diff --git a/projects/core/project.yml b/projects/core/project.yml index e5394290..ab7e86b5 100644 --- a/projects/core/project.yml +++ b/projects/core/project.yml @@ -55,6 +55,13 @@ apps: targetRevision: 10.19.5 syncWave: '0' +- name: apisix + existingNamespace: ingress-internal + repoURL: https://charts.apiseven.com + chart: apisix-ingress-controller + targetRevision: 0.9.2 + syncWave: '0' + - name: cilium existingNamespace: kube-system repoURL: https://helm.cilium.io diff --git a/projects/core/values/apisix.yaml b/projects/core/values/apisix.yaml new file mode 100644 index 00000000..96c170b0 --- /dev/null +++ b/projects/core/values/apisix.yaml 
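Review bot: The new `apisix` entry installs the controller into `existingNamespace: ingress-internal`, but the values file added in this same commit points it at `serviceName: apisix-admin` in `serviceNamespace: ingress-apisix`, and nothing here says the split is intended. If it is deliberate, a comment above the entry would record it, for example `# controller only; reaches the APISIX admin API in ingress-apisix (see values/apisix.yaml)`. Cross-namespace access to an admin port is also the kind of path that should be narrowed by a network policy to this controller alone; whether one exists cannot be seen from this hunk. The `apps:` list starts and continues outside the hunk.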
@@ -0,0 +1,98 @@
+image:
+ repository: apache/apisix-ingress-controller
+ pullPolicy: IfNotPresent
+ tag: "1.4.1"
+
+service:
+ annotations:
+ metallb.universe.tf/address-pool: internal
+ port: 80
+
+config:
+ logLevel: "info"
+ logOutput: "stderr"
+ # the TLS certificate file path.
+ certFile: "/etc/webhook/certs/cert.pem"
+ # the TLS key file path.
+ keyFile: "/etc/webhook/certs/key.pem"
+ # the HTTP Server listen address, default is ":8080"
+ httpListen: ":8080"
+ # the HTTPS Server listen address, default is ":8443"
+ httpsListen: ":8443"
+ # the controller will use the Endpoint of this Service to
+ # update the status information of the Ingress resource.
+ # The format is "namespace/svc-name" to solve the situation that
+ # the data plane and the controller are not deployed in the same namespace.
+ ingressPublishService: ""
+ ingressStatusAddress: []
+ # enable profiling via web interfaces host:port/debug/pprof, default is true.
+ enableProfiling: true
+ # Kubernetes related configurations.
+ kubernetes:
+ # the Kubernetes configuration file path, default is "", so the in-cluster
+ # configuration will be used.
+ kubeconfig: ""
+ # how long should apisix-ingress-controller re-synchronizes with Kubernetes,
+ # default is 6h,
+ resyncInterval: "6h"
+ # namespace list that controller will watch for resources,
+ # by default all namespaces (represented by "*") are watched.
+ appNamespaces: ["*"]
+ # namespace_selector represent basis for selecting managed namespaces.
+ # the field is support since version 1.4.0
+ # For example, "apisix.ingress=watching", so ingress will watching the namespaces which labels "apisix.ingress=watching"
+ namespaceSelector: [""]
+ # the election id for the controller leader campaign,
+ # only the leader will watch and delivery resource changes,
+ # other instances (as candidates) stand by.
+ electionId: "ingress-apisix-leader"
+ # The class of an Ingress object is set using the field IngressClassName in
+ # Kubernetes clusters version v1.18.0 or higher or the annotation
+ # "kubernetes.io/ingress.class" (deprecated).
+ ingressClass: "apisix"
+ # the supported ingress api group version, can be "networking/v1beta1",
+ # "networking/v1" (for Kubernetes version v1.19.0 or higher), and
+ # "extensions/v1beta1", default is "networking/v1".
+ ingressVersion: "networking/v1"
+ # whether to watch EndpointSlices rather than Endpoints.
+ watchEndpointSlices: false
+ # the supported apisixroute api group version, can be "apisix.apache.org/v2beta1"
+ # "apisix.apache.org/v2beta2" or "apisix.apache.org/v2beta3"
+ apisixRouteVersion: "apisix.apache.org/v2beta3"
+ # whether to enable support for Gateway API.
+ # Note: This feature is currently under development and may not work as expected.
+ # It is not recommended to use it in a production environment.
+ # Before we announce support for it to reach Beta level or GA.
+ enableGatewayAPI: false
+ # APISIX related configurations.
+ apisix:
+ serviceName: apisix-admin
+ serviceNamespace: ingress-apisix
+ servicePort: 9180
+ adminKey: "edd1c9f034335f136f87ad84b625c8f1"
+ clusterName: "default"
+
+initContainer:
+ image: busybox
+ tag: 1.28
+
+serviceMonitor:
+ enabled: true
+ namespace: "monitoring"
+ interval: 15s
+ # @param serviceMonitor.labels ServiceMonitor extra labels
+ labels: {}
+ # @param serviceMonitor.annotations ServiceMonitor annotations
+ annotations: {}
+
+
+podSecurityContext:
+ fsGroup: 2000
+
+securityContext:
+ capabilities:
+ drop:
+ - ALL
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ runAsUser: 1000
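Review bot: `adminKey: "edd1c9f034335f136f87ad84b625c8f1"` in the `apisix:` block commits the Admin API credential in plaintext, and the value is the well-known default key from upstream APISIX configuration. Any workload that can reach `apisix-admin` on port 9180 could therefore reconfigure the gateway. Rotate the key on the APISIX side and supply it from a Secret (sealed or externally managed) instead of this values file, leaving only a comment such as `# adminKey is injected from a Secret; do not commit the real value`. Separately, `enableProfiling: true` keeps `/debug/pprof` reachable on the controller's HTTP listener; `enableProfiling: false` is the safer setting outside an active debugging session. The unquoted `tag: 1.28` under `initContainer` should be written as `tag: "1.28"` so the parser cannot read it as a float.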