[bitnami/chart] Add NLB load balancer support, run envoy container as root (#2961)
* Support nlb load balancer type, default envoy container security context to run as root
@@ -1,7 +1,7 @@
|
||||
apiVersion: v1
|
||||
name: contour
|
||||
description: Contour Ingress controller for Kubernetes
|
||||
version: 1.0.4
|
||||
version: 1.1.0
|
||||
appVersion: 1.6.1
|
||||
keywords:
|
||||
- ingress
|
||||
|
||||
@@ -95,10 +95,14 @@ The following tables lists the configurable parameters of the contour chart and
|
||||
| `envoy.image.pullSecrets` | Specify docker-registry secret names as an array | `[]` (does not add image pull secrets to deployed pods) |
|
||||
| `envoy.resources.limits` | Specify resource limits which the container is not allowed to succeed. | `{}` (does not add resource limits to deployed pods) |
|
||||
| `envoy.resources.requests` | Specify resource requests which the container needs to spawn. | `{}` (does not add resource limits to deployed pods) |
|
||||
| `envoy.nodeSelector` | Node labels for envoy pod assignment | `{}` |
|
||||
| `envoy.tolerations` | Tolerations for envoy pod assignment | `[]` |
|
||||
| `envoy.affinity` | Affinity for envoy pod assignment | `{}` |
|
||||
| `envoy.podAnnotations` | Envoy Pod annotations | `{}` |
|
||||
| `envoy.nodeSelector` | Node labels for envoy pod assignment | `{}` |
|
||||
| `envoy.tolerations` | Tolerations for envoy pod assignment | `[]` |
|
||||
| `envoy.affinity` | Affinity for envoy pod assignment | `{}` |
|
||||
| `envoy.podAnnotations` | Envoy Pod annotations | `{}` |
|
||||
| `envoy.podSecurityContext` | Envoy Pod securityContext | `{}` |
|
||||
| `envoy.containerSecurityContext` | Envoy Container securityContext | `{}` |
|
||||
| `envoy.dnsPolicy` | Envoy Pod Dns Policy | `ClusterFirst` |
|
||||
| `envoy.hostNetwork` | Envoy Pod host network access | `false` |
|
||||
| `envoy.readynessProbe.enabled` | Enable/disable the Readyness probe | `true` |
|
||||
| `envoy.readynessProbe.initialDelaySeconds` | Delay before readyness probe is initiated | `10` |
|
||||
| `envoy.readynessProbe.periodSeconds` | How often to perform the probe | `3` |
|
||||
@@ -194,3 +198,16 @@ configInline:
|
||||
# - "user_agent"
|
||||
# - "x_forwarded_for"
|
||||
```
|
||||
|
||||
### Deploying Contour with an AWS NLB
|
||||
|
||||
By default, Contour is launched with a AWS Classic ELB. To launch contour backed by a NLB, please set [these settings](https://github.com/projectcontour/contour/tree/master/examples/contour#deploying-with-host-networking-enabled-for-envoy):
|
||||
|
||||
```yaml
|
||||
envoy:
|
||||
hostNetwork: true
|
||||
dnsPolicy: ClusterFirstWithHostNet
|
||||
service:
|
||||
annotations:
|
||||
service.beta.kubernetes.io/aws-load-balancer-type: nlb
|
||||
```
|
||||
|
||||
@@ -32,6 +32,16 @@ spec:
|
||||
tolerations: {{- include "contour.tplValue" (dict "value" .Values.envoy.tolerations "context" $) | nindent 8 }}
|
||||
{{- end }}
|
||||
terminationGracePeriodSeconds: {{ .Values.envoy.terminationGracePeriodSeconds }}
|
||||
hostNetwork: {{ .Values.envoy.hostNetwork }}
|
||||
dnsPolicy: {{ .Values.envoy.dnsPolicy }}
|
||||
{{- if .Values.envoy.podSecurityContext.enabled }}
|
||||
securityContext:
|
||||
fsGroup: {{ .Values.envoy.podSecurityContext.fsGroup }}
|
||||
{{- if .Values.envoy.podSecurityContext.sysctls }}
|
||||
sysctls:
|
||||
{{- toYaml .Values.envoy.podSecurityContext.sysctls | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
containers:
|
||||
- command:
|
||||
- contour
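Review bot: `fsGroup: {{ .Values.envoy.podSecurityContext.fsGroup }}` is rendered whenever `podSecurityContext.enabled` is true, yet neither values file in this commit defines `fsGroup`, so flipping the toggle without adding that key leaves an empty `fsGroup:` (a null) in the manifest — accepted by the API server, but it reads as a mistake and hides the fact that the pod context is then effectively empty. Guard it the way `sysctls` already is, `{{- if .Values.envoy.podSecurityContext.fsGroup }}` around the line, or render the map minus the toggle (`omit .Values.envoy.podSecurityContext "enabled" | toYaml`) so that other pod-level fields such as `runAsNonRoot` can be set from values too. Indentation is not recoverable from this page, so match the sibling keys when applying. The pod spec continues outside the hunk.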
|
||||
@@ -69,6 +79,10 @@ spec:
|
||||
image: {{ include "envoy.image" . }}
|
||||
imagePullPolicy: {{ .Values.envoy.image.pullPolicy }}
|
||||
name: envoy
|
||||
{{- if .Values.envoy.containerSecurityContext.enabled }}
|
||||
securityContext:
|
||||
runAsUser: {{ .Values.envoy.containerSecurityContext.runAsUser }}
|
||||
{{- end }}
|
||||
env:
|
||||
- name: CONTOUR_NAMESPACE
|
||||
valueFrom:
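Review bot: The container `securityContext` added here renders only `runAsUser`, so a values override cannot tighten the root default with `allowPrivilegeEscalation: false`, `readOnlyRootFilesystem: true` or a capabilities list (dropping `ALL` and adding `NET_BIND_SERVICE` is the usual non-root way to bind 80/443, which the values comment gives as the reason for root). Rendering the whole map minus the toggle keeps the interface compatible: `securityContext: {{- omit .Values.envoy.containerSecurityContext "enabled" | toYaml | nindent 12 }}` (the column is not recoverable from this page; align with the sibling `image`/`name` keys). Since the README's NLB recipe also sets `hostNetwork: true`, the shipped default is a root process in the host network namespace, which deserves at least a comment on the `runAsUser` line. The container list continues outside the hunk.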
|
||||
@@ -92,6 +106,7 @@ spec:
|
||||
- containerPort: 8002
|
||||
name: metrics
|
||||
protocol: TCP
|
||||
|
||||
{{- if .Values.envoy.readinessProbe.enabled }}
|
||||
readinessProbe:
|
||||
httpGet:
|
||||
|
||||
@@ -28,13 +28,16 @@ metadata:
|
||||
{{- include "contour.tplValue" (dict "value" .Values.envoy.service.labels "context" $) | nindent 4 }}
|
||||
{{- end }}
|
||||
annotations:
|
||||
{{- if (ne (get .Values.envoy.service.annotations "service.beta.kubernetes.io/aws-load-balancer-type") "nlb") }}
|
||||
# This annotation puts the AWS ELB into "TCP" mode so that it does not
|
||||
# do HTTP negotiation for HTTPS connections at the ELB edge.
|
||||
# The downside of this is the remote IP address of all connections will
|
||||
# appear to be the internal address of the ELB. See docs/proxy-proto.md
|
||||
# for information about enabling the PROXY protocol on the ELB to recover
|
||||
# the original remote IP address.
|
||||
# We don't set this for nlb, per the contour docs.
|
||||
service.beta.kubernetes.io/aws-load-balancer-backend-protocol: tcp
|
||||
{{- end }}
|
||||
{{- if .Values.envoy.service.annotations }}
|
||||
{{- include "contour.tplValue" (dict "value" .Values.envoy.service.annotations "context" $) | nindent 4 }}
|
||||
{{- end }}
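Review bot: The new `ne (get ...) "nlb"` guard still lets a user-supplied `service.beta.kubernetes.io/aws-load-balancer-backend-protocol` annotation collide with the hard-coded `tcp` one, because `.Values.envoy.service.annotations` is rendered below it under the same `annotations:` key; a classic-ELB user who sets that key to something else gets a duplicate mapping key that the YAML decoder either rejects or silently resolves last-wins. Extend the condition to `{{- if and (ne (get .Values.envoy.service.annotations "service.beta.kubernetes.io/aws-load-balancer-type") "nlb") (not (hasKey .Values.envoy.service.annotations "service.beta.kubernetes.io/aws-load-balancer-backend-protocol")) }}`. The comparison is also case-sensitive, so an `NLB` value is not recognised; piping the looked-up value through `lower` would cover that if leniency is wanted. `get` and `hasKey` are Sprig functions — confirm the chart's minimum Helm version bundles a Sprig release that provides `get`.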
|
||||
|
||||
@@ -257,6 +257,29 @@ envoy:
|
||||
##
|
||||
podAnnotations: {}
|
||||
|
||||
## Pod security context
|
||||
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
|
||||
##
|
||||
podSecurityContext:
|
||||
enabled: false
|
||||
|
||||
## Envoy container security context - envoy needs to run as root to bind to 80, 443
|
||||
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
|
||||
##
|
||||
containerSecurityContext:
|
||||
enabled: true
|
||||
runAsUser: 0
|
||||
|
||||
## Pod host network access
|
||||
## ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces
|
||||
##
|
||||
hostNetwork: false
|
||||
|
||||
## Pod's DNS Policy
|
||||
## ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy
|
||||
##
|
||||
dnsPolicy: ClusterFirst
|
||||
|
||||
serviceAccount:
|
||||
# Specifies whether a ServiceAccount should be created
|
||||
create: true
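Review bot: `podSecurityContext` is documented here with only `enabled: false`, while the deployment template reads `.fsGroup` and `.sysctls` from the same map, so an operator who flips the toggle has no hint which keys take effect; add commented placeholders under it, e.g. `# fsGroup: 1001` and `# sysctls: []` (example values), and mirror them in the second values file hunk (`@@ -252,6 +252,29 @@`), which repeats this block verbatim. The `containerSecurityContext` comment states why root is needed but not the consequence: combined with the README's NLB recipe (`hostNetwork: true`) envoy runs as root inside the host network namespace, and it would help to say so next to `runAsUser: 0` and note that the toggle can be set to `false` when the listener ports are not privileged. The `hostNetwork` comment could likewise say that its value is rendered as a bare boolean, so only `true`/`false` are valid.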
|
||||
@@ -292,6 +315,10 @@ envoy:
|
||||
type: LoadBalancer
|
||||
externalTrafficPolicy: Local
|
||||
|
||||
## Service annotations
|
||||
##
|
||||
annotations: {}
|
||||
|
||||
ports:
|
||||
## HTTP Port
|
||||
##
|
||||
|
||||
@@ -252,6 +252,29 @@ envoy:
|
||||
##
|
||||
podAnnotations: {}
|
||||
|
||||
## Pod security context
|
||||
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
|
||||
##
|
||||
podSecurityContext:
|
||||
enabled: false
|
||||
|
||||
## Envoy container security context - envoy needs to run as root to bind to 80, 443
|
||||
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
|
||||
##
|
||||
containerSecurityContext:
|
||||
enabled: true
|
||||
runAsUser: 0
|
||||
|
||||
## Pod host network access
|
||||
## ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces
|
||||
##
|
||||
hostNetwork: false
|
||||
|
||||
## Pod's DNS Policy
|
||||
## ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy
|
||||
##
|
||||
dnsPolicy: ClusterFirst
|
||||
|
||||
serviceAccount:
|
||||
# Specifies whether a ServiceAccount should be created
|
||||
create: true
|
||||
@@ -287,6 +310,10 @@ envoy:
|
||||
type: LoadBalancer
|
||||
externalTrafficPolicy: Local
|
||||
|
||||
## Service annotations
|
||||
##
|
||||
annotations: {}
|
||||
|
||||
ports:
|
||||
## HTTP Port
|
||||
##
|
||||
|
||||