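{{- /*
charts/vela-core/templates/cluster-gateway/cluster-gateway.yaml

Multi-cluster gateway, rendered only when .Values.multicluster.enabled is set.
Emits, in order: Deployment, proxy-config ConfigMap, Service, (conditionally
adopted) APIService, and the ClusterRole/ClusterRoleBinding for the proxy path.
All `if`/`end` actions use left-trim ("{{-") so the rendered manifests carry no
stray whitespace-only lines.
*/}}
{{ if .Values.multicluster.enabled }}
apiVersion: apps/v1
kind: Deployment
metadata:
  name: {{ .Release.Name }}-cluster-gateway
  namespace: {{ .Release.Namespace }}
  labels:
    {{- include "kubevela.labels" . | nindent 4 }}
spec:
  replicas: {{ .Values.multicluster.clusterGateway.replicaCount }}
  selector:
    matchLabels:
      {{- include "kubevela-cluster-gateway.selectorLabels" . | nindent 6 }}
  template:
    metadata:
      annotations:
        prometheus.io/path: /metrics
        # The scrape port is templated from the same value that drives
        # --secure-port and containerPort below, so a customised gateway port
        # keeps metrics scraping working; a hard-coded "9443" would not follow it.
        prometheus.io/port: "{{ .Values.multicluster.clusterGateway.port }}"
        prometheus.io/scrape: "true"
        prometheus.io/scheme: "https"
      labels:
        {{- include "kubevela-cluster-gateway.selectorLabels" . | nindent 8 }}
    spec:
      {{- with .Values.imagePullSecrets }}
      imagePullSecrets:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      serviceAccountName: {{ include "kubevela.serviceAccountName" . }}
      securityContext:
        {{- toYaml .Values.podSecurityContext | nindent 8 }}
      containers:
        - name: {{ include "kubevela.fullname" . }}-cluster-gateway
          securityContext:
            {{- toYaml .Values.securityContext | nindent 12 }}
          args:
            - "apiserver"
            - "--secure-port={{ .Values.multicluster.clusterGateway.port }}"
            - "--secret-namespace={{ .Release.Namespace }}"
            # ClientIdentityPenetration is tied to .Values.authentication.enabled;
            # NOTE(review): presumably this forwards the caller's identity to the
            # managed cluster instead of the gateway's own credentials — confirm
            # against the cluster-gateway documentation before relying on it.
            - "--feature-gates=APIPriorityAndFairness=false,ClientIdentityPenetration={{ .Values.authentication.enabled }}"
            - "--cluster-gateway-proxy-config=/etc/proxy-config/config.yaml"
            {{- if .Values.multicluster.clusterGateway.secureTLS.enabled }}
            - "--tls-cert-file={{ .Values.multicluster.clusterGateway.secureTLS.certPath }}/tls.crt"
            - "--tls-private-key-file={{ .Values.multicluster.clusterGateway.secureTLS.certPath }}/tls.key"
            {{- end }}
            # These paths skip the authorization check; with anonymous auth left at
            # its default they are effectively reachable by anyone who can reach the
            # Service port, which includes /metrics.
            - "--authorization-always-allow-paths=/healthz,/readyz,/livez,/metrics"
          image: {{ .Values.imageRegistry }}{{ .Values.multicluster.clusterGateway.image.repository }}:{{ .Values.multicluster.clusterGateway.image.tag }}
          imagePullPolicy: {{ .Values.multicluster.clusterGateway.image.pullPolicy }}
          resources:
            {{- toYaml .Values.multicluster.clusterGateway.resources | nindent 12 }}
          ports:
            - containerPort: {{ .Values.multicluster.clusterGateway.port }}
          volumeMounts:
            - mountPath: /etc/proxy-config
              name: proxy-config
            {{- if .Values.multicluster.clusterGateway.secureTLS.enabled }}
            - mountPath: {{ .Values.multicluster.clusterGateway.secureTLS.certPath }}
              name: tls-cert-vol
              readOnly: true
            {{- end }}
      volumes:
        - configMap:
            defaultMode: 420  # 0644
            name: {{ .Release.Name }}-cluster-gateway-proxy-config
          name: proxy-config
        {{- if .Values.multicluster.clusterGateway.secureTLS.enabled }}
        # Serving key pair; the Secret name must match the one referenced by the
        # cert-manager.io/inject-ca-from annotation on the APIService below.
        - name: tls-cert-vol
          secret:
            defaultMode: 420  # 0644
            secretName: {{ template "kubevela.fullname" . }}-cluster-gateway-tls-v2
        {{- end }}
      {{- with .Values.nodeSelector }}
      nodeSelector:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      affinity:
      {{- if .Values.affinity }}
      {{- toYaml .Values.affinity | nindent 8 }}
      {{- else }}
        # Default: spread gateway replicas across nodes (soft preference).
        podAntiAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
            - podAffinityTerm:
                labelSelector:
                  matchLabels:
                    {{- include "kubevela-cluster-gateway.selectorLabels" . | nindent 20 }}
                topologyKey: kubernetes.io/hostname
              weight: 100
      {{- end }}
      {{- with .Values.tolerations }}
      tolerations:
        {{- toYaml . | nindent 8 }}
      {{- end }}
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 1
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: {{ .Release.Name }}-cluster-gateway-proxy-config
  namespace: {{ .Release.Namespace }}
data:
  # Consumed via --cluster-gateway-proxy-config in the Deployment above.
  # NOTE(review): the only rule routes callers in group "kubevela:ux" through a
  # PrivilegedIdentityExchanger — presumably a privileged identity on the managed
  # cluster, which makes membership of that group security-sensitive; confirm the
  # exchanger semantics against the cluster-gateway documentation.
  config.yaml: |
    apiVersion: cluster.core.oam.dev/v1alpha1
    kind: ClusterGatewayProxyConfiguration
    spec:
      clientIdentityExchanger:
        rules:
          - name: super-user
            source:
              group: kubevela:ux
            type: PrivilegedIdentityExchanger
---
apiVersion: v1
kind: Service
metadata:
  name: {{ .Release.Name }}-cluster-gateway-service
  namespace: {{ .Release.Namespace }}
spec:
  selector:
    {{- include "kubevela-cluster-gateway.selectorLabels" . | nindent 4 }}
  ports:
    - protocol: TCP
      port: {{ .Values.multicluster.clusterGateway.port }}
      targetPort: {{ .Values.multicluster.clusterGateway.port }}
---
# 1. Check whether APIService "v1alpha1.cluster.core.oam.dev" is already present in the cluster.
# 2.a If the APIService doesn't exist, create it.
# 2.b If the APIService exists without a helm-chart release annotation, skip creating it,
#     because the APIService may be managed by an external controller.
# 2.c If the APIService exists with a helm-chart release annotation, it was previously
#     managed by helm commands, so keep updating it consistently.
# NOTE(review): step 2.c only checks that "meta.helm.sh/release-name" is present, not
# that it equals .Release.Name, so an APIService owned by another release is adopted too.
# `lookup` returns nothing under "helm template" / --dry-run, which takes branch 2.a.
{{- $apiSvc := (lookup "apiregistration.k8s.io/v1" "APIService" "" "v1alpha1.cluster.core.oam.dev") }}
{{- $shouldAdopt := (not $apiSvc) }}
{{- if not $shouldAdopt }}
{{- if $apiSvc.metadata.annotations }}
{{- $shouldAdopt = (index ($apiSvc).metadata.annotations "meta.helm.sh/release-name") }}
{{- end }}
{{- end }}
{{- if $shouldAdopt }}
apiVersion: apiregistration.k8s.io/v1
kind: APIService
metadata:
  name: v1alpha1.cluster.core.oam.dev
  annotations:
    {{- if and .Values.multicluster.clusterGateway.secureTLS.enabled .Values.multicluster.clusterGateway.secureTLS.certManager.enabled }}
    # Lets cert-manager's CA injector populate spec.caBundle from the Certificate
    # that backs the "-cluster-gateway-tls-v2" Secret mounted by the Deployment.
    cert-manager.io/inject-ca-from: "{{ .Release.Namespace }}/{{ template "kubevela.fullname" . }}-cluster-gateway-tls-v2"
    {{- end }}
  labels:
    api: cluster-extension-apiserver
    apiserver: "true"
spec:
  version: v1alpha1
  group: cluster.core.oam.dev
  groupPriorityMinimum: 2000
  service:
    name: {{ .Release.Name }}-cluster-gateway-service
    namespace: {{ .Release.Namespace }}
    port: {{ .Values.multicluster.clusterGateway.port }}
  versionPriority: 10
  # With secureTLS disabled the kube-apiserver aggregation layer does not verify the
  # gateway's serving certificate, so proxied requests (and the credentials they
  # carry) are only as trustworthy as the in-cluster network path.
  insecureSkipTLSVerify: {{ not .Values.multicluster.clusterGateway.secureTLS.enabled }}
  {{- if .Values.multicluster.clusterGateway.secureTLS.enabled }}
  # Placeholder (base64 of a single newline). With certManager.enabled the injector
  # overwrites it; NOTE(review): when certManager is disabled something else must
  # supply the real CA bundle or aggregation-layer TLS verification will fail — confirm.
  caBundle: Cg==
  {{- end }}
{{- end }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: {{ include "kubevela.fullname" . }}:cluster-gateway:proxy
rules:
  # Full verb set on the proxy subresource, i.e. the path through which requests
  # are forwarded to managed clusters. Granting it is equivalent to granting
  # whatever identity the gateway presents on the managed side.
  - apiGroups: [ "cluster.core.oam.dev" ]
    resources: [ "clustergateways/proxy" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete" ]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: {{ include "kubevela.fullname" . }}:cluster-gateway:proxy
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: {{ include "kubevela.fullname" . }}:cluster-gateway:proxy
subjects:
  # Every member of the "kubevela:client" group, plus the chart's service account,
  # receives the proxy role above; review group membership accordingly.
  - kind: Group
    name: kubevela:client
    apiGroup: rbac.authorization.k8s.io
  - kind: ServiceAccount
    name: {{ include "kubevela.serviceAccountName" . }}
    namespace: {{ .Release.Namespace }}
{{- end }}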