first commit

2026-01-21 17:37:42 +11:00
commit bd1ed71ac4
142 changed files with 18994 additions and 0 deletions

Chart.yaml Normal file

@@ -0,0 +1,5 @@
apiVersion: v2
description: Amplify Fusion chart for Kubernetes
name: amplify-fusion
type: application
version: 1.13.1

crd/orchestrator.yaml Normal file

@@ -0,0 +1,187 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.15.0
name: orchestrators.operator.fusion.axway.com
spec:
group: operator.fusion.axway.com
names:
kind: Orchestrator
listKind: OrchestratorList
plural: orchestrators
shortNames:
- orch
singular: orchestrator
scope: Namespaced
versions:
- additionalPrinterColumns:
- jsonPath: .status.phase
name: Phase
type: string
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v1
schema:
openAPIV3Schema:
description: Orchestrator is the Schema for the orchestrators API
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: OrchestratorSpec defines the desired state of Orchestrator
properties:
annotations:
additionalProperties:
type: string
description: Annotations to be added to the orchestrator
type: object
configMapData:
additionalProperties:
type: string
description: Optional map to provide support for overriding/adding
new properties in configMap
type: object
labels:
additionalProperties:
type: string
description: Labels to be added to the orchestrator
type: object
orgSchema:
description: OrgSchema is the name of the tenant
minLength: 1
type: string
resources:
description: Resources defines the resource requirements for the container
properties:
cpuLimit:
anyOf:
- type: integer
- type: string
description: CPU limit
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
cpuRequest:
anyOf:
- type: integer
- type: string
description: CPU request
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
memoryLimit:
anyOf:
- type: integer
- type: string
description: Memory limit
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
memoryRequest:
anyOf:
- type: integer
- type: string
description: Memory request
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
type: object
required:
- orgSchema
type: object
status:
description: OrchestratorStatus defines the observed state of Orchestrator
properties:
conditions:
description: Conditions represent the latest available observations
of an object's state
items:
description: "Condition contains details for one aspect of the current
state of this API Resource.\n---\nThis struct is intended for
direct use as an array at the field path .status.conditions. For
example,\n\n\n\ttype FooStatus struct{\n\t // Represents the
observations of a foo's current state.\n\t // Known .status.conditions.type
are: \"Available\", \"Progressing\", and \"Degraded\"\n\t //
+patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t
\ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\"
patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t
\ // other fields\n\t}"
properties:
lastTransitionTime:
description: |-
lastTransitionTime is the last time the condition transitioned from one status to another.
This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
format: date-time
type: string
message:
description: |-
message is a human readable message indicating details about the transition.
This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
description: |-
observedGeneration represents the .metadata.generation that the condition was set based upon.
For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
with respect to the current state of the instance.
format: int64
minimum: 0
type: integer
reason:
description: |-
reason contains a programmatic identifier indicating the reason for the condition's last transition.
Producers of specific condition types may define expected values and meanings for this field,
and whether the values are considered a guaranteed API.
The value should be a CamelCase string.
This field may not be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
type: string
status:
description: status of the condition, one of True, False, Unknown.
enum:
- "True"
- "False"
- Unknown
type: string
type:
description: |-
type of condition in CamelCase or in foo.example.com/CamelCase.
---
Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
useful (see .node.status.conditions), the ability to deconflict is important.
The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
- lastTransitionTime
- message
- reason
- status
- type
type: object
type: array
phase:
description: Phase represents the current phase of the Orchestrator
type: string
type: object
type: object
served: true
storage: true
subresources:
status: {}

templates/_helpers.tpl Normal file

@@ -0,0 +1,207 @@
{{- define "parent.dataplaneMode" -}}
{{- (eq .Values.global.clusterKey "") | ternary "shared" (printf "%s" (.Values.global.clusterKey | b64dec | fromJson).mode) }}
{{- end }}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "dataplane.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Common labels
*/}}
{{- define "dataplane.labels" -}}
helm.sh/chart: {{ include "dataplane.chart" . }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- if .Chart.AppVersion }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- end }}
{{- end }}
{{/*
Defines a reusable initContainer for the dataplane, responsible for creating a log directory for the included service in the EFS volume before the main container starts.
Usage:
{{ include "dataplane.createLogDirectoryInitContainer" (dict "root" . "serviceName" "my-service" "securityContext" ".Values.<my-service>.securityContext" "additionalPathParam" "additional-path-param" ) }}
*/}}
{{- define "dataplane.createLogDirectoryInitContainer" -}}
initContainers:
- name: {{ .root.Chart.Name }}-init
securityContext:
{{- toYaml .securityContext | nindent 4 }}
image: "{{ default .root.Values.global.image.repository .root.Values.global.alpinetools.image.repository }}/{{ .root.Values.global.alpinetools.image.name }}:{{ .root.Values.global.alpinetools.image.tag }}"
imagePullPolicy: {{ .root.Values.global.image.pullPolicy }}
volumeMounts:
- name: {{ .root.Values.global.volumeStorageName }}
mountPath: /efs
env:
- name: POD_NAME
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.name
envFrom:
- configMapRef:
name: configmap-common
command:
- sh
- -c
- >
{{ include "dataplane.createLogDirectory" (dict "serviceName" .serviceName "efsRoot" "${efs_root}" "podName" "${POD_NAME}" "additionalPathParam" .additionalPathParam) }}
{{- end }}
{{/*
Creates a static log directory for the service pod in the EFS volume.
*/}}
{{- define "dataplane.createLogDirectory" -}}
mkdir -p "{{ .efsRoot}}/logs/{{ .serviceName}}/{{ .podName}}/{{ .additionalPathParam}}" || {
echo "Failed to create log directory: {{ .efsRoot}}/logs/{{ .serviceName}}/{{ .podName}}/{{ .additionalPathParam}}" >&2;
exit 1;
}
{{- end}}
{{/*
Common init script waits for Valkey and pre-deploy.
Usage:
- Full script: {{ include "dataplane.commonInit" (dict "context" . "buildTag" .Values.someService.image.buildTag) }}
- External Valkey only: {{ include "dataplane.commonInit" (dict "context" . "valkeyOnly" true) }}
- Internal Valkey: {{ include "dataplane.commonInit" (dict "context" . "valkeyOnly" true "internal" true "replicas" 3) }}
*/}}
{{- define "dataplane.commonInit" -}}
{{- if not .context -}}
{{- fail "dataplane.commonInit: context is required" -}}
{{- end -}}
{{- if and (not .buildTag) (not .valkeyOnly) -}}
{{- fail "dataplane.commonInit: either buildTag or valkeyOnly=true is required" -}}
{{- end -}}
{{- if and .internal (not .replicas) -}}
{{- fail "dataplane.commonInit: replicas is required when internal=true" -}}
{{- end -}}
{{- if .internal -}}
{{- include "dataplane.internalValkeyInit" . -}}
{{- else -}}
{{- include "dataplane.externalValkeyInit" . -}}
{{- end -}}
{{- if .buildTag }}
version="{{ .buildTag }}" ;
predeploy_version="{{ .buildTag }}" ;
mkdir -p "$(dirname ${server_truststore_path})" ;
{{- end }}
{{- end -}}
{{/*
Internal Valkey initialization - expects a headless service and will resolve each address within.
Usage: Called internally by dataplane.commonInit with full context dict
*/}}
{{- define "dataplane.internalValkeyInit" -}}
expected_replicas={{ .replicas }};
start_time=$(date +%s);
max_duration=300;
valkey_ready=false;
echo "Starting Valkey readiness check. Waiting for ${expected_replicas} replicas to be resolved and reachable within ${max_duration} minutes..."
until [ $(($(date +%s) - start_time)) -ge ${max_duration} ]; do
# Resolve the hostnames
all_resolved="";
{{- range .context.Values.valkey.hosts }}
host={{ .hostname }};
host_port={{ .port | default 6379 }};
# Use a timeout for nslookup itself to prevent it from hanging
host_ips=$(nslookup -timeout=2 ${host} 2>/dev/null | awk '/^Address: / {print $2}');
echo " Host '${host}' resolved to IPs: ${host_ips:-'none'}";
for ip in $host_ips; do
all_resolved="${all_resolved} ${ip}:${host_port}";
done
{{- end }}
# Check valid number of hosts
unique_endpoints=$(echo "$all_resolved" | tr ' ' '\n' | grep . | sort -u);
unique_count=$(echo "${unique_endpoints}" | wc -l);
echo "Found ${unique_count} unique endpoints. Expecting ${expected_replicas}."
if [ "${unique_count}" -ne "${expected_replicas}" ]; then
echo "Endpoint count does not match expected count. Retrying in 5 seconds..."
sleep 5;
continue;
fi
# Check port connectivity
echo "Endpoint count is correct. Checking connectivity..."
reachable_count=0;
for entry in $unique_endpoints; do
ip=$(echo $entry | cut -d: -f1);
port=$(echo $entry | cut -d: -f2);
if nc -w 2 -z ${ip} ${port} >/dev/null 2>&1; then
echo "[SUCCESS] Connectivity to ${ip}:${port} is OK."
reachable_count=$((reachable_count + 1));
else
echo "[FAILED] Could not connect to ${ip}:${port}."
fi;
done;
# Check all endpoints were reachable
if [ $reachable_count -eq $expected_replicas ]; then
echo "[SUCCESS] All ${expected_replicas} Valkey replicas are resolved and reachable."
valkey_ready=true;
break;
fi;
echo "Only ${reachable_count} of ${expected_replicas} endpoints were reachable. Retrying in 5 seconds..."
sleep 5;
done;
if [ "${valkey_ready}" != "true" ]; then
echo "[ERROR] Timed out after ${max_duration} seconds. Could not confirm readiness of all Valkey replicas."
exit 1;
fi;
{{- end -}}
{{/*
External Valkey initialization - Takes the hosts at face value, no DNS checks.
Usage: Called internally by dataplane.commonInit with full context dict
*/}}
{{- define "dataplane.externalValkeyInit" -}}
# External Valkey mode - direct host connectivity check
c=0;
x={{ len .context.Values.valkey.hosts }};
until [ $c -eq $x ]; do
c=0;
{{- range .context.Values.valkey.hosts }}
host={{ .hostname }};
port={{ .port | default 6379 }};
echo "Checking connectivity to ${host}:${port}";
if nc -w 3 -v ${host} ${port}; then
c=$((c+1));
fi;
{{- end }}
if [ $c -ne $x ]; then
echo "Only $c out of $x hosts are reachable, retrying...";
sleep 2;
fi;
done;
echo "All ${x} Valkey hosts are reachable";
{{- end -}}
{{/*
Get the Unique ports in a list of hosts with an optional port field.
Usage: {{ include "dataplane.collectPorts" (dict "hosts" .Values.valkey.hosts "defaultPort" 6379) }}
*/}}
{{- define "dataplane.collectPorts" -}}
{{- $hosts := .hosts -}}
{{- $defaultPort := .defaultPort -}}
{{- $ports := dict -}}
{{- range $hosts -}}
{{- $port := .port | default $defaultPort -}}
{{- $_ := set $ports ($port | toString) true -}}
{{- end -}}
{{- range $portValue, $_ := $ports }}
- {{ $portValue }}
{{- end -}}
{{- end -}}
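Review bot: The shell emitted by `dataplane.internalValkeyInit` and `dataplane.externalValkeyInit` assigns `host={{ .hostname }};` and `port={{ .port | default 6379 }};` without quotes, so a hostname value containing whitespace or shell metacharacters is interpreted by the init container's shell instead of being treated as one literal value; `host="{{ .hostname }}";` and `port="{{ .port | default 6379 }}";` keep it literal in both helpers. In the internal helper the banner says `within ${max_duration} minutes...` while `max_duration=300` is compared against `date +%s` and the final error reports `seconds`, so the banner should read seconds. `unique_count=$(echo "${unique_endpoints}" | wc -l)` reports 1 when nothing resolved because `echo` still prints a newline; the retry still happens, but `printf '%s' "${unique_endpoints}" | grep -c .` logs the true count. The external check runs `nc -w 3 -v ${host} ${port}` without `-z`; whether that returns promptly after connecting depends on the nc build in the alpinetools image, so confirm or add `-z` for a pure port probe.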


@@ -0,0 +1,8 @@
Thank you for installing the {{ .Chart.Name }} chart for the Amplify Integration Platform.
Your release is named {{ .Release.Name }}.
To learn more about the release, try:
$ helm status {{ .Release.Name }}
$ helm get all {{ .Release.Name }}


@@ -0,0 +1,41 @@
{{- if .Values.common.certificate.enabled -}}
{{- $existingSecret := (lookup "v1" "Secret" .Release.Namespace "domain-certificate" ).metadata | required "Secret 'domain-certificate' containing p12 certificate is required. Create it external to helm chart or set common.certificate.enabled to true, to autogenerate cert using cert-manager" }}
{{- else }}
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: domain-certificate
spec:
# Secret names are always required.
secretName: domain-certificate
duration: {{ .Values.common.certificate.generate.duration }}
renewBefore: {{ .Values.common.certificate.generate.renewBefore }}
subject: {{- toYaml .Values.common.certificate.generate.subject | nindent 4 }}
{{- if eq (include "parent.dataplaneMode" . ) "shared" }}
commonName: "*.{{ .Values.global.external_domain }}"
{{- else if .Values.global.multihost.enabled }}
commonName: "*.{{ .Values.global.external_domain }}"
{{- else }}
commonName: "{{ .Values.global.external_domain }}"
{{- end }}
isCA: false
privateKey:
algorithm: RSA
encoding: PKCS8
size: 2048
dnsNames:
{{- if eq (include "parent.dataplaneMode" . ) "shared" }}
- "*.{{ .Values.global.external_domain }}"
{{- else if .Values.global.multihost.enabled }}
- "*.{{ .Values.global.external_domain }}"
{{- end }}
- {{ .Values.global.external_domain }}
issuerRef: {{- toYaml .Values.common.certificate.generate.issuerRef | nindent 4 }}
keystores:
pkcs12:
create: true
profile: LegacyDES
passwordSecretRef:
name: certificate-password
key: password
{{- end -}}
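Review bot: The branch condition and its error text disagree: when `.Values.common.certificate.enabled` is true the template only looks up a pre-existing `domain-certificate` Secret, and when it is false it renders a cert-manager Certificate, yet the `required` message tells the user to "set common.certificate.enabled to true, to autogenerate cert using cert-manager". Either the condition or the message is inverted; the values file (not in this chunk) decides which, but as written a user following the message never reaches the generating branch. Separately, `profile: LegacyDES` protects the generated PKCS#12 keystore with 3DES; unless the consumer of the keystore cannot read modern PKCS#12, `profile: Modern2023` (AES-256) is the safer default. `lookup` also returns an empty map under `helm template` and `--dry-run`, so the `required` call fails in those modes — worth a comment above the lookup.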


@@ -0,0 +1,78 @@
{{- if eq .Values.common.externalConfigMaps false }}
{{- $domain := ((eq .Values.global.clusterKey "") | ternary .Values.global.ctlplane_domain (printf "%s" (.Values.global.clusterKey | b64dec | fromJson).domain )) | required "If deploying a shared dataplane, set your control plane domain using .Values.global.ctlplane_domain. If not set a valid clusterKey" }}
apiVersion: v1
kind: ConfigMap
metadata:
name: configmap-common
namespace: {{ .Release.Namespace }}
data:
s3_payload: "{{ tpl .Values.common.s3_payload . }}"
app_env: {{ .Values.global.appEnv }}
tenant_namespace: "{{ .Release.Namespace }}"
k8_namespace: "{{ .Release.Namespace }}"
cluster_name: {{ (eq .Values.global.clusterKey "") | ternary "Shared Data Plane" (printf "%s" (.Values.global.clusterKey | b64dec | fromJson).name) }}
cluster_type: {{ (eq .Values.global.clusterKey "") | ternary "MANAGED_SHARED" (printf "%s" (.Values.global.clusterKey | b64dec | fromJson).runtimeType) }}
domain: {{ $domain }}
tenant: {{ (eq .Values.global.clusterKey "") | ternary "shared" (printf "%s" (.Values.global.clusterKey | b64dec | fromJson).tenant) }}
im_url: {{ (eq .Values.global.clusterKey "") | ternary (printf "wss://services.%s/monitor/ws" .Values.global.ctlplane_domain) (printf "%s" (.Values.global.clusterKey | b64dec | fromJson).im_url) }}
sink_ws_url: {{ (eq .Values.global.clusterKey "") | ternary (printf "wss://services.%s/auditservice/ws" .Values.global.ctlplane_domain) (printf "%s" (.Values.global.clusterKey | b64dec | fromJson).audit_service_url) }}
mode: {{ include "parent.dataplaneMode" . }}
server_cert_path: /certificate/{{ .Values.common.certificate.name }}
sftp_server_cert_path: /certificate/{{ .Values.common.certificate.name }}
support_email: "{{ tpl .Values.common.support_email . }}"
{{- if eq (include "parent.dataplaneMode" . ) "shared" }}
server_truststore_path: /efs/certificate/{{ include "parent.dataplaneMode" . }}/{{ tpl .Values.common.truststore . }}
efs_root: /efs
{{- else }}
clusterRefId: "{{ tpl .Values.common.clusterRefId . }}"
server_truststore_path: /efs/certificates/{{ tpl .Values.common.clusterRefId . }}/{{ tpl .Values.common.truststore . }}
efs_root: /efs/clusters/{{ tpl .Values.common.clusterRefId . }}
{{- end }}
sftp_server_port: "{{ tpl .Values.common.sftp_server_port . }}"
admin_email: "{{ tpl .Values.common.admin_email . }}"
dxchange_email_host: "{{ tpl .Values.common.email_host . }}"
dxchange_email_port: "{{ tpl .Values.common.email_port . }}"
dxchange_email_usetls: "{{ .Values.common.email_usetls }}"
dxchange_email_username: "{{ tpl .Values.common.email_username . }}"
dxchange_email_authentication: "{{ .Values.common.email_authentication }}"
dxchange_email_frommailid: "{{ tpl .Values.common.email_frommailid . }}"
log_file_enabled: "{{ .Values.common.logFileEnabled }}"
{{- if .Values.common.openTelemetry.enabled }}
otel_enabled: "{{ .Values.common.openTelemetry.enabled }}"
{{- if .Values.common.openTelemetry.exporter.http.enabled }}
otel_exporter_http_enabled: "{{ .Values.common.openTelemetry.exporter.http.enabled }}"
otel_exporter_http_endpoint: "{{ .Values.common.openTelemetry.exporter.http.endpoint }}"
{{- end }}
{{- if .Values.common.openTelemetry.exporter.grpc.enabled }}
otel_exporter_grpc_enabled: "{{ .Values.common.openTelemetry.exporter.grpc.enabled }}"
otel_exporter_grpc_endpoint: "{{ .Values.common.openTelemetry.exporter.grpc.endpoint }}"
{{- end }}
{{- end }}
{{- if .Values.valkey.enabled }}
datagrid_deployment_model: "{{ .Values.valkey.client.deployment_model }}"
datagrid_implementation: VALKEY
datagrid_read_mode: "{{ .Values.valkey.client.read_mode }}"
datagrid_username: "{{ .Values.valkey.client.datagrid_username }}"
datagrid_use_insecure_connection: "{{ not .Values.valkey.client.use_secure_connection }}"
datagrid_secure_connection_verification_mode: "{{ .Values.valkey.client.security_mode }}"
datagrid_addresses: "{{- range $i, $v := .Values.valkey.hosts }}{{ if $i }},{{ end }}{{ $v.hostname }}{{ if $v.port }}:{{ $v.port }}{{ end }}{{ end -}}"
datagrid_primary_connection_pool_min: "{{ .Values.valkey.client.datagrid_primary_connection_pool_min }}"
datagrid_primary_connection_pool_max: "{{ .Values.valkey.client.datagrid_primary_connection_pool_max }}"
datagrid_replica_connection_pool_min: "{{ .Values.valkey.client.datagrid_replica_connection_pool_min }}"
datagrid_replica_connection_pool_max: "{{ .Values.valkey.client.datagrid_replica_connection_pool_max }}"
datagrid_worker_threads: "{{ .Values.valkey.client.datagrid_worker_threads }}"
datagrid_idle_connection_timeout_millis: "{{ .Values.valkey.client.datagrid_idle_connection_timeout_millis }}"
datagrid_cluster_connect_timeout_millis: "{{ .Values.valkey.client.datagrid_cluster_connect_timeout_millis }}"
datagrid_response_timeout_millis: "{{ .Values.valkey.client.datagrid_response_timeout_millis }}"
datagrid_number_of_retries: "{{ .Values.valkey.client.datagrid_number_of_retries }}"
datagrid_retry_interval_millis: "{{ .Values.valkey.client.datagrid_retry_interval_millis }}"
datagrid_subscription_mode: "{{ .Values.valkey.client.subscription_mode }}"
datagrid_subscriptions_per_connection: "{{ .Values.valkey.client.datagrid_subscriptions_per_connection }}"
datagrid_subscription_connection_pool_size: "{{ .Values.valkey.client.datagrid_subscription_connection_pool_size }}"
datagrid_subscription_connection_min_idle_size: "{{ .Values.valkey.client.datagrid_subscription_connection_min_idle_size }}"
datagrid_subscription_connection_timeout_millis: "{{ .Values.valkey.client.datagrid_subscription_connection_timeout_millis }}"
{{- end }}
{{- with .Values.common.hsm }}
hsmCacheExpiration: "{{ .hsmCacheExpiration }}"
{{- end }}
{{- end }}
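Review bot: `app_env: {{ .Values.global.appEnv }}`, `cluster_name`, `cluster_type`, `domain`, `tenant`, `im_url`, `sink_ws_url` and `mode` are rendered as plain scalars while the rest of the map is quoted; ConfigMap `data` values must be strings, so an environment name YAML types as a number or boolean (`1.10`, `on`) renders as a non-string and the API server rejects the object. `app_env: {{ .Values.global.appEnv | quote }}`, applied to the other plain values as well, matches the quoting already used here. `.Values.global.clusterKey | b64dec | fromJson` is evaluated five separate times; assigning it once next to `$domain` (`{{- $cluster := ... }}`) gives a single place to validate the decoded structure and a single error when the key is malformed. That decoded payload also carries `secretKey` (consumed by the clusterDetails Secret template), so only the individual non-secret fields, never the whole map, should ever land in this ConfigMap.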


@@ -0,0 +1,5 @@
{{- if not ( kindIs "string" .Values.common.acceptGeneralConditions ) }}
{{- fail "The acceptGeneralConditions value must be a string. Check that you are using double quotes in your values file, or --set-string if using the command line. See the information in the values.yaml file, or on the online documentation." }}
{{- else if ne .Values.common.acceptGeneralConditions "yes" }}
{{- fail "You need to accept the General Conditions in order to install the application. See the information in the values.yaml file, or on the online documentation." }}
{{- end }}


@@ -0,0 +1,30 @@
{{- define "domainCertWatch.appName" -}}
{{- $name := default "domain-cert-watch" .Values.common.domainCertWatch.nameOverride -}}
{{- $env := default "env" .Values.global.appEnv -}}
{{- printf "%s-%s" $name $env | trunc 63 | trimSuffix "-" -}}
{{- end }}
{{/*
Create the name of the service account to use
*/}}
{{- define "domainCertWatch.serviceAccountName" -}}
{{- if .Values.common.domainCertWatch.serviceAccount.enabled -}}
{{ default "domain-cert-watch" .Values.common.domainCertWatch.serviceAccount.name }}
{{- else -}}
{{ default "default" .Values.common.domainCertWatch.serviceAccount.name }}
{{- end -}}
{{- end -}}
{{- define "domainCertWatch.domainCertHash" -}}
{{- $secret := (lookup "v1" "Secret" .Release.Namespace "domain-certificate") -}}
{{- if $secret -}}
{{- $secretData := $secret.data -}}
{{- $json := toJson $secretData -}}
{{- printf "%s" $json | sha1sum -}}
{{- else -}}
{{- "UNINITIALIZED" -}}
{{- end -}}
{{- end -}}
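Review bot: `domainCertWatch.domainCertHash` has no leading comment, unlike the two helpers above it, and its contract deserves one: it returns `sha1sum` of `toJson` of the `domain-certificate` Secret's `data` map at render time, or the literal `UNINITIALIZED` when `lookup` finds nothing — which is also the result under `helm template` and `--dry-run`, where `lookup` returns empty. Suggested comment: `Hash of the current domain-certificate Secret data, computed at install/upgrade time. The domain-cert-watch CronJob recomputes the hash from the live Secret and restarts envoy/inbound-worker when they differ, so the encoding hashed here must stay byte-identical to what the job hashes.` The job hashes `kubectl get secrets … -o jsonpath='{.data}'` output; if that encoding ever differs from Helm's `toJson` (key order, whitespace), every upgrade would be followed by an unnecessary rollout restart, which is worth a test.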


@@ -0,0 +1,33 @@
{{- if .Values.common.domainCertWatch.calicoNetpol.enabled }}
apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
name: domain-cert-watch-network-policy
namespace: {{ .Release.Namespace }}
spec:
order: 10
selector: dplane == 'domain-cert-watch-job'
types:
- Egress
egress:
# allow to communicate to DNS pods
- action: Allow
protocol: UDP
destination:
namespaceSelector: projectcalico.org/name == 'kube-system'
ports:
- 53
- action: Allow
protocol: TCP
destination:
namespaceSelector: projectcalico.org/name == 'kube-system'
ports:
- 53
# allow to communicate with k8s api server
- action: Allow
destination:
services:
name: kubernetes
namespace: default
protocol: TCP
{{- end}}
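Review bot: The two DNS egress rules allow UDP and TCP 53 to every pod in `kube-system`, not only the DNS pods; adding a `selector` under `destination` for the DNS deployment's label (commonly `k8s-app == 'kube-dns'` — confirm against this cluster) narrows it to the intended target. The API-server rule is already scoped to the `kubernetes` Service and looks right. With only `Egress` in `types`, the job pod gets no ingress restriction from this policy, which is presumably intended for a batch job but should be stated in the comment.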


@@ -0,0 +1,11 @@
{{- if .Values.common.domainCertWatch.enabled -}}
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ template "domainCertWatch.appName" . }}
namespace: {{ .Release.Namespace }}
labels:
{{- include "dataplane.labels" . | nindent 4 }}
data:
sha: {{ template "domainCertWatch.domainCertHash" . }}
{{- end }}


@@ -0,0 +1,79 @@
{{- if .Values.common.domainCertWatch.enabled -}}
apiVersion: batch/v1
kind: CronJob
metadata:
name: {{ template "domainCertWatch.appName" . }}
namespace: {{ .Release.Namespace }}
labels:
dplane: "domain-cert-watch-job"
spec:
concurrencyPolicy: Forbid
failedJobsHistoryLimit: 1
jobTemplate:
spec:
ttlSecondsAfterFinished: {{ .Values.common.domainCertWatch.job_ttl }}
template:
metadata:
labels:
dplane: "domain-cert-watch-job"
spec:
serviceAccountName: {{ include "domainCertWatch.serviceAccountName" . }}
containers:
- image: "{{ default .Values.global.image.repository .Values.global.alpinetools.image.repository }}/{{ .Values.global.alpinetools.image.name }}:{{ .Values.global.alpinetools.image.tag }}"
imagePullPolicy: {{ .Values.global.image.pullPolicy }}
command: [ "/bin/sh", "-c" ]
args:
- |
cm_name={{ template "domainCertWatch.appName" . }}
if dcert=$(kubectl get secrets domain-certificate -o jsonpath='{.data}'); then
dc_sha=$(echo -n $dcert | sha1sum | awk '{print $1}');
echo "Generated domain-certificate secret sha - $dc_sha";
if dcert_cm=$(kubectl get configmap $cm_name -o json); then
stored_sha=$(echo -n $dcert_cm | jq -r .data.sha);
echo "Retrieved domain-certificate stored sha - $stored_sha";
if [[ "$stored_sha" == "UNINITIALIZED" || "$stored_sha" != "$dc_sha" ]]; then
echo "Stored sha found in configmap $cm_name does not match, updating entry";
if kubectl create configmap $cm_name --from-literal=sha="$dc_sha" -o yaml --dry-run=client | kubectl apply -f -; then
echo "Updated configmap $cm_name with new sha - $dc_sha";
if [[ "$stored_sha" != "UNINITIALIZED" ]]; then
echo "The domain-certificate secret has changed, rolling envoy and inbound-worker deployments";
kubectl rollout restart deployment -l dplane=envoy;
kubectl rollout restart deployment -l dplane=inbound-worker;
fi
exit 0;
else
echo "Failed to update configmap $cm_name";
exit 1;
fi
else
echo "The secret domain-certificate has not changed, no action needed";
exit 0;
fi
else
echo "Failed to retrieve stored domain-certificate sha";
exit 1;
fi
else
echo "Could not get the secret domain-certificate";
exit 1;
fi
name: domain-cert-watch
{{- with .Values.common.domainCertWatch.securityContext }}
securityContext:
{{- toYaml . | nindent 16 }}
{{- end }}
restartPolicy: Never
{{- with .Values.global.image.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 10 }}
{{- end }}
{{- if .Values.common.domainCertWatch.podSecurityContextEnabled -}}
{{- with .Values.common.domainCertWatch.podSecurityContext }}
securityContext:
{{- toYaml . | nindent 12 }}
{{- end }}
{{- end }}
schedule: {{ .Values.common.domainCertWatch.schedule | squote }}
successfulJobsHistoryLimit: 1
suspend: false
{{- end }}
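Review bot: The inline script runs under `/bin/sh -c` but uses `[[ … ]]` for both `stored_sha` comparisons; that is a bash/ash extension, so the job only works while the alpinetools image's `sh` happens to provide it. POSIX form: `if [ "$stored_sha" = "UNINITIALIZED" ] || [ "$stored_sha" != "$dc_sha" ]; then` and `if [ "$stored_sha" != "UNINITIALIZED" ]; then`. `echo -n $dcert | sha1sum` and `echo -n $dcert_cm | jq` expand the variables unquoted, so any whitespace in the JSON alters the hashed bytes and glob characters get expanded; `printf '%s' "$dcert" | sha1sum` hashes exactly what kubectl returned, which is what the Helm-side `domainCertWatch.domainCertHash` value has to agree with. The container also has no `resources` block, so the job competes unbounded with the deployments it restarts; a small request/limit pair is cheap.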


@@ -0,0 +1,33 @@
{{- if ( and .Values.common.domainCertWatch.serviceAccount.enabled ( not .Values.common.domainCertWatch.serviceAccount.preexisting ) ) -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ template "domainCertWatch.appName" . }}-role
labels:
{{- include "dataplane.labels" . | nindent 4 }}
rules:
- apiGroups:
- ""
resources:
- secrets
verbs:
- get
- patch
- apiGroups:
- ""
resources:
- configmaps
verbs:
- get
- list
- patch
- update
- apiGroups:
- apps
resources:
- deployments
verbs:
- get
- list
- patch
{{- end }}
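Review bot: The Role grants `patch` on `secrets`, but the CronJob script only reads `domain-certificate` (`kubectl get secrets … -o jsonpath`); dropping `patch` from that rule keeps the watcher's token read-only on Secrets, which matters because the same token can already read the TLS private key. The `configmaps` rule has `get`/`patch`/`update` but no `create`; `kubectl apply -f -` falls back to create when the ConfigMap is absent (for example deleted between upgrades), so either add `create` or document that the job fails in that case. `deployments` with `get`/`list`/`patch` is the minimum for `kubectl rollout restart -l …` and looks right.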


@@ -0,0 +1,16 @@
{{- if ( and .Values.common.domainCertWatch.serviceAccount.enabled ( not .Values.common.domainCertWatch.serviceAccount.preexisting ) ) -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ template "domainCertWatch.appName" . }}-role-binding
labels:
{{- include "dataplane.labels" . | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ template "domainCertWatch.appName" . }}-role
subjects:
- kind: ServiceAccount
name: {{ include "domainCertWatch.serviceAccountName" . }}
namespace: {{ .Release.Namespace }}
{{- end }}


@@ -0,0 +1,12 @@
{{- if .Values.common.domainCertWatch.serviceAccount.enabled -}}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "domainCertWatch.serviceAccountName" . }}
labels:
{{- include "dataplane.labels" . | nindent 4 }}
{{- with .Values.common.domainCertWatch.serviceAccount.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- end -}}


@@ -0,0 +1,28 @@
{{- if .Values.common.azfiles.enabled -}}
apiVersion: v1
kind: PersistentVolume
metadata:
name: {{ .Release.Namespace }}-{{ .Values.common.persistence.volumeName }}
spec:
accessModes:
- {{ .Values.common.persistence.volumeAccessMode }}
capacity:
storage: {{ .Values.common.persistence.volumeCapacity }}
persistentVolumeReclaimPolicy: {{ .Values.common.persistence.volumeReclaimPolicy }}
claimRef:
name: {{ .Release.Namespace }}-{{ .Values.global.claimName }}
namespace: {{ .Release.Namespace }}
csi:
driver: file.csi.azure.com
readOnly: false
volumeHandle: {{.Values.common.azfiles.resourceGroup}}#{{.Values.common.azfiles.storageAccountName}}#{{.Values.common.azfiles.fileshareName}}###{{.Release.Namespace}}
volumeAttributes:
resourceGroup: {{ .Values.common.azfiles.resourceGroup}}
shareName: {{.Values.common.azfiles.fileshareName}}
nodeStageSecretRef:
name: {{ .Values.common.azfiles.secretName }}
namespace: {{ .Release.Namespace }}
mountOptions:
- uid=10010
- gid=10020
{{- end -}}


@@ -0,0 +1,20 @@
{{- if .Values.common.efs.enabled -}}
apiVersion: v1
kind: PersistentVolume
metadata:
name: {{ .Release.Namespace }}-{{ .Values.common.persistence.volumeName }}
spec:
capacity:
# This doesn't matter for efs, but k8s requires this field to exist
storage: {{ .Values.common.persistence.volumeCapacity }}
volumeMode: Filesystem
accessModes:
- {{ .Values.common.persistence.volumeAccessMode }}
persistentVolumeReclaimPolicy: {{ .Values.common.persistence.volumeReclaimPolicy }}
claimRef:
name: {{ .Release.Namespace }}-{{ .Values.global.claimName }}
namespace: {{ .Release.Namespace }}
csi:
driver: efs.csi.aws.com
volumeHandle: {{ .Values.common.efs.volumeHandle }}
{{- end -}}


@@ -0,0 +1,32 @@
{{- if and .Values.common.nfs.staticPvc .Values.common.nfs.enabled -}}
apiVersion: v1
kind: PersistentVolume
metadata:
name: {{ .Release.Namespace }}-{{ .Values.common.persistence.volumeName }}
spec:
capacity:
# This doesn't matter for efs, but k8s requires this field to exist
storage: {{ .Values.common.persistence.volumeCapacity }}
volumeMode: Filesystem
accessModes:
- {{ .Values.common.persistence.volumeAccessMode }}
persistentVolumeReclaimPolicy: {{ .Values.common.persistence.volumeReclaimPolicy }}
storageClassName: "{{ .Values.common.nfs.storageClassName }}"
claimRef:
name: {{ .Release.Namespace }}-{{ .Values.global.claimName }}
namespace: {{ .Release.Namespace }}
mountOptions: {{ toYaml .Values.common.nfs.mountOptions | nindent 2 }}
{{- if eq .Values.common.nfs.mode "csi" }}
csi:
driver: nfs.csi.k8s.io
readOnly: false
volumeHandle: {{ .Values.common.nfs.server }}{{ .Values.common.nfs.path }}
volumeAttributes:
server: {{ .Values.common.nfs.server }}
share: {{ .Values.common.nfs.path }}
{{- else -}}
nfs:
path: {{ .Values.nfs.path }}
server: {{ .Values.nfs.server }}
{{- end -}}
{{- end -}}
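Review bot: The `else` branch reads `.Values.nfs.path` and `.Values.nfs.server` while the `csi` branch and the enabling condition use `.Values.common.nfs.*`; unless a top-level `nfs` values block exists (not visible here), the legacy branch renders `path:` and `server:` empty and the API server rejects the PersistentVolume. `{{- else -}}` also trims the newline and indent before `nfs:`, so `nfs:` is appended to the last `mountOptions` entry instead of starting a new key; `{{- else }}` (no trailing dash) restores the line break. The comment `This doesn't matter for efs` is carried over from the EFS template and should say nfs here.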


@@ -0,0 +1,15 @@
{{- if .Values.common.azfiles.enabled -}}
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: {{ .Release.Namespace }}-{{ .Values.global.claimName }}
spec:
accessModes:
- {{ .Values.common.persistence.claimAccessMode }}
storageClassName: "manage-csi"
resources:
requests:
storage: {{ .Values.common.persistence.claimRequestCapacity }}
volumeMode: Filesystem
volumeName: {{ .Release.Namespace }}-{{ .Values.common.persistence.volumeName }}
{{- end -}}


@@ -0,0 +1,15 @@
{{- if .Values.common.efs.enabled -}}
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: {{ .Release.Namespace }}-{{ .Values.global.claimName }}
namespace: {{ .Release.Namespace }}
spec:
accessModes:
- {{ .Values.common.persistence.claimAccessMode }}
resources:
requests:
storage: {{ .Values.common.persistence.claimRequestCapacity }}
volumeMode: Filesystem
volumeName: {{ .Release.Namespace }}-{{ .Values.common.persistence.volumeName }}
{{- end -}}


@@ -0,0 +1,15 @@
{{- if .Values.common.nfs.enabled -}}
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
# need to use efs here, though it's nfs, for compatibility with legacy setup
name: {{ .Release.Namespace }}-{{ .Values.global.claimName }}
namespace: {{ .Release.Namespace }}
spec:
accessModes:
- {{ .Values.common.persistence.claimAccessMode }}
storageClassName: "{{ .Values.common.nfs.storageClassName }}"
resources:
requests:
storage: {{ .Values.common.persistence.claimRequestCapacity }}
{{- end -}}


@@ -0,0 +1,14 @@
{{- if .Values.common.pvc.enabled -}}
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: {{ .Release.Namespace }}-{{ .Values.global.claimName }}
namespace: {{ .Release.Namespace }}
spec:
accessModes:
- {{ .Values.common.pvc.claimAccessMode }}
storageClassName: {{ .Values.common.pvc.storageClass }}
resources:
requests:
storage: {{ .Values.common.pvc.claimRequestCapacity }}
{{- end -}}
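Review bot: `storageClassName: {{ .Values.common.pvc.storageClass }}` on line 948 renders as a bare `storageClassName:` when the value is empty, which YAML reads as null and Kubernetes interprets as "use the default class" — the opposite of an explicit `""` (no class). The nfs claim in this commit quotes the same kind of value; do the same here, `storageClassName: {{ .Values.common.pvc.storageClass | quote }}`, or wrap the line in `{{- with .Values.common.pvc.storageClass }}` if falling back to the default class is intended.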


@@ -0,0 +1,10 @@
{{- if not (eq .Values.global.image.createPullSecret.dockerconfigjson "") }}
---
apiVersion: v1
kind: Secret
metadata:
name: ampint-docker-artifactory
type: kubernetes.io/dockerconfigjson
data:
.dockerconfigjson: {{ required "a valid dockerconfigjson is required for the secret ampint-docker-artifactory" .Values.global.image.createPullSecret.dockerconfigjson }}
{{- end }}
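Review bot: The `required` on line 965 can never fire, because the enclosing `if` on line 957 already excludes the empty string; one of the two checks is redundant. The value is also placed directly under `data:`, so it must arrive already base64-encoded — if `global.image.createPullSecret.dockerconfigjson` is meant to be a plain `.dockerconfigjson` document, use `stringData:` or append `| b64enc`, and say which form is expected in the values file comment. The values file is not in the visible part of the commit, so this is a request for consistency rather than a confirmed bug.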


@@ -0,0 +1,12 @@
{{- if eq .Values.common.certificate.password "" -}}
{{- $existingSecret := (lookup "v1" "Secret" .Release.Namespace "certificate-password" ).metadata | required "Secret 'certificate-password' is required. Create it external to helm chart or set common.certificate.password" }}
{{- else }}
---
apiVersion: v1
kind: Secret
metadata:
name: certificate-password
type: "Opaque"
data:
password: {{ required "common.certificate.password is required for the secret certificate-password" .Values.common.certificate.password }}
{{- end }}
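Review bot: The `lookup` guard on line 974 aborts rendering under `helm template` and `--dry-run`, where `lookup` returns an empty map, so anyone rendering the chart offline with `common.certificate.password` empty gets the "Secret ... is required" error even when the Secret exists; the clusterDetails, fromMail and azfiles secret templates in this commit use the same pattern. At minimum add above line 974: `{{/* lookup returns an empty map under helm template / --dry-run; this check is only meaningful on a real install or upgrade */}}`. Line 983 also writes the password under `data:` without `b64enc`, so the value has to be supplied pre-encoded — worth stating in values or switching to `stringData:`.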


@@ -0,0 +1,13 @@
{{- if .Values.common.clusterDetails.existingSecret -}}
{{- $existingSecret := (lookup "v1" "Secret" .Release.Namespace .Values.common.clusterDetails.name ).metadata | required "Secret .Values.common.clusterDetails.name is required. Create it external to helm chart or set existingSecret to false" }}
{{- else }}
---
apiVersion: v1
kind: Secret
metadata:
name: {{ .Values.common.clusterDetails.name }}
type: "Opaque"
data:
dxchange_jwt_secret: {{ ((eq .Values.global.clusterKey "") | ternary .Values.common.clusterDetails.jwtSecret (printf "%s" (.Values.global.clusterKey | b64dec | fromJson).secretKey | b64enc)) | required "set required common.clusterDetails values if using shared dataplane. Otherwise set global.clusterKey" }}
cluster_id: {{ ((eq .Values.global.clusterKey "") | ternary .Values.common.clusterDetails.clusterId (printf "%s" (.Values.global.clusterKey | b64dec | fromJson).id | b64enc)) | required "set required common.clusterDetails values if using shared dataplane. Otherwise set global.clusterKey" }}
{{- end }}
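Review bot: The `required` on lines 999-1000 does not catch a malformed `global.clusterKey`: if the decoded JSON lacks `secretKey` or `id`, `printf "%s"` of the nil field yields the literal string `%!s(<nil>)`, which `b64enc` encodes and `required` then accepts as non-empty, so a Secret holding garbage is created without error. The `ternary` also evaluates both branches, so the `b64dec | fromJson` chain runs even when `clusterKey` is empty. Splitting the two cases with an `if` and applying `required` to the decoded fields themselves makes both failures loud; the `existingSecret` branch above is unchanged.
```yaml
data:
{{- if eq .Values.global.clusterKey "" }}
  dxchange_jwt_secret: {{ required "set common.clusterDetails.jwtSecret when global.clusterKey is empty" .Values.common.clusterDetails.jwtSecret }}
  cluster_id: {{ required "set common.clusterDetails.clusterId when global.clusterKey is empty" .Values.common.clusterDetails.clusterId }}
{{- else }}
{{- $key := .Values.global.clusterKey | b64dec | fromJson }}
  dxchange_jwt_secret: {{ $key.secretKey | required "global.clusterKey did not decode to JSON with a secretKey field" | printf "%s" | b64enc }}
  cluster_id: {{ $key.id | required "global.clusterKey did not decode to JSON with an id field" | printf "%s" | b64enc }}
{{- end }}
```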


@@ -0,0 +1,15 @@
{{- if .Values.common.email_authentication -}}
{{- if .Values.common.fromMail.existingSecret -}}
{{- $existingSecret := (lookup "v1" "Secret" .Release.Namespace .Values.common.fromMail.name ).metadata | required "Secret .Values.common.fromMail.name is required. Create it external to helm chart or set existingSecret to false" }}
{{- else }}
{{ $fromMailPass := .Values.common.fromMail.password | required "Value password is required for the secret fromMail" -}}
apiVersion: v1
kind: Secret
metadata:
name: {{ .Values.common.fromMail.name }}
type: "Opaque"
data:
dxchange_email_frompassword: {{ $fromMailPass | quote }}
{{- end -}}
{{- end -}}
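Review bot: `dxchange_email_frompassword: {{ $fromMailPass | quote }}` on line 1017 sits under `data:`, so the API server requires the value to already be base64; a plaintext `common.fromMail.password` is rejected, or, if it happens to be valid base64, silently decoded into the wrong bytes. Either switch the key to `stringData:` or encode it, `dxchange_email_frompassword: {{ $fromMailPass | b64enc | quote }}`, and document in the values file which form the chart expects. The azfiles secret in this commit encodes one of its two values and not the other, so whichever convention is chosen should be applied to all of these secret templates.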


@@ -0,0 +1,19 @@
{{- if .Values.common.azfiles.enabled -}}
{{- if .Values.common.azfiles.existingSecret -}}
{{- $existingSecret := (lookup "v1" "Secret" .Release.Namespace .Values.common.azfiles.secretName ).metadata | required "Secret .Values.common.azfiles.secretName is required when azfiles enabled. Create it external to helm chart or set existingSecret to false" }}
{{- else }}
{{ $storageAccName := ((.Values.common.azfiles.storageAccountName | b64enc )) | trim | required "Value storageAccountName is required for the secret azurefs-secret" -}}
{{ $storageAccKey := .Values.common.azfiles.azureStorageAccountKey | required "Value azureStorageAccountKey is required for the secret azurefs-secret" -}}
apiVersion: v1
kind: Secret
metadata:
name: {{ .Values.common.azfiles.secretName }}
type: "Opaque"
data:
azurestorageaccountname: {{ $storageAccName | quote }}
azurestorageaccountkey: {{ $storageAccKey | quote }}
{{- end -}}
{{- end -}}
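Review bot: Lines 1028-1029 treat the two values asymmetrically: `storageAccountName` is run through `b64enc`, while `azureStorageAccountKey` is written raw under `data:`, so the key must be supplied pre-encoded and the name must not be — a trap with nothing in the template to warn about it. Also, `trim` after `b64enc` on line 1028 is a no-op, since base64 output contains no whitespace; if the intent is to strip stray whitespace from the value, trim before encoding: `{{ $storageAccName := .Values.common.azfiles.storageAccountName | trim | b64enc | required "Value storageAccountName is required for the secret azurefs-secret" -}}`, and apply the same `| trim | b64enc` to the key if it is meant to be plaintext.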


@@ -0,0 +1,8 @@
Thank you for installing the {{ .Chart.Name }} chart for the Amplify Integration Platform.
Your release is named {{ .Release.Name }}.
To learn more about the release, try:
$ helm status {{ .Release.Name }}
$ helm get all {{ .Release.Name }}


@@ -0,0 +1,59 @@
{{/*
Envoy.
*/}}
{{- define "envoy.name" -}}
{{- default "envoy" .Values.envoy.nameOverride | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "envoy.fullname" -}}
{{- if .Values.envoy.fullnameOverride }}
{{- .Values.envoy.fullnameOverride | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- $name := default "envoy" .Values.envoy.nameOverride }}
{{- if contains $name .Release.Name }}
{{- .Release.Name | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
{{- end }}
{{- end }}
{{- end }}
{{/*
Common labels
*/}}
{{- define "envoy.labels" -}}
{{ include "dataplane.labels" . }}
{{ include "envoy.selectorLabels" . }}
{{- end }}
{{/*
Selector labels
*/}}
{{- define "envoy.selectorLabels" -}}
app.kubernetes.io/name: {{ include "envoy.name" . }}
app: {{ include "envoy.appName" . }}
dplane: "envoy"
{{- end }}
{{/*
Create the name of the service account to use
*/}}
{{- define "envoy.serviceAccountName" -}}
{{- if .Values.envoy.serviceAccount.create }}
{{- default (include "envoy.fullname" .) .Values.envoy.serviceAccount.name }}
{{- else }}
{{- default "default" .Values.envoy.serviceAccount.name }}
{{- end }}
{{- end }}
{{- define "envoy.appName" -}}
{{- $name := default "envoy" .Values.envoy.nameOverride -}}
{{- $env := default "envoy" .Values.global.appEnv -}}
{{- printf "%s-%s" $name $env | trunc 63 | trimSuffix "-" -}}
{{- end }}
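Review bot: `envoy.appName` on lines 1101-1105 is the only helper in this file without the `{{/* ... */}}` header the others carry, yet it is the helper every envoy resource name in this commit is built from. Suggest adding above its `define`: `{{/* App name used for every envoy resource: <nameOverride|envoy>-<global.appEnv|envoy>, truncated to 63 chars. */}}`. `envoy.fullname` (lines 1064-1075), by contrast, appears to be referenced only from `envoy.serviceAccountName` in the templates visible here; a one-line comment saying so would save the next reader from looking for other callers.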


@@ -0,0 +1,47 @@
{{- if .Values.envoy.calicoNetpol.enabled }}
apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
name: {{ template "envoy.appName" . }}
namespace: {{ .Release.Namespace }}
spec:
order: 10
selector: dplane == 'envoy'
types:
- Ingress
- Egress
ingress:
### traffic from the load balancer ###
- action: Allow
protocol: TCP
source: {{ toYaml .Values.envoy.calicoNetpol.subnetEntityRule | nindent 8 }}
destination:
ports:
{{- range .Values.envoy.service.ports }}
- {{ .targetPort }}
{{end }}
egress:
# allow to communicate to DNS pods
- action: Allow
protocol: UDP
destination:
namespaceSelector: projectcalico.org/name == 'kube-system'
ports:
- 53
- action: Allow
protocol: TCP
destination:
namespaceSelector: projectcalico.org/name == 'kube-system'
ports:
- 53
### all egress traffic to the inbound-worker,orchestrator ###
- action: Allow
protocol: TCP
destination:
selector: dplane == 'inbound-worker' || dplane == 'orchestrator' || dplane == 'pep-server'
namespaceSelector: projectcalico.org/name == '{{ .Release.Namespace }}'
### Traffic to the internet ###
- action: Allow
protocol: TCP
destination: {{ toYaml .Values.envoy.calicoNetpol.outboundRule | nindent 8 }}
{{- end}}
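Review bot: The load-balancer ingress rule on lines 1128-1131 takes its port list from `.Values.envoy.service.ports`, but when `global.multihost.enabled` is set the Service template in this commit ignores that list and targets the fixed container ports 2222, 8443 and 9080, so in multihost mode this policy would not admit load-balancer traffic to the ports the Service actually forwards to. Mirroring the Service's branch keeps the two in step. `{{end }}` on line 1131 also lacks the `-` the surrounding actions use and emits a stray blank line per port; harmless, but noisy in rendered output.
```yaml
      destination:
        ports:
{{- if .Values.global.multihost.enabled }}
        - 2222
        - 8443
        - 9080
{{- else }}
{{- range .Values.envoy.service.ports }}
        - {{ .targetPort }}
{{- end }}
{{- end }}
# … unchanged: egress rules …
```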


@@ -0,0 +1,602 @@
{{- if eq .Values.common.externalConfigMaps false }}
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ template "envoy.appName" . }}
labels:
{{ include "envoy.labels" . | indent 4 }}
data:
{{- range $key, $value := .Values.envoy.files }}
{{ $key }}: |-
{{ $value | default "" | indent 4 }}
{{- end -}}
{{- if (index .Values.envoy.templates "envoy.yaml") }}
envoy.yaml: |-
{{ $valueWithDefault := default "" (index .Values.envoy.templates "envoy.yaml") -}}
{{ tpl $valueWithDefault $ | indent 4 }}
{{- else }}
envoy.yaml: |-
node:
cluster: ampint-gw
id: ampint-gw
admin:
address:
socket_address:
address: 0.0.0.0
port_value: {{ .Values.envoy.adminPorts.admin.containerPort }}
dynamic_resources:
cds_config:
resource_api_version: V3
api_config_source:
api_type: GRPC
transport_api_version: V3
grpc_services:
- envoy_grpc:
cluster_name: xds_cluster
lds_config:
resource_api_version: V3
api_config_source:
api_type: GRPC
transport_api_version: V3
grpc_services:
- envoy_grpc:
cluster_name: xds_cluster
static_resources:
listeners:
- name: internal
address:
socket_address:
address: 0.0.0.0
port_value: 9902
filter_chains:
- filters:
- name: envoy.filters.network.http_connection_manager
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
stat_prefix: internal
codec_type: AUTO
stream_idle_timeout: 15s
use_remote_address: true
xff_num_trusted_hops: 0
common_http_protocol_options:
idle_timeout: 15s
route_config:
name: internal
validate_clusters: false
virtual_hosts:
- name: internal
domains:
- "*"
routes:
- match:
path: "/started"
route:
cluster: blackhole
http_filters:
- name: envoy.filters.http.lua
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua
inline_code: |
function envoy_on_request(request_handle)
local headers, body = request_handle:httpCall(
"service_admin",
{
[":method"] = "GET",
[":path"] = "/stats?filter=http.apim.rds.ampint-api.update_success&format=text",
[":authority"] = "internal"
},
"", 2000, false)
local headersMtls, bodyMtls = request_handle:httpCall(
"service_admin",
{
[":method"] = "GET",
[":path"] = "/stats?filter=http.apim.rds.ampint-api-mtls.update_success&format=text",
[":authority"] = "internal"
},
"", 2000, false)
local count = string.gsub(body, "^%s*.+:%s*(.-)%s*$", "%1")
local countMtls = string.match(bodyMtls, ":[%s]*(%d+)")
if count == "0" or countMtls == "0" then
request_handle:respond(
{[":status"] = "503"},
"Not Ready")
else
request_handle:respond(
{[":status"] = "200"},
"Ready")
end
end
- name: envoy.filters.http.router
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
{{ if .Values.global.multihost.enabled }}
{{ if .Values.global.multihost.listeners.tcp.http.enabled }}
- name: multiHostHttp
address:
socket_address:
address: 0.0.0.0
port_value: 9080
listener_filters:
- name: envoy.filters.listener.proxy_protocol
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.listener.proxy_protocol.v3.ProxyProtocol
"allow_requests_without_proxy_protocol": true
filter_chains:
- filter_chain_match:
server_names:
- "{{ .Values.global.multihost.listeners.tcp.http.hostPrefix }}.{{ .Values.global.external_domain }}"
- filters:
- name: envoy.filters.network.connection_limit
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.network.connection_limit.v3.ConnectionLimit
stat_prefix: traffic_max_connections
max_connections: 30000
delay: 10s
- name: envoy.filters.network.tcp_proxy
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy
stat_prefix: http
cluster: inbound-worker-http
max_connect_attempts: 3
idle_timeout: {{ .Values.envoy.timeouts.idleTimeout }}
{{- end }}
{{ if .Values.global.multihost.listeners.ssh.sftp.enabled }}
- name: multiHostSftp
address:
socket_address:
address: 0.0.0.0
port_value: 2222
listener_filters:
- name: envoy.filters.listener.proxy_protocol
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.listener.proxy_protocol.v3.ProxyProtocol
"allow_requests_without_proxy_protocol": true
- name: "envoy.filters.listener.tls_inspector"
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.listener.tls_inspector.v3.TlsInspector
filter_chains:
- filter_chain_match:
server_names:
- "{{ .Values.global.multihost.listeners.ssh.sftp.hostPrefix }}.{{ .Values.global.external_domain }}"
- filters:
- name: envoy.filters.network.connection_limit
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.network.connection_limit.v3.ConnectionLimit
stat_prefix: ssh_max_connections
max_connections: 30000
delay: 10s
- name: envoy.filters.network.tcp_proxy
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy
stat_prefix: ssh
cluster: inbound-worker-ssh
max_connect_attempts: 3
idle_timeout: {{ .Values.envoy.timeouts.idleTimeout }}
{{- end }}
{{ else }}
- name: https-1
address:
socket_address:
address: 0.0.0.0
port_value: 9443
listener_filters:
- name: envoy.filters.listener.proxy_protocol
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.listener.proxy_protocol.v3.ProxyProtocol
"allow_requests_without_proxy_protocol": true
- name: "envoy.filters.listener.tls_inspector"
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.listener.tls_inspector.v3.TlsInspector
filter_chains:
- filter_chain_match:
server_names:
{{- if eq (include "parent.dataplaneMode" . ) "shared" }}
- "*.{{ .Values.global.external_domain }}"
{{- else }}
- "{{ .Values.global.external_domain }}"
{{- end }}
filters:
- name: envoy.filters.network.connection_limit
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.network.connection_limit.v3.ConnectionLimit
stat_prefix: traffic_max_connections
max_connections: 30000
delay: 10s
- name: envoy.filters.network.tcp_proxy
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy
stat_prefix: https
cluster: inbound-worker-https
max_connect_attempts: 3
idle_timeout: {{ .Values.envoy.timeouts.idleTimeout }}
- name: https-2
address:
socket_address:
address: 0.0.0.0
port_value: 8443
listener_filters:
- name: envoy.filters.listener.proxy_protocol
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.listener.proxy_protocol.v3.ProxyProtocol
"allow_requests_without_proxy_protocol": true
- name: "envoy.filters.listener.tls_inspector"
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.listener.tls_inspector.v3.TlsInspector
filter_chains:
- filter_chain_match:
server_names:
{{- if eq (include "parent.dataplaneMode" . ) "shared" }}
- "*.{{ .Values.global.external_domain }}"
{{- else }}
- "{{ .Values.global.external_domain }}"
{{- end }}
filters:
- name: envoy.filters.network.connection_limit
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.network.connection_limit.v3.ConnectionLimit
stat_prefix: traffic_max_connections
max_connections: 30000
delay: 10s
- name: envoy.filters.network.tcp_proxy
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy
stat_prefix: https
cluster: inbound-worker-https
max_connect_attempts: 3
idle_timeout: {{ .Values.envoy.timeouts.idleTimeout }}
- name: http
address:
socket_address:
address: 0.0.0.0
port_value: 9080
listener_filters:
- name: envoy.filters.listener.proxy_protocol
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.listener.proxy_protocol.v3.ProxyProtocol
"allow_requests_without_proxy_protocol": true
filter_chains:
- filters:
- name: envoy.filters.network.connection_limit
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.network.connection_limit.v3.ConnectionLimit
stat_prefix: traffic_max_connections
max_connections: 30000
delay: 10s
- name: envoy.filters.network.tcp_proxy
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy
stat_prefix: http
cluster: inbound-worker-http
max_connect_attempts: 3
idle_timeout: {{ .Values.envoy.timeouts.idleTimeout }}
- name: ssh
address:
socket_address:
address: 0.0.0.0
port_value: 2222
listener_filters:
- name: envoy.filters.listener.proxy_protocol
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.listener.proxy_protocol.v3.ProxyProtocol
"allow_requests_without_proxy_protocol": true
- name: "envoy.filters.listener.tls_inspector"
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.listener.tls_inspector.v3.TlsInspector
filter_chains:
filters:
- name: envoy.filters.network.connection_limit
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.network.connection_limit.v3.ConnectionLimit
stat_prefix: ssh_max_connections
max_connections: 30000
delay: 10s
- name: envoy.filters.network.tcp_proxy
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy
stat_prefix: ssh
cluster: inbound-worker-ssh
max_connect_attempts: 3
idle_timeout: {{ .Values.envoy.timeouts.idleTimeout }}
{{- end }}
clusters:
- name: service_admin
connect_timeout: 0.25s
type: STATIC
lb_policy: ROUND_ROBIN
typed_extension_protocol_options:
envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
"@type": type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions
explicit_http_config:
http2_protocol_options:
# Configure an HTTP/2 keep-alive to detect connection issues and reconnect
# to the admin server if the connection is no longer responsive.
connection_keepalive:
interval: 30s
timeout: 5s
load_assignment:
cluster_name: service_admin
endpoints:
- lb_endpoints:
- endpoint:
address:
socket_address:
address: 127.0.0.1
port_value: 9901
- name: xds_cluster
connect_timeout: 0.25s
type: LOGICAL_DNS
lb_policy: ROUND_ROBIN
typed_extension_protocol_options:
envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
"@type": type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions
explicit_http_config:
http2_protocol_options:
connection_keepalive:
interval: 30s
timeout: 5s
load_assignment:
cluster_name: xds_cluster
endpoints:
- lb_endpoints:
- endpoint:
address:
socket_address:
address: pep-server-{{ .Values.global.appEnv }}
port_value: 9090
#Note the health checks needs only to be applied to one of the pep_clusters
health_checks:
- timeout: 2s
interval: 3s
unhealthy_threshold: 2
healthy_threshold: 2
grpc_health_check:
service_name: ""
no_traffic_healthy_interval: 5s
{{- if .Values.common.openTelemetry.enabled }}
- name: otel_cluster
connect_timeout: 0.25s
type: LOGICAL_DNS
lb_policy: ROUND_ROBIN
typed_extension_protocol_options:
envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
"@type": type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions
explicit_http_config:
http2_protocol_options:
connection_keepalive:
interval: 30s
timeout: 5s
load_assignment:
cluster_name: otel_cluster
endpoints:
- lb_endpoints:
- endpoint:
address:
socket_address:
address: pep-server-{{ .Values.global.appEnv }}
port_value: 9090
{{- end }}
- name: als_cluster
connect_timeout: 0.25s
type: LOGICAL_DNS
lb_policy: ROUND_ROBIN
typed_extension_protocol_options:
envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
"@type": type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions
explicit_http_config:
http2_protocol_options:
connection_keepalive:
interval: 30s
timeout: 5s
load_assignment:
cluster_name: als_cluster
endpoints:
- lb_endpoints:
- endpoint:
address:
socket_address:
address: pep-server-{{ .Values.global.appEnv }}
port_value: 9090
- name: ext_authz_cluster
connect_timeout: 0.25s
type: LOGICAL_DNS
lb_policy: ROUND_ROBIN
typed_extension_protocol_options:
envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
"@type": type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions
explicit_http_config:
http2_protocol_options:
connection_keepalive:
interval: 30s
timeout: 5s
load_assignment:
cluster_name: ext_authz_cluster
endpoints:
- lb_endpoints:
- endpoint:
address:
socket_address:
address: pep-server-{{ .Values.global.appEnv }}
port_value: 9090
- name: ext_proc_start_audit_cluster
connect_timeout: 0.25s
type: LOGICAL_DNS
lb_policy: ROUND_ROBIN
typed_extension_protocol_options:
envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
"@type": type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions
explicit_http_config:
http2_protocol_options:
connection_keepalive:
interval: 30s
timeout: 5s
load_assignment:
cluster_name: ext_proc_start_audit_cluster
endpoints:
- lb_endpoints:
- endpoint:
address:
socket_address:
address: pep-server-{{ .Values.global.appEnv }}
port_value: 9090
{{- if ne (include "parent.dataplaneMode" . ) "shared" }}
- name: orchestrator_cluster
connect_timeout: {{ .Values.envoy.timeouts.connectTimeout }}
type: STRICT_DNS
lb_policy: ROUND_ROBIN
typed_extension_protocol_options:
envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
"@type": type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions
explicit_http_config:
http2_protocol_options:
connection_keepalive:
interval: 30s
timeout: 5s
load_assignment:
cluster_name: orchestrator_cluster
endpoints:
- lb_endpoints:
- endpoint:
address:
socket_address:
address: orchestrator-{{ .Values.global.appEnv }}
port_value: 50051
health_checks:
- timeout: 3s
interval: 3s
unhealthy_threshold: 1
healthy_threshold: 2
grpc_health_check:
service_name: ""
no_traffic_healthy_interval: 30s
- name: orchestrator_cluster-sse
connect_timeout: {{ .Values.envoy.timeouts.connectTimeout }}
type: STRICT_DNS
lb_policy: ROUND_ROBIN
typed_extension_protocol_options:
envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
"@type": type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions
explicit_http_config:
http_protocol_options: {}
load_assignment:
cluster_name: orchestrator_cluster-sse
endpoints:
- lb_endpoints:
- endpoint:
address:
socket_address:
address: orchestrator-{{ .Values.global.appEnv }}
port_value: 50052
{{- end }}
- name: inbound-worker-sse
connect_timeout: {{ .Values.envoy.timeouts.connectTimeout }}
http_protocol_options:
allow_chunked_length: true
typed_extension_protocol_options:
envoy.extensions.upstreams.tcp.v3.TcpProtocolOptions:
"@type": type.googleapis.com/envoy.extensions.upstreams.tcp.v3.TcpProtocolOptions
idle_timeout: {{ .Values.envoy.timeouts.idleTimeout }}
type: LOGICAL_DNS
load_assignment:
cluster_name: inbound-worker-sse
endpoints:
- lb_endpoints:
- endpoint:
address:
socket_address:
address: inbound-worker-{{ .Values.global.appEnv }}
port_value: 7080
health_checks:
- timeout: 1s
interval: 20s
unhealthy_threshold: 3
healthy_threshold: 3
tcp_health_check: {}
- name: inbound-worker-http
connect_timeout: {{ .Values.envoy.timeouts.connectTimeout }}
http_protocol_options:
allow_chunked_length: true
typed_extension_protocol_options:
envoy.extensions.upstreams.tcp.v3.TcpProtocolOptions:
"@type": type.googleapis.com/envoy.extensions.upstreams.tcp.v3.TcpProtocolOptions
idle_timeout: {{ .Values.envoy.timeouts.idleTimeout }}
type: LOGICAL_DNS
load_assignment:
cluster_name: inbound-worker-http
endpoints:
- lb_endpoints:
- endpoint:
address:
socket_address:
address: inbound-worker-{{ .Values.global.appEnv }}
port_value: 9080
health_checks:
- timeout: 1s
interval: 20s
unhealthy_threshold: 3
healthy_threshold: 3
tcp_health_check: {}
- name: inbound-worker-https
connect_timeout: {{ .Values.envoy.timeouts.connectTimeout }}
http_protocol_options:
allow_chunked_length: true
typed_extension_protocol_options:
envoy.extensions.upstreams.tcp.v3.TcpProtocolOptions:
"@type": type.googleapis.com/envoy.extensions.upstreams.tcp.v3.TcpProtocolOptions
idle_timeout: {{ .Values.envoy.timeouts.idleTimeout }}
type: LOGICAL_DNS
load_assignment:
cluster_name: inbound-worker-https
endpoints:
- lb_endpoints:
- endpoint:
address:
socket_address:
address: inbound-worker-{{ .Values.global.appEnv }}
port_value: 9443
health_checks:
- timeout: 1s
interval: 20s
unhealthy_threshold: 3
healthy_threshold: 3
tcp_health_check: {}
- name: inbound-worker-ssh
connect_timeout: {{ .Values.envoy.timeouts.connectTimeout }}
typed_extension_protocol_options:
envoy.extensions.upstreams.tcp.v3.TcpProtocolOptions:
"@type": type.googleapis.com/envoy.extensions.upstreams.tcp.v3.TcpProtocolOptions
idle_timeout: {{ .Values.envoy.timeouts.idleTimeout }}
type: LOGICAL_DNS
load_assignment:
cluster_name: inbound-worker-ssh
endpoints:
- lb_endpoints:
- endpoint:
address:
socket_address:
address: inbound-worker-{{ .Values.global.appEnv }}
port_value: 2222
health_checks:
- timeout: 1s
interval: 20s
unhealthy_threshold: 3
healthy_threshold: 3
tcp_health_check: {}
{{- end }}
{{- end }}
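Review bot: In the multihost listeners, `- filters:` on lines 1288 and 1321 starts a second entry of `filter_chains` instead of being a key of the entry that holds `filter_chain_match`, so the SNI match on `hostPrefix.external_domain` belongs to a chain with no filters and the `tcp_proxy` chain matches every connection — compare `filters:` on lines 1358 and 1393, where it sits inside the matched chain. The `ssh` listener has the opposite slip: line 1446 `filters:` follows `filter_chains:` with no `- `, which makes `filter_chains` a mapping rather than the repeated field Envoy expects (the `http` listener on lines 1417-1418 has it right). Indentation is lost in this rendering, so verify against the file, but the three lines to change are `- filters:` → `filters:` (lines 1288 and 1321) and `filters:` → `- filters:` (line 1446); none of this matters if `envoy.templates` supplies the real `envoy.yaml`. Worth a comment at each `allow_requests_without_proxy_protocol: true`: with that setting the listener trusts a PROXY header from whoever can reach it, so the client address Envoy logs and applies policy to is only as trustworthy as the network policy that limits who can reach these ports.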


@@ -0,0 +1,180 @@
{{- if .Values.envoy.enabled }}
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ template "envoy.appName" . }}
labels:
{{ include "envoy.labels" . | indent 4 }}
spec:
{{- if not .Values.envoy.autoscaling.enabled }}
replicas: {{ .Values.envoy.replicaCount }}
{{- end }}
selector:
matchLabels:
{{- include "envoy.selectorLabels" . | nindent 6 }}
strategy:
type: {{ .Values.envoy.strategy.type }}
rollingUpdate:
maxSurge: {{ .Values.envoy.strategy.rollingUpdate.maxSurge }}
maxUnavailable: {{ .Values.envoy.strategy.rollingUpdate.maxUnavailable }}
template:
metadata:
labels:
{{- include "envoy.selectorLabels" . | nindent 8 }}
{{- if .Values.envoy.podLabels }}
## Custom pod labels
{{- range $key, $value := .Values.envoy.podLabels }}
{{ $key }}: {{ $value | quote }}
{{- end }}
{{- end }}
annotations:
checksum/config: {{ include (print .Template.BasePath "/envoy/configmap.yaml") . | sha256sum }}
{{- if .Values.envoy.podAnnotations }}
## Custom pod annotations
{{- range $key, $value := .Values.envoy.podAnnotations }}
{{ $key }}: {{ $value | quote }}
{{- end }}
{{- end }}
spec:
{{- with .Values.global.image.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- if .Values.envoy.podSecurityContextEnabled }}
securityContext:
{{ toYaml .Values.envoy.podSecurityContext | nindent 8 }}
{{- end }}
{{- if .Values.envoy.serviceAccount.enabled }}
serviceAccountName: {{ include "envoy.serviceAccountName" . }}
{{- end }}
terminationGracePeriodSeconds: {{ .Values.envoy.terminationGracePeriodSeconds }}
#forces the use of tcp for dns resolutions
dnsConfig:
options:
- name: use-vc
{{- if .Values.fluentBit.enabled }}
{{- include "dataplane.createLogDirectoryInitContainer" (dict "serviceName" "envoy" "securityContext" .Values.envoy.securityContext "additionalPathParam" "" "root" .) | nindent 6 }}
{{- end }}
containers:
- name: {{ .Chart.Name }}
securityContext:
{{- toYaml .Values.envoy.securityContext | nindent 12 }}
image: "{{ default .Values.global.image.repository .Values.envoy.image.repository }}/{{ .Values.envoy.image.name }}:{{ .Values.envoy.image.tag | default .Chart.AppVersion }}"
imagePullPolicy: {{ .Values.global.image.pullPolicy }}
envFrom:
- secretRef:
name: {{ .Values.common.clusterDetails.name }}
- configMapRef:
name: configmap-common
command:
{{ toYaml .Values.envoy.command | nindent 12 }}
args:
{{- if $.Values.envoy.argsTemplate }}
{{ tpl $.Values.envoy.argsTemplate $ | nindent 12}}
{{- else }}
{{ toYaml .Values.envoy.args | nindent 12 }}
{{- end }}
ports:
{{- with .Values.envoy.adminPorts }}
{{- range $key, $port := . }}
- name: {{ $key }}
{{ toYaml $port | nindent 14 }}
{{- end }}
{{- end }}
{{- if .Values.global.multihost.enabled }}
- name: ssh
protocol: TCP
containerPort: 2222
- name: tls
protocol: TCP
containerPort: 8443
- name: http
protocol: TCP
containerPort: 9080
{{- else }}
{{- with .Values.envoy.ports }}
{{- range $key, $port := . }}
- name: {{ $key }}
{{ toYaml $port | nindent 14 }}
{{- end }}
{{- end }}
{{- end }}
livenessProbe: {{- toYaml .Values.envoy.livenessProbe | nindent 12 }}
startupProbe: {{- toYaml .Values.envoy.startupProbe | nindent 12 }}
readinessProbe: {{- toYaml .Values.envoy.readinessProbe | nindent 12 }}
env:
- name: server_truststore_password
valueFrom:
secretKeyRef:
key: password
name: certificate-password
- name: server_cert_password
valueFrom:
secretKeyRef:
key: password
name: certificate-password
- name: sftp_server_cert_password
valueFrom:
secretKeyRef:
key: password
name: certificate-password
- name: LOGLEVEL
value: "{{ .Values.envoy.logLevel }}"
{{- with .Values.envoy.env }}
{{- toYaml . | nindent 12 }}
{{- end }}
resources:
{{ toYaml .Values.envoy.resources | nindent 12 }}
volumeMounts:
- name: config
mountPath: /config
- name: {{ .Values.global.volumeStorageName }}
mountPath: /efs
{{- range $key, $value := .Values.envoy.secretMounts }}
- name: {{ $key }}
mountPath: {{ $value.mountPath }}
{{- end }}
- mountPath: "/certificate/{{ .Values.common.certificate.name }}"
subPath: {{ .Values.common.certificate.name }}
name: domain-certificate
lifecycle:
{{ toYaml .Values.envoy.lifecycle | nindent 12 }}
{{- with .Values.envoy.nodeSelector }}
nodeSelector:
{{ toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.envoy.affinity }}
affinity:
{{ toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.envoy.tolerations }}
tolerations:
{{ toYaml . | nindent 8 }}
{{- end }}
volumes:
- name: config
projected:
defaultMode: 420
sources:
- configMap:
name: {{ template "envoy.appName" . }}
- name: workdir
emptyDir: {}
- name: {{ .Values.global.volumeStorageName }}
persistentVolumeClaim:
claimName: {{ .Release.Namespace }}-{{ .Values.global.claimName }}
{{- range $key, $value := .Values.envoy.secretMounts }}
- name: {{ $key }}
secret:
secretName: {{ $value.secretName }}
defaultMode: {{ $value.defaultMode }}
{{- end }}
- name: cert
emptyDir: {}
- name: domain-certificate
secret:
secretName: domain-certificate
items:
- key: {{ .Values.common.certificate.name }}
path: {{ .Values.common.certificate.name }}
{{- end }}
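Review bot: The `workdir` (lines 1910-1911) and `cert` (lines 1921-1922) emptyDir volumes are declared but no `volumeMounts` entry on lines 1877-1888 references them, and `envoy.secretMounts` only produces `secret:` volumes, so they are dead configuration; either drop them or add the mounts the container expects. Separately, the container is named `{{ .Chart.Name }}` (line 1808) while everything else about this workload is named through `envoy.appName`; `- name: envoy` would make `kubectl logs -c` and probe output unambiguous in a chart that ships several components.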

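--- a/templates/envoy/hpa.yaml
+++ b/templates/envoy/hpa.yaml
@@ -0,0 +1,32 @@
+{{- if .Values.envoy.autoscaling.enabled }}
+apiVersion: autoscaling/v2
+kind: HorizontalPodAutoscaler
+metadata:
+name: {{ template "envoy.appName" . }}
+labels:
+{{- include "envoy.labels" . | nindent 4 }}
+spec:
+scaleTargetRef:
+apiVersion: apps/v1
+kind: Deployment
+name: {{ include "envoy.appName" . }}
+minReplicas: {{ .Values.envoy.autoscaling.minReplicas }}
+maxReplicas: {{ .Values.envoy.autoscaling.maxReplicas }}
+metrics:
+{{- if .Values.envoy.autoscaling.targetCPUUtilizationPercentage }}
+- type: Resource
+resource:
+name: cpu
+target:
+type: Utilization
+averageUtilization: {{ .Values.envoy.autoscaling.targetCPUUtilizationPercentage }}
+{{- end }}
+{{- if .Values.envoy.autoscaling.targetMemoryUtilizationPercentage }}
+- type: Resource
+resource:
+name: memory
+target:
+type: Utilization
+averageUtilization: {{ .Values.envoy.autoscaling.targetMemoryUtilizationPercentage }}
+{{- end }}
+{{- end }}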


@@ -0,0 +1,12 @@
{{- if .Values.envoy.podDisruptionBudget.enabled }}
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
name: {{ template "envoy.appName" . }}
namespace: {{ .Release.Namespace }}
spec:
minAvailable: {{ .Values.envoy.podDisruptionBudget.minPods }}
selector:
matchLabels:
dplane: {{ .Chart.Name }}
{{- end}}
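Review bot: The selector `dplane: {{ .Chart.Name }}` on line 1982 does not match the pods: `envoy.selectorLabels` in this commit's helpers sets the literal `dplane: "envoy"`, so unless the chart itself is named envoy this budget selects no pods and silently protects nothing during drains. Use the same helper the Deployment and Service use in place of that line: `{{- include "envoy.selectorLabels" . | nindent 6 }}`.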


@@ -0,0 +1,90 @@
{{- if and .Values.global.multihost.enabled .Values.envoy.route.https.enabled -}}
kind: Route
apiVersion: route.openshift.io/v1
metadata:
name: {{ template "envoy.appName" . }}-https
namespace: {{ .Release.Namespace }}
labels:
{{- include "envoy.labels" . | nindent 4 }}
app.kubernetes.io/component: {{ template "envoy.appName" . }}
spec:
host: {{ .Values.global.multihost.listeners.tls.https.hostPrefix }}.{{ .Values.global.external_domain }}
to:
kind: Service
name: {{ template "envoy.appName" . }}
port:
targetPort: 8443
tls:
termination: passthrough
insecureEdgeTerminationPolicy: Redirect
wildcardPolicy: None
{{- end }}
---
{{- if and .Values.global.multihost.enabled .Values.envoy.route.api.enabled -}}
kind: Route
apiVersion: route.openshift.io/v1
metadata:
name: {{ template "envoy.appName" . }}-apim
namespace: {{ .Release.Namespace }}
labels:
{{- include "envoy.labels" . | nindent 4 }}
app.kubernetes.io/component: {{ template "envoy.appName" . }}
spec:
host: {{ .Values.global.multihost.listeners.tls.api.hostPrefix }}.{{ .Values.global.external_domain }}
to:
kind: Service
name: {{ template "envoy.appName" . }}
port:
targetPort: 8443
tls:
termination: passthrough
insecureEdgeTerminationPolicy: Redirect
wildcardPolicy: None
{{- end }}
---
{{- if and .Values.global.multihost.enabled .Values.envoy.route.webhook.enabled -}}
kind: Route
apiVersion: route.openshift.io/v1
metadata:
name: {{ template "envoy.appName" . }}-webhook
namespace: {{ .Release.Namespace }}
labels:
{{- include "envoy.labels" . | nindent 4 }}
app.kubernetes.io/component: {{ template "envoy.appName" . }}
spec:
host: {{ .Values.global.multihost.listeners.tls.webhook.hostPrefix }}.{{ .Values.global.external_domain }}
to:
kind: Service
name: {{ template "envoy.appName" . }}
port:
targetPort: 8443
tls:
termination: passthrough
insecureEdgeTerminationPolicy: Redirect
wildcardPolicy: None
{{- end }}
---
{{- if and .Values.global.multihost.enabled .Values.envoy.route.http.enabled -}}
kind: Route
apiVersion: route.openshift.io/v1
metadata:
name: {{ template "envoy.appName" . }}-http
namespace: {{ .Release.Namespace }}
labels:
{{- include "envoy.labels" . | nindent 4 }}
app.kubernetes.io/component: {{ template "envoy.appName" . }}
spec:
host: {{ .Values.global.multihost.listeners.tcp.http.hostPrefix }}.{{ .Values.global.external_domain }}
to:
kind: Service
name: {{ template "envoy.appName" . }}
port:
targetPort: 9080
wildcardPolicy: None
{{- end }}
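Review bot: All three TLS routes forward to `targetPort: 8443`, but in the multihost branch of the envoy configmap in this commit the only static listeners are 9080 (`multiHostHttp`) and 2222 (`multiHostSftp`); nothing listens on 8443 unless a listener arrives through LDS from `xds_cluster`. If that is the design, a comment on the first route, `# 8443 is served by a listener delivered over LDS, not by the static bootstrap`, stops the next reader from hunting for it; if not, these routes will fail at the backend. The three `---` separators sit outside the `if` blocks and yield empty documents when a route is disabled — Helm tolerates that, so it is cosmetic only.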


@@ -0,0 +1,55 @@
apiVersion: v1
kind: Service
metadata:
name: {{ template "envoy.appName" . }}
namespace: {{ .Release.Namespace }}
{{- if .Values.envoy.service.annotations }}
{{- with .Values.envoy.service.annotations }}
annotations:
{{- tpl (toYaml .) $ | nindent 4 }}
{{- end }}
{{- else }}
annotations:
{{- end }}
{{- if eq (include "parent.dataplaneMode" . ) "shared" }}
external-dns.alpha.kubernetes.io/hostname: {{ .Values.global.shared_lb_prefix }}.{{ .Values.global.external_domain }}
{{- else if .Values.global.multihost.enabled}}
external-dns.alpha.kubernetes.io/hostname: "*.{{ .Values.global.external_domain }}"
{{- else }}
external-dns.alpha.kubernetes.io/hostname: "{{ .Values.global.external_domain }}"
{{- end }}
service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: "{{ .Values.envoy.timeouts.loadbalancer }}"
labels:
{{- include "envoy.labels" . | nindent 4 }}
spec:
type: {{ .Values.envoy.service.type }}
selector:
{{- include "envoy.selectorLabels" . | nindent 4 }}
ports:
{{- if .Values.envoy.exposeProxyAdminPort }}
- name: admin
port: {{ .Values.envoy.proxyAdminPort }}
targetPort: admin
protocol: TCP
{{- end }}
{{- if .Values.global.multihost.enabled }}
- name: ssh
protocol: TCP
port: {{ .Values.global.multihost.listeners.ssh.port }}
targetPort: 2222
- name: tls
protocol: TCP
port: {{ .Values.global.multihost.listeners.tls.port }}
targetPort: 8443
- name: http
protocol: TCP
port: {{ .Values.global.multihost.listeners.tcp.port }}
targetPort: 9080
{{- else }}
{{- range $port := .Values.envoy.service.ports }}
- name: {{ $port.name }}
protocol: {{ $port.protocol }}
port: {{ $port.port }}
targetPort: {{ $port.targetPort }}
{{- end }}
{{- end }}
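Review bot: The `admin` port (the `exposeProxyAdminPort` branch near the top of `ports:`) is published on the same Service that carries the external-dns hostname annotations and the externally configurable `type`; if `envoy.service.type` is `LoadBalancer`, enabling that flag exposes the Envoy admin API on the public load balancer rather than inside the cluster. The admin listener should live on a separate `ClusterIP` Service (or a headless one) so the external-facing Service only ever carries the data ports, and the values documentation should say so. At minimum a comment above the branch, `# admin port is for in-cluster diagnostics only; do not expose on a LoadBalancer Service`, records the intent. I cannot see the values file, so the default of `exposeProxyAdminPort` is unknown from here.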


@@ -0,0 +1,13 @@
{{- if ( and .Values.envoy.serviceAccount.enabled ( not .Values.envoy.serviceAccount.preexisting ) ) -}}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "envoy.serviceAccountName" . }}
labels:
{{- include "envoy.labels" . | nindent 4 }}
{{- with .Values.envoy.serviceAccount.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
automountServiceAccountToken: {{ .Values.envoy.serviceAccount.automountServiceAccountToken }}
{{- end }}
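Review bot: `automountServiceAccountToken: {{ .Values.envoy.serviceAccount.automountServiceAccountToken }}` renders as an empty (null) value when the key is absent from values, and the API server then applies its default of mounting the token, which is the opposite of what a proxy ServiceAccount usually needs. Making the fallback explicit, `automountServiceAccountToken: {{ .Values.envoy.serviceAccount.automountServiceAccountToken | default false }}`, keeps `true` when set and yields `false` for both unset and `false`. If the default in values.yaml is already a boolean this is only a hardening of the template against a missing key.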


@@ -0,0 +1,8 @@
Thank you for installing the {{ .Chart.Name }} chart for the Amplify Integration Platform.
Your release is named {{ .Release.Name }}.
To learn more about the release, try:
$ helm status {{ .Release.Name }}
$ helm get all {{ .Release.Name }}


@@ -0,0 +1,64 @@
{{- define "fluent-bit.name" -}}
{{- default "fluent-bit" .Values.fluentBit.nameOverride | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- define "fluent-bit.appName" -}}
{{- $name := default "fluent-bit" .Values.fluentBit.nameOverride -}}
{{- $env := default "fluent-bit" .Values.global.appEnv -}}
{{- printf "%s-%s" $name $env | trunc 63 | trimSuffix "-" -}}
{{- end }}
{{/*
Common labels
*/}}
{{- define "fluent-bit.labels" -}}
{{ include "dataplane.labels" . }}
{{ include "fluent-bit.selectorLabels" . }}
{{- end -}}
{{/*
Selector labels
*/}}
{{- define "fluent-bit.selectorLabels" -}}
app.kubernetes.io/name: {{ include "fluent-bit.name" . }}
app: {{ include "fluent-bit.appName" . }}
dplane: "fluent-bit"
{{- end -}}
{{/*
Create the name of the service account to use
*/}}
{{- define "fluent-bit.serviceAccountName" -}}
{{- if .Values.fluentBit.serviceAccount.enabled -}}
{{ default (include "fluent-bit.name" .) .Values.fluentBit.serviceAccount.name }}
{{- else -}}
{{ default "default" .Values.fluentBit.serviceAccount.name }}
{{- end -}}
{{- end -}}
{{/*
Fluent-bit image with tag/digest
*/}}
{{- define "fluent-bit.image" -}}
{{ default .Values.global.image.repository .Values.fluentBit.image.repository }}/{{ .Values.fluentBit.image.name }}:{{ .Values.fluentBit.image.buildTag | default .Chart.AppVersion }}
{{- end -}}
{{/*
Create the name of the service account to use
*/}}
{{- define "logrotate.serviceAccountName" -}}
{{- if .Values.fluentBit.logrotate.serviceAccount.enabled -}}
{{ default "logrotate" .Values.fluentBit.logrotate.serviceAccount.name }}
{{- else -}}
{{ default "default" .Values.fluentBit.logrotate.serviceAccount.name }}
{{- end -}}
{{- end -}}
{{/*
Value of efs_root based on the dataplane type
*/}}
{{- define "efs_root.value" -}}
{{- $dataplaneMode := include "parent.dataplaneMode" . -}}
{{- $clusterRefId := tpl .Values.common.clusterRefId . -}}
{{- if eq $dataplaneMode "shared" -}}/efs{{- else -}}/efs/clusters/{{ $clusterRefId }}{{- end -}}
{{- end -}}
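Review bot: The comment above `fluent-bit.image` says "image with tag/digest", but the helper only ever emits `repository/name:tag`; there is no branch that renders an `@sha256:…` digest, so a caller who sets a digest value has no way to get a pinned image. Either the comment should be corrected to "Fluent-bit image with tag" or the helper should accept a digest value and emit `name@digest` when it is set, which also gives the chart a supply-chain pinning option. The `efs_root.value` helper interpolates `tpl .Values.common.clusterRefId .` straight into a path; a comment noting that the value must be a single path segment (no `/` or `..`) would document the assumption the path construction relies on.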


@@ -0,0 +1,39 @@
{{- if .Values.fluentBit.calicoNetpol.enabled }}
apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
name: {{ template "fluent-bit.appName" . }}
namespace: {{ .Release.Namespace }}
spec:
order: 10
selector: dplane == 'fluent-bit'
types:
- Egress
egress:
# allow to communicate to DNS pods
- action: Allow
protocol: UDP
destination:
namespaceSelector: projectcalico.org/name == 'kube-system'
ports:
- 53
- action: Allow
protocol: TCP
destination:
namespaceSelector: projectcalico.org/name == 'kube-system'
ports:
- 53
# allow to communicate with itself for clustering
- action: Allow
destination:
selector: dplane == 'fluent-bit'
namespaceSelector: projectcalico.org/name == '{{ .Release.Namespace }}'
protocol: TCP
# allow to communicate with k8s api server
- action: Allow
destination:
services:
name: kubernetes
namespace: default
protocol: TCP
{{- end}}


@@ -0,0 +1,104 @@
{{- if and .Values.fluentBit.enabled (eq .Values.fluentBit.kind "DaemonSet") -}}
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ template "fluent-bit.appName" . }}-luascript
namespace: {{ .Release.Namespace }}
labels:
{{- include "fluent-bit.labels" . | nindent 4 }}
data:
create_runtime_Directories.lua: |
local function resolve_folder_path(folder_path, file_name)
if file_name == "inbound" then
folder_path = folder_path .. "/" .. file_name
end
return folder_path
end
local function write_log(folder_path, file_name, log_content)
local file_path = folder_path .. "/" .. file_name .. ".log"
local file, err = io.open(file_path, "a")
if file then
-- Write log content to the file
file:write(log_content .. "\n")
file:close()
print(string.format("Successfully wrote log to file: %s", file_path))
else
print(string.format("Failed to open file: %s, error: %s", file_path, err))
end
end
local function handle_txn_logs(tag, timestamp, record, file_name)
local orgId = record["orgSchema"]
local modeId = record["modeId"]
local transactionId = record["transactionId"]
local log_content = record["log"]
if not orgId or not modeId then
print("Skipping directory creation: orgId or modeId is nil")
return 1, timestamp, record
end
local efs_root = os.getenv("efs_root")
print(string.format("efs root value...: %s", efs_root))
local folder_path = string.format("%s/logs/%s/%s/transaction/%s", efs_root, orgId, modeId, transactionId)
folder_path = resolve_folder_path(folder_path, file_name)
local success, exit_type, exit_code = os.execute("mkdir -p " .. folder_path)
if success then
write_log(folder_path, file_name, log_content)
else
print(string.format("Failed to create folder: %s", folder_path))
end
return 1, timestamp, record
end
local function handle_app_logs(tag, timestamp, record, dir_name, file_name)
local log_content = record["log"]
local pod_name = record["kubernetes"]["pod_name"]
print(string.format("pod name...: %s", pod_name))
local efs_root = os.getenv("efs_root")
print(string.format("efs root value...: %s", efs_root))
local folder_path = string.format("%s/logs/%s/%s", efs_root, dir_name, pod_name)
folder_path = resolve_folder_path(folder_path, file_name)
write_log(folder_path, file_name, log_content)
return 1, timestamp, record
end
function handle_orchestrator_txn_logs(tag, timestamp, record)
return handle_txn_logs(tag, timestamp, record, "ir")
end
function handle_inbound_txn_logs(tag, timestamp, record)
return handle_txn_logs(tag, timestamp, record, "inbound")
end
function handle_fusion_operator_logs(tag, timestamp, record)
return handle_app_logs(tag, timestamp, record, "fusion-operator", "fusion-operator")
end
function handle_envoy_logs(tag, timestamp, record)
return handle_app_logs(tag, timestamp, record, "envoy", "envoy")
end
function handle_orchestrator_logs(tag, timestamp, record)
return handle_app_logs(tag, timestamp, record, "ir", "orchestrator")
end
function handle_inbound_logs(tag, timestamp, record)
return handle_app_logs(tag, timestamp, record, "inbound", "inbound")
end
function handle_pep_server_logs(tag, timestamp, record)
return handle_app_logs(tag, timestamp, record, "pep-server", "pep-server")
end
function handle_sink_agent_logs(tag, timestamp, record)
return handle_app_logs(tag, timestamp, record, "sinkagent", "sinkagent")
end
{{- end }}
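Review bot: In `handle_txn_logs`, `orgId`, `modeId` and `transactionId` are taken from the parsed log record and concatenated into `folder_path`, which is then passed unquoted to `os.execute("mkdir -p " .. folder_path)`; the only check is that the first two are non-nil, so a record whose `orgSchema` field contains shell metacharacters or `..` segments becomes shell syntax or escapes the `efs_root/logs` tree. The regex in the companion parser constrains `modeId`/`transactionId` to `[0-9a-fA-F-]{36}` but leaves `orgSchema` as `[^\s]+`, so the validation has to happen here, before the values are used as path segments. The Lua functions should also tolerate missing fields: `write_log` raises on `log_content .. "\n"` when `record["log"]` is absent, and `handle_app_logs` indexes `record["kubernetes"]["pod_name"]` without checking that the `kubernetes` table exists. The rewrite below adds a strict segment validator and applies it to all three identifiers; the same guard should be applied to `pod_name` in `handle_app_logs`, and `write_log` should return early when `log_content` is nil.
```lua
-- … unchanged: resolve_folder_path, write_log …
-- CONSTRUCTED: adjust the character class to the real id formats
local SAFE_SEGMENT = "^[%w%-_%.]+$"

-- A path segment is safe only when it is a non-empty string made of
-- word characters, '-', '_' or '.', and is not a dot or dot-dot entry.
local function safe_segment(value)
  return type(value) == "string"
    and value:match(SAFE_SEGMENT) ~= nil
    and value ~= "." and value ~= ".."
end

local function handle_txn_logs(tag, timestamp, record, file_name)
  local orgId = record["orgSchema"]
  local modeId = record["modeId"]
  local transactionId = record["transactionId"]
  local log_content = record["log"]
  if not (safe_segment(orgId) and safe_segment(modeId) and safe_segment(transactionId)) then
    print("Skipping directory creation: orgSchema, modeId or transactionId is missing or malformed")
    return 1, timestamp, record
  end
  -- … unchanged: efs_root lookup, folder_path construction, mkdir, write_log …
```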


@@ -0,0 +1,242 @@
{{- if and .Values.fluentBit.enabled (eq .Values.fluentBit.kind "DaemonSet") -}}
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ template "fluent-bit.appName" . }}
namespace: {{ .Release.Namespace }}
labels:
{{- include "fluent-bit.labels" . | nindent 4 }}
data:
custom_parsers.conf: |
[PARSER]
Name docker_no_time
Format json
Time_Keep Off
Time_Key time
Time_Format %Y-%m-%dT%H:%M:%S.%L
[PARSER]
Name parser
Format regex
Regex ^(?<orgSchema>[^\s]+) (?<modeId>[0-9a-fA-F-]{36}) (?<transactionId>[0-9a-fA-F-]{36}) (?<time>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}:\d{3}) \[(?<thread>[^\]]+)\] (?<level>\w+) +(?<class>[^\s]+) \((?<traceId>[^,]*),(?<spanId>[^\)]*)\) - (?<message>.*)$
fluent-bit.conf: |
[SERVICE]
Daemon Off
Flush 1
Log_Level info
storage.path /var/log/fluent-bit/storage
storage.backlog.flush_on_shutdown On
Parsers_File /fluent-bit/etc/parsers.conf
Parsers_File /fluent-bit/etc/conf/custom_parsers.conf
HTTP_Server On
HTTP_Listen 0.0.0.0
HTTP_Port 2020
Health_Check On
{{- with .Values.fluentBit.config.service }}
{{ tpl . $ | nindent 4 }}
{{- end }}
[INPUT]
Name tail
Path /var/log/containers/*orchestrator*.log
multiline.parser docker, cri
DB /var/log/fluent-bit/storage/orchestrator-txn-tail.db
storage.type filesystem
read_from_head true
Tag orchestrator.txn.*
Skip_Long_Lines On
[INPUT]
Name tail
Path /var/log/containers/*orchestrator*.log
multiline.parser docker, cri
DB /var/log/fluent-bit/storage/orchestrator-tail.db
storage.type filesystem
read_from_head true
Tag orchestrator.app.log*
Skip_Long_Lines On
[INPUT]
Name tail
Path /var/log/containers/*sink-agent*.log
multiline.parser docker, cri
DB /var/log/fluent-bit/storage/sink-agent-tail.db
storage.type filesystem
read_from_head true
Tag sink-agent.*
Skip_Long_Lines On
[INPUT]
Name tail
Path /var/log/containers/*pep-server*.log
multiline.parser docker, cri
DB /var/log/fluent-bit/storage/pep-server-tail.db
storage.type filesystem
read_from_head true
Tag pep_server.*
Skip_Long_Lines On
[INPUT]
Name tail
Path /var/log/containers/*fusion-operator*.log
multiline.parser docker, cri
DB /var/log/fluent-bit/storage/fusion-operator-tail.db
storage.type filesystem
read_from_head true
Tag fusion_operator.*
Skip_Long_Lines On
[INPUT]
Name tail
Path /var/log/containers/*envoy*.log
multiline.parser docker, cri
DB /var/log/fluent-bit/storage/envoy-tail.db
storage.type filesystem
read_from_head true
Tag envoy.*
Skip_Long_Lines On
[INPUT]
Name tail
Path /var/log/containers/*inbound*.log
multiline.parser docker, cri
DB /var/log/fluent-bit/storage/inbound-worker-txn-tail.db
storage.type filesystem
read_from_head true
Tag inbound.txn.*
Skip_Long_Lines On
[INPUT]
Name tail
Path /var/log/containers/*inbound*.log
multiline.parser docker, cri
DB /var/log/fluent-bit/storage/inbound-worker-tail.db
storage.type filesystem
read_from_head true
Tag inbound.app.log*
Skip_Long_Lines On
{{- with .Values.fluentBit.config.inputs }}
{{ tpl . $ | nindent 4 }}
{{- end }}
[FILTER]
Name kubernetes
Match orchestrator.txn.*
Kube_Tag_Prefix orchestrator.txn.var.log.containers.
Merge_Log On
[FILTER]
Name parser
Match orchestrator.txn.*
Key_Name log
Parser parser
Reserve_Data On
Preserve_Key On
[FILTER]
Name lua
Match orchestrator.txn.*
Script /fluent-bit/etc/lua/create_runtime_Directories.lua
Call handle_orchestrator_txn_logs
[FILTER]
Name kubernetes
Match orchestrator.app.log*
Kube_Tag_Prefix orchestrator.app.log.var.log.containers.
Merge_Log On
[FILTER]
Name lua
Match orchestrator.app.log*
Script /fluent-bit/etc/lua/create_runtime_Directories.lua
Call handle_orchestrator_logs
[FILTER]
Name kubernetes
Match sink-agent.*
Kube_Tag_Prefix sink-agent.var.log.containers.
Merge_Log On
[FILTER]
Name lua
Match sink-agent.*
Script /fluent-bit/etc/lua/create_runtime_Directories.lua
Call handle_sink_agent_logs
[FILTER]
Name kubernetes
Match pep_server.*
Kube_Tag_Prefix pep-server.var.log.containers.
Merge_Log On
[FILTER]
Name lua
Match pep_server.*
Script /fluent-bit/etc/lua/create_runtime_Directories.lua
Call handle_pep_server_logs
[FILTER]
Name kubernetes
Match fusion_operator.*
Kube_Tag_Prefix fusion-operator.var.log.containers.
Merge_Log On
[FILTER]
Name lua
Match fusion_operator.*
Script /fluent-bit/etc/lua/create_runtime_Directories.lua
Call handle_fusion_operator_logs
[FILTER]
Name kubernetes
Match envoy.*
Kube_Tag_Prefix envoy.var.log.containers.
Merge_Log On
[FILTER]
Name lua
Match envoy.*
Script /fluent-bit/etc/lua/create_runtime_Directories.lua
Call handle_envoy_logs
[FILTER]
Name kubernetes
Match inbound.txn.*
Kube_Tag_Prefix inbound.txn.var.log.containers.
Merge_Log On
[FILTER]
Name parser
Match inbound.txn.*
Key_Name log
Parser parser
Reserve_Data On
Preserve_Key On
[FILTER]
Name lua
Match inbound.txn.*
Script /fluent-bit/etc/lua/create_runtime_Directories.lua
Call handle_inbound_txn_logs
[FILTER]
Name kubernetes
Match inbound.app.log*
Kube_Tag_Prefix inbound.app.log.var.log.containers.
Merge_Log On
[FILTER]
Name lua
Match inbound.app.log*
Script /fluent-bit/etc/lua/create_runtime_Directories.lua
Call handle_inbound_logs
{{- with .Values.fluentBit.config.filters }}
{{ tpl . $ | nindent 4 }}
{{- end }}
{{- with .Values.fluentBit.config.outputs }}
{{ tpl . $ | nindent 4 }}
{{- end }}
{{- end }}
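Review bot: The `pep_server.*` and `fusion_operator.*` kubernetes filters use `Kube_Tag_Prefix` values spelled with a hyphen (`pep-server.var.log.containers.`, `fusion-operator.var.log.containers.`) while the corresponding tail inputs tag records with an underscore (`Tag pep_server.*`, `Tag fusion_operator.*`), so the prefix never matches the tag. The filter then cannot derive the pod name and namespace from the tag and, as far as I can tell, leaves the record without a `kubernetes` table, which the Lua handler downstream indexes unconditionally. The two lines should read `Kube_Tag_Prefix pep_server.var.log.containers.` and `Kube_Tag_Prefix fusion_operator.var.log.containers.` (or the tags should be renamed to match the other inputs, which all use hyphens). Separately, the `parser` regex accepts any non-whitespace run for `orgSchema`; since that capture later becomes a directory name, tightening it to the identifier's real character set would be a cheap second line of defence.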


@@ -0,0 +1,63 @@
{{- if and .Values.fluentBit.enabled (eq .Values.fluentBit.kind "Deployment") -}}
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ template "fluent-bit.appName" . }}
namespace: {{ .Release.Namespace }}
labels:
{{- include "fluent-bit.labels" . | nindent 4 }}
data:
fluent-bit.conf: |
[SERVICE]
Daemon Off
Flush 1
Log_Level info
storage.path {{ include "efs_root.value" . -}}/fluent-bit/storage
storage.backlog.flush_on_shutdown On
Parsers_File /fluent-bit/etc/parsers.conf
HTTP_Server On
HTTP_Listen 0.0.0.0
HTTP_Port 2020
Health_Check On
{{- with .Values.fluentBit.config.service }}
{{ tpl . $ | nindent 4 }}
{{- end }}
{{- $inputs := list
(dict "name" "inbound" "path" "inbound/*/inbound/inbound.log" "tag" "inbound.app.log*")
(dict "name" "ir" "path" "ir/*/orchestrator.log" "tag" "orchestrator.app.log*")
(dict "name" "pep-server" "path" "pep-server/*/pep-server.log" "tag" "pep-server.app.log*")
(dict "name" "sinkagent" "path" "sinkagent/*/sinkagent.log" "tag" "sinkagent.app.log*")
-}}
{{- if eq (include "parent.dataplaneMode" . ) "shared" }}
{{- $inputs = append $inputs (dict "name" "fusion-operator" "path" "fusion-operator/*/fusion-operator*.log" "tag" "fusion-operator.app.log*") }}
{{- end}}
{{- $efsRoot := include "efs_root.value" . }}
{{- range $inputs }}
[INPUT]
Name tail
Path {{ $efsRoot }}/logs/{{ .path }}
multiline.parser docker, cri
DB {{ $efsRoot }}/fluent-bit/storage/{{ .name }}-tail.db
DB.locking true
Ignore_Older 1d
storage.type filesystem
read_from_head true
Tag {{ .tag }}
Skip_Long_Lines On
{{- end }}
{{- with .Values.fluentBit.config.inputs }}
{{ tpl . $ | nindent 4 }}
{{- end }}
{{- with .Values.fluentBit.config.filters }}
{{ tpl . $ | nindent 4 }}
{{- end }}
{{- with .Values.fluentBit.config.outputs }}
{{ tpl . $ | nindent 4 }}
{{- end }}
{{- end }}
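Review bot: In Deployment mode `storage.path` and every `DB` path are rooted at the shared `efs_root.value` with no per-replica component, so if the HPA for this kind (`maxReplicas` in the fluent-bit HPA template) ever scales above one, the replicas share one filesystem buffer directory and one tail database, which Fluent Bit does not coordinate across processes; `DB.locking true` only serialises access, it does not stop two readers from both consuming or both skipping the same offsets. Either the Deployment should be documented as single-replica (and the HPA bounded accordingly) or the paths need a per-pod suffix, for example from a `POD_NAME` environment variable injected via `fieldRef` in the pod template. A comment above `storage.path`, `# shared EFS path: this Deployment must run exactly one replica`, would at least make the constraint visible to whoever tunes autoscaling.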


@@ -0,0 +1,175 @@
{{- if .Values.fluentBit.enabled -}}
apiVersion: apps/v1
kind: {{ .Values.fluentBit.kind }}
metadata:
name: {{ template "fluent-bit.appName" . }}
namespace: {{ .Release.Namespace }}
labels:
{{- include "fluent-bit.labels" . | nindent 4 }}
{{- with .Values.fluentBit.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.fluentBit.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
selector:
matchLabels:
{{- include "fluent-bit.selectorLabels" . | nindent 6 }}
{{- if eq .Values.fluentBit.kind "Deployment" }}
strategy:
type: Recreate
{{- else if eq .Values.fluentBit.kind "DaemonSet" }}
{{- with .Values.fluentBit.updateStrategy }}
updateStrategy:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- end }}
{{- with .Values.fluentBit.minReadySeconds }}
minReadySeconds: {{ . }}
{{- end }}
template:
metadata:
labels:
{{- include "fluent-bit.selectorLabels" . | nindent 8 }}
{{- with .Values.fluentBit.podLabels }}
{{- toYaml . | nindent 8 }}
{{- end }}
annotations:
checksum/config: {{ include (print $.Template.BasePath "/fluent-bit/configmap_" ( lower .Values.fluentBit.kind ) ".yaml") . | sha256sum }}
{{- if eq .Values.fluentBit.kind "DaemonSet" }}
checksum/luascripts: {{ include (print $.Template.BasePath "/fluent-bit/configmap-luascript.yaml") . | sha256sum }}
{{- end }}
{{- with .Values.fluentBit.podAnnotations }}
{{- toYaml . | nindent 8 }}
{{- end }}
spec:
serviceAccountName: {{ include "fluent-bit.serviceAccountName" . }}
{{- with .Values.global.image.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 6 }}
{{- end }}
{{- if .Values.fluentBit.podSecurityContextEnabled -}}
{{- with .Values.fluentBit.podSecurityContext }}
securityContext:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- end }}
{{- with .Values.fluentBit.terminationGracePeriodSeconds }}
terminationGracePeriodSeconds: {{ . }}
{{- end }}
hostNetwork: {{ .Values.fluentBit.hostNetwork }}
dnsPolicy: {{ .Values.fluentBit.dnsPolicy }}
restartPolicy: {{ .Values.fluentBit.restartPolicy }}
schedulerName: {{ .Values.fluentBit.schedulerName }}
{{- with .Values.fluentBit.initContainers }}
initContainers:
{{- if kindIs "string" . }}
{{- tpl . $ | nindent 6 }}
{{- else }}
{{- toYaml . | nindent 6 }}
{{- end -}}
{{- end }}
containers:
- name: {{ include "fluent-bit.appName" . }}
{{- with .Values.fluentBit.securityContext }}
securityContext:
{{- toYaml . | nindent 12 }}
{{- end }}
image: {{ include "fluent-bit.image" . }}
imagePullPolicy: {{ .Values.global.image.pullPolicy }}
{{- if or .Values.fluentBit.env .Values.fluentBit.envWithTpl }}
env:
{{- with .Values.fluentBit.env }}
{{- toYaml . | nindent 10 }}
{{- end }}
{{- range $item := .Values.fluentBit.envWithTpl }}
- name: {{ $item.name }}
value: {{ tpl $item.value $ | quote }}
{{- end }}
{{- end }}
envFrom:
- configMapRef:
name: configmap-common
{{- if .Values.fluentBit.envFrom }}
{{- toYaml .Values.fluentBit.envFrom | nindent 12 }}
{{- end }}
{{- with .Values.fluentBit.command }}
command:
{{- toYaml . | nindent 10 }}
{{- end }}
{{- if .Values.fluentBit.args }}
args:
{{- toYaml .Values.fluentBit.args | nindent 10 }}
{{- end}}
ports:
- name: http
containerPort: {{ .Values.fluentBit.metricsPort }}
protocol: TCP
{{- if .Values.fluentBit.extraPorts }}
{{- range .Values.fluentBit.extraPorts }}
- name: {{ .name }}
containerPort: {{ .containerPort }}
protocol: {{ .protocol }}
{{- end }}
{{- end }}
livenessProbe: {{- toYaml .Values.fluentBit.livenessProbe | nindent 12 }}
startupProbe: {{- toYaml .Values.fluentBit.startupProbe | nindent 12 }}
readinessProbe: {{- toYaml .Values.fluentBit.readinessProbe | nindent 12 }}
{{- with .Values.fluentBit.resources }}
resources:
{{- toYaml . | nindent 12 }}
{{- end }}
volumeMounts:
- name: config
mountPath: /fluent-bit/etc/conf
- mountPath: /efs
name: {{ .Values.global.volumeStorageName }}
{{- if eq .Values.fluentBit.kind "DaemonSet" }}
- mountPath: /fluent-bit/etc/lua
name: lua-scripts
{{- toYaml .Values.fluentBit.daemonSetVolumeMounts | nindent 12 }}
{{- end }}
{{- if .Values.fluentBit.extraVolumeMounts }}
{{- toYaml .Values.fluentBit.extraVolumeMounts | nindent 12 }}
{{- end }}
{{- if .Values.fluentBit.extraContainers }}
{{- if kindIs "string" .Values.fluentBit.extraContainers }}
{{- tpl .Values.fluentBit.extraContainers $ | nindent 2 }}
{{- else }}
{{- toYaml .Values.fluentBit.extraContainers | nindent 2 }}
{{- end -}}
{{- end }}
{{- if eq .Values.fluentBit.kind "Deployment" }}
{{- with .Values.fluentBit.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.fluentBit.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- end }}
{{- with .Values.fluentBit.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
volumes:
- name: {{ .Values.global.volumeStorageName }}
persistentVolumeClaim:
claimName: {{ .Release.Namespace }}-{{ .Values.global.claimName }}
- name: config
configMap:
name: {{ default (include "fluent-bit.appName" .) .Values.fluentBit.existingConfigMap }}
{{- if eq .Values.fluentBit.kind "DaemonSet" }}
- name: lua-scripts
configMap:
defaultMode: 420
name: {{ default (include "fluent-bit.appName" .) .Values.fluentBit.existingConfigMap }}-luascript
{{- toYaml .Values.fluentBit.daemonSetVolumes | nindent 8 }}
{{- end }}
{{- if .Values.fluentBit.extraVolumes }}
{{- toYaml .Values.fluentBit.extraVolumes | nindent 8 }}
{{- end }}
{{- end }}
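Review bot: `initContainers` and `extraContainers` are both container lists at the same depth of the pod spec, yet the first is rendered with `nindent 6` and the second with `nindent 2` (both the `tpl` and `toYaml` branches), so one of the two indentations has to be wrong and the resulting manifest will fail to parse or attach the extra containers to the wrong key. The rendered view has lost the template's leading whitespace, so I cannot see which is correct, but `containers:` appears directly under the pod `spec:` alongside `initContainers:`, which points to `6` being the right value for both. Changing the two lines to `{{- tpl .Values.fluentBit.extraContainers $ | nindent 6 }}` and `{{- toYaml .Values.fluentBit.extraContainers | nindent 6 }}` (after confirming against a `helm template` run) keeps the two blocks consistent.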


@@ -0,0 +1,33 @@
{{- if and .Values.fluentBit.autoscaling.enabled (eq .Values.fluentBit.kind "Deployment") }}
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
name: {{ template "fluent-bit.appName" . }}
namespace: {{ .Release.Namespace }}
labels:
{{- include "fluent-bit.labels" . | nindent 4 }}
spec:
scaleTargetRef:
apiVersion: apps/v1
kind: Deployment
name: {{ template "fluent-bit.appName" . }}
minReplicas: {{ .Values.fluentBit.autoscaling.minReplicas }}
maxReplicas: {{ .Values.fluentBit.autoscaling.maxReplicas }}
metrics:
{{- if .Values.fluentBit.autoscaling.targetCPUUtilizationPercentage }}
- type: Resource
resource:
name: cpu
target:
type: Utilization
averageUtilization: {{ .Values.fluentBit.autoscaling.targetCPUUtilizationPercentage }}
{{- end }}
{{- if .Values.fluentBit.autoscaling.targetMemoryUtilizationPercentage }}
- type: Resource
resource:
name: memory
target:
type: Utilization
averageUtilization: {{ .Values.fluentBit.autoscaling.targetMemoryUtilizationPercentage }}
{{- end }}
{{- end }}


@@ -0,0 +1,33 @@
{{- if .Values.fluentBit.logrotate.calicoNetpol.enabled }}
apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
name: logrotate-network-policy
namespace: {{ .Release.Namespace }}
spec:
order: 10
selector: dplane == 'logrotate-job'
types:
- Egress
egress:
# allow to communicate to DNS pods
- action: Allow
protocol: UDP
destination:
namespaceSelector: projectcalico.org/name == 'kube-system'
ports:
- 53
- action: Allow
protocol: TCP
destination:
namespaceSelector: projectcalico.org/name == 'kube-system'
ports:
- 53
# allow to communicate with k8s api server
- action: Allow
destination:
services:
name: kubernetes
namespace: default
protocol: TCP
{{- end}}


@@ -0,0 +1,76 @@
{{- if and .Values.fluentBit.enabled .Values.fluentBit.logrotate.enabled -}}
apiVersion: v1
kind: ConfigMap
metadata:
name: logrotate-{{ template "fluent-bit.appName" . }}
namespace: {{ .Release.Namespace }}
labels:
{{- include "dataplane.labels" . | nindent 4 }}
data:
dynamic-logrotate.sh: |
#!/bin/sh
set -e
STATE_FILE="/tmp/logrotate.status"
LOGROTATE_CONFIG="/tmp/dynamic-logrotate.conf"
# Determine base path based on dataplane mode
BASE_PATH="{{- if eq (include "parent.dataplaneMode" .) "shared" -}}/efs/logs{{- else -}}/efs/clusters/{{ tpl .Values.common.clusterRefId . }}/logs{{- end }}"
# List of service folders to scan
SERVICES="sink-agent inbound-worker pep-server orchestrator envoy fusion-operator"
# Clean up the old config file
echo "" > "$LOGROTATE_CONFIG"
# Get running pod names in current namespace
POD_NAMES=$(kubectl get pods -n $(cat /var/run/secrets/kubernetes.io/serviceaccount/namespace) \
--field-selector=status.phase=Running \
-o jsonpath='{.items[*].metadata.name}')
for svc in $SERVICES; do
for pod in $POD_NAMES; do
case "$svc" in
"envoy")
[[ "$pod" != *envoy* ]] && continue
LOG_PATH="$BASE_PATH/envoy/$pod/envoy.log"
;;
"fusion-operator")
[[ "$pod" != *fusion-operator* ]] && continue
LOG_PATH="$BASE_PATH/fusion-operator/$pod/fusion-operator.log"
;;
"sink-agent")
[[ "$pod" != *sink-agent* ]] && continue
LOG_PATH="$BASE_PATH/sinkagent/$pod/sinkagent.log"
;;
"inbound-worker")
[[ "$pod" != *inbound-worker* ]] && continue
LOG_PATH="$BASE_PATH/inbound/$pod/inbound/inbound.log"
;;
"pep-server")
[[ "$pod" != *pep-server* ]] && continue
LOG_PATH="$BASE_PATH/pep-server/$pod/pep-server.log"
;;
"orchestrator")
[[ "$pod" != *orchestrator* ]] && continue
LOG_PATH="$BASE_PATH/ir/$pod/orchestrator.log"
;;
esac
if [ -f "$LOG_PATH" ]; then
echo "$LOG_PATH {
size 10M
rotate -1
missingok
dateext
dateformat .%Y-%m-%d-%H-%M
notifempty
create
nocompress
}" >> "$LOGROTATE_CONFIG"
fi
done
done
# Run logrotate with the generated config
/usr/sbin/logrotate -v --state "$STATE_FILE" "$LOGROTATE_CONFIG"
{{- end }}
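Review bot: The script is declared `#!/bin/sh` and is invoked as `sh …` by the CronJob, yet every `case` arm uses the bash-style `[[ "$pod" != *envoy* ]] && continue`, which is not POSIX and only works where `sh` happens to be bash or an ash built with bash compatibility; on a strict shell the test is a syntax error and, with `set -e`, the whole job fails. A portable equivalent keeps the same shape, for example `case "$pod" in *envoy*) ;; *) continue ;; esac` in place of each `[[ … ]] && continue` line (six occurrences). The `BASE_PATH` line also splices `tpl .Values.common.clusterRefId .` into a double-quoted shell string at template time; a comment noting that the value must not contain `"`, `$` or path separators would document what the script silently assumes.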


@@ -0,0 +1,64 @@
{{- if and .Values.fluentBit.enabled .Values.fluentBit.logrotate.enabled -}}
apiVersion: batch/v1
kind: CronJob
metadata:
name: logrotate-{{ template "fluent-bit.appName" . }}
namespace: {{ .Release.Namespace }}
labels:
dplane: "logrotate-job"
spec:
concurrencyPolicy: Forbid
failedJobsHistoryLimit: 1
jobTemplate:
spec:
ttlSecondsAfterFinished: {{ .Values.fluentBit.logrotate.job_ttl }}
template:
metadata:
labels:
dplane: "logrotate-job"
spec:
serviceAccountName: {{ include "logrotate.serviceAccountName" . }}
containers:
- image: "{{ default .Values.global.image.repository .Values.global.alpinetools.image.repository }}/{{ .Values.global.alpinetools.image.name }}:{{ .Values.global.alpinetools.image.tag }}"
imagePullPolicy: {{ .Values.global.image.pullPolicy }}
command: [ "/bin/sh", "-c" ]
args:
- |
sh /etc/logrotate.d/dynamic-logrotate.sh
name: logrotate
{{- with .Values.fluentBit.logrotate.securityContext }}
securityContext:
{{- toYaml . | nindent 16 }}
{{- end }}
volumeMounts:
- mountPath: /etc/logrotate.d
name: logrotate-config
- mountPath: /efs
name: {{ .Values.global.volumeStorageName }}
- mountPath: /tmp
name: tmpdir
restartPolicy: OnFailure
{{- with .Values.global.image.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 10 }}
{{- end }}
{{- if .Values.fluentBit.logrotate.podSecurityContextEnabled -}}
{{- with .Values.fluentBit.logrotate.podSecurityContext }}
securityContext:
{{- toYaml . | nindent 12 }}
{{- end }}
{{- end }}
volumes:
- configMap:
defaultMode: 420
name: logrotate-{{ template "fluent-bit.appName" . }}
name: logrotate-config
- name: {{ .Values.global.volumeStorageName }}
persistentVolumeClaim:
claimName: {{ .Release.Namespace }}-{{ .Values.global.claimName }}
- emptyDir: {}
name: tmpdir
schedule: "{{ .Values.fluentBit.logrotate.schedule }}"
successfulJobsHistoryLimit: 1
suspend: false
{{- end }}
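Review bot: The CronJob's `metadata.labels` carry only `dplane: "logrotate-job"`, while the sibling logrotate ConfigMap, Role, RoleBinding and ServiceAccount all include `{{- include "dataplane.labels" . | nindent 4 }}`, so this is the one logrotate resource that will not match the chart's common label selectors. Adding `{{- include "dataplane.labels" . | nindent 4 }}` under `labels:` next to the existing `dplane` key brings it in line. Note also that `STATE_FILE` lives under the `tmpdir` emptyDir, so logrotate state is discarded after every run; that is harmless for the size-based rotation configured here but worth a comment, `# state is intentionally ephemeral: rotation is size-based only`, so nobody later adds time-based criteria expecting persistence.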


@@ -0,0 +1,17 @@
{{- if ( and .Values.fluentBit.logrotate.serviceAccount.enabled ( not .Values.fluentBit.logrotate.serviceAccount.preexisting ) ) -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: logrotate-{{ template "fluent-bit.appName" . }}-role
labels:
{{- include "dataplane.labels" . | nindent 4 }}
rules:
- apiGroups:
- ""
resources:
- namespaces
- pods
verbs:
- get
- list
{{- end }}
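Review bot: The Role grants `get` and `list` on `namespaces` as well as `pods`, but the logrotate script only calls `kubectl get pods` and reads its own namespace from the projected ServiceAccount file rather than from the API, so the `namespaces` rule appears unused. Dropping `- namespaces` from `resources:` keeps the job at the least privilege it actually exercises; if something else in the job image does need it, a comment above the rule naming that consumer would justify keeping it.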


@@ -0,0 +1,16 @@
{{- if ( and .Values.fluentBit.logrotate.serviceAccount.enabled ( not .Values.fluentBit.logrotate.serviceAccount.preexisting ) ) -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: logrotate-{{ template "fluent-bit.appName" . }}-role-binding
labels:
{{- include "dataplane.labels" . | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: logrotate-{{ template "fluent-bit.appName" . }}-role
subjects:
- kind: ServiceAccount
name: {{ include "logrotate.serviceAccountName" . }}
namespace: {{ .Release.Namespace }}
{{- end }}


@@ -0,0 +1,12 @@
{{- if .Values.fluentBit.logrotate.serviceAccount.enabled -}}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "logrotate.serviceAccountName" . }}
labels:
{{- include "dataplane.labels" . | nindent 4 }}
{{- with .Values.fluentBit.logrotate.serviceAccount.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- end -}}


@@ -0,0 +1,12 @@
{{- if and .Values.fluentBit.podDisruptionBudget.enabled (eq .Values.fluentBit.kind "Deployment") }}
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
name: {{ template "fluent-bit.appName" . }}
namespace: {{ .Release.Namespace }}
spec:
minAvailable: {{ .Values.fluentBit.podDisruptionBudget.minPods }}
selector:
matchLabels:
dplane: {{ .Chart.Name }}
{{- end}}
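Review bot: The PodDisruptionBudget selects `dplane: {{ .Chart.Name }}`, but the fluent-bit pods are labelled by `fluent-bit.selectorLabels`, which sets `dplane: "fluent-bit"`; unless the chart itself is named `fluent-bit`, this PDB matches no pods and provides no eviction protection for the Deployment it is meant to guard. Replacing the hand-written `matchLabels` entry with `{{- include "fluent-bit.selectorLabels" . | nindent 6 }}` ties the PDB to the same labels the Deployment's own selector uses.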


@@ -0,0 +1,18 @@
{{- if ( and .Values.fluentBit.serviceAccount.enabled ( not .Values.fluentBit.serviceAccount.preexisting ) ) -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ include "fluent-bit.appName" . }}-role
labels:
{{- include "fluent-bit.labels" . | nindent 4 }}
rules:
- apiGroups:
- ""
resources:
- namespaces
- pods
verbs:
- get
- list
- watch
{{- end }}


@@ -0,0 +1,16 @@
{{- if ( and .Values.fluentBit.serviceAccount.enabled ( not .Values.fluentBit.serviceAccount.preexisting ) ) -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ include "fluent-bit.appName" . }}-role-binding
labels:
{{- include "fluent-bit.labels" . | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ include "fluent-bit.appName" . }}-role
subjects:
- kind: ServiceAccount
name: {{ include "fluent-bit.serviceAccountName" . }}
namespace: {{ .Release.Namespace }}
{{- end }}


@@ -0,0 +1,12 @@
{{- if .Values.fluentBit.serviceAccount.enabled -}}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "fluent-bit.serviceAccountName" . }}
labels:
{{- include "fluent-bit.labels" . | nindent 4 }}
{{- with .Values.fluentBit.serviceAccount.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- end -}}


@@ -0,0 +1,66 @@
{{- define "fusionOperator.name" -}}
{{- default "fusion-operator" .Values.fusionOperator.nameOverride | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "fusionOperator.fullname" -}}
{{- if .Values.fusionOperator.fullnameOverride }}
{{- .Values.fusionOperator.fullnameOverride | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- $name := default "fusionOperator" .Values.fusionOperator.nameOverride }}
{{- if contains $name .Release.Name }}
{{- .Release.Name | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
{{- end }}
{{- end }}
{{- end }}
{{/*
Common labels
*/}}
{{- define "fusionOperator.labels" -}}
{{ include "dataplane.labels" . }}
{{ include "fusionOperator.selectorLabels" . }}
{{- end }}
{{/*
Selector labels
*/}}
{{- define "fusionOperator.selectorLabels" -}}
app.kubernetes.io/name: {{ include "fusionOperator.name" . }}
app: {{ include "fusionOperator.appName" . }}
dplane: "fusion-operator"
{{- end }}
{{- define "fusionOperator.appName" -}}
{{- $name := default "fusion-operator" .Values.fusionOperator.nameOverride -}}
{{- $env := default "fusion-operator" .Values.global.appEnv -}}
{{- printf "%s-%s" $name $env | trunc 63 | trimSuffix "-" -}}
{{- end }}
{{/*
Create the name of the service account to use
*/}}
{{- define "fusionOperator.serviceAccountName" -}}
{{- if .Values.fusionOperator.serviceAccount.enabled }}
{{- default (include "fusionOperator.fullname" .) .Values.fusionOperator.serviceAccount.name }}
{{- else }}
{{- default "default" .Values.fusionOperator.serviceAccount.name }}
{{- end }}
{{- end }}
{{/*
Create the name of the service account for jobs to use
*/}}
{{- define "fusionOperator.job.serviceAccountName" -}}
{{- if .Values.fusionOperator.job.serviceAccount.enabled }}
{{- default (include "fusionOperator.fullname" .) .Values.fusionOperator.job.serviceAccount.name }}
{{- else }}
{{- default "default" .Values.fusionOperator.job.serviceAccount.name }}
{{- end }}
{{- end }}
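Review bot: `fusionOperator.fullname` falls back to `default "fusionOperator"` while `fusionOperator.name` and `fusionOperator.appName` fall back to `"fusion-operator"`, so with no `nameOverride` the fullname becomes `<release>-fusionOperator`, which contains uppercase letters and is not a valid DNS-1123 object name; since `fusionOperator.serviceAccountName` and `fusionOperator.job.serviceAccountName` default to this fullname, the ServiceAccounts would be rejected by the API server whenever the release name does not already contain the string. The line should read `{{- $name := default "fusion-operator" .Values.fusionOperator.nameOverride }}` to match the other two helpers.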


@@ -0,0 +1,38 @@
{{- if and .Values.fusionOperator.calicoNetpol.enabled (eq (include "parent.dataplaneMode" . ) "shared") }}
apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
name: {{ template "fusionOperator.appName" . }}
namespace: {{ .Release.Namespace }}
spec:
order: 10
selector: dplane == 'fusion-operator'
types:
- Ingress
- Egress
egress:
# allow to communicate to DNS pods
- action: Allow
protocol: UDP
destination:
namespaceSelector: projectcalico.org/name == 'kube-system'
ports:
- 53
- action: Allow
protocol: TCP
destination:
namespaceSelector: projectcalico.org/name == 'kube-system'
ports:
- 53
# allow to communicate with k8s api server
- action: Allow
destination:
services:
name: kubernetes
namespace: default
protocol: TCP
### Traffic to the internet ###
- action: Allow
protocol: TCP
destination: {{ toYaml .Values.fusionOperator.calicoNetpol.outboundRule | nindent 8 }}
{{- end}}
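Review bot: The last egress rule renders `destination: {{ toYaml .Values.fusionOperator.calicoNetpol.outboundRule | nindent 8 }}`, so when that value is unset or empty the output is `destination: null`, and as far as I can tell Calico treats an empty entity rule as matching any destination — the intended internet allow-list silently becomes allow-all TCP egress for the operator. Guard the rule with `{{- with .Values.fusionOperator.calicoNetpol.outboundRule }}` … `{{- end }}` (rendering `destination: {{ toYaml . | nindent 8 }}` inside it), or fail the render with `required` when the value is missing. The inbound-worker policy ends with the same construct on `.Values.inboundWorker.calicoNetpol.outboundRule` and needs the same guard. It is also worth a comment above `types:` that the policy lists `Ingress` with no ingress rules, i.e. it intentionally denies all inbound traffic to the operator pod.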


@@ -0,0 +1,20 @@
{{- if .Values.fusionOperator.enabled }}
{{- if and (eq .Values.common.externalConfigMaps false) (eq (include "parent.dataplaneMode" . ) "shared") }}
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ template "fusionOperator.appName" . }}
namespace: {{ .Release.Namespace }}
data:
app_env: {{ .Values.global.appEnv }}
release_namespace: {{ .Release.Namespace }}
deployment_spec: |-
{{- include "orchestrator.deployment" . | nindent 4 }}
pdb_spec: |-
{{- include "orchestrator.podDisruptionBudget" . | nindent 4 }}
service_spec: |-
{{- include "orchestrator.service" . | nindent 4 }}
hpa_spec: |-
{{- include "orchestrator.hpa" . | nindent 4 }}
{{- end }}
{{- end }}
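Review bot: `app_env: {{ .Values.global.appEnv }}` and `release_namespace: {{ .Release.Namespace }}` are emitted as plain scalars, so a value such as `1.10`, `on` or an all-digit namespace is parsed as a float, bool or int and the ConfigMap is rejected because `data` values must be strings. Render both with `| quote`, e.g. `app_env: {{ .Values.global.appEnv | quote }}` and `release_namespace: {{ .Release.Namespace | quote }}`. The inbound-worker ConfigMap in this commit already writes `environment: "{{ .Values.global.appEnv }}"`, so this is also an inconsistency between the two templates.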


@@ -0,0 +1,78 @@
{{- if and .Values.fusionOperator.enabled (eq (include "parent.dataplaneMode" . ) "shared") }}
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ template "fusionOperator.appName" . }}
namespace: {{ .Release.Namespace }}
labels:
{{- include "fusionOperator.labels" . | nindent 4 }}
spec:
{{- if not .Values.fusionOperator.autoscaling.enabled }}
replicas: {{ .Values.fusionOperator.replicaCount }}
{{- end }}
strategy:
type: {{ .Values.fusionOperator.strategy.type }}
rollingUpdate:
maxSurge: {{ .Values.fusionOperator.strategy.rollingUpdate.maxSurge }}
maxUnavailable: {{ .Values.fusionOperator.strategy.rollingUpdate.maxUnavailable }}
selector:
matchLabels:
{{- include "fusionOperator.selectorLabels" . | nindent 6 }}
template:
metadata:
labels:
{{- include "fusionOperator.selectorLabels" . | nindent 8 }}
spec:
{{- if .Values.fusionOperator.serviceAccount.enabled }}
serviceAccountName: {{ include "fusionOperator.serviceAccountName" . }}
{{- end }}
{{- with .Values.global.image.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- if .Values.fusionOperator.podSecurityContextEnabled }}
securityContext:
{{ toYaml .Values.fusionOperator.podSecurityContext | nindent 8 }}
{{- end }}
{{- if .Values.fluentBit.enabled }}
{{- include "dataplane.createLogDirectoryInitContainer" (dict "serviceName" "fusion-operator" "securityContext" .Values.fusionOperator.securityContext "additionalPathParam" "" "root" .) | nindent 6 }}
{{- end }}
containers:
- name: {{ template "fusionOperator.appName" . }}
{{- if .Values.fusionOperator.leaderElection.enabled }}
command:
- /manager
args:
- --leader-elect
{{- end }}
securityContext:
{{- toYaml .Values.fusionOperator.securityContext | nindent 12 }}
image: "{{ default .Values.global.image.repository .Values.fusionOperator.image.repository }}/{{ .Values.fusionOperator.image.name }}:{{ .Values.fusionOperator.image.buildTag | default .Chart.AppVersion }}"
imagePullPolicy: {{ .Values.global.image.pullPolicy }}
env:
- name: POD_NAME
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.name
{{- with .Values.fusionOperator.env }}
{{- toYaml . | nindent 12 }}
{{- end }}
envFrom:
- configMapRef:
name: configmap-common
- configMapRef:
name: {{ template "fusionOperator.appName" . }}
resources:
{{- toYaml .Values.fusionOperator.resources | nindent 12 }}
livenessProbe: {{- toYaml .Values.fusionOperator.livenessProbe | nindent 12 }}
startupProbe: {{- toYaml .Values.fusionOperator.startupProbe | nindent 12 }}
readinessProbe: {{- toYaml .Values.fusionOperator.readinessProbe | nindent 12 }}
volumeMounts:
- name: {{ .Values.global.volumeStorageName }}
mountPath: /efs
volumes:
- name: {{ .Values.global.volumeStorageName }}
persistentVolumeClaim:
claimName: {{ .Release.Namespace }}-{{ .Values.global.claimName }}
{{- end }}
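Review bot: The `rollingUpdate:` block under `strategy:` is rendered unconditionally, but the API server rejects a Deployment that sets `rollingUpdate` while `strategy.type` is `Recreate` ("may not be specified when strategy `type` is 'Recreate'"), so that value of `.Values.fusionOperator.strategy.type` can never be applied. Wrap the block in `{{- if eq .Values.fusionOperator.strategy.type "RollingUpdate" }}` … `{{- end }}`. The inbound-worker Deployment in this commit has the same unconditional block under `.Values.inboundWorker.strategy` and needs the same guard. Separately, `{{ toYaml .Values.fusionOperator.podSecurityContext | nindent 8 }}` lacks the `{{-` trim that the sibling `imagePullSecrets` block uses, which leaves a whitespace-only line in the rendered manifest.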


@@ -0,0 +1,35 @@
{{- if .Values.fusionOperator.enabled }}
{{- if and .Values.fusionOperator.autoscaling.enabled (ne (include "parent.dataplaneMode" . ) "shared") }}
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
name: {{ template "fusionOperator.appName" . }}
namespace: {{ .Release.Namespace }}
labels:
{{- include "fusionOperator.labels" . | nindent 4 }}
spec:
scaleTargetRef:
apiVersion: apps/v1
kind: Deployment
name: {{ template "fusionOperator.appName" . }}
minReplicas: {{ .Values.fusionOperator.autoscaling.minReplicas }}
maxReplicas: {{ .Values.fusionOperator.autoscaling.maxReplicas }}
metrics:
{{- if .Values.fusionOperator.autoscaling.targetCPUUtilizationPercentage }}
- type: Resource
resource:
name: cpu
target:
type: Utilization
averageUtilization: {{ .Values.fusionOperator.autoscaling.targetCPUUtilizationPercentage }}
{{- end }}
{{- if .Values.fusionOperator.autoscaling.targetMemoryUtilizationPercentage }}
- type: Resource
resource:
name: memory
target:
type: Utilization
averageUtilization: {{ .Values.fusionOperator.autoscaling.targetMemoryUtilizationPercentage }}
{{- end }}
{{- end }}
{{- end}}
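Review bot: The HPA is gated on `(ne (include "parent.dataplaneMode" . ) "shared")`, while the Deployment it targets is only rendered when the mode is `shared`; in non-shared mode the HPA references a Deployment that does not exist, and in shared mode autoscaling is never configured even though the Deployment omits `replicas` when `autoscaling.enabled` is true. This looks like an inverted condition — every sibling template uses `eq` — so the guard should read `{{- if and .Values.fusionOperator.autoscaling.enabled (eq (include "parent.dataplaneMode" . ) "shared") }}`.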


@@ -0,0 +1,40 @@
{{- if and .Values.fusionOperator.enabled (eq (include "parent.dataplaneMode" . ) "shared") }}
{{- if .Values.fusionOperator.calicoNetpol.enabled }}
apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
name: crd-netpol
namespace: {{ .Release.Namespace }}
annotations:
"helm.sh/hook": pre-install,pre-upgrade,pre-delete
"helm.sh/hook-weight": "-5"
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
spec:
order: 10
selector: dplane == 'crd-job'
types:
- Ingress
- Egress
egress:
# allow to communicate to DNS pods
- action: Allow
protocol: UDP
destination:
namespaceSelector: projectcalico.org/name == 'kube-system'
ports:
- 53
- action: Allow
protocol: TCP
destination:
namespaceSelector: projectcalico.org/name == 'kube-system'
ports:
- 53
# allow to communicate with k8s api server
- action: Allow
destination:
services:
name: kubernetes
namespace: default
protocol: TCP
{{- end }}
{{- end }}
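Review bot: Both DNS egress rules select only `namespaceSelector: projectcalico.org/name == 'kube-system'`, which permits port 53 to any pod in kube-system rather than just the resolvers. Adding `selector: k8s-app == 'kube-dns'` under each `destination:` narrows the rule to the DNS pods (adjust the label if the cluster's DNS add-on uses a different one). The fusion-operator and inbound-worker Calico policies in this commit use the same two DNS rules and could be tightened the same way.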


@@ -0,0 +1,21 @@
{{- if and .Values.fusionOperator.enabled (eq (include "parent.dataplaneMode" . ) "shared") }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ template "fusionOperator.name" . }}-role
annotations:
"helm.sh/hook": pre-install,pre-upgrade,pre-delete
"helm.sh/hook-weight": "-1"
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
rules:
- apiGroups: ["apiextensions.k8s.io"]
resources:
- customresourcedefinitions
verbs:
- delete
- create
- update
- get
- list
- watch
{{- end }}
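Review bot: The verb list grants `update` but not `patch`, and `kubectl apply` updates an existing object with a PATCH request, so the `apply-crd` job run from the `pre-upgrade` hook will be forbidden once the CRD already exists; add `- patch` to the list. The ClusterRole is cluster-scoped but named only `{{ template "fusionOperator.name" . }}-role`, so two releases in different namespaces share the same object and, via `before-hook-creation`, delete and recreate each other's copy — including `.Release.Namespace` in the name avoids that. `list` and `watch` do not appear to be needed for a one-shot apply or delete by name and could be dropped for least privilege.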


@@ -0,0 +1,18 @@
{{- if and .Values.fusionOperator.enabled (eq (include "parent.dataplaneMode" . ) "shared") }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ template "fusionOperator.name" . }}-role-binding
annotations:
"helm.sh/hook": pre-install,pre-upgrade,pre-delete
"helm.sh/hook-weight": "-1"
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ template "fusionOperator.name" . }}-role
subjects:
- kind: ServiceAccount
name: {{ .Values.fusionOperator.job.serviceAccount.enabled | ternary .Values.fusionOperator.job.serviceAccount.name "default" }}
namespace: {{ .Release.Namespace }}
{{- end }}
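Review bot: The subject name is computed as `.Values.fusionOperator.job.serviceAccount.enabled | ternary .Values.fusionOperator.job.serviceAccount.name "default"`, but the Job itself uses `include "fusionOperator.job.serviceAccountName"`, which falls back to `fusionOperator.fullname` when `serviceAccount.name` is empty; in that configuration the binding targets an empty name and the job's real ServiceAccount receives no permissions. Use the same helper here: `name: {{ include "fusionOperator.job.serviceAccountName" . }}`. The operator RoleBinding in this commit has the same mismatch against `fusionOperator.serviceAccountName` and should be changed the same way.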


@@ -0,0 +1,38 @@
{{- if and .Values.fusionOperator.enabled (eq (include "parent.dataplaneMode" . ) "shared") }}
apiVersion: batch/v1
kind: Job
metadata:
name: remove-crd
annotations:
"helm.sh/hook": pre-delete
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
labels:
dplane: "crd-job"
spec:
ttlSecondsAfterFinished: {{ .Values.fusionOperator.job.removeJob_ttl }}
template:
metadata:
labels:
dplane: "crd-job"
spec:
{{- with .Values.global.image.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- if .Values.fusionOperator.job.serviceAccount.enabled }}
serviceAccountName: {{ include "fusionOperator.job.serviceAccountName" . }}
{{- end }}
{{- if .Values.fusionOperator.podSecurityContextEnabled }}
securityContext: {{- toYaml .Values.fusionOperator.podSecurityContext | nindent 8 }}
{{- end }}
restartPolicy: OnFailure
containers:
- name: delete-crd
securityContext: {{- toYaml .Values.fusionOperator.securityContext | nindent 12 }}
image: "{{ default .Values.global.image.repository .Values.global.alpinetools.image.repository }}/{{ .Values.global.alpinetools.image.name }}:{{ .Values.global.alpinetools.image.tag }}"
command:
- /bin/sh
- -c
- |
kubectl delete crd orchestrators.operator.fusion.axway.com --ignore-not-found=true
{{- end }}
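Review bot: `kubectl delete crd orchestrators.operator.fusion.axway.com --ignore-not-found=true` runs as a `pre-delete` hook, and deleting a CRD is cluster-wide: it cascades to every Orchestrator object in every namespace, so uninstalling this release also destroys resources belonging to any other release that shares the CRD. Gate the hook behind an explicit opt-in value (a new key under `.Values.fusionOperator.job`, name to be chosen, defaulting to false) and put a comment above `name: remove-crd` stating that blast radius. The alpinetools image is pinned only by `.Values.global.alpinetools.image.tag`; for a job that runs with cluster-wide CRD permissions, a digest-pinned reference would be the safer default.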


@@ -0,0 +1,40 @@
{{- if and .Values.fusionOperator.enabled (eq (include "parent.dataplaneMode" . ) "shared") }}
apiVersion: batch/v1
kind: Job
metadata:
name: apply-crd
annotations:
"helm.sh/hook": pre-install,pre-upgrade
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
labels:
dplane: "crd-job"
spec:
ttlSecondsAfterFinished: {{ .Values.fusionOperator.job.updateJob_ttl }}
template:
metadata:
labels:
dplane: "crd-job"
spec:
{{- with .Values.global.image.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- if .Values.fusionOperator.job.serviceAccount.enabled }}
serviceAccountName: {{ include "fusionOperator.job.serviceAccountName" . }}
{{- end }}
{{- if .Values.fusionOperator.podSecurityContextEnabled }}
securityContext: {{- toYaml .Values.fusionOperator.podSecurityContext | nindent 8 }}
{{- end }}
restartPolicy: OnFailure
containers:
- name: apply-crd
securityContext: {{- toYaml .Values.fusionOperator.securityContext | nindent 12 }}
image: "{{ default .Values.global.image.repository .Values.global.alpinetools.image.repository }}/{{ .Values.global.alpinetools.image.name }}:{{ .Values.global.alpinetools.image.tag }}"
command:
- /bin/sh
- -c
- |
cat <<EOF | kubectl apply -f -
{{ .Files.Get "crd/orchestrator.yaml" | nindent 14 }}
EOF
{{- end }}
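Review bot: The heredoc delimiter in `cat <<EOF | kubectl apply -f -` is unquoted, so the shell performs parameter expansion and command substitution over the entire CRD text before kubectl sees it; any `$` or backtick inside the CRD's description strings would be rewritten or executed. Quote it: `cat <<'EOF' | kubectl apply -f -`. `.Files.Get` also returns an empty string when the path is missing, so `{{ required "crd/orchestrator.yaml is missing from the chart" (.Files.Get "crd/orchestrator.yaml") | nindent 14 }}` would fail at render time instead of inside the hook.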


@@ -0,0 +1,18 @@
{{- if and .Values.fusionOperator.enabled (eq (include "parent.dataplaneMode" . ) "shared") }}
{{- if ( and .Values.fusionOperator.job.serviceAccount.enabled ( not .Values.fusionOperator.job.serviceAccount.preexisting ) ) -}}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "fusionOperator.job.serviceAccountName" . }}
labels:
{{- include "fusionOperator.labels" . | nindent 4 }}
annotations:
{{- with .Values.fusionOperator.job.serviceAccount.annotations }}
{{- toYaml . }}
{{- end }}
"helm.sh/hook": pre-install,pre-upgrade,pre-delete
"helm.sh/hook-weight": "-1"
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
automountServiceAccountToken: {{ .Values.fusionOperator.job.serviceAccount.automountServiceAccountToken }}
{{- end }}
{{- end }}
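Review bot: `{{- toYaml . }}` inside the `with .Values.fusionOperator.job.serviceAccount.annotations` block emits the user's annotations with no newline or indentation, and the leading `{{-` also trims the newline after `annotations:`, so any non-empty annotations map renders as `annotations:key: value` and the manifest fails to parse — precisely the case where a cloud IAM role annotation is set. Use `{{- toYaml . | nindent 4 }}`. The operator ServiceAccount template in this commit has the identical construct and needs the same fix.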


@@ -0,0 +1,155 @@
{{- if and .Values.fusionOperator.enabled (eq (include "parent.dataplaneMode" . ) "shared") }}
{{- if ( and .Values.fusionOperator.serviceAccount.enabled ( not .Values.fusionOperator.serviceAccount.preexisting ) ) -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ template "fusionOperator.name" . }}-role
rules:
- apiGroups:
- apps
resources:
- deployments
verbs:
- create
- delete
- get
- list
- update
- watch
- apiGroups:
- apps
resources:
- deployments/status
verbs:
- get
- patch
- update
- apiGroups:
- ""
resources:
- configmaps
verbs:
- create
- get
- list
- watch
- update
- delete
- apiGroups:
- ""
resources:
- services
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
# Rules for managing Roles and RoleBindings (RBAC)
- apiGroups:
- rbac.authorization.k8s.io
resources:
- roles
- rolebindings
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
# Rules for managing ServiceAccounts
- apiGroups:
- ""
resources:
- serviceaccounts
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
# Rules for managing PodDisruptionBudget (PDB)
- apiGroups:
- policy
resources:
- poddisruptionbudgets
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- operator.fusion.axway.com
resources:
- orchestrators
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- operator.fusion.axway.com
resources:
- orchestrators/status
verbs:
- get
- patch
- update
- apiGroups:
- autoscaling
resources:
- horizontalpodautoscalers
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
{{- if .Values.fusionOperator.leaderElection.enabled }}
- apiGroups:
- coordination.k8s.io
resources:
- leases
verbs:
- get
- list
- watch
- create
- update
- patch
- delete
- apiGroups:
- ""
resources:
- events
verbs:
- create
{{- end }}
- apiGroups: ["apiextensions.k8s.io"]
resources:
- customresourcedefinitions
verbs:
- delete
- create
- update
- get
- list
- watch
{{- end }}
{{- end }}
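Review bot: The final rule, `apiGroups: ["apiextensions.k8s.io"]` on `customresourcedefinitions`, sits in a namespaced Role, and a Role cannot grant access to a cluster-scoped resource, so it is dead weight; the same grant already exists on the hook ClusterRole, and removing it here keeps the Role an honest statement of what the operator can do. On the least-privilege side, `create/update/patch/delete` on `roles`, `rolebindings` and `serviceaccounts` lets the operator mint identities and bindings up to its own permission set, which deserves a why-comment above `# Rules for managing Roles and RoleBindings (RBAC)`. The first `deployments` rule lacks `patch` while `deployments/status` has it; confirm the operator never issues a Patch on Deployments, since that call would be forbidden.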


@@ -0,0 +1,16 @@
{{- if and .Values.fusionOperator.enabled (eq (include "parent.dataplaneMode" . ) "shared") }}
{{- if ( and .Values.fusionOperator.serviceAccount.enabled ( not .Values.fusionOperator.serviceAccount.preexisting ) ) -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ template "fusionOperator.name" . }}-role-binding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ template "fusionOperator.name" . }}-role
subjects:
- kind: ServiceAccount
name: {{ .Values.fusionOperator.serviceAccount.enabled | ternary .Values.fusionOperator.serviceAccount.name "default" }}
namespace: {{ .Release.Namespace }}
{{- end }}
{{- end }}


@@ -0,0 +1,15 @@
{{- if and .Values.fusionOperator.enabled (eq (include "parent.dataplaneMode" . ) "shared") }}
{{- if ( and .Values.fusionOperator.serviceAccount.enabled ( not .Values.fusionOperator.serviceAccount.preexisting ) ) -}}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "fusionOperator.serviceAccountName" . }}
labels:
{{- include "fusionOperator.labels" . | nindent 4 }}
annotations:
{{- with .Values.fusionOperator.serviceAccount.annotations }}
{{- toYaml . }}
{{- end }}
automountServiceAccountToken: {{ .Values.fusionOperator.serviceAccount.automountServiceAccountToken }}
{{- end }}
{{- end }}


@@ -0,0 +1,8 @@
Thank you for installing the {{ .Chart.Name }} chart for the Amplify Integration Platform.
Your release is named {{ .Release.Name }}.
To learn more about the release, try:
$ helm status {{ .Release.Name }}
$ helm get all {{ .Release.Name }}


@@ -0,0 +1,76 @@
{{- define "inbound-worker.name" -}}
{{- default "inbound-worker" .Values.inboundWorker.nameOverride | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "inbound-worker.fullname" -}}
{{- if .Values.inboundWorker.fullnameOverride }}
{{- .Values.inboundWorker.fullnameOverride | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- $name := default "inbound-worker" .Values.inboundWorker.nameOverride }}
{{- if contains $name .Release.Name }}
{{- .Release.Name | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
{{- end }}
{{- end }}
{{- end }}
{{/*
Common labels
*/}}
{{- define "inbound-worker.labels" -}}
{{ include "dataplane.labels" . }}
{{ include "inbound-worker.selectorLabels" . }}
{{- end }}
{{/*
Selector labels
*/}}
{{- define "inbound-worker.selectorLabels" -}}
app.kubernetes.io/name: {{ include "inbound-worker.name" . }}
app: {{ include "inbound-worker.appName" . }}
dplane: "inbound-worker"
{{- end }}
{{/*
Create the name of the service account to use
*/}}
{{- define "inbound-worker.serviceAccountName" -}}
{{- if .Values.inboundWorker.serviceAccount.enabled }}
{{- default (include "inbound-worker.fullname" .) .Values.inboundWorker.serviceAccount.name }}
{{- else }}
{{- default "default" .Values.inboundWorker.serviceAccount.name }}
{{- end }}
{{- end }}
{{/*
Custom templates start here
*/}}
{{- define "inbound-worker.appName" -}}
{{- $name := default "inbound-worker" .Values.inboundWorker.nameOverride -}}
{{- $env := default "inbound-worker" .Values.global.appEnv -}}
{{- printf "%s-%s" $name $env | trunc 63 | trimSuffix "-" -}}
{{- end }}
{{/*
Image name
*/}}
{{- define "image.finalname" -}}
{{- printf "%s/%s:%s" .Values.inboundWorker.image.server "inbound-worker" .Chart.AppVersion }}
{{- end }}
{{/*
Cpu min request
*/}}
{{- define "microserviceChart.minCpuUnits" -}}
"
{{- index .Values.inboundWorker.valuesPerEnvironment.cpuUnits ((pluck .Values.inboundWorker.environment .Values.inboundWorker.environments | first | default .Values.inboundWorker.environments.sandbox) | int) -}}
m"
{{- end }}
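Review bot: `image.finalname` and `microserviceChart.minCpuUnits` are defined outside the `inbound-worker.` prefix that every other helper in this file uses; Helm named templates share a single global namespace across the chart and its subcharts, so generic names like these are the ones most likely to be silently overridden by a later definition. Rename them `inbound-worker.image.finalname` and `inbound-worker.minCpuUnits` and update any callers. `image.finalname` also builds the image from `.Values.inboundWorker.image.server` and `.Chart.AppVersion`, whereas the Deployment composes it from `.Values.inboundWorker.image.repository`, `.name` and `.buildTag`; if the helper is unused it should be removed rather than left as a second source of truth.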


@@ -0,0 +1,80 @@
{{- if .Values.inboundWorker.calicoNetpol.enabled }}
apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
name: {{ template "inbound-worker.appName" .}}
namespace: {{ .Release.Namespace }}
spec:
order: 10
selector: dplane == 'inbound-worker'
types:
- Ingress
- Egress
ingress:
### traffic from inbound-worker & orchestrator,ingress###
- action: Allow
protocol: TCP
source:
selector: dplane == 'orchestrator' || dplane == 'inbound-worker' || dplane == 'envoy'
namespaceSelector: projectcalico.org/name == '{{ .Release.Namespace }}'
destination:
ports:
{{- range .Values.inboundWorker.service.ports}}
- {{ .targetPort }}
{{- end}}
egress:
# allow to communicate to DNS pods
- action: Allow
protocol: UDP
destination:
namespaceSelector: projectcalico.org/name == 'kube-system'
ports:
- 53
- action: Allow
protocol: TCP
destination:
namespaceSelector: projectcalico.org/name == 'kube-system'
ports:
- 53
### Traffic to Valkey ###
{{- if .Values.valkey.enabled }}
- action: Allow
protocol: TCP
destination:
{{- if and .Values.valkey.internal.enabled .Values.valkey.internal.calicoNetpol.enabled }}
selector: dplane == 'valkey'
namespaceSelector: projectcalico.org/name == '{{ .Release.Namespace }}'
{{- else if and .Values.valkey.external.enabled .Values.valkey.external.calicoNetpol.enabled }}
ports:
{{- include "dataplane.collectPorts" (dict "hosts" .Values.valkey.hosts "defaultPort" 6379) | trim | nindent 10 }}
{{- $rule := .Values.valkey.external.calicoNetpol.outboundRule }}
{{- if $rule.nets }}
nets:
{{- range $rule.nets }}
- {{ . }}
{{- end }}
{{- else if $rule.selector }}
selector: {{ $rule.selector }}
{{- else }}
namespaceSelector: projectcalico.org/name == '{{ .Release.Namespace }}'
{{- end }}
{{- end }}
{{- end }}
### traffic to the orchestrator ###
- action: Allow
protocol: TCP
destination:
selector: dplane == 'orchestrator'
namespaceSelector: projectcalico.org/name == '{{ .Release.Namespace }}'
# allow to communicate with k8s api server
- action: Allow
destination:
services:
name: kubernetes
namespace: default
protocol: TCP
### Traffic to the internet ###
- action: Allow
protocol: TCP
destination: {{ toYaml .Values.inboundWorker.calicoNetpol.outboundRule | nindent 8 }}
{{- end }}
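Review bot: In the `### Traffic to Valkey ###` rule, when `.Values.valkey.enabled` is true but the selected backend's `calicoNetpol.enabled` is false, neither branch under `destination:` renders and the key is left empty; an empty entity rule matches every destination, so the rule degrades to allow-all TCP egress for the inbound-worker. Fold the sub-conditions into the outer guard, e.g. `{{- if and .Values.valkey.enabled (or (and .Values.valkey.internal.enabled .Values.valkey.internal.calicoNetpol.enabled) (and .Values.valkey.external.enabled .Values.valkey.external.calicoNetpol.enabled)) }}`, so the rule is emitted only when it has a destination.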


@@ -0,0 +1,85 @@
{{- if eq .Values.common.externalConfigMaps false }}
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ template "inbound-worker.appName" . }}
namespace: {{ .Release.Namespace }}
data:
kubernetes_service_name: {{ template "inbound-worker.appName" . }}
environment: "{{ .Values.global.appEnv }}"
domain: "{{ .Values.global.external_domain }}"
JAVA_OPTS: "{{ .Values.inboundWorker.javaOpts }}"
sftp_enable: "{{ .Values.inboundWorker.sftp_enable }}"
http_enable: "{{ .Values.inboundWorker.http_enable }}"
https_enable: "{{ .Values.inboundWorker.https_enable }}"
api_enable: "{{ .Values.inboundWorker.api_enable }}"
api_mtls_enable: "{{ .Values.inboundWorker.api_mtls_enable }}"
enable_legacy_tls: "{{ .Values.inboundWorker.enable_legacy_tls }}"
host_name: "{{ .Values.global.external_domain }}"
mailTriggerInterval: "{{ .Values.inboundWorker.mailTriggerInterval }}"
txn_log_base_path: "{{ .Values.inboundWorker.hostPath.enabled | ternary .Values.inboundWorker.txn_log_base_path .Values.inboundWorker.efs_txn_log_path }}"
{{- if .Values.inboundWorker.hostPath.enabled }}
ebs_root: "{{ .Values.inboundWorker.ebs_root }}"
{{- end }}
{{- if .Values.valkey.enabled }}
datagrid_subscriptions_per_connection: "{{ .Values.inboundWorker.datagrid_subscriptions_per_connection }}"
datagrid_subscription_connection_pool_size: "{{ .Values.inboundWorker.datagrid_subscription_connection_pool_size }}"
{{- end }}
only_reschedule_missed_events_newer_than: "{{ .Values.inboundWorker.only_reschedule_missed_events_newer_than }}"
stale_process_interval: "{{ .Values.inboundWorker.stale_process_interval }}"
QUARKUS_LOG_CONSOLE_LEVEL: "{{ .Values.inboundWorker.QUARKUS_LOG_CONSOLE_LEVEL }}"
TERMINATION_GRACE_PERIOD_SECS: "{{ .Values.inboundWorker.terminationGracePeriodSeconds }}"
QUARKUS_SHUTDOWN_DELAY: "{{ .Values.inboundWorker.preStopSleepSeconds }}"
max_payload_size_kbs: "{{ .Values.inboundWorker.max_payload_size_kbs }}"
heartbeat_time_interval_sec: "{{ .Values.inboundWorker.heartbeat_time_interval_sec }}"
heartbeat_timeout_sec: "{{ .Values.inboundWorker.heartbeat_timeout_sec }}"
leader_lease_duration: "{{ .Values.inboundWorker.leader_lease_duration }}"
leader_lease_renew_period: "{{ .Values.inboundWorker.leader_lease_renew_period }}"
leader_lease_retry_period: "{{ .Values.inboundWorker.leader_lease_retry_period }}"
delegate_inoperative_pod_events_interval_sec: "{{ .Values.inboundWorker.delegate_inoperative_pod_events_interval_sec }}"
http_tls_termination: "{{ .Values.inboundWorker.http_tls_termination }}"
{{- if eq .Values.inboundWorker.aws.enabled true }}
Access_Key: {{ .Values.inboundWorker.aws.Access_Key }}
Secret_Key: {{ .Values.inboundWorker.aws.Secret_Key }}
region: {{ .Values.inboundWorker.aws.Region }}
{{- end }}
{{- if regexMatch "^ampint-[0-9.]+_[0-9][0-9][0-9][0-9].*$" .Values.inboundWorker.image.buildTag }}
deployed_version: "{{ regexReplaceAll "^ampint-([0-9.]+)_[0-9][0-9][0-9][0-9].*$" .Values.inboundWorker.image.buildTag "${1}" }}"
{{- else if regexMatch "^([^_]+)_[0-9][0-9][0-9][0-9].*$" .Values.inboundWorker.image.buildTag }}
deployed_version: "{{ regexReplaceAll "^([^_]+)_[0-9][0-9][0-9][0-9].*$" .Values.inboundWorker.image.buildTag "${1}" }}"
{{- else if regexMatch "^(.+)-SNAPSHOT$" .Values.inboundWorker.image.buildTag }}
deployed_version: "{{ regexReplaceAll "^(.+)-SNAPSHOT$" .Values.inboundWorker.image.buildTag "${1}" }}"
{{- else }}
deployed_version: "{{ .Values.inboundWorker.image.buildTag }}"
{{- end }}
multihost_enabled: "{{ .Values.global.multihost.enabled }}"
api_external_host: "{{ .Values.global.multihost.listeners.tls.api.hostPrefix }}.{{ .Values.global.external_domain }}"
api_mtls_external_host: "{{ .Values.global.multihost.listeners.tls.api_mtls.hostPrefix }}.{{ .Values.global.external_domain }}"
http_sse_external_host: "{{ .Values.global.multihost.listeners.tls.api.hostPrefix }}.{{ .Values.global.external_domain }}"
http_external_host: "{{ .Values.global.multihost.listeners.tcp.http.hostPrefix }}.{{ .Values.global.external_domain }}"
https_external_host: "{{ .Values.global.multihost.listeners.tls.https.hostPrefix }}.{{ .Values.global.external_domain }}"
sftp_external_host: "{{ .Values.global.multihost.listeners.ssh.sftp.hostPrefix }}.{{ .Values.global.external_domain }}"
webhook_external_host: "{{ .Values.global.multihost.listeners.tls.webhook.hostPrefix }}.{{ .Values.global.external_domain }}"
sftp_external_port: {{ .Values.global.multihost.enabled | ternary .Values.global.multihost.listeners.ssh.port "9022" | quote }}
https_external_port: {{ .Values.global.multihost.enabled | ternary .Values.global.multihost.listeners.tls.port "9443" | quote }}
http_external_port: {{ .Values.global.multihost.enabled | ternary .Values.global.multihost.listeners.tcp.port "9080" | quote }}
webhook_external_port: {{ .Values.global.multihost.enabled | ternary .Values.global.multihost.listeners.tls.port "443" | quote }}
api_external_port: {{ .Values.global.multihost.enabled | ternary .Values.global.multihost.listeners.tls.port "4443" | quote }}
api_mtls_external_port: {{ .Values.global.multihost.enabled | ternary .Values.global.multihost.listeners.tls.port "5443" | quote }}
http_sse_external_port: {{ .Values.global.multihost.enabled | ternary .Values.global.multihost.listeners.tls.port "4443" | quote }}
sap_enabled: "{{ .Values.inboundWorker.sap_enabled }}"
sap_lib_directory: "{{ .Values.inboundWorker.sap_lib_directory }}"
{{- if not (eq .Values.inboundWorker.salesforce.pubsub_api_url "") }}
EVENT_SALESFORCE_PUBSUB_API_URL: {{ .Values.inboundWorker.salesforce.pubsub_api_url | quote }}
{{- end }}
{{- if not (eq .Values.inboundWorker.salesforce.retry_initial_backoff_duration "") }}
EVENT_SALESFORCE_RETRY_INITIAL_BACKOFF: {{ .Values.inboundWorker.salesforce.retry_initial_backoff_duration | quote }}
{{- end }}
{{- if not (eq .Values.inboundWorker.salesforce.retry_max_backoff_duration "") }}
EVENT_SALESFORCE_RETRY_MAX_BACKOFF: {{ .Values.inboundWorker.salesforce.retry_max_backoff_duration | quote }}
{{- end }}
{{- if not (eq .Values.inboundWorker.salesforce.retry_status_code_list "") }}
EVENT_SALESFORCE_RETRY_GRPC_STATUS_CODES: {{ .Values.inboundWorker.salesforce.retry_status_code_list | quote }}
{{- end }}
{{- end }}
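Review bot: `Access_Key: {{ .Values.inboundWorker.aws.Access_Key }}` and `Secret_Key: {{ .Values.inboundWorker.aws.Secret_Key }}` put long-lived AWS credentials in a ConfigMap, which is readable by anyone with `get configmaps` in the namespace, is not covered by Secret encryption at rest, and is echoed by `helm get manifest`. Move them to a Secret consumed from the Deployment via `envFrom: - secretRef:` (keeping `region` in the ConfigMap), or better, to an IAM role bound to the ServiceAccount so no static key exists at all; the three values are also unquoted and would mis-parse if they begin with a digit or `+`. A separate template along these lines (Secret name illustrative) would do:

```yaml
{{- if eq .Values.inboundWorker.aws.enabled true }}
apiVersion: v1
kind: Secret
metadata:
  name: {{ template "inbound-worker.appName" . }}-aws
  namespace: {{ .Release.Namespace }}
type: Opaque
stringData:
  Access_Key: {{ .Values.inboundWorker.aws.Access_Key | quote }}
  Secret_Key: {{ .Values.inboundWorker.aws.Secret_Key | quote }}
{{- end }}
```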


@@ -0,0 +1,196 @@
{{- if .Values.inboundWorker.enabled }}
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ template "inbound-worker.appName" . }}
namespace: {{ .Release.Namespace }}
labels:
{{- include "inbound-worker.labels" . | nindent 4 }}
spec:
{{- if not .Values.inboundWorker.autoscaling.enabled }}
replicas: {{ .Values.inboundWorker.replicaCount }}
{{- end }}
strategy:
type: {{ .Values.inboundWorker.strategy.type }}
rollingUpdate:
maxSurge: {{ .Values.inboundWorker.strategy.rollingUpdate.maxSurge }}
maxUnavailable: {{ .Values.inboundWorker.strategy.rollingUpdate.maxUnavailable }}
selector:
matchLabels:
{{- include "inbound-worker.selectorLabels" . | nindent 6 }}
template:
metadata:
{{- with .Values.inboundWorker.podAnnotations }}
annotations:
{{- toYaml . | nindent 8 }}
{{- end }}
labels:
{{- include "inbound-worker.selectorLabels" . | nindent 8 }}
spec:
terminationGracePeriodSeconds: {{ .Values.inboundWorker.terminationGracePeriodSeconds }}
{{- with .Values.global.image.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- if .Values.inboundWorker.serviceAccount.enabled }}
serviceAccountName: {{ include "inbound-worker.serviceAccountName" . }}
{{- end }}
{{- if .Values.inboundWorker.podSecurityContextEnabled }}
securityContext: {{- toYaml .Values.inboundWorker.podSecurityContext | nindent 8 }}
{{- end }}
dnsConfig:
options:
- name: use-vc
initContainers:
- name: {{ .Chart.Name }}-init
securityContext:
{{- toYaml .Values.inboundWorker.securityContext | nindent 12 }}
image: "{{ default .Values.global.image.repository .Values.global.alpinetools.image.repository }}/{{ .Values.global.alpinetools.image.name }}:{{ .Values.global.alpinetools.image.tag }}"
imagePullPolicy: {{ .Values.global.image.pullPolicy }}
env:
- name: POD_NAME
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.name
envFrom:
- configMapRef:
name: configmap-common
volumeMounts:
- name: {{ .Values.global.volumeStorageName }}
mountPath: /efs
command:
- "/bin/sh"
- "-c"
- |
{{- if .Values.valkey.internal.enabled }}
{{ include "dataplane.commonInit" (dict "context" . "buildTag" .Values.inboundWorker.image.buildTag "internal" true "replicas" .Values.valkey.internal.clusterSize) | nindent 14 }}
{{- else if .Values.valkey.external.enabled }}
{{ include "dataplane.commonInit" (dict "context" . "buildTag" .Values.inboundWorker.image.buildTag) | nindent 14 }}
{{- end }}
{{- if .Values.fluentBit.enabled }}
{{ include "dataplane.createLogDirectory" (dict "serviceName" "inbound" "efsRoot" "${efs_root}" "podName" "${POD_NAME}" "additionalPathParam" "inbound") | nindent 14 }}
{{- end }}
{{- with .Values.global.initContainers.resources }}
resources:
{{- toYaml . | nindent 12 }}
{{- end }}
containers:
- name: {{ template "inbound-worker.appName" . }}
securityContext:
{{- toYaml .Values.inboundWorker.securityContext | nindent 12 }}
image: "{{ default .Values.global.image.repository .Values.inboundWorker.image.repository }}/{{ .Values.inboundWorker.image.name }}:{{ .Values.inboundWorker.image.buildTag | default .Chart.AppVersion }}"
imagePullPolicy: {{ .Values.global.image.pullPolicy }}
envFrom:
- secretRef:
name: {{ .Values.common.clusterDetails.name }}
{{- if .Values.common.email_authentication }}
- secretRef:
name: {{ .Values.common.fromMail.name }}
{{- end }}
{{- if .Values.valkey.enabled }}
- secretRef:
name: {{ .Values.common.datagridCredentials.name }}
{{- end }}
- configMapRef:
name: configmap-common
- configMapRef:
name: {{ template "inbound-worker.appName" . }}
env:
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: local_ip
valueFrom:
fieldRef:
fieldPath: status.podIP
- name: server_truststore_password
valueFrom:
secretKeyRef:
key: password
name: certificate-password
- name: server_cert_password
valueFrom:
secretKeyRef:
key: password
name: certificate-password
- name: sftp_server_cert_password
valueFrom:
secretKeyRef:
key: password
name: certificate-password
{{- with .Values.inboundWorker.env }}
{{- toYaml . | nindent 12 }}
{{- end }}
ports:
- containerPort: 8080
name: internal
- containerPort: 9080
name: openapi
- containerPort: 9443
name: service
- containerPort: 2222
name: ssh
- containerPort: 9090
name: xds
volumeMounts:
- name: {{ .Values.global.volumeStorageName }}
mountPath: /efs
- name: tmpdir
mountPath: /tmp
{{- if .Values.inboundWorker.hostPath.enabled }}
- name: payloads-txn-data
mountPath: "{{ .Values.inboundWorker.ebs_root }}"
- name: txn-log-base-path
mountPath: "{{ .Values.inboundWorker.txn_log_base_path }}"
{{- end }}
- mountPath: "/certificate"
name: cert
- mountPath: "/certificate/{{ .Values.common.certificate.name }}"
subPath: {{ .Values.common.certificate.name }}
name: domain-certificate
resources:
{{- toYaml .Values.inboundWorker.resources | nindent 12 }}
livenessProbe: {{- toYaml .Values.inboundWorker.livenessProbe | nindent 12 }}
startupProbe: {{- toYaml .Values.inboundWorker.startupProbe | nindent 12 }}
readinessProbe: {{- toYaml .Values.inboundWorker.readinessProbe | nindent 12 }}
volumes:
- name: tmpdir
emptyDir: {}
{{- if .Values.inboundWorker.hostPath.enabled }}
- name: payloads-txn-data
hostPath:
path: /local/dx-data/data
type: DirectoryOrCreate
- name: txn-log-base-path
hostPath:
path: /local/dx-data/logs
type: DirectoryOrCreate
{{- end }}
- name: {{ .Values.global.volumeStorageName }}
persistentVolumeClaim:
claimName: {{ .Release.Namespace }}-{{ .Values.global.claimName }}
- name: cert
emptyDir: {}
- name: domain-certificate
secret:
secretName: domain-certificate
items:
- key: {{ .Values.common.certificate.name }}
path: {{ .Values.common.certificate.name }}
{{- with .Values.inboundWorker.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.inboundWorker.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.inboundWorker.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- end }}
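Review bot: With `.Values.inboundWorker.hostPath.enabled` the pod mounts `/local/dx-data/data` and `/local/dx-data/logs` from the node with `type: DirectoryOrCreate`, which gives the container read-write access to node filesystem paths shared by every replica scheduled there and is rejected under the `baseline` and `restricted` Pod Security Standards. Document that trade-off in a comment above `{{- if .Values.inboundWorker.hostPath.enabled }}` in the `volumes:` list and in values.yaml, and state that the `podSecurityContext`/`securityContext` values used with it are expected to run non-root without privilege escalation, since these mounts bypass PVC-level isolation. The `certificate-password` and `domain-certificate` Secret names are hard-coded while every other Secret comes from `.Values.common.*`; a short comment saying who creates them would save the next reader a search.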


@@ -0,0 +1,33 @@
{{- if .Values.inboundWorker.autoscaling.enabled }}
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
name: {{ template "inbound-worker.appName" . }}
namespace: {{ .Release.Namespace }}
labels:
{{- include "inbound-worker.labels" . | nindent 4 }}
spec:
scaleTargetRef:
apiVersion: apps/v1
kind: Deployment
name: {{ template "inbound-worker.appName" . }}
minReplicas: {{ .Values.inboundWorker.autoscaling.minReplicas }}
maxReplicas: {{ .Values.inboundWorker.autoscaling.maxReplicas }}
metrics:
{{- if .Values.inboundWorker.autoscaling.targetCPUUtilizationPercentage }}
- type: Resource
resource:
name: cpu
target:
type: Utilization
averageUtilization: {{ .Values.inboundWorker.autoscaling.targetCPUUtilizationPercentage }}
{{- end }}
{{- if .Values.inboundWorker.autoscaling.targetMemoryUtilizationPercentage }}
- type: Resource
resource:
name: memory
target:
type: Utilization
averageUtilization: {{ .Values.inboundWorker.autoscaling.targetMemoryUtilizationPercentage }}
{{- end }}
{{- end }}
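Review bot: When neither `targetCPUUtilizationPercentage` nor `targetMemoryUtilizationPercentage` is set, the `metrics:` key near the end of the hunk renders with no entries, and per the autoscaling/v2 API an HPA with an empty metrics list falls back to a default of 80% average CPU utilization instead of failing validation. Because `autoscaling.enabled` is the only guard, values that turn autoscaling on without a target hit this silent default. A guard such as `{{- if not (or .Values.inboundWorker.autoscaling.targetCPUUtilizationPercentage .Values.inboundWorker.autoscaling.targetMemoryUtilizationPercentage) }}{{ fail "inboundWorker.autoscaling needs a CPU or memory target" }}{{- end }}`, or at least a comment above `metrics:` stating the fallback, makes the behaviour explicit. The orchestrator HPA template further down has the same shape.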


@@ -0,0 +1,12 @@
{{- if .Values.inboundWorker.podDisruptionBudget.enabled }}
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
name: {{ template "inbound-worker.appName" . }}
namespace: {{ .Release.Namespace }}
spec:
minAvailable: {{ .Values.inboundWorker.podDisruptionBudget.minPods }}
selector:
matchLabels:
dplane: {{ .Chart.Name }}
{{- end}}
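Review bot: The selector `dplane: {{ .Chart.Name }}` on the matchLabels line does not appear to match the inbound-worker pods: `.Chart.Name` is the chart's name, while the `dplane` label the rest of the chart uses for these pods is `inbound-worker` (see the Calico selector `dplane == 'inbound-worker'` in the orchestrator network policy, and the `dplane: "orchestrator"` pattern in the orchestrator selectorLabels helper). A PodDisruptionBudget whose selector matches no pods protects nothing, so `minAvailable` is never enforced during drains. The orchestrator PDB uses `{{- include "orchestrator.selectorLabels" . | nindent 6 }}`; the same shape here, `{{- include "inbound-worker.selectorLabels" . | nindent 6 }}`, keeps the PDB tied to the Deployment's selector.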


@@ -0,0 +1,38 @@
{{- if ( and .Values.inboundWorker.serviceAccount.enabled ( not .Values.inboundWorker.serviceAccount.preexisting ) ) -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ template "inbound-worker.name" . }}-role
rules:
- apiGroups:
- ""
resources:
- pods
verbs:
- get
- list
- apiGroups:
- coordination.k8s.io
resources:
- leases
verbs:
- create
- get
- update
- delete
- patch
{{- if eq (include "parent.dataplaneMode" . ) "shared" }}
- apiGroups:
- operator.fusion.axway.com
resources:
- orchestrators
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
{{- end }}
{{- end }}
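Review bot: The leases rule grants create/get/update/delete/patch on every Lease in the namespace with no `resourceNames`, so a pod running under this ServiceAccount can overwrite or delete other components' leader-election leases as well as its own. If the lease name the worker uses is fixed, pin it with a `resourceNames:` list under that rule; if it is dynamic, a comment saying why the rule must stay unscoped will save the next reviewer the question. The Role and RoleBinding are both skipped when `serviceAccount.preexisting` is true, so a pre-existing account must be granted these pod and lease permissions out of band — that expectation belongs in the values documentation. The Role also omits `namespace:` in metadata while the RoleBinding subject states it; Helm installs both into the release namespace, but writing it keeps the pair consistent.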


@@ -0,0 +1,14 @@
{{- if ( and .Values.inboundWorker.serviceAccount.enabled ( not .Values.inboundWorker.serviceAccount.preexisting ) ) -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ template "inbound-worker.name" . }}-role-binding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ template "inbound-worker.name" . }}-role
subjects:
- kind: ServiceAccount
name: {{ .Values.inboundWorker.serviceAccount.enabled | ternary .Values.inboundWorker.serviceAccount.name "default" }}
namespace: {{ .Release.Namespace }}
{{- end }}
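Review bot: The subject binds to `.Values.inboundWorker.serviceAccount.name` directly, but the ServiceAccount template names the account via `include "inbound-worker.serviceAccountName"`, which — judging by the orchestrator helper visible further down — falls back to the fullname when `serviceAccount.name` is empty. In that case the binding renders `name:` as null and the account the chart creates receives no permissions. The `ternary` on `serviceAccount.enabled` is dead code here, since the file only renders when `enabled` is true. Replace the subject name with `name: {{ include "inbound-worker.serviceAccountName" . }}`; the orchestrator RoleBinding has the same mismatch against its ServiceAccount template.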


@@ -0,0 +1,18 @@
apiVersion: v1
kind: Service
metadata:
name: {{ template "inbound-worker.appName" . }}
namespace: {{ .Release.Namespace }}
labels:
{{- include "inbound-worker.labels" . | nindent 4 }}
spec:
type: {{ .Values.inboundWorker.service.type }}
selector:
{{- include "inbound-worker.selectorLabels" . | nindent 4 }}
ports:
{{- range $port := .Values.inboundWorker.service.ports }}
- name: {{ $port.name }}
protocol: {{ $port.protocol }}
port: {{ $port.port }}
targetPort: {{ $port.targetPort }}
{{- end }}


@@ -0,0 +1,21 @@
{{- if .Values.inboundWorker.sftpService.enabled }}
apiVersion: v1
kind: Service
metadata:
name: sftp-{{ template "inbound-worker.appName" . }}
namespace: {{ .Release.Namespace }}
labels:
{{- include "inbound-worker.labels" . | nindent 4 }}
spec:
type: {{ .Values.inboundWorker.sftpService.type }}
selector:
{{- include "inbound-worker.selectorLabels" . | nindent 4 }}
ports:
{{- range $port := .Values.inboundWorker.sftpService.ports }}
- name: {{ $port.name }}
protocol: {{ $port.protocol }}
port: {{ $port.port }}
targetPort: {{ $port.targetPort }}
nodePort: {{ $port.nodePort }}
{{- end }}
{{- end }}
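Review bot: `nodePort: {{ $port.nodePort }}` is emitted for every port entry, so an entry without `nodePort` renders the field as null, and an entry with one is rejected by the API server whenever `sftpService.type` is `ClusterIP` (nodePort may only be set for NodePort/LoadBalancer services). Wrap it as `{{- with $port.nodePort }}` / `nodePort: {{ . }}` / `{{- end }}` so the field appears only when a value is configured. Since a NodePort type publishes the worker's SSH listener on every node, a comment next to `sftpService.type` reminding operators to scope network policy and node-level filtering accordingly would be useful.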


@@ -0,0 +1,13 @@
{{- if ( and .Values.inboundWorker.serviceAccount.enabled ( not .Values.inboundWorker.serviceAccount.preexisting ) ) -}}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "inbound-worker.serviceAccountName" . }}
labels:
{{- include "inbound-worker.labels" . | nindent 4 }}
{{- with .Values.inboundWorker.serviceAccount.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
automountServiceAccountToken: {{ .Values.inboundWorker.serviceAccount.automountServiceAccountToken }}
{{- end }}


@@ -0,0 +1,8 @@
Thank you for installing the {{ .Chart.Name }} chart for the Amplify Integration Platform.
Your release is named {{ .Release.Name }}.
To learn more about the release, try:
$ helm status {{ .Release.Name }}
$ helm get all {{ .Release.Name }}


@@ -0,0 +1,76 @@
{{- define "orchestrator.name" -}}
{{- default "orchestrator" .Values.orchestrator.nameOverride | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "orchestrator.fullname" -}}
{{- if .Values.orchestrator.fullnameOverride }}
{{- .Values.orchestrator.fullnameOverride | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- $name := default "orchestrator" .Values.orchestrator.nameOverride }}
{{- if contains $name .Release.Name }}
{{- .Release.Name | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
{{- end }}
{{- end }}
{{- end }}
{{/*
Common labels
*/}}
{{- define "orchestrator.labels" -}}
{{ include "dataplane.labels" . }}
{{ include "orchestrator.selectorLabels" . }}
{{- end }}
{{/*
Selector labels
*/}}
{{- define "orchestrator.selectorLabels" -}}
app.kubernetes.io/name: {{ include "orchestrator.name" . }}
app: {{ include "orchestrator.appName" . }}
dplane: "orchestrator"
{{- end }}
{{/*
Create the name of the service account to use
*/}}
{{- define "orchestrator.serviceAccountName" -}}
{{- if .Values.orchestrator.serviceAccount.enabled }}
{{- default (include "orchestrator.fullname" .) .Values.orchestrator.serviceAccount.name }}
{{- else }}
{{- default "default" .Values.orchestrator.serviceAccount.name }}
{{- end }}
{{- end }}
{{/*
Custom templates start here
*/}}
{{- define "orchestrator.appName" -}}
{{- $name := default "orchestrator" .Values.orchestrator.nameOverride -}}
{{- $env := default "orchestrator" .Values.global.appEnv -}}
{{- printf "%s-%s" $name $env | trunc 63 | trimSuffix "-" -}}
{{- end }}
{{/*
Image name
*/}}
{{- define "image.finalname" -}}
{{- printf "%s/%s:%s" .Values.orchestrator.image.server "orchestrator" .Chart.AppVersion }}
{{- end }}
{{/*
Cpu min request
*/}}
{{- define "microserviceChart.minCpuUnits" -}}
"
{{- index .Values.orchestrator.valuesPerEnvironment.cpuUnits ((pluck .Values.orchestrator.environment .Values.orchestrator.environments | first | default .Values.orchestrator.environments.sandbox) | int) -}}
m"
{{- end }}
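Review bot: `image.finalname` and `microserviceChart.minCpuUnits` are defined here and again, with different bodies, in the pep-server helpers at the end of this page; Helm named templates share one global namespace, so the last file parsed wins and a component that includes `image.finalname` may resolve the other component's `.Values.*.image.server`. Prefix them per component (`orchestrator.image.finalname`, `orchestrator.minCpuUnits`) or delete them if nothing includes them. `microserviceChart.minCpuUnits` also assembles its quoted string by splitting a `"` across three lines; `{{- printf "%vm" (index .Values.orchestrator.valuesPerEnvironment.cpuUnits (...)) | quote -}}` on one line produces the same value more readably. The `$env` default in `orchestrator.appName` yields `orchestrator-orchestrator` when `global.appEnv` is unset, which looks unintended and deserves either a different default or a comment.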


@@ -0,0 +1,80 @@
{{- if .Values.orchestrator.calicoNetpol.enabled }}
apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
name: {{ template "orchestrator.appName" .}}
namespace: {{ .Release.Namespace }}
spec:
order: 10
selector: dplane == 'orchestrator'
types:
- Ingress
- Egress
ingress:
### traffic from inbound-worker & orchestrator###
- action: Allow
protocol: TCP
source:
selector: dplane == 'orchestrator' || dplane == 'inbound-worker' || dplane == 'envoy'
namespaceSelector: projectcalico.org/name == '{{ .Release.Namespace }}'
destination:
ports:
{{- range .Values.orchestrator.service.ports}}
- {{ .targetPort }}
{{- end}}
egress:
# allow to communicate to DNS pods
- action: Allow
protocol: UDP
destination:
namespaceSelector: projectcalico.org/name == 'kube-system'
ports:
- 53
- action: Allow
protocol: TCP
destination:
namespaceSelector: projectcalico.org/name == 'kube-system'
ports:
- 53
### Traffic to Valkey ###
{{- if .Values.valkey.enabled }}
- action: Allow
protocol: TCP
destination:
{{- if and .Values.valkey.internal.enabled .Values.valkey.internal.calicoNetpol.enabled }}
selector: dplane == 'valkey'
namespaceSelector: projectcalico.org/name == '{{ .Release.Namespace }}'
{{- else if and .Values.valkey.external.enabled .Values.valkey.external.calicoNetpol.enabled }}
ports:
{{- include "dataplane.collectPorts" (dict "hosts" .Values.valkey.hosts "defaultPort" 6379) | trim | nindent 10 }}
{{- $rule := .Values.valkey.external.calicoNetpol.outboundRule }}
{{- if $rule.nets }}
nets:
{{- range $rule.nets }}
- {{ . }}
{{- end }}
{{- else if $rule.selector }}
selector: {{ $rule.selector }}
{{- else }}
namespaceSelector: projectcalico.org/name == '{{ .Release.Namespace }}'
{{- end }}
{{- end }}
{{- end }}
### Traffic to inbound-worker ###
- action: Allow
protocol: TCP
destination:
selector: dplane == 'inbound-worker'
namespaceSelector: projectcalico.org/name == '{{ .Release.Namespace }}'
# allow to communicate with k8s api server
- action: Allow
destination:
services:
name: kubernetes
namespace: default
protocol: TCP
### Traffic to the internet ###
- action: Allow
protocol: TCP
destination: {{ toYaml .Values.orchestrator.calicoNetpol.outboundRule | nindent 8 }}
{{- end}}
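Review bot: The last egress rule renders `destination:` straight from `calicoNetpol.outboundRule`, so an empty or missing `outboundRule` becomes `destination: {}`, which Calico reads as "any destination" and quietly undoes the egress isolation the rest of the policy establishes. Guard it with `{{- with .Values.orchestrator.calicoNetpol.outboundRule }}` so the rule is omitted (and the traffic denied) when nothing is configured, or mark the value `required`. The ingress rule has a similar edge: an empty `service.ports` list renders `ports:` as null and admits all TCP ports from the listed selectors. The egress rule to inbound-worker carries no `ports` at all, which may be intentional but should be stated in a comment alongside the others.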


@@ -0,0 +1,52 @@
{{- if eq .Values.common.externalConfigMaps false }}
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ template "orchestrator.appName" . }}
namespace: {{ .Release.Namespace }}
data:
kubernetes_service_name: {{ template "orchestrator.appName" . }}
domain: "{{ .Values.global.external_domain }}"
jwtExpirationTimeout: "{{ .Values.orchestrator.jwtExpirationTimeout }}"
environment: {{ .Values.global.appEnv }}
txn_log_base_path: "{{ .Values.orchestrator.hostPath.enabled | ternary .Values.orchestrator.txn_log_base_path .Values.orchestrator.efs_txn_log_path }}"
{{- if .Values.orchestrator.hostPath.enabled }}
ebs_root: "{{ .Values.orchestrator.ebs_root }}"
{{- end }}
JAVA_OPTS: "{{ .Values.orchestrator.javaOpts }}"
orchestrator_service: "{{ .Chart.Name }}-{{ .Values.global.appEnv }}"
max_executions_limit: "{{ .Values.orchestrator.max_executions_limit }}"
critical_memory_buffer: "{{ .Values.orchestrator.critical_memory_buffer }}"
enable_legacy_tls: "{{ .Values.orchestrator.enable_legacy_tls }}"
k8_namespace: {{ .Release.Namespace }}
stale_process_interval: "{{ .Values.orchestrator.stale_process_interval }}"
QUARKUS_LOG_CONSOLE_LEVEL: "{{ .Values.orchestrator.QUARKUS_LOG_CONSOLE_LEVEL }}"
TERMINATION_GRACE_PERIOD_SECS: "{{ .Values.orchestrator.terminationGracePeriodSeconds }}"
QUARKUS_SHUTDOWN_DELAY: "{{ .Values.orchestrator.preStopSleepSeconds }}"
{{- range .Values.orchestrator.service.ports }}
{{- if eq .name "grpc-port" }}
QUARKUS_GRPC_PORT: {{ .port | quote }}
{{- end }}
{{- end }}
max_payload_size_kbs: "{{ .Values.orchestrator.max_payload_size_kbs }}"
heartbeat_time_interval_sec: "{{ .Values.orchestrator.heartbeat_time_interval_sec}}"
heartbeat_timeout_sec: "{{ .Values.orchestrator.heartbeat_timeout_sec }}"
{{- if eq .Values.orchestrator.aws.enabled true }}
Access_Key: {{ .Values.orchestrator.aws.Access_Key }}
Secret_Key: {{ .Values.orchestrator.aws.Secret_Key }}
region: {{ .Values.orchestrator.aws.Region }}
{{- end }}
{{- if .Values.orchestrator.cidr_range }}
cidr_range: "{{ .Values.orchestrator.cidr_range }}"
{{- end }}
{{- if .Values.orchestrator.enable_legacy_tls }}
LEGACY_OPTS: " -Djava.security.properties=/app/java.security.with-TLSv1TLSv1.1 "
{{- else }}
LEGACY_OPTS : ""
{{- end }}
{{- if .Values.orchestrator.sap_enabled }}
CLASSPATH: "{{ .Values.orchestrator.sap_lib_directory }}/*:/app/orchestrator.jar"
{{- else }}
CLASSPATH: "/app/orchestrator.jar"
{{- end }}
{{- end }}
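Review bot: `Access_Key` and `Secret_Key` are written into a ConfigMap when `aws.enabled` is true; ConfigMaps are not handled as sensitive by Kubernetes (no encryption at rest by default, visible to any principal with configmap read in the namespace, and printed verbatim by `helm get all`, which the NOTES file recommends running). Move the two keys into a Secret consumed through a `secretRef` in the Deployment's `envFrom`, and prefer a workload-identity mechanism so no long-lived credential lives in chart values at all. The three AWS values plus `environment`, `k8_namespace` and `kubernetes_service_name` are rendered unquoted, unlike the surrounding keys; quote them so a value that looks numeric or boolean, or starts with a YAML indicator, is neither retyped nor mis-parsed. `LEGACY_OPTS : ""` has a stray space before the colon — it still parses, but drop it to match the other branch.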


@@ -0,0 +1,185 @@
{{- define "orchestrator.deployment" -}}
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ template "orchestrator.appName" . }}
namespace: {{ .Release.Namespace }}
labels:
{{- include "orchestrator.labels" . | nindent 4 }}
spec:
{{- if not .Values.orchestrator.autoscaling.enabled }}
replicas: {{ .Values.orchestrator.replicaCount }}
{{- end }}
strategy:
type: {{ .Values.orchestrator.strategy.type }}
rollingUpdate:
maxSurge: {{ .Values.orchestrator.strategy.rollingUpdate.maxSurge }}
maxUnavailable: {{ .Values.orchestrator.strategy.rollingUpdate.maxUnavailable }}
selector:
matchLabels:
{{- include "orchestrator.selectorLabels" . | nindent 6 }}
template:
metadata:
{{- with .Values.orchestrator.podAnnotations }}
annotations:
{{- toYaml . | nindent 8 }}
{{- end }}
labels:
{{- include "orchestrator.selectorLabels" . | nindent 8 }}
spec:
terminationGracePeriodSeconds: {{ .Values.orchestrator.terminationGracePeriodSeconds }}
{{- with .Values.global.image.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- if .Values.orchestrator.serviceAccount.enabled }}
serviceAccountName: {{ include "orchestrator.serviceAccountName" . }}
{{- end }}
{{- if .Values.orchestrator.podSecurityContextEnabled }}
securityContext: {{- toYaml .Values.orchestrator.podSecurityContext| nindent 8 }}
{{- end }}
dnsConfig:
options:
- name: use-vc
initContainers:
- name: {{ .Chart.Name }}-init
securityContext:
{{- toYaml .Values.orchestrator.securityContext | nindent 12 }}
image: "{{ default .Values.global.image.repository .Values.global.alpinetools.image.repository }}/{{ .Values.global.alpinetools.image.name }}:{{ .Values.global.alpinetools.image.tag }}"
imagePullPolicy: {{ .Values.global.image.pullPolicy }}
volumeMounts:
- name: {{ .Values.global.volumeStorageName }}
mountPath: /efs
env:
- name: POD_NAME
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.name
envFrom:
- configMapRef:
name: configmap-common
command:
- "/bin/sh"
- "-c"
- |
{{- if .Values.valkey.internal.enabled }}
{{ include "dataplane.commonInit" (dict "context" . "buildTag" .Values.orchestrator.image.buildTag "internal" true "replicas" .Values.valkey.internal.clusterSize) | nindent 14 }}
{{- else if .Values.valkey.external.enabled }}
{{ include "dataplane.commonInit" (dict "context" . "buildTag" .Values.orchestrator.image.buildTag) | nindent 14 }}
{{- end }}
{{- if .Values.fluentBit.enabled }}
{{ include "dataplane.createLogDirectory" (dict "serviceName" "ir" "efsRoot" "${efs_root}" "podName" "${POD_NAME}" "additionalPathParam" "") | nindent 14 }}
{{- end }}
{{- with .Values.global.initContainers.resources }}
resources:
{{- toYaml . | nindent 12 }}
{{- end }}
containers:
- name: {{ template "orchestrator.appName" . }}
securityContext:
{{- toYaml .Values.orchestrator.securityContext | nindent 12 }}
image: "{{ default .Values.global.image.repository .Values.orchestrator.image.repository }}/{{ .Values.orchestrator.image.name }}:{{ .Values.orchestrator.image.buildTag | default .Chart.AppVersion }}"
imagePullPolicy: {{ .Values.global.image.pullPolicy }}
envFrom:
{{- if .Values.common.email_authentication }}
- secretRef:
name: {{ .Values.common.fromMail.name }}
{{- end }}
- configMapRef:
name: {{ template "orchestrator.appName" . }}
- configMapRef:
name: configmap-common
{{- if .Values.valkey.enabled }}
- secretRef:
name: {{ .Values.common.datagridCredentials.name }}
{{- end }}
env:
- name: POD_NAME
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.name
- name: local_ip
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: status.podIP
- name: orchestrator_service
value: orchestrator-{{ .Values.global.appEnv }}.{{ .Release.Namespace }}.svc.cluster.local
{{- with .Values.orchestrator.env }}
{{- toYaml . | nindent 12 }}
{{- end }}
ports:
- containerPort: 1919
name: port1
protocol: TCP
- containerPort: 50051
name: grpc
protocol: TCP
- containerPort: 50052
name: sse
protocol: TCP
volumeMounts:
- name: {{ .Values.global.volumeStorageName }}
mountPath: /efs
- name: tmpdir
mountPath: /tmp
{{- if .Values.orchestrator.hostPath.enabled }}
- name: payloads-txn-data
mountPath: "{{ .Values.orchestrator.ebs_root }}"
- name: txn-log-base-path
mountPath: "{{ .Values.orchestrator.txn_log_base_path }}"
{{- end }}
{{- if .Values.orchestrator.connectors.nfs.enabled }}
{{- range $index, $volume := .Values.orchestrator.connectors.nfs.volumes -}}
{{- with $volume }}
- name: "connector-nfs-{{ $index }}"
mountPath: "/connectors/nfs/{{ .name }}"
{{- end }}
{{- end }}
{{- end }}
resources:
{{- toYaml .Values.orchestrator.resources | nindent 12 }}
livenessProbe: {{- toYaml .Values.orchestrator.livenessProbe | nindent 12 }}
startupProbe: {{- toYaml .Values.orchestrator.startupProbe | nindent 12 }}
readinessProbe: {{- toYaml .Values.orchestrator.readinessProbe | nindent 12 }}
volumes:
- name: tmpdir
emptyDir: {}
{{- if .Values.orchestrator.hostPath.enabled }}
- name: payloads-txn-data
hostPath:
path: /local/dx-data/data
type: DirectoryOrCreate
- name: txn-log-base-path
hostPath:
path: /local/dx-data/logs
type: DirectoryOrCreate
{{- end }}
- name: {{ .Values.global.volumeStorageName }}
persistentVolumeClaim:
claimName: {{ .Release.Namespace }}-{{ .Values.global.claimName }}
{{- if .Values.orchestrator.connectors.nfs.enabled }}
{{- range $index, $volume := .Values.orchestrator.connectors.nfs.volumes -}}
{{- with $volume }}
- name: "connector-nfs-{{ $index }}"
persistentVolumeClaim:
claimName: "ampint-connector-nfs-pvc-{{ .name }}"
{{- end }}
{{- end }}
{{- end }}
{{- with .Values.orchestrator.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.orchestrator.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.orchestrator.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- end -}}
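Review bot: The `orchestrator_service` env value `orchestrator-{{ .Values.global.appEnv }}.{{ .Release.Namespace }}.svc.cluster.local` hard-codes the `orchestrator-` prefix, while the Service is named with `template "orchestrator.appName"`, which honours `orchestrator.nameOverride`; with an override set, the env points at a DNS name that does not exist. The ConfigMap's `orchestrator_service` key uses a third form (`{{ .Chart.Name }}-{{ .Values.global.appEnv }}`) and is shadowed anyway, since explicit `env` entries take precedence over `envFrom`. Use `value: {{ template "orchestrator.appName" . }}.{{ .Release.Namespace }}.svc.cluster.local` here and the same helper in the ConfigMap. The container ports 1919/50051/50052 are fixed while `service.ports` comes from values, so a values change can silently break the Service-to-container mapping; either derive both from one list or comment that they must agree. The `hostPath` volumes under `/local/dx-data` (when `hostPath.enabled`) give the workload node-filesystem access that baseline Pod Security admission rejects, which is worth stating next to that flag.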


@@ -0,0 +1,3 @@
{{- if and .Values.orchestrator.enabled (ne (include "parent.dataplaneMode" . ) "shared") }}
{{- include "orchestrator.deployment" . }}
{{- end }}


@@ -0,0 +1,35 @@
{{- define "orchestrator.hpa" -}}
{{- if .Values.orchestrator.autoscaling.enabled -}}
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
name: {{ template "orchestrator.appName" . }}
namespace: {{ .Release.Namespace }}
labels:
{{- include "orchestrator.labels" . | nindent 4 }}
spec:
scaleTargetRef:
apiVersion: apps/v1
kind: Deployment
name: {{ template "orchestrator.appName" . }}
minReplicas: {{ .Values.orchestrator.autoscaling.minReplicas }}
maxReplicas: {{ .Values.orchestrator.autoscaling.maxReplicas }}
metrics:
{{- if .Values.orchestrator.autoscaling.targetCPUUtilizationPercentage }}
- type: Resource
resource:
name: cpu
target:
type: Utilization
averageUtilization: {{ .Values.orchestrator.autoscaling.targetCPUUtilizationPercentage }}
{{- end }}
{{- if .Values.orchestrator.autoscaling.targetMemoryUtilizationPercentage }}
- type: Resource
resource:
name: memory
target:
type: Utilization
averageUtilization: {{ .Values.orchestrator.autoscaling.targetMemoryUtilizationPercentage }}
{{- end }}
{{- end }}
{{- end -}}


@@ -0,0 +1,3 @@
{{- if ne (include "parent.dataplaneMode" . ) "shared" }}
{{- include "orchestrator.hpa" . }}
{{- end }}
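Review bot: This wrapper renders the orchestrator HPA whenever the dataplane mode is not shared without checking `.Values.orchestrator.enabled`, whereas the Deployment and Service wrappers gate on `and .Values.orchestrator.enabled (ne ...)`. With the orchestrator disabled and `autoscaling.enabled` true, an HPA targeting a Deployment that is never created is installed and reports `ScalingActive: False` indefinitely. Use the same condition here, `{{- if and .Values.orchestrator.enabled (ne (include "parent.dataplaneMode" . ) "shared") }}`; the PodDisruptionBudget wrapper below has the identical gap.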


@@ -0,0 +1,37 @@
{{- if .Values.orchestrator.connectors.nfs.enabled }}
{{- range $index, $volume := .Values.orchestrator.connectors.nfs.volumes -}}
{{- if and $volume.name $volume.server $volume.share $volume.mountOptions }}
apiVersion: v1
kind: PersistentVolume
metadata:
name: "{{ $.Release.Namespace }}-connector-nfs-pv-{{ $volume.name }}"
namespace: {{ $.Release.Namespace }}
spec:
capacity:
storage: 10Gi
volumeMode: Filesystem
accessModes:
- ReadWriteMany
persistentVolumeReclaimPolicy: Retain
storageClassName: ""
claimRef:
name: "ampint-connector-nfs-pvc-{{ $volume.name }}"
namespace: {{ $.Release.Namespace }}
mountOptions: {{ toYaml $volume.mountOptions | nindent 2 }}
{{- if eq $.Values.orchestrator.connectors.nfs.mode "csi" }}
csi:
driver: nfs.csi.k8s.io
readOnly: false
volumeHandle: "{{ $volume.server }}{{ $volume.share }}{{ $volume.name }}"
volumeAttributes:
server: {{ $volume.server }}
share: {{ $volume.share }}
{{- else }}
nfs:
server: {{ $volume.server }}
path: {{ $volume.share }}
{{- end }}
---
{{- end }}
{{- end }}
{{- end }}
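Review bot: The PV is rendered only when `name`, `server`, `share` and `mountOptions` are all set, but the companion PVC template renders a claim for every entry in `connectors.nfs.volumes` unconditionally, so a volume missing `mountOptions` yields a PVC whose `volumeName` points at a PV that was silently skipped, and the orchestrator pod stays Pending with no hint why. Either apply the same guard in the PVC template or fail fast with `{{ required "connectors.nfs.volumes[].mountOptions is required" $volume.mountOptions }}` so the misconfiguration surfaces at install time. `namespace:` on a PersistentVolume is ignored because PVs are cluster-scoped; removing it avoids implying an isolation that does not exist. `volumeHandle` concatenates server, share and name with no separator, so distinct volumes can collide on the same handle; put a fixed separator between the parts.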


@@ -0,0 +1,18 @@
{{- if .Values.orchestrator.connectors.nfs.enabled }}
{{- range $index, $volume := .Values.orchestrator.connectors.nfs.volumes -}}
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
name: "ampint-connector-nfs-pvc-{{ $volume.name }}"
namespace: {{ $.Release.Namespace }}
spec:
accessModes:
- ReadWriteMany
storageClassName: ""
volumeName: "{{ $.Release.Namespace }}-connector-nfs-pv-{{ $volume.name }}"
resources:
requests:
storage: 2Gi
---
{{- end }}
{{- end }}


@@ -0,0 +1,14 @@
{{- define "orchestrator.podDisruptionBudget" -}}
{{- if .Values.orchestrator.podDisruptionBudget.enabled -}}
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
name: {{ template "orchestrator.appName" . }}
namespace: {{ .Release.Namespace }}
spec:
minAvailable: {{ .Values.orchestrator.podDisruptionBudget.minPods }}
selector:
matchLabels:
{{- include "orchestrator.selectorLabels" . | nindent 6 }}
{{- end }}
{{- end -}}


@@ -0,0 +1,3 @@
{{- if ne (include "parent.dataplaneMode" . ) "shared" }}
{{- include "orchestrator.podDisruptionBudget" . }}
{{- end }}


@@ -0,0 +1,14 @@
{{- if ( and .Values.orchestrator.serviceAccount.enabled ( not .Values.orchestrator.serviceAccount.preexisting ) ) -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ template "orchestrator.name" . }}-role
rules:
- apiGroups:
- ""
resources:
- pods
verbs:
- get
- list
{{- end }}


@@ -0,0 +1,14 @@
{{- if ( and .Values.orchestrator.serviceAccount.enabled ( not .Values.orchestrator.serviceAccount.preexisting ) ) -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ template "orchestrator.name" . }}-role-binding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ template "orchestrator.name" . }}-role
subjects:
- kind: ServiceAccount
name: {{ .Values.orchestrator.serviceAccount.enabled | ternary .Values.orchestrator.serviceAccount.name "default" }}
namespace: {{ .Release.Namespace }}
{{- end }}


@@ -0,0 +1,20 @@
{{- define "orchestrator.service" -}}
apiVersion: v1
kind: Service
metadata:
name: {{ template "orchestrator.appName" . }}
namespace: {{ .Release.Namespace }}
labels:
{{- include "orchestrator.labels" . | nindent 4 }}
spec:
clusterIP: None
selector:
{{- include "orchestrator.selectorLabels" . | nindent 4 }}
ports:
{{- range $port := .Values.orchestrator.service.ports }}
- name: {{ $port.name }}
protocol: {{ $port.protocol }}
port: {{ $port.port }}
targetPort: {{ $port.targetPort }}
{{- end }}
{{- end -}}


@@ -0,0 +1,3 @@
{{- if and .Values.orchestrator.enabled (ne (include "parent.dataplaneMode" . ) "shared") }}
{{- include "orchestrator.service" . }}
{{- end }}


@@ -0,0 +1,13 @@
{{- if ( and .Values.orchestrator.serviceAccount.enabled ( not .Values.orchestrator.serviceAccount.preexisting ) ) -}}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "orchestrator.serviceAccountName" . }}
labels:
{{- include "orchestrator.labels" . | nindent 4 }}
{{- with .Values.orchestrator.serviceAccount.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
automountServiceAccountToken: {{ .Values.orchestrator.serviceAccount.automountServiceAccountToken }}
{{- end }}


@@ -0,0 +1,8 @@
Thank you for installing the {{ .Chart.Name }} chart for the Amplify Integration Platform.
Your release is named {{ .Release.Name }}.
To learn more about the release, try:
$ helm status {{ .Release.Name }}
$ helm get all {{ .Release.Name }}


@@ -0,0 +1,76 @@
{{- define "pep-server.name" -}}
{{- default "pep-server" .Values.pepServer.nameOverride | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "pep-server.fullname" -}}
{{- if .Values.pepServer.fullnameOverride }}
{{- .Values.pepServer.fullnameOverride | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- $name := default "pep-server" .Values.pepServer.nameOverride }}
{{- if contains $name .Release.Name }}
{{- .Release.Name | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
{{- end }}
{{- end }}
{{- end }}
{{/*
Common labels
*/}}
{{- define "pep-server.labels" -}}
{{ include "dataplane.labels" . }}
{{ include "pep-server.selectorLabels" . }}
{{- end }}
{{/*
Selector labels
*/}}
{{- define "pep-server.selectorLabels" -}}
app.kubernetes.io/name: {{ include "pep-server.name" . }}
app: {{ include "pep-server.appName" . }}
dplane: "pep-server"
{{- end }}
{{/*
Create the name of the service account to use
*/}}
{{- define "pep-server.serviceAccountName" -}}
{{- if .Values.pepServer.serviceAccount.enabled }}
{{- default (include "pep-server.fullname" .) .Values.pepServer.serviceAccount.name }}
{{- else }}
{{- default "default" .Values.pepServer.serviceAccount.name }}
{{- end }}
{{- end }}
{{/*
Custom templates start here
*/}}
{{- define "pep-server.appName" -}}
{{- $name := default "pep-server" .Values.pepServer.nameOverride -}}
{{- $env := default "pep-server" .Values.global.appEnv -}}
{{- printf "%s-%s" $name $env | trunc 63 | trimSuffix "-" -}}
{{- end }}
{{/*
Image name
*/}}
{{- define "image.finalname" -}}
{{- printf "%s/%s:%s" .Values.pepServer.image.server "pep-server" .Chart.AppVersion }}
{{- end }}
{{/*
Cpu min request
*/}}
{{- define "microserviceChart.minCpuUnits" -}}
"
{{- index .Values.pepServer.valuesPerEnvironment.cpuUnits ((pluck .Values.pepServer.environment .Values.pepServer.environments | first | default .Values.pepServer.environments.sandbox) | int) -}}
m"
{{- end }}
