diff --git a/charts/contour-gateway-provisioner/Chart.yaml b/charts/contour-gateway-provisioner/Chart.yaml
new file mode 100644
index 0000000..b6de210
--- /dev/null
+++ b/charts/contour-gateway-provisioner/Chart.yaml
@@ -0,0 +1,11 @@
+apiVersion: v2
+name: contour-gateway-provisioner
+description: Contour Gateway API provisioner deployment chart.
+type: application
+version: 0.1.0
+appVersion: 1.33.0
+home: https://projectcontour.io/
+sources:
+ - https://github.com/projectcontour/contour
+maintainers:
+ - name: Contour Team
diff --git a/charts/contour-gateway-provisioner/README.md b/charts/contour-gateway-provisioner/README.md
new file mode 100644
index 0000000..3b57b26
--- /dev/null
+++ b/charts/contour-gateway-provisioner/README.md
@@ -0,0 +1,51 @@
+# Helm Chart for Contour Gateway Provisioner
+
+Deploys the Contour Gateway API provisioner controller using the upstream example manifest for dynamically provisioned Gateways.
+
+> **Note:** The Gateway API and Contour CRDs must be installed in the cluster before running the provisioner. It watches those resources (GatewayClass, Gateway, ContourDeployment, etc.) and will fail without the CRDs present.
+
+## Installing the Chart
+
+```console
+helm repo add contour https://projectcontour.github.io/helm-charts/
+helm repo update
+helm install my-provisioner contour/contour-gateway-provisioner
+```
+
+> **Tip**: List all releases using `helm list` or `helm ls --all-namespaces`
+
+## Local testing
+
+Render manifests locally from this repo:
+
+```console
+helm template test ./charts/contour-gateway-provisioner
+```
+
+Override values inline for quick checks (example disabling RBAC):
+
+```console
+helm template test ./charts/contour-gateway-provisioner \
+ --set rbac.create=false
+```
+
+## Configuration
+
+| Name | Description | Value |
+| ------------------------ | ------------------------------------------------------------------- | -------------- |
+| `image.registry` | Contour image registry | `ghcr.io` |
+| `image.repository` | Contour image name | `projectcontour/contour` |
+| `image.tag` | Contour image tag | `v1.33.0` |
+| `image.pullPolicy` | Image pull policy | `IfNotPresent` |
+| `image.pullSecrets` | Image pull secrets | `[]` |
+| `replicaCount` | Provisioner controller replicas | `1` |
+| `metricsAddress` | Metrics bind address | `127.0.0.1:8080` |
+| `serviceAccount.create` | Create a ServiceAccount for the provisioner | `true` |
+| `serviceAccount.name` | Override ServiceAccount name | `""` |
+| `serviceAccount.namespace` | Override ServiceAccount namespace used in RBAC subjects | `""` |
+| `serviceAccount.annotations` | Annotations for the ServiceAccount | `{}` |
+| `serviceAccount.automountServiceAccountToken` | Automount ServiceAccount token | `true` |
+| `resources.requests` | Resource requests for the controller | `cpu: 100m`, `memory: 70Mi` |
+| `resources.limits` | Resource limits for the controller | `{}` |
+| `rbac.create` | Create RBAC resources | `true` |
+| `extraArgs` | Extra CLI args appended to `contour gateway-provisioner` | `[]` |
diff --git a/charts/contour-gateway-provisioner/templates/_helpers.tpl b/charts/contour-gateway-provisioner/templates/_helpers.tpl
new file mode 100644
index 0000000..71f1cee
--- /dev/null
+++ b/charts/contour-gateway-provisioner/templates/_helpers.tpl
@@ -0,0 +1,45 @@
+{{- /*
+Common template helpers
+*/ -}}
+
+{{- define "contour-gateway-provisioner.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{- define "contour-gateway-provisioner.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := include "contour-gateway-provisioner.name" . -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "contour-gateway-provisioner.labels" -}}
+app.kubernetes.io/name: {{ include "contour-gateway-provisioner.name" . }}
+helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+app.kubernetes.io/component: gateway-provisioner
+{{- end -}}
+
+{{- define "contour-gateway-provisioner.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "contour-gateway-provisioner.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end -}}
+
+{{- define "contour-gateway-provisioner.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create -}}
+{{- default (include "contour-gateway-provisioner.fullname" .) .Values.serviceAccount.name -}}
+{{- else -}}
+{{- default "default" .Values.serviceAccount.name -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "contour-gateway-provisioner.serviceAccountNamespace" -}}
+{{- default .Release.Namespace .Values.serviceAccount.namespace -}}
+{{- end -}}
diff --git a/charts/contour-gateway-provisioner/templates/deployment.yaml b/charts/contour-gateway-provisioner/templates/deployment.yaml
new file mode 100644
index 0000000..fa4eb1b
--- /dev/null
+++ b/charts/contour-gateway-provisioner/templates/deployment.yaml
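Review bot: The `contour-gateway-provisioner.serviceAccountNamespace` helper at the end of `_helpers.tpl` lets `serviceAccount.namespace` place the ServiceAccount, the ClusterRoleBinding subject and the leader-election Role/RoleBinding in a namespace other than the one the Deployment runs in. `deployment.yaml` sets no `metadata.namespace`, and a pod can only use a ServiceAccount from its own namespace, so with an override the pod is either rejected for a missing account or runs under a same-named account that holds none of these bindings. The helper is consumed in `rbac.yaml` and `serviceaccount.yaml`, so the same mismatch applies there. I would have the helper return the release namespace only, `{{- .Release.Namespace -}}`, or `fail` the render when the two differ, and remove the value from the README table.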
@@ -0,0 +1,58 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ include "contour-gateway-provisioner.fullname" . }}
+ labels:
+ {{- include "contour-gateway-provisioner.labels" . | nindent 4 }}
+spec:
+ replicas: {{ .Values.replicaCount }}
+ selector:
+ matchLabels:
+ {{- include "contour-gateway-provisioner.selectorLabels" . | nindent 6 }}
+ template:
+ metadata:
+ labels:
+ {{- include "contour-gateway-provisioner.labels" . | nindent 8 }}
+ {{- if .Values.podAnnotations }}
+ annotations: {{- toYaml .Values.podAnnotations | nindent 8 }}
+ {{- end }}
+ spec:
+ serviceAccountName: {{ include "contour-gateway-provisioner.serviceAccountName" . }}
+ {{- with .Values.image.pullSecrets }}
+ imagePullSecrets:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.nodeSelector }}
+ nodeSelector:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.affinity }}
+ affinity:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.tolerations }}
+ tolerations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ terminationGracePeriodSeconds: 10
+ containers:
+ - name: contour-gateway-provisioner
+ image: "{{ .Values.image.registry }}/{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+ imagePullPolicy: {{ .Values.image.pullPolicy }}
+ command:
+ - contour
+ args:
+ - gateway-provisioner
+ - --metrics-addr={{ .Values.metricsAddress }}
+ - --enable-leader-election
+ {{- with .Values.extraArgs }}
+ {{- toYaml . | nindent 12 }}
+ {{- end }}
+ env:
+ - name: CONTOUR_PROVISIONER_NAMESPACE
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.namespace
+ resources:
+ {{- toYaml .Values.resources | nindent 12 }}
diff --git a/charts/contour-gateway-provisioner/templates/rbac.yaml b/charts/contour-gateway-provisioner/templates/rbac.yaml
new file mode 100644
index 0000000..3a2c569
--- /dev/null
+++ b/charts/contour-gateway-provisioner/templates/rbac.yaml
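Review bot: The pod template in `deployment.yaml` sets no `securityContext` at pod or container level, and `values.yaml` exposes no value for one, so the controller runs with whatever user the image declares and the runtime's default capabilities. Given the cluster-wide write access this ServiceAccount is bound to in `rbac.yaml`, I would add a restrictive container default that operators can override. Whether the image declares a non-root user and tolerates a read-only root filesystem is not visible here and needs confirming before merging. Separately, `podLabels` is defined in `values.yaml` but never rendered in this template.

```yaml
      containers:
        - name: contour-gateway-provisioner
          # … unchanged: image, imagePullPolicy, command, args, env …
          securityContext:
            # If the image declares no non-root user, also set runAsUser.
            runAsNonRoot: true
            allowPrivilegeEscalation: false
            # Confirm the controller needs no writable paths.
            readOnlyRootFilesystem: true
            capabilities:
              drop:
                - ALL
            seccompProfile:
              type: RuntimeDefault
          # … unchanged: resources …
```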
@@ -0,0 +1,220 @@
+{{- if .Values.rbac.create }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ include "contour-gateway-provisioner.fullname" . }}
+ labels:
+ {{- include "contour-gateway-provisioner.labels" . | nindent 4 }}
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - configmaps
+ - namespaces
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - ""
+ resources:
+ - events
+ verbs:
+ - create
+ - get
+ - update
+ - apiGroups:
+ - ""
+ resources:
+ - secrets
+ - serviceaccounts
+ - services
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - update
+ - watch
+ - apiGroups:
+ - apiextensions.k8s.io
+ resources:
+ - customresourcedefinitions
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - apps
+ resources:
+ - daemonsets
+ - deployments
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - update
+ - watch
+ - apiGroups:
+ - coordination.k8s.io
+ resources:
+ - leases
+ verbs:
+ - create
+ - get
+ - update
+ - apiGroups:
+ - discovery.k8s.io
+ resources:
+ - endpointslices
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - gateway.networking.k8s.io
+ resources:
+ - backendtlspolicies
+ - gatewayclasses
+ - gateways
+ - grpcroutes
+ - httproutes
+ - referencegrants
+ - tcproutes
+ - tlsroutes
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - gateway.networking.k8s.io
+ resources:
+ - backendtlspolicies/status
+ - gatewayclasses/status
+ - gateways/status
+ - grpcroutes/status
+ - httproutes/status
+ - tcproutes/status
+ - tlsroutes/status
+ verbs:
+ - update
+ - apiGroups:
+ - networking.k8s.io
+ resources:
+ - ingresses
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - networking.k8s.io
+ resources:
+ - ingresses/status
+ verbs:
+ - create
+ - get
+ - update
+ - apiGroups:
+ - projectcontour.io
+ resources:
+ - contourconfigurations
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - update
+ - watch
+ - apiGroups:
+ - projectcontour.io
+ resources:
+ - contourconfigurations/status
+ - extensionservices/status
+ - httpproxies/status
+ verbs:
+ - create
+ - get
+ - update
+ - apiGroups:
+ - projectcontour.io
+ resources:
+ - contourdeployments
+ - extensionservices
+ - httpproxies
+ - tlscertificatedelegations
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - rbac.authorization.k8s.io
+ resources:
+ - clusterrolebindings
+ - clusterroles
+ - rolebindings
+ - roles
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - update
+ - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ include "contour-gateway-provisioner.fullname" . }}
+ labels:
+ {{- include "contour-gateway-provisioner.labels" . | nindent 4 }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: {{ include "contour-gateway-provisioner.fullname" . }}
+subjects:
+ - kind: ServiceAccount
+ name: {{ include "contour-gateway-provisioner.serviceAccountName" . }}
+ namespace: {{ include "contour-gateway-provisioner.serviceAccountNamespace" . | quote }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ include "contour-gateway-provisioner.fullname" . }}
+ namespace: {{ include "contour-gateway-provisioner.serviceAccountNamespace" . | quote }}
+ labels:
+ {{- include "contour-gateway-provisioner.labels" . | nindent 4 }}
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - events
+ verbs:
+ - create
+ - get
+ - update
+ - apiGroups:
+ - coordination.k8s.io
+ resources:
+ - leases
+ verbs:
+ - create
+ - get
+ - update
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ printf "%s-leader-election" (include "contour-gateway-provisioner.fullname" .) }}
+ namespace: {{ include "contour-gateway-provisioner.serviceAccountNamespace" . | quote }}
+ labels:
+ {{- include "contour-gateway-provisioner.labels" . | nindent 4 }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ include "contour-gateway-provisioner.fullname" . }}
+subjects:
+ - kind: ServiceAccount
+ name: {{ include "contour-gateway-provisioner.serviceAccountName" . }}
+ namespace: {{ include "contour-gateway-provisioner.serviceAccountNamespace" . | quote }}
+{{- end }}
diff --git a/charts/contour-gateway-provisioner/templates/serviceaccount.yaml b/charts/contour-gateway-provisioner/templates/serviceaccount.yaml
new file mode 100644
index 0000000..8c2e310
--- /dev/null
+++ b/charts/contour-gateway-provisioner/templates/serviceaccount.yaml
@@ -0,0 +1,13 @@
+{{- if .Values.serviceAccount.create }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ include "contour-gateway-provisioner.serviceAccountName" . }}
+ namespace: {{ include "contour-gateway-provisioner.serviceAccountNamespace" . }}
+ labels:
+ {{- include "contour-gateway-provisioner.labels" . | nindent 4 }}
+ {{- if .Values.serviceAccount.annotations }}
+ annotations: {{- toYaml .Values.serviceAccount.annotations | nindent 4 }}
+ {{- end }}
+automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }}
+{{- end }}
diff --git a/charts/contour-gateway-provisioner/values.yaml b/charts/contour-gateway-provisioner/values.yaml
new file mode 100644
index 0000000..338f1e9
--- /dev/null
+++ b/charts/contour-gateway-provisioner/values.yaml
@@ -0,0 +1,36 @@
+replicaCount: 1
+
+image:
+ registry: ghcr.io
+ repository: projectcontour/contour
+ tag: v1.33.0
+ pullPolicy: IfNotPresent
+ pullSecrets: []
+
+serviceAccount:
+ create: true
+ name: ""
+ namespace: ""
+ annotations: {}
+ automountServiceAccountToken: true
+
+podAnnotations: {}
+podLabels: {}
+
+nodeSelector: {}
+tolerations: []
+affinity: {}
+
+resources:
+ requests:
+ cpu: 100m
+ memory: 70Mi
+ limits: {}
+
+## Arguments
+metricsAddress: "127.0.0.1:8080"
+extraArgs: []
+
+## RBAC
+rbac:
+ create: true
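Review bot: The ClusterRole in `rbac.yaml` grants `create`/`delete`/`update` on `secrets` in every namespace and write verbs on `clusterroles`, `clusterrolebindings`, `roles` and `rolebindings`, with no comment or README text telling operators how privileged this ServiceAccount is. I would put a comment above those two rules, e.g. `# Used to create per-Gateway workloads and their RBAC; treat this ServiceAccount's token as highly privileged.`, once the reason is confirmed against the provisioner. The `events` and `leases` rules are duplicated in the namespaced Role further down; if leases are only taken for leader election in the provisioner's own namespace, the cluster-wide `leases` rule can be dropped. The Role is named with the bare fullname while its RoleBinding adds `-leader-election`, so naming both the same would make the pair easier to audit.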
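Review bot: `image.tag` in `values.yaml` hard-codes `v1.33.0` separately from `appVersion: 1.33.0` in `Chart.yaml`, so the two can drift on the next bump, and the image reference built in `deployment.yaml` has no way to pin by digest. I would default the tag from the chart, `{{ .Values.image.tag | default (printf "v%s" .Chart.AppVersion) }}`, and accept an optional `image.digest` that is rendered as `@<digest>` in place of the tag when set. Quoting `appVersion: "1.33.0"` in `Chart.yaml` also keeps a future two-part version from being read as a float.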