You've already forked athens-proxy-charts
Compare commits
7 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
| 81f14405fd | |||
7b37bfc373
|
|||
bba0df90ff
|
|||
|
cb312817c3
|
|||
| fe428d83d2 | |||
|
4c94529eab
|
|||
|
297f36920a
|
57
README.md
57
README.md
@@ -40,7 +40,7 @@ version of the chart must be in sync with the `values.yaml`. Newer *minor* versi
|
||||
versions can break something!
|
||||
|
||||
```bash
|
||||
CHART_VERSION=1.0.3
|
||||
CHART_VERSION=1.1.1
|
||||
helm show values volker.raschek/athens-proxy --version "${CHART_VERSION}" > values.yaml
|
||||
```
|
||||
|
||||
@@ -54,7 +54,7 @@ The helm chart also contains a persistent volume claim definition. It persistent
|
||||
Use the `--set` argument to persist your data.
|
||||
|
||||
```bash
|
||||
CHART_VERSION=1.0.3
|
||||
CHART_VERSION=1.1.1
|
||||
helm install --version "${CHART_VERSION}" athens-proxy volker.raschek/athens-proxy \
|
||||
persistence.enabled=true
|
||||
```
|
||||
@@ -84,13 +84,64 @@ Further information about this topic can be found in one of Kanishk's blog
|
||||
> Please take care the a CPU limit < `1000m` can also lead to CPU throttling. Please read the linked documentation carefully.
|
||||
|
||||
```bash
|
||||
CHART_VERSION=1.0.3
|
||||
CHART_VERSION=1.1.1
|
||||
helm install --version "${CHART_VERSION}" athens-proxy volker.raschek/athens-proxy \
|
||||
--set 'deployment.athensProxy.env.name=GOMAXPROCS' \
|
||||
--set 'deployment.athensProxy.env.valueFrom.resourceFieldRef.resource=limits.cpu' \
|
||||
--set 'deployment.athensProxy.resources.limits.cpu=1000m'
|
||||
```
|
||||
|
||||
#### TLS encryption
|
||||
|
||||
The example shows how to deploy the application with TLS encryption. For example when **no** HTTP ingress is used for
|
||||
TLS determination and instead the application it self should determinate the TLS handshake. To generate the TLS
|
||||
certificate can be used the [cert-manager](https://cert-manager.io/). The chart supports the creation of such a TLS
|
||||
certificate via `cert-manager.io/v1 Certificate` resource. Alternatively can be mounted a TLS certificate from a secret.
|
||||
The secret must be from type `kubernetes.io/tls`.
|
||||
|
||||
> [!WARNING]
|
||||
> The following example expects that the [cert-manager](https://cert-manager.io/) is deployed and the `Issuer` named
|
||||
> `athens-proxy-ca` is present in the same namespace of the helm deployment.
|
||||
|
||||
```bash
|
||||
CHART_VERSION=1.1.1
|
||||
helm install --version "${CHART_VERSION}" athens-proxy volker.raschek/athens-proxy \
|
||||
--set 'config.certificate.enabled=true' \
|
||||
--set 'config.certificate.new.issuerRef.kind=Issuer' \
|
||||
--set 'config.certificate.new.issuerRef.name=athens-proxy-ca'
|
||||
```
|
||||
|
||||
The environment variables `ATHENS_TLSCERT_FILE` and `ATHENS_TLSKEY_FILE` are automatically added and the TLS certificate
|
||||
and private key are mounted to a pre-defined destination inside the container file system.
|
||||
|
||||
#### TLS certificate rotation
|
||||
|
||||
If the application uses TLS certificates that are mounted as a secret in the container file system like the example
|
||||
[above](#tls-encryption), the application will not automatically apply them when the TLS certificates are rotated. Such
|
||||
a rotation can be for example triggered, when the [cert-manager](https://cert-manager.io/) issues new TLS certificates
|
||||
before expiring.
|
||||
|
||||
Until the exporter does not support rotating TLS certificate a workaround can be applied. For example stakater's
|
||||
[reloader](https://github.com/stakater/Reloader) controller can be used to trigger a rolling update. The following
|
||||
annotation must be added to instruct the reloader controller to trigger a rolling update, when the mounted configMaps
|
||||
and secrets have been changed.
|
||||
|
||||
```yaml
|
||||
deployment:
|
||||
annotations:
|
||||
reloader.stakater.com/auto: "true"
|
||||
```
|
||||
|
||||
Instead of triggering a rolling update for configMap and secret resources, this action can also be defined for
|
||||
individual items. For example, when the secret named `athens-proxy-tls` is mounted and the reloader controller should
|
||||
only listen for changes of this secret:
|
||||
|
||||
```yaml
|
||||
deployment:
|
||||
annotations:
|
||||
secret.reloader.stakater.com/reload: "athens-proxy-tls"
|
||||
```
|
||||
|
||||
#### Network policies
|
||||
|
||||
Network policies can only take effect, when the used CNI plugin support network policies. The chart supports no custom
|
||||
|
||||
@@ -48,6 +48,15 @@ spec:
|
||||
secretTemplate:
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- if or .Values.certificate.new.subject.countries
|
||||
.Values.certificate.new.subject.localities
|
||||
.Values.certificate.new.subject.organizationalUnits
|
||||
.Values.certificate.new.subject.organizations
|
||||
.Values.certificate.new.subject.postalCodes
|
||||
.Values.certificate.new.subject.provinces
|
||||
.Values.certificate.new.subject.serialNumber
|
||||
.Values.certificate.new.subject.streetAddresses
|
||||
}}
|
||||
subject:
|
||||
{{- with .Values.certificate.new.subject.countries }}
|
||||
countries:
|
||||
@@ -80,6 +89,7 @@ spec:
|
||||
streetAddresses:
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
usages:
|
||||
{{- range .Values.certificate.new.usages }}
|
||||
- {{ . }}
|
||||
|
||||
@@ -99,7 +99,7 @@ tests:
|
||||
path: spec.secretTemplate.annotations
|
||||
- exists:
|
||||
path: spec.secretTemplate.labels
|
||||
- exists:
|
||||
- notExists:
|
||||
path: spec.subject
|
||||
- notExists:
|
||||
path: spec.subject.countries
|
||||
|
||||
Reference in New Issue
Block a user