From 8c9dcc3da8f934bd7e6e0a3ae097987ad2e82e85 Mon Sep 17 00:00:00 2001 From: Matthew Penner Date: Mon, 20 May 2024 17:25:33 -0600 Subject: [PATCH] docs: add full deployment example Signed-off-by: Matthew Penner --- README.md | 10 +- example/README.md | 186 +++++++++++++++++++ example/caddy.yaml | 316 +++++++++++++++++++++++++++++++ example/internal-issuer.yaml | 38 ++++ example/letsencrypt.yaml | 18 ++ example/operator.yaml | 349 +++++++++++++++++++++++++++++++++++ 6 files changed, 911 insertions(+), 6 deletions(-) create mode 100644 example/README.md create mode 100644 example/caddy.yaml create mode 100644 example/internal-issuer.yaml create mode 100644 example/letsencrypt.yaml create mode 100644 example/operator.yaml diff --git a/README.md b/README.md index f3e4387..f7f2c45 100644 --- a/README.md +++ b/README.md @@ -64,11 +64,7 @@ kubectl apply -f https://github.com/kubernetes-sigs/gateway-api/releases/downloa kubectl apply -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.0.0/standard-install.yaml ``` -### Installing the Controller - -> TODO: deployment manifests - -### Installing Caddy +### Installing the Controller and Caddy The Controller requires you to provide your own Caddy instance, later we may provide a CRD that will allow us to automatically deploy and manage Caddy for you, but for now you can use our pre-made @@ -83,7 +79,9 @@ Before deploying Caddy however, there are a few things you need to consider. likely be exposed to the public internet and exposing the Caddy Admin API is extremely dangerous for security. -> TODO: reference deployment templates +The following example will get you up and running with the Controller and Caddy in a secure way. + +See the [example](./example). ## License diff --git a/example/README.md b/example/README.md new file mode 100644 index 0000000..1f7d6e7 --- /dev/null +++ b/example/README.md 
@@ -0,0 +1,186 @@
+# Example
+
+These examples rely on both [`cert-manager`](https://cert-manager.io/docs/installation/) and
+[`cert-manager-csi-driver`](https://cert-manager.io/docs/usage/csi-driver/installation/). Please
+ensure both are installed before proceeding.
+
+In the future, more examples and options for handling the issuance and verification of mTLS
+certificates between the Gateway and Caddy will be provided.
+
+## Configuring TLS
+
+This step is used to configure TLS for HTTPRoute and TLSRoute resources. These certificates will be
+used to provide public-facing TLS certificates. While this step is optional, it is strongly
+recommended.
+
+This step shows you how to use `cert-manager` and an ACME provider to configure TLS for a Gateway.
+If you already have your own certificate secret on your cluster, or want to use internally issued
+certificates, you don't need to follow this guide.
+
+You will need to ensure `cert-manager` has Gateway API support enabled. Please read
+
+for more information.
+
+### DNS-01
+
+If you would like to use wildcard certificates or issue trusted certificates without exposing the
+Gateway to the public internet, you _must_ use an ACME issuer that supports DNS-01 challenges. For
+more information on supported DNS providers, please read
+ for more
+information.
+
+Here is an example issuer for Cloudflare:
+
+```yaml
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: cloudflare-api-token-secret
+ namespace: cert-manager
+type: Opaque
+stringData:
+ # https://cert-manager.io/docs/configuration/acme/dns01/cloudflare/#api-tokens
+ api-token: ""
+---
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+ name: letsencrypt-dns
+spec:
+ acme:
+ server: https://acme-v02.api.letsencrypt.org/directory
+ privateKeySecretRef:
+ name: letsencrypt-issuer-account-key
+ solvers:
+ - dns01:
+ cloudflare:
+ apiTokenSecretRef:
+ name: cloudflare-api-token-secret
+ key: api-token
+```
+
+### HTTP-01
+
+If you don't need DNS challenges you can install our default LetsEncrypt ClusterIssuer without any
+additional configuration.
+
+```bash
+kubectl apply -f https://raw.githubusercontent.com/caddyserver/gateway/master/example/letsencrypt.yaml
+```
+
+## Installation and Configuration
+
+### Internal TLS
+
+We require certificates to secure the communication between the Controller (this project) and Caddy.
+Without mTLS between these two components, anyone could access the Caddy Admin API or potentially
+view certificates referenced by Gateway resources in plain-text.
+
+The default resources assume that you have a `Issuer` configured named `caddy`. This issuer must not
+be a `SelfSigned` issuer and must be a `CA` or similar (like `Vault`). Do not use a public `ACME`
+issuer such as LetsEncrypt as it won't work.
+
+You are more than welcome to bring your own cert-manager issuer. Just update the
+`csi.cert-manager.io/issuer-kind` and `csi.cert-manager.io/issuer-name` volume attributes for the
+operator and Caddy, then skip the following `kubectl apply` command and move on to the
+`Deploy the Operator` step.
+
+This example creates both a SelfSigned issuer that bootstraps a regular CA issuer. If you are fine
+with the default settings, then no changes need to be made.
+
+```bash
+kubectl apply -f https://raw.githubusercontent.com/caddyserver/gateway/master/example/internal-issuer.yaml
+```
+
+### Deploy the Operator
+
+This deploys the Caddy Gateway Controller (the code in this repository). This is required in order
+to program the actual Caddy web-server instances.
+
+```bash
+kubectl apply -f https://raw.githubusercontent.com/caddyserver/gateway/master/example/operator.yaml
+```
+
+### Deploy a Caddy instance
+
+This deploys a Deployment of three Caddy instances, alongside a Load Balancer.
+
+```bash
+kubectl apply -f https://raw.githubusercontent.com/caddyserver/gateway/master/example/caddy.yaml
+```
+
+## Create the Gateway
+
+After the operator is installed, you will need to create the actual Gateway that will utilize the
+Caddy instance you just deployed.
+
+```yaml
+apiVersion: gateway.networking.k8s.io/v1
+kind: Gateway
+metadata:
+ name: caddy
+ namespace: caddy-system
+ labels:
+ app.kubernetes.io/name: caddy
+ app.kubernetes.io/component: caddy
+ app.kubernetes.io/instance: caddy
+ app.kubernetes.io/part-of: caddy
+ annotations:
+ # These annotations are all optional if you don't want to use cert-manager to issue certificates.
+ # Please ensure you set the `cert-manager.io/cluster-issuer` or `cert-manager.io/issuer` to the
+ # correct issuer for your configuration.
+ cert-manager.io/cluster-issuer: letencrypt
+ cert-manager.io/private-key-rotation-policy: Always
+ cert-manager.io/usages: digital signature, server auth
+spec:
+ gatewayClassName: caddy
+ listeners:
+ - name: http
+ protocol: HTTP
+ port: 80
+ allowedRoutes:
+ namespaces:
+ from: All
+ - name: https
+ protocol: HTTPS
+ port: 443
+ allowedRoutes:
+ namespaces:
+ from: All
+ # In-order to issue certificates or match requests, the Gateway API spec requires you specify
+ # a hostname here. This is a placeholder you *must* replace if you want to use HTTPS.
+ hostname: "*.example.com"
+ tls:
+ mode: Terminate
+ certificateRefs:
+ - kind: Secret
+ name: caddy-tls
+```
+
+Congratulations, you should now have a fully functional installation of the Caddy Gateway running on
+your cluster.
+
+### Redirect HTTP to HTTPS
+
+Here is an example of how you can redirect all HTTP traffic to HTTPS.
+
+```yaml
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+ name: caddy-https-redirect
+ namespace: caddy-system
+spec:
+ parentRefs:
+ - name: caddy
+ namespace: caddy-system
+ sectionName: http
+ hostnames: []
+ rules:
+ - filters:
+ - type: RequestRedirect
+ requestRedirect:
+ scheme: https
+ port: 443
+```
diff --git a/example/caddy.yaml b/example/caddy.yaml
new file mode 100644
index 0000000..a554848
--- /dev/null
+++ b/example/caddy.yaml
@@ -0,0 +1,316 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: caddy
+ namespace: caddy-system
+ labels:
+ app.kubernetes.io/name: caddy
+ app.kubernetes.io/component: caddy
+ app.kubernetes.io/instance: caddy
+ app.kubernetes.io/part-of: caddy
+automountServiceAccountToken: false
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: caddy-system:caddy
+ labels:
+ app.kubernetes.io/name: caddy-gateway
+ app.kubernetes.io/component: operator
+ app.kubernetes.io/instance: caddy-system
+ app.kubernetes.io/part-of: caddy-system
+rules:
+ - apiGroups:
+ - authorization.k8s.io
+ resources:
+ - subjectaccessreviews
+ verbs:
+ - create
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: caddy-system:caddy
+ labels:
+ app.kubernetes.io/name: caddy-gateway
+ app.kubernetes.io/component: operator
+ app.kubernetes.io/instance: caddy-system
+ app.kubernetes.io/part-of: caddy-system
+subjects:
+ - name: caddy
+ namespace: caddy-system
+ kind: ServiceAccount
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: caddy-system:caddy
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: caddy-kube-rbac-proxy
+ namespace: caddy-system
+ labels:
+ app.kubernetes.io/name: caddy-gateway
+ app.kubernetes.io/component: operator
+ app.kubernetes.io/instance: caddy-system
+ app.kubernetes.io/part-of: caddy-system
+data:
+ config.yaml: |
+ authorization:
+ resourceAttributes:
+ namespace: caddy-system
+ apiVersion: v1
+ resource: caddy
+ subresource: config
+ name: caddy
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: caddy
+ namespace: caddy-system
+ labels:
+ gateway.caddyserver.com/owning-gateway: caddy
+ app.kubernetes.io/name: caddy
+ app.kubernetes.io/component: caddy
+ app.kubernetes.io/instance: caddy
+ app.kubernetes.io/part-of: caddy
+spec:
+ type: LoadBalancer
+ ipFamilyPolicy: PreferDualStack
+ selector:
+ app.kubernetes.io/name: caddy
+ 
app.kubernetes.io/component: caddy
+ app.kubernetes.io/instance: caddy
+ app.kubernetes.io/part-of: caddy
+ ports:
+ - name: admin
+ port: 2021
+ targetPort: 2021
+ protocol: TCP
+ appProtocol: http2
+ - name: http
+ port: 80
+ targetPort: 80
+ protocol: TCP
+ appProtocol: http
+ - name: http2
+ port: 443
+ targetPort: 443
+ protocol: TCP
+ appProtocol: http2
+ - name: http3
+ port: 443
+ targetPort: 443
+ protocol: UDP
+ appProtocol: http3
+ - name: admin2
+ port: 2019
+ targetPort: 2019
+ protocol: TCP
+ appProtocol: http
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: caddy
+ namespace: caddy-system
+ labels:
+ app.kubernetes.io/name: caddy
+ app.kubernetes.io/component: caddy
+ app.kubernetes.io/instance: caddy
+ app.kubernetes.io/part-of: caddy
+spec:
+ replicas: 3
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: caddy
+ app.kubernetes.io/component: caddy
+ app.kubernetes.io/instance: caddy
+ app.kubernetes.io/part-of: caddy
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/name: caddy
+ app.kubernetes.io/component: caddy
+ app.kubernetes.io/instance: caddy
+ app.kubernetes.io/part-of: caddy
+ annotations:
+ kubectl.kubernetes.io/default-container: caddy
+ spec:
+ containers:
+ - name: kube-rbac-proxy
+ image: quay.io/brancz/kube-rbac-proxy:v0.15.0@sha256:2c7b120590cbe9f634f5099f2cbb91d0b668569023a81505ca124a5c437e7663
+ args:
+ - --secure-listen-address=:2021
+ - --upstream=http://[::1]:2019/
+ - --tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
+ - --client-ca-file=/var/run/secrets/tls/ca.crt
+ - --tls-cert-file=/var/run/secrets/tls/tls.crt
+ - --tls-private-key-file=/var/run/secrets/tls/tls.key
+ - --tls-reload-interval=12h
+ - --config-file=/etc/kube-rbac-proxy/config.yaml
+ ports:
+ - name: admin
+ containerPort: 2021
+ protocol: TCP
+ env:
+ - name: GOMEMLIMIT
+ valueFrom:
+ resourceFieldRef:
+ containerName: kube-rbac-proxy
+ resource: limits.memory
+ resources:
+ limits:
+ cpu: "0.2"
+ memory: 128Mi
+ requests:
+ cpu: "0.1"
+ memory: 64Mi
+ volumeMounts:
+ - name: kube-rbac-proxy
+ readOnly: true
+ mountPath: /etc/kube-rbac-proxy
+ - name: tls
+ readOnly: true
+ mountPath: /var/run/secrets/tls
+ - name: kube-api-access
+ readOnly: true
+ mountPath: /var/run/secrets/kubernetes.io/serviceaccount
+ securityContext:
+ capabilities:
+ drop:
+ - ALL
+ privileged: false
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
+ - name: caddy
+ image: docker.io/library/caddy:2.8.0-beta.2@sha256:40f3fb52a1538e3e8a1a0e10218b6415f5b2fe017185243493b256bc64d59fbd
+ args:
+ - run
+ ports:
+ - name: http
+ containerPort: 80
+ protocol: TCP
+ - name: http2
+ containerPort: 443
+ protocol: TCP
+ - name: http3
+ containerPort: 443
+ protocol: UDP
+ - name: admin2
+ containerPort: 2019
+ protocol: TCP
+ env:
+ - name: CADDY_ADMIN
+ value: :2019
+ - name: GOMEMLIMIT
+ valueFrom:
+ resourceFieldRef:
+ containerName: caddy
+ resource: limits.memory
+ resources:
+ limits:
+ cpu: "4"
+ memory: 4Gi
+ requests:
+ cpu: "0.25"
+ memory: 1Gi
+ volumeMounts:
+ - name: config
+ readOnly: false
+ mountPath: /config
+ - name: data
+ readOnly: false
+ mountPath: /data
+ - name: tmp
+ readOnly: false
+ mountPath: /tmp
+ livenessProbe:
+ httpGet:
+ path: /metrics
+ port: admin2
+ readinessProbe:
+ httpGet:
+ path: /metrics
+ port: admin2
+ initialDelaySeconds: 2
+ timeoutSeconds: 1
+ startupProbe:
+ httpGet:
+ path: /metrics
+ port: admin2
+ failureThreshold: 10
+ successThreshold: 1
+ initialDelaySeconds: 3
+ periodSeconds: 10
+ timeoutSeconds: 3
+ securityContext:
+ capabilities:
+ drop:
+ - ALL
+ privileged: false
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
+ volumes:
+ - name: config
+ emptyDir: {}
+ - name: data
+ emptyDir: {}
+ - name: tmp
+ emptyDir: {}
+ - name: tls
+ csi:
+ driver: 
csi.cert-manager.io
+ readOnly: true
+ volumeAttributes:
+ csi.cert-manager.io/fs-group: "100"
+ csi.cert-manager.io/issuer-kind: Issuer
+ csi.cert-manager.io/issuer-name: caddy
+ csi.cert-manager.io/duration: 72h
+ csi.cert-manager.io/dns-names: ${POD_NAME},${POD_NAME}.${POD_NAMESPACE},caddy.${POD_NAMESPACE}.svc
+ csi.cert-manager.io/key-usages: server auth
+ - name: kube-rbac-proxy
+ configMap:
+ name: caddy-kube-rbac-proxy
+ affinity:
+ nodeAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: kubernetes.io/arch
+ operator: In
+ values:
+ - amd64
+ - arm64
+ - key: kubernetes.io/os
+ operator: In
+ values:
+ - linux
+ topologySpreadConstraints:
+ - maxSkew: 1
+ topologyKey: kubernetes.io/hostname
+ whenUnsatisfiable: DoNotSchedule
+ labelSelector:
+ matchLabels:
+ app.kubernetes.io/name: caddy
+ app.kubernetes.io/component: caddy
+ app.kubernetes.io/instance: caddy
+ app.kubernetes.io/part-of: caddy
+ matchLabelKeys:
+ - pod-template-hash
+ serviceAccountName: caddy
+ automountServiceAccountToken: true
+ enableServiceLinks: false
+ securityContext:
+ runAsUser: 1000
+ runAsGroup: 100
+ runAsNonRoot: true
+ fsGroup: 100
+ sysctls:
+ - name: net.ipv4.ip_unprivileged_port_start
+ value: "0"
+ seccompProfile:
+ type: RuntimeDefault
diff --git a/example/internal-issuer.yaml b/example/internal-issuer.yaml
new file mode 100644
index 0000000..972f0d2
--- /dev/null
+++ b/example/internal-issuer.yaml
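Review bot: The LoadBalancer Service publishes the `admin2` port (2019), which is the raw Caddy admin API that `CADDY_ADMIN=:2019` binds on every interface, so the unauthenticated API the README warns about ends up on the public load balancer, bypassing the mTLS kube-rbac-proxy that fronts it on 2021. Remove the `admin2` entry from the Service (and `admin` too unless something outside the cluster must reach it; the operator dials `caddy.${POD_NAMESPACE}.svc`), keeping the container port so the kubelet probes still work. Separately, the kube-rbac-proxy container mounts a volume named `kube-api-access` that, as far as I can see, is not declared under `volumes:` (the auto-injected token volume gets a random suffix), and pod-level `automountServiceAccountToken: true` also hands the token to the caddy container, which never uses it. A projected `serviceAccountToken` volume mounted only by kube-rbac-proxy fixes both; the added and changed lines are below.
```yaml
      volumes:
        # … unchanged: config, data, tmp, tls and kube-rbac-proxy volumes …
        # Short-lived token for kube-rbac-proxy only; the caddy container
        # mounts nothing at /var/run/secrets/kubernetes.io/serviceaccount.
        - name: kube-api-access
          projected:
            sources:
              - serviceAccountToken:
                  path: token
                  expirationSeconds: 3600
              - configMap:
                  name: kube-root-ca.crt
                  items:
                    - key: ca.crt
                      path: ca.crt
              - downwardAPI:
                  items:
                    - path: namespace
                      fieldRef:
                        fieldPath: metadata.namespace
      # … unchanged: affinity, topologySpreadConstraints …
      serviceAccountName: caddy
      automountServiceAccountToken: false
```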
@@ -0,0 +1,38 @@
+# https://cert-manager.io/docs/configuration/selfsigned/#bootstrapping-ca-issuers
+---
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+ name: selfsigned
+ namespace: caddy-system
+spec:
+ selfSigned: {}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: caddy-selfsigned-ca
+ namespace: cert-manager
+spec:
+ isCA: true
+ commonName: caddy-selfsigned-ca
+ secretName: caddy-selfsigned-ca
+ subject:
+ organizations:
+ - caddy-system
+ privateKey:
+ algorithm: ECDSA
+ size: 256
+ issuerRef:
+ group: cert-manager.io
+ kind: Issuer
+ name: selfsigned
+---
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+ name: caddy
+ namespace: caddy-system
+spec:
+ ca:
+ secretName: caddy-selfsigned-ca
diff --git a/example/letsencrypt.yaml b/example/letsencrypt.yaml
new file mode 100644
index 0000000..c65a5a1
--- /dev/null
+++ b/example/letsencrypt.yaml
@@ -0,0 +1,18 @@
+---
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+ name: letsencrypt
+spec:
+ acme:
+ server: https://acme-v02.api.letsencrypt.org/directory
+ privateKeySecretRef:
+ name: letsencrypt-issuer-account-key
+ solvers:
+ - http01:
+ gatewayHTTPRoute:
+ parentRefs:
+ - kind: Gateway
+ name: caddy
+ namespace: caddy-system
+ sectionName: http
diff --git a/example/operator.yaml b/example/operator.yaml
new file mode 100644
index 0000000..d6fd8cb
--- /dev/null
+++ b/example/operator.yaml
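Review bot: The bootstrap `Certificate` `caddy-selfsigned-ca` is created in `namespace: cert-manager`, but its `issuerRef` points at the namespaced `Issuer` `selfsigned` that this file creates in `caddy-system`, and the CA `Issuer` `caddy` (also in `caddy-system`) reads `secretName: caddy-selfsigned-ca` from its own namespace; a namespaced Issuer is only resolved inside the Certificate's namespace, so as written the CA secret is never produced and the `caddy` issuer stays not-ready. Change the Certificate to `namespace: caddy-system` so the three objects live together. The README also applies this file before `operator.yaml`, which is where the `caddy-system` Namespace is created, so the documented order fails on a fresh cluster unless the namespace exists first; either move the Namespace into this file or swap the two steps in the README.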
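Review bot: The ClusterIssuer created here is named `letsencrypt`, but the Gateway example in `example/README.md` in this same commit sets `cert-manager.io/cluster-issuer: letencrypt`, so cert-manager looks for a ClusterIssuer that does not exist and the `caddy-tls` secret is never issued. Fix the annotation in the README to `cert-manager.io/cluster-issuer: letsencrypt`. If the README's `caddy-https-redirect` route is applied as well, it and the solver's HTTPRoute both attach to the `http` listener; Gateway API precedence should favour the solver's more specific challenge path over the catch-all redirect, but that is worth confirming and noting next to the redirect example.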
@@ -0,0 +1,349 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: caddy-system
+ labels:
+ app.kubernetes.io/name: caddy-system
+ pod-security.kubernetes.io/enforce: restricted
+ pod-security.kubernetes.io/enforce-version: latest
+ pod-security.kubernetes.io/audit: restricted
+ pod-security.kubernetes.io/audit-version: latest
+ pod-security.kubernetes.io/warn: restricted
+ pod-security.kubernetes.io/warn-version: latest
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: caddy-gateway
+ namespace: caddy-system
+ labels:
+ app.kubernetes.io/name: caddy-gateway
+ app.kubernetes.io/component: operator
+ app.kubernetes.io/instance: caddy-system
+ app.kubernetes.io/part-of: caddy-system
+automountServiceAccountToken: false
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: caddy-system:caddy-gateway
+ labels:
+ app.kubernetes.io/name: caddy-gateway
+ app.kubernetes.io/component: operator
+ app.kubernetes.io/instance: caddy-system
+ app.kubernetes.io/part-of: caddy-system
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - configmaps
+ - endpoints
+ - namespaces
+ - secrets
+ - services
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - apiextensions.k8s.io
+ resources:
+ - customresourcedefinitions
+ verbs:
+ - get
+ - apiGroups:
+ - gateway.networking.k8s.io
+ resources:
+ - backendtlspolicies
+ - gatewayclasses
+ - gateways
+ - grpcroutes
+ - httproutes
+ - referencegrants
+ - tcproutes
+ - tlsroutes
+ - udproutes
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - gateway.networking.k8s.io
+ resources:
+ - backendtlspolicies/finalizers
+ - gatewayclasses/finalizers
+ - gateways/finalizers
+ - grpcroutes/finalizers
+ - httproutes/finalizers
+ - referencegrants/finalizers
+ - tcproutes/finalizers
+ - tlsroutes/finalizers
+ - udproutes/finalizers
+ verbs:
+ - update
+ - apiGroups:
+ - gateway.networking.k8s.io
+ resources:
+ - backendtlspolicies/status
+ - gatewayclasses/status
+ - gateways/status
+ - 
grpcroutes/status
+ - httproutes/status
+ - referencegrants/status
+ - tcproutes/status
+ - tlsroutes/status
+ - udproutes/status
+ verbs:
+ - patch
+ - update
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: caddy-system:caddy-gateway
+ labels:
+ app.kubernetes.io/name: caddy-gateway
+ app.kubernetes.io/component: operator
+ app.kubernetes.io/instance: caddy-system
+ app.kubernetes.io/part-of: caddy-system
+subjects:
+ - name: caddy-gateway
+ namespace: caddy-system
+ kind: ServiceAccount
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: caddy-system:caddy-gateway
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: caddy-gateway
+ namespace: caddy-system
+ labels:
+ app.kubernetes.io/name: caddy-gateway
+ app.kubernetes.io/component: operator
+ app.kubernetes.io/instance: caddy-system
+ app.kubernetes.io/part-of: caddy-system
+rules:
+ # This weird resource rule is used by kube-rbac-proxy to allow access to the Caddy Admin API.
+ - apiGroups:
+ - ""
+ resources:
+ - caddy/config
+ verbs:
+ - create
+ - apiGroups:
+ - ""
+ resources:
+ - events
+ verbs:
+ - create
+ - patch
+ - apiGroups:
+ - coordination.k8s.io
+ resources:
+ - leases
+ verbs:
+ - create
+ - apiGroups:
+ - coordination.k8s.io
+ resources:
+ - leases
+ resourceNames:
+ - 657d83d7.caddyserver.com
+ verbs:
+ - get
+ - patch
+ - update
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: caddy-gateway
+ namespace: caddy-system
+ labels:
+ app.kubernetes.io/name: caddy-gateway
+ app.kubernetes.io/component: operator
+ app.kubernetes.io/instance: caddy-system
+ app.kubernetes.io/part-of: caddy-system
+subjects:
+ - name: caddy-gateway
+ namespace: caddy-system
+ kind: ServiceAccount
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: caddy-gateway
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: caddy-gateway
+ namespace: caddy-system
+ labels:
+ app.kubernetes.io/name: caddy-gateway
+ app.kubernetes.io/component: operator
+ app.kubernetes.io/instance: caddy-system
+ app.kubernetes.io/part-of: caddy-system
+spec:
+ type: ClusterIP
+ ipFamilyPolicy: PreferDualStack
+ selector:
+ app.kubernetes.io/name: caddy-gateway
+ app.kubernetes.io/component: operator
+ app.kubernetes.io/instance: caddy-system
+ app.kubernetes.io/part-of: caddy-system
+ ports:
+ - name: metrics
+ port: 8080
+ targetPort: 8080
+ protocol: TCP
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: caddy-gateway
+ namespace: caddy-system
+ labels:
+ app.kubernetes.io/name: caddy-gateway
+ app.kubernetes.io/component: operator
+ app.kubernetes.io/instance: caddy-system
+ app.kubernetes.io/part-of: caddy-system
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: caddy-gateway
+ app.kubernetes.io/component: operator
+ app.kubernetes.io/instance: caddy-system
+ app.kubernetes.io/part-of: caddy-system
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/name: caddy-gateway
+ 
app.kubernetes.io/component: operator
+ app.kubernetes.io/instance: caddy-system
+ app.kubernetes.io/part-of: caddy-system
+ spec:
+ containers:
+ - name: caddy-gateway
+ image: ghcr.io/caddyserver/gateway:latest
+ args:
+ - --leader-elect
+ ports:
+ - name: metrics
+ containerPort: 8080
+ protocol: TCP
+ - name: health
+ containerPort: 8081
+ protocol: TCP
+ env:
+ - name: GOMEMLIMIT
+ valueFrom:
+ resourceFieldRef:
+ containerName: caddy-gateway
+ resource: limits.memory
+ imagePullPolicy: Always
+ resources:
+ limits:
+ cpu: "0.5"
+ memory: 2Gi
+ requests:
+ cpu: "0.25"
+ memory: 1Gi
+ volumeMounts:
+ - name: tls
+ readOnly: true
+ mountPath: /var/run/secrets/tls
+ livenessProbe:
+ httpGet:
+ path: /healthz
+ port: health
+ scheme: HTTP
+ initialDelaySeconds: 5
+ timeoutSeconds: 5
+ periodSeconds: 5
+ successThreshold: 1
+ failureThreshold: 3
+ readinessProbe:
+ httpGet:
+ path: /readyz
+ port: health
+ scheme: HTTP
+ initialDelaySeconds: 5
+ periodSeconds: 10
+ securityContext:
+ capabilities:
+ drop:
+ - ALL
+ privileged: false
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
+ volumes:
+ - name: tls
+ csi:
+ driver: csi.cert-manager.io
+ readOnly: true
+ volumeAttributes:
+ csi.cert-manager.io/fs-group: "100"
+ csi.cert-manager.io/issuer-kind: Issuer
+ csi.cert-manager.io/issuer-name: caddy
+ csi.cert-manager.io/duration: 72h
+ csi.cert-manager.io/common-name: system:serviceaccount:caddy-system:caddy-gateway
+ csi.cert-manager.io/dns-names: caddy-gateway.${POD_NAMESPACE}.svc
+ csi.cert-manager.io/key-usages: client auth
+ affinity:
+ nodeAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: kubernetes.io/arch
+ operator: In
+ values:
+ - amd64
+ - arm64
+ - key: kubernetes.io/os
+ operator: In
+ values:
+ - linux
+ topologySpreadConstraints:
+ - maxSkew: 1
+ topologyKey: kubernetes.io/hostname
+ whenUnsatisfiable: DoNotSchedule
+ labelSelector:
+ matchLabels:
+ app.kubernetes.io/name: 
caddy-gateway
+ app.kubernetes.io/component: operator
+ app.kubernetes.io/instance: caddy-system
+ app.kubernetes.io/part-of: caddy-system
+ matchLabelKeys:
+ - pod-template-hash
+ tolerations:
+ - key: node-role.kubernetes.io/control-plane
+ effect: NoSchedule
+ - key: CriticalAddonsOnly
+ operator: Exists
+ serviceAccountName: caddy-gateway
+ automountServiceAccountToken: true
+ enableServiceLinks: false
+ securityContext:
+ runAsUser: 1000
+ runAsGroup: 100
+ runAsNonRoot: true
+ fsGroup: 100
+ seccompProfile:
+ type: RuntimeDefault
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: GatewayClass
+metadata:
+ name: caddy
+ labels:
+ app.kubernetes.io/name: caddy-gateway
+ app.kubernetes.io/component: operator
+ app.kubernetes.io/instance: caddy-system
+ app.kubernetes.io/part-of: caddy-system
+spec:
+ controllerName: caddyserver.com/gateway-controller
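Review bot: The controller image is `ghcr.io/caddyserver/gateway:latest` with `imagePullPolicy: Always`, so every pod restart pulls whatever the mutable tag currently points at, while the same commit pins `caddy` and `kube-rbac-proxy` by tag and digest in `caddy.yaml`; for the component that holds cluster-wide `secrets` read access this is the weakest link in the example's supply chain. Pin it the same way, e.g. `image: ghcr.io/caddyserver/gateway:<release-tag>@sha256:<digest>` (placeholders to fill in at release time), and drop `imagePullPolicy: Always` once the reference is immutable. The ClusterRole's `secrets` get/list/watch across all namespaces is presumably needed to read `certificateRefs` from other namespaces; if so, a one-line comment on that rule saying why would save the next reviewer the question. As in `caddy.yaml`, the pod sets `automountServiceAccountToken: true` while the ServiceAccount says `false`; that is fine here because the controller needs the token, but a comment such as `# The pod opts in explicitly; the ServiceAccount default stays false so nothing else using it gets a token.` would make the intent clear.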