Merge pull request #27 from nginxinc/helm-chart-1.2

Helm release - 1.2.0

Author: sjberman

helm-chart/Chart.yaml

@@ -1,6 +1,7 @@
 apiVersion: v2
 name: nginx-service-mesh
 description: NGINX Service Mesh
-version: 0.1.0
-appVersion: 1.1.0
-kubeVersion: ">= 1.16.0-0"
+version: 0.2.0
+appVersion: 1.2.0
+kubeVersion: "1.16-0 - 1.20-0"
+icon: https://raw.githubusercontent.com/nginxinc/nginx-service-mesh/master/helm-chart/chart-icon.png

helm-chart/README.md

@@ -0,0 +1,11 @@
+# NGINX Service Mesh
+
+Before deploying NGINX Service Mesh, see the [Platform Guide](https://docs.nginx.com/nginx-service-mesh/get-started/kubernetes-platform/) to ensure your environment is properly configured. If [Persistent Storage](https://docs.nginx.com/nginx-service-mesh/get-started/kubernetes-platform/persistent-storage/) is not configured in your cluster, set the `mTLS.persistentStorage` field to `off`. Verify that no other service meshes exist in your Kubernetes cluster. It is advised to install NGINX Service Mesh in a dedicated namespace.
+
+## Helm Installation and Configuration
+
+For information on the configuration options and installation process when using Helm with NGINX Service Mesh, see the [Installation Guide](https://docs.nginx.com/nginx-service-mesh/get-started/install-with-helm/).
+
+## Rancher users
+
+When deploying NGINX Service Mesh via the Rancher Apps and Marketplace, the Helm value `rancher` is set to `true` by default. This value causes Pods in the `cattle-*`, `ingress-nginx`, and `cert-manager` namespaces to be ignored by the automatic sidecar injection webhook. If this behavior is not desired, the `rancher` value can be set to `false`, or the `injector.nsm.nginx.com/auto-inject` label can be manually removed from these namespaces.

helm-chart/chart-icon.png

@@ -310,7 +310,7 @@
           "alertThreshold": true
         },
         "percentage": false,
-        "pluginVersion": "7.5.3",
+        "pluginVersion": "8.1.3",
         "pointradius": 5,
         "points": false,
         "renderer": "flot",
@@ -405,7 +405,7 @@
           "alertThreshold": true
         },
         "percentage": false,
-        "pluginVersion": "7.5.3",
+        "pluginVersion": "8.1.3",
         "pointradius": 5,
         "points": false,
         "renderer": "flot",
@@ -502,7 +502,7 @@
           "alertThreshold": true
         },
         "percentage": false,
-        "pluginVersion": "7.5.3",
+        "pluginVersion": "8.1.3",
         "pointradius": 2,
         "points": false,
         "renderer": "flot",
@@ -596,7 +596,7 @@
           "alertThreshold": true
         },
         "percentage": false,
-        "pluginVersion": "7.5.3",
+        "pluginVersion": "8.1.3",
         "pointradius": 2,
         "points": false,
         "renderer": "flot",

helm-chart/configs/grafana-top-dashboard.json

@@ -5,7 +5,7 @@
       "containerPort": 8443,
       "port": 443
     },
-    "autoInjectorPort": 443,
+    "autoInjectorPort": 9443,
     "injection": {
       "disabledNamespaces": {{ .Values.autoInjection.disabledNamespaces }},
       "enabledNamespaces": {{ .Values.autoInjection.enabledNamespaces }},

helm-chart/configs/mesh-config.conf

@@ -4,7 +4,7 @@ server {
   ca_ttl = {{ quote .Values.mtls.caTTL }}
   data_dir = "/run/spire/data"
   log_level = "DEBUG"
-  registration_uds_path = "/run/spire/sockets/spire-registration.sock"
+  socket_path = "/run/spire/sockets/spire-registration.sock"
   default_svid_ttl = {{ quote .Values.mtls.svidTTL }}
   trust_domain = {{ quote .Values.mtls.trustDomain }}
   ca_subject = {
@@ -26,16 +26,12 @@ plugins {
     plugin_data {
       clusters = {
         "nginx-mesh" = {
-          service_account_whitelist = [{{ printf "%s:spire-agent" .Release.Namespace | quote }}]
+          service_account_allow_list = [{{ printf "%s:spire-agent" .Release.Namespace | quote }}]
         }
       }
     }
   }
 
-  NodeResolver "noop" {
-    plugin_data {}
-  }
-
   Notifier "k8sbundle" {
      plugin_data {
        namespace = {{ quote .Release.Namespace }}

helm-chart/configs/spire-server.conf

@@ -48,6 +48,7 @@ spec:
                   name:
                     description: Name of the destination.
                     type: string
+                    minLength: 1
                   namespace:
                     description: Namespace of the destination.
                     type: string

helm-chart/crds/circuitbreaker.yaml

@@ -17,6 +17,73 @@ spec:
     singular: ratelimit
   versions:
   - name: v1alpha1
+    served: true
+    storage: false
+    schema:
+      openAPIV3Schema:
+        type: object
+        properties:
+          spec:
+            type: object
+            required:
+            - name
+            - destination
+            - rate
+            properties:
+              destination:
+                description: The destination of this rate limit.
+                type: object
+                required:
+                - name
+                - kind
+                properties:
+                  kind:
+                    description: Kind of the destination.
+                    type: string
+                    minLength: 1
+                  name:
+                    description: Name of the destination.
+                    type: string
+                    minLength: 1
+                  namespace:
+                    description: Namespace of the destination.
+                    type: string
+              sources:
+                description: Sources of this rate limit.
+                type: array
+                items:
+                  type: object
+                  required:
+                  - name
+                  - kind
+                  properties:
+                    kind:
+                      description: Kind of this source.
+                      type: string
+                      minLength: 1
+                    name:
+                      description: Name of this source.
+                      type: string
+                      minLength: 1
+                    namespace:
+                      description: Namespace of this source.
+                      type: string
+              name:
+                description: Name of this rate limit spec.
+                type: string
+                minLength: 1
+              rate:
+                description: The allowed rate of traffic.
+                type: string
+                pattern: "^[0-9]+r/[s,m]$"
+              burst:
+                description: The number of requests to allow beyond the given rate.
+                type: integer
+                minimum: 0
+              delay:
+                description: The number of requests after which to delay requests.
+                x-kubernetes-int-or-string: true
+  - name: v1alpha2
     served: true
     storage: true
     schema:
@@ -40,9 +107,11 @@ spec:
                   kind:
                     description: Kind of the destination.
                     type: string
+                    minLength: 1
                   name:
                     description: Name of the destination.
                     type: string
+                    minLength: 1
                   namespace:
                     description: Namespace of the destination.
                     type: string
@@ -58,15 +127,18 @@ spec:
                     kind:
                       description: Kind of this source.
                       type: string
+                      minLength: 1
                     name:
                       description: Name of this source.
                       type: string
+                      minLength: 1
                     namespace:
                       description: Namespace of this source.
                       type: string
               name:
                 description: Name of this rate limit spec.
                 type: string
+                minLength: 1
               rate:
                 description: The allowed rate of traffic.
                 type: string
@@ -78,3 +150,26 @@ spec:
               delay:
                 description: The number of requests after which to delay requests.
                 x-kubernetes-int-or-string: true
+              rules:
+                description: Routing rules of this rate limit.
+                type: array
+                items:
+                  type: object
+                  required:
+                  - name
+                  - kind
+                  properties:
+                    kind:
+                      description: Kind of this routing rule.
+                      type: string
+                      enum:
+                      - HTTPRouteGroup
+                    name:
+                      description: Name of this routing rule.
+                      type: string
+                      minLength: 1
+                    matches:
+                      description: Match conditions of this routing rule.
+                      type: array
+                      items:
+                        type: string

helm-chart/crds/ratelimit.yaml

@@ -100,7 +100,7 @@ spec:
       serviceAccountName: grafana
       containers:
       - name: grafana
-        image: {{ include "grafana.image-server" . }}/grafana:7.5.3
+        image: {{ include "grafana.image-server" . }}/grafana:8.1.3
         imagePullPolicy: {{ .Values.registry.imagePullPolicy }}
         ports:
         - containerPort: 3000

helm-chart/templates/grafana.yaml

@@ -47,7 +47,7 @@ spec:
       - name: {{ include "registry-key-name" . }}
       containers:
       - name: jaeger
-        image: {{ include "jaeger.image-server" . }}/all-in-one:1.19.2
+        image: {{ include "jaeger.image-server" . }}/all-in-one:1.26.0
         imagePullPolicy: {{ .Values.registry.imagePullPolicy }}
         ports:
         - containerPort: 16686

helm-chart/templates/jaeger.yaml

@@ -96,7 +96,7 @@ spec:
         - name: spire-agent-socket
           mountPath: "/run/spire/sockets"
       - name: nats-server
-        image: {{ include "nats.image-server" . }}nats:2.1.8-alpine3.11
+        image: {{ include "nats.image-server" . }}nats:2.4.0-alpine3.14
         imagePullPolicy: {{ .Values.registry.imagePullPolicy }}
         ports:
         - containerPort: 4222

helm-chart/templates/nats.yaml

@@ -158,7 +158,7 @@ spec:
   ports:
   - name: admission
     port: 443
-    targetPort: 443
+    targetPort: 9443
     protocol: TCP
   selector:
     app.kubernetes.io/name: nginx-mesh-api

helm-chart/templates/nginx-mesh-api.yaml

@@ -134,3 +134,11 @@ spec:
         - |
           kubectl label namespace kube-system injector.nsm.nginx.com/auto-inject-
           kubectl label namespace {{ .Release.Namespace }} injector.nsm.nginx.com/auto-inject- app.kubernetes.io/part-of-
+          {{- if .Values.rancher }}
+          kubectl label namespace ingress-nginx cert-manager injector.nsm.nginx.com/auto-inject-
+          for ns in $(kubectl get ns | awk '{print $1}' | tail -n +2); do
+            case "$ns" in
+              cattle-*) kubectl label namespace $ns injector.nsm.nginx.com/auto-inject- ;;
+            esac
+          done
+          {{- end }}

helm-chart/templates/post-delete-hook.yaml

@@ -29,6 +29,7 @@ rules:
   - namespaces
   verbs:
   - get
+  - list
   - patch
 ---
 apiVersion: rbac.authorization.k8s.io/v1
@@ -93,3 +94,11 @@ spec:
         - |
           kubectl label namespace kube-system injector.nsm.nginx.com/auto-inject=false
           kubectl label namespace {{ .Release.Namespace }} injector.nsm.nginx.com/auto-inject=false app.kubernetes.io/part-of=nginx-service-mesh
+          {{- if .Values.rancher }}
+          kubectl label namespace ingress-nginx cert-manager injector.nsm.nginx.com/auto-inject=false
+          for ns in $(kubectl get ns | awk '{print $1}' | tail -n +2); do
+            case "$ns" in
+              cattle-*) kubectl label namespace $ns injector.nsm.nginx.com/auto-inject=false ;;
+            esac
+          done
+          {{- end }}

helm-chart/templates/pre-install-hook.yaml

@@ -79,7 +79,7 @@ spec:
         - spire-server:8081
       containers:
       - name: spire-agent
-        image: {{ include "spire.image-server" . }}/spire-agent:0.12.3
+        image: {{ include "spire.image-server" . }}/spire-agent:1.0.2
         imagePullPolicy: {{ .Values.registry.imagePullPolicy }}
         args:
         - "-config"

helm-chart/templates/spire-agent.yaml

@@ -174,7 +174,7 @@ data:
 {{- $caKey := genPrivateKey "ecdsa"}}
 {{- $caCrt := genCAWithKey "K8S WORKLOAD REGISTRAR CA" 9999 $caKey }}
 {{- $serverKey := genPrivateKey "ecdsa" }}
-{{- $serverCrt := genSignedCertWithKey "K8S WORKLOAD REGISTRAR SERVER" nil nil 9999 $caCrt $serverKey }}
+{{- $serverCrt := genSignedCertWithKey "K8S WORKLOAD REGISTRAR SERVER" nil (list (printf "k8s-workload-registrar.%s.svc" .Release.Namespace )) 9999 $caCrt $serverKey }}
 apiVersion: v1
 kind: Secret
 metadata:
@@ -220,7 +220,7 @@ spec:
   selector:
     app.kubernetes.io/name: spire-server
 ---
-apiVersion: admissionregistration.k8s.io/v1
+apiVersion: admissionregistration.k8s.io/v1beta1
 kind: ValidatingWebhookConfiguration
 metadata:
   name: k8s-workload-registrar.security.builtin.nsm.nginx
@@ -234,11 +234,6 @@ webhooks:
       name: k8s-workload-registrar
       namespace: {{ .Release.Namespace }}
       path: "/validate-spiffeid-spiffe-io-v1beta1-spiffeid"
-  sideEffects: None
-  admissionReviewVersions:
-  - v1
-  - v1beta1
-  failurePolicy: Ignore
   rules:
   - apiGroups:
     - spiffeid.spiffe.io
@@ -362,7 +357,7 @@ spec:
       shareProcessNamespace: true
       containers:
         - name: spire-server
-          image: {{ include "spire.image-server" . }}/spire-server:0.12.3
+          image: {{ include "spire.image-server" . }}/spire-server:1.0.2
           imagePullPolicy: {{ .Values.registry.imagePullPolicy }}
           args:
             - '-config'
@@ -418,7 +413,7 @@ spec:
             initialDelaySeconds: 5
             periodSeconds: 5
         - name: k8s-workload-registrar
-          image: {{ include "spire.image-server" . }}/k8s-workload-registrar:0.12.3
+          image: {{ include "spire.image-server" . }}/k8s-workload-registrar:1.0.2
           imagePullPolicy: {{ .Values.registry.imagePullPolicy }}
           args:
             - '-config'
@@ -450,9 +445,7 @@ spec:
               path: {{ include "ua-secret-name" . }}
         {{- end }}
         - name: spire-server-socket
-          hostPath:
-            path: /run/spire/sockets
-            type: DirectoryOrCreate
+          emptyDir: {}
         - name: k8s-workload-registrar-config
           configMap:
             name: k8s-workload-registrar

helm-chart/templates/spire-server.yaml

@@ -1,12 +1,12 @@
 # NGINX Service Mesh image registry settings.
 registry:
   # Hostname:port (if needed) for registry and path to images. 
-  # Affects: nginx-mesh-api, nginx-mesh-metrics, nginx-mesh-sidecar, nginx-mesh-init, nginx-mesh-cert-reloader
+  # Affects: nginx-mesh-api, nginx-mesh-cert-reloader, nginx-mesh-init, nginx-mesh-metrics, nginx-mesh-sidecar
   server: "docker-registry.nginx.com/nsm"
 
   # Tag used for pulling images from registry
-  # Affects: nginx-mesh-api, nginx-mesh-metrics, nginx-mesh-sidecar, nginx-mesh-init, nginx-mesh-cert-reloader
-  imageTag: "1.1.0"
+  # Affects: nginx-mesh-api, nginx-mesh-cert-reloader, nginx-mesh-init, nginx-mesh-metrics, nginx-mesh-sidecar
+  imageTag: "1.2.0"
 
   # Note: Currently only works with Google Cloud registry.
   # Contents of your Google Cloud JSON key file. Can be set via "--set-file registry.key=<your-key-file>.json"
@@ -96,7 +96,7 @@ mtls:
   # The TTL of certificates issued to workloads in hours(h) or minutes(m).
   svidTTL: "1h"
 
-  # The trust domain of the NGINX Service Mesh.
+  # The trust domain of NGINX Service Mesh.
   trustDomain: "example.org"
 
   # Use persistent storage; "on" assumes that a StorageClass exists.