mirror of https://github.com/bitnami/charts.git synced 2026-03-18 23:37:14 +08:00

Files

Marco Kilchhofer 91fa2c0054 [bitnami/contour] Sync upstream changes and chart standardization (#3381 )

* Sync back most significant upstream projectcontour changes

The most important change is the refactoring of the shutdown sidecar:
7cd9f4a685

Signed-off-by: Marco Kilchhofer <marco@kilchhofer.info>

* Delete removed CRD ingressroutes.contour.heptio.com

> As a reminder, support for IngressRoute was officially dropped in v1.6.
> If you haven’t already migrated to HTTPProxy, see the IngressRoute to
> HTTPProxy migration guide for instructions on how to do so. Once you have
> migrated, delete the IngressRoute and related CRDs.
Ref: https://projectcontour.io/resources/upgrading/

Signed-off-by: Marco Kilchhofer <marco@kilchhofer.info>

* Sync HTTPProxy CRD

Signed-off-by: Marco Kilchhofer <marco@kilchhofer.info>

* Sync TLSCertificateDelegation CRD

* Drop old TLSCertificateDelegation CRD on API group contour.heptio.com

API group contour.heptio.com is no longer supported since 1.6.x

* Bump minor chart version as the change is no longer a patch

Signed-off-by: Marco Kilchhofer <marco@kilchhofer.info>

* Attempt to fix contour tests by upgrading to latest github actions

* Override envoy service type to ClusterIP to make tests happy

I found a hint in PR #2721 that it should be possible to override values
used in GH actions.

* Revert "Attempt to fix contour tests by upgrading to latest github actions"

This was requested during the review process by dani8art.
This reverts commit 253a8ecd60.

* Add bitnami/common as a dependency

Signed-off-by: Marco Kilchhofer <marco@kilchhofer.info>

* Also use bitnami/common subchart for image

* Implement extraVolumes and extraVolumeMounts on contour and envoy

Signed-off-by: Marco Kilchhofer <marco@kilchhofer.info>

* Implement extraEnvVars on contour and envoy

Signed-off-by: Marco Kilchhofer <marco@kilchhofer.info>

* Implement extraEnvVarsConfigMap and extraEnvVarsSecret

* Implement initContainers for contour and envoy

* Implement service.extraPorts on contour and envoy

* Implement rolling tags helpers

* Sync rbac with upstream

As George Goh (@georgegoh) mentioned in issue projectcontour/contour#2050
the leaderelection role is not needed anymore:
> 1. I remove the `contour-leaderelection` role as it's no longer needed
> in `templates/rbac.yaml`.
> 2. General matching of the rbac.yaml to the rbacs defined in this project.

Signed-off-by: Marco Kilchhofer <marco@kilchhofer.info>

* Update README.md

* Fix default values for image repositories
* Add quotes (`)
* Fix whitespaces in table

* Also use bitnami/common subchart for pullSecrets

The subchart bitnami/common now supports this (version 0.6.2 and newer).
See PR #3566

* Use same tpl functions for job

Inside the Deployment we can use templating with 'tpl'. Since we use the
same structure (affinity, nodeSelector and tolerations) for the
Deployment and the Job, we should also use the same template functions.

* Fix: affinity defined twice

* Use more specific keyword antiAffinity -> antiAffinityPolicy

* Bump chart major: 2.0.0

* Variant2: Implement certgen by using hooks (#2)

* Implement certgen via hooks
* Delete resources with helm hooks only if needed
* Revert "Delete resources with helm hooks only if needed"

This reverts commit 76449252d06b7bda0f16c490316478c3fb1004f1.

As documented inside the helm docs, we should remove unneeded resources:
~~~
The resources that a hook creates are currently not tracked or managed as part
of the release. Once Helm verifies that the hook has reached its ready state,
it will leave the hook resource alone. Garbage collection of hook resources
when the corresponding release is deleted may be added to Helm 3 in the future,
so any hook resources that must never be deleted should be annotated with
`helm.sh/resource-policy: keep`.

Practically speaking, this means that if you create resources in a hook, you
cannot rely upon helm uninstall to remove the resources. To destroy such
resources, you need to either add a custom `helm.sh/hook-delete-policy`
annotation to the hook template file, or set the time to live (TTL) field of
a Job resource.
~~~

* Replace colons with dashes (standardize even more)

This was requested during review by @dani8art

* Clearify README regarding CRDs and helm v3

* Add small upgrading notes to README

* Fix helm2 incompatibility due to PR #2961

Helm2 uses Sprig v2 and therefore the funtion "get" is not available
there. Since we need to guarantee helm v2 support, we need to workaround
this.

* Use consistent component labels on certgen resources

* Use bitnami/common for apiVersion of kind Deployment

* Rename parameter `contour.createCustomResource` to `contour.installCRDs`

* Do not allocate an IP address on metrics services

Services for ServiceMonitor do not need to allocate an IP address. We therefore do not
waste IPs from the services CIDR pool for this.

* Split into subfolders

2020-09-09 15:29:10 +02:00

[bitnami/contour] Sync upstream changes and chart standardization (#3381 )

2020-09-09 15:29:10 +02:00

crds

[bitnami/contour] Sync upstream changes and chart standardization (#3381 )

2020-09-09 15:29:10 +02:00

templates

[bitnami/contour] Sync upstream changes and chart standardization (#3381 )

2020-09-09 15:29:10 +02:00

.helmignore

[bitnami/contour] Adding the Contour Helm Chart. (#2069 )

2020-06-19 21:50:35 +02:00

Chart.yaml

[bitnami/contour] Sync upstream changes and chart standardization (#3381 )

2020-09-09 15:29:10 +02:00

README.md

[bitnami/contour] Sync upstream changes and chart standardization (#3381 )

2020-09-09 15:29:10 +02:00

requirements.yaml

[bitnami/contour] Sync upstream changes and chart standardization (#3381 )

2020-09-09 15:29:10 +02:00

values-production.yaml

[bitnami/contour] Sync upstream changes and chart standardization (#3381 )

2020-09-09 15:29:10 +02:00

values.yaml

[bitnami/contour] Sync upstream changes and chart standardization (#3381 )

2020-09-09 15:29:10 +02:00

README.md

contour

TL;DR

$ helm repo add bitnami https://charts.bitnami.com/bitnami
$ helm install my-release bitnami/contour

Introduction

Bitnami charts for Helm are carefully engineered, actively maintained and are the quickest and easiest way to deploy containers on a Kubernetes cluster that are ready to handle production workloads.

This chart bootstraps a Contour Ingress Controller Deployment and a Envoy Proxy Daemonset on a Kubernetes cluster using the Helm package manager.

Bitnami charts can be used with Kubeapps for deployment and management of Helm Charts in clusters. This Helm chart has been tested on top of Bitnami Kubernetes Production Runtime (BKPR). Deploy BKPR to get automated TLS certificates, logging and monitoring for your applications.

Prerequisites

Kubernetes 1.12+
Helm 2.11+ or Helm 3.0-beta3+
An Operator for ServiceType: LoadBalancer like MetalLB

Installing the Chart

To install the chart with the release name my-release:

$ helm repo add bitnami https://charts.bitnami.com/bitnami
$ helm install my-release bitnami/contour

These commands deploy contour on the Kubernetes cluster in the default configuration. The Parameters section lists the parameters that can be configured during installation.

Tip

: List all releases using helm list or helm ls --all-namespaces

Uninstalling the Chart

To uninstall/delete the my-release helm release:

$ helm uninstall my-release

The command removes all the Kubernetes components associated with the chart and deletes the release, except the CustomResourceDefinitions (CRD for short).
⚠️ To also remove the CRDs, please remember that all instances of the CRDs are removed too.
If you are okay with that, you can remove the CRDs like this:

$ kubectl delete crd httpproxies.projectcontour.io tlscertificatedelegations.projectcontour.io

Parameters

The following tables lists the configurable parameters of the contour chart and their default values.

Parameter	Description	Default
`global.imageRegistry`	Global Docker image registry	`nil`
`global.imagePullSecrets`	Global Docker registry secret names as an array	`[]` (does not add image pull secrets to deployed pods)
`rbac.create`	create the RBAC roles for API accessibility	`true`
`contour.enabled`	Contour Deployment creation.	`true`
`contour.image.registry`	Contour image registry	`docker.io`
`contour.image.repository`	Contour image name	`bitnami/contour`
`contour.image.tag`	Contour image tag	`{TAG_NAME}`
`contour.pullPolicy`	Contour image pull policy	`IfNotPresent`
`contour.image.pullSecrets`	Specify docker-registry secret names as an array	`[]` (does not add image pull secrets to deployed pods)
`contour.resources.limits`	Specify resource limits which the container is not allowed to succeed.	`{}` (does not add resource limits to deployed pods)
`contour.resources.requests`	Specify resource requests which the container needs to spawn.	`{}` (does not add resource limits to deployed pods)
`contour.installCRDs`	Install CustomResourceDefinitions via helm hooks (only helm v2, use `--skip-crds` on Helm 3)	`true`
`contour.customResourceDeletePolicy`	Deletion hook of CustomResourceDefinitions via helm hooks (only helm v2)	`nil`
`contour.nodeSelector`	Node labels for contour pod assignment	`{}`
`contour.tolerations`	Tolerations for contour pod assignment	`[]`
`contour.antiAffinityPolicy`	Contour anti-affinity policy (`soft`, `hard` or `""`)	`soft`
`contour.affinity`	Affinity for contour pod assignment	`{}`
`contour.podAnnotations`	Contour Pod annotations	`{}`
`contour.serviceAccount.create`	create a serviceAccount for the contour pod	`true`
`contour.serviceAccount.name`	use the serviceAccount with the specified name	`""`
`contour.livenessProbe.enabled`	Enable/disable the Liveness probe	`true`
`contour.livenessProbe.initialDelaySeconds`	Delay before liveness probe is initiated	`120`
`contour.livenessProbe.periodSeconds`	How often to perform the probe	`20`
`contour.livenessProbe.timeoutSeconds`	When the probe times out	`5`
`contour.livenessProbe.successThreshold`	Minimum consecutive successes for the probe to be considered successful after having failed.	`6`
`contour.livenessProbe.failureThreshold`	Minimum consecutive failures for the probe to be considered failed after having succeeded.	`1`
`contour.readynessProbe.enabled`	Enable/disable the Readyness probe	`true`
`contour.readynessProbe.initialDelaySeconds`	Delay before readyness probe is initiated	`15`
`contour.readynessProbe.periodSeconds`	How often to perform the probe	`10`
`contour.readynessProbe.timeoutSeconds`	When the probe times out	`5`
`contour.readynessProbe.successThreshold`	Minimum consecutive successes for the probe to be considered successful after having failed.	`3`
`contour.readynessProbe.failureThreshold`	Minimum consecutive failures for the probe to be considered failed after having succeeded.	`1`
`contour.certgen.serviceAccount.create`	create a serviceAccount for the contour pod	`true`
`contour.certgen.serviceAccount.name`	use the serviceAccount with the specified name	`""`
`contour.securityContext.enabled`	If the pod should run in a securityContext.	`true`
`contour.securityContext.runAsNonRoot`	If the pod should run as a non root container.	`true`
`contour.securityContext.runAsUser`	define the uid with which the pod will run	`65534`
`contour.securityContext.runAsGroup`	define the gid with which the pod will run	`65534`
`contour.service.extraPorts`	Service extra ports, normally used with the `sidecar` value. Evaluated as a template	`[]`
`contour.initContainers`	Attach additional init containers to contour pods (evaluated as a template)	`[]`
`contour.extraVolumes`	Array to add extra volumes	`[]`
`contour.extraVolumeMounts`	Array to add extra mounts (normally used with extraVolumes)	`[]`
`contour.extraEnvVars`	Array containing extra env vars to be added to all contour containers (evaluated as a template)	`[]`
`contour.extraEnvVarsConfigMap`	ConfigMap containing extra env vars to be added to all contour containers (evaluated as a template)	`""`
`contour.extraEnvVarsSecret`	Secret containing extra env vars to be added to all contour containers (evaluated as a template)	`""`
`envoy.enabled`	Envoy Proxy Daemonset creation.	`true`
`envoy.image.registry`	Envoy Proxy image registry	`docker.io`
`envoy.image.repository`	Envoy Proxy image name	`bitnami/envoy`
`envoy.image.tag`	Envoy Proxy image tag	`{TAG_NAME}`
`envoy.pullPolicy`	Envoy Proxy image pull policy	`IfNotPresent`
`envoy.image.pullSecrets`	Specify docker-registry secret names as an array	`[]` (does not add image pull secrets to deployed pods)
`envoy.resources.limits`	Specify resource limits which the container is not allowed to succeed.	`{}` (does not add resource limits to deployed pods)
`envoy.resources.requests`	Specify resource requests which the container needs to spawn.	`{}` (does not add resource limits to deployed pods)
`envoy.nodeSelector`	Node labels for envoy pod assignment	`{}`
`envoy.tolerations`	Tolerations for envoy pod assignment	`[]`
`envoy.affinity`	Affinity for envoy pod assignment	`{}`
`envoy.podAnnotations`	Envoy Pod annotations	`{}`
`envoy.podSecurityContext`	Envoy Pod securityContext	`{}`
`envoy.containerSecurityContext`	Envoy Container securityContext	`{}`
`envoy.dnsPolicy`	Envoy Pod Dns Policy	`ClusterFirst`
`envoy.hostNetwork`	Envoy Pod host network access	`false`
`envoy.readynessProbe.enabled`	Enable/disable the Readyness probe	`true`
`envoy.readynessProbe.initialDelaySeconds`	Delay before readyness probe is initiated	`10`
`envoy.readynessProbe.periodSeconds`	How often to perform the probe	`3`
`envoy.readynessProbe.timeoutSeconds`	When the probe times out	`1`
`envoy.readynessProbe.successThreshold`	Minimum consecutive successes for the probe to be considered successful after having failed.	`3`
`envoy.readynessProbe.failureThreshold`	Minimum consecutive failures for the probe to be considered failed after having succeeded.	`1`
`envoy.service.type`	Type of envoy service to create	`LoadBalancer`
`envoy.service.externalTrafficPolicy`	If `envoy.service.type` is NodePort or LoadBalancer, set this to Local to enable source IP preservation	`Local`
`envoy.service.clusterIP`	Internal envoy cluster service IP	`""`
`envoy.service.externalIPs`	Envoy service external IP addresses.	`[]`
`envoy.service.extraPorts`	Service extra ports, normally used with the `sidecar` value. Evaluated as a template	`[]`
`envoy.service.loadBalancerIP`	IP address to assign to load balancer (if supported)	`""`
`envoy.service.loadBalancerSourceRanges`	List of IP CIDRs allowed access to load balancer (if supported)	`[]`
`envoy.service.annotations`	Annotations for envoy service	`{}`
`envoy.service.ports.http`	Sets service http port	`80`
`envoy.service.ports.https`	Sets service https port	`443`
`envoy.service.nodePorts.http`	If `envoy.service.type` is NodePort and this is non-empty, it sets the nodePort that maps to envoys http port	`""`
`envoy.service.nodePorts.https`	If `envoy.service.type` is NodePort and this is non-empty, it sets the nodePort that maps to envoys https port	`""`
`envoy.initContainers`	Attach additional init containers to envoy pods (evaluated as a template)	`[]`
`envoy.extraVolumes`	Array to add extra volumes	`[]`
`envoy.extraVolumeMounts`	Array to add extra mounts (normally used with extraVolumes)	`[]`
`envoy.extraEnvVars`	Array containing extra env vars to be added to all envoy containers (evaluated as a template)	`[]`
`envoy.extraEnvVarsConfigMap`	ConfigMap containing extra env vars to be added to all envoy containers (evaluated as a template)	`""`
`envoy.extraEnvVarsSecret`	Secret containing extra env vars to be added to all envoy containers (evaluated as a template)	`""`
`existingConfigMap`	Specify an existing configMapName to use. (this mutually exclusive with existingConfigMap)	`nil`
`configInline`	Specify the config for contour as a new configMap inline.	`{Quickstart Config}` (evaluated as a template)
`ingressClass`	Name of the ingress class to route through this controller (defaults to `contour` if `nil`)	`nil`
`nameOverride`	String to partially override contour.fullname template with a string (will prepend the release name)	`nil`
`fullnameOverride`	String to fully override contour.fullname template with a string	`nil`
`prometheus.serviceMonitor.enabled`	Specify if a servicemonitor will be deployed for prometheus-operator.	`true`
`prometheus.serviceMonitor.jobLabel`	Specify the jobLabel to use for the prometheus-operator	`contour`
`prometheus.serviceMonitor.interval`	Specify the scrape interval if not specified use defaul prometheus scrapeIntervall	`""`
`prometheus.serviceMonitor.metricRelabelings`	Specify additional relabeling of metrics.	`[]`
`prometheus.serviceMonitor.relabelings`	Specify general relabeling.	`[]`

Specify each parameter using the --set key=value[,key=value] argument to helm install. For example,

$ helm install my-release \
  --set envoy.readynessProbe.successThreshold=5 \
    bitnami/contour

The above command sets the envoy.readynessProbe.successThreshold to 5.

Configuration and installation details

Rolling VS Immutable tags

It is strongly recommended to use immutable tags in a production environment. This ensures your deployment does not change automatically if the same tag is updated with a different image.

Bitnami will release a new chart updating its containers if a new version of the main container, significant changes, or critical vulnerabilities exist.

To configure Contour please look into the configuration section Contour Configuration.

Example Quickstart Contour Confiuration

configInline:
  # should contour expect to be running inside a k8s cluster
  # incluster: true
  #
  # path to kubeconfig (if not running inside a k8s cluster)
  # kubeconfig: /path/to/.kube/config
  #
  # Client request timeout to be passed to Envoy
  # as the connection manager request_timeout.
  # Defaults to 0, which Envoy interprets as disabled.
  # Note that this is the timeout for the whole request,
  # not an idle timeout.
  # request-timeout: 0s
  # disable ingressroute permitInsecure field
  disablePermitInsecure: false
  tls:
  #   minimum TLS version that Contour will negotiate
  #   minimum-protocol-version: "1.1"
  # Defines the Kubernetes name/namespace matching a secret to use
  # as the fallback certificate when requests which don't match the
  # SNI defined for a vhost.
    fallback-certificate:
  #   name: fallback-secret-name
  #   namespace: projectcontour
  # The following config shows the defaults for the leader election.
  # leaderelection:
  #   configmap-name: leader-elect
  #   configmap-namespace: projectcontour
  ### Logging options
  # Default setting
  accesslog-format: envoy
  # To enable JSON logging in Envoy
  # accesslog-format: json
  # The default fields that will be logged are specified below.
  # To customise this list, just add or remove entries.
  # The canonical list is available at
  # https://godoc.org/github.com/projectcontour/contour/internal/envoy#JSONFields
  # json-fields:
  #   - "@timestamp"
  #   - "authority"
  #   - "bytes_received"
  #   - "bytes_sent"
  #   - "downstream_local_address"
  #   - "downstream_remote_address"
  #   - "duration"
  #   - "method"
  #   - "path"
  #   - "protocol"
  #   - "request_id"
  #   - "requested_server_name"
  #   - "response_code"
  #   - "response_flags"
  #   - "uber_trace_id"
  #   - "upstream_cluster"
  #   - "upstream_host"
  #   - "upstream_local_address"
  #   - "upstream_service_time"
  #   - "user_agent"
  #   - "x_forwarded_for"
  #
  # default-http-versions:
  # - "HTTP/2"
  # - "HTTP/1.1"
  #
  # The following shows the default proxy timeout settings.
  # timeouts:
  #   request-timeout: infinity
  #   connection-idle-timeout: 60s
  #   stream-idle-timeout: 5m
  #   max-connection-duration: infinity
  #   connection-shutdown-grace-period: 5s

Deploying Contour with an AWS NLB

By default, Contour is launched with a AWS Classic ELB. To launch contour backed by a NLB, please set these settings:

envoy:
  hostNetwork: true
  dnsPolicy: ClusterFirstWithHostNet
  service:
    annotations:
      service.beta.kubernetes.io/aws-load-balancer-type: nlb

Upgrading

Please carefully read through the guide "Upgrading Contour" at https://projectcontour.io/resources/upgrading/.

To 2.0.0

Most important changes are:

Using helm hooks to generate new TLS certificates for gRPC calls between Contour and Envoy. This enables us to use the same container image for the contour controller and the certgen job without upgrade issues due to JobSpec immutablility.
Rename parameter contour.createCustomResource to contour.installCRDs
Sync CRDs with upstream project examples. Please remember that helm does not touch existing CRDs. As of today, the most reliable way to update the CRDs is, to do it outside helm (Use --skip-crds when using helm v3 and --set contour.installCRDs=false when using helm v2). Read Upgrading Contour and execute the following kubectl command before helm upgrade:

$ kubectl apply -f https://raw.githubusercontent.com/projectcontour/contour/release-{{version}}/examples/contour/01-crds.yaml

This version also introduces bitnami/common, a library chart as a dependency. More documentation about this new utility could be found here. Please, make sure that you have updated the chart dependencies before executing any upgrade.