diff --git a/.github/ct.yaml b/.github/ct.yaml
index 12c3792a..5321f5b5 100644
--- a/.github/ct.yaml
+++ b/.github/ct.yaml
@@ -1,8 +1,9 @@
helm-extra-args: --timeout 300s
check-version-increment: false
+charts: charts/microgateway
debug: true
-namespace: validation-namespace
-release-label: release
-chart-repos:
+namespace: default
+release-label: app.kubernetes.io/instance
+chart-repos:
- bitnami=https://charts.bitnami.com/bitnami
- ealenn=https://ealenn.github.io/charts
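Review bot: `charts: charts/microgateway` is written as a plain scalar although chart-testing's `charts` option is list-valued (`--charts` accepts several directories); if the config loader does not split a scalar the selection silently misbehaves, so the unambiguous form is `charts:` followed by `  - charts/microgateway`. Setting `charts` also turns off changed-chart detection, which together with `check-version-increment: false` means every run lints and installs the whole chart regardless of what changed; a comment such as `# fixed chart list: changed-chart detection and version-increment checks are intentionally off` would record that this is deliberate. The `chart-repos:` line is removed and re-added with no visible text difference, so the change there is presumably whitespace only.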
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index adb8173f..64fbb304 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -4,24 +4,15 @@ on:
pull_request:
paths:
- 'charts/**'
+ - '.github/workflows/ci.yaml'
+ workflow_dispatch:
jobs:
- lint-chart:
+ generate-docs:
runs-on: ubuntu-latest
steps:
- name: Checkout
- uses: actions/checkout@v1
- - name: Run chart-testing (lint)
- uses: helm/chart-testing-action@master
- with:
- command: lint
- config: .github/ct.yaml
- lint-docs:
- runs-on: ubuntu-latest
- needs: lint-chart
- steps:
- - name: Checkout
- uses: actions/checkout@v1
+ uses: actions/checkout@v2
- name: Install helm-docs
run: .github/helm-docs-install.sh
env:
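Review bot: Dropping the standalone `lint-chart` job leaves `ct lint` to run only as a step inside the `install-chart` matrix (later hunk in this file), which `needs: kubeval-chart`, which in turn `needs: generate-docs`; linting therefore moves from the first gate of the pipeline to the last, and is repeated once per Kubernetes version in the matrix. A cheap fix is to keep a single `lint-chart` job (checkout, `helm/chart-testing-action`, `run: ct lint --config .github/ct.yaml`) and have `generate-docs` and `kubeval-chart` list it under `needs:`, so a lint failure fails fast and is reported once. The `generate-docs` job body continues past the end of this hunk, so its remaining steps were not reviewed.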
@@ -39,14 +30,13 @@ jobs:
kubeval-chart:
runs-on: ubuntu-latest
needs:
- - lint-chart
- - lint-docs
+ - generate-docs
strategy:
matrix:
k8s:
- - v1.16.4
- - v1.17.2
- - v1.18.2
+ - v1.18.15
+ - v1.19.7
+ - v1.20.2
steps:
- name: Checkout
uses: actions/checkout@v1
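Review bot: The `kubeval-chart` job still checks out with `actions/checkout@v1` (context line at the end of this hunk) while the other jobs in this commit move to `actions/checkout@v2`; align it with `uses: actions/checkout@v2` so the three jobs share one checkout version. The step list of this job continues beyond the hunk.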
@@ -57,39 +47,36 @@ jobs:
install-chart:
name: install-chart
runs-on: ubuntu-latest
- env:
- _v_namespace: validation-namespace
needs:
- - lint-chart
- - lint-docs
- kubeval-chart
strategy:
matrix:
k8s:
- - v1.16.4
- - v1.17.2
- - v1.18.2
+ - v1.18.15
+ - v1.19.7
+ - v1.20.2
steps:
- name: Checkout
- uses: actions/checkout@v1
+ uses: actions/checkout@v2
+ - name: Set up Helm
+ uses: azure/setup-helm@v1
+ with:
+ version: v3.4.0
+ - uses: actions/setup-python@v2
+ with:
+ python-version: 3.7
+ - name: Set up chart-testing
+ uses: helm/chart-testing-action@v2.0.1
+ - name: Run chart-testing (lint)
+ run: ct lint --config .github/ct.yaml
- name: Create kind ${{ matrix.k8s }} cluster
- uses: helm/kind-action@master
+ uses: helm/kind-action@v1.0.0
with:
node_image: kindest/node:${{ matrix.k8s }}
- name: Create Secrets
run: |
kubectl cluster-info
- kubectl get pods -n kube-system
- echo "current-context:" $(kubectl config current-context)
- kubectl create namespace $_v_namespace
- kubectl create secret docker-registry dockersecret --docker-username=${{ secrets.DOCKER_USER }} --docker-password=${{ secrets.DOCKER_USER_TOKEN }} --namespace $_v_namespace
- echo "${{ secrets.WAF_LICENSE }}" >> tmplicense.txt
- echo "${{ secrets.WAF_PASSPHRASE }}" >> tmppassphrase.txt
- kubectl create secret generic microgatewaysecrets --from-file=license=tmplicense.txt --from-file=passphrase=tmppassphrase.txt --namespace $_v_namespace
- kubectl describe secret dockersecret --namespace $_v_namespace
- kubectl describe secret microgatewaysecrets --namespace $_v_namespace
+ kubectl create secret docker-registry dockersecret --docker-username=${{ secrets.DOCKER_USER }} --docker-password=${{ secrets.DOCKER_USER_TOKEN }}
+ kubectl create secret generic microgatewaysecrets --from-literal=license="${{ secrets.WAF_LICENSE }}" --from-literal=passphrase="${{ secrets.WAF_PASSPHRASE }}"
- name: Run chart-testing (install)
- uses: helm/chart-testing-action@master
- with:
- command: install
- config: .github/ct.yaml
+ run: ct install --config .github/ct.yaml
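Review bot: In the rewritten `Create Secrets` step the four `${{ secrets.* }}` expressions are substituted into the script text before bash runs it, so a license or passphrase containing `"`, `$`, a backtick or a newline breaks the double-quoted `--from-literal=` argument, and an unquoted `--docker-password=${{ ... }}` is split on spaces; the old `echo ... >> file` form had the same weakness. Pass the secrets through the step's `env:` and reference them as shell variables, which is also what GitHub recommends against expression injection in `run:` scripts. Separately, the third-party actions introduced here (`azure/setup-helm@v1`, `helm/chart-testing-action@v2.0.1`, `helm/kind-action@v1.0.0`, and `helm/chart-releaser-action@v1.1.0` in release.yaml) are an improvement over `@master` but tags remain mutable; for a workflow that handles registry and license secrets, pin each to a full commit SHA with the version in a trailing comment (`uses: helm/kind-action@<COMMIT-SHA-PLACEHOLDER> # v1.0.0`). Also quote `python-version: "3.7"` so the value stays a string if it is ever bumped to a version such as 3.10. The step that follows (`Run chart-testing (install)`) is unchanged apart from the new `run:` line.

```yaml
      - name: Create Secrets
        env:
          DOCKER_USER: ${{ secrets.DOCKER_USER }}
          DOCKER_USER_TOKEN: ${{ secrets.DOCKER_USER_TOKEN }}
          WAF_LICENSE: ${{ secrets.WAF_LICENSE }}
          WAF_PASSPHRASE: ${{ secrets.WAF_PASSPHRASE }}
        run: |
          kubectl cluster-info
          kubectl create secret docker-registry dockersecret --docker-username="$DOCKER_USER" --docker-password="$DOCKER_USER_TOKEN"
          kubectl create secret generic microgatewaysecrets --from-literal=license="$WAF_LICENSE" --from-literal=passphrase="$WAF_PASSPHRASE"
      # … unchanged: Run chart-testing (install) step …
```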
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index e2bc01a2..221afcc2 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -6,6 +6,7 @@ on:
- master
paths:
- 'charts/**/Chart.yaml'
+ workflow_dispatch:
jobs:
release:
@@ -17,7 +18,17 @@ jobs:
run: |
git config user.name "'${{ secrets.TECHNICAL_USER }}'"
git config user.email "'${{ secrets.TECHNICAL_USER }}'@users.noreply.github.com"
+ - name: Install Helm
+ uses: azure/setup-helm@v1
+ with:
+ version: v3.4.0
+ - name: Add Helm Repo
+ run: |
+ helm repo add bitnami https://charts.bitnami.com/bitnami
+ helm repo add ealenn https://ealenn.github.io/charts
- name: Run chart-releaser
- uses: helm/chart-releaser-action@master
+ uses: helm/chart-releaser-action@v1.1.0
+ with:
+ config: .github/ct.yaml
env:
CR_TOKEN: '${{ secrets.TECHNICAL_USER_TOKEN }}'
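Review bot: `config: .github/ct.yaml` passes chart-testing's configuration to `helm/chart-releaser-action`, whose `config` input names a chart-releaser (`cr`) configuration file; none of the keys in ct.yaml (`helm-extra-args`, `check-version-increment`, `chart-repos`, `release-label`, ...) are cr options, so as far as I can tell the setting is inert and the new `helm repo add` step is what actually makes the dependency repositories available for packaging. If cr configuration is wanted, point the input at a dedicated file with cr keys (for example `.github/cr.yaml`, a constructed name); otherwise drop the `with:` block to avoid suggesting the two tools share settings. The `release` job starts before this hunk, so the checkout and remaining environment were not visible.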
diff --git a/Makefile b/Makefile
new file mode 100644
index 00000000..287fd1a1
--- /dev/null
+++ b/Makefile
@@ -0,0 +1,3 @@
+helm-docs:
+ @echo --- Generating Chart READMEs
+ @docker run --rm -v $$(pwd):/helm-docs -u $$(id -u) jnorwood/helm-docs:v0.13.0
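Review bot: The new `helm-docs` target is not declared phony, so a file or directory named `helm-docs` in the repository root would make `make helm-docs` report it as up to date and skip regeneration; add `.PHONY: helm-docs` above the rule. The generator image is pinned by tag only; for a reproducible documentation build pin it by digest as well, `jnorwood/helm-docs:v0.13.0@sha256:<DIGEST-PLACEHOLDER>`, and a one-line comment such as `# regenerates charts/*/README.md from README.md.gotmpl` would tell readers what the target writes.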
diff --git a/charts/microgateway/Chart.yaml b/charts/microgateway/Chart.yaml
index 96079af5..ef32ba3d 100644
--- a/charts/microgateway/Chart.yaml
+++ b/charts/microgateway/Chart.yaml
@@ -14,5 +14,5 @@ maintainers:
- email: support@airlock.com
name: Airlock
name: microgateway
-version: 0.6.0
-appVersion: 1.0
+version: 0.6.3
+appVersion: "1.0"
diff --git a/charts/microgateway/README.md b/charts/microgateway/README.md
index e7d0c8f6..602dc9e7 100644
--- a/charts/microgateway/README.md
+++ b/charts/microgateway/README.md
@@ -6,7 +6,7 @@ It is the lightweight, container-based deployment form of the *Airlock Gateway*,
The Airlock helm charts are used internally for testing the *Airlock Microgateway*. We make them available publicly under the [MIT license](https://github.com/ergon/airlock-helm-charts/blob/master/LICENSE).
-The current chart version is: 0.6.0
+The current chart version is: 0.6.3
## About Ergon
*Airlock* is a registered trademark of [Ergon](https://www.ergon.ch). Ergon is a Swiss leader in leveraging digitalisation to create unique and effective client benefits, from conception to market, the result of which is the international distribution of globally revered products.
@@ -136,7 +136,7 @@ The following table lists configuration parameters of the Airlock Microgateway c
| hpa.minReplicas | int | `1` | Minimum number of Microgateway replicas. |
| hpa.resource.cpu | int | `50` | Average Microgateway CPU consumption in percentage to scale up/down. |
| hpa.resource.memory | string | `"2Gi"` | Average Microgateway Memory consumption to scale up/down.
:exclamation: Update this setting accordingly to `resources.limits.memory`. |
-| image.pullPolicy | string | `"Always"` | Pull policy (`Always`, `IfNotPresent`, `Never`) |
+| image.pullPolicy | string | `"IfNotPresent"` | Pull policy (`Always`, `IfNotPresent`, `Never`) |
| image.repository | string | `"ergon/airlock-microgateway"` | Image repository |
| image.tag | string | `"1.0"` | Image tag |
| imagePullSecrets | list | `[]` | Reference to one or more secrets to use when pulling images. |
@@ -149,16 +149,19 @@ The following table lists configuration parameters of the Airlock Microgateway c
| ingress.targetPort | string | `"http"` | Target port of the service (`http`, `https` or ``). |
| ingress.tls | list | `[]` | [Ingress TLS](https://kubernetes.io/docs/concepts/services-networking/ingress/#tls) configuration. |
| livenessProbe.enabled | bool | `true` | Enable liveness probes. |
+| livenessProbe.failureThreshold | int | `9` | After how many subsequent failures the pod gets restarted. |
| livenessProbe.initialDelaySeconds | int | `90` | Initial delay in seconds. |
+| livenessProbe.timeoutSeconds | int | `5` | Timeout of liveness probes, should roughly reflect allowed timeouts from clients. |
| nameOverride | string | `""` | Provide a name in place of `microgateway`. |
| nodeSelector | object | `{}` | Define which nodes the pods are scheduled on. |
| podSecurityContext | object | `{}` | [Security context for the pods](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod). |
| readinessProbe.enabled | bool | `true` | Enable readiness probes. |
-| readinessProbe.initialDelaySeconds | int | `30` | Initial delay in seconds. |
+| readinessProbe.failureThreshold | int | `3` | After how many tries the pod stops receiving traffic. |
+| readinessProbe.initialDelaySeconds | int | `10` | Initial delay in seconds. |
| redis | object | See `redis.*`: | Pre-configured [Redis](#redis) service. |
| redis.enabled | bool | `false` | Deploy pre-configured [Redis](#redis). |
| replicaCount | int | `1` | Desired number of Microgateway pods. |
-| resources | object | `{"limits":{"cpu":"4","memory":"4048Mi"},"requests":{"cpu":"500m","memory":"512Mi"}}` | [Resource limits](https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container) |
+| resources | object | `{"limits":{"memory":"4048Mi"},"requests":{"cpu":"30m","memory":"256Mi"}}` | [Resource limits](https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container) |
| route | object | See `route.*`: | [Openshift Route](#openshift-route) |
| route.annotations | object | `{}` | Annotations to set on the route. |
| route.enabled | bool | `false` | Create a route object. |
@@ -174,7 +177,9 @@ The following table lists configuration parameters of the Airlock Microgateway c
| route.tls.termination | string | `"reencrypt"` | Termination of the route (`edge`, `reencrypt`, `passthrough`). |
| securityContext | object | `{}` | [Security context for a container](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container). |
| service.annotations | object | `{}` | Annotations to set on the service. |
+| service.externalTrafficPolicy | string | `Local` if `service.type=LoadBalancer` | [externalTrafficPolicy](https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip) |
| service.labels | object | `{}` | Additional labels to add on the service. |
+| service.loadBalancerIP | string | "" if `service.type=LoadBalancer` | [loadBalancerIP](https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer) |
| service.port | int | `80` | Service port |
| service.tlsPort | int | `443` | Service TLS port |
| service.type | string | `"ClusterIP"` | [Service type](https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types) |
@@ -216,7 +221,8 @@ config:
---------------------
```
-2. Deploy the Microgateway with the license.yaml file:
+2. [Create the image pull secret](#credentials-to-pull-image-from-docker-registry) to pull the microgateway image.
+3. Deploy the Microgateway with the license.yaml file:
```console
helm upgrade -i microgateway airlock/microgateway -f license.yaml
```
@@ -344,15 +350,15 @@ By default, the Airlock Microgateway is configured with the [Simple DSL configur
entry_path: /
operational_mode: integration
deny_rules:
- - level: strict
- exceptions:
- - parameter_name:
- pattern: ^content$
- ignore_case: true
- path:
- pattern: ^/mail/
- method:
- pattern: ^POST$
+ level: strict
+ exceptions:
+ - parameter_name:
+ pattern: ^content$
+ ignore_case: true
+ path:
+ pattern: ^/mail/
+ method:
+ pattern: ^POST$
backend:
protocol: https
hostname: custom-backend-service
@@ -408,15 +414,15 @@ The use cases outlined above can also occur slightly differently. But all of the
operational_mode: integration
session_handling: enforce_session
deny_rules:
- - level: standard
- exceptions:
- - parameter_name:
- pattern: ^content$
- ignore_case: true
- path:
- pattern: ^/mail/
- method:
- pattern: ^POST$
+ level: standard
+ exceptions:
+ - parameter_name:
+ pattern: ^content$
+ ignore_case: true
+ path:
+ pattern: ^/mail/
+ method:
+ pattern: ^POST$
- name: api
entry_path: /api/
session_handling: ignore_session
@@ -441,7 +447,7 @@ The use cases outlined above can also occur slightly differently. But all of the
### Expert DSL configuration
In case that the [Advanced DSL configuration](#advanced-dsl-configuration) does not suite, the expert configuration options must be used. There are a few reasons listed below:
-* The Microgateway DSL configuration options are not available as Helm chart parameters (e.g. base_template_file, session.store_mode, ...)
+* The Microgateway DSL configuration options are not available as Helm chart parameters (e.g. session.store_mode, ...)
* The Microgateway DSL configuration file has already been used/tested thorougly. To reduce the risk of a broken or unsecure configuration, do not modify the pre-configured configuration file.
@@ -452,7 +458,6 @@ In case that the [Advanced DSL configuration](#advanced-dsl-configuration) does
config:
expert:
dsl:
- base_template_file: /config/custom-base.xml
license_file: /secret/config/license
session:
encryption_passphrase_file: /secret/config/passphrase
@@ -616,6 +621,7 @@ In case that multiple hosts are configured, TLS-SNI is used to distinguish what
annotations:
nginx.ingress.kubernetes.io/rewrite-target: /
kubernetes.io/ingress.class: nginx
+ nginx.ingress.kubernetes.io/backend-protocol: https
targetPort: https
tls:
- secretName: virtinc-tls-secret
@@ -624,7 +630,7 @@ In case that multiple hosts are configured, TLS-SNI is used to distinguish what
```
### Openshift Route
-Since the Route is already available in an Openshift environment, nothing has to be installed additionally.
+Since the Route controller is already available in an Openshift environment, nothing has to be installed additionally.
#### Route terminating HTTP
diff --git a/charts/microgateway/README.md.gotmpl b/charts/microgateway/README.md.gotmpl
index d927cf51..d9ad45f5 100644
--- a/charts/microgateway/README.md.gotmpl
+++ b/charts/microgateway/README.md.gotmpl
@@ -123,7 +123,8 @@ config:
---------------------
```
-2. Deploy the Microgateway with the license.yaml file:
+2. [Create the image pull secret](#credentials-to-pull-image-from-docker-registry) to pull the microgateway image.
+3. Deploy the Microgateway with the license.yaml file:
```console
helm upgrade -i microgateway airlock/microgateway -f license.yaml
```
@@ -248,15 +249,15 @@ By default, the Airlock Microgateway is configured with the [Simple DSL configur
entry_path: /
operational_mode: integration
deny_rules:
- - level: strict
- exceptions:
- - parameter_name:
- pattern: ^content$
- ignore_case: true
- path:
- pattern: ^/mail/
- method:
- pattern: ^POST$
+ level: strict
+ exceptions:
+ - parameter_name:
+ pattern: ^content$
+ ignore_case: true
+ path:
+ pattern: ^/mail/
+ method:
+ pattern: ^POST$
backend:
protocol: https
hostname: custom-backend-service
@@ -312,15 +313,15 @@ The use cases outlined above can also occur slightly differently. But all of the
operational_mode: integration
session_handling: enforce_session
deny_rules:
- - level: standard
- exceptions:
- - parameter_name:
- pattern: ^content$
- ignore_case: true
- path:
- pattern: ^/mail/
- method:
- pattern: ^POST$
+ level: standard
+ exceptions:
+ - parameter_name:
+ pattern: ^content$
+ ignore_case: true
+ path:
+ pattern: ^/mail/
+ method:
+ pattern: ^POST$
- name: api
entry_path: /api/
session_handling: ignore_session
@@ -345,7 +346,7 @@ The use cases outlined above can also occur slightly differently. But all of the
### Expert DSL configuration
In case that the [Advanced DSL configuration](#advanced-dsl-configuration) does not suite, the expert configuration options must be used. There are a few reasons listed below:
-* The Microgateway DSL configuration options are not available as Helm chart parameters (e.g. base_template_file, session.store_mode, ...)
+* The Microgateway DSL configuration options are not available as Helm chart parameters (e.g. session.store_mode, ...)
* The Microgateway DSL configuration file has already been used/tested thorougly. To reduce the risk of a broken or unsecure configuration, do not modify the pre-configured configuration file.
@@ -356,7 +357,6 @@ In case that the [Advanced DSL configuration](#advanced-dsl-configuration) does
config:
expert:
dsl:
- base_template_file: /config/custom-base.xml
license_file: /secret/config/license
session:
encryption_passphrase_file: /secret/config/passphrase
@@ -520,6 +520,7 @@ In case that multiple hosts are configured, TLS-SNI is used to distinguish what
annotations:
nginx.ingress.kubernetes.io/rewrite-target: /
kubernetes.io/ingress.class: nginx
+ nginx.ingress.kubernetes.io/backend-protocol: https
targetPort: https
tls:
- secretName: virtinc-tls-secret
@@ -528,7 +529,7 @@ In case that multiple hosts are configured, TLS-SNI is used to distinguish what
```
### Openshift Route
-Since the Route is already available in an Openshift environment, nothing has to be installed additionally.
+Since the Route controller is already available in an Openshift environment, nothing has to be installed additionally.
#### Route terminating HTTP
diff --git a/charts/microgateway/templates/deployment.yaml b/charts/microgateway/templates/deployment.yaml
index a5a2ce7f..1aedbcbb 100644
--- a/charts/microgateway/templates/deployment.yaml
+++ b/charts/microgateway/templates/deployment.yaml
@@ -41,6 +41,7 @@ spec:
- name: config
mountPath: /config/config.yaml
subPath: config.yaml
+ readOnly: true
- name: secret
mountPath: /secret/config/
readOnly: true
@@ -54,6 +55,8 @@ spec:
{{- end }}
{{- if .Values.livenessProbe.enabled }}
livenessProbe:
+ failureThreshold: {{ .Values.livenessProbe.failureThreshold }}
+ timeoutSeconds: {{ .Values.livenessProbe.timeoutSeconds }}
httpGet:
path: /healthz
port: http
@@ -61,11 +64,18 @@ spec:
{{- end }}
{{- if .Values.readinessProbe.enabled }}
readinessProbe:
+ failureThreshold: {{ .Values.readinessProbe.failureThreshold }}
httpGet:
path: /healthz
port: http
initialDelaySeconds: {{ .Values.readinessProbe.initialDelaySeconds }}
{{- end }}
+ lifecycle:
+ preStop:
+ exec:
+ command:
+ - /usr/bin/sleep
+ - "10"
resources:
{{- toYaml .Values.resources | nindent 10 }}
securityContext:
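Review bot: The `preStop` hook added at the end of this hunk hard-codes both the binary path `/usr/bin/sleep` and the `"10"` second delay, and neither appears in values.yaml or the README; if a future image lacks `/usr/bin/sleep` the hook fails and, as far as I recall, Kubernetes only records an event and proceeds to SIGTERM without the drain delay. Consider `command: ["sleep", "10"]` (resolved via PATH) or, better, a chart value such as `.Values.lifecycle.preStopSleepSeconds` (constructed name) guarded by `{{- if }}`, plus a template comment `# delay SIGTERM so endpoint controllers remove the pod before connections are cut`. The delay must also stay below the pod's terminationGracePeriodSeconds (30s by default), which the template does not set, so that constraint is worth stating in the same comment. The container spec continues past this hunk.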
diff --git a/charts/microgateway/templates/service.yaml b/charts/microgateway/templates/service.yaml
index af6ef91b..ed56daa8 100644
--- a/charts/microgateway/templates/service.yaml
+++ b/charts/microgateway/templates/service.yaml
@@ -20,5 +20,11 @@ spec:
- port: {{ .Values.service.tlsPort }}
targetPort: https
name: https
+ {{- if eq .Values.service.type "LoadBalancer" }}
+ externalTrafficPolicy: {{ .Values.service.externalTrafficPolicy }}
+ {{- with .Values.service.loadBalancerIP }}
+ loadBalancerIP: {{ . }}
+ {{- end }}
+ {{- end }}
selector:
{{- include "microgateway.selectorLabels" . | nindent 4 }}
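Review bot: `externalTrafficPolicy: {{ .Values.service.externalTrafficPolicy }}` is rendered unconditionally whenever the service type is LoadBalancer, so a user who clears the value gets `externalTrafficPolicy:` (null) in the manifest, which the API server may reject, whereas the neighbouring `loadBalancerIP` is correctly wrapped in `with`. Use the same guard and quote the rendered scalar: `{{- with .Values.service.externalTrafficPolicy }}`, `externalTrafficPolicy: {{ . | quote }}`, `{{- end }}`; quoting `loadBalancerIP: {{ . | quote }}` likewise keeps the value a string regardless of what YAML would infer from the input.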
diff --git a/charts/microgateway/values.yaml b/charts/microgateway/values.yaml
index 888b9fcf..adb57e2a 100644
--- a/charts/microgateway/values.yaml
+++ b/charts/microgateway/values.yaml
@@ -7,7 +7,7 @@ image:
# image.tag -- Image tag
tag: "1.0"
# image.pullPolicy -- Pull policy (`Always`, `IfNotPresent`, `Never`)
- pullPolicy: Always
+ pullPolicy: IfNotPresent
## Microgateway Config
##
@@ -157,6 +157,12 @@ securityContext: {}
service:
# service.type -- [Service type](https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types)
type: ClusterIP
+ # service.externalTrafficPolicy -- [externalTrafficPolicy](https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip)
+ # @default -- `Local` if `service.type=LoadBalancer`
+ externalTrafficPolicy: Local
+ # service.loadBalancerIP -- [loadBalancerIP](https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer)
+ # @default -- "" if `service.type=LoadBalancer`
+ loadBalancerIP:
# service.port -- Service port
port: 80
# service.tlsPort -- Service TLS port
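Review bot: `loadBalancerIP:` with no value parses as null, while the helm-docs annotation directly above documents the default as `""`; write `loadBalancerIP: ""` so the documented and actual defaults agree and yamllint's empty-values check passes (the template's `with` guard treats both as unset, so behaviour is unchanged). The `externalTrafficPolicy: Local` default is only applied when `service.type` is LoadBalancer, which the `@default` annotation states; a short comment that `Local` preserves the client source IP but drops traffic on nodes without a ready pod would help operators pick between `Local` and `Cluster`.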
@@ -268,11 +274,10 @@ route:
# resources -- [Resource limits](https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container)
resources:
requests:
- memory: "512Mi"
- cpu: "500m"
+ memory: 256Mi
+ cpu: 30m
limits:
- memory: "4048Mi"
- cpu: "4"
+ memory: 4048Mi
## Liveness and readiness probe values
## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes
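Review bot: The memory limit is rewritten as `4048Mi`, an unusual figure; 4 GiB would be `4096Mi`, so confirm whether the value (pre-existing, but touched by this hunk and mirrored into the README) is intended. The CPU limit is removed while requests are lowered to `30m`/`256Mi`, and nothing in the file records why; a comment such as `# no cpu limit on purpose; memory limit only` above `limits:` would keep the next reader from reintroducing it.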
@@ -282,12 +287,19 @@ livenessProbe:
enabled: true
# livenessProbe.initialDelaySeconds -- Initial delay in seconds.
initialDelaySeconds: 90
+ # livenessProbe.failureThreshold -- After how many subsequent failures the pod gets restarted.
+ failureThreshold: 9
+ # livenessProbe.timeoutSeconds -- Timeout of liveness probes, should roughly reflect allowed timeouts from clients.
+ timeoutSeconds: 5
readinessProbe:
# readinessProbe.enabled -- Enable readiness probes.
enabled: true
# readinessProbe.initialDelaySeconds -- Initial delay in seconds.
- initialDelaySeconds: 30
+ initialDelaySeconds: 10
+ # readinessProbe.failureThreshold -- After how many tries the pod stops receiving traffic.
+ failureThreshold: 3
+
# nodeSelector -- Define which nodes the pods are scheduled on.
nodeSelector: {}
# tolerations -- Tolerations for use with node [taints](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/).
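Review bot: `readinessProbe` gains `failureThreshold` but not `timeoutSeconds`, while the liveness probe gets both; with the Kubernetes default probe timeout of 1s a loaded gateway can be marked unready and removed from the service before liveness (5s) would even notice. Add `timeoutSeconds` to readinessProbe in values.yaml, the deployment template and the README table for symmetry, documented like its liveness counterpart (`# readinessProbe.timeoutSeconds -- Timeout of readiness probes.`). The added blank line before `nodeSelector` is cosmetic only.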