diff --git a/.env.alfajores b/.env.alfajores
index dec5baa399..d2923c2b74 100644
--- a/.env.alfajores
+++ b/.env.alfajores
@@ -8,14 +8,6 @@ CLUSTER_DOMAIN_NAME="celo-testnet"
TESTNET_PROJECT_NAME="celo-testnet-production"
-AZURE_KOMENCI_EASTUS_AZURE_SUBSCRIPTION_ID=97e2b592-255b-4f92-bce0-127257163c36
-AZURE_KOMENCI_EASTUS_AZURE_TENANT_ID=7cb7628a-e37c-4afb-8332-2029e418980e
-AZURE_KOMENCI_EASTUS_AZURE_REGION_NAME=eus
-
-AZURE_KOMENCI_WESTEU_AZURE_SUBSCRIPTION_ID=97e2b592-255b-4f92-bce0-127257163c36
-AZURE_KOMENCI_WESTEU_AZURE_TENANT_ID=7cb7628a-e37c-4afb-8332-2029e418980e
-AZURE_KOMENCI_WESTEU_AZURE_REGION_NAME=weu
-
BLOCKSCOUT_DOCKER_IMAGE_TAG="0362f9f4d1d4842f27adb634d628f969f53c046d"
# Assign a new value everytime you redeploy blockscout. Or else the deployment will fail due to the
# existing database.
@@ -129,7 +121,7 @@ MOBILE_WALLET_PLAYSTORE_LINK="https://play.google.com/apps/internaltest/47009904
# each context should have its own environment variables, generally of the form
# _*
-CONTEXTS=azure-komenci-eastus,azure-komenci-westeu,azure-oracle-centralus,azure-odis-eastus-1,azure-odis-eastus-2,azure-odis-eastus-3
+CONTEXTS=azure-oracle-centralus,azure-odis-eastus-1,azure-odis-eastus-2,azure-odis-eastus-3
# --- ODIS ---
@@ -240,64 +232,6 @@ AZURE_ODIS_EASTUS_3_PROM_SIDECAR_GCP_PROJECT=celo-phone-number-privacy
AZURE_ODIS_EASTUS_3_PROM_SIDECAR_GCP_REGION=us-east1
AZURE_ODIS_EASTUS_3_PROM_SIDECAR_DISABLED="true"
-# --- Komenci ---
-
-KOMENCI_DOCKER_IMAGE_REPOSITORY="celotestnet.azurecr.io/komenci/komenci"
-KOMENCI_DOCKER_IMAGE_TAG="08081d2d276a6fd0d420805f3bbe3866e866a63a"
-
-AZURE_KOMENCI_EASTUS_AZURE_KUBERNETES_RESOURCE_GROUP=staging-komenci-eastus
-AZURE_KOMENCI_EASTUS_KUBERNETES_CLUSTER_NAME=staging-komenci-eastus
-AZURE_KOMENCI_EASTUS_REGION_NAME=eus
-
-AZURE_KOMENCI_EASTUS_KOMENCI_DB_HOST=staging-komenci-eastus.postgres.database.azure.com
-AZURE_KOMENCI_EASTUS_KOMENCI_DB_PORT=5432
-AZURE_KOMENCI_EASTUS_KOMENCI_DB_USERNAME=postgres@staging-komenci-eastus
-AZURE_KOMENCI_EASTUS_KOMENCI_DB_PASSWORD_VAULT_NAME=staging-komenci-eus
-
-AZURE_KOMENCI_WESTEU_AZURE_KUBERNETES_RESOURCE_GROUP=staging-komenci-weu
-AZURE_KOMENCI_WESTEU_KUBERNETES_CLUSTER_NAME=staging-komenci-weu
-AZURE_KOMENCI_WESTEU_REGION_NAME=weu
-
-AZURE_KOMENCI_WESTEU_KOMENCI_DB_HOST=staging-komenci-weu.postgres.database.azure.com
-AZURE_KOMENCI_WESTEU_KOMENCI_DB_PORT=5432
-AZURE_KOMENCI_WESTEU_KOMENCI_DB_USERNAME=postgres@staging-komenci-weu
-AZURE_KOMENCI_WESTEU_KOMENCI_DB_PASSWORD_VAULT_NAME=staging-komenci-weu
-
-AZURE_KOMENCI_EASTUS_KOMENCI_REWARD_SERVICE_DB_HOST=staging-komenci-weu.postgres.database.azure.com
-AZURE_KOMENCI_EASTUS_KOMENCI_REWARD_SERVICE_DB_PORT=5432
-AZURE_KOMENCI_EASTUS_KOMENCI_REWARD_SERVICE_DB_USERNAME=postgres@staging-komenci-weu
-AZURE_KOMENCI_EASTUS_KOMENCI_REWARD_SERVICE_DB_PASSWORD_VAULT_NAME=staging-komenci-weu
-
-AZURE_KOMENCI_WESTEU_KOMENCI_REWARD_SERVICE_DB_HOST=staging-komenci-weu.postgres.database.azure.com
-AZURE_KOMENCI_WESTEU_KOMENCI_REWARD_SERVICE_DB_PORT=5432
-AZURE_KOMENCI_WESTEU_KOMENCI_REWARD_SERVICE_DB_USERNAME=postgres@staging-komenci-weu
-AZURE_KOMENCI_WESTEU_KOMENCI_REWARD_SERVICE_DB_PASSWORD_VAULT_NAME=staging-komenci-weu
-
-# Secrets
-AZURE_KOMENCI_EASTUS_KOMENCI_APP_SECRETS_VAULT_NAME=staging-komenci-eus
-AZURE_KOMENCI_WESTEU_KOMENCI_APP_SECRETS_VAULT_NAME=staging-komenci-weu
-
-# Rule config > Captcha
-KOMENCI_RULE_CONFIG_CAPTCHA_BYPASS_TOKEN=special-captcha-bypass-token
-AZURE_KOMENCI_EASTUS_KOMENCI_RULE_CONFIG_CAPTCHA_BYPASS_ENABLED=true
-AZURE_KOMENCI_WESTEU_KOMENCI_RULE_CONFIG_CAPTCHA_BYPASS_ENABLED=true
-
-# Format should be a comma-separated sequence of:
-#
::
-AZURE_KOMENCI_EASTUS_KOMENCI_ADDRESS_AZURE_KEY_VAULTS=0x00454cac6dae53f8800f71395b9a174f07a784b1:staging-komenci-eus,0xc6f0f9bfb1aed83620ece3eac0add98a65a8574e:staging-komenci-eus
-AZURE_KOMENCI_WESTEU_KOMENCI_ADDRESS_AZURE_KEY_VAULTS=0x0f812be74511b90ea6b2f80e77bea047e69a0b2a:staging-komenci-weu,0xb354d3d2908ba6a2b791683b0f454a38f69cb282:staging-komenci-weu
-AZURE_KOMENCI_EASTUS_KOMENCI_CELOLABS_REWARDS_ADDRESS_AZURE_KEY_VAULTS=0xb04390478a57e3c2147599d5380434f25fa5234d:staging-komenci-rewards
-AZURE_KOMENCI_WESTEU_KOMENCI_CELOLABS_REWARDS_ADDRESS_AZURE_KEY_VAULTS=0xb04390478a57e3c2147599d5380434f25fa5234d:staging-komenci-rewards
-
-# Celo Rewards
-AZURE_KOMENCI_EASTUS_KOMENCI_REWARD_SERVICE_INSTANCE_COUNT = 1
-AZURE_KOMENCI_WESTEU_KOMENCI_REWARD_SERVICE_INSTANCE_COUNT = 1
-KOMENCI_SHOULD_SEND_REWARDS=true
-
-# Network
-AZURE_KOMENCI_EASTUS_KOMENCI_NETWORK=alfajores
-AZURE_KOMENCI_WESTEU_KOMENCI_NETWORK=alfajores
-
# For WalletConnect relay
WALLET_CONNECT_IMAGE_REPOSITORY = 'us.gcr.io/celo-testnet/walletconnect'
WALLET_CONNECT_IMAGE_TAG = '1472bcaad57e3746498f7a661c42ff5cf9acaf5a'
diff --git a/.env.oracledev b/.env.oracledev
index f9ddf450ab..2cda4367b3 100644
--- a/.env.oracledev
+++ b/.env.oracledev
@@ -5,7 +5,7 @@ ORACLE_UNUSED_ORACLE_ADDRESSES=
# each context should have its own environment variables, generally of the form
# _*
-CONTEXTS=azure-eastus,aws-test,gcp-test,gcp-test-asia
+CONTEXTS=azure-eastus,gcp-test,gcp-test-asia
FORNO_FULL_NODE_CONTEXTS=gcp-test,gcp-test-asia
FORNO_DOMAINS=oracledev-forno.celo-networks-dev.org.
@@ -23,15 +23,8 @@ AZURE_EASTUS_CELOUSD_ORACLE_ADDRESS_AZURE_KEY_VAULTS=0x21860ca3a0a6f7e450b8f24bd
AZURE_EASTUS_FULL_NODES_COUNT=2
AZURE_EASTUS_FULL_NODES_DISK_SIZE=10
-AWS_TEST_AWS_KUBERNETES_CLUSTER_REGION=us-west-2
-AWS_TEST_AWS_KUBERNETES_RESOURCE_GROUP=adorable-monster-1597251246
-AWS_TEST_KUBERNETES_CLUSTER_NAME=adorable-monster-1597251246
# Format should be a comma-separated sequence of:
#
::
-AWS_TEST_CELOUSD_ORACLE_ADDRESS_AWS_KEY_ALIASES=0xf7af8e3f613e5cb210f6f96b46da41fb91338e95:test-ecc-key:eu-central-1,0x3ec7d9e8e13c85b9ed38039d8f9807534f73f713:trevor-test-ecc-key:eu-central-1
-AWS_TEST_FULL_NODES_COUNT=2
-AWS_TEST_FULL_NODES_DISK_SIZE=10
-
GCP_TEST_GCP_PROJECT_NAME=celo-testnet
GCP_TEST_GCP_ZONE=us-west4-a
GCP_TEST_KUBERNETES_CLUSTER_NAME=federated-dev-us-west4-a
diff --git a/.env.rc1 b/.env.rc1
index 3628fd8861..02d0a5574b 100644
--- a/.env.rc1
+++ b/.env.rc1
@@ -13,13 +13,6 @@ CLUSTER_DOMAIN_NAME="celo-testnet"
TESTNET_PROJECT_NAME="celo-testnet-production"
-AZURE_KOMENCI_SOUTHBR_AZURE_SUBSCRIPTION_ID=7a6f5f20-bd43-4267-8c35-a734efca140c
-AZURE_KOMENCI_SOUTHBR_AZURE_TENANT_ID=7cb7628a-e37c-4afb-8332-2029e418980e
-AZURE_KOMENCI_SOUTHBR_AZURE_REGION_NAME=br
-AZURE_KOMENCI_SEA_AZURE_SUBSCRIPTION_ID=7a6f5f20-bd43-4267-8c35-a734efca140c
-AZURE_KOMENCI_SEA_AZURE_TENANT_ID=7cb7628a-e37c-4afb-8332-2029e418980e
-AZURE_KOMENCI_SEA_AZURE_REGION_NAME=sea
-
BLOCKSCOUT_DOCKER_IMAGE_TAG="0362f9f4d1d4842f27adb634d628f969f53c046d"
BLOCKSCOUT_DB_SUFFIX=3
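Review bot: The comment lines `# Format should be a comma-separated sequence of:` and the placeholder line beneath it are kept as context in the second .env.oracledev hunk even though the only entry they described, `AWS_TEST_CELOUSD_ORACLE_ADDRESS_AWS_KEY_ALIASES`, is removed; after the change they sit directly above `GCP_TEST_GCP_PROJECT_NAME=celo-testnet`, a value that does not use that format. Remove both comment lines together with the AWS_TEST block, or move them next to a remaining `*_KEY_VAULTS` entry if that is still the format they are meant to document. The matching comment in .env.alfajores is deleted in this same commit, so leaving it here looks like an oversight rather than intent.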
@@ -63,10 +56,10 @@ GSTORAGE_DATA_BUCKET=celo-chain-backup/mainnet
# ---- Contexts ----
-# A list of every valid context. Must start with one of: gcp,aws,azure
+# A list of every valid context. Must start with one of: gcp,azure
# each context should have its own environment variables, generally of the form
# _*
-CONTEXTS=azure-oracle-westus,azure-oracle-westeurope,azure-oracle-eastus2,gcp-forno-us-west1,gcp-forno-us-east1,gcp-forno-asia-east1,gcp-forno-europe-west1,gcp-forno-southamerica-east1,azure-komenci-southbr,azure-komenci-sea,azure-odis-westus2-a,azure-odis-eastasia-a,azure-odis-westeurope-a,azure-odis-brazilsouth-a,gcp-private-txnodes
+CONTEXTS=azure-oracle-westus,azure-oracle-westeurope,azure-oracle-eastus2,gcp-forno-us-west1,gcp-forno-us-east1,gcp-forno-asia-east1,gcp-forno-europe-west1,gcp-forno-southamerica-east1,azure-odis-westus2-a,azure-odis-eastasia-a,azure-odis-westeurope-a,azure-odis-brazilsouth-a,gcp-private-txnodes
# ---- Oracle Contexts ----
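Review bot: The allowed-prefix comment is corrected to `Must start with one of: gcp,azure` here in .env.rc1, but the `CONTEXTS=` hunks for .env.alfajores and .env.oracledev in this same diff do not touch the comment above their own `CONTEXTS` line, which lies outside those hunks. If those files carry the same `gcp,aws,azure` wording it should be updated in the same commit, since this comment is the only place the accepted context prefixes are documented for whoever edits these env files. Whether the comment is present in the other two files cannot be confirmed from this diff.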
@@ -465,71 +458,6 @@ AZURE_ODIS_BRAZILSOUTH_A_PROM_SIDECAR_GCP_PROJECT=celo-pgpnp-mainnet
AZURE_ODIS_BRAZILSOUTH_A_PROM_SIDECAR_GCP_REGION=southamerica-east1-a
AZURE_ODIS_BRAZILSOUTH_A_PROM_SIDECAR_DISABLED="true"
-# --- Komenci ---
-
-KOMENCI_DOCKER_IMAGE_REPOSITORY="celotestnet.azurecr.io/komenci/komenci"
-KOMENCI_DOCKER_IMAGE_TAG="e220c5610e196a1d674edde0f24be0d5eca30c00"
-
-AZURE_KOMENCI_SOUTHBR_AZURE_KUBERNETES_RESOURCE_GROUP=mainnet-komenci-brazil
-AZURE_KOMENCI_SOUTHBR_KUBERNETES_CLUSTER_NAME=mainnet-komenci-brazil
-
-AZURE_KOMENCI_SOUTHBR_KOMENCI_DB_HOST=mainnet-komenci-brazil.postgres.database.azure.com
-AZURE_KOMENCI_SOUTHBR_KOMENCI_DB_PORT=5432
-AZURE_KOMENCI_SOUTHBR_KOMENCI_DB_USERNAME=postgres@mainnet-komenci-brazil
-AZURE_KOMENCI_SOUTHBR_KOMENCI_DB_PASSWORD_VAULT_NAME=mainnet-komenci-brazil
-
-AZURE_KOMENCI_SEA_AZURE_KUBERNETES_RESOURCE_GROUP=mainnet-komenci-southeastasia
-AZURE_KOMENCI_SEA_KUBERNETES_CLUSTER_NAME=mainnet-komenci-southeastasia
-
-AZURE_KOMENCI_SEA_KOMENCI_DB_HOST=mainnet-komenci-southeastasia.postgres.database.azure.com
-AZURE_KOMENCI_SEA_KOMENCI_DB_PORT=5432
-AZURE_KOMENCI_SEA_KOMENCI_DB_USERNAME=postgres@mainnet-komenci-southeastasia
-AZURE_KOMENCI_SEA_KOMENCI_DB_PASSWORD_VAULT_NAME=mainnet-komenci-sea
-
-AZURE_SEA_KOMENCI_AZURE_KUBERNETES_RESOURCE_GROUP=mainnet-komenci-southeastasia
-AZURE_SEA_KOMENCI_KUBERNETES_CLUSTER_NAME=mainnet-komenci-southeastasia
-
-AZURE_SEA_KOMENCI_DB_HOST=mainnet-komenci-southeastasia.postgres.database.azure.com
-AZURE_SEA_KOMENCI_DB_PORT=5432
-AZURE_SEA_KOMENCI_DB_USERNAME=postgres@mainnet-komenci-southeastasia
-AZURE_SEA_KOMENCI_DB_PASSWORD_VAULT_NAME=mainnet-komenci-sea
-
-AZURE_KOMENCI_SOUTHBR_KOMENCI_REWARD_SERVICE_DB_HOST=mainnet-komenci-brazil.postgres.database.azure.com
-AZURE_KOMENCI_SOUTHBR_KOMENCI_REWARD_SERVICE_DB_PORT=5432
-AZURE_KOMENCI_SOUTHBR_KOMENCI_REWARD_SERVICE_DB_USERNAME=postgres@mainnet-komenci-brazil
-AZURE_KOMENCI_SOUTHBR_KOMENCI_REWARD_SERVICE_DB_PASSWORD_VAULT_NAME=mainnet-komenci-brazil
-
-AZURE_KOMENCI_SEA_KOMENCI_REWARD_SERVICE_DB_HOST=mainnet-komenci-brazil.postgres.database.azure.com
-AZURE_KOMENCI_SEA_KOMENCI_REWARD_SERVICE_DB_PORT=5432
-AZURE_KOMENCI_SEA_KOMENCI_REWARD_SERVICE_DB_USERNAME=postgres@mainnet-komenci-brazil
-AZURE_KOMENCI_SEA_KOMENCI_REWARD_SERVICE_DB_PASSWORD_VAULT_NAME=mainnet-komenci-brazil
-
-# App Secrets
-AZURE_KOMENCI_SOUTHBR_KOMENCI_APP_SECRETS_VAULT_NAME=mainnet-komenci-brazil
-AZURE_KOMENCI_SEA_KOMENCI_APP_SECRETS_VAULT_NAME=mainnet-komenci-sea
-
-# Rule config > Captcha
-KOMENCI_RULE_CONFIG_CAPTCHA_BYPASS_TOKEN=special-captcha-bypass-token
-AZURE_KOMENCI_SOUTHBR_KOMENCI_RULE_CONFIG_CAPTCHA_BYPASS_ENABLED=false
-AZURE_KOMENCI_SEA_KOMENCI_RULE_CONFIG_CAPTCHA_BYPASS_ENABLED=false
-
-# Relayer identities
-# Format should be a comma-separated sequence of:
-#
::
-AZURE_KOMENCI_SOUTHBR_KOMENCI_ADDRESS_AZURE_KEY_VAULTS=0x21888ae301658cdff7ce8c33cdf83a330a5e6273:mainnet-relayer0,0x1438128a2dcc645f0b9706350c1f5dad04845fe6:mainnet-relayer1,0x1e36bf42272a0693eba69332a6f623ce37694a27:mainnet-relayer2,0xd5afaaa7256c9eb86376c4214635dd56dffbd3a8:mainnet-relayer3,0xb09eba8bc1c8bedadd634a8219c0b09042170903:mainnet-relayer4
-AZURE_KOMENCI_SEA_KOMENCI_ADDRESS_AZURE_KEY_VAULTS=0x85a1e716608a84f455d7e07befb76c9b540ac040:mainnet-relayer5,0x2a094e77acf3faebb63279eb60e26d144b9048a2:mainnet-relayer6,0x2f23f9a8f68294a9d6b479c3dbe3dff4de510ced:mainnet-relayer7,0x3db3150c1267d3adeb7f960f3eef11c1dd47a38b:mainnet-relayer8,0xe170915ce32bb8e2ce2a4fcd9113e5298a2e10d2:mainnet-relayer9
-AZURE_KOMENCI_SOUTHBR_KOMENCI_CELOLABS_REWARDS_ADDRESS_AZURE_KEY_VAULTS=0x198e0D8601AB509ABf1B0B99Fd8f234583Ef1309:mainnet-komenci-rewards0
-AZURE_KOMENCI_SEA_KOMENCI_CELOLABS_REWARDS_ADDRESS_AZURE_KEY_VAULTS=0xbDD68B64e288171B37F01346042BEe6Eb7dFAE4f:mainnet-komenci-rewards1
-
-# Celo Rewards
-AZURE_KOMENCI_SOUTHBR_KOMENCI_REWARD_SERVICE_INSTANCE_COUNT=1
-AZURE_KOMENCI_SEA_KOMENCI_REWARD_SERVICE_INSTANCE_COUNT=1
-KOMENCI_SHOULD_SEND_REWARDS=false
-
-# Network
-AZURE_KOMENCI_SOUTHBR_KOMENCI_NETWORK=rc1
-AZURE_KOMENCI_SEA_KOMENCI_NETWORK=rc1
-
# For WalletConnect relay
WALLET_CONNECT_IMAGE_REPOSITORY='us.gcr.io/celo-testnet/walletconnect'
WALLET_CONNECT_IMAGE_TAG='1472bcaad57e3746498f7a661c42ff5cf9acaf5a'
diff --git a/.gitignore b/.gitignore
index e16846bfe9..27019af91b 100644
--- a/.gitignore
+++ b/.gitignore
@@ -96,7 +96,6 @@ packages/docs/_book/
# old packages
packages/reserve-site/*
packages/blockchain-api/*
-packages/komencikit/*
packages/mobile/*
packages/faucet/*
packages/moonpay-auth/*
diff --git a/.vscode/launch.json b/.vscode/launch.json
index f0d42e1317..79c6a7e4ae 100644
--- a/.vscode/launch.json
+++ b/.vscode/launch.json
@@ -48,22 +48,6 @@
"console": "integratedTerminal",
"internalConsoleOptions": "neverOpen",
"port": 9229
- },
- {
- "name": "Debug Komencikit Tests",
- "type": "node",
- "request": "launch",
- "runtimeArgs": [
- "--inspect-brk",
- "${workspaceRoot}/node_modules/.bin/jest",
- "--rootDir",
- "${workspaceFolder}/packages/komencikit",
- "--runInBand",
- "${workspaceFolder}/packages/komencikit/src/kit.spec.ts",
- ],
- "console": "integratedTerminal",
- "internalConsoleOptions": "neverOpen",
- "port": 9229
}
]
}
\ No newline at end of file
diff --git a/packages/celotool/src/cmds/deploy/destroy/komenci.ts b/packages/celotool/src/cmds/deploy/destroy/komenci.ts
deleted file mode 100644
index 85cc44189b..0000000000
--- a/packages/celotool/src/cmds/deploy/destroy/komenci.ts
+++ /dev/null
@@ -1,18 +0,0 @@
-import { addContextMiddleware, ContextArgv, switchToContextCluster } from 'src/lib/context-utils'
-import { exitIfCelotoolHelmDryRun } from 'src/lib/helm_deploy'
-import { removeHelmRelease } from 'src/lib/komenci'
-import { DestroyArgv } from '../destroy'
-
-export const command = 'komenci'
-
-export const describe = 'destroy the komenci package'
-
-type KomenciDestroyArgv = DestroyArgv & ContextArgv
-
-export const builder = addContextMiddleware
-
-export const handler = async (argv: KomenciDestroyArgv) => {
- exitIfCelotoolHelmDryRun()
- await switchToContextCluster(argv.celoEnv, argv.context)
- await removeHelmRelease(argv.celoEnv, argv.context)
-}
diff --git a/packages/celotool/src/cmds/deploy/initial/komenci.ts b/packages/celotool/src/cmds/deploy/initial/komenci.ts
deleted file mode 100644
index a008b1fb55..0000000000
--- a/packages/celotool/src/cmds/deploy/initial/komenci.ts
+++ /dev/null
@@ -1,29 +0,0 @@
-import { InitialArgv } from 'src/cmds/deploy/initial'
-import { addContextMiddleware, ContextArgv, switchToContextCluster } from 'src/lib/context-utils'
-import { exitIfCelotoolHelmDryRun } from 'src/lib/helm_deploy'
-import { installHelmChart } from 'src/lib/komenci'
-import yargs from 'yargs'
-
-export const command = 'komenci'
-
-export const describe = 'deploy the komenci for the specified network'
-
-type KomenciInitialArgv = InitialArgv &
- ContextArgv & {
- useForno: boolean
- }
-
-export const builder = (argv: yargs.Argv) => {
- return addContextMiddleware(argv).option('useForno', {
- description: 'Uses forno for RPCs from the komenci clients',
- default: false,
- type: 'boolean',
- })
-}
-
-export const handler = async (argv: KomenciInitialArgv) => {
- // Do not allow --helmdryrun because komenciIdentityHelmParameters function. It could be refactored to allow
- exitIfCelotoolHelmDryRun()
- await switchToContextCluster(argv.celoEnv, argv.context)
- await installHelmChart(argv.celoEnv, argv.context, argv.useForno)
-}
diff --git a/packages/celotool/src/cmds/deploy/initial/kong.ts b/packages/celotool/src/cmds/deploy/initial/kong.ts
deleted file mode 100644
index daac49b877..0000000000
--- a/packages/celotool/src/cmds/deploy/initial/kong.ts
+++ /dev/null
@@ -1,20 +0,0 @@
-import { InitialArgv } from 'src/cmds/deploy/initial'
-import { switchToClusterFromEnvOrContext } from 'src/lib/cluster'
-import { addContextMiddleware, ContextArgv } from 'src/lib/context-utils'
-import { installKong, installKonga } from 'src/lib/kong'
-
-export const command = 'kong'
-
-export const describe = 'deploy Kong and Konga packages'
-
-export type KongInitialArgv = InitialArgv & ContextArgv
-
-export const builder = (argv: KongInitialArgv) => {
- return addContextMiddleware(argv)
-}
-
-export const handler = async (argv: KongInitialArgv) => {
- await switchToClusterFromEnvOrContext(argv, true)
- await installKong(argv.celoEnv)
- await installKonga(argv.celoEnv)
-}
diff --git a/packages/celotool/src/cmds/deploy/initial/setup-cluster.ts b/packages/celotool/src/cmds/deploy/initial/setup-cluster.ts
deleted file mode 100644
index 187dcc43f3..0000000000
--- a/packages/celotool/src/cmds/deploy/initial/setup-cluster.ts
+++ /dev/null
@@ -1,19 +0,0 @@
-import { switchToClusterFromEnvOrContext } from 'src/lib/cluster'
-import { addContextMiddleware, ContextArgv } from 'src/lib/context-utils'
-import { exitIfCelotoolHelmDryRun } from 'src/lib/helm_deploy'
-import { InitialArgv } from '../initial'
-
-export const command = 'setup-cluster'
-
-export const describe = 'Create K8s cluster and deploy common tools'
-
-export type SetupClusterInitialArgv = InitialArgv & ContextArgv
-
-export const builder = (argv: SetupClusterInitialArgv) => {
- return addContextMiddleware(argv)
-}
-
-export const handler = async (argv: SetupClusterInitialArgv) => {
- exitIfCelotoolHelmDryRun()
- await switchToClusterFromEnvOrContext(argv, false)
-}
diff --git a/packages/celotool/src/cmds/deploy/upgrade/komenci.ts b/packages/celotool/src/cmds/deploy/upgrade/komenci.ts
deleted file mode 100644
index 153505c414..0000000000
--- a/packages/celotool/src/cmds/deploy/upgrade/komenci.ts
+++ /dev/null
@@ -1,29 +0,0 @@
-import { UpgradeArgv } from 'src/cmds/deploy/upgrade'
-import { addContextMiddleware, ContextArgv, switchToContextCluster } from 'src/lib/context-utils'
-import { exitIfCelotoolHelmDryRun } from 'src/lib/helm_deploy'
-import { upgradeKomenciChart } from 'src/lib/komenci'
-import yargs from 'yargs'
-
-export const command = 'komenci'
-
-export const describe = 'upgrade komenci on an AKS cluster'
-
-type OracleUpgradeArgv = UpgradeArgv &
- ContextArgv & {
- useForno: boolean
- }
-
-export const builder = (argv: yargs.Argv) => {
- return addContextMiddleware(argv).option('useForno', {
- description: 'Uses forno for RPCs from the komenci clients',
- default: false,
- type: 'boolean',
- })
-}
-
-export const handler = async (argv: OracleUpgradeArgv) => {
- // Do not allow --helmdryrun because komenciIdentityHelmParameters function. It could be refactored to allow
- exitIfCelotoolHelmDryRun()
- await switchToContextCluster(argv.celoEnv, argv.context)
- await upgradeKomenciChart(argv.celoEnv, argv.context, argv.useForno)
-}
diff --git a/packages/celotool/src/cmds/deploy/upgrade/kong.ts b/packages/celotool/src/cmds/deploy/upgrade/kong.ts
deleted file mode 100644
index 497324c4cd..0000000000
--- a/packages/celotool/src/cmds/deploy/upgrade/kong.ts
+++ /dev/null
@@ -1,20 +0,0 @@
-import { UpgradeArgv } from 'src/cmds/deploy/upgrade'
-import { switchToClusterFromEnvOrContext } from 'src/lib/cluster'
-import { addContextMiddleware, ContextArgv } from 'src/lib/context-utils'
-import { upgradeKong, upgradeKonga } from 'src/lib/kong'
-
-export const command = 'kong'
-
-export const describe = 'upgrade Kong and Konga packages'
-
-export type KongUpgradeArgv = UpgradeArgv & ContextArgv
-
-export const builder = (argv: KongUpgradeArgv) => {
- return addContextMiddleware(argv)
-}
-
-export const handler = async (argv: KongUpgradeArgv) => {
- await switchToClusterFromEnvOrContext(argv, true)
- await upgradeKong(argv.celoEnv)
- await upgradeKonga(argv.celoEnv)
-}
diff --git a/packages/celotool/src/cmds/gcp.ts b/packages/celotool/src/cmds/gcp.ts
deleted file mode 100644
index 438093b2fa..0000000000
--- a/packages/celotool/src/cmds/gcp.ts
+++ /dev/null
@@ -1,7 +0,0 @@
-import yargs from 'yargs'
-
-export const command = 'gcp '
-
-export const describe = 'commands for interacting with GCP'
-
-export const builder = (argv: yargs.Argv) => argv.commandDir('gcp', { extensions: ['ts'] })
diff --git a/packages/celotool/src/cmds/links.ts b/packages/celotool/src/cmds/links.ts
deleted file mode 100644
index 14291bf205..0000000000
--- a/packages/celotool/src/cmds/links.ts
+++ /dev/null
@@ -1,134 +0,0 @@ -import { execCmdWithExitOnFailure } from 'src/lib/cmd-utils' -import { getBlockchainApiUrl, getBlockscoutUrl, getEthstatsUrl } from 'src/lib/endpoints' -import { - addCeloEnvMiddleware, - CeloEnvArgv, - envVar, - fetchEnv, - fetchEnvOrFallback, - getEnvFile, -} from 'src/lib/env-utils' -import { Arguments, Argv } from 'yargs' - -export const command = 'links ' -export const describe = 'commands for various useful links' - -interface LinkArgEnv extends CeloEnvArgv { - open: boolean - explanation: boolean -} - -export const builder = (yargs: Argv) => { - const config = addCeloEnvMiddleware(yargs) - .option('open', { - alias: 'o', - type: 'boolean', - description: 'Whether to open the link automatically', - default: false, - }) - .option('explanation', { - type: 'boolean', - description: 'Whether to print out explanation of the link', - default: true, - }) - .command('all', 'prints out all links', {}, async (rawArgs: Arguments) => { - commands.forEach(async (cmd) => { - const argv = rawArgs as any as LinkArgEnv - const url = cmd.url(argv) - - console.info(`$ celotooljs links ${cmd.command}\n`) - if (argv.explanation) { - console.info(cmd.explanation) - } - - if (argv.open) { - await execCmdWithExitOnFailure(`open "${url}"`) - } - console.info(url) - console.info('') - }) - }) - - return commands.reduce((pYargs: Argv, cmd) => { - return pYargs.command(cmd.command, cmd.description, {}, async (rawArgs: Arguments) => { - const argv = rawArgs as any as LinkArgEnv - const url = cmd.url(argv) - if (argv.explanation) { - console.info(cmd.explanation) - } - - if (argv.open) { - await execCmdWithExitOnFailure(`open "${url}"`) - } - console.info(url) - }) - }, config) -} - -export const handler = () => { - // empty -} - -const commands = [ - { - command: 'k8s-workloads', - description: 'Kubernetes Workloads Page in Google Cloud', - url: (argv: LinkArgEnv) => - `https://console.cloud.google.com/kubernetes/workload?project=${fetchEnv( - 
envVar.TESTNET_PROJECT_NAME - )}&workload_list_tablesize=50&workload_list_tablequery=%255B%257B_22k_22_3A_22is_system_22_2C_22t_22_3A10_2C_22v_22_3A_22_5C_22false_5C_22_22_2C_22s_22_3Atrue%257D_2C%257B_22k_22_3A_22metadata%252Fnamespace_22_2C_22t_22_3A10_2C_22v_22_3A_22_5C_22${ - argv.celoEnv - }_5C_22_22%257D%255D`, - explanation: - 'This links to the Google Cloud Console that lists all the Kubernetes Workloads running in the specified CELO_ENV. That currently includes things like our geth nodes, Blockscout, EthStats, CronJobs that check healthiness of the network etc. This is a good first place to check that workloads are running as we expect', - }, - - { - command: 'geth-logs', - description: 'logs of all geth nodes', - url: (argv: LinkArgEnv) => - `https://console.cloud.google.com/logs/viewer\?interval\=NO_LIMIT\&project\=${fetchEnv( - envVar.TESTNET_PROJECT_NAME - )}\&minLogLevel\=0\&expandAll\=false\&customFacets\=\&limitCustomFacetWidth\=true\&advancedFilter\=resource.type%3D%22container%22%0Aresource.labels.namespace_id%3D%22${ - argv.celoEnv - }%22%0Aresource.labels.container_name%3D%22geth%22`, - explanation: - 'For issues with geth nodes not behaving the way you expect, you can take a look at the logs they output.', - }, - { - command: 'blockscout', - description: 'blockscout, the block explorer', - url: (argv: CeloEnvArgv) => getBlockscoutUrl(argv.celoEnv), - explanation: - 'Blockscout can be useful to take a look at Blocks, Transactions and Token Transfers and they made it onto the blockchain.', - }, - { - command: 'ethstats', - description: 'ethstats', - url: (argv: CeloEnvArgv) => getEthstatsUrl(argv.celoEnv), - explanation: - 'Ethstats gives us quick insight into what the geth nodes are reporting as their peer number, their latest block, etc.', - }, - { - command: 'blockchain-api', - description: 'blockchain-api', - url: (argv: CeloEnvArgv) => getBlockchainApiUrl(argv.celoEnv), - explanation: - 'The blockchain-api exposes a GraphQL Explorer through 
which you can verify some queries the service itself uses', - }, - { - command: '.env', - description: 'the currently applied configuration', - url: (argv: LinkArgEnv) => getEnvFile(argv.celoEnv), - explanation: - 'The path to the .env file that is used with the current specification of CELO_ENV', - }, - { - command: 'mobile-wallet-playstore', - description: 'Mobile Wallet in the Playstore', - url: (_argv: LinkArgEnv) => - fetchEnvOrFallback(envVar.MOBILE_WALLET_PLAYSTORE_LINK, 'No Mobile Wallet link'), - explanation: - "Gives you the link to the playstore page for this environment's mobile wallet app", - }, -] diff --git a/packages/celotool/src/lib/aws.ts b/packages/celotool/src/lib/aws.ts deleted file mode 100644 index 02e611bdc4..0000000000 --- a/packages/celotool/src/lib/aws.ts +++ /dev/null 
@@ -1,172 +0,0 @@ -import { execCmd, execCmdAndParseJson } from './cmd-utils' -import { AwsClusterConfig } from './k8s-cluster/aws' - -export async function getKeyArnFromAlias(alias: string, region: string) { - const fullAliasName = `alias/${alias}` - /** - * Expected output example: - * [ - * { - * "AliasName": "alias/test-ecc-key", - * "AliasArn": "arn:aws:kms:eu-central-1:243983831780:alias/test-ecc-key", - * "TargetKeyId": "1d6db902-9a45-4dd5-bd1e-7250b2306f18" - * } - * ] - */ - const [parsed] = await execCmdAndParseJson( - `aws kms list-aliases --region ${region} --query 'Aliases[?AliasName == \`${fullAliasName}\`]' --output json` - ) - if (!parsed) { - throw Error(`Could not find key with alias ${alias} and region ${region}`) - } - return parsed.AliasArn.replace(fullAliasName, `key/${parsed.TargetKeyId}`) -} - -export function deleteRole(roleName: string) { - return execCmd(`aws iam delete-role --role-name ${roleName}`) -} - -export function detachPolicyIdempotent(roleName: string, policyArn: string) { - return execCmd(`aws iam detach-role-policy --role-name ${roleName} --policy-arn ${policyArn}`) -} - -/** - * Deletes all policy versions and the policy itself - */ -export async function deletePolicy(policyArn: string) { - // First, delete all non-default policy versions - const policyVersions = await getPolicyVersions(policyArn) - await Promise.all( - policyVersions - .filter((version: any) => !version.IsDefaultVersion) // cannot delete the default version - .map((version: any) => deletePolicyVersion(policyArn, version.VersionId)) - ) - return execCmd(`aws iam delete-policy --policy-arn ${policyArn}`) -} - -function deletePolicyVersion(policyArn: string, versionId: string) { - return execCmd( - `aws iam delete-policy-version --policy-arn ${policyArn} --version-id ${versionId}` - ) -} - -async function getPolicyVersions(policyArn: string) { - return execCmdAndParseJson( - `aws iam list-policy-versions --policy-arn ${policyArn} --query 'Versions' --output 
json` - ) -} - -export async function getPolicyArn(policyName: string) { - const [policy] = await execCmdAndParseJson( - `aws iam list-policies --query 'Policies[?PolicyName == \`${policyName}\`]' --output json` - ) - if (!policy) { - return undefined - } - return policy.Arn -} - -/** - * Given a cluster name, finds the NodeInstanceRole that's used by the nodes. - * There's no easy way to query this directly, so this command searches through - * roles and finds the correct one. - */ -export async function getEKSNodeInstanceGroupRoleArn(clusterName: string) { - const existingRoles = await execCmdAndParseJson( - `aws iam list-roles --query 'Roles' --output json` - ) - const potentialRoles = existingRoles.filter((role: any) => { - // The role name doesn't necessarily include the cluster name, but it will include - // 'NodeInstanceRole'. - const re = new RegExp(`.+-NodeInstanceRole-.+`) - return re.test(role.RoleName) - }) - let roleArn: string | undefined - for (const role of potentialRoles) { - const [clusterNameTag] = await execCmdAndParseJson( - `aws iam list-role-tags --role-name ${role.RoleName} --query 'Tags[?Key == \`alpha.eksctl.io/cluster-name\`]'` - ) - if (clusterNameTag && clusterNameTag.Value === clusterName) { - roleArn = role.Arn - break - } - } - if (!roleArn) { - throw Error(`Could not find NodeInstanceRole for cluster ${clusterName}`) - } - return roleArn -} - -export function attachPolicyIdempotent(roleName: string, policyArn: string) { - return execCmd(`aws iam attach-role-policy --role-name ${roleName} --policy-arn ${policyArn}`) -} - -export async function createRoleIdempotent(roleName: string, policyDocumentJson: string) { - const [existing] = await execCmdAndParseJson( - `aws iam list-roles --query 'Roles[?RoleName == \`${roleName}\`]' --output json` - ) - if (existing) { - console.info(`Role ${roleName} exists`) - return existing.Arn - } - console.info(`Creating role ${roleName}`) - const [outputRaw] = await execCmd( - `aws iam create-role 
--role-name ${roleName} --assume-role-policy-document '${policyDocumentJson}' --query 'Role.Arn' --output text` - ) - return outputRaw.trim() -} - -export async function createPolicyIdempotent(policyName: string, policyDocumentJson: string) { - const [existing] = await execCmdAndParseJson( - `aws iam list-policies --query 'Policies[?PolicyName == \`${policyName}\`]' --output json` - ) - if (existing) { - console.info(`Policy ${policyName} exists`) - return existing.Arn - } - console.info(`Creating policy ${policyName}`) - const [output] = await execCmd( - `aws iam create-policy --policy-name ${policyName} --policy-document '${policyDocumentJson}' --query 'Policy.Arn' --output text` - ) - return output.trim() -} - -/** - * A cluster will have a security group that applies to all nodes (ie VMs) in the cluster. - * This returns a description of that security group. - */ -export function getClusterSharedNodeSecurityGroup(clusterConfig: AwsClusterConfig) { - return execCmdAndParseJson( - `aws ec2 describe-security-groups --filters "Name=tag:aws:cloudformation:logical-id,Values=ClusterSharedNodeSecurityGroup" "Name=tag:eksctl.cluster.k8s.io/v1alpha1/cluster-name,Values=${clusterConfig.clusterName}" --query "SecurityGroups[0]" --output json` - ) -} - -/** - * For a given security group, authorizes ingress traffic on a provided port - * for a given protocol and CIDR range. - */ -export function authorizeSecurityGroupIngress( - groupID: string, - port: number, - protocol: string, - cidrRange: string -) { - return execCmd( - `aws ec2 authorize-security-group-ingress --group-id ${groupID} --ip-permissions IpProtocol=${protocol},FromPort=${port},ToPort=${port},IpRanges='[{CidrIp=${cidrRange}}]'` - ) -} - -/** - * For a given security group, revokes authorized ingress traffic on a provided port - * for a given protocol and CIDR range. 
- */
-export function revokeSecurityGroupIngress(
- groupID: string,
- port: number,
- protocol: string,
- cidrRange: string
-) {
- return execCmd(
- `aws ec2 revoke-security-group-ingress --group-id ${groupID} --ip-permissions IpProtocol=${protocol},FromPort=${port},ToPort=${port},IpRanges='[{CidrIp=${cidrRange}}]'`
- )
-}
diff --git a/packages/celotool/src/lib/context-utils.ts b/packages/celotool/src/lib/context-utils.ts
index 2e0c143ded..f14d9eb2c0 100644
--- a/packages/celotool/src/lib/context-utils.ts
+++ b/packages/celotool/src/lib/context-utils.ts
@@ -8,7 +8,6 @@ import {
getDynamicEnvVarValue,
} from './env-utils'
import { AksClusterConfig } from './k8s-cluster/aks'
-import { AwsClusterConfig } from './k8s-cluster/aws'
import { BaseClusterConfig, BaseClusterManager, CloudProvider } from './k8s-cluster/base'
import { GCPClusterConfig } from './k8s-cluster/gcp'
import { getClusterManager } from './k8s-cluster/utils'
@@ -26,17 +25,6 @@ const contextAksClusterConfigDynamicEnvVars: {
regionName: DynamicEnvVar.AZURE_REGION_NAME,
}
-/**
- * Env vars corresponding to each value for the AwsClusterConfig for a particular context
- */
-const contextAwsClusterConfigDynamicEnvVars: {
- [k in keyof Omit]: DynamicEnvVar
-} = {
- clusterName: DynamicEnvVar.KUBERNETES_CLUSTER_NAME,
- clusterRegion: DynamicEnvVar.AWS_CLUSTER_REGION,
- resourceGroupTag: DynamicEnvVar.AWS_RESOURCE_GROUP_TAG,
-}
-
/**
* Env vars corresponding to each value for the GCPClusterConfig for a particular context
*/
@@ -51,7 +39,6 @@ const contextGCPClusterConfigDynamicEnvVars: {
const clusterConfigGetterByCloudProvider: {
[key in CloudProvider]: (context: string) => BaseClusterConfig
} = {
- [CloudProvider.AWS]: getAwsClusterConfig,
[CloudProvider.AZURE]: getAksClusterConfig,
[CloudProvider.GCP]: getGCPClusterConfig,
}
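Review bot: `clusterConfigGetterByCloudProvider` is declared with the mapped type `[key in CloudProvider]`, so dropping the `[CloudProvider.AWS]` entry in the third context-utils.ts hunk compiles only if `CloudProvider.AWS` is also removed from the enum in `./k8s-cluster/base`; that file is not part of this diff, so presumably it is updated elsewhere in the commit, but it is worth confirming, since otherwise the type checker reports the missing property here. If the enum member has to stay for any reason, a comment on the map should state that AWS contexts are no longer supported and what the caller sees for one, rather than leaving the type to imply exhaustive coverage.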
@@ -85,24 +72,7 @@ export function getAksClusterConfig(context: string): AksClusterConfig {
/**
* Fetches the env vars for a particular context
* @param context the context to use
- * @return an AwsClusterConfig for the context
- */
-export function getAwsClusterConfig(context: string): AwsClusterConfig {
- const awsDynamicEnvVars = getContextDynamicEnvVarValues(
- contextAwsClusterConfigDynamicEnvVars,
- context
- )
- const clusterConfig: AwsClusterConfig = {
- cloudProvider: CloudProvider.AZURE,
- ...awsDynamicEnvVars,
- }
- return clusterConfig
-}
-
-/**
- * Fetches the env vars for a particular context
- * @param context the context to use
- * @return an AwsClusterConfig for the context
+ * @return an GCPClusterConfig for the context
*/
export function getGCPClusterConfig(context: string): GCPClusterConfig {
const gcpDynamicEnvVars = getContextDynamicEnvVarValues(
@@ -166,7 +136,7 @@ export function getContextDynamicEnvVarValues(
}
/**
- * Reads the context and switches to the appropriate Azure or AWS Cluster
+ * Reads the context and switches to the appropriate Azure Cluster
*/
export async function switchToContextCluster(
celoEnv: string,
diff --git a/packages/celotool/src/lib/env-utils.ts b/packages/celotool/src/lib/env-utils.ts
index cc79a4be9e..7d6898a17e 100644
--- a/packages/celotool/src/lib/env-utils.ts
+++ b/packages/celotool/src/lib/env-utils.ts
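Review bot: The rewritten JSDoc line `+ * @return an GCPClusterConfig for the context` has the wrong article; since the line is being touched anyway it should read ` * @return a GCPClusterConfig for the context`. The body of getGCPClusterConfig, which this doc block describes, continues outside the hunk.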
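Review bot: The new comment on switchToContextCluster now says it switches to "the appropriate Azure Cluster", but after this commit the clusterConfigGetterByCloudProvider table earlier in this file still dispatches on both CloudProvider.AZURE and CloudProvider.GCP, so the comment understates what the function handles. If the function goes through that table (its body continues outside the hunk, so I cannot confirm from here), ` * Reads the context and switches to the appropriate Azure or GCP cluster` would match the code better than dropping GCP along with AWS.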
@@ -73,11 +73,6 @@ export enum envVar {
GRAFANA_LOCAL_OAUTH2_CLIENT_SECRET = 'GRAFANA_LOCAL_OAUTH2_CLIENT_SECRET',
IN_MEMORY_DISCOVERY_TABLE = 'IN_MEMORY_DISCOVERY_TABLE',
ISTANBUL_REQUEST_TIMEOUT_MS = 'ISTANBUL_REQUEST_TIMEOUT_MS',
- KOMENCI_DOCKER_IMAGE_REPOSITORY = 'KOMENCI_DOCKER_IMAGE_REPOSITORY',
- KOMENCI_DOCKER_IMAGE_TAG = 'KOMENCI_DOCKER_IMAGE_TAG',
- KOMENCI_RULE_CONFIG_CAPTCHA_BYPASS_TOKEN = 'KOMENCI_RULE_CONFIG_CAPTCHA_BYPASS_TOKEN',
- KOMENCI_SHOULD_SEND_REWARDS = 'KOMENCI_SHOULD_SEND_REWARDS',
- KOMENCI_UNUSED_KOMENCI_ADDRESSES = 'KOMENCI_UNUSED_KOMENCI_ADDRESSES',
KUBECONFIG = 'KUBECONFIG',
KUBERNETES_CLUSTER_NAME = 'KUBERNETES_CLUSTER_NAME',
KUBERNETES_CLUSTER_ZONE = 'KUBERNETES_CLUSTER_ZONE',
@@ -159,8 +154,6 @@ export enum envVar {
*/
export enum DynamicEnvVar {
- AWS_CLUSTER_REGION = '{{ context }}_AWS_KUBERNETES_CLUSTER_REGION',
- AWS_RESOURCE_GROUP_TAG = '{{ context }}_AWS_KUBERNETES_RESOURCE_GROUP',
AZURE_SUBSCRIPTION_ID = '{{ context }}_AZURE_SUBSCRIPTION_ID',
AZURE_KUBERNETES_RESOURCE_GROUP = '{{ context }}_AZURE_KUBERNETES_RESOURCE_GROUP',
AZURE_REGION_NAME = '{{ context }}_AZURE_REGION_NAME',
@@ -177,23 +170,6 @@ export enum DynamicEnvVar {
GCP_PROJECT_NAME = '{{ context }}_GCP_PROJECT_NAME',
GCP_ZONE = '{{ context }}_GCP_ZONE',
KUBERNETES_CLUSTER_NAME = '{{ context }}_KUBERNETES_CLUSTER_NAME',
- KOMENCI_ADDRESS_AZURE_KEY_VAULTS = '{{ context }}_KOMENCI_ADDRESS_AZURE_KEY_VAULTS',
- KOMENCI_ADDRESSES_FROM_MNEMONIC_COUNT = '{{ context }}_KOMENCI_ADDRESSES_FROM_MNEMONIC_COUNT',
- KOMENCI_CELOLABS_REWARDS_ADDRESS_AZURE_KEY_VAULTS = '{{ context }}_KOMENCI_CELOLABS_REWARDS_ADDRESS_AZURE_KEY_VAULTS',
- KOMENCI_FOUNDATION_REWARDS_ADDRESS_AZURE_KEY_VAULTS = '{{ context }}_KOMENCI_FOUNDATION_REWARDS_ADDRESS_AZURE_KEY_VAULTS',
- KOMENCI_REWARD_SERVICE_INSTANCE_COUNT = '{{ context }}_KOMENCI_REWARD_SERVICE_INSTANCE_COUNT',
- KOMENCI_DB_HOST = '{{ context }}_KOMENCI_DB_HOST',
- KOMENCI_DB_PORT = '{{ context }}_KOMENCI_DB_PORT',
- KOMENCI_DB_USERNAME = '{{ context }}_KOMENCI_DB_USERNAME',
- KOMENCI_DB_PASSWORD_VAULT_NAME = '{{ context }}_KOMENCI_DB_PASSWORD_VAULT_NAME',
- KOMENCI_REWARD_SERVICE_DB_HOST = '{{ context }}_KOMENCI_REWARD_SERVICE_DB_HOST',
- KOMENCI_REWARD_SERVICE_DB_PORT = '{{ context }}_KOMENCI_REWARD_SERVICE_DB_PORT',
- KOMENCI_REWARD_SERVICE_DB_USERNAME = '{{ context }}_KOMENCI_REWARD_SERVICE_DB_USERNAME',
- KOMENCI_REWARD_SERVICE_DB_PASSWORD_VAULT_NAME = '{{ context }}_KOMENCI_REWARD_SERVICE_DB_PASSWORD_VAULT_NAME',
- KOMENCI_NETWORK = '{{ context }}_KOMENCI_NETWORK',
- KOMENCI_APP_SECRETS_VAULT_NAME = '{{ context }}_KOMENCI_APP_SECRETS_VAULT_NAME',
- KOMENCI_RULE_CONFIG_CAPTCHA_BYPASS_ENABLED = '{{ context }}_KOMENCI_RULE_CONFIG_CAPTCHA_BYPASS_ENABLED',
- ORACLE_ADDRESS_AWS_KEY_ALIASES = '{{ context }}_{{ currencyPair }}_ORACLE_ADDRESS_AWS_KEY_ALIASES',
ORACLE_ADDRESS_AZURE_KEY_VAULTS = '{{ context }}_{{ currencyPair }}_ORACLE_ADDRESS_AZURE_KEY_VAULTS',
ORACLE_ADDRESSES_FROM_MNEMONIC_COUNT = '{{ context }}_{{ currencyPair}}_ORACLE_ADDRESSES_FROM_MNEMONIC_COUNT',
ODIS_SIGNER_BLOCKCHAIN_API_KEY = '{{ context }}_ODIS_SIGNER_BLOCKCHAIN_API_KEY',
diff --git a/packages/celotool/src/lib/fullnodes.ts b/packages/celotool/src/lib/fullnodes.ts
index 824a094bb4..bdbbae673d 100644
--- a/packages/celotool/src/lib/fullnodes.ts
+++ b/packages/celotool/src/lib/fullnodes.ts
@@ -1,7 +1,6 @@
import stringHash from 'string-hash'
import {
getAksClusterConfig,
- getAwsClusterConfig,
getCloudProviderFromContext,
getContextDynamicEnvVarValues,
getGCPClusterConfig,
@@ -9,7 +8,6 @@ import {
import { DynamicEnvVar, envVar, fetchEnv, getDynamicEnvVarValue } from './env-utils'
import { CloudProvider } from './k8s-cluster/base'
import { AksFullNodeDeploymentConfig } from './k8s-fullnode/aks'
-import { AwsFullNodeDeploymentConfig } from './k8s-fullnode/aws'
import { BaseFullNodeDeploymentConfig } from './k8s-fullnode/base'
import { GCPFullNodeDeploymentConfig } from './k8s-fullnode/gcp'
import { getFullNodeDeployer } from './k8s-fullnode/utils'
@@ -37,7 +35,6 @@ const contextFullNodeDeploymentEnvVars: {
const deploymentConfigGetterByCloudProvider: {
[key in CloudProvider]: (context: string) => BaseFullNodeDeploymentConfig
} = {
- [CloudProvider.AWS]: getAwsFullNodeDeploymentConfig,
[CloudProvider.AZURE]: getAksFullNodeDeploymentConfig,
[CloudProvider.GCP]: getGCPFullNodeDeploymentConfig,
}
@@ -174,18 +171,6 @@ function getAksFullNodeDeploymentConfig(context: string): AksFullNodeDeploymentC
}
}
-/**
- * For a given context, returns the appropriate AwsFullNodeDeploymentConfig
- */
-function getAwsFullNodeDeploymentConfig(context: string): AwsFullNodeDeploymentConfig {
- const fullNodeDeploymentConfig: BaseFullNodeDeploymentConfig =
- getFullNodeDeploymentConfig(context)
- return {
- ...fullNodeDeploymentConfig,
- clusterConfig: getAwsClusterConfig(context),
- }
-}
-
/**
* For a given context, returns the appropriate getGCPFullNodeDeploymentConfig
*/
diff --git a/packages/celotool/src/lib/k8s-cluster/aws.ts b/packages/celotool/src/lib/k8s-cluster/aws.ts
deleted file mode 100644
index eda452c94a..0000000000
--- a/packages/celotool/src/lib/k8s-cluster/aws.ts
+++ /dev/null
@@ -1,68 +0,0 @@
-import { execCmdWithExitOnFailure } from '../cmd-utils'
-import { installGenericHelmChart } from '../helm_deploy'
-import { outputIncludes } from '../utils'
-import { BaseClusterConfig, BaseClusterManager, CloudProvider } from './base'
-
-/**
- * Basic info for an EKS cluster
- */
-export interface AwsClusterConfig extends BaseClusterConfig {
- clusterRegion: string
- resourceGroupTag: string
-}
-
-export class AwsClusterManager extends BaseClusterManager {
- async switchToSubscription() {
- // TODO: not supported at the moment
- }
-
- async getAndSwitchToClusterContext() {
- await execCmdWithExitOnFailure(
- `aws eks --region ${this.clusterConfig.clusterRegion} update-kubeconfig --name ${this.clusterConfig.clusterName} --alias ${this.clusterConfig.clusterName}`
- )
- }
-
- async setupCluster(context?: string) {
- await super.setupCluster(context)
- await this.installKube2Iam()
- }
-
- // installs kube2iam if it doesn't exist, which allows us to give AWS roles to pods
- async installKube2Iam() {
- const releaseName = 'kube2iam'
- const exists = await outputIncludes(
- `helm list`,
- releaseName,
- `${releaseName} exists, skipping install`
- )
- if (!exists) {
- console.info(`Installing ${releaseName}`)
- await installGenericHelmChart({
- namespace: 'default',
- releaseName,
- chartDir: 'stable/kube2iam',
- parameters: [
- // Modifies node iptables to have AWS api requests be proxied by kube2iam
- `--set host.iptables=true`,
- // The network interface EKS uses
- `--set host.interface="eni+"`,
- // enable rbac
- `--set rbac.create=true`,
- ],
- buildDependencies: false,
- })
- }
- }
-
- get clusterConfig(): AwsClusterConfig {
- return this._clusterConfig as AwsClusterConfig
- }
-
- get kubernetesContextName(): string {
- return this.clusterConfig.clusterName
- }
-
- get cloudProvider(): CloudProvider {
- return CloudProvider.AWS
- }
-}
diff --git a/packages/celotool/src/lib/k8s-cluster/base.ts b/packages/celotool/src/lib/k8s-cluster/base.ts
index 18771caec1..0a18f49d6f 100644
--- a/packages/celotool/src/lib/k8s-cluster/base.ts
+++ b/packages/celotool/src/lib/k8s-cluster/base.ts
@@ -7,7 +7,6 @@ import {
} from '../helm_deploy'
export enum CloudProvider {
- AWS,
AZURE,
GCP,
}
diff --git a/packages/celotool/src/lib/k8s-cluster/utils.ts b/packages/celotool/src/lib/k8s-cluster/utils.ts
index ab340d376f..a1584306a8 100644
--- a/packages/celotool/src/lib/k8s-cluster/utils.ts
+++ b/packages/celotool/src/lib/k8s-cluster/utils.ts
@@ -1,13 +1,10 @@
import { AksClusterConfig, AksClusterManager } from './aks'
-import { AwsClusterConfig, AwsClusterManager } from './aws'
import { BaseClusterConfig, BaseClusterManager, CloudProvider } from './base'
import { GCPClusterConfig, GCPClusterManager } from './gcp'
const clusterManagerByCloudProvider: {
[key in CloudProvider]: (clusterConfig: BaseClusterConfig, celoEnv: string) => BaseClusterManager
} = {
- [CloudProvider.AWS]: (clusterConfig: BaseClusterConfig, celoEnv: string) =>
- new AwsClusterManager(clusterConfig as AwsClusterConfig, celoEnv),
[CloudProvider.AZURE]: (clusterConfig: BaseClusterConfig, celoEnv: string) =>
new AksClusterManager(clusterConfig as AksClusterConfig, celoEnv),
[CloudProvider.GCP]: (clusterConfig: BaseClusterConfig, celoEnv: string) =>
diff --git a/packages/celotool/src/lib/k8s-fullnode/aws.ts b/packages/celotool/src/lib/k8s-fullnode/aws.ts
deleted file mode 100644
index 671016104b..0000000000
--- a/packages/celotool/src/lib/k8s-fullnode/aws.ts
+++ /dev/null
@@ -1,113 +0,0 @@
-import {
- authorizeSecurityGroupIngress,
- getClusterSharedNodeSecurityGroup,
- revokeSecurityGroupIngress,
-} from '../aws'
-import { AwsClusterConfig } from '../k8s-cluster/aws'
-import { BaseFullNodeDeploymentConfig } from './base'
-import { BaseNodePortFullNodeDeployer } from './base-nodeport'
-
-export interface AwsFullNodeDeploymentConfig extends BaseFullNodeDeploymentConfig {
- clusterConfig: AwsClusterConfig
-}
-
-enum Protocols {
- tcp = 'tcp',
- udp = 'udp',
-}
-
-/**
- * At the moment, there is no way to use a Network Load Balancer on EKS
- * with ingress TCP & UDP traffic on the same port. Instead, we use NodePort
- * services.
- */
-export class AwsFullNodeDeployer extends BaseNodePortFullNodeDeployer {
- /**
- * Gets AWS-specific helm parameters.
- */
- async additionalHelmParameters() {
- return [
- ...(await super.additionalHelmParameters()),
- `--set aws=true`,
- `--set storage.storageClass=gp2`,
- // A single element because we will be using tcp and udp on a single service
- `--set geth.service_protocols='{tcp-and-udp}'`,
- ]
- }
-
- /**
- * Prints action required to remove the node ports, and removes the chart
- */
- async removeChart() {
- const nodePortSet = await this.getExistingNodePortSet()
- await this.setIngressRulesTCPAndUDP(Array.from(nodePortSet), false)
- await super.removeChart()
- }
-
- /**
- * When authorize is true, will ensure that the cluster's shared security group
- * allows ingress tcp & udp traffic from 0.0.0.0/0 for the specified ports.
- * When authorize is false, removes any of the roles corresponding to the ports
- * as just described.
- */
- async setIngressRulesTCPAndUDP(ports: number[], authorize: boolean) {
- const cidrRange = '0.0.0.0/0'
- const securityGroup = await getClusterSharedNodeSecurityGroup(
- this.deploymentConfig.clusterConfig
- )
-
- // Record the existing relevant rules on the security group. We want to know
- // if both udp and tcp ingress traffic has been enabled for the ports.
- const existingRulesByPort: {
- [port: number]: {
- [protocol in Protocols]: boolean
- }
- } = {}
- for (const rule of securityGroup.IpPermissions) {
- // We assume that all rules that have been created by previous full node
- // deployments are for a single port, and not port ranges.
- // Don't consider rules that do not apply to node port ranges or do not have the
- // desired cidr range.
- if (
- rule.FromPort !== rule.ToPort ||
- !this.isNodePort(rule.FromPort) ||
- !rule.IpRanges.find((rangeSpec: any) => rangeSpec.CidrIp === cidrRange)
- ) {
- continue
- }
- const port = rule.FromPort
- existingRulesByPort[port] = Object.values(Protocols).reduce(
- (obj: any, protocol: Protocols) => ({
- ...obj,
- [protocol]: obj[protocol] || rule.IpProtocol === protocol,
- }),
- existingRulesByPort[port] || {}
- )
- }
-
- // Iterate over all the provided ports and protocols, and either authorize
- // or revoke ingress permission.
- for (const port of ports) {
- for (const protocol of Object.values(Protocols)) {
- const infoStr = `${port}/${protocol}`
- // If the rule already exists, either skip or revoke
- if (existingRulesByPort[port] && existingRulesByPort[port][protocol]) {
- if (authorize) {
- console.info(`Already authorized ${infoStr}`)
- } else {
- console.info(`Revoking ${infoStr} authorization`)
- await revokeSecurityGroupIngress(securityGroup.GroupId, port, protocol, cidrRange)
- }
- continue
- } else if (authorize) {
- console.info(`Authorizing ${infoStr}`)
- await authorizeSecurityGroupIngress(securityGroup.GroupId, port, protocol, cidrRange)
- }
- }
- }
- }
-
- get deploymentConfig(): AwsFullNodeDeploymentConfig {
- return this._deploymentConfig as AwsFullNodeDeploymentConfig
- }
-}
diff --git a/packages/celotool/src/lib/k8s-fullnode/utils.ts b/packages/celotool/src/lib/k8s-fullnode/utils.ts
index 6cb0200d81..67d6e839d6 100644
--- a/packages/celotool/src/lib/k8s-fullnode/utils.ts
+++ b/packages/celotool/src/lib/k8s-fullnode/utils.ts
@@ -1,6 +1,5 @@
import { CloudProvider } from '../k8s-cluster/base'
import { AksFullNodeDeployer, AksFullNodeDeploymentConfig } from './aks'
-import { AwsFullNodeDeployer, AwsFullNodeDeploymentConfig } from './aws'
import { BaseFullNodeDeployer, BaseFullNodeDeploymentConfig } from './base'
import { GCPFullNodeDeployer, GCPFullNodeDeploymentConfig } from './gcp'
@@ -10,8 +9,6 @@ const fullNodeDeployerByCloudProvider: {
celoEnv: string
) => BaseFullNodeDeployer
} = {
- [CloudProvider.AWS]: (deploymentConfig: BaseFullNodeDeploymentConfig, celoEnv: string) =>
- new AwsFullNodeDeployer(deploymentConfig as AwsFullNodeDeploymentConfig, celoEnv),
[CloudProvider.AZURE]: (deploymentConfig: BaseFullNodeDeploymentConfig, celoEnv: string) =>
new AksFullNodeDeployer(deploymentConfig as AksFullNodeDeploymentConfig, celoEnv),
[CloudProvider.GCP]: (deploymentConfig: BaseFullNodeDeploymentConfig, celoEnv: string) =>
diff --git a/packages/celotool/src/lib/k8s-oracle/aws-hsm.ts b/packages/celotool/src/lib/k8s-oracle/aws-hsm.ts
deleted file mode 100644
index 0a8a6b09a8..0000000000
--- a/packages/celotool/src/lib/k8s-oracle/aws-hsm.ts
+++ /dev/null
@@ -1,161 +0,0 @@
-import {
- attachPolicyIdempotent,
- createPolicyIdempotent,
- createRoleIdempotent,
- deletePolicy,
- deleteRole,
- detachPolicyIdempotent,
- getEKSNodeInstanceGroupRoleArn,
- getKeyArnFromAlias,
- getPolicyArn,
-} from '../aws'
-import { AwsClusterConfig } from '../k8s-cluster/aws'
-import { BaseOracleDeploymentConfig, OracleIdentity } from './base'
-import { RbacOracleDeployer } from './rbac'
-
-/**
- * Contains information needed when using Azure HSM signing
- */
-export interface AwsHsmOracleIdentity extends OracleIdentity {
- keyAlias: string
- region: string
-}
-
-export interface AwsHsmOracleDeploymentConfig extends BaseOracleDeploymentConfig {
- identities: AwsHsmOracleIdentity[]
- clusterConfig: AwsClusterConfig
-}
-
-/**
- * AwsHsmOracleDeployer manages deployments for HSM-based oracles on AWS
- */
-export class AwsHsmOracleDeployer extends RbacOracleDeployer {
- // Explicitly specify this so we enforce AwsHsmOracleDeploymentConfig
- constructor(deploymentConfig: AwsHsmOracleDeploymentConfig, celoEnv: string) {
- super(deploymentConfig, celoEnv)
- }
-
- async removeChart() {
- await super.removeChart()
- for (const identity of this.deploymentConfig.identities) {
- await this.deleteAwsHsmRoleAndPolicyIdempotent(identity)
- }
- }
-
- async helmParameters() {
- return [
- ...(await super.helmParameters()),
- `--set kube.cloudProvider=aws`,
- `--set oracle.walletType=AWS_HSM`,
- ]
- }
-
- async oracleIdentityHelmParameters() {
- let params = await super.oracleIdentityHelmParameters()
- for (let i = 0; i < this.replicas; i++) {
- const identity = this.deploymentConfig.identities[i]
- const prefix = `--set oracle.identities[${i}]`
- const awsRoleArn = await this.createAwsHsmRoleIdempotent(identity)
- params = params.concat([`${prefix}.aws.roleArn=${awsRoleArn}`])
- }
- return params
- }
-
- /**
- * Creates an AWS role for a specific oracle identity with the
- * appropriate permissions to use its HSM.
- * Idempotent.
- */
- async createAwsHsmRoleIdempotent(identity: AwsHsmOracleIdentity) {
- // The role that each node (ie VM) uses
- const nodeInstanceGroupRoleArn = await getEKSNodeInstanceGroupRoleArn(
- this.deploymentConfig.clusterConfig.clusterName
- )
- // This is a "trust relationship" that allows the node instance group role
- // to assume this role (via kube2iam).
- const rolePolicy = {
- Version: '2012-10-17',
- Statement: [
- {
- Sid: '',
- Effect: 'Allow',
- Principal: {
- AWS: nodeInstanceGroupRoleArn,
- },
- Action: 'sts:AssumeRole',
- },
- ],
- }
- const roleName = this.awsHsmRoleName(identity)
- const roleArn = await createRoleIdempotent(roleName, JSON.stringify(rolePolicy))
- const policyName = this.awsHsmPolicyName(identity)
- const keyArn = await getKeyArnFromAlias(identity.keyAlias, identity.region)
- const policyArn = await this.createAwsHsmSignPolicyIdempotent(policyName, keyArn)
- await attachPolicyIdempotent(roleName, policyArn)
- return roleArn
- }
-
- /**
- * Creates an AWS policy to allow usage of an HSM.
- * Idempotent.
- */
- async createAwsHsmSignPolicyIdempotent(policyName: string, keyArn: string) {
- const policy = {
- Version: '2012-10-17',
- Statement: [
- {
- Sid: 'VisualEditor0',
- Effect: 'Allow',
- Action: ['kms:GetPublicKey', 'kms:DescribeKey', 'kms:Sign'],
- Resource: keyArn,
- },
- {
- Sid: 'VisualEditor1',
- Effect: 'Allow',
- Action: 'kms:ListKeys',
- Resource: '*',
- },
- ],
- }
- return createPolicyIdempotent(policyName, JSON.stringify(policy))
- }
-
- /**
- * Deletes both the AWS role and policy for a particular identity.
- * Note this assumes that the policy has only been attached to the corresponding
- * role and no others. This may not be the case if someone manually attaches
- * the policy to a different role in the AWS console.
- */
- async deleteAwsHsmRoleAndPolicyIdempotent(identity: AwsHsmOracleIdentity) {
- const roleName = this.awsHsmRoleName(identity)
- const policyName = this.awsHsmPolicyName(identity)
- console.info(`Deleting AWS role ${roleName} and policy ${policyName}`)
- const policyArn = await getPolicyArn(policyName)
- if (policyArn) {
- // Don't throw if it's not attached
- try {
- await detachPolicyIdempotent(roleName, policyArn)
- } catch (e: any) {
- console.info(`Could not detatch policy ${policyArn} from role ${roleName}:`, e.message)
- }
- await deletePolicy(policyArn)
- }
- try {
- await deleteRole(roleName)
- } catch (e: any) {
- console.info(`Could not delete role ${roleName}:`, e.message)
- }
- }
-
- awsHsmRoleName(identity: AwsHsmOracleIdentity) {
- return `${identity.keyAlias}-${identity.currencyPair}-${identity.address}`.substring(0, 64)
- }
-
- awsHsmPolicyName(identity: AwsHsmOracleIdentity) {
- return `${identity.keyAlias}-${identity.currencyPair}-${identity.address}`
- }
-
- get deploymentConfig(): AwsHsmOracleDeploymentConfig {
- return this._deploymentConfig as AwsHsmOracleDeploymentConfig
- }
-}
diff --git a/packages/celotool/src/lib/k8s-oracle/rbac.ts b/packages/celotool/src/lib/k8s-oracle/rbac.ts
index 4ad47cd5cf..92ea572719 100644
--- a/packages/celotool/src/lib/k8s-oracle/rbac.ts
+++ b/packages/celotool/src/lib/k8s-oracle/rbac.ts
@@ -16,7 +16,7 @@ const rbacHelmChartPath = '../helm-charts/oracle-rbac'
/**
* RbacOracleDeployer cloud-agnostically manages deployments for oracles
* whose pods must change their metadata in order to accomodate limitations
- * in pod identity solutions (like Azure's aad-pod-identity and AWS's kube2iam).
+ * in pod identity solutions (like Azure's aad-pod-identity).
* This will create a k8s service account for each oracle pod that can modify
* pod metadata, and will ensure each SA's credentials make their way to the helm chart.
*/
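Review bot: The rbac.ts hunk rewrites the pod-identity sentence of the RbacOracleDeployer class comment but leaves the typo on the line directly above it, `accomodate`, which is part of the same sentence. Since the sentence is being edited anyway, correct it in the same change: ` * whose pods must change their metadata in order to accommodate limitations`. The comment block itself is otherwise complete within the hunk.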
diff --git a/packages/celotool/src/lib/komenci.ts b/packages/celotool/src/lib/komenci.ts
deleted file mode 100644
index 7edeab3d0c..0000000000
--- a/packages/celotool/src/lib/komenci.ts
+++ /dev/null
@@ -1,537 +0,0 @@
-import { ensureLeading0x, privateKeyToAddress } from '@celo/utils/src/address'
-import { execCmdWithExitOnFailure } from 'src/lib/cmd-utils'
-import {
- getFornoUrl,
- getFullNodeHttpRpcInternalUrl,
- getFullNodeWebSocketRpcInternalUrl,
-} from 'src/lib/endpoints'
-import { DynamicEnvVar, envVar, fetchEnv, fetchEnvOrFallback } from 'src/lib/env-utils'
-import { AccountType, getPrivateKeysFor } from 'src/lib/generate_utils'
-import {
- installGenericHelmChart,
- removeGenericHelmChart,
- upgradeGenericHelmChart,
-} from 'src/lib/helm_deploy'
-import { createKeyVaultIdentityIfNotExists, deleteAzureKeyVaultIdentity } from './azure'
-import { getAksClusterConfig, getContextDynamicEnvVarValues } from './context-utils'
-const helmChartPath = '../helm-charts/komenci'
-const rbacHelmChartPath = '../helm-charts/komenci-rbac'
-
-/**
- * Contains information needed when using Azure HSM signing
- */
-interface KomenciAzureHsmIdentity {
- identityName: string
- keyVaultName: string
- // If a resource group is not specified, it is assumed to be the same
- // as the kubernetes cluster resource group specified in the AKSClusterConfig
- resourceGroup?: string
-}
-
-/**
- * Represents the identity of a single komenci relayer
- */
-interface KomenciIdentity {
- address: string
- // Used if generating komenci relayers from a mnemonic
- privateKey?: string
- // Used if using Azure HSM signing
- azureHsmIdentity?: KomenciAzureHsmIdentity
-}
-
-/**
- * Configuration of multiple relayers
- */
-interface KomenciConfig {
- relayerIdentities: KomenciIdentity[]
- // TODO: For Signup rewards
- // foundationRewardsIdentities: KomenciIdentity[]
- cLabsRewardsIdentities: KomenciIdentity[]
-}
-
-interface KomenciKeyVaultIdentityConfig {
- addressAzureKeyVaults: string
-}
-
-interface KomenciMnemonicIdentityConfig {
- addressesFromMnemonicCount: string
-}
-
-interface KomenciRewardServiceConfig {
- instanceCount: number
-}
-
-interface KomenciDatabaseConfig {
- host: string
- 
port: string
- username: string
- passwordVaultName: string
-}
-
-enum RewardType {
- Foundation,
- CeloLabs,
-}
-
-/**
- * Env vars corresponding to each value for the KomenciKeyVaultIdentityConfig for a particular context
- */
-const contextKomenciKeyVaultIdentityConfigDynamicEnvVars: {
- [k in keyof KomenciKeyVaultIdentityConfig]: DynamicEnvVar
-} = {
- addressAzureKeyVaults: DynamicEnvVar.KOMENCI_ADDRESS_AZURE_KEY_VAULTS,
-}
-
-/**
- * Env vars corresponding to each value for the KomenciMnemonicIdentityConfig for a particular context
- */
-const contextKomenciMnemonicIdentityConfigDynamicEnvVars: {
- [k in keyof KomenciMnemonicIdentityConfig]: DynamicEnvVar
-} = {
- addressesFromMnemonicCount: DynamicEnvVar.KOMENCI_ADDRESSES_FROM_MNEMONIC_COUNT,
-}
-
-/**
- * Env vars corresponding to each value for the KomenciFoundationRewardsKeyVaultIdentityConfig for a particular context
- */
-const contextKomenciFoundationRewardsKeyVaultIdentityConfigDynamicEnvVars: {
- [k in keyof KomenciKeyVaultIdentityConfig]: DynamicEnvVar
-} = {
- addressAzureKeyVaults: DynamicEnvVar.KOMENCI_FOUNDATION_REWARDS_ADDRESS_AZURE_KEY_VAULTS,
-}
-
-/**
- * Env vars corresponding to each value for the KomenciCeloLabsRewardsKeyVaultIdentityConfig for a particular context
- */
-const contextKomenciCeloLabsRewardsKeyVaultIdentityConfigDynamicEnvVars: {
- [k in keyof KomenciKeyVaultIdentityConfig]: DynamicEnvVar
-} = {
- addressAzureKeyVaults: DynamicEnvVar.KOMENCI_CELOLABS_REWARDS_ADDRESS_AZURE_KEY_VAULTS,
-}
-
-/**
- * Env vars corresponding to each value for the KomenciCeloLabsRewardsKeyVaultIdentityConfig for a particular context
- */
-const contextKomenciRewardsServiceConfigDynamicEnvVars: {
- [k in keyof KomenciRewardServiceConfig]: DynamicEnvVar
-} = {
- instanceCount: DynamicEnvVar.KOMENCI_REWARD_SERVICE_INSTANCE_COUNT,
-}
-
-const contextDatabaseConfigDynamicEnvVars: { [k in keyof KomenciDatabaseConfig]: DynamicEnvVar } = {
- host: DynamicEnvVar.KOMENCI_DB_HOST,
- port: 
DynamicEnvVar.KOMENCI_DB_PORT,
- username: DynamicEnvVar.KOMENCI_DB_USERNAME,
- passwordVaultName: DynamicEnvVar.KOMENCI_DB_PASSWORD_VAULT_NAME,
-}
-
-const contextRewardServiceDatabaseConfigDynamicEnvVars: {
- [k in keyof KomenciDatabaseConfig]: DynamicEnvVar
-} = {
- host: DynamicEnvVar.KOMENCI_REWARD_SERVICE_DB_HOST,
- port: DynamicEnvVar.KOMENCI_REWARD_SERVICE_DB_PORT,
- username: DynamicEnvVar.KOMENCI_REWARD_SERVICE_DB_USERNAME,
- passwordVaultName: DynamicEnvVar.KOMENCI_REWARD_SERVICE_DB_PASSWORD_VAULT_NAME,
-}
-
-function releaseName(celoEnv: string) {
- return `${celoEnv}-komenci`
-}
-
-export async function installHelmChart(celoEnv: string, context: string, useForno: boolean) {
- // First install the komenci-rbac helm chart.
- // This must be deployed before so we can use a resulting auth token so that
- // komenci pods can reach the K8s API server to change their aad labels
- await installKomenciRBACHelmChart(celoEnv, context)
- // Then install the komenci helm chart
- return installGenericHelmChart({
- namespace: celoEnv,
- releaseName: releaseName(celoEnv),
- chartDir: helmChartPath,
- parameters: await helmParameters(celoEnv, context, useForno),
- })
-}
-
-export async function upgradeKomenciChart(celoEnv: string, context: string, useFullNodes: boolean) {
- await upgradeKomenciRBACHelmChart(celoEnv, context)
- return upgradeGenericHelmChart({
- namespace: celoEnv,
- releaseName: releaseName(celoEnv),
- chartDir: helmChartPath,
- parameters: await helmParameters(celoEnv, context, useFullNodes),
- })
-}
-
-export async function removeHelmRelease(celoEnv: string, context: string) {
- await removeGenericHelmChart(releaseName(celoEnv), celoEnv)
- await removeKomenciRBACHelmRelease(celoEnv)
- const komenciConfig = getKomenciConfig(context)
- for (const identity of komenciConfig.relayerIdentities) {
- // If the identity is using Azure HSM signing, clean it up too
- if (identity.azureHsmIdentity) {
- await deleteAzureKeyVaultIdentity(
- context,
- 
identity.azureHsmIdentity.identityName,
- identity.azureHsmIdentity.keyVaultName
- )
- }
- }
-}
-
-async function getKeyVaultSecret(vaultName: string, secretName: string) {
- const [secret] = await execCmdWithExitOnFailure(
- `az keyvault secret show --name ${secretName} --vault-name ${vaultName} --query value`
- )
- return secret
-}
-
-async function getPasswordFromKeyVaultSecret(vaultName: string, secretName: string) {
- const password = await getKeyVaultSecret(vaultName, secretName)
- return password.replace(/\n|"/g, '')
-}
-
-async function helmParameters(celoEnv: string, context: string, useForno: boolean) {
- const komenciConfig = getKomenciConfig(context)
-
- const onboardingRelayerCount = komenciConfig.relayerIdentities.length
- const rewardsRelayerCount = komenciConfig.cLabsRewardsIdentities.length
- const kubeServiceAccountSecretNames = await rbacServiceAccountSecretNames(
- celoEnv,
- '',
- onboardingRelayerCount
- )
- const kubeRewardsServiceAccountSecretNames = await rbacServiceAccountSecretNames(
- celoEnv,
- 'rewards-',
- rewardsRelayerCount
- )
-
- const databaseConfig = getContextDynamicEnvVarValues(contextDatabaseConfigDynamicEnvVars, context)
- const rewardDatabaseConfig = getContextDynamicEnvVarValues(
- contextRewardServiceDatabaseConfigDynamicEnvVars,
- context
- )
- const vars = getContextDynamicEnvVarValues(
- {
- network: DynamicEnvVar.KOMENCI_NETWORK,
- appSecretsKeyVault: DynamicEnvVar.KOMENCI_APP_SECRETS_VAULT_NAME,
- captchaBypassEnabled: DynamicEnvVar.KOMENCI_RULE_CONFIG_CAPTCHA_BYPASS_ENABLED,
- },
- context
- )
- const httpRpcProviderUrl = useForno
- ? 
getFornoUrl(celoEnv)
- : getFullNodeHttpRpcInternalUrl(celoEnv)
- // TODO: let forno support websockets
- const wsRpcProviderUrl = getFullNodeWebSocketRpcInternalUrl(celoEnv)
- const databasePassword = await getPasswordFromKeyVaultSecret(
- databaseConfig.passwordVaultName,
- 'DB-PASSWORD'
- )
- const rewardDatabasePassword = await getPasswordFromKeyVaultSecret(
- rewardDatabaseConfig.passwordVaultName,
- 'DB-PASSWORD'
- )
- const recaptchaToken = await getPasswordFromKeyVaultSecret(
- vars.appSecretsKeyVault,
- 'RECAPTCHA-SECRET-KEY'
- )
- const loggerCredentials = await getPasswordFromKeyVaultSecret(
- vars.appSecretsKeyVault,
- 'LOGGER-SERVICE-ACCOUNT'
- )
- const segmentApiKey = await getPasswordFromKeyVaultSecret(
- vars.appSecretsKeyVault,
- 'SEGMENT-API-KEY'
- )
- const rewardServiceConfig = getContextDynamicEnvVarValues(
- contextKomenciRewardsServiceConfigDynamicEnvVars,
- context
- )
- const clusterConfig = getAksClusterConfig(context)
-
- return [
- `--set domain.name=${fetchEnv(envVar.CLUSTER_DOMAIN_NAME)}`,
- `--set environment.name=${celoEnv}`,
- `--set environment.network=${vars.network}`,
- `--set environment.cluster.name=${clusterConfig.clusterName}`,
- `--set environment.cluster.location=${clusterConfig.regionName}`,
- `--set loggingAgent.credentials=${loggerCredentials}`,
- `--set image.repository=${fetchEnv(envVar.KOMENCI_DOCKER_IMAGE_REPOSITORY)}`,
- `--set image.tag=${fetchEnv(envVar.KOMENCI_DOCKER_IMAGE_TAG)}`,
- `--set kube.serviceAccountSecretNames='{${kubeServiceAccountSecretNames.join(',')}}'`,
- `--set komenci.azureHsm.initTryCount=5`,
- `--set komenci.azureHsm.initMaxRetryBackoffMs=30000`,
- `--set onboarding.recaptchaToken=${recaptchaToken}`,
- `--set onboarding.replicas=${onboardingRelayerCount}`,
- `--set onboarding.relayer.host=${celoEnv + '-relayer'}`,
- `--set onboarding.db.host=${databaseConfig.host}`,
- `--set onboarding.db.port=${databaseConfig.port}`,
- `--set onboarding.db.username=${databaseConfig.username}`,
- `--set 
onboarding.db.password=${databasePassword}`,
- `--set onboarding.publicHostname=${getPublicHostname(clusterConfig.regionName, celoEnv)}`,
- `--set onboarding.publicUrl=${
- 'https://' + getPublicHostname(clusterConfig.regionName, celoEnv)
- }`,
- `--set onboarding.ruleConfig.captcha.bypassEnabled=${vars.captchaBypassEnabled}`,
- `--set onboarding.ruleConfig.captcha.bypassToken=${fetchEnv(
- envVar.KOMENCI_RULE_CONFIG_CAPTCHA_BYPASS_TOKEN
- )}`,
- `--set relayer.replicas=${onboardingRelayerCount}`,
- `--set relayer.rpcProviderUrls.http=${httpRpcProviderUrl}`,
- `--set relayer.rpcProviderUrls.ws=${wsRpcProviderUrl}`,
- `--set relayer.metrics.enabled=true`,
- `--set relayer.metrics.prometheusPort=9090`,
- `--set-string relayer.unusedKomenciAddresses='${fetchEnvOrFallback(
- envVar.KOMENCI_UNUSED_KOMENCI_ADDRESSES,
- ''
- )
- .split(',')
- .join('\\,')}'`,
- `--set rewards.replicas=${rewardServiceConfig.instanceCount}`,
- `--set rewards.db.host=${rewardDatabaseConfig.host}`,
- `--set rewards.db.port=${rewardDatabaseConfig.port}`,
- `--set rewards.db.username=${rewardDatabaseConfig.username}`,
- `--set rewards.db.password=${rewardDatabasePassword}`,
- `--set rewards.segmentApiKey=${segmentApiKey}`,
- `--set rewards.shouldSendRewards=${fetchEnv(envVar.KOMENCI_SHOULD_SEND_REWARDS)}`,
- `--set rewards.metrics.enabled=true`,
- `--set rewards.metrics.prometheusPort=9090`,
- `--set rewards.relayer.replicas=${rewardsRelayerCount}`,
- `--set rewards.relayer.rpcProviderUrls.http=${httpRpcProviderUrl}`,
- `--set rewards.relayer.rpcProviderUrls.ws=${wsRpcProviderUrl}`,
- `--set rewards.relayer.metrics.enabled=true`,
- `--set rewards.relayer.metrics.prometheusPort=9090`,
- `--set rewards.relayer.host=${celoEnv + '-rewards-relayer'}`,
- `--set kube.rewardsServiceAccountSecretNames='{${kubeRewardsServiceAccountSecretNames.join(
- ','
- )}}'`,
- ]
- .concat(
- await komenciIdentityHelmParameters(context, komenciConfig.relayerIdentities, 'relayer')
- )
- .concat(
- await 
komenciIdentityHelmParameters( - context, - komenciConfig.cLabsRewardsIdentities, - 'rewards.relayer' - ) - ) -} - -function getPublicHostname(regionName: string, celoEnv: string): string { - return regionName + '.komenci.' + celoEnv + '.' + fetchEnv(envVar.CLUSTER_DOMAIN_NAME) + '.org' -} - -/** - * Returns an array of helm command line parameters for the komenci relayer identities. - * Supports both private key and Azure HSM signing. - */ -async function komenciIdentityHelmParameters( - context: string, - relayerIdentities: KomenciIdentity[], - envVarPrefix: string -) { - const replicas = relayerIdentities.length - let params: string[] = [] - for (let i = 0; i < replicas; i++) { - const komenciIdentity = relayerIdentities[i] - const prefix = `--set ${envVarPrefix}.identities[${i}]` - params.push(`${prefix}.address=${komenciIdentity.address}`) - // An komenci identity can specify either a private key or some information - // about an Azure Key Vault that houses an HSM with the address provided. - // We provide the appropriate parameters for both of those types of identities. 
- if (komenciIdentity.azureHsmIdentity) { - const azureIdentity = await createKeyVaultIdentityIfNotExists( - context, - komenciIdentity.azureHsmIdentity.identityName, - komenciIdentity.azureHsmIdentity.keyVaultName, - komenciIdentity.azureHsmIdentity.resourceGroup, - ['get', 'list', 'sign'], - null - ) - params = params.concat([ - `${prefix}.azure.id=${azureIdentity.id}`, - `${prefix}.azure.clientId=${azureIdentity.clientId}`, - `${prefix}.azure.keyVaultName=${komenciIdentity.azureHsmIdentity.keyVaultName}`, - ]) - } else if (komenciIdentity.privateKey) { - params.push(`${prefix}.privateKey=${komenciIdentity.privateKey}`) - } else { - throw Error(`Incomplete relayer identity: ${komenciIdentity}`) - } - } - return params -} - -/** - * Gives a config for all komenci services for a particular context - */ -function getKomenciConfig(context: string): KomenciConfig { - return { - relayerIdentities: getKomenciRelayerIdentities(context), - cLabsRewardsIdentities: getKomenciRewardIdentities(context, RewardType.CeloLabs), - // foundationRewardsIdentities: getKomenciRewardIdentities(context, RewardType.Foundation), - } -} - -/** - * Returns an array of komenci identities. If the Azure Key Vault env var is specified, - * the identities are created from that. Otherwise, the identities are created - * with private keys generated by the mnemonic. 
- */ -function getKomenciRelayerIdentities(context: string): KomenciIdentity[] { - const { addressAzureKeyVaults } = getContextDynamicEnvVarValues( - contextKomenciKeyVaultIdentityConfigDynamicEnvVars, - context, - { - addressAzureKeyVaults: '', - } - ) - // Give priority to key vault - if (addressAzureKeyVaults) { - return getAzureHsmKomenciIdentities(addressAzureKeyVaults) - } - - // If key vaults are not set, try from mnemonic - const { addressesFromMnemonicCount } = getContextDynamicEnvVarValues( - contextKomenciMnemonicIdentityConfigDynamicEnvVars, - context, - { - addressesFromMnemonicCount: '', - } - ) - if (addressesFromMnemonicCount) { - const addressesFromMnemonicCountNum = parseInt(addressesFromMnemonicCount, 10) - return getMnemonicBasedKomenciIdentities(addressesFromMnemonicCountNum) - } - - throw Error('No komenci identity env vars specified') -} - -/** - * Returns an array of komenci reward identities. The identities are created from the Azure Key Vault env var. - */ -function getKomenciRewardIdentities(context: string, rewardType: RewardType): KomenciIdentity[] { - const envVars = - rewardType === RewardType.Foundation - ? contextKomenciFoundationRewardsKeyVaultIdentityConfigDynamicEnvVars - : contextKomenciCeloLabsRewardsKeyVaultIdentityConfigDynamicEnvVars - const { addressAzureKeyVaults } = getContextDynamicEnvVarValues(envVars, context, { - addressAzureKeyVaults: '', - }) - - if (addressAzureKeyVaults) { - return getAzureHsmKomenciIdentities(addressAzureKeyVaults) - } - - throw Error('No komenci reward identity env vars specified') -} - -/** - * Given a string addressAzureKeyVaults of the form: - *
:,
: - * eg: 0x0000000000000000000000000000000000000000:keyVault0,0x0000000000000000000000000000000000000001:keyVault1 - * returns an array of KomenciIdentity in the same order - */ -function getAzureHsmKomenciIdentities(addressAzureKeyVaults: string): KomenciIdentity[] { - const identityStrings = addressAzureKeyVaults.split(',') - const identities = [] - for (const identityStr of identityStrings) { - const [address, keyVaultName, resourceGroup] = identityStr.split(':') - // resourceGroup can be undefined - if (!address || !keyVaultName) { - throw Error( - `Address or key vault name is invalid. Address: ${address} Key Vault Name: ${keyVaultName}` - ) - } - identities.push({ - address, - azureHsmIdentity: { - identityName: getKomenciAzureIdentityName(keyVaultName, address), - keyVaultName, - resourceGroup, - }, - }) - } - return identities -} - -/** - * Returns komenci identities with private keys and addresses generated from the mnemonic - */ -function getMnemonicBasedKomenciIdentities(count: number): KomenciIdentity[] { - return getPrivateKeysFor(AccountType.PRICE_ORACLE, fetchEnv(envVar.MNEMONIC), count).map( - (pkey) => ({ - address: privateKeyToAddress(pkey), - privateKey: ensureLeading0x(pkey), - }) - ) -} - -/** - * @return the intended name of an azure identity given a key vault name and address - */ -function getKomenciAzureIdentityName(keyVaultName: string, address: string) { - // from https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/resource-name-rules#microsoftmanagedidentity - const maxIdentityNameLength = 128 - return `${keyVaultName}-${address}`.substring(0, maxIdentityNameLength) -} - -// Komenci RBAC------ -// We need the relayer pods to be able to change their label to accommodate -// limitations in aad-pod-identity & statefulsets (see https://github.com/Azure/aad-pod-identity/issues/237#issuecomment-611672987) -// To do this, we use an auth token that we get using the resources in the `komenci-rbac` chart - -async function 
installKomenciRBACHelmChart(celoEnv: string, context: string) { - return installGenericHelmChart({ - namespace: celoEnv, - releaseName: rbacReleaseName(celoEnv, ''), - chartDir: rbacHelmChartPath, - parameters: rbacHelmParameters(celoEnv, context), - }) -} - -async function upgradeKomenciRBACHelmChart(celoEnv: string, context: string) { - return upgradeGenericHelmChart({ - namespace: celoEnv, - releaseName: rbacReleaseName(celoEnv, ''), - chartDir: rbacHelmChartPath, - parameters: rbacHelmParameters(celoEnv, context), - }) -} - -function removeKomenciRBACHelmRelease(celoEnv: string) { - return removeGenericHelmChart(rbacReleaseName(celoEnv, ''), celoEnv) -} - -function rbacHelmParameters(celoEnv: string, context: string) { - const komenciConfig = getKomenciConfig(context) - console.info(komenciConfig) - const relayerReplicas = komenciConfig.relayerIdentities.length - const rewardsRelayerReplicas = komenciConfig.cLabsRewardsIdentities.length - return [ - `--set environment.name=${celoEnv}`, - `--set relayer.replicas=${relayerReplicas}`, - `--set rewards.relayer.replicas=${rewardsRelayerReplicas}`, - ] -} - -function rbacReleaseName(celoEnv: string, prefix: string) { - return `${celoEnv}-komenci-${prefix}rbac` -} - -async function rbacServiceAccountSecretNames(celoEnv: string, prefix: string, replicas: number) { - const names = [...Array(replicas).keys()].map((i) => `${rbacReleaseName(celoEnv, prefix)}-${i}`) - let jsonSecretPath = '"{.items[*].secrets[0][\'name\']}"' - if (names.length === 1) { - jsonSecretPath = '"{.secrets[0][\'name\']}"' - } - const [tokenName] = await execCmdWithExitOnFailure( - `kubectl get serviceaccount --namespace=${celoEnv} ${names.join( - ' ' - )} -o=jsonpath=${jsonSecretPath}` - ) - const tokenNames = tokenName.trim().split(' ') - return tokenNames -} diff --git a/packages/celotool/src/lib/kong.ts b/packages/celotool/src/lib/kong.ts deleted file mode 100644 index 2f191ceae9..0000000000 --- a/packages/celotool/src/lib/kong.ts +++ /dev/null 
@@ -1,110 +0,0 @@ -import { readFileSync, writeFileSync } from 'fs' -import { execCmdWithExitOnFailure } from 'src/lib/cmd-utils' -import { outputIncludes } from 'src/lib/utils' -import { createNamespaceIfNotExists } from './cluster' -import { installGenericHelmChart, retrieveIPAddress, upgradeGenericHelmChart } from './helm_deploy' - -const kongChartPath = '../helm-charts/kong' -const kongaChartPath = '../helm-charts/konga' - -// One unique kong/a deployment per cluster -const kongReleaseName = 'kong' -const kongNamespace = 'kong' -const kongaReleaseName = 'konga' -const kongaNamespace = 'kong' - -export async function installKong(celoEnv: string) { - await createNamespaceIfNotExists(kongNamespace) - await createUpdateKongConfigMap(celoEnv) - // Update values in values-clabs.yaml file - return installGenericHelmChart({ - namespace: kongNamespace, - releaseName: kongReleaseName, - chartDir: kongChartPath, - parameters: await kongHelmParamenters(celoEnv), - buildDependencies: true, - valuesOverrideFile: 'values-clabs.yaml', - }) -} - -export async function upgradeKong(celoEnv: string) { - await createUpdateKongConfigMap(celoEnv) - return upgradeGenericHelmChart({ - namespace: kongNamespace, - releaseName: kongReleaseName, - chartDir: kongChartPath, - parameters: await kongHelmParamenters(celoEnv), - buildDependencies: true, - valuesOverrideFile: 'values-clabs.yaml', - }) -} - -export async function installKonga(celoEnv: string) { - await createNamespaceIfNotExists(kongaNamespace) - // Update values in values.yaml file - return installGenericHelmChart({ - namespace: kongaNamespace, - releaseName: kongaReleaseName, - chartDir: kongaChartPath, - parameters: kongaHelmParamenters(celoEnv), - }) -} - -export async function upgradeKonga(celoEnv: string) { - return upgradeGenericHelmChart({ - namespace: kongaNamespace, - releaseName: kongaReleaseName, - chartDir: kongaChartPath, - parameters: kongaHelmParamenters(celoEnv), - }) -} - -export async function 
destroyKongAndKonga() { - await execCmdWithExitOnFailure(`kubectl delete ns ${kongNamespace} ${kongaNamespace}`) -} - -async function kongHelmParamenters(celoEnv: string) { - // GCP Internal infra ips - let trustedIPs = '130.211.0.0/22,35.191.0.0/16' - const fornoPublicGlobalIp = await retrieveIPAddress(`${celoEnv}-forno-global-address`, 'global') - trustedIPs = `${trustedIPs},${fornoPublicGlobalIp}/32` - return [ - `--set kong.extraEnvVars[0].name=KONG_TRUSTED_IPS`, - `--set kong.extraEnvVars[0].value='${trustedIPs.replace(/,/g, '\\,')}'`, - ] -} - -function kongaHelmParamenters(celoEnv: string) { - return [`--set geth_rpc_service=${celoEnv}-fullnodes-rpc.${celoEnv}`] -} - -/** - * Creates a configMap with the kong configuration - * Configuration is read from a kong config file inside the kong chart folder - */ -export async function createUpdateKongConfigMap(celoEnv: string) { - const kongConfig = readFileSync(`${kongChartPath}/kong.conf`).toString() - // We need to patch this file with the forno public ip as this ip will forward - // the requests and need to put in the config file so kong/nginx can consider - // that ip as internal - let trustedIPs = '130.211.0.0/22,35.191.0.0/16' - const fornoPublicGlobalIp = await retrieveIPAddress(`${celoEnv}-forno-global-address`, 'global') - trustedIPs = `${trustedIPs},${fornoPublicGlobalIp}/32` - const re = '/^trusted_ips = .+$/g' - kongConfig.replace(re, `trusted_ips = ${trustedIPs}`) - const kongConfigTmpFile = '/tmp/kong.conf' - writeFileSync(kongConfigTmpFile, kongConfig) - const configMapExists = await outputIncludes( - `kubectl get cm -n ${kongNamespace} kong-config || true`, - 'kong-config' - ) - if (configMapExists) { - await execCmdWithExitOnFailure( - `kubectl create cm kong-config -n ${kongNamespace} --from-file ${kongConfigTmpFile} -o yaml --dry-run | kubectl replace -f -` - ) - } else { - await execCmdWithExitOnFailure( - `kubectl create cm kong-config -n ${kongNamespace} --from-file ${kongConfigTmpFile}` - ) 
- } -} diff --git a/packages/celotool/src/lib/oracle.ts b/packages/celotool/src/lib/oracle.ts index 8a42599eb1..dc765bb348 100644 --- a/packages/celotool/src/lib/oracle.ts +++ b/packages/celotool/src/lib/oracle.ts @@ -4,18 +4,12 @@ import yargs from 'yargs' import { getCloudProviderFromContext, getDynamicEnvVarValues } from './context-utils' import { getOraclePrivateKeysFor, privateKeyToAddress } from './generate_utils' import { AksClusterConfig } from './k8s-cluster/aks' -import { AwsClusterConfig } from './k8s-cluster/aws' import { BaseClusterManager, CloudProvider } from './k8s-cluster/base' import { AksHsmOracleDeployer, AksHsmOracleDeploymentConfig, AksHsmOracleIdentity, } from './k8s-oracle/aks-hsm' -import { - AwsHsmOracleDeployer, - AwsHsmOracleDeploymentConfig, - AwsHsmOracleIdentity, -} from './k8s-oracle/aws-hsm' import { BaseOracleDeployer, CurrencyPair } from './k8s-oracle/base' import { PrivateKeyOracleDeployer, @@ -36,7 +30,6 @@ const hsmOracleDeployerGetterByCloudProvider: { clusterManager: BaseClusterManager ) => BaseOracleDeployer } = { - [CloudProvider.AWS]: getAwsHsmOracleDeployer, [CloudProvider.AZURE]: getAksHsmOracleDeployer, } 
@@ -170,89 +163,12 @@ const aksHsmOracleIdentityConfigDynamicEnvVars: { addressKeyVaults: DynamicEnvVar.ORACLE_ADDRESS_AZURE_KEY_VAULTS, } -/** - * ----------- AwsHsmOracleDeployer helpers ----------- - */ - -/** - * Gets an AwsHsmOracleDeployer by looking at env var values - */ -function getAwsHsmOracleDeployer( - celoEnv: string, - context: string, - currencyPair: CurrencyPair, - useForno: boolean, - clusterManager: BaseClusterManager -) { - const { addressKeyAliases } = getDynamicEnvVarValues( - awsHsmOracleIdentityConfigDynamicEnvVars, - { context, currencyPair }, - { - addressKeyAliases: '', - } - ) - - const identities = getAwsHsmOracleIdentities(addressKeyAliases, currencyPair) - const deploymentConfig: AwsHsmOracleDeploymentConfig = { - context, - clusterConfig: clusterManager.clusterConfig as AwsClusterConfig, - currencyPair, - identities, - useForno, - } - return new AwsHsmOracleDeployer(deploymentConfig, celoEnv) -} - -/** - * Given a string addressKeyAliases containing comma separated info of the form: - *
:: - * eg: 0x0000000000000000000000000000000000000000:keyAlias0,0x0000000000000000000000000000000000000001:keyAlias1:region1 - * returns an array of AwsHsmOracleIdentity in the same order - */ -export function getAwsHsmOracleIdentities( - addressKeyAliases: string, - currencyPair: CurrencyPair -): AwsHsmOracleIdentity[] { - const identityStrings = addressKeyAliases.split(',') - const identities = [] - for (const identityStr of identityStrings) { - const [address, keyAlias, region] = identityStr.split(':') - // region can be undefined - if (!address || !keyAlias) { - throw Error(`Address or key alias is invalid. Address: ${address} Key Alias: ${keyAlias}`) - } - identities.push({ - address, - currencyPair, - keyAlias, - region, - }) - } - return identities -} - -/** - * Config values pulled from env vars used for generating an AwsHsmOracleIdentity - */ -interface AwsHsmOracleIdentityConfig { - addressKeyAliases: string -} - -/** - * Env vars corresponding to each value for the AwsHsmOracleIdentityConfig for a particular context - */ -const awsHsmOracleIdentityConfigDynamicEnvVars: { - [k in keyof AwsHsmOracleIdentityConfig]: DynamicEnvVar -} = { - addressKeyAliases: DynamicEnvVar.ORACLE_ADDRESS_AWS_KEY_ALIASES, -} - /** * ----------- PrivateKeyOracleDeployer helpers ----------- */ /** - * Gets an AwsHsmOracleDeployer by looking at env var values and generating private keys + * Gets an PrivateKeyOracleDeployer by looking at env var values and generating private keys * from the mnemonic */ function getPrivateKeyOracleDeployer( diff --git a/packages/celotool/src/lib/prometheus.ts b/packages/celotool/src/lib/prometheus.ts index 0d3462a822..704b6caa2e 100644 --- a/packages/celotool/src/lib/prometheus.ts +++ b/packages/celotool/src/lib/prometheus.ts 
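Review bot: The reworded doc comment at the end of the hunk still has the wrong article — it now reads `Gets an PrivateKeyOracleDeployer`, so the fix only swapped the class name. Change the line to `* Gets a PrivateKeyOracleDeployer by looking at env var values and generating private keys`. The body of getPrivateKeyOracleDeployer continues outside the hunk.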
@@ -290,7 +290,6 @@ async function createPrometheusGcloudServiceAccount( function getCloudProviderPrefix(clusterConfig: BaseClusterConfig) { const prefixByCloudProvider: { [key in CloudProvider]: string } = { - [CloudProvider.AWS]: 'aws', [CloudProvider.AZURE]: 'aks', [CloudProvider.GCP]: 'gcp', } diff --git a/packages/celotool/src/lib/promtail.ts b/packages/celotool/src/lib/promtail.ts index 2101b2a924..3a4144684f 100644 --- a/packages/celotool/src/lib/promtail.ts +++ b/packages/celotool/src/lib/promtail.ts @@ -91,11 +91,6 @@ async function helmParameters(clusterConfig?: BaseClusterConfig) { `--set extraArgs[0]='-client.external-labels=cluster_name=${clusterConfig?.clusterName}'` ) break - - case CloudProvider.AWS: - default: - console.error(`Unrecognised or unsupported cloud provider: ${cloudProvider}`) - process.exit(1) } const user = fetchEnv(envVar.LOKI_USERNAME) diff --git a/packages/helm-charts/komenci-rbac/Chart.yaml b/packages/helm-charts/komenci-rbac/Chart.yaml deleted file mode 100644 index 5fa277e324..0000000000 --- a/packages/helm-charts/komenci-rbac/Chart.yaml +++ /dev/null @@ -1,5 +0,0 @@ -apiVersion: v1 -appVersion: "1.0" -description: A Helm chart to get the RBAC token needed by the komenci to reach the K8s API server -name: komenci-rbac -version: 0.1.0 diff --git a/packages/helm-charts/komenci-rbac/templates/_helper.tpl b/packages/helm-charts/komenci-rbac/templates/_helper.tpl deleted file mode 100644 index 1527741e2c..0000000000 --- a/packages/helm-charts/komenci-rbac/templates/_helper.tpl +++ /dev/null 
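Review bot: Removing the AWS case in helmParameters also removes the `default:` branch, so an unrecognised or unsupported cloud provider now falls out of the switch silently and the function goes on to build parameters with nothing cluster-specific set, where it previously logged and exited. Keep a default that fails fast: `default: console.error(\`Unrecognised or unsupported cloud provider: ${cloudProvider}\`); process.exit(1)`. This matters if CloudProvider.AWS is still a member of the enum after this commit (prometheus.ts's `[key in CloudProvider]: string` map suggests it is removed, but that enum is not in this diff) and for any provider added later. The enclosing helmParameters function starts and ends outside the hunk.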
@@ -1,15 +0,0 @@ -{{- define "name" -}} -{{- .Values.environment.name -}}-komenci-rbac-{{- .index -}} -{{- end -}} - -{{- define "komenci-pod-name" -}} -{{- .Values.environment.name -}}-relayer-{{- .index -}} -{{- end -}} - -{{- define "rewards-name" -}} -{{- .Values.environment.name -}}-komenci-rewards-rbac-{{- .index -}} -{{- end -}} - -{{- define "komenci-rewards-pod-name" -}} -{{- .Values.environment.name -}}-rewards-relayer-{{- .index -}} -{{- end -}} \ No newline at end of file diff --git a/packages/helm-charts/komenci-rbac/templates/role.yaml b/packages/helm-charts/komenci-rbac/templates/role.yaml deleted file mode 100644 index df04f4e72b..0000000000 --- a/packages/helm-charts/komenci-rbac/templates/role.yaml +++ /dev/null @@ -1,27 +0,0 @@ -{{ range $index, $e := until (.Values.relayer.replicas | int) }} -{{- $index_counter := (dict "Values" $.Values "index" $index) -}} -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: {{ template "name" $index_counter }} -rules: -- apiGroups: [""] - resources: ["pods"] - resourceNames: ["{{ template "komenci-pod-name" $index_counter }}"] - verbs: ["get", "patch"] ---- -{{ end }} - -{{ range $index, $e := until (.Values.rewards.relayer.replicas | int) }} -{{- $index_counter := (dict "Values" $.Values "index" $index) -}} -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: {{ template "rewards-name" $index_counter }} -rules: -- apiGroups: [""] - resources: ["pods"] - resourceNames: ["{{ template "komenci-rewards-pod-name" $index_counter }}"] - verbs: ["get", "patch"] ---- -{{ end }} diff --git a/packages/helm-charts/komenci-rbac/templates/rolebinding.yaml b/packages/helm-charts/komenci-rbac/templates/rolebinding.yaml deleted file mode 100644 index f9ebfb2482..0000000000 --- a/packages/helm-charts/komenci-rbac/templates/rolebinding.yaml +++ /dev/null 
@@ -1,31 +0,0 @@ -{{ range $index, $e := until (.Values.relayer.replicas | int) }} -{{- $index_counter := (dict "Values" $.Values "index" $index) -}} -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: {{ template "name" $index_counter }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: {{ template "name" $index_counter }} -subjects: -- kind: ServiceAccount - name: {{ template "name" $index_counter }} ---- -{{ end }} - -{{ range $index, $e := until (.Values.rewards.relayer.replicas | int) }} -{{- $index_counter := (dict "Values" $.Values "index" $index) -}} -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: {{ template "rewards-name" $index_counter }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: {{ template "rewards-name" $index_counter }} -subjects: -- kind: ServiceAccount - name: {{ template "rewards-name" $index_counter }} ---- -{{ end }} diff --git a/packages/helm-charts/komenci-rbac/templates/service-account.yaml b/packages/helm-charts/komenci-rbac/templates/service-account.yaml deleted file mode 100644 index da8ea5730d..0000000000 --- a/packages/helm-charts/komenci-rbac/templates/service-account.yaml +++ /dev/null @@ -1,17 +0,0 @@ -{{ range $index, $e := until (.Values.relayer.replicas | int) }} -{{- $index_counter := (dict "Values" $.Values "index" $index) -}} -apiVersion: v1 -kind: ServiceAccount -metadata: - name: {{ template "name" $index_counter}} ---- -{{ end }} - -{{ range $index, $e := until (.Values.rewards.relayer.replicas | int) }} -{{- $index_counter := (dict "Values" $.Values "index" $index) -}} -apiVersion: v1 -kind: ServiceAccount -metadata: - name: {{ template "rewards-name" $index_counter}} ---- -{{ end }} diff --git a/packages/helm-charts/komenci-rbac/values.yaml b/packages/helm-charts/komenci-rbac/values.yaml deleted file mode 100644 index 8b4bfd1fc5..0000000000 --- a/packages/helm-charts/komenci-rbac/values.yaml +++ /dev/null 
@@ -1,5 +0,0 @@ -environment: - name: default - -relayer: - replicas: 2 diff --git a/packages/helm-charts/komenci/Chart.yaml b/packages/helm-charts/komenci/Chart.yaml deleted file mode 100644 index d4b70b8f48..0000000000 --- a/packages/helm-charts/komenci/Chart.yaml +++ /dev/null @@ -1,9 +0,0 @@ -apiVersion: v1 -appVersion: "0.2.0" -description: A Helm chart for the Komenci app -name: komenci -version: 0.1.0 -dependencies: - - name: common - repository: oci://us-west1-docker.pkg.dev/devopsre/clabs-public-oci - version: 0.2.0 diff --git a/packages/helm-charts/komenci/templates/_helpers.tpl b/packages/helm-charts/komenci/templates/_helpers.tpl deleted file mode 100644 index df8bc9c4a7..0000000000 --- a/packages/helm-charts/komenci/templates/_helpers.tpl +++ /dev/null 
@@ -1,92 +0,0 @@ -{{/* -The name of the deployment -*/}} -{{- define "name" -}} -{{- .Values.environment.name -}}-relayer -{{- end -}} - -{{- define "rewards-relayer-name" -}} -{{- .Values.environment.name -}}-rewards-relayer -{{- end -}} - -{{- define "komenci-onboarding-fullname" -}} -{{- .Values.environment.name -}}-onboarding -{{- end -}} - -{{- define "komenci-rewards-fullname" -}} -{{- .Values.environment.name -}}-rewards -{{- end -}} - -{{/* -Common labels that are recommended to be used by Helm and Kubernetes -*/}} -{{- define "labels" -}} -app.kubernetes.io/name: {{ template "name" . }} -helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} -app.kubernetes.io/managed-by: {{ .Release.Service }} -app.kubernetes.io/instance: {{ .Release.Name }} -{{- end -}} - -{{/* -Annotations to indicate to the prometheus server that this node should be scraped for metrics -*/}} -{{- define "metric-annotations" -}} -prometheus.io/scrape: "true" -prometheus.io/port: "{{ .Values.relayer.metrics.prometheusPort }}" -{{- end -}} - -{{/* -Label specific to the komenci relayer component -*/}} -{{- define "komenci-relayer-component-label" -}} -app.kubernetes.io/component: komenci-relayer -{{- end -}} - -{{/* -Label specific to the komenci onboarding component -*/}} -{{- define "komenci-onboarding-component-label" -}} -app.kubernetes.io/component: komenci-onboarding -{{- end -}} - -{{/* -Label specific to the komenci rewards component -*/}} -{{- define "komenci-rewards-component-label" -}} -app.kubernetes.io/component: komenci-rewards -{{- end -}} - -{{/* -Label specific to the komenci rewards relayer component -*/}} -{{- define "komenci-rewards-relayer-component-label" -}} -app.kubernetes.io/component: komenci-rewards-relayer -{{- end -}} - -{{/* -The name of the azure identity binding for all relayers -*/}} -{{- define "azure-identity-binding-name" -}} -{{- with .dot -}}{{ template "name" . 
}}{{- end -}}-{{ .index }}-identity-binding -{{- end -}} - -{{/* -The name of the azure identity binding for all rewards relayers -*/}} -{{- define "azure-rewards-identity-binding-name" -}} -{{- with .dot -}}{{ template "rewards-relayer-name" . }}{{- end -}}-{{ .index }}-identity-binding -{{- end -}} - -{{/* -The name of the azure identity for all relayers -*/}} -{{- define "azure-identity-name" -}} -{{- with .dot -}}{{ template "name" . }}{{- end -}}-{{ .index }}-identity -{{- end -}} - -{{/* -The name of the azure identity for all rewards relayers -*/}} -{{- define "azure-rewards-identity-name" -}} -{{- with .dot -}}{{ template "rewards-relayer-name" . }}{{- end -}}-{{ .index }}-identity -{{- end -}} \ No newline at end of file diff --git a/packages/helm-charts/komenci/templates/azure-identity-binding.yaml b/packages/helm-charts/komenci/templates/azure-identity-binding.yaml deleted file mode 100644 index 6160db6910..0000000000 --- a/packages/helm-charts/komenci/templates/azure-identity-binding.yaml +++ /dev/null 
@@ -1,25 +0,0 @@ -{{- range $index, $identity := .Values.relayer.identities -}} -{{ if (hasKey $identity "azure") }} -apiVersion: "aadpodidentity.k8s.io/v1" -kind: AzureIdentityBinding -metadata: - name: {{ template "azure-identity-binding-name" (dict "dot" $ "index" $index) }} -spec: - azureIdentity: {{ template "azure-identity-name" (dict "dot" $ "index" $index) }} - selector: {{ template "azure-identity-binding-name" (dict "dot" $ "index" $index) }} ---- -{{ end }} -{{ end }} - -{{- range $index, $identity := .Values.rewards.relayer.identities -}} -{{ if (hasKey $identity "azure") }} -apiVersion: "aadpodidentity.k8s.io/v1" -kind: AzureIdentityBinding -metadata: - name: {{ template "azure-rewards-identity-binding-name" (dict "dot" $ "index" $index) }} -spec: - azureIdentity: {{ template "azure-rewards-identity-name" (dict "dot" $ "index" $index) }} - selector: {{ template "azure-rewards-identity-binding-name" (dict "dot" $ "index" $index) }} ---- -{{ end }} -{{ end }} diff --git a/packages/helm-charts/komenci/templates/azure-identity.yaml b/packages/helm-charts/komenci/templates/azure-identity.yaml deleted file mode 100644 index b93930624c..0000000000 --- a/packages/helm-charts/komenci/templates/azure-identity.yaml +++ /dev/null 
@@ -1,31 +0,0 @@ -{{- range $index, $identity := .Values.relayer.identities -}} -{{ if (hasKey $identity "azure") }} -apiVersion: aadpodidentity.k8s.io/v1 -kind: AzureIdentity -metadata: - name: {{ template "azure-identity-name" (dict "dot" $ "index" $index) }} - annotations: - aadpodidentity.k8s.io/Behavior: namespaced -spec: - type: 0 - resourceID: {{ $identity.azure.id }} - clientID: {{ $identity.azure.clientId }} ---- -{{ end }} -{{ end }} - -{{- range $index, $identity := .Values.rewards.relayer.identities -}} -{{ if (hasKey $identity "azure") }} -apiVersion: aadpodidentity.k8s.io/v1 -kind: AzureIdentity -metadata: - name: {{ template "azure-rewards-identity-name" (dict "dot" $ "index" $index) }} - annotations: - aadpodidentity.k8s.io/Behavior: namespaced -spec: - type: 0 - resourceID: {{ $identity.azure.id }} - clientID: {{ $identity.azure.clientId }} ---- -{{ end }} -{{ end }} diff --git a/packages/helm-charts/komenci/templates/logging-agent-config.yaml b/packages/helm-charts/komenci/templates/logging-agent-config.yaml deleted file mode 100644 index 2130bad90f..0000000000 --- a/packages/helm-charts/komenci/templates/logging-agent-config.yaml +++ /dev/null 
@@ -1,124 +0,0 @@ -apiVersion: v1 -kind: ConfigMap -metadata: - name: logging-agent-config - namespace: default -data: - credentials-json: | -{{ .Values.loggingAgent.credentials | b64dec | indent 4 }} - app-conf: | - # Tails the container logs into standard JSON - - @type tail - path /var/log/containers/*.log - path_key file_path - pos_file /opt/containers.log.pos - tag komenci.app.{{ .Values.environment.network }} - limit_recently_modified 1d - - @type multi_format - - format json - time_key time - time_format %Y-%m-%dT%H:%M:%S.%NZ - - - format /^(? - - - - # Parses the kubernetes context from the container log name - - @type parser - format /var\/log\/containers\/(?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*)_(?[^_]+)_(?.+)-(?[a-z0-9]{64})\.log$/ - reserve_data true - emit_invalid_record_to_error false - key_name file_path - - - - @type grep - - key namespace - pattern /{{ .Values.environment.name }}/ - - - - - @type parser - key_name log - reserve_time true - reserve_data true - - - @type multi_format - - format json - - - format none - - - - - # Transforms the container log into a user friendly format - - @type record_transformer - enable_ruby - - message ${record['message'] || record['msg'] || record['log']} - severity ${record['severity'] || if record['stream'] == 'stderr' then 'ERROR' else 'INFO' end} - "logging.googleapis.com/local_resource_id" ${"k8s_container.#{record['namespace']}.#{record['pod_name']}.#{record['container_name']}"} - - remove_keys stream,log,file_path,msg,namespace,pod_name,container_name - - - google-fluentd-conf: | - @include config.d/*.conf - - # Prometheus monitoring. - - @type prometheus - port 24231 - - - @type prometheus_monitor - - - # Do not collect fluentd's own logs to avoid infinite loops. - - - # Add a unique insertId to each log entry that doesn't already have it. - # This helps guarantee the order and prevent log duplication. 
- - @type add_insert_ids - - - # Configure all sources to output to Google Cloud Logging - - @type google_cloud - label_map { - "container_id": "container_id" - } - use_metadata_service false - buffer_type file - buffer_path /var/log/google-fluentd/buffers - buffer_chunk_limit 512KB - flush_interval 5s - disable_retry_limit false - retry_limit 3 - retry_wait 10 - max_retry_wait 300 - num_threads 8 - detect_json true - use_grpc true - k8s_cluster_name {{ .Values.environment.cluster.name }} - k8s_cluster_location {{ .Values.environment.cluster.location }} - - diff --git a/packages/helm-charts/komenci/templates/logging-agent.yaml b/packages/helm-charts/komenci/templates/logging-agent.yaml deleted file mode 100644 index 7513771194..0000000000 --- a/packages/helm-charts/komenci/templates/logging-agent.yaml +++ /dev/null 
@@ -1,84 +0,0 @@ -apiVersion: apps/v1 -kind: DaemonSet -metadata: - name: fluentd-log-agent - namespace: default -spec: - selector: - matchLabels: - name: fluentd-log-agent - template: - metadata: - creationTimestamp: null - annotations: - checksum/config: {{ include (print $.Template.BasePath "/logging-agent-config.yaml") . | sha256sum }} - labels: - name: fluentd-log-agent - spec: - serviceAccountName: default - tolerations: - - key: node-role.kubernetes.io/master - effect: NoSchedule - containers: - - image: celotestnet.azurecr.io/fluentd/google-fluentd:latest - imagePullPolicy: Always - name: fluentd-log-agent - resources: - limits: - memory: "250Mi" - cpu: 250m - requests: - memory: "250Mi" - cpu: 100m - volumeMounts: - - mountPath: /var/log - name: varlog - - mountPath: /var/lib/docker/containers - name: varlibdockercontainers - readOnly: true - - mountPath: /opt/credentials.json - name: credentials-json - subPath: credentials-json-path - readOnly: true - - mountPath: /etc/google-fluentd/google-fluentd.conf - name: google-fluentd-conf - subPath: google-fluentd-conf-path - readOnly: true - - mountPath: /etc/google-fluentd/config.d/app.conf - name: app-conf - subPath: app-conf-path - readOnly: true - env: - - name: GOOGLE_APPLICATION_CREDENTIALS - value: /opt/credentials.json - restartPolicy: Always - terminationGracePeriodSeconds: 30 - volumes: - - hostPath: - path: /var/log - name: varlog - - hostPath: - path: /var/lib/docker/containers - name: varlibdockercontainers - - name: credentials-json - configMap: - name: logging-agent-config - items: - - key: credentials-json - path: credentials-json-path - - name: app-conf - configMap: - name: logging-agent-config - items: - - key: app-conf - path: app-conf-path - - name: google-fluentd-conf - configMap: - name: logging-agent-config - items: - - key: google-fluentd-conf - path: google-fluentd-conf-path - - - - 
diff --git a/packages/helm-charts/komenci/templates/onboarding-deployment.yaml b/packages/helm-charts/komenci/templates/onboarding-deployment.yaml deleted file mode 100644 index fd6bf98290..0000000000 --- a/packages/helm-charts/komenci/templates/onboarding-deployment.yaml +++ /dev/null 
@@ -1,84 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ include "komenci-onboarding-fullname" . }} - labels: -{{- include "komenci-onboarding-component-label" . | nindent 4 }} -spec: - replicas: {{ .Values.onboarding.replicaCount }} - selector: - matchLabels: - {{- include "komenci-onboarding-component-label" . | nindent 6 }} - template: - metadata: - labels: -{{- include "komenci-onboarding-component-label" . | nindent 8 }} - spec: - containers: - - name: komenci-onboarding - securityContext: - {{- toYaml .Values.securityContext | nindent 12 }} - image: {{ .Values.image.repository }}:{{ .Values.image.tag }} - imagePullPolicy: Always - ports: - - name: http - containerPort: 3000 - command: - - bash - - "-c" - - | - node packages/apps/api/dist/main.js - resources: - {{- toYaml .Values.onboarding.resources | nindent 12 }} - env: - - name: REPLICA_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name -{{ include "common.env-var" (dict "name" "RULE_SIGNATURE_ENABLED" "dict" .Values.onboarding.ruleEnabled "value_name" "signature") | indent 10 }} -{{ include "common.env-var" (dict "name" "RULE_CAPTCHA_ENABLED" "dict" .Values.onboarding.ruleEnabled "value_name" "captcha") | indent 10 }} -{{ include "common.env-var" (dict "name" "RULE_CAPTCHA_CONFIG_BYPASS_ENABLED" "dict" .Values.onboarding.ruleConfig.captcha "value_name" "bypassEnabled") | indent 10 }} -{{ include "common.env-var" (dict "name" "RULE_CAPTCHA_CONFIG_BYPASS_TOKEN" "dict" .Values.onboarding.ruleConfig.captcha "value_name" "bypassToken") | indent 10 }} -{{ include "common.env-var" (dict "name" "RECAPTCHA_TOKEN" "dict" .Values.onboarding "value_name" "recaptchaToken") | indent 10 }} -{{ include "common.env-var" (dict "name" "QUOTA_DISTRIBUTED_BLINDED_PEPPER" "dict" .Values.onboarding.quota "value_name" "distributedBlindePepper") | indent 10 }} -{{ include "common.env-var" (dict "name" "QUOTA_REQUEST_SUBSIDISED_ATTESTATION" "dict" .Values.onboarding.quota "value_name" 
"requestSubsidisedAttestation") | indent 10 }} -{{ include "common.env-var" (dict "name" "QUOTA_SUBMIT_META_TRANSACTION" "dict" .Values.onboarding.quota "value_name" "submitMetaTransaction") | indent 10 }} -{{ include "common.env-var" (dict "name" "DB_HOST" "dict" .Values.onboarding.db "value_name" "host" "optional" true) | indent 10 }} -{{ include "common.env-var" (dict "name" "DB_PORT" "dict" .Values.onboarding.db "value_name" "port" "optional" true) | indent 10 }} -{{ include "common.env-var" (dict "name" "DB_USERNAME" "dict" .Values.onboarding.db "value_name" "username") | indent 10 }} -{{ include "common.env-var" (dict "name" "DB_PASSWORD" "dict" .Values.onboarding.db "value_name" "password") | indent 10 }} -{{ include "common.env-var" (dict "name" "DB_DATABASE" "dict" .Values.onboarding.db "value_name" "database") | indent 10 }} -{{ include "common.env-var" (dict "name" "DB_SYNCHRONIZE" "dict" .Values.onboarding.db "value_name" "synchronize") | indent 10 }} -{{ include "common.env-var" (dict "name" "DB_SSL" "dict" .Values.onboarding.db "value_name" "ssl") | indent 10 }} -{{ include "common.env-var" (dict "name" "NODE_ENV" "dict" .Values.onboarding "value_name" "node_env") | indent 10 }} -{{ include "common.env-var" (dict "name" "RELAYER_HOST" "dict" .Values.onboarding.relayer "value_name" "host") | indent 10 }} -{{ include "common.env-var" (dict "name" "RELAYER_PORT" "dict" .Values.onboarding.relayer "value_name" "port") | indent 10 }} -{{ include "common.env-var" (dict "name" "RELAYER_RPC_TIMEOUT_MS" "dict" .Values.onboarding.relayer "value_name" "rpcTimeoutMs") | indent 10 }} -{{ include "common.env-var" (dict "name" "THROTTLE_TTL" "dict" .Values.onboarding.throttle "value_name" "ttl") | indent 10 }} -{{ include "common.env-var" (dict "name" "THROTTLE_LIMIT" "dict" .Values.onboarding.throttle "value_name" "limit") | indent 10 }} -{{ include "common.env-var" (dict "name" "NETWORK" "dict" .Values.environment "value_name" "network") | indent 10 }} -{{ include 
"common.env-var" (dict "name" "PUBLIC_URL" "dict" .Values.onboarding "value_name" "publicUrl") | indent 10 }} - readinessProbe: - httpGet: - path: /v1/health - port: 3000 - initialDelaySeconds: 3 - periodSeconds: 3 - livenessProbe: - httpGet: - path: /v1/health - port: 3000 - initialDelaySeconds: 3 - periodSeconds: 10 - {{- with .Values.onboarding.nodeSelector }} - nodeSelector: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.onboarding.affinity }} - affinity: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.onboarding.tolerations }} - tolerations: - {{- toYaml . | nindent 8 }} - {{- end }} diff --git a/packages/helm-charts/komenci/templates/onboarding-ingress.yaml b/packages/helm-charts/komenci/templates/onboarding-ingress.yaml deleted file mode 100644 index d1269a49d5..0000000000 --- a/packages/helm-charts/komenci/templates/onboarding-ingress.yaml +++ /dev/null @@ -1,30 +0,0 @@ -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: komenci-onboarding-ingress - annotations: - kubernetes.io/tls-acme: "true" -spec: - ingressClassName: {{ default "nginx" .Values.ingressClassName }} - tls: - - hosts: - - {{ .Values.onboarding.publicHostname }} - secretName: {{ .Release.Namespace }}-web-tls - rules: - - host: {{ .Values.onboarding.publicHostname }} - http: - paths: - - path: /rewards - pathType: Prefix - backend: - service: - name: {{ .Release.Namespace }}-rewards - port: - number: 3000 - - path: / - pathType: Prefix - backend: - service: - name: {{ .Release.Namespace }}-onboarding - port: - number: 3000 diff --git a/packages/helm-charts/komenci/templates/onboarding-service.yaml b/packages/helm-charts/komenci/templates/onboarding-service.yaml deleted file mode 100644 index 0928dd40e5..0000000000 --- a/packages/helm-charts/komenci/templates/onboarding-service.yaml +++ /dev/null 
@@ -1,14 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: {{ include "komenci-onboarding-fullname" . }} - labels: -{{ include "labels" . | indent 4 }} -{{ include "komenci-onboarding-component-label" . | indent 4 }} -spec: - clusterIP: None - selector: -{{ include "komenci-onboarding-component-label" . | indent 4 }} - ports: - - name: http - port: 3000 \ No newline at end of file diff --git a/packages/helm-charts/komenci/templates/relayer-statefulset.yaml b/packages/helm-charts/komenci/templates/relayer-statefulset.yaml deleted file mode 100644 index a6e9fd4dea..0000000000 --- a/packages/helm-charts/komenci/templates/relayer-statefulset.yaml +++ /dev/null 
@@ -1,135 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: {{ template "name" . }} - labels: -{{ include "labels" . | indent 4 }} -{{ include "komenci-relayer-component-label" . | indent 4 }} -spec: - ports: - - name: http - port: 3000 - clusterIP: None - selector: -{{ include "komenci-relayer-component-label" . | indent 4 }} ---- -apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: {{ template "name" . }} - labels: -{{ include "labels" . | indent 4 }} -{{ include "komenci-relayer-component-label" . | indent 4 }} -spec: - podManagementPolicy: Parallel - updateStrategy: - type: RollingUpdate - replicas: {{ .Values.relayer.replicas }} - serviceName: relayer - selector: - matchLabels: -{{ include "labels" . | indent 6 }} -{{ include "komenci-relayer-component-label" . | indent 6 }} - template: - metadata: - labels: -{{ include "labels" . | indent 8 }} -{{ include "komenci-relayer-component-label" . | indent 8 }} - annotations: -{{ if .Values.relayer.metrics.enabled }} -{{ include "metric-annotations" . 
| indent 8 }} -{{ end }} - spec: - initContainers: - - name: set-label - image: {{ .Values.kubectl.image.repository }}:{{ .Values.kubectl.image.tag }} - command: - - /bin/bash - - -c - args: - - | - RID=${POD_NAME##*-} - TOKEN_ENV_VAR_NAME="TOKEN_$RID" - kubectl \ - --namespace "$POD_NAMESPACE" \ - --server="https://kubernetes.default.svc" \ - --token="${!TOKEN_ENV_VAR_NAME}" \ - --certificate-authority="/var/run/secrets/kubernetes.io/serviceaccount/ca.crt" \ - label pod "$POD_NAME" \ - --overwrite \ - "aadpodidbinding=$POD_NAME-identity-binding" - env: - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - {{ range $index, $e := .Values.kube.serviceAccountSecretNames }} - - name: TOKEN_{{ $index }} - valueFrom: - secretKeyRef: - key: token - name: {{ $e }} - {{ end }} - containers: - - name: komenci-relayer - image: {{ .Values.image.repository }}:{{ .Values.image.tag }} - imagePullPolicy: Always - ports: - - name: prometheus - containerPort: {{ .Values.relayer.metrics.prometheusPort }} - - name: relayer - containerPort: 3000 - command: - - bash - - "-c" - - | - [[ $REPLICA_NAME =~ -([0-9]+)$ ]] || exit 1 - RID=${BASH_REMATCH[1]} - - # Set the private key path. If Azure HSM signing is specified, - # it will take precedence. - export PRIVATE_KEY_PATH="/private-keys/private-key-$RID" - - # Get the correct key vault name. 
If this relayer's identity is not - # using Azure HSM signing, the key vault name will be empty and ignored - AZURE_KEY_VAULT_NAMES={{- range $index, $identity := .Values.relayer.identities -}}{{- if (hasKey $identity "azure" ) -}}{{ $identity.azure.keyVaultName | default "" }}{{- end }},{{- end }} - export AZURE_KEY_NAME=`echo -n $AZURE_KEY_VAULT_NAMES | cut -d ',' -f $((RID + 1))` - export AZURE_VAULT_NAME=`echo -n $AZURE_KEY_VAULT_NAMES | cut -d ',' -f $((RID + 1))` - - # Get the correct relayer account address - ADDRESSES={{- range $index, $identity := .Values.relayer.identities -}}{{ $identity.address }},{{- end }} - export WALLET_ADDRESS=`echo -n $ADDRESSES | cut -d ',' -f $((RID + 1))` - - node packages/apps/relayer/dist/main.js - env: - - name: REPLICA_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name -{{ include "common.env-var" (dict "name" "AZURE_HSM_INIT_TRY_COUNT" "dict" .Values.relayer.azureHsm "value_name" "initTryCount") | indent 8 }} -{{ include "common.env-var" (dict "name" "AZURE_HSM_INIT_MAX_RETRY_BACKOFF_MS" "dict" .Values.relayer.azureHsm "value_name" "initMaxRetryBackoffMs") | indent 8 }} -{{ include "common.env-var" (dict "name" "METRICS" "dict" .Values.relayer.metrics "value_name" "enabled") | indent 8 }} -{{ include "common.env-var" (dict "name" "OVERRIDE_INDEX" "dict" .Values.relayer "value_name" "overrideIndex" "optional" true) | indent 8 }} -{{ include "common.env-var" (dict "name" "OVERRIDE_ORACLE_COUNT" "dict" .Values.relayer "value_name" "overrideOracleCount" "optional" true) | indent 8 }} -{{ include "common.env-var" (dict "name" "PRIVATE_KEY_PATH" "dict" .Values.relayer "value_name" "privateKeyPath" "optional" true) | indent 8 }} -{{ include "common.env-var" (dict "name" "PROMETHEUS_PORT" "dict" .Values.relayer.metrics "value_name" "prometheusPort") | indent 8 }} -{{ include "common.env-var" (dict "name" "NODE_ENV" "dict" .Values.relayer "value_name" "node_env") | indent 8 }} -{{ include "common.env-var" (dict "name" 
"RELAYER_PORT" "dict" .Values.relayer "value_name" "port") | indent 8 }} -{{ include "common.env-var" (dict "name" "NETWORK" "dict" .Values.environment "value_name" "network") | indent 8 }} -{{ include "common.env-var" (dict "name" "WALLET_TYPE" "dict" .Values.relayer "value_name" "walletType") | indent 8 }} -{{ include "common.env-var" (dict "name" "GAS_PRICE_UPDATE_INTERVAL_MS" "dict" .Values.relayer "value_name" "gasPriceUpdateIntervalMs") | indent 8 }} -{{ include "common.env-var" (dict "name" "GAS_PRICE_MULTIPLIER" "dict" .Values.relayer "value_name" "gasPriceMultiplier") | indent 8 }} - readinessProbe: - tcpSocket: - port: 3000 - initialDelaySeconds: 5 - periodSeconds: 10 - livenessProbe: - tcpSocket: - port: 3000 - initialDelaySeconds: 15 - periodSeconds: 20 diff --git a/packages/helm-charts/komenci/templates/rewards-deployment.yaml b/packages/helm-charts/komenci/templates/rewards-deployment.yaml deleted file mode 100644 index 61f77c8d3b..0000000000 --- a/packages/helm-charts/komenci/templates/rewards-deployment.yaml +++ /dev/null 
@@ -1,47 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ include "komenci-rewards-fullname" . }} - labels: -{{- include "komenci-rewards-component-label" . | nindent 4 }} -spec: - replicas: {{ .Values.rewards.replicaCount }} - selector: - matchLabels: - {{- include "komenci-rewards-component-label" . | nindent 6 }} - template: - metadata: - labels: -{{- include "komenci-rewards-component-label" . | nindent 8 }} - spec: - containers: - - name: komenci-rewards - securityContext: - {{- toYaml .Values.securityContext | nindent 12 }} - image: {{ .Values.image.repository }}:{{ .Values.image.tag }} - imagePullPolicy: Always - ports: - - name: http - containerPort: 3000 - command: - - bash - - "-c" - - | - node packages/apps/rewards/dist/main.js - env: - - name: REPLICA_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name -{{ include "common.env-var" (dict "name" "DB_HOST" "dict" .Values.rewards.db "value_name" "host" "optional" true) | indent 10 }} -{{ include "common.env-var" (dict "name" "DB_PORT" "dict" .Values.rewards.db "value_name" "port" "optional" true) | indent 10 }} -{{ include "common.env-var" (dict "name" "DB_USERNAME" "dict" .Values.rewards.db "value_name" "username") | indent 10 }} -{{ include "common.env-var" (dict "name" "DB_PASSWORD" "dict" .Values.rewards.db "value_name" "password") | indent 10 }} -{{ include "common.env-var" (dict "name" "DB_DATABASE" "dict" .Values.rewards.db "value_name" "database") | indent 10 }} -{{ include "common.env-var" (dict "name" "DB_SYNCHRONIZE" "dict" .Values.rewards.db "value_name" "synchronize") | indent 10 }} -{{ include "common.env-var" (dict "name" "DB_SSL" "dict" .Values.rewards.db "value_name" "ssl") | indent 10 }} -{{ include "common.env-var" (dict "name" "RELAYER_HOST" "dict" .Values.rewards.relayer "value_name" "host") | indent 10 }} -{{ include "common.env-var" (dict "name" "RELAYER_PORT" "dict" .Values.rewards.relayer "value_name" "port") | indent 10 }} -{{ include "common.env-var" (dict 
"name" "NETWORK" "dict" .Values.environment "value_name" "network") | indent 10 }} -{{ include "common.env-var" (dict "name" "SEGMENT_API_KEY" "dict" .Values.rewards "value_name" "segmentApiKey") | indent 10 }} -{{ include "common.env-var" (dict "name" "SHOULD_SEND_REWARDS" "dict" .Values.rewards "value_name" "shouldSendRewards") | indent 10 }} diff --git a/packages/helm-charts/komenci/templates/rewards-relayer-statefulset.yaml b/packages/helm-charts/komenci/templates/rewards-relayer-statefulset.yaml deleted file mode 100644 index 70fc0e4a12..0000000000 --- a/packages/helm-charts/komenci/templates/rewards-relayer-statefulset.yaml +++ /dev/null 
@@ -1,128 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: {{ template "rewards-relayer-name" . }} - labels: -{{ include "labels" . | indent 4 }} -{{ include "komenci-rewards-relayer-component-label" . | indent 4 }} -spec: - ports: - - name: http - port: 3000 - clusterIP: None - selector: -{{ include "komenci-rewards-relayer-component-label" . | indent 4 }} ---- -apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: {{ template "rewards-relayer-name" . }} - labels: -{{ include "labels" . | indent 4 }} -{{ include "komenci-rewards-relayer-component-label" . | indent 4 }} -spec: - podManagementPolicy: Parallel - updateStrategy: - type: RollingUpdate - replicas: {{ .Values.rewards.relayer.replicas }} - serviceName: relayer - selector: - matchLabels: -{{ include "labels" . | indent 6 }} -{{ include "komenci-rewards-relayer-component-label" . | indent 6 }} - template: - metadata: - labels: -{{ include "labels" . | indent 8 }} -{{ include "komenci-rewards-relayer-component-label" . | indent 8 }} - annotations: -{{ if .Values.rewards.relayer.metrics.enabled }} -{{ include "metric-annotations" . 
| indent 8 }} -{{ end }} - spec: - initContainers: - - name: set-label - image: {{ .Values.kubectl.image.repository }}:{{ .Values.kubectl.image.tag }} - command: - - /bin/bash - - -c - args: - - | - RID=${POD_NAME##*-} - TOKEN_ENV_VAR_NAME="TOKEN_$RID" - kubectl \ - --namespace "$POD_NAMESPACE" \ - --server="https://kubernetes.default.svc" \ - --token="${!TOKEN_ENV_VAR_NAME}" \ - --certificate-authority="/var/run/secrets/kubernetes.io/serviceaccount/ca.crt" \ - label pod "$POD_NAME" \ - --overwrite \ - "aadpodidbinding=$POD_NAME-identity-binding" - env: - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - {{ range $index, $e := .Values.kube.rewardsServiceAccountSecretNames }} - - name: TOKEN_{{ $index }} - valueFrom: - secretKeyRef: - key: token - name: {{ $e }} - {{ end }} - containers: - - name: komenci-rewards-relayer - image: {{ .Values.image.repository }}:{{ .Values.image.tag }} - imagePullPolicy: Always - ports: - - name: prometheus - containerPort: {{ .Values.rewards.relayer.metrics.prometheusPort }} - - name: relayer - containerPort: 3000 - command: - - bash - - "-c" - - | - [[ $REPLICA_NAME =~ -([0-9]+)$ ]] || exit 1 - RID=${BASH_REMATCH[1]} - - # Get the correct key vault name. 
If this relayer's identity is not - # using Azure HSM signing, the key vault name will be empty and ignored - AZURE_KEY_VAULT_NAMES={{- range $index, $identity := .Values.rewards.relayer.identities -}}{{- if (hasKey $identity "azure" ) -}}{{ $identity.azure.keyVaultName | default "" }}{{- end }},{{- end }} - export AZURE_KEY_NAME=`echo -n $AZURE_KEY_VAULT_NAMES | cut -d ',' -f $((RID + 1))` - export AZURE_VAULT_NAME=`echo -n $AZURE_KEY_VAULT_NAMES | cut -d ',' -f $((RID + 1))` - - # Get the correct relayer account address - ADDRESSES={{- range $index, $identity := .Values.rewards.relayer.identities -}}{{ $identity.address }},{{- end }} - export WALLET_ADDRESS=`echo -n $ADDRESSES | cut -d ',' -f $((RID + 1))` - - node packages/apps/relayer/dist/main.js - env: - - name: REPLICA_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name -{{ include "common.env-var" (dict "name" "AZURE_HSM_INIT_TRY_COUNT" "dict" .Values.komenci.azureHsm "value_name" "initTryCount") | indent 8 }} -{{ include "common.env-var" (dict "name" "AZURE_HSM_INIT_MAX_RETRY_BACKOFF_MS" "dict" .Values.komenci.azureHsm "value_name" "initMaxRetryBackoffMs") | indent 8 }} -{{ include "common.env-var" (dict "name" "METRICS" "dict" .Values.rewards.relayer.metrics "value_name" "enabled") | indent 8 }} -{{ include "common.env-var" (dict "name" "OVERRIDE_INDEX" "dict" .Values.rewards.relayer "value_name" "overrideIndex" "optional" true) | indent 8 }} -{{ include "common.env-var" (dict "name" "PROMETHEUS_PORT" "dict" .Values.rewards.relayer.metrics "value_name" "prometheusPort") | indent 8 }} -{{ include "common.env-var" (dict "name" "NODE_ENV" "dict" .Values.rewards.relayer "value_name" "node_env") | indent 8 }} -{{ include "common.env-var" (dict "name" "RELAYER_PORT" "dict" .Values.rewards.relayer "value_name" "port") | indent 8 }} -{{ include "common.env-var" (dict "name" "NETWORK" "dict" .Values.environment "value_name" "network") | indent 8 }} -{{ include "common.env-var" (dict "name" "WALLET_TYPE" 
"dict" .Values.rewards.relayer "value_name" "walletType") | indent 8 }} -{{ include "common.env-var" (dict "name" "GAS_PRICE_UPDATE_INTERVAL_MS" "dict" .Values.rewards.relayer "value_name" "gasPriceUpdateIntervalMs") | indent 8 }} - readinessProbe: - tcpSocket: - port: 3000 - initialDelaySeconds: 5 - periodSeconds: 10 - livenessProbe: - tcpSocket: - port: 3000 - initialDelaySeconds: 15 - periodSeconds: 20 \ No newline at end of file diff --git a/packages/helm-charts/komenci/templates/rewards-service.yaml b/packages/helm-charts/komenci/templates/rewards-service.yaml deleted file mode 100644 index 0653de5454..0000000000 --- a/packages/helm-charts/komenci/templates/rewards-service.yaml +++ /dev/null @@ -1,14 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: {{ include "komenci-rewards-fullname" . }} - labels: -{{ include "labels" . | indent 4 }} -{{ include "komenci-rewards-component-label" . | indent 4 }} -spec: - clusterIP: None - selector: -{{ include "komenci-rewards-component-label" . | indent 4 }} - ports: - - name: http - port: 3000 diff --git a/packages/helm-charts/komenci/values.yaml b/packages/helm-charts/komenci/values.yaml deleted file mode 100644 index fc557f48fb..0000000000 --- a/packages/helm-charts/komenci/values.yaml +++ /dev/null 
@@ -1,125 +0,0 @@ -# This file is intended to show the expected value structure with placeholder values. -# Many values are optional, and the defaults are left up to the client. -# These values are commented out in this file, but show the correct structure -# if they were to be specified. - -ingressClassName: nginx - -kube: - serviceAccountSecretNames: - - "secret1" - - "secret2" - -environment: - name: test - network: alfajores - cluster: - name: test-cluster - location: location - -image: - repository: celotestnet.azurecr.io/komenci/komenci - tag: 5f2ef23e6c51eda8e5288490eab8ec2cbd058b11 - -kubectl: - image: - repository: bitnami/kubectl - tag: 1.17.4 - -relayer: - node_env: production - image: - repository: celotestnet.azurecr.io/komenci/relayer - tag: dae43ddce108a73da07dce73875b980ff077c7d4 - replicas: 2 - port: 3000 - identities: - - address: 0x00454cac6dae53f8800f71395b9a174f07a784b1 - azure: - id: defaultId - clientId: defaultClientId - keyVaultName: staging-komenci-eus - - address: 0xc6f0f9bfb1aed83620ece3eac0add98a65a8574e - azure: - id: defaultId1 - clientId: defaultClientId1 - keyVaultName: staging-komenci-eus - azureHsm: - initTryCount: 5 - initMaxRetryBackoffMs: 30000 - metrics: - enabled: true - prometheusPort: 9090 - walletType: azure-hsm - gasPriceUpdateIntervalMs: "1200000" - gasPriceMultiplier: 5 - maxGasPrice: "30000000000" # 30 gwei - -onboarding: - node_env: production - image: - repository: celotestnet.azurecr.io/komenci/onboarding - tag: dae43ddce108a73da07dce73875b980ff077c7d4 - replicas: 2 - throttle: - ttl: 60 - limit: 25 - ruleEnabled: - signature: true - captcha: true - ruleConfig: - captcha: - bypassEnabled: false - bypassToken: "special-bypass-captcha-token" - recaptchaToken: 'from-secret' - quota: - distributedBlindePepper: 1 - requestSubsidisedAttestation: 10 - submitMetaTransaction: 20 - relayer: - host: alfajores-relayer - port: 3000 - rpcTimeoutMs: 12000 - db: - host: komenci-komenci-postgresql - port: 5432 - username: 'postgres' 
- database: 'postgres' - synchronize: true - ssl: true - -rewards: - segmentApiKey: 'writeApiKey' - shouldSendRewards: false - relayer: - node_env: production - image: - repository: celotestnet.azurecr.io/komenci/relayer - tag: dae43ddce108a73da07dce73875b980ff077c7d4 - replicas: 2 - port: 3000 - identities: - - address: 0xb04390478A57E3C2147599D5380434f25fa5234d - privateKey: 0x000 - azure: - id: defaultId - clientId: defaultClientId - keyVaultName: staging-komenci-rewards - azureHsm: - initTryCount: 5 - initMaxRetryBackoffMs: 30000 - metrics: - enabled: true - prometheusPort: 9090 - walletType: azure-hsm - gasPriceUpdateIntervalMs: "1200000" - db: - host: komenci-komenci-postgresql - port: 5432 - username: 'postgres' - database: 'postgres' - synchronize: true - ssl: true - -loggingAgent: - credentials: eydleGFtcGxlJzogJ2NyZWRlbnRpYWxzJ30K # base64 credentials.json of a gcloud service account \ No newline at end of file diff --git a/packages/helm-charts/kong/.helmignore b/packages/helm-charts/kong/.helmignore deleted file mode 100644 index f0c1319444..0000000000 --- a/packages/helm-charts/kong/.helmignore +++ /dev/null @@ -1,21 +0,0 @@ -# Patterns to ignore when building packages. -# This supports shell glob matching, relative path matching, and -# negation (prefixed with !). Only one pattern per line. -.DS_Store -# Common VCS dirs -.git/ -.gitignore -.bzr/ -.bzrignore -.hg/ -.hgignore -.svn/ -# Common backup files -*.swp -*.bak -*.tmp -*~ -# Various IDEs -.project -.idea/ -*.tmproj diff --git a/packages/helm-charts/kong/Chart.lock b/packages/helm-charts/kong/Chart.lock deleted file mode 100644 index ec9d6b4435..0000000000 --- a/packages/helm-charts/kong/Chart.lock +++ /dev/null 
@@ -1,12 +0,0 @@ -dependencies: -- name: postgresql - repository: https://charts.bitnami.com/bitnami - version: 10.4.6 -- name: cassandra - repository: https://charts.bitnami.com/bitnami - version: 7.5.5 -- name: common - repository: https://charts.bitnami.com/bitnami - version: 1.5.2 -digest: sha256:821ac1123fff0767b608586096c4b200cefb37cd1b27541f901d70adffcefbc3 -generated: "2021-05-22T08:23:02.029976706Z" diff --git a/packages/helm-charts/kong/Chart.yaml b/packages/helm-charts/kong/Chart.yaml deleted file mode 100644 index 9e4a5cd483..0000000000 --- a/packages/helm-charts/kong/Chart.yaml +++ /dev/null @@ -1,37 +0,0 @@ -annotations: - category: Infrastructure -apiVersion: v2 -appVersion: 2.4.1 -dependencies: - - condition: postgresql.enabled - name: postgresql - repository: https://charts.bitnami.com/bitnami - version: 10.x.x - - condition: cassandra.enabled - name: cassandra - repository: https://charts.bitnami.com/bitnami - version: 7.x.x - - name: common - repository: https://charts.bitnami.com/bitnami - version: 1.x.x -description: Kong is a scalable, open source API layer (aka API gateway or API middleware) that runs in front of any RESTful API. Extra functionalities beyond the core platform are extended through plugins. Kong is built on top of reliable technologies like NGINX and provides an easy-to-use RESTful API to operate and configure the system. -engine: gotpl -home: https://github.com/bitnami/charts/tree/master/bitnami/kong -icon: https://bitnami.com/assets/stacks/kong/img/kong-stack-220x234.png -keywords: - - kong - - ingress - - openresty - - controller - - http - - web - - www - - reverse proxy -maintainers: - - email: containers@bitnami.com - name: Bitnami -name: kong -sources: - - https://github.com/bitnami/bitnami-docker-kong - - https://konghq.com/ -version: 3.7.4 diff --git a/packages/helm-charts/kong/README.md b/packages/helm-charts/kong/README.md deleted file mode 100644 index 8995564c29..0000000000 
--- a/packages/helm-charts/kong/README.md +++ /dev/null 
@@ -1,502 +0,0 @@ -# Kong - -[Kong](https://konghq.com/kong/) is a scalable, open source API layer (aka API gateway or API middleware) that runs in front of any RESTful API. Extra functionalities beyond the core platform are extended through plugins. Kong is built on top of reliable technologies like NGINX and provides an easy-to-use RESTful API to operate and configure the system. - -## TL;DR - -```console - helm repo add bitnami https://charts.bitnami.com/bitnami - helm install my-release bitnami/kong -``` - -## Introduction - -This chart bootstraps a [kong](https://github.com/bitnami/bitnami-docker-kong) deployment on a [Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager. It also includes the [kong-ingress-controller](https://github.com/bitnami/bitnami-docker-kong-ingress-controller) container for managing Ingress resources using Kong. - -Bitnami charts can be used with [Kubeapps](https://kubeapps.com/) for deployment and management of Helm Charts in clusters. - -## Prerequisites - -- Kubernetes 1.12+ -- Helm 3.1.0 -- PV provisioner support in the underlying infrastructure - -## Installing the Chart - -To install the chart with the release name `my-release`: - -```console - helm repo add bitnami https://charts.bitnami.com/bitnami - helm install my-release bitnami/kong -``` - -These commands deploy kong on the Kubernetes cluster in the default configuration. The [Parameters](#parameters) section lists the parameters that can be configured during installation. 
- -> **Tip**: List all releases using `helm list` - -## Uninstalling the Chart - -To uninstall/delete the `my-release` deployment: - -```console - helm delete my-release -``` - -## Parameters - -The following tables list the configurable parameters of the kong chart and their default values per section/component: - -### Global Parameters - -| Parameter | Description | Default | -|---------------------------|-------------------------------------------------|---------------------------------------------------------| -| `global.imageRegistry` | Global Docker image registry | `nil` | -| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` (does not add image pull secrets to deployed pods) | -| `global.storageClass` | Global storage class for dynamic provisioning | `nil` | - -### Common Parameters - -| Parameter | Description | Default | -|---------------------|---------------------------------------------------------------------------------------------------|-----------------| -| `nameOverride` | String to partially override kong.fullname template with a string (will prepend the release name) | `nil` | -| `fullnameOverride` | String to fully override kong.fullname template with a string | `nil` | -| `commonLabels` | Labels to add to all deployed objects | `nil` | -| `commonAnnotations` | Annotations to add to all deployed objects | `[]` | -| `clusterDomain` | Kubernetes cluster domain | `cluster.local` | -| `kubeVersion` | Force target Kubernetes version (using Helm capabilities if not set) | `nil` | - -### Deployment Parameters - -| Parameter | Description | Default | -|------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------| -| `image.registry` | kong image registry | `docker.io` | -| `image.repository` | kong image name | `bitnami/kong` | -| 
`image.tag` | kong image tag | `{TAG_NAME}` | -| `image.pullPolicy` | kong image pull policy | `IfNotPresent` | -| `image.pullSecrets` | Specify docker-registry secret names as an array | `[]` (does not add image pull secrets to deployed pods) | -| `useDaemonset` | Use a daemonset instead of a deployment. `replicaCount` will not take effect. | `false` | -| `replicaCount` | Number of replicas of the kong Pod | `2` | -| `updateStrategy` | Update strategy for deployment | `{type: "RollingUpdate"}` | -| `schedulerName` | Alternative scheduler | `nil` | -| `database` | Select which database backend Kong will use. Can be 'postgresql' or 'cassandra' | `postgresql` | -| `containerSecurityContext` | Container security podSecurityContext | `{ runAsUser: 1001, runAsNonRoot: true}` | -| `podSecurityContext` | Pod security context | `{}` | -| `hostAliases` | Add deployment host aliases | `[]` | -| `nodeSelector` | Node labels for pod assignment | `{}` | -| `tolerations` | Tolerations for pod assignment | `[]` | -| `affinity` | Affinity for pod assignment | `{}` | -| `podAffinityPreset` | Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` | -| `podAntiAffinityPreset` | Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `soft` | -| `nodeAffinityPreset.type` | Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` | -| `nodeAffinityPreset.key` | Node label key to match Ignored if `affinity` is set. | `""` | -| `nodeAffinityPreset.values` | Node label values to match. Ignored if `affinity` is set. 
| `[]` | -| `podAnnotations` | Pod annotations | `{}` | -| `podLabels` | Pod labels | `{}` | -| `sidecars` | Attach additional containers to the pod (evaluated as a template) | `nil` | -| `initContainers` | Add additional init containers to the pod (evaluated as a template) | `nil` | -| `pdb.enabled` | Deploy a pdb object for the Kong pod | `false` | -| `pdb.maxUnavailable` | Maximum unavailable Kong replicas (expressed in percentage) | `50%` | -| `autoscaling.enabled` | Deploy a HorizontalPodAutoscaler object for the Kong deployment | `false` | -| `autoscaling.apiVersion` | API Version of the HPA object (for compatibility with Openshift) | `v1beta1` | -| `autoscaling.minReplicas` | Minimum number of replicas to scale back | `2` | -| `autoscaling.maxReplicas` | Maximum number of replicas to scale out | `2` | -| `autoscaling.metrics` | Metrics to use when deciding to scale the deployment (evaluated as a template) | `Check values.yaml` | -| `extraVolumes` | Array of extra volumes to be added to the Kong deployment deployment (evaluated as template). Requires setting `extraVolumeMounts` | `nil` | -| `kong.livenessProbe` | Liveness probe (kong container) | `Check values.yaml` | -| `kong.readinessProbe` | Readiness probe (kong container) | `Check values.yaml` | -| `kong.lifecycleHooks` | Lifecycle hooks (kong container) | `Check deployment.yaml` | -| `kong.customLivenessProbe` | Override default liveness probe (kong container) | `nil` | -| `kong.customReadinessProbe` | Override default readiness probe (kong container) | `nil` | -| `kong.resources` | Configure resource requests and limits (kong container) | `nil` | -| `kong.extraVolumeMounts` | Array of extra volume mounts to be added to the Kong Container (evaluated as template). Normally used with `extraVolumes`. 
| `nil` | -| `ingressController.livenessProbe` | Liveness probe (kong ingress controller container) | `Check values.yaml` | -| `ingressController.readinessProbe` | Readiness probe (kong ingress controller container) | `Check values.yaml` | -| `ingressController.customLivenessProbe` | Override default liveness probe (kong ingress controller container) | `nil` | -| `ingressController.customReadinessProbe` | Override default readiness probe (kong ingress controller container) | `nil` | -| `ingressController.resources` | Configure resource requests and limits (kong ingress controller container) | `nil` | -| `ingressController.extraVolumeMounts` | Array of extra volume mounts to be added to the Kong Ingress Controller container (evaluated as template). Normally used with `extraVolumes`. | `nil` | -| `migration.resources` | Configure resource requests and limits (migration container) | `nil` | -| `migration.hostAliases` | Add deployment host aliases | `[]` | -| `migration.extraVolumeMounts` | Array of extra volume mounts to be added to the Kong Container (evaluated as template). Normally used with `extraVolumes`. | `nil` | -| `extraDeploy` | Array of extra objects to deploy with the release (evaluated as a template). 
| `nil` | - -### Traffic Exposure Parameters - -| Parameter | Description | Default | -|----------------------------------|------------------------------------------------------------------|--------------------------------| -| `service.type` | Kubernetes Service type | `ClusterIP` | -| `service.externalTrafficPolicy` | external traffic policy managing client source IP preservation | `Cluster` | -| `service.exposeAdmin` | Add the Kong Admin ports to the service | `false` | -| `service.proxyHttpPort` | kong proxy HTTP service port port | `80` | -| `service.proxyHttpsPort` | kong proxy HTTPS service port port | `443` | -| `service.adminHttpPort` | kong admin HTTPS service port (only if service.exposeAdmin=true) | `8001` | -| `service.adminHttpsPort` | kong admin HTTPS service port (only if service.exposeAdmin=true) | `8443` | -| `service.proxyHttpNodePort` | Port to bind to for NodePort service type (proxy HTTP) | `nil` | -| `service.proxyHttpsNodePort` | Port to bind to for NodePort service type (proxy HTTPS) | `nil` | -| `service.adminHttpNodePort` | Port to bind to for NodePort service type (admin HTTP) | `nil` | -| `service.aminHttpsNodePort` | Port to bind to for NodePort service type (proxy HTTP) | `nil` | -| `service.annotations` | Annotations for kong service | `{}` | -| `service.clusterIP` | Cluster internal IP of the service | `nil` | -| `service.loadBalancerIP` | loadBalancerIP if kong service type is `LoadBalancer` | `nil` | -| `ingress.enabled` | Enable ingress controller resource | `false` | -| `ingress.certManager` | Add annotations for cert-manager | `false` | -| `ingress.hostname` | Default host for the ingress resource | `kong.local` | -| `ingress.apiVersion` | Force Ingress API version (automatically detected if not set) | `` | -| `ingress.path` | Ingress path | `/` | -| `ingress.pathType` | Ingress path type | `ImplementationSpecific` | -| `ingress.tls` | Create TLS Secret | `false` | -| `ingress.annotations` | Ingress annotations | `[]` (evaluated 
as a template) | -| `ingress.extraHosts[0].name` | Additional hostnames to be covered | `nil` | -| `ingress.extraHosts[0].path` | Additional hostnames to be covered | `nil` | -| `ingress.extraPaths` | Additional arbitrary path/backend objects | `nil` | -| `ingress.extraTls[0].hosts[0]` | TLS configuration for additional hostnames to be covered | `nil` | -| `ingress.extraTls[0].secretName` | TLS configuration for additional hostnames to be covered | `nil` | -| `ingress.secrets[0].name` | TLS Secret Name | `nil` | -| `ingress.secrets[0].certificate` | TLS Secret Certificate | `nil` | -| `ingress.secrets[0].key` | TLS Secret Key | `nil` | - -### Kong Container Parameters - -| Parameter | Description | Default | -|---------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------|---------| -| `kong.extraEnvVars` | Array containing extra env vars to configure Kong | `nil` | -| `kong.extraEnvVarsCM` | ConfigMap containing extra env vars to configure Kong | `nil` | -| `kong.extraEnvVarsSecret` | Secret containing extra env vars to configure Kong (in case of sensitive data) | `nil` | -| `kong.command` | Override default container command (useful when using custom images) | `nil` | -| `kong.args` | Override default container args (useful when using custom images) | `nil` | -| `kong.initScriptsCM` | ConfigMap containing `/docker-entrypoint-initdb.d` scripts to be executed at initialization time (evaluated as a template) | `nil` | -| `kong.initScriptsSecret` | Secret containing `/docker-entrypoint-initdb.d` scripts to be executed at initialization time (that contain sensitive data). Evaluated as a template. 
| `nil` | - -### Kong Migration job Parameters - -| Parameter | Description | Default | -|--------------------------------|--------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------| -| `migration.image.registry` | Override Kong migration job image registry (Kong image if not set) | `nil` | -| `migration.image.repository` | Override Kong migration job image name (Kong image if not set) | `nil` | -| `migration.image.tag` | Override Kong migration job image tag (Kong image if not set) | `nil` | -| `migration.extraEnvVars` | Array containing extra env vars to configure the Kong migration job | `nil` | -| `migration.extraEnvVarsCM` | ConfigMap containing extra env vars to configure the Kong migration job | `nil` | -| `migration.extraEnvVarsSecret` | Secret containing extra env vars to configure the Kong migration job (in case of sensitive data) | `nil` | -| `migration.command` | Override default container command (useful when using custom images) | `nil` | -| `migration.args` | Override default container args (useful when using custom images) | `nil` | -| `migration.annotations` | Add annotations to the job | `helm.sh/hook: post-install, post-upgrade, helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded` | - -### Kong Ingress Controller Container Parameters - -| Parameter | Description | Default | -|-------------------------------------------------|---------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------| -| `ingressController.enabled` | Enable/disable the Kong Ingress Controller | `true` | -| `ingressController.image.registry` | Kong Ingress Controller image registry | `docker.io` | -| `ingressController.image.repository` | Kong Ingress Controller image name | `bitnami/kong` | -| 
`ingressController.image.tag` | Kong Ingress Controller image tag | `{TAG_NAME}` | -| `ingressController.image.pullPolicy` | kong ingress controller image pull policy | `IfNotPresent` | -| `ingressController.image.pullSecrets` | Specify docker-registry secret names as an array | `[]` (does not add image pull secrets to deployed pods) | -| `ingressController.proxyReadyTimeout` | Maximum time (in seconds) to wait for the Kong container to be ready | `300` | -| `ingressController.extraEnvVars` | Array containing extra env vars to configure Kong | `nil` | -| `ingressController.extraEnvVarsCM` | ConfigMap containing extra env vars to configure Kong Ingress Controller | `nil` | -| `ingressController.extraEnvVarsSecret` | Secret containing extra env vars to configure Kong Ingress Controller (in case of sensitive data) | `nil` | -| `ingressController.rbac.create` | Create the necessary Service Accounts, Roles and Rolebindings for the Ingress Controller to work | `true` | -| `ingressController.rbac.existingServiceAccount` | Use an existing service account for all the RBAC operations | `nil` | -| `ingressController.customResourceDeletePolicy` | Add custom CRD resource delete policy (for Helm 2 support) | `nil` | -| `ingressController.rbac.existingServiceAccount` | Use an existing service account for all the RBAC operations | `nil` | -| `ingressController.ingressClass` | Name of the class to register Kong Ingress Controller (useful when having other Ingress Controllers in the cluster) | `nil` | -| `ingressController.command` | Override default container command (useful when using custom images) | `nil` | -| `ingressController.args` | Override default container args (useful when using custom images) | `nil` | - -### PostgreSQL Parameters - -| Parameter | Description | Default | -|---------------------------------|--------------------------------------------------------------------------------------------------------------------------------|---------| -| `postgresql.enabled` | 
Deploy the PostgreSQL sub-chart | `true` | -| `postgresql.usePasswordFile` | Mount the PostgreSQL secret as a file | `no` | -| `postgresql.existingSecret` | Use an existing secret file with the PostgreSQL password (can be used with the bundled chart or with an existing installation) | `nil` | -| `postgresql.postgresqlDatabase` | Database name to be used by Kong | `kong` | -| `postgresql.postgresqlUsername` | Username to be created by the PostgreSQL bundled chart | `kong` | -| `postgresql.external.host` | Host of an external PostgreSQL installation | `nil` | -| `postgresql.external.user` | Username of the external PostgreSQL installation | `nil` | -| `postgresql.external.password` | Password of the external PostgreSQL installation | `nil` | - -### Cassandra Parameters - -| Parameter | Description | Default | -|-------------------------------|-------------------------------------------------------------------------------------------------------------------------------|---------| -| `cassandra.enabled` | Deploy the Cassandra sub-chart | `false` | -| `cassandra.usePasswordFile` | Mount the Cassandra secret as a file | `no` | -| `cassandra.existingSecret` | Use an existing secret file with the Cassandra password (can be used with the bundled chart or with an existing installation) | `nil` | -| `cassandra.dbUser.user` | Username to be created by the cassandra bundled chart | `kong` | -| `cassandra.external.hosts` | Hosts of an external cassandra installation | `nil` | -| `cassandra.external.port` | Port of an external cassandra installation | `nil` | -| `cassandra.external.user` | Username of the external cassandra installation | `nil` | -| `cassandra.external.password` | Password of the external cassandra installation | `nil` | - -### Metrics Parameters - -| Parameter | Description | Default | 
-|-----------------------------------------|--------------------------------------------------------------------------------------------------------|-------------------------------------------| -| `metrics.enabled` | Enable the export of Prometheus metrics | `false` | -| `metrics.service.type` | Type of the Prometheus metrics service | `ClusterIP file` | -| `metrics.service.port` | Port of the Prometheus metrics service | `9119` | -| `metrics.service.annotations` | Port for Prometheus metrics service | `9119` | -| `metrics.service.annotations` | Annotations for Prometheus metrics service | `Check values.yaml file` | -| `metrics.serviceMonitor.enabled` | if `true`, creates a Prometheus Operator ServiceMonitor (also requires `metrics.enabled` to be `true`) | `false` | -| `metrics.serviceMonitor.namespace` | Namespace in which Prometheus is running | `nil` | -| `metrics.serviceMonitor.serviceAccount` | Service account used by Prometheus | `nil` | -| `metrics.serviceMonitor.rbac.create` | if `true`, creates a Role and Role binding for Prometheus so it can reach kong's namespace | `true` | -| `metrics.serviceMonitor.interval` | Interval at which metrics should be scraped. | `nil` (Prometheus Operator default value) | -| `metrics.serviceMonitor.scrapeTimeout` | Timeout after which the scrape is ended | `nil` (Prometheus Operator default value) | -| `metrics.serviceMonitor.selector` | Prometheus instance selector labels | `nil` | - -Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example, - -```console - helm install my-release \ - --set service.exposeAdmin=true bitnami/kong -``` - -The above command exposes the Kong admin ports inside the Kong service. - -Alternatively, a YAML file that specifies the values for the parameters can be provided while installing the chart. 
For example, - -```console - helm install my-release -f values.yaml bitnami/kong -``` - -> **Tip**: You can use the default [values.yaml](values.yaml) - -## Configuration and installation details - -### [Rolling VS Immutable tags](https://docs.bitnami.com/containers/how-to/understand-rolling-tags-containers/) - -It is strongly recommended to use immutable tags in a production environment. This ensures your deployment does not change automatically if the same tag is updated with a different image. - -Bitnami will release a new chart updating its containers if a new version of the main container, significant changes, or critical vulnerabilities exist. - -### Database backend - -The Bitnami Kong chart allows setting two database backends: PostgreSQL or Cassandra. For each option, there are two extra possibilities: deploy a sub-chart with the database installation or use an existing one. The list below details the different options (replace the placeholders specified between _UNDERSCORES_): - -- Deploy the PostgreSQL sub-chart (default) - -```console - helm install my-release bitnami/kong -``` - -- Use an external PostgreSQL database - -```console - helm install my-release bitnami/kong \ - --set postgresql.enabled=false \ - --set postgresql.external.host=_HOST_OF_YOUR_POSTGRESQL_INSTALLATION_ \ - --set postgresql.external.password=_PASSWORD_OF_YOUR_POSTGRESQL_INSTALLATION_ \ - --set postgresql.external.user=_USER_OF_YOUR_POSTGRESQL_INSTALLATION_ -``` - -- Deploy the Cassandra sub-chart - -```console - helm install my-release bitnami/kong \ - --set database=cassandra \ - --set postgresql.enabled=false \ - --set cassandra.enabled=true -``` - -- Use an existing Cassandra installation - -```console - helm install my-release bitnami/kong \ - --set database=cassandra \ - --set postgresql.enabled=false \ - --set cassandra.enabled=false \ - --set cassandra.external.hosts[0]=_CONTACT_POINT_0_OF_YOUR_CASSANDRA_CLUSTER_ \ - --set 
cassandra.external.hosts[1]=_CONTACT_POINT_1_OF_YOUR_CASSANDRA_CLUSTER_ \ - ... - --set cassandra.external.user=_USER_OF_YOUR_CASSANDRA_INSTALLATION_ \ - --set cassandra.external.password=_PASSWORD_OF_YOUR_CASSANDRA_INSTALLATION_ -``` - -### DB-less - -Kong 1.1 added the capability to run Kong without a database, using only in-memory storage for entities: we call this DB-less mode. When running Kong DB-less, the configuration of entities is done in a second configuration file, in YAML or JSON, using declarative configuration (ref. [Link](https://docs.konghq.com/gateway-oss/1.1.x/db-less-and-declarative-config/)). -As is said in step 4 of [kong official docker installation](https://docs.konghq.com/install/docker#db-less-mode), just add the env variable "KONG_DATABASE=off". - -#### How to enable it - -1. Set `database` value with any value other than "postgresql" or "cassandra". For example `database: "off"` -2. Use `kong.extraEnvVars` value to set the `KONG_DATABASE` environment variable: -```yaml -kong.extraEnvVars: -- name: KONG_DATABASE - value: "off" -``` - -### Sidecars and Init Containers - -If you have a need for additional containers to run within the same pod as Kong (e.g. an additional metrics or logging exporter), you can do so via the `sidecars` config parameter. Simply define your container according to the Kubernetes container spec. - -```yaml -sidecars: - - name: your-image-name - image: your-image - imagePullPolicy: Always - ports: - - name: portname - containerPort: 1234 -``` - -Similarly, you can add extra init containers using the `initContainers` parameter. - -```yaml -initContainers: - - name: your-image-name - image: your-image - imagePullPolicy: Always - ports: - - name: portname - containerPort: 1234 -``` - -### Adding extra environment variables - -In case you want to add extra environment variables (useful for advanced operations like custom init scripts), you can use the `kong.extraEnvVars` property. 
- -```yaml -kong: - extraEnvVars: - - name: KONG_LOG_LEVEL - value: error -``` - -Alternatively, you can use a ConfigMap or a Secret with the environment variables. To do so, use the `kong.extraEnvVarsCM` or the `kong.extraEnvVarsSecret` values. - -The Kong Ingress Controller and the Kong Migration job also allow this kind of configuration via the `ingressController.extraEnvVars`, `ingressController.extraEnvVarsCM`, `ingressController.extraEnvVarsSecret`, `migration.extraEnvVars`, `migration.extraEnvVarsCM` and `migration.extraEnvVarsSecret` values. - -### Using custom init scripts - -For advanced operations, the Bitnami Kong charts allows using custom init scripts that will be mounted in `/docker-entrypoint.init-db`. You can use a ConfigMap or a Secret (in case of sensitive data) for mounting these extra scripts. Then use the `kong.initScriptsCM` and `kong.initScriptsSecret` values. - -```console -elasticsearch.hosts[0]=elasticsearch-host -elasticsearch.port=9200 -initScriptsCM=special-scripts -initScriptsSecret=special-scripts-sensitive -``` - -### Deploying extra resources - -There are cases where you may want to deploy extra objects, such as KongPlugins, KongConsumers, amongst others. For covering this case, the chart allows adding the full specification of other objects using the `extraDeploy` parameter. The following example would activate a plugin at deployment time. - -```yaml -## Extra objects to deploy (value evaluated as a template) -## -extraDeploy: |- - - apiVersion: configuration.konghq.com/v1 - kind: KongPlugin - metadata: - name: {{ include "common.names.fullname" . }}-plugin-correlation - namespace: {{ .Release.Namespace }} - labels: {{- include "common.labels.standard" . | nindent 6 }} - config: - header_name: my-request-id - plugin: correlation-id -``` - -### Setting Pod's affinity - -This chart allows you to set your custom affinity using the `affinity` parameter. 
Find more information about Pod's affinity in the [kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity). - -As an alternative, you can use of the preset configurations for pod affinity, pod anti-affinity, and node affinity available at the [bitnami/common](https://github.com/bitnami/charts/tree/master/bitnami/common#affinities) chart. To do so, set the `podAffinityPreset`, `podAntiAffinityPreset`, or `nodeAffinityPreset` parameters. - -## Troubleshooting - -Find more information about how to deal with common errors related to Bitnami’s Helm charts in [this troubleshooting guide](https://docs.bitnami.com/general/how-to/troubleshoot-helm-chart-issues). - -## Upgrading - -It's necessary to specify the existing passwords while performing a upgrade to ensure the secrets are not updated with invalid randomly generated passwords. Remember to specify the existing values of the `postgresql.postgresqlPassword` or `cassandra.password` parameters when upgrading the chart: - -```bash -$ helm upgrade my-release bitnami/kong \ - --set database=postgresql - --set postgresql.enabled=true - --set - --set postgresql.postgresqlPassword=[POSTGRESQL_PASSWORD] -``` - -> Note: you need to substitute the placeholders _[POSTGRESQL_PASSWORD]_ with the values obtained from instructions in the installation notes. - -### To 3.1.0 - -Kong Ingress Controller version was bumped to new major version, `1.x.x`. The associated CRDs were updated accordingly. - -### To 3.0.0 - -[On November 13, 2020, Helm v2 support was formally finished](https://github.com/helm/charts#status-of-the-project), this major version is the result of the required changes applied to the Helm Chart to be able to incorporate the different features added in Helm v3 and to be consistent with the Helm project itself regarding the Helm v2 EOL. 
- -**What changes were introduced in this major version?** - -- Previous versions of this Helm Chart use `apiVersion: v1` (installable by both Helm 2 and 3), this Helm Chart was updated to `apiVersion: v2` (installable by Helm 3 only). [Here](https://helm.sh/docs/topics/charts/#the-apiversion-field) you can find more information about the `apiVersion` field. -- Move dependency information from the *requirements.yaml* to the *Chart.yaml* -- After running `helm dependency update`, a *Chart.lock* file is generated containing the same structure used in the previous *requirements.lock* -- The different fields present in the *Chart.yaml* file has been ordered alphabetically in a homogeneous way for all the Bitnami Helm Charts -- This chart depends on the **PostgreSQL 10** instead of **PostgreSQL 9**. Apart from the same changes that are described in this section, there are also other major changes due to the master/slave nomenclature was replaced by primary/readReplica. [Here](https://github.com/bitnami/charts/pull/4385) you can find more information about the changes introduced. - -**Considerations when upgrading to this version** - -- If you want to upgrade to this version using Helm v2, this scenario is not supported as this version doesn't support Helm v2 anymore -- If you installed the previous version with Helm v2 and wants to upgrade to this version with Helm v3, please refer to the [official Helm documentation](https://helm.sh/docs/topics/v2_v3_migration/#migration-use-cases) about migrating from Helm v2 to v3 -- If you want to upgrade to this version from a previous one installed with Helm v3, it should be done reusing the PVC used to hold the PostgreSQL data on your previous release. To do so, follow the instructions below (the following example assumes that the release name is `kong`): - -> NOTE: Please, create a backup of your database before running any of those actions. 
- -##### Export secrets and required values to update - -```console -$ export POSTGRESQL_PASSWORD=$(kubectl get secret --namespace default kong-postgresql -o jsonpath="{.data.postgresql-password}" | base64 --decode) -$ export POSTGRESQL_PVC=$(kubectl get pvc -l app.kubernetes.io/instance=kong,app.kubernetes.io/name=postgresql,role=master -o jsonpath="{.items[0].metadata.name}") -``` - -##### Delete statefulsets - -Delete PostgreSQL statefulset. Notice the option `--cascade=false`: - -``` -$ kubectl delete statefulsets.apps kong-postgresql --cascade=false -``` - -##### Upgrade the chart release - -```console -$ helm upgrade kong bitnami/kong \ - --set postgresql.postgresqlPassword=$POSTGRESQL_PASSWORD \ - --set postgresql.persistence.existingClaim=$POSTGRESQL_PVC -``` - -##### Force new statefulset to create a new pod for postgresql - -```console -$ kubectl delete pod kong-postgresql-0 -``` -Finally, you should see the lines below in MariaDB container logs: - -```console -$ kubectl logs $(kubectl get pods -l app.kubernetes.io/instance=postgresql,app.kubernetes.io/name=postgresql,role=primary -o jsonpath="{.items[0].metadata.name}") -... -postgresql 08:05:12.59 INFO ==> Deploying PostgreSQL with persisted data... -... -``` - -**Useful links** - -- https://docs.bitnami.com/tutorials/resolve-helm2-helm3-post-migration-issues/ -- https://helm.sh/docs/topics/v2_v3_migration/ -- https://helm.sh/blog/migrate-from-helm-v2-to-helm-v3/ - -### To 2.0.0 - -PostgreSQL and Cassandra dependencies versions were bumped to new major versions, `9.x.x` and `6.x.x` respectively. Both of these include breaking changes and hence backwards compatibility is no longer guaranteed. - -In order to properly migrate your data to this new version: - -* If you were using PostgreSQL as your database, please refer to the [PostgreSQL Upgrade Notes](https://github.com/bitnami/charts/tree/master/bitnami/postgresql#900). 
-
-* If you were using Cassandra as your database, please refer to the [Cassandra Upgrade Notes](https://github.com/bitnami/charts/tree/master/bitnami/cassandra#to-600).
diff --git a/packages/helm-charts/kong/ci/values-editing-containers.yaml b/packages/helm-charts/kong/ci/values-editing-containers.yaml
deleted file mode 100644
index f8a1225bce..0000000000
--- a/packages/helm-charts/kong/ci/values-editing-containers.yaml
+++ /dev/null
@@ -1,116 +0,0 @@ -## Edit kong container -## -kong: - command: - - sleep - args: - - "3600" - initScriptsCM: kong-initscripts - initScriptsSecret: kong-initscripts-secret - extraEnvVars: - - name: KONG_LOG_LEVEL - value: error - extraEnvVarsCM: kong-extraenv-cm - extraEnvVarsSecret: kong-extraenv-secret - extraVolumeMounts: - - name: kong-certs - mountPath: /bitnami/kong/certs - resources: - limits: - cpu: 500m - memory: 1Gi - -## Edit migration container -## -migration: - command: - - echo - args: - - test - extraEnvVars: - - name: KONG_CASSANDRA_USER - value: cassandra - extraEnvVarsCM: kong-migrate-extraenv-cm - extraEnvVarsSecret: kong-migrate-extraenv-secret - extraVolumeMounts: - - name: kong-migrate-credentials - mountPath: /bitnami/kong/credentials - resources: - limits: - cpu: 300m - memory: 2Gi - -## Edit migration container -## -ingressController: - command: - - echo - args: - - hello - extraEnvVars: - - name: CONTROLLER_LOG_LEVEL - value: error - extraEnvVarsCM: kong-controller-extraenv-cm - extraEnvVarsSecret: kong-controller-extraenv-secret - extraVolumeMounts: - - name: kong-controller-credentials - mountPath: /bitnami/kong/credentials - resources: - limits: - cpu: 1000m - memory: 2Gi - -sidecars: |- - - name: test-sidecar - image: bitnami/minideb - command: - - echo - - hi - -initContainers: |- - - name: test-init - image: bitnami/git - command: - - git - - clone - - github.com/bitnami/bitnami-docker-kong" - -volumes: - - name: kong-controller-credentials - hostPath: /tmp/credentials - - name: kong-migrate-credentials - hostPath: /tmp/migrate/credentials - - name: kong-certs - persistentVolumeClaim: - claimName: kong-certs-pvc - -nodeSelector: - disktype: ssd - -tolerations: - - key: "key" - operator: "Equal" - value: "value" - effect: "NoSchedule" - -affinity: |- - nodeAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - nodeSelectorTerms: - - matchExpressions: - - key: kubernetes.io/e2e-az-name - operator: In - values: - - e2e-az1 - - 
e2e-az2 - preferredDuringSchedulingIgnoredDuringExecution: - - weight: 1 - preference: - matchExpressions: - - key: another-node-label-key - operator: In - values: - - another-node-label-value - -podAnnotations: - k8s/annotation: test diff --git a/packages/helm-charts/kong/ci/values-external-cassandra.yaml b/packages/helm-charts/kong/ci/values-external-cassandra.yaml deleted file mode 100644 index 22fa2caa59..0000000000 --- a/packages/helm-charts/kong/ci/values-external-cassandra.yaml +++ /dev/null @@ -1,13 +0,0 @@ -database: cassandra - -postgresql: - enabled: false -cassandra: - enabled: false - external: - hosts: - - test-cassandra1 - - test-cassandra2 - - test-cassandra3 - user: test - password: test diff --git a/packages/helm-charts/kong/ci/values-external-postgresql.yaml b/packages/helm-charts/kong/ci/values-external-postgresql.yaml deleted file mode 100644 index 31de2af466..0000000000 --- a/packages/helm-charts/kong/ci/values-external-postgresql.yaml +++ /dev/null @@ -1,8 +0,0 @@ -database: postgresql - -postgresql: - enabled: false - external: - host: test-postgresql - user: test - password: test diff --git a/packages/helm-charts/kong/ci/values-ingress.yaml b/packages/helm-charts/kong/ci/values-ingress.yaml deleted file mode 100644 index f6ccc628a9..0000000000 --- a/packages/helm-charts/kong/ci/values-ingress.yaml +++ /dev/null @@ -1,2 +0,0 @@ -ingress: - enabled: true diff --git a/packages/helm-charts/kong/ci/values-metrics-hpa-pdb.yaml b/packages/helm-charts/kong/ci/values-metrics-hpa-pdb.yaml deleted file mode 100644 index b5177a061f..0000000000 --- a/packages/helm-charts/kong/ci/values-metrics-hpa-pdb.yaml +++ /dev/null @@ -1,7 +0,0 @@ -metrics: - enabled: true -autoscaling: - enabled: true - -pdb: - enabled: true diff --git a/packages/helm-charts/kong/crds/custom-resource-definitions.yaml b/packages/helm-charts/kong/crds/custom-resource-definitions.yaml deleted file mode 100644 index 33ec280552..0000000000 
--- a/packages/helm-charts/kong/crds/custom-resource-definitions.yaml
+++ /dev/null
@@ -1,426 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - name: kongconsumers.configuration.konghq.com -spec: - group: configuration.konghq.com - version: v1 - scope: Namespaced - names: - kind: KongConsumer - plural: kongconsumers - shortNames: - - kc - additionalPrinterColumns: - - name: Username - type: string - description: Username of a Kong Consumer - JSONPath: .username - - name: Age - type: date - description: Age - JSONPath: .metadata.creationTimestamp - validation: - openAPIV3Schema: - properties: - username: - type: string - custom_id: - type: string - credentials: - type: array - items: - type: string - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - name: kongplugins.configuration.konghq.com -spec: - group: configuration.konghq.com - version: v1 - scope: Namespaced - names: - kind: KongPlugin - plural: kongplugins - shortNames: - - kp - additionalPrinterColumns: - - name: Plugin-Type - type: string - description: Name of the plugin - JSONPath: .plugin - - name: Age - type: date - description: Age - JSONPath: .metadata.creationTimestamp - - name: Disabled - type: boolean - description: Indicates if the plugin is disabled - JSONPath: .disabled - priority: 1 - - name: Config - type: string - description: Configuration of the plugin - JSONPath: .config - priority: 1 - validation: - openAPIV3Schema: - required: - - plugin - properties: - plugin: - type: string - disabled: - type: boolean - config: - type: object - configFrom: - type: object - properties: - secretKeyRef: - required: - - name - - key - type: object - properties: - name: - type: string - key: - type: string - run_on: - type: string - enum: - - first - - second - - all - protocols: - type: array - items: - type: string - enum: - - http - - https - - grpc - - grpcs - - tcp - - tls - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1beta1 -kind: 
CustomResourceDefinition -metadata: - name: kongclusterplugins.configuration.konghq.com -spec: - group: configuration.konghq.com - version: v1 - scope: Cluster - names: - kind: KongClusterPlugin - plural: kongclusterplugins - shortNames: - - kcp - additionalPrinterColumns: - - name: Plugin-Type - type: string - description: Name of the plugin - JSONPath: .plugin - - name: Age - type: date - description: Age - JSONPath: .metadata.creationTimestamp - - name: Disabled - type: boolean - description: Indicates if the plugin is disabled - JSONPath: .disabled - priority: 1 - - name: Config - type: string - description: Configuration of the plugin - JSONPath: .config - priority: 1 - validation: - openAPIV3Schema: - required: - - plugin - properties: - plugin: - type: string - disabled: - type: boolean - config: - type: object - configFrom: - type: object - properties: - secretKeyRef: - required: - - name - - namespace - - key - type: object - properties: - namespace: - type: string - name: - type: string - key: - type: string - run_on: - type: string - enum: - - first - - second - - all - protocols: - type: array - items: - type: string - enum: - - http - - https - - grpc - - grpcs - - tcp - - tls - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - name: kongingresses.configuration.konghq.com -spec: - group: configuration.konghq.com - version: v1 - scope: Namespaced - names: - kind: KongIngress - plural: kongingresses - shortNames: - - ki - validation: - openAPIV3Schema: - properties: - route: - properties: - methods: - type: array - items: - type: string - headers: - type: object - additionalProperties: - type: array - items: - type: string - regex_priority: - type: integer - strip_path: - type: boolean - preserve_host: - type: boolean - path_handling: - type: string - enum: - - "v0" - - "v1" - protocols: - type: array - items: - type: string - enum: - - http - - https - - grpc - - grpcs - - tcp - - tls 
- https_redirect_status_code: - type: integer - proxy: - type: object - properties: - protocol: - type: string - enum: - - http - - https - - grpc - - grpcs - - tcp - - tls - path: - type: string - pattern: ^/.*$ - retries: - type: integer - minimum: 0 - connect_timeout: - type: integer - minimum: 0 - read_timeout: - type: integer - minimum: 0 - write_timeout: - type: integer - minimum: 0 - upstream: - type: object - properties: - algorithm: - type: string - enum: - - "round-robin" - - "consistent-hashing" - - "least-connections" - host_header: - type: string - hash_on: - type: string - hash_on_cookie: - type: string - hash_on_cookie_path: - type: string - hash_on_header: - type: string - hash_fallback_header: - type: string - hash_fallback: - type: string - slots: - type: integer - minimum: 10 - healthchecks: - type: object - properties: - threshold: - type: integer - active: - type: object - properties: - concurrency: - type: integer - minimum: 1 - timeout: - type: integer - minimum: 0 - http_path: - type: string - pattern: ^/.*$ - healthy: &healthy - type: object - properties: - http_statuses: - type: array - items: - type: integer - interval: - type: integer - minimum: 0 - successes: - type: integer - minimum: 0 - unhealthy: &unhealthy - type: object - properties: - http_failures: - type: integer - minimum: 0 - http_statuses: - type: array - items: - type: integer - interval: - type: integer - minimum: 0 - tcp_failures: - type: integer - minimum: 0 - timeout: - type: integer - minimum: 0 - passive: - type: object - properties: - healthy: *healthy - unhealthy: *unhealthy - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - name: tcpingresses.configuration.konghq.com -spec: - group: configuration.konghq.com - version: v1beta1 - scope: Namespaced - names: - kind: TCPIngress - plural: tcpingresses - additionalPrinterColumns: - - name: Address - type: string - description: Address of the load 
balancer - JSONPath: .status.loadBalancer.ingress[*].ip - - name: Age - type: date - description: Age - JSONPath: .metadata.creationTimestamp - subresources: - status: {} - validation: - openAPIV3Schema: - properties: - apiVersion: - type: string - kind: - type: string - metadata: - type: object - spec: - type: object - properties: - tls: - type: array - items: - type: object - properties: - hosts: - type: array - items: - type: string - secretName: - type: string - rules: - type: array - items: - type: object - properties: - host: - type: string - port: - type: integer - format: int32 - backend: - type: object - properties: - serviceName: - type: string - servicePort: - format: int32 - type: integer - status: - type: object - subresources: - status: {} -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] diff --git a/packages/helm-charts/kong/kong.conf b/packages/helm-charts/kong/kong.conf deleted file mode 100644 index b4102ed3fb..0000000000 --- a/packages/helm-charts/kong/kong.conf +++ /dev/null 
@@ -1,1512 +0,0 @@ -# ----------------------- -# Kong configuration file -# ----------------------- -# -# The commented-out settings shown in this file represent the default values. -# -# This file is read when `kong start` or `kong prepare` are used. Kong -# generates the Nginx configuration with the settings specified in this file. -# -# All environment variables prefixed with `KONG_` and capitalized will override -# the settings specified in this file. -# Example: -# `log_level` setting -> `KONG_LOG_LEVEL` env variable -# -# Boolean values can be specified as `on`/`off` or `true`/`false`. -# Lists must be specified as comma-separated strings. -# -# All comments in this file can be removed safely, including the -# commented-out properties. -# You can verify the integrity of your settings with `kong check `. - -#------------------------------------------------------------------------------ -# GENERAL -#------------------------------------------------------------------------------ - -prefix = /opt/bitnami/kong/server # Working directory. Equivalent to Nginx's - # prefix path, containing temporary files - # and logs. - # Each Kong process must have a separate - # working directory. - -log_level = notice # Log level of the Nginx server. Logs are - # found at `/logs/error.log`. - -# See http://nginx.org/en/docs/ngx_core_module.html#error_log for a list -# of accepted values. - -proxy_access_log = logs/access.log # Path for proxy port request access - # logs. Set this value to `off` to - # disable logging proxy requests. - # If this value is a relative path, - # it will be placed under the - # `prefix` location. - - -proxy_error_log = logs/error.log # Path for proxy port request error - # logs. The granularity of these logs - # is adjusted by the `log_level` - # property. - -proxy_stream_access_log = logs/access.log basic # Path for tcp streams proxy port access - # logs. Set this value to `off` to - # disable logging proxy requests. 
- # If this value is a relative path, - # it will be placed under the - # `prefix` location. - # `basic` is defined as `'$remote_addr [$time_local] ' - # '$protocol $status $bytes_sent $bytes_received ' - # '$session_time'` - -proxy_stream_error_log = logs/error.log # Path for tcp streams proxy port request error - # logs. The granularity of these logs - # is adjusted by the `log_level` - # property. - -admin_access_log = logs/admin_access.log # Path for Admin API request access - # logs. If Hybrid Mode is enabled - # and the current node is set to be - # the Control Plane, then the - # connection requests from Data Planes - # are also written to this file with - # server name "kong_cluster_listener". - # - # Set this value to `off` to - # disable logging Admin API requests. - # If this value is a relative path, - # it will be placed under the - # `prefix` location. - -admin_error_log = logs/error.log # Path for Admin API request error - # logs. The granularity of these logs - # is adjusted by the `log_level` - # property. - -status_access_log = off # Path for Status API request access - # logs. The default value of `off` - # implies that logging for this API - # is disabled by default. - # If this value is a relative path, - # it will be placed under the - # `prefix` location. - -status_error_log = logs/status_error.log # Path for Status API request error - # logs. The granularity of these logs - # is adjusted by the `log_level` - # property. - -plugins = bundled # Comma-separated list of plugins this node - # should load. By default, only plugins - # bundled in official distributions are - # loaded via the `bundled` keyword. - # - # Loading a plugin does not enable it by - # default, but only instructs Kong to load its - # source code, and allows to configure the - # plugin via the various related Admin API - # endpoints. - # - # The specified name(s) will be substituted as - # such in the Lua namespace: - # `kong.plugins.{name}.*`. 
- # - # When the `off` keyword is specified as the - # only value, no plugins will be loaded. - # - # `bundled` and plugin names can be mixed - # together, as the following examples suggest: - # - # - `plugins = bundled,custom-auth,custom-log` - # will include the bundled plugins plus two - # custom ones - # - `plugins = custom-auth,custom-log` will - # *only* include the `custom-auth` and - # `custom-log` plugins. - # - `plugins = off` will not include any - # plugins - # - # **Note:** Kong will not start if some - # plugins were previously configured (i.e. - # have rows in the database) and are not - # specified in this list. Before disabling a - # plugin, ensure all instances of it are - # removed before restarting Kong. - # - # **Note:** Limiting the amount of available - # plugins can improve P99 latency when - # experiencing LRU churning in the database - # cache (i.e. when the configured - # `mem_cache_size`) is full. - -#pluginserver_names = # Comma-separated list of names for pluginserver - # processes. The actual names are used for - # log messages and to relate the actual settings. - -#pluginserver_XXX_socket = /.socket # Path to the unix socket - # used by the pluginserver. -#pluginserver_XXX_start_cmd = /usr/local/bin/ # Full command (including - # any needed arguments) to - # start the pluginserver -#pluginserver_XXX_query_cmd = /usr/local/bin/query_ # Full command to "query" the - # pluginserver. Should - # produce a JSON with the - # dump info of all plugins it - # manages - -#port_maps = # With this configuration parameter, you can - # let the Kong to know about the port from - # which the packets are forwarded to it. This - # is fairly common when running Kong in a - # containerized or virtualized environment. - # For example, `port_maps=80:8000, 443:8443` - # instructs Kong that the port 80 is mapped - # to 8000 (and the port 443 to 8443), where - # 8000 and 8443 are the ports that Kong is - # listening to. 
- # - # This parameter helps Kong set a proper - # forwarded upstream HTTP request header or to - # get the proper forwarded port with the Kong PDK - # (in case other means determining it has - # failed). It changes routing by a destination - # port to route by a port from which packets - # are forwarded to Kong, and similarly it - # changes the default plugin log serializer to - # use the port according to this mapping - # instead of reporting the port Kong is - # listening to. - -anonymous_reports = on # Send anonymous usage data such as error - # stack traces to help improve Kong. - -#------------------------------------------------------------------------------ -# HYBRID MODE -#------------------------------------------------------------------------------ - -role = traditional # Use this setting to enable Hybrid Mode, - # This allows running some Kong nodes in a - # control plane role with a database and - # have them deliver configuration updates - # to other nodes running to DB-less running in - # a Data Plane role. - # - # Valid values to this setting are: - # - # - `traditional`: do not use Hybrid Mode. - # - `control_plane`: this node runs in a - # control plane role. It can use a database - # and will deliver configuration updates - # to data plane nodes. - # - `data_plane`: this is a data plane node. - # It runs DB-less and receives configuration - # updates from a control plane node. - -cluster_mtls = shared # Sets the verification between nodes of the - # cluster. - # - # Valid values to this setting are: - # - # - `shared`: use a shared certificate/key - # pair specified with the `cluster_cert` - # and `cluster_cert_key` settings. - # Note that CP and DP nodes have to present - # the same certificate to establish mTLS - # connections. - # - `pki`: use `cluster_ca_cert`, - # `cluster_server_name` and `cluster_cert` - # for verification. 
- # These are different certificates for each - # DP node, but issued by a cluster-wide - # common CA certificate: `cluster_ca_cert`. - -#cluster_cert = # Filename of the cluster certificate to use - # when establishing secure communication - # between control and data plane nodes. - # You can use the `kong hybrid` command to - # generate the certificate/key pair. - # Under `shared` mode, it must be the same - # for all nodes. Under `pki` mode it - # should be a different certificate for each - # DP node. - -#cluster_cert_key = # Filename of the cluster certificate key to - # use when establishing secure communication - # between control and data plane nodes. - # You can use the `kong hybrid` command to - # generate the certificate/key pair. - # Under `shared` mode, it must be the same - # for all nodes. Under `pki` mode it - # should be a different certificate for each - # DP node. - -#cluster_ca_cert = # The trusted CA certificate file in PEM - # format used to verify the `cluster_cert`. - # Required if `cluster_mtls` is set to `pki`, - # ignored otherwise. - -#------------------------------------------------------------------------------ -# HYBRID MODE DATA PLANE -#------------------------------------------------------------------------------ - -#cluster_server_name = # The server name used in the SNI of the TLS - # connection from a DP node to a CP node. - # Must match the Common Name (CN) or Subject - # Alternative Name (SAN) found in the CP - # certificate. - # If `cluster_mtls` is set to - # `shared`, this setting is ignored and - # `kong_clustering` is used. - -#cluster_control_plane = # To be used by data plane nodes only: - # address of the control plane node from - # which configuration updates will be fetched, - # in `host:port` format. 
- -#------------------------------------------------------------------------------ -# HYBRID MODE CONTROL PLANE -#------------------------------------------------------------------------------ - -cluster_listen = 0.0.0.0:8005 - # Comma-separated list of addresses and ports on - # which the cluster control plane server should listen - # for data plane connections. - # The cluster communication port of the control plane - # must be accessible by all the data planes - # within the same cluster. This port is mTLS protected - # to ensure end-to-end security and integrity. - # - # This setting has no effect if `role` is not set to - # `control_plane`. - # - # Connection made to this endpoint are logged - # to the same location as Admin API access logs. - # See `admin_access_log` config description for more - # information. - -cluster_data_plane_purge_delay = 1209600 - # How many seconds must pass from the time a DP node - # becomes offline to the time its entry gets removed - # from the database, as returned by the - # /clustering/data-planes Admin API endpoint. - # - # This is to prevent the cluster data plane table from - # growing indefinitely. The default is set to - # 14 days. That is, if CP haven't heard from a DP for - # 14 days, its entry will be removed. - -cluster_ocsp = off - # Whether to check for revocation status of DP - # certificates using OCSP (Online Certificate Status Protocol). - # If enabled, the DP certificate should contain the - # "Certificate Authority Information Access" extension - # and the OCSP method with URI of which the OCSP responder - # can be reached from CP. - # - # OCSP checks are only performed on CP nodes, it has no - # effect on DP nodes. - # - # Valid values to this setting are: - # - # - `on`: OCSP revocation check is enabled and DP - # must pass the check in order to establish - # connection with CP. - # - `off`: OCSP revocation check is disabled. 
- # - `optional`: OCSP revocation check will be attempted, - # however, if the required extension is not - # found inside DP provided certificate - # or communication with the OCSP responder - # failed, then DP is still allowed through. -#------------------------------------------------------------------------------ -# NGINX -#------------------------------------------------------------------------------ - -proxy_listen = 0.0.0.0:8000 reuseport backlog=16384, 0.0.0.0:8443 http2 ssl reuseport backlog=16384 - # Comma-separated list of addresses and ports on - # which the proxy server should listen for - # HTTP/HTTPS traffic. - # The proxy server is the public entry point of Kong, - # which proxies traffic from your consumers to your - # backend services. This value accepts IPv4, IPv6, and - # hostnames. - # - # Some suffixes can be specified for each pair: - # - # - `ssl` will require that all connections made - # through a particular address/port be made with TLS - # enabled. - # - `http2` will allow for clients to open HTTP/2 - # connections to Kong's proxy server. - # - `proxy_protocol` will enable usage of the - # PROXY protocol for a given address/port. - # - `deferred` instructs to use a deferred accept on - # Linux (the TCP_DEFER_ACCEPT socket option). - # - `bind` instructs to make a separate bind() call - # for a given address:port pair. - # - `reuseport` instructs to create an individual - # listening socket for each worker process - # allowing the Kernel to better distribute incoming - # connections between worker processes - # - `backlog=N` sets the maximum length for the queue - # of pending TCP connections. This number should - # not be too small in order to prevent clients - # seeing "Connection refused" error connecting to - # a busy Kong instance. - # **Note:** on Linux, this value is limited by the - # setting of `net.core.somaxconn` Kernel parameter. 
- # In order for the larger `backlog` set here to take - # effect it is necessary to raise - # `net.core.somaxconn` at the same time to match or - # exceed the `backlog` number set. - # - # This value can be set to `off`, thus disabling - # the HTTP/HTTPS proxy port for this node. - # If stream_listen is also set to `off`, this enables - # 'control-plane' mode for this node - # (in which all traffic proxying capabilities are - # disabled). This node can then be used only to - # configure a cluster of Kong - # nodes connected to the same datastore. - # - # Example: - # `proxy_listen = 0.0.0.0:443 ssl, 0.0.0.0:444 http2 ssl` - # - # See http://nginx.org/en/docs/http/ngx_http_core_module.html#listen - # for a description of the accepted formats for this - # and other `*_listen` values. - # - # See https://www.nginx.com/resources/admin-guide/proxy-protocol/ - # for more details about the `proxy_protocol` - # parameter. - # - # Not all `*_listen` values accept all formats - # specified in nginx's documentation. - -stream_listen = off - # Comma-separated list of addresses and ports on - # which the stream mode should listen. - # - # This value accepts IPv4, IPv6, and hostnames. - # Some suffixes can be specified for each pair: - # - `ssl` will require that all connections made - # through a particular address/port be made with TLS - # enabled. - # - `proxy_protocol` will enable usage of the - # PROXY protocol for a given address/port. - # - `bind` instructs to make a separate bind() call - # for a given address:port pair. - # - `reuseport` instructs to create an individual - # listening socket for each worker process - # allowing the Kernel to better distribute incoming - # connections between worker processes - # - `backlog=N` sets the maximum length for the queue - # of pending TCP connections. This number should - # not be too small in order to prevent clients - # seeing "Connection refused" error connecting to - # a busy Kong instance. 
- # **Note:** on Linux, this value is limited by the - # setting of `net.core.somaxconn` Kernel parameter. - # In order for the larger `backlog` set here to take - # effect it is necessary to raise - # `net.core.somaxconn` at the same time to match or - # exceed the `backlog` number set. - # - # Examples: - # - # ``` - # stream_listen = 127.0.0.1:7000 reuseport backlog=16384 - # stream_listen = 0.0.0.0:989 reuseport backlog=65536, 0.0.0.0:20 - # stream_listen = [::1]:1234 backlog=16384 - # ``` - # - # By default this value is set to `off`, thus - # disabling the stream proxy port for this node. - -# See http://nginx.org/en/docs/stream/ngx_stream_core_module.html#listen -# for a description of the formats that Kong might accept in stream_listen. - -admin_listen = 127.0.0.1:8001 reuseport backlog=16384, 127.0.0.1:8444 http2 ssl reuseport backlog=16384 - # Comma-separated list of addresses and ports on - # which the Admin interface should listen. - # The Admin interface is the API allowing you to - # configure and manage Kong. - # Access to this interface should be *restricted* - # to Kong administrators *only*. This value accepts - # IPv4, IPv6, and hostnames. - # - # Some suffixes can be specified for each pair: - # - # - `ssl` will require that all connections made - # through a particular address/port be made with TLS - # enabled. - # - `http2` will allow for clients to open HTTP/2 - # connections to Kong's proxy server. - # - `proxy_protocol` will enable usage of the - # PROXY protocol for a given address/port. - # - `deferred` instructs to use a deferred accept on - # Linux (the TCP_DEFER_ACCEPT socket option). - # - `bind` instructs to make a separate bind() call - # for a given address:port pair. 
- # - `reuseport` instructs to create an individual - # listening socket for each worker process - # allowing the Kernel to better distribute incoming - # connections between worker processes - # - `backlog=N` sets the maximum length for the queue - # of pending TCP connections. This number should - # not be too small in order to prevent clients - # seeing "Connection refused" error connecting to - # a busy Kong instance. - # **Note:** on Linux, this value is limited by the - # setting of `net.core.somaxconn` Kernel parameter. - # In order for the larger `backlog` set here to take - # effect it is necessary to raise - # `net.core.somaxconn` at the same time to match or - # exceed the `backlog` number set. - # - # This value can be set to `off`, thus disabling - # the Admin interface for this node, enabling a - # 'data-plane' mode (without configuration - # capabilities) pulling its configuration changes - # from the database. - # - # Example: `admin_listen = 127.0.0.1:8444 http2 ssl` - -status_listen = off # Comma-separated list of addresses and ports on - # which the Status API should listen. - # The Status API is a read-only endpoint - # allowing monitoring tools to retrieve metrics, - # healthiness, and other non-sensitive information - # of the current Kong node. - # - # The following suffix can be specified for each pair: - # - # - `ssl` will require that all connections made - # through a particular address/port be made with TLS - # enabled. - # - # This value can be set to `off`, disabling - # the Status API for this node. - # - # Example: `status_listen = 0.0.0.0:8100` - - -#nginx_user = # Defines user and group credentials used by - # worker processes. If group is omitted, a - # group whose name equals that of user is - # used. - # - # Example: `nginx_user = nginx www` - # - # **Note**: If the `kong` user and the `kong` - # group are not available, the default user - # and group credentials will be - # `nobody nobody`. 
- -nginx_worker_processes = auto # Determines the number of worker processes - # spawned by Nginx. - # - # See http://nginx.org/en/docs/ngx_core_module.html#worker_processes - # for detailed usage of the equivalent Nginx - # directive and a description of accepted - # values. - -nginx_daemon = off # Determines whether Nginx will run as a daemon - # or as a foreground process. Mainly useful - # for development or when running Kong inside - # a Docker environment. - # - # See http://nginx.org/en/docs/ngx_core_module.html#daemon. - -mem_cache_size = 128m # Size of each of the two in-memory caches - # for database entities. The accepted units are - # `k` and `m`, with a minimum recommended value of - # a few MBs. - # - # **Note**: As this option controls the size of two - # different cache entries, the total memory Kong - # uses to cache entities might be double this value. - -ssl_cipher_suite = intermediate # Defines the TLS ciphers served by Nginx. - # Accepted values are `modern`, - # `intermediate`, `old`, or `custom`. - # - # See https://wiki.mozilla.org/Security/Server_Side_TLS - # for detailed descriptions of each cipher - # suite. - -#ssl_ciphers = # Defines a custom list of TLS ciphers to be - # served by Nginx. This list must conform to - # the pattern defined by `openssl ciphers`. - # This value is ignored if `ssl_cipher_suite` - # is not `custom`. - -ssl_protocols = TLSv1.1 TLSv1.2 TLSv1.3 - # Enables the specified protocols for - # client-side connections. The set of - # supported protocol versions also depends - # on the version of OpenSSL Kong was built - # with. This value is ignored if - # `ssl_cipher_suite` is not `custom`. - # - # See http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_protocols - -ssl_prefer_server_ciphers = on # Specifies that server ciphers should be - # preferred over client ciphers when using - # the SSLv3 and TLS protocols. This value is - # ignored if `ssl_cipher_suite` is not `custom`. 
- #
- # See http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_prefer_server_ciphers
-
-#ssl_dhparam = # Defines DH parameters for DHE ciphers from the
- # predefined groups: `ffdhe2048`, `ffdhe3072`,
- # `ffdhe4096`, `ffdhe6144`, `ffdhe8192`, or
- # from the absolute path to a parameters file.
- #
- # This value is ignored if `ssl_cipher_suite`
- # is `modern` or `intermediate`. The reason is
- # that `modern` has no ciphers that needs this,
- # and `intermediate` uses `ffdhe2048`.
- #
- # See http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_dhparam
-
-ssl_session_tickets = on # Enables or disables session resumption through
- # TLS session tickets. This has no impact when
- # used with TLSv1.3.
- #
- # Kong enables this by default for performance
- # reasons, but it has security implications:
- # https://github.com/mozilla/server-side-tls/issues/135
- #
- # See http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_tickets
-
-ssl_session_timeout = 1d # Specifies a time during which a client may
- # reuse the session parameters. See the rationale:
- # https://github.com/mozilla/server-side-tls/issues/198
- #
- # See http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_timeout
-
-#ssl_cert = # Comma-separated list of the absolute path to the certificates for
- # `proxy_listen` values with TLS enabled.
- #
- # If more than one certificates are specified, it can be used to provide
- # alternate type of certificate (for example, ECC certificate) that will be served
- # to clients that supports them. Note to properly serve using ECC certificates,
- # it is recommended to also set `ssl_cipher_suite` to
- # `modern` or `intermediate`.
- #
- # Unless this option is explicitly set, Kong will auto-generate
- # a pair of default certificates (RSA + ECC) first time it starts up and use
- # it for serving TLS requests.
-
-#ssl_cert_key = # Comma-separated list of the absolute path to the keys for
- # `proxy_listen` values with TLS enabled.
- #
- # If more than one certificate was specified for `ssl_cert`, then this
- # option should contain the corresponding key for all certificates
- # provided in the same order.
- #
- # Unless this option is explicitly set, Kong will auto-generate
- # a pair of default private keys (RSA + ECC) first time it starts up and use
- # it for serving TLS requests.
-
-client_ssl = off # Determines if Nginx should attempt to send client-side
- # TLS certificates and perform Mutual TLS Authentication
- # with upstream service when proxying requests.
-
-#client_ssl_cert = # If `client_ssl` is enabled, the absolute
- # path to the client certificate for the `proxy_ssl_certificate` directive.
- #
- # This value can be overwritten dynamically with the `client_certificate`
- # attribute of the `Service` object.
-
-#client_ssl_cert_key = # If `client_ssl` is enabled, the absolute
- # path to the client TLS key for the `proxy_ssl_certificate_key` directive.
- #
- # This value can be overwritten dynamically with the `client_certificate`
- # attribute of the `Service` object.
-
-#admin_ssl_cert = # Comma-separated list of the absolute path to the certificates for
- # `admin_listen` values with TLS enabled.
- #
- # See docs for `ssl_cert` for detailed usage.
-
-#admin_ssl_cert_key = # Comma-separated list of the absolute path to the keys for
- # `admin_listen` values with TLS enabled.
- #
- # See docs for `ssl_cert_key` for detailed usage.
-
-#status_ssl_cert = # Comma-separated list of the absolute path to the certificates for
- # `status_listen` values with TLS enabled.
- #
- # See docs for `ssl_cert` for detailed usage.
-
-#status_ssl_cert_key = # Comma-separated list of the absolute path to the keys for
- # `status_listen` values with TLS enabled.
- #
- # See docs for `ssl_cert_key` for detailed usage.
-
-headers = server_tokens, latency_tokens
- # Comma-separated list of headers Kong should
- # inject in client responses.
- #
- # Accepted values are:
- # - `Server`: Injects `Server: kong/x.y.z`
- # on Kong-produced response (e.g. Admin
- # API, rejected requests from auth plugin).
- # - `Via`: Injects `Via: kong/x.y.z` for
- # successfully proxied requests.
- # - `X-Kong-Proxy-Latency`: Time taken
- # (in milliseconds) by Kong to process
- # a request and run all plugins before
- # proxying the request upstream.
- # - `X-Kong-Response-Latency`: time taken
- # (in millisecond) by Kong to produce
- # a response in case of e.g. plugin
- # short-circuiting the request, or in
- # in case of an error.
- # - `X-Kong-Upstream-Latency`: Time taken
- # (in milliseconds) by the upstream
- # service to send response headers.
- # - `X-Kong-Admin-Latency`: Time taken
- # (in milliseconds) by Kong to process
- # an Admin API request.
- # - `X-Kong-Upstream-Status`: The HTTP status
- # code returned by the upstream service.
- # This is particularly useful for clients to
- # distinguish upstream statuses if the
- # response is rewritten by a plugin.
- # - `server_tokens`: Same as specifying both
- # `Server` and `Via`.
- # - `latency_tokens`: Same as specifying
- # `X-Kong-Proxy-Latency`,
- # `X-Kong-Response-Latency`,
- # `X-Kong-Admin-Latency` and
- # `X-Kong-Upstream-Latency`
- #
- # In addition to those, this value can be set
- # to `off`, which prevents Kong from injecting
- # any of the above headers. Note that this
- # does not prevent plugins from injecting
- # headers of their own.
- #
- # Example: `headers = via, latency_tokens`
-
-#trusted_ips = # Defines trusted IP addresses blocks that are
- # known to send correct `X-Forwarded-*`
- # headers.
- # Requests from trusted IPs make Kong forward
- # their `X-Forwarded-*` headers upstream.
- # Non-trusted requests make Kong insert its
- # own `X-Forwarded-*` headers.
- #
- # This property also sets the
- # `set_real_ip_from` directive(s) in the Nginx
- # configuration. It accepts the same type of
- # values (CIDR blocks) but as a
- # comma-separated list.
- #
- # To trust *all* /!\ IPs, set this value to
- # `0.0.0.0/0,::/0`.
- #
- # If the special value `unix:` is specified,
- # all UNIX-domain sockets will be trusted.
- #
- # See http://nginx.org/en/docs/http/ngx_http_realip_module.html#set_real_ip_from
- # for examples of accepted values.
-# GCP ips
-trusted_ips = 130.211.0.0/22,35.191.0.0/16,34.120.148.61/32
-
-# real_ip_header = X-Real-IP
-real_ip_header = X-Forwarded-For # Defines the request header field whose value
- # will be used to replace the client address.
- # This value sets the `ngx_http_realip_module`
- # directive of the same name in the Nginx
- # configuration.
- #
- # If this value receives `proxy_protocol`:
- #
- # - at least one of the `proxy_listen` entries
- # must have the `proxy_protocol` flag
- # enabled.
- # - the `proxy_protocol` parameter will be
- # appended to the `listen` directive of the
- # Nginx template.
- #
- # See http://nginx.org/en/docs/http/ngx_http_realip_module.html#real_ip_header
- # for a description of this directive.
-
-real_ip_recursive = on # This value sets the `ngx_http_realip_module`
- # directive of the same name in the Nginx
- # configuration.
- #
- # See http://nginx.org/en/docs/http/ngx_http_realip_module.html#real_ip_recursive
- # for a description of this directive.
-
-error_default_type = text/plain # Default MIME type to use when the request
- # `Accept` header is missing and Nginx
- # is returning an error for the request.
- # Accepted values are `text/plain`,
- # `text/html`, `application/json`, and
- # `application/xml`.
-
-upstream_keepalive_pool_size = 60 # Sets the default size of the upstream
- # keepalive connection pools.
- # Upstream keepalive connection pools
- # are segmented by the `dst ip/dst
- # port/SNI` attributes of a connection.
- # A value of `0` will disable upstream
- # keepalive connections by default, forcing
- # each upstream request to open a new
- # connection.
-
-upstream_keepalive_max_requests = 100 # Sets the default maximum number of
- # requests than can be proxied upstream
- # through one keepalive connection.
- # After the maximum number of requests
- # is reached, the connection will be
- # closed.
- # A value of `0` will disable this
- # behavior, and a keepalive connection
- # can be used to proxy an indefinite
- # number of requests.
-
-upstream_keepalive_idle_timeout = 60 # Sets the default timeout (in seconds)
- # for which an upstream keepalive
- # connection should be kept open. When
- # the timeout is reached while the
- # connection has not been reused, it
- # will be closed.
- # A value of `0` will disable this
- # behavior, and an idle keepalive
- # connection may be kept open
- # indefinitely.
-
-#------------------------------------------------------------------------------
-# NGINX injected directives
-#------------------------------------------------------------------------------
-
-# Nginx directives can be dynamically injected in the runtime nginx.conf file
-# without requiring a custom Nginx configuration template.
-#
-# All configuration properties respecting the naming scheme
-# `nginx__` will result in `` being injected in
-# the Nginx configuration block corresponding to the property's ``.
-# Example:
-# `nginx_proxy_large_client_header_buffers = 8 24k`
-#
-# Will inject the following directive in Kong's proxy `server {}` block:
-#
-# `large_client_header_buffers 8 24k;`
-#
-# The following namespaces are supported:
-#
-# - `nginx_main_`: Injects `` in Kong's configuration
-# `main` context.
-# - `nginx_events_`: Injects `` in Kong's `events {}`
-# block.
-# - `nginx_http_`: Injects `` in Kong's `http {}` block.
-# - `nginx_proxy_`: Injects `` in Kong's proxy
-# `server {}` block.
-# - `nginx_upstream_`: Injects `` in Kong's proxy
-# `upstream {}` block.
-# - `nginx_admin_`: Injects `` in Kong's Admin API
-# `server {}` block.
-# - `nginx_status_`: Injects `` in Kong's Status API
-# `server {}` block (only effective if `status_listen` is enabled).
-# - `nginx_stream_`: Injects `` in Kong's stream module
-# `stream {}` block (only effective if `stream_listen` is enabled).
-# - `nginx_sproxy_`: Injects `` in Kong's stream module
-# `server {}` block (only effective if `stream_listen` is enabled).
-# - `nginx_supstream_`: Injects `` in Kong's stream
-# module `upstream {}` block.
-#
-# As with other configuration properties, Nginx directives can be injected via
-# environment variables when capitalized and prefixed with `KONG_`.
-# Example:
-# `KONG_NGINX_HTTP_SSL_PROTOCOLS` -> `nginx_http_ssl_protocols`
-#
-# Will inject the following directive in Kong's `http {}` block:
-#
-# `ssl_protocols ;`
-#
-# If different sets of protocols are desired between the proxy and Admin API
-# server, you may specify `nginx_proxy_ssl_protocols` and/or
-# `nginx_admin_ssl_protocols`, both of which taking precedence over the
-# `http {}` block.
-
-nginx_main_worker_rlimit_nofile = auto
- # Changes the limit on the maximum number of open files
- # for worker processes.
- #
- # The special and default value of `auto` sets this
- # value to `ulimit -n` with the upper bound limited to
- # 16384 as a measure to protect against excess memory use.
- #
- # See http://nginx.org/en/docs/ngx_core_module.html#worker_rlimit_nofile
-
-nginx_events_worker_connections = auto
- # Sets the maximum number of simultaneous
- # connections that can be opened by a worker process.
- #
- # The special and default value of `auto` sets this
- # value to `ulimit -n` with the upper bound limited to
- # 16384 as a measure to protect against excess memory use.
- #
- # See http://nginx.org/en/docs/ngx_core_module.html#worker_connections
-
-nginx_http_client_header_buffer_size = 1k # Sets buffer size for reading the
- # client request headers.
- # See http://nginx.org/en/docs/http/ngx_http_core_module.html#client_header_buffer_size
-
-nginx_http_large_client_header_buffers = 4 8k # Sets the maximum number and
- # size of buffers used for
- # reading large clients
- # requests headers.
- # See http://nginx.org/en/docs/http/ngx_http_core_module.html#large_client_header_buffers
-
-nginx_http_client_max_body_size = 0 # Defines the maximum request body size
- # allowed by requests proxied by Kong,
- # specified in the Content-Length request
- # header. If a request exceeds this
- # limit, Kong will respond with a 413
- # (Request Entity Too Large). Setting
- # this value to 0 disables checking the
- # request body size.
- # See http://nginx.org/en/docs/http/ngx_http_core_module.html#client_max_body_size
-
-nginx_admin_client_max_body_size = 10m # Defines the maximum request body size for
- # Admin API.
-
-nginx_http_client_body_buffer_size = 8k # Defines the buffer size for reading
- # the request body. If the client
- # request body is larger than this
- # value, the body will be buffered to
- # disk. Note that when the body is
- # buffered to disk, Kong plugins that
- # access or manipulate the request
- # body may not work, so it is
- # advisable to set this value as high
- # as possible (e.g., set it as high
- # as `client_max_body_size` to force
- # request bodies to be kept in
- # memory). Do note that
- # high-concurrency environments will
- # require significant memory
- # allocations to process many
- # concurrent large request bodies.
- # See http://nginx.org/en/docs/http/ngx_http_core_module.html#client_body_buffer_size
-
-nginx_admin_client_body_buffer_size = 10m # Defines the buffer size for reading
- # the request body on Admin API.
-
-#------------------------------------------------------------------------------
-# DATASTORE
-#------------------------------------------------------------------------------
-
-# Kong can run with a database to store coordinated data between Kong nodes in
-# a cluster, or without a database, where each node stores its information
-# independently in memory.
-#
-# When using a database, Kong will store data for all its entities (such as
-# Routes, Services, Consumers, and Plugins) in either Cassandra or PostgreSQL,
-# and all Kong nodes belonging to the same cluster must connect themselves
-# to the same database.
-#
-# Kong supports the following database versions:
-# - **PostgreSQL**: 9.5 and above.
-# - **Cassandra**: 2.2 and above.
-#
-# When not using a database, Kong is said to be in "DB-less mode": it will keep
-# its entities in memory, and each node needs to have this data entered via a
-# declarative configuration file, which can be specified through the
-# `declarative_config` property, or via the Admin API using the `/config`
-# endpoint.
-#
-# When using Postgres as the backend storage, you can optionally enable Kong
-# to serve read queries from a separate database instance.
-# When the number of proxies is large, this can greatly reduce the load
-# on the main Postgres instance and achieve better scalability. It may also
-# reduce the latency jitter if the Kong proxy node's latency to the main
-# Postgres instance is high.
-#
-# The read-only Postgres instance only serves read queries and write
-# queries still goes to the main connection. The read-only Postgres instance
-# can be eventually consistent while replicating changes from the main
-# instance.
-#
-# At least the `pg_ro_host` config is needed to enable this feature.
-# By default, all other database config for the read-only connection are
-# inherited from the corresponding main connection config described above but
-# may be optionally overwritten explicitly using the `pg_ro_*` config below.
-
-database = postgres # Determines which of PostgreSQL or Cassandra
- # this node will use as its datastore.
- # Accepted values are `postgres`,
- # `cassandra`, and `off`.
-
-pg_host = 127.0.0.1 # Host of the Postgres server.
-pg_port = 5432 # Port of the Postgres server.
-pg_timeout = 5000 # Defines the timeout (in ms), for connecting,
- # reading and writing.
-
-pg_user = kong # Postgres user.
-#pg_password = # Postgres user's password.
-pg_database = kong # The database name to connect to.
-
-#pg_schema = # The database schema to use. If unspecified,
- # Kong will respect the `search_path` value of
- # your PostgreSQL instance.
-
-pg_ssl = off # Toggles client-server TLS connections
- # between Kong and PostgreSQL.
- # Because PostgreSQL uses the same port for TLS
- # and non-TLS, this is only a hint. If the
- # server does not support TLS, the established
- # connection will be a plain one.
-
-pg_ssl_verify = off # Toggles server certificate verification if
- # `pg_ssl` is enabled.
- # See the `lua_ssl_trusted_certificate`
- # setting to specify a certificate authority.
-
-pg_max_concurrent_queries = 0 # Sets the maximum number of concurrent queries
- # that can be executing at any given time. This
- # limit is enforced per worker process; the
- # total number of concurrent queries for this
- # node will be will be:
- # `pg_max_concurrent_queries * nginx_worker_processes`.
- #
- # The default value of 0 removes this
- # concurrency limitation.
-
-pg_semaphore_timeout = 60000 # Defines the timeout (in ms) after which
- # PostgreSQL query semaphore resource
- # acquisition attempts will fail. Such
- # failures will generally result in the
- # associated proxy or Admin API request
- # failing with an HTTP 500 status code.
- # Detailed discussion of this behavior is
- # available in the online documentation.
-
-#pg_ro_host = # Same as `pg_host`, but for the
- # read-only connection.
- # **Note:** Refer to the documentation
- # section above for detailed usage.
-
-#pg_ro_port = # Same as `pg_port`, but for the
- # read-only connection.
-
-#pg_ro_timeout = # Same as `pg_timeout`, but for the
- # read-only connection.
-
-#pg_ro_user = # Same as `pg_user`, but for the
- # read-only connection.
-
-#pg_ro_password = # Same as `pg_password`, but for the
- # read-only connection.
-
-#pg_ro_database = # Same as `pg_database`, but for the
- # read-only connection.
-
-#pg_ro_schema = # Same as `pg_schema`, but for the
- # read-only connection.
-
-#pg_ro_ssl = # Same as `pg_ssl`, but for the
- # read-only connection.
-
-#pg_ro_ssl_verify =
- # Same as `pg_ssl_verify`, but for the
- # read-only connection.
-
-#pg_ro_max_concurrent_queries =
- # Same as `pg_max_concurrent_queries`, but for
- # the read-only connection.
- # Note: read-only concurrency is not shared
- # with the main (read-write) connection.
-
-#pg_ro_semaphore_timeout =
- # Same as `pg_semaphore_timeout`, but for the
- # read-only connection.
-
-cassandra_contact_points = 127.0.0.1 # A comma-separated list of contact
- # points to your cluster.
- # You may specify IP addresses or
- # hostnames. Note that the port
- # component of SRV records will be
- # ignored in favor of `cassandra_port`.
- # When connecting to a multi-DC cluster,
- # ensure that contact points from the
- # local datacenter are specified first
- # in this list.
-
-cassandra_port = 9042 # The port on which your nodes are listening
- # on. All your nodes and contact points must
- # listen on the same port. Will be created if
- # it doesn't exist.
-
-cassandra_keyspace = kong # The keyspace to use in your cluster.
-
-cassandra_write_consistency = ONE # Consistency setting to use when
- # writing to the Cassandra cluster.
-
-cassandra_read_consistency = ONE # Consistency setting to use when
- # reading from the Cassandra cluster.
-
-cassandra_timeout = 5000 # Defines the timeout (in ms) for reading
- # and writing.
-
-cassandra_ssl = off # Toggles client-to-node TLS connections
- # between Kong and Cassandra.
-
-cassandra_ssl_verify = off # Toggles server certificate verification if
- # `cassandra_ssl` is enabled.
- # See the `lua_ssl_trusted_certificate`
- # setting to specify a certificate authority.
-
-cassandra_username = kong # Username when using the
- # `PasswordAuthenticator` scheme.
-
-#cassandra_password = # Password when using the
- # `PasswordAuthenticator` scheme.
-
-cassandra_lb_policy = RequestRoundRobin # Load balancing policy to use when
- # distributing queries across your
- # Cassandra cluster.
- # Accepted values are:
- # `RoundRobin`, `RequestRoundRobin`,
- # `DCAwareRoundRobin`, and
- # `RequestDCAwareRoundRobin`.
- # Policies prefixed with "Request"
- # make efficient use of established
- # connections throughout the same
- # request.
- # Prefer "DCAware" policies if and
- # only if you are using a
- # multi-datacenter cluster.
-
-#cassandra_local_datacenter = # When using the `DCAwareRoundRobin`
- # or `RequestDCAwareRoundRobin` load
- # balancing policy, you must specify the name
- # of the local (closest) datacenter for this
- # Kong node.
-
-cassandra_refresh_frequency = 60 # Frequency (in seconds) at which
- # the cluster topology will be
- # checked for new or decommissioned
- # nodes.
- # A value of `0` will disable this
- # check, and the cluster topology
- # will never be refreshed.
-
-cassandra_repl_strategy = SimpleStrategy # When migrating for the first time,
- # Kong will use this setting to
- # create your keyspace.
- # Accepted values are
- # `SimpleStrategy` and
- # `NetworkTopologyStrategy`.
-
-cassandra_repl_factor = 1 # When migrating for the first time, Kong
- # will create the keyspace with this
- # replication factor when using the
- # `SimpleStrategy`.
-
-cassandra_data_centers = dc1:2,dc2:3 # When migrating for the first time,
- # will use this setting when using the
- # `NetworkTopologyStrategy`.
- # The format is a comma-separated list
- # made of `:`.
-
-cassandra_schema_consensus_timeout = 10000 # Defines the timeout (in ms) for
- # the waiting period to reach a
- # schema consensus between your
- # Cassandra nodes.
- # This value is only used during
- # migrations.
-
-#declarative_config = # The path to the declarative configuration
- # file which holds the specification of all
- # entities (Routes, Services, Consumers, etc.)
- # to be used when the `database` is set to
- # `off`.
- #
- # Entities are stored in Kong's in-memory cache,
- # so you must ensure that enough memory is
- # allocated to it via the `mem_cache_size`
- # property. You must also ensure that items
- # in the cache never expire, which means that
- # `db_cache_ttl` should preserve its default
- # value of 0.
- #
- # If the Hybrid mode `role` is set to `data_plane`
- # and there's no configuration cache file,
- # this configuration is used before connecting
- # to the Control Plane node as a user-controlled
- # fallback.
-
-#------------------------------------------------------------------------------
-# DATASTORE CACHE
-#------------------------------------------------------------------------------
-
-# In order to avoid unnecessary communication with the datastore, Kong caches
-# entities (such as APIs, Consumers, Credentials...) for a configurable period
-# of time. It also handles invalidations if such an entity is updated.
-#
-# This section allows for configuring the behavior of Kong regarding the
-# caching of such configuration entities.
-
-db_update_frequency = 5 # Frequency (in seconds) at which to check for
- # updated entities with the datastore.
- #
- # When a node creates, updates, or deletes an
- # entity via the Admin API, other nodes need
- # to wait for the next poll (configured by
- # this value) to eventually purge the old
- # cached entity and start using the new one.
-
-db_update_propagation = 0 # Time (in seconds) taken for an entity in the
- # datastore to be propagated to replica nodes
- # of another datacenter.
- #
- # When in a distributed environment such as
- # a multi-datacenter Cassandra cluster, this
- # value should be the maximum number of
- # seconds taken by Cassandra to propagate a
- # row to other datacenters.
- #
- # When set, this property will increase the
- # time taken by Kong to propagate the change
- # of an entity.
- #
- # Single-datacenter setups or PostgreSQL
- # servers should suffer no such delays, and
- # this value can be safely set to 0.
-
-db_cache_ttl = 0 # Time-to-live (in seconds) of an entity from
- # the datastore when cached by this node.
- #
- # Database misses (no entity) are also cached
- # according to this setting if you do not
- # configure `db_cache_neg_ttl`.
- #
- # If set to 0 (default), such cached entities
- # or misses never expire.
-
-#db_cache_neg_ttl = # Time-to-live (in seconds) of a datastore
- # miss (no entity).
- #
- # If not specified (default), `db_cache_ttl`
- # value will be used instead.
- #
- # If set to 0, misses will never expire.
-
-db_resurrect_ttl = 30 # Time (in seconds) for which stale entities
- # from the datastore should be resurrected for
- # when they cannot be refreshed (e.g., the
- # datastore is unreachable). When this TTL
- # expires, a new attempt to refresh the stale
- # entities will be made.
-
-db_cache_warmup_entities = services
- # Entities to be pre-loaded from the datastore
- # into the in-memory cache at Kong start-up.
- # This speeds up the first access of endpoints
- # that use the given entities.
- #
- # When the `services` entity is configured
- # for warmup, the DNS entries for values in
- # its `host` attribute are pre-resolved
- # asynchronously as well.
- #
- # Cache size set in `mem_cache_size` should
- # be set to a value large enough to hold all
- # instances of the specified entities.
- # If the size is insufficient, Kong will log
- # a warning.
-
-#------------------------------------------------------------------------------
-# DNS RESOLVER
-#------------------------------------------------------------------------------
-
-# By default, the DNS resolver will use the standard configuration files
-# `/etc/hosts` and `/etc/resolv.conf`. The settings in the latter file will be
-# overridden by the environment variables `LOCALDOMAIN` and `RES_OPTIONS` if
-# they have been set.
-#
-# Kong will resolve hostnames as either `SRV` or `A` records (in that order, and
-# `CNAME` records will be dereferenced in the process).
-# In case a name was resolved as an `SRV` record it will also override any given
-# port number by the `port` field contents received from the DNS server.
-#
-# The DNS options `SEARCH` and `NDOTS` (from the `/etc/resolv.conf` file) will
-# be used to expand short names to fully qualified ones. So it will first try
-# the entire `SEARCH` list for the `SRV` type, if that fails it will try the
-# `SEARCH` list for `A`, etc.
-#
-# For the duration of the `ttl`, the internal DNS resolver will loadbalance each
-# request it gets over the entries in the DNS record. For `SRV` records the
-# `weight` fields will be honored, but it will only use the lowest `priority`
-# field entries in the record.
-
-#dns_resolver = # Comma separated list of nameservers, each
- # entry in `ip[:port]` format to be used by
- # Kong. If not specified the nameservers in
- # the local `resolv.conf` file will be used.
- # Port defaults to 53 if omitted. Accepts
- # both IPv4 and IPv6 addresses.
-
-dns_hostsfile = /etc/hosts # The hosts file to use. This file is read
- # once and its content is static in memory.
- # To read the file again after modifying it,
- # Kong must be reloaded.
-
-dns_order = LAST,SRV,A,CNAME # The order in which to resolve different
- # record types. The `LAST` type means the
- # type of the last successful lookup (for the
- # specified name). The format is a (case
- # insensitive) comma separated list.
-
-#dns_valid_ttl = # By default, DNS records are cached using
- # the TTL value of a response. If this
- # property receives a value (in seconds), it
- # will override the TTL for all records.
-
-dns_stale_ttl = 4 # Defines, in seconds, how long a record will
- # remain in cache past its TTL. This value
- # will be used while the new DNS record is
- # fetched in the background.
- # Stale data will be used from expiry of a
- # record until either the refresh query
- # completes, or the `dns_stale_ttl` number of
- # seconds have passed.
-
-dns_not_found_ttl = 30 # TTL in seconds for empty DNS responses and
- # "(3) name error" responses.
-
-dns_error_ttl = 1 # TTL in seconds for error responses.
-
-dns_no_sync = off # If enabled, then upon a cache-miss every
- # request will trigger its own dns query.
- # When disabled multiple requests for the
- # same name/type will be synchronised to a
- # single query.
-
-#------------------------------------------------------------------------------
-# TUNING & BEHAVIOR
-#------------------------------------------------------------------------------
-
-worker_consistency = strict
- # Defines whether this node should rebuild its
- # state synchronously or asynchronously (the
- # balancers and the router are rebuilt on
- # updates that affects them, e.g., updates to
- # Routes, Services or Upstreams, via the Admin
- # API or loading a declarative configuration
- # file).
- #
- # Accepted values are:
- #
- # - `strict`: the router will be rebuilt
- # synchronously, causing incoming requests to
- # be delayed until the rebuild is finished.
- # - `eventual`: the router will be rebuilt
- # asynchronously via a recurring background
- # job running every second inside of each
- # worker.
- #
- # Note that `strict` ensures that all workers
- # of a given node will always proxy requests
- # with an identical router, but that increased
- # long tail latency can be observed if
- # frequent Routes and Services updates are
- # expected.
- # Using `eventual` will help preventing long
- # tail latency issues in such cases, but may
- # cause workers to route requests differently
- # for a short period of time after Routes and
- # Services updates.
-
-worker_state_update_frequency = 5
- # Defines how often the worker state changes are
- # checked with a background job. When a change
- # is detected, a new router or balancer will be
- # built, as needed. Raising this value will
- # decrease the load on database servers and
- # result in less jitter in proxy latency, but
- # it might take more time to propagate changes
- # to each individual worker.
-
-#------------------------------------------------------------------------------
-# MISCELLANEOUS
-#------------------------------------------------------------------------------
-
-# Additional settings inherited from lua-nginx-module allowing for more
-# flexibility and advanced usage.
-#
-# See the lua-nginx-module documentation for more information:
-# https://github.com/openresty/lua-nginx-module
-
-
-#lua_ssl_trusted_certificate = # Comma-separated list of paths to certificate
- # authority files for Lua cosockets in PEM format.
- #
- # The special value `system` attempts to search for the
- # "usual default" provided by each distro, according
- # to an arbitrary heuristic. In the current implementation,
- # The following pathnames will be tested in order,
- # and the first one found will be used:
- #
- # - /etc/ssl/certs/ca-certificates.crt (Debian/Ubuntu/Gentoo)
- # - /etc/pki/tls/certs/ca-bundle.crt (Fedora/RHEL 6)
- # - /etc/ssl/ca-bundle.pem (OpenSUSE)
- # - /etc/pki/tls/cacert.pem (OpenELEC)
- # - /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem (CentOS/RHEL 7)
- # - /etc/ssl/cert.pem (OpenBSD, Alpine)
- #
- # If no file is found on any of these paths, an error will
- # be raised.
- #
- # `system` can be used by itself or in conjunction with other
- # CA filepaths.
- #
- # When `pg_ssl_verify` or `cassandra_ssl_verify`
- # are enabled, these certificate authority files will be
- # used for verifying Kong's database connections.
- #
- # See https://github.com/openresty/lua-nginx-module#lua_ssl_trusted_certificate
-
-lua_ssl_verify_depth = 1 # Sets the verification depth in the server
- # certificates chain used by Lua cosockets,
- # set by `lua_ssl_trusted_certificate`.
- # This includes the certificates configured
- # for Kong's database connections.
- # If the maximum depth is reached before
- # reaching the end of the chain, verification
- # will fail. This helps mitigate certificate
- # based DoS attacks.
- #
- # See https://github.com/openresty/lua-nginx-module#lua_ssl_verify_depth
-
-lua_ssl_protocols = TLSv1.1 TLSv1.2 TLSv1.3 # Defines the TLS versions supported
- # when handshaking with OpenResty's
- # TCP cosocket APIs.
- #
- # This affects connections made by Lua
- # code, such as connections to the
- # database Kong uses, or when sending logs
- # using a logging plugin. It does *not*
- # affect connections made to the upstream
- # Service or from downstream clients.
-
-#lua_package_path = # Sets the Lua module search path
- # (LUA_PATH). Useful when developing
- # or using custom plugins not stored
- # in the default search path.
- # - # See https://github.com/openresty/lua-nginx-module#lua_package_path - -#lua_package_cpath = # Sets the Lua C module search path - # (LUA_CPATH). - # - # See https://github.com/openresty/lua-nginx-module#lua_package_cpath - -lua_socket_pool_size = 30 # Specifies the size limit for every cosocket - # connection pool associated with every remote - # server. - # - # See https://github.com/openresty/lua-nginx-module#lua_socket_pool_size - -untrusted_lua = sandbox - # Controls loading of Lua functions from admin-supplied - # sources such as the Admin API. LuaJIT bytecode - # loading is always disabled. - # - # **Warning:** LuaJIT is not designed as a secure - # runtime for running malicious code, therefore - # you should properly protect your Admin API endpoint - # even with sandboxing enabled. The sandbox only - # provides protection against trivial attackers or - # unintentional modification of the Kong global - # environment. - # - # Accepted values are: `off`, `sandbox`, or - # `on`: - # - # * `off`: Disallow loading of any arbitrary - # Lua functions. The `off` option - # disables any functionality that runs - # arbitrary Lua code, including the - # Serverless Functions plugins and any - # transformation plugin that allows - # custom Lua functions. - # - # * `sandbox`: Allow loading of Lua functions, - # but use a sandbox when executing - # them. The sandboxed function has - # restricted access to the global - # environment and only has access - # to standard Lua functions that - # will generally not cause harm to - # the Kong Gateway node. - # - # * `on`: Functions have unrestricted - # access to the global environment and - # can load any Lua modules. This is - # similar to the behavior in - # Kong Gateway prior to 2.3.0. - # - # The default `sandbox` environment does not - # allow importing other modules or libraries, - # or executing anything at the OS level (for - # example, file read/write). The global - # environment is also not accessible. 
- # - # Examples of `untrusted_lua = sandbox` - # behavior: - # - # * You can't access or change global values - # such as `kong.configuration.pg_password` - # * You can run harmless lua: - # `local foo = 1 + 1`. However, OS level - # functions are not allowed, like: - # `os.execute('rm -rf /*')`. - # - # For a full allowed/disallowed list, see: - # https://github.com/kikito/sandbox.lua/blob/master/sandbox.lua - # - # To customize the sandbox environment, use - # the `untrusted_lua_sandbox_requires` and - # `untrusted_lua_sandbox_environment` - # parameters below. - -#untrusted_lua_sandbox_requires = # Comma-separated list of modules allowed to - # be loaded with `require` inside the - # sandboxed environment. Ignored - # if `untrusted_lua` is not `sandbox`. - # - # For example, say you have configured the - # Serverless pre-function plugin and it - # contains the following `requires`: - # - # ``` - # local template = require "resty.template" - # local split = require "kong.tools.utils".split - # ``` - # - # To run the plugin, add the modules to the - # allowed list: - # ``` - # untrusted_lua_sandbox_requires = resty.template, kong.tools.utils - # ``` - # - # **Warning:** Allowing certain modules may - # create opportunities to escape the - # sandbox. For example, allowing `os` or - # `luaposix` may be unsafe. - -#untrusted_lua_sandbox_environment = # Comma-separated list of global Lua - # variables that should be made available - # inside the sandboxed environment. Ignored - # if `untrusted_lua` is not `sandbox`. - # - # **Warning**: Certain variables, when made - # available, may create opportunities to - # escape the sandbox. diff --git a/packages/helm-charts/kong/templates/NOTES.txt b/packages/helm-charts/kong/templates/NOTES.txt deleted file mode 100644 index 9542a8b954..0000000000 --- a/packages/helm-charts/kong/templates/NOTES.txt +++ /dev/null 
@@ -1,95 +0,0 @@ -** Please be patient while the chart is being deployed ** - -{{- if .Values.ingress.enabled }} - Kong URL(s): -{{- if .Values.ingress.hostname }} - - http://{{ .Values.ingress.hostname }} -{{- end }} -{{- range $host := .Values.ingress.hosts }} - {{- range .paths }} - - http://{{ $host.name }}{{ . }} - {{- end }} -{{- end }} -{{- else if contains "NodePort" .Values.service.type }} - - Get the Kubernetes node IP by using the following command - export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}") - - Access the Kong proxy by using the following commands - - export PROXY_NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "common.names.fullname" . }}) - echo http://$NODE_IP:$PROXY_NODE_PORT - - {{- if .Values.service.exposeAdmin }} - - Access the Kong admin by using the following commands - - export ADMIN_NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[2].nodePort}" services {{ include "common.names.fullname" . }}) - echo http://$NODE_IP:$ADMIN_NODE_PORT - - {{- end }} -{{- else if contains "LoadBalancer" .Values.service.type }} - - NOTE: It may take a few minutes for the LoadBalancer IP to be available. - You can watch the status of by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "common.names.fullname" . }}' - export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "common.names.fullname" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}') - echo http://$SERVICE_IP:{{ .Values.service.proxyHttpPort }} -{{- else if contains "ClusterIP" .Values.service.type }} - - Access the Kong proxy by using the following commands - - echo "Browse to http://127.0.0.1:8000" - kubectl port-forward svc/{{ include "common.names.fullname" . 
}} 8080:{{ .Values.service.proxyHttpPort }} & - - Access the Kong admin by using the following commands - - echo "Browse to http://127.0.0.1:8001" - {{- if .Values.service.exposeAdmin }} - kubectl port-forward svc/{{ include "common.names.fullname" . }} 8001:{{ .Values.service.adminHttpPort }} & - {{- else }} - export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name:{{ include "common.names.name" . }},app.kubernetes.io/instance:{{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") - - kubectl port-forward pod/$POD_NAME 8001:8001 & - {{- end }} -{{- end }} - -{{- if .Values.ingressController.enabled }} - - The Kong Ingress Controller was deployed as part of the Kong pods. The following objects are available in the Kubernetes API: - - kubectl get kongconsumers - kubectl get kongcredentials - kubectl get kongingresses - kubectl get kongplugins - -{{- end }} - -{{- include "common.warnings.rollingTag" .Values.image }} -{{- if .Values.ingressController.enabled }} -{{- include "common.warnings.rollingTag" .Values.ingressController.image }} -{{- end }} - -{{- $passwordValidationErrors := list }} - -If you want to upgrade the installation you will need to re-set the database credentials. Execute the following command -{{- if eq .Values.database "postgresql" }} -{{- $dbSecretName := include "kong.postgresql.secretName" . -}} -{{- $dbPasswordValidationErrors := include "common.validations.values.postgresql.passwords" (dict "secret" $dbSecretName "subchart" true "context" $) -}} -{{- $passwordValidationErrors = append $passwordValidationErrors $dbPasswordValidationErrors -}} - - kubectl get secret --namespace {{ .Release.Namespace }} {{ include "kong.postgresql.secretName" . }} -o jsonpath="{.data.postgresql-password}" | base64 --decode -{{- else }} - {{- $dbSecretName := include "kong.cassandra.secretName" . 
-}} - {{- $dbPasswordValidationErrors := include "common.validations.values.cassandra.passwords" (dict "secret" $dbSecretName "subchart" true "context" $) -}} - {{- $passwordValidationErrors = append $passwordValidationErrors $dbPasswordValidationErrors -}} - - kubectl get secret --namespace {{ .Release.Namespace }} {{ include "kong.cassandra.secretName" . }} -o jsonpath="{.data.cassandra-password}" | base64 --decode -{{- end }} - -{{- if .Values.service.exposeAdmin }} - -WARNING: You made the Kong admin {{ if contains "ClusterIP" .Values.service.type }}accessible from other pods in the cluster{{ else }}externally accessible{{- end }}. We do not recommend this configuration in production. For accessing the admin, using pod port-forwarding or using the Kong Ingress Controller is preferred. -{{- end }} - -{{ include "kong.validateValues" . }} -{{- include "common.errors.upgrade.passwords.empty" (dict "validationErrors" $passwordValidationErrors "context" $) -}} diff --git a/packages/helm-charts/kong/templates/_helpers.tpl b/packages/helm-charts/kong/templates/_helpers.tpl deleted file mode 100644 index 67b5ea3a98..0000000000 --- a/packages/helm-charts/kong/templates/_helpers.tpl +++ /dev/null 
@@ -1,217 +0,0 @@ -{{/* -Return the proper kong image name -*/}} -{{- define "kong.image" -}} -{{ include "common.images.image" (dict "imageRoot" .Values.image "global" .Values.global) }} -{{- end -}} - -{{/* -Return the proper kong image name -*/}} -{{- define "kong.ingress-controller.image" -}} -{{ include "common.images.image" (dict "imageRoot" .Values.ingressController.image "global" .Values.global) }} -{{- end -}} - -{{/* -Return the proper kong migration image name -*/}} -{{- define "kong.migration.image" -}} -{{- if .Values.migration.image -}} -{{ include "common.images.image" (dict "imageRoot" .Values.migration.image "global" .Values.global) }} -{{- else -}} -{{- template "kong.image" . -}} -{{- end -}} -{{- end -}} - -{{/* -Create a default fully qualified app name. -We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). -*/}} -{{- define "kong.postgresql.fullname" -}} -{{- printf "%s-%s" .Release.Name "postgresql" | trunc 63 | trimSuffix "-" -}} -{{- end -}} - -{{/* -Create a default fully qualified app name. -We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). -*/}} -{{- define "kong.cassandra.fullname" -}} -{{- printf "%s-%s" .Release.Name "cassandra" | trunc 63 | trimSuffix "-" -}} -{{- end -}} - -{{/* -Get Cassandra port -*/}} -{{- define "kong.cassandra.port" -}} -{{- if .Values.cassandra.enabled -}} -{{- .Values.cassandra.service.port -}} -{{- else -}} -{{- .Values.cassandra.external.port -}} -{{- end -}} -{{- end -}} - -{{/* -Get Cassandra contact points -*/}} -{{- define "kong.cassandra.contactPoints" -}} -{{- $global := . 
-}} -{{- if .Values.cassandra.enabled -}} - {{- $replicas := int .Values.cassandra.cluster.replicaCount -}} - {{- $domain := .Values.clusterDomain -}} - {{- range $i, $e := until $replicas }} - {{- include "kong.cassandra.fullname" $global }}-{{ $i }}.{{ include "kong.cassandra.fullname" $global }}-headless.{{ $global.Release.Namespace }}.svc.{{ $domain }} - {{- if (lt ( add1 $i ) $replicas ) -}} - , - {{- end -}} - {{- end -}} -{{- else -}} - {{- $replicas := len .Values.cassandra.external.hosts -}} - {{- range $i, $e := until $replicas }} - {{- index $global.Values.cassandra.external.hosts $i -}} - {{- if (lt ( add1 $i ) $replicas ) -}} - , - {{- end -}} - {{- end -}} -{{- end -}} -{{- end -}} - -{{/* -Get PostgreSQL host -*/}} -{{- define "kong.postgresql.host" -}} -{{- if .Values.postgresql.enabled -}} - {{- template "kong.postgresql.fullname" . -}} -{{- else -}} - {{ .Values.postgresql.external.host }} -{{- end -}} -{{- end -}} - -{{/* -Get PostgreSQL user -*/}} -{{- define "kong.postgresql.user" -}} -{{- if .Values.postgresql.enabled -}} - {{- .Values.postgresql.postgresqlUsername -}} -{{- else -}} - {{ .Values.postgresql.external.user }} -{{- end -}} -{{- end -}} - -{{/* -Get Cassandra user -*/}} -{{- define "kong.cassandra.user" -}} -{{- if .Values.postgresql.enabled -}} - {{- .Values.cassandra.dbUser.user -}} -{{- else -}} - {{ .Values.cassandra.external.user }} -{{- end -}} -{{- end -}} - -{{/* -Get Cassandra secret -*/}} -{{- define "kong.cassandra.secretName" -}} -{{- if .Values.cassandra.existingSecret -}} - {{- .Values.cassandra.existingSecret -}} -{{- else if .Values.cassandra.enabled }} - {{- template "kong.cassandra.fullname" . -}} -{{- else -}} - {{- printf "%s-external-secret" ( include "common.names.fullname" . 
) -}} -{{- end -}} -{{- end -}} - -{{/* -Get PostgreSQL secret -*/}} -{{- define "kong.postgresql.secretName" -}} -{{- if .Values.postgresql.existingSecret -}} - {{- .Values.postgresql.existingSecret -}} -{{- else if .Values.postgresql.enabled }} - {{- template "kong.postgresql.fullname" . -}} -{{- else -}} - {{- printf "%s-external-secret" ( include "common.names.fullname" . ) -}} -{{- end -}} -{{- end -}} - -{{/* -Return the proper Docker Image Registry Secret Names -*/}} -{{- define "kong.imagePullSecrets" -}} -{{ include "common.images.pullSecrets" (dict "images" (list .Values.image .Values.ingressController.image) "global" .Values.global) }} -{{- end -}} - -{{/* -Return true if a secret for a external database should be created -*/}} -{{- define "kong.createExternalDBSecret" -}} -{{- if and (not .Values.postgresql.enabled) (not .Values.cassandra.enabled) (not .Values.cassandra.existingSecret) (not .Values.postgresql.existingSecret) -}} - {{- true -}} -{{- end -}} -{{- end -}} - -{{/* -Get proper service account -*/}} -{{- define "kong.serviceAccount" -}} -{{- if .Values.ingressController.rbac.existingServiceAccount -}} -{{ .Values.ingressController.rbac.existingServiceAccount }} -{{- else -}} -{{- include "common.names.fullname" . -}} -{{- end -}} -{{- end -}} - -{{/* -Validate values for kong. -*/}} -{{- define "kong.validateValues" -}} -{{- $messages := list -}} -{{- $messages := append $messages (include "kong.validateValues.database" .) -}} -{{- $messages := append $messages (include "kong.validateValues.rbac" .) 
-}} -{{- $messages := without $messages "" -}} -{{- $message := join "\n" $messages -}} - -{{- if $message -}} -{{- printf "\nVALUES VALIDATION:\n%s" $message -}} -{{- end -}} -{{- end -}} - -{{/* -Function to validate the RBAC -*/}} -{{- define "kong.validateValues.rbac" -}} -{{- if and .Values.ingressController.enabled (not .Values.ingressController.rbac.existingServiceAccount) (not .Values.ingressController.rbac.create) -}} -INVALID RBAC: You enabled the Kong Ingress Controller sidecar without creating RBAC objects and not -specifying an existing Service Account. Specify an existing Service Account in ingressController.rbac.existingServiceAccount -or allow the chart to create the proper RBAC objects with ingressController.rbac.create -{{- end -}} -{{- end -}} -{{/* -Function to validate the external database -*/}} -{{- define "kong.validateValues.database" -}} - -{{- if and (not (eq .Values.database "postgresql")) (not (eq .Values.database "cassandra")) -}} -INVALID DATABASE: The value "{{ .Values.database }}" is not allowed for the "database" value. It -must be one either "postgresql" or "cassandra". -{{- end }} - -{{- if and (eq .Values.database "postgresql") (not .Values.postgresql.enabled) (not .Values.postgresql.external.host) -}} -NO DATABASE: You disabled the Cassandra sub-chart but did not specify external Cassandra hosts. Either deploy the PostgreSQL sub-chart by setting cassandra.enabled=true or set a value for cassandra.external.hosts. -{{- end }} - -{{- if and (eq .Values.database "postgresql") (not .Values.postgresql.enabled) (not .Values.postgresql.external.host) -}} -NO DATABASE: You disabled the PostgreSQL sub-chart but did not specify an external PostgreSQL host. Either deploy the PostgreSQL sub-chart by setting postgresql.enabled=true or set a value for postgresql.external.host. 
-{{- end }} - - -{{- if and (eq .Values.database "postgresql") .Values.postgresql.enabled .Values.postgresql.external.host -}} -CONFLICT: You specified to deploy the PostgreSQL sub-chart and also specified an external -PostgreSQL instance. Only one of postgresql.enabled (deploy sub-chart) and postgresql.external.host can be set -{{- end }} - -{{- if and (eq .Values.database "cassandra") .Values.cassandra.enabled .Values.cassandra.external.hosts -}} -CONFLICT: You specified to deploy the Cassandra sub-chart and also specified external -Cassandra hosts. Only one of cassandra.enabled (deploy sub-chart) and cassandra.external.hosts can be set -{{- end }} -{{- end -}} diff --git a/packages/helm-charts/kong/templates/dep-ds.yaml b/packages/helm-charts/kong/templates/dep-ds.yaml deleted file mode 100644 index c24a738576..0000000000 --- a/packages/helm-charts/kong/templates/dep-ds.yaml +++ /dev/null 
@@ -1,359 +0,0 @@ -apiVersion: {{ include "common.capabilities.deployment.apiVersion" . }} -{{- if .Values.useDaemonset }} -kind: DaemonSet -{{- else }} -kind: Deployment -{{- end }} -metadata: - name: {{ include "common.names.fullname" . }} - namespace: {{ .Release.Namespace }} - labels: {{- include "common.labels.standard" . | nindent 4 }} - app.kubernetes.io/component: server - {{- if .Values.commonLabels }} - {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} - {{- end }} - {{- if .Values.commonAnnotations }} - annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} - {{- end }} -spec: - {{- if not .Values.useDaemonset }} - replicas: {{ .Values.replicaCount }} - {{- end }} - selector: - matchLabels: {{- include "common.labels.matchLabels" . | nindent 6 }} - app.kubernetes.io/component: server - {{- if .Values.updateStrategy }} - {{- if .Values.useDaemonset }} - updateStrategy: {{- toYaml .Values.updateStrategy | nindent 4 }} - {{- else }} - strategy: {{- toYaml .Values.updateStrategy | nindent 4 }} - {{- end }} - {{- end }} - template: - metadata: - labels: {{- include "common.labels.standard" . | nindent 8 }} - app.kubernetes.io/component: server - {{- if .Values.podLabels }} - {{- include "common.tplvalues.render" (dict "value" .Values.podLabels "context" $) | nindent 8 }} - {{- end }} - annotations: - {{- if (include "kong.createExternalDBSecret" .) }} - checksum/secret: {{ include (print $.Template.BasePath "/external-database-secret.yaml") . | sha256sum }} - {{- end }} - checksum/configmap-kong: {{ include (print $.Template.BasePath "/kong-script-configmap.yaml") . | sha256sum }} - {{- if .Values.metrics.enabled }} - checksum/configmap-metrics-plugin: {{ include (print $.Template.BasePath "/metrics-script-configmap.yaml") . 
| sha256sum }} - {{- end }} - {{- if .Values.podAnnotations }} - {{- include "common.tplvalues.render" (dict "value" .Values.podAnnotations "context" $) | nindent 8 }} - {{- end }} - spec: - {{- if .Values.hostAliases }} - hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.hostAliases "context" $) | nindent 8 }} - {{- end }} - {{- if .Values.ingressController.enabled }} - serviceAccountName: {{ include "kong.serviceAccount" . }} - {{- end }} - {{- if .Values.podSecurityContext }} - securityContext: {{- include "common.tplvalues.render" (dict "value" .Values.podSecurityContext "context" $) | nindent 8 }} - {{- end }} - {{- include "kong.imagePullSecrets" . | nindent 6 }} - {{- if .Values.schedulerName }} - schedulerName: {{ .Values.schedulerName | quote }} - {{- end }} - {{- if .Values.affinity }} - affinity: {{- include "common.tplvalues.render" (dict "value" .Values.affinity "context" $) | nindent 8 }} - {{- else }} - affinity: - podAffinity: {{- include "common.affinities.pods" (dict "type" .Values.podAffinityPreset "component" "server" "context" $) | nindent 10 }} - podAntiAffinity: {{- include "common.affinities.pods" (dict "type" .Values.podAntiAffinityPreset "component" "server" "context" $) | nindent 10 }} - nodeAffinity: {{- include "common.affinities.nodes" (dict "type" .Values.nodeAffinityPreset.type "key" .Values.nodeAffinityPreset.key "values" .Values.nodeAffinityPreset.values) | nindent 10 }} - {{- end }} - {{- if .Values.nodeSelector }} - nodeSelector: {{- include "common.tplvalues.render" (dict "value" .Values.nodeSelector "context" $) | nindent 8 }} - {{- end }} - {{- if .Values.tolerations }} - tolerations: {{- include "common.tplvalues.render" (dict "value" .Values.tolerations "context" $) | nindent 8 }} - {{- end }} - {{- if .Values.initContainers }} - initContainers: {{- include "common.tplvalues.render" (dict "value" .Values.initContainers "context" $) | nindent 8 }} - {{- end }} - containers: - - name: kong - image: {{ 
template "kong.image" . }} - imagePullPolicy: {{ .Values.image.pullPolicy }} - {{- if .Values.containerSecurityContext }} - securityContext: {{- include "common.tplvalues.render" (dict "value" .Values.containerSecurityContext "context" $) | nindent 12 }} - {{- end }} - {{- if .Values.kong.command }} - command: {{- include "common.tplvalues.render" (dict "value" .Values.kong.command "context" $) | nindent 12 }} - {{- end }} - {{- if .Values.kong.args }} - args: {{- include "common.tplvalues.render" (dict "value" .Values.kong.args "context" $) | nindent 12 }} - {{- end }} - {{- if not .Values.kong.lifecycleHooks }} - lifecycle: - preStop: - exec: - command: - - /bin/sh - - -c - - kong quit - {{ else }} - lifecycle: {{- include "common.tplvalues.render" (dict "value" .Values.kong.lifecycleHooks "context" $) | nindent 12 }} - {{- end }} - env: - {{- if .Values.service.exposeAdmin }} - - name: KONG_ADMIN_LISTEN_ADDRESS - value: "0.0.0.0" - {{- end }} - {{- if (eq .Values.database "postgresql") }} - - name: KONG_DATABASE - value: "postgres" - {{- if .Values.postgresql.usePasswordFile }} - - name: KONG_POSTGRESQL_PASSWORD_FILE - value: "/bitnami/kong/secrets/postgresql-password" - {{- else }} - - name: KONG_PG_PASSWORD - valueFrom: - secretKeyRef: - name: {{ include "kong.postgresql.secretName" . }} - key: postgresql-password - {{- end }} - - name: KONG_PG_HOST - value: {{ include "kong.postgresql.host" . }} - - name: KONG_PG_USER - value: {{ include "kong.postgresql.user" . }} - {{- end }} - {{- if (eq .Values.database "cassandra") }} - - name: KONG_DATABASE - value: "cassandra" - {{- if .Values.cassandra.usePasswordFile }} - - name: KONG_CASSANDRA_PASSWORD_FILE - value: "/bitnami/kong/secrets/cassandra-password" - {{- else }} - - name: KONG_CASSANDRA_PASSWORD - valueFrom: - secretKeyRef: - name: {{ include "kong.cassandra.secretName" . }} - key: cassandra-password - {{- end }} - - name: KONG_CASSANDRA_CONTACT_POINTS - value: {{ include "kong.cassandra.contactPoints" . 
}} - - name: KONG_CASSANDRA_PORT - value: {{ include "kong.cassandra.port" . | quote }} - - name: KONG_CASSANDRA_USER - value: {{ include "kong.cassandra.user" . | quote }} - {{- end }} - {{- if .Values.metrics.enabled }} - - name: KONG_NGINX_HTTP_INCLUDE - value: "/bitnami/kong/metrics-exporter/exporter.conf" - {{- end }} - {{- if .Values.kong.extraEnvVars }} - {{- include "common.tplvalues.render" (dict "value" .Values.kong.extraEnvVars "context" $) | nindent 12 }} - {{- end }} - {{- if or .Values.kong.extraEnvVarsCM .Values.kong.extraEnvVarsSecret }} - envFrom: - {{- if .Values.kong.extraEnvVarsCM }} - - configMapRef: - name: {{ .Values.kong.extraEnvVarsCM }} - {{- end }} - {{- if .Values.kong.extraEnvVarsSecret }} - - secretRef: - name: {{ .Values.kong.extraEnvVarsSecret }} - {{- end }} - {{- end }} - ports: - - name: http-proxy - containerPort: 8000 - protocol: TCP - - name: https-proxy - containerPort: 8443 - protocol: TCP - - name: http-admin - containerPort: 8001 - protocol: TCP - - name: https-admin - containerPort: 8444 - protocol: TCP - {{- if .Values.metrics.enabled }} - - name: http-metrics - containerPort: {{ .Values.metrics.service.port }} - protocol: TCP - {{- end }} - {{- if .Values.kong.livenessProbe.enabled }} - livenessProbe: - exec: - command: - - /bin/bash - - -ec - - /health/kong-container-health.sh - initialDelaySeconds: {{ .Values.kong.livenessProbe.initialDelaySeconds }} - periodSeconds: {{ .Values.kong.livenessProbe.periodSeconds }} - timeoutSeconds: {{ .Values.kong.livenessProbe.timeoutSeconds }} - failureThreshold: {{ .Values.kong.livenessProbe.failureThreshold }} - successThreshold: {{ .Values.kong.livenessProbe.successThreshold }} - {{- else if .Values.kong.customLivenessProbe }} - livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.kong.customLivenessProbe "context" $) | nindent 12 }} - {{- end }} - {{- if .Values.kong.readinessProbe.enabled }} - readinessProbe: - exec: - command: - - /bin/bash - - -ec - - 
/health/kong-container-health.sh - initialDelaySeconds: {{ .Values.kong.readinessProbe.initialDelaySeconds }} - periodSeconds: {{ .Values.kong.readinessProbe.periodSeconds }} - timeoutSeconds: {{ .Values.kong.readinessProbe.timeoutSeconds }} - failureThreshold: {{ .Values.kong.readinessProbe.failureThreshold }} - successThreshold: {{ .Values.kong.readinessProbe.successThreshold }} - {{- else if .Values.kong.customReadinessProbe }} - readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.kong.customReadinessProbe "context" $) | nindent 12 }} - {{- end }} - {{- if .Values.kong.resources }} - resources: {{- toYaml .Values.kong.resources | nindent 12 }} - {{- end }} - volumeMounts: - - name: health - mountPath: /health - {{- if .Values.metrics.enabled }} - - name: metrics-init-scripts - mountPath: /docker-entrypoint-initdb.d/metrics-init - - name: metrics-server-block - mountPath: "/bitnami/kong/metrics-exporter" - {{ end }} - {{- if .Values.kong.initScriptsCM }} - - name: custom-init-scripts-cm - mountPath: /docker-entrypoint-initdb.d/cm - {{- end }} - {{- if .Values.kong.initScriptsSecret }} - - name: custom-init-scripts-secret - mountPath: /docker-entrypoint-initdb.d/secret - {{- end }} - {{- if .Values.kong.extraVolumeMounts }} - {{- include "common.tplvalues.render" (dict "value" .Values.kong.extraVolumeMounts "context" $) | nindent 12 }} - {{- end }} - {{- if .Values.ingressController.enabled }} - - name: kong-ingress-controller - image: {{ template "kong.ingress-controller.image" . 
}} - imagePullPolicy: {{ .Values.ingressController.image.pullPolicy }} - {{- if .Values.containerSecurityContext }} - securityContext: {{- include "common.tplvalues.render" (dict "value" .Values.containerSecurityContext "context" $) | nindent 12 }} - {{- end }} - {{- if .Values.ingressController.args }} - command: {{- include "common.tplvalues.render" (dict "value" .Values.ingressController.command "context" $) | nindent 12 }} - {{- else }} - command: - - bash - - -ec - - /health/ingress-container-start.sh - {{- end }} - {{- if .Values.ingressController.args }} - args: {{- include "common.tplvalues.render" (dict "value" .Values.ingressController.args "context" $) | nindent 12 }} - {{- end }} - env: - - name: CONTROLLER_KONG_ADMIN_URL - value: http://127.0.0.1:8001 - - name: CONTROLLER_PUBLISH_SERVICE - value: {{ printf "%s/%s" .Release.Namespace (include "common.names.fullname" .) | quote }} - - name: CONTROLLER_INGRESS_CLASS - value: {{ .Values.ingressController.ingressClass }} - - name: CONTROLLER_ELECTION_ID - value: {{ printf "kong-ingress-controller-leader-%s" .Values.ingressController.ingressClass }} - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - {{- if .Values.ingressController.extraEnvVars }} - {{- include "common.tplvalues.render" (dict "value" .Values.ingressController.extraEnvVars "context" $) | nindent 12 }} - {{- end }} - {{- if or .Values.ingressController.extraEnvVarsCM .Values.ingressController.extraEnvVarsSecret }} - envFrom: - {{- if .Values.ingressController.extraEnvVarsCM }} - - configMapRef: - name: {{ .Values.ingressController.extraEnvVarsCM }} - {{- end }} - {{- if .Values.ingressController.extraEnvVarsSecret }} - - secretRef: - name: {{ .Values.ingressController.extraEnvVarsSecret }} - {{- end }} - {{- end }} - ports: - - name: http-health - containerPort: 10254 - protocol: TCP - {{- if .Values.ingressController.livenessProbe.enabled }} 
- livenessProbe: - httpGet: - path: "/healthz" - port: http-health - scheme: HTTP - initialDelaySeconds: {{ .Values.ingressController.livenessProbe.initialDelaySeconds }} - periodSeconds: {{ .Values.ingressController.livenessProbe.periodSeconds }} - timeoutSeconds: {{ .Values.ingressController.livenessProbe.timeoutSeconds }} - failureThreshold: {{ .Values.ingressController.livenessProbe.failureThreshold }} - successThreshold: {{ .Values.ingressController.livenessProbe.successThreshold }} - {{- else if .Values.ingressController.customLivenessProbe }} - livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.ingressController.customLivenessProbe "context" $) | nindent 12 }} - {{- end }} - {{- if .Values.ingressController.readinessProbe.enabled }} - readinessProbe: - httpGet: - path: "/healthz" - port: http-health - scheme: HTTP - initialDelaySeconds: {{ .Values.ingressController.readinessProbe.initialDelaySeconds }} - periodSeconds: {{ .Values.ingressController.readinessProbe.periodSeconds }} - timeoutSeconds: {{ .Values.ingressController.readinessProbe.timeoutSeconds }} - failureThreshold: {{ .Values.ingressController.readinessProbe.failureThreshold }} - successThreshold: {{ .Values.ingressController.readinessProbe.successThreshold }} - {{- else if .Values.ingressController.customReadinessProbe }} - readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.ingressController.customReadinessProbe "context" $) | nindent 12 }} - {{- end }} - {{- if .Values.ingressController.resources }} - resources: {{- toYaml .Values.ingressController.resources | nindent 12 }} - {{- end }} - volumeMounts: - - name: health - mountPath: /health - {{- if .Values.ingressController.extraVolumeMounts }} - {{- include "common.tplvalues.render" (dict "value" .Values.ingressController.extraVolumeMounts "context" $) | nindent 12 }} - {{- end }} - {{- end }} - {{- if .Values.sidecars }} - {{- include "common.tplvalues.render" (dict "value" .Values.sidecars 
"context" $) | nindent 8 }} - {{- end }} - volumes: - - name: health - configMap: - name: {{ template "common.names.fullname" . }}-scripts - defaultMode: 0755 - {{- if .Values.metrics.enabled }} - - name: metrics-init-scripts - configMap: - name: {{ template "common.names.fullname" . }}-metrics-scripts - defaultMode: 0755 - - name: metrics-server-block - configMap: - name: {{ template "common.names.fullname" . }}-metrics-exporter - {{- end }} - {{- if .Values.kong.initScriptsCM }} - - name: custom-init-scripts-cm - configMap: - name: {{ .Values.kong.initScriptsCM }} - defaultMode: 0755 - {{- end }} - {{- if .Values.kong.initScriptsSecret }} - - name: custom-init-scripts-secret - secret: - secretName: {{ .Values.kong.initScriptsSecret }} - defaultMode: 0755 - {{- end }} - {{- if .Values.extraVolumes }} - {{- include "common.tplvalues.render" (dict "value" .Values.extraVolumes "context" $) | nindent 8 }} - {{- end }} diff --git a/packages/helm-charts/kong/templates/external-database-secret.yaml b/packages/helm-charts/kong/templates/external-database-secret.yaml deleted file mode 100644 index 35755dc716..0000000000 --- a/packages/helm-charts/kong/templates/external-database-secret.yaml +++ /dev/null 
@@ -1,23 +0,0 @@
-{{- if (include "kong.createExternalDBSecret" .) }}
-apiVersion: v1
-kind: Secret
-metadata:
- name: {{ include "common.names.fullname" . }}-external-secret
- namespace: {{ .Release.Namespace }}
- labels: {{- include "common.labels.standard" . | nindent 4 }}
- app.kubernetes.io/component: server
- {{- if .Values.commonLabels }}
- {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
- {{- end }}
- {{- if .Values.commonAnnotations }}
- annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
- {{- end }}
-type: Opaque
-data:
- {{- if .Values.cassandra.external.password }}
- cassandra-password: {{ .Values.cassandra.external.password | b64enc | quote }}
- {{- end }}
- {{- if .Values.postgresql.external.password }}
- postgresql-password: {{ .Values.postgresql.external.password | b64enc | quote }}
- {{- end }}
-{{- end }}
diff --git a/packages/helm-charts/kong/templates/extra-list.yaml b/packages/helm-charts/kong/templates/extra-list.yaml
deleted file mode 100644
index 9ac65f9e16..0000000000
--- a/packages/helm-charts/kong/templates/extra-list.yaml
+++ /dev/null
@@ -1,4 +0,0 @@
-{{- range .Values.extraDeploy }}
----
-{{ include "common.tplvalues.render" (dict "value" . "context" $) }}
-{{- end }}
diff --git a/packages/helm-charts/kong/templates/hpa.yaml b/packages/helm-charts/kong/templates/hpa.yaml
deleted file mode 100644
index 9b3abb6e0a..0000000000
--- a/packages/helm-charts/kong/templates/hpa.yaml
+++ /dev/null
@@ -1,24 +0,0 @@
-{{- if .Values.autoscaling.enabled }}
-apiVersion: {{ .Values.autoscaling.apiVersion }}
-kind: HorizontalPodAutoscaler
-metadata:
- name: {{ include "common.names.fullname" . }}
- namespace: {{ .Release.Namespace }}
- labels: {{- include "common.labels.standard" . | nindent 4 }}
- app.kubernetes.io/component: server
- {{- if .Values.commonLabels }}
- {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
- {{- end }}
- {{- if .Values.commonAnnotations }}
- annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
- {{- end }}
-spec:
- scaleTargetRef:
- apiVersion: {{ include "common.capabilities.deployment.apiVersion" . }}
- kind: Deployment
- name: {{ include "common.names.fullname" . }}
- minReplicas: {{ .Values.autoscaling.minReplicas }}
- maxReplicas: {{ .Values.autoscaling.maxReplicas }}
- metrics:
- {{- include "common.tplvalues.render" (dict "value" .Values.autoscaling.metrics "context" $) | nindent 4 }}
-{{- end }}
diff --git a/packages/helm-charts/kong/templates/ingress-controller-rbac.yaml b/packages/helm-charts/kong/templates/ingress-controller-rbac.yaml
deleted file mode 100644
index 0ecac2238f..0000000000
--- a/packages/helm-charts/kong/templates/ingress-controller-rbac.yaml
+++ /dev/null
@@ -1,187 +0,0 @@
-{{- if and .Values.ingressController.rbac.create .Values.ingressController.enabled }}
-apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }}
-kind: Role
-metadata:
- name: {{ include "common.names.fullname" . }}
- namespace: {{ .Release.Namespace }}
- labels: {{- include "common.labels.standard" . | nindent 4 }}
- app.kubernetes.io/component: server
- {{- if .Values.commonLabels }}
- {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
- {{- end }}
- {{- if .Values.commonAnnotations }}
- annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
- {{- end }}
-rules:
- - apiGroups:
- - ""
- resources:
- - configmaps
- - pods
- - secrets
- - namespaces
- verbs:
- - get
- - apiGroups:
- - ""
- resources:
- - configmaps
- resourceNames:
- - "kong-ingress-controller-leader-{{ .Values.ingressController.ingressClass }}-{{ .Values.ingressController.ingressClass }}"
- verbs:
- - get
- - update
- - apiGroups:
- - ""
- resources:
- - configmaps
- verbs:
- - create
- - apiGroups:
- - ""
- resources:
- - endpoints
- verbs:
- - get
----
-apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }}
-kind: RoleBinding
-metadata:
- name: {{ template "common.names.fullname" . }}
- namespace: {{ .Release.Namespace }}
- labels: {{- include "common.labels.standard" . | nindent 4 }}
- app.kubernetes.io/component: server
- {{- if .Values.commonLabels }}
- {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
- {{- end }}
- {{- if .Values.commonAnnotations }}
- annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
- {{- end }}
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: Role
- name: {{ template "common.names.fullname" . }}
-subjects:
- - kind: ServiceAccount
- name: {{ template "kong.serviceAccount" . }}
- namespace: {{ .Release.Namespace }}
----
-apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }}
-kind: ClusterRole
-metadata:
- labels: {{- include "common.labels.standard" . | nindent 4 }}
- app.kubernetes.io/component: server
- {{- if .Values.commonLabels }}
- {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
- {{- end }}
- {{- if .Values.commonAnnotations }}
- annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
- {{- end }}
- name: {{ template "common.names.fullname" . }}
-rules:
- - apiGroups:
- - ""
- resources:
- - endpoints
- - nodes
- - pods
- - secrets
- verbs:
- - list
- - watch
- - apiGroups:
- - ""
- resources:
- - nodes
- verbs:
- - get
- - apiGroups:
- - ""
- resources:
- - services
- verbs:
- - get
- - list
- - watch
- - apiGroups:
- - "extensions"
- - "networking.k8s.io"
- - "networking.internal.knative.dev"
- resources:
- - ingresses
- verbs:
- - get
- - list
- - watch
- - apiGroups:
- - ""
- resources:
- - events
- verbs:
- - create
- - patch
- - apiGroups:
- - "extensions"
- - "networking.k8s.io"
- - "networking.internal.knative.dev"
- resources:
- - ingresses/status
- verbs:
- - update
- - apiGroups:
- - "configuration.konghq.com"
- resources:
- - tcpingresses/status
- verbs:
- - update
- - apiGroups:
- - "configuration.konghq.com"
- resources:
- - kongplugins
- - kongclusterplugins
- - kongcredentials
- - kongconsumers
- - kongingresses
- - tcpingresses
- verbs:
- - get
- - list
- - watch
----
-apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }}
-kind: ClusterRoleBinding
-metadata:
- name: {{ template "common.names.fullname" . }}
- labels: {{- include "common.labels.standard" . | nindent 4 }}
- app.kubernetes.io/component: server
- {{- if .Values.commonLabels }}
- {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
- {{- end }}
- {{- if .Values.commonAnnotations }}
- annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
- {{- end }}
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: {{ template "common.names.fullname" . }}
-subjects:
- - kind: ServiceAccount
- name: {{ template "kong.serviceAccount" . }}
- namespace: {{ .Release.Namespace }}
----
-{{- if not .Values.ingressController.rbac.existingServiceAccount }}
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: {{ template "common.names.fullname" . }}
- namespace: {{ .Release.Namespace }}
- labels: {{- include "common.labels.standard" . | nindent 4 }}
- app.kubernetes.io/component: server
- {{- if .Values.commonLabels }}
- {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
- {{- end }}
- {{- if .Values.commonAnnotations }}
- annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
- {{- end }}
-{{- end }}
-{{- end }}
diff --git a/packages/helm-charts/kong/templates/ingress.yaml b/packages/helm-charts/kong/templates/ingress.yaml
deleted file mode 100644
index 0210d8edad..0000000000
--- a/packages/helm-charts/kong/templates/ingress.yaml
+++ /dev/null
@@ -1,58 +0,0 @@
-{{- if .Values.ingress.enabled -}}
-apiVersion: {{ template "common.capabilities.ingress.apiVersion" . }}
-kind: Ingress
-metadata:
- name: {{ include "common.names.fullname" . }}
- namespace: {{ .Release.Namespace }}
- labels: {{- include "common.labels.standard" . | nindent 4 }}
- app.kubernetes.io/component: server
- {{- if .Values.commonLabels }}
- {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
- {{- end }}
- annotations:
- {{- if .Values.ingress.certManager }}
- kubernetes.io/tls-acme: "true"
- {{- end }}
- {{- if .Values.ingress.annotations }}
- {{- include "common.tplvalues.render" (dict "value" .Values.ingress.annotations "context" $) | nindent 4 }}
- {{- end }}
- {{- if .Values.commonAnnotations }}
- {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
- {{- end }}
-spec:
- rules:
- {{- if .Values.ingress.hostname }}
- - host: {{ .Values.ingress.hostname }}
- http:
- paths:
- {{- if .Values.ingress.extraPaths }}
- {{- toYaml .Values.ingress.extraPaths | nindent 10 }}
- {{- end }}
- - path: {{ .Values.ingress.path }}
- {{- if eq "true" (include "common.ingress.supportsPathType" .) }}
- pathType: {{ .Values.ingress.pathType }}
- {{- end }}
- backend: {{- include "common.ingress.backend" (dict "serviceName" (include "common.names.fullname" .) "servicePort" "http-proxy" "context" $) | nindent 14 }}
- {{- end }}
- {{- range .Values.ingress.extraHosts }}
- - host: {{ .name | quote }}
- http:
- paths:
- - path: {{ default "/" .path }}
- {{- if eq "true" (include "common.ingress.supportsPathType" $) }}
- pathType: {{ default "ImplementationSpecific" .pathType }}
- {{- end }}
- backend: {{- include "common.ingress.backend" (dict "serviceName" (include "common.names.fullname" $) "servicePort" "http-proxy" "context" $) | nindent 14 }}
- {{- end }}
- {{- if or .Values.ingress.tls .Values.ingress.extraTls }}
- tls:
- {{- if .Values.ingress.tls }}
- - hosts:
- - {{ .Values.ingress.hostname }}
- secretName: {{ printf "%s-tls" .Values.ingress.hostname }}
- {{- end }}
- {{- if .Values.ingress.extraTls }}
- {{- include "common.tplvalues.render" ( dict "value" .Values.ingress.extraTls "context" $ ) | nindent 4 }}
- {{- end }}
- {{- end }}
-{{- end }}
diff --git a/packages/helm-charts/kong/templates/kong-prometheus-role.yaml b/packages/helm-charts/kong/templates/kong-prometheus-role.yaml
deleted file mode 100644
index 36e85ef122..0000000000
--- a/packages/helm-charts/kong/templates/kong-prometheus-role.yaml
+++ /dev/null
@@ -1,11 +0,0 @@
-{{- if and .Values.metrics.enabled .Values.metrics.serviceMonitor.enabled .Values.metrics.serviceMonitor.rbac.create }}
-apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }}
-kind: Role
-metadata:
- name: {{ template "common.names.fullname" . }}-prometheus
- namespace: {{ .Release.Namespace }}
-rules:
-- apiGroups: [""]
- resources: ["endpoints", "services", "pods"]
- verbs: ["get", "list", "watch"]
-{{- end }}
diff --git a/packages/helm-charts/kong/templates/kong-prometheus-rolebinding.yaml b/packages/helm-charts/kong/templates/kong-prometheus-rolebinding.yaml
deleted file mode 100644
index ce4cb8b909..0000000000
--- a/packages/helm-charts/kong/templates/kong-prometheus-rolebinding.yaml
+++ /dev/null
@@ -1,19 +0,0 @@
-{{- if and .Values.metrics.enabled .Values.metrics.serviceMonitor.enabled .Values.metrics.serviceMonitor.rbac.create }}
-apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }}
-kind: RoleBinding
-metadata:
- name: {{ template "common.names.fullname" . }}-prometheus
- namespace: {{ .Release.Namespace }}
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: Role
- name: {{ template "common.names.fullname" . }}-prometheus
-subjects:
- {{- if .Values.metrics.serviceMonitor.namespace }}
- - namespace: {{ .Values.metrics.serviceMonitor.namespace }}
- {{- else }}
- - namespace: {{ .Release.Namespace }}
- {{- end }}
- kind: ServiceAccount
- name: {{ required "A valid .Values.metrics.serviceMonitor.serviceAccount entry required!" .Values.metrics.serviceMonitor.serviceAccount }}
-{{- end }}
diff --git a/packages/helm-charts/kong/templates/kong-script-configmap.yaml b/packages/helm-charts/kong/templates/kong-script-configmap.yaml
deleted file mode 100644
index d20d873ae3..0000000000
--- a/packages/helm-charts/kong/templates/kong-script-configmap.yaml
+++ /dev/null
@@ -1,47 +0,0 @@
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: {{ include "common.names.fullname" . }}-scripts
- namespace: {{ .Release.Namespace }}
- labels: {{- include "common.labels.standard" . | nindent 4 }}
- app.kubernetes.io/component: server
- {{- if .Values.commonLabels }}
- {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
- {{- end }}
- {{- if .Values.commonAnnotations }}
- annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
- {{- end }}
-data:
- kong-container-health.sh: |-
- #!/bin/bash
-
- set -o errexit
- set -o nounset
- set -o pipefail
-
- # Load libraries
- . /opt/bitnami/scripts/libos.sh
- . /opt/bitnami/scripts/libkong.sh
-
- # Load Kong environment variables
- eval "$(kong_env)"
-
- is_kong_running
-
- ingress-container-wait-for-kong.sh: |-
- #!/bin/bash
-
- echo "Waiting for the Kong container to be ready"
- if wait-for-port --timeout={{ .Values.ingressController.proxyReadyTimeout }} --host=127.0.0.1 --state=inuse 8000; then
- echo "Kong container ready"
- else
- echo "Kong not ready after {{ .Values.ingressController.proxyReadyTimeout }} seconds"
- exit 1
- fi
-
- ingress-container-start.sh: |-
- #!/bin/bash
-
- . /health/ingress-container-wait-for-kong.sh
-
- kong-ingress-controller
diff --git a/packages/helm-charts/kong/templates/metrics-exporter-configmap.yaml b/packages/helm-charts/kong/templates/metrics-exporter-configmap.yaml
deleted file mode 100644
index fd99cebad1..0000000000
--- a/packages/helm-charts/kong/templates/metrics-exporter-configmap.yaml
+++ /dev/null
@@ -1,30 +0,0 @@
-{{- if .Values.metrics.enabled -}}
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: {{ include "common.names.fullname" . }}-metrics-exporter
- namespace: {{ .Release.Namespace }}
- labels: {{- include "common.labels.standard" . | nindent 4 }}
- app.kubernetes.io/component: server
- {{- if .Values.commonLabels }}
- {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
- {{- end }}
- {{- if .Values.commonAnnotations }}
- annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
- {{- end }}
-data:
- exporter.conf: |-
- # Prometheus metrics
- server {
- server_name kong_prometheus_exporter;
- listen 0.0.0.0:{{ .Values.metrics.service.port }};
- access_log off;
- location /metrics {
- default_type text/plain;
- content_by_lua_block {
- local prometheus = require "kong.plugins.prometheus.exporter"
- prometheus:collect()
- }
- }
- }
-{{- end }}
diff --git a/packages/helm-charts/kong/templates/metrics-script-configmap.yaml b/packages/helm-charts/kong/templates/metrics-script-configmap.yaml
deleted file mode 100644
index e38816c992..0000000000
--- a/packages/helm-charts/kong/templates/metrics-script-configmap.yaml
+++ /dev/null
@@ -1,36 +0,0 @@
-{{- if .Values.metrics.enabled -}}
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: {{ include "common.names.fullname" . }}-metrics-scripts
- namespace: {{ .Release.Namespace }}
- labels: {{- include "common.labels.standard" . | nindent 4 }}
- app.kubernetes.io/component: server
- {{- if .Values.commonLabels }}
- {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
- {{- end }}
- {{- if .Values.commonAnnotations }}
- annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
- {{- end }}
-data:
- enable-metrics-plugin.sh: |-
- #!/bin/bash
- . /opt/bitnami/scripts/libos.sh
- . /opt/bitnami/scripts/libkong.sh
-
- info "Enabling prometheus plugin"
-
- if curl --silent http://localhost:8001/ | grep -Eo '"prometheus":false' > /dev/null; then
- if ! curl --silent http://localhost:8001/plugins -d name=prometheus; then
- info "Issue enabling prometheus plugin, this could be due to a race condition with another kong node. Checking status"
- fi
- if curl http://localhost:8001/ | grep -Eo '"prometheus":true' > /dev/null; then
- info "Prometheus metrics plugin enabled"
- else
- error "Error enabling Prometheus plugin"
- exit 1
- fi
- else
- info "Prometheus plugin already enabled"
- fi
-{{- end }}
diff --git a/packages/helm-charts/kong/templates/metrics-service.yaml b/packages/helm-charts/kong/templates/metrics-service.yaml
deleted file mode 100644
index ea30093a77..0000000000
--- a/packages/helm-charts/kong/templates/metrics-service.yaml
+++ /dev/null
@@ -1,36 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
- name: {{ include "common.names.fullname" . }}-metrics
- namespace: {{ .Release.Namespace }}
- labels: {{- include "common.labels.standard" . | nindent 4 }}
- app.kubernetes.io/component: server
- {{- if .Values.commonLabels }}
- {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
- {{- end }}
- {{- if or .Values.metrics.service.annotations .Values.commonAnnotations }}
- annotations:
- {{- if .Values.commonAnnotations }}
- {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
- {{- end }}
- {{- if .Values.metrics.service.annotations }}
- {{- include "common.tplvalues.render" (dict "value" .Values.metrics.service.annotations "context" $) | nindent 4 }}
- {{- end }}
- {{- end }}
-spec:
- type: {{ .Values.metrics.service.type }}
- {{- if and (eq .Values.metrics.service.type "LoadBalancer") (not (empty .Values.metrics.service.loadBalancerIP)) }}
- loadBalancerIP: {{ .Values.metrics.service.loadBalancerIP }}
- {{- end }}
- ports:
- - port: {{ .Values.metrics.service.port }}
- targetPort: http-metrics
- protocol: TCP
- name: http-metrics
- {{- if and (or (eq .Values.metrics.service.type "NodePort") (eq .Values.metrics.service.type "LoadBalancer")) (not (empty .Values.metrics.service.nodePort)) }}
- nodePort: {{ .Values.metrics.service.nodePort }}
- {{- else if eq .Values.metrics.service.type "ClusterIP" }}
- nodePort: null
- {{- end }}
- selector: {{- include "common.labels.matchLabels" . | nindent 4 }}
- app.kubernetes.io/component: server
diff --git a/packages/helm-charts/kong/templates/migrate-job.yaml b/packages/helm-charts/kong/templates/migrate-job.yaml
deleted file mode 100644
index 3fdf2ee5e8..0000000000
--- a/packages/helm-charts/kong/templates/migrate-job.yaml
+++ /dev/null
@@ -1,113 +0,0 @@
-apiVersion: batch/v1
-kind: Job
-metadata:
- name: {{ include "common.names.fullname" . }}-migrate
- namespace: {{ .Release.Namespace }}
- labels: {{- include "common.labels.standard" . | nindent 4 }}
- app.kubernetes.io/component: server
- {{- if .Values.commonLabels }}
- {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
- {{- end }}
- annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.migration.annotations "context" $ ) | nindent 4 }}
- {{- if .Values.commonAnnotations }}
- {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
- {{- end }}
-spec:
- template:
- metadata:
- labels: {{- include "common.labels.standard" . | nindent 8 }}
- app.kubernetes.io/component: migration
- annotations:
- {{- if .Values.migration.podAnnotations }}
- {{- include "common.tplvalues.render" (dict "value" .Values.migration.podAnnotations "context" $) | nindent 8 }}
- {{- end }}
- spec:
- {{- include "kong.imagePullSecrets" . | nindent 6 }}
- restartPolicy: OnFailure
- {{- if .Values.podSecurityContext }}
- securityContext: {{- include "common.tplvalues.render" (dict "value" .Values.podSecurityContext "context" $) | nindent 8 }}
- {{- end }}
- {{- if .Values.migration.hostAliases }}
- hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.migration.hostAliases "context" $) | nindent 8 }}
- {{- end }}
- containers:
- - name: kong-migrate
- image: {{ template "kong.migration.image" . }}
- imagePullPolicy: {{ .Values.image.pullPolicy }}
- {{- if .Values.migration.command }}
- command: {{- include "common.tplvalues.render" (dict "value" .Values.migration.command "context" $) | nindent 12 }}
- {{- end }}
- {{- if .Values.migration.args }}
- args: {{- include "common.tplvalues.render" (dict "value" .Values.migration.args "context" $) | nindent 12 }}
- {{- end }}
- {{- if .Values.containerSecurityContext }}
- securityContext: {{- include "common.tplvalues.render" (dict "value" .Values.containerSecurityContext "context" $) | nindent 12 }}
- {{- end }}
- env:
- - name: KONG_MIGRATE
- value: "yes"
- - name: KONG_EXIT_AFTER_MIGRATE
- value: "yes"
- {{- if (eq .Values.database "postgresql") }}
- - name: KONG_DATABASE
- value: "postgres"
- {{- if .Values.postgresql.usePasswordFile }}
- - name: KONG_POSTGRESQL_PASSWORD_FILE
- value: "/bitnami/kong/secrets/postgresql-password"
- {{- else }}
- - name: KONG_PG_PASSWORD
- valueFrom:
- secretKeyRef:
- name: {{ include "kong.postgresql.secretName" . }}
- key: postgresql-password
- {{- end }}
- - name: KONG_PG_HOST
- value: {{ include "kong.postgresql.host" . }}
- - name: KONG_PG_USER
- value: {{ include "kong.postgresql.user" . }}
- {{- end }}
- {{- if (eq .Values.database "cassandra") }}
- - name: KONG_DATABASE
- value: "cassandra"
- {{- if .Values.cassandra.usePasswordFile }}
- - name: KONG_CASSANDRA_PASSWORD_FILE
- value: "/bitnami/kong/secrets/cassandra-password"
- {{- else }}
- - name: KONG_CASSANDRA_PASSWORD
- valueFrom:
- secretKeyRef:
- name: {{ include "kong.cassandra.secretName" . }}
- key: cassandra-password
- {{- end }}
- - name: KONG_CASSANDRA_CONTACT_POINTS
- value: {{ include "kong.cassandra.contactPoints" . }}
- - name: KONG_CASSANDRA_PORT
- value: {{ include "kong.cassandra.port" . | quote }}
- - name: KONG_CASSANDRA_USER
- value: {{ include "kong.cassandra.user" . | quote }}
- {{- end }}
- {{- if .Values.migration.extraEnvVars }}
- {{- include "common.tplvalues.render" (dict "value" .Values.migration.extraEnvVars "context" $) | nindent 12 }}
- {{- end }}
- {{- if or .Values.migration.extraEnvVarsCM .Values.migration.extraEnvVarsSecret }}
- envFrom:
- {{- if .Values.migration.extraEnvVarsCM }}
- - configMapRef:
- name: {{ .Values.migration.extraEnvVarsCM }}
- {{- end }}
- {{- if .Values.migration.extraEnvVarsSecret }}
- - secretRef:
- name: {{ .Values.migration.extraEnvVarsSecret }}
- {{- end }}
- {{- end }}
- {{- if .Values.migration.extraVolumeMounts }}
- volumeMounts:
- {{- include "common.tplvalues.render" (dict "value" .Values.migration.extraVolumeMounts "context" $) | nindent 12 }}
- {{- end }}
- {{- if .Values.migration.resources }}
- resources: {{- toYaml .Values.migration.resources | nindent 12 }}
- {{- end }}
- {{- if .Values.extraVolumes }}
- volumes:
- {{- include "common.tplvalues.render" (dict "value" .Values.extraVolumes "context" $) | nindent 6 }}
- {{- end }}
diff --git a/packages/helm-charts/kong/templates/pdb.yaml b/packages/helm-charts/kong/templates/pdb.yaml
deleted file mode 100644
index 61a43a0bcc..0000000000
--- a/packages/helm-charts/kong/templates/pdb.yaml
+++ /dev/null
@@ -1,25 +0,0 @@
-{{- if .Values.pdb.enabled }}
-apiVersion: policy/v1beta1
-kind: PodDisruptionBudget
-metadata:
- name: {{ include "common.names.fullname" . }}
- namespace: {{ .Release.Namespace }}
- labels: {{- include "common.labels.standard" . | nindent 4 }}
- app.kubernetes.io/component: server
- {{- if .Values.commonLabels }}
- {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
- {{- end }}
- {{- if .Values.commonAnnotations }}
- annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
- {{- end }}
-spec:
- {{- if .Values.pdb.minAvailable }}
- minAvailable: {{ .Values.pdb.minAvailable }}
- {{- end }}
- {{- if .Values.pdb.maxUnavailable }}
- maxUnavailable: {{ .Values.pdb.maxUnavailable }}
- {{- end }}
- selector:
- matchLabels:
- {{- include "common.labels.matchLabels" . | nindent 6 }}
-{{- end }}
diff --git a/packages/helm-charts/kong/templates/service.yaml b/packages/helm-charts/kong/templates/service.yaml
deleted file mode 100644
index a5af0c99ec..0000000000
--- a/packages/helm-charts/kong/templates/service.yaml
+++ /dev/null
@@ -1,74 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
- name: {{ include "common.names.fullname" . }}
- namespace: {{ .Release.Namespace }}
- labels: {{- include "common.labels.standard" . | nindent 4 }}
- app.kubernetes.io/component: server
- {{- if .Values.commonLabels }}
- {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
- {{- end }}
- {{- if or .Values.service.annotations .Values.commonAnnotations }}
- annotations:
- {{- if .Values.service.annotations }}
- {{- include "common.tplvalues.render" ( dict "value" .Values.service.annotations "context" $ ) | nindent 4 }}
- {{- end }}
- {{- if .Values.commonAnnotations }}
- {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
- {{- end }}
- {{- end }}
-spec:
- type: {{ .Values.service.type }}
- {{- if and (or (eq .Values.service.type "NodePort") (eq .Values.service.type "LoadBalancer")) (not (empty .Values.service.externalTrafficPolicy)) }}
- externalTrafficPolicy: {{ .Values.service.externalTrafficPolicy }}
- {{- end }}
- {{- if not (empty .Values.service.clusterIP) }}
- clusterIP: {{ .Values.service.clusterIP }}
- {{- end }}
- {{- if and (eq .Values.service.type "LoadBalancer") (not (empty .Values.service.loadBalancerIP)) }}
- loadBalancerIP: {{ .Values.service.loadBalancerIP }}
- {{- end }}
- ports:
- - port: {{ .Values.service.proxyHttpPort }}
- targetPort: http-proxy
- protocol: TCP
- name: http-proxy
- {{- if and (or (eq .Values.service.type "NodePort") (eq .Values.service.type "LoadBalancer")) (not (empty .Values.service.proxyHttpNodePort)) }}
- nodePort: {{ .Values.service.proxyHttpNodePort }}
- {{- else if eq .Values.service.type "ClusterIP" }}
- nodePort: null
- {{- end }}
- - port: {{ .Values.service.proxyHttpsPort }}
- targetPort: https-proxy
- protocol: TCP
- name: https-proxy
- {{- if and (or (eq .Values.service.type "NodePort") (eq .Values.service.type "LoadBalancer")) (not (empty .Values.service.proxyHttpsNodePort)) }}
- nodePort: {{ .Values.service.proxyHttpsNodePort }}
- {{- else if eq .Values.service.type "ClusterIP" }}
- nodePort: null
- {{- end }}
- {{- if .Values.service.exposeAdmin }}
- - port: {{ .Values.service.adminHttpPort }}
- targetPort: http-admin
- protocol: TCP
- name: http-admin
- {{- if and (or (eq .Values.service.type "NodePort") (eq .Values.service.type "LoadBalancer")) (not (empty .Values.service.adminHttpNodePort)) }}
- nodePort: {{ .Values.service.adminHttpNodePort }}
- {{- else if eq .Values.service.type "ClusterIP" }}
- nodePort: null
- {{- end }}
- - port: {{ .Values.service.adminHttpsPort }}
- targetPort: https-admin
- protocol: TCP
- name: https-admin
- {{- if and (or (eq .Values.service.type "NodePort") (eq .Values.service.type "LoadBalancer")) (not (empty .Values.service.adminHttpsNodePort)) }}
- nodePort: {{ .Values.service.adminHttpsNodePort }}
- {{- else if eq .Values.service.type "ClusterIP" }}
- nodePort: null
- {{- end }}
- {{- end }}
- {{- if .Values.service.extraPorts }}
- {{- include "common.tplvalues.render" (dict "value" .Values.service.extraPorts "context" $) | nindent 4 }}
- {{- end }}
- selector: {{- include "common.labels.matchLabels" . | nindent 4 }}
- app.kubernetes.io/component: server
diff --git a/packages/helm-charts/kong/templates/servicemonitor.yaml b/packages/helm-charts/kong/templates/servicemonitor.yaml
deleted file mode 100644
index 66baec8ae8..0000000000
--- a/packages/helm-charts/kong/templates/servicemonitor.yaml
+++ /dev/null
@@ -1,37 +0,0 @@
-{{- if and .Values.metrics.enabled .Values.metrics.serviceMonitor.enabled }}
-apiVersion: monitoring.coreos.com/v1
-kind: ServiceMonitor
-metadata:
- name: {{ include "common.names.fullname" . }}
- {{- if .Values.metrics.serviceMonitor.namespace }}
- namespace: {{ .Values.metrics.serviceMonitor.namespace }}
- {{- else }}
- namespace: {{ .Release.Namespace }}
- {{- end }}
- labels: {{- include "common.labels.standard" . | nindent 4 }}
- app.kubernetes.io/component: server
- {{- if .Values.metrics.serviceMonitor.selector }}
- {{- include "common.tplvalues.render" (dict "value" .Values.metrics.serviceMonitor.selector "context" $) | nindent 4 }}
- {{- end }}
- {{- if .Values.commonLabels }}
- {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
- {{- end }}
- {{- if .Values.commonAnnotations }}
- annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
- {{- end }}
-spec:
- selector:
- matchLabels: {{ include "common.labels.matchLabels" . | nindent 6 }}
- endpoints:
- - port: metrics
- path: "/metrics"
- {{- if .Values.metrics.serviceMonitor.interval }}
- interval: {{ .Values.metrics.serviceMonitor.interval }}
- {{- end }}
- {{- if .Values.metrics.serviceMonitor.scrapeTimeout }}
- scrapeTimeout: {{ .Values.metrics.serviceMonitor.scrapeTimeout }}
- {{- end }}
- namespaceSelector:
- matchNames:
- - {{ .Release.Namespace }}
-{{- end }}
diff --git a/packages/helm-charts/kong/templates/tls-secrets.yaml b/packages/helm-charts/kong/templates/tls-secrets.yaml
deleted file mode 100644
index 3c187eae12..0000000000
--- a/packages/helm-charts/kong/templates/tls-secrets.yaml
+++ /dev/null
@@ -1,43 +0,0 @@
-{{- if .Values.ingress.enabled }}
-{{- if .Values.ingress.secrets }}
-{{- range .Values.ingress.secrets }}
-apiVersion: v1
-kind: Secret
-metadata:
- name: {{ .name }}
- namespace: {{ $.Release.Namespace }}
- labels: {{- include "common.labels.standard" $ | nindent 4 }}
- {{- if $.Values.commonLabels }}
- {{- include "common.tplvalues.render" ( dict "value" $.Values.commonLabels "context" $ ) | nindent 4 }}
- {{- end }}
- {{- if $.Values.commonAnnotations }}
- annotations: {{- include "common.tplvalues.render" ( dict "value" $.Values.commonAnnotations "context" $ ) | nindent 4 }}
- {{- end }}
-type: kubernetes.io/tls
-data:
- tls.crt: {{ .certificate | b64enc }}
- tls.key: {{ .key | b64enc }}
----
-{{- end }}
-{{- else if and .Values.ingress.tls (not .Values.ingress.certManager) }}
-{{- $ca := genCA "kong-ca" 365 }}
-{{- $cert := genSignedCert .Values.ingress.hostname nil (list .Values.ingress.hostname) 365 $ca }}
-apiVersion: v1
-kind: Secret
-metadata:
- name: {{ printf "%s-tls" .Values.ingress.hostname }}
- namespace: {{ .Release.Namespace }}
- labels: {{- include "common.labels.standard" . | nindent 4 }}
- {{- if .Values.commonLabels }}
- {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
- {{- end }}
- {{- if .Values.commonAnnotations }}
- annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
- {{- end }}
-type: kubernetes.io/tls
-data:
- tls.crt: {{ $cert.Cert | b64enc | quote }}
- tls.key: {{ $cert.Key | b64enc | quote }}
- ca.crt: {{ $ca.Cert | b64enc | quote }}
-{{- end }}
-{{- end }}
diff --git a/packages/helm-charts/kong/values-clabs.yaml b/packages/helm-charts/kong/values-clabs.yaml
deleted file mode 100644
index 4f2cb190fc..0000000000
--- a/packages/helm-charts/kong/values-clabs.yaml
+++ /dev/null
@@ -1,39 +0,0 @@
-ingress:
- enabled: true
- hostname: kong.local
-
-ingressController:
- ingressClass: kong
-
-postgresql:
- postgresqlPassword: kong
-
-service:
- exposeAdmin: true
- annotations:
- cloud.google.com/neg: '{"exposed_ports": {"80":{}}}'
-
-extraVolumes:
-- name: kong-config
- configMap:
- name: kong-config
-
-kong:
- extraVolumeMounts:
- - name: kong-config
- mountPath: /opt/bitnami/kong/conf/kong.conf.backup
- subPath: kong.conf
-
- extraEnvVars:
- - name: KONG_TRUSTED_IPS
- value: 130.211.0.0/22,35.191.0.0/16,34.120.148.61/32
- - name: KONG_REAL_IP_HEADER
- value: X-Forwarded-For
- - name: KONG_REAL_IP_RECURSIVE
- value: "on"
- - name: KONG_PROXY_ACCESS_LOG
- value: /dev/stdout geth
- - name: KONG_ADMIN_ACCESS_LOG
- value: /dev/stdout geth
- - name: KONG_NGINX_HTTP_LOG_FORMAT
- value: geth '$remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" "$http_x_forwarded_for" "$remote_addr"'
diff --git a/packages/helm-charts/kong/values.yaml b/packages/helm-charts/kong/values.yaml
deleted file mode 100644
index 215c0f8c00..0000000000
--- a/packages/helm-charts/kong/values.yaml
+++ /dev/null
@@ -1,694 +0,0 @@ -## Global Docker image parameters -## Please, note that this will override the image parameters, including dependencies, configured to use the global value -## Current available global Docker image parameters: imageRegistry, imagePullSecrets and storageClass -## -# global: -# imageRegistry: myRegistryName -# imagePullSecrets: -# - myRegistryKeySecretName -# storageClass: myStorageClass - -## Bitnami kong image version -## ref: https://hub.docker.com/r/bitnami/kong/tags/ -## -image: - registry: docker.io - repository: bitnami/kong - tag: 2.4.1-debian-10-r9 - ## Specify a imagePullPolicy - ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' - ## ref: http://kubernetes.io/docs/user-guide/images/#pre-pulling-images - ## - pullPolicy: IfNotPresent - ## Optionally specify an array of imagePullSecrets. - ## Secrets must be manually created in the namespace. - ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ - ## - # pullSecrets: - # - myRegistryKeySecretName - -## Force target Kubernetes version (using Helm capabilites if not set) -## -kubeVersion: - -## Select database: can be either postgresql or cassandra -## -database: postgresql - -## String to partially override kong.fullname template (will maintain the release name) -## -nameOverride: - -## String to fully override kong.fullname template -## -fullnameOverride: - -## Number of kong Pod replicas -## -replicaCount: 2 - -## Deployment pod host aliases -## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/ -## -hostAliases: [] - -## Set up update strategy for kong installation. Set to Recreate if you use persistent volume that cannot be mounted by more than one pods to makesure the pods is destroyed first. 
-## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy -## Example: -# updateStrategy: -# type: RollingUpdate -# rollingUpdate: -# maxSurge: 25% -# maxUnavailable: 25% -updateStrategy: - type: RollingUpdate - -## Use an alternate scheduler, e.g. "stork". -## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ -## -schedulerName: - -## Common annotations to add to all Kong resources (sub-charts are not considered). Evaluated as a template -## -commonAnnotations: {} - -## Common labels to add to all Kong resources (sub-charts are not considered). Evaluated as a template -## -commonLabels: {} - -## Use a daemonset instead of a deployment -## -useDaemonset: false - -kong: - ## Command and args for running the container (set to default if not set). Use array form - ## - command: - args: - ## Configmap with init scripts to execute - ## - initScriptsCM: - - ## Secret with init scripts to execute (for sensitive data) - ## - initScriptsSecret: - - ## An array to add extra env vars - ## For example: - ## extraEnvVars: - ## - name: GF_DEFAULT_INSTANCE_NAME - ## value: my-instance - ## - extraEnvVars: [] - - ## ConfigMap with extra env vars: - ## - extraEnvVarsCM: - - ## Secret with extra env vars: - ## - extraEnvVarsSecret: - ## Array to add extra mounts (normally used with extraVolumes) - ## - extraVolumeMounts: [] - - ## Custom Liveness probe - ## - customLivenessProbe: {} - - ## Custom Rediness probe - ## - customReadinessProbe: {} - - ## - ## Liveness and readiness probes - ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes - ## - livenessProbe: - enabled: true - initialDelaySeconds: 120 - periodSeconds: 10 - timeoutSeconds: 5 - failureThreshold: 6 - successThreshold: 1 - - readinessProbe: - enabled: true - initialDelaySeconds: 30 - periodSeconds: 10 - timeoutSeconds: 5 - failureThreshold: 6 - successThreshold: 1 - ## - ## Container lifecycle hooks - ## ref: 
https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/ - ## - lifecycleHooks: {} - - ## Container resource requests and limits - ## ref: http://kubernetes.io/docs/user-guide/compute-resources/ - ## - resources: - # We usually recommend not to specify default resources and to leave this as a conscious - # choice for the user. This also increases chances charts run on environments with little - # resources, such as Minikube. If you do want to specify resources, uncomment the following - # lines, adjust them as necessary, and remove the curly braces after 'resources:'. - limits: {} - # cpu: 500m - # memory: 1Gi - requests: {} - # cpu: 250m - # memory: 256Mi - -ingressController: - enabled: true - customResourceDeletePolicy: {} - image: - registry: docker.io - repository: bitnami/kong-ingress-controller - tag: 1.2.0-debian-10-r53 - ## Specify a imagePullPolicy - ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' - ## ref: http://kubernetes.io/docs/user-guide/images/#pre-pulling-images - ## - pullPolicy: IfNotPresent - ## Optionally specify an array of imagePullSecrets. - ## Secrets must be manually created in the namespace. - ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ - ## - # pullSecrets: - # - myRegistryKeySecretName - proxyReadyTimeout: 300 - rbac: - create: true - existingServiceAccount: - ingressClass: kong - ## Command and args for running the container (set to default if not set). 
Use array form - ## - command: - args: - ## An array to add extra env vars - ## For example: - ## extraEnvVars: - ## - name: GF_DEFAULT_INSTANCE_NAME - ## value: my-instance - ## - extraEnvVars: [] - - ## ConfigMap with extra env vars: - ## - extraEnvVarsCM: - - ## Secret with extra env vars: - ## - extraEnvVarsSecret: - ## Array to add extra mounts (normally used with extraVolumes) - ## - extraVolumeMounts: [] - - ## Custom Liveness probe - ## - customLivenessProbe: {} - - ## Custom Rediness probe - ## - customReadinessProbe: {} - - ## - ## Liveness and readiness probes - ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes - ## - livenessProbe: - enabled: true - initialDelaySeconds: 120 - periodSeconds: 10 - timeoutSeconds: 5 - failureThreshold: 6 - successThreshold: 1 - readinessProbe: - enabled: true - initialDelaySeconds: 30 - periodSeconds: 10 - timeoutSeconds: 5 - failureThreshold: 6 - successThreshold: 1 - ## Container resource requests and limits - ## ref: http://kubernetes.io/docs/user-guide/compute-resources/ - ## - resources: - # We usually recommend not to specify default resources and to leave this as a conscious - # choice for the user. This also increases chances charts run on environments with little - # resources, such as Minikube. If you do want to specify resources, uncomment the following - # lines, adjust them as necessary, and remove the curly braces after 'resources:'. - limits: {} - # cpu: 500m - # memory: 1Gi - requests: {} - # cpu: 250m - # memory: 256Mi - -migration: - ## In case you want to use a custom image for Kong migration, set this value - ## - # image: - # registry: - # repository: - # tag: - ## Command and args for running the container (set to default if not set). Use array form - ## - command: - args: - - ## Deployment pod host aliases - ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/ - ## - hostAliases: [] - - ## Job annotation. 
By defeault set to post-install and post-upgrade - ## - annotations: - helm.sh/hook: post-install, post-upgrade - helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded - - ## An array to add extra env vars - ## For example: - ## extraEnvVars: - ## - name: GF_DEFAULT_INSTANCE_NAME - ## value: my-instance - ## - extraEnvVars: [] - - ## ConfigMap with extra env vars: - ## - extraEnvVarsCM: - - ## Secret with extra env vars: - ## - extraEnvVarsSecret: - ## Array to add extra mounts (normally used with extraVolumes) - ## - extraVolumeMounts: - ## Liveness and readiness probes - ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes - ## - ## Container resource requests and limits - ## ref: http://kubernetes.io/docs/user-guide/compute-resources/ - ## - resources: - # We usually recommend not to specify default resources and to leave this as a conscious - # choice for the user. This also increases chances charts run on environments with little - # resources, such as Minikube. If you do want to specify resources, uncomment the following - # lines, adjust them as necessary, and remove the curly braces after 'resources:'. - limits: {} - # cpu: 500m - # memory: 1Gi - requests: {} - # cpu: 250m - # memory: 256Mi - -## Array to add extra volumes -## -extraVolumes: [] - -## Add init containers to the pod -## -initContainers: -## e.g. -# - name: your-image-name -# image: your-image -# imagePullPolicy: Always -# ports: -# - name: portname -# containerPort: 1234 - -## Add sidecar containers to the pod -## -sidecars: -## e.g. -# - name: your-image-name -# image: your-image -# imagePullPolicy: Always -# ports: -# - name: portname -# containerPort: 1234 - -## Service parameters -## -service: - ## K8s service type - ## - type: ClusterIP - - ## clusterIP for the service (optional) - ## This is the internal IP address of the service and is usually assigned randomly. 
- ## ref: https://kubernetes.io/docs/reference/kubernetes-api/service-resources/service-v1/#ServiceSpec - ## - clusterIP: - - ## externalTrafficPolicy for the service - ## default to "Cluster" - ## set to "Local" in order to preserve the client source IP (only on service of type LoadBalancer or NodePort) - ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/ - ## - externalTrafficPolicy: - - ## kong proxy HTTP service port - ## - proxyHttpPort: 80 - ## kong proxy HTTPS service port - ## - proxyHttpsPort: 443 - - ## Include the admin ports in the service - ## - exposeAdmin: false - ## kong proxy HTTP service port - ## - adminHttpPort: 8001 - ## kong proxy HTTPS service port - ## - adminHttpsPort: 8444 - - ## Specify the nodePort value for the LoadBalancer and NodePort service types. - ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport - ## - # proxyHttpNodePort: - # proxyHttpsNodePort: - # adminHttpNodePort: - # adminHttpsNodePort: - - ## loadBalancerIP for the Kong Service (optional, cloud specific) - ## ref: http://kubernetes.io/docs/user-guide/services/#type-loadbalancer - ## - loadBalancerIP: - - ## Provide any additional annotations which may be required. This can be used to - ## set the LoadBalancer service type to internal only. - ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer - ## - annotations: {} - ## Extra ports to expose (normally used with the `sidecar` value) - # extraPorts: - -## Kong cluster domain -## -clusterDomain: cluster.local - -## Configure the ingress resource that allows you to access the -## Kong installation. 
Set up the URL -## ref: http://kubernetes.io/docs/user-guide/ingress/ -## -ingress: - ## Set to true to enable ingress record generation - ## - enabled: false - - ## Set this to true in order to add the corresponding annotations for cert-manager - ## - certManager: false - - ## Ingress Path type - ## - pathType: ImplementationSpecific - - ## Override API Version (automatically detected if not set) - ## - apiVersion: - - ## When the ingress is enabled, a host pointing to this will be created - ## - hostname: kong.local - - ## The Path to Kong. You may need to set this to '/*' in order to use this - ## with ALB ingress controllers. - ## - path: / - - ## Ingress annotations done as key:value pairs - ## For a full list of possible ingress annotations, please see - ## ref: https://github.com/kubernetes/ingress-nginx/blob/master/docs/user-guide/nginx-configuration/annotations.md - ## - ## If certManager is set to true, annotation kubernetes.io/tls-acme: "true" will automatically be set - ## - annotations: {} - - ## Enable TLS configuration for the hostname defined at ingress.hostname parameter - ## TLS certificates will be retrieved from a TLS secret with name: {{- printf "%s-tls" .Values.ingress.hostname }} - ## You can use the ingress.secrets parameter to create this TLS secret or relay on cert-manager to create it - ## - tls: false - - ## The list of additional hostnames to be covered with this ingress record. - ## Most likely the hostname above will be enough, but in the event more hosts are needed, this is an array - ## extraHosts: - ## - name: kong.local - ## path: / - ## - - ## Any additional arbitrary paths that may need to be added to the ingress under the main host. - ## For example: The ALB ingress controller requires a special rule for handling SSL redirection. 
- ## extraPaths: - ## - path: /* - ## backend: - ## serviceName: ssl-redirect - ## servicePort: use-annotation - ## - - ## The tls configuration for additional hostnames to be covered with this ingress record. - ## see: https://kubernetes.io/docs/concepts/services-networking/ingress/#tls - ## extraTls: - ## - hosts: - ## - kong.local - ## secretName: kong.local-tls - ## - - ## If you're providing your own certificates, please use this to add the certificates as secrets - ## key and certificate should start with -----BEGIN CERTIFICATE----- or - ## -----BEGIN RSA PRIVATE KEY----- - ## - ## name should line up with a tlsSecret set further up - ## If you're using cert-manager, this is unneeded, as it will create the secret for you if it is not set - ## - ## It is also possible to create and manage the certificates outside of this helm chart - ## Please see README.md for more information - ## - secrets: [] - ## - name: kong.local-tls - ## key: - ## certificate: - ## - -## SecurityContext configuration -## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ -## -containerSecurityContext: - runAsUser: 1001 - runAsNonRoot: true - -podSecurityContext: {} - -## Node labels for pod assignment -## Ref: https://kubernetes.io/docs/user-guide/node-selection/ -## -nodeSelector: {} - -## Tolerations for pod assignment -## Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ -## -tolerations: [] - -## Pod affinity preset -## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity -## Allowed values: soft, hard -## -podAffinityPreset: "" - -## Pod anti-affinity preset -## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity -## Allowed values: soft, hard -## -podAntiAffinityPreset: soft - -## Node affinity preset -## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity -## 
Allowed values: soft, hard -## -nodeAffinityPreset: - ## Node affinity type - ## Allowed values: soft, hard - ## - type: "" - ## Node label key to match - ## E.g. - ## key: "kubernetes.io/e2e-az-name" - ## - key: "" - ## Node label values to match - ## E.g. - ## values: - ## - e2e-az1 - ## - e2e-az2 - ## - values: [] - -## Affinity for pod assignment -## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity -## Note: podAffinityPreset, podAntiAffinityPreset, and nodeAffinityPreset will be ignored when it's set -## -affinity: {} - -## Pod annotations -## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ -## -podAnnotations: {} - -## Pod labels -## Ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ -## -podLabels: {} - -## Prometheus metrics -## -metrics: - enabled: false - - ## Kong metrics service configuration - ## - service: - annotations: - prometheus.io/scrape: "true" - prometheus.io/port: "{{ .Values.metrics.service.port }}" - prometheus.io/path: "/metrics" - type: ClusterIP - port: 9119 - - ## Kong ServiceMonitor configuration - ## - serviceMonitor: - enabled: false - ## Namespace in which Prometheus is running - ## - # namespace: monitoring - - ## Service Account used by Prometheus - ## - # serviceAccount: prometheus - - ## Interval at which metrics should be scraped. 
- ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint - ## - # interval: 10s - - ## Timeout after which the scrape is ended - ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint - ## - # scrapeTimeout: 10s - - ## ServiceMonitor selector labels - ## ref: https://github.com/bitnami/charts/tree/master/bitnami/prometheus-operator#prometheus-configuration - ## - # selector: - # prometheus: my-prometheus - - ## If RBAC enabled on the cluster, Additional resources will be required - ## so Prometheus can reach kong's namespace - ## - rbac: - enabled: true - -## Add an horizontal pod autoscaler -## ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/ -## -autoscaling: - enabled: false - apiVersion: autoscaling/v2beta1 - minReplicas: 2 - maxReplicas: 5 - metrics: - - type: Resource - resource: - name: cpu - targetAverageUtilization: 80 - -## Kong Pod Disruption Budget -## ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ -## -pdb: - enabled: false - maxUnavailable: "50%" - -## Extra objects to deploy (value evaluated as a template) -## -extraDeploy: [] - -## PostgreSQL properties -## -postgresql: - ## Deploy the postgresql sub-chart - ## - enabled: true - ## Mounts secrets as a file - ## - usePasswordFile: false - ## Properties for using an existing PostgreSQL installation - ## - external: - ## Host of the external PostgreSQL installation - ## - host: - ## Username of the external PostgreSQL installation - ## - user: - ## Password of the external PostgreSQL installation - ## - password: - - ## Use an existing secret with the PostgreSQL password - ## - existingSecret: - - ## Name of the Database for Kong to access - ## - postgresqlDatabase: kong - - ## Create a username in the bundled PostgreSQL installation - ## - postgresqlUsername: kong - -## Cassandra properties -## -cassandra: - ## Deploy the cassandra sub-chart - ## - enabled: false - ## 
Database user to create - ## - dbUser: - user: kong - ## Mount secrets as files - ## - usePasswordFile: false - ## Properties for using an existing Cassandra installation - ## - external: - ## Array with the contact points - ## - hosts: [] - # - host1 - # - host2 - - ## Port for accessing the external cassandra installation - ## - port: 9042 - - ## Username of the external Cassandra installation - ## - user: - - ## Password of the external Cassandra installation - ## - password: - - ## Use an existing secret with the Cassandra password - ## - existingSecret:
diff --git a/packages/helm-charts/konga/.helmignore b/packages/helm-charts/konga/.helmignore
deleted file mode 100644
index 50af031725..0000000000
--- a/packages/helm-charts/konga/.helmignore
+++ /dev/null
@@ -1,22 +0,0 @@
-# Patterns to ignore when building packages.
-# This supports shell glob matching, relative path matching, and
-# negation (prefixed with !). Only one pattern per line.
-.DS_Store
-# Common VCS dirs
-.git/
-.gitignore
-.bzr/
-.bzrignore
-.hg/
-.hgignore
-.svn/
-# Common backup files
-*.swp
-*.bak
-*.tmp
-*~
-# Various IDEs
-.project
-.idea/
-*.tmproj
-.vscode/
diff --git a/packages/helm-charts/konga/Chart.yaml b/packages/helm-charts/konga/Chart.yaml
deleted file mode 100644
index e9e2fe0ba4..0000000000
--- a/packages/helm-charts/konga/Chart.yaml
+++ /dev/null
@@ -1,5 +0,0 @@
-apiVersion: v1
-appVersion: "1.0"
-description: A Helm chart for Kubernetes
-name: konga
-version: 1.0.0
diff --git a/packages/helm-charts/konga/README.md b/packages/helm-charts/konga/README.md
deleted file mode 100644
index e69de29bb2..0000000000
diff --git a/packages/helm-charts/konga/httpie-jq.Dockerfile b/packages/helm-charts/konga/httpie-jq.Dockerfile
deleted file mode 100644
index 7274d83973..0000000000
--- a/packages/helm-charts/konga/httpie-jq.Dockerfile
+++ /dev/null
@@ -1,3 +0,0 @@
-FROM alpine/httpie:latest
-
-RUN apk add --no-cache jq
diff --git a/packages/helm-charts/konga/templates/NOTES.txt b/packages/helm-charts/konga/templates/NOTES.txt deleted file mode 100644 index 16772ddd69..0000000000 --- a/packages/helm-charts/konga/templates/NOTES.txt +++ /dev/null @@ -1,21 +0,0 @@ -1. Get the application URL by running these commands: -{{- if .Values.ingress.enabled }} -{{- range $host := .Values.ingress.hosts }} - {{- range .paths }} - http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $host.host }}{{ . }} - {{- end }} -{{- end }} -{{- else if contains "NodePort" .Values.service.type }} - export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "konga.fullname" . }}) - export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}") - echo http://$NODE_IP:$NODE_PORT -{{- else if contains "LoadBalancer" .Values.service.type }} - NOTE: It may take a few minutes for the LoadBalancer IP to be available. - You can watch the status of by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "konga.fullname" . }}' - export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "konga.fullname" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}') - echo http://$SERVICE_IP:{{ .Values.service.port }} -{{- else if contains "ClusterIP" .Values.service.type }} - export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "konga.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") - echo "Visit http://127.0.0.1:8080 to use your application" - kubectl port-forward $POD_NAME 8080:80 -{{- end }} diff --git a/packages/helm-charts/konga/templates/_helpers.tpl b/packages/helm-charts/konga/templates/_helpers.tpl deleted file mode 100644 index 19a1d008fd..0000000000 --- a/packages/helm-charts/konga/templates/_helpers.tpl +++ /dev/null 
@@ -1,43 +0,0 @@
-{{/* vim: set filetype=mustache: */}}
-{{/*
-Expand the name of the chart.
-*/}}
-{{- define "konga.name" -}}
-{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-
-{{/*
-Create a default fully qualified app name.
-We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
-If release name contains chart name it will be used as a full name.
-*/}}
-{{- define "konga.fullname" -}}
-{{- if .Values.fullnameOverride -}}
-{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
-{{- else -}}
-{{- $name := default .Chart.Name .Values.nameOverride -}}
-{{- if contains $name .Release.Name -}}
-{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
-{{- else -}}
-{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-{{- end -}}
-{{- end -}}
-
-{{/*
-Create chart name and version as used by the chart label.
-*/}}
-{{- define "konga.chart" -}}
-{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-
-
-{{/*
-Valdiate an env value
-{{ include "konga.validate_config_var" ( dict "name" "" "value" .Values.path.to.value.to.check) }}
-*/}}
-{{- define "konga.validate_config_var" -}}
-{{- if .value -}}
-{{ .name }}: {{ .value }}
-{{- end -}}
-{{- end -}}
diff --git a/packages/helm-charts/konga/templates/configmap-snapshot.yaml b/packages/helm-charts/konga/templates/configmap-snapshot.yaml
deleted file mode 100644
index 5e2c295689..0000000000
--- a/packages/helm-charts/konga/templates/configmap-snapshot.yaml
+++ /dev/null
@@ -1,449 +0,0 @@ -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "konga.fullname" . }}-snapshot - labels: - app.kubernetes.io/name: {{ include "konga.name" . }} - helm.sh/chart: {{ include "konga.chart" . }} - app.kubernetes.io/instance: {{ .Release.Name }} - app.kubernetes.io/managed-by: {{ .Release.Service }} -data: - kong_node.data: | - module.exports = [ - { - "name": "Kong", - "type": "default", - "kong_admin_url": "http://{{ .Values.kong.service }}:{{ .Values.kong.admin_port }}", - "health_checks": false, - "active" : true, - } - ] - snapshot.json: | - { - "createdUser": null, - "updatedUser": null, - "id": 5, - "name": "snapshot_May2022", - "kong_node_name": "Kong", - "kong_node_url": "http://kong:8001", - "kong_version": "0-10-x", - "data": { - "services": [ - { - "retries": 5, - "id": "90a37cb9-2c01-472b-8fff-715835e56156", - "name": "status", - "port": 8000, - "client_certificate": null, - "updated_at": 1635786900, - "read_timeout": 60000, - "tags": [], - "ca_certificates": null, - "connect_timeout": 60000, - "write_timeout": 60000, - "protocol": "http", - "created_at": 1623859719, - "host": "localhost", - "path": null, - "tls_verify_depth": null, - "tls_verify": null, - "extras": {} - }, - { - "retries": 5, - "id": "d98c9e59-dc44-4bad-81ca-d399724462b0", - "name": "Forno", - "port": 8545, - "client_certificate": null, - "updated_at": 1635786900, - "read_timeout": 60000, - "tags": [], - "ca_certificates": null, - "connect_timeout": 60000, - "write_timeout": 60000, - "protocol": "http", - "created_at": 1623232145, - "host": "rc1-fullnodes-rpc.rc1", - "path": null, - "tls_verify_depth": null, - "tls_verify": null, - "extras": {} - } - ], - "routes": [ - { - "request_buffering": true, - "response_buffering": true, - "id": "37f4e0db-fbc9-4aa3-9f47-5c957c54efdc", - "name": "health-check", - "preserve_host": false, - "created_at": 1623859737, - "updated_at": 1635786900, - "protocols": [ - "http", - "https" - ], - "tags": null, - "hosts": null, - 
"headers": null, - "service": { - "id": "90a37cb9-2c01-472b-8fff-715835e56156" - }, - "paths": [ - "/status", - "/status*", - "/kong/status", - "/kong/status*" - ], - "methods": [ - "GET" - ], - "sources": null, - "destinations": null, - "path_handling": "v0", - "strip_path": true, - "https_redirect_status_code": 426, - "snis": null, - "regex_priority": 100 - }, - { - "request_buffering": true, - "response_buffering": true, - "id": "536b91df-0542-4c78-8ef4-de35c237050c", - "name": "forno", - "preserve_host": false, - "created_at": 1634898059, - "updated_at": 1635764767, - "protocols": [ - "http", - "https" - ], - "tags": null, - "hosts": null, - "headers": null, - "service": { - "id": "d98c9e59-dc44-4bad-81ca-d399724462b0" - }, - "paths": [ - "/", - "/*" - ], - "methods": null, - "sources": null, - "destinations": null, - "path_handling": "v0", - "strip_path": true, - "https_redirect_status_code": 426, - "snis": null, - "regex_priority": 0 - }, - { - "request_buffering": true, - "response_buffering": true, - "id": "798f63dd-60bc-4bf9-a640-e8177b747d69", - "name": "kong-path", - "preserve_host": false, - "created_at": 1635430090, - "updated_at": 1635786900, - "protocols": [ - "http", - "https" - ], - "tags": null, - "hosts": null, - "headers": null, - "service": { - "id": "d98c9e59-dc44-4bad-81ca-d399724462b0" - }, - "paths": [ - "/kong" - ], - "methods": null, - "sources": null, - "destinations": null, - "path_handling": "v1", - "strip_path": true, - "https_redirect_status_code": 426, - "snis": null, - "regex_priority": 11 - } - ], - "consumers": [ - { - "custom_id": null, - "created_at": 1623404756, - "id": "1532538d-cb47-48fa-8a8e-b21952644a6e", - "tags": [], - "username": "anonymous", - "credentials": { - "key-auths": [] - } - }, - { - "custom_id": null, - "created_at": 1623404316, - "id": "bdfbe991-2e69-4d50-bf79-4681be7f5949", - "tags": [], - "username": "komenci", - "credentials": { - "key-auths": [ - { - "key": "komenci", - "created_at": 1636497435, - "ttl": 
null, - "id": "5c085269-23d8-4dda-9dfe-2661507c2c27", - "tags": null, - "consumer": { - "id": "bdfbe991-2e69-4d50-bf79-4681be7f5949" - } - }, - { - "key": "odisMainnetAPIKey-9029667", - "created_at": 1651575802, - "ttl": null, - "id": "b2d3bc17-185d-415a-a76e-941586bc66ef", - "tags": null, - "consumer": { - "id": "bdfbe991-2e69-4d50-bf79-4681be7f5949" - } - } - ] - } - } - ], - "plugins": [ - { - "config": { - "path": "/tmp/kong.log", - "custom_fields_by_lua": null, - "reopen": false - }, - "enabled": false, - "service": null, - "id": "0e6fe9fe-c218-4b72-a9b5-4d09359f7906", - "route": null, - "created_at": 1635780419, - "protocols": [ - "grpc", - "grpcs", - "http", - "https" - ], - "consumer": { - "id": "1532538d-cb47-48fa-8a8e-b21952644a6e" - }, - "tags": null, - "name": "file-log" - }, - { - "config": { - "hide_client_headers": false, - "minute": 1000000000, - "hour": null, - "day": null, - "month": null, - "header_name": "CF-Connecting-IP", - "limit_by": "header", - "policy": "local", - "second": 10000000, - "redis_timeout": 2000, - "redis_database": 0, - "redis_host": null, - "redis_port": 6379, - "path": null, - "year": null, - "redis_password": null, - "fault_tolerant": true - }, - "enabled": true, - "service": { - "id": "d98c9e59-dc44-4bad-81ca-d399724462b0" - }, - "id": "175852a3-9891-4b26-b0f3-f2832bceadbf", - "route": null, - "created_at": 1624889602, - "protocols": [ - "grpc", - "grpcs", - "http", - "https" - ], - "consumer": { - "id": "bdfbe991-2e69-4d50-bf79-4681be7f5949" - }, - "tags": null, - "name": "rate-limiting" - }, - { - "config": { - "status_code": 200, - "message": "ok", - "body": null, - "content_type": null - }, - "enabled": true, - "service": { - "id": "90a37cb9-2c01-472b-8fff-715835e56156" - }, - "id": "18ccb4e4-b09c-4251-af1d-d3367f7ca667", - "route": null, - "created_at": 1623859751, - "protocols": [ - "grpc", - "grpcs", - "http", - "https" - ], - "consumer": null, - "tags": null, - "name": "request-termination" - }, - { - "config": { - 
"path": "/tmp/kong.log", - "custom_fields_by_lua": null, - "reopen": false - }, - "enabled": false, - "service": null, - "id": "5ae582e9-db79-4fd2-b973-1ba1ae7ab622", - "route": null, - "created_at": 1635767630, - "protocols": [ - "grpc", - "grpcs", - "http", - "https" - ], - "consumer": null, - "tags": null, - "name": "file-log" - }, - { - "config": { - "hide_client_headers": false, - "minute": 20000, - "hour": 500000, - "day": null, - "month": null, - "header_name": "CF-Connecting-IP", - "limit_by": "header", - "policy": "local", - "second": null, - "redis_timeout": 2000, - "redis_database": 0, - "redis_host": null, - "redis_port": 6379, - "path": null, - "year": null, - "redis_password": null, - "fault_tolerant": true - }, - "enabled": true, - "service": { - "id": "d98c9e59-dc44-4bad-81ca-d399724462b0" - }, - "id": "6060fd61-cf04-4bb2-a426-0aea585ac159", - "route": null, - "created_at": 1624889534, - "protocols": [ - "grpc", - "grpcs", - "http", - "https" - ], - "consumer": { - "id": "1532538d-cb47-48fa-8a8e-b21952644a6e" - }, - "tags": null, - "name": "rate-limiting" - }, - { - "config": { - "key_names": [ - "apikey" - ], - "anonymous": "1532538d-cb47-48fa-8a8e-b21952644a6e", - "hide_credentials": false, - "key_in_header": true, - "key_in_query": true, - "key_in_body": false, - "run_on_preflight": true - }, - "enabled": true, - "service": { - "id": "d98c9e59-dc44-4bad-81ca-d399724462b0" - }, - "id": "96259f8e-0484-4c98-9f4d-d4406c354407", - "route": null, - "created_at": 1624889633, - "protocols": [ - "grpc", - "grpcs", - "http", - "https" - ], - "consumer": null, - "tags": null, - "name": "key-auth" - }, - { - "config": { - "allow": null, - "deny": [ - "186.189.238.210/32" - ] - }, - "enabled": true, - "service": null, - "id": "a0b3939d-2976-4369-8c8a-f00e9e39d171", - "route": null, - "created_at": 1635965325, - "protocols": [ - "grpc", - "grpcs", - "http", - "https" - ], - "consumer": null, - "tags": null, - "name": "ip-restriction" - }, - { - "config": { - 
"per_consumer": true - }, - "enabled": true, - "service": null, - "id": "cf0c9419-69b5-4143-b863-2fa86f094841", - "route": null, - "created_at": 1626078855, - "protocols": [ - "grpc", - "grpcs", - "http", - "https" - ], - "consumer": null, - "tags": null, - "name": "prometheus" - } - ], - "acls": [ - { - "group": "noratelimit", - "created_at": 1623404350, - "id": "57187a97-d48b-4128-b007-281c0ed33659", - "tags": null, - "consumer": { - "id": "bdfbe991-2e69-4d50-bf79-4681be7f5949" - } - } - ], - "upstreams": [], - "certificates": [], - "snis": [] - }, - "createdAt": "2022-05-27T07:14:08.000Z", - "updatedAt": "2022-05-27T07:14:08.000Z" - } diff --git a/packages/helm-charts/konga/templates/configmap.yaml b/packages/helm-charts/konga/templates/configmap.yaml deleted file mode 100644 index 5f92cad0c8..0000000000 --- a/packages/helm-charts/konga/templates/configmap.yaml +++ /dev/null 
@@ -1,52 +0,0 @@ -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "konga.fullname" . }}-config - labels: - app.kubernetes.io/name: {{ include "konga.name" . }} - helm.sh/chart: {{ include "konga.chart" . }} - app.kubernetes.io/instance: {{ .Release.Name }} - app.kubernetes.io/managed-by: {{ .Release.Service }} -data: - {{- if .Values.config }} - PORT: "{{ default 1337 .Values.config.port }}" - NODE_ENV: {{ default "development" .Values.config.node_env }} - {{ include "konga.validate_config_var" ( dict "name" "SSL_KEY_PATH" "value" .Values.config.ssl_key_path ) }} - {{ include "konga.validate_config_var" ( dict "name" "SSL_CRT_PATH" "value" .Values.config.ssl_crt_path ) }} - KONGA_HOOK_TIMEOUT: "{{ default 60000 .Values.config.konga_hook_timeout }}" - DB_ADAPTER: {{ default "postgres" .Values.config.db_adapter }} - {{ include "konga.validate_config_var" ( dict "name" "DB_URI" "value" .Values.config.db_uri ) }} - DB_HOST: {{ default "localhost" .Values.config.db_host }} - DB_PORT: "{{ default 5432 .Values.config.db_port }}" - {{ include "konga.validate_config_var" ( dict "name" "DB_USER" "value" .Values.config.db_user ) }} - {{ include "konga.validate_config_var" ( dict "name" "DB_PASSWORD" "value" .Values.config.db_password ) }} - DB_DATABASE: {{ default "konga_database" .Values.config.db_database }} - DB_PG_SCHEMA: {{ default "public" .Values.config.db_pg_schema }} - {{- if eq .Values.config.node_env "development" }} - KONGA_LOG_LEVEL: {{ default "debug" .Values.config.log_level }} - {{ else if eq .Values.config.node_env "production" }} - KONGA_LOG_LEVEL: {{ default "warn" .Values.config.log_level }} - {{- end }} - {{ include "konga.validate_config_var" ( dict "name" "TOKEN_SECRET" "value" .Values.config.token_secret ) }} - {{ include "konga.validate_config_var" ( dict "name" "KONGA_SEED_KONG_NODE_DATA_SOURCE_FILE" "value" .Values.config.konga_node_data ) }} - {{ include "konga.validate_config_var" ( dict "name" "KONGA_SEED_USER_DATA_SOURCE_FILE" 
"value" .Values.config.konga_user_data ) }} - NO_AUTH: "true" - {{- end }} - - {{- if .Values.ldap }} - KONGA_AUTH_PROVIDER: {{ default "local" .Values.ldap.auth_provider }} - KONGA_LDAP_HOST: {{ default "ldap://localhost:389" .Values.ldap.host }} - KONGA_LDAP_BIND_DN: {{ .Values.ldap.bind_dn }} - KONGA_LDAP_BIND_PASSWORD: {{ .Values.ldap.bind_pass }} - KONGA_LDAP_USER_SEARCH_BASE: {{ default "ou=users,dc=com" .Values.ldap.user_search_base }} - KONGA_LDAP_USER_SEARCH_FILTER: {{ default "(|(uid={{username}})(sAMAccountName={{username}}))" .Values.ldap.user_search_filter }} - KONGA_LDAP_USER_ATTRS: {{ default "uid,uidNumber,givenName,sn,mail" .Values.ldap.user_attrs }} - KONGA_LDAP_GROUP_SEARCH_BASE: {{ default "ou=groups,dc=com" .Values.ldap.group_search_base }} - KONGA_LDAP_GROUP_SEARCH_FILTER: {{ default "(|(memberUid={{uid}})(memberUid={{uidNumber}})(sAMAccountName={{uid}}))" .Values.ldap.group_search_filter }} - KONGA_LDAP_GROUP_ATTRS: {{ default "cn" .Values.ldap.group_attrs }} - KONGA_ADMIN_GROUP_REG: {{ default "^(admin|konga)$" .Values.ldap.group_reg }} - KONGA_LDAP_ATTR_USERNAME: {{ default "uid" .Values.ldap.attr_username }} - KONGA_LDAP_ATTR_FIRSTNAME: {{ default "givenName" .Values.ldap.attr_firstname }} - KONGA_LDAP_ATTR_LASTNAME: {{ default "sn" .Values.ldap.attr_lastname }} - KONGA_LDAP_ATTR_EMAIL: {{ default "mail" .Values.ldap.attr_email }} - {{- end }} diff --git a/packages/helm-charts/konga/templates/deployment.yaml b/packages/helm-charts/konga/templates/deployment.yaml deleted file mode 100644 index 14ae1eee31..0000000000 --- a/packages/helm-charts/konga/templates/deployment.yaml +++ /dev/null 
@@ -1,104 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ include "konga.fullname" . }} - labels: - app.kubernetes.io/name: {{ include "konga.name" . }} - helm.sh/chart: {{ include "konga.chart" . }} - app.kubernetes.io/instance: {{ .Release.Name }} - app.kubernetes.io/managed-by: {{ .Release.Service }} -spec: - replicas: {{ .Values.replicaCount }} - selector: - matchLabels: - app.kubernetes.io/name: {{ include "konga.name" . }} - app.kubernetes.io/instance: {{ .Release.Name }} - template: - metadata: - labels: - app.kubernetes.io/name: {{ include "konga.name" . }} - app.kubernetes.io/instance: {{ .Release.Name }} - spec: - volumes: - - configMap: - defaultMode: 420 - name: {{ include "konga.fullname" . }}-snapshot - name: {{ include "konga.fullname" . }}-snapshot -{{- if .Values.extraVolumes }} -{{ toYaml .Values.extraVolumes | indent 8 }} -{{- end }} - containers: - - name: konga - image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" - imagePullPolicy: {{ .Values.image.pullPolicy }} - ports: - - name: http - containerPort: 1337 - protocol: TCP - livenessProbe: - httpGet: - path: / - port: http - readinessProbe: - httpGet: - path: / - port: http - envFrom: - - configMapRef: - name: {{ include "konga.fullname" . }}-config - resources: - {{- toYaml .Values.resources | nindent 12 }} - volumeMounts: - - mountPath: /opt/clabs/files/ - name: {{ include "konga.fullname" . 
}}-snapshot -{{- if .Values.extraVolumeMounts }} -{{ toYaml .Values.extraVolumeMounts | nindent 12 }} -{{- end }} - - name: restore-snapshot - image: jcortejoso/httpie-jq:latest - imagePullPolicy: IfNotPresent - stdin: true - tty: true - command: - - /bin/sh - - -c - args: - - | - while :; do - # Check if konga api is ready - if http HEAD localhost:1337 --follow --check-status >/dev/null 2>&1; then - break - fi - done - # Check if snapshot already exists - snapshot_name="$(cat /opt/clabs/files/snapshot.json | jq -r '.name')" - if http GET localhost:1337/api/snapshot | jq -e -r ".[] | select (.name==\"$snapshot_name\")" >/dev/null 2>&1; then - echo "Snapshot already present" - else - # Upload snapshot - http POST localhost:1337/api/snapshot Authorization:'Bearer noauthtoken' 'Content-Type: application/json' < /opt/clabs/files/snapshot.json - # Restore snapshot - ## Connection id field can be non-unique. It should be 1 - connection_id=$(http GET localhost:1337/api/kongnode | jq -r '.[] | select (.name=="Kong") | .id' | head -n1) - snapshot_id=$(http GET localhost:1337/api/snapshot | jq -e -r ".[] | select (.name==\"$snapshot_name\") | .id") - sleep 90 - http POST localhost:1337/api/snapshots/$snapshot_id/restore Authorization:'Bearer noauthtoken' "Connection-Id:$connection_id" imports\\:='["services","routes","consumers","plugins","acls","upstreams","certificates","snis"]' token=noauthtoken - sleep 90 - http POST localhost:1337/api/snapshots/$snapshot_id/restore Authorization:'Bearer noauthtoken' "Connection-Id:$connection_id" imports\\:='["services","routes","consumers","plugins","acls","upstreams","certificates","snis"]' token=noauthtoken - fi - tail -f /dev/null - volumeMounts: - - mountPath: /opt/clabs/files/ - name: {{ include "konga.fullname" . }}-snapshot - {{- with .Values.nodeSelector }} - nodeSelector: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.affinity }} - affinity: - {{- toYaml . 
| nindent 8 }} - {{- end }} - {{- with .Values.tolerations }} - tolerations: - {{- toYaml . | nindent 8 }} - {{- end }} diff --git a/packages/helm-charts/konga/templates/ingress.yaml b/packages/helm-charts/konga/templates/ingress.yaml deleted file mode 100644 index 9b51db3368..0000000000 --- a/packages/helm-charts/konga/templates/ingress.yaml +++ /dev/null @@ -1,39 +0,0 @@ -{{- if .Values.ingress.enabled -}} -{{- $fullName := include "konga.fullname" . -}} -apiVersion: extensions/v1beta1 -kind: Ingress -metadata: - name: {{ $fullName }} - labels: - app.kubernetes.io/name: {{ include "konga.name" . }} - helm.sh/chart: {{ include "konga.chart" . }} - app.kubernetes.io/instance: {{ .Release.Name }} - app.kubernetes.io/managed-by: {{ .Release.Service }} - {{- with .Values.ingress.annotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} -spec: -{{- if .Values.ingress.tls }} - tls: - {{- range .Values.ingress.tls }} - - hosts: - {{- range .hosts }} - - {{ . | quote }} - {{- end }} - secretName: {{ .secretName }} - {{- end }} -{{- end }} - rules: - {{- range .Values.ingress.hosts }} - - host: {{ .host | quote }} - http: - paths: - {{- range .paths }} - - path: {{ . }} - backend: - serviceName: {{ $fullName }} - servicePort: http - {{- end }} - {{- end }} -{{- end }} diff --git a/packages/helm-charts/konga/templates/service.yaml b/packages/helm-charts/konga/templates/service.yaml deleted file mode 100644 index aa8cf7ba1e..0000000000 --- a/packages/helm-charts/konga/templates/service.yaml +++ /dev/null 
@@ -1,19 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: {{ include "konga.fullname" . }} - labels: - app.kubernetes.io/name: {{ include "konga.name" . }} - helm.sh/chart: {{ include "konga.chart" . }} - app.kubernetes.io/instance: {{ .Release.Name }} - app.kubernetes.io/managed-by: {{ .Release.Service }} -spec: - type: {{ .Values.service.type }} - ports: - - port: {{ .Values.service.port }} - targetPort: http - protocol: TCP - name: http - selector: - app.kubernetes.io/name: {{ include "konga.name" . }} - app.kubernetes.io/instance: {{ .Release.Name }} diff --git a/packages/helm-charts/konga/templates/tests/test-connection.yaml b/packages/helm-charts/konga/templates/tests/test-connection.yaml deleted file mode 100644 index 61bca6a257..0000000000 --- a/packages/helm-charts/konga/templates/tests/test-connection.yaml +++ /dev/null @@ -1,18 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: "{{ include "konga.fullname" . }}-test-connection" - labels: - app.kubernetes.io/name: {{ include "konga.name" . }} - helm.sh/chart: {{ include "konga.chart" . }} - app.kubernetes.io/instance: {{ .Release.Name }} - app.kubernetes.io/managed-by: {{ .Release.Service }} - annotations: - "helm.sh/hook": test-success -spec: - containers: - - name: wget - image: busybox - command: ['wget'] - args: ['{{ include "konga.fullname" . }}:{{ .Values.service.port }}'] - restartPolicy: Never diff --git a/packages/helm-charts/konga/values.yaml b/packages/helm-charts/konga/values.yaml deleted file mode 100644 index 1d4fbc33c1..0000000000 --- a/packages/helm-charts/konga/values.yaml +++ /dev/null 
@@ -1,93 +0,0 @@ -# Default values for konga. -# This is a YAML-formatted file. -# Declare variables to be passed into your templates. - -replicaCount: 1 - -image: - repository: pantsel/konga - tag: next - pullPolicy: IfNotPresent - -nameOverride: "" -fullnameOverride: "" - -service: - type: ClusterIP - port: 80 - -# Konga default configuration -config: -# port: 1337 - node_env: development -# ssl_key_path: -# ssl_crt_path: -# konga_hook_timeout: 60000 - db_adapter: postgres - # db_uri: - db_host: kong-postgresql - db_port: 5432 - db_user: kong - db_password: kong - db_database: kong -# db_pg_schema: public -# log_level: debug - token_secret: kong - konga_node_data: /opt/clabs/files/kong_node.data - # konga_user_data: - -# LDAP configuration for Konga -ldap: {} -# ldap: -# auth_provider: -# host: -# bind_dn: -# bind_pass: -# user_search_base: -# user_search_filter: -# user_attrs: -# group_search_base: -# group_search_filter: -# group_attrs: -# group_reg: -# attr_username: -# attr_firstname: -# attr_lastname: -# attr_email: - -# Ingress Configuration for Konga -ingress: - enabled: false - annotations: {} - # kubernetes.io/ingress.class: nginx - # kubernetes.io/tls-acme: "true" - hosts: - - host: chart-example.local - paths: [] - - tls: [] - # - secretName: chart-example-tls - # hosts: - # - chart-example.local - -resources: {} - # We usually recommend not to specify default resources and to leave this as a conscious - # choice for the user. This also increases chances charts run on environments with little - # resources, such as Minikube. If you do want to specify resources, uncomment the following - # lines, adjust them as necessary, and remove the curly braces after 'resources:'. - # limits: - # cpu: 100m - # memory: 128Mi - # requests: - # cpu: 100m - # memory: 128Mi - -nodeSelector: {} - -tolerations: [] - -affinity: {} - -kong: - service: kong - admin_port: 8001