This repository has been archived by the owner on Nov 8, 2024. It is now read-only.

Commit

Permalink
Browse files Browse the repository at this point in the history
  • Loading branch information
jbe99 committed Feb 10, 2021
2 parents 1ade28f + 410f412 commit 5218092
Showing 10 changed files with 137 additions and 100 deletions.
7 changes: 4 additions & 3 deletions .github/ct.yaml
@@ -1,8 +1,9 @@
helm-extra-args: --timeout 300s
check-version-increment: false
charts: charts/microgateway
debug: true
namespace: validation-namespace
release-label: release
chart-repos:
namespace: default
release-label: app.kubernetes.io/instance
chart-repos:
- bitnami=https://charts.bitnami.com/bitnami
- ealenn=https://ealenn.github.io/charts
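Review bot: `namespace: default` and the `release-label` change only work because the Create Secrets step in ci.yaml now creates `dockersecret` and `microgatewaysecrets` without `--namespace`, i.e. in the kubeconfig's default namespace; add a comment above `namespace:` saying it must match where the workflow creates those secrets, otherwise the next person to reintroduce a dedicated validation namespace will get image-pull and missing-secret failures. `debug: true` stays on, which prints the full helm invocations into the CI log; harmless for lint/install, but keep an eye on what ends up in `helm-extra-args`.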
67 changes: 27 additions & 40 deletions .github/workflows/ci.yaml
Expand Up @@ -4,24 +4,15 @@ on:
pull_request:
paths:
- 'charts/**'
- '.github/workflows/ci.yaml'
workflow_dispatch:

jobs:
lint-chart:
generate-docs:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v1
- name: Run chart-testing (lint)
uses: helm/chart-testing-action@master
with:
command: lint
config: .github/ct.yaml
lint-docs:
runs-on: ubuntu-latest
needs: lint-chart
steps:
- name: Checkout
uses: actions/checkout@v1
uses: actions/checkout@v2
- name: Install helm-docs
run: .github/helm-docs-install.sh
env:
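Review bot: removing the standalone `lint-chart` job (and the `needs: lint-chart` on the docs job) means `ct lint` now only runs inside `install-chart`, after a kind cluster has been created for each matrix entry, so a simple lint error is reported late and once per Kubernetes version; a cheap lint-only job as the first `needs` of the others keeps fast feedback. Adding `.github/workflows/ci.yaml` to the `pull_request` paths and `workflow_dispatch` is good: changes to the workflow are now exercised by the workflow itself.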
Expand All @@ -39,14 +30,13 @@ jobs:
kubeval-chart:
runs-on: ubuntu-latest
needs:
- lint-chart
- lint-docs
- generate-docs
strategy:
matrix:
k8s:
- v1.16.4
- v1.17.2
- v1.18.2
- v1.18.15
- v1.19.7
- v1.20.2
steps:
- name: Checkout
uses: actions/checkout@v1
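Review bot: the kubeval matrix moves from v1.16.4/v1.17.2/v1.18.2 to v1.18.15/v1.19.7/v1.20.2, which silently drops v1.16 and v1.17 from schema validation; if the chart still claims to support them, state the supported range in the README or set `kubeVersion` in Chart.yaml. The unchanged context line here still uses `actions/checkout@v1` while the other jobs move to `@v2`; align them in the same change.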
Expand All @@ -57,39 +47,36 @@ jobs:
install-chart:
name: install-chart
runs-on: ubuntu-latest
env:
_v_namespace: validation-namespace
needs:
- lint-chart
- lint-docs
- kubeval-chart
strategy:
matrix:
k8s:
- v1.16.4
- v1.17.2
- v1.18.2
- v1.18.15
- v1.19.7
- v1.20.2
steps:
- name: Checkout
uses: actions/checkout@v1
uses: actions/checkout@v2
- name: Set up Helm
uses: azure/setup-helm@v1
with:
version: v3.4.0
- uses: actions/setup-python@v2
with:
python-version: 3.7
- name: Set up chart-testing
uses: helm/[email protected]
- name: Run chart-testing (lint)
run: ct lint --config .github/ct.yaml
- name: Create kind ${{ matrix.k8s }} cluster
uses: helm/kind-action@master
uses: helm/kind-action@v1.0.0
with:
node_image: kindest/node:${{ matrix.k8s }}
- name: Create Secrets
run: |
kubectl cluster-info
kubectl get pods -n kube-system
echo "current-context:" $(kubectl config current-context)
kubectl create namespace $_v_namespace
kubectl create secret docker-registry dockersecret --docker-username=${{ secrets.DOCKER_USER }} --docker-password=${{ secrets.DOCKER_USER_TOKEN }} --namespace $_v_namespace
echo "${{ secrets.WAF_LICENSE }}" >> tmplicense.txt
echo "${{ secrets.WAF_PASSPHRASE }}" >> tmppassphrase.txt
kubectl create secret generic microgatewaysecrets --from-file=license=tmplicense.txt --from-file=passphrase=tmppassphrase.txt --namespace $_v_namespace
kubectl describe secret dockersecret --namespace $_v_namespace
kubectl describe secret microgatewaysecrets --namespace $_v_namespace
kubectl create secret docker-registry dockersecret --docker-username=${{ secrets.DOCKER_USER }} --docker-password=${{ secrets.DOCKER_USER_TOKEN }}
kubectl create secret generic microgatewaysecrets --from-literal=license="${{ secrets.WAF_LICENSE }}" --from-literal=passphrase="${{ secrets.WAF_PASSPHRASE }}"
- name: Run chart-testing (install)
uses: helm/chart-testing-action@master
with:
command: install
config: .github/ct.yaml
run: ct install --config .github/ct.yaml
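Review bot: in the rewritten Create Secrets step the `${{ secrets.* }}` expressions are still expanded directly into the `run:` script text, now as `--from-literal=...` arguments; GitHub masks the values in the log, but a secret containing a quote or `$` breaks the shell line, and the values appear on the kubectl command line on the runner. Pass them through the step's `env:` block and reference the variables (e.g. `"$WAF_LICENSE"`) in the script instead. Dropping the temp files and the `kubectl describe secret` calls is a good cleanup, and pinning `helm/kind-action@v1.0.0` instead of `@master` is the right direction; `azure/setup-helm@v1` and `actions/setup-python@v2` are still floating major tags (a commit SHA would pin them). Note that the secrets now land in the current context's namespace rather than a dedicated `validation-namespace`, which is exactly what `namespace: default` in ct.yaml relies on.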
13 changes: 12 additions & 1 deletion .github/workflows/release.yaml
Expand Up @@ -6,6 +6,7 @@ on:
- master
paths:
- 'charts/**/Chart.yaml'
workflow_dispatch:

jobs:
release:
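Review bot: `workflow_dispatch` on the release workflow means a release can be cut manually without a `Chart.yaml` change on `master`; since the later step pushes with `TECHNICAL_USER_TOKEN` and `check-version-increment: false` in ct.yaml means nothing enforces a version bump, a one-line comment stating when manual runs are intended would help the next maintainer.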
Expand All @@ -17,7 +18,17 @@ jobs:
run: |
git config user.name "'${{ secrets.TECHNICAL_USER }}'"
git config user.email "'${{ secrets.TECHNICAL_USER }}'@users.noreply.github.com"
- name: Install Helm
uses: azure/setup-helm@v1
with:
version: v3.4.0
- name: Add Helm Repo
run: |
helm repo add bitnami https://charts.bitnami.com/bitnami
helm repo add ealenn https://ealenn.github.io/charts
- name: Run chart-releaser
uses: helm/chart-releaser-action@master
uses: helm/[email protected]
with:
config: .github/ct.yaml
env:
CR_TOKEN: '${{ secrets.TECHNICAL_USER_TOKEN }}'
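Review bot: `config: .github/ct.yaml` under the chart-releaser step points cr at the chart-testing configuration; cr reads its own config file (owner, repository, index path and so on), so the ct keys in that file are ignored and the input is misleading. Either drop it or point it at a dedicated cr config. Pinning the action to a release instead of `@master` and adding the `bitnami`/`ealenn` repos before packaging (needed for dependency resolution) are both good. The unchanged `git config` lines wrap the name in literal single quotes inside double quotes, so the committer name recorded on release commits will contain quote characters; worth fixing while here.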
3 changes: 3 additions & 0 deletions Makefile
@@ -0,0 +1,3 @@
helm-docs:
@echo --- Generating Chart READMEs
@docker run --rm -v $$(pwd):/helm-docs -u $$(id -u) jnorwood/helm-docs:v0.13.0
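Review bot: good that the helm-docs image is pinned to `v0.13.0` and run as the invoking user (`-u $$(id -u)`) so generated files are not root-owned; for reproducibility consider pinning the image digest too, and keep this version in step with `.github/helm-docs-install.sh` used by the `generate-docs` job so local and CI output do not differ. A `.PHONY: helm-docs` line avoids the target being skipped should a file named `helm-docs` ever exist.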
4 changes: 2 additions & 2 deletions charts/microgateway/Chart.yaml
Expand Up @@ -14,5 +14,5 @@ maintainers:
- email: [email protected]
name: Airlock
name: microgateway
version: 0.6.0
appVersion: 1.0
version: 0.6.3
appVersion: "1.0"
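Review bot: quoting `appVersion: "1.0"` is the right fix; unquoted, YAML parses `1.0` as a float and it can render as `1` in labels and in the default image tag. The version jumps from 0.6.0 to 0.6.3 in one merge while `check-version-increment: false` is set in ct.yaml, so nothing checks the bump; acceptable for a merge commit, but the commit description should say so.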
58 changes: 32 additions & 26 deletions charts/microgateway/README.md
Expand Up @@ -6,7 +6,7 @@ It is the lightweight, container-based deployment form of the *Airlock Gateway*,

The Airlock helm charts are used internally for testing the *Airlock Microgateway*. We make them available publicly under the [MIT license](https://github.com/ergon/airlock-helm-charts/blob/master/LICENSE).

The current chart version is: 0.6.0
The current chart version is: 0.6.3

## About Ergon
*Airlock* is a registered trademark of [Ergon](https://www.ergon.ch). Ergon is a Swiss leader in leveraging digitalisation to create unique and effective client benefits, from conception to market, the result of which is the international distribution of globally revered products.
Expand Down Expand Up @@ -136,7 +136,7 @@ The following table lists configuration parameters of the Airlock Microgateway c
| hpa.minReplicas | int | `1` | Minimum number of Microgateway replicas. |
| hpa.resource.cpu | int | `50` | Average Microgateway CPU consumption in percentage to scale up/down. |
| hpa.resource.memory | string | `"2Gi"` | Average Microgateway Memory consumption to scale up/down.<br><br> :exclamation: Update this setting accordingly to `resources.limits.memory`. |
| image.pullPolicy | string | `"Always"` | Pull policy (`Always`, `IfNotPresent`, `Never`) |
| image.pullPolicy | string | `"IfNotPresent"` | Pull policy (`Always`, `IfNotPresent`, `Never`) |
| image.repository | string | `"ergon/airlock-microgateway"` | Image repository |
| image.tag | string | `"1.0"` | Image tag |
| imagePullSecrets | list | `[]` | Reference to one or more secrets to use when pulling images. |
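Review bot: changing the default `image.pullPolicy` to `IfNotPresent` while `image.tag` stays at the mutable `"1.0"` means a node that already has `1.0` cached keeps running it even after the tag is re-pushed with a fix; the row should say that users relying on tag re-pushes need `Always`, or better, that `image.tag` should be pinned to an immutable digest or patch-level tag.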
Expand All @@ -149,16 +149,19 @@ The following table lists configuration parameters of the Airlock Microgateway c
| ingress.targetPort | string | `"http"` | Target port of the service (`http`, `https` or `<number>`). |
| ingress.tls | list | `[]` | [Ingress TLS](https://kubernetes.io/docs/concepts/services-networking/ingress/#tls) configuration. |
| livenessProbe.enabled | bool | `true` | Enable liveness probes. |
| livenessProbe.failureThreshold | int | `9` | After how many subsequent failures the pod gets restarted. |
| livenessProbe.initialDelaySeconds | int | `90` | Initial delay in seconds. |
| livenessProbe.timeoutSeconds | int | `5` | Timeout of liveness probes, should roughly reflect allowed timeouts from clients. |
| nameOverride | string | `""` | Provide a name in place of `microgateway`. |
| nodeSelector | object | `{}` | Define which nodes the pods are scheduled on. |
| podSecurityContext | object | `{}` | [Security context for the pods](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod). |
| readinessProbe.enabled | bool | `true` | Enable readiness probes. |
| readinessProbe.initialDelaySeconds | int | `30` | Initial delay in seconds. |
| readinessProbe.failureThreshold | int | `3` | After how many tries the pod stops receiving traffic. |
| readinessProbe.initialDelaySeconds | int | `10` | Initial delay in seconds. |
| redis | object | See `redis.*`: | Pre-configured [Redis](#redis) service. |
| redis.enabled | bool | `false` | Deploy pre-configured [Redis](#redis). |
| replicaCount | int | `1` | Desired number of Microgateway pods. |
| resources | object | `{"limits":{"cpu":"4","memory":"4048Mi"},"requests":{"cpu":"500m","memory":"512Mi"}}` | [Resource limits](https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container) |
| resources | object | `{"limits":{"memory":"4048Mi"},"requests":{"cpu":"30m","memory":"256Mi"}}` | [Resource limits](https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container) |
| route | object | See `route.*`: | [Openshift Route](#openshift-route) |
| route.annotations | object | `{}` | Annotations to set on the route. |
| route.enabled | bool | `false` | Create a route object. |
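Review bot: the new `resources` default drops the CPU limit and lowers requests to `cpu: 30m` / `memory: 256Mi` while keeping `memory: 4048Mi` as the limit; that is a Burstable pod whose request is far below what a WAF under load uses, so the scheduler may overcommit nodes. State in the row that these are lab defaults and that production should size requests from observed usage; `4048Mi` also reads like a typo for `4096Mi`. The new `failureThreshold` rows and the readiness `initialDelaySeconds` cut from 30 to 10 are sensible, but `livenessProbe.failureThreshold: 9` with the existing `timeoutSeconds: 5` means a hung pod runs for about a minute and a half (at the default 10 s period) before a restart; document the intended tolerance.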
Expand All @@ -174,7 +177,9 @@ The following table lists configuration parameters of the Airlock Microgateway c
| route.tls.termination | string | `"reencrypt"` | Termination of the route (`edge`, `reencrypt`, `passthrough`). |
| securityContext | object | `{}` | [Security context for a container](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container). |
| service.annotations | object | `{}` | Annotations to set on the service. |
| service.externalTrafficPolicy | string | `Local` if `service.type=LoadBalancer` | [externalTrafficPolicy](https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip) |
| service.labels | object | `{}` | Additional labels to add on the service. |
| service.loadBalancerIP | string | "" if `service.type=LoadBalancer` | [loadBalancerIP](https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer) |
| service.port | int | `80` | Service port |
| service.tlsPort | int | `443` | Service TLS port |
| service.type | string | `"ClusterIP"` | [Service type](https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types) |
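Review bot: defaulting `service.externalTrafficPolicy` to `Local` for `LoadBalancer` services preserves the client source IP, which matters for a WAF's logging and IP-based rules, but it also means nodes without a ready Microgateway pod fail the load balancer health check and traffic is no longer spread evenly across nodes; the row should name that trade-off. The `loadBalancerIP` row shows its default as bare `""` while every other row wraps the default in backticks; make it consistent (in README.md.gotmpl, since README.md is generated).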
Expand Down Expand Up @@ -216,7 +221,8 @@ config:
---------------------
```

2. Deploy the Microgateway with the license.yaml file:
2. [Create the image pull secret](#credentials-to-pull-image-from-docker-registry) to pull the microgateway image.
3. Deploy the Microgateway with the license.yaml file:
```console
helm upgrade -i microgateway airlock/microgateway -f license.yaml
```
Expand Down Expand Up @@ -344,15 +350,15 @@ By default, the Airlock Microgateway is configured with the [Simple DSL configur
entry_path: /
operational_mode: integration
deny_rules:
- level: strict
exceptions:
- parameter_name:
pattern: ^content$
ignore_case: true
path:
pattern: ^/mail/
method:
pattern: ^POST$
level: strict
exceptions:
- parameter_name:
pattern: ^content$
ignore_case: true
path:
pattern: ^/mail/
method:
pattern: ^POST$
backend:
protocol: https
hostname: custom-backend-service
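Review bot: `deny_rules` changes from a list (`- level: strict`) to a mapping (`level: strict`) in this example; that is a data-shape change for anyone who copied the earlier README, and a chart that still iterates `deny_rules` as a list will fail to render or silently drop the rules. Confirm the templates and any values schema were updated in the same release and add a one-line migration note next to the example.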
Expand Down Expand Up @@ -408,15 +414,15 @@ The use cases outlined above can also occur slightly differently. But all of the
operational_mode: integration
session_handling: enforce_session
deny_rules:
- level: standard
exceptions:
- parameter_name:
pattern: ^content$
ignore_case: true
path:
pattern: ^/mail/
method:
pattern: ^POST$
level: standard
exceptions:
- parameter_name:
pattern: ^content$
ignore_case: true
path:
pattern: ^/mail/
method:
pattern: ^POST$
- name: api
entry_path: /api/
session_handling: ignore_session
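Review bot: same list-to-mapping change of `deny_rules` as in the simple example above; `exceptions` stays a list, which is presumably intentional, but check the indentation of `level:` in the rendered README so the mapping nests under `deny_rules` rather than becoming a sibling key of it.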
Expand All @@ -441,7 +447,7 @@ The use cases outlined above can also occur slightly differently. But all of the
### Expert DSL configuration
In case that the [Advanced DSL configuration](#advanced-dsl-configuration) does not suite, the expert configuration options must be used. There are a few reasons listed below:

* The Microgateway DSL configuration options are not available as Helm chart parameters (e.g. base_template_file, session.store_mode, ...)
* The Microgateway DSL configuration options are not available as Helm chart parameters (e.g. session.store_mode, ...)
* The Microgateway DSL configuration file has already been used/tested thorougly. To reduce the risk of a broken or unsecure configuration, do not modify the pre-configured configuration file.
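Review bot: dropping `base_template_file` from the list of DSL-only options implies it is either now a chart parameter or no longer supported; the text should say which, since the expert example below also loses the `base_template_file: /config/custom-base.xml` line and existing users need to know where a custom base template goes. Pre-existing typos in the context lines: "does not suite" should be "does not suit", "thorougly" "thoroughly", "unsecure" "insecure".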


Expand All @@ -452,7 +458,6 @@ In case that the [Advanced DSL configuration](#advanced-dsl-configuration) does
config:
expert:
dsl:
base_template_file: /config/custom-base.xml
license_file: /secret/config/license
session:
encryption_passphrase_file: /secret/config/passphrase
Expand Down Expand Up @@ -616,6 +621,7 @@ In case that multiple hosts are configured, TLS-SNI is used to distinguish what
annotations:
nginx.ingress.kubernetes.io/rewrite-target: /
kubernetes.io/ingress.class: nginx
nginx.ingress.kubernetes.io/backend-protocol: https
targetPort: https
tls:
- secretName: virtinc-tls-secret
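Review bot: adding `nginx.ingress.kubernetes.io/backend-protocol: https` together with `targetPort: https` re-encrypts traffic from ingress-nginx to the Microgateway, which is the right default for a WAF. ingress-nginx does not verify the backend certificate unless `nginx.ingress.kubernetes.io/proxy-ssl-secret` and `nginx.ingress.kubernetes.io/proxy-ssl-verify` are also set, so the text should say that this protects confidentiality on the wire but not backend authenticity, and point to those annotations for the stricter setup.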
Expand All @@ -624,7 +630,7 @@ In case that multiple hosts are configured, TLS-SNI is used to distinguish what
```

### Openshift Route
Since the Route is already available in an Openshift environment, nothing has to be installed additionally.
Since the Route controller is already available in an Openshift environment, nothing has to be installed additionally.

#### Route terminating HTTP

Expand Down
45 changes: 23 additions & 22 deletions charts/microgateway/README.md.gotmpl
Expand Up @@ -123,7 +123,8 @@ config:
---------------------
```

2. Deploy the Microgateway with the license.yaml file:
2. [Create the image pull secret](#credentials-to-pull-image-from-docker-registry) to pull the microgateway image.
3. Deploy the Microgateway with the license.yaml file:
```console
helm upgrade -i microgateway airlock/microgateway -f license.yaml
```
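Review bot: README.md is generated from this template (the `helm-docs` Makefile target and the `generate-docs` job), so the comments made on README.md above apply to this file as the source to change; verify that the README.md in this commit is what `helm-docs v0.13.0` produces from it, otherwise `generate-docs` will show a diff. The new step 2 links to `#credentials-to-pull-image-from-docker-registry`; make sure a heading with that anchor exists in the template.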
Expand Down Expand Up @@ -248,15 +249,15 @@ By default, the Airlock Microgateway is configured with the [Simple DSL configur
entry_path: /
operational_mode: integration
deny_rules:
- level: strict
exceptions:
- parameter_name:
pattern: ^content$
ignore_case: true
path:
pattern: ^/mail/
method:
pattern: ^POST$
level: strict
exceptions:
- parameter_name:
pattern: ^content$
ignore_case: true
path:
pattern: ^/mail/
method:
pattern: ^POST$
backend:
protocol: https
hostname: custom-backend-service
Expand Down Expand Up @@ -312,15 +313,15 @@ The use cases outlined above can also occur slightly differently. But all of the
operational_mode: integration
session_handling: enforce_session
deny_rules:
- level: standard
exceptions:
- parameter_name:
pattern: ^content$
ignore_case: true
path:
pattern: ^/mail/
method:
pattern: ^POST$
level: standard
exceptions:
- parameter_name:
pattern: ^content$
ignore_case: true
path:
pattern: ^/mail/
method:
pattern: ^POST$
- name: api
entry_path: /api/
session_handling: ignore_session
Expand All @@ -345,7 +346,7 @@ The use cases outlined above can also occur slightly differently. But all of the
### Expert DSL configuration
In case that the [Advanced DSL configuration](#advanced-dsl-configuration) does not suite, the expert configuration options must be used. There are a few reasons listed below:

* The Microgateway DSL configuration options are not available as Helm chart parameters (e.g. base_template_file, session.store_mode, ...)
* The Microgateway DSL configuration options are not available as Helm chart parameters (e.g. session.store_mode, ...)
* The Microgateway DSL configuration file has already been used/tested thorougly. To reduce the risk of a broken or unsecure configuration, do not modify the pre-configured configuration file.


Expand All @@ -356,7 +357,6 @@ In case that the [Advanced DSL configuration](#advanced-dsl-configuration) does
config:
expert:
dsl:
base_template_file: /config/custom-base.xml
license_file: /secret/config/license
session:
encryption_passphrase_file: /secret/config/passphrase
Expand Down Expand Up @@ -520,6 +520,7 @@ In case that multiple hosts are configured, TLS-SNI is used to distinguish what
annotations:
nginx.ingress.kubernetes.io/rewrite-target: /
kubernetes.io/ingress.class: nginx
nginx.ingress.kubernetes.io/backend-protocol: https
targetPort: https
tls:
- secretName: virtinc-tls-secret
Expand All @@ -528,7 +529,7 @@ In case that multiple hosts are configured, TLS-SNI is used to distinguish what
```

### Openshift Route
Since the Route is already available in an Openshift environment, nothing has to be installed additionally.
Since the Route controller is already available in an Openshift environment, nothing has to be installed additionally.

#### Route terminating HTTP

Expand Down

0 comments on commit 5218092