diff --git a/charts/gateway/Chart.yaml b/charts/gateway/Chart.yaml
index e21af62..54a0c1d 100644
--- a/charts/gateway/Chart.yaml
+++ b/charts/gateway/Chart.yaml
@@ -14,7 +14,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.2.27
+version: 0.2.28
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
diff --git a/charts/gateway/README.md b/charts/gateway/README.md
index 3f3aebd..935ca81 100644
--- a/charts/gateway/README.md
+++ b/charts/gateway/README.md
@@ -152,7 +152,7 @@ The command removes all the Kubernetes components associated with the chart and
 | dns.resolvers[5] | string | `"8.8.8.8"` | |
 | dns.timeout | int | `5` | |
 | dns.validity | int | `30` | |
-| etcd | object | `{"auth":{"rbac":{"create":false,"rootPassword":""},"tls":{"certFilename":"","certKeyFilename":"","enabled":false,"existingSecret":"","sni":"","verify":false}},"enabled":false,"host":["http://etcd.host:2379"],"password":"","prefix":"/apisix","replicaCount":3,"service":{"port":2379},"timeout":30,"user":""}` | etcd configuration use the FQDN address or the IP of the etcd |
+| etcd | object | `{"auth":{"rbac":{"create":false,"rootPassword":""},"tls":{"certFilename":"","certKeyFilename":"","enabled":false,"existingSecret":"","sni":"","verify":false}},"enabled":false,"host":["http://etcd.host:2379"],"image":{"repository":"api7/etcd"},"password":"","prefix":"/apisix","replicaCount":3,"service":{"port":2379},"timeout":30,"user":""}` | etcd configuration use the FQDN address or the IP of the etcd |
 | etcd.auth | object | `{"rbac":{"create":false,"rootPassword":""},"tls":{"certFilename":"","certKeyFilename":"","enabled":false,"existingSecret":"","sni":"","verify":false}}` | if etcd.enabled is true, set more values of bitnami/etcd helm chart |
 | etcd.auth.rbac.create | bool | `false` | No authentication by default. Switch to enable RBAC authentication |
 | etcd.auth.rbac.rootPassword | string | `""` | root password for etcd. Requires etcd.auth.rbac.create to be true. |
@@ -183,10 +183,11 @@ The command removes all the Kubernetes components associated with the chart and
 | gateway.livenessProbe | object | `{}` | kubernetes liveness probe. |
 | gateway.readinessProbe | object | `{}` | kubernetes readiness probe, we will provide a probe based on tcpSocket to gateway's HTTP port by default. |
 | gateway.stream | object | `{"enabled":false,"only":false,"tcp":[],"udp":[]}` | API7 Gateway service settings for stream. L4 proxy (TCP/UDP) |
-| gateway.tls | object | `{"additionalContainerPorts":[],"certCAFilename":"","containerPort":9443,"enabled":true,"existingCASecret":"","http2":{"enabled":true},"ip":"0.0.0.0","servicePort":443,"sslProtocols":"TLSv1.2 TLSv1.3"}` | API7 Gateway service settings for tls |
+| gateway.tls | object | `{"additionalContainerPorts":[],"certCAFilename":"","containerPort":9443,"enabled":true,"existingCASecret":"","fallbackSNI":"","http2":{"enabled":true},"ip":"0.0.0.0","servicePort":443,"sslProtocols":"TLSv1.2 TLSv1.3"}` | API7 Gateway service settings for tls |
 | gateway.tls.additionalContainerPorts | list | `[]` | Support multiple https ports, See [Configuration](https://github.com/apache/apisix/blob/0bc65ea9acd726f79f80ae0abd8f50b7eb172e3d/conf/config-default.yaml#L99) |
 | gateway.tls.certCAFilename | string | `""` | Filename be used in the gateway.tls.existingCASecret |
 | gateway.tls.existingCASecret | string | `""` | Specifies the name of Secret contains trusted CA certificates in the PEM format used to verify the certificate when APISIX needs to do SSL/TLS handshaking with external services (e.g. etcd) |
+| gateway.tls.fallbackSNI | string | `""` | If set this, when the client doesn't send SNI during handshake, the fallback SNI will be used instead |
 | gateway.tls.ip | string | `"0.0.0.0"` | which ip to listen on for API7 Gateway https service. |
 | gateway.tls.sslProtocols | string | `"TLSv1.2 TLSv1.3"` | TLS protocols allowed to use.
|
 | gateway.type | string | `"NodePort"` | API7 Gateway service type for user access itself |
diff --git a/charts/gateway/templates/configmap.yaml b/charts/gateway/templates/configmap.yaml
index dce7bf9..dced225 100644
--- a/charts/gateway/templates/configmap.yaml
+++ b/charts/gateway/templates/configmap.yaml
@@ -126,6 +126,9 @@ data:
 {{- if and .Values.gateway.tls.enabled .Values.gateway.tls.existingCASecret }}
 ssl_trusted_certificate: "system,/usr/local/apisix/conf/ssl/{{ .Values.gateway.tls.certCAFilename }}"
 {{- end }}
+ {{- if .Values.gateway.tls.fallbackSNI }}
+ fallback_sni: {{ .Values.gateway.tls.fallbackSNI }}
+ {{- end }}
 {{- if .Values.api7ee.status_endpoint.enabled }}
 status:
diff --git a/charts/gateway/values.yaml b/charts/gateway/values.yaml
index c1623c3..64cc572 100644
--- a/charts/gateway/values.yaml
+++ b/charts/gateway/values.yaml
@@ -297,6 +297,8 @@ gateway:
 enabled: true
 # -- TLS protocols allowed to use.
 sslProtocols: "TLSv1.2 TLSv1.3"
+ # -- If set this, when the client doesn't send SNI during handshake, the fallback SNI will be used instead
+ fallbackSNI: ""
 # -- API7 Gateway service settings for stream. L4 proxy (TCP/UDP)
 stream:
 enabled: false
@@ -514,6 +516,8 @@ serviceMonitor:
 etcd:
 # -- install etcd(v3) by default, set false if do not want to install etcd(v3) together
 enabled: false
+ image:
+ repository: api7/etcd
 # -- if etcd.enabled is false, use external etcd, support multiple address, if your etcd cluster enables TLS, please use https scheme, e.g. https://127.0.0.1:2379.
 host:
 # host or ip e.g. http://172.20.128.89:2379
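Review bot: `fallback_sni: {{ .Values.gateway.tls.fallbackSNI }}` emits the operator-supplied value into the rendered config unquoted, so a value YAML does not read as a plain string — one beginning with `*` (a YAML alias indicator), or containing `: ` or ` #` — would either break the ConfigMap or be reinterpreted, whereas the neighbouring `ssl_trusted_certificate` line in the same hunk is quoted. Render it as `fallback_sni: {{ .Values.gateway.tls.fallbackSNI | quote }}` so the scalar is always a string regardless of its content. The key this block nests under is outside the hunk, so I cannot confirm from here that the new lines land in the same section as `ssl_trusted_certificate`; presumably they do, since the indentation matches. A rendered-template test with a non-trivial hostname would pin this.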
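Review bot: `repository: api7/etcd` in the second values.yaml hunk changes the bundled etcd image without setting a `tag` or `digest`, so whatever tag the subchart defaults to is now applied to a different repository. The README row for `etcd.auth` says these values feed the bitnami/etcd chart, whose default tag is for the Bitnami image, so that tag may not be published under api7/etcd, and an unpinned or mutable tag lets the deployed binary change without any chart change (presumably the subchart also has `registry`/`digest` keys, as Bitnami charts do — confirm). Pin the image explicitly, e.g. `image:` / `repository: api7/etcd` / `tag: "<etcd-tag-validated-with-this-chart>"` (placeholder), and prefer a digest where the subchart supports it; the README default for `etcd` should then be regenerated to show the pinned tag as well.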