[bitnami/chart] Add NLB load balancer support, run envoy container as root

bitnami/contour/Chart.yaml

@@ -12,7 +12,7 @@ sources:
   - https://github.com/projectcontour/contour
   - https://github.com/envoyproxy/envoy
   - https://github.com/bitnami/bitnami-docker-contour
-version: 1.0.1
+version: 1.0.2
 maintainers:
   - name: cellebyte
     url: https://github.com/Cellebyte

bitnami/contour/README.md

@@ -95,10 +95,14 @@ The following tables lists the configurable parameters of the contour chart and
 | `envoy.image.pullSecrets`                          | Specify docker-registry secret names as an array                                                       | `[]` (does not add image pull secrets to deployed pods) |
 | `envoy.resources.limits`                           | Specify resource limits which the container is not allowed to succeed.                                 | `{}` (does not add resource limits to deployed pods)    |
 | `envoy.resources.requests`                         | Specify resource requests which the container needs to spawn.                                          | `{}` (does not add resource limits to deployed pods)    |
-| `envoy.nodeSelector`                               | Node labels for envoy pod assignment                                                                   | `{}`                                                    | 
-| `envoy.tolerations`                                | Tolerations for envoy pod assignment                                                                   | `[]`                                                    | 
-| `envoy.affinity`                                   | Affinity for envoy pod assignment                                                                      | `{}`                                                    | 
-| `envoy.podAnnotations`                             | Envoy Pod annotations                                                                                  | `{}`                                                    | 
+| `envoy.nodeSelector`                               | Node labels for envoy pod assignment                                                                   | `{}`                                                    |
+| `envoy.tolerations`                                | Tolerations for envoy pod assignment                                                                   | `[]`                                                    |
+| `envoy.affinity`                                   | Affinity for envoy pod assignment                                                                      | `{}`                                                    |
+| `envoy.podAnnotations`                             | Envoy Pod annotations                                                                                  | `{}`                                                    |
+| `envoy.podSecurityContext`                         | Envoy Pod securityContext                                                                                  | `{}`                                                    |
+| `envoy.containerSecurityContext`                   | Envoy Container securityContext                                                                                  | `{}`                                                    |
+| `envoy.dnsPolicy`                                  | Envoy Pod Dns Policy                                                                                   | `ClusterFirst`                                                    |
+| `envoy.hostNetwork`                                | Envoy Pod host network access                                                                                   | `false`                                                    |
 | `envoy.readynessProbe.enabled`                     | Enable/disable the Readyness probe                                                                     | `true`                                                  |
 | `envoy.readynessProbe.initialDelaySeconds`         | Delay before readyness probe is initiated                                                              | `10`                                                    |
 | `envoy.readynessProbe.periodSeconds`               | How often to perform the probe                                                                         | `3`                                                     |
@@ -194,3 +198,16 @@ configInline:
   #   - "user_agent"
   #   - "x_forwarded_for"
 ```
+
+### Deploying Contour with an AWS NLB
+
+By default, Contour is launched with a AWS Classic ELB. To launch contour backed by a NLB, please set [these settings](https://github.com/projectcontour/contour/tree/master/examples/contour#deploying-with-host-networking-enabled-for-envoy):
+
+```yaml
+envoy:
+  hostNetwork: true
+  dnsPolicy: ClusterFirstWithHostNet
+  service:
+    annotations:
+      service.beta.kubernetes.io/aws-load-balancer-type: nlb
+```

bitnami/contour/templates/daemonset.yaml

@@ -32,6 +32,12 @@ spec:
       tolerations: {{- include "contour.tplValue" (dict "value" .Values.envoy.tolerations "context" $) | nindent 8 }}
       {{- end }}
       terminationGracePeriodSeconds: {{ .Values.envoy.terminationGracePeriodSeconds }}
+      hostNetwork: {{ .Values.envoy.hostNetwork }}
+      dnsPolicy: {{ .Values.envoy.dnsPolicy }}
+{{- with .Values.envoy.podSecurityContext }}
+      securityContext:
+{{ toYaml . | indent 8 }}
+{{- end }}
       containers:
       - command:
         - contour
@@ -69,6 +75,10 @@ spec:
         image: {{ include "envoy.image" . }}
         imagePullPolicy: {{ .Values.envoy.image.pullPolicy }}
         name: envoy
+{{- with .Values.envoy.containerSecurityContext }}
+        securityContext:
+{{ toYaml . | indent 10 }}
+{{- end }}
         env:
         - name: CONTOUR_NAMESPACE
           valueFrom:
@@ -92,6 +102,7 @@ spec:
         - containerPort: 8002
           name: metrics
           protocol: TCP
+
         {{- if .Values.envoy.readinessProbe.enabled }}
         readinessProbe:
           httpGet:

bitnami/contour/templates/deployment.yaml

@@ -105,13 +105,12 @@ spec:
               fieldPath: metadata.name
       dnsPolicy: ClusterFirst
       serviceAccountName: {{ include "contour.contourServiceAccountName" . }}
-      {{- if .Values.contour.securityContext.enabled }}
+{{- with .Values.contour.securityContext }}
+{{- if or (not (hasKey . "enabled")) .enabled }}
       securityContext:
-        runAsUser: {{ .Values.contour.securityContext.runAsUser }}
-        runAsGroup: {{ .Values.contour.securityContext.runAsGroup }}
-        fsGroup: {{ .Values.contour.securityContext.fsGroup }}
-        runAsNonRoot: {{ .Values.contour.securityContext.runAsNonRoot }}
-      {{- end }}
+{{ toYaml (omit . "enabled") | indent 8 }}
+{{- end }}
+{{- end }}
       volumes:
       - name: contourcert
         secret:

bitnami/contour/templates/service.yaml

@@ -28,13 +28,16 @@ metadata:
     {{- include "contour.tplValue" (dict "value" .Values.envoy.service.labels "context" $) | nindent 4 }}
     {{- end }}
   annotations:
+    {{- if (ne (get .Values.envoy.service.annotations "service.beta.kubernetes.io/aws-load-balancer-type") "nlb") }}
     # This annotation puts the AWS ELB into "TCP" mode so that it does not
     # do HTTP negotiation for HTTPS connections at the ELB edge.
     # The downside of this is the remote IP address of all connections will
     # appear to be the internal address of the ELB. See docs/proxy-proto.md
     # for information about enabling the PROXY protocol on the ELB to recover
     # the original remote IP address.
+    # We don't set this for nlb, per the contour docs.
     service.beta.kubernetes.io/aws-load-balancer-backend-protocol: tcp
+    {{- end }}
     {{- if .Values.envoy.service.annotations }}
     {{- include "contour.tplValue" (dict "value" .Values.envoy.service.annotations "context" $) | nindent 4 }}
     {{- end }}

bitnami/contour/values-production.yaml

@@ -257,6 +257,27 @@ envoy:
   ##
   podAnnotations: {}
 
+  ## Pod security context
+  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
+  ##
+  podSecurityContext: {}
+
+  ## Envoy container security context - envoy needs to run as root to bind to 80, 443
+  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
+  ##
+  containerSecurityContext:
+    runAsUser: 0
+
+  ## Pod host network access
+  ## ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces
+  ##
+  hostNetwork: false
+
+  ## Pod's DNS Policy
+  ## ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy
+  ##
+  dnsPolicy: ClusterFirst
+
   serviceAccount:
     # Specifies whether a ServiceAccount should be created
     create: true
@@ -292,6 +313,10 @@ envoy:
     type: LoadBalancer
     externalTrafficPolicy: Local
 
+    ## Service annotations
+    ##
+    annotations: {}
+
     ports:
       ## HTTP Port
       ##

bitnami/contour/values.yaml

@@ -185,7 +185,6 @@ contour:
     successThreshold: 1
 
   securityContext:
-    enabled: true
     runAsNonRoot: true
     runAsUser: 1001
     runAsGroup: 1001
@@ -252,6 +251,27 @@ envoy:
   ##
   podAnnotations: {}
 
+  ## Pod security context
+  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
+  ##
+  podSecurityContext: {}
+
+  ## Envoy container security context - envoy needs to run as root to bind to 80, 443
+  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
+  ##
+  containerSecurityContext:
+    runAsUser: 0
+
+  ## Pod host network access
+  ## ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces
+  ##
+  hostNetwork: false
+
+  ## Pod's DNS Policy
+  ## ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy
+  ##
+  dnsPolicy: ClusterFirst
+
   serviceAccount:
     # Specifies whether a ServiceAccount should be created
     create: true
@@ -287,6 +307,10 @@ envoy:
     type: LoadBalancer
     externalTrafficPolicy: Local
 
+    ## Service annotations
+    ##
+    annotations: {}
+
     ports:
       ## HTTP Port
       ##