diff --git a/charts/apisix/Chart.lock b/charts/apisix/Chart.lock index 632b1d7b..fe7b0bf5 100644 --- a/charts/apisix/Chart.lock +++ b/charts/apisix/Chart.lock @@ -1,12 +1,12 @@ dependencies: - name: etcd repository: https://charts.bitnami.com/bitnami - version: 8.7.7 + version: 9.7.3 - name: apisix-dashboard repository: https://charts.apiseven.com - version: 0.8.1 + version: 0.8.2 - name: apisix-ingress-controller repository: https://charts.apiseven.com - version: 0.13.0 -digest: sha256:6ca1fc0eb06fef4d4502a3153ed77c9cd5a382ebe65e676791afe4272ac7c796 -generated: "2023-12-14T20:21:52.603033345+02:00" + version: 0.14.0 +digest: sha256:8d727979670a2b62af7672c36ebb2a4d294bc967b16fb5d1e144ed77c948062d +generated: "2024-04-29T09:07:03.535941+02:00" diff --git a/charts/apisix/Chart.yaml b/charts/apisix/Chart.yaml index 8c885996..0d390e0c 100644 --- a/charts/apisix/Chart.yaml +++ b/charts/apisix/Chart.yaml @@ -31,7 +31,7 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 2.7.0 +version: 2.8.0 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to @@ -42,16 +42,16 @@ sources: dependencies: - name: etcd - version: 8.7.7 + version: 9.7.3 repository: https://charts.bitnami.com/bitnami condition: etcd.enabled - name: apisix-dashboard - version: 0.8.1 + version: 0.8.2 repository: https://charts.apiseven.com condition: dashboard.enabled alias: dashboard - name: apisix-ingress-controller - version: 0.13.0 + version: 0.14.0 repository: https://charts.apiseven.com condition: ingress-controller.enabled alias: ingress-controller diff --git a/charts/apisix/README.md b/charts/apisix/README.md index ce40aba2..0d178667 100644 
--- a/charts/apisix/README.md +++ b/charts/apisix/README.md @@ -43,9 +43,11 @@ The command removes all the Kubernetes components associated with the chart and | affinity | object | `{}` | Set affinity for Apache APISIX deploy | | apisix.admin.allow.ipList | list | `["127.0.0.1/24"]` | The client IP CIDR allowed to access Apache APISIX Admin API service. | | apisix.admin.cors | bool | `true` | Admin API support CORS response headers | -| apisix.admin.credentials | object | `{"admin":"edd1c9f034335f136f87ad84b625c8f1","secretName":"","viewer":"4054f7cf07e344346cd3f287985e76a2"}` | Admin API credentials | +| apisix.admin.credentials | object | `{"admin":"edd1c9f034335f136f87ad84b625c8f1","secretAdminKey":"","secretName":"","secretViewerKey":"","viewer":"4054f7cf07e344346cd3f287985e76a2"}` | Admin API credentials | | apisix.admin.credentials.admin | string | `"edd1c9f034335f136f87ad84b625c8f1"` | Apache APISIX admin API admin role credentials | +| apisix.admin.credentials.secretAdminKey | string | `""` | Name of the admin role key in the secret, overrides the default key name "admin" | | apisix.admin.credentials.secretName | string | `""` | The APISIX Helm chart supports storing user credentials in a secret. The secret needs to contain two keys, admin and viewer, with their respective values set. | +| apisix.admin.credentials.secretViewerKey | string | `""` | Name of the viewer role key in the secret, overrides the default key name "viewer" | | apisix.admin.credentials.viewer | string | `"4054f7cf07e344346cd3f287985e76a2"` | Apache APISIX admin API viewer role credentials | | apisix.admin.enabled | bool | `true` | Enable Admin API | | apisix.admin.externalIPs | list | `[]` | IPs for which nodes in the cluster will also accept traffic for the servic | 
@@ -138,7 +140,7 @@ The command removes all the Kubernetes components associated with the chart and | dashboard.config.conf.etcd.prefix | string | `"/apisix"` | apisix configurations prefix | | dashboard.config.conf.etcd.username | string | `nil` | Specifies etcd basic auth username if enable etcd auth | | dashboard.enabled | bool | `false` | | -| etcd | object | `{"auth":{"rbac":{"create":false,"rootPassword":""},"tls":{"certFilename":"","certKeyFilename":"","enabled":false,"existingSecret":"","sni":"","verify":true}},"enabled":true,"prefix":"/apisix","replicaCount":3,"service":{"port":2379},"timeout":30}` | etcd configuration use the FQDN address or the IP of the etcd | +| etcd | object | `{"auth":{"rbac":{"create":false,"rootPassword":""},"tls":{"certFilename":"","certKeyFilename":"","enabled":false,"existingSecret":"","sni":"","verify":true}},"containerSecurityContext":{"enabled":false},"enabled":true,"prefix":"/apisix","replicaCount":3,"service":{"port":2379},"timeout":30}` | etcd configuration use the FQDN address or the IP of the etcd | | etcd.auth | object | `{"rbac":{"create":false,"rootPassword":""},"tls":{"certFilename":"","certKeyFilename":"","enabled":false,"existingSecret":"","sni":"","verify":true}}` | if etcd.enabled is true, set more values of bitnami/etcd helm chart | | etcd.auth.rbac.create | bool | `false` | No authentication by default. Switch to enable RBAC authentication | | etcd.auth.rbac.rootPassword | string | `""` | root password for etcd. Requires etcd.auth.rbac.create to be true. | 
@@ -148,6 +150,7 @@ The command removes all the Kubernetes components associated with the chart and | etcd.auth.tls.existingSecret | string | `""` | name of the secret contains etcd client cert | | etcd.auth.tls.sni | string | `""` | specify the TLS Server Name Indication extension, the ETCD endpoint hostname will be used when this setting is unset. | | etcd.auth.tls.verify | bool | `true` | whether to verify the etcd endpoint certificate when setup a TLS connection to etcd | +| etcd.containerSecurityContext | object | `{"enabled":false}` | added for backward compatibility with old kubernetes versions, as seccompProfile is not supported in kubernetes < 1.19 | | etcd.enabled | bool | `true` | install etcd(v3) by default, set false if do not want to install etcd(v3) together | | etcd.prefix | string | `"/apisix"` | apisix configurations prefix | | etcd.timeout | int | `30` | Set the timeout value in seconds for subsequent socket operations from apisix to etcd cluster | diff --git a/charts/apisix/charts/apisix-dashboard-0.8.1.tgz b/charts/apisix/charts/apisix-dashboard-0.8.1.tgz deleted file mode 100644 index 0a93cd59..00000000 Binary files a/charts/apisix/charts/apisix-dashboard-0.8.1.tgz and /dev/null differ diff --git a/charts/apisix/charts/apisix-dashboard-0.8.2.tgz b/charts/apisix/charts/apisix-dashboard-0.8.2.tgz new file mode 100644 index 00000000..3a9992e6 Binary files /dev/null and b/charts/apisix/charts/apisix-dashboard-0.8.2.tgz differ diff --git a/charts/apisix/charts/apisix-ingress-controller-0.13.0.tgz b/charts/apisix/charts/apisix-ingress-controller-0.13.0.tgz deleted file mode 100644 index 6f741aac..00000000 Binary files a/charts/apisix/charts/apisix-ingress-controller-0.13.0.tgz and /dev/null differ 
diff --git a/charts/apisix/charts/apisix-ingress-controller-0.14.0.tgz b/charts/apisix/charts/apisix-ingress-controller-0.14.0.tgz new file mode 100644 index 00000000..9d8693f4 Binary files /dev/null and b/charts/apisix/charts/apisix-ingress-controller-0.14.0.tgz differ diff --git a/charts/apisix/charts/etcd-8.7.7.tgz b/charts/apisix/charts/etcd-8.7.7.tgz deleted file mode 100644 index 5f68f5d9..00000000 Binary files a/charts/apisix/charts/etcd-8.7.7.tgz and /dev/null differ diff --git a/charts/apisix/charts/etcd-9.7.3.tgz b/charts/apisix/charts/etcd-9.7.3.tgz new file mode 100644 index 00000000..dd19be34 Binary files /dev/null and b/charts/apisix/charts/etcd-9.7.3.tgz differ diff --git a/charts/apisix/templates/_helpers.tpl b/charts/apisix/templates/_helpers.tpl index 1b920600..7dd454ab 100644 --- a/charts/apisix/templates/_helpers.tpl +++ b/charts/apisix/templates/_helpers.tpl @@ -135,3 +135,25 @@ Return the password key name of etcd secret {{- print .Values.externalEtcd.secretPasswordKey }} {{- end }} {{- end -}} + +{{/* +Key to use to fetch admin token from secret +*/}} +{{- define "apisix.admin.credentials.secretAdminKey" -}} +{{- if .Values.admin.credentials.secretAdminKey }} +{{- .Values.admin.credentials.secretAdminKey }} +{{- else }} +{{- "admin" }} +{{- end }} +{{- end }} + +{{/* +Key to use to fetch viewer token from secret +*/}} +{{- define "apisix.admin.credentials.secretViewerKey" -}} +{{- if .Values.admin.credentials.secretViewerKey }} +{{- .Values.admin.credentials.secretViewerKey }} +{{- else }} +{{- "viewer" }} +{{- end }} +{{- end }} diff --git a/charts/apisix/templates/deployment.yaml b/charts/apisix/templates/deployment.yaml index 2a92928c..07734c39 100644 --- a/charts/apisix/templates/deployment.yaml +++ b/charts/apisix/templates/deployment.yaml 
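Review bot: Both new helpers read `.Values.admin.credentials.*`, but values.yaml in this commit adds the settings under `apisix:` and deployment.yaml reads the sibling `secretName` as `.Values.apisix.admin.credentials.secretName`, so the lookup path looks wrong. As written, a user-supplied `secretAdminKey` or `secretViewerKey` would never be picked up, and unless a top-level `admin` value exists the lookup probably fails rendering with a nil-pointer error whenever the secret branch is taken. Point both helpers at the `apisix` subtree, for example `{{- .Values.apisix.admin.credentials.secretAdminKey | default "admin" -}}` and `{{- .Values.apisix.admin.credentials.secretViewerKey | default "viewer" -}}`. A render test with `secretName` set would catch a wrong or missing Secret key before release.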
@@ -38,10 +38,8 @@ spec: metadata: annotations: checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} - {{- if .Values.podAnnotations }} - {{- range $key, $value := $.Values.podAnnotations }} - {{ $key }}: {{ $value | quote }} - {{- end }} + {{- with .Values.podAnnotations }} + {{ tpl (toYaml .) $ | nindent 8 }} {{- end }} labels: {{- include "apisix.selectorLabels" . | nindent 8 }} @@ -85,12 +83,12 @@ spec: valueFrom: secretKeyRef: name: {{ .Values.apisix.admin.credentials.secretName }} - key: admin + key: {{ include "apisix.admin.credentials.secretAdminKey" . }} - name: APISIX_VIEWER_KEY valueFrom: secretKeyRef: name: {{ .Values.apisix.admin.credentials.secretName }} - key: viewer + key: {{ include "apisix.admin.credentials.secretViewerKey" . }} {{- end }} {{- if or (and .Values.etcd.enabled .Values.etcd.auth.rbac.create) (and (not .Values.etcd.enabled) .Values.externalEtcd.user) }} diff --git a/charts/apisix/values.yaml b/charts/apisix/values.yaml index 7020cde3..1b5241e4 100644 --- a/charts/apisix/values.yaml +++ b/charts/apisix/values.yaml @@ -333,6 +333,10 @@ apisix: # -- The APISIX Helm chart supports storing user credentials in a secret. # The secret needs to contain two keys, admin and viewer, with their respective values set. secretName: "" + # -- Name of the admin role key in the secret, overrides the default key name "admin" + secretAdminKey: "" + # -- Name of the viewer role key in the secret, overrides the default key name "viewer" + secretViewerKey: "" allow: # -- The client IP CIDR allowed to access Apache APISIX Admin API service. 
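Review bot: Dropping `| quote` in the podAnnotations block means non-string values are no longer coerced to strings. `toYaml` emits `true` or `9091` as a YAML boolean or integer, and Kubernetes accepts only strings as annotation values, so values files that relied on the old quoting may now be rejected at install time. The switch to `tpl` also makes every annotation value a template evaluated with the full chart context `$`; that is fine while values are operator-controlled, but the values.yaml description should say so. Consider keeping the per-key loop and templating each value, e.g. `{{ $key }}: {{ tpl (toString $value) $ | quote }}`, or document that annotation values must be quoted strings.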
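Review bot: The two `key:` lines in the secretKeyRef block interpolate the helper output unquoted, so a key name that YAML reads as a non-string (such as `yes` or an all-digit name) would give a mistyped `secretKeyRef.key`, and an empty render would give a null one. Quote the result, `key: {{ include "apisix.admin.credentials.secretAdminKey" . | quote }}`, and do the same for the viewer key. The enclosing conditional opens outside the hunk, so it is only inferred from the closing `{{- end }}` that these lines are reached when `secretName` is set.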
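Review bot: The `secretName` description just above the new keys still says the secret needs to contain two keys, admin and viewer, which is no longer accurate once `secretAdminKey` and `secretViewerKey` can rename them. Update that comment, e.g. `# The secret must hold the admin and viewer tokens under the keys named by secretAdminKey and secretViewerKey (default "admin" and "viewer").` The new descriptions should also say that they apply only when `secretName` is set, which is inferred from the deployment.yaml hunk. The README table in this commit still lists fixed default values for `admin` and `viewer`, so the docs could also recommend the secret path wherever the Admin API is reachable.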
@@ -566,6 +570,11 @@ etcd: # -- specify the TLS Server Name Indication extension, the ETCD endpoint hostname will be used when this setting is unset. sni: "" + # -- ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container + # -- added for backward compatibility with old kubernetes versions, as seccompProfile is not supported in kubernetes < 1.19 + containerSecurityContext: + enabled: false + service: port: 2379
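Review bot: Setting `etcd.containerSecurityContext.enabled: false` as the chart default turns off the etcd subchart's whole container security context for every install, not only the `seccompProfile` field that the comment cites as unsupported before Kubernetes 1.19. Which settings are lost depends on the bitnami/etcd 9.7.3 defaults, which are not visible here, but this block typically carries non-root and privilege-escalation restrictions. Clusters that do support those settings would then run etcd less restricted. Prefer keeping the default on and documenting the opt-out, e.g. `enabled: true` with `# set to false only on Kubernetes < 1.19, where seccompProfile is rejected`. The two consecutive `# --` lines also appear to leave only the second as the generated description, since the README row in this commit omits the ref link.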