feat: update helm chart for API7 Gateway 2.8.2203 (#47)

nic-chen · web-flow · commit a390431ccfbc · 2022-03-23T23:47:27.000+08:00
diff --git a/chart/api7/templates/configmap.yaml b/chart/api7/templates/configmap.yaml
@@ -97,23 +97,24 @@ data:
         listen_port: {{ .Values.gateway.tls.port }}
         ssl_protocols: "TLSv1 TLSv1.1 TLSv1.2 TLSv1.3"
         ssl_ciphers: "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA"
-        {{- if .Values.cloud.domain }}
-        ssl_trusted_certificate: "/usr/local/apisix/conf/cloud-ssl/{{ .Values.cloud.certCAFilename }}"
-        {{- else if and .Values.gateway.tls.enabled .Values.gateway.tls.existingCASecret }}
+        {{- if and .Values.gateway.tls.enabled .Values.gateway.tls.existingCASecret }}
         ssl_trusted_certificate: "/usr/local/apisix/conf/ssl/{{ .Values.gateway.tls.certCAFilename }}"
         {{- end }}
 
     nginx_config:                     # config for render the template to genarate nginx.conf
-      error_log: "/dev/stderr"
-      error_log_level: "warn"         # warn,error
+      error_log: "{{ .Values.logs.errorLog }}"
+      error_log_level: "{{ .Values.logs.errorLogLevel }}"         # warn,error
       worker_processes: {{ .Values.gateway.workerProcesses }}
       worker_rlimit_nofile: 20480     # the number of files a worker process can open, should be larger than worker_connections
       event:
         worker_connections: 10620
       http:
-        access_log: "/dev/stdout"
-        access_log_format: "$remote_addr - $remote_user [$time_local] $http_host \"$request\" $status $body_bytes_sent $request_time \"$http_referer\" \"$http_user_agent\" $upstream_addr $upstream_status $upstream_response_time \"$upstream_scheme://$upstream_host$upstream_uri\""
-        access_log_format_escape: default       # allows setting json or default characters escaping in variables
+        enable_access_log: {{ .Values.logs.enableAccessLog }}
+        {{- if .Values.logs.enableAccessLog }}
+        access_log: "{{ .Values.logs.accessLog }}"
+        access_log_format: "{{ .Values.logs.accessLogFormat }}"
+        access_log_format_escape: {{ .Values.logs.accessLogFormatEscape }}
+        {{- end }}
 
         keepalive_timeout: 60s         # timeout during which a keep-alive client connection will stay open on the server side.
         client_header_timeout: 60s     # timeout for reading client request header, then 408 (Request Time-out) error is returned to the client
@@ -129,12 +130,14 @@ data:
         real_ip_from:                  # http://nginx.org/en/docs/http/ngx_http_realip_module.html#set_real_ip_from
           - 127.0.0.1
           - 'unix:'
-        {{- if .Values.cloudProxy.enabled }}
-        lua_shared_dicts:              # add custom shared cache to nginx.conf
-          etcd_token_cache: 10m
-          cloud_proxy_lock: 1m
+
+        {{- if .Values.customLuaSharedDicts }}
+        custom_lua_shared_dict:              # add custom shared cache to nginx.conf
+        {{- range $dict := .Values.customLuaSharedDicts }}
+          {{ $dict.name }}: {{ $dict.size }}
+        {{- end }}
         {{- end }}
-        #  ipc_shared_dict: 100m        # custom shared cache, format: `cache-key: cache-size`
+
       {{- if .Values.configurationSnippet.main }}
       main_configuration_snippet: {{ toYaml .Values.configurationSnippet.main | indent 6 }}
       {{- end }}
@@ -160,13 +163,9 @@ data:
         - "http://{{ .Release.Name }}-etcd.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }}:{{ .Values.etcd.service.port }}"
     {{- else }}
       host:                                 # it's possible to define multiple etcd hosts addresses of the same etcd cluster.
-        {{- if .Values.cloud.domain }}
-        - "https://{{ .Values.cloud.domain }}:443"
-        {{- else }}
         {{- range $value := .Values.etcd.hosts }}
         - "{{ $value }}"             # multiple etcd address
         {{- end }}
-        {{- end }}
     {{- end }}
       prefix: {{ .Values.etcd.prefix | quote }}     # apisix configurations prefix
       timeout: {{ .Values.etcd.timeout }}   # 30 seconds
@@ -179,61 +178,31 @@ data:
         cert: "/etcd-ssl/{{ .Values.etcd.auth.tls.certFilename }}"
         key: "/etcd-ssl/{{ .Values.etcd.auth.tls.certKeyFilename }}"
         verify: {{ .Values.etcd.auth.tls.verify }}
-      {{- else if .Values.cloud.domain }}
-      tls:
-        cert: "/usr/local/apisix/conf/cloud-ssl/{{ .Values.cloud.certFilename }}"
-        key: "/usr/local/apisix/conf/cloud-ssl/{{ .Values.cloud.certKeyFilename }}"
-        verify: true
       {{- end }}
 
-    {{- if or .Values.plugins .Values.cloudProxy.enabled }}
+    {{- if .Values.discovery.enabled }}
+    discovery:
+      {{- range $key, $value := .Values.discovery.registry }}
+      {{ $key }}:
+        {{- include "apisix.tplvalues.render" (dict "value" $value "context" $) | nindent 8 }}
+      {{- end }}
+    {{- end }}
+
+    {{- if .Values.plugins }}
     plugins:                          # plugin list
     {{- range $plugin := .Values.plugins }}
-    {{- if or (not $.Values.cloud.domain) (ne $plugin "prometheus") }}
       - {{ $plugin }}
     {{- end }}
     {{- end }}
-    {{- end }}
-    {{- if .Values.cloudProxy.enabled }}
-      - cloud-proxy
-    {{- end }}
-    {{- if .Values.cloud.domain }}
-      - cloud-prometheus
-      - cloud
-    {{- end }}
+
     {{- if .Values.stream_plugins }}
     stream_plugins:
     {{- range $plugin := .Values.stream_plugins }}
       - {{ $plugin }}
     {{- end }}
     {{- end }}
-    {{- if or .Values.plugin_attr .Values.cloudProxy.enabled }}
+
+    {{- if .Values.plugin_attr }}
     plugin_attr:                     # plugin attr
-    {{- range $key, $attr := .Values.plugin_attr }}
-    {{- if or (ne $key "prometheus") (not $.Values.cloud.domain) }}
-    {{ $key | indent 2 }}: {{- toYaml $attr | nindent 8 }}
-    {{- end }}
-    {{- end }}
-    {{- end }}
-    {{- if .Values.cloudProxy.enabled }}
-      cloud-proxy:
-        domain_suffix: {{ .Values.cloudProxy.domain_suffix }}
-        org_salt_size: {{ .Values.cloudProxy.organizationSaltSize }}
-    {{- end }}
-    {{- if .Values.cloud.domain }}
-      cloud-promethues:
-        export_uri: /apisix/prometheus/metrics
-        enable_export_server: true
-        export_addr:
-          ip: "127.0.0.1"
-          port: 9091
-      cloud:
-        domain: {{ .Values.cloud.domain }}
-        port: 443
-        cert: "/usr/local/apisix/conf/cloud-ssl/{{ .Values.cloud.certFilename }}"
-        key: "/usr/local/apisix/conf/cloud-ssl/{{ .Values.cloud.certKeyFilename }}"
     {{- toYaml .Values.plugin_attr | nindent 6 }}
-      cloud-proxy:
-        domain_suffix: {{ .Values.cloudProxy.domainSuffix }}
-        org_salt_size: {{ .Values.cloudProxy.organizationSaltSize }}
     {{- end }}
diff --git a/chart/api7/templates/deployment.yaml b/chart/api7/templates/deployment.yaml
@@ -103,10 +103,6 @@ spec:
             - mountPath: /usr/local/apisix/conf/ssl
               name: ssl
             {{- end }}
-            {{- if .Values.cloud.domain }}
-            - mountPath: /usr/local/apisix/conf/cloud-ssl
-              name: cloud-ssl
-            {{- end }}
           resources:
             {{- toYaml .Values.resources | nindent 12 }}
       {{- if .Values.etcd.builtin }}
@@ -129,11 +125,6 @@ spec:
             secretName: {{ .Values.gateway.tls.existingCASecret | quote }}
           name: ssl
         {{- end }}
-        {{- if .Values.cloud.domain }}
-        - secret:
-            secretName: {{ .Values.cloud.tlsSecret }}
-          name: cloud-ssl
-        {{- end }}
       {{- with .Values.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}
diff --git a/chart/api7/values.yaml b/chart/api7/values.yaml
@@ -35,19 +35,23 @@ clusterDomain: cluster.local
 
 podAnnotations: {}
 
-podSecurityContext:
-  {}
+podSecurityContext: {}
   # fsGroup: 2000
 
-securityContext:
-  {}
+securityContext: {}
   # capabilities:
   #   drop:
   #   - ALL
   # readOnlyRootFilesystem: true
   # runAsNonRoot: true
   # runAsUser: 1000
 
+customLuaSharedDicts: []
+  # - name: foo
+  #   size: 10k
+  # - name: bar
+  #   size: 1m
+
 gateway:
   type: NodePort
   # type: LoadBalancer
@@ -93,7 +97,7 @@ etcd:
   # install etcd(v3) by default, set false if do not want to install etcd(v3) together,
   # in such a case, etcd.host should be configured so that existing ETCD cluster can be
   # used.
-  builtin: true
+  builtin: false
   hosts:
     - http://etcd.host:2379 # host or ip e.g. http://172.20.128.89:2379
   prefix: "/api7"
@@ -120,6 +124,38 @@ etcd:
       certKeyFilename: "tls.key"
       verify: true
 
+discovery:
+  enabled: false
+  registry:
+      # Integration service discovery registry. E.g eureka\dns\nacos\consul_kv
+      # reference:
+      # https://apisix.apache.org/docs/apisix/discovery#configuration-for-eureka
+      # https://apisix.apache.org/docs/apisix/discovery/dns#service-discovery-via-dns
+      # https://apisix.apache.org/docs/apisix/discovery/consul_kv#configuration-for-consul-kv
+      # https://apisix.apache.org/docs/apisix/discovery/nacos#configuration-for-nacos
+      #
+      # an eureka example:
+      # eureka:
+      #   host:
+      #     - "http://${username}:${password}@${eureka_host1}:${eureka_port1}"
+      #     - "http://${username}:${password}@${eureka_host2}:${eureka_port2}"
+      #   prefix: "/eureka/"
+      #   fetch_interval: 30
+      #   weight: 100
+      #   timeout:
+      #     connect: 2000
+      #     send: 2000
+      #     read: 5000
+
+# access log and error log configuration
+logs:
+  enableAccessLog: true
+  accessLog: "/dev/stdout"
+  accessLogFormat: '$remote_addr - $remote_user [$time_local] $http_host \"$request\" $status $body_bytes_sent $request_time \"$http_referer\" \"$http_user_agent\" $upstream_addr $upstream_status $upstream_response_time \"$upstream_scheme://$upstream_host$upstream_uri\"'
+  accessLogFormatEscape: default
+  errorLog: "/dev/stderr"
+  errorLogLevel: "warn"
+
 dns:
   resolvers:
     - 127.0.0.1
@@ -134,20 +170,28 @@ dns:
 # APISIX plugins to be enabled
 plugins:
   - api-breaker
+  - authz-casbin
   - authz-keycloak
   - basic-auth
-  - batch-requests
+  # - batch-requests
+  - client-control
   - consumer-restriction
   - cors
+  - dubbo-proxy
   - echo
+  - ext-plugin-pre-req
+  - ext-plugin-post-req
+  - error-log-logger
   - fault-injection
   - grpc-transcode
+  - gzip
   - hmac-auth
   - http-logger
   - ip-restriction
   - jwt-auth
   - kafka-logger
   - key-auth
+  - log-rotate
   - limit-conn
   - limit-count
   - limit-req
@@ -157,21 +201,25 @@ plugins:
   - proxy-cache
   - proxy-mirror
   - proxy-rewrite
+  - real-ip
   - redirect
   - referer-restriction
   - request-id
   - request-validation
   - response-rewrite
   - serverless-post-function
   - serverless-pre-function
+  - skywalking
   - sls-logger
   - syslog
   - tcp-logger
+  - ua-restriction
   - udp-logger
   - uri-blocker
   - wolf-rbac
   - zipkin
   - server-info
+  - traffic-split
 stream_plugins:
   - mqtt-proxy
 plugin_attr:
@@ -185,8 +233,9 @@ plugin_attr:
       ip: "0.0.0.0"
       port: 9091
   server-info:
-    report_interval: 60  # server info report interval (unit: second)
-    report_ttl: 3600     # live time for server info in etcd (unit: second)
+    report_ttl: 60       # live time for server info in etcd (unit: second)
+    metrics_host: ""
+    metrics_port: ""
   dubbo-proxy:
     upstream_multiplex_count: 32
 
@@ -230,22 +279,6 @@ busybox:
     repository: busybox
     tag: 1.28
 
-# Whether API7 works in the cloud proxy mode, if so, cloud-proxy plugin will be
-# enabled, this plugin intercepts requests.
-cloudProxy:
-  enabled: false
-  # A valid cluster domain should have such a suffix, e.g. qa.infra0j31xa.cn.api7.cloud,
-  # the cluster is qa and the organization is infra.
-  domainSuffix: api7.cloud
-  organizationSaltSize: 6
-
-cloud:
-  tlsSecret: "api7-cloud-ssl"
-  certFilename: "tls.crt"
-  certKeyFilename: "tls.key"
-  certCAFilename: "ca.crt"
-  domain: ""
-
 # Custom configuration snippet.
 configurationSnippet:
   main: |
