volker.raschek/athens-proxy-charts
1
0
Fork 0
Code Issues 1 Pull Requests Actions Packages Projects Releases Wiki Activity

feat: support gatewayAPI

Browse Source
This commit is contained in:
Markus Pesch
2026-05-31 18:25:55 +02:00
parent e102d1e251
commit e1f5a16542
14 changed files with 953 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files
.gitignore
+4 -5
View File
@@ -1,9 +1,8 @@
charts
node_modules
target
values2.yml
values2.yaml
!values.yaml
!values.yml
values*.yaml
values*.yml
*.tgz
install.sh
uninstall.sh
Makefile
+19
View File
@@ -18,6 +18,25 @@ NODE_IMAGE_FULLY_QUALIFIED=${NODE_IMAGE_REGISTRY_HOST}/${NODE_IMAGE_REPOSITORY}:
missing-dot:
grep --perl-regexp '## @(param|skip).*[^.]$$' values.yaml
# README
# ==============================================================================
readme: readme/link readme/lint readme/parameters
readme/link:
npm install && npm run readme:link
readme/lint:
npm install && npm run readme:lint
readme/parameters:
npm install && npm run readme:parameters
# HELM UNITTESTS
# ==============================================================================
PHONY+=helm/unittest
helm/unittest:
helm unittest --strict --file 'unittests/**/*.yaml' ./
# CONTAINER RUN - README
# ==============================================================================
PHONY+=container-run/readme
README.md
+139
View File
@@ -96,6 +96,10 @@ certificate can be used the [cert-manager](https://cert-manager.io/). The chart
certificate via `cert-manager.io/v1 Certificate` resource. Alternatively can be mounted a TLS certificate from a secret.
The secret must be from type `kubernetes.io/tls`.
If athens-proxy is deployed behind a reverse proxy, for example an ingress nginx controller or Gateway API, please
instruct the reverse proxy to establish a TLS encrypted connection to avoid connection problems. The documentation
describes configuring [Ingress NGINX](#ingress-nginx) as well as [NGINX Gateway Fabric](#gatewayapi-nginx-fabric).
> [!WARNING]
> The following example expects that the [cert-manager](https://cert-manager.io/) is deployed and the `Issuer` named
> `athens-proxy-ca` is present in the same namespace of the helm deployment.
@@ -111,6 +115,110 @@ helm install --version "${CHART_VERSION}" athens-proxy volker.raschek/athens-pro
The environment variables `ATHENS_TLSCERT_FILE` and `ATHENS_TLSKEY_FILE` are automatically added and the TLS certificate
and private key are mounted to a pre-defined destination inside the container file system.
##### Ingress NGINX
The following changes must be applied to enable TLS encryption and authentication on-top between the ingress and backend
service.
> [!IMPORTANT]
> The HTTP Version between the ingress nginx and backend must be set to `1.1`, as well as the TLS protocol must be set
> to `TLSv1.2`. Otherwise can't the nginx establish a TLS connection.
The secret `athens-proxy/ingress-nginx-controller-tls` contains TLS certificates for the nginx ingress controller. The
TLS certificate must be created manually, for example via [cert-manager](https://cert-manager.io/). It is used by the
nginx for TLS authentication.
```yaml
ingress:
enabled: true
className: "nginx"
annotations:
nginx.ingress.kubernetes.io/backend-protocol: HTTPS
nginx.ingress.kubernetes.io/proxy-http-version: "1.1"
nginx.ingress.kubernetes.io/proxy-ssl-secret: athens-proxy/ingress-nginx-controller-tls
nginx.ingress.kubernetes.io/proxy-ssl-protocols: TLSv1.2
nginx.ingress.kubernetes.io/proxy-ssl-name: athens-proxy
nginx.ingress.kubernetes.io/proxy-ssl-verify: "on"
```
##### GatewayAPI: NGINX Fabric
The following changes must be applied to enable TLS encryption and authentication on-top between the gateway and backend
service.
> [!IMPORTANT]
> The HTTP Version between the nginx gateway fabric and backend must be set to `1.1`, as well as the TLS protocol must
> be set to `TLSv1.2`. Otherwise can't the nginx establish a TLS connection.
The `gatewayAPI.core.backendTLSPolicy.validation.caCertificateRefs` must contain at least one secret containing the
root or intermediate certificate of the issued TLS certificate used by athens-proxy to be able to validate the TLS
certificate.
```yaml
gatewayAPI:
enabled: true
core:
backendTLSPolicy:
enabled: true
validation:
caCertificateRefs:
- group: ""
kind: Secret
name: "athens-proxy-ca"
hostname: "athens-proxy"
httpRoute:
enabled: true
hostnames:
- athens-proxy.example.local
parentRefs:
- name: nginx
kind: Gateway
group: gateway.networking.k8s.io
namespace: my-gateway-namespace
sectionName: athens-proxy-https
```
The Gateway resource is not part of the helm chart, but for illustrating the configuration example, here a GatewayAPI
resource with configured backend TLS certificate. The TLS certificates `gateway-frontend-tls` and `gateway-backend-tls`
must also be created manually, for example via [cert-manager](https://cert-manager.io/).
```yaml
---
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
name: nginx
namespace: my-gateway-namespace
spec:
gatewayClassName: nginx
listeners:
- allowedRoutes:
kinds:
- group: gateway.networking.k8s.io
kind: HTTPRoute
namespaces:
from: All
hostname: athens-proxy.example.local
name: https
port: 443
protocol: HTTPS
tls:
certificateRefs:
- group: ''
kind: Secret
name: gateway-frontend-tls
namespace: my-gateway-namespace
mode: Terminate
tls:
backend:
clientCertificateRef:
group: ''
kind: Secret
name: gateway-backend-tls
namespace: my-gateway-namespace
```
#### TLS certificate rotation
If the application uses TLS certificates that are mounted as a secret in the container file system like the example
@@ -198,6 +306,13 @@ networkPolicies:
podSelector:
matchLabels:
app.kubernetes.io/name: ingress-nginx
# NGINX GatewayAPI Fabric
- namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: gateway-nginx
podSelector:
matchLabels:
app.kubernetes.io/name: gateway-nginx
ports:
- port: http
protocol: TCP
@@ -438,6 +553,30 @@ spec:
| `networkPolicy.egress` | Concrete egress network policy implementation. | `[]` |
| `networkPolicy.ingress` | Concrete ingress network policy implementation. | `[]` |
### GatewayAPI
| Name | Description | Value |
| ----------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------- |
| `gatewayAPI.enabled` | Enable the Gateway API resources. Requires Kubernetes v1.19 or higher, the CRD's and a compatible gateway controller. | `false` |
| `gatewayAPI.core.backendTLSPolicy.enabled` | Enable the BackendTLSPolicy resource. Requires also `gatewayAPI.enabled` to be `true`. | `false` |
| `gatewayAPI.core.backendTLSPolicy.annotations` | Additional annotations for the BackendTLSPolicy. | `{}` |
| `gatewayAPI.core.backendTLSPolicy.labels` | Additional labels for the BackendTLSPolicy. | `{}` |
| `gatewayAPI.core.backendTLSPolicy.validation` | Validation configuration for the BackendTLSPolicy. For example, you can specify a trusted CA certificate to validate the TLS connection between the gateway and the athens-proxy pod. | `{}` |
| `gatewayAPI.core.httpRoute.enabled` | Enable the HTTPRoute resource. Requires also `gatewayAPI.enabled` and `services.http.enabled` to be `true`. | `false` |
| `gatewayAPI.core.httpRoute.annotations` | Additional annotations for the HTTPRoute. | `{}` |
| `gatewayAPI.core.httpRoute.labels` | Additional labels for the HTTPRoute. | `{}` |
| `gatewayAPI.core.httpRoute.hostnames` | Hostnames for the HTTPRoute. | `[]` |
| `gatewayAPI.core.httpRoute.parentRefs` | ParentRefs for the HTTPRoute. You can specify parentRefs to bind the HTTPRoute to specific Gateway resources. | `[]` |
| `gatewayAPI.nginx.clientSettingsPolicy.enabled` | Enable the ClientSettingsPolicy resource. Requires also `gatewayAPI.enabled` to be `true`. | `false` |
| `gatewayAPI.nginx.clientSettingsPolicy.annotations` | Additional annotations for the ClientSettingsPolicy. | `{}` |
| `gatewayAPI.nginx.clientSettingsPolicy.labels` | Additional labels for the ClientSettingsPolicy. | `{}` |
| `gatewayAPI.nginx.clientSettingsPolicy.clientMaxBodySize` | ClientMaxBodySize sets the maximum allowed size of the client request body. If not specified, the default of the nginx gateway controller is used. | `""` |
| `gatewayAPI.nginx.clientSettingsPolicy.clientBodyTimeout` | ClientBodyTimeout sets the timeout for reading the client request body. If not specified, the default of the nginx gateway controller is used. | `""` |
| `gatewayAPI.nginx.clientSettingsPolicy.keepaliveRequests` | KeepaliveRequests sets the maximum number of requests that can be served through one keepalive connection. If not specified, the default of the nginx gateway controller is used. | `nil` |
| `gatewayAPI.nginx.clientSettingsPolicy.keepaliveTime` | KeepaliveTime sets the time a keepalive connection is kept open. If not specified, the default of the nginx gateway controller is used. | `""` |
| `gatewayAPI.nginx.clientSettingsPolicy.keepaliveTimeout` | KeepaliveTimeout sets the time a client has to wait for the response of a request until the connection is closed. If not specified, the default of the nginx gateway controller is used. | `""` |
| `gatewayAPI.nginx.clientSettingsPolicy.keepaliveMinTimeout` | KeepaliveMinTimeout sets the minimum time a client has to wait for the response of a request until the connection is closed. If not specified, the default of the nginx gateway controller is used. | `""` |
### Service
| Name | Description | Value |
templates/_backendTLSPolicy.tpl
+32
View File
@@ -0,0 +1,32 @@
{{/* vim: set filetype=mustache: */}}
{{/* annotations */}}
{{- define "athens-proxy.backendTLSPolicy.annotations" -}}
{{ include "athens-proxy.annotations" . }}
{{- if .Values.gatewayAPI.core.backendTLSPolicy.annotations }}
{{ toYaml .Values.gatewayAPI.core.backendTLSPolicy.annotations }}
{{- end }}
{{- end }}
{{/* enabled */}}
{{- define "athens-proxy.backendTLSPolicy.enabled" -}}
{{- if and .Values.gatewayAPI.enabled
.Values.gatewayAPI.core.backendTLSPolicy.enabled
.Values.services.http.enabled
-}}
true
{{- else -}}
false
{{- end -}}
{{- end }}
{{/* labels */}}
{{- define "athens-proxy.backendTLSPolicy.labels" -}}
{{ include "athens-proxy.labels" . }}
{{- if .Values.gatewayAPI.core.backendTLSPolicy.labels }}
{{ toYaml .Values.gatewayAPI.core.backendTLSPolicy.labels }}
{{- end }}
{{- end }}
templates/_clientSettingsPolicy.tpl
+31
View File
@@ -0,0 +1,31 @@
{{/* vim: set filetype=mustache: */}}
{{/* annotations */}}
{{- define "athens-proxy.clientSettingsPolicy.annotations" -}}
{{ include "athens-proxy.annotations" . }}
{{- if .Values.gatewayAPI.nginx.clientSettingsPolicy.annotations }}
{{ toYaml .Values.gatewayAPI.nginx.clientSettingsPolicy.annotations }}
{{- end }}
{{- end }}
{{/* enabled */}}
{{- define "athens-proxy.clientSettingsPolicy.enabled" -}}
{{- if and (eq (include "athens-proxy.httpRoute.enabled" $) "true")
.Values.gatewayAPI.nginx.clientSettingsPolicy.enabled
-}}
true
{{- else -}}
false
{{- end -}}
{{- end }}
{{/* labels */}}
{{- define "athens-proxy.clientSettingsPolicy.labels" -}}
{{ include "athens-proxy.labels" . }}
{{- if .Values.gatewayAPI.nginx.clientSettingsPolicy.labels }}
{{ toYaml .Values.gatewayAPI.nginx.clientSettingsPolicy.labels }}
{{- end }}
{{- end }}
templates/_httpRoute.tpl
+32
View File
@@ -0,0 +1,32 @@
{{/* vim: set filetype=mustache: */}}
{{/* annotations */}}
{{- define "athens-proxy.httpRoute.annotations" -}}
{{ include "athens-proxy.annotations" . }}
{{- if .Values.gatewayAPI.core.httpRoute.annotations }}
{{ toYaml .Values.gatewayAPI.core.httpRoute.annotations }}
{{- end }}
{{- end }}
{{/* enabled */}}
{{- define "athens-proxy.httpRoute.enabled" -}}
{{- if and .Values.gatewayAPI.enabled
.Values.gatewayAPI.core.httpRoute.enabled
.Values.services.http.enabled
-}}
true
{{- else -}}
false
{{- end -}}
{{- end }}
{{/* labels */}}
{{- define "athens-proxy.httpRoute.labels" -}}
{{ include "athens-proxy.labels" . }}
{{- if .Values.gatewayAPI.core.httpRoute.labels }}
{{ toYaml .Values.gatewayAPI.core.httpRoute.labels }}
{{- end }}
{{- end }}
templates/_services.tpl
+1 -1
View File
@@ -24,6 +24,6 @@ app.kubernetes.io/service-name: http
{{- define "athens-proxy.services.http.name" -}}
{{- if .Values.services.http.enabled -}}
{{ include "athens-proxy.fullname" . }}-http
{{ include "athens-proxy.fullname" . }}
{{- end -}}
{{- end -}}
templates/backendTLSPolicy.yaml
+25
View File
@@ -0,0 +1,25 @@
{{- if eq (include "athens-proxy.backendTLSPolicy.enabled" $) "true" }}
---
apiVersion: gateway.networking.k8s.io/v1
kind: BackendTLSPolicy
metadata:
{{- with (include "athens-proxy.backendTLSPolicy.annotations" . | fromYaml) }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with (include "athens-proxy.backendTLSPolicy.labels" . | fromYaml) }}
labels:
{{- toYaml . | nindent 4 }}
{{- end }}
name: {{ include "athens-proxy.fullname" . }}
namespace: {{ .Release.Namespace }}
spec:
targetRefs:
- group: ""
kind: Service
name: {{ include "athens-proxy.services.http.name" . }}
{{- with .Values.gatewayAPI.core.backendTLSPolicy.validation }}
validation:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- end -}}
templates/clientSettingsPolicy.yaml
+50
View File
@@ -0,0 +1,50 @@
{{- if eq (include "athens-proxy.clientSettingsPolicy.enabled" $) "true" }}
apiVersion: gateway.nginx.org/v1alpha1
kind: ClientSettingsPolicy
metadata:
{{- with (include "athens-proxy.clientSettingsPolicy.annotations" . | fromYaml) }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with (include "athens-proxy.clientSettingsPolicy.labels" . | fromYaml) }}
labels:
{{- toYaml . | nindent 4 }}
{{- end }}
name: {{ include "athens-proxy.fullname" . }}
namespace: {{ .Release.Namespace }}
spec:
targetRef:
group: gateway.networking.k8s.io
kind: HTTPRoute
name: {{ include "athens-proxy.fullname" . }}
{{- if or .Values.gatewayAPI.nginx.clientSettingsPolicy.clientMaxBodySize
.Values.gatewayAPI.nginx.clientSettingsPolicy.clientBodyTimeout
}}
body:
{{- with .Values.gatewayAPI.nginx.clientSettingsPolicy.clientMaxBodySize }}
maxSize: {{ . }}
{{- end }}
{{- with .Values.gatewayAPI.nginx.clientSettingsPolicy.clientBodyTimeout }}
timeout: {{ . }}
{{- end }}
{{- end }}
{{- if or .Values.gatewayAPI.nginx.clientSettingsPolicy.keepaliveRequests
.Values.gatewayAPI.nginx.clientSettingsPolicy.keepaliveTime
.Values.gatewayAPI.nginx.clientSettingsPolicy.keepaliveTimeout
.Values.gatewayAPI.nginx.clientSettingsPolicy.keepaliveMinTimeout
}}
keepAlive:
{{- with .Values.gatewayAPI.nginx.clientSettingsPolicy.keepaliveRequests }}
requests: {{ . }}
{{- end }}
{{- with .Values.gatewayAPI.nginx.clientSettingsPolicy.keepaliveTime }}
time: {{ . }}
{{- end }}
{{- with .Values.gatewayAPI.nginx.clientSettingsPolicy.keepaliveTimeout }}
timeout: {{ . }}
{{- end }}
{{- with .Values.gatewayAPI.nginx.clientSettingsPolicy.keepaliveMinTimeout }}
minTimeout: {{ . }}
{{- end }}
{{- end }}
{{- end -}}
templates/httpRoute.yaml
+36
View File
@@ -0,0 +1,36 @@
{{- if eq (include "athens-proxy.httpRoute.enabled" $) "true" }}
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
{{- with (include "athens-proxy.httpRoute.annotations" . | fromYaml) }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with (include "athens-proxy.httpRoute.labels" . | fromYaml) }}
labels:
{{- toYaml . | nindent 4 }}
{{- end }}
name: {{ include "athens-proxy.fullname" . }}
namespace: {{ .Release.Namespace }}
spec:
{{- with .Values.gatewayAPI.core.httpRoute.hostnames }}
hostnames:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.gatewayAPI.core.httpRoute.parentRefs }}
parentRefs:
{{- toYaml . | nindent 4 }}
{{- end }}
rules:
- backendRefs:
- kind: Service
name: {{ include "athens-proxy.services.http.name" . }}
namespace: {{ .Release.Namespace }}
port: {{ .Values.services.http.port }}
weight: 1
{{- with .Values.gatewayAPI.core.httpRoute.matches }}
matches:
{{- toYaml . | nindent 6 }}
{{- end }}
{{- end }}
unittests/backendTLSPolicy/backendTLSPolicy.yaml
+130
View File
@@ -0,0 +1,130 @@
chart:
appVersion: 0.1.0
version: 0.1.0
suite: backendTLSPolicy template
release:
name: athens-proxy-unittest
namespace: testing
templates:
- templates/backendTLSPolicy.yaml
tests:
- it: Skip rendering when disabled 1/6
set:
gatewayAPI.enabled: false
gatewayAPI.core.backendTLSPolicy.enabled: false
services.http.enabled: false
asserts:
- hasDocuments:
count: 0
- it: Skip rendering when disabled 2/6
set:
gatewayAPI.enabled: true
gatewayAPI.core.backendTLSPolicy.enabled: false
services.http.enabled: false
asserts:
- hasDocuments:
count: 0
- it: Skip rendering when disabled 3/6
set:
gatewayAPI.enabled: false
gatewayAPI.core.backendTLSPolicy.enabled: true
services.http.enabled: false
asserts:
- hasDocuments:
count: 0
- it: Skip rendering when disabled 4/6
set:
gatewayAPI.enabled: false
gatewayAPI.core.backendTLSPolicy.enabled: false
services.http.enabled: true
asserts:
- hasDocuments:
count: 0
- it: Skip rendering when disabled 5/6
set:
gatewayAPI.enabled: true
gatewayAPI.core.backendTLSPolicy.enabled: false
services.http.enabled: true
asserts:
- hasDocuments:
count: 0
- it: Skip rendering when disabled 6/6
set:
gatewayAPI.enabled: true
gatewayAPI.core.backendTLSPolicy.enabled: true
services.http.enabled: false
asserts:
- hasDocuments:
count: 0
- it: Render default values
set:
gatewayAPI.enabled: true
gatewayAPI.core.backendTLSPolicy.enabled: true
services.http.enabled: true
asserts:
- hasDocuments:
count: 1
- containsDocument:
apiVersion: gateway.networking.k8s.io/v1
kind: BackendTLSPolicy
name: athens-proxy-unittest
namespace: testing
- contains:
path: spec.targetRefs
content:
group: ""
kind: Service
name: athens-proxy-unittest-http
- notExists:
path: spec.validation.caCertificateRefs
- it: Render with custom annotations and labels
set:
gatewayAPI.enabled: true
gatewayAPI.core.backendTLSPolicy:
enabled: true
annotations:
foo: bar
labels:
bar: foo
services.http.enabled: true
asserts:
- equal:
path: metadata.annotations
value:
foo: bar
- equal:
path: metadata.labels
value:
app.kubernetes.io/instance: athens-proxy-unittest
app.kubernetes.io/name: athens-proxy
app.kubernetes.io/version: 0.1.0
app.kubernetes.io/managed-by: Helm
helm.sh/chart: athens-proxy-0.1.0
bar: foo
- it: Render with custom validation
set:
gatewayAPI.enabled: true
gatewayAPI.core.backendTLSPolicy.enabled: true
gatewayAPI.core.backendTLSPolicy.validation:
caCertificateRefs:
- group: ""
kind: Secret
name: athens-proxy-ca
hostname: athens-proxy.svc.cluster.local
services.http.enabled: true
asserts:
- isSubset:
path: spec.validation
content:
caCertificateRefs:
- group: ""
kind: Secret
name: athens-proxy-ca
unittests/clientSettingsPolicy/clientSettingsPolicy.yaml
+190
View File
@@ -0,0 +1,190 @@
chart:
appVersion: 0.1.0
version: 0.1.0
suite: ClientSettingsPolicy template
release:
name: athens-proxy-unittest
namespace: testing
templates:
- templates/clientSettingsPolicy.yaml
tests:
- it: Skip rendering when disabled 1/8
set:
gatewayAPI.enabled: false
gatewayAPI.core.httpRoute.enabled: false
gatewayAPI.nginx.clientSettingsPolicy.enabled: false
services.http.enabled: false
asserts:
- hasDocuments:
count: 0
- it: Skip rendering when disabled 2/8
set:
gatewayAPI.enabled: true
gatewayAPI.core.httpRoute.enabled: false
gatewayAPI.nginx.clientSettingsPolicy.enabled: false
services.http.enabled: false
asserts:
- hasDocuments:
count: 0
- it: Skip rendering when disabled 3/8
set:
gatewayAPI.enabled: false
gatewayAPI.core.httpRoute.enabled: true
gatewayAPI.nginx.clientSettingsPolicy.enabled: false
services.http.enabled: false
asserts:
- hasDocuments:
count: 0
- it: Skip rendering when disabled 4/8
set:
gatewayAPI.enabled: false
gatewayAPI.core.httpRoute.enabled: false
gatewayAPI.nginx.clientSettingsPolicy.enabled: true
services.http.enabled: false
asserts:
- hasDocuments:
count: 0
- it: Skip rendering when disabled 5/8
set:
gatewayAPI.enabled: false
gatewayAPI.core.httpRoute.enabled: false
gatewayAPI.nginx.clientSettingsPolicy.enabled: false
services.http.enabled: true
asserts:
- hasDocuments:
count: 0
- it: Skip rendering when disabled 6/8
set:
gatewayAPI.enabled: true
gatewayAPI.core.httpRoute.enabled: true
gatewayAPI.nginx.clientSettingsPolicy.enabled: false
services.http.enabled: false
asserts:
- hasDocuments:
count: 0
- it: Skip rendering when disabled 7/8
set:
gatewayAPI.enabled: true
gatewayAPI.core.httpRoute.enabled: false
gatewayAPI.nginx.clientSettingsPolicy.enabled: true
services.http.enabled: false
asserts:
- hasDocuments:
count: 0
- it: Skip rendering when disabled 8/8
set:
gatewayAPI.enabled: true
gatewayAPI.core.httpRoute.enabled: false
gatewayAPI.nginx.clientSettingsPolicy.enabled: false
services.http.enabled: true
asserts:
- hasDocuments:
count: 0
- it: Render default values
set:
gatewayAPI.enabled: true
gatewayAPI.core.httpRoute.enabled: true
gatewayAPI.nginx.clientSettingsPolicy.enabled: true
services.http.enabled: true
asserts:
- hasDocuments:
count: 1
- containsDocument:
apiVersion: gateway.nginx.org/v1alpha1
kind: ClientSettingsPolicy
name: athens-proxy-unittest
namespace: testing
- notExists:
path: metadata.annotations
- equal:
path: metadata.labels
value:
app.kubernetes.io/instance: athens-proxy-unittest
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: athens-proxy
app.kubernetes.io/version: 0.1.0
helm.sh/chart: athens-proxy-0.1.0
- isSubset:
path: spec.targetRef
content:
group: gateway.networking.k8s.io
kind: HTTPRoute
name: athens-proxy-unittest
- notExists:
path: spec.body
- notExists:
path: spec.keepAlive
- it: Render custom annotations and labels
set:
gatewayAPI.enabled: true
gatewayAPI.core.httpRoute.enabled: true
gatewayAPI.nginx.clientSettingsPolicy:
enabled: true
annotations:
foo: "bar"
labels:
bar: "foo"
services.http.enabled: true
asserts:
- equal:
path: metadata.annotations
value:
foo: "bar"
- equal:
path: metadata.labels
value:
app.kubernetes.io/instance: athens-proxy-unittest
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: athens-proxy
app.kubernetes.io/version: 0.1.0
helm.sh/chart: athens-proxy-0.1.0
bar: "foo"
- it: Render with custom body settings
set:
gatewayAPI.enabled: true
gatewayAPI.core.httpRoute.enabled: true
gatewayAPI.nginx.clientSettingsPolicy:
enabled: true
clientMaxBodySize: 10m
clientBodyTimeout: 30s
services.http.enabled: true
asserts:
- isSubset:
path: spec.body
content:
maxSize: 10m
timeout: 30s
- notExists:
path: spec.keepAlive
- it: Render with custom keepAlive settings
set:
gatewayAPI.enabled: true
gatewayAPI.core.httpRoute.enabled: true
gatewayAPI.nginx.clientSettingsPolicy:
enabled: true
keepaliveRequests: 100
keepaliveTime: 60s
keepaliveTimeout: 60s
keepaliveMinTimeout: 10s
services.http.enabled: true
asserts:
- notExists:
path: spec.body
- isSubset:
path: spec.keepAlive
content:
requests: 100
time: 60s
timeout: 60s
minTimeout: 10s
unittests/httpRoute/httpRoute.yaml
+194
View File
@@ -0,0 +1,194 @@
chart:
appVersion: 0.1.0
version: 0.1.0
suite: HTTPRoute template
release:
name: athens-proxy-unittest
namespace: testing
templates:
- templates/httpRoute.yaml
tests:
- it: Skip rendering when disabled 1/6
set:
gatewayAPI.enabled: false
gatewayAPI.core.httpRoute.enabled: false
services.http.enabled: false
asserts:
- hasDocuments:
count: 0
- it: Skip rendering when disabled 2/6
set:
gatewayAPI.enabled: true
gatewayAPI.core.httpRoute.enabled: false
services.http.enabled: false
asserts:
- hasDocuments:
count: 0
- it: Skip rendering when disabled 3/6
set:
gatewayAPI.enabled: false
gatewayAPI.core.httpRoute.enabled: true
services.http.enabled: false
asserts:
- hasDocuments:
count: 0
- it: Skip rendering when disabled 4/6
set:
gatewayAPI.enabled: false
gatewayAPI.core.httpRoute.enabled: false
services.http.enabled: true
asserts:
- hasDocuments:
count: 0
- it: Skip rendering when disabled 5/6
set:
gatewayAPI.enabled: true
gatewayAPI.core.httpRoute.enabled: false
services.http.enabled: true
asserts:
- hasDocuments:
count: 0
- it: Skip rendering when disabled 6/6
set:
gatewayAPI.enabled: true
gatewayAPI.core.httpRoute.enabled: true
services.http.enabled: false
asserts:
- hasDocuments:
count: 0
- it: Rendering default values
set:
gatewayAPI.enabled: true
gatewayAPI.core.httpRoute.enabled: true
services.http.enabled: true
asserts:
- hasDocuments:
count: 1
- containsDocument:
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
name: athens-proxy-unittest
namespace: testing
- notExists:
path: metadata.annotations
- equal:
path: metadata.labels
value:
app.kubernetes.io/instance: athens-proxy-unittest
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: athens-proxy
app.kubernetes.io/version: 0.1.0
helm.sh/chart: athens-proxy-0.1.0
- notExists:
path: spec.hostnames
- notExists:
path: spec.parentRefs
- contains:
path: spec.rules[0].backendRefs
content:
kind: Service
name: athens-proxy-unittest-http
namespace: testing
port: 3000
weight: 1
- contains:
path: spec.rules[0].matches
content:
path:
type: PathPrefix
value: /
- it: Rendering custom annotations and labels
set:
gatewayAPI.enabled: true
gatewayAPI.core.httpRoute:
enabled: true
annotations:
foo: bar
labels:
bar: foo
services.http.enabled: true
asserts:
- hasDocuments:
count: 1
- equal:
path: metadata.annotations
value:
foo: bar
- equal:
path: metadata.labels
value:
app.kubernetes.io/instance: athens-proxy-unittest
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: athens-proxy
app.kubernetes.io/version: 0.1.0
bar: foo
helm.sh/chart: athens-proxy-0.1.0
- it: Rendering custom service port
set:
gatewayAPI.enabled: true
gatewayAPI.core.httpRoute.enabled: true
services.http:
enabled: true
port: 9090
asserts:
- equal:
path: spec.rules[0].backendRefs[0].port
value: 9090
- it: Rendering custom matches
set:
gatewayAPI.enabled: true
gatewayAPI.core.httpRoute:
enabled: true
matches:
- path:
type: PathPrefix
value: /foo
services.http.enabled: true
asserts:
- contains:
path: spec.rules[0].matches
content:
path:
type: PathPrefix
value: /foo
- it: Rendering custom hostnames and parentRefs
set:
gatewayAPI.enabled: true
gatewayAPI.core.httpRoute:
enabled: true
hostnames:
- athens-proxy.example.local
parentRefs:
- name: gateway
namespace: testing
kind: Gateway
sectionName: athens-proxy-debug-gateway
services.http.enabled: true
asserts:
- lengthEqual:
path: spec.hostnames
count: 1
- contains:
path: spec.hostnames
content:
athens-proxy.example.local
- lengthEqual:
path: spec.parentRefs
count: 1
- contains:
path: spec.parentRefs
content:
name: gateway
namespace: testing
kind: Gateway
sectionName: athens-proxy-debug-gateway
values.yaml
+70 -2
View File
@@ -1,4 +1,5 @@
# Declare variables to be passed into your templates.
## @section Global
## @param nameOverride Individual release name suffix.
## @param fullnameOverride Override the complete release name logic.
@@ -520,6 +521,72 @@ deployment:
# secret:
# secretName: my-secret
## @section GatewayAPI
gatewayAPI:
## @param gatewayAPI.enabled Enable the Gateway API resources. Requires Kubernetes v1.19 or higher, the CRD's and a compatible gateway controller.
enabled: false
core:
## @param gatewayAPI.core.backendTLSPolicy.enabled Enable the BackendTLSPolicy resource. Requires also `gatewayAPI.enabled` to be `true`.
## @param gatewayAPI.core.backendTLSPolicy.annotations Additional annotations for the BackendTLSPolicy.
## @param gatewayAPI.core.backendTLSPolicy.labels Additional labels for the BackendTLSPolicy.
## @param gatewayAPI.core.backendTLSPolicy.validation Validation configuration for the BackendTLSPolicy. For example, you can specify a trusted CA certificate to validate the TLS connection between the gateway and the athens-proxy pod.
backendTLSPolicy:
enabled: false
annotations: {}
labels: {}
validation: {}
# caCertificateRefs:
# - group: ""
# kind: Secret
# name: "athens-proxy-ca"
# hostname: "athens-proxy"
## @param gatewayAPI.core.httpRoute.enabled Enable the HTTPRoute resource. Requires also `gatewayAPI.enabled` and `services.http.enabled` to be `true`.
## @param gatewayAPI.core.httpRoute.annotations Additional annotations for the HTTPRoute.
## @param gatewayAPI.core.httpRoute.labels Additional labels for the HTTPRoute.
## @param gatewayAPI.core.httpRoute.hostnames Hostnames for the HTTPRoute.
## @skip gatewayAPI.core.httpRoute.matches Match conditions for the HTTPRoute. You can specify path based match conditions to route traffic to the athens-proxy service.
## @param gatewayAPI.core.httpRoute.parentRefs ParentRefs for the HTTPRoute. You can specify parentRefs to bind the HTTPRoute to specific Gateway resources.
httpRoute:
enabled: false
annotations: {}
labels: {}
hostnames: []
matches:
- path:
type: PathPrefix
value: /
parentRefs: []
# - name: gateway
# kind: Gateway
# group: gateway.networking.k8s.io
# namespace: default
# sectionName: athens-proxy-http
nginx:
## @param gatewayAPI.nginx.clientSettingsPolicy.enabled Enable the ClientSettingsPolicy resource. Requires also `gatewayAPI.enabled` to be `true`.
## @param gatewayAPI.nginx.clientSettingsPolicy.annotations Additional annotations for the ClientSettingsPolicy.
## @param gatewayAPI.nginx.clientSettingsPolicy.labels Additional labels for the ClientSettingsPolicy.
## @param gatewayAPI.nginx.clientSettingsPolicy.clientMaxBodySize ClientMaxBodySize sets the maximum allowed size of the client request body. If not specified, the default of the nginx gateway controller is used.
## @param gatewayAPI.nginx.clientSettingsPolicy.clientBodyTimeout ClientBodyTimeout sets the timeout for reading the client request body. If not specified, the default of the nginx gateway controller is used.
## @param gatewayAPI.nginx.clientSettingsPolicy.keepaliveRequests KeepaliveRequests sets the maximum number of requests that can be served through one keepalive connection. If not specified, the default of the nginx gateway controller is used.
## @param gatewayAPI.nginx.clientSettingsPolicy.keepaliveTime KeepaliveTime sets the time a keepalive connection is kept open. If not specified, the default of the nginx gateway controller is used.
## @param gatewayAPI.nginx.clientSettingsPolicy.keepaliveTimeout KeepaliveTimeout sets the time a client has to wait for the response of a request until the connection is closed. If not specified, the default of the nginx gateway controller is used.
## @param gatewayAPI.nginx.clientSettingsPolicy.keepaliveMinTimeout KeepaliveMinTimeout sets the minimum time a client has to wait for the response of a request until the connection is closed. If not specified, the default of the nginx gateway controller is used.
clientSettingsPolicy:
enabled: false
annotations: {}
labels: {}
clientMaxBodySize: ""
clientBodyTimeout: ""
keepaliveRequests:
keepaliveTime: ""
keepaliveTimeout: ""
keepaliveMinTimeout: ""
## @section Horizontal Pod Autoscaler (HPA)
# In order for the HPA to function successfully, a metric server is required, especially for resource consumption. The
# metric server enables the CPU and memory utilisation to be recorded. If such a metric server is not available, the HPA
@@ -551,6 +618,7 @@ hpa:
minReplicas: 1
maxReplicas: 10
## @section Ingress
ingress:
## @param ingress.enabled Enable creation of an ingress resource. Requires, that the http service is also enabled.
@@ -562,7 +630,7 @@ ingress:
annotations: {}
labels: {}
## @param ingress.hosts Ingress specific configuration. Specification only required when another ingress controller is used instead of `t1k.
## @param ingress.hosts Ingress specific configuration.
## @skip ingress.hosts Skip individual host configuration.
hosts: []
# - host: athens-proxy.example.local
@@ -570,7 +638,7 @@ ingress:
# - path: /
# pathType: Prefix
## @param ingress.tls Ingress TLS settings. Specification only required when another ingress controller is used instead of `t1k``.
## @param ingress.tls Ingress TLS settings.
## @skip ingress.tls Skip individual TLS configuration.
tls: []
# - secretName: athens-proxy-http-tls