From 21c6073c22cb152403c5221a6ff8278bcb19c829 Mon Sep 17 00:00:00 2001
From: GeorgeRaven
Date: Sun, 22 Jun 2025 14:31:38 +0100
Subject: [PATCH] Split controller from configuration
---
 charts/envoy-gateway-controller/.helmignore | 23 +++++
 charts/envoy-gateway-controller/Chart.lock | 6 ++
 charts/envoy-gateway-controller/Chart.yaml | 13 +++
 charts/envoy-gateway-controller/README.md | 41 ++++++++
 charts/envoy-gateway-controller/values.yaml | 43 +++++++++
 charts/envoy-gateway/Chart.lock | 6 --
 charts/envoy-gateway/Chart.yaml | 6 --
 charts/envoy-gateway/README.md | 30 +-----
 charts/envoy-gateway/values.yaml | 44 +--------
 .../templates/envoy-gateway-controller.yaml | 93 +++++++++++++++++++
 .../templates/envoy-gateway.yaml | 15 +--
 11 files changed, 228 insertions(+), 92 deletions(-)
 create mode 100644 charts/envoy-gateway-controller/.helmignore
 create mode 100644 charts/envoy-gateway-controller/Chart.lock
 create mode 100644 charts/envoy-gateway-controller/Chart.yaml
 create mode 100644 charts/envoy-gateway-controller/README.md
 create mode 100644 charts/envoy-gateway-controller/values.yaml
 delete mode 100644 charts/envoy-gateway/Chart.lock
 create mode 100644 charts/infrastructure/templates/envoy-gateway-controller.yaml
diff --git a/charts/envoy-gateway-controller/.helmignore b/charts/envoy-gateway-controller/.helmignore
new file mode 100644
index 00000000..0e8a0eb3
--- /dev/null
+++ b/charts/envoy-gateway-controller/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/charts/envoy-gateway-controller/Chart.lock b/charts/envoy-gateway-controller/Chart.lock
new file mode 100644
index 00000000..842f7fec
--- /dev/null
+++ b/charts/envoy-gateway-controller/Chart.lock
@@ -0,0 +1,6 @@
+dependencies:
+- name: gateway-helm
+ repository: oci://docker.io/envoyproxy
+ version: v1.4.1
+digest: sha256:033c3f49f2642c2c50bed2a0169bbef8da4aa29d5296430c3a3d170a82deeaa3
+generated: "2025-06-22T14:29:46.146880015+01:00"
diff --git a/charts/envoy-gateway-controller/Chart.yaml b/charts/envoy-gateway-controller/Chart.yaml
new file mode 100644
index 00000000..c562d0f2
--- /dev/null
+++ b/charts/envoy-gateway-controller/Chart.yaml
@@ -0,0 +1,13 @@
+apiVersion: v2
+name: envoy-gateway-controller
+description: A Helm chart for Kubernetes
+type: application
+version: 0.1.0
+appVersion: "1.16.0"
+
+dependencies:
+- alias: envoy-gateway-controller
+ name: gateway-helm
+ # https://gateway.envoyproxy.io/news/releases/matrix/
+ version: v1.4.1
+ repository: "oci://docker.io/envoyproxy"
diff --git a/charts/envoy-gateway-controller/README.md b/charts/envoy-gateway-controller/README.md
new file mode 100644
index 00000000..d839b538
--- /dev/null
+++ b/charts/envoy-gateway-controller/README.md
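Review bot: `appVersion: "1.16.0"` and `description: A Helm chart for Kubernetes` in the new Chart.yaml are the `helm create` scaffold defaults and do not describe what this chart deploys; the only thing it packages is gateway-helm v1.4.1, so the README badge generated from `appVersion` advertises a version that appears nowhere in the dependency tree. Suggest `appVersion: "1.4.1"` (or whichever Envoy Gateway version gateway-helm v1.4.1 ships, if the two differ) and a description such as `Wrapper chart pinning the Envoy Gateway controller (gateway-helm)`. Pinning the OCI dependency by exact version with the digest recorded in Chart.lock is the right supply-chain posture; keep the lock file committed alongside future version bumps so the pulled artifact stays verifiable.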
@@ -0,0 +1,41 @@
+# envoy-gateway
+
+![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.16.0](https://img.shields.io/badge/AppVersion-1.16.0-informational?style=flat-square)
+
+A Helm chart for Kubernetes
+
+## Requirements
+
+| Repository | Name | Version |
+|------------|------|---------|
+| oci://docker.io/envoyproxy | envoy-gateway(gateway-helm) | v1.4.1 |
+
+## Values
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| envoy-gateway.deployment.envoyGateway.resources.limits.memory | string | `"256Mi"` | |
+| envoy-gateway.deployment.envoyGateway.resources.requests.cpu | string | `"100m"` | |
+| envoy-gateway.deployment.envoyGateway.resources.requests.memory | string | `"256Mi"` | |
+| envoy-gateway.hpa.behavior.scaleDown.policies[0].periodSeconds | int | `15` | |
+| envoy-gateway.hpa.behavior.scaleDown.policies[0].type | string | `"Percent"` | |
+| envoy-gateway.hpa.behavior.scaleDown.policies[0].value | int | `100` | |
+| envoy-gateway.hpa.behavior.scaleDown.selectPolicy | string | `"Max"` | |
+| envoy-gateway.hpa.behavior.scaleDown.stabilizationWindowSeconds | int | `300` | |
+| envoy-gateway.hpa.behavior.scaleUp.policies[0].periodSeconds | int | `15` | |
+| envoy-gateway.hpa.behavior.scaleUp.policies[0].type | string | `"Percent"` | |
+| envoy-gateway.hpa.behavior.scaleUp.policies[0].value | int | `100` | |
+| envoy-gateway.hpa.behavior.scaleUp.policies[1].periodSeconds | int | `15` | |
+| envoy-gateway.hpa.behavior.scaleUp.policies[1].type | string | `"Pods"` | |
+| envoy-gateway.hpa.behavior.scaleUp.policies[1].value | int | `4` | |
+| envoy-gateway.hpa.behavior.scaleUp.selectPolicy | string | `"Max"` | |
+| envoy-gateway.hpa.behavior.scaleUp.stabilizationWindowSeconds | int | `0` | |
+| envoy-gateway.hpa.enabled | bool | `true` | |
+| envoy-gateway.hpa.maxReplicas | int | `5` | |
+| envoy-gateway.hpa.metrics[0].resource.name | string | `"cpu"` | |
+| envoy-gateway.hpa.metrics[0].resource.target.averageUtilization | int | `80` | |
+| envoy-gateway.hpa.metrics[0].resource.target.type | string | `"Utilization"` | |
+| envoy-gateway.hpa.metrics[0].type | string | `"Resource"` | |
+| envoy-gateway.hpa.minReplicas | int | `3` | |
+| envoy-gateway.podDistruptionBudget.minAvailable | int | `1` | |
+
diff --git a/charts/envoy-gateway-controller/values.yaml b/charts/envoy-gateway-controller/values.yaml
new file mode 100644
index 00000000..8aed03a8
--- /dev/null
+++ b/charts/envoy-gateway-controller/values.yaml
@@ -0,0 +1,43 @@
+envoy-gateway-controller:
+
+ deployment:
+ envoyGateway:
+ resources:
+ limits:
+ memory: 256Mi # default is 1024Mi
+ requests:
+ cpu: 100m
+ memory: 256Mi
+
+ hpa:
+ enabled: true
+ minReplicas: 3
+ maxReplicas: 5
+ metrics:
+ - type: Resource
+ resource:
+ name: cpu
+ target:
+ averageUtilization: 80
+ type: Utilization
+ behavior:
+ scaleDown:
+ stabilizationWindowSeconds: 300
+ policies:
+ - type: Percent
+ value: 100
+ periodSeconds: 15
+ selectPolicy: Max
+ scaleUp:
+ stabilizationWindowSeconds: 0
+ policies:
+ - type: Percent
+ value: 100
+ periodSeconds: 15
+ - type: Pods
+ value: 4
+ periodSeconds: 15
+ selectPolicy: Max
+
+ podDistruptionBudget:
+ minAvailable: 1
diff --git a/charts/envoy-gateway/Chart.lock b/charts/envoy-gateway/Chart.lock
deleted file mode 100644
index 3e593550..00000000
--- a/charts/envoy-gateway/Chart.lock
+++ /dev/null
@@ -1,6 +0,0 @@
-dependencies:
-- name: gateway-helm
- repository: oci://docker.io/envoyproxy
- version: v1.4.1
-digest: sha256:6c7b2cadacc5deb812a239ef3cf642e2c98b8d56310954c30c24d233beb97e68
-generated: "2025-06-22T12:09:47.981924268+01:00"
diff --git a/charts/envoy-gateway/Chart.yaml b/charts/envoy-gateway/Chart.yaml
index 9509f4de..7318e76e 100644
--- a/charts/envoy-gateway/Chart.yaml
+++ b/charts/envoy-gateway/Chart.yaml
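Review bot: `podDistruptionBudget` on the last two lines of the values.yaml hunk looks misspelled, and Helm forwards unknown subchart keys without complaint, so if the gateway-helm values key is `podDisruptionBudget` this stanza is silently ignored and no PodDisruptionBudget is created for the controller, leaving the `minReplicas: 3` / `maxReplicas: 5` HPA above it without the availability floor the block intends. The same spelling is inherited from the charts/envoy-gateway/values.yaml this commit deletes, so it may have been a no-op all along; confirm against the subchart's own values (for example `helm show values oci://docker.io/envoyproxy/gateway-helm --version v1.4.1`) rather than assuming the move preserved a working configuration. If it is a typo the fix is the single line `podDisruptionBudget:`, and the generated README row that repeats the misspelling will follow once helm-docs is re-run.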
@@ -4,9 +4,3 @@ description: A Helm chart for Kubernetes
 type: application
 version: 0.1.0
 appVersion: "1.16.0"
-
-dependencies:
-- alias: envoy-gateway
- name: gateway-helm
- version: v1.4.1
- repository: "oci://docker.io/envoyproxy"
diff --git a/charts/envoy-gateway/README.md b/charts/envoy-gateway/README.md
index d839b538..d9aef4b3 100644
--- a/charts/envoy-gateway/README.md
+++ b/charts/envoy-gateway/README.md
@@ -8,34 +8,14 @@ A Helm chart for Kubernetes
 | Repository | Name | Version |
 |------------|------|---------|
-| oci://docker.io/envoyproxy | envoy-gateway(gateway-helm) | v1.4.1 |
+| https://charts.bitnami.com/bitnami | envoy-gateway | 2.5.15 |
 ## Values
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
-| envoy-gateway.deployment.envoyGateway.resources.limits.memory | string | `"256Mi"` | |
-| envoy-gateway.deployment.envoyGateway.resources.requests.cpu | string | `"100m"` | |
-| envoy-gateway.deployment.envoyGateway.resources.requests.memory | string | `"256Mi"` | |
-| envoy-gateway.hpa.behavior.scaleDown.policies[0].periodSeconds | int | `15` | |
-| envoy-gateway.hpa.behavior.scaleDown.policies[0].type | string | `"Percent"` | |
-| envoy-gateway.hpa.behavior.scaleDown.policies[0].value | int | `100` | |
-| envoy-gateway.hpa.behavior.scaleDown.selectPolicy | string | `"Max"` | |
-| envoy-gateway.hpa.behavior.scaleDown.stabilizationWindowSeconds | int | `300` | |
-| envoy-gateway.hpa.behavior.scaleUp.policies[0].periodSeconds | int | `15` | |
-| envoy-gateway.hpa.behavior.scaleUp.policies[0].type | string | `"Percent"` | |
-| envoy-gateway.hpa.behavior.scaleUp.policies[0].value | int | `100` | |
-| envoy-gateway.hpa.behavior.scaleUp.policies[1].periodSeconds | int | `15` | |
-| envoy-gateway.hpa.behavior.scaleUp.policies[1].type | string | `"Pods"` | |
-| envoy-gateway.hpa.behavior.scaleUp.policies[1].value | int | `4` | |
-| envoy-gateway.hpa.behavior.scaleUp.selectPolicy | string | `"Max"` | |
-| envoy-gateway.hpa.behavior.scaleUp.stabilizationWindowSeconds | int | `0` | |
-| envoy-gateway.hpa.enabled | bool | `true` | |
-| envoy-gateway.hpa.maxReplicas | int | `5` | |
-| envoy-gateway.hpa.metrics[0].resource.name | string | `"cpu"` | |
-| envoy-gateway.hpa.metrics[0].resource.target.averageUtilization | int | `80` | |
-| envoy-gateway.hpa.metrics[0].resource.target.type | string | `"Utilization"` | |
-| envoy-gateway.hpa.metrics[0].type | string | `"Resource"` | |
-| envoy-gateway.hpa.minReplicas | int | `3` | |
-| envoy-gateway.podDistruptionBudget.minAvailable | int | `1` | |
+| envoy-gateway.createController | bool | `true` | |
+| envoy-gateway.ingress.enabled | bool | `false` | |
+| envoy-gateway.ingress.hostname | string | `"secrets.deepcypher.me"` | |
+| envoy-gateway.networkPolicy.enabled | bool | `true` | |
diff --git a/charts/envoy-gateway/values.yaml b/charts/envoy-gateway/values.yaml
index a14f11e4..514302d4 100644
--- a/charts/envoy-gateway/values.yaml
+++ b/charts/envoy-gateway/values.yaml
@@ -1,43 +1 @@
-envoy-gateway:
-
- deployment:
- envoyGateway:
- resources:
- limits:
- memory: 256Mi # default is 1024Mi
- requests:
- cpu: 100m
- memory: 256Mi
-
- hpa:
- enabled: true
- minReplicas: 3
- maxReplicas: 5
- metrics:
- - type: Resource
- resource:
- name: cpu
- target:
- averageUtilization: 80
- type: Utilization
- behavior:
- scaleDown:
- stabilizationWindowSeconds: 300
- policies:
- - type: Percent
- value: 100
- periodSeconds: 15
- selectPolicy: Max
- scaleUp:
- stabilizationWindowSeconds: 0
- policies:
- - type: Percent
- value: 100
- periodSeconds: 15
- - type: Pods
- value: 4
- periodSeconds: 15
- selectPolicy: Max
-
- podDistruptionBudget:
- minAvailable: 1
+envoy-gateway: {}
diff --git a/charts/infrastructure/templates/envoy-gateway-controller.yaml b/charts/infrastructure/templates/envoy-gateway-controller.yaml
new file mode 100644
index 00000000..f028a93c
--- /dev/null
+++ b/charts/infrastructure/templates/envoy-gateway-controller.yaml
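Review bot: The surviving `envoy-gateway: {}` key has nothing to bind to once this commit also deletes the `dependencies` block (and Chart.lock) from charts/envoy-gateway, so anything placed under it is discarded rather than forwarded to a subchart; either the key should go, or the dependency that consumes it is missing from the commit. The updated charts/envoy-gateway/README.md in the same patch suggests the latter: it documents a bitnami `envoy-gateway 2.5.15` requirement and keys such as `envoy-gateway.createController` and `envoy-gateway.ingress.hostname` that neither Chart.yaml nor this values file defines, which reads as a README generated from a different chart. Reconcile the three files before merge, since the infrastructure Application now points at a chart whose rendered output cannot be determined from the diff.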
@@ -0,0 +1,93 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ # annotations:
+ # volsync.backube/privileged-movers: "true"
+ labels:
+ kubernetes.io/metadata.name: envoy-gateway-system
+ name: envoy-gateway-system
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: envoy-gateway-controller
+ namespace: argocd
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+spec:
+ ignoreDifferences:
+ # ignore deployment .spec.replicas as it is managed by HPA
+ - group: 'apps'
+ kind: Deployment
+ name: envoy-gateway-controller
+ jsonPointers:
+ - /spec/replicas
+ destination:
+ name: ''
+ namespace: envoy-gateway-system
+ server: 'https://kubernetes.default.svc'
+ source:
+ path: charts/envoy-gateway-controller
+ repoURL: {{ .Values.global.repo }}
+ targetRevision: {{ .Values.environment.revision }}
+ helm:
+ values: |
+ {{- include "defaultEnvironment" . | indent 8 }}
+ {{- if eq .Values.environment.mode "staging" }}
+ {{- else if eq .Values.environment.mode "production" }}
+ {{- end }}
+ #project: envoy-gateway-controller
+ project: default
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ syncOptions:
+ - CreateNamespace=true
+ - ApplyOutOfSyncOnly=true
+ - ServerSideApply=true
+ - RespectIgnoreDifferences=true
+---
+apiVersion: argoproj.io/v1alpha1
+kind: AppProject
+metadata:
+ name: envoy-gateway-controller
+ namespace: argocd
+ # Finalizer that ensures that project is not deleted until it is not referenced by any application
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+spec:
+ description: Infra-level project to isolate envoy-gateway-controller
+ # Allow manifests to deploy from any Git repos
+ sourceRepos:
+ - '*'
+ # Only permit applications to deploy to the guestbook namespace in the same cluster
+ destinations:
+ - namespace: envoy-gateway-controller
+ server: https://kubernetes.default.svc
+ # Deny all cluster-scoped resources from being created, except for Namespace
+ clusterResourceWhitelist:
+ - group: ''
+ kind: Namespace
+ # Allow all namespaced-scoped resources to be created, except for ResourceQuota, LimitRange, NetworkPolicy
+ namespaceResourceBlacklist:
+ - group: ''
+ kind: ResourceQuota
+ - group: ''
+ kind: LimitRange
+ #- group: ''
+ # kind: NetworkPolicy
+ # # Deny all namespaced-scoped resources from being created, except for Deployment and StatefulSet
+ # namespaceResourceWhitelist:
+ # - group: 'apps'
+ # kind: Deployment
+ # - group: 'apps'
+ # kind: StatefulSet
+ roles:
+ # A role which provides read-only access to all applications in the project
+ - name: read-only
+ description: Read-only privileges to envoy-gateway-controller
+ policies:
+ - p, proj:my-project:read-only, applications, get, envoy-gateway-controller/*, allow
+ groups:
+ - my-oidc-group
diff --git a/charts/infrastructure/templates/envoy-gateway.yaml b/charts/infrastructure/templates/envoy-gateway.yaml
index 8d137a52..c5cadb19 100644
--- a/charts/infrastructure/templates/envoy-gateway.yaml
+++ b/charts/infrastructure/templates/envoy-gateway.yaml
@@ -4,8 +4,8 @@ metadata:
 # annotations:
 # volsync.backube/privileged-movers: "true"
 labels:
- kubernetes.io/metadata.name: envoy-gateway-system
- name: envoy-gateway-system
+ kubernetes.io/metadata.name: envoy-gateway
+ name: envoy-gateway
 ---
 apiVersion: argoproj.io/v1alpha1
 kind: Application
@@ -15,16 +15,9 @@ metadata:
 finalizers:
 - resources-finalizer.argocd.argoproj.io
 spec:
- ignoreDifferences:
- # ignore deployment .spec.replicas as it is managed by HPA
- - group: 'apps'
- kind: Deployment
- name: envoy-gateway
- jsonPointers:
- - /spec/replicas
 destination:
 name: ''
- namespace: envoy-gateway-system
+ namespace: envoy-gateway
 server: 'https://kubernetes.default.svc'
 source:
 path: charts/envoy-gateway
@@ -45,8 +38,6 @@ spec:
 syncOptions:
 - CreateNamespace=true
 - ApplyOutOfSyncOnly=true
- - ServerSideApply=true
- - RespectIgnoreDifferences=true
 ---
 apiVersion: argoproj.io/v1alpha1
 kind: AppProject
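Review bot: The Application's `ignoreDifferences` entry names the Deployment `envoy-gateway-controller`, but the entry it replaces in charts/infrastructure/templates/envoy-gateway.yaml matched `envoy-gateway`, and the subchart behind it is the same gateway-helm v1.4.1 with only the dependency alias changed; unless that chart derives the Deployment name from the alias, the filter will not match and, with `selfHeal: true`, Argo will keep reverting the HPA's changes to `/spec/replicas`. The AppProject at the end of the file is also inconsistent with the Application it is meant to isolate: `destinations` allows only namespace `envoy-gateway-controller` while the Application targets `envoy-gateway-system`, `clusterResourceWhitelist` admits only Namespace although the gateway chart presumably installs CRDs and cluster-scoped RBAC, and the policy line grants on `proj:my-project` rather than this project, so enabling the commented-out `#project:` line would fail the sync immediately. If the project is meant to be used, replace the `my-project` / `my-oidc-group` placeholders, list `envoy-gateway-system` as the destination, and narrow `sourceRepos` from `'*'` to the repository in `.Values.global.repo` so the isolation the `description` promises actually holds; the stale "guestbook namespace" comment should go at the same time. The hunk is the entire new file, so nothing continues outside it.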
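Review bot: Moving `destination.namespace` from `envoy-gateway-system` to `envoy-gateway` while this Application keeps `prune: true` and `selfHeal: true` (further down, outside the hunk) means its next sync will likely treat every controller object it previously tracked in envoy-gateway-system as extraneous and prune it, at the same moment the new envoy-gateway-controller Application tries to adopt those objects; plan the cutover (sync the controller Application first, or temporarily disable pruning here) rather than letting both auto-sync, and expect Argo's shared-resource warnings until tracking settles. Dropping `ignoreDifferences` here is consistent with the HPA moving to the controller chart, but the same commit also removes the `dependencies` block from charts/envoy-gateway/Chart.yaml, so it is not visible from the diff what `path: charts/envoy-gateway` still renders. The enclosing Application manifest starts and ends outside the hunk.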