This is an automated email from the ASF dual-hosted git repository.

zhangjintao pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/apisix-helm-chart.git


The following commit(s) were added to refs/heads/master by this push:
     new 9efc9f3  feat: allow proxy protocol configuration for APISIX (#528)
9efc9f3 is described below

commit 9efc9f36efa3e47976c68445df227576a50c39f4
Author: Pierre P <[email protected]>
AuthorDate: Tue Jun 27 09:55:05 2023 +0200

    feat: allow proxy protocol configuration for APISIX (#528)
    
    Co-authored-by: Horacio Granillo <[email protected]>
---
 charts/apisix/README.md                      |  8 +++++++
 charts/apisix/templates/configmap.yaml       | 18 +++++++++-------
 charts/apisix/templates/service-gateway.yaml | 18 ++++++++++++++++
 charts/apisix/values.yaml                    | 32 ++++++++++++++++++++++++++++
 4 files changed, 68 insertions(+), 8 deletions(-)

diff --git a/charts/apisix/README.md b/charts/apisix/README.md
index b7c862b..feb67db 100644
--- a/charts/apisix/README.md
+++ b/charts/apisix/README.md
@@ -85,6 +85,11 @@ The command removes all the Kubernetes components associated 
with the chart and
 | apisix.podDisruptionBudget.minAvailable | string | `"90%"` | Set the 
`minAvailable` of podDisruptionBudget. You can specify only one of 
`maxUnavailable` and `minAvailable` in a single PodDisruptionBudget. See 
[Specifying a Disruption Budget for your 
Application](https://kubernetes.io/docs/tasks/run-application/configure-pdb/#specifying-a-poddisruptionbudget)
 for more details |
 | apisix.podSecurityContext | object | `{}` | Set the securityContext for 
Apache APISIX pods |
 | apisix.priorityClassName | string | `""` | Set 
[priorityClassName](https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/#pod-priority)
 for Apache APISIX pods |
+| apisix.proxyProtocol | object | 
`{"enabled":false,"listenHttpPort":9181,"listenHttpsPort":9182,"tcp":true,"upstream":true}`
 | Enable Proxy Protocol |
+| apisix.proxyProtocol.listenHttpPort | int | `9181` | The port with proxy 
protocol for http, it differs from node_listen and admin_listen. |
+| apisix.proxyProtocol.listenHttpsPort | int | `9182` | The port with proxy 
protocol for https |
+| apisix.proxyProtocol.tcp | bool | `true` | Enable the proxy protocol for tcp 
proxy, it works for stream_proxy.tcp option |
+| apisix.proxyProtocol.upstream | bool | `true` | Enable the proxy protocol to 
the upstream server |
 | apisix.readinessProbe | object | 
`{"failureThreshold":6,"initialDelaySeconds":10,"periodSeconds":10,"successThreshold":1,"tcpSocket":{"port":9080},"timeoutSeconds":1}`
 | Set the readinessProbe for Apache APISIX pods |
 | apisix.replicaCount | int | `1` | kind is DaemonSet, replicaCount not become 
effective |
 | apisix.resources | object | `{}` | Set pod resource requests & limits |
@@ -168,6 +173,9 @@ The command removes all the Kubernetes components 
associated with the chart and
 | gateway.ingress | object | 
`{"annotations":{},"enabled":false,"hosts":[{"host":"apisix.local","paths":[]}],"tls":[]}`
 | Using ingress access Apache APISIX service |
 | gateway.ingress.annotations | object | `{}` | Ingress annotations |
 | gateway.labelsOverride | object | `{}` | Override default labels assigned to 
Apache APISIX gateway resources |
+| gateway.proxyProtocol | object | 
`{"http":{"containerPort":9181,"enabled":false,"servicePort":9181},"https":{"containerPort":9182,"enabled":false,"servicePort":9182}}`
 | Proxy Protocol Configuration |
+| gateway.proxyProtocol.http | object | 
`{"containerPort":9181,"enabled":false,"servicePort":9181}` | If you enable 
proxy protocol, you must use this port to receive http request with proxy 
protocol |
+| gateway.proxyProtocol.https | object | 
`{"containerPort":9182,"enabled":false,"servicePort":9182}` | The port with 
proxy protocol for https |
 | gateway.stream | object | `{"enabled":false,"only":false,"tcp":[],"udp":[]}` 
| Apache APISIX service settings for stream. L4 proxy (TCP/UDP) |
 | gateway.tls | object | 
`{"additionalContainerPorts":[],"certCAFilename":"","containerPort":9443,"enabled":false,"existingCASecret":"","fallbackSNI":"","http2":{"enabled":true},"servicePort":443,"sslProtocols":"TLSv1.2
 TLSv1.3"}` | Apache APISIX service settings for tls |
 | gateway.tls.additionalContainerPorts | list | `[]` | Support multiple https 
ports, See 
[Configuration](https://github.com/apache/apisix/blob/0bc65ea9acd726f79f80ae0abd8f50b7eb172e3d/conf/config-default.yaml#L99)
 |
diff --git a/charts/apisix/templates/configmap.yaml 
b/charts/apisix/templates/configmap.yaml
index 6cb25a9..ead25d4 100644
--- a/charts/apisix/templates/configmap.yaml
+++ b/charts/apisix/templates/configmap.yaml
@@ -69,14 +69,16 @@ data:
       enable_ipv6: {{ .Values.apisix.enableIPv6 }} # Enable nginx IPv6 resolver
       enable_server_tokens: {{ .Values.apisix.enableServerTokens }} # Whether 
the APISIX version number should be shown in Server header
 
-      # proxy_protocol:                   # Proxy Protocol configuration
-      #   listen_http_port: 9181          # The port with proxy protocol for 
http, it differs from node_listen and admin_listen.
-      #                                   # This port can only receive http 
request with proxy protocol, but node_listen & admin_listen
-      #                                   # can only receive http request. If 
you enable proxy protocol, you must use this port to
-      #                                   # receive http request with proxy 
protocol
-      #   listen_https_port: 9182         # The port with proxy protocol for 
https
-      #   enable_tcp_pp: true             # Enable the proxy protocol for tcp 
proxy, it works for stream_proxy.tcp option
-      #   enable_tcp_pp_to_upstream: true # Enables the proxy protocol to the 
upstream server
+      {{- if .Values.apisix.proxyProtocol.enabled }}
+      proxy_protocol:                                                          
# Proxy Protocol configuration
+        listen_http_port: {{ .Values.apisix.proxyProtocol.listenHttpPort }}    
# The port with proxy protocol for http, it differs from node_listen and 
port_admin.
+                                                                               
# This port can only receive http request with proxy protocol, but node_listen 
& port_admin
+                                                                               
# can only receive http request. If you enable proxy protocol, you must use 
this port to
+                                                                               
# receive http request with proxy protocol
+        listen_https_port: {{ .Values.apisix.proxyProtocol.listenHttpsPort }}  
# The port with proxy protocol for https
+        enable_tcp_pp: {{ .Values.apisix.proxyProtocol.tcp }}                  
# Enable the proxy protocol for tcp proxy, it works for stream_proxy.tcp option
+        enable_tcp_pp_to_upstream: {{ .Values.apisix.proxyProtocol.upstream }} 
# Enable the proxy protocol to the upstream server
+      {{- end }}
 
       proxy_cache:                         # Proxy Caching configuration
         cache_ttl: 10s                     # The default caching time if the 
upstream does not specify the cache time
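Review bot: The comments on the new `proxy_protocol` block under `{{- if .Values.apisix.proxyProtocol.enabled }}` never say that a PROXY-protocol listener takes the client address from the header sent by whoever connects. These ports are therefore only safe when reachable solely from a load balancer trusted to write that header. IP allow-lists, rate limits and access logs keyed on the client address would otherwise inherit a value the peer chose. I would add above `listen_http_port`: `# Expose only to trusted load balancers: the client address is read from the PROXY header, not from the TCP peer.` The enclosing ConfigMap block starts and ends outside this hunk.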
diff --git a/charts/apisix/templates/service-gateway.yaml 
b/charts/apisix/templates/service-gateway.yaml
index 1d4aafa..7ba5baf 100644
--- a/charts/apisix/templates/service-gateway.yaml
+++ b/charts/apisix/templates/service-gateway.yaml
@@ -77,6 +77,24 @@ spec:
     port: {{ .port }}
     targetPort: {{ .port }}
   {{- end }}
+  {{- if or .Values.gateway.proxyProtocol.http.enabled }}
+  - name: apisix-gateway-pp-http
+    port: {{ .Values.gateway.proxyProtocol.http.servicePort }}
+    targetPort: {{ .Values.gateway.proxyProtocol.http.containerPort }}
+  {{- if (and (eq .Values.gateway.type "NodePort") (not (empty 
.Values.gateway.proxyProtocol.http.nodePort))) }}
+    nodePort: {{ .Values.gateway.proxyProtocol.http.nodePort }}
+  {{- end }}
+    protocol: TCP
+  {{- end }}
+  {{- if or .Values.gateway.proxyProtocol.https.enabled }}
+  - name: apisix-gateway-pp-https
+    port: {{ .Values.gateway.proxyProtocol.https.servicePort }}
+    targetPort: {{ .Values.gateway.proxyProtocol.https.containerPort }}
+  {{- if (and (eq .Values.gateway.type "NodePort") (not (empty 
.Values.gateway.proxyProtocol.https.nodePort))) }}
+    nodePort: {{ .Values.gateway.proxyProtocol.https.nodePort }}
+  {{- end }}
+    protocol: TCP
+  {{- end }}
   {{- if and .Values.gateway.stream.enabled (or (gt (len 
.Values.gateway.stream.tcp) 0) (gt (len .Values.gateway.stream.udp) 0)) }}
   {{- with .Values.gateway.stream }}
   {{- if (gt (len .tcp) 0) }}
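Review bot: `{{- if or .Values.gateway.proxyProtocol.http.enabled }}` calls `or` with a single argument, which does nothing; the same applies to the https condition further down. Both Service ports are also gated only on the `gateway.proxyProtocol.*` switches, while the listener in configmap.yaml is gated on `apisix.proxyProtocol.enabled`, so the Service can publish a port that nothing listens on. I would write `{{- if and .Values.apisix.proxyProtocol.enabled .Values.gateway.proxyProtocol.http.enabled }}` and the matching line for https. The `ports:` list this extends begins outside the hunk.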
diff --git a/charts/apisix/values.yaml b/charts/apisix/values.yaml
index 8b9aa9f..e946a21 100644
--- a/charts/apisix/values.yaml
+++ b/charts/apisix/values.yaml
@@ -68,6 +68,18 @@ apisix:
   # - radixtree_uri_with_parameter: match route by uri with parameters
   httpRouter: radixtree_host_uri
 
+  # -- Enable Proxy Protocol
+  proxyProtocol:
+    enabled: false
+    # -- The port with proxy protocol for http, it differs from node_listen 
and admin_listen.
+    listenHttpPort: 9181
+    # -- The port with proxy protocol for https
+    listenHttpsPort: 9182
+    # -- Enable the proxy protocol for tcp proxy, it works for 
stream_proxy.tcp option
+    tcp: true
+    # -- Enable the proxy protocol to the upstream server
+    upstream: true
+
   # -- Enable full customized config.yaml
   enableCustomizedConfig: false
   # -- If apisix.enableCustomizedConfig is true, full customized config.yaml.
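Review bot: `tcp: true` and `upstream: true` take effect as soon as `enabled` is set, so a user who only wants the 9181/9182 listeners also gets `enable_tcp_pp` and `enable_tcp_pp_to_upstream` rendered as true. Going by the comments in this hunk, that sends a PROXY header to stream upstreams, and an upstream not configured to parse it would presumably fail or misread the first bytes. Either default both to `false` or say so in the comment, e.g. `# -- Enable the proxy protocol to the upstream server (the upstream must accept PROXY protocol)`. The `enabled` key itself has no `# --` line, which would explain why the README hunk has no row for it.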
@@ -270,6 +282,26 @@ gateway:
     sslProtocols: "TLSv1.2 TLSv1.3"
     # -- Define SNI to fallback if none is presented by client
     fallbackSNI: ""
+  # -- Proxy Protocol Configuration
+  proxyProtocol:
+    # -- If you enable proxy protocol, you must use this port to receive http 
request with proxy protocol
+    http:
+      enabled: false
+      # - Specify NodePort (only if gateway.type is NodePort)
+      # nodePort:
+      # - Define a Service Port on which the gateway is listening
+      servicePort: 9181
+      # - Gateway Service Port to use as target
+      containerPort: 9181
+    # -- The port with proxy protocol for https
+    https:
+      enabled: false
+      # - Specify NodePort (only if gateway.type is NodePort)
+      # nodePort:
+      # - Define a Service Port on which the gateway is listening
+      servicePort: 9182
+      # - Gateway Service Port to use as target
+      containerPort: 9182
   # -- Apache APISIX service settings for stream. L4 proxy (TCP/UDP)
   stream:
     enabled: false
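Review bot: The comments on `nodePort`, `servicePort` and `containerPort` start with `# -` instead of the `# --` used elsewhere in this file, which is presumably why the README hunk has rows only for the `http` and `https` objects and none for their fields. The `containerPort` comment, "Gateway Service Port to use as target", also hides the fact that the value has to equal `apisix.proxyProtocol.listenHttpPort` (or `listenHttpsPort`), which is set separately and not checked by the templates shown. I would write `# -- Container port the Service targets; must match apisix.proxyProtocol.listenHttpPort` and switch the other two comments to `# --`.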
