounts for custom plugin volumes.
+- Update stock PodSecurityPolicy to allow emptyDir access.
+- Override the standard `/usr/local/kong` prefix to the mounted emptyDir
+  at `/kong_prefix` in `.Values.env`.
+- Add securityContext injection points to template. By default,
+  it sets Kong pods to run with UID 1000.
+
+### Fixes
+
+- Correct behavior for the Vitals toggle.
+  Vitals defaults to on in all current Kong Enterprise releases, and
+  the existing template only created the Vitals environment variable
+  if `.Values.enterprise.enabled == true`. Inverted template to create
+  it (and set it to "off") if that setting is instead disabled.
+- Correct an issue where custom plugin configurations would block Kong
+  from starting.
+
+## 0.31.0
+
+### Breaking changes
+
+- Admin Service is disabled by default (`admin.enabled`)
+- Default for `proxy.type` has been changed to `LoadBalancer`
+
+### New features
+
+- Update default version of Kong to 1.4
+- Update default version of Ingress Controller to 0.6.2
+- Add support to disable kong-admin service via `admin.enabled` flag.
+
+## 0.31.2
+
+### Fixes
+
+- Do not remove white space between documents when rendering
+  `migrations-pre-upgrade.yaml`
+
+## 0.30.1
+
+### New Features
+
+- Add support for specifying Proxy service ClusterIP
+
+## 0.30.0
+
+### Breaking changes
+
+- `admin_gui_auth_conf_secret` is now required for Kong Manager
+  authentication methods other than `basic-auth`.
+  Users defining values for `admin_gui_auth_conf` should migrate them to
+  an externally-defined secret with a key of `admin_gui_auth_conf` and
+  reference the secret name in `admin_gui_auth_conf_secret`.
+
+## 0.29.0
+
+### New Features
+
+- Add support for specifying Ingress Controller environment variables.
+
+## 0.28.0
+
+### New Features
+
+- Added support for the Validating Admission Webhook with the Ingress Controller.
+
+## 0.27.2
+
+### Fixes
+
+- Do not create a ServiceAccount if it is not necessary.
+- If a configuration change requires creating a ServiceAccount,
+  create a temporary ServiceAccount to allow pre-upgrade tasks to
+  complete before the regular ServiceAccount is created.
+
+## 0.27.1
+
+### Documentation updates
+- Retroactive changelog update for 0.24 breaking changes.
+
+## 0.27.0
+
+### Breaking changes
+
+- DB-less mode is enabled by default.
+- Kong is installed as an Ingress Controller for the cluster by default.
+
+## 0.25.0
+
+### New features
+
+- Add support for PodSecurityPolicy
+- Require creation of a ServiceAccount
+
+## 0.24.0
+
+### Breaking changes
+
+- The configuration format for ingresses in values.yaml has changed.
+Previously, all ingresses accepted an array of hostnames, and would create
+ingress rules for each. Ingress configuration for services other than the proxy
+now accepts a single hostname, which allows simpler TLS configuration and
+automatic population of `admin_api_uri` and similar settings. Configuration for
+the proxy ingress is unchanged, but its documentation now accurately reflects
+the TLS configuration needed.
index bfb0c8a..7809e09 100644 (file)
@@ -1,13 +1,17 @@
-apiVersion: v1
-appVersion: "1.4"
-description: DEPRECATED The Cloud-Native Ingress and API-management
-engine: gotpl
+apiVersion: v2
+appVersion: "3.6"
+dependencies:
+- condition: postgresql.enabled
+  name: postgresql
+  repository: https://charts.bitnami.com/bitnami
+  version: 11.9.13
+description: The Cloud-Native Ingress and API-management
 home: https://konghq.com/
 icon: https://s3.amazonaws.com/downloads.kong/universe/assets/icon-kong-inc-large.png
 maintainers:
-- email: shashi@konghq.com
-  name: shashiranjan84
-- email: harry@konghq.com
-  name: hbagdi
+- email: team-k8s@konghq.com
+  name: team-k8s-bot
 name: kong
-version: 0.36.6
+sources:
+- https://github.com/Kong/charts/tree/main/charts/kong
+version: 2.38.0
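Review bot: The new `dependencies` entry pins the Bitnami postgresql sub-chart only by `version: 11.9.13` against `https://charts.bitnami.com/bitnami`, with no integrity pin visible in this hunk, so nothing here lets a reviewer confirm that whatever tarball actually deploys (a vendored copy under `charts/postgresql`, if one is committed) matches the declared version. Commit the `Chart.lock` that `helm dependency update` generates next to this Chart.yaml, since it records the resolved version and a `digest` that later refreshes can be checked against. Bitnami's primary index may no longer serve a version this old, so a resolve from that URL could fail on a fresh `helm dependency update`; a short comment above the entry would save the next maintainer a surprise, e.g. `# resolved from a vendored copy in charts/; the Bitnami index may not carry 11.9.13`.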
index 1bac262..847cb63 100644 (file)
@@ -1,6 +1,118 @@
 # Frequently Asked Questions (FAQs)
 
-#### Kong fails to start after `helm upgrade` when Postgres is used. What do I do?
+Despite the title, this is more a list of common problems.
+
+#### Kong cannot connect to a fresh Postgres install and fails to start
+
+If Kong is reporting that it cannot connect to Postgres because of an invalid
+password on a fresh install, you likely have a leftover PersistentVolume from a
+previous install using the same name. You should delete your install, delete
+the associated PersistentVolumeClaim, and install again.
+
+Postgres PVCs [are not deleted when the chart install is
+deleted](https://docs.bitnami.com/kubernetes/faq/troubleshooting/troubleshooting-helm-chart-issues/#persistence-volumes-pvs-retained-from-previous-releases),
+and will be reused by subsequent installs if still present. Since the `kong`
+user password is written to disk during database initialization only, that old
+user's password is expected, not the new user's.
+
+PVC names use the pattern `data-<release name>-postgresql-<replica index>`. If
+you named your install `foo` and did not increase the Postgres replica count,
+you will have a single `data-foo-postgresql-0` PVC that needs to be deleted:
+
+```
+kubectl delete pvc data-foo-postgresql-0
+```
+
+If you use a workflow that frequently deletes and re-creates installs, you
+should make sure to delete PVCs when you delete the release:
+
+```
+helm delete foo; kubectl delete pvc data-foo-postgresql-0 
+```
+
+#### Upgrading a release fails due to missing ServiceAccount
+
+When upgrading a release, some configuration changes result in this error:
+
+```
+Error creating: pods "releasename-kong-pre-upgrade-migrations-" is forbidden: error looking up service account releasename-kong: serviceaccount "releasename-kong" not found
+```
+
+Enabling the ingress controller or PodSecurityPolicy requires that the Kong
+chart also create a ServiceAccount. When upgrading from a configuration that
+previously had neither of these features enabled, the pre-upgrade-migrations
+Job attempts to use this ServiceAccount before it is created. It is [not
+possible to easily handle this case automatically](https://github.com/Kong/charts/pull/31).
+
+Users encountering this issue should temporarily modify their
+[pre-upgrade-migrations template](https://github.com/Kong/charts/blob/main/charts/kong/templates/migrations-pre-upgrade.yaml),
+adding the following at the bottom:
+
+```
+{{ if or .Values.podSecurityPolicy.enabled (and .Values.ingressController.enabled .Values.ingressController.serviceAccount.create) -}}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ template "kong.serviceAccountName" . }}
+  namespace: {{ template "kong.namespace" . }}
+  annotations:
+    "helm.sh/hook": pre-upgrade
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+  labels:
+    {{- include "kong.metaLabels" . | nindent 4 }}
+{{- end -}}
+```
+
+Upgrading with this in place will create a temporary service account before
+creating the actual service account. After this initial upgrade, users must
+revert to the original pre-upgrade migrations template, as leaving the
+temporary ServiceAccount template in place will [cause permissions issues on
+subsequent upgrades](https://github.com/Kong/charts/issues/30).
+
+#### Running "helm upgrade" fails because of old init-migrations Job
+
+When running `helm upgrade`, the upgrade fails and Helm reports an error
+similar to the following:
+
+```
+Error: UPGRADE FAILED: cannot patch "RELEASE-NAME-kong-init-migrations" with
+kind Job: Job.batch "RELEASE-NAME-kong-init-migrations" is invalid ... field
+is immutable
+```
+
+This occurs if a `RELEASE-NAME-kong-init-migrations` Job is left over from a
+previous `helm install` or `helm upgrade`. Deleting it with
+`kubectl delete job RELEASE-NAME-kong-init-migrations` will allow the upgrade
+to proceed. Chart versions greater than 1.5.0 delete the job automatically.
+
+#### DB-backed instances do not start when deployed within a service mesh
+
+Service meshes, such as Istio and Kuma, if deployed in a mode that injects
+a sidecar to Kong, don't make the mesh available to `InitContainer`s,
+because the sidecar starts _after_ all `InitContainer`s finish.
+
+By default, this chart uses init containers to ensure that the database is
+online and has migrations applied before starting Kong. This provides for a
+smoother startup, but isn't compatible with service mesh sidecar requirements
+if Kong is to access the database through the mesh.
+
+Setting `waitImage.enabled=false` in values.yaml disables these init containers
+and resolves this issue. However, during the initial install, your Kong
+Deployment will enter the CrashLoopBackOff state while waiting for migrations
+to complete. It will eventually exit this state and enter Running as long as
+there are no issues finishing migrations, usually within 2 minutes.
+
+If your Deployment is stuck in CrashLoopBackoff for longer, check the init
+migrations Job logs to see if it is unable to connect to the database or unable
+to complete migrations for some other reason. Resolve any issues you find,
+delete the release, and attempt to install again.
+
+#### Kong fails to start after `helm upgrade` when Postgres is used
+
+As of Kong chart 2.8, this issue is no longer present. 2.8 updates the Postgres
+sub-chart to a version that checks for existing password Secrets and leaves
+them as-is rather than overwriting them.
 
 You may be running into this issue: https://github.com/helm/charts/issues/12575.
 This issue is caused due to: https://github.com/helm/helm/issues/3053.
@@ -13,20 +125,15 @@ The solution to the problem is to specify a password to the `postgresql` chart.
 This is to ensure that the password is not generated randomly but is set to
 the same one that is user-provided on each upgrade.
 
-#### Kong fails to start on a fresh installation with Postgres. What do I do?
-
-Please make sure that there is no `PersistentVolumes` present from a previous
-release. If there are, it can lead to data or passwords being out of sync
-and result in connection issues.
-
-A simple way to find out is to use the following command:
-
-```
-kubectl get pv -n <your-namespace>
-```
+The Postgres chart provides [two options](https://github.com/bitnami/charts/tree/master/bitnami/postgresql#postgresql-common-parameters)
+for setting a password:
 
-And then based on the `AGE` column, determine if you have an old volume.
-If you do, then please delete the release, delete the volume, and then
-do a fresh installation. PersistentVolumes can remain in the cluster even if
-you delete the namespace itself (the namespace in which they were present).
+- `auth.password` sets a password directly in values.yaml, in cleartext. This
+  is fine if you are using the instance for testing and have no security
+  concerns.
+- `auth.existingSecret` specifies a Secret that contains [specific keys](https://github.com/bitnami/charts/blob/a6146a1ed392c8683c30b21e3fef905d86b0d2d6/bitnami/postgresql/values.yaml#L134-L143).
+  This should be used if you need to properly secure the Postgres instance.
 
+If you have already upgraded, the old password is lost. You will need to
+delete the Helm release and the Postgres PersistentVolumeClaim before
+re-installing with a non-random password.
index 83b665d..3c5f3da 100644 (file)
@@ -1,10 +1,3 @@
-# DEPRECATED
-
-This chart has been deprecated in favor of
-Kong's official chart [repository](https://github.com/kong/charts).
-
-All users are advised to immediately migrate over to the new repository.
-
 ## Kong for Kubernetes
 
 [Kong for Kubernetes](https://github.com/Kong/kubernetes-ingress-controller)
@@ -18,27 +11,58 @@ This chart bootstraps all the components needed to run Kong on a
 ## TL;DR;
 
 ```bash
-$ helm repo update
-$ helm install stable/kong
+helm repo add kong https://charts.konghq.com
+helm repo update
+
+helm install kong/kong --generate-name
 ```
 
-## Table of content
+## Table of contents
 
 - [Prerequisites](#prerequisites)
 - [Install](#install)
 - [Uninstall](#uninstall)
-- [Kong Enterprise](#kong-enterprise)
 - [FAQs](#faqs)
+- [Kong Enterprise](#kong-enterprise)
 - [Deployment Options](#deployment-options)
   - [Database](#database)
+    - [DB-less deployment](#db-less-deployment)
+    - [Using the Postgres sub-chart](#using-the-postgres-sub-chart)
+      - [Postgres sub-chart considerations for OpenShift](#postgres-sub-chart-considerations-for-openshift)
   - [Runtime package](#runtime-package)
   - [Configuration method](#configuration-method)
+  - [Separate admin and proxy nodes](#separate-admin-and-proxy-nodes)
+  - [Standalone controller nodes](#standalone-controller-nodes)
+  - [Hybrid mode](#hybrid-mode)
+    - [Certificates](#certificates)
+    - [Control plane node configuration](#control-plane-node-configuration)
+    - [Data plane node configuration](#data-plane-node-configuration)
+  - [Cert Manager Integration](#cert-manager-integration)
+  - [CRD management](#crd-management)
+  - [InitContainers](#initcontainers)
+  - [HostAliases](#hostaliases)
+  - [Sidecar Containers](#sidecar-containers)
+  - [Migration Sidecar Containers](#migration-sidecar-containers)
+  - [User Defined Volumes](#user-defined-volumes)
+  - [User Defined Volume Mounts](#user-defined-volume-mounts)
+  - [Removing cluster-scoped permissions](#removing-cluster-scoped-permissions)
+  - [Using a DaemonSet](#using-a-daemonset)
+  - [Using dnsPolicy and dnsConfig](#using-dnspolicy-and-dnsconfig)
+  - [Example configurations](#example-configurations)
 - [Configuration](#configuration)
-  - [Kong Parameters](#kong-parameters)
+  - [Kong parameters](#kong-parameters)
+    - [Kong Service Parameters](#kong-service-parameters)
+    - [Admin Service mTLS](#admin-service-mtls)
+    - [Stream listens](#stream-listens)
   - [Ingress Controller Parameters](#ingress-controller-parameters)
+    - [The `env` section](#the-env-section)
+    - [The `customEnv` section](#the-customenv-section)
   - [General Parameters](#general-parameters)
-  - [The `env` section](#the-env-section)
+    - [The `env` section](#the-env-section-1)
+    - [The `customEnv` section](#the-customenv-section-1)
+    - [The `extraLabels` section](#the-extralabels-section)
 - [Kong Enterprise Parameters](#kong-enterprise-parameters)
+  - [Overview](#overview)
   - [Prerequisites](#prerequisites-1)
     - [Kong Enterprise License](#kong-enterprise-license)
     - [Kong Enterprise Docker registry access](#kong-enterprise-docker-registry-access)
@@ -46,30 +70,39 @@ $ helm install stable/kong
   - [RBAC](#rbac)
   - [Sessions](#sessions)
   - [Email/SMTP](#emailsmtp)
-- [Changelog](#changelog)
+- [Prometheus Operator integration](#prometheus-operator-integration)
+- [Argo CD considerations](#argo-cd-considerations)
+- [Changelog](https://github.com/Kong/charts/blob/main/charts/kong/CHANGELOG.md)
+- [Upgrading](https://github.com/Kong/charts/blob/main/charts/kong/UPGRADE.md)
 - [Seeking help](#seeking-help)
 
 ## Prerequisites
 
-- Kubernetes 1.12+
+- Kubernetes 1.17+. Older chart releases support older Kubernetes versions.
+  Refer to the [supported version matrix](https://docs.konghq.com/kubernetes-ingress-controller/latest/references/version-compatibility/#kubernetes)
+  and the [chart changelog](https://github.com/Kong/charts/blob/main/charts/kong/CHANGELOG.md)
+  for information about the default chart controller versions and Kubernetes
+  versions supported by controller releases.
 - PV provisioner support in the underlying infrastructure if persistence
   is needed for Kong datastore.
 
 ## Install
 
-To install the chart with the release name `my-release`:
+To install Kong:
 
 ```bash
-$ helm repo update
-$ helm install --name my-release stable/kong
+helm repo add kong https://charts.konghq.com
+helm repo update
+
+helm install kong/kong --generate-name
 ```
 
 ## Uninstall
 
-To uninstall/delete the `my-release` deployment:
+To uninstall/delete a Helm release `my-release`:
 
 ```bash
-helm delete my-release
+helm delete my-release
 ```
 
 The command removes all the Kubernetes components associated with the
@@ -80,7 +113,7 @@ chart and deletes the release.
 ## FAQs
 
 Please read the
-[FAQs](https://github.com/helm/charts/blob/master/stable/kong/FAQs.md)
+[FAQs](https://github.com/Kong/charts/blob/main/charts/kong/FAQs.md)
 document.
 
 ## Kong Enterprise
@@ -88,13 +121,16 @@ document.
 If using Kong Enterprise, several additional steps are necessary before
 installing the chart:
 
-- set `enterprise.enabled` to `true` in `values.yaml` file
-- Update values.yaml to use a Kong Enterprise image
-- Satisfy the two  prerequsisites below for
+- Set `enterprise.enabled` to `true` in `values.yaml` file.
+- Update values.yaml to use a Kong Enterprise image.
+- Satisfy the two prerequisites below for
   [Enterprise License](#kong-enterprise-license) and
-  [Enterprise Docker Registry](#kong-enterprise-docker-registry-access)
+  [Enterprise Docker Registry](#kong-enterprise-docker-registry-access).
+- (Optional) [set a `password` environment variable](#rbac) to create the
+  initial super-admin. Though not required, this is recommended for users that
+  wish to use RBAC, as it cannot be done after initial setup.
 
-Once you have these set, it is possible to install Kong Enterprise
+Once you have these set, it is possible to install Kong Enterprise.
 
 Please read through
 [Kong Enterprise considerations](#kong-enterprise-parameters)
@@ -114,53 +150,74 @@ Following sections detail on various high-level architecture options available:
 
 ### Database
 
-Kong can run with or without a database (DB-less).
-By default, this chart installs Kong without a database.
+Kong can run with or without a database (DB-less). By default, this chart
+installs Kong without a database.
+
+You can set the database the `env.database` parameter. For more details, please
+read the [env](#the-env-section) section.
 
-Although Kong can run with Postgres and Cassandra, the recommended database,
-if you would like to use one, is Postgres for Kubernetes installations.
-If your use-case warrants Cassandra, you should run the Cassandra cluster
-outside of Kubernetes.
+#### DB-less deployment
 
-The database to use for Kong can be controlled via the `env.database` parameter.
-For more details, please read the [env](#the-env-section) section.
+When deploying Kong in DB-less mode(`env.database: "off"`)
+and without the Ingress Controller(`ingressController.enabled: false`),
+you have to provide a [declarative configuration](https://docs.konghq.com/gateway-oss/latest/db-less-and-declarative-config/#the-declarative-configuration-format) for Kong to run.
+You can provide an existing ConfigMap
+(`dblessConfig.configMap`) or Secret (`dblessConfig.secret`) or place the whole
+configuration into `values.yaml` (`dblessConfig.config`) parameter. See the
+example configuration in the default values.yaml for more details. You can use
+`--set-file dblessConfig.config=/path/to/declarative-config.yaml` in Helm
+commands to substitute in a complete declarative config file.
 
-Furthermore, this chart allows you to bring your own database that you manage
-or spin up a new Postgres instance using the `postgres.enabled` parameter.
+Note that externally supplied ConfigMaps are not hashed or tracked in deployment annotations.
+Subsequent ConfigMap updates will require user-initiated new deployment rollouts
+to apply the new configuration. You should run `kubectl rollout restart deploy`
+after updating externally supplied ConfigMap content.
 
-> Cassandra deployment via a sub-chart was previously supported but
-the support has now been dropped due to stability issues.
-You can still deploy Cassandra on your own and configure Kong to use
-that via the `env.database` parameter.
+#### Using the Postgres sub-chart
 
-#### DB-less  deployment
+The chart can optionally spawn a Postgres instance using [Bitnami's Postgres
+chart](https://github.com/bitnami/charts/blob/master/bitnami/postgresql/README.md)
+as a sub-chart. Set `postgresql.enabled=true` to enable the sub-chart. Enabling
+this will auto-populate Postgres connection settings in Kong's environment.
 
-When deploying Kong in DB-less mode(`env.database: "off"`)
-and without the Ingress Controller(`ingressController.enabled: false`),
-you have to provide a declarative configuration for Kong to run.
-The configuration can be provided using an existing ConfigMap
-(`dblessConfig.configMap`) or or the whole configuration can be put into the
-`values.yaml` file for deployment itself, under the `dblessConfig.config`
-parameter. See the example configuration in the default values.yaml
-for more details.
+The Postgres sub-chart is best used to quickly provision temporary environments
+without installing and configuring your database separately. For longer-lived
+environments, we recommend you manage your database outside the Kong Helm
+release.
+
+##### Postgres sub-chart considerations for OpenShift
+
+Due to the default `securityContexts` in the postgres sub-chart, you will need to add the following values to the `postgresql` section to get postgres running on OpenShift:
+
+```yaml
+  volumePermissions:
+    enabled: false
+    securityContext:
+      runAsUser: "auto"
+  primary:
+    containerSecurityContext:
+      enabled: false
+    podSecurityContext:
+      enabled: false
+```
 
 ### Runtime package
 
 There are three different packages of Kong that are available:
 
-- **Kong Gateway**  
+- **Kong Gateway**\
   This is the [Open-Source](https://github.com/kong/kong) offering. It is a
   full-blown API Gateway and Ingress solution with a wide-array of functionality.
   When Kong Gateway is combined with the Ingress based configuration method,
   you get Kong for Kubernetes. This is the default deployment for this Helm
   Chart.
-- **Kong Enterprise K8S**  
+- **Kong Enterprise K8S**\
   This package builds up on top of the Open-Source Gateway and bundles in all
   the Enterprise-only plugins as well.
   When Kong Enterprise K8S is combined with the Ingress based
   configuration method, you get Kong for Kubernetes Enterprise.
   This package also comes with 24x7 support from Kong Inc.
-- **Kong Enterprise**  
+- **Kong Enterprise**\
   This is the full-blown Enterprise package which packs with itself all the
   Enterprise functionality like Manager, Portal, Vitals, etc.
   This package can't be run in DB-less mode.
@@ -172,22 +229,379 @@ the [Kong Enterprise Parameters](#kong-enterprise-parameters) section.
 ### Configuration method
 
 Kong can be configured via two methods:
-- **Ingress and CRDs**  
+- **Ingress and CRDs**\
   The configuration for Kong is done via `kubectl` and Kubernetes-native APIs.
   This is also known as Kong Ingress Controller or Kong for Kubernetes and is
   the default deployment pattern for this Helm Chart. The configuration
   for Kong is managed via Ingress and a few
-  [Custom Resources](https://github.com/Kong/kubernetes-ingress-controller/blob/master/docs/concepts/custom-resources.md).
+  [Custom Resources](https://docs.konghq.com/kubernetes-ingress-controller/latest/concepts/custom-resources).
   For more details, please read the
-  [documentation](https://github.com/Kong/kubernetes-ingress-controller/tree/master/docs)
+  [documentation](https://docs.konghq.com/kubernetes-ingress-controller/)
   on Kong Ingress Controller.
   To configure and fine-tune the controller, please read the
   [Ingress Controller Parameters](#ingress-controller-parameters) section.
-- **Admin API**  
+- **Admin API**\
   This is the traditional method of running and configuring Kong.
   By default, the Admin API of Kong is not exposed as a Service. This
   can be controlled via `admin.enabled` and `env.admin_listen` parameters.
 
+### Separate admin and proxy nodes
+
+*Note: although this section is titled "Separate admin and proxy nodes", this
+split release technique is generally applicable to any deployment with
+different types of Kong nodes. Separating Admin API and proxy nodes is one of
+the more common use cases for splitting across multiple releases, but you can
+also split releases for split proxy and Developer Portal nodes, multiple groups
+of proxy nodes with separate listen configurations for network segmentation, etc.
+However, it does not apply to hybrid mode, as only the control plane release
+interacts with the database.*
+
+Users may wish to split their Kong deployment into multiple instances that only
+run some of Kong's services (i.e. you run `helm install` once for every
+instance type you wish to create).
+
+To disable Kong services on an instance, you should set `SVC.enabled`,
+`SVC.http.enabled`, `SVC.tls.enabled`, and `SVC.ingress.enabled` all to
+`false`, where `SVC` is `proxy`, `admin`, `manager`, `portal`, or `portalapi`.
+
+The standard chart upgrade automation process assumes that there is only a
+single Kong release in the Kong cluster, and runs both `migrations up` and
+`migrations finish` jobs. To handle clusters split across multiple releases,
+you should:
+1. Upgrade one of the releases with `helm upgrade RELEASENAME -f values.yaml
+   --set migrations.preUpgrade=true --set migrations.postUpgrade=false`.
+2. Upgrade all but one of the remaining releases with `helm upgrade RELEASENAME
+   -f values.yaml --set migrations.preUpgrade=false --set
+   migrations.postUpgrade=false`.
+3. Upgrade the final release with `helm upgrade RELEASENAME -f values.yaml
+   --set migrations.preUpgrade=false --set migrations.postUpgrade=true`.
+
+This ensures that all instances are using the new Kong package before running
+`kong migrations finish`.
+
+Users should note that Helm supports supplying multiple values.yaml files,
+allowing you to separate shared configuration from instance-specific
+configuration. For example, you may have a shared values.yaml that contains
+environment variables and other common settings, and then several
+instance-specific values.yamls that contain service configuration only. You can
+then create releases with:
+
+```bash
+helm install proxy-only -f shared-values.yaml -f only-proxy.yaml kong/kong
+helm install admin-only -f shared-values.yaml -f only-admin.yaml kong/kong
+```
+
+### Standalone controller nodes
+
+The chart can deploy releases that contain the controller only, with no Kong
+container, by setting `deployment.kong.enabled: false` in values.yaml. There
+are several controller settings that must be populated manually in this
+scenario and several settings that are useful when using multiple controllers:
+
+* `ingressController.env.kong_admin_url` must be set to the Kong Admin API URL.
+  If the Admin API is exposed by a service in the cluster, this should look
+  something like `https://my-release-kong-admin.kong-namespace.svc:8444`
+* `ingressController.env.publish_service` must be set to the Kong proxy
+  service, e.g. `namespace/my-release-kong-proxy`.
+* `ingressController.ingressClass` should be set to a different value for each
+  instance of the controller.
+* `ingressController.env.kong_admin_filter_tag` should be set to a different value
+  for each instance of the controller.
+* If using Kong Enterprise, `ingressController.env.kong_workspace` can
+  optionally create configuration in a workspace other than `default`.
+
+Standalone controllers require a database-backed Kong instance, as DB-less mode
+requires that a single controller generate a complete Kong configuration.
+
+### Hybrid mode
+
+Kong supports [hybrid mode
+deployments](https://docs.konghq.com/2.0.x/hybrid-mode/) as of Kong 2.0.0 and
+[Kong Enterprise 2.1.0](https://docs.konghq.com/enterprise/2.1.x/deployment/hybrid-mode/).
+These deployments split Kong nodes into control plane (CP) nodes, which provide
+the admin API and interact with the database, and data plane (DP) nodes, which
+provide the proxy and receive configuration from control plane nodes.
+
+You can deploy hybrid mode Kong clusters by [creating separate releases for each node
+type](#separate-admin-and-proxy-nodes), i.e. use separate control and data
+plane values.yamls that are then installed separately. The [control
+plane](#control-plane-node-configuration) and [data
+plane](#data-plane-node-configuration) configuration sections below cover the
+values.yaml specifics for each.
+
+Cluster certificates are not generated automatically. You must [create a
+certificate and key pair](#certificates) for intra-cluster communication.
+
+When upgrading the Kong version, you must [upgrade the control plane release
+first and then upgrade the data plane release](https://docs.konghq.com/gateway/latest/plan-and-deploy/hybrid-mode/#version-compatibility).
+
+#### Certificates
+
+> This example shows how to use Kong Hybrid mode with `cluster_mtls: shared`.
+> For an example of `cluster_mtls: pki` see the [hybrid-cert-manager example](https://github.com/Kong/charts/blob/main/charts/kong/example-values/hybrid-cert-manager/)
+
+Hybrid mode uses TLS to secure the CP/DP node communication channel, and
+requires certificates for it. You can generate these either using `kong hybrid
+gen_cert` on a local Kong installation or using OpenSSL:
+
+```bash
+openssl req -new -x509 -nodes -newkey ec:<(openssl ecparam -name secp384r1) \
+  -keyout /tmp/cluster.key -out /tmp/cluster.crt \
+  -days 1095 -subj "/CN=kong_clustering"
+```
+
+You must then place these certificates in a Secret:
+
+```bash
+kubectl create secret tls kong-cluster-cert --cert=/tmp/cluster.crt --key=/tmp/cluster.key
+```
+
+#### Control plane node configuration
+
+You must configure the control plane nodes to mount the certificate secret on
+the container filesystem is serve it from the cluster listen. In values.yaml:
+
+```yaml
+secretVolumes:
+- kong-cluster-cert
+```
+
+```yaml
+env:
+  role: control_plane
+  cluster_cert: /etc/secrets/kong-cluster-cert/tls.crt
+  cluster_cert_key: /etc/secrets/kong-cluster-cert/tls.key
+```
+
+Furthermore, you must enable the cluster listen and Kubernetes Service, and
+should typically disable the proxy:
+
+```yaml
+cluster:
+  enabled: true
+  tls:
+    enabled: true
+    servicePort: 8005
+    containerPort: 8005
+
+proxy:
+  enabled: false
+```
+
+Enterprise users with Vitals enabled must also enable the cluster telemetry
+service:
+
+```yaml
+clustertelemetry:
+  enabled: true
+  tls:
+    enabled: true
+    servicePort: 8006
+    containerPort: 8006
+```
+
+If using the ingress controller, you must also specify the DP proxy service as
+its publish target to keep Ingress status information up to date:
+
+```
+ingressController:
+  env:
+    publish_service: hybrid/example-release-data-kong-proxy
+```
+
+Replace `hybrid` with your DP nodes' namespace and `example-release-data` with
+the name of the DP release.
+
+#### Data plane node configuration
+
+Data plane configuration also requires the certificate and `role`
+configuration, and the database should always be set to `off`. You must also
+trust the cluster certificate and indicate what hostname/port Kong should use
+to find control plane nodes.
+
+Though not strictly required, you should disable the admin service (it will not
+work on DP nodes anyway, but should be disabled to avoid creating an invalid
+Service resource).
+
+```yaml
+secretVolumes:
+- kong-cluster-cert
+```
+
+```yaml
+admin:
+  enabled: false
+```
+
+```yaml
+env:
+  role: data_plane
+  database: "off"
+  cluster_cert: /etc/secrets/kong-cluster-cert/tls.crt
+  cluster_cert_key: /etc/secrets/kong-cluster-cert/tls.key
+  lua_ssl_trusted_certificate: /etc/secrets/kong-cluster-cert/tls.crt
+  cluster_control_plane: control-plane-release-name-kong-cluster.hybrid.svc.cluster.local:8005
+  cluster_telemetry_endpoint: control-plane-release-name-kong-clustertelemetry.hybrid.svc.cluster.local:8006 # Enterprise-only
+```
+
+Note that the `cluster_control_plane` value will differ depending on your
+environment. `control-plane-release-name` will change to your CP release name,
+`hybrid` will change to whatever namespace it resides in. See [Kubernetes'
+documentation on Service
+DNS](https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/)
+for more detail.
+
+If you use multiple Helm releases to manage different data plane configurations
+attached to the same control plane, setting the `deployment.hostname` field
+will help you keep track of which is which in the `/clustering/data-plane`
+endpoint.
+
+### Cert Manager Integration
+
+By default, Kong will create self-signed certificates on start for its TLS
+listens if you do not provide your own. The chart can create
+[cert-manager](https://cert-manager.io/docs/) Certificates for its Services and
+configure them for you. To use this integration, install cert-manager, create
+an issuer, set `certificates.enabled: true` in values.yaml, and set your issuer
+name in `certificates.issuer` or `certificates.clusterIssuer` depending on the
+issuer type. 
+
+If you do not have an issuer available, you can install the example [self-signed ClusterIssuer](https://cert-manager.io/docs/configuration/selfsigned/#bootstrapping-ca-issuers)
+and set `certificates.clusterIssuer: selfsigned-issuer` for testing. You
+should, however, migrate to an issuer using a CA your clients trust for actual
+usage.
+
+The `proxy`, `admin`, `portal`, and `cluster` subsections under `certificates`
+let you choose hostnames, override issuers, set `subject` or set `privateKey` on a per-certificate basis for the
+proxy, admin API and Manager, Portal and Portal API, and hybrid mode mTLS
+services, respectively.
+
+To use hybrid mode, the control and data plane releases must use the same
+issuer for their cluster certificates.
+
+### CRD management
+
+Earlier versions of this chart (<2.0) created CRDs associated with the ingress
+controller as part of the release. This raised two challenges:
+
+- Multiple release of the chart would conflict with one another, as each would
+  attempt to create its own set of CRDs.
+- Because deleting a CRD also deletes any custom resources associated with it,
+  deleting a release of the chart could destroy user configuration without
+  providing any means to restore it.
+
+Helm 3 introduced a simplified CRD management method that was safer, but
+requires some manual work when a chart added or modified CRDs: CRDs are created
+on install if they are not already present, but are not modified during
+release upgrades or deletes. Our chart release upgrade instructions call out
+when manual action is necessary to update CRDs. This CRD handling strategy is
+recommended for most users.
+
+Some users may wish to manage their CRDs automatically. If you manage your CRDs
+this way, we _strongly_ recommend that you back up all associated custom
+resources in the event you need to recover from unintended CRD deletion.
+
+While Helm 3's CRD management system is recommended, there is no simple means
+of migrating away from release-managed CRDs if you previously installed your
+release with the old system (you would need to back up your existing custom
+resources, delete your release, reinstall, and restore your custom resources
+after). As such, the chart detects if you currently use release-managed CRDs
+and continues to use the old CRD templates when using chart version 2.0+. If
+you do (your resources will have a `meta.helm.sh/release-name` annotation), we
+_strongly_ recommend that you back up all associated custom resources in the
+event you need to recover from unintended CRD deletion.
+
+### InitContainers
+
+The chart is able to deploy initContainers along with Kong. This can be very
+useful when there's a requirement for custom initialization. The
+`deployment.initContainers` field in values.yaml takes an array of objects that
+get appended as-is to the existing `spec.template.initContainers` array in the
+kong deployment resource.
+
+### HostAliases
+
+The chart is able to inject host aliases into containers. This can be very useful
+when it's required to resolve additional domain name which can't be looked-up
+directly from dns server. The `deployment.hostAliases` field in values.yaml
+takes an array of objects that set to `spec.template.hostAliases` field in the
+kong deployment resource.
+
+### Sidecar Containers
+
+The chart can deploy additional containers along with the Kong and Ingress
+Controller containers, sometimes referred to as "sidecar containers".  This can
+be useful to include network proxies or logging services along with Kong.  The
+`deployment.sidecarContainers` field in values.yaml takes an array of objects
+that get appended as-is to the existing `spec.template.spec.containers` array
+in the Kong deployment resource.
+
+### Migration Sidecar Containers
+
+In the same way sidecar containers are attached to the Kong and Ingress
+Controller containers the chart can add sidecars to the containers that runs
+the migrations. The
+`migrations.sidecarContainers` field in values.yaml takes an array of objects
+that get appended as-is to the existing `spec.template.spec.containers` array
+in the pre-upgrade-migrations, post-upgrade-migrations and migration resrouces.
+Keep in mind the containers should be finite and they should be terminated
+with the migration containers, otherwise the migration could get the status
+as finished and the deployment of the chart will reach the timeout.
+
+### User Defined Volumes
+
+The chart can deploy additional volumes along with Kong. This can be useful to
+include additional volumes which required during iniatilization phase
+(InitContainer). The  `deployment.userDefinedVolumes` field in values.yaml
+takes an array of objects that get appended as-is to the existing
+`spec.template.spec.volumes` array in the kong deployment resource.
+
+### User Defined Volume Mounts
+
+The chart can mount user-defined volumes. The
+`deployment.userDefinedVolumeMounts` and
+`ingressController.userDefinedVolumeMounts` fields in values.yaml take an array
+of object that get appended as-is to the existing
+`spec.template.spec.containers[].volumeMounts` and
+`spec.template.spec.initContainers[].volumeMounts` array in the kong deployment
+resource.
+
+### Removing cluster-scoped permissions
+
+You can limit the controller's access to allow it to only watch specific
+namespaces for namespaced resources. By default, the controller watches all
+namespaces. Limiting access requires several changes to configuration:
+
+- Set `ingressController.watchNamespaces` to a list of namespaces you want to
+  watch. The chart will automatically generate roles for each namespace and
+  assign them to the controller's service account.
+- Optionally set `ingressController.installCRDs=false` if your user role (the
+  role you use when running `helm install`, not the controller service
+  account's role) does not have access to get CRDs. By default, the chart
+  attempts to look up the controller CRDs for [a legacy behavior
+  check](#crd-management).
+
+### Using a DaemonSet
+
+Setting `deployment.daemonset: true` deploys Kong using a [DaemonSet
+controller](https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/)
+instead of a Deployment controller. This runs a Kong Pod on every kubelet in
+the Kubernetes cluster. For such configuration it may be desirable to configure
+Pods to use the network of the host they run on instead of a dedicated network
+namespace. The benefit of this approach is that the Kong can bind ports directly
+to Kubernetes nodes' network interfaces, without the extra network translation
+imposed by NodePort Services. It can be achieved by setting `deployment.hostNetwork: true`.
+
+### Using dnsPolicy and dnsConfig
+
+The chart able to inject custom DNS configuration into containers. This can be useful when you have EKS cluster with [NodeLocal DNSCache](https://kubernetes.io/docs/tasks/administer-cluster/nodelocaldns/) configured and attach AWS security groups directly to pod using [security groups for pods feature](https://docs.aws.amazon.com/eks/latest/userguide/security-groups-for-pods.html).
+
+### Example configurations
+
+Several example values.yaml are available in the
+[example-values](https://github.com/Kong/charts/blob/main/charts/kong/example-values/)
+directory.
+
 ## Configuration
 
 ### Kong parameters
@@ -195,100 +609,338 @@ Kong can be configured via two methods:
 | Parameter                          | Description                                                                           | Default             |
 | ---------------------------------- | ------------------------------------------------------------------------------------- | ------------------- |
 | image.repository                   | Kong image                                                                            | `kong`              |
-| image.tag                          | Kong image version                                                                    | `1.3`               |
+| image.tag                          | Kong image version                                                                    | `3.5`               |
+| image.effectiveSemver              | Semantic version to use for version-dependent features (if `tag` is not a semver)     |                     |
 | image.pullPolicy                   | Image pull policy                                                                     | `IfNotPresent`      |
 | image.pullSecrets                  | Image pull secrets                                                                    | `null`              |
-| replicaCount                       | Kong instance count                                                                   | `1`                 |
-| admin.enabled                      | Create Admin Service                                                                  | `false`             |
-| admin.useTLS                       | Secure Admin traffic                                                                  | `true`              |
-| admin.servicePort                  | TCP port on which the Kong admin service is exposed                                   | `8444`              |
-| admin.containerPort                | TCP port on which Kong app listens for admin traffic                                  | `8444`              |
-| admin.nodePort                     | Node port when service type is `NodePort`                                             |                     |
-| admin.hostPort                     | Host port to use for admin traffic                                                    |                     |
-| admin.type                         | k8s service type, Options: NodePort, ClusterIP, LoadBalancer                          | `NodePort`          |
-| admin.loadBalancerIP               | Will reuse an existing ingress static IP for the admin service                        | `null`              |
-| admin.loadBalancerSourceRanges     | Limit admin access to CIDRs if set and service type is `LoadBalancer`                 | `[]`                |
-| admin.ingress.enabled              | Enable ingress resource creation (works with proxy.type=ClusterIP)                    | `false`             |
-| admin.ingress.tls                  | Name of secret resource, containing TLS secret                                        |                     |
-| admin.ingress.hosts                | List of ingress hosts.                                                                | `[]`                |
-| admin.ingress.path                 | Ingress path.                                                                         | `/`                 |
-| admin.ingress.annotations          | Ingress annotations. See documentation for your ingress controller for details        | `{}`                |
-| proxy.http.enabled                 | Enables http on the proxy                                                             | true                |
-| proxy.http.servicePort             | Service port to use for http                                                          | 80                  |
-| proxy.http.containerPort           | Container port to use for http                                                        | 8000                |
-| proxy.http.nodePort                | Node port to use for http                                                             | 32080               |
-| proxy.http.hostPort                | Host port to use for http                                                             |                     |
-| proxy.tls.enabled                  | Enables TLS on the proxy                                                              | true                |
-| proxy.tls.containerPort            | Container port to use for TLS                                                         | 8443                |
-| proxy.tls.servicePort              | Service port to use for TLS                                                           | 8443                |
-| proxy.tls.nodePort                 | Node port to use for TLS                                                              | 32443               |
-| proxy.tls.hostPort                 | Host port to use for TLS                                                              |                     |
-| proxy.tls.overrideServiceTargetPort| Override service port to use for TLS without touching Kong containerPort              |                     |
-| proxy.type                         | k8s service type. Options: NodePort, ClusterIP, LoadBalancer                          | `LoadBalancer`      |
-| proxy.clusterIP                    | k8s service clusterIP                                                                 |                     |
-| proxy.loadBalancerSourceRanges     | Limit proxy access to CIDRs if set and service type is `LoadBalancer`                 | `[]`                |
-| proxy.loadBalancerIP               | To reuse an existing ingress static IP for the admin service                          |                     |
-| proxy.externalIPs                  | IPs for which nodes in the cluster will also accept traffic for the proxy             | `[]`                |
-| proxy.externalTrafficPolicy        | k8s service's externalTrafficPolicy. Options: Cluster, Local                          |                     |
-| proxy.ingress.enabled              | Enable ingress resource creation (works with proxy.type=ClusterIP)                    | `false`             |
-| proxy.ingress.tls                  | Name of secret resource, containing TLS secret                                        |                     |
-| proxy.ingress.hosts                | List of ingress hosts.                                                                | `[]`                |
-| proxy.ingress.path                 | Ingress path.                                                                         | `/`                 |
-| proxy.ingress.annotations          | Ingress annotations. See documentation for your ingress controller for details        | `{}`                |
+| replicaCount                       | Kong instance count. It has no effect when `autoscaling.enabled` is set to true       | `1`                 |
 | plugins                            | Install custom plugins into Kong via ConfigMaps or Secrets                            | `{}`                |
 | env                                | Additional [Kong configurations](https://getkong.org/docs/latest/configuration/)      |                     |
-| runMigrations                      | Run Kong migrations job                                                               | `true`              |
-| waitImage.repository               | Image used to wait for database to become ready                                       | `busybox`           |
-| waitImage.tag                      | Tag for image used to wait for database to become ready                               | `latest`            |
+| customEnv                          | Custom Environment variables without `KONG_` prefix                                   |                     |
+| envFrom                            | Populate environment variables from ConfigMap or Secret keys                          |                     |
+| migrations.preUpgrade              | Run "kong migrations up" jobs                                                         | `true`              |
+| migrations.postUpgrade             | Run "kong migrations finish" jobs                                                     | `true`              |
+| migrations.annotations             | Annotations for migration job pods                                                    | `{"sidecar.istio.io/inject": "false" |
+| migrations.jobAnnotations          | Additional annotations for migration jobs                                             | `{}`                |
+| migrations.backoffLimit            | Override the system backoffLimit                                                      | `{}`                |
+| waitImage.enabled                  | Spawn init containers that wait for the database before starting Kong                 | `true`              |
+| waitImage.repository               | Image used to wait for database to become ready. Uses the Kong image if none set      |                     |
+| waitImage.tag                      | Tag for image used to wait for database to become ready                               |                     |
 | waitImage.pullPolicy               | Wait image pull policy                                                                | `IfNotPresent`      |
 | postgresql.enabled                 | Spin up a new postgres instance for Kong                                              | `false`             |
 | dblessConfig.configMap             | Name of an existing ConfigMap containing the `kong.yml` file. This must have the key `kong.yml`.| `` |
 | dblessConfig.config                | Yaml configuration file for the dbless (declarative) configuration of Kong | see in `values.yaml`    |
 
+#### Kong Service Parameters
+
+The various `SVC.*` parameters below are common to the various Kong services
+(the admin API, proxy, Kong Manager, the Developer Portal, and the Developer
+Portal API) and define their listener configuration, K8S Service properties,
+and K8S Ingress properties. Defaults are listed only if consistent across the
+individual services: see values.yaml for their individual default values.
+
+`SVC` below can be substituted with each of:
+* `proxy`
+* `udpProxy`
+* `admin`
+* `manager`
+* `portal`
+* `portalapi`
+* `cluster`
+* `clustertelemetry`
+* `status`
+
+`status` is intended for internal use within the cluster. Unlike other
+services it cannot be exposed externally, and cannot create a Kubernetes
+service or ingress. It supports the settings under `SVC.http` and `SVC.tls`
+only.
+
+`cluster` is used on hybrid mode control plane nodes. It does not support the
+`SVC.http.*` settings (cluster communications must be TLS-only) or the
+`SVC.ingress.*` settings (cluster communication requires TLS client
+authentication, which cannot pass through an ingress proxy). `clustertelemetry`
+is similar, and used when Vitals is enabled on Kong Enterprise control plane
+nodes.
+
+`udpProxy` is used for UDP stream listens (Kubernetes does not yet support
+mixed TCP/UDP LoadBalancer Services). It _does not_ support the `http`, `tls`,
+or `ingress` sections, as it is used only for stream listens.
+
+| Parameter                         | Description                                                                               | Default                  |
+|-----------------------------------|-------------------------------------------------------------------------------------------|--------------------------|
+| SVC.enabled                       | Create Service resource for SVC (admin, proxy, manager, etc.)                             |                          |
+| SVC.http.enabled                  | Enables http on the service                                                               |                          |
+| SVC.http.servicePort              | Service port to use for http                                                              |                          |
+| SVC.http.containerPort            | Container port to use for http                                                            |                          |
+| SVC.http.nodePort                 | Node port to use for http                                                                 |                          |
+| SVC.http.hostPort                 | Host port to use for http                                                                 |                          |
+| SVC.http.parameters               | Array of additional listen parameters                                                     | `[]`                     |
+| SVC.http.appProtocol              | `appProtocol` to be set in a Service's port. If left empty, no `appProtocol` will be set. |                          |
+| SVC.tls.enabled                   | Enables TLS on the service                                                                |                          |
+| SVC.tls.containerPort             | Container port to use for TLS                                                             |                          |
+| SVC.tls.servicePort               | Service port to use for TLS                                                               |                          |
+| SVC.tls.nodePort                  | Node port to use for TLS                                                                  |                          |
+| SVC.tls.hostPort                  | Host port to use for TLS                                                                  |                          |
+| SVC.tls.overrideServiceTargetPort | Override service port to use for TLS without touching Kong containerPort                  |                          |
+| SVC.tls.parameters                | Array of additional listen parameters                                                     | `["http2"]`              |
+| SVC.tls.appProtocol               | `appProtocol` to be set in a Service's port. If left empty, no `appProtocol` will be set. |                          |
+| SVC.type                          | k8s service type. Options: NodePort, ClusterIP, LoadBalancer                              |                          |
+| SVC.clusterIP                     | k8s service clusterIP                                                                     |                          |
+| SVC.loadBalancerClass             | loadBalancerClass to use for LoadBalancer provisionning                                   |                          |
+| SVC.loadBalancerSourceRanges      | Limit service access to CIDRs if set and service type is `LoadBalancer`                   | `[]`                     |
+| SVC.loadBalancerIP                | Reuse an existing ingress static IP for the service                                       |                          |
+| SVC.externalIPs                   | IPs for which nodes in the cluster will also accept traffic for the servic                | `[]`                     |
+| SVC.externalTrafficPolicy         | k8s service's externalTrafficPolicy. Options: Cluster, Local                              |                          |
+| SVC.ingress.enabled               | Enable ingress resource creation (works with SVC.type=ClusterIP)                          | `false`                  |
+| SVC.ingress.ingressClassName      | Set the ingressClassName to associate this Ingress with an IngressClass                   |                          |
+| SVC.ingress.hostname              | Ingress hostname                                                                          | `""`                     |
+| SVC.ingress.path                  | Ingress path.                                                                             | `/`                      |
+| SVC.ingress.pathType              | Ingress pathType. One of `ImplementationSpecific`, `Exact` or `Prefix`                    | `ImplementationSpecific` |
+| SVC.ingress.hosts                 | Slice of hosts configurations, including `hostname`, `path` and `pathType` keys           | `[]`                     |
+| SVC.ingress.tls                   | Name of secret resource or slice of `secretName` and `hosts` keys                         |                          |
+| SVC.ingress.annotations           | Ingress annotations. See documentation for your ingress controller for details            | `{}`                     |
+| SVC.ingress.labels                | Ingress labels. Additional custom labels to add to the ingress.                           | `{}`                     |
+| SVC.annotations                   | Service annotations                                                                       | `{}`                     |
+| SVC.labels                        | Service labels                                                                            | `{}`                     |
+
+#### Admin Service mTLS
+
+On top of the common parameters listed above, the `admin` service supports parameters for mTLS client verification. 
+If any of `admin.tls.client.caBundle` or `admin.tls.client.secretName` are set, the admin service will be configured to
+require mTLS client verification. If both are set, `admin.tls.client.caBundle` will take precedence.
+
+| Parameter                   | Description                                                                                 | Default |
+|-----------------------------|---------------------------------------------------------------------------------------------|---------|
+| admin.tls.client.caBundle   | CA certificate to use for TLS verification of the Admin API client (PEM-encoded).           | `""`    |
+| admin.tls.client.secretName | CA certificate secret name - must contain a `tls.crt` key with the PEM-encoded certificate. | `""`    |
+
+#### Stream listens
+
+The proxy configuration additionally supports creating stream listens. These
+are configured using an array of objects under `proxy.stream` and `udpProxy.stream`:
+
+| Parameter                          | Description                                                                           | Default             |
+| ---------------------------------- | ------------------------------------------------------------------------------------- | ------------------- |
+| protocol                           | The listen protocol, either "TCP" or "UDP"                                            |                     |
+| containerPort                      | Container port to use for a stream listen                                             |                     |
+| servicePort                        | Service port to use for a stream listen                                               |                     |
+| nodePort                           | Node port to use for a stream listen                                                  |                     |
+| hostPort                           | Host port to use for a stream listen                                                  |                     |
+| parameters                         | Array of additional listen parameters                                                 | `[]`                |
+
 ### Ingress Controller Parameters
 
 All of the following properties are nested under the `ingressController`
 section of `values.yaml` file:
 
-| Parameter                          | Description                                                                           | Default                                                                      |
-| ---------------------------------- | ------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------- |
-| enabled                            | Deploy the ingress controller, rbac and crd                                           | true                                                                         |
-| replicaCount                       | Number of desired ingress controllers                                                 | 1                                                                            |
-| image.repository                   | Docker image with the ingress controller                                              | kong-docker-kubernetes-ingress-controller.bintray.io/kong-ingress-controller |
-| image.tag                          | Version of the ingress controller                                                     | 0.7.0                                                                        |
-| readinessProbe                     | Kong ingress controllers readiness probe                                              |                                                                              |
-| livenessProbe                      | Kong ingress controllers liveness probe                                               |                                                                              |
-| env                                | Specify Kong Ingress Controller configuration via environment variables               |                                                                              |
-| ingressClass                       | The ingress-class value for controller                                                | kong                                                                         |
-| admissionWebhook.enabled           | Whether to enable the validating admission webhook                                    | false                                                                        |
-| admissionWebhook.failurePolicy     | How unrecognized errors from the admission endpoint are handled (Ignore or Fail)      | Fail                                                                         |
-| admissionWebhook.port              | The port the ingress controller will listen on for admission webhooks                 | 8080                                                                         |
-
-For a complete list of all configuration values you can set in the 
+| Parameter                                  | Description                                                                                                                                              | Default                            |
+|--------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------|
+| enabled                                    | Deploy the ingress controller, rbac and crd                                                                                                              | true                               |
+| image.repository                           | Docker image with the ingress controller                                                                                                                 | kong/kubernetes-ingress-controller |
+| image.tag                                  | Version of the ingress controller                                                                                                                        | `3.0`                              |
+| image.effectiveSemver                      | Version of the ingress controller used for version-specific features when image.tag is not a valid semantic version                                      |                                    |
+| readinessProbe                             | Kong ingress controllers readiness probe                                                                                                                 |                                    |
+| livenessProbe                              | Kong ingress controllers liveness probe                                                                                                                  |                                    |
+| installCRDs                                | Legacy toggle for Helm 2-style CRD management. Should not be set [unless necessary due to cluster permissions](#removing-cluster-scoped-permissions).    | false                              |
+| env                                        | Specify Kong Ingress Controller configuration via environment variables                                                                                  |                                    |
+| customEnv                                  | Specify custom environment variables (without the CONTROLLER_ prefix)                                                                                    |                                    |
+| envFrom                                    | Populate environment variables from ConfigMap or Secret keys                                                                                             |                                    |
+| ingressClass                               | The name of this controller's ingressClass                                                                                                               | kong                               |
+| ingressClassAnnotations                    | The ingress-class value for controller                                                                                                                   | kong                               |
+| args                                       | List of ingress-controller cli arguments                                                                                                                 | []                                 |
+| watchNamespaces                            | List of namespaces to watch. Watches all namespaces if empty                                                                                             | []                                 |
+| admissionWebhook.enabled                   | Whether to enable the validating admission webhook                                                                                                       | true                               |
+| admissionWebhook.failurePolicy             | How unrecognized errors from the admission endpoint are handled (Ignore or Fail)                                                                         | Ignore                             |
+| admissionWebhook.port                      | The port the ingress controller will listen on for admission webhooks                                                                                    | 8080                               |
+| admissionWebhook.address                   | The address the ingress controller will listen on for admission webhooks, if not 0.0.0.0                                                                 |                                    |
+| admissionWebhook.annotations               | Annotations for the Validation Webhook Configuration                                                                                                     |                                    |
+| admissionWebhook.certificate.provided      | Use a provided certificate. When set to false, the chart will automatically generate a certificate.                                                      | false                              |
+| admissionWebhook.certificate.secretName    | Name of the TLS secret for the provided webhook certificate                                                                                              |                                    |
+| admissionWebhook.certificate.caBundle      | PEM encoded CA bundle which will be used to validate the provided webhook certificate                                                                    |                                    |
+| admissionWebhook.namespaceSelector         | Add namespaceSelector to the webhook. Please go to [Kubernetes doc for the specs](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-namespaceselector)                                                                          |                                    |
+| admissionWebhook.timeoutSeconds            | Kubernetes `apiserver`'s timeout when running this webhook. Default: 10 seconds.                                                                         |                                    |
+| userDefinedVolumes                         | Create volumes. Please go to Kubernetes doc for the spec of the volumes                                                                                  |                                    |
+| userDefinedVolumeMounts                    | Create volumeMounts. Please go to Kubernetes doc for the spec of the volumeMounts                                                                        |                                    |
+| terminationGracePeriodSeconds              | Sets the [termination grace period](https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#hook-handler-execution) for Deployment pod | 30                                 |
+| gatewayDiscovery.enabled                   | Enables Kong instance service discovery (for more details see [gatewayDiscovery section][gd_section])                                                    | false                              |
+| gatewayDiscovery.generateAdminApiService   | Generate the admin API service name based on the release name (for more details see [gatewayDiscovery section][gd_section])                                                    | false                              |
+| gatewayDiscovery.adminApiService.namespace | The namespace of the Kong admin API service (for more details see [gatewayDiscovery section][gd_section])                                                | `.Release.Namespace`               |
+| gatewayDiscovery.adminApiService.name      | The name of the Kong admin API service (for more details see [gatewayDiscovery section][gd_section])                                                     | ""                                 |
+| konnect.enabled                            | Enable synchronisation of data plane configuration with Konnect Runtime Group                                                                            | false                              |
+| konnect.runtimeGroupID                     | Konnect Runtime Group's unique identifier.                                                                                                               |                                    |
+| konnect.apiHostname                        | Konnect API hostname. Defaults to a production US-region.                                                                                                | us.kic.api.konghq.com              |
+| konnect.tlsClientCertSecretName            | Name of the secret that contains Konnect Runtime Group's client TLS certificate.                                                                         | konnect-client-tls                 |
+| konnect.license.enabled                    | Enable automatic license provisioning for Gateways managed by Ingress Controller in Konnect mode.                                                        | false                              |
+| adminApi.tls.client.enabled                | Enable TLS client verification for the Admin API. By default, Helm will generate certificates automatically.                                             | false                              |
+| adminApi.tls.client.certProvided           | Use user-provided certificates. If set to false, Helm will generate certificates.                                                                        | false                              |
+| adminApi.tls.client.secretName             | Client TLS certificate/key pair secret name. Can be also set when `certProvided` is false to enforce a generated secret's name.                          | ""                                 |
+| adminApi.tls.client.caSecretName           | CA TLS certificate/key pair secret name. Can be also set when `certProvided` is false to enforce a generated secret's name.                              | ""                                 |
+
+[gd_section]: #the-gatewayDiscovery-section
+
+#### The `env` section
+For a complete list of all configuration values you can set in the
 `env` section, please read the Kong Ingress Controller's
-[configuration document](https://github.com/Kong/kubernetes-ingress-controller/blob/master/docs/references/cli-arguments.md).
+[configuration document](https://docs.konghq.com/kubernetes-ingress-controller/latest/reference/cli-arguments/).
+
+#### The `customEnv` section
+
+The `customEnv` section can be used to configure all environment variables other than Ingress Controller configuration.
+Any key value put under this section translates to environment variables.
+Every key is upper-cased before setting the environment variable.
+
+An example:
+
+```yaml
+kong:
+  ingressController:
+    customEnv:
+      TZ: "Europe/Berlin"
+```
+
+#### The `gatewayDiscovery` section
+
+Kong Ingress Controller v2.9 has introduced gateway discovery which allows
+the controller to discover Gateway instances that it should configure using
+an Admin API Kubernetes service.
+
+Using this feature requires a split release installation of Gateways and Ingress Controller.
+For exemplar `values.yaml` files which use this feature please see: [examples README.md](./example-values/README.md).
+or use the [`ingress` chart](../ingress/README.md) which can handle this for you.
+
+##### Configuration
+
+You'll be able to configure this feature through configuration section under
+`ingressController.gatewayDiscovery`:
+
+- If `ingressController.gatewayDiscovery.enabled` is set to `false`: the ingress controller
+  will control a pre-determined set of Gateway instances based on Admin API URLs
+  (provided under the hood via `CONTROLLER_KONG_ADMIN_URL` environment variable).
+
+- If `ingressController.gatewayDiscovery.enabled` is set to `true`: the ingress controller
+  will dynamically locate Gateway instances by watching the specified Kubernetes
+  service.
+  (provided under the hood via `CONTROLLER_KONG_ADMIN_SVC` environment variable).
+
+  The following admin API Service flags have to be present in order for gateway
+  discovery to work:
+
+  - `ingressController.gatewayDiscovery.adminApiService.name`
+  - `ingressController.gatewayDiscovery.adminApiService.namespace`
+
+  If you set `ingressController.gatewayDiscovery.generateAdminApiService` to `true`,
+  the chart will generate values for `name` and `namespace` based on the current release name and
+  namespace. This is useful when consuming the `kong` chart as a subchart.
+
+Additionally, you can control the addresses that are generated for your Gateways
+via the `--gateway-discovery-dns-strategy` CLI flag that can be set on the Ingress Controller
+(or an equivalent environment variable: `CONTROLLER_GATEWAY_DISCOVERY_DNS_STRATEGY`).
+It accepts 3 values which change the way that Gateway addresses are generated:
+- `service` - for service scoped pod DNS names: `pod-ip-address.service-name.my-namespace.svc.cluster-domain.example`
+- `pod` - for namespace scope pod DNS names: `pod-ip-address.my-namespace.pod.cluster-domain.example`
+- `ip` (default, retains behavior introduced in v2.9) - for regular IP addresses
+
+When using `gatewayDiscovery`, you should consider configuring the Admin service to use mTLS client verification to make
+this interface secure.
+Without that, anyone who can access the Admin API from inside the cluster can configure the Gateway instances.
+
+On the controller release side, that can be achieved by setting `ingressController.adminApi.tls.client.enabled` to `true`.
+By default, Helm will generate a certificate Secret named `<release name>-admin-api-keypair` and
+a CA Secret named `<release name>-admin-api-ca-keypair` for you.
+
+To provide your own cert, set `ingressController.adminApi.tls.client.certProvided` to
+`true`, `ingressController.adminApi.tls.client.secretName` to the name of the Secret containing your client cert, and `ingressController.adminApi.tls.client.caSecretName` to the name of the Secret containing your CA cert.
+
+On the Gateway release side, set either `admin.tls.client.secretName` to the name of your CA Secret or set `admin.tls.client.caBundle` to the CA certificate string.
 
 ### General Parameters
 
 | Parameter                          | Description                                                                           | Default             |
 | ---------------------------------- | ------------------------------------------------------------------------------------- | ------------------- |
+| namespace                          | Namespace to deploy chart resources                                                   |                     |
+| deployment.kong.enabled            | Enable or disable deploying Kong                                                      | `true`              |
+| deployment.minReadySeconds         | Minimum number of seconds for which newly created pods should be ready without any of its container crashing, for it to be considered available. |                     |
+| deployment.initContainers          | Create initContainers. Please go to Kubernetes doc for the spec of the initContainers |                     |
+| deployment.daemonset               | Use a DaemonSet instead of a Deployment                                               | `false`             |
+| deployment.hostname                | Set the Deployment's `.spec.template.hostname`. Kong reports this as its hostname.    |                     |
+| deployment.hostNetwork             | Enable hostNetwork, which binds to the ports to the host                              | `false`             |
+| deployment.userDefinedVolumes      | Create volumes. Please go to Kubernetes doc for the spec of the volumes               |                     |
+| deployment.userDefinedVolumeMounts | Create volumeMounts. Please go to Kubernetes doc for the spec of the volumeMounts     |                     |
+| deployment.serviceAccount.create   | Create Service Account for the Deployment / Daemonset and the migrations              | `true`              |
+| deployment.serviceAccount.automountServiceAccountToken   | Enable ServiceAccount token automount in Kong deployment        | `false`             |
+| deployment.serviceAccount.name     | Name of the Service Account, a default one will be generated if left blank.           | ""                  |
+| deployment.serviceAccount.annotations | Annotations for the Service Account                                                | {}                  |
+| deployment.test.enabled            | Enable creation of test resources for use with "helm test"                            | `false`             |
+| autoscaling.enabled                | Set this to `true` to enable autoscaling                                              | `false`             |
+| autoscaling.minReplicas            | Set minimum number of replicas                                                        | `2`                 |
+| autoscaling.maxReplicas            | Set maximum number of replicas                                                        | `5`                 |
+| autoscaling.behavior               | Sets the [behavior for scaling up and down](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/#configurable-scaling-behavior) | `{}`                |
+| autoscaling.targetCPUUtilizationPercentage | Target Percentage for when autoscaling takes affect. Only used if cluster does not support `autoscaling/v2` or `autoscaling/v2beta2` | `80`  |
+| autoscaling.metrics                | metrics used for autoscaling for clusters that supports `autoscaling/v2` or `autoscaling/v2beta2`           | See [values.yaml](values.yaml) |
 | updateStrategy                     | update strategy for deployment                                                        | `{}`                |
 | readinessProbe                     | Kong readiness probe                                                                  |                     |
 | livenessProbe                      | Kong liveness probe                                                                   |                     |
+| startupProbe                       | Kong startup probe                                                                    |                     |
+| lifecycle                          | Proxy container lifecycle hooks                                                       | see `values.yaml`   |
+| terminationGracePeriodSeconds      | Sets the [termination grace period](https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#hook-handler-execution) for Deployment pods | 30                  |
 | affinity                           | Node/pod affinities                                                                   |                     |
+| topologySpreadConstraints          | Control how Pods are spread across cluster among failure-domains                      |                     |
 | nodeSelector                       | Node labels for pod assignment                                                        | `{}`                |
-| podAnnotations                     | Annotations to add to each pod                                                        | `{}`                |
+| deploymentAnnotations              | Annotations to add to deployment                                                      |  see `values.yaml`  |
+| podAnnotations                     | Annotations to add to each pod                                                        |  see `values.yaml`  |
+| podLabels                          | Labels to add to each pod                                                             | `{}`                |
 | resources                          | Pod resource requests & limits                                                        | `{}`                |
 | tolerations                        | List of node taints to tolerate                                                       | `[]`                |
+| dnsPolicy                          | Pod dnsPolicy                                                                         |                     |
+| dnsConfig                          | Pod dnsConfig                                                                         |                     |
 | podDisruptionBudget.enabled        | Enable PodDisruptionBudget for Kong                                                   | `false`             |
 | podDisruptionBudget.maxUnavailable | Represents the minimum number of Pods that can be unavailable (integer or percentage) | `50%`               |
 | podDisruptionBudget.minAvailable   | Represents the number of Pods that must be available (integer or percentage)          |                     |
 | podSecurityPolicy.enabled          | Enable podSecurityPolicy for Kong                                                     | `false`             |
-| serviceMonitor.enabled             | Create ServiceMonitor for Prometheus Operator                                         | false               |
-| serviceMonitor.interval            | Scrapping interval                                                                    | 10s                 |
-| serviceMonitor.namespace           | Where to create ServiceMonitor                                                        |                     |
+| podSecurityPolicy.labels           | Labels to add to podSecurityPolicy for Kong                                           | `{}`             |
+| podSecurityPolicy.annotations      | Annotations to add to podSecurityPolicy for Kong                                      | `{}`             |
+| podSecurityPolicy.spec             | Collection of [PodSecurityPolicy settings](https://kubernetes.io/docs/concepts/policy/pod-security-policy/#what-is-a-pod-security-policy) | |
+| priorityClassName                  | Set pod scheduling priority class for Kong pods                                       | `""`                |
 | secretVolumes                      | Mount given secrets as a volume in Kong container to override default certs and keys. | `[]`                |
-| serviceMonitor.labels              | ServiceMonito Labels                                                                  | {}                  |
+| securityContext                    | Set the securityContext for Kong Pods                                                 | `{}`                |
+| containerSecurityContext           | Set the securityContext for Containers                                                | See values.yaml     |
+| serviceMonitor.enabled             | Create ServiceMonitor for Prometheus Operator                                         | `false`             |
+| serviceMonitor.interval            | Scraping interval                                                                     | `30s`               |
+| serviceMonitor.namespace           | Where to create ServiceMonitor                                                        |                     |
+| serviceMonitor.labels              | ServiceMonitor labels                                                                 | `{}`                |
+| serviceMonitor.targetLabels        | ServiceMonitor targetLabels                                                           | `{}`                |
+| serviceMonitor.honorLabels         | ServiceMonitor honorLabels                                                            | `{}`                |
+| serviceMonitor.metricRelabelings   | ServiceMonitor metricRelabelings                                                      | `{}`                |
+| extraConfigMaps                    | ConfigMaps to add to mounted volumes                                                  | `[]`                |
+| extraSecrets                       | Secrets to add to mounted volumes                                                     | `[]`                |
+| nameOverride                       | Replaces "kong" in resource names, like "RELEASENAME-nameOverride" instead of "RELEASENAME-kong" | `""`                |
+| fullnameOverride                   | Overrides the entire resource name string                                             | `""`                |
+| extraObjects                       | Create additional k8s resources                                                       | `[]`                |
+**Note:** If you are using `deployment.hostNetwork` to bind to lower ports ( < 1024), which may be the desired option (ports 80 and 433), you also
+need to tweak the `containerSecurityContext` configuration as in the example:
+
+```yaml
+containerSecurityContext: # run as root to bind to lower ports
+  capabilities:
+    add: [NET_BIND_SERVICE]
+  runAsGroup: 0
+  runAsNonRoot: false
+  runAsUser: 0
+```
+
+**Note:** The default `podAnnotations` values disable inbound proxying for Kuma 
+and Istio. This is appropriate when using Kong as a gateway for external 
+traffic inbound into the cluster.
+
+If you want to use Kong as an internal proxy within the cluster network, you 
+should enable inbound the inbound mesh proxies:
+
+```yaml
+# Enable inbound mesh proxying for Kuma and Istio
+podAnnotations:
+  kuma.io/gateway: disabled
+  traffic.sidecar.istio.io/includeInboundPorts: "*"
+```
 
 #### The `env` section
 
@@ -300,7 +952,7 @@ and upper-cased before setting the environment variable.
 Furthermore, all `kong.env` parameters can also accept a mapping instead of a
 value to ensure the parameters can be set through configmaps and secrets.
 
-An example :
+An example:
 
 ```yaml
 kong:
@@ -311,7 +963,7 @@ kong:
          secretKeyRef:
             key: kong
             name: postgres
-  nginx_worker_processes: "2"
+     nginx_worker_processes: "2"
 ```
 
 For complete list of Kong configurations please check the
@@ -319,21 +971,35 @@ For complete list of Kong configurations please check the
 
 > **Tip**: You can use the default [values.yaml](values.yaml)
 
-##### Admin/Proxy listener override
+#### The `customEnv` section
 
-If you specify `env.admin_listen` or `env.proxy_listen`, this chart will use
-the value provided by you as opposed to constructing a listen variable
-from fields like `proxy.http.containerPort` and `proxy.http.enabled`.
-This allows you to be more prescriptive when defining listen directives.
+The `customEnv` section can be used to configure all custom properties of other than Kong.
+Any key value put under this section translates to environment variables
+that can be used in Kong's plugin configurations. Every key is upper-cased before setting the environment variable.
 
-**Note:** Overriding `env.proxy_listen` and `env.admin_listen` will
-potentially cause `admin.containerPort`, `proxy.http.containerPort` and
-`proxy.tls.containerPort` to become out of sync,
-and therefore must be updated accordingly.
+An example:
 
-For example, updating to `env.proxy_listen: 0.0.0.0:4444, 0.0.0.0:4443 ssl`
-will need `proxy.http.containerPort: 4444` and `proxy.tls.containerPort: 4443`
-to be set in order for the service definition to work properly.
+```yaml
+kong:
+  customEnv:
+    api_token:
+      valueFrom:
+        secretKeyRef:
+          key: token
+          name: api_key
+    client_name: testClient
+```
+
+#### The `extraLabels` section
+
+The `extraLabels` section can be used to configure some extra labels that will be added to each Kubernetes object generated.
+
+For example, you can add the `acme.com/some-key: some-value` label to each Kubernetes object by putting the following in your Helm values:
+
+```yaml
+extraLabels:
+  acme.com/some-key: some-value
+```
 
 ## Kong Enterprise Parameters
 
@@ -343,10 +1009,13 @@ Kong Enterprise requires some additional configuration not needed when using
 Kong Open-Source. To use Kong Enterprise, at the minimum,
 you need to do the following:
 
-- set `enterprise.enabled` to `true` in `values.yaml` file
-- Update values.yaml to use a Kong Enterprise image
-- Satisfy the two  prerequsisites below for Enterprise License and
-  Enterprise Docker Registry
+- Set `enterprise.enabled` to `true` in `values.yaml` file.
+- Update values.yaml to use a Kong Enterprise image.
+- Satisfy the two prerequisites below for Enterprise License and
+  Enterprise Docker Registry.
+- (Optional) [set a `password` environment variable](#rbac) to create the
+  initial super-admin. Though not required, this is recommended for users that
+  wish to use RBAC, as it cannot be done after initial setup.
 
 Once you have these set, it is possible to install Kong Enterprise,
 but please make sure to review the below sections for other settings that
@@ -360,13 +1029,16 @@ configuration can be placed under the `.env` key.
 
 #### Kong Enterprise License
 
-All Kong Enterprise deployments require a license. If you do not have a copy
-of yours, please contact Kong Support. Once you have it, you will need to
-store it in a Secret. Save your secret in a file named `license` (no extension)
-and then create and inspect your secret:
+Kong Enterprise 2.3+ can run with or without a license. If you wish to run 2.3+
+without a license, you can skip this step and leave `enterprise.license_secret`
+unset. In this case only a limited subset of features will be available.
+Earlier versions require a license.
+
+If you have paid for a license, but you do not have a copy of yours, please
+contact Kong Support. Once you have it, you will need to store it in a Secret:
 
 ```bash
-$ kubectl create secret generic kong-enterprise-license --from-file=./license
+kubectl create secret generic kong-enterprise-license --from-file=license=./license.json
 ```
 
 Set the secret name in `values.yaml`, in the `.enterprise.license_secret` key.
@@ -375,23 +1047,24 @@ Kong is going to be deployed.
 
 #### Kong Enterprise Docker registry access
 
-Next, we need to setup Docker credentials in order to allow Kubernetes
-nodes to pull down Kong Enterprise Docker image, which is hosted as a private
-repository.
+Kong Enterprise versions 2.2 and earlier use a private Docker registry and
+require a pull secret. **If you use 2.3 or newer, you can skip this step.**
 
-As part of your sign up for Kong Enterprise, you should have received
-credentials for these as well.
+You should have received credentials to log into docker hub after
+purchasing Kong Enterprise. After logging in, you can retrieve your API key
+from \<your username\> \> Edit Profile \> API Key. Use this to create registry
+secrets:
 
 ```bash
-$ kubectl create secret docker-registry kong-enterprise-docker \
-    --docker-server=kong-docker-kong-enterprise-k8s.bintray.io \
-    --docker-username=<your-username> \
-    --docker-password=<your-password>
-secret/kong-enterprise-docker created
+kubectl create secret docker-registry kong-enterprise-edition-docker \
+    --docker-server=hub.docker.io \
+    --docker-username=<username-provided-to-you> \
+    --docker-password=<password-provided-to-you>
+secret/kong-enterprise-edition-docker created
 ```
 
-Set the secret name in `values.yaml` in the `image.pullSecrets` section.
-Again, Please ensure the above secret is created in the same namespace in which
+Set the secret names in `values.yaml` in the `image.pullSecrets` section.
+Again, please ensure the above secret is created in the same namespace in which
 Kong is going to be deployed.
 
 ### Service location hints
@@ -401,7 +1074,7 @@ must know where other Kong services (namely the admin and files APIs) can be
 accessed in order to function properly. Kong's default behavior for attempting
 to locate these absent configuration is unlikely to work in common Kubernetes
 environments. Because of this, you should set each of `admin_gui_url`,
-`admin_api_uri`, `proxy_url`, `portal_api_url`, `portal_gui_host`, and
+`admin_gui_api_url`, `proxy_url`, `portal_api_url`, `portal_gui_host`, and
 `portal_gui_protocol` under the `.env` key in values.yaml to locations where
 each of their respective services can be accessed to ensure that Kong services
 can locate one another and properly set CORS headers. See the
@@ -410,44 +1083,85 @@ for more details on these settings.
 
 ### RBAC
 
-You can create a default RBAC superuser when initially setting up an
-environment, by setting the `KONG_PASSWORD` environment variable on the initial
-migration Job's Pod. This will create a `kong_admin` admin whose token and
-basic-auth password match the value of `KONG_PASSWORD`.
-You can create a secret holding the initial password value and then
-mount the secret as an environment variable using the `env` section.
-
-Note that RBAC is **NOT** currently enabled on the admin API container for the
-controller Pod when the ingress controller is enabled. This admin API container
-is not exposed outside the Pod, so only the controller can interact with it. We
-intend to add RBAC to this container in the future after updating the controller
-to add support for storing its RBAC token in a Secret, as currently it would
-need to be stored in plaintext. RBAC is still enforced on the admin API of the
-main deployment when using the ingress controller, as that admin API *is*
-accessible outside the Pod.
+You can create a default RBAC superuser when initially running `helm install`
+by setting a `password` environment variable under `env` in values.yaml. It
+should be a reference to a secret key containing your desired password. This
+will create a `kong_admin` admin whose token and basic-auth password match the
+value in the secret. For example:
+
+```yaml
+env:
+ password:
+   valueFrom:
+     secretKeyRef:
+        name: kong-enterprise-superuser-password
+        key: password
+```
+
+If using the ingress controller, it needs access to the token as well, by
+specifying `kong_admin_token` in its environment variables:
+
+```yaml
+ingressController:
+  env:
+   kong_admin_token:
+     valueFrom:
+       secretKeyRef:
+          name: kong-enterprise-superuser-password
+          key: password
+```
+
+Although the above examples both use the initial super-admin, we recommend
+[creating a less-privileged RBAC user](https://docs.konghq.com/enterprise/latest/kong-manager/administration/rbac/add-user/)
+for the controller after installing. It needs at least workspace admin
+privileges in its workspace (`default` by default, settable by adding a
+`workspace` variable under `ingressController.env`). Once you create the
+controller user, add its token to a secret and update your `kong_admin_token`
+variable to use it. Remove the `password` variable from Kong's environment
+variables and the secret containing the super-admin token after.
 
 ### Sessions
 
 Login sessions for Kong Manager and the Developer Portal make use of
 [the Kong Sessions plugin](https://docs.konghq.com/enterprise/latest/kong-manager/authentication/sessions).
-Their configuration must be stored in Secrets, as it contains an HMAC key.
-If using either RBAC or the Portal, create a Secret with `admin_gui_session_conf`
-and `portal_session_conf` keys.
+When configured via values.yaml, their configuration must be stored in Secrets,
+as it contains an HMAC key.
 
+Kong Manager's session configuration must be configured via values.yaml,
+whereas this is optional for the Developer Portal on versions 0.36+. Providing
+Portal session configuration in values.yaml provides the default session
+configuration, which can be overridden on a per-workspace basis.
+
+```bash
+cat admin_gui_session_conf
 ```
-$ cat admin_gui_session_conf
+
+```json
 {"cookie_name":"admin_session","cookie_samesite":"off","secret":"admin-secret-CHANGEME","cookie_secure":true,"storage":"kong"}
-$ cat portal_session_conf
+```
+
+```bash
+cat portal_session_conf
+```
+
+```json
 {"cookie_name":"portal_session","cookie_samesite":"off","secret":"portal-secret-CHANGEME","cookie_secure":true,"storage":"kong"}
-$ kubectl create secret generic kong-session-config --from-file=admin_gui_session_conf --from-file=portal_session_conf
+```
+
+```bash
+kubectl create secret generic kong-session-config --from-file=admin_gui_session_conf --from-file=portal_session_conf
+```
+
+```bash
 secret/kong-session-config created
 ```
+
 The exact plugin settings may vary in your environment. The `secret` should
 always be changed for both configurations.
 
-After creating your secret, set its name in values.yaml, in the
-`.enterprise.rbac.session_conf_secret` and
-`.enterprise.portal.session_conf_secret` keys.
+After creating your secret, set its name in values.yaml in
+`.enterprise.rbac.session_conf_secret`. If you create a Portal configuration,
+add it at `env.portal_session_conf` using a secretKeyRef.
 
 ### Email/SMTP
 
@@ -461,282 +1175,58 @@ Setting `.enterprise.smtp.disabled: true` will set `KONG_SMTP_MOCK=on` and
 allow Admin/Developer invites to proceed without sending email. Note, however,
 that these have limited functionality without sending email.
 
-If your SMTP server requires authentication, you should the `username` and
-`smtp_password_secret` keys under `.enterprise.smtp.auth`.
+If your SMTP server requires authentication, you must provide the `username`
+and `smtp_password_secret` keys under `.enterprise.smtp.auth`.
 `smtp_password_secret` must be a Secret containing an `smtp_password` key whose
 value is your SMTP password.
 
-## Changelog
-
-### 0.36.6
-
-This version has no code changes and Kong's chart is now deprecated in this
-repository. Please use Kong's official
-[chart repository](https://github.com/kong/charts).
-
-### 0.36.5
-
-> PR https://github.com/helm/charts/pull/20099
-
-#### Improvements
-
-- Allow `grpc` protocol for KongPlugins
-
-### 0.36.4
-
-> PR https://github.com/helm/charts/pull/20051
-
-#### Fixed
-
-- Issue: [`Ingress Controller errors when chart is redeployed with Admission
-  Webhook enabled`](https://github.com/helm/charts/issues/20050)
-
-### 0.36.3
-
-> PR https://github.com/helm/charts/pull/19992
-
-#### Fixed
-
-- Fix spacing in ServiceMonitor when label is specified in config
-
-### 0.36.2
-
-> PR https://github.com/helm/charts/pull/19955
-
-#### Fixed
-
-- Set `sideEffects` and `admissionReviewVersions` for Admission Webhook
-- timeouts for liveness and readiness probes has been changed from `1s` to `5s`
-
-### 0.36.1
-
-> PR https://github.com/helm/charts/pull/19946
-
-#### Fixed
-
-- Added missing watch permission to custom resources
-
-### 0.36.0
-
-> PR https://github.com/helm/charts/pull/19916
-
-#### Upgrade Instructions
-
-- When upgrading from <0.35.0, in-place chart upgrades will fail.
-  It is necessary to delete the helm release with `helm del --purge $RELEASE` and redeploy from scratch.
-  Note that this will cause downtime for the kong proxy. 
-
-#### Improvements 
-
-- Fixed Deployment's label selector that prevented in-place chart upgrades.
-
-### 0.35.1
-
-> PR https://github.com/helm/charts/pull/19914
-
-#### Improvements
-
-- Update CRDs to Ingress Controller 0.7
-- Optimize readiness and liveness probes for more responsive health checks
-- Fixed incorrect space in NOTES.txt
-
-### 0.35.0
-
-> PR [#19856](https://github.com/helm/charts/pull/19856)
-
-#### Improvements
-
-- Labels on all resources have been updated to adhere to the Helm Chart
-  guideline here:
-  https://v2.helm.sh/docs/developing_charts/#syncing-your-chart-repository
+By default, SMTP uses `AUTH` `PLAIN` when you provide credentials. If your provider requires `AUTH LOGIN`, set `smtp_auth_type: login`.
 
-### 0.34.2
+## Prometheus Operator integration
 
-> PR [#19854](https://github.com/helm/charts/pull/19854)
+The chart can configure a ServiceMonitor resource to instruct the [Prometheus
+Operator](https://github.com/prometheus-operator/prometheus-operator) to
+collect metrics from Kong Pods. To enable this, set
+`serviceMonitor.enabled=true` in `values.yaml`.
 
-This release contains no user-visible changes
+Kong exposes memory usage and connection counts by default. You can enable
+traffic metrics for routes and services by configuring the [Prometheus
+plugin](https://docs.konghq.com/hub/kong-inc/prometheus/).
 
-#### Under the hood
+The ServiceMonitor requires an `enable-metrics: "true"` label on one of the
+chart's Services to collect data. By default, this label is set on the proxy
+Service. It should only be set on a single chart Service to avoid duplicate
+data. If you disable the proxy Service (e.g. on a hybrid control plane instance
+or Portal-only instance) and still wish to collect memory usage metrics, add
+this label to another Service, e.g. on the admin API Service:
 
- - Various tests have been consolidated to speed up CI.
-
-### 0.34.1
-
-> PR [#19887](https://github.com/helm/charts/pull/19887)
-
-#### Fixed
-
-- Correct indentation for Job securityContexts.
-
-### 0.34.0
-
-> PR [#19885](https://github.com/helm/charts/pull/19885)
-
-#### New features
-
-- Update default version of Ingress Controller to 0.7.0
-
-### 0.33.1
-
-> PR [#19852](https://github.com/helm/charts/pull/19852)
-
-#### Fixed
-
-- Correct an issue with white space handling within `final_env` helper.
-
-### 0.33.0
-
-> PR [#19840](https://github.com/helm/charts/pull/19840)
-
-#### Dependencies
-
-- Postgres sub-chart has been bumped up to 8.1.2
-
-#### Fixed
-
-- Removed podDisruption budge for Ingress Controller. Ingress Controller and
-  Kong run in the same pod so this was no longer applicable
-- Migration job now receives the same environment variable and configuration
-  as that of the Kong pod.
-- If Kong is configured to run with Postgres, the Kong pods now always wait
-  for Postgres to start. Previously this was done only when the sub-chart
-  Postgres was deployed.
-- A hard-coded container name is used for kong: `proxy`. Previously this
-  was auto-generated by Helm. This deterministic naming allows for simpler
-  scripts and documentation.
-
-#### Under the hood
-
-Following changes have no end user visible effects:
-
-- All Custom Resource Definitions have been consolidated into a single
-  template file
-- All RBAC resources have been consolidated into a single template file
-- `wait-for-postgres` container has been refactored and de-duplicated
-
-### 0.32.1
-
-#### Improvements
-
-- This is a doc only release. No code changes have been done.
-- Post installation steps have been simplified and now point to a getting
-  started page
-- Misc updates to README:
-  - Document missing variables
-  - Remove outdated variables
-  - Revamp and rewrite major portions of the README
-  - Added a table of content to make the content navigable
-
-### 0.32.0
-
-#### Improvements
-
-- Create and mount emptyDir volumes for `/tmp` and `/kong_prefix` to allow
-  for read-only root filesystem securityContexts and PodSecurityPolicys.
-- Use read-only mounts for custom plugin volumes.
-- Update stock PodSecurityPolicy to allow emptyDir access.
-- Override the standard `/usr/local/kong` prefix to the mounted emptyDir
-  at `/kong_prefix` in `.Values.env`.
-- Add securityContext injection points to template. By default,
-  it sets Kong pods to run with UID 1000.
-
-#### Fixes
-
-- Correct behavior for the Vitals toggle.
-  Vitals defaults to on in all current Kong Enterprise releases, and
-  the existing template only created the Vitals environment variable
-  if `.Values.enterprise.enabled == true`. Inverted template to create
-  it (and set it to "off") if that setting is instead disabled.
-- Correct an issue where custom plugin configurations would block Kong
-  from starting.
-
-### 0.31.0
-
-#### Breaking changes
-
-- Admin Service is disabled by default (`admin.enabled`)
-- Default for `proxy.type` has been changed to `LoadBalancer`
-
-#### New features
-
-- Update default version of Kong to 1.4
-- Update default version of Ingress Controller to 0.6.2
-- Add support to disable kong-admin service via `admin.enabled` flag.
-
-### 0.31.2
-
-#### Fixes
-
-- Do not remove white space between documents when rendering
-  `migrations-pre-upgrade.yaml`
-
-### 0.30.1
-
-#### New Features
-
-- Add support for specifying Proxy service ClusterIP
-
-### 0.30.0
-
-#### Breaking changes
-
-- `admin_gui_auth_conf_secret` is now required for Kong Manager
-  authentication methods other than `basic-auth`.
-  Users defining values for `admin_gui_auth_conf` should migrate them to
-  an externally-defined secret with a key of `admin_gui_auth_conf` and
-  reference the secret name in `admin_gui_auth_conf_secret`.
-
-### 0.29.0
-
-#### New Features
-
-- Add support for specifying Ingress Controller environment variables.
-
-### 0.28.0
-
-#### New Features
-
-- Added support for the Validating Admission Webhook with the Ingress Controller.
-
-### 0.27.2
-
-#### Fixes
-
-- Do not create a ServiceAccount if it is not necessary.
-- If a configuration change requires creating a ServiceAccount,
-  create a temporary ServiceAccount to allow pre-upgrade tasks to
-  complete before the regular ServiceAccount is created.
-
-### 0.27.1
-
-#### Documentation updates
-- Retroactive changelog update for 0.24 breaking changes.
-
-### 0.27.0
-
-#### Breaking changes
-
-- DB-less mode is enabled by default.
-- Kong is installed as an Ingress Controller for the cluster by default.
-
-### 0.25.0
+```
+admin:
+  labels:
+    enable-metrics: "true"
+```
 
-#### New features
+## Argo CD Considerations
 
-- Add support for PodSecurityPolicy
-- Require creation of a ServiceAccount
+The built-in database subchart (`postgresql.enabled` in values) is not
+supported when installing the chart via Argo CD.
 
-### 0.24.0
+Argo CD does not support the full Helm lifecycle. There is no distinction
+between the initial install and upgrades. Both operations are a "sync" in Argo
+terms. This affects when migration Jobs execute in database-backed Kong
+installs.
 
-#### Breaking changes
+The chart sets the `Sync` and `BeforeHookCreation` deletion
+[hook policies](https://argo-cd.readthedocs.io/en/stable/user-guide/resource_hooks/)
+on the `init-migrations` and `pre-upgrade-migrations` Jobs.
 
-- The configuration format for ingresses in values.yaml has changed. 
-Previously, all ingresses accepted an array of hostnames, and would create
-ingress rules for each. Ingress configuration for services other than the proxy
-now accepts a single hostname, which allows simpler TLS configuration and
-automatic population of `admin_api_uri` and similar settings. Configuration for
-the proxy ingress is unchanged, but its documentation now accurately reflects
-the TLS configuration needed.
+The `pre-upgrade-migrations` Job normally uses Helm's `pre-upgrade` policy. Argo
+translates this to its `PreSync` policy, which would create the Job before all
+sync phase resources. Doing this before various sync phase resources (such as
+the ServiceAccount) are in place would prevent the Job from running
+successfully. Overriding this with Argo's `Sync` policy starts the Job at the
+same time as the upgraded Deployment Pods. The new Pods may fail to start
+temporarily, but will eventually start normally once migrations complete.
 
 ## Seeking help
 
diff --git a/helm/infrastructure/subcharts/kong/UPGRADE.md b/helm/infrastructure/subcharts/kong/UPGRADE.md
new file mode 100644 (file)
index 0000000..8935277
--- /dev/null
@@ -0,0 +1,807 @@
+# Upgrade considerations
+
+New versions of the Kong chart may add significant new functionality or
+deprecate/entirely remove old functionality. This document covers how and why
+users should update their chart configuration to take advantage of new features
+or migrate away from deprecated features.
+
+In general, breaking changes deprecate their old features before removing them
+entirely. While support for the old functionality remains, the chart will show
+a warning about the outdated configuration when running `helm
+install/status/upgrade`.
+
+Note that not all versions contain breaking changes. If a version is not
+present in the table of contents, it requires no version-specific changes when
+upgrading from a previous version.
+
+## Table of contents
+
+- [Upgrade considerations for all versions](#upgrade-considerations-for-all-versions)
+- [2.26.0](#2260)
+- [2.19.0](#2190)
+- [2.13.0](#2130)
+- [2.8.0](#280)
+- [2.7.0](#270)
+- [2.4.0](#240)
+- [2.3.0](#230)
+- [2.2.0](#220)
+- [2.1.0](#210)
+- [2.0.0](#200)
+- [1.14.0](#1140)
+- [1.11.0](#1110)
+- [1.10.0](#1100)
+- [1.9.0](#190)
+- [1.6.0](#160)
+- [1.5.0](#150)
+- [1.4.0](#140)
+- [1.3.0](#130)
+
+## Upgrade considerations for all versions
+
+The chart automates the
+[upgrade migration process](https://github.com/Kong/kong/blob/master/UPGRADE.md).
+When running `helm upgrade`, the chart spawns an initial job to run `kong
+migrations up` and then spawns new Kong pods with the updated version. Once
+these pods become ready, they begin processing traffic and old pods are
+terminated. Once this is complete, the chart spawns another job to run `kong
+migrations finish`.
+
+If you split your Kong deployment across multiple Helm releases (to create
+proxy-only and admin-only nodes, for example), you must
+[set which migration jobs run based on your upgrade order](https://github.com/Kong/charts/blob/main/charts/kong/README.md#separate-admin-and-proxy-nodes).
+However, this does not apply to hybrid mode, which can run both migrations but
+requires [upgrading the control plane version
+first](https://docs.konghq.com/gateway/latest/plan-and-deploy/hybrid-mode/#version-compatibility).
+
+While the migrations themselves are automated, the chart does not automatically
+ensure that you follow the recommended upgrade path. If you are upgrading from
+more than one minor Kong version back, check the [upgrade path
+recommendations for Kong open source](https://github.com/Kong/kong/blob/master/UPGRADE.md#3-suggested-upgrade-path)
+or [Kong Enterprise](https://docs.konghq.com/enterprise/latest/deployment/migrations/).
+
+Although not required, users should upgrade their chart version and Kong
+version indepedently. In the even of any issues, this will help clarify whether
+the issue stems from changes in Kubernetes resources or changes in Kong.
+
+Users may encounter an error when upgrading which displays a large block of
+text ending with `field is immutable`. This is typically due to a bug with the
+`init-migrations` job, which was not removed automatically prior to 1.5.0.
+If you encounter this error, deleting any existing `init-migrations` jobs will
+clear it.
+
+### Updates to CRDs
+
+Helm installs CRDs at initial install but [does not update them
+after](https://github.com/helm/community/blob/main/hips/hip-0011.md). Some
+chart releases include updates to CRDs that must be applied to successfully
+upgrade. Because Helm does not handle these updates, you must manually apply
+them before upgrading your release.
+
+``` kubectl apply -f
+https://raw.githubusercontent.com/Kong/charts/kong-<version>/charts/kong/crds/custom-resource-definitions.yaml
+```
+
+For example, if your release is 2.6.4, you would apply
+`https://raw.githubusercontent.com/Kong/charts/kong-2.6.4/charts/kong/crds/custom-resource-definitions.yaml`.
+
+## 2.26.0
+
+If you are using controller version 2.10 or lower and proxy version 3.3 or
+higher in separate Deployments (such as when using the `ingress` chart), proxy
+Pods will not become ready unless you override the default readiness endpoint:
+
+```
+readinessProbe:
+  httpGet:
+    path: /status
+```
+
+This section goes under the `gateway` section when using the `ingress` chart.
+
+2.26 changes the default proxy readiness endpoint to the `/status/ready`
+endpoint introduced in Kong 3.3. This endpoint reports true when Kong has
+configuration available, whereas the previous `/status` endpoint returned true
+immediately after start, and could result in proxy instances attempting to
+serve requests before they had configuration.
+
+The chart has logic to fall back to the older endpoint if the proxy and
+controller versions do not work well with the new endpoint. However, the chart
+detection cannot determine the controller version when the controller is in a
+separate Deployment, and will always use the new endpoint if the Kong image
+version is 3.3 or higher.
+
+Kong recommends Kong 3.3 and higher users update to controller 2.11 at their
+earliest convenience to take advantage of the improved readiness behavior.
+
+## 2.19.0
+
+2.19 sets a default [security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/)
+that declares a read-only root filesystem for Kong containers. The base Kong and KIC
+images are compatible with this setting. The chart mounts temporary writeable
+emptyDir filesystems for locations that require writeable files (`/tmp` and
+`/kong_prefix/`).
+
+This setting limit attack surface and should be compatible with most
+installations. However, if you use custom plugins that write to disk, you must
+either mount a writeable emptyDir for them or override the new defaults by
+setting:
+
+```
+containerSecurityContext:
+  readOnlyRootFilesystem: false
+```
+
+in your values.yaml.
+
+## 2.13.0
+
+2.13.0 includes updated CRDs. You must [apply these manually](#updates-to-crds)
+before upgrading an existing release.
+
+2.13 changes the default Kong tag to 3.0 and the default KIC tag to 2.6. We
+recommend that you set these versions (`image.tag` and
+`ingressController.image.tag`) in your values.yaml to allow updating the chart
+without also updating the container versions. If you do update to these
+container image versions, you should first review the Kong 3.0 breaking changes
+(see the [open
+source](https://github.com/Kong/kong/blob/master/CHANGELOG.md#300) and
+[Enterprise](https://docs.konghq.com/gateway/changelog/#3000) Kong changelogs)
+and the [ingress controller upgrade guide for Kong
+3.x](https://docs.konghq.com/kubernetes-ingress-controller/2.6.x/guides/upgrade-kong-3x).
+
+Kong 3.0 requires KIC version 2.6 at minimum. It will not work with any
+previous versions. Changes to regular expression paths in Kong 3.x furthermore
+require changes to Ingresses that use regular expression paths in rules.
+
+## 2.8.0
+
+### IngressClass controller name change requires manual delete
+
+2.8 updates the chart-managed IngressClass's controller name to match the
+controller name used elsewhere in Kong's documenation. Controller names are
+immutable, so Helm cannot actually update existing IngressClass resources.
+
+Prior to your upgrade, you must delete the existing IngressClass. Helm will
+create a new IngressClass with the new controller name during the upgrade:
+
+```
+kubectl delete ingressclass <class name, "kong" by default>
+helm upgrade RELEASE_NAME kong/kong ...
+```
+
+Removing the IngressClass will not affect configuration: the controller
+IngressClass implementation is still in progress, and it will still ingest
+resources whose `ingress.class` annotation or `ingressClassName` value matches
+the the `CONTROLLER_INGRESS_CLASS` value in the controller environment even if
+no matching IngressClass exists.
+
+### Postgres subchart version update
+
+2.8 updates the Postgres subchart version from 8.6.8 to 11.1.15. This changes
+a number of values.yaml keys and the default Postgres version. The previous
+default Postgres version was [11.7.0-debian-10-r37](https://github.com/bitnami/charts/blob/590c6b0f4e07161614453b12efe71f22e0c00a46/bitnami/postgresql/values.yaml#L18).
+
+To use the new version on an existing install, you should [follow Bitnami's
+instructions for updating values.yaml keys and upgrading their chart]() as well
+as [the Postgres upgrade instructions](https://www.postgresql.org/docs/current/upgrading.html).
+
+You can alternately use the new chart without upgrading Postgres by setting
+`postgresql.image.tag=11.7.0-debian-10-r37` or use the old version of the
+chart. Helm documentation is unclear on whether ignoring a subchart version
+change for a release is possible, so we recommend [dumping the
+database](https://www.postgresql.org/docs/current/backup-dump.html) and
+creating a separate release if you wish to continue using 8.6.8:
+
+```
+helm install my-release -f values.yaml --version 8.6.8 bitnami/postgresql
+```
+
+Afterwords, you will upgrade your Kong chart release with
+`postgresql.enabled=false` and `env.pg_host` and `env.pg_password` set to the
+appropriate hostname and Secret reference for your new release (these are set
+automatically when the subchart is enabled, but will not be set automatically
+with a separate release).
+
+## 2.7.0
+
+2.7 updates CRDs to the version released in KIC 2.1.0. Helm does not upgrade
+CRDs automatically; you must `kubectl apply -f https://raw.githubusercontent.com/Kong/charts/kong-2.7.0/charts/kong/crds/custom-resource-definitions.yaml`
+manually before upgrading.
+
+You should not apply the updated CRDs until you are prepared to upgrade to KIC
+2.1 or higher, and [must have first upgraded to 2.0](https://github.com/Kong/kubernetes-ingress-controller/blob/v2.1.1/CHANGELOG.md#breaking-changes)
+and applied the [previous version of the CRDs](https://raw.githubusercontent.com/Kong/charts/kong-2.6.4/charts/kong/crds/custom-resource-definitions.yaml).
+
+## 2.4.0
+
+### Disable ingress controller prior to 2.x upgrade when using PostgreSQL
+
+Chart version 2.4 is the first Kong chart version that defaults to the 2.x
+series of ingress controller releases. 2.x uses a different leader election
+system than 1.x. If both versions are running simultaneously, both controller
+versions will attempt to interact with the admin API, potentially setting
+inconsistent configuration in the database when PostgreSQL is the backend.
+
+If you are configured with the following:
+
+- ingressController.enabled=true
+- postgresql.enabled=true
+
+and do not override the ingress controller version, you must perform the
+upgrade in multiple steps:
+
+First, pin the controller version and upgrade to chart 2.4.0:
+
+```console
+helm upgrade --wait \
+  --set ingressController.image.tag=<CURRENT_CONTROLLER_VERSION> \
+  --version 2.4.0 \
+  --namespace <YOUR_RELEASE_NAMESPACE> \
+  <YOUR_RELEASE_NAME> kong/kong
+```
+
+Second, temporarily disable the ingress controller:
+
+```console
+helm upgrade --wait \
+  --set ingressController.enabled=false \
+  --set deployment.serviceaccount.create=true \
+  --version 2.4.0 \
+  --namespace <YOUR_RELEASE_NAMESPACE> \
+  <YOUR_RELEASE_NAME> kong/kong
+```
+
+Finally, re-enable the ingress controller at the new version:
+
+```console
+helm upgrade --wait \
+  --set ingressController.enabled=true \
+  --set ingressController.image.tag=<NEW_CONTROLLER_VERSION> \
+  --version 2.4.0 \
+  --namespace <YOUR_RELEASE_NAMESPACE> \
+  <YOUR_RELEASE_NAME> kong/kong
+```
+
+While the controller is disabled, changes to Kubernetes configuration (Ingress
+resources, KongPlugin resources, Service Endpoints, etc.) will not update Kong
+proxy configuration. We recommend you establish an active maintenance window
+under which to perform this upgrade and inform users and stakeholders so as to
+avoid unexpected disruption.
+
+### Changed ServiceAccount configuration location
+
+2.4.0 moved ServiceAccount configuration from
+`ingressController.serviceAccount` to `deployment.serviceAccount` to accomodate
+configurations that required a ServiceAccount but did not use the controller.
+
+The chart now creates a ServiceAccount by default. When enabled, upgrade
+migration hooks require the ServiceAccount, but Helm will not create it before
+the hooks run, and the migration jobs will fail. To avoid this, first perform
+an initial chart upgrade that does not update the Kong image version and sets
+`migrations.preUpgrade=false` and `migrations.postUpgrade=false`. This will
+create the account for future upgrades, and you can re-enable migrations and
+upgrade your Kong version after.
+
+If you disable ServiceAccount or override its name, you must move your
+configuration under `deployment.serviceAccount`. The chart will warn you if it
+detects non-default configuration in the original location when you upgrade.
+You can use `helm upgrade --dry-run` to see if you are affected before actually
+upgrading.
+
+## 2.3.0
+
+### Updated CRDs and CRD API version
+
+2.3.0 adds new and updated CRDs for KIC 2.x. These CRDs are compatible with
+KIC 1.x also. The CRD API version is now v1, replacing the deprecated v1beta1,
+to support Kubernetes 1.22 and onward. API version v1 requires Kubernetes 1.16
+and newer.
+
+Helm 2-style CRD management will upgrade CRDs automatically. You can check to
+see if you are using Helm 2-style management by running:
+
+```
+kubectl get crd kongconsumers.configuration.konghq.com -o yaml | grep "meta.helm.sh/release-name"
+```
+
+If you see output, you are using Helm 2-style CRD management.
+
+Helm 3-style CRD management (the default) does not upgrade CRDs automatically.
+You must apply the changes manually by running:
+
+```
+kubectl apply -f https://raw.githubusercontent.com/Kong/charts/kong-2.2.0/charts/kong/crds/custom-resource-definitions.yaml
+```
+
+Although not recommended, you can remain on an older Kubernetes version and not
+upgrade your CRDs if you are using Helm 3-style CRD management. However, you
+will not be able to run KIC 2.x, and these configurations are considered
+unsupported.
+
+### Ingress controller feature detection
+
+2.3.0 includes some features that are enabled by default, but require KIC 2.x.
+KIC 2.x is not yet the default ingress controller version because there are
+currently only preview releases for it. To maintain compatibility with KIC 1.x,
+the chart automatically detects the KIC image version and disables incompatible
+features. This feature detection requires a semver image tag, and the chart
+cannot render successfully if the image tag is not semver-compliant.
+
+Standard KIC images do use semver-compliant tags, and you do not need to make
+any configuration changes if you use one. If you use a non-semver tag, such as
+`next`, you must set the new `ingressController.image.effectiveSemver` field to
+your approximate semver version. For example, if your `next` tag is for an
+unreleased `2.1.0` KIC version, you should set `effectiveSemver: 2.1.0`.
+
+## 2.2.0
+
+### Changes to pod disruption budget defaults
+
+Prior to 2.2.0, the default values.yaml included
+`podDisruptionBudget.maxUnavailable: 50%`. This prevented setting
+`podDisruptionBudget.minUnavailable` at all. To allow use of
+`podDisruptionBudget.minUnavailable`, we have removed the
+`podDisruptionBudget.maxUnavailable` default. If you previously relied on this
+default (you set `podDisruptionBudget.enabled: true` but did not set
+`podDisruptionBudget.maxUnavailable`), you now must explicitly set
+`podDisruptionBudget.maxUnavailable: 50%` in your values.yaml.
+
+## 2.1.0
+
+### Migration off Bintray
+
+Bintray, the Docker registry previously used for several images used by this
+chart, is [sunsetting May 1,
+2021](https://jfrog.com/blog/into-the-sunset-bintray-jcenter-gocenter-and-chartcenter/).
+
+The chart default `values.yaml` now uses the new Docker Hub repositories for all
+affected images. You should check your release `values.yaml` files to confirm that
+they do not still reference Bintray repositories. If they do, update them to
+use the Docker Hub repositories now in the default `values.yaml`.
+
+## 2.0.0
+
+### Support for Helm 2 dropped
+
+2.0.0 takes advantage of template functionality that is only available in Helm
+3 and reworks values defaults to target Helm 3 CRD handling, and requires Helm
+3 as such. If you are not already using Helm 3, you must migrate to it before
+updating to 2.0.0 or later:
+
+https://helm.sh/docs/topics/v2_v3_migration/
+
+If desired, you can migrate your Kong chart releases without migrating charts'
+releases.
+
+### Support for deprecated 1.x features removed
+
+Several previous 1.x chart releases reworked sections of values.yaml while
+maintaining support for the older version of those settings. 2.x drops support
+for the older versions of these settings entirely:
+
+* [Portal auth settings](#removal-of-dedicated-portal-authentication-configuration-parameters)
+* [The `runMigrations` setting](#changes-to-migration-job-configuration)
+* [Single-stack admin API Service configuration](#changes-to-kong-service-configuration)
+* [Multi-host proxy configuration](#removal-of-multi-host-proxy-ingress)
+
+Each deprecated setting is accompanied by a warning that appears at the end of
+`helm upgrade` output on a 1.x release:
+
+```
+WARNING: You are currently using legacy ...
+```
+
+If you do not see any such warnings when upgrading a release using chart
+1.15.0, you are not using deprecated configuration and are ready to upgrade to
+2.0.0. If you do see these warnings, follow the linked instructions to migrate
+to the current settings format.
+
+## 1.14.0
+
+### Removal of multi-host proxy Ingress
+
+Most of the chart's Ingress templates support a single hostname and TLS Secret.
+The proxy Ingress template originally differed, and allowed multiple hostnames
+and TLS configurations. As of chart 1.14.0, we have deprecated the unique proxy
+Ingress configuration; it is now identical to all other Kong services. If you
+do not need to configure multiple Ingress rules for your proxy, you will
+change:
+
+```yaml
+ingress:
+  hosts: ["proxy.kong.example"]
+  tls:
+  - hosts:
+    - proxy.kong.example
+    secretName: example-tls-secret
+  path: /
+```
+to:
+
+```yaml
+ingress:
+  tls: example-tls-secret
+  hostname: proxy.kong.example
+  path: /
+```
+We plan to remove support for the multi-host configuration entirely in version
+2.0 of the chart. If you currently use multiple hosts, we recommend that you
+either:
+- Define Ingresses for each application, e.g. if you proxy applicationA at
+  `foo.kong.example` and applicationB at `bar.kong.example`, you deploy those
+  applications with their own Ingress resources that target the proxy.
+- Define a multi-host Ingress manually. Before upgrading, save your current
+  proxy Ingress, delete labels from the saved copy, and set
+  `proxy.ingress.enabled=false`. After upgrading, create your Ingress from the
+  saved copy and edit it directly to add new rules.
+
+We expect that most users do not need a built-in multi-host proxy Ingress or
+even a proxy Ingress at all: the old configuration predates the Kong Ingress
+Controller and is most useful if you place Kong behind some other controller.
+If you are interested in preserving this functionality, please [discuss your
+use case with us](https://github.com/Kong/charts/issues/73). If there is
+sufficient interest, we will explore options for continuing to support the
+original proxy Ingress configuration format.
+
+### Default custom server block replaced with status listen
+
+Earlier versions of the chart included [a custom server block](https://github.com/Kong/charts/blob/kong-1.13.0/charts/kong/templates/config-custom-server-blocks.yaml)
+to provide `/status` and `/metrics` endpoints. This server block simplified
+RBAC-enabled Enterprise deployments by providing access to these endpoints
+outside the (protected) admin API.
+
+Current versions (Kong 1.4.0+ and Kong Enterprise 1.5.0+) have a built-in
+status listen that provides the same functionality, and chart 1.14.0 uses it
+for readiness/liveness probes and the Prometheus service monitor.
+
+If you are using a version that supports the new status endpoint, you do not
+need to make any changes to your values unless you include `readinessProbe` and
+`livenessProbe` in them. If you do, you must change the port from `metrics` to
+`status`.
+
+If you are using an older version that does not support the status listen, you
+will need to:
+- Create the server block ConfigMap independent of the chart. You will need to
+  set the ConfigMap name and namespace manually and remove the labels block.
+- Add an `extraConfigMaps` values entry for your ConfigMap.
+- Set `env.nginx_http_include` to `/path/to/your/mount/servers.conf`.
+- Add the [old readiness/liveness probe blocks](https://github.com/Kong/charts/blob/kong-1.13.0/charts/kong/values.yaml#L437-L458)
+  to your values.yaml.
+- If you use the Prometheus service monitor, edit it after installing the chart
+  and set `targetPort` to `9542`. This cannot be set from values.yaml, but Helm
+  3 will preserve the change on subsequent upgrades.
+
+## 1.11.0
+
+### `KongCredential` custom resources no longer supported
+
+1.11.0 updates the default Kong Ingress Controller version to 1.0. Controller
+1.0 removes support for the deprecated KongCredential resource. Before
+upgrading to chart 1.11.0, you must convert existing KongCredential resources
+to [credential Secrets](https://github.com/Kong/kubernetes-ingress-controller/blob/next/docs/guides/using-consumer-credential-resource.md#provision-a-consumer).
+
+Custom resource management varies depending on your exact chart configuration.
+By default, Helm 3 only creates CRDs in the `crds` directory if they are not
+already present, and does not modify or remove them after. If you use this
+management method, you should create a manifest file that contains [only the
+KongCredential CRD](https://github.com/Kong/charts/blob/kong-1.10.0/charts/kong/crds/custom-resource-definitions.yaml#L35-L68)
+and then [delete it](https://kubernetes.io/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definitions/#delete-a-customresourcedefinition).
+
+Helm 2 and Helm 3 both allow managing CRDs via the chart. In Helm 2, this is
+required; in Helm 3, it is optional. When using this method, only a single
+release will actually manage the CRD. Check to see which release has
+`ingressController.installCRDs: true` to determine which does so if you have
+multiple releases. When using this management method, upgrading a release to
+chart 1.11.0 will delete the KongCredential CRD during the upgrade, which will
+_delete any existing KongCredential resources_. To avoid losing configuration,
+check to see if your CRD is managed:
+
+```
+kubectl get crd kongcredentials.configuration.konghq.com -o yaml | grep "app.kubernetes.io/managed-by: Helm"
+```
+
+If that command returns output, your CRD is managed and you must convert to
+credential Secrets before upgrading (you should do so regardless, but are not
+at risk of losing data, and can downgrade to an older chart version if you have
+issues).
+
+### Changes to CRDs
+
+Controller 1.0 [introduces a status field](https://github.com/Kong/kubernetes-ingress-controller/blob/main/CHANGELOG.md#added)
+for its custom resources. By default, Helm 3 does not apply updates to custom
+resource definitions if those definitions are already present on the Kubernetes
+API server (and they will be if you are upgrading a release from a previous
+chart version). To update your custom resources:
+
+```
+kubectl apply -f https://raw.githubusercontent.com/Kong/charts/main/charts/kong/crds/custom-resource-definitions.yaml
+```
+
+### Deprecated controller flags/environment variables and annotations removed
+
+Kong Ingress Controller 0.x versions had a number of deprecated
+flags/environment variables and annotations. Version 1.0 removes support for
+these, and you must update your configuration to use their modern equivalents
+before upgrading to chart 1.11.0.
+
+The [controller changelog](https://github.com/Kong/kubernetes-ingress-controller/blob/master/CHANGELOG.md#breaking-changes)
+provides links to lists of deprecated configuration and their replacements.
+
+## 1.10.0
+
+### `KongClusterPlugin` replaces global `KongPlugin`s
+
+Kong Ingress Controller 0.10.0 no longer supports `KongPlugin`s with a `global: true` label. See the [KIC changelog for 0.10.0](https://github.com/Kong/kubernetes-ingress-controller/blob/main/CHANGELOG.md#0100---20200915) for migration hints.
+
+### Dropping support for resources not specifying an ingress class
+
+Kong Ingress Controller 0.10.0 drops support for certain kinds of resources without a `kubernetes.io/ingress.class` annotation. See the [KIC changelog for 0.10.0](https://github.com/Kong/kubernetes-ingress-controller/blob/main/CHANGELOG.md#0100---20200915) for the exact list of those kinds, and for possible migration paths.
+
+## 1.9.0
+
+### New image for Enterprise controller-managed DB-less deployments
+
+As of Kong Enterprise 2.1.3.0, there is no longer a separate image
+(`kong-enterprise-k8s`) for controller-managed DB-less deployments. All Kong
+Enterprise deployments now use the `kong-enterprise-edition` image.
+
+Existing users of the `kong-enterprise-k8s` image can use the latest
+`kong-enterprise-edition` image as a drop-in replacement for the
+`kong-enterprise-k8s` image. You will also need to [create a Docker registry
+secret](https://github.com/Kong/charts/blob/main/charts/kong/README.md#kong-enterprise-docker-registry-access)
+for the `kong-enterprise-edition` registry and add it to `image.pullSecrets` in
+values.yaml if you do not have one already.
+
+### Changes to wait-for-postgres image
+
+Prior to 1.9.0, the chart launched a busybox initContainer for migration Pods
+to check Postgres' reachability [using
+netcat](https://github.com/Kong/charts/blob/kong-1.8.0/charts/kong/templates/_helpers.tpl#L626).
+
+As of 1.9.0, the chart uses a [bash
+script](https://github.com/Kong/charts/blob/kong-1.9.0/charts/kong/templates/wait-for-postgres-script.yaml)
+to perform the same connectivity check. The default `waitImage.repository`
+value is now `bash` rather than `busybox`. Double-check your values.yaml to
+confirm that you do not set `waitImage.repository` and `waitImage.tag` to the
+old defaults: if you do, remove that configuration before upgrading.
+
+The Helm upgrade cycle requires this script be available for upgrade jobs. On
+existing installations, you must first perform an initial `helm upgrade --set
+migrations.preUpgrade=false --migrations.postUpgrade=false` to chart 1.9.0.
+Perform this initial upgrade without making changes to your Kong image version:
+if you are upgrading Kong along with the chart, perform a separate upgrade
+after with the migration jobs re-enabled.
+
+If you do not override `waitImage.repository` in your releases, you do not need
+to make any other configuration changes when upgrading to 1.9.0.
+
+If you do override `waitImage.repository` to use a custom image, you must
+switch to a custom image that provides a `bash` executable. Note that busybox
+images, or images derived from it, do _not_ include a `bash` executable. We
+recommend switching to an image derived from the public bash Docker image or a
+base operating system image that provides a `bash` executable.
+
+## 1.6.0
+
+### Changes to Custom Resource Definitions
+
+The KongPlugin and KongClusterPlugin resources have changed. Helm 3's CRD
+management system does not modify CRDs during `helm upgrade`, and these must be
+updated manually:
+
+```
+kubectl apply -f https://raw.githubusercontent.com/Kong/charts/kong-1.6.0/charts/kong/crds/custom-resource-definitions.yaml
+```
+
+Existing plugin resources do not require changes; the CRD update only adds new
+fields.
+
+### Removal of default security context UID setting
+
+Versions of Kong prior to 2.0 and Kong Enterprise prior to 1.3 use Docker
+images that required setting a UID via Kubernetes in some environments
+(primarily OpenShift). This is no longer necessary with modern Docker images
+and can cause issues depending on other environment settings, so it was
+removed.
+
+Most users should not need to take any action, but if you encounter permissions
+errors when upgrading (`kubectl describe pod PODNAME` should contain any), you
+can restore it by adding the following to your values.yaml:
+
+```
+securityContext:
+  runAsUser: 1000
+```
+
+## 1.5.0
+
+### PodSecurityPolicy defaults to read-only root filesystem
+
+1.5.0 defaults to using a read-only root container filesystem if
+`podSecurityPolicy.enabled: true` is set in values.yaml. This improves
+security, but is incompatible with Kong Enterprise versions prior to 1.5. If
+you use an older version and enable PodSecurityPolicy, you must set
+`podSecurityPolicy.spec.readOnlyRootFilesystem: false`.
+
+Kong open-source and Kong for Kubernetes Enterprise are compatible with a
+read-only root filesystem on all versions.
+
+### Changes to migration job configuration
+
+Previously, all migration jobs were enabled/disabled through a single
+`runMigrations` setting. 1.5.0 splits these into toggles for each of the
+individual upgrade migrations:
+
+```
+migrations:
+  preUpgrade: true
+  postUpgrade: true
+```
+
+Initial migration jobs are now only run during `helm install` and are deleted
+automatically when users first run `helm upgrade`.
+
+Users should replace `runMigrations` with the above block from the latest
+values.yaml.
+
+The new format addresses several needs:
+* The initial migrations job are only created during the initial install,
+  preventing [conflicts on upgrades](https://github.com/Kong/charts/blob/main/charts/kong/FAQs.md#running-helm-upgrade-fails-because-of-old-init-migrations-job).
+* The upgrade migrations jobs can be disabled as need for managing
+  [multi-release clusters](https://github.com/Kong/charts/blob/main/charts/kong/README.md#separate-admin-and-proxy-nodes).
+  This enables management of clusters that have nodes with different roles,
+  e.g. nodes that only run the proxy and nodes that only run the admin API.
+* Migration jobs now allow specifying annotations, and provide a default set
+  of annotations that disable some service mesh sidecars. Because sidecar
+  containers do not terminate, they [prevent the jobs from completing](https://github.com/kubernetes/kubernetes/issues/25908).
+
+## 1.4.0
+
+### Changes to default Postgres permissions
+
+The [Postgres sub-chart](https://github.com/bitnami/charts/tree/master/bitnami/postgresql)
+used by this chart has modified the way their chart handles file permissions.
+This is not an issue for new installations, but prevents Postgres from starting
+if its PVC was created with an older version. If affected, your Postgres pod
+logs will show:
+
+```
+postgresql 19:16:04.03 INFO  ==> ** Starting PostgreSQL **
+2020-03-27 19:16:04.053 GMT [1] FATAL:  data directory "/bitnami/postgresql/data" has group or world access
+2020-03-27 19:16:04.053 GMT [1] DETAIL:  Permissions should be u=rwx (0700).
+```
+
+You can restore the old permission handling behavior by adding two settings to
+the `postgresql` block in values.yaml:
+
+```yaml
+postgresql:
+  enabled: true
+  postgresqlDataDir: /bitnami/postgresql/data
+  volumePermissions:
+    enabled: true
+```
+
+For background, see https://github.com/helm/charts/issues/13651
+
+### `strip_path` now defaults to `false` for controller-managed routes
+
+1.4.0 defaults to version 0.8 of the ingress controller, which changes the
+default value of the `strip_path` route setting from `true` to `false`. To
+understand how this works in practice, compare the upstream path for these
+requests when `strip_path` is toggled:
+
+| Ingress path | `strip_path` | Request path | Upstream path |
+|--------------|--------------|--------------|---------------|
+| /foo/bar     | true         | /foo/bar/baz | /baz          |
+| /foo/bar     | false        | /foo/bar/baz | /foo/bar/baz  |
+
+This change brings the controller in line with the Kubernetes Ingress
+specification, which expects that controllers will not modify the request
+before passing it upstream unless explicitly configured to do so.
+
+To preserve your existing route handling, you should add this annotation to
+your ingress resources:
+
+```
+konghq.com/strip-path: "true"
+```
+
+This is a new annotation that is equivalent to the `route.strip_path` setting
+in KongIngress resources. Note that if you have already set this to `false`,
+you should leave it as-is and not add an annotation to the ingress.
+
+### Changes to Kong service configuration
+
+1.4.0 reworks the templates and configuration used to generate Kong
+configuration and Kuberenetes resources for Kong's services (the admin API,
+proxy, Developer Portal, etc.). For the admin API, this requires breaking
+changes to the configuration format in values.yaml. Prior to 1.4.0, the admin
+API allowed a single listen only, which could be toggled between HTTPS and
+HTTP:
+
+```yaml
+admin:
+  enabled: false # create Service
+  useTLS: true
+  servicePort: 8444
+  containerPort: 8444
+```
+In 1.4.0+, the admin API allows enabling or disabling the HTTP and TLS listens
+independently. The equivalent of the above configuration is:
+
+```yaml
+admin:
+  enabled: false # create Service
+  http:
+    enabled: false # create HTTP listen
+    servicePort: 8001
+    containerPort: 8001
+    parameters: []
+
+  tls:
+    enabled: true # create HTTPS listen
+    servicePort: 8444
+    containerPort: 8444
+    parameters:
+    - http2
+```
+All Kong services now support `SERVICE.enabled` parameters: these allow
+disabling the creation of a Kubernetes Service resource for that Kong service,
+which is useful in configurations where nodes have different roles, e.g. where
+some nodes only handle proxy traffic and some only handle admin API traffic. To
+disable a Kong service completely, you should also set `SERVICE.http.enabled:
+false` and `SERVICE.tls.enabled: false`. Disabling creation of the Service
+resource only leaves the Kong service enabled, but only accessible within its
+pod. The admin API is configured with only Service creation disabled to allow
+the ingress controller to access it without allowing access from other pods.
+
+Services now also include a new `parameters` section that allows setting
+additional listen options, e.g. the `reuseport` and `backlog=16384` parameters
+from the [default 2.0.0 proxy
+listen](https://github.com/Kong/kong/blob/2.0.0/kong.conf.default#L186). For
+compatibility with older Kong versions, the chart defaults do not enable most
+of the newer parameters, only HTTP/2 support. Users of versions 1.3.0 and newer
+can safely add the new parameters.
+
+## 1.3.0
+
+### Removal of dedicated Portal authentication configuration parameters
+
+1.3.0 deprecates the `enterprise.portal.portal_auth` and
+`enterprise.portal.session_conf_secret` settings in values.yaml in favor of
+placing equivalent configuration under `env`. These settings are less important
+in Kong Enterprise 0.36+, as they can both be set per workspace in Kong
+Manager.
+
+These settings provide the default settings for Portal instances: when the
+"Authentication plugin" and "Session Config" dropdowns at
+https://manager.kong.example/WORKSPACE/portal/settings/ are set to "Default",
+the settings from `KONG_PORTAL_AUTH` and `KONG_PORTAL_SESSION_CONF` are used.
+If these environment variables are not set, the defaults are to use
+`basic-auth` and `{}` (which applies the [session plugin default
+configuration](https://docs.konghq.com/hub/kong-inc/session/)).
+
+If you set nonstandard defaults and wish to keep using these settings, or use
+Kong Enterprise 0.35 (which did not provide a means to set per-workspace
+session configuration) you should convert them to environment variables. For
+example, if you currently have:
+
+```yaml
+portal:
+  enabled: true
+  portal_auth: basic-auth
+  session_conf_secret: portal-session
+```
+You should remove the `portal_auth` and `session_conf_secret` entries and
+replace them with their equivalents under the `env` block:
+
+```yaml
+env:
+  portal_auth: basic-auth
+  portal_session_conf:
+    valueFrom:
+      secretKeyRef:
+        name: portal-session
+        key: portal_session_conf
+```
diff --git a/helm/infrastructure/subcharts/kong/charts/postgresql/.helmignore b/helm/infrastructure/subcharts/kong/charts/postgresql/.helmignore
new file mode 100644 (file)
index 0000000..f0c1319
--- /dev/null
@@ -0,0 +1,21 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
diff --git a/helm/infrastructure/subcharts/kong/charts/postgresql/Chart.yaml b/helm/infrastructure/subcharts/kong/charts/postgresql/Chart.yaml
new file mode 100644 (file)
index 0000000..367b7eb
--- /dev/null
@@ -0,0 +1,28 @@
+annotations:
+  category: Database
+apiVersion: v2
+appVersion: 14.5.0
+dependencies:
+- name: common
+  repository: https://charts.bitnami.com/bitnami
+  tags:
+  - bitnami-common
+  version: 2.x.x
+description: PostgreSQL (Postgres) is an open source object-relational database known for reliability and data integrity. ACID-compliant, it supports foreign keys, joins, views, triggers and stored procedures.
+home: https://github.com/bitnami/charts/tree/main/bitnami/postgresql
+icon: https://bitnami.com/assets/stacks/postgresql/img/postgresql-stack-220x234.png
+keywords:
+- postgresql
+- postgres
+- database
+- sql
+- replication
+- cluster
+maintainers:
+- name: Bitnami
+  url: https://github.com/bitnami/charts
+name: postgresql
+sources:
+- https://github.com/bitnami/containers/tree/main/bitnami/postgresql
+- https://www.postgresql.org/
+version: 11.9.13
diff --git a/helm/infrastructure/subcharts/kong/charts/postgresql/README.md b/helm/infrastructure/subcharts/kong/charts/postgresql/README.md
new file mode 100644 (file)
index 0000000..28eed1c
--- /dev/null
@@ -0,0 +1,683 @@
+<!--- app-name: PostgreSQL -->
+
+# PostgreSQL packaged by Bitnami
+
+PostgreSQL (Postgres) is an open source object-relational database known for reliability and data integrity. ACID-compliant, it supports foreign keys, joins, views, triggers and stored procedures.
+
+[Overview of PostgreSQL](http://www.postgresql.org)
+
+Trademarks: This software listing is packaged by Bitnami. The respective trademarks mentioned in the offering are owned by the respective companies, and use of them does not imply any affiliation or endorsement.
+                           
+## TL;DR
+
+```bash
+helm repo add my-repo https://charts.bitnami.com/bitnami
+helm install my-release my-repo/postgresql
+```
+
+## Introduction
+
+This chart bootstraps a [PostgreSQL](https://github.com/bitnami/containers/tree/main/bitnami/postgresql) deployment on a [Kubernetes](https://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager.
+
+For HA, please see [this repo](https://github.com/bitnami/charts/tree/main/bitnami/postgresql-ha)
+
+Bitnami charts can be used with [Kubeapps](https://kubeapps.dev/) for deployment and management of Helm Charts in clusters.
+
+## Prerequisites
+
+- Kubernetes 1.19+
+- Helm 3.2.0+
+- PV provisioner support in the underlying infrastructure
+
+## Installing the Chart
+
+To install the chart with the release name `my-release`:
+
+```bash
+helm install my-release my-repo/postgresql
+```
+
+The command deploys PostgreSQL on the Kubernetes cluster in the default configuration. The [Parameters](#parameters) section lists the parameters that can be configured during installation.
+
+> **Tip**: List all releases using `helm list`
+
+## Uninstalling the Chart
+
+To uninstall/delete the `my-release` deployment:
+
+```console
+helm delete my-release
+```
+
+The command removes all the Kubernetes components but PVC's associated with the chart and deletes the release.
+
+To delete the PVC's associated with `my-release`:
+
+```bash
+kubectl delete pvc -l release=my-release
+```
+
+> **Note**: Deleting the PVC's will delete postgresql data as well. Please be cautious before doing it.
+
+## Parameters
+
+### Global parameters
+
+| Name                                                       | Description                                                                                                                                                                           | Value |
+| ---------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----- |
+| `global.imageRegistry`                                     | Global Docker image registry                                                                                                                                                          | `""`  |
+| `global.imagePullSecrets`                                  | Global Docker registry secret names as an array                                                                                                                                       | `[]`  |
+| `global.storageClass`                                      | Global StorageClass for Persistent Volume(s)                                                                                                                                          | `""`  |
+| `global.postgresql.auth.postgresPassword`                  | Password for the "postgres" admin user (overrides `auth.postgresPassword`)                                                                                                            | `""`  |
+| `global.postgresql.auth.username`                          | Name for a custom user to create (overrides `auth.username`)                                                                                                                          | `""`  |
+| `global.postgresql.auth.password`                          | Password for the custom user to create (overrides `auth.password`)                                                                                                                    | `""`  |
+| `global.postgresql.auth.database`                          | Name for a custom database to create (overrides `auth.database`)                                                                                                                      | `""`  |
+| `global.postgresql.auth.existingSecret`                    | Name of existing secret to use for PostgreSQL credentials (overrides `auth.existingSecret`).                                                                                          | `""`  |
+| `global.postgresql.auth.secretKeys.adminPasswordKey`       | Name of key in existing secret to use for PostgreSQL credentials (overrides `auth.secretKeys.adminPasswordKey`). Only used when `global.postgresql.auth.existingSecret` is set.       | `""`  |
+| `global.postgresql.auth.secretKeys.userPasswordKey`        | Name of key in existing secret to use for PostgreSQL credentials (overrides `auth.secretKeys.userPasswordKey`). Only used when `global.postgresql.auth.existingSecret` is set.        | `""`  |
+| `global.postgresql.auth.secretKeys.replicationPasswordKey` | Name of key in existing secret to use for PostgreSQL credentials (overrides `auth.secretKeys.replicationPasswordKey`). Only used when `global.postgresql.auth.existingSecret` is set. | `""`  |
+| `global.postgresql.service.ports.postgresql`               | PostgreSQL service port (overrides `service.ports.postgresql`)                                                                                                                        | `""`  |
+
+
+### Common parameters
+
+| Name                     | Description                                                                                  | Value           |
+| ------------------------ | -------------------------------------------------------------------------------------------- | --------------- |
+| `kubeVersion`            | Override Kubernetes version                                                                  | `""`            |
+| `nameOverride`           | String to partially override common.names.fullname template (will maintain the release name) | `""`            |
+| `fullnameOverride`       | String to fully override common.names.fullname template                                      | `""`            |
+| `clusterDomain`          | Kubernetes Cluster Domain                                                                    | `cluster.local` |
+| `extraDeploy`            | Array of extra objects to deploy with the release (evaluated as a template)                  | `[]`            |
+| `commonLabels`           | Add labels to all the deployed resources                                                     | `{}`            |
+| `commonAnnotations`      | Add annotations to all the deployed resources                                                | `{}`            |
+| `diagnosticMode.enabled` | Enable diagnostic mode (all probes will be disabled and the command will be overridden)      | `false`         |
+| `diagnosticMode.command` | Command to override all containers in the statefulset                                        | `["sleep"]`     |
+| `diagnosticMode.args`    | Args to override all containers in the statefulset                                           | `["infinity"]`  |
+
+
+### PostgreSQL common parameters
+
+| Name                                     | Description                                                                                                                                                                                                                                                                                                                                   | Value                      |
+| ---------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------- |
+| `image.registry`                         | PostgreSQL image registry                                                                                                                                                                                                                                                                                                                     | `docker.io`                |
+| `image.repository`                       | PostgreSQL image repository                                                                                                                                                                                                                                                                                                                   | `bitnami/postgresql`       |
+| `image.tag`                              | PostgreSQL image tag (immutable tags are recommended)                                                                                                                                                                                                                                                                                         | `14.5.0-debian-11-r35`     |
+| `image.digest`                           | PostgreSQL image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag                                                                                                                                                                                                                                    | `""`                       |
+| `image.pullPolicy`                       | PostgreSQL image pull policy                                                                                                                                                                                                                                                                                                                  | `IfNotPresent`             |
+| `image.pullSecrets`                      | Specify image pull secrets                                                                                                                                                                                                                                                                                                                    | `[]`                       |
+| `image.debug`                            | Specify if debug values should be set                                                                                                                                                                                                                                                                                                         | `false`                    |
+| `auth.enablePostgresUser`                | Assign a password to the "postgres" admin user. Otherwise, remote access will be blocked for this user                                                                                                                                                                                                                                        | `true`                     |
+| `auth.postgresPassword`                  | Password for the "postgres" admin user. Ignored if `auth.existingSecret` with key `postgres-password` is provided                                                                                                                                                                                                                             | `""`                       |
+| `auth.username`                          | Name for a custom user to create                                                                                                                                                                                                                                                                                                              | `""`                       |
+| `auth.password`                          | Password for the custom user to create. Ignored if `auth.existingSecret` with key `password` is provided                                                                                                                                                                                                                                      | `""`                       |
+| `auth.database`                          | Name for a custom database to create                                                                                                                                                                                                                                                                                                          | `""`                       |
+| `auth.replicationUsername`               | Name of the replication user                                                                                                                                                                                                                                                                                                                  | `repl_user`                |
+| `auth.replicationPassword`               | Password for the replication user. Ignored if `auth.existingSecret` with key `replication-password` is provided                                                                                                                                                                                                                               | `""`                       |
+| `auth.existingSecret`                    | Name of existing secret to use for PostgreSQL credentials. `auth.postgresPassword`, `auth.password`, and `auth.replicationPassword` will be ignored and picked up from this secret. The secret might also contains the key `ldap-password` if LDAP is enabled. `ldap.bind_password` will be ignored and picked from this secret in this case. | `""`                       |
+| `auth.secretKeys.adminPasswordKey`       | Name of key in existing secret to use for PostgreSQL credentials. Only used when `auth.existingSecret` is set.                                                                                                                                                                                                                                | `postgres-password`        |
+| `auth.secretKeys.userPasswordKey`        | Name of key in existing secret to use for PostgreSQL credentials. Only used when `auth.existingSecret` is set.                                                                                                                                                                                                                                | `password`                 |
+| `auth.secretKeys.replicationPasswordKey` | Name of key in existing secret to use for PostgreSQL credentials. Only used when `auth.existingSecret` is set.                                                                                                                                                                                                                                | `replication-password`     |
+| `auth.usePasswordFiles`                  | Mount credentials as a files instead of using an environment variable                                                                                                                                                                                                                                                                         | `false`                    |
+| `architecture`                           | PostgreSQL architecture (`standalone` or `replication`)                                                                                                                                                                                                                                                                                       | `standalone`               |
+| `replication.synchronousCommit`          | Set synchronous commit mode. Allowed values: `on`, `remote_apply`, `remote_write`, `local` and `off`                                                                                                                                                                                                                                          | `off`                      |
+| `replication.numSynchronousReplicas`     | Number of replicas that will have synchronous replication. Note: Cannot be greater than `readReplicas.replicaCount`.                                                                                                                                                                                                                          | `0`                        |
+| `replication.applicationName`            | Cluster application name. Useful for advanced replication settings                                                                                                                                                                                                                                                                            | `my_application`           |
+| `containerPorts.postgresql`              | PostgreSQL container port                                                                                                                                                                                                                                                                                                                     | `5432`                     |
+| `audit.logHostname`                      | Log client hostnames                                                                                                                                                                                                                                                                                                                          | `false`                    |
+| `audit.logConnections`                   | Add client log-in operations to the log file                                                                                                                                                                                                                                                                                                  | `false`                    |
+| `audit.logDisconnections`                | Add client log-outs operations to the log file                                                                                                                                                                                                                                                                                                | `false`                    |
+| `audit.pgAuditLog`                       | Add operations to log using the pgAudit extension                                                                                                                                                                                                                                                                                             | `""`                       |
+| `audit.pgAuditLogCatalog`                | Log catalog using pgAudit                                                                                                                                                                                                                                                                                                                     | `off`                      |
+| `audit.clientMinMessages`                | Message log level to share with the user                                                                                                                                                                                                                                                                                                      | `error`                    |
+| `audit.logLinePrefix`                    | Template for log line prefix (default if not set)                                                                                                                                                                                                                                                                                             | `""`                       |
+| `audit.logTimezone`                      | Timezone for the log timestamps                                                                                                                                                                                                                                                                                                               | `""`                       |
+| `ldap.enabled`                           | Enable LDAP support                                                                                                                                                                                                                                                                                                                           | `false`                    |
+| `ldap.server`                            | IP address or name of the LDAP server.                                                                                                                                                                                                                                                                                                        | `""`                       |
+| `ldap.port`                              | Port number on the LDAP server to connect to                                                                                                                                                                                                                                                                                                  | `""`                       |
+| `ldap.prefix`                            | String to prepend to the user name when forming the DN to bind                                                                                                                                                                                                                                                                                | `""`                       |
+| `ldap.suffix`                            | String to append to the user name when forming the DN to bind                                                                                                                                                                                                                                                                                 | `""`                       |
+| `ldap.basedn`                            | Root DN to begin the search for the user in                                                                                                                                                                                                                                                                                                   | `""`                       |
+| `ldap.binddn`                            | DN of user to bind to LDAP                                                                                                                                                                                                                                                                                                                    | `""`                       |
+| `ldap.bindpw`                            | Password for the user to bind to LDAP                                                                                                                                                                                                                                                                                                         | `""`                       |
+| `ldap.searchAttribute`                   | Attribute to match against the user name in the search                                                                                                                                                                                                                                                                                        | `""`                       |
+| `ldap.searchFilter`                      | The search filter to use when doing search+bind authentication                                                                                                                                                                                                                                                                                | `""`                       |
+| `ldap.scheme`                            | Set to `ldaps` to use LDAPS                                                                                                                                                                                                                                                                                                                   | `""`                       |
+| `ldap.tls.enabled`                       | Se to true to enable TLS encryption                                                                                                                                                                                                                                                                                                           | `false`                    |
+| `ldap.uri`                               | LDAP URL beginning in the form `ldap[s]://host[:port]/basedn`. If provided, all the other LDAP parameters will be ignored.                                                                                                                                                                                                                    | `""`                       |
+| `postgresqlDataDir`                      | PostgreSQL data dir folder                                                                                                                                                                                                                                                                                                                    | `/bitnami/postgresql/data` |
+| `postgresqlSharedPreloadLibraries`       | Shared preload libraries (comma-separated list)                                                                                                                                                                                                                                                                                               | `pgaudit`                  |
+| `shmVolume.enabled`                      | Enable emptyDir volume for /dev/shm for PostgreSQL pod(s)                                                                                                                                                                                                                                                                                     | `true`                     |
+| `shmVolume.sizeLimit`                    | Set this to enable a size limit on the shm tmpfs                                                                                                                                                                                                                                                                                              | `""`                       |
+| `tls.enabled`                            | Enable TLS traffic support                                                                                                                                                                                                                                                                                                                    | `false`                    |
+| `tls.autoGenerated`                      | Generate automatically self-signed TLS certificates                                                                                                                                                                                                                                                                                           | `false`                    |
+| `tls.preferServerCiphers`                | Whether to use the server's TLS cipher preferences rather than the client's                                                                                                                                                                                                                                                                   | `true`                     |
+| `tls.certificatesSecret`                 | Name of an existing secret that contains the certificates                                                                                                                                                                                                                                                                                     | `""`                       |
+| `tls.certFilename`                       | Certificate filename                                                                                                                                                                                                                                                                                                                          | `""`                       |
+| `tls.certKeyFilename`                    | Certificate key filename                                                                                                                                                                                                                                                                                                                      | `""`                       |
+| `tls.certCAFilename`                     | CA Certificate filename                                                                                                                                                                                                                                                                                                                       | `""`                       |
+| `tls.crlFilename`                        | File containing a Certificate Revocation List                                                                                                                                                                                                                                                                                                 | `""`                       |
+
+
+### PostgreSQL Primary parameters
+
+| Name                                         | Description                                                                                                              | Value                 |
+| -------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------ | --------------------- |
+| `primary.name`                               | Name of the primary database (eg primary, master, leader, ...)                                                           | `primary`             |
+| `primary.configuration`                      | PostgreSQL Primary main configuration to be injected as ConfigMap                                                        | `""`                  |
+| `primary.pgHbaConfiguration`                 | PostgreSQL Primary client authentication configuration                                                                   | `""`                  |
+| `primary.existingConfigmap`                  | Name of an existing ConfigMap with PostgreSQL Primary configuration                                                      | `""`                  |
+| `primary.extendedConfiguration`              | Extended PostgreSQL Primary configuration (appended to main or default configuration)                                    | `""`                  |
+| `primary.existingExtendedConfigmap`          | Name of an existing ConfigMap with PostgreSQL Primary extended configuration                                             | `""`                  |
+| `primary.initdb.args`                        | PostgreSQL initdb extra arguments                                                                                        | `""`                  |
+| `primary.initdb.postgresqlWalDir`            | Specify a custom location for the PostgreSQL transaction log                                                             | `""`                  |
+| `primary.initdb.scripts`                     | Dictionary of initdb scripts                                                                                             | `{}`                  |
+| `primary.initdb.scriptsConfigMap`            | ConfigMap with scripts to be run at first boot                                                                           | `""`                  |
+| `primary.initdb.scriptsSecret`               | Secret with scripts to be run at first boot (in case it contains sensitive information)                                  | `""`                  |
+| `primary.initdb.user`                        | Specify the PostgreSQL username to execute the initdb scripts                                                            | `""`                  |
+| `primary.initdb.password`                    | Specify the PostgreSQL password to execute the initdb scripts                                                            | `""`                  |
+| `primary.standby.enabled`                    | Whether to enable current cluster's primary as standby server of another cluster or not                                  | `false`               |
+| `primary.standby.primaryHost`                | The Host of replication primary in the other cluster                                                                     | `""`                  |
+| `primary.standby.primaryPort`                | The Port of replication primary in the other cluster                                                                     | `""`                  |
+| `primary.extraEnvVars`                       | Array with extra environment variables to add to PostgreSQL Primary nodes                                                | `[]`                  |
+| `primary.extraEnvVarsCM`                     | Name of existing ConfigMap containing extra env vars for PostgreSQL Primary nodes                                        | `""`                  |
+| `primary.extraEnvVarsSecret`                 | Name of existing Secret containing extra env vars for PostgreSQL Primary nodes                                           | `""`                  |
+| `primary.command`                            | Override default container command (useful when using custom images)                                                     | `[]`                  |
+| `primary.args`                               | Override default container args (useful when using custom images)                                                        | `[]`                  |
+| `primary.livenessProbe.enabled`              | Enable livenessProbe on PostgreSQL Primary containers                                                                    | `true`                |
+| `primary.livenessProbe.initialDelaySeconds`  | Initial delay seconds for livenessProbe                                                                                  | `30`                  |
+| `primary.livenessProbe.periodSeconds`        | Period seconds for livenessProbe                                                                                         | `10`                  |
+| `primary.livenessProbe.timeoutSeconds`       | Timeout seconds for livenessProbe                                                                                        | `5`                   |
+| `primary.livenessProbe.failureThreshold`     | Failure threshold for livenessProbe                                                                                      | `6`                   |
+| `primary.livenessProbe.successThreshold`     | Success threshold for livenessProbe                                                                                      | `1`                   |
+| `primary.readinessProbe.enabled`             | Enable readinessProbe on PostgreSQL Primary containers                                                                   | `true`                |
+| `primary.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe                                                                                 | `5`                   |
+| `primary.readinessProbe.periodSeconds`       | Period seconds for readinessProbe                                                                                        | `10`                  |
+| `primary.readinessProbe.timeoutSeconds`      | Timeout seconds for readinessProbe                                                                                       | `5`                   |
+| `primary.readinessProbe.failureThreshold`    | Failure threshold for readinessProbe                                                                                     | `6`                   |
+| `primary.readinessProbe.successThreshold`    | Success threshold for readinessProbe                                                                                     | `1`                   |
+| `primary.startupProbe.enabled`               | Enable startupProbe on PostgreSQL Primary containers                                                                     | `false`               |
+| `primary.startupProbe.initialDelaySeconds`   | Initial delay seconds for startupProbe                                                                                   | `30`                  |
+| `primary.startupProbe.periodSeconds`         | Period seconds for startupProbe                                                                                          | `10`                  |
+| `primary.startupProbe.timeoutSeconds`        | Timeout seconds for startupProbe                                                                                         | `1`                   |
+| `primary.startupProbe.failureThreshold`      | Failure threshold for startupProbe                                                                                       | `15`                  |
+| `primary.startupProbe.successThreshold`      | Success threshold for startupProbe                                                                                       | `1`                   |
+| `primary.customLivenessProbe`                | Custom livenessProbe that overrides the default one                                                                      | `{}`                  |
+| `primary.customReadinessProbe`               | Custom readinessProbe that overrides the default one                                                                     | `{}`                  |
+| `primary.customStartupProbe`                 | Custom startupProbe that overrides the default one                                                                       | `{}`                  |
+| `primary.lifecycleHooks`                     | for the PostgreSQL Primary container to automate configuration before or after startup                                   | `{}`                  |
+| `primary.resources.limits`                   | The resources limits for the PostgreSQL Primary containers                                                               | `{}`                  |
+| `primary.resources.requests.memory`          | The requested memory for the PostgreSQL Primary containers                                                               | `256Mi`               |
+| `primary.resources.requests.cpu`             | The requested cpu for the PostgreSQL Primary containers                                                                  | `250m`                |
+| `primary.podSecurityContext.enabled`         | Enable security context                                                                                                  | `true`                |
+| `primary.podSecurityContext.fsGroup`         | Group ID for the pod                                                                                                     | `1001`                |
+| `primary.containerSecurityContext.enabled`   | Enable container security context                                                                                        | `true`                |
+| `primary.containerSecurityContext.runAsUser` | User ID for the container                                                                                                | `1001`                |
+| `primary.hostAliases`                        | PostgreSQL primary pods host aliases                                                                                     | `[]`                  |
+| `primary.hostNetwork`                        | Specify if host network should be enabled for PostgreSQL pod (postgresql primary)                                        | `false`               |
+| `primary.hostIPC`                            | Specify if host IPC should be enabled for PostgreSQL pod (postgresql primary)                                            | `false`               |
+| `primary.labels`                             | Map of labels to add to the statefulset (postgresql primary)                                                             | `{}`                  |
+| `primary.annotations`                        | Annotations for PostgreSQL primary pods                                                                                  | `{}`                  |
+| `primary.podLabels`                          | Map of labels to add to the pods (postgresql primary)                                                                    | `{}`                  |
+| `primary.podAnnotations`                     | Map of annotations to add to the pods (postgresql primary)                                                               | `{}`                  |
+| `primary.podAffinityPreset`                  | PostgreSQL primary pod affinity preset. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard`           | `""`                  |
+| `primary.podAntiAffinityPreset`              | PostgreSQL primary pod anti-affinity preset. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard`      | `soft`                |
+| `primary.nodeAffinityPreset.type`            | PostgreSQL primary node affinity preset type. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard`     | `""`                  |
+| `primary.nodeAffinityPreset.key`             | PostgreSQL primary node label key to match Ignored if `primary.affinity` is set.                                         | `""`                  |
+| `primary.nodeAffinityPreset.values`          | PostgreSQL primary node label values to match. Ignored if `primary.affinity` is set.                                     | `[]`                  |
+| `primary.affinity`                           | Affinity for PostgreSQL primary pods assignment                                                                          | `{}`                  |
+| `primary.nodeSelector`                       | Node labels for PostgreSQL primary pods assignment                                                                       | `{}`                  |
+| `primary.tolerations`                        | Tolerations for PostgreSQL primary pods assignment                                                                       | `[]`                  |
+| `primary.topologySpreadConstraints`          | Topology Spread Constraints for pod assignment spread across your cluster among failure-domains. Evaluated as a template | `[]`                  |
+| `primary.priorityClassName`                  | Priority Class to use for each pod (postgresql primary)                                                                  | `""`                  |
+| `primary.schedulerName`                      | Use an alternate scheduler, e.g. "stork".                                                                                | `""`                  |
+| `primary.terminationGracePeriodSeconds`      | Seconds PostgreSQL primary pod needs to terminate gracefully                                                             | `""`                  |
+| `primary.updateStrategy.type`                | PostgreSQL Primary statefulset strategy type                                                                             | `RollingUpdate`       |
+| `primary.updateStrategy.rollingUpdate`       | PostgreSQL Primary statefulset rolling update configuration parameters                                                   | `{}`                  |
+| `primary.extraVolumeMounts`                  | Optionally specify extra list of additional volumeMounts for the PostgreSQL Primary container(s)                         | `[]`                  |
+| `primary.extraVolumes`                       | Optionally specify extra list of additional volumes for the PostgreSQL Primary pod(s)                                    | `[]`                  |
+| `primary.sidecars`                           | Add additional sidecar containers to the PostgreSQL Primary pod(s)                                                       | `[]`                  |
+| `primary.initContainers`                     | Add additional init containers to the PostgreSQL Primary pod(s)                                                          | `[]`                  |
+| `primary.extraPodSpec`                       | Optionally specify extra PodSpec for the PostgreSQL Primary pod(s)                                                       | `{}`                  |
+| `primary.service.type`                       | Kubernetes Service type                                                                                                  | `ClusterIP`           |
+| `primary.service.ports.postgresql`           | PostgreSQL service port                                                                                                  | `5432`                |
+| `primary.service.nodePorts.postgresql`       | Node port for PostgreSQL                                                                                                 | `""`                  |
+| `primary.service.clusterIP`                  | Static clusterIP or None for headless services                                                                           | `""`                  |
+| `primary.service.annotations`                | Annotations for PostgreSQL primary service                                                                               | `{}`                  |
+| `primary.service.loadBalancerIP`             | Load balancer IP if service type is `LoadBalancer`                                                                       | `""`                  |
+| `primary.service.externalTrafficPolicy`      | Enable client source IP preservation                                                                                     | `Cluster`             |
+| `primary.service.loadBalancerSourceRanges`   | Addresses that are allowed when service is LoadBalancer                                                                  | `[]`                  |
+| `primary.service.extraPorts`                 | Extra ports to expose in the PostgreSQL primary service                                                                  | `[]`                  |
+| `primary.service.sessionAffinity`            | Session Affinity for Kubernetes service, can be "None" or "ClientIP"                                                     | `None`                |
+| `primary.service.sessionAffinityConfig`      | Additional settings for the sessionAffinity                                                                              | `{}`                  |
+| `primary.persistence.enabled`                | Enable PostgreSQL Primary data persistence using PVC                                                                     | `true`                |
+| `primary.persistence.existingClaim`          | Name of an existing PVC to use                                                                                           | `""`                  |
+| `primary.persistence.mountPath`              | The path the volume will be mounted at                                                                                   | `/bitnami/postgresql` |
+| `primary.persistence.subPath`                | The subdirectory of the volume to mount to                                                                               | `""`                  |
+| `primary.persistence.storageClass`           | PVC Storage Class for PostgreSQL Primary data volume                                                                     | `""`                  |
+| `primary.persistence.accessModes`            | PVC Access Mode for PostgreSQL volume                                                                                    | `["ReadWriteOnce"]`   |
+| `primary.persistence.size`                   | PVC Storage Request for PostgreSQL volume                                                                                | `8Gi`                 |
+| `primary.persistence.annotations`            | Annotations for the PVC                                                                                                  | `{}`                  |
+| `primary.persistence.labels`                 | Labels for the PVC                                                                                                       | `{}`                  |
+| `primary.persistence.selector`               | Selector to match an existing Persistent Volume (this value is evaluated as a template)                                  | `{}`                  |
+| `primary.persistence.dataSource`             | Custom PVC data source                                                                                                   | `{}`                  |
+
+
+### PostgreSQL read only replica parameters (only used when `architecture` is set to `replication`)
+
+| Name                                              | Description                                                                                                              | Value                 |
+| ------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------ | --------------------- |
+| `readReplicas.name`                               | Name of the read replicas database (eg secondary, slave, ...)                                                            | `read`                |
+| `readReplicas.replicaCount`                       | Number of PostgreSQL read only replicas                                                                                  | `1`                   |
+| `readReplicas.extendedConfiguration`              | Extended PostgreSQL read only replicas configuration (appended to main or default configuration)                         | `""`                  |
+| `readReplicas.extraEnvVars`                       | Array with extra environment variables to add to PostgreSQL read only nodes                                              | `[]`                  |
+| `readReplicas.extraEnvVarsCM`                     | Name of existing ConfigMap containing extra env vars for PostgreSQL read only nodes                                      | `""`                  |
+| `readReplicas.extraEnvVarsSecret`                 | Name of existing Secret containing extra env vars for PostgreSQL read only nodes                                         | `""`                  |
+| `readReplicas.command`                            | Override default container command (useful when using custom images)                                                     | `[]`                  |
+| `readReplicas.args`                               | Override default container args (useful when using custom images)                                                        | `[]`                  |
+| `readReplicas.livenessProbe.enabled`              | Enable livenessProbe on PostgreSQL read only containers                                                                  | `true`                |
+| `readReplicas.livenessProbe.initialDelaySeconds`  | Initial delay seconds for livenessProbe                                                                                  | `30`                  |
+| `readReplicas.livenessProbe.periodSeconds`        | Period seconds for livenessProbe                                                                                         | `10`                  |
+| `readReplicas.livenessProbe.timeoutSeconds`       | Timeout seconds for livenessProbe                                                                                        | `5`                   |
+| `readReplicas.livenessProbe.failureThreshold`     | Failure threshold for livenessProbe                                                                                      | `6`                   |
+| `readReplicas.livenessProbe.successThreshold`     | Success threshold for livenessProbe                                                                                      | `1`                   |
+| `readReplicas.readinessProbe.enabled`             | Enable readinessProbe on PostgreSQL read only containers                                                                 | `true`                |
+| `readReplicas.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe                                                                                 | `5`                   |
+| `readReplicas.readinessProbe.periodSeconds`       | Period seconds for readinessProbe                                                                                        | `10`                  |
+| `readReplicas.readinessProbe.timeoutSeconds`      | Timeout seconds for readinessProbe                                                                                       | `5`                   |
+| `readReplicas.readinessProbe.failureThreshold`    | Failure threshold for readinessProbe                                                                                     | `6`                   |
+| `readReplicas.readinessProbe.successThreshold`    | Success threshold for readinessProbe                                                                                     | `1`                   |
+| `readReplicas.startupProbe.enabled`               | Enable startupProbe on PostgreSQL read only containers                                                                   | `false`               |
+| `readReplicas.startupProbe.initialDelaySeconds`   | Initial delay seconds for startupProbe                                                                                   | `30`                  |
+| `readReplicas.startupProbe.periodSeconds`         | Period seconds for startupProbe                                                                                          | `10`                  |
+| `readReplicas.startupProbe.timeoutSeconds`        | Timeout seconds for startupProbe                                                                                         | `1`                   |
+| `readReplicas.startupProbe.failureThreshold`      | Failure threshold for startupProbe                                                                                       | `15`                  |
+| `readReplicas.startupProbe.successThreshold`      | Success threshold for startupProbe                                                                                       | `1`                   |
+| `readReplicas.customLivenessProbe`                | Custom livenessProbe that overrides the default one                                                                      | `{}`                  |
+| `readReplicas.customReadinessProbe`               | Custom readinessProbe that overrides the default one                                                                     | `{}`                  |
+| `readReplicas.customStartupProbe`                 | Custom startupProbe that overrides the default one                                                                       | `{}`                  |
+| `readReplicas.lifecycleHooks`                     | for the PostgreSQL read only container to automate configuration before or after startup                                 | `{}`                  |
+| `readReplicas.resources.limits`                   | The resources limits for the PostgreSQL read only containers                                                             | `{}`                  |
+| `readReplicas.resources.requests.memory`          | The requested memory for the PostgreSQL read only containers                                                             | `256Mi`               |
+| `readReplicas.resources.requests.cpu`             | The requested cpu for the PostgreSQL read only containers                                                                | `250m`                |
+| `readReplicas.podSecurityContext.enabled`         | Enable security context                                                                                                  | `true`                |
+| `readReplicas.podSecurityContext.fsGroup`         | Group ID for the pod                                                                                                     | `1001`                |
+| `readReplicas.containerSecurityContext.enabled`   | Enable container security context                                                                                        | `true`                |
+| `readReplicas.containerSecurityContext.runAsUser` | User ID for the container                                                                                                | `1001`                |
+| `readReplicas.hostAliases`                        | PostgreSQL read only pods host aliases                                                                                   | `[]`                  |
+| `readReplicas.hostNetwork`                        | Specify if host network should be enabled for PostgreSQL pod (PostgreSQL read only)                                      | `false`               |
+| `readReplicas.hostIPC`                            | Specify if host IPC should be enabled for PostgreSQL pod (postgresql primary)                                            | `false`               |
+| `readReplicas.labels`                             | Map of labels to add to the statefulset (PostgreSQL read only)                                                           | `{}`                  |
+| `readReplicas.annotations`                        | Annotations for PostgreSQL read only pods                                                                                | `{}`                  |
+| `readReplicas.podLabels`                          | Map of labels to add to the pods (PostgreSQL read only)                                                                  | `{}`                  |
+| `readReplicas.podAnnotations`                     | Map of annotations to add to the pods (PostgreSQL read only)                                                             | `{}`                  |
+| `readReplicas.podAffinityPreset`                  | PostgreSQL read only pod affinity preset. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard`         | `""`                  |
+| `readReplicas.podAntiAffinityPreset`              | PostgreSQL read only pod anti-affinity preset. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard`    | `soft`                |
+| `readReplicas.nodeAffinityPreset.type`            | PostgreSQL read only node affinity preset type. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard`   | `""`                  |
+| `readReplicas.nodeAffinityPreset.key`             | PostgreSQL read only node label key to match Ignored if `primary.affinity` is set.                                       | `""`                  |
+| `readReplicas.nodeAffinityPreset.values`          | PostgreSQL read only node label values to match. Ignored if `primary.affinity` is set.                                   | `[]`                  |
+| `readReplicas.affinity`                           | Affinity for PostgreSQL read only pods assignment                                                                        | `{}`                  |
+| `readReplicas.nodeSelector`                       | Node labels for PostgreSQL read only pods assignment                                                                     | `{}`                  |
+| `readReplicas.tolerations`                        | Tolerations for PostgreSQL read only pods assignment                                                                     | `[]`                  |
+| `readReplicas.topologySpreadConstraints`          | Topology Spread Constraints for pod assignment spread across your cluster among failure-domains. Evaluated as a template | `[]`                  |
+| `readReplicas.priorityClassName`                  | Priority Class to use for each pod (PostgreSQL read only)                                                                | `""`                  |
+| `readReplicas.schedulerName`                      | Use an alternate scheduler, e.g. "stork".                                                                                | `""`                  |
+| `readReplicas.terminationGracePeriodSeconds`      | Seconds PostgreSQL read only pod needs to terminate gracefully                                                           | `""`                  |
+| `readReplicas.updateStrategy.type`                | PostgreSQL read only statefulset strategy type                                                                           | `RollingUpdate`       |
+| `readReplicas.updateStrategy.rollingUpdate`       | PostgreSQL read only statefulset rolling update configuration parameters                                                 | `{}`                  |
+| `readReplicas.extraVolumeMounts`                  | Optionally specify extra list of additional volumeMounts for the PostgreSQL read only container(s)                       | `[]`                  |
+| `readReplicas.extraVolumes`                       | Optionally specify extra list of additional volumes for the PostgreSQL read only pod(s)                                  | `[]`                  |
+| `readReplicas.sidecars`                           | Add additional sidecar containers to the PostgreSQL read only pod(s)                                                     | `[]`                  |
+| `readReplicas.initContainers`                     | Add additional init containers to the PostgreSQL read only pod(s)                                                        | `[]`                  |
+| `readReplicas.extraPodSpec`                       | Optionally specify extra PodSpec for the PostgreSQL read only pod(s)                                                     | `{}`                  |
+| `readReplicas.service.type`                       | Kubernetes Service type                                                                                                  | `ClusterIP`           |
+| `readReplicas.service.ports.postgresql`           | PostgreSQL service port                                                                                                  | `5432`                |
+| `readReplicas.service.nodePorts.postgresql`       | Node port for PostgreSQL                                                                                                 | `""`                  |
+| `readReplicas.service.clusterIP`                  | Static clusterIP or None for headless services                                                                           | `""`                  |
+| `readReplicas.service.annotations`                | Annotations for PostgreSQL read only service                                                                             | `{}`                  |
+| `readReplicas.service.loadBalancerIP`             | Load balancer IP if service type is `LoadBalancer`                                                                       | `""`                  |
+| `readReplicas.service.externalTrafficPolicy`      | Enable client source IP preservation                                                                                     | `Cluster`             |
+| `readReplicas.service.loadBalancerSourceRanges`   | Addresses that are allowed when service is LoadBalancer                                                                  | `[]`                  |
+| `readReplicas.service.extraPorts`                 | Extra ports to expose in the PostgreSQL read only service                                                                | `[]`                  |
+| `readReplicas.service.sessionAffinity`            | Session Affinity for Kubernetes service, can be "None" or "ClientIP"                                                     | `None`                |
+| `readReplicas.service.sessionAffinityConfig`      | Additional settings for the sessionAffinity                                                                              | `{}`                  |
+| `readReplicas.persistence.enabled`                | Enable PostgreSQL read only data persistence using PVC                                                                   | `true`                |
+| `readReplicas.persistence.existingClaim`          | Name of an existing PVC to use                                                                                           | `""`                  |
+| `readReplicas.persistence.mountPath`              | The path the volume will be mounted at                                                                                   | `/bitnami/postgresql` |
+| `readReplicas.persistence.subPath`                | The subdirectory of the volume to mount to                                                                               | `""`                  |
+| `readReplicas.persistence.storageClass`           | PVC Storage Class for PostgreSQL read only data volume                                                                   | `""`                  |
+| `readReplicas.persistence.accessModes`            | PVC Access Mode for PostgreSQL volume                                                                                    | `["ReadWriteOnce"]`   |
+| `readReplicas.persistence.size`                   | PVC Storage Request for PostgreSQL volume                                                                                | `8Gi`                 |
+| `readReplicas.persistence.annotations`            | Annotations for the PVC                                                                                                  | `{}`                  |
+| `readReplicas.persistence.labels`                 | Labels for the PVC                                                                                                       | `{}`                  |
+| `readReplicas.persistence.selector`               | Selector to match an existing Persistent Volume (this value is evaluated as a template)                                  | `{}`                  |
+| `readReplicas.persistence.dataSource`             | Custom PVC data source                                                                                                   | `{}`                  |
+
+
+### NetworkPolicy parameters
+
+| Name                                                                      | Description                                                                                                                                        | Value   |
+| ------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------- | ------- |
+| `networkPolicy.enabled`                                                   | Enable network policies                                                                                                                            | `false` |
+| `networkPolicy.metrics.enabled`                                           | Enable network policies for metrics (prometheus)                                                                                                   | `false` |
+| `networkPolicy.metrics.namespaceSelector`                                 | Monitoring namespace selector labels. These labels will be used to identify the prometheus' namespace.                                             | `{}`    |
+| `networkPolicy.metrics.podSelector`                                       | Monitoring pod selector labels. These labels will be used to identify the Prometheus pods.                                                         | `{}`    |
+| `networkPolicy.ingressRules.primaryAccessOnlyFrom.enabled`                | Enable ingress rule that makes PostgreSQL primary node only accessible from a particular origin.                                                   | `false` |
+| `networkPolicy.ingressRules.primaryAccessOnlyFrom.namespaceSelector`      | Namespace selector label that is allowed to access the PostgreSQL primary node. This label will be used to identified the allowed namespace(s).    | `{}`    |
+| `networkPolicy.ingressRules.primaryAccessOnlyFrom.podSelector`            | Pods selector label that is allowed to access the PostgreSQL primary node. This label will be used to identified the allowed pod(s).               | `{}`    |
+| `networkPolicy.ingressRules.primaryAccessOnlyFrom.customRules`            | Custom network policy for the PostgreSQL primary node.                                                                                             | `{}`    |
+| `networkPolicy.ingressRules.readReplicasAccessOnlyFrom.enabled`           | Enable ingress rule that makes PostgreSQL read-only nodes only accessible from a particular origin.                                                | `false` |
+| `networkPolicy.ingressRules.readReplicasAccessOnlyFrom.namespaceSelector` | Namespace selector label that is allowed to access the PostgreSQL read-only nodes. This label will be used to identified the allowed namespace(s). | `{}`    |
+| `networkPolicy.ingressRules.readReplicasAccessOnlyFrom.podSelector`       | Pods selector label that is allowed to access the PostgreSQL read-only nodes. This label will be used to identified the allowed pod(s).            | `{}`    |
+| `networkPolicy.ingressRules.readReplicasAccessOnlyFrom.customRules`       | Custom network policy for the PostgreSQL read-only nodes.                                                                                          | `{}`    |
+| `networkPolicy.egressRules.denyConnectionsToExternal`                     | Enable egress rule that denies outgoing traffic outside the cluster, except for DNS (port 53).                                                     | `false` |
+| `networkPolicy.egressRules.customRules`                                   | Custom network policy rule                                                                                                                         | `{}`    |
+
+
+### Volume Permissions parameters
+
+| Name                                                   | Description                                                                                                                       | Value                   |
+| ------------------------------------------------------ | --------------------------------------------------------------------------------------------------------------------------------- | ----------------------- |
+| `volumePermissions.enabled`                            | Enable init container that changes the owner and group of the persistent volume                                                   | `false`                 |
+| `volumePermissions.image.registry`                     | Init container volume-permissions image registry                                                                                  | `docker.io`             |
+| `volumePermissions.image.repository`                   | Init container volume-permissions image repository                                                                                | `bitnami/bitnami-shell` |
+| `volumePermissions.image.tag`                          | Init container volume-permissions image tag (immutable tags are recommended)                                                      | `11-debian-11-r45`      |
+| `volumePermissions.image.digest`                       | Init container volume-permissions image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""`                    |
+| `volumePermissions.image.pullPolicy`                   | Init container volume-permissions image pull policy                                                                               | `IfNotPresent`          |
+| `volumePermissions.image.pullSecrets`                  | Init container volume-permissions image pull secrets                                                                              | `[]`                    |
+| `volumePermissions.resources.limits`                   | Init container volume-permissions resource limits                                                                                 | `{}`                    |
+| `volumePermissions.resources.requests`                 | Init container volume-permissions resource requests                                                                               | `{}`                    |
+| `volumePermissions.containerSecurityContext.runAsUser` | User ID for the init container                                                                                                    | `0`                     |
+
+
+### Other Parameters
+
+| Name                                          | Description                                                                                                                                 | Value   |
+| --------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------- | ------- |
+| `serviceAccount.create`                       | Enable creation of ServiceAccount for PostgreSQL pod                                                                                        | `false` |
+| `serviceAccount.name`                         | The name of the ServiceAccount to use.                                                                                                      | `""`    |
+| `serviceAccount.automountServiceAccountToken` | Allows auto mount of ServiceAccountToken on the serviceAccount created                                                                      | `true`  |
+| `serviceAccount.annotations`                  | Additional custom annotations for the ServiceAccount                                                                                        | `{}`    |
+| `rbac.create`                                 | Create Role and RoleBinding (required for PSP to work)                                                                                      | `false` |
+| `rbac.rules`                                  | Custom RBAC rules to set                                                                                                                    | `[]`    |
+| `psp.create`                                  | Whether to create a PodSecurityPolicy. WARNING: PodSecurityPolicy is deprecated in Kubernetes v1.21 or later, unavailable in v1.25 or later | `false` |
+
+
+### Metrics Parameters
+
+| Name                                            | Description                                                                                                | Value                       |
+| ----------------------------------------------- | ---------------------------------------------------------------------------------------------------------- | --------------------------- |
+| `metrics.enabled`                               | Start a prometheus exporter                                                                                | `false`                     |
+| `metrics.image.registry`                        | PostgreSQL Prometheus Exporter image registry                                                              | `docker.io`                 |
+| `metrics.image.repository`                      | PostgreSQL Prometheus Exporter image repository                                                            | `bitnami/postgres-exporter` |
+| `metrics.image.tag`                             | PostgreSQL Prometheus Exporter image tag (immutable tags are recommended)                                  | `0.11.1-debian-11-r22`      |
+| `metrics.image.digest`                          | PostgreSQL image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""`                        |
+| `metrics.image.pullPolicy`                      | PostgreSQL Prometheus Exporter image pull policy                                                           | `IfNotPresent`              |
+| `metrics.image.pullSecrets`                     | Specify image pull secrets                                                                                 | `[]`                        |
+| `metrics.customMetrics`                         | Define additional custom metrics                                                                           | `{}`                        |
+| `metrics.extraEnvVars`                          | Extra environment variables to add to PostgreSQL Prometheus exporter                                       | `[]`                        |
+| `metrics.containerSecurityContext.enabled`      | Enable PostgreSQL Prometheus exporter containers' Security Context                                         | `true`                      |
+| `metrics.containerSecurityContext.runAsUser`    | Set PostgreSQL Prometheus exporter containers' Security Context runAsUser                                  | `1001`                      |
+| `metrics.containerSecurityContext.runAsNonRoot` | Set PostgreSQL Prometheus exporter containers' Security Context runAsNonRoot                               | `true`                      |
+| `metrics.livenessProbe.enabled`                 | Enable livenessProbe on PostgreSQL Prometheus exporter containers                                          | `true`                      |
+| `metrics.livenessProbe.initialDelaySeconds`     | Initial delay seconds for livenessProbe                                                                    | `5`                         |
+| `metrics.livenessProbe.periodSeconds`           | Period seconds for livenessProbe                                                                           | `10`                        |
+| `metrics.livenessProbe.timeoutSeconds`          | Timeout seconds for livenessProbe                                                                          | `5`                         |
+| `metrics.livenessProbe.failureThreshold`        | Failure threshold for livenessProbe                                                                        | `6`                         |
+| `metrics.livenessProbe.successThreshold`        | Success threshold for livenessProbe                                                                        | `1`                         |
+| `metrics.readinessProbe.enabled`                | Enable readinessProbe on PostgreSQL Prometheus exporter containers                                         | `true`                      |
+| `metrics.readinessProbe.initialDelaySeconds`    | Initial delay seconds for readinessProbe                                                                   | `5`                         |
+| `metrics.readinessProbe.periodSeconds`          | Period seconds for readinessProbe                                                                          | `10`                        |
+| `metrics.readinessProbe.timeoutSeconds`         | Timeout seconds for readinessProbe                                                                         | `5`                         |
+| `metrics.readinessProbe.failureThreshold`       | Failure threshold for readinessProbe                                                                       | `6`                         |
+| `metrics.readinessProbe.successThreshold`       | Success threshold for readinessProbe                                                                       | `1`                         |
+| `metrics.startupProbe.enabled`                  | Enable startupProbe on PostgreSQL Prometheus exporter containers                                           | `false`                     |
+| `metrics.startupProbe.initialDelaySeconds`      | Initial delay seconds for startupProbe                                                                     | `10`                        |
+| `metrics.startupProbe.periodSeconds`            | Period seconds for startupProbe                                                                            | `10`                        |
+| `metrics.startupProbe.timeoutSeconds`           | Timeout seconds for startupProbe                                                                           | `1`                         |
+| `metrics.startupProbe.failureThreshold`         | Failure threshold for startupProbe                                                                         | `15`                        |
+| `metrics.startupProbe.successThreshold`         | Success threshold for startupProbe                                                                         | `1`                         |
+| `metrics.customLivenessProbe`                   | Custom livenessProbe that overrides the default one                                                        | `{}`                        |
+| `metrics.customReadinessProbe`                  | Custom readinessProbe that overrides the default one                                                       | `{}`                        |
+| `metrics.customStartupProbe`                    | Custom startupProbe that overrides the default one                                                         | `{}`                        |
+| `metrics.containerPorts.metrics`                | PostgreSQL Prometheus exporter metrics container port                                                      | `9187`                      |
+| `metrics.resources.limits`                      | The resources limits for the PostgreSQL Prometheus exporter container                                      | `{}`                        |
+| `metrics.resources.requests`                    | The requested resources for the PostgreSQL Prometheus exporter container                                   | `{}`                        |
+| `metrics.service.ports.metrics`                 | PostgreSQL Prometheus Exporter service port                                                                | `9187`                      |
+| `metrics.service.clusterIP`                     | Static clusterIP or None for headless services                                                             | `""`                        |
+| `metrics.service.sessionAffinity`               | Control where client requests go, to the same pod or round-robin                                           | `None`                      |
+| `metrics.service.annotations`                   | Annotations for Prometheus to auto-discover the metrics endpoint                                           | `{}`                        |
+| `metrics.serviceMonitor.enabled`                | Create ServiceMonitor Resource for scraping metrics using Prometheus Operator                              | `false`                     |
+| `metrics.serviceMonitor.namespace`              | Namespace for the ServiceMonitor Resource (defaults to the Release Namespace)                              | `""`                        |
+| `metrics.serviceMonitor.interval`               | Interval at which metrics should be scraped.                                                               | `""`                        |
+| `metrics.serviceMonitor.scrapeTimeout`          | Timeout after which the scrape is ended                                                                    | `""`                        |
+| `metrics.serviceMonitor.labels`                 | Additional labels that can be used so ServiceMonitor will be discovered by Prometheus                      | `{}`                        |
+| `metrics.serviceMonitor.selector`               | Prometheus instance selector labels                                                                        | `{}`                        |
+| `metrics.serviceMonitor.relabelings`            | RelabelConfigs to apply to samples before scraping                                                         | `[]`                        |
+| `metrics.serviceMonitor.metricRelabelings`      | MetricRelabelConfigs to apply to samples before ingestion                                                  | `[]`                        |
+| `metrics.serviceMonitor.honorLabels`            | Specify honorLabels parameter to add the scrape endpoint                                                   | `false`                     |
+| `metrics.serviceMonitor.jobLabel`               | The name of the label on the target service to use as the job name in prometheus.                          | `""`                        |
+| `metrics.prometheusRule.enabled`                | Create a PrometheusRule for Prometheus Operator                                                            | `false`                     |
+| `metrics.prometheusRule.namespace`              | Namespace for the PrometheusRule Resource (defaults to the Release Namespace)                              | `""`                        |
+| `metrics.prometheusRule.labels`                 | Additional labels that can be used so PrometheusRule will be discovered by Prometheus                      | `{}`                        |
+| `metrics.prometheusRule.rules`                  | PrometheusRule definitions                                                                                 | `[]`                        |
+
+
+Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example,
+
+```bash
+$ helm install my-release \
+    --set auth.postgresPassword=secretpassword
+    my-repo/postgresql
+```
+
+The above command sets the PostgreSQL `postgres` account password to `secretpassword`.
+
+> NOTE: Once this chart is deployed, it is not possible to change the application's access credentials, such as usernames or passwords, using Helm. To change these application credentials after deployment, delete any persistent volumes (PVs) used by the chart and re-deploy it, or use the application's built-in administrative tools if available.
+
+> **Warning** Setting a password will be ignored on new installation in case when previous Posgresql release was deleted through the helm command. In that case, old PVC will have an old password, and setting it through helm won't take effect. Deleting persistent volumes (PVs) will solve the issue. Refer to [issue 2061](https://github.com/bitnami/charts/issues/2061) for more details
+
+Alternatively, a YAML file that specifies the values for the parameters can be provided while installing the chart. For example,
+
+```bash
+helm install my-release -f values.yaml my-repo/postgresql
+```
+
+> **Tip**: You can use the default [values.yaml](values.yaml)
+
+## Configuration and installation details
+
+### [Rolling VS Immutable tags](https://docs.bitnami.com/containers/how-to/understand-rolling-tags-containers/)
+
+It is strongly recommended to use immutable tags in a production environment. This ensures your deployment does not change automatically if the same tag is updated with a different image.
+
+Bitnami will release a new chart updating its containers if a new version of the main container, significant changes, or critical vulnerabilities exist.
+
+### Customizing primary and read replica services in a replicated configuration
+
+At the top level, there is a service object which defines the services for both primary and readReplicas. For deeper customization, there are service objects for both the primary and read types individually. This allows you to override the values in the top level service object so that the primary and read can be of different service types and with different clusterIPs / nodePorts. Also in the case you want the primary and read to be of type nodePort, you will need to set the nodePorts to different values to prevent a collision. The values that are deeper in the primary.service or readReplicas.service objects will take precedence over the top level service object.
+
+### Use a different PostgreSQL version
+
+To modify the application version used in this chart, specify a different version of the image using the `image.tag` parameter and/or a different repository using the `image.repository` parameter. Refer to the [chart documentation for more information on these parameters and how to use them with images from a private registry](https://docs.bitnami.com/kubernetes/infrastructure/postgresql/configuration/change-image-version/).
+
+### postgresql.conf / pg_hba.conf files as configMap
+
+This helm chart also supports to customize the PostgreSQL configuration file. You can add additional PostgreSQL configuration parameters using the `primary.extendedConfiguration`/`readReplicas.extendedConfiguration` parameters as a string. Alternatively, to replace the entire default configuration use `primary.configuration`.
+
+You can also add a custom pg_hba.conf using the `primary.pgHbaConfiguration` parameter.
+
+In addition to these options, you can also set an external ConfigMap with all the configuration files. This is done by setting the `primary.existingConfigmap` parameter. Note that this will override the two previous options.
+
+### Initialize a fresh instance
+
+The [Bitnami PostgreSQL](https://github.com/bitnami/containers/tree/main/bitnami/postgresql) image allows you to use your custom scripts to initialize a fresh instance. In order to execute the scripts, you can specify custom scripts using the `primary.initdb.scripts` parameter as a string.
+
+In addition, you can also set an external ConfigMap with all the initialization scripts. This is done by setting the `primary.initdb.scriptsConfigMap` parameter. Note that this will override the two previous options. If your initialization scripts contain sensitive information such as credentials or passwords, you can use the `primary.initdb.scriptsSecret` parameter.
+
+The allowed extensions are `.sh`, `.sql` and `.sql.gz`.
+
+### Securing traffic using TLS
+
+TLS support can be enabled in the chart by specifying the `tls.` parameters while creating a release. The following parameters should be configured to properly enable the TLS support in the chart:
+
+- `tls.enabled`: Enable TLS support. Defaults to `false`
+- `tls.certificatesSecret`: Name of an existing secret that contains the certificates. No defaults.
+- `tls.certFilename`: Certificate filename. No defaults.
+- `tls.certKeyFilename`: Certificate key filename. No defaults.
+
+For example:
+
+- First, create the secret with the cetificates files:
+
+    ```console
+    kubectl create secret generic certificates-tls-secret --from-file=./cert.crt --from-file=./cert.key --from-file=./ca.crt
+    ```
+
+- Then, use the following parameters:
+
+    ```console
+    volumePermissions.enabled=true
+    tls.enabled=true
+    tls.certificatesSecret="certificates-tls-secret"
+    tls.certFilename="cert.crt"
+    tls.certKeyFilename="cert.key"
+    ```
+
+  > Note TLS and VolumePermissions: PostgreSQL requires certain permissions on sensitive files (such as certificate keys) to start up. Due to an on-going [issue](https://github.com/kubernetes/kubernetes/issues/57923) regarding kubernetes permissions and the use of `containerSecurityContext.runAsUser`, you must enable `volumePermissions` to ensure everything works as expected.
+
+### Sidecars
+
+If you need  additional containers to run within the same pod as PostgreSQL (e.g. an additional metrics or logging exporter), you can do so via the `sidecars` config parameter. Simply define your container according to the Kubernetes container spec.
+
+```yaml
+# For the PostgreSQL primary
+primary:
+  sidecars:
+  - name: your-image-name
+    image: your-image
+    imagePullPolicy: Always
+    ports:
+    - name: portname
+     containerPort: 1234
+# For the PostgreSQL replicas
+readReplicas:
+  sidecars:
+  - name: your-image-name
+    image: your-image
+    imagePullPolicy: Always
+    ports:
+    - name: portname
+     containerPort: 1234
+```
+
+### Metrics
+
+The chart optionally can start a metrics exporter for [prometheus](https://prometheus.io). The metrics endpoint (port 9187) is not exposed and it is expected that the metrics are collected from inside the k8s cluster using something similar as the described in the [example Prometheus scrape configuration](https://github.com/prometheus/prometheus/blob/master/documentation/examples/prometheus-kubernetes.yml).
+
+The exporter allows to create custom metrics from additional SQL queries. See the Chart's `values.yaml` for an example and consult the [exporters documentation](https://github.com/wrouesnel/postgres_exporter#adding-new-metrics-via-a-config-file) for more details.
+
+### Use of global variables
+
+In more complex scenarios, we may have the following tree of dependencies
+
+```
+                     +--------------+
+                     |              |
+        +------------+   Chart 1    +-----------+
+        |            |              |           |
+        |            --------+------+           |
+        |                    |                  |
+        |                    |                  |
+        |                    |                  |
+        |                    |                  |
+        v                    v                  v
++-------+------+    +--------+------+  +--------+------+
+|              |    |               |  |               |
+|  PostgreSQL  |    |  Sub-chart 1  |  |  Sub-chart 2  |
+|              |    |               |  |               |
++--------------+    +---------------+  +---------------+
+```
+
+The three charts below depend on the parent chart Chart 1. However, subcharts 1 and 2 may need to connect to PostgreSQL as well. In order to do so, subcharts 1 and 2 need to know the PostgreSQL credentials, so one option for deploying could be deploy Chart 1 with the following parameters:
+
+```
+postgresql.auth.username=testuser
+subchart1.postgresql.auth.username=testuser
+subchart2.postgresql.auth.username=testuser
+postgresql.auth.password=testpass
+subchart1.postgresql.auth.password=testpass
+subchart2.postgresql.auth.password=testpass
+postgresql.auth.database=testdb
+subchart1.postgresql.auth.database=testdb
+subchart2.postgresql.auth.database=testdb
+```
+
+If the number of dependent sub-charts increases, installing the chart with parameters can become increasingly difficult. An alternative would be to set the credentials using global variables as follows:
+
+```
+global.postgresql.auth.username=testuser
+global.postgresql.auth.password=testpass
+global.postgresql.auth.database=testdb
+```
+
+This way, the credentials will be available in all of the subcharts.
+
+## Persistence
+
+The [Bitnami PostgreSQL](https://github.com/bitnami/containers/tree/main/bitnami/postgresql) image stores the PostgreSQL data and configurations at the `/bitnami/postgresql` path of the container.
+
+Persistent Volume Claims are used to keep the data across deployments. This is known to work in GCE, AWS, and minikube.
+See the [Parameters](#parameters) section to configure the PVC or to disable persistence.
+
+If you already have data in it, you will fail to sync to standby nodes for all commits, details can refer to the [code present in the container repository](https://github.com/bitnami/containers/tree/main/bitnami/postgresql). If you need to use those data, please covert them to sql and import after `helm install` finished.
+
+## NetworkPolicy
+
+To enable network policy for PostgreSQL, install [a networking plugin that implements the Kubernetes NetworkPolicy spec](https://kubernetes.io/docs/tasks/administer-cluster/declare-network-policy#before-you-begin), and set `networkPolicy.enabled` to `true`.
+
+For Kubernetes v1.5 & v1.6, you must also turn on NetworkPolicy by setting the DefaultDeny namespace annotation. Note: this will enforce policy for _all_ pods in the namespace:
+
+```bash
+kubectl annotate namespace default "net.beta.kubernetes.io/network-policy={\"ingress\":{\"isolation\":\"DefaultDeny\"}}"
+```
+
+With NetworkPolicy enabled, traffic will be limited to just port 5432.
+
+For more precise policy, set `networkPolicy.allowExternal=false`. This will only allow pods with the generated client label to connect to PostgreSQL.
+This label will be displayed in the output of a successful install.
+
+## Differences between Bitnami PostgreSQL image and [Docker Official](https://hub.docker.com/_/postgres) image
+
+- The Docker Official PostgreSQL image does not support replication. If you pass any replication environment variable, this would be ignored. The only environment variables supported by the Docker Official image are POSTGRES_USER, POSTGRES_DB, POSTGRES_PASSWORD, POSTGRES_INITDB_ARGS, POSTGRES_INITDB_WALDIR and PGDATA. All the remaining environment variables are specific to the Bitnami PostgreSQL image.
+- The Bitnami PostgreSQL image is non-root by default. This requires that you run the pod with `securityContext` and updates the permissions of the volume with an `initContainer`. A key benefit of this configuration is that the pod follows security best practices and is prepared to run on Kubernetes distributions with hard security constraints like OpenShift.
+- For OpenShift, one may either define the runAsUser and fsGroup accordingly, or try this more dynamic option: volumePermissions.securityContext.runAsUser="auto",securityContext.enabled=false,containerSecurityContext.enabled=false,shmVolume.chmod.enabled=false
+
+### Setting Pod's affinity
+
+This chart allows you to set your custom affinity using the `XXX.affinity` parameter(s). Find more information about Pod's affinity in the [kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity).
+
+As an alternative, you can use of the preset configurations for pod affinity, pod anti-affinity, and node affinity available at the [bitnami/common](https://github.com/bitnami/charts/tree/main/bitnami/common#affinities) chart. To do so, set the `XXX.podAffinityPreset`, `XXX.podAntiAffinityPreset`, or `XXX.nodeAffinityPreset` parameters.
+
+## Troubleshooting
+
+Find more information about how to deal with common errors related to Bitnami's Helm charts in [this troubleshooting guide](https://docs.bitnami.com/general/how-to/troubleshoot-helm-chart-issues).
+
+## Upgrading
+
+Refer to the [chart documentation for more information about how to upgrade from previous releases](https://docs.bitnami.com/kubernetes/infrastructure/postgresql/administration/upgrade/).
+
+## License
+
+Copyright &copy; 2022 Bitnami
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
\ No newline at end of file
diff --git a/helm/infrastructure/subcharts/kong/charts/postgresql/charts/common/.helmignore b/helm/infrastructure/subcharts/kong/charts/postgresql/charts/common/.helmignore
new file mode 100644 (file)
index 0000000..50af031
--- /dev/null
@@ -0,0 +1,22 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/helm/infrastructure/subcharts/kong/charts/postgresql/charts/common/Chart.yaml b/helm/infrastructure/subcharts/kong/charts/postgresql/charts/common/Chart.yaml
new file mode 100644 (file)
index 0000000..8938f2a
--- /dev/null
@@ -0,0 +1,22 @@
+annotations:
+  category: Infrastructure
+apiVersion: v2
+appVersion: 2.0.4
+description: A Library Helm Chart for grouping common logic between bitnami charts. This chart is not deployable by itself.
+home: https://github.com/bitnami/charts/tree/main/bitnami/common
+icon: https://bitnami.com/downloads/logos/bitnami-mark.png
+keywords:
+- common
+- helper
+- template
+- function
+- bitnami
+maintainers:
+- name: Bitnami
+  url: https://github.com/bitnami/charts
+name: common
+sources:
+- https://github.com/bitnami/charts
+- https://www.bitnami.com/
+type: library
+version: 2.0.4
diff --git a/helm/infrastructure/subcharts/kong/charts/postgresql/charts/common/README.md b/helm/infrastructure/subcharts/kong/charts/postgresql/charts/common/README.md
new file mode 100644 (file)
index 0000000..a2ecd60
--- /dev/null
@@ -0,0 +1,350 @@
+# Bitnami Common Library Chart
+
+A [Helm Library Chart](https://helm.sh/docs/topics/library_charts/#helm) for grouping common logic between bitnami charts.
+
+## TL;DR
+
+```yaml
+dependencies:
+  - name: common
+    version: 1.x.x
+    repository: https://charts.bitnami.com/bitnami
+```
+
+```bash
+$ helm dependency update
+```
+
+```yaml
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "common.names.fullname" . }}
+data:
+  myvalue: "Hello World"
+```
+
+## Introduction
+
+This chart provides a common template helpers which can be used to develop new charts using [Helm](https://helm.sh) package manager.
+
+Bitnami charts can be used with [Kubeapps](https://kubeapps.dev/) for deployment and management of Helm Charts in clusters.
+
+## Prerequisites
+
+- Kubernetes 1.19+
+- Helm 3.2.0+
+
+## Parameters
+
+The following table lists the helpers available in the library which are scoped in different sections.
+
+### Affinities
+
+| Helper identifier             | Description                                          | Expected Input                                 |
+|-------------------------------|------------------------------------------------------|------------------------------------------------|
+| `common.affinities.nodes.soft` | Return a soft nodeAffinity definition                | `dict "key" "FOO" "values" (list "BAR" "BAZ")` |
+| `common.affinities.nodes.hard` | Return a hard nodeAffinity definition                | `dict "key" "FOO" "values" (list "BAR" "BAZ")` |
+| `common.affinities.pods.soft`  | Return a soft podAffinity/podAntiAffinity definition | `dict "component" "FOO" "context" $`           |
+| `common.affinities.pods.hard`  | Return a hard podAffinity/podAntiAffinity definition | `dict "component" "FOO" "context" $`           |
+
+### Capabilities
+
+| Helper identifier                              | Description                                                                                    | Expected Input    |
+|------------------------------------------------|------------------------------------------------------------------------------------------------|-------------------|
+| `common.capabilities.kubeVersion`              | Return the target Kubernetes version (using client default if .Values.kubeVersion is not set). | `.` Chart context |
+| `common.capabilities.cronjob.apiVersion`       | Return the appropriate apiVersion for cronjob.                                                 | `.` Chart context |
+| `common.capabilities.deployment.apiVersion`    | Return the appropriate apiVersion for deployment.                                              | `.` Chart context |
+| `common.capabilities.statefulset.apiVersion`   | Return the appropriate apiVersion for statefulset.                                             | `.` Chart context |
+| `common.capabilities.ingress.apiVersion`       | Return the appropriate apiVersion for ingress.                                                 | `.` Chart context |
+| `common.capabilities.rbac.apiVersion`          | Return the appropriate apiVersion for RBAC resources.                                          | `.` Chart context |
+| `common.capabilities.crd.apiVersion`           | Return the appropriate apiVersion for CRDs.                                                    | `.` Chart context |
+| `common.capabilities.policy.apiVersion`        | Return the appropriate apiVersion for podsecuritypolicy.                                       | `.` Chart context |
+| `common.capabilities.networkPolicy.apiVersion` | Return the appropriate apiVersion for networkpolicy.                                           | `.` Chart context |
+| `common.capabilities.apiService.apiVersion`    | Return the appropriate apiVersion for APIService.                                              | `.` Chart context |
+| `common.capabilities.hpa.apiVersion`           | Return the appropriate apiVersion for Horizontal Pod Autoscaler                                | `.` Chart context |
+| `common.capabilities.supportsHelmVersion`      | Returns true if the used Helm version is 3.3+                                                  | `.` Chart context |
+
+### Errors
+
+| Helper identifier                       | Description                                                                                                                                                            | Expected Input                                                                      |
+|-----------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------|
+| `common.errors.upgrade.passwords.empty` | It will ensure required passwords are given when we are upgrading a chart. If `validationErrors` is not empty it will throw an error and will stop the upgrade action. | `dict "validationErrors" (list $validationError00 $validationError01)  "context" $` |
+
+### Images
+
+| Helper identifier           | Description                                          | Expected Input                                                                                          |
+|-----------------------------|------------------------------------------------------|---------------------------------------------------------------------------------------------------------|
+| `common.images.image`       | Return the proper and full image name                | `dict "imageRoot" .Values.path.to.the.image "global" $`, see [ImageRoot](#imageroot) for the structure. |
+| `common.images.pullSecrets` | Return the proper Docker Image Registry Secret Names (deprecated: use common.images.renderPullSecrets instead) | `dict "images" (list .Values.path.to.the.image1, .Values.path.to.the.image2) "global" .Values.global` |
+| `common.images.renderPullSecrets` | Return the proper Docker Image Registry Secret Names (evaluates values as templates) | `dict "images" (list .Values.path.to.the.image1, .Values.path.to.the.image2) "context" $` |
+
+### Ingress
+
+| Helper identifier                         | Description                                                                                                       | Expected Input                                                                                                                                                                   |
+|-------------------------------------------|-------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| `common.ingress.backend`                  | Generate a proper Ingress backend entry depending on the API version                                              | `dict "serviceName" "foo" "servicePort" "bar"`, see the [Ingress deprecation notice](https://kubernetes.io/blog/2019/07/18/api-deprecations-in-1-16/) for the syntax differences |
+| `common.ingress.supportsPathType`         | Prints "true" if the pathType field is supported                                                                  | `.` Chart context                                                                                                                                                                |
+| `common.ingress.supportsIngressClassname` | Prints "true" if the ingressClassname field is supported                                                          | `.` Chart context                                                                                                                                                                |
+| `common.ingress.certManagerRequest`       | Prints "true" if required cert-manager annotations for TLS signed certificates are set in the Ingress annotations | `dict "annotations" .Values.path.to.the.ingress.annotations`                                                                                                                     |
+
+### Labels
+
+| Helper identifier           | Description                                                                 | Expected Input    |
+|-----------------------------|-----------------------------------------------------------------------------|-------------------|
+| `common.labels.standard`    | Return Kubernetes standard labels                                           | `.` Chart context |
+| `common.labels.matchLabels` | Labels to use on `deploy.spec.selector.matchLabels` and `svc.spec.selector` | `.` Chart context |
+
+### Names
+
+| Helper identifier                 | Description                                                           | Expected Input    |
+|-----------------------------------|-----------------------------------------------------------------------|-------------------|
+| `common.names.name`               | Expand the name of the chart or use `.Values.nameOverride`            | `.` Chart context |
+| `common.names.fullname`           | Create a default fully qualified app name.                            | `.` Chart context |
+| `common.names.namespace`          | Allow the release namespace to be overridden                          | `.` Chart context |
+| `common.names.fullname.namespace` | Create a fully qualified app name adding the installation's namespace | `.` Chart context |
+| `common.names.chart`              | Chart name plus version                                               | `.` Chart context |
+
+### Secrets
+
+| Helper identifier         | Description                                                  | Expected Input                                                                                                                                                                                                                  |
+|---------------------------|--------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| `common.secrets.name`     | Generate the name of the secret.                             | `dict "existingSecret" .Values.path.to.the.existingSecret "defaultNameSuffix" "mySuffix" "context" $` see [ExistingSecret](#existingsecret) for the structure.                                                                  |
+| `common.secrets.key`      | Generate secret key.                                         | `dict "existingSecret" .Values.path.to.the.existingSecret "key" "keyName"` see [ExistingSecret](#existingsecret) for the structure.                                                                                             |
+| `common.passwords.manage` | Generate secret password or retrieve one if already created. | `dict "secret" "secret-name" "key" "keyName" "providedValues" (list "path.to.password1" "path.to.password2") "length" 10 "strong" false "chartName" "chartName" "context" $`, length, strong and chartNAme fields are optional. |
+| `common.secrets.exists`   | Returns whether a previous generated secret already exists.  | `dict "secret" "secret-name" "context" $`                                                                                                                                                                                       |
+
+### Storage
+
+| Helper identifier             | Description                           | Expected Input                                                                                                      |
+|-------------------------------|---------------------------------------|---------------------------------------------------------------------------------------------------------------------|
+| `common.storage.class` | Return  the proper Storage Class | `dict "persistence" .Values.path.to.the.persistence "global" $`, see [Persistence](#persistence) for the structure. |
+
+### TplValues
+
+| Helper identifier         | Description                            | Expected Input                                                                                                                                           |
+|---------------------------|----------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------|
+| `common.tplvalues.render` | Renders a value that contains template | `dict "value" .Values.path.to.the.Value "context" $`, value is the value should rendered as template, context frequently is the chart context `$` or `.` |
+
+### Utils
+
+| Helper identifier              | Description                                                                              | Expected Input                                                         |
+|--------------------------------|------------------------------------------------------------------------------------------|------------------------------------------------------------------------|
+| `common.utils.fieldToEnvVar`   | Build environment variable name given a field.                                           | `dict "field" "my-password"`                                           |
+| `common.utils.secret.getvalue` | Print instructions to get a secret value.                                                | `dict "secret" "secret-name" "field" "secret-value-field" "context" $` |
+| `common.utils.getValueFromKey` | Gets a value from `.Values` object given its key path                                    | `dict "key" "path.to.key" "context" $`                                 |
+| `common.utils.getKeyFromList`  | Returns first `.Values` key with a defined value or first of the list if all non-defined | `dict "keys" (list "path.to.key1" "path.to.key2") "context" $`         |
+
+### Validations
+
+| Helper identifier                                | Description                                                                                                                   | Expected Input                                                                                                                                                                                                                                                           |
+|--------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| `common.validations.values.single.empty`         | Validate a value must not be empty.                                                                                           | `dict "valueKey" "path.to.value" "secret" "secret.name" "field" "my-password" "subchart" "subchart" "context" $` secret, field and subchart are optional. In case they are given, the helper will generate a how to get instruction. See [ValidateValue](#validatevalue) |
+| `common.validations.values.multiple.empty`       | Validate a multiple values must not be empty. It returns a shared error for all the values.                                   | `dict "required" (list $validateValueConf00 $validateValueConf01) "context" $`. See [ValidateValue](#validatevalue)                                                                                                                                                      |
+| `common.validations.values.mariadb.passwords`    | This helper will ensure required password for MariaDB are not empty. It returns a shared error for all the values.            | `dict "secret" "mariadb-secret" "subchart" "true" "context" $` subchart field is optional and could be true or false it depends on where you will use mariadb chart and the helper.                                                                                      |
+| `common.validations.values.mysql.passwords`      | This helper will ensure required password for MySQL are not empty. It returns a shared error for all the values.              | `dict "secret" "mysql-secret" "subchart" "true" "context" $` subchart field is optional and could be true or false it depends on where you will use mysql chart and the helper.                                                                                      |
+| `common.validations.values.postgresql.passwords` | This helper will ensure required password for PostgreSQL are not empty. It returns a shared error for all the values.         | `dict "secret" "postgresql-secret" "subchart" "true" "context" $` subchart field is optional and could be true or false it depends on where you will use postgresql chart and the helper.                                                                                |
+| `common.validations.values.redis.passwords`      | This helper will ensure required password for Redis&reg; are not empty. It returns a shared error for all the values. | `dict "secret" "redis-secret" "subchart" "true" "context" $` subchart field is optional and could be true or false it depends on where you will use redis chart and the helper.                                                                                          |
+| `common.validations.values.cassandra.passwords`  | This helper will ensure required password for Cassandra are not empty. It returns a shared error for all the values.          | `dict "secret" "cassandra-secret" "subchart" "true" "context" $` subchart field is optional and could be true or false it depends on where you will use cassandra chart and the helper.                                                                                  |
+| `common.validations.values.mongodb.passwords`    | This helper will ensure required password for MongoDB&reg; are not empty. It returns a shared error for all the values.            | `dict "secret" "mongodb-secret" "subchart" "true" "context" $` subchart field is optional and could be true or false it depends on where you will use mongodb chart and the helper.                                                                                      |
+
+### Warnings
+
+| Helper identifier            | Description                      | Expected Input                                             |
+|------------------------------|----------------------------------|------------------------------------------------------------|
+| `common.warnings.rollingTag` | Warning about using rolling tag. | `ImageRoot` see [ImageRoot](#imageroot) for the structure. |
+
+## Special input schemas
+
+### ImageRoot
+
+```yaml
+registry:
+  type: string
+  description: Docker registry where the image is located
+  example: docker.io
+
+repository:
+  type: string
+  description: Repository and image name
+  example: bitnami/nginx
+
+tag:
+  type: string
+  description: image tag
+  example: 1.16.1-debian-10-r63
+
+pullPolicy:
+  type: string
+  description: Specify a imagePullPolicy. Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
+
+pullSecrets:
+  type: array
+  items:
+    type: string
+  description: Optionally specify an array of imagePullSecrets (evaluated as templates).
+
+debug:
+  type: boolean
+  description: Set to true if you would like to see extra information on logs
+  example: false
+
+## An instance would be:
+# registry: docker.io
+# repository: bitnami/nginx
+# tag: 1.16.1-debian-10-r63
+# pullPolicy: IfNotPresent
+# debug: false
+```
+
+### Persistence
+
+```yaml
+enabled:
+  type: boolean
+  description: Whether enable persistence.
+  example: true
+
+storageClass:
+  type: string
+  description: Ghost data Persistent Volume Storage Class, If set to "-", storageClassName: "" which disables dynamic provisioning.
+  example: "-"
+
+accessMode:
+  type: string
+  description: Access mode for the Persistent Volume Storage.
+  example: ReadWriteOnce
+
+size:
+  type: string
+  description: Size the Persistent Volume Storage.
+  example: 8Gi
+
+path:
+  type: string
+  description: Path to be persisted.
+  example: /bitnami
+
+## An instance would be:
+# enabled: true
+# storageClass: "-"
+# accessMode: ReadWriteOnce
+# size: 8Gi
+# path: /bitnami
+```
+
+### ExistingSecret
+
+```yaml
+name:
+  type: string
+  description: Name of the existing secret.
+  example: mySecret
+keyMapping:
+  description: Mapping between the expected key name and the name of the key in the existing secret.
+  type: object
+
+## An instance would be:
+# name: mySecret
+# keyMapping:
+#   password: myPasswordKey
+```
+
+#### Example of use
+
+When we store sensitive data for a deployment in a secret, some times we want to give to users the possibility of using theirs existing secrets.
+
+```yaml
+# templates/secret.yaml
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "common.names.fullname" . }}
+  labels:
+    app: {{ include "common.names.fullname" . }}
+type: Opaque
+data:
+  password: {{ .Values.password | b64enc | quote }}
+
+# templates/dpl.yaml
+---
+...
+      env:
+        - name: PASSWORD
+          valueFrom:
+            secretKeyRef:
+              name: {{ include "common.secrets.name" (dict "existingSecret" .Values.existingSecret "context" $) }}
+              key: {{ include "common.secrets.key" (dict "existingSecret" .Values.existingSecret "key" "password") }}
+...
+
+# values.yaml
+---
+name: mySecret
+keyMapping:
+  password: myPasswordKey
+```
+
+### ValidateValue
+
+#### NOTES.txt
+
+```console
+{{- $validateValueConf00 := (dict "valueKey" "path.to.value00" "secret" "secretName" "field" "password-00") -}}
+{{- $validateValueConf01 := (dict "valueKey" "path.to.value01" "secret" "secretName" "field" "password-01") -}}
+
+{{ include "common.validations.values.multiple.empty" (dict "required" (list $validateValueConf00 $validateValueConf01) "context" $) }}
+```
+
+If we force those values to be empty we will see some alerts
+
+```console
+$ helm install test mychart --set path.to.value00="",path.to.value01=""
+    'path.to.value00' must not be empty, please add '--set path.to.value00=$PASSWORD_00' to the command. To get the current value:
+
+        export PASSWORD_00=$(kubectl get secret --namespace default secretName -o jsonpath="{.data.password-00}" | base64 -d)
+
+    'path.to.value01' must not be empty, please add '--set path.to.value01=$PASSWORD_01' to the command. To get the current value:
+
+        export PASSWORD_01=$(kubectl get secret --namespace default secretName -o jsonpath="{.data.password-01}" | base64 -d)
+```
+
+## Upgrading
+
+### To 1.0.0
+
+[On November 13, 2020, Helm v2 support was formally finished](https://github.com/helm/charts#status-of-the-project), this major version is the result of the required changes applied to the Helm Chart to be able to incorporate the different features added in Helm v3 and to be consistent with the Helm project itself regarding the Helm v2 EOL.
+
+**What changes were introduced in this major version?**
+
+- Previous versions of this Helm Chart use `apiVersion: v1` (installable by both Helm 2 and 3), this Helm Chart was updated to `apiVersion: v2` (installable by Helm 3 only). [Here](https://helm.sh/docs/topics/charts/#the-apiversion-field) you can find more information about the `apiVersion` field.
+- Use `type: library`. [Here](https://v3.helm.sh/docs/faq/#library-chart-support) you can find more information.
+- The different fields present in the *Chart.yaml* file has been ordered alphabetically in a homogeneous way for all the Bitnami Helm Charts
+
+**Considerations when upgrading to this version**
+
+- If you want to upgrade to this version from a previous one installed with Helm v3, you shouldn't face any issues
+- If you want to upgrade to this version using Helm v2, this scenario is not supported as this version doesn't support Helm v2 anymore
+- If you installed the previous version with Helm v2 and wants to upgrade to this version with Helm v3, please refer to the [official Helm documentation](https://helm.sh/docs/topics/v2_v3_migration/#migration-use-cases) about migrating from Helm v2 to v3
+
+**Useful links**
+
+- https://docs.bitnami.com/tutorials/resolve-helm2-helm3-post-migration-issues/
+- https://helm.sh/docs/topics/v2_v3_migration/
+- https://helm.sh/blog/migrate-from-helm-v2-to-helm-v3/
+
+## License
+
+Copyright &copy; 2022 Bitnami
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
diff --git a/helm/infrastructure/subcharts/kong/charts/postgresql/charts/common/templates/_affinities.tpl b/helm/infrastructure/subcharts/kong/charts/postgresql/charts/common/templates/_affinities.tpl
new file mode 100644 (file)
index 0000000..2387be2
--- /dev/null
@@ -0,0 +1,102 @@
+{{/* vim: set filetype=mustache: */}}
+
+{{/*
+Return a soft nodeAffinity definition
+{{ include "common.affinities.nodes.soft" (dict "key" "FOO" "values" (list "BAR" "BAZ")) -}}
+*/}}
+{{- define "common.affinities.nodes.soft" -}}
+preferredDuringSchedulingIgnoredDuringExecution:
+  - preference:
+      matchExpressions:
+        - key: {{ .key }}
+          operator: In
+          values:
+            {{- range .values }}
+            - {{ . | quote }}
+            {{- end }}
+    weight: 1
+{{- end -}}
+
+{{/*
+Return a hard nodeAffinity definition
+{{ include "common.affinities.nodes.hard" (dict "key" "FOO" "values" (list "BAR" "BAZ")) -}}
+*/}}
+{{- define "common.affinities.nodes.hard" -}}
+requiredDuringSchedulingIgnoredDuringExecution:
+  nodeSelectorTerms:
+    - matchExpressions:
+        - key: {{ .key }}
+          operator: In
+          values:
+            {{- range .values }}
+            - {{ . | quote }}
+            {{- end }}
+{{- end -}}
+
+{{/*
+Return a nodeAffinity definition
+{{ include "common.affinities.nodes" (dict "type" "soft" "key" "FOO" "values" (list "BAR" "BAZ")) -}}
+*/}}
+{{- define "common.affinities.nodes" -}}
+  {{- if eq .type "soft" }}
+    {{- include "common.affinities.nodes.soft" . -}}
+  {{- else if eq .type "hard" }}
+    {{- include "common.affinities.nodes.hard" . -}}
+  {{- end -}}
+{{- end -}}
+
+{{/*
+Return a soft podAffinity/podAntiAffinity definition
+{{ include "common.affinities.pods.soft" (dict "component" "FOO" "extraMatchLabels" .Values.extraMatchLabels "context" $) -}}
+*/}}
+{{- define "common.affinities.pods.soft" -}}
+{{- $component := default "" .component -}}
+{{- $extraMatchLabels := default (dict) .extraMatchLabels -}}
+preferredDuringSchedulingIgnoredDuringExecution:
+  - podAffinityTerm:
+      labelSelector:
+        matchLabels: {{- (include "common.labels.matchLabels" .context) | nindent 10 }}
+          {{- if not (empty $component) }}
+          {{ printf "app.kubernetes.io/component: %s" $component }}
+          {{- end }}
+          {{- range $key, $value := $extraMatchLabels }}
+          {{ $key }}: {{ $value | quote }}
+          {{- end }}
+      namespaces:
+        - {{ include "common.names.namespace" .context | quote }}
+      topologyKey: kubernetes.io/hostname
+    weight: 1
+{{- end -}}
+
+{{/*
+Return a hard podAffinity/podAntiAffinity definition
+{{ include "common.affinities.pods.hard" (dict "component" "FOO" "extraMatchLabels" .Values.extraMatchLabels "context" $) -}}
+*/}}
+{{- define "common.affinities.pods.hard" -}}
+{{- $component := default "" .component -}}
+{{- $extraMatchLabels := default (dict) .extraMatchLabels -}}
+requiredDuringSchedulingIgnoredDuringExecution:
+  - labelSelector:
+      matchLabels: {{- (include "common.labels.matchLabels" .context) | nindent 8 }}
+        {{- if not (empty $component) }}
+        {{ printf "app.kubernetes.io/component: %s" $component }}
+        {{- end }}
+        {{- range $key, $value := $extraMatchLabels }}
+        {{ $key }}: {{ $value | quote }}
+        {{- end }}
+    namespaces:
+      - {{ include "common.names.namespace" .context | quote }}
+    topologyKey: kubernetes.io/hostname
+{{- end -}}
+
+{{/*
+Return a podAffinity/podAntiAffinity definition
+{{ include "common.affinities.pods" (dict "type" "soft" "key" "FOO" "values" (list "BAR" "BAZ")) -}}
+*/}}
+{{- define "common.affinities.pods" -}}
+  {{- if eq .type "soft" }}
+    {{- include "common.affinities.pods.soft" . -}}
+  {{- else if eq .type "hard" }}
+    {{- include "common.affinities.pods.hard" . -}}
+  {{- end -}}
+{{- end -}}
diff --git a/helm/infrastructure/subcharts/kong/charts/postgresql/charts/common/templates/_capabilities.tpl b/helm/infrastructure/subcharts/kong/charts/postgresql/charts/common/templates/_capabilities.tpl
new file mode 100644 (file)
index 0000000..9d9b760
--- /dev/null
@@ -0,0 +1,154 @@
+{{/* vim: set filetype=mustache: */}}
+
+{{/*
+Return the target Kubernetes version
+*/}}
+{{- define "common.capabilities.kubeVersion" -}}
+{{- if .Values.global }}
+    {{- if .Values.global.kubeVersion }}
+    {{- .Values.global.kubeVersion -}}
+    {{- else }}
+    {{- default .Capabilities.KubeVersion.Version .Values.kubeVersion -}}
+    {{- end -}}
+{{- else }}
+{{- default .Capabilities.KubeVersion.Version .Values.kubeVersion -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Return the appropriate apiVersion for poddisruptionbudget.
+*/}}
+{{- define "common.capabilities.policy.apiVersion" -}}
+{{- if semverCompare "<1.21-0" (include "common.capabilities.kubeVersion" .) -}}
+{{- print "policy/v1beta1" -}}
+{{- else -}}
+{{- print "policy/v1" -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Return the appropriate apiVersion for networkpolicy.
+*/}}
+{{- define "common.capabilities.networkPolicy.apiVersion" -}}
+{{- if semverCompare "<1.7-0" (include "common.capabilities.kubeVersion" .) -}}
+{{- print "extensions/v1beta1" -}}
+{{- else -}}
+{{- print "networking.k8s.io/v1" -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Return the appropriate apiVersion for cronjob.
+*/}}
+{{- define "common.capabilities.cronjob.apiVersion" -}}
+{{- if semverCompare "<1.21-0" (include "common.capabilities.kubeVersion" .) -}}
+{{- print "batch/v1beta1" -}}
+{{- else -}}
+{{- print "batch/v1" -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Return the appropriate apiVersion for deployment.
+*/}}
+{{- define "common.capabilities.deployment.apiVersion" -}}
+{{- if semverCompare "<1.14-0" (include "common.capabilities.kubeVersion" .) -}}
+{{- print "extensions/v1beta1" -}}
+{{- else -}}
+{{- print "apps/v1" -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Return the appropriate apiVersion for statefulset.
+*/}}
+{{- define "common.capabilities.statefulset.apiVersion" -}}
+{{- if semverCompare "<1.14-0" (include "common.capabilities.kubeVersion" .) -}}
+{{- print "apps/v1beta1" -}}
+{{- else -}}
+{{- print "apps/v1" -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Return the appropriate apiVersion for ingress.
+*/}}
+{{- define "common.capabilities.ingress.apiVersion" -}}
+{{- if .Values.ingress -}}
+{{- if .Values.ingress.apiVersion -}}
+{{- .Values.ingress.apiVersion -}}
+{{- else if semverCompare "<1.14-0" (include "common.capabilities.kubeVersion" .) -}}
+{{- print "extensions/v1beta1" -}}
+{{- else if semverCompare "<1.19-0" (include "common.capabilities.kubeVersion" .) -}}
+{{- print "networking.k8s.io/v1beta1" -}}
+{{- else -}}
+{{- print "networking.k8s.io/v1" -}}
+{{- end }}
+{{- else if semverCompare "<1.14-0" (include "common.capabilities.kubeVersion" .) -}}
+{{- print "extensions/v1beta1" -}}
+{{- else if semverCompare "<1.19-0" (include "common.capabilities.kubeVersion" .) -}}
+{{- print "networking.k8s.io/v1beta1" -}}
+{{- else -}}
+{{- print "networking.k8s.io/v1" -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Return the appropriate apiVersion for RBAC resources.
+*/}}
+{{- define "common.capabilities.rbac.apiVersion" -}}
+{{- if semverCompare "<1.17-0" (include "common.capabilities.kubeVersion" .) -}}
+{{- print "rbac.authorization.k8s.io/v1beta1" -}}
+{{- else -}}
+{{- print "rbac.authorization.k8s.io/v1" -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Return the appropriate apiVersion for CRDs.
+*/}}
+{{- define "common.capabilities.crd.apiVersion" -}}
+{{- if semverCompare "<1.19-0" (include "common.capabilities.kubeVersion" .) -}}
+{{- print "apiextensions.k8s.io/v1beta1" -}}
+{{- else -}}
+{{- print "apiextensions.k8s.io/v1" -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Return the appropriate apiVersion for APIService.
+*/}}
+{{- define "common.capabilities.apiService.apiVersion" -}}
+{{- if semverCompare "<1.10-0" (include "common.capabilities.kubeVersion" .) -}}
+{{- print "apiregistration.k8s.io/v1beta1" -}}
+{{- else -}}
+{{- print "apiregistration.k8s.io/v1" -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Return the appropriate apiVersion for Horizontal Pod Autoscaler.
+*/}}
+{{- define "common.capabilities.hpa.apiVersion" -}}
+{{- if semverCompare "<1.23-0" (include "common.capabilities.kubeVersion" .context) -}}
+{{- if .beta2 -}}
+{{- print "autoscaling/v2beta2" -}}
+{{- else -}}
+{{- print "autoscaling/v2beta1" -}}
+{{- end -}}
+{{- else -}}
+{{- print "autoscaling/v2" -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Returns true if the used Helm version is 3.3+.
+A way to check the used Helm version was not introduced until version 3.3.0 with .Capabilities.HelmVersion, which contains an additional "{}}"  structure.
+This check is introduced as a regexMatch instead of {{ if .Capabilities.HelmVersion }} because checking for the key HelmVersion in <3.3 results in a "interface not found" error.
+**To be removed when the catalog's minimun Helm version is 3.3**
+*/}}
+{{- define "common.capabilities.supportsHelmVersion" -}}
+{{- if regexMatch "{(v[0-9])*[^}]*}}$" (.Capabilities | toString ) }}
+  {{- true -}}
+{{- end -}}
+{{- end -}}
diff --git a/helm/infrastructure/subcharts/kong/charts/postgresql/charts/common/templates/_errors.tpl b/helm/infrastructure/subcharts/kong/charts/postgresql/charts/common/templates/_errors.tpl
new file mode 100644 (file)
index 0000000..a79cc2e
--- /dev/null
@@ -0,0 +1,23 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Through error when upgrading using empty passwords values that must not be empty.
+
+Usage:
+{{- $validationError00 := include "common.validations.values.single.empty" (dict "valueKey" "path.to.password00" "secret" "secretName" "field" "password-00") -}}
+{{- $validationError01 := include "common.validations.values.single.empty" (dict "valueKey" "path.to.password01" "secret" "secretName" "field" "password-01") -}}
+{{ include "common.errors.upgrade.passwords.empty" (dict "validationErrors" (list $validationError00 $validationError01) "context" $) }}
+
+Required password params:
+  - validationErrors - String - Required. List of validation strings to be return, if it is empty it won't throw error.
+  - context - Context - Required. Parent context.
+*/}}
+{{- define "common.errors.upgrade.passwords.empty" -}}
+  {{- $validationErrors := join "" .validationErrors -}}
+  {{- if and $validationErrors .context.Release.IsUpgrade -}}
+    {{- $errorString := "\nPASSWORDS ERROR: You must provide your current passwords when upgrading the release." -}}
+    {{- $errorString = print $errorString "\n                 Note that even after reinstallation, old credentials may be needed as they may be kept in persistent volume claims." -}}
+    {{- $errorString = print $errorString "\n                 Further information can be obtained at https://docs.bitnami.com/general/how-to/troubleshoot-helm-chart-issues/#credential-errors-while-upgrading-chart-releases" -}}
+    {{- $errorString = print $errorString "\n%s" -}}
+    {{- printf $errorString $validationErrors | fail -}}
+  {{- end -}}
+{{- end -}}
diff --git a/helm/infrastructure/subcharts/kong/charts/postgresql/charts/common/templates/_images.tpl b/helm/infrastructure/subcharts/kong/charts/postgresql/charts/common/templates/_images.tpl
new file mode 100644 (file)
index 0000000..46c659e
--- /dev/null
@@ -0,0 +1,76 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Return the proper image name
+{{ include "common.images.image" ( dict "imageRoot" .Values.path.to.the.image "global" $) }}
+*/}}
+{{- define "common.images.image" -}}
+{{- $registryName := .imageRoot.registry -}}
+{{- $repositoryName := .imageRoot.repository -}}
+{{- $separator := ":" -}}
+{{- $termination := .imageRoot.tag | toString -}}
+{{- if .global }}
+    {{- if .global.imageRegistry }}
+     {{- $registryName = .global.imageRegistry -}}
+    {{- end -}}
+{{- end -}}
+{{- if .imageRoot.digest }}
+    {{- $separator = "@" -}}
+    {{- $termination = .imageRoot.digest | toString -}}
+{{- end -}}
+{{- printf "%s/%s%s%s" $registryName $repositoryName $separator $termination -}}
+{{- end -}}
+
+{{/*
+Return the proper Docker Image Registry Secret Names (deprecated: use common.images.renderPullSecrets instead)
+{{ include "common.images.pullSecrets" ( dict "images" (list .Values.path.to.the.image1, .Values.path.to.the.image2) "global" .Values.global) }}
+*/}}
+{{- define "common.images.pullSecrets" -}}
+  {{- $pullSecrets := list }}
+
+  {{- if .global }}
+    {{- range .global.imagePullSecrets -}}
+      {{- $pullSecrets = append $pullSecrets . -}}
+    {{- end -}}
+  {{- end -}}
+
+  {{- range .images -}}
+    {{- range .pullSecrets -}}
+      {{- $pullSecrets = append $pullSecrets . -}}
+    {{- end -}}
+  {{- end -}}
+
+  {{- if (not (empty $pullSecrets)) }}
+imagePullSecrets:
+    {{- range $pullSecrets }}
+  - name: {{ . }}
+    {{- end }}
+  {{- end }}
+{{- end -}}
+
+{{/*
+Return the proper Docker Image Registry Secret Names evaluating values as templates
+{{ include "common.images.renderPullSecrets" ( dict "images" (list .Values.path.to.the.image1, .Values.path.to.the.image2) "context" $) }}
+*/}}
+{{- define "common.images.renderPullSecrets" -}}
+  {{- $pullSecrets := list }}
+  {{- $context := .context }}
+
+  {{- if $context.Values.global }}
+    {{- range $context.Values.global.imagePullSecrets -}}
+      {{- $pullSecrets = append $pullSecrets (include "common.tplvalues.render" (dict "value" . "context" $context)) -}}
+    {{- end -}}
+  {{- end -}}
+
+  {{- range .images -}}
+    {{- range .pullSecrets -}}
+      {{- $pullSecrets = append $pullSecrets (include "common.tplvalues.render" (dict "value" . "context" $context)) -}}
+    {{- end -}}
+  {{- end -}}
+
+  {{- if (not (empty $pullSecrets)) }}
+imagePullSecrets:
+    {{- range $pullSecrets }}
+  - name: {{ . }}
+    {{- end }}
+  {{- end }}
+{{- end -}}
diff --git a/helm/infrastructure/subcharts/kong/charts/postgresql/charts/common/templates/_ingress.tpl b/helm/infrastructure/subcharts/kong/charts/postgresql/charts/common/templates/_ingress.tpl
new file mode 100644 (file)
index 0000000..831da9c
--- /dev/null
@@ -0,0 +1,68 @@
+{{/* vim: set filetype=mustache: */}}
+
+{{/*
+Generate backend entry that is compatible with all Kubernetes API versions.
+
+Usage:
+{{ include "common.ingress.backend" (dict "serviceName" "backendName" "servicePort" "backendPort" "context" $) }}
+
+Params:
+  - serviceName - String. Name of an existing service backend
+  - servicePort - String/Int. Port name (or number) of the service. It will be translated to different yaml depending if it is a string or an integer.
+  - context - Dict - Required. The context for the template evaluation.
+*/}}
+{{- define "common.ingress.backend" -}}
+{{- $apiVersion := (include "common.capabilities.ingress.apiVersion" .context) -}}
+{{- if or (eq $apiVersion "extensions/v1beta1") (eq $apiVersion "networking.k8s.io/v1beta1") -}}
+serviceName: {{ .serviceName }}
+servicePort: {{ .servicePort }}
+{{- else -}}
+service:
+  name: {{ .serviceName }}
+  port:
+    {{- if typeIs "string" .servicePort }}
+    name: {{ .servicePort }}
+    {{- else if or (typeIs "int" .servicePort) (typeIs "float64" .servicePort) }}
+    number: {{ .servicePort | int }}
+    {{- end }}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Print "true" if the API pathType field is supported
+Usage:
+{{ include "common.ingress.supportsPathType" . }}
+*/}}
+{{- define "common.ingress.supportsPathType" -}}
+{{- if (semverCompare "<1.18-0" (include "common.capabilities.kubeVersion" .)) -}}
+{{- print "false" -}}
+{{- else -}}
+{{- print "true" -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Returns true if the ingressClassname field is supported
+Usage:
+{{ include "common.ingress.supportsIngressClassname" . }}
+*/}}
+{{- define "common.ingress.supportsIngressClassname" -}}
+{{- if semverCompare "<1.18-0" (include "common.capabilities.kubeVersion" .) -}}
+{{- print "false" -}}
+{{- else -}}
+{{- print "true" -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Return true if cert-manager required annotations for TLS signed
+certificates are set in the Ingress annotations
+Ref: https://cert-manager.io/docs/usage/ingress/#supported-annotations
+Usage:
+{{ include "common.ingress.certManagerRequest" ( dict "annotations" .Values.path.to.the.ingress.annotations ) }}
+*/}}
+{{- define "common.ingress.certManagerRequest" -}}
+{{ if or (hasKey .annotations "cert-manager.io/cluster-issuer") (hasKey .annotations "cert-manager.io/issuer") (hasKey .annotations "kubernetes.io/tls-acme") }}
+    {{- true -}}
+{{- end -}}
+{{- end -}}
diff --git a/helm/infrastructure/subcharts/kong/charts/postgresql/charts/common/templates/_labels.tpl b/helm/infrastructure/subcharts/kong/charts/postgresql/charts/common/templates/_labels.tpl
new file mode 100644 (file)
index 0000000..252066c
--- /dev/null
@@ -0,0 +1,18 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Kubernetes standard labels
+*/}}
+{{- define "common.labels.standard" -}}
+app.kubernetes.io/name: {{ include "common.names.name" . }}
+helm.sh/chart: {{ include "common.names.chart" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end -}}
+
+{{/*
+Labels to use on deploy.spec.selector.matchLabels and svc.spec.selector
+*/}}
+{{- define "common.labels.matchLabels" -}}
+app.kubernetes.io/name: {{ include "common.names.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end -}}
diff --git a/helm/infrastructure/subcharts/kong/charts/postgresql/charts/common/templates/_names.tpl b/helm/infrastructure/subcharts/kong/charts/postgresql/charts/common/templates/_names.tpl
new file mode 100644 (file)
index 0000000..1bdac8b
--- /dev/null
@@ -0,0 +1,70 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "common.names.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "common.names.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "common.names.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified dependency name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+Usage:
+{{ include "common.names.dependency.fullname" (dict "chartName" "dependency-chart-name" "chartValues" .Values.dependency-chart "context" $) }}
+*/}}
+{{- define "common.names.dependency.fullname" -}}
+{{- if .chartValues.fullnameOverride -}}
+{{- .chartValues.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .chartName .chartValues.nameOverride -}}
+{{- if contains $name .context.Release.Name -}}
+{{- .context.Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .context.Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Allow the release namespace to be overridden for multi-namespace deployments in combined charts.
+*/}}
+{{- define "common.names.namespace" -}}
+{{- if .Values.namespaceOverride -}}
+{{- .Values.namespaceOverride -}}
+{{- else -}}
+{{- .Release.Namespace -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create a fully qualified app name adding the installation's namespace.
+*/}}
+{{- define "common.names.fullname.namespace" -}}
+{{- printf "%s-%s" (include "common.names.fullname" .) (include "common.names.namespace" .) | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
diff --git a/helm/infrastructure/subcharts/kong/charts/postgresql/charts/common/templates/_secrets.tpl b/helm/infrastructure/subcharts/kong/charts/postgresql/charts/common/templates/_secrets.tpl
new file mode 100644 (file)
index 0000000..fa18f73
--- /dev/null
@@ -0,0 +1,140 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Generate secret name.
+
+Usage:
+{{ include "common.secrets.name" (dict "existingSecret" .Values.path.to.the.existingSecret "defaultNameSuffix" "mySuffix" "context" $) }}
+
+Params:
+  - existingSecret - ExistingSecret/String - Optional. The path to the existing secrets in the values.yaml given by the user
+    to be used instead of the default one. Allows for it to be of type String (just the secret name) for backwards compatibility.
+    +info: https://github.com/bitnami/charts/tree/main/bitnami/common#existingsecret
+  - defaultNameSuffix - String - Optional. It is used only if we have several secrets in the same deployment.
+  - context - Dict - Required. The context for the template evaluation.
+*/}}
+{{- define "common.secrets.name" -}}
+{{- $name := (include "common.names.fullname" .context) -}}
+
+{{- if .defaultNameSuffix -}}
+{{- $name = printf "%s-%s" $name .defaultNameSuffix | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{- with .existingSecret -}}
+{{- if not (typeIs "string" .) -}}
+{{- with .name -}}
+{{- $name = . -}}
+{{- end -}}
+{{- else -}}
+{{- $name = . -}}
+{{- end -}}
+{{- end -}}
+
+{{- printf "%s" $name -}}
+{{- end -}}
+
+{{/*
+Generate secret key.
+
+Usage:
+{{ include "common.secrets.key" (dict "existingSecret" .Values.path.to.the.existingSecret "key" "keyName") }}
+
+Params:
+  - existingSecret - ExistingSecret/String - Optional. The path to the existing secrets in the values.yaml given by the user
+    to be used instead of the default one. Allows for it to be of type String (just the secret name) for backwards compatibility.
+    +info: https://github.com/bitnami/charts/tree/main/bitnami/common#existingsecret
+  - key - String - Required. Name of the key in the secret.
+*/}}
+{{- define "common.secrets.key" -}}
+{{- $key := .key -}}
+
+{{- if .existingSecret -}}
+  {{- if not (typeIs "string" .existingSecret) -}}
+    {{- if .existingSecret.keyMapping -}}
+      {{- $key = index .existingSecret.keyMapping $.key -}}
+    {{- end -}}
+  {{- end }}
+{{- end -}}
+
+{{- printf "%s" $key -}}
+{{- end -}}
+
+{{/*
+Generate secret password or retrieve one if already created.
+
+Usage:
+{{ include "common.secrets.passwords.manage" (dict "secret" "secret-name" "key" "keyName" "providedValues" (list "path.to.password1" "path.to.password2") "length" 10 "strong" false "chartName" "chartName" "context" $) }}
+
+Params:
+  - secret - String - Required - Name of the 'Secret' resource where the password is stored.
+  - key - String - Required - Name of the key in the secret.
+  - providedValues - List<String> - Required - The path to the validating value in the values.yaml, e.g: "mysql.password". Will pick first parameter with a defined value.
+  - length - int - Optional - Length of the generated random password.
+  - strong - Boolean - Optional - Whether to add symbols to the generated random password.
+  - chartName - String - Optional - Name of the chart used when said chart is deployed as a subchart.
+  - context - Context - Required - Parent context.
+
+The order in which this function returns a secret password:
+  1. Already existing 'Secret' resource
+     (If a 'Secret' resource is found under the name provided to the 'secret' parameter to this function and that 'Secret' resource contains a key with the name passed as the 'key' parameter to this function then the value of this existing secret password will be returned)
+  2. Password provided via the values.yaml
+     (If one of the keys passed to the 'providedValues' parameter to this function is a valid path to a key in the values.yaml and has a value, the value of the first key with a value will be returned)
+  3. Randomly generated secret password
+     (A new random secret password with the length specified in the 'length' parameter will be generated and returned)
+
+*/}}
+{{- define "common.secrets.passwords.manage" -}}
+
+{{- $password := "" }}
+{{- $subchart := "" }}
+{{- $chartName := default "" .chartName }}
+{{- $passwordLength := default 10 .length }}
+{{- $providedPasswordKey := include "common.utils.getKeyFromList" (dict "keys" .providedValues "context" $.context) }}
+{{- $providedPasswordValue := include "common.utils.getValueFromKey" (dict "key" $providedPasswordKey "context" $.context) }}
+{{- $secretData := (lookup "v1" "Secret" $.context.Release.Namespace .secret).data }}
+{{- if $secretData }}
+  {{- if hasKey $secretData .key }}
+    {{- $password = index $secretData .key | quote }}
+  {{- else }}
+    {{- printf "\nPASSWORDS ERROR: The secret \"%s\" does not contain the key \"%s\"\n" .secret .key | fail -}}
+  {{- end -}}
+{{- else if $providedPasswordValue }}
+  {{- $password = $providedPasswordValue | toString | b64enc | quote }}
+{{- else }}
+
+  {{- if .context.Values.enabled }}
+    {{- $subchart = $chartName }}
+  {{- end -}}
+
+  {{- $requiredPassword := dict "valueKey" $providedPasswordKey "secret" .secret "field" .key "subchart" $subchart "context" $.context -}}
+  {{- $requiredPasswordError := include "common.validations.values.single.empty" $requiredPassword -}}
+  {{- $passwordValidationErrors := list $requiredPasswordError -}}
+  {{- include "common.errors.upgrade.passwords.empty" (dict "validationErrors" $passwordValidationErrors "context" $.context) -}}
+
+  {{- if .strong }}
+    {{- $subStr := list (lower (randAlpha 1)) (randNumeric 1) (upper (randAlpha 1)) | join "_" }}
+    {{- $password = randAscii $passwordLength }}
+    {{- $password = regexReplaceAllLiteral "\\W" $password "@" | substr 5 $passwordLength }}
+    {{- $password = printf "%s%s" $subStr $password | toString | shuffle | b64enc | quote }}
+  {{- else }}
+    {{- $password = randAlphaNum $passwordLength | b64enc | quote }}
+  {{- end }}
+{{- end -}}
+{{- printf "%s" $password -}}
+{{- end -}}
+
+{{/*
+Returns whether a previous generated secret already exists
+
+Usage:
+{{ include "common.secrets.exists" (dict "secret" "secret-name" "context" $) }}
+
+Params:
+  - secret - String - Required - Name of the 'Secret' resource where the password is stored.
+  - context - Context - Required - Parent context.
+*/}}
+{{- define "common.secrets.exists" -}}
+{{- $secret := (lookup "v1" "Secret" $.context.Release.Namespace .secret) }}
+{{- if $secret }}
+  {{- true -}}
+{{- end -}}
+{{- end -}}
diff --git a/helm/infrastructure/subcharts/kong/charts/postgresql/charts/common/templates/_storage.tpl b/helm/infrastructure/subcharts/kong/charts/postgresql/charts/common/templates/_storage.tpl
new file mode 100644 (file)
index 0000000..60e2a84
--- /dev/null
@@ -0,0 +1,23 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Return  the proper Storage Class
+{{ include "common.storage.class" ( dict "persistence" .Values.path.to.the.persistence "global" $) }}
+*/}}
+{{- define "common.storage.class" -}}
+
+{{- $storageClass := .persistence.storageClass -}}
+{{- if .global -}}
+    {{- if .global.storageClass -}}
+        {{- $storageClass = .global.storageClass -}}
+    {{- end -}}
+{{- end -}}
+
+{{- if $storageClass -}}
+  {{- if (eq "-" $storageClass) -}}
+      {{- printf "storageClassName: \"\"" -}}
+  {{- else }}
+      {{- printf "storageClassName: %s" $storageClass -}}
+  {{- end -}}
+{{- end -}}
+
+{{- end -}}
diff --git a/helm/infrastructure/subcharts/kong/charts/postgresql/charts/common/templates/_tplvalues.tpl b/helm/infrastructure/subcharts/kong/charts/postgresql/charts/common/templates/_tplvalues.tpl
new file mode 100644 (file)
index 0000000..2db1668
--- /dev/null
@@ -0,0 +1,13 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Renders a value that contains template.
+Usage:
+{{ include "common.tplvalues.render" ( dict "value" .Values.path.to.the.Value "context" $) }}
+*/}}
+{{- define "common.tplvalues.render" -}}
+    {{- if typeIs "string" .value }}
+        {{- tpl .value .context }}
+    {{- else }}
+        {{- tpl (.value | toYaml) .context }}
+    {{- end }}
+{{- end -}}
diff --git a/helm/infrastructure/subcharts/kong/charts/postgresql/charts/common/templates/_utils.tpl b/helm/infrastructure/subcharts/kong/charts/postgresql/charts/common/templates/_utils.tpl
new file mode 100644 (file)
index 0000000..8c22b2a
--- /dev/null
@@ -0,0 +1,62 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Print instructions to get a secret value.
+Usage:
+{{ include "common.utils.secret.getvalue" (dict "secret" "secret-name" "field" "secret-value-field" "context" $) }}
+*/}}
+{{- define "common.utils.secret.getvalue" -}}
+{{- $varname := include "common.utils.fieldToEnvVar" . -}}
+export {{ $varname }}=$(kubectl get secret --namespace {{ .context.Release.Namespace | quote }} {{ .secret }} -o jsonpath="{.data.{{ .field }}}" | base64 -d)
+{{- end -}}
+
+{{/*
+Build env var name given a field
+Usage:
+{{ include "common.utils.fieldToEnvVar" dict "field" "my-password" }}
+*/}}
+{{- define "common.utils.fieldToEnvVar" -}}
+  {{- $fieldNameSplit := splitList "-" .field -}}
+  {{- $upperCaseFieldNameSplit := list -}}
+
+  {{- range $fieldNameSplit -}}
+    {{- $upperCaseFieldNameSplit = append $upperCaseFieldNameSplit ( upper . ) -}}
+  {{- end -}}
+
+  {{ join "_" $upperCaseFieldNameSplit }}
+{{- end -}}
+
+{{/*
+Gets a value from .Values given
+Usage:
+{{ include "common.utils.getValueFromKey" (dict "key" "path.to.key" "context" $) }}
+*/}}
+{{- define "common.utils.getValueFromKey" -}}
+{{- $splitKey := splitList "." .key -}}
+{{- $value := "" -}}
+{{- $latestObj := $.context.Values -}}
+{{- range $splitKey -}}
+  {{- if not $latestObj -}}
+    {{- printf "please review the entire path of '%s' exists in values" $.key | fail -}}
+  {{- end -}}
+  {{- $value = ( index $latestObj . ) -}}
+  {{- $latestObj = $value -}}
+{{- end -}}
+{{- printf "%v" (default "" $value) -}} 
+{{- end -}}
+
+{{/*
+Returns first .Values key with a defined value or first of the list if all non-defined
+Usage:
+{{ include "common.utils.getKeyFromList" (dict "keys" (list "path.to.key1" "path.to.key2") "context" $) }}
+*/}}
+{{- define "common.utils.getKeyFromList" -}}
+{{- $key := first .keys -}}
+{{- $reverseKeys := reverse .keys }}
+{{- range $reverseKeys }}
+  {{- $value := include "common.utils.getValueFromKey" (dict "key" . "context" $.context ) }}
+  {{- if $value -}}
+    {{- $key = . }}
+  {{- end -}}
+{{- end -}}
+{{- printf "%s" $key -}} 
+{{- end -}}
diff --git a/helm/infrastructure/subcharts/kong/charts/postgresql/charts/common/templates/_warnings.tpl b/helm/infrastructure/subcharts/kong/charts/postgresql/charts/common/templates/_warnings.tpl
new file mode 100644 (file)
index 0000000..ae10fa4
--- /dev/null
@@ -0,0 +1,14 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Warning about using rolling tag.
+Usage:
+{{ include "common.warnings.rollingTag" .Values.path.to.the.imageRoot }}
+*/}}
+{{- define "common.warnings.rollingTag" -}}
+
+{{- if and (contains "bitnami/" .repository) (not (.tag | toString | regexFind "-r\\d+$|sha256:")) }}
+WARNING: Rolling tag detected ({{ .repository }}:{{ .tag }}), please note that it is strongly recommended to avoid using rolling tags in a production environment.
++info https://docs.bitnami.com/containers/how-to/understand-rolling-tags-containers/
+{{- end }}
+
+{{- end -}}
diff --git a/helm/infrastructure/subcharts/kong/charts/postgresql/charts/common/templates/validations/_cassandra.tpl b/helm/infrastructure/subcharts/kong/charts/postgresql/charts/common/templates/validations/_cassandra.tpl
new file mode 100644 (file)
index 0000000..ded1ae3
--- /dev/null
@@ -0,0 +1,72 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Validate Cassandra required passwords are not empty.
+
+Usage:
+{{ include "common.validations.values.cassandra.passwords" (dict "secret" "secretName" "subchart" false "context" $) }}
+Params:
+  - secret - String - Required. Name of the secret where Cassandra values are stored, e.g: "cassandra-passwords-secret"
+  - subchart - Boolean - Optional. Whether Cassandra is used as subchart or not. Default: false
+*/}}
+{{- define "common.validations.values.cassandra.passwords" -}}
+  {{- $existingSecret := include "common.cassandra.values.existingSecret" . -}}
+  {{- $enabled := include "common.cassandra.values.enabled" . -}}
+  {{- $dbUserPrefix := include "common.cassandra.values.key.dbUser" . -}}
+  {{- $valueKeyPassword := printf "%s.password" $dbUserPrefix -}}
+
+  {{- if and (or (not $existingSecret) (eq $existingSecret "\"\"")) (eq $enabled "true") -}}
+    {{- $requiredPasswords := list -}}
+
+    {{- $requiredPassword := dict "valueKey" $valueKeyPassword "secret" .secret "field" "cassandra-password" -}}
+    {{- $requiredPasswords = append $requiredPasswords $requiredPassword -}}
+
+    {{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}}
+
+  {{- end -}}
+{{- end -}}
+
+{{/*
+Auxiliary function to get the right value for existingSecret.
+
+Usage:
+{{ include "common.cassandra.values.existingSecret" (dict "context" $) }}
+Params:
+  - subchart - Boolean - Optional. Whether Cassandra is used as subchart or not. Default: false
+*/}}
+{{- define "common.cassandra.values.existingSecret" -}}
+  {{- if .subchart -}}
+    {{- .context.Values.cassandra.dbUser.existingSecret | quote -}}
+  {{- else -}}
+    {{- .context.Values.dbUser.existingSecret | quote -}}
+  {{- end -}}
+{{- end -}}
+
+{{/*
+Auxiliary function to get the right value for enabled cassandra.
+
+Usage:
+{{ include "common.cassandra.values.enabled" (dict "context" $) }}
+*/}}
+{{- define "common.cassandra.values.enabled" -}}
+  {{- if .subchart -}}
+    {{- printf "%v" .context.Values.cassandra.enabled -}}
+  {{- else -}}
+    {{- printf "%v" (not .context.Values.enabled) -}}
+  {{- end -}}
+{{- end -}}
+
+{{/*
+Auxiliary function to get the right value for the key dbUser
+
+Usage:
+{{ include "common.cassandra.values.key.dbUser" (dict "subchart" "true" "context" $) }}
+Params:
+  - subchart - Boolean - Optional. Whether Cassandra is used as subchart or not. Default: false
+*/}}
+{{- define "common.cassandra.values.key.dbUser" -}}
+  {{- if .subchart -}}
+    cassandra.dbUser
+  {{- else -}}
+    dbUser
+  {{- end -}}
+{{- end -}}
diff --git a/helm/infrastructure/subcharts/kong/charts/postgresql/charts/common/templates/validations/_mariadb.tpl b/helm/infrastructure/subcharts/kong/charts/postgresql/charts/common/templates/validations/_mariadb.tpl
new file mode 100644 (file)
index 0000000..b6906ff
--- /dev/null
@@ -0,0 +1,103 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Validate MariaDB required passwords are not empty.
+
+Usage:
+{{ include "common.validations.values.mariadb.passwords" (dict "secret" "secretName" "subchart" false "context" $) }}
+Params:
+  - secret - String - Required. Name of the secret where MariaDB values are stored, e.g: "mysql-passwords-secret"
+  - subchart - Boolean - Optional. Whether MariaDB is used as subchart or not. Default: false
+*/}}
+{{- define "common.validations.values.mariadb.passwords" -}}
+  {{- $existingSecret := include "common.mariadb.values.auth.existingSecret" . -}}
+  {{- $enabled := include "common.mariadb.values.enabled" . -}}
+  {{- $architecture := include "common.mariadb.values.architecture" . -}}
+  {{- $authPrefix := include "common.mariadb.values.key.auth" . -}}
+  {{- $valueKeyRootPassword := printf "%s.rootPassword" $authPrefix -}}
+  {{- $valueKeyUsername := printf "%s.username" $authPrefix -}}
+  {{- $valueKeyPassword := printf "%s.password" $authPrefix -}}
+  {{- $valueKeyReplicationPassword := printf "%s.replicationPassword" $authPrefix -}}
+
+  {{- if and (or (not $existingSecret) (eq $existingSecret "\"\"")) (eq $enabled "true") -}}
+    {{- $requiredPasswords := list -}}
+
+    {{- $requiredRootPassword := dict "valueKey" $valueKeyRootPassword "secret" .secret "field" "mariadb-root-password" -}}
+    {{- $requiredPasswords = append $requiredPasswords $requiredRootPassword -}}
+
+    {{- $valueUsername := include "common.utils.getValueFromKey" (dict "key" $valueKeyUsername "context" .context) }}
+    {{- if not (empty $valueUsername) -}}
+        {{- $requiredPassword := dict "valueKey" $valueKeyPassword "secret" .secret "field" "mariadb-password" -}}
+        {{- $requiredPasswords = append $requiredPasswords $requiredPassword -}}
+    {{- end -}}
+
+    {{- if (eq $architecture "replication") -}}
+        {{- $requiredReplicationPassword := dict "valueKey" $valueKeyReplicationPassword "secret" .secret "field" "mariadb-replication-password" -}}
+        {{- $requiredPasswords = append $requiredPasswords $requiredReplicationPassword -}}
+    {{- end -}}
+
+    {{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}}
+
+  {{- end -}}
+{{- end -}}
+
+{{/*
+Auxiliary function to get the right value for existingSecret.
+
+Usage:
+{{ include "common.mariadb.values.auth.existingSecret" (dict "context" $) }}
+Params:
+  - subchart - Boolean - Optional. Whether MariaDB is used as subchart or not. Default: false
+*/}}
+{{- define "common.mariadb.values.auth.existingSecret" -}}
+  {{- if .subchart -}}
+    {{- .context.Values.mariadb.auth.existingSecret | quote -}}
+  {{- else -}}
+    {{- .context.Values.auth.existingSecret | quote -}}
+  {{- end -}}
+{{- end -}}
+
+{{/*
+Auxiliary function to get the right value for enabled mariadb.
+
+Usage:
+{{ include "common.mariadb.values.enabled" (dict "context" $) }}
+*/}}
+{{- define "common.mariadb.values.enabled" -}}
+  {{- if .subchart -}}
+    {{- printf "%v" .context.Values.mariadb.enabled -}}
+  {{- else -}}
+    {{- printf "%v" (not .context.Values.enabled) -}}
+  {{- end -}}
+{{- end -}}
+
+{{/*
+Auxiliary function to get the right value for architecture
+
+Usage:
+{{ include "common.mariadb.values.architecture" (dict "subchart" "true" "context" $) }}
+Params:
+  - subchart - Boolean - Optional. Whether MariaDB is used as subchart or not. Default: false
+*/}}
+{{- define "common.mariadb.values.architecture" -}}
+  {{- if .subchart -}}
+    {{- .context.Values.mariadb.architecture -}}
+  {{- else -}}
+    {{- .context.Values.architecture -}}
+  {{- end -}}
+{{- end -}}
+
+{{/*
+Auxiliary function to get the right value for the key auth
+
+Usage:
+{{ include "common.mariadb.values.key.auth" (dict "subchart" "true" "context" $) }}
+Params:
+  - subchart - Boolean - Optional. Whether MariaDB is used as subchart or not. Default: false
+*/}}
+{{- define "common.mariadb.values.key.auth" -}}
+  {{- if .subchart -}}
+    mariadb.auth
+  {{- else -}}
+    auth
+  {{- end -}}
+{{- end -}}
diff --git a/helm/infrastructure/subcharts/kong/charts/postgresql/charts/common/templates/validations/_mongodb.tpl b/helm/infrastructure/subcharts/kong/charts/postgresql/charts/common/templates/validations/_mongodb.tpl
new file mode 100644 (file)
index 0000000..f820ec1
--- /dev/null
@@ -0,0 +1,108 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Validate MongoDB&reg; required passwords are not empty.
+
+Usage:
+{{ include "common.validations.values.mongodb.passwords" (dict "secret" "secretName" "subchart" false "context" $) }}
+Params:
+  - secret - String - Required. Name of the secret where MongoDB&reg; values are stored, e.g: "mongodb-passwords-secret"
+  - subchart - Boolean - Optional. Whether MongoDB&reg; is used as subchart or not. Default: false
+*/}}
+{{- define "common.validations.values.mongodb.passwords" -}}
+  {{- $existingSecret := include "common.mongodb.values.auth.existingSecret" . -}}
+  {{- $enabled := include "common.mongodb.values.enabled" . -}}
+  {{- $authPrefix := include "common.mongodb.values.key.auth" . -}}
+  {{- $architecture := include "common.mongodb.values.architecture" . -}}
+  {{- $valueKeyRootPassword := printf "%s.rootPassword" $authPrefix -}}
+  {{- $valueKeyUsername := printf "%s.username" $authPrefix -}}
+  {{- $valueKeyDatabase := printf "%s.database" $authPrefix -}}
+  {{- $valueKeyPassword := printf "%s.password" $authPrefix -}}
+  {{- $valueKeyReplicaSetKey := printf "%s.replicaSetKey" $authPrefix -}}
+  {{- $valueKeyAuthEnabled := printf "%s.enabled" $authPrefix -}}
+
+  {{- $authEnabled := include "common.utils.getValueFromKey" (dict "key" $valueKeyAuthEnabled "context" .context) -}}
+
+  {{- if and (or (not $existingSecret) (eq $existingSecret "\"\"")) (eq $enabled "true") (eq $authEnabled "true") -}}
+    {{- $requiredPasswords := list -}}
+
+    {{- $requiredRootPassword := dict "valueKey" $valueKeyRootPassword "secret" .secret "field" "mongodb-root-password" -}}
+    {{- $requiredPasswords = append $requiredPasswords $requiredRootPassword -}}
+
+    {{- $valueUsername := include "common.utils.getValueFromKey" (dict "key" $valueKeyUsername "context" .context) }}
+    {{- $valueDatabase := include "common.utils.getValueFromKey" (dict "key" $valueKeyDatabase "context" .context) }}
+    {{- if and $valueUsername $valueDatabase -}}
+        {{- $requiredPassword := dict "valueKey" $valueKeyPassword "secret" .secret "field" "mongodb-password" -}}
+        {{- $requiredPasswords = append $requiredPasswords $requiredPassword -}}
+    {{- end -}}
+
+    {{- if (eq $architecture "replicaset") -}}
+        {{- $requiredReplicaSetKey := dict "valueKey" $valueKeyReplicaSetKey "secret" .secret "field" "mongodb-replica-set-key" -}}
+        {{- $requiredPasswords = append $requiredPasswords $requiredReplicaSetKey -}}
+    {{- end -}}
+
+    {{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}}
+
+  {{- end -}}
+{{- end -}}
+
+{{/*
+Auxiliary function to get the right value for existingSecret.
+
+Usage:
+{{ include "common.mongodb.values.auth.existingSecret" (dict "context" $) }}
+Params:
+  - subchart - Boolean - Optional. Whether MongoDb is used as subchart or not. Default: false
+*/}}
+{{- define "common.mongodb.values.auth.existingSecret" -}}
+  {{- if .subchart -}}
+    {{- .context.Values.mongodb.auth.existingSecret | quote -}}
+  {{- else -}}
+    {{- .context.Values.auth.existingSecret | quote -}}
+  {{- end -}}
+{{- end -}}
+
+{{/*
+Auxiliary function to get the right value for enabled mongodb.
+
+Usage:
+{{ include "common.mongodb.values.enabled" (dict "context" $) }}
+*/}}
+{{- define "common.mongodb.values.enabled" -}}
+  {{- if .subchart -}}
+    {{- printf "%v" .context.Values.mongodb.enabled -}}
+  {{- else -}}
+    {{- printf "%v" (not .context.Values.enabled) -}}
+  {{- end -}}
+{{- end -}}
+
+{{/*
+Auxiliary function to get the right value for the key auth
+
+Usage:
+{{ include "common.mongodb.values.key.auth" (dict "subchart" "true" "context" $) }}
+Params:
+  - subchart - Boolean - Optional. Whether MongoDB&reg; is used as subchart or not. Default: false
+*/}}
+{{- define "common.mongodb.values.key.auth" -}}
+  {{- if .subchart -}}
+    mongodb.auth
+  {{- else -}}
+    auth
+  {{- end -}}
+{{- end -}}
+
+{{/*
+Auxiliary function to get the right value for architecture
+
+Usage:
+{{ include "common.mongodb.values.architecture" (dict "subchart" "true" "context" $) }}
+Params:
+  - subchart - Boolean - Optional. Whether MongoDB&reg; is used as subchart or not. Default: false
+*/}}
+{{- define "common.mongodb.values.architecture" -}}
+  {{- if .subchart -}}
+    {{- .context.Values.mongodb.architecture -}}
+  {{- else -}}
+    {{- .context.Values.architecture -}}
+  {{- end -}}
+{{- end -}}
diff --git a/helm/infrastructure/subcharts/kong/charts/postgresql/charts/common/templates/validations/_mysql.tpl b/helm/infrastructure/subcharts/kong/charts/postgresql/charts/common/templates/validations/_mysql.tpl
new file mode 100644 (file)
index 0000000..74472a0
--- /dev/null
@@ -0,0 +1,103 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Validate MySQL required passwords are not empty.
+
+Usage:
+{{ include "common.validations.values.mysql.passwords" (dict "secret" "secretName" "subchart" false "context" $) }}
+Params:
+  - secret - String - Required. Name of the secret where MySQL values are stored, e.g: "mysql-passwords-secret"
+  - subchart - Boolean - Optional. Whether MySQL is used as subchart or not. Default: false
+*/}}
+{{- define "common.validations.values.mysql.passwords" -}}
+  {{- $existingSecret := include "common.mysql.values.auth.existingSecret" . -}}
+  {{- $enabled := include "common.mysql.values.enabled" . -}}
+  {{- $architecture := include "common.mysql.values.architecture" . -}}
+  {{- $authPrefix := include "common.mysql.values.key.auth" . -}}
+  {{- $valueKeyRootPassword := printf "%s.rootPassword" $authPrefix -}}
+  {{- $valueKeyUsername := printf "%s.username" $authPrefix -}}
+  {{- $valueKeyPassword := printf "%s.password" $authPrefix -}}
+  {{- $valueKeyReplicationPassword := printf "%s.replicationPassword" $authPrefix -}}
+
+  {{- if and (or (not $existingSecret) (eq $existingSecret "\"\"")) (eq $enabled "true") -}}
+    {{- $requiredPasswords := list -}}
+
+    {{- $requiredRootPassword := dict "valueKey" $valueKeyRootPassword "secret" .secret "field" "mysql-root-password" -}}
+    {{- $requiredPasswords = append $requiredPasswords $requiredRootPassword -}}
+
+    {{- $valueUsername := include "common.utils.getValueFromKey" (dict "key" $valueKeyUsername "context" .context) }}
+    {{- if not (empty $valueUsername) -}}
+        {{- $requiredPassword := dict "valueKey" $valueKeyPassword "secret" .secret "field" "mysql-password" -}}
+        {{- $requiredPasswords = append $requiredPasswords $requiredPassword -}}
+    {{- end -}}
+
+    {{- if (eq $architecture "replication") -}}
+        {{- $requiredReplicationPassword := dict "valueKey" $valueKeyReplicationPassword "secret" .secret "field" "mysql-replication-password" -}}
+        {{- $requiredPasswords = append $requiredPasswords $requiredReplicationPassword -}}
+    {{- end -}}
+
+    {{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}}
+
+  {{- end -}}
+{{- end -}}
+
+{{/*
+Auxiliary function to get the right value for existingSecret.
+
+Usage:
+{{ include "common.mysql.values.auth.existingSecret" (dict "context" $) }}
+Params:
+  - subchart - Boolean - Optional. Whether MySQL is used as subchart or not. Default: false
+*/}}
+{{- define "common.mysql.values.auth.existingSecret" -}}
+  {{- if .subchart -}}
+    {{- .context.Values.mysql.auth.existingSecret | quote -}}
+  {{- else -}}
+    {{- .context.Values.auth.existingSecret | quote -}}
+  {{- end -}}
+{{- end -}}
+
+{{/*
+Auxiliary function to get the right value for enabled mysql.
+
+Usage:
+{{ include "common.mysql.values.enabled" (dict "context" $) }}
+*/}}
+{{- define "common.mysql.values.enabled" -}}
+  {{- if .subchart -}}
+    {{- printf "%v" .context.Values.mysql.enabled -}}
+  {{- else -}}
+    {{- printf "%v" (not .context.Values.enabled) -}}
+  {{- end -}}
+{{- end -}}
+
+{{/*
+Auxiliary function to get the right value for architecture
+
+Usage:
+{{ include "common.mysql.values.architecture" (dict "subchart" "true" "context" $) }}
+Params:
+  - subchart - Boolean - Optional. Whether MySQL is used as subchart or not. Default: false
+*/}}
+{{- define "common.mysql.values.architecture" -}}
+  {{- if .subchart -}}
+    {{- .context.Values.mysql.architecture -}}
+  {{- else -}}
+    {{- .context.Values.architecture -}}
+  {{- end -}}
+{{- end -}}
+
+{{/*
+Auxiliary function to get the right value for the key auth
+
+Usage:
+{{ include "common.mysql.values.key.auth" (dict "subchart" "true" "context" $) }}
+Params:
+  - subchart - Boolean - Optional. Whether MySQL is used as subchart or not. Default: false
+*/}}
+{{- define "common.mysql.values.key.auth" -}}
+  {{- if .subchart -}}
+    mysql.auth
+  {{- else -}}
+    auth
+  {{- end -}}
+{{- end -}}
diff --git a/helm/infrastructure/subcharts/kong/charts/postgresql/charts/common/templates/validations/_postgresql.tpl b/helm/infrastructure/subcharts/kong/charts/postgresql/charts/common/templates/validations/_postgresql.tpl
new file mode 100644 (file)
index 0000000..164ec0d
--- /dev/null
@@ -0,0 +1,129 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Validate PostgreSQL required passwords are not empty.
+
+Usage:
+{{ include "common.validations.values.postgresql.passwords" (dict "secret" "secretName" "subchart" false "context" $) }}
+Params:
+  - secret - String - Required. Name of the secret where postgresql values are stored, e.g: "postgresql-passwords-secret"
+  - subchart - Boolean - Optional. Whether postgresql is used as subchart or not. Default: false
+*/}}
+{{- define "common.validations.values.postgresql.passwords" -}}
+  {{- $existingSecret := include "common.postgresql.values.existingSecret" . -}}
+  {{- $enabled := include "common.postgresql.values.enabled" . -}}
+  {{- $valueKeyPostgresqlPassword := include "common.postgresql.values.key.postgressPassword" . -}}
+  {{- $valueKeyPostgresqlReplicationEnabled := include "common.postgresql.values.key.replicationPassword" . -}}
+  {{- if and (or (not $existingSecret) (eq $existingSecret "\"\"")) (eq $enabled "true") -}}
+    {{- $requiredPasswords := list -}}
+    {{- $requiredPostgresqlPassword := dict "valueKey" $valueKeyPostgresqlPassword "secret" .secret "field" "postgresql-password" -}}
+    {{- $requiredPasswords = append $requiredPasswords $requiredPostgresqlPassword -}}
+
+    {{- $enabledReplication := include "common.postgresql.values.enabled.replication" . -}}
+    {{- if (eq $enabledReplication "true") -}}
+        {{- $requiredPostgresqlReplicationPassword := dict "valueKey" $valueKeyPostgresqlReplicationEnabled "secret" .secret "field" "postgresql-replication-password" -}}
+        {{- $requiredPasswords = append $requiredPasswords $requiredPostgresqlReplicationPassword -}}
+    {{- end -}}
+
+    {{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}}
+  {{- end -}}
+{{- end -}}
+
+{{/*
+Auxiliary function to decide whether evaluate global values.
+
+Usage:
+{{ include "common.postgresql.values.use.global" (dict "key" "key-of-global" "context" $) }}
+Params:
+  - key - String - Required. Field to be evaluated within global, e.g: "existingSecret"
+*/}}
+{{- define "common.postgresql.values.use.global" -}}
+  {{- if .context.Values.global -}}
+    {{- if .context.Values.global.postgresql -}}
+      {{- index .context.Values.global.postgresql .key | quote -}}
+    {{- end -}}
+  {{- end -}}
+{{- end -}}
+
+{{/*
+Auxiliary function to get the right value for existingSecret.
+
+Usage:
+{{ include "common.postgresql.values.existingSecret" (dict "context" $) }}
+*/}}
+{{- define "common.postgresql.values.existingSecret" -}}
+  {{- $globalValue := include "common.postgresql.values.use.global" (dict "key" "existingSecret" "context" .context) -}}
+
+  {{- if .subchart -}}
+    {{- default (.context.Values.postgresql.existingSecret | quote) $globalValue -}}
+  {{- else -}}
+    {{- default (.context.Values.existingSecret | quote) $globalValue -}}
+  {{- end -}}
+{{- end -}}
+
+{{/*
+Auxiliary function to get the right value for enabled postgresql.
+
+Usage:
+{{ include "common.postgresql.values.enabled" (dict "context" $) }}
+*/}}
+{{- define "common.postgresql.values.enabled" -}}
+  {{- if .subchart -}}
+    {{- printf "%v" .context.Values.postgresql.enabled -}}
+  {{- else -}}
+    {{- printf "%v" (not .context.Values.enabled) -}}
+  {{- end -}}
+{{- end -}}
+
+{{/*
+Auxiliary function to get the right value for the key postgressPassword.
+
+Usage:
+{{ include "common.postgresql.values.key.postgressPassword" (dict "subchart" "true" "context" $) }}
+Params:
+  - subchart - Boolean - Optional. Whether postgresql is used as subchart or not. Default: false
+*/}}
+{{- define "common.postgresql.values.key.postgressPassword" -}}
+  {{- $globalValue := include "common.postgresql.values.use.global" (dict "key" "postgresqlUsername" "context" .context) -}}
+
+  {{- if not $globalValue -}}
+    {{- if .subchart -}}
+      postgresql.postgresqlPassword
+    {{- else -}}
+      postgresqlPassword
+    {{- end -}}
+  {{- else -}}
+    global.postgresql.postgresqlPassword
+  {{- end -}}
+{{- end -}}
+
+{{/*
+Auxiliary function to get the right value for enabled.replication.
+
+Usage:
+{{ include "common.postgresql.values.enabled.replication" (dict "subchart" "true" "context" $) }}
+Params:
+  - subchart - Boolean - Optional. Whether postgresql is used as subchart or not. Default: false
+*/}}
+{{- define "common.postgresql.values.enabled.replication" -}}
+  {{- if .subchart -}}
+    {{- printf "%v" .context.Values.postgresql.replication.enabled -}}
+  {{- else -}}
+    {{- printf "%v" .context.Values.replication.enabled -}}
+  {{- end -}}
+{{- end -}}
+
+{{/*
+Auxiliary function to get the right value for the key replication.password.
+
+Usage:
+{{ include "common.postgresql.values.key.replicationPassword" (dict "subchart" "true" "context" $) }}
+Params:
+  - subchart - Boolean - Optional. Whether postgresql is used as subchart or not. Default: false
+*/}}
+{{- define "common.postgresql.values.key.replicationPassword" -}}
+  {{- if .subchart -}}
+    postgresql.replication.password
+  {{- else -}}
+    replication.password
+  {{- end -}}
+{{- end -}}
diff --git a/helm/infrastructure/subcharts/kong/charts/postgresql/charts/common/templates/validations/_redis.tpl b/helm/infrastructure/subcharts/kong/charts/postgresql/charts/common/templates/validations/_redis.tpl
new file mode 100644 (file)
index 0000000..dcccfc1
--- /dev/null
@@ -0,0 +1,76 @@
+
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Validate Redis&reg; required passwords are not empty.
+
+Usage:
+{{ include "common.validations.values.redis.passwords" (dict "secret" "secretName" "subchart" false "context" $) }}
+Params:
+  - secret - String - Required. Name of the secret where redis values are stored, e.g: "redis-passwords-secret"
+  - subchart - Boolean - Optional. Whether redis is used as subchart or not. Default: false
+*/}}
+{{- define "common.validations.values.redis.passwords" -}}
+  {{- $enabled := include "common.redis.values.enabled" . -}}
+  {{- $valueKeyPrefix := include "common.redis.values.keys.prefix" . -}}
+  {{- $standarizedVersion := include "common.redis.values.standarized.version" . }}
+
+  {{- $existingSecret := ternary (printf "%s%s" $valueKeyPrefix "auth.existingSecret") (printf "%s%s" $valueKeyPrefix "existingSecret") (eq $standarizedVersion "true") }}
+  {{- $existingSecretValue := include "common.utils.getValueFromKey" (dict "key" $existingSecret "context" .context) }}
+
+  {{- $valueKeyRedisPassword := ternary (printf "%s%s" $valueKeyPrefix "auth.password") (printf "%s%s" $valueKeyPrefix "password") (eq $standarizedVersion "true") }}
+  {{- $valueKeyRedisUseAuth := ternary (printf "%s%s" $valueKeyPrefix "auth.enabled") (printf "%s%s" $valueKeyPrefix "usePassword") (eq $standarizedVersion "true") }}
+
+  {{- if and (or (not $existingSecret) (eq $existingSecret "\"\"")) (eq $enabled "true") -}}
+    {{- $requiredPasswords := list -}}
+
+    {{- $useAuth := include "common.utils.getValueFromKey" (dict "key" $valueKeyRedisUseAuth "context" .context) -}}
+    {{- if eq $useAuth "true" -}}
+      {{- $requiredRedisPassword := dict "valueKey" $valueKeyRedisPassword "secret" .secret "field" "redis-password" -}}
+      {{- $requiredPasswords = append $requiredPasswords $requiredRedisPassword -}}
+    {{- end -}}
+
+    {{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}}
+  {{- end -}}
+{{- end -}}
+
+{{/*
+Auxiliary function to get the right value for enabled redis.
+
+Usage:
+{{ include "common.redis.values.enabled" (dict "context" $) }}
+*/}}
+{{- define "common.redis.values.enabled" -}}
+  {{- if .subchart -}}
+    {{- printf "%v" .context.Values.redis.enabled -}}
+  {{- else -}}
+    {{- printf "%v" (not .context.Values.enabled) -}}
+  {{- end -}}
+{{- end -}}
+
+{{/*
+Auxiliary function to get the right prefix path for the values
+
+Usage:
+{{ include "common.redis.values.key.prefix" (dict "subchart" "true" "context" $) }}
+Params:
+  - subchart - Boolean - Optional. Whether redis is used as subchart or not. Default: false
+*/}}
+{{- define "common.redis.values.keys.prefix" -}}
+  {{- if .subchart -}}redis.{{- else -}}{{- end -}}
+{{- end -}}
+
+{{/*
+Checks whether the redis chart's includes the standarizations (version >= 14)
+
+Usage:
+{{ include "common.redis.values.standarized.version" (dict "context" $) }}
+*/}}
+{{- define "common.redis.values.standarized.version" -}}
+
+  {{- $standarizedAuth := printf "%s%s" (include "common.redis.values.keys.prefix" .) "auth" -}}
+  {{- $standarizedAuthValues := include "common.utils.getValueFromKey" (dict "key" $standarizedAuth "context" .context) }}
+
+  {{- if $standarizedAuthValues -}}
+    {{- true -}}
+  {{- end -}}
+{{- end -}}
diff --git a/helm/infrastructure/subcharts/kong/charts/postgresql/charts/common/templates/validations/_validations.tpl b/helm/infrastructure/subcharts/kong/charts/postgresql/charts/common/templates/validations/_validations.tpl
new file mode 100644 (file)
index 0000000..9a814cf
--- /dev/null
@@ -0,0 +1,46 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Validate values must not be empty.
+
+Usage:
+{{- $validateValueConf00 := (dict "valueKey" "path.to.value" "secret" "secretName" "field" "password-00") -}}
+{{- $validateValueConf01 := (dict "valueKey" "path.to.value" "secret" "secretName" "field" "password-01") -}}
+{{ include "common.validations.values.empty" (dict "required" (list $validateValueConf00 $validateValueConf01) "context" $) }}
+
+Validate value params:
+  - valueKey - String - Required. The path to the validating value in the values.yaml, e.g: "mysql.password"
+  - secret - String - Optional. Name of the secret where the validating value is generated/stored, e.g: "mysql-passwords-secret"
+  - field - String - Optional. Name of the field in the secret data, e.g: "mysql-password"
+*/}}
+{{- define "common.validations.values.multiple.empty" -}}
+  {{- range .required -}}
+    {{- include "common.validations.values.single.empty" (dict "valueKey" .valueKey "secret" .secret "field" .field "context" $.context) -}}
+  {{- end -}}
+{{- end -}}
+
+{{/*
+Validate a value must not be empty.
+
+Usage:
+{{ include "common.validations.value.empty" (dict "valueKey" "mariadb.password" "secret" "secretName" "field" "my-password" "subchart" "subchart" "context" $) }}
+
+Validate value params:
+  - valueKey - String - Required. The path to the validating value in the values.yaml, e.g: "mysql.password"
+  - secret - String - Optional. Name of the secret where the validating value is generated/stored, e.g: "mysql-passwords-secret"
+  - field - String - Optional. Name of the field in the secret data, e.g: "mysql-password"
+  - subchart - String - Optional - Name of the subchart that the validated password is part of.
+*/}}
+{{- define "common.validations.values.single.empty" -}}
+  {{- $value := include "common.utils.getValueFromKey" (dict "key" .valueKey "context" .context) }}
+  {{- $subchart := ternary "" (printf "%s." .subchart) (empty .subchart) }}
+
+  {{- if not $value -}}
+    {{- $varname := "my-value" -}}
+    {{- $getCurrentValue := "" -}}
+    {{- if and .secret .field -}}
+      {{- $varname = include "common.utils.fieldToEnvVar" . -}}
+      {{- $getCurrentValue = printf " To get the current value:\n\n        %s\n" (include "common.utils.secret.getvalue" .) -}}
+    {{- end -}}
+    {{- printf "\n    '%s' must not be empty, please add '--set %s%s=$%s' to the command.%s" .valueKey $subchart .valueKey $varname $getCurrentValue -}}
+  {{- end -}}
+{{- end -}}
diff --git a/helm/infrastructure/subcharts/kong/charts/postgresql/charts/common/values.yaml b/helm/infrastructure/subcharts/kong/charts/postgresql/charts/common/values.yaml
new file mode 100644 (file)
index 0000000..f2df68e
--- /dev/null
@@ -0,0 +1,5 @@
+## bitnami/common
+## It is required by CI/CD tools and processes.
+## @skip exampleValue
+##
+exampleValue: common-chart
diff --git a/helm/infrastructure/subcharts/kong/charts/postgresql/templates/NOTES.txt b/helm/infrastructure/subcharts/kong/charts/postgresql/templates/NOTES.txt
new file mode 100644 (file)
index 0000000..e0474d4
--- /dev/null
@@ -0,0 +1,89 @@
+CHART NAME: {{ .Chart.Name }}
+CHART VERSION: {{ .Chart.Version }}
+APP VERSION: {{ .Chart.AppVersion }}
+
+** Please be patient while the chart is being deployed **
+
+{{- if .Values.diagnosticMode.enabled }}
+The chart has been deployed in diagnostic mode. All probes have been disabled and the command has been overwritten with:
+
+  command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 4 }}
+  args: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.args "context" $) | nindent 4 }}
+
+Get the list of pods by executing:
+
+  kubectl get pods --namespace {{ .Release.Namespace }} -l app.kubernetes.io/instance={{ .Release.Name }}
+
+Access the pod you want to debug by executing
+
+  kubectl exec --namespace {{ .Release.Namespace }} -ti <NAME OF THE POD> -- /opt/bitnami/scripts/postgresql/entrypoint.sh /bin/bash
+
+In order to replicate the container startup scripts execute this command:
+
+    /opt/bitnami/scripts/postgresql/entrypoint.sh /opt/bitnami/scripts/postgresql/run.sh
+
+{{- else }}
+
+PostgreSQL can be accessed via port {{ include "postgresql.service.port" . }} on the following DNS names from within your cluster:
+
+    {{ include "postgresql.primary.fullname" . }}.{{ .Release.Namespace }}.svc.cluster.local - Read/Write connection
+
+{{- if eq .Values.architecture "replication" }}
+
+    {{ include "postgresql.readReplica.fullname" . }}.{{ .Release.Namespace }}.svc.cluster.local - Read only connection
+
+{{- end }}
+
+{{- $customUser := include "postgresql.username" . }}
+{{- if and (not (empty $customUser)) (ne $customUser "postgres") .Values.auth.enablePostgresUser }}
+
+To get the password for "postgres" run:
+
+    export POSTGRES_ADMIN_PASSWORD=$(kubectl get secret --namespace {{ .Release.Namespace }} {{ include "postgresql.secretName" . }} -o jsonpath="{.data.postgres-password}" | base64 -d)
+
+To get the password for "{{ $customUser }}" run:
+
+    export POSTGRES_PASSWORD=$(kubectl get secret --namespace {{ .Release.Namespace }} {{ include "postgresql.secretName" . }} -o jsonpath="{.data.password}" | base64 -d)
+
+{{- else }}
+
+To get the password for "{{ default "postgres" $customUser }}" run:
+
+    export POSTGRES_PASSWORD=$(kubectl get secret --namespace {{ .Release.Namespace }} {{ include "postgresql.secretName" . }} -o jsonpath="{.data.{{ ternary "password" "postgres-password" (and (not (empty $customUser)) (ne $customUser "postgres")) }}}" | base64 -d)
+
+{{- end }}
+
+To connect to your database run the following command:
+
+    kubectl run {{ include "common.names.fullname" . }}-client --rm --tty -i --restart='Never' --namespace {{ .Release.Namespace }} --image {{ include "postgresql.image" . }} --env="PGPASSWORD=$POSTGRES_PASSWORD" \
+      --command -- psql --host {{ include "postgresql.primary.fullname" . }} -U {{ default "postgres" $customUser }} -d {{- if include "postgresql.database" . }} {{ include "postgresql.database" . }}{{- else }} postgres{{- end }} -p {{ include "postgresql.service.port" . }}
+
+    > NOTE: If you access the container using bash, make sure that you execute "/opt/bitnami/scripts/postgresql/entrypoint.sh /bin/bash" in order to avoid the error "psql: local user with ID {{ .Values.primary.containerSecurityContext.runAsUser }}} does not exist"
+
+To connect to your database from outside the cluster execute the following commands:
+
+{{- if contains "NodePort" .Values.primary.service.type }}
+
+    export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
+    export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "postgresql.primary.fullname" . }})
+    PGPASSWORD="$POSTGRES_PASSWORD" psql --host $NODE_IP --port $NODE_PORT -U {{ default "postgres" $customUser }} -d {{- if include "postgresql.database" . }} {{ include "postgresql.database" . }}{{- else }} postgres{{- end }}
+
+{{- else if contains "LoadBalancer" .Values.primary.service.type }}
+
+  NOTE: It may take a few minutes for the LoadBalancer IP to be available.
+        Watch the status with: 'kubectl get svc --namespace {{ .Release.Namespace }} -w {{ include "postgresql.primary.fullname" . }}'
+
+    export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "postgresql.primary.fullname" . }} --template "{{ "{{ range (index .status.loadBalancer.ingress 0) }}{{ . }}{{ end }}" }}")
+    PGPASSWORD="$POSTGRES_PASSWORD" psql --host $SERVICE_IP --port {{ include "postgresql.service.port" . }} -U {{ default "postgres" $customUser }} -d {{- if include "postgresql.database" . }} {{ include "postgresql.database" . }}{{- else }} postgres{{- end }}
+
+{{- else if contains "ClusterIP" .Values.primary.service.type }}
+
+    kubectl port-forward --namespace {{ .Release.Namespace }} svc/{{ include "postgresql.primary.fullname" . }} {{ include "postgresql.service.port" . }}:{{ include "postgresql.service.port" . }} &
+    PGPASSWORD="$POSTGRES_PASSWORD" psql --host 127.0.0.1 -U {{ default "postgres" $customUser }} -d {{- if include "postgresql.database" . }} {{ include "postgresql.database" . }}{{- else }} postgres{{- end }} -p {{ include "postgresql.service.port" . }}
+
+{{- end }}
+{{- end }}
+
+{{- include "postgresql.validateValues" . -}}
+{{- include "common.warnings.rollingTag" .Values.image -}}
+{{- include "common.warnings.rollingTag" .Values.volumePermissions.image }}
diff --git a/helm/infrastructure/subcharts/kong/charts/postgresql/templates/_helpers.tpl b/helm/infrastructure/subcharts/kong/charts/postgresql/templates/_helpers.tpl
new file mode 100644 (file)
index 0000000..fe123f5
--- /dev/null
@@ -0,0 +1,399 @@
+{{/* vim: set filetype=mustache: */}}
+
+{{/*
+Create a default fully qualified app name for PostgreSQL Primary objects
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+*/}}
+{{- define "postgresql.primary.fullname" -}}
+{{- if eq .Values.architecture "replication" }}
+    {{- printf "%s-%s" (include "common.names.fullname" .) .Values.primary.name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+    {{- include "common.names.fullname" . -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name for PostgreSQL read-only replicas objects
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+*/}}
+{{- define "postgresql.readReplica.fullname" -}}
+{{- printf "%s-%s" (include "common.names.fullname" .) .Values.readReplicas.name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create the default FQDN for PostgreSQL primary headless service
+We truncate at 63 chars because of the DNS naming spec.
+*/}}
+{{- define "postgresql.primary.svc.headless" -}}
+{{- printf "%s-hl" (include "postgresql.primary.fullname" .) | trunc 63 | trimSuffix "-" }}
+{{- end -}}
+
+{{/*
+Create the default FQDN for PostgreSQL read-only replicas headless service
+We truncate at 63 chars because of the DNS naming spec.
+*/}}
+{{- define "postgresql.readReplica.svc.headless" -}}
+{{- printf "%s-hl" (include "postgresql.readReplica.fullname" .) | trunc 63 | trimSuffix "-" }}
+{{- end -}}
+
+{{/*
+Return the proper PostgreSQL image name
+*/}}
+{{- define "postgresql.image" -}}
+{{ include "common.images.image" (dict "imageRoot" .Values.image "global" .Values.global) }}
+{{- end -}}
+
+{{/*
+Return the proper PostgreSQL metrics image name
+*/}}
+{{- define "postgresql.metrics.image" -}}
+{{ include "common.images.image" (dict "imageRoot" .Values.metrics.image "global" .Values.global) }}
+{{- end -}}
+
+{{/*
+Return the proper image name (for the init container volume-permissions image)
+*/}}
+{{- define "postgresql.volumePermissions.image" -}}
+{{ include "common.images.image" (dict "imageRoot" .Values.volumePermissions.image "global" .Values.global) }}
+{{- end -}}
+
+{{/*
+Return the proper Docker Image Registry Secret Names
+*/}}
+{{- define "postgresql.imagePullSecrets" -}}
+{{ include "common.images.pullSecrets" (dict "images" (list .Values.image .Values.metrics.image .Values.volumePermissions.image) "global" .Values.global) }}
+{{- end -}}
+
+{{/*
+Return the name for a custom user to create
+*/}}
+{{- define "postgresql.username" -}}
+{{- if .Values.global.postgresql.auth.username }}
+    {{- .Values.global.postgresql.auth.username -}}
+{{- else -}}
+    {{- .Values.auth.username -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Return the name for a custom database to create
+*/}}
+{{- define "postgresql.database" -}}
+{{- if .Values.global.postgresql.auth.database }}
+    {{- .Values.global.postgresql.auth.database -}}
+{{- else if .Values.auth.database -}}
+    {{- .Values.auth.database -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Get the password secret.
+*/}}
+{{- define "postgresql.secretName" -}}
+{{- if .Values.global.postgresql.auth.existingSecret }}
+    {{- printf "%s" (tpl .Values.global.postgresql.auth.existingSecret $) -}}
+{{- else if .Values.auth.existingSecret -}}
+    {{- printf "%s" (tpl .Values.auth.existingSecret $) -}}
+{{- else -}}
+    {{- printf "%s" (include "common.names.fullname" .) -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Get the replication-password key.
+*/}}
+{{- define "postgresql.replicationPasswordKey" -}}
+{{- if or .Values.global.postgresql.auth.existingSecret .Values.auth.existingSecret }}
+    {{- if .Values.global.postgresql.auth.secretKeys.replicationPasswordKey }}
+        {{- printf "%s" (tpl .Values.global.postgresql.auth.secretKeys.replicationPasswordKey $) -}}
+    {{- else if .Values.auth.secretKeys.replicationPasswordKey -}}
+        {{- printf "%s" (tpl .Values.auth.secretKeys.replicationPasswordKey $) -}}
+    {{- else -}}
+        {{- "replication-password" -}}
+    {{- end -}}
+{{- else -}}
+    {{- "replication-password" -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Get the admin-password key.
+*/}}
+{{- define "postgresql.adminPasswordKey" -}}
+{{- if or .Values.global.postgresql.auth.existingSecret .Values.auth.existingSecret }}
+    {{- if .Values.global.postgresql.auth.secretKeys.adminPasswordKey }}
+        {{- printf "%s" (tpl .Values.global.postgresql.auth.secretKeys.adminPasswordKey $) -}}
+    {{- else if .Values.auth.secretKeys.adminPasswordKey -}}
+        {{- printf "%s" (tpl .Values.auth.secretKeys.adminPasswordKey $) -}}
+    {{- end -}}
+{{- else -}}
+    {{- "postgres-password" -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Get the user-password key.
+*/}}
+{{- define "postgresql.userPasswordKey" -}}
+{{- if or .Values.global.postgresql.auth.existingSecret .Values.auth.existingSecret }}
+    {{- if or (empty (include "postgresql.username" .)) (eq (include "postgresql.username" .) "postgres") }}
+        {{- printf "%s" (include "postgresql.adminPasswordKey" .) -}}
+    {{- else -}}
+        {{- if .Values.global.postgresql.auth.secretKeys.userPasswordKey }}
+            {{- printf "%s" (tpl .Values.global.postgresql.auth.secretKeys.userPasswordKey $) -}}
+        {{- else if .Values.auth.secretKeys.userPasswordKey -}}
+            {{- printf "%s" (tpl .Values.auth.secretKeys.userPasswordKey $) -}}
+        {{- end -}}
+    {{- end -}}
+{{- else -}}
+    {{- ternary "password" "postgres-password" (and (not (empty (include "postgresql.username" .))) (ne (include "postgresql.username" .) "postgres")) -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Return true if a secret object should be created
+*/}}
+{{- define "postgresql.createSecret" -}}
+{{- if not (or .Values.global.postgresql.auth.existingSecret .Values.auth.existingSecret) -}}
+    {{- true -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Return PostgreSQL service port
+*/}}
+{{- define "postgresql.service.port" -}}
+{{- if .Values.global.postgresql.service.ports.postgresql }}
+    {{- .Values.global.postgresql.service.ports.postgresql -}}
+{{- else -}}
+    {{- .Values.primary.service.ports.postgresql -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Return PostgreSQL service port
+*/}}
+{{- define "postgresql.readReplica.service.port" -}}
+{{- if .Values.global.postgresql.service.ports.postgresql }}
+    {{- .Values.global.postgresql.service.ports.postgresql -}}
+{{- else -}}
+    {{- .Values.readReplicas.service.ports.postgresql -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Get the PostgreSQL primary configuration ConfigMap name.
+*/}}
+{{- define "postgresql.primary.configmapName" -}}
+{{- if .Values.primary.existingConfigmap -}}
+    {{- printf "%s" (tpl .Values.primary.existingConfigmap $) -}}
+{{- else -}}
+    {{- printf "%s-configuration" (include "postgresql.primary.fullname" .) -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Return true if a configmap object should be created for PostgreSQL primary with the configuration
+*/}}
+{{- define "postgresql.primary.createConfigmap" -}}
+{{- if and (or .Values.primary.configuration .Values.primary.pgHbaConfiguration) (not .Values.primary.existingConfigmap) }}
+    {{- true -}}
+{{- else -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Get the PostgreSQL primary extended configuration ConfigMap name.
+*/}}
+{{- define "postgresql.primary.extendedConfigmapName" -}}
+{{- if .Values.primary.existingExtendedConfigmap -}}
+    {{- printf "%s" (tpl .Values.primary.existingExtendedConfigmap $) -}}
+{{- else -}}
+    {{- printf "%s-extended-configuration" (include "postgresql.primary.fullname" .) -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Get the PostgreSQL read replica extended configuration ConfigMap name.
+*/}}
+{{- define "postgresql.readReplicas.extendedConfigmapName" -}}
+    {{- printf "%s-extended-configuration" (include "postgresql.readReplica.fullname" .) -}}
+{{- end -}}
+
+{{/*
+Return true if a configmap object should be created for PostgreSQL primary with the extended configuration
+*/}}
+{{- define "postgresql.primary.createExtendedConfigmap" -}}
+{{- if and .Values.primary.extendedConfiguration (not .Values.primary.existingExtendedConfigmap) }}
+    {{- true -}}
+{{- else -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Return true if a configmap object should be created for PostgreSQL read replica with the extended configuration
+*/}}
+{{- define "postgresql.readReplicas.createExtendedConfigmap" -}}
+{{- if .Values.readReplicas.extendedConfiguration }}
+    {{- true -}}
+{{- else -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+ Create the name of the service account to use
+ */}}
+{{- define "postgresql.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create -}}
+    {{ default (include "common.names.fullname" .) .Values.serviceAccount.name }}
+{{- else -}}
+    {{ default "default" .Values.serviceAccount.name }}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Return true if a configmap should be mounted with PostgreSQL configuration
+*/}}
+{{- define "postgresql.mountConfigurationCM" -}}
+{{- if or .Values.primary.configuration .Values.primary.pgHbaConfiguration .Values.primary.existingConfigmap }}
+    {{- true -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Get the initialization scripts ConfigMap name.
+*/}}
+{{- define "postgresql.initdb.scriptsCM" -}}
+{{- if .Values.primary.initdb.scriptsConfigMap -}}
+    {{- printf "%s" (tpl .Values.primary.initdb.scriptsConfigMap $) -}}
+{{- else -}}
+    {{- printf "%s-init-scripts" (include "postgresql.primary.fullname" .) -}}
+{{- end -}}
+{{- end -}}
+
+{/*
+Return true if TLS is enabled for LDAP connection
+*/}}
+{{- define "postgresql.ldap.tls.enabled" -}}
+{{- if and (kindIs "string" .Values.ldap.tls) (not (empty .Values.ldap.tls)) }}
+    {{- true -}}
+{{- else if and (kindIs "map" .Values.ldap.tls) .Values.ldap.tls.enabled }}
+    {{- true -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Get the readiness probe command
+*/}}
+{{- define "postgresql.readinessProbeCommand" -}}
+{{- $customUser := include "postgresql.username" . }}
+- |
+{{- if (include "postgresql.database" .) }}
+  exec pg_isready -U {{ default "postgres" $customUser | quote }} -d "dbname={{ include "postgresql.database" . }} {{- if .Values.tls.enabled }} sslcert={{ include "postgresql.tlsCert" . }} sslkey={{ include "postgresql.tlsCertKey" . }}{{- end }}" -h 127.0.0.1 -p {{ .Values.containerPorts.postgresql }}
+{{- else }}
+  exec pg_isready -U {{ default "postgres" $customUser | quote }} {{- if .Values.tls.enabled }} -d "sslcert={{ include "postgresql.tlsCert" . }} sslkey={{ include "postgresql.tlsCertKey" . }}"{{- end }} -h 127.0.0.1 -p {{ .Values.containerPorts.postgresql }}
+{{- end }}
+{{- if contains "bitnami/" .Values.image.repository }}
+  [ -f /opt/bitnami/postgresql/tmp/.initialized ] || [ -f /bitnami/postgresql/.initialized ]
+{{- end -}}
+{{- end -}}
+
+{{/*
+Compile all warnings into a single message, and call fail.
+*/}}
+{{- define "postgresql.validateValues" -}}
+{{- $messages := list -}}
+{{- $messages := append $messages (include "postgresql.validateValues.ldapConfigurationMethod" .) -}}
+{{- $messages := append $messages (include "postgresql.validateValues.psp" .) -}}
+{{- $messages := without $messages "" -}}
+{{- $message := join "\n" $messages -}}
+
+{{- if $message -}}
+{{- printf "\nVALUES VALIDATION:\n%s" $message | fail -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Validate values of Postgresql - If ldap.url is used then you don't need the other settings for ldap
+*/}}
+{{- define "postgresql.validateValues.ldapConfigurationMethod" -}}
+{{- if and .Values.ldap.enabled (and (not (empty .Values.ldap.url)) (not (empty .Values.ldap.server))) }}
+postgresql: ldap.url, ldap.server
+    You cannot set both `ldap.url` and `ldap.server` at the same time.
+    Please provide a unique way to configure LDAP.
+    More info at https://www.postgresql.org/docs/current/auth-ldap.html
+{{- end -}}
+{{- end -}}
+
+{{/*
+Validate values of Postgresql - If PSP is enabled RBAC should be enabled too
+*/}}
+{{- define "postgresql.validateValues.psp" -}}
+{{- if and .Values.psp.create (not .Values.rbac.create) }}
+postgresql: psp.create, rbac.create
+    RBAC should be enabled if PSP is enabled in order for PSP to work.
+    More info at https://kubernetes.io/docs/concepts/policy/pod-security-policy/#authorizing-policies
+{{- end -}}
+{{- end -}}
+
+{{/*
+Return the path to the cert file.
+*/}}
+{{- define "postgresql.tlsCert" -}}
+{{- if .Values.tls.autoGenerated }}
+    {{- printf "/opt/bitnami/postgresql/certs/tls.crt" -}}
+{{- else -}}
+    {{- required "Certificate filename is required when TLS in enabled" .Values.tls.certFilename | printf "/opt/bitnami/postgresql/certs/%s" -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Return the path to the cert key file.
+*/}}
+{{- define "postgresql.tlsCertKey" -}}
+{{- if .Values.tls.autoGenerated }}
+    {{- printf "/opt/bitnami/postgresql/certs/tls.key" -}}
+{{- else -}}
+{{- required "Certificate Key filename is required when TLS in enabled" .Values.tls.certKeyFilename | printf "/opt/bitnami/postgresql/certs/%s" -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Return the path to the CA cert file.
+*/}}
+{{- define "postgresql.tlsCACert" -}}
+{{- if .Values.tls.autoGenerated }}
+    {{- printf "/opt/bitnami/postgresql/certs/ca.crt" -}}
+{{- else -}}
+    {{- printf "/opt/bitnami/postgresql/certs/%s" .Values.tls.certCAFilename -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Return the path to the CRL file.
+*/}}
+{{- define "postgresql.tlsCRL" -}}
+{{- if .Values.tls.crlFilename -}}
+{{- printf "/opt/bitnami/postgresql/certs/%s" .Values.tls.crlFilename -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Return true if a TLS credentials secret object should be created
+*/}}
+{{- define "postgresql.createTlsSecret" -}}
+{{- if and .Values.tls.autoGenerated (not .Values.tls.certificatesSecret) }}
+    {{- true -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Return the path to the CA cert file.
+*/}}
+{{- define "postgresql.tlsSecretName" -}}
+{{- if .Values.tls.autoGenerated }}
+    {{- printf "%s-crt" (include "common.names.fullname" .) -}}
+{{- else -}}
+    {{ required "A secret containing TLS certificates is required when TLS is enabled" .Values.tls.certificatesSecret }}
+{{- end -}}
+{{- end -}}
diff --git a/helm/infrastructure/subcharts/kong/charts/postgresql/templates/extra-list.yaml b/helm/infrastructure/subcharts/kong/charts/postgresql/templates/extra-list.yaml
new file mode 100644 (file)
index 0000000..9ac65f9
--- /dev/null
@@ -0,0 +1,4 @@
+{{- range .Values.extraDeploy }}
+---
+{{ include "common.tplvalues.render" (dict "value" . "context" $) }}
+{{- end }}
diff --git a/helm/infrastructure/subcharts/kong/charts/postgresql/templates/networkpolicy-egress.yaml b/helm/infrastructure/subcharts/kong/charts/postgresql/templates/networkpolicy-egress.yaml
new file mode 100644 (file)
index 0000000..e862147
--- /dev/null
@@ -0,0 +1,32 @@
+{{- if and .Values.networkPolicy.enabled (or .Values.networkPolicy.egressRules.denyConnectionsToExternal .Values.networkPolicy.egressRules.customRules) }}
+apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }}
+kind: NetworkPolicy
+metadata:
+  name: {{ printf "%s-egress" (include "common.names.fullname" .) }}
+  namespace: {{ .Release.Namespace }}
+  labels: {{- include "common.labels.standard" . | nindent 4 }}
+    {{- if .Values.commonLabels }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
+    {{- end }}
+  {{- if .Values.commonAnnotations }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+  {{- end }}
+spec:
+  podSelector:
+    matchLabels: {{- include "common.labels.matchLabels" . | nindent 6 }}
+  policyTypes:
+    - Egress
+  egress:
+    {{- if .Values.networkPolicy.egressRules.denyConnectionsToExternal }}
+    - ports:
+        - port: 53
+          protocol: UDP
+        - port: 53
+          protocol: TCP
+    - to:
+        - namespaceSelector: {}
+    {{- end }}
+    {{- if .Values.networkPolicy.egressRules.customRules }}
+    {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.egressRules.customRules "context" $) | nindent 4 }}
+    {{- end }}
+{{- end }}
diff --git a/helm/infrastructure/subcharts/kong/charts/postgresql/templates/primary/configmap.yaml b/helm/infrastructure/subcharts/kong/charts/postgresql/templates/primary/configmap.yaml
new file mode 100644 (file)
index 0000000..d654a22
--- /dev/null
@@ -0,0 +1,24 @@
+{{- if (include "postgresql.primary.createConfigmap" .) }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ printf "%s-configuration" (include "postgresql.primary.fullname" .) }}
+  namespace: {{ .Release.Namespace | quote }}
+  labels: {{- include "common.labels.standard" . | nindent 4 }}
+    app.kubernetes.io/component: primary
+    {{- if .Values.commonLabels }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
+    {{- end }}
+  {{- if .Values.commonAnnotations }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+  {{- end }}
+data:
+  {{- if .Values.primary.configuration }}
+  postgresql.conf: |-
+    {{- include "common.tplvalues.render" ( dict "value" .Values.primary.configuration "context" $ ) | nindent 4 }}
+  {{- end }}
+  {{- if .Values.primary.pgHbaConfiguration }}
+  pg_hba.conf: |
+    {{- include "common.tplvalues.render" ( dict "value" .Values.primary.pgHbaConfiguration "context" $ ) | nindent 4 }}
+  {{- end }}
+{{- end }}
diff --git a/helm/infrastructure/subcharts/kong/charts/postgresql/templates/primary/extended-configmap.yaml b/helm/infrastructure/subcharts/kong/charts/postgresql/templates/primary/extended-configmap.yaml
new file mode 100644 (file)
index 0000000..d129bd3
--- /dev/null
@@ -0,0 +1,18 @@
+{{- if (include "postgresql.primary.createExtendedConfigmap" .) }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ printf "%s-extended-configuration" (include "postgresql.primary.fullname" .) }}
+  namespace: {{ .Release.Namespace | quote }}
+  labels: {{- include "common.labels.standard" . | nindent 4 }}
+    app.kubernetes.io/component: primary
+    {{- if .Values.commonLabels }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
+    {{- end }}
+  {{- if .Values.commonAnnotations }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+  {{- end }}
+data:
+  override.conf: |-
+    {{- include "common.tplvalues.render" ( dict "value" .Values.primary.extendedConfiguration "context" $ ) | nindent 4 }}
+{{- end }}
diff --git a/helm/infrastructure/subcharts/kong/charts/postgresql/templates/primary/initialization-configmap.yaml b/helm/infrastructure/subcharts/kong/charts/postgresql/templates/primary/initialization-configmap.yaml
new file mode 100644 (file)
index 0000000..d3d26cb
--- /dev/null
@@ -0,0 +1,15 @@
+{{- if and .Values.primary.initdb.scripts (not .Values.primary.initdb.scriptsConfigMap) }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ printf "%s-init-scripts" (include "postgresql.primary.fullname" .) }}
+  namespace: {{ .Release.Namespace | quote }}
+  labels: {{- include "common.labels.standard" . | nindent 4 }}
+    {{- if .Values.commonLabels }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
+    {{- end }}
+  {{- if .Values.commonAnnotations }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+  {{- end }}
+data: {{- include "common.tplvalues.render" (dict "value" .Values.primary.initdb.scripts "context" .) | nindent 2 }}
+{{- end }}
diff --git a/helm/infrastructure/subcharts/kong/charts/postgresql/templates/primary/metrics-configmap.yaml b/helm/infrastructure/subcharts/kong/charts/postgresql/templates/primary/metrics-configmap.yaml
new file mode 100644 (file)
index 0000000..8ad2f35
--- /dev/null
@@ -0,0 +1,16 @@
+{{- if and .Values.metrics.enabled .Values.metrics.customMetrics }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ printf "%s-metrics" (include "postgresql.primary.fullname" .) }}
+  namespace: {{ .Release.Namespace | quote }}
+  labels: {{- include "common.labels.standard" . | nindent 4 }}
+    {{- if .Values.commonLabels }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
+    {{- end }}
+  {{- if .Values.commonAnnotations }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+  {{- end }}
+data:
+  custom-metrics.yaml: {{ toYaml .Values.metrics.customMetrics | quote }}
+{{- end }}
diff --git a/helm/infrastructure/subcharts/kong/charts/postgresql/templates/primary/metrics-svc.yaml b/helm/infrastructure/subcharts/kong/charts/postgresql/templates/primary/metrics-svc.yaml
new file mode 100644 (file)
index 0000000..75a1b81
--- /dev/null
@@ -0,0 +1,31 @@
+{{- if .Values.metrics.enabled }}
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ printf "%s-metrics" (include "postgresql.primary.fullname" .) }}
+  namespace: {{ .Release.Namespace | quote }}
+  labels: {{- include "common.labels.standard" . | nindent 4 }}
+    app.kubernetes.io/component: metrics
+    {{- if .Values.commonLabels }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
+    {{- end }}
+  annotations:
+    {{- if .Values.commonAnnotations }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+    {{- end }}
+    {{- if .Values.metrics.service.annotations }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.service.annotations "context" $ ) | nindent 4 }}
+    {{- end }}
+spec:
+  type: ClusterIP
+  sessionAffinity: {{ .Values.metrics.service.sessionAffinity }}
+  {{- if .Values.metrics.service.clusterIP }}
+  clusterIP: {{ .Values.metrics.service.clusterIP }}
+  {{- end }}
+  ports:
+    - name: http-metrics
+      port: {{ .Values.metrics.service.ports.metrics }}
+      targetPort: http-metrics
+  selector: {{- include "common.labels.matchLabels" . | nindent 4 }}
+    app.kubernetes.io/component: primary
+{{- end }}
diff --git a/helm/infrastructure/subcharts/kong/charts/postgresql/templates/primary/networkpolicy.yaml b/helm/infrastructure/subcharts/kong/charts/postgresql/templates/primary/networkpolicy.yaml
new file mode 100644 (file)
index 0000000..ce0052d
--- /dev/null
@@ -0,0 +1,57 @@
+{{- if and .Values.networkPolicy.enabled (or .Values.networkPolicy.metrics.enabled .Values.networkPolicy.ingressRules.primaryAccessOnlyFrom.enabled) }}
+apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }}
+kind: NetworkPolicy
+metadata:
+  name: {{ printf "%s-ingress" (include "postgresql.primary.fullname" .) }}
+  namespace: {{ .Release.Namespace | quote }}
+  labels: {{- include "common.labels.standard" . | nindent 4 }}
+    app.kubernetes.io/component: primary
+    {{- if .Values.commonLabels }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
+    {{- end }}
+  {{- if .Values.commonAnnotations }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+  {{- end }}
+spec:
+  podSelector:
+    matchLabels: {{- include "common.labels.matchLabels" . | nindent 6 }}
+      app.kubernetes.io/component: primary
+  ingress:
+    {{- if and .Values.metrics.enabled .Values.networkPolicy.metrics.enabled (or .Values.networkPolicy.metrics.namespaceSelector .Values.networkPolicy.metrics.podSelector) }}
+    - from:
+        {{- if .Values.networkPolicy.metrics.namespaceSelector }}
+        - namespaceSelector:
+            matchLabels: {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.metrics.namespaceSelector "context" $) | nindent 14 }}
+        {{- end }}
+        {{- if .Values.networkPolicy.metrics.podSelector }}
+        - podSelector:
+            matchLabels: {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.metrics.podSelector "context" $) | nindent 14 }}
+        {{- end }}
+      ports:
+        - port: {{ .Values.metrics.containerPorts.metrics }}
+    {{- end }}
+    {{- if and .Values.networkPolicy.ingressRules.primaryAccessOnlyFrom.enabled (or .Values.networkPolicy.ingressRules.primaryAccessOnlyFrom.namespaceSelector .Values.networkPolicy.ingressRules.primaryAccessOnlyFrom.podSelector) }}
+    - from:
+        {{- if .Values.networkPolicy.ingressRules.primaryAccessOnlyFrom.namespaceSelector }}
+        - namespaceSelector:
+            matchLabels: {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.ingressRules.primaryAccessOnlyFrom.namespaceSelector "context" $) | nindent 14 }}
+        {{- end }}
+        {{- if .Values.networkPolicy.ingressRules.primaryAccessOnlyFrom.podSelector }}
+        - podSelector:
+            matchLabels: {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.ingressRules.primaryAccessOnlyFrom.podSelector "context" $) | nindent 14 }}
+        {{- end }}
+      ports:
+        - port: {{ .Values.containerPorts.postgresql }}
+    {{- end }}
+    {{- if and .Values.networkPolicy.ingressRules.primaryAccessOnlyFrom.enabled (eq .Values.architecture "replication") }}
+    - from:
+        - podSelector:
+            matchLabels: {{- include "common.labels.matchLabels" . | nindent 14 }}
+              app.kubernetes.io/component: read
+      ports:
+        - port: {{ .Values.containerPorts.postgresql }}
+    {{- end }}
+    {{- if .Values.networkPolicy.ingressRules.primaryAccessOnlyFrom.customRules }}
+    {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.ingressRules.primaryAccessOnlyFrom.customRules "context" $) | nindent 4 }}
+    {{- end }}
+{{- end }}
diff --git a/helm/infrastructure/subcharts/kong/charts/postgresql/templates/primary/servicemonitor.yaml b/helm/infrastructure/subcharts/kong/charts/postgresql/templates/primary/servicemonitor.yaml
new file mode 100644 (file)
index 0000000..c4a19fe
--- /dev/null
@@ -0,0 +1,48 @@
+{{- if and .Values.metrics.enabled .Values.metrics.serviceMonitor.enabled }}
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: {{ include "postgresql.primary.fullname" . }}
+  namespace: {{ default .Release.Namespace .Values.metrics.serviceMonitor.namespace | quote }}
+  labels: {{- include "common.labels.standard" . | nindent 4 }}
+    app.kubernetes.io/component: metrics
+    {{- if .Values.metrics.serviceMonitor.labels }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.serviceMonitor.labels "context" $ ) | nindent 4 }}
+    {{- end }}
+    {{- if .Values.commonLabels }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
+    {{- end }}
+  {{- if .Values.commonAnnotations }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+  {{- end }}
+spec:
+  {{- if .Values.metrics.serviceMonitor.jobLabel }}
+  jobLabel: {{ .Values.metrics.serviceMonitor.jobLabel }}
+  {{- end }}
+  selector:
+    matchLabels: {{- include "common.labels.matchLabels" . | nindent 6 }}
+      {{- if .Values.metrics.serviceMonitor.selector }}
+      {{- include "common.tplvalues.render" (dict "value" .Values.metrics.serviceMonitor.selector "context" $) | nindent 6 }}
+      {{- end }}
+      app.kubernetes.io/component: metrics
+  endpoints:
+    - port: http-metrics
+      {{- if .Values.metrics.serviceMonitor.interval }}
+      interval: {{ .Values.metrics.serviceMonitor.interval }}
+      {{- end }}
+      {{- if .Values.metrics.serviceMonitor.scrapeTimeout }}
+      scrapeTimeout: {{ .Values.metrics.serviceMonitor.scrapeTimeout }}
+      {{- end }}
+      {{- if .Values.metrics.serviceMonitor.relabelings }}
+      relabelings: {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.serviceMonitor.relabelings "context" $) | nindent 6 }}
+      {{- end }}
+      {{- if .Values.metrics.serviceMonitor.metricRelabelings }}
+      metricRelabelings: {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.serviceMonitor.metricRelabelings "context" $) | nindent 6 }}
+      {{- end }}
+      {{- if .Values.metrics.serviceMonitor.honorLabels }}
+      honorLabels: {{ .Values.metrics.serviceMonitor.honorLabels }}
+      {{- end }}
+  namespaceSelector:
+    matchNames:
+      - {{ .Release.Namespace | quote }}
+{{- end }}
diff --git a/helm/infrastructure/subcharts/kong/charts/postgresql/templates/primary/statefulset.yaml b/helm/infrastructure/subcharts/kong/charts/postgresql/templates/primary/statefulset.yaml
new file mode 100644 (file)
index 0000000..3fd77f4
--- /dev/null
@@ -0,0 +1,634 @@
+{{- $customUser := include "postgresql.username" . }}
+apiVersion: {{ include "common.capabilities.statefulset.apiVersion" . }}
+kind: StatefulSet
+metadata:
+  name: {{ include "postgresql.primary.fullname" . }}
+  namespace: {{ .Release.Namespace | quote }}
+  labels: {{- include "common.labels.standard" . | nindent 4 }}
+    app.kubernetes.io/component: primary
+    {{- if .Values.commonLabels }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
+    {{- end }}
+    {{- if .Values.primary.labels }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.primary.labels "context" $ ) | nindent 4 }}
+    {{- end }}
+  annotations:
+    {{- if .Values.commonAnnotations }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+    {{- end }}
+    {{- if .Values.primary.annotations }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.primary.annotations "context" $ ) | nindent 4 }}
+    {{- end }}
+spec:
+  replicas: 1
+  serviceName: {{ include "postgresql.primary.svc.headless" . }}
+  {{- if .Values.primary.updateStrategy }}
+  updateStrategy: {{- toYaml .Values.primary.updateStrategy | nindent 4 }}
+  {{- end }}
+  selector:
+    matchLabels: {{- include "common.labels.matchLabels" . | nindent 6 }}
+      app.kubernetes.io/component: primary
+  template:
+    metadata:
+      name: {{ include "postgresql.primary.fullname" . }}
+      labels: {{- include "common.labels.standard" . | nindent 8 }}
+        app.kubernetes.io/component: primary
+        {{- if .Values.commonLabels }}
+        {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 8 }}
+        {{- end }}
+        {{- if .Values.primary.podLabels }}
+        {{- include "common.tplvalues.render" ( dict "value" .Values.primary.podLabels "context" $ ) | nindent 8 }}
+        {{- end }}
+      annotations:
+        {{- if (include "postgresql.primary.createConfigmap" .) }}
+        checksum/configuration: {{ include (print $.Template.BasePath "/primary/configmap.yaml") . | sha256sum }}
+        {{- end }}
+        {{- if (include "postgresql.primary.createExtendedConfigmap" .) }}
+        checksum/extended-configuration: {{ include (print $.Template.BasePath "/primary/extended-configmap.yaml") . | sha256sum }}
+        {{- end }}
+        {{- if .Values.primary.podAnnotations }}
+        {{- include "common.tplvalues.render" ( dict "value" .Values.primary.podAnnotations "context" $ ) | nindent 8 }}
+        {{- end }}
+    spec:
+      {{- if .Values.primary.extraPodSpec }}
+      {{- include "common.tplvalues.render" (dict "value" .Values.primary.extraPodSpec "context" $) | nindent 6 }}
+      {{- end }}
+      serviceAccountName: {{ include "postgresql.serviceAccountName" . }}
+      {{- include "postgresql.imagePullSecrets" . | nindent 6 }}
+      {{- if .Values.primary.hostAliases }}
+      hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.primary.hostAliases "context" $) | nindent 8 }}
+      {{- end }}
+      {{- if .Values.primary.affinity }}
+      affinity: {{- include "common.tplvalues.render" (dict "value" .Values.primary.affinity "context" $) | nindent 8 }}
+      {{- else }}
+      affinity:
+        podAffinity: {{- include "common.affinities.pods" (dict "type" .Values.primary.podAffinityPreset "component" "primary" "context" $) | nindent 10 }}
+        podAntiAffinity: {{- include "common.affinities.pods" (dict "type" .Values.primary.podAntiAffinityPreset "component" "primary" "context" $) | nindent 10 }}
+        nodeAffinity: {{- include "common.affinities.nodes" (dict "type" .Values.primary.nodeAffinityPreset.type "key" .Values.primary.nodeAffinityPreset.key "values" .Values.primary.nodeAffinityPreset.values) | nindent 10 }}
+      {{- end }}
+      {{- if .Values.primary.nodeSelector }}
+      nodeSelector: {{- include "common.tplvalues.render" (dict "value" .Values.primary.nodeSelector "context" $) | nindent 8 }}
+      {{- end }}
+      {{- if .Values.primary.tolerations }}
+      tolerations: {{- include "common.tplvalues.render" (dict "value" .Values.primary.tolerations "context" $) | nindent 8 }}
+      {{- end }}
+      {{- if .Values.primary.topologySpreadConstraints }}
+      topologySpreadConstraints: {{- include "common.tplvalues.render" (dict "value" .Values.primary.topologySpreadConstraints "context" .) | nindent 8 }}
+      {{- end }}
+      {{- if .Values.primary.priorityClassName }}
+      priorityClassName: {{ .Values.primary.priorityClassName }}
+      {{- end }}
+      {{- if .Values.primary.schedulerName }}
+      schedulerName: {{ .Values.primary.schedulerName | quote }}
+      {{- end }}
+      {{- if .Values.primary.terminationGracePeriodSeconds }}
+      terminationGracePeriodSeconds: {{ .Values.primary.terminationGracePeriodSeconds }}
+      {{- end }}
+      {{- if .Values.primary.podSecurityContext.enabled }}
+      securityContext: {{- omit .Values.primary.podSecurityContext "enabled" | toYaml | nindent 8 }}
+      {{- end }}
+      hostNetwork: {{ .Values.primary.hostNetwork }}
+      hostIPC: {{ .Values.primary.hostIPC }}
+      initContainers:
+        {{- if and .Values.tls.enabled (not .Values.volumePermissions.enabled) }}
+        - name: copy-certs
+          image: {{ include "postgresql.volumePermissions.image" . }}
+          imagePullPolicy: {{ .Values.volumePermissions.image.pullPolicy | quote }}
+          {{- if .Values.primary.resources }}
+          resources: {{- toYaml .Values.primary.resources | nindent 12 }}
+          {{- end }}
+          # We don't require a privileged container in this case
+          {{- if .Values.primary.containerSecurityContext.enabled }}
+          securityContext: {{- omit .Values.primary.containerSecurityContext "enabled" | toYaml | nindent 12 }}
+          {{- end }}
+          command:
+            - /bin/sh
+            - -ec
+            - |
+              cp /tmp/certs/* /opt/bitnami/postgresql/certs/
+              chmod 600 {{ include "postgresql.tlsCertKey" . }}
+          volumeMounts:
+            - name: raw-certificates
+              mountPath: /tmp/certs
+            - name: postgresql-certificates
+              mountPath: /opt/bitnami/postgresql/certs
+        {{- else if and .Values.volumePermissions.enabled (or .Values.primary.persistence.enabled .Values.shmVolume.enabled) }}
+        - name: init-chmod-data
+          image: {{ include "postgresql.volumePermissions.image" . }}
+          imagePullPolicy: {{ .Values.volumePermissions.image.pullPolicy | quote }}
+          {{- if .Values.volumePermissions.resources }}
+          resources: {{- toYaml .Values.volumePermissions.resources | nindent 12 }}
+          {{- end }}
+          command:
+            - /bin/sh
+            - -ec
+            - |
+              {{- if .Values.primary.persistence.enabled }}
+              {{- if eq ( toString ( .Values.volumePermissions.containerSecurityContext.runAsUser )) "auto" }}
+              chown `id -u`:`id -G | cut -d " " -f2` {{ .Values.primary.persistence.mountPath }}
+              {{- else }}
+              chown {{ .Values.primary.containerSecurityContext.runAsUser }}:{{ .Values.primary.podSecurityContext.fsGroup }} {{ .Values.primary.persistence.mountPath }}
+              {{- end }}
+              mkdir -p {{ .Values.primary.persistence.mountPath }}/data {{- if (include "postgresql.mountConfigurationCM" .) }} {{ .Values.primary.persistence.mountPath }}/conf {{- end }}
+              chmod 700 {{ .Values.primary.persistence.mountPath }}/data {{- if (include "postgresql.mountConfigurationCM" .) }} {{ .Values.primary.persistence.mountPath }}/conf {{- end }}
+              find {{ .Values.primary.persistence.mountPath }} -mindepth 1 -maxdepth 1 {{- if not (include "postgresql.mountConfigurationCM" .) }} -not -name "conf" {{- end }} -not -name ".snapshot" -not -name "lost+found" | \
+              {{- if eq ( toString ( .Values.volumePermissions.containerSecurityContext.runAsUser )) "auto" }}
+                xargs -r chown -R `id -u`:`id -G | cut -d " " -f2`
+              {{- else }}
+                xargs -r chown -R {{ .Values.primary.containerSecurityContext.runAsUser }}:{{ .Values.primary.podSecurityContext.fsGroup }}
+              {{- end }}
+              {{- end }}
+              {{- if .Values.shmVolume.enabled }}
+              chmod -R 777 /dev/shm
+              {{- end }}
+              {{- if .Values.tls.enabled }}
+              cp /tmp/certs/* /opt/bitnami/postgresql/certs/
+              {{- if eq ( toString ( .Values.volumePermissions.containerSecurityContext.runAsUser )) "auto" }}
+              chown -R `id -u`:`id -G | cut -d " " -f2` /opt/bitnami/postgresql/certs/
+              {{- else }}
+              chown -R {{ .Values.primary.containerSecurityContext.runAsUser }}:{{ .Values.primary.podSecurityContext.fsGroup }} /opt/bitnami/postgresql/certs/
+              {{- end }}
+              chmod 600 {{ include "postgresql.tlsCertKey" . }}
+              {{- end }}
+          {{- if eq ( toString ( .Values.volumePermissions.containerSecurityContext.runAsUser )) "auto" }}
+          securityContext: {{- omit .Values.volumePermissions.containerSecurityContext "runAsUser" | toYaml | nindent 12 }}
+          {{- else }}
+          securityContext: {{- .Values.volumePermissions.containerSecurityContext | toYaml | nindent 12 }}
+          {{- end }}
+          volumeMounts:
+            {{- if .Values.primary.persistence.enabled }}
+            - name: data
+              mountPath: {{ .Values.primary.persistence.mountPath }}
+              {{- if .Values.primary.persistence.subPath }}
+              subPath: {{ .Values.primary.persistence.subPath }}
+              {{- end }}
+            {{- end }}
+            {{- if .Values.shmVolume.enabled }}
+            - name: dshm
+              mountPath: /dev/shm
+            {{- end }}
+            {{- if .Values.tls.enabled }}
+            - name: raw-certificates
+              mountPath: /tmp/certs
+            - name: postgresql-certificates
+              mountPath: /opt/bitnami/postgresql/certs
+            {{- end }}
+        {{- end }}
+        {{- if .Values.primary.initContainers }}
+        {{- include "common.tplvalues.render" ( dict "value" .Values.primary.initContainers "context" $ ) | nindent 8 }}
+        {{- end }}
+      containers:
+        - name: postgresql
+          image: {{ include "postgresql.image" . }}
+          imagePullPolicy: {{ .Values.image.pullPolicy | quote }}
+          {{- if .Values.primary.containerSecurityContext.enabled }}
+          securityContext: {{- omit .Values.primary.containerSecurityContext "enabled" | toYaml | nindent 12 }}
+          {{- end }}
+          {{- if .Values.diagnosticMode.enabled }}
+          command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }}
+          {{- else if .Values.primary.command }}
+          command: {{- include "common.tplvalues.render" (dict "value" .Values.primary.command "context" $) | nindent 12 }}
+          {{- end }}
+          {{- if .Values.diagnosticMode.enabled }}
+          args: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.args "context" $) | nindent 12 }}
+          {{- else if .Values.primary.args }}
+          args: {{- include "common.tplvalues.render" (dict "value" .Values.primary.args "context" $) | nindent 12 }}
+          {{- end }}
+          env:
+            - name: BITNAMI_DEBUG
+              value: {{ ternary "true" "false" (or .Values.image.debug .Values.diagnosticMode.enabled) | quote }}
+            - name: POSTGRESQL_PORT_NUMBER
+              value: {{ .Values.containerPorts.postgresql | quote }}
+            - name: POSTGRESQL_VOLUME_DIR
+              value: {{ .Values.primary.persistence.mountPath | quote }}
+            {{- if .Values.primary.persistence.mountPath }}
+            - name: PGDATA
+              value: {{ .Values.postgresqlDataDir | quote }}
+            {{- end }}
+            # Authentication
+          {{- if and (not (empty $customUser)) (ne $customUser "postgres") }}
+            - name: POSTGRES_USER
+              value: {{ $customUser | quote }}
+            {{- if .Values.auth.enablePostgresUser }}
+            {{- if .Values.auth.usePasswordFiles }}
+            - name: POSTGRES_POSTGRES_PASSWORD_FILE
+              value: "/opt/bitnami/postgresql/secrets/postgres-password"
+            {{- else }}
+            - name: POSTGRES_POSTGRES_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: {{ include "postgresql.secretName" . }}
+                  key: {{ include "postgresql.adminPasswordKey" . }}
+            {{- end }}
+            {{- end }}
+          {{- end }}
+            {{- if .Values.auth.usePasswordFiles }}
+            - name: POSTGRES_PASSWORD_FILE
+              value: {{ printf "/opt/bitnami/postgresql/secrets/%s" (ternary "password" "postgres-password" (and (not (empty $customUser)) (ne $customUser "postgres"))) }}
+            {{- else }}
+            - name: POSTGRES_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: {{ include "postgresql.secretName" . }}
+                  key: {{ include "postgresql.userPasswordKey" . }}
+            {{- end }}
+            {{- if (include "postgresql.database" .) }}
+            - name: POSTGRES_DB
+              value: {{ (include "postgresql.database" .) | quote }}
+            {{- end }}
+            # Replication
+            {{- if or (eq .Values.architecture "replication") .Values.primary.standby.enabled }}
+            - name: POSTGRES_REPLICATION_MODE
+              value: {{ ternary "slave" "master" .Values.primary.standby.enabled | quote }}
+            - name: POSTGRES_REPLICATION_USER
+              value: {{ .Values.auth.replicationUsername | quote }}
+            {{- if .Values.auth.usePasswordFiles }}
+            - name: POSTGRES_REPLICATION_PASSWORD_FILE
+              value: "/opt/bitnami/postgresql/secrets/replication-password"
+            {{- else }}
+            - name: POSTGRES_REPLICATION_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: {{ include "postgresql.secretName" . }}
+                  key: {{ include "postgresql.replicationPasswordKey" . }}
+            {{- end }}
+            {{- if not (eq .Values.replication.synchronousCommit "off") }}
+            - name: POSTGRES_SYNCHRONOUS_COMMIT_MODE
+              value: {{ .Values.replication.synchronousCommit | quote }}
+            - name: POSTGRES_NUM_SYNCHRONOUS_REPLICAS
+              value: {{ .Values.replication.numSynchronousReplicas | quote }}
+            {{- end }}
+            - name: POSTGRES_CLUSTER_APP_NAME
+              value: {{ .Values.replication.applicationName }}
+            {{- end }}
+            # Initdb
+            {{- if .Values.primary.initdb.args }}
+            - name: POSTGRES_INITDB_ARGS
+              value: {{ .Values.primary.initdb.args | quote }}
+            {{- end }}
+            {{- if .Values.primary.initdb.postgresqlWalDir }}
+            - name: POSTGRES_INITDB_WALDIR
+              value: {{ .Values.primary.initdb.postgresqlWalDir | quote }}
+            {{- end }}
+            {{- if .Values.primary.initdb.user }}
+            - name: POSTGRESQL_INITSCRIPTS_USERNAME
+              value: {{ .Values.primary.initdb.user }}
+            {{- end }}
+            {{- if .Values.primary.initdb.password }}
+            - name: POSTGRESQL_INITSCRIPTS_PASSWORD
+              value: {{ .Values.primary.initdb.password | quote }}
+            {{- end }}
+            # Standby
+            {{- if .Values.primary.standby.enabled }}
+            - name: POSTGRES_MASTER_HOST
+              value: {{ .Values.primary.standby.primaryHost }}
+            - name: POSTGRES_MASTER_PORT_NUMBER
+              value: {{ .Values.primary.standby.primaryPort | quote }}
+            {{- end }}
+            # LDAP
+            - name: POSTGRESQL_ENABLE_LDAP
+              value: {{ ternary "yes" "no" .Values.ldap.enabled | quote }}
+            {{- if .Values.ldap.enabled }}
+            {{- if or .Values.ldap.url .Values.ldap.uri }}
+            - name: POSTGRESQL_LDAP_URL
+              value: {{ coalesce .Values.ldap.url .Values.ldap.uri }}
+            {{- else }}
+            - name: POSTGRESQL_LDAP_SERVER
+              value: {{ .Values.ldap.server }}
+            - name: POSTGRESQL_LDAP_PORT
+              value: {{ .Values.ldap.port | quote }}
+            - name: POSTGRESQL_LDAP_SCHEME
+              value: {{ .Values.ldap.scheme }}
+            {{- if (include "postgresql.ldap.tls.enabled" .) }}
+            - name: POSTGRESQL_LDAP_TLS
+              value: "1"
+            {{- end }}
+            - name: POSTGRESQL_LDAP_PREFIX
+              value: {{ .Values.ldap.prefix | quote }}
+            - name: POSTGRESQL_LDAP_SUFFIX
+              value: {{ .Values.ldap.suffix | quote }}
+            - name: POSTGRESQL_LDAP_BASE_DN
+              value: {{ coalesce .Values.ldap.baseDN .Values.ldap.basedn }}
+            - name: POSTGRESQL_LDAP_BIND_DN
+              value: {{ coalesce .Values.ldap.bindDN .Values.ldap.binddn}}
+            {{- if or  (not (empty .Values.ldap.bind_password)) (not (empty .Values.ldap.bindpw)) }}
+            - name: POSTGRESQL_LDAP_BIND_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: {{ include "postgresql.secretName" . }}
+                  key: ldap-password
+            {{- end }}
+            - name: POSTGRESQL_LDAP_SEARCH_ATTR
+              value: {{ coalesce .Values.ldap.search_attr .Values.ldap.searchAttribute }}
+            - name: POSTGRESQL_LDAP_SEARCH_FILTER
+              value: {{ coalesce .Values.ldap.search_filter .Values.ldap.searchFilter }}
+            {{- end }}
+            {{- end }}
+            # TLS
+            - name: POSTGRESQL_ENABLE_TLS
+              value: {{ ternary "yes" "no" .Values.tls.enabled | quote }}
+            {{- if .Values.tls.enabled }}
+            - name: POSTGRESQL_TLS_PREFER_SERVER_CIPHERS
+              value: {{ ternary "yes" "no" .Values.tls.preferServerCiphers | quote }}
+            - name: POSTGRESQL_TLS_CERT_FILE
+              value: {{ include "postgresql.tlsCert" . }}
+            - name: POSTGRESQL_TLS_KEY_FILE
+              value: {{ include "postgresql.tlsCertKey" . }}
+            {{- if .Values.tls.certCAFilename }}
+            - name: POSTGRESQL_TLS_CA_FILE
+              value: {{ include "postgresql.tlsCACert" . }}
+            {{- end }}
+            {{- if .Values.tls.crlFilename }}
+            - name: POSTGRESQL_TLS_CRL_FILE
+              value: {{ include "postgresql.tlsCRL" . }}
+            {{- end }}
+            {{- end }}
+            # Audit
+            - name: POSTGRESQL_LOG_HOSTNAME
+              value: {{ .Values.audit.logHostname | quote }}
+            - name: POSTGRESQL_LOG_CONNECTIONS
+              value: {{ .Values.audit.logConnections | quote }}
+            - name: POSTGRESQL_LOG_DISCONNECTIONS
+              value: {{ .Values.audit.logDisconnections | quote }}
+            {{- if .Values.audit.logLinePrefix }}
+            - name: POSTGRESQL_LOG_LINE_PREFIX
+              value: {{ .Values.audit.logLinePrefix | quote }}
+            {{- end }}
+            {{- if .Values.audit.logTimezone }}
+            - name: POSTGRESQL_LOG_TIMEZONE
+              value: {{ .Values.audit.logTimezone | quote }}
+            {{- end }}
+            {{- if .Values.audit.pgAuditLog }}
+            - name: POSTGRESQL_PGAUDIT_LOG
+              value: {{ .Values.audit.pgAuditLog | quote }}
+            {{- end }}
+            - name: POSTGRESQL_PGAUDIT_LOG_CATALOG
+              value: {{ .Values.audit.pgAuditLogCatalog | quote }}
+            # Others
+            - name: POSTGRESQL_CLIENT_MIN_MESSAGES
+              value: {{ .Values.audit.clientMinMessages | quote }}
+            - name: POSTGRESQL_SHARED_PRELOAD_LIBRARIES
+              value: {{ .Values.postgresqlSharedPreloadLibraries | quote }}
+            {{- if .Values.primary.extraEnvVars }}
+            {{- include "common.tplvalues.render" (dict "value" .Values.primary.extraEnvVars "context" $) | nindent 12 }}
+            {{- end }}
+          {{- if or .Values.primary.extraEnvVarsCM .Values.primary.extraEnvVarsSecret }}
+          envFrom:
+            {{- if .Values.primary.extraEnvVarsCM }}
+            - configMapRef:
+                name: {{ .Values.primary.extraEnvVarsCM }}
+            {{- end }}
+            {{- if .Values.primary.extraEnvVarsSecret }}
+            - secretRef:
+                name: {{ .Values.primary.extraEnvVarsSecret }}
+            {{- end }}
+          {{- end }}
+          ports:
+            - name: tcp-postgresql
+              containerPort: {{ .Values.containerPorts.postgresql }}
+          {{- if not .Values.diagnosticMode.enabled }}
+          {{- if .Values.primary.customStartupProbe }}
+          startupProbe: {{- include "common.tplvalues.render" (dict "value" .Values.primary.customStartupProbe "context" $) | nindent 12 }}
+          {{- else if .Values.primary.startupProbe.enabled }}
+          startupProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.primary.startupProbe "enabled") "context" $) | nindent 12 }}
+            exec:
+              command:
+                - /bin/sh
+                - -c
+                {{- if (include "postgresql.database" .) }}
+                - exec pg_isready -U {{ default "postgres" $customUser | quote }} -d "dbname={{ include "postgresql.database" . }} {{- if and .Values.tls.enabled .Values.tls.certCAFilename }} sslcert={{ include "postgresql.tlsCert" . }} sslkey={{ include "postgresql.tlsCertKey" . }}{{- end }}" -h 127.0.0.1 -p {{ .Values.containerPorts.postgresql }}
+                {{- else }}
+                - exec pg_isready -U {{ default "postgres" $customUser | quote }} {{- if and .Values.tls.enabled .Values.tls.certCAFilename }} -d "sslcert={{ include "postgresql.tlsCert" . }} sslkey={{ include "postgresql.tlsCertKey" . }}"{{- end }} -h 127.0.0.1 -p {{ .Values.containerPorts.postgresql }}
+                {{- end }}
+          {{- end }}
+          {{- if .Values.primary.customLivenessProbe }}
+          livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.primary.customLivenessProbe "context" $) | nindent 12 }}
+          {{- else if .Values.primary.livenessProbe.enabled }}
+          livenessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.primary.livenessProbe "enabled") "context" $) | nindent 12 }}
+            exec:
+              command:
+                - /bin/sh
+                - -c
+                {{- if (include "postgresql.database" .) }}
+                - exec pg_isready -U {{ default "postgres" $customUser | quote }} -d "dbname={{ include "postgresql.database" . }} {{- if and .Values.tls.enabled .Values.tls.certCAFilename }} sslcert={{ include "postgresql.tlsCert" . }} sslkey={{ include "postgresql.tlsCertKey" . }}{{- end }}" -h 127.0.0.1 -p {{ .Values.containerPorts.postgresql }}
+                {{- else }}
+                - exec pg_isready -U {{ default "postgres" $customUser | quote }} {{- if and .Values.tls.enabled .Values.tls.certCAFilename }} -d "sslcert={{ include "postgresql.tlsCert" . }} sslkey={{ include "postgresql.tlsCertKey" . }}"{{- end }} -h 127.0.0.1 -p {{ .Values.containerPorts.postgresql }}
+                {{- end }}
+          {{- end }}
+          {{- if .Values.primary.customReadinessProbe }}
+          readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.primary.customReadinessProbe "context" $) | nindent 12 }}
+          {{- else if .Values.primary.readinessProbe.enabled }}
+          readinessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.primary.readinessProbe "enabled") "context" $) | nindent 12 }}
+            exec:
+              command:
+                - /bin/sh
+                - -c
+                - -e
+                {{- include "postgresql.readinessProbeCommand" . | nindent 16 }}
+          {{- end }}
+          {{- end }}
+          {{- if .Values.primary.resources }}
+          resources: {{- toYaml .Values.primary.resources | nindent 12 }}
+          {{- end }}
+          {{- if .Values.primary.lifecycleHooks }}
+          lifecycle: {{- include "common.tplvalues.render" (dict "value" .Values.primary.lifecycleHooks "context" $) | nindent 12 }}
+          {{- end }}
+          volumeMounts:
+            {{- if or .Values.primary.initdb.scriptsConfigMap .Values.primary.initdb.scripts }}
+            - name: custom-init-scripts
+              mountPath: /docker-entrypoint-initdb.d/
+            {{- end }}
+            {{- if .Values.primary.initdb.scriptsSecret }}
+            - name: custom-init-scripts-secret
+              mountPath: /docker-entrypoint-initdb.d/secret
+            {{- end }}
+            {{- if or .Values.primary.extendedConfiguration .Values.primary.existingExtendedConfigmap }}
+            - name: postgresql-extended-config
+              mountPath: /bitnami/postgresql/conf/conf.d/
+            {{- end }}
+            {{- if .Values.auth.usePasswordFiles }}
+            - name: postgresql-password
+              mountPath: /opt/bitnami/postgresql/secrets/
+            {{- end }}
+            {{- if .Values.tls.enabled }}
+            - name: postgresql-certificates
+              mountPath: /opt/bitnami/postgresql/certs
+              readOnly: true
+            {{- end }}
+            {{- if .Values.shmVolume.enabled }}
+            - name: dshm
+              mountPath: /dev/shm
+            {{- end }}
+            {{- if .Values.primary.persistence.enabled }}
+            - name: data
+              mountPath: {{ .Values.primary.persistence.mountPath }}
+              {{- if .Values.primary.persistence.subPath }}
+              subPath: {{ .Values.primary.persistence.subPath }}
+              {{- end }}
+            {{- end }}
+            {{- if or .Values.primary.configuration .Values.primary.pgHbaConfiguration .Values.primary.existingConfigmap }}
+            - name: postgresql-config
+              mountPath: /bitnami/postgresql/conf
+            {{- end }}
+            {{- if .Values.primary.extraVolumeMounts }}
+            {{- include "common.tplvalues.render" (dict "value" .Values.primary.extraVolumeMounts "context" $) | nindent 12 }}
+            {{- end }}
+        {{- if .Values.metrics.enabled }}
+        - name: metrics
+          image: {{ include "postgresql.metrics.image" . }}
+          imagePullPolicy: {{ .Values.metrics.image.pullPolicy | quote }}
+          {{- if .Values.metrics.containerSecurityContext.enabled }}
+          securityContext: {{- omit .Values.metrics.containerSecurityContext "enabled" | toYaml | nindent 12 }}
+          {{- end }}
+          {{- if .Values.diagnosticMode.enabled }}
+          command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }}
+          args: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.args "context" $) | nindent 12 }}
+          {{- else if .Values.metrics.customMetrics }}
+          args: ["--extend.query-path", "/conf/custom-metrics.yaml"]
+          {{- end }}
+          env:
+            {{- $database := required "In order to enable metrics you need to specify a database (.Values.auth.database or .Values.global.postgresql.auth.database)" (include "postgresql.database" .) }}
+            - name: DATA_SOURCE_URI
+              value: {{ printf "127.0.0.1:%d/%s?sslmode=disable" (int (include "postgresql.service.port" .)) $database }}
+            {{- if .Values.auth.usePasswordFiles }}
+            - name: DATA_SOURCE_PASS_FILE
+              value: {{ printf "/opt/bitnami/postgresql/secrets/%s" (ternary "password" "postgres-password" (and (not (empty $customUser)) (ne $customUser "postgres"))) }}
+            {{- else }}
+            - name: DATA_SOURCE_PASS
+              valueFrom:
+                secretKeyRef:
+                  name: {{ include "postgresql.secretName" . }}
+                  key: {{ include "postgresql.userPasswordKey" . }}
+            {{- end }}
+            - name: DATA_SOURCE_USER
+              value: {{ default "postgres" $customUser | quote }}
+            {{- if .Values.metrics.extraEnvVars }}
+            {{- include "common.tplvalues.render" (dict "value" .Values.metrics.extraEnvVars "context" $) | nindent 12 }}
+            {{- end }}
+          ports:
+            - name: http-metrics
+              containerPort: {{ .Values.metrics.containerPorts.metrics }}
+          {{- if not .Values.diagnosticMode.enabled }}
+          {{- if .Values.metrics.customStartupProbe }}
+          startupProbe: {{- include "common.tplvalues.render" (dict "value" .Values.metrics.customStartupProbe "context" $) | nindent 12 }}
+          {{- else if .Values.metrics.startupProbe.enabled }}
+          startupProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.metrics.startupProbe "enabled") "context" $) | nindent 12 }}
+            tcpSocket:
+              port: http-metrics
+          {{- end }}
+          {{- if .Values.metrics.customLivenessProbe }}
+          livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.metrics.customLivenessProbe "context" $) | nindent 12 }}
+          {{- else if .Values.metrics.livenessProbe.enabled }}
+          livenessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.metrics.livenessProbe "enabled") "context" $) | nindent 12 }}
+            httpGet:
+              path: /
+              port: http-metrics
+          {{- end }}
+          {{- if .Values.metrics.customReadinessProbe }}
+          readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.metrics.customReadinessProbe "context" $) | nindent 12 }}
+          {{- else if .Values.metrics.readinessProbe.enabled }}
+          readinessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.metrics.readinessProbe "enabled") "context" $) | nindent 12 }}
+            httpGet:
+              path: /
+              port: http-metrics
+          {{- end }}
+          {{- end }}
+          volumeMounts:
+            {{- if .Values.auth.usePasswordFiles }}
+            - name: postgresql-password
+              mountPath: /opt/bitnami/postgresql/secrets/
+            {{- end }}
+            {{- if .Values.metrics.customMetrics }}
+            - name: custom-metrics
+              mountPath: /conf
+              readOnly: true
+            {{- end }}
+          {{- if .Values.metrics.resources }}
+          resources: {{- toYaml .Values.metrics.resources | nindent 12 }}
+          {{- end }}
+        {{- end }}
+        {{- if .Values.primary.sidecars }}
+        {{- include "common.tplvalues.render" ( dict "value" .Values.primary.sidecars "context" $ ) | nindent 8 }}
+        {{- end }}
+      volumes:
+        {{- if or .Values.primary.configuration .Values.primary.pgHbaConfiguration .Values.primary.existingConfigmap }}
+        - name: postgresql-config
+          configMap:
+            name: {{ include "postgresql.primary.configmapName" . }}
+        {{- end }}
+        {{- if or .Values.primary.extendedConfiguration .Values.primary.existingExtendedConfigmap }}
+        - name: postgresql-extended-config
+          configMap:
+            name: {{ include "postgresql.primary.extendedConfigmapName" . }}
+        {{- end }}
+        {{- if .Values.auth.usePasswordFiles }}
+        - name: postgresql-password
+          secret:
+            secretName: {{ include "postgresql.secretName" . }}
+        {{- end }}
+        {{- if or .Values.primary.initdb.scriptsConfigMap .Values.primary.initdb.scripts }}
+        - name: custom-init-scripts
+          configMap:
+            name: {{ include "postgresql.initdb.scriptsCM" . }}
+        {{- end }}
+        {{- if .Values.primary.initdb.scriptsSecret }}
+        - name: custom-init-scripts-secret
+          secret:
+            secretName: {{ tpl .Values.primary.initdb.scriptsSecret $ }}
+        {{- end }}
+        {{- if  .Values.tls.enabled }}
+        - name: raw-certificates
+          secret:
+            secretName: {{ include "postgresql.tlsSecretName" . }}
+        - name: postgresql-certificates
+          emptyDir: {}
+        {{- end }}
+        {{- if .Values.primary.extraVolumes }}
+        {{- include "common.tplvalues.render" ( dict "value" .Values.primary.extraVolumes "context" $ ) | nindent 8 }}
+        {{- end }}
+        {{- if and .Values.metrics.enabled .Values.metrics.customMetrics }}
+        - name: custom-metrics
+          configMap:
+            name: {{ printf "%s-metrics" (include "common.names.fullname" .) }}
+        {{- end }}
+        {{- if .Values.shmVolume.enabled }}
+        - name: dshm
+          emptyDir:
+            medium: Memory
+            {{- if .Values.shmVolume.sizeLimit }}
+            sizeLimit: {{ .Values.shmVolume.sizeLimit }}
+            {{- end }}
+        {{- end }}
+  {{- if and .Values.primary.persistence.enabled .Values.primary.persistence.existingClaim }}
+        - name: data
+          persistentVolumeClaim:
+            claimName: {{ tpl .Values.primary.persistence.existingClaim $ }}
+  {{- else if not .Values.primary.persistence.enabled }}
+        - name: data
+          emptyDir: {}
+  {{- else }}
+  volumeClaimTemplates:
+    - metadata:
+        name: data
+        {{- if .Values.primary.persistence.annotations }}
+        annotations: {{- include "common.tplvalues.render" (dict "value" .Values.primary.persistence.annotations "context" $) | nindent 10 }}
+        {{- end }}
+        {{- if .Values.primary.persistence.labels }}
+        labels: {{- include "common.tplvalues.render" (dict "value" .Values.primary.persistence.labels "context" $) | nindent 10 }}
+        {{- end }}
+      spec:
+        accessModes:
+        {{- range .Values.primary.persistence.accessModes }}
+          - {{ . | quote }}
+        {{- end }}
+        {{- if .Values.primary.persistence.dataSource }}
+        dataSource: {{- include "common.tplvalues.render" (dict "value" .Values.primary.persistence.dataSource "context" $) | nindent 10 }}
+        {{- end }}
+        resources:
+          requests:
+            storage: {{ .Values.primary.persistence.size | quote }}
+        {{- if .Values.primary.persistence.selector }}
+        selector: {{- include "common.tplvalues.render" (dict "value" .Values.primary.persistence.selector "context" $) | nindent 10 }}
+        {{- end }}
+        {{- include "common.storage.class" (dict "persistence" .Values.primary.persistence "global" .Values.global) | nindent 8 }}
+  {{- end }}
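Review bot: `POSTGRESQL_INITSCRIPTS_PASSWORD` under the `# Initdb` section is rendered as a plain `value: {{ .Values.primary.initdb.password | quote }}`, so a credential supplied through values lands in clear text in the StatefulSet object and in every pod spec, readable by anything allowed to get pods or statefulsets. Every other password in this env block — `POSTGRES_PASSWORD`, `POSTGRES_REPLICATION_PASSWORD`, `POSTGRESQL_LDAP_BIND_PASSWORD` — is sourced with `valueFrom.secretKeyRef` from `{{ include "postgresql.secretName" . }}`, and the initdb password should follow the same pattern, with the value stored in the chart secret under a dedicated key. Since this looks like a vendored copy of the Bitnami postgresql chart, the less invasive route is a values-level one: leave `primary.initdb.password` unset and deliver the variable through `primary.extraEnvVarsSecret`, which this template already wires into `envFrom` as a `secretRef`. The neighbouring `POSTGRESQL_INITSCRIPTS_USERNAME` is emitted unquoted (`value: {{ .Values.primary.initdb.user }}`); an env `value` must be a string, so a numeric- or boolean-looking username would fail API validation — add `| quote` as the password line does.
```yaml
            {{- if .Values.primary.initdb.password }}
            - name: POSTGRESQL_INITSCRIPTS_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: {{ include "postgresql.secretName" . }}
                  key: <INITDB_PASSWORD_KEY>  # placeholder: add this key to the chart's secret template
            {{- end }}
```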
diff --git a/helm/infrastructure/subcharts/kong/charts/postgresql/templates/primary/svc-headless.yaml b/helm/infrastructure/subcharts/kong/charts/postgresql/templates/primary/svc-headless.yaml
new file mode 100644 (file)
index 0000000..b782631
--- /dev/null
@@ -0,0 +1,31 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "postgresql.primary.svc.headless" . }}
+  namespace: {{ .Release.Namespace | quote }}
+  labels: {{- include "common.labels.standard" . | nindent 4 }}
+    {{- if .Values.commonLabels }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
+    {{- end }}
+    app.kubernetes.io/component: primary
+  {{- if .Values.commonAnnotations }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+  {{- end }}
+    # Use this annotation in addition to the actual publishNotReadyAddresses
+    # field below because the annotation will stop being respected soon but the
+    # field is broken in some versions of Kubernetes:
+    # https://github.com/kubernetes/kubernetes/issues/58662
+    service.alpha.kubernetes.io/tolerate-unready-endpoints: "true"
+spec:
+  type: ClusterIP
+  clusterIP: None
+  # We want all pods in the StatefulSet to have their addresses published for
+  # the sake of the other Postgresql pods even before they're ready, since they
+  # have to be able to talk to each other in order to become ready.
+  publishNotReadyAddresses: true
+  ports:
+    - name: tcp-postgresql
+      port: {{ template "postgresql.service.port" . }}
+      targetPort: tcp-postgresql
+  selector: {{- include "common.labels.matchLabels" . | nindent 4 }}
+    app.kubernetes.io/component: primary
diff --git a/helm/infrastructure/subcharts/kong/charts/postgresql/templates/primary/svc.yaml b/helm/infrastructure/subcharts/kong/charts/postgresql/templates/primary/svc.yaml
new file mode 100644 (file)
index 0000000..cf18480
--- /dev/null
@@ -0,0 +1,51 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "postgresql.primary.fullname" . }}
+  namespace: {{ .Release.Namespace | quote }}
+  labels: {{- include "common.labels.standard" . | nindent 4 }}
+    {{- if .Values.commonLabels }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
+    {{- end }}
+    app.kubernetes.io/component: primary
+  annotations:
+    {{- if .Values.commonAnnotations }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+    {{- end }}
+    {{- if .Values.primary.service.annotations }}
+    {{- include "common.tplvalues.render" (dict "value" .Values.primary.service.annotations "context" $) | nindent 4 }}
+    {{- end }}
+spec:
+  type: {{ .Values.primary.service.type }}
+  {{- if or (eq .Values.primary.service.type "LoadBalancer") (eq .Values.primary.service.type "NodePort") }}
+  externalTrafficPolicy: {{ .Values.primary.service.externalTrafficPolicy | quote }}
+  {{- end }}
+  {{- if and (eq .Values.primary.service.type "LoadBalancer") (not (empty .Values.primary.service.loadBalancerSourceRanges)) }}
+  loadBalancerSourceRanges: {{ .Values.primary.service.loadBalancerSourceRanges }}
+  {{- end }}
+  {{- if and (eq .Values.primary.service.type "LoadBalancer") (not (empty .Values.primary.service.loadBalancerIP)) }}
+  loadBalancerIP: {{ .Values.primary.service.loadBalancerIP }}
+  {{- end }}
+  {{- if and .Values.primary.service.clusterIP (eq .Values.primary.service.type "ClusterIP") }}
+  clusterIP: {{ .Values.primary.service.clusterIP }}
+  {{- end }}
+  {{- if .Values.primary.service.sessionAffinity }}
+  sessionAffinity: {{ .Values.primary.service.sessionAffinity }}
+  {{- end }}
+  {{- if .Values.primary.service.sessionAffinityConfig }}
+  sessionAffinityConfig: {{- include "common.tplvalues.render" (dict "value" .Values.primary.service.sessionAffinityConfig "context" $) | nindent 4 }}
+  {{- end }}
+  ports:
+    - name: tcp-postgresql
+      port: {{ template "postgresql.service.port" . }}
+      targetPort: tcp-postgresql
+      {{- if and (or (eq .Values.primary.service.type "NodePort") (eq .Values.primary.service.type "LoadBalancer")) (not (empty .Values.primary.service.nodePorts.postgresql)) }}
+      nodePort: {{ .Values.primary.service.nodePorts.postgresql }}
+      {{- else if eq .Values.primary.service.type "ClusterIP" }}
+      nodePort: null
+      {{- end }}
+    {{- if .Values.primary.service.extraPorts }}
+    {{- include "common.tplvalues.render" (dict "value" .Values.primary.service.extraPorts "context" $) | nindent 4 }}
+    {{- end }}
+  selector: {{- include "common.labels.matchLabels" . | nindent 4 }}
+    app.kubernetes.io/component: primary
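Review bot: `loadBalancerSourceRanges: {{ .Values.primary.service.loadBalancerSourceRanges }}` in the `LoadBalancer` branch renders a list value through Go's default slice formatting (e.g. `[10.0.0.0/8 192.168.0.0/16]`), which YAML reads as a flow sequence holding one scalar with a space in it rather than two CIDRs, so the API server will most likely reject the Service and the allowlist cannot be applied at all. Every other structured value in this file goes through the render helper and this one should too: `loadBalancerSourceRanges: {{- include "common.tplvalues.render" (dict "value" .Values.primary.service.loadBalancerSourceRanges "context" $) | nindent 4 }}`. Since this field is the only network restriction on a LoadBalancer-exposed database, a render test with a two-entry list would catch regressions here.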
diff --git a/helm/infrastructure/subcharts/kong/charts/postgresql/templates/prometheusrule.yaml b/helm/infrastructure/subcharts/kong/charts/postgresql/templates/prometheusrule.yaml
new file mode 100644 (file)
index 0000000..24be710
--- /dev/null
@@ -0,0 +1,22 @@
+{{- if and .Values.metrics.enabled .Values.metrics.prometheusRule.enabled }}
+apiVersion: monitoring.coreos.com/v1
+kind: PrometheusRule
+metadata:
+  name: {{ include "common.names.fullname" . }}
+  namespace: {{ default .Release.Namespace .Values.metrics.prometheusRule.namespace | quote }}
+  labels: {{- include "common.labels.standard" . | nindent 4 }}
+    app.kubernetes.io/component: metrics
+    {{- if .Values.commonLabels }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
+    {{- end }}
+    {{- if .Values.metrics.prometheusRule.labels }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.prometheusRule.labels "context" $ ) | nindent 4 }}
+    {{- end }}
+  {{- if .Values.commonAnnotations }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+  {{- end }}
+spec:
+  groups:
+    - name: {{ include "common.names.fullname" . }}
+      rules: {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.prometheusRule.rules "context" $ ) | nindent 8 }}
+{{- end }}
diff --git a/helm/infrastructure/subcharts/kong/charts/postgresql/templates/psp.yaml b/helm/infrastructure/subcharts/kong/charts/postgresql/templates/psp.yaml
new file mode 100644 (file)
index 0000000..48d1175
--- /dev/null
@@ -0,0 +1,41 @@
+{{- $pspAvailable := (semverCompare "<1.25-0" (include "common.capabilities.kubeVersion" .)) -}}
+{{- if and $pspAvailable .Values.psp.create }}
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  name: {{ include "common.names.fullname" . }}
+  namespace: {{ .Release.Namespace | quote }}
+  labels: {{- include "common.labels.standard" . | nindent 4 }}
+    {{- if .Values.commonLabels }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
+    {{- end }}
+  {{- if .Values.commonAnnotations }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+  {{- end }}
+spec:
+  privileged: false
+  volumes:
+    - 'configMap'
+    - 'secret'
+    - 'persistentVolumeClaim'
+    - 'emptyDir'
+    - 'projected'
+  hostNetwork: false
+  hostIPC: false
+  hostPID: false
+  runAsUser:
+    rule: 'RunAsAny'
+  seLinux:
+    rule: 'RunAsAny'
+  supplementalGroups:
+    rule: 'MustRunAs'
+    ranges:
+      - min: 1
+        max: 65535
+  fsGroup:
+    rule: 'MustRunAs'
+    ranges:
+      - min: 1
+        max: 65535
+  readOnlyRootFilesystem: false
+{{- end }}
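Review bot: The PodSecurityPolicy spec leaves the privilege-related knobs at their permissive defaults: `allowPrivilegeEscalation` is omitted (allowed by default), no `requiredDropCapabilities` is set, and `runAsUser`/`seLinux` are `RunAsAny`, so the policy admits root containers even though the chart's own pod templates derive `runAsUser` and `fsGroup` from values (see the `chown` lines in the read statefulset in this change). If `.Values.psp.create` is meant as a hardening option, tighten it to what the chart actually needs: `allowPrivilegeEscalation: false`, `requiredDropCapabilities: ['ALL']`, and `runAsUser: {rule: 'MustRunAsNonRoot'}` — the volume-permissions init container may run as root when its `runAsUser` is `"auto"` or `0`, so confirm that before adopting the last one. PodSecurityPolicy is also cluster-scoped, so the `namespace:` line under `metadata` is ignored by the API server; harmless, but misleading to readers.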
diff --git a/helm/infrastructure/subcharts/kong/charts/postgresql/templates/read/extended-configmap.yaml b/helm/infrastructure/subcharts/kong/charts/postgresql/templates/read/extended-configmap.yaml
new file mode 100644 (file)
index 0000000..e329d13
--- /dev/null
@@ -0,0 +1,18 @@
+{{- if (include "postgresql.readReplicas.createExtendedConfigmap" .) }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ printf "%s-extended-configuration" (include "postgresql.readReplica.fullname" .) }}
+  namespace: {{ .Release.Namespace | quote }}
+  labels: {{- include "common.labels.standard" . | nindent 4 }}
+    app.kubernetes.io/component: read
+    {{- if .Values.commonLabels }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
+    {{- end }}
+  {{- if .Values.commonAnnotations }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+  {{- end }}
+data:
+  override.conf: |-
+    {{- include "common.tplvalues.render" ( dict "value" .Values.readReplicas.extendedConfiguration "context" $ ) | nindent 4 }}
+{{- end }}
diff --git a/helm/infrastructure/subcharts/kong/charts/postgresql/templates/read/metrics-configmap.yaml b/helm/infrastructure/subcharts/kong/charts/postgresql/templates/read/metrics-configmap.yaml
new file mode 100644 (file)
index 0000000..b00a6ec
--- /dev/null
@@ -0,0 +1,16 @@
+{{- if and .Values.metrics.enabled .Values.metrics.customMetrics (eq .Values.architecture "replication") }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ printf "%s-metrics" (include "postgresql.readReplica.fullname" .) }}
+  namespace: {{ .Release.Namespace | quote }}
+  labels: {{- include "common.labels.standard" . | nindent 4 }}
+    {{- if .Values.commonLabels }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
+    {{- end }}
+  {{- if .Values.commonAnnotations }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+  {{- end }}
+data:
+  custom-metrics.yaml: {{ toYaml .Values.metrics.customMetrics | quote }}
+{{- end }}
diff --git a/helm/infrastructure/subcharts/kong/charts/postgresql/templates/read/metrics-svc.yaml b/helm/infrastructure/subcharts/kong/charts/postgresql/templates/read/metrics-svc.yaml
new file mode 100644 (file)
index 0000000..b3e5497
--- /dev/null
@@ -0,0 +1,31 @@
+{{- if and .Values.metrics.enabled (eq .Values.architecture "replication") }}
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ printf "%s-metrics" (include "postgresql.readReplica.fullname" .) }}
+  namespace: {{ .Release.Namespace | quote }}
+  labels: {{- include "common.labels.standard" . | nindent 4 }}
+    app.kubernetes.io/component: metrics-read
+    {{- if .Values.commonLabels }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
+    {{- end }}
+  annotations:
+    {{- if .Values.commonAnnotations }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+    {{- end }}
+    {{- if .Values.metrics.service.annotations }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.service.annotations "context" $ ) | nindent 4 }}
+    {{- end }}
+spec:
+  type: ClusterIP
+  sessionAffinity: {{ .Values.metrics.service.sessionAffinity }}
+  {{- if .Values.metrics.service.clusterIP }}
+  clusterIP: {{ .Values.metrics.service.clusterIP }}
+  {{- end }}
+  ports:
+    - name: http-metrics
+      port: {{ .Values.metrics.service.ports.metrics }}
+      targetPort: http-metrics
+  selector: {{- include "common.labels.matchLabels" . | nindent 4 }}
+    app.kubernetes.io/component: read
+{{- end }}
diff --git a/helm/infrastructure/subcharts/kong/charts/postgresql/templates/read/networkpolicy.yaml b/helm/infrastructure/subcharts/kong/charts/postgresql/templates/read/networkpolicy.yaml
new file mode 100644 (file)
index 0000000..c969cd7
--- /dev/null
@@ -0,0 +1,36 @@
+{{- if and .Values.networkPolicy.enabled (eq .Values.architecture "replication") .Values.networkPolicy.ingressRules.readReplicasAccessOnlyFrom.enabled }}
+apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }}
+kind: NetworkPolicy
+metadata:
+  name: {{ printf "%s-ingress" (include "postgresql.readReplica.fullname" .) }}
+  namespace: {{ .Release.Namespace | quote }}
+  labels: {{- include "common.labels.standard" . | nindent 4 }}
+    app.kubernetes.io/component: read
+    {{- if .Values.commonLabels }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
+    {{- end }}
+  {{- if .Values.commonAnnotations }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+  {{- end }}
+spec:
+  podSelector:
+    matchLabels: {{- include "common.labels.matchLabels" . | nindent 6 }}
+      app.kubernetes.io/component: read
+  ingress:
+    {{- if and .Values.networkPolicy.ingressRules.readReplicasAccessOnlyFrom.enabled (or .Values.networkPolicy.ingressRules.readReplicasAccessOnlyFrom.namespaceSelector .Values.networkPolicy.ingressRules.readReplicasAccessOnlyFrom.podSelector) }}
+    - from:
+        {{- if .Values.networkPolicy.ingressRules.readReplicasAccessOnlyFrom.namespaceSelector }}
+        - namespaceSelector:
+            matchLabels: {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.ingressRules.readReplicasAccessOnlyFrom.namespaceSelector "context" $) | nindent 14 }}
+        {{- end }}
+        {{- if .Values.networkPolicy.ingressRules.readReplicasAccessOnlyFrom.podSelector }}
+        - podSelector:
+            matchLabels: {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.ingressRules.readReplicasAccessOnlyFrom.podSelector "context" $) | nindent 14 }}
+        {{- end }}
+      ports:
+        - port: {{ .Values.containerPorts.postgresql }}
+    {{- end }}
+    {{- if .Values.networkPolicy.ingressRules.readReplicasAccessOnlyFrom.customRules }}
+    {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.ingressRules.readReplicasAccessOnlyFrom.customRules "context" $) | nindent 4 }}
+    {{- end }}
+{{- end }}
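Review bot: The ingress rule's `ports:` list only opens `containerPorts.postgresql`, so once this policy is active the metrics exporter reached through the read metrics Service (`targetPort: http-metrics` in read/metrics-svc.yaml) is unreachable from Prometheus unless the operator repeats it in `customRules`; either add a second `- port:` entry for the exporter's container port guarded by `{{- if .Values.metrics.enabled }}` inside that list, or document the gap in a comment above the rule. The inner `and .Values.networkPolicy.ingressRules.readReplicasAccessOnlyFrom.enabled ...` at the `ingress:` guard is redundant with the file's top-level condition, which already requires `readReplicasAccessOnlyFrom.enabled`. Also worth a comment: when neither selector nor `customRules` is set, the rendered policy has a pod selector and no ingress rules, which is a default-deny for the read replicas on every port.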
diff --git a/helm/infrastructure/subcharts/kong/charts/postgresql/templates/read/servicemonitor.yaml b/helm/infrastructure/subcharts/kong/charts/postgresql/templates/read/servicemonitor.yaml
new file mode 100644 (file)
index 0000000..d511d6b
--- /dev/null
@@ -0,0 +1,48 @@
+{{- if and .Values.metrics.enabled .Values.metrics.serviceMonitor.enabled (eq .Values.architecture "replication") }}
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: {{ include "postgresql.readReplica.fullname" . }}
+  namespace: {{ default .Release.Namespace .Values.metrics.serviceMonitor.namespace | quote }}
+  labels: {{- include "common.labels.standard" . | nindent 4 }}
+    app.kubernetes.io/component: metrics-read
+    {{- if .Values.metrics.serviceMonitor.labels }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.serviceMonitor.labels "context" $ ) | nindent 4 }}
+    {{- end }}
+    {{- if .Values.commonLabels }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
+    {{- end }}
+  {{- if .Values.commonAnnotations }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+  {{- end }}
+spec:
+  {{- if .Values.metrics.serviceMonitor.jobLabel }}
+  jobLabel: {{ .Values.metrics.serviceMonitor.jobLabel }}
+  {{- end }}
+  selector:
+    matchLabels: {{- include "common.labels.matchLabels" . | nindent 6 }}
+      {{- if .Values.metrics.serviceMonitor.selector }}
+      {{- include "common.tplvalues.render" (dict "value" .Values.metrics.serviceMonitor.selector "context" $) | nindent 6 }}
+      {{- end }}
+      app.kubernetes.io/component: metrics-read
+  endpoints:
+    - port: http-metrics
+      {{- if .Values.metrics.serviceMonitor.interval }}
+      interval: {{ .Values.metrics.serviceMonitor.interval }}
+      {{- end }}
+      {{- if .Values.metrics.serviceMonitor.scrapeTimeout }}
+      scrapeTimeout: {{ .Values.metrics.serviceMonitor.scrapeTimeout }}
+      {{- end }}
+      {{- if .Values.metrics.serviceMonitor.relabelings }}
+      relabelings: {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.serviceMonitor.relabelings "context" $) | nindent 6 }}
+      {{- end }}
+      {{- if .Values.metrics.serviceMonitor.metricRelabelings }}
+      metricRelabelings: {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.serviceMonitor.metricRelabelings "context" $) | nindent 6 }}
+      {{- end }}
+      {{- if .Values.metrics.serviceMonitor.honorLabels }}
+      honorLabels: {{ .Values.metrics.serviceMonitor.honorLabels }}
+      {{- end }}
+  namespaceSelector:
+    matchNames:
+      - {{ .Release.Namespace | quote }}
+{{- end }}
diff --git a/helm/infrastructure/subcharts/kong/charts/postgresql/templates/read/statefulset.yaml b/helm/infrastructure/subcharts/kong/charts/postgresql/templates/read/statefulset.yaml
new file mode 100644 (file)
index 0000000..b3ff1da
--- /dev/null
@@ -0,0 +1,531 @@
+{{- if eq .Values.architecture "replication" }}
+{{- $customUser := include "postgresql.username" . }}
+apiVersion: {{ include "common.capabilities.statefulset.apiVersion" . }}
+kind: StatefulSet
+metadata:
+  name: {{ include "postgresql.readReplica.fullname" . }}
+  namespace: {{ .Release.Namespace | quote }}
+  labels: {{- include "common.labels.standard" . | nindent 4 }}
+    app.kubernetes.io/component: read
+    {{- if .Values.commonLabels }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
+    {{- end }}
+    {{- if .Values.readReplicas.labels }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.readReplicas.labels "context" $ ) | nindent 4 }}
+    {{- end }}
+  annotations:
+    {{- if .Values.commonAnnotations }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+    {{- end }}
+    {{- if .Values.readReplicas.annotations }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.readReplicas.annotations "context" $ ) | nindent 4 }}
+    {{- end }}
+spec:
+  replicas: {{ .Values.readReplicas.replicaCount }}
+  serviceName: {{ include "postgresql.readReplica.svc.headless" . }}
+  {{- if .Values.readReplicas.updateStrategy }}
+  updateStrategy: {{- toYaml .Values.readReplicas.updateStrategy | nindent 4 }}
+  {{- end }}
+  selector:
+    matchLabels: {{- include "common.labels.matchLabels" . | nindent 6 }}
+      app.kubernetes.io/component: read
+  template:
+    metadata:
+      name: {{ include "postgresql.readReplica.fullname" . }}
+      labels: {{- include "common.labels.standard" . | nindent 8 }}
+        app.kubernetes.io/component: read
+        {{- if .Values.commonLabels }}
+        {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 8 }}
+        {{- end }}
+        {{- if .Values.readReplicas.podLabels }}
+        {{- include "common.tplvalues.render" ( dict "value" .Values.readReplicas.podLabels "context" $ ) | nindent 8 }}
+        {{- end }}
+      annotations:
+        {{- if (include "postgresql.readReplicas.createExtendedConfigmap" .) }}
+        checksum/extended-configuration: {{ include (print $.Template.BasePath "/read/extended-configmap.yaml") . | sha256sum }}
+        {{- end }}
+        {{- if .Values.readReplicas.podAnnotations }}
+        {{- include "common.tplvalues.render" ( dict "value" .Values.readReplicas.podAnnotations "context" $ ) | nindent 8 }}
+        {{- end }}
+    spec:
+      {{- if .Values.readReplicas.extraPodSpec }}
+      {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.extraPodSpec "context" $) | nindent 6 }}
+      {{- end }}
+      serviceAccountName: {{ include "postgresql.serviceAccountName" . }}
+      {{- include "postgresql.imagePullSecrets" . | nindent 6 }}
+      {{- if .Values.readReplicas.hostAliases }}
+      hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.hostAliases "context" $) | nindent 8 }}
+      {{- end }}
+      {{- if .Values.readReplicas.affinity }}
+      affinity: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.affinity "context" $) | nindent 8 }}
+      {{- else }}
+      affinity:
+        podAffinity: {{- include "common.affinities.pods" (dict "type" .Values.readReplicas.podAffinityPreset "component" "read" "context" $) | nindent 10 }}
+        podAntiAffinity: {{- include "common.affinities.pods" (dict "type" .Values.readReplicas.podAntiAffinityPreset "component" "read" "context" $) | nindent 10 }}
+        nodeAffinity: {{- include "common.affinities.nodes" (dict "type" .Values.readReplicas.nodeAffinityPreset.type "key" .Values.readReplicas.nodeAffinityPreset.key "values" .Values.readReplicas.nodeAffinityPreset.values) | nindent 10 }}
+      {{- end }}
+      {{- if .Values.readReplicas.nodeSelector }}
+      nodeSelector: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.nodeSelector "context" $) | nindent 8 }}
+      {{- end }}
+      {{- if .Values.readReplicas.tolerations }}
+      tolerations: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.tolerations "context" $) | nindent 8 }}
+      {{- end }}
+      {{- if .Values.readReplicas.topologySpreadConstraints }}
+      topologySpreadConstraints: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.topologySpreadConstraints "context" $) | nindent 8 }}
+      {{- end }}
+      {{- if .Values.readReplicas.priorityClassName }}
+      priorityClassName: {{ .Values.readReplicas.priorityClassName }}
+      {{- end }}
+      {{- if .Values.readReplicas.schedulerName }}
+      schedulerName: {{ .Values.readReplicas.schedulerName | quote }}
+      {{- end }}
+      {{- if .Values.readReplicas.terminationGracePeriodSeconds }}
+      terminationGracePeriodSeconds: {{ .Values.readReplicas.terminationGracePeriodSeconds }}
+      {{- end }}
+      {{- if .Values.readReplicas.podSecurityContext.enabled }}
+      securityContext: {{- omit .Values.readReplicas.podSecurityContext "enabled" | toYaml | nindent 8 }}
+      {{- end }}
+      hostNetwork: {{ .Values.readReplicas.hostNetwork }}
+      hostIPC: {{ .Values.readReplicas.hostIPC }}
+      initContainers:
+        {{- if and .Values.tls.enabled (not .Values.volumePermissions.enabled) }}
+        - name: copy-certs
+          image: {{ include "postgresql.volumePermissions.image" . }}
+          imagePullPolicy: {{ .Values.volumePermissions.image.pullPolicy | quote }}
+          {{- if .Values.readReplicas.resources }}
+          resources: {{- toYaml .Values.readReplicas.resources | nindent 12 }}
+          {{- end }}
+          # We don't require a privileged container in this case
+          {{- if .Values.readReplicas.containerSecurityContext.enabled }}
+          securityContext: {{- omit .Values.readReplicas.containerSecurityContext "enabled" | toYaml | nindent 12 }}
+          {{- end }}
+          command:
+            - /bin/sh
+            - -ec
+            - |
+              cp /tmp/certs/* /opt/bitnami/postgresql/certs/
+              chmod 600 {{ include "postgresql.tlsCertKey" . }}
+          volumeMounts:
+            - name: raw-certificates
+              mountPath: /tmp/certs
+            - name: postgresql-certificates
+              mountPath: /opt/bitnami/postgresql/certs
+        {{- else if and .Values.volumePermissions.enabled (or .Values.readReplicas.persistence.enabled .Values.shmVolume.enabled) }}
+        - name: init-chmod-data
+          image: {{ include "postgresql.volumePermissions.image" . }}
+          imagePullPolicy: {{ .Values.volumePermissions.image.pullPolicy | quote }}
+          {{- if .Values.readReplicas.resources }}
+          resources: {{- toYaml .Values.readReplicas.resources | nindent 12 }}
+          {{- end }}
+          command:
+            - /bin/sh
+            - -ec
+            - |
+              {{- if .Values.readReplicas.persistence.enabled }}
+              {{- if eq ( toString ( .Values.volumePermissions.containerSecurityContext.runAsUser )) "auto" }}
+              chown `id -u`:`id -G | cut -d " " -f2` {{ .Values.readReplicas.persistence.mountPath }}
+              {{- else }}
+              chown {{ .Values.readReplicas.containerSecurityContext.runAsUser }}:{{ .Values.readReplicas.podSecurityContext.fsGroup }} {{ .Values.readReplicas.persistence.mountPath }}
+              {{- end }}
+              mkdir -p {{ .Values.readReplicas.persistence.mountPath }}/data {{- if (include "postgresql.mountConfigurationCM" .) }} {{ .Values.readReplicas.persistence.mountPath }}/conf {{- end }}
+              chmod 700 {{ .Values.readReplicas.persistence.mountPath }}/data {{- if (include "postgresql.mountConfigurationCM" .) }} {{ .Values.readReplicas.persistence.mountPath }}/conf {{- end }}
+              find {{ .Values.readReplicas.persistence.mountPath }} -mindepth 1 -maxdepth 1 {{- if not (include "postgresql.mountConfigurationCM" .) }} -not -name "conf" {{- end }} -not -name ".snapshot" -not -name "lost+found" | \
+              {{- if eq ( toString ( .Values.volumePermissions.containerSecurityContext.runAsUser )) "auto" }}
+                xargs -r chown -R `id -u`:`id -G | cut -d " " -f2`
+              {{- else }}
+                xargs -r chown -R {{ .Values.readReplicas.containerSecurityContext.runAsUser }}:{{ .Values.readReplicas.podSecurityContext.fsGroup }}
+              {{- end }}
+              {{- end }}
+              {{- if .Values.shmVolume.enabled }}
+              chmod -R 777 /dev/shm
+              {{- end }}
+              {{- if .Values.tls.enabled }}
+              cp /tmp/certs/* /opt/bitnami/postgresql/certs/
+              {{- if eq ( toString ( .Values.volumePermissions.containerSecurityContext.runAsUser )) "auto" }}
+              chown -R `id -u`:`id -G | cut -d " " -f2` /opt/bitnami/postgresql/certs/
+              {{- else }}
+              chown -R {{ .Values.readReplicas.containerSecurityContext.runAsUser }}:{{ .Values.readReplicas.podSecurityContext.fsGroup }} /opt/bitnami/postgresql/certs/
+              {{- end }}
+              chmod 600 {{ include "postgresql.tlsCertKey" . }}
+              {{- end }}
+          {{- if eq ( toString ( .Values.volumePermissions.containerSecurityContext.runAsUser )) "auto" }}
+          securityContext: {{- omit .Values.volumePermissions.containerSecurityContext "runAsUser" | toYaml | nindent 12 }}
+          {{- else }}
+          securityContext: {{- .Values.volumePermissions.containerSecurityContext | toYaml | nindent 12 }}
+          {{- end }}
+          volumeMounts:
+            {{ if .Values.readReplicas.persistence.enabled }}
+            - name: data
+              mountPath: {{ .Values.readReplicas.persistence.mountPath }}
+              {{- if .Values.readReplicas.persistence.subPath }}
+              subPath: {{ .Values.readReplicas.persistence.subPath }}
+              {{- end }}
+            {{- end }}
+            {{- if .Values.shmVolume.enabled }}
+            - name: dshm
+              mountPath: /dev/shm
+            {{- end }}
+            {{- if .Values.tls.enabled }}
+            - name: raw-certificates
+              mountPath: /tmp/certs
+            - name: postgresql-certificates
+              mountPath: /opt/bitnami/postgresql/certs
+            {{- end }}
+        {{- end }}
+        {{- if .Values.readReplicas.initContainers }}
+        {{- include "common.tplvalues.render" ( dict "value" .Values.readReplicas.initContainers "context" $ ) | nindent 8 }}
+        {{- end }}
+      containers:
+        - name: postgresql
+          image: {{ include "postgresql.image" . }}
+          imagePullPolicy: {{ .Values.image.pullPolicy | quote }}
+          {{- if .Values.readReplicas.containerSecurityContext.enabled }}
+          securityContext: {{- omit .Values.readReplicas.containerSecurityContext "enabled" | toYaml | nindent 12 }}
+          {{- end }}
+          {{- if .Values.diagnosticMode.enabled }}
+          command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }}
+          {{- else if .Values.readReplicas.command }}
+          command: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.command "context" $) | nindent 12 }}
+          {{- end }}
+          {{- if .Values.diagnosticMode.enabled }}
+          args: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.args "context" $) | nindent 12 }}
+          {{- else if .Values.readReplicas.args }}
+          args: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.args "context" $) | nindent 12 }}
+          {{- end }}
+          env:
+            - name: BITNAMI_DEBUG
+              value: {{ ternary "true" "false" (or .Values.image.debug .Values.diagnosticMode.enabled) | quote }}
+            - name: POSTGRESQL_PORT_NUMBER
+              value: {{ .Values.containerPorts.postgresql | quote }}
+            - name: POSTGRESQL_VOLUME_DIR
+              value: {{ .Values.readReplicas.persistence.mountPath | quote }}
+            {{- if .Values.readReplicas.persistence.mountPath }}
+            - name: PGDATA
+              value: {{ .Values.postgresqlDataDir | quote }}
+            {{- end }}
+            # Authentication
+          {{- if and (not (empty $customUser)) (ne $customUser "postgres") .Values.auth.enablePostgresUser }}
+            {{- if .Values.auth.usePasswordFiles }}
+            - name: POSTGRES_POSTGRES_PASSWORD_FILE
+              value: "/opt/bitnami/postgresql/secrets/postgres-password"
+            {{- else }}
+            - name: POSTGRES_POSTGRES_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: {{ include "postgresql.secretName" . }}
+                  key: {{ include "postgresql.adminPasswordKey" . }}
+            {{- end }}
+          {{- end }}
+            {{- if .Values.auth.usePasswordFiles }}
+            - name: POSTGRES_PASSWORD_FILE
+              value: {{ printf "/opt/bitnami/postgresql/secrets/%s" (ternary "password" "postgres-password" (and (not (empty $customUser)) (ne $customUser "postgres"))) }}
+            {{- else }}
+            - name: POSTGRES_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: {{ include "postgresql.secretName" . }}
+                  key: {{ include "postgresql.userPasswordKey" . }}
+            {{- end }}
+            # Replication
+            - name: POSTGRES_REPLICATION_MODE
+              value: "slave"
+            - name: POSTGRES_REPLICATION_USER
+              value: {{ .Values.auth.replicationUsername | quote }}
+            {{- if .Values.auth.usePasswordFiles }}
+            - name: POSTGRES_REPLICATION_PASSWORD_FILE
+              value: "/opt/bitnami/postgresql/secrets/replication-password"
+            {{- else }}
+            - name: POSTGRES_REPLICATION_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: {{ include "postgresql.secretName" . }}
+                  key: {{ include "postgresql.replicationPasswordKey" . }}
+            {{- end }}
+            - name: POSTGRES_CLUSTER_APP_NAME
+              value: {{ .Values.replication.applicationName }}
+            - name: POSTGRES_MASTER_HOST
+              value: {{ include "postgresql.primary.fullname" . }}
+            - name: POSTGRES_MASTER_PORT_NUMBER
+              value: {{ include "postgresql.service.port" . | quote }}
+            # TLS
+            - name: POSTGRESQL_ENABLE_TLS
+              value: {{ ternary "yes" "no" .Values.tls.enabled | quote }}
+            {{- if .Values.tls.enabled }}
+            - name: POSTGRESQL_TLS_PREFER_SERVER_CIPHERS
+              value: {{ ternary "yes" "no" .Values.tls.preferServerCiphers | quote }}
+            - name: POSTGRESQL_TLS_CERT_FILE
+              value: {{ include "postgresql.tlsCert" . }}
+            - name: POSTGRESQL_TLS_KEY_FILE
+              value: {{ include "postgresql.tlsCertKey" . }}
+            {{- if .Values.tls.certCAFilename }}
+            - name: POSTGRESQL_TLS_CA_FILE
+              value: {{ include "postgresql.tlsCACert" . }}
+            {{- end }}
+            {{- if .Values.tls.crlFilename }}
+            - name: POSTGRESQL_TLS_CRL_FILE
+              value: {{ include "postgresql.tlsCRL" . }}
+            {{- end }}
+            {{- end }}
+            # Audit
+            - name: POSTGRESQL_LOG_HOSTNAME
+              value: {{ .Values.audit.logHostname | quote }}
+            - name: POSTGRESQL_LOG_CONNECTIONS
+              value: {{ .Values.audit.logConnections | quote }}
+            - name: POSTGRESQL_LOG_DISCONNECTIONS
+              value: {{ .Values.audit.logDisconnections | quote }}
+            {{- if .Values.audit.logLinePrefix }}
+            - name: POSTGRESQL_LOG_LINE_PREFIX
+              value: {{ .Values.audit.logLinePrefix | quote }}
+            {{- end }}
+            {{- if .Values.audit.logTimezone }}
+            - name: POSTGRESQL_LOG_TIMEZONE
+              value: {{ .Values.audit.logTimezone | quote }}
+            {{- end }}
+            {{- if .Values.audit.pgAuditLog }}
+            - name: POSTGRESQL_PGAUDIT_LOG
+              value: {{ .Values.audit.pgAuditLog | quote }}
+            {{- end }}
+            - name: POSTGRESQL_PGAUDIT_LOG_CATALOG
+              value: {{ .Values.audit.pgAuditLogCatalog | quote }}
+            # Others
+            - name: POSTGRESQL_CLIENT_MIN_MESSAGES
+              value: {{ .Values.audit.clientMinMessages | quote }}
+            - name: POSTGRESQL_SHARED_PRELOAD_LIBRARIES
+              value: {{ .Values.postgresqlSharedPreloadLibraries | quote }}
+            {{- if .Values.readReplicas.extraEnvVars }}
+            {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.extraEnvVars "context" $) | nindent 12 }}
+            {{- end }}
+          {{- if or .Values.readReplicas.extraEnvVarsCM .Values.readReplicas.extraEnvVarsSecret }}
+          envFrom:
+            {{- if .Values.readReplicas.extraEnvVarsCM }}
+            - configMapRef:
+                name: {{ .Values.readReplicas.extraEnvVarsCM }}
+            {{- end }}
+            {{- if .Values.readReplicas.extraEnvVarsSecret }}
+            - secretRef:
+                name: {{ .Values.readReplicas.extraEnvVarsSecret }}
+            {{- end }}
+          {{- end }}
+          ports:
+            - name: tcp-postgresql
+              containerPort: {{ .Values.containerPorts.postgresql }}
+          {{- if not .Values.diagnosticMode.enabled }}
+          {{- if .Values.readReplicas.customStartupProbe }}
+          startupProbe: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.customStartupProbe "context" $) | nindent 12 }}
+          {{- else if .Values.readReplicas.startupProbe.enabled }}
+          startupProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.readReplicas.startupProbe "enabled") "context" $) | nindent 12 }}
+            exec:
+              command:
+                - /bin/sh
+                - -c
+                {{- if (include "postgresql.database" .) }}
+                - exec pg_isready -U {{ default "postgres" $customUser| quote }} -d "dbname={{ include "postgresql.database" . }} {{- if and .Values.tls.enabled .Values.tls.certCAFilename }} sslcert={{ include "postgresql.tlsCert" . }} sslkey={{ include "postgresql.tlsCertKey" . }}{{- end }}" -h 127.0.0.1 -p {{ .Values.containerPorts.postgresql }}
+                {{- else }}
+                - exec pg_isready -U {{ default "postgres" $customUser | quote }} {{- if and .Values.tls.enabled .Values.tls.certCAFilename }} -d "sslcert={{ include "postgresql.tlsCert" . }} sslkey={{ include "postgresql.tlsCertKey" . }}"{{- end }} -h 127.0.0.1 -p {{ .Values.containerPorts.postgresql }}
+                {{- end }}
+          {{- end }}
+          {{- if .Values.readReplicas.customLivenessProbe }}
+          livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.customLivenessProbe "context" $) | nindent 12 }}
+          {{- else if .Values.readReplicas.livenessProbe.enabled }}
+          livenessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.readReplicas.livenessProbe "enabled") "context" $) | nindent 12 }}
+            exec:
+              command:
+                - /bin/sh
+                - -c
+                {{- if (include "postgresql.database" .) }}
+                - exec pg_isready -U {{ default "postgres" $customUser | quote }} -d "dbname={{ include "postgresql.database" . }} {{- if and .Values.tls.enabled .Values.tls.certCAFilename }} sslcert={{ include "postgresql.tlsCert" . }} sslkey={{ include "postgresql.tlsCertKey" . }}{{- end }}" -h 127.0.0.1 -p {{ .Values.containerPorts.postgresql }}
+                {{- else }}
+                - exec pg_isready -U {{default "postgres" $customUser | quote }} {{- if and .Values.tls.enabled .Values.tls.certCAFilename }} -d "sslcert={{ include "postgresql.tlsCert" . }} sslkey={{ include "postgresql.tlsCertKey" . }}"{{- end }} -h 127.0.0.1 -p {{ .Values.containerPorts.postgresql }}
+                {{- end }}
+          {{- end }}
+          {{- if .Values.readReplicas.customReadinessProbe }}
+          readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.customReadinessProbe "context" $) | nindent 12 }}
+          {{- else if .Values.readReplicas.readinessProbe.enabled }}
+          readinessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.readReplicas.readinessProbe "enabled") "context" $) | nindent 12 }}
+            exec:
+              command:
+                - /bin/sh
+                - -c
+                - -e
+                {{- include "postgresql.readinessProbeCommand" . | nindent 16 }}
+          {{- end }}
+          {{- end }}
+          {{- if .Values.readReplicas.resources }}
+          resources: {{- toYaml .Values.readReplicas.resources | nindent 12 }}
+          {{- end }}
+          {{- if .Values.readReplicas.lifecycleHooks }}
+          lifecycle: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.lifecycleHooks "context" $) | nindent 12 }}
+          {{- end }}
+          volumeMounts:
+            {{- if .Values.auth.usePasswordFiles }}
+            - name: postgresql-password
+              mountPath: /opt/bitnami/postgresql/secrets/
+            {{- end }}
+            {{- if .Values.readReplicas.extendedConfiguration }}
+            - name: postgresql-extended-config
+              mountPath: /bitnami/postgresql/conf/conf.d/
+            {{- end }}
+            {{- if .Values.tls.enabled }}
+            - name: postgresql-certificates
+              mountPath: /opt/bitnami/postgresql/certs
+              readOnly: true
+            {{- end }}
+            {{- if .Values.shmVolume.enabled }}
+            - name: dshm
+              mountPath: /dev/shm
+            {{- end }}
+            {{- if .Values.readReplicas.persistence.enabled }}
+            - name: data
+              mountPath: {{ .Values.readReplicas.persistence.mountPath }}
+              {{- if .Values.readReplicas.persistence.subPath }}
+              subPath: {{ .Values.readReplicas.persistence.subPath }}
+              {{- end }}
+            {{- end }}
+            {{- if .Values.readReplicas.extraVolumeMounts }}
+            {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.extraVolumeMounts "context" $) | nindent 12 }}
+            {{- end }}
+        {{- if .Values.metrics.enabled }}
+        - name: metrics
+          image: {{ include "postgresql.metrics.image" . }}
+          imagePullPolicy: {{ .Values.metrics.image.pullPolicy | quote }}
+          {{- if .Values.metrics.containerSecurityContext.enabled }}
+          securityContext: {{- omit .Values.metrics.containerSecurityContext "enabled" | toYaml | nindent 12 }}
+          {{- end }}
+          {{- if .Values.diagnosticMode.enabled }}
+          command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }}
+          args: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.args "context" $) | nindent 12 }}
+          {{- else if .Values.metrics.customMetrics }}
+          args: [ "--extend.query-path", "/conf/custom-metrics.yaml" ]
+          {{- end }}
+          env:
+            {{- $database := required "In order to enable metrics you need to specify a database (.Values.auth.database or .Values.global.postgresql.auth.database)" (include "postgresql.database" .) }}
+              - name: DATA_SOURCE_URI
+                value: {{ printf "127.0.0.1:%d/%s?sslmode=disable" (int (include "postgresql.service.port" .)) $database }}
+              {{- if .Values.auth.usePasswordFiles }}
+              - name: DATA_SOURCE_PASS_FILE
+                value: {{ printf "/opt/bitnami/postgresql/secrets/%s" (ternary "password" "postgres-password" (and (not (empty $customUser)) (ne $customUser "postgres"))) }}
+              {{- else }}
+              - name: DATA_SOURCE_PASS
+                valueFrom:
+                  secretKeyRef:
+                    name: {{ include "postgresql.secretName" . }}
+                    key: {{ include "postgresql.userPasswordKey" . }}
+              {{- end }}
+              - name: DATA_SOURCE_USER
+                value: {{ default "postgres" $customUser | quote }}
+              {{- if .Values.metrics.extraEnvVars }}
+              {{- include "common.tplvalues.render" (dict "value" .Values.metrics.extraEnvVars "context" $) | nindent 12 }}
+              {{- end }}
+          ports:
+            - name: http-metrics
+              containerPort: {{ .Values.metrics.containerPorts.metrics }}
+          {{- if not .Values.diagnosticMode.enabled }}
+          {{- if .Values.metrics.customStartupProbe }}
+          startupProbe: {{- include "common.tplvalues.render" (dict "value" .Values.metrics.customStartupProbe "context" $) | nindent 12 }}
+          {{- else if .Values.metrics.startupProbe.enabled }}
+          startupProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.metrics.startupProbe "enabled") "context" $) | nindent 12 }}
+            tcpSocket:
+              port: http-metrics
+          {{- end }}
+          {{- if .Values.metrics.customLivenessProbe }}
+          livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.metrics.customLivenessProbe "context" $) | nindent 12 }}
+          {{- else if .Values.metrics.livenessProbe.enabled }}
+          livenessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.metrics.livenessProbe "enabled") "context" $) | nindent 12 }}
+            httpGet:
+              path: /
+              port: http-metrics
+          {{- end }}
+          {{- if .Values.metrics.customReadinessProbe }}
+          readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.metrics.customReadinessProbe "context" $) | nindent 12 }}
+          {{- else if .Values.metrics.readinessProbe.enabled }}
+          readinessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.metrics.readinessProbe "enabled") "context" $) | nindent 12 }}
+            httpGet:
+              path: /
+              port: http-metrics
+          {{- end }}
+          {{- end }}
+          volumeMounts:
+            {{- if .Values.auth.usePasswordFiles }}
+            - name: postgresql-password
+              mountPath: /opt/bitnami/postgresql/secrets/
+            {{- end }}
+            {{- if .Values.metrics.customMetrics }}
+            - name: custom-metrics
+              mountPath: /conf
+              readOnly: true
+            {{- end }}
+          {{- if .Values.metrics.resources }}
+          resources: {{- toYaml .Values.metrics.resources | nindent 12 }}
+          {{- end }}
+        {{- end }}
+        {{- if .Values.readReplicas.sidecars }}
+        {{- include "common.tplvalues.render" ( dict "value" .Values.readReplicas.sidecars "context" $ ) | nindent 8 }}
+        {{- end }}
+      volumes:
+        {{- if .Values.readReplicas.extendedConfiguration }}
+        - name: postgresql-extended-config
+          configMap:
+            name: {{ include "postgresql.readReplicas.extendedConfigmapName" . }}
+        {{- end }}
+        {{- if .Values.auth.usePasswordFiles }}
+        - name: postgresql-password
+          secret:
+            secretName: {{ include "postgresql.secretName" . }}
+        {{- end }}
+        {{- if .Values.tls.enabled }}
+        - name: raw-certificates
+          secret:
+            secretName: {{ include "postgresql.tlsSecretName" . }}
+        - name: postgresql-certificates
+          emptyDir: {}
+        {{- end }}
+        {{- if and .Values.metrics.enabled .Values.metrics.customMetrics }}
+        - name: custom-metrics
+          configMap:
+            name: {{ printf "%s-metrics" (include "common.names.fullname" .) }}
+        {{- end }}
+        {{- if .Values.shmVolume.enabled }}
+        - name: dshm
+          emptyDir:
+            medium: Memory
+            {{- if .Values.shmVolume.sizeLimit }}
+            sizeLimit: {{ .Values.shmVolume.sizeLimit }}
+            {{- end }}
+        {{- end }}
+        {{- if .Values.readReplicas.extraVolumes }}
+        {{- include "common.tplvalues.render" ( dict "value" .Values.readReplicas.extraVolumes "context" $ ) | nindent 8 }}
+        {{- end }}
+  {{- if and .Values.readReplicas.persistence.enabled .Values.readReplicas.persistence.existingClaim }}
+        - name: data
+          persistentVolumeClaim:
+            claimName: {{ tpl .Values.readReplicas.persistence.existingClaim $ }}
+  {{- else if not .Values.readReplicas.persistence.enabled }}
+        - name: data
+          emptyDir: {}
+  {{- else }}
+  volumeClaimTemplates:
+    - metadata:
+        name: data
+        {{- if .Values.readReplicas.persistence.annotations }}
+        annotations: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.persistence.annotations "context" $) | nindent 10 }}
+        {{- end }}
+        {{- if .Values.readReplicas.persistence.labels }}
+        labels: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.persistence.labels "context" $) | nindent 10 }}
+        {{- end }}
+      spec:
+        accessModes:
+        {{- range .Values.readReplicas.persistence.accessModes }}
+          - {{ . | quote }}
+        {{- end }}
+        {{- if .Values.readReplicas.persistence.dataSource }}
+        dataSource: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.persistence.dataSource "context" $) | nindent 10 }}
+        {{- end }}
+        resources:
+          requests:
+            storage: {{ .Values.readReplicas.persistence.size | quote }}
+        {{- if .Values.readReplicas.persistence.selector }}
+        selector: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.persistence.selector "context" $) | nindent 10 }}
+        {{- end -}}
+        {{- include "common.storage.class" (dict "persistence" .Values.readReplicas.persistence "global" .Values.global) | nindent 8 }}
+  {{- end }}
+{{- end }}
diff --git a/helm/infrastructure/subcharts/kong/charts/postgresql/templates/read/svc-headless.yaml b/helm/infrastructure/subcharts/kong/charts/postgresql/templates/read/svc-headless.yaml
new file mode 100644 (file)
index 0000000..0371e49
--- /dev/null
@@ -0,0 +1,33 @@
+{{- if eq .Values.architecture "replication" }}
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "postgresql.readReplica.svc.headless" . }}
+  namespace: {{ .Release.Namespace | quote }}
+  labels: {{- include "common.labels.standard" . | nindent 4 }}
+    {{- if .Values.commonLabels }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
+    {{- end }}
+    app.kubernetes.io/component: read
+  {{- if .Values.commonAnnotations }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+  {{- end }}
+    # Use this annotation in addition to the actual publishNotReadyAddresses
+    # field below because the annotation will stop being respected soon but the
+    # field is broken in some versions of Kubernetes:
+    # https://github.com/kubernetes/kubernetes/issues/58662
+    service.alpha.kubernetes.io/tolerate-unready-endpoints: "true"
+spec:
+  type: ClusterIP
+  clusterIP: None
+  # We want all pods in the StatefulSet to have their addresses published for
+  # the sake of the other Postgresql pods even before they're ready, since they
+  # have to be able to talk to each other in order to become ready.
+  publishNotReadyAddresses: true
+  ports:
+    - name: tcp-postgresql
+      port: {{ include "postgresql.readReplica.service.port" . }}
+      targetPort: tcp-postgresql
+  selector: {{- include "common.labels.matchLabels" . | nindent 4 }}
+    app.kubernetes.io/component: read
+{{- end }}
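Review bot: The `service.alpha.kubernetes.io/tolerate-unready-endpoints: "true"` entry at the end of `metadata` is only an annotation when `.Values.commonAnnotations` is set; otherwise the conditional `annotations:` key above it is trimmed away and the 4-space-indented line is parsed as a child of the preceding `labels:` mapping, i.e. it becomes a label. Because `"true"` is a valid label value the manifest still applies, so this fails silently; only the `publishNotReadyAddresses: true` field below actually does the work, and the comment's stated fallback for older clusters is not in effect. Emit `annotations:` unconditionally and move the `{{- if .Values.commonAnnotations }}` guard inside it, the same shape svc.yaml in this commit already uses for its `annotations:` block, so the legacy annotation lands under `annotations:` in every render.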
diff --git a/helm/infrastructure/subcharts/kong/charts/postgresql/templates/read/svc.yaml b/helm/infrastructure/subcharts/kong/charts/postgresql/templates/read/svc.yaml
new file mode 100644 (file)
index 0000000..3eece4d
--- /dev/null
@@ -0,0 +1,53 @@
+{{- if eq .Values.architecture "replication" }}
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "postgresql.readReplica.fullname" . }}
+  namespace: {{ .Release.Namespace | quote }}
+  labels: {{- include "common.labels.standard" . | nindent 4 }}
+    {{- if .Values.commonLabels }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
+    {{- end }}
+    app.kubernetes.io/component: read
+  annotations:
+    {{- if .Values.commonAnnotations }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+    {{- end }}
+    {{- if .Values.readReplicas.service.annotations }}
+    {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.service.annotations "context" $) | nindent 4 }}
+    {{- end }}
+spec:
+  type: {{ .Values.readReplicas.service.type }}
+  {{- if or (eq .Values.readReplicas.service.type "LoadBalancer") (eq .Values.readReplicas.service.type "NodePort") }}
+  externalTrafficPolicy: {{ .Values.readReplicas.service.externalTrafficPolicy | quote }}
+  {{- end }}
+  {{- if and (eq .Values.readReplicas.service.type "LoadBalancer") (not (empty .Values.readReplicas.service.loadBalancerSourceRanges)) }}
+  loadBalancerSourceRanges: {{ .Values.readReplicas.service.loadBalancerSourceRanges }}
+  {{- end }}
+  {{- if and (eq .Values.readReplicas.service.type "LoadBalancer") (not (empty .Values.readReplicas.service.loadBalancerIP)) }}
+  loadBalancerIP: {{ .Values.readReplicas.service.loadBalancerIP }}
+  {{- end }}
+  {{- if and .Values.readReplicas.service.clusterIP (eq .Values.readReplicas.service.type "ClusterIP") }}
+  clusterIP: {{ .Values.readReplicas.service.clusterIP }}
+  {{- end }}
+  {{- if .Values.readReplicas.service.sessionAffinity }}
+  sessionAffinity: {{ .Values.readReplicas.service.sessionAffinity }}
+  {{- end }}
+  {{- if .Values.readReplicas.service.sessionAffinityConfig }}
+  sessionAffinityConfig: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.service.sessionAffinityConfig "context" $) | nindent 4 }}
+  {{- end }}
+  ports:
+    - name: tcp-postgresql
+      port: {{ include "postgresql.readReplica.service.port" . }}
+      targetPort: tcp-postgresql
+      {{- if and (or (eq .Values.readReplicas.service.type "NodePort") (eq .Values.readReplicas.service.type "LoadBalancer")) (not (empty .Values.readReplicas.service.nodePorts.postgresql)) }}
+      nodePort: {{ .Values.readReplicas.service.nodePorts.postgresql }}
+      {{- else if eq .Values.readReplicas.service.type "ClusterIP" }}
+      nodePort: null
+      {{- end }}
+    {{- if .Values.readReplicas.service.extraPorts }}
+    {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.service.extraPorts "context" $) | nindent 4 }}
+    {{- end }}
+  selector: {{- include "common.labels.matchLabels" . | nindent 4 }}
+    app.kubernetes.io/component: read
+{{- end }}
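Review bot: `loadBalancerSourceRanges: {{ .Values.readReplicas.service.loadBalancerSourceRanges }}` interpolates a list with Go's default formatting (`[10.0.0.0/8 192.168.0.0/16]`, space-separated, no commas), which YAML reads as a single-element flow sequence; with more than one CIDR the API server rejects the Service as an invalid CIDR, so the read-replica LoadBalancer cannot be exposed with a multi-range allow-list at all. Render it as YAML instead: `loadBalancerSourceRanges: {{- toYaml .Values.readReplicas.service.loadBalancerSourceRanges | nindent 4 }}`. The single-range case happens to work, which is presumably why this went unnoticed; the other scalar fields (`loadBalancerIP`, `clusterIP`) are unaffected.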
diff --git a/helm/infrastructure/subcharts/kong/charts/postgresql/templates/role.yaml b/helm/infrastructure/subcharts/kong/charts/postgresql/templates/role.yaml
new file mode 100644 (file)
index 0000000..00f9222
--- /dev/null
@@ -0,0 +1,31 @@
+{{- if .Values.rbac.create }}
+kind: Role
+apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }}
+metadata:
+  name: {{ include "common.names.fullname" . }}
+  namespace: {{ .Release.Namespace | quote }}
+  labels: {{- include "common.labels.standard" . | nindent 4 }}
+    {{- if .Values.commonLabels }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
+    {{- end }}
+  {{- if .Values.commonAnnotations }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+  {{- end }}
+# yamllint disable rule:indentation
+rules:
+  {{- $pspAvailable := (semverCompare "<1.25-0" (include "common.capabilities.kubeVersion" .)) -}}
+  {{- if and $pspAvailable .Values.psp.create }}
+  - apiGroups:
+      - 'policy'
+    resources:
+      - 'podsecuritypolicies'
+    verbs:
+      - 'use'
+    resourceNames:
+      - {{ include "common.names.fullname" . }}
+  {{- end }}
+  {{- if .Values.rbac.rules }}
+  {{- include "common.tplvalues.render" ( dict "value" .Values.rbac.rules "context" $ ) | nindent 2 }}
+  {{- end }}
+# yamllint enable rule:indentation
+{{- end }}
diff --git a/helm/infrastructure/subcharts/kong/charts/postgresql/templates/rolebinding.yaml b/helm/infrastructure/subcharts/kong/charts/postgresql/templates/rolebinding.yaml
new file mode 100644 (file)
index 0000000..0311c0e
--- /dev/null
@@ -0,0 +1,22 @@
+{{- if .Values.rbac.create }}
+kind: RoleBinding
+apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }}
+metadata:
+  name: {{ include "common.names.fullname" . }}
+  namespace: {{ .Release.Namespace | quote }}
+  labels: {{- include "common.labels.standard" . | nindent 4 }}
+    {{- if .Values.commonLabels }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
+    {{- end }}
+  {{- if .Values.commonAnnotations }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+  {{- end }}
+roleRef:
+  kind: Role
+  name: {{ include "common.names.fullname" . }}
+  apiGroup: rbac.authorization.k8s.io
+subjects:
+  - kind: ServiceAccount
+    name: {{ include "postgresql.serviceAccountName" . }}
+    namespace: {{ .Release.Namespace | quote }}
+{{- end }}
diff --git a/helm/infrastructure/subcharts/kong/charts/postgresql/templates/secrets.yaml b/helm/infrastructure/subcharts/kong/charts/postgresql/templates/secrets.yaml
new file mode 100644 (file)
index 0000000..5f28fb3
--- /dev/null
@@ -0,0 +1,29 @@
+{{- if (include "postgresql.createSecret" .) }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "common.names.fullname" . }}
+  namespace: {{ .Release.Namespace | quote }}
+  labels: {{- include "common.labels.standard" . | nindent 4 }}
+    {{- if .Values.commonLabels }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
+    {{- end }}
+  {{- if .Values.commonAnnotations }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+  {{- end }}
+type: Opaque
+data:
+  {{- if .Values.auth.enablePostgresUser }}
+  postgres-password: {{ include "common.secrets.passwords.manage" (dict "secret" (include "common.names.fullname" .) "key" "postgres-password" "providedValues" (list "global.postgresql.auth.postgresPassword" "auth.postgresPassword") "context" $) }}
+  {{- end }}
+  {{- if not (empty (include "postgresql.username" .)) }}
+  password: {{ include "common.secrets.passwords.manage" (dict "secret" (include "common.names.fullname" .) "key" "password" "providedValues" (list "global.postgresql.auth.password" "auth.password") "context" $) }}
+  {{- end }}
+  {{- if eq .Values.architecture "replication" }}
+  replication-password: {{ include "common.secrets.passwords.manage" (dict "secret" (include "common.names.fullname" .) "key" "replication-password" "providedValues" (list "auth.replicationPassword") "context" $) }}
+  {{- end }}
+  # We don't auto-generate LDAP password when it's not provided as we do for other passwords
+  {{- if and .Values.ldap.enabled (or .Values.ldap.bind_password .Values.ldap.bindpw) }}
+  ldap-password: {{ coalesce .Values.ldap.bind_password .Values.ldap.bindpw  | b64enc | quote }}
+  {{- end }}
+{{- end -}}
diff --git a/helm/infrastructure/subcharts/kong/charts/postgresql/templates/serviceaccount.yaml b/helm/infrastructure/subcharts/kong/charts/postgresql/templates/serviceaccount.yaml
new file mode 100644 (file)
index 0000000..179f8f2
--- /dev/null
@@ -0,0 +1,19 @@
+{{- if .Values.serviceAccount.create }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "postgresql.serviceAccountName" . }}
+  namespace: {{ .Release.Namespace | quote }}
+  labels: {{- include "common.labels.standard" . | nindent 4 }}
+    {{- if .Values.commonLabels }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
+    {{- end }}
+  annotations:
+    {{- if .Values.commonAnnotations }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+    {{- end }}
+    {{- if .Values.serviceAccount.annotations }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.serviceAccount.annotations "context" $ ) | nindent 4 }}
+    {{- end }}
+automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }}
+{{- end }}
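Review bot: `automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }}` renders as a bare `automountServiceAccountToken:` (null) when the value is unset, and the cluster default then mounts an API token into every PostgreSQL pod even though nothing in this chart needs the API (the accompanying Role only grants PSP `use`). The chart's values.yaml default is outside this view, so this may already be `false`; if it is not, set it to `false` there, and consider documenting the intent next to the field: `# PostgreSQL never calls the Kubernetes API; keep this false unless a sidecar needs a token`. Quoting is not needed since the field is a real boolean, but an explicit value should always be present.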
diff --git a/helm/infrastructure/subcharts/kong/charts/postgresql/templates/tls-secrets.yaml b/helm/infrastructure/subcharts/kong/charts/postgresql/templates/tls-secrets.yaml
new file mode 100644 (file)
index 0000000..59c5776
--- /dev/null
@@ -0,0 +1,27 @@
+{{- if (include "postgresql.createTlsSecret" . ) }}
+{{- $ca := genCA "postgresql-ca" 365 }}
+{{- $fullname := include "common.names.fullname" . }}
+{{- $releaseNamespace := .Release.Namespace }}
+{{- $clusterDomain := .Values.clusterDomain }}
+{{- $primaryHeadlessServiceName := include "postgresql.primary.svc.headless" . }}
+{{- $readHeadlessServiceName := include "postgresql.readReplica.svc.headless" . }}
+{{- $altNames := list (printf "*.%s.%s.svc.%s" $fullname $releaseNamespace $clusterDomain) (printf "%s.%s.svc.%s" $fullname $releaseNamespace $clusterDomain) (printf "*.%s.%s.svc.%s" $primaryHeadlessServiceName $releaseNamespace $clusterDomain) (printf "%s.%s.svc.%s" $primaryHeadlessServiceName $releaseNamespace $clusterDomain) (printf "*.%s.%s.svc.%s" $readHeadlessServiceName $releaseNamespace $clusterDomain) (printf "%s.%s.svc.%s" $readHeadlessServiceName $releaseNamespace $clusterDomain) $fullname }}
+{{- $crt := genSignedCert $fullname nil $altNames 365 $ca }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ printf "%s-crt" (include "common.names.fullname" .) }}
+  namespace: {{ .Release.Namespace | quote }}
+  labels: {{- include "common.labels.standard" . | nindent 4 }}
+    {{- if .Values.commonLabels }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
+    {{- end }}
+  {{- if .Values.commonAnnotations }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+  {{- end }}
+type: kubernetes.io/tls
+data:
+  ca.crt: {{ $ca.Cert | b64enc | quote }}
+  tls.crt: {{ $crt.Cert | b64enc | quote }}
+  tls.key: {{ $crt.Key | b64enc | quote }}
+{{- end }}
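Review bot: `genCA` and `genSignedCert` run on every render with no `lookup` of the existing Secret, so each `helm upgrade` replaces the CA, server certificate and private key; any client that trusts the previous `ca.crt` (for example a verify-full connection, or a replica that has not yet been restarted) stops validating the primary until it re-reads the Secret. The 365-day validity is also hard-coded with no renewal path other than an upgrade, which then rotates everything at once. Reuse the existing Secret when one is present and only generate on first install, keeping the SAN list and metadata unchanged; if the bundled `common` chart exposes a lookup helper, prefer it over the hand-written form below. Note that `lookup` returns nothing under `helm template` or dry-run, so those paths still produce fresh material.
```yaml
{{- $secretName := printf "%s-crt" (include "common.names.fullname" .) }}
{{- $existing := lookup "v1" "Secret" .Release.Namespace $secretName }}
{{- $caCert := "" }}
{{- $tlsCert := "" }}
{{- $tlsKey := "" }}
{{- if and $existing $existing.data }}
{{- $caCert = index $existing.data "ca.crt" }}
{{- $tlsCert = index $existing.data "tls.crt" }}
{{- $tlsKey = index $existing.data "tls.key" }}
{{- else }}
{{- $ca := genCA "postgresql-ca" 365 }}
# … unchanged: $fullname/$altNames construction and genSignedCert …
{{- $caCert = $ca.Cert | b64enc }}
{{- $tlsCert = $crt.Cert | b64enc }}
{{- $tlsKey = $crt.Key | b64enc }}
{{- end }}
# … unchanged: apiVersion, kind, metadata …
data:
  ca.crt: {{ $caCert | quote }}
  tls.crt: {{ $tlsCert | quote }}
  tls.key: {{ $tlsKey | quote }}
```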
diff --git a/helm/infrastructure/subcharts/kong/charts/postgresql/values.schema.json b/helm/infrastructure/subcharts/kong/charts/postgresql/values.schema.json
new file mode 100644 (file)
index 0000000..fc41483
--- /dev/null
@@ -0,0 +1,156 @@
+{
+  "$schema": "http://json-schema.org/schema#",
+  "type": "object",
+  "properties": {
+    "architecture": {
+      "type": "string",
+      "title": "PostgreSQL architecture",
+      "form": true,
+      "description": "Allowed values: `standalone` or `replication`"
+    },
+    "auth": {
+      "type": "object",
+      "title": "Authentication configuration",
+      "form": true,
+      "properties": {
+        "enablePostgresUser": {
+          "type": "boolean",
+          "title": "Enable \"postgres\" admin user",
+          "description": "Assign a password to the \"postgres\" admin user. Otherwise, remote access will be blocked for this user",
+          "form": true
+        },
+        "postgresPassword": {
+          "type": "string",
+          "title": "Password for the \"postgres\" admin user",
+          "description": "Defaults to a random 10-character alphanumeric string if not set",
+          "form": true
+        },
+        "database": {
+          "type": "string",
+          "title": "PostgreSQL custom database",
+          "description": "Name of the custom database to be created during the 1st initialization of PostgreSQL",
+          "form": true
+        },
+        "username": {
+          "type": "string",
+          "title": "PostgreSQL custom user",
+          "description": "Name of the custom user to be created during the 1st initialization of PostgreSQL. This user only has permissions on the PostgreSQL custom database",
+          "form": true
+        },
+        "password": {
+          "type": "string",
+          "title": "Password for the custom user to create",
+          "description": "Defaults to a random 10-character alphanumeric string if not set",
+          "form": true
+        },
+        "replicationUsername": {
+          "type": "string",
+          "title": "PostgreSQL replication user",
+          "description": "Name of user used to manage replication.",
+          "form": true,
+          "hidden": {
+            "value": "standalone",
+            "path": "architecture"
+          }
+        },
+        "replicationPassword": {
+          "type": "string",
+          "title": "Password for PostgreSQL replication user",
+          "description": "Defaults to a random 10-character alphanumeric string if not set",
+          "form": true,
+          "hidden": {
+            "value": "standalone",
+            "path": "architecture"
+          }
+        }
+      }
+    },
+    "persistence": {
+      "type": "object",
+      "properties": {
+        "size": {
+          "type": "string",
+          "title": "Persistent Volume Size",
+          "form": true,
+          "render": "slider",
+          "sliderMin": 1,
+          "sliderMax": 100,
+          "sliderUnit": "Gi"
+        }
+      }
+    },
+    "resources": {
+      "type": "object",
+      "title": "Required Resources",
+      "description": "Configure resource requests",
+      "form": true,
+      "properties": {
+        "requests": {
+          "type": "object",
+          "properties": {
+            "memory": {
+              "type": "string",
+              "form": true,
+              "render": "slider",
+              "title": "Memory Request",
+              "sliderMin": 10,
+              "sliderMax": 2048,
+              "sliderUnit": "Mi"
+            },
+            "cpu": {
+              "type": "string",
+              "form": true,
+              "render": "slider",
+              "title": "CPU Request",
+              "sliderMin": 10,
+              "sliderMax": 2000,
+              "sliderUnit": "m"
+            }
+          }
+        }
+      }
+    },
+    "replication": {
+      "type": "object",
+      "form": true,
+      "title": "Replication Details",
+      "properties": {
+        "enabled": {
+          "type": "boolean",
+          "title": "Enable Replication",
+          "form": true
+        },
+        "readReplicas": {
+          "type": "integer",
+          "title": "read Replicas",
+          "form": true,
+          "hidden": {
+            "value": "standalone",
+            "path": "architecture"
+          }
+        }
+      }
+    },
+    "volumePermissions": {
+      "type": "object",
+      "properties": {
+        "enabled": {
+          "type": "boolean",
+          "form": true,
+          "title": "Enable Init Containers",
+          "description": "Change the owner of the persist volume mountpoint to RunAsUser:fsGroup"
+        }
+      }
+    },
+    "metrics": {
+      "type": "object",
+      "properties": {
+        "enabled": {
+          "type": "boolean",
+          "title": "Configure metrics exporter",
+          "form": true
+        }
+      }
+    }
+  }
+}
diff --git a/helm/infrastructure/subcharts/kong/charts/postgresql/values.yaml b/helm/infrastructure/subcharts/kong/charts/postgresql/values.yaml
new file mode 100644 (file)
index 0000000..8d0e5fe
--- /dev/null
@@ -0,0 +1,1399 @@
+## @section Global parameters
+## Please, note that this will override the parameters, including dependencies, configured to use the global value
+##
+global:
+  ## @param global.imageRegistry Global Docker image registry
+  ##
+  imageRegistry: ""
+  ## @param global.imagePullSecrets Global Docker registry secret names as an array
+  ## e.g.
+  ## imagePullSecrets:
+  ##   - myRegistryKeySecretName
+  ##
+  imagePullSecrets: []
+  ## @param global.storageClass Global StorageClass for Persistent Volume(s)
+  ##
+  storageClass: ""
+  postgresql:
+    ## @param global.postgresql.auth.postgresPassword Password for the "postgres" admin user (overrides `auth.postgresPassword`)
+    ## @param global.postgresql.auth.username Name for a custom user to create (overrides `auth.username`)
+    ## @param global.postgresql.auth.password Password for the custom user to create (overrides `auth.password`)
+    ## @param global.postgresql.auth.database Name for a custom database to create (overrides `auth.database`)
+    ## @param global.postgresql.auth.existingSecret Name of existing secret to use for PostgreSQL credentials (overrides `auth.existingSecret`).
+    ## @param global.postgresql.auth.secretKeys.adminPasswordKey Name of key in existing secret to use for PostgreSQL credentials (overrides `auth.secretKeys.adminPasswordKey`). Only used when `global.postgresql.auth.existingSecret` is set.
+    ## @param global.postgresql.auth.secretKeys.userPasswordKey Name of key in existing secret to use for PostgreSQL credentials (overrides `auth.secretKeys.userPasswordKey`). Only used when `global.postgresql.auth.existingSecret` is set.
+    ## @param global.postgresql.auth.secretKeys.replicationPasswordKey Name of key in existing secret to use for PostgreSQL credentials (overrides `auth.secretKeys.replicationPasswordKey`). Only used when `global.postgresql.auth.existingSecret` is set.
+    ##
+    auth:
+      postgresPassword: ""
+      username: ""
+      password: ""
+      database: ""
+      existingSecret: ""
+      secretKeys:
+        adminPasswordKey: ""
+        userPasswordKey: ""
+        replicationPasswordKey: ""
+    ## @param global.postgresql.service.ports.postgresql PostgreSQL service port (overrides `service.ports.postgresql`)
+    ##
+    service:
+      ports:
+        postgresql: ""
+
+## @section Common parameters
+##
+
+## @param kubeVersion Override Kubernetes version
+##
+kubeVersion: ""
+## @param nameOverride String to partially override common.names.fullname template (will maintain the release name)
+##
+nameOverride: ""
+## @param fullnameOverride String to fully override common.names.fullname template
+##
+fullnameOverride: ""
+## @param clusterDomain Kubernetes Cluster Domain
+##
+clusterDomain: cluster.local
+## @param extraDeploy Array of extra objects to deploy with the release (evaluated as a template)
+##
+extraDeploy: []
+## @param commonLabels Add labels to all the deployed resources
+##
+commonLabels: {}
+## @param commonAnnotations Add annotations to all the deployed resources
+##
+commonAnnotations: {}
+## Enable diagnostic mode in the statefulset
+##
+diagnosticMode:
+  ## @param diagnosticMode.enabled Enable diagnostic mode (all probes will be disabled and the command will be overridden)
+  ##
+  enabled: false
+  ## @param diagnosticMode.command Command to override all containers in the statefulset
+  ##
+  command:
+    - sleep
+  ## @param diagnosticMode.args Args to override all containers in the statefulset
+  ##
+  args:
+    - infinity
+
+## @section PostgreSQL common parameters
+##
+
+## Bitnami PostgreSQL image version
+## ref: https://hub.docker.com/r/bitnami/postgresql/tags/
+## @param image.registry PostgreSQL image registry
+## @param image.repository PostgreSQL image repository
+## @param image.tag PostgreSQL image tag (immutable tags are recommended)
+## @param image.digest PostgreSQL image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag
+## @param image.pullPolicy PostgreSQL image pull policy
+## @param image.pullSecrets Specify image pull secrets
+## @param image.debug Specify if debug values should be set
+##
+image:
+  registry: docker.io
+  repository: bitnami/postgresql
+  tag: 14.5.0-debian-11-r35
+  digest: ""
+  ## Specify a imagePullPolicy
+  ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
+  ## ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images
+  ##
+  pullPolicy: IfNotPresent
+  ## Optionally specify an array of imagePullSecrets.
+  ## Secrets must be manually created in the namespace.
+  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
+  ## Example:
+  ## pullSecrets:
+  ##   - myRegistryKeySecretName
+  ##
+  pullSecrets: []
+  ## Set to true if you would like to see extra information on logs
+  ##
+  debug: false
+## Authentication parameters
+## ref: https://github.com/bitnami/containers/tree/main/bitnami/postgresql#setting-the-root-password-on-first-run
+## ref: https://github.com/bitnami/containers/tree/main/bitnami/postgresql#creating-a-database-on-first-run
+## ref: https://github.com/bitnami/containers/tree/main/bitnami/postgresql#creating-a-database-user-on-first-run
+##
+auth:
+  ## @param auth.enablePostgresUser Assign a password to the "postgres" admin user. Otherwise, remote access will be blocked for this user
+  ##
+  enablePostgresUser: true
+  ## @param auth.postgresPassword Password for the "postgres" admin user. Ignored if `auth.existingSecret` with key `postgres-password` is provided
+  ##
+  postgresPassword: ""
+  ## @param auth.username Name for a custom user to create
+  ##
+  username: ""
+  ## @param auth.password Password for the custom user to create. Ignored if `auth.existingSecret` with key `password` is provided
+  ##
+  password: ""
+  ## @param auth.database Name for a custom database to create
+  ##
+  database: ""
+  ## @param auth.replicationUsername Name of the replication user
+  ##
+  replicationUsername: repl_user
+  ## @param auth.replicationPassword Password for the replication user. Ignored if `auth.existingSecret` with key `replication-password` is provided
+  ##
+  replicationPassword: ""
+  ## @param auth.existingSecret Name of existing secret to use for PostgreSQL credentials. `auth.postgresPassword`, `auth.password`, and `auth.replicationPassword` will be ignored and picked up from this secret. The secret might also contains the key `ldap-password` if LDAP is enabled. `ldap.bind_password` will be ignored and picked from this secret in this case.
+  ##
+  existingSecret: ""
+  ## @param auth.secretKeys.adminPasswordKey Name of key in existing secret to use for PostgreSQL credentials. Only used when `auth.existingSecret` is set.
+  ## @param auth.secretKeys.userPasswordKey Name of key in existing secret to use for PostgreSQL credentials. Only used when `auth.existingSecret` is set.
+  ## @param auth.secretKeys.replicationPasswordKey Name of key in existing secret to use for PostgreSQL credentials. Only used when `auth.existingSecret` is set.
+  ##
+  secretKeys:
+    adminPasswordKey: postgres-password
+    userPasswordKey: password
+    replicationPasswordKey: replication-password
+  ## @param auth.usePasswordFiles Mount credentials as a files instead of using an environment variable
+  ##
+  usePasswordFiles: false
+## @param architecture PostgreSQL architecture (`standalone` or `replication`)
+##
+architecture: standalone
+## Replication configuration
+## Ignored if `architecture` is `standalone`
+##
+replication:
+  ## @param replication.synchronousCommit Set synchronous commit mode. Allowed values: `on`, `remote_apply`, `remote_write`, `local` and `off`
+  ## @param replication.numSynchronousReplicas Number of replicas that will have synchronous replication. Note: Cannot be greater than `readReplicas.replicaCount`.
+  ## ref: https://www.postgresql.org/docs/current/runtime-config-wal.html#GUC-SYNCHRONOUS-COMMIT
+  ##
+  synchronousCommit: "off"
+  numSynchronousReplicas: 0
+  ## @param replication.applicationName Cluster application name. Useful for advanced replication settings
+  ##
+  applicationName: my_application
+## @param containerPorts.postgresql PostgreSQL container port
+##
+containerPorts:
+  postgresql: 5432
+## Audit settings
+## https://github.com/bitnami/containers/tree/main/bitnami/postgresql#auditing
+## @param audit.logHostname Log client hostnames
+## @param audit.logConnections Add client log-in operations to the log file
+## @param audit.logDisconnections Add client log-outs operations to the log file
+## @param audit.pgAuditLog Add operations to log using the pgAudit extension
+## @param audit.pgAuditLogCatalog Log catalog using pgAudit
+## @param audit.clientMinMessages Message log level to share with the user
+## @param audit.logLinePrefix Template for log line prefix (default if not set)
+## @param audit.logTimezone Timezone for the log timestamps
+##
+audit:
+  logHostname: false
+  logConnections: false
+  logDisconnections: false
+  pgAuditLog: ""
+  pgAuditLogCatalog: "off"
+  clientMinMessages: error
+  logLinePrefix: ""
+  logTimezone: ""
+## LDAP configuration
+## @param ldap.enabled Enable LDAP support
+## DEPRECATED ldap.url It will removed in a future, please use 'ldap.uri' instead
+## @param ldap.server IP address or name of the LDAP server.
+## @param ldap.port Port number on the LDAP server to connect to
+## @param ldap.prefix String to prepend to the user name when forming the DN to bind
+## @param ldap.suffix String to append to the user name when forming the DN to bind
+## DEPRECATED ldap.baseDN It will removed in a future, please use 'ldap.basedn' instead
+## DEPRECATED ldap.bindDN It will removed in a future, please use 'ldap.binddn' instead
+## DEPRECATED ldap.bind_password It will removed in a future, please use 'ldap.bindpw' instead
+## @param ldap.basedn Root DN to begin the search for the user in
+## @param ldap.binddn DN of user to bind to LDAP
+## @param ldap.bindpw Password for the user to bind to LDAP
+## DEPRECATED ldap.search_attr It will removed in a future, please use 'ldap.searchAttribute' instead
+## DEPRECATED ldap.search_filter It will removed in a future, please use 'ldap.searchFilter' instead
+## @param ldap.searchAttribute Attribute to match against the user name in the search
+## @param ldap.searchFilter The search filter to use when doing search+bind authentication
+## @param ldap.scheme Set to `ldaps` to use LDAPS
+## DEPRECATED ldap.tls as string is deprecated,please use 'ldap.tls.enabled' instead
+## @param ldap.tls.enabled Se to true to enable TLS encryption
+##
+ldap:
+  enabled: false
+  server: ""
+  port: ""
+  prefix: ""
+  suffix: ""
+  basedn: ""
+  binddn: ""
+  bindpw: ""
+  searchAttribute: ""
+  searchFilter: ""
+  scheme: ""
+  tls:
+    enabled: false
+  ## @param ldap.uri LDAP URL beginning in the form `ldap[s]://host[:port]/basedn`. If provided, all the other LDAP parameters will be ignored.
+  ## Ref: https://www.postgresql.org/docs/current/auth-ldap.html
+  uri: ""
+## @param postgresqlDataDir PostgreSQL data dir folder
+##
+postgresqlDataDir: /bitnami/postgresql/data
+## @param postgresqlSharedPreloadLibraries Shared preload libraries (comma-separated list)
+##
+postgresqlSharedPreloadLibraries: "pgaudit"
+## Start PostgreSQL pod(s) without limitations on shm memory.
+## By default docker and containerd (and possibly other container runtimes) limit `/dev/shm` to `64M`
+## ref: https://github.com/docker-library/postgres/issues/416
+## ref: https://github.com/containerd/containerd/issues/3654
+##
+shmVolume:
+  ## @param shmVolume.enabled Enable emptyDir volume for /dev/shm for PostgreSQL pod(s)
+  ##
+  enabled: true
+  ## @param shmVolume.sizeLimit Set this to enable a size limit on the shm tmpfs
+  ## Note: the size of the tmpfs counts against container's memory limit
+  ## e.g:
+  ## sizeLimit: 1Gi
+  ##
+  sizeLimit: ""
+## TLS configuration
+##
+tls:
+  ## @param tls.enabled Enable TLS traffic support
+  ##
+  enabled: false
+  ## @param tls.autoGenerated Generate automatically self-signed TLS certificates
+  ##
+  autoGenerated: false
+  ## @param tls.preferServerCiphers Whether to use the server's TLS cipher preferences rather than the client's
+  ##
+  preferServerCiphers: true
+  ## @param tls.certificatesSecret Name of an existing secret that contains the certificates
+  ##
+  certificatesSecret: ""
+  ## @param tls.certFilename Certificate filename
+  ##
+  certFilename: ""
+  ## @param tls.certKeyFilename Certificate key filename
+  ##
+  certKeyFilename: ""
+  ## @param tls.certCAFilename CA Certificate filename
+  ## If provided, PostgreSQL will authenticate TLS/SSL clients by requesting them a certificate
+  ## ref: https://www.postgresql.org/docs/9.6/auth-methods.html
+  ##
+  certCAFilename: ""
+  ## @param tls.crlFilename File containing a Certificate Revocation List
+  ##
+  crlFilename: ""
+
+## @section PostgreSQL Primary parameters
+##
+primary:
+  ## @param primary.name Name of the primary database (eg primary, master, leader, ...)
+  ##
+  name: primary
+  ## @param primary.configuration PostgreSQL Primary main configuration to be injected as ConfigMap
+  ## ref: https://www.postgresql.org/docs/current/static/runtime-config.html
+  ##
+  configuration: ""
+  ## @param primary.pgHbaConfiguration PostgreSQL Primary client authentication configuration
+  ## ref: https://www.postgresql.org/docs/current/static/auth-pg-hba-conf.html
+  ## e.g:#
+  ## pgHbaConfiguration: |-
+  ##   local all all trust
+  ##   host all all localhost trust
+  ##   host mydatabase mysuser 192.168.0.0/24 md5
+  ##
+  pgHbaConfiguration: ""
+  ## @param primary.existingConfigmap Name of an existing ConfigMap with PostgreSQL Primary configuration
+  ## NOTE: `primary.configuration` and `primary.pgHbaConfiguration` will be ignored
+  ##
+  existingConfigmap: ""
+  ## @param primary.extendedConfiguration Extended PostgreSQL Primary configuration (appended to main or default configuration)
+  ## ref: https://github.com/bitnami/containers/tree/main/bitnami/postgresql#allow-settings-to-be-loaded-from-files-other-than-the-default-postgresqlconf
+  ##
+  extendedConfiguration: ""
+  ## @param primary.existingExtendedConfigmap Name of an existing ConfigMap with PostgreSQL Primary extended configuration
+  ## NOTE: `primary.extendedConfiguration` will be ignored
+  ##
+  existingExtendedConfigmap: ""
+  ## Initdb configuration
+  ## ref: https://github.com/bitnami/containers/tree/main/bitnami/postgresql#specifying-initdb-arguments
+  ##
+  initdb:
+    ## @param primary.initdb.args PostgreSQL initdb extra arguments
+    ##
+    args: ""
+    ## @param primary.initdb.postgresqlWalDir Specify a custom location for the PostgreSQL transaction log
+    ##
+    postgresqlWalDir: ""
+    ## @param primary.initdb.scripts Dictionary of initdb scripts
+    ## Specify dictionary of scripts to be run at first boot
+    ## e.g:
+    ## scripts:
+    ##   my_init_script.sh: |
+    ##      #!/bin/sh
+    ##      echo "Do something."
+    ##
+    scripts: {}
+    ## @param primary.initdb.scriptsConfigMap ConfigMap with scripts to be run at first boot
+    ## NOTE: This will override `primary.initdb.scripts`
+    ##
+    scriptsConfigMap: ""
+    ## @param primary.initdb.scriptsSecret Secret with scripts to be run at first boot (in case it contains sensitive information)
+    ## NOTE: This can work along `primary.initdb.scripts` or `primary.initdb.scriptsConfigMap`
+    ##
+    scriptsSecret: ""
+    ## @param primary.initdb.user Specify the PostgreSQL username to execute the initdb scripts
+    ##
+    user: ""
+    ## @param primary.initdb.password Specify the PostgreSQL password to execute the initdb scripts
+    ##
+    password: ""
+  ## Configure current cluster's primary server to be the standby server in other cluster.
+  ## This will allow cross cluster replication and provide cross cluster high availability.
+  ## You will need to configure pgHbaConfiguration if you want to enable this feature with local cluster replication enabled.
+  ## @param primary.standby.enabled Whether to enable current cluster's primary as standby server of another cluster or not
+  ## @param primary.standby.primaryHost The Host of replication primary in the other cluster
+  ## @param primary.standby.primaryPort The Port of replication primary in the other cluster
+  ##
+  standby:
+    enabled: false
+    primaryHost: ""
+    primaryPort: ""
+  ## @param primary.extraEnvVars Array with extra environment variables to add to PostgreSQL Primary nodes
+  ## e.g:
+  ## extraEnvVars:
+  ##   - name: FOO
+  ##     value: "bar"
+  ##
+  extraEnvVars: []
+  ## @param primary.extraEnvVarsCM Name of existing ConfigMap containing extra env vars for PostgreSQL Primary nodes
+  ##
+  extraEnvVarsCM: ""
+  ## @param primary.extraEnvVarsSecret Name of existing Secret containing extra env vars for PostgreSQL Primary nodes
+  ##
+  extraEnvVarsSecret: ""
+  ## @param primary.command Override default container command (useful when using custom images)
+  ##
+  command: []
+  ## @param primary.args Override default container args (useful when using custom images)
+  ##
+  args: []
+  ## Configure extra options for PostgreSQL Primary containers' liveness, readiness and startup probes
+  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes
+  ## @param primary.livenessProbe.enabled Enable livenessProbe on PostgreSQL Primary containers
+  ## @param primary.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe
+  ## @param primary.livenessProbe.periodSeconds Period seconds for livenessProbe
+  ## @param primary.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe
+  ## @param primary.livenessProbe.failureThreshold Failure threshold for livenessProbe
+  ## @param primary.livenessProbe.successThreshold Success threshold for livenessProbe
+  ##
+  livenessProbe:
+    enabled: true
+    initialDelaySeconds: 30
+    periodSeconds: 10
+    timeoutSeconds: 5
+    failureThreshold: 6
+    successThreshold: 1
+  ## @param primary.readinessProbe.enabled Enable readinessProbe on PostgreSQL Primary containers
+  ## @param primary.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe
+  ## @param primary.readinessProbe.periodSeconds Period seconds for readinessProbe
+  ## @param primary.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe
+  ## @param primary.readinessProbe.failureThreshold Failure threshold for readinessProbe
+  ## @param primary.readinessProbe.successThreshold Success threshold for readinessProbe
+  ##
+  readinessProbe:
+    enabled: true
+    initialDelaySeconds: 5
+    periodSeconds: 10
+    timeoutSeconds: 5
+    failureThreshold: 6
+    successThreshold: 1
+  ## @param primary.startupProbe.enabled Enable startupProbe on PostgreSQL Primary containers
+  ## @param primary.startupProbe.initialDelaySeconds Initial delay seconds for startupProbe
+  ## @param primary.startupProbe.periodSeconds Period seconds for startupProbe
+  ## @param primary.startupProbe.timeoutSeconds Timeout seconds for startupProbe
+  ## @param primary.startupProbe.failureThreshold Failure threshold for startupProbe
+  ## @param primary.startupProbe.successThreshold Success threshold for startupProbe
+  ##
+  startupProbe:
+    enabled: false
+    initialDelaySeconds: 30
+    periodSeconds: 10
+    timeoutSeconds: 1
+    failureThreshold: 15
+    successThreshold: 1
+  ## @param primary.customLivenessProbe Custom livenessProbe that overrides the default one
+  ##
+  customLivenessProbe: {}
+  ## @param primary.customReadinessProbe Custom readinessProbe that overrides the default one
+  ##
+  customReadinessProbe: {}
+  ## @param primary.customStartupProbe Custom startupProbe that overrides the default one
+  ##
+  customStartupProbe: {}
+  ## @param primary.lifecycleHooks for the PostgreSQL Primary container to automate configuration before or after startup
+  ##
+  lifecycleHooks: {}
+  ## PostgreSQL Primary resource requests and limits
+  ## ref: https://kubernetes.io/docs/user-guide/compute-resources/
+  ## @param primary.resources.limits The resources limits for the PostgreSQL Primary containers
+  ## @param primary.resources.requests.memory The requested memory for the PostgreSQL Primary containers
+  ## @param primary.resources.requests.cpu The requested cpu for the PostgreSQL Primary containers
+  ##
+  resources:
+    limits: {}
+    requests:
+      memory: 256Mi
+      cpu: 250m
+  ## Pod Security Context
+  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
+  ## @param primary.podSecurityContext.enabled Enable security context
+  ## @param primary.podSecurityContext.fsGroup Group ID for the pod
+  ##
+  podSecurityContext:
+    enabled: true
+    fsGroup: 1001
+  ## Container Security Context
+  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
+  ## @param primary.containerSecurityContext.enabled Enable container security context
+  ## @param primary.containerSecurityContext.runAsUser User ID for the container
+  ##
+  containerSecurityContext:
+    enabled: true
+    runAsUser: 1001
+  ## @param primary.hostAliases PostgreSQL primary pods host aliases
+  ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/
+  ##
+  hostAliases: []
+  ## @param primary.hostNetwork Specify if host network should be enabled for PostgreSQL pod (postgresql primary)
+  ##
+  hostNetwork: false
+  ## @param primary.hostIPC Specify if host IPC should be enabled for PostgreSQL pod (postgresql primary)
+  ##
+  hostIPC: false
+  ## @param primary.labels Map of labels to add to the statefulset (postgresql primary)
+  ##
+  labels: {}
+  ## @param primary.annotations Annotations for PostgreSQL primary pods
+  ##
+  annotations: {}
+  ## @param primary.podLabels Map of labels to add to the pods (postgresql primary)
+  ##
+  podLabels: {}
+  ## @param primary.podAnnotations Map of annotations to add to the pods (postgresql primary)
+  ##
+  podAnnotations: {}
+  ## @param primary.podAffinityPreset PostgreSQL primary pod affinity preset. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard`
+  ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
+  ##
+  podAffinityPreset: ""
+  ## @param primary.podAntiAffinityPreset PostgreSQL primary pod anti-affinity preset. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard`
+  ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
+  ##
+  podAntiAffinityPreset: soft
+  ## PostgreSQL Primary node affinity preset
+  ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity
+  ##
+  nodeAffinityPreset:
+    ## @param primary.nodeAffinityPreset.type PostgreSQL primary node affinity preset type. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard`
+    ##
+    type: ""
+    ## @param primary.nodeAffinityPreset.key PostgreSQL primary node label key to match Ignored if `primary.affinity` is set.
+    ## E.g.
+    ## key: "kubernetes.io/e2e-az-name"
+    ##
+    key: ""
+    ## @param primary.nodeAffinityPreset.values PostgreSQL primary node label values to match. Ignored if `primary.affinity` is set.
+    ## E.g.
+    ## values:
+    ##   - e2e-az1
+    ##   - e2e-az2
+    ##
+    values: []
+  ## @param primary.affinity Affinity for PostgreSQL primary pods assignment
+  ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
+  ## Note: primary.podAffinityPreset, primary.podAntiAffinityPreset, and primary.nodeAffinityPreset will be ignored when it's set
+  ##
+  affinity: {}
+  ## @param primary.nodeSelector Node labels for PostgreSQL primary pods assignment
+  ## ref: https://kubernetes.io/docs/user-guide/node-selection/
+  ##
+  nodeSelector: {}
+  ## @param primary.tolerations Tolerations for PostgreSQL primary pods assignment
+  ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
+  ##
+  tolerations: []
+  ## @param primary.topologySpreadConstraints Topology Spread Constraints for pod assignment spread across your cluster among failure-domains. Evaluated as a template
+  ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/#spread-constraints-for-pods
+  ##
+  topologySpreadConstraints: []
+  ## @param primary.priorityClassName Priority Class to use for each pod (postgresql primary)
+  ##
+  priorityClassName: ""
+  ## @param primary.schedulerName Use an alternate scheduler, e.g. "stork".
+  ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/
+  ##
+  schedulerName: ""
+  ## @param primary.terminationGracePeriodSeconds Seconds PostgreSQL primary pod needs to terminate gracefully
+  ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods
+  ##
+  terminationGracePeriodSeconds: ""
+  ## @param primary.updateStrategy.type PostgreSQL Primary statefulset strategy type
+  ## @param primary.updateStrategy.rollingUpdate PostgreSQL Primary statefulset rolling update configuration parameters
+  ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies
+  ##
+  updateStrategy:
+    type: RollingUpdate
+    rollingUpdate: {}
+  ## @param primary.extraVolumeMounts Optionally specify extra list of additional volumeMounts for the PostgreSQL Primary container(s)
+  ##
+  extraVolumeMounts: []
+  ## @param primary.extraVolumes Optionally specify extra list of additional volumes for the PostgreSQL Primary pod(s)
+  ##
+  extraVolumes: []
+  ## @param primary.sidecars Add additional sidecar containers to the PostgreSQL Primary pod(s)
+  ## For example:
+  ## sidecars:
+  ##   - name: your-image-name
+  ##     image: your-image
+  ##     imagePullPolicy: Always
+  ##     ports:
+  ##       - name: portname
+  ##         containerPort: 1234
+  ##
+  sidecars: []
+  ## @param primary.initContainers Add additional init containers to the PostgreSQL Primary pod(s)
+  ## Example
+  ##
+  ## initContainers:
+  ##   - name: do-something
+  ##     image: busybox
+  ##     command: ['do', 'something']
+  ##
+  initContainers: []
+  ## @param primary.extraPodSpec Optionally specify extra PodSpec for the PostgreSQL Primary pod(s)
+  ##
+  extraPodSpec: {}
+  ## PostgreSQL Primary service configuration
+  ##
+  service:
+    ## @param primary.service.type Kubernetes Service type
+    ##
+    type: ClusterIP
+    ## @param primary.service.ports.postgresql PostgreSQL service port
+    ##
+    ports:
+      postgresql: 5432
+    ## Node ports to expose
+    ## NOTE: choose port between <30000-32767>
+    ## @param primary.service.nodePorts.postgresql Node port for PostgreSQL
+    ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport
+    ##
+    nodePorts:
+      postgresql: ""
+    ## @param primary.service.clusterIP Static clusterIP or None for headless services
+    ## e.g:
+    ## clusterIP: None
+    ##
+    clusterIP: ""
+    ## @param primary.service.annotations Annotations for PostgreSQL primary service
+    ##
+    annotations: {}
+    ## @param primary.service.loadBalancerIP Load balancer IP if service type is `LoadBalancer`
+    ## Set the LoadBalancer service type to internal only
+    ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer
+    ##
+    loadBalancerIP: ""
+    ## @param primary.service.externalTrafficPolicy Enable client source IP preservation
+    ## ref https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip
+    ##
+    externalTrafficPolicy: Cluster
+    ## @param primary.service.loadBalancerSourceRanges Addresses that are allowed when service is LoadBalancer
+    ## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service
+    ##
+    ## loadBalancerSourceRanges:
+    ## - 10.10.10.0/24
+    ##
+    loadBalancerSourceRanges: []
+    ## @param primary.service.extraPorts Extra ports to expose in the PostgreSQL primary service
+    ##
+    extraPorts: []
+    ## @param primary.service.sessionAffinity Session Affinity for Kubernetes service, can be "None" or "ClientIP"
+    ## If "ClientIP", consecutive client requests will be directed to the same Pod
+    ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies
+    ##
+    sessionAffinity: None
+    ## @param primary.service.sessionAffinityConfig Additional settings for the sessionAffinity
+    ## sessionAffinityConfig:
+    ##   clientIP:
+    ##     timeoutSeconds: 300
+    ##
+    sessionAffinityConfig: {}
+  ## PostgreSQL Primary persistence configuration
+  ##
+  persistence:
+    ## @param primary.persistence.enabled Enable PostgreSQL Primary data persistence using PVC
+    ##
+    enabled: true
+    ## @param primary.persistence.existingClaim Name of an existing PVC to use
+    ##
+    existingClaim: ""
+    ## @param primary.persistence.mountPath The path the volume will be mounted at
+    ## Note: useful when using custom PostgreSQL images
+    ##
+    mountPath: /bitnami/postgresql
+    ## @param primary.persistence.subPath The subdirectory of the volume to mount to
+    ## Useful in dev environments and one PV for multiple services
+    ##
+    subPath: ""
+    ## @param primary.persistence.storageClass PVC Storage Class for PostgreSQL Primary data volume
+    ## If defined, storageClassName: <storageClass>
+    ## If set to "-", storageClassName: "", which disables dynamic provisioning
+    ## If undefined (the default) or set to null, no storageClassName spec is
+    ##   set, choosing the default provisioner.  (gp2 on AWS, standard on
+    ##   GKE, AWS & OpenStack)
+    ##
+    storageClass: ""
+    ## @param primary.persistence.accessModes PVC Access Mode for PostgreSQL volume
+    ##
+    accessModes:
+      - ReadWriteOnce
+    ## @param primary.persistence.size PVC Storage Request for PostgreSQL volume
+    ##
+    size: 8Gi
+    ## @param primary.persistence.annotations Annotations for the PVC
+    ##
+    annotations: {}
+    ## @param primary.persistence.labels Labels for the PVC
+    ##
+    labels: {}
+    ## @param primary.persistence.selector Selector to match an existing Persistent Volume (this value is evaluated as a template)
+    ## selector:
+    ##   matchLabels:
+    ##     app: my-app
+    ##
+    selector: {}
+    ## @param primary.persistence.dataSource Custom PVC data source
+    ##
+    dataSource: {}
+
+## @section PostgreSQL read only replica parameters (only used when `architecture` is set to `replication`)
+##
+readReplicas:
+  ## @param readReplicas.name Name of the read replicas database (eg secondary, slave, ...)
+  ##
+  name: read
+  ## @param readReplicas.replicaCount Number of PostgreSQL read only replicas
+  ##
+  replicaCount: 1
+  ## @param readReplicas.extendedConfiguration Extended PostgreSQL read only replicas configuration (appended to main or default configuration)
+  ## ref: https://github.com/bitnami/containers/tree/main/bitnami/postgresql#allow-settings-to-be-loaded-from-files-other-than-the-default-postgresqlconf
+  ##
+  extendedConfiguration: ""
+  ## @param readReplicas.extraEnvVars Array with extra environment variables to add to PostgreSQL read only nodes
+  ## e.g:
+  ## extraEnvVars:
+  ##   - name: FOO
+  ##     value: "bar"
+  ##
+  extraEnvVars: []
+  ## @param readReplicas.extraEnvVarsCM Name of existing ConfigMap containing extra env vars for PostgreSQL read only nodes
+  ##
+  extraEnvVarsCM: ""
+  ## @param readReplicas.extraEnvVarsSecret Name of existing Secret containing extra env vars for PostgreSQL read only nodes
+  ##
+  extraEnvVarsSecret: ""
+  ## @param readReplicas.command Override default container command (useful when using custom images)
+  ##
+  command: []
+  ## @param readReplicas.args Override default container args (useful when using custom images)
+  ##
+  args: []
+  ## Configure extra options for PostgreSQL read only containers' liveness, readiness and startup probes
+  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes
+  ## @param readReplicas.livenessProbe.enabled Enable livenessProbe on PostgreSQL read only containers
+  ## @param readReplicas.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe
+  ## @param readReplicas.livenessProbe.periodSeconds Period seconds for livenessProbe
+  ## @param readReplicas.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe
+  ## @param readReplicas.livenessProbe.failureThreshold Failure threshold for livenessProbe
+  ## @param readReplicas.livenessProbe.successThreshold Success threshold for livenessProbe
+  ##
+  livenessProbe:
+    enabled: true
+    initialDelaySeconds: 30
+    periodSeconds: 10
+    timeoutSeconds: 5
+    failureThreshold: 6
+    successThreshold: 1
+  ## @param readReplicas.readinessProbe.enabled Enable readinessProbe on PostgreSQL read only containers
+  ## @param readReplicas.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe
+  ## @param readReplicas.readinessProbe.periodSeconds Period seconds for readinessProbe
+  ## @param readReplicas.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe
+  ## @param readReplicas.readinessProbe.failureThreshold Failure threshold for readinessProbe
+  ## @param readReplicas.readinessProbe.successThreshold Success threshold for readinessProbe
+  ##
+  readinessProbe:
+    enabled: true
+    initialDelaySeconds: 5
+    periodSeconds: 10
+    timeoutSeconds: 5
+    failureThreshold: 6
+    successThreshold: 1
+  ## @param readReplicas.startupProbe.enabled Enable startupProbe on PostgreSQL read only containers
+  ## @param readReplicas.startupProbe.initialDelaySeconds Initial delay seconds for startupProbe
+  ## @param readReplicas.startupProbe.periodSeconds Period seconds for startupProbe
+  ## @param readReplicas.startupProbe.timeoutSeconds Timeout seconds for startupProbe
+  ## @param readReplicas.startupProbe.failureThreshold Failure threshold for startupProbe
+  ## @param readReplicas.startupProbe.successThreshold Success threshold for startupProbe
+  ##
+  startupProbe:
+    enabled: false
+    initialDelaySeconds: 30
+    periodSeconds: 10
+    timeoutSeconds: 1
+    failureThreshold: 15
+    successThreshold: 1
+  ## @param readReplicas.customLivenessProbe Custom livenessProbe that overrides the default one
+  ##
+  customLivenessProbe: {}
+  ## @param readReplicas.customReadinessProbe Custom readinessProbe that overrides the default one
+  ##
+  customReadinessProbe: {}
+  ## @param readReplicas.customStartupProbe Custom startupProbe that overrides the default one
+  ##
+  customStartupProbe: {}
+  ## @param readReplicas.lifecycleHooks for the PostgreSQL read only container to automate configuration before or after startup
+  ##
+  lifecycleHooks: {}
+  ## PostgreSQL read only resource requests and limits
+  ## ref: https://kubernetes.io/docs/user-guide/compute-resources/
+  ## @param readReplicas.resources.limits The resources limits for the PostgreSQL read only containers
+  ## @param readReplicas.resources.requests.memory The requested memory for the PostgreSQL read only containers
+  ## @param readReplicas.resources.requests.cpu The requested cpu for the PostgreSQL read only containers
+  ##
+  resources:
+    limits: {}
+    requests:
+      memory: 256Mi
+      cpu: 250m
+  ## Pod Security Context
+  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
+  ## @param readReplicas.podSecurityContext.enabled Enable security context
+  ## @param readReplicas.podSecurityContext.fsGroup Group ID for the pod
+  ##
+  podSecurityContext:
+    enabled: true
+    fsGroup: 1001
+  ## Container Security Context
+  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
+  ## @param readReplicas.containerSecurityContext.enabled Enable container security context
+  ## @param readReplicas.containerSecurityContext.runAsUser User ID for the container
+  ##
+  containerSecurityContext:
+    enabled: true
+    runAsUser: 1001
+  ## @param readReplicas.hostAliases PostgreSQL read only pods host aliases
+  ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/
+  ##
+  hostAliases: []
+  ## @param readReplicas.hostNetwork Specify if host network should be enabled for PostgreSQL pod (PostgreSQL read only)
+  ##
+  hostNetwork: false
+  ## @param readReplicas.hostIPC Specify if host IPC should be enabled for PostgreSQL pod (postgresql primary)
+  ##
+  hostIPC: false
+  ## @param readReplicas.labels Map of labels to add to the statefulset (PostgreSQL read only)
+  ##
+  labels: {}
+  ## @param readReplicas.annotations Annotations for PostgreSQL read only pods
+  ##
+  annotations: {}
+  ## @param readReplicas.podLabels Map of labels to add to the pods (PostgreSQL read only)
+  ##
+  podLabels: {}
+  ## @param readReplicas.podAnnotations Map of annotations to add to the pods (PostgreSQL read only)
+  ##
+  podAnnotations: {}
+  ## @param readReplicas.podAffinityPreset PostgreSQL read only pod affinity preset. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard`
+  ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
+  ##
+  podAffinityPreset: ""
+  ## @param readReplicas.podAntiAffinityPreset PostgreSQL read only pod anti-affinity preset. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard`
+  ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
+  ##
+  podAntiAffinityPreset: soft
+  ## PostgreSQL read only node affinity preset
+  ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity
+  ##
+  nodeAffinityPreset:
+    ## @param readReplicas.nodeAffinityPreset.type PostgreSQL read only node affinity preset type. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard`
+    ##
+    type: ""
+    ## @param readReplicas.nodeAffinityPreset.key PostgreSQL read only node label key to match Ignored if `primary.affinity` is set.
+    ## E.g.
+    ## key: "kubernetes.io/e2e-az-name"
+    ##
+    key: ""
+    ## @param readReplicas.nodeAffinityPreset.values PostgreSQL read only node label values to match. Ignored if `primary.affinity` is set.
+    ## E.g.
+    ## values:
+    ##   - e2e-az1
+    ##   - e2e-az2
+    ##
+    values: []
+  ## @param readReplicas.affinity Affinity for PostgreSQL read only pods assignment
+  ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
+  ## Note: primary.podAffinityPreset, primary.podAntiAffinityPreset, and primary.nodeAffinityPreset will be ignored when it's set
+  ##
+  affinity: {}
+  ## @param readReplicas.nodeSelector Node labels for PostgreSQL read only pods assignment
+  ## ref: https://kubernetes.io/docs/user-guide/node-selection/
+  ##
+  nodeSelector: {}
+  ## @param readReplicas.tolerations Tolerations for PostgreSQL read only pods assignment
+  ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
+  ##
+  tolerations: []
+  ## @param readReplicas.topologySpreadConstraints Topology Spread Constraints for pod assignment spread across your cluster among failure-domains. Evaluated as a template
+  ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/#spread-constraints-for-pods
+  ##
+  topologySpreadConstraints: []
+  ## @param readReplicas.priorityClassName Priority Class to use for each pod (PostgreSQL read only)
+  ##
+  priorityClassName: ""
+  ## @param readReplicas.schedulerName Use an alternate scheduler, e.g. "stork".
+  ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/
+  ##
+  schedulerName: ""
+  ## @param readReplicas.terminationGracePeriodSeconds Seconds PostgreSQL read only pod needs to terminate gracefully
+  ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods
+  ##
+  terminationGracePeriodSeconds: ""
+  ## @param readReplicas.updateStrategy.type PostgreSQL read only statefulset strategy type
+  ## @param readReplicas.updateStrategy.rollingUpdate PostgreSQL read only statefulset rolling update configuration parameters
+  ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies
+  ##
+  updateStrategy:
+    type: RollingUpdate
+    rollingUpdate: {}
+  ## @param readReplicas.extraVolumeMounts Optionally specify extra list of additional volumeMounts for the PostgreSQL read only container(s)
+  ##
+  extraVolumeMounts: []
+  ## @param readReplicas.extraVolumes Optionally specify extra list of additional volumes for the PostgreSQL read only pod(s)
+  ##
+  extraVolumes: []
+  ## @param readReplicas.sidecars Add additional sidecar containers to the PostgreSQL read only pod(s)
+  ## For example:
+  ## sidecars:
+  ##   - name: your-image-name
+  ##     image: your-image
+  ##     imagePullPolicy: Always
+  ##     ports:
+  ##       - name: portname
+  ##         containerPort: 1234
+  ##
+  sidecars: []
+  ## @param readReplicas.initContainers Add additional init containers to the PostgreSQL read only pod(s)
+  ## Example
+  ##
+  ## initContainers:
+  ##   - name: do-something
+  ##     image: busybox
+  ##     command: ['do', 'something']
+  ##
+  initContainers: []
+  ## @param readReplicas.extraPodSpec Optionally specify extra PodSpec for the PostgreSQL read only pod(s)
+  ##
+  extraPodSpec: {}
+  ## PostgreSQL read only service configuration
+  ##
+  service:
+    ## @param readReplicas.service.type Kubernetes Service type
+    ##
+    type: ClusterIP
+    ## @param readReplicas.service.ports.postgresql PostgreSQL service port
+    ##
+    ports:
+      postgresql: 5432
+    ## Node ports to expose
+    ## NOTE: choose port between <30000-32767>
+    ## @param readReplicas.service.nodePorts.postgresql Node port for PostgreSQL
+    ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport
+    ##
+    nodePorts:
+      postgresql: ""
+    ## @param readReplicas.service.clusterIP Static clusterIP or None for headless services
+    ## e.g:
+    ## clusterIP: None
+    ##
+    clusterIP: ""
+    ## @param readReplicas.service.annotations Annotations for PostgreSQL read only service
+    ##
+    annotations: {}
+    ## @param readReplicas.service.loadBalancerIP Load balancer IP if service type is `LoadBalancer`
+    ## Set the LoadBalancer service type to internal only
+    ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer
+    ##
+    loadBalancerIP: ""
+    ## @param readReplicas.service.externalTrafficPolicy Enable client source IP preservation
+    ## ref https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip
+    ##
+    externalTrafficPolicy: Cluster
+    ## @param readReplicas.service.loadBalancerSourceRanges Addresses that are allowed when service is LoadBalancer
+    ## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service
+    ##
+    ## loadBalancerSourceRanges:
+    ## - 10.10.10.0/24
+    ##
+    loadBalancerSourceRanges: []
+    ## @param readReplicas.service.extraPorts Extra ports to expose in the PostgreSQL read only service
+    ##
+    extraPorts: []
+    ## @param readReplicas.service.sessionAffinity Session Affinity for Kubernetes service, can be "None" or "ClientIP"
+    ## If "ClientIP", consecutive client requests will be directed to the same Pod
+    ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies
+    ##
+    sessionAffinity: None
+    ## @param readReplicas.service.sessionAffinityConfig Additional settings for the sessionAffinity
+    ## sessionAffinityConfig:
+    ##   clientIP:
+    ##     timeoutSeconds: 300
+    ##
+    sessionAffinityConfig: {}
+  ## PostgreSQL read only persistence configuration
+  ##
+  persistence:
+    ## @param readReplicas.persistence.enabled Enable PostgreSQL read only data persistence using PVC
+    ##
+    enabled: true
+    ## @param readReplicas.persistence.existingClaim Name of an existing PVC to use
+    ##
+    existingClaim: ""
+    ## @param readReplicas.persistence.mountPath The path the volume will be mounted at
+    ## Note: useful when using custom PostgreSQL images
+    ##
+    mountPath: /bitnami/postgresql
+    ## @param readReplicas.persistence.subPath The subdirectory of the volume to mount to
+    ## Useful in dev environments and one PV for multiple services
+    ##
+    subPath: ""
+    ## @param readReplicas.persistence.storageClass PVC Storage Class for PostgreSQL read only data volume
+    ## If defined, storageClassName: <storageClass>
+    ## If set to "-", storageClassName: "", which disables dynamic provisioning
+    ## If undefined (the default) or set to null, no storageClassName spec is
+    ##   set, choosing the default provisioner.  (gp2 on AWS, standard on
+    ##   GKE, AWS & OpenStack)
+    ##
+    storageClass: ""
+    ## @param readReplicas.persistence.accessModes PVC Access Mode for PostgreSQL volume
+    ##
+    accessModes:
+      - ReadWriteOnce
+    ## @param readReplicas.persistence.size PVC Storage Request for PostgreSQL volume
+    ##
+    size: 8Gi
+    ## @param readReplicas.persistence.annotations Annotations for the PVC
+    ##
+    annotations: {}
+    ## @param readReplicas.persistence.labels Labels for the PVC
+    ##
+    labels: {}
+    ## @param readReplicas.persistence.selector Selector to match an existing Persistent Volume (this value is evaluated as a template)
+    ## selector:
+    ##   matchLabels:
+    ##     app: my-app
+    ##
+    selector: {}
+    ## @param readReplicas.persistence.dataSource Custom PVC data source
+    ##
+    dataSource: {}
+
+## @section NetworkPolicy parameters
+
+## Add networkpolicies
+##
+networkPolicy:
+  ## @param networkPolicy.enabled Enable network policies
+  ##
+  enabled: false
+  ## @param networkPolicy.metrics.enabled Enable network policies for metrics (prometheus)
+  ## @param networkPolicy.metrics.namespaceSelector [object] Monitoring namespace selector labels. These labels will be used to identify the prometheus' namespace.
+  ## @param networkPolicy.metrics.podSelector [object] Monitoring pod selector labels. These labels will be used to identify the Prometheus pods.
+  ##
+  metrics:
+    enabled: false
+    ## e.g:
+    ## namespaceSelector:
+    ##   label: monitoring
+    ##
+    namespaceSelector: {}
+    ## e.g:
+    ## podSelector:
+    ##   label: monitoring
+    ##
+    podSelector: {}
+  ## Ingress Rules
+  ##
+  ingressRules:
+    ## @param networkPolicy.ingressRules.primaryAccessOnlyFrom.enabled Enable ingress rule that makes PostgreSQL primary node only accessible from a particular origin.
+    ## @param networkPolicy.ingressRules.primaryAccessOnlyFrom.namespaceSelector [object] Namespace selector label that is allowed to access the PostgreSQL primary node. This label will be used to identified the allowed namespace(s).
+    ## @param networkPolicy.ingressRules.primaryAccessOnlyFrom.podSelector [object] Pods selector label that is allowed to access the PostgreSQL primary node. This label will be used to identified the allowed pod(s).
+    ## @param networkPolicy.ingressRules.primaryAccessOnlyFrom.customRules [object] Custom network policy for the PostgreSQL primary node.
+    ##
+    primaryAccessOnlyFrom:
+      enabled: false
+      ## e.g:
+      ## namespaceSelector:
+      ##   label: ingress
+      ##
+      namespaceSelector: {}
+      ## e.g:
+      ## podSelector:
+      ##   label: access
+      ##
+      podSelector: {}
+      ## custom ingress rules
+      ## e.g:
+      ## customRules:
+      ##   - from:
+      ##       - namespaceSelector:
+      ##           matchLabels:
+      ##             label: example
+      customRules: {}
+    ## @param networkPolicy.ingressRules.readReplicasAccessOnlyFrom.enabled Enable ingress rule that makes PostgreSQL read-only nodes only accessible from a particular origin.
+    ## @param networkPolicy.ingressRules.readReplicasAccessOnlyFrom.namespaceSelector [object] Namespace selector label that is allowed to access the PostgreSQL read-only nodes. This label will be used to identified the allowed namespace(s).
+    ## @param networkPolicy.ingressRules.readReplicasAccessOnlyFrom.podSelector [object] Pods selector label that is allowed to access the PostgreSQL read-only nodes. This label will be used to identified the allowed pod(s).
+    ## @param networkPolicy.ingressRules.readReplicasAccessOnlyFrom.customRules [object] Custom network policy for the PostgreSQL read-only nodes.
+    ##
+    readReplicasAccessOnlyFrom:
+      enabled: false
+      ## e.g:
+      ## namespaceSelector:
+      ##   label: ingress
+      ##
+      namespaceSelector: {}
+      ## e.g:
+      ## podSelector:
+      ##   label: access
+      ##
+      podSelector: {}
+      ## custom ingress rules
+      ## e.g:
+      ## CustomRules:
+      ##   - from:
+      ##       - namespaceSelector:
+      ##           matchLabels:
+      ##             label: example
+      customRules: {}
+  ## @param networkPolicy.egressRules.denyConnectionsToExternal Enable egress rule that denies outgoing traffic outside the cluster, except for DNS (port 53).
+  ## @param networkPolicy.egressRules.customRules [object] Custom network policy rule
+  ##
+  egressRules:
+    # Deny connections to external. This is not compatible with an external database.
+    denyConnectionsToExternal: false
+    ## Additional custom egress rules
+    ## e.g:
+    ## customRules:
+    ##   - to:
+    ##       - namespaceSelector:
+    ##           matchLabels:
+    ##             label: example
+    customRules: {}
+
+## @section Volume Permissions parameters
+
+## Init containers parameters:
+## volumePermissions: Change the owner and group of the persistent volume(s) mountpoint(s) to 'runAsUser:fsGroup' on each node
+##
+volumePermissions:
+  ## @param volumePermissions.enabled Enable init container that changes the owner and group of the persistent volume
+  ##
+  enabled: false
+  ## @param volumePermissions.image.registry Init container volume-permissions image registry
+  ## @param volumePermissions.image.repository Init container volume-permissions image repository
+  ## @param volumePermissions.image.tag Init container volume-permissions image tag (immutable tags are recommended)
+  ## @param volumePermissions.image.digest Init container volume-permissions image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag
+  ## @param volumePermissions.image.pullPolicy Init container volume-permissions image pull policy
+  ## @param volumePermissions.image.pullSecrets Init container volume-permissions image pull secrets
+  ##
+  image:
+    registry: docker.io
+    repository: bitnami/bitnami-shell
+    tag: 11-debian-11-r45
+    digest: ""
+    pullPolicy: IfNotPresent
+    ## Optionally specify an array of imagePullSecrets.
+    ## Secrets must be manually created in the namespace.
+    ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
+    ## Example:
+    ## pullSecrets:
+    ##   - myRegistryKeySecretName
+    ##
+    pullSecrets: []
+  ## Init container resource requests and limits
+  ## ref: https://kubernetes.io/docs/user-guide/compute-resources/
+  ## @param volumePermissions.resources.limits Init container volume-permissions resource limits
+  ## @param volumePermissions.resources.requests Init container volume-permissions resource requests
+  ##
+  resources:
+    limits: {}
+    requests: {}
+  ## Init container' Security Context
+  ## Note: the chown of the data folder is done to containerSecurityContext.runAsUser
+  ## and not the below volumePermissions.containerSecurityContext.runAsUser
+  ## @param volumePermissions.containerSecurityContext.runAsUser User ID for the init container
+  ##
+  containerSecurityContext:
+    runAsUser: 0
+
+## @section Other Parameters
+
+## Service account for PostgreSQL to use.
+## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/
+##
+serviceAccount:
+  ## @param serviceAccount.create Enable creation of ServiceAccount for PostgreSQL pod
+  ##
+  create: false
+  ## @param serviceAccount.name The name of the ServiceAccount to use.
+  ## If not set and create is true, a name is generated using the common.names.fullname template
+  ##
+  name: ""
+  ## @param serviceAccount.automountServiceAccountToken Allows auto mount of ServiceAccountToken on the serviceAccount created
+  ## Can be set to false if pods using this serviceAccount do not need to use K8s API
+  ##
+  automountServiceAccountToken: true
+  ## @param serviceAccount.annotations Additional custom annotations for the ServiceAccount
+  ##
+  annotations: {}
+## Creates role for ServiceAccount
+## @param rbac.create Create Role and RoleBinding (required for PSP to work)
+##
+rbac:
+  create: false
+  ## @param rbac.rules Custom RBAC rules to set
+  ## e.g:
+  ## rules:
+  ##   - apiGroups:
+  ##       - ""
+  ##     resources:
+  ##       - pods
+  ##     verbs:
+  ##       - get
+  ##       - list
+  ##
+  rules: []
+## Pod Security Policy
+## ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/
+## @param psp.create Whether to create a PodSecurityPolicy. WARNING: PodSecurityPolicy is deprecated in Kubernetes v1.21 or later, unavailable in v1.25 or later
+##
+psp:
+  create: false
+
+## @section Metrics Parameters
+
+metrics:
+  ## @param metrics.enabled Start a prometheus exporter
+  ##
+  enabled: false
+  ## @param metrics.image.registry PostgreSQL Prometheus Exporter image registry
+  ## @param metrics.image.repository PostgreSQL Prometheus Exporter image repository
+  ## @param metrics.image.tag PostgreSQL Prometheus Exporter image tag (immutable tags are recommended)
+  ## @param metrics.image.digest PostgreSQL image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag
+  ## @param metrics.image.pullPolicy PostgreSQL Prometheus Exporter image pull policy
+  ## @param metrics.image.pullSecrets Specify image pull secrets
+  ##
+  image:
+    registry: docker.io
+    repository: bitnami/postgres-exporter
+    tag: 0.11.1-debian-11-r22
+    digest: ""
+    pullPolicy: IfNotPresent
+    ## Optionally specify an array of imagePullSecrets.
+    ## Secrets must be manually created in the namespace.
+    ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
+    ## Example:
+    ## pullSecrets:
+    ##   - myRegistryKeySecretName
+    ##
+    pullSecrets: []
+  ## @param metrics.customMetrics Define additional custom metrics
+  ## ref: https://github.com/wrouesnel/postgres_exporter#adding-new-metrics-via-a-config-file
+  ## customMetrics:
+  ##   pg_database:
+  ##     query: "SELECT d.datname AS name, CASE WHEN pg_catalog.has_database_privilege(d.datname, 'CONNECT') THEN pg_catalog.pg_database_size(d.datname) ELSE 0 END AS size_bytes FROM pg_catalog.pg_database d where datname not in ('template0', 'template1', 'postgres')"
+  ##     metrics:
+  ##       - name:
+  ##           usage: "LABEL"
+  ##           description: "Name of the database"
+  ##       - size_bytes:
+  ##           usage: "GAUGE"
+  ##           description: "Size of the database in bytes"
+  ##
+  customMetrics: {}
+  ## @param metrics.extraEnvVars Extra environment variables to add to PostgreSQL Prometheus exporter
+  ## see: https://github.com/wrouesnel/postgres_exporter#environment-variables
+  ## For example:
+  ##  extraEnvVars:
+  ##  - name: PG_EXPORTER_DISABLE_DEFAULT_METRICS
+  ##    value: "true"
+  ##
+  extraEnvVars: []
+  ## PostgreSQL Prometheus exporter containers' Security Context
+  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
+  ## @param metrics.containerSecurityContext.enabled Enable PostgreSQL Prometheus exporter containers' Security Context
+  ## @param metrics.containerSecurityContext.runAsUser Set PostgreSQL Prometheus exporter containers' Security Context runAsUser
+  ## @param metrics.containerSecurityContext.runAsNonRoot Set PostgreSQL Prometheus exporter containers' Security Context runAsNonRoot
+  ##
+  containerSecurityContext:
+    enabled: true
+    runAsUser: 1001
+    runAsNonRoot: true
+  ## Configure extra options for PostgreSQL Prometheus exporter containers' liveness, readiness and startup probes
+  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes
+  ## @param metrics.livenessProbe.enabled Enable livenessProbe on PostgreSQL Prometheus exporter containers
+  ## @param metrics.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe
+  ## @param metrics.livenessProbe.periodSeconds Period seconds for livenessProbe
+  ## @param metrics.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe
+  ## @param metrics.livenessProbe.failureThreshold Failure threshold for livenessProbe
+  ## @param metrics.livenessProbe.successThreshold Success threshold for livenessProbe
+  ##
+  livenessProbe:
+    enabled: true
+    initialDelaySeconds: 5
+    periodSeconds: 10
+    timeoutSeconds: 5
+    failureThreshold: 6
+    successThreshold: 1
+  ## @param metrics.readinessProbe.enabled Enable readinessProbe on PostgreSQL Prometheus exporter containers
+  ## @param metrics.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe
+  ## @param metrics.readinessProbe.periodSeconds Period seconds for readinessProbe
+  ## @param metrics.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe
+  ## @param metrics.readinessProbe.failureThreshold Failure threshold for readinessProbe
+  ## @param metrics.readinessProbe.successThreshold Success threshold for readinessProbe
+  ##
+  readinessProbe:
+    enabled: true
+    initialDelaySeconds: 5
+    periodSeconds: 10
+    timeoutSeconds: 5
+    failureThreshold: 6
+    successThreshold: 1
+  ## @param metrics.startupProbe.enabled Enable startupProbe on PostgreSQL Prometheus exporter containers
+  ## @param metrics.startupProbe.initialDelaySeconds Initial delay seconds for startupProbe
+  ## @param metrics.startupProbe.periodSeconds Period seconds for startupProbe
+  ## @param metrics.startupProbe.timeoutSeconds Timeout seconds for startupProbe
+  ## @param metrics.startupProbe.failureThreshold Failure threshold for startupProbe
+  ## @param metrics.startupProbe.successThreshold Success threshold for startupProbe
+  ##
+  startupProbe:
+    enabled: false
+    initialDelaySeconds: 10
+    periodSeconds: 10
+    timeoutSeconds: 1
+    failureThreshold: 15
+    successThreshold: 1
+  ## @param metrics.customLivenessProbe Custom livenessProbe that overrides the default one
+  ##
+  customLivenessProbe: {}
+  ## @param metrics.customReadinessProbe Custom readinessProbe that overrides the default one
+  ##
+  customReadinessProbe: {}
+  ## @param metrics.customStartupProbe Custom startupProbe that overrides the default one
+  ##
+  customStartupProbe: {}
+  ## @param metrics.containerPorts.metrics PostgreSQL Prometheus exporter metrics container port
+  ##
+  containerPorts:
+    metrics: 9187
+  ## PostgreSQL Prometheus exporter resource requests and limits
+  ## ref: https://kubernetes.io/docs/user-guide/compute-resources/
+  ## @param metrics.resources.limits The resources limits for the PostgreSQL Prometheus exporter container
+  ## @param metrics.resources.requests The requested resources for the PostgreSQL Prometheus exporter container
+  ##
+  resources:
+    limits: {}
+    requests: {}
+  ## Service configuration
+  ##
+  service:
+    ## @param metrics.service.ports.metrics PostgreSQL Prometheus Exporter service port
+    ##
+    ports:
+      metrics: 9187
+    ## @param metrics.service.clusterIP Static clusterIP or None for headless services
+    ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#choosing-your-own-ip-address
+    ##
+    clusterIP: ""
+    ## @param metrics.service.sessionAffinity Control where client requests go, to the same pod or round-robin
+    ## Values: ClientIP or None
+    ## ref: https://kubernetes.io/docs/user-guide/services/
+    ##
+    sessionAffinity: None
+    ## @param metrics.service.annotations [object] Annotations for Prometheus to auto-discover the metrics endpoint
+    ##
+    annotations:
+      prometheus.io/scrape: "true"
+      prometheus.io/port: "{{ .Values.metrics.service.ports.metrics }}"
+  ## Prometheus Operator ServiceMonitor configuration
+  ##
+  serviceMonitor:
+    ## @param metrics.serviceMonitor.enabled Create ServiceMonitor Resource for scraping metrics using Prometheus Operator
+    ##
+    enabled: false
+    ## @param metrics.serviceMonitor.namespace Namespace for the ServiceMonitor Resource (defaults to the Release Namespace)
+    ##
+    namespace: ""
+    ## @param metrics.serviceMonitor.interval Interval at which metrics should be scraped.
+    ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint
+    ##
+    interval: ""
+    ## @param metrics.serviceMonitor.scrapeTimeout Timeout after which the scrape is ended
+    ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint
+    ##
+    scrapeTimeout: ""
+    ## @param metrics.serviceMonitor.labels Additional labels that can be used so ServiceMonitor will be discovered by Prometheus
+    ##
+    labels: {}
+    ## @param metrics.serviceMonitor.selector Prometheus instance selector labels
+    ## ref: https://github.com/bitnami/charts/tree/main/bitnami/prometheus-operator#prometheus-configuration
+    ##
+    selector: {}
+    ## @param metrics.serviceMonitor.relabelings RelabelConfigs to apply to samples before scraping
+    ##
+    relabelings: []
+    ## @param metrics.serviceMonitor.metricRelabelings MetricRelabelConfigs to apply to samples before ingestion
+    ##
+    metricRelabelings: []
+    ## @param metrics.serviceMonitor.honorLabels Specify honorLabels parameter to add the scrape endpoint
+    ##
+    honorLabels: false
+    ## @param metrics.serviceMonitor.jobLabel The name of the label on the target service to use as the job name in prometheus.
+    ##
+    jobLabel: ""
+  ## Custom PrometheusRule to be defined
+  ## The value is evaluated as a template, so, for example, the value can depend on .Release or .Chart
+  ## ref: https://github.com/coreos/prometheus-operator#customresourcedefinitions
+  ##
+  prometheusRule:
+    ## @param metrics.prometheusRule.enabled Create a PrometheusRule for Prometheus Operator
+    ##
+    enabled: false
+    ## @param metrics.prometheusRule.namespace Namespace for the PrometheusRule Resource (defaults to the Release Namespace)
+    ##
+    namespace: ""
+    ## @param metrics.prometheusRule.labels Additional labels that can be used so PrometheusRule will be discovered by Prometheus
+    ##
+    labels: {}
+    ## @param metrics.prometheusRule.rules PrometheusRule definitions
+    ## Make sure to constraint the rules to the current postgresql service.
+    ## rules:
+    ##   - alert: HugeReplicationLag
+    ##     expr: pg_replication_lag{service="{{ printf "%s-metrics" (include "common.names.fullname" .) }}"} / 3600 > 1
+    ##     for: 1m
+    ##     labels:
+    ##       severity: critical
+    ##     annotations:
+    ##       description: replication for {{ include "common.names.fullname" . }} PostgreSQL is lagging by {{ "{{ $value }}" }} hour(s).
+    ##       summary: PostgreSQL replication is lagging by {{ "{{ $value }}" }} hour(s).
+    ##
+    rules: []
diff --git a/helm/infrastructure/subcharts/kong/ci/.chartsnap.yaml b/helm/infrastructure/subcharts/kong/ci/.chartsnap.yaml
new file mode 100644 (file)
index 0000000..110e0b2
--- /dev/null
@@ -0,0 +1,26 @@
+# It's a configuration file used by helm-chartsnap to ignore dynamically generated fields
+# when comparing the chart's snapshot with the rendered chart.
+# See https://github.com/jlandowner/helm-chartsnap?tab=readme-ov-file#handling-dynamic-values-.
+dynamicFields:
+  - apiVersion: v1
+    kind: Secret
+    name: chartsnap-postgresql
+    jsonPath:
+      - /data/postgres-password
+  - apiVersion: v1
+    kind: Secret
+    name: chartsnap-kong-validation-webhook-keypair
+    jsonPath:
+      - /data/tls.crt
+      - /data/tls.key
+  - apiVersion: v1
+    kind: Secret
+    name: chartsnap-kong-validation-webhook-ca-keypair
+    jsonPath:
+      - /data/tls.crt
+      - /data/tls.key
+  - apiVersion: admissionregistration.k8s.io/v1
+    kind: ValidatingWebhookConfiguration
+    name: chartsnap-kong-validations
+    jsonPath:
+      - /webhooks/0/clientConfig/caBundle
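Review bot: This file and the `ci/__snapshots__/*.snap` files that follow it are helm-chartsnap fixtures for the upstream kong chart's own CI; nothing visible in this commit runs helm-chartsnap in this repo, so if no such job exists the `ci/` directory is dead weight that will also be packaged with the subchart unless the chart's `.helmignore` excludes it (that file is not in view). If the fixtures are kept on purpose, a comment at the top saying so, e.g. `# Upstream kong chart CI fixtures (helm-chartsnap); keep in sync with the vendored chart version kong-2.38.0`, would stop the next reader from either deleting them or treating them as this project's test configuration. Minor: the file has no `---` document-start marker, which yamllint flags by default.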
diff --git a/helm/infrastructure/subcharts/kong/ci/__snapshots__/admin-api-service-clusterip-values.snap b/helm/infrastructure/subcharts/kong/ci/__snapshots__/admin-api-service-clusterip-values.snap
new file mode 100644 (file)
index 0000000..f7853bd
--- /dev/null
@@ -0,0 +1,371 @@
+[admin-api-service-clusterip-values]
+SnapShot = """
+- object:
+    apiVersion: apps/v1
+    kind: Deployment
+    metadata:
+        labels:
+            app.kubernetes.io/component: app
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            helm.sh/chart: kong-2.38.0
+        name: chartsnap-kong
+        namespace: default
+    spec:
+        replicas: 1
+        selector:
+            matchLabels:
+                app.kubernetes.io/component: app
+                app.kubernetes.io/instance: chartsnap
+                app.kubernetes.io/name: kong
+        template:
+            metadata:
+                annotations:
+                    checksum/dbless.config: 626be043e4a43b0d55af934d06216254abe132b29af82450379439ecd927219a
+                    kuma.io/gateway: enabled
+                    kuma.io/service-account-token-volume: chartsnap-kong-token
+                    traffic.sidecar.istio.io/includeInboundPorts: \"\"
+                labels:
+                    app: chartsnap-kong
+                    app.kubernetes.io/component: app
+                    app.kubernetes.io/instance: chartsnap
+                    app.kubernetes.io/managed-by: Helm
+                    app.kubernetes.io/name: kong
+                    app.kubernetes.io/version: \"3.6\"
+                    helm.sh/chart: kong-2.38.0
+                    version: \"3.6\"
+            spec:
+                automountServiceAccountToken: false
+                containers:
+                    - env:
+                        - name: KONG_ADMIN_ACCESS_LOG
+                          value: /dev/stdout
+                        - name: KONG_ADMIN_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_ADMIN_GUI_ACCESS_LOG
+                          value: /dev/stdout
+                        - name: KONG_ADMIN_GUI_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_ADMIN_LISTEN
+                          value: 0.0.0.0:8444 http2 ssl, [::]:8444 http2 ssl
+                        - name: KONG_CLUSTER_LISTEN
+                          value: \"off\"
+                        - name: KONG_DATABASE
+                          value: \"off\"
+                        - name: KONG_DECLARATIVE_CONFIG
+                          value: /kong_dbless/kong.yml
+                        - name: KONG_LUA_PACKAGE_PATH
+                          value: /opt/?.lua;/opt/?/init.lua;;
+                        - name: KONG_NGINX_WORKER_PROCESSES
+                          value: \"2\"
+                        - name: KONG_PORTAL_API_ACCESS_LOG
+                          value: /dev/stdout
+                        - name: KONG_PORTAL_API_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_PORT_MAPS
+                          value: 80:8000, 443:8443
+                        - name: KONG_PREFIX
+                          value: /kong_prefix/
+                        - name: KONG_PROXY_ACCESS_LOG
+                          value: /dev/stdout
+                        - name: KONG_PROXY_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_PROXY_LISTEN
+                          value: 0.0.0.0:8000, [::]:8000, 0.0.0.0:8443 http2 ssl, [::]:8443 http2 ssl
+                        - name: KONG_PROXY_STREAM_ACCESS_LOG
+                          value: /dev/stdout basic
+                        - name: KONG_PROXY_STREAM_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_ROUTER_FLAVOR
+                          value: traditional
+                        - name: KONG_STATUS_ACCESS_LOG
+                          value: \"off\"
+                        - name: KONG_STATUS_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_STATUS_LISTEN
+                          value: 0.0.0.0:8100, [::]:8100
+                        - name: KONG_STREAM_LISTEN
+                          value: \"off\"
+                        - name: KONG_NGINX_DAEMON
+                          value: \"off\"
+                      image: kong:3.6
+                      imagePullPolicy: IfNotPresent
+                      lifecycle:
+                        preStop:
+                            exec:
+                                command:
+                                    - kong
+                                    - quit
+                                    - --wait=15
+                      livenessProbe:
+                        failureThreshold: 3
+                        httpGet:
+                            path: /status
+                            port: status
+                            scheme: HTTP
+                        initialDelaySeconds: 5
+                        periodSeconds: 10
+                        successThreshold: 1
+                        timeoutSeconds: 5
+                      name: proxy
+                      ports:
+                        - containerPort: 8444
+                          name: admin-tls
+                          protocol: TCP
+                        - containerPort: 8000
+                          name: proxy
+                          protocol: TCP
+                        - containerPort: 8443
+                          name: proxy-tls
+                          protocol: TCP
+                        - containerPort: 8100
+                          name: status
+                          protocol: TCP
+                      readinessProbe:
+                        failureThreshold: 3
+                        httpGet:
+                            path: /status/ready
+                            port: status
+                            scheme: HTTP
+                        initialDelaySeconds: 5
+                        periodSeconds: 10
+                        successThreshold: 1
+                        timeoutSeconds: 5
+                      resources: {}
+                      securityContext:
+                        allowPrivilegeEscalation: false
+                        capabilities:
+                            drop:
+                                - ALL
+                        readOnlyRootFilesystem: true
+                        runAsNonRoot: true
+                        runAsUser: 1000
+                        seccompProfile:
+                            type: RuntimeDefault
+                      volumeMounts:
+                        - mountPath: /kong_prefix/
+                          name: chartsnap-kong-prefix-dir
+                        - mountPath: /tmp
+                          name: chartsnap-kong-tmp
+                        - mountPath: /kong_dbless/
+                          name: kong-custom-dbless-config-volume
+                initContainers:
+                    - command:
+                        - rm
+                        - -vrf
+                        - $KONG_PREFIX/pids
+                      env:
+                        - name: KONG_ADMIN_ACCESS_LOG
+                          value: /dev/stdout
+                        - name: KONG_ADMIN_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_ADMIN_GUI_ACCESS_LOG
+                          value: /dev/stdout
+                        - name: KONG_ADMIN_GUI_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_ADMIN_LISTEN
+                          value: 0.0.0.0:8444 http2 ssl, [::]:8444 http2 ssl
+                        - name: KONG_CLUSTER_LISTEN
+                          value: \"off\"
+                        - name: KONG_DATABASE
+                          value: \"off\"
+                        - name: KONG_DECLARATIVE_CONFIG
+                          value: /kong_dbless/kong.yml
+                        - name: KONG_LUA_PACKAGE_PATH
+                          value: /opt/?.lua;/opt/?/init.lua;;
+                        - name: KONG_NGINX_WORKER_PROCESSES
+                          value: \"2\"
+                        - name: KONG_PORTAL_API_ACCESS_LOG
+                          value: /dev/stdout
+                        - name: KONG_PORTAL_API_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_PORT_MAPS
+                          value: 80:8000, 443:8443
+                        - name: KONG_PREFIX
+                          value: /kong_prefix/
+                        - name: KONG_PROXY_ACCESS_LOG
+                          value: /dev/stdout
+                        - name: KONG_PROXY_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_PROXY_LISTEN
+                          value: 0.0.0.0:8000, [::]:8000, 0.0.0.0:8443 http2 ssl, [::]:8443 http2 ssl
+                        - name: KONG_PROXY_STREAM_ACCESS_LOG
+                          value: /dev/stdout basic
+                        - name: KONG_PROXY_STREAM_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_ROUTER_FLAVOR
+                          value: traditional
+                        - name: KONG_STATUS_ACCESS_LOG
+                          value: \"off\"
+                        - name: KONG_STATUS_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_STATUS_LISTEN
+                          value: 0.0.0.0:8100, [::]:8100
+                        - name: KONG_STREAM_LISTEN
+                          value: \"off\"
+                      image: kong:3.6
+                      imagePullPolicy: IfNotPresent
+                      name: clear-stale-pid
+                      resources: {}
+                      securityContext:
+                        allowPrivilegeEscalation: false
+                        capabilities:
+                            drop:
+                                - ALL
+                        readOnlyRootFilesystem: true
+                        runAsNonRoot: true
+                        runAsUser: 1000
+                        seccompProfile:
+                            type: RuntimeDefault
+                      volumeMounts:
+                        - mountPath: /kong_prefix/
+                          name: chartsnap-kong-prefix-dir
+                        - mountPath: /tmp
+                          name: chartsnap-kong-tmp
+                        - mountPath: /kong_dbless/
+                          name: kong-custom-dbless-config-volume
+                securityContext: {}
+                serviceAccountName: chartsnap-kong
+                terminationGracePeriodSeconds: 30
+                volumes:
+                    - emptyDir:
+                        sizeLimit: 256Mi
+                      name: chartsnap-kong-prefix-dir
+                    - emptyDir:
+                        sizeLimit: 1Gi
+                      name: chartsnap-kong-tmp
+                    - name: chartsnap-kong-token
+                      projected:
+                        sources:
+                            - serviceAccountToken:
+                                expirationSeconds: 3607
+                                path: token
+                            - configMap:
+                                items:
+                                    - key: ca.crt
+                                      path: ca.crt
+                                name: kube-root-ca.crt
+                            - downwardAPI:
+                                items:
+                                    - fieldRef:
+                                        apiVersion: v1
+                                        fieldPath: metadata.namespace
+                                      path: namespace
+                    - configMap:
+                        name: chartsnap-kong-custom-dbless-config
+                      name: kong-custom-dbless-config-volume
+- object:
+    apiVersion: v1
+    data:
+        kong.yml: |
+            _format_version: \"1.1\"
+            services:
+            - name: example.com
+              url: http://example.com
+              routes:
+              - name: example
+                paths:
+                - \"/example\"
+    kind: ConfigMap
+    metadata:
+        labels:
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            helm.sh/chart: kong-2.38.0
+        name: chartsnap-kong-custom-dbless-config
+        namespace: default
+- object:
+    apiVersion: v1
+    kind: Service
+    metadata:
+        labels:
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            helm.sh/chart: kong-2.38.0
+        name: chartsnap-kong-admin
+        namespace: default
+    spec:
+        ports:
+            - name: kong-admin-tls
+              port: 8444
+              protocol: TCP
+              targetPort: 8444
+        selector:
+            app.kubernetes.io/component: app
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/name: kong
+        type: ClusterIP
+- object:
+    apiVersion: v1
+    kind: Service
+    metadata:
+        labels:
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            helm.sh/chart: kong-2.38.0
+        name: chartsnap-kong-manager
+        namespace: default
+    spec:
+        ports:
+            - name: kong-manager
+              port: 8002
+              protocol: TCP
+              targetPort: 8002
+            - name: kong-manager-tls
+              port: 8445
+              protocol: TCP
+              targetPort: 8445
+        selector:
+            app.kubernetes.io/component: app
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/name: kong
+        type: NodePort
+- object:
+    apiVersion: v1
+    kind: Service
+    metadata:
+        labels:
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            enable-metrics: \"true\"
+            helm.sh/chart: kong-2.38.0
+        name: chartsnap-kong-proxy
+        namespace: default
+    spec:
+        ports:
+            - name: kong-proxy
+              port: 80
+              protocol: TCP
+              targetPort: 8000
+            - name: kong-proxy-tls
+              port: 443
+              protocol: TCP
+              targetPort: 8443
+        selector:
+            app.kubernetes.io/component: app
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/name: kong
+        type: LoadBalancer
+- object:
+    apiVersion: v1
+    kind: ServiceAccount
+    metadata:
+        labels:
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            helm.sh/chart: kong-2.38.0
+        name: chartsnap-kong
+        namespace: default
+"""
diff --git a/helm/infrastructure/subcharts/kong/ci/__snapshots__/custom-labels-values.snap b/helm/infrastructure/subcharts/kong/ci/__snapshots__/custom-labels-values.snap
new file mode 100644 (file)
index 0000000..70b631e
--- /dev/null
@@ -0,0 +1,920 @@
+[custom-labels-values]
+SnapShot = """
+- object:
+    apiVersion: admissionregistration.k8s.io/v1
+    kind: ValidatingWebhookConfiguration
+    metadata:
+        labels:
+            acme.com/some-key: some-value
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            helm.sh/chart: kong-2.38.0
+        name: chartsnap-kong-validations
+        namespace: default
+    webhooks:
+        - admissionReviewVersions:
+            - v1beta1
+          clientConfig:
+            caBundle: '###DYNAMIC_FIELD###'
+            service:
+                name: chartsnap-kong-validation-webhook
+                namespace: default
+          failurePolicy: Ignore
+          name: validations.kong.konghq.com
+          objectSelector:
+            matchExpressions:
+                - key: owner
+                  operator: NotIn
+                  values:
+                    - helm
+          rules:
+            - apiGroups:
+                - configuration.konghq.com
+              apiVersions:
+                - '*'
+              operations:
+                - CREATE
+                - UPDATE
+              resources:
+                - kongconsumers
+                - kongplugins
+                - kongclusterplugins
+                - kongingresses
+            - apiGroups:
+                - \"\"
+              apiVersions:
+                - v1
+              operations:
+                - CREATE
+                - UPDATE
+              resources:
+                - secrets
+                - services
+            - apiGroups:
+                - networking.k8s.io
+              apiVersions:
+                - v1
+              operations:
+                - CREATE
+                - UPDATE
+              resources:
+                - ingresses
+            - apiGroups:
+                - gateway.networking.k8s.io
+              apiVersions:
+                - v1alpha2
+                - v1beta1
+                - v1
+              operations:
+                - CREATE
+                - UPDATE
+              resources:
+                - gateways
+                - httproutes
+          sideEffects: None
+- object:
+    apiVersion: apps/v1
+    kind: Deployment
+    metadata:
+        labels:
+            acme.com/some-key: some-value
+            app.kubernetes.io/component: app
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            helm.sh/chart: kong-2.38.0
+        name: chartsnap-kong
+        namespace: default
+    spec:
+        replicas: 1
+        selector:
+            matchLabels:
+                app.kubernetes.io/component: app
+                app.kubernetes.io/instance: chartsnap
+                app.kubernetes.io/name: kong
+        template:
+            metadata:
+                annotations:
+                    kuma.io/gateway: enabled
+                    kuma.io/service-account-token-volume: chartsnap-kong-token
+                    traffic.sidecar.istio.io/includeInboundPorts: \"\"
+                labels:
+                    acme.com/some-key: some-value
+                    app: chartsnap-kong
+                    app.kubernetes.io/component: app
+                    app.kubernetes.io/instance: chartsnap
+                    app.kubernetes.io/managed-by: Helm
+                    app.kubernetes.io/name: kong
+                    app.kubernetes.io/version: \"3.6\"
+                    helm.sh/chart: kong-2.38.0
+                    version: \"3.6\"
+            spec:
+                automountServiceAccountToken: false
+                containers:
+                    - args: null
+                      env:
+                        - name: POD_NAME
+                          valueFrom:
+                            fieldRef:
+                                apiVersion: v1
+                                fieldPath: metadata.name
+                        - name: POD_NAMESPACE
+                          valueFrom:
+                            fieldRef:
+                                apiVersion: v1
+                                fieldPath: metadata.namespace
+                        - name: CONTROLLER_ADMISSION_WEBHOOK_LISTEN
+                          value: 0.0.0.0:8080
+                        - name: CONTROLLER_ELECTION_ID
+                          value: kong-ingress-controller-leader-kong
+                        - name: CONTROLLER_INGRESS_CLASS
+                          value: kong
+                        - name: CONTROLLER_KONG_ADMIN_TLS_SKIP_VERIFY
+                          value: \"true\"
+                        - name: CONTROLLER_KONG_ADMIN_URL
+                          value: https://localhost:8444
+                        - name: CONTROLLER_PUBLISH_SERVICE
+                          value: default/chartsnap-kong-proxy
+                      image: kong/kubernetes-ingress-controller:3.1
+                      imagePullPolicy: IfNotPresent
+                      livenessProbe:
+                        failureThreshold: 3
+                        httpGet:
+                            path: /healthz
+                            port: 10254
+                            scheme: HTTP
+                        initialDelaySeconds: 5
+                        periodSeconds: 10
+                        successThreshold: 1
+                        timeoutSeconds: 5
+                      name: ingress-controller
+                      ports:
+                        - containerPort: 8080
+                          name: webhook
+                          protocol: TCP
+                        - containerPort: 10255
+                          name: cmetrics
+                          protocol: TCP
+                        - containerPort: 10254
+                          name: cstatus
+                          protocol: TCP
+                      readinessProbe:
+                        failureThreshold: 3
+                        httpGet:
+                            path: /readyz
+                            port: 10254
+                            scheme: HTTP
+                        initialDelaySeconds: 5
+                        periodSeconds: 10
+                        successThreshold: 1
+                        timeoutSeconds: 5
+                      resources: {}
+                      securityContext:
+                        allowPrivilegeEscalation: false
+                        capabilities:
+                            drop:
+                                - ALL
+                        readOnlyRootFilesystem: true
+                        runAsNonRoot: true
+                        runAsUser: 1000
+                        seccompProfile:
+                            type: RuntimeDefault
+                      volumeMounts:
+                        - mountPath: /admission-webhook
+                          name: webhook-cert
+                          readOnly: true
+                        - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
+                          name: chartsnap-kong-token
+                          readOnly: true
+                    - env:
+                        - name: KONG_ADMIN_ACCESS_LOG
+                          value: /dev/stdout
+                        - name: KONG_ADMIN_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_ADMIN_GUI_ACCESS_LOG
+                          value: /dev/stdout
+                        - name: KONG_ADMIN_GUI_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_ADMIN_LISTEN
+                          value: 127.0.0.1:8444 http2 ssl, [::1]:8444 http2 ssl
+                        - name: KONG_CLUSTER_LISTEN
+                          value: \"off\"
+                        - name: KONG_DATABASE
+                          value: \"off\"
+                        - name: KONG_KIC
+                          value: \"on\"
+                        - name: KONG_LUA_PACKAGE_PATH
+                          value: /opt/?.lua;/opt/?/init.lua;;
+                        - name: KONG_NGINX_WORKER_PROCESSES
+                          value: \"2\"
+                        - name: KONG_PORTAL_API_ACCESS_LOG
+                          value: /dev/stdout
+                        - name: KONG_PORTAL_API_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_PORT_MAPS
+                          value: 80:8000, 443:8443
+                        - name: KONG_PREFIX
+                          value: /kong_prefix/
+                        - name: KONG_PROXY_ACCESS_LOG
+                          value: /dev/stdout
+                        - name: KONG_PROXY_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_PROXY_LISTEN
+                          value: 0.0.0.0:8000, [::]:8000, 0.0.0.0:8443 http2 ssl, [::]:8443 http2 ssl
+                        - name: KONG_PROXY_STREAM_ACCESS_LOG
+                          value: /dev/stdout basic
+                        - name: KONG_PROXY_STREAM_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_ROUTER_FLAVOR
+                          value: traditional
+                        - name: KONG_STATUS_ACCESS_LOG
+                          value: \"off\"
+                        - name: KONG_STATUS_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_STATUS_LISTEN
+                          value: 0.0.0.0:8100, [::]:8100
+                        - name: KONG_STREAM_LISTEN
+                          value: \"off\"
+                        - name: KONG_NGINX_DAEMON
+                          value: \"off\"
+                      image: kong:3.6
+                      imagePullPolicy: IfNotPresent
+                      lifecycle:
+                        preStop:
+                            exec:
+                                command:
+                                    - kong
+                                    - quit
+                                    - --wait=15
+                      livenessProbe:
+                        failureThreshold: 3
+                        httpGet:
+                            path: /status
+                            port: status
+                            scheme: HTTP
+                        initialDelaySeconds: 5
+                        periodSeconds: 10
+                        successThreshold: 1
+                        timeoutSeconds: 5
+                      name: proxy
+                      ports:
+                        - containerPort: 8000
+                          name: proxy
+                          protocol: TCP
+                        - containerPort: 8443
+                          name: proxy-tls
+                          protocol: TCP
+                        - containerPort: 8100
+                          name: status
+                          protocol: TCP
+                      readinessProbe:
+                        failureThreshold: 3
+                        httpGet:
+                            path: /status/ready
+                            port: status
+                            scheme: HTTP
+                        initialDelaySeconds: 5
+                        periodSeconds: 10
+                        successThreshold: 1
+                        timeoutSeconds: 5
+                      resources: {}
+                      securityContext:
+                        allowPrivilegeEscalation: false
+                        capabilities:
+                            drop:
+                                - ALL
+                        readOnlyRootFilesystem: true
+                        runAsNonRoot: true
+                        runAsUser: 1000
+                        seccompProfile:
+                            type: RuntimeDefault
+                      volumeMounts:
+                        - mountPath: /kong_prefix/
+                          name: chartsnap-kong-prefix-dir
+                        - mountPath: /tmp
+                          name: chartsnap-kong-tmp
+                initContainers:
+                    - command:
+                        - rm
+                        - -vrf
+                        - $KONG_PREFIX/pids
+                      env:
+                        - name: KONG_ADMIN_ACCESS_LOG
+                          value: /dev/stdout
+                        - name: KONG_ADMIN_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_ADMIN_GUI_ACCESS_LOG
+                          value: /dev/stdout
+                        - name: KONG_ADMIN_GUI_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_ADMIN_LISTEN
+                          value: 127.0.0.1:8444 http2 ssl, [::1]:8444 http2 ssl
+                        - name: KONG_CLUSTER_LISTEN
+                          value: \"off\"
+                        - name: KONG_DATABASE
+                          value: \"off\"
+                        - name: KONG_KIC
+                          value: \"on\"
+                        - name: KONG_LUA_PACKAGE_PATH
+                          value: /opt/?.lua;/opt/?/init.lua;;
+                        - name: KONG_NGINX_WORKER_PROCESSES
+                          value: \"2\"
+                        - name: KONG_PORTAL_API_ACCESS_LOG
+                          value: /dev/stdout
+                        - name: KONG_PORTAL_API_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_PORT_MAPS
+                          value: 80:8000, 443:8443
+                        - name: KONG_PREFIX
+                          value: /kong_prefix/
+                        - name: KONG_PROXY_ACCESS_LOG
+                          value: /dev/stdout
+                        - name: KONG_PROXY_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_PROXY_LISTEN
+                          value: 0.0.0.0:8000, [::]:8000, 0.0.0.0:8443 http2 ssl, [::]:8443 http2 ssl
+                        - name: KONG_PROXY_STREAM_ACCESS_LOG
+                          value: /dev/stdout basic
+                        - name: KONG_PROXY_STREAM_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_ROUTER_FLAVOR
+                          value: traditional
+                        - name: KONG_STATUS_ACCESS_LOG
+                          value: \"off\"
+                        - name: KONG_STATUS_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_STATUS_LISTEN
+                          value: 0.0.0.0:8100, [::]:8100
+                        - name: KONG_STREAM_LISTEN
+                          value: \"off\"
+                      image: kong:3.6
+                      imagePullPolicy: IfNotPresent
+                      name: clear-stale-pid
+                      resources: {}
+                      securityContext:
+                        allowPrivilegeEscalation: false
+                        capabilities:
+                            drop:
+                                - ALL
+                        readOnlyRootFilesystem: true
+                        runAsNonRoot: true
+                        runAsUser: 1000
+                        seccompProfile:
+                            type: RuntimeDefault
+                      volumeMounts:
+                        - mountPath: /kong_prefix/
+                          name: chartsnap-kong-prefix-dir
+                        - mountPath: /tmp
+                          name: chartsnap-kong-tmp
+                securityContext: {}
+                serviceAccountName: chartsnap-kong
+                terminationGracePeriodSeconds: 30
+                volumes:
+                    - emptyDir:
+                        sizeLimit: 256Mi
+                      name: chartsnap-kong-prefix-dir
+                    - emptyDir:
+                        sizeLimit: 1Gi
+                      name: chartsnap-kong-tmp
+                    - name: chartsnap-kong-token
+                      projected:
+                        sources:
+                            - serviceAccountToken:
+                                expirationSeconds: 3607
+                                path: token
+                            - configMap:
+                                items:
+                                    - key: ca.crt
+                                      path: ca.crt
+                                name: kube-root-ca.crt
+                            - downwardAPI:
+                                items:
+                                    - fieldRef:
+                                        apiVersion: v1
+                                        fieldPath: metadata.namespace
+                                      path: namespace
+                    - name: webhook-cert
+                      secret:
+                        secretName: chartsnap-kong-validation-webhook-keypair
+- object:
+    apiVersion: rbac.authorization.k8s.io/v1
+    kind: ClusterRole
+    metadata:
+        labels:
+            acme.com/some-key: some-value
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            helm.sh/chart: kong-2.38.0
+        name: chartsnap-kong
+    rules:
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - kongupstreampolicies
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - kongupstreampolicies/status
+          verbs:
+            - get
+            - patch
+            - update
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - kongconsumergroups
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - kongconsumergroups/status
+          verbs:
+            - get
+            - patch
+            - update
+        - apiGroups:
+            - \"\"
+          resources:
+            - events
+          verbs:
+            - create
+            - patch
+        - apiGroups:
+            - \"\"
+          resources:
+            - nodes
+          verbs:
+            - list
+            - watch
+        - apiGroups:
+            - \"\"
+          resources:
+            - pods
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - \"\"
+          resources:
+            - secrets
+          verbs:
+            - list
+            - watch
+        - apiGroups:
+            - \"\"
+          resources:
+            - services
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - \"\"
+          resources:
+            - services/status
+          verbs:
+            - get
+            - patch
+            - update
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - ingressclassparameterses
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - kongconsumers
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - kongconsumers/status
+          verbs:
+            - get
+            - patch
+            - update
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - kongingresses
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - kongingresses/status
+          verbs:
+            - get
+            - patch
+            - update
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - kongplugins
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - kongplugins/status
+          verbs:
+            - get
+            - patch
+            - update
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - tcpingresses
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - tcpingresses/status
+          verbs:
+            - get
+            - patch
+            - update
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - udpingresses
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - udpingresses/status
+          verbs:
+            - get
+            - patch
+            - update
+        - apiGroups:
+            - extensions
+          resources:
+            - ingresses
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - extensions
+          resources:
+            - ingresses/status
+          verbs:
+            - get
+            - patch
+            - update
+        - apiGroups:
+            - networking.k8s.io
+          resources:
+            - ingresses
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - networking.k8s.io
+          resources:
+            - ingresses/status
+          verbs:
+            - get
+            - patch
+            - update
+        - apiGroups:
+            - discovery.k8s.io
+          resources:
+            - endpointslices
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - konglicenses
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - konglicenses/status
+          verbs:
+            - get
+            - patch
+            - update
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - kongvaults
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - kongvaults/status
+          verbs:
+            - get
+            - patch
+            - update
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - kongclusterplugins
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - kongclusterplugins/status
+          verbs:
+            - get
+            - patch
+            - update
+        - apiGroups:
+            - apiextensions.k8s.io
+          resources:
+            - customresourcedefinitions
+          verbs:
+            - list
+            - watch
+        - apiGroups:
+            - networking.k8s.io
+          resources:
+            - ingressclasses
+          verbs:
+            - get
+            - list
+            - watch
+- object:
+    apiVersion: rbac.authorization.k8s.io/v1
+    kind: ClusterRoleBinding
+    metadata:
+        labels:
+            acme.com/some-key: some-value
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            helm.sh/chart: kong-2.38.0
+        name: chartsnap-kong
+    roleRef:
+        apiGroup: rbac.authorization.k8s.io
+        kind: ClusterRole
+        name: chartsnap-kong
+    subjects:
+        - kind: ServiceAccount
+          name: chartsnap-kong
+          namespace: default
+- object:
+    apiVersion: rbac.authorization.k8s.io/v1
+    kind: Role
+    metadata:
+        labels:
+            acme.com/some-key: some-value
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            helm.sh/chart: kong-2.38.0
+        name: chartsnap-kong
+        namespace: default
+    rules:
+        - apiGroups:
+            - \"\"
+          resources:
+            - configmaps
+            - pods
+            - secrets
+            - namespaces
+          verbs:
+            - get
+        - apiGroups:
+            - \"\"
+          resourceNames:
+            - kong-ingress-controller-leader-kong-kong
+          resources:
+            - configmaps
+          verbs:
+            - get
+            - update
+        - apiGroups:
+            - \"\"
+          resources:
+            - configmaps
+          verbs:
+            - create
+        - apiGroups:
+            - \"\"
+            - coordination.k8s.io
+          resources:
+            - configmaps
+            - leases
+          verbs:
+            - get
+            - list
+            - watch
+            - create
+            - update
+            - patch
+            - delete
+        - apiGroups:
+            - \"\"
+          resources:
+            - events
+          verbs:
+            - create
+            - patch
+        - apiGroups:
+            - \"\"
+          resources:
+            - services
+          verbs:
+            - get
+- object:
+    apiVersion: rbac.authorization.k8s.io/v1
+    kind: RoleBinding
+    metadata:
+        labels:
+            acme.com/some-key: some-value
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            helm.sh/chart: kong-2.38.0
+        name: chartsnap-kong
+        namespace: default
+    roleRef:
+        apiGroup: rbac.authorization.k8s.io
+        kind: Role
+        name: chartsnap-kong
+    subjects:
+        - kind: ServiceAccount
+          name: chartsnap-kong
+          namespace: default
+- object:
+    apiVersion: v1
+    data:
+        tls.crt: '###DYNAMIC_FIELD###'
+        tls.key: '###DYNAMIC_FIELD###'
+    kind: Secret
+    metadata:
+        labels:
+            acme.com/some-key: some-value
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            helm.sh/chart: kong-2.38.0
+        name: chartsnap-kong-validation-webhook-ca-keypair
+        namespace: default
+    type: kubernetes.io/tls
+- object:
+    apiVersion: v1
+    data:
+        tls.crt: '###DYNAMIC_FIELD###'
+        tls.key: '###DYNAMIC_FIELD###'
+    kind: Secret
+    metadata:
+        labels:
+            acme.com/some-key: some-value
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            helm.sh/chart: kong-2.38.0
+        name: chartsnap-kong-validation-webhook-keypair
+        namespace: default
+    type: kubernetes.io/tls
+- object:
+    apiVersion: v1
+    kind: Service
+    metadata:
+        labels:
+            acme.com/some-key: some-value
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            helm.sh/chart: kong-2.38.0
+        name: chartsnap-kong-manager
+        namespace: default
+    spec:
+        ports:
+            - name: kong-manager
+              port: 8002
+              protocol: TCP
+              targetPort: 8002
+            - name: kong-manager-tls
+              port: 8445
+              protocol: TCP
+              targetPort: 8445
+        selector:
+            app.kubernetes.io/component: app
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/name: kong
+        type: NodePort
+- object:
+    apiVersion: v1
+    kind: Service
+    metadata:
+        labels:
+            acme.com/some-key: some-value
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            enable-metrics: \"true\"
+            helm.sh/chart: kong-2.38.0
+        name: chartsnap-kong-proxy
+        namespace: default
+    spec:
+        ports:
+            - name: kong-proxy
+              port: 80
+              protocol: TCP
+              targetPort: 8000
+            - name: kong-proxy-tls
+              port: 443
+              protocol: TCP
+              targetPort: 8443
+        selector:
+            app.kubernetes.io/component: app
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/name: kong
+        type: LoadBalancer
+- object:
+    apiVersion: v1
+    kind: Service
+    metadata:
+        labels:
+            acme.com/some-key: some-value
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            helm.sh/chart: kong-2.38.0
+        name: chartsnap-kong-validation-webhook
+        namespace: default
+    spec:
+        ports:
+            - name: webhook
+              port: 443
+              protocol: TCP
+              targetPort: webhook
+        selector:
+            acme.com/some-key: some-value
+            app.kubernetes.io/component: app
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            helm.sh/chart: kong-2.38.0
+- object:
+    apiVersion: v1
+    kind: ServiceAccount
+    metadata:
+        labels:
+            acme.com/some-key: some-value
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            helm.sh/chart: kong-2.38.0
+        name: chartsnap-kong
+        namespace: default
+"""
diff --git a/helm/infrastructure/subcharts/kong/ci/__snapshots__/default-values.snap b/helm/infrastructure/subcharts/kong/ci/__snapshots__/default-values.snap
new file mode 100644 (file)
index 0000000..0733fed
--- /dev/null
@@ -0,0 +1,912 @@
+[default-values]
+SnapShot = """
+- object:
+    apiVersion: admissionregistration.k8s.io/v1
+    kind: ValidatingWebhookConfiguration
+    metadata:
+        labels:
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            helm.sh/chart: kong-2.38.0
+        name: chartsnap-kong-validations
+        namespace: default
+    webhooks:
+        - admissionReviewVersions:
+            - v1beta1
+          clientConfig:
+            caBundle: '###DYNAMIC_FIELD###'
+            service:
+                name: chartsnap-kong-validation-webhook
+                namespace: default
+          failurePolicy: Ignore
+          name: validations.kong.konghq.com
+          objectSelector:
+            matchExpressions:
+                - key: owner
+                  operator: NotIn
+                  values:
+                    - helm
+          rules:
+            - apiGroups:
+                - configuration.konghq.com
+              apiVersions:
+                - '*'
+              operations:
+                - CREATE
+                - UPDATE
+              resources:
+                - kongconsumers
+                - kongplugins
+                - kongclusterplugins
+                - kongingresses
+            - apiGroups:
+                - \"\"
+              apiVersions:
+                - v1
+              operations:
+                - CREATE
+                - UPDATE
+              resources:
+                - secrets
+                - services
+            - apiGroups:
+                - networking.k8s.io
+              apiVersions:
+                - v1
+              operations:
+                - CREATE
+                - UPDATE
+              resources:
+                - ingresses
+            - apiGroups:
+                - gateway.networking.k8s.io
+              apiVersions:
+                - v1alpha2
+                - v1beta1
+                - v1
+              operations:
+                - CREATE
+                - UPDATE
+              resources:
+                - gateways
+                - httproutes
+          sideEffects: None
+- object:
+    apiVersion: apps/v1
+    kind: Deployment
+    metadata:
+        labels:
+            app.kubernetes.io/component: app
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            helm.sh/chart: kong-2.38.0
+        name: chartsnap-kong
+        namespace: default
+    spec:
+        replicas: 1
+        selector:
+            matchLabels:
+                app.kubernetes.io/component: app
+                app.kubernetes.io/instance: chartsnap
+                app.kubernetes.io/name: kong
+        template:
+            metadata:
+                annotations:
+                    kuma.io/gateway: enabled
+                    kuma.io/service-account-token-volume: chartsnap-kong-token
+                    traffic.sidecar.istio.io/includeInboundPorts: \"\"
+                labels:
+                    app: chartsnap-kong
+                    app.kubernetes.io/component: app
+                    app.kubernetes.io/instance: chartsnap
+                    app.kubernetes.io/managed-by: Helm
+                    app.kubernetes.io/name: kong
+                    app.kubernetes.io/version: \"3.6\"
+                    helm.sh/chart: kong-2.38.0
+                    version: \"3.6\"
+            spec:
+                automountServiceAccountToken: false
+                containers:
+                    - args: null
+                      env:
+                        - name: POD_NAME
+                          valueFrom:
+                            fieldRef:
+                                apiVersion: v1
+                                fieldPath: metadata.name
+                        - name: POD_NAMESPACE
+                          valueFrom:
+                            fieldRef:
+                                apiVersion: v1
+                                fieldPath: metadata.namespace
+                        - name: CONTROLLER_ADMISSION_WEBHOOK_LISTEN
+                          value: 0.0.0.0:8080
+                        - name: CONTROLLER_ANONYMOUS_REPORTS
+                          value: \"false\"
+                        - name: CONTROLLER_ELECTION_ID
+                          value: kong-ingress-controller-leader-kong
+                        - name: CONTROLLER_INGRESS_CLASS
+                          value: kong
+                        - name: CONTROLLER_KONG_ADMIN_TLS_SKIP_VERIFY
+                          value: \"true\"
+                        - name: CONTROLLER_KONG_ADMIN_URL
+                          value: https://localhost:8444
+                        - name: CONTROLLER_PUBLISH_SERVICE
+                          value: default/chartsnap-kong-proxy
+                      image: kong/kubernetes-ingress-controller:3.1
+                      imagePullPolicy: IfNotPresent
+                      livenessProbe:
+                        failureThreshold: 3
+                        httpGet:
+                            path: /healthz
+                            port: 10254
+                            scheme: HTTP
+                        initialDelaySeconds: 5
+                        periodSeconds: 10
+                        successThreshold: 1
+                        timeoutSeconds: 5
+                      name: ingress-controller
+                      ports:
+                        - containerPort: 8080
+                          name: webhook
+                          protocol: TCP
+                        - containerPort: 10255
+                          name: cmetrics
+                          protocol: TCP
+                        - containerPort: 10254
+                          name: cstatus
+                          protocol: TCP
+                      readinessProbe:
+                        failureThreshold: 3
+                        httpGet:
+                            path: /readyz
+                            port: 10254
+                            scheme: HTTP
+                        initialDelaySeconds: 5
+                        periodSeconds: 10
+                        successThreshold: 1
+                        timeoutSeconds: 5
+                      resources: {}
+                      securityContext:
+                        allowPrivilegeEscalation: false
+                        capabilities:
+                            drop:
+                                - ALL
+                        readOnlyRootFilesystem: true
+                        runAsNonRoot: true
+                        runAsUser: 1000
+                        seccompProfile:
+                            type: RuntimeDefault
+                      volumeMounts:
+                        - mountPath: /admission-webhook
+                          name: webhook-cert
+                          readOnly: true
+                        - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
+                          name: chartsnap-kong-token
+                          readOnly: true
+                    - env:
+                        - name: KONG_ADMIN_ACCESS_LOG
+                          value: /dev/stdout
+                        - name: KONG_ADMIN_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_ADMIN_GUI_ACCESS_LOG
+                          value: /dev/stdout
+                        - name: KONG_ADMIN_GUI_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_ADMIN_LISTEN
+                          value: 127.0.0.1:8444 http2 ssl, [::1]:8444 http2 ssl
+                        - name: KONG_ANONYMOUS_REPORTS
+                          value: \"off\"
+                        - name: KONG_CLUSTER_LISTEN
+                          value: \"off\"
+                        - name: KONG_DATABASE
+                          value: \"off\"
+                        - name: KONG_KIC
+                          value: \"on\"
+                        - name: KONG_LUA_PACKAGE_PATH
+                          value: /opt/?.lua;/opt/?/init.lua;;
+                        - name: KONG_NGINX_WORKER_PROCESSES
+                          value: \"2\"
+                        - name: KONG_PORTAL_API_ACCESS_LOG
+                          value: /dev/stdout
+                        - name: KONG_PORTAL_API_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_PORT_MAPS
+                          value: 80:8000, 443:8443
+                        - name: KONG_PREFIX
+                          value: /kong_prefix/
+                        - name: KONG_PROXY_ACCESS_LOG
+                          value: /dev/stdout
+                        - name: KONG_PROXY_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_PROXY_LISTEN
+                          value: 0.0.0.0:8000, [::]:8000, 0.0.0.0:8443 http2 ssl, [::]:8443 http2 ssl
+                        - name: KONG_PROXY_STREAM_ACCESS_LOG
+                          value: /dev/stdout basic
+                        - name: KONG_PROXY_STREAM_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_ROUTER_FLAVOR
+                          value: traditional
+                        - name: KONG_STATUS_ACCESS_LOG
+                          value: \"off\"
+                        - name: KONG_STATUS_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_STATUS_LISTEN
+                          value: 0.0.0.0:8100, [::]:8100
+                        - name: KONG_STREAM_LISTEN
+                          value: \"off\"
+                        - name: KONG_NGINX_DAEMON
+                          value: \"off\"
+                      image: kong:3.6
+                      imagePullPolicy: IfNotPresent
+                      lifecycle:
+                        preStop:
+                            exec:
+                                command:
+                                    - kong
+                                    - quit
+                                    - --wait=15
+                      livenessProbe:
+                        failureThreshold: 3
+                        httpGet:
+                            path: /status
+                            port: status
+                            scheme: HTTP
+                        initialDelaySeconds: 5
+                        periodSeconds: 10
+                        successThreshold: 1
+                        timeoutSeconds: 5
+                      name: proxy
+                      ports:
+                        - containerPort: 8000
+                          name: proxy
+                          protocol: TCP
+                        - containerPort: 8443
+                          name: proxy-tls
+                          protocol: TCP
+                        - containerPort: 8100
+                          name: status
+                          protocol: TCP
+                      readinessProbe:
+                        failureThreshold: 3
+                        httpGet:
+                            path: /status/ready
+                            port: status
+                            scheme: HTTP
+                        initialDelaySeconds: 5
+                        periodSeconds: 10
+                        successThreshold: 1
+                        timeoutSeconds: 5
+                      resources: {}
+                      securityContext:
+                        allowPrivilegeEscalation: false
+                        capabilities:
+                            drop:
+                                - ALL
+                        readOnlyRootFilesystem: true
+                        runAsNonRoot: true
+                        runAsUser: 1000
+                        seccompProfile:
+                            type: RuntimeDefault
+                      volumeMounts:
+                        - mountPath: /kong_prefix/
+                          name: chartsnap-kong-prefix-dir
+                        - mountPath: /tmp
+                          name: chartsnap-kong-tmp
+                initContainers:
+                    - command:
+                        - rm
+                        - -vrf
+                        - $KONG_PREFIX/pids
+                      env:
+                        - name: KONG_ADMIN_ACCESS_LOG
+                          value: /dev/stdout
+                        - name: KONG_ADMIN_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_ADMIN_GUI_ACCESS_LOG
+                          value: /dev/stdout
+                        - name: KONG_ADMIN_GUI_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_ADMIN_LISTEN
+                          value: 127.0.0.1:8444 http2 ssl, [::1]:8444 http2 ssl
+                        - name: KONG_ANONYMOUS_REPORTS
+                          value: \"off\"
+                        - name: KONG_CLUSTER_LISTEN
+                          value: \"off\"
+                        - name: KONG_DATABASE
+                          value: \"off\"
+                        - name: KONG_KIC
+                          value: \"on\"
+                        - name: KONG_LUA_PACKAGE_PATH
+                          value: /opt/?.lua;/opt/?/init.lua;;
+                        - name: KONG_NGINX_WORKER_PROCESSES
+                          value: \"2\"
+                        - name: KONG_PORTAL_API_ACCESS_LOG
+                          value: /dev/stdout
+                        - name: KONG_PORTAL_API_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_PORT_MAPS
+                          value: 80:8000, 443:8443
+                        - name: KONG_PREFIX
+                          value: /kong_prefix/
+                        - name: KONG_PROXY_ACCESS_LOG
+                          value: /dev/stdout
+                        - name: KONG_PROXY_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_PROXY_LISTEN
+                          value: 0.0.0.0:8000, [::]:8000, 0.0.0.0:8443 http2 ssl, [::]:8443 http2 ssl
+                        - name: KONG_PROXY_STREAM_ACCESS_LOG
+                          value: /dev/stdout basic
+                        - name: KONG_PROXY_STREAM_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_ROUTER_FLAVOR
+                          value: traditional
+                        - name: KONG_STATUS_ACCESS_LOG
+                          value: \"off\"
+                        - name: KONG_STATUS_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_STATUS_LISTEN
+                          value: 0.0.0.0:8100, [::]:8100
+                        - name: KONG_STREAM_LISTEN
+                          value: \"off\"
+                      image: kong:3.6
+                      imagePullPolicy: IfNotPresent
+                      name: clear-stale-pid
+                      resources: {}
+                      securityContext:
+                        allowPrivilegeEscalation: false
+                        capabilities:
+                            drop:
+                                - ALL
+                        readOnlyRootFilesystem: true
+                        runAsNonRoot: true
+                        runAsUser: 1000
+                        seccompProfile:
+                            type: RuntimeDefault
+                      volumeMounts:
+                        - mountPath: /kong_prefix/
+                          name: chartsnap-kong-prefix-dir
+                        - mountPath: /tmp
+                          name: chartsnap-kong-tmp
+                securityContext: {}
+                serviceAccountName: chartsnap-kong
+                terminationGracePeriodSeconds: 30
+                volumes:
+                    - emptyDir:
+                        sizeLimit: 256Mi
+                      name: chartsnap-kong-prefix-dir
+                    - emptyDir:
+                        sizeLimit: 1Gi
+                      name: chartsnap-kong-tmp
+                    - name: chartsnap-kong-token
+                      projected:
+                        sources:
+                            - serviceAccountToken:
+                                expirationSeconds: 3607
+                                path: token
+                            - configMap:
+                                items:
+                                    - key: ca.crt
+                                      path: ca.crt
+                                name: kube-root-ca.crt
+                            - downwardAPI:
+                                items:
+                                    - fieldRef:
+                                        apiVersion: v1
+                                        fieldPath: metadata.namespace
+                                      path: namespace
+                    - name: webhook-cert
+                      secret:
+                        secretName: chartsnap-kong-validation-webhook-keypair
+- object:
+    apiVersion: rbac.authorization.k8s.io/v1
+    kind: ClusterRole
+    metadata:
+        labels:
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            helm.sh/chart: kong-2.38.0
+        name: chartsnap-kong
+    rules:
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - kongupstreampolicies
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - kongupstreampolicies/status
+          verbs:
+            - get
+            - patch
+            - update
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - kongconsumergroups
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - kongconsumergroups/status
+          verbs:
+            - get
+            - patch
+            - update
+        - apiGroups:
+            - \"\"
+          resources:
+            - events
+          verbs:
+            - create
+            - patch
+        - apiGroups:
+            - \"\"
+          resources:
+            - nodes
+          verbs:
+            - list
+            - watch
+        - apiGroups:
+            - \"\"
+          resources:
+            - pods
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - \"\"
+          resources:
+            - secrets
+          verbs:
+            - list
+            - watch
+        - apiGroups:
+            - \"\"
+          resources:
+            - services
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - \"\"
+          resources:
+            - services/status
+          verbs:
+            - get
+            - patch
+            - update
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - ingressclassparameterses
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - kongconsumers
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - kongconsumers/status
+          verbs:
+            - get
+            - patch
+            - update
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - kongingresses
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - kongingresses/status
+          verbs:
+            - get
+            - patch
+            - update
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - kongplugins
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - kongplugins/status
+          verbs:
+            - get
+            - patch
+            - update
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - tcpingresses
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - tcpingresses/status
+          verbs:
+            - get
+            - patch
+            - update
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - udpingresses
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - udpingresses/status
+          verbs:
+            - get
+            - patch
+            - update
+        - apiGroups:
+            - extensions
+          resources:
+            - ingresses
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - extensions
+          resources:
+            - ingresses/status
+          verbs:
+            - get
+            - patch
+            - update
+        - apiGroups:
+            - networking.k8s.io
+          resources:
+            - ingresses
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - networking.k8s.io
+          resources:
+            - ingresses/status
+          verbs:
+            - get
+            - patch
+            - update
+        - apiGroups:
+            - discovery.k8s.io
+          resources:
+            - endpointslices
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - konglicenses
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - konglicenses/status
+          verbs:
+            - get
+            - patch
+            - update
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - kongvaults
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - kongvaults/status
+          verbs:
+            - get
+            - patch
+            - update
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - kongclusterplugins
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - kongclusterplugins/status
+          verbs:
+            - get
+            - patch
+            - update
+        - apiGroups:
+            - apiextensions.k8s.io
+          resources:
+            - customresourcedefinitions
+          verbs:
+            - list
+            - watch
+        - apiGroups:
+            - networking.k8s.io
+          resources:
+            - ingressclasses
+          verbs:
+            - get
+            - list
+            - watch
+- object:
+    apiVersion: rbac.authorization.k8s.io/v1
+    kind: ClusterRoleBinding
+    metadata:
+        labels:
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            helm.sh/chart: kong-2.38.0
+        name: chartsnap-kong
+    roleRef:
+        apiGroup: rbac.authorization.k8s.io
+        kind: ClusterRole
+        name: chartsnap-kong
+    subjects:
+        - kind: ServiceAccount
+          name: chartsnap-kong
+          namespace: default
+- object:
+    apiVersion: rbac.authorization.k8s.io/v1
+    kind: Role
+    metadata:
+        labels:
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            helm.sh/chart: kong-2.38.0
+        name: chartsnap-kong
+        namespace: default
+    rules:
+        - apiGroups:
+            - \"\"
+          resources:
+            - configmaps
+            - pods
+            - secrets
+            - namespaces
+          verbs:
+            - get
+        - apiGroups:
+            - \"\"
+          resourceNames:
+            - kong-ingress-controller-leader-kong-kong
+          resources:
+            - configmaps
+          verbs:
+            - get
+            - update
+        - apiGroups:
+            - \"\"
+          resources:
+            - configmaps
+          verbs:
+            - create
+        - apiGroups:
+            - \"\"
+            - coordination.k8s.io
+          resources:
+            - configmaps
+            - leases
+          verbs:
+            - get
+            - list
+            - watch
+            - create
+            - update
+            - patch
+            - delete
+        - apiGroups:
+            - \"\"
+          resources:
+            - events
+          verbs:
+            - create
+            - patch
+        - apiGroups:
+            - \"\"
+          resources:
+            - services
+          verbs:
+            - get
+- object:
+    apiVersion: rbac.authorization.k8s.io/v1
+    kind: RoleBinding
+    metadata:
+        labels:
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            helm.sh/chart: kong-2.38.0
+        name: chartsnap-kong
+        namespace: default
+    roleRef:
+        apiGroup: rbac.authorization.k8s.io
+        kind: Role
+        name: chartsnap-kong
+    subjects:
+        - kind: ServiceAccount
+          name: chartsnap-kong
+          namespace: default
+- object:
+    apiVersion: v1
+    data:
+        tls.crt: '###DYNAMIC_FIELD###'
+        tls.key: '###DYNAMIC_FIELD###'
+    kind: Secret
+    metadata:
+        labels:
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            helm.sh/chart: kong-2.38.0
+        name: chartsnap-kong-validation-webhook-ca-keypair
+        namespace: default
+    type: kubernetes.io/tls
+- object:
+    apiVersion: v1
+    data:
+        tls.crt: '###DYNAMIC_FIELD###'
+        tls.key: '###DYNAMIC_FIELD###'
+    kind: Secret
+    metadata:
+        labels:
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            helm.sh/chart: kong-2.38.0
+        name: chartsnap-kong-validation-webhook-keypair
+        namespace: default
+    type: kubernetes.io/tls
+- object:
+    apiVersion: v1
+    kind: Service
+    metadata:
+        labels:
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            helm.sh/chart: kong-2.38.0
+        name: chartsnap-kong-manager
+        namespace: default
+    spec:
+        ports:
+            - name: kong-manager
+              port: 8002
+              protocol: TCP
+              targetPort: 8002
+            - name: kong-manager-tls
+              port: 8445
+              protocol: TCP
+              targetPort: 8445
+        selector:
+            app.kubernetes.io/component: app
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/name: kong
+        type: NodePort
+- object:
+    apiVersion: v1
+    kind: Service
+    metadata:
+        labels:
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            enable-metrics: \"true\"
+            helm.sh/chart: kong-2.38.0
+        name: chartsnap-kong-proxy
+        namespace: default
+    spec:
+        ports:
+            - name: kong-proxy
+              port: 80
+              protocol: TCP
+              targetPort: 8000
+            - name: kong-proxy-tls
+              port: 443
+              protocol: TCP
+              targetPort: 8443
+        selector:
+            app.kubernetes.io/component: app
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/name: kong
+        type: LoadBalancer
+- object:
+    apiVersion: v1
+    kind: Service
+    metadata:
+        labels:
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            helm.sh/chart: kong-2.38.0
+        name: chartsnap-kong-validation-webhook
+        namespace: default
+    spec:
+        ports:
+            - name: webhook
+              port: 443
+              protocol: TCP
+              targetPort: webhook
+        selector:
+            app.kubernetes.io/component: app
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            helm.sh/chart: kong-2.38.0
+- object:
+    apiVersion: v1
+    kind: ServiceAccount
+    metadata:
+        labels:
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            helm.sh/chart: kong-2.38.0
+        name: chartsnap-kong
+        namespace: default
+"""
diff --git a/helm/infrastructure/subcharts/kong/ci/__snapshots__/kong-ingress-1-values.snap b/helm/infrastructure/subcharts/kong/ci/__snapshots__/kong-ingress-1-values.snap
new file mode 100644 (file)
index 0000000..3de415c
--- /dev/null
@@ -0,0 +1,941 @@
+[kong-ingress-1-values]
+SnapShot = """
+- object:
+    apiVersion: admissionregistration.k8s.io/v1
+    kind: ValidatingWebhookConfiguration
+    metadata:
+        labels:
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            helm.sh/chart: kong-2.38.0
+        name: chartsnap-kong-validations
+        namespace: default
+    webhooks:
+        - admissionReviewVersions:
+            - v1beta1
+          clientConfig:
+            caBundle: '###DYNAMIC_FIELD###'
+            service:
+                name: chartsnap-kong-validation-webhook
+                namespace: default
+          failurePolicy: Ignore
+          name: validations.kong.konghq.com
+          objectSelector:
+            matchExpressions:
+                - key: owner
+                  operator: NotIn
+                  values:
+                    - helm
+          rules:
+            - apiGroups:
+                - configuration.konghq.com
+              apiVersions:
+                - '*'
+              operations:
+                - CREATE
+                - UPDATE
+              resources:
+                - kongconsumers
+                - kongplugins
+                - kongclusterplugins
+                - kongingresses
+            - apiGroups:
+                - \"\"
+              apiVersions:
+                - v1
+              operations:
+                - CREATE
+                - UPDATE
+              resources:
+                - secrets
+                - services
+            - apiGroups:
+                - networking.k8s.io
+              apiVersions:
+                - v1
+              operations:
+                - CREATE
+                - UPDATE
+              resources:
+                - ingresses
+            - apiGroups:
+                - gateway.networking.k8s.io
+              apiVersions:
+                - v1alpha2
+                - v1beta1
+                - v1
+              operations:
+                - CREATE
+                - UPDATE
+              resources:
+                - gateways
+                - httproutes
+          sideEffects: None
+- object:
+    apiVersion: apps/v1
+    kind: Deployment
+    metadata:
+        labels:
+            app.kubernetes.io/component: app
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            helm.sh/chart: kong-2.38.0
+        name: chartsnap-kong
+        namespace: default
+    spec:
+        replicas: 1
+        selector:
+            matchLabels:
+                app.kubernetes.io/component: app
+                app.kubernetes.io/instance: chartsnap
+                app.kubernetes.io/name: kong
+        template:
+            metadata:
+                annotations:
+                    kuma.io/gateway: enabled
+                    kuma.io/service-account-token-volume: chartsnap-kong-token
+                    traffic.sidecar.istio.io/includeInboundPorts: \"\"
+                labels:
+                    app: chartsnap-kong
+                    app.kubernetes.io/component: app
+                    app.kubernetes.io/instance: chartsnap
+                    app.kubernetes.io/managed-by: Helm
+                    app.kubernetes.io/name: kong
+                    app.kubernetes.io/version: \"3.6\"
+                    helm.sh/chart: kong-2.38.0
+                    version: \"3.6\"
+            spec:
+                automountServiceAccountToken: false
+                containers:
+                    - args: null
+                      env:
+                        - name: POD_NAME
+                          valueFrom:
+                            fieldRef:
+                                apiVersion: v1
+                                fieldPath: metadata.name
+                        - name: POD_NAMESPACE
+                          valueFrom:
+                            fieldRef:
+                                apiVersion: v1
+                                fieldPath: metadata.namespace
+                        - name: CONTROLLER_ADMISSION_WEBHOOK_LISTEN
+                          value: 0.0.0.0:8080
+                        - name: CONTROLLER_ELECTION_ID
+                          value: kong-ingress-controller-leader-kong
+                        - name: CONTROLLER_INGRESS_CLASS
+                          value: kong
+                        - name: CONTROLLER_KONG_ADMIN_TLS_SKIP_VERIFY
+                          value: \"true\"
+                        - name: CONTROLLER_KONG_ADMIN_URL
+                          value: https://localhost:8444
+                        - name: CONTROLLER_PUBLISH_SERVICE
+                          value: default/chartsnap-kong-proxy
+                      image: kong/kubernetes-ingress-controller:3.1
+                      imagePullPolicy: IfNotPresent
+                      livenessProbe:
+                        failureThreshold: 3
+                        httpGet:
+                            path: /healthz
+                            port: 10254
+                            scheme: HTTP
+                        initialDelaySeconds: 5
+                        periodSeconds: 10
+                        successThreshold: 1
+                        timeoutSeconds: 5
+                      name: ingress-controller
+                      ports:
+                        - containerPort: 8080
+                          name: webhook
+                          protocol: TCP
+                        - containerPort: 10255
+                          name: cmetrics
+                          protocol: TCP
+                        - containerPort: 10254
+                          name: cstatus
+                          protocol: TCP
+                      readinessProbe:
+                        failureThreshold: 3
+                        httpGet:
+                            path: /readyz
+                            port: 10254
+                            scheme: HTTP
+                        initialDelaySeconds: 5
+                        periodSeconds: 10
+                        successThreshold: 1
+                        timeoutSeconds: 5
+                      resources: {}
+                      securityContext:
+                        allowPrivilegeEscalation: false
+                        capabilities:
+                            drop:
+                                - ALL
+                        readOnlyRootFilesystem: true
+                        runAsNonRoot: true
+                        runAsUser: 1000
+                        seccompProfile:
+                            type: RuntimeDefault
+                      volumeMounts:
+                        - mountPath: /admission-webhook
+                          name: webhook-cert
+                          readOnly: true
+                        - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
+                          name: chartsnap-kong-token
+                          readOnly: true
+                    - env:
+                        - name: KONG_ADMIN_ACCESS_LOG
+                          value: /dev/stdout
+                        - name: KONG_ADMIN_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_ADMIN_GUI_ACCESS_LOG
+                          value: /dev/stdout
+                        - name: KONG_ADMIN_GUI_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_ADMIN_LISTEN
+                          value: 127.0.0.1:8444 http2 ssl, [::1]:8444 http2 ssl
+                        - name: KONG_CLUSTER_LISTEN
+                          value: \"off\"
+                        - name: KONG_DATABASE
+                          value: \"off\"
+                        - name: KONG_KIC
+                          value: \"on\"
+                        - name: KONG_LUA_PACKAGE_PATH
+                          value: /opt/?.lua;/opt/?/init.lua;;
+                        - name: KONG_NGINX_WORKER_PROCESSES
+                          value: \"2\"
+                        - name: KONG_PORTAL_API_ACCESS_LOG
+                          value: /dev/stdout
+                        - name: KONG_PORTAL_API_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_PORT_MAPS
+                          value: 80:8000, 443:8443
+                        - name: KONG_PREFIX
+                          value: /kong_prefix/
+                        - name: KONG_PROXY_ACCESS_LOG
+                          value: /dev/stdout
+                        - name: KONG_PROXY_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_PROXY_LISTEN
+                          value: 0.0.0.0:8000, [::]:8000, 0.0.0.0:8443 http2 ssl, [::]:8443 http2 ssl
+                        - name: KONG_PROXY_STREAM_ACCESS_LOG
+                          value: /dev/stdout basic
+                        - name: KONG_PROXY_STREAM_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_ROUTER_FLAVOR
+                          value: traditional
+                        - name: KONG_STATUS_ACCESS_LOG
+                          value: \"off\"
+                        - name: KONG_STATUS_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_STATUS_LISTEN
+                          value: 0.0.0.0:8100, [::]:8100
+                        - name: KONG_STREAM_LISTEN
+                          value: \"off\"
+                        - name: KONG_NGINX_DAEMON
+                          value: \"off\"
+                      image: kong:3.6
+                      imagePullPolicy: IfNotPresent
+                      lifecycle:
+                        preStop:
+                            exec:
+                                command:
+                                    - kong
+                                    - quit
+                                    - --wait=15
+                      livenessProbe:
+                        failureThreshold: 3
+                        httpGet:
+                            path: /status
+                            port: status
+                            scheme: HTTP
+                        initialDelaySeconds: 5
+                        periodSeconds: 10
+                        successThreshold: 1
+                        timeoutSeconds: 5
+                      name: proxy
+                      ports:
+                        - containerPort: 8000
+                          name: proxy
+                          protocol: TCP
+                        - containerPort: 8443
+                          name: proxy-tls
+                          protocol: TCP
+                        - containerPort: 8100
+                          name: status
+                          protocol: TCP
+                      readinessProbe:
+                        failureThreshold: 3
+                        httpGet:
+                            path: /status/ready
+                            port: status
+                            scheme: HTTP
+                        initialDelaySeconds: 5
+                        periodSeconds: 10
+                        successThreshold: 1
+                        timeoutSeconds: 5
+                      resources: {}
+                      securityContext:
+                        allowPrivilegeEscalation: false
+                        capabilities:
+                            drop:
+                                - ALL
+                        readOnlyRootFilesystem: true
+                        runAsNonRoot: true
+                        runAsUser: 1000
+                        seccompProfile:
+                            type: RuntimeDefault
+                      volumeMounts:
+                        - mountPath: /kong_prefix/
+                          name: chartsnap-kong-prefix-dir
+                        - mountPath: /tmp
+                          name: chartsnap-kong-tmp
+                initContainers:
+                    - command:
+                        - rm
+                        - -vrf
+                        - $KONG_PREFIX/pids
+                      env:
+                        - name: KONG_ADMIN_ACCESS_LOG
+                          value: /dev/stdout
+                        - name: KONG_ADMIN_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_ADMIN_GUI_ACCESS_LOG
+                          value: /dev/stdout
+                        - name: KONG_ADMIN_GUI_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_ADMIN_LISTEN
+                          value: 127.0.0.1:8444 http2 ssl, [::1]:8444 http2 ssl
+                        - name: KONG_CLUSTER_LISTEN
+                          value: \"off\"
+                        - name: KONG_DATABASE
+                          value: \"off\"
+                        - name: KONG_KIC
+                          value: \"on\"
+                        - name: KONG_LUA_PACKAGE_PATH
+                          value: /opt/?.lua;/opt/?/init.lua;;
+                        - name: KONG_NGINX_WORKER_PROCESSES
+                          value: \"2\"
+                        - name: KONG_PORTAL_API_ACCESS_LOG
+                          value: /dev/stdout
+                        - name: KONG_PORTAL_API_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_PORT_MAPS
+                          value: 80:8000, 443:8443
+                        - name: KONG_PREFIX
+                          value: /kong_prefix/
+                        - name: KONG_PROXY_ACCESS_LOG
+                          value: /dev/stdout
+                        - name: KONG_PROXY_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_PROXY_LISTEN
+                          value: 0.0.0.0:8000, [::]:8000, 0.0.0.0:8443 http2 ssl, [::]:8443 http2 ssl
+                        - name: KONG_PROXY_STREAM_ACCESS_LOG
+                          value: /dev/stdout basic
+                        - name: KONG_PROXY_STREAM_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_ROUTER_FLAVOR
+                          value: traditional
+                        - name: KONG_STATUS_ACCESS_LOG
+                          value: \"off\"
+                        - name: KONG_STATUS_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_STATUS_LISTEN
+                          value: 0.0.0.0:8100, [::]:8100
+                        - name: KONG_STREAM_LISTEN
+                          value: \"off\"
+                      image: kong:3.6
+                      imagePullPolicy: IfNotPresent
+                      name: clear-stale-pid
+                      resources: {}
+                      securityContext:
+                        allowPrivilegeEscalation: false
+                        capabilities:
+                            drop:
+                                - ALL
+                        readOnlyRootFilesystem: true
+                        runAsNonRoot: true
+                        runAsUser: 1000
+                        seccompProfile:
+                            type: RuntimeDefault
+                      volumeMounts:
+                        - mountPath: /kong_prefix/
+                          name: chartsnap-kong-prefix-dir
+                        - mountPath: /tmp
+                          name: chartsnap-kong-tmp
+                securityContext: {}
+                serviceAccountName: chartsnap-kong
+                terminationGracePeriodSeconds: 30
+                volumes:
+                    - emptyDir:
+                        sizeLimit: 256Mi
+                      name: chartsnap-kong-prefix-dir
+                    - emptyDir:
+                        sizeLimit: 1Gi
+                      name: chartsnap-kong-tmp
+                    - name: chartsnap-kong-token
+                      projected:
+                        sources:
+                            - serviceAccountToken:
+                                expirationSeconds: 3607
+                                path: token
+                            - configMap:
+                                items:
+                                    - key: ca.crt
+                                      path: ca.crt
+                                name: kube-root-ca.crt
+                            - downwardAPI:
+                                items:
+                                    - fieldRef:
+                                        apiVersion: v1
+                                        fieldPath: metadata.namespace
+                                      path: namespace
+                    - name: webhook-cert
+                      secret:
+                        secretName: chartsnap-kong-validation-webhook-keypair
+- object:
+    apiVersion: networking.k8s.io/v1
+    kind: Ingress
+    metadata:
+        labels:
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            helm.sh/chart: kong-2.38.0
+        name: chartsnap-kong-proxy
+        namespace: default
+    spec:
+        rules:
+            - http:
+                paths:
+                    - backend:
+                        service:
+                            name: chartsnap-kong-proxy
+                            port:
+                                number: 443
+                      path: /
+                      pathType: ImplementationSpecific
+        tls:
+            - hosts: null
+              secretName: kong.proxy.example.secret
+- object:
+    apiVersion: rbac.authorization.k8s.io/v1
+    kind: ClusterRole
+    metadata:
+        labels:
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            helm.sh/chart: kong-2.38.0
+        name: chartsnap-kong
+    rules:
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - kongupstreampolicies
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - kongupstreampolicies/status
+          verbs:
+            - get
+            - patch
+            - update
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - kongconsumergroups
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - kongconsumergroups/status
+          verbs:
+            - get
+            - patch
+            - update
+        - apiGroups:
+            - \"\"
+          resources:
+            - events
+          verbs:
+            - create
+            - patch
+        - apiGroups:
+            - \"\"
+          resources:
+            - nodes
+          verbs:
+            - list
+            - watch
+        - apiGroups:
+            - \"\"
+          resources:
+            - pods
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - \"\"
+          resources:
+            - secrets
+          verbs:
+            - list
+            - watch
+        - apiGroups:
+            - \"\"
+          resources:
+            - services
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - \"\"
+          resources:
+            - services/status
+          verbs:
+            - get
+            - patch
+            - update
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - ingressclassparameterses
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - kongconsumers
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - kongconsumers/status
+          verbs:
+            - get
+            - patch
+            - update
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - kongingresses
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - kongingresses/status
+          verbs:
+            - get
+            - patch
+            - update
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - kongplugins
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - kongplugins/status
+          verbs:
+            - get
+            - patch
+            - update
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - tcpingresses
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - tcpingresses/status
+          verbs:
+            - get
+            - patch
+            - update
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - udpingresses
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - udpingresses/status
+          verbs:
+            - get
+            - patch
+            - update
+        - apiGroups:
+            - extensions
+          resources:
+            - ingresses
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - extensions
+          resources:
+            - ingresses/status
+          verbs:
+            - get
+            - patch
+            - update
+        - apiGroups:
+            - networking.k8s.io
+          resources:
+            - ingresses
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - networking.k8s.io
+          resources:
+            - ingresses/status
+          verbs:
+            - get
+            - patch
+            - update
+        - apiGroups:
+            - discovery.k8s.io
+          resources:
+            - endpointslices
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - konglicenses
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - konglicenses/status
+          verbs:
+            - get
+            - patch
+            - update
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - kongvaults
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - kongvaults/status
+          verbs:
+            - get
+            - patch
+            - update
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - kongclusterplugins
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - kongclusterplugins/status
+          verbs:
+            - get
+            - patch
+            - update
+        - apiGroups:
+            - apiextensions.k8s.io
+          resources:
+            - customresourcedefinitions
+          verbs:
+            - list
+            - watch
+        - apiGroups:
+            - networking.k8s.io
+          resources:
+            - ingressclasses
+          verbs:
+            - get
+            - list
+            - watch
+- object:
+    apiVersion: rbac.authorization.k8s.io/v1
+    kind: ClusterRoleBinding
+    metadata:
+        labels:
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            helm.sh/chart: kong-2.38.0
+        name: chartsnap-kong
+    roleRef:
+        apiGroup: rbac.authorization.k8s.io
+        kind: ClusterRole
+        name: chartsnap-kong
+    subjects:
+        - kind: ServiceAccount
+          name: chartsnap-kong
+          namespace: default
+- object:
+    apiVersion: rbac.authorization.k8s.io/v1
+    kind: Role
+    metadata:
+        labels:
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            helm.sh/chart: kong-2.38.0
+        name: chartsnap-kong
+        namespace: default
+    rules:
+        - apiGroups:
+            - \"\"
+          resources:
+            - configmaps
+            - pods
+            - secrets
+            - namespaces
+          verbs:
+            - get
+        - apiGroups:
+            - \"\"
+          resourceNames:
+            - kong-ingress-controller-leader-kong-kong
+          resources:
+            - configmaps
+          verbs:
+            - get
+            - update
+        - apiGroups:
+            - \"\"
+          resources:
+            - configmaps
+          verbs:
+            - create
+        - apiGroups:
+            - \"\"
+            - coordination.k8s.io
+          resources:
+            - configmaps
+            - leases
+          verbs:
+            - get
+            - list
+            - watch
+            - create
+            - update
+            - patch
+            - delete
+        - apiGroups:
+            - \"\"
+          resources:
+            - events
+          verbs:
+            - create
+            - patch
+        - apiGroups:
+            - \"\"
+          resources:
+            - services
+          verbs:
+            - get
+- object:
+    apiVersion: rbac.authorization.k8s.io/v1
+    kind: RoleBinding
+    metadata:
+        labels:
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            helm.sh/chart: kong-2.38.0
+        name: chartsnap-kong
+        namespace: default
+    roleRef:
+        apiGroup: rbac.authorization.k8s.io
+        kind: Role
+        name: chartsnap-kong
+    subjects:
+        - kind: ServiceAccount
+          name: chartsnap-kong
+          namespace: default
+- object:
+    apiVersion: v1
+    data:
+        tls.crt: '###DYNAMIC_FIELD###'
+        tls.key: '###DYNAMIC_FIELD###'
+    kind: Secret
+    metadata:
+        labels:
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            helm.sh/chart: kong-2.38.0
+        name: chartsnap-kong-validation-webhook-ca-keypair
+        namespace: default
+    type: kubernetes.io/tls
+- object:
+    apiVersion: v1
+    data:
+        tls.crt: '###DYNAMIC_FIELD###'
+        tls.key: '###DYNAMIC_FIELD###'
+    kind: Secret
+    metadata:
+        labels:
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            helm.sh/chart: kong-2.38.0
+        name: chartsnap-kong-validation-webhook-keypair
+        namespace: default
+    type: kubernetes.io/tls
+- object:
+    apiVersion: v1
+    data:
+        tls.crt: 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
+        tls.key: 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
+    kind: Secret
+    metadata:
+        name: kong.proxy.example.secret
+    type: kubernetes.io/tls
+- object:
+    apiVersion: v1
+    kind: Service
+    metadata:
+        labels:
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            helm.sh/chart: kong-2.38.0
+        name: chartsnap-kong-manager
+        namespace: default
+    spec:
+        ports:
+            - name: kong-manager
+              port: 8002
+              protocol: TCP
+              targetPort: 8002
+            - name: kong-manager-tls
+              port: 8445
+              protocol: TCP
+              targetPort: 8445
+        selector:
+            app.kubernetes.io/component: app
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/name: kong
+        type: NodePort
+- object:
+    apiVersion: v1
+    kind: Service
+    metadata:
+        labels:
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            enable-metrics: \"true\"
+            helm.sh/chart: kong-2.38.0
+        name: chartsnap-kong-proxy
+        namespace: default
+    spec:
+        ports:
+            - name: kong-proxy
+              port: 80
+              protocol: TCP
+              targetPort: 8000
+            - name: kong-proxy-tls
+              port: 443
+              protocol: TCP
+              targetPort: 8443
+        selector:
+            app.kubernetes.io/component: app
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/name: kong
+        type: LoadBalancer
+- object:
+    apiVersion: v1
+    kind: Service
+    metadata:
+        labels:
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            helm.sh/chart: kong-2.38.0
+        name: chartsnap-kong-validation-webhook
+        namespace: default
+    spec:
+        ports:
+            - name: webhook
+              port: 443
+              protocol: TCP
+              targetPort: webhook
+        selector:
+            app.kubernetes.io/component: app
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            helm.sh/chart: kong-2.38.0
+- object:
+    apiVersion: v1
+    kind: ServiceAccount
+    metadata:
+        labels:
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            helm.sh/chart: kong-2.38.0
+        name: chartsnap-kong
+        namespace: default
+"""
diff --git a/helm/infrastructure/subcharts/kong/ci/__snapshots__/kong-ingress-2-values.snap b/helm/infrastructure/subcharts/kong/ci/__snapshots__/kong-ingress-2-values.snap
new file mode 100644 (file)
index 0000000..456a421
--- /dev/null
@@ -0,0 +1,943 @@
+[kong-ingress-2-values]
+SnapShot = """
+- object:
+    apiVersion: admissionregistration.k8s.io/v1
+    kind: ValidatingWebhookConfiguration
+    metadata:
+        labels:
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            helm.sh/chart: kong-2.38.0
+        name: chartsnap-kong-validations
+        namespace: default
+    webhooks:
+        - admissionReviewVersions:
+            - v1beta1
+          clientConfig:
+            caBundle: '###DYNAMIC_FIELD###'
+            service:
+                name: chartsnap-kong-validation-webhook
+                namespace: default
+          failurePolicy: Ignore
+          name: validations.kong.konghq.com
+          objectSelector:
+            matchExpressions:
+                - key: owner
+                  operator: NotIn
+                  values:
+                    - helm
+          rules:
+            - apiGroups:
+                - configuration.konghq.com
+              apiVersions:
+                - '*'
+              operations:
+                - CREATE
+                - UPDATE
+              resources:
+                - kongconsumers
+                - kongplugins
+                - kongclusterplugins
+                - kongingresses
+            - apiGroups:
+                - \"\"
+              apiVersions:
+                - v1
+              operations:
+                - CREATE
+                - UPDATE
+              resources:
+                - secrets
+                - services
+            - apiGroups:
+                - networking.k8s.io
+              apiVersions:
+                - v1
+              operations:
+                - CREATE
+                - UPDATE
+              resources:
+                - ingresses
+            - apiGroups:
+                - gateway.networking.k8s.io
+              apiVersions:
+                - v1alpha2
+                - v1beta1
+                - v1
+              operations:
+                - CREATE
+                - UPDATE
+              resources:
+                - gateways
+                - httproutes
+          sideEffects: None
+- object:
+    apiVersion: apps/v1
+    kind: Deployment
+    metadata:
+        labels:
+            app.kubernetes.io/component: app
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            helm.sh/chart: kong-2.38.0
+        name: chartsnap-kong
+        namespace: default
+    spec:
+        replicas: 1
+        selector:
+            matchLabels:
+                app.kubernetes.io/component: app
+                app.kubernetes.io/instance: chartsnap
+                app.kubernetes.io/name: kong
+        template:
+            metadata:
+                annotations:
+                    kuma.io/gateway: enabled
+                    kuma.io/service-account-token-volume: chartsnap-kong-token
+                    traffic.sidecar.istio.io/includeInboundPorts: \"\"
+                labels:
+                    app: chartsnap-kong
+                    app.kubernetes.io/component: app
+                    app.kubernetes.io/instance: chartsnap
+                    app.kubernetes.io/managed-by: Helm
+                    app.kubernetes.io/name: kong
+                    app.kubernetes.io/version: \"3.6\"
+                    helm.sh/chart: kong-2.38.0
+                    version: \"3.6\"
+            spec:
+                automountServiceAccountToken: false
+                containers:
+                    - args: null
+                      env:
+                        - name: POD_NAME
+                          valueFrom:
+                            fieldRef:
+                                apiVersion: v1
+                                fieldPath: metadata.name
+                        - name: POD_NAMESPACE
+                          valueFrom:
+                            fieldRef:
+                                apiVersion: v1
+                                fieldPath: metadata.namespace
+                        - name: CONTROLLER_ADMISSION_WEBHOOK_LISTEN
+                          value: 0.0.0.0:8080
+                        - name: CONTROLLER_ELECTION_ID
+                          value: kong-ingress-controller-leader-kong
+                        - name: CONTROLLER_INGRESS_CLASS
+                          value: kong
+                        - name: CONTROLLER_KONG_ADMIN_TLS_SKIP_VERIFY
+                          value: \"true\"
+                        - name: CONTROLLER_KONG_ADMIN_URL
+                          value: https://localhost:8444
+                        - name: CONTROLLER_PUBLISH_SERVICE
+                          value: default/chartsnap-kong-proxy
+                      image: kong/kubernetes-ingress-controller:3.1
+                      imagePullPolicy: IfNotPresent
+                      livenessProbe:
+                        failureThreshold: 3
+                        httpGet:
+                            path: /healthz
+                            port: 10254
+                            scheme: HTTP
+                        initialDelaySeconds: 5
+                        periodSeconds: 10
+                        successThreshold: 1
+                        timeoutSeconds: 5
+                      name: ingress-controller
+                      ports:
+                        - containerPort: 8080
+                          name: webhook
+                          protocol: TCP
+                        - containerPort: 10255
+                          name: cmetrics
+                          protocol: TCP
+                        - containerPort: 10254
+                          name: cstatus
+                          protocol: TCP
+                      readinessProbe:
+                        failureThreshold: 3
+                        httpGet:
+                            path: /readyz
+                            port: 10254
+                            scheme: HTTP
+                        initialDelaySeconds: 5
+                        periodSeconds: 10
+                        successThreshold: 1
+                        timeoutSeconds: 5
+                      resources: {}
+                      securityContext:
+                        allowPrivilegeEscalation: false
+                        capabilities:
+                            drop:
+                                - ALL
+                        readOnlyRootFilesystem: true
+                        runAsNonRoot: true
+                        runAsUser: 1000
+                        seccompProfile:
+                            type: RuntimeDefault
+                      volumeMounts:
+                        - mountPath: /admission-webhook
+                          name: webhook-cert
+                          readOnly: true
+                        - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
+                          name: chartsnap-kong-token
+                          readOnly: true
+                    - env:
+                        - name: KONG_ADMIN_ACCESS_LOG
+                          value: /dev/stdout
+                        - name: KONG_ADMIN_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_ADMIN_GUI_ACCESS_LOG
+                          value: /dev/stdout
+                        - name: KONG_ADMIN_GUI_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_ADMIN_LISTEN
+                          value: 127.0.0.1:8444 http2 ssl, [::1]:8444 http2 ssl
+                        - name: KONG_CLUSTER_LISTEN
+                          value: \"off\"
+                        - name: KONG_DATABASE
+                          value: \"off\"
+                        - name: KONG_KIC
+                          value: \"on\"
+                        - name: KONG_LUA_PACKAGE_PATH
+                          value: /opt/?.lua;/opt/?/init.lua;;
+                        - name: KONG_NGINX_WORKER_PROCESSES
+                          value: \"2\"
+                        - name: KONG_PORTAL_API_ACCESS_LOG
+                          value: /dev/stdout
+                        - name: KONG_PORTAL_API_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_PORT_MAPS
+                          value: 80:8000, 443:8443
+                        - name: KONG_PREFIX
+                          value: /kong_prefix/
+                        - name: KONG_PROXY_ACCESS_LOG
+                          value: /dev/stdout
+                        - name: KONG_PROXY_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_PROXY_LISTEN
+                          value: 0.0.0.0:8000, [::]:8000, 0.0.0.0:8443 http2 ssl, [::]:8443 http2 ssl
+                        - name: KONG_PROXY_STREAM_ACCESS_LOG
+                          value: /dev/stdout basic
+                        - name: KONG_PROXY_STREAM_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_ROUTER_FLAVOR
+                          value: traditional
+                        - name: KONG_STATUS_ACCESS_LOG
+                          value: \"off\"
+                        - name: KONG_STATUS_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_STATUS_LISTEN
+                          value: 0.0.0.0:8100, [::]:8100
+                        - name: KONG_STREAM_LISTEN
+                          value: \"off\"
+                        - name: KONG_NGINX_DAEMON
+                          value: \"off\"
+                      image: kong:3.6
+                      imagePullPolicy: IfNotPresent
+                      lifecycle:
+                        preStop:
+                            exec:
+                                command:
+                                    - kong
+                                    - quit
+                                    - --wait=15
+                      livenessProbe:
+                        failureThreshold: 3
+                        httpGet:
+                            path: /status
+                            port: status
+                            scheme: HTTP
+                        initialDelaySeconds: 5
+                        periodSeconds: 10
+                        successThreshold: 1
+                        timeoutSeconds: 5
+                      name: proxy
+                      ports:
+                        - containerPort: 8000
+                          name: proxy
+                          protocol: TCP
+                        - containerPort: 8443
+                          name: proxy-tls
+                          protocol: TCP
+                        - containerPort: 8100
+                          name: status
+                          protocol: TCP
+                      readinessProbe:
+                        failureThreshold: 3
+                        httpGet:
+                            path: /status/ready
+                            port: status
+                            scheme: HTTP
+                        initialDelaySeconds: 5
+                        periodSeconds: 10
+                        successThreshold: 1
+                        timeoutSeconds: 5
+                      resources: {}
+                      securityContext:
+                        allowPrivilegeEscalation: false
+                        capabilities:
+                            drop:
+                                - ALL
+                        readOnlyRootFilesystem: true
+                        runAsNonRoot: true
+                        runAsUser: 1000
+                        seccompProfile:
+                            type: RuntimeDefault
+                      volumeMounts:
+                        - mountPath: /kong_prefix/
+                          name: chartsnap-kong-prefix-dir
+                        - mountPath: /tmp
+                          name: chartsnap-kong-tmp
+                initContainers:
+                    - command:
+                        - rm
+                        - -vrf
+                        - $KONG_PREFIX/pids
+                      env:
+                        - name: KONG_ADMIN_ACCESS_LOG
+                          value: /dev/stdout
+                        - name: KONG_ADMIN_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_ADMIN_GUI_ACCESS_LOG
+                          value: /dev/stdout
+                        - name: KONG_ADMIN_GUI_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_ADMIN_LISTEN
+                          value: 127.0.0.1:8444 http2 ssl, [::1]:8444 http2 ssl
+                        - name: KONG_CLUSTER_LISTEN
+                          value: \"off\"
+                        - name: KONG_DATABASE
+                          value: \"off\"
+                        - name: KONG_KIC
+                          value: \"on\"
+                        - name: KONG_LUA_PACKAGE_PATH
+                          value: /opt/?.lua;/opt/?/init.lua;;
+                        - name: KONG_NGINX_WORKER_PROCESSES
+                          value: \"2\"
+                        - name: KONG_PORTAL_API_ACCESS_LOG
+                          value: /dev/stdout
+                        - name: KONG_PORTAL_API_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_PORT_MAPS
+                          value: 80:8000, 443:8443
+                        - name: KONG_PREFIX
+                          value: /kong_prefix/
+                        - name: KONG_PROXY_ACCESS_LOG
+                          value: /dev/stdout
+                        - name: KONG_PROXY_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_PROXY_LISTEN
+                          value: 0.0.0.0:8000, [::]:8000, 0.0.0.0:8443 http2 ssl, [::]:8443 http2 ssl
+                        - name: KONG_PROXY_STREAM_ACCESS_LOG
+                          value: /dev/stdout basic
+                        - name: KONG_PROXY_STREAM_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_ROUTER_FLAVOR
+                          value: traditional
+                        - name: KONG_STATUS_ACCESS_LOG
+                          value: \"off\"
+                        - name: KONG_STATUS_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_STATUS_LISTEN
+                          value: 0.0.0.0:8100, [::]:8100
+                        - name: KONG_STREAM_LISTEN
+                          value: \"off\"
+                      image: kong:3.6
+                      imagePullPolicy: IfNotPresent
+                      name: clear-stale-pid
+                      resources: {}
+                      securityContext:
+                        allowPrivilegeEscalation: false
+                        capabilities:
+                            drop:
+                                - ALL
+                        readOnlyRootFilesystem: true
+                        runAsNonRoot: true
+                        runAsUser: 1000
+                        seccompProfile:
+                            type: RuntimeDefault
+                      volumeMounts:
+                        - mountPath: /kong_prefix/
+                          name: chartsnap-kong-prefix-dir
+                        - mountPath: /tmp
+                          name: chartsnap-kong-tmp
+                securityContext: {}
+                serviceAccountName: chartsnap-kong
+                terminationGracePeriodSeconds: 30
+                volumes:
+                    - emptyDir:
+                        sizeLimit: 256Mi
+                      name: chartsnap-kong-prefix-dir
+                    - emptyDir:
+                        sizeLimit: 1Gi
+                      name: chartsnap-kong-tmp
+                    - name: chartsnap-kong-token
+                      projected:
+                        sources:
+                            - serviceAccountToken:
+                                expirationSeconds: 3607
+                                path: token
+                            - configMap:
+                                items:
+                                    - key: ca.crt
+                                      path: ca.crt
+                                name: kube-root-ca.crt
+                            - downwardAPI:
+                                items:
+                                    - fieldRef:
+                                        apiVersion: v1
+                                        fieldPath: metadata.namespace
+                                      path: namespace
+                    - name: webhook-cert
+                      secret:
+                        secretName: chartsnap-kong-validation-webhook-keypair
+- object:
+    apiVersion: networking.k8s.io/v1
+    kind: Ingress
+    metadata:
+        labels:
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            helm.sh/chart: kong-2.38.0
+        name: chartsnap-kong-proxy
+        namespace: default
+    spec:
+        rules:
+            - host: proxy.kong.example
+              http:
+                paths:
+                    - backend:
+                        service:
+                            name: chartsnap-kong-proxy
+                            port:
+                                number: 443
+                      path: /
+                      pathType: ImplementationSpecific
+        tls:
+            - hosts:
+                - proxy.kong.example
+              secretName: kong.proxy.example.secret
+- object:
+    apiVersion: rbac.authorization.k8s.io/v1
+    kind: ClusterRole
+    metadata:
+        labels:
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            helm.sh/chart: kong-2.38.0
+        name: chartsnap-kong
+    rules:
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - kongupstreampolicies
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - kongupstreampolicies/status
+          verbs:
+            - get
+            - patch
+            - update
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - kongconsumergroups
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - kongconsumergroups/status
+          verbs:
+            - get
+            - patch
+            - update
+        - apiGroups:
+            - \"\"
+          resources:
+            - events
+          verbs:
+            - create
+            - patch
+        - apiGroups:
+            - \"\"
+          resources:
+            - nodes
+          verbs:
+            - list
+            - watch
+        - apiGroups:
+            - \"\"
+          resources:
+            - pods
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - \"\"
+          resources:
+            - secrets
+          verbs:
+            - list
+            - watch
+        - apiGroups:
+            - \"\"
+          resources:
+            - services
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - \"\"
+          resources:
+            - services/status
+          verbs:
+            - get
+            - patch
+            - update
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - ingressclassparameterses
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - kongconsumers
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - kongconsumers/status
+          verbs:
+            - get
+            - patch
+            - update
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - kongingresses
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - kongingresses/status
+          verbs:
+            - get
+            - patch
+            - update
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - kongplugins
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - kongplugins/status
+          verbs:
+            - get
+            - patch
+            - update
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - tcpingresses
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - tcpingresses/status
+          verbs:
+            - get
+            - patch
+            - update
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - udpingresses
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - udpingresses/status
+          verbs:
+            - get
+            - patch
+            - update
+        - apiGroups:
+            - extensions
+          resources:
+            - ingresses
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - extensions
+          resources:
+            - ingresses/status
+          verbs:
+            - get
+            - patch
+            - update
+        - apiGroups:
+            - networking.k8s.io
+          resources:
+            - ingresses
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - networking.k8s.io
+          resources:
+            - ingresses/status
+          verbs:
+            - get
+            - patch
+            - update
+        - apiGroups:
+            - discovery.k8s.io
+          resources:
+            - endpointslices
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - konglicenses
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - konglicenses/status
+          verbs:
+            - get
+            - patch
+            - update
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - kongvaults
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - kongvaults/status
+          verbs:
+            - get
+            - patch
+            - update
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - kongclusterplugins
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - kongclusterplugins/status
+          verbs:
+            - get
+            - patch
+            - update
+        - apiGroups:
+            - apiextensions.k8s.io
+          resources:
+            - customresourcedefinitions
+          verbs:
+            - list
+            - watch
+        - apiGroups:
+            - networking.k8s.io
+          resources:
+            - ingressclasses
+          verbs:
+            - get
+            - list
+            - watch
+- object:
+    apiVersion: rbac.authorization.k8s.io/v1
+    kind: ClusterRoleBinding
+    metadata:
+        labels:
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            helm.sh/chart: kong-2.38.0
+        name: chartsnap-kong
+    roleRef:
+        apiGroup: rbac.authorization.k8s.io
+        kind: ClusterRole
+        name: chartsnap-kong
+    subjects:
+        - kind: ServiceAccount
+          name: chartsnap-kong
+          namespace: default
+- object:
+    apiVersion: rbac.authorization.k8s.io/v1
+    kind: Role
+    metadata:
+        labels:
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            helm.sh/chart: kong-2.38.0
+        name: chartsnap-kong
+        namespace: default
+    rules:
+        - apiGroups:
+            - \"\"
+          resources:
+            - configmaps
+            - pods
+            - secrets
+            - namespaces
+          verbs:
+            - get
+        - apiGroups:
+            - \"\"
+          resourceNames:
+            - kong-ingress-controller-leader-kong-kong
+          resources:
+            - configmaps
+          verbs:
+            - get
+            - update
+        - apiGroups:
+            - \"\"
+          resources:
+            - configmaps
+          verbs:
+            - create
+        - apiGroups:
+            - \"\"
+            - coordination.k8s.io
+          resources:
+            - configmaps
+            - leases
+          verbs:
+            - get
+            - list
+            - watch
+            - create
+            - update
+            - patch
+            - delete
+        - apiGroups:
+            - \"\"
+          resources:
+            - events
+          verbs:
+            - create
+            - patch
+        - apiGroups:
+            - \"\"
+          resources:
+            - services
+          verbs:
+            - get
+- object:
+    apiVersion: rbac.authorization.k8s.io/v1
+    kind: RoleBinding
+    metadata:
+        labels:
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            helm.sh/chart: kong-2.38.0
+        name: chartsnap-kong
+        namespace: default
+    roleRef:
+        apiGroup: rbac.authorization.k8s.io
+        kind: Role
+        name: chartsnap-kong
+    subjects:
+        - kind: ServiceAccount
+          name: chartsnap-kong
+          namespace: default
+- object:
+    apiVersion: v1
+    data:
+        tls.crt: '###DYNAMIC_FIELD###'
+        tls.key: '###DYNAMIC_FIELD###'
+    kind: Secret
+    metadata:
+        labels:
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            helm.sh/chart: kong-2.38.0
+        name: chartsnap-kong-validation-webhook-ca-keypair
+        namespace: default
+    type: kubernetes.io/tls
+- object:
+    apiVersion: v1
+    data:
+        tls.crt: '###DYNAMIC_FIELD###'
+        tls.key: '###DYNAMIC_FIELD###'
+    kind: Secret
+    metadata:
+        labels:
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            helm.sh/chart: kong-2.38.0
+        name: chartsnap-kong-validation-webhook-keypair
+        namespace: default
+    type: kubernetes.io/tls
+- object:
+    apiVersion: v1
+    data:
+        tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURoakNDQW00Q0NRQ0tyTDdSS1Y0NTBEQU5CZ2txaGtpRzl3MEJBUXNGQURDQmhERUxNQWtHQTFVRUJoTUMKV0ZneEVqQVFCZ05WQkFnTUNWTjBZWFJsVG1GdFpURVJNQThHQTFVRUJ3d0lRMmwwZVU1aGJXVXhGREFTQmdOVgpCQW9NQzBOdmJYQmhibmxPWVcxbE1Sc3dHUVlEVlFRTERCSkRiMjF3WVc1NVUyVmpkR2x2Yms1aGJXVXhHekFaCkJnTlZCQU1NRW5CeWIzaDVMbXR2Ym1jdVpYaGhiWEJzWlRBZUZ3MHlNekEyTWprd09ERTBNekJhRncwek16QTIKTWpZd09ERTBNekJhTUlHRU1Rc3dDUVlEVlFRR0V3SllXREVTTUJBR0ExVUVDQXdKVTNSaGRHVk9ZVzFsTVJFdwpEd1lEVlFRSERBaERhWFI1VG1GdFpURVVNQklHQTFVRUNnd0xRMjl0Y0dGdWVVNWhiV1V4R3pBWkJnTlZCQXNNCkVrTnZiWEJoYm5sVFpXTjBhVzl1VG1GdFpURWJNQmtHQTFVRUF3d1NjSEp2ZUhrdWEyOXVaeTVsZUdGdGNHeGwKTUlJQklqQU5CZ2txaGtpRzl3MEJBUUVGQUFPQ0FROEFNSUlCQ2dLQ0FRRUE4Wmd4czI1RXdtaXRsRG1HMitWVwpscUZ4R3lkVHU2dWlCVldFZjNoV0h2R3YvUWpYZHBBWXlkc3ZpNS92b1FtcjNUeVJBb3VaR1lCR3RuVEF0cU5rCnFLUmFVaWppVlN3TTNzeUl1cHluMlRjSjk1N2RLUCtUYTRaL0VNUlRwSCtya1psV01LNVYrNUszTmFIL21leDUKVWRRWkl4WUxNM0xIM0t0cmt2OWZRNlhSZ2dkeXo0MEt2YUV6SW1scEVoQnBoS0g5UWJiL3RFRE0vdFFqbC9FUApmbUF5M2Y5WE1uRDNSeFY3TnFrZktpUjNXZ1JDMnFyNWtPbXlJTGp1YWxERk1Zb3lDZUlmSnd1WmVDaEpGb3ZHClFKUFY2WU9xTG5aRWN3MU9BaVBXQnMycXVmWmlsNXplekRDZUFGZDV3eXVrS1dPZ3pTZ3Q2VzZvN2FBRTBDK3YKclFJREFRQUJNQTBHQ1NxR1NJYjNEUUVCQ3dVQUE0SUJBUUNGZHhFOFVsMVorcWxBbW1lTk5BdlAyZVVxSElTbQpHWXZidzdGdW82bXNJY3V3cjZKeENBWjIwako5UkphalMzWS9TS3BteXM2OXZxU21ic25oeUJzc01mL1ZtenFSClBVLzVkUUZiblNybUJqMnFBNWxtRCtENDVLUEtrTjc1V21NeDRQWkZseEw3WHVLYnZhYVZBUjFFUmRNZy90NisKUXpPV3BVWVZrcFJnQmlxTDBTTjhvTStOTjdScGFESFNkZjlTY1FtUmhNVklNNDdVZ1ZXNWhta21mQjBkUTFhQQo5NWdTQ3E0cGVwUFRzY3NsbVBzM0lOck5BTk45KytyMnM1bXRTWnp5VktRU0cwRjQ0Y1puWjdTdkdTVFJORDlUCnRKVzNTcko3elBwS0JqWi9qVDRRVnpBdGtHN3FSV2ZhYnlWTmVrK29wMTgwSVY5Um9IR1JDU0kyCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
+        tls.key: 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
+    kind: Secret
+    metadata:
+        name: kong.proxy.example.secret
+    type: kubernetes.io/tls
+- object:
+    apiVersion: v1
+    kind: Service
+    metadata:
+        labels:
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            helm.sh/chart: kong-2.38.0
+        name: chartsnap-kong-manager
+        namespace: default
+    spec:
+        ports:
+            - name: kong-manager
+              port: 8002
+              protocol: TCP
+              targetPort: 8002
+            - name: kong-manager-tls
+              port: 8445
+              protocol: TCP
+              targetPort: 8445
+        selector:
+            app.kubernetes.io/component: app
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/name: kong
+        type: NodePort
+- object:
+    apiVersion: v1
+    kind: Service
+    metadata:
+        labels:
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            enable-metrics: \"true\"
+            helm.sh/chart: kong-2.38.0
+        name: chartsnap-kong-proxy
+        namespace: default
+    spec:
+        ports:
+            - name: kong-proxy
+              port: 80
+              protocol: TCP
+              targetPort: 8000
+            - name: kong-proxy-tls
+              port: 443
+              protocol: TCP
+              targetPort: 8443
+        selector:
+            app.kubernetes.io/component: app
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/name: kong
+        type: LoadBalancer
+- object:
+    apiVersion: v1
+    kind: Service
+    metadata:
+        labels:
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            helm.sh/chart: kong-2.38.0
+        name: chartsnap-kong-validation-webhook
+        namespace: default
+    spec:
+        ports:
+            - name: webhook
+              port: 443
+              protocol: TCP
+              targetPort: webhook
+        selector:
+            app.kubernetes.io/component: app
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            helm.sh/chart: kong-2.38.0
+- object:
+    apiVersion: v1
+    kind: ServiceAccount
+    metadata:
+        labels:
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            helm.sh/chart: kong-2.38.0
+        name: chartsnap-kong
+        namespace: default
+"""
diff --git a/helm/infrastructure/subcharts/kong/ci/__snapshots__/kong-ingress-3-values.snap b/helm/infrastructure/subcharts/kong/ci/__snapshots__/kong-ingress-3-values.snap
new file mode 100644 (file)
index 0000000..7c37f23
--- /dev/null
@@ -0,0 +1,930 @@
+[kong-ingress-3-values]
+SnapShot = """
+- object:
+    apiVersion: admissionregistration.k8s.io/v1
+    kind: ValidatingWebhookConfiguration
+    metadata:
+        labels:
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            helm.sh/chart: kong-2.38.0
+        name: chartsnap-kong-validations
+        namespace: default
+    webhooks:
+        - admissionReviewVersions:
+            - v1beta1
+          clientConfig:
+            caBundle: '###DYNAMIC_FIELD###'
+            service:
+                name: chartsnap-kong-validation-webhook
+                namespace: default
+          failurePolicy: Ignore
+          name: validations.kong.konghq.com
+          objectSelector:
+            matchExpressions:
+                - key: owner
+                  operator: NotIn
+                  values:
+                    - helm
+          rules:
+            - apiGroups:
+                - configuration.konghq.com
+              apiVersions:
+                - '*'
+              operations:
+                - CREATE
+                - UPDATE
+              resources:
+                - kongconsumers
+                - kongplugins
+                - kongclusterplugins
+                - kongingresses
+            - apiGroups:
+                - \"\"
+              apiVersions:
+                - v1
+              operations:
+                - CREATE
+                - UPDATE
+              resources:
+                - secrets
+                - services
+            - apiGroups:
+                - networking.k8s.io
+              apiVersions:
+                - v1
+              operations:
+                - CREATE
+                - UPDATE
+              resources:
+                - ingresses
+            - apiGroups:
+                - gateway.networking.k8s.io
+              apiVersions:
+                - v1alpha2
+                - v1beta1
+                - v1
+              operations:
+                - CREATE
+                - UPDATE
+              resources:
+                - gateways
+                - httproutes
+          sideEffects: None
+- object:
+    apiVersion: apps/v1
+    kind: Deployment
+    metadata:
+        labels:
+            app.kubernetes.io/component: app
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            helm.sh/chart: kong-2.38.0
+        name: chartsnap-kong
+        namespace: default
+    spec:
+        replicas: 1
+        selector:
+            matchLabels:
+                app.kubernetes.io/component: app
+                app.kubernetes.io/instance: chartsnap
+                app.kubernetes.io/name: kong
+        template:
+            metadata:
+                annotations:
+                    kuma.io/gateway: enabled
+                    kuma.io/service-account-token-volume: chartsnap-kong-token
+                    traffic.sidecar.istio.io/includeInboundPorts: \"\"
+                labels:
+                    app: chartsnap-kong
+                    app.kubernetes.io/component: app
+                    app.kubernetes.io/instance: chartsnap
+                    app.kubernetes.io/managed-by: Helm
+                    app.kubernetes.io/name: kong
+                    app.kubernetes.io/version: \"3.6\"
+                    helm.sh/chart: kong-2.38.0
+                    version: \"3.6\"
+            spec:
+                automountServiceAccountToken: false
+                containers:
+                    - args: null
+                      env:
+                        - name: POD_NAME
+                          valueFrom:
+                            fieldRef:
+                                apiVersion: v1
+                                fieldPath: metadata.name
+                        - name: POD_NAMESPACE
+                          valueFrom:
+                            fieldRef:
+                                apiVersion: v1
+                                fieldPath: metadata.namespace
+                        - name: CONTROLLER_ADMISSION_WEBHOOK_LISTEN
+                          value: 0.0.0.0:8080
+                        - name: CONTROLLER_ELECTION_ID
+                          value: kong-ingress-controller-leader-kong
+                        - name: CONTROLLER_INGRESS_CLASS
+                          value: kong
+                        - name: CONTROLLER_KONG_ADMIN_TLS_SKIP_VERIFY
+                          value: \"true\"
+                        - name: CONTROLLER_KONG_ADMIN_URL
+                          value: https://localhost:8444
+                        - name: CONTROLLER_PUBLISH_SERVICE
+                          value: default/chartsnap-kong-proxy
+                      image: kong/kubernetes-ingress-controller:3.1
+                      imagePullPolicy: IfNotPresent
+                      livenessProbe:
+                        failureThreshold: 3
+                        httpGet:
+                            path: /healthz
+                            port: 10254
+                            scheme: HTTP
+                        initialDelaySeconds: 5
+                        periodSeconds: 10
+                        successThreshold: 1
+                        timeoutSeconds: 5
+                      name: ingress-controller
+                      ports:
+                        - containerPort: 8080
+                          name: webhook
+                          protocol: TCP
+                        - containerPort: 10255
+                          name: cmetrics
+                          protocol: TCP
+                        - containerPort: 10254
+                          name: cstatus
+                          protocol: TCP
+                      readinessProbe:
+                        failureThreshold: 3
+                        httpGet:
+                            path: /readyz
+                            port: 10254
+                            scheme: HTTP
+                        initialDelaySeconds: 5
+                        periodSeconds: 10
+                        successThreshold: 1
+                        timeoutSeconds: 5
+                      resources: {}
+                      securityContext:
+                        allowPrivilegeEscalation: false
+                        capabilities:
+                            drop:
+                                - ALL
+                        readOnlyRootFilesystem: true
+                        runAsNonRoot: true
+                        runAsUser: 1000
+                        seccompProfile:
+                            type: RuntimeDefault
+                      volumeMounts:
+                        - mountPath: /admission-webhook
+                          name: webhook-cert
+                          readOnly: true
+                        - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
+                          name: chartsnap-kong-token
+                          readOnly: true
+                    - env:
+                        - name: KONG_ADMIN_ACCESS_LOG
+                          value: /dev/stdout
+                        - name: KONG_ADMIN_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_ADMIN_GUI_ACCESS_LOG
+                          value: /dev/stdout
+                        - name: KONG_ADMIN_GUI_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_ADMIN_LISTEN
+                          value: 127.0.0.1:8444 http2 ssl, [::1]:8444 http2 ssl
+                        - name: KONG_CLUSTER_LISTEN
+                          value: \"off\"
+                        - name: KONG_DATABASE
+                          value: \"off\"
+                        - name: KONG_KIC
+                          value: \"on\"
+                        - name: KONG_LUA_PACKAGE_PATH
+                          value: /opt/?.lua;/opt/?/init.lua;;
+                        - name: KONG_NGINX_WORKER_PROCESSES
+                          value: \"2\"
+                        - name: KONG_PORTAL_API_ACCESS_LOG
+                          value: /dev/stdout
+                        - name: KONG_PORTAL_API_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_PORT_MAPS
+                          value: 80:8000, 443:8443
+                        - name: KONG_PREFIX
+                          value: /kong_prefix/
+                        - name: KONG_PROXY_ACCESS_LOG
+                          value: /dev/stdout
+                        - name: KONG_PROXY_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_PROXY_LISTEN
+                          value: 0.0.0.0:8000, [::]:8000, 0.0.0.0:8443 http2 ssl, [::]:8443 http2 ssl
+                        - name: KONG_PROXY_STREAM_ACCESS_LOG
+                          value: /dev/stdout basic
+                        - name: KONG_PROXY_STREAM_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_ROUTER_FLAVOR
+                          value: traditional
+                        - name: KONG_STATUS_ACCESS_LOG
+                          value: \"off\"
+                        - name: KONG_STATUS_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_STATUS_LISTEN
+                          value: 0.0.0.0:8100, [::]:8100
+                        - name: KONG_STREAM_LISTEN
+                          value: \"off\"
+                        - name: KONG_NGINX_DAEMON
+                          value: \"off\"
+                      image: kong:3.6
+                      imagePullPolicy: IfNotPresent
+                      lifecycle:
+                        preStop:
+                            exec:
+                                command:
+                                    - kong
+                                    - quit
+                                    - --wait=15
+                      livenessProbe:
+                        failureThreshold: 3
+                        httpGet:
+                            path: /status
+                            port: status
+                            scheme: HTTP
+                        initialDelaySeconds: 5
+                        periodSeconds: 10
+                        successThreshold: 1
+                        timeoutSeconds: 5
+                      name: proxy
+                      ports:
+                        - containerPort: 8000
+                          name: proxy
+                          protocol: TCP
+                        - containerPort: 8443
+                          name: proxy-tls
+                          protocol: TCP
+                        - containerPort: 8100
+                          name: status
+                          protocol: TCP
+                      readinessProbe:
+                        failureThreshold: 3
+                        httpGet:
+                            path: /status/ready
+                            port: status
+                            scheme: HTTP
+                        initialDelaySeconds: 5
+                        periodSeconds: 10
+                        successThreshold: 1
+                        timeoutSeconds: 5
+                      resources: {}
+                      securityContext:
+                        allowPrivilegeEscalation: false
+                        capabilities:
+                            drop:
+                                - ALL
+                        readOnlyRootFilesystem: true
+                        runAsNonRoot: true
+                        runAsUser: 1000
+                        seccompProfile:
+                            type: RuntimeDefault
+                      volumeMounts:
+                        - mountPath: /kong_prefix/
+                          name: chartsnap-kong-prefix-dir
+                        - mountPath: /tmp
+                          name: chartsnap-kong-tmp
+                initContainers:
+                    - command:
+                        - rm
+                        - -vrf
+                        - $KONG_PREFIX/pids
+                      env:
+                        - name: KONG_ADMIN_ACCESS_LOG
+                          value: /dev/stdout
+                        - name: KONG_ADMIN_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_ADMIN_GUI_ACCESS_LOG
+                          value: /dev/stdout
+                        - name: KONG_ADMIN_GUI_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_ADMIN_LISTEN
+                          value: 127.0.0.1:8444 http2 ssl, [::1]:8444 http2 ssl
+                        - name: KONG_CLUSTER_LISTEN
+                          value: \"off\"
+                        - name: KONG_DATABASE
+                          value: \"off\"
+                        - name: KONG_KIC
+                          value: \"on\"
+                        - name: KONG_LUA_PACKAGE_PATH
+                          value: /opt/?.lua;/opt/?/init.lua;;
+                        - name: KONG_NGINX_WORKER_PROCESSES
+                          value: \"2\"
+                        - name: KONG_PORTAL_API_ACCESS_LOG
+                          value: /dev/stdout
+                        - name: KONG_PORTAL_API_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_PORT_MAPS
+                          value: 80:8000, 443:8443
+                        - name: KONG_PREFIX
+                          value: /kong_prefix/
+                        - name: KONG_PROXY_ACCESS_LOG
+                          value: /dev/stdout
+                        - name: KONG_PROXY_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_PROXY_LISTEN
+                          value: 0.0.0.0:8000, [::]:8000, 0.0.0.0:8443 http2 ssl, [::]:8443 http2 ssl
+                        - name: KONG_PROXY_STREAM_ACCESS_LOG
+                          value: /dev/stdout basic
+                        - name: KONG_PROXY_STREAM_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_ROUTER_FLAVOR
+                          value: traditional
+                        - name: KONG_STATUS_ACCESS_LOG
+                          value: \"off\"
+                        - name: KONG_STATUS_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_STATUS_LISTEN
+                          value: 0.0.0.0:8100, [::]:8100
+                        - name: KONG_STREAM_LISTEN
+                          value: \"off\"
+                      image: kong:3.6
+                      imagePullPolicy: IfNotPresent
+                      name: clear-stale-pid
+                      resources: {}
+                      securityContext:
+                        allowPrivilegeEscalation: false
+                        capabilities:
+                            drop:
+                                - ALL
+                        readOnlyRootFilesystem: true
+                        runAsNonRoot: true
+                        runAsUser: 1000
+                        seccompProfile:
+                            type: RuntimeDefault
+                      volumeMounts:
+                        - mountPath: /kong_prefix/
+                          name: chartsnap-kong-prefix-dir
+                        - mountPath: /tmp
+                          name: chartsnap-kong-tmp
+                securityContext: {}
+                serviceAccountName: chartsnap-kong
+                terminationGracePeriodSeconds: 30
+                volumes:
+                    - emptyDir:
+                        sizeLimit: 256Mi
+                      name: chartsnap-kong-prefix-dir
+                    - emptyDir:
+                        sizeLimit: 1Gi
+                      name: chartsnap-kong-tmp
+                    - name: chartsnap-kong-token
+                      projected:
+                        sources:
+                            - serviceAccountToken:
+                                expirationSeconds: 3607
+                                path: token
+                            - configMap:
+                                items:
+                                    - key: ca.crt
+                                      path: ca.crt
+                                name: kube-root-ca.crt
+                            - downwardAPI:
+                                items:
+                                    - fieldRef:
+                                        apiVersion: v1
+                                        fieldPath: metadata.namespace
+                                      path: namespace
+                    - name: webhook-cert
+                      secret:
+                        secretName: chartsnap-kong-validation-webhook-keypair
+- object:
+    apiVersion: networking.k8s.io/v1
+    kind: Ingress
+    metadata:
+        labels:
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            helm.sh/chart: kong-2.38.0
+        name: chartsnap-kong-proxy
+        namespace: default
+    spec:
+        rules:
+            - host: proxy.kong.example
+              http:
+                paths:
+                    - backend:
+                        service:
+                            name: chartsnap-kong-proxy
+                            port:
+                                number: 443
+                      path: /
+                      pathType: ImplementationSpecific
+- object:
+    apiVersion: rbac.authorization.k8s.io/v1
+    kind: ClusterRole
+    metadata:
+        labels:
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            helm.sh/chart: kong-2.38.0
+        name: chartsnap-kong
+    rules:
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - kongupstreampolicies
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - kongupstreampolicies/status
+          verbs:
+            - get
+            - patch
+            - update
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - kongconsumergroups
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - kongconsumergroups/status
+          verbs:
+            - get
+            - patch
+            - update
+        - apiGroups:
+            - \"\"
+          resources:
+            - events
+          verbs:
+            - create
+            - patch
+        - apiGroups:
+            - \"\"
+          resources:
+            - nodes
+          verbs:
+            - list
+            - watch
+        - apiGroups:
+            - \"\"
+          resources:
+            - pods
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - \"\"
+          resources:
+            - secrets
+          verbs:
+            - list
+            - watch
+        - apiGroups:
+            - \"\"
+          resources:
+            - services
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - \"\"
+          resources:
+            - services/status
+          verbs:
+            - get
+            - patch
+            - update
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - ingressclassparameterses
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - kongconsumers
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - kongconsumers/status
+          verbs:
+            - get
+            - patch
+            - update
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - kongingresses
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - kongingresses/status
+          verbs:
+            - get
+            - patch
+            - update
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - kongplugins
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - kongplugins/status
+          verbs:
+            - get
+            - patch
+            - update
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - tcpingresses
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - tcpingresses/status
+          verbs:
+            - get
+            - patch
+            - update
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - udpingresses
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - udpingresses/status
+          verbs:
+            - get
+            - patch
+            - update
+        - apiGroups:
+            - extensions
+          resources:
+            - ingresses
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - extensions
+          resources:
+            - ingresses/status
+          verbs:
+            - get
+            - patch
+            - update
+        - apiGroups:
+            - networking.k8s.io
+          resources:
+            - ingresses
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - networking.k8s.io
+          resources:
+            - ingresses/status
+          verbs:
+            - get
+            - patch
+            - update
+        - apiGroups:
+            - discovery.k8s.io
+          resources:
+            - endpointslices
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - konglicenses
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - konglicenses/status
+          verbs:
+            - get
+            - patch
+            - update
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - kongvaults
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - kongvaults/status
+          verbs:
+            - get
+            - patch
+            - update
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - kongclusterplugins
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - kongclusterplugins/status
+          verbs:
+            - get
+            - patch
+            - update
+        - apiGroups:
+            - apiextensions.k8s.io
+          resources:
+            - customresourcedefinitions
+          verbs:
+            - list
+            - watch
+        - apiGroups:
+            - networking.k8s.io
+          resources:
+            - ingressclasses
+          verbs:
+            - get
+            - list
+            - watch
+- object:
+    apiVersion: rbac.authorization.k8s.io/v1
+    kind: ClusterRoleBinding
+    metadata:
+        labels:
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            helm.sh/chart: kong-2.38.0
+        name: chartsnap-kong
+    roleRef:
+        apiGroup: rbac.authorization.k8s.io
+        kind: ClusterRole
+        name: chartsnap-kong
+    subjects:
+        - kind: ServiceAccount
+          name: chartsnap-kong
+          namespace: default
+- object:
+    apiVersion: rbac.authorization.k8s.io/v1
+    kind: Role
+    metadata:
+        labels:
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            helm.sh/chart: kong-2.38.0
+        name: chartsnap-kong
+        namespace: default
+    rules:
+        - apiGroups:
+            - \"\"
+          resources:
+            - configmaps
+            - pods
+            - secrets
+            - namespaces
+          verbs:
+            - get
+        - apiGroups:
+            - \"\"
+          resourceNames:
+            - kong-ingress-controller-leader-kong-kong
+          resources:
+            - configmaps
+          verbs:
+            - get
+            - update
+        - apiGroups:
+            - \"\"
+          resources:
+            - configmaps
+          verbs:
+            - create
+        - apiGroups:
+            - \"\"
+            - coordination.k8s.io
+          resources:
+            - configmaps
+            - leases
+          verbs:
+            - get
+            - list
+            - watch
+            - create
+            - update
+            - patch
+            - delete
+        - apiGroups:
+            - \"\"
+          resources:
+            - events
+          verbs:
+            - create
+            - patch
+        - apiGroups:
+            - \"\"
+          resources:
+            - services
+          verbs:
+            - get
+- object:
+    apiVersion: rbac.authorization.k8s.io/v1
+    kind: RoleBinding
+    metadata:
+        labels:
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            helm.sh/chart: kong-2.38.0
+        name: chartsnap-kong
+        namespace: default
+    roleRef:
+        apiGroup: rbac.authorization.k8s.io
+        kind: Role
+        name: chartsnap-kong
+    subjects:
+        - kind: ServiceAccount
+          name: chartsnap-kong
+          namespace: default
+- object:
+    apiVersion: v1
+    data:
+        tls.crt: '###DYNAMIC_FIELD###'
+        tls.key: '###DYNAMIC_FIELD###'
+    kind: Secret
+    metadata:
+        labels:
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            helm.sh/chart: kong-2.38.0
+        name: chartsnap-kong-validation-webhook-ca-keypair
+        namespace: default
+    type: kubernetes.io/tls
+- object:
+    apiVersion: v1
+    data:
+        tls.crt: '###DYNAMIC_FIELD###'
+        tls.key: '###DYNAMIC_FIELD###'
+    kind: Secret
+    metadata:
+        labels:
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            helm.sh/chart: kong-2.38.0
+        name: chartsnap-kong-validation-webhook-keypair
+        namespace: default
+    type: kubernetes.io/tls
+- object:
+    apiVersion: v1
+    kind: Service
+    metadata:
+        labels:
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            helm.sh/chart: kong-2.38.0
+        name: chartsnap-kong-manager
+        namespace: default
+    spec:
+        ports:
+            - name: kong-manager
+              port: 8002
+              protocol: TCP
+              targetPort: 8002
+            - name: kong-manager-tls
+              port: 8445
+              protocol: TCP
+              targetPort: 8445
+        selector:
+            app.kubernetes.io/component: app
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/name: kong
+        type: NodePort
+- object:
+    apiVersion: v1
+    kind: Service
+    metadata:
+        labels:
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            enable-metrics: \"true\"
+            helm.sh/chart: kong-2.38.0
+        name: chartsnap-kong-proxy
+        namespace: default
+    spec:
+        ports:
+            - name: kong-proxy
+              port: 80
+              protocol: TCP
+              targetPort: 8000
+            - name: kong-proxy-tls
+              port: 443
+              protocol: TCP
+              targetPort: 8443
+        selector:
+            app.kubernetes.io/component: app
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/name: kong
+        type: LoadBalancer
+- object:
+    apiVersion: v1
+    kind: Service
+    metadata:
+        labels:
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            helm.sh/chart: kong-2.38.0
+        name: chartsnap-kong-validation-webhook
+        namespace: default
+    spec:
+        ports:
+            - name: webhook
+              port: 443
+              protocol: TCP
+              targetPort: webhook
+        selector:
+            app.kubernetes.io/component: app
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            helm.sh/chart: kong-2.38.0
+- object:
+    apiVersion: v1
+    kind: ServiceAccount
+    metadata:
+        labels:
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            helm.sh/chart: kong-2.38.0
+        name: chartsnap-kong
+        namespace: default
+"""
diff --git a/helm/infrastructure/subcharts/kong/ci/__snapshots__/kong-ingress-4-values.snap b/helm/infrastructure/subcharts/kong/ci/__snapshots__/kong-ingress-4-values.snap
new file mode 100644 (file)
index 0000000..0a8f0fb
--- /dev/null
@@ -0,0 +1,983 @@
+[kong-ingress-4-values]
+SnapShot = """
+- object:
+    apiVersion: admissionregistration.k8s.io/v1
+    kind: ValidatingWebhookConfiguration
+    metadata:
+        labels:
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            helm.sh/chart: kong-2.38.0
+        name: chartsnap-kong-validations
+        namespace: default
+    webhooks:
+        - admissionReviewVersions:
+            - v1beta1
+          clientConfig:
+            caBundle: '###DYNAMIC_FIELD###'
+            service:
+                name: chartsnap-kong-validation-webhook
+                namespace: default
+          failurePolicy: Ignore
+          name: validations.kong.konghq.com
+          objectSelector:
+            matchExpressions:
+                - key: owner
+                  operator: NotIn
+                  values:
+                    - helm
+          rules:
+            - apiGroups:
+                - configuration.konghq.com
+              apiVersions:
+                - '*'
+              operations:
+                - CREATE
+                - UPDATE
+              resources:
+                - kongconsumers
+                - kongplugins
+                - kongclusterplugins
+                - kongingresses
+            - apiGroups:
+                - \"\"
+              apiVersions:
+                - v1
+              operations:
+                - CREATE
+                - UPDATE
+              resources:
+                - secrets
+                - services
+            - apiGroups:
+                - networking.k8s.io
+              apiVersions:
+                - v1
+              operations:
+                - CREATE
+                - UPDATE
+              resources:
+                - ingresses
+            - apiGroups:
+                - gateway.networking.k8s.io
+              apiVersions:
+                - v1alpha2
+                - v1beta1
+                - v1
+              operations:
+                - CREATE
+                - UPDATE
+              resources:
+                - gateways
+                - httproutes
+          sideEffects: None
+- object:
+    apiVersion: apps/v1
+    kind: Deployment
+    metadata:
+        labels:
+            app.kubernetes.io/component: app
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            helm.sh/chart: kong-2.38.0
+        name: chartsnap-kong
+        namespace: default
+    spec:
+        replicas: 1
+        selector:
+            matchLabels:
+                app.kubernetes.io/component: app
+                app.kubernetes.io/instance: chartsnap
+                app.kubernetes.io/name: kong
+        template:
+            metadata:
+                annotations:
+                    kuma.io/gateway: enabled
+                    kuma.io/service-account-token-volume: chartsnap-kong-token
+                    traffic.sidecar.istio.io/includeInboundPorts: \"\"
+                labels:
+                    app: chartsnap-kong
+                    app.kubernetes.io/component: app
+                    app.kubernetes.io/instance: chartsnap
+                    app.kubernetes.io/managed-by: Helm
+                    app.kubernetes.io/name: kong
+                    app.kubernetes.io/version: \"3.6\"
+                    helm.sh/chart: kong-2.38.0
+                    version: \"3.6\"
+            spec:
+                automountServiceAccountToken: false
+                containers:
+                    - args: null
+                      env:
+                        - name: POD_NAME
+                          valueFrom:
+                            fieldRef:
+                                apiVersion: v1
+                                fieldPath: metadata.name
+                        - name: POD_NAMESPACE
+                          valueFrom:
+                            fieldRef:
+                                apiVersion: v1
+                                fieldPath: metadata.namespace
+                        - name: CONTROLLER_ADMISSION_WEBHOOK_LISTEN
+                          value: 0.0.0.0:8080
+                        - name: CONTROLLER_ELECTION_ID
+                          value: kong-ingress-controller-leader-kong
+                        - name: CONTROLLER_INGRESS_CLASS
+                          value: kong
+                        - name: CONTROLLER_KONG_ADMIN_TLS_SKIP_VERIFY
+                          value: \"true\"
+                        - name: CONTROLLER_KONG_ADMIN_URL
+                          value: https://localhost:8444
+                        - name: CONTROLLER_PUBLISH_SERVICE
+                          value: default/chartsnap-kong-proxy
+                      image: kong/kubernetes-ingress-controller:3.1
+                      imagePullPolicy: IfNotPresent
+                      livenessProbe:
+                        failureThreshold: 3
+                        httpGet:
+                            path: /healthz
+                            port: 10254
+                            scheme: HTTP
+                        initialDelaySeconds: 5
+                        periodSeconds: 10
+                        successThreshold: 1
+                        timeoutSeconds: 5
+                      name: ingress-controller
+                      ports:
+                        - containerPort: 8080
+                          name: webhook
+                          protocol: TCP
+                        - containerPort: 10255
+                          name: cmetrics
+                          protocol: TCP
+                        - containerPort: 10254
+                          name: cstatus
+                          protocol: TCP
+                      readinessProbe:
+                        failureThreshold: 3
+                        httpGet:
+                            path: /readyz
+                            port: 10254
+                            scheme: HTTP
+                        initialDelaySeconds: 5
+                        periodSeconds: 10
+                        successThreshold: 1
+                        timeoutSeconds: 5
+                      resources: {}
+                      securityContext:
+                        allowPrivilegeEscalation: false
+                        capabilities:
+                            drop:
+                                - ALL
+                        readOnlyRootFilesystem: true
+                        runAsNonRoot: true
+                        runAsUser: 1000
+                        seccompProfile:
+                            type: RuntimeDefault
+                      volumeMounts:
+                        - mountPath: /admission-webhook
+                          name: webhook-cert
+                          readOnly: true
+                        - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
+                          name: chartsnap-kong-token
+                          readOnly: true
+                    - env:
+                        - name: KONG_ADMIN_ACCESS_LOG
+                          value: /dev/stdout
+                        - name: KONG_ADMIN_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_ADMIN_GUI_ACCESS_LOG
+                          value: /dev/stdout
+                        - name: KONG_ADMIN_GUI_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_ADMIN_LISTEN
+                          value: 127.0.0.1:8444 http2 ssl, [::1]:8444 http2 ssl
+                        - name: KONG_CLUSTER_LISTEN
+                          value: \"off\"
+                        - name: KONG_DATABASE
+                          value: \"off\"
+                        - name: KONG_KIC
+                          value: \"on\"
+                        - name: KONG_LUA_PACKAGE_PATH
+                          value: /opt/?.lua;/opt/?/init.lua;;
+                        - name: KONG_NGINX_WORKER_PROCESSES
+                          value: \"2\"
+                        - name: KONG_PORTAL_API_ACCESS_LOG
+                          value: /dev/stdout
+                        - name: KONG_PORTAL_API_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_PORT_MAPS
+                          value: 80:8000, 443:8443
+                        - name: KONG_PREFIX
+                          value: /kong_prefix/
+                        - name: KONG_PROXY_ACCESS_LOG
+                          value: /dev/stdout
+                        - name: KONG_PROXY_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_PROXY_LISTEN
+                          value: 0.0.0.0:8000, [::]:8000, 0.0.0.0:8443 http2 ssl, [::]:8443 http2 ssl
+                        - name: KONG_PROXY_STREAM_ACCESS_LOG
+                          value: /dev/stdout basic
+                        - name: KONG_PROXY_STREAM_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_ROUTER_FLAVOR
+                          value: traditional
+                        - name: KONG_STATUS_ACCESS_LOG
+                          value: \"off\"
+                        - name: KONG_STATUS_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_STATUS_LISTEN
+                          value: 0.0.0.0:8100, [::]:8100
+                        - name: KONG_STREAM_LISTEN
+                          value: \"off\"
+                        - name: KONG_NGINX_DAEMON
+                          value: \"off\"
+                      image: kong:3.6
+                      imagePullPolicy: IfNotPresent
+                      lifecycle:
+                        preStop:
+                            exec:
+                                command:
+                                    - kong
+                                    - quit
+                                    - --wait=15
+                      livenessProbe:
+                        failureThreshold: 3
+                        httpGet:
+                            path: /status
+                            port: status
+                            scheme: HTTP
+                        initialDelaySeconds: 5
+                        periodSeconds: 10
+                        successThreshold: 1
+                        timeoutSeconds: 5
+                      name: proxy
+                      ports:
+                        - containerPort: 8000
+                          name: proxy
+                          protocol: TCP
+                        - containerPort: 8443
+                          name: proxy-tls
+                          protocol: TCP
+                        - containerPort: 8100
+                          name: status
+                          protocol: TCP
+                      readinessProbe:
+                        failureThreshold: 3
+                        httpGet:
+                            path: /status/ready
+                            port: status
+                            scheme: HTTP
+                        initialDelaySeconds: 5
+                        periodSeconds: 10
+                        successThreshold: 1
+                        timeoutSeconds: 5
+                      resources: {}
+                      securityContext:
+                        allowPrivilegeEscalation: false
+                        capabilities:
+                            drop:
+                                - ALL
+                        readOnlyRootFilesystem: true
+                        runAsNonRoot: true
+                        runAsUser: 1000
+                        seccompProfile:
+                            type: RuntimeDefault
+                      volumeMounts:
+                        - mountPath: /kong_prefix/
+                          name: chartsnap-kong-prefix-dir
+                        - mountPath: /tmp
+                          name: chartsnap-kong-tmp
+                initContainers:
+                    - command:
+                        - rm
+                        - -vrf
+                        - $KONG_PREFIX/pids
+                      env:
+                        - name: KONG_ADMIN_ACCESS_LOG
+                          value: /dev/stdout
+                        - name: KONG_ADMIN_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_ADMIN_GUI_ACCESS_LOG
+                          value: /dev/stdout
+                        - name: KONG_ADMIN_GUI_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_ADMIN_LISTEN
+                          value: 127.0.0.1:8444 http2 ssl, [::1]:8444 http2 ssl
+                        - name: KONG_CLUSTER_LISTEN
+                          value: \"off\"
+                        - name: KONG_DATABASE
+                          value: \"off\"
+                        - name: KONG_KIC
+                          value: \"on\"
+                        - name: KONG_LUA_PACKAGE_PATH
+                          value: /opt/?.lua;/opt/?/init.lua;;
+                        - name: KONG_NGINX_WORKER_PROCESSES
+                          value: \"2\"
+                        - name: KONG_PORTAL_API_ACCESS_LOG
+                          value: /dev/stdout
+                        - name: KONG_PORTAL_API_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_PORT_MAPS
+                          value: 80:8000, 443:8443
+                        - name: KONG_PREFIX
+                          value: /kong_prefix/
+                        - name: KONG_PROXY_ACCESS_LOG
+                          value: /dev/stdout
+                        - name: KONG_PROXY_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_PROXY_LISTEN
+                          value: 0.0.0.0:8000, [::]:8000, 0.0.0.0:8443 http2 ssl, [::]:8443 http2 ssl
+                        - name: KONG_PROXY_STREAM_ACCESS_LOG
+                          value: /dev/stdout basic
+                        - name: KONG_PROXY_STREAM_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_ROUTER_FLAVOR
+                          value: traditional
+                        - name: KONG_STATUS_ACCESS_LOG
+                          value: \"off\"
+                        - name: KONG_STATUS_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_STATUS_LISTEN
+                          value: 0.0.0.0:8100, [::]:8100
+                        - name: KONG_STREAM_LISTEN
+                          value: \"off\"
+                      image: kong:3.6
+                      imagePullPolicy: IfNotPresent
+                      name: clear-stale-pid
+                      resources: {}
+                      securityContext:
+                        allowPrivilegeEscalation: false
+                        capabilities:
+                            drop:
+                                - ALL
+                        readOnlyRootFilesystem: true
+                        runAsNonRoot: true
+                        runAsUser: 1000
+                        seccompProfile:
+                            type: RuntimeDefault
+                      volumeMounts:
+                        - mountPath: /kong_prefix/
+                          name: chartsnap-kong-prefix-dir
+                        - mountPath: /tmp
+                          name: chartsnap-kong-tmp
+                securityContext: {}
+                serviceAccountName: chartsnap-kong
+                terminationGracePeriodSeconds: 30
+                volumes:
+                    - emptyDir:
+                        sizeLimit: 256Mi
+                      name: chartsnap-kong-prefix-dir
+                    - emptyDir:
+                        sizeLimit: 1Gi
+                      name: chartsnap-kong-tmp
+                    - name: chartsnap-kong-token
+                      projected:
+                        sources:
+                            - serviceAccountToken:
+                                expirationSeconds: 3607
+                                path: token
+                            - configMap:
+                                items:
+                                    - key: ca.crt
+                                      path: ca.crt
+                                name: kube-root-ca.crt
+                            - downwardAPI:
+                                items:
+                                    - fieldRef:
+                                        apiVersion: v1
+                                        fieldPath: metadata.namespace
+                                      path: namespace
+                    - name: webhook-cert
+                      secret:
+                        secretName: chartsnap-kong-validation-webhook-keypair
+- object:
+    apiVersion: networking.k8s.io/v1
+    kind: Ingress
+    metadata:
+        labels:
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            helm.sh/chart: kong-2.38.0
+        name: chartsnap-kong-proxy
+        namespace: default
+    spec:
+        rules:
+            - host: proxy.kong.example
+              http:
+                paths:
+                    - backend:
+                        service:
+                            name: chartsnap-kong-proxy
+                            port:
+                                number: 443
+                      path: /
+                      pathType: ImplementationSpecific
+            - host: proxy2.kong.example
+              http:
+                paths:
+                    - backend:
+                        service:
+                            name: chartsnap-kong-proxy
+                            port:
+                                number: 443
+                      path: /foo
+                      pathType: Prefix
+                    - backend:
+                        service:
+                            name: chartsnap-kong-proxy
+                            port:
+                                number: 443
+                      path: /bar
+                      pathType: Prefix
+            - host: proxy3.kong.example
+              http:
+                paths:
+                    - backend:
+                        service:
+                            name: chartsnap-kong-proxy
+                            port:
+                                number: 443
+                      path: /baz
+                      pathType: Prefix
+        tls:
+            - hosts:
+                - proxy.kong.example
+              secretName: proxy.kong.example.secret
+            - hosts:
+                - proxy2.kong.example
+                - proxy3.kong.example
+              secretName: proxy.kong.example.secret2
+- object:
+    apiVersion: rbac.authorization.k8s.io/v1
+    kind: ClusterRole
+    metadata:
+        labels:
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            helm.sh/chart: kong-2.38.0
+        name: chartsnap-kong
+    rules:
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - kongupstreampolicies
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - kongupstreampolicies/status
+          verbs:
+            - get
+            - patch
+            - update
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - kongconsumergroups
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - kongconsumergroups/status
+          verbs:
+            - get
+            - patch
+            - update
+        - apiGroups:
+            - \"\"
+          resources:
+            - events
+          verbs:
+            - create
+            - patch
+        - apiGroups:
+            - \"\"
+          resources:
+            - nodes
+          verbs:
+            - list
+            - watch
+        - apiGroups:
+            - \"\"
+          resources:
+            - pods
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - \"\"
+          resources:
+            - secrets
+          verbs:
+            - list
+            - watch
+        - apiGroups:
+            - \"\"
+          resources:
+            - services
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - \"\"
+          resources:
+            - services/status
+          verbs:
+            - get
+            - patch
+            - update
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - ingressclassparameterses
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - kongconsumers
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - kongconsumers/status
+          verbs:
+            - get
+            - patch
+            - update
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - kongingresses
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - kongingresses/status
+          verbs:
+            - get
+            - patch
+            - update
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - kongplugins
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - kongplugins/status
+          verbs:
+            - get
+            - patch
+            - update
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - tcpingresses
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - tcpingresses/status
+          verbs:
+            - get
+            - patch
+            - update
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - udpingresses
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - udpingresses/status
+          verbs:
+            - get
+            - patch
+            - update
+        - apiGroups:
+            - extensions
+          resources:
+            - ingresses
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - extensions
+          resources:
+            - ingresses/status
+          verbs:
+            - get
+            - patch
+            - update
+        - apiGroups:
+            - networking.k8s.io
+          resources:
+            - ingresses
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - networking.k8s.io
+          resources:
+            - ingresses/status
+          verbs:
+            - get
+            - patch
+            - update
+        - apiGroups:
+            - discovery.k8s.io
+          resources:
+            - endpointslices
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - konglicenses
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - konglicenses/status
+          verbs:
+            - get
+            - patch
+            - update
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - kongvaults
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - kongvaults/status
+          verbs:
+            - get
+            - patch
+            - update
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - kongclusterplugins
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - kongclusterplugins/status
+          verbs:
+            - get
+            - patch
+            - update
+        - apiGroups:
+            - apiextensions.k8s.io
+          resources:
+            - customresourcedefinitions
+          verbs:
+            - list
+            - watch
+        - apiGroups:
+            - networking.k8s.io
+          resources:
+            - ingressclasses
+          verbs:
+            - get
+            - list
+            - watch
+- object:
+    apiVersion: rbac.authorization.k8s.io/v1
+    kind: ClusterRoleBinding
+    metadata:
+        labels:
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            helm.sh/chart: kong-2.38.0
+        name: chartsnap-kong
+    roleRef:
+        apiGroup: rbac.authorization.k8s.io
+        kind: ClusterRole
+        name: chartsnap-kong
+    subjects:
+        - kind: ServiceAccount
+          name: chartsnap-kong
+          namespace: default
+- object:
+    apiVersion: rbac.authorization.k8s.io/v1
+    kind: Role
+    metadata:
+        labels:
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            helm.sh/chart: kong-2.38.0
+        name: chartsnap-kong
+        namespace: default
+    rules:
+        - apiGroups:
+            - \"\"
+          resources:
+            - configmaps
+            - pods
+            - secrets
+            - namespaces
+          verbs:
+            - get
+        - apiGroups:
+            - \"\"
+          resourceNames:
+            - kong-ingress-controller-leader-kong-kong
+          resources:
+            - configmaps
+          verbs:
+            - get
+            - update
+        - apiGroups:
+            - \"\"
+          resources:
+            - configmaps
+          verbs:
+            - create
+        - apiGroups:
+            - \"\"
+            - coordination.k8s.io
+          resources:
+            - configmaps
+            - leases
+          verbs:
+            - get
+            - list
+            - watch
+            - create
+            - update
+            - patch
+            - delete
+        - apiGroups:
+            - \"\"
+          resources:
+            - events
+          verbs:
+            - create
+            - patch
+        - apiGroups:
+            - \"\"
+          resources:
+            - services
+          verbs:
+            - get
+- object:
+    apiVersion: rbac.authorization.k8s.io/v1
+    kind: RoleBinding
+    metadata:
+        labels:
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            helm.sh/chart: kong-2.38.0
+        name: chartsnap-kong
+        namespace: default
+    roleRef:
+        apiGroup: rbac.authorization.k8s.io
+        kind: Role
+        name: chartsnap-kong
+    subjects:
+        - kind: ServiceAccount
+          name: chartsnap-kong
+          namespace: default
+- object:
+    apiVersion: v1
+    data:
+        tls.crt: '###DYNAMIC_FIELD###'
+        tls.key: '###DYNAMIC_FIELD###'
+    kind: Secret
+    metadata:
+        labels:
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            helm.sh/chart: kong-2.38.0
+        name: chartsnap-kong-validation-webhook-ca-keypair
+        namespace: default
+    type: kubernetes.io/tls
+- object:
+    apiVersion: v1
+    data:
+        tls.crt: '###DYNAMIC_FIELD###'
+        tls.key: '###DYNAMIC_FIELD###'
+    kind: Secret
+    metadata:
+        labels:
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            helm.sh/chart: kong-2.38.0
+        name: chartsnap-kong-validation-webhook-keypair
+        namespace: default
+    type: kubernetes.io/tls
+- object:
+    apiVersion: v1
+    data:
+        tls.crt: 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
+        tls.key: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1JSUV2Z0lCQURBTkJna3Foa2lHOXcwQkFRRUZBQVNDQktnd2dnU2tBZ0VBQW9JQkFRRHhtREd6YmtUQ2FLMlUKT1liYjVWYVdvWEViSjFPN3E2SUZWWVIvZUZZZThhLzlDTmQya0JqSjJ5K0xuKytoQ2F2ZFBKRUNpNWtaZ0VhMgpkTUMybzJTb3BGcFNLT0pWTEF6ZXpJaTZuS2ZaTnduM250MG8vNU5yaG44UXhGT2tmNnVSbVZZd3JsWDdrcmMxCm9mK1o3SGxSMUJrakZnc3pjc2ZjcTJ1Uy8xOURwZEdDQjNMUGpRcTlvVE1pYVdrU0VHbUVvZjFCdHYrMFFNeisKMUNPWDhROStZRExkLzFjeWNQZEhGWHMycVI4cUpIZGFCRUxhcXZtUTZiSWd1TzVxVU1VeGlqSUo0aDhuQzVsNApLRWtXaThaQWs5WHBnNm91ZGtSekRVNENJOVlHemFxNTltS1huTjdNTUo0QVYzbkRLNlFwWTZETktDM3BicWp0Cm9BVFFMNit0QWdNQkFBRUNnZ0VCQUs3N1I0d3BJcDRZU1JoaGJoN1loWldHQ3JEYkZCZUtZVWd4djB5LzhNaHEKenNlYlhzdGQ1TVpXL2FISVRqdzZFQU9tT1hVNWZNTHVtTWpQMlVDdktWbkg2QzgzczI1ekFFTmlxdWxXUzIvVgpJRi83N1Qwamx6ZTY2MDlPa3pKQzBoWWJsRVNnRUdDc3pBdUpjT0tnVnVLQWwxQkZTQW1VYWRPWFNNdm9NS3lDCkJlekZaVEhOcGRWQ2xwUHVLNGQrWFJJZ1hHWS84RzNmWlFXRWNjV2tTYmRjQUlLdVYvWktHQ0IyT2dXS1VzSHgKTStscEw1TTZ3aXdYOEFNdUVWVHJsMWNwKzAzTjdOaUYwMFpYdCszZzVZUkJmRitYWjZ1b3hmbENQZ3VHdzh6bgpvN2tFRVNKZ2YycHZyZWYveHBjSVFSM090aHZjSzR5RldOcndPbExHQk9FQ2dZRUErNmJBREF0bDAvRlpzV08zCnVvNlBRNXZTL0tqbS9XaUkzeUo5TUdLNzQxTFZpMlRMUGpVZ092SDdkZUVjNVJjUmoxV1Nna3d1bUdzZWE2WkQKWXRWSTRZTDdMM1NUQ3JyZUNFTDRhOUJPcFB0azcxWWw3TmhxZktEaXhzU1FnNmt4dDJ1TlYvZXNSQ1JPeENoWgp5bk9JTmkvN3lOeFpVek4zcndyVjBCMUFNYVVDZ1lFQTljVDBZNkJWRHZLdFFaV1gvR1REZ2pUUzN6QWlPWmFNCjVFM3NleHh6MXY4eDF0N3JvWDV3aHNaVjlzQ05nNlJaNjIyT3hJejhHQnVvMnU1M2h2WFJabmdDaG1PcHYwRjgKcm5STWFNR0tIeGN2TmNrVUZUMW9TdDJCeEhNT1FNZTM2cERVTnZ0S3pvNGJoakpVUU94Mm14RU9TNERscm4rMApRU3FqVFpyWGwya0NnWUJ1UmIyMkNYQ1BsUjBHbkhtd0tEUWpIaTh3UkJza1JDQm1Gc2pnNFFNUU5BWWJWUW15CnNyankyNEtqUHdmWVkybHdjOEVGazdoL1ZjRTR6dHlNZklXNVBCb3h5MVY3eURMdlQ5bG45Um5oTmNBZkdKTDUKM0VPZFpTcTZpdndBbGEyUmdIR3BjSUJ1UTdLNFJpNUNocW5UaE9kQ056eDFOd0psRTh4cHE4ZXJlUUtCZ1FEeQppV3B3UXRLT0ROa0VCdi9WT1E5am1JT2RjOS9pbXZyeGR5RHZvWFdENzVXY3FhTTVYUkRwUUNPbmZnQnBzREI0CjBFWjdHM0xReThNSVF4czcyYXpMaFpWZ1VFdzlEUUJoSFM0bWx4Q2FmQU8vL1c3UFF5bC84RGJXeW9CL1YxamQKcUExMU1PcHpDdlNJcTNSUUdjczJYaytRSFdVTW
5zUWhKMVcvQ1JiSE9RS0JnRTVQZ0hrbW1PY1VXZkJBZUtzTApvb2FNNzBINVN1YUNYN1Y1enBhM3hFMW5WVWMxend5aldOdkdWbTA5WkpEOFFMR1ZDV2U0R1o5R1NvV2tqSUMvCklFKzA0M29kUERuL2JwSDlTMDF2a0s1ZDRJSGc3QUcwWXI5SW1zS0paT0djT1dmdUdKSlZ5em1CRXhaSU9pbnoKVFFuaFdhZWs0NE1hdVJYOC9pRjZyZWorCi0tLS0tRU5EIFBSSVZBVEUgS0VZLS0tLS0K
+    kind: Secret
+    metadata:
+        name: kong.proxy.example.secret
+    type: kubernetes.io/tls
+- object:
+    apiVersion: v1
+    data:
+        tls.crt: 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
+        tls.key: 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
+    kind: Secret
+    metadata:
+        name: kong.proxy.example.secret2
+    type: kubernetes.io/tls
+- object:
+    apiVersion: v1
+    kind: Service
+    metadata:
+        labels:
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            helm.sh/chart: kong-2.38.0
+        name: chartsnap-kong-manager
+        namespace: default
+    spec:
+        ports:
+            - name: kong-manager
+              port: 8002
+              protocol: TCP
+              targetPort: 8002
+            - name: kong-manager-tls
+              port: 8445
+              protocol: TCP
+              targetPort: 8445
+        selector:
+            app.kubernetes.io/component: app
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/name: kong
+        type: NodePort
+- object:
+    apiVersion: v1
+    kind: Service
+    metadata:
+        labels:
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            enable-metrics: \"true\"
+            helm.sh/chart: kong-2.38.0
+        name: chartsnap-kong-proxy
+        namespace: default
+    spec:
+        ports:
+            - name: kong-proxy
+              port: 80
+              protocol: TCP
+              targetPort: 8000
+            - name: kong-proxy-tls
+              port: 443
+              protocol: TCP
+              targetPort: 8443
+        selector:
+            app.kubernetes.io/component: app
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/name: kong
+        type: LoadBalancer
+- object:
+    apiVersion: v1
+    kind: Service
+    metadata:
+        labels:
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            helm.sh/chart: kong-2.38.0
+        name: chartsnap-kong-validation-webhook
+        namespace: default
+    spec:
+        ports:
+            - name: webhook
+              port: 443
+              protocol: TCP
+              targetPort: webhook
+        selector:
+            app.kubernetes.io/component: app
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            helm.sh/chart: kong-2.38.0
+- object:
+    apiVersion: v1
+    kind: ServiceAccount
+    metadata:
+        labels:
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            helm.sh/chart: kong-2.38.0
+        name: chartsnap-kong
+        namespace: default
+"""
diff --git a/helm/infrastructure/subcharts/kong/ci/__snapshots__/kong-ingress-5-3.1-rbac-values.snap b/helm/infrastructure/subcharts/kong/ci/__snapshots__/kong-ingress-5-3.1-rbac-values.snap
new file mode 100644 (file)
index 0000000..4eb6e98
--- /dev/null
@@ -0,0 +1,912 @@
+['kong-ingress-5-3.1-rbac-values']
+SnapShot = """
+- object:
+    apiVersion: admissionregistration.k8s.io/v1
+    kind: ValidatingWebhookConfiguration
+    metadata:
+        labels:
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            helm.sh/chart: kong-2.38.0
+        name: chartsnap-kong-validations
+        namespace: default
+    webhooks:
+        - admissionReviewVersions:
+            - v1beta1
+          clientConfig:
+            caBundle: '###DYNAMIC_FIELD###'
+            service:
+                name: chartsnap-kong-validation-webhook
+                namespace: default
+          failurePolicy: Ignore
+          name: validations.kong.konghq.com
+          objectSelector:
+            matchExpressions:
+                - key: owner
+                  operator: NotIn
+                  values:
+                    - helm
+          rules:
+            - apiGroups:
+                - configuration.konghq.com
+              apiVersions:
+                - '*'
+              operations:
+                - CREATE
+                - UPDATE
+              resources:
+                - kongconsumers
+                - kongplugins
+                - kongclusterplugins
+                - kongingresses
+            - apiGroups:
+                - \"\"
+              apiVersions:
+                - v1
+              operations:
+                - CREATE
+                - UPDATE
+              resources:
+                - secrets
+                - services
+            - apiGroups:
+                - networking.k8s.io
+              apiVersions:
+                - v1
+              operations:
+                - CREATE
+                - UPDATE
+              resources:
+                - ingresses
+            - apiGroups:
+                - gateway.networking.k8s.io
+              apiVersions:
+                - v1alpha2
+                - v1beta1
+                - v1
+              operations:
+                - CREATE
+                - UPDATE
+              resources:
+                - gateways
+                - httproutes
+          sideEffects: None
+- object:
+    apiVersion: apps/v1
+    kind: Deployment
+    metadata:
+        labels:
+            app.kubernetes.io/component: app
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            helm.sh/chart: kong-2.38.0
+        name: chartsnap-kong
+        namespace: default
+    spec:
+        replicas: 1
+        selector:
+            matchLabels:
+                app.kubernetes.io/component: app
+                app.kubernetes.io/instance: chartsnap
+                app.kubernetes.io/name: kong
+        template:
+            metadata:
+                annotations:
+                    kuma.io/gateway: enabled
+                    kuma.io/service-account-token-volume: chartsnap-kong-token
+                    traffic.sidecar.istio.io/includeInboundPorts: \"\"
+                labels:
+                    app: chartsnap-kong
+                    app.kubernetes.io/component: app
+                    app.kubernetes.io/instance: chartsnap
+                    app.kubernetes.io/managed-by: Helm
+                    app.kubernetes.io/name: kong
+                    app.kubernetes.io/version: \"3.6\"
+                    helm.sh/chart: kong-2.38.0
+                    version: \"3.6\"
+            spec:
+                automountServiceAccountToken: false
+                containers:
+                    - args: null
+                      env:
+                        - name: POD_NAME
+                          valueFrom:
+                            fieldRef:
+                                apiVersion: v1
+                                fieldPath: metadata.name
+                        - name: POD_NAMESPACE
+                          valueFrom:
+                            fieldRef:
+                                apiVersion: v1
+                                fieldPath: metadata.namespace
+                        - name: CONTROLLER_ADMISSION_WEBHOOK_LISTEN
+                          value: 0.0.0.0:8080
+                        - name: CONTROLLER_ANONYMOUS_REPORTS
+                          value: \"false\"
+                        - name: CONTROLLER_ELECTION_ID
+                          value: kong-ingress-controller-leader-kong
+                        - name: CONTROLLER_INGRESS_CLASS
+                          value: kong
+                        - name: CONTROLLER_KONG_ADMIN_TLS_SKIP_VERIFY
+                          value: \"true\"
+                        - name: CONTROLLER_KONG_ADMIN_URL
+                          value: https://localhost:8444
+                        - name: CONTROLLER_PUBLISH_SERVICE
+                          value: default/chartsnap-kong-proxy
+                      image: kong/kubernetes-ingress-controller:3.1.0
+                      imagePullPolicy: IfNotPresent
+                      livenessProbe:
+                        failureThreshold: 3
+                        httpGet:
+                            path: /healthz
+                            port: 10254
+                            scheme: HTTP
+                        initialDelaySeconds: 5
+                        periodSeconds: 10
+                        successThreshold: 1
+                        timeoutSeconds: 5
+                      name: ingress-controller
+                      ports:
+                        - containerPort: 8080
+                          name: webhook
+                          protocol: TCP
+                        - containerPort: 10255
+                          name: cmetrics
+                          protocol: TCP
+                        - containerPort: 10254
+                          name: cstatus
+                          protocol: TCP
+                      readinessProbe:
+                        failureThreshold: 3
+                        httpGet:
+                            path: /readyz
+                            port: 10254
+                            scheme: HTTP
+                        initialDelaySeconds: 5
+                        periodSeconds: 10
+                        successThreshold: 1
+                        timeoutSeconds: 5
+                      resources: {}
+                      securityContext:
+                        allowPrivilegeEscalation: false
+                        capabilities:
+                            drop:
+                                - ALL
+                        readOnlyRootFilesystem: true
+                        runAsNonRoot: true
+                        runAsUser: 1000
+                        seccompProfile:
+                            type: RuntimeDefault
+                      volumeMounts:
+                        - mountPath: /admission-webhook
+                          name: webhook-cert
+                          readOnly: true
+                        - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
+                          name: chartsnap-kong-token
+                          readOnly: true
+                    - env:
+                        - name: KONG_ADMIN_ACCESS_LOG
+                          value: /dev/stdout
+                        - name: KONG_ADMIN_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_ADMIN_GUI_ACCESS_LOG
+                          value: /dev/stdout
+                        - name: KONG_ADMIN_GUI_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_ADMIN_LISTEN
+                          value: 127.0.0.1:8444 http2 ssl, [::1]:8444 http2 ssl
+                        - name: KONG_ANONYMOUS_REPORTS
+                          value: \"off\"
+                        - name: KONG_CLUSTER_LISTEN
+                          value: \"off\"
+                        - name: KONG_DATABASE
+                          value: \"off\"
+                        - name: KONG_KIC
+                          value: \"on\"
+                        - name: KONG_LUA_PACKAGE_PATH
+                          value: /opt/?.lua;/opt/?/init.lua;;
+                        - name: KONG_NGINX_WORKER_PROCESSES
+                          value: \"2\"
+                        - name: KONG_PORTAL_API_ACCESS_LOG
+                          value: /dev/stdout
+                        - name: KONG_PORTAL_API_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_PORT_MAPS
+                          value: 80:8000, 443:8443
+                        - name: KONG_PREFIX
+                          value: /kong_prefix/
+                        - name: KONG_PROXY_ACCESS_LOG
+                          value: /dev/stdout
+                        - name: KONG_PROXY_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_PROXY_LISTEN
+                          value: 0.0.0.0:8000, [::]:8000, 0.0.0.0:8443 http2 ssl, [::]:8443 http2 ssl
+                        - name: KONG_PROXY_STREAM_ACCESS_LOG
+                          value: /dev/stdout basic
+                        - name: KONG_PROXY_STREAM_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_ROUTER_FLAVOR
+                          value: traditional
+                        - name: KONG_STATUS_ACCESS_LOG
+                          value: \"off\"
+                        - name: KONG_STATUS_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_STATUS_LISTEN
+                          value: 0.0.0.0:8100, [::]:8100
+                        - name: KONG_STREAM_LISTEN
+                          value: \"off\"
+                        - name: KONG_NGINX_DAEMON
+                          value: \"off\"
+                      image: kong:3.6
+                      imagePullPolicy: IfNotPresent
+                      lifecycle:
+                        preStop:
+                            exec:
+                                command:
+                                    - kong
+                                    - quit
+                                    - --wait=15
+                      livenessProbe:
+                        failureThreshold: 3
+                        httpGet:
+                            path: /status
+                            port: status
+                            scheme: HTTP
+                        initialDelaySeconds: 5
+                        periodSeconds: 10
+                        successThreshold: 1
+                        timeoutSeconds: 5
+                      name: proxy
+                      ports:
+                        - containerPort: 8000
+                          name: proxy
+                          protocol: TCP
+                        - containerPort: 8443
+                          name: proxy-tls
+                          protocol: TCP
+                        - containerPort: 8100
+                          name: status
+                          protocol: TCP
+                      readinessProbe:
+                        failureThreshold: 3
+                        httpGet:
+                            path: /status/ready
+                            port: status
+                            scheme: HTTP
+                        initialDelaySeconds: 5
+                        periodSeconds: 10
+                        successThreshold: 1
+                        timeoutSeconds: 5
+                      resources: {}
+                      securityContext:
+                        allowPrivilegeEscalation: false
+                        capabilities:
+                            drop:
+                                - ALL
+                        readOnlyRootFilesystem: true
+                        runAsNonRoot: true
+                        runAsUser: 1000
+                        seccompProfile:
+                            type: RuntimeDefault
+                      volumeMounts:
+                        - mountPath: /kong_prefix/
+                          name: chartsnap-kong-prefix-dir
+                        - mountPath: /tmp
+                          name: chartsnap-kong-tmp
+                initContainers:
+                    - command:
+                        - rm
+                        - -vrf
+                        - $KONG_PREFIX/pids
+                      env:
+                        - name: KONG_ADMIN_ACCESS_LOG
+                          value: /dev/stdout
+                        - name: KONG_ADMIN_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_ADMIN_GUI_ACCESS_LOG
+                          value: /dev/stdout
+                        - name: KONG_ADMIN_GUI_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_ADMIN_LISTEN
+                          value: 127.0.0.1:8444 http2 ssl, [::1]:8444 http2 ssl
+                        - name: KONG_ANONYMOUS_REPORTS
+                          value: \"off\"
+                        - name: KONG_CLUSTER_LISTEN
+                          value: \"off\"
+                        - name: KONG_DATABASE
+                          value: \"off\"
+                        - name: KONG_KIC
+                          value: \"on\"
+                        - name: KONG_LUA_PACKAGE_PATH
+                          value: /opt/?.lua;/opt/?/init.lua;;
+                        - name: KONG_NGINX_WORKER_PROCESSES
+                          value: \"2\"
+                        - name: KONG_PORTAL_API_ACCESS_LOG
+                          value: /dev/stdout
+                        - name: KONG_PORTAL_API_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_PORT_MAPS
+                          value: 80:8000, 443:8443
+                        - name: KONG_PREFIX
+                          value: /kong_prefix/
+                        - name: KONG_PROXY_ACCESS_LOG
+                          value: /dev/stdout
+                        - name: KONG_PROXY_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_PROXY_LISTEN
+                          value: 0.0.0.0:8000, [::]:8000, 0.0.0.0:8443 http2 ssl, [::]:8443 http2 ssl
+                        - name: KONG_PROXY_STREAM_ACCESS_LOG
+                          value: /dev/stdout basic
+                        - name: KONG_PROXY_STREAM_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_ROUTER_FLAVOR
+                          value: traditional
+                        - name: KONG_STATUS_ACCESS_LOG
+                          value: \"off\"
+                        - name: KONG_STATUS_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_STATUS_LISTEN
+                          value: 0.0.0.0:8100, [::]:8100
+                        - name: KONG_STREAM_LISTEN
+                          value: \"off\"
+                      image: kong:3.6
+                      imagePullPolicy: IfNotPresent
+                      name: clear-stale-pid
+                      resources: {}
+                      securityContext:
+                        allowPrivilegeEscalation: false
+                        capabilities:
+                            drop:
+                                - ALL
+                        readOnlyRootFilesystem: true
+                        runAsNonRoot: true
+                        runAsUser: 1000
+                        seccompProfile:
+                            type: RuntimeDefault
+                      volumeMounts:
+                        - mountPath: /kong_prefix/
+                          name: chartsnap-kong-prefix-dir
+                        - mountPath: /tmp
+                          name: chartsnap-kong-tmp
+                securityContext: {}
+                serviceAccountName: chartsnap-kong
+                terminationGracePeriodSeconds: 30
+                volumes:
+                    - emptyDir:
+                        sizeLimit: 256Mi
+                      name: chartsnap-kong-prefix-dir
+                    - emptyDir:
+                        sizeLimit: 1Gi
+                      name: chartsnap-kong-tmp
+                    - name: chartsnap-kong-token
+                      projected:
+                        sources:
+                            - serviceAccountToken:
+                                expirationSeconds: 3607
+                                path: token
+                            - configMap:
+                                items:
+                                    - key: ca.crt
+                                      path: ca.crt
+                                name: kube-root-ca.crt
+                            - downwardAPI:
+                                items:
+                                    - fieldRef:
+                                        apiVersion: v1
+                                        fieldPath: metadata.namespace
+                                      path: namespace
+                    - name: webhook-cert
+                      secret:
+                        secretName: chartsnap-kong-validation-webhook-keypair
+- object:
+    apiVersion: rbac.authorization.k8s.io/v1
+    kind: ClusterRole
+    metadata:
+        labels:
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            helm.sh/chart: kong-2.38.0
+        name: chartsnap-kong
+    rules:
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - kongupstreampolicies
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - kongupstreampolicies/status
+          verbs:
+            - get
+            - patch
+            - update
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - kongconsumergroups
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - kongconsumergroups/status
+          verbs:
+            - get
+            - patch
+            - update
+        - apiGroups:
+            - \"\"
+          resources:
+            - events
+          verbs:
+            - create
+            - patch
+        - apiGroups:
+            - \"\"
+          resources:
+            - nodes
+          verbs:
+            - list
+            - watch
+        - apiGroups:
+            - \"\"
+          resources:
+            - pods
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - \"\"
+          resources:
+            - secrets
+          verbs:
+            - list
+            - watch
+        - apiGroups:
+            - \"\"
+          resources:
+            - services
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - \"\"
+          resources:
+            - services/status
+          verbs:
+            - get
+            - patch
+            - update
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - ingressclassparameterses
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - kongconsumers
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - kongconsumers/status
+          verbs:
+            - get
+            - patch
+            - update
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - kongingresses
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - kongingresses/status
+          verbs:
+            - get
+            - patch
+            - update
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - kongplugins
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - kongplugins/status
+          verbs:
+            - get
+            - patch
+            - update
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - tcpingresses
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - tcpingresses/status
+          verbs:
+            - get
+            - patch
+            - update
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - udpingresses
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - udpingresses/status
+          verbs:
+            - get
+            - patch
+            - update
+        - apiGroups:
+            - extensions
+          resources:
+            - ingresses
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - extensions
+          resources:
+            - ingresses/status
+          verbs:
+            - get
+            - patch
+            - update
+        - apiGroups:
+            - networking.k8s.io
+          resources:
+            - ingresses
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - networking.k8s.io
+          resources:
+            - ingresses/status
+          verbs:
+            - get
+            - patch
+            - update
+        - apiGroups:
+            - discovery.k8s.io
+          resources:
+            - endpointslices
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - konglicenses
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - konglicenses/status
+          verbs:
+            - get
+            - patch
+            - update
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - kongvaults
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - kongvaults/status
+          verbs:
+            - get
+            - patch
+            - update
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - kongclusterplugins
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - kongclusterplugins/status
+          verbs:
+            - get
+            - patch
+            - update
+        - apiGroups:
+            - apiextensions.k8s.io
+          resources:
+            - customresourcedefinitions
+          verbs:
+            - list
+            - watch
+        - apiGroups:
+            - networking.k8s.io
+          resources:
+            - ingressclasses
+          verbs:
+            - get
+            - list
+            - watch
+- object:
+    apiVersion: rbac.authorization.k8s.io/v1
+    kind: ClusterRoleBinding
+    metadata:
+        labels:
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            helm.sh/chart: kong-2.38.0
+        name: chartsnap-kong
+    roleRef:
+        apiGroup: rbac.authorization.k8s.io
+        kind: ClusterRole
+        name: chartsnap-kong
+    subjects:
+        - kind: ServiceAccount
+          name: chartsnap-kong
+          namespace: default
+- object:
+    apiVersion: rbac.authorization.k8s.io/v1
+    kind: Role
+    metadata:
+        labels:
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            helm.sh/chart: kong-2.38.0
+        name: chartsnap-kong
+        namespace: default
+    rules:
+        - apiGroups:
+            - \"\"
+          resources:
+            - configmaps
+            - pods
+            - secrets
+            - namespaces
+          verbs:
+            - get
+        - apiGroups:
+            - \"\"
+          resourceNames:
+            - kong-ingress-controller-leader-kong-kong
+          resources:
+            - configmaps
+          verbs:
+            - get
+            - update
+        - apiGroups:
+            - \"\"
+          resources:
+            - configmaps
+          verbs:
+            - create
+        - apiGroups:
+            - \"\"
+            - coordination.k8s.io
+          resources:
+            - configmaps
+            - leases
+          verbs:
+            - get
+            - list
+            - watch
+            - create
+            - update
+            - patch
+            - delete
+        - apiGroups:
+            - \"\"
+          resources:
+            - events
+          verbs:
+            - create
+            - patch
+        - apiGroups:
+            - \"\"
+          resources:
+            - services
+          verbs:
+            - get
+- object:
+    apiVersion: rbac.authorization.k8s.io/v1
+    kind: RoleBinding
+    metadata:
+        labels:
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            helm.sh/chart: kong-2.38.0
+        name: chartsnap-kong
+        namespace: default
+    roleRef:
+        apiGroup: rbac.authorization.k8s.io
+        kind: Role
+        name: chartsnap-kong
+    subjects:
+        - kind: ServiceAccount
+          name: chartsnap-kong
+          namespace: default
+- object:
+    apiVersion: v1
+    data:
+        tls.crt: '###DYNAMIC_FIELD###'
+        tls.key: '###DYNAMIC_FIELD###'
+    kind: Secret
+    metadata:
+        labels:
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            helm.sh/chart: kong-2.38.0
+        name: chartsnap-kong-validation-webhook-ca-keypair
+        namespace: default
+    type: kubernetes.io/tls
+- object:
+    apiVersion: v1
+    data:
+        tls.crt: '###DYNAMIC_FIELD###'
+        tls.key: '###DYNAMIC_FIELD###'
+    kind: Secret
+    metadata:
+        labels:
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            helm.sh/chart: kong-2.38.0
+        name: chartsnap-kong-validation-webhook-keypair
+        namespace: default
+    type: kubernetes.io/tls
+- object:
+    apiVersion: v1
+    kind: Service
+    metadata:
+        labels:
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            helm.sh/chart: kong-2.38.0
+        name: chartsnap-kong-manager
+        namespace: default
+    spec:
+        ports:
+            - name: kong-manager
+              port: 8002
+              protocol: TCP
+              targetPort: 8002
+            - name: kong-manager-tls
+              port: 8445
+              protocol: TCP
+              targetPort: 8445
+        selector:
+            app.kubernetes.io/component: app
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/name: kong
+        type: NodePort
+- object:
+    apiVersion: v1
+    kind: Service
+    metadata:
+        labels:
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            enable-metrics: \"true\"
+            helm.sh/chart: kong-2.38.0
+        name: chartsnap-kong-proxy
+        namespace: default
+    spec:
+        ports:
+            - name: kong-proxy
+              port: 80
+              protocol: TCP
+              targetPort: 8000
+            - name: kong-proxy-tls
+              port: 443
+              protocol: TCP
+              targetPort: 8443
+        selector:
+            app.kubernetes.io/component: app
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/name: kong
+        type: LoadBalancer
+- object:
+    apiVersion: v1
+    kind: Service
+    metadata:
+        labels:
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            helm.sh/chart: kong-2.38.0
+        name: chartsnap-kong-validation-webhook
+        namespace: default
+    spec:
+        ports:
+            - name: webhook
+              port: 443
+              protocol: TCP
+              targetPort: webhook
+        selector:
+            app.kubernetes.io/component: app
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            helm.sh/chart: kong-2.38.0
+- object:
+    apiVersion: v1
+    kind: ServiceAccount
+    metadata:
+        labels:
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            helm.sh/chart: kong-2.38.0
+        name: chartsnap-kong
+        namespace: default
+"""
diff --git a/helm/infrastructure/subcharts/kong/ci/__snapshots__/proxy-appprotocol-values.snap b/helm/infrastructure/subcharts/kong/ci/__snapshots__/proxy-appprotocol-values.snap
new file mode 100644 (file)
index 0000000..c53f006
--- /dev/null
@@ -0,0 +1,908 @@
+[proxy-appprotocol-values]
+SnapShot = """
+- object:
+    apiVersion: admissionregistration.k8s.io/v1
+    kind: ValidatingWebhookConfiguration
+    metadata:
+        labels:
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            helm.sh/chart: kong-2.38.0
+        name: chartsnap-kong-validations
+        namespace: default
+    webhooks:
+        - admissionReviewVersions:
+            - v1beta1
+          clientConfig:
+            caBundle: '###DYNAMIC_FIELD###'
+            service:
+                name: chartsnap-kong-validation-webhook
+                namespace: default
+          failurePolicy: Ignore
+          name: validations.kong.konghq.com
+          objectSelector:
+            matchExpressions:
+                - key: owner
+                  operator: NotIn
+                  values:
+                    - helm
+          rules:
+            - apiGroups:
+                - configuration.konghq.com
+              apiVersions:
+                - '*'
+              operations:
+                - CREATE
+                - UPDATE
+              resources:
+                - kongconsumers
+                - kongplugins
+                - kongclusterplugins
+                - kongingresses
+            - apiGroups:
+                - \"\"
+              apiVersions:
+                - v1
+              operations:
+                - CREATE
+                - UPDATE
+              resources:
+                - secrets
+                - services
+            - apiGroups:
+                - networking.k8s.io
+              apiVersions:
+                - v1
+              operations:
+                - CREATE
+                - UPDATE
+              resources:
+                - ingresses
+            - apiGroups:
+                - gateway.networking.k8s.io
+              apiVersions:
+                - v1alpha2
+                - v1beta1
+                - v1
+              operations:
+                - CREATE
+                - UPDATE
+              resources:
+                - gateways
+                - httproutes
+          sideEffects: None
+- object:
+    apiVersion: apps/v1
+    kind: Deployment
+    metadata:
+        labels:
+            app.kubernetes.io/component: app
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            helm.sh/chart: kong-2.38.0
+        name: chartsnap-kong
+        namespace: default
+    spec:
+        replicas: 1
+        selector:
+            matchLabels:
+                app.kubernetes.io/component: app
+                app.kubernetes.io/instance: chartsnap
+                app.kubernetes.io/name: kong
+        template:
+            metadata:
+                annotations:
+                    kuma.io/gateway: enabled
+                    kuma.io/service-account-token-volume: chartsnap-kong-token
+                    traffic.sidecar.istio.io/includeInboundPorts: \"\"
+                labels:
+                    app: chartsnap-kong
+                    app.kubernetes.io/component: app
+                    app.kubernetes.io/instance: chartsnap
+                    app.kubernetes.io/managed-by: Helm
+                    app.kubernetes.io/name: kong
+                    app.kubernetes.io/version: \"3.6\"
+                    helm.sh/chart: kong-2.38.0
+                    version: \"3.6\"
+            spec:
+                automountServiceAccountToken: false
+                containers:
+                    - args: null
+                      env:
+                        - name: POD_NAME
+                          valueFrom:
+                            fieldRef:
+                                apiVersion: v1
+                                fieldPath: metadata.name
+                        - name: POD_NAMESPACE
+                          valueFrom:
+                            fieldRef:
+                                apiVersion: v1
+                                fieldPath: metadata.namespace
+                        - name: CONTROLLER_ADMISSION_WEBHOOK_LISTEN
+                          value: 0.0.0.0:8080
+                        - name: CONTROLLER_ELECTION_ID
+                          value: kong-ingress-controller-leader-kong
+                        - name: CONTROLLER_INGRESS_CLASS
+                          value: kong
+                        - name: CONTROLLER_KONG_ADMIN_TLS_SKIP_VERIFY
+                          value: \"true\"
+                        - name: CONTROLLER_KONG_ADMIN_URL
+                          value: https://localhost:8444
+                        - name: CONTROLLER_PUBLISH_SERVICE
+                          value: default/chartsnap-kong-proxy
+                      image: kong/kubernetes-ingress-controller:3.1
+                      imagePullPolicy: IfNotPresent
+                      livenessProbe:
+                        failureThreshold: 3
+                        httpGet:
+                            path: /healthz
+                            port: 10254
+                            scheme: HTTP
+                        initialDelaySeconds: 5
+                        periodSeconds: 10
+                        successThreshold: 1
+                        timeoutSeconds: 5
+                      name: ingress-controller
+                      ports:
+                        - containerPort: 8080
+                          name: webhook
+                          protocol: TCP
+                        - containerPort: 10255
+                          name: cmetrics
+                          protocol: TCP
+                        - containerPort: 10254
+                          name: cstatus
+                          protocol: TCP
+                      readinessProbe:
+                        failureThreshold: 3
+                        httpGet:
+                            path: /readyz
+                            port: 10254
+                            scheme: HTTP
+                        initialDelaySeconds: 5
+                        periodSeconds: 10
+                        successThreshold: 1
+                        timeoutSeconds: 5
+                      resources: {}
+                      securityContext:
+                        allowPrivilegeEscalation: false
+                        capabilities:
+                            drop:
+                                - ALL
+                        readOnlyRootFilesystem: true
+                        runAsNonRoot: true
+                        runAsUser: 1000
+                        seccompProfile:
+                            type: RuntimeDefault
+                      volumeMounts:
+                        - mountPath: /admission-webhook
+                          name: webhook-cert
+                          readOnly: true
+                        - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
+                          name: chartsnap-kong-token
+                          readOnly: true
+                    - env:
+                        - name: KONG_ADMIN_ACCESS_LOG
+                          value: /dev/stdout
+                        - name: KONG_ADMIN_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_ADMIN_GUI_ACCESS_LOG
+                          value: /dev/stdout
+                        - name: KONG_ADMIN_GUI_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_ADMIN_LISTEN
+                          value: 127.0.0.1:8444 http2 ssl, [::1]:8444 http2 ssl
+                        - name: KONG_CLUSTER_LISTEN
+                          value: \"off\"
+                        - name: KONG_DATABASE
+                          value: \"off\"
+                        - name: KONG_KIC
+                          value: \"on\"
+                        - name: KONG_LUA_PACKAGE_PATH
+                          value: /opt/?.lua;/opt/?/init.lua;;
+                        - name: KONG_NGINX_WORKER_PROCESSES
+                          value: \"2\"
+                        - name: KONG_PORTAL_API_ACCESS_LOG
+                          value: /dev/stdout
+                        - name: KONG_PORTAL_API_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_PORT_MAPS
+                          value: 80:8000, 443:8443
+                        - name: KONG_PREFIX
+                          value: /kong_prefix/
+                        - name: KONG_PROXY_ACCESS_LOG
+                          value: /dev/stdout
+                        - name: KONG_PROXY_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_PROXY_LISTEN
+                          value: 0.0.0.0:8000, [::]:8000, 0.0.0.0:8443 http2 ssl, [::]:8443 http2 ssl
+                        - name: KONG_PROXY_STREAM_ACCESS_LOG
+                          value: /dev/stdout basic
+                        - name: KONG_PROXY_STREAM_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_ROUTER_FLAVOR
+                          value: traditional
+                        - name: KONG_STATUS_ACCESS_LOG
+                          value: \"off\"
+                        - name: KONG_STATUS_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_STATUS_LISTEN
+                          value: 0.0.0.0:8100, [::]:8100
+                        - name: KONG_STREAM_LISTEN
+                          value: \"off\"
+                        - name: KONG_NGINX_DAEMON
+                          value: \"off\"
+                      image: kong:3.6
+                      imagePullPolicy: IfNotPresent
+                      lifecycle:
+                        preStop:
+                            exec:
+                                command:
+                                    - kong
+                                    - quit
+                                    - --wait=15
+                      livenessProbe:
+                        failureThreshold: 3
+                        httpGet:
+                            path: /status
+                            port: status
+                            scheme: HTTP
+                        initialDelaySeconds: 5
+                        periodSeconds: 10
+                        successThreshold: 1
+                        timeoutSeconds: 5
+                      name: proxy
+                      ports:
+                        - containerPort: 8000
+                          name: proxy
+                          protocol: TCP
+                        - containerPort: 8443
+                          name: proxy-tls
+                          protocol: TCP
+                        - containerPort: 8100
+                          name: status
+                          protocol: TCP
+                      readinessProbe:
+                        failureThreshold: 3
+                        httpGet:
+                            path: /status/ready
+                            port: status
+                            scheme: HTTP
+                        initialDelaySeconds: 5
+                        periodSeconds: 10
+                        successThreshold: 1
+                        timeoutSeconds: 5
+                      resources: {}
+                      securityContext:
+                        allowPrivilegeEscalation: false
+                        capabilities:
+                            drop:
+                                - ALL
+                        readOnlyRootFilesystem: true
+                        runAsNonRoot: true
+                        runAsUser: 1000
+                        seccompProfile:
+                            type: RuntimeDefault
+                      volumeMounts:
+                        - mountPath: /kong_prefix/
+                          name: chartsnap-kong-prefix-dir
+                        - mountPath: /tmp
+                          name: chartsnap-kong-tmp
+                initContainers:
+                    - command:
+                        - rm
+                        - -vrf
+                        - $KONG_PREFIX/pids
+                      env:
+                        - name: KONG_ADMIN_ACCESS_LOG
+                          value: /dev/stdout
+                        - name: KONG_ADMIN_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_ADMIN_GUI_ACCESS_LOG
+                          value: /dev/stdout
+                        - name: KONG_ADMIN_GUI_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_ADMIN_LISTEN
+                          value: 127.0.0.1:8444 http2 ssl, [::1]:8444 http2 ssl
+                        - name: KONG_CLUSTER_LISTEN
+                          value: \"off\"
+                        - name: KONG_DATABASE
+                          value: \"off\"
+                        - name: KONG_KIC
+                          value: \"on\"
+                        - name: KONG_LUA_PACKAGE_PATH
+                          value: /opt/?.lua;/opt/?/init.lua;;
+                        - name: KONG_NGINX_WORKER_PROCESSES
+                          value: \"2\"
+                        - name: KONG_PORTAL_API_ACCESS_LOG
+                          value: /dev/stdout
+                        - name: KONG_PORTAL_API_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_PORT_MAPS
+                          value: 80:8000, 443:8443
+                        - name: KONG_PREFIX
+                          value: /kong_prefix/
+                        - name: KONG_PROXY_ACCESS_LOG
+                          value: /dev/stdout
+                        - name: KONG_PROXY_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_PROXY_LISTEN
+                          value: 0.0.0.0:8000, [::]:8000, 0.0.0.0:8443 http2 ssl, [::]:8443 http2 ssl
+                        - name: KONG_PROXY_STREAM_ACCESS_LOG
+                          value: /dev/stdout basic
+                        - name: KONG_PROXY_STREAM_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_ROUTER_FLAVOR
+                          value: traditional
+                        - name: KONG_STATUS_ACCESS_LOG
+                          value: \"off\"
+                        - name: KONG_STATUS_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_STATUS_LISTEN
+                          value: 0.0.0.0:8100, [::]:8100
+                        - name: KONG_STREAM_LISTEN
+                          value: \"off\"
+                      image: kong:3.6
+                      imagePullPolicy: IfNotPresent
+                      name: clear-stale-pid
+                      resources: {}
+                      securityContext:
+                        allowPrivilegeEscalation: false
+                        capabilities:
+                            drop:
+                                - ALL
+                        readOnlyRootFilesystem: true
+                        runAsNonRoot: true
+                        runAsUser: 1000
+                        seccompProfile:
+                            type: RuntimeDefault
+                      volumeMounts:
+                        - mountPath: /kong_prefix/
+                          name: chartsnap-kong-prefix-dir
+                        - mountPath: /tmp
+                          name: chartsnap-kong-tmp
+                securityContext: {}
+                serviceAccountName: chartsnap-kong
+                terminationGracePeriodSeconds: 30
+                volumes:
+                    - emptyDir:
+                        sizeLimit: 256Mi
+                      name: chartsnap-kong-prefix-dir
+                    - emptyDir:
+                        sizeLimit: 1Gi
+                      name: chartsnap-kong-tmp
+                    - name: chartsnap-kong-token
+                      projected:
+                        sources:
+                            - serviceAccountToken:
+                                expirationSeconds: 3607
+                                path: token
+                            - configMap:
+                                items:
+                                    - key: ca.crt
+                                      path: ca.crt
+                                name: kube-root-ca.crt
+                            - downwardAPI:
+                                items:
+                                    - fieldRef:
+                                        apiVersion: v1
+                                        fieldPath: metadata.namespace
+                                      path: namespace
+                    - name: webhook-cert
+                      secret:
+                        secretName: chartsnap-kong-validation-webhook-keypair
+- object:
+    apiVersion: rbac.authorization.k8s.io/v1
+    kind: ClusterRole
+    metadata:
+        labels:
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            helm.sh/chart: kong-2.38.0
+        name: chartsnap-kong
+    rules:
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - kongupstreampolicies
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - kongupstreampolicies/status
+          verbs:
+            - get
+            - patch
+            - update
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - kongconsumergroups
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - kongconsumergroups/status
+          verbs:
+            - get
+            - patch
+            - update
+        - apiGroups:
+            - \"\"
+          resources:
+            - events
+          verbs:
+            - create
+            - patch
+        - apiGroups:
+            - \"\"
+          resources:
+            - nodes
+          verbs:
+            - list
+            - watch
+        - apiGroups:
+            - \"\"
+          resources:
+            - pods
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - \"\"
+          resources:
+            - secrets
+          verbs:
+            - list
+            - watch
+        - apiGroups:
+            - \"\"
+          resources:
+            - services
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - \"\"
+          resources:
+            - services/status
+          verbs:
+            - get
+            - patch
+            - update
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - ingressclassparameterses
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - kongconsumers
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - kongconsumers/status
+          verbs:
+            - get
+            - patch
+            - update
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - kongingresses
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - kongingresses/status
+          verbs:
+            - get
+            - patch
+            - update
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - kongplugins
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - kongplugins/status
+          verbs:
+            - get
+            - patch
+            - update
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - tcpingresses
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - tcpingresses/status
+          verbs:
+            - get
+            - patch
+            - update
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - udpingresses
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - udpingresses/status
+          verbs:
+            - get
+            - patch
+            - update
+        - apiGroups:
+            - extensions
+          resources:
+            - ingresses
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - extensions
+          resources:
+            - ingresses/status
+          verbs:
+            - get
+            - patch
+            - update
+        - apiGroups:
+            - networking.k8s.io
+          resources:
+            - ingresses
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - networking.k8s.io
+          resources:
+            - ingresses/status
+          verbs:
+            - get
+            - patch
+            - update
+        - apiGroups:
+            - discovery.k8s.io
+          resources:
+            - endpointslices
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - konglicenses
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - konglicenses/status
+          verbs:
+            - get
+            - patch
+            - update
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - kongvaults
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - kongvaults/status
+          verbs:
+            - get
+            - patch
+            - update
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - kongclusterplugins
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - kongclusterplugins/status
+          verbs:
+            - get
+            - patch
+            - update
+        - apiGroups:
+            - apiextensions.k8s.io
+          resources:
+            - customresourcedefinitions
+          verbs:
+            - list
+            - watch
+        - apiGroups:
+            - networking.k8s.io
+          resources:
+            - ingressclasses
+          verbs:
+            - get
+            - list
+            - watch
+- object:
+    apiVersion: rbac.authorization.k8s.io/v1
+    kind: ClusterRoleBinding
+    metadata:
+        labels:
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            helm.sh/chart: kong-2.38.0
+        name: chartsnap-kong
+    roleRef:
+        apiGroup: rbac.authorization.k8s.io
+        kind: ClusterRole
+        name: chartsnap-kong
+    subjects:
+        - kind: ServiceAccount
+          name: chartsnap-kong
+          namespace: default
+- object:
+    apiVersion: rbac.authorization.k8s.io/v1
+    kind: Role
+    metadata:
+        labels:
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            helm.sh/chart: kong-2.38.0
+        name: chartsnap-kong
+        namespace: default
+    rules:
+        - apiGroups:
+            - \"\"
+          resources:
+            - configmaps
+            - pods
+            - secrets
+            - namespaces
+          verbs:
+            - get
+        - apiGroups:
+            - \"\"
+          resourceNames:
+            - kong-ingress-controller-leader-kong-kong
+          resources:
+            - configmaps
+          verbs:
+            - get
+            - update
+        - apiGroups:
+            - \"\"
+          resources:
+            - configmaps
+          verbs:
+            - create
+        - apiGroups:
+            - \"\"
+            - coordination.k8s.io
+          resources:
+            - configmaps
+            - leases
+          verbs:
+            - get
+            - list
+            - watch
+            - create
+            - update
+            - patch
+            - delete
+        - apiGroups:
+            - \"\"
+          resources:
+            - events
+          verbs:
+            - create
+            - patch
+        - apiGroups:
+            - \"\"
+          resources:
+            - services
+          verbs:
+            - get
+- object:
+    apiVersion: rbac.authorization.k8s.io/v1
+    kind: RoleBinding
+    metadata:
+        labels:
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            helm.sh/chart: kong-2.38.0
+        name: chartsnap-kong
+        namespace: default
+    roleRef:
+        apiGroup: rbac.authorization.k8s.io
+        kind: Role
+        name: chartsnap-kong
+    subjects:
+        - kind: ServiceAccount
+          name: chartsnap-kong
+          namespace: default
+- object:
+    apiVersion: v1
+    data:
+        tls.crt: '###DYNAMIC_FIELD###'
+        tls.key: '###DYNAMIC_FIELD###'
+    kind: Secret
+    metadata:
+        labels:
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            helm.sh/chart: kong-2.38.0
+        name: chartsnap-kong-validation-webhook-ca-keypair
+        namespace: default
+    type: kubernetes.io/tls
+- object:
+    apiVersion: v1
+    data:
+        tls.crt: '###DYNAMIC_FIELD###'
+        tls.key: '###DYNAMIC_FIELD###'
+    kind: Secret
+    metadata:
+        labels:
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            helm.sh/chart: kong-2.38.0
+        name: chartsnap-kong-validation-webhook-keypair
+        namespace: default
+    type: kubernetes.io/tls
+- object:
+    apiVersion: v1
+    kind: Service
+    metadata:
+        labels:
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            helm.sh/chart: kong-2.38.0
+        name: chartsnap-kong-manager
+        namespace: default
+    spec:
+        ports:
+            - name: kong-manager
+              port: 8002
+              protocol: TCP
+              targetPort: 8002
+            - name: kong-manager-tls
+              port: 8445
+              protocol: TCP
+              targetPort: 8445
+        selector:
+            app.kubernetes.io/component: app
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/name: kong
+        type: NodePort
+- object:
+    apiVersion: v1
+    kind: Service
+    metadata:
+        labels:
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            enable-metrics: \"true\"
+            helm.sh/chart: kong-2.38.0
+        name: chartsnap-kong-proxy
+        namespace: default
+    spec:
+        ports:
+            - appProtocol: http
+              name: kong-proxy
+              port: 80
+              protocol: TCP
+              targetPort: 8000
+            - appProtocol: https
+              name: kong-proxy-tls
+              port: 443
+              protocol: TCP
+              targetPort: 8443
+        selector:
+            app.kubernetes.io/component: app
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/name: kong
+        type: LoadBalancer
+- object:
+    apiVersion: v1
+    kind: Service
+    metadata:
+        labels:
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            helm.sh/chart: kong-2.38.0
+        name: chartsnap-kong-validation-webhook
+        namespace: default
+    spec:
+        ports:
+            - name: webhook
+              port: 443
+              protocol: TCP
+              targetPort: webhook
+        selector:
+            app.kubernetes.io/component: app
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            helm.sh/chart: kong-2.38.0
+- object:
+    apiVersion: v1
+    kind: ServiceAccount
+    metadata:
+        labels:
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            helm.sh/chart: kong-2.38.0
+        name: chartsnap-kong
+        namespace: default
+"""
diff --git a/helm/infrastructure/subcharts/kong/ci/__snapshots__/service-account.snap b/helm/infrastructure/subcharts/kong/ci/__snapshots__/service-account.snap
new file mode 100644 (file)
index 0000000..acfde1e
--- /dev/null
@@ -0,0 +1,906 @@
+[service-account]
+SnapShot = """
+- object:
+    apiVersion: admissionregistration.k8s.io/v1
+    kind: ValidatingWebhookConfiguration
+    metadata:
+        labels:
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            helm.sh/chart: kong-2.38.0
+        name: chartsnap-kong-validations
+        namespace: default
+    webhooks:
+        - admissionReviewVersions:
+            - v1beta1
+          clientConfig:
+            caBundle: '###DYNAMIC_FIELD###'
+            service:
+                name: chartsnap-kong-validation-webhook
+                namespace: default
+          failurePolicy: Ignore
+          name: validations.kong.konghq.com
+          objectSelector:
+            matchExpressions:
+                - key: owner
+                  operator: NotIn
+                  values:
+                    - helm
+          rules:
+            - apiGroups:
+                - configuration.konghq.com
+              apiVersions:
+                - '*'
+              operations:
+                - CREATE
+                - UPDATE
+              resources:
+                - kongconsumers
+                - kongplugins
+                - kongclusterplugins
+                - kongingresses
+            - apiGroups:
+                - \"\"
+              apiVersions:
+                - v1
+              operations:
+                - CREATE
+                - UPDATE
+              resources:
+                - secrets
+                - services
+            - apiGroups:
+                - networking.k8s.io
+              apiVersions:
+                - v1
+              operations:
+                - CREATE
+                - UPDATE
+              resources:
+                - ingresses
+            - apiGroups:
+                - gateway.networking.k8s.io
+              apiVersions:
+                - v1alpha2
+                - v1beta1
+                - v1
+              operations:
+                - CREATE
+                - UPDATE
+              resources:
+                - gateways
+                - httproutes
+          sideEffects: None
+- object:
+    apiVersion: apps/v1
+    kind: Deployment
+    metadata:
+        labels:
+            app.kubernetes.io/component: app
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            helm.sh/chart: kong-2.38.0
+        name: chartsnap-kong
+        namespace: default
+    spec:
+        replicas: 1
+        selector:
+            matchLabels:
+                app.kubernetes.io/component: app
+                app.kubernetes.io/instance: chartsnap
+                app.kubernetes.io/name: kong
+        template:
+            metadata:
+                annotations:
+                    kuma.io/gateway: enabled
+                    kuma.io/service-account-token-volume: my-kong-sa-token
+                    traffic.sidecar.istio.io/includeInboundPorts: \"\"
+                labels:
+                    app: chartsnap-kong
+                    app.kubernetes.io/component: app
+                    app.kubernetes.io/instance: chartsnap
+                    app.kubernetes.io/managed-by: Helm
+                    app.kubernetes.io/name: kong
+                    app.kubernetes.io/version: \"3.6\"
+                    helm.sh/chart: kong-2.38.0
+                    version: \"3.6\"
+            spec:
+                automountServiceAccountToken: false
+                containers:
+                    - args: null
+                      env:
+                        - name: POD_NAME
+                          valueFrom:
+                            fieldRef:
+                                apiVersion: v1
+                                fieldPath: metadata.name
+                        - name: POD_NAMESPACE
+                          valueFrom:
+                            fieldRef:
+                                apiVersion: v1
+                                fieldPath: metadata.namespace
+                        - name: CONTROLLER_ADMISSION_WEBHOOK_LISTEN
+                          value: 0.0.0.0:8080
+                        - name: CONTROLLER_ELECTION_ID
+                          value: kong-ingress-controller-leader-kong
+                        - name: CONTROLLER_INGRESS_CLASS
+                          value: kong
+                        - name: CONTROLLER_KONG_ADMIN_TLS_SKIP_VERIFY
+                          value: \"true\"
+                        - name: CONTROLLER_KONG_ADMIN_URL
+                          value: https://localhost:8444
+                        - name: CONTROLLER_PUBLISH_SERVICE
+                          value: default/chartsnap-kong-proxy
+                      image: kong/kubernetes-ingress-controller:3.1
+                      imagePullPolicy: IfNotPresent
+                      livenessProbe:
+                        failureThreshold: 3
+                        httpGet:
+                            path: /healthz
+                            port: 10254
+                            scheme: HTTP
+                        initialDelaySeconds: 5
+                        periodSeconds: 10
+                        successThreshold: 1
+                        timeoutSeconds: 5
+                      name: ingress-controller
+                      ports:
+                        - containerPort: 8080
+                          name: webhook
+                          protocol: TCP
+                        - containerPort: 10255
+                          name: cmetrics
+                          protocol: TCP
+                        - containerPort: 10254
+                          name: cstatus
+                          protocol: TCP
+                      readinessProbe:
+                        failureThreshold: 3
+                        httpGet:
+                            path: /readyz
+                            port: 10254
+                            scheme: HTTP
+                        initialDelaySeconds: 5
+                        periodSeconds: 10
+                        successThreshold: 1
+                        timeoutSeconds: 5
+                      resources: {}
+                      securityContext:
+                        allowPrivilegeEscalation: false
+                        capabilities:
+                            drop:
+                                - ALL
+                        readOnlyRootFilesystem: true
+                        runAsNonRoot: true
+                        runAsUser: 1000
+                        seccompProfile:
+                            type: RuntimeDefault
+                      volumeMounts:
+                        - mountPath: /admission-webhook
+                          name: webhook-cert
+                          readOnly: true
+                        - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
+                          name: my-kong-sa-token
+                          readOnly: true
+                    - env:
+                        - name: KONG_ADMIN_ACCESS_LOG
+                          value: /dev/stdout
+                        - name: KONG_ADMIN_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_ADMIN_GUI_ACCESS_LOG
+                          value: /dev/stdout
+                        - name: KONG_ADMIN_GUI_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_ADMIN_LISTEN
+                          value: 127.0.0.1:8444 http2 ssl, [::1]:8444 http2 ssl
+                        - name: KONG_CLUSTER_LISTEN
+                          value: \"off\"
+                        - name: KONG_DATABASE
+                          value: \"off\"
+                        - name: KONG_KIC
+                          value: \"on\"
+                        - name: KONG_LUA_PACKAGE_PATH
+                          value: /opt/?.lua;/opt/?/init.lua;;
+                        - name: KONG_NGINX_WORKER_PROCESSES
+                          value: \"2\"
+                        - name: KONG_PORTAL_API_ACCESS_LOG
+                          value: /dev/stdout
+                        - name: KONG_PORTAL_API_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_PORT_MAPS
+                          value: 80:8000, 443:8443
+                        - name: KONG_PREFIX
+                          value: /kong_prefix/
+                        - name: KONG_PROXY_ACCESS_LOG
+                          value: /dev/stdout
+                        - name: KONG_PROXY_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_PROXY_LISTEN
+                          value: 0.0.0.0:8000, [::]:8000, 0.0.0.0:8443 http2 ssl, [::]:8443 http2 ssl
+                        - name: KONG_PROXY_STREAM_ACCESS_LOG
+                          value: /dev/stdout basic
+                        - name: KONG_PROXY_STREAM_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_ROUTER_FLAVOR
+                          value: traditional
+                        - name: KONG_STATUS_ACCESS_LOG
+                          value: \"off\"
+                        - name: KONG_STATUS_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_STATUS_LISTEN
+                          value: 0.0.0.0:8100, [::]:8100
+                        - name: KONG_STREAM_LISTEN
+                          value: \"off\"
+                        - name: KONG_NGINX_DAEMON
+                          value: \"off\"
+                      image: kong:3.6
+                      imagePullPolicy: IfNotPresent
+                      lifecycle:
+                        preStop:
+                            exec:
+                                command:
+                                    - kong
+                                    - quit
+                                    - --wait=15
+                      livenessProbe:
+                        failureThreshold: 3
+                        httpGet:
+                            path: /status
+                            port: status
+                            scheme: HTTP
+                        initialDelaySeconds: 5
+                        periodSeconds: 10
+                        successThreshold: 1
+                        timeoutSeconds: 5
+                      name: proxy
+                      ports:
+                        - containerPort: 8000
+                          name: proxy
+                          protocol: TCP
+                        - containerPort: 8443
+                          name: proxy-tls
+                          protocol: TCP
+                        - containerPort: 8100
+                          name: status
+                          protocol: TCP
+                      readinessProbe:
+                        failureThreshold: 3
+                        httpGet:
+                            path: /status/ready
+                            port: status
+                            scheme: HTTP
+                        initialDelaySeconds: 5
+                        periodSeconds: 10
+                        successThreshold: 1
+                        timeoutSeconds: 5
+                      resources: {}
+                      securityContext:
+                        allowPrivilegeEscalation: false
+                        capabilities:
+                            drop:
+                                - ALL
+                        readOnlyRootFilesystem: true
+                        runAsNonRoot: true
+                        runAsUser: 1000
+                        seccompProfile:
+                            type: RuntimeDefault
+                      volumeMounts:
+                        - mountPath: /kong_prefix/
+                          name: chartsnap-kong-prefix-dir
+                        - mountPath: /tmp
+                          name: chartsnap-kong-tmp
+                initContainers:
+                    - command:
+                        - rm
+                        - -vrf
+                        - $KONG_PREFIX/pids
+                      env:
+                        - name: KONG_ADMIN_ACCESS_LOG
+                          value: /dev/stdout
+                        - name: KONG_ADMIN_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_ADMIN_GUI_ACCESS_LOG
+                          value: /dev/stdout
+                        - name: KONG_ADMIN_GUI_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_ADMIN_LISTEN
+                          value: 127.0.0.1:8444 http2 ssl, [::1]:8444 http2 ssl
+                        - name: KONG_CLUSTER_LISTEN
+                          value: \"off\"
+                        - name: KONG_DATABASE
+                          value: \"off\"
+                        - name: KONG_KIC
+                          value: \"on\"
+                        - name: KONG_LUA_PACKAGE_PATH
+                          value: /opt/?.lua;/opt/?/init.lua;;
+                        - name: KONG_NGINX_WORKER_PROCESSES
+                          value: \"2\"
+                        - name: KONG_PORTAL_API_ACCESS_LOG
+                          value: /dev/stdout
+                        - name: KONG_PORTAL_API_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_PORT_MAPS
+                          value: 80:8000, 443:8443
+                        - name: KONG_PREFIX
+                          value: /kong_prefix/
+                        - name: KONG_PROXY_ACCESS_LOG
+                          value: /dev/stdout
+                        - name: KONG_PROXY_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_PROXY_LISTEN
+                          value: 0.0.0.0:8000, [::]:8000, 0.0.0.0:8443 http2 ssl, [::]:8443 http2 ssl
+                        - name: KONG_PROXY_STREAM_ACCESS_LOG
+                          value: /dev/stdout basic
+                        - name: KONG_PROXY_STREAM_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_ROUTER_FLAVOR
+                          value: traditional
+                        - name: KONG_STATUS_ACCESS_LOG
+                          value: \"off\"
+                        - name: KONG_STATUS_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_STATUS_LISTEN
+                          value: 0.0.0.0:8100, [::]:8100
+                        - name: KONG_STREAM_LISTEN
+                          value: \"off\"
+                      image: kong:3.6
+                      imagePullPolicy: IfNotPresent
+                      name: clear-stale-pid
+                      resources: {}
+                      securityContext:
+                        allowPrivilegeEscalation: false
+                        capabilities:
+                            drop:
+                                - ALL
+                        readOnlyRootFilesystem: true
+                        runAsNonRoot: true
+                        runAsUser: 1000
+                        seccompProfile:
+                            type: RuntimeDefault
+                      volumeMounts:
+                        - mountPath: /kong_prefix/
+                          name: chartsnap-kong-prefix-dir
+                        - mountPath: /tmp
+                          name: chartsnap-kong-tmp
+                securityContext: {}
+                serviceAccountName: my-kong-sa
+                terminationGracePeriodSeconds: 30
+                volumes:
+                    - emptyDir:
+                        sizeLimit: 256Mi
+                      name: chartsnap-kong-prefix-dir
+                    - emptyDir:
+                        sizeLimit: 1Gi
+                      name: chartsnap-kong-tmp
+                    - name: my-kong-sa-token
+                      projected:
+                        sources:
+                            - serviceAccountToken:
+                                expirationSeconds: 3607
+                                path: token
+                            - configMap:
+                                items:
+                                    - key: ca.crt
+                                      path: ca.crt
+                                name: kube-root-ca.crt
+                            - downwardAPI:
+                                items:
+                                    - fieldRef:
+                                        apiVersion: v1
+                                        fieldPath: metadata.namespace
+                                      path: namespace
+                    - name: webhook-cert
+                      secret:
+                        secretName: chartsnap-kong-validation-webhook-keypair
+- object:
+    apiVersion: rbac.authorization.k8s.io/v1
+    kind: ClusterRole
+    metadata:
+        labels:
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            helm.sh/chart: kong-2.38.0
+        name: chartsnap-kong
+    rules:
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - kongupstreampolicies
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - kongupstreampolicies/status
+          verbs:
+            - get
+            - patch
+            - update
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - kongconsumergroups
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - kongconsumergroups/status
+          verbs:
+            - get
+            - patch
+            - update
+        - apiGroups:
+            - \"\"
+          resources:
+            - events
+          verbs:
+            - create
+            - patch
+        - apiGroups:
+            - \"\"
+          resources:
+            - nodes
+          verbs:
+            - list
+            - watch
+        - apiGroups:
+            - \"\"
+          resources:
+            - pods
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - \"\"
+          resources:
+            - secrets
+          verbs:
+            - list
+            - watch
+        - apiGroups:
+            - \"\"
+          resources:
+            - services
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - \"\"
+          resources:
+            - services/status
+          verbs:
+            - get
+            - patch
+            - update
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - ingressclassparameterses
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - kongconsumers
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - kongconsumers/status
+          verbs:
+            - get
+            - patch
+            - update
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - kongingresses
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - kongingresses/status
+          verbs:
+            - get
+            - patch
+            - update
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - kongplugins
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - kongplugins/status
+          verbs:
+            - get
+            - patch
+            - update
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - tcpingresses
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - tcpingresses/status
+          verbs:
+            - get
+            - patch
+            - update
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - udpingresses
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - udpingresses/status
+          verbs:
+            - get
+            - patch
+            - update
+        - apiGroups:
+            - extensions
+          resources:
+            - ingresses
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - extensions
+          resources:
+            - ingresses/status
+          verbs:
+            - get
+            - patch
+            - update
+        - apiGroups:
+            - networking.k8s.io
+          resources:
+            - ingresses
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - networking.k8s.io
+          resources:
+            - ingresses/status
+          verbs:
+            - get
+            - patch
+            - update
+        - apiGroups:
+            - discovery.k8s.io
+          resources:
+            - endpointslices
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - konglicenses
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - konglicenses/status
+          verbs:
+            - get
+            - patch
+            - update
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - kongvaults
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - kongvaults/status
+          verbs:
+            - get
+            - patch
+            - update
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - kongclusterplugins
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - kongclusterplugins/status
+          verbs:
+            - get
+            - patch
+            - update
+        - apiGroups:
+            - apiextensions.k8s.io
+          resources:
+            - customresourcedefinitions
+          verbs:
+            - list
+            - watch
+        - apiGroups:
+            - networking.k8s.io
+          resources:
+            - ingressclasses
+          verbs:
+            - get
+            - list
+            - watch
+- object:
+    apiVersion: rbac.authorization.k8s.io/v1
+    kind: ClusterRoleBinding
+    metadata:
+        labels:
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            helm.sh/chart: kong-2.38.0
+        name: chartsnap-kong
+    roleRef:
+        apiGroup: rbac.authorization.k8s.io
+        kind: ClusterRole
+        name: chartsnap-kong
+    subjects:
+        - kind: ServiceAccount
+          name: my-kong-sa
+          namespace: default
+- object:
+    apiVersion: rbac.authorization.k8s.io/v1
+    kind: Role
+    metadata:
+        labels:
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            helm.sh/chart: kong-2.38.0
+        name: chartsnap-kong
+        namespace: default
+    rules:
+        - apiGroups:
+            - \"\"
+          resources:
+            - configmaps
+            - pods
+            - secrets
+            - namespaces
+          verbs:
+            - get
+        - apiGroups:
+            - \"\"
+          resourceNames:
+            - kong-ingress-controller-leader-kong-kong
+          resources:
+            - configmaps
+          verbs:
+            - get
+            - update
+        - apiGroups:
+            - \"\"
+          resources:
+            - configmaps
+          verbs:
+            - create
+        - apiGroups:
+            - \"\"
+            - coordination.k8s.io
+          resources:
+            - configmaps
+            - leases
+          verbs:
+            - get
+            - list
+            - watch
+            - create
+            - update
+            - patch
+            - delete
+        - apiGroups:
+            - \"\"
+          resources:
+            - events
+          verbs:
+            - create
+            - patch
+        - apiGroups:
+            - \"\"
+          resources:
+            - services
+          verbs:
+            - get
+- object:
+    apiVersion: rbac.authorization.k8s.io/v1
+    kind: RoleBinding
+    metadata:
+        labels:
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            helm.sh/chart: kong-2.38.0
+        name: chartsnap-kong
+        namespace: default
+    roleRef:
+        apiGroup: rbac.authorization.k8s.io
+        kind: Role
+        name: chartsnap-kong
+    subjects:
+        - kind: ServiceAccount
+          name: my-kong-sa
+          namespace: default
+- object:
+    apiVersion: v1
+    data:
+        tls.crt: '###DYNAMIC_FIELD###'
+        tls.key: '###DYNAMIC_FIELD###'
+    kind: Secret
+    metadata:
+        labels:
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            helm.sh/chart: kong-2.38.0
+        name: chartsnap-kong-validation-webhook-ca-keypair
+        namespace: default
+    type: kubernetes.io/tls
+- object:
+    apiVersion: v1
+    data:
+        tls.crt: '###DYNAMIC_FIELD###'
+        tls.key: '###DYNAMIC_FIELD###'
+    kind: Secret
+    metadata:
+        labels:
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            helm.sh/chart: kong-2.38.0
+        name: chartsnap-kong-validation-webhook-keypair
+        namespace: default
+    type: kubernetes.io/tls
+- object:
+    apiVersion: v1
+    kind: Service
+    metadata:
+        labels:
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            helm.sh/chart: kong-2.38.0
+        name: chartsnap-kong-manager
+        namespace: default
+    spec:
+        ports:
+            - name: kong-manager
+              port: 8002
+              protocol: TCP
+              targetPort: 8002
+            - name: kong-manager-tls
+              port: 8445
+              protocol: TCP
+              targetPort: 8445
+        selector:
+            app.kubernetes.io/component: app
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/name: kong
+        type: NodePort
+- object:
+    apiVersion: v1
+    kind: Service
+    metadata:
+        labels:
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            enable-metrics: \"true\"
+            helm.sh/chart: kong-2.38.0
+        name: chartsnap-kong-proxy
+        namespace: default
+    spec:
+        ports:
+            - name: kong-proxy
+              port: 80
+              protocol: TCP
+              targetPort: 8000
+            - name: kong-proxy-tls
+              port: 443
+              protocol: TCP
+              targetPort: 8443
+        selector:
+            app.kubernetes.io/component: app
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/name: kong
+        type: LoadBalancer
+- object:
+    apiVersion: v1
+    kind: Service
+    metadata:
+        labels:
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            helm.sh/chart: kong-2.38.0
+        name: chartsnap-kong-validation-webhook
+        namespace: default
+    spec:
+        ports:
+            - name: webhook
+              port: 443
+              protocol: TCP
+              targetPort: webhook
+        selector:
+            app.kubernetes.io/component: app
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            helm.sh/chart: kong-2.38.0
+- object:
+    apiVersion: v1
+    kind: ServiceAccount
+    metadata:
+        labels:
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            helm.sh/chart: kong-2.38.0
+        name: my-kong-sa
+        namespace: default
+"""
diff --git a/helm/infrastructure/subcharts/kong/ci/__snapshots__/single-image-default-values.snap b/helm/infrastructure/subcharts/kong/ci/__snapshots__/single-image-default-values.snap
new file mode 100644 (file)
index 0000000..2f242db
--- /dev/null
@@ -0,0 +1,912 @@
+[single-image-default-values]
+SnapShot = """
+- object:
+    apiVersion: admissionregistration.k8s.io/v1
+    kind: ValidatingWebhookConfiguration
+    metadata:
+        labels:
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            helm.sh/chart: kong-2.38.0
+        name: chartsnap-kong-validations
+        namespace: default
+    webhooks:
+        - admissionReviewVersions:
+            - v1beta1
+          clientConfig:
+            caBundle: '###DYNAMIC_FIELD###'
+            service:
+                name: chartsnap-kong-validation-webhook
+                namespace: default
+          failurePolicy: Ignore
+          name: validations.kong.konghq.com
+          objectSelector:
+            matchExpressions:
+                - key: owner
+                  operator: NotIn
+                  values:
+                    - helm
+          rules:
+            - apiGroups:
+                - configuration.konghq.com
+              apiVersions:
+                - '*'
+              operations:
+                - CREATE
+                - UPDATE
+              resources:
+                - kongconsumers
+                - kongplugins
+                - kongclusterplugins
+                - kongingresses
+            - apiGroups:
+                - \"\"
+              apiVersions:
+                - v1
+              operations:
+                - CREATE
+                - UPDATE
+              resources:
+                - secrets
+                - services
+            - apiGroups:
+                - networking.k8s.io
+              apiVersions:
+                - v1
+              operations:
+                - CREATE
+                - UPDATE
+              resources:
+                - ingresses
+            - apiGroups:
+                - gateway.networking.k8s.io
+              apiVersions:
+                - v1alpha2
+                - v1beta1
+                - v1
+              operations:
+                - CREATE
+                - UPDATE
+              resources:
+                - gateways
+                - httproutes
+          sideEffects: None
+- object:
+    apiVersion: apps/v1
+    kind: Deployment
+    metadata:
+        labels:
+            app.kubernetes.io/component: app
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            helm.sh/chart: kong-2.38.0
+        name: chartsnap-kong
+        namespace: default
+    spec:
+        replicas: 1
+        selector:
+            matchLabels:
+                app.kubernetes.io/component: app
+                app.kubernetes.io/instance: chartsnap
+                app.kubernetes.io/name: kong
+        template:
+            metadata:
+                annotations:
+                    kuma.io/gateway: enabled
+                    kuma.io/service-account-token-volume: chartsnap-kong-token
+                    traffic.sidecar.istio.io/includeInboundPorts: \"\"
+                labels:
+                    app: chartsnap-kong
+                    app.kubernetes.io/component: app
+                    app.kubernetes.io/instance: chartsnap
+                    app.kubernetes.io/managed-by: Helm
+                    app.kubernetes.io/name: kong
+                    app.kubernetes.io/version: \"3.6\"
+                    helm.sh/chart: kong-2.38.0
+                    version: \"3.6\"
+            spec:
+                automountServiceAccountToken: false
+                containers:
+                    - args: null
+                      env:
+                        - name: POD_NAME
+                          valueFrom:
+                            fieldRef:
+                                apiVersion: v1
+                                fieldPath: metadata.name
+                        - name: POD_NAMESPACE
+                          valueFrom:
+                            fieldRef:
+                                apiVersion: v1
+                                fieldPath: metadata.namespace
+                        - name: CONTROLLER_ADMISSION_WEBHOOK_LISTEN
+                          value: 0.0.0.0:8080
+                        - name: CONTROLLER_ANONYMOUS_REPORTS
+                          value: \"false\"
+                        - name: CONTROLLER_ELECTION_ID
+                          value: kong-ingress-controller-leader-kong
+                        - name: CONTROLLER_INGRESS_CLASS
+                          value: kong
+                        - name: CONTROLLER_KONG_ADMIN_TLS_SKIP_VERIFY
+                          value: \"true\"
+                        - name: CONTROLLER_KONG_ADMIN_URL
+                          value: https://localhost:8444
+                        - name: CONTROLLER_PUBLISH_SERVICE
+                          value: default/chartsnap-kong-proxy
+                      image: kong/kubernetes-ingress-controller:3.0
+                      imagePullPolicy: IfNotPresent
+                      livenessProbe:
+                        failureThreshold: 3
+                        httpGet:
+                            path: /healthz
+                            port: 10254
+                            scheme: HTTP
+                        initialDelaySeconds: 5
+                        periodSeconds: 10
+                        successThreshold: 1
+                        timeoutSeconds: 5
+                      name: ingress-controller
+                      ports:
+                        - containerPort: 8080
+                          name: webhook
+                          protocol: TCP
+                        - containerPort: 10255
+                          name: cmetrics
+                          protocol: TCP
+                        - containerPort: 10254
+                          name: cstatus
+                          protocol: TCP
+                      readinessProbe:
+                        failureThreshold: 3
+                        httpGet:
+                            path: /readyz
+                            port: 10254
+                            scheme: HTTP
+                        initialDelaySeconds: 5
+                        periodSeconds: 10
+                        successThreshold: 1
+                        timeoutSeconds: 5
+                      resources: {}
+                      securityContext:
+                        allowPrivilegeEscalation: false
+                        capabilities:
+                            drop:
+                                - ALL
+                        readOnlyRootFilesystem: true
+                        runAsNonRoot: true
+                        runAsUser: 1000
+                        seccompProfile:
+                            type: RuntimeDefault
+                      volumeMounts:
+                        - mountPath: /admission-webhook
+                          name: webhook-cert
+                          readOnly: true
+                        - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
+                          name: chartsnap-kong-token
+                          readOnly: true
+                    - env:
+                        - name: KONG_ADMIN_ACCESS_LOG
+                          value: /dev/stdout
+                        - name: KONG_ADMIN_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_ADMIN_GUI_ACCESS_LOG
+                          value: /dev/stdout
+                        - name: KONG_ADMIN_GUI_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_ADMIN_LISTEN
+                          value: 127.0.0.1:8444 http2 ssl, [::1]:8444 http2 ssl
+                        - name: KONG_ANONYMOUS_REPORTS
+                          value: \"off\"
+                        - name: KONG_CLUSTER_LISTEN
+                          value: \"off\"
+                        - name: KONG_DATABASE
+                          value: \"off\"
+                        - name: KONG_KIC
+                          value: \"on\"
+                        - name: KONG_LUA_PACKAGE_PATH
+                          value: /opt/?.lua;/opt/?/init.lua;;
+                        - name: KONG_NGINX_WORKER_PROCESSES
+                          value: \"2\"
+                        - name: KONG_PORTAL_API_ACCESS_LOG
+                          value: /dev/stdout
+                        - name: KONG_PORTAL_API_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_PORT_MAPS
+                          value: 80:8000, 443:8443
+                        - name: KONG_PREFIX
+                          value: /kong_prefix/
+                        - name: KONG_PROXY_ACCESS_LOG
+                          value: /dev/stdout
+                        - name: KONG_PROXY_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_PROXY_LISTEN
+                          value: 0.0.0.0:8000, [::]:8000, 0.0.0.0:8443 http2 ssl, [::]:8443 http2 ssl
+                        - name: KONG_PROXY_STREAM_ACCESS_LOG
+                          value: /dev/stdout basic
+                        - name: KONG_PROXY_STREAM_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_ROUTER_FLAVOR
+                          value: traditional
+                        - name: KONG_STATUS_ACCESS_LOG
+                          value: \"off\"
+                        - name: KONG_STATUS_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_STATUS_LISTEN
+                          value: 0.0.0.0:8100, [::]:8100
+                        - name: KONG_STREAM_LISTEN
+                          value: \"off\"
+                        - name: KONG_NGINX_DAEMON
+                          value: \"off\"
+                      image: kong:3.4.1
+                      imagePullPolicy: IfNotPresent
+                      lifecycle:
+                        preStop:
+                            exec:
+                                command:
+                                    - kong
+                                    - quit
+                                    - --wait=15
+                      livenessProbe:
+                        failureThreshold: 3
+                        httpGet:
+                            path: /status
+                            port: status
+                            scheme: HTTP
+                        initialDelaySeconds: 5
+                        periodSeconds: 10
+                        successThreshold: 1
+                        timeoutSeconds: 5
+                      name: proxy
+                      ports:
+                        - containerPort: 8000
+                          name: proxy
+                          protocol: TCP
+                        - containerPort: 8443
+                          name: proxy-tls
+                          protocol: TCP
+                        - containerPort: 8100
+                          name: status
+                          protocol: TCP
+                      readinessProbe:
+                        failureThreshold: 3
+                        httpGet:
+                            path: /status/ready
+                            port: status
+                            scheme: HTTP
+                        initialDelaySeconds: 5
+                        periodSeconds: 10
+                        successThreshold: 1
+                        timeoutSeconds: 5
+                      resources: {}
+                      securityContext:
+                        allowPrivilegeEscalation: false
+                        capabilities:
+                            drop:
+                                - ALL
+                        readOnlyRootFilesystem: true
+                        runAsNonRoot: true
+                        runAsUser: 1000
+                        seccompProfile:
+                            type: RuntimeDefault
+                      volumeMounts:
+                        - mountPath: /kong_prefix/
+                          name: chartsnap-kong-prefix-dir
+                        - mountPath: /tmp
+                          name: chartsnap-kong-tmp
+                initContainers:
+                    - command:
+                        - rm
+                        - -vrf
+                        - $KONG_PREFIX/pids
+                      env:
+                        - name: KONG_ADMIN_ACCESS_LOG
+                          value: /dev/stdout
+                        - name: KONG_ADMIN_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_ADMIN_GUI_ACCESS_LOG
+                          value: /dev/stdout
+                        - name: KONG_ADMIN_GUI_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_ADMIN_LISTEN
+                          value: 127.0.0.1:8444 http2 ssl, [::1]:8444 http2 ssl
+                        - name: KONG_ANONYMOUS_REPORTS
+                          value: \"off\"
+                        - name: KONG_CLUSTER_LISTEN
+                          value: \"off\"
+                        - name: KONG_DATABASE
+                          value: \"off\"
+                        - name: KONG_KIC
+                          value: \"on\"
+                        - name: KONG_LUA_PACKAGE_PATH
+                          value: /opt/?.lua;/opt/?/init.lua;;
+                        - name: KONG_NGINX_WORKER_PROCESSES
+                          value: \"2\"
+                        - name: KONG_PORTAL_API_ACCESS_LOG
+                          value: /dev/stdout
+                        - name: KONG_PORTAL_API_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_PORT_MAPS
+                          value: 80:8000, 443:8443
+                        - name: KONG_PREFIX
+                          value: /kong_prefix/
+                        - name: KONG_PROXY_ACCESS_LOG
+                          value: /dev/stdout
+                        - name: KONG_PROXY_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_PROXY_LISTEN
+                          value: 0.0.0.0:8000, [::]:8000, 0.0.0.0:8443 http2 ssl, [::]:8443 http2 ssl
+                        - name: KONG_PROXY_STREAM_ACCESS_LOG
+                          value: /dev/stdout basic
+                        - name: KONG_PROXY_STREAM_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_ROUTER_FLAVOR
+                          value: traditional
+                        - name: KONG_STATUS_ACCESS_LOG
+                          value: \"off\"
+                        - name: KONG_STATUS_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_STATUS_LISTEN
+                          value: 0.0.0.0:8100, [::]:8100
+                        - name: KONG_STREAM_LISTEN
+                          value: \"off\"
+                      image: kong:3.4.1
+                      imagePullPolicy: IfNotPresent
+                      name: clear-stale-pid
+                      resources: {}
+                      securityContext:
+                        allowPrivilegeEscalation: false
+                        capabilities:
+                            drop:
+                                - ALL
+                        readOnlyRootFilesystem: true
+                        runAsNonRoot: true
+                        runAsUser: 1000
+                        seccompProfile:
+                            type: RuntimeDefault
+                      volumeMounts:
+                        - mountPath: /kong_prefix/
+                          name: chartsnap-kong-prefix-dir
+                        - mountPath: /tmp
+                          name: chartsnap-kong-tmp
+                securityContext: {}
+                serviceAccountName: chartsnap-kong
+                terminationGracePeriodSeconds: 30
+                volumes:
+                    - emptyDir:
+                        sizeLimit: 256Mi
+                      name: chartsnap-kong-prefix-dir
+                    - emptyDir:
+                        sizeLimit: 1Gi
+                      name: chartsnap-kong-tmp
+                    - name: chartsnap-kong-token
+                      projected:
+                        sources:
+                            - serviceAccountToken:
+                                expirationSeconds: 3607
+                                path: token
+                            - configMap:
+                                items:
+                                    - key: ca.crt
+                                      path: ca.crt
+                                name: kube-root-ca.crt
+                            - downwardAPI:
+                                items:
+                                    - fieldRef:
+                                        apiVersion: v1
+                                        fieldPath: metadata.namespace
+                                      path: namespace
+                    - name: webhook-cert
+                      secret:
+                        secretName: chartsnap-kong-validation-webhook-keypair
+- object:
+    apiVersion: rbac.authorization.k8s.io/v1
+    kind: ClusterRole
+    metadata:
+        labels:
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            helm.sh/chart: kong-2.38.0
+        name: chartsnap-kong
+    rules:
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - kongupstreampolicies
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - kongupstreampolicies/status
+          verbs:
+            - get
+            - patch
+            - update
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - kongconsumergroups
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - kongconsumergroups/status
+          verbs:
+            - get
+            - patch
+            - update
+        - apiGroups:
+            - \"\"
+          resources:
+            - events
+          verbs:
+            - create
+            - patch
+        - apiGroups:
+            - \"\"
+          resources:
+            - nodes
+          verbs:
+            - list
+            - watch
+        - apiGroups:
+            - \"\"
+          resources:
+            - pods
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - \"\"
+          resources:
+            - secrets
+          verbs:
+            - list
+            - watch
+        - apiGroups:
+            - \"\"
+          resources:
+            - services
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - \"\"
+          resources:
+            - services/status
+          verbs:
+            - get
+            - patch
+            - update
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - ingressclassparameterses
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - kongconsumers
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - kongconsumers/status
+          verbs:
+            - get
+            - patch
+            - update
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - kongingresses
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - kongingresses/status
+          verbs:
+            - get
+            - patch
+            - update
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - kongplugins
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - kongplugins/status
+          verbs:
+            - get
+            - patch
+            - update
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - tcpingresses
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - tcpingresses/status
+          verbs:
+            - get
+            - patch
+            - update
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - udpingresses
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - udpingresses/status
+          verbs:
+            - get
+            - patch
+            - update
+        - apiGroups:
+            - extensions
+          resources:
+            - ingresses
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - extensions
+          resources:
+            - ingresses/status
+          verbs:
+            - get
+            - patch
+            - update
+        - apiGroups:
+            - networking.k8s.io
+          resources:
+            - ingresses
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - networking.k8s.io
+          resources:
+            - ingresses/status
+          verbs:
+            - get
+            - patch
+            - update
+        - apiGroups:
+            - discovery.k8s.io
+          resources:
+            - endpointslices
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - konglicenses
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - konglicenses/status
+          verbs:
+            - get
+            - patch
+            - update
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - kongvaults
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - kongvaults/status
+          verbs:
+            - get
+            - patch
+            - update
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - kongclusterplugins
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - kongclusterplugins/status
+          verbs:
+            - get
+            - patch
+            - update
+        - apiGroups:
+            - apiextensions.k8s.io
+          resources:
+            - customresourcedefinitions
+          verbs:
+            - list
+            - watch
+        - apiGroups:
+            - networking.k8s.io
+          resources:
+            - ingressclasses
+          verbs:
+            - get
+            - list
+            - watch
+- object:
+    apiVersion: rbac.authorization.k8s.io/v1
+    kind: ClusterRoleBinding
+    metadata:
+        labels:
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            helm.sh/chart: kong-2.38.0
+        name: chartsnap-kong
+    roleRef:
+        apiGroup: rbac.authorization.k8s.io
+        kind: ClusterRole
+        name: chartsnap-kong
+    subjects:
+        - kind: ServiceAccount
+          name: chartsnap-kong
+          namespace: default
+- object:
+    apiVersion: rbac.authorization.k8s.io/v1
+    kind: Role
+    metadata:
+        labels:
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            helm.sh/chart: kong-2.38.0
+        name: chartsnap-kong
+        namespace: default
+    rules:
+        - apiGroups:
+            - \"\"
+          resources:
+            - configmaps
+            - pods
+            - secrets
+            - namespaces
+          verbs:
+            - get
+        - apiGroups:
+            - \"\"
+          resourceNames:
+            - kong-ingress-controller-leader-kong-kong
+          resources:
+            - configmaps
+          verbs:
+            - get
+            - update
+        - apiGroups:
+            - \"\"
+          resources:
+            - configmaps
+          verbs:
+            - create
+        - apiGroups:
+            - \"\"
+            - coordination.k8s.io
+          resources:
+            - configmaps
+            - leases
+          verbs:
+            - get
+            - list
+            - watch
+            - create
+            - update
+            - patch
+            - delete
+        - apiGroups:
+            - \"\"
+          resources:
+            - events
+          verbs:
+            - create
+            - patch
+        - apiGroups:
+            - \"\"
+          resources:
+            - services
+          verbs:
+            - get
+- object:
+    apiVersion: rbac.authorization.k8s.io/v1
+    kind: RoleBinding
+    metadata:
+        labels:
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            helm.sh/chart: kong-2.38.0
+        name: chartsnap-kong
+        namespace: default
+    roleRef:
+        apiGroup: rbac.authorization.k8s.io
+        kind: Role
+        name: chartsnap-kong
+    subjects:
+        - kind: ServiceAccount
+          name: chartsnap-kong
+          namespace: default
+- object:
+    apiVersion: v1
+    data:
+        tls.crt: '###DYNAMIC_FIELD###'
+        tls.key: '###DYNAMIC_FIELD###'
+    kind: Secret
+    metadata:
+        labels:
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            helm.sh/chart: kong-2.38.0
+        name: chartsnap-kong-validation-webhook-ca-keypair
+        namespace: default
+    type: kubernetes.io/tls
+- object:
+    apiVersion: v1
+    data:
+        tls.crt: '###DYNAMIC_FIELD###'
+        tls.key: '###DYNAMIC_FIELD###'
+    kind: Secret
+    metadata:
+        labels:
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            helm.sh/chart: kong-2.38.0
+        name: chartsnap-kong-validation-webhook-keypair
+        namespace: default
+    type: kubernetes.io/tls
+- object:
+    apiVersion: v1
+    kind: Service
+    metadata:
+        labels:
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            helm.sh/chart: kong-2.38.0
+        name: chartsnap-kong-manager
+        namespace: default
+    spec:
+        ports:
+            - name: kong-manager
+              port: 8002
+              protocol: TCP
+              targetPort: 8002
+            - name: kong-manager-tls
+              port: 8445
+              protocol: TCP
+              targetPort: 8445
+        selector:
+            app.kubernetes.io/component: app
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/name: kong
+        type: NodePort
+- object:
+    apiVersion: v1
+    kind: Service
+    metadata:
+        labels:
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            enable-metrics: \"true\"
+            helm.sh/chart: kong-2.38.0
+        name: chartsnap-kong-proxy
+        namespace: default
+    spec:
+        ports:
+            - name: kong-proxy
+              port: 80
+              protocol: TCP
+              targetPort: 8000
+            - name: kong-proxy-tls
+              port: 443
+              protocol: TCP
+              targetPort: 8443
+        selector:
+            app.kubernetes.io/component: app
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/name: kong
+        type: LoadBalancer
+- object:
+    apiVersion: v1
+    kind: Service
+    metadata:
+        labels:
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            helm.sh/chart: kong-2.38.0
+        name: chartsnap-kong-validation-webhook
+        namespace: default
+    spec:
+        ports:
+            - name: webhook
+              port: 443
+              protocol: TCP
+              targetPort: webhook
+        selector:
+            app.kubernetes.io/component: app
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            helm.sh/chart: kong-2.38.0
+- object:
+    apiVersion: v1
+    kind: ServiceAccount
+    metadata:
+        labels:
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            helm.sh/chart: kong-2.38.0
+        name: chartsnap-kong
+        namespace: default
+"""
diff --git a/helm/infrastructure/subcharts/kong/ci/__snapshots__/test-enterprise-version-3.4.0.0-values.snap b/helm/infrastructure/subcharts/kong/ci/__snapshots__/test-enterprise-version-3.4.0.0-values.snap
new file mode 100644 (file)
index 0000000..f16c309
--- /dev/null
@@ -0,0 +1,311 @@
+['test-enterprise-version-3.4.0.0-values']
+SnapShot = """
+- object:
+    apiVersion: apps/v1
+    kind: Deployment
+    metadata:
+        labels:
+            app.kubernetes.io/component: app
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            helm.sh/chart: kong-2.38.0
+        name: chartsnap-kong
+        namespace: default
+    spec:
+        replicas: 1
+        selector:
+            matchLabels:
+                app.kubernetes.io/component: app
+                app.kubernetes.io/instance: chartsnap
+                app.kubernetes.io/name: kong
+        template:
+            metadata:
+                annotations:
+                    kuma.io/gateway: enabled
+                    kuma.io/service-account-token-volume: chartsnap-kong-token
+                    traffic.sidecar.istio.io/includeInboundPorts: \"\"
+                labels:
+                    app: chartsnap-kong
+                    app.kubernetes.io/component: app
+                    app.kubernetes.io/instance: chartsnap
+                    app.kubernetes.io/managed-by: Helm
+                    app.kubernetes.io/name: kong
+                    app.kubernetes.io/version: \"3.6\"
+                    helm.sh/chart: kong-2.38.0
+                    version: \"3.6\"
+            spec:
+                automountServiceAccountToken: false
+                containers:
+                    - env:
+                        - name: KONG_ADMIN_ACCESS_LOG
+                          value: /dev/stdout
+                        - name: KONG_ADMIN_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_ADMIN_GUI_ACCESS_LOG
+                          value: /dev/stdout
+                        - name: KONG_ADMIN_GUI_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_ADMIN_LISTEN
+                          value: 127.0.0.1:8444 http2 ssl, [::1]:8444 http2 ssl
+                        - name: KONG_CLUSTER_LISTEN
+                          value: \"off\"
+                        - name: KONG_DATABASE
+                          value: \"off\"
+                        - name: KONG_LUA_PACKAGE_PATH
+                          value: /opt/?.lua;/opt/?/init.lua;;
+                        - name: KONG_NGINX_WORKER_PROCESSES
+                          value: \"2\"
+                        - name: KONG_PORTAL_API_ACCESS_LOG
+                          value: /dev/stdout
+                        - name: KONG_PORTAL_API_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_PORT_MAPS
+                          value: 80:8000, 443:8443
+                        - name: KONG_PREFIX
+                          value: /kong_prefix/
+                        - name: KONG_PROXY_ACCESS_LOG
+                          value: /dev/stdout
+                        - name: KONG_PROXY_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_PROXY_LISTEN
+                          value: 0.0.0.0:8000, [::]:8000, 0.0.0.0:8443 http2 ssl, [::]:8443 http2 ssl
+                        - name: KONG_PROXY_STREAM_ACCESS_LOG
+                          value: /dev/stdout basic
+                        - name: KONG_PROXY_STREAM_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_ROUTER_FLAVOR
+                          value: traditional
+                        - name: KONG_STATUS_ACCESS_LOG
+                          value: \"off\"
+                        - name: KONG_STATUS_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_STATUS_LISTEN
+                          value: 0.0.0.0:8100, [::]:8100
+                        - name: KONG_STREAM_LISTEN
+                          value: \"off\"
+                        - name: KONG_NGINX_DAEMON
+                          value: \"off\"
+                      image: kong/kong-gateway:3.4.0.0
+                      imagePullPolicy: IfNotPresent
+                      lifecycle:
+                        preStop:
+                            exec:
+                                command:
+                                    - kong
+                                    - quit
+                                    - --wait=15
+                      livenessProbe:
+                        failureThreshold: 3
+                        httpGet:
+                            path: /status
+                            port: status
+                            scheme: HTTP
+                        initialDelaySeconds: 5
+                        periodSeconds: 10
+                        successThreshold: 1
+                        timeoutSeconds: 5
+                      name: proxy
+                      ports:
+                        - containerPort: 8000
+                          name: proxy
+                          protocol: TCP
+                        - containerPort: 8443
+                          name: proxy-tls
+                          protocol: TCP
+                        - containerPort: 8100
+                          name: status
+                          protocol: TCP
+                      readinessProbe:
+                        failureThreshold: 3
+                        httpGet:
+                            path: /status
+                            port: status
+                            scheme: HTTP
+                        initialDelaySeconds: 1
+                        periodSeconds: 1
+                        successThreshold: 1
+                        timeoutSeconds: 5
+                      resources: {}
+                      securityContext:
+                        allowPrivilegeEscalation: false
+                        capabilities:
+                            drop:
+                                - ALL
+                        readOnlyRootFilesystem: true
+                        runAsNonRoot: true
+                        runAsUser: 1000
+                        seccompProfile:
+                            type: RuntimeDefault
+                      volumeMounts:
+                        - mountPath: /kong_prefix/
+                          name: chartsnap-kong-prefix-dir
+                        - mountPath: /tmp
+                          name: chartsnap-kong-tmp
+                initContainers:
+                    - command:
+                        - rm
+                        - -vrf
+                        - $KONG_PREFIX/pids
+                      env:
+                        - name: KONG_ADMIN_ACCESS_LOG
+                          value: /dev/stdout
+                        - name: KONG_ADMIN_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_ADMIN_GUI_ACCESS_LOG
+                          value: /dev/stdout
+                        - name: KONG_ADMIN_GUI_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_ADMIN_LISTEN
+                          value: 127.0.0.1:8444 http2 ssl, [::1]:8444 http2 ssl
+                        - name: KONG_CLUSTER_LISTEN
+                          value: \"off\"
+                        - name: KONG_DATABASE
+                          value: \"off\"
+                        - name: KONG_LUA_PACKAGE_PATH
+                          value: /opt/?.lua;/opt/?/init.lua;;
+                        - name: KONG_NGINX_WORKER_PROCESSES
+                          value: \"2\"
+                        - name: KONG_PORTAL_API_ACCESS_LOG
+                          value: /dev/stdout
+                        - name: KONG_PORTAL_API_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_PORT_MAPS
+                          value: 80:8000, 443:8443
+                        - name: KONG_PREFIX
+                          value: /kong_prefix/
+                        - name: KONG_PROXY_ACCESS_LOG
+                          value: /dev/stdout
+                        - name: KONG_PROXY_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_PROXY_LISTEN
+                          value: 0.0.0.0:8000, [::]:8000, 0.0.0.0:8443 http2 ssl, [::]:8443 http2 ssl
+                        - name: KONG_PROXY_STREAM_ACCESS_LOG
+                          value: /dev/stdout basic
+                        - name: KONG_PROXY_STREAM_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_ROUTER_FLAVOR
+                          value: traditional
+                        - name: KONG_STATUS_ACCESS_LOG
+                          value: \"off\"
+                        - name: KONG_STATUS_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_STATUS_LISTEN
+                          value: 0.0.0.0:8100, [::]:8100
+                        - name: KONG_STREAM_LISTEN
+                          value: \"off\"
+                      image: kong/kong-gateway:3.4.0.0
+                      imagePullPolicy: IfNotPresent
+                      name: clear-stale-pid
+                      resources: {}
+                      securityContext:
+                        allowPrivilegeEscalation: false
+                        capabilities:
+                            drop:
+                                - ALL
+                        readOnlyRootFilesystem: true
+                        runAsNonRoot: true
+                        runAsUser: 1000
+                        seccompProfile:
+                            type: RuntimeDefault
+                      volumeMounts:
+                        - mountPath: /kong_prefix/
+                          name: chartsnap-kong-prefix-dir
+                        - mountPath: /tmp
+                          name: chartsnap-kong-tmp
+                securityContext: {}
+                serviceAccountName: chartsnap-kong
+                terminationGracePeriodSeconds: 30
+                volumes:
+                    - emptyDir:
+                        sizeLimit: 256Mi
+                      name: chartsnap-kong-prefix-dir
+                    - emptyDir:
+                        sizeLimit: 1Gi
+                      name: chartsnap-kong-tmp
+                    - name: chartsnap-kong-token
+                      projected:
+                        sources:
+                            - serviceAccountToken:
+                                expirationSeconds: 3607
+                                path: token
+                            - configMap:
+                                items:
+                                    - key: ca.crt
+                                      path: ca.crt
+                                name: kube-root-ca.crt
+                            - downwardAPI:
+                                items:
+                                    - fieldRef:
+                                        apiVersion: v1
+                                        fieldPath: metadata.namespace
+                                      path: namespace
+- object:
+    apiVersion: v1
+    kind: Service
+    metadata:
+        labels:
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            helm.sh/chart: kong-2.38.0
+        name: chartsnap-kong-manager
+        namespace: default
+    spec:
+        ports:
+            - name: kong-manager
+              port: 8002
+              protocol: TCP
+              targetPort: 8002
+            - name: kong-manager-tls
+              port: 8445
+              protocol: TCP
+              targetPort: 8445
+        selector:
+            app.kubernetes.io/component: app
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/name: kong
+        type: NodePort
+- object:
+    apiVersion: v1
+    kind: Service
+    metadata:
+        labels:
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            enable-metrics: \"true\"
+            helm.sh/chart: kong-2.38.0
+        name: chartsnap-kong-proxy
+        namespace: default
+    spec:
+        ports:
+            - name: kong-proxy
+              port: 80
+              protocol: TCP
+              targetPort: 8000
+            - name: kong-proxy-tls
+              port: 443
+              protocol: TCP
+              targetPort: 8443
+        selector:
+            app.kubernetes.io/component: app
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/name: kong
+        type: LoadBalancer
+- object:
+    apiVersion: v1
+    kind: ServiceAccount
+    metadata:
+        labels:
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            helm.sh/chart: kong-2.38.0
+        name: chartsnap-kong
+        namespace: default
+"""
diff --git a/helm/infrastructure/subcharts/kong/ci/__snapshots__/test1-values.snap b/helm/infrastructure/subcharts/kong/ci/__snapshots__/test1-values.snap
new file mode 100644 (file)
index 0000000..8f5070e
--- /dev/null
@@ -0,0 +1,999 @@
+[test1-values]
+SnapShot = """
+- object:
+    apiVersion: admissionregistration.k8s.io/v1
+    kind: ValidatingWebhookConfiguration
+    metadata:
+        labels:
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            helm.sh/chart: kong-2.38.0
+        name: chartsnap-kong-validations
+        namespace: default
+    webhooks:
+        - admissionReviewVersions:
+            - v1beta1
+          clientConfig:
+            caBundle: '###DYNAMIC_FIELD###'
+            service:
+                name: chartsnap-kong-validation-webhook
+                namespace: default
+          failurePolicy: Ignore
+          name: validations.kong.konghq.com
+          objectSelector:
+            matchExpressions:
+                - key: owner
+                  operator: NotIn
+                  values:
+                    - helm
+          rules:
+            - apiGroups:
+                - configuration.konghq.com
+              apiVersions:
+                - '*'
+              operations:
+                - CREATE
+                - UPDATE
+              resources:
+                - kongconsumers
+                - kongplugins
+                - kongclusterplugins
+                - kongingresses
+            - apiGroups:
+                - \"\"
+              apiVersions:
+                - v1
+              operations:
+                - CREATE
+                - UPDATE
+              resources:
+                - secrets
+                - services
+            - apiGroups:
+                - networking.k8s.io
+              apiVersions:
+                - v1
+              operations:
+                - CREATE
+                - UPDATE
+              resources:
+                - ingresses
+            - apiGroups:
+                - gateway.networking.k8s.io
+              apiVersions:
+                - v1alpha2
+                - v1beta1
+                - v1
+              operations:
+                - CREATE
+                - UPDATE
+              resources:
+                - gateways
+                - httproutes
+          sideEffects: None
+- object:
+    apiVersion: apps/v1
+    kind: Deployment
+    metadata:
+        labels:
+            app.kubernetes.io/component: app
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            helm.sh/chart: kong-2.38.0
+        name: chartsnap-kong
+        namespace: default
+    spec:
+        selector:
+            matchLabels:
+                app.kubernetes.io/component: app
+                app.kubernetes.io/instance: chartsnap
+                app.kubernetes.io/name: kong
+        template:
+            metadata:
+                annotations:
+                    kuma.io/gateway: enabled
+                    kuma.io/service-account-token-volume: chartsnap-kong-token
+                    traffic.sidecar.istio.io/includeInboundPorts: \"\"
+                labels:
+                    app: kong
+                    app.kubernetes.io/component: app
+                    app.kubernetes.io/instance: chartsnap
+                    app.kubernetes.io/managed-by: Helm
+                    app.kubernetes.io/name: kong
+                    app.kubernetes.io/version: \"3.6\"
+                    environment: test
+                    helm.sh/chart: kong-2.38.0
+                    version: \"3.6\"
+            spec:
+                automountServiceAccountToken: false
+                containers:
+                    - args: null
+                      env:
+                        - name: POD_NAME
+                          valueFrom:
+                            fieldRef:
+                                apiVersion: v1
+                                fieldPath: metadata.name
+                        - name: POD_NAMESPACE
+                          valueFrom:
+                            fieldRef:
+                                apiVersion: v1
+                                fieldPath: metadata.namespace
+                        - name: CONTROLLER_ADMISSION_WEBHOOK_LISTEN
+                          value: 0.0.0.0:8080
+                        - name: CONTROLLER_ANONYMOUS_REPORTS
+                          value: \"false\"
+                        - name: CONTROLLER_ELECTION_ID
+                          value: kong-ingress-controller-leader-kong
+                        - name: CONTROLLER_INGRESS_CLASS
+                          value: kong
+                        - name: CONTROLLER_KONG_ADMIN_HEADER
+                          value: foo:bar
+                        - name: CONTROLLER_KONG_ADMIN_TLS_SKIP_VERIFY
+                          value: \"true\"
+                        - name: CONTROLLER_KONG_ADMIN_URL
+                          value: https://localhost:8444
+                        - name: CONTROLLER_PUBLISH_SERVICE
+                          value: default/chartsnap-kong-proxy
+                      image: kong/kubernetes-ingress-controller:3.1
+                      imagePullPolicy: IfNotPresent
+                      livenessProbe:
+                        failureThreshold: 3
+                        httpGet:
+                            path: /healthz
+                            port: 10254
+                            scheme: HTTP
+                        initialDelaySeconds: 5
+                        periodSeconds: 10
+                        successThreshold: 1
+                        timeoutSeconds: 5
+                      name: ingress-controller
+                      ports:
+                        - containerPort: 8080
+                          name: webhook
+                          protocol: TCP
+                        - containerPort: 10255
+                          name: cmetrics
+                          protocol: TCP
+                        - containerPort: 10254
+                          name: cstatus
+                          protocol: TCP
+                      readinessProbe:
+                        failureThreshold: 3
+                        httpGet:
+                            path: /readyz
+                            port: 10254
+                            scheme: HTTP
+                        initialDelaySeconds: 5
+                        periodSeconds: 10
+                        successThreshold: 1
+                        timeoutSeconds: 5
+                      resources: {}
+                      securityContext:
+                        allowPrivilegeEscalation: false
+                        capabilities:
+                            drop:
+                                - ALL
+                        readOnlyRootFilesystem: true
+                        runAsNonRoot: true
+                        runAsUser: 1000
+                        seccompProfile:
+                            type: RuntimeDefault
+                      volumeMounts:
+                        - mountPath: /admission-webhook
+                          name: webhook-cert
+                          readOnly: true
+                        - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
+                          name: chartsnap-kong-token
+                          readOnly: true
+                        - mountPath: /tmp/foo
+                          name: tmpdir
+                          readOnly: true
+                        - mountPath: /tmp/controller
+                          name: controllerdir
+                    - env:
+                        - name: KONG_ADMIN_ACCESS_LOG
+                          value: /dev/stdout
+                        - name: KONG_ADMIN_API_URI
+                          value: http://admin.kong.example
+                        - name: KONG_ADMIN_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_ADMIN_GUI_ACCESS_LOG
+                          value: /dev/stdout
+                        - name: KONG_ADMIN_GUI_API_URL
+                          value: http://admin.kong.example
+                        - name: KONG_ADMIN_GUI_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_ADMIN_LISTEN
+                          value: 127.0.0.1:8444 http2 ssl, [::1]:8444 http2 ssl
+                        - name: KONG_ANONYMOUS_REPORTS
+                          value: \"off\"
+                        - name: KONG_CLUSTER_LISTEN
+                          value: \"off\"
+                        - name: KONG_DATABASE
+                          value: \"off\"
+                        - name: KONG_KIC
+                          value: \"on\"
+                        - name: KONG_LUA_PACKAGE_PATH
+                          value: /opt/?.lua;/opt/?/init.lua;;
+                        - name: KONG_NGINX_WORKER_PROCESSES
+                          value: \"2\"
+                        - name: KONG_PORTAL_API_ACCESS_LOG
+                          value: /dev/stdout
+                        - name: KONG_PORTAL_API_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_PORT_MAPS
+                          value: 80:8000, 443:8443
+                        - name: KONG_PREFIX
+                          value: /kong_prefix/
+                        - name: KONG_PROXY_ACCESS_LOG
+                          value: /dev/stdout
+                        - name: KONG_PROXY_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_PROXY_LISTEN
+                          value: 0.0.0.0:8000, [::]:8000, 0.0.0.0:8443 http2 ssl, [::]:8443 http2 ssl
+                        - name: KONG_PROXY_STREAM_ACCESS_LOG
+                          value: /dev/stdout basic
+                        - name: KONG_PROXY_STREAM_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_ROUTER_FLAVOR
+                          value: traditional
+                        - name: KONG_STATUS_ACCESS_LOG
+                          value: \"off\"
+                        - name: KONG_STATUS_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_STATUS_LISTEN
+                          value: 0.0.0.0:8100, [::]:8100
+                        - name: KONG_STREAM_LISTEN
+                          value: \"off\"
+                        - name: KONG_NGINX_DAEMON
+                          value: \"off\"
+                      image: kong:3.6
+                      imagePullPolicy: IfNotPresent
+                      lifecycle:
+                        preStop:
+                            exec:
+                                command:
+                                    - kong
+                                    - quit
+                                    - --wait=15
+                      livenessProbe:
+                        failureThreshold: 3
+                        httpGet:
+                            path: /status
+                            port: status
+                            scheme: HTTP
+                        initialDelaySeconds: 5
+                        periodSeconds: 10
+                        successThreshold: 1
+                        timeoutSeconds: 5
+                      name: proxy
+                      ports:
+                        - containerPort: 8000
+                          name: proxy
+                          protocol: TCP
+                        - containerPort: 8443
+                          name: proxy-tls
+                          protocol: TCP
+                        - containerPort: 8100
+                          name: status
+                          protocol: TCP
+                      readinessProbe:
+                        failureThreshold: 3
+                        httpGet:
+                            path: /status/ready
+                            port: status
+                            scheme: HTTP
+                        initialDelaySeconds: 5
+                        periodSeconds: 10
+                        successThreshold: 1
+                        timeoutSeconds: 5
+                      resources: {}
+                      securityContext:
+                        allowPrivilegeEscalation: false
+                        capabilities:
+                            drop:
+                                - ALL
+                        readOnlyRootFilesystem: true
+                        runAsNonRoot: true
+                        runAsUser: 1000
+                        seccompProfile:
+                            type: RuntimeDefault
+                      volumeMounts:
+                        - mountPath: /kong_prefix/
+                          name: chartsnap-kong-prefix-dir
+                        - mountPath: /tmp
+                          name: chartsnap-kong-tmp
+                        - mountPath: /tmp/foo
+                          name: tmpdir
+                initContainers:
+                    - command:
+                        - rm
+                        - -vrf
+                        - $KONG_PREFIX/pids
+                      env:
+                        - name: KONG_ADMIN_ACCESS_LOG
+                          value: /dev/stdout
+                        - name: KONG_ADMIN_API_URI
+                          value: http://admin.kong.example
+                        - name: KONG_ADMIN_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_ADMIN_GUI_ACCESS_LOG
+                          value: /dev/stdout
+                        - name: KONG_ADMIN_GUI_API_URL
+                          value: http://admin.kong.example
+                        - name: KONG_ADMIN_GUI_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_ADMIN_LISTEN
+                          value: 127.0.0.1:8444 http2 ssl, [::1]:8444 http2 ssl
+                        - name: KONG_ANONYMOUS_REPORTS
+                          value: \"off\"
+                        - name: KONG_CLUSTER_LISTEN
+                          value: \"off\"
+                        - name: KONG_DATABASE
+                          value: \"off\"
+                        - name: KONG_KIC
+                          value: \"on\"
+                        - name: KONG_LUA_PACKAGE_PATH
+                          value: /opt/?.lua;/opt/?/init.lua;;
+                        - name: KONG_NGINX_WORKER_PROCESSES
+                          value: \"2\"
+                        - name: KONG_PORTAL_API_ACCESS_LOG
+                          value: /dev/stdout
+                        - name: KONG_PORTAL_API_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_PORT_MAPS
+                          value: 80:8000, 443:8443
+                        - name: KONG_PREFIX
+                          value: /kong_prefix/
+                        - name: KONG_PROXY_ACCESS_LOG
+                          value: /dev/stdout
+                        - name: KONG_PROXY_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_PROXY_LISTEN
+                          value: 0.0.0.0:8000, [::]:8000, 0.0.0.0:8443 http2 ssl, [::]:8443 http2 ssl
+                        - name: KONG_PROXY_STREAM_ACCESS_LOG
+                          value: /dev/stdout basic
+                        - name: KONG_PROXY_STREAM_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_ROUTER_FLAVOR
+                          value: traditional
+                        - name: KONG_STATUS_ACCESS_LOG
+                          value: \"off\"
+                        - name: KONG_STATUS_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_STATUS_LISTEN
+                          value: 0.0.0.0:8100, [::]:8100
+                        - name: KONG_STREAM_LISTEN
+                          value: \"off\"
+                      image: kong:3.6
+                      imagePullPolicy: IfNotPresent
+                      name: clear-stale-pid
+                      resources: {}
+                      securityContext:
+                        allowPrivilegeEscalation: false
+                        capabilities:
+                            drop:
+                                - ALL
+                        readOnlyRootFilesystem: true
+                        runAsNonRoot: true
+                        runAsUser: 1000
+                        seccompProfile:
+                            type: RuntimeDefault
+                      volumeMounts:
+                        - mountPath: /kong_prefix/
+                          name: chartsnap-kong-prefix-dir
+                        - mountPath: /tmp
+                          name: chartsnap-kong-tmp
+                    - command:
+                        - /bin/sh
+                        - -c
+                        - \"true\"
+                      image: bash:latest
+                      name: bash
+                      resources:
+                        limits:
+                            cpu: 100m
+                            memory: 64Mi
+                        requests:
+                            cpu: 100m
+                            memory: 64Mi
+                      volumeMounts:
+                        - mountPath: /tmp/foo
+                          name: tmpdir
+                securityContext: {}
+                serviceAccountName: chartsnap-kong
+                terminationGracePeriodSeconds: 30
+                volumes:
+                    - emptyDir:
+                        sizeLimit: 256Mi
+                      name: chartsnap-kong-prefix-dir
+                    - emptyDir:
+                        sizeLimit: 1Gi
+                      name: chartsnap-kong-tmp
+                    - name: chartsnap-kong-token
+                      projected:
+                        sources:
+                            - serviceAccountToken:
+                                expirationSeconds: 3607
+                                path: token
+                            - configMap:
+                                items:
+                                    - key: ca.crt
+                                      path: ca.crt
+                                name: kube-root-ca.crt
+                            - downwardAPI:
+                                items:
+                                    - fieldRef:
+                                        apiVersion: v1
+                                        fieldPath: metadata.namespace
+                                      path: namespace
+                    - name: webhook-cert
+                      secret:
+                        secretName: chartsnap-kong-validation-webhook-keypair
+                    - emptyDir: {}
+                      name: tmpdir
+                    - emptyDir: {}
+                      name: controllerdir
+- object:
+    apiVersion: autoscaling/v2
+    kind: HorizontalPodAutoscaler
+    metadata:
+        labels:
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            helm.sh/chart: kong-2.38.0
+        name: chartsnap-kong
+        namespace: default
+    spec:
+        maxReplicas: 5
+        metrics:
+            - resource:
+                name: cpu
+                target:
+                    averageUtilization: 80
+                    type: Utilization
+              type: Resource
+        minReplicas: 2
+        scaleTargetRef:
+            apiVersion: apps/v1
+            kind: Deployment
+            name: chartsnap-kong
+- object:
+    apiVersion: networking.k8s.io/v1
+    kind: Ingress
+    metadata:
+        labels:
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            helm.sh/chart: kong-2.38.0
+        name: chartsnap-kong-proxy
+        namespace: default
+    spec:
+        rules:
+            - host: proxy.kong.example
+              http:
+                paths:
+                    - backend:
+                        service:
+                            name: chartsnap-kong-proxy
+                            port:
+                                number: 443
+                      path: /
+                      pathType: ImplementationSpecific
+- object:
+    apiVersion: rbac.authorization.k8s.io/v1
+    kind: ClusterRole
+    metadata:
+        labels:
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            helm.sh/chart: kong-2.38.0
+        name: chartsnap-kong
+    rules:
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - kongupstreampolicies
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - kongupstreampolicies/status
+          verbs:
+            - get
+            - patch
+            - update
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - kongconsumergroups
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - kongconsumergroups/status
+          verbs:
+            - get
+            - patch
+            - update
+        - apiGroups:
+            - \"\"
+          resources:
+            - events
+          verbs:
+            - create
+            - patch
+        - apiGroups:
+            - \"\"
+          resources:
+            - nodes
+          verbs:
+            - list
+            - watch
+        - apiGroups:
+            - \"\"
+          resources:
+            - pods
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - \"\"
+          resources:
+            - secrets
+          verbs:
+            - list
+            - watch
+        - apiGroups:
+            - \"\"
+          resources:
+            - services
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - \"\"
+          resources:
+            - services/status
+          verbs:
+            - get
+            - patch
+            - update
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - ingressclassparameterses
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - kongconsumers
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - kongconsumers/status
+          verbs:
+            - get
+            - patch
+            - update
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - kongingresses
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - kongingresses/status
+          verbs:
+            - get
+            - patch
+            - update
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - kongplugins
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - kongplugins/status
+          verbs:
+            - get
+            - patch
+            - update
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - tcpingresses
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - tcpingresses/status
+          verbs:
+            - get
+            - patch
+            - update
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - udpingresses
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - udpingresses/status
+          verbs:
+            - get
+            - patch
+            - update
+        - apiGroups:
+            - extensions
+          resources:
+            - ingresses
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - extensions
+          resources:
+            - ingresses/status
+          verbs:
+            - get
+            - patch
+            - update
+        - apiGroups:
+            - networking.k8s.io
+          resources:
+            - ingresses
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - networking.k8s.io
+          resources:
+            - ingresses/status
+          verbs:
+            - get
+            - patch
+            - update
+        - apiGroups:
+            - discovery.k8s.io
+          resources:
+            - endpointslices
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - konglicenses
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - konglicenses/status
+          verbs:
+            - get
+            - patch
+            - update
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - kongvaults
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - kongvaults/status
+          verbs:
+            - get
+            - patch
+            - update
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - kongclusterplugins
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - kongclusterplugins/status
+          verbs:
+            - get
+            - patch
+            - update
+        - apiGroups:
+            - apiextensions.k8s.io
+          resources:
+            - customresourcedefinitions
+          verbs:
+            - list
+            - watch
+        - apiGroups:
+            - networking.k8s.io
+          resources:
+            - ingressclasses
+          verbs:
+            - get
+            - list
+            - watch
+- object:
+    apiVersion: rbac.authorization.k8s.io/v1
+    kind: ClusterRoleBinding
+    metadata:
+        labels:
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            helm.sh/chart: kong-2.38.0
+        name: chartsnap-kong
+    roleRef:
+        apiGroup: rbac.authorization.k8s.io
+        kind: ClusterRole
+        name: chartsnap-kong
+    subjects:
+        - kind: ServiceAccount
+          name: chartsnap-kong
+          namespace: default
+- object:
+    apiVersion: rbac.authorization.k8s.io/v1
+    kind: Role
+    metadata:
+        labels:
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            helm.sh/chart: kong-2.38.0
+        name: chartsnap-kong
+        namespace: default
+    rules:
+        - apiGroups:
+            - \"\"
+          resources:
+            - configmaps
+            - pods
+            - secrets
+            - namespaces
+          verbs:
+            - get
+        - apiGroups:
+            - \"\"
+          resourceNames:
+            - kong-ingress-controller-leader-kong-kong
+          resources:
+            - configmaps
+          verbs:
+            - get
+            - update
+        - apiGroups:
+            - \"\"
+          resources:
+            - configmaps
+          verbs:
+            - create
+        - apiGroups:
+            - \"\"
+            - coordination.k8s.io
+          resources:
+            - configmaps
+            - leases
+          verbs:
+            - get
+            - list
+            - watch
+            - create
+            - update
+            - patch
+            - delete
+        - apiGroups:
+            - \"\"
+          resources:
+            - events
+          verbs:
+            - create
+            - patch
+        - apiGroups:
+            - \"\"
+          resources:
+            - services
+          verbs:
+            - get
+- object:
+    apiVersion: rbac.authorization.k8s.io/v1
+    kind: RoleBinding
+    metadata:
+        labels:
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            helm.sh/chart: kong-2.38.0
+        name: chartsnap-kong
+        namespace: default
+    roleRef:
+        apiGroup: rbac.authorization.k8s.io
+        kind: Role
+        name: chartsnap-kong
+    subjects:
+        - kind: ServiceAccount
+          name: chartsnap-kong
+          namespace: default
+- object:
+    apiVersion: v1
+    data:
+        tls.crt: '###DYNAMIC_FIELD###'
+        tls.key: '###DYNAMIC_FIELD###'
+    kind: Secret
+    metadata:
+        labels:
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            helm.sh/chart: kong-2.38.0
+        name: chartsnap-kong-validation-webhook-ca-keypair
+        namespace: default
+    type: kubernetes.io/tls
+- object:
+    apiVersion: v1
+    data:
+        tls.crt: '###DYNAMIC_FIELD###'
+        tls.key: '###DYNAMIC_FIELD###'
+    kind: Secret
+    metadata:
+        labels:
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            helm.sh/chart: kong-2.38.0
+        name: chartsnap-kong-validation-webhook-keypair
+        namespace: default
+    type: kubernetes.io/tls
+- object:
+    apiVersion: v1
+    kind: Service
+    metadata:
+        labels:
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            helm.sh/chart: kong-2.38.0
+        name: chartsnap-kong-manager
+        namespace: default
+    spec:
+        ports:
+            - name: kong-manager
+              port: 8002
+              protocol: TCP
+              targetPort: 8002
+            - name: kong-manager-tls
+              port: 8445
+              protocol: TCP
+              targetPort: 8445
+        selector:
+            app.kubernetes.io/component: app
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/name: kong
+        type: NodePort
+- object:
+    apiVersion: v1
+    kind: Service
+    metadata:
+        labels:
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            enable-metrics: \"true\"
+            helm.sh/chart: kong-2.38.0
+        name: chartsnap-kong-proxy
+        namespace: default
+    spec:
+        ports:
+            - name: kong-proxy
+              port: 80
+              protocol: TCP
+              targetPort: 8000
+            - name: kong-proxy-tls
+              port: 443
+              protocol: TCP
+              targetPort: 8443
+        selector:
+            app.kubernetes.io/component: app
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/name: kong
+        type: LoadBalancer
+- object:
+    apiVersion: v1
+    kind: Service
+    metadata:
+        labels:
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            helm.sh/chart: kong-2.38.0
+        name: chartsnap-kong-validation-webhook
+        namespace: default
+    spec:
+        ports:
+            - name: webhook
+              port: 443
+              protocol: TCP
+              targetPort: webhook
+        selector:
+            app.kubernetes.io/component: app
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            helm.sh/chart: kong-2.38.0
+- object:
+    apiVersion: v1
+    kind: ServiceAccount
+    metadata:
+        labels:
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            helm.sh/chart: kong-2.38.0
+        name: chartsnap-kong
+        namespace: default
+"""
diff --git a/helm/infrastructure/subcharts/kong/ci/__snapshots__/test2-values.snap b/helm/infrastructure/subcharts/kong/ci/__snapshots__/test2-values.snap
new file mode 100644 (file)
index 0000000..6412459
--- /dev/null
@@ -0,0 +1,2138 @@
+[test2-values]
+SnapShot = """
+- object:
+    apiVersion: admissionregistration.k8s.io/v1
+    kind: ValidatingWebhookConfiguration
+    metadata:
+        labels:
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            helm.sh/chart: kong-2.38.0
+        name: chartsnap-kong-validations
+        namespace: default
+    webhooks:
+        - admissionReviewVersions:
+            - v1beta1
+          clientConfig:
+            caBundle: '###DYNAMIC_FIELD###'
+            service:
+                name: chartsnap-kong-validation-webhook
+                namespace: default
+          failurePolicy: Ignore
+          name: validations.kong.konghq.com
+          objectSelector:
+            matchExpressions:
+                - key: owner
+                  operator: NotIn
+                  values:
+                    - helm
+          rules:
+            - apiGroups:
+                - configuration.konghq.com
+              apiVersions:
+                - '*'
+              operations:
+                - CREATE
+                - UPDATE
+              resources:
+                - kongconsumers
+                - kongplugins
+                - kongclusterplugins
+                - kongingresses
+            - apiGroups:
+                - \"\"
+              apiVersions:
+                - v1
+              operations:
+                - CREATE
+                - UPDATE
+              resources:
+                - secrets
+                - services
+            - apiGroups:
+                - networking.k8s.io
+              apiVersions:
+                - v1
+              operations:
+                - CREATE
+                - UPDATE
+              resources:
+                - ingresses
+            - apiGroups:
+                - gateway.networking.k8s.io
+              apiVersions:
+                - v1alpha2
+                - v1beta1
+                - v1
+              operations:
+                - CREATE
+                - UPDATE
+              resources:
+                - gateways
+                - httproutes
+          sideEffects: None
+          timeoutSeconds: 5
+- object:
+    apiVersion: apps/v1
+    kind: Deployment
+    metadata:
+        labels:
+            app.kubernetes.io/component: app
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            helm.sh/chart: kong-2.38.0
+        name: chartsnap-kong
+        namespace: default
+    spec:
+        replicas: 1
+        selector:
+            matchLabels:
+                app.kubernetes.io/component: app
+                app.kubernetes.io/instance: chartsnap
+                app.kubernetes.io/name: kong
+        strategy:
+            rollingUpdate:
+                maxSurge: 1
+                maxUnavailable: 0
+            type: RollingUpdate
+        template:
+            metadata:
+                annotations:
+                    kuma.io/gateway: enabled
+                    kuma.io/service-account-token-volume: chartsnap-kong-token
+                    traffic.sidecar.istio.io/includeInboundPorts: \"\"
+                labels:
+                    app: chartsnap-kong
+                    app.kubernetes.io/component: app
+                    app.kubernetes.io/instance: chartsnap
+                    app.kubernetes.io/managed-by: Helm
+                    app.kubernetes.io/name: kong
+                    app.kubernetes.io/version: \"3.6\"
+                    helm.sh/chart: kong-2.38.0
+                    version: \"3.6\"
+            spec:
+                automountServiceAccountToken: false
+                containers:
+                    - args: null
+                      env:
+                        - name: POD_NAME
+                          valueFrom:
+                            fieldRef:
+                                apiVersion: v1
+                                fieldPath: metadata.name
+                        - name: POD_NAMESPACE
+                          valueFrom:
+                            fieldRef:
+                                apiVersion: v1
+                                fieldPath: metadata.namespace
+                        - name: CONTROLLER_ADMISSION_WEBHOOK_LISTEN
+                          value: 0.0.0.0:8080
+                        - name: CONTROLLER_ANONYMOUS_REPORTS
+                          value: \"false\"
+                        - name: CONTROLLER_ELECTION_ID
+                          value: kong-ingress-controller-leader-kong
+                        - name: CONTROLLER_INGRESS_CLASS
+                          value: kong
+                        - name: CONTROLLER_KONG_ADMIN_TLS_SKIP_VERIFY
+                          value: \"true\"
+                        - name: CONTROLLER_KONG_ADMIN_URL
+                          value: https://localhost:8444
+                        - name: CONTROLLER_PUBLISH_SERVICE
+                          value: default/chartsnap-kong-proxy
+                        - name: CONTROLLER_WATCH_NAMESPACE
+                          value: default
+                        - name: TZ
+                          value: Europe/Berlin
+                      envFrom:
+                        - configMapRef:
+                            name: env-config
+                      image: kong/kubernetes-ingress-controller:3.1
+                      imagePullPolicy: IfNotPresent
+                      livenessProbe:
+                        failureThreshold: 3
+                        httpGet:
+                            path: /healthz
+                            port: 10254
+                            scheme: HTTP
+                        initialDelaySeconds: 5
+                        periodSeconds: 10
+                        successThreshold: 1
+                        timeoutSeconds: 5
+                      name: ingress-controller
+                      ports:
+                        - containerPort: 8080
+                          name: webhook
+                          protocol: TCP
+                        - containerPort: 10255
+                          name: cmetrics
+                          protocol: TCP
+                        - containerPort: 10254
+                          name: cstatus
+                          protocol: TCP
+                      readinessProbe:
+                        failureThreshold: 3
+                        httpGet:
+                            path: /readyz
+                            port: 10254
+                            scheme: HTTP
+                        initialDelaySeconds: 5
+                        periodSeconds: 10
+                        successThreshold: 1
+                        timeoutSeconds: 5
+                      resources: {}
+                      securityContext:
+                        allowPrivilegeEscalation: false
+                        capabilities:
+                            drop:
+                                - ALL
+                        readOnlyRootFilesystem: true
+                        runAsNonRoot: true
+                        runAsUser: 1000
+                        seccompProfile:
+                            type: RuntimeDefault
+                      volumeMounts:
+                        - mountPath: /admission-webhook
+                          name: webhook-cert
+                          readOnly: true
+                        - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
+                          name: chartsnap-kong-token
+                          readOnly: true
+                    - env:
+                        - name: KONG_ADMIN_ACCESS_LOG
+                          value: /dev/stdout
+                        - name: KONG_ADMIN_API_URI
+                          value: http://
+                        - name: KONG_ADMIN_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_ADMIN_GUI_ACCESS_LOG
+                          value: /dev/stdout
+                        - name: KONG_ADMIN_GUI_API_URL
+                          value: http://
+                        - name: KONG_ADMIN_GUI_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_ADMIN_LISTEN
+                          value: 127.0.0.1:8444 http2 ssl, [::1]:8444 http2 ssl
+                        - name: KONG_ANONYMOUS_REPORTS
+                          value: \"off\"
+                        - name: KONG_CLUSTER_LISTEN
+                          value: \"off\"
+                        - name: KONG_DATABASE
+                          value: postgres
+                        - name: KONG_KIC
+                          value: \"on\"
+                        - name: KONG_LUA_PACKAGE_PATH
+                          value: /opt/?.lua;/opt/?/init.lua;;
+                        - name: KONG_NGINX_WORKER_PROCESSES
+                          value: \"2\"
+                        - name: KONG_PG_HOST
+                          value: chartsnap-postgresql
+                        - name: KONG_PG_PASSWORD
+                          valueFrom:
+                            secretKeyRef:
+                                key: password
+                                name: chartsnap-postgresql
+                        - name: KONG_PG_PORT
+                          value: \"5432\"
+                        - name: KONG_PORTAL_API_ACCESS_LOG
+                          value: /dev/stdout
+                        - name: KONG_PORTAL_API_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_PORT_MAPS
+                          value: 80:8000, 443:8443
+                        - name: KONG_PREFIX
+                          value: /kong_prefix/
+                        - name: KONG_PROXY_ACCESS_LOG
+                          value: /dev/stdout
+                        - name: KONG_PROXY_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_PROXY_LISTEN
+                          value: 0.0.0.0:8000, [::]:8000, 0.0.0.0:8443 http2 ssl, [::]:8443 http2 ssl
+                        - name: KONG_PROXY_STREAM_ACCESS_LOG
+                          value: /dev/stdout basic
+                        - name: KONG_PROXY_STREAM_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_ROUTER_FLAVOR
+                          value: traditional
+                        - name: KONG_STATUS_ACCESS_LOG
+                          value: \"off\"
+                        - name: KONG_STATUS_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_STATUS_LISTEN
+                          value: 0.0.0.0:8100, [::]:8100
+                        - name: KONG_STREAM_LISTEN
+                          value: 0.0.0.0:9000, [::]:9000, 0.0.0.0:9001 ssl, [::]:9001 ssl
+                        - name: KONG_NGINX_DAEMON
+                          value: \"off\"
+                      envFrom:
+                        - configMapRef:
+                            name: env-config
+                      image: kong:3.6
+                      imagePullPolicy: IfNotPresent
+                      lifecycle:
+                        preStop:
+                            exec:
+                                command:
+                                    - kong
+                                    - quit
+                                    - --wait=15
+                      livenessProbe:
+                        failureThreshold: 3
+                        httpGet:
+                            path: /status
+                            port: status
+                            scheme: HTTP
+                        initialDelaySeconds: 5
+                        periodSeconds: 10
+                        successThreshold: 1
+                        timeoutSeconds: 5
+                      name: proxy
+                      ports:
+                        - containerPort: 8000
+                          name: proxy
+                          protocol: TCP
+                        - containerPort: 8443
+                          name: proxy-tls
+                          protocol: TCP
+                        - containerPort: 9000
+                          name: stream-9000
+                          protocol: TCP
+                        - containerPort: 9001
+                          name: stream-9001
+                          protocol: TCP
+                        - containerPort: 8100
+                          name: status
+                          protocol: TCP
+                      readinessProbe:
+                        failureThreshold: 3
+                        httpGet:
+                            path: /status/ready
+                            port: status
+                            scheme: HTTP
+                        initialDelaySeconds: 5
+                        periodSeconds: 10
+                        successThreshold: 1
+                        timeoutSeconds: 5
+                      resources: {}
+                      securityContext:
+                        allowPrivilegeEscalation: false
+                        capabilities:
+                            drop:
+                                - ALL
+                        readOnlyRootFilesystem: true
+                        runAsNonRoot: true
+                        runAsUser: 1000
+                        seccompProfile:
+                            type: RuntimeDefault
+                      volumeMounts:
+                        - mountPath: /kong_prefix/
+                          name: chartsnap-kong-prefix-dir
+                        - mountPath: /tmp
+                          name: chartsnap-kong-tmp
+                initContainers:
+                    - command:
+                        - rm
+                        - -vrf
+                        - $KONG_PREFIX/pids
+                      env:
+                        - name: KONG_ADMIN_ACCESS_LOG
+                          value: /dev/stdout
+                        - name: KONG_ADMIN_API_URI
+                          value: http://
+                        - name: KONG_ADMIN_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_ADMIN_GUI_ACCESS_LOG
+                          value: /dev/stdout
+                        - name: KONG_ADMIN_GUI_API_URL
+                          value: http://
+                        - name: KONG_ADMIN_GUI_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_ADMIN_LISTEN
+                          value: 127.0.0.1:8444 http2 ssl, [::1]:8444 http2 ssl
+                        - name: KONG_ANONYMOUS_REPORTS
+                          value: \"off\"
+                        - name: KONG_CLUSTER_LISTEN
+                          value: \"off\"
+                        - name: KONG_DATABASE
+                          value: postgres
+                        - name: KONG_KIC
+                          value: \"on\"
+                        - name: KONG_LUA_PACKAGE_PATH
+                          value: /opt/?.lua;/opt/?/init.lua;;
+                        - name: KONG_NGINX_WORKER_PROCESSES
+                          value: \"2\"
+                        - name: KONG_PG_HOST
+                          value: chartsnap-postgresql
+                        - name: KONG_PG_PASSWORD
+                          valueFrom:
+                            secretKeyRef:
+                                key: password
+                                name: chartsnap-postgresql
+                        - name: KONG_PG_PORT
+                          value: \"5432\"
+                        - name: KONG_PORTAL_API_ACCESS_LOG
+                          value: /dev/stdout
+                        - name: KONG_PORTAL_API_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_PORT_MAPS
+                          value: 80:8000, 443:8443
+                        - name: KONG_PREFIX
+                          value: /kong_prefix/
+                        - name: KONG_PROXY_ACCESS_LOG
+                          value: /dev/stdout
+                        - name: KONG_PROXY_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_PROXY_LISTEN
+                          value: 0.0.0.0:8000, [::]:8000, 0.0.0.0:8443 http2 ssl, [::]:8443 http2 ssl
+                        - name: KONG_PROXY_STREAM_ACCESS_LOG
+                          value: /dev/stdout basic
+                        - name: KONG_PROXY_STREAM_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_ROUTER_FLAVOR
+                          value: traditional
+                        - name: KONG_STATUS_ACCESS_LOG
+                          value: \"off\"
+                        - name: KONG_STATUS_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_STATUS_LISTEN
+                          value: 0.0.0.0:8100, [::]:8100
+                        - name: KONG_STREAM_LISTEN
+                          value: 0.0.0.0:9000, [::]:9000, 0.0.0.0:9001 ssl, [::]:9001 ssl
+                      envFrom:
+                        - configMapRef:
+                            name: env-config
+                      image: kong:3.6
+                      imagePullPolicy: IfNotPresent
+                      name: clear-stale-pid
+                      resources: {}
+                      securityContext:
+                        allowPrivilegeEscalation: false
+                        capabilities:
+                            drop:
+                                - ALL
+                        readOnlyRootFilesystem: true
+                        runAsNonRoot: true
+                        runAsUser: 1000
+                        seccompProfile:
+                            type: RuntimeDefault
+                      volumeMounts:
+                        - mountPath: /kong_prefix/
+                          name: chartsnap-kong-prefix-dir
+                        - mountPath: /tmp
+                          name: chartsnap-kong-tmp
+                    - command:
+                        - /bin/sh
+                        - -c
+                        - \"true\"
+                      image: bash:latest
+                      name: bash
+                      resources:
+                        limits:
+                            cpu: 100m
+                            memory: 64Mi
+                        requests:
+                            cpu: 100m
+                            memory: 64Mi
+                    - args:
+                        - /bin/bash
+                        - -c
+                        - export KONG_NGINX_DAEMON=on KONG_PREFIX=`mktemp -d` KONG_KEYRING_ENABLED=off; until kong start; do echo 'waiting for db'; sleep 1; done; kong stop
+                      env:
+                        - name: KONG_ADMIN_ACCESS_LOG
+                          value: /dev/stdout
+                        - name: KONG_ADMIN_API_URI
+                          value: http://
+                        - name: KONG_ADMIN_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_ADMIN_GUI_ACCESS_LOG
+                          value: /dev/stdout
+                        - name: KONG_ADMIN_GUI_API_URL
+                          value: http://
+                        - name: KONG_ADMIN_GUI_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_ADMIN_LISTEN
+                          value: 127.0.0.1:8444 http2 ssl, [::1]:8444 http2 ssl
+                        - name: KONG_ANONYMOUS_REPORTS
+                          value: \"off\"
+                        - name: KONG_CLUSTER_LISTEN
+                          value: \"off\"
+                        - name: KONG_DATABASE
+                          value: postgres
+                        - name: KONG_KIC
+                          value: \"on\"
+                        - name: KONG_LUA_PACKAGE_PATH
+                          value: /opt/?.lua;/opt/?/init.lua;;
+                        - name: KONG_NGINX_WORKER_PROCESSES
+                          value: \"2\"
+                        - name: KONG_PG_HOST
+                          value: chartsnap-postgresql
+                        - name: KONG_PG_PASSWORD
+                          valueFrom:
+                            secretKeyRef:
+                                key: password
+                                name: chartsnap-postgresql
+                        - name: KONG_PG_PORT
+                          value: \"5432\"
+                        - name: KONG_PORTAL_API_ACCESS_LOG
+                          value: /dev/stdout
+                        - name: KONG_PORTAL_API_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_PORT_MAPS
+                          value: 80:8000, 443:8443
+                        - name: KONG_PREFIX
+                          value: /kong_prefix/
+                        - name: KONG_PROXY_ACCESS_LOG
+                          value: /dev/stdout
+                        - name: KONG_PROXY_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_PROXY_LISTEN
+                          value: 0.0.0.0:8000, [::]:8000, 0.0.0.0:8443 http2 ssl, [::]:8443 http2 ssl
+                        - name: KONG_PROXY_STREAM_ACCESS_LOG
+                          value: /dev/stdout basic
+                        - name: KONG_PROXY_STREAM_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_ROUTER_FLAVOR
+                          value: traditional
+                        - name: KONG_STATUS_ACCESS_LOG
+                          value: \"off\"
+                        - name: KONG_STATUS_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_STATUS_LISTEN
+                          value: 0.0.0.0:8100, [::]:8100
+                        - name: KONG_STREAM_LISTEN
+                          value: 0.0.0.0:9000, [::]:9000, 0.0.0.0:9001 ssl, [::]:9001 ssl
+                      envFrom:
+                        - configMapRef:
+                            name: env-config
+                      image: kong:3.6
+                      imagePullPolicy: IfNotPresent
+                      name: wait-for-db
+                      resources: {}
+                      securityContext:
+                        allowPrivilegeEscalation: false
+                        capabilities:
+                            drop:
+                                - ALL
+                        readOnlyRootFilesystem: true
+                        runAsNonRoot: true
+                        runAsUser: 1000
+                        seccompProfile:
+                            type: RuntimeDefault
+                      volumeMounts:
+                        - mountPath: /kong_prefix/
+                          name: chartsnap-kong-prefix-dir
+                        - mountPath: /tmp
+                          name: chartsnap-kong-tmp
+                securityContext: {}
+                serviceAccountName: chartsnap-kong
+                terminationGracePeriodSeconds: 30
+                volumes:
+                    - emptyDir:
+                        sizeLimit: 256Mi
+                      name: chartsnap-kong-prefix-dir
+                    - emptyDir:
+                        sizeLimit: 1Gi
+                      name: chartsnap-kong-tmp
+                    - name: chartsnap-kong-token
+                      projected:
+                        sources:
+                            - serviceAccountToken:
+                                expirationSeconds: 3607
+                                path: token
+                            - configMap:
+                                items:
+                                    - key: ca.crt
+                                      path: ca.crt
+                                name: kube-root-ca.crt
+                            - downwardAPI:
+                                items:
+                                    - fieldRef:
+                                        apiVersion: v1
+                                        fieldPath: metadata.namespace
+                                      path: namespace
+                    - configMap:
+                        defaultMode: 493
+                        name: chartsnap-kong-bash-wait-for-postgres
+                      name: chartsnap-kong-bash-wait-for-postgres
+                    - name: webhook-cert
+                      secret:
+                        secretName: chartsnap-kong-validation-webhook-keypair
+- object:
+    apiVersion: apps/v1
+    kind: StatefulSet
+    metadata:
+        annotations: null
+        labels:
+            app.kubernetes.io/component: primary
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: postgresql
+            helm.sh/chart: postgresql-11.9.13
+        name: chartsnap-postgresql
+        namespace: default
+    spec:
+        replicas: 1
+        selector:
+            matchLabels:
+                app.kubernetes.io/component: primary
+                app.kubernetes.io/instance: chartsnap
+                app.kubernetes.io/name: postgresql
+        serviceName: chartsnap-postgresql-hl
+        template:
+            metadata:
+                annotations: null
+                labels:
+                    app.kubernetes.io/component: primary
+                    app.kubernetes.io/instance: chartsnap
+                    app.kubernetes.io/managed-by: Helm
+                    app.kubernetes.io/name: postgresql
+                    helm.sh/chart: postgresql-11.9.13
+                name: chartsnap-postgresql
+            spec:
+                affinity:
+                    nodeAffinity: null
+                    podAffinity: null
+                    podAntiAffinity:
+                        preferredDuringSchedulingIgnoredDuringExecution:
+                            - podAffinityTerm:
+                                labelSelector:
+                                    matchLabels:
+                                        app.kubernetes.io/component: primary
+                                        app.kubernetes.io/instance: chartsnap
+                                        app.kubernetes.io/name: postgresql
+                                namespaces:
+                                    - default
+                                topologyKey: kubernetes.io/hostname
+                              weight: 1
+                containers:
+                    - env:
+                        - name: BITNAMI_DEBUG
+                          value: \"false\"
+                        - name: POSTGRESQL_PORT_NUMBER
+                          value: \"5432\"
+                        - name: POSTGRESQL_VOLUME_DIR
+                          value: /bitnami/postgresql
+                        - name: PGDATA
+                          value: /bitnami/postgresql/data
+                        - name: POSTGRES_USER
+                          value: kong
+                        - name: POSTGRES_POSTGRES_PASSWORD
+                          valueFrom:
+                            secretKeyRef:
+                                key: postgres-password
+                                name: chartsnap-postgresql
+                        - name: POSTGRES_PASSWORD
+                          valueFrom:
+                            secretKeyRef:
+                                key: password
+                                name: chartsnap-postgresql
+                        - name: POSTGRES_DB
+                          value: kong
+                        - name: POSTGRESQL_ENABLE_LDAP
+                          value: \"no\"
+                        - name: POSTGRESQL_ENABLE_TLS
+                          value: \"no\"
+                        - name: POSTGRESQL_LOG_HOSTNAME
+                          value: \"false\"
+                        - name: POSTGRESQL_LOG_CONNECTIONS
+                          value: \"false\"
+                        - name: POSTGRESQL_LOG_DISCONNECTIONS
+                          value: \"false\"
+                        - name: POSTGRESQL_PGAUDIT_LOG_CATALOG
+                          value: \"off\"
+                        - name: POSTGRESQL_CLIENT_MIN_MESSAGES
+                          value: error
+                        - name: POSTGRESQL_SHARED_PRELOAD_LIBRARIES
+                          value: pgaudit
+                      image: docker.io/bitnami/postgresql:13.11.0-debian-11-r20
+                      imagePullPolicy: IfNotPresent
+                      livenessProbe:
+                        exec:
+                            command:
+                                - /bin/sh
+                                - -c
+                                - exec pg_isready -U \"kong\" -d \"dbname=kong\" -h 127.0.0.1 -p 5432
+                        failureThreshold: 6
+                        initialDelaySeconds: 30
+                        periodSeconds: 10
+                        successThreshold: 1
+                        timeoutSeconds: 5
+                      name: postgresql
+                      ports:
+                        - containerPort: 5432
+                          name: tcp-postgresql
+                      readinessProbe:
+                        exec:
+                            command:
+                                - /bin/sh
+                                - -c
+                                - -e
+                                - |
+                                  exec pg_isready -U \"kong\" -d \"dbname=kong\" -h 127.0.0.1 -p 5432
+                                  [ -f /opt/bitnami/postgresql/tmp/.initialized ] || [ -f /bitnami/postgresql/.initialized ]
+                        failureThreshold: 6
+                        initialDelaySeconds: 5
+                        periodSeconds: 10
+                        successThreshold: 1
+                        timeoutSeconds: 5
+                      resources:
+                        limits: {}
+                        requests:
+                            cpu: 250m
+                            memory: 256Mi
+                      securityContext:
+                        runAsUser: 1001
+                      volumeMounts:
+                        - mountPath: /dev/shm
+                          name: dshm
+                        - mountPath: /bitnami/postgresql
+                          name: data
+                hostIPC: false
+                hostNetwork: false
+                initContainers: null
+                securityContext:
+                    fsGroup: 1001
+                serviceAccountName: default
+                volumes:
+                    - emptyDir:
+                        medium: Memory
+                      name: dshm
+        updateStrategy:
+            rollingUpdate: {}
+            type: RollingUpdate
+        volumeClaimTemplates:
+            - metadata:
+                name: data
+              spec:
+                accessModes:
+                    - ReadWriteOnce
+                resources:
+                    requests:
+                        storage: 8Gi
+- object:
+    apiVersion: batch/v1
+    kind: Job
+    metadata:
+        annotations:
+            argocd.argoproj.io/hook: Sync
+            argocd.argoproj.io/hook-delete-policy: BeforeHookCreation
+        labels:
+            app.kubernetes.io/component: init-migrations
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            helm.sh/chart: kong-2.38.0
+        name: chartsnap-kong-init-migrations
+        namespace: default
+    spec:
+        backoffLimit: null
+        template:
+            metadata:
+                annotations:
+                    kuma.io/service-account-token-volume: chartsnap-kong-token
+                    sidecar.istio.io/inject: \"false\"
+                labels:
+                    app.kubernetes.io/component: init-migrations
+                    app.kubernetes.io/instance: chartsnap
+                    app.kubernetes.io/managed-by: Helm
+                    app.kubernetes.io/name: kong
+                    app.kubernetes.io/version: \"3.6\"
+                    helm.sh/chart: kong-2.38.0
+                name: kong-init-migrations
+            spec:
+                automountServiceAccountToken: false
+                containers:
+                    - args:
+                        - kong
+                        - migrations
+                        - bootstrap
+                      env:
+                        - name: KONG_ADMIN_ACCESS_LOG
+                          value: /dev/stdout
+                        - name: KONG_ADMIN_API_URI
+                          value: http://
+                        - name: KONG_ADMIN_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_ADMIN_GUI_ACCESS_LOG
+                          value: /dev/stdout
+                        - name: KONG_ADMIN_GUI_API_URL
+                          value: http://
+                        - name: KONG_ADMIN_GUI_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_ADMIN_LISTEN
+                          value: 127.0.0.1:8444 http2 ssl, [::1]:8444 http2 ssl
+                        - name: KONG_ANONYMOUS_REPORTS
+                          value: \"off\"
+                        - name: KONG_CLUSTER_LISTEN
+                          value: \"off\"
+                        - name: KONG_DATABASE
+                          value: postgres
+                        - name: KONG_KIC
+                          value: \"on\"
+                        - name: KONG_LUA_PACKAGE_PATH
+                          value: /opt/?.lua;/opt/?/init.lua;;
+                        - name: KONG_NGINX_WORKER_PROCESSES
+                          value: \"2\"
+                        - name: KONG_PG_HOST
+                          value: chartsnap-postgresql
+                        - name: KONG_PG_PASSWORD
+                          valueFrom:
+                            secretKeyRef:
+                                key: password
+                                name: chartsnap-postgresql
+                        - name: KONG_PG_PORT
+                          value: \"5432\"
+                        - name: KONG_PORTAL_API_ACCESS_LOG
+                          value: /dev/stdout
+                        - name: KONG_PORTAL_API_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_PORT_MAPS
+                          value: 80:8000, 443:8443
+                        - name: KONG_PREFIX
+                          value: /kong_prefix/
+                        - name: KONG_PROXY_ACCESS_LOG
+                          value: /dev/stdout
+                        - name: KONG_PROXY_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_PROXY_LISTEN
+                          value: 0.0.0.0:8000, [::]:8000, 0.0.0.0:8443 http2 ssl, [::]:8443 http2 ssl
+                        - name: KONG_PROXY_STREAM_ACCESS_LOG
+                          value: /dev/stdout basic
+                        - name: KONG_PROXY_STREAM_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_ROUTER_FLAVOR
+                          value: traditional
+                        - name: KONG_STATUS_ACCESS_LOG
+                          value: \"off\"
+                        - name: KONG_STATUS_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_STATUS_LISTEN
+                          value: 0.0.0.0:8100, [::]:8100
+                        - name: KONG_STREAM_LISTEN
+                          value: 0.0.0.0:9000, [::]:9000, 0.0.0.0:9001 ssl, [::]:9001 ssl
+                        - name: KONG_NGINX_DAEMON
+                          value: \"off\"
+                      envFrom:
+                        - configMapRef:
+                            name: env-config
+                      image: kong:3.6
+                      imagePullPolicy: IfNotPresent
+                      name: kong-migrations
+                      resources: {}
+                      securityContext:
+                        allowPrivilegeEscalation: false
+                        capabilities:
+                            drop:
+                                - ALL
+                        readOnlyRootFilesystem: true
+                        runAsNonRoot: true
+                        runAsUser: 1000
+                        seccompProfile:
+                            type: RuntimeDefault
+                      volumeMounts:
+                        - mountPath: /kong_prefix/
+                          name: chartsnap-kong-prefix-dir
+                        - mountPath: /tmp
+                          name: chartsnap-kong-tmp
+                initContainers:
+                    - command:
+                        - /bin/sh
+                        - -c
+                        - \"true\"
+                      image: bash:latest
+                      name: bash
+                      resources:
+                        limits:
+                            cpu: 100m
+                            memory: 64Mi
+                        requests:
+                            cpu: 100m
+                            memory: 64Mi
+                    - command:
+                        - bash
+                        - /wait_postgres/wait.sh
+                      env:
+                        - name: KONG_ADMIN_ACCESS_LOG
+                          value: /dev/stdout
+                        - name: KONG_ADMIN_API_URI
+                          value: http://
+                        - name: KONG_ADMIN_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_ADMIN_GUI_ACCESS_LOG
+                          value: /dev/stdout
+                        - name: KONG_ADMIN_GUI_API_URL
+                          value: http://
+                        - name: KONG_ADMIN_GUI_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_ADMIN_LISTEN
+                          value: 127.0.0.1:8444 http2 ssl, [::1]:8444 http2 ssl
+                        - name: KONG_ANONYMOUS_REPORTS
+                          value: \"off\"
+                        - name: KONG_CLUSTER_LISTEN
+                          value: \"off\"
+                        - name: KONG_DATABASE
+                          value: postgres
+                        - name: KONG_KIC
+                          value: \"on\"
+                        - name: KONG_LUA_PACKAGE_PATH
+                          value: /opt/?.lua;/opt/?/init.lua;;
+                        - name: KONG_NGINX_WORKER_PROCESSES
+                          value: \"2\"
+                        - name: KONG_PG_HOST
+                          value: chartsnap-postgresql
+                        - name: KONG_PG_PASSWORD
+                          valueFrom:
+                            secretKeyRef:
+                                key: password
+                                name: chartsnap-postgresql
+                        - name: KONG_PG_PORT
+                          value: \"5432\"
+                        - name: KONG_PORTAL_API_ACCESS_LOG
+                          value: /dev/stdout
+                        - name: KONG_PORTAL_API_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_PORT_MAPS
+                          value: 80:8000, 443:8443
+                        - name: KONG_PREFIX
+                          value: /kong_prefix/
+                        - name: KONG_PROXY_ACCESS_LOG
+                          value: /dev/stdout
+                        - name: KONG_PROXY_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_PROXY_LISTEN
+                          value: 0.0.0.0:8000, [::]:8000, 0.0.0.0:8443 http2 ssl, [::]:8443 http2 ssl
+                        - name: KONG_PROXY_STREAM_ACCESS_LOG
+                          value: /dev/stdout basic
+                        - name: KONG_PROXY_STREAM_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_ROUTER_FLAVOR
+                          value: traditional
+                        - name: KONG_STATUS_ACCESS_LOG
+                          value: \"off\"
+                        - name: KONG_STATUS_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_STATUS_LISTEN
+                          value: 0.0.0.0:8100, [::]:8100
+                        - name: KONG_STREAM_LISTEN
+                          value: 0.0.0.0:9000, [::]:9000, 0.0.0.0:9001 ssl, [::]:9001 ssl
+                        - name: KONG_NGINX_DAEMON
+                          value: \"off\"
+                      envFrom:
+                        - configMapRef:
+                            name: env-config
+                      image: kong:3.6
+                      imagePullPolicy: IfNotPresent
+                      name: wait-for-postgres
+                      resources: {}
+                      volumeMounts:
+                        - mountPath: /wait_postgres
+                          name: chartsnap-kong-bash-wait-for-postgres
+                restartPolicy: OnFailure
+                securityContext: {}
+                serviceAccountName: chartsnap-kong
+                volumes:
+                    - emptyDir:
+                        sizeLimit: 256Mi
+                      name: chartsnap-kong-prefix-dir
+                    - emptyDir:
+                        sizeLimit: 1Gi
+                      name: chartsnap-kong-tmp
+                    - name: chartsnap-kong-token
+                      projected:
+                        sources:
+                            - serviceAccountToken:
+                                expirationSeconds: 3607
+                                path: token
+                            - configMap:
+                                items:
+                                    - key: ca.crt
+                                      path: ca.crt
+                                name: kube-root-ca.crt
+                            - downwardAPI:
+                                items:
+                                    - fieldRef:
+                                        apiVersion: v1
+                                        fieldPath: metadata.namespace
+                                      path: namespace
+                    - configMap:
+                        defaultMode: 493
+                        name: chartsnap-kong-bash-wait-for-postgres
+                      name: chartsnap-kong-bash-wait-for-postgres
+                    - name: webhook-cert
+                      secret:
+                        secretName: chartsnap-kong-validation-webhook-keypair
+- object:
+    apiVersion: batch/v1
+    kind: Job
+    metadata:
+        annotations:
+            helm.sh/hook: post-upgrade
+            helm.sh/hook-delete-policy: before-hook-creation
+        labels:
+            app.kubernetes.io/component: post-upgrade-migrations
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            helm.sh/chart: kong-2.38.0
+        name: chartsnap-kong-post-upgrade-migrations
+        namespace: default
+    spec:
+        backoffLimit: null
+        template:
+            metadata:
+                annotations:
+                    kuma.io/service-account-token-volume: chartsnap-kong-token
+                    sidecar.istio.io/inject: \"false\"
+                labels:
+                    app.kubernetes.io/component: post-upgrade-migrations
+                    app.kubernetes.io/instance: chartsnap
+                    app.kubernetes.io/managed-by: Helm
+                    app.kubernetes.io/name: kong
+                    app.kubernetes.io/version: \"3.6\"
+                    helm.sh/chart: kong-2.38.0
+                name: kong-post-upgrade-migrations
+            spec:
+                automountServiceAccountToken: false
+                containers:
+                    - args:
+                        - kong
+                        - migrations
+                        - finish
+                      env:
+                        - name: KONG_ADMIN_ACCESS_LOG
+                          value: /dev/stdout
+                        - name: KONG_ADMIN_API_URI
+                          value: http://
+                        - name: KONG_ADMIN_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_ADMIN_GUI_ACCESS_LOG
+                          value: /dev/stdout
+                        - name: KONG_ADMIN_GUI_API_URL
+                          value: http://
+                        - name: KONG_ADMIN_GUI_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_ADMIN_LISTEN
+                          value: 127.0.0.1:8444 http2 ssl, [::1]:8444 http2 ssl
+                        - name: KONG_ANONYMOUS_REPORTS
+                          value: \"off\"
+                        - name: KONG_CLUSTER_LISTEN
+                          value: \"off\"
+                        - name: KONG_DATABASE
+                          value: postgres
+                        - name: KONG_KIC
+                          value: \"on\"
+                        - name: KONG_LUA_PACKAGE_PATH
+                          value: /opt/?.lua;/opt/?/init.lua;;
+                        - name: KONG_NGINX_WORKER_PROCESSES
+                          value: \"2\"
+                        - name: KONG_PG_HOST
+                          value: chartsnap-postgresql
+                        - name: KONG_PG_PASSWORD
+                          valueFrom:
+                            secretKeyRef:
+                                key: password
+                                name: chartsnap-postgresql
+                        - name: KONG_PG_PORT
+                          value: \"5432\"
+                        - name: KONG_PORTAL_API_ACCESS_LOG
+                          value: /dev/stdout
+                        - name: KONG_PORTAL_API_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_PORT_MAPS
+                          value: 80:8000, 443:8443
+                        - name: KONG_PREFIX
+                          value: /kong_prefix/
+                        - name: KONG_PROXY_ACCESS_LOG
+                          value: /dev/stdout
+                        - name: KONG_PROXY_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_PROXY_LISTEN
+                          value: 0.0.0.0:8000, [::]:8000, 0.0.0.0:8443 http2 ssl, [::]:8443 http2 ssl
+                        - name: KONG_PROXY_STREAM_ACCESS_LOG
+                          value: /dev/stdout basic
+                        - name: KONG_PROXY_STREAM_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_ROUTER_FLAVOR
+                          value: traditional
+                        - name: KONG_STATUS_ACCESS_LOG
+                          value: \"off\"
+                        - name: KONG_STATUS_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_STATUS_LISTEN
+                          value: 0.0.0.0:8100, [::]:8100
+                        - name: KONG_STREAM_LISTEN
+                          value: 0.0.0.0:9000, [::]:9000, 0.0.0.0:9001 ssl, [::]:9001 ssl
+                        - name: KONG_NGINX_DAEMON
+                          value: \"off\"
+                      envFrom:
+                        - configMapRef:
+                            name: env-config
+                      image: kong:3.6
+                      imagePullPolicy: IfNotPresent
+                      name: kong-post-upgrade-migrations
+                      resources: {}
+                      securityContext:
+                        allowPrivilegeEscalation: false
+                        capabilities:
+                            drop:
+                                - ALL
+                        readOnlyRootFilesystem: true
+                        runAsNonRoot: true
+                        runAsUser: 1000
+                        seccompProfile:
+                            type: RuntimeDefault
+                      volumeMounts:
+                        - mountPath: /kong_prefix/
+                          name: chartsnap-kong-prefix-dir
+                        - mountPath: /tmp
+                          name: chartsnap-kong-tmp
+                initContainers:
+                    - command:
+                        - /bin/sh
+                        - -c
+                        - \"true\"
+                      image: bash:latest
+                      name: bash
+                      resources:
+                        limits:
+                            cpu: 100m
+                            memory: 64Mi
+                        requests:
+                            cpu: 100m
+                            memory: 64Mi
+                    - command:
+                        - bash
+                        - /wait_postgres/wait.sh
+                      env:
+                        - name: KONG_ADMIN_ACCESS_LOG
+                          value: /dev/stdout
+                        - name: KONG_ADMIN_API_URI
+                          value: http://
+                        - name: KONG_ADMIN_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_ADMIN_GUI_ACCESS_LOG
+                          value: /dev/stdout
+                        - name: KONG_ADMIN_GUI_API_URL
+                          value: http://
+                        - name: KONG_ADMIN_GUI_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_ADMIN_LISTEN
+                          value: 127.0.0.1:8444 http2 ssl, [::1]:8444 http2 ssl
+                        - name: KONG_ANONYMOUS_REPORTS
+                          value: \"off\"
+                        - name: KONG_CLUSTER_LISTEN
+                          value: \"off\"
+                        - name: KONG_DATABASE
+                          value: postgres
+                        - name: KONG_KIC
+                          value: \"on\"
+                        - name: KONG_LUA_PACKAGE_PATH
+                          value: /opt/?.lua;/opt/?/init.lua;;
+                        - name: KONG_NGINX_WORKER_PROCESSES
+                          value: \"2\"
+                        - name: KONG_PG_HOST
+                          value: chartsnap-postgresql
+                        - name: KONG_PG_PASSWORD
+                          valueFrom:
+                            secretKeyRef:
+                                key: password
+                                name: chartsnap-postgresql
+                        - name: KONG_PG_PORT
+                          value: \"5432\"
+                        - name: KONG_PORTAL_API_ACCESS_LOG
+                          value: /dev/stdout
+                        - name: KONG_PORTAL_API_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_PORT_MAPS
+                          value: 80:8000, 443:8443
+                        - name: KONG_PREFIX
+                          value: /kong_prefix/
+                        - name: KONG_PROXY_ACCESS_LOG
+                          value: /dev/stdout
+                        - name: KONG_PROXY_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_PROXY_LISTEN
+                          value: 0.0.0.0:8000, [::]:8000, 0.0.0.0:8443 http2 ssl, [::]:8443 http2 ssl
+                        - name: KONG_PROXY_STREAM_ACCESS_LOG
+                          value: /dev/stdout basic
+                        - name: KONG_PROXY_STREAM_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_ROUTER_FLAVOR
+                          value: traditional
+                        - name: KONG_STATUS_ACCESS_LOG
+                          value: \"off\"
+                        - name: KONG_STATUS_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_STATUS_LISTEN
+                          value: 0.0.0.0:8100, [::]:8100
+                        - name: KONG_STREAM_LISTEN
+                          value: 0.0.0.0:9000, [::]:9000, 0.0.0.0:9001 ssl, [::]:9001 ssl
+                        - name: KONG_NGINX_DAEMON
+                          value: \"off\"
+                      envFrom:
+                        - configMapRef:
+                            name: env-config
+                      image: kong:3.6
+                      imagePullPolicy: IfNotPresent
+                      name: wait-for-postgres
+                      resources: {}
+                      volumeMounts:
+                        - mountPath: /wait_postgres
+                          name: chartsnap-kong-bash-wait-for-postgres
+                restartPolicy: OnFailure
+                securityContext: {}
+                serviceAccountName: chartsnap-kong
+                volumes:
+                    - emptyDir:
+                        sizeLimit: 256Mi
+                      name: chartsnap-kong-prefix-dir
+                    - emptyDir:
+                        sizeLimit: 1Gi
+                      name: chartsnap-kong-tmp
+                    - name: chartsnap-kong-token
+                      projected:
+                        sources:
+                            - serviceAccountToken:
+                                expirationSeconds: 3607
+                                path: token
+                            - configMap:
+                                items:
+                                    - key: ca.crt
+                                      path: ca.crt
+                                name: kube-root-ca.crt
+                            - downwardAPI:
+                                items:
+                                    - fieldRef:
+                                        apiVersion: v1
+                                        fieldPath: metadata.namespace
+                                      path: namespace
+                    - configMap:
+                        defaultMode: 493
+                        name: chartsnap-kong-bash-wait-for-postgres
+                      name: chartsnap-kong-bash-wait-for-postgres
+                    - name: webhook-cert
+                      secret:
+                        secretName: chartsnap-kong-validation-webhook-keypair
+- object:
+    apiVersion: batch/v1
+    kind: Job
+    metadata:
+        annotations:
+            argocd.argoproj.io/hook: Sync
+            argocd.argoproj.io/hook-delete-policy: BeforeHookCreation
+            helm.sh/hook: pre-upgrade
+            helm.sh/hook-delete-policy: before-hook-creation
+        labels:
+            app.kubernetes.io/component: pre-upgrade-migrations
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            helm.sh/chart: kong-2.38.0
+        name: chartsnap-kong-pre-upgrade-migrations
+        namespace: default
+    spec:
+        backoffLimit: null
+        template:
+            metadata:
+                annotations:
+                    kuma.io/service-account-token-volume: chartsnap-kong-token
+                    sidecar.istio.io/inject: \"false\"
+                labels:
+                    app.kubernetes.io/component: pre-upgrade-migrations
+                    app.kubernetes.io/instance: chartsnap
+                    app.kubernetes.io/managed-by: Helm
+                    app.kubernetes.io/name: kong
+                    app.kubernetes.io/version: \"3.6\"
+                    helm.sh/chart: kong-2.38.0
+                name: kong-pre-upgrade-migrations
+            spec:
+                automountServiceAccountToken: false
+                containers:
+                    - args:
+                        - kong
+                        - migrations
+                        - up
+                      env:
+                        - name: KONG_ADMIN_ACCESS_LOG
+                          value: /dev/stdout
+                        - name: KONG_ADMIN_API_URI
+                          value: http://
+                        - name: KONG_ADMIN_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_ADMIN_GUI_ACCESS_LOG
+                          value: /dev/stdout
+                        - name: KONG_ADMIN_GUI_API_URL
+                          value: http://
+                        - name: KONG_ADMIN_GUI_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_ADMIN_LISTEN
+                          value: 127.0.0.1:8444 http2 ssl, [::1]:8444 http2 ssl
+                        - name: KONG_ANONYMOUS_REPORTS
+                          value: \"off\"
+                        - name: KONG_CLUSTER_LISTEN
+                          value: \"off\"
+                        - name: KONG_DATABASE
+                          value: postgres
+                        - name: KONG_KIC
+                          value: \"on\"
+                        - name: KONG_LUA_PACKAGE_PATH
+                          value: /opt/?.lua;/opt/?/init.lua;;
+                        - name: KONG_NGINX_WORKER_PROCESSES
+                          value: \"2\"
+                        - name: KONG_PG_HOST
+                          value: chartsnap-postgresql
+                        - name: KONG_PG_PASSWORD
+                          valueFrom:
+                            secretKeyRef:
+                                key: password
+                                name: chartsnap-postgresql
+                        - name: KONG_PG_PORT
+                          value: \"5432\"
+                        - name: KONG_PORTAL_API_ACCESS_LOG
+                          value: /dev/stdout
+                        - name: KONG_PORTAL_API_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_PORT_MAPS
+                          value: 80:8000, 443:8443
+                        - name: KONG_PREFIX
+                          value: /kong_prefix/
+                        - name: KONG_PROXY_ACCESS_LOG
+                          value: /dev/stdout
+                        - name: KONG_PROXY_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_PROXY_LISTEN
+                          value: 0.0.0.0:8000, [::]:8000, 0.0.0.0:8443 http2 ssl, [::]:8443 http2 ssl
+                        - name: KONG_PROXY_STREAM_ACCESS_LOG
+                          value: /dev/stdout basic
+                        - name: KONG_PROXY_STREAM_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_ROUTER_FLAVOR
+                          value: traditional
+                        - name: KONG_STATUS_ACCESS_LOG
+                          value: \"off\"
+                        - name: KONG_STATUS_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_STATUS_LISTEN
+                          value: 0.0.0.0:8100, [::]:8100
+                        - name: KONG_STREAM_LISTEN
+                          value: 0.0.0.0:9000, [::]:9000, 0.0.0.0:9001 ssl, [::]:9001 ssl
+                        - name: KONG_NGINX_DAEMON
+                          value: \"off\"
+                      envFrom:
+                        - configMapRef:
+                            name: env-config
+                      image: kong:3.6
+                      imagePullPolicy: IfNotPresent
+                      name: kong-upgrade-migrations
+                      resources: {}
+                      securityContext:
+                        allowPrivilegeEscalation: false
+                        capabilities:
+                            drop:
+                                - ALL
+                        readOnlyRootFilesystem: true
+                        runAsNonRoot: true
+                        runAsUser: 1000
+                        seccompProfile:
+                            type: RuntimeDefault
+                      volumeMounts:
+                        - mountPath: /kong_prefix/
+                          name: chartsnap-kong-prefix-dir
+                        - mountPath: /tmp
+                          name: chartsnap-kong-tmp
+                initContainers:
+                    - command:
+                        - /bin/sh
+                        - -c
+                        - \"true\"
+                      image: bash:latest
+                      name: bash
+                      resources:
+                        limits:
+                            cpu: 100m
+                            memory: 64Mi
+                        requests:
+                            cpu: 100m
+                            memory: 64Mi
+                    - command:
+                        - bash
+                        - /wait_postgres/wait.sh
+                      env:
+                        - name: KONG_ADMIN_ACCESS_LOG
+                          value: /dev/stdout
+                        - name: KONG_ADMIN_API_URI
+                          value: http://
+                        - name: KONG_ADMIN_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_ADMIN_GUI_ACCESS_LOG
+                          value: /dev/stdout
+                        - name: KONG_ADMIN_GUI_API_URL
+                          value: http://
+                        - name: KONG_ADMIN_GUI_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_ADMIN_LISTEN
+                          value: 127.0.0.1:8444 http2 ssl, [::1]:8444 http2 ssl
+                        - name: KONG_ANONYMOUS_REPORTS
+                          value: \"off\"
+                        - name: KONG_CLUSTER_LISTEN
+                          value: \"off\"
+                        - name: KONG_DATABASE
+                          value: postgres
+                        - name: KONG_KIC
+                          value: \"on\"
+                        - name: KONG_LUA_PACKAGE_PATH
+                          value: /opt/?.lua;/opt/?/init.lua;;
+                        - name: KONG_NGINX_WORKER_PROCESSES
+                          value: \"2\"
+                        - name: KONG_PG_HOST
+                          value: chartsnap-postgresql
+                        - name: KONG_PG_PASSWORD
+                          valueFrom:
+                            secretKeyRef:
+                                key: password
+                                name: chartsnap-postgresql
+                        - name: KONG_PG_PORT
+                          value: \"5432\"
+                        - name: KONG_PORTAL_API_ACCESS_LOG
+                          value: /dev/stdout
+                        - name: KONG_PORTAL_API_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_PORT_MAPS
+                          value: 80:8000, 443:8443
+                        - name: KONG_PREFIX
+                          value: /kong_prefix/
+                        - name: KONG_PROXY_ACCESS_LOG
+                          value: /dev/stdout
+                        - name: KONG_PROXY_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_PROXY_LISTEN
+                          value: 0.0.0.0:8000, [::]:8000, 0.0.0.0:8443 http2 ssl, [::]:8443 http2 ssl
+                        - name: KONG_PROXY_STREAM_ACCESS_LOG
+                          value: /dev/stdout basic
+                        - name: KONG_PROXY_STREAM_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_ROUTER_FLAVOR
+                          value: traditional
+                        - name: KONG_STATUS_ACCESS_LOG
+                          value: \"off\"
+                        - name: KONG_STATUS_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_STATUS_LISTEN
+                          value: 0.0.0.0:8100, [::]:8100
+                        - name: KONG_STREAM_LISTEN
+                          value: 0.0.0.0:9000, [::]:9000, 0.0.0.0:9001 ssl, [::]:9001 ssl
+                        - name: KONG_NGINX_DAEMON
+                          value: \"off\"
+                      envFrom:
+                        - configMapRef:
+                            name: env-config
+                      image: kong:3.6
+                      imagePullPolicy: IfNotPresent
+                      name: wait-for-postgres
+                      resources: {}
+                      volumeMounts:
+                        - mountPath: /wait_postgres
+                          name: chartsnap-kong-bash-wait-for-postgres
+                restartPolicy: OnFailure
+                securityContext: {}
+                serviceAccountName: chartsnap-kong
+                volumes:
+                    - emptyDir:
+                        sizeLimit: 256Mi
+                      name: chartsnap-kong-prefix-dir
+                    - emptyDir:
+                        sizeLimit: 1Gi
+                      name: chartsnap-kong-tmp
+                    - name: chartsnap-kong-token
+                      projected:
+                        sources:
+                            - serviceAccountToken:
+                                expirationSeconds: 3607
+                                path: token
+                            - configMap:
+                                items:
+                                    - key: ca.crt
+                                      path: ca.crt
+                                name: kube-root-ca.crt
+                            - downwardAPI:
+                                items:
+                                    - fieldRef:
+                                        apiVersion: v1
+                                        fieldPath: metadata.namespace
+                                      path: namespace
+                    - configMap:
+                        defaultMode: 493
+                        name: chartsnap-kong-bash-wait-for-postgres
+                      name: chartsnap-kong-bash-wait-for-postgres
+                    - name: webhook-cert
+                      secret:
+                        secretName: chartsnap-kong-validation-webhook-keypair
+- object:
+    apiVersion: networking.k8s.io/v1
+    kind: Ingress
+    metadata:
+        labels:
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            helm.sh/chart: kong-2.38.0
+        name: chartsnap-kong-proxy
+        namespace: default
+    spec:
+        rules:
+            - host: proxy.kong.example
+              http:
+                paths:
+                    - backend:
+                        service:
+                            name: chartsnap-kong-proxy
+                            port:
+                                number: 443
+                      path: /
+                      pathType: ImplementationSpecific
+- object:
+    apiVersion: rbac.authorization.k8s.io/v1
+    kind: ClusterRole
+    metadata:
+        labels:
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            helm.sh/chart: kong-2.38.0
+        name: chartsnap-kong
+    rules:
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - kongvaults
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - kongvaults/status
+          verbs:
+            - get
+            - patch
+            - update
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - kongclusterplugins
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - kongclusterplugins/status
+          verbs:
+            - get
+            - patch
+            - update
+        - apiGroups:
+            - apiextensions.k8s.io
+          resources:
+            - customresourcedefinitions
+          verbs:
+            - list
+            - watch
+        - apiGroups:
+            - networking.k8s.io
+          resources:
+            - ingressclasses
+          verbs:
+            - get
+            - list
+            - watch
+- object:
+    apiVersion: rbac.authorization.k8s.io/v1
+    kind: ClusterRoleBinding
+    metadata:
+        labels:
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            helm.sh/chart: kong-2.38.0
+        name: chartsnap-kong
+    roleRef:
+        apiGroup: rbac.authorization.k8s.io
+        kind: ClusterRole
+        name: chartsnap-kong
+    subjects:
+        - kind: ServiceAccount
+          name: chartsnap-kong
+          namespace: default
+- object:
+    apiVersion: rbac.authorization.k8s.io/v1
+    kind: Role
+    metadata:
+        labels:
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            helm.sh/chart: kong-2.38.0
+        name: chartsnap-kong
+        namespace: default
+    rules:
+        - apiGroups:
+            - \"\"
+          resources:
+            - configmaps
+            - pods
+            - secrets
+            - namespaces
+          verbs:
+            - get
+        - apiGroups:
+            - \"\"
+          resourceNames:
+            - kong-ingress-controller-leader-kong-kong
+          resources:
+            - configmaps
+          verbs:
+            - get
+            - update
+        - apiGroups:
+            - \"\"
+          resources:
+            - configmaps
+          verbs:
+            - create
+        - apiGroups:
+            - \"\"
+            - coordination.k8s.io
+          resources:
+            - configmaps
+            - leases
+          verbs:
+            - get
+            - list
+            - watch
+            - create
+            - update
+            - patch
+            - delete
+        - apiGroups:
+            - \"\"
+          resources:
+            - events
+          verbs:
+            - create
+            - patch
+        - apiGroups:
+            - \"\"
+          resources:
+            - services
+          verbs:
+            - get
+- object:
+    apiVersion: rbac.authorization.k8s.io/v1
+    kind: Role
+    metadata:
+        labels:
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            helm.sh/chart: kong-2.38.0
+        name: chartsnap-kong-default
+        namespace: default
+    rules:
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - kongupstreampolicies
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - kongupstreampolicies/status
+          verbs:
+            - get
+            - patch
+            - update
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - kongconsumergroups
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - kongconsumergroups/status
+          verbs:
+            - get
+            - patch
+            - update
+        - apiGroups:
+            - \"\"
+          resources:
+            - events
+          verbs:
+            - create
+            - patch
+        - apiGroups:
+            - \"\"
+          resources:
+            - nodes
+          verbs:
+            - list
+            - watch
+        - apiGroups:
+            - \"\"
+          resources:
+            - pods
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - \"\"
+          resources:
+            - secrets
+          verbs:
+            - list
+            - watch
+        - apiGroups:
+            - \"\"
+          resources:
+            - services
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - \"\"
+          resources:
+            - services/status
+          verbs:
+            - get
+            - patch
+            - update
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - ingressclassparameterses
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - kongconsumers
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - kongconsumers/status
+          verbs:
+            - get
+            - patch
+            - update
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - kongingresses
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - kongingresses/status
+          verbs:
+            - get
+            - patch
+            - update
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - kongplugins
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - kongplugins/status
+          verbs:
+            - get
+            - patch
+            - update
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - tcpingresses
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - tcpingresses/status
+          verbs:
+            - get
+            - patch
+            - update
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - udpingresses
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - udpingresses/status
+          verbs:
+            - get
+            - patch
+            - update
+        - apiGroups:
+            - extensions
+          resources:
+            - ingresses
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - extensions
+          resources:
+            - ingresses/status
+          verbs:
+            - get
+            - patch
+            - update
+        - apiGroups:
+            - networking.k8s.io
+          resources:
+            - ingresses
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - networking.k8s.io
+          resources:
+            - ingresses/status
+          verbs:
+            - get
+            - patch
+            - update
+        - apiGroups:
+            - discovery.k8s.io
+          resources:
+            - endpointslices
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - konglicenses
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - konglicenses/status
+          verbs:
+            - get
+            - patch
+            - update
+- object:
+    apiVersion: rbac.authorization.k8s.io/v1
+    kind: RoleBinding
+    metadata:
+        labels:
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            helm.sh/chart: kong-2.38.0
+        name: chartsnap-kong
+        namespace: default
+    roleRef:
+        apiGroup: rbac.authorization.k8s.io
+        kind: Role
+        name: chartsnap-kong
+    subjects:
+        - kind: ServiceAccount
+          name: chartsnap-kong
+          namespace: default
+- object:
+    apiVersion: rbac.authorization.k8s.io/v1
+    kind: RoleBinding
+    metadata:
+        labels:
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            helm.sh/chart: kong-2.38.0
+        name: chartsnap-kong-default
+        namespace: default
+    roleRef:
+        apiGroup: rbac.authorization.k8s.io
+        kind: Role
+        name: chartsnap-kong-default
+    subjects:
+        - kind: ServiceAccount
+          name: chartsnap-kong
+          namespace: default
+- object:
+    apiVersion: v1
+    data:
+        wait.sh: |
+            until timeout 2 bash -c \"9<>/dev/tcp/${KONG_PG_HOST}/${KONG_PG_PORT}\"
+              do echo \"waiting for db - trying ${KONG_PG_HOST}:${KONG_PG_PORT}\"
+              sleep 2
+            done
+    kind: ConfigMap
+    metadata:
+        labels:
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            helm.sh/chart: kong-2.38.0
+        name: chartsnap-kong-bash-wait-for-postgres
+        namespace: default
+- object:
+    apiVersion: v1
+    data:
+        test-env: test
+    kind: ConfigMap
+    metadata:
+        name: env-config
+- object:
+    apiVersion: v1
+    data:
+        tls.crt: '###DYNAMIC_FIELD###'
+        tls.key: '###DYNAMIC_FIELD###'
+    kind: Secret
+    metadata:
+        labels:
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            helm.sh/chart: kong-2.38.0
+        name: chartsnap-kong-validation-webhook-ca-keypair
+        namespace: default
+    type: kubernetes.io/tls
+- object:
+    apiVersion: v1
+    data:
+        tls.crt: '###DYNAMIC_FIELD###'
+        tls.key: '###DYNAMIC_FIELD###'
+    kind: Secret
+    metadata:
+        labels:
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            helm.sh/chart: kong-2.38.0
+        name: chartsnap-kong-validation-webhook-keypair
+        namespace: default
+    type: kubernetes.io/tls
+- object:
+    apiVersion: v1
+    data:
+        password: a29uZw==
+        postgres-password: '###DYNAMIC_FIELD###'
+    kind: Secret
+    metadata:
+        labels:
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: postgresql
+            helm.sh/chart: postgresql-11.9.13
+        name: chartsnap-postgresql
+        namespace: default
+    type: Opaque
+- object:
+    apiVersion: v1
+    kind: Service
+    metadata:
+        labels:
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            helm.sh/chart: kong-2.38.0
+        name: chartsnap-kong-manager
+        namespace: default
+    spec:
+        ports:
+            - name: kong-manager
+              port: 8002
+              protocol: TCP
+              targetPort: 8002
+            - name: kong-manager-tls
+              port: 8445
+              protocol: TCP
+              targetPort: 8445
+        selector:
+            app.kubernetes.io/component: app
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/name: kong
+        type: NodePort
+- object:
+    apiVersion: v1
+    kind: Service
+    metadata:
+        labels:
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            enable-metrics: \"true\"
+            helm.sh/chart: kong-2.38.0
+        name: chartsnap-kong-proxy
+        namespace: default
+    spec:
+        ports:
+            - name: kong-proxy
+              port: 80
+              protocol: TCP
+              targetPort: 8000
+            - name: kong-proxy-tls
+              port: 443
+              protocol: TCP
+              targetPort: 8443
+            - name: stream-9000
+              port: 9000
+              protocol: TCP
+              targetPort: 9000
+            - name: stream-9001
+              port: 9001
+              protocol: TCP
+              targetPort: 9001
+        selector:
+            app.kubernetes.io/component: app
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/name: kong
+        type: LoadBalancer
+- object:
+    apiVersion: v1
+    kind: Service
+    metadata:
+        labels:
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            helm.sh/chart: kong-2.38.0
+        name: chartsnap-kong-validation-webhook
+        namespace: default
+    spec:
+        ports:
+            - name: webhook
+              port: 443
+              protocol: TCP
+              targetPort: webhook
+        selector:
+            app.kubernetes.io/component: app
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            helm.sh/chart: kong-2.38.0
+- object:
+    apiVersion: v1
+    kind: Service
+    metadata:
+        annotations: null
+        labels:
+            app.kubernetes.io/component: primary
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: postgresql
+            helm.sh/chart: postgresql-11.9.13
+        name: chartsnap-postgresql
+        namespace: default
+    spec:
+        ports:
+            - name: tcp-postgresql
+              nodePort: null
+              port: 5432
+              targetPort: tcp-postgresql
+        selector:
+            app.kubernetes.io/component: primary
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/name: postgresql
+        sessionAffinity: None
+        type: ClusterIP
+- object:
+    apiVersion: v1
+    kind: Service
+    metadata:
+        labels:
+            app.kubernetes.io/component: primary
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: postgresql
+            helm.sh/chart: postgresql-11.9.13
+            service.alpha.kubernetes.io/tolerate-unready-endpoints: \"true\"
+        name: chartsnap-postgresql-hl
+        namespace: default
+    spec:
+        clusterIP: None
+        ports:
+            - name: tcp-postgresql
+              port: 5432
+              targetPort: tcp-postgresql
+        publishNotReadyAddresses: true
+        selector:
+            app.kubernetes.io/component: primary
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/name: postgresql
+        type: ClusterIP
+- object:
+    apiVersion: v1
+    kind: ServiceAccount
+    metadata:
+        labels:
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            helm.sh/chart: kong-2.38.0
+        name: chartsnap-kong
+        namespace: default
+"""
diff --git a/helm/infrastructure/subcharts/kong/ci/__snapshots__/test3-values.snap b/helm/infrastructure/subcharts/kong/ci/__snapshots__/test3-values.snap
new file mode 100644 (file)
index 0000000..07233ea
--- /dev/null
@@ -0,0 +1,369 @@
+[test3-values]
+SnapShot = """
+- object:
+    apiVersion: apps/v1
+    kind: Deployment
+    metadata:
+        labels:
+            app.kubernetes.io/component: app
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            helm.sh/chart: kong-2.38.0
+        name: chartsnap-kong
+        namespace: default
+    spec:
+        replicas: 1
+        selector:
+            matchLabels:
+                app.kubernetes.io/component: app
+                app.kubernetes.io/instance: chartsnap
+                app.kubernetes.io/name: kong
+        template:
+            metadata:
+                annotations:
+                    checksum/dbless.config: 95c0309e6b27de23d64edae3a3602472635243f133fba88af3034ed4d5703d4a
+                    kuma.io/gateway: enabled
+                    kuma.io/service-account-token-volume: chartsnap-kong-token
+                    traffic.sidecar.istio.io/includeInboundPorts: \"\"
+                labels:
+                    app: chartsnap-kong
+                    app.kubernetes.io/component: app
+                    app.kubernetes.io/instance: chartsnap
+                    app.kubernetes.io/managed-by: Helm
+                    app.kubernetes.io/name: kong
+                    app.kubernetes.io/version: \"3.6\"
+                    helm.sh/chart: kong-2.38.0
+                    version: \"3.6\"
+            spec:
+                automountServiceAccountToken: false
+                containers:
+                    - env:
+                        - name: KONG_ADMIN_ACCESS_LOG
+                          value: /dev/stdout
+                        - name: KONG_ADMIN_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_ADMIN_GUI_ACCESS_LOG
+                          value: /dev/stdout
+                        - name: KONG_ADMIN_GUI_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_ADMIN_LISTEN
+                          value: 127.0.0.1:8444 http2 ssl, [::1]:8444 http2 ssl
+                        - name: KONG_ANONYMOUS_REPORTS
+                          value: \"off\"
+                        - name: KONG_CLUSTER_LISTEN
+                          value: \"off\"
+                        - name: KONG_DATABASE
+                          value: \"off\"
+                        - name: KONG_DECLARATIVE_CONFIG
+                          value: /kong_dbless/kong.yml
+                        - name: KONG_LUA_PACKAGE_PATH
+                          value: /opt/?.lua;/opt/?/init.lua;;
+                        - name: KONG_NGINX_WORKER_PROCESSES
+                          value: \"2\"
+                        - name: KONG_PORTAL_API_ACCESS_LOG
+                          value: /dev/stdout
+                        - name: KONG_PORTAL_API_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_PORT_MAPS
+                          value: 80:8000, 443:8443
+                        - name: KONG_PREFIX
+                          value: /kong_prefix/
+                        - name: KONG_PROXY_ACCESS_LOG
+                          value: /dev/stdout
+                        - name: KONG_PROXY_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_PROXY_LISTEN
+                          value: 0.0.0.0:8000, [::]:8000, 0.0.0.0:8443 http2 ssl, [::]:8443 http2 ssl
+                        - name: KONG_PROXY_STREAM_ACCESS_LOG
+                          value: /dev/stdout basic
+                        - name: KONG_PROXY_STREAM_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_ROUTER_FLAVOR
+                          value: traditional
+                        - name: KONG_STATUS_ACCESS_LOG
+                          value: \"off\"
+                        - name: KONG_STATUS_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_STATUS_LISTEN
+                          value: 0.0.0.0:8100, [::]:8100
+                        - name: KONG_STREAM_LISTEN
+                          value: \"off\"
+                        - name: KONG_NGINX_DAEMON
+                          value: \"off\"
+                      image: kong:3.6
+                      imagePullPolicy: IfNotPresent
+                      lifecycle:
+                        preStop:
+                            exec:
+                                command:
+                                    - kong
+                                    - quit
+                                    - --wait=15
+                      livenessProbe:
+                        failureThreshold: 3
+                        httpGet:
+                            path: /status
+                            port: status
+                            scheme: HTTP
+                        initialDelaySeconds: 5
+                        periodSeconds: 10
+                        successThreshold: 1
+                        timeoutSeconds: 5
+                      name: proxy
+                      ports:
+                        - containerPort: 8000
+                          name: proxy
+                          protocol: TCP
+                        - containerPort: 8443
+                          name: proxy-tls
+                          protocol: TCP
+                        - containerPort: 8100
+                          name: status
+                          protocol: TCP
+                      readinessProbe:
+                        failureThreshold: 3
+                        httpGet:
+                            path: /status/ready
+                            port: status
+                            scheme: HTTP
+                        initialDelaySeconds: 5
+                        periodSeconds: 10
+                        successThreshold: 1
+                        timeoutSeconds: 5
+                      resources: {}
+                      securityContext:
+                        allowPrivilegeEscalation: false
+                        capabilities:
+                            drop:
+                                - ALL
+                        readOnlyRootFilesystem: true
+                        runAsNonRoot: true
+                        runAsUser: 1000
+                        seccompProfile:
+                            type: RuntimeDefault
+                      volumeMounts:
+                        - mountPath: /kong_prefix/
+                          name: chartsnap-kong-prefix-dir
+                        - mountPath: /tmp
+                          name: chartsnap-kong-tmp
+                        - mountPath: /kong_dbless/
+                          name: kong-custom-dbless-config-volume
+                        - mountPath: /opt/tmp
+                          name: tmpdir
+                initContainers:
+                    - command:
+                        - rm
+                        - -vrf
+                        - $KONG_PREFIX/pids
+                      env:
+                        - name: KONG_ADMIN_ACCESS_LOG
+                          value: /dev/stdout
+                        - name: KONG_ADMIN_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_ADMIN_GUI_ACCESS_LOG
+                          value: /dev/stdout
+                        - name: KONG_ADMIN_GUI_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_ADMIN_LISTEN
+                          value: 127.0.0.1:8444 http2 ssl, [::1]:8444 http2 ssl
+                        - name: KONG_ANONYMOUS_REPORTS
+                          value: \"off\"
+                        - name: KONG_CLUSTER_LISTEN
+                          value: \"off\"
+                        - name: KONG_DATABASE
+                          value: \"off\"
+                        - name: KONG_DECLARATIVE_CONFIG
+                          value: /kong_dbless/kong.yml
+                        - name: KONG_LUA_PACKAGE_PATH
+                          value: /opt/?.lua;/opt/?/init.lua;;
+                        - name: KONG_NGINX_WORKER_PROCESSES
+                          value: \"2\"
+                        - name: KONG_PORTAL_API_ACCESS_LOG
+                          value: /dev/stdout
+                        - name: KONG_PORTAL_API_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_PORT_MAPS
+                          value: 80:8000, 443:8443
+                        - name: KONG_PREFIX
+                          value: /kong_prefix/
+                        - name: KONG_PROXY_ACCESS_LOG
+                          value: /dev/stdout
+                        - name: KONG_PROXY_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_PROXY_LISTEN
+                          value: 0.0.0.0:8000, [::]:8000, 0.0.0.0:8443 http2 ssl, [::]:8443 http2 ssl
+                        - name: KONG_PROXY_STREAM_ACCESS_LOG
+                          value: /dev/stdout basic
+                        - name: KONG_PROXY_STREAM_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_ROUTER_FLAVOR
+                          value: traditional
+                        - name: KONG_STATUS_ACCESS_LOG
+                          value: \"off\"
+                        - name: KONG_STATUS_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_STATUS_LISTEN
+                          value: 0.0.0.0:8100, [::]:8100
+                        - name: KONG_STREAM_LISTEN
+                          value: \"off\"
+                      image: kong:3.6
+                      imagePullPolicy: IfNotPresent
+                      name: clear-stale-pid
+                      resources: {}
+                      securityContext:
+                        allowPrivilegeEscalation: false
+                        capabilities:
+                            drop:
+                                - ALL
+                        readOnlyRootFilesystem: true
+                        runAsNonRoot: true
+                        runAsUser: 1000
+                        seccompProfile:
+                            type: RuntimeDefault
+                      volumeMounts:
+                        - mountPath: /kong_prefix/
+                          name: chartsnap-kong-prefix-dir
+                        - mountPath: /tmp
+                          name: chartsnap-kong-tmp
+                        - mountPath: /kong_dbless/
+                          name: kong-custom-dbless-config-volume
+                    - command:
+                        - /bin/sh
+                        - -c
+                        - \"true\"
+                      image: bash:latest
+                      name: bash
+                      resources:
+                        limits:
+                            cpu: 100m
+                            memory: 64Mi
+                        requests:
+                            cpu: 100m
+                            memory: 64Mi
+                      volumeMounts:
+                        - mountPath: /opt/tmp
+                          name: tmpdir
+                securityContext: {}
+                serviceAccountName: chartsnap-kong
+                terminationGracePeriodSeconds: 30
+                volumes:
+                    - emptyDir:
+                        sizeLimit: 256Mi
+                      name: chartsnap-kong-prefix-dir
+                    - emptyDir:
+                        sizeLimit: 1Gi
+                      name: chartsnap-kong-tmp
+                    - name: chartsnap-kong-token
+                      projected:
+                        sources:
+                            - serviceAccountToken:
+                                expirationSeconds: 3607
+                                path: token
+                            - configMap:
+                                items:
+                                    - key: ca.crt
+                                      path: ca.crt
+                                name: kube-root-ca.crt
+                            - downwardAPI:
+                                items:
+                                    - fieldRef:
+                                        apiVersion: v1
+                                        fieldPath: metadata.namespace
+                                      path: namespace
+                    - configMap:
+                        name: chartsnap-kong-custom-dbless-config
+                      name: kong-custom-dbless-config-volume
+                    - emptyDir: {}
+                      name: tmpdir
+- object:
+    apiVersion: v1
+    data:
+        kong.yml: |
+            _format_version: \"1.1\"
+            services:
+              - name: example.com
+                url: http://example.com
+                routes:
+                - name: example
+                  paths:
+                  - \"/example\"
+    kind: ConfigMap
+    metadata:
+        labels:
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            helm.sh/chart: kong-2.38.0
+        name: chartsnap-kong-custom-dbless-config
+        namespace: default
+- object:
+    apiVersion: v1
+    kind: Service
+    metadata:
+        labels:
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            helm.sh/chart: kong-2.38.0
+        name: chartsnap-kong-manager
+        namespace: default
+    spec:
+        ports:
+            - name: kong-manager
+              port: 8002
+              protocol: TCP
+              targetPort: 8002
+            - name: kong-manager-tls
+              port: 8445
+              protocol: TCP
+              targetPort: 8445
+        selector:
+            app.kubernetes.io/component: app
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/name: kong
+        type: NodePort
+- object:
+    apiVersion: v1
+    kind: Service
+    metadata:
+        labels:
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            enable-metrics: \"true\"
+            helm.sh/chart: kong-2.38.0
+        name: chartsnap-kong-proxy
+        namespace: default
+    spec:
+        ports:
+            - name: kong-proxy
+              port: 80
+              protocol: TCP
+              targetPort: 8000
+            - name: kong-proxy-tls
+              port: 443
+              protocol: TCP
+              targetPort: 8443
+        selector:
+            app.kubernetes.io/component: app
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/name: kong
+        type: LoadBalancer
+- object:
+    apiVersion: v1
+    kind: ServiceAccount
+    metadata:
+        labels:
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            helm.sh/chart: kong-2.38.0
+        name: chartsnap-kong
+        namespace: default
+"""
diff --git a/helm/infrastructure/subcharts/kong/ci/__snapshots__/test4-values.snap b/helm/infrastructure/subcharts/kong/ci/__snapshots__/test4-values.snap
new file mode 100644 (file)
index 0000000..31f738f
--- /dev/null
@@ -0,0 +1,386 @@
+[test4-values]
+SnapShot = """
+- object:
+    apiVersion: apps/v1
+    kind: Deployment
+    metadata:
+        labels:
+            app.kubernetes.io/component: app
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            helm.sh/chart: kong-2.38.0
+        name: chartsnap-kong
+        namespace: default
+    spec:
+        replicas: 1
+        selector:
+            matchLabels:
+                app.kubernetes.io/component: app
+                app.kubernetes.io/instance: chartsnap
+                app.kubernetes.io/name: kong
+        template:
+            metadata:
+                annotations:
+                    checksum/dbless.config: 95c0309e6b27de23d64edae3a3602472635243f133fba88af3034ed4d5703d4a
+                    kuma.io/gateway: enabled
+                    kuma.io/service-account-token-volume: chartsnap-kong-token
+                    traffic.sidecar.istio.io/includeInboundPorts: \"\"
+                labels:
+                    app: chartsnap-kong
+                    app.kubernetes.io/component: app
+                    app.kubernetes.io/instance: chartsnap
+                    app.kubernetes.io/managed-by: Helm
+                    app.kubernetes.io/name: kong
+                    app.kubernetes.io/version: \"3.6\"
+                    helm.sh/chart: kong-2.38.0
+                    version: \"3.6\"
+            spec:
+                automountServiceAccountToken: false
+                containers:
+                    - env:
+                        - name: KONG_ADMIN_ACCESS_LOG
+                          value: /dev/stdout
+                        - name: KONG_ADMIN_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_ADMIN_GUI_ACCESS_LOG
+                          value: /dev/stdout
+                        - name: KONG_ADMIN_GUI_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_ADMIN_LISTEN
+                          value: 127.0.0.1:8444 http2 ssl, [::1]:8444 http2 ssl
+                        - name: KONG_ANONYMOUS_REPORTS
+                          value: \"off\"
+                        - name: KONG_CLUSTER_LISTEN
+                          value: \"off\"
+                        - name: KONG_DATABASE
+                          value: \"off\"
+                        - name: KONG_DECLARATIVE_CONFIG
+                          value: /kong_dbless/kong.yml
+                        - name: KONG_LUA_PACKAGE_PATH
+                          value: /opt/?.lua;/opt/?/init.lua;;
+                        - name: KONG_NGINX_WORKER_PROCESSES
+                          value: \"2\"
+                        - name: KONG_PORTAL_API_ACCESS_LOG
+                          value: /dev/stdout
+                        - name: KONG_PORTAL_API_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_PORT_MAPS
+                          value: 80:8000, 443:8443
+                        - name: KONG_PREFIX
+                          value: /kong_prefix/
+                        - name: KONG_PROXY_ACCESS_LOG
+                          value: /dev/stdout
+                        - name: KONG_PROXY_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_PROXY_LISTEN
+                          value: 0.0.0.0:8000, [::]:8000, 0.0.0.0:8443 http2 ssl, [::]:8443 http2 ssl
+                        - name: KONG_PROXY_STREAM_ACCESS_LOG
+                          value: /dev/stdout basic
+                        - name: KONG_PROXY_STREAM_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_ROUTER_FLAVOR
+                          value: traditional
+                        - name: KONG_STATUS_ACCESS_LOG
+                          value: \"off\"
+                        - name: KONG_STATUS_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_STATUS_LISTEN
+                          value: 0.0.0.0:8100, [::]:8100
+                        - name: KONG_STREAM_LISTEN
+                          value: 0.0.0.0:9000, [::]:9000, 0.0.0.0:9001 ssl, [::]:9001 ssl
+                        - name: KONG_NGINX_DAEMON
+                          value: \"off\"
+                      image: kong:3.6
+                      imagePullPolicy: IfNotPresent
+                      lifecycle:
+                        preStop:
+                            exec:
+                                command:
+                                    - kong
+                                    - quit
+                                    - --wait=15
+                      livenessProbe:
+                        failureThreshold: 3
+                        httpGet:
+                            path: /status
+                            port: status
+                            scheme: HTTP
+                        initialDelaySeconds: 5
+                        periodSeconds: 10
+                        successThreshold: 1
+                        timeoutSeconds: 5
+                      name: proxy
+                      ports:
+                        - containerPort: 8000
+                          name: proxy
+                          protocol: TCP
+                        - containerPort: 8443
+                          name: proxy-tls
+                          protocol: TCP
+                        - containerPort: 9000
+                          name: stream-9000
+                          protocol: TCP
+                        - containerPort: 9001
+                          name: stream-9001
+                          protocol: TCP
+                        - containerPort: 8100
+                          name: status
+                          protocol: TCP
+                      readinessProbe:
+                        failureThreshold: 3
+                        httpGet:
+                            path: /status/ready
+                            port: status
+                            scheme: HTTP
+                        initialDelaySeconds: 5
+                        periodSeconds: 10
+                        successThreshold: 1
+                        timeoutSeconds: 5
+                      resources: {}
+                      securityContext:
+                        allowPrivilegeEscalation: false
+                        capabilities:
+                            drop:
+                                - ALL
+                        readOnlyRootFilesystem: true
+                        runAsNonRoot: true
+                        runAsUser: 1000
+                        seccompProfile:
+                            type: RuntimeDefault
+                      volumeMounts:
+                        - mountPath: /kong_prefix/
+                          name: chartsnap-kong-prefix-dir
+                        - mountPath: /tmp
+                          name: chartsnap-kong-tmp
+                        - mountPath: /kong_dbless/
+                          name: kong-custom-dbless-config-volume
+                initContainers:
+                    - command:
+                        - rm
+                        - -vrf
+                        - $KONG_PREFIX/pids
+                      env:
+                        - name: KONG_ADMIN_ACCESS_LOG
+                          value: /dev/stdout
+                        - name: KONG_ADMIN_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_ADMIN_GUI_ACCESS_LOG
+                          value: /dev/stdout
+                        - name: KONG_ADMIN_GUI_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_ADMIN_LISTEN
+                          value: 127.0.0.1:8444 http2 ssl, [::1]:8444 http2 ssl
+                        - name: KONG_ANONYMOUS_REPORTS
+                          value: \"off\"
+                        - name: KONG_CLUSTER_LISTEN
+                          value: \"off\"
+                        - name: KONG_DATABASE
+                          value: \"off\"
+                        - name: KONG_DECLARATIVE_CONFIG
+                          value: /kong_dbless/kong.yml
+                        - name: KONG_LUA_PACKAGE_PATH
+                          value: /opt/?.lua;/opt/?/init.lua;;
+                        - name: KONG_NGINX_WORKER_PROCESSES
+                          value: \"2\"
+                        - name: KONG_PORTAL_API_ACCESS_LOG
+                          value: /dev/stdout
+                        - name: KONG_PORTAL_API_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_PORT_MAPS
+                          value: 80:8000, 443:8443
+                        - name: KONG_PREFIX
+                          value: /kong_prefix/
+                        - name: KONG_PROXY_ACCESS_LOG
+                          value: /dev/stdout
+                        - name: KONG_PROXY_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_PROXY_LISTEN
+                          value: 0.0.0.0:8000, [::]:8000, 0.0.0.0:8443 http2 ssl, [::]:8443 http2 ssl
+                        - name: KONG_PROXY_STREAM_ACCESS_LOG
+                          value: /dev/stdout basic
+                        - name: KONG_PROXY_STREAM_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_ROUTER_FLAVOR
+                          value: traditional
+                        - name: KONG_STATUS_ACCESS_LOG
+                          value: \"off\"
+                        - name: KONG_STATUS_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_STATUS_LISTEN
+                          value: 0.0.0.0:8100, [::]:8100
+                        - name: KONG_STREAM_LISTEN
+                          value: 0.0.0.0:9000, [::]:9000, 0.0.0.0:9001 ssl, [::]:9001 ssl
+                      image: kong:3.6
+                      imagePullPolicy: IfNotPresent
+                      name: clear-stale-pid
+                      resources: {}
+                      securityContext:
+                        allowPrivilegeEscalation: false
+                        capabilities:
+                            drop:
+                                - ALL
+                        readOnlyRootFilesystem: true
+                        runAsNonRoot: true
+                        runAsUser: 1000
+                        seccompProfile:
+                            type: RuntimeDefault
+                      volumeMounts:
+                        - mountPath: /kong_prefix/
+                          name: chartsnap-kong-prefix-dir
+                        - mountPath: /tmp
+                          name: chartsnap-kong-tmp
+                        - mountPath: /kong_dbless/
+                          name: kong-custom-dbless-config-volume
+                securityContext: {}
+                serviceAccountName: chartsnap-kong
+                terminationGracePeriodSeconds: 30
+                volumes:
+                    - emptyDir:
+                        sizeLimit: 256Mi
+                      name: chartsnap-kong-prefix-dir
+                    - emptyDir:
+                        sizeLimit: 1Gi
+                      name: chartsnap-kong-tmp
+                    - name: chartsnap-kong-token
+                      projected:
+                        sources:
+                            - serviceAccountToken:
+                                expirationSeconds: 3607
+                                path: token
+                            - configMap:
+                                items:
+                                    - key: ca.crt
+                                      path: ca.crt
+                                name: kube-root-ca.crt
+                            - downwardAPI:
+                                items:
+                                    - fieldRef:
+                                        apiVersion: v1
+                                        fieldPath: metadata.namespace
+                                      path: namespace
+                    - configMap:
+                        name: chartsnap-kong-custom-dbless-config
+                      name: kong-custom-dbless-config-volume
+- object:
+    apiVersion: networking.k8s.io/v1
+    kind: Ingress
+    metadata:
+        labels:
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            helm.sh/chart: kong-2.38.0
+        name: chartsnap-kong-proxy
+        namespace: default
+    spec:
+        rules:
+            - http:
+                paths:
+                    - backend:
+                        service:
+                            name: chartsnap-kong-proxy
+                            port:
+                                number: 443
+                      path: /
+                      pathType: ImplementationSpecific
+- object:
+    apiVersion: v1
+    data:
+        kong.yml: |
+            _format_version: \"1.1\"
+            services:
+              - name: example.com
+                url: http://example.com
+                routes:
+                - name: example
+                  paths:
+                  - \"/example\"
+    kind: ConfigMap
+    metadata:
+        labels:
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            helm.sh/chart: kong-2.38.0
+        name: chartsnap-kong-custom-dbless-config
+        namespace: default
+- object:
+    apiVersion: v1
+    kind: Service
+    metadata:
+        labels:
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            helm.sh/chart: kong-2.38.0
+        name: chartsnap-kong-manager
+        namespace: default
+    spec:
+        ports:
+            - name: kong-manager
+              port: 8002
+              protocol: TCP
+              targetPort: 8002
+            - name: kong-manager-tls
+              port: 8445
+              protocol: TCP
+              targetPort: 8445
+        selector:
+            app.kubernetes.io/component: app
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/name: kong
+        type: NodePort
+- object:
+    apiVersion: v1
+    kind: Service
+    metadata:
+        labels:
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            enable-metrics: \"true\"
+            helm.sh/chart: kong-2.38.0
+        name: chartsnap-kong-proxy
+        namespace: default
+    spec:
+        ports:
+            - name: kong-proxy
+              port: 80
+              protocol: TCP
+              targetPort: 8000
+            - name: kong-proxy-tls
+              port: 443
+              protocol: TCP
+              targetPort: 8443
+            - name: stream-9000
+              port: 9000
+              protocol: TCP
+              targetPort: 9000
+            - name: stream-9001
+              port: 9001
+              protocol: TCP
+              targetPort: 9001
+        selector:
+            app.kubernetes.io/component: app
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/name: kong
+        type: LoadBalancer
+- object:
+    apiVersion: v1
+    kind: ServiceAccount
+    metadata:
+        labels:
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            helm.sh/chart: kong-2.38.0
+        name: chartsnap-kong
+        namespace: default
+"""
diff --git a/helm/infrastructure/subcharts/kong/ci/__snapshots__/test5-values.snap b/helm/infrastructure/subcharts/kong/ci/__snapshots__/test5-values.snap
new file mode 100644 (file)
index 0000000..2d3f4ba
--- /dev/null
@@ -0,0 +1,2015 @@
+[test5-values]
+SnapShot = """
+- object:
+    apiVersion: admissionregistration.k8s.io/v1
+    kind: ValidatingWebhookConfiguration
+    metadata:
+        labels:
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            helm.sh/chart: kong-2.38.0
+        name: chartsnap-kong-validations
+        namespace: default
+    webhooks:
+        - admissionReviewVersions:
+            - v1beta1
+          clientConfig:
+            caBundle: '###DYNAMIC_FIELD###'
+            service:
+                name: chartsnap-kong-validation-webhook
+                namespace: default
+          failurePolicy: Ignore
+          name: validations.kong.konghq.com
+          objectSelector:
+            matchExpressions:
+                - key: owner
+                  operator: NotIn
+                  values:
+                    - helm
+          rules:
+            - apiGroups:
+                - configuration.konghq.com
+              apiVersions:
+                - '*'
+              operations:
+                - CREATE
+                - UPDATE
+              resources:
+                - kongconsumers
+                - kongplugins
+                - kongclusterplugins
+                - kongingresses
+            - apiGroups:
+                - \"\"
+              apiVersions:
+                - v1
+              operations:
+                - CREATE
+                - UPDATE
+              resources:
+                - secrets
+                - services
+            - apiGroups:
+                - networking.k8s.io
+              apiVersions:
+                - v1
+              operations:
+                - CREATE
+                - UPDATE
+              resources:
+                - ingresses
+            - apiGroups:
+                - gateway.networking.k8s.io
+              apiVersions:
+                - v1alpha2
+                - v1beta1
+                - v1
+              operations:
+                - CREATE
+                - UPDATE
+              resources:
+                - gateways
+                - httproutes
+          sideEffects: None
+- object:
+    apiVersion: apps/v1
+    kind: Deployment
+    metadata:
+        labels:
+            app.kubernetes.io/component: app
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            helm.sh/chart: kong-2.38.0
+        name: chartsnap-kong
+        namespace: default
+    spec:
+        replicas: 1
+        selector:
+            matchLabels:
+                app.kubernetes.io/component: app
+                app.kubernetes.io/instance: chartsnap
+                app.kubernetes.io/name: kong
+        strategy:
+            rollingUpdate:
+                maxSurge: 1
+                maxUnavailable: 0
+            type: RollingUpdate
+        template:
+            metadata:
+                annotations:
+                    kuma.io/gateway: enabled
+                    kuma.io/service-account-token-volume: chartsnap-kong-token
+                    traffic.sidecar.istio.io/includeInboundPorts: \"\"
+                labels:
+                    app: chartsnap-kong
+                    app.kubernetes.io/component: app
+                    app.kubernetes.io/instance: chartsnap
+                    app.kubernetes.io/managed-by: Helm
+                    app.kubernetes.io/name: kong
+                    app.kubernetes.io/version: \"3.6\"
+                    helm.sh/chart: kong-2.38.0
+                    version: \"3.6\"
+            spec:
+                automountServiceAccountToken: false
+                containers:
+                    - args: null
+                      env:
+                        - name: POD_NAME
+                          valueFrom:
+                            fieldRef:
+                                apiVersion: v1
+                                fieldPath: metadata.name
+                        - name: POD_NAMESPACE
+                          valueFrom:
+                            fieldRef:
+                                apiVersion: v1
+                                fieldPath: metadata.namespace
+                        - name: CONTROLLER_ADMISSION_WEBHOOK_LISTEN
+                          value: 0.0.0.0:8080
+                        - name: CONTROLLER_ANONYMOUS_REPORTS
+                          value: \"false\"
+                        - name: CONTROLLER_ELECTION_ID
+                          value: kong-ingress-controller-leader-kong
+                        - name: CONTROLLER_INGRESS_CLASS
+                          value: kong
+                        - name: CONTROLLER_KONG_ADMIN_TLS_SKIP_VERIFY
+                          value: \"true\"
+                        - name: CONTROLLER_KONG_ADMIN_URL
+                          value: https://localhost:8444
+                        - name: CONTROLLER_PUBLISH_SERVICE
+                          value: default/chartsnap-kong-proxy
+                      image: kong/kubernetes-ingress-controller:3.1
+                      imagePullPolicy: IfNotPresent
+                      livenessProbe:
+                        failureThreshold: 3
+                        httpGet:
+                            path: /healthz
+                            port: 10254
+                            scheme: HTTP
+                        initialDelaySeconds: 5
+                        periodSeconds: 10
+                        successThreshold: 1
+                        timeoutSeconds: 5
+                      name: ingress-controller
+                      ports:
+                        - containerPort: 8080
+                          name: webhook
+                          protocol: TCP
+                        - containerPort: 10255
+                          name: cmetrics
+                          protocol: TCP
+                        - containerPort: 10254
+                          name: cstatus
+                          protocol: TCP
+                      readinessProbe:
+                        failureThreshold: 3
+                        httpGet:
+                            path: /readyz
+                            port: 10254
+                            scheme: HTTP
+                        initialDelaySeconds: 5
+                        periodSeconds: 10
+                        successThreshold: 1
+                        timeoutSeconds: 5
+                      resources: {}
+                      securityContext:
+                        allowPrivilegeEscalation: false
+                        capabilities:
+                            drop:
+                                - ALL
+                        readOnlyRootFilesystem: true
+                        runAsNonRoot: true
+                        runAsUser: 1000
+                        seccompProfile:
+                            type: RuntimeDefault
+                      volumeMounts:
+                        - mountPath: /admission-webhook
+                          name: webhook-cert
+                          readOnly: true
+                        - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
+                          name: chartsnap-kong-token
+                          readOnly: true
+                    - env:
+                        - name: CLIENT_ID
+                          value: exampleId
+                        - name: KONG_ADMIN_ACCESS_LOG
+                          value: /dev/stdout
+                        - name: KONG_ADMIN_API_URI
+                          value: http://
+                        - name: KONG_ADMIN_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_ADMIN_GUI_ACCESS_LOG
+                          value: /dev/stdout
+                        - name: KONG_ADMIN_GUI_API_URL
+                          value: http://
+                        - name: KONG_ADMIN_GUI_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_ADMIN_LISTEN
+                          value: 127.0.0.1:8444 http2 ssl, [::1]:8444 http2 ssl
+                        - name: KONG_ANONYMOUS_REPORTS
+                          value: \"off\"
+                        - name: KONG_CLUSTER_LISTEN
+                          value: \"off\"
+                        - name: KONG_DATABASE
+                          value: postgres
+                        - name: KONG_KIC
+                          value: \"on\"
+                        - name: KONG_LUA_PACKAGE_PATH
+                          value: /opt/?.lua;/opt/?/init.lua;;
+                        - name: KONG_NGINX_WORKER_PROCESSES
+                          value: \"2\"
+                        - name: KONG_PG_HOST
+                          value: chartsnap-postgresql
+                        - name: KONG_PG_PASSWORD
+                          valueFrom:
+                            secretKeyRef:
+                                key: password
+                                name: chartsnap-postgresql
+                        - name: KONG_PG_PORT
+                          value: \"5432\"
+                        - name: KONG_PORTAL_API_ACCESS_LOG
+                          value: /dev/stdout
+                        - name: KONG_PORTAL_API_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_PORT_MAPS
+                          value: 80:8000, 443:8443
+                        - name: KONG_PREFIX
+                          value: /kong_prefix/
+                        - name: KONG_PROXY_ACCESS_LOG
+                          value: /dev/stdout
+                        - name: KONG_PROXY_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_PROXY_LISTEN
+                          value: 0.0.0.0:8000, [::]:8000, 0.0.0.0:8443 http2 ssl, [::]:8443 http2 ssl
+                        - name: KONG_PROXY_STREAM_ACCESS_LOG
+                          value: /dev/stdout basic
+                        - name: KONG_PROXY_STREAM_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_ROUTER_FLAVOR
+                          value: traditional
+                        - name: KONG_STATUS_ACCESS_LOG
+                          value: \"off\"
+                        - name: KONG_STATUS_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_STATUS_LISTEN
+                          value: 0.0.0.0:8100, [::]:8100
+                        - name: KONG_STREAM_LISTEN
+                          value: \"off\"
+                        - name: KONG_NGINX_DAEMON
+                          value: \"off\"
+                      image: kong:3.6
+                      imagePullPolicy: IfNotPresent
+                      lifecycle:
+                        preStop:
+                            exec:
+                                command:
+                                    - kong
+                                    - quit
+                                    - --wait=15
+                      livenessProbe:
+                        failureThreshold: 3
+                        httpGet:
+                            path: /status
+                            port: status
+                            scheme: HTTP
+                        initialDelaySeconds: 5
+                        periodSeconds: 10
+                        successThreshold: 1
+                        timeoutSeconds: 5
+                      name: proxy
+                      ports:
+                        - containerPort: 8000
+                          name: proxy
+                          protocol: TCP
+                        - containerPort: 8443
+                          name: proxy-tls
+                          protocol: TCP
+                        - containerPort: 8100
+                          name: status
+                          protocol: TCP
+                      readinessProbe:
+                        failureThreshold: 3
+                        httpGet:
+                            path: /status/ready
+                            port: status
+                            scheme: HTTP
+                        initialDelaySeconds: 5
+                        periodSeconds: 10
+                        successThreshold: 1
+                        timeoutSeconds: 5
+                      resources: {}
+                      securityContext:
+                        allowPrivilegeEscalation: false
+                        capabilities:
+                            drop:
+                                - ALL
+                        readOnlyRootFilesystem: true
+                        runAsNonRoot: true
+                        runAsUser: 1000
+                        seccompProfile:
+                            type: RuntimeDefault
+                      volumeMounts:
+                        - mountPath: /kong_prefix/
+                          name: chartsnap-kong-prefix-dir
+                        - mountPath: /tmp
+                          name: chartsnap-kong-tmp
+                initContainers:
+                    - command:
+                        - rm
+                        - -vrf
+                        - $KONG_PREFIX/pids
+                      env:
+                        - name: CLIENT_ID
+                          value: exampleId
+                        - name: KONG_ADMIN_ACCESS_LOG
+                          value: /dev/stdout
+                        - name: KONG_ADMIN_API_URI
+                          value: http://
+                        - name: KONG_ADMIN_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_ADMIN_GUI_ACCESS_LOG
+                          value: /dev/stdout
+                        - name: KONG_ADMIN_GUI_API_URL
+                          value: http://
+                        - name: KONG_ADMIN_GUI_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_ADMIN_LISTEN
+                          value: 127.0.0.1:8444 http2 ssl, [::1]:8444 http2 ssl
+                        - name: KONG_ANONYMOUS_REPORTS
+                          value: \"off\"
+                        - name: KONG_CLUSTER_LISTEN
+                          value: \"off\"
+                        - name: KONG_DATABASE
+                          value: postgres
+                        - name: KONG_KIC
+                          value: \"on\"
+                        - name: KONG_LUA_PACKAGE_PATH
+                          value: /opt/?.lua;/opt/?/init.lua;;
+                        - name: KONG_NGINX_WORKER_PROCESSES
+                          value: \"2\"
+                        - name: KONG_PG_HOST
+                          value: chartsnap-postgresql
+                        - name: KONG_PG_PASSWORD
+                          valueFrom:
+                            secretKeyRef:
+                                key: password
+                                name: chartsnap-postgresql
+                        - name: KONG_PG_PORT
+                          value: \"5432\"
+                        - name: KONG_PORTAL_API_ACCESS_LOG
+                          value: /dev/stdout
+                        - name: KONG_PORTAL_API_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_PORT_MAPS
+                          value: 80:8000, 443:8443
+                        - name: KONG_PREFIX
+                          value: /kong_prefix/
+                        - name: KONG_PROXY_ACCESS_LOG
+                          value: /dev/stdout
+                        - name: KONG_PROXY_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_PROXY_LISTEN
+                          value: 0.0.0.0:8000, [::]:8000, 0.0.0.0:8443 http2 ssl, [::]:8443 http2 ssl
+                        - name: KONG_PROXY_STREAM_ACCESS_LOG
+                          value: /dev/stdout basic
+                        - name: KONG_PROXY_STREAM_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_ROUTER_FLAVOR
+                          value: traditional
+                        - name: KONG_STATUS_ACCESS_LOG
+                          value: \"off\"
+                        - name: KONG_STATUS_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_STATUS_LISTEN
+                          value: 0.0.0.0:8100, [::]:8100
+                        - name: KONG_STREAM_LISTEN
+                          value: \"off\"
+                      image: kong:3.6
+                      imagePullPolicy: IfNotPresent
+                      name: clear-stale-pid
+                      resources: {}
+                      securityContext:
+                        allowPrivilegeEscalation: false
+                        capabilities:
+                            drop:
+                                - ALL
+                        readOnlyRootFilesystem: true
+                        runAsNonRoot: true
+                        runAsUser: 1000
+                        seccompProfile:
+                            type: RuntimeDefault
+                      volumeMounts:
+                        - mountPath: /kong_prefix/
+                          name: chartsnap-kong-prefix-dir
+                        - mountPath: /tmp
+                          name: chartsnap-kong-tmp
+                    - args:
+                        - /bin/bash
+                        - -c
+                        - export KONG_NGINX_DAEMON=on KONG_PREFIX=`mktemp -d` KONG_KEYRING_ENABLED=off; until kong start; do echo 'waiting for db'; sleep 1; done; kong stop
+                      env:
+                        - name: CLIENT_ID
+                          value: exampleId
+                        - name: KONG_ADMIN_ACCESS_LOG
+                          value: /dev/stdout
+                        - name: KONG_ADMIN_API_URI
+                          value: http://
+                        - name: KONG_ADMIN_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_ADMIN_GUI_ACCESS_LOG
+                          value: /dev/stdout
+                        - name: KONG_ADMIN_GUI_API_URL
+                          value: http://
+                        - name: KONG_ADMIN_GUI_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_ADMIN_LISTEN
+                          value: 127.0.0.1:8444 http2 ssl, [::1]:8444 http2 ssl
+                        - name: KONG_ANONYMOUS_REPORTS
+                          value: \"off\"
+                        - name: KONG_CLUSTER_LISTEN
+                          value: \"off\"
+                        - name: KONG_DATABASE
+                          value: postgres
+                        - name: KONG_KIC
+                          value: \"on\"
+                        - name: KONG_LUA_PACKAGE_PATH
+                          value: /opt/?.lua;/opt/?/init.lua;;
+                        - name: KONG_NGINX_WORKER_PROCESSES
+                          value: \"2\"
+                        - name: KONG_PG_HOST
+                          value: chartsnap-postgresql
+                        - name: KONG_PG_PASSWORD
+                          valueFrom:
+                            secretKeyRef:
+                                key: password
+                                name: chartsnap-postgresql
+                        - name: KONG_PG_PORT
+                          value: \"5432\"
+                        - name: KONG_PORTAL_API_ACCESS_LOG
+                          value: /dev/stdout
+                        - name: KONG_PORTAL_API_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_PORT_MAPS
+                          value: 80:8000, 443:8443
+                        - name: KONG_PREFIX
+                          value: /kong_prefix/
+                        - name: KONG_PROXY_ACCESS_LOG
+                          value: /dev/stdout
+                        - name: KONG_PROXY_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_PROXY_LISTEN
+                          value: 0.0.0.0:8000, [::]:8000, 0.0.0.0:8443 http2 ssl, [::]:8443 http2 ssl
+                        - name: KONG_PROXY_STREAM_ACCESS_LOG
+                          value: /dev/stdout basic
+                        - name: KONG_PROXY_STREAM_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_ROUTER_FLAVOR
+                          value: traditional
+                        - name: KONG_STATUS_ACCESS_LOG
+                          value: \"off\"
+                        - name: KONG_STATUS_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_STATUS_LISTEN
+                          value: 0.0.0.0:8100, [::]:8100
+                        - name: KONG_STREAM_LISTEN
+                          value: \"off\"
+                      image: kong:3.6
+                      imagePullPolicy: IfNotPresent
+                      name: wait-for-db
+                      resources: {}
+                      securityContext:
+                        allowPrivilegeEscalation: false
+                        capabilities:
+                            drop:
+                                - ALL
+                        readOnlyRootFilesystem: true
+                        runAsNonRoot: true
+                        runAsUser: 1000
+                        seccompProfile:
+                            type: RuntimeDefault
+                      volumeMounts:
+                        - mountPath: /kong_prefix/
+                          name: chartsnap-kong-prefix-dir
+                        - mountPath: /tmp
+                          name: chartsnap-kong-tmp
+                securityContext: {}
+                serviceAccountName: chartsnap-kong
+                terminationGracePeriodSeconds: 30
+                volumes:
+                    - emptyDir:
+                        sizeLimit: 256Mi
+                      name: chartsnap-kong-prefix-dir
+                    - emptyDir:
+                        sizeLimit: 1Gi
+                      name: chartsnap-kong-tmp
+                    - name: chartsnap-kong-token
+                      projected:
+                        sources:
+                            - serviceAccountToken:
+                                expirationSeconds: 3607
+                                path: token
+                            - configMap:
+                                items:
+                                    - key: ca.crt
+                                      path: ca.crt
+                                name: kube-root-ca.crt
+                            - downwardAPI:
+                                items:
+                                    - fieldRef:
+                                        apiVersion: v1
+                                        fieldPath: metadata.namespace
+                                      path: namespace
+                    - configMap:
+                        defaultMode: 493
+                        name: chartsnap-kong-bash-wait-for-postgres
+                      name: chartsnap-kong-bash-wait-for-postgres
+                    - name: webhook-cert
+                      secret:
+                        secretName: chartsnap-kong-validation-webhook-keypair
+- object:
+    apiVersion: apps/v1
+    kind: StatefulSet
+    metadata:
+        annotations: null
+        labels:
+            app.kubernetes.io/component: primary
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: postgresql
+            helm.sh/chart: postgresql-11.9.13
+        name: chartsnap-postgresql
+        namespace: default
+    spec:
+        replicas: 1
+        selector:
+            matchLabels:
+                app.kubernetes.io/component: primary
+                app.kubernetes.io/instance: chartsnap
+                app.kubernetes.io/name: postgresql
+        serviceName: chartsnap-postgresql-hl
+        template:
+            metadata:
+                annotations: null
+                labels:
+                    app.kubernetes.io/component: primary
+                    app.kubernetes.io/instance: chartsnap
+                    app.kubernetes.io/managed-by: Helm
+                    app.kubernetes.io/name: postgresql
+                    helm.sh/chart: postgresql-11.9.13
+                name: chartsnap-postgresql
+            spec:
+                affinity:
+                    nodeAffinity: null
+                    podAffinity: null
+                    podAntiAffinity:
+                        preferredDuringSchedulingIgnoredDuringExecution:
+                            - podAffinityTerm:
+                                labelSelector:
+                                    matchLabels:
+                                        app.kubernetes.io/component: primary
+                                        app.kubernetes.io/instance: chartsnap
+                                        app.kubernetes.io/name: postgresql
+                                namespaces:
+                                    - default
+                                topologyKey: kubernetes.io/hostname
+                              weight: 1
+                containers:
+                    - env:
+                        - name: BITNAMI_DEBUG
+                          value: \"false\"
+                        - name: POSTGRESQL_PORT_NUMBER
+                          value: \"5432\"
+                        - name: POSTGRESQL_VOLUME_DIR
+                          value: /bitnami/postgresql
+                        - name: PGDATA
+                          value: /bitnami/postgresql/data
+                        - name: POSTGRES_USER
+                          value: kong
+                        - name: POSTGRES_POSTGRES_PASSWORD
+                          valueFrom:
+                            secretKeyRef:
+                                key: postgres-password
+                                name: chartsnap-postgresql
+                        - name: POSTGRES_PASSWORD
+                          valueFrom:
+                            secretKeyRef:
+                                key: password
+                                name: chartsnap-postgresql
+                        - name: POSTGRES_DB
+                          value: kong
+                        - name: POSTGRESQL_ENABLE_LDAP
+                          value: \"no\"
+                        - name: POSTGRESQL_ENABLE_TLS
+                          value: \"no\"
+                        - name: POSTGRESQL_LOG_HOSTNAME
+                          value: \"false\"
+                        - name: POSTGRESQL_LOG_CONNECTIONS
+                          value: \"false\"
+                        - name: POSTGRESQL_LOG_DISCONNECTIONS
+                          value: \"false\"
+                        - name: POSTGRESQL_PGAUDIT_LOG_CATALOG
+                          value: \"off\"
+                        - name: POSTGRESQL_CLIENT_MIN_MESSAGES
+                          value: error
+                        - name: POSTGRESQL_SHARED_PRELOAD_LIBRARIES
+                          value: pgaudit
+                      image: docker.io/bitnami/postgresql:13.11.0-debian-11-r20
+                      imagePullPolicy: IfNotPresent
+                      livenessProbe:
+                        exec:
+                            command:
+                                - /bin/sh
+                                - -c
+                                - exec pg_isready -U \"kong\" -d \"dbname=kong\" -h 127.0.0.1 -p 5432
+                        failureThreshold: 6
+                        initialDelaySeconds: 30
+                        periodSeconds: 10
+                        successThreshold: 1
+                        timeoutSeconds: 5
+                      name: postgresql
+                      ports:
+                        - containerPort: 5432
+                          name: tcp-postgresql
+                      readinessProbe:
+                        exec:
+                            command:
+                                - /bin/sh
+                                - -c
+                                - -e
+                                - |
+                                  exec pg_isready -U \"kong\" -d \"dbname=kong\" -h 127.0.0.1 -p 5432
+                                  [ -f /opt/bitnami/postgresql/tmp/.initialized ] || [ -f /bitnami/postgresql/.initialized ]
+                        failureThreshold: 6
+                        initialDelaySeconds: 5
+                        periodSeconds: 10
+                        successThreshold: 1
+                        timeoutSeconds: 5
+                      resources:
+                        limits: {}
+                        requests:
+                            cpu: 250m
+                            memory: 256Mi
+                      securityContext:
+                        runAsUser: 1001
+                      volumeMounts:
+                        - mountPath: /dev/shm
+                          name: dshm
+                        - mountPath: /bitnami/postgresql
+                          name: data
+                hostIPC: false
+                hostNetwork: false
+                initContainers: null
+                securityContext:
+                    fsGroup: 1001
+                serviceAccountName: default
+                volumes:
+                    - emptyDir:
+                        medium: Memory
+                      name: dshm
+        updateStrategy:
+            rollingUpdate: {}
+            type: RollingUpdate
+        volumeClaimTemplates:
+            - metadata:
+                name: data
+              spec:
+                accessModes:
+                    - ReadWriteOnce
+                resources:
+                    requests:
+                        storage: 8Gi
+- object:
+    apiVersion: batch/v1
+    kind: Job
+    metadata:
+        annotations:
+            argocd.argoproj.io/hook: Sync
+            argocd.argoproj.io/hook-delete-policy: BeforeHookCreation
+        labels:
+            app.kubernetes.io/component: init-migrations
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            helm.sh/chart: kong-2.38.0
+        name: chartsnap-kong-init-migrations
+        namespace: default
+    spec:
+        backoffLimit: null
+        template:
+            metadata:
+                annotations:
+                    kuma.io/service-account-token-volume: chartsnap-kong-token
+                    sidecar.istio.io/inject: \"false\"
+                labels:
+                    app.kubernetes.io/component: init-migrations
+                    app.kubernetes.io/instance: chartsnap
+                    app.kubernetes.io/managed-by: Helm
+                    app.kubernetes.io/name: kong
+                    app.kubernetes.io/version: \"3.6\"
+                    helm.sh/chart: kong-2.38.0
+                name: kong-init-migrations
+            spec:
+                automountServiceAccountToken: false
+                containers:
+                    - args:
+                        - kong
+                        - migrations
+                        - bootstrap
+                      env:
+                        - name: CLIENT_ID
+                          value: exampleId
+                        - name: KONG_ADMIN_ACCESS_LOG
+                          value: /dev/stdout
+                        - name: KONG_ADMIN_API_URI
+                          value: http://
+                        - name: KONG_ADMIN_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_ADMIN_GUI_ACCESS_LOG
+                          value: /dev/stdout
+                        - name: KONG_ADMIN_GUI_API_URL
+                          value: http://
+                        - name: KONG_ADMIN_GUI_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_ADMIN_LISTEN
+                          value: 127.0.0.1:8444 http2 ssl, [::1]:8444 http2 ssl
+                        - name: KONG_ANONYMOUS_REPORTS
+                          value: \"off\"
+                        - name: KONG_CLUSTER_LISTEN
+                          value: \"off\"
+                        - name: KONG_DATABASE
+                          value: postgres
+                        - name: KONG_KIC
+                          value: \"on\"
+                        - name: KONG_LUA_PACKAGE_PATH
+                          value: /opt/?.lua;/opt/?/init.lua;;
+                        - name: KONG_NGINX_WORKER_PROCESSES
+                          value: \"2\"
+                        - name: KONG_PG_HOST
+                          value: chartsnap-postgresql
+                        - name: KONG_PG_PASSWORD
+                          valueFrom:
+                            secretKeyRef:
+                                key: password
+                                name: chartsnap-postgresql
+                        - name: KONG_PG_PORT
+                          value: \"5432\"
+                        - name: KONG_PORTAL_API_ACCESS_LOG
+                          value: /dev/stdout
+                        - name: KONG_PORTAL_API_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_PORT_MAPS
+                          value: 80:8000, 443:8443
+                        - name: KONG_PREFIX
+                          value: /kong_prefix/
+                        - name: KONG_PROXY_ACCESS_LOG
+                          value: /dev/stdout
+                        - name: KONG_PROXY_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_PROXY_LISTEN
+                          value: 0.0.0.0:8000, [::]:8000, 0.0.0.0:8443 http2 ssl, [::]:8443 http2 ssl
+                        - name: KONG_PROXY_STREAM_ACCESS_LOG
+                          value: /dev/stdout basic
+                        - name: KONG_PROXY_STREAM_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_ROUTER_FLAVOR
+                          value: traditional
+                        - name: KONG_STATUS_ACCESS_LOG
+                          value: \"off\"
+                        - name: KONG_STATUS_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_STATUS_LISTEN
+                          value: 0.0.0.0:8100, [::]:8100
+                        - name: KONG_STREAM_LISTEN
+                          value: \"off\"
+                        - name: KONG_NGINX_DAEMON
+                          value: \"off\"
+                      image: kong:3.6
+                      imagePullPolicy: IfNotPresent
+                      name: kong-migrations
+                      resources: {}
+                      securityContext:
+                        allowPrivilegeEscalation: false
+                        capabilities:
+                            drop:
+                                - ALL
+                        readOnlyRootFilesystem: true
+                        runAsNonRoot: true
+                        runAsUser: 1000
+                        seccompProfile:
+                            type: RuntimeDefault
+                      volumeMounts:
+                        - mountPath: /kong_prefix/
+                          name: chartsnap-kong-prefix-dir
+                        - mountPath: /tmp
+                          name: chartsnap-kong-tmp
+                initContainers:
+                    - command:
+                        - bash
+                        - /wait_postgres/wait.sh
+                      env:
+                        - name: CLIENT_ID
+                          value: exampleId
+                        - name: KONG_ADMIN_ACCESS_LOG
+                          value: /dev/stdout
+                        - name: KONG_ADMIN_API_URI
+                          value: http://
+                        - name: KONG_ADMIN_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_ADMIN_GUI_ACCESS_LOG
+                          value: /dev/stdout
+                        - name: KONG_ADMIN_GUI_API_URL
+                          value: http://
+                        - name: KONG_ADMIN_GUI_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_ADMIN_LISTEN
+                          value: 127.0.0.1:8444 http2 ssl, [::1]:8444 http2 ssl
+                        - name: KONG_ANONYMOUS_REPORTS
+                          value: \"off\"
+                        - name: KONG_CLUSTER_LISTEN
+                          value: \"off\"
+                        - name: KONG_DATABASE
+                          value: postgres
+                        - name: KONG_KIC
+                          value: \"on\"
+                        - name: KONG_LUA_PACKAGE_PATH
+                          value: /opt/?.lua;/opt/?/init.lua;;
+                        - name: KONG_NGINX_WORKER_PROCESSES
+                          value: \"2\"
+                        - name: KONG_PG_HOST
+                          value: chartsnap-postgresql
+                        - name: KONG_PG_PASSWORD
+                          valueFrom:
+                            secretKeyRef:
+                                key: password
+                                name: chartsnap-postgresql
+                        - name: KONG_PG_PORT
+                          value: \"5432\"
+                        - name: KONG_PORTAL_API_ACCESS_LOG
+                          value: /dev/stdout
+                        - name: KONG_PORTAL_API_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_PORT_MAPS
+                          value: 80:8000, 443:8443
+                        - name: KONG_PREFIX
+                          value: /kong_prefix/
+                        - name: KONG_PROXY_ACCESS_LOG
+                          value: /dev/stdout
+                        - name: KONG_PROXY_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_PROXY_LISTEN
+                          value: 0.0.0.0:8000, [::]:8000, 0.0.0.0:8443 http2 ssl, [::]:8443 http2 ssl
+                        - name: KONG_PROXY_STREAM_ACCESS_LOG
+                          value: /dev/stdout basic
+                        - name: KONG_PROXY_STREAM_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_ROUTER_FLAVOR
+                          value: traditional
+                        - name: KONG_STATUS_ACCESS_LOG
+                          value: \"off\"
+                        - name: KONG_STATUS_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_STATUS_LISTEN
+                          value: 0.0.0.0:8100, [::]:8100
+                        - name: KONG_STREAM_LISTEN
+                          value: \"off\"
+                        - name: KONG_NGINX_DAEMON
+                          value: \"off\"
+                      image: kong:3.6
+                      imagePullPolicy: IfNotPresent
+                      name: wait-for-postgres
+                      resources: {}
+                      volumeMounts:
+                        - mountPath: /wait_postgres
+                          name: chartsnap-kong-bash-wait-for-postgres
+                restartPolicy: OnFailure
+                securityContext: {}
+                serviceAccountName: chartsnap-kong
+                volumes:
+                    - emptyDir:
+                        sizeLimit: 256Mi
+                      name: chartsnap-kong-prefix-dir
+                    - emptyDir:
+                        sizeLimit: 1Gi
+                      name: chartsnap-kong-tmp
+                    - name: chartsnap-kong-token
+                      projected:
+                        sources:
+                            - serviceAccountToken:
+                                expirationSeconds: 3607
+                                path: token
+                            - configMap:
+                                items:
+                                    - key: ca.crt
+                                      path: ca.crt
+                                name: kube-root-ca.crt
+                            - downwardAPI:
+                                items:
+                                    - fieldRef:
+                                        apiVersion: v1
+                                        fieldPath: metadata.namespace
+                                      path: namespace
+                    - configMap:
+                        defaultMode: 493
+                        name: chartsnap-kong-bash-wait-for-postgres
+                      name: chartsnap-kong-bash-wait-for-postgres
+                    - name: webhook-cert
+                      secret:
+                        secretName: chartsnap-kong-validation-webhook-keypair
+- object:
+    apiVersion: batch/v1
+    kind: Job
+    metadata:
+        annotations:
+            helm.sh/hook: post-upgrade
+            helm.sh/hook-delete-policy: before-hook-creation
+        labels:
+            app.kubernetes.io/component: post-upgrade-migrations
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            helm.sh/chart: kong-2.38.0
+        name: chartsnap-kong-post-upgrade-migrations
+        namespace: default
+    spec:
+        backoffLimit: null
+        template:
+            metadata:
+                annotations:
+                    kuma.io/service-account-token-volume: chartsnap-kong-token
+                    sidecar.istio.io/inject: \"false\"
+                labels:
+                    app.kubernetes.io/component: post-upgrade-migrations
+                    app.kubernetes.io/instance: chartsnap
+                    app.kubernetes.io/managed-by: Helm
+                    app.kubernetes.io/name: kong
+                    app.kubernetes.io/version: \"3.6\"
+                    helm.sh/chart: kong-2.38.0
+                name: kong-post-upgrade-migrations
+            spec:
+                automountServiceAccountToken: false
+                containers:
+                    - args:
+                        - kong
+                        - migrations
+                        - finish
+                      env:
+                        - name: CLIENT_ID
+                          value: exampleId
+                        - name: KONG_ADMIN_ACCESS_LOG
+                          value: /dev/stdout
+                        - name: KONG_ADMIN_API_URI
+                          value: http://
+                        - name: KONG_ADMIN_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_ADMIN_GUI_ACCESS_LOG
+                          value: /dev/stdout
+                        - name: KONG_ADMIN_GUI_API_URL
+                          value: http://
+                        - name: KONG_ADMIN_GUI_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_ADMIN_LISTEN
+                          value: 127.0.0.1:8444 http2 ssl, [::1]:8444 http2 ssl
+                        - name: KONG_ANONYMOUS_REPORTS
+                          value: \"off\"
+                        - name: KONG_CLUSTER_LISTEN
+                          value: \"off\"
+                        - name: KONG_DATABASE
+                          value: postgres
+                        - name: KONG_KIC
+                          value: \"on\"
+                        - name: KONG_LUA_PACKAGE_PATH
+                          value: /opt/?.lua;/opt/?/init.lua;;
+                        - name: KONG_NGINX_WORKER_PROCESSES
+                          value: \"2\"
+                        - name: KONG_PG_HOST
+                          value: chartsnap-postgresql
+                        - name: KONG_PG_PASSWORD
+                          valueFrom:
+                            secretKeyRef:
+                                key: password
+                                name: chartsnap-postgresql
+                        - name: KONG_PG_PORT
+                          value: \"5432\"
+                        - name: KONG_PORTAL_API_ACCESS_LOG
+                          value: /dev/stdout
+                        - name: KONG_PORTAL_API_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_PORT_MAPS
+                          value: 80:8000, 443:8443
+                        - name: KONG_PREFIX
+                          value: /kong_prefix/
+                        - name: KONG_PROXY_ACCESS_LOG
+                          value: /dev/stdout
+                        - name: KONG_PROXY_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_PROXY_LISTEN
+                          value: 0.0.0.0:8000, [::]:8000, 0.0.0.0:8443 http2 ssl, [::]:8443 http2 ssl
+                        - name: KONG_PROXY_STREAM_ACCESS_LOG
+                          value: /dev/stdout basic
+                        - name: KONG_PROXY_STREAM_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_ROUTER_FLAVOR
+                          value: traditional
+                        - name: KONG_STATUS_ACCESS_LOG
+                          value: \"off\"
+                        - name: KONG_STATUS_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_STATUS_LISTEN
+                          value: 0.0.0.0:8100, [::]:8100
+                        - name: KONG_STREAM_LISTEN
+                          value: \"off\"
+                        - name: KONG_NGINX_DAEMON
+                          value: \"off\"
+                      image: kong:3.6
+                      imagePullPolicy: IfNotPresent
+                      name: kong-post-upgrade-migrations
+                      resources: {}
+                      securityContext:
+                        allowPrivilegeEscalation: false
+                        capabilities:
+                            drop:
+                                - ALL
+                        readOnlyRootFilesystem: true
+                        runAsNonRoot: true
+                        runAsUser: 1000
+                        seccompProfile:
+                            type: RuntimeDefault
+                      volumeMounts:
+                        - mountPath: /kong_prefix/
+                          name: chartsnap-kong-prefix-dir
+                        - mountPath: /tmp
+                          name: chartsnap-kong-tmp
+                initContainers:
+                    - command:
+                        - bash
+                        - /wait_postgres/wait.sh
+                      env:
+                        - name: CLIENT_ID
+                          value: exampleId
+                        - name: KONG_ADMIN_ACCESS_LOG
+                          value: /dev/stdout
+                        - name: KONG_ADMIN_API_URI
+                          value: http://
+                        - name: KONG_ADMIN_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_ADMIN_GUI_ACCESS_LOG
+                          value: /dev/stdout
+                        - name: KONG_ADMIN_GUI_API_URL
+                          value: http://
+                        - name: KONG_ADMIN_GUI_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_ADMIN_LISTEN
+                          value: 127.0.0.1:8444 http2 ssl, [::1]:8444 http2 ssl
+                        - name: KONG_ANONYMOUS_REPORTS
+                          value: \"off\"
+                        - name: KONG_CLUSTER_LISTEN
+                          value: \"off\"
+                        - name: KONG_DATABASE
+                          value: postgres
+                        - name: KONG_KIC
+                          value: \"on\"
+                        - name: KONG_LUA_PACKAGE_PATH
+                          value: /opt/?.lua;/opt/?/init.lua;;
+                        - name: KONG_NGINX_WORKER_PROCESSES
+                          value: \"2\"
+                        - name: KONG_PG_HOST
+                          value: chartsnap-postgresql
+                        - name: KONG_PG_PASSWORD
+                          valueFrom:
+                            secretKeyRef:
+                                key: password
+                                name: chartsnap-postgresql
+                        - name: KONG_PG_PORT
+                          value: \"5432\"
+                        - name: KONG_PORTAL_API_ACCESS_LOG
+                          value: /dev/stdout
+                        - name: KONG_PORTAL_API_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_PORT_MAPS
+                          value: 80:8000, 443:8443
+                        - name: KONG_PREFIX
+                          value: /kong_prefix/
+                        - name: KONG_PROXY_ACCESS_LOG
+                          value: /dev/stdout
+                        - name: KONG_PROXY_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_PROXY_LISTEN
+                          value: 0.0.0.0:8000, [::]:8000, 0.0.0.0:8443 http2 ssl, [::]:8443 http2 ssl
+                        - name: KONG_PROXY_STREAM_ACCESS_LOG
+                          value: /dev/stdout basic
+                        - name: KONG_PROXY_STREAM_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_ROUTER_FLAVOR
+                          value: traditional
+                        - name: KONG_STATUS_ACCESS_LOG
+                          value: \"off\"
+                        - name: KONG_STATUS_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_STATUS_LISTEN
+                          value: 0.0.0.0:8100, [::]:8100
+                        - name: KONG_STREAM_LISTEN
+                          value: \"off\"
+                        - name: KONG_NGINX_DAEMON
+                          value: \"off\"
+                      image: kong:3.6
+                      imagePullPolicy: IfNotPresent
+                      name: wait-for-postgres
+                      resources: {}
+                      volumeMounts:
+                        - mountPath: /wait_postgres
+                          name: chartsnap-kong-bash-wait-for-postgres
+                restartPolicy: OnFailure
+                securityContext: {}
+                serviceAccountName: chartsnap-kong
+                volumes:
+                    - emptyDir:
+                        sizeLimit: 256Mi
+                      name: chartsnap-kong-prefix-dir
+                    - emptyDir:
+                        sizeLimit: 1Gi
+                      name: chartsnap-kong-tmp
+                    - name: chartsnap-kong-token
+                      projected:
+                        sources:
+                            - serviceAccountToken:
+                                expirationSeconds: 3607
+                                path: token
+                            - configMap:
+                                items:
+                                    - key: ca.crt
+                                      path: ca.crt
+                                name: kube-root-ca.crt
+                            - downwardAPI:
+                                items:
+                                    - fieldRef:
+                                        apiVersion: v1
+                                        fieldPath: metadata.namespace
+                                      path: namespace
+                    - configMap:
+                        defaultMode: 493
+                        name: chartsnap-kong-bash-wait-for-postgres
+                      name: chartsnap-kong-bash-wait-for-postgres
+                    - name: webhook-cert
+                      secret:
+                        secretName: chartsnap-kong-validation-webhook-keypair
+- object:
+    apiVersion: batch/v1
+    kind: Job
+    metadata:
+        annotations:
+            argocd.argoproj.io/hook: Sync
+            argocd.argoproj.io/hook-delete-policy: BeforeHookCreation
+            helm.sh/hook: pre-upgrade
+            helm.sh/hook-delete-policy: before-hook-creation
+        labels:
+            app.kubernetes.io/component: pre-upgrade-migrations
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            helm.sh/chart: kong-2.38.0
+        name: chartsnap-kong-pre-upgrade-migrations
+        namespace: default
+    spec:
+        backoffLimit: null
+        template:
+            metadata:
+                annotations:
+                    kuma.io/service-account-token-volume: chartsnap-kong-token
+                    sidecar.istio.io/inject: \"false\"
+                labels:
+                    app.kubernetes.io/component: pre-upgrade-migrations
+                    app.kubernetes.io/instance: chartsnap
+                    app.kubernetes.io/managed-by: Helm
+                    app.kubernetes.io/name: kong
+                    app.kubernetes.io/version: \"3.6\"
+                    helm.sh/chart: kong-2.38.0
+                name: kong-pre-upgrade-migrations
+            spec:
+                automountServiceAccountToken: false
+                containers:
+                    - args:
+                        - kong
+                        - migrations
+                        - up
+                      env:
+                        - name: CLIENT_ID
+                          value: exampleId
+                        - name: KONG_ADMIN_ACCESS_LOG
+                          value: /dev/stdout
+                        - name: KONG_ADMIN_API_URI
+                          value: http://
+                        - name: KONG_ADMIN_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_ADMIN_GUI_ACCESS_LOG
+                          value: /dev/stdout
+                        - name: KONG_ADMIN_GUI_API_URL
+                          value: http://
+                        - name: KONG_ADMIN_GUI_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_ADMIN_LISTEN
+                          value: 127.0.0.1:8444 http2 ssl, [::1]:8444 http2 ssl
+                        - name: KONG_ANONYMOUS_REPORTS
+                          value: \"off\"
+                        - name: KONG_CLUSTER_LISTEN
+                          value: \"off\"
+                        - name: KONG_DATABASE
+                          value: postgres
+                        - name: KONG_KIC
+                          value: \"on\"
+                        - name: KONG_LUA_PACKAGE_PATH
+                          value: /opt/?.lua;/opt/?/init.lua;;
+                        - name: KONG_NGINX_WORKER_PROCESSES
+                          value: \"2\"
+                        - name: KONG_PG_HOST
+                          value: chartsnap-postgresql
+                        - name: KONG_PG_PASSWORD
+                          valueFrom:
+                            secretKeyRef:
+                                key: password
+                                name: chartsnap-postgresql
+                        - name: KONG_PG_PORT
+                          value: \"5432\"
+                        - name: KONG_PORTAL_API_ACCESS_LOG
+                          value: /dev/stdout
+                        - name: KONG_PORTAL_API_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_PORT_MAPS
+                          value: 80:8000, 443:8443
+                        - name: KONG_PREFIX
+                          value: /kong_prefix/
+                        - name: KONG_PROXY_ACCESS_LOG
+                          value: /dev/stdout
+                        - name: KONG_PROXY_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_PROXY_LISTEN
+                          value: 0.0.0.0:8000, [::]:8000, 0.0.0.0:8443 http2 ssl, [::]:8443 http2 ssl
+                        - name: KONG_PROXY_STREAM_ACCESS_LOG
+                          value: /dev/stdout basic
+                        - name: KONG_PROXY_STREAM_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_ROUTER_FLAVOR
+                          value: traditional
+                        - name: KONG_STATUS_ACCESS_LOG
+                          value: \"off\"
+                        - name: KONG_STATUS_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_STATUS_LISTEN
+                          value: 0.0.0.0:8100, [::]:8100
+                        - name: KONG_STREAM_LISTEN
+                          value: \"off\"
+                        - name: KONG_NGINX_DAEMON
+                          value: \"off\"
+                      image: kong:3.6
+                      imagePullPolicy: IfNotPresent
+                      name: kong-upgrade-migrations
+                      resources: {}
+                      securityContext:
+                        allowPrivilegeEscalation: false
+                        capabilities:
+                            drop:
+                                - ALL
+                        readOnlyRootFilesystem: true
+                        runAsNonRoot: true
+                        runAsUser: 1000
+                        seccompProfile:
+                            type: RuntimeDefault
+                      volumeMounts:
+                        - mountPath: /kong_prefix/
+                          name: chartsnap-kong-prefix-dir
+                        - mountPath: /tmp
+                          name: chartsnap-kong-tmp
+                initContainers:
+                    - command:
+                        - bash
+                        - /wait_postgres/wait.sh
+                      env:
+                        - name: CLIENT_ID
+                          value: exampleId
+                        - name: KONG_ADMIN_ACCESS_LOG
+                          value: /dev/stdout
+                        - name: KONG_ADMIN_API_URI
+                          value: http://
+                        - name: KONG_ADMIN_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_ADMIN_GUI_ACCESS_LOG
+                          value: /dev/stdout
+                        - name: KONG_ADMIN_GUI_API_URL
+                          value: http://
+                        - name: KONG_ADMIN_GUI_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_ADMIN_LISTEN
+                          value: 127.0.0.1:8444 http2 ssl, [::1]:8444 http2 ssl
+                        - name: KONG_ANONYMOUS_REPORTS
+                          value: \"off\"
+                        - name: KONG_CLUSTER_LISTEN
+                          value: \"off\"
+                        - name: KONG_DATABASE
+                          value: postgres
+                        - name: KONG_KIC
+                          value: \"on\"
+                        - name: KONG_LUA_PACKAGE_PATH
+                          value: /opt/?.lua;/opt/?/init.lua;;
+                        - name: KONG_NGINX_WORKER_PROCESSES
+                          value: \"2\"
+                        - name: KONG_PG_HOST
+                          value: chartsnap-postgresql
+                        - name: KONG_PG_PASSWORD
+                          valueFrom:
+                            secretKeyRef:
+                                key: password
+                                name: chartsnap-postgresql
+                        - name: KONG_PG_PORT
+                          value: \"5432\"
+                        - name: KONG_PORTAL_API_ACCESS_LOG
+                          value: /dev/stdout
+                        - name: KONG_PORTAL_API_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_PORT_MAPS
+                          value: 80:8000, 443:8443
+                        - name: KONG_PREFIX
+                          value: /kong_prefix/
+                        - name: KONG_PROXY_ACCESS_LOG
+                          value: /dev/stdout
+                        - name: KONG_PROXY_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_PROXY_LISTEN
+                          value: 0.0.0.0:8000, [::]:8000, 0.0.0.0:8443 http2 ssl, [::]:8443 http2 ssl
+                        - name: KONG_PROXY_STREAM_ACCESS_LOG
+                          value: /dev/stdout basic
+                        - name: KONG_PROXY_STREAM_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_ROUTER_FLAVOR
+                          value: traditional
+                        - name: KONG_STATUS_ACCESS_LOG
+                          value: \"off\"
+                        - name: KONG_STATUS_ERROR_LOG
+                          value: /dev/stderr
+                        - name: KONG_STATUS_LISTEN
+                          value: 0.0.0.0:8100, [::]:8100
+                        - name: KONG_STREAM_LISTEN
+                          value: \"off\"
+                        - name: KONG_NGINX_DAEMON
+                          value: \"off\"
+                      image: kong:3.6
+                      imagePullPolicy: IfNotPresent
+                      name: wait-for-postgres
+                      resources: {}
+                      volumeMounts:
+                        - mountPath: /wait_postgres
+                          name: chartsnap-kong-bash-wait-for-postgres
+                restartPolicy: OnFailure
+                securityContext: {}
+                serviceAccountName: chartsnap-kong
+                volumes:
+                    - emptyDir:
+                        sizeLimit: 256Mi
+                      name: chartsnap-kong-prefix-dir
+                    - emptyDir:
+                        sizeLimit: 1Gi
+                      name: chartsnap-kong-tmp
+                    - name: chartsnap-kong-token
+                      projected:
+                        sources:
+                            - serviceAccountToken:
+                                expirationSeconds: 3607
+                                path: token
+                            - configMap:
+                                items:
+                                    - key: ca.crt
+                                      path: ca.crt
+                                name: kube-root-ca.crt
+                            - downwardAPI:
+                                items:
+                                    - fieldRef:
+                                        apiVersion: v1
+                                        fieldPath: metadata.namespace
+                                      path: namespace
+                    - configMap:
+                        defaultMode: 493
+                        name: chartsnap-kong-bash-wait-for-postgres
+                      name: chartsnap-kong-bash-wait-for-postgres
+                    - name: webhook-cert
+                      secret:
+                        secretName: chartsnap-kong-validation-webhook-keypair
+- object:
+    apiVersion: networking.k8s.io/v1
+    kind: Ingress
+    metadata:
+        labels:
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            helm.sh/chart: kong-2.38.0
+        name: chartsnap-kong-proxy
+        namespace: default
+    spec:
+        rules:
+            - host: proxy.kong.example
+              http:
+                paths:
+                    - backend:
+                        service:
+                            name: chartsnap-kong-proxy
+                            port:
+                                number: 443
+                      path: /
+                      pathType: ImplementationSpecific
+- object:
+    apiVersion: rbac.authorization.k8s.io/v1
+    kind: ClusterRole
+    metadata:
+        labels:
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            helm.sh/chart: kong-2.38.0
+        name: chartsnap-kong
+    rules:
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - kongupstreampolicies
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - kongupstreampolicies/status
+          verbs:
+            - get
+            - patch
+            - update
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - kongconsumergroups
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - kongconsumergroups/status
+          verbs:
+            - get
+            - patch
+            - update
+        - apiGroups:
+            - \"\"
+          resources:
+            - events
+          verbs:
+            - create
+            - patch
+        - apiGroups:
+            - \"\"
+          resources:
+            - nodes
+          verbs:
+            - list
+            - watch
+        - apiGroups:
+            - \"\"
+          resources:
+            - pods
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - \"\"
+          resources:
+            - secrets
+          verbs:
+            - list
+            - watch
+        - apiGroups:
+            - \"\"
+          resources:
+            - services
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - \"\"
+          resources:
+            - services/status
+          verbs:
+            - get
+            - patch
+            - update
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - ingressclassparameterses
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - kongconsumers
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - kongconsumers/status
+          verbs:
+            - get
+            - patch
+            - update
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - kongingresses
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - kongingresses/status
+          verbs:
+            - get
+            - patch
+            - update
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - kongplugins
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - kongplugins/status
+          verbs:
+            - get
+            - patch
+            - update
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - tcpingresses
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - tcpingresses/status
+          verbs:
+            - get
+            - patch
+            - update
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - udpingresses
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - udpingresses/status
+          verbs:
+            - get
+            - patch
+            - update
+        - apiGroups:
+            - extensions
+          resources:
+            - ingresses
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - extensions
+          resources:
+            - ingresses/status
+          verbs:
+            - get
+            - patch
+            - update
+        - apiGroups:
+            - networking.k8s.io
+          resources:
+            - ingresses
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - networking.k8s.io
+          resources:
+            - ingresses/status
+          verbs:
+            - get
+            - patch
+            - update
+        - apiGroups:
+            - discovery.k8s.io
+          resources:
+            - endpointslices
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - konglicenses
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - konglicenses/status
+          verbs:
+            - get
+            - patch
+            - update
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - kongvaults
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - kongvaults/status
+          verbs:
+            - get
+            - patch
+            - update
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - kongclusterplugins
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - configuration.konghq.com
+          resources:
+            - kongclusterplugins/status
+          verbs:
+            - get
+            - patch
+            - update
+        - apiGroups:
+            - apiextensions.k8s.io
+          resources:
+            - customresourcedefinitions
+          verbs:
+            - list
+            - watch
+        - apiGroups:
+            - networking.k8s.io
+          resources:
+            - ingressclasses
+          verbs:
+            - get
+            - list
+            - watch
+- object:
+    apiVersion: rbac.authorization.k8s.io/v1
+    kind: ClusterRoleBinding
+    metadata:
+        labels:
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            helm.sh/chart: kong-2.38.0
+        name: chartsnap-kong
+    roleRef:
+        apiGroup: rbac.authorization.k8s.io
+        kind: ClusterRole
+        name: chartsnap-kong
+    subjects:
+        - kind: ServiceAccount
+          name: chartsnap-kong
+          namespace: default
+- object:
+    apiVersion: rbac.authorization.k8s.io/v1
+    kind: Role
+    metadata:
+        labels:
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            helm.sh/chart: kong-2.38.0
+        name: chartsnap-kong
+        namespace: default
+    rules:
+        - apiGroups:
+            - \"\"
+          resources:
+            - configmaps
+            - pods
+            - secrets
+            - namespaces
+          verbs:
+            - get
+        - apiGroups:
+            - \"\"
+          resourceNames:
+            - kong-ingress-controller-leader-kong-kong
+          resources:
+            - configmaps
+          verbs:
+            - get
+            - update
+        - apiGroups:
+            - \"\"
+          resources:
+            - configmaps
+          verbs:
+            - create
+        - apiGroups:
+            - \"\"
+            - coordination.k8s.io
+          resources:
+            - configmaps
+            - leases
+          verbs:
+            - get
+            - list
+            - watch
+            - create
+            - update
+            - patch
+            - delete
+        - apiGroups:
+            - \"\"
+          resources:
+            - events
+          verbs:
+            - create
+            - patch
+        - apiGroups:
+            - \"\"
+          resources:
+            - services
+          verbs:
+            - get
+- object:
+    apiVersion: rbac.authorization.k8s.io/v1
+    kind: RoleBinding
+    metadata:
+        labels:
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            helm.sh/chart: kong-2.38.0
+        name: chartsnap-kong
+        namespace: default
+    roleRef:
+        apiGroup: rbac.authorization.k8s.io
+        kind: Role
+        name: chartsnap-kong
+    subjects:
+        - kind: ServiceAccount
+          name: chartsnap-kong
+          namespace: default
+- object:
+    apiVersion: v1
+    data:
+        wait.sh: |
+            until timeout 2 bash -c \"9<>/dev/tcp/${KONG_PG_HOST}/${KONG_PG_PORT}\"
+              do echo \"waiting for db - trying ${KONG_PG_HOST}:${KONG_PG_PORT}\"
+              sleep 2
+            done
+    kind: ConfigMap
+    metadata:
+        labels:
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            helm.sh/chart: kong-2.38.0
+        name: chartsnap-kong-bash-wait-for-postgres
+        namespace: default
+- object:
+    apiVersion: v1
+    data:
+        tls.crt: '###DYNAMIC_FIELD###'
+        tls.key: '###DYNAMIC_FIELD###'
+    kind: Secret
+    metadata:
+        labels:
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            helm.sh/chart: kong-2.38.0
+        name: chartsnap-kong-validation-webhook-ca-keypair
+        namespace: default
+    type: kubernetes.io/tls
+- object:
+    apiVersion: v1
+    data:
+        tls.crt: '###DYNAMIC_FIELD###'
+        tls.key: '###DYNAMIC_FIELD###'
+    kind: Secret
+    metadata:
+        labels:
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            helm.sh/chart: kong-2.38.0
+        name: chartsnap-kong-validation-webhook-keypair
+        namespace: default
+    type: kubernetes.io/tls
+- object:
+    apiVersion: v1
+    data:
+        password: a29uZw==
+        postgres-password: '###DYNAMIC_FIELD###'
+    kind: Secret
+    metadata:
+        labels:
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: postgresql
+            helm.sh/chart: postgresql-11.9.13
+        name: chartsnap-postgresql
+        namespace: default
+    type: Opaque
+- object:
+    apiVersion: v1
+    kind: Service
+    metadata:
+        labels:
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            helm.sh/chart: kong-2.38.0
+        name: chartsnap-kong-manager
+        namespace: default
+    spec:
+        ports:
+            - name: kong-manager
+              port: 8002
+              protocol: TCP
+              targetPort: 8002
+            - name: kong-manager-tls
+              port: 8445
+              protocol: TCP
+              targetPort: 8445
+        selector:
+            app.kubernetes.io/component: app
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/name: kong
+        type: NodePort
+- object:
+    apiVersion: v1
+    kind: Service
+    metadata:
+        labels:
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            enable-metrics: \"true\"
+            helm.sh/chart: kong-2.38.0
+        name: chartsnap-kong-proxy
+        namespace: default
+    spec:
+        ports:
+            - name: kong-proxy
+              port: 80
+              protocol: TCP
+              targetPort: 8000
+            - name: kong-proxy-tls
+              port: 443
+              protocol: TCP
+              targetPort: 8443
+        selector:
+            app.kubernetes.io/component: app
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/name: kong
+        type: LoadBalancer
+- object:
+    apiVersion: v1
+    kind: Service
+    metadata:
+        labels:
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            helm.sh/chart: kong-2.38.0
+        name: chartsnap-kong-validation-webhook
+        namespace: default
+    spec:
+        ports:
+            - name: webhook
+              port: 443
+              protocol: TCP
+              targetPort: webhook
+        selector:
+            app.kubernetes.io/component: app
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            helm.sh/chart: kong-2.38.0
+- object:
+    apiVersion: v1
+    kind: Service
+    metadata:
+        annotations: null
+        labels:
+            app.kubernetes.io/component: primary
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: postgresql
+            helm.sh/chart: postgresql-11.9.13
+        name: chartsnap-postgresql
+        namespace: default
+    spec:
+        ports:
+            - name: tcp-postgresql
+              nodePort: null
+              port: 5432
+              targetPort: tcp-postgresql
+        selector:
+            app.kubernetes.io/component: primary
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/name: postgresql
+        sessionAffinity: None
+        type: ClusterIP
+- object:
+    apiVersion: v1
+    kind: Service
+    metadata:
+        labels:
+            app.kubernetes.io/component: primary
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: postgresql
+            helm.sh/chart: postgresql-11.9.13
+            service.alpha.kubernetes.io/tolerate-unready-endpoints: \"true\"
+        name: chartsnap-postgresql-hl
+        namespace: default
+    spec:
+        clusterIP: None
+        ports:
+            - name: tcp-postgresql
+              port: 5432
+              targetPort: tcp-postgresql
+        publishNotReadyAddresses: true
+        selector:
+            app.kubernetes.io/component: primary
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/name: postgresql
+        type: ClusterIP
+- object:
+    apiVersion: v1
+    kind: ServiceAccount
+    metadata:
+        labels:
+            app.kubernetes.io/instance: chartsnap
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: kong
+            app.kubernetes.io/version: \"3.6\"
+            helm.sh/chart: kong-2.38.0
+        name: chartsnap-kong
+        namespace: default
+"""
diff --git a/helm/infrastructure/subcharts/kong/ci/admin-api-service-clusterip-values.yaml b/helm/infrastructure/subcharts/kong/ci/admin-api-service-clusterip-values.yaml
new file mode 100644 (file)
index 0000000..8204ad4
--- /dev/null
@@ -0,0 +1,18 @@
+admin:
+  enabled: true
+  type: ClusterIP
+
+# Stub config to make the instance become ready
+dblessConfig:
+  config: |
+    _format_version: "1.1"
+    services:
+    - name: example.com
+      url: http://example.com
+      routes:
+      - name: example
+        paths:
+        - "/example"
+
+ingressController:
+  enabled: false
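Review bot: `admin.enabled: true` with `type: ClusterIP` publishes the Kong Admin API as an in-cluster Service, and the open-source Admin API carries no authentication of its own (Kong's guidance is network isolation), so any workload in the cluster could reconfigure the gateway. For a CI fixture that is acceptable, but nothing in the file records the intent; add `# CI fixture: exposes the unauthenticated Admin API in-cluster; do not copy to production` above the `admin:` stanza so the file is not reused as a reference configuration.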
diff --git a/helm/infrastructure/subcharts/kong/ci/custom-labels-values.yaml b/helm/infrastructure/subcharts/kong/ci/custom-labels-values.yaml
new file mode 100644 (file)
index 0000000..a2adc84
--- /dev/null
@@ -0,0 +1,3 @@
+# install chart with some extra labels
+extraLabels:
+  acme.com/some-key: some-value
index fe8b694..fd2b9b9 100644 (file)
@@ -1,3 +1,6 @@
 # install chart with default values
-proxy:
-  type: NodePort
+env:
+  anonymous_reports: "off"
+ingressController:
+  env:
+    anonymous_reports: "false"
diff --git a/helm/infrastructure/subcharts/kong/ci/kong-ingress-1-values.yaml b/helm/infrastructure/subcharts/kong/ci/kong-ingress-1-values.yaml
new file mode 100644 (file)
index 0000000..0cab2d4
--- /dev/null
@@ -0,0 +1,15 @@
+# CI test for empty hostname including tls secret using string
+proxy:
+  ingress:
+    enabled: true
+    tls: "kong.proxy.example.secret"
+
+extraObjects:
+- apiVersion: v1
+  data:
+    tls.crt: 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
+    tls.key: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1JSUV2Z0lCQURBTkJna3Foa2lHOXcwQkFRRUZBQVNDQktnd2dnU2tBZ0VBQW9JQkFRRHhtREd6YmtUQ2FLMlUKT1liYjVWYVdvWEViSjFPN3E2SUZWWVIvZUZZZThhLzlDTmQya0JqSjJ5K0xuKytoQ2F2ZFBKRUNpNWtaZ0VhMgpkTUMybzJTb3BGcFNLT0pWTEF6ZXpJaTZuS2ZaTnduM250MG8vNU5yaG44UXhGT2tmNnVSbVZZd3JsWDdrcmMxCm9mK1o3SGxSMUJrakZnc3pjc2ZjcTJ1Uy8xOURwZEdDQjNMUGpRcTlvVE1pYVdrU0VHbUVvZjFCdHYrMFFNeisKMUNPWDhROStZRExkLzFjeWNQZEhGWHMycVI4cUpIZGFCRUxhcXZtUTZiSWd1TzVxVU1VeGlqSUo0aDhuQzVsNApLRWtXaThaQWs5WHBnNm91ZGtSekRVNENJOVlHemFxNTltS1huTjdNTUo0QVYzbkRLNlFwWTZETktDM3BicWp0Cm9BVFFMNit0QWdNQkFBRUNnZ0VCQUs3N1I0d3BJcDRZU1JoaGJoN1loWldHQ3JEYkZCZUtZVWd4djB5LzhNaHEKenNlYlhzdGQ1TVpXL2FISVRqdzZFQU9tT1hVNWZNTHVtTWpQMlVDdktWbkg2QzgzczI1ekFFTmlxdWxXUzIvVgpJRi83N1Qwamx6ZTY2MDlPa3pKQzBoWWJsRVNnRUdDc3pBdUpjT0tnVnVLQWwxQkZTQW1VYWRPWFNNdm9NS3lDCkJlekZaVEhOcGRWQ2xwUHVLNGQrWFJJZ1hHWS84RzNmWlFXRWNjV2tTYmRjQUlLdVYvWktHQ0IyT2dXS1VzSHgKTStscEw1TTZ3aXdYOEFNdUVWVHJsMWNwKzAzTjdOaUYwMFpYdCszZzVZUkJmRitYWjZ1b3hmbENQZ3VHdzh6bgpvN2tFRVNKZ2YycHZyZWYveHBjSVFSM090aHZjSzR5RldOcndPbExHQk9FQ2dZRUErNmJBREF0bDAvRlpzV08zCnVvNlBRNXZTL0tqbS9XaUkzeUo5TUdLNzQxTFZpMlRMUGpVZ092SDdkZUVjNVJjUmoxV1Nna3d1bUdzZWE2WkQKWXRWSTRZTDdMM1NUQ3JyZUNFTDRhOUJPcFB0azcxWWw3TmhxZktEaXhzU1FnNmt4dDJ1TlYvZXNSQ1JPeENoWgp5bk9JTmkvN3lOeFpVek4zcndyVjBCMUFNYVVDZ1lFQTljVDBZNkJWRHZLdFFaV1gvR1REZ2pUUzN6QWlPWmFNCjVFM3NleHh6MXY4eDF0N3JvWDV3aHNaVjlzQ05nNlJaNjIyT3hJejhHQnVvMnU1M2h2WFJabmdDaG1PcHYwRjgKcm5STWFNR0tIeGN2TmNrVUZUMW9TdDJCeEhNT1FNZTM2cERVTnZ0S3pvNGJoakpVUU94Mm14RU9TNERscm4rMApRU3FqVFpyWGwya0NnWUJ1UmIyMkNYQ1BsUjBHbkhtd0tEUWpIaTh3UkJza1JDQm1Gc2pnNFFNUU5BWWJWUW15CnNyankyNEtqUHdmWVkybHdjOEVGazdoL1ZjRTR6dHlNZklXNVBCb3h5MVY3eURMdlQ5bG45Um5oTmNBZkdKTDUKM0VPZFpTcTZpdndBbGEyUmdIR3BjSUJ1UTdLNFJpNUNocW5UaE9kQ056eDFOd0psRTh4cHE4ZXJlUUtCZ1FEeQppV3B3UXRLT0ROa0VCdi9WT1E5am1JT2RjOS9pbXZyeGR5RHZvWFdENzVXY3FhTTVYUkRwUUNPbmZnQnBzREI0CjBFWjdHM0xReThNSVF4czcyYXpMaFpWZ1VFdzlEUUJoSFM0bWx4Q2FmQU8vL1c3UFF5bC84RGJXeW9CL1YxamQKcUExMU1PcHpDdlNJcTNSUUdjczJYaytRSFdVTW5zUW
hKMVcvQ1JiSE9RS0JnRTVQZ0hrbW1PY1VXZkJBZUtzTApvb2FNNzBINVN1YUNYN1Y1enBhM3hFMW5WVWMxend5aldOdkdWbTA5WkpEOFFMR1ZDV2U0R1o5R1NvV2tqSUMvCklFKzA0M29kUERuL2JwSDlTMDF2a0s1ZDRJSGc3QUcwWXI5SW1zS0paT0djT1dmdUdKSlZ5em1CRXhaSU9pbnoKVFFuaFdhZWs0NE1hdVJYOC9pRjZyZWorCi0tLS0tRU5EIFBSSVZBVEUgS0VZLS0tLS0K
+  kind: Secret
+  metadata:
+    name: kong.proxy.example.secret
+  type: kubernetes.io/tls
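Review bot: The `tls.key` value of the extraObjects Secret is a complete base64-encoded PEM private key (its prefix decodes to `-----BEGIN PRIVATE KEY-----`), so the key is now readable by anyone with access to the repository; the same kind of fixture material is committed in kong-ingress-2-values.yaml and kong-ingress-4-values.yaml. That is tolerable only if the keypair is a throwaway self-signed pair that is never reused, and the file does not say so; record it in the header, e.g. `# CI fixture: throwaway self-signed keypair, never reuse outside chart CI`. Generating the pair at CI time instead of committing it would remove the question entirely, and secret scanners that flag PEM blocks will otherwise trip on this file on every run.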
diff --git a/helm/infrastructure/subcharts/kong/ci/kong-ingress-2-values.yaml b/helm/infrastructure/subcharts/kong/ci/kong-ingress-2-values.yaml
new file mode 100644 (file)
index 0000000..73285b3
--- /dev/null
@@ -0,0 +1,16 @@
+# CI test for hostname including tls secret using string
+proxy:
+  ingress:
+    enabled: true
+    hostname: "proxy.kong.example"
+    tls: "kong.proxy.example.secret"
+
+extraObjects:
+- apiVersion: v1
+  data:
+    tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURoakNDQW00Q0NRQ0tyTDdSS1Y0NTBEQU5CZ2txaGtpRzl3MEJBUXNGQURDQmhERUxNQWtHQTFVRUJoTUMKV0ZneEVqQVFCZ05WQkFnTUNWTjBZWFJsVG1GdFpURVJNQThHQTFVRUJ3d0lRMmwwZVU1aGJXVXhGREFTQmdOVgpCQW9NQzBOdmJYQmhibmxPWVcxbE1Sc3dHUVlEVlFRTERCSkRiMjF3WVc1NVUyVmpkR2x2Yms1aGJXVXhHekFaCkJnTlZCQU1NRW5CeWIzaDVMbXR2Ym1jdVpYaGhiWEJzWlRBZUZ3MHlNekEyTWprd09ERTBNekJhRncwek16QTIKTWpZd09ERTBNekJhTUlHRU1Rc3dDUVlEVlFRR0V3SllXREVTTUJBR0ExVUVDQXdKVTNSaGRHVk9ZVzFsTVJFdwpEd1lEVlFRSERBaERhWFI1VG1GdFpURVVNQklHQTFVRUNnd0xRMjl0Y0dGdWVVNWhiV1V4R3pBWkJnTlZCQXNNCkVrTnZiWEJoYm5sVFpXTjBhVzl1VG1GdFpURWJNQmtHQTFVRUF3d1NjSEp2ZUhrdWEyOXVaeTVsZUdGdGNHeGwKTUlJQklqQU5CZ2txaGtpRzl3MEJBUUVGQUFPQ0FROEFNSUlCQ2dLQ0FRRUE4Wmd4czI1RXdtaXRsRG1HMitWVwpscUZ4R3lkVHU2dWlCVldFZjNoV0h2R3YvUWpYZHBBWXlkc3ZpNS92b1FtcjNUeVJBb3VaR1lCR3RuVEF0cU5rCnFLUmFVaWppVlN3TTNzeUl1cHluMlRjSjk1N2RLUCtUYTRaL0VNUlRwSCtya1psV01LNVYrNUszTmFIL21leDUKVWRRWkl4WUxNM0xIM0t0cmt2OWZRNlhSZ2dkeXo0MEt2YUV6SW1scEVoQnBoS0g5UWJiL3RFRE0vdFFqbC9FUApmbUF5M2Y5WE1uRDNSeFY3TnFrZktpUjNXZ1JDMnFyNWtPbXlJTGp1YWxERk1Zb3lDZUlmSnd1WmVDaEpGb3ZHClFKUFY2WU9xTG5aRWN3MU9BaVBXQnMycXVmWmlsNXplekRDZUFGZDV3eXVrS1dPZ3pTZ3Q2VzZvN2FBRTBDK3YKclFJREFRQUJNQTBHQ1NxR1NJYjNEUUVCQ3dVQUE0SUJBUUNGZHhFOFVsMVorcWxBbW1lTk5BdlAyZVVxSElTbQpHWXZidzdGdW82bXNJY3V3cjZKeENBWjIwako5UkphalMzWS9TS3BteXM2OXZxU21ic25oeUJzc01mL1ZtenFSClBVLzVkUUZiblNybUJqMnFBNWxtRCtENDVLUEtrTjc1V21NeDRQWkZseEw3WHVLYnZhYVZBUjFFUmRNZy90NisKUXpPV3BVWVZrcFJnQmlxTDBTTjhvTStOTjdScGFESFNkZjlTY1FtUmhNVklNNDdVZ1ZXNWhta21mQjBkUTFhQQo5NWdTQ3E0cGVwUFRzY3NsbVBzM0lOck5BTk45KytyMnM1bXRTWnp5VktRU0cwRjQ0Y1puWjdTdkdTVFJORDlUCnRKVzNTcko3elBwS0JqWi9qVDRRVnpBdGtHN3FSV2ZhYnlWTmVrK29wMTgwSVY5Um9IR1JDU0kyCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
+    tls.key: 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
+  kind: Secret
+  metadata:
+    name: kong.proxy.example.secret
+  type: kubernetes.io/tls
diff --git a/helm/infrastructure/subcharts/kong/ci/kong-ingress-3-values.yaml b/helm/infrastructure/subcharts/kong/ci/kong-ingress-3-values.yaml
new file mode 100644 (file)
index 0000000..e712efb
--- /dev/null
@@ -0,0 +1,9 @@
+# CI test for using ingress hosts configuration
+proxy:
+  ingress:
+    enabled: true
+    hosts:
+    - host: proxy.kong.example
+      paths:
+      - path: /
+        pathType: ImplementationSpecific
diff --git a/helm/infrastructure/subcharts/kong/ci/kong-ingress-4-values.yaml b/helm/infrastructure/subcharts/kong/ci/kong-ingress-4-values.yaml
new file mode 100644 (file)
index 0000000..ba79f10
--- /dev/null
@@ -0,0 +1,42 @@
+# CI test for testing combined ingress hostname and hosts configuration including tls configuraion using slice
+proxy:
+  ingress:
+    enabled: true
+    hostname: "proxy.kong.example"
+    hosts:
+    - host: "proxy2.kong.example"
+      paths:
+        - path: /foo
+          pathType: Prefix
+        - path: /bar
+          pathType: Prefix
+    - host: "proxy3.kong.example"
+      paths:
+        - path: /baz
+          pathType: Prefix
+    tls:
+    - hosts:
+        - "proxy.kong.example"
+      secretName: "proxy.kong.example.secret"
+    - hosts:
+        - "proxy2.kong.example"
+        - "proxy3.kong.example"
+      secretName: "proxy.kong.example.secret2"
+
+extraObjects:
+- apiVersion: v1
+  data:
+    tls.crt: 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
+    tls.key: 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
+  kind: Secret
+  metadata:
+    name: kong.proxy.example.secret
+  type: kubernetes.io/tls
+- apiVersion: v1
+  data:
+    tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURmakNDQW1ZQ0NRREVtWjF0cnJwaURqQU5CZ2txaGtpRzl3MEJBUXNGQURDQmdERUxNQWtHQTFVRUJoTUMKV0ZneEVqQVFCZ05WQkFnTUNWTjBZWFJsVG1GdFpURVJNQThHQTFVRUJ3d0lRMmwwZVU1aGJXVXhGREFTQmdOVgpCQW9NQzBOdmJYQmhibmxPWVcxbE1Sc3dHUVlEVlFRTERCSkRiMjF3WVc1NVUyVmpkR2x2Yms1aGJXVXhGekFWCkJnTlZCQU1NRGlvdWEyOXVaeTVsZUdGdGNHeGxNQjRYRFRJek1EWXlPVEE0TVRjek4xb1hEVE16TURZeU5qQTQKTVRjek4xb3dnWUF4Q3pBSkJnTlZCQVlUQWxoWU1SSXdFQVlEVlFRSURBbFRkR0YwWlU1aGJXVXhFVEFQQmdOVgpCQWNNQ0VOcGRIbE9ZVzFsTVJRd0VnWURWUVFLREF0RGIyMXdZVzU1VG1GdFpURWJNQmtHQTFVRUN3d1NRMjl0CmNHRnVlVk5sWTNScGIyNU9ZVzFsTVJjd0ZRWURWUVFEREE0cUxtdHZibWN1WlhoaGJYQnNaVENDQVNJd0RRWUoKS29aSWh2Y05BUUVCQlFBRGdnRVBBRENDQVFvQ2dnRUJBTDlSR1g1VytsRW8wcGg2eTJqeHN6TGZOcjMvNlpFOQpPR0pPMGl1WmpwRml2dHBya24ydDlqYTRaNUdYOGh4NUczS1FsRkhrVFBmV01BWmUzdldINTF0alZzYjZwY2UwCjlkMUo4WXNxWkh5RHVlUzBrS3RUbEFmc0F5MnVjL3ZvUUdmOTdZeUI2TlJ4TEJmNHBnSVJ4eHpGM3o0Q1ZOSTgKTzE5Ym1PYVo1Vkk1QWZpbENSMUI1ekxuN2VoeEJHOHhTQmRtQUg0eWFob2t5RXk2a0ZtRzJCaEtJWjdsL1BZYQpqbU1yQ3cwekRVampvblBublZTWTkxL0EwNUJVTVk5OEZsME00QVV5T1V3enBaajhqMXhLMTNqUVlGeXJwUHQwCklHNUdLR044akVCcnRkdGVlcGZIdFZuekFWYnhoT0hkcXZoUWhrSDJDSGVwOStIQkNIL25VL1VDQXdFQUFUQU4KQmdrcWhraUc5dzBCQVFzRkFBT0NBUUVBQkcxVVYyUFRJekhrNEt4cjBHT0NXalhjTTdKUU9hbUJQM3dZSCswRgpyc09YUG9IOHVLV25XYjhSSGE1MDhMenU4MGNzS1lYcnZ4SEhDcmcxdXJjRnl3bnNMaUtMNGhsQklTd2ZMNzFFClVXODhQdGYyWTdjTnJZRzNLc2MvMWVpait1RWd5bVdCbjkraVYzbzE5VERwRjlZZWZwYzNUUDJqMGhNUHcwMlgKa1gzSlh3b250NnBQaDhlQjhXRU1OZkF5NzZmb0lMcytVd0Fjck56QkpjSVZSTERoZWFNMFNFd0xCNUpuaWZ5ZwplRE1aSE56MkhLais0NU1wTzFOSDBtd3ZJRTRLQjNITUNSSlMybmZFbWVMcFdCMWpmZTV6T2o1bWhTeS82M0RVCldDQll1aUhtelFWaGxJS21lQzBlVmd3bGtkMTFrUDRNM1hoWnB6V09aQ1BoaGc9PQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
+    tls.key: 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
+  kind: Secret
+  metadata:
+    name: kong.proxy.example.secret2
+  type: kubernetes.io/tls
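Review bot: The Ingress TLS entries reference `secretName: "proxy.kong.example.secret"` and `secretName: "proxy.kong.example.secret2"`, but the two Secrets created under extraObjects are named `kong.proxy.example.secret` and `kong.proxy.example.secret2`, so unless the chart rewrites the name the rendered Ingress points at Secrets that do not exist and those hosts will not terminate with the intended certificate. If CI only lints or installs without exercising TLS this goes unnoticed, which is presumably how the mismatch survived. Either rename the Secrets or change the two references to `secretName: "kong.proxy.example.secret"` and `secretName: "kong.proxy.example.secret2"`; the header comment also misspells "configuration".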
diff --git a/helm/infrastructure/subcharts/kong/ci/kong-ingress-5-3.1-rbac-values.yaml b/helm/infrastructure/subcharts/kong/ci/kong-ingress-5-3.1-rbac-values.yaml
new file mode 100644 (file)
index 0000000..0e5d26a
--- /dev/null
@@ -0,0 +1,7 @@
+env:
+  anonymous_reports: "off"
+ingressController:
+  env:
+    anonymous_reports: "false"
+  image:
+    tag: "3.1.0"
diff --git a/helm/infrastructure/subcharts/kong/ci/proxy-appprotocol-values.yaml b/helm/infrastructure/subcharts/kong/ci/proxy-appprotocol-values.yaml
new file mode 100644 (file)
index 0000000..ad04242
--- /dev/null
@@ -0,0 +1,7 @@
+# This values test that the `proxy.*.appProtocol` can be set to a custom value.
+
+proxy:
+  http:
+    appProtocol: "http"
+  tls:
+    appProtocol: "https"
diff --git a/helm/infrastructure/subcharts/kong/ci/service-account.yaml b/helm/infrastructure/subcharts/kong/ci/service-account.yaml
new file mode 100644 (file)
index 0000000..58ed39c
--- /dev/null
@@ -0,0 +1,11 @@
+
+# install chart with a service account
+deployment:
+  serviceAccount:
+    create: true
+    name: "my-kong-sa"
+    annotations: {}
+
+ingressController:
+  serviceAccount:
+    create: false
diff --git a/helm/infrastructure/subcharts/kong/ci/single-image-default-values.yaml b/helm/infrastructure/subcharts/kong/ci/single-image-default-values.yaml
new file mode 100644 (file)
index 0000000..0402fe1
--- /dev/null
@@ -0,0 +1,13 @@
+# install chart with default values
+# use single image strings instead of repository/tag
+
+image:
+  unifiedRepoTag: kong:3.4.1
+
+env:
+  anonymous_reports: "off"
+ingressController:
+  env:
+    anonymous_reports: "false"
+  image:
+    unifiedRepoTag: kong/kubernetes-ingress-controller:3.0
diff --git a/helm/infrastructure/subcharts/kong/ci/test-enterprise-version-3.4.0.0-values.yaml b/helm/infrastructure/subcharts/kong/ci/test-enterprise-version-3.4.0.0-values.yaml
new file mode 100644 (file)
index 0000000..ec09b8d
--- /dev/null
@@ -0,0 +1,14 @@
+ingressController:
+  enabled: false
+
+image:
+  repository: kong/kong-gateway
+  tag: "3.4.0.0"
+
+readinessProbe:
+  httpGet:
+    path: "/status"
+    port: status
+    scheme: HTTP
+  initialDelaySeconds: 1
+  periodSeconds: 1
index c77ae44..5619eb8 100644 (file)
@@ -1,4 +1,9 @@
-# This tests the following unrealted aspects of Ingress Controller
+# This tests the following unrelated aspects of Ingress Controller
+# - HPA enabled
+autoscaling:
+  enabled: true
+  args:
+    - --alsologtostderr
 # - ingressController deploys without a database (default)
 ingressController:
   enabled: true
@@ -7,22 +12,58 @@ ingressController:
     enabled: true
 # - environment variables can be injected into ingress controller container
   env:
+    anonymous_reports: "false"
     kong_admin_header: "foo:bar"
-# - podSecurityPolicies are enabled
-podSecurityPolicy:
-  enabled: true
+# - annotations can be injected for service account
+  serviceAccount:
+    annotations:
+      eks.amazonaws.com/role-arn: arn:aws:iam::AWS_ACCOUNT_ID:role/IAM_ROLE_NAME
+  userDefinedVolumeMounts:
+  - name: "tmpdir"
+    mountPath: "/tmp/foo"
+    readOnly: true
+  - name: "controllerdir"
+    mountPath: "/tmp/controller"
+# - pod labels can be added to the deployment template
+podLabels:
+  app: kong
+  environment: test
 # - ingress resources are created with hosts
 admin:
-  type: NodePort
   ingress:
     enabled: true
-    hosts: ["test.com", "test2.com"]
+    hostname: admin.kong.example
     annotations: {}
     path: /
 proxy:
-  type: NodePort
   ingress:
     enabled: true
-    hosts: ["test.com", "test2.com"]
+    hostname: proxy.kong.example
     annotations: {}
     path: /
+env:
+  anonymous_reports: "off"
+
+deployment:
+  initContainers:
+    - name: "bash"
+      image: "bash:latest"
+      command: ["/bin/sh", "-c", "true"]
+      resources:
+        limits:
+          cpu: "100m"
+          memory: "64Mi"
+        requests:
+          cpu: "100m"
+          memory: "64Mi"
+      volumeMounts:
+      - name: "tmpdir"
+        mountPath: "/tmp/foo"
+  userDefinedVolumes:
+  - name: "tmpdir"
+    emptyDir: {}
+  - name: "controllerdir"
+    emptyDir: {}
+  userDefinedVolumeMounts:
+  - name: "tmpdir"
+    mountPath: "/tmp/foo"
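Review bot: The initContainer image `image: "bash:latest"` is a floating tag, so the fixture pulls whatever upstream published last and the run is neither reproducible nor protected against the tag being repointed; the same initContainer stanza is repeated verbatim in the next two ci values files. Pin it, e.g. `image: "bash:<PINNED_TAG>"` (placeholder), or better an `@sha256:` digest. Separately, the `tmpdir` volume is mounted `readOnly: true` on the controller but writable in the deployment mount at the end of the hunk; if that asymmetry is deliberate a one-line comment would save the next reader from treating it as a copy-paste slip.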
index 735588d..ba77b5c 100644 (file)
@@ -1,37 +1,79 @@
-# This tests the following unrealted aspects of Ingress Controller
+# This tests the following unrelated aspects of Ingress Controller
 # - ingressController deploys with a database
+# - stream listens work
+# - a mixture of controller, Kong, and shared volumes successfully mount
+# - watchNamespaces is set
+# - the admission webhook is enabled; has the timeout explicitly set
 ingressController:
   enabled: true
+  admissionWebhook:
+    enabled: true
+    timeoutSeconds: 5
+  env:
+    anonymous_reports: "false"
+  envFrom:
+  - configMapRef:
+      name: env-config
+  customEnv:
+    TZ: "Europe/Berlin"
+  watchNamespaces:
+  - default
 postgresql:
   enabled: true
-  postgresqlUsername: kong
-  postgresqlDatabase: kong
-  service:
-    port: 5432
+  auth:
+    username: kong
+    password: kong
 env:
+  anonymous_reports: "off"
   database: "postgres"
+envFrom:
+- configMapRef:
+    name: env-config
 # - ingress resources are created without hosts
 admin:
-  type: NodePort
   ingress:
     enabled: true
     hosts: []
     path: /
 proxy:
-  type: NodePort
   ingress:
     enabled: true
-    hosts: []
+    hostname: proxy.kong.example
     annotations: {}
     path: /
-  useTLS: true
+# - add stream listens
+  stream:
+  - containerPort: 9000
+    servicePort: 9000
+    parameters: []
+  - containerPort: 9001
+    servicePort: 9001
+    parameters:
+    - ssl
 
-# - PDB is enabled
-podDisruptionBudget:
-  enabled: true
 # update strategy
 updateStrategy:
   type: "RollingUpdate"
   rollingUpdate:
     maxSurge: 1
     maxUnavailable: 0
+deployment:
+  initContainers:
+    - name: "bash"
+      image: "bash:latest"
+      command: ["/bin/sh", "-c", "true"]
+      resources:
+        limits:
+          cpu: "100m"
+          memory: "64Mi"
+        requests:
+          cpu: "100m"
+          memory: "64Mi"
+
+extraObjects:
+- apiVersion: v1
+  kind: ConfigMap
+  metadata:
+    name: env-config
+  data:
+    test-env: test
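Review bot: `postgresql.auth.password: kong` puts a plaintext, trivially guessable database credential into a values file under version control, and test5-values.yaml repeats it; anyone copying these CI fixtures as a starting point would ship it. Since this is a CI fixture the practical fix is to make that explicit, e.g. `# CI-only throwaway credential; real deployments should use postgresql.auth.existingSecret` above the `auth:` block, so the file is not mistaken for a reference configuration. The `env-config` ConfigMap referenced by both `envFrom` entries is created in the same file, which is fine as long as nothing sensitive is ever added to it.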
index 3b4f58e..76c5f35 100644 (file)
@@ -4,25 +4,38 @@ ingressController:
   enabled: false
 # - disable DB for kong
 env:
+  anonymous_reports: "off"
   database: "off"
 postgresql:
   enabled: false
-# - supply DBless config for kong
+deployment:
+  initContainers:
+    - name: "bash"
+      image: "bash:latest"
+      command: ["/bin/sh", "-c", "true"]
+      resources:
+        limits:
+          cpu: "100m"
+          memory: "64Mi"
+        requests:
+          cpu: "100m"
+          memory: "64Mi"
+      volumeMounts:
+      - name: "tmpdir"
+        mountPath: "/opt/tmp"
+  userDefinedVolumes:
+  - name: "tmpdir"
+    emptyDir: {}
+  userDefinedVolumeMounts:
+  - name: "tmpdir"
+    mountPath: "/opt/tmp"
 dblessConfig:
-  # Or the configuration is passed in full-text below
-  config:
+  config: |
     _format_version: "1.1"
     services:
-      - name: test-svc
+      - name: example.com
         url: http://example.com
         routes:
-        - name: test
+        - name: example
           paths:
-          - /test
-        plugins:
-        - name: request-termination
-          config:
-            status_code: 200
-            message: "dbless-config"
-proxy:
-  type: NodePort
+          - "/example"
diff --git a/helm/infrastructure/subcharts/kong/ci/test4-values.yaml b/helm/infrastructure/subcharts/kong/ci/test4-values.yaml
new file mode 100644 (file)
index 0000000..2f648ad
--- /dev/null
@@ -0,0 +1,35 @@
+# CI test for testing dbless deployment without ingress controllers using legacy admin listen and stream listens
+# - disable ingress controller
+ingressController:
+  enabled: false
+  env:
+    anonymous_reports: "false"
+
+# - disable DB for kong
+env:
+  anonymous_reports: "off"
+  database: "off"
+postgresql:
+  enabled: false
+proxy:
+# - add stream listens
+  stream:
+  - containerPort: 9000
+    servicePort: 9000
+    parameters: []
+  - containerPort: 9001
+    servicePort: 9001
+    parameters:
+    - ssl
+  ingress:
+    enabled: true
+dblessConfig:
+  config: |
+    _format_version: "1.1"
+    services:
+      - name: example.com
+        url: http://example.com
+        routes:
+        - name: example
+          paths:
+          - "/example"
diff --git a/helm/infrastructure/subcharts/kong/ci/test5-values.yaml b/helm/infrastructure/subcharts/kong/ci/test5-values.yaml
new file mode 100644 (file)
index 0000000..fbbdb65
--- /dev/null
@@ -0,0 +1,45 @@
+# This tests the following unrelated aspects of Ingress Controller
+# - ingressController deploys with a database
+# - TODO remove this test when https://github.com/Kong/charts/issues/295 is solved
+#   and its associated wait-for-db workaround is removed.
+#   This test is similar to test2-values.yaml, but lacks a stream listen.
+#   wait-for-db will _not_ create a socket file. This test ensures the workaround
+#   does not interfere with startup when there is no file to remove.
+
+ingressController:
+  enabled: true
+  env:
+    anonymous_reports: "false"
+postgresql:
+  enabled: true
+  auth:
+    username: kong
+    password: kong
+  service:
+    ports:
+      postgresql: 5432
+env:
+  anonymous_reports: "off"
+  database: "postgres"
+# Added example for customEnv
+customEnv:
+  client_id: "exampleId"
+# - ingress resources are created without hosts
+admin:
+  ingress:
+    enabled: true
+    hosts: []
+    path: /
+proxy:
+  ingress:
+    enabled: true
+    hostname: proxy.kong.example
+    annotations: {}
+    path: /
+
+# update strategy
+updateStrategy:
+  type: "RollingUpdate"
+  rollingUpdate:
+    maxSurge: 1
+    maxUnavailable: 0
diff --git a/helm/infrastructure/subcharts/kong/crds/custom-resource-definitions.yaml b/helm/infrastructure/subcharts/kong/crds/custom-resource-definitions.yaml
new file mode 100644 (file)
index 0000000..08081b9
--- /dev/null
@@ -0,0 +1,2940 @@
+# generated using: kubectl kustomize 'github.com/kong/kubernetes-ingress-controller/config/crd?ref=v3.1.0'
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.14.0
+  name: ingressclassparameterses.configuration.konghq.com
+spec:
+  group: configuration.konghq.com
+  names:
+    kind: IngressClassParameters
+    listKind: IngressClassParametersList
+    plural: ingressclassparameterses
+    singular: ingressclassparameters
+  scope: Namespaced
+  versions:
+  - name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        description: IngressClassParameters is the Schema for the IngressClassParameters
+          API.
+        properties:
+          apiVersion:
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+            type: string
+          kind:
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: Spec is the IngressClassParameters specification.
+            properties:
+              enableLegacyRegexDetection:
+                default: false
+                description: |-
+                  EnableLegacyRegexDetection automatically detects if ImplementationSpecific Ingress paths are regular expression
+                  paths using the legacy 2.x heuristic. The controller adds the "~" prefix to those paths if the Kong version is
+                  3.0 or higher.
+                type: boolean
+              serviceUpstream:
+                default: false
+                description: Offload load-balancing to kube-proxy or sidecar.
+                type: boolean
+            type: object
+        type: object
+    served: true
+    storage: true
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.14.0
+  name: kongclusterplugins.configuration.konghq.com
+spec:
+  group: configuration.konghq.com
+  names:
+    categories:
+    - kong-ingress-controller
+    kind: KongClusterPlugin
+    listKind: KongClusterPluginList
+    plural: kongclusterplugins
+    shortNames:
+    - kcp
+    singular: kongclusterplugin
+  scope: Cluster
+  versions:
+  - additionalPrinterColumns:
+    - description: Name of the plugin
+      jsonPath: .plugin
+      name: Plugin-Type
+      type: string
+    - description: Age
+      jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    - description: Indicates if the plugin is disabled
+      jsonPath: .disabled
+      name: Disabled
+      priority: 1
+      type: boolean
+    - description: Configuration of the plugin
+      jsonPath: .config
+      name: Config
+      priority: 1
+      type: string
+    - jsonPath: .status.conditions[?(@.type=="Programmed")].status
+      name: Programmed
+      type: string
+    name: v1
+    schema:
+      openAPIV3Schema:
+        description: KongClusterPlugin is the Schema for the kongclusterplugins API.
+        properties:
+          apiVersion:
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+            type: string
+          config:
+            description: |-
+              Config contains the plugin configuration. It's a list of keys and values
+              required to configure the plugin.
+              Please read the documentation of the plugin being configured to set values
+              in here. For any plugin in Kong, anything that goes in the `config` JSON
+              key in the Admin API request, goes into this property.
+              Only one of `config` or `configFrom` may be used in a KongClusterPlugin, not both at once.
+            type: object
+            x-kubernetes-preserve-unknown-fields: true
+          configFrom:
+            description: |-
+              ConfigFrom references a secret containing the plugin configuration.
+              This should be used when the plugin configuration contains sensitive information,
+              such as AWS credentials in the Lambda plugin or the client secret in the OIDC plugin.
+              Only one of `config` or `configFrom` may be used in a KongClusterPlugin, not both at once.
+            properties:
+              secretKeyRef:
+                description: Specifies a name, a namespace, and a key of a secret
+                  to refer to.
+                properties:
+                  key:
+                    description: The key containing the value.
+                    type: string
+                  name:
+                    description: The secret containing the key.
+                    type: string
+                  namespace:
+                    description: The namespace containing the secret.
+                    type: string
+                required:
+                - key
+                - name
+                - namespace
+                type: object
+            required:
+            - secretKeyRef
+            type: object
+          configPatches:
+            description: |-
+              ConfigPatches represents JSON patches to the configuration of the plugin.
+              Each item means a JSON patch to add something in the configuration,
+              where path is specified in `path` and value is in `valueFrom` referencing
+              a key in a secret.
+              When Config is specified, patches will be applied to the configuration in Config.
+              Otherwise, patches will be applied to an empty object.
+            items:
+              description: |-
+                NamespacedConfigPatch is a JSON patch to add values from secrets to KongClusterPlugin
+                to the generated configuration of plugin in Kong.
+              properties:
+                path:
+                  description: Path is the JSON path to add the patch.
+                  type: string
+                valueFrom:
+                  description: ValueFrom is the reference to a key of a secret where
+                    the patched value comes from.
+                  properties:
+                    secretKeyRef:
+                      description: Specifies a name, a namespace, and a key of a secret
+                        to refer to.
+                      properties:
+                        key:
+                          description: The key containing the value.
+                          type: string
+                        name:
+                          description: The secret containing the key.
+                          type: string
+                        namespace:
+                          description: The namespace containing the secret.
+                          type: string
+                      required:
+                      - key
+                      - name
+                      - namespace
+                      type: object
+                  required:
+                  - secretKeyRef
+                  type: object
+              required:
+              - path
+              - valueFrom
+              type: object
+            type: array
+          consumerRef:
+            description: ConsumerRef is a reference to a particular consumer.
+            type: string
+          disabled:
+            description: Disabled set if the plugin is disabled or not.
+            type: boolean
+          instance_name:
+            description: |-
+              InstanceName is an optional custom name to identify an instance of the plugin. This is useful when running the
+              same plugin in multiple contexts, for example, on multiple services.
+            type: string
+          kind:
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+            type: string
+          metadata:
+            type: object
+          ordering:
+            description: |-
+              Ordering overrides the normal plugin execution order. It's only available on Kong Enterprise.
+              `<phase>` is a request processing phase (for example, `access` or `body_filter`) and
+              `<plugin>` is the name of the plugin that will run before or after the KongPlugin.
+              For example, a KongPlugin with `plugin: rate-limiting` and `before.access: ["key-auth"]`
+              will create a rate limiting plugin that limits requests _before_ they are authenticated.
+            properties:
+              after:
+                additionalProperties:
+                  items:
+                    type: string
+                  type: array
+                description: PluginOrderingPhase indicates which plugins in a phase
+                  should affect the target plugin's order
+                type: object
+              before:
+                additionalProperties:
+                  items:
+                    type: string
+                  type: array
+                description: PluginOrderingPhase indicates which plugins in a phase
+                  should affect the target plugin's order
+                type: object
+            type: object
+          plugin:
+            description: PluginName is the name of the plugin to which to apply the
+              config.
+            type: string
+          protocols:
+            description: |-
+              Protocols configures plugin to run on requests received on specific
+              protocols.
+            items:
+              description: |-
+                KongProtocol is a valid Kong protocol.
+                This alias is necessary to deal with https://github.com/kubernetes-sigs/controller-tools/issues/342
+              enum:
+              - http
+              - https
+              - grpc
+              - grpcs
+              - tcp
+              - tls
+              - udp
+              type: string
+            type: array
+          run_on:
+            description: |-
+              RunOn configures the plugin to run on the first or the second or both
+              nodes in case of a service mesh deployment.
+            enum:
+            - first
+            - second
+            - all
+            type: string
+          status:
+            description: Status represents the current status of the KongClusterPlugin
+              resource.
+            properties:
+              conditions:
+                default:
+                - lastTransitionTime: "1970-01-01T00:00:00Z"
+                  message: Waiting for controller
+                  reason: Pending
+                  status: Unknown
+                  type: Programmed
+                description: |-
+                  Conditions describe the current conditions of the KongClusterPluginStatus.
+
+
+                  Known condition types are:
+
+
+                  * "Programmed"
+                items:
+                  description: "Condition contains details for one aspect of the current
+                    state of this API Resource.\n---\nThis struct is intended for
+                    direct use as an array at the field path .status.conditions.  For
+                    example,\n\n\n\ttype FooStatus struct{\n\t    // Represents the
+                    observations of a foo's current state.\n\t    // Known .status.conditions.type
+                    are: \"Available\", \"Progressing\", and \"Degraded\"\n\t    //
+                    +patchMergeKey=type\n\t    // +patchStrategy=merge\n\t    // +listType=map\n\t
+                    \   // +listMapKey=type\n\t    Conditions []metav1.Condition `json:\"conditions,omitempty\"
+                    patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t
+                    \   // other fields\n\t}"
+                  properties:
+                    lastTransitionTime:
+                      description: |-
+                        lastTransitionTime is the last time the condition transitioned from one status to another.
+                        This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
+                      format: date-time
+                      type: string
+                    message:
+                      description: |-
+                        message is a human readable message indicating details about the transition.
+                        This may be an empty string.
+                      maxLength: 32768
+                      type: string
+                    observedGeneration:
+                      description: |-
+                        observedGeneration represents the .metadata.generation that the condition was set based upon.
+                        For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+                        with respect to the current state of the instance.
+                      format: int64
+                      minimum: 0
+                      type: integer
+                    reason:
+                      description: |-
+                        reason contains a programmatic identifier indicating the reason for the condition's last transition.
+                        Producers of specific condition types may define expected values and meanings for this field,
+                        and whether the values are considered a guaranteed API.
+                        The value should be a CamelCase string.
+                        This field may not be empty.
+                      maxLength: 1024
+                      minLength: 1
+                      pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+                      type: string
+                    status:
+                      description: status of the condition, one of True, False, Unknown.
+                      enum:
+                      - "True"
+                      - "False"
+                      - Unknown
+                      type: string
+                    type:
+                      description: |-
+                        type of condition in CamelCase or in foo.example.com/CamelCase.
+                        ---
+                        Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
+                        useful (see .node.status.conditions), the ability to deconflict is important.
+                        The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+                      maxLength: 316
+                      pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+                      type: string
+                  required:
+                  - lastTransitionTime
+                  - message
+                  - reason
+                  - status
+                  - type
+                  type: object
+                maxItems: 8
+                type: array
+                x-kubernetes-list-map-keys:
+                - type
+                x-kubernetes-list-type: map
+            type: object
+        required:
+        - plugin
+        type: object
+        x-kubernetes-validations:
+        - message: Using both config and configFrom fields is not allowed.
+          rule: '!(has(self.config) && has(self.configFrom))'
+        - message: Using both configFrom and configPatches fields is not allowed.
+          rule: '!(has(self.configFrom) && has(self.configPatches))'
+        - message: The plugin field is immutable
+          rule: self.plugin == oldSelf.plugin
+    served: true
+    storage: true
+    subresources:
+      status: {}
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.14.0
+  name: kongconsumergroups.configuration.konghq.com
+spec:
+  group: configuration.konghq.com
+  names:
+    categories:
+    - kong-ingress-controller
+    kind: KongConsumerGroup
+    listKind: KongConsumerGroupList
+    plural: kongconsumergroups
+    shortNames:
+    - kcg
+    singular: kongconsumergroup
+  scope: Namespaced
+  versions:
+  - additionalPrinterColumns:
+    - description: Age
+      jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    - jsonPath: .status.conditions[?(@.type=="Programmed")].status
+      name: Programmed
+      type: string
+    name: v1beta1
+    schema:
+      openAPIV3Schema:
+        description: KongConsumerGroup is the Schema for the kongconsumergroups API.
+        properties:
+          apiVersion:
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+            type: string
+          kind:
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+            type: string
+          metadata:
+            type: object
+          status:
+            description: Status represents the current status of the KongConsumerGroup
+              resource.
+            properties:
+              conditions:
+                default:
+                - lastTransitionTime: "1970-01-01T00:00:00Z"
+                  message: Waiting for controller
+                  reason: Pending
+                  status: Unknown
+                  type: Programmed
+                description: |-
+                  Conditions describe the current conditions of the KongConsumerGroup.
+
+
+                  Known condition types are:
+
+
+                  * "Programmed"
+                items:
+                  description: "Condition contains details for one aspect of the current
+                    state of this API Resource.\n---\nThis struct is intended for
+                    direct use as an array at the field path .status.conditions.  For
+                    example,\n\n\n\ttype FooStatus struct{\n\t    // Represents the
+                    observations of a foo's current state.\n\t    // Known .status.conditions.type
+                    are: \"Available\", \"Progressing\", and \"Degraded\"\n\t    //
+                    +patchMergeKey=type\n\t    // +patchStrategy=merge\n\t    // +listType=map\n\t
+                    \   // +listMapKey=type\n\t    Conditions []metav1.Condition `json:\"conditions,omitempty\"
+                    patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t
+                    \   // other fields\n\t}"
+                  properties:
+                    lastTransitionTime:
+                      description: |-
+                        lastTransitionTime is the last time the condition transitioned from one status to another.
+                        This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
+                      format: date-time
+                      type: string
+                    message:
+                      description: |-
+                        message is a human readable message indicating details about the transition.
+                        This may be an empty string.
+                      maxLength: 32768
+                      type: string
+                    observedGeneration:
+                      description: |-
+                        observedGeneration represents the .metadata.generation that the condition was set based upon.
+                        For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+                        with respect to the current state of the instance.
+                      format: int64
+                      minimum: 0
+                      type: integer
+                    reason:
+                      description: |-
+                        reason contains a programmatic identifier indicating the reason for the condition's last transition.
+                        Producers of specific condition types may define expected values and meanings for this field,
+                        and whether the values are considered a guaranteed API.
+                        The value should be a CamelCase string.
+                        This field may not be empty.
+                      maxLength: 1024
+                      minLength: 1
+                      pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+                      type: string
+                    status:
+                      description: status of the condition, one of True, False, Unknown.
+                      enum:
+                      - "True"
+                      - "False"
+                      - Unknown
+                      type: string
+                    type:
+                      description: |-
+                        type of condition in CamelCase or in foo.example.com/CamelCase.
+                        ---
+                        Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
+                        useful (see .node.status.conditions), the ability to deconflict is important.
+                        The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+                      maxLength: 316
+                      pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+                      type: string
+                  required:
+                  - lastTransitionTime
+                  - message
+                  - reason
+                  - status
+                  - type
+                  type: object
+                maxItems: 8
+                type: array
+                x-kubernetes-list-map-keys:
+                - type
+                x-kubernetes-list-type: map
+            type: object
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.14.0
+  name: kongconsumers.configuration.konghq.com
+spec:
+  group: configuration.konghq.com
+  names:
+    categories:
+    - kong-ingress-controller
+    kind: KongConsumer
+    listKind: KongConsumerList
+    plural: kongconsumers
+    shortNames:
+    - kc
+    singular: kongconsumer
+  scope: Namespaced
+  versions:
+  - additionalPrinterColumns:
+    - description: Username of a Kong Consumer
+      jsonPath: .username
+      name: Username
+      type: string
+    - description: Age
+      jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    - jsonPath: .status.conditions[?(@.type=="Programmed")].status
+      name: Programmed
+      type: string
+    name: v1
+    schema:
+      openAPIV3Schema:
+        description: KongConsumer is the Schema for the kongconsumers API.
+        properties:
+          apiVersion:
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+            type: string
+          consumerGroups:
+            description: |-
+              ConsumerGroups are references to consumer groups (that consumer wants to be part of)
+              provisioned in Kong.
+            items:
+              type: string
+            type: array
+          credentials:
+            description: |-
+              Credentials are references to secrets containing a credential to be
+              provisioned in Kong.
+            items:
+              type: string
+            type: array
+          custom_id:
+            description: |-
+              CustomID is a Kong cluster-unique existing ID for the consumer - useful for mapping
+              Kong with users in your existing database.
+            type: string
+          kind:
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+            type: string
+          metadata:
+            type: object
+          status:
+            description: Status represents the current status of the KongConsumer
+              resource.
+            properties:
+              conditions:
+                default:
+                - lastTransitionTime: "1970-01-01T00:00:00Z"
+                  message: Waiting for controller
+                  reason: Pending
+                  status: Unknown
+                  type: Programmed
+                description: |-
+                  Conditions describe the current conditions of the KongConsumer.
+
+
+                  Known condition types are:
+
+
+                  * "Programmed"
+                items:
+                  description: "Condition contains details for one aspect of the current
+                    state of this API Resource.\n---\nThis struct is intended for
+                    direct use as an array at the field path .status.conditions.  For
+                    example,\n\n\n\ttype FooStatus struct{\n\t    // Represents the
+                    observations of a foo's current state.\n\t    // Known .status.conditions.type
+                    are: \"Available\", \"Progressing\", and \"Degraded\"\n\t    //
+                    +patchMergeKey=type\n\t    // +patchStrategy=merge\n\t    // +listType=map\n\t
+                    \   // +listMapKey=type\n\t    Conditions []metav1.Condition `json:\"conditions,omitempty\"
+                    patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t
+                    \   // other fields\n\t}"
+                  properties:
+                    lastTransitionTime:
+                      description: |-
+                        lastTransitionTime is the last time the condition transitioned from one status to another.
+                        This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
+                      format: date-time
+                      type: string
+                    message:
+                      description: |-
+                        message is a human readable message indicating details about the transition.
+                        This may be an empty string.
+                      maxLength: 32768
+                      type: string
+                    observedGeneration:
+                      description: |-
+                        observedGeneration represents the .metadata.generation that the condition was set based upon.
+                        For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+                        with respect to the current state of the instance.
+                      format: int64
+                      minimum: 0
+                      type: integer
+                    reason:
+                      description: |-
+                        reason contains a programmatic identifier indicating the reason for the condition's last transition.
+                        Producers of specific condition types may define expected values and meanings for this field,
+                        and whether the values are considered a guaranteed API.
+                        The value should be a CamelCase string.
+                        This field may not be empty.
+                      maxLength: 1024
+                      minLength: 1
+                      pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+                      type: string
+                    status:
+                      description: status of the condition, one of True, False, Unknown.
+                      enum:
+                      - "True"
+                      - "False"
+                      - Unknown
+                      type: string
+                    type:
+                      description: |-
+                        type of condition in CamelCase or in foo.example.com/CamelCase.
+                        ---
+                        Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
+                        useful (see .node.status.conditions), the ability to deconflict is important.
+                        The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+                      maxLength: 316
+                      pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+                      type: string
+                  required:
+                  - lastTransitionTime
+                  - message
+                  - reason
+                  - status
+                  - type
+                  type: object
+                maxItems: 8
+                type: array
+                x-kubernetes-list-map-keys:
+                - type
+                x-kubernetes-list-type: map
+            type: object
+          username:
+            description: Username is a Kong cluster-unique username of the consumer.
+            type: string
+        type: object
+        x-kubernetes-validations:
+        - message: Need to provide either username or custom_id
+          rule: has(self.username) || has(self.custom_id)
+    served: true
+    storage: true
+    subresources:
+      status: {}
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.14.0
+  name: kongingresses.configuration.konghq.com
+spec:
+  group: configuration.konghq.com
+  names:
+    categories:
+    - kong-ingress-controller
+    kind: KongIngress
+    listKind: KongIngressList
+    plural: kongingresses
+    shortNames:
+    - ki
+    singular: kongingress
+  scope: Namespaced
+  versions:
+  - name: v1
+    schema:
+      openAPIV3Schema:
+        description: KongIngress is the Schema for the kongingresses API.
+        properties:
+          apiVersion:
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+            type: string
+          kind:
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+            type: string
+          metadata:
+            type: object
+          proxy:
+            description: |-
+              Proxy defines additional connection options for the routes to be configured in the
+              Kong Gateway, e.g. `connection_timeout`, `retries`, etc.
+            properties:
+              connect_timeout:
+                description: "The timeout in milliseconds for\testablishing a connection
+                  to the upstream server.\nDeprecated: use Service's \"konghq.com/connect-timeout\"
+                  annotation instead."
+                minimum: 0
+                type: integer
+              path:
+                description: |-
+                  (optional) The path to be used in requests to the upstream server.
+                  Deprecated: use Service's "konghq.com/path" annotation instead.
+                pattern: ^/.*$
+                type: string
+              protocol:
+                description: |-
+                  The protocol used to communicate with the upstream.
+                  Deprecated: use Service's "konghq.com/protocol" annotation instead.
+                enum:
+                - http
+                - https
+                - grpc
+                - grpcs
+                - tcp
+                - tls
+                - udp
+                type: string
+              read_timeout:
+                description: |-
+                  The timeout in milliseconds between two successive read operations
+                  for transmitting a request to the upstream server.
+                  Deprecated: use Service's "konghq.com/read-timeout" annotation instead.
+                minimum: 0
+                type: integer
+              retries:
+                description: |-
+                  The number of retries to execute upon failure to proxy.
+                  Deprecated: use Service's "konghq.com/retries" annotation instead.
+                minimum: 0
+                type: integer
+              write_timeout:
+                description: |-
+                  The timeout in milliseconds between two successive write operations
+                  for transmitting a request to the upstream server.
+                  Deprecated: use Service's "konghq.com/write-timeout" annotation instead.
+                minimum: 0
+                type: integer
+            type: object
+          route:
+            description: |-
+              Route define rules to match client requests.
+              Each Route is associated with a Service,
+              and a Service may have multiple Routes associated to it.
+            properties:
+              headers:
+                additionalProperties:
+                  items:
+                    type: string
+                  type: array
+                description: |-
+                  Headers contains one or more lists of values indexed by header name
+                  that will cause this Route to match if present in the request.
+                  The Host header cannot be used with this attribute.
+                  Deprecated: use Ingress' "konghq.com/headers" annotation instead.
+                type: object
+              https_redirect_status_code:
+                description: |-
+                  HTTPSRedirectStatusCode is the status code Kong responds with
+                  when all properties of a Route match except the protocol.
+                  Deprecated: use Ingress' "ingress.kubernetes.io/force-ssl-redirect" or
+                  "konghq.com/https-redirect-status-code" annotations instead.
+                type: integer
+              methods:
+                description: |-
+                  Methods is a list of HTTP methods that match this Route.
+                  Deprecated: use Ingress' "konghq.com/methods" annotation instead.
+                items:
+                  type: string
+                type: array
+              path_handling:
+                description: |-
+                  PathHandling controls how the Service path, Route path and requested path
+                  are combined when sending a request to the upstream.
+                  Deprecated: use Ingress' "konghq.com/path-handling" annotation instead.
+                enum:
+                - v0
+                - v1
+                type: string
+              preserve_host:
+                description: |-
+                  PreserveHost sets When matching a Route via one of the hosts domain names,
+                  use the request Host header in the upstream request headers.
+                  If set to false, the upstream Host header will be that of the Service’s host.
+                  Deprecated: use Ingress' "konghq.com/preserve-host" annotation instead.
+                type: boolean
+              protocols:
+                description: |-
+                  Protocols is an array of the protocols this Route should allow.
+                  Deprecated: use Ingress' "konghq.com/protocols" annotation instead.
+                items:
+                  description: |-
+                    KongProtocol is a valid Kong protocol.
+                    This alias is necessary to deal with https://github.com/kubernetes-sigs/controller-tools/issues/342
+                  enum:
+                  - http
+                  - https
+                  - grpc
+                  - grpcs
+                  - tcp
+                  - tls
+                  - udp
+                  type: string
+                type: array
+              regex_priority:
+                description: |-
+                  RegexPriority is a number used to choose which route resolves a given request
+                  when several routes match it using regexes simultaneously.
+                  Deprecated: use Ingress' "konghq.com/regex-priority" annotation instead.
+                type: integer
+              request_buffering:
+                description: |-
+                  RequestBuffering sets whether to enable request body buffering or not.
+                  Deprecated: use Ingress' "konghq.com/request-buffering" annotation instead.
+                type: boolean
+              response_buffering:
+                description: |-
+                  ResponseBuffering sets whether to enable response body buffering or not.
+                  Deprecated: use Ingress' "konghq.com/response-buffering" annotation instead.
+                type: boolean
+              snis:
+                description: |-
+                  SNIs is a list of SNIs that match this Route when using stream routing.
+                  Deprecated: use Ingress' "konghq.com/snis" annotation instead.
+                items:
+                  type: string
+                type: array
+              strip_path:
+                description: |-
+                  StripPath sets When matching a Route via one of the paths
+                  strip the matching prefix from the upstream request URL.
+                  Deprecated: use Ingress' "konghq.com/strip-path" annotation instead.
+                type: boolean
+            type: object
+          upstream:
+            description: |-
+              Upstream represents a virtual hostname and can be used to loadbalance
+              incoming requests over multiple targets (e.g. Kubernetes `Services` can
+              be a target, OR `Endpoints` can be targets).
+            properties:
+              algorithm:
+                description: |-
+                  Algorithm is the load balancing algorithm to use.
+                  Accepted values are: "round-robin", "consistent-hashing", "least-connections", "latency".
+                enum:
+                - round-robin
+                - consistent-hashing
+                - least-connections
+                - latency
+                type: string
+              hash_fallback:
+                description: |-
+                  HashFallback defines What to use as hashing input
+                  if the primary hash_on does not return a hash.
+                  Accepted values are: "none", "consumer", "ip", "header", "cookie".
+                type: string
+              hash_fallback_header:
+                description: |-
+                  HashFallbackHeader is the header name to take the value from as hash input.
+                  Only required when "hash_fallback" is set to "header".
+                type: string
+              hash_fallback_query_arg:
+                description: HashFallbackQueryArg is the "hash_fallback" version of
+                  HashOnQueryArg.
+                type: string
+              hash_fallback_uri_capture:
+                description: HashFallbackURICapture is the "hash_fallback" version
+                  of HashOnURICapture.
+                type: string
+              hash_on:
+                description: |-
+                  HashOn defines what to use as hashing input.
+                  Accepted values are: "none", "consumer", "ip", "header", "cookie", "path", "query_arg", "uri_capture".
+                type: string
+              hash_on_cookie:
+                description: |-
+                  The cookie name to take the value from as hash input.
+                  Only required when "hash_on" or "hash_fallback" is set to "cookie".
+                type: string
+              hash_on_cookie_path:
+                description: |-
+                  The cookie path to set in the response headers.
+                  Only required when "hash_on" or "hash_fallback" is set to "cookie".
+                type: string
+              hash_on_header:
+                description: |-
+                  HashOnHeader defines the header name to take the value from as hash input.
+                  Only required when "hash_on" is set to "header".
+                type: string
+              hash_on_query_arg:
+                description: HashOnQueryArg is the query string parameter whose value
+                  is the hash input when "hash_on" is set to "query_arg".
+                type: string
+              hash_on_uri_capture:
+                description: |-
+                  HashOnURICapture is the name of the capture group whose value is the hash input when "hash_on" is set to
+                  "uri_capture".
+                type: string
+              healthchecks:
+                description: Healthchecks defines the health check configurations
+                  in Kong.
+                properties:
+                  active:
+                    description: ActiveHealthcheck configures active health check
+                      probing.
+                    properties:
+                      concurrency:
+                        minimum: 1
+                        type: integer
+                      headers:
+                        additionalProperties:
+                          items:
+                            type: string
+                          type: array
+                        type: object
+                      healthy:
+                        description: |-
+                          Healthy configures thresholds and HTTP status codes
+                          to mark targets healthy for an upstream.
+                        properties:
+                          http_statuses:
+                            items:
+                              type: integer
+                            type: array
+                          interval:
+                            minimum: 0
+                            type: integer
+                          successes:
+                            minimum: 0
+                            type: integer
+                        type: object
+                      http_path:
+                        pattern: ^/.*$
+                        type: string
+                      https_sni:
+                        type: string
+                      https_verify_certificate:
+                        type: boolean
+                      timeout:
+                        minimum: 0
+                        type: integer
+                      type:
+                        type: string
+                      unhealthy:
+                        description: |-
+                          Unhealthy configures thresholds and HTTP status codes
+                          to mark targets unhealthy.
+                        properties:
+                          http_failures:
+                            minimum: 0
+                            type: integer
+                          http_statuses:
+                            items:
+                              type: integer
+                            type: array
+                          interval:
+                            minimum: 0
+                            type: integer
+                          tcp_failures:
+                            minimum: 0
+                            type: integer
+                          timeouts:
+                            minimum: 0
+                            type: integer
+                        type: object
+                    type: object
+                  passive:
+                    description: |-
+                      PassiveHealthcheck configures passive checks around
+                      passive health checks.
+                    properties:
+                      healthy:
+                        description: |-
+                          Healthy configures thresholds and HTTP status codes
+                          to mark targets healthy for an upstream.
+                        properties:
+                          http_statuses:
+                            items:
+                              type: integer
+                            type: array
+                          interval:
+                            minimum: 0
+                            type: integer
+                          successes:
+                            minimum: 0
+                            type: integer
+                        type: object
+                      type:
+                        type: string
+                      unhealthy:
+                        description: |-
+                          Unhealthy configures thresholds and HTTP status codes
+                          to mark targets unhealthy.
+                        properties:
+                          http_failures:
+                            minimum: 0
+                            type: integer
+                          http_statuses:
+                            items:
+                              type: integer
+                            type: array
+                          interval:
+                            minimum: 0
+                            type: integer
+                          tcp_failures:
+                            minimum: 0
+                            type: integer
+                          timeouts:
+                            minimum: 0
+                            type: integer
+                        type: object
+                    type: object
+                  threshold:
+                    type: number
+                type: object
+              host_header:
+                description: |-
+                  HostHeader is The hostname to be used as Host header
+                  when proxying requests through Kong.
+                type: string
+              slots:
+                description: Slots is the number of slots in the load balancer algorithm.
+                minimum: 10
+                type: integer
+            type: object
+        type: object
+        x-kubernetes-validations:
+        - message: '''proxy'' field is no longer supported, use Service''s annotations
+            instead'
+          rule: '!has(self.proxy)'
+        - message: '''route'' field is no longer supported, use Ingress'' annotations
+            instead'
+          rule: '!has(self.route)'
+    served: true
+    storage: true
+    subresources:
+      status: {}
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.14.0
+  name: konglicenses.configuration.konghq.com
+spec:
+  group: configuration.konghq.com
+  names:
+    categories:
+    - kong-ingress-controller
+    kind: KongLicense
+    listKind: KongLicenseList
+    plural: konglicenses
+    shortNames:
+    - kl
+    singular: konglicense
+  scope: Cluster
+  versions:
+  - additionalPrinterColumns:
+    - description: Age
+      jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    - description: Enabled to configure on Kong gateway instances
+      jsonPath: .enabled
+      name: Enabled
+      type: boolean
+    name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        description: KongLicense stores a Kong enterprise license to apply to managed
+          Kong gateway instances.
+        properties:
+          apiVersion:
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+            type: string
+          enabled:
+            default: true
+            description: |-
+              Enabled is set to true to let controllers (like KIC or KGO) to reconcile it.
+              Default value is true to apply the license by default.
+            type: boolean
+          kind:
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+            type: string
+          metadata:
+            type: object
+          rawLicenseString:
+            description: RawLicenseString is a string with the raw content of the
+              license.
+            type: string
+          status:
+            description: Status is the status of the KongLicense being processed by
+              controllers.
+            properties:
+              controllers:
+                items:
+                  description: |-
+                    KongLicenseControllerStatus is the status of owning KongLicense being processed
+                    identified by the controllerName field.
+                  properties:
+                    conditions:
+                      default:
+                      - lastTransitionTime: "1970-01-01T00:00:00Z"
+                        message: Waiting for controller
+                        reason: Pending
+                        status: Unknown
+                        type: Programmed
+                      description: Conditions describe the current conditions of the
+                        KongLicense on the controller.
+                      items:
+                        description: "Condition contains details for one aspect of
+                          the current state of this API Resource.\n---\nThis struct
+                          is intended for direct use as an array at the field path
+                          .status.conditions.  For example,\n\n\n\ttype FooStatus
+                          struct{\n\t    // Represents the observations of a foo's
+                          current state.\n\t    // Known .status.conditions.type are:
+                          \"Available\", \"Progressing\", and \"Degraded\"\n\t    //
+                          +patchMergeKey=type\n\t    // +patchStrategy=merge\n\t    //
+                          +listType=map\n\t    // +listMapKey=type\n\t    Conditions
+                          []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\"
+                          patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t
+                          \   // other fields\n\t}"
+                        properties:
+                          lastTransitionTime:
+                            description: |-
+                              lastTransitionTime is the last time the condition transitioned from one status to another.
+                              This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
+                            format: date-time
+                            type: string
+                          message:
+                            description: |-
+                              message is a human readable message indicating details about the transition.
+                              This may be an empty string.
+                            maxLength: 32768
+                            type: string
+                          observedGeneration:
+                            description: |-
+                              observedGeneration represents the .metadata.generation that the condition was set based upon.
+                              For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+                              with respect to the current state of the instance.
+                            format: int64
+                            minimum: 0
+                            type: integer
+                          reason:
+                            description: |-
+                              reason contains a programmatic identifier indicating the reason for the condition's last transition.
+                              Producers of specific condition types may define expected values and meanings for this field,
+                              and whether the values are considered a guaranteed API.
+                              The value should be a CamelCase string.
+                              This field may not be empty.
+                            maxLength: 1024
+                            minLength: 1
+                            pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+                            type: string
+                          status:
+                            description: status of the condition, one of True, False,
+                              Unknown.
+                            enum:
+                            - "True"
+                            - "False"
+                            - Unknown
+                            type: string
+                          type:
+                            description: |-
+                              type of condition in CamelCase or in foo.example.com/CamelCase.
+                              ---
+                              Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
+                              useful (see .node.status.conditions), the ability to deconflict is important.
+                              The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+                            maxLength: 316
+                            pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+                            type: string
+                        required:
+                        - lastTransitionTime
+                        - message
+                        - reason
+                        - status
+                        - type
+                        type: object
+                      maxItems: 8
+                      type: array
+                      x-kubernetes-list-map-keys:
+                      - type
+                      x-kubernetes-list-type: map
+                    controllerName:
+                      description: |-
+                        ControllerName is an identifier of the controller to reconcile this KongLicense.
+                        Should be unique in the list of controller statuses.
+                      type: string
+                    controllerRef:
+                      description: |-
+                        ControllerRef is the reference of the controller to reconcile this KongLicense.
+                        It is usually the name of (KIC/KGO) pod that reconciles it.
+                      properties:
+                        group:
+                          description: |-
+                            Group is the group of referent.
+                            It should be empty if the referent is in "core" group (like pod).
+                          maxLength: 253
+                          pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+                          type: string
+                        kind:
+                          description: |-
+                            Kind is the kind of the referent.
+                            By default the nil kind means kind Pod.
+                          maxLength: 63
+                          minLength: 1
+                          pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+                          type: string
+                        name:
+                          description: Name is the name of the referent.
+                          maxLength: 253
+                          minLength: 1
+                          type: string
+                        namespace:
+                          description: |-
+                            Namespace is the namespace of the referent.
+                            It should be empty if the referent is cluster scoped.
+                          maxLength: 63
+                          minLength: 1
+                          pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+                          type: string
+                      required:
+                      - name
+                      type: object
+                  required:
+                  - controllerName
+                  type: object
+                type: array
+                x-kubernetes-list-map-keys:
+                - controllerName
+                x-kubernetes-list-type: map
+            type: object
+        required:
+        - enabled
+        - rawLicenseString
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.14.0
+  name: kongplugins.configuration.konghq.com
+spec:
+  group: configuration.konghq.com
+  names:
+    categories:
+    - kong-ingress-controller
+    kind: KongPlugin
+    listKind: KongPluginList
+    plural: kongplugins
+    shortNames:
+    - kp
+    singular: kongplugin
+  scope: Namespaced
+  versions:
+  - additionalPrinterColumns:
+    - description: Name of the plugin
+      jsonPath: .plugin
+      name: Plugin-Type
+      type: string
+    - description: Age
+      jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    - description: Indicates if the plugin is disabled
+      jsonPath: .disabled
+      name: Disabled
+      priority: 1
+      type: boolean
+    - description: Configuration of the plugin
+      jsonPath: .config
+      name: Config
+      priority: 1
+      type: string
+    - jsonPath: .status.conditions[?(@.type=="Programmed")].status
+      name: Programmed
+      type: string
+    name: v1
+    schema:
+      openAPIV3Schema:
+        description: KongPlugin is the Schema for the kongplugins API.
+        properties:
+          apiVersion:
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+            type: string
+          config:
+            description: |-
+              Config contains the plugin configuration. It's a list of keys and values
+              required to configure the plugin.
+              Please read the documentation of the plugin being configured to set values
+              in here. For any plugin in Kong, anything that goes in the `config` JSON
+              key in the Admin API request, goes into this property.
+              Only one of `config` or `configFrom` may be used in a KongPlugin, not both at once.
+            type: object
+            x-kubernetes-preserve-unknown-fields: true
+          configFrom:
+            description: |-
+              ConfigFrom references a secret containing the plugin configuration.
+              This should be used when the plugin configuration contains sensitive information,
+              such as AWS credentials in the Lambda plugin or the client secret in the OIDC plugin.
+              Only one of `config` or `configFrom` may be used in a KongPlugin, not both at once.
+            properties:
+              secretKeyRef:
+                description: Specifies a name and a key of a secret to refer to. The
+                  namespace is implicitly set to the one of referring object.
+                properties:
+                  key:
+                    description: The key containing the value.
+                    type: string
+                  name:
+                    description: The secret containing the key.
+                    type: string
+                required:
+                - key
+                - name
+                type: object
+            required:
+            - secretKeyRef
+            type: object
+          configPatches:
+            description: |-
+              ConfigPatches represents JSON patches to the configuration of the plugin.
+              Each item means a JSON patch to add something in the configuration,
+              where path is specified in `path` and value is in `valueFrom` referencing
+              a key in a secret.
+              When Config is specified, patches will be applied to the configuration in Config.
+              Otherwise, patches will be applied to an empty object.
+            items:
+              description: |-
+                ConfigPatch is a JSON patch (RFC6902) to add values from Secret to the generated configuration.
+                It is an equivalent of the following patch:
+                `{"op": "add", "path": {.Path}, "value": {.ComputedValueFrom}}`.
+              properties:
+                path:
+                  description: Path is the JSON-Pointer value (RFC6901) that references
+                    a location within the target configuration.
+                  type: string
+                valueFrom:
+                  description: ValueFrom is the reference to a key of a secret where
+                    the patched value comes from.
+                  properties:
+                    secretKeyRef:
+                      description: Specifies a name and a key of a secret to refer
+                        to. The namespace is implicitly set to the one of referring
+                        object.
+                      properties:
+                        key:
+                          description: The key containing the value.
+                          type: string
+                        name:
+                          description: The secret containing the key.
+                          type: string
+                      required:
+                      - key
+                      - name
+                      type: object
+                  required:
+                  - secretKeyRef
+                  type: object
+              required:
+              - path
+              - valueFrom
+              type: object
+            type: array
+          consumerRef:
+            description: ConsumerRef is a reference to a particular consumer.
+            type: string
+          disabled:
+            description: Disabled set if the plugin is disabled or not.
+            type: boolean
+          instance_name:
+            description: |-
+              InstanceName is an optional custom name to identify an instance of the plugin. This is useful when running the
+              same plugin in multiple contexts, for example, on multiple services.
+            type: string
+          kind:
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+            type: string
+          metadata:
+            type: object
+          ordering:
+            description: |-
+              Ordering overrides the normal plugin execution order. It's only available on Kong Enterprise.
+              `<phase>` is a request processing phase (for example, `access` or `body_filter`) and
+              `<plugin>` is the name of the plugin that will run before or after the KongPlugin.
+              For example, a KongPlugin with `plugin: rate-limiting` and `before.access: ["key-auth"]`
+              will create a rate limiting plugin that limits requests _before_ they are authenticated.
+            properties:
+              after:
+                additionalProperties:
+                  items:
+                    type: string
+                  type: array
+                description: PluginOrderingPhase indicates which plugins in a phase
+                  should affect the target plugin's order
+                type: object
+              before:
+                additionalProperties:
+                  items:
+                    type: string
+                  type: array
+                description: PluginOrderingPhase indicates which plugins in a phase
+                  should affect the target plugin's order
+                type: object
+            type: object
+          plugin:
+            description: PluginName is the name of the plugin to which to apply the
+              config.
+            type: string
+          protocols:
+            description: |-
+              Protocols configures plugin to run on requests received on specific
+              protocols.
+            items:
+              description: |-
+                KongProtocol is a valid Kong protocol.
+                This alias is necessary to deal with https://github.com/kubernetes-sigs/controller-tools/issues/342
+              enum:
+              - http
+              - https
+              - grpc
+              - grpcs
+              - tcp
+              - tls
+              - udp
+              type: string
+            type: array
+          run_on:
+            description: |-
+              RunOn configures the plugin to run on the first or the second or both
+              nodes in case of a service mesh deployment.
+            enum:
+            - first
+            - second
+            - all
+            type: string
+          status:
+            description: Status represents the current status of the KongPlugin resource.
+            properties:
+              conditions:
+                default:
+                - lastTransitionTime: "1970-01-01T00:00:00Z"
+                  message: Waiting for controller
+                  reason: Pending
+                  status: Unknown
+                  type: Programmed
+                description: |-
+                  Conditions describe the current conditions of the KongPluginStatus.
+
+
+                  Known condition types are:
+
+
+                  * "Programmed"
+                items:
+                  description: "Condition contains details for one aspect of the current
+                    state of this API Resource.\n---\nThis struct is intended for
+                    direct use as an array at the field path .status.conditions.  For
+                    example,\n\n\n\ttype FooStatus struct{\n\t    // Represents the
+                    observations of a foo's current state.\n\t    // Known .status.conditions.type
+                    are: \"Available\", \"Progressing\", and \"Degraded\"\n\t    //
+                    +patchMergeKey=type\n\t    // +patchStrategy=merge\n\t    // +listType=map\n\t
+                    \   // +listMapKey=type\n\t    Conditions []metav1.Condition `json:\"conditions,omitempty\"
+                    patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t
+                    \   // other fields\n\t}"
+                  properties:
+                    lastTransitionTime:
+                      description: |-
+                        lastTransitionTime is the last time the condition transitioned from one status to another.
+                        This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
+                      format: date-time
+                      type: string
+                    message:
+                      description: |-
+                        message is a human readable message indicating details about the transition.
+                        This may be an empty string.
+                      maxLength: 32768
+                      type: string
+                    observedGeneration:
+                      description: |-
+                        observedGeneration represents the .metadata.generation that the condition was set based upon.
+                        For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+                        with respect to the current state of the instance.
+                      format: int64
+                      minimum: 0
+                      type: integer
+                    reason:
+                      description: |-
+                        reason contains a programmatic identifier indicating the reason for the condition's last transition.
+                        Producers of specific condition types may define expected values and meanings for this field,
+                        and whether the values are considered a guaranteed API.
+                        The value should be a CamelCase string.
+                        This field may not be empty.
+                      maxLength: 1024
+                      minLength: 1
+                      pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+                      type: string
+                    status:
+                      description: status of the condition, one of True, False, Unknown.
+                      enum:
+                      - "True"
+                      - "False"
+                      - Unknown
+                      type: string
+                    type:
+                      description: |-
+                        type of condition in CamelCase or in foo.example.com/CamelCase.
+                        ---
+                        Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
+                        useful (see .node.status.conditions), the ability to deconflict is important.
+                        The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+                      maxLength: 316
+                      pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+                      type: string
+                  required:
+                  - lastTransitionTime
+                  - message
+                  - reason
+                  - status
+                  - type
+                  type: object
+                maxItems: 8
+                type: array
+                x-kubernetes-list-map-keys:
+                - type
+                x-kubernetes-list-type: map
+            type: object
+        required:
+        - plugin
+        type: object
+        x-kubernetes-validations:
+        - message: Using both config and configFrom fields is not allowed.
+          rule: '!(has(self.config) && has(self.configFrom))'
+        - message: Using both configFrom and configPatches fields is not allowed.
+          rule: '!(has(self.configFrom) && has(self.configPatches))'
+        - message: The plugin field is immutable
+          rule: self.plugin == oldSelf.plugin
+    served: true
+    storage: true
+    subresources:
+      status: {}
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.14.0
+  labels:
+    gateway.networking.k8s.io/policy: direct
+  name: kongupstreampolicies.configuration.konghq.com
+spec:
+  group: configuration.konghq.com
+  names:
+    categories:
+    - kong-ingress-controller
+    kind: KongUpstreamPolicy
+    listKind: KongUpstreamPolicyList
+    plural: kongupstreampolicies
+    shortNames:
+    - kup
+    singular: kongupstreampolicy
+  scope: Namespaced
+  versions:
+  - name: v1beta1
+    schema:
+      openAPIV3Schema:
+        description: |-
+          KongUpstreamPolicy allows configuring algorithm that should be used for load balancing traffic between Kong
+          Upstream's Targets. It also allows configuring health checks for Kong Upstream's Targets.
+
+
+          Its configuration is similar to Kong Upstream object (https://docs.konghq.com/gateway/latest/admin-api/#upstream-object),
+          and it is applied to Kong Upstream objects created by the controller.
+
+
+          It can be attached to Services. To attach it to a Service, it has to be annotated with
+          `konghq.com/upstream-policy: <name>`, where `<name>` is the name of the KongUpstreamPolicy
+          object in the same namespace as the Service.
+
+
+          When attached to a Service, it will affect all Kong Upstreams created for the Service.
+
+
+          When attached to a Service used in a Gateway API *Route rule with multiple BackendRefs, all of its Services MUST
+          be configured with the same KongUpstreamPolicy. Otherwise, the controller will *ignore* the KongUpstreamPolicy.
+
+
+          Note: KongUpstreamPolicy doesn't implement Gateway API's GEP-713 strictly.
+          In particular, it doesn't use the TargetRef for attaching to Services and Gateway API *Routes - annotations are
+          used instead. This is to allow reusing the same KongUpstreamPolicy for multiple Services and Gateway API *Routes.
+        properties:
+          apiVersion:
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+            type: string
+          kind:
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: Spec contains the configuration of the Kong upstream.
+            properties:
+              algorithm:
+                description: |-
+                  Algorithm is the load balancing algorithm to use.
+                  Accepted values are: "round-robin", "consistent-hashing", "least-connections", "latency".
+                enum:
+                - round-robin
+                - consistent-hashing
+                - least-connections
+                - latency
+                type: string
+              hashOn:
+                description: |-
+                  HashOn defines how to calculate hash for consistent-hashing load balancing algorithm.
+                  Algorithm must be set to "consistent-hashing" for this field to have effect.
+                properties:
+                  cookie:
+                    description: Cookie is the name of the cookie to use as hash input.
+                    type: string
+                  cookiePath:
+                    description: CookiePath is cookie path to set in the response
+                      headers.
+                    type: string
+                  header:
+                    description: Header is the name of the header to use as hash input.
+                    type: string
+                  input:
+                    description: |-
+                      Input allows using one of the predefined inputs (ip, consumer, path).
+                      For other parametrized inputs, use one of the fields below.
+                    enum:
+                    - ip
+                    - consumer
+                    - path
+                    type: string
+                  queryArg:
+                    description: QueryArg is the name of the query argument to use
+                      as hash input.
+                    type: string
+                  uriCapture:
+                    description: URICapture is the name of the URI capture group to
+                      use as hash input.
+                    type: string
+                type: object
+              hashOnFallback:
+                description: |-
+                  HashOnFallback defines how to calculate hash for consistent-hashing load balancing algorithm if the primary hash
+                  function fails.
+                  Algorithm must be set to "consistent-hashing" for this field to have effect.
+                properties:
+                  cookie:
+                    description: Cookie is the name of the cookie to use as hash input.
+                    type: string
+                  cookiePath:
+                    description: CookiePath is cookie path to set in the response
+                      headers.
+                    type: string
+                  header:
+                    description: Header is the name of the header to use as hash input.
+                    type: string
+                  input:
+                    description: |-
+                      Input allows using one of the predefined inputs (ip, consumer, path).
+                      For other parametrized inputs, use one of the fields below.
+                    enum:
+                    - ip
+                    - consumer
+                    - path
+                    type: string
+                  queryArg:
+                    description: QueryArg is the name of the query argument to use
+                      as hash input.
+                    type: string
+                  uriCapture:
+                    description: URICapture is the name of the URI capture group to
+                      use as hash input.
+                    type: string
+                type: object
+              healthchecks:
+                description: Healthchecks defines the health check configurations
+                  in Kong.
+                properties:
+                  active:
+                    description: Active configures active health check probing.
+                    properties:
+                      concurrency:
+                        description: Concurrency is the number of targets to check
+                          concurrently.
+                        minimum: 1
+                        type: integer
+                      headers:
+                        additionalProperties:
+                          items:
+                            type: string
+                          type: array
+                        description: Headers is a list of HTTP headers to add to the
+                          probe request.
+                        type: object
+                      healthy:
+                        description: Healthy configures thresholds and HTTP status
+                          codes to mark targets healthy for an upstream.
+                        properties:
+                          httpStatuses:
+                            description: HTTPStatuses is a list of HTTP status codes
+                              that Kong considers a success.
+                            items:
+                              description: HTTPStatus is an HTTP status code.
+                              maximum: 599
+                              minimum: 100
+                              type: integer
+                            type: array
+                          interval:
+                            description: Interval is the interval between active health
+                              checks for an upstream in seconds when in a healthy
+                              state.
+                            minimum: 0
+                            type: integer
+                          successes:
+                            description: Successes is the number of successes to consider
+                              a target healthy.
+                            minimum: 0
+                            type: integer
+                        type: object
+                      httpPath:
+                        description: HTTPPath is the path to use in GET HTTP request
+                          to run as a probe.
+                        pattern: ^/.*$
+                        type: string
+                      httpsSni:
+                        description: HTTPSSNI is the SNI to use in GET HTTPS request
+                          to run as a probe.
+                        type: string
+                      httpsVerifyCertificate:
+                        description: HTTPSVerifyCertificate is a boolean value that
+                          indicates if the certificate should be verified.
+                        type: boolean
+                      timeout:
+                        description: Timeout is the probe timeout in seconds.
+                        minimum: 0
+                        type: integer
+                      type:
+                        description: |-
+                          Type determines whether to perform active health checks using HTTP or HTTPS, or just attempt a TCP connection.
+                          Accepted values are "http", "https", "tcp", "grpc", "grpcs".
+                        enum:
+                        - http
+                        - https
+                        - tcp
+                        - grpc
+                        - grpcs
+                        type: string
+                      unhealthy:
+                        description: Unhealthy configures thresholds and HTTP status
+                          codes to mark targets unhealthy for an upstream.
+                        properties:
+                          httpFailures:
+                            description: HTTPFailures is the number of failures to
+                              consider a target unhealthy.
+                            minimum: 0
+                            type: integer
+                          httpStatuses:
+                            description: HTTPStatuses is a list of HTTP status codes
+                              that Kong considers a failure.
+                            items:
+                              description: HTTPStatus is an HTTP status code.
+                              maximum: 599
+                              minimum: 100
+                              type: integer
+                            type: array
+                          interval:
+                            description: Interval is the interval between active health
+                              checks for an upstream in seconds when in an unhealthy
+                              state.
+                            minimum: 0
+                            type: integer
+                          tcpFailures:
+                            description: TCPFailures is the number of TCP failures
+                              in a row to consider a target unhealthy.
+                            minimum: 0
+                            type: integer
+                          timeouts:
+                            description: Timeouts is the number of timeouts in a row
+                              to consider a target unhealthy.
+                            minimum: 0
+                            type: integer
+                        type: object
+                    type: object
+                  passive:
+                    description: Passive configures passive health check probing.
+                    properties:
+                      healthy:
+                        description: Healthy configures thresholds and HTTP status
+                          codes to mark targets healthy for an upstream.
+                        properties:
+                          httpStatuses:
+                            description: HTTPStatuses is a list of HTTP status codes
+                              that Kong considers a success.
+                            items:
+                              description: HTTPStatus is an HTTP status code.
+                              maximum: 599
+                              minimum: 100
+                              type: integer
+                            type: array
+                          interval:
+                            description: Interval is the interval between active health
+                              checks for an upstream in seconds when in a healthy
+                              state.
+                            minimum: 0
+                            type: integer
+                          successes:
+                            description: Successes is the number of successes to consider
+                              a target healthy.
+                            minimum: 0
+                            type: integer
+                        type: object
+                      type:
+                        description: |-
+                          Type determines whether to perform passive health checks interpreting HTTP/HTTPS statuses,
+                          or just check for TCP connection success.
+                          Accepted values are "http", "https", "tcp", "grpc", "grpcs".
+                        enum:
+                        - http
+                        - https
+                        - tcp
+                        - grpc
+                        - grpcs
+                        type: string
+                      unhealthy:
+                        description: Unhealthy configures thresholds and HTTP status
+                          codes to mark targets unhealthy.
+                        properties:
+                          httpFailures:
+                            description: HTTPFailures is the number of failures to
+                              consider a target unhealthy.
+                            minimum: 0
+                            type: integer
+                          httpStatuses:
+                            description: HTTPStatuses is a list of HTTP status codes
+                              that Kong considers a failure.
+                            items:
+                              description: HTTPStatus is an HTTP status code.
+                              maximum: 599
+                              minimum: 100
+                              type: integer
+                            type: array
+                          interval:
+                            description: Interval is the interval between active health
+                              checks for an upstream in seconds when in an unhealthy
+                              state.
+                            minimum: 0
+                            type: integer
+                          tcpFailures:
+                            description: TCPFailures is the number of TCP failures
+                              in a row to consider a target unhealthy.
+                            minimum: 0
+                            type: integer
+                          timeouts:
+                            description: Timeouts is the number of timeouts in a row
+                              to consider a target unhealthy.
+                            minimum: 0
+                            type: integer
+                        type: object
+                    type: object
+                  threshold:
+                    description: |-
+                      Threshold is the minimum percentage of the upstream’s targets’ weight that must be available for the whole
+                      upstream to be considered healthy.
+                    type: integer
+                type: object
+              slots:
+                description: |-
+                  Slots is the number of slots in the load balancer algorithm.
+                  If not set, the default value in Kong for the algorithm is used.
+                maximum: 65536
+                minimum: 10
+                type: integer
+            type: object
+          status:
+            description: Status defines the current state of KongUpstreamPolicy
+            properties:
+              ancestors:
+                description: |-
+                  Ancestors is a list of ancestor resources (usually Gateways) that are
+                  associated with the policy, and the status of the policy with respect to
+                  each ancestor. When this policy attaches to a parent, the controller that
+                  manages the parent and the ancestors MUST add an entry to this list when
+                  the controller first sees the policy and SHOULD update the entry as
+                  appropriate when the relevant ancestor is modified.
+
+
+                  Note that choosing the relevant ancestor is left to the Policy designers;
+                  an important part of Policy design is designing the right object level at
+                  which to namespace this status.
+
+
+                  Note also that implementations MUST ONLY populate ancestor status for
+                  the Ancestor resources they are responsible for. Implementations MUST
+                  use the ControllerName field to uniquely identify the entries in this list
+                  that they are responsible for.
+
+
+                  Note that to achieve this, the list of PolicyAncestorStatus structs
+                  MUST be treated as a map with a composite key, made up of the AncestorRef
+                  and ControllerName fields combined.
+
+
+                  A maximum of 16 ancestors will be represented in this list. An empty list
+                  means the Policy is not relevant for any ancestors.
+
+
+                  If this slice is full, implementations MUST NOT add further entries.
+                  Instead they MUST consider the policy unimplementable and signal that
+                  on any related resources such as the ancestor that would be referenced
+                  here. For example, if this list was full on BackendTLSPolicy, no
+                  additional Gateways would be able to reference the Service targeted by
+                  the BackendTLSPolicy.
+                items:
+                  description: |-
+                    PolicyAncestorStatus describes the status of a route with respect to an
+                    associated Ancestor.
+
+
+                    Ancestors refer to objects that are either the Target of a policy or above it
+                    in terms of object hierarchy. For example, if a policy targets a Service, the
+                    Policy's Ancestors are, in order, the Service, the HTTPRoute, the Gateway, and
+                    the GatewayClass. Almost always, in this hierarchy, the Gateway will be the most
+                    useful object to place Policy status on, so we recommend that implementations
+                    SHOULD use Gateway as the PolicyAncestorStatus object unless the designers
+                    have a _very_ good reason otherwise.
+
+
+                    In the context of policy attachment, the Ancestor is used to distinguish which
+                    resource results in a distinct application of this policy. For example, if a policy
+                    targets a Service, it may have a distinct result per attached Gateway.
+
+
+                    Policies targeting the same resource may have different effects depending on the
+                    ancestors of those resources. For example, different Gateways targeting the same
+                    Service may have different capabilities, especially if they have different underlying
+                    implementations.
+
+
+                    For example, in BackendTLSPolicy, the Policy attaches to a Service that is
+                    used as a backend in a HTTPRoute that is itself attached to a Gateway.
+                    In this case, the relevant object for status is the Gateway, and that is the
+                    ancestor object referred to in this status.
+
+
+                    Note that a parent is also an ancestor, so for objects where the parent is the
+                    relevant object for status, this struct SHOULD still be used.
+
+
+                    This struct is intended to be used in a slice that's effectively a map,
+                    with a composite key made up of the AncestorRef and the ControllerName.
+                  properties:
+                    ancestorRef:
+                      description: |-
+                        AncestorRef corresponds with a ParentRef in the spec that this
+                        PolicyAncestorStatus struct describes the status of.
+                      properties:
+                        group:
+                          default: gateway.networking.k8s.io
+                          description: |-
+                            Group is the group of the referent.
+                            When unspecified, "gateway.networking.k8s.io" is inferred.
+                            To set the core API group (such as for a "Service" kind referent),
+                            Group must be explicitly set to "" (empty string).
+
+
+                            Support: Core
+                          maxLength: 253
+                          pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+                          type: string
+                        kind:
+                          default: Gateway
+                          description: |-
+                            Kind is kind of the referent.
+
+
+                            There are two kinds of parent resources with "Core" support:
+
+
+                            * Gateway (Gateway conformance profile)
+                            * Service (Mesh conformance profile, experimental, ClusterIP Services only)
+
+
+                            Support for other resources is Implementation-Specific.
+                          maxLength: 63
+                          minLength: 1
+                          pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+                          type: string
+                        name:
+                          description: |-
+                            Name is the name of the referent.
+
+
+                            Support: Core
+                          maxLength: 253
+                          minLength: 1
+                          type: string
+                        namespace:
+                          description: |-
+                            Namespace is the namespace of the referent. When unspecified, this refers
+                            to the local namespace of the Route.
+
+
+                            Note that there are specific rules for ParentRefs which cross namespace
+                            boundaries. Cross-namespace references are only valid if they are explicitly
+                            allowed by something in the namespace they are referring to. For example:
+                            Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+                            generic way to enable any other kind of cross-namespace reference.
+
+
+                            <gateway:experimental:description>
+                            ParentRefs from a Route to a Service in the same namespace are "producer"
+                            routes, which apply default routing rules to inbound connections from
+                            any namespace to the Service.
+
+
+                            ParentRefs from a Route to a Service in a different namespace are
+                            "consumer" routes, and these routing rules are only applied to outbound
+                            connections originating from the same namespace as the Route, for which
+                            the intended destination of the connections are a Service targeted as a
+                            ParentRef of the Route.
+                            </gateway:experimental:description>
+
+
+                            Support: Core
+                          maxLength: 63
+                          minLength: 1
+                          pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+                          type: string
+                        port:
+                          description: |-
+                            Port is the network port this Route targets. It can be interpreted
+                            differently based on the type of parent resource.
+
+
+                            When the parent resource is a Gateway, this targets all listeners
+                            listening on the specified port that also support this kind of Route(and
+                            select this Route). It's not recommended to set `Port` unless the
+                            networking behaviors specified in a Route must apply to a specific port
+                            as opposed to a listener(s) whose port(s) may be changed. When both Port
+                            and SectionName are specified, the name and port of the selected listener
+                            must match both specified values.
+
+
+                            <gateway:experimental:description>
+                            When the parent resource is a Service, this targets a specific port in the
+                            Service spec. When both Port (experimental) and SectionName are specified,
+                            the name and port of the selected port must match both specified values.
+                            </gateway:experimental:description>
+
+
+                            Implementations MAY choose to support other parent resources.
+                            Implementations supporting other types of parent resources MUST clearly
+                            document how/if Port is interpreted.
+
+
+                            For the purpose of status, an attachment is considered successful as
+                            long as the parent resource accepts it partially. For example, Gateway
+                            listeners can restrict which Routes can attach to them by Route kind,
+                            namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+                            from the referencing Route, the Route MUST be considered successfully
+                            attached. If no Gateway listeners accept attachment from this Route,
+                            the Route MUST be considered detached from the Gateway.
+
+
+                            Support: Extended
+
+
+                            <gateway:experimental>
+                          format: int32
+                          maximum: 65535
+                          minimum: 1
+                          type: integer
+                        sectionName:
+                          description: |-
+                            SectionName is the name of a section within the target resource. In the
+                            following resources, SectionName is interpreted as the following:
+
+
+                            * Gateway: Listener Name. When both Port (experimental) and SectionName
+                            are specified, the name and port of the selected listener must match
+                            both specified values.
+                            * Service: Port Name. When both Port (experimental) and SectionName
+                            are specified, the name and port of the selected listener must match
+                            both specified values. Note that attaching Routes to Services as Parents
+                            is part of experimental Mesh support and is not supported for any other
+                            purpose.
+
+
+                            Implementations MAY choose to support attaching Routes to other resources.
+                            If that is the case, they MUST clearly document how SectionName is
+                            interpreted.
+
+
+                            When unspecified (empty string), this will reference the entire resource.
+                            For the purpose of status, an attachment is considered successful if at
+                            least one section in the parent resource accepts it. For example, Gateway
+                            listeners can restrict which Routes can attach to them by Route kind,
+                            namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+                            the referencing Route, the Route MUST be considered successfully
+                            attached. If no Gateway listeners accept attachment from this Route, the
+                            Route MUST be considered detached from the Gateway.
+
+
+                            Support: Core
+                          maxLength: 253
+                          minLength: 1
+                          pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+                          type: string
+                      required:
+                      - name
+                      type: object
+                    conditions:
+                      description: Conditions describes the status of the Policy with
+                        respect to the given Ancestor.
+                      items:
+                        description: "Condition contains details for one aspect of
+                          the current state of this API Resource.\n---\nThis struct
+                          is intended for direct use as an array at the field path
+                          .status.conditions.  For example,\n\n\n\ttype FooStatus
+                          struct{\n\t    // Represents the observations of a foo's
+                          current state.\n\t    // Known .status.conditions.type are:
+                          \"Available\", \"Progressing\", and \"Degraded\"\n\t    //
+                          +patchMergeKey=type\n\t    // +patchStrategy=merge\n\t    //
+                          +listType=map\n\t    // +listMapKey=type\n\t    Conditions
+                          []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\"
+                          patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t
+                          \   // other fields\n\t}"
+                        properties:
+                          lastTransitionTime:
+                            description: |-
+                              lastTransitionTime is the last time the condition transitioned from one status to another.
+                              This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
+                            format: date-time
+                            type: string
+                          message:
+                            description: |-
+                              message is a human readable message indicating details about the transition.
+                              This may be an empty string.
+                            maxLength: 32768
+                            type: string
+                          observedGeneration:
+                            description: |-
+                              observedGeneration represents the .metadata.generation that the condition was set based upon.
+                              For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+                              with respect to the current state of the instance.
+                            format: int64
+                            minimum: 0
+                            type: integer
+                          reason:
+                            description: |-
+                              reason contains a programmatic identifier indicating the reason for the condition's last transition.
+                              Producers of specific condition types may define expected values and meanings for this field,
+                              and whether the values are considered a guaranteed API.
+                              The value should be a CamelCase string.
+                              This field may not be empty.
+                            maxLength: 1024
+                            minLength: 1
+                            pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+                            type: string
+                          status:
+                            description: status of the condition, one of True, False,
+                              Unknown.
+                            enum:
+                            - "True"
+                            - "False"
+                            - Unknown
+                            type: string
+                          type:
+                            description: |-
+                              type of condition in CamelCase or in foo.example.com/CamelCase.
+                              ---
+                              Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
+                              useful (see .node.status.conditions), the ability to deconflict is important.
+                              The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+                            maxLength: 316
+                            pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+                            type: string
+                        required:
+                        - lastTransitionTime
+                        - message
+                        - reason
+                        - status
+                        - type
+                        type: object
+                      maxItems: 8
+                      minItems: 1
+                      type: array
+                      x-kubernetes-list-map-keys:
+                      - type
+                      x-kubernetes-list-type: map
+                    controllerName:
+                      description: |-
+                        ControllerName is a domain/path string that indicates the name of the
+                        controller that wrote this status. This corresponds with the
+                        controllerName field on GatewayClass.
+
+
+                        Example: "example.net/gateway-controller".
+
+
+                        The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are
+                        valid Kubernetes names
+                        (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names).
+
+
+                        Controllers MUST populate this field when writing status. Controllers should ensure that
+                        entries to status populated with their ControllerName are cleaned up when they are no
+                        longer necessary.
+                      maxLength: 253
+                      minLength: 1
+                      pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$
+                      type: string
+                  required:
+                  - ancestorRef
+                  - controllerName
+                  type: object
+                maxItems: 16
+                type: array
+            required:
+            - ancestors
+            type: object
+        type: object
+        x-kubernetes-validations:
+        - message: Only one of spec.hashOn.(input|cookie|header|uriCapture|queryArg)
+            can be set.
+          rule: 'has(self.spec.hashOn) ? [has(self.spec.hashOn.input), has(self.spec.hashOn.cookie),
+            has(self.spec.hashOn.header), has(self.spec.hashOn.uriCapture), has(self.spec.hashOn.queryArg)].filter(fieldSet,
+            fieldSet == true).size() <= 1 : true'
+        - message: When spec.hashOn.cookie is set, spec.hashOn.cookiePath is required.
+          rule: 'has(self.spec.hashOn) && has(self.spec.hashOn.cookie) ? has(self.spec.hashOn.cookiePath)
+            : true'
+        - message: When spec.hashOn.cookiePath is set, spec.hashOn.cookie is required.
+          rule: 'has(self.spec.hashOn) && has(self.spec.hashOn.cookiePath) ? has(self.spec.hashOn.cookie)
+            : true'
+        - message: spec.algorithm must be set to "consistent-hashing" when spec.hashOn
+            is set.
+          rule: 'has(self.spec.hashOn) ? has(self.spec.algorithm) && self.spec.algorithm
+            == "consistent-hashing" : true'
+        - message: Only one of spec.hashOnFallback.(input|header|uriCapture|queryArg)
+            can be set.
+          rule: 'has(self.spec.hashOnFallback) ? [has(self.spec.hashOnFallback.input),
+            has(self.spec.hashOnFallback.header), has(self.spec.hashOnFallback.uriCapture),
+            has(self.spec.hashOnFallback.queryArg)].filter(fieldSet, fieldSet == true).size()
+            <= 1 : true'
+        - message: spec.algorithm must be set to "consistent-hashing" when spec.hashOnFallback
+            is set.
+          rule: 'has(self.spec.hashOnFallback) ? has(self.spec.algorithm) && self.spec.algorithm
+            == "consistent-hashing" : true'
+        - message: spec.hashOnFallback.cookie must not be set.
+          rule: 'has(self.spec.hashOnFallback) ? !has(self.spec.hashOnFallback.cookie)
+            : true'
+        - message: spec.hashOnFallback.cookiePath must not be set.
+          rule: 'has(self.spec.hashOnFallback) ? !has(self.spec.hashOnFallback.cookiePath)
+            : true'
+        - message: spec.healthchecks.passive.healthy.interval must not be set.
+          rule: 'has(self.spec.healthchecks) && has(self.spec.healthchecks.passive)
+            && has(self.spec.healthchecks.passive.healthy) ? !has(self.spec.healthchecks.passive.healthy.interval)
+            : true'
+        - message: spec.healthchecks.passive.unhealthy.interval must not be set.
+          rule: 'has(self.spec.healthchecks) && has(self.spec.healthchecks.passive)
+            && has(self.spec.healthchecks.passive.unhealthy) ? !has(self.spec.healthchecks.passive.unhealthy.interval)
+            : true'
+        - message: spec.hashOnFallback must not be set when spec.hashOn.cookie is
+            set.
+          rule: 'has(self.spec.hashOn) && has(self.spec.hashOn.cookie) ? !has(self.spec.hashOnFallback)
+            : true'
+    served: true
+    storage: true
+    subresources:
+      status: {}
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.14.0
+  name: kongvaults.configuration.konghq.com
+spec:
+  group: configuration.konghq.com
+  names:
+    categories:
+    - kong-ingress-controller
+    kind: KongVault
+    listKind: KongVaultList
+    plural: kongvaults
+    shortNames:
+    - kv
+    singular: kongvault
+  scope: Cluster
+  versions:
+  - additionalPrinterColumns:
+    - description: Name of the backend of the vault
+      jsonPath: .spec.backend
+      name: Backend Type
+      type: string
+    - description: Prefix of vault URI to reference the values in the vault
+      jsonPath: .spec.prefix
+      name: Prefix
+      type: string
+    - description: Age
+      jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    - description: Description
+      jsonPath: .spec.description
+      name: Description
+      priority: 1
+      type: string
+    - jsonPath: .status.conditions[?(@.type=="Programmed")].status
+      name: Programmed
+      type: string
+    name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        description: |-
+          KongVault is the schema for kongvaults API which defines a custom Kong vault.
+          A Kong vault is a storage to store sensitive data, where the values can be referenced in configuration of plugins.
+          See: https://docs.konghq.com/gateway/latest/kong-enterprise/secrets-management/
+        properties:
+          apiVersion:
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+            type: string
+          kind:
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: KongVaultSpec defines specification of a custom Kong vault.
+            properties:
+              backend:
+                description: |-
+                  Backend is the type of the backend storing the secrets in the vault.
+                  The supported backends of Kong is listed here:
+                  https://docs.konghq.com/gateway/latest/kong-enterprise/secrets-management/backends/
+                minLength: 1
+                type: string
+              config:
+                description: Config is the configuration of the vault. Varies for
+                  different backends.
+                x-kubernetes-preserve-unknown-fields: true
+              description:
+                description: Description is the additional information about the vault.
+                type: string
+              prefix:
+                description: |-
+                  Prefix is the prefix of vault URI for referencing values in the vault.
+                  It is immutable after created.
+                minLength: 1
+                type: string
+            required:
+            - backend
+            - prefix
+            type: object
+          status:
+            description: KongVaultStatus represents the current status of the KongVault
+              resource.
+            properties:
+              conditions:
+                default:
+                - lastTransitionTime: "1970-01-01T00:00:00Z"
+                  message: Waiting for controller
+                  reason: Pending
+                  status: Unknown
+                  type: Programmed
+                description: |-
+                  Conditions describe the current conditions of the KongVaultStatus.
+
+
+                  Known condition types are:
+
+
+                  * "Programmed"
+                items:
+                  description: "Condition contains details for one aspect of the current
+                    state of this API Resource.\n---\nThis struct is intended for
+                    direct use as an array at the field path .status.conditions.  For
+                    example,\n\n\n\ttype FooStatus struct{\n\t    // Represents the
+                    observations of a foo's current state.\n\t    // Known .status.conditions.type
+                    are: \"Available\", \"Progressing\", and \"Degraded\"\n\t    //
+                    +patchMergeKey=type\n\t    // +patchStrategy=merge\n\t    // +listType=map\n\t
+                    \   // +listMapKey=type\n\t    Conditions []metav1.Condition `json:\"conditions,omitempty\"
+                    patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t
+                    \   // other fields\n\t}"
+                  properties:
+                    lastTransitionTime:
+                      description: |-
+                        lastTransitionTime is the last time the condition transitioned from one status to another.
+                        This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
+                      format: date-time
+                      type: string
+                    message:
+                      description: |-
+                        message is a human readable message indicating details about the transition.
+                        This may be an empty string.
+                      maxLength: 32768
+                      type: string
+                    observedGeneration:
+                      description: |-
+                        observedGeneration represents the .metadata.generation that the condition was set based upon.
+                        For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+                        with respect to the current state of the instance.
+                      format: int64
+                      minimum: 0
+                      type: integer
+                    reason:
+                      description: |-
+                        reason contains a programmatic identifier indicating the reason for the condition's last transition.
+                        Producers of specific condition types may define expected values and meanings for this field,
+                        and whether the values are considered a guaranteed API.
+                        The value should be a CamelCase string.
+                        This field may not be empty.
+                      maxLength: 1024
+                      minLength: 1
+                      pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+                      type: string
+                    status:
+                      description: status of the condition, one of True, False, Unknown.
+                      enum:
+                      - "True"
+                      - "False"
+                      - Unknown
+                      type: string
+                    type:
+                      description: |-
+                        type of condition in CamelCase or in foo.example.com/CamelCase.
+                        ---
+                        Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
+                        useful (see .node.status.conditions), the ability to deconflict is important.
+                        The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+                      maxLength: 316
+                      pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+                      type: string
+                  required:
+                  - lastTransitionTime
+                  - message
+                  - reason
+                  - status
+                  - type
+                  type: object
+                maxItems: 8
+                type: array
+                x-kubernetes-list-map-keys:
+                - type
+                x-kubernetes-list-type: map
+            required:
+            - conditions
+            type: object
+        required:
+        - spec
+        type: object
+        x-kubernetes-validations:
+        - message: The spec.prefix field is immutable
+          rule: self.spec.prefix == oldSelf.spec.prefix
+    served: true
+    storage: true
+    subresources:
+      status: {}
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.14.0
+  name: tcpingresses.configuration.konghq.com
+spec:
+  group: configuration.konghq.com
+  names:
+    categories:
+    - kong-ingress-controller
+    kind: TCPIngress
+    listKind: TCPIngressList
+    plural: tcpingresses
+    singular: tcpingress
+  scope: Namespaced
+  versions:
+  - additionalPrinterColumns:
+    - description: Address of the load balancer
+      jsonPath: .status.loadBalancer.ingress[*].ip
+      name: Address
+      type: string
+    - description: Age
+      jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    name: v1beta1
+    schema:
+      openAPIV3Schema:
+        description: TCPIngress is the Schema for the tcpingresses API.
+        properties:
+          apiVersion:
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+            type: string
+          kind:
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: Spec is the TCPIngress specification.
+            properties:
+              rules:
+                description: A list of rules used to configure the Ingress.
+                items:
+                  description: |-
+                    IngressRule represents a rule to apply against incoming requests.
+                    Matching is performed based on an (optional) SNI and port.
+                  properties:
+                    backend:
+                      description: |-
+                        Backend defines the referenced service endpoint to which the traffic
+                        will be forwarded to.
+                      properties:
+                        serviceName:
+                          description: Specifies the name of the referenced service.
+                          minLength: 1
+                          type: string
+                        servicePort:
+                          description: Specifies the port of the referenced service.
+                          format: int32
+                          maximum: 65535
+                          minimum: 1
+                          type: integer
+                      required:
+                      - serviceName
+                      - servicePort
+                      type: object
+                    host:
+                      description: |-
+                        Host is the fully qualified domain name of a network host, as defined
+                        by RFC 3986.
+                        If a Host is not specified, then port-based TCP routing is performed. Kong
+                        doesn't care about the content of the TCP stream in this case.
+                        If a Host is specified, the protocol must be TLS over TCP.
+                        A plain-text TCP request cannot be routed based on Host. It can only
+                        be routed based on Port.
+                      type: string
+                    port:
+                      description: |-
+                        Port is the port on which to accept TCP or TLS over TCP sessions and
+                        route. It is a required field. If a Host is not specified, the requested
+                        are routed based only on Port.
+                      format: int32
+                      maximum: 65535
+                      minimum: 1
+                      type: integer
+                  required:
+                  - backend
+                  - port
+                  type: object
+                type: array
+              tls:
+                description: |-
+                  TLS configuration. This is similar to the `tls` section in the
+                  Ingress resource in networking.v1beta1 group.
+                  The mapping of SNIs to TLS cert-key pair defined here will be
+                  used for HTTP Ingress rules as well. Once can define the mapping in
+                  this resource or the original Ingress resource, both have the same
+                  effect.
+                items:
+                  description: IngressTLS describes the transport layer security.
+                  properties:
+                    hosts:
+                      description: |-
+                        Hosts are a list of hosts included in the TLS certificate. The values in
+                        this list must match the name/s used in the tlsSecret. Defaults to the
+                        wildcard host setting for the loadbalancer controller fulfilling this
+                        Ingress, if left unspecified.
+                      items:
+                        type: string
+                      type: array
+                    secretName:
+                      description: SecretName is the name of the secret used to terminate
+                        SSL traffic.
+                      type: string
+                  type: object
+                type: array
+            type: object
+          status:
+            description: TCPIngressStatus defines the observed state of TCPIngress.
+            properties:
+              loadBalancer:
+                description: LoadBalancer contains the current status of the load-balancer.
+                properties:
+                  ingress:
+                    description: |-
+                      Ingress is a list containing ingress points for the load-balancer.
+                      Traffic intended for the service should be sent to these ingress points.
+                    items:
+                      description: |-
+                        LoadBalancerIngress represents the status of a load-balancer ingress point:
+                        traffic intended for the service should be sent to an ingress point.
+                      properties:
+                        hostname:
+                          description: |-
+                            Hostname is set for load-balancer ingress points that are DNS based
+                            (typically AWS load-balancers)
+                          type: string
+                        ip:
+                          description: |-
+                            IP is set for load-balancer ingress points that are IP based
+                            (typically GCE or OpenStack load-balancers)
+                          type: string
+                        ipMode:
+                          description: |-
+                            IPMode specifies how the load-balancer IP behaves, and may only be specified when the ip field is specified.
+                            Setting this to "VIP" indicates that traffic is delivered to the node with
+                            the destination set to the load-balancer's IP and port.
+                            Setting this to "Proxy" indicates that traffic is delivered to the node or pod with
+                            the destination set to the node's IP and node port or the pod's IP and port.
+                            Service implementations may use this information to adjust traffic routing.
+                          type: string
+                        ports:
+                          description: |-
+                            Ports is a list of records of service ports
+                            If used, every port defined in the service should have an entry in it
+                          items:
+                            properties:
+                              error:
+                                description: |-
+                                  Error is to record the problem with the service port
+                                  The format of the error shall comply with the following rules:
+                                  - built-in error values shall be specified in this file and those shall use
+                                    CamelCase names
+                                  - cloud provider specific error values must have names that comply with the
+                                    format foo.example.com/CamelCase.
+                                  ---
+                                  The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+                                maxLength: 316
+                                pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+                                type: string
+                              port:
+                                description: Port is the port number of the service
+                                  port of which status is recorded here
+                                format: int32
+                                type: integer
+                              protocol:
+                                default: TCP
+                                description: |-
+                                  Protocol is the protocol of the service port of which status is recorded here
+                                  The supported values are: "TCP", "UDP", "SCTP"
+                                type: string
+                            required:
+                            - port
+                            - protocol
+                            type: object
+                          type: array
+                          x-kubernetes-list-type: atomic
+                      type: object
+                    type: array
+                type: object
+            type: object
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.14.0
+  name: udpingresses.configuration.konghq.com
+spec:
+  group: configuration.konghq.com
+  names:
+    categories:
+    - kong-ingress-controller
+    kind: UDPIngress
+    listKind: UDPIngressList
+    plural: udpingresses
+    singular: udpingress
+  scope: Namespaced
+  versions:
+  - additionalPrinterColumns:
+    - description: Address of the load balancer
+      jsonPath: .status.loadBalancer.ingress[*].ip
+      name: Address
+      type: string
+    - description: Age
+      jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    name: v1beta1
+    schema:
+      openAPIV3Schema:
+        description: UDPIngress is the Schema for the udpingresses API.
+        properties:
+          apiVersion:
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+            type: string
+          kind:
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: Spec is the UDPIngress specification.
+            properties:
+              rules:
+                description: A list of rules used to configure the Ingress.
+                items:
+                  description: |-
+                    UDPIngressRule represents a rule to apply against incoming requests
+                    wherein no Host matching is available for request routing, only the port
+                    is used to match requests.
+                  properties:
+                    backend:
+                      description: |-
+                        Backend defines the Kubernetes service which accepts traffic from the
+                        listening Port defined above.
+                      properties:
+                        serviceName:
+                          description: Specifies the name of the referenced service.
+                          minLength: 1
+                          type: string
+                        servicePort:
+                          description: Specifies the port of the referenced service.
+                          format: int32
+                          maximum: 65535
+                          minimum: 1
+                          type: integer
+                      required:
+                      - serviceName
+                      - servicePort
+                      type: object
+                    port:
+                      description: |-
+                        Port indicates the port for the Kong proxy to accept incoming traffic
+                        on, which will then be routed to the service Backend.
+                      format: int32
+                      maximum: 65535
+                      minimum: 1
+                      type: integer
+                  required:
+                  - backend
+                  - port
+                  type: object
+                type: array
+            type: object
+          status:
+            description: UDPIngressStatus defines the observed state of UDPIngress.
+            properties:
+              loadBalancer:
+                description: LoadBalancer contains the current status of the load-balancer.
+                properties:
+                  ingress:
+                    description: |-
+                      Ingress is a list containing ingress points for the load-balancer.
+                      Traffic intended for the service should be sent to these ingress points.
+                    items:
+                      description: |-
+                        LoadBalancerIngress represents the status of a load-balancer ingress point:
+                        traffic intended for the service should be sent to an ingress point.
+                      properties:
+                        hostname:
+                          description: |-
+                            Hostname is set for load-balancer ingress points that are DNS based
+                            (typically AWS load-balancers)
+                          type: string
+                        ip:
+                          description: |-
+                            IP is set for load-balancer ingress points that are IP based
+                            (typically GCE or OpenStack load-balancers)
+                          type: string
+                        ipMode:
+                          description: |-
+                            IPMode specifies how the load-balancer IP behaves, and may only be specified when the ip field is specified.
+                            Setting this to "VIP" indicates that traffic is delivered to the node with
+                            the destination set to the load-balancer's IP and port.
+                            Setting this to "Proxy" indicates that traffic is delivered to the node or pod with
+                            the destination set to the node's IP and node port or the pod's IP and port.
+                            Service implementations may use this information to adjust traffic routing.
+                          type: string
+                        ports:
+                          description: |-
+                            Ports is a list of records of service ports
+                            If used, every port defined in the service should have an entry in it
+                          items:
+                            properties:
+                              error:
+                                description: |-
+                                  Error is to record the problem with the service port
+                                  The format of the error shall comply with the following rules:
+                                  - built-in error values shall be specified in this file and those shall use
+                                    CamelCase names
+                                  - cloud provider specific error values must have names that comply with the
+                                    format foo.example.com/CamelCase.
+                                  ---
+                                  The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+                                maxLength: 316
+                                pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+                                type: string
+                              port:
+                                description: Port is the port number of the service
+                                  port of which status is recorded here
+                                format: int32
+                                type: integer
+                              protocol:
+                                default: TCP
+                                description: |-
+                                  Protocol is the protocol of the service port of which status is recorded here
+                                  The supported values are: "TCP", "UDP", "SCTP"
+                                type: string
+                            required:
+                            - port
+                            - protocol
+                            type: object
+                          type: array
+                          x-kubernetes-list-type: atomic
+                      type: object
+                    type: array
+                type: object
+            type: object
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}
diff --git a/helm/infrastructure/subcharts/kong/example-values/README.md b/helm/infrastructure/subcharts/kong/example-values/README.md
new file mode 100644 (file)
index 0000000..27971f8
--- /dev/null
@@ -0,0 +1,72 @@
+# Example values.yaml configurations
+
+The YAML files in this directory provide basic example configurations for
+common Kong deployment scenarios on Kubernetes.
+
+* [minimal-kong-controller.yaml](minimal-kong-controller.yaml) installs Kong
+  open source with the ingress controller in DB-less mode.
+
+* [minimal-kong-standalone.yaml](minimal-kong-standalone.yaml) installs Kong
+  open source and Postgres with no controller.
+
+* [minimal-kong-enterprise-dbless.yaml](minimal-kong-enterprise-dbless.yaml)
+  installs Kong for Kubernetes with Kong Enterprise with the ingress controller
+  in DB-less mode.
+
+* [minimal-k4k8s-with-kong-enterprise.yaml](minimal-k4k8s-with-kong-enterprise.yaml)
+  installs Kong for Kubernetes with Kong Enterprise with the ingress controller
+  and PostgreSQL. It does not enable Enterprise features other than Kong
+  Manager, and does not expose it or the Admin API via a TLS-secured ingress.
+
+* [full-k4k8s-with-kong-enterprise.yaml](full-k4k8s-with-kong-enterprise.yaml)
+  installs Kong for Kubernetes with Kong Enterprise with the ingress controller
+  in PostgreSQL. It enables all Enterprise services.
+
+* [minimal-kong-hybrid-control.yaml](minimal-kong-hybrid-control.yaml) and
+  [minimal-kong-hybrid-data.yaml](minimal-kong-hybrid-data.yaml) install
+  separate releases for hybrid mode control and data plane nodes, using the
+  built-in PostgreSQL chart on the control plane release. They require some
+  pre-work to [create certificates](https://github.com/Kong/charts/blob/main/charts/kong/README.md#certificates)
+  and configure the control plane location. See comments in the file headers
+  for additional details.
+
+  Note that you should install the control plane release first if possible:
+  data planes must be able to talk with a control plane node before they can
+  come online. Starting control planes first is not strictly required (data
+  plane nodes will retry their connection for a while before Kubernetes
+  restarts them, so starting control planes second, but around the same time
+  will usually work), but is the smoothest option.
+
+* [minimal-kong-enterprise-hybrid-control.yaml](minimal-kong-enterprise-hybrid-control.yaml) and
+  [minimal-kong-enterprise-hybrid-data.yaml](minimal-kong-enterprise-hybrid-data.yaml) install
+  separate releases of Kong Enterprise for hybrid mode control and data plane nodes, using the
+  built-in PostgreSQL chart on the control plane release. They require some
+  pre-work to [create certificates](https://github.com/Kong/charts/blob/main/charts/kong/README.md#certificates)
+  and configure the control plane location. See comments in the file headers
+  for additional details.
+
+  Note that you should install the control plane release first if possible:
+  data planes must be able to talk with a control plane node before they can
+  come online. Starting control planes first is not strictly required (data
+  plane nodes will retry their connection for a while before Kubernetes
+  restarts them, so starting control planes second, but around the same time
+  will usually work), but is the smoothest option.
+
+* [minimal-kong-gd-controller.yaml](minimal-kong-gd-controller.yaml) and
+  [minimal-kong-gd-gateway.yaml](minimal-kong-gd-gateway.yaml) install a
+  single controller and cluster of gateway instances. The controller release
+  configuration must specify the names of the gateway proxy and admin
+  Services. The examples use `gw` as the gateway release name. If you wish to
+  use another name, set the controller configuration to match. For example, if
+  you use `hydrogen` as your gateway release name, set
+  `proxy.nameOverride=hydrogen-kong-proxy` and
+  `ingressController.adminApiService.name=hydrogen-kong-admin`.
+
+* [minimal-kong-gd-controller-konnect.yaml](minimal-kong-gd-controller-konnect.yaml) and
+  [minimal-kong-gd-gateway.yaml](minimal-kong-gd-gateway.yaml) install a single Ingress
+  Controller with Kong's Konnect sync feature enabled and a cluster of gateway instances.
+  In order to make it work, `ingressController.konnect.runtimeGroupID` has to be
+  supplied and a `konnect-client-tls` secret has to be created upfront.
+
+All Enterprise examples require some level of additional user configuration to
+install properly. Read the comments at the top of each file for instructions.
diff --git a/helm/infrastructure/subcharts/kong/example-values/doc-examples/README.md b/helm/infrastructure/subcharts/kong/example-values/doc-examples/README.md
new file mode 100644 (file)
index 0000000..14fa0da
--- /dev/null
@@ -0,0 +1,5 @@
+# Kong Gateway Helm Docs Samples
+This directory contains sample values files written in support of official [docs.konghq.com](https://docs.konghq.com/gateway/3.0.x/install-and-run/) workflows.
+
+## Disclaimer
+The samples here are published for educational purposes and should not be considered production ready as-is.
\ No newline at end of file
diff --git a/helm/infrastructure/subcharts/kong/example-values/doc-examples/quickstart-enterprise-licensed-aio.yaml b/helm/infrastructure/subcharts/kong/example-values/doc-examples/quickstart-enterprise-licensed-aio.yaml
new file mode 100644 (file)
index 0000000..84e232c
--- /dev/null
@@ -0,0 +1,281 @@
+demo: true
+admin:
+  annotations:
+    konghq.com/protocol: https
+  enabled: true
+  http:
+    enabled: false
+  ingress:
+    annotations:
+      konghq.com/https-redirect-status-code: "301"
+      konghq.com/protocols: https
+      konghq.com/strip-path: "true"
+      nginx.ingress.kubernetes.io/app-root: /
+      nginx.ingress.kubernetes.io/backend-protocol: HTTPS
+      nginx.ingress.kubernetes.io/permanent-redirect-code: "301"
+    enabled: true
+    hostname: kong.127-0-0-1.nip.io
+    path: /api
+    tls: quickstart-kong-admin-cert
+  tls:
+    containerPort: 8444
+    enabled: true
+    parameters:
+    - http2
+    servicePort: 8444
+  type: ClusterIP
+affinity:
+  podAntiAffinity:
+    preferredDuringSchedulingIgnoredDuringExecution:
+    - podAffinityTerm:
+        labelSelector:
+          matchExpressions:
+          - key: app.kubernetes.io/instance
+            operator: In
+            values:
+            - dataplane
+        topologyKey: kubernetes.io/hostname
+      weight: 100
+certificates:
+  enabled: true
+  issuer: quickstart-kong-selfsigned-issuer
+  cluster:
+    enabled: true
+  admin:
+    enabled: true
+    commonName: kong.127-0-0-1.nip.io
+  portal:
+    enabled: true
+    commonName: developer.127-0-0-1.nip.io
+  proxy:
+    enabled: true
+    commonName: 127-0-0-1.nip.io
+    dnsNames:
+    - '*.127-0-0-1.nip.io'
+cluster:
+  enabled: true
+  labels:
+    konghq.com/service: cluster
+  tls:
+    containerPort: 8005
+    enabled: true
+    servicePort: 8005
+  type: ClusterIP
+clustertelemetry:
+  enabled: true
+  tls:
+    containerPort: 8006
+    enabled: true
+    servicePort: 8006
+    type: ClusterIP
+deployment:
+  kong:
+    daemonset: false
+    enabled: true
+enterprise:
+  enabled: true
+  license_secret: kong-enterprise-license
+  portal:
+    enabled: true
+  rbac:
+    admin_api_auth: basic-auth
+    admin_gui_auth_conf_secret: kong-config-secret
+    enabled: true
+    session_conf_secret: kong-config-secret
+  smtp:
+    enabled: false
+  vitals:
+    enabled: true
+env:
+  admin_access_log: /dev/stdout
+  admin_gui_api_url: https://kong.127-0-0-1.nip.io/api
+  admin_error_log: /dev/stdout
+  admin_gui_access_log: /dev/stdout
+  admin_gui_error_log: /dev/stdout
+  admin_gui_host: kong.127-0-0-1.nip.io
+  admin_gui_protocol: https
+  admin_gui_url: https://kong.127-0-0-1.nip.io/
+  cluster_data_plane_purge_delay: 60
+  cluster_listen: 0.0.0.0:8005
+  cluster_telemetry_listen: 0.0.0.0:8006
+  database: postgres
+  log_level: debug
+  lua_package_path: /opt/?.lua;;
+  nginx_worker_processes: "2"
+  password:
+    valueFrom:
+      secretKeyRef:
+        key: kong_admin_password
+        name: kong-config-secret
+  pg_database: kong
+  pg_host:
+    valueFrom:
+      secretKeyRef:
+        key: pg_host
+        name: kong-config-secret
+  pg_ssl: "off"
+  pg_ssl_verify: "off"
+  pg_user: kong
+  plugins: bundled,openid-connect
+  portal: true
+  portal_api_access_log: /dev/stdout
+  portal_api_error_log: /dev/stdout
+  portal_api_url: https://developer.127-0-0-1.nip.io/api
+  portal_auth: basic-auth
+  portal_cors_origins: '*'
+  portal_gui_access_log: /dev/stdout
+  portal_gui_error_log: /dev/stdout
+  portal_gui_host: developer.127-0-0-1.nip.io
+  portal_gui_protocol: https
+  portal_gui_url: https://developer.127-0-0-1.nip.io/
+  portal_session_conf:
+    valueFrom:
+      secretKeyRef:
+        key: portal_session_conf
+        name: kong-config-secret
+  prefix: /kong_prefix/
+  proxy_access_log: /dev/stdout
+  proxy_error_log: /dev/stdout
+  proxy_stream_access_log: /dev/stdout
+  proxy_stream_error_log: /dev/stdout
+  smtp_mock: "on"
+  status_listen: 0.0.0.0:8100
+  trusted_ips: 0.0.0.0/0,::/0
+  vitals: true
+extraLabels:
+  konghq.com/component: quickstart
+image:
+  repository: kong/kong-gateway
+  tag: "3.5"
+ingressController:
+  enabled: true
+  env:
+    kong_admin_filter_tag: ingress_controller_default
+    kong_admin_tls_skip_verify: true
+    kong_admin_token:
+      valueFrom:
+        secretKeyRef:
+          key: password
+          name: kong-config-secret
+    kong_admin_url: https://localhost:8444
+    kong_workspace: default
+    publish_service: kong/quickstart-kong-proxy
+  image:
+    repository: docker.io/kong/kubernetes-ingress-controller
+    tag: "2.10"
+  ingressClass: default
+  installCRDs: false
+manager:
+  annotations:
+    konghq.com/protocol: https
+  enabled: true
+  http:
+    containerPort: 8002
+    enabled: false
+    servicePort: 8002
+  ingress:
+    annotations:
+      konghq.com/https-redirect-status-code: "301"
+      nginx.ingress.kubernetes.io/backend-protocol: HTTPS
+    ingressClassName: kong
+    enabled: true
+    hostname: kong.127-0-0-1.nip.io
+    path: /
+    tls: quickstart-kong-admin-cert
+  tls:
+    containerPort: 8445
+    enabled: true
+    parameters:
+    - http2
+    servicePort: 8445
+  type: ClusterIP
+migrations:
+  enabled: true
+  postUpgrade: true
+  preUpgrade: true
+namespace: kong
+podAnnotations:
+  kuma.io/gateway: enabled
+portal:
+  annotations:
+    konghq.com/protocol: https
+  enabled: true
+  http:
+    containerPort: 8003
+    enabled: false
+    servicePort: 8003
+  ingress:
+    annotations:
+      konghq.com/https-redirect-status-code: "301"
+      konghq.com/protocols: https
+      konghq.com/strip-path: "false"
+    ingressClassName: kong
+    enabled: true
+    hostname: developer.127-0-0-1.nip.io
+    path: /
+    tls: quickstart-kong-portal-cert
+  tls:
+    containerPort: 8446
+    enabled: true
+    parameters:
+    - http2
+    servicePort: 8446
+  type: ClusterIP
+portalapi:
+  annotations:
+    konghq.com/protocol: https
+  enabled: true
+  http:
+    enabled: false
+  ingress:
+    annotations:
+      konghq.com/https-redirect-status-code: "301"
+      konghq.com/protocols: https
+      konghq.com/strip-path: "true"
+      nginx.ingress.kubernetes.io/app-root: /
+    ingressClassName: kong
+    enabled: true
+    hostname: developer.127-0-0-1.nip.io
+    path: /api
+    tls: quickstart-kong-portal-cert
+  tls:
+    containerPort: 8447
+    enabled: true
+    parameters:
+    - http2
+    servicePort: 8447
+  type: ClusterIP
+postgresql:
+  enabled: true
+  auth:
+    database: kong
+    username: kong
+proxy:
+  annotations:
+    prometheus.io/port: "9542"
+    prometheus.io/scrape: "true"
+  enabled: true
+  http:
+    containerPort: 8080
+    enabled: true
+    hostPort: 80
+  ingress:
+    enabled: false
+  labels:
+    enable-metrics: true
+  tls:
+    containerPort: 8443
+    enabled: true
+    hostPort: 443
+  type: LoadBalancer
+replicaCount: 1
+secretVolumes: []
+status:
+  enabled: true
+  http:
+    containerPort: 8100
+    enabled: true
+  tls:
+    containerPort: 8543
+    enabled: false
+
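Review bot: `trusted_ips: 0.0.0.0/0,::/0` in the `env` block tells Kong to trust `X-Forwarded-*` headers from every client, so anyone who can reach the proxy's `hostPort` 80/443 directly can spoof the client address and scheme seen by plugins and by the `https-redirect` annotations used on the admin, manager and portal ingresses; together with `kong_admin_tls_skip_verify: true`, `pg_ssl: "off"` / `pg_ssl_verify: "off"`, `log_level: debug` and `portal_cors_origins: '*'` this file is only defensible as a local demo. It appears to be an upstream Kong docs sample copied into the subchart (the sibling `doc-examples/README.md` says the samples are not production ready), so the ask is a header comment rather than a rewrite: `# Local quickstart only: trusts all proxy headers (trusted_ips), skips Admin API TLS verification and disables Postgres TLS; do not use as a base for a real deployment.` If the file is ever meant to be reused, at minimum narrow `trusted_ips` to the load-balancer/ingress CIDRs and set `pg_ssl: "on"` with `pg_ssl_verify: "on"`.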
diff --git a/helm/infrastructure/subcharts/kong/example-values/full-k4k8s-with-kong-enterprise.yaml b/helm/infrastructure/subcharts/kong/example-values/full-k4k8s-with-kong-enterprise.yaml
new file mode 100644 (file)
index 0000000..aa20946
--- /dev/null
@@ -0,0 +1,196 @@
+# Kong for Kubernetes with Kong Enterprise with Enterprise features enabled and
+# exposed via TLS-enabled Ingresses. Before installing:
+# * Several settings (search for the string "CHANGEME") require user-provided
+#   Secrets. These Secrets must be created before installation.
+# * Ingresses reference example "<service>.kong.CHANGEME.example" hostnames. These must
+#   be changed to an actual hostname that resolve to your proxy.
+# * Ensure that your session configurations create cookies that are usable
+#   across your services. The admin session configuration must create cookies
+#   that are sent to both the admin API and Kong Manager, and any Dev Portal
+#   instances with authentication must create cookies that are sent to both
+#   the Portal and Portal API.
+
+image:
+  repository: kong/kong-gateway
+  tag: "3.5"
+
+env:
+  prefix: /kong_prefix/
+  database: postgres
+
+  password:
+    valueFrom:
+      secretKeyRef:
+        name: kong-enterprise-superuser-password #CHANGEME
+        key: password #CHANGEME
+
+admin:
+  enabled: true
+  annotations:
+    konghq.com/protocol: "https"
+
+  tls:
+    enabled: true
+    servicePort: 8444
+    containerPort: 8444
+    parameters:
+    - http2
+
+  ingress:
+    enabled: true
+    tls: CHANGEME-admin-tls-secret
+    hostname: admin.kong.CHANGEME.example
+    ingressClassName: kong
+    path: /
+
+proxy:
+  enabled: true
+  type: LoadBalancer
+  annotations: {}
+
+  http:
+    enabled: true
+    servicePort: 80
+    containerPort: 8000
+    parameters: []
+
+  tls:
+    enabled: true
+    servicePort: 443
+    containerPort: 8443
+    parameters:
+    - http2
+
+  stream: {}
+
+  ingress:
+    enabled: false
+    annotations: {}
+    path: /
+
+  externalIPs: []
+
+enterprise:
+  enabled: true
+  # CHANGEME: https://github.com/Kong/charts/blob/main/charts/kong/README.md#kong-enterprise-license
+  license_secret: kong-enterprise-license
+  vitals:
+    enabled: true
+  portal:
+    enabled: true
+  rbac:
+    enabled: true
+    admin_gui_auth: basic-auth
+    session_conf_secret: kong-session-config
+    admin_gui_auth_conf_secret: CHANGEME-admin-gui-auth-conf-secret
+  smtp:
+    enabled: false
+    portal_emails_from: none@example.com
+    portal_emails_reply_to: none@example.com
+    admin_emails_from: none@example.com
+    admin_emails_reply_to: none@example.com
+    smtp_admin_emails: none@example.com
+    smtp_host: smtp.example.com
+    smtp_port: 587
+    smtp_auth_type: ''
+    smtp_ssl: nil
+    smtp_starttls: true
+    auth:
+      smtp_username: ''  # e.g. postmaster@example.com
+      smtp_password_secret: CHANGEME-smtp-password
+
+manager:
+  enabled: true
+  type: NodePort
+  annotations:
+    konghq.com/protocol: "https"
+
+  http:
+    enabled: false
+
+  tls:
+    enabled: true
+    servicePort: 8445
+    containerPort: 8445
+    parameters:
+    - http2
+
+  ingress:
+    enabled: true
+    tls: CHANGEME-manager-tls-secret
+    hostname: manager.kong.CHANGEME.example
+    annotations: {}
+    path: /
+
+  externalIPs: []
+
+portal:
+  enabled: true
+  type: NodePort
+  annotations:
+    konghq.com/protocol: "https"
+
+  http:
+    enabled: true
+    servicePort: 8003
+    containerPort: 8003
+    parameters: []
+
+  tls:
+    enabled: true
+    servicePort: 8446
+    containerPort: 8446
+    parameters:
+    - http2
+
+  ingress:
+    enabled: true
+    tls: CHANGEME-portal-tls-secret
+    hostname: portal.kong.CHANGEME.example
+    ingressClassName: kong
+    path: /
+
+  externalIPs: []
+
+portalapi:
+  enabled: true
+  type: NodePort
+  annotations:
+    konghq.com/protocol: "https"
+
+  http:
+    enabled: true
+    servicePort: 8004
+    containerPort: 8004
+    parameters: []
+
+  tls:
+    enabled: true
+    servicePort: 8447
+    containerPort: 8447
+    parameters:
+    - http2
+
+  ingress:
+    enabled: true
+    tls: CHANGEME-portalapi-tls-secret
+    hostname: portalapi.kong.CHANGEME.example
+    ingressClassName: kong
+    path: /
+
+  externalIPs: []
+
+postgresql:
+  enabled: true
+  auth:
+    username: kong
+    database: kong
+
+ingressController:
+  enabled: true
+  env:
+    kong_admin_token:
+      valueFrom:
+        secretKeyRef:
+          name: kong-enterprise-superuser-password #CHANGEME
+          key: password #CHANGEME
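Review bot: `portal` and `portalapi` are `type: NodePort` with `http.enabled: true` (container ports 8003/8004), so the Dev Portal and its API are reachable in plain text on every node even though the file's stated intent is exposure "via TLS-enabled Ingresses"; `manager` is likewise `NodePort` while its ingress lacks the `ingressClassName: kong` the admin/portal/portalapi ingresses carry. Since the TLS ingresses already front these services, the safer shape is `http.enabled: false` under both `portal` and `portalapi`, `type: ClusterIP` for the three NodePort services, and `ingressClassName: kong` on the manager ingress. The `ingressController.env.kong_admin_token` also reuses `kong-enterprise-superuser-password`, the same secret as `env.password`, so the controller runs with the RBAC superuser; a comment such as `# CHANGEME: prefer a dedicated RBAC user/token for the controller instead of the superuser password` would flag that for operators. This looks like an upstream Kong example copied into the subchart, so treat these as notes for whoever adapts it rather than as blockers.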
diff --git a/helm/infrastructure/subcharts/kong/example-values/hybrid-cert-manager/README.md b/helm/infrastructure/subcharts/kong/example-values/hybrid-cert-manager/README.md
new file mode 100644 (file)
index 0000000..7196e22
--- /dev/null
@@ -0,0 +1,83 @@
+This README explains how to install Kong in DB-backed mode with Postgres and Cert Manager
+
+# Install Postgres
+
+Use the bitnami chart to install Postgres. Read the output to understand how to connect to the database.
+
+```bash
+helm install postgres oci://registry-1.docker.io/bitnamicharts/postgresql -n db --create-namespace
+```
+
+Once connected, create a postgres user and database:
+
+```sql
+CREATE USER kong WITH PASSWORD 'super_secret'; CREATE DATABASE kong OWNER kong;
+```
+
+# Cert Manager
+
+Install Cert Manager in to your cluster:
+
+```bash
+kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.11.0/cert-manager.crds.yaml
+helm install \
+  cert-manager jetstack/cert-manager \
+  --namespace cert-manager \
+  --create-namespace \
+  --version v1.11.0
+```
+
+Create a self signed CA + Issuer for future use:
+
+```yaml
+echo "
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: kong
+---
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: selfsigned-issuer
+spec:
+  selfSigned: {}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: my-selfsigned-ca
+  namespace: kong
+spec:
+  isCA: true
+  commonName: my-selfsigned-ca
+  secretName: root-secret
+  privateKey:
+    algorithm: ECDSA
+    size: 256
+  issuerRef:
+    name: selfsigned-issuer
+    kind: ClusterIssuer
+    group: cert-manager.io
+---
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: my-ca-issuer
+  namespace: kong
+spec:
+  ca:
+    secretName: root-secret
+" | kubectl apply -f -
+```
+
+# Kong
+
+Deploy Kong using the `cp-values.yaml` and `dp-values.yaml` in this folder:
+
+```bash
+helm install kong-cp kong/kong -n kong --values cp-values.yaml
+helm install kong-dp kong/kong -n kong --values dp-values.yaml
+```
+
+You should now have Kong running in hybrid mode
diff --git a/helm/infrastructure/subcharts/kong/example-values/hybrid-cert-manager/cp-values.yaml b/helm/infrastructure/subcharts/kong/example-values/hybrid-cert-manager/cp-values.yaml
new file mode 100644 (file)
index 0000000..749c08e
--- /dev/null
@@ -0,0 +1,25 @@
+env:
+  role: control_plane
+  database: postgres
+  pg_host: postgres-postgresql.db.svc.cluster.local
+  pg_user: kong
+  pg_password: super_secret
+
+cluster:
+  enabled: true
+  tls:
+    enabled: true
+
+certificates:
+  enabled: true
+  issuer: my-ca-issuer
+  cluster:
+    enabled: true
+    commonName: custom.example.com
+
+proxy:
+  enabled: false
+
+ingressController:
+  env:
+    publish_service: kong/kong-cp-kong-proxy
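Review bot: `pg_password: super_secret` under `env` in cp-values.yaml carries the database password as a plain literal in the values file, and whatever the chart renders `env` into will carry it as well. The sibling example added in this commit (minimal-k4k8s-with-kong-enterprise.yaml, `env.password`) shows the chart's `valueFrom.secretKeyRef` form, which keeps the credential in a Secret; the same shape works here: `pg_password: {valueFrom: {secretKeyRef: {name: POSTGRES-SECRET-NAME, key: password}}}` with the Secret name left as a placeholder to fill in. The README in this folder creates the role with the literal `super_secret`, so its step should point at the Secret too if this is changed.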
diff --git a/helm/infrastructure/subcharts/kong/example-values/hybrid-cert-manager/dp-values.yaml b/helm/infrastructure/subcharts/kong/example-values/hybrid-cert-manager/dp-values.yaml
new file mode 100644 (file)
index 0000000..4e53377
--- /dev/null
@@ -0,0 +1,22 @@
+env:
+  role: data_plane
+  database: "off"
+  cluster_control_plane: kong-cp-kong-cluster.kong.svc.cluster.local:8005
+
+cluster:
+  enabled: true
+  tls:
+    enabled: true
+
+certificates:
+  enabled: true
+  issuer: my-ca-issuer
+  cluster:
+    enabled: true
+    commonName: custom.example.com
+
+admin:
+  enabled: false
+
+ingressController:
+  enabled: false
diff --git a/helm/infrastructure/subcharts/kong/example-values/minimal-k4k8s-with-kong-enterprise.yaml b/helm/infrastructure/subcharts/kong/example-values/minimal-k4k8s-with-kong-enterprise.yaml
new file mode 100644 (file)
index 0000000..202dc42
--- /dev/null
@@ -0,0 +1,56 @@
+# Basic values.yaml for Kong for Kubernetes with Kong Enterprise
+# Several settings (search for the string "CHANGEME") require user-provided
+# Secrets. These Secrets must be created before installation.
+#
+# This installation does not create an Ingress or LoadBalancer Service for
+# the Admin API or Kong Manager. They require port-forwards to access without
+# further configuration to add them:
+# kubectl port-forward deploy/your-deployment-kong 8001:8001 8002:8002
+
+image:
+  repository: kong/kong-gateway
+  tag: "3.5"
+
+admin:
+  enabled: true
+  http:
+    enabled: true
+    servicePort: 8001
+    containerPort: 8001
+
+enterprise:
+  enabled: true
+  # CHANGEME: https://github.com/Kong/charts/blob/main/charts/kong/README.md#kong-enterprise-license
+  license_secret: kong-enterprise-license
+  vitals:
+    enabled: false
+  portal:
+    enabled: false
+  rbac:
+    enabled: false
+  smtp:
+    enabled: false
+
+portal:
+  enabled: false
+
+portalapi:
+  enabled: false
+
+env:
+  prefix: /kong_prefix/
+  database: postgres
+  password:
+    valueFrom:
+      secretKeyRef:
+        name: kong-enterprise-superuser-password #CHANGEME
+        key: password #CHANGEME
+
+postgresql:
+  enabled: true
+  auth:
+    username: kong
+    database: kong
+
+ingressController:
+  enabled: true
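Review bot: The inline markers `name: kong-enterprise-superuser-password #CHANGEME` and `key: password #CHANGEME` near the end of the hunk are written without the space after `#` and the two spaces before it that yamllint's `comments` rule expects, while the sibling example minimal-kong-enterprise-dbless.yaml writes `license_secret: kong-enterprise-license # CHANGEME`. Suggest `name: kong-enterprise-superuser-password  # CHANGEME` and `key: password  # CHANGEME` so the linter and a grep for `CHANGEME` behave the same across the example files. The license link on the `# CHANGEME:` line points at the `main` branch whereas the other enterprise examples in this commit link to `master`; pick one.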
diff --git a/helm/infrastructure/subcharts/kong/example-values/minimal-kong-controller.yaml b/helm/infrastructure/subcharts/kong/example-values/minimal-kong-controller.yaml
new file mode 100644 (file)
index 0000000..badf152
--- /dev/null
@@ -0,0 +1,12 @@
+# Basic values.yaml configuration for Kong for Kubernetes (with the ingress controller)
+
+image:
+  repository: kong
+  tag: "3.5"
+
+env:
+  prefix: /kong_prefix/
+  database: "off"
+
+ingressController:
+  enabled: true
diff --git a/helm/infrastructure/subcharts/kong/example-values/minimal-kong-enterprise-dbless.yaml b/helm/infrastructure/subcharts/kong/example-values/minimal-kong-enterprise-dbless.yaml
new file mode 100644 (file)
index 0000000..c2c83bb
--- /dev/null
@@ -0,0 +1,38 @@
+# Basic values.yaml for Kong for Kubernetes with Kong Enterprise (DB-less)
+# Several settings (search for the string "CHANGEME") require user-provided
+# Secrets. These Secrets must be created before installation.
+
+image:
+  repository: kong/kong-gateway
+  tag: "3.5"
+
+enterprise:
+  enabled: true
+  # See instructions regarding enterprise licenses at https://github.com/Kong/charts/blob/master/charts/kong/README.md#kong-enterprise-license
+  license_secret: kong-enterprise-license # CHANGEME
+  vitals:
+    enabled: false
+  portal:
+    enabled: false
+  rbac:
+    enabled: false
+
+manager:
+  enabled: false
+
+portal:
+  enabled: false
+
+portalapi:
+  enabled: false
+
+env:
+  database: "off"
+
+ingressController:
+  enabled: true
+
+proxy:
+  # Enable creating a Kubernetes service for the proxy
+  enabled: true
+  type: NodePort
diff --git a/helm/infrastructure/subcharts/kong/example-values/minimal-kong-enterprise-hybrid-control.yaml b/helm/infrastructure/subcharts/kong/example-values/minimal-kong-enterprise-hybrid-control.yaml
new file mode 100644 (file)
index 0000000..89dfab0
--- /dev/null
@@ -0,0 +1,66 @@
+# Basic configuration for Kong Enterprise without the ingress controller, using the Postgres subchart
+# This installation does not create an Ingress or LoadBalancer Service for
+# the Admin API. It requires port-forwards to access without further
+# configuration to add them, e.g.:
+# kubectl port-forward deploy/your-deployment-kong 8001:8001
+# Before installing:
+# * Several settings (search for the string "CHANGEME") require user-provided
+#   Secrets. These Secrets must be created before installation.
+# * Ensure that your session configurations create cookies that are usable
+#   across your services. The admin session configuration must create cookies
+#   that are sent to both the admin API and Kong Manager, and any Dev Portal
+#   instances with authentication must create cookies that are sent to both
+#   the Portal and Portal API.
+
+image:
+  repository: kong/kong-gateway
+  tag: "3.5"
+
+env:
+  database: postgres
+  role: control_plane
+  cluster_cert: /etc/secrets/kong-cluster-cert/tls.crt
+  cluster_cert_key: /etc/secrets/kong-cluster-cert/tls.key
+
+admin:
+  enabled: true
+  http:
+    enabled: true
+
+cluster:
+  enabled: true
+  tls:
+    enabled: true
+
+clustertelemetry:
+  enabled: true
+  tls:
+    containerPort: 8006
+    enabled: true
+    servicePort: 8006
+    type: ClusterIP
+
+proxy:
+  enabled: false
+
+secretVolumes:
+- kong-cluster-cert
+
+postgresql:
+  enabled: true
+
+ingressController:
+  enabled: false
+
+enterprise:
+  enabled: true
+  # See instructions regarding enterprise licenses at https://github.com/Kong/charts/blob/master/charts/kong/README.md#kong-enterprise-license
+  license_secret: kong-enterprise-license # CHANGEME
+  vitals:
+    enabled: false
+
+portal:
+  enabled: false
+
+portalapi:
+  enabled: false
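Review bot: In minimal-kong-enterprise-hybrid-control.yaml, `type: ClusterIP` sits inside `clustertelemetry.tls` rather than directly under `clustertelemetry`; the `kong.service` helper added later in this commit renders `type: {{ .type }}` from the service object itself, so a `type` nested under `tls` appears to be ignored and the telemetry Service would fall back to the chart default. Move it up one level: `clustertelemetry:` / `  enabled: true` / `  type: ClusterIP`, leaving the `tls` block with `enabled`, `servicePort` and `containerPort` only. The hybrid-data example that pairs with this file points `cluster_telemetry_endpoint` at this Service on port 8006, so rendering the chart to confirm the resulting Service type is worthwhile.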
diff --git a/helm/infrastructure/subcharts/kong/example-values/minimal-kong-enterprise-hybrid-data.yaml b/helm/infrastructure/subcharts/kong/example-values/minimal-kong-enterprise-hybrid-data.yaml
new file mode 100644 (file)
index 0000000..ac66f18
--- /dev/null
@@ -0,0 +1,45 @@
+# Basic configuration for Kong Enterprise as a hybrid mode data plane node.
+# It depends on the presence of a control plane release, as shown in
+# https://github.com/Kong/charts/blob/main/charts/kong/example-values/minimal-kong-enterprise-hybrid-control.yaml
+#
+# The "env.cluster_control_plane" value must be changed to your control plane
+# instance's cluster Service hostname. Search "CHANGEME" to find it in this
+# example.
+#
+# Hybrid mode requires a certificate. See https://github.com/Kong/charts/blob/main/charts/kong/README.md#certificates
+# to create one.
+
+
+image:
+  repository: kong/kong-gateway
+  tag: "3.5"
+
+env:
+  role: data_plane
+  cluster_control_plane: CHANGEME-control-service.CHANGEME-namespace.svc.cluster.local:8005
+  cluster_telemetry_endpoint: CHANGEME-cluster-telemetry-service.CHANGEME-namespace.svc.cluster.local:8006
+  lua_ssl_trusted_certificate: /etc/secrets/kong-cluster-cert/tls.crt
+  cluster_cert: /etc/secrets/kong-cluster-cert/tls.crt
+  cluster_cert_key: /etc/secrets/kong-cluster-cert/tls.key
+
+secretVolumes:
+- kong-cluster-cert
+
+ingressController:
+  enabled: false
+
+enterprise:
+  enabled: true
+  # See instructions regarding enterprise licenses at https://github.com/Kong/charts/blob/master/charts/kong/README.md#kong-enterprise-license
+  license_secret: kong-enterprise-license # CHANGEME
+  vitals:
+    enabled: false
+
+manager:
+  enabled: false
+
+portal:
+  enabled: false
+
+portalapi:
+  enabled: false
diff --git a/helm/infrastructure/subcharts/kong/example-values/minimal-kong-gd-controller-konnect.yaml b/helm/infrastructure/subcharts/kong/example-values/minimal-kong-gd-controller-konnect.yaml
new file mode 100644 (file)
index 0000000..68c0731
--- /dev/null
@@ -0,0 +1,24 @@
+deployment:
+  kong:
+    enabled: false
+
+proxy:
+  ## This must match the gateway release's proxy Service name.
+  ## The Service name uses the pattern "<release name>-kong-proxy".
+  ## In this example, the companion gateway release is named "gw"
+  nameOverride: gw-kong-proxy
+
+ingressController:
+  enabled: true
+
+  gatewayDiscovery:
+    enabled: true
+    adminApiService:
+      ## This must match the gateway release's admin Service name.
+      ## The Service name uses the pattern "<release name>-kong-admin".
+      ## In this example, the companion gateway release is named "gw"
+      name: gw-kong-admin
+
+  konnect:
+    enabled: true
+    runtimeGroupID: "00000000-0000-0000-0000-000000000000" # CHANGEME
diff --git a/helm/infrastructure/subcharts/kong/example-values/minimal-kong-gd-controller.yaml b/helm/infrastructure/subcharts/kong/example-values/minimal-kong-gd-controller.yaml
new file mode 100644 (file)
index 0000000..44f1174
--- /dev/null
@@ -0,0 +1,33 @@
+deployment:
+  kong:
+    enabled: false
+
+proxy:
+  ## This must match the gateway release's proxy Service name.
+  ## The Service name uses the pattern "<release name>-kong-proxy".
+  ## In this example, the companion gateway release is named "gw"
+  nameOverride: gw-kong-proxy
+
+ingressController:
+  enabled: true
+
+  gatewayDiscovery:
+    enabled: true
+    adminApiService:
+      ## This must match the gateway release's admin Service name.
+      ## The Service name uses the pattern "<release name>-kong-admin".
+      ## In this example, the companion gateway release is named "gw"
+      name: gw-kong-admin
+
+  adminApi:
+    tls:
+      client:
+        # Enable TLS client authentication for the Admin API.
+        enabled: true
+        # We're specifying the name of the secret to have a static name that we
+        # will use in the gateway release.
+        caSecretName: "admin-api-ca-cert"
+
+  env:
+    # This must match the gateway release's proxy Service HTTPs port name.
+    kong_admin_svc_port_names: "kong-admin-tls"
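Review bot: The comment above `kong_admin_svc_port_names: "kong-admin-tls"` says the value must match the gateway release's proxy Service HTTPS port name, but `kong-admin-tls` follows the admin Service's TLS port naming (`kong-<serviceName>-tls` in the `kong.service` helper) and the setting is consumed by the controller's admin API discovery configured just above it. Suggest `# This must match the gateway release's admin Service HTTPS port name.` so the comment does not send a reader to the wrong Service when the two port names diverge.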
diff --git a/helm/infrastructure/subcharts/kong/example-values/minimal-kong-gd-gateway.yaml b/helm/infrastructure/subcharts/kong/example-values/minimal-kong-gd-gateway.yaml
new file mode 100644 (file)
index 0000000..f45303d
--- /dev/null
@@ -0,0 +1,17 @@
+admin:
+  enabled: true
+  type: ClusterIP
+  clusterIP: None
+  tls:
+    client:
+      secretName: "admin-api-ca-cert"
+
+ingressController:
+  enabled: false
+
+replicaCount: 3
+## This example creates a static 3-Pod Kong gateway Deployment.
+## To use autoscaling instead, comment the above replicaCount and uncomment
+## the autoscaling section below.
+# autoscaling:
+#   enabled: true
diff --git a/helm/infrastructure/subcharts/kong/example-values/minimal-kong-hybrid-control.yaml b/helm/infrastructure/subcharts/kong/example-values/minimal-kong-hybrid-control.yaml
new file mode 100644 (file)
index 0000000..e8b449a
--- /dev/null
@@ -0,0 +1,45 @@
+# Basic configuration for Kong without the ingress controller, using the Postgres subchart
+# This installation does not create an Ingress or LoadBalancer Service for
+# the Admin API. It requires port-forwards to access without further
+# configuration to add them, e.g.:
+# kubectl port-forward deploy/your-deployment-kong 8001:8001
+
+image:
+  repository: kong
+  tag: "3.5"
+
+env:
+  prefix: /kong_prefix/
+  database: postgres
+  role: control_plane
+  cluster_cert: /etc/secrets/kong-cluster-cert/tls.crt
+  cluster_cert_key: /etc/secrets/kong-cluster-cert/tls.key
+
+admin:
+  enabled: true
+  http:
+    enabled: true
+    servicePort: 8001
+    containerPort: 8001
+
+cluster:
+  enabled: true
+  tls:
+    enabled: true
+    servicePort: 8005
+    containerPort: 8005
+
+proxy:
+  enabled: false
+
+secretVolumes:
+- kong-cluster-cert
+
+postgresql:
+  enabled: true
+  auth:
+    username: kong
+    database: kong
+
+ingressController:
+  enabled: false
diff --git a/helm/infrastructure/subcharts/kong/example-values/minimal-kong-hybrid-data.yaml b/helm/infrastructure/subcharts/kong/example-values/minimal-kong-hybrid-data.yaml
new file mode 100644 (file)
index 0000000..c3e88e2
--- /dev/null
@@ -0,0 +1,32 @@
+# Basic configuration for Kong as a hybrid mode data plane node.
+# It depends on the presence of a control plane release, as shown in
+# https://github.com/Kong/charts/blob/main/charts/kong/example-values/minimal-kong-hybrid-control.yaml
+#
+# The "env.cluster_control_plane" value must be changed to your control plane
+# instance's cluster Service hostname. Search "CHANGEME" to find it in this
+# example.
+#
+# Hybrid mode requires a certificate. See https://github.com/Kong/charts/blob/main/charts/kong/README.md#certificates
+# to create one.
+
+image:
+  repository: kong
+  tag: "3.5"
+
+env:
+  prefix: /kong_prefix/
+  database: "off"
+  role: data_plane
+  cluster_control_plane: CHANGEME-control-service.CHANGEME-namespace.svc.cluster.local:8005
+  lua_ssl_trusted_certificate: /etc/secrets/kong-cluster-cert/tls.crt
+  cluster_cert: /etc/secrets/kong-cluster-cert/tls.crt
+  cluster_cert_key: /etc/secrets/kong-cluster-cert/tls.key
+
+admin:
+  enabled: false
+
+secretVolumes:
+- kong-cluster-cert
+
+ingressController:
+  enabled: false
diff --git a/helm/infrastructure/subcharts/kong/example-values/minimal-kong-standalone.yaml b/helm/infrastructure/subcharts/kong/example-values/minimal-kong-standalone.yaml
new file mode 100644 (file)
index 0000000..e36d18a
--- /dev/null
@@ -0,0 +1,29 @@
+# Basic configuration for Kong without the ingress controller, using the Postgres subchart
+# This installation does not create an Ingress or LoadBalancer Service for
+# the Admin API. It requires port-forwards to access without further
+# configuration to add them, e.g.:
+# kubectl port-forward deploy/your-deployment-kong 8001:8001
+
+image:
+  repository: kong
+  tag: "3.5"
+
+env:
+  prefix: /kong_prefix/
+  database: postgres
+
+admin:
+  enabled: true
+  http:
+    enabled: true
+    servicePort: 8001
+    containerPort: 8001
+
+postgresql:
+  enabled: true
+  auth:
+    username: kong
+    database: kong
+
+ingressController:
+  enabled: false
index d7ee3f3..ea035aa 100644 (file)
@@ -1,16 +1,42 @@
-To connect to Kong, please execute the following command
+To connect to Kong, please execute the following commands:
+{{ if contains "LoadBalancer" .Values.proxy.type }}
+HOST=$(kubectl get svc --namespace {{ template "kong.namespace" . }} {{ template "kong.fullname" . }}-proxy -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
+PORT=$(kubectl get svc --namespace {{ template "kong.namespace" . }} {{ template "kong.fullname" . }}-proxy -o jsonpath='{.spec.ports[0].port}')
+{{ else if contains "NodePort" .Values.proxy.type }}HOST=$(kubectl get nodes --namespace {{ template "kong.namespace" . }} -o jsonpath='{.items[0].status.addresses[0].address}')
+PORT=$(kubectl get svc --namespace {{ template "kong.namespace" . }} {{ template "kong.fullname" . }}-proxy -o jsonpath='{.spec.ports[0].nodePort}')
+{{ end -}}
+export PROXY_IP=${HOST}:${PORT}
+curl $PROXY_IP
+
+Once installed, please follow along the getting started guide to start using
+Kong: https://docs.konghq.com/kubernetes-ingress-controller/latest/guides/getting-started/
 
+{{ $warnings := list -}}
 
-{{- if contains "LoadBalancer" .Values.proxy.type }}
-  HOST=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ template "kong.fullname" . }}-proxy -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
-  PORT=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ template "kong.fullname" . }}-proxy -o jsonpath='{.spec.ports[0].port}')
-{{- else if contains "NodePort" .Values.proxy.type -}}
-  HOST=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath='{.items[0].status.addresses[0].address}')
-  PORT=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ template "kong.fullname" . }}-proxy -o jsonpath='{.spec.ports[0].nodePort}')
+{{- if (hasKey .Values.ingressController "serviceAccount") -}}
+{{- if (or (hasKey .Values.ingressController.serviceAccount "name") (hasKey .Values.ingressController.serviceAccount "annotations")) -}}
+{{- $warnings = append $warnings "you have set either .ingressController.serviceAccount.name or .ingressController.serviceAccount.annotations. These settings have moved to .deployment.serviceAccount.name and .deployment.serviceAccount.annotations. You must move your configuration to the new location in values.yaml" -}}
 {{- end -}}
-export PROXY_IP=${HOST}:${PORT}
-curl $PROXY_IP
+{{- end -}}
+
+{{- if and .Values.manager.enabled (or .Values.manager.http.enabled .Values.manager.tls.enabled) -}}
+{{- if not (and .Values.admin.enabled (or .Values.admin.http.enabled .Values.admin.tls.enabled)) -}}
+{{- $warnings = append $warnings "Kong Manager will not be functional because the Admin API is not enabled. Setting both .admin.enabled and .admin.http.enabled and/or .admin.tls.enabled to true to enable the Admin API over HTTP/TLS." -}}
+{{- end -}}
+{{- end -}}
+
+{{- include "kong.deprecation-warnings" $warnings -}}
+
+{{- if .Values.demo -}}
+
+#############################################################################################
+##### WARNING: DEMO VALUES USED
+#############################################################################################
 
-Once installed, please follow along the getting started guide to start using Kong:
-https://bit.ly/k4k8s-get-started
+The values file used has been marked as a demo configuration.
+It should NOT be used in production without comprehensive review of all settings provided.
 
+#############################################################################################
+##### WARNING: DEMO VALUES USED
+#############################################################################################
+{{- end -}}
\ No newline at end of file
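Review bot: The LoadBalancer branch at the top of the hunk reads only `.status.loadBalancer.ingress[0].ip`, so on providers that publish a hostname rather than an address the rendered `HOST=` is empty and the `curl $PROXY_IP` line below it cannot work; `-o jsonpath='{.status.loadBalancer.ingress[0].ip}{.status.loadBalancer.ingress[0].hostname}'` prints whichever of the two is set. The Kong Manager warning text is a sentence fragment: `Setting both .admin.enabled and .admin.http.enabled and/or .admin.tls.enabled to true to enable the Admin API over HTTP/TLS.` reads better as `Set both .admin.enabled and .admin.http.enabled and/or .admin.tls.enabled to true to enable the Admin API over HTTP/TLS.`. The NodePort branch keeps `HOST=` on the same line as its `{{ else if ... }}` tag while the LoadBalancer branch does not, which is presumably deliberate whitespace control but deserves a one-line `{{/* ... */}}` comment so it is not "fixed" later.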
index 853b83f..2dab586 100644 (file)
@@ -4,13 +4,21 @@ Create a default fully qualified app name.
 We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
 */}}
 
+{{- define "kong.namespace" -}}
+{{- default .Release.Namespace .Values.namespace -}}
+{{- end -}}
+
+{{- define "kong.release" -}}
+{{- default .Release.Name -}}
+{{- end -}}
+
 {{- define "kong.name" -}}
 {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
 {{- end -}}
 
 {{- define "kong.fullname" -}}
 {{- $name := default .Chart.Name .Values.nameOverride -}}
-{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- default (printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-") .Values.fullnameOverride -}}
 {{- end -}}
 
 {{- define "kong.chart" -}}
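Review bot: The new `kong.fullname` body applies `trunc 63 | trimSuffix "-"` only to the generated name, not to `.Values.fullnameOverride`, so an override longer than 63 characters is emitted unchanged even though the comment at the top of this section says names are truncated for the DNS limit. Move the override into the pipeline: `{{- default (printf "%s-%s" .Release.Name $name) .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}`. Separately, `kong.release` calls `default .Release.Name` with no second argument, which simply yields `.Release.Name`; either pass the intended override value as the second argument or write `{{- .Release.Name -}}` so the helper does not suggest a fallback it does not have.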
@@ -23,6 +31,9 @@ helm.sh/chart: {{ template "kong.chart" . }}
 app.kubernetes.io/instance: "{{ .Release.Name }}"
 app.kubernetes.io/managed-by: "{{ .Release.Service }}"
 app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- range $key, $value := .Values.extraLabels }}
+{{ $key }}: {{ include "kong.renderTpl" (dict "value" $value "context" $) | quote }}
+{{- end }}
 {{- end -}}
 
 {{- define "kong.selectorLabels" -}}
@@ -45,84 +56,379 @@ app.kubernetes.io/instance: "{{ .Release.Name }}"
 Create the name of the service account to use
 */}}
 {{- define "kong.serviceAccountName" -}}
-{{- if .Values.ingressController.serviceAccount.create -}}
-    {{ default (include "kong.fullname" .) .Values.ingressController.serviceAccount.name }}
+{{- if .Values.deployment.serviceAccount.create -}}
+    {{ default (include "kong.fullname" .) .Values.deployment.serviceAccount.name }}
 {{- else -}}
-    {{ default "default" .Values.ingressController.serviceAccount.name }}
+    {{ default "default" .Values.deployment.serviceAccount.name }}
 {{- end -}}
 {{- end -}}
 
 {{/*
-Create the KONG_PROXY_LISTEN value string
+Create the name of the secret for service account token to use
 */}}
-{{- define "kong.kongProxyListenValue" -}}
-
-{{- if and .Values.proxy.http.enabled .Values.proxy.tls.enabled -}}
-   0.0.0.0:{{ .Values.proxy.http.containerPort }},0.0.0.0:{{ .Values.proxy.tls.containerPort }} ssl
-{{- else -}}
-{{- if .Values.proxy.http.enabled -}}
-   0.0.0.0:{{ .Values.proxy.http.containerPort }}
-{{- end -}}
-{{- if .Values.proxy.tls.enabled -}}
-   0.0.0.0:{{ .Values.proxy.tls.containerPort }} ssl
-{{- end -}}
+{{- define "kong.serviceAccountTokenName" -}}
+{{ include "kong.serviceAccountName" . }}-token
 {{- end -}}
 
+{{/*
+Create Ingress resource for a Kong service
+*/}}
+{{- define "kong.ingress" -}}
+{{- $servicePort := include "kong.ingress.servicePort" . }}
+{{- $path := .ingress.path -}}
+{{- $hostname := .ingress.hostname -}}
+{{- $pathType := .ingress.pathType -}}
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: {{ .fullName }}-{{ .serviceName }}
+  namespace: {{ .namespace }}
+  labels:
+  {{- .metaLabels | nindent 4 }}
+  {{- range $key, $value := .ingress.labels }}
+    {{- $key | nindent 4 }}: {{ $value | quote }}
+  {{- end }}
+  {{- if .ingress.annotations }}
+  annotations:
+    {{- range $key, $value := .ingress.annotations }}
+    {{ $key }}: {{ $value | quote }}
+    {{- end }}
+  {{- end }}
+spec:
+{{- if .ingress.ingressClassName }}
+  ingressClassName: {{ .ingress.ingressClassName }}
 {{- end }}
+  rules:
+  {{- if ( not (or $hostname .ingress.hosts)) }}
+  - http:
+      paths:
+        - backend:
+            service:
+              name: {{ .fullName }}-{{ .serviceName }}
+              port:
+                number: {{ $servicePort }}
+          path: {{ $path }}
+          pathType: {{ $pathType }}
+  {{- else if $hostname }}
+  - host: {{ $hostname | quote }}
+    http:
+      paths:
+        - backend:
+            service:
+              name: {{ .fullName }}-{{ .serviceName }}
+              port:
+                number: {{ $servicePort }}
+          path: {{ $path }}
+          pathType: {{ $pathType }}
+  {{- end }}
+  {{- range .ingress.hosts }}
+  - host: {{ .host | quote }}
+    http:
+      paths:
+        {{- range .paths }}
+        - backend:
+          {{- if .backend -}}
+            {{ .backend | toYaml | nindent 12 }}
+          {{- else }}
+            service:
+              name: {{ $.fullName }}-{{ $.serviceName }}
+              port:
+                number: {{ $servicePort }}
+          {{- end }}
+          {{- if (and $hostname (and (eq $path .path))) }}
+          {{- fail "duplication of specified ingress path" }}
+          {{- end }}
+          path: {{ .path }}
+          pathType: {{ .pathType }}
+        {{- end }}
+  {{- end }}
+  {{- if (hasKey .ingress "tls") }}
+  tls:
+  {{- if (kindIs "string" .ingress.tls) }}
+    - hosts:
+      {{- range .ingress.hosts }}
+        - {{ .host | quote }}
+      {{- end }}
+      {{- if $hostname }}
+        - {{ $hostname | quote }}
+      {{- end }}
+      secretName: {{ .ingress.tls }}
+  {{- else if (kindIs "slice" .ingress.tls) }}
+    {{- range .ingress.tls }}
+    - hosts:
+        {{- range .hosts }}
+        - {{ . | quote }}
+        {{- end }}
+      secretName: {{ .secretName }}
+    {{- end }}
+  {{- end }}
+  {{- end }}
+{{- end -}}
 
 {{/*
-Create the KONG_ADMIN_GUI_LISTEN value string
+Create Service resource for a Kong service
 */}}
-{{- define "kong.kongManagerListenValue" -}}
-
-{{- if and .Values.manager.http.enabled .Values.manager.tls.enabled -}}
-   0.0.0.0:{{ .Values.manager.http.containerPort }},0.0.0.0:{{ .Values.manager.tls.containerPort }} ssl
-{{- else -}}
-{{- if .Values.manager.http.enabled -}}
-   0.0.0.0:{{ .Values.manager.http.containerPort }}
-{{- end -}}
-{{- if .Values.manager.tls.enabled -}}
-   0.0.0.0:{{ .Values.manager.tls.containerPort }} ssl
-{{- end -}}
+{{- define "kong.service" -}}
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ .fullName }}-{{ .serviceName }}
+  namespace: {{ .namespace }}
+  {{- if .annotations }}
+  annotations:
+  {{- range $key, $value := .annotations }}
+    {{ $key }}: {{ $value | quote }}
+  {{- end }}
+  {{- end }}
+  labels:
+    {{- .metaLabels | nindent 4 }}
+  {{- range $key, $value := .labels }}
+    {{ $key }}: {{ $value | quote }}
+  {{- end }}
+spec:
+  type: {{ .type }}
+  {{- if eq .type "LoadBalancer" }}
+  {{- if .loadBalancerIP }}
+  loadBalancerIP: {{ .loadBalancerIP }}
+  {{- end }}
+  {{- if .loadBalancerSourceRanges }}
+  loadBalancerSourceRanges:
+  {{- range $cidr := .loadBalancerSourceRanges }}
+  - {{ $cidr }}
+  {{- end }}
+  {{- end }}
+  {{- if .loadBalancerClass }}
+  loadBalancerClass: {{ .loadBalancerClass }}
+  {{- end }}
+  {{- end }}
+  {{- if .externalIPs }}
+  externalIPs:
+  {{- range $ip := .externalIPs }}
+  - {{ $ip }}
+  {{- end -}}
+  {{- end }}
+  ports:
+  {{- if .http }}
+  {{- if .http.enabled }}
+  - name: kong-{{ .serviceName }}
+    port: {{ .http.servicePort }}
+    targetPort: {{ .http.containerPort }}
+  {{- if .http.appProtocol }}
+    appProtocol: {{ .http.appProtocol }}
+  {{- end }}
+  {{- if (and (or (eq .type "LoadBalancer") (eq .type "NodePort")) (not (empty .http.nodePort))) }}
+    nodePort: {{ .http.nodePort }}
+  {{- end }}
+    protocol: TCP
+  {{- end }}
+  {{- end }}
+  {{- if .tls.enabled }}
+  - name: kong-{{ .serviceName }}-tls
+    port: {{ .tls.servicePort }}
+    targetPort: {{ .tls.overrideServiceTargetPort | default .tls.containerPort }}
+  {{- if .tls.appProtocol }}
+    appProtocol: {{ .tls.appProtocol }}
+  {{- end }}
+  {{- if (and (or (eq .type "LoadBalancer") (eq .type "NodePort")) (not (empty .tls.nodePort))) }}
+    nodePort: {{ .tls.nodePort }}
+  {{- end }}
+    protocol: TCP
+  {{- end }}
+  {{- if (hasKey . "stream") }}
+    {{- $defaultProtocol := "TCP" }}
+    {{- if (hasSuffix "udp-proxy" .serviceName) }}
+      {{- $defaultProtocol = "UDP" }}
+    {{- end }}
+    {{- range $index, $streamEntry := .stream }}
+      {{- if (not (hasKey $streamEntry "protocol")) }}
+        {{- $_ := set $streamEntry "protocol" $defaultProtocol }}
+      {{- end }}
+    {{- end }}
+  {{- range .stream }}
+  - name: stream{{ if (eq (default "TCP" .protocol) "UDP") }}udp{{ end }}-{{ .containerPort }}
+    port: {{ .servicePort }}
+    targetPort: {{ .containerPort }}
+    {{- if (and (or (eq $.type "LoadBalancer") (eq $.type "NodePort")) (not (empty .nodePort))) }}
+    nodePort: {{ .nodePort }}
+    {{- end }}
+    protocol: {{ .protocol | default "TCP" }}
+  {{- end }}
+  {{- end }}
+  {{- if .externalTrafficPolicy }}
+  externalTrafficPolicy: {{ .externalTrafficPolicy }}
+  {{- end }}
+  {{- if .clusterIP }}
+  {{- if (or (not (eq .clusterIP "None")) (and (eq .type "ClusterIP") (eq .clusterIP "None"))) }}
+  clusterIP: {{ .clusterIP }}
+  {{- end }}
+  {{- end }}
+  selector:
+    {{- .selectorLabels | nindent 4 }}
 {{- end -}}
 
-{{- end }}
 
 {{/*
-Create the KONG_PORTAL_GUI_LISTEN value string
+Create KONG_SERVICE_LISTEN strings
+Generic tool for creating KONG_PROXY_LISTEN, KONG_ADMIN_LISTEN, etc.
 */}}
-{{- define "kong.kongPortalListenValue" -}}
+{{- define "kong.listen" -}}
+  {{- $unifiedListen := list -}}
+  {{- $defaultAddrs := (list "0.0.0.0" "[::]") -}}
 
-{{- if and .Values.portal.http.enabled .Values.portal.tls.enabled -}}
-   0.0.0.0:{{ .Values.portal.http.containerPort }},0.0.0.0:{{ .Values.portal.tls.containerPort }} ssl
-{{- else -}}
-{{- if .Values.portal.http.enabled -}}
-   0.0.0.0:{{ .Values.portal.http.containerPort }}
+  {{/* Some services do not support these blocks at all, so these checks are a
+       two-stage "is it safe to evaluate this?" and then "should we evaluate
+       this?"
+  */}}
+  {{- if .http -}}
+    {{- if .http.enabled -}}
+      {{- $listenConfig := dict -}}
+      {{- $listenConfig := merge $listenConfig .http -}}
+      {{- $addresses := (default $defaultAddrs .addresses) -}}
+      {{- range $addresses -}}
+        {{- $_ := set $listenConfig "address" . -}}
+        {{- $httpListen := (include "kong.singleListen" $listenConfig) -}}
+        {{- $unifiedListen = append $unifiedListen $httpListen -}}
+      {{- end -}}
+    {{- end -}}
+  {{- end -}}
+
+  {{- if .tls -}}
+    {{- if .tls.enabled -}}
+      {{/*
+      This is a bit of a hack to support always including "ssl" in the parameter
+      list for TLS listens. It's not possible to set a variable to an object from
+      .Values and then modify one of the objects values locally, although
+      https://github.com/helm/helm/issues/4987 indicates it should be. Instead,
+      this creates a new object and new parameters list built from the original.
+      */}}
+      {{- $listenConfig := dict -}}
+      {{- $listenConfig := merge $listenConfig .tls -}}
+      {{- $parameters := append .tls.parameters "ssl" -}}
+      {{- $_ := set $listenConfig "parameters" $parameters -}}
+      {{- $addresses := (default $defaultAddrs .addresses) -}}
+      {{- range $addresses -}}
+        {{- $_ := set $listenConfig "address" . -}}
+        {{- $tlsListen := (include "kong.singleListen" $listenConfig) -}}
+        {{- $unifiedListen = append $unifiedListen $tlsListen -}}
+      {{- end -}}
+    {{- end -}}
+  {{- end -}}
+
+  {{- $listenString := ($unifiedListen | join ", ") -}}
+  {{- if eq (len $listenString) 0 -}}
+    {{- $listenString = "off" -}}
+  {{- end -}}
+  {{- $listenString -}}
 {{- end -}}
-{{- if .Values.portal.tls.enabled -}}
-   0.0.0.0:{{ .Values.portal.tls.containerPort }} ssl
+
+{{/*
+Create KONG_PORT_MAPS string
+Parameters: takes a service (e.g. .Values.proxy) as its argument and returns KONG_PORT_MAPS for that service.
+*/}}
+{{- define "kong.port_maps" -}}
+  {{- $portMaps := list -}}
+
+  {{- if .http.enabled -}}
+        {{- $portMaps = append $portMaps (printf "%d:%d" (int64 .http.servicePort) (int64 .http.containerPort)) -}}
+  {{- end -}}
+
+  {{- if .tls.enabled -}}
+        {{- $portMaps = append $portMaps (printf "%d:%d" (int64 .tls.servicePort) (int64 .tls.containerPort)) -}}
+  {{- end -}}
+
+  {{- $portMapsString := ($portMaps | join ", ") -}}
+  {{- $portMapsString -}}
 {{- end -}}
+
+{{/*
+Create KONG_STREAM_LISTEN string
+*/}}
+{{- define "kong.streamListen" -}}
+  {{- $unifiedListen := list -}}
+  {{- $defaultAddrs := (list "0.0.0.0" "[::]") -}}
+  {{- range .stream -}}
+    {{- $listenConfig := dict -}}
+    {{- $listenConfig := merge $listenConfig . -}}
+    {{- $addresses := (default $defaultAddrs .addresses) -}}
+    {{- range $addresses -}}
+      {{- $_ := set $listenConfig "address" . -}}
+      {{/* You set NGINX stream listens to UDP using a parameter due to historical reasons.
+           Our configuration is dual-purpose, for both the Service and listen string, so we
+           forcibly inject this parameter if that's the Service protocol. The default handles
+           configs that predate the addition of the protocol field, where we only supported TCP. */}}
+      {{- if (eq (default "TCP" $listenConfig.protocol) "UDP") -}}
+        {{- $_ := set $listenConfig "parameters" (append (default (list) $listenConfig.parameters) "udp") -}}
+      {{- end -}}
+      {{- $unifiedListen = append $unifiedListen (include "kong.singleListen" $listenConfig ) -}}
+    {{- end -}}
+  {{- end -}}
+
+  {{- $listenString := ($unifiedListen | join ", ") -}}
+  {{- if eq (len $listenString) 0 -}}
+    {{- $listenString = "" -}}
+  {{- end -}}
+  {{- $listenString -}}
 {{- end -}}
 
-{{- end }}
+{{/*
+Create a single listen (IP+port+parameter combo)
+*/}}
+{{- define "kong.singleListen" -}}
+  {{- $listen := list -}}
+  {{- $listen = append $listen (printf "%s:%d" .address (int64 .containerPort)) -}}
+  {{- range $param := .parameters | default (list) | uniq }}
+    {{- $listen = append $listen $param -}}
+  {{- end -}}
+  {{- $listen | join " " -}}
+{{- end -}}
 
 {{/*
-Create the KONG_PORTAL_API_LISTEN value string
+Return the admin API service name for service discovery
 */}}
-{{- define "kong.kongPortalApiListenValue" -}}
+{{- define "kong.adminSvc" -}}
+{{- $gatewayDiscovery := .Values.ingressController.gatewayDiscovery -}}
+{{- if $gatewayDiscovery.enabled -}}
+  {{- $adminApiService := $gatewayDiscovery.adminApiService -}}
+  {{- $adminApiServiceName := $gatewayDiscovery.adminApiService.name -}}
+  {{- $generateAdminApiService := $gatewayDiscovery.generateAdminApiService -}}
+
+  {{- if and $generateAdminApiService $adminApiService.name -}}
+    {{- fail (printf ".Values.ingressController.gatewayDiscovery.adminApiService and .Values.ingressController.gatewayDiscovery.generateAdminApiService must not be provided at the same time")  -}}
+  {{- end -}}
+
+  {{- if $generateAdminApiService -}}
+    {{- $adminApiServiceName = (printf "%s-%s" .Release.Name "gateway-admin") -}}
+  {{- else }}
+    {{- $_ := required ".ingressController.gatewayDiscovery.adminApiService.name has to be provided when .Values.ingressController.gatewayDiscovery.enabled is set to true"  $adminApiServiceName -}}
+  {{- end }}
+
+  {{- if (semverCompare "< 2.9.0" (include "kong.effectiveVersion" .Values.ingressController.image)) }}
+  {{- fail (printf "Gateway discovery is available in controller versions 2.9 and up. Detected %s" (include "kong.effectiveVersion" .Values.ingressController.image)) }}
+  {{- end }}
 
-{{- if and .Values.portalapi.http.enabled .Values.portalapi.tls.enabled -}}
-   0.0.0.0:{{ .Values.portalapi.http.containerPort }},0.0.0.0:{{ .Values.portalapi.tls.containerPort }} ssl
+  {{- if .Values.deployment.kong.enabled }}
+  {{- fail "deployment.kong.enabled and ingressController.gatewayDiscovery.enabled are mutually exclusive and cannot be enabled at once. Gateway discovery requires a split release installation of Gateways and Ingress Controller." }}
+  {{- end }}
+
+  {{- $namespace := $adminApiService.namespace | default ( include "kong.namespace" . ) -}}
+  {{- printf "%s/%s" $namespace $adminApiServiceName -}}
 {{- else -}}
-{{- if .Values.portalapi.http.enabled -}}
-   0.0.0.0:{{ .Values.portalapi.http.containerPort }}
-{{- end -}}
-{{- if .Values.portalapi.tls.enabled -}}
-   0.0.0.0:{{ .Values.portalapi.tls.containerPort }} ssl
+  {{- fail "Can't use gateway discovery when .Values.ingressController.gatewayDiscovery.enabled is set to false." -}}
 {{- end -}}
 {{- end -}}
 
-{{- end }}
+{{/*
+Return the local admin API URL, preferring HTTPS if available
+*/}}
+{{- define "kong.adminLocalURL" -}}
+  {{- if .Values.admin.tls.enabled -}}
+https://localhost:{{ .Values.admin.tls.containerPort }}
+  {{- else if .Values.admin.http.enabled -}}
+http://localhost:{{ .Values.admin.http.containerPort }}
+  {{- else -}}
+http://localhost:9999 # You have no admin listens! The controller will not work unless you set .Values.admin.http.enabled=true or .Values.admin.tls.enabled=true!
+  {{- end -}}
+{{- end -}}
 
 {{/*
 Create the ingress servicePort value string
@@ -159,67 +465,280 @@ The name of the service used for the ingress controller's validation webhook
 {{ include "kong.fullname" . }}-validation-webhook
 {{- end -}}
 
-{{- define "kong.env" -}}
-{{- range $key, $val := .Values.env }}
-- name: KONG_{{ $key | upper}}
-{{- $valueType := printf "%T" $val -}}
-{{ if eq $valueType "map[string]interface {}" }}
-{{ toYaml $val | indent 2 -}}
-{{- else }}
-  value: {{ $val | quote -}}
-{{- end -}}
-{{- end -}}
+
+{{/*
+The name of the Service which will be used by the controller to update the Ingress status field.
+*/}}
+
+{{- define "kong.controller-publish-service" -}}
+{{- $proxyOverride := "" -}}
+  {{- if .Values.proxy.nameOverride -}}
+    {{- $proxyOverride = ( tpl .Values.proxy.nameOverride . ) -}}
+  {{- end -}}
+{{- (printf "%s/%s" ( include "kong.namespace" . ) ( default ( printf "%s-proxy" (include "kong.fullname" . )) $proxyOverride )) -}}
 {{- end -}}
 
 {{- define "kong.ingressController.env" -}}
+{{/*
+    ====== AUTO-GENERATED ENVIRONMENT VARIABLES ======
+*/}}
+
+
+{{- $autoEnv := dict -}}
+  {{- $_ := set $autoEnv "CONTROLLER_KONG_ADMIN_TLS_SKIP_VERIFY" true -}}
+  {{- $_ := set $autoEnv "CONTROLLER_PUBLISH_SERVICE" ( include "kong.controller-publish-service" . ) -}}
+  {{- $_ := set $autoEnv "CONTROLLER_INGRESS_CLASS" .Values.ingressController.ingressClass -}}
+  {{- $_ := set $autoEnv "CONTROLLER_ELECTION_ID" (printf "kong-ingress-controller-leader-%s" .Values.ingressController.ingressClass) -}}
+
+  {{- if .Values.ingressController.admissionWebhook.enabled }}
+    {{- $address := (default "0.0.0.0" .Values.ingressController.admissionWebhook.address) -}}
+    {{- $_ := set $autoEnv "CONTROLLER_ADMISSION_WEBHOOK_LISTEN" (printf "%s:%d" $address (int64 .Values.ingressController.admissionWebhook.port)) -}}
+  {{- end }}
+  {{- if (not (eq (len .Values.ingressController.watchNamespaces) 0)) }}
+    {{- $_ := set $autoEnv "CONTROLLER_WATCH_NAMESPACE" (.Values.ingressController.watchNamespaces | join ",") -}}
+  {{- end }}
+
+{{/*
+    ====== ADMIN API CONFIGURATION ======
+*/}}
+
+  {{- if .Values.ingressController.gatewayDiscovery.enabled -}}
+    {{- $_ := set $autoEnv "CONTROLLER_KONG_ADMIN_SVC" (include "kong.adminSvc" . ) -}}
+  {{- else -}}
+    {{- $_ := set $autoEnv "CONTROLLER_KONG_ADMIN_URL" (include "kong.adminLocalURL" .) -}}
+  {{- end -}}
+
+  {{- if .Values.ingressController.adminApi.tls.client.enabled }}
+    {{- $_ := set $autoEnv "CONTROLLER_KONG_ADMIN_TLS_CLIENT_CERT_FILE" "/etc/secrets/admin-api-cert/tls.crt" -}}
+    {{- $_ := set $autoEnv "CONTROLLER_KONG_ADMIN_TLS_CLIENT_KEY_FILE" "/etc/secrets/admin-api-cert/tls.key" -}}
+  {{- end }}
+
+{{/*
+    ====== KONNECT ENVIRONMENT VARIABLES ======
+*/}}
+
+{{- if .Values.ingressController.konnect.enabled }}
+  {{- if (semverCompare "< 2.9.0" (include "kong.effectiveVersion" .Values.ingressController.image)) }}
+  {{- fail (printf "Konnect sync is available in controller versions 2.9 and up. Detected %s" (include "kong.effectiveVersion" .Values.ingressController.image)) }}
+  {{- end }}
+
+  {{- if not .Values.ingressController.gatewayDiscovery.enabled }}
+  {{- fail "ingressController.gatewayDiscovery.enabled has to be true when ingressController.konnect.enabled"}}
+  {{- end }}
+
+  {{- $konnect := .Values.ingressController.konnect -}}
+  {{- $_ := required "ingressController.konnect.runtimeGroupID is required when ingressController.konnect.enabled" $konnect.runtimeGroupID -}}
+
+  {{- $_ = set $autoEnv "CONTROLLER_KONNECT_SYNC_ENABLED" true -}}
+  {{- $_ = set $autoEnv "CONTROLLER_KONNECT_RUNTIME_GROUP_ID" $konnect.runtimeGroupID -}}
+  {{- $_ = set $autoEnv "CONTROLLER_KONNECT_ADDRESS" (printf "https://%s" .Values.ingressController.konnect.apiHostname) -}}
+
+  {{- $tlsCert := include "secretkeyref" (dict "name" $konnect.tlsClientCertSecretName "key" "tls.crt") -}}
+  {{- $tlsKey := include "secretkeyref" (dict "name" $konnect.tlsClientCertSecretName "key" "tls.key") -}}
+  {{- $_ = set $autoEnv "CONTROLLER_KONNECT_TLS_CLIENT_CERT" $tlsCert -}}
+  {{- $_ = set $autoEnv "CONTROLLER_KONNECT_TLS_CLIENT_KEY" $tlsKey -}}
+
+  {{- if $konnect.license.enabled }}
+  {{- $_ = set $autoEnv "CONTROLLER_KONNECT_LICENSING_ENABLED" true -}}
+  {{- end }}
+{{- end }}
+
+{{/*
+    ====== USER-SET ENVIRONMENT VARIABLES ======
+*/}}
+
+{{- $userEnv := dict -}}
 {{- range $key, $val := .Values.ingressController.env }}
-- name: CONTROLLER_{{ $key | upper}}
-{{- $valueType := printf "%T" $val -}}
-{{ if eq $valueType "map[string]interface {}" }}
-{{ toYaml $val | indent 2 -}}
-{{- else }}
-  value: {{ $val | quote -}}
+  {{- $upper := upper $key -}}
+  {{- $var := printf "CONTROLLER_%s" $upper -}}
+  {{- $_ := set $userEnv $var $val -}}
+{{- end -}}
+
+{{/*
+    ====== CUSTOM-SET INGRESS CONTROLLER ENVIRONMENT VARIABLES ======
+*/}}
+
+{{- $customIngressEnv := dict -}}
+{{- range $key, $val := .Values.ingressController.customEnv }}
+  {{- $upper := upper $key -}}
+  {{- $_ := set $customIngressEnv $upper $val -}}
 {{- end -}}
+
+{{/*
+      ====== MERGE AND RENDER ENV BLOCK ======
+*/}}
+
+{{- $completeEnv := mergeOverwrite $autoEnv $userEnv $customIngressEnv -}}
+{{- template "kong.renderEnv" $completeEnv -}}
+
 {{- end -}}
+
+{{- define "kong.userDefinedVolumes" -}}
+{{- if .Values.deployment.userDefinedVolumes }}
+{{- toYaml .Values.deployment.userDefinedVolumes }}
+{{- end }}
 {{- end -}}
 
 {{- define "kong.volumes" -}}
 - name: {{ template "kong.fullname" . }}-prefix-dir
-  emptyDir: {}
+  emptyDir:
+    sizeLimit: {{ .Values.deployment.prefixDir.sizeLimit }}
 - name: {{ template "kong.fullname" . }}-tmp
-  emptyDir: {}
+  emptyDir:
+    sizeLimit: {{ .Values.deployment.tmpDir.sizeLimit }}
+{{- if (and (not .Values.deployment.serviceAccount.automountServiceAccountToken) (or .Values.deployment.serviceAccount.create .Values.deployment.serviceAccount.name)) }}
+- name: {{ template "kong.serviceAccountTokenName" . }}
+  {{- /* Due to GKE versions (e.g. v1.23.15-gke.1900) we need to handle pre-release part of the version as well.
+  See the related documentation of semver module that Helm depends on for semverCompare:
+  https://github.com/Masterminds/semver#working-with-prerelease-versions
+  Related Helm issue: https://github.com/helm/helm/issues/3810 */}}
+  {{- if semverCompare ">=1.20.0-0" .Capabilities.KubeVersion.Version }}
+  projected:
+    sources:
+    - serviceAccountToken:
+        expirationSeconds: 3607
+        path: token
+    - configMap:
+        items:
+        - key: ca.crt
+          path: ca.crt
+        name: kube-root-ca.crt
+    - downwardAPI:
+        items:
+        - fieldRef:
+            apiVersion: v1
+            fieldPath: metadata.namespace
+          path: namespace
+  {{- else }}
+  secret:
+    secretName: {{ template "kong.serviceAccountTokenName" . }}
+    items:
+    - key: token
+      path: token
+    - key: ca.crt
+      path: ca.crt
+    - key: namespace
+      path: namespace
+  {{- end }}
+{{- end }}
+{{- if and ( .Capabilities.APIVersions.Has "cert-manager.io/v1" ) .Values.certificates.enabled -}}
+{{- if .Values.certificates.cluster.enabled }}
+- name: {{ include "kong.fullname" . }}-cluster-cert
+  secret:
+    secretName: {{ include "kong.fullname" . }}-cluster-cert
+{{- end }}
+{{- if .Values.certificates.proxy.enabled }}
+- name: {{ include "kong.fullname" . }}-proxy-cert
+  secret:
+    secretName: {{ include "kong.fullname" . }}-proxy-cert
+{{- end }}
+{{- if .Values.certificates.admin.enabled }}
+- name: {{ include "kong.fullname" . }}-admin-cert
+  secret:
+    secretName: {{ include "kong.fullname" . }}-admin-cert
+{{- end }}
+{{- if .Values.enterprise.enabled }}
+{{- if .Values.certificates.portal.enabled }}
+- name: {{ include "kong.fullname" . }}-portal-cert
+  secret:
+    secretName: {{ include "kong.fullname" . }}-portal-cert
+{{- end }}
+{{- end }}
+{{- end }}
+{{- if (and (.Values.postgresql.enabled) .Values.waitImage.enabled) }}
+- name: {{ template "kong.fullname" . }}-bash-wait-for-postgres
+  configMap:
+    name: {{ template "kong.fullname" . }}-bash-wait-for-postgres
+    defaultMode: 0755
+{{- end }}
 {{- range .Values.plugins.configMaps }}
 - name: kong-plugin-{{ .pluginName }}
   configMap:
     name: {{ .name }}
+{{- range .subdirectories }}
+- name: {{ .name }}
+  configMap:
+    name: {{ .name }}
+{{- end }}
 {{- end }}
 {{- range .Values.plugins.secrets }}
 - name: kong-plugin-{{ .pluginName }}
   secret:
     secretName: {{ .name }}
+{{- range .subdirectories }}
+- name: {{ .name }}
+  secret:
+    secretName: {{ .name }}
 {{- end }}
-- name: custom-nginx-template-volume
-  configMap:
-    name: {{ template "kong.fullname" . }}-default-custom-server-blocks
+{{- end }}
+
 {{- if (and (not .Values.ingressController.enabled) (eq .Values.env.database "off")) }}
+  {{- $dblessSourceCount := (add (.Values.dblessConfig.configMap | len | min 1) (.Values.dblessConfig.secret | len | min 1) (.Values.dblessConfig.config | len | min 1)) -}}
+  {{- if gt $dblessSourceCount 1 -}}
+    {{- fail "Ambiguous configuration: only one of of .Values.dblessConfig.configMap, .Values.dblessConfig.secret, and .Values.dblessConfig.config can be set." -}}
+  {{- else if eq $dblessSourceCount 1 }}
 - name: kong-custom-dbless-config-volume
-  configMap:
     {{- if .Values.dblessConfig.configMap }}
+  configMap:
     name: {{ .Values.dblessConfig.configMap }}
+    {{- else if .Values.dblessConfig.secret }}
+  secret:
+    secretName: {{ .Values.dblessConfig.secret }}
     {{- else }}
+  configMap:
     name: {{ template "kong.dblessConfig.fullname" . }}
     {{- end }}
+  {{- end }}
 {{- end }}
-{{- if .Values.ingressController.admissionWebhook.enabled }}
+
+{{- if and .Values.ingressController.enabled .Values.ingressController.admissionWebhook.enabled }}
 - name: webhook-cert
   secret:
+    {{- if .Values.ingressController.admissionWebhook.certificate.provided }}
+    secretName: {{ .Values.ingressController.admissionWebhook.certificate.secretName }}
+    {{- else }}
     secretName: {{ template "kong.fullname" . }}-validation-webhook-keypair
+    {{- end }}
 {{- end }}
+{{- if or $.Values.admin.tls.client.secretName $.Values.admin.tls.client.caBundle }}
+- name: admin-client-ca
+  configMap:
+    name: {{ template "kong.fullname" . }}-admin-client-ca
+{{- end -}}
 {{- range $secretVolume := .Values.secretVolumes }}
 - name: {{ . }}
   secret:
     secretName: {{ . }}
 {{- end }}
+{{- range .Values.extraConfigMaps }}
+- name: {{ .name }}
+  configMap:
+    name: {{ .name }}
+{{- end }}
+{{- range .Values.extraSecrets }}
+- name: {{ .name }}
+  secret:
+    secretName: {{ .name }}
+{{- end }}
+{{- if and .Values.ingressController.adminApi.tls.client.enabled .Values.ingressController.enabled }}
+- name: admin-api-cert
+  secret:
+    secretName: {{ template "adminApiService.certSecretName" . }}
+{{- end }}
+{{- end -}}
+
+{{- define "controller.adminApiCertVolumeMount" -}}
+{{- if and .Values.ingressController.adminApi.tls.client.enabled .Values.ingressController.enabled }}
+- name: admin-api-cert
+  mountPath: /etc/secrets/admin-api-cert
+  readOnly: true
+{{- end -}}
+{{- end -}}
+
+{{- define "kong.userDefinedVolumeMounts" -}}
+{{- if .userDefinedVolumeMounts }}
+{{- toYaml .userDefinedVolumeMounts }}
+{{- end }}
 {{- end -}}
 
 {{- define "kong.volumeMounts" -}}
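Review bot: `CONTROLLER_KONG_ADMIN_TLS_SKIP_VERIFY` is set to `true` unconditionally at the top of `kong.ingressController.env`, so the controller never verifies the Admin API's server certificate — even when `ingressController.adminApi.tls.client.enabled` mounts a client keypair a few lines later, and even under gateway discovery, where `kong.adminSvc` requires a split release and that Admin API traffic therefore crosses the cluster network instead of staying on localhost. The `mergeOverwrite` at the end of the template does let `ingressController.env.kong_admin_tls_skip_verify: false` override it, but nothing in the template says so, and the old `# TODO make this configurable` that the removed `--admin-tls-skip-verify` line carried is gone. At minimum document the default at the line that sets it, e.g. `{{/* NOTE: Admin API server-cert verification is OFF by default; override with ingressController.env.kong_admin_tls_skip_verify=false (and give the controller a CA it trusts) when the Admin API is not local */}}`; better, gate the default so it is `false` whenever `adminApi.tls.client.enabled` is true, since a deployment that configures mTLS presumably wants the server side verified as well.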
@@ -227,26 +746,82 @@ The name of the service used for the ingress controller's validation webhook
   mountPath: /kong_prefix/
 - name: {{ template "kong.fullname" . }}-tmp
   mountPath: /tmp
-- name: custom-nginx-template-volume
-  mountPath: /kong
-{{- if (and (not .Values.ingressController.enabled) (eq .Values.env.database "off")) }}
+{{- if and ( .Capabilities.APIVersions.Has "cert-manager.io/v1" ) .Values.certificates.enabled -}}
+{{- if .Values.certificates.cluster.enabled }}
+- name: {{ include "kong.fullname" . }}-cluster-cert
+  mountPath: /etc/cert-manager/cluster/
+{{- end }}
+{{- if .Values.certificates.proxy.enabled }}
+- name: {{ include "kong.fullname" . }}-proxy-cert
+  mountPath: /etc/cert-manager/proxy/
+{{- end }}
+{{- if .Values.certificates.admin.enabled }}
+- name: {{ include "kong.fullname" . }}-admin-cert
+  mountPath: /etc/cert-manager/admin/
+{{- end }}
+{{- if .Values.enterprise.enabled }}
+{{- if .Values.certificates.portal.enabled }}
+- name: {{ include "kong.fullname" . }}-portal-cert
+  mountPath: /etc/cert-manager/portal/
+{{- end }}
+{{- end }}
+{{- end }}
+{{- $dblessSourceCount := (add (.Values.dblessConfig.configMap | len | min 1) (.Values.dblessConfig.secret | len | min 1) (.Values.dblessConfig.config | len | min 1)) -}}
+  {{- if eq $dblessSourceCount 1 -}}
+    {{- if (and (not .Values.ingressController.enabled) (eq .Values.env.database "off")) }}
 - name: kong-custom-dbless-config-volume
   mountPath: /kong_dbless/
-{{- end }}
+    {{- end }}
+  {{- end }}
+{{- if or $.Values.admin.tls.client.caBundle $.Values.admin.tls.client.secretName }}
+- name: admin-client-ca
+  mountPath: /etc/admin-client-ca/
+  readOnly: true
+{{- end -}}
 {{- range .Values.secretVolumes }}
 - name:  {{ . }}
   mountPath: /etc/secrets/{{ . }}
 {{- end }}
 {{- range .Values.plugins.configMaps }}
+{{- $mountPath := printf "/opt/kong/plugins/%s" .pluginName }}
 - name:  kong-plugin-{{ .pluginName }}
-  mountPath: /opt/kong/plugins/{{ .pluginName }}
+  mountPath: {{ $mountPath }}
+  readOnly: true
+{{- range .subdirectories }}
+- name: {{ .name  }}
+  mountPath: {{ printf "%s/%s" $mountPath ( .path | default .name ) }}
   readOnly: true
 {{- end }}
+{{- end }}
 {{- range .Values.plugins.secrets }}
+{{- $mountPath := printf "/opt/kong/plugins/%s" .pluginName }}
 - name:  kong-plugin-{{ .pluginName }}
-  mountPath: /opt/kong/plugins/{{ .pluginName }}
+  mountPath: {{ $mountPath }}
+  readOnly: true
+{{- range .subdirectories }}
+- name: {{ .name }}
+  mountPath: {{ printf "%s/%s" $mountPath .path }}
   readOnly: true
 {{- end }}
+{{- end }}
+
+{{- range .Values.extraConfigMaps }}
+- name:  {{ .name }}
+  mountPath: {{ .mountPath }}
+
+  {{- if .subPath }}
+  subPath: {{ .subPath }}
+  {{- end }}
+{{- end }}
+{{- range .Values.extraSecrets }}
+- name:  {{ .name }}
+  mountPath: {{ .mountPath }}
+
+  {{- if .subPath }}
+  subPath: {{ .subPath }}
+  {{- end }}
+{{- end }}
+
 {{- end -}}
 
 {{- define "kong.plugins" -}}
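Review bot: The secret-plugin subdirectory mount uses `printf "%s/%s" $mountPath .path` with no fallback, while the configMap branch just above uses `( .path | default .name )`; a `plugins.secrets[].subdirectories` entry that omits `path` will render a nil into the mount path rather than falling back to the volume name, and the two branches should agree: `mountPath: {{ printf "%s/%s" $mountPath ( .path | default .name ) }}`. Separately, the new `extraConfigMaps` and `extraSecrets` mounts at the end of the hunk do not set `readOnly: true`, unlike every plugin mount in the same template; the kubelet may already mount these volume types read-only, but adding the flag keeps secret material consistently non-writable regardless of cluster settings. The `subPath` option on a secret mount also means the file will presumably not pick up secret rotations, which is worth a comment on those lines.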
@@ -257,57 +832,73 @@ The name of the service used for the ingress controller's validation webhook
 {{- range .Values.plugins.secrets -}}
   {{ $myList = append $myList .pluginName -}}
 {{- end }}
-{{- $myList | join "," -}}
+{{- $myList | uniq | join "," -}}
 {{- end -}}
 
 {{- define "kong.wait-for-db" -}}
 - name: wait-for-db
-  image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+  image: {{ include "kong.getRepoTag" .Values.image }}
   imagePullPolicy: {{ .Values.image.pullPolicy }}
+  securityContext:
+  {{ toYaml .Values.containerSecurityContext | nindent 4 }}
   env:
-  {{- if .Values.enterprise.enabled }}
-  {{- include "kong.license" . | nindent 2 }}
-  {{- end }}
-  {{- if .Values.postgresql.enabled }}
-  - name: KONG_PG_HOST
-    value: {{ template "kong.postgresql.fullname" . }}
-  - name: KONG_PG_PORT
-    value: "{{ .Values.postgresql.service.port }}"
-  - name: KONG_PG_PASSWORD
-    valueFrom:
-      secretKeyRef:
-        name: {{ template "kong.postgresql.fullname" . }}
-        key: postgresql-password
-  {{- end }}
-  - name: KONG_LUA_PACKAGE_PATH
-    value: "/opt/?.lua;;"
-  - name: KONG_PLUGINS
-    value: {{ template "kong.plugins" . }}
-  {{- include "kong.env" .  | nindent 2 }}
-  command: [ "/bin/sh", "-c", "until kong start; do echo 'waiting for db'; sleep 1; done; kong stop" ]
+  {{- include "kong.env" . | nindent 2 }}
+  {{- include "kong.envFrom" .Values.envFrom | nindent 2 }}
+{{/* TODO the prefix override is to work around https://github.com/Kong/charts/issues/295
+     Note that we use args instead of command here to /not/ override the standard image entrypoint. */}}
+  args: [ "/bin/bash", "-c", "export KONG_NGINX_DAEMON=on KONG_PREFIX=`mktemp -d` KONG_KEYRING_ENABLED=off; until kong start; do echo 'waiting for db'; sleep 1; done; kong stop"]
   volumeMounts:
   {{- include "kong.volumeMounts" . | nindent 4 }}
+  {{- include "kong.userDefinedVolumeMounts" .Values.deployment | nindent 4 }}
+  resources:
+  {{- toYaml .Values.resources | nindent 4 }}
+{{- end -}}
+
+{{/* effectiveVersion takes an image dict from values.yaml. if .effectiveSemver is set, it returns that, else it returns .tag */}}
+{{- define "kong.effectiveVersion" -}}
+{{- /* Because Kong Gateway enterprise uses versions with 4 segments and not 3 */ -}}
+{{- /* as semver does, we need to account for that here by extracting */ -}}
+{{- /* first 3 segments for comparison */ -}}
+{{- if .effectiveSemver -}}
+  {{- if regexMatch "^[0-9]+.[0-9]+.[0-9]+" .effectiveSemver -}}
+  {{- regexFind "^[0-9]+.[0-9]+.[0-9]+" .effectiveSemver -}}
+  {{- else -}}
+  {{- .effectiveSemver -}}
+  {{- end -}}
+{{- else -}}
+  {{- $tag := (trimSuffix "-redhat" .tag) -}}
+  {{- if regexMatch "^[0-9]+.[0-9]+.[0-9]+" .tag -}}
+  {{- regexFind "^[0-9]+.[0-9]+.[0-9]+" .tag -}}
+  {{- else -}}
+  {{- .tag -}}
+  {{- end -}}
+{{- end -}}
 {{- end -}}
 
 {{- define "kong.controller-container" -}}
 - name: ingress-controller
+  securityContext:
+{{ toYaml .Values.containerSecurityContext | nindent 4 }}
   args:
-  - /kong-ingress-controller
-  # Service from were we extract the IP address/es to use in Ingress status
-  - --publish-service={{ .Release.Namespace }}/{{ template "kong.fullname" . }}-proxy
-  # Set the ingress class
-  - --ingress-class={{ .Values.ingressController.ingressClass }}
-  - --election-id=kong-ingress-controller-leader-{{ .Values.ingressController.ingressClass }}
-  # the kong URL points to the kong admin api server
-  {{- if .Values.admin.useTLS }}
-  - --kong-url=https://localhost:{{ .Values.admin.containerPort }}
-  - --admin-tls-skip-verify # TODO make this configurable
-  {{- else }}
-  - --kong-url=http://localhost:{{ .Values.admin.containerPort }}
+  {{ if .Values.ingressController.args}}
+  {{- range $val := .Values.ingressController.args }}
+  - {{ $val }}
+  {{- end }}
   {{- end }}
+  ports:
   {{- if .Values.ingressController.admissionWebhook.enabled }}
-  - --admission-webhook-listen=0.0.0.0:{{ .Values.ingressController.admissionWebhook.port }}
+  - name: webhook
+    containerPort: {{ .Values.ingressController.admissionWebhook.port }}
+    protocol: TCP
   {{- end }}
+  {{ if (semverCompare ">= 2.0.0" (include "kong.effectiveVersion" .Values.ingressController.image)) -}}
+  - name: cmetrics
+    containerPort: 10255
+    protocol: TCP
+  {{- end }}
+  - name: cstatus
+    containerPort: 10254
+    protocol: TCP
   env:
   - name: POD_NAME
     valueFrom:
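Review bot: In `kong.effectiveVersion` the `$tag := (trimSuffix "-redhat" .tag)` local is computed and then never used — the following `regexMatch`/`regexFind`/fallback all read `.tag` — so the suffix stripping has no effect, and the regex `^[0-9]+.[0-9]+.[0-9]+` leaves the dots unescaped, matching any character between the digit groups. Since the result feeds `semverCompare` gates elsewhere in this file (for example the `>= 2.0.0` check on the controller image in this hunk), a tag with no leading digits such as `latest` presumably fails rendering with an opaque semver error rather than a clear message. Suggested change to the three lines in the else branch: `{{- if regexMatch "^[0-9]+\\.[0-9]+\\.[0-9]+" $tag -}}`, `{{- regexFind "^[0-9]+\\.[0-9]+\\.[0-9]+" $tag -}}`, `{{- $tag -}}`, plus the same escaping on the `.effectiveSemver` branch.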
@@ -320,31 +911,42 @@ The name of the service used for the ingress controller's validation webhook
         apiVersion: v1
         fieldPath: metadata.namespace
 {{- include "kong.ingressController.env" .  | indent 2 }}
-  image: "{{ .Values.ingressController.image.repository }}:{{ .Values.ingressController.image.tag }}"
+{{ include "kong.envFrom" .Values.ingressController.envFrom | indent 2 }}
+  image: {{ include "kong.getRepoTag" .Values.ingressController.image }}
   imagePullPolicy: {{ .Values.image.pullPolicy }}
+{{/* disableReadiness is a hidden setting to drop this block entirely for use with a debugger
+     Helm value interpretation doesn't let you replace the default HTTP checks with any other
+     check type, and all HTTP checks freeze when a debugger pauses operation.
+     Setting disableReadiness to ANY value disables the probes.
+*/}}
+{{- if (not (hasKey .Values.ingressController "disableProbes")) }}
   readinessProbe:
 {{ toYaml .Values.ingressController.readinessProbe | indent 4 }}
   livenessProbe:
 {{ toYaml .Values.ingressController.livenessProbe | indent 4 }}
+{{- end }}
   resources:
 {{ toYaml .Values.ingressController.resources | indent 4 }}
-{{- if .Values.ingressController.admissionWebhook.enabled }}
   volumeMounts:
+{{- if .Values.ingressController.admissionWebhook.enabled }}
   - name: webhook-cert
     mountPath: /admission-webhook
     readOnly: true
 {{- end }}
+{{- if (and (not .Values.deployment.serviceAccount.automountServiceAccountToken) (or .Values.deployment.serviceAccount.create .Values.deployment.serviceAccount.name)) }}
+  - name: {{ template "kong.serviceAccountTokenName" . }}
+    mountPath: /var/run/secrets/kubernetes.io/serviceaccount
+    readOnly: true
+{{- end }}
+  {{- include "kong.userDefinedVolumeMounts" .Values.ingressController | nindent 2 }}
+  {{- include "controller.adminApiCertVolumeMount" . | nindent 2 }}
 {{- end -}}
 
-{{/*
-Retrieve Kong Enterprise license from a secret and make it available in env vars
-*/}}
-{{- define "kong.license" -}}
-- name: KONG_LICENSE_DATA
-  valueFrom:
-    secretKeyRef:
-      name: {{ .Values.enterprise.license_secret }}
-      key: license
+{{- define "secretkeyref" -}}
+valueFrom:
+  secretKeyRef:
+    name: {{ .name }}
+    key: {{ .key }}
 {{- end -}}
 
 {{/*
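Review bot: The comment above the probe block twice names the hidden setting `disableReadiness`, but the condition right below checks `hasKey .Values.ingressController "disableProbes"`; an operator reading the comment would set the wrong key and keep both probes. Change the comment to `disableProbes is a hidden setting to drop this block entirely for use with a debugger` and `Setting disableProbes to ANY value disables the probes.`, and note there that it drops the liveness probe too, not just readiness. Also, the controller container's `imagePullPolicy` still reads `.Values.image.pullPolicy` while its `image:` now comes from `.Values.ingressController.image`; if that is intentional a short comment saying the gateway image's policy is reused would avoid the obvious question.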
@@ -354,156 +956,851 @@ Use the Pod security context defined in Values or set the UID by default
 {{ .Values.securityContext | toYaml }}
 {{- end -}}
 
+{{- define "kong.no_daemon_env" -}}
+{{- template "kong.env" . }}
+- name: KONG_NGINX_DAEMON
+  value: "off"
+{{- end -}}
+
 {{/*
 The environment values passed to Kong; this should come after all
 the template that it itself is using form the above sections.
 */}}
-{{- define "kong.final_env" -}}
-- name: KONG_LUA_PACKAGE_PATH
-  value: "/opt/?.lua;;"
-{{- if not .Values.env.admin_listen }}
-{{- if .Values.admin.useTLS }}
-- name: KONG_ADMIN_LISTEN
-  value: "0.0.0.0:{{ .Values.admin.containerPort }} ssl"
-{{- else }}
-- name: KONG_ADMIN_LISTEN
-  value: 0.0.0.0:{{ .Values.admin.containerPort }}
+{{- define "kong.env" -}}
+{{/*
+    ====== AUTO-GENERATED ENVIRONMENT VARIABLES ======
+*/}}
+{{- $autoEnv := dict -}}
+
+{{- $_ := set $autoEnv "KONG_LUA_PACKAGE_PATH" "/opt/?.lua;/opt/?/init.lua;;" -}}
+
+{{- $_ := set $autoEnv "KONG_PROXY_ACCESS_LOG" "/dev/stdout" -}}
+{{- $_ := set $autoEnv "KONG_PROXY_STREAM_ACCESS_LOG" "/dev/stdout basic" -}}
+{{- $_ := set $autoEnv "KONG_ADMIN_ACCESS_LOG" "/dev/stdout" -}}
+{{- $_ := set $autoEnv "KONG_STATUS_ACCESS_LOG" "off" -}}
+{{- $_ := set $autoEnv "KONG_PROXY_ERROR_LOG" "/dev/stderr" -}}
+{{- $_ := set $autoEnv "KONG_PROXY_STREAM_ERROR_LOG" "/dev/stderr" -}}
+{{- $_ := set $autoEnv "KONG_ADMIN_ERROR_LOG" "/dev/stderr" -}}
+{{- $_ := set $autoEnv "KONG_STATUS_ERROR_LOG" "/dev/stderr" -}}
+
+{{- if .Values.ingressController.enabled -}}
+  {{- $_ := set $autoEnv "KONG_KIC" "on" -}}
+{{- end -}}
+
+{{- with .Values.admin -}}
+  {{- $listenConfig := dict -}}
+  {{- $listenConfig := merge $listenConfig . -}}
+  {{- if (and (not (hasKey . "addresses")) (not .enabled)) -}}
+    {{- $_ := set $listenConfig "addresses" (list "127.0.0.1" "[::1]") -}}
+  {{- end -}}
+  {{- $_ := set $autoEnv "KONG_ADMIN_LISTEN" (include "kong.listen" $listenConfig) -}}
+
+  {{- if or .tls.client.secretName .tls.client.caBundle -}}
+    {{- $_ := set $autoEnv "KONG_NGINX_ADMIN_SSL_VERIFY_CLIENT" "on" -}}
+    {{- $_ := set $autoEnv "KONG_NGINX_ADMIN_SSL_CLIENT_CERTIFICATE" "/etc/admin-client-ca/tls.crt" -}}
+  {{- end -}}
+
+{{- end -}}
+
+{{- if and ( .Capabilities.APIVersions.Has "cert-manager.io/v1" ) .Values.certificates.enabled -}}
+  {{- if (and .Values.certificates.cluster.enabled .Values.cluster.enabled) -}}
+    {{- $_ := set $autoEnv "KONG_CLUSTER_MTLS" "pki" -}}
+    {{- $_ := set $autoEnv "KONG_CLUSTER_SERVER_NAME" .Values.certificates.cluster.commonName -}}
+    {{- $_ := set $autoEnv "KONG_CLUSTER_CA_CERT" "/etc/cert-manager/cluster/ca.crt" -}}
+    {{- $_ := set $autoEnv "KONG_CLUSTER_CERT" "/etc/cert-manager/cluster/tls.crt" -}}
+    {{- $_ := set $autoEnv "KONG_CLUSTER_CERT_KEY" "/etc/cert-manager/cluster/tls.key" -}}
+  {{- end -}}
+
+  {{- if .Values.certificates.proxy.enabled -}}
+    {{- $_ := set $autoEnv "KONG_SSL_CERT" "/etc/cert-manager/proxy/tls.crt" -}}
+    {{- $_ := set $autoEnv "KONG_SSL_CERT_KEY" "/etc/cert-manager/proxy/tls.key" -}}
+  {{- end -}}
+
+  {{- if .Values.certificates.admin.enabled -}}
+    {{- $_ := set $autoEnv "KONG_ADMIN_SSL_CERT" "/etc/cert-manager/admin/tls.crt" -}}
+    {{- $_ := set $autoEnv "KONG_ADMIN_SSL_CERT_KEY" "/etc/cert-manager/admin/tls.key" -}}
+    {{- if .Values.enterprise.enabled }}
+      {{- $_ := set $autoEnv "KONG_ADMIN_GUI_SSL_CERT" "/etc/cert-manager/admin/tls.crt" -}}
+      {{- $_ := set $autoEnv "KONG_ADMIN_GUI_SSL_CERT_KEY" "/etc/cert-manager/admin/tls.key" -}}
+    {{- end -}}
+  {{- end -}}
+
+  {{- if .Values.enterprise.enabled }}
+    {{- if .Values.certificates.portal.enabled -}}
+      {{- $_ := set $autoEnv "KONG_PORTAL_API_SSL_CERT" "/etc/cert-manager/portal/tls.crt" -}}
+      {{- $_ := set $autoEnv "KONG_PORTAL_API_SSL_CERT_KEY" "/etc/cert-manager/portal/tls.key" -}}
+      {{- $_ := set $autoEnv "KONG_PORTAL_GUI_SSL_CERT" "/etc/cert-manager/portal/tls.crt" -}}
+      {{- $_ := set $autoEnv "KONG_PORTAL_GUI_SSL_CERT_KEY" "/etc/cert-manager/portal/tls.key" -}}
+    {{- end -}}
+  {{- end -}}
+{{- end -}}
+
+{{- if .Values.admin.ingress.enabled }}
+  {{- $_ := set $autoEnv "KONG_ADMIN_GUI_API_URL" (include "kong.ingress.serviceUrl" .Values.admin.ingress) -}}
+  {{- $_ := set $autoEnv "KONG_ADMIN_API_URI" (include "kong.ingress.serviceUrl" .Values.admin.ingress) -}}
+{{- end -}}
+
+{{- $_ := set $autoEnv "KONG_PROXY_LISTEN" (include "kong.listen" .Values.proxy) -}}
+
+{{- $streamStrings := list -}}
+{{- if .Values.proxy.enabled -}}
+  {{- $tcpStreamString := (include "kong.streamListen" .Values.proxy) -}}
+  {{- if (not (eq $tcpStreamString "")) -}}
+    {{- $streamStrings = (append $streamStrings $tcpStreamString) -}}
+  {{- end -}}
+{{- end -}}
+{{- if .Values.udpProxy.enabled -}}
+  {{- $udpStreamString := (include "kong.streamListen" .Values.udpProxy) -}}
+  {{- if (not (eq $udpStreamString "")) -}}
+    {{- $streamStrings = (append $streamStrings $udpStreamString) -}}
+  {{- end -}}
+{{- end -}}
+{{- $streamString := $streamStrings | join ", " -}}
+{{- if (eq (len $streamString) 0)  -}}
+  {{- $streamString = "off" -}}
+{{- end -}}
+{{- $_ := set $autoEnv "KONG_STREAM_LISTEN" $streamString -}}
+
+{{- $_ := set $autoEnv "KONG_STATUS_LISTEN" (include "kong.listen" .Values.status) -}}
+
+{{- if .Values.proxy.enabled -}}
+  {{- $_ := set $autoEnv "KONG_PORT_MAPS" (include "kong.port_maps" .Values.proxy) -}}
+{{- end -}}
+
+{{- $_ := set $autoEnv "KONG_CLUSTER_LISTEN" (include "kong.listen" .Values.cluster) -}}
+
+{{- if .Values.enterprise.enabled }}
+  {{- $_ := set $autoEnv "KONG_PORTAL_API_ACCESS_LOG" "/dev/stdout" -}}
+  {{- $_ := set $autoEnv "KONG_PORTAL_GUI_ACCESS_LOG" "/dev/stdout" -}}
+  {{- $_ := set $autoEnv "KONG_ADMIN_GUI_ACCESS_LOG" "/dev/stdout" -}}
+  {{- $_ := set $autoEnv "KONG_PORTAL_API_ERROR_LOG" "/dev/stderr" -}}
+  {{- $_ := set $autoEnv "KONG_PORTAL_GUI_ERROR_LOG" "/dev/stderr" -}}
+  {{- $_ := set $autoEnv "KONG_ADMIN_GUI_ERROR_LOG" "/dev/stderr" -}}
+
+  {{- $_ := set $autoEnv "KONG_ADMIN_GUI_LISTEN" (include "kong.listen" .Values.manager) -}}
+  {{- if .Values.manager.ingress.enabled }}
+    {{- $_ := set $autoEnv "KONG_ADMIN_GUI_URL" (include "kong.ingress.serviceUrl" .Values.manager.ingress) -}}
+  {{- end -}}
+
+  {{- if not .Values.enterprise.vitals.enabled }}
+    {{- $_ := set $autoEnv "KONG_VITALS" "off" -}}
+  {{- end }}
+  {{- $_ := set $autoEnv "KONG_CLUSTER_TELEMETRY_LISTEN" (include "kong.listen" .Values.clustertelemetry) -}}
+
+  {{- if .Values.enterprise.portal.enabled }}
+    {{- $_ := set $autoEnv "KONG_PORTAL" "on" -}}
+      {{- $_ := set $autoEnv "KONG_PORTAL_GUI_LISTEN" (include "kong.listen" .Values.portal) -}}
+    {{- $_ := set $autoEnv "KONG_PORTAL_API_LISTEN" (include "kong.listen" .Values.portalapi) -}}
+
+    {{- if .Values.portal.ingress.enabled }}
+      {{- $_ := set $autoEnv "KONG_PORTAL_GUI_HOST" .Values.portal.ingress.hostname -}}
+      {{- if .Values.portal.ingress.tls }}
+        {{- $_ := set $autoEnv "KONG_PORTAL_GUI_PROTOCOL" "https" -}}
+      {{- else }}
+        {{- $_ := set $autoEnv "KONG_PORTAL_GUI_PROTOCOL" "http" -}}
+      {{- end }}
+    {{- end }}
+
+    {{- if .Values.portalapi.ingress.enabled }}
+      {{- $_ := set $autoEnv "KONG_PORTAL_API_URL" (include "kong.ingress.serviceUrl" .Values.portalapi.ingress) -}}
+    {{- end }}
+  {{- end }}
+
+  {{- if .Values.enterprise.rbac.enabled }}
+    {{- $_ := set $autoEnv "KONG_ENFORCE_RBAC" "on" -}}
+    {{- $_ := set $autoEnv "KONG_ADMIN_GUI_AUTH" .Values.enterprise.rbac.admin_gui_auth | default "basic-auth" -}}
+
+    {{- if not (eq .Values.enterprise.rbac.admin_gui_auth "basic-auth") }}
+      {{- $guiAuthConf := include "secretkeyref" (dict "name" .Values.enterprise.rbac.admin_gui_auth_conf_secret "key" "admin_gui_auth_conf") -}}
+      {{- $_ := set $autoEnv "KONG_ADMIN_GUI_AUTH_CONF" $guiAuthConf -}}
+    {{- end }}
+
+    {{- $guiSessionConf := include "secretkeyref" (dict "name" .Values.enterprise.rbac.session_conf_secret "key" "admin_gui_session_conf") -}}
+    {{- $_ := set $autoEnv "KONG_ADMIN_GUI_SESSION_CONF" $guiSessionConf -}}
+  {{- end }}
+
+  {{- if .Values.enterprise.smtp.enabled }}
+    {{- $_ := set $autoEnv "KONG_SMTP_MOCK" "off" -}}
+    {{- $_ := set $autoEnv "KONG_PORTAL_EMAILS_FROM" .Values.enterprise.smtp.portal_emails_from -}}
+    {{- $_ := set $autoEnv "KONG_PORTAL_EMAILS_REPLY_TO" .Values.enterprise.smtp.portal_emails_reply_to -}}
+    {{- $_ := set $autoEnv "KONG_ADMIN_EMAILS_FROM" .Values.enterprise.smtp.admin_emails_from -}}
+    {{- $_ := set $autoEnv "KONG_ADMIN_EMAILS_REPLY_TO" .Values.enterprise.smtp.admin_emails_reply_to -}}
+    {{- $_ := set $autoEnv "KONG_SMTP_ADMIN_EMAILS" .Values.enterprise.smtp.smtp_admin_emails -}}
+    {{- $_ := set $autoEnv "KONG_SMTP_HOST" .Values.enterprise.smtp.smtp_host -}}
+    {{- $_ := set $autoEnv "KONG_SMTP_AUTH_TYPE" .Values.enterprise.smtp.smtp_auth_type -}}
+    {{- $_ := set $autoEnv "KONG_SMTP_SSL" .Values.enterprise.smtp.smtp_ssl -}}
+    {{- $_ := set $autoEnv "KONG_SMTP_PORT" .Values.enterprise.smtp.smtp_port -}}
+    {{- $_ := set $autoEnv "KONG_SMTP_STARTTLS" (quote .Values.enterprise.smtp.smtp_starttls) -}}
+    {{- if .Values.enterprise.smtp.auth.smtp_username }}
+      {{- $_ := set $autoEnv "KONG_SMTP_USERNAME" .Values.enterprise.smtp.auth.smtp_username -}}
+      {{- $smtpPassword := include "secretkeyref" (dict "name" .Values.enterprise.smtp.auth.smtp_password_secret "key" "smtp_password") -}}
+      {{- $_ := set $autoEnv "KONG_SMTP_PASSWORD" $smtpPassword -}}
+    {{- end }}
+  {{- else }}
+    {{- $_ := set $autoEnv "KONG_SMTP_MOCK" "on" -}}
+  {{- end }}
+
+  {{- if .Values.enterprise.license_secret -}}
+    {{- $lic := include "secretkeyref" (dict "name" .Values.enterprise.license_secret "key" "license") -}}
+    {{- $_ := set $autoEnv "KONG_LICENSE_DATA" $lic -}}
+  {{- end }}
+
+{{- end }} {{/* End of the Enterprise settings block */}}
+
+{{- if .Values.postgresql.enabled }}
+  {{- $_ := set $autoEnv "KONG_PG_HOST" (include "kong.postgresql.fullname" .) -}}
+  {{- $_ := set $autoEnv "KONG_PG_PORT" .Values.postgresql.service.ports.postgresql -}}
+  {{- $pgPassword := include "secretkeyref" (dict "name" (include "kong.postgresql.fullname" .) "key" "password") -}}
+
+  {{- $_ := set $autoEnv "KONG_PG_PASSWORD" $pgPassword -}}
+{{- else if eq .Values.env.database "postgres" }}
+  {{- $_ := set $autoEnv "KONG_PG_PORT" "5432" }}
 {{- end }}
+
+{{- if (and (not .Values.ingressController.enabled) (eq .Values.env.database "off")) }}
+{{- $dblessSourceCount := (add (.Values.dblessConfig.configMap | len | min 1) (.Values.dblessConfig.secret | len | min 1) (.Values.dblessConfig.config | len | min 1)) -}}
+{{- if eq $dblessSourceCount 1 -}}
+  {{- $_ := set $autoEnv "KONG_DECLARATIVE_CONFIG" "/kong_dbless/kong.yml" -}}
 {{- end }}
-{{- if .Values.admin.ingress.enabled }}
-- name: KONG_ADMIN_API_URI
-  value: {{ include "kong.ingress.serviceUrl" .Values.admin.ingress }}
-{{- end }}
-{{- if not .Values.env.proxy_listen }}
-- name: KONG_PROXY_LISTEN
-  value: {{ template "kong.kongProxyListenValue" . }}
-{{- end }}
-{{- if and (not .Values.env.admin_gui_listen) (.Values.enterprise.enabled) }}
-- name: KONG_ADMIN_GUI_LISTEN
-  value: {{ template "kong.kongManagerListenValue" . }}
-{{- end }}
-{{- if and (.Values.manager.ingress.enabled) (.Values.enterprise.enabled) }}
-- name: KONG_ADMIN_GUI_URL
-  value: {{ include "kong.ingress.serviceUrl" .Values.manager.ingress }}
-{{- end }}
-{{- if and (not .Values.env.portal_gui_listen) (.Values.enterprise.enabled) (.Values.enterprise.portal.enabled) }}
-- name: KONG_PORTAL_GUI_LISTEN
-  value: {{ template "kong.kongPortalListenValue" . }}
-{{- end }}
-{{- if and (.Values.portal.ingress.enabled) (.Values.enterprise.enabled) (.Values.enterprise.portal.enabled) }}
-- name: KONG_PORTAL_GUI_HOST
-  value: {{ .Values.portal.ingress.hostname }}
-{{- if .Values.portal.ingress.tls }}
-- name: KONG_PORTAL_GUI_PROTOCOL
-  value: https
+{{- end }}
+
+{{- if (.Values.plugins) }}
+{{- $_ := set $autoEnv "KONG_PLUGINS" (include "kong.plugins" .) -}}
+{{- end }}
+
+{{/*
+    ====== USER-SET ENVIRONMENT VARIABLES ======
+*/}}
+
+{{- $userEnv := dict -}}
+{{- range $key, $val := .Values.env }}
+  {{- if (contains "_log" $key) -}}
+    {{- if (eq (typeOf $val) "bool") -}}
+      {{- fail (printf "env.%s must use string 'off' to disable. Without quotes, YAML will coerce the value to a boolean and Kong will reject it" $key) -}}
+       {{- end -}}
+  {{- end -}}
+  {{- $upper := upper $key -}}
+  {{- $var := printf "KONG_%s" $upper -}}
+  {{- $_ := set $userEnv $var $val -}}
+{{- end -}}
+
+{{/*
+    ====== CUSTOM-SET ENVIRONMENT VARIABLES ======
+*/}}
+
+{{- $customEnv := dict -}}
+{{- range $key, $val := .Values.customEnv }}
+  {{- $upper := upper $key -}}
+  {{- $_ := set $customEnv $upper $val -}}
+{{- end -}}
+
+{{/*
+      ====== MERGE AND RENDER ENV BLOCK ======
+*/}}
+
+{{- $completeEnv := mergeOverwrite $autoEnv $userEnv $customEnv -}}
+{{- template "kong.renderEnv" $completeEnv -}}
+
+{{- end -}}
+
+{{/*
+Given a dictionary of variable=value pairs, render a container env block.
+Environment variables are sorted alphabetically
+*/}}
+{{- define "kong.renderEnv" -}}
+
+{{- $dict := . -}}
+
+{{- range keys . | sortAlpha }}
+{{- $val := pluck . $dict | first -}}
+{{- $valueType := printf "%T" $val -}}
+{{ if eq $valueType "map[string]interface {}" }}
+- name: {{ . }}
+{{ toYaml $val | indent 2 -}}
+{{- else if eq $valueType "string" }}
+{{- if regexMatch "valueFrom" $val }}
+- name: {{ . }}
+{{ $val | indent 2 }}
 {{- else }}
-- name: KONG_PORTAL_GUI_PROTOCOL
-  value: http
+- name: {{ . }}
+  value: {{ $val | quote }}
+{{- end }}
+{{- else }}
+- name: {{ . }}
+  value: {{ $val | quote }}
+{{- end }}
+{{- end -}}
+
+{{- end -}}
+
+{{- define "kong.wait-for-postgres" -}}
+- name: wait-for-postgres
+{{- if (or .Values.waitImage.unifiedRepoTag .Values.waitImage.repository) }}
+  image: {{ include "kong.getRepoTag" .Values.waitImage }}
+{{- else }} {{/* default to the Kong image */}}
+  image: {{ include "kong.getRepoTag" .Values.image }}
 {{- end }}
+  imagePullPolicy: {{ .Values.waitImage.pullPolicy }}
+  env:
+  {{- include "kong.no_daemon_env" . | nindent 2 }}
+  {{- include "kong.envFrom" .Values.envFrom | nindent 2 }}
+  command: [ "bash", "/wait_postgres/wait.sh" ]
+  volumeMounts:
+  - name: {{ template "kong.fullname" . }}-bash-wait-for-postgres
+    mountPath: /wait_postgres
+  resources:
+  {{- toYaml .Values.migrations.resources | nindent 4 }}
+{{- end -}}
+
+{{- define "kong.deprecation-warnings" -}}
+  {{- $warnings := list -}}
+  {{- range $warning := . }}
+    {{- $warnings = append $warnings (wrap 80 (printf "WARNING: %s" $warning)) -}}
+    {{- $warnings = append $warnings "\n\n" -}}
+  {{- end -}}
+  {{- $warningString := ($warnings | join "") -}}
+  {{- $warningString -}}
+{{- end -}}
+
+{{- define "kong.getRepoTag" -}}
+{{- if .unifiedRepoTag }}
+{{- .unifiedRepoTag }}
+{{- else if .repository }}
+{{- .repository }}:{{ .tag }}
+{{- end -}}
+{{- end -}}
+
+{{/*
+kong.kubernetesRBACRoles outputs a static list of RBAC rules (the "rules" block
+of a Role or ClusterRole) that provide the ingress controller access to the
+Kubernetes namespace-scoped resources it uses to build Kong configuration.
+
+Collectively, these are built from:
+kubectl kustomize github.com/kong/kubernetes-ingress-controller/config/rbac?ref=main
+kubectl kustomize github.com/kong/kubernetes-ingress-controller/config/rbac/gateway?ref=main
+
+However, there is no way to generate the split between cluster and namespaced
+role sets used in the charts. Updating these requires separating out cluster
+resource roles into their separate templates.
+*/}}
+{{- define "kong.kubernetesRBACRules" -}}
+{{- if and (semverCompare ">= 3.1.0" (include "kong.effectiveVersion" .Values.ingressController.image))
+           (contains (print .Values.ingressController.env.feature_gates) "KongServiceFacade=true") }}
+- apiGroups:
+  - incubator.ingress-controller.konghq.com
+  resources:
+  - kongservicefacades
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - incubator.ingress-controller.konghq.com
+  resources:
+  - kongservicefacades/status
+  verbs:
+  - get
+  - patch
+  - update
 {{- end }}
-{{- if and (not .Values.env.portal_api_listen) (.Values.enterprise.enabled) (.Values.enterprise.portal.enabled) }}
-- name: KONG_PORTAL_API_LISTEN
-  value: {{ template "kong.kongPortalApiListenValue" . }}
+{{- if (semverCompare ">= 3.0.0" (include "kong.effectiveVersion" .Values.ingressController.image)) }}
+- apiGroups:
+  - configuration.konghq.com
+  resources:
+  - kongupstreampolicies
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - configuration.konghq.com
+  resources:
+  - kongupstreampolicies/status
+  verbs:
+  - get
+  - patch
+  - update
 {{- end }}
-{{- if and (.Values.portalapi.ingress.enabled) (.Values.enterprise.enabled) (.Values.enterprise.portal.enabled) }}
-- name: KONG_PORTAL_API_URL
-  value: {{ include "kong.ingress.serviceUrl" .Values.portalapi.ingress }}
+{{- if (semverCompare ">= 2.11.0" (include "kong.effectiveVersion" .Values.ingressController.image)) }}
+- apiGroups:
+  - configuration.konghq.com
+  resources:
+  - kongconsumergroups
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - configuration.konghq.com
+  resources:
+  - kongconsumergroups/status
+  verbs:
+  - get
+  - patch
+  - update
 {{- end }}
-- name: KONG_NGINX_DAEMON
-  value: "off"
-{{- if .Values.enterprise.enabled }}
-{{- if not .Values.enterprise.vitals.enabled }}
-- name: KONG_VITALS
-  value: "off"
+{{- if (semverCompare "< 2.10.0" (include "kong.effectiveVersion" .Values.ingressController.image)) }}
+- apiGroups:
+  - ""
+  resources:
+  - endpoints
+  verbs:
+  - list
+  - watch
 {{- end }}
-{{- if .Values.enterprise.portal.enabled }}
-- name: KONG_PORTAL
-  value: "on"
-{{- if .Values.enterprise.portal.portal_auth }}
-- name: KONG_PORTAL_AUTH
-  value: {{ .Values.enterprise.portal.portal_auth }}
-- name: KONG_PORTAL_SESSION_CONF
-  valueFrom:
-    secretKeyRef:
-      name: {{ .Values.enterprise.portal.session_conf_secret }}
-      key: portal_session_conf
-{{- end }}
-{{- end }}
-{{- if .Values.enterprise.rbac.enabled }}
-- name: KONG_ENFORCE_RBAC
-  value: "on"
-- name: KONG_ADMIN_GUI_AUTH
-  value: {{ .Values.enterprise.rbac.admin_gui_auth | default "basic-auth" }}
-{{- if not (eq .Values.enterprise.rbac.admin_gui_auth "basic-auth") }}
-- name: KONG_ADMIN_GUI_AUTH_CONF
-  valueFrom:
-    secretKeyRef:
-      name: {{ .Values.enterprise.rbac.admin_gui_auth_conf_secret }}
-      key: admin_gui_auth_conf
-{{- end }}
-- name: KONG_ADMIN_GUI_SESSION_CONF
-  valueFrom:
-    secretKeyRef:
-      name: {{ .Values.enterprise.rbac.session_conf_secret }}
-      key: admin_gui_session_conf
-{{- end }}
-{{- if .Values.enterprise.smtp.enabled }}
-- name: KONG_PORTAL_EMAILS_FROM
-  value: {{ .Values.enterprise.smtp.portal_emails_from }}
-- name: KONG_PORTAL_EMAILS_REPLY_TO
-  value: {{ .Values.enterprise.smtp.portal_emails_reply_to }}
-- name: KONG_ADMIN_EMAILS_FROM
-  value: {{ .Values.enterprise.smtp.admin_emails_from }}
-- name: KONG_ADMIN_EMAILS_REPLY_TO
-  value: {{ .Values.enterprise.smtp.admin_emails_reply_to }}
-- name: KONG_SMTP_HOST
-  value: {{ .Values.enterprise.smtp.smtp_host }}
-- name: KONG_SMTP_PORT
-  value: {{ .Values.enterprise.smtp.smtp_port | quote }}
-- name: KONG_SMTP_STARTTLS
-  value: {{ .Values.enterprise.smtp.smtp_starttls | quote }}
-{{- if .Values.enterprise.smtp.auth.smtp_username }}
-- name: KONG_SMTP_USERNAME
-  value: {{ .Values.enterprise.smtp.auth.smtp_username }}
-- name: KONG_SMTP_PASSWORD
-  valueFrom:
-    secretKeyRef:
-      name: {{ .Values.enterprise.smtp.auth.smtp_password_secret }}
-      key: smtp_password
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
+- apiGroups:
+  - ""
+  resources:
+  - nodes
+  verbs:
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - pods
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - services
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - services/status
+  verbs:
+  - get
+  - patch
+  - update
+- apiGroups:
+  - configuration.konghq.com
+  resources:
+  - ingressclassparameterses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - configuration.konghq.com
+  resources:
+  - kongconsumers
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - configuration.konghq.com
+  resources:
+  - kongconsumers/status
+  verbs:
+  - get
+  - patch
+  - update
+- apiGroups:
+  - configuration.konghq.com
+  resources:
+  - kongingresses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - configuration.konghq.com
+  resources:
+  - kongingresses/status
+  verbs:
+  - get
+  - patch
+  - update
+- apiGroups:
+  - configuration.konghq.com
+  resources:
+  - kongplugins
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - configuration.konghq.com
+  resources:
+  - kongplugins/status
+  verbs:
+  - get
+  - patch
+  - update
+- apiGroups:
+  - configuration.konghq.com
+  resources:
+  - tcpingresses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - configuration.konghq.com
+  resources:
+  - tcpingresses/status
+  verbs:
+  - get
+  - patch
+  - update
+- apiGroups:
+  - configuration.konghq.com
+  resources:
+  - udpingresses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - configuration.konghq.com
+  resources:
+  - udpingresses/status
+  verbs:
+  - get
+  - patch
+  - update
+- apiGroups:
+  - extensions
+  resources:
+  - ingresses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - extensions
+  resources:
+  - ingresses/status
+  verbs:
+  - get
+  - patch
+  - update
+{{- if or (.Capabilities.APIVersions.Has "gateway.networking.k8s.io/v1alpha2") (.Capabilities.APIVersions.Has "gateway.networking.k8s.io/v1beta1") (.Capabilities.APIVersions.Has "gateway.networking.k8s.io/v1")}}
+- apiGroups:
+  - gateway.networking.k8s.io
+  resources:
+  - gateways
+  verbs:
+  - get
+  - list
+  - update
+  - watch
+- apiGroups:
+  - gateway.networking.k8s.io
+  resources:
+  - gateways/status
+  verbs:
+  - get
+  - update
+- apiGroups:
+  - gateway.networking.k8s.io
+  resources:
+  - httproutes
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - gateway.networking.k8s.io
+  resources:
+  - httproutes/status
+  verbs:
+  - get
+  - update
+- apiGroups:
+  - gateway.networking.k8s.io
+  resources:
+  - referencegrants
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - gateway.networking.k8s.io
+  resources:
+  - referencegrants/status
+  verbs:
+  - get
+- apiGroups:
+  - gateway.networking.k8s.io
+  resources:
+  - tcproutes
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - gateway.networking.k8s.io
+  resources:
+  - tcproutes/status
+  verbs:
+  - get
+  - update
+- apiGroups:
+  - gateway.networking.k8s.io
+  resources:
+  - tlsroutes
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - gateway.networking.k8s.io
+  resources:
+  - tlsroutes/status
+  verbs:
+  - get
+  - update
+- apiGroups:
+  - gateway.networking.k8s.io
+  resources:
+  - udproutes
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - gateway.networking.k8s.io
+  resources:
+  - udproutes/status
+  verbs:
+  - get
+  - update
+- apiGroups:
+  - gateway.networking.k8s.io
+  resources:
+  - grpcroutes
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - gateway.networking.k8s.io
+  resources:
+  - grpcroutes/status
+  verbs:
+  - get
+  - patch
+  - update
 {{- end }}
-{{- else }}
-- name: KONG_SMTP_MOCK
-  value: "on"
+{{- if (.Capabilities.APIVersions.Has "networking.internal.knative.dev/v1alpha1") }}
+- apiGroups:
+  - networking.internal.knative.dev
+  resources:
+  - ingresses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - networking.internal.knative.dev
+  resources:
+  - ingresses/status
+  verbs:
+  - get
+  - patch
+  - update
 {{- end }}
-{{ include "kong.license" . }}
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses/status
+  verbs:
+  - get
+  - patch
+  - update
+- apiGroups:
+  - discovery.k8s.io
+  resources:
+  - endpointslices
+  verbs:
+  - get
+  - list
+  - watch
+{{- if (semverCompare ">= 3.1.0" (include "kong.effectiveVersion" .Values.ingressController.image)) }}
+- apiGroups:
+  - configuration.konghq.com
+  resources:
+  - konglicenses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - configuration.konghq.com
+  resources:
+  - konglicenses/status
+  verbs:
+  - get
+  - patch
+  - update
+{{- end -}}
+{{- end -}}
+
+{{/*
+kong.kubernetesRBACClusterRoles outputs a static list of RBAC rules (the "rules" block
+of a Role or ClusterRole) that provide the ingress controller access to the
+Kubernetes Cluster-scoped resources it uses to build Kong configuration.
+*/}}
+{{- define "kong.kubernetesRBACClusterRules" -}}
+{{- if (semverCompare ">= 3.1.0" (include "kong.effectiveVersion" .Values.ingressController.image)) }}
+- apiGroups:
+  - configuration.konghq.com
+  resources:
+  - kongvaults
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - configuration.konghq.com
+  resources:
+  - kongvaults/status
+  verbs:
+  - get
+  - patch
+  - update
 {{- end }}
-- name: KONG_NGINX_HTTP_INCLUDE
-  value: /kong/servers.conf
-{{- if .Values.postgresql.enabled }}
-- name: KONG_PG_HOST
-  value: {{ template "kong.postgresql.fullname" . }}
-- name: KONG_PG_PORT
-  value: "{{ .Values.postgresql.service.port }}"
-- name: KONG_PG_PASSWORD
-  valueFrom:
-    secretKeyRef:
-      name: {{ template "kong.postgresql.fullname" . }}
-      key: postgresql-password
+- apiGroups:
+  - configuration.konghq.com
+  resources:
+  - kongclusterplugins
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - configuration.konghq.com
+  resources:
+  - kongclusterplugins/status
+  verbs:
+  - get
+  - patch
+  - update
+{{- if (semverCompare ">= 2.10.0" (include "kong.effectiveVersion" .Values.ingressController.image)) }}
+- apiGroups:
+  - apiextensions.k8s.io
+  resources:
+  - customresourcedefinitions
+  verbs:
+  - list
+  - watch
 {{- end }}
-{{- if (and (not .Values.ingressController.enabled) (eq .Values.env.database "off")) }}
-- name: KONG_DECLARATIVE_CONFIG
-  value: "/kong_dbless/kong.yml"
+{{- if or (.Capabilities.APIVersions.Has "gateway.networking.k8s.io/v1alpha2") (.Capabilities.APIVersions.Has "gateway.networking.k8s.io/v1beta1") (.Capabilities.APIVersions.Has "gateway.networking.k8s.io/v1")}}
+- apiGroups:
+  - gateway.networking.k8s.io
+  resources:
+  - gatewayclasses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - gateway.networking.k8s.io
+  resources:
+  - gatewayclasses/status
+  verbs:
+  - get
+  - update
+- apiGroups:
+  - ""
+  resources:
+  - namespaces
+  verbs:
+  - get
+  - list
+  - watch
 {{- end }}
-- name: KONG_PLUGINS
-  value: {{ template "kong.plugins" . }}
-{{- include "kong.env" . }}
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingressclasses
+  verbs:
+  - get
+  - list
+  - watch
 {{- end -}}
 
-{{- define "kong.wait-for-postgres" -}}
-- name: wait-for-postgres
-  image: "{{ .Values.waitImage.repository }}:{{ .Values.waitImage.tag }}"
-  imagePullPolicy: {{ .Values.waitImage.pullPolicy }}
-  env:
-  {{- include "kong.final_env" . | nindent 2 }}
-  command: [ "/bin/sh", "-c", "until nc -zv $KONG_PG_HOST $KONG_PG_PORT -w1; do echo 'waiting for db'; sleep 1; done" ]
+{{- define "kong.autoscalingVersion" -}}
+{{- if (.Capabilities.APIVersions.Has "autoscaling/v2") -}}
+autoscaling/v2
+{{- else if (.Capabilities.APIVersions.Has "autoscaling/v2beta2") -}}
+autoscaling/v2beta2
+{{- else -}}
+autoscaling/v1
+{{- end -}}
+{{- end -}}
+
+{{- define "kong.policyVersion" -}}
+{{- if (.Capabilities.APIVersions.Has "policy/v1beta1" ) -}}
+policy/v1beta1
+{{- else -}}
+{{- fail (printf "Cluster doesn't have policy/v1beta1 API." ) }}
+{{- end -}}
+{{- end -}}
+
+{{- define "kong.renderTpl" -}}
+    {{- if typeIs "string" .value }}
+{{- tpl .value .context }}
+    {{- else }}
+{{- tpl (.value | toYaml) .context }}
+    {{- end }}
+{{- end -}}
+
+{{- define "kong.ingressVersion" -}}
+{{- if (.Capabilities.APIVersions.Has "networking.k8s.io/v1") -}}
+networking.k8s.io/v1
+{{- else if (.Capabilities.APIVersions.Has "networking.k8s.io/v1beta1") -}}
+networking.k8s.io/v1beta1
+{{- else -}}
+extensions/v1beta1
+{{- end -}}
+{{- end -}}
+
+{{- define "kong.proxy.compatibleReadiness" -}}
+{{- $proxyReadiness := .Values.readinessProbe -}}
+{{- if (or (semverCompare "< 3.3.0" (include "kong.effectiveVersion" .Values.image)) (and .Values.ingressController.enabled (semverCompare "< 2.11.0" (include "kong.effectiveVersion" .Values.ingressController.image)))) -}}
+    {{- if (eq $proxyReadiness.httpGet.path "/status/ready") -}}
+        {{- $_ := set $proxyReadiness.httpGet "path" "/status" -}}
+    {{- end -}}
+{{- end -}}
+{{- (toYaml $proxyReadiness) -}}
+{{- end -}}
+
+{{- define "kong.envFrom" -}}
+  {{- if (gt (len .) 0) -}}
+envFrom:
+{{- toYaml . | nindent 2 -}}
+  {{- else -}}
+  {{- end -}}
 {{- end -}}
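Review bot: The `default "basic-auth"` on the `KONG_ADMIN_GUI_AUTH` line in the enterprise RBAC block never reaches the value: the pipe applies to the result of `set`, which is the `$autoEnv` dict, so an unset `enterprise.rbac.admin_gui_auth` renders an empty auth mode and the following `not (eq ... "basic-auth")` test is then also true, pulling in `admin_gui_auth_conf_secret`. Compute the defaulted value once, `{{- $guiAuth := .Values.enterprise.rbac.admin_gui_auth | default "basic-auth" -}}`, then `{{- $_ := set $autoEnv "KONG_ADMIN_GUI_AUTH" $guiAuth -}}` and `{{- if not (eq $guiAuth "basic-auth") }}`. Separately, `kong.policyVersion` accepts only `policy/v1beta1` and fails otherwise; clusters that serve only `policy/v1` (the v1beta1 PodDisruptionBudget API was removed in Kubernetes 1.25) cannot render whatever uses it, so the helper should probe `policy/v1` first. Also worth a comment in `kong.renderEnv`: any user-supplied string matching `valueFrom` is emitted verbatim as YAML, which is intended for the `secretkeyref` output but also means an ordinary `env` value containing that word is rendered unquoted.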
index 8e37eeb..979f1c0 100644 (file)
@@ -1,7 +1,28 @@
-{{- if .Values.ingressController.admissionWebhook.enabled }}
-{{- $cn := printf "%s.%s.svc" ( include "kong.service.validationWebhook" . ) .Release.Namespace }}
+{{- if (and .Values.ingressController.admissionWebhook.enabled .Values.ingressController.enabled) }}
+{{- $certCert := "" -}}
+{{- $certKey := "" -}}
+{{- $caCert := "" -}}
+{{- $caKey := "" -}}
+{{- if not .Values.ingressController.admissionWebhook.certificate.provided }}
+{{- $cn := printf "%s.%s.svc" ( include "kong.service.validationWebhook" . ) ( include "kong.namespace" . ) -}}
 {{- $ca := genCA "kong-admission-ca" 3650 -}}
-{{- $cert := genSignedCert $cn nil nil 3650 $ca -}}
+{{- $cert := genSignedCert $cn nil (list $cn) 3650 $ca -}}
+{{- $certCert = $cert.Cert -}}
+{{- $certKey = $cert.Key -}}
+{{- $caCert = $ca.Cert -}}
+{{- $caKey = $ca.Key -}}
+
+{{- $caSecret := (lookup "v1" "Secret" (include "kong.namespace" .) (printf "%s-validation-webhook-ca-keypair" (include "kong.fullname" .))) -}}
+{{- $certSecret := (lookup "v1" "Secret" (include "kong.namespace" .) (printf "%s-validation-webhook-keypair" (include "kong.fullname" .))) -}}
+{{- if $certSecret }}
+{{- $certCert = (b64dec (get $certSecret.data "tls.crt")) -}}
+{{- $certKey = (b64dec (get $certSecret.data "tls.key")) -}}
+{{- end }}
+{{- if $caSecret }}
+{{- $caCert = (b64dec (get $caSecret.data "tls.crt")) -}}
+{{- $caKey = (b64dec (get $caSecret.data "tls.key")) -}}
+{{- end }}
+{{- end }}
 kind: ValidatingWebhookConfiguration
 {{- if .Capabilities.APIVersions.Has "admissionregistration.k8s.io/v1" }}
 apiVersion: admissionregistration.k8s.io/v1
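Review bot: The two `lookup` results in the non-provided certificate branch are applied independently, so if only one of the `-validation-webhook-keypair` / `-validation-webhook-ca-keypair` Secrets exists in the cluster (for example after one was removed by hand), the rendered leaf certificate and the CA come from different sources and the webhook's `caBundle` will not verify the serving certificate. Guarding all four assignments with one `{{- if (and $certSecret $caSecret) }}` and otherwise keeping the freshly generated pair keeps the two consistent. The `get $certSecret.data "tls.crt"` calls also yield an empty string when the key is absent, which `b64dec` passes through silently; wrapping them in `required` would surface a broken Secret at render time instead. Note that `lookup` returns nothing under `helm template` or `--dry-run`, so those paths always produce a newly generated CA. The outer `if ... admissionWebhook.enabled` block opened at the top of the hunk closes outside it.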
@@ -10,10 +31,30 @@ apiVersion: admissionregistration.k8s.io/v1beta1
 {{- end }}
 metadata:
   name: {{ template "kong.fullname" . }}-validations
+  namespace: {{ template "kong.namespace" . }}
   labels:
     {{- include "kong.metaLabels" . | nindent 4 }}
+  {{- if .Values.ingressController.admissionWebhook.annotations }}
+  annotations:
+  {{- range $key, $value := .Values.ingressController.admissionWebhook.annotations }}
+    {{ $key }}: {{ $value | quote }}
+  {{- end }}
+  {{- end }}
 webhooks:
 - name: validations.kong.konghq.com
+  {{- with .Values.ingressController.admissionWebhook.namespaceSelector }}
+  namespaceSelector:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  {{- with .Values.ingressController.admissionWebhook.timeoutSeconds }}
+  timeoutSeconds: {{ . }}
+  {{- end }}
+  objectSelector:
+    matchExpressions:
+    - key: owner
+      operator: NotIn
+      values:
+      - helm
   failurePolicy: {{ .Values.ingressController.admissionWebhook.failurePolicy }}
   sideEffects: None
   admissionReviewVersions: ["v1beta1"]
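Review bot: The new `objectSelector` that skips objects labelled `owner: helm` carries no explanation, and since a later hunk registers this webhook for core `secrets`, the reason matters: Helm stores release state in Secrets labelled `owner: helm`, and without the exclusion a `failurePolicy: Fail` webhook whose backing pod is down could block Helm's own upgrades of this release. A template comment above it such as `{{/* Exclude Helm release Secrets (labelled owner: helm) so an unavailable webhook cannot block Helm itself */}}` would document that. Separately, `metadata.namespace` is added to a `ValidatingWebhookConfiguration`, which is cluster-scoped; the API server drops the field on cluster-scoped objects, so rendering it only suggests a scoping that does not exist.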
@@ -28,18 +69,73 @@ webhooks:
     resources:
     - kongconsumers
     - kongplugins
+{{- if (semverCompare ">= 2.0.4" (include "kong.effectiveVersion" .Values.ingressController.image)) }}
+    - kongclusterplugins
+{{- end }}
+{{- if (semverCompare ">= 2.8.0" (include "kong.effectiveVersion" .Values.ingressController.image)) }}
+    - kongingresses
+{{- end }}
+  - apiGroups:
+    - ''
+    apiVersions:
+    - 'v1'
+    operations:
+{{- if (semverCompare ">= 2.12.1" (include "kong.effectiveVersion" .Values.ingressController.image)) }}
+    - CREATE
+{{- end }}
+    - UPDATE
+    resources:
+    - secrets
+{{- if (semverCompare ">= 3.0.0" (include "kong.effectiveVersion" .Values.ingressController.image)) }}
+    - services
+{{- end }}
+{{- if (semverCompare ">= 2.12.0" (include "kong.effectiveVersion" .Values.ingressController.image)) }}
+  - apiGroups:
+    - networking.k8s.io
+    apiVersions:
+      - 'v1'
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - ingresses
+  - apiGroups:
+    - gateway.networking.k8s.io
+    apiVersions:
+    - 'v1alpha2'
+    - 'v1beta1'
+{{- if (semverCompare ">= 3.0.0" (include "kong.effectiveVersion" .Values.ingressController.image)) }}
+    - 'v1'
+{{- end }}
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - gateways
+    - httproutes
+{{- end }}
   clientConfig:
-    caBundle: {{ b64enc $ca.Cert }}
+    {{- if not .Values.ingressController.admissionWebhook.certificate.provided }}
+    caBundle: {{ b64enc $caCert }}
+    {{- else }}
+    {{- if .Values.ingressController.admissionWebhook.certificate.caBundle }}
+    caBundle: {{ b64enc .Values.ingressController.admissionWebhook.certificate.caBundle }}
+    {{- end }}
+    {{- end }}
     service:
       name: {{ template "kong.service.validationWebhook" . }}
-      namespace: {{ .Release.Namespace }}
+      namespace: {{ template "kong.namespace" . }}
 ---
 apiVersion: v1
 kind: Service
 metadata:
   name: {{ template "kong.service.validationWebhook" . }}
+  namespace: {{ template "kong.namespace" . }}
   labels:
     {{- include "kong.metaLabels" . | nindent 4 }}
+    {{- if .Values.ingressController.admissionWebhook.service.labels }}
+      {{- toYaml .Values.ingressController.admissionWebhook.service.labels | nindent 4 }}
+    {{- end }}
 spec:
   ports:
   - name: webhook
@@ -49,15 +145,30 @@ spec:
   selector:
     {{- include "kong.metaLabels" . | nindent 4 }}
     app.kubernetes.io/component: app
+{{- if not .Values.ingressController.admissionWebhook.certificate.provided }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ template "kong.fullname" . }}-validation-webhook-ca-keypair
+  namespace:  {{ template "kong.namespace" . }}
+  labels:
+    {{- include "kong.metaLabels" . | nindent 4 }}
+type: kubernetes.io/tls
+data:
+    tls.crt: {{ b64enc $caCert  }}
+    tls.key: {{ b64enc $caKey  }}
 ---
 apiVersion: v1
 kind: Secret
 metadata:
   name: {{ template "kong.fullname" . }}-validation-webhook-keypair
+  namespace:  {{ template "kong.namespace" . }}
   labels:
     {{- include "kong.metaLabels" . | nindent 4 }}
 type: kubernetes.io/tls
 data:
-  tls.crt: {{ b64enc $cert.Cert }}
-  tls.key: {{ b64enc $cert.Key }}
-{{ end }}
+  tls.crt: {{ b64enc $certCert }}
+  tls.key: {{ b64enc $certKey }}
+{{- end }}
+{{- end }}
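Review bot: The generated CA's private key is now persisted as `tls.key` of the `-validation-webhook-ca-keypair` Secret next to the leaf keypair, and the `lookup` earlier in this file reuses both on every upgrade without checking expiry, so anything with read access to that Secret can issue certificates the API server will trust for this webhook for the life of the release. As written, the stored CA key is never used to re-sign anything (the looked-up values simply replace the freshly generated ones), so either document the Secret as sensitive and keep RBAC on it tight, or revisit whether the key needs to be stored at all. Style: `namespace:  {{ template "kong.namespace" . }}` has two spaces after the colon in both Secrets here, and the same nit appears in the new `certificate.yaml` and in `deployment.yaml`; the `data:` entries of the CA Secret are indented four columns while the keypair Secret uses two.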
diff --git a/helm/infrastructure/subcharts/kong/templates/certificate.yaml b/helm/infrastructure/subcharts/kong/templates/certificate.yaml
new file mode 100644 (file)
index 0000000..a7079cd
--- /dev/null
@@ -0,0 +1,89 @@
+{{- if and ( .Capabilities.APIVersions.Has "cert-manager.io/v1" ) .Values.certificates.enabled -}}
+
+{{- $genericCertificateConfig := dict -}}
+{{- $_ := set $genericCertificateConfig "fullName" (include "kong.fullname" .) -}}
+{{- $_ := set $genericCertificateConfig "namespace" (include "kong.namespace" .) -}}
+{{- $_ := set $genericCertificateConfig "metaLabels" (include "kong.metaLabels" .) -}}
+{{- $_ := set $genericCertificateConfig "globalIssuer" .Values.certificates.issuer -}}
+{{- $_ := set $genericCertificateConfig "globalClusterIssuer" .Values.certificates.clusterIssuer -}}
+{{- $_ := set $genericCertificateConfig "globalSubject" .Values.certificates.subject -}}
+{{- $_ := set $genericCertificateConfig "globalPrivateKey" .Values.certificates.privateKey -}}
+{{- $_ := set $genericCertificateConfig "defaultIssuer" (printf "%s-%s-%s" .Release.Name .Chart.Name "selfsigned-issuer") -}}
+
+{{- if .Values.certificates.admin.enabled }}
+{{- $certificateConfig := mustMerge (mustDeepCopy $genericCertificateConfig) .Values.certificates.admin -}}
+{{- $_ := set $certificateConfig "serviceName" "admin" -}}
+{{- include "kong.certificate" $certificateConfig -}}
+{{- end }}
+
+{{- if (and .Values.certificates.portal.enabled .Values.enterprise.enabled) }}
+{{- $certificateConfig := mustMerge (mustDeepCopy $genericCertificateConfig) .Values.certificates.portal -}}
+{{- $_ := set $certificateConfig "serviceName" "portal" -}}
+{{- include "kong.certificate" $certificateConfig -}}
+{{- end }}
+
+{{- if .Values.certificates.proxy.enabled }}
+{{- $certificateConfig := mustMerge (mustDeepCopy $genericCertificateConfig) .Values.certificates.proxy -}}
+{{- $_ := set $certificateConfig "serviceName" "proxy" -}}
+{{- include "kong.certificate" $certificateConfig -}}
+{{- end }}
+
+{{- if .Values.certificates.cluster.enabled }}
+{{- $certificateConfig := dict -}}
+{{- $certificateConfig = mustMerge (mustDeepCopy $genericCertificateConfig) .Values.certificates.cluster -}}
+{{- $_ := set $certificateConfig "serviceName" "cluster" -}}
+{{- include "kong.certificate" $certificateConfig -}}
+{{- end }}
+
+{{- end }}
+
+{{- define "kong.certificate" }}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: {{ .fullName }}-{{ .serviceName }}
+  namespace:  {{ .namespace }}
+  labels:
+    {{- .metaLabels | nindent 4 }}
+spec:
+  secretName: {{ .fullName }}-{{ .serviceName }}-cert
+  commonName: {{ .commonName }}
+  dnsNames:
+  {{- range (append .dnsNames .commonName) }}
+  - {{ . | quote }}
+  {{- end }}
+  renewBefore: 360h0m0s
+  duration: 2160h0m0s
+  {{ if .subject -}}
+  subject:
+    {{- toYaml .subject | nindent 4 }}
+  {{ else if .globalSubject -}}
+  subject:
+    {{- toYaml .globalSubject | nindent 4 }}
+  {{- end }}
+  {{ if .privateKey -}}
+  privateKey:
+    {{- toYaml .privateKey | nindent 4 }}
+  {{ else if .globalPrivateKey -}}
+  privateKey:
+    {{- toYaml .globalPrivateKey | nindent 4 }}
+  {{- end }}
+  {{ if .clusterIssuer -}}
+  issuerRef:
+    name: {{ .clusterIssuer }}
+    kind: ClusterIssuer
+  {{ else if .issuer -}}
+  issuerRef:
+    name: {{ .issuer }}
+    kind: Issuer
+  {{ else if .globalClusterIssuer -}}
+  issuerRef:
+    name: {{ .globalClusterIssuer}}
+    kind: ClusterIssuer
+  {{ else if .globalIssuer -}}
+  issuerRef:
+    name: {{ .globalIssuer }}
+    kind: Issuer
+  {{- end -}}
+{{- end }}
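Review bot: `commonName: {{ .commonName }}` is rendered unquoted while the `dnsNames` entries are passed through `quote`; a wildcard such as `*.example.com` (constructed example) starts with `*`, which YAML reads as an alias, so the render fails or mis-parses. Use `commonName: {{ .commonName | quote }}`. `renewBefore: 360h0m0s` and `duration: 2160h0m0s` are hard-coded; exposing them through the per-certificate values with these as defaults would let operators align rotation with their own policy. Minor: `{{ .globalClusterIssuer}}` lacks the space before `}}` used by every other action in the file, and the proxy-tls condition in `deployment.yaml` has the same nit.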
diff --git a/helm/infrastructure/subcharts/kong/templates/config-custom-server-blocks.yaml b/helm/infrastructure/subcharts/kong/templates/config-custom-server-blocks.yaml
deleted file mode 100644 (file)
index 4f33949..0000000
+++ /dev/null
@@ -1,30 +0,0 @@
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: {{ template "kong.fullname" . }}-default-custom-server-blocks
-  labels:
-    {{- include "kong.metaLabels" . | nindent 4 }}
-data:
-  servers.conf: |
-    # Prometheus metrics and health-checking server
-    server {
-        server_name kong_prometheus_exporter;
-        listen 0.0.0.0:9542; # can be any other port as well
-        access_log off;
-        location /status {
-            default_type text/plain;
-            return 200;
-        }
-        location /metrics {
-            default_type text/plain;
-            content_by_lua_block {
-                 local prometheus = require "kong.plugins.prometheus.exporter"
-                 prometheus:collect()
-            }
-        }
-        location /nginx_status {
-            internal;
-            access_log off;
-            stub_status;
-        }
-    }
index 7a0cbc5..5619b59 100644 (file)
@@ -1,13 +1,17 @@
+{{- if .Values.deployment.kong.enabled }}
 {{- if (and (not .Values.ingressController.enabled) (eq .Values.env.database "off")) }}
-{{- if not .Values.dblessConfig.configMap }}
+{{- if not (or .Values.dblessConfig.configMap .Values.dblessConfig.secret) }}
+{{- if .Values.dblessConfig.config }}
 apiVersion: v1
 kind: ConfigMap
 metadata:
   name: {{ template "kong.dblessConfig.fullname" . }}
+  namespace: {{ template "kong.namespace" . }}
   labels:
     {{- include "kong.metaLabels" . | nindent 4 }}
 data:
-  kong.yml: |
-{{ .Values.dblessConfig.config | toYaml | indent 4 }}
+  kong.yml: | {{- .Values.dblessConfig.config | nindent 4 }}
+{{- end }}
+{{- end }}
 {{- end }}
 {{- end }}
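Review bot: `kong.yml: | {{- .Values.dblessConfig.config | nindent 4 }}` inserts the value verbatim, whereas the removed line ran it through `toYaml`; a values file that still defines `dblessConfig.config` as a map (the form the old template accepted) now renders as Go's `map[...]` text and produces an invalid declarative config. If the string form is intended, the values documentation should say so; otherwise both forms can be kept with `kong.yml: | {{- if kindIs "map" .Values.dblessConfig.config }}{{ toYaml .Values.dblessConfig.config | nindent 4 }}{{ else }}{{ .Values.dblessConfig.config | nindent 4 }}{{ end }}`.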
index 22fc78e..f5873f0 100644 (file)
@@ -1,9 +1,9 @@
 {{- if and .Values.ingressController.rbac.create .Values.ingressController.enabled -}}
-apiVersion: rbac.authorization.k8s.io/v1beta1
+apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
-  name:  {{ template "kong.fullname" . }}
-  namespace: {{ .Release.namespace }}
+  name: {{ template "kong.fullname" . }}
+  namespace: {{ template "kong.namespace" . }}
   labels:
     {{- include "kong.metaLabels" . | nindent 4 }}
 rules:
@@ -35,18 +35,48 @@ rules:
       - configmaps
     verbs:
       - create
+{{- if (semverCompare "< 2.10.0" (include "kong.effectiveVersion" .Values.ingressController.image)) }}
   - apiGroups:
       - ""
     resources:
       - endpoints
     verbs:
       - get
+{{- end }}
+  # Begin KIC 2.x leader permissions
+  - apiGroups:
+      - ""
+      - coordination.k8s.io
+    resources:
+      - configmaps
+      - leases
+    verbs:
+      - get
+      - list
+      - watch
+      - create
+      - update
+      - patch
+      - delete
+  - apiGroups:
+      - ""
+    resources:
+      - events
+    verbs:
+      - create
+      - patch
+  - apiGroups:
+      - ""
+    resources:
+      - services
+    verbs:
+      - get
 ---
-apiVersion: rbac.authorization.k8s.io/v1beta1
+apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
-  name:  {{ template "kong.fullname" . }}
-  namespace: {{ .Release.Namespace }}
+  name: {{ template "kong.fullname" . }}
+  namespace: {{ template "kong.namespace" . }}
   labels:
     {{- include "kong.metaLabels" . | nindent 4 }}
 roleRef:
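Review bot: The "KIC 2.x leader permissions" rule grants `update`, `patch` and `delete` on every ConfigMap and Lease in the namespace, which is broader than leader election needs and, combined with the unrestricted `create` above it, lets a compromised controller rewrite any ConfigMap in the release namespace. Splitting the rule so that the mutating verbs are limited by `resourceNames` to the election object keeps the unrestricted verbs to `get`/`list`/`watch`/`create` (which cannot be name-scoped); the object name is not visible in this diff, so it is a placeholder below.
```yaml
  # Begin KIC 2.x leader permissions
  - apiGroups:
      - ""
      - coordination.k8s.io
    resources:
      - configmaps
      - leases
    verbs:
      - get
      - list
      - watch
      - create
  - apiGroups:
      - ""
      - coordination.k8s.io
    resources:
      - configmaps
      - leases
    resourceNames:
      - "<LEADER_ELECTION_OBJECT_NAME>"  # placeholder: the election object name KIC uses
    verbs:
      - update
      - patch
      - delete
  # … unchanged: events and services rules …
```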
@@ -56,86 +86,85 @@ roleRef:
 subjects:
   - kind: ServiceAccount
     name: {{ template "kong.serviceAccountName" . }}
-    namespace: {{ .Release.Namespace }}
+    namespace: {{ template "kong.namespace" . }}
+{{- if eq (len .Values.ingressController.watchNamespaces) 0 }}
 ---
-apiVersion: rbac.authorization.k8s.io/v1beta1
+apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   labels:
     {{- include "kong.metaLabels" . | nindent 4 }}
-  name:  {{ template "kong.fullname" . }}
+  name: {{ template "kong.fullname" . }}
 rules:
-  - apiGroups:
-      - ""
-    resources:
-      - endpoints
-      - nodes
-      - pods
-      - secrets
-    verbs:
-      - list
-      - watch
-  - apiGroups:
-      - ""
-    resources:
-      - nodes
-    verbs:
-      - get
-  - apiGroups:
-      - ""
-    resources:
-      - services
-    verbs:
-      - get
-      - list
-      - watch
-  - apiGroups:
-      - "extensions"
-      - "networking.k8s.io"
-    resources:
-      - ingresses
-    verbs:
-      - get
-      - list
-      - watch
-  - apiGroups:
-      - ""
-    resources:
-        - events
-    verbs:
-        - create
-        - patch
-  - apiGroups:
-      - "extensions"
-      - "networking.k8s.io"
-    resources:
-      - ingresses/status
-    verbs:
-      - update
-  - apiGroups:
-      - "configuration.konghq.com"
-    resources:
-      - kongplugins
-      - kongcredentials
-      - kongconsumers
-      - kongingresses
-    verbs:
-      - get
-      - list
-      - watch
+{{ include "kong.kubernetesRBACRules" . }}
+{{ include "kong.kubernetesRBACClusterRules" . }}
 ---
-apiVersion: rbac.authorization.k8s.io/v1beta1
+apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  name:  {{ template "kong.fullname" . }}
+  name: {{ template "kong.fullname" . }}
   labels:
     {{- include "kong.metaLabels" . | nindent 4 }}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
-  name:  {{ template "kong.fullname" . }}
+  name: {{ template "kong.fullname" . }}
 subjects:
   - kind: ServiceAccount
     name: {{ template "kong.serviceAccountName" . }}
-    namespace: {{ .Release.Namespace }}
+    namespace: {{ template "kong.namespace" . }}
+{{- else }}
+{{- range .Values.ingressController.watchNamespaces }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  labels:
+    {{- include "kong.metaLabels" $ | nindent 4 }}
+  name: {{ template "kong.fullname" $ }}-{{ . }}
+  namespace: {{ . }}
+rules:
+{{ include "kong.kubernetesRBACRules" $ }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ template "kong.fullname" $ }}-{{ . }}
+  labels:
+    {{- include "kong.metaLabels" $ | nindent 4 }}
+  namespace: {{ . }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ template "kong.fullname" $ }}-{{ . }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ template "kong.serviceAccountName" $ }}
+    namespace: {{ template "kong.namespace" $ }}
+{{- end }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    {{- include "kong.metaLabels" . | nindent 4 }}
+  name: {{ template "kong.fullname" . }}
+rules:
+{{ include "kong.kubernetesRBACClusterRules" . }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ template "kong.fullname" . }}
+  labels:
+    {{- include "kong.metaLabels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ template "kong.fullname" . }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ template "kong.serviceAccountName" . }}
+    namespace: {{ template "kong.namespace" . }}
+{{- end -}}
 {{- end -}}
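Review bot: Setting `watchNamespaces` still produces a ClusterRole and ClusterRoleBinding at the end of the `else` branch, so it narrows only the rules that `kong.kubernetesRBACRules` emits; whatever `kong.kubernetesRBACClusterRules` grants (both helpers are defined outside this hunk) remains cluster-wide. The removed lines show the previous ClusterRole could `list`/`watch` `secrets` in every namespace; if that rule moved into the cluster-rules helper rather than the namespaced one, `watchNamespaces` does not reduce that exposure, which is worth confirming. A comment above the second ClusterRole such as `# cluster-scoped rules cannot be namespaced; watchNamespaces only narrows the namespaced rules above` would make the intent explicit.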
diff --git a/helm/infrastructure/subcharts/kong/templates/controller-service-account.yaml b/helm/infrastructure/subcharts/kong/templates/controller-service-account.yaml
deleted file mode 100644 (file)
index c6a7554..0000000
+++ /dev/null
@@ -1,9 +0,0 @@
-{{- if or .Values.podSecurityPolicy.enabled (and .Values.ingressController.enabled .Values.ingressController.serviceAccount.create) -}}
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: {{ template "kong.serviceAccountName" . }}
-  namespace: {{ .Release.namespace }}
-  labels:
-    {{- include "kong.metaLabels" . | nindent 4 }}
-{{- end -}}
index 5f20d41..5a6dda1 100644 (file)
-{{- if and .Values.ingressController.enabled .Values.ingressController.installCRDs -}}
-apiVersion: apiextensions.k8s.io/v1beta1
-kind: CustomResourceDefinition
-metadata:
-  name: kongconsumers.configuration.konghq.com
-  labels:
-    {{- include "kong.metaLabels" . | nindent 4 }}
-spec:
-  group: configuration.konghq.com
-  version: v1
-  scope: Namespaced
-  names:
-    kind: KongConsumer
-    plural: kongconsumers
-    shortNames:
-    - kc
-  additionalPrinterColumns:
-  - name: Username
-    type: string
-    description: Username of a Kong Consumer
-    JSONPath: .username
-  - name: Age
-    type: date
-    description: Age
-    JSONPath: .metadata.creationTimestamp
-  validation:
-    openAPIV3Schema:
-      properties:
-        username:
-          type: string
-        custom_id:
-          type: string
-        credentials:
-          type: array
-          items:
-            type: string
----
-apiVersion: apiextensions.k8s.io/v1beta1
-kind: CustomResourceDefinition
-metadata:
-  name: kongcredentials.configuration.konghq.com
-  labels:
-    {{- include "kong.metaLabels" . | nindent 4 }}
-spec:
-  group: configuration.konghq.com
-  version: v1
-  scope: Namespaced
-  names:
-    kind: KongCredential
-    plural: kongcredentials
-  additionalPrinterColumns:
-  - name: Credential-type
-    type: string
-    description: Type of credential
-    JSONPath: .type
-  - name: Age
-    type: date
-    description: Age
-    JSONPath: .metadata.creationTimestamp
-  - name: Consumer-Ref
-    type: string
-    description: Owner of the credential
-    JSONPath: .consumerRef
-  validation:
-    openAPIV3Schema:
-      required:
-      - consumerRef
-      - type
-      properties:
-        consumerRef:
-          type: string
-        type:
-          type: string
----
-apiVersion: apiextensions.k8s.io/v1beta1
-kind: CustomResourceDefinition
-metadata:
-  name: kongplugins.configuration.konghq.com
-  labels:
-    {{- include "kong.metaLabels" . | nindent 4 }}
-spec:
-  group: configuration.konghq.com
-  version: v1
-  scope: Namespaced
-  names:
-    kind: KongPlugin
-    plural: kongplugins
-    shortNames:
-    - kp
-  additionalPrinterColumns:
-  - name: Plugin-Type
-    type: string
-    description: Name of the plugin
-    JSONPath: .plugin
-  - name: Age
-    type: date
-    description: Age
-    JSONPath: .metadata.creationTimestamp
-  - name: Disabled
-    type: boolean
-    description: Indicates if the plugin is disabled
-    JSONPath: .disabled
-    priority: 1
-  - name: Config
-    type: string
-    description: Configuration of the plugin
-    JSONPath: .config
-    priority: 1
-  validation:
-    openAPIV3Schema:
-      required:
-      - plugin
-      properties:
-        plugin:
-          type: string
-        disabled:
-          type: boolean
-        config:
-          type: object
-        run_on:
-          type: string
-          enum:
-          - first
-          - second
-          - all
-        protocols:
-          type: array
-          items:
-            type: string
-            enum:
-            - http
-            - https
-            - tcp
-            - tls
-            - grpc
-            - grpcs
----
-apiVersion: apiextensions.k8s.io/v1beta1
-kind: CustomResourceDefinition
-metadata:
-  name: kongingresses.configuration.konghq.com
-  labels:
-    {{- include "kong.metaLabels" . | nindent 4 }}
-spec:
-  group: configuration.konghq.com
-  version: v1
-  scope: Namespaced
-  names:
-    kind: KongIngress
-    plural: kongingresses
-    shortNames:
-    - ki
-  validation:
-    openAPIV3Schema:
-      properties:
-        route:
-          properties:
-            methods:
-              type: array
-              items:
-                type: string
-            headers:
-              type: object
-              additionalProperties:
-                type: array
-                items:
-                  type: string
-            regex_priority:
-              type: integer
-            strip_path:
-              type: boolean
-            preserve_host:
-              type: boolean
-            protocols:
-              type: array
-              items:
-                type: string
-                enum:
-                - http
-                - https
-                - grpc
-                - grpcs
-            https_redirect_status_code:
-              type: integer
-        proxy:
-          type: object
-          properties:
-            protocol:
-              type: string
-              enum:
-              - http
-              - https
-              - grpc
-              - grpcs
-            path:
-              type: string
-              pattern: ^/.*$
-            retries:
-              type: integer
-              minimum: 0
-            connect_timeout:
-              type: integer
-              minimum: 0
-            read_timeout:
-              type: integer
-              minimum: 0
-            write_timeout:
-              type: integer
-              minimum: 0
-        upstream:
-          type: object
-          properties:
-            algorithm:
-              type: string
-              enum:
-              - "round-robin"
-              - "consistent-hashing"
-              - "least-connections"
-            host_header:
-              type: string
-            hash_on:
-              type: string
-            hash_on_cookie:
-              type: string
-            hash_on_cookie_path:
-              type: string
-            hash_on_header:
-              type: string
-            hash_fallback_header:
-              type: string
-            hash_fallback:
-              type: string
-            slots:
-              type: integer
-              minimum: 10
-            healthchecks:
-              type: object
-              properties:
-                active:
-                  type: object
-                  properties:
-                    concurrency:
-                      type: integer
-                      minimum: 1
-                    timeout:
-                      type: integer
-                      minimum: 0
-                    http_path:
-                      type: string
-                      pattern: ^/.*$
-                    healthy: &healthy
-                      type: object
-                      properties:
-                        http_statuses:
-                          type: array
-                          items:
-                            type: integer
-                        interval:
-                          type: integer
-                          minimum: 0
-                        successes:
-                          type: integer
-                          minimum: 0
-                    unhealthy: &unhealthy
-                      type: object
-                      properties:
-                        http_failures:
-                          type: integer
-                          minimum: 0
-                        http_statuses:
-                          type: array
-                          items:
-                            type: integer
-                        interval:
-                          type: integer
-                          minimum: 0
-                        tcp_failures:
-                          type: integer
-                          minimum: 0
-                        timeout:
-                          type: integer
-                          minimum: 0
-                passive:
-                  type: object
-                  properties:
-                    healthy: *healthy
-                    unhealthy: *unhealthy
+{{- $installCRDs := false -}}
+{{- if (hasKey .Values.ingressController "installCRDs") -}}
+  {{/* Explicitly set, honor whatever's set */}}
+  {{- $installCRDs = .Values.ingressController.installCRDs -}}
+{{- else -}}
+  {{/* Legacy default handling. CRD installation is _not_ enabled, but CRDs are already present
+       and are managed by this release. This release previously relied on the <2.0 default
+       .Values.ingressController.installCRDs=true. The default change would delete CRDs on upgrade,
+       which would cascade delete all associated CRs. This unexpected loss of configuration is bad,
+       so this clause pretends the default didn't change if you have an existing release that relied
+       on it
+  */}}
+  {{- $kongPluginCRD := false -}}
+  {{- if .Capabilities.APIVersions.Has "apiextensions.k8s.io/v1/CustomResourceDefinition" -}}
+    {{- $kongPluginCRD = (lookup "apiextensions.k8s.io/v1" "CustomResourceDefinition" "" "kongplugins.configuration.konghq.com") -}}
+  {{- else -}}
+    {{/* TODO: remove the v1beta1 path when we no longer support k8s <1.16 */}}
+    {{- $kongPluginCRD = (lookup "apiextensions.k8s.io/v1beta1" "CustomResourceDefinition" "" "kongplugins.configuration.konghq.com") -}}
+  {{- end -}}
+  {{- if $kongPluginCRD -}}
+    {{- if (hasKey $kongPluginCRD.metadata "annotations") -}}
+      {{- if (eq .Release.Name (get $kongPluginCRD.metadata.annotations "meta.helm.sh/release-name")) -}}
+        {{- $installCRDs = true -}}
+      {{- end -}}
+    {{- end -}}
+  {{- end -}}
 {{- end -}}
+
+{{- if $installCRDs -}}
+{{- range $path, $bytes := .Files.Glob "crds/*.yaml" }}
+{{ $.Files.Get $path }}
+---
+{{- end }}
+{{- end }}
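Review bot: The legacy-default branch decides that this release owns the CRDs by comparing only `meta.helm.sh/release-name`; two releases with the same name in different namespaces would both conclude they own the CRDs, both render them, and the cascade-delete problem the comment describes reappears when one of them is uninstalled. Compare the namespace as well: `{{- if and (eq .Release.Name (get $kongPluginCRD.metadata.annotations "meta.helm.sh/release-name")) (eq .Release.Namespace (get $kongPluginCRD.metadata.annotations "meta.helm.sh/release-namespace")) -}}`. Also, `lookup` returns an empty object under `helm template` and `--dry-run`, so in those modes `$installCRDs` stays `false` and no CRDs are emitted even though the same values would emit them on a live cluster; a line in the explanatory comment noting this would save debugging time.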
index 40afe66..6e9bba8 100644 (file)
@@ -1,25 +1,48 @@
+{{- if or .Values.deployment.kong.enabled .Values.ingressController.enabled }}
 apiVersion: apps/v1
+{{- if .Values.deployment.daemonset }}
+kind: DaemonSet
+{{- else }}
 kind: Deployment
+{{- end }}
 metadata:
   name: {{ template "kong.fullname" . }}
+  namespace:  {{ template "kong.namespace" . }}
   labels:
     {{- include "kong.metaLabels" . | nindent 4 }}
     app.kubernetes.io/component: app
+  {{- if .Values.deploymentAnnotations }}
+  annotations:
+  {{- range $key, $value := .Values.deploymentAnnotations }}
+    {{ $key }}: {{ include "kong.renderTpl" (dict "value" $value "context" $) | quote }}
+  {{- end }}
+  {{- end }}
 spec:
+  {{- if not .Values.autoscaling.enabled }}
+  {{- if not .Values.deployment.daemonset }}
   replicas: {{ .Values.replicaCount }}
+  {{- end }}
+  {{- end }}
   selector:
     matchLabels:
       {{- include "kong.selectorLabels" . | nindent 6 }}
   {{- if .Values.updateStrategy }}
+  {{- if .Values.deployment.daemonset }}
+  updateStrategy:
+  {{- else }}
   strategy:
+  {{- end }}
 {{ toYaml .Values.updateStrategy | indent 4 }}
   {{- end }}
+  {{- if .Values.deployment.minReadySeconds }}
+  minReadySeconds: {{ .Values.deployment.minReadySeconds }}
+  {{- end }}
 
   template:
     metadata:
       annotations:
-        {{- if .Values.ingressController.admissionWebhook.enabled }}
-        checksum/admission-webhook.yaml: {{ include (print $.Template.BasePath "/admission-webhook.yaml") . | sha256sum }}
+        {{- if (and (not .Values.deployment.serviceAccount.automountServiceAccountToken) (or .Values.deployment.serviceAccount.create .Values.deployment.serviceAccount.name)) }}
+        kuma.io/service-account-token-volume: {{ template "kong.serviceAccountTokenName" . }}
         {{- end }}
         {{- if (and (not .Values.ingressController.enabled) (eq .Values.env.database "off" )) }}
         {{- if .Values.dblessConfig.config }}
@@ -27,58 +50,35 @@ spec:
         {{- end }}
         {{- end }}
         {{- if .Values.podAnnotations }}
-{{ toYaml .Values.podAnnotations | indent 8 }}
-        {{- end }}
-        {{- if $.Values.global }}
-          {{- if $.Values.global.danm_networks }}
-            {{- $networklist := list }}
-            {{- range $network := $.Values.global.danm_networks }}
-              {{- if $network.tenants }}
-                {{- if $network.tenants.kong }}
-                  {{- $networklist = append $networklist $network }}
-                {{- end }}
-              {{- end }}
-            {{- end }}
-            {{- if $networklist }}
-        danm.k8s.io/interfaces: |
-          [
-            {{- range $network := $networklist }}
-              {{- printf "\n            {\"clusterNetwork\": \"%s\"" $network.name }}
-              {{- if $network.tenants.kong.ip }}
-                {{- printf ", \"ip\": \"%s\"" $network.tenants.kong.ip }}
-              {{- else }}
-                {{- printf ", \"ip\": \"dynamic\"" }}
-              {{- end }}
-              {{- if $network.tenants.kong.ip6 }}
-                {{- printf ", \"ip6\": \"%s\"" $network.tenants.kong.ip6 }}
-              {{- end }}
-              {{- if $network.tenants.kong.proutes }}
-                {{- printf ", \"proutes\": {" }}
-                {{- range $subnet, $gw := $network.tenants.kong.proutes }}
-                  {{- if eq $subnet ( first ( keys $network.tenants.kong.proutes ))}}
-                    {{- printf "\"%s\": \"%s\"" $subnet $gw }}
-                  {{- else }}
-                    {{- printf ", \"%s\": \"%s\"" $subnet $gw }}
-                  {{- end }}
-                {{- end }}
-                {{- printf "}" }}
-              {{- end }}
-              {{- if ne $network.name (last $networklist).name }}
-              {{- printf "}," }}
-              {{- else }}
-              {{- printf "}" }}
-              {{- end }}
-            {{- end }}
-          ] 
-            {{- end }}
-          {{- end }}
+        {{- range $key, $value := .Values.podAnnotations }}
+        {{ $key }}: {{ include "kong.renderTpl" (dict "value" $value "context" $) | quote }}
+        {{- end }}
         {{- end }}
       labels:
         {{- include "kong.metaLabels" . | nindent 8 }}
         app.kubernetes.io/component: app
+        app: {{ template "kong.fullname" . }}
+        version: {{ .Chart.AppVersion | quote }}
+        {{- if .Values.podLabels }}
+        {{ include "kong.renderTpl" (dict "value" .Values.podLabels "context" $) | nindent 8 }}
+        {{- end }}
     spec:
-      {{- if or .Values.ingressController.enabled .Values.podSecurityPolicy.enabled }}
+      {{- if .Values.deployment.hostname }}
+      hostname: {{ .Values.deployment.hostname }}
+      {{- end }}
+      {{- if .Values.deployment.hostNetwork }}
+      hostNetwork: true
+      {{- end }}
+      {{- if .Values.priorityClassName }}
+      priorityClassName: "{{ .Values.priorityClassName }}"
+      {{- end }}
+      {{- if or .Values.deployment.serviceAccount.create .Values.deployment.serviceAccount.name }}
       serviceAccountName: {{ template "kong.serviceAccountName" . }}
+      {{- end }}
+      {{- if (and (or .Values.deployment.serviceAccount.create .Values.deployment.serviceAccount.name) .Values.deployment.serviceAccount.automountServiceAccountToken) }}
+      automountServiceAccountToken: true
+      {{- else }}
+      automountServiceAccountToken: false
       {{ end }}
       {{- if .Values.image.pullSecrets }}
       imagePullSecrets:
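Review bot: `priorityClassName: "{{ .Values.priorityClassName }}"` wraps the value in literal double quotes while the rest of this commit uses the `quote` function (for example `dnsPolicy` in the following hunk), so a value containing a double quote breaks the document; prefer `priorityClassName: {{ .Values.priorityClassName | quote }}`. Likewise `hostname: {{ .Values.deployment.hostname }}` is unquoted and would be retyped by YAML if it ever looks like a number or boolean. The enclosing pod `spec:` continues past the end of this hunk.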
@@ -86,31 +86,78 @@ spec:
         - name: {{ . }}
       {{- end }}
       {{- end }}
-      {{- if not (eq .Values.env.database "off") }}
+      {{- if .Values.deployment.kong.enabled }}
       initContainers:
-      {{- include "kong.wait-for-db" . | nindent 6 }}
-      {{ end }}
+      - name: clear-stale-pid
+        image: {{ include "kong.getRepoTag" .Values.image }}
+        imagePullPolicy: {{ .Values.image.pullPolicy }}
+        securityContext:
+        {{ toYaml .Values.containerSecurityContext | nindent 10 }}
+        resources:
+{{ toYaml .Values.resources | indent 10 }}
+        command:
+        - "rm"
+        - "-vrf"
+        - "$KONG_PREFIX/pids"
+        env:
+        {{- include "kong.env" . | nindent 8 }}
+        {{- include "kong.envFrom" .Values.envFrom | nindent 8 }}
+        volumeMounts:
+        {{- include "kong.volumeMounts" . | nindent 8 }}
+        {{- if .Values.deployment.initContainers }}
+        {{- toYaml .Values.deployment.initContainers | nindent 6 }}
+        {{- end }}
+        {{- if (and (not (eq .Values.env.database "off")) .Values.waitImage.enabled) }}
+        {{- include "kong.wait-for-db" . | nindent 6 }}
+        {{- end }}
+      {{- end }}
+      {{- if .Values.deployment.hostAliases }}
+      hostAliases:
+        {{- toYaml .Values.deployment.hostAliases | nindent 6 }}
+      {{- end}}
+      {{- if .Values.dnsPolicy }}
+      dnsPolicy: {{ .Values.dnsPolicy | quote }}
+      {{- end }}
+      {{- if .Values.dnsConfig }}
+      dnsConfig:
+{{ toYaml .Values.dnsConfig | indent 8 }}
+      {{- end }}
       containers:
       {{- if .Values.ingressController.enabled }}
       {{- include "kong.controller-container" . | nindent 6 }}
       {{ end }}
+      {{- if .Values.deployment.sidecarContainers }}
+      {{- toYaml .Values.deployment.sidecarContainers | nindent 6 }}
+      {{- end }}
+      {{- if .Values.deployment.kong.enabled }}
       - name: "proxy"
-        image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+        image: {{ include "kong.getRepoTag" .Values.image }}
         imagePullPolicy: {{ .Values.image.pullPolicy }}
+        securityContext:
+        {{ toYaml .Values.containerSecurityContext | nindent 10 }}
         env:
-        {{- include "kong.final_env" . | nindent 8 }}
+        {{- include "kong.no_daemon_env" . | nindent 8 }}
+        {{- include "kong.envFrom" .Values.envFrom | nindent 8 }}
         lifecycle:
-          preStop:
-            exec:
-              command: [ "/bin/sh", "-c", "kong quit" ]
+          {{- toYaml .Values.lifecycle | nindent 10 }}
         ports:
+        {{- if (and .Values.admin.http.enabled .Values.admin.enabled) }}
         - name: admin
-          containerPort: {{ .Values.admin.containerPort }}
-          {{- if .Values.admin.hostPort }}
-          hostPort: {{ .Values.admin.hostPort }}
+          containerPort: {{ .Values.admin.http.containerPort }}
+          {{- if .Values.admin.http.hostPort }}
+          hostPort: {{ .Values.admin.http.hostPort }}
+          {{- end}}
+          protocol: TCP
+        {{- end }}
+        {{- if (and .Values.admin.tls.enabled .Values.admin.enabled) }}
+        - name: admin-tls
+          containerPort: {{ .Values.admin.tls.containerPort }}
+          {{- if .Values.admin.tls.hostPort }}
+          hostPort: {{ .Values.admin.tls.hostPort }}
           {{- end}}
           protocol: TCP
-        {{- if .Values.proxy.http.enabled }}
+        {{- end }}
+        {{- if (and .Values.proxy.http.enabled .Values.proxy.enabled) }}
         - name: proxy
           containerPort: {{ .Values.proxy.http.containerPort }}
           {{- if .Values.proxy.http.hostPort }}
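Review bot: The `clear-stale-pid` init container runs `rm` directly (no shell, since `command:` replaces the image entrypoint) with the argument `"$KONG_PREFIX/pids"`; Kubernetes only expands `$(VAR)` references in `command`/`args`, so `$KONG_PREFIX` is passed literally and `rm -f` exits 0 without removing the real pid directory, making the init container a no-op. Use the Kubernetes form, `- "$(KONG_PREFIX)/pids"`, and confirm `KONG_PREFIX` is among the variables `kong.env` emits. Minor: `securityContext:` followed by `{{ toYaml .Values.containerSecurityContext | nindent 10 }}` without a `{{-` leaves a whitespace-only line in both containers; `{{- toYaml ... | nindent 10 }}` matches the style used for `volumeMounts` just below. The proxy container definition continues past the end of this hunk.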
@@ -118,7 +165,7 @@ spec:
           {{- end}}
           protocol: TCP
         {{- end }}
-        {{- if .Values.proxy.tls.enabled }}
+        {{- if (and .Values.proxy.tls.enabled .Values.proxy.enabled)}}
         - name: proxy-tls
           containerPort: {{ .Values.proxy.tls.containerPort }}
           {{- if .Values.proxy.tls.hostPort }}
@@ -126,16 +173,48 @@ spec:
           {{- end}}
           protocol: TCP
         {{- end }}
-        - name: metrics
-          containerPort: 9542
+        {{- range .Values.proxy.stream }}
+        - name: stream{{ if (eq (default "TCP" .protocol) "UDP") }}udp{{ end }}-{{ .containerPort }}
+          containerPort: {{ .containerPort }}
+          {{- if .hostPort }}
+          hostPort: {{ .hostPort }}
+          {{- end}}
+          protocol: {{ .protocol }}
+        {{- end }}
+        {{- range .Values.udpProxy.stream }}
+        - name: streamudp-{{ .containerPort }}
+          containerPort: {{ .containerPort }}
+          {{- if .hostPort }}
+          hostPort: {{ .hostPort }}
+          {{- end}}
+          protocol: {{ .protocol }}
+        {{- end }}
+        {{- if (and .Values.status.http.enabled .Values.status.enabled)}}
+        - name: status
+          containerPort: {{ .Values.status.http.containerPort }}
+          {{- if .Values.status.http.hostPort }}
+          hostPort: {{ .Values.status.http.hostPort }}
+          {{- end}}
+          protocol: TCP
+        {{- end }}
+        {{- if (and .Values.status.tls.enabled .Values.status.enabled) }}
+        - name: status-tls
+          containerPort: {{ .Values.status.tls.containerPort }}
+          {{- if .Values.status.tls.hostPort }}
+          hostPort: {{ .Values.status.tls.hostPort }}
+          {{- end}}
           protocol: TCP
-        {{- if .Values.ingressController.admissionWebhook.enabled }}
-        - name: webhook
-          containerPort: {{ .Values.ingressController.admissionWebhook.port }}
+        {{- end }}
+        {{- if (and .Values.cluster.tls.enabled .Values.cluster.enabled) }}
+        - name: cluster-tls
+          containerPort: {{ .Values.cluster.tls.containerPort }}
+          {{- if .Values.cluster.tls.hostPort }}
+          hostPort: {{ .Values.cluster.tls.hostPort }}
+          {{- end}}
           protocol: TCP
         {{- end }}
         {{- if .Values.enterprise.enabled }}
-        {{- if .Values.manager.http.enabled }}
+        {{- if (and .Values.manager.http.enabled .Values.manager.enabled) }}
         - name: manager
           containerPort: {{ .Values.manager.http.containerPort }}
           {{- if .Values.manager.http.hostPort }}
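Review bot: In the `range .Values.proxy.stream` loop the port name defaults the protocol (`default "TCP" .protocol`) but the field below emits `protocol: {{ .protocol }}` unmodified, so a stream entry that omits `protocol` renders a valid name with an empty `protocol:` value that the API server rejects. Use `protocol: {{ .protocol | default "TCP" }}` there; the `udpProxy.stream` loop hard-codes `streamudp-` in the name, so `protocol: {{ .protocol | default "UDP" }}` would keep name and protocol consistent in that loop too. The proxy container these ports belong to starts and ends outside this hunk.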
@@ -143,7 +222,7 @@ spec:
           {{- end}}
           protocol: TCP
         {{- end }}
-        {{- if .Values.manager.tls.enabled }}
+        {{- if (and .Values.manager.tls.enabled .Values.manager.enabled) }}
         - name: manager-tls
           containerPort: {{ .Values.manager.tls.containerPort }}
           {{- if .Values.manager.tls.hostPort }}
@@ -151,7 +230,7 @@ spec:
           {{- end}}
           protocol: TCP
         {{- end }}
-        {{- if .Values.portal.http.enabled }}
+        {{- if (and .Values.portal.http.enabled .Values.portal.enabled) }}
         - name: portal
           containerPort: {{ .Values.portal.http.containerPort }}
           {{- if .Values.portal.http.hostPort }}
@@ -159,7 +238,7 @@ spec:
           {{- end}}
           protocol: TCP
         {{- end }}
-        {{- if .Values.portal.tls.enabled }}
+        {{- if (and .Values.portal.tls.enabled .Values.portal.enabled) }}
         - name: portal-tls
           containerPort: {{ .Values.portal.tls.containerPort }}
           {{- if .Values.portal.tls.hostPort }}
@@ -167,7 +246,7 @@ spec:
           {{- end}}
           protocol: TCP
         {{- end }}
-        {{- if .Values.portalapi.http.enabled }}
+        {{- if (and .Values.portalapi.http.enabled .Values.portalapi.enabled) }}
         - name: portalapi
           containerPort: {{ .Values.portalapi.http.containerPort }}
           {{- if .Values.portalapi.http.hostPort }}
@@ -175,7 +254,7 @@ spec:
           {{- end}}
           protocol: TCP
         {{- end }}
-        {{- if .Values.portalapi.tls.enabled }}
+        {{- if (and .Values.portalapi.tls.enabled .Values.portalapi.enabled) }}
         - name: portalapi-tls
           containerPort: {{ .Values.portalapi.tls.containerPort }}
           {{- if .Values.portalapi.tls.hostPort }}
@@ -183,18 +262,36 @@ spec:
           {{- end}}
           protocol: TCP
         {{- end }}
+        {{- if (and .Values.clustertelemetry.tls.enabled .Values.clustertelemetry.enabled) }}
+        - name: clustert-tls
+          containerPort: {{ .Values.clustertelemetry.tls.containerPort }}
+          {{- if .Values.clustertelemetry.tls.hostPort }}
+          hostPort: {{ .Values.clustertelemetry.tls.hostPort }}
+          {{- end}}
+          protocol: TCP
+        {{- end }}
         {{- end }}
         volumeMounts:
         {{- include "kong.volumeMounts" . | nindent 10 }}
+        {{- include "kong.userDefinedVolumeMounts" .Values.deployment | nindent 10 }}
         readinessProbe:
-{{ toYaml .Values.readinessProbe | indent 10 }}
+{{ include "kong.proxy.compatibleReadiness" . | indent 10 }}
         livenessProbe:
 {{ toYaml .Values.livenessProbe | indent 10 }}
+        {{- if .Values.startupProbe }}
+        startupProbe:
+{{ toYaml .Values.startupProbe | indent 10 }}
+        {{- end }}
         resources:
 {{ toYaml .Values.resources | indent 10 }}
+        {{- end }} {{/* End of Kong container spec */}}
     {{- if .Values.affinity }}
       affinity:
 {{ toYaml .Values.affinity | indent 8 }}
+    {{- end }}
+    {{- if .Values.topologySpreadConstraints }}
+      topologySpreadConstraints:
+{{ toYaml .Values.topologySpreadConstraints | indent 8 }}
     {{- end }}
       securityContext:
       {{- include "kong.podsecuritycontext" . | nindent 8 }}
@@ -202,7 +299,12 @@ spec:
       nodeSelector:
 {{ toYaml .Values.nodeSelector | indent 8 }}
     {{- end }}
+      terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }}
+    {{- if .Values.tolerations }}
       tolerations:
 {{ toYaml .Values.tolerations | indent 8 }}
+    {{- end }}
       volumes:
       {{- include "kong.volumes" . | nindent 8 -}}
+      {{- include "kong.userDefinedVolumes" . | nindent 8 -}}
+{{- end }}
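Review bot: `terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }}` is emitted unconditionally while the `tolerations` block right after it (and `affinity`/`topologySpreadConstraints` earlier) are guarded, so if the value is not set in values.yaml (not visible here) the line renders as a bare `terminationGracePeriodSeconds:` null. Either guard it like its neighbours or give it an explicit fallback, e.g. `terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds | default 30 }}`, 30 being the Kubernetes default. The closing `{{- end }}` at the end of the hunk pairs with a condition that begins outside this hunk.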
diff --git a/helm/infrastructure/subcharts/kong/templates/extraManifests.yaml b/helm/infrastructure/subcharts/kong/templates/extraManifests.yaml
new file mode 100644 (file)
index 0000000..a9bb3b6
--- /dev/null
@@ -0,0 +1,4 @@
+{{ range .Values.extraObjects }}
+---
+{{ tpl (toYaml .) $ }}
+{{ end }}
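Review bot: This template emits every entry of `.Values.extraObjects` as a complete manifest through `tpl` with no namespace or label injection and no restriction on kind, so a values file can create any resource the release's credentials allow, and nothing in the file says so. Add a header comment stating the contract, along the lines of `{{/* Extra manifests supplied via .Values.extraObjects: each object is passed through tpl and emitted verbatim; set metadata.namespace and labels on each object yourself, and treat values from external sources as untrusted input */}}`. The untrimmed `{{ range }}`/`{{ end }}` actions also leave blank lines around each document, which is harmless but inconsistent with the `{{-` style used elsewhere in the chart.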
diff --git a/helm/infrastructure/subcharts/kong/templates/hpa.yaml b/helm/infrastructure/subcharts/kong/templates/hpa.yaml
new file mode 100644 (file)
index 0000000..922ade8
--- /dev/null
@@ -0,0 +1,26 @@
+{{- if .Values.autoscaling.enabled }}
+apiVersion: {{ include "kong.autoscalingVersion" . }}
+kind: HorizontalPodAutoscaler
+metadata:
+  name: "{{ template "kong.fullname" . }}"
+  namespace:  {{ template "kong.namespace" . }}
+  labels:
+    {{- include "kong.metaLabels" . | nindent 4 }}
+spec:
+  scaleTargetRef:
+    apiVersion: apps/v1
+    kind: Deployment
+    name: "{{ template "kong.fullname" . }}"
+  minReplicas: {{ .Values.autoscaling.minReplicas }}
+  maxReplicas: {{ .Values.autoscaling.maxReplicas }}
+  {{- if .Values.autoscaling.behavior }}
+  behavior:
+    {{- toYaml .Values.autoscaling.behavior | nindent 4 }}
+  {{- end }}
+  {{- if contains "autoscaling/v2" (include "kong.autoscalingVersion" . ) }}
+  metrics:
+    {{- toYaml .Values.autoscaling.metrics | nindent 4 }}
+  {{- else }}
+  targetCPUUtilizationPercentage: {{ .Values.autoscaling.targetCPUUtilizationPercentage | default 80 }}
+  {{- end }}
+{{- end }}
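Review bot: `namespace:  {{ template "kong.namespace" . }}` in the metadata block has two spaces after the colon, which is valid YAML but inconsistent with every other key in the chart; `namespace: {{ template "kong.namespace" . }}` is the intended form. On the autoscaling/v2 branch, `metrics:` is rendered from `toYaml .Values.autoscaling.metrics` with no guard, so when no metrics are configured it renders `metrics: null` and relies on API-server defaulting rather than the explicit `default 80` the v1 branch uses; wrapping it in `{{- with .Values.autoscaling.metrics }}` would make the two branches behave the same way. The HorizontalPodAutoscaler also targets the Deployment unconditionally, whereas the deployment template in this commit appears to be gated on `.Values.deployment.kong.enabled`; worth confirming the two guards agree.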
diff --git a/helm/infrastructure/subcharts/kong/templates/ingress-admin.yaml b/helm/infrastructure/subcharts/kong/templates/ingress-admin.yaml
deleted file mode 100644 (file)
index e5d6119..0000000
+++ /dev/null
@@ -1,32 +0,0 @@
-{{- if .Values.admin.ingress.enabled -}}
-{{- $serviceName := include "kong.fullname" . -}}
-{{- $servicePort := .Values.admin.servicePort -}}
-{{- $path := .Values.admin.ingress.path -}}
-{{- $tls := .Values.admin.ingress.tls -}}
-{{- $hostname := .Values.admin.ingress.hostname -}}
-apiVersion: extensions/v1beta1
-kind: Ingress
-metadata:
-  name: {{ template "kong.fullname" . }}-admin
-  labels:
-    {{- include "kong.metaLabels" . | nindent 4 }}
-  annotations:
-    {{- range $key, $value := .Values.admin.ingress.annotations }}
-      {{ $key }}: {{ $value | quote }}
-    {{- end }}
-spec:
-  rules:
-  - host: {{ $hostname }}
-    http:
-      paths:
-        - path: {{ $path }}
-          backend:
-            serviceName: {{ $serviceName }}-admin
-            servicePort: {{ $servicePort }}
-  {{- if $tls }}
-  tls:
-  - hosts:
-    - {{ $hostname }}
-    secretName: {{ $tls }}
-  {{- end -}}
-{{- end -}}
diff --git a/helm/infrastructure/subcharts/kong/templates/ingress-class.yaml b/helm/infrastructure/subcharts/kong/templates/ingress-class.yaml
new file mode 100644 (file)
index 0000000..d2ac47d
--- /dev/null
@@ -0,0 +1,33 @@
+{{/* Default to not managing if unsupported or created outside this chart */}}
+{{- $includeIngressClass := false -}}
+{{- if .Values.ingressController.enabled -}}
+  {{- if (.Capabilities.APIVersions.Has "networking.k8s.io/v1/IngressClass") -}}
+    {{- with (lookup "networking.k8s.io/v1" "IngressClass" "" .Values.ingressController.ingressClass) -}}
+      {{- if (hasKey .metadata "annotations") -}}
+        {{- if (eq $.Release.Name (get .metadata.annotations "meta.helm.sh/release-name")) -}}
+          {{/* IngressClass exists and is managed by this chart */}}
+          {{- $includeIngressClass = true -}}
+        {{- end -}}
+      {{- end -}}
+    {{- else -}}
+      {{/* IngressClass doesn't exist */}}
+      {{- $includeIngressClass = true -}}
+    {{- end -}}
+  {{- end -}}
+{{- end -}}
+{{- if $includeIngressClass -}}
+apiVersion: networking.k8s.io/v1
+kind: IngressClass
+metadata:
+  name: {{ .Values.ingressController.ingressClass }}
+  {{- if .Values.ingressController.ingressClassAnnotations }}
+  annotations:
+  {{- range $key, $value := .Values.ingressController.ingressClassAnnotations }}
+    {{ $key }}: {{ $value | quote }}
+  {{- end }}
+  {{- end }}
+  labels:
+  {{- include "kong.metaLabels" . | nindent 4 }}
+spec:
+  controller: ingress-controllers.konghq.com/kong
+{{- end -}}
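Review bot: The ownership check at `eq $.Release.Name (get .metadata.annotations "meta.helm.sh/release-name")` compares only the release name, so an IngressClass created by a release of the same name in a different namespace would be treated as managed by this chart and overwritten on upgrade. Helm writes a namespace annotation alongside the name, so the check should require both: `{{- if (and (eq $.Release.Name (get .metadata.annotations "meta.helm.sh/release-name")) (eq $.Release.Namespace (get .metadata.annotations "meta.helm.sh/release-namespace"))) -}}`. It is also worth extending the header comment to say that `lookup` returns an empty map under `helm template` and `--dry-run`, so those paths always take the "IngressClass doesn't exist" branch and render the resource.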
diff --git a/helm/infrastructure/subcharts/kong/templates/ingress-manager.yaml b/helm/infrastructure/subcharts/kong/templates/ingress-manager.yaml
deleted file mode 100644 (file)
index e4f3543..0000000
+++ /dev/null
@@ -1,34 +0,0 @@
-{{- if .Values.enterprise.enabled }}
-{{- if .Values.manager.ingress.enabled -}}
-{{- $serviceName := include "kong.fullname" . -}}
-{{- $servicePort := include "kong.ingress.servicePort" .Values.manager -}}
-{{- $path := .Values.manager.ingress.path -}}
-{{- $tls := .Values.manager.ingress.tls -}}
-{{- $hostname := .Values.manager.ingress.hostname -}}
-apiVersion: extensions/v1beta1
-kind: Ingress
-metadata:
-  name: {{ template "kong.fullname" . }}-manager
-  labels:
-    {{- include "kong.metaLabels" . | nindent 4 }}
-  annotations:
-    {{- range $key, $value := .Values.manager.ingress.annotations }}
-      {{ $key }}: {{ $value | quote }}
-    {{- end }}
-spec:
-  rules:
-  - host: {{ $hostname }}
-    http:
-      paths:
-        - path: {{ $path }}
-          backend:
-            serviceName: {{ $serviceName }}-manager
-            servicePort: {{ $servicePort }}
-  {{- if $tls }}
-  tls:
-  - hosts:
-    - {{ $hostname }}
-    secretName: {{ $tls }}
-  {{- end -}}
-{{- end -}}
-{{- end -}}
diff --git a/helm/infrastructure/subcharts/kong/templates/ingress-portal-api.yaml b/helm/infrastructure/subcharts/kong/templates/ingress-portal-api.yaml
deleted file mode 100644 (file)
index 3e10269..0000000
+++ /dev/null
@@ -1,34 +0,0 @@
-{{- if .Values.enterprise.enabled }}
-{{- if .Values.portalapi.ingress.enabled -}}
-{{- $serviceName := include "kong.fullname" . -}}
-{{- $servicePort := include "kong.ingress.servicePort" .Values.portalapi -}}
-{{- $path := .Values.portalapi.ingress.path -}}
-{{- $tls := .Values.portalapi.ingress.tls -}}
-{{- $hostname := .Values.portalapi.ingress.hostname -}}
-apiVersion: extensions/v1beta1
-kind: Ingress
-metadata:
-  name: {{ template "kong.fullname" . }}-portalapi
-  labels:
-    {{- include "kong.metaLabels" . | nindent 4 }}
-  annotations:
-    {{- range $key, $value := .Values.portalapi.ingress.annotations }}
-      {{ $key }}: {{ $value | quote }}
-    {{- end }}
-spec:
-  rules:
-  - host: {{ $hostname }}
-    http:
-      paths:
-        - path: {{ $path }}
-          backend:
-            serviceName: {{ $serviceName }}-portalapi
-            servicePort: {{ $servicePort }}
-  {{- if $tls }}
-  tls:
-  - hosts:
-    - {{ $hostname }}
-    secretName: {{ $tls }}
-  {{- end -}}
-{{- end -}}
-{{- end -}}
diff --git a/helm/infrastructure/subcharts/kong/templates/ingress-portal.yaml b/helm/infrastructure/subcharts/kong/templates/ingress-portal.yaml
deleted file mode 100644 (file)
index 521adef..0000000
+++ /dev/null
@@ -1,34 +0,0 @@
-{{- if .Values.enterprise.enabled }}
-{{- if .Values.portal.ingress.enabled -}}
-{{- $serviceName := include "kong.fullname" . -}}
-{{- $servicePort := include "kong.ingress.servicePort" .Values.portal -}}
-{{- $path := .Values.portal.ingress.path -}}
-{{- $tls := .Values.portal.ingress.tls -}}
-{{- $hostname := .Values.portal.ingress.hostname -}}
-apiVersion: extensions/v1beta1
-kind: Ingress
-metadata:
-  name: {{ template "kong.fullname" . }}-portal
-  labels:
-    {{- include "kong.metaLabels" . | nindent 4 }}
-  annotations:
-    {{- range $key, $value := .Values.portal.ingress.annotations }}
-      {{ $key }}: {{ $value | quote }}
-    {{- end }}
-spec:
-  rules:
-  - host: {{ $hostname }}
-    http:
-      paths:
-        - path: {{ $path }}
-          backend:
-            serviceName: {{ $serviceName }}-portal
-            servicePort: {{ $servicePort }}
-  {{- if $tls }}
-  tls:
-  - hosts:
-    - {{ $hostname }}
-    secretName: {{ $tls }}
-  {{- end -}}
-{{- end -}}
-{{- end -}}
diff --git a/helm/infrastructure/subcharts/kong/templates/ingress-proxy.yaml b/helm/infrastructure/subcharts/kong/templates/ingress-proxy.yaml
deleted file mode 100644 (file)
index 9976df9..0000000
+++ /dev/null
@@ -1,40 +0,0 @@
-{{- if .Values.proxy.ingress.enabled -}}
-{{- $serviceName := include "kong.fullname" . -}}
-{{- $servicePort := include "kong.ingress.servicePort" .Values.proxy -}}
-{{- $path := .Values.proxy.ingress.path -}}
-{{- $hosts_count := len .Values.proxy.ingress.hosts -}}
-apiVersion: extensions/v1beta1
-kind: Ingress
-metadata:
-  name: {{ template "kong.fullname" . }}-proxy
-  labels:
-    {{- include "kong.metaLabels" . | nindent 4 }}
-  annotations:
-    {{- range $key, $value := .Values.proxy.ingress.annotations }}
-      {{ $key }}: {{ $value | quote }}
-    {{- end }}
-spec:
-  rules:
-    {{- if eq $hosts_count 0 }}
-    - http:
-        paths:
-          - path: {{ $path }}
-            backend:
-              serviceName: {{ $serviceName }}-proxy
-              servicePort: {{ $servicePort }}
-    {{ else -}}
-    {{- range $host := .Values.proxy.ingress.hosts }}
-    - host: {{ $host | quote }}
-      http:
-        paths:
-          - path: {{ $path }}
-            backend:
-              serviceName: {{ $serviceName }}-proxy
-              servicePort: {{ $servicePort }}
-    {{- end -}}
-    {{- end -}}
-  {{- if .Values.proxy.ingress.tls }}
-  tls:
-{{ toYaml .Values.proxy.ingress.tls | indent 4 }}
-  {{- end -}}
-{{- end -}}
index 29418d1..7322539 100644 (file)
@@ -1,49 +1,97 @@
-{{- if (and (.Values.runMigrations) (not (eq .Values.env.database "off"))) }}
+{{- if .Values.deployment.kong.enabled }}
+{{- if (and .Values.migrations.postUpgrade (not (eq .Values.env.database "off"))) }}
 # Why is this Job duplicated and not using only helm hooks?
 # See: https://github.com/helm/charts/pull/7362
 apiVersion: batch/v1
 kind: Job
 metadata:
   name: {{ template "kong.fullname" . }}-post-upgrade-migrations
+  namespace: {{ template "kong.namespace" . }}
   labels:
     {{- include "kong.metaLabels" . | nindent 4 }}
     app.kubernetes.io/component: post-upgrade-migrations
   annotations:
     helm.sh/hook: "post-upgrade"
     helm.sh/hook-delete-policy: "before-hook-creation"
+  {{- range $key, $value := .Values.migrations.jobAnnotations }}
+    {{ $key }}: {{ $value | quote }}
+  {{- end }}
 spec:
+  backoffLimit: {{ .Values.migrations.backoffLimit }}
   template:
     metadata:
       name: {{ template "kong.name" . }}-post-upgrade-migrations
       labels:
         {{- include "kong.metaLabels" . | nindent 8 }}
         app.kubernetes.io/component: post-upgrade-migrations
+      {{- if .Values.migrations.annotations }}
+      annotations:
+      {{- range $key, $value := .Values.migrations.annotations }}
+        {{ $key }}: {{ $value | quote }}
+      {{- end }}
+      {{- if (and (not .Values.deployment.serviceAccount.automountServiceAccountToken) (or .Values.deployment.serviceAccount.create .Values.deployment.serviceAccount.name)) }}
+        kuma.io/service-account-token-volume: {{ template "kong.serviceAccountTokenName" . }}
+      {{- end }}
+      {{- end }}
     spec:
-      {{- if .Values.podSecurityPolicy.enabled }}
+      {{- if or .Values.deployment.serviceAccount.create .Values.deployment.serviceAccount.name }}
       serviceAccountName: {{ template "kong.serviceAccountName" . }}
       {{- end }}
+      {{- if (and (or .Values.deployment.serviceAccount.create .Values.deployment.serviceAccount.name) .Values.deployment.serviceAccount.automountServiceAccountToken) }}
+      automountServiceAccountToken: true
+      {{- else }}
+      automountServiceAccountToken: false
+      {{ end }}
       {{- if .Values.image.pullSecrets }}
       imagePullSecrets:
       {{- range .Values.image.pullSecrets }}
         - name: {{ . }}
       {{- end }}
       {{- end }}
+      {{- if (or (and (.Values.postgresql.enabled) .Values.waitImage.enabled) .Values.deployment.initContainers) }}
       initContainers:
-      {{- if (eq .Values.env.database "postgres") }}
+      {{- if .Values.deployment.initContainers }}
+      {{- toYaml .Values.deployment.initContainers | nindent 6 }}
+      {{- end }}
+      {{- if (and (.Values.postgresql.enabled) .Values.waitImage.enabled) }}
       {{- include "kong.wait-for-postgres" . | nindent 6 }}
       {{- end }}
+      {{- end }}
       containers:
+      {{- if .Values.migrations.sidecarContainers }}
+      {{- toYaml .Values.migrations.sidecarContainers | nindent 6 }}
+      {{- end }}
       - name: {{ template "kong.name" . }}-post-upgrade-migrations
-        image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+        image: {{ include "kong.getRepoTag" .Values.image }}
         imagePullPolicy: {{ .Values.image.pullPolicy }}
+        securityContext:
+        {{ toYaml .Values.containerSecurityContext | nindent 10 }} 
         env:
-        {{- include "kong.final_env" . | nindent 8 }}
-        command: [ "/bin/sh", "-c", "kong migrations finish" ]
+        {{- include "kong.no_daemon_env" . | nindent 8 }}
+        {{- include "kong.envFrom" .Values.envFrom | nindent 8 }}
+        args: [ "kong", "migrations", "finish" ]
         volumeMounts:
         {{- include "kong.volumeMounts" . | nindent 8 }}
+        {{- include "kong.userDefinedVolumeMounts" .Values.deployment | nindent 8 }}
+        resources:
+        {{- toYaml .Values.migrations.resources | nindent 10 }}
       securityContext:
       {{- include "kong.podsecuritycontext" . | nindent 8 }}
+      {{- if .Values.affinity }}
+      affinity:
+      {{- toYaml .Values.affinity | nindent 8 }}
+      {{- end }}
+      {{- if .Values.nodeSelector }}
+      nodeSelector:
+      {{- toYaml .Values.nodeSelector | nindent 8 }}
+      {{- end }}
+      {{- if .Values.tolerations }}
+      tolerations:
+      {{- toYaml .Values.tolerations | nindent 8 }}
+      {{- end }}
       restartPolicy: OnFailure
       volumes:
       {{- include "kong.volumes" . | nindent 6 -}}
+      {{- include "kong.userDefinedVolumes" . | nindent 6 -}}
+{{- end }}
 {{- end }}
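Review bot: The pre-upgrade and init migration jobs in this commit gain `argocd.argoproj.io/hook` and `argocd.argoproj.io/hook-delete-policy` annotations, but this post-upgrade job's annotations block keeps only the helm.sh hooks, so under Argo CD it would presumably be applied as an ordinary resource rather than as a post-sync hook; if that is unintended, add `argocd.argoproj.io/hook: PostSync` and `argocd.argoproj.io/hook-delete-policy: BeforeHookCreation` next to the helm.sh entries. Two smaller points shared with the pre-upgrade and init hunks: the `{{ toYaml .Values.containerSecurityContext | nindent 10 }} ` line carries a trailing space (here and in the init job), and the `{{ end }}` closing the automountServiceAccountToken branch lacks the `-` trim used by every other action in the file and leaves a blank line in the rendered manifest.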
index 977ac48..9efb8ba 100644 (file)
@@ -1,63 +1,99 @@
-{{- if (and (.Values.runMigrations) (not (eq .Values.env.database "off"))) }}
+{{- if .Values.deployment.kong.enabled }}
+{{- if (and .Values.migrations.preUpgrade (not (eq .Values.env.database "off"))) }}
 # Why is this Job duplicated and not using only helm hooks?
 # See: https://github.com/helm/charts/pull/7362
 apiVersion: batch/v1
 kind: Job
 metadata:
   name: {{ template "kong.fullname" . }}-pre-upgrade-migrations
+  namespace: {{ template "kong.namespace" . }}
   labels:
     {{- include "kong.metaLabels" . | nindent 4 }}
     app.kubernetes.io/component: pre-upgrade-migrations
   annotations:
     helm.sh/hook: "pre-upgrade"
     helm.sh/hook-delete-policy: "before-hook-creation"
+    argocd.argoproj.io/hook: Sync
+    argocd.argoproj.io/hook-delete-policy: BeforeHookCreation
+  {{- range $key, $value := .Values.migrations.jobAnnotations }}
+    {{ $key }}: {{ $value | quote }}
+  {{- end }}
 spec:
+  backoffLimit: {{ .Values.migrations.backoffLimit }}
   template:
     metadata:
       name: {{ template "kong.name" . }}-pre-upgrade-migrations
       labels:
         {{- include "kong.metaLabels" . | nindent 8 }}
         app.kubernetes.io/component: pre-upgrade-migrations
+      {{- if .Values.migrations.annotations }}
+      annotations:
+      {{- range $key, $value := .Values.migrations.annotations }}
+        {{ $key }}: {{ $value | quote }}
+      {{- end }}
+      {{- if (and (not .Values.deployment.serviceAccount.automountServiceAccountToken) (or .Values.deployment.serviceAccount.create .Values.deployment.serviceAccount.name)) }}
+        kuma.io/service-account-token-volume: {{ template "kong.serviceAccountTokenName" . }}
+      {{- end }}
+      {{- end }}
     spec:
-      {{- if .Values.podSecurityPolicy.enabled }}
+      {{- if or .Values.deployment.serviceAccount.create .Values.deployment.serviceAccount.name }}
       serviceAccountName: {{ template "kong.serviceAccountName" . }}
       {{- end }}
+      {{- if (and (or .Values.deployment.serviceAccount.create .Values.deployment.serviceAccount.name) .Values.deployment.serviceAccount.automountServiceAccountToken) }}
+      automountServiceAccountToken: true
+      {{- else }}
+      automountServiceAccountToken: false
+      {{ end }}
       {{- if .Values.image.pullSecrets }}
       imagePullSecrets:
       {{- range .Values.image.pullSecrets }}
         - name: {{ . }}
       {{- end }}
       {{- end }}
+      {{- if (or (and (.Values.postgresql.enabled) .Values.waitImage.enabled) .Values.deployment.initContainers) }}
       initContainers:
-      {{- if (eq .Values.env.database "postgres") }}
+      {{- if .Values.deployment.initContainers }}
+      {{- toYaml .Values.deployment.initContainers | nindent 6 }}
+      {{- end }}
+      {{- if (and (.Values.postgresql.enabled) .Values.waitImage.enabled) }}
       {{- include "kong.wait-for-postgres" . | nindent 6 }}
       {{- end }}
+      {{- end }}
       containers:
+      {{- if .Values.migrations.sidecarContainers }}
+      {{- toYaml .Values.migrations.sidecarContainers | nindent 6 }}
+      {{- end }}
       - name: {{ template "kong.name" . }}-upgrade-migrations
-        image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+        image: {{ include "kong.getRepoTag" .Values.image }}
         imagePullPolicy: {{ .Values.image.pullPolicy }}
+        securityContext:
+        {{ toYaml .Values.containerSecurityContext | nindent 10 }}
         env:
-        {{- include "kong.final_env" . | nindent 8 }}
-        command: [ "/bin/sh", "-c", "kong migrations up" ]
+        {{- include "kong.no_daemon_env" . | nindent 8 }}
+        {{- include "kong.envFrom" .Values.envFrom | nindent 8 }}
+        args: [ "kong", "migrations", "up" ]
         volumeMounts:
         {{- include "kong.volumeMounts" . | nindent 8 }}
+        {{- include "kong.userDefinedVolumeMounts" .Values.deployment | nindent 8 }}
+        resources:
+        {{- toYaml .Values.migrations.resources| nindent 10 }}
       securityContext:
       {{- include "kong.podsecuritycontext" . | nindent 8 }}
+      {{- if .Values.affinity }}
+      affinity:
+      {{- toYaml .Values.affinity | nindent 8 }}
+      {{- end }}
+      {{- if .Values.nodeSelector }}
+      nodeSelector:
+      {{- toYaml .Values.nodeSelector | nindent 8 }}
+      {{- end }}
+      {{- if .Values.tolerations }}
+      tolerations:
+      {{- toYaml .Values.tolerations | nindent 8 }}
+      {{- end }}
       restartPolicy: OnFailure
       volumes:
       {{- include "kong.volumes" . | nindent 6 -}}
+      {{- include "kong.userDefinedVolumes" . | nindent 6 -}}
+{{- end }}
 {{- end }}
-
-{{ if or .Values.podSecurityPolicy.enabled (and .Values.ingressController.enabled .Values.ingressController.serviceAccount.create) -}}
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: {{ template "kong.serviceAccountName" . }}
-  namespace: {{ .Release.namespace }}
-  annotations:
-    "helm.sh/hook": pre-upgrade
-    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
-  labels:
-    {{- include "kong.metaLabels" . | nindent 4 }}
-{{- end -}}
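Review bot: `{{- toYaml .Values.migrations.resources| nindent 10 }}` in the pre-upgrade container is missing the space before the pipe that the post-upgrade and init jobs use for the same line; `{{- toYaml .Values.migrations.resources | nindent 10 }}` keeps the three templates identical and diffable. The rest of this hunk mirrors the post-upgrade job, so the remarks made there apply here as well.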
index 7c87f8b..e1a85fb 100644 (file)
-{{- if (and (.Values.runMigrations) (not (eq .Values.env.database "off"))) }}
+{{- if .Values.deployment.kong.enabled }}
+{{- if .Release.IsInstall -}}
+{{/* .migrations.init isn't normally exposed in values.yaml, since it should
+     generally always run on install--there should never be any reason to
+     disable it, and at worst it's a no-op. However, https://github.com/helm/helm/issues/3308
+     means we cannot use the default function to create a hidden value, hence
+     the workaround with this $runInit variable.
+ */}}
+{{- $runInit := true -}}
+{{- if (hasKey .Values.migrations "init") -}}
+  {{- $runInit = .Values.migrations.init -}}
+{{- end -}}
+
+{{- if (and ($runInit) (not (eq .Values.env.database "off"))) }}
 apiVersion: batch/v1
 kind: Job
 metadata:
   name: {{ template "kong.fullname" . }}-init-migrations
+  namespace: {{ template "kong.namespace" . }}
   labels:
     {{- include "kong.metaLabels" . | nindent 4 }}
     app.kubernetes.io/component: init-migrations
+  annotations:
+    argocd.argoproj.io/hook: Sync
+    argocd.argoproj.io/hook-delete-policy: BeforeHookCreation
+  {{- range $key, $value := .Values.migrations.jobAnnotations }}
+    {{ $key }}: {{ $value | quote }}
+  {{- end }}
 spec:
+  backoffLimit: {{ .Values.migrations.backoffLimit }}
   template:
     metadata:
       name: {{ template "kong.name" . }}-init-migrations
       labels:
         {{- include "kong.metaLabels" . | nindent 8 }}
         app.kubernetes.io/component: init-migrations
+      {{- if .Values.migrations.annotations }}
+      annotations:
+      {{- range $key, $value := .Values.migrations.annotations }}
+        {{ $key }}: {{ $value | quote }}
+      {{- end }}
+      {{- if (and (not .Values.deployment.serviceAccount.automountServiceAccountToken) (or .Values.deployment.serviceAccount.create .Values.deployment.serviceAccount.name)) }}
+        kuma.io/service-account-token-volume: {{ template "kong.serviceAccountTokenName" . }}
+      {{- end }}
+      {{- end }}
     spec:
-      {{- if .Values.podSecurityPolicy.enabled }}
+      {{- if or .Values.deployment.serviceAccount.create .Values.deployment.serviceAccount.name }}
       serviceAccountName: {{ template "kong.serviceAccountName" . }}
       {{- end }}
+      {{- if (and (or .Values.deployment.serviceAccount.create .Values.deployment.serviceAccount.name) .Values.deployment.serviceAccount.automountServiceAccountToken) }}
+      automountServiceAccountToken: true
+      {{- else }}
+      automountServiceAccountToken: false
+      {{ end }}
       {{- if .Values.image.pullSecrets }}
       imagePullSecrets:
       {{- range .Values.image.pullSecrets }}
         - name: {{ . }}
       {{- end }}
       {{- end }}
+      {{- if (or (and (.Values.postgresql.enabled) .Values.waitImage.enabled) .Values.deployment.initContainers) }}
       initContainers:
-      {{- if (eq .Values.env.database "postgres") }}
+      {{- if .Values.deployment.initContainers }}
+      {{- toYaml .Values.deployment.initContainers | nindent 6 }}
+      {{- end }}
+      {{- if (and (.Values.postgresql.enabled) .Values.waitImage.enabled) }}
       {{- include "kong.wait-for-postgres" . | nindent 6 }}
       {{- end }}
+      {{- end }}
       containers:
+      {{- if .Values.migrations.sidecarContainers }}
+      {{- toYaml .Values.migrations.sidecarContainers | nindent 6 }}
+      {{- end }}
       - name: {{ template "kong.name" . }}-migrations
-        image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+        image: {{ include "kong.getRepoTag" .Values.image }}
         imagePullPolicy: {{ .Values.image.pullPolicy }}
+        securityContext:
+        {{ toYaml .Values.containerSecurityContext | nindent 10 }} 
         env:
-        {{- include "kong.final_env" . | nindent 8 }}
-        command: [ "/bin/sh", "-c", "kong migrations bootstrap" ]
+        {{- include "kong.no_daemon_env" . | nindent 8 }}
+        {{- include "kong.envFrom" .Values.envFrom | nindent 8 }}
+        args: [ "kong", "migrations", "bootstrap" ]
         volumeMounts:
         {{- include "kong.volumeMounts" . | nindent 8 }}
+        {{- include "kong.userDefinedVolumeMounts" .Values.deployment | nindent 8 }}
+        resources:
+        {{- toYaml .Values.migrations.resources | nindent 10 }}
       securityContext:
       {{- include "kong.podsecuritycontext" . | nindent 8 }}
+      {{- if .Values.affinity }}
+      affinity:
+      {{- toYaml .Values.affinity | nindent 8 }}
+      {{- end }}
+      {{- if .Values.nodeSelector }}
+      nodeSelector:
+      {{- toYaml .Values.nodeSelector | nindent 8 }}
+      {{- end }}
+      {{- if .Values.tolerations }}
+      tolerations:
+      {{- toYaml .Values.tolerations | nindent 8 }}
+      {{- end }}
       restartPolicy: OnFailure
       volumes:
       {{- include "kong.volumes" . | nindent 6 -}}
+      {{- include "kong.userDefinedVolumes" . | nindent 6 -}}
+{{- end }}
+{{- end }}
 {{- end }}
index 39b3b77..8d918c5 100644 (file)
@@ -1,8 +1,15 @@
 {{- if .Values.podDisruptionBudget.enabled }}
-apiVersion: policy/v1beta1
+{{- if and (not .Values.autoscaling.enabled) (le (int .Values.replicaCount) 1) }}
+{{- fail "Enabling PodDisruptionBudget with replicaCount: 1 and no autoscaling prevents pod restarts during upgrades" }}
+{{- end }}
+{{- if and .Values.autoscaling.enabled (le (int .Values.autoscaling.minReplicas) 1) }}
+{{- fail "Enabling PodDisruptionBudget with autoscaling.minReplicas: 1 prevents pod restarts during upgrades" }}
+{{- end }}
+apiVersion: policy/v1
 kind: PodDisruptionBudget
 metadata:
   name: {{ template "kong.fullname" . }}
+  namespace: {{ template "kong.namespace" . }}
   labels:
     {{- include "kong.metaLabels" . | nindent 4 }}
 spec:
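Review bot: `apiVersion: policy/v1` is hard-coded here while the PodSecurityPolicy template in the same commit derives its version from `include "kong.policyVersion" .`; the policy/v1 PodDisruptionBudget API exists only from Kubernetes 1.21, so on older clusters this renders an API version the server does not serve. If that helper resolves the policy group version generally, using `apiVersion: {{ include "kong.policyVersion" . }}` here would keep the two templates consistent. The new `fail` guards are a good addition; note that `int .Values.replicaCount` evaluates to 0 when the key is absent, so the first guard also fires when replicaCount is simply unset, which is worth a one-line comment above it.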
@@ -15,4 +22,5 @@ spec:
   selector:
     matchLabels:
       {{- include "kong.metaLabels" . | nindent 6 }}
+      app.kubernetes.io/component: app
 {{- end }}
index a627152..bc98447 100644 (file)
@@ -1,30 +1,23 @@
-{{- if .Values.podSecurityPolicy.enabled }}
-apiVersion: policy/v1beta1
+{{- if and (.Values.podSecurityPolicy.enabled) }}
+apiVersion: {{ include "kong.policyVersion" . }}
 kind: PodSecurityPolicy
 metadata:
   name: {{ template "kong.serviceAccountName" . }}-psp
   labels:
     {{- include "kong.metaLabels" . | nindent 4 }}
+  {{- with .Values.podSecurityPolicy.labels }}
+  {{- range $key, $value := . }}
+    {{ $key }}: {{ $value }}
+  {{- end }}
+  {{- end }}
+  {{- with .Values.podSecurityPolicy.annotations }}
+  annotations:
+  {{- range $key, $value := . }}
+    {{ $key }}: {{ $value | quote }}
+  {{- end }}
+  {{- end }}
 spec:
-  privileged: false
-  fsGroup:
-    rule: RunAsAny
-  runAsUser:
-    rule: RunAsAny
-  runAsGroup:
-    rule: RunAsAny
-  seLinux:
-    rule: RunAsAny
-  supplementalGroups:
-    rule: RunAsAny
-  volumes:
-    - 'configMap'
-    - 'secret'
-    - 'emptyDir'
-  allowPrivilegeEscalation: false
-  hostNetwork: false
-  hostIPC: false
-  hostPID: false
+{{ .Values.podSecurityPolicy.spec | toYaml | indent 2 }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
@@ -34,7 +27,7 @@ metadata:
     {{- include "kong.metaLabels" . | nindent 4 }}
 rules:
   - apiGroups:
-      - extensions
+      - policy
     resources:
       - podsecuritypolicies
     verbs:
@@ -46,13 +39,13 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   name: {{ template "kong.serviceAccountName" . }}-psp
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ template "kong.namespace" . }}
   labels:
     {{- include "kong.metaLabels" . | nindent 4 }}
 subjects:
   - kind: ServiceAccount
     name: {{ template "kong.serviceAccountName" . }}
-    namespace: {{ .Release.Namespace }}
+    namespace: {{ template "kong.namespace" . }}
 roleRef:
   kind: ClusterRole
   name: {{ template "kong.serviceAccountName" . }}-psp
diff --git a/helm/infrastructure/subcharts/kong/templates/secret-sa-token.yaml b/helm/infrastructure/subcharts/kong/templates/secret-sa-token.yaml
new file mode 100644 (file)
index 0000000..fe8a67d
--- /dev/null
@@ -0,0 +1,14 @@
+{{- /* Due to GKE versions (e.g. v1.23.15-gke.1900) we need to handle pre-release part of the version as well.
+See the related documentation of semver module that Helm depends on for semverCompare:
+https://github.com/Masterminds/semver#working-with-prerelease-versions
+Related Helm issue: https://github.com/helm/helm/issues/3810 */}}
+{{- if and (or .Values.deployment.serviceAccount.create .Values.deployment.serviceAccount.name) (semverCompare "<1.20.0-0" .Capabilities.KubeVersion.Version) }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ template "kong.serviceAccountTokenName" . }} 
+  namespace: {{ template "kong.namespace" . }}
+  annotations:
+    kubernetes.io/service-account.name: {{ template "kong.serviceAccountName" . }}
+type: kubernetes.io/service-account-token
+{{- end }}
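Review bot: This file creates a `kubernetes.io/service-account-token` Secret, i.e. a non-expiring credential for the Kong service account, but the header comment only explains the pre-release semver matching, not why clusters below 1.20 need an explicitly created token Secret or which workload mounts it (`kong.serviceAccountTokenName` is defined outside this view). Add a sentence to the comment such as `Creates a long-lived token Secret for the service account, for mounting explicitly where automountServiceAccountToken is false; secrets of this type do not expire and are removed with the release.` L36515 also carries a trailing space after the closing `}}`; harmless in a plain scalar, but yamllint flags it.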
diff --git a/helm/infrastructure/subcharts/kong/templates/service-account.yaml b/helm/infrastructure/subcharts/kong/templates/service-account.yaml
new file mode 100644 (file)
index 0000000..41ef6ac
--- /dev/null
@@ -0,0 +1,15 @@
+{{- if and (or .Values.deployment.kong.enabled .Values.ingressController.enabled) .Values.deployment.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ template "kong.serviceAccountName" . }}
+  namespace: {{ template "kong.namespace" . }}
+  {{- if .Values.deployment.serviceAccount.annotations }}
+  annotations:
+  {{- range $key, $value := .Values.deployment.serviceAccount.annotations }}
+    {{ $key }}: {{ $value | quote }}
+  {{- end }}
+  {{- end }}
+  labels:
+    {{- include "kong.metaLabels" . | nindent 4 }}
+{{- end -}}
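Review bot: The ServiceAccount does not set `automountServiceAccountToken` on itself, although this commit's values add `deployment.serviceAccount.automountServiceAccountToken: false` (L37247) together with a note that mounting the token exposes cluster credentials to Kong Lua code. Carrying that value onto the object, `automountServiceAccountToken: {{ .Values.deployment.serviceAccount.automountServiceAccountToken }}` at the top level next to `metadata`, makes the safe default apply to any pod that uses the account without setting the field, while a pod spec that sets it explicitly still takes precedence. Whether the Deployment template applies the value at pod level is outside this view.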
index 6e56149..d005016 100644 (file)
-{{- if .Values.admin.enabled -}}
+{{- if .Values.deployment.kong.enabled }}
+{{- if and .Values.admin.enabled (or .Values.admin.http.enabled .Values.admin.tls.enabled) -}}
+{{- $serviceConfig := dict -}}
+{{- $serviceConfig := merge $serviceConfig .Values.admin -}}
+{{- $_ := set $serviceConfig "ingressVersion" (include "kong.ingressVersion" .) -}}
+{{- $_ := set $serviceConfig "fullName" (include "kong.fullname" .) -}}
+{{- $_ := set $serviceConfig "namespace" (include "kong.namespace" .) -}}
+{{- $_ := set $serviceConfig "metaLabels" (include "kong.metaLabels" .) -}}
+{{- $_ := set $serviceConfig "selectorLabels" (include "kong.selectorLabels" .) -}}
+{{- $_ := set $serviceConfig "serviceName" "admin" -}}
+{{- include "kong.service" $serviceConfig }}
+{{ if .Values.admin.ingress.enabled }}
+---
+{{ include "kong.ingress" $serviceConfig }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "adminApiService.certSecretName" -}}
+  {{- default (printf "%s-admin-api-keypair" (include "kong.fullname" .)) .Values.ingressController.adminApi.tls.client.secretName -}}
+{{- end -}}
+
+{{- define "adminApiService.caSecretName" -}}
+  {{- default (printf "%s-admin-api-ca-keypair" (include "kong.fullname" .)) .Values.ingressController.adminApi.tls.client.caSecretName -}}
+{{- end -}}
+
+{{- $clientVerifyEnabled := .Values.ingressController.adminApi.tls.client.enabled -}}
+{{- $clientCertProvided := .Values.ingressController.adminApi.tls.client.certProvided -}}
+
+{{/* If the client verification is enabled but no secret was provided by the user, let's generate certificates. */ -}}
+{{- if and $clientVerifyEnabled (not $clientCertProvided) }}
+{{- $certCert := "" -}}
+{{- $certKey := "" -}}
+
+{{- $cn := printf "admin.%s.svc" ( include "kong.namespace" . ) -}}
+{{- $ca := genCA "admin-api-ca" 3650 -}}
+{{- $cert := genSignedCert $cn nil (list $cn) 3650 $ca -}}
+
+{{- $certCert = $cert.Cert -}}
+{{- $certKey = $cert.Key -}}
+{{/* Verify whether a secret with a given name already exists. If it does, let's use its cert and key data. */}}
+{{- $certSecret := (lookup "v1" "Secret" (include "kong.namespace" .) (include "adminApiService.certSecretName" .)) -}}
+{{- if $certSecret }}
+{{- $certCert = (b64dec (get $certSecret.data "tls.crt")) -}}
+{{- $certKey = (b64dec (get $certSecret.data "tls.key")) -}}
+{{- end }}
+
+{{- $caCert := $ca.Cert -}}
+{{- $caKey := $ca.Key -}}
+{{/* Verify whether a secret with a given name already exists. If it does, let's use its cert and key data. */ -}}
+{{- $caSecret := (lookup "v1" "Secret" (include "kong.namespace" .) (include "adminApiService.caSecretName" .))}}
+{{- if $caSecret }}
+{{- $caCert = (b64dec (get $caSecret.data "tls.crt")) -}}
+{{- $caKey = (b64dec (get $caSecret.data "tls.key")) -}}
+{{- end }}
+
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ template "adminApiService.certSecretName" . }}
+  namespace:  {{ template "kong.namespace" . }}
+  labels:
+    {{- include "kong.metaLabels" . | nindent 4 }}
+type: kubernetes.io/tls
+data:
+  tls.crt: {{ b64enc $certCert }}
+  tls.key: {{ b64enc $certKey }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ template "adminApiService.caSecretName" . }}
+  namespace:  {{ template "kong.namespace" . }}
+  labels:
+    {{- include "kong.metaLabels" . | nindent 4 }}
+type: kubernetes.io/tls
+data:
+  tls.crt: {{ b64enc $caCert }}
+  tls.key: {{ b64enc $caKey }}
+{{- end }}
+
+{{- /* Create a CA ConfigMap for Kong. */ -}}
+{{- $secretProvided := $.Values.admin.tls.client.secretName -}}
+{{- $bundleProvided := $.Values.admin.tls.client.caBundle -}}
+
+{{- if or $secretProvided $bundleProvided -}}
+{{- $cert := "" -}}
+
+{{- if $secretProvided -}}
+{{- $certSecret := (lookup "v1" "Secret" (include "kong.namespace" .) $.Values.admin.tls.client.secretName) -}}
+{{- if $certSecret }}
+{{- $cert = (b64dec (get $certSecret.data "tls.crt")) -}}
+{{- else -}}
+{{- fail (printf "%s/%s secret not found" (include "kong.namespace" .) $.Values.admin.tls.client.secretName) -}}
+{{- end }}
+{{- end }}
+
+{{- if $bundleProvided -}}
+{{- $cert = $.Values.admin.tls.client.caBundle -}}
+{{- end }}
+
+---
 apiVersion: v1
-kind: Service
+kind: ConfigMap
 metadata:
-  name: {{ template "kong.fullname" . }}-admin
-  annotations:
-    {{- range $key, $value := .Values.admin.annotations }}
-      {{ $key }}: {{ $value | quote }}
-    {{- end }}
+  name: {{ template "kong.fullname" . }}-admin-client-ca
+  namespace: {{ template "kong.namespace" . }}
   labels:
     {{- include "kong.metaLabels" . | nindent 4 }}
-spec:
-  type: {{ .Values.admin.type }}
-  {{- if eq .Values.admin.type "LoadBalancer" }}
-  {{- if .Values.admin.loadBalancerIP }}
-  loadBalancerIP: {{ .Values.admin.loadBalancerIP }}
-  {{- end }}
-  {{- if .Values.admin.loadBalancerSourceRanges }}
-  loadBalancerSourceRanges:
-  {{- range $cidr := .Values.admin.loadBalancerSourceRanges }}
-  - {{ $cidr }}
-  {{- end }}
-  {{- end }}
-  {{- end }}
-  ports:
-  - name: kong-admin
-    port: {{ .Values.admin.servicePort }}
-    targetPort: {{ .Values.admin.containerPort }}
-  {{- if (and (eq .Values.admin.type "NodePort") (not (empty .Values.admin.nodePort))) }}
-    nodePort: {{ .Values.admin.nodePort }}
-  {{- end }}
-    protocol: TCP
-  selector:
-    {{- include "kong.selectorLabels" . | nindent 4 }}
+data:
+  tls.crt: {{ $cert | quote }}
 {{- end -}}
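Review bot: The two `lookup` calls at L36584 and L36593 reuse an existing cert Secret and CA Secret independently, so when only one of them exists in the cluster the freshly generated client certificate (signed by the in-template `$ca`) is published next to the old CA, or the old client certificate next to a new CA, and admin-API client verification fails until both Secrets are deleted. Resolve the CA first and, when it is found, rebuild it with `buildCustomCert` so that any regenerated client certificate is signed by the CA that will actually be published; only then decide whether the cert Secret can be reused. `lookup` also returns nothing under `helm template`, `--dry-run` or GitOps rendering, so a new CA and certificate are produced on every such render; that deserves a comment next to the lookups. The 3650-day validity on both the CA and the leaf means no rotation for ten years; exposing the period through values would let operators shorten it.
```yaml
{{- $ca := genCA "admin-api-ca" 3650 -}}
{{/* Reuse an existing CA Secret first, so a regenerated client cert is signed by the CA that is actually published.
     lookup returns nothing under helm template / --dry-run, in which case a fresh CA is generated. */ -}}
{{- $caSecret := (lookup "v1" "Secret" (include "kong.namespace" .) (include "adminApiService.caSecretName" .)) -}}
{{- if $caSecret }}
{{- $ca = buildCustomCert (get $caSecret.data "tls.crt") (get $caSecret.data "tls.key") -}}
{{- end }}
{{- $caCert := $ca.Cert -}}
{{- $caKey := $ca.Key -}}

{{- $cn := printf "admin.%s.svc" ( include "kong.namespace" . ) -}}
{{- $cert := genSignedCert $cn nil (list $cn) 3650 $ca -}}
{{- $certCert := $cert.Cert -}}
{{- $certKey := $cert.Key -}}
{{/* … unchanged: reuse of an existing cert Secret via lookup … */}}
{{/* … unchanged: the two Secret manifests and the admin client CA ConfigMap … */}}
```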
diff --git a/helm/infrastructure/subcharts/kong/templates/service-kong-cluster-telemetry.yaml b/helm/infrastructure/subcharts/kong/templates/service-kong-cluster-telemetry.yaml
new file mode 100644 (file)
index 0000000..b245bca
--- /dev/null
@@ -0,0 +1,17 @@
+{{- if .Values.deployment.kong.enabled }}
+{{- if and .Values.clustertelemetry.enabled .Values.clustertelemetry.tls.enabled -}}
+{{- $serviceConfig := dict -}}
+{{- $serviceConfig := merge $serviceConfig .Values.clustertelemetry -}}
+{{- $_ := set $serviceConfig "ingressVersion" (include "kong.ingressVersion" .) -}}
+{{- $_ := set $serviceConfig "fullName" (include "kong.fullname" .) -}}
+{{- $_ := set $serviceConfig "namespace" (include "kong.namespace" .) -}}
+{{- $_ := set $serviceConfig "metaLabels" (include "kong.metaLabels" .) -}}
+{{- $_ := set $serviceConfig "selectorLabels" (include "kong.selectorLabels" .) -}}
+{{- $_ := set $serviceConfig "serviceName" "clustertelemetry" -}}
+{{- include "kong.service" $serviceConfig }}
+{{ if .Values.clustertelemetry.ingress.enabled }}
+---
+{{ include "kong.ingress" $serviceConfig }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
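Review bot: `{{- $serviceConfig := dict -}}` followed by `{{- $serviceConfig := merge $serviceConfig .Values.clustertelemetry -}}` redeclares the variable with `:=` on consecutive lines; `{{- $serviceConfig := merge (dict) .Values.clustertelemetry -}}` says the same in one line, or use `=` for the second assignment. The identical `$serviceConfig` construction is repeated verbatim in service-kong-cluster.yaml (L36728), service-kong-manager.yaml (L36796), service-kong-portalapi.yaml (L36865), service-kong-portal.yaml (L36934), service-kong-proxy.yaml (L37006) and service-kong-udp-proxy.yaml (L37026), with only the values key and the `serviceName` string differing; a named template taking those two would remove the duplication and keep the `ingressVersion`/`fullName`/`namespace`/label keys defined in one place.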
diff --git a/helm/infrastructure/subcharts/kong/templates/service-kong-cluster.yaml b/helm/infrastructure/subcharts/kong/templates/service-kong-cluster.yaml
new file mode 100644 (file)
index 0000000..f4ef662
--- /dev/null
@@ -0,0 +1,17 @@
+{{- if .Values.deployment.kong.enabled }}
+{{- if and .Values.cluster.enabled .Values.cluster.tls.enabled -}}
+{{- $serviceConfig := dict -}}
+{{- $serviceConfig := merge $serviceConfig .Values.cluster -}}
+{{- $_ := set $serviceConfig "ingressVersion" (include "kong.ingressVersion" .) -}}
+{{- $_ := set $serviceConfig "fullName" (include "kong.fullname" .) -}}
+{{- $_ := set $serviceConfig "namespace" (include "kong.namespace" .) -}}
+{{- $_ := set $serviceConfig "metaLabels" (include "kong.metaLabels" .) -}}
+{{- $_ := set $serviceConfig "selectorLabels" (include "kong.selectorLabels" .) -}}
+{{- $_ := set $serviceConfig "serviceName" "cluster" -}}
+{{- include "kong.service" $serviceConfig }}
+{{ if .Values.cluster.ingress.enabled }}
+---
+{{ include "kong.ingress" $serviceConfig }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
index 82e4932..e673287 100644 (file)
@@ -1,50 +1,17 @@
-{{- if .Values.enterprise.enabled }}
-apiVersion: v1
-kind: Service
-metadata:
-  name: {{ template "kong.fullname" . }}-manager
-  annotations:
-    {{- range $key, $value := .Values.manager.annotations }}
-      {{ $key }}: {{ $value | quote }}
-    {{- end }}
-  labels:
-    {{- include "kong.metaLabels" . | nindent 4 }}
-spec:
-  type: {{ .Values.manager.type }}
-  {{- if eq .Values.manager.type "LoadBalancer" }}
-  {{- if .Values.manager.loadBalancerIP }}
-  loadBalancerIP: {{ .Values.manager.loadBalancerIP }}
-  {{- end }}
-  {{- if .Values.manager.loadBalancerSourceRanges }}
-  loadBalancerSourceRanges:
-  {{- range $cidr := .Values.manager.loadBalancerSourceRanges }}
-  - {{ $cidr }}
-  {{- end }}
-  {{- end }}
-  {{- end }}
-  externalIPs:
-  {{- range $ip := .Values.manager.externalIPs }}
-  - {{ $ip }}
-  {{- end }}
-  ports:
-  {{- if .Values.manager.http.enabled }}
-  - name: kong-manager
-    port: {{ .Values.manager.http.servicePort }}
-    targetPort: {{ .Values.manager.http.containerPort }}
-  {{- if (and (eq .Values.manager.type "NodePort") (not (empty .Values.manager.http.nodePort))) }}
-    nodePort: {{ .Values.manager.http.nodePort }}
-  {{- end }}
-    protocol: TCP
-  {{- end }}
-  {{- if or .Values.manager.tls.enabled }}
-  - name: kong-manager-tls
-    port: {{ .Values.manager.tls.servicePort }}
-    targetPort: {{ .Values.manager.tls.containerPort }}
-  {{- if (and (eq .Values.manager.type "NodePort") (not (empty .Values.manager.tls.nodePort))) }}
-    nodePort: {{ .Values.manager.tls.nodePort }}
-  {{- end }}
-    protocol: TCP
-  {{- end }}
-  selector:
-    {{- include "kong.selectorLabels" . | nindent 4 }}
+{{- if .Values.deployment.kong.enabled }}
+{{- if and .Values.manager.enabled (or .Values.manager.http.enabled .Values.manager.tls.enabled) -}}
+{{- $serviceConfig := dict -}}
+{{- $serviceConfig := merge $serviceConfig .Values.manager -}}
+{{- $_ := set $serviceConfig "ingressVersion" (include "kong.ingressVersion" .) -}}
+{{- $_ := set $serviceConfig "fullName" (include "kong.fullname" .) -}}
+{{- $_ := set $serviceConfig "namespace" (include "kong.namespace" .) -}}
+{{- $_ := set $serviceConfig "metaLabels" (include "kong.metaLabels" .) -}}
+{{- $_ := set $serviceConfig "selectorLabels" (include "kong.selectorLabels" .) -}}
+{{- $_ := set $serviceConfig "serviceName" "manager" -}}
+{{- include "kong.service" $serviceConfig }}
+{{ if .Values.manager.ingress.enabled }}
+---
+{{ include "kong.ingress" $serviceConfig }}
+{{- end -}}
+{{- end -}}
 {{- end -}}
index 1f61ac2..710f201 100644 (file)
@@ -1,50 +1,19 @@
+{{- if .Values.deployment.kong.enabled }}
 {{- if .Values.enterprise.enabled }}
-apiVersion: v1
-kind: Service
-metadata:
-  name: {{ template "kong.fullname" . }}-portalapi
-  annotations:
-    {{- range $key, $value := .Values.portalapi.annotations }}
-      {{ $key }}: {{ $value | quote }}
-    {{- end }}
-  labels:
-    {{- include "kong.metaLabels" . | nindent 4 }}
-spec:
-  type: {{ .Values.portalapi.type }}
-  {{- if eq .Values.portalapi.type "LoadBalancer" }}
-  {{- if .Values.portalapi.loadBalancerIP }}
-  loadBalancerIP: {{ .Values.portalapi.loadBalancerIP }}
-  {{- end }}
-  {{- if .Values.portalapi.loadBalancerSourceRanges }}
-  loadBalancerSourceRanges:
-  {{- range $cidr := .Values.portalapi.loadBalancerSourceRanges }}
-  - {{ $cidr }}
-  {{- end }}
-  {{- end }}
-  {{- end }}
-  externalIPs:
-  {{- range $ip := .Values.portalapi.externalIPs }}
-  - {{ $ip }}
-  {{- end }}
-  ports:
-  {{- if .Values.portalapi.http.enabled }}
-  - name: kong-portalapi
-    port: {{ .Values.portalapi.http.servicePort }}
-    targetPort: {{ .Values.portalapi.http.containerPort }}
-  {{- if (and (eq .Values.portalapi.type "NodePort") (not (empty .Values.portalapi.http.nodePort))) }}
-    nodePort: {{ .Values.portalapi.http.nodePort }}
-  {{- end }}
-    protocol: TCP
-  {{- end }}
-  {{- if or .Values.portalapi.tls.enabled }}
-  - name: kong-portalapi-tls
-    port: {{ .Values.portalapi.tls.servicePort }}
-    targetPort: {{ .Values.portalapi.tls.containerPort }}
-  {{- if (and (eq .Values.portalapi.type "NodePort") (not (empty .Values.portalapi.tls.nodePort))) }}
-    nodePort: {{ .Values.portalapi.tls.nodePort }}
-  {{- end }}
-    protocol: TCP
-  {{- end }}
-  selector:
-    {{- include "kong.selectorLabels" . | nindent 4 }}
+{{- if and .Values.portalapi.enabled (or .Values.portalapi.http.enabled .Values.portalapi.tls.enabled) -}}
+{{- $serviceConfig := dict -}}
+{{- $serviceConfig := merge $serviceConfig .Values.portalapi -}}
+{{- $_ := set $serviceConfig "ingressVersion" (include "kong.ingressVersion" .) -}}
+{{- $_ := set $serviceConfig "fullName" (include "kong.fullname" .) -}}
+{{- $_ := set $serviceConfig "namespace" (include "kong.namespace" .) -}}
+{{- $_ := set $serviceConfig "metaLabels" (include "kong.metaLabels" .) -}}
+{{- $_ := set $serviceConfig "selectorLabels" (include "kong.selectorLabels" .) -}}
+{{- $_ := set $serviceConfig "serviceName" "portalapi" -}}
+{{- include "kong.service" $serviceConfig }}
+{{ if .Values.portalapi.ingress.enabled }}
+---
+{{ include "kong.ingress" $serviceConfig }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
 {{- end -}}
index c75b0b7..0be4b09 100644 (file)
@@ -1,50 +1,19 @@
+{{- if .Values.deployment.kong.enabled }}
 {{- if .Values.enterprise.enabled }}
-apiVersion: v1
-kind: Service
-metadata:
-  name: {{ template "kong.fullname" . }}-portal
-  annotations:
-    {{- range $key, $value := .Values.portal.annotations }}
-      {{ $key }}: {{ $value | quote }}
-    {{- end }}
-  labels:
-    {{- include "kong.metaLabels" . | nindent 4 }}
-spec:
-  type: {{ .Values.portal.type }}
-  {{- if eq .Values.portal.type "LoadBalancer" }}
-  {{- if .Values.portal.loadBalancerIP }}
-  loadBalancerIP: {{ .Values.portal.loadBalancerIP }}
-  {{- end }}
-  {{- if .Values.portal.loadBalancerSourceRanges }}
-  loadBalancerSourceRanges:
-  {{- range $cidr := .Values.portal.loadBalancerSourceRanges }}
-  - {{ $cidr }}
-  {{- end }}
-  {{- end }}
-  {{- end }}
-  externalIPs:
-  {{- range $ip := .Values.portal.externalIPs }}
-  - {{ $ip }}
-  {{- end }}
-  ports:
-  {{- if .Values.portal.http.enabled }}
-  - name: kong-portal
-    port: {{ .Values.portal.http.servicePort }}
-    targetPort: {{ .Values.portal.http.containerPort }}
-  {{- if (and (eq .Values.portal.type "NodePort") (not (empty .Values.portal.http.nodePort))) }}
-    nodePort: {{ .Values.portal.http.nodePort }}
-  {{- end }}
-    protocol: TCP
-  {{- end }}
-  {{- if or .Values.portal.tls.enabled }}
-  - name: kong-portal-tls
-    port: {{ .Values.portal.tls.servicePort }}
-    targetPort: {{ .Values.portal.tls.containerPort }}
-  {{- if (and (eq .Values.portal.type "NodePort") (not (empty .Values.portal.tls.nodePort))) }}
-    nodePort: {{ .Values.portal.tls.nodePort }}
-  {{- end }}
-    protocol: TCP
-  {{- end }}
-  selector:
-    {{- include "kong.selectorLabels" . | nindent 4 }}
+{{- if and .Values.portal.enabled (or .Values.portal.http.enabled .Values.portal.tls.enabled) -}}
+{{- $serviceConfig := dict -}}
+{{- $serviceConfig := merge $serviceConfig .Values.portal -}}
+{{- $_ := set $serviceConfig "ingressVersion" (include "kong.ingressVersion" .) -}}
+{{- $_ := set $serviceConfig "fullName" (include "kong.fullname" .) -}}
+{{- $_ := set $serviceConfig "namespace" (include "kong.namespace" .) -}}
+{{- $_ := set $serviceConfig "metaLabels" (include "kong.metaLabels" .) -}}
+{{- $_ := set $serviceConfig "selectorLabels" (include "kong.selectorLabels" .) -}}
+{{- $_ := set $serviceConfig "serviceName" "portal" -}}
+{{- include "kong.service" $serviceConfig }}
+{{ if .Values.portal.ingress.enabled }}
+---
+{{ include "kong.ingress" $serviceConfig }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
 {{- end -}}
index 1102eb4..58a255e 100644 (file)
@@ -1,54 +1,16 @@
-apiVersion: v1
-kind: Service
-metadata:
-  name: {{ template "kong.fullname" . }}-proxy
-  annotations:
-    {{- range $key, $value := .Values.proxy.annotations }}
-      {{ $key }}: {{ $value | quote }}
-    {{- end }}
-  labels:
-    {{- include "kong.metaLabels" . | nindent 4 }}
-spec:
-  type: {{ .Values.proxy.type }}
-  {{- if eq .Values.proxy.type "LoadBalancer" }}
-  {{- if .Values.proxy.loadBalancerIP }}
-  loadBalancerIP: {{ .Values.proxy.loadBalancerIP }}
-  {{- end }}
-  {{- if .Values.proxy.loadBalancerSourceRanges }}
-  loadBalancerSourceRanges:
-  {{- range $cidr := .Values.proxy.loadBalancerSourceRanges }}
-  - {{ $cidr }}
-  {{- end }}
-  {{- end }}
-  {{- end }}
-  externalIPs:
-  {{- range $ip := .Values.proxy.externalIPs }}
-  - {{ $ip }}
-  {{- end }}
-  ports:
-  {{- if .Values.proxy.http.enabled }}
-  - name: kong-proxy
-    port: {{ .Values.proxy.http.servicePort }}
-    targetPort: {{ .Values.proxy.http.containerPort }}
-  {{- if (and (eq .Values.proxy.type "NodePort") (not (empty .Values.proxy.http.nodePort))) }}
-    nodePort: {{ .Values.proxy.http.nodePort }}
-  {{- end }}
-    protocol: TCP
-  {{- end }}
-  {{- if or .Values.proxy.tls.enabled }}
-  - name: kong-proxy-tls
-    port: {{ .Values.proxy.tls.servicePort }}
-    targetPort: {{ .Values.proxy.tls.overrideServiceTargetPort | default .Values.proxy.tls.containerPort }}
-  {{- if (and (eq .Values.proxy.type "NodePort") (not (empty .Values.proxy.tls.nodePort))) }}
-    nodePort: {{ .Values.proxy.tls.nodePort }}
-  {{- end }}
-    protocol: TCP
-  {{- end }}
-  {{- if .Values.proxy.externalTrafficPolicy }}
-  externalTrafficPolicy: {{ .Values.proxy.externalTrafficPolicy }}
-  {{- end }}
-  {{- if .Values.proxy.clusterIP }}
-  clusterIP: {{ .Values.proxy.clusterIP }}
-  {{- end }}
-  selector:
-    {{- include "kong.selectorLabels" . | nindent 4 }}
+{{- if .Values.deployment.kong.enabled }}
+{{- if and .Values.proxy.enabled (or .Values.proxy.http.enabled .Values.proxy.tls.enabled) -}}
+{{- $serviceConfig := dict -}}
+{{- $serviceConfig := merge $serviceConfig .Values.proxy -}}
+{{- $_ := set $serviceConfig "fullName" (include "kong.fullname" .) -}}
+{{- $_ := set $serviceConfig "namespace" (include "kong.namespace" .) -}}
+{{- $_ := set $serviceConfig "metaLabels" (include "kong.metaLabels" .) -}}
+{{- $_ := set $serviceConfig "selectorLabels" (include "kong.selectorLabels" .) -}}
+{{- $_ := set $serviceConfig "serviceName" "proxy" -}}
+{{- include "kong.service" $serviceConfig }}
+{{ if .Values.proxy.ingress.enabled }}
+---
+{{ include "kong.ingress" $serviceConfig }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
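Review bot: The proxy block omits `{{- $_ := set $serviceConfig "ingressVersion" (include "kong.ingressVersion" .) -}}`, which every other service template in this commit sets before calling `kong.service`/`kong.ingress` (compare L36694, L36716, L36784), yet it still renders `kong.ingress` when `proxy.ingress.enabled` is true; if the helper reads `.ingressVersion` to choose the Ingress apiVersion, the proxy Ingress is rendered with it unset. Add the line between L36994 and L36995 unless the omission is deliberate, in which case a comment saying so would prevent it being "fixed" later. The helpers themselves are outside this view.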
diff --git a/helm/infrastructure/subcharts/kong/templates/service-kong-udp-proxy.yaml b/helm/infrastructure/subcharts/kong/templates/service-kong-udp-proxy.yaml
new file mode 100644 (file)
index 0000000..bb25c5d
--- /dev/null
@@ -0,0 +1,15 @@
+{{- if .Values.deployment.kong.enabled }}
+{{- if and .Values.udpProxy.enabled -}}
+{{- $serviceConfig := dict -}}
+{{- $serviceConfig := merge $serviceConfig .Values.udpProxy -}}
+{{- $_ := set $serviceConfig "ingressVersion" (include "kong.ingressVersion" .) -}}
+{{- $_ := set $serviceConfig "fullName" (include "kong.fullname" .) -}}
+{{- $_ := set $serviceConfig "namespace" (include "kong.namespace" .) -}}
+{{- $_ := set $serviceConfig "metaLabels" (include "kong.metaLabels" .) -}}
+{{- $_ := set $serviceConfig "selectorLabels" (include "kong.selectorLabels" .) -}}
+{{- $_ := set $serviceConfig "serviceName" "udp-proxy" -}}
+{{- $_ := set $serviceConfig "tls" (dict "enabled" false) -}}
+{{- $_ := set $serviceConfig "http" (dict "enabled" false) -}}
+{{- include "kong.service" $serviceConfig }}
+{{- end -}}
+{{- end -}}
index 1950641..db3dfbf 100644 (file)
@@ -13,16 +13,39 @@ metadata:
   {{- end }}
 spec:
   endpoints:
-  - targetPort: metrics
+  - targetPort: status
     scheme: http
     {{- if .Values.serviceMonitor.interval }}
     interval: {{ .Values.serviceMonitor.interval }}
     {{- end }}
+    {{- if .Values.serviceMonitor.honorLabels }}
+    honorLabels: true
+    {{- end }}
+    {{- if .Values.serviceMonitor.metricRelabelings }}
+    metricRelabelings: {{ toYaml .Values.serviceMonitor.metricRelabelings | nindent 6 }}
+    {{- end }}
+  {{- if and .Values.ingressController.enabled (semverCompare ">= 2.0.0" (include "kong.effectiveVersion" .Values.ingressController.image)) }}
+  - targetPort: cmetrics
+    scheme: http
+    {{- if .Values.serviceMonitor.interval }}
+    interval: {{ .Values.serviceMonitor.interval }}
+    {{- end }}
+    {{- if .Values.serviceMonitor.honorLabels }}
+    honorLabels: true
+    {{- end }}
+    {{- if .Values.serviceMonitor.metricRelabelings }}
+    metricRelabelings: {{ toYaml .Values.serviceMonitor.metricRelabelings | nindent 6 }}
+    {{- end }}
+  {{- end }}
   jobLabel: {{ .Release.Name }}
   namespaceSelector:
     matchNames:
-    - {{ .Release.Namespace }}
+    - {{ template "kong.namespace" . }}
   selector:
     matchLabels:
+      enable-metrics: "true"
       {{- include "kong.metaLabels" . | nindent 6 }}
+  {{- if .Values.serviceMonitor.targetLabels }}
+  targetLabels: {{ toYaml .Values.serviceMonitor.targetLabels | nindent 4 }}
+  {{- end }}
 {{- end }}
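Review bot: `semverCompare ">= 2.0.0" (include "kong.effectiveVersion" .Values.ingressController.image)` at L37044 has no `-0` suffix, so a controller tag with a pre-release component (e.g. `2.0.0-rc1`, if the helper passes the tag through) compares below `2.0.0` and the `cmetrics` endpoint is silently dropped; secret-sa-token.yaml in this same commit uses the `-0` form for exactly this reason (L36511). Use `">= 2.0.0-0"` here. The two endpoint blocks also duplicate the `interval`/`honorLabels`/`metricRelabelings` stanza; a `range` over the two target ports or a small named template would keep them in step.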
diff --git a/helm/infrastructure/subcharts/kong/templates/tests/test-jobs.yaml b/helm/infrastructure/subcharts/kong/templates/tests/test-jobs.yaml
new file mode 100644 (file)
index 0000000..d34660e
--- /dev/null
@@ -0,0 +1,32 @@
+{{- if  .Values.deployment.test.enabled }}
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: "{{ .Release.Name }}-test-ingress"
+  annotations:
+    "helm.sh/hook": test
+spec:
+  restartPolicy: OnFailure
+  containers:
+    - name: "{{ .Release.Name }}-curl"
+      image: curlimages/curl
+      command:
+        - curl
+        - "http://{{ .Release.Name }}-kong-proxy.{{ .Release.Namespace }}.svc.cluster.local/httpbin"
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: "{{ .Release.Name }}-test-httproute"
+  annotations:
+    "helm.sh/hook": test
+spec:
+  restartPolicy: OnFailure
+  containers:
+    - name: "{{ .Release.Name }}-curl"
+      image: curlimages/curl
+      command:
+        - curl
+        - "http://{{ .Release.Name }}-kong-proxy.{{ .Release.Namespace }}.svc.cluster.local/httproute"
+{{- end }}
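Review bot: Both test pods pull `curlimages/curl` with no tag (L37087, L37102), so each `helm test` run fetches whatever `latest` is at that moment and the result is not reproducible; the same applies to `kennethreitz/httpbin` in tests/test-resources.yaml (L37123). Pin a tag (or digest) and, ideally, source it from `.Values` like the other images in this chart. The target URL at L37090 and L37105 also hard-codes `{{ .Release.Name }}-kong-proxy` and `.Release.Namespace` while the rest of this commit moves to `kong.fullname`/`kong.namespace`, so a release that overrides the fullname or the namespace (values, L37292) tests the wrong service.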
diff --git a/helm/infrastructure/subcharts/kong/templates/tests/test-resources.yaml b/helm/infrastructure/subcharts/kong/templates/tests/test-resources.yaml
new file mode 100644 (file)
index 0000000..79e32d7
--- /dev/null
@@ -0,0 +1,84 @@
+{{- if  .Values.deployment.test.enabled }}
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: "{{ .Release.Name }}-httpbin"
+  labels:
+    app: httpbin
+spec:
+  containers:
+    - name: httpbin
+      image: kennethreitz/httpbin
+      ports:
+      - containerPort: 80
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: "{{ .Release.Name }}-httpbin"
+spec:
+  ports:
+  - port: 80
+    protocol: TCP
+    targetPort: 80
+  selector:
+    app: httpbin
+  type: ClusterIP
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: "{{ .Release.Name }}-httpbin"
+  annotations:
+    httpbin.ingress.kubernetes.io/rewrite-target: /
+    konghq.com/strip-path: "true"
+spec:
+  ingressClassName: kong
+  rules:
+  - http:
+      paths:
+      - path: /httpbin
+        pathType: Prefix
+        backend:
+          service:
+            name: "{{ .Release.Name }}-httpbin"
+            port:
+              number: 80
+---
+apiVersion: gateway.networking.k8s.io/v1beta1
+kind: GatewayClass
+metadata:
+  name: "{{ .Release.Name }}-kong-test"
+spec:
+  controllerName: konghq.com/kic-gateway-controller
+---
+apiVersion: gateway.networking.k8s.io/v1beta1
+kind: Gateway
+metadata:
+  name: "{{ .Release.Name }}-kong-test"
+  annotations:
+    konghq.com/gateway-unmanaged: "true"
+spec:
+  gatewayClassName: "{{ .Release.Name }}-kong-test"
+  listeners:  # Use GatewayClass defaults for listener definition.
+  - name: http
+    protocol: HTTP
+    port: 80
+---
+apiVersion: gateway.networking.k8s.io/v1beta1
+kind: HTTPRoute
+metadata:
+  name: "{{ .Release.Name }}-httpbin"
+spec:
+  parentRefs:
+    - name: "{{ .Release.Name }}-kong-test"
+  rules:
+    - matches:
+        - path:
+            type: PathPrefix
+            value: "/httproute"
+      backendRefs:
+        - name: "{{ .Release.Name }}-httpbin"
+          port: 80
+{{- end }}
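Review bot: The annotation `httpbin.ingress.kubernetes.io/rewrite-target: /` at L37145 does not use the Kong annotation prefix (`konghq.com/...`, as on the very next line) and looks like an adaptation of the ingress-nginx `rewrite-target` key; as far as this view shows it is inert and the path handling is done by `konghq.com/strip-path` alone, so drop it or comment why it is there. The `httpbin` Pod at L37115 has no `resources` or `readinessProbe`; even as a test fixture, a readiness probe would make the `curl` in tests/test-jobs.yaml less racy right after install.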
diff --git a/helm/infrastructure/subcharts/kong/templates/wait-for-postgres-script.yaml b/helm/infrastructure/subcharts/kong/templates/wait-for-postgres-script.yaml
new file mode 100644 (file)
index 0000000..67d2e8f
--- /dev/null
@@ -0,0 +1,15 @@
+{{ if (and (.Values.postgresql.enabled) .Values.waitImage.enabled) }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ template "kong.fullname" . }}-bash-wait-for-postgres
+  namespace: {{ template "kong.namespace" . }}
+  labels:
+    {{- include "kong.metaLabels" . | nindent 4 }}
+data:
+  wait.sh: |
+    until timeout 2 bash -c "9<>/dev/tcp/${KONG_PG_HOST}/${KONG_PG_PORT}"
+      do echo "waiting for db - trying ${KONG_PG_HOST}:${KONG_PG_PORT}"
+      sleep 2
+    done
+{{ end }}
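Review bot: The inner command at L37211 is a double-quoted string, so `${KONG_PG_HOST}` and `${KONG_PG_PORT}` are expanded by the outer shell and the result is re-parsed by `bash -c`; a host value containing shell metacharacters would be interpreted as code. These values come from the release configuration rather than from end users, but the single-quoted form costs nothing: `until timeout 2 bash -c '9<>/dev/tcp/"$KONG_PG_HOST"/"$KONG_PG_PORT"'`. The loop also has no upper bound, so an unreachable database keeps the init container waiting forever instead of failing; a retry counter that exits non-zero after N attempts surfaces the misconfiguration in the pod status.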
index 37cff3f..cb1bb64 100644 (file)
@@ -2,24 +2,99 @@
 # Declare variables to be passed into your templates.
 #
 # Sections:
+# - Deployment parameters
 # - Kong parameters
 # - Ingress Controller parameters
 # - Postgres sub-chart parameters
 # - Miscellaneous parameters
 # - Kong Enterprise parameters
 
+# -----------------------------------------------------------------------------
+# Deployment parameters
+# -----------------------------------------------------------------------------
+
+deployment:
+  kong:
+    # Enable or disable Kong itself
+    # Setting this to false with ingressController.enabled=true will create a
+    # controller-only release.
+    enabled: true
+  ## Minimum number of seconds for which a newly created pod should be ready without any of its container crashing,
+  ## for it to be considered available.
+  # minReadySeconds: 60
+  ## Specify the service account to create and to be assigned to the deployment / daemonset and for the migrations
+  serviceAccount:
+    create: true
+    # Automount the service account token. By default, this is disabled, and the token is only mounted on the controller
+    # container. Some sidecars require enabling this. Note that enabling this exposes Kubernetes credentials to Kong
+    # Lua code, increasing potential attack surface.
+    automountServiceAccountToken: false
+  ## Optionally specify the name of the service account to create and the annotations to add.
+  #  name:
+  #  annotations: {}
+
+  ## Optionally specify any extra sidecar containers to be included in the deployment
+  ## See https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#container-v1-core
+  # sidecarContainers:
+  #   - name: sidecar
+  #     image: sidecar:latest
+  # initContainers:
+  # - name: initcon
+  #   image: initcon:latest
+  # hostAliases:
+  # - ip: "127.0.0.1"
+  #   hostnames:
+  #   - "foo.local"
+  #   - "bar.local"
+
+  ## Define any volumes and mounts you want present in the Kong proxy container
+  # userDefinedVolumes:
+  # - name: "volumeName"
+  #   emptyDir: {}
+  # userDefinedVolumeMounts:
+  # - name: "volumeName"
+  #   mountPath: "/opt/user/dir/mount"
+  test:
+    # Enable creation of test resources for use with "helm test"
+    enabled: false
+  # Use a DaemonSet controller instead of a Deployment controller
+  daemonset: false
+  hostNetwork: false
+  # Set the Deployment's spec.template.hostname field.
+  # This propagates to Kong API endpoints that report
+  # the hostname, such as the admin API root and hybrid mode
+  # /clustering/data-planes endpoint
+  hostname: ""
+  # kong_prefix empty dir size
+  prefixDir:
+    sizeLimit: 256Mi
+  # tmp empty dir size
+  tmpDir:
+    sizeLimit: 1Gi
+# Override namepsace for Kong chart resources. By default, the chart creates resources in the release namespace.
+# This may not be desirable when using this chart as a dependency.
+# namespace: "example"
+
 # -----------------------------------------------------------------------------
 # Kong parameters
 # -----------------------------------------------------------------------------
 
-# Specify Kong configurations
-# Kong configurations guide https://docs.konghq.com/latest/configuration
+# Specify Kong configuration
+# This chart takes all entries defined under `.env` and transforms them into into `KONG_*`
+# environment variables for Kong containers.
+# Their names here should match the names used in https://github.com/Kong/kong/blob/master/kong.conf.default
+# See https://docs.konghq.com/latest/configuration also for additional details
 # Values here take precedence over values from other sections of values.yaml,
 # e.g. setting pg_user here will override the value normally set when postgresql.enabled
 # is set below. In general, you should not set values here if they are set elsewhere.
 env:
   database: "off"
-  nginx_worker_processes: "1"
+  # the chart uses the traditional router (for Kong 3.x+) because the ingress
+  # controller generates traditional routes. if you do not use the controller,
+  # you may set this to "traditional_compatible" or "expressions" to use the new
+  # DSL-based router
+  router_flavor: "traditional"
+  nginx_worker_processes: "2"
   proxy_access_log: /dev/stdout
   admin_access_log: /dev/stdout
   admin_gui_access_log: /dev/stdout
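Review bot: Two typos in the new comments: `namepsace` at L37290 should be `namespace`, and `into into` at L37301 should be `into`. The `deployment.serviceAccount` block at L37244 is the only place that explains the token-exposure trade-off, and service-account.yaml and secret-sa-token.yaml in this commit consume these keys, so a pointer next to `automountServiceAccountToken` such as `# See templates/service-account.yaml and templates/secret-sa-token.yaml` ties the two together. `hostNetwork: false` at L37278 is the one key in the block without a comment while its neighbours have one; `# Run Kong pods in the host network namespace; this exposes the listeners on every node and such pods are typically not covered by NetworkPolicy` says what flipping it costs.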
@@ -30,45 +105,99 @@ env:
   portal_api_error_log: /dev/stderr
   prefix: /kong_prefix/
 
+# This section is any customer specific environments variables that doesn't require KONG_ prefix.
+# These custom environment variables are typicall used in custom plugins or serverless plugins to
+# access environment specific credentials or tokens.
+# Example as below, uncomment if required and add additional attributes as required.
+# Note that these environment variables will only apply to the proxy and init container. The ingress-controller
+# container has its own customEnv section.
+
+# customEnv:
+#   api_token:
+#     valueFrom:
+#       secretKeyRef:
+#         key: token
+#         name: api_key
+#   client_name: testClient
+
+# Load all ConfigMap or Secret keys as environment variables:
+# https://kubernetes.io/docs/tasks/configure-pod-container/configure-pod-configmap/#configure-all-key-value-pairs-in-a-configmap-as-container-environment-variables
+envFrom: []
+
+# This section can be used to configure some extra labels that will be added to each Kubernetes object generated.
+extraLabels: {}
+
 # Specify Kong's Docker image and repository details here
 image:
   repository: kong
-  # repository: kong-docker-kong-enterprise-k8s.bintray.io/kong-enterprise-k8s
-  # repository: kong-docker-kong-enterprise-edition-docker.bintray.io/kong-enterprise-edition
-  tag: 1.4
+  tag: "3.6"
+  # Kong Enterprise
+  # repository: kong/kong-gateway
+  # tag: "3.5"
+
+  # Specify a semver version if your image tag is not one (e.g. "nightly")
+  effectiveSemver:
   pullPolicy: IfNotPresent
   ## Optionally specify an array of imagePullSecrets.
   ## Secrets must be manually created in the namespace.
-  ## If using the official Kong Enterprise registry above, you MUST provide a secret.
   ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
   ##
   # pullSecrets:
   #   - myRegistrKeySecretName
 
-# Specify Kong admin service configuration
-# Note: It is recommended to not use the Admin API to configure Kong
-# when using Kong as an Ingress Controller.
+# Specify Kong admin API service and listener configuration
 admin:
+  # Enable creating a Kubernetes service for the admin API
+  # Disabling this is recommended for most ingress controller configurations
+  # Enterprise users that wish to use Kong Manager with the controller should enable this
   enabled: false
-  # If you want to specify annotations for the admin service, uncomment the following
-  # line, add additional or adjust as needed, and remove the curly braces after 'annotations:'.
+  type: NodePort
+  loadBalancerClass:
+  # To specify annotations or labels for the admin service, add them to the respective
+  # "annotations" or "labels" dictionaries below.
   annotations: {}
   #  service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: "*"
+  labels: {}
+
+  http:
+    # Enable plaintext HTTP listen for the admin API
+    # Disabling this and using a TLS listen only is recommended for most configuration
+    enabled: false
+    servicePort: 8001
+    containerPort: 8001
+    # Set a nodePort which is available if service type is NodePort
+    # nodePort: 32080
+    # Additional listen parameters, e.g. "reuseport", "backlog=16384"
+    parameters: []
+
+  tls:
+    # Enable HTTPS listen for the admin API
+    enabled: true
+    servicePort: 8444
+    containerPort: 8444
+    # Set a target port for the TLS port in the admin API service, useful when using TLS
+    # termination on an ELB.
+    # overrideServiceTargetPort: 8000
+    # Set a nodePort which is available if service type is NodePort
+    # nodePort: 32443
+    # Additional listen parameters, e.g. "reuseport", "backlog=16384"
+    parameters:
+    - http2
+
+    # Specify the CA certificate to use for TLS verification of the Admin API client by:
+    # - secretName - the secret must contain a key named "tls.crt" with the PEM-encoded certificate.
+    # - caBundle (PEM-encoded certificate string).
+    # If both are set, caBundle takes precedence.
+    client:
+      caBundle: ""
+      secretName: ""
 
-  # HTTPS traffic on the admin port
-  # if set to false also set readinessProbe and livenessProbe httpGet scheme's to 'HTTP'
-  useTLS: true
-  servicePort: 8444
-  containerPort: 8444
-  # Kong admin service type
-  type: NodePort
-  # Set a nodePort which is available
-  # nodePort: 32444
   # Kong admin ingress settings. Useful if you want to expose the Admin
   # API of Kong outside the k8s cluster.
   ingress:
     # Enable/disable exposure using ingress.
     enabled: false
+    ingressClassName:
     # TLS secret name.
     # tls: kong-admin.example.com-tls
     # Ingress hostname
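Review bot: `tag: "3.6"` pins the Kong image only to a floating minor version, so two installs of the same chart revision can pull different binaries; the controller `tag: "3.1"` in the ingressController hunk further down has the same problem. For a reproducible and auditable deployment the parent chart's values should pin a full patch release or a digest, e.g. `tag: "3.6.<patch release you validated>"` or `repository: kong@sha256:<digest>` (placeholders). Leaving `effectiveSemver:` empty is fine for a semver tag, but if a non-semver tag is ever used it must be filled in, as the comment on it says.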
@@ -77,33 +206,141 @@ admin:
     annotations: {}
     # Ingress path.
     path: /
+    # Each path in an Ingress is required to have a corresponding path type. (ImplementationSpecific/Exact/Prefix)
+    pathType: ImplementationSpecific
+
+# Specify Kong status listener configuration
+# This listen is internal-only. It cannot be exposed through a service or ingress.
+status:
+  enabled: true
+  http:
+    # Enable plaintext HTTP listen for the status listen
+    enabled: true
+    containerPort: 8100
+    parameters: []
+
+  tls:
+    # Enable HTTPS listen for the status listen
+    # Kong versions prior to 2.1 do not support TLS status listens.
+    # This setting must remain false on those versions
+    enabled: false
+    containerPort: 8543
+    parameters: []
+
+# Name the kong hybrid cluster CA certificate secret
+clusterCaSecretName: ""
+
+# Specify Kong cluster service and listener configuration
+#
+# The cluster service *must* use TLS. It does not support the "http" block
+# available on other services.
+#
+# The cluster service cannot be exposed through an Ingress, as it must perform
+# TLS client validation directly and is not compatible with TLS-terminating
+# proxies. If you need to expose it externally, you must use "type:
+# LoadBalancer" and use a TCP-only load balancer (check your Kubernetes
+# provider's documentation, as the configuration required for this varies).
+cluster:
+  enabled: false
+  # To specify annotations or labels for the cluster service, add them to the respective
+  # "annotations" or "labels" dictionaries below.
+  annotations: {}
+  #  service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: "*"
+  labels: {}
+
+  tls:
+    enabled: false
+    servicePort: 8005
+    containerPort: 8005
+    parameters: []
+
+  type: ClusterIP
+  loadBalancerClass:
+
+  # Kong cluster ingress settings. Useful if you want to split CP and DP
+  # in different clusters.
+  ingress:
+    # Enable/disable exposure using ingress.
+    enabled: false
+    ingressClassName:
+    # TLS secret name.
+    # tls: kong-cluster.example.com-tls
+    # Ingress hostname
+    hostname:
+    # Map of ingress annotations.
+    annotations: {}
+    # Ingress path.
+    path: /
+    # Each path in an Ingress is required to have a corresponding path type. (ImplementationSpecific/Exact/Prefix)
+    pathType: ImplementationSpecific
 
 # Specify Kong proxy service configuration
 proxy:
-  # If you want to specify annotations for the proxy service, uncomment the following
-  # line, add additional or adjust as needed, and remove the curly braces after 'annotations:'.
+  # Enable creating a Kubernetes service for the proxy
+  enabled: true
+  type: LoadBalancer
+  loadBalancerClass:
+  # Override proxy Service name
+  nameOverride: ""
+  # To specify annotations or labels for the proxy service, add them to the respective
+  # "annotations" or "labels" dictionaries below.
   annotations: {}
-  #  service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: "*"
+  # If terminating TLS at the ELB, the following annotations can be used
+  # "service.beta.kubernetes.io/aws-load-balancer-backend-protocol": "*",
+  # "service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled": "true",
+  # "service.beta.kubernetes.io/aws-load-balancer-ssl-cert": "arn:aws:acm:REGION:ACCOUNT:certificate/XXXXXX-XXXXXXX-XXXXXXX-XXXXXXXX",
+  # "service.beta.kubernetes.io/aws-load-balancer-ssl-ports": "kong-proxy-tls",
+  # "service.beta.kubernetes.io/aws-load-balancer-type": "elb"
+  labels:
+    enable-metrics: "true"
 
-  # HTTP plain-text traffic
   http:
+    # Enable plaintext HTTP listen for the proxy
     enabled: true
-    servicePort: 32080
-    containerPort: 32080
+    servicePort: 80
+    containerPort: 8000
     # Set a nodePort which is available if service type is NodePort
-    nodePort: 32080
+    # nodePort: 32080
+    # Additional listen parameters, e.g. "reuseport", "backlog=16384"
+    parameters: []
 
   tls:
+    # Enable HTTPS listen for the proxy
     enabled: true
-    servicePort: 32443
-    containerPort: 32443
-    # Set a target port for the TLS port in proxy service, useful when using TLS
-    # termination on an ELB.
+    servicePort: 443
+    containerPort: 8443
+    # Set a target port for the TLS port in proxy service
     # overrideServiceTargetPort: 8000
     # Set a nodePort which is available if service type is NodePort
-    nodePort: 32443
+    # nodePort: 32443
+    # Additional listen parameters, e.g. "reuseport", "backlog=16384"
+    parameters:
+    - http2
 
-  type: NodePort
+    # Specify the Service's TLS port's appProtocol. This can be useful when integrating with
+    # external load balancers that require the `appProtocol` field to be set (e.g. GCP).
+    appProtocol: ""
+
+  # Define stream (TCP) listen
+  # To enable, remove "[]", uncomment the section below, and select your desired
+  # ports and parameters. Listens are dynamically named after their containerPort,
+  # e.g. "stream-9000" for the below.
+  # Note: although you can select the protocol here, you cannot set UDP if you
+  # use a LoadBalancer Service due to limitations in current Kubernetes versions.
+  # To proxy both TCP and UDP with LoadBalancers, you must enable the udpProxy Service
+  # in the next section and place all UDP stream listen configuration under it.
+  stream: []
+    #   # Set the container (internal) and service (external) ports for this listen.
+    #   # These values should normally be the same. If your environment requires they
+    #   # differ, note that Kong will match routes based on the containerPort only.
+    # - containerPort: 9000
+    #   servicePort: 9000
+    #   protocol: TCP
+    #   # Optionally set a static nodePort if the service type is NodePort
+    #   # nodePort: 32080
+    #   # Additional listen parameters, e.g. "ssl", "reuseport", "backlog=16384"
+    #   # "ssl" is required for SNI-based routes. It is not supported on versions <2.0
+    #   parameters: []
 
   # Kong proxy ingress settings.
   # Note: You need this only if you are using another Ingress Controller
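Review bot: `type: LoadBalancer` replaces the previous `type: NodePort` for the proxy service, and the fixed `nodePort: 32080` / `nodePort: 32443` values are now commented out; on a cluster without a load-balancer controller the proxy Service stays in Pending and is not reachable from outside the cluster. If the parent chart overrides `proxy.type` and the node ports this is harmless, but I cannot see that override from this diff. A one-line pointer above `type: LoadBalancer` such as `# overridden by the parent chart's values for this deployment` would save the next reader the search, or the override should be confirmed before release.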
@@ -111,22 +348,85 @@ proxy:
   ingress:
     # Enable/disable exposure using ingress.
     enabled: false
-    hosts: []
-    # TLS section. Unlike other ingresses, this follows the format at
-    # https://kubernetes.io/docs/concepts/services-networking/ingress/#tls
-    # tls:
-    # - hosts:
-    #   - 1.example.com
-    #   secretName: example1-com-tls-secret
-    # - hosts:
-    #   - 2.example.net
-    #   secretName: example2-net-tls-secret
-    # Map of ingress annotations.
+    ingressClassName:
+    # To specify annotations or labels for the ingress, add them to the respective
+    # "annotations" or "labels" dictionaries below.
     annotations: {}
-    # Ingress path.
+    labels: {}
+    # Ingress hostname
+    hostname:
+    # Ingress path (when used with hostname above).
     path: /
+    # Each path in an Ingress is required to have a corresponding path type (when used with hostname above). (ImplementationSpecific/Exact/Prefix)
+    pathType: ImplementationSpecific
+    # Ingress hosts. Use this instead of or in combination with hostname to specify multiple ingress host configurations
+    hosts: []
+    # - host: kong-proxy.example.com
+    #   paths:
+    #   # Ingress path.
+    #   - path: /*
+    #   # Each path in an Ingress is required to have a corresponding path type. (ImplementationSpecific/Exact/Prefix)
+    #     pathType: ImplementationSpecific
+    # - host: kong-proxy-other.example.com
+    #   paths:
+    #   # Ingress path.
+    #   - path: /other
+    #   # Each path in an Ingress is required to have a corresponding path type. (ImplementationSpecific/Exact/Prefix)
+    #     pathType: ImplementationSpecific
+    #     backend:
+    #       service:
+    #         name: kong-other-proxy
+    #         port:
+    #           number: 80
+    #
+    # TLS secret(s)
+    # tls: kong-proxy.example.com-tls
+    # Or if multiple hosts/secrets needs to be configured:
+    # tls:
+    # - secretName: kong-proxy.example.com-tls
+    #   hosts:
+    #   - kong-proxy.example.com
+    # - secretName: kong-proxy-other.example.com-tls
+    #   hosts:
+    #   - kong-proxy-other.example.com
+
+  # Optionally specify a static load balancer IP.
+  # loadBalancerIP:
+
+# Specify Kong UDP proxy service configuration
+# Currently, LoadBalancer type Services are generally limited to a single transport protocol
+# Multi-protocol Services are an alpha feature as of Kubernetes 1.20:
+# https://kubernetes.io/docs/concepts/services-networking/service/#load-balancers-with-mixed-protocol-types
+# You should enable this Service if you proxy UDP traffic, and configure UDP stream listens under it
+udpProxy:
+  # Enable creating a Kubernetes service for UDP proxying
+  enabled: false
+  type: LoadBalancer
+  loadBalancerClass:
+  # To specify annotations or labels for the proxy service, add them to the respective
+  # "annotations" or "labels" dictionaries below.
+  annotations: {}
+  #  service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: "*"
+  labels: {}
+  # Optionally specify a static load balancer IP.
+  # loadBalancerIP:
 
-  externalIPs: []
+  # Define stream (UDP) listen
+  # To enable, remove "[]", uncomment the section below, and select your desired
+  # ports and parameters. Listens are dynamically named after their servicePort,
+  # e.g. "stream-9000" for the below.
+  stream: []
+    #   # Set the container (internal) and service (external) ports for this listen.
+    #   # These values should normally be the same. If your environment requires they
+    #   # differ, note that Kong will match routes based on the containerPort only.
+    # - containerPort: 9000
+    #   servicePort: 9000
+    #   protocol: UDP
+    #   # Optionally set a static nodePort if the service type is NodePort
+    #   # nodePort: 32080
+    #   # Additional listen parameters, e.g. "ssl", "reuseport", "backlog=16384"
+    #   # "ssl" is required for SNI-based routes. It is not supported on versions <2.0
+    #   parameters: []
 
 # Custom Kong plugins can be loaded into Kong by mounting the plugin code
 # into the file-system of Kong container.
@@ -135,23 +435,62 @@ proxy:
 # The `name` property refers to the name of the ConfigMap or Secret
 # itself, while the pluginName refers to the name of the plugin as it appears
 # in Kong.
+# Subdirectories (which are optional) require separate ConfigMaps/Secrets.
+# "path" indicates their directory under the main plugin directory: the example
+# below will mount the contents of kong-plugin-rewriter-migrations at "/opt/kong/rewriter/migrations".
 plugins: {}
   # configMaps:
   # - pluginName: rewriter
   #   name: kong-plugin-rewriter
+  #   subdirectories:
+  #   - name: kong-plugin-rewriter-migrations
+  #     path: migrations
   # secrets:
   # - pluginName: rewriter
   #   name: kong-plugin-rewriter
 # Inject specified secrets as a volume in Kong Container at path /etc/secrets/{secret-name}/
-# This can be used to override default SSL certificates
+# This can be used to override default SSL certificates.
+# Be aware that the secret name will be used verbatim, and that certain types
+# of punctuation (e.g. `.`) can cause issues.
 # Example configuration
 # secretVolumes:
 # - kong-proxy-tls
 # - kong-admin-tls
 secretVolumes: []
 
-# Set runMigrations to run Kong migrations
-runMigrations: true
+# Enable/disable migration jobs, and set annotations for them
+migrations:
+  # Enable pre-upgrade migrations (run "kong migrations up")
+  preUpgrade: true
+  # Enable post-upgrade migrations (run "kong migrations finish")
+  postUpgrade: true
+  # Annotations to apply to migrations job pods
+  # By default, these disable service mesh sidecar injection for Istio and Kuma,
+  # as the sidecar containers do not terminate and prevent the jobs from completing
+  annotations:
+    sidecar.istio.io/inject: false
+  # Additional annotations to apply to migration jobs
+  # This is helpful in certain non-Helm installation situations such as GitOps
+  # where additional control is required around this job creation.
+  jobAnnotations: {}
+  # Optionally set a backoffLimit. If none is set, Jobs will use the cluster default
+  backoffLimit:
+  resources: {}
+  # Example reasonable setting for "resources":
+  # resources:
+  #   limits:
+  #     cpu: 100m
+  #     memory: 256Mi
+  #   requests:
+  #     cpu: 50m
+  #     memory: 128Mi
+  ## Optionally specify any extra sidecar containers to be included in the deployment
+  ## See https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#container-v1-core
+  ## Keep in mind these containers should be terminated along with the main
+  ## migration containers
+  # sidecarContainers:
+  #   - name: sidecar
+  #     image: sidecar:latest
 
 # Kong's configuration for DB-less mode
 # Note: Use this section only if you are deploying Kong in DB-less mode
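Review bot: `sidecar.istio.io/inject: false` under `migrations.annotations` is an unquoted boolean, but Kubernetes annotation values must be strings. Whether this survives depends on how the template renders the map: a `toYaml` of the map emits a bare `false` and the API server rejects the migration Job, while a `| quote` pipeline is fine. Writing it as `sidecar.istio.io/inject: "false"` is correct in both cases and also matches the string form the Istio docs use.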
@@ -159,54 +498,118 @@ runMigrations: true
 dblessConfig:
   # Either Kong's configuration is managed from an existing ConfigMap (with Key: kong.yml)
   configMap: ""
+  # Or Kong's configuration is managed from an existing Secret (with Key: kong.yml)
+  secret: ""
   # Or the configuration is passed in full-text below
-  config:
-    _format_version: "1.1"
-    services:
-      # Example configuration
-      # - name: example.com
-      #   url: http://example.com
-      #   routes:
-      #   - name: example
-      #     paths:
-      #     - "/example"
+  config: |
+  # # _format_version: "1.1"
+  # # services:
+  # #   # Example configuration
+  # #   # - name: example.com
+  # #   #   url: http://example.com
+  # #   #   routes:
+  # #   #   - name: example
+  # #   #     paths:
+  # #   #     - "/example"
+  ## Optionally specify any extra sidecar containers to be included in the
+  ## migration jobs
+  ## See https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#container-v1-core
+  # sidecarContainers:
+  #   - name: sidecar
+  #     image: sidecar:latest
 
 # -----------------------------------------------------------------------------
 # Ingress Controller parameters
 # -----------------------------------------------------------------------------
 
 # Kong Ingress Controller's primary purpose is to satisfy Ingress resources
-# created in k8s.  It uses CRDs for more fine grained control over routing and
+# created in k8s. It uses CRDs for more fine grained control over routing and
 # for Kong specific configuration.
 ingressController:
   enabled: true
   image:
     repository: kong/kubernetes-ingress-controller
-    tag: 0.7.0
+    tag: "3.1"
+    # Optionally set a semantic version for version-gated features. This can normally
+    # be left unset. You only need to set this if your tag is not a semver string,
+    # such as when you are using a "next" tag. Set this to the effective semantic
+    # version of your tag: for example if using a "next" image for an unreleased 3.1.0
+    # version, set this to "3.1.0".
+    effectiveSemver:
+  args: []
+
+  gatewayDiscovery:
+    enabled: false
+    generateAdminApiService: false
+    adminApiService:
+      namespace: ""
+      name: ""
+
+  # Specify individual namespaces to watch for ingress configuration. By default,
+  # when no namespaces are set, the controller watches all namespaces and uses a
+  # ClusterRole to grant access to Kubernetes resources. When you list specific
+  # namespaces, the controller will watch those namespaces only and will create
+  # namespaced-scoped Roles for each of them. The controller will still use a
+  # ClusterRole for cluster-scoped resources.
+  # Requires controller 2.0.0 or newer.
+  watchNamespaces: []
 
   # Specify Kong Ingress Controller configuration via environment variables
-  env: {}
+  env:
+    # The controller disables TLS verification by default because Kong
+    # generates self-signed certificates by default. Set this to false once you
+    # have installed CA-signed certificates.
+    kong_admin_tls_skip_verify: true
+    # If using Kong Enterprise with RBAC enabled, uncomment the section below
+    # and specify the secret/key containing your admin token.
+    # kong_admin_token:
+    #   valueFrom:
+    #     secretKeyRef:
+    #        name: CHANGEME-admin-token-secret
+    #        key: CHANGEME-admin-token-key
+
+  # This section is any customer specific environments variables that doesn't require CONTROLLER_ prefix.
+  # Example as below, uncomment if required and add additional attributes as required.
+  # customEnv:
+  #   TZ: "Europe/Berlin"
+
+  # Load all ConfigMap or Secret keys as environment variables:
+  # https://kubernetes.io/docs/tasks/configure-pod-container/configure-pod-configmap/#configure-all-key-value-pairs-in-a-configmap-as-container-environment-variables
+  envFrom: []
 
   admissionWebhook:
-    enabled: false
-    failurePolicy: Fail
+    enabled: true
+    failurePolicy: Ignore
     port: 8080
+    certificate:
+      provided: false
+    namespaceSelector: {}
+    # Specifiy the secretName when the certificate is provided via a TLS secret
+    # secretName: ""
+    # Specifiy the CA bundle of the provided certificate.
+    # This is a PEM encoded CA bundle which will be used to validate the webhook certificate. If unspecified, system trust roots on the apiserver are used.
+    # caBundle:
+    #   | Add the CA bundle content here.
+    service:
+      # Specify custom labels for the validation webhook service.
+      labels: {}
+    # Tune the default Kubernetes timeoutSeconds of 10 seconds
+    # timeoutSeconds: 10
 
   ingressClass: kong
+  # annotations for IngressClass resource (Kubernetes 1.18+)
+  ingressClassAnnotations: {}
+
+  ## Define any volumes and mounts you want present in the ingress controller container
+  ## Volumes are defined above in deployment.userDefinedVolumes
+  # userDefinedVolumeMounts:
+  # - name: "volumeName"
+  #   mountPath: "/opt/user/dir/mount"
 
   rbac:
     # Specifies whether RBAC resources should be created
     create: true
 
-  serviceAccount:
-    # Specifies whether a ServiceAccount should be created
-    create: true
-    # The name of the ServiceAccount to use.
-    # If not set and create is true, a name is generated using the fullname template
-    name:
-
-  installCRDs: true
-
   # general properties
   livenessProbe:
     httpGet:
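Review bot: `kong_admin_tls_skip_verify: true` in the controller `env` block turns off certificate verification between the ingress controller and the Kong Admin API, and `admissionWebhook.failurePolicy: Ignore` (changed from `Fail`) admits Kong resources whenever the validating webhook is unreachable; both are upstream defaults, but together they mean a misconfigured Admin endpoint is never detected and invalid Kong CRs are accepted silently. The comment on skip_verify says to set it to false once CA-signed certificates are installed, yet nothing in this file does so: `certificates.enabled` further down defaults to false and `ingressController.adminApi.tls.client.enabled` is false. I would expect the parent chart's values to set `kong_admin_tls_skip_verify: false` and `failurePolicy: Fail` once the admin certificate is trusted, or a comment here stating that in-cluster admin traffic is left unverified by design. Separately, the `sidecarContainers` comment block under `dblessConfig` talks about migration jobs, which looks copied from the `migrations` section above and will confuse readers.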
@@ -220,7 +623,7 @@ ingressController:
     failureThreshold: 3
   readinessProbe:
     httpGet:
-      path: "/healthz"
+      path: "/readyz"
       port: 10254
       scheme: HTTP
     initialDelaySeconds: 5
@@ -229,6 +632,54 @@ ingressController:
     successThreshold: 1
     failureThreshold: 3
   resources: {}
+  # Example reasonable setting for "resources":
+  # resources:
+  #   limits:
+  #     cpu: 100m
+  #     memory: 256Mi
+  #   requests:
+  #     cpu: 50m
+  #     memory: 128Mi
+
+  konnect:
+    enabled: false
+
+    # Specifies a Konnect Runtime Group's ID that the controller will push its data-plane config to.
+    runtimeGroupID: ""
+
+    # Specifies a Konnect API hostname that the controller will use to push its data-plane config to.
+    # By default, this is set to US region's production API hostname.
+    # If you are using a different region, you can set this to the appropriate hostname (e.g. "eu.kic.api.konghq.com").
+    apiHostname: "us.kic.api.konghq.com"
+
+    # Specifies a secret that contains a client TLS certificate that the controller
+    # will use to authenticate against Konnect APIs.
+    tlsClientCertSecretName: "konnect-client-tls"
+
+    license:
+      # Specifies whether the controller should fetch a license from Konnect and apply it to managed Gateways.
+      enabled: false
+
+  adminApi:
+    tls:
+      client:
+        # Enable TLS client authentication for the Admin API.
+        enabled: false
+
+        # If set to false, Helm will generate certificates for you.
+        # If set to true, you are expected to provide your own secret (see secretName, caSecretName).
+        certProvided: false
+
+        # Client TLS certificate/key pair secret name that Ingress Controller will use to authenticate with Kong Admin API.
+        # If certProvided is set to false, it is optional (can be specified though if you want to force Helm to use
+        # a specific secret name).
+        secretName: ""
+
+        # CA TLS certificate/key pair secret name that the client TLS certificate is signed by.
+        # If certProvided is set to false, it is optional (can be specified though if you want to force Helm to use
+        # a specific secret name).
+        caSecretName: ""
+
 
 # -----------------------------------------------------------------------------
 # Postgres sub-chart parameters
@@ -242,25 +693,112 @@ ingressController:
 # - (recommended) Deploy and maintain a database and pass the connection
 #   details to Kong via the `env` section.
 # - You can use the below `postgresql` sub-chart to deploy a database
-#   along-with Kong as part of a single Helm release.
+#   along-with Kong as part of a single Helm release. Running a database
+#   independently is recommended for production, but the built-in Postgres is
+#   useful for quickly creating test instances.
 
 # PostgreSQL chart documentation:
-# https://github.com/helm/charts/blob/master/stable/postgresql/README.md
+# https://github.com/bitnami/charts/blob/master/bitnami/postgresql/README.md
+#
+# WARNING: by default, the Postgres chart generates a random password each
+# time it upgrades, which breaks access to existing volumes. You should set a
+# password explicitly:
+# https://github.com/Kong/charts/blob/main/charts/kong/FAQs.md#kong-fails-to-start-after-helm-upgrade-when-postgres-is-used-what-do-i-do
 
 postgresql:
   enabled: false
-  # postgresqlUsername: kong
-  # postgresqlDatabase: kong
-  # service:
-  #   port: 5432
+  auth:
+    username: kong
+    database: kong
+  image:
+    # use postgres < 14 until is https://github.com/Kong/kong/issues/8533 resolved and released
+    # enterprise (kong-gateway) supports postgres 14
+    tag: 13.11.0-debian-11-r20
+  service:
+    ports:
+      postgresql: "5432"
+
+# -----------------------------------------------------------------------------
+# Configure cert-manager integration
+# -----------------------------------------------------------------------------
+
+certificates:
+  enabled: false
+
+  # Set either `issuer` or `clusterIssuer` to the name of the desired cert manager issuer
+  # If left blank a built in self-signed issuer will be created and utilized
+  issuer: ""
+  clusterIssuer: ""
+
+  # Set proxy.enabled to true to issue default kong-proxy certificate with cert-manager
+  proxy:
+    enabled: true
+    # Set `issuer` or `clusterIssuer` to name of alternate cert-manager clusterIssuer to override default
+    # self-signed issuer.
+    issuer: ""
+    clusterIssuer: ""
+    # Use commonName and dnsNames to set the common name and dns alt names which this
+    # certificate is valid for. Wildcard records are supported by the included self-signed issuer.
+    commonName: "app.example"
+    # Remove the "[]" and uncomment/change the examples to add SANs
+    dnsNames: []
+    # - "app.example"
+    # - "*.apps.example"
+    # - "*.kong.example"
+
+  # Set admin.enabled true to issue kong admin api and manager certificate with cert-manager
+  admin:
+    enabled: true
+    # Set `issuer` or `clusterIssuer` to name of alternate cert-manager clusterIssuer to override default
+    # self-signed issuer.
+    issuer: ""
+    clusterIssuer: ""
+    # Use commonName and dnsNames to set the common name and dns alt names which this
+    # certificate is valid for. Wildcard records are supported by the included self-signed issuer.
+    commonName: "kong.example"
+    # Remove the "[]" and uncomment/change the examples to add SANs
+    dnsNames: []
+    # - "manager.kong.example"
+
+  # Set portal.enabled to true to issue a developer portal certificate with cert-manager
+  portal:
+    enabled: true
+    # Set `issuer` or `clusterIssuer` to name of alternate cert-manager clusterIssuer to override default
+    # self-signed issuer.
+    issuer: ""
+    clusterIssuer: ""
+    # Use commonName and dnsNames to set the common name and dns alt names which this
+    # certificate is valid for. Wildcard records are supported by the included self-signed issuer.
+    commonName: "developer.example"
+    # Remove the "{}" and uncomment/change the examples to add SANs
+    dnsNames: []
+    # - "manager.kong.example"
+
+  # Set cluster.enabled true to issue kong hybrid mtls certificate with cert-manager
+  cluster:
+    enabled: true
+    # Issuers used by the control and data plane releases must match for this certificate.
+    issuer: ""
+    clusterIssuer: ""
+    commonName: "kong_clustering"
+    dnsNames: []
 
 # -----------------------------------------------------------------------------
 # Miscellaneous parameters
 # -----------------------------------------------------------------------------
 
 waitImage:
-  repository: busybox
-  tag: latest
+  # Wait for the database to come online before starting Kong or running migrations
+  # If Kong is to access the database through a service mesh that injects a sidecar to
+  # Kong's container, this must be disabled. Otherwise there'll be a deadlock:
+  # InitContainer waiting for DB access that requires the sidecar, and the sidecar
+  # waiting for InitContainers to finish.
+  enabled: true
+  # Optionally specify an image that provides bash for pre-migration database
+  # checks. If none is specified, the chart uses the Kong image. The official
+  # Kong images provide bash
+  # repository: bash
+  # tag: 5
   pullPolicy: IfNotPresent
 
 # update strategy
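Review bot: The WARNING added above `postgresql:` says a password must be set explicitly, but the new `auth:` block sets only `username` and `database`, so if `postgresql.enabled` is ever flipped to true the bundled database still gets a regenerated password on each upgrade and loses access to its existing volume. A literal password does not belong in a values file under version control; the parent chart should instead point the Bitnami sub-chart at a pre-created Secret via `auth.existingSecret: <secret created out of band>` (placeholder). The pinned `tag: 13.11.0-debian-11-r20` is good practice and the comment explaining the Postgres <14 constraint is useful; keep both when the override is added.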
@@ -274,18 +812,17 @@ updateStrategy: {}
 # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
 resources: {}
   # limits:
-  #  cpu: 100m
-  #  memory: 128Mi
+  #  cpu: 1
+  #  memory: 2G
   # requests:
-  #  cpu: 100m
-  #  memory: 128Mi
+  #  cpu: 1
+  #  memory: 2G
 
 # readinessProbe for Kong pods
-# If using Kong Enterprise with RBAC, you must add a Kong-Admin-Token header
 readinessProbe:
   httpGet:
-    path: "/status"
-    port: metrics
+    path: "/status/ready"
+    port: status
     scheme: HTTP
   initialDelaySeconds: 5
   timeoutSeconds: 5
@@ -297,7 +834,7 @@ readinessProbe:
 livenessProbe:
   httpGet:
     path: "/status"
-    port: metrics
+    port: status
     scheme: HTTP
   initialDelaySeconds: 5
   timeoutSeconds: 5
@@ -305,10 +842,42 @@ livenessProbe:
   successThreshold: 1
   failureThreshold: 3
 
+# startupProbe for Kong pods
+# startupProbe:
+#   httpGet:
+#     path: "/status"
+#     port: status
+#     scheme: HTTP
+#   initialDelaySeconds: 5
+#   timeoutSeconds: 5
+#   periodSeconds: 2
+#   successThreshold: 1
+#   failureThreshold: 40
+
+# Proxy container lifecycle hooks
+# Ref: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/
+lifecycle:
+  preStop:
+    exec:
+      # kong quit has a default timeout of 10 seconds, and a default wait of 0 seconds.
+      # Note: together they should be less than the terminationGracePeriodSeconds setting below.
+      command:
+        - kong
+        - quit
+        - '--wait=15'
+
+# Sets the termination grace period for pods spawned by the Kubernetes Deployment.
+# Ref: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#hook-handler-execution
+terminationGracePeriodSeconds: 30
+
 # Affinity for pod assignment
 # Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
 # affinity: {}
 
+# Topology spread constraints for pod assignment (requires Kubernetes >= 1.19)
+# Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/
+# topologySpreadConstraints: []
+
 # Tolerations for pod assignment
 # Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
 tolerations: []
@@ -318,31 +887,122 @@ tolerations: []
 nodeSelector: {}
 
 # Annotation to be added to Kong pods
-podAnnotations: {}
+podAnnotations:
+  kuma.io/gateway: enabled
+  traffic.sidecar.istio.io/includeInboundPorts: ""
+
+# Labels to be added to Kong pods
+podLabels: {}
 
-# Kong pod count
+# Kong pod count.
+# It has no effect when autoscaling.enabled is set to true
 replicaCount: 1
 
+# Annotations to be added to Kong deployment
+deploymentAnnotations: {}
+
+# Enable autoscaling using HorizontalPodAutoscaler
+# When configuring an HPA, you must set resource requests on all containers via
+# "resources" and, if using the controller, "ingressController.resources" in values.yaml
+autoscaling:
+  enabled: false
+  minReplicas: 2
+  maxReplicas: 5
+  behavior: {}
+  ## targetCPUUtilizationPercentage only used if the cluster doesn't support autoscaling/v2 or autoscaling/v2beta
+  targetCPUUtilizationPercentage:
+  ## Otherwise for clusters that do support autoscaling/v2 or autoscaling/v2beta, use metrics
+  metrics:
+    - type: Resource
+      resource:
+        name: cpu
+        target:
+          type: Utilization
+          averageUtilization: 80
+
 # Kong Pod Disruption Budget
 podDisruptionBudget:
   enabled: false
-  maxUnavailable: "50%"
+  # Uncomment only one of the following when enabled is set to true
+  # maxUnavailable: "50%"
+  # minAvailable: "50%"
 
 podSecurityPolicy:
   enabled: false
+  labels: {}
+  annotations: {}
+  spec:
+    privileged: false
+    fsGroup:
+      rule: RunAsAny
+    runAsUser:
+      rule: RunAsAny
+    runAsGroup:
+      rule: RunAsAny
+    seLinux:
+      rule: RunAsAny
+    supplementalGroups:
+      rule: RunAsAny
+    volumes:
+      - 'configMap'
+      - 'secret'
+      - 'emptyDir'
+      - 'projected'
+    allowPrivilegeEscalation: false
+    hostNetwork: false
+    hostIPC: false
+    hostPID: false
+    # Make the root filesystem read-only. This is not compatible with Kong Enterprise <1.5.
+    # If you use Kong Enterprise <1.5, this must be set to false.
+    readOnlyRootFilesystem: true
+
+
+priorityClassName: ""
 
 # securityContext for Kong pods.
-securityContext:
+securityContext: {}
+
+# securityContext for containers.
+containerSecurityContext:
+  readOnlyRootFilesystem: true
+  allowPrivilegeEscalation: false
   runAsUser: 1000
+  runAsNonRoot: true
+  seccompProfile:
+    type: RuntimeDefault
+  capabilities:
+    drop:
+    - ALL
+
+## Optional DNS configuration for Kong pods
+# dnsPolicy: ClusterFirst
+# dnsConfig:
+#   nameservers:
+#   - "10.100.0.10"
+#   options:
+#   - name: ndots
+#     value: "5"
+#   searches:
+#   - default.svc.cluster.local
+#   - svc.cluster.local
+#   - cluster.local
+#   - us-east-1.compute.internal
 
 serviceMonitor:
   # Specifies whether ServiceMonitor for Prometheus operator should be created
+  # If you wish to gather metrics from a Kong instance with the proxy disabled (such as a hybrid control plane), see:
+  # https://github.com/Kong/charts/blob/main/charts/kong/README.md#prometheus-operator-integration
   enabled: false
-  # interval: 10s
+  # interval: 30s
   # Specifies namespace, where ServiceMonitor should be installed
   # namespace: monitoring
   # labels:
   #   foo: bar
+  # targetLabels:
+  #   - foo
+
+  # honorLabels: false
+  # metricRelabelings: []
 
 # -----------------------------------------------------------------------------
 # Kong Enterprise parameters
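Review bot: The new `podAnnotations` defaults `kuma.io/gateway: enabled` and `traffic.sidecar.istio.io/includeInboundPorts: ""` change how a service mesh treats the Kong pods (the empty Istio value presumably exempts every inbound port from sidecar interception), yet nothing in the hunk explains this or warns operators who do not run Kong as their mesh edge; a comment such as `# Mesh defaults: mark Kong as a Kuma gateway and bypass Istio inbound interception; adjust if Kong is not the mesh edge` would make the intent explicit. Separately, `targetCPUUtilizationPercentage:` in the autoscaling block is a bare key and parses as null; writing `targetCPUUtilizationPercentage: null` (or commenting the key out) states that intent. Sequence indentation is also mixed in this hunk: `metrics:` and `volumes:` indent their items while `drop:` puts `- ALL` flush with the key, and the `parameters:` lists in the later manager/portal/portalapi hunk do the same; pick one style file-wide.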
@@ -355,33 +1015,23 @@ enterprise:
   enabled: false
   # Kong Enterprise license secret name
   # This secret must contain a single 'license' key, containing your base64-encoded license data
-  # The license secret is required for all Kong Enterprise deployments
-  license_secret: you-must-create-a-kong-license-secret
-  # Session configuration secret
-  # The session conf secret is required if using RBAC or the Portal
+  # The license secret is required to unlock all Enterprise features. If you omit it,
+  # Kong will run in free mode, with some Enterprise features disabled.
+  # license_secret: kong-enterprise-license
   vitals:
     enabled: true
   portal:
     enabled: false
-    # portal_auth here sets the default authentication mechanism for the Portal
-    # FIXME This can be changed per-workspace, but must currently default to
-    # basic-auth to work around limitations with session configuration
-    portal_auth: basic-auth
-    # If the Portal is enabled and any workspace's Portal uses authentication,
-    # this Secret must contain an portal_session_conf key
-    # The key value must be a secret configuration, following the example at
-    # https://docs.konghq.com/enterprise/latest/developer-portal/configuration/authentication/sessions
-    session_conf_secret: you-must-create-a-portal-session-conf-secret
   rbac:
     enabled: false
     admin_gui_auth: basic-auth
     # If RBAC is enabled, this Secret must contain an admin_gui_session_conf key
     # The key value must be a secret configuration, following the example at
     # https://docs.konghq.com/enterprise/latest/kong-manager/authentication/sessions
-    session_conf_secret: you-must-create-an-rbac-session-conf-secret
+    session_conf_secret: kong-session-config
     # If admin_gui_auth is not set to basic-auth, provide a secret name which
     # has an admin_gui_auth_conf key containing the plugin config JSON
-    admin_gui_auth_conf_secret: you-must-create-an-admin-gui-auth-conf-secret
+    admin_gui_auth_conf_secret: CHANGEME-admin-gui-auth-conf-secret
   # For configuring emails and SMTP, please read through:
   # https://docs.konghq.com/enterprise/latest/developer-portal/configuration/smtp
   # https://docs.konghq.com/enterprise/latest/kong-manager/networking/email
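Review bot: `session_conf_secret: kong-session-config` under `rbac` is now a concrete-looking default, while the sibling `admin_gui_auth_conf_secret` keeps a `CHANGEME-` placeholder; an operator who enables RBAC without first creating a Secret of that name will presumably get a pod that cannot start because the referenced Secret is missing, and the name no longer signals that it must be created. Either align it with the placeholder convention, `session_conf_secret: CHANGEME-session-conf-secret`, or add a comment such as `# A Secret with this name must exist in the release namespace before rbac.enabled is set to true`. The `enterprise` mapping starts before this hunk.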
@@ -394,6 +1044,8 @@ enterprise:
     smtp_admin_emails: none@example.com
     smtp_host: smtp.example.com
     smtp_port: 587
+    smtp_auth_type: ''
+    smtp_ssl: nil
     smtp_starttls: true
     auth:
       # If your SMTP server does not require authentication, this section can
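Review bot: `smtp_ssl: nil` is a plain scalar, so YAML loads it as the string "nil" rather than an absent or null value, and that string is presumably what ends up in the rendered Kong configuration. If the intent is to leave the option unset, `smtp_ssl: null` or omitting the key does so unambiguously; if Kong's configuration loader specifically expects the literal text, a comment such as `# literal "nil" is intentional: Kong treats it as unset` would stop the next reader from "fixing" it. `smtp_auth_type: ''` on the line above is fine as an explicit empty string. The enclosing `smtp` block starts before this hunk.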
@@ -401,118 +1053,201 @@ enterprise:
       # string, you must create a Secret with an smtp_password key containing
       # your SMTP password and specify its name here.
       smtp_username: ''  # e.g. postmaster@example.com
-      smtp_password_secret: you-must-create-an-smtp-password
+      smtp_password_secret: CHANGEME-smtp-password
 
 manager:
-  # If you want to specify annotations for the Manager service, uncomment the following
-  # line, add additional or adjust as needed, and remove the curly braces after 'annotations:'.
+  # Enable creating a Kubernetes service for Kong Manager
+  enabled: true
+  type: NodePort
+  loadBalancerClass:
+  # To specify annotations or labels for the Manager service, add them to the respective
+  # "annotations" or "labels" dictionaries below.
   annotations: {}
   #  service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: "*"
+  labels: {}
 
-  # HTTP plain-text traffic
   http:
+    # Enable plaintext HTTP listen for Kong Manager
     enabled: true
     servicePort: 8002
     containerPort: 8002
     # Set a nodePort which is available if service type is NodePort
     # nodePort: 32080
+    # Additional listen parameters, e.g. "reuseport", "backlog=16384"
+    parameters: []
 
   tls:
+    # Enable HTTPS listen for Kong Manager
     enabled: true
     servicePort: 8445
     containerPort: 8445
     # Set a nodePort which is available if service type is NodePort
     # nodePort: 32443
+    # Additional listen parameters, e.g. "reuseport", "backlog=16384"
+    parameters:
+    - http2
 
-  type: NodePort
-
-  # Kong proxy ingress settings.
   ingress:
     # Enable/disable exposure using ingress.
     enabled: false
+    ingressClassName:
     # TLS secret name.
-    # tls: kong-proxy.example.com-tls
+    # tls: kong-manager.example.com-tls
     # Ingress hostname
     hostname:
     # Map of ingress annotations.
     annotations: {}
     # Ingress path.
     path: /
-
-  externalIPs: []
+    # Each path in an Ingress is required to have a corresponding path type. (ImplementationSpecific/Exact/Prefix)
+    pathType: ImplementationSpecific
 
 portal:
-  # If you want to specify annotations for the Portal service, uncomment the following
-  # line, add additional or adjust as needed, and remove the curly braces after 'annotations:'.
+  # Enable creating a Kubernetes service for the Developer Portal
+  enabled: true
+  type: NodePort
+  loadBalancerClass:
+  # To specify annotations or labels for the Portal service, add them to the respective
+  # "annotations" or "labels" dictionaries below.
   annotations: {}
   #  service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: "*"
+  labels: {}
 
-  # HTTP plain-text traffic
   http:
+    # Enable plaintext HTTP listen for the Developer Portal
     enabled: true
     servicePort: 8003
     containerPort: 8003
     # Set a nodePort which is available if service type is NodePort
     # nodePort: 32080
+    # Additional listen parameters, e.g. "reuseport", "backlog=16384"
+    parameters: []
 
   tls:
+    # Enable HTTPS listen for the Developer Portal
     enabled: true
     servicePort: 8446
     containerPort: 8446
     # Set a nodePort which is available if service type is NodePort
     # nodePort: 32443
+    # Additional listen parameters, e.g. "reuseport", "backlog=16384"
+    parameters:
+    - http2
 
-  type: NodePort
-
-  # Kong proxy ingress settings.
   ingress:
     # Enable/disable exposure using ingress.
     enabled: false
+    ingressClassName:
     # TLS secret name.
-    # tls: kong-proxy.example.com-tls
+    # tls: kong-portal.example.com-tls
     # Ingress hostname
     hostname:
     # Map of ingress annotations.
     annotations: {}
     # Ingress path.
     path: /
-
-  externalIPs: []
+    # Each path in an Ingress is required to have a corresponding path type. (ImplementationSpecific/Exact/Prefix)
+    pathType: ImplementationSpecific
 
 portalapi:
-  # If you want to specify annotations for the Portal API service, uncomment the following
-  # line, add additional or adjust as needed, and remove the curly braces after 'annotations:'.
+  # Enable creating a Kubernetes service for the Developer Portal API
+  enabled: true
+  type: NodePort
+  loadBalancerClass:
+  # To specify annotations or labels for the Portal API service, add them to the respective
+  # "annotations" or "labels" dictionaries below.
   annotations: {}
   #  service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: "*"
+  labels: {}
 
-  # HTTP plain-text traffic
   http:
+    # Enable plaintext HTTP listen for the Developer Portal API
     enabled: true
     servicePort: 8004
     containerPort: 8004
     # Set a nodePort which is available if service type is NodePort
     # nodePort: 32080
+    # Additional listen parameters, e.g. "reuseport", "backlog=16384"
+    parameters: []
 
   tls:
+    # Enable HTTPS listen for the Developer Portal API
     enabled: true
     servicePort: 8447
     containerPort: 8447
     # Set a nodePort which is available if service type is NodePort
     # nodePort: 32443
+    # Additional listen parameters, e.g. "reuseport", "backlog=16384"
+    parameters:
+    - http2
 
-  type: NodePort
+  ingress:
+    # Enable/disable exposure using ingress.
+    enabled: false
+    ingressClassName:
+    # TLS secret name.
+    # tls: kong-portalapi.example.com-tls
+    # Ingress hostname
+    hostname:
+    # Map of ingress annotations.
+    annotations: {}
+    # Ingress path.
+    path: /
+    # Each path in an Ingress is required to have a corresponding path type. (ImplementationSpecific/Exact/Prefix)
+    pathType: ImplementationSpecific
 
-  # Kong proxy ingress settings.
+clustertelemetry:
+  enabled: false
+  # To specify annotations or labels for the cluster telemetry service, add them to the respective
+  # "annotations" or "labels" dictionaries below.
+  annotations: {}
+  #  service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: "*"
+  labels: {}
+
+  tls:
+    enabled: false
+    servicePort: 8006
+    containerPort: 8006
+    parameters: []
+
+  type: ClusterIP
+  loadBalancerClass:
+
+  # Kong clustertelemetry ingress settings. Useful if you want to split
+  # CP and DP in different clusters.
   ingress:
     # Enable/disable exposure using ingress.
     enabled: false
+    ingressClassName:
     # TLS secret name.
-    # tls: kong-proxy.example.com-tls
+    # tls: kong-clustertelemetry.example.com-tls
     # Ingress hostname
     hostname:
     # Map of ingress annotations.
     annotations: {}
     # Ingress path.
     path: /
+    # Each path in an Ingress is required to have a corresponding path type. (ImplementationSpecific/Exact/Prefix)
+    pathType: ImplementationSpecific
+
+extraConfigMaps: []
+# extraConfigMaps:
+# - name: my-config-map
+#   mountPath: /mount/to/my/location
+#   subPath: my-subpath # Optional, if you wish to mount a single key and not the entire ConfigMap
+
+extraSecrets: []
+# extraSecrets:
+# - name: my-secret
+#   mountPath: /mount/to/my/location
+#   subPath: my-subpath # Optional, if you wish to mount a single key and not the entire ConfigMap
 
-  externalIPs: []
+extraObjects: []
+# extraObjects:
+# - apiVersion: configuration.konghq.com/v1
+#   kind: KongClusterPlugin
+#   metadata:
+#     name: prometheus
+#   config:
+#     per_consumer: false
+#   plugin: prometheus
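Review bot: `manager`, `portal` and `portalapi` each default to `enabled: true` with `type: NodePort`, which, if the templates render these Services whenever the section is enabled, publishes the management and portal listeners on every node address out of the box; nothing in the hunk records whether they are additionally gated on `enterprise.enabled`, so a comment on each `enabled:` line such as `# Only rendered when enterprise.enabled is true` (or a `ClusterIP` default) would make the exposure deliberate rather than incidental. The `extraSecrets` example comment reads `subPath: my-subpath # Optional, if you wish to mount a single key and not the entire ConfigMap`, a copy of the `extraConfigMaps` text; it should say `entire Secret`. `loadBalancerClass:`, `ingressClassName:` and `hostname:` are left as bare keys throughout, which parse as null; writing `null` explicitly (or commenting them out like the `tls:` examples) states the intent and satisfies yamllint's empty-values check.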
index 3cfc133..a3e1f95 100644 (file)
@@ -1,5 +1,5 @@
 {{- if and .Values.alertmanager.enabled .Values.rbac.create -}}
-apiVersion: rbac.authorization.k8s.io/v1beta1
+apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   labels:
index 03102fb..ec6aeb5 100644 (file)
@@ -1,5 +1,5 @@
 {{- if and .Values.alertmanager.enabled .Values.rbac.create -}}
-apiVersion: rbac.authorization.k8s.io/v1beta1
+apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   labels:
index c0c0585..c56a91a 100644 (file)
@@ -1,5 +1,5 @@
 {{- if and .Values.server.enabled .Values.rbac.create -}}
-apiVersion: rbac.authorization.k8s.io/v1beta1
+apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   labels:
index 5beebfc..038cd89 100644 (file)
@@ -1,5 +1,5 @@
 {{- if and .Values.server.enabled .Values.rbac.create -}}
-apiVersion: rbac.authorization.k8s.io/v1beta1
+apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   labels:
old mode 100755 (executable)
new mode 100644 (file)
index e2d58b0..ebba50e
@@ -33,7 +33,7 @@ metadata:
   name: {{ include "common.serviceaccountname.tiller" $ctx }}
   namespace: {{ $deployNameSpace }}
 ---  
-apiVersion: rbac.authorization.k8s.io/v1beta1
+apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   name: {{ include "common.tillerName" $ctx }}-tiller-base
@@ -53,7 +53,7 @@ rules:
   resources: ["pods", "configmaps", "deployments", "services"]
   verbs: ["get", "list", "create", "delete"]
 ---
-apiVersion: rbac.authorization.k8s.io/v1beta1
+apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   name: {{ include "common.serviceaccountname.tiller" $ctx }}-{{ $nameSpace }}-tiller-base
@@ -67,7 +67,7 @@ subjects:
     name: {{ include "common.serviceaccountname.tiller" $ctx }}
     namespace: {{ $deployNameSpace }}
 ---  
-apiVersion: rbac.authorization.k8s.io/v1beta1
+apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   name: {{ include "common.tillerName" $ctx }}-tiller-operation
@@ -77,7 +77,7 @@ rules:
   resources: ["configmaps"]
   verbs: ["get", "list", "create", "delete", "update"]
 ---
-apiVersion: rbac.authorization.k8s.io/v1beta1
+apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   name: {{ include "common.serviceaccountname.tiller" $ctx }}-{{ $nameSpace }}-tiller-operation
@@ -92,7 +92,7 @@ subjects:
     namespace: {{ $deployNameSpace }}
 {{- if .serviceAccount.role }}
 ---
-apiVersion: rbac.authorization.k8s.io/v1beta1
+apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   name: {{ include "common.tillerName" $ctx }}-tiller-deployer
@@ -100,7 +100,7 @@ metadata:
 rules:
 {{ toYaml .serviceAccount.role }}
 ---
-apiVersion: rbac.authorization.k8s.io/v1beta1
+apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   name: {{ include "common.serviceaccountname.tiller" $ctx }}-{{ $nameSpace }}-tiller-deployer
old mode 100755 (executable)
new mode 100644 (file)
index b2f270d..87c93ca
@@ -39,7 +39,7 @@ metadata:
   name: {{ $serviceAccountName }}
   namespace: {{ $deployNameSpace }}
 ---
-apiVersion: rbac.authorization.k8s.io/v1beta1
+apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   name: {{ $serviceAccountName }}-secret-create
@@ -49,7 +49,7 @@ rules:
   resources: ["secrets"]
   verbs: ["create", "get", "patch"]
 ---
-apiVersion: rbac.authorization.k8s.io/v1beta1
+apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   name: {{ $serviceAccountName }}-secret-create