From 4ef64f3c730d1146218804090365cfbcf23eeebd Mon Sep 17 00:00:00 2001 From: Dave van Duivenbode Date: Tue, 2 Dec 2025 12:57:30 +0100 Subject: [PATCH 1/3] Add standalone contour gateway provisioner chart Signed-off-by: Dave van Duivenbode
--- charts/contour-gateway-provisioner/Chart.yaml | 11 + charts/contour-gateway-provisioner/README.md | 48 ++++ .../templates/_helpers.tpl | 41 ++++ .../templates/deployment.yaml | 58 +++++ .../templates/rbac.yaml | 220 ++++++++++++++++++ .../templates/serviceaccount.yaml | 12 + .../contour-gateway-provisioner/values.yaml | 35 +++ 7 files changed, 425 insertions(+) create mode 100644 charts/contour-gateway-provisioner/Chart.yaml create mode 100644 charts/contour-gateway-provisioner/README.md create mode 100644 charts/contour-gateway-provisioner/templates/_helpers.tpl create mode 100644 charts/contour-gateway-provisioner/templates/deployment.yaml create mode 100644 charts/contour-gateway-provisioner/templates/rbac.yaml create mode 100644 charts/contour-gateway-provisioner/templates/serviceaccount.yaml create mode 100644 charts/contour-gateway-provisioner/values.yaml
diff --git a/charts/contour-gateway-provisioner/Chart.yaml b/charts/contour-gateway-provisioner/Chart.yaml
new file mode 100644
index 0000000..b6de210
--- /dev/null
+++ b/charts/contour-gateway-provisioner/Chart.yaml
@@ -0,0 +1,11 @@
+apiVersion: v2
+name: contour-gateway-provisioner
+description: Contour Gateway API provisioner deployment chart.
+type: application
+version: 0.1.0
+appVersion: 1.33.0
+home: https://projectcontour.io/
+sources:
+ - https://github.com/projectcontour/contour
+maintainers:
+ - name: Contour Team
diff --git a/charts/contour-gateway-provisioner/README.md b/charts/contour-gateway-provisioner/README.md
new file mode 100644
index 0000000..d909fa0
--- /dev/null
+++ b/charts/contour-gateway-provisioner/README.md
@@ -0,0 +1,48 @@
+# Helm Chart for Contour Gateway Provisioner
+
+Deploys the Contour Gateway API provisioner controller using the upstream example manifest for dynamically provisioned Gateways.
+
+## Installing the Chart
+
+```console
+helm repo add contour https://projectcontour.github.io/helm-charts/
+helm repo update
+helm install my-provisioner contour/contour-gateway-provisioner
+```
+
+> **Tip**: List all releases using `helm list` or `helm ls --all-namespaces`
+
+## Local testing
+
+Render manifests locally from this repo:
+
+```console
+helm template test ./charts/contour-gateway-provisioner
+```
+
+Override values inline for quick checks (example disabling RBAC):
+
+```console
+helm template test ./charts/contour-gateway-provisioner \
+ --set rbac.create=false
+```
+
+## Configuration
+
+| Name | Description | Value |
+| ------------------------ | ------------------------------------------------------------------- | -------------- |
+| `image.registry` | Contour image registry | `ghcr.io` |
+| `image.repository` | Contour image name | `projectcontour/contour` |
+| `image.tag` | Contour image tag | `v1.33.0` |
+| `image.pullPolicy` | Image pull policy | `IfNotPresent` |
+| `image.pullSecrets` | Image pull secrets | `[]` |
+| `replicaCount` | Provisioner controller replicas | `1` |
+| `metricsAddress` | Metrics bind address | `127.0.0.1:8080` |
+| `serviceAccount.create` | Create a ServiceAccount for the provisioner | `true` |
+| `serviceAccount.name` | Override ServiceAccount name | `""` |
+| `serviceAccount.annotations` | Annotations for the ServiceAccount | `{}` |
+| `serviceAccount.automountServiceAccountToken` | Automount ServiceAccount token | `true` |
+| `resources.requests` | Resource requests for the controller | `cpu: 100m`, `memory: 70Mi` |
+| `resources.limits` | Resource limits for the controller | `{}` |
+| `rbac.create` | Create RBAC resources | `true` |
+| `extraArgs` | Extra CLI args appended to `contour gateway-provisioner` | `[]` |
diff --git a/charts/contour-gateway-provisioner/templates/_helpers.tpl b/charts/contour-gateway-provisioner/templates/_helpers.tpl
new file mode 100644
index 0000000..8af69ea
--- /dev/null
+++ b/charts/contour-gateway-provisioner/templates/_helpers.tpl
@@ -0,0 +1,41 @@
+{{- /*
+Common template helpers
+*/ -}}
+
+{{- define "contour-gateway-provisioner.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{- define "contour-gateway-provisioner.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := include "contour-gateway-provisioner.name" . -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "contour-gateway-provisioner.labels" -}}
+app.kubernetes.io/name: {{ include "contour-gateway-provisioner.name" . }}
+helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+app.kubernetes.io/component: gateway-provisioner
+{{- end -}}
+
+{{- define "contour-gateway-provisioner.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "contour-gateway-provisioner.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end -}}
+
+{{- define "contour-gateway-provisioner.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create -}}
+{{- default (include "contour-gateway-provisioner.fullname" .) .Values.serviceAccount.name -}}
+{{- else -}}
+{{- default "default" .Values.serviceAccount.name -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/contour-gateway-provisioner/templates/deployment.yaml b/charts/contour-gateway-provisioner/templates/deployment.yaml
new file mode 100644
index 0000000..fa4eb1b
--- /dev/null
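Review bot: With `serviceAccount.create=false` and no `serviceAccount.name`, the `serviceAccountName` helper falls back to `default`, so with `rbac.create=true` the ClusterRoleBinding in rbac.yaml (same patch) names the namespace's `default` ServiceAccount as its subject. That is the account pods run as when they set no `serviceAccountName`, so every such pod in the release namespace would inherit the provisioner's cluster-wide Secret and RBAC write access. I would fail rendering instead of guessing, by replacing the else branch with `{{- required "serviceAccount.name must be set when serviceAccount.create is false" .Values.serviceAccount.name -}}`.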
+++ b/charts/contour-gateway-provisioner/templates/deployment.yaml
@@ -0,0 +1,58 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ include "contour-gateway-provisioner.fullname" . }}
+ labels:
+ {{- include "contour-gateway-provisioner.labels" . | nindent 4 }}
+spec:
+ replicas: {{ .Values.replicaCount }}
+ selector:
+ matchLabels:
+ {{- include "contour-gateway-provisioner.selectorLabels" . | nindent 6 }}
+ template:
+ metadata:
+ labels:
+ {{- include "contour-gateway-provisioner.labels" . | nindent 8 }}
+ {{- if .Values.podAnnotations }}
+ annotations: {{- toYaml .Values.podAnnotations | nindent 8 }}
+ {{- end }}
+ spec:
+ serviceAccountName: {{ include "contour-gateway-provisioner.serviceAccountName" . }}
+ {{- with .Values.image.pullSecrets }}
+ imagePullSecrets:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.nodeSelector }}
+ nodeSelector:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.affinity }}
+ affinity:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.tolerations }}
+ tolerations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ terminationGracePeriodSeconds: 10
+ containers:
+ - name: contour-gateway-provisioner
+ image: "{{ .Values.image.registry }}/{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+ imagePullPolicy: {{ .Values.image.pullPolicy }}
+ command:
+ - contour
+ args:
+ - gateway-provisioner
+ - --metrics-addr={{ .Values.metricsAddress }}
+ - --enable-leader-election
+ {{- with .Values.extraArgs }}
+ {{- toYaml . | nindent 12 }}
+ {{- end }}
+ env:
+ - name: CONTOUR_PROVISIONER_NAMESPACE
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.namespace
+ resources:
+ {{- toYaml .Values.resources | nindent 12 }}
diff --git a/charts/contour-gateway-provisioner/templates/rbac.yaml b/charts/contour-gateway-provisioner/templates/rbac.yaml
new file mode 100644
index 0000000..c9cf3f6
--- /dev/null
+++ b/charts/contour-gateway-provisioner/templates/rbac.yaml
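Review bot: The pod template in deployment.yaml sets no `securityContext` at pod or container level, even though this pod runs as a ServiceAccount that rbac.yaml (same patch) binds to cluster-wide write access on Secrets and RBAC objects. Nothing in the visible command or args suggests the provisioner needs root, extra capabilities or a writable root filesystem, so I would add a restrictive container securityContext after `resources:` and preferably make it overridable from values. `readOnlyRootFilesystem` and `runAsNonRoot` should be confirmed against the image before merging, since the image's user is not visible here.

```yaml
          # … unchanged: name, image, command, args, env …
          resources:
            {{- toYaml .Values.resources | nindent 12 }}
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            runAsNonRoot: true
            capabilities:
              drop:
                - ALL
            seccompProfile:
              type: RuntimeDefault
```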
@@ -0,0 +1,220 @@
+{{- if .Values.rbac.create }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ include "contour-gateway-provisioner.fullname" . }}
+ labels:
+ {{- include "contour-gateway-provisioner.labels" . | nindent 4 }}
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - configmaps
+ - namespaces
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - ""
+ resources:
+ - events
+ verbs:
+ - create
+ - get
+ - update
+ - apiGroups:
+ - ""
+ resources:
+ - secrets
+ - serviceaccounts
+ - services
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - update
+ - watch
+ - apiGroups:
+ - apiextensions.k8s.io
+ resources:
+ - customresourcedefinitions
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - apps
+ resources:
+ - daemonsets
+ - deployments
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - update
+ - watch
+ - apiGroups:
+ - coordination.k8s.io
+ resources:
+ - leases
+ verbs:
+ - create
+ - get
+ - update
+ - apiGroups:
+ - discovery.k8s.io
+ resources:
+ - endpointslices
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - gateway.networking.k8s.io
+ resources:
+ - backendtlspolicies
+ - gatewayclasses
+ - gateways
+ - grpcroutes
+ - httproutes
+ - referencegrants
+ - tcproutes
+ - tlsroutes
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - gateway.networking.k8s.io
+ resources:
+ - backendtlspolicies/status
+ - gatewayclasses/status
+ - gateways/status
+ - grpcroutes/status
+ - httproutes/status
+ - tcproutes/status
+ - tlsroutes/status
+ verbs:
+ - update
+ - apiGroups:
+ - networking.k8s.io
+ resources:
+ - ingresses
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - networking.k8s.io
+ resources:
+ - ingresses/status
+ verbs:
+ - create
+ - get
+ - update
+ - apiGroups:
+ - projectcontour.io
+ resources:
+ - contourconfigurations
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - update
+ - watch
+ - apiGroups:
+ - projectcontour.io
+ resources:
+ - contourconfigurations/status
+ - extensionservices/status
+ - httpproxies/status
+ verbs:
+ - create
+ - get
+ - update
+ - apiGroups:
+ - projectcontour.io
+ resources:
+ - contourdeployments
+ - extensionservices
+ - httpproxies
+ - tlscertificatedelegations
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - rbac.authorization.k8s.io
+ resources:
+ - clusterrolebindings
+ - clusterroles
+ - rolebindings
+ - roles
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - update
+ - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ include "contour-gateway-provisioner.fullname" . }}
+ labels:
+ {{- include "contour-gateway-provisioner.labels" . | nindent 4 }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: {{ include "contour-gateway-provisioner.fullname" . }}
+subjects:
+ - kind: ServiceAccount
+ name: {{ include "contour-gateway-provisioner.serviceAccountName" . }}
+ namespace: {{ .Release.Namespace | quote }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ include "contour-gateway-provisioner.fullname" . }}
+ namespace: {{ .Release.Namespace | quote }}
+ labels:
+ {{- include "contour-gateway-provisioner.labels" . | nindent 4 }}
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - events
+ verbs:
+ - create
+ - get
+ - update
+ - apiGroups:
+ - coordination.k8s.io
+ resources:
+ - leases
+ verbs:
+ - create
+ - get
+ - update
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ printf "%s-leader-election" (include "contour-gateway-provisioner.fullname" .) }}
+ namespace: {{ .Release.Namespace | quote }}
+ labels:
+ {{- include "contour-gateway-provisioner.labels" . | nindent 4 }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ include "contour-gateway-provisioner.fullname" . }}
+subjects:
+ - kind: ServiceAccount
+ name: {{ include "contour-gateway-provisioner.serviceAccountName" . }}
+ namespace: {{ .Release.Namespace | quote }}
+{{- end }}
diff --git a/charts/contour-gateway-provisioner/templates/serviceaccount.yaml b/charts/contour-gateway-provisioner/templates/serviceaccount.yaml
new file mode 100644
index 0000000..80de441
--- /dev/null
+++ b/charts/contour-gateway-provisioner/templates/serviceaccount.yaml
@@ -0,0 +1,12 @@
+{{- if .Values.serviceAccount.create }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ include "contour-gateway-provisioner.serviceAccountName" . }}
+ labels:
+ {{- include "contour-gateway-provisioner.labels" . | nindent 4 }}
+ {{- if .Values.serviceAccount.annotations }}
+ annotations: {{- toYaml .Values.serviceAccount.annotations | nindent 4 }}
+ {{- end }}
+automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }}
+{{- end }}
diff --git a/charts/contour-gateway-provisioner/values.yaml b/charts/contour-gateway-provisioner/values.yaml
new file mode 100644
index 0000000..8cb11e6
--- /dev/null
+++ b/charts/contour-gateway-provisioner/values.yaml
@@ -0,0 +1,35 @@
+replicaCount: 1
+
+image:
+ registry: ghcr.io
+ repository: projectcontour/contour
+ tag: v1.33.0
+ pullPolicy: IfNotPresent
+ pullSecrets: []
+
+serviceAccount:
+ create: true
+ name: ""
+ annotations: {}
+ automountServiceAccountToken: true
+
+podAnnotations: {}
+podLabels: {}
+
+nodeSelector: {}
+tolerations: []
+affinity: {}
+
+resources:
+ requests:
+ cpu: 100m
+ memory: 70Mi
+ limits: {}
+
+## Arguments
+metricsAddress: "127.0.0.1:8080"
+extraArgs: []
+
+## RBAC
+rbac:
+ create: true
From 2978d5e059b75e5f89894a22d3232ecdde71f8fb Mon Sep 17 00:00:00 2001 From: Dave van Duivenbode Date: Tue, 2 Dec 2025 13:25:43 +0100 Subject: [PATCH 2/3] Fix gateway provisioner RBAC namespace handling
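Review bot: The ClusterRole in rbac.yaml grants create/update/delete plus get/list/watch on `secrets`, and on `clusterroles`, `clusterrolebindings`, `roles` and `rolebindings`, in every namespace, and neither the template nor the README says why or what that implies for whoever holds this ServiceAccount's token. Presumably the provisioner needs these to create a Contour instance per Gateway, but that is not visible here, so I would add a header comment such as `# Cluster-wide write access to Secrets and RBAC objects: anything running as this ServiceAccount can read every Secret in the cluster.` and repeat the point in the README next to `rbac.create`. The ClusterRole and ClusterRoleBinding are also named from `fullname` alone, so two releases with the same name in different namespaces would contend for the same cluster-scoped objects; including `.Release.Namespace` in those names would avoid that.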
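Review bot: `podLabels: {}` is declared in values.yaml but no template in this patch reads it; deployment.yaml builds the pod labels only from the `labels` helper, so setting `podLabels` has no effect and raises no error. Either drop the key or render it under `template.metadata.labels`, e.g. `{{- with .Values.podLabels }}{{- toYaml . | nindent 8 }}{{- end }}`. `image.tag` is also fixed at `v1.33.0` next to `appVersion: 1.33.0` in Chart.yaml, so the two can drift; defaulting the tag from `.Chart.AppVersion` would keep them in step.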
Signed-off-by: Dave van Duivenbode --- charts/contour-gateway-provisioner/README.md | 1 + charts/contour-gateway-provisioner/templates/_helpers.tpl | 4 ++++ charts/contour-gateway-provisioner/templates/rbac.yaml | 8 ++++---- .../templates/serviceaccount.yaml | 1 + charts/contour-gateway-provisioner/values.yaml | 1 + 5 files changed, 11 insertions(+), 4 deletions(-) diff --git a/charts/contour-gateway-provisioner/README.md b/charts/contour-gateway-provisioner/README.md index d909fa0..4d75177 100644 --- a/charts/contour-gateway-provisioner/README.md +++ b/charts/contour-gateway-provisioner/README.md @@ -40,6 +40,7 @@ helm template test ./charts/contour-gateway-provisioner \ | `metricsAddress` | Metrics bind address | `127.0.0.1:8080` | | `serviceAccount.create` | Create a ServiceAccount for the provisioner | `true` | | `serviceAccount.name` | Override ServiceAccount name | `""` | +| `serviceAccount.namespace` | Override ServiceAccount namespace used in RBAC subjects | `""` | | `serviceAccount.annotations` | Annotations for the ServiceAccount | `{}` | | `serviceAccount.automountServiceAccountToken` | Automount ServiceAccount token | `true` | | `resources.requests` | Resource requests for the controller | `cpu: 100m`, `memory: 70Mi` | diff --git a/charts/contour-gateway-provisioner/templates/_helpers.tpl b/charts/contour-gateway-provisioner/templates/_helpers.tpl index 8af69ea..71f1cee 100644 --- a/charts/contour-gateway-provisioner/templates/_helpers.tpl +++ b/charts/contour-gateway-provisioner/templates/_helpers.tpl @@ -39,3 +39,7 @@ app.kubernetes.io/instance: {{ .Release.Name }} {{- default "default" .Values.serviceAccount.name -}} {{- end -}} {{- end -}} + +{{- define "contour-gateway-provisioner.serviceAccountNamespace" -}} +{{- default .Release.Namespace .Values.serviceAccount.namespace -}} +{{- end -}} diff --git a/charts/contour-gateway-provisioner/templates/rbac.yaml b/charts/contour-gateway-provisioner/templates/rbac.yaml index c9cf3f6..3a2c569 100644 
--- a/charts/contour-gateway-provisioner/templates/rbac.yaml +++ b/charts/contour-gateway-provisioner/templates/rbac.yaml @@ -175,13 +175,13 @@ roleRef: subjects: - kind: ServiceAccount name: {{ include "contour-gateway-provisioner.serviceAccountName" . }} - namespace: {{ .Release.Namespace | quote }} + namespace: {{ include "contour-gateway-provisioner.serviceAccountNamespace" . | quote }} --- apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: {{ include "contour-gateway-provisioner.fullname" . }} - namespace: {{ .Release.Namespace | quote }} + namespace: {{ include "contour-gateway-provisioner.serviceAccountNamespace" . | quote }} labels: {{- include "contour-gateway-provisioner.labels" . | nindent 4 }} rules: @@ -206,7 +206,7 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: {{ printf "%s-leader-election" (include "contour-gateway-provisioner.fullname" .) }} - namespace: {{ .Release.Namespace | quote }} + namespace: {{ include "contour-gateway-provisioner.serviceAccountNamespace" . | quote }} labels: {{- include "contour-gateway-provisioner.labels" . | nindent 4 }} roleRef: @@ -216,5 +216,5 @@ roleRef: subjects: - kind: ServiceAccount name: {{ include "contour-gateway-provisioner.serviceAccountName" . }} - namespace: {{ .Release.Namespace | quote }} + namespace: {{ include "contour-gateway-provisioner.serviceAccountNamespace" . | quote }} {{- end }} diff --git a/charts/contour-gateway-provisioner/templates/serviceaccount.yaml b/charts/contour-gateway-provisioner/templates/serviceaccount.yaml index 80de441..8c2e310 100644 --- a/charts/contour-gateway-provisioner/templates/serviceaccount.yaml +++ b/charts/contour-gateway-provisioner/templates/serviceaccount.yaml 
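Review bot: Setting `serviceAccount.namespace` now moves the Role, the RoleBinding, both binding subjects and (in the serviceaccount.yaml hunk of this patch) the ServiceAccount itself into that namespace, while the Deployment template from patch 1 has no `metadata.namespace` and still lands in the release namespace. A pod can only run as a ServiceAccount in its own namespace, so with the override set the provisioner pod either fails to be created or runs as a same-named account that none of these bindings cover. If the intent is only to point RBAC subjects at a pre-existing account, the Role and RoleBinding `metadata.namespace` should stay on `.Release.Namespace` (presumably where the leader-election leases are written, given `CONTOUR_PROVISIONER_NAMESPACE` is the pod's namespace) and serviceaccount.yaml should not take the override; otherwise the Deployment needs the same namespace. The new `namespace:` line in serviceaccount.yaml also omits the `| quote` used on every namespace line in rbac.yaml.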
@@ -3,6 +3,7 @@ apiVersion: v1 kind: ServiceAccount metadata: name: {{ include "contour-gateway-provisioner.serviceAccountName" . }} + namespace: {{ include "contour-gateway-provisioner.serviceAccountNamespace" . }} labels: {{- include "contour-gateway-provisioner.labels" . | nindent 4 }} {{- if .Values.serviceAccount.annotations }} diff --git a/charts/contour-gateway-provisioner/values.yaml b/charts/contour-gateway-provisioner/values.yaml index 8cb11e6..338f1e9 100644 --- a/charts/contour-gateway-provisioner/values.yaml +++ b/charts/contour-gateway-provisioner/values.yaml @@ -10,6 +10,7 @@ image: serviceAccount: create: true name: "" + namespace: "" annotations: {} automountServiceAccountToken: true From de1aa3f6759819f7082d02a778fb1ff7802e037c Mon Sep 17 00:00:00 2001 From: Dave van Duivenbode Date: Tue, 2 Dec 2025 13:30:13 +0100 Subject: [PATCH 3/3] Document CRD requirement for gateway provisioner Signed-off-by: Dave van Duivenbode --- charts/contour-gateway-provisioner/README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/charts/contour-gateway-provisioner/README.md b/charts/contour-gateway-provisioner/README.md index 4d75177..3b57b26 100644 --- a/charts/contour-gateway-provisioner/README.md +++ b/charts/contour-gateway-provisioner/README.md @@ -2,6 +2,8 @@ Deploys the Contour Gateway API provisioner controller using the upstream example manifest for dynamically provisioned Gateways. +> **Note:** The Gateway API and Contour CRDs must be installed in the cluster before running the provisioner. It watches those resources (GatewayClass, Gateway, ContourDeployment, etc.) and will fail without the CRDs present. + ## Installing the Chart ```console