first commit

2026-01-21 17:37:42 +11:00
commit bd1ed71ac4
142 changed files with 18994 additions and 0 deletions


@@ -0,0 +1,8 @@
Thank you for installing the {{ .Chart.Name }} chart for the Amplify Integration Platform.
Your release is named {{ .Release.Name }}.
To learn more about the release, try:
$ helm status {{ .Release.Name }}
$ helm get all {{ .Release.Name }}


@@ -0,0 +1,59 @@
{{/*
Envoy.
*/}}
{{- define "envoy.name" -}}
{{- default "envoy" .Values.envoy.nameOverride | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "envoy.fullname" -}}
{{- if .Values.envoy.fullnameOverride }}
{{- .Values.envoy.fullnameOverride | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- $name := default "envoy" .Values.envoy.nameOverride }}
{{- if contains $name .Release.Name }}
{{- .Release.Name | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
{{- end }}
{{- end }}
{{- end }}
{{/*
Common labels
*/}}
{{- define "envoy.labels" -}}
{{ include "dataplane.labels" . }}
{{ include "envoy.selectorLabels" . }}
{{- end }}
{{/*
Selector labels
*/}}
{{- define "envoy.selectorLabels" -}}
app.kubernetes.io/name: {{ include "envoy.name" . }}
app: {{ include "envoy.appName" . }}
dplane: "envoy"
{{- end }}
{{/*
Create the name of the service account to use
*/}}
{{- define "envoy.serviceAccountName" -}}
{{- if .Values.envoy.serviceAccount.create }}
{{- default (include "envoy.fullname" .) .Values.envoy.serviceAccount.name }}
{{- else }}
{{- default "default" .Values.envoy.serviceAccount.name }}
{{- end }}
{{- end }}
{{- define "envoy.appName" -}}
{{- $name := default "envoy" .Values.envoy.nameOverride -}}
{{- $env := default "envoy" .Values.global.appEnv -}}
{{- printf "%s-%s" $name $env | trunc 63 | trimSuffix "-" -}}
{{- end }}
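Review bot: `envoy.serviceAccountName` keys off `.Values.envoy.serviceAccount.create`, but the ServiceAccount manifest in this commit (last file on the page) is gated on `.Values.envoy.serviceAccount.enabled` and `.preexisting`, and the Deployment sets `serviceAccountName` only when `.enabled` is true. With `enabled: true` and `create` unset, the helper falls through to `default "default" .Values.envoy.serviceAccount.name`, so with no explicit name the chart tries to create a ServiceAccount literally called `default` and the pod is bound to that account rather than to a release-owned one. Align the two on one flag, e.g. `{{- if .Values.envoy.serviceAccount.enabled }}` in this helper, or define `create` in values.yaml as `enabled and not preexisting` and use it in both places.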


@@ -0,0 +1,47 @@
{{- if .Values.envoy.calicoNetpol.enabled }}
apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
name: {{ template "envoy.appName" . }}
namespace: {{ .Release.Namespace }}
spec:
order: 10
selector: dplane == 'envoy'
types:
- Ingress
- Egress
ingress:
### traffic from the load balancer ###
- action: Allow
protocol: TCP
source: {{ toYaml .Values.envoy.calicoNetpol.subnetEntityRule | nindent 8 }}
destination:
ports:
{{- range .Values.envoy.service.ports }}
- {{ .targetPort }}
{{end }}
egress:
# allow to communicate to DNS pods
- action: Allow
protocol: UDP
destination:
namespaceSelector: projectcalico.org/name == 'kube-system'
ports:
- 53
- action: Allow
protocol: TCP
destination:
namespaceSelector: projectcalico.org/name == 'kube-system'
ports:
- 53
### all egress traffic to the inbound-worker,orchestrator ###
- action: Allow
protocol: TCP
destination:
selector: dplane == 'inbound-worker' || dplane == 'orchestrator' || dplane == 'pep-server'
namespaceSelector: projectcalico.org/name == '{{ .Release.Namespace }}'
### Traffic to the internet ###
- action: Allow
protocol: TCP
destination: {{ toYaml .Values.envoy.calicoNetpol.outboundRule | nindent 8 }}
{{- end}}
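Review bot: The ingress allowlist is built from `.Values.envoy.service.ports` regardless of `.Values.global.multihost.enabled`, but in multihost mode the Service in this commit hardcodes targetPorts 2222, 8443 and 9080 instead of using that list, so the policy can either open ports nothing listens on or leave the multihost listeners unreachable from the load balancer. Mirror the Service's branching here, e.g. `{{- if .Values.global.multihost.enabled }}` emitting `- 2222`, `- 8443`, `- 9080`, with the existing range in the else branch. Because `types` includes Egress, anything not listed is denied, so any future pod-to-pod dependency (a new cluster in envoy.yaml) must be added to the `dplane` selector here or it will fail silently at the network layer. The `{{end }}` closing the range should be `{{- end }}` so no blank lines are emitted inside the port list.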


@@ -0,0 +1,602 @@
{{- if eq .Values.common.externalConfigMaps false }}
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ template "envoy.appName" . }}
labels:
{{ include "envoy.labels" . | indent 4 }}
data:
{{- range $key, $value := .Values.envoy.files }}
{{ $key }}: |-
{{ $value | default "" | indent 4 }}
{{- end -}}
{{- if (index .Values.envoy.templates "envoy.yaml") }}
envoy.yaml: |-
{{ $valueWithDefault := default "" (index .Values.envoy.templates "envoy.yaml") -}}
{{ tpl $valueWithDefault $ | indent 4 }}
{{- else }}
envoy.yaml: |-
node:
cluster: ampint-gw
id: ampint-gw
admin:
address:
socket_address:
address: 0.0.0.0
port_value: {{ .Values.envoy.adminPorts.admin.containerPort }}
dynamic_resources:
cds_config:
resource_api_version: V3
api_config_source:
api_type: GRPC
transport_api_version: V3
grpc_services:
- envoy_grpc:
cluster_name: xds_cluster
lds_config:
resource_api_version: V3
api_config_source:
api_type: GRPC
transport_api_version: V3
grpc_services:
- envoy_grpc:
cluster_name: xds_cluster
static_resources:
listeners:
- name: internal
address:
socket_address:
address: 0.0.0.0
port_value: 9902
filter_chains:
- filters:
- name: envoy.filters.network.http_connection_manager
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
stat_prefix: internal
codec_type: AUTO
stream_idle_timeout: 15s
use_remote_address: true
xff_num_trusted_hops: 0
common_http_protocol_options:
idle_timeout: 15s
route_config:
name: internal
validate_clusters: false
virtual_hosts:
- name: internal
domains:
- "*"
routes:
- match:
path: "/started"
route:
cluster: blackhole
http_filters:
- name: envoy.filters.http.lua
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua
inline_code: |
function envoy_on_request(request_handle)
local headers, body = request_handle:httpCall(
"service_admin",
{
[":method"] = "GET",
[":path"] = "/stats?filter=http.apim.rds.ampint-api.update_success&format=text",
[":authority"] = "internal"
},
"", 2000, false)
local headersMtls, bodyMtls = request_handle:httpCall(
"service_admin",
{
[":method"] = "GET",
[":path"] = "/stats?filter=http.apim.rds.ampint-api-mtls.update_success&format=text",
[":authority"] = "internal"
},
"", 2000, false)
local count = string.gsub(body, "^%s*.+:%s*(.-)%s*$", "%1")
local countMtls = string.match(bodyMtls, ":[%s]*(%d+)")
if count == "0" or countMtls == "0" then
request_handle:respond(
{[":status"] = "503"},
"Not Ready")
else
request_handle:respond(
{[":status"] = "200"},
"Ready")
end
end
- name: envoy.filters.http.router
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
{{ if .Values.global.multihost.enabled }}
{{ if .Values.global.multihost.listeners.tcp.http.enabled }}
- name: multiHostHttp
address:
socket_address:
address: 0.0.0.0
port_value: 9080
listener_filters:
- name: envoy.filters.listener.proxy_protocol
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.listener.proxy_protocol.v3.ProxyProtocol
"allow_requests_without_proxy_protocol": true
filter_chains:
- filter_chain_match:
server_names:
- "{{ .Values.global.multihost.listeners.tcp.http.hostPrefix }}.{{ .Values.global.external_domain }}"
- filters:
- name: envoy.filters.network.connection_limit
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.network.connection_limit.v3.ConnectionLimit
stat_prefix: traffic_max_connections
max_connections: 30000
delay: 10s
- name: envoy.filters.network.tcp_proxy
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy
stat_prefix: http
cluster: inbound-worker-http
max_connect_attempts: 3
idle_timeout: {{ .Values.envoy.timeouts.idleTimeout }}
{{- end }}
{{ if .Values.global.multihost.listeners.ssh.sftp.enabled }}
- name: multiHostSftp
address:
socket_address:
address: 0.0.0.0
port_value: 2222
listener_filters:
- name: envoy.filters.listener.proxy_protocol
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.listener.proxy_protocol.v3.ProxyProtocol
"allow_requests_without_proxy_protocol": true
- name: "envoy.filters.listener.tls_inspector"
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.listener.tls_inspector.v3.TlsInspector
filter_chains:
- filter_chain_match:
server_names:
- "{{ .Values.global.multihost.listeners.ssh.sftp.hostPrefix }}.{{ .Values.global.external_domain }}"
- filters:
- name: envoy.filters.network.connection_limit
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.network.connection_limit.v3.ConnectionLimit
stat_prefix: ssh_max_connections
max_connections: 30000
delay: 10s
- name: envoy.filters.network.tcp_proxy
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy
stat_prefix: ssh
cluster: inbound-worker-ssh
max_connect_attempts: 3
idle_timeout: {{ .Values.envoy.timeouts.idleTimeout }}
{{- end }}
{{ else }}
- name: https-1
address:
socket_address:
address: 0.0.0.0
port_value: 9443
listener_filters:
- name: envoy.filters.listener.proxy_protocol
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.listener.proxy_protocol.v3.ProxyProtocol
"allow_requests_without_proxy_protocol": true
- name: "envoy.filters.listener.tls_inspector"
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.listener.tls_inspector.v3.TlsInspector
filter_chains:
- filter_chain_match:
server_names:
{{- if eq (include "parent.dataplaneMode" . ) "shared" }}
- "*.{{ .Values.global.external_domain }}"
{{- else }}
- "{{ .Values.global.external_domain }}"
{{- end }}
filters:
- name: envoy.filters.network.connection_limit
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.network.connection_limit.v3.ConnectionLimit
stat_prefix: traffic_max_connections
max_connections: 30000
delay: 10s
- name: envoy.filters.network.tcp_proxy
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy
stat_prefix: https
cluster: inbound-worker-https
max_connect_attempts: 3
idle_timeout: {{ .Values.envoy.timeouts.idleTimeout }}
- name: https-2
address:
socket_address:
address: 0.0.0.0
port_value: 8443
listener_filters:
- name: envoy.filters.listener.proxy_protocol
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.listener.proxy_protocol.v3.ProxyProtocol
"allow_requests_without_proxy_protocol": true
- name: "envoy.filters.listener.tls_inspector"
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.listener.tls_inspector.v3.TlsInspector
filter_chains:
- filter_chain_match:
server_names:
{{- if eq (include "parent.dataplaneMode" . ) "shared" }}
- "*.{{ .Values.global.external_domain }}"
{{- else }}
- "{{ .Values.global.external_domain }}"
{{- end }}
filters:
- name: envoy.filters.network.connection_limit
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.network.connection_limit.v3.ConnectionLimit
stat_prefix: traffic_max_connections
max_connections: 30000
delay: 10s
- name: envoy.filters.network.tcp_proxy
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy
stat_prefix: https
cluster: inbound-worker-https
max_connect_attempts: 3
idle_timeout: {{ .Values.envoy.timeouts.idleTimeout }}
- name: http
address:
socket_address:
address: 0.0.0.0
port_value: 9080
listener_filters:
- name: envoy.filters.listener.proxy_protocol
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.listener.proxy_protocol.v3.ProxyProtocol
"allow_requests_without_proxy_protocol": true
filter_chains:
- filters:
- name: envoy.filters.network.connection_limit
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.network.connection_limit.v3.ConnectionLimit
stat_prefix: traffic_max_connections
max_connections: 30000
delay: 10s
- name: envoy.filters.network.tcp_proxy
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy
stat_prefix: http
cluster: inbound-worker-http
max_connect_attempts: 3
idle_timeout: {{ .Values.envoy.timeouts.idleTimeout }}
- name: ssh
address:
socket_address:
address: 0.0.0.0
port_value: 2222
listener_filters:
- name: envoy.filters.listener.proxy_protocol
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.listener.proxy_protocol.v3.ProxyProtocol
"allow_requests_without_proxy_protocol": true
- name: "envoy.filters.listener.tls_inspector"
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.listener.tls_inspector.v3.TlsInspector
filter_chains:
filters:
- name: envoy.filters.network.connection_limit
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.network.connection_limit.v3.ConnectionLimit
stat_prefix: ssh_max_connections
max_connections: 30000
delay: 10s
- name: envoy.filters.network.tcp_proxy
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy
stat_prefix: ssh
cluster: inbound-worker-ssh
max_connect_attempts: 3
idle_timeout: {{ .Values.envoy.timeouts.idleTimeout }}
{{- end }}
clusters:
- name: service_admin
connect_timeout: 0.25s
type: STATIC
lb_policy: ROUND_ROBIN
typed_extension_protocol_options:
envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
"@type": type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions
explicit_http_config:
http2_protocol_options:
# Configure an HTTP/2 keep-alive to detect connection issues and reconnect
# to the admin server if the connection is no longer responsive.
connection_keepalive:
interval: 30s
timeout: 5s
load_assignment:
cluster_name: service_admin
endpoints:
- lb_endpoints:
- endpoint:
address:
socket_address:
address: 127.0.0.1
port_value: 9901
- name: xds_cluster
connect_timeout: 0.25s
type: LOGICAL_DNS
lb_policy: ROUND_ROBIN
typed_extension_protocol_options:
envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
"@type": type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions
explicit_http_config:
http2_protocol_options:
connection_keepalive:
interval: 30s
timeout: 5s
load_assignment:
cluster_name: xds_cluster
endpoints:
- lb_endpoints:
- endpoint:
address:
socket_address:
address: pep-server-{{ .Values.global.appEnv }}
port_value: 9090
#Note the health checks needs only to be applied to one of the pep_clusters
health_checks:
- timeout: 2s
interval: 3s
unhealthy_threshold: 2
healthy_threshold: 2
grpc_health_check:
service_name: ""
no_traffic_healthy_interval: 5s
{{- if .Values.common.openTelemetry.enabled }}
- name: otel_cluster
connect_timeout: 0.25s
type: LOGICAL_DNS
lb_policy: ROUND_ROBIN
typed_extension_protocol_options:
envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
"@type": type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions
explicit_http_config:
http2_protocol_options:
connection_keepalive:
interval: 30s
timeout: 5s
load_assignment:
cluster_name: otel_cluster
endpoints:
- lb_endpoints:
- endpoint:
address:
socket_address:
address: pep-server-{{ .Values.global.appEnv }}
port_value: 9090
{{- end }}
- name: als_cluster
connect_timeout: 0.25s
type: LOGICAL_DNS
lb_policy: ROUND_ROBIN
typed_extension_protocol_options:
envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
"@type": type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions
explicit_http_config:
http2_protocol_options:
connection_keepalive:
interval: 30s
timeout: 5s
load_assignment:
cluster_name: als_cluster
endpoints:
- lb_endpoints:
- endpoint:
address:
socket_address:
address: pep-server-{{ .Values.global.appEnv }}
port_value: 9090
- name: ext_authz_cluster
connect_timeout: 0.25s
type: LOGICAL_DNS
lb_policy: ROUND_ROBIN
typed_extension_protocol_options:
envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
"@type": type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions
explicit_http_config:
http2_protocol_options:
connection_keepalive:
interval: 30s
timeout: 5s
load_assignment:
cluster_name: ext_authz_cluster
endpoints:
- lb_endpoints:
- endpoint:
address:
socket_address:
address: pep-server-{{ .Values.global.appEnv }}
port_value: 9090
- name: ext_proc_start_audit_cluster
connect_timeout: 0.25s
type: LOGICAL_DNS
lb_policy: ROUND_ROBIN
typed_extension_protocol_options:
envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
"@type": type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions
explicit_http_config:
http2_protocol_options:
connection_keepalive:
interval: 30s
timeout: 5s
load_assignment:
cluster_name: ext_proc_start_audit_cluster
endpoints:
- lb_endpoints:
- endpoint:
address:
socket_address:
address: pep-server-{{ .Values.global.appEnv }}
port_value: 9090
{{- if ne (include "parent.dataplaneMode" . ) "shared" }}
- name: orchestrator_cluster
connect_timeout: {{ .Values.envoy.timeouts.connectTimeout }}
type: STRICT_DNS
lb_policy: ROUND_ROBIN
typed_extension_protocol_options:
envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
"@type": type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions
explicit_http_config:
http2_protocol_options:
connection_keepalive:
interval: 30s
timeout: 5s
load_assignment:
cluster_name: orchestrator_cluster
endpoints:
- lb_endpoints:
- endpoint:
address:
socket_address:
address: orchestrator-{{ .Values.global.appEnv }}
port_value: 50051
health_checks:
- timeout: 3s
interval: 3s
unhealthy_threshold: 1
healthy_threshold: 2
grpc_health_check:
service_name: ""
no_traffic_healthy_interval: 30s
- name: orchestrator_cluster-sse
connect_timeout: {{ .Values.envoy.timeouts.connectTimeout }}
type: STRICT_DNS
lb_policy: ROUND_ROBIN
typed_extension_protocol_options:
envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
"@type": type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions
explicit_http_config:
http_protocol_options: {}
load_assignment:
cluster_name: orchestrator_cluster-sse
endpoints:
- lb_endpoints:
- endpoint:
address:
socket_address:
address: orchestrator-{{ .Values.global.appEnv }}
port_value: 50052
{{- end }}
- name: inbound-worker-sse
connect_timeout: {{ .Values.envoy.timeouts.connectTimeout }}
http_protocol_options:
allow_chunked_length: true
typed_extension_protocol_options:
envoy.extensions.upstreams.tcp.v3.TcpProtocolOptions:
"@type": type.googleapis.com/envoy.extensions.upstreams.tcp.v3.TcpProtocolOptions
idle_timeout: {{ .Values.envoy.timeouts.idleTimeout }}
type: LOGICAL_DNS
load_assignment:
cluster_name: inbound-worker-sse
endpoints:
- lb_endpoints:
- endpoint:
address:
socket_address:
address: inbound-worker-{{ .Values.global.appEnv }}
port_value: 7080
health_checks:
- timeout: 1s
interval: 20s
unhealthy_threshold: 3
healthy_threshold: 3
tcp_health_check: {}
- name: inbound-worker-http
connect_timeout: {{ .Values.envoy.timeouts.connectTimeout }}
http_protocol_options:
allow_chunked_length: true
typed_extension_protocol_options:
envoy.extensions.upstreams.tcp.v3.TcpProtocolOptions:
"@type": type.googleapis.com/envoy.extensions.upstreams.tcp.v3.TcpProtocolOptions
idle_timeout: {{ .Values.envoy.timeouts.idleTimeout }}
type: LOGICAL_DNS
load_assignment:
cluster_name: inbound-worker-http
endpoints:
- lb_endpoints:
- endpoint:
address:
socket_address:
address: inbound-worker-{{ .Values.global.appEnv }}
port_value: 9080
health_checks:
- timeout: 1s
interval: 20s
unhealthy_threshold: 3
healthy_threshold: 3
tcp_health_check: {}
- name: inbound-worker-https
connect_timeout: {{ .Values.envoy.timeouts.connectTimeout }}
http_protocol_options:
allow_chunked_length: true
typed_extension_protocol_options:
envoy.extensions.upstreams.tcp.v3.TcpProtocolOptions:
"@type": type.googleapis.com/envoy.extensions.upstreams.tcp.v3.TcpProtocolOptions
idle_timeout: {{ .Values.envoy.timeouts.idleTimeout }}
type: LOGICAL_DNS
load_assignment:
cluster_name: inbound-worker-https
endpoints:
- lb_endpoints:
- endpoint:
address:
socket_address:
address: inbound-worker-{{ .Values.global.appEnv }}
port_value: 9443
health_checks:
- timeout: 1s
interval: 20s
unhealthy_threshold: 3
healthy_threshold: 3
tcp_health_check: {}
- name: inbound-worker-ssh
connect_timeout: {{ .Values.envoy.timeouts.connectTimeout }}
typed_extension_protocol_options:
envoy.extensions.upstreams.tcp.v3.TcpProtocolOptions:
"@type": type.googleapis.com/envoy.extensions.upstreams.tcp.v3.TcpProtocolOptions
idle_timeout: {{ .Values.envoy.timeouts.idleTimeout }}
type: LOGICAL_DNS
load_assignment:
cluster_name: inbound-worker-ssh
endpoints:
- lb_endpoints:
- endpoint:
address:
socket_address:
address: inbound-worker-{{ .Values.global.appEnv }}
port_value: 2222
health_checks:
- timeout: 1s
interval: 20s
unhealthy_threshold: 3
healthy_threshold: 3
tcp_health_check: {}
{{- end }}
{{- end }}
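Review bot: The Lua readiness check in the `internal` listener reports 503 only when a stat is literally `"0"`; if the filtered stats body is empty or missing (RDS not yet delivered, stat name changed, admin call failed), `count` is `""` and `countMtls` is `nil`, neither equals `"0"`, and the pod is marked Ready without routes. Parse both values the same way and treat absence as not ready: `local count = string.match(body or "", ":%s*(%d+)")`, `local countMtls = string.match(bodyMtls or "", ":%s*(%d+)")`, `if (tonumber(count) or 0) == 0 or (tonumber(countMtls) or 0) == 0 then`. The `service_admin` cluster is pinned to 127.0.0.1:9901 while the admin listener binds `{{ .Values.envoy.adminPorts.admin.containerPort }}`, so the check silently targets the wrong port if that value is changed; template the cluster port from the same value. The admin listener is also bound to 0.0.0.0, which exposes config dump (can include inline secrets), listener draining and process shutdown to anything that can reach the pod; unless other pods must scrape it, bind it to 127.0.0.1. Lastly, the `ssh` listener's `filter_chains:` is followed by a bare `filters:` rather than the `- filters:` item used by the other listeners, which appears to produce a map where Envoy expects a list and is worth checking on a rendered chart.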


@@ -0,0 +1,180 @@
{{- if .Values.envoy.enabled }}
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ template "envoy.appName" . }}
labels:
{{ include "envoy.labels" . | indent 4 }}
spec:
{{- if not .Values.envoy.autoscaling.enabled }}
replicas: {{ .Values.envoy.replicaCount }}
{{- end }}
selector:
matchLabels:
{{- include "envoy.selectorLabels" . | nindent 6 }}
strategy:
type: {{ .Values.envoy.strategy.type }}
rollingUpdate:
maxSurge: {{ .Values.envoy.strategy.rollingUpdate.maxSurge }}
maxUnavailable: {{ .Values.envoy.strategy.rollingUpdate.maxUnavailable }}
template:
metadata:
labels:
{{- include "envoy.selectorLabels" . | nindent 8 }}
{{- if .Values.envoy.podLabels }}
## Custom pod labels
{{- range $key, $value := .Values.envoy.podLabels }}
{{ $key }}: {{ $value | quote }}
{{- end }}
{{- end }}
annotations:
checksum/config: {{ include (print .Template.BasePath "/envoy/configmap.yaml") . | sha256sum }}
{{- if .Values.envoy.podAnnotations }}
## Custom pod annotations
{{- range $key, $value := .Values.envoy.podAnnotations }}
{{ $key }}: {{ $value | quote }}
{{- end }}
{{- end }}
spec:
{{- with .Values.global.image.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- if .Values.envoy.podSecurityContextEnabled }}
securityContext:
{{ toYaml .Values.envoy.podSecurityContext | nindent 8 }}
{{- end }}
{{- if .Values.envoy.serviceAccount.enabled }}
serviceAccountName: {{ include "envoy.serviceAccountName" . }}
{{- end }}
terminationGracePeriodSeconds: {{ .Values.envoy.terminationGracePeriodSeconds }}
#forces the use of tcp for dns resolutions
dnsConfig:
options:
- name: use-vc
{{- if .Values.fluentBit.enabled }}
{{- include "dataplane.createLogDirectoryInitContainer" (dict "serviceName" "envoy" "securityContext" .Values.envoy.securityContext "additionalPathParam" "" "root" .) | nindent 6 }}
{{- end }}
containers:
- name: {{ .Chart.Name }}
securityContext:
{{- toYaml .Values.envoy.securityContext | nindent 12 }}
image: "{{ default .Values.global.image.repository .Values.envoy.image.repository }}/{{ .Values.envoy.image.name }}:{{ .Values.envoy.image.tag | default .Chart.AppVersion }}"
imagePullPolicy: {{ .Values.global.image.pullPolicy }}
envFrom:
- secretRef:
name: {{ .Values.common.clusterDetails.name }}
- configMapRef:
name: configmap-common
command:
{{ toYaml .Values.envoy.command | nindent 12 }}
args:
{{- if $.Values.envoy.argsTemplate }}
{{ tpl $.Values.envoy.argsTemplate $ | nindent 12}}
{{- else }}
{{ toYaml .Values.envoy.args | nindent 12 }}
{{- end }}
ports:
{{- with .Values.envoy.adminPorts }}
{{- range $key, $port := . }}
- name: {{ $key }}
{{ toYaml $port | nindent 14 }}
{{- end }}
{{- end }}
{{- if .Values.global.multihost.enabled }}
- name: ssh
protocol: TCP
containerPort: 2222
- name: tls
protocol: TCP
containerPort: 8443
- name: http
protocol: TCP
containerPort: 9080
{{- else }}
{{- with .Values.envoy.ports }}
{{- range $key, $port := . }}
- name: {{ $key }}
{{ toYaml $port | nindent 14 }}
{{- end }}
{{- end }}
{{- end }}
livenessProbe: {{- toYaml .Values.envoy.livenessProbe | nindent 12 }}
startupProbe: {{- toYaml .Values.envoy.startupProbe | nindent 12 }}
readinessProbe: {{- toYaml .Values.envoy.readinessProbe | nindent 12 }}
env:
- name: server_truststore_password
valueFrom:
secretKeyRef:
key: password
name: certificate-password
- name: server_cert_password
valueFrom:
secretKeyRef:
key: password
name: certificate-password
- name: sftp_server_cert_password
valueFrom:
secretKeyRef:
key: password
name: certificate-password
- name: LOGLEVEL
value: "{{ .Values.envoy.logLevel }}"
{{- with .Values.envoy.env }}
{{- toYaml . | nindent 12 }}
{{- end }}
resources:
{{ toYaml .Values.envoy.resources | nindent 12 }}
volumeMounts:
- name: config
mountPath: /config
- name: {{ .Values.global.volumeStorageName }}
mountPath: /efs
{{- range $key, $value := .Values.envoy.secretMounts }}
- name: {{ $key }}
mountPath: {{ $value.mountPath }}
{{- end }}
- mountPath: "/certificate/{{ .Values.common.certificate.name }}"
subPath: {{ .Values.common.certificate.name }}
name: domain-certificate
lifecycle:
{{ toYaml .Values.envoy.lifecycle | nindent 12 }}
{{- with .Values.envoy.nodeSelector }}
nodeSelector:
{{ toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.envoy.affinity }}
affinity:
{{ toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.envoy.tolerations }}
tolerations:
{{ toYaml . | nindent 8 }}
{{- end }}
volumes:
- name: config
projected:
defaultMode: 420
sources:
- configMap:
name: {{ template "envoy.appName" . }}
- name: workdir
emptyDir: {}
- name: {{ .Values.global.volumeStorageName }}
persistentVolumeClaim:
claimName: {{ .Release.Namespace }}-{{ .Values.global.claimName }}
{{- range $key, $value := .Values.envoy.secretMounts }}
- name: {{ $key }}
secret:
secretName: {{ $value.secretName }}
defaultMode: {{ $value.defaultMode }}
{{- end }}
- name: cert
emptyDir: {}
- name: domain-certificate
secret:
secretName: domain-certificate
items:
- key: {{ .Values.common.certificate.name }}
path: {{ .Values.common.certificate.name }}
{{- end }}
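Review bot: The pod spec never sets `automountServiceAccountToken`, so whenever `.Values.envoy.serviceAccount.enabled` is false the pod runs as the namespace's `default` ServiceAccount with its API token mounted, and even when enabled the setting lives only on the ServiceAccount object. Envoy here takes all its configuration from xDS and does not appear to call the Kubernetes API, so add `automountServiceAccountToken: false` next to `terminationGracePeriodSeconds` (the pod-level field takes precedence over the ServiceAccount's). The `workdir` and `cert` emptyDir volumes are declared under `volumes:` but nothing in `volumeMounts:` references them; drop them or add the intended mounts so the manifest documents what the container actually uses.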

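--- /dev/null
+++ b/templates/envoy/hpa.yaml
@@ -0,0 +1,32 @@
+{{- if .Values.envoy.autoscaling.enabled }}
+apiVersion: autoscaling/v2
+kind: HorizontalPodAutoscaler
+metadata:
+name: {{ template "envoy.appName" . }}
+labels:
+{{- include "envoy.labels" . | nindent 4 }}
+spec:
+scaleTargetRef:
+apiVersion: apps/v1
+kind: Deployment
+name: {{ include "envoy.appName" . }}
+minReplicas: {{ .Values.envoy.autoscaling.minReplicas }}
+maxReplicas: {{ .Values.envoy.autoscaling.maxReplicas }}
+metrics:
+{{- if .Values.envoy.autoscaling.targetCPUUtilizationPercentage }}
+- type: Resource
+resource:
+name: cpu
+target:
+type: Utilization
+averageUtilization: {{ .Values.envoy.autoscaling.targetCPUUtilizationPercentage }}
+{{- end }}
+{{- if .Values.envoy.autoscaling.targetMemoryUtilizationPercentage }}
+- type: Resource
+resource:
+name: memory
+target:
+type: Utilization
+averageUtilization: {{ .Values.envoy.autoscaling.targetMemoryUtilizationPercentage }}
+{{- end }}
+{{- end }}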


@@ -0,0 +1,12 @@
{{- if .Values.envoy.podDisruptionBudget.enabled }}
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
name: {{ template "envoy.appName" . }}
namespace: {{ .Release.Namespace }}
spec:
minAvailable: {{ .Values.envoy.podDisruptionBudget.minPods }}
selector:
matchLabels:
dplane: {{ .Chart.Name }}
{{- end}}
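Review bot: The selector `dplane: {{ .Chart.Name }}` only matches the Envoy pods if the chart itself is named `envoy`; `envoy.selectorLabels` hardcodes `dplane: "envoy"` and the NOTES describe `{{ .Chart.Name }}` as the platform chart, so in the likely case the PDB selects no pods and gives no eviction protection (the API server accepts an empty selection silently). Use the same helper the Deployment uses: `matchLabels:` followed by `{{- include "envoy.selectorLabels" . | nindent 6 }}`. It is also worth a values.yaml comment that a `minPods` equal to `replicaCount` blocks voluntary node drains outright.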


@@ -0,0 +1,90 @@
{{- if and .Values.global.multihost.enabled .Values.envoy.route.https.enabled -}}
kind: Route
apiVersion: route.openshift.io/v1
metadata:
name: {{ template "envoy.appName" . }}-https
namespace: {{ .Release.Namespace }}
labels:
{{- include "envoy.labels" . | nindent 4 }}
app.kubernetes.io/component: {{ template "envoy.appName" . }}
spec:
host: {{ .Values.global.multihost.listeners.tls.https.hostPrefix }}.{{ .Values.global.external_domain }}
to:
kind: Service
name: {{ template "envoy.appName" . }}
port:
targetPort: 8443
tls:
termination: passthrough
insecureEdgeTerminationPolicy: Redirect
wildcardPolicy: None
{{- end }}
---
{{- if and .Values.global.multihost.enabled .Values.envoy.route.api.enabled -}}
kind: Route
apiVersion: route.openshift.io/v1
metadata:
name: {{ template "envoy.appName" . }}-apim
namespace: {{ .Release.Namespace }}
labels:
{{- include "envoy.labels" . | nindent 4 }}
app.kubernetes.io/component: {{ template "envoy.appName" . }}
spec:
host: {{ .Values.global.multihost.listeners.tls.api.hostPrefix }}.{{ .Values.global.external_domain }}
to:
kind: Service
name: {{ template "envoy.appName" . }}
port:
targetPort: 8443
tls:
termination: passthrough
insecureEdgeTerminationPolicy: Redirect
wildcardPolicy: None
{{- end }}
---
{{- if and .Values.global.multihost.enabled .Values.envoy.route.webhook.enabled -}}
kind: Route
apiVersion: route.openshift.io/v1
metadata:
name: {{ template "envoy.appName" . }}-webhook
namespace: {{ .Release.Namespace }}
labels:
{{- include "envoy.labels" . | nindent 4 }}
app.kubernetes.io/component: {{ template "envoy.appName" . }}
spec:
host: {{ .Values.global.multihost.listeners.tls.webhook.hostPrefix }}.{{ .Values.global.external_domain }}
to:
kind: Service
name: {{ template "envoy.appName" . }}
port:
targetPort: 8443
tls:
termination: passthrough
insecureEdgeTerminationPolicy: Redirect
wildcardPolicy: None
{{- end }}
---
{{- if and .Values.global.multihost.enabled .Values.envoy.route.http.enabled -}}
kind: Route
apiVersion: route.openshift.io/v1
metadata:
name: {{ template "envoy.appName" . }}-http
namespace: {{ .Release.Namespace }}
labels:
{{- include "envoy.labels" . | nindent 4 }}
app.kubernetes.io/component: {{ template "envoy.appName" . }}
spec:
host: {{ .Values.global.multihost.listeners.tcp.http.hostPrefix }}.{{ .Values.global.external_domain }}
to:
kind: Service
name: {{ template "envoy.appName" . }}
port:
targetPort: 9080
wildcardPolicy: None
{{- end }}
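Review bot: The `https`, `apim` and `webhook` routes (and the `tls` Service port) target container port 8443, but the multihost branch of the default envoy.yaml in this commit defines listeners only on 9080 (`multiHostHttp`) and 2222 (`multiHostSftp`); 8443 exists only in the non-multihost branch, so with the shipped config these routes would reach a closed port unless an overriding `envoy.yaml` is supplied through `.Values.envoy.templates`. Either add the 8443 TLS listener to the multihost branch, keyed on the `.Values.global.multihost.listeners.tls.*.enabled` values the way the other two are, or gate these routes on the same values so the mismatch fails at render time rather than at traffic time. Note that the `http` route has no `tls` block, so that hostname is served in clear text; if that is intended, say so in values.yaml next to `route.http.enabled`.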


@@ -0,0 +1,55 @@
apiVersion: v1
kind: Service
metadata:
name: {{ template "envoy.appName" . }}
namespace: {{ .Release.Namespace }}
{{- if .Values.envoy.service.annotations }}
{{- with .Values.envoy.service.annotations }}
annotations:
{{- tpl (toYaml .) $ | nindent 4 }}
{{- end }}
{{- else }}
annotations:
{{- end }}
{{- if eq (include "parent.dataplaneMode" . ) "shared" }}
external-dns.alpha.kubernetes.io/hostname: {{ .Values.global.shared_lb_prefix }}.{{ .Values.global.external_domain }}
{{- else if .Values.global.multihost.enabled}}
external-dns.alpha.kubernetes.io/hostname: "*.{{ .Values.global.external_domain }}"
{{- else }}
external-dns.alpha.kubernetes.io/hostname: "{{ .Values.global.external_domain }}"
{{- end }}
service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: "{{ .Values.envoy.timeouts.loadbalancer }}"
labels:
{{- include "envoy.labels" . | nindent 4 }}
spec:
type: {{ .Values.envoy.service.type }}
selector:
{{- include "envoy.selectorLabels" . | nindent 4 }}
ports:
{{- if .Values.envoy.exposeProxyAdminPort }}
- name: admin
port: {{ .Values.envoy.proxyAdminPort }}
targetPort: admin
protocol: TCP
{{- end }}
{{- if .Values.global.multihost.enabled }}
- name: ssh
protocol: TCP
port: {{ .Values.global.multihost.listeners.ssh.port }}
targetPort: 2222
- name: tls
protocol: TCP
port: {{ .Values.global.multihost.listeners.tls.port }}
targetPort: 8443
- name: http
protocol: TCP
port: {{ .Values.global.multihost.listeners.tcp.port }}
targetPort: 9080
{{- else }}
{{- range $port := .Values.envoy.service.ports }}
- name: {{ $port.name }}
protocol: {{ $port.protocol }}
port: {{ $port.port }}
targetPort: {{ $port.targetPort }}
{{- end }}
{{- end }}
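Review bot: `exposeProxyAdminPort` adds the Envoy admin endpoint to the same Service that carries the external-dns hostname and the configurable `service.type` (presumably a LoadBalancer, given the AWS idle-timeout annotation), so enabling it publishes the admin API — config dump, listener draining, process shutdown, log-level changes — on the public hostname. Serve it from a separate ClusterIP Service, or leave the admin listener on loopback in envoy.yaml and scrape through a sidecar, and default the flag to false with a values.yaml comment that it is for local debugging only. The Calico policy in this commit appears to allow ingress only to `.Values.envoy.service.ports`, which would block the admin port where the policy is enabled, so the exposure is real in deployments that run without it.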


@@ -0,0 +1,13 @@
{{- if ( and .Values.envoy.serviceAccount.enabled ( not .Values.envoy.serviceAccount.preexisting ) ) -}}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "envoy.serviceAccountName" . }}
labels:
{{- include "envoy.labels" . | nindent 4 }}
{{- with .Values.envoy.serviceAccount.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
automountServiceAccountToken: {{ .Values.envoy.serviceAccount.automountServiceAccountToken }}
{{- end }}