feat: Provide support for enabling ingress controller (experimental, …

…breaking) (#245)

* Basic setup without RBAC

* RBAC support

* Add link to repo

Signed-off-by: Tom Kerkhove <kerkhove.tom@gmail.com>

---------

Signed-off-by: Tom Kerkhove <kerkhove.tom@gmail.com>

helm-charts/azure-api-management-gateway/templates/configmap.yaml

@@ -18,6 +18,10 @@ data:
   {{- if .Values.gateway.auth.azureAd.authority }}
   config.service.auth.azureAd.authority : {{ .Values.gateway.auth.azureAd.authority | quote }}
   {{- end }}
+{{- end }}
+{{- if .Values.ingress.controller.enabled }}
+  k8s.ingress.enabled : {{ .Values.ingress.controller.enabled | quote }}
+  k8s.ingress.namespace : {{ .Values.ingress.controller.namespace | default ( .Release.Namespace ) | quote }}
 {{- end }}
   telemetry.metrics.cloud: {{ .Values.observability.azureMonitor.metrics.enabled | quote }}
   telemetry.logs.std: {{ .Values.observability.logs.std.format | quote }}

helm-charts/azure-api-management-gateway/templates/ingress-controller.yaml

@@ -0,0 +1,63 @@
+{{- $doesSupportStableIngress := .Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress" -}}
+{{- if  and (.Values.ingress.controller.enabled) ($doesSupportStableIngress) -}}
+apiVersion: networking.k8s.io/v1
+kind: IngressClass
+metadata:
+  name: {{ include "azure-api-management-gateway.fullname" . }}
+  labels:
+    {{- include "azure-api-management-gateway.labels" . | nindent 4 }}
+  {{- with .Values.ingress.controller.ingressClass.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  controller: {{ .Values.ingress.controller.ingressClass.controller | quote }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ include "azure-api-management-gateway.fullname" . }}-rbac
+  labels:
+    {{- include "azure-api-management-gateway.labels" . | nindent 4 }}
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - secrets
+      - namespaces
+    verbs:
+      - get
+      - watch
+      - get
+  - apiGroups:
+      - ""
+    resources:
+      - services
+    verbs:
+      - get
+      - watch
+      - get
+  - apiGroups:
+      - networking.k8s.io
+    resources:
+      - ingresses
+    verbs:
+      - list
+      - watch
+      - get
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ include "azure-api-management-gateway.fullname" . }}
+  labels:
+    {{- include "azure-api-management-gateway.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ include "azure-api-management-gateway.fullname" . }}-rbac
+subjects:
+  - kind: ServiceAccount
+    name: {{ .Values.serviceAccountName }}
+    namespace: {{ .Release.Namespace }}
+{{- end }}

helm-charts/azure-api-management-gateway/values.yaml

@@ -127,19 +127,14 @@ service:
   annotations: {}
 
 ingress:
-  enabled: false
-  annotations: {}
-    # kubernetes.io/ingress.class: nginx
-    # kubernetes.io/tls-acme: "true"
-  hosts:
-    - host: chart-example.local
-      useHttpsBackend: false
-      paths: []
-
-  tls: []
-  #  - secretName: chart-example-tls
-  #    hosts:
-  #      - chart-example.local
+  # Experimental feature: See https://github.com/Azure/api-management-self-hosted-gateway-ingress
+  controller:
+    enabled: false
+    namespace: ""
+    annotations: []
+    ingressClass:    
+      controller: "azure-api-management/gateway"
+      annotations: []
 
 serviceAccountName: default