From 339b8803e5a142776fef2d423ce1f0de6071b211 Mon Sep 17 00:00:00 2001 From: Roman Willi Date: Tue, 10 Sep 2024 15:26:13 +0200 Subject: [PATCH 1/2] Update to Airlock Microgateway 3.4.12 --- charts/microgateway/Chart.yaml | 6 +- charts/microgateway/README.md | 220 ++++++++++++++++---------------- charts/microgateway/values.yaml | 2 +- 3 files changed, 114 insertions(+), 114 deletions(-) diff --git a/charts/microgateway/Chart.yaml b/charts/microgateway/Chart.yaml index 5a22a4c..d8e0739 100644 --- a/charts/microgateway/Chart.yaml +++ b/charts/microgateway/Chart.yaml @@ -21,12 +21,12 @@ maintainers: - email: support@airlock.com name: Airlock name: microgateway -version: 3.1.11 -appVersion: "3.4.11" +version: 3.1.12 +appVersion: "3.4.12" annotations: artifacthub.io/changes: | - kind: changed - description: Upgrade to Airlock Microgateway 3.4.11 + description: Upgrade to Airlock Microgateway 3.4.12 links: - name: Airlock Microgateway Release Notes url: https://docs.airlock.com/microgateway/3.4/#data/1697129073210.html diff --git a/charts/microgateway/README.md b/charts/microgateway/README.md index 0edd2b1..7abb0ee 100644 --- a/charts/microgateway/README.md +++ b/charts/microgateway/README.md @@ -99,117 +99,117 @@ This chapter provides a simple example to help you get the Airlock Microgateway ## Parameters The following table lists configuration parameters of the Airlock Microgateway chart and the default values. -| Key | Type | Default | Description | -|-----|------|---------|-------------| -| affinity | string | `nil` | Assign custom [affinity rules](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/) (multiline string). | -| annotations | object | `{}` | Additional annotations for the Microgateway Deployment | -| commonLabels | object | `{}` | Labels to add to all resources. | -| config.dsl | object | `{}` | [DSL configuration](#dsl-configuration) Template rendering fails if `config.dslConfigMap` and `config.dsl` are specified. | -| config.dslConfigMap | string | "" | Name of the ConfigMap containing the Microgateway DSL configuration file.
The DSL is expected in a data entry called `config.yaml`.

Template rendering fails if `config.dslConfigMap` and `config.dsl` are specified. | -| config.env | object | "See `config.env.*`" | [DSL Environment Variables](#dsl-environment-variables) | -| config.env.configbuilder | list | `[]` | [DSL Environment Variables](#dsl-environment-variables) | -| config.env.runtime | list | `[]` | [Runtime Environment Variables](#runtime-environment-variables) | -| config.jwks | object | "see `config.jwks.*`" | [Secrets for JWKS services](#jwks-service-secrets) | -| config.jwks.clientCertificateSecretName | string | "" | Name of an existing secret containing:

Certificate: `client.crt`
Private key: `client.key`
CA Certificate: `client-ca.crt`
The files will be available in '/secret/auth/jwks/tls/client/'. | -| config.jwks.localJWKSSecretName | string | "" | Name of an existing secret with a jwks json file. The secret must contain:

JWKS File: `jwks.json`

The JWKS file will be available in '/secret/jwks/jwks.json' for reference in local JWKS service configurations in the DSL. | -| config.jwks.serverCASecretName | string | "" | Name of an existing secret containing:

Server CA Certificate: `server-validation.crt`
The files will be available in '/secret/auth/jwks/tls/server/'. | -| config.license | object | "" | Creates or mounts a secret with an Airlock Microgateway license.
If 'useExistingSecret: false' and no 'license.key' is given, the Airlock Microgateway runs in community mode.
If 'useExistingSecret: false' and the 'license.key' is given, a secret with the license will be created and mounted.
If 'useExistingSecret: true' and 'license.secretName' has a name, the referenced secret will be mounted.
If 'useExistingSecret: true' and 'license.key' is given, the license defined in 'secretName' will be used. | -| config.license.key | string | "" | The Airlock Microgateway license key which will be stored and used in a secret. | -| config.license.secretName | string | "" | Name of an existing secret containing:

license: `license` | -| config.license.useExistingSecret | bool | `false` | Specifies whether a pre-existing secret should be mounted. | -| config.passphrase | object | "" | Passphrase used for encryption.
If 'useExistingSecret: false' and no 'passphrase.value' is given, a random value will be created and stored in a secret.
If 'useExistingSecret: false' and a 'passphrase.value' is given, a secret with the passphrase will be created and mounted.
If 'useExistingSecret: true' and no 'passphrase.secretName' has a name, the referenced secret will be mounted.
If 'useExistingSecret: true' and 'passphrase.value' is given, the passphrase defined in 'secretName' will be used. | -| config.passphrase.secretName | string | "" | Name of an existing secret containing:

passphrase: `passphrase` | -| config.passphrase.useExistingSecret | bool | `false` | Specifies whether a pre-existing secret should be mounted. | -| config.passphrase.value | string | "" | The passhprase which will be stored and used in a secret. | -| config.tlsSecretName | string | "" | Name of an existing secret containing:

_Virtual Host:_
Certificate: `frontend-server.crt`
Private key: `frontend-server.key`
CA: `frontend-server-ca.crt`
:exclamation: Update `route.tls.destinationCACertificate` accordingly.

_Backend:_
Certificate: `backend-client.crt`
Private key: `backend-client.key`
CA: `backend-server-validation-ca.crt` | -| echo-server | object | See `echo-server.*`: | Pre-configured [Echo-Server](#echo-server). | -| echo-server.enabled | bool | `false` | Deploy pre-configured [Echo-Server](#echo-server). | -| extraVolumeMounts | list | `[]` | Add additional volume mounts. | -| extraVolumes | list | `[]` | Add additional volumes. [Volumes](https://kubernetes.io/docs/concepts/storage/volumes/) | -| fullnameOverride | string | `""` | Provide a name to substitute for the full names of resources. | -| hpa | object | See `hpa.*`: | [Horizontal Pod Autoscaler](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/) to scale
Microgateway based on Memory and CPU consumption.

:exclamation: Check [API versioning](https://kubernetes.io/docs/concepts/overview/kubernetes-api/#api-versioning) when using this Beta feature. | -| hpa.enabled | bool | `false` | Deploy a horizontal pod autoscaler. | -| hpa.maxReplicas | int | `10` | Maximum number of Microgateway replicas. | -| hpa.minReplicas | int | `1` | Minimum number of Microgateway replicas. | -| hpa.resource.cpu | int | `50` | Average Microgateway CPU consumption in percentage to scale up/down.

:exclamation: Please set the resource request parameter `resources.cpu` to a value reflecting your actual resource needs if you use autoscaling based on cpu consumption. Otherwise autoscaling will not work as expected. | -| hpa.resource.memory | string | `"3Gi"` | Average Microgateway Memory consumption to scale up/down.

:exclamation: Update this setting depending on your `resources.limits.memory` setting. | -| image.pullPolicy | string | `"IfNotPresent"` | Pull policy (`Always`, `IfNotPresent`, `Never`) | -| image.repository | object | "See `image.repository.*`" | Image repositories for the Airlock Microgateway. | +| Key | Type | Default | Description | +|-----|------|--------------------------------------------------------|-------------| +| affinity | string | `nil` | Assign custom [affinity rules](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/) (multiline string). | +| annotations | object | `{}` | Additional annotations for the Microgateway Deployment | +| commonLabels | object | `{}` | Labels to add to all resources. | +| config.dsl | object | `{}` | [DSL configuration](#dsl-configuration) Template rendering fails if `config.dslConfigMap` and `config.dsl` are specified. | +| config.dslConfigMap | string | "" | Name of the ConfigMap containing the Microgateway DSL configuration file.
The DSL is expected in a data entry called `config.yaml`.

Template rendering fails if `config.dslConfigMap` and `config.dsl` are specified. | +| config.env | object | "See `config.env.*`" | [DSL Environment Variables](#dsl-environment-variables) | +| config.env.configbuilder | list | `[]` | [DSL Environment Variables](#dsl-environment-variables) | +| config.env.runtime | list | `[]` | [Runtime Environment Variables](#runtime-environment-variables) | +| config.jwks | object | "see `config.jwks.*`" | [Secrets for JWKS services](#jwks-service-secrets) | +| config.jwks.clientCertificateSecretName | string | "" | Name of an existing secret containing:

Certificate: `client.crt`
Private key: `client.key`
CA Certificate: `client-ca.crt`
The files will be available in '/secret/auth/jwks/tls/client/'. | +| config.jwks.localJWKSSecretName | string | "" | Name of an existing secret with a jwks json file. The secret must contain:

JWKS File: `jwks.json`

The JWKS file will be available in '/secret/jwks/jwks.json' for reference in local JWKS service configurations in the DSL. | +| config.jwks.serverCASecretName | string | "" | Name of an existing secret containing:

Server CA Certificate: `server-validation.crt`
The files will be available in '/secret/auth/jwks/tls/server/'. | +| config.license | object | "" | Creates or mounts a secret with an Airlock Microgateway license.
If 'useExistingSecret: false' and no 'license.key' is given, the Airlock Microgateway runs in community mode.
If 'useExistingSecret: false' and the 'license.key' is given, a secret with the license will be created and mounted.
If 'useExistingSecret: true' and 'license.secretName' has a name, the referenced secret will be mounted.
If 'useExistingSecret: true' and 'license.key' is given, the license defined in 'secretName' will be used. | +| config.license.key | string | "" | The Airlock Microgateway license key which will be stored and used in a secret. | +| config.license.secretName | string | "" | Name of an existing secret containing:

license: `license` | +| config.license.useExistingSecret | bool | `false` | Specifies whether a pre-existing secret should be mounted. | +| config.passphrase | object | "" | Passphrase used for encryption.
If 'useExistingSecret: false' and no 'passphrase.value' is given, a random value will be created and stored in a secret.
If 'useExistingSecret: false' and a 'passphrase.value' is given, a secret with the passphrase will be created and mounted.
If 'useExistingSecret: true' and no 'passphrase.secretName' has a name, the referenced secret will be mounted.
If 'useExistingSecret: true' and 'passphrase.value' is given, the passphrase defined in 'secretName' will be used. | +| config.passphrase.secretName | string | "" | Name of an existing secret containing:

passphrase: `passphrase` | +| config.passphrase.useExistingSecret | bool | `false` | Specifies whether a pre-existing secret should be mounted. | +| config.passphrase.value | string | "" | The passhprase which will be stored and used in a secret. | +| config.tlsSecretName | string | "" | Name of an existing secret containing:

_Virtual Host:_
Certificate: `frontend-server.crt`
Private key: `frontend-server.key`
CA: `frontend-server-ca.crt`
:exclamation: Update `route.tls.destinationCACertificate` accordingly.

_Backend:_
Certificate: `backend-client.crt`
Private key: `backend-client.key`
CA: `backend-server-validation-ca.crt` | +| echo-server | object | See `echo-server.*`: | Pre-configured [Echo-Server](#echo-server). | +| echo-server.enabled | bool | `false` | Deploy pre-configured [Echo-Server](#echo-server). | +| extraVolumeMounts | list | `[]` | Add additional volume mounts. | +| extraVolumes | list | `[]` | Add additional volumes. [Volumes](https://kubernetes.io/docs/concepts/storage/volumes/) | +| fullnameOverride | string | `""` | Provide a name to substitute for the full names of resources. | +| hpa | object | See `hpa.*`: | [Horizontal Pod Autoscaler](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/) to scale
Microgateway based on Memory and CPU consumption.

:exclamation: Check [API versioning](https://kubernetes.io/docs/concepts/overview/kubernetes-api/#api-versioning) when using this Beta feature. | +| hpa.enabled | bool | `false` | Deploy a horizontal pod autoscaler. | +| hpa.maxReplicas | int | `10` | Maximum number of Microgateway replicas. | +| hpa.minReplicas | int | `1` | Minimum number of Microgateway replicas. | +| hpa.resource.cpu | int | `50` | Average Microgateway CPU consumption in percentage to scale up/down.

:exclamation: Please set the resource request parameter `resources.cpu` to a value reflecting your actual resource needs if you use autoscaling based on cpu consumption. Otherwise autoscaling will not work as expected. | +| hpa.resource.memory | string | `"3Gi"` | Average Microgateway Memory consumption to scale up/down.

:exclamation: Update this setting depending on your `resources.limits.memory` setting. | +| image.pullPolicy | string | `"IfNotPresent"` | Pull policy (`Always`, `IfNotPresent`, `Never`) | +| image.repository | object | "See `image.repository.*`" | Image repositories for the Airlock Microgateway. | | image.repository.configbuilder | string | `"docker.io/ergon/airlock-microgateway-configbuilder"` | Image repository for the Airlock Microgateway configbuilder image | -| image.repository.runtime | string | `"docker.io/ergon/airlock-microgateway"` | Image repository for the Airlock Microgateway runtime image | -| image.tag | string | `"3.4.11"` | Image tag for microgateway and configbuilder image | -| imageCredentials | object | See `imageCredentials.*`: | Creates a imagePullSecret with the provided values. | -| imageCredentials.enabled | bool | `false` | Enable the imagePullSecret creation. | -| imageCredentials.password | string | `""` | imagePullSecret password/Token | -| imageCredentials.registry | string | `"https://index.docker.io/v1/"` | imagePullSecret registry | -| imageCredentials.username | string | `""` | imagePullSecret username | -| imagePullSecrets | list | `[]` | Reference to one or more secrets to use when pulling images. | -| ingress | object | See `ingress.*`: | [Kubernetes Ingress](#kubernetes-ingress) | -| ingress.annotations | object | `{"nginx.ingress.kubernetes.io/rewrite-target":"/"}` | Annotations to set on the ingress. | -| ingress.enabled | bool | `false` | Create an ingress object. | -| ingress.hosts | list | `[]` | List of ingress hosts. A rule will be created for every host. Use an empty list to create a wildcard '*' rule. | -| ingress.labels | object | `{}` | Additional labels to add on the Microgateway ingress. | -| ingress.path | string | `"/"` | Path for the ingress. | -| ingress.pathType | string | `"Prefix"` | pathType of the ingress path (used with ingress v1 and higher) | -| ingress.servicePortName | string | `"http"` | Name of the service target port with ingress API version networking.k8s.io/v1 (Kubernetes version >= 1.19) `ingress.servicePortNumber` takes precedence over `ingress.servicePortName` if both are specified. Possible Values are: `http`, `https`. | -| ingress.servicePortNumber | string | `nil` | Number of the service target port with ingress API version networking.k8s.io/v1 (Kubernetes version >= 1.19) `ingress.servicePortNumber` takes precedence over `ingress.servicePortName` if both are specified. | -| ingress.targetPort | string | `"http"` | Target port of the service with ingress API version networking.k8s.io/v1beta1 (Kubernetes version < 1.19) Possible values are: `http`, `https` or ``. | -| ingress.tls | list | `[]` | [Ingress TLS](https://kubernetes.io/docs/concepts/services-networking/ingress/#tls) configuration. | -| initResources | object | See `initResources.*` | Resource requests/limits for the init container.
[Init container resource limits](https://kubernetes.io/docs/concepts/workloads/pods/init-containers/#resources) | -| initResources.limits | object | See `initResources.limits.*` | Resource limits for the init container. | -| initResources.limits.cpu | string | `"1000m"` | CPU limit for the init container. | -| initResources.limits.memory | string | `"512Mi"` | Memory limit for the init container. | -| initResources.requests | object | See `initResources.requests.*` | Resource requests for the init container. | -| initResources.requests.cpu | string | `"30m"` | CPU request for the init container. | -| initResources.requests.memory | string | `"256Mi"` | Memory request for the init container. | -| livenessProbe.enabled | bool | `true` | Enable liveness probes. | -| livenessProbe.failureThreshold | int | `9` | After how many subsequent failures the pod gets restarted. | -| livenessProbe.initialDelaySeconds | int | `90` | Initial delay in seconds. | -| livenessProbe.timeoutSeconds | int | `5` | Timeout of liveness probes, should roughly reflect allowed timeouts from clients. | -| nameOverride | string | `""` | Provide a name in place of `microgateway`. | -| nodeSelector | object | `{}` | Define which nodes the pods are scheduled on. | -| podAnnotations | object | `{}` | Additional annotations for the Microgateway Pod | -| podSecurityContext | object | `{}` | [Security context for the pods](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod). | -| readinessProbe.enabled | bool | `true` | Enable readiness probes. | -| readinessProbe.failureThreshold | int | `3` | After how many tries the pod stops receiving traffic. | -| readinessProbe.initialDelaySeconds | int | `10` | Initial delay in seconds. | -| redis | object | See `redis.*`: | Pre-configured [Redis](#redis) service. | -| redis.enabled | bool | `false` | Deploy pre-configured [Redis](#redis). | -| replicaCount | int | `1` | Desired number of Microgateway pods. | -| resources | object | See `resources.*` | Resource requests/limits for the runtime container.
[Resource limits](https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container)
[Configure Quality of Service for Pods](https://kubernetes.io/docs/tasks/configure-pod-container/quality-service-pod/) | -| resources.limits | object | See `resources.limits.*` | Resource limits for the runtime container. | -| resources.limits.memory | string | `"4048Mi"` | Memory limit for the runtime container. | -| resources.requests | object | See `resources.requests.*` | Resource requests for the Microgateway runtime container. These values most like have to be adjusted depending on specific load and usage profiles.
Please consult [Microgateway resource requirements](https://docs.airlock.com/microgateway/3.4/#data/1581621320714.html) for some ideas about actual Microgateway resource requirements. | -| resources.requests.cpu | string | `"30m"` | CPU request for the runtime container. | -| resources.requests.memory | string | `"256Mi"` | Memory request for the runtime container. | -| route | object | See `route.*`: | [Openshift Route](#openshift-route) | -| route.annotations | object | `{}` | Annotations to set on the route. | -| route.enabled | bool | `false` | Create a route object. | -| route.hosts | list | `["virtinc.com"]` | List of host names.
A route will be created for every host name listed. No route will be created if no hosts are specified. Use an empty string to generate a route without hostname. | -| route.labels | object | `{}` | Additional labels add on the Microgateway route. | -| route.path | string | `"/"` | Path for the route. | -| route.targetPort | string | `"https"` | Target port of the service (`http`, `https` or ``). | -| route.tls.certificate | string | "" | Certificate to be used (multiline string). | -| route.tls.destinationCACertificate | string | Microgateway's default certificate | Validate the Microgateway server certificate against this CA. (multiline string).
:exclamation: Must be configured with termination `reencrypt`. | -| route.tls.enabled | bool | `true` | Enable TLS for the route. | -| route.tls.insecureEdgeTerminationPolicy | string | `"Redirect"` | Define the insecureEdgeTerminationPolicy of the route (`Allow`, `Redirect`, `None`). | -| route.tls.key | string | "" | Private key to be used for certificate (multiline string). | -| route.tls.termination | string | `"reencrypt"` | Termination of the route (`edge`, `reencrypt`, `passthrough`). | -| securityContext | object | `{}` | [Security context for a container](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container). | -| service.annotations | object | `{}` | Annotations to set on the service. | -| service.externalTrafficPolicy | string | `Local` if `service.type=LoadBalancer` | [externalTrafficPolicy](https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip) | -| service.labels | object | `{}` | Additional labels to add on the service. | -| service.loadBalancerIP | string | "" if `service.type=LoadBalancer` | [loadBalancerIP](https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer) | -| service.port | int | `80` | Service port | -| service.tlsPort | int | `443` | Service TLS port | -| service.type | string | `"ClusterIP"` | [Service type](https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types) | -| serviceAccount | object | "See `serviceAccount.*`" | Specifies the service account under which the microgateway will run. A dedicated service account is created and used by default.

If `serviceAccount.create=true` and no `serviceAccount.name` is given, a name is generated using the fullname template.

If `serviceAccount.create=false` and no `serviceAccount.name` is given, the microgateway runs under the default service account. | -| serviceAccount.annotations | object | `{}` | Annotations to set on the service account. | -| serviceAccount.create | bool | `true` | Specifies whether a ServiceAccount should be created | -| serviceAccount.labels | object | `{}` | Additional labels added on the service account. | -| serviceAccount.name | string | `nil` | The name of the ServiceAccount to use.

| -| test_request | string | `"/"` | Request that will be used as a smoketest when 'helm test' is invoked. | -| tolerations | list | `[]` | Tolerations for use with node [taints](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/). | +| image.repository.runtime | string | `"docker.io/ergon/airlock-microgateway"` | Image repository for the Airlock Microgateway runtime image | +| image.tag | string | `"3.4.12"` | Image tag for microgateway and configbuilder image | +| imageCredentials | object | See `imageCredentials.*`: | Creates a imagePullSecret with the provided values. | +| imageCredentials.enabled | bool | `false` | Enable the imagePullSecret creation. | +| imageCredentials.password | string | `""` | imagePullSecret password/Token | +| imageCredentials.registry | string | `"https://index.docker.io/v1/"` | imagePullSecret registry | +| imageCredentials.username | string | `""` | imagePullSecret username | +| imagePullSecrets | list | `[]` | Reference to one or more secrets to use when pulling images. | +| ingress | object | See `ingress.*`: | [Kubernetes Ingress](#kubernetes-ingress) | +| ingress.annotations | object | `{"nginx.ingress.kubernetes.io/rewrite-target":"/"}` | Annotations to set on the ingress. | +| ingress.enabled | bool | `false` | Create an ingress object. | +| ingress.hosts | list | `[]` | List of ingress hosts. A rule will be created for every host. Use an empty list to create a wildcard '*' rule. | +| ingress.labels | object | `{}` | Additional labels to add on the Microgateway ingress. | +| ingress.path | string | `"/"` | Path for the ingress. | +| ingress.pathType | string | `"Prefix"` | pathType of the ingress path (used with ingress v1 and higher) | +| ingress.servicePortName | string | `"http"` | Name of the service target port with ingress API version networking.k8s.io/v1 (Kubernetes version >= 1.19) `ingress.servicePortNumber` takes precedence over `ingress.servicePortName` if both are specified. Possible Values are: `http`, `https`. | +| ingress.servicePortNumber | string | `nil` | Number of the service target port with ingress API version networking.k8s.io/v1 (Kubernetes version >= 1.19) `ingress.servicePortNumber` takes precedence over `ingress.servicePortName` if both are specified. | +| ingress.targetPort | string | `"http"` | Target port of the service with ingress API version networking.k8s.io/v1beta1 (Kubernetes version < 1.19) Possible values are: `http`, `https` or ``. | +| ingress.tls | list | `[]` | [Ingress TLS](https://kubernetes.io/docs/concepts/services-networking/ingress/#tls) configuration. | +| initResources | object | See `initResources.*` | Resource requests/limits for the init container.
[Init container resource limits](https://kubernetes.io/docs/concepts/workloads/pods/init-containers/#resources) | +| initResources.limits | object | See `initResources.limits.*` | Resource limits for the init container. | +| initResources.limits.cpu | string | `"1000m"` | CPU limit for the init container. | +| initResources.limits.memory | string | `"512Mi"` | Memory limit for the init container. | +| initResources.requests | object | See `initResources.requests.*` | Resource requests for the init container. | +| initResources.requests.cpu | string | `"30m"` | CPU request for the init container. | +| initResources.requests.memory | string | `"256Mi"` | Memory request for the init container. | +| livenessProbe.enabled | bool | `true` | Enable liveness probes. | +| livenessProbe.failureThreshold | int | `9` | After how many subsequent failures the pod gets restarted. | +| livenessProbe.initialDelaySeconds | int | `90` | Initial delay in seconds. | +| livenessProbe.timeoutSeconds | int | `5` | Timeout of liveness probes, should roughly reflect allowed timeouts from clients. | +| nameOverride | string | `""` | Provide a name in place of `microgateway`. | +| nodeSelector | object | `{}` | Define which nodes the pods are scheduled on. | +| podAnnotations | object | `{}` | Additional annotations for the Microgateway Pod | +| podSecurityContext | object | `{}` | [Security context for the pods](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod). | +| readinessProbe.enabled | bool | `true` | Enable readiness probes. | +| readinessProbe.failureThreshold | int | `3` | After how many tries the pod stops receiving traffic. | +| readinessProbe.initialDelaySeconds | int | `10` | Initial delay in seconds. | +| redis | object | See `redis.*`: | Pre-configured [Redis](#redis) service. | +| redis.enabled | bool | `false` | Deploy pre-configured [Redis](#redis). | +| replicaCount | int | `1` | Desired number of Microgateway pods. | +| resources | object | See `resources.*` | Resource requests/limits for the runtime container.
[Resource limits](https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container)
[Configure Quality of Service for Pods](https://kubernetes.io/docs/tasks/configure-pod-container/quality-service-pod/) | +| resources.limits | object | See `resources.limits.*` | Resource limits for the runtime container. | +| resources.limits.memory | string | `"4048Mi"` | Memory limit for the runtime container. | +| resources.requests | object | See `resources.requests.*` | Resource requests for the Microgateway runtime container. These values most like have to be adjusted depending on specific load and usage profiles.
Please consult [Microgateway resource requirements](https://docs.airlock.com/microgateway/3.4/#data/1581621320714.html) for some ideas about actual Microgateway resource requirements. | +| resources.requests.cpu | string | `"30m"` | CPU request for the runtime container. | +| resources.requests.memory | string | `"256Mi"` | Memory request for the runtime container. | +| route | object | See `route.*`: | [Openshift Route](#openshift-route) | +| route.annotations | object | `{}` | Annotations to set on the route. | +| route.enabled | bool | `false` | Create a route object. | +| route.hosts | list | `["virtinc.com"]` | List of host names.
A route will be created for every host name listed. No route will be created if no hosts are specified. Use an empty string to generate a route without hostname. | +| route.labels | object | `{}` | Additional labels add on the Microgateway route. | +| route.path | string | `"/"` | Path for the route. | +| route.targetPort | string | `"https"` | Target port of the service (`http`, `https` or ``). | +| route.tls.certificate | string | "" | Certificate to be used (multiline string). | +| route.tls.destinationCACertificate | string | Microgateway's default certificate | Validate the Microgateway server certificate against this CA. (multiline string).
:exclamation: Must be configured with termination `reencrypt`. | +| route.tls.enabled | bool | `true` | Enable TLS for the route. | +| route.tls.insecureEdgeTerminationPolicy | string | `"Redirect"` | Define the insecureEdgeTerminationPolicy of the route (`Allow`, `Redirect`, `None`). | +| route.tls.key | string | "" | Private key to be used for certificate (multiline string). | +| route.tls.termination | string | `"reencrypt"` | Termination of the route (`edge`, `reencrypt`, `passthrough`). | +| securityContext | object | `{}` | [Security context for a container](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container). | +| service.annotations | object | `{}` | Annotations to set on the service. | +| service.externalTrafficPolicy | string | `Local` if `service.type=LoadBalancer` | [externalTrafficPolicy](https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip) | +| service.labels | object | `{}` | Additional labels to add on the service. | +| service.loadBalancerIP | string | "" if `service.type=LoadBalancer` | [loadBalancerIP](https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer) | +| service.port | int | `80` | Service port | +| service.tlsPort | int | `443` | Service TLS port | +| service.type | string | `"ClusterIP"` | [Service type](https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types) | +| serviceAccount | object | "See `serviceAccount.*`" | Specifies the service account under which the microgateway will run. A dedicated service account is created and used by default.

If `serviceAccount.create=true` and no `serviceAccount.name` is given, a name is generated using the fullname template.

If `serviceAccount.create=false` and no `serviceAccount.name` is given, the microgateway runs under the default service account. | +| serviceAccount.annotations | object | `{}` | Annotations to set on the service account. | +| serviceAccount.create | bool | `true` | Specifies whether a ServiceAccount should be created | +| serviceAccount.labels | object | `{}` | Additional labels added on the service account. | +| serviceAccount.name | string | `nil` | The name of the ServiceAccount to use.

| +| test_request | string | `"/"` | Request that will be used as a smoketest when 'helm test' is invoked. | +| tolerations | list | `[]` | Tolerations for use with node [taints](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/). | ## Dependencies The Airlock Microgateway Helm chart has the following optional dependencies, which can be enabled for a smooth start. diff --git a/charts/microgateway/values.yaml b/charts/microgateway/values.yaml index 22f9852..dcf5393 100644 --- a/charts/microgateway/values.yaml +++ b/charts/microgateway/values.yaml @@ -10,7 +10,7 @@ image: # image.repository.configbuilder -- Image repository for the Airlock Microgateway configbuilder image configbuilder: docker.io/ergon/airlock-microgateway-configbuilder # image.tag -- Image tag for microgateway and configbuilder image - tag: "3.4.11" + tag: "3.4.12" # image.pullPolicy -- Pull policy (`Always`, `IfNotPresent`, `Never`) pullPolicy: IfNotPresent From a2a4ba1141ca0ba866dc60bec277bcab8b1baace Mon Sep 17 00:00:00 2001 From: airlockgithubci Date: Tue, 10 Sep 2024 14:31:08 +0000 Subject: [PATCH 2/2] Automated README generation --- charts/microgateway/README.md | 222 +++++++++++++++++----------------- 1 file changed, 111 insertions(+), 111 deletions(-) diff --git a/charts/microgateway/README.md b/charts/microgateway/README.md index 7abb0ee..22c1943 100644 --- a/charts/microgateway/README.md +++ b/charts/microgateway/README.md @@ -2,7 +2,7 @@ Airlock Microgateway helps you to protect your services and APIs from unauthorized or malicious access with little effort. It is a lightweight Web Application Firewall (WAF) and API security gateway designed specifically for use in container environments. -The current chart version is: 3.1.11 +The current chart version is: 3.1.12 ## Table of contents * [Introduction](#introduction) @@ -99,117 +99,117 @@ This chapter provides a simple example to help you get the Airlock Microgateway ## Parameters The following table lists configuration parameters of the Airlock Microgateway chart and the default values. -| Key | Type | Default | Description | -|-----|------|--------------------------------------------------------|-------------| -| affinity | string | `nil` | Assign custom [affinity rules](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/) (multiline string). | -| annotations | object | `{}` | Additional annotations for the Microgateway Deployment | -| commonLabels | object | `{}` | Labels to add to all resources. | -| config.dsl | object | `{}` | [DSL configuration](#dsl-configuration) Template rendering fails if `config.dslConfigMap` and `config.dsl` are specified. | -| config.dslConfigMap | string | "" | Name of the ConfigMap containing the Microgateway DSL configuration file.
The DSL is expected in a data entry called `config.yaml`.

Template rendering fails if `config.dslConfigMap` and `config.dsl` are specified. | -| config.env | object | "See `config.env.*`" | [DSL Environment Variables](#dsl-environment-variables) | -| config.env.configbuilder | list | `[]` | [DSL Environment Variables](#dsl-environment-variables) | -| config.env.runtime | list | `[]` | [Runtime Environment Variables](#runtime-environment-variables) | -| config.jwks | object | "see `config.jwks.*`" | [Secrets for JWKS services](#jwks-service-secrets) | -| config.jwks.clientCertificateSecretName | string | "" | Name of an existing secret containing:

Certificate: `client.crt`
Private key: `client.key`
CA Certificate: `client-ca.crt`
The files will be available in '/secret/auth/jwks/tls/client/'. | -| config.jwks.localJWKSSecretName | string | "" | Name of an existing secret with a jwks json file. The secret must contain:

JWKS File: `jwks.json`

The JWKS file will be available in '/secret/jwks/jwks.json' for reference in local JWKS service configurations in the DSL. | -| config.jwks.serverCASecretName | string | "" | Name of an existing secret containing:

Server CA Certificate: `server-validation.crt`
The files will be available in '/secret/auth/jwks/tls/server/'. | -| config.license | object | "" | Creates or mounts a secret with an Airlock Microgateway license.
If 'useExistingSecret: false' and no 'license.key' is given, the Airlock Microgateway runs in community mode.
If 'useExistingSecret: false' and the 'license.key' is given, a secret with the license will be created and mounted.
If 'useExistingSecret: true' and 'license.secretName' has a name, the referenced secret will be mounted.
If 'useExistingSecret: true' and 'license.key' is given, the license defined in 'secretName' will be used. | -| config.license.key | string | "" | The Airlock Microgateway license key which will be stored and used in a secret. | -| config.license.secretName | string | "" | Name of an existing secret containing:

license: `license` | -| config.license.useExistingSecret | bool | `false` | Specifies whether a pre-existing secret should be mounted. | -| config.passphrase | object | "" | Passphrase used for encryption.
If 'useExistingSecret: false' and no 'passphrase.value' is given, a random value will be created and stored in a secret.
If 'useExistingSecret: false' and a 'passphrase.value' is given, a secret with the passphrase will be created and mounted.
If 'useExistingSecret: true' and no 'passphrase.secretName' has a name, the referenced secret will be mounted.
If 'useExistingSecret: true' and 'passphrase.value' is given, the passphrase defined in 'secretName' will be used. | -| config.passphrase.secretName | string | "" | Name of an existing secret containing:

passphrase: `passphrase` | -| config.passphrase.useExistingSecret | bool | `false` | Specifies whether a pre-existing secret should be mounted. | -| config.passphrase.value | string | "" | The passhprase which will be stored and used in a secret. | -| config.tlsSecretName | string | "" | Name of an existing secret containing:

_Virtual Host:_
Certificate: `frontend-server.crt`
Private key: `frontend-server.key`
CA: `frontend-server-ca.crt`
:exclamation: Update `route.tls.destinationCACertificate` accordingly.

_Backend:_
Certificate: `backend-client.crt`
Private key: `backend-client.key`
CA: `backend-server-validation-ca.crt` | -| echo-server | object | See `echo-server.*`: | Pre-configured [Echo-Server](#echo-server). | -| echo-server.enabled | bool | `false` | Deploy pre-configured [Echo-Server](#echo-server). | -| extraVolumeMounts | list | `[]` | Add additional volume mounts. | -| extraVolumes | list | `[]` | Add additional volumes. [Volumes](https://kubernetes.io/docs/concepts/storage/volumes/) | -| fullnameOverride | string | `""` | Provide a name to substitute for the full names of resources. | -| hpa | object | See `hpa.*`: | [Horizontal Pod Autoscaler](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/) to scale
Microgateway based on Memory and CPU consumption.

:exclamation: Check [API versioning](https://kubernetes.io/docs/concepts/overview/kubernetes-api/#api-versioning) when using this Beta feature. | -| hpa.enabled | bool | `false` | Deploy a horizontal pod autoscaler. | -| hpa.maxReplicas | int | `10` | Maximum number of Microgateway replicas. | -| hpa.minReplicas | int | `1` | Minimum number of Microgateway replicas. | -| hpa.resource.cpu | int | `50` | Average Microgateway CPU consumption in percentage to scale up/down.

:exclamation: Please set the resource request parameter `resources.cpu` to a value reflecting your actual resource needs if you use autoscaling based on cpu consumption. Otherwise autoscaling will not work as expected. | -| hpa.resource.memory | string | `"3Gi"` | Average Microgateway Memory consumption to scale up/down.

:exclamation: Update this setting depending on your `resources.limits.memory` setting. | -| image.pullPolicy | string | `"IfNotPresent"` | Pull policy (`Always`, `IfNotPresent`, `Never`) | -| image.repository | object | "See `image.repository.*`" | Image repositories for the Airlock Microgateway. | +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| affinity | string | `nil` | Assign custom [affinity rules](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/) (multiline string). | +| annotations | object | `{}` | Additional annotations for the Microgateway Deployment | +| commonLabels | object | `{}` | Labels to add to all resources. | +| config.dsl | object | `{}` | [DSL configuration](#dsl-configuration) Template rendering fails if `config.dslConfigMap` and `config.dsl` are specified. | +| config.dslConfigMap | string | "" | Name of the ConfigMap containing the Microgateway DSL configuration file.
The DSL is expected in a data entry called `config.yaml`.

Template rendering fails if `config.dslConfigMap` and `config.dsl` are specified. | +| config.env | object | "See `config.env.*`" | [DSL Environment Variables](#dsl-environment-variables) | +| config.env.configbuilder | list | `[]` | [DSL Environment Variables](#dsl-environment-variables) | +| config.env.runtime | list | `[]` | [Runtime Environment Variables](#runtime-environment-variables) | +| config.jwks | object | "see `config.jwks.*`" | [Secrets for JWKS services](#jwks-service-secrets) | +| config.jwks.clientCertificateSecretName | string | "" | Name of an existing secret containing:

Certificate: `client.crt`
Private key: `client.key`
CA Certificate: `client-ca.crt`
The files will be available in '/secret/auth/jwks/tls/client/'. | +| config.jwks.localJWKSSecretName | string | "" | Name of an existing secret with a jwks json file. The secret must contain:

JWKS File: `jwks.json`

The JWKS file will be available in '/secret/jwks/jwks.json' for reference in local JWKS service configurations in the DSL. | +| config.jwks.serverCASecretName | string | "" | Name of an existing secret containing:

Server CA Certificate: `server-validation.crt`
The files will be available in '/secret/auth/jwks/tls/server/'. | +| config.license | object | "" | Creates or mounts a secret with an Airlock Microgateway license.
If 'useExistingSecret: false' and no 'license.key' is given, the Airlock Microgateway runs in community mode.
If 'useExistingSecret: false' and the 'license.key' is given, a secret with the license will be created and mounted.
If 'useExistingSecret: true' and 'license.secretName' has a name, the referenced secret will be mounted.
If 'useExistingSecret: true' and 'license.key' is given, the license defined in 'secretName' will be used. | +| config.license.key | string | "" | The Airlock Microgateway license key which will be stored and used in a secret. | +| config.license.secretName | string | "" | Name of an existing secret containing:

license: `license` | +| config.license.useExistingSecret | bool | `false` | Specifies whether a pre-existing secret should be mounted. | +| config.passphrase | object | "" | Passphrase used for encryption.
If 'useExistingSecret: false' and no 'passphrase.value' is given, a random value will be created and stored in a secret.
If 'useExistingSecret: false' and a 'passphrase.value' is given, a secret with the passphrase will be created and mounted.
If 'useExistingSecret: true' and no 'passphrase.secretName' has a name, the referenced secret will be mounted.
If 'useExistingSecret: true' and 'passphrase.value' is given, the passphrase defined in 'secretName' will be used. | +| config.passphrase.secretName | string | "" | Name of an existing secret containing:

passphrase: `passphrase` | +| config.passphrase.useExistingSecret | bool | `false` | Specifies whether a pre-existing secret should be mounted. | +| config.passphrase.value | string | "" | The passhprase which will be stored and used in a secret. | +| config.tlsSecretName | string | "" | Name of an existing secret containing:

_Virtual Host:_
Certificate: `frontend-server.crt`
Private key: `frontend-server.key`
CA: `frontend-server-ca.crt`
:exclamation: Update `route.tls.destinationCACertificate` accordingly.

_Backend:_
Certificate: `backend-client.crt`
Private key: `backend-client.key`
CA: `backend-server-validation-ca.crt` | +| echo-server | object | See `echo-server.*`: | Pre-configured [Echo-Server](#echo-server). | +| echo-server.enabled | bool | `false` | Deploy pre-configured [Echo-Server](#echo-server). | +| extraVolumeMounts | list | `[]` | Add additional volume mounts. | +| extraVolumes | list | `[]` | Add additional volumes. [Volumes](https://kubernetes.io/docs/concepts/storage/volumes/) | +| fullnameOverride | string | `""` | Provide a name to substitute for the full names of resources. | +| hpa | object | See `hpa.*`: | [Horizontal Pod Autoscaler](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/) to scale
Microgateway based on Memory and CPU consumption.

:exclamation: Check [API versioning](https://kubernetes.io/docs/concepts/overview/kubernetes-api/#api-versioning) when using this Beta feature. | +| hpa.enabled | bool | `false` | Deploy a horizontal pod autoscaler. | +| hpa.maxReplicas | int | `10` | Maximum number of Microgateway replicas. | +| hpa.minReplicas | int | `1` | Minimum number of Microgateway replicas. | +| hpa.resource.cpu | int | `50` | Average Microgateway CPU consumption in percentage to scale up/down.

:exclamation: Please set the resource request parameter `resources.cpu` to a value reflecting your actual resource needs if you use autoscaling based on cpu consumption. Otherwise autoscaling will not work as expected. | +| hpa.resource.memory | string | `"3Gi"` | Average Microgateway Memory consumption to scale up/down.

:exclamation: Update this setting depending on your `resources.limits.memory` setting. | +| image.pullPolicy | string | `"IfNotPresent"` | Pull policy (`Always`, `IfNotPresent`, `Never`) | +| image.repository | object | "See `image.repository.*`" | Image repositories for the Airlock Microgateway. | | image.repository.configbuilder | string | `"docker.io/ergon/airlock-microgateway-configbuilder"` | Image repository for the Airlock Microgateway configbuilder image | -| image.repository.runtime | string | `"docker.io/ergon/airlock-microgateway"` | Image repository for the Airlock Microgateway runtime image | -| image.tag | string | `"3.4.12"` | Image tag for microgateway and configbuilder image | -| imageCredentials | object | See `imageCredentials.*`: | Creates a imagePullSecret with the provided values. | -| imageCredentials.enabled | bool | `false` | Enable the imagePullSecret creation. | -| imageCredentials.password | string | `""` | imagePullSecret password/Token | -| imageCredentials.registry | string | `"https://index.docker.io/v1/"` | imagePullSecret registry | -| imageCredentials.username | string | `""` | imagePullSecret username | -| imagePullSecrets | list | `[]` | Reference to one or more secrets to use when pulling images. | -| ingress | object | See `ingress.*`: | [Kubernetes Ingress](#kubernetes-ingress) | -| ingress.annotations | object | `{"nginx.ingress.kubernetes.io/rewrite-target":"/"}` | Annotations to set on the ingress. | -| ingress.enabled | bool | `false` | Create an ingress object. | -| ingress.hosts | list | `[]` | List of ingress hosts. A rule will be created for every host. Use an empty list to create a wildcard '*' rule. | -| ingress.labels | object | `{}` | Additional labels to add on the Microgateway ingress. | -| ingress.path | string | `"/"` | Path for the ingress. | -| ingress.pathType | string | `"Prefix"` | pathType of the ingress path (used with ingress v1 and higher) | -| ingress.servicePortName | string | `"http"` | Name of the service target port with ingress API version networking.k8s.io/v1 (Kubernetes version >= 1.19) `ingress.servicePortNumber` takes precedence over `ingress.servicePortName` if both are specified. Possible Values are: `http`, `https`. | -| ingress.servicePortNumber | string | `nil` | Number of the service target port with ingress API version networking.k8s.io/v1 (Kubernetes version >= 1.19) `ingress.servicePortNumber` takes precedence over `ingress.servicePortName` if both are specified. | -| ingress.targetPort | string | `"http"` | Target port of the service with ingress API version networking.k8s.io/v1beta1 (Kubernetes version < 1.19) Possible values are: `http`, `https` or ``. | -| ingress.tls | list | `[]` | [Ingress TLS](https://kubernetes.io/docs/concepts/services-networking/ingress/#tls) configuration. | -| initResources | object | See `initResources.*` | Resource requests/limits for the init container.
[Init container resource limits](https://kubernetes.io/docs/concepts/workloads/pods/init-containers/#resources) | -| initResources.limits | object | See `initResources.limits.*` | Resource limits for the init container. | -| initResources.limits.cpu | string | `"1000m"` | CPU limit for the init container. | -| initResources.limits.memory | string | `"512Mi"` | Memory limit for the init container. | -| initResources.requests | object | See `initResources.requests.*` | Resource requests for the init container. | -| initResources.requests.cpu | string | `"30m"` | CPU request for the init container. | -| initResources.requests.memory | string | `"256Mi"` | Memory request for the init container. | -| livenessProbe.enabled | bool | `true` | Enable liveness probes. | -| livenessProbe.failureThreshold | int | `9` | After how many subsequent failures the pod gets restarted. | -| livenessProbe.initialDelaySeconds | int | `90` | Initial delay in seconds. | -| livenessProbe.timeoutSeconds | int | `5` | Timeout of liveness probes, should roughly reflect allowed timeouts from clients. | -| nameOverride | string | `""` | Provide a name in place of `microgateway`. | -| nodeSelector | object | `{}` | Define which nodes the pods are scheduled on. | -| podAnnotations | object | `{}` | Additional annotations for the Microgateway Pod | -| podSecurityContext | object | `{}` | [Security context for the pods](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod). | -| readinessProbe.enabled | bool | `true` | Enable readiness probes. | -| readinessProbe.failureThreshold | int | `3` | After how many tries the pod stops receiving traffic. | -| readinessProbe.initialDelaySeconds | int | `10` | Initial delay in seconds. | -| redis | object | See `redis.*`: | Pre-configured [Redis](#redis) service. | -| redis.enabled | bool | `false` | Deploy pre-configured [Redis](#redis). | -| replicaCount | int | `1` | Desired number of Microgateway pods. | -| resources | object | See `resources.*` | Resource requests/limits for the runtime container.
[Resource limits](https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container)
[Configure Quality of Service for Pods](https://kubernetes.io/docs/tasks/configure-pod-container/quality-service-pod/) | -| resources.limits | object | See `resources.limits.*` | Resource limits for the runtime container. | -| resources.limits.memory | string | `"4048Mi"` | Memory limit for the runtime container. | -| resources.requests | object | See `resources.requests.*` | Resource requests for the Microgateway runtime container. These values most like have to be adjusted depending on specific load and usage profiles.
Please consult [Microgateway resource requirements](https://docs.airlock.com/microgateway/3.4/#data/1581621320714.html) for some ideas about actual Microgateway resource requirements. | -| resources.requests.cpu | string | `"30m"` | CPU request for the runtime container. | -| resources.requests.memory | string | `"256Mi"` | Memory request for the runtime container. | -| route | object | See `route.*`: | [Openshift Route](#openshift-route) | -| route.annotations | object | `{}` | Annotations to set on the route. | -| route.enabled | bool | `false` | Create a route object. | -| route.hosts | list | `["virtinc.com"]` | List of host names.
A route will be created for every host name listed. No route will be created if no hosts are specified. Use an empty string to generate a route without hostname. | -| route.labels | object | `{}` | Additional labels add on the Microgateway route. | -| route.path | string | `"/"` | Path for the route. | -| route.targetPort | string | `"https"` | Target port of the service (`http`, `https` or ``). | -| route.tls.certificate | string | "" | Certificate to be used (multiline string). | -| route.tls.destinationCACertificate | string | Microgateway's default certificate | Validate the Microgateway server certificate against this CA. (multiline string).
:exclamation: Must be configured with termination `reencrypt`. | -| route.tls.enabled | bool | `true` | Enable TLS for the route. | -| route.tls.insecureEdgeTerminationPolicy | string | `"Redirect"` | Define the insecureEdgeTerminationPolicy of the route (`Allow`, `Redirect`, `None`). | -| route.tls.key | string | "" | Private key to be used for certificate (multiline string). | -| route.tls.termination | string | `"reencrypt"` | Termination of the route (`edge`, `reencrypt`, `passthrough`). | -| securityContext | object | `{}` | [Security context for a container](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container). | -| service.annotations | object | `{}` | Annotations to set on the service. | -| service.externalTrafficPolicy | string | `Local` if `service.type=LoadBalancer` | [externalTrafficPolicy](https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip) | -| service.labels | object | `{}` | Additional labels to add on the service. | -| service.loadBalancerIP | string | "" if `service.type=LoadBalancer` | [loadBalancerIP](https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer) | -| service.port | int | `80` | Service port | -| service.tlsPort | int | `443` | Service TLS port | -| service.type | string | `"ClusterIP"` | [Service type](https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types) | -| serviceAccount | object | "See `serviceAccount.*`" | Specifies the service account under which the microgateway will run. A dedicated service account is created and used by default.

If `serviceAccount.create=true` and no `serviceAccount.name` is given, a name is generated using the fullname template.

If `serviceAccount.create=false` and no `serviceAccount.name` is given, the microgateway runs under the default service account. | -| serviceAccount.annotations | object | `{}` | Annotations to set on the service account. | -| serviceAccount.create | bool | `true` | Specifies whether a ServiceAccount should be created | -| serviceAccount.labels | object | `{}` | Additional labels added on the service account. | -| serviceAccount.name | string | `nil` | The name of the ServiceAccount to use.

| -| test_request | string | `"/"` | Request that will be used as a smoketest when 'helm test' is invoked. | -| tolerations | list | `[]` | Tolerations for use with node [taints](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/). | +| image.repository.runtime | string | `"docker.io/ergon/airlock-microgateway"` | Image repository for the Airlock Microgateway runtime image | +| image.tag | string | `"3.4.12"` | Image tag for microgateway and configbuilder image | +| imageCredentials | object | See `imageCredentials.*`: | Creates a imagePullSecret with the provided values. | +| imageCredentials.enabled | bool | `false` | Enable the imagePullSecret creation. | +| imageCredentials.password | string | `""` | imagePullSecret password/Token | +| imageCredentials.registry | string | `"https://index.docker.io/v1/"` | imagePullSecret registry | +| imageCredentials.username | string | `""` | imagePullSecret username | +| imagePullSecrets | list | `[]` | Reference to one or more secrets to use when pulling images. | +| ingress | object | See `ingress.*`: | [Kubernetes Ingress](#kubernetes-ingress) | +| ingress.annotations | object | `{"nginx.ingress.kubernetes.io/rewrite-target":"/"}` | Annotations to set on the ingress. | +| ingress.enabled | bool | `false` | Create an ingress object. | +| ingress.hosts | list | `[]` | List of ingress hosts. A rule will be created for every host. Use an empty list to create a wildcard '*' rule. | +| ingress.labels | object | `{}` | Additional labels to add on the Microgateway ingress. | +| ingress.path | string | `"/"` | Path for the ingress. | +| ingress.pathType | string | `"Prefix"` | pathType of the ingress path (used with ingress v1 and higher) | +| ingress.servicePortName | string | `"http"` | Name of the service target port with ingress API version networking.k8s.io/v1 (Kubernetes version >= 1.19) `ingress.servicePortNumber` takes precedence over `ingress.servicePortName` if both are specified. Possible Values are: `http`, `https`. | +| ingress.servicePortNumber | string | `nil` | Number of the service target port with ingress API version networking.k8s.io/v1 (Kubernetes version >= 1.19) `ingress.servicePortNumber` takes precedence over `ingress.servicePortName` if both are specified. | +| ingress.targetPort | string | `"http"` | Target port of the service with ingress API version networking.k8s.io/v1beta1 (Kubernetes version < 1.19) Possible values are: `http`, `https` or ``. | +| ingress.tls | list | `[]` | [Ingress TLS](https://kubernetes.io/docs/concepts/services-networking/ingress/#tls) configuration. | +| initResources | object | See `initResources.*` | Resource requests/limits for the init container.
[Init container resource limits](https://kubernetes.io/docs/concepts/workloads/pods/init-containers/#resources) | +| initResources.limits | object | See `initResources.limits.*` | Resource limits for the init container. | +| initResources.limits.cpu | string | `"1000m"` | CPU limit for the init container. | +| initResources.limits.memory | string | `"512Mi"` | Memory limit for the init container. | +| initResources.requests | object | See `initResources.requests.*` | Resource requests for the init container. | +| initResources.requests.cpu | string | `"30m"` | CPU request for the init container. | +| initResources.requests.memory | string | `"256Mi"` | Memory request for the init container. | +| livenessProbe.enabled | bool | `true` | Enable liveness probes. | +| livenessProbe.failureThreshold | int | `9` | After how many subsequent failures the pod gets restarted. | +| livenessProbe.initialDelaySeconds | int | `90` | Initial delay in seconds. | +| livenessProbe.timeoutSeconds | int | `5` | Timeout of liveness probes, should roughly reflect allowed timeouts from clients. | +| nameOverride | string | `""` | Provide a name in place of `microgateway`. | +| nodeSelector | object | `{}` | Define which nodes the pods are scheduled on. | +| podAnnotations | object | `{}` | Additional annotations for the Microgateway Pod | +| podSecurityContext | object | `{}` | [Security context for the pods](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod). | +| readinessProbe.enabled | bool | `true` | Enable readiness probes. | +| readinessProbe.failureThreshold | int | `3` | After how many tries the pod stops receiving traffic. | +| readinessProbe.initialDelaySeconds | int | `10` | Initial delay in seconds. | +| redis | object | See `redis.*`: | Pre-configured [Redis](#redis) service. | +| redis.enabled | bool | `false` | Deploy pre-configured [Redis](#redis). | +| replicaCount | int | `1` | Desired number of Microgateway pods. | +| resources | object | See `resources.*` | Resource requests/limits for the runtime container.
[Resource limits](https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container)
[Configure Quality of Service for Pods](https://kubernetes.io/docs/tasks/configure-pod-container/quality-service-pod/) | +| resources.limits | object | See `resources.limits.*` | Resource limits for the runtime container. | +| resources.limits.memory | string | `"4048Mi"` | Memory limit for the runtime container. | +| resources.requests | object | See `resources.requests.*` | Resource requests for the Microgateway runtime container. These values most like have to be adjusted depending on specific load and usage profiles.
Please consult [Microgateway resource requirements](https://docs.airlock.com/microgateway/3.4/#data/1581621320714.html) for some ideas about actual Microgateway resource requirements. | +| resources.requests.cpu | string | `"30m"` | CPU request for the runtime container. | +| resources.requests.memory | string | `"256Mi"` | Memory request for the runtime container. | +| route | object | See `route.*`: | [Openshift Route](#openshift-route) | +| route.annotations | object | `{}` | Annotations to set on the route. | +| route.enabled | bool | `false` | Create a route object. | +| route.hosts | list | `["virtinc.com"]` | List of host names.
A route will be created for every host name listed. No route will be created if no hosts are specified. Use an empty string to generate a route without hostname. | +| route.labels | object | `{}` | Additional labels add on the Microgateway route. | +| route.path | string | `"/"` | Path for the route. | +| route.targetPort | string | `"https"` | Target port of the service (`http`, `https` or ``). | +| route.tls.certificate | string | "" | Certificate to be used (multiline string). | +| route.tls.destinationCACertificate | string | Microgateway's default certificate | Validate the Microgateway server certificate against this CA. (multiline string).
:exclamation: Must be configured with termination `reencrypt`. | +| route.tls.enabled | bool | `true` | Enable TLS for the route. | +| route.tls.insecureEdgeTerminationPolicy | string | `"Redirect"` | Define the insecureEdgeTerminationPolicy of the route (`Allow`, `Redirect`, `None`). | +| route.tls.key | string | "" | Private key to be used for certificate (multiline string). | +| route.tls.termination | string | `"reencrypt"` | Termination of the route (`edge`, `reencrypt`, `passthrough`). | +| securityContext | object | `{}` | [Security context for a container](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container). | +| service.annotations | object | `{}` | Annotations to set on the service. | +| service.externalTrafficPolicy | string | `Local` if `service.type=LoadBalancer` | [externalTrafficPolicy](https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip) | +| service.labels | object | `{}` | Additional labels to add on the service. | +| service.loadBalancerIP | string | "" if `service.type=LoadBalancer` | [loadBalancerIP](https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer) | +| service.port | int | `80` | Service port | +| service.tlsPort | int | `443` | Service TLS port | +| service.type | string | `"ClusterIP"` | [Service type](https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types) | +| serviceAccount | object | "See `serviceAccount.*`" | Specifies the service account under which the microgateway will run. A dedicated service account is created and used by default.

If `serviceAccount.create=true` and no `serviceAccount.name` is given, a name is generated using the fullname template.

If `serviceAccount.create=false` and no `serviceAccount.name` is given, the microgateway runs under the default service account. | +| serviceAccount.annotations | object | `{}` | Annotations to set on the service account. | +| serviceAccount.create | bool | `true` | Specifies whether a ServiceAccount should be created | +| serviceAccount.labels | object | `{}` | Additional labels added on the service account. | +| serviceAccount.name | string | `nil` | The name of the ServiceAccount to use.

| +| test_request | string | `"/"` | Request that will be used as a smoketest when 'helm test' is invoked. | +| tolerations | list | `[]` | Tolerations for use with node [taints](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/). | ## Dependencies The Airlock Microgateway Helm chart has the following optional dependencies, which can be enabled for a smooth start.