2 # Copyright © 2019-2021 Orange, Samsung
3 # Copyright © 2022 Deutsche Telekom
5 # Licensed under the Apache License, Version 2.0 (the "License");
6 # you may not use this file except in compliance with the License.
7 # You may obtain a copy of the License at
9 # http://www.apache.org/licenses/LICENSE-2.0
11 # Unless required by applicable law or agreed to in writing, software
12 # distributed under the License is distributed on an "AS IS" BASIS,
13 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 # See the License for the specific language governing permissions and
15 # limitations under the License.
18 Helper function to check, if Ingress is globally enabled
{{/*
  Visible guards: .Values.ingress and .Values.global.ingress must both be
  set, and global.ingress.enabled is read with a false default, so an unset
  flag counts as disabled. The lines that emit the result and close the
  blocks are not part of this listing.
*/}}
20 {{- define "common.ingressEnabled" -}}
21 {{- $dot := default . .dot -}}
22 {{- if $dot.Values.ingress -}}
23 {{- if $dot.Values.global.ingress -}}
24 {{- if (default false $dot.Values.global.ingress.enabled) -}}
32 Helper function to check, if Ingress is enabled
{{/*
  Combines the global switch (global.ingress.enabled) with either
  global.ingress.enable_all or the chart's own ingress.enabled.
  "common.ingress" consumes the result as `if (include ...)`, so any
  non-empty rendering counts as enabled and an empty one as disabled.
  Unset global flags are defaulted to false before they are tested.
*/}}
34 {{- define "common.ingress._enabled" -}}
35 {{- $dot := default . .dot -}}
36 {{- if $dot.Values.ingress -}}
37 {{- if $dot.Values.global.ingress -}}
38 {{- if (default false $dot.Values.global.ingress.enabled) -}}
39 {{- if (default false $dot.Values.global.ingress.enable_all) -}}
42 {{- if $dot.Values.ingress.enabled -}}
52 Helper function to check, if TLS redirect is enabled
{{/*
  TLS redirect is selected only when global.ingress.config.ssl is exactly
  the string "redirect" (eq is case-sensitive). Any other value, including
  a misspelling, leaves the redirect off without an error, so a deployment
  that relies on HTTP->HTTPS redirection should verify the rendered routes.
  NOTE(review): unlike the other helpers in this file, .Values.global.ingress
  is not checked before .config is read; confirm callers only reach this
  helper when global.ingress is set.
*/}}
54 {{- define "common.ingress._tlsRedirect" -}}
55 {{- $dot := default . .dot -}}
56 {{- if $dot.Values.global.ingress.config }}
57 {{- if $dot.Values.global.ingress.config.ssl }}
58 {{- if eq $dot.Values.global.ingress.config.ssl "redirect" }}
66 Helper function to get the Ingress Provider (default is "ingress")
{{/*
  Starts from the default provider "ingress" and replaces it with
  global.ingress.provider when that value is set and non-empty.
  "common.ingress" has visible branches only for "ingress", "istio" and
  "gw-api"; NOTE(review): confirm what happens for any other provider
  string, since no exposure resources would be rendered by those branches.
*/}}
68 {{- define "common.ingress._provider" -}}
69 {{- $dot := default . .dot -}}
70 {{- $provider := "ingress" -}}
71 {{- if $dot.Values.global.ingress -}}
72 {{- if $dot.Values.global.ingress.provider -}}
73 {{- if ne $dot.Values.global.ingress.provider "" -}}
74 {{ $provider = $dot.Values.global.ingress.provider }}
82 Helper function to get the Ingress Class (default is "nginx")
{{/*
  Starts from the default class "nginx" and replaces it with
  global.ingress.ingressClass when that value is set and non-empty.
  The result is interpolated into annotation keys by
  "ingress.config.annotations.ssl" (`{{ $class }}.ingress.kubernetes.io/...`),
  so the value decides which controller's annotations are written; no
  validation of the string is visible here.
*/}}
84 {{- define "common.ingress._class" -}}
85 {{- $dot := default . .dot -}}
86 {{- $class := "nginx" -}}
87 {{- if $dot.Values.global.ingress -}}
88 {{- if $dot.Values.global.ingress.ingressClass -}}
89 {{- if ne $dot.Values.global.ingress.ingressClass "" -}}
90 {{ $class = $dot.Values.global.ingress.ingressClass }}
98 Helper function to get the Ingress Selector (default is "ingress")
{{/*
  Starts from the default selector "ingress" and replaces it with
  global.ingress.ingressSelector when that value is set and non-empty.
  "common.istioIngress" writes the result as the `istio:` label value of
  the generated Gateway, i.e. it picks the gateway workload that will
  serve the exposed hosts.
*/}}
100 {{- define "common.ingress._selector" -}}
101 {{- $dot := default . .dot -}}
102 {{- $selector := "ingress" -}}
103 {{- if $dot.Values.global.ingress -}}
104 {{- if $dot.Values.global.ingress.ingressSelector -}}
105 {{- if ne $dot.Values.global.ingress.ingressSelector "" -}}
106 {{ $selector = $dot.Values.global.ingress.ingressSelector }}
114 Helper function to get the common Gateway, if exists
{{/*
  Uses "-" as the sentinel for "no common gateway" and replaces it with
  global.ingress.commonGateway.name when that is set. Callers compare the
  result with `eq $gateway "-"` to decide whether a per-service Gateway
  has to be created.
*/}}
116 {{- define "common.ingress._commonGateway" -}}
117 {{- $dot := default . .dot -}}
118 {{- $gateway := "-" -}}
119 {{- if $dot.Values.global.ingress -}}
120 {{- if $dot.Values.global.ingress.commonGateway -}}
121 {{- if $dot.Values.global.ingress.commonGateway.name -}}
122 {{ $gateway = $dot.Values.global.ingress.commonGateway.name }}
130 Helper function to get the common Gateway HTTP Listener name, if exists
{{/*
  Default listener name is "http-80". The guard tests commonGateway.name,
  but the value assigned is commonGateway.httpListener.
  NOTE(review): when a common gateway name is configured without
  httpListener, the default is overwritten with an unset value; confirm
  whether `default "http-80"` should wrap the assignment. The result is
  used as `sectionName` in "gwapi.config.route".
*/}}
132 {{- define "common.ingress._gatewayHTTPListener" -}}
133 {{- $dot := default . .dot -}}
134 {{- $listener := "http-80" -}}
135 {{- if $dot.Values.global.ingress -}}
136 {{- if $dot.Values.global.ingress.commonGateway -}}
137 {{- if $dot.Values.global.ingress.commonGateway.name -}}
138 {{ $listener = $dot.Values.global.ingress.commonGateway.httpListener }}
146 Helper function to get the common Gateway HTTPS Listener name, if exists
{{/*
  Default listener name is "https-443". The guard tests commonGateway.name,
  but the value assigned is commonGateway.httpsListener.
  NOTE(review): when a common gateway name is configured without
  httpsListener, the default is overwritten with an unset value, and the
  HTTPS `sectionName` written by "gwapi.config.route" would then not name
  a listener; confirm whether a default should wrap the assignment.
*/}}
148 {{- define "common.ingress._gatewayHTTPSListener" -}}
149 {{- $dot := default . .dot -}}
150 {{- $listener := "https-443" -}}
151 {{- if $dot.Values.global.ingress -}}
152 {{- if $dot.Values.global.ingress.commonGateway -}}
153 {{- if $dot.Values.global.ingress.commonGateway.name -}}
154 {{ $listener = $dot.Values.global.ingress.commonGateway.httpsListener }}
162 Helper function to check the existence of an override value
{{/*
  Parameters (passed as a dict): "currVal" is the current value, "parent"
  the map that may hold an override, "var" the override key name; the line
  that binds $var is not part of this listing.
  When $parent has the key, the value stored under it is rendered (empty
  string if it is unset); the other visible branches render $currValue,
  again with "" as the fallback.
  NOTE(review): a key that is present but empty therefore appears to
  replace the current value with "" rather than keep it - confirm this is
  the intended way to blank out a prefix or suffix.
*/}}
164 {{- define "common.ingress._overrideIfDefined" -}}
165 {{- $currValue := .currVal }}
166 {{- $parent := .parent }}
169 {{- if hasKey $parent $var }}
170 {{- default "" (index $parent $var) }}
172 {{- default "" $currValue -}}
175 {{- default "" $currValue }}
180 Helper function to get the protocol of the service
{{/*
  Derives the protocol of one service entry: "http" by default, "tcp" when
  the entry has tcpRoutes, and the lower-cased .protocol when that is set
  (this last assignment wins because it comes last).
  NOTE(review): the udpRoutes branch also assigns "tcp"; the GW-API
  templates pass "udp" explicitly for udpRoutes, so confirm whether "udp"
  was intended here.
*/}}
182 {{- define "common.ingress._protocol" -}}
183 {{- $dot := default . .dot -}}
184 {{- $protocol := "http" -}}
185 {{- if $dot.tcpRoutes }}
186 {{- $protocol = "tcp" -}}
188 {{- if $dot.udpRoutes }}
189 {{- $protocol = "tcp" -}}
191 {{- if $dot.protocol }}
192 {{- $protocol = (lower $dot.protocol) -}}
198 Create the hostname as the concatenation <baseaddr>.<baseurl>
199 - baseaddr: from component values: ingress.service.baseaddr
200 - baseurl: from values: global.ingress.virtualhost.baseurl
201 which can be overwritten in the component via: ingress.baseurlOverride
{{/*
  Renders the external hostname as <preaddr><baseaddr><postaddr>.<baseurl>.
  - baseaddr (dict parameter) and global.ingress.virtualhost.baseurl are
    mandatory; rendering fails with the given message when either is unset.
  - preaddr/postaddr come from global.ingress.virtualhost and default to "".
  - Each of preaddr, postaddr and baseurl can be replaced per chart through
    ingress.preaddrOverride / postaddrOverride / baseurlOverride.
  The hostname is built purely from values; no check that the pieces form
  a valid DNS name is visible here, so the rendered host is only as
  trustworthy as the values files and --set arguments that feed it.
  NOTE(review): global.ingress.virtualhost is dereferenced without a guard.
*/}}
203 {{- define "ingress.config.host" -}}
204 {{- $dot := default . .dot -}}
205 {{- $baseaddr := (required "'baseaddr' param, set to the specific part of the fqdn, is required." .baseaddr) -}}
206 {{- $preaddr := default "" $dot.Values.global.ingress.virtualhost.preaddr -}}
207 {{- $preaddr := include "common.ingress._overrideIfDefined" (dict "currVal" $preaddr "parent" (default (dict) $dot.Values.ingress) "var" "preaddrOverride") -}}
208 {{- $postaddr := default "" $dot.Values.global.ingress.virtualhost.postaddr -}}
209 {{- $postaddr := include "common.ingress._overrideIfDefined" (dict "currVal" $postaddr "parent" (default (dict) $dot.Values.ingress) "var" "postaddrOverride") -}}
210 {{- $burl := (required "'baseurl' param, set to the generic part of the fqdn, is required." $dot.Values.global.ingress.virtualhost.baseurl) -}}
211 {{- $burl := include "common.ingress._overrideIfDefined" (dict "currVal" $burl "parent" (default (dict) $dot.Values.ingress) "var" "baseurlOverride") -}}
212 {{ printf "%s%s%s.%s" $preaddr $baseaddr $postaddr $burl }}
216 Istio Helper function to add the tls route
{{/*
  Emits the `credentialName` of the TLS secret for an Istio Gateway server.
  The name is global.ingress.config.tls.secret when set; every visible
  fallback branch uses the fixed name "ingress-tls-secret".
  Because all charts share the same default, every exposed host presents
  the certificate stored in that one secret unless the value is overridden.
  Istio looks the secret up next to the gateway workload, so it has to
  exist in that namespace - verify it is provisioned before enabling TLS.
*/}}
218 {{- define "istio.config.tls_simple" -}}
219 {{- $dot := default . .dot -}}
221 {{- if $dot.Values.global.ingress.config }}
222 {{- if $dot.Values.global.ingress.config.tls }}
223 credentialName: {{ default "ingress-tls-secret" $dot.Values.global.ingress.config.tls.secret }}
225 credentialName: "ingress-tls-secret"
228 credentialName: "ingress-tls-secret"
234 Istio Helper function to add the tls route
{{/*
  Adds the TLS part of an Istio Gateway server entry.
  Parameters (dict): "dot" chart context, "service" the service entry,
  "baseaddr" the host prefix; the last two are mandatory.
  - A service with exposedPort and exposedProtocol "TLS" gets the shared
    TLS settings from "istio.config.tls_simple".
  - Otherwise the global switch global.ingress.config.ssl == "redirect"
    is tested inline (same condition as "common.ingress._tlsRedirect") and
    a further entry with the TLS settings and the service host is rendered.
  NOTE(review): the comparison with "TLS" is case-sensitive; a service
  declaring "tls" would skip the first branch. The lines between the
  visible ones are not part of this listing.
*/}}
236 {{- define "istio.config.tls" -}}
237 {{- $dot := default . .dot -}}
238 {{- $service := (required "'service' param, set to the specific service, is required." .service) -}}
239 {{- $baseaddr := (required "'baseaddr' param, set to the specific part of the fqdn, is required." .baseaddr) -}}
240 {{- if $service.exposedPort }}
241 {{- if $service.exposedProtocol }}
242 {{- if eq $service.exposedProtocol "TLS" }}
243 {{ include "istio.config.tls_simple" (dict "dot" $dot ) }}
247 {{- if $dot.Values.global.ingress.config }}
248 {{- if $dot.Values.global.ingress.config.ssl }}
249 {{- if eq $dot.Values.global.ingress.config.ssl "redirect" }}
256 {{ include "istio.config.tls_simple" (dict "dot" $dot ) }}
258 - {{ include "ingress.config.host" (dict "dot" $dot "baseaddr" $baseaddr) }}
266 Istio Helper function to add the external port of the service
{{/*
  Renders the port fields (number / name / protocol) of a Gateway server.
  Here "dot" is the service entry, not the chart context.
  - With exposedPort set, the number is that port; if exposedProtocol is
    also set the name becomes <protocol>-<exposedPort> and the protocol is
    taken verbatim from exposedProtocol, otherwise the name is <protocol>.
  - The remaining visible branch names the port <protocol> only.
  "baseaddr" is required but not used in the visible lines.
*/}}
268 {{- define "istio.config.port" -}}
269 {{- $dot := default . .dot -}}
270 {{- $baseaddr := (required "'baseaddr' param, set to the specific part of the fqdn, is required." .baseaddr) -}}
271 {{- $protocol := (required "'protocol' param, set to the name of the port, is required." .protocol) -}}
272 {{- if $dot.exposedPort }}
273 number: {{ $dot.exposedPort }}
274 {{- if $dot.exposedProtocol }}
275 name: {{ $protocol }}-{{ $dot.exposedPort }}
276 protocol: {{ $dot.exposedProtocol }}
278 name: {{ $protocol }}
283 name: {{ $protocol }}
289 Create Port entry in the Gateway resource
{{/*
  Renders one server entry of an Istio Gateway: the port block from
  "istio.config.port" (called with the service entry as its "dot"), the
  host from "ingress.config.host", and the TLS block from "istio.config.tls".
  Parameters (dict): "dot" chart context, plus the mandatory "service",
  "baseaddr" and "protocol".
*/}}
291 {{- define "istio.config.gatewayPort" -}}
292 {{- $dot := default . .dot -}}
293 {{- $service := (required "'service' param, set to the specific service, is required." .service) -}}
294 {{- $baseaddr := (required "'baseaddr' param, set to the specific part of the fqdn, is required." .baseaddr) -}}
295 {{- $protocol := (required "'protocol' param, set to the specific port, is required." .protocol) -}}
297 {{- include "istio.config.port" (dict "dot" $service "baseaddr" $baseaddr "protocol" $protocol) }}
299 - {{ include "ingress.config.host" (dict "dot" $dot "baseaddr" $baseaddr) }}
300 {{- include "istio.config.tls" (dict "dot" $dot "service" $service "baseaddr" $baseaddr) }}
304 Helper function to add the route to the service
{{/*
  Renders one Ingress rule per entry of .Values.ingress.service: the host
  comes from "ingress.config.host" using the entry's mandatory baseaddr,
  and .port is tested with kindIs "string" so that a named port and a
  numeric port can be written differently.
  Paths use pathType ImplementationSpecific, which leaves matching
  semantics to the ingress controller; when path-based access rules matter,
  check how the deployed controller interprets the configured paths.
*/}}
306 {{- define "ingress.config.port" -}}
307 {{- $dot := default . .dot -}}
308 {{ range $dot.Values.ingress.service }}
309 {{- $baseaddr := (required "'baseaddr' param, set to the specific part of the fqdn, is required." .baseaddr) }}
310 - host: {{ include "ingress.config.host" (dict "dot" $dot "baseaddr" $baseaddr) }}
317 {{- if kindIs "string" .port }}
325 pathType: ImplementationSpecific
330 Istio Helper function to add the route to the service
{{/*
  Renders the route destination of a VirtualService for one service entry
  ("dot" is the service entry). "protocol" is mandatory; only "tcp" and
  "http" have visible branches.
  - tcp: matches on exposedPort and routes to host <name>.
  - http: routes to host <name>.
  In both branches plain_port is tested first and .port is used in the
  other visible branch; a string value is written as a port `name`, any
  other kind as a port `number`.
  NOTE(review): plain_port presumably names the backend's non-TLS port -
  confirm against the charts that set it, since it decides whether traffic
  behind the gateway reaches an encrypted or an unencrypted listener.
*/}}
332 {{- define "istio.config.route" -}}
333 {{- $dot := default . .dot -}}
334 {{- $protocol := (required "'protocol' param, is required." .protocol) -}}
335 {{- if eq $protocol "tcp" }}
337 - port: {{ $dot.exposedPort }}
341 {{- if $dot.plain_port }}
342 {{- if kindIs "string" $dot.plain_port }}
343 name: {{ $dot.plain_port }}
345 number: {{ $dot.plain_port }}
348 {{- if kindIs "string" $dot.port }}
349 name: {{ $dot.port }}
351 number: {{ $dot.port }}
354 host: {{ $dot.name }}
355 {{- else if eq $protocol "http" }}
359 {{- if $dot.plain_port }}
360 {{- if kindIs "string" $dot.plain_port }}
361 name: {{ $dot.plain_port }}
363 number: {{ $dot.plain_port }}
366 {{- if kindIs "string" $dot.port }}
367 name: {{ $dot.port }}
369 number: {{ $dot.port }}
372 host: {{ $dot.name }}
377 Helper function to add ssl annotations
{{/*
  Writes controller annotations according to the chart-level value
  .Values.ingress.config.ssl (not the global one); the annotation prefix is
  the ingress class from "common.ingress._class".
    "redirect": kubernetes.io/ingress.class, ssl-passthrough "true",
                ssl-redirect "true"
    "native"  : ssl-redirect "true"
    "none"    : ssl-redirect "false"
  Points to check when deploying:
  - ssl-passthrough hands the TLS connection to the backend instead of
    terminating it at the controller, so the backend's certificate is what
    clients see; ingress-nginx only honours it when the controller runs
    with --enable-ssl-passthrough.
  - "none" switches the HTTP->HTTPS redirect off, so plain HTTP stays
    reachable for that host.
  - The class annotation is written only in the "redirect" branch; with
    "native" or "none" the Ingress carries no class annotation from here.
  - Any other ssl value matches none of the visible branches.
*/}}
379 {{- define "ingress.config.annotations.ssl" -}}
380 {{- $class := include "common.ingress._class" (dict "dot" .) }}
381 {{- if .Values.ingress.config -}}
382 {{- if .Values.ingress.config.ssl -}}
383 {{- if eq .Values.ingress.config.ssl "redirect" -}}
384 kubernetes.io/ingress.class: {{ $class }}
385 {{ $class }}.ingress.kubernetes.io/ssl-passthrough: "true"
386 {{ $class }}.ingress.kubernetes.io/ssl-redirect: "true"
387 {{- else if eq .Values.ingress.config.ssl "native" -}}
388 {{ $class }}.ingress.kubernetes.io/ssl-redirect: "true"
389 {{- else if eq .Values.ingress.config.ssl "none" -}}
390 {{ $class }}.ingress.kubernetes.io/ssl-redirect: "false"
398 Helper function to add annotations
{{/*
  Renders the annotation block of the Ingress: first everything under
  .Values.ingress.annotations, serialised with toYaml, then the SSL
  annotations from "ingress.config.annotations.ssl".
  The values-supplied annotations are written verbatim, so whoever controls
  the values file controls controller-specific behaviour for this Ingress;
  review which annotations the cluster's ingress controller accepts.
  NOTE(review): a key set in both places would appear twice in the
  rendered map - confirm how the consuming YAML parser resolves that.
*/}}
400 {{- define "ingress.config.annotations" -}}
401 {{- if .Values.ingress -}}
402 {{- if .Values.ingress.annotations -}}
403 {{ toYaml .Values.ingress.annotations | indent 4 | trim }}
406 {{ include "ingress.config.annotations.ssl" . | indent 4 | trim }}
410 Create Istio Ingress resources per defined service
{{/*
  Renders the Istio resources (networking.istio.io/v1beta1) for every
  entry of .Values.ingress.service whose protocol resolves to "http" or
  "tcp"; entries with any other protocol are skipped by the visible `if`.
  - When no common gateway is configured ("-" sentinel) a Gateway named
    <baseaddr>-gateway is created, bound to the workload selected by
    `istio: <selector>`, with one server per tcpRoute or one for the
    service itself.
  - A second resource named <baseaddr>-service carries the host from
    "ingress.config.host" and the routes from "istio.config.route"; it
    references <baseaddr>-gateway when no common gateway is used.
  Resource names are built from baseaddr alone, so two services with the
  same baseaddr in one namespace would collide.
*/}}
412 {{- define "common.istioIngress" -}}
413 {{- $dot := default . .dot -}}
414 {{- $selector := include "common.ingress._selector" (dict "dot" $dot) }}
415 {{- $gateway := include "common.ingress._commonGateway" (dict "dot" $dot) }}
416 {{ range $dot.Values.ingress.service }}
417 {{ if or ( eq (include "common.ingress._protocol" (dict "dot" .)) "http" ) ( eq (include "common.ingress._protocol" (dict "dot" .)) "tcp" )}}
418 {{- $baseaddr := (required "'baseaddr' param, set to the specific part of the fqdn, is required." .baseaddr) }}
419 {{- if eq $gateway "-" }}
421 apiVersion: networking.istio.io/v1beta1
424 name: {{ $baseaddr }}-gateway
427 istio: {{ $selector }}
430 {{ range .tcpRoutes }}
431 {{ include "istio.config.gatewayPort" (dict "dot" $dot "service" . "baseaddr" $baseaddr "protocol" "tcp") | trim }}
435 {{ include "istio.config.gatewayPort" (dict "dot" $dot "service" . "baseaddr" $baseaddr "protocol" .protocol) | trim }}
437 {{ include "istio.config.gatewayPort" (dict "dot" $dot "service" . "baseaddr" $baseaddr "protocol" "http") | trim }}
442 apiVersion: networking.istio.io/v1beta1
445 name: {{ $baseaddr }}-service
448 - {{ include "ingress.config.host" (dict "dot" $dot "baseaddr" $baseaddr) }}
450 {{- if eq $gateway "-" }}
451 - {{ $baseaddr }}-gateway
457 {{ range .tcpRoutes }}
458 {{ include "istio.config.route" (dict "dot" . "protocol" "tcp") | trim }}
463 {{ include "istio.config.route" (dict "dot" . "protocol" .protocol) | trim }}
466 {{ include "istio.config.route" (dict "dot" . "protocol" "http") | trim }}
474 GW-API Helper function to add the tls route
{{/*
  Emits the reference to the TLS secret for a Gateway-API listener.
  The secret name is global.ingress.config.tls.secret when set; every
  visible fallback branch uses the fixed name "ingress-tls-secret".
  All charts share that default, so every listener presents the same
  certificate unless the value is overridden; the secret has to exist
  where the Gateway can read it.
*/}}
476 {{- define "gwapi.config.tls_simple" -}}
477 {{- $dot := default . .dot -}}
479 {{- if $dot.Values.global.ingress.config }}
480 {{- if $dot.Values.global.ingress.config.tls }}
484 name: {{ default "ingress-tls-secret" $dot.Values.global.ingress.config.tls.secret }}
489 name: "ingress-tls-secret"
495 name: "ingress-tls-secret"
501 GW-API Helper function to add the tls route
{{/*
  Adds the TLS part of a Gateway-API listener.
  Parameters (dict): "dot" chart context and the mandatory "service" and
  "baseaddr".
  - A service with exposedPort and exposedProtocol "TLS" gets the shared
    TLS settings from "gwapi.config.tls_simple".
  - When "common.ingress._tlsRedirect" renders non-empty, a further entry
    with the service hostname and the same TLS settings is written.
  NOTE(review): the comparison with "TLS" is case-sensitive, while
  "gwapi.config.listener" upper-cases exposedProtocol before writing it;
  a service declaring "tls" would get a TLS listener protocol but skip
  the first branch here - confirm.
*/}}
503 {{- define "gwapi.config.tls" -}}
504 {{- $dot := default . .dot -}}
505 {{- $service := (required "'service' param, set to the specific service, is required." .service) -}}
506 {{- $baseaddr := (required "'baseaddr' param, set to the specific part of the fqdn, is required." .baseaddr) -}}
507 {{- if $service.exposedPort }}
508 {{- if $service.exposedProtocol }}
509 {{- if eq $service.exposedProtocol "TLS" }}
510 {{ include "gwapi.config.tls_simple" (dict "dot" $dot ) }}
514 {{- if (include "common.ingress._tlsRedirect" (dict "dot" $dot)) }}
518 hostname: {{ include "ingress.config.host" (dict "dot" $dot "baseaddr" $baseaddr) }}
519 {{ include "gwapi.config.tls_simple" (dict "dot" $dot ) }}
525 Create Listener entry in the Gateway resource
{{/*
  Renders one listener of a Gateway-API Gateway.
  Parameters (dict): "dot" chart context and the mandatory "service",
  "baseaddr" and "protocol".
  - The listener is named <protocol>-<port>, where port is the service's
    exposedPort or 80 when that is unset.
  - exposedProtocol, when set, is written upper-cased as the listener
    protocol; the hostname comes from "ingress.config.host".
  - The TLS part is appended through "gwapi.config.tls".
  NOTE(review): the two visible conditions on $service.protocol both
  compare with "tcp", so the `else if` branch can never be taken;
  presumably one of them was meant to be "udp" - confirm, because the
  branch decides which route kinds the listener admits.
*/}}
527 {{- define "gwapi.config.listener" -}}
528 {{- $dot := default . .dot -}}
529 {{- $service := (required "'service' param, set to the specific service, is required." .service) -}}
530 {{- $baseaddr := (required "'baseaddr' param, set to the specific part of the fqdn, is required." .baseaddr) -}}
531 {{- $protocol := (required "'protocol' param, set to the specific port, is required." .protocol) -}}
532 {{- $port := default 80 $service.exposedPort -}}
533 - name: {{ $protocol }}-{{ $port }}
535 {{- if $service.exposedProtocol }}
536 protocol: {{ upper $service.exposedProtocol }}
540 hostname: {{ include "ingress.config.host" (dict "dot" $dot "baseaddr" $baseaddr) }}
544 {{- if eq $service.protocol "tcp" }}
547 {{- else if eq $service.protocol "tcp" }}
551 {{- include "gwapi.config.tls" (dict "dot" $dot "service" $service "baseaddr" $baseaddr) }}
555 Create *Route entry for the Gateway-API
{{/*
  Renders the Gateway-API route for one service entry.
  Parameters (dict): "dot" chart context and the mandatory "service",
  "baseaddr" and "protocol".
  - "udp" and "tcp": a route named <baseaddr>-<exposedPort>-route in API
    version gateway.networking.k8s.io/v1alpha2, attached to the listener
    section udp-<exposedPort> / tcp-<exposedPort>, forwarding to
    <service.name>:<service.port>.
  - "http": a route named <baseaddr>-http-route (v1beta1) for the host from
    "ingress.config.host". It attaches to the HTTPS listener when
    "common.ingress._tlsRedirect" is non-empty, otherwise to the HTTP one.
    With redirect active a second route <baseaddr>-redirect-route is bound
    to the HTTP listener with a RequestRedirect filter.
  - The parent Gateway is <baseaddr>-gateway when no common gateway is
    configured ("-" sentinel); the `namespace` written next to it is
    global.ingress.namespace, default "istio-ingress".
  Deployment checks:
  - A route that attaches to a Gateway in another namespace is only
    accepted when that Gateway's listeners allow routes from the route's
    namespace; verify the shared Gateway's allowedRoutes setting rather
    than assuming the attachment succeeded.
  - Plain HTTP is redirected only if the redirect route is rendered AND
    the HTTP listener name matches; see the listener helpers' defaults.
  - $path is computed from service.path (default "/") but is not used in
    the visible lines.
*/}}
557 {{- define "gwapi.config.route" -}}
558 {{- $dot := default . .dot -}}
559 {{- $service := (required "'service' param, set to the specific service, is required." .service) -}}
560 {{- $baseaddr := (required "'baseaddr' param, set to the specific part of the fqdn, is required." .baseaddr) -}}
561 {{- $protocol := (required "'protocol' param, set to the specific port, is required." .protocol) -}}
562 {{- $gateway := include "common.ingress._commonGateway" (dict "dot" $dot) -}}
563 {{- $namespace := default "istio-ingress" $dot.Values.global.ingress.namespace -}}
564 {{- $path := default "/" $service.path -}}
565 {{- if eq $protocol "udp" -}}
567 apiVersion: gateway.networking.k8s.io/v1alpha2
570 name: {{ $baseaddr }}-{{ $service.exposedPort }}-route
573 - group: gateway.networking.k8s.io
575 {{- if eq $gateway "-" }}
576 name: {{ $baseaddr }}-gateway
580 namespace: {{ $namespace }}
581 sectionName: udp-{{ $service.exposedPort }}
586 name: {{ $service.name }}
587 port: {{ $service.port }}
589 {{- else if eq $protocol "tcp" }}
591 apiVersion: gateway.networking.k8s.io/v1alpha2
594 name: {{ $baseaddr }}-{{ $service.exposedPort }}-route
597 - group: gateway.networking.k8s.io
599 {{- if eq $gateway "-" }}
600 name: {{ $baseaddr }}-gateway
604 namespace: {{ $namespace }}
605 sectionName: tcp-{{ $service.exposedPort }}
610 name: {{ $service.name }}
611 port: {{ $service.port }}
613 {{- else if eq $protocol "http" }}
615 apiVersion: gateway.networking.k8s.io/v1beta1
618 name: {{ $baseaddr }}-http-route
621 - group: gateway.networking.k8s.io
623 {{- if eq $gateway "-" }}
624 name: {{ $baseaddr }}-gateway
628 namespace: {{ $namespace }}
629 {{- if (include "common.ingress._tlsRedirect" (dict "dot" $dot)) }}
630 sectionName: {{ include "common.ingress._gatewayHTTPSListener" (dict "dot" $dot) }}
632 sectionName: {{ include "common.ingress._gatewayHTTPListener" (dict "dot" $dot) }}
635 - {{ include "ingress.config.host" (dict "dot" $dot "baseaddr" $baseaddr) }}
640 name: {{ $service.name }}
641 port: {{ $service.port }}
647 {{- if (include "common.ingress._tlsRedirect" (dict "dot" $dot)) }}
649 apiVersion: gateway.networking.k8s.io/v1beta1
652 name: {{ $baseaddr }}-redirect-route
655 - group: gateway.networking.k8s.io
657 {{- if eq $gateway "-" }}
658 name: {{ $baseaddr }}-gateway
662 namespace: {{ $namespace }}
663 sectionName: {{ include "common.ingress._gatewayHTTPListener" (dict "dot" $dot) }}
665 - {{ include "ingress.config.host" (dict "dot" $dot "baseaddr" $baseaddr) }}
668 - type: RequestRedirect
682 Create GW-API Ingress resources per defined service
{{/*
  Renders the Gateway-API resources for every entry of
  .Values.ingress.service.
  - When no common gateway is configured ("-" sentinel) a Gateway named
    <baseaddr>-gateway (gateway.networking.k8s.io/v1beta1) is created with
    gatewayClassName taken from global.serviceMesh.engine and one listener
    per tcpRoute, per udpRoute, or one for the service itself (its own
    lower-cased .protocol, or "http").
  - The routes are rendered with the same case split through
    "gwapi.config.route".
  $selector is computed but not used in the visible lines.
  NOTE(review): global.serviceMesh.engine is read without a guard or a
  default; confirm it is always set when the "gw-api" provider is selected,
  since it decides which controller implements the Gateway.
*/}}
684 {{- define "common.gwapiIngress" -}}
685 {{- $dot := default . .dot -}}
686 {{- $selector := include "common.ingress._selector" (dict "dot" $dot) }}
687 {{- $gateway := include "common.ingress._commonGateway" (dict "dot" $dot) }}
688 {{ range $dot.Values.ingress.service }}
689 {{- $baseaddr := (required "'baseaddr' param, set to the specific part of the fqdn, is required." .baseaddr) }}
690 {{- if eq $gateway "-" }}
692 apiVersion: gateway.networking.k8s.io/v1beta1
695 name: {{ $baseaddr }}-gateway
697 gatewayClassName: {{ $dot.Values.global.serviceMesh.engine }}
700 {{ range .tcpRoutes }}
701 {{ include "gwapi.config.listener" (dict "dot" $dot "service" . "baseaddr" $baseaddr "protocol" "tcp") | trim }}
703 {{- else if .udpRoutes }}
704 {{ range .udpRoutes }}
705 {{ include "gwapi.config.listener" (dict "dot" $dot "service" . "baseaddr" $baseaddr "protocol" "udp") | trim }}
709 {{ include "gwapi.config.listener" (dict "dot" $dot "service" . "baseaddr" $baseaddr "protocol" (lower .protocol)) | trim }}
711 {{ include "gwapi.config.listener" (dict "dot" $dot "service" . "baseaddr" $baseaddr "protocol" "http") | trim }}
716 {{ range .tcpRoutes }}
717 {{ include "gwapi.config.route" (dict "dot" $dot "service" . "baseaddr" $baseaddr "protocol" "tcp") | trim }}
719 {{- else if .udpRoutes }}
720 {{ range .udpRoutes }}
721 {{ include "gwapi.config.route" (dict "dot" $dot "service" . "baseaddr" $baseaddr "protocol" "udp") | trim }}
725 {{ include "gwapi.config.route" (dict "dot" $dot "service" . "baseaddr" $baseaddr "protocol" (lower .protocol)) | trim }}
727 {{ include "gwapi.config.route" (dict "dot" $dot "service" . "baseaddr" $baseaddr "protocol" "http") | trim }}
734 Create default Ingress resource
{{/*
  Renders a standard Ingress (networking.k8s.io/v1) named
  <fullname>-ingress inside a loop over .Values.ingress.service, with
  annotations from "ingress.config.annotations", rules from
  "ingress.config.port" and chart/release labels.
  TLS section:
  - .Values.ingress.tls, when set, is copied verbatim with toYaml.
  - Otherwise, with ingress.config.tls set, the host from
    "ingress.config.host" is paired with ingress.config.tls.secret. The
    secret name is mandatory and is passed through `tpl`, i.e. the value is
    itself evaluated as a template against the chart context - treat it as
    code supplied by whoever writes the values.
  - With neither value set no TLS entry is rendered from the visible
    lines, so the Ingress would rely on the controller's default
    certificate handling.
  NOTE(review): the protocol test calls "common.ingress._protocol" with
  the chart context ($dot) rather than the current service entry (.), as
  "common.istioIngress" does; the chart context has no tcpRoutes/protocol
  keys, so the test looks like it always yields "http" - confirm.
  NOTE(review): the resource name does not depend on the loop entry, so
  several service entries would render Ingress objects with the same name.
*/}}
736 {{- define "common.nginxIngress" -}}
737 {{- $dot := default . .dot -}}
738 {{ range $dot.Values.ingress.service }}
739 {{ if eq (include "common.ingress._protocol" (dict "dot" $dot)) "http" }}
740 {{ $baseaddr := required "baseaddr" .baseaddr }}
741 apiVersion: networking.k8s.io/v1
744 name: {{ include "common.fullname" $dot }}-ingress
746 {{ include "ingress.config.annotations" $dot }}
748 app: {{ $dot.Chart.Name }}
749 chart: {{ $dot.Chart.Name }}-{{ $dot.Chart.Version | replace "+" "_" }}
750 release: {{ include "common.release" $dot }}
751 heritage: {{ $dot.Release.Service }}
754 {{ include "ingress.config.port" $dot | trim }}
755 {{- if $dot.Values.ingress.tls }}
757 {{ toYaml $dot.Values.ingress.tls | indent 4 }}
759 {{- if $dot.Values.ingress.config -}}
760 {{- if $dot.Values.ingress.config.tls }}
763 - {{ include "ingress.config.host" (dict "dot" $dot "baseaddr" $baseaddr) }}
764 secretName: {{ required "secret" (tpl (default "" $dot.Values.ingress.config.tls.secret) $dot) }}
772 Create ingress template
773 Will create ingress template depending on the following values:
774 - .Values.global.ingress.enabled : enables Ingress globally
775 - .Values.global.ingress.enable_all : override default Ingress for all charts
776 - .Values.ingress.enabled : sets Ingress per chart basis
778 | global.ingress.enabled | global.ingress.enable_all |ingress.enabled | result |
779 |------------------------|---------------------------|----------------|------------|
780 | false | any | any | no ingress |
781 | true | false | false | no ingress |
782 | true | true | any | ingress |
783 | true | false | true | ingress |
785 If ServiceMesh (Ingress-Provider: Istio) is enabled the respective resources
790 If ServiceMesh (Ingress-Provider: GatewayAPI) is enabled the respective resources
793 - HTTPRoute, TCPRoute, UDPRoute (depending)
795 If ServiceMesh is disabled the standard Ingress resource is created:
{{/*
  Entry point: renders the exposure resources for a chart when
  "common.ingress._enabled" yields a non-empty string, dispatching on the
  provider from "common.ingress._provider":
    "ingress" -> "common.nginxIngress"
    "istio"   -> "common.istioIngress"
    "gw-api"  -> "common.gwapiIngress"
  The comparison is exact and case-sensitive. NOTE(review): no branch for
  other provider strings is visible, so a misspelled provider would
  presumably render nothing and leave the service unexposed without an
  error - confirm against the lines that follow in the full file.
*/}}
798 {{- define "common.ingress" -}}
799 {{- $dot := default . .dot -}}
800 {{- $provider := include "common.ingress._provider" (dict "dot" $dot) -}}
801 {{- if (include "common.ingress._enabled" (dict "dot" $dot)) }}
802 {{- if eq $provider "ingress" -}}
803 {{ include "common.nginxIngress" (dict "dot" $dot) }}
804 {{- else if eq $provider "istio" -}}
805 {{ include "common.istioIngress" (dict "dot" $dot) }}
806 {{- else if eq $provider "gw-api" -}}
807 {{ include "common.gwapiIngress" (dict "dot" $dot) }}