From b12dcfb83f9a474a5ef7b85cf46a99dd9c4f147c Mon Sep 17 00:00:00 2001
From: Giovanni Lo Vecchio
Date: Fri, 25 Aug 2023 11:09:28 +0200
Subject: [PATCH 1/4] Added Traefik IngressRoute for the Manager component
---
 charts/core/templates/manager-ingress.yaml | 4 +--
 .../manager-traefik-ingressroute.yaml | 32 +++++++++++++++++++
 charts/core/values.yaml | 1 +
 3 files changed, 35 insertions(+), 2 deletions(-)
 create mode 100644 charts/core/templates/manager-traefik-ingressroute.yaml
diff --git a/charts/core/templates/manager-ingress.yaml b/charts/core/templates/manager-ingress.yaml
index d6e2e335..b9c6d6aa 100644
--- a/charts/core/templates/manager-ingress.yaml
+++ b/charts/core/templates/manager-ingress.yaml
@@ -1,4 +1,4 @@
-{{- if and .Values.manager.enabled .Values.manager.ingress.enabled -}}
+{{- if and .Values.manager.enabled .Values.manager.ingress.enabled (not (.Values.manager.ingress.traefikIngressRoute)) -}}
 {{- if (semverCompare ">=1.19-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
 apiVersion: networking.k8s.io/v1
 kind: Ingress
@@ -68,4 +68,4 @@ spec:
 serviceName: neuvector-service-webui
 servicePort: 8443
 {{- end }}
-{{- end -}}
\ No newline at end of file
+{{- end -}}
diff --git a/charts/core/templates/manager-traefik-ingressroute.yaml b/charts/core/templates/manager-traefik-ingressroute.yaml
new file mode 100644
index 00000000..6e197be7
--- /dev/null
+++ b/charts/core/templates/manager-traefik-ingressroute.yaml
@@ -0,0 +1,32 @@
+{{- if and .Values.manager.enabled .Values.manager.ingress.enabled .Values.manager.ingress.traefikIngressRoute -}}
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+ name: neuvector-webui-ingress
+ namespace: {{ .Release.Namespace }}
+{{- with .Values.manager.ingress.annotations }}
+ annotations:
+{{ toYaml . | indent 4 }}
+{{- end }}
+ labels:
+ chart: {{ template "neuvector.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+spec:
+ entryPoints:
+ - websecure
+ routes:
+ - match: Host(`{{ .Values.manager.ingress.host }}`)
+ kind: Rule
+ services:
+ - name: neuvector-service-webui
+ passHostHeader: true
+ port: 8443
+ scheme: https
+{{- if .Values.manager.ingress.tls }}
+ tls:
+{{- if .Values.manager.ingress.secretName }}
+ secretName: {{ .Values.manager.ingress.secretName }}
+{{- end }}
+{{- end }}
+{{- end -}}
diff --git a/charts/core/values.yaml b/charts/core/values.yaml
index 6f1b36b4..8390d000 100644
--- a/charts/core/values.yaml
+++ b/charts/core/values.yaml
@@ -300,6 +300,7 @@ manager:
 pemFile: tls.pem
 ingress:
 enabled: false
+ traefikIngressRoute: false
 host: # MUST be set, if ingress is enabled
 ingressClassName: ""
 path: "/"
From bc491a3f50d87d8ab236d97f8655bcc2001ebef5 Mon Sep 17 00:00:00 2001
From: Giovanni Lo Vecchio
Date: Fri, 25 Aug 2023 13:14:15 +0200
Subject: [PATCH 2/4] Added Traefik IngressRoute for the Controller and Registry Adapter components
---
 charts/core/templates/controller-ingress.yaml | 6 +-
 .../controller-traefik-ingressroute.yaml | 102 ++++++++++++++++++
 .../manager-traefik-ingressroute.yaml | 2 +-
 .../templates/registry-adapter-ingress.yaml | 2 +-
 ...registry-adapter-traefik-ingressroute.yaml | 32 ++++++
 charts/core/values.yaml | 4 +
 6 files changed, 143 insertions(+), 5 deletions(-)
 create mode 100644 charts/core/templates/controller-traefik-ingressroute.yaml
 create mode 100644 charts/core/templates/registry-adapter-traefik-ingressroute.yaml
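Review bot: The `tls` block at the end of manager-traefik-ingressroute.yaml can render as a bare `tls:` key: when `manager.ingress.tls` is true and `manager.ingress.secretName` is empty, the inner `if` emits nothing, so the value is null rather than a mapping. An empty mapping (`tls: {}`) is the usual way to turn TLS on for a Traefik route without naming a secret; a null value is likely dropped, and with `tls: false` no block is rendered at all, so in both cases the web console route depends on whatever the `websecure` entry point does by default. Emit `tls: {}` when no secret name is set so the route is explicitly TLS-only. The same block is repeated in the three routes of controller-traefik-ingressroute.yaml and in registry-adapter-traefik-ingressroute.yaml in patch 2/4.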
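Review bot: The new `traefikIngressRoute` key in values.yaml is added without a comment, so nothing tells the reader that it replaces the Kubernetes Ingress with a Traefik CRD object. A comment such as `# render a Traefik IngressRoute instead of an Ingress; needs the Traefik CRDs, ingressClassName is not used` would cover it; the IngressRoute template added in this patch never reads `ingressClassName`. The `ingress:` mapping continues past the end of the hunk, and the same undocumented key is added four more times by the values.yaml hunks of patch 2/4.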
diff --git a/charts/core/templates/controller-ingress.yaml b/charts/core/templates/controller-ingress.yaml
index b36fbbdc..c0e5175e 100644
--- a/charts/core/templates/controller-ingress.yaml
+++ b/charts/core/templates/controller-ingress.yaml
@@ -1,5 +1,5 @@
 {{- if .Values.controller.enabled }}
-{{- if .Values.controller.ingress.enabled }}
+{{- if and .Values.controller.ingress.enabled (not (.Values.controller.ingress.traefikIngressRoute)) }}
 {{- if (semverCompare ">=1.19-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
 apiVersion: networking.k8s.io/v1
 kind: Ingress
@@ -70,7 +70,7 @@ spec:
 servicePort: 10443
 {{- end }}
 {{- end }}
-{{- if .Values.controller.federation.mastersvc.ingress.enabled }}
+{{- if and .Values.controller.federation.mastersvc.ingress.enabled (not (.Values.controller.federation.mastersvc.ingress.traefikIngressRoute)) }}
 {{- if (semverCompare ">=1.19-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
 ---
 apiVersion: networking.k8s.io/v1
@@ -143,7 +143,7 @@ spec:
 servicePort: 11443
 {{- end }}
 {{- end }}
-{{- if .Values.controller.federation.managedsvc.ingress.enabled }}
+{{- if and .Values.controller.federation.managedsvc.ingress.enabled (not (.Values.controller.federation.managedsvc.ingress.traefikIngressRoute)) }}
 {{- if (semverCompare ">=1.19-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
 ---
 apiVersion: networking.k8s.io/v1
diff --git a/charts/core/templates/controller-traefik-ingressroute.yaml b/charts/core/templates/controller-traefik-ingressroute.yaml
new file mode 100644
index 00000000..8d78abda
--- /dev/null
+++ b/charts/core/templates/controller-traefik-ingressroute.yaml
@@ -0,0 +1,102 @@
+{{- if .Values.controller.enabled }}
+---
+{{- if and .Values.controller.ingress.enabled .Values.controller.ingress.traefikIngressRoute }}
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+ name: neuvector-restapi-ingress
+ namespace: {{ .Release.Namespace }}
+{{- with .Values.controller.ingress.annotations }}
+ annotations:
+{{ toYaml . | indent 4 }}
+{{- end }}
+ labels:
+ chart: {{ template "neuvector.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+spec:
+ entryPoints:
+ - websecure
+ routes:
+ - match: Host(`{{ .Values.controller.ingress.host }}`) && PathPrefix(`{{ .Values.controller.ingress.path }}`)
+ kind: Rule
+ services:
+ - name: neuvector-svc-controller-api
+ passHostHeader: true
+ port: 10443
+ scheme: https
+{{- if .Values.controller.ingress.tls }}
+ tls:
+{{- if .Values.controller.ingress.secretName }}
+ secretName: {{ .Values.controller.ingress.secretName }}
+{{- end }}
+{{- end }}
+{{- end }}
+---
+{{- if and .Values.controller.federation.mastersvc.ingress.enabled .Values.controller.federation.mastersvc.ingress.traefikIngressRoute }}
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+ name: neuvector-mastersvc-ingress
+ namespace: {{ .Release.Namespace }}
+{{- with .Values.controller.federation.mastersvc.ingress.annotations }}
+ annotations:
+{{ toYaml . | indent 4 }}
+{{- end }}
+ labels:
+ chart: {{ template "neuvector.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+spec:
+ entryPoints:
+ - websecure
+ routes:
+ - match: Host(`{{ .Values.controller.federation.mastersvc.ingress.host }}`) && PathPrefix(`{{ .Values.controller.federation.mastersvc.ingress.path }}`)
+ kind: Rule
+ services:
+ - name: neuvector-svc-controller-fed-master
+ passHostHeader: true
+ port: 11443
+ scheme: https
+{{- if .Values.controller.federation.mastersvc.ingress.tls }}
+ tls:
+{{- if .Values.controller.ingress.secretName }}
+ secretName: {{ .Values.controller.federation.mastersvc.ingress.secretName }}
+{{- end }}
+{{- end }}
+{{- end }}
+---
+{{- if and .Values.controller.federation.managedsvc.ingress.enabled .Values.controller.federation.managedsvc.ingress.traefikIngressRoute }}
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+ name: neuvector-managedsvc-ingress
+ namespace: {{ .Release.Namespace }}
+{{- with .Values.controller.federation.managedsvc.ingress.annotations }}
+ annotations:
+{{ toYaml . | indent 4 }}
+{{- end }}
+ labels:
+ chart: {{ template "neuvector.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+spec:
+ entryPoints:
+ - websecure
+ routes:
+ - match: Host(`{{ .Values.controller.federation.managedsvc.ingress.host }}`) && PathPrefix(`{{ .Values.controller.federation.managedsvc.ingress.path }}`)
+ kind: Rule
+ services:
+ - name: neuvector-svc-controller-fed-managed
+ passHostHeader: true
+ port: 10443
+ scheme: https
+{{- if .Values.controller.federation.managedsvc.ingress.tls }}
+ tls:
+{{- if .Values.controller.federation.managedsvc.ingress.secretName }}
+ secretName: {{ .Values.controller.federation.managedsvc.ingress.secretName }}
+{{- end }}
+{{- end }}
+{{- end }}
+---
+{{- end -}}
diff --git a/charts/core/templates/manager-traefik-ingressroute.yaml b/charts/core/templates/manager-traefik-ingressroute.yaml
index 6e197be7..417d9382 100644
--- a/charts/core/templates/manager-traefik-ingressroute.yaml
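Review bot: All three `match` rules in controller-traefik-ingressroute.yaml interpolate `ingress.host` unchecked, while values.yaml ships that key empty with the comment "MUST be set, if ingress is enabled". With the default the rule appears to render with an empty `Host()` argument, and the mistake only surfaces inside Traefik, if at all. For routes that publish the controller REST API and the federation ports it is cheaper to fail at render time: ``Host(`{{ required "controller.ingress.host must be set" .Values.controller.ingress.host }}`)``, and likewise for the mastersvc and managedsvc hosts. The manager and registry-adapter IngressRoute templates have the same unguarded host.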
+++ b/charts/core/templates/manager-traefik-ingressroute.yaml
@@ -16,7 +16,7 @@ spec:
 entryPoints:
 - websecure
 routes:
- - match: Host(`{{ .Values.manager.ingress.host }}`)
+ - match: Host(`{{ .Values.manager.ingress.host }}`) && PathPrefix(`{{ .Values.cve.adapter.ingress.path }}`)
 kind: Rule
 services:
 - name: neuvector-service-webui
diff --git a/charts/core/templates/registry-adapter-ingress.yaml b/charts/core/templates/registry-adapter-ingress.yaml
index 22c7244a..28a78d71 100644
--- a/charts/core/templates/registry-adapter-ingress.yaml
+++ b/charts/core/templates/registry-adapter-ingress.yaml
@@ -1,6 +1,6 @@
 {{- if .Values.cve.adapter.enabled -}}
-{{- if .Values.cve.adapter.ingress.enabled }}
+{{- if and .Values.cve.adapter.ingress.enabled (not (.Values.cve.adapter.ingress.traefikIngressRoute)) }}
 {{- if (semverCompare ">=1.19-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
 apiVersion: networking.k8s.io/v1
 kind: Ingress
diff --git a/charts/core/templates/registry-adapter-traefik-ingressroute.yaml b/charts/core/templates/registry-adapter-traefik-ingressroute.yaml
new file mode 100644
index 00000000..916100e7
--- /dev/null
+++ b/charts/core/templates/registry-adapter-traefik-ingressroute.yaml
@@ -0,0 +1,32 @@
+{{- if and .Values.cve.adapter.ingress.enabled .Values.cve.adapter.ingress.traefikIngressRoute -}}
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+ name: neuvector-registry-adapter-ingress
+ namespace: {{ .Release.Namespace }}
+{{- with .Values.cve.adapter.ingress.annotations }}
+ annotations:
+{{ toYaml . | indent 4 }}
+{{- end }}
+ labels:
+ chart: {{ template "neuvector.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+spec:
+ entryPoints:
+ - websecure
+ routes:
+ - match: Host(`{{ .Values.cve.adapter.ingress.host }}`) && PathPrefix(`{{ .Values.cve.adapter.ingress.path }}`)
+ kind: Rule
+ services:
+ - name: neuvector-service-registry-adapter
+ passHostHeader: true
+ port: 9443
+ scheme: https
+{{- if .Values.cve.adapter.ingress.tls }}
+ tls:
+{{- if .Values.cve.adapter.ingress.secretName }}
+ secretName: {{ .Values.cve.adapter.ingress.secretName }}
+{{- end }}
+{{- end }}
+{{- end -}}
diff --git a/charts/core/values.yaml b/charts/core/values.yaml
index 8390d000..27d94c9a 100644
--- a/charts/core/values.yaml
+++ b/charts/core/values.yaml
@@ -107,6 +107,7 @@ controller:
 # Federation Master Ingress
 ingress:
 enabled: false
+ traefikIngressRoute: false
 host: # MUST be set, if ingress is enabled
 ingressClassName: ""
 path: "/" # or this could be "/api", but might need "rewrite-target" annotation
@@ -140,6 +141,7 @@ controller:
 # Federation Managed Ingress
 ingress:
 enabled: false
+ traefikIngressRoute: false
 host: # MUST be set, if ingress is enabled
 ingressClassName: ""
 path: "/" # or this could be "/api", but might need "rewrite-target" annotation
@@ -170,6 +172,7 @@ controller:
 # -----END PRIVATE KEY-----
 ingress:
 enabled: false
+ traefikIngressRoute: false
 host: # MUST be set, if ingress is enabled
 ingressClassName: ""
 path: "/" # or this could be "/api", but might need "rewrite-target" annotation
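Review bot: The outer guard of registry-adapter-traefik-ingressroute.yaml tests only `cve.adapter.ingress.enabled` and `cve.adapter.ingress.traefikIngressRoute`, whereas registry-adapter-ingress.yaml wraps its Ingress in `{{- if .Values.cve.adapter.enabled -}}`. With the adapter switched off and the ingress values left on, this file still renders a host rule routing to `neuvector-service-registry-adapter` on port 9443, a service the chart presumably does not create in that case. Add the component switch to the guard: `{{- if and .Values.cve.adapter.enabled .Values.cve.adapter.ingress.enabled .Values.cve.adapter.ingress.traefikIngressRoute -}}`.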
@@ -387,6 +390,7 @@ cve:
 # -----END PRIVATE KEY-----
 ingress:
 enabled: false
+ traefikIngressRoute: false
 host: # MUST be set, if ingress is enabled
 ingressClassName: ""
 path: "/"
From 70ca06c140ad8062240382548b5586804118d9f2 Mon Sep 17 00:00:00 2001
From: Giovanni Lo Vecchio
Date: Fri, 25 Aug 2023 13:17:15 +0200
Subject: [PATCH 3/4] Fixed templates/manager-traefik-ingressroute.yaml PathPrefix
---
 charts/core/templates/manager-traefik-ingressroute.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/charts/core/templates/manager-traefik-ingressroute.yaml b/charts/core/templates/manager-traefik-ingressroute.yaml
index 417d9382..1cb77291 100644
--- a/charts/core/templates/manager-traefik-ingressroute.yaml
+++ b/charts/core/templates/manager-traefik-ingressroute.yaml
@@ -16,7 +16,7 @@ spec:
 entryPoints:
 - websecure
 routes:
- - match: Host(`{{ .Values.manager.ingress.host }}`) && PathPrefix(`{{ .Values.cve.adapter.ingress.path }}`)
+ - match: Host(`{{ .Values.manager.ingress.host }}`) && PathPrefix(`{{ .Values.manager.ingress.path }}`)
 kind: Rule
 services:
 - name: neuvector-service-webui
From 4c104f780a4156ec30b3d59b84c0d09ca9342620 Mon Sep 17 00:00:00 2001
From: Giovanni Lo Vecchio
Date: Fri, 25 Aug 2023 13:19:46 +0200
Subject: [PATCH 4/4] Fixed templates/controller-traefik-ingressroute.yaml secretName
---
 charts/core/templates/controller-traefik-ingressroute.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/charts/core/templates/controller-traefik-ingressroute.yaml b/charts/core/templates/controller-traefik-ingressroute.yaml
index 8d78abda..ef2be282 100644
--- a/charts/core/templates/controller-traefik-ingressroute.yaml
+++ b/charts/core/templates/controller-traefik-ingressroute.yaml
@@ -60,7 +60,7 @@ spec:
 scheme: https
 {{- if .Values.controller.federation.mastersvc.ingress.tls }}
 tls:
-{{- if .Values.controller.ingress.secretName }}
+{{- if .Values.controller.federation.mastersvc.ingress.secretName }}
 secretName: {{ .Values.controller.federation.mastersvc.ingress.secretName }}
 {{- end }}
 {{- end }}