From 6185d6ba509bbf017fbf1807558d38effea00ec4 Mon Sep 17 00:00:00 2001 From: nold Date: Tue, 17 May 2022 20:40:00 +0200 Subject: [PATCH] add(apisix): non-ingress --- projects/core/project.yml | 9 +- projects/core/values/apisix-ingress.yaml | 98 +++++ projects/core/values/apisix.yaml | 451 ++++++++++++++++++----- 3 files changed, 473 insertions(+), 85 deletions(-) create mode 100644 projects/core/values/apisix-ingress.yaml diff --git a/projects/core/project.yml b/projects/core/project.yml index aa2a33b8..b423b483 100644 --- a/projects/core/project.yml +++ b/projects/core/project.yml @@ -55,13 +55,20 @@ apps: targetRevision: 10.19.5 syncWave: '0' -- name: apisix +- name: apisix-ingress namespace: ingress-apisix repoURL: https://charts.apiseven.com chart: apisix-ingress-controller targetRevision: 0.9.2 syncWave: '0' +- name: apisix + namespace: ingress-apisix + repoURL: https://charts.apiseven.com + chart: apisix + targetRevision: 0.9.2 + syncWave: '0' + - name: cilium existingNamespace: kube-system repoURL: https://helm.cilium.io diff --git a/projects/core/values/apisix-ingress.yaml b/projects/core/values/apisix-ingress.yaml new file mode 100644 index 00000000..9df5252e --- /dev/null +++ b/projects/core/values/apisix-ingress.yaml @@ -0,0 +1,98 @@ +image: + repository: apache/apisix-ingress-controller + pullPolicy: IfNotPresent + tag: "1.4.1" + +service: + annotations: + metallb.universe.tf/address-pool: internal + port: 80 + +config: + logLevel: "info" + logOutput: "stderr" + # the TLS certificate file path. + certFile: "/etc/webhook/certs/cert.pem" + # the TLS key file path. + keyFile: "/etc/webhook/certs/key.pem" + # the HTTP Server listen address, default is ":8080" + httpListen: ":8080" + # the HTTPS Server listen address, default is ":8443" + httpsListen: ":8443" + # the controller will use the Endpoint of this Service to + # update the status information of the Ingress resource. + # The format is "namespace/svc-name" to solve the situation that + # the data plane and the controller are not deployed in the same namespace. + ingressPublishService: "" + ingressStatusAddress: [] + # enable profiling via web interfaces host:port/debug/pprof, default is true. + enableProfiling: true + # Kubernetes related configurations. + kubernetes: + # the Kubernetes configuration file path, default is "", so the in-cluster + # configuration will be used. + kubeconfig: "" + # how long should apisix-ingress-controller re-synchronizes with Kubernetes, + # default is 6h, + resyncInterval: "6h" + # namespace list that controller will watch for resources, + # by default all namespaces (represented by "*") are watched. + appNamespaces: ["*"] + # namespace_selector represent basis for selecting managed namespaces. + # the field is support since version 1.4.0 + # For example, "apisix.ingress=watching", so ingress will watching the namespaces which labels "apisix.ingress=watching" + namespaceSelector: [""] + # the election id for the controller leader campaign, + # only the leader will watch and delivery resource changes, + # other instances (as candidates) stand by. + electionId: "ingress-apisix-leader" + # The class of an Ingress object is set using the field IngressClassName in + # Kubernetes clusters version v1.18.0 or higher or the annotation + # "kubernetes.io/ingress.class" (deprecated). + ingressClass: "apisix" + # the supported ingress api group version, can be "networking/v1beta1", + # "networking/v1" (for Kubernetes version v1.19.0 or higher), and + # "extensions/v1beta1", default is "networking/v1". + ingressVersion: "networking/v1" + # whether to watch EndpointSlices rather than Endpoints. + watchEndpointSlices: false + # the supported apisixroute api group version, can be "apisix.apache.org/v2beta1" + # "apisix.apache.org/v2beta2" or "apisix.apache.org/v2beta3" + apisixRouteVersion: "apisix.apache.org/v2beta3" + # whether to enable support for Gateway API. + # Note: This feature is currently under development and may not work as expected. + # It is not recommended to use it in a production environment. + # Before we announce support for it to reach Beta level or GA. + enableGatewayAPI: false + # APISIX related configurations. + apisix: + serviceName: apisix-admin + serviceNamespace: ingress-apisix + servicePort: 9180 + adminKey: "edd1c9f034335f136f87ad84b625c8f1" + clusterName: "default" + +initContainer: + image: busybox + tag: 1.28 + +serviceMonitor: + enabled: true + namespace: "grafana" + interval: 15s + # @param serviceMonitor.labels ServiceMonitor extra labels + labels: {} + # @param serviceMonitor.annotations ServiceMonitor annotations + annotations: {} + + +podSecurityContext: + fsGroup: 2000 + +securityContext: + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 1000 diff --git a/projects/core/values/apisix.yaml b/projects/core/values/apisix.yaml index 9df5252e..bf309939 100644 --- a/projects/core/values/apisix.yaml +++ b/projects/core/values/apisix.yaml @@ -1,98 +1,381 @@ -image: - repository: apache/apisix-ingress-controller - pullPolicy: IfNotPresent - tag: "1.4.1" +apisix: + # Enable or disable Apache APISIX itself + # Set it to false and ingress-controller.enabled=true will deploy only ingress-controller + enabled: true -service: + # Enable nginx IPv6 resolver + enableIPv6: true + + # Use Pod metadata.uid as the APISIX id. + setIDFromPodUID: false + + customLuaSharedDicts: [] + # - name: foo + # size: 10k + # - name: bar + # size: 1m + luaModuleHook: + enabled: false + # extend lua_package_path to load third party code + luaPath: "" + # the hook module which will be used to inject third party code into APISIX + # use the lua require style like: "module.say_hello" + hookPoint: "" + # configmap that stores the codes + configMapRef: + name: "" + # mounts decides how to mount the codes to the container. + mounts: + - key: "" + path: "" + + enableCustomizedConfig: false + customizedConfig: {} + + image: + repository: apache/apisix + pullPolicy: IfNotPresent + # Overrides the image tag whose default is the chart appVersion. + tag: 2.13.1-alpine + + # Use a `DaemonSet` or `Deployment` + kind: Deployment + # kind is DaemonSet,replicaCount not become effective + replicaCount: 1 + + podAnnotations: {} + podSecurityContext: {} + # fsGroup: 2000 + securityContext: {} + # capabilities: + # drop: + # - ALL + # readOnlyRootFilesystem: true + # runAsNonRoot: true + # runAsUser: 1000 + + # See https://kubernetes.io/docs/tasks/run-application/configure-pdb/ for more details + podDisruptionBudget: + enabled: false + minAvailable: 90% + maxUnavailable: 1 + + resources: {} + # We usually recommend not to specify default resources and to leave this as a conscious + # choice for the user. This also increases chances charts run on environments with little + # resources, such as Minikube. If you do want to specify resources, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'resources:'. + # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi + + nodeSelector: {} + tolerations: [] + affinity: {} + # If true, it will sets the anti-affinity of the Pod. + podAntiAffinity: + enabled: false + + # timezone is the timezone where apisix uses. + # For example: "UTC" or "Asia/Shanghai" + # This value will be set on apisix container's environment variable TZ. + # You may need to set the timezone to be consistent with your local time zone, + # otherwise the apisix's logs may used to retrieve event maybe in wrong timezone. + timezone: "" + + # extraEnvVars An array to add extra env vars + # e.g: + # extraEnvVars: + # - name: FOO + # value: "bar" + # - name: FOO2 + # valueFrom: + # secretKeyRef: + # name: SECRET_NAME + # key: KEY + extraEnvVars: [] + +nameOverride: "" +fullnameOverride: "" + + +gateway: + #type: NodePort + # If you want to keep the client source IP, you can set this to Local. + # ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip + externalTrafficPolicy: Cluster + type: LoadBalancer annotations: metallb.universe.tf/address-pool: internal - port: 80 + # service.beta.kubernetes.io/aws-load-balancer-type: nlb + externalIPs: + - 192.168.1.14 + http: + enabled: true + servicePort: 80 + containerPort: 9080 + tls: + enabled: false + servicePort: 443 + containerPort: 9443 + existingCASecret: "" + certCAFilename: "" + http2: + enabled: true + stream: # L4 proxy (TCP/UDP) + enabled: false + only: false + tcp: [] + udp: [] + ingress: + enabled: false + annotations: {} + # kubernetes.io/ingress.class: nginx + # kubernetes.io/tls-acme: "true" + hosts: + - host: apisix.local + paths: [] + tls: [] + # - secretName: apisix-tls + # hosts: + # - chart-example.local -config: - logLevel: "info" - logOutput: "stderr" - # the TLS certificate file path. - certFile: "/etc/webhook/certs/cert.pem" - # the TLS key file path. - keyFile: "/etc/webhook/certs/key.pem" - # the HTTP Server listen address, default is ":8080" - httpListen: ":8080" - # the HTTPS Server listen address, default is ":8443" - httpsListen: ":8443" - # the controller will use the Endpoint of this Service to - # update the status information of the Ingress resource. - # The format is "namespace/svc-name" to solve the situation that - # the data plane and the controller are not deployed in the same namespace. - ingressPublishService: "" - ingressStatusAddress: [] - # enable profiling via web interfaces host:port/debug/pprof, default is true. - enableProfiling: true - # Kubernetes related configurations. - kubernetes: - # the Kubernetes configuration file path, default is "", so the in-cluster - # configuration will be used. - kubeconfig: "" - # how long should apisix-ingress-controller re-synchronizes with Kubernetes, - # default is 6h, - resyncInterval: "6h" - # namespace list that controller will watch for resources, - # by default all namespaces (represented by "*") are watched. - appNamespaces: ["*"] - # namespace_selector represent basis for selecting managed namespaces. - # the field is support since version 1.4.0 - # For example, "apisix.ingress=watching", so ingress will watching the namespaces which labels "apisix.ingress=watching" - namespaceSelector: [""] - # the election id for the controller leader campaign, - # only the leader will watch and delivery resource changes, - # other instances (as candidates) stand by. - electionId: "ingress-apisix-leader" - # The class of an Ingress object is set using the field IngressClassName in - # Kubernetes clusters version v1.18.0 or higher or the annotation - # "kubernetes.io/ingress.class" (deprecated). - ingressClass: "apisix" - # the supported ingress api group version, can be "networking/v1beta1", - # "networking/v1" (for Kubernetes version v1.19.0 or higher), and - # "extensions/v1beta1", default is "networking/v1". - ingressVersion: "networking/v1" - # whether to watch EndpointSlices rather than Endpoints. - watchEndpointSlices: false - # the supported apisixroute api group version, can be "apisix.apache.org/v2beta1" - # "apisix.apache.org/v2beta2" or "apisix.apache.org/v2beta3" - apisixRouteVersion: "apisix.apache.org/v2beta3" - # whether to enable support for Gateway API. - # Note: This feature is currently under development and may not work as expected. - # It is not recommended to use it in a production environment. - # Before we announce support for it to reach Beta level or GA. - enableGatewayAPI: false - # APISIX related configurations. - apisix: - serviceName: apisix-admin - serviceNamespace: ingress-apisix - servicePort: 9180 - adminKey: "edd1c9f034335f136f87ad84b625c8f1" - clusterName: "default" -initContainer: - image: busybox - tag: 1.28 - -serviceMonitor: +admin: + # Enable Admin API enabled: true - namespace: "grafana" + # admin service type + type: ClusterIP + # loadBalancerIP: a.b.c.d + # loadBalancerSourceRanges: + # - "143.231.0.0/16" + externalIPs: [] + # + port: 9180 + servicePort: 9180 + # Admin API support CORS response headers + cors: true + # Admin API credentials + credentials: + admin: edd1c9f034335f136f87ad84b625c8f1 + viewer: 4054f7cf07e344346cd3f287985e76a2 + + allow: + # The ip range for allowing access to Apache APISIX + ipList: + - 127.0.0.1/24 + + +# APISIX plugins to be enabled +plugins: + - api-breaker + - authz-keycloak + - basic-auth + - batch-requests + - consumer-restriction + - cors + - echo + - fault-injection + - grpc-transcode + - hmac-auth + - http-logger + - ip-restriction + - ua-restriction + - jwt-auth + - kafka-logger + - key-auth + - limit-conn + - limit-count + - limit-req + - node-status + - openid-connect + - authz-casbin + - prometheus + - proxy-cache + - proxy-mirror + - proxy-rewrite + - redirect + - referer-restriction + - request-id + - request-validation + - response-rewrite + - serverless-post-function + - serverless-pre-function + - sls-logger + - syslog + - tcp-logger + - udp-logger + - uri-blocker + - wolf-rbac + - zipkin + - traffic-split + - gzip + - real-ip + - ext-plugin-pre-req + - ext-plugin-post-req +stream_plugins: + - mqtt-proxy + - ip-restriction + - limit-conn + +pluginAttrs: {} + +extPlugin: + enabled: false + cmd: ["/path/to/apisix-plugin-runner/runner", "run"] + +# customPlugins allows you to mount your own HTTP plugins. +customPlugins: + enabled: false + # the lua_path that tells APISIX where it can find plugins, + # note the last ';' is required. + luaPath: "/opts/custom_plugins/?.lua" + plugins: + # plugin name. + - name: "" + # plugin attrs + attrs: | + # plugin codes can be saved inside configmap object. + configMap: + # name of configmap. + name: "" + # since keys in configmap is flat, mountPath allows to define the mount + # path, so that plugin codes can be mounted hierarchically. + mounts: + - key: "" + path: "" + - key: "" + path: "" + +updateStrategy: {} + # type: RollingUpdate + +extraVolumes: [] +# - name: extras +# emptyDir: {} + +extraVolumeMounts: [] +# - name: extras +# mountPath: /usr/share/extras +# readOnly: true + +discovery: + enabled: false + registry: + # Integration service discovery registry. E.g eureka\dns\nacos\consul_kv + # reference: + # https://apisix.apache.org/docs/apisix/discovery#configuration-for-eureka + # https://apisix.apache.org/docs/apisix/discovery/dns#service-discovery-via-dns + # https://apisix.apache.org/docs/apisix/discovery/consul_kv#configuration-for-consul-kv + # https://apisix.apache.org/docs/apisix/discovery/nacos#configuration-for-nacos + # + # an eureka example: + # eureka: + # host: + # - "http://${username}:${password}@${eureka_host1}:${eureka_port1}" + # - "http://${username}:${password}@${eureka_host2}:${eureka_port2}" + # prefix: "/eureka/" + # fetch_interval: 30 + # weight: 100 + # timeout: + # connect: 2000 + # send: 2000 + # read: 5000 + +# access log and error log configuration +logs: + enableAccessLog: true + accessLog: "/dev/stdout" + accessLogFormat: '$remote_addr - $remote_user [$time_local] $http_host \"$request\" $status $body_bytes_sent $request_time \"$http_referer\" \"$http_user_agent\" $upstream_addr $upstream_status $upstream_response_time \"$upstream_scheme://$upstream_host$upstream_uri\"' + accessLogFormatEscape: default + errorLog: "/dev/stderr" + errorLogLevel: "warn" + +dns: + resolvers: + - 192.168.1.53 + - 192.168.1.1 + validity: 30 + timeout: 5 + + +autoscaling: + enabled: false + minReplicas: 1 + maxReplicas: 100 + targetCPUUtilizationPercentage: 80 + targetMemoryUtilizationPercentage: 80 + +# Custom configuration snippet. +configurationSnippet: + main: | + + httpStart: | + + httpEnd: | + + httpSrv: | + + httpAdmin: | + + stream: | + +# Observability configuration. +# ref: https://apisix.apache.org/docs/apisix/plugins/prometheus/ +serviceMonitor: + enabled: false + # namespace where the serviceMonitor is deployed, by default, it is the same as the namespace of the apisix + namespace: "" + # name of the serviceMonitor, by default, it is the same as the apisix fullname + name: "" + # interval at which metrics should be scraped interval: 15s + # path of the metrics endpoint + path: /apisix/prometheus/metrics + # prefix of the metrics + metricPrefix: apisix_ + # container port where the metrics are exposed + containerPort: 9091 # @param serviceMonitor.labels ServiceMonitor extra labels labels: {} # @param serviceMonitor.annotations ServiceMonitor annotations annotations: {} +# etcd configuration +# use the FQDN address or the IP of the etcd +etcd: + # install etcd(v3) by default, set false if do not want to install etcd(v3) together + enabled: true + host: + - http://etcd.host:2379 # host or ip e.g. http://172.20.128.89:2379 + prefix: "/apisix" + timeout: 30 -podSecurityContext: - fsGroup: 2000 + # if etcd.enabled is true, set more values of bitnami/etcd helm chart + auth: + rbac: + # No authentication by default + create: false + user: "" + password: "" + tls: + enabled: false + existingSecret: "" + certFilename: "" + certKeyFilename: "" + verify: true + sni: "" -securityContext: - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - runAsNonRoot: true - runAsUser: 1000 + service: + port: 2379 + + replicaCount: 1 + +dashboard: + enabled: true + +ingress-controller: + enabled: true