From 8f49233a244569469a18aadc286a3c0d492d0cdb Mon Sep 17 00:00:00 2001
From: DeveloperDurp
Date: Sun, 30 Jul 2023 08:32:26 -0500
Subject: [PATCH] update
---
 kong/templates/certs.yaml | 32 ----
 kong/templates/secrets.yaml | 66 +-------
 kong/values.yaml | 325 +++---------------------------------
 3 files changed, 24 insertions(+), 399 deletions(-)
 delete mode 100644 kong/templates/certs.yaml
diff --git a/kong/templates/certs.yaml b/kong/templates/certs.yaml
deleted file mode 100644
index 0951ce0..0000000
--- a/kong/templates/certs.yaml
+++ /dev/null
@@ -1,32 +0,0 @@
-apiVersion: cert-manager.io/v1
-kind: Issuer
-metadata:
- name: quickstart-kong-selfsigned-issuer-root
-spec:
- selfSigned: {}
----
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
- name: quickstart-kong-selfsigned-issuer-ca
-spec:
- commonName: quickstart-kong-selfsigned-issuer-ca
- duration: 2160h0m0s
- isCA: true
- issuerRef:
- group: cert-manager.io
- kind: Issuer
- name: quickstart-kong-selfsigned-issuer-root
- privateKey:
- algorithm: ECDSA
- size: 256
- renewBefore: 360h0m0s
- secretName: quickstart-kong-selfsigned-issuer-ca
----
-apiVersion: cert-manager.io/v1
-kind: Issuer
-metadata:
- name: quickstart-kong-selfsigned-issuer
-spec:
- ca:
- secretName: quickstart-kong-selfsigned-issuer-ca
diff --git a/kong/templates/secrets.yaml b/kong/templates/secrets.yaml
index 03fe609..abe44d4 100644
--- a/kong/templates/secrets.yaml
+++ b/kong/templates/secrets.yaml
@@ -1,22 +1,11 @@
-apiVersion: v1
-data:
- license: J3t9Jw==
-kind: Secret
-metadata:
- creationTimestamp: null
- name: kong-enterprise-license
- namespace: kong
-
----
-
 apiVersion: external-secrets.io/v1beta1
 kind: ExternalSecret
 metadata:
 name: kong-cluster-cert
 spec:
 secretStoreRef:
- name: vault-kong
- kind: SecretStore
+ name: vault
+ kind: ClusterSecretStore
 target:
 name: kong-cluster-cert
 data:
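Review bot: `secretStoreRef` now points at a `ClusterSecretStore` named `vault`, but no object of that name is defined in the chart — the chart-local `SecretStore vault-kong` is deleted in the next hunk — so `kong-cluster-cert` will stay unsynced on any cluster where that store has not been provisioned separately, and nothing on the page records that prerequisite. A comment above `secretStoreRef:` such as `# requires the cluster-scoped ClusterSecretStore "vault" (provisioned outside this chart)` would make the dependency visible to whoever installs the chart next. The rest of the ExternalSecret (its `data` list) continues past this hunk.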
@@ -28,54 +17,3 @@ spec:
 remoteRef:
 key: secrets/kong/tls
 property: key
-
----
-
-apiVersion: external-secrets.io/v1beta1
-kind: SecretStore
-metadata:
- name: vault-kong
-spec:
- provider:
- vault:
- server: "http://vault.vault.svc.cluster.local:8200"
- path: "secrets"
- version: "v2"
- auth:
- kubernetes:
- mountPath: "kubernetes"
- role: "external-secrets"
-
----
-
-apiVersion: external-secrets.io/v1beta1
-kind: ExternalSecret
-metadata:
- name: kong-config-secret
-spec:
- secretStoreRef:
- name: vault-kong
- kind: SecretStore
- target:
- name: kong-config-secret
- data:
- - secretKey: admin_gui_session_conf
- remoteRef:
- key: secrets/kong/config
- property: admin_gui_session_conf
- - secretKey: kong_admin_password
- remoteRef:
- key: secrets/kong/config
- property: kong_admin_password
- - secretKey: password
- remoteRef:
- key: secrets/kong/config
- property: password
- - secretKey: pg_host
- remoteRef:
- key: secrets/kong/config
- property: pg_host
- - secretKey: portal_session_conf
- remoteRef:
- key: secrets/kong/config
- property: portal_session_conf
diff --git a/kong/values.yaml b/kong/values.yaml
index 942de08..3359f25 100644
--- a/kong/values.yaml
+++ b/kong/values.yaml
@@ -1,309 +1,28 @@ kong: - admin: - annotations: - konghq.com/protocol: https - enabled: true - http: - enabled: false - ingress: - annotations: - konghq.com/https-redirect-status-code: "301" - konghq.com/protocols: https - konghq.com/strip-path: "true" - kubernetes.io/ingress.class: default - nginx.ingress.kubernetes.io/app-root: / - nginx.ingress.kubernetes.io/backend-protocol: HTTPS - nginx.ingress.kubernetes.io/permanent-redirect-code: "301" - enabled: true - hostname: kong.durp.info - path: /api - tls: quickstart-kong-admin-cert - tls: - containerPort: 8444 - enabled: true - parameters: - - http2 - servicePort: 8444 - type: ClusterIP - affinity: - podAntiAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - podAffinityTerm: - labelSelector: - matchExpressions: - - key: app.kubernetes.io/instance - operator: In - values: - - dataplane - topologyKey: kubernetes.io/hostname - weight: 100 - certificates: - enabled: true - issuer: quickstart-kong-selfsigned-issuer - cluster: - enabled: true - admin: - enabled: true - commonName: kong.durp.info - portal: - enabled: true - commonName: developer.durp.info - proxy: - enabled: true - commonName: durp.info - dnsNames: - - '*.durp.info' - cluster: - enabled: true - labels: - konghq.com/service: cluster - tls: - containerPort: 8005 - enabled: true - servicePort: 8005 - type: ClusterIP - clustertelemetry: - enabled: true - tls: - containerPort: 8006 - enabled: true - servicePort: 8006 - type: ClusterIP - deployment: - kong: - daemonset: false - enabled: true - enterprise: - enabled: true - license_secret: kong-enterprise-license - portal: - enabled: true - rbac: - admin_api_auth: basic-auth - admin_gui_auth_conf_secret: kong-config-secret - enabled: true - session_conf_secret: kong-config-secret - smtp: - enabled: false - vitals: - enabled: true - env: - admin_access_log: /dev/stdout - admin_api_uri: https://kong.durp.info/api - admin_error_log: /dev/stdout - admin_gui_access_log: /dev/stdout - 
admin_gui_error_log: /dev/stdout - admin_gui_host: kong.durp.info - admin_gui_protocol: https - admin_gui_url: https://kong.durp.info/ - cluster_data_plane_purge_delay: 60 - cluster_listen: 0.0.0.0:8005 - cluster_telemetry_listen: 0.0.0.0:8006 - database: postgres - log_level: debug - lua_package_path: /opt/?.lua;; - nginx_worker_processes: "2" - password: - valueFrom: - secretKeyRef: - key: kong_admin_password - name: kong-config-secret - pg_database: kong - pg_host: - valueFrom: - secretKeyRef: - key: pg_host - name: kong-config-secret - pg_ssl: "off" - pg_ssl_verify: "off" - pg_user: kong - plugins: bundled,openid-connect - portal: true - portal_api_access_log: /dev/stdout - portal_api_error_log: /dev/stdout - portal_api_url: https://developer.durp.info/api - portal_auth: basic-auth - portal_cors_origins: '*' - portal_gui_access_log: /dev/stdout - portal_gui_error_log: /dev/stdout - portal_gui_host: developer.durp.info - portal_gui_protocol: https - portal_gui_url: https://developer.durp.info/ - portal_session_conf: - valueFrom: - secretKeyRef: - key: portal_session_conf - name: kong-config-secret - prefix: /kong_prefix/ - proxy_access_log: /dev/stdout - proxy_error_log: /dev/stdout - proxy_stream_access_log: /dev/stdout - proxy_stream_error_log: /dev/stdout - smtp_mock: "on" - status_listen: 0.0.0.0:8100 - trusted_ips: 0.0.0.0/0,::/0 - vitals: true - extraLabels: - konghq.com/component: quickstart image: repository: kong/kong-gateway tag: "3.3" + + secretVolumes: + - kong-cluster-cert + + admin: + enabled: false + + env: + role: data_plane + database: "off" + cluster_mtls: pki + cluster_control_plane: a0791ed975.us.cp0.konghq.com:443 + cluster_server_name: a0791ed975.us.cp0.konghq.com + cluster_telemetry_endpoint: a0791ed975.us.tp0.konghq.com:443 + cluster_telemetry_server_name: a0791ed975.us.tp0.konghq.com + cluster_cert: /etc/secrets/kong-cluster-cert/tls.crt + cluster_cert_key: /etc/secrets/kong-cluster-cert/tls.key + lua_ssl_trusted_certificate: system + 
konnect_mode: "on" + vitals: "off" + ingressController: - enabled: true - env: - kong_admin_filter_tag: ingress_controller_default - kong_admin_tls_skip_verify: true - kong_admin_token: - valueFrom: - secretKeyRef: - key: password - name: kong-config-secret - kong_admin_url: https://localhost:8444 - kong_workspace: default - publish_service: kong/quickstart-kong-proxy - image: - repository: docker.io/kong/kubernetes-ingress-controller - tag: "2.10" - ingressClass: default + enabled: false installCRDs: false - manager: - annotations: - konghq.com/protocol: https - enabled: true - http: - containerPort: 8002 - enabled: false - servicePort: 8002 - ingress: - annotations: - konghq.com/https-redirect-status-code: "301" - kubernetes.io/ingress.class: default - nginx.ingress.kubernetes.io/backend-protocol: HTTPS - enabled: true - hostname: kong.durp.info - path: / - tls: quickstart-kong-admin-cert - tls: - containerPort: 8445 - enabled: true - parameters: - - http2 - servicePort: 8445 - type: ClusterIP - migrations: - enabled: true - postUpgrade: true - preUpgrade: true - namespace: kong - podAnnotations: - kuma.io/gateway: enabled - portal: - annotations: - konghq.com/protocol: https - enabled: true - http: - containerPort: 8003 - enabled: false - servicePort: 8003 - ingress: - annotations: - konghq.com/https-redirect-status-code: "301" - konghq.com/protocols: https - konghq.com/strip-path: "false" - kubernetes.io/ingress.class: default - enabled: true - hostname: developer.durp.info - path: / - tls: quickstart-kong-portal-cert - tls: - containerPort: 8446 - enabled: true - parameters: - - http2 - servicePort: 8446 - type: ClusterIP - portalapi: - annotations: - konghq.com/protocol: https - enabled: true - http: - enabled: false - ingress: - annotations: - konghq.com/https-redirect-status-code: "301" - konghq.com/protocols: https - konghq.com/strip-path: "true" - kubernetes.io/ingress.class: default - nginx.ingress.kubernetes.io/app-root: / - enabled: true - hostname: 
developer.durp.info - path: /api - tls: quickstart-kong-portal-cert - tls: - containerPort: 8447 - enabled: true - parameters: - - http2 - servicePort: 8447 - type: ClusterIP - postgresql: - enabled: true - auth: - database: kong - username: kong - proxy: - annotations: - prometheus.io/port: "9542" - prometheus.io/scrape: "true" - enabled: true - http: - containerPort: 8080 - enabled: true - hostPort: 80 - ingress: - enabled: false - labels: - enable-metrics: true - tls: - containerPort: 8443 - enabled: true - hostPort: 443 - type: LoadBalancer - replicaCount: 1 - secretVolumes: [] - status: - enabled: true - http: - containerPort: 8100 - enabled: true - tls: - containerPort: 8543 - enabled: false - - #image: - # repository: kong/kong-gateway - # tag: "3.3" - - #secretVolumes: - #- kong-cluster-cert - - #admin: - # enabled: false - - #env: - # role: data_plane - # database: "off" - # cluster_mtls: pki - # cluster_control_plane: a0791ed975.us.cp0.konghq.com:443 - # cluster_server_name: a0791ed975.us.cp0.konghq.com - # cluster_telemetry_endpoint: a0791ed975.us.tp0.konghq.com:443 - # cluster_telemetry_server_name: a0791ed975.us.tp0.konghq.com - # cluster_cert: /etc/secrets/kong-cluster-cert/tls.crt - # cluster_cert_key: /etc/secrets/kong-cluster-cert/tls.key - # lua_ssl_trusted_certificate: system - # konnect_mode: "on" - # vitals: "off" - - #ingressController: - # enabled: false - # installCRDs: false
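Review bot: The four Konnect endpoint values in the new `env` block (`cluster_control_plane`, `cluster_server_name`, `cluster_telemetry_endpoint`, `cluster_telemetry_server_name`) are left as bare plain scalars while the neighbouring `database: "off"`, `konnect_mode: "on"` and `vitals: "off"` are quoted; quoting them as well, e.g. `cluster_control_plane: "a0791ed975.us.cp0.konghq.com:443"`, keeps the block uniform and removes any doubt about how the `host:port` form is typed by the chart's loader. The block also deserves a short comment stating that the gateway now runs as a Konnect-managed data plane (`role: data_plane`, `database: "off"`, `cluster_mtls: pki`) and that these hostnames must match the control plane the cluster certificate was issued for, since a reader of values.yaml cannot tell where they come from. `cluster_cert` and `cluster_cert_key` assume the `kong-cluster-cert` secret mounted through `secretVolumes` carries keys named `tls.crt` and `tls.key`; the ExternalSecret in secrets.yaml that produces it is only partly visible on this page, so that key naming should be confirmed against its `data` list, and a comment beside `secretVolumes` pointing at that ExternalSecret would tie the two files together.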