Merge branch 'dev' into pull-request

Author: Anadris

README.md

@@ -19,6 +19,7 @@ Official [Helm chart](https://helm.sh/docs/) to deploy [BunkerWeb](https://www.b
 - Kubernetes 1.19+
 - Helm 3.8+
 - PV provisioner support in the underlying infrastructure (for persistence)
+- Kubernetes Gateway API CRDs installed (required for Gateway API support, see the [Gateway API install guide](https://gateway-api.sigs.k8s.io/guides/getting-started/#installing-gateway-api))
 
 **Important**: Please first refer to the [BunkerWeb documentation](https://docs.bunkerweb.io/latest/?utm_campaign=self&utm_source=github), particularly the [Kubernetes integration](https://docs.bunkerweb.io/latest/integrations/?utm_campaign=self&utm_source=bunkerwebio#kubernetes) section.
 
@@ -80,6 +81,8 @@ settings:
 
 ### Kubernetes Integration
 
+**Controller selection**: The controller runs as either a `GatewayController` or an `IngressController`, never both. If both are configured, `GatewayController` takes priority.
+
 ```yaml
 settings:
   kubernetes:
@@ -262,4 +265,4 @@ See [`examples/`](examples/) directory for complete configuration examples.
 
 ## License
 
-This Helm chart is licensed under the same terms as BunkerWeb itself.
+This Helm chart is licensed under the same terms as BunkerWeb itself.

charts/bunkerweb/Chart.yaml

@@ -15,7 +15,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 1.0.12
+version: 1.0.13
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

charts/bunkerweb/templates/api-httproute.yaml

@@ -0,0 +1,30 @@
+{{- if .Values.settings.api.httpRoutes.enabled -}}
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: api-{{ include "bunkerweb.fullname" . }}-httproute
+  namespace: {{ include "bunkerweb.namespace" . }}
+  labels:
+    {{- include "bunkerweb.labels" . | nindent 4 }}
+  annotations:
+    bunkerweb.io/USE_TEMPLATE: "api"
+    {{- with .Values.settings.api.httpRoutes.extraAnnotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+spec:
+  parentRefs:
+    - name: {{ include "bunkerweb.fullname" . }}-gateway
+      namespace: {{ include "bunkerweb.namespace" . }}
+  {{- if .Values.settings.api.httpRoutes.serverName }}
+  hostnames:
+    - {{ .Values.settings.api.httpRoutes.serverName | quote }}
+  {{- end }}
+  rules:
+    - matches:
+        - path:
+            type: PathPrefix
+            value: {{ .Values.settings.api.httpRoutes.serverPath | default "/" }}
+      backendRefs:
+        - name: api-{{ include "bunkerweb.fullname" . }}
+          port: 8888
+{{- end }}

charts/bunkerweb/templates/clusterrole.yaml

@@ -13,4 +13,20 @@ rules:
     verbs: ["get", "watch", "list"]
   - apiGroups: ["networking.k8s.io"]
     resources: ["ingresses/status"]
-    verbs: ["get", "watch", "list", "patch"]
+    verbs: ["get", "watch", "list", "patch"]
+  - apiGroups: ["gateway.networking.k8s.io"]
+    resources:
+      - gatewayclasses
+      - gatewayclasses/status
+      - gateways
+      - gateways/status
+      - httproutes
+      - httproutes/status
+      - tlsroutes
+      - tlsroutes/status
+      - tcproutes
+      - tcproutes/status
+      - udproutes
+      - udproutes/status
+      - referencegrants
+    verbs: ["get", "watch", "list", "patch", "update"]

charts/bunkerweb/templates/controller-deployment.yaml

@@ -44,6 +44,12 @@ spec:
             # Mandatory for k8s integration
             - name: KUBERNETES_MODE
               value: "yes"
+            - name: KUBERNETES_REVERSE_PROXY_SUFFIX_START
+              value: "0"
+            {{- if .Values.gatewayClass.enabled }}
+            - name: KUBERNETES_GATEWAY_MODE
+              value: "yes"
+            {{- end }}
             - name: DATABASE_URI
               {{- if not (empty .Values.settings.existingSecret) }}
               valueFrom:
@@ -61,9 +67,7 @@ spec:
               value: "{{ .Values.settings.kubernetes.domainName }}"
             - name: KUBERNETES_IGNORE_ANNOTATIONS
               value: "{{ .Values.settings.kubernetes.ignoreAnnotations }}"
-            {{- if .Values.controller.extraEnvs }}
-              {{- toYaml .Values.controller.extraEnvs | nindent 12 }}
-            {{- end }}
+            {{- toYaml .Values.controller.extraEnvs | nindent 12 }}
             {{- if .Values.ui.logs.enabled }}
             - name: LOG_TYPES
               value: "stderr syslog"

charts/bunkerweb/templates/gateway.yaml

@@ -0,0 +1,73 @@
+{{- if and .Values.gatewayClass.enabled (or .Values.settings.ui.httpRoutes.enabled .Values.settings.api.httpRoutes.enabled) -}}
+apiVersion: gateway.networking.k8s.io/v1
+kind: Gateway
+metadata:
+  name: {{ include "bunkerweb.fullname" . }}-gateway
+  namespace: {{ include "bunkerweb.namespace" . }}
+  labels:
+    {{- include "bunkerweb.labels" . | nindent 4 }}
+  {{- if or .Values.settings.ui.httpRoutes.extraAnnotations .Values.settings.api.httpRoutes.extraAnnotations }}
+  annotations:
+    {{- with .Values.settings.ui.httpRoutes.extraAnnotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+    {{- with .Values.settings.api.httpRoutes.extraAnnotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+  {{- end }}
+spec:
+  gatewayClassName: {{ .Values.gatewayClass.name }}
+  listeners:
+    {{- if .Values.settings.ui.httpRoutes.enabled }}
+    - name: ui-http
+      protocol: HTTP
+      port: 80
+      {{- if .Values.settings.ui.httpRoutes.serverName }}
+      hostname: {{ .Values.settings.ui.httpRoutes.serverName | quote }}
+      {{- end }}
+      allowedRoutes:
+        namespaces:
+          from: Same
+    {{- if .Values.settings.ui.httpRoutes.tlsSecretName }}
+    - name: ui-https
+      protocol: HTTPS
+      port: 443
+      {{- if .Values.settings.ui.httpRoutes.serverName }}
+      hostname: {{ .Values.settings.ui.httpRoutes.serverName | quote }}
+      {{- end }}
+      tls:
+        mode: Terminate
+        certificateRefs:
+          - name: {{ .Values.settings.ui.httpRoutes.tlsSecretName }}
+      allowedRoutes:
+        namespaces:
+          from: Same
+    {{- end }}
+    {{- end }}
+    {{- if .Values.settings.api.httpRoutes.enabled }}
+    - name: api-http
+      protocol: HTTP
+      port: 80
+      {{- if .Values.settings.api.httpRoutes.serverName }}
+      hostname: {{ .Values.settings.api.httpRoutes.serverName | quote }}
+      {{- end }}
+      allowedRoutes:
+        namespaces:
+          from: Same
+    {{- if .Values.settings.api.httpRoutes.tlsSecretName }}
+    - name: api-https
+      protocol: HTTPS
+      port: 443
+      {{- if .Values.settings.api.httpRoutes.serverName }}
+      hostname: {{ .Values.settings.api.httpRoutes.serverName | quote }}
+      {{- end }}
+      tls:
+        mode: Terminate
+        certificateRefs:
+          - name: {{ .Values.settings.api.httpRoutes.tlsSecretName }}
+      allowedRoutes:
+        namespaces:
+          from: Same
+    {{- end }}
+    {{- end }}
+{{- end }}

charts/bunkerweb/templates/gatewayclass.yaml

@@ -0,0 +1,11 @@
+{{- if .Values.gatewayClass.enabled -}}
+apiVersion: gateway.networking.k8s.io/v1
+kind: GatewayClass
+metadata:
+  name: {{ .Values.gatewayClass.name }}
+  labels:
+    {{- include "bunkerweb.labels" . | nindent 4 }}
+    app.kubernetes.io/component: controller
+spec:
+  controllerName: {{ .Values.gatewayClass.controller }}
+{{- end }}

charts/bunkerweb/templates/ui-httproute.yaml

@@ -0,0 +1,30 @@
+{{- if .Values.settings.ui.httpRoutes.enabled -}}
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: ui-{{ include "bunkerweb.fullname" . }}-httproute
+  namespace: {{ include "bunkerweb.namespace" . }}
+  labels:
+    {{- include "bunkerweb.labels" . | nindent 4 }}
+  annotations:
+    bunkerweb.io/USE_TEMPLATE: "ui"
+    {{- with .Values.settings.ui.httpRoutes.extraAnnotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+spec:
+  parentRefs:
+    - name: {{ include "bunkerweb.fullname" . }}-gateway
+      namespace: {{ include "bunkerweb.namespace" . }}
+  {{- if .Values.settings.ui.httpRoutes.serverName }}
+  hostnames:
+    - {{ .Values.settings.ui.httpRoutes.serverName | quote }}
+  {{- end }}
+  rules:
+    - matches:
+        - path:
+            type: PathPrefix
+            value: {{ .Values.settings.ui.httpRoutes.serverPath | default "/" }}
+      backendRefs:
+        - name: ui-{{ include "bunkerweb.fullname" . }}
+          port: 7000
+{{- end }}

charts/bunkerweb/values.yaml

@@ -108,25 +108,39 @@ settings:
     # Enable the setup wizard on first launch
     wizard: true
 
+    # if using new Gateway API integration instead of ingress resources
+    # HTTP routes configuration for UI access
+    httpRoutes:
+      # Enable HTTP routes for UI access
+      enabled: false
+      # GatewayClass name to use
+      gatewayClassName: ""
+      # Domain name for UI access
+      # Example: "bunkerweb-ui.example.com"
+      serverName: ""
+      # Path for UI access
+      serverPath: "/"
+      # Additional annotations for the httpRoute resource
+      # Example: {"cert-manager.io/cluster-issuer": "letsencrypt-prod"}
+      extraAnnotations: {}
+      # Secret name containing TLS certificate
+      # Leave empty to disable HTTPS
+      tlsSecretName: ""
+
     # Ingress configuration for UI access
     ingress:
       # Set to true to create an Ingress resource for the UI
       enabled: false
-
       # IngressClass name to use
       ingressClassName: ""
-
       # Domain name for UI access
       # Example: "bunkerweb-ui.example.com"
       serverName: ""
-
       # Path for UI access (usually "/")
       serverPath: "/"
-
       # Additional annotations for the Ingress resource
       # Example: {"cert-manager.io/cluster-issuer": "letsencrypt-prod"}
       extraAnnotations: {}
-
       # Secret name containing TLS certificate
       # Leave empty to disable HTTPS
       tlsSecretName: ""
@@ -198,25 +212,39 @@ settings:
       # https://limits.readthedocs.io/en/stable/quickstart.html#rate-limit-string-notation
       defaults: ["100/minute"]
 
+    # if using new Gateway API integration instead of ingress resources
+    # HTTP routes configuration for API access
+    httpRoutes:
+      # Enable HTTP routes for API access
+      enabled: false
+      # GatewayClass name to use
+      gatewayClassName: ""
+      # Domain name for API access
+      # Example: "bunkerweb-api.example.com"
+      serverName: ""
+      # Path for API access
+      serverPath: "/admin"
+      # Additional annotations for the Ingress resource
+      # Example: {"cert-manager.io/cluster-issuer": "letsencrypt-prod"}
+      extraAnnotations: {}
+      # Secret name containing TLS certificate
+      # Leave empty to disable HTTPS
+      tlsSecretName: ""
+
     # Ingress configuration for API access
     ingress:
       # Set to true to create an Ingress resource for the API
       enabled: false
-
       # IngressClass name to use
       ingressClassName: ""
-
       # Domain name for API access
       # Example: "bunkerweb-api.example.com"
       serverName: ""
-
       # Path for API access (usually "/")
       serverPath: "/"
-
       # Additional annotations for the Ingress resource
       # Example: {"cert-manager.io/cluster-issuer": "letsencrypt-prod"}
       extraAnnotations: {}
-
       # Secret name containing TLS certificate
       # Leave empty to disable HTTPS
       tlsSecretName: ""
@@ -1334,6 +1362,22 @@ redis:
   #     cpu: "500m"
   #     memory: "1024Mi"
 
+# =============================================================================
+# GATEWAY CLASS
+# =============================================================================
+# Kubernetes GatewayClass resource for BunkerWeb
+
+gatewayClass:
+  # Create GatewayClass resource
+  # Requires Kubernetes Gateway API CRDs to be installed in the cluster: https://gateway-api.sigs.k8s.io/guides/getting-started/#installing-gateway-api
+  enabled: false
+
+  # GatewayClass name (used in gateway resources)
+  name: "bunkerweb"
+
+  # Controller identifier for this GatewayClass
+  controller: "bunkerweb.io/gateway-controller"
+
 # =============================================================================
 # INGRESS CLASS
 # =============================================================================