This is an automated email from the ASF dual-hosted git repository.
alinsran pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/apisix-helm-chart.git
The following commit(s) were added to refs/heads/master by this push:
new 0c05e7c feat: support configure gateway.tls and adding ingress class
(#657)
0c05e7c is described below
commit 0c05e7cf1f67ab603d94f595db5533cce4c9ce88
Author: Ghanil Mohamed Yusof <[email protected]>
AuthorDate: Mon Nov 6 16:12:45 2023 +0800
feat: support configure gateway.tls and adding ingress class (#657)
---
charts/apisix-ingress-controller/README.md | 9 +++++++++
.../templates/apisix-configmap.yaml | 17 +++++++++++++++++
.../templates/deployment.yaml | 2 +-
.../templates/ingress-class.yaml | 6 ++++++
.../templates/service-apisix.yaml | 4 ++--
charts/apisix-ingress-controller/values.yaml | 19 +++++++++++++++++++
6 files changed, 54 insertions(+), 3 deletions(-)
diff --git a/charts/apisix-ingress-controller/README.md
b/charts/apisix-ingress-controller/README.md
index a2af3be..4f2bcf4 100644
--- a/charts/apisix-ingress-controller/README.md
+++ b/charts/apisix-ingress-controller/README.md
@@ -151,6 +151,15 @@ The same for container level, you need to set:
| gateway.nginx.workerConnections | string | `"10620"` | Nginx worker
connections |
| gateway.nginx.workerProcesses | string | `"auto"` | Nginx worker processes |
| gateway.nginx.workerRlimitNofile | string | `"20480"` | Nginx
workerRlimitNoFile |
+| gateway.tls.additionalContainerPorts | list | `[]` | Support multiple https
ports, See
[Configuration](https://github.com/apache/apisix/blob/0bc65ea9acd726f79f80ae0abd8f50b7eb172e3d/conf/config-default.yaml#L99)
|
+| gateway.tls.certCAFilename | string | `""` | Filename be used in the
gateway.tls.existingCASecret |
+| gateway.tls.containerPort | int | `9443` | |
+| gateway.tls.enabled | bool | `false` | |
+| gateway.tls.existingCASecret | string | `""` | Specifies the name of Secret
contains trusted CA certificates in the PEM format used to verify the
certificate when APISIX needs to do SSL/TLS handshaking with external services
(e.g. etcd) |
+| gateway.tls.fallbackSNI | string | `""` | Define SNI to fallback if none is
presented by client |
+| gateway.tls.http2.enabled | bool | `true` | |
+| gateway.tls.servicePort | int | `443` | |
+| gateway.tls.sslProtocols | string | `"TLSv1.2 TLSv1.3"` | TLS protocols
allowed to use. |
| gateway.type | string | `"NodePort"` | Apache APISIX service type for user
access itself |
| image.pullPolicy | string | `"IfNotPresent"` | |
| image.repository | string | `"apache/apisix-ingress-controller"` | |
diff --git a/charts/apisix-ingress-controller/templates/apisix-configmap.yaml
b/charts/apisix-ingress-controller/templates/apisix-configmap.yaml
index 7310524..6cdd5a2 100644
--- a/charts/apisix-ingress-controller/templates/apisix-configmap.yaml
+++ b/charts/apisix-ingress-controller/templates/apisix-configmap.yaml
@@ -58,6 +58,23 @@ data:
worker_rlimit_nofile: {{ .Values.gateway.nginx.workerRlimitNofile }} #
the number of files a worker process can open, should be larger than
worker_connections
event:
worker_connections: {{ .Values.gateway.nginx.workerConnections }}
+
+ ssl:
+ enable: {{ .Values.gateway.tls.enabled }}
+ listen:
+ - port: {{ .Values.gateway.tls.containerPort }}
+ enable_http2: {{ .Values.gateway.tls.http2.enabled }}
+ {{- with .Values.gateway.tls.additionalContainerPorts }}
+ {{- toYaml . | nindent 10}}
+ {{- end }}
+ ssl_protocols: {{ .Values.gateway.tls.sslProtocols | quote }}
+ ssl_ciphers:
"ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-
[...]
+ {{- if and .Values.gateway.tls.enabled
.Values.gateway.tls.existingCASecret }}
+ ssl_trusted_certificate: "/usr/local/apisix/conf/ssl/{{
.Values.gateway.tls.certCAFilename }}"
+ {{- end }}
+ {{- if and .Values.gateway.tls.enabled .Values.gateway.tls.fallbackSNI
}}
+ fallback_sni: {{ .Values.gateway.tls.fallbackSNI | quote }}
+ {{- end }}
plugins: # plugin list (sorted by priority)
- real-ip # priority: 23000
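Review bot: The `ssl_trusted_certificate` guard checks only `gateway.tls.existingCASecret`, so with the default `certCAFilename: ""` it renders the bare directory `/usr/local/apisix/conf/ssl/`, which APISIX cannot load as a CA bundle; extend the condition to `{{- if and .Values.gateway.tls.enabled .Values.gateway.tls.existingCASecret .Values.gateway.tls.certCAFilename }}`. Nothing in this commit mounts that Secret either (the deployment.yaml hunk only templates `containerPort`), so unless the chart already projects it into `/usr/local/apisix/conf/ssl` elsewhere, the referenced file will be absent at runtime — worth confirming before release. Quoting `enable:` is not needed since the value is a chart boolean, but a short comment above the `ssl:` stanza saying the block is always rendered and only `enable` toggles it would make the `tls.enabled` semantics clearer. The `data:` block this hunk edits starts outside the hunk.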
diff --git a/charts/apisix-ingress-controller/templates/deployment.yaml
b/charts/apisix-ingress-controller/templates/deployment.yaml
index efa8361..ccddd9e 100644
--- a/charts/apisix-ingress-controller/templates/deployment.yaml
+++ b/charts/apisix-ingress-controller/templates/deployment.yaml
@@ -140,7 +140,7 @@ spec:
containerPort: 9180
protocol: TCP
- name: https
- containerPort: 9443
+ containerPort: {{ .Values.gateway.tls.containerPort }}
protocol: TCP
{{- if .Values.serviceMonitor.enabled }}
- containerPort: 9091
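Review bot: `gateway.tls.additionalContainerPorts` feeds the APISIX `ssl.listen` list in apisix-configmap.yaml, but neither this container `ports` list nor the Service in service-apisix.yaml is extended with those ports, so the extra HTTPS listeners exist inside the pod yet are undeclared on the container and unreachable through the Service; iterating the value with a `range` here and in service-apisix.yaml would close that gap. The templated `containerPort` also inherits whatever type the user supplies — a quoted `"9443"` in a values override renders as a string the API server rejects — which `containerPort: {{ .Values.gateway.tls.containerPort | int }}` avoids. The container `ports` list and its enclosing `spec` start outside the hunk.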
diff --git a/charts/apisix-ingress-controller/templates/ingress-class.yaml
b/charts/apisix-ingress-controller/templates/ingress-class.yaml
new file mode 100644
index 0000000..0120614
--- /dev/null
+++ b/charts/apisix-ingress-controller/templates/ingress-class.yaml
@@ -0,0 +1,6 @@
+apiVersion: networking.k8s.io/v1
+kind: IngressClass
+metadata:
+ name: {{ .Values.config.kubernetes.ingressClass | quote }}
+spec:
+ controller: apisix.apache.org/apisix-ingress # fix:
https://github.com/apache/apisix-ingress-controller/issues/1653
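Review bot: The IngressClass is rendered unconditionally and is cluster-scoped, so a second release in the same cluster (or a pre-existing IngressClass with the same name) makes `helm install` fail on resource ownership, and uninstalling either release removes the class the other relies on; gating the file on a new value (a proposed `ingressClass.create`, default `true`) gives operators an opt-out. If `config.kubernetes.ingressClass` is empty, `| quote` yields `name: ""`, which the API server rejects, so the same guard should also require a non-empty name. The resource carries no chart labels; service-apisix.yaml includes `apisix-ingress-controller.selectorLabels`, so a matching labels helper presumably exists and could be applied under `metadata` for consistency with the other templates.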
diff --git a/charts/apisix-ingress-controller/templates/service-apisix.yaml
b/charts/apisix-ingress-controller/templates/service-apisix.yaml
index 5125974..4abf0f3 100644
--- a/charts/apisix-ingress-controller/templates/service-apisix.yaml
+++ b/charts/apisix-ingress-controller/templates/service-apisix.yaml
@@ -17,8 +17,8 @@ spec:
targetPort: 9080
- name: https
protocol: TCP
- port: 443
- targetPort: 9443
+ port: {{ .Values.gateway.tls.servicePort }}
+ targetPort: {{ .Values.gateway.tls.containerPort }}
selector:
{{- include "apisix-ingress-controller.selectorLabels" . | nindent 4 }}
type: {{ .Values.gateway.type }} # LoadBalancer or NodePort
diff --git a/charts/apisix-ingress-controller/values.yaml
b/charts/apisix-ingress-controller/values.yaml
index 6b8d265..d395ad5 100644
--- a/charts/apisix-ingress-controller/values.yaml
+++ b/charts/apisix-ingress-controller/values.yaml
@@ -232,3 +232,22 @@ gateway:
errorLog: stderr
# -- Nginx error logs level
errorLogLevel: warn
+ tls:
+ enabled: false
+ servicePort: 443
+ containerPort: 9443
+ # -- Support multiple https ports, See
[Configuration](https://github.com/apache/apisix/blob/0bc65ea9acd726f79f80ae0abd8f50b7eb172e3d/conf/config-default.yaml#L99)
+ additionalContainerPorts: []
+ # - ip: 127.0.0.3 # Specific IP, If not set, the default value
is `0.0.0.0`.
+ # port: 9445
+ # enable_http2: true
+ # -- Specifies the name of Secret contains trusted CA certificates in the
PEM format used to verify the certificate when APISIX needs to do SSL/TLS
handshaking with external services (e.g. etcd)
+ existingCASecret: ""
+ # -- Filename be used in the gateway.tls.existingCASecret
+ certCAFilename: ""
+ http2:
+ enabled: true
+ # -- TLS protocols allowed to use.
+ sslProtocols: "TLSv1.2 TLSv1.3"
+ # -- Define SNI to fallback if none is presented by client
+ fallbackSNI: ""
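Review bot: The `existingCASecret` / `certCAFilename` comments do not say where the file is expected: apisix-configmap.yaml renders `ssl_trusted_certificate` as `/usr/local/apisix/conf/ssl/<certCAFilename>`, so `certCAFilename` must match the key in the Secret and the Secret has to be mounted at that directory — a comment such as `# -- Key in gateway.tls.existingCASecret holding the PEM CA bundle; read from /usr/local/apisix/conf/ssl/<certCAFilename>, so the Secret must be mounted there` would prevent a failed start. The cipher suite string in apisix-configmap.yaml stays hard-coded while `sslProtocols` became configurable; a sibling value (a proposed `sslCiphers`, defaulting to the current list) would let hardened deployments drop the legacy CBC/SHA-1 suites it contains, such as `ECDHE-RSA-AES128-SHA`. The `gateway:` mapping this hunk extends starts outside the hunk.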