From 0dbd246c71c5b323f504672992ad98eb8f0a4962 Mon Sep 17 00:00:00 2001 From: Gerald Pape Date: Mon, 3 Feb 2025 08:48:55 +0100 Subject: [PATCH] feat(pdb) Add unhealthyPodEvictionPolicy config Enable users to configure the `spec.unhealthyPodEvictionPolicy` field of PodDisruptionBudget generated by the chart. The default is `IfHealthyBudget` More information about `unhealthyPodEvictionPolicy` is available at https://kubernetes.io/docs/tasks/run-application/configure-pdb/#unhealthy-pod-eviction-policy Signed-off-by: Gerald Pape --- charts/kong/CHANGELOG.md | 7 + charts/kong/README.md | 1 + .../__snapshots__/pdb-If-healthy-budget.snap | 1202 +++++++++++++++++ .../ci/__snapshots__/pdb-always-allow.snap | 1202 +++++++++++++++++ charts/kong/ci/__snapshots__/pdb-default.snap | 1202 +++++++++++++++++ charts/kong/ci/pdb-always-allow.yaml | 6 + charts/kong/ci/pdb-default.yaml | 5 + charts/kong/templates/pdb.yaml | 1 + charts/kong/values.yaml | 1 + 9 files changed, 3627 insertions(+) create mode 100644 charts/kong/ci/__snapshots__/pdb-If-healthy-budget.snap create mode 100644 charts/kong/ci/__snapshots__/pdb-always-allow.snap create mode 100644 charts/kong/ci/__snapshots__/pdb-default.snap create mode 100644 charts/kong/ci/pdb-always-allow.yaml create mode 100644 charts/kong/ci/pdb-default.yaml diff --git a/charts/kong/CHANGELOG.md b/charts/kong/CHANGELOG.md index de2254fc5..03513f653 100644 --- a/charts/kong/CHANGELOG.md +++ b/charts/kong/CHANGELOG.md @@ -1,5 +1,12 @@ # Changelog +## Unreleased + +* Add support for custom `unhealthyPodEvictionPolicy` in PodDisruptionBudget + [#1244](https://github.com/Kong/charts/pull/1244) + +### Changes + ## 2.47.0 ### Changes diff --git a/charts/kong/README.md b/charts/kong/README.md index ae7b4e15e..808afa854 100644 --- a/charts/kong/README.md +++ b/charts/kong/README.md 
@@ -904,6 +904,7 @@ On the Gateway release side, set either `admin.tls.client.secretName` to the nam
 | podDisruptionBudget.enabled | Enable PodDisruptionBudget for Kong | `false` |
 | podDisruptionBudget.maxUnavailable | Represents the minimum number of Pods that can be unavailable (integer or percentage) | `50%` |
 | podDisruptionBudget.minAvailable | Represents the number of Pods that must be available (integer or percentage) | |
+| podDisruptionBudget.unhealthyPodEvictionPolicy | Controls the criteria when unhealthy Pods should be considered for eviction. Either `AlwaysAllow` or `IfHealthyBudget` | `IfHealthyBudget` |
 | podSecurityPolicy.enabled | Enable podSecurityPolicy for Kong | `false` |
 | podSecurityPolicy.labels | Labels to add to podSecurityPolicy for Kong | `{}` |
 | podSecurityPolicy.annotations | Annotations to add to podSecurityPolicy for Kong | `{}` |
diff --git a/charts/kong/ci/__snapshots__/pdb-If-healthy-budget.snap b/charts/kong/ci/__snapshots__/pdb-If-healthy-budget.snap
new file mode 100644
index 000000000..de35c6cdc
--- /dev/null
+++ b/charts/kong/ci/__snapshots__/pdb-If-healthy-budget.snap
@@ -0,0 +1,1202 @@ +# chartsnap: snapshot_version=v3 +--- +# Source: kong/templates/pdb.yaml +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: chartsnap-kong + namespace: default + labels: + app.kubernetes.io/name: kong + helm.sh/chart: kong-2.47.0 + app.kubernetes.io/instance: "chartsnap" + app.kubernetes.io/managed-by: "Helm" + app.kubernetes.io/version: "3.9" +spec: + maxUnavailable: 50% + unhealthyPodEvictionPolicy: IfHealthyBudget + selector: + matchLabels: + app.kubernetes.io/name: kong + helm.sh/chart: kong-2.47.0 + app.kubernetes.io/instance: "chartsnap" + app.kubernetes.io/managed-by: "Helm" + app.kubernetes.io/version: "3.9" + app.kubernetes.io/component: app +--- +# Source: kong/templates/service-account.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: chartsnap-kong + namespace: default + labels: + app.kubernetes.io/name: kong + helm.sh/chart: kong-2.47.0 + app.kubernetes.io/instance: "chartsnap" + app.kubernetes.io/managed-by: "Helm" + app.kubernetes.io/version: "3.9" +--- +# Source: kong/templates/admission-webhook.yaml +apiVersion: v1 +kind: Secret +metadata: + name: chartsnap-kong-validation-webhook-ca-keypair + namespace: default + labels: + app.kubernetes.io/name: kong + helm.sh/chart: kong-2.47.0 + app.kubernetes.io/instance: "chartsnap" + app.kubernetes.io/managed-by: "Helm" + app.kubernetes.io/version: "3.9" +type: kubernetes.io/tls +data: + tls.crt: '###DYNAMIC_FIELD###' + tls.key: '###DYNAMIC_FIELD###' +--- +# Source: kong/templates/admission-webhook.yaml +apiVersion: v1 +kind: Secret +metadata: + name: chartsnap-kong-validation-webhook-keypair + namespace: default + labels: + app.kubernetes.io/name: kong + helm.sh/chart: kong-2.47.0 + app.kubernetes.io/instance: "chartsnap" + app.kubernetes.io/managed-by: "Helm" + app.kubernetes.io/version: "3.9" +type: kubernetes.io/tls +data: + tls.crt: '###DYNAMIC_FIELD###' + tls.key: '###DYNAMIC_FIELD###' +--- +# Source: kong/templates/controller-rbac-resources.yaml 
+apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/name: kong + helm.sh/chart: kong-2.47.0 + app.kubernetes.io/instance: "chartsnap" + app.kubernetes.io/managed-by: "Helm" + app.kubernetes.io/version: "3.9" + name: chartsnap-kong +rules: +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - backendtlspolicies + verbs: + - get + - list + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - backendtlspolicies/status + verbs: + - patch + - update +- apiGroups: + - configuration.konghq.com + resources: + - kongcustomentities + verbs: + - get + - list + - watch +- apiGroups: + - configuration.konghq.com + resources: + - kongcustomentities/status + verbs: + - get + - patch + - update +- apiGroups: + - configuration.konghq.com + resources: + - kongupstreampolicies + verbs: + - get + - list + - watch +- apiGroups: + - configuration.konghq.com + resources: + - kongupstreampolicies/status + verbs: + - get + - patch + - update +- apiGroups: + - configuration.konghq.com + resources: + - kongconsumergroups + verbs: + - get + - list + - watch +- apiGroups: + - configuration.konghq.com + resources: + - kongconsumergroups/status + verbs: + - get + - patch + - update +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +- apiGroups: + - "" + resources: + - nodes + verbs: + - list + - watch +- apiGroups: + - "" + resources: + - pods + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - secrets + verbs: + - list + - watch +- apiGroups: + - "" + resources: + - services + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - services/status + verbs: + - get + - patch + - update +- apiGroups: + - configuration.konghq.com + resources: + - ingressclassparameterses + verbs: + - get + - list + - watch +- apiGroups: + - configuration.konghq.com + resources: + - kongconsumers + 
verbs: + - get + - list + - watch +- apiGroups: + - configuration.konghq.com + resources: + - kongconsumers/status + verbs: + - get + - patch + - update +- apiGroups: + - configuration.konghq.com + resources: + - kongingresses + verbs: + - get + - list + - watch +- apiGroups: + - configuration.konghq.com + resources: + - kongingresses/status + verbs: + - get + - patch + - update +- apiGroups: + - configuration.konghq.com + resources: + - kongplugins + verbs: + - get + - list + - watch +- apiGroups: + - configuration.konghq.com + resources: + - kongplugins/status + verbs: + - get + - patch + - update +- apiGroups: + - configuration.konghq.com + resources: + - tcpingresses + verbs: + - get + - list + - watch +- apiGroups: + - configuration.konghq.com + resources: + - tcpingresses/status + verbs: + - get + - patch + - update +- apiGroups: + - configuration.konghq.com + resources: + - udpingresses + verbs: + - get + - list + - watch +- apiGroups: + - configuration.konghq.com + resources: + - udpingresses/status + verbs: + - get + - patch + - update +- apiGroups: + - extensions + resources: + - ingresses + verbs: + - get + - list + - watch +- apiGroups: + - extensions + resources: + - ingresses/status + verbs: + - get + - patch + - update +- apiGroups: + - gateway.networking.k8s.io + resources: + - gateways + verbs: + - get + - list + - update + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - gateways/status + verbs: + - get + - update +- apiGroups: + - gateway.networking.k8s.io + resources: + - httproutes + verbs: + - get + - list + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - httproutes/status + verbs: + - get + - update +- apiGroups: + - gateway.networking.k8s.io + resources: + - referencegrants + verbs: + - get + - list + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - referencegrants/status + verbs: + - get +- apiGroups: + - gateway.networking.k8s.io + resources: + - tcproutes + verbs: + - get + - 
list + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - tcproutes/status + verbs: + - get + - update +- apiGroups: + - gateway.networking.k8s.io + resources: + - tlsroutes + verbs: + - get + - list + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - tlsroutes/status + verbs: + - get + - update +- apiGroups: + - gateway.networking.k8s.io + resources: + - udproutes + verbs: + - get + - list + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - udproutes/status + verbs: + - get + - update +- apiGroups: + - gateway.networking.k8s.io + resources: + - grpcroutes + verbs: + - get + - list + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - grpcroutes/status + verbs: + - get + - patch + - update +- apiGroups: + - networking.k8s.io + resources: + - ingresses + verbs: + - get + - list + - watch +- apiGroups: + - networking.k8s.io + resources: + - ingresses/status + verbs: + - get + - patch + - update +- apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - get + - list + - watch +- apiGroups: + - configuration.konghq.com + resources: + - konglicenses + verbs: + - get + - list + - watch +- apiGroups: + - configuration.konghq.com + resources: + - konglicenses/status + verbs: + - get + - patch + - update +- apiGroups: + - configuration.konghq.com + resources: + - kongvaults + verbs: + - get + - list + - watch +- apiGroups: + - configuration.konghq.com + resources: + - kongvaults/status + verbs: + - get + - patch + - update +- apiGroups: + - configuration.konghq.com + resources: + - kongclusterplugins + verbs: + - get + - list + - watch +- apiGroups: + - configuration.konghq.com + resources: + - kongclusterplugins/status + verbs: + - get + - patch + - update +- apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - list + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - gatewayclasses + verbs: + - get + - list + - watch +- 
apiGroups: + - gateway.networking.k8s.io + resources: + - gatewayclasses/status + verbs: + - get + - update +- apiGroups: + - "" + resources: + - namespaces + verbs: + - get + - list + - watch +- apiGroups: + - networking.k8s.io + resources: + - ingressclasses + verbs: + - get + - list + - watch +--- +# Source: kong/templates/controller-rbac-resources.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: chartsnap-kong + labels: + app.kubernetes.io/name: kong + helm.sh/chart: kong-2.47.0 + app.kubernetes.io/instance: "chartsnap" + app.kubernetes.io/managed-by: "Helm" + app.kubernetes.io/version: "3.9" +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: chartsnap-kong +subjects: +- kind: ServiceAccount + name: chartsnap-kong + namespace: default +--- +# Source: kong/templates/controller-rbac-resources.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: chartsnap-kong + namespace: default + labels: + app.kubernetes.io/name: kong + helm.sh/chart: kong-2.47.0 + app.kubernetes.io/instance: "chartsnap" + app.kubernetes.io/managed-by: "Helm" + app.kubernetes.io/version: "3.9" +rules: +- apiGroups: + - "" + resources: + - configmaps + - pods + - secrets + - namespaces + verbs: + - get +- apiGroups: + - "" + resources: + - configmaps + resourceNames: + # Defaults to "-" + # Here: "-" + # This has to be adapted if you change either parameter + # when launching the nginx-ingress-controller. 
+ - "kong-ingress-controller-leader-kong-kong" + verbs: + - get + - update +- apiGroups: + - "" + resources: + - configmaps + verbs: + - create +# Begin KIC 2.x leader permissions +- apiGroups: + - "" + - coordination.k8s.io + resources: + - configmaps + - leases + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +- apiGroups: + - "" + resources: + - services + verbs: + - get +--- +# Source: kong/templates/controller-rbac-resources.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: chartsnap-kong + namespace: default + labels: + app.kubernetes.io/name: kong + helm.sh/chart: kong-2.47.0 + app.kubernetes.io/instance: "chartsnap" + app.kubernetes.io/managed-by: "Helm" + app.kubernetes.io/version: "3.9" +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: chartsnap-kong +subjects: +- kind: ServiceAccount + name: chartsnap-kong + namespace: default +--- +# Source: kong/templates/admission-webhook.yaml +apiVersion: v1 +kind: Service +metadata: + name: chartsnap-kong-validation-webhook + namespace: default + labels: + app.kubernetes.io/name: kong + helm.sh/chart: kong-2.47.0 + app.kubernetes.io/instance: "chartsnap" + app.kubernetes.io/managed-by: "Helm" + app.kubernetes.io/version: "3.9" +spec: + ports: + - name: webhook + port: 443 + protocol: TCP + targetPort: webhook + selector: + app.kubernetes.io/name: kong + helm.sh/chart: kong-2.47.0 + app.kubernetes.io/instance: "chartsnap" + app.kubernetes.io/managed-by: "Helm" + app.kubernetes.io/version: "3.9" + app.kubernetes.io/component: app +--- +# Source: kong/templates/controller-service-metrics.yaml +apiVersion: v1 +kind: Service +metadata: + name: chartsnap-kong-metrics + namespace: default + labels: + app.kubernetes.io/name: kong + helm.sh/chart: kong-2.47.0 + app.kubernetes.io/instance: "chartsnap" + app.kubernetes.io/managed-by: "Helm" + app.kubernetes.io/version: 
"3.9" +spec: + ports: + - name: cmetrics + port: 10255 + protocol: TCP + targetPort: cmetrics + - name: status + port: 10254 + protocol: TCP + targetPort: cstatus + selector: + app.kubernetes.io/name: kong + helm.sh/chart: kong-2.47.0 + app.kubernetes.io/instance: "chartsnap" + app.kubernetes.io/managed-by: "Helm" + app.kubernetes.io/version: "3.9" + app.kubernetes.io/component: app +--- +# Source: kong/templates/service-kong-manager.yaml +apiVersion: v1 +kind: Service +metadata: + name: chartsnap-kong-manager + namespace: default + labels: + app.kubernetes.io/name: kong + helm.sh/chart: kong-2.47.0 + app.kubernetes.io/instance: "chartsnap" + app.kubernetes.io/managed-by: "Helm" + app.kubernetes.io/version: "3.9" +spec: + type: NodePort + ports: + - name: kong-manager + port: 8002 + targetPort: 8002 + protocol: TCP + - name: kong-manager-tls + port: 8445 + targetPort: 8445 + protocol: TCP + selector: + app.kubernetes.io/name: kong + app.kubernetes.io/component: app + app.kubernetes.io/instance: "chartsnap" +--- +# Source: kong/templates/service-kong-proxy.yaml +apiVersion: v1 +kind: Service +metadata: + name: chartsnap-kong-proxy + namespace: default + labels: + app.kubernetes.io/name: kong + helm.sh/chart: kong-2.47.0 + app.kubernetes.io/instance: "chartsnap" + app.kubernetes.io/managed-by: "Helm" + app.kubernetes.io/version: "3.9" + enable-metrics: "true" +spec: + type: LoadBalancer + ports: + - name: kong-proxy + port: 80 + targetPort: 8000 + protocol: TCP + - name: kong-proxy-tls + port: 443 + targetPort: 8443 + protocol: TCP + selector: + app.kubernetes.io/name: kong + app.kubernetes.io/component: app + app.kubernetes.io/instance: "chartsnap" +--- +# Source: kong/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: chartsnap-kong + namespace: default + labels: + app.kubernetes.io/name: kong + helm.sh/chart: kong-2.47.0 + app.kubernetes.io/instance: "chartsnap" + app.kubernetes.io/managed-by: "Helm" + app.kubernetes.io/version: 
"3.9" + app.kubernetes.io/component: app +spec: + replicas: 2 + revisionHistoryLimit: 10 + selector: + matchLabels: + app.kubernetes.io/name: kong + app.kubernetes.io/component: app + app.kubernetes.io/instance: "chartsnap" + template: + metadata: + annotations: + kuma.io/service-account-token-volume: chartsnap-kong-token + kuma.io/gateway: "enabled" + traffic.sidecar.istio.io/includeInboundPorts: "" + labels: + app.kubernetes.io/name: kong + helm.sh/chart: kong-2.47.0 + app.kubernetes.io/instance: "chartsnap" + app.kubernetes.io/managed-by: "Helm" + app.kubernetes.io/version: "3.9" + app.kubernetes.io/component: app + app: chartsnap-kong + version: "3.9" + spec: + serviceAccountName: chartsnap-kong + automountServiceAccountToken: false + initContainers: + - name: clear-stale-pid + image: kong:3.9 + imagePullPolicy: IfNotPresent + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 1000 + seccompProfile: + type: RuntimeDefault + resources: {} + command: + - "rm" + - "-vrf" + - "$KONG_PREFIX/pids" + env: + - name: KONG_ADMIN_ACCESS_LOG + value: "/dev/stdout" + - name: KONG_ADMIN_ERROR_LOG + value: "/dev/stderr" + - name: KONG_ADMIN_GUI_ACCESS_LOG + value: "/dev/stdout" + - name: KONG_ADMIN_GUI_ERROR_LOG + value: "/dev/stderr" + - name: KONG_ADMIN_LISTEN + value: "127.0.0.1:8444 http2 ssl, [::1]:8444 http2 ssl" + - name: KONG_CLUSTER_LISTEN + value: "off" + - name: KONG_DATABASE + value: "off" + - name: KONG_KIC + value: "on" + - name: KONG_LUA_PACKAGE_PATH + value: "/opt/?.lua;/opt/?/init.lua;;" + - name: KONG_NGINX_WORKER_PROCESSES + value: "2" + - name: KONG_PORTAL_API_ACCESS_LOG + value: "/dev/stdout" + - name: KONG_PORTAL_API_ERROR_LOG + value: "/dev/stderr" + - name: KONG_PORT_MAPS + value: "80:8000, 443:8443" + - name: KONG_PREFIX + value: "/kong_prefix/" + - name: KONG_PROXY_ACCESS_LOG + value: "/dev/stdout" + - name: KONG_PROXY_ERROR_LOG + value: "/dev/stderr" + - 
name: KONG_PROXY_LISTEN + value: "0.0.0.0:8000, [::]:8000, 0.0.0.0:8443 http2 ssl, [::]:8443 http2 ssl" + - name: KONG_PROXY_STREAM_ACCESS_LOG + value: "/dev/stdout basic" + - name: KONG_PROXY_STREAM_ERROR_LOG + value: "/dev/stderr" + - name: KONG_ROUTER_FLAVOR + value: "traditional" + - name: KONG_STATUS_ACCESS_LOG + value: "off" + - name: KONG_STATUS_ERROR_LOG + value: "/dev/stderr" + - name: KONG_STATUS_LISTEN + value: "0.0.0.0:8100, [::]:8100" + - name: KONG_STREAM_LISTEN + value: "off" + volumeMounts: + - name: chartsnap-kong-prefix-dir + mountPath: /kong_prefix/ + - name: chartsnap-kong-tmp + mountPath: /tmp + containers: + - name: ingress-controller + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 1000 + seccompProfile: + type: RuntimeDefault + args: + ports: + - name: webhook + containerPort: 8080 + protocol: TCP + - name: cmetrics + containerPort: 10255 + protocol: TCP + - name: cstatus + containerPort: 10254 + protocol: TCP + env: + - name: POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: CONTROLLER_ADMISSION_WEBHOOK_LISTEN + value: "0.0.0.0:8080" + - name: CONTROLLER_ELECTION_ID + value: "kong-ingress-controller-leader-kong" + - name: CONTROLLER_INGRESS_CLASS + value: "kong" + - name: CONTROLLER_KONG_ADMIN_TLS_SKIP_VERIFY + value: "true" + - name: CONTROLLER_KONG_ADMIN_URL + value: "https://localhost:8444" + - name: CONTROLLER_PUBLISH_SERVICE + value: "default/chartsnap-kong-proxy" + image: kong/kubernetes-ingress-controller:3.4 + imagePullPolicy: IfNotPresent + readinessProbe: + failureThreshold: 3 + httpGet: + path: /readyz + port: 10254 + scheme: HTTP + initialDelaySeconds: 5 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + livenessProbe: + failureThreshold: 3 + httpGet: + path: /healthz + port: 10254 + 
scheme: HTTP + initialDelaySeconds: 5 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + resources: {} + volumeMounts: + - name: webhook-cert + mountPath: /admission-webhook + readOnly: true + - name: chartsnap-kong-token + mountPath: /var/run/secrets/kubernetes.io/serviceaccount + readOnly: true + - name: "proxy" + image: kong:3.9 + imagePullPolicy: IfNotPresent + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 1000 + seccompProfile: + type: RuntimeDefault + env: + - name: KONG_ADMIN_ACCESS_LOG + value: "/dev/stdout" + - name: KONG_ADMIN_ERROR_LOG + value: "/dev/stderr" + - name: KONG_ADMIN_GUI_ACCESS_LOG + value: "/dev/stdout" + - name: KONG_ADMIN_GUI_ERROR_LOG + value: "/dev/stderr" + - name: KONG_ADMIN_LISTEN + value: "127.0.0.1:8444 http2 ssl, [::1]:8444 http2 ssl" + - name: KONG_CLUSTER_LISTEN + value: "off" + - name: KONG_DATABASE + value: "off" + - name: KONG_KIC + value: "on" + - name: KONG_LUA_PACKAGE_PATH + value: "/opt/?.lua;/opt/?/init.lua;;" + - name: KONG_NGINX_WORKER_PROCESSES + value: "2" + - name: KONG_PORTAL_API_ACCESS_LOG + value: "/dev/stdout" + - name: KONG_PORTAL_API_ERROR_LOG + value: "/dev/stderr" + - name: KONG_PORT_MAPS + value: "80:8000, 443:8443" + - name: KONG_PREFIX + value: "/kong_prefix/" + - name: KONG_PROXY_ACCESS_LOG + value: "/dev/stdout" + - name: KONG_PROXY_ERROR_LOG + value: "/dev/stderr" + - name: KONG_PROXY_LISTEN + value: "0.0.0.0:8000, [::]:8000, 0.0.0.0:8443 http2 ssl, [::]:8443 http2 ssl" + - name: KONG_PROXY_STREAM_ACCESS_LOG + value: "/dev/stdout basic" + - name: KONG_PROXY_STREAM_ERROR_LOG + value: "/dev/stderr" + - name: KONG_ROUTER_FLAVOR + value: "traditional" + - name: KONG_STATUS_ACCESS_LOG + value: "off" + - name: KONG_STATUS_ERROR_LOG + value: "/dev/stderr" + - name: KONG_STATUS_LISTEN + value: "0.0.0.0:8100, [::]:8100" + - name: KONG_STREAM_LISTEN + value: "off" + - name: KONG_NGINX_DAEMON + value: 
"off" + lifecycle: + preStop: + exec: + command: + - kong + - quit + - --wait=15 + ports: + - name: proxy + containerPort: 8000 + protocol: TCP + - name: proxy-tls + containerPort: 8443 + protocol: TCP + - name: status + containerPort: 8100 + protocol: TCP + volumeMounts: + - name: chartsnap-kong-prefix-dir + mountPath: /kong_prefix/ + - name: chartsnap-kong-tmp + mountPath: /tmp + readinessProbe: + failureThreshold: 3 + httpGet: + path: /status/ready + port: status + scheme: HTTP + initialDelaySeconds: 5 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + livenessProbe: + failureThreshold: 3 + httpGet: + path: /status + port: status + scheme: HTTP + initialDelaySeconds: 5 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + resources: {} + securityContext: {} + terminationGracePeriodSeconds: 30 + volumes: + - name: chartsnap-kong-prefix-dir + emptyDir: + sizeLimit: 256Mi + - name: chartsnap-kong-tmp + emptyDir: + sizeLimit: 1Gi + - name: chartsnap-kong-token + projected: + sources: + - serviceAccountToken: + expirationSeconds: 3607 + path: token + - configMap: + items: + - key: ca.crt + path: ca.crt + name: kube-root-ca.crt + - downwardAPI: + items: + - fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + path: namespace + - name: webhook-cert + secret: + secretName: chartsnap-kong-validation-webhook-keypair +--- +# Source: kong/templates/admission-webhook.yaml +kind: ValidatingWebhookConfiguration +apiVersion: admissionregistration.k8s.io/v1 +metadata: + name: chartsnap-kong-default-validations + labels: + app.kubernetes.io/name: kong + helm.sh/chart: kong-2.47.0 + app.kubernetes.io/instance: "chartsnap" + app.kubernetes.io/managed-by: "Helm" + app.kubernetes.io/version: "3.9" +webhooks: +- admissionReviewVersions: + - v1 + clientConfig: + caBundle: '###DYNAMIC_FIELD###' + service: + name: chartsnap-kong-validation-webhook + namespace: default + failurePolicy: Ignore + matchPolicy: Equivalent + name: 
secrets.credentials.validation.ingress-controller.konghq.com + objectSelector: + matchExpressions: + - key: "konghq.com/credential" + operator: "Exists" + - key: "konghq.com/credential" + operator: "NotIn" + values: + - "konnect" + rules: + - apiGroups: + - "" + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + resources: + - secrets + sideEffects: None +- admissionReviewVersions: + - v1 + clientConfig: + caBundle: '###DYNAMIC_FIELD###' + service: + name: chartsnap-kong-validation-webhook + namespace: default + failurePolicy: Ignore + matchPolicy: Equivalent + name: secrets.plugins.validation.ingress-controller.konghq.com + objectSelector: + matchExpressions: + - key: owner + operator: NotIn + values: + - helm + - key: "konghq.com/credential" + operator: "NotIn" + values: + - "konnect" + rules: + - apiGroups: + - "" + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + resources: + - secrets + sideEffects: None +- name: validations.kong.konghq.com + matchPolicy: Equivalent + objectSelector: + matchExpressions: + - key: owner + operator: NotIn + values: + - helm + failurePolicy: Ignore + sideEffects: None + admissionReviewVersions: ["v1beta1"] + rules: + - apiGroups: + - configuration.konghq.com + apiVersions: + - '*' + operations: + - CREATE + - UPDATE + resources: + - kongconsumers + - kongplugins + - kongclusterplugins + - kongingresses + - apiGroups: + - '' + apiVersions: + - 'v1' + operations: + - CREATE + - UPDATE + resources: + - services + - apiGroups: + - networking.k8s.io + apiVersions: + - 'v1' + operations: + - CREATE + - UPDATE + resources: + - ingresses + - apiGroups: + - gateway.networking.k8s.io + apiVersions: + - 'v1alpha2' + - 'v1beta1' + - 'v1' + operations: + - CREATE + - UPDATE + resources: + - gateways + - httproutes + clientConfig: + caBundle: '###DYNAMIC_FIELD###' + service: + name: chartsnap-kong-validation-webhook + namespace: default 
diff --git a/charts/kong/ci/__snapshots__/pdb-always-allow.snap b/charts/kong/ci/__snapshots__/pdb-always-allow.snap new file mode 100644 index 000000000..3d5cb8a3e --- /dev/null +++ b/charts/kong/ci/__snapshots__/pdb-always-allow.snap 
@@ -0,0 +1,1202 @@ +# chartsnap: snapshot_version=v3 +--- +# Source: kong/templates/pdb.yaml +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: chartsnap-kong + namespace: default + labels: + app.kubernetes.io/name: kong + helm.sh/chart: kong-2.47.0 + app.kubernetes.io/instance: "chartsnap" + app.kubernetes.io/managed-by: "Helm" + app.kubernetes.io/version: "3.9" +spec: + maxUnavailable: 50% + unhealthyPodEvictionPolicy: AlwaysAllow + selector: + matchLabels: + app.kubernetes.io/name: kong + helm.sh/chart: kong-2.47.0 + app.kubernetes.io/instance: "chartsnap" + app.kubernetes.io/managed-by: "Helm" + app.kubernetes.io/version: "3.9" + app.kubernetes.io/component: app +--- +# Source: kong/templates/service-account.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: chartsnap-kong + namespace: default + labels: + app.kubernetes.io/name: kong + helm.sh/chart: kong-2.47.0 + app.kubernetes.io/instance: "chartsnap" + app.kubernetes.io/managed-by: "Helm" + app.kubernetes.io/version: "3.9" +--- +# Source: kong/templates/admission-webhook.yaml +apiVersion: v1 +kind: Secret +metadata: + name: chartsnap-kong-validation-webhook-ca-keypair + namespace: default + labels: + app.kubernetes.io/name: kong + helm.sh/chart: kong-2.47.0 + app.kubernetes.io/instance: "chartsnap" + app.kubernetes.io/managed-by: "Helm" + app.kubernetes.io/version: "3.9" +type: kubernetes.io/tls +data: + tls.crt: '###DYNAMIC_FIELD###' + tls.key: '###DYNAMIC_FIELD###' +--- +# Source: kong/templates/admission-webhook.yaml +apiVersion: v1 +kind: Secret +metadata: + name: chartsnap-kong-validation-webhook-keypair + namespace: default + labels: + app.kubernetes.io/name: kong + helm.sh/chart: kong-2.47.0 + app.kubernetes.io/instance: "chartsnap" + app.kubernetes.io/managed-by: "Helm" + app.kubernetes.io/version: "3.9" +type: kubernetes.io/tls +data: + tls.crt: '###DYNAMIC_FIELD###' + tls.key: '###DYNAMIC_FIELD###' +--- +# Source: kong/templates/controller-rbac-resources.yaml 
+apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/name: kong + helm.sh/chart: kong-2.47.0 + app.kubernetes.io/instance: "chartsnap" + app.kubernetes.io/managed-by: "Helm" + app.kubernetes.io/version: "3.9" + name: chartsnap-kong +rules: +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - backendtlspolicies + verbs: + - get + - list + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - backendtlspolicies/status + verbs: + - patch + - update +- apiGroups: + - configuration.konghq.com + resources: + - kongcustomentities + verbs: + - get + - list + - watch +- apiGroups: + - configuration.konghq.com + resources: + - kongcustomentities/status + verbs: + - get + - patch + - update +- apiGroups: + - configuration.konghq.com + resources: + - kongupstreampolicies + verbs: + - get + - list + - watch +- apiGroups: + - configuration.konghq.com + resources: + - kongupstreampolicies/status + verbs: + - get + - patch + - update +- apiGroups: + - configuration.konghq.com + resources: + - kongconsumergroups + verbs: + - get + - list + - watch +- apiGroups: + - configuration.konghq.com + resources: + - kongconsumergroups/status + verbs: + - get + - patch + - update +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +- apiGroups: + - "" + resources: + - nodes + verbs: + - list + - watch +- apiGroups: + - "" + resources: + - pods + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - secrets + verbs: + - list + - watch +- apiGroups: + - "" + resources: + - services + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - services/status + verbs: + - get + - patch + - update +- apiGroups: + - configuration.konghq.com + resources: + - ingressclassparameterses + verbs: + - get + - list + - watch +- apiGroups: + - configuration.konghq.com + resources: + - kongconsumers + 
verbs: + - get + - list + - watch +- apiGroups: + - configuration.konghq.com + resources: + - kongconsumers/status + verbs: + - get + - patch + - update +- apiGroups: + - configuration.konghq.com + resources: + - kongingresses + verbs: + - get + - list + - watch +- apiGroups: + - configuration.konghq.com + resources: + - kongingresses/status + verbs: + - get + - patch + - update +- apiGroups: + - configuration.konghq.com + resources: + - kongplugins + verbs: + - get + - list + - watch +- apiGroups: + - configuration.konghq.com + resources: + - kongplugins/status + verbs: + - get + - patch + - update +- apiGroups: + - configuration.konghq.com + resources: + - tcpingresses + verbs: + - get + - list + - watch +- apiGroups: + - configuration.konghq.com + resources: + - tcpingresses/status + verbs: + - get + - patch + - update +- apiGroups: + - configuration.konghq.com + resources: + - udpingresses + verbs: + - get + - list + - watch +- apiGroups: + - configuration.konghq.com + resources: + - udpingresses/status + verbs: + - get + - patch + - update +- apiGroups: + - extensions + resources: + - ingresses + verbs: + - get + - list + - watch +- apiGroups: + - extensions + resources: + - ingresses/status + verbs: + - get + - patch + - update +- apiGroups: + - gateway.networking.k8s.io + resources: + - gateways + verbs: + - get + - list + - update + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - gateways/status + verbs: + - get + - update +- apiGroups: + - gateway.networking.k8s.io + resources: + - httproutes + verbs: + - get + - list + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - httproutes/status + verbs: + - get + - update +- apiGroups: + - gateway.networking.k8s.io + resources: + - referencegrants + verbs: + - get + - list + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - referencegrants/status + verbs: + - get +- apiGroups: + - gateway.networking.k8s.io + resources: + - tcproutes + verbs: + - get + - 
list + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - tcproutes/status + verbs: + - get + - update +- apiGroups: + - gateway.networking.k8s.io + resources: + - tlsroutes + verbs: + - get + - list + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - tlsroutes/status + verbs: + - get + - update +- apiGroups: + - gateway.networking.k8s.io + resources: + - udproutes + verbs: + - get + - list + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - udproutes/status + verbs: + - get + - update +- apiGroups: + - gateway.networking.k8s.io + resources: + - grpcroutes + verbs: + - get + - list + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - grpcroutes/status + verbs: + - get + - patch + - update +- apiGroups: + - networking.k8s.io + resources: + - ingresses + verbs: + - get + - list + - watch +- apiGroups: + - networking.k8s.io + resources: + - ingresses/status + verbs: + - get + - patch + - update +- apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - get + - list + - watch +- apiGroups: + - configuration.konghq.com + resources: + - konglicenses + verbs: + - get + - list + - watch +- apiGroups: + - configuration.konghq.com + resources: + - konglicenses/status + verbs: + - get + - patch + - update +- apiGroups: + - configuration.konghq.com + resources: + - kongvaults + verbs: + - get + - list + - watch +- apiGroups: + - configuration.konghq.com + resources: + - kongvaults/status + verbs: + - get + - patch + - update +- apiGroups: + - configuration.konghq.com + resources: + - kongclusterplugins + verbs: + - get + - list + - watch +- apiGroups: + - configuration.konghq.com + resources: + - kongclusterplugins/status + verbs: + - get + - patch + - update +- apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - list + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - gatewayclasses + verbs: + - get + - list + - watch +- 
apiGroups: + - gateway.networking.k8s.io + resources: + - gatewayclasses/status + verbs: + - get + - update +- apiGroups: + - "" + resources: + - namespaces + verbs: + - get + - list + - watch +- apiGroups: + - networking.k8s.io + resources: + - ingressclasses + verbs: + - get + - list + - watch +--- +# Source: kong/templates/controller-rbac-resources.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: chartsnap-kong + labels: + app.kubernetes.io/name: kong + helm.sh/chart: kong-2.47.0 + app.kubernetes.io/instance: "chartsnap" + app.kubernetes.io/managed-by: "Helm" + app.kubernetes.io/version: "3.9" +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: chartsnap-kong +subjects: +- kind: ServiceAccount + name: chartsnap-kong + namespace: default +--- +# Source: kong/templates/controller-rbac-resources.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: chartsnap-kong + namespace: default + labels: + app.kubernetes.io/name: kong + helm.sh/chart: kong-2.47.0 + app.kubernetes.io/instance: "chartsnap" + app.kubernetes.io/managed-by: "Helm" + app.kubernetes.io/version: "3.9" +rules: +- apiGroups: + - "" + resources: + - configmaps + - pods + - secrets + - namespaces + verbs: + - get +- apiGroups: + - "" + resources: + - configmaps + resourceNames: + # Defaults to "-" + # Here: "-" + # This has to be adapted if you change either parameter + # when launching the nginx-ingress-controller. 
+ - "kong-ingress-controller-leader-kong-kong" + verbs: + - get + - update +- apiGroups: + - "" + resources: + - configmaps + verbs: + - create +# Begin KIC 2.x leader permissions +- apiGroups: + - "" + - coordination.k8s.io + resources: + - configmaps + - leases + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +- apiGroups: + - "" + resources: + - services + verbs: + - get +--- +# Source: kong/templates/controller-rbac-resources.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: chartsnap-kong + namespace: default + labels: + app.kubernetes.io/name: kong + helm.sh/chart: kong-2.47.0 + app.kubernetes.io/instance: "chartsnap" + app.kubernetes.io/managed-by: "Helm" + app.kubernetes.io/version: "3.9" +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: chartsnap-kong +subjects: +- kind: ServiceAccount + name: chartsnap-kong + namespace: default +--- +# Source: kong/templates/admission-webhook.yaml +apiVersion: v1 +kind: Service +metadata: + name: chartsnap-kong-validation-webhook + namespace: default + labels: + app.kubernetes.io/name: kong + helm.sh/chart: kong-2.47.0 + app.kubernetes.io/instance: "chartsnap" + app.kubernetes.io/managed-by: "Helm" + app.kubernetes.io/version: "3.9" +spec: + ports: + - name: webhook + port: 443 + protocol: TCP + targetPort: webhook + selector: + app.kubernetes.io/name: kong + helm.sh/chart: kong-2.47.0 + app.kubernetes.io/instance: "chartsnap" + app.kubernetes.io/managed-by: "Helm" + app.kubernetes.io/version: "3.9" + app.kubernetes.io/component: app +--- +# Source: kong/templates/controller-service-metrics.yaml +apiVersion: v1 +kind: Service +metadata: + name: chartsnap-kong-metrics + namespace: default + labels: + app.kubernetes.io/name: kong + helm.sh/chart: kong-2.47.0 + app.kubernetes.io/instance: "chartsnap" + app.kubernetes.io/managed-by: "Helm" + app.kubernetes.io/version: 
"3.9" +spec: + ports: + - name: cmetrics + port: 10255 + protocol: TCP + targetPort: cmetrics + - name: status + port: 10254 + protocol: TCP + targetPort: cstatus + selector: + app.kubernetes.io/name: kong + helm.sh/chart: kong-2.47.0 + app.kubernetes.io/instance: "chartsnap" + app.kubernetes.io/managed-by: "Helm" + app.kubernetes.io/version: "3.9" + app.kubernetes.io/component: app +--- +# Source: kong/templates/service-kong-manager.yaml +apiVersion: v1 +kind: Service +metadata: + name: chartsnap-kong-manager + namespace: default + labels: + app.kubernetes.io/name: kong + helm.sh/chart: kong-2.47.0 + app.kubernetes.io/instance: "chartsnap" + app.kubernetes.io/managed-by: "Helm" + app.kubernetes.io/version: "3.9" +spec: + type: NodePort + ports: + - name: kong-manager + port: 8002 + targetPort: 8002 + protocol: TCP + - name: kong-manager-tls + port: 8445 + targetPort: 8445 + protocol: TCP + selector: + app.kubernetes.io/name: kong + app.kubernetes.io/component: app + app.kubernetes.io/instance: "chartsnap" +--- +# Source: kong/templates/service-kong-proxy.yaml +apiVersion: v1 +kind: Service +metadata: + name: chartsnap-kong-proxy + namespace: default + labels: + app.kubernetes.io/name: kong + helm.sh/chart: kong-2.47.0 + app.kubernetes.io/instance: "chartsnap" + app.kubernetes.io/managed-by: "Helm" + app.kubernetes.io/version: "3.9" + enable-metrics: "true" +spec: + type: LoadBalancer + ports: + - name: kong-proxy + port: 80 + targetPort: 8000 + protocol: TCP + - name: kong-proxy-tls + port: 443 + targetPort: 8443 + protocol: TCP + selector: + app.kubernetes.io/name: kong + app.kubernetes.io/component: app + app.kubernetes.io/instance: "chartsnap" +--- +# Source: kong/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: chartsnap-kong + namespace: default + labels: + app.kubernetes.io/name: kong + helm.sh/chart: kong-2.47.0 + app.kubernetes.io/instance: "chartsnap" + app.kubernetes.io/managed-by: "Helm" + app.kubernetes.io/version: 
"3.9" + app.kubernetes.io/component: app +spec: + replicas: 2 + revisionHistoryLimit: 10 + selector: + matchLabels: + app.kubernetes.io/name: kong + app.kubernetes.io/component: app + app.kubernetes.io/instance: "chartsnap" + template: + metadata: + annotations: + kuma.io/service-account-token-volume: chartsnap-kong-token + kuma.io/gateway: "enabled" + traffic.sidecar.istio.io/includeInboundPorts: "" + labels: + app.kubernetes.io/name: kong + helm.sh/chart: kong-2.47.0 + app.kubernetes.io/instance: "chartsnap" + app.kubernetes.io/managed-by: "Helm" + app.kubernetes.io/version: "3.9" + app.kubernetes.io/component: app + app: chartsnap-kong + version: "3.9" + spec: + serviceAccountName: chartsnap-kong + automountServiceAccountToken: false + initContainers: + - name: clear-stale-pid + image: kong:3.9 + imagePullPolicy: IfNotPresent + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 1000 + seccompProfile: + type: RuntimeDefault + resources: {} + command: + - "rm" + - "-vrf" + - "$KONG_PREFIX/pids" + env: + - name: KONG_ADMIN_ACCESS_LOG + value: "/dev/stdout" + - name: KONG_ADMIN_ERROR_LOG + value: "/dev/stderr" + - name: KONG_ADMIN_GUI_ACCESS_LOG + value: "/dev/stdout" + - name: KONG_ADMIN_GUI_ERROR_LOG + value: "/dev/stderr" + - name: KONG_ADMIN_LISTEN + value: "127.0.0.1:8444 http2 ssl, [::1]:8444 http2 ssl" + - name: KONG_CLUSTER_LISTEN + value: "off" + - name: KONG_DATABASE + value: "off" + - name: KONG_KIC + value: "on" + - name: KONG_LUA_PACKAGE_PATH + value: "/opt/?.lua;/opt/?/init.lua;;" + - name: KONG_NGINX_WORKER_PROCESSES + value: "2" + - name: KONG_PORTAL_API_ACCESS_LOG + value: "/dev/stdout" + - name: KONG_PORTAL_API_ERROR_LOG + value: "/dev/stderr" + - name: KONG_PORT_MAPS + value: "80:8000, 443:8443" + - name: KONG_PREFIX + value: "/kong_prefix/" + - name: KONG_PROXY_ACCESS_LOG + value: "/dev/stdout" + - name: KONG_PROXY_ERROR_LOG + value: "/dev/stderr" + - 
name: KONG_PROXY_LISTEN + value: "0.0.0.0:8000, [::]:8000, 0.0.0.0:8443 http2 ssl, [::]:8443 http2 ssl" + - name: KONG_PROXY_STREAM_ACCESS_LOG + value: "/dev/stdout basic" + - name: KONG_PROXY_STREAM_ERROR_LOG + value: "/dev/stderr" + - name: KONG_ROUTER_FLAVOR + value: "traditional" + - name: KONG_STATUS_ACCESS_LOG + value: "off" + - name: KONG_STATUS_ERROR_LOG + value: "/dev/stderr" + - name: KONG_STATUS_LISTEN + value: "0.0.0.0:8100, [::]:8100" + - name: KONG_STREAM_LISTEN + value: "off" + volumeMounts: + - name: chartsnap-kong-prefix-dir + mountPath: /kong_prefix/ + - name: chartsnap-kong-tmp + mountPath: /tmp + containers: + - name: ingress-controller + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 1000 + seccompProfile: + type: RuntimeDefault + args: + ports: + - name: webhook + containerPort: 8080 + protocol: TCP + - name: cmetrics + containerPort: 10255 + protocol: TCP + - name: cstatus + containerPort: 10254 + protocol: TCP + env: + - name: POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: CONTROLLER_ADMISSION_WEBHOOK_LISTEN + value: "0.0.0.0:8080" + - name: CONTROLLER_ELECTION_ID + value: "kong-ingress-controller-leader-kong" + - name: CONTROLLER_INGRESS_CLASS + value: "kong" + - name: CONTROLLER_KONG_ADMIN_TLS_SKIP_VERIFY + value: "true" + - name: CONTROLLER_KONG_ADMIN_URL + value: "https://localhost:8444" + - name: CONTROLLER_PUBLISH_SERVICE + value: "default/chartsnap-kong-proxy" + image: kong/kubernetes-ingress-controller:3.4 + imagePullPolicy: IfNotPresent + readinessProbe: + failureThreshold: 3 + httpGet: + path: /readyz + port: 10254 + scheme: HTTP + initialDelaySeconds: 5 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + livenessProbe: + failureThreshold: 3 + httpGet: + path: /healthz + port: 10254 + 
scheme: HTTP + initialDelaySeconds: 5 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + resources: {} + volumeMounts: + - name: webhook-cert + mountPath: /admission-webhook + readOnly: true + - name: chartsnap-kong-token + mountPath: /var/run/secrets/kubernetes.io/serviceaccount + readOnly: true + - name: "proxy" + image: kong:3.9 + imagePullPolicy: IfNotPresent + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 1000 + seccompProfile: + type: RuntimeDefault + env: + - name: KONG_ADMIN_ACCESS_LOG + value: "/dev/stdout" + - name: KONG_ADMIN_ERROR_LOG + value: "/dev/stderr" + - name: KONG_ADMIN_GUI_ACCESS_LOG + value: "/dev/stdout" + - name: KONG_ADMIN_GUI_ERROR_LOG + value: "/dev/stderr" + - name: KONG_ADMIN_LISTEN + value: "127.0.0.1:8444 http2 ssl, [::1]:8444 http2 ssl" + - name: KONG_CLUSTER_LISTEN + value: "off" + - name: KONG_DATABASE + value: "off" + - name: KONG_KIC + value: "on" + - name: KONG_LUA_PACKAGE_PATH + value: "/opt/?.lua;/opt/?/init.lua;;" + - name: KONG_NGINX_WORKER_PROCESSES + value: "2" + - name: KONG_PORTAL_API_ACCESS_LOG + value: "/dev/stdout" + - name: KONG_PORTAL_API_ERROR_LOG + value: "/dev/stderr" + - name: KONG_PORT_MAPS + value: "80:8000, 443:8443" + - name: KONG_PREFIX + value: "/kong_prefix/" + - name: KONG_PROXY_ACCESS_LOG + value: "/dev/stdout" + - name: KONG_PROXY_ERROR_LOG + value: "/dev/stderr" + - name: KONG_PROXY_LISTEN + value: "0.0.0.0:8000, [::]:8000, 0.0.0.0:8443 http2 ssl, [::]:8443 http2 ssl" + - name: KONG_PROXY_STREAM_ACCESS_LOG + value: "/dev/stdout basic" + - name: KONG_PROXY_STREAM_ERROR_LOG + value: "/dev/stderr" + - name: KONG_ROUTER_FLAVOR + value: "traditional" + - name: KONG_STATUS_ACCESS_LOG + value: "off" + - name: KONG_STATUS_ERROR_LOG + value: "/dev/stderr" + - name: KONG_STATUS_LISTEN + value: "0.0.0.0:8100, [::]:8100" + - name: KONG_STREAM_LISTEN + value: "off" + - name: KONG_NGINX_DAEMON + value: 
"off" + lifecycle: + preStop: + exec: + command: + - kong + - quit + - --wait=15 + ports: + - name: proxy + containerPort: 8000 + protocol: TCP + - name: proxy-tls + containerPort: 8443 + protocol: TCP + - name: status + containerPort: 8100 + protocol: TCP + volumeMounts: + - name: chartsnap-kong-prefix-dir + mountPath: /kong_prefix/ + - name: chartsnap-kong-tmp + mountPath: /tmp + readinessProbe: + failureThreshold: 3 + httpGet: + path: /status/ready + port: status + scheme: HTTP + initialDelaySeconds: 5 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + livenessProbe: + failureThreshold: 3 + httpGet: + path: /status + port: status + scheme: HTTP + initialDelaySeconds: 5 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + resources: {} + securityContext: {} + terminationGracePeriodSeconds: 30 + volumes: + - name: chartsnap-kong-prefix-dir + emptyDir: + sizeLimit: 256Mi + - name: chartsnap-kong-tmp + emptyDir: + sizeLimit: 1Gi + - name: chartsnap-kong-token + projected: + sources: + - serviceAccountToken: + expirationSeconds: 3607 + path: token + - configMap: + items: + - key: ca.crt + path: ca.crt + name: kube-root-ca.crt + - downwardAPI: + items: + - fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + path: namespace + - name: webhook-cert + secret: + secretName: chartsnap-kong-validation-webhook-keypair +--- +# Source: kong/templates/admission-webhook.yaml +kind: ValidatingWebhookConfiguration +apiVersion: admissionregistration.k8s.io/v1 +metadata: + name: chartsnap-kong-default-validations + labels: + app.kubernetes.io/name: kong + helm.sh/chart: kong-2.47.0 + app.kubernetes.io/instance: "chartsnap" + app.kubernetes.io/managed-by: "Helm" + app.kubernetes.io/version: "3.9" +webhooks: +- admissionReviewVersions: + - v1 + clientConfig: + caBundle: '###DYNAMIC_FIELD###' + service: + name: chartsnap-kong-validation-webhook + namespace: default + failurePolicy: Ignore + matchPolicy: Equivalent + name: 
secrets.credentials.validation.ingress-controller.konghq.com + objectSelector: + matchExpressions: + - key: "konghq.com/credential" + operator: "Exists" + - key: "konghq.com/credential" + operator: "NotIn" + values: + - "konnect" + rules: + - apiGroups: + - "" + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + resources: + - secrets + sideEffects: None +- admissionReviewVersions: + - v1 + clientConfig: + caBundle: '###DYNAMIC_FIELD###' + service: + name: chartsnap-kong-validation-webhook + namespace: default + failurePolicy: Ignore + matchPolicy: Equivalent + name: secrets.plugins.validation.ingress-controller.konghq.com + objectSelector: + matchExpressions: + - key: owner + operator: NotIn + values: + - helm + - key: "konghq.com/credential" + operator: "NotIn" + values: + - "konnect" + rules: + - apiGroups: + - "" + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + resources: + - secrets + sideEffects: None +- name: validations.kong.konghq.com + matchPolicy: Equivalent + objectSelector: + matchExpressions: + - key: owner + operator: NotIn + values: + - helm + failurePolicy: Ignore + sideEffects: None + admissionReviewVersions: ["v1beta1"] + rules: + - apiGroups: + - configuration.konghq.com + apiVersions: + - '*' + operations: + - CREATE + - UPDATE + resources: + - kongconsumers + - kongplugins + - kongclusterplugins + - kongingresses + - apiGroups: + - '' + apiVersions: + - 'v1' + operations: + - CREATE + - UPDATE + resources: + - services + - apiGroups: + - networking.k8s.io + apiVersions: + - 'v1' + operations: + - CREATE + - UPDATE + resources: + - ingresses + - apiGroups: + - gateway.networking.k8s.io + apiVersions: + - 'v1alpha2' + - 'v1beta1' + - 'v1' + operations: + - CREATE + - UPDATE + resources: + - gateways + - httproutes + clientConfig: + caBundle: '###DYNAMIC_FIELD###' + service: + name: chartsnap-kong-validation-webhook + namespace: default 
diff --git a/charts/kong/ci/__snapshots__/pdb-default.snap b/charts/kong/ci/__snapshots__/pdb-default.snap
new file mode 100644
index 000000000..de35c6cdc
--- /dev/null
+++ b/charts/kong/ci/__snapshots__/pdb-default.snap
@@ -0,0 +1,1202 @@ +# chartsnap: snapshot_version=v3 +--- +# Source: kong/templates/pdb.yaml +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: chartsnap-kong + namespace: default + labels: + app.kubernetes.io/name: kong + helm.sh/chart: kong-2.47.0 + app.kubernetes.io/instance: "chartsnap" + app.kubernetes.io/managed-by: "Helm" + app.kubernetes.io/version: "3.9" +spec: + maxUnavailable: 50% + unhealthyPodEvictionPolicy: IfHealthyBudget + selector: + matchLabels: + app.kubernetes.io/name: kong + helm.sh/chart: kong-2.47.0 + app.kubernetes.io/instance: "chartsnap" + app.kubernetes.io/managed-by: "Helm" + app.kubernetes.io/version: "3.9" + app.kubernetes.io/component: app +--- +# Source: kong/templates/service-account.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: chartsnap-kong + namespace: default + labels: + app.kubernetes.io/name: kong + helm.sh/chart: kong-2.47.0 + app.kubernetes.io/instance: "chartsnap" + app.kubernetes.io/managed-by: "Helm" + app.kubernetes.io/version: "3.9" +--- +# Source: kong/templates/admission-webhook.yaml +apiVersion: v1 +kind: Secret +metadata: + name: chartsnap-kong-validation-webhook-ca-keypair + namespace: default + labels: + app.kubernetes.io/name: kong + helm.sh/chart: kong-2.47.0 + app.kubernetes.io/instance: "chartsnap" + app.kubernetes.io/managed-by: "Helm" + app.kubernetes.io/version: "3.9" +type: kubernetes.io/tls +data: + tls.crt: '###DYNAMIC_FIELD###' + tls.key: '###DYNAMIC_FIELD###' +--- +# Source: kong/templates/admission-webhook.yaml +apiVersion: v1 +kind: Secret +metadata: + name: chartsnap-kong-validation-webhook-keypair + namespace: default + labels: + app.kubernetes.io/name: kong + helm.sh/chart: kong-2.47.0 + app.kubernetes.io/instance: "chartsnap" + app.kubernetes.io/managed-by: "Helm" + app.kubernetes.io/version: "3.9" +type: kubernetes.io/tls +data: + tls.crt: '###DYNAMIC_FIELD###' + tls.key: '###DYNAMIC_FIELD###' +--- +# Source: kong/templates/controller-rbac-resources.yaml 
+apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/name: kong + helm.sh/chart: kong-2.47.0 + app.kubernetes.io/instance: "chartsnap" + app.kubernetes.io/managed-by: "Helm" + app.kubernetes.io/version: "3.9" + name: chartsnap-kong +rules: +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - backendtlspolicies + verbs: + - get + - list + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - backendtlspolicies/status + verbs: + - patch + - update +- apiGroups: + - configuration.konghq.com + resources: + - kongcustomentities + verbs: + - get + - list + - watch +- apiGroups: + - configuration.konghq.com + resources: + - kongcustomentities/status + verbs: + - get + - patch + - update +- apiGroups: + - configuration.konghq.com + resources: + - kongupstreampolicies + verbs: + - get + - list + - watch +- apiGroups: + - configuration.konghq.com + resources: + - kongupstreampolicies/status + verbs: + - get + - patch + - update +- apiGroups: + - configuration.konghq.com + resources: + - kongconsumergroups + verbs: + - get + - list + - watch +- apiGroups: + - configuration.konghq.com + resources: + - kongconsumergroups/status + verbs: + - get + - patch + - update +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +- apiGroups: + - "" + resources: + - nodes + verbs: + - list + - watch +- apiGroups: + - "" + resources: + - pods + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - secrets + verbs: + - list + - watch +- apiGroups: + - "" + resources: + - services + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - services/status + verbs: + - get + - patch + - update +- apiGroups: + - configuration.konghq.com + resources: + - ingressclassparameterses + verbs: + - get + - list + - watch +- apiGroups: + - configuration.konghq.com + resources: + - kongconsumers + 
verbs: + - get + - list + - watch +- apiGroups: + - configuration.konghq.com + resources: + - kongconsumers/status + verbs: + - get + - patch + - update +- apiGroups: + - configuration.konghq.com + resources: + - kongingresses + verbs: + - get + - list + - watch +- apiGroups: + - configuration.konghq.com + resources: + - kongingresses/status + verbs: + - get + - patch + - update +- apiGroups: + - configuration.konghq.com + resources: + - kongplugins + verbs: + - get + - list + - watch +- apiGroups: + - configuration.konghq.com + resources: + - kongplugins/status + verbs: + - get + - patch + - update +- apiGroups: + - configuration.konghq.com + resources: + - tcpingresses + verbs: + - get + - list + - watch +- apiGroups: + - configuration.konghq.com + resources: + - tcpingresses/status + verbs: + - get + - patch + - update +- apiGroups: + - configuration.konghq.com + resources: + - udpingresses + verbs: + - get + - list + - watch +- apiGroups: + - configuration.konghq.com + resources: + - udpingresses/status + verbs: + - get + - patch + - update +- apiGroups: + - extensions + resources: + - ingresses + verbs: + - get + - list + - watch +- apiGroups: + - extensions + resources: + - ingresses/status + verbs: + - get + - patch + - update +- apiGroups: + - gateway.networking.k8s.io + resources: + - gateways + verbs: + - get + - list + - update + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - gateways/status + verbs: + - get + - update +- apiGroups: + - gateway.networking.k8s.io + resources: + - httproutes + verbs: + - get + - list + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - httproutes/status + verbs: + - get + - update +- apiGroups: + - gateway.networking.k8s.io + resources: + - referencegrants + verbs: + - get + - list + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - referencegrants/status + verbs: + - get +- apiGroups: + - gateway.networking.k8s.io + resources: + - tcproutes + verbs: + - get + - 
list + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - tcproutes/status + verbs: + - get + - update +- apiGroups: + - gateway.networking.k8s.io + resources: + - tlsroutes + verbs: + - get + - list + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - tlsroutes/status + verbs: + - get + - update +- apiGroups: + - gateway.networking.k8s.io + resources: + - udproutes + verbs: + - get + - list + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - udproutes/status + verbs: + - get + - update +- apiGroups: + - gateway.networking.k8s.io + resources: + - grpcroutes + verbs: + - get + - list + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - grpcroutes/status + verbs: + - get + - patch + - update +- apiGroups: + - networking.k8s.io + resources: + - ingresses + verbs: + - get + - list + - watch +- apiGroups: + - networking.k8s.io + resources: + - ingresses/status + verbs: + - get + - patch + - update +- apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - get + - list + - watch +- apiGroups: + - configuration.konghq.com + resources: + - konglicenses + verbs: + - get + - list + - watch +- apiGroups: + - configuration.konghq.com + resources: + - konglicenses/status + verbs: + - get + - patch + - update +- apiGroups: + - configuration.konghq.com + resources: + - kongvaults + verbs: + - get + - list + - watch +- apiGroups: + - configuration.konghq.com + resources: + - kongvaults/status + verbs: + - get + - patch + - update +- apiGroups: + - configuration.konghq.com + resources: + - kongclusterplugins + verbs: + - get + - list + - watch +- apiGroups: + - configuration.konghq.com + resources: + - kongclusterplugins/status + verbs: + - get + - patch + - update +- apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - list + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - gatewayclasses + verbs: + - get + - list + - watch +- 
apiGroups: + - gateway.networking.k8s.io + resources: + - gatewayclasses/status + verbs: + - get + - update +- apiGroups: + - "" + resources: + - namespaces + verbs: + - get + - list + - watch +- apiGroups: + - networking.k8s.io + resources: + - ingressclasses + verbs: + - get + - list + - watch +--- +# Source: kong/templates/controller-rbac-resources.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: chartsnap-kong + labels: + app.kubernetes.io/name: kong + helm.sh/chart: kong-2.47.0 + app.kubernetes.io/instance: "chartsnap" + app.kubernetes.io/managed-by: "Helm" + app.kubernetes.io/version: "3.9" +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: chartsnap-kong +subjects: +- kind: ServiceAccount + name: chartsnap-kong + namespace: default +--- +# Source: kong/templates/controller-rbac-resources.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: chartsnap-kong + namespace: default + labels: + app.kubernetes.io/name: kong + helm.sh/chart: kong-2.47.0 + app.kubernetes.io/instance: "chartsnap" + app.kubernetes.io/managed-by: "Helm" + app.kubernetes.io/version: "3.9" +rules: +- apiGroups: + - "" + resources: + - configmaps + - pods + - secrets + - namespaces + verbs: + - get +- apiGroups: + - "" + resources: + - configmaps + resourceNames: + # Defaults to "-" + # Here: "-" + # This has to be adapted if you change either parameter + # when launching the nginx-ingress-controller. 
+ - "kong-ingress-controller-leader-kong-kong" + verbs: + - get + - update +- apiGroups: + - "" + resources: + - configmaps + verbs: + - create +# Begin KIC 2.x leader permissions +- apiGroups: + - "" + - coordination.k8s.io + resources: + - configmaps + - leases + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +- apiGroups: + - "" + resources: + - services + verbs: + - get +--- +# Source: kong/templates/controller-rbac-resources.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: chartsnap-kong + namespace: default + labels: + app.kubernetes.io/name: kong + helm.sh/chart: kong-2.47.0 + app.kubernetes.io/instance: "chartsnap" + app.kubernetes.io/managed-by: "Helm" + app.kubernetes.io/version: "3.9" +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: chartsnap-kong +subjects: +- kind: ServiceAccount + name: chartsnap-kong + namespace: default +--- +# Source: kong/templates/admission-webhook.yaml +apiVersion: v1 +kind: Service +metadata: + name: chartsnap-kong-validation-webhook + namespace: default + labels: + app.kubernetes.io/name: kong + helm.sh/chart: kong-2.47.0 + app.kubernetes.io/instance: "chartsnap" + app.kubernetes.io/managed-by: "Helm" + app.kubernetes.io/version: "3.9" +spec: + ports: + - name: webhook + port: 443 + protocol: TCP + targetPort: webhook + selector: + app.kubernetes.io/name: kong + helm.sh/chart: kong-2.47.0 + app.kubernetes.io/instance: "chartsnap" + app.kubernetes.io/managed-by: "Helm" + app.kubernetes.io/version: "3.9" + app.kubernetes.io/component: app +--- +# Source: kong/templates/controller-service-metrics.yaml +apiVersion: v1 +kind: Service +metadata: + name: chartsnap-kong-metrics + namespace: default + labels: + app.kubernetes.io/name: kong + helm.sh/chart: kong-2.47.0 + app.kubernetes.io/instance: "chartsnap" + app.kubernetes.io/managed-by: "Helm" + app.kubernetes.io/version: 
"3.9" +spec: + ports: + - name: cmetrics + port: 10255 + protocol: TCP + targetPort: cmetrics + - name: status + port: 10254 + protocol: TCP + targetPort: cstatus + selector: + app.kubernetes.io/name: kong + helm.sh/chart: kong-2.47.0 + app.kubernetes.io/instance: "chartsnap" + app.kubernetes.io/managed-by: "Helm" + app.kubernetes.io/version: "3.9" + app.kubernetes.io/component: app +--- +# Source: kong/templates/service-kong-manager.yaml +apiVersion: v1 +kind: Service +metadata: + name: chartsnap-kong-manager + namespace: default + labels: + app.kubernetes.io/name: kong + helm.sh/chart: kong-2.47.0 + app.kubernetes.io/instance: "chartsnap" + app.kubernetes.io/managed-by: "Helm" + app.kubernetes.io/version: "3.9" +spec: + type: NodePort + ports: + - name: kong-manager + port: 8002 + targetPort: 8002 + protocol: TCP + - name: kong-manager-tls + port: 8445 + targetPort: 8445 + protocol: TCP + selector: + app.kubernetes.io/name: kong + app.kubernetes.io/component: app + app.kubernetes.io/instance: "chartsnap" +--- +# Source: kong/templates/service-kong-proxy.yaml +apiVersion: v1 +kind: Service +metadata: + name: chartsnap-kong-proxy + namespace: default + labels: + app.kubernetes.io/name: kong + helm.sh/chart: kong-2.47.0 + app.kubernetes.io/instance: "chartsnap" + app.kubernetes.io/managed-by: "Helm" + app.kubernetes.io/version: "3.9" + enable-metrics: "true" +spec: + type: LoadBalancer + ports: + - name: kong-proxy + port: 80 + targetPort: 8000 + protocol: TCP + - name: kong-proxy-tls + port: 443 + targetPort: 8443 + protocol: TCP + selector: + app.kubernetes.io/name: kong + app.kubernetes.io/component: app + app.kubernetes.io/instance: "chartsnap" +--- +# Source: kong/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: chartsnap-kong + namespace: default + labels: + app.kubernetes.io/name: kong + helm.sh/chart: kong-2.47.0 + app.kubernetes.io/instance: "chartsnap" + app.kubernetes.io/managed-by: "Helm" + app.kubernetes.io/version: 
"3.9" + app.kubernetes.io/component: app +spec: + replicas: 2 + revisionHistoryLimit: 10 + selector: + matchLabels: + app.kubernetes.io/name: kong + app.kubernetes.io/component: app + app.kubernetes.io/instance: "chartsnap" + template: + metadata: + annotations: + kuma.io/service-account-token-volume: chartsnap-kong-token + kuma.io/gateway: "enabled" + traffic.sidecar.istio.io/includeInboundPorts: "" + labels: + app.kubernetes.io/name: kong + helm.sh/chart: kong-2.47.0 + app.kubernetes.io/instance: "chartsnap" + app.kubernetes.io/managed-by: "Helm" + app.kubernetes.io/version: "3.9" + app.kubernetes.io/component: app + app: chartsnap-kong + version: "3.9" + spec: + serviceAccountName: chartsnap-kong + automountServiceAccountToken: false + initContainers: + - name: clear-stale-pid + image: kong:3.9 + imagePullPolicy: IfNotPresent + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 1000 + seccompProfile: + type: RuntimeDefault + resources: {} + command: + - "rm" + - "-vrf" + - "$KONG_PREFIX/pids" + env: + - name: KONG_ADMIN_ACCESS_LOG + value: "/dev/stdout" + - name: KONG_ADMIN_ERROR_LOG + value: "/dev/stderr" + - name: KONG_ADMIN_GUI_ACCESS_LOG + value: "/dev/stdout" + - name: KONG_ADMIN_GUI_ERROR_LOG + value: "/dev/stderr" + - name: KONG_ADMIN_LISTEN + value: "127.0.0.1:8444 http2 ssl, [::1]:8444 http2 ssl" + - name: KONG_CLUSTER_LISTEN + value: "off" + - name: KONG_DATABASE + value: "off" + - name: KONG_KIC + value: "on" + - name: KONG_LUA_PACKAGE_PATH + value: "/opt/?.lua;/opt/?/init.lua;;" + - name: KONG_NGINX_WORKER_PROCESSES + value: "2" + - name: KONG_PORTAL_API_ACCESS_LOG + value: "/dev/stdout" + - name: KONG_PORTAL_API_ERROR_LOG + value: "/dev/stderr" + - name: KONG_PORT_MAPS + value: "80:8000, 443:8443" + - name: KONG_PREFIX + value: "/kong_prefix/" + - name: KONG_PROXY_ACCESS_LOG + value: "/dev/stdout" + - name: KONG_PROXY_ERROR_LOG + value: "/dev/stderr" + - 
name: KONG_PROXY_LISTEN + value: "0.0.0.0:8000, [::]:8000, 0.0.0.0:8443 http2 ssl, [::]:8443 http2 ssl" + - name: KONG_PROXY_STREAM_ACCESS_LOG + value: "/dev/stdout basic" + - name: KONG_PROXY_STREAM_ERROR_LOG + value: "/dev/stderr" + - name: KONG_ROUTER_FLAVOR + value: "traditional" + - name: KONG_STATUS_ACCESS_LOG + value: "off" + - name: KONG_STATUS_ERROR_LOG + value: "/dev/stderr" + - name: KONG_STATUS_LISTEN + value: "0.0.0.0:8100, [::]:8100" + - name: KONG_STREAM_LISTEN + value: "off" + volumeMounts: + - name: chartsnap-kong-prefix-dir + mountPath: /kong_prefix/ + - name: chartsnap-kong-tmp + mountPath: /tmp + containers: + - name: ingress-controller + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 1000 + seccompProfile: + type: RuntimeDefault + args: + ports: + - name: webhook + containerPort: 8080 + protocol: TCP + - name: cmetrics + containerPort: 10255 + protocol: TCP + - name: cstatus + containerPort: 10254 + protocol: TCP + env: + - name: POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: CONTROLLER_ADMISSION_WEBHOOK_LISTEN + value: "0.0.0.0:8080" + - name: CONTROLLER_ELECTION_ID + value: "kong-ingress-controller-leader-kong" + - name: CONTROLLER_INGRESS_CLASS + value: "kong" + - name: CONTROLLER_KONG_ADMIN_TLS_SKIP_VERIFY + value: "true" + - name: CONTROLLER_KONG_ADMIN_URL + value: "https://localhost:8444" + - name: CONTROLLER_PUBLISH_SERVICE + value: "default/chartsnap-kong-proxy" + image: kong/kubernetes-ingress-controller:3.4 + imagePullPolicy: IfNotPresent + readinessProbe: + failureThreshold: 3 + httpGet: + path: /readyz + port: 10254 + scheme: HTTP + initialDelaySeconds: 5 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + livenessProbe: + failureThreshold: 3 + httpGet: + path: /healthz + port: 10254 + 
scheme: HTTP + initialDelaySeconds: 5 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + resources: {} + volumeMounts: + - name: webhook-cert + mountPath: /admission-webhook + readOnly: true + - name: chartsnap-kong-token + mountPath: /var/run/secrets/kubernetes.io/serviceaccount + readOnly: true + - name: "proxy" + image: kong:3.9 + imagePullPolicy: IfNotPresent + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 1000 + seccompProfile: + type: RuntimeDefault + env: + - name: KONG_ADMIN_ACCESS_LOG + value: "/dev/stdout" + - name: KONG_ADMIN_ERROR_LOG + value: "/dev/stderr" + - name: KONG_ADMIN_GUI_ACCESS_LOG + value: "/dev/stdout" + - name: KONG_ADMIN_GUI_ERROR_LOG + value: "/dev/stderr" + - name: KONG_ADMIN_LISTEN + value: "127.0.0.1:8444 http2 ssl, [::1]:8444 http2 ssl" + - name: KONG_CLUSTER_LISTEN + value: "off" + - name: KONG_DATABASE + value: "off" + - name: KONG_KIC + value: "on" + - name: KONG_LUA_PACKAGE_PATH + value: "/opt/?.lua;/opt/?/init.lua;;" + - name: KONG_NGINX_WORKER_PROCESSES + value: "2" + - name: KONG_PORTAL_API_ACCESS_LOG + value: "/dev/stdout" + - name: KONG_PORTAL_API_ERROR_LOG + value: "/dev/stderr" + - name: KONG_PORT_MAPS + value: "80:8000, 443:8443" + - name: KONG_PREFIX + value: "/kong_prefix/" + - name: KONG_PROXY_ACCESS_LOG + value: "/dev/stdout" + - name: KONG_PROXY_ERROR_LOG + value: "/dev/stderr" + - name: KONG_PROXY_LISTEN + value: "0.0.0.0:8000, [::]:8000, 0.0.0.0:8443 http2 ssl, [::]:8443 http2 ssl" + - name: KONG_PROXY_STREAM_ACCESS_LOG + value: "/dev/stdout basic" + - name: KONG_PROXY_STREAM_ERROR_LOG + value: "/dev/stderr" + - name: KONG_ROUTER_FLAVOR + value: "traditional" + - name: KONG_STATUS_ACCESS_LOG + value: "off" + - name: KONG_STATUS_ERROR_LOG + value: "/dev/stderr" + - name: KONG_STATUS_LISTEN + value: "0.0.0.0:8100, [::]:8100" + - name: KONG_STREAM_LISTEN + value: "off" + - name: KONG_NGINX_DAEMON + value: 
"off" + lifecycle: + preStop: + exec: + command: + - kong + - quit + - --wait=15 + ports: + - name: proxy + containerPort: 8000 + protocol: TCP + - name: proxy-tls + containerPort: 8443 + protocol: TCP + - name: status + containerPort: 8100 + protocol: TCP + volumeMounts: + - name: chartsnap-kong-prefix-dir + mountPath: /kong_prefix/ + - name: chartsnap-kong-tmp + mountPath: /tmp + readinessProbe: + failureThreshold: 3 + httpGet: + path: /status/ready + port: status + scheme: HTTP + initialDelaySeconds: 5 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + livenessProbe: + failureThreshold: 3 + httpGet: + path: /status + port: status + scheme: HTTP + initialDelaySeconds: 5 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + resources: {} + securityContext: {} + terminationGracePeriodSeconds: 30 + volumes: + - name: chartsnap-kong-prefix-dir + emptyDir: + sizeLimit: 256Mi + - name: chartsnap-kong-tmp + emptyDir: + sizeLimit: 1Gi + - name: chartsnap-kong-token + projected: + sources: + - serviceAccountToken: + expirationSeconds: 3607 + path: token + - configMap: + items: + - key: ca.crt + path: ca.crt + name: kube-root-ca.crt + - downwardAPI: + items: + - fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + path: namespace + - name: webhook-cert + secret: + secretName: chartsnap-kong-validation-webhook-keypair +--- +# Source: kong/templates/admission-webhook.yaml +kind: ValidatingWebhookConfiguration +apiVersion: admissionregistration.k8s.io/v1 +metadata: + name: chartsnap-kong-default-validations + labels: + app.kubernetes.io/name: kong + helm.sh/chart: kong-2.47.0 + app.kubernetes.io/instance: "chartsnap" + app.kubernetes.io/managed-by: "Helm" + app.kubernetes.io/version: "3.9" +webhooks: +- admissionReviewVersions: + - v1 + clientConfig: + caBundle: '###DYNAMIC_FIELD###' + service: + name: chartsnap-kong-validation-webhook + namespace: default + failurePolicy: Ignore + matchPolicy: Equivalent + name: 
secrets.credentials.validation.ingress-controller.konghq.com + objectSelector: + matchExpressions: + - key: "konghq.com/credential" + operator: "Exists" + - key: "konghq.com/credential" + operator: "NotIn" + values: + - "konnect" + rules: + - apiGroups: + - "" + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + resources: + - secrets + sideEffects: None +- admissionReviewVersions: + - v1 + clientConfig: + caBundle: '###DYNAMIC_FIELD###' + service: + name: chartsnap-kong-validation-webhook + namespace: default + failurePolicy: Ignore + matchPolicy: Equivalent + name: secrets.plugins.validation.ingress-controller.konghq.com + objectSelector: + matchExpressions: + - key: owner + operator: NotIn + values: + - helm + - key: "konghq.com/credential" + operator: "NotIn" + values: + - "konnect" + rules: + - apiGroups: + - "" + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + resources: + - secrets + sideEffects: None +- name: validations.kong.konghq.com + matchPolicy: Equivalent + objectSelector: + matchExpressions: + - key: owner + operator: NotIn + values: + - helm + failurePolicy: Ignore + sideEffects: None + admissionReviewVersions: ["v1beta1"] + rules: + - apiGroups: + - configuration.konghq.com + apiVersions: + - '*' + operations: + - CREATE + - UPDATE + resources: + - kongconsumers + - kongplugins + - kongclusterplugins + - kongingresses + - apiGroups: + - '' + apiVersions: + - 'v1' + operations: + - CREATE + - UPDATE + resources: + - services + - apiGroups: + - networking.k8s.io + apiVersions: + - 'v1' + operations: + - CREATE + - UPDATE + resources: + - ingresses + - apiGroups: + - gateway.networking.k8s.io + apiVersions: + - 'v1alpha2' + - 'v1beta1' + - 'v1' + operations: + - CREATE + - UPDATE + resources: + - gateways + - httproutes + clientConfig: + caBundle: '###DYNAMIC_FIELD###' + service: + name: chartsnap-kong-validation-webhook + namespace: default 
diff --git a/charts/kong/ci/pdb-always-allow.yaml b/charts/kong/ci/pdb-always-allow.yaml
new file mode 100644
index 000000000..df352319d
--- /dev/null
+++ b/charts/kong/ci/pdb-always-allow.yaml
@@ -0,0 +1,6 @@
+replicaCount: 2
+
+podDisruptionBudget:
+ enabled: true
+ maxUnavailable: "50%"
+ unhealthyPodEvictionPolicy: AlwaysAllow
diff --git a/charts/kong/ci/pdb-default.yaml b/charts/kong/ci/pdb-default.yaml
new file mode 100644
index 000000000..5be8a74c7
--- /dev/null
+++ b/charts/kong/ci/pdb-default.yaml
@@ -0,0 +1,5 @@
+replicaCount: 2
+
+podDisruptionBudget:
+ enabled: true
+ maxUnavailable: "50%"
diff --git a/charts/kong/templates/pdb.yaml b/charts/kong/templates/pdb.yaml
index 8d918c5a5..b37c63fcf 100644
--- a/charts/kong/templates/pdb.yaml
+++ b/charts/kong/templates/pdb.yaml
@@ -19,6 +19,7 @@ spec:
 {{- if .Values.podDisruptionBudget.maxUnavailable }}
 maxUnavailable: {{ .Values.podDisruptionBudget.maxUnavailable }}
 {{- end }}
+ unhealthyPodEvictionPolicy: {{ .Values.podDisruptionBudget.unhealthyPodEvictionPolicy }}
 selector:
 matchLabels:
 {{- include "kong.metaLabels" . | nindent 6 }}
diff --git a/charts/kong/values.yaml b/charts/kong/values.yaml
index 91c2fdae5..4383bc668 100644
--- a/charts/kong/values.yaml
+++ b/charts/kong/values.yaml
@@ -951,6 +951,7 @@ podDisruptionBudget:
 # Uncomment only one of the following when enabled is set to true
 # maxUnavailable: "50%"
 # minAvailable: "50%"
+ unhealthyPodEvictionPolicy: IfHealthyBudget
 
 podSecurityPolicy:
 enabled: false
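Review bot: The added `unhealthyPodEvictionPolicy` line in templates/pdb.yaml is rendered unconditionally, whereas the `maxUnavailable` line directly above it sits inside an `{{- if ... }}` guard, so a user who sets the value to empty or null to opt out still gets the key emitted, and every rendered PDB now carries a field that an API server without support for `spec.unhealthyPodEvictionPolicy` (it was feature-gated before going beta, around v1.27 as far as I recall) will either reject under Helm's schema validation or silently drop. Wrap it like its neighbours and quote the templated scalar: `{{- if .Values.podDisruptionBudget.unhealthyPodEvictionPolicy }}` / `unhealthyPodEvictionPolicy: {{ .Values.podDisruptionBudget.unhealthyPodEvictionPolicy | quote }}` / `{{- end }}`. The API server only accepts `AlwaysAllow` or `IfHealthyBudget`, and nothing in the template checks the value, so a `fail` on anything else would surface a typo at `helm template` time instead of at apply time. The `spec:` block and the `podDisruptionBudget.enabled` guard that presumably encloses this template start outside the hunk.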
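Review bot: The new `unhealthyPodEvictionPolicy: IfHealthyBudget` default in values.yaml is the only line in the stanza without an explanatory comment, and it is the setting that decides whether a degraded gateway can block a node drain: with `IfHealthyBudget` pods that are not Ready are only evicted while the budget stays satisfied, so a crash-looping or never-ready rollout can pin nodes indefinitely, whereas `AlwaysAllow` lets unhealthy pods be evicted regardless of the budget. I would add above the line: `# Eviction policy for pods that are not Ready: IfHealthyBudget (evict only while the budget stays satisfied) or AlwaysAllow (always permit their eviction, avoiding stuck drains during a broken rollout).` and `# Requires an API server that supports spec.unhealthyPodEvictionPolicy on PodDisruptionBudget.` The default chosen appears to match what the API server applies when the field is absent, which is worth stating in the comment so operators know the rendered change is cosmetic for them, while users on clusters without the field now get it emitted whenever `podDisruptionBudget.enabled` is true.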