From 45198c8959df40691af5f5903f5b6b95bd8314b5 Mon Sep 17 00:00:00 2001 From: Chris Date: Fri, 8 Jan 2021 11:38:44 +0100 Subject: [PATCH 01/13] Microgateway documentation improvements (#54) * Add Makefile Make it easier for contributing README changes * Improve readme documentation --- Makefile | 3 ++ charts/microgateway/README.md | 41 ++++++++++++++-------------- charts/microgateway/README.md.gotmpl | 41 ++++++++++++++-------------- 3 files changed, 45 insertions(+), 40 deletions(-) create mode 100644 Makefile diff --git a/Makefile b/Makefile new file mode 100644 index 00000000..287fd1a1 --- /dev/null +++ b/Makefile @@ -0,0 +1,3 @@ +helm-docs: + @echo --- Generating Chart READMEs + @docker run --rm -v $$(pwd):/helm-docs -u $$(id -u) jnorwood/helm-docs:v0.13.0 diff --git a/charts/microgateway/README.md b/charts/microgateway/README.md index e7d0c8f6..d0eeba84 100644 --- a/charts/microgateway/README.md +++ b/charts/microgateway/README.md @@ -216,7 +216,8 @@ config: --------------------- ``` -2. Deploy the Microgateway with the license.yaml file: +2. [Create the image pull secret](#credentials-to-pull-image-from-docker-registry) to pull the microgateway image. +3. Deploy the Microgateway with the license.yaml file: ```console helm upgrade -i microgateway airlock/microgateway -f license.yaml ``` @@ -344,15 +345,15 @@ By default, the Airlock Microgateway is configured with the [Simple DSL configur entry_path: / operational_mode: integration deny_rules: - - level: strict - exceptions: - - parameter_name: - pattern: ^content$ - ignore_case: true - path: - pattern: ^/mail/ - method: - pattern: ^POST$ + level: strict + exceptions: + - parameter_name: + pattern: ^content$ + ignore_case: true + path: + pattern: ^/mail/ + method: + pattern: ^POST$ backend: protocol: https hostname: custom-backend-service 
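Review bot: The `helm-docs` target in the new Makefile is not declared phony, so a file or directory named `helm-docs` in the repository root would make `make helm-docs` report it as up to date and silently skip the docker run; add `.PHONY: helm-docs` above the rule. The image reference `jnorwood/helm-docs:v0.13.0` is a mutable tag, so the tool that rewrites the chart READMEs can change underneath contributors without any diff in this repository; pinning by digest, e.g. `jnorwood/helm-docs:v0.13.0@sha256:<digest-placeholder>`, makes the generator reproducible. The `$$(pwd)` and `$$(id -u)` expansions are unquoted, which breaks for a checkout path containing spaces: `-v "$$(pwd)":/helm-docs -u "$$(id -u)"`.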
@@ -408,15 +409,15 @@ The use cases outlined above can also occur slightly differently. But all of the operational_mode: integration session_handling: enforce_session deny_rules: - - level: standard - exceptions: - - parameter_name: - pattern: ^content$ - ignore_case: true - path: - pattern: ^/mail/ - method: - pattern: ^POST$ + level: standard + exceptions: + - parameter_name: + pattern: ^content$ + ignore_case: true + path: + pattern: ^/mail/ + method: + pattern: ^POST$ - name: api entry_path: /api/ session_handling: ignore_session @@ -624,7 +625,7 @@ In case that multiple hosts are configured, TLS-SNI is used to distinguish what ``` ### Openshift Route -Since the Route is already available in an Openshift environment, nothing has to be installed additionally. +Since the Route controller is already available in an Openshift environment, nothing has to be installed additionally. #### Route terminating HTTP diff --git a/charts/microgateway/README.md.gotmpl b/charts/microgateway/README.md.gotmpl index d927cf51..22650eeb 100644 --- a/charts/microgateway/README.md.gotmpl +++ b/charts/microgateway/README.md.gotmpl @@ -123,7 +123,8 @@ config: --------------------- ``` -2. Deploy the Microgateway with the license.yaml file: +2. [Create the image pull secret](#credentials-to-pull-image-from-docker-registry) to pull the microgateway image. +3. Deploy the Microgateway with the license.yaml file: ```console helm upgrade -i microgateway airlock/microgateway -f license.yaml ``` 
@@ -248,15 +249,15 @@ By default, the Airlock Microgateway is configured with the [Simple DSL configur entry_path: / operational_mode: integration deny_rules: - - level: strict - exceptions: - - parameter_name: - pattern: ^content$ - ignore_case: true - path: - pattern: ^/mail/ - method: - pattern: ^POST$ + level: strict + exceptions: + - parameter_name: + pattern: ^content$ + ignore_case: true + path: + pattern: ^/mail/ + method: + pattern: ^POST$ backend: protocol: https hostname: custom-backend-service @@ -312,15 +313,15 @@ The use cases outlined above can also occur slightly differently. But all of the operational_mode: integration session_handling: enforce_session deny_rules: - - level: standard - exceptions: - - parameter_name: - pattern: ^content$ - ignore_case: true - path: - pattern: ^/mail/ - method: - pattern: ^POST$ + level: standard + exceptions: + - parameter_name: + pattern: ^content$ + ignore_case: true + path: + pattern: ^/mail/ + method: + pattern: ^POST$ - name: api entry_path: /api/ session_handling: ignore_session @@ -528,7 +529,7 @@ In case that multiple hosts are configured, TLS-SNI is used to distinguish what ``` ### Openshift Route -Since the Route is already available in an Openshift environment, nothing has to be installed additionally. +Since the Route controller is already available in an Openshift environment, nothing has to be installed additionally. #### Route terminating HTTP From fc9642e185d96fc8f435f144b6ab7a4b2b0eb13c Mon Sep 17 00:00:00 2001 
From: Roland Weber Date: Wed, 20 Jan 2021 11:45:55 +0100 Subject: [PATCH 02/13] Vshn fixes (#66) * Change image pull policy default value to IfNotPresent (#56) To help reduce Pod startup time since we are using SemVer images * Adjust resource requests and limits (#60) According to K8s best practices: * CPU limit should not be enabled unless it's a development environment * CPU request should not be set too high, else a node might be "full" with CPU requests very fast, preventing Pod scheduling. * Adjust liveness probe values (#57) Having the same failure threshold on the same endpoint combines the effect, resp. the readiness probe has no further value. Setting the failure threshold on the liveness probe higher than readiness gives the Pod more time to recover before restarting it. Adds a preStop handler to give time for finishing up existing client connections/requests before shutting down. * Mount config file in read-only mode fixes #43 Co-authored-by: Chris Co-authored-by: Roland Weber --- charts/microgateway/Chart.yaml | 2 +- charts/microgateway/README.md | 11 +++++++---- charts/microgateway/templates/deployment.yaml | 10 ++++++++++ charts/microgateway/values.yaml | 18 ++++++++++++------ 4 files changed, 30 insertions(+), 11 deletions(-) diff --git a/charts/microgateway/Chart.yaml b/charts/microgateway/Chart.yaml index 96079af5..459182d5 100644 --- a/charts/microgateway/Chart.yaml +++ b/charts/microgateway/Chart.yaml @@ -14,5 +14,5 @@ maintainers: - email: support@airlock.com name: Airlock name: microgateway -version: 0.6.0 +version: 0.6.1 appVersion: 1.0 diff --git a/charts/microgateway/README.md b/charts/microgateway/README.md index d0eeba84..068dc788 100644 --- a/charts/microgateway/README.md +++ b/charts/microgateway/README.md 
@@ -6,7 +6,7 @@ It is the lightweight, container-based deployment form of the *Airlock Gateway*, The Airlock helm charts are used internally for testing the *Airlock Microgateway*. We make them available publicly under the [MIT license](https://github.com/ergon/airlock-helm-charts/blob/master/LICENSE). -The current chart version is: 0.6.0 +The current chart version is: 0.6.1 ## About Ergon *Airlock* is a registered trademark of [Ergon](https://www.ergon.ch). Ergon is a Swiss leader in leveraging digitalisation to create unique and effective client benefits, from conception to market, the result of which is the international distribution of globally revered products. @@ -136,7 +136,7 @@ The following table lists configuration parameters of the Airlock Microgateway c | hpa.minReplicas | int | `1` | Minimum number of Microgateway replicas. | | hpa.resource.cpu | int | `50` | Average Microgateway CPU consumption in percentage to scale up/down. | | hpa.resource.memory | string | `"2Gi"` | Average Microgateway Memory consumption to scale up/down.

:exclamation: Update this setting accordingly to `resources.limits.memory`. | -| image.pullPolicy | string | `"Always"` | Pull policy (`Always`, `IfNotPresent`, `Never`) | +| image.pullPolicy | string | `"IfNotPresent"` | Pull policy (`Always`, `IfNotPresent`, `Never`) | | image.repository | string | `"ergon/airlock-microgateway"` | Image repository | | image.tag | string | `"1.0"` | Image tag | | imagePullSecrets | list | `[]` | Reference to one or more secrets to use when pulling images. | 
@@ -149,16 +149,19 @@ The following table lists configuration parameters of the Airlock Microgateway c | ingress.targetPort | string | `"http"` | Target port of the service (`http`, `https` or ``). | | ingress.tls | list | `[]` | [Ingress TLS](https://kubernetes.io/docs/concepts/services-networking/ingress/#tls) configuration. | | livenessProbe.enabled | bool | `true` | Enable liveness probes. | +| livenessProbe.failureThreshold | int | `9` | After how many subsequent failures the pod gets restarted. | | livenessProbe.initialDelaySeconds | int | `90` | Initial delay in seconds. | +| livenessProbe.timeoutSeconds | int | `5` | Timeout of liveness probes, should roughly reflect allowed timeouts from clients. | | nameOverride | string | `""` | Provide a name in place of `microgateway`. | | nodeSelector | object | `{}` | Define which nodes the pods are scheduled on. | | podSecurityContext | object | `{}` | [Security context for the pods](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod). | | readinessProbe.enabled | bool | `true` | Enable readiness probes. | -| readinessProbe.initialDelaySeconds | int | `30` | Initial delay in seconds. | +| readinessProbe.failureThreshold | int | `3` | After how many tries the pod stops receiving traffic. | +| readinessProbe.initialDelaySeconds | int | `10` | Initial delay in seconds. | | redis | object | See `redis.*`: | Pre-configured [Redis](#redis) service. | | redis.enabled | bool | `false` | Deploy pre-configured [Redis](#redis). | | replicaCount | int | `1` | Desired number of Microgateway pods. 
| -| resources | object | `{"limits":{"cpu":"4","memory":"4048Mi"},"requests":{"cpu":"500m","memory":"512Mi"}}` | [Resource limits](https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container) | +| resources | object | `{"limits":{"memory":"4048Mi"},"requests":{"cpu":"30m","memory":"256Mi"}}` | [Resource limits](https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container) | | route | object | See `route.*`: | [Openshift Route](#openshift-route) | | route.annotations | object | `{}` | Annotations to set on the route. | | route.enabled | bool | `false` | Create a route object. | diff --git a/charts/microgateway/templates/deployment.yaml b/charts/microgateway/templates/deployment.yaml index a5a2ce7f..1aedbcbb 100644 --- a/charts/microgateway/templates/deployment.yaml +++ b/charts/microgateway/templates/deployment.yaml @@ -41,6 +41,7 @@ spec: - name: config mountPath: /config/config.yaml subPath: config.yaml + readOnly: true - name: secret mountPath: /secret/config/ readOnly: true @@ -54,6 +55,8 @@ spec: {{- end }} {{- if .Values.livenessProbe.enabled }} livenessProbe: + failureThreshold: {{ .Values.livenessProbe.failureThreshold }} + timeoutSeconds: {{ .Values.livenessProbe.timeoutSeconds }} httpGet: path: /healthz port: http @@ -61,11 +64,18 @@ spec: {{- end }} {{- if .Values.readinessProbe.enabled }} readinessProbe: + failureThreshold: {{ .Values.readinessProbe.failureThreshold }} httpGet: path: /healthz port: http initialDelaySeconds: {{ .Values.readinessProbe.initialDelaySeconds }} {{- end }} + lifecycle: + preStop: + exec: + command: + - /usr/bin/sleep + - "10" resources: {{- toYaml .Values.resources | nindent 10 }} securityContext: diff --git a/charts/microgateway/values.yaml b/charts/microgateway/values.yaml index 888b9fcf..6bea91f7 100644 --- a/charts/microgateway/values.yaml 
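Review bot: The `lifecycle.preStop` hook added below the readiness probe in deployment.yaml is unconditional and hard-codes both the binary path `/usr/bin/sleep` and the 10 s delay, unlike every other tunable in this template, which is read from `.Values`; the hook only works if the image ships that exact path, and operators cannot shorten it to fit a reduced `terminationGracePeriodSeconds`. Consider exposing it like the probes, e.g. a `.Values.lifecycle` block rendered with `toYaml`, or at least add a comment above `lifecycle:` explaining the 10 s choice. In the same hunk the readiness probe gains `failureThreshold` but not `timeoutSeconds`, while the liveness probe in the hunk above gains both; with the readiness timeout left at the Kubernetes default of 1 s, slow health checks will mark the pod unready long before liveness acts, which may be intended but deserves a comment on the readinessProbe block.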
+++ b/charts/microgateway/values.yaml @@ -7,7 +7,7 @@ image: # image.tag -- Image tag tag: "1.0" # image.pullPolicy -- Pull policy (`Always`, `IfNotPresent`, `Never`) - pullPolicy: Always + pullPolicy: IfNotPresent ## Microgateway Config ## @@ -268,11 +268,10 @@ route: # resources -- [Resource limits](https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container) resources: requests: - memory: "512Mi" - cpu: "500m" + memory: 256Mi + cpu: 30m limits: - memory: "4048Mi" - cpu: "4" + memory: 4048Mi ## Liveness and readiness probe values ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes @@ -282,12 +281,19 @@ livenessProbe: enabled: true # livenessProbe.initialDelaySeconds -- Initial delay in seconds. initialDelaySeconds: 90 + # livenessProbe.failureThreshold -- After how many subsequent failures the pod gets restarted. + failureThreshold: 9 + # livenessProbe.timeoutSeconds -- Timeout of liveness probes, should roughly reflect allowed timeouts from clients. + timeoutSeconds: 5 readinessProbe: # readinessProbe.enabled -- Enable readiness probes. enabled: true # readinessProbe.initialDelaySeconds -- Initial delay in seconds. - initialDelaySeconds: 30 + initialDelaySeconds: 10 + # readinessProbe.failureThreshold -- After how many tries the pod stops receiving traffic. + failureThreshold: 3 + # nodeSelector -- Define which nodes the pods are scheduled on. nodeSelector: {} # tolerations -- Tolerations for use with node [taints](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/). From 1e9e3ac06adbab840fb9a25581a71bf1f4234162 Mon Sep 17 00:00:00 2001 From: Roland Weber Date: Wed, 20 Jan 2021 13:10:21 +0100 Subject: [PATCH 03/13] use fixed version of helm/chart-releaser-action use version 1.1.0 --- .github/workflows/release.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
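Review bot: The re-added limit `memory: 4048Mi` in the `resources` hunk looks like a typo for `4096Mi` (4 GiB); the number predates this commit, but the hunk rewrites the line, so it is worth confirming before the quotes are dropped. The same hunk lowers `requests.cpu` to `30m` while the HPA (see the `hpa.resource.cpu` row of the README, `50` percent) scales relative to the request, so scale-out will now trigger at roughly 15m of actual use; a comment above `requests:` stating that the request is deliberately low and that the HPA percentage is relative to it would save the next reader the calculation.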
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index e2bc01a2..27564986 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -18,6 +18,6 @@ jobs: git config user.name "'${{ secrets.TECHNICAL_USER }}'" git config user.email "'${{ secrets.TECHNICAL_USER }}'@users.noreply.github.com" - name: Run chart-releaser - uses: helm/chart-releaser-action@master + uses: helm/chart-releaser-action@v1.1.0 env: CR_TOKEN: '${{ secrets.TECHNICAL_USER_TOKEN }}' From 0953d3f4c65c3dc063e6a4e2dde9a5233feacc99 Mon Sep 17 00:00:00 2001 From: Roland Weber Date: Wed, 20 Jan 2021 13:14:01 +0100 Subject: [PATCH 04/13] allow manual triggering of workflow --- .github/workflows/release.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 27564986..cebf899b 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -6,6 +6,7 @@ on: - master paths: - 'charts/**/Chart.yaml' + workflow_dispatch: jobs: release: From 390230d069393315ba348877df74ca3f87f7fa0d Mon Sep 17 00:00:00 2001 From: Roland Weber Date: Wed, 20 Jan 2021 13:25:48 +0100 Subject: [PATCH 05/13] install helm prior to release chart --- .github/workflows/release.yaml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index cebf899b..c86802a3 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -18,6 +18,10 @@ jobs: run: | git config user.name "'${{ secrets.TECHNICAL_USER }}'" git config user.email "'${{ secrets.TECHNICAL_USER }}'@users.noreply.github.com" + - name: Install Helm + uses: azure/setup-helm@v1 + with: + version: v3.4.0 - name: Run chart-releaser uses: helm/chart-releaser-action@v1.1.0 env: From 9b73f2786010b5e4fefb3c03dfce2befd6b859b3 Mon Sep 17 00:00:00 2001 
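Review bot: `uses: helm/chart-releaser-action@v1.1.0` replaces `@master` with a tag, but a tag is still a mutable ref that the upstream owner can move; for a workflow that holds `CR_TOKEN` and pushes releases, pin to the full commit SHA and keep the version as a comment, e.g. `uses: helm/chart-releaser-action@<full-commit-sha>  # v1.1.0`. The same applies to `azure/setup-helm@v1` added in the PATCH 05 hunk on this line and to `helm/chart-testing-action@v1.1.0` in the ci.yaml hunk of PATCH 10.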
From: Roland Weber Date: Wed, 20 Jan 2021 15:04:06 +0100 Subject: [PATCH 06/13] set configuration file for chart releaser --- .github/workflows/release.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index c86802a3..b4fd4545 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -24,5 +24,7 @@ jobs: version: v3.4.0 - name: Run chart-releaser uses: helm/chart-releaser-action@v1.1.0 + with: + config: .github/ct.yaml env: CR_TOKEN: '${{ secrets.TECHNICAL_USER_TOKEN }}' From 1fd7fc965e3e373fb390c56ba7f91eb881e01f1b Mon Sep 17 00:00:00 2001 From: Roland Weber Date: Wed, 20 Jan 2021 15:09:52 +0100 Subject: [PATCH 07/13] add helm repo for dependencies in workflow --- .github/workflows/release.yaml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index b4fd4545..221afcc2 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -21,7 +21,11 @@ jobs: - name: Install Helm uses: azure/setup-helm@v1 with: - version: v3.4.0 + version: v3.4.0 + - name: Add Helm Repo + run: | + helm repo add bitnami https://charts.bitnami.com/bitnami + helm repo add ealenn https://ealenn.github.io/charts - name: Run chart-releaser uses: helm/chart-releaser-action@v1.1.0 with: From 138a9991e6a40fb2e12482d3d7e354882c8606e3 Mon Sep 17 00:00:00 2001 
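Review bot: `config: .github/ct.yaml` hands the chart-testing configuration to chart-releaser-action, whose `config` input is read by `cr`, not `ct`; keys such as `chart-repos`, `release-label` and `helm-extra-args` are ct options, so the file is likely ignored by cr and any cr setting intended here is not applied — verify in the action log, and if cr needs a config keep it in a separate file. If the intent was only to make the dependency repositories known, the `helm repo add` step introduced in PATCH 07 on this line already covers that.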
From: Roland Weber Date: Fri, 22 Jan 2021 13:20:02 +0100 Subject: [PATCH 08/13] Remove reference to base_template_file configuration parameter. (#67) * Remove reference to base_template_file configuration parameter. Microgateway configuration using the base_template_file configuration paramater is no longer supported. * Increase chart version. * Automated README generation Co-authored-by: Roland Weber Co-authored-by: airlockgithubci --- charts/microgateway/Chart.yaml | 2 +- charts/microgateway/README.md | 5 ++--- charts/microgateway/README.md.gotmpl | 3 +-- 3 files changed, 4 insertions(+), 6 deletions(-) diff --git a/charts/microgateway/Chart.yaml b/charts/microgateway/Chart.yaml index 459182d5..cf70f9b5 100644 --- a/charts/microgateway/Chart.yaml +++ b/charts/microgateway/Chart.yaml @@ -14,5 +14,5 @@ maintainers: - email: support@airlock.com name: Airlock name: microgateway -version: 0.6.1 +version: 0.6.2 appVersion: 1.0 diff --git a/charts/microgateway/README.md b/charts/microgateway/README.md index 068dc788..c22d8c3c 100644 --- a/charts/microgateway/README.md +++ b/charts/microgateway/README.md @@ -6,7 +6,7 @@ It is the lightweight, container-based deployment form of the *Airlock Gateway*, The Airlock helm charts are used internally for testing the *Airlock Microgateway*. We make them available publicly under the [MIT license](https://github.com/ergon/airlock-helm-charts/blob/master/LICENSE). -The current chart version is: 0.6.1 +The current chart version is: 0.6.2 ## About Ergon *Airlock* is a registered trademark of [Ergon](https://www.ergon.ch). Ergon is a Swiss leader in leveraging digitalisation to create unique and effective client benefits, from conception to market, the result of which is the international distribution of globally revered products. 
@@ -445,7 +445,7 @@ The use cases outlined above can also occur slightly differently. But all of the ### Expert DSL configuration In case that the [Advanced DSL configuration](#advanced-dsl-configuration) does not suite, the expert configuration options must be used. There are a few reasons listed below: -* The Microgateway DSL configuration options are not available as Helm chart parameters (e.g. base_template_file, session.store_mode, ...) +* The Microgateway DSL configuration options are not available as Helm chart parameters (e.g. session.store_mode, ...) * The Microgateway DSL configuration file has already been used/tested thorougly. To reduce the risk of a broken or unsecure configuration, do not modify the pre-configured configuration file. @@ -456,7 +456,6 @@ In case that the [Advanced DSL configuration](#advanced-dsl-configuration) does config: expert: dsl: - base_template_file: /config/custom-base.xml license_file: /secret/config/license session: encryption_passphrase_file: /secret/config/passphrase diff --git a/charts/microgateway/README.md.gotmpl b/charts/microgateway/README.md.gotmpl index 22650eeb..1aff6d05 100644 --- a/charts/microgateway/README.md.gotmpl +++ b/charts/microgateway/README.md.gotmpl @@ -346,7 +346,7 @@ The use cases outlined above can also occur slightly differently. But all of the ### Expert DSL configuration In case that the [Advanced DSL configuration](#advanced-dsl-configuration) does not suite, the expert configuration options must be used. There are a few reasons listed below: -* The Microgateway DSL configuration options are not available as Helm chart parameters (e.g. base_template_file, session.store_mode, ...) +* The Microgateway DSL configuration options are not available as Helm chart parameters (e.g. session.store_mode, ...) * The Microgateway DSL configuration file has already been used/tested thorougly. To reduce the risk of a broken or unsecure configuration, do not modify the pre-configured configuration file. 
@@ -357,7 +357,6 @@ In case that the [Advanced DSL configuration](#advanced-dsl-configuration) does config: expert: dsl: - base_template_file: /config/custom-base.xml license_file: /secret/config/license session: encryption_passphrase_file: /secret/config/passphrase From c4e1d7dc21e55280aad6ea3931325f2cf4d8a445 Mon Sep 17 00:00:00 2001 From: Stefan Dietiker Date: Fri, 22 Jan 2021 16:52:29 +0100 Subject: [PATCH 09/13] FIX: Issue 71 (#72) * FIX: Issue 71 * Automated README generation Co-authored-by: airlockgithubci --- charts/microgateway/README.md | 1 + charts/microgateway/README.md.gotmpl | 1 + 2 files changed, 2 insertions(+) diff --git a/charts/microgateway/README.md b/charts/microgateway/README.md index c22d8c3c..69054bf4 100644 --- a/charts/microgateway/README.md +++ b/charts/microgateway/README.md @@ -619,6 +619,7 @@ In case that multiple hosts are configured, TLS-SNI is used to distinguish what annotations: nginx.ingress.kubernetes.io/rewrite-target: / kubernetes.io/ingress.class: nginx + nginx.ingress.kubernetes.io/backend-protocol: https targetPort: https tls: - secretName: virtinc-tls-secret diff --git a/charts/microgateway/README.md.gotmpl b/charts/microgateway/README.md.gotmpl index 1aff6d05..d9ad45f5 100644 --- a/charts/microgateway/README.md.gotmpl +++ b/charts/microgateway/README.md.gotmpl @@ -520,6 +520,7 @@ In case that multiple hosts are configured, TLS-SNI is used to distinguish what annotations: nginx.ingress.kubernetes.io/rewrite-target: / kubernetes.io/ingress.class: nginx + nginx.ingress.kubernetes.io/backend-protocol: https targetPort: https tls: - secretName: virtinc-tls-secret From 9ff05e101a8c63503561dcdd4618699c109518e6 Mon Sep 17 00:00:00 2001 
From: Roland Weber Date: Wed, 27 Jan 2021 16:32:32 +0100 Subject: [PATCH 10/13] fix ci workflow (#74) * fix version of chart-testing to 1.1.0 * add workflow trigger if workflow has changed * use currently supported k8s versions in the lint action Co-authored-by: Roland Weber --- .github/workflows/ci.yaml | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index adb8173f..6a2ac49d 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -4,6 +4,7 @@ on: pull_request: paths: - 'charts/**' + - '.github/workflows/ci.yaml' jobs: lint-chart: @@ -44,9 +45,9 @@ jobs: strategy: matrix: k8s: - - v1.16.4 - - v1.17.2 - - v1.18.2 + - v1.18.15 + - v1.19.7 + - v1.20.2 steps: - name: Checkout uses: actions/checkout@v1 @@ -66,9 +67,9 @@ jobs: strategy: matrix: k8s: - - v1.16.4 - - v1.17.2 - - v1.18.2 + - v1.18.15 + - v1.19.7 + - v1.20.2 steps: - name: Checkout uses: actions/checkout@v1 @@ -89,7 +90,7 @@ jobs: kubectl describe secret dockersecret --namespace $_v_namespace kubectl describe secret microgatewaysecrets --namespace $_v_namespace - name: Run chart-testing (install) - uses: helm/chart-testing-action@master + uses: helm/chart-testing-action@v1.1.0 with: command: install config: .github/ct.yaml From 4a664f509718bc23361fcce9a66d10057b8b8b2f Mon Sep 17 00:00:00 2001 
From: Stefan Dietiker Date: Fri, 5 Feb 2021 08:37:07 +0100 Subject: [PATCH 11/13] NEW: Allow to configure the LoadBalancerIP and externalTrafficPolicy (#79) * NEW: Allow to configure the LoadBalancerIP and externalTrafficPolicy * Automated README generation * CHG: CI pipeline can be started manually CHG: Timeout for CI tests set from 300 to 480 secs * CHG: Testing values adapted. * CHG: CI testing values. * CHG: CI Workflow optimized. * CHG: CI Workflow optimized. * CHG: Added label release to objects. * CHG: ct.yaml adapted and labels for microgateway reverted. * CHG: ci.yaml adapted. * CHG: ci.yaml * CHG: ci.yaml * CHG: ci.yaml * CHG: ci.yaml * CHG: ci.yaml * CHG: ci.yaml Co-authored-by: airlockgithubci --- .github/ct.yaml | 4 ++-- .github/workflows/ci.yaml | 14 +++----------- charts/microgateway/Chart.yaml | 2 +- charts/microgateway/README.md | 4 +++- charts/microgateway/ci/testing-values.yaml | 2 +- charts/microgateway/templates/service.yaml | 6 ++++++ charts/microgateway/values.yaml | 6 ++++++ 7 files changed, 22 insertions(+), 16 deletions(-) diff --git a/.github/ct.yaml b/.github/ct.yaml index 12c3792a..da789c40 100644 --- a/.github/ct.yaml +++ b/.github/ct.yaml @@ -1,8 +1,8 @@ helm-extra-args: --timeout 300s check-version-increment: false debug: true -namespace: validation-namespace -release-label: release +namespace: default +release-label: app.kubernetes.io/instance chart-repos: - bitnami=https://charts.bitnami.com/bitnami - ealenn=https://ealenn.github.io/charts diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 6a2ac49d..6f72db0b 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -5,6 +5,7 @@ on: paths: - 'charts/**' - '.github/workflows/ci.yaml' + workflow_dispatch: jobs: lint-chart: @@ -58,8 +59,6 @@ jobs: install-chart: name: install-chart runs-on: ubuntu-latest - env: - _v_namespace: validation-namespace needs: - lint-chart - lint-docs 
@@ -80,15 +79,8 @@ jobs: - name: Create Secrets run: | kubectl cluster-info - kubectl get pods -n kube-system - echo "current-context:" $(kubectl config current-context) - kubectl create namespace $_v_namespace - kubectl create secret docker-registry dockersecret --docker-username=${{ secrets.DOCKER_USER }} --docker-password=${{ secrets.DOCKER_USER_TOKEN }} --namespace $_v_namespace - echo "${{ secrets.WAF_LICENSE }}" >> tmplicense.txt - echo "${{ secrets.WAF_PASSPHRASE }}" >> tmppassphrase.txt - kubectl create secret generic microgatewaysecrets --from-file=license=tmplicense.txt --from-file=passphrase=tmppassphrase.txt --namespace $_v_namespace - kubectl describe secret dockersecret --namespace $_v_namespace - kubectl describe secret microgatewaysecrets --namespace $_v_namespace + kubectl create secret docker-registry dockersecret --docker-username=${{ secrets.DOCKER_USER }} --docker-password=${{ secrets.DOCKER_USER_TOKEN }} + kubectl create secret generic microgatewaysecrets --from-literal=license="${{ secrets.WAF_LICENSE }}" --from-literal=passphrase="${{ secrets.WAF_PASSPHRASE }}" - name: Run chart-testing (install) uses: helm/chart-testing-action@v1.1.0 with: diff --git a/charts/microgateway/Chart.yaml b/charts/microgateway/Chart.yaml index cf70f9b5..a747f8af 100644 --- a/charts/microgateway/Chart.yaml +++ b/charts/microgateway/Chart.yaml @@ -14,5 +14,5 @@ maintainers: - email: support@airlock.com name: Airlock name: microgateway -version: 0.6.2 +version: 0.6.3 appVersion: 1.0 diff --git a/charts/microgateway/README.md b/charts/microgateway/README.md index 69054bf4..602dc9e7 100644 --- a/charts/microgateway/README.md +++ b/charts/microgateway/README.md 
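Review bot: The two new `kubectl create secret` lines expand `${{ secrets.WAF_LICENSE }}`, `${{ secrets.WAF_PASSPHRASE }}`, `${{ secrets.DOCKER_USER }}` and `${{ secrets.DOCKER_USER_TOKEN }}` directly into the script text; the expression is substituted before bash runs, so a value containing `"`, `$` or a backtick would break or alter the command, and the values now sit on a process command line instead of the previous temp files. Pass them through the step's `env:` block and reference the variables from the script, which keeps the shell quoting under your control; the rewrite is sketched below. The same hunk recurs unchanged in PATCH 12 further down, so the fix applies there too.
```yaml
      - name: Create Secrets
        env:
          DOCKER_USER: ${{ secrets.DOCKER_USER }}
          DOCKER_USER_TOKEN: ${{ secrets.DOCKER_USER_TOKEN }}
          WAF_LICENSE: ${{ secrets.WAF_LICENSE }}
          WAF_PASSPHRASE: ${{ secrets.WAF_PASSPHRASE }}
        run: |
          kubectl cluster-info
          kubectl create secret docker-registry dockersecret --docker-username="$DOCKER_USER" --docker-password="$DOCKER_USER_TOKEN"
          kubectl create secret generic microgatewaysecrets --from-literal=license="$WAF_LICENSE" --from-literal=passphrase="$WAF_PASSPHRASE"
      # … unchanged: Run chart-testing (install) step …
```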
@@ -6,7 +6,7 @@ It is the lightweight, container-based deployment form of the *Airlock Gateway*, The Airlock helm charts are used internally for testing the *Airlock Microgateway*. We make them available publicly under the [MIT license](https://github.com/ergon/airlock-helm-charts/blob/master/LICENSE). -The current chart version is: 0.6.2 +The current chart version is: 0.6.3 ## About Ergon *Airlock* is a registered trademark of [Ergon](https://www.ergon.ch). Ergon is a Swiss leader in leveraging digitalisation to create unique and effective client benefits, from conception to market, the result of which is the international distribution of globally revered products. @@ -177,7 +177,9 @@ The following table lists configuration parameters of the Airlock Microgateway c | route.tls.termination | string | `"reencrypt"` | Termination of the route (`edge`, `reencrypt`, `passthrough`). | | securityContext | object | `{}` | [Security context for a container](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container). | | service.annotations | object | `{}` | Annotations to set on the service. | +| service.externalTrafficPolicy | string | `Local` if `service.type=LoadBalancer` | [externalTrafficPolicy](https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip) | | service.labels | object | `{}` | Additional labels to add on the service. | +| service.loadBalancerIP | string | "" if `service.type=LoadBalancer` | [loadBalancerIP](https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer) | | service.port | int | `80` | Service port | | service.tlsPort | int | `443` | Service TLS port | | service.type | string | `"ClusterIP"` | [Service type](https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types) | 
diff --git a/charts/microgateway/ci/testing-values.yaml b/charts/microgateway/ci/testing-values.yaml index c3f8842e..15e26923 100644 --- a/charts/microgateway/ci/testing-values.yaml +++ b/charts/microgateway/ci/testing-values.yaml @@ -8,4 +8,4 @@ redis: echo-server: enabled: true ingress: - enabled: true + enabled: true \ No newline at end of file diff --git a/charts/microgateway/templates/service.yaml b/charts/microgateway/templates/service.yaml index af6ef91b..ed56daa8 100644 --- a/charts/microgateway/templates/service.yaml +++ b/charts/microgateway/templates/service.yaml @@ -20,5 +20,11 @@ spec: - port: {{ .Values.service.tlsPort }} targetPort: https name: https + {{- if eq .Values.service.type "LoadBalancer" }} + externalTrafficPolicy: {{ .Values.service.externalTrafficPolicy }} + {{- with .Values.service.loadBalancerIP }} + loadBalancerIP: {{ . }} + {{- end }} + {{- end }} selector: {{- include "microgateway.selectorLabels" . | nindent 4 }} diff --git a/charts/microgateway/values.yaml b/charts/microgateway/values.yaml index 6bea91f7..adb57e2a 100644 --- a/charts/microgateway/values.yaml +++ b/charts/microgateway/values.yaml @@ -157,6 +157,12 @@ securityContext: {} service: # service.type -- [Service type](https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types) type: ClusterIP + # service.externalTrafficPolicy -- [externalTrafficPolicy](https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip) + # @default -- `Local` if `service.type=LoadBalancer` + externalTrafficPolicy: Local + # service.loadBalancerIP -- [loadBalancerIP](https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer) + # @default -- "" if `service.type=LoadBalancer` + loadBalancerIP: # service.port -- Service port port: 80 # service.tlsPort -- Service TLS port From 0970420f5dcc35115c65c146c23d3356345391a3 Mon Sep 17 00:00:00 2001 
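Review bot: In the service.yaml hunk, `externalTrafficPolicy: {{ .Values.service.externalTrafficPolicy }}` is rendered unquoted and unguarded, so a user who empties the value to fall back to the cluster default gets `externalTrafficPolicy:` (YAML null) and an API validation error, whereas `loadBalancerIP` two lines below is correctly wrapped in `with`. Quote and guard it the same way: `{{- with .Values.service.externalTrafficPolicy }}` / `externalTrafficPolicy: {{ . | quote }}` / `{{- end }}`. The policy is also only emitted for `type: LoadBalancer` although Kubernetes accepts it for `NodePort`; a comment on the `if` stating that this is deliberate would help.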
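Review bot: In the values.yaml hunk, `loadBalancerIP:` is left as a bare empty value, which YAML parses as null rather than the `""` that the `@default` comment above it promises; write `loadBalancerIP: ""` so the documented default, the rendered value and yamllint's empty-values check agree. `externalTrafficPolicy: Local` preserves the client source IP but balances only across nodes that run a pod; the `@default` line documents when it applies but not this trade-off, and a one-line comment stating why source-IP preservation is the chosen default would help operators decide whether to override it.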
From: Stefan Dietiker Date: Fri, 5 Feb 2021 08:37:07 +0100 Subject: [PATCH 12/13] * NEW: Allow to configure the LoadBalancerIP and externalTrafficPolicy * CHG: CI Workflow optimized. Co-authored-by: airlockgithubci --- .github/ct.yaml | 4 ++-- .github/workflows/ci.yaml | 14 +++----------- charts/microgateway/Chart.yaml | 2 +- charts/microgateway/README.md | 4 +++- charts/microgateway/ci/testing-values.yaml | 2 +- charts/microgateway/templates/service.yaml | 6 ++++++ charts/microgateway/values.yaml | 6 ++++++ 7 files changed, 22 insertions(+), 16 deletions(-) diff --git a/.github/ct.yaml b/.github/ct.yaml index 12c3792a..da789c40 100644 --- a/.github/ct.yaml +++ b/.github/ct.yaml @@ -1,8 +1,8 @@ helm-extra-args: --timeout 300s check-version-increment: false debug: true -namespace: validation-namespace -release-label: release +namespace: default +release-label: app.kubernetes.io/instance chart-repos: - bitnami=https://charts.bitnami.com/bitnami - ealenn=https://ealenn.github.io/charts diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 6a2ac49d..6f72db0b 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -5,6 +5,7 @@ on: paths: - 'charts/**' - '.github/workflows/ci.yaml' + workflow_dispatch: jobs: lint-chart: @@ -58,8 +59,6 @@ jobs: install-chart: name: install-chart runs-on: ubuntu-latest - env: - _v_namespace: validation-namespace needs: - lint-chart - lint-docs 
@@ -80,15 +79,8 @@ jobs:
 - name: Create Secrets
 run: |
 kubectl cluster-info
- kubectl get pods -n kube-system
- echo "current-context:" $(kubectl config current-context)
- kubectl create namespace $_v_namespace
- kubectl create secret docker-registry dockersecret --docker-username=${{ secrets.DOCKER_USER }} --docker-password=${{ secrets.DOCKER_USER_TOKEN }} --namespace $_v_namespace
- echo "${{ secrets.WAF_LICENSE }}" >> tmplicense.txt
- echo "${{ secrets.WAF_PASSPHRASE }}" >> tmppassphrase.txt
- kubectl create secret generic microgatewaysecrets --from-file=license=tmplicense.txt --from-file=passphrase=tmppassphrase.txt --namespace $_v_namespace
- kubectl describe secret dockersecret --namespace $_v_namespace
- kubectl describe secret microgatewaysecrets --namespace $_v_namespace
+ kubectl create secret docker-registry dockersecret --docker-username=${{ secrets.DOCKER_USER }} --docker-password=${{ secrets.DOCKER_USER_TOKEN }}
+ kubectl create secret generic microgatewaysecrets --from-literal=license="${{ secrets.WAF_LICENSE }}" --from-literal=passphrase="${{ secrets.WAF_PASSPHRASE }}"
 - name: Run chart-testing (install)
 uses: helm/chart-testing-action@v1.1.0
 with:
diff --git a/charts/microgateway/Chart.yaml b/charts/microgateway/Chart.yaml
index cf70f9b5..a747f8af 100644
--- a/charts/microgateway/Chart.yaml
+++ b/charts/microgateway/Chart.yaml
@@ -14,5 +14,5 @@ maintainers:
 - email: support@airlock.com
 name: Airlock
 name: microgateway
-version: 0.6.2
+version: 0.6.3
 appVersion: 1.0
diff --git a/charts/microgateway/README.md b/charts/microgateway/README.md
index 69054bf4..602dc9e7 100644
--- a/charts/microgateway/README.md
+++ b/charts/microgateway/README.md
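Review bot: The two new `kubectl create secret` lines splice `${{ secrets.* }}` straight into the shell script; the expression is expanded before bash parses the line, so a `$`, backtick, backslash or `"` inside a secret value — plausible for a multi-line licence or a passphrase now that the file-based `--from-file` path is gone — is interpreted by the shell instead of being stored verbatim. Routing the four values through `env:` and referencing them as quoted shell variables stores them byte-for-byte and is the documented practice for secrets in `run:` steps. The same two lines reappear as unchanged context in the last patch on this page and would carry the fix over; `_v_namespace` was dropped correctly since ct.yaml now targets `default`.
```yaml
      - name: Create Secrets
        env:
          DOCKER_USER: ${{ secrets.DOCKER_USER }}
          DOCKER_USER_TOKEN: ${{ secrets.DOCKER_USER_TOKEN }}
          WAF_LICENSE: ${{ secrets.WAF_LICENSE }}
          WAF_PASSPHRASE: ${{ secrets.WAF_PASSPHRASE }}
        run: |
          kubectl cluster-info
          kubectl create secret docker-registry dockersecret --docker-username="$DOCKER_USER" --docker-password="$DOCKER_USER_TOKEN"
          kubectl create secret generic microgatewaysecrets --from-literal=license="$WAF_LICENSE" --from-literal=passphrase="$WAF_PASSPHRASE"
      # … unchanged: Run chart-testing (install) step …
```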
@@ -6,7 +6,7 @@ It is the lightweight, container-based deployment form of the *Airlock Gateway*, The Airlock helm charts are used internally for testing the *Airlock Microgateway*. We make them available publicly under the [MIT license](https://github.com/ergon/airlock-helm-charts/blob/master/LICENSE). -The current chart version is: 0.6.2 +The current chart version is: 0.6.3 ## About Ergon *Airlock* is a registered trademark of [Ergon](https://www.ergon.ch). Ergon is a Swiss leader in leveraging digitalisation to create unique and effective client benefits, from conception to market, the result of which is the international distribution of globally revered products. @@ -177,7 +177,9 @@ The following table lists configuration parameters of the Airlock Microgateway c | route.tls.termination | string | `"reencrypt"` | Termination of the route (`edge`, `reencrypt`, `passthrough`). | | securityContext | object | `{}` | [Security context for a container](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container). | | service.annotations | object | `{}` | Annotations to set on the service. | +| service.externalTrafficPolicy | string | `Local` if `service.type=LoadBalancer` | [externalTrafficPolicy](https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip) | | service.labels | object | `{}` | Additional labels to add on the service. | +| service.loadBalancerIP | string | "" if `service.type=LoadBalancer` | [loadBalancerIP](https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer) | | service.port | int | `80` | Service port | | service.tlsPort | int | `443` | Service TLS port | | service.type | string | `"ClusterIP"` | [Service type](https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types) | 
diff --git a/charts/microgateway/ci/testing-values.yaml b/charts/microgateway/ci/testing-values.yaml
index c3f8842e..15e26923 100644
--- a/charts/microgateway/ci/testing-values.yaml
+++ b/charts/microgateway/ci/testing-values.yaml
@@ -8,4 +8,4 @@ redis:
 echo-server:
 enabled: true
 ingress:
- enabled: true
+ enabled: true
\ No newline at end of file
diff --git a/charts/microgateway/templates/service.yaml b/charts/microgateway/templates/service.yaml
index af6ef91b..ed56daa8 100644
--- a/charts/microgateway/templates/service.yaml
+++ b/charts/microgateway/templates/service.yaml
@@ -20,5 +20,11 @@ spec:
 - port: {{ .Values.service.tlsPort }}
 targetPort: https
 name: https
+ {{- if eq .Values.service.type "LoadBalancer" }}
+ externalTrafficPolicy: {{ .Values.service.externalTrafficPolicy }}
+ {{- with .Values.service.loadBalancerIP }}
+ loadBalancerIP: {{ . }}
+ {{- end }}
+ {{- end }}
 selector:
 {{- include "microgateway.selectorLabels" . | nindent 4 }}
diff --git a/charts/microgateway/values.yaml b/charts/microgateway/values.yaml
index 6bea91f7..adb57e2a 100644
--- a/charts/microgateway/values.yaml
+++ b/charts/microgateway/values.yaml
@@ -157,6 +157,12 @@ securityContext: {}
 service:
 # service.type -- [Service type](https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types)
 type: ClusterIP
+ # service.externalTrafficPolicy -- [externalTrafficPolicy](https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip)
+ # @default -- `Local` if `service.type=LoadBalancer`
+ externalTrafficPolicy: Local
+ # service.loadBalancerIP -- [loadBalancerIP](https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer)
+ # @default -- "" if `service.type=LoadBalancer`
+ loadBalancerIP:
 # service.port -- Service port
 port: 80
 # service.tlsPort -- Service TLS port
From 410f412ab0c334af86aaf0bc45fc6922daba9d3d Mon Sep 17 00:00:00 2001
From: Roland Weber Date: Mon, 8 Feb 2021 08:33:31 +0100 Subject: [PATCH 13/13] use latest version of chart testing action (#80) * CHG: Workflow - Use latest version of chart testing action * FIX: Workflow - Kubeval step * FIX: Workflow - Chart directory for lint * FIX: Workflow - lint error * FIX: Workflow - AppVersion in Chart.yaml (lint finding) --- .github/ct.yaml | 3 +- .github/workflows/ci.yaml | 40 +++++++++------------- charts/microgateway/Chart.yaml | 2 +- charts/microgateway/ci/testing-values.yaml | 2 +- 4 files changed, 21 insertions(+), 26 deletions(-) diff --git a/.github/ct.yaml b/.github/ct.yaml index da789c40..5321f5b5 100644 --- a/.github/ct.yaml +++ b/.github/ct.yaml @@ -1,8 +1,9 @@ helm-extra-args: --timeout 300s check-version-increment: false +charts: charts/microgateway debug: true namespace: default release-label: app.kubernetes.io/instance -chart-repos: +chart-repos: - bitnami=https://charts.bitnami.com/bitnami - ealenn=https://ealenn.github.io/charts diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 6f72db0b..64fbb304 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -8,22 +8,11 @@ on: workflow_dispatch: jobs: - lint-chart: + generate-docs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v1 - - name: Run chart-testing (lint) - uses: helm/chart-testing-action@master - with: - command: lint - config: .github/ct.yaml - lint-docs: - runs-on: ubuntu-latest - needs: lint-chart - steps: - - name: Checkout - uses: actions/checkout@v1 + uses: actions/checkout@v2 - name: Install helm-docs run: .github/helm-docs-install.sh env: @@ -41,8 +30,7 @@ jobs: kubeval-chart: runs-on: ubuntu-latest needs: - - lint-chart - - lint-docs + - generate-docs strategy: matrix: k8s: @@ -60,8 +48,6 @@ jobs: name: install-chart runs-on: ubuntu-latest needs: - - lint-chart - - lint-docs - kubeval-chart strategy: matrix: 
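Review bot: `uses: actions/checkout@v2` pins the action to a mutable tag, and the next hunk of the same file does the same for `azure/setup-helm@v1`, `actions/setup-python@v2`, `helm/chart-testing-action@v2.0.1` and `helm/kind-action@v1.0.0`. This workflow later hands `secrets.DOCKER_USER_TOKEN`, the WAF licence and passphrase to the `install-chart` job, so a re-pointed tag would execute third-party code with those values in reach; pinning each `uses:` to the full commit SHA with the tag kept as a trailing comment, e.g. `uses: actions/checkout@<full-commit-sha>  # v2`, makes the dependency immutable and still readable. This is the standard hardening recommendation for third-party actions and applies equally to the removed `@master` references this commit already replaces.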
@@ -71,9 +57,20 @@ jobs:
 - v1.20.2
 steps:
 - name: Checkout
- uses: actions/checkout@v1
+ uses: actions/checkout@v2
+ - name: Set up Helm
+ uses: azure/setup-helm@v1
+ with:
+ version: v3.4.0
+ - uses: actions/setup-python@v2
+ with:
+ python-version: 3.7
+ - name: Set up chart-testing
+ uses: helm/chart-testing-action@v2.0.1
+ - name: Run chart-testing (lint)
+ run: ct lint --config .github/ct.yaml
 - name: Create kind ${{ matrix.k8s }} cluster
- uses: helm/kind-action@master
+ uses: helm/kind-action@v1.0.0
 with:
 node_image: kindest/node:${{ matrix.k8s }}
 - name: Create Secrets
@@ -82,7 +79,4 @@ jobs:
 kubectl create secret docker-registry dockersecret --docker-username=${{ secrets.DOCKER_USER }} --docker-password=${{ secrets.DOCKER_USER_TOKEN }}
 kubectl create secret generic microgatewaysecrets --from-literal=license="${{ secrets.WAF_LICENSE }}" --from-literal=passphrase="${{ secrets.WAF_PASSPHRASE }}"
 - name: Run chart-testing (install)
- uses: helm/chart-testing-action@v1.1.0
- with:
- command: install
- config: .github/ct.yaml
+ run: ct install --config .github/ct.yaml
diff --git a/charts/microgateway/Chart.yaml b/charts/microgateway/Chart.yaml
index a747f8af..ef32ba3d 100644
--- a/charts/microgateway/Chart.yaml
+++ b/charts/microgateway/Chart.yaml
@@ -15,4 +15,4 @@ maintainers:
 name: Airlock
 name: microgateway
 version: 0.6.3
-appVersion: 1.0
+appVersion: "1.0"
diff --git a/charts/microgateway/ci/testing-values.yaml b/charts/microgateway/ci/testing-values.yaml
index 15e26923..c3f8842e 100644
--- a/charts/microgateway/ci/testing-values.yaml
+++ b/charts/microgateway/ci/testing-values.yaml
@@ -8,4 +8,4 @@ redis:
 echo-server:
 enabled: true
 ingress:
- enabled: true
\ No newline at end of file
+ enabled: true
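Review bot: `python-version: 3.7` is an unquoted float; it happens to round-trip here, but the same pattern silently turns `3.10` into `3.1`, which is exactly the trap this commit fixes for `appVersion: "1.0"` in Chart.yaml, so write `python-version: "3.7"` for consistency with the quoted `version: v3.4.0` style. The new `ct lint` step now lives inside the `install-chart` matrix job, so it appears to run once per Kubernetes version in the matrix rather than once as the removed `lint-chart` job did; if that repetition is intended, a short comment such as `# lint runs per matrix entry on purpose; ct needs the cluster-less setup below anyway` above the step would stop a later reader from reinstating a separate job.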