add(apisix): non-ingress

nold 2022-05-17 20:40:00 +02:00
parent 482cedb64b
commit 6185d6ba50
3 changed files with 473 additions and 85 deletions


@ -55,13 +55,20 @@ apps:
targetRevision: 10.19.5 targetRevision: 10.19.5
syncWave: '0' syncWave: '0'
- name: apisix - name: apisix-ingress
namespace: ingress-apisix namespace: ingress-apisix
repoURL: https://charts.apiseven.com repoURL: https://charts.apiseven.com
chart: apisix-ingress-controller chart: apisix-ingress-controller
targetRevision: 0.9.2 targetRevision: 0.9.2
syncWave: '0' syncWave: '0'
- name: apisix
namespace: ingress-apisix
repoURL: https://charts.apiseven.com
chart: apisix
targetRevision: 0.9.2
syncWave: '0'
- name: cilium - name: cilium
existingNamespace: kube-system existingNamespace: kube-system
repoURL: https://helm.cilium.io repoURL: https://helm.cilium.io
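Review bot: The new `apisix` entry and the renamed `apisix-ingress` entry both deploy into `ingress-apisix`, and the apisix values added in this commit end with `ingress-controller:` / `enabled: true`, so it appears two ingress controllers would run side by side. Both would reconcile the `apisix` ingress class against the same Admin API with the same key, which makes it hard to tell which instance wrote a given route. Keep one of them: either drop the `apisix-ingress` app or set `enabled: false` under `ingress-controller:` in the apisix values. Both apps also sit in `syncWave: '0'`, so the standalone controller may start before `apisix-admin` exists; a later wave for `apisix-ingress` would order them.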


@ -0,0 +1,98 @@
image:
repository: apache/apisix-ingress-controller
pullPolicy: IfNotPresent
tag: "1.4.1"
service:
annotations:
metallb.universe.tf/address-pool: internal
port: 80
config:
logLevel: "info"
logOutput: "stderr"
# the TLS certificate file path.
certFile: "/etc/webhook/certs/cert.pem"
# the TLS key file path.
keyFile: "/etc/webhook/certs/key.pem"
# the HTTP Server listen address, default is ":8080"
httpListen: ":8080"
# the HTTPS Server listen address, default is ":8443"
httpsListen: ":8443"
# the controller will use the Endpoint of this Service to
# update the status information of the Ingress resource.
# The format is "namespace/svc-name" to solve the situation that
# the data plane and the controller are not deployed in the same namespace.
ingressPublishService: ""
ingressStatusAddress: []
# enable profiling via web interfaces host:port/debug/pprof, default is true.
enableProfiling: true
# Kubernetes related configurations.
kubernetes:
# the Kubernetes configuration file path, default is "", so the in-cluster
# configuration will be used.
kubeconfig: ""
# how long should apisix-ingress-controller re-synchronizes with Kubernetes,
# default is 6h,
resyncInterval: "6h"
# namespace list that controller will watch for resources,
# by default all namespaces (represented by "*") are watched.
appNamespaces: ["*"]
# namespace_selector represent basis for selecting managed namespaces.
# the field is support since version 1.4.0
# For example, "apisix.ingress=watching", so ingress will watching the namespaces which labels "apisix.ingress=watching"
namespaceSelector: [""]
# the election id for the controller leader campaign,
# only the leader will watch and delivery resource changes,
# other instances (as candidates) stand by.
electionId: "ingress-apisix-leader"
# The class of an Ingress object is set using the field IngressClassName in
# Kubernetes clusters version v1.18.0 or higher or the annotation
# "kubernetes.io/ingress.class" (deprecated).
ingressClass: "apisix"
# the supported ingress api group version, can be "networking/v1beta1",
# "networking/v1" (for Kubernetes version v1.19.0 or higher), and
# "extensions/v1beta1", default is "networking/v1".
ingressVersion: "networking/v1"
# whether to watch EndpointSlices rather than Endpoints.
watchEndpointSlices: false
# the supported apisixroute api group version, can be "apisix.apache.org/v2beta1"
# "apisix.apache.org/v2beta2" or "apisix.apache.org/v2beta3"
apisixRouteVersion: "apisix.apache.org/v2beta3"
# whether to enable support for Gateway API.
# Note: This feature is currently under development and may not work as expected.
# It is not recommended to use it in a production environment.
# Before we announce support for it to reach Beta level or GA.
enableGatewayAPI: false
# APISIX related configurations.
apisix:
serviceName: apisix-admin
serviceNamespace: ingress-apisix
servicePort: 9180
adminKey: "edd1c9f034335f136f87ad84b625c8f1"
clusterName: "default"
initContainer:
image: busybox
tag: 1.28
serviceMonitor:
enabled: true
namespace: "grafana"
interval: 15s
# @param serviceMonitor.labels ServiceMonitor extra labels
labels: {}
# @param serviceMonitor.annotations ServiceMonitor annotations
annotations: {}
podSecurityContext:
fsGroup: 2000
securityContext:
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 1000
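Review bot: `adminKey: "edd1c9f034335f136f87ad84b625c8f1"` under `apisix:` commits the Admin API key to the repository in clear text, and the value is the default that upstream APISIX publishes, so it protects nothing that can reach `apisix-admin` on port 9180. The same value is repeated as `credentials.admin` in the apisix values file of this commit, next to a `viewer` key that is also the upstream default. Generate per-cluster keys, supply them at deploy time from a secret rather than from git (for example `adminKey: "<per-cluster key, injected at deploy time>"`), and rotate the current ones, since they are now in history. Separately, `enableProfiling: true` leaves `/debug/pprof` reachable on the controller's HTTP listener; set `enableProfiling: false` unless it is actively used.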


@ -1,98 +1,381 @@
image: apisix:
repository: apache/apisix-ingress-controller # Enable or disable Apache APISIX itself
pullPolicy: IfNotPresent # Set it to false and ingress-controller.enabled=true will deploy only ingress-controller
tag: "1.4.1" enabled: true
service: # Enable nginx IPv6 resolver
enableIPv6: true
# Use Pod metadata.uid as the APISIX id.
setIDFromPodUID: false
customLuaSharedDicts: []
# - name: foo
# size: 10k
# - name: bar
# size: 1m
luaModuleHook:
enabled: false
# extend lua_package_path to load third party code
luaPath: ""
# the hook module which will be used to inject third party code into APISIX
# use the lua require style like: "module.say_hello"
hookPoint: ""
# configmap that stores the codes
configMapRef:
name: ""
# mounts decides how to mount the codes to the container.
mounts:
- key: ""
path: ""
enableCustomizedConfig: false
customizedConfig: {}
image:
repository: apache/apisix
pullPolicy: IfNotPresent
# Overrides the image tag whose default is the chart appVersion.
tag: 2.13.1-alpine
# Use a `DaemonSet` or `Deployment`
kind: Deployment
# kind is DaemonSet,replicaCount not become effective
replicaCount: 1
podAnnotations: {}
podSecurityContext: {}
# fsGroup: 2000
securityContext: {}
# capabilities:
# drop:
# - ALL
# readOnlyRootFilesystem: true
# runAsNonRoot: true
# runAsUser: 1000
# See https://kubernetes.io/docs/tasks/run-application/configure-pdb/ for more details
podDisruptionBudget:
enabled: false
minAvailable: 90%
maxUnavailable: 1
resources: {}
# We usually recommend not to specify default resources and to leave this as a conscious
# choice for the user. This also increases chances charts run on environments with little
# resources, such as Minikube. If you do want to specify resources, uncomment the following
# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
# limits:
# cpu: 100m
# memory: 128Mi
# requests:
# cpu: 100m
# memory: 128Mi
nodeSelector: {}
tolerations: []
affinity: {}
# If true, it will sets the anti-affinity of the Pod.
podAntiAffinity:
enabled: false
# timezone is the timezone where apisix uses.
# For example: "UTC" or "Asia/Shanghai"
# This value will be set on apisix container's environment variable TZ.
# You may need to set the timezone to be consistent with your local time zone,
# otherwise the apisix's logs may used to retrieve event maybe in wrong timezone.
timezone: ""
# extraEnvVars An array to add extra env vars
# e.g:
# extraEnvVars:
# - name: FOO
# value: "bar"
# - name: FOO2
# valueFrom:
# secretKeyRef:
# name: SECRET_NAME
# key: KEY
extraEnvVars: []
nameOverride: ""
fullnameOverride: ""
gateway:
#type: NodePort
# If you want to keep the client source IP, you can set this to Local.
# ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip
externalTrafficPolicy: Cluster
type: LoadBalancer
annotations: annotations:
metallb.universe.tf/address-pool: internal metallb.universe.tf/address-pool: internal
port: 80 # service.beta.kubernetes.io/aws-load-balancer-type: nlb
externalIPs:
- 192.168.1.14
http:
enabled: true
servicePort: 80
containerPort: 9080
tls:
enabled: false
servicePort: 443
containerPort: 9443
existingCASecret: ""
certCAFilename: ""
http2:
enabled: true
stream: # L4 proxy (TCP/UDP)
enabled: false
only: false
tcp: []
udp: []
ingress:
enabled: false
annotations: {}
# kubernetes.io/ingress.class: nginx
# kubernetes.io/tls-acme: "true"
hosts:
- host: apisix.local
paths: []
tls: []
# - secretName: apisix-tls
# hosts:
# - chart-example.local
config:
logLevel: "info"
logOutput: "stderr"
# the TLS certificate file path.
certFile: "/etc/webhook/certs/cert.pem"
# the TLS key file path.
keyFile: "/etc/webhook/certs/key.pem"
# the HTTP Server listen address, default is ":8080"
httpListen: ":8080"
# the HTTPS Server listen address, default is ":8443"
httpsListen: ":8443"
# the controller will use the Endpoint of this Service to
# update the status information of the Ingress resource.
# The format is "namespace/svc-name" to solve the situation that
# the data plane and the controller are not deployed in the same namespace.
ingressPublishService: ""
ingressStatusAddress: []
# enable profiling via web interfaces host:port/debug/pprof, default is true.
enableProfiling: true
# Kubernetes related configurations.
kubernetes:
# the Kubernetes configuration file path, default is "", so the in-cluster
# configuration will be used.
kubeconfig: ""
# how long should apisix-ingress-controller re-synchronizes with Kubernetes,
# default is 6h,
resyncInterval: "6h"
# namespace list that controller will watch for resources,
# by default all namespaces (represented by "*") are watched.
appNamespaces: ["*"]
# namespace_selector represent basis for selecting managed namespaces.
# the field is support since version 1.4.0
# For example, "apisix.ingress=watching", so ingress will watching the namespaces which labels "apisix.ingress=watching"
namespaceSelector: [""]
# the election id for the controller leader campaign,
# only the leader will watch and delivery resource changes,
# other instances (as candidates) stand by.
electionId: "ingress-apisix-leader"
# The class of an Ingress object is set using the field IngressClassName in
# Kubernetes clusters version v1.18.0 or higher or the annotation
# "kubernetes.io/ingress.class" (deprecated).
ingressClass: "apisix"
# the supported ingress api group version, can be "networking/v1beta1",
# "networking/v1" (for Kubernetes version v1.19.0 or higher), and
# "extensions/v1beta1", default is "networking/v1".
ingressVersion: "networking/v1"
# whether to watch EndpointSlices rather than Endpoints.
watchEndpointSlices: false
# the supported apisixroute api group version, can be "apisix.apache.org/v2beta1"
# "apisix.apache.org/v2beta2" or "apisix.apache.org/v2beta3"
apisixRouteVersion: "apisix.apache.org/v2beta3"
# whether to enable support for Gateway API.
# Note: This feature is currently under development and may not work as expected.
# It is not recommended to use it in a production environment.
# Before we announce support for it to reach Beta level or GA.
enableGatewayAPI: false
# APISIX related configurations.
apisix:
serviceName: apisix-admin
serviceNamespace: ingress-apisix
servicePort: 9180
adminKey: "edd1c9f034335f136f87ad84b625c8f1"
clusterName: "default"
initContainer: admin:
image: busybox # Enable Admin API
tag: 1.28
serviceMonitor:
enabled: true enabled: true
namespace: "grafana" # admin service type
type: ClusterIP
# loadBalancerIP: a.b.c.d
# loadBalancerSourceRanges:
# - "143.231.0.0/16"
externalIPs: []
#
port: 9180
servicePort: 9180
# Admin API support CORS response headers
cors: true
# Admin API credentials
credentials:
admin: edd1c9f034335f136f87ad84b625c8f1
viewer: 4054f7cf07e344346cd3f287985e76a2
allow:
# The ip range for allowing access to Apache APISIX
ipList:
- 127.0.0.1/24
# APISIX plugins to be enabled
plugins:
- api-breaker
- authz-keycloak
- basic-auth
- batch-requests
- consumer-restriction
- cors
- echo
- fault-injection
- grpc-transcode
- hmac-auth
- http-logger
- ip-restriction
- ua-restriction
- jwt-auth
- kafka-logger
- key-auth
- limit-conn
- limit-count
- limit-req
- node-status
- openid-connect
- authz-casbin
- prometheus
- proxy-cache
- proxy-mirror
- proxy-rewrite
- redirect
- referer-restriction
- request-id
- request-validation
- response-rewrite
- serverless-post-function
- serverless-pre-function
- sls-logger
- syslog
- tcp-logger
- udp-logger
- uri-blocker
- wolf-rbac
- zipkin
- traffic-split
- gzip
- real-ip
- ext-plugin-pre-req
- ext-plugin-post-req
stream_plugins:
- mqtt-proxy
- ip-restriction
- limit-conn
pluginAttrs: {}
extPlugin:
enabled: false
cmd: ["/path/to/apisix-plugin-runner/runner", "run"]
# customPlugins allows you to mount your own HTTP plugins.
customPlugins:
enabled: false
# the lua_path that tells APISIX where it can find plugins,
# note the last ';' is required.
luaPath: "/opts/custom_plugins/?.lua"
plugins:
# plugin name.
- name: ""
# plugin attrs
attrs: |
# plugin codes can be saved inside configmap object.
configMap:
# name of configmap.
name: ""
# since keys in configmap is flat, mountPath allows to define the mount
# path, so that plugin codes can be mounted hierarchically.
mounts:
- key: ""
path: ""
- key: ""
path: ""
updateStrategy: {}
# type: RollingUpdate
extraVolumes: []
# - name: extras
# emptyDir: {}
extraVolumeMounts: []
# - name: extras
# mountPath: /usr/share/extras
# readOnly: true
discovery:
enabled: false
registry:
# Integration service discovery registry. E.g eureka\dns\nacos\consul_kv
# reference:
# https://apisix.apache.org/docs/apisix/discovery#configuration-for-eureka
# https://apisix.apache.org/docs/apisix/discovery/dns#service-discovery-via-dns
# https://apisix.apache.org/docs/apisix/discovery/consul_kv#configuration-for-consul-kv
# https://apisix.apache.org/docs/apisix/discovery/nacos#configuration-for-nacos
#
# an eureka example:
# eureka:
# host:
# - "http://${username}:${password}@${eureka_host1}:${eureka_port1}"
# - "http://${username}:${password}@${eureka_host2}:${eureka_port2}"
# prefix: "/eureka/"
# fetch_interval: 30
# weight: 100
# timeout:
# connect: 2000
# send: 2000
# read: 5000
# access log and error log configuration
logs:
enableAccessLog: true
accessLog: "/dev/stdout"
accessLogFormat: '$remote_addr - $remote_user [$time_local] $http_host \"$request\" $status $body_bytes_sent $request_time \"$http_referer\" \"$http_user_agent\" $upstream_addr $upstream_status $upstream_response_time \"$upstream_scheme://$upstream_host$upstream_uri\"'
accessLogFormatEscape: default
errorLog: "/dev/stderr"
errorLogLevel: "warn"
dns:
resolvers:
- 192.168.1.53
- 192.168.1.1
validity: 30
timeout: 5
autoscaling:
enabled: false
minReplicas: 1
maxReplicas: 100
targetCPUUtilizationPercentage: 80
targetMemoryUtilizationPercentage: 80
# Custom configuration snippet.
configurationSnippet:
main: |
httpStart: |
httpEnd: |
httpSrv: |
httpAdmin: |
stream: |
# Observability configuration.
# ref: https://apisix.apache.org/docs/apisix/plugins/prometheus/
serviceMonitor:
enabled: false
# namespace where the serviceMonitor is deployed, by default, it is the same as the namespace of the apisix
namespace: ""
# name of the serviceMonitor, by default, it is the same as the apisix fullname
name: ""
# interval at which metrics should be scraped
interval: 15s interval: 15s
# path of the metrics endpoint
path: /apisix/prometheus/metrics
# prefix of the metrics
metricPrefix: apisix_
# container port where the metrics are exposed
containerPort: 9091
# @param serviceMonitor.labels ServiceMonitor extra labels # @param serviceMonitor.labels ServiceMonitor extra labels
labels: {} labels: {}
# @param serviceMonitor.annotations ServiceMonitor annotations # @param serviceMonitor.annotations ServiceMonitor annotations
annotations: {} annotations: {}
# etcd configuration
# use the FQDN address or the IP of the etcd
etcd:
# install etcd(v3) by default, set false if do not want to install etcd(v3) together
enabled: true
host:
- http://etcd.host:2379 # host or ip e.g. http://172.20.128.89:2379
prefix: "/apisix"
timeout: 30
podSecurityContext: # if etcd.enabled is true, set more values of bitnami/etcd helm chart
fsGroup: 2000 auth:
rbac:
# No authentication by default
create: false
user: ""
password: ""
tls:
enabled: false
existingSecret: ""
certFilename: ""
certKeyFilename: ""
verify: true
sni: ""
securityContext: service:
capabilities: port: 2379
drop:
- ALL replicaCount: 1
readOnlyRootFilesystem: true
runAsNonRoot: true dashboard:
runAsUser: 1000 enabled: true
ingress-controller:
enabled: true