apache · Gallardot · Jun 4, 2024 · Apr 29, 2024 · Apr 29, 2024 · Apr 29, 2024
diff --git a/charts/apisix/Chart.lock b/charts/apisix/Chart.lock
@@ -1,12 +1,12 @@
 dependencies:
 - name: etcd
   repository: https://charts.bitnami.com/bitnami
-  version: 8.7.7
+  version: 9.7.3
 - name: apisix-dashboard
   repository: https://charts.apiseven.com
-  version: 0.8.1
+  version: 0.8.2
 - name: apisix-ingress-controller
   repository: https://charts.apiseven.com
-  version: 0.13.0
-digest: sha256:6ca1fc0eb06fef4d4502a3153ed77c9cd5a382ebe65e676791afe4272ac7c796
-generated: "2023-12-14T20:21:52.603033345+02:00"
+  version: 0.14.0
+digest: sha256:8d727979670a2b62af7672c36ebb2a4d294bc967b16fb5d1e144ed77c948062d
+generated: "2024-04-29T09:07:03.535941+02:00"
diff --git a/charts/apisix/Chart.yaml b/charts/apisix/Chart.yaml
@@ -31,7 +31,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 2.7.0
+version: 2.8.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
@@ -42,16 +42,16 @@ sources:
 
 dependencies:
   - name: etcd
-    version: 8.7.7
+    version: 9.7.3
     repository: https://charts.bitnami.com/bitnami
     condition: etcd.enabled
   - name: apisix-dashboard
-    version: 0.8.1
+    version: 0.8.2
     repository: https://charts.apiseven.com
     condition: dashboard.enabled
     alias: dashboard
   - name: apisix-ingress-controller
-    version: 0.13.0
+    version: 0.14.0
     repository: https://charts.apiseven.com
     condition: ingress-controller.enabled
     alias: ingress-controller

diff --git a/charts/apisix/README.md b/charts/apisix/README.md
@@ -43,9 +43,11 @@ The command removes all the Kubernetes components associated with the chart and
 | affinity | object | `{}` | Set affinity for Apache APISIX deploy |
 | apisix.admin.allow.ipList | list | `["127.0.0.1/24"]` | The client IP CIDR allowed to access Apache APISIX Admin API service. |
 | apisix.admin.cors | bool | `true` | Admin API support CORS response headers |
-| apisix.admin.credentials | object | `{"admin":"edd1c9f034335f136f87ad84b625c8f1","secretName":"","viewer":"4054f7cf07e344346cd3f287985e76a2"}` | Admin API credentials |
+| apisix.admin.credentials | object | `{"admin":"edd1c9f034335f136f87ad84b625c8f1","secretAdminKey":"","secretName":"","secretViewerKey":"","viewer":"4054f7cf07e344346cd3f287985e76a2"}` | Admin API credentials |
 | apisix.admin.credentials.admin | string | `"edd1c9f034335f136f87ad84b625c8f1"` | Apache APISIX admin API admin role credentials |
+| apisix.admin.credentials.secretAdminKey | string | `""` | Name of the admin role key in the secret, overrides the default key name "admin" |
 | apisix.admin.credentials.secretName | string | `""` | The APISIX Helm chart supports storing user credentials in a secret. The secret needs to contain two keys, admin and viewer, with their respective values set. |
+| apisix.admin.credentials.secretViewerKey | string | `""` | Name of the viewer role key in the secret, overrides the default key name "viewer" |
 | apisix.admin.credentials.viewer | string | `"4054f7cf07e344346cd3f287985e76a2"` | Apache APISIX admin API viewer role credentials |
 | apisix.admin.enabled | bool | `true` | Enable Admin API |
 | apisix.admin.externalIPs | list | `[]` | IPs for which nodes in the cluster will also accept traffic for the servic |
@@ -138,7 +140,7 @@ The command removes all the Kubernetes components associated with the chart and
 | dashboard.config.conf.etcd.prefix | string | `"/apisix"` | apisix configurations prefix |
 | dashboard.config.conf.etcd.username | string | `nil` | Specifies etcd basic auth username if enable etcd auth |
 | dashboard.enabled | bool | `false` |  |
-| etcd | object | `{"auth":{"rbac":{"create":false,"rootPassword":""},"tls":{"certFilename":"","certKeyFilename":"","enabled":false,"existingSecret":"","sni":"","verify":true}},"enabled":true,"prefix":"/apisix","replicaCount":3,"service":{"port":2379},"timeout":30}` | etcd configuration use the FQDN address or the IP of the etcd |
+| etcd | object | `{"auth":{"rbac":{"create":false,"rootPassword":""},"tls":{"certFilename":"","certKeyFilename":"","enabled":false,"existingSecret":"","sni":"","verify":true}},"containerSecurityContext":{"enabled":false},"enabled":true,"prefix":"/apisix","replicaCount":3,"service":{"port":2379},"timeout":30}` | etcd configuration use the FQDN address or the IP of the etcd |
 | etcd.auth | object | `{"rbac":{"create":false,"rootPassword":""},"tls":{"certFilename":"","certKeyFilename":"","enabled":false,"existingSecret":"","sni":"","verify":true}}` | if etcd.enabled is true, set more values of bitnami/etcd helm chart |
 | etcd.auth.rbac.create | bool | `false` | No authentication by default. Switch to enable RBAC authentication |
 | etcd.auth.rbac.rootPassword | string | `""` | root password for etcd. Requires etcd.auth.rbac.create to be true. |
@@ -148,6 +150,7 @@ The command removes all the Kubernetes components associated with the chart and
 | etcd.auth.tls.existingSecret | string | `""` | name of the secret contains etcd client cert |
 | etcd.auth.tls.sni | string | `""` | specify the TLS Server Name Indication extension, the ETCD endpoint hostname will be used when this setting is unset. |
 | etcd.auth.tls.verify | bool | `true` | whether to verify the etcd endpoint certificate when setup a TLS connection to etcd |
+| etcd.containerSecurityContext | object | `{"enabled":false}` | added for backward compatibility with old kubernetes versions, as seccompProfile is not supported in kubernetes < 1.19 |
 | etcd.enabled | bool | `true` | install etcd(v3) by default, set false if do not want to install etcd(v3) together |
 | etcd.prefix | string | `"/apisix"` | apisix configurations prefix |
 | etcd.timeout | int | `30` | Set the timeout value in seconds for subsequent socket operations from apisix to etcd cluster |

diff --git a/charts/apisix/charts/apisix-dashboard-0.8.1.tgz b/charts/apisix/charts/apisix-dashboard-0.8.1.tgz
diff --git a/charts/apisix/charts/apisix-dashboard-0.8.2.tgz b/charts/apisix/charts/apisix-dashboard-0.8.2.tgz
diff --git a/charts/apisix/charts/apisix-ingress-controller-0.13.0.tgz b/charts/apisix/charts/apisix-ingress-controller-0.13.0.tgz
diff --git a/charts/apisix/charts/apisix-ingress-controller-0.14.0.tgz b/charts/apisix/charts/apisix-ingress-controller-0.14.0.tgz
diff --git a/charts/apisix/charts/etcd-8.7.7.tgz b/charts/apisix/charts/etcd-8.7.7.tgz
diff --git a/charts/apisix/charts/etcd-9.7.3.tgz b/charts/apisix/charts/etcd-9.7.3.tgz
diff --git a/charts/apisix/templates/_helpers.tpl b/charts/apisix/templates/_helpers.tpl
@@ -135,3 +135,25 @@ Return the password key name of etcd secret
 {{- print .Values.externalEtcd.secretPasswordKey }}
 {{- end }}
 {{- end -}}
+
+{{/*
+Key to use to fetch admin token from secret
+*/}}
+{{- define "apisix.admin.credentials.secretAdminKey" -}}
+{{- if .Values.admin.credentials.secretAdminKey }}
+{{- .Values.admin.credentials.secretAdminKey }}
+{{- else }}
+{{- "admin" }}
+{{- end }}
+{{- end }}
+
+{{/*
+Key to use to fetch viewer token from secret
+*/}}
+{{- define "apisix.admin.credentials.secretViewerKey" -}}
+{{- if .Values.admin.credentials.secretViewerKey }}
+{{- .Values.admin.credentials.secretViewerKey }}
+{{- else }}
+{{- "viewer" }}
+{{- end }}
+{{- end }}
diff --git a/charts/apisix/templates/deployment.yaml b/charts/apisix/templates/deployment.yaml
@@ -38,10 +38,8 @@ spec:
     metadata:
       annotations:
         checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
-        {{- if .Values.podAnnotations }}
-        {{- range $key, $value := $.Values.podAnnotations }}
-        {{ $key }}: {{ $value | quote }}
-        {{- end }}
+        {{- with .Values.podAnnotations }}
+        {{ tpl (toYaml .) $ | nindent 8 }}
         {{- end }}
       labels:
         {{- include "apisix.selectorLabels" . | nindent 8 }}
@@ -85,12 +83,12 @@ spec:
               valueFrom:
                 secretKeyRef:
                   name: {{ .Values.apisix.admin.credentials.secretName }}
-                  key: admin
+                  key: {{ include "apisix.admin.credentials.secretAdminKey" . }}
             - name: APISIX_VIEWER_KEY
               valueFrom:
                 secretKeyRef:
                   name: {{ .Values.apisix.admin.credentials.secretName }}
-                  key: viewer
+                  key: {{ include "apisix.admin.credentials.secretViewerKey" . }}
           {{- end }}
 
           {{- if or (and .Values.etcd.enabled .Values.etcd.auth.rbac.create) (and (not .Values.etcd.enabled) .Values.externalEtcd.user) }}

diff --git a/charts/apisix/values.yaml b/charts/apisix/values.yaml
@@ -333,6 +333,10 @@ apisix:
       # -- The APISIX Helm chart supports storing user credentials in a secret.
       # The secret needs to contain two keys, admin and viewer, with their respective values set.
       secretName: ""
+      # -- Name of the admin role key in the secret, overrides the default key name "admin"
+      secretAdminKey: ""
+      # -- Name of the viewer role key in the secret, overrides the default key name "viewer"
+      secretViewerKey: ""
 
     allow:
       # -- The client IP CIDR allowed to access Apache APISIX Admin API service.
@@ -566,6 +570,11 @@ etcd:
       # -- specify the TLS Server Name Indication extension, the ETCD endpoint hostname will be used when this setting is unset.
       sni: ""
 
+  # -- ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
+  # -- added for backward compatibility with old kubernetes versions, as seccompProfile is not supported in kubernetes < 1.19
+  containerSecurityContext:
+    enabled: false
+
   service:
     port: 2379