apiVersion: gateway.tv2.dk/v1alpha1 kind: GatewayClassBlueprint metadata: name: aws-alb-crossplane spec: values: default: healthCheck: interval: 5 timeout: 4 threshold: 2 path: /healthz/ready port: 15021 ingressAcls: cidrs: - 0.0.0.0/0 port: 443 tags: [] # Values required by this blueprint without defaults: # providerConfigName: "example-crossplane-provider-name" # region: "example-region" # vpcId: "example-vpc" # subnets: # - "example-subnet1" # - "example-subnet2" # - "example-subnet3" # upstreamSecurityGroup: "example-cluster-sg" # certificateArn: "example-cert-arn" # The following are templates used to 'implement' a 'parent' Gateway gatewayTemplate: status: template: | addresses: - type: Hostname value: {{ .Resources.LB.status.atProvider.dnsName }} resourceTemplates: childGateway: | apiVersion: gateway.networking.k8s.io/v1beta1 kind: Gateway metadata: name: {{ .Gateway.metadata.name }}-child namespace: {{ .Gateway.metadata.namespace }} annotations: networking.istio.io/service-type: ClusterIP {{ if .Values.tags }} {{ toYaml .Values.tags | nindent 4 }} {{ end }} spec: gatewayClassName: istio listeners: {{- range .Gateway.spec.listeners }} - name: {{ .name }} port: 80 protocol: HTTP {{ if get . "hostname" }} hostname: {{ .hostname | quote }} {{ end -}} {{ if get . "allowedRoutes" }} allowedRoutes: {{ toYaml .allowedRoutes | nindent 6 }} {{ end -}} {{- end }} LB: | apiVersion: elbv2.aws.upbound.io/v1beta1 kind: LB metadata: labels: tv2.dk/gw: {{ .Gateway.metadata.namespace }}-{{ .Gateway.metadata.name }} name: gw-{{ .Gateway.metadata.namespace }}-{{ .Gateway.metadata.name }} spec: providerConfigRef: name: {{ .Values.providerConfigName }} forProvider: name: gw-{{ .Gateway.metadata.namespace }}-{{ .Gateway.metadata.name }} region: {{ .Values.region }} internal: {{ .Values.internal }} securityGroupSelector: matchLabels: tv2.dk/gw: {{ .Gateway.metadata.namespace }}-{{ .Gateway.metadata.name }} subnetMapping: {{ range .Values.subnets }} - subnetId: {{ . }} {{ end }} {{ if .Values.tags }} tags: {{- toYaml .Values.tags | nindent 6 }} {{ end }} LBTargetGroup: | apiVersion: elbv2.aws.upbound.io/v1beta1 kind: LBTargetGroup metadata: labels: tv2.dk/gw: {{ .Gateway.metadata.namespace }}-{{ .Gateway.metadata.name }} name: gw-{{ .Gateway.metadata.namespace }}-{{ .Gateway.metadata.name }} spec: providerConfigRef: name: {{ .Values.providerConfigName }} forProvider: name: gw-{{ .Gateway.metadata.namespace }}-{{ .Gateway.metadata.name }} region: {{ .Values.region }} vpcId: {{ .Values.vpcId }} healthCheck: - enabled: true healthyThreshold: {{ .Values.healthCheck.threshold }} interval: {{ .Values.healthCheck.interval }} timeout: {{ .Values.healthCheck.timeout }} path: {{ .Values.healthCheck.path }} port: {{ .Values.healthCheck.port | quote }} port: 80 protocol: HTTP {{ if .Values.tags }} tags: {{- toYaml .Values.tags | nindent 6 }} {{ end }} targetType: ip LBListener: | apiVersion: elbv2.aws.upbound.io/v1beta1 kind: LBListener metadata: labels: tv2.dk/gw: {{ .Gateway.metadata.namespace }}-{{ .Gateway.metadata.name }} name: gw-{{ .Gateway.metadata.namespace }}-{{ .Gateway.metadata.name }} spec: providerConfigRef: name: {{ .Values.providerConfigName }} forProvider: region: {{ .Values.region }} port: 443 protocol: HTTPS certificateArn: {{ .Values.certificateArn }} defaultAction: - targetGroupArnSelector: matchLabels: tv2.dk/gw: {{ .Gateway.metadata.namespace }}-{{ .Gateway.metadata.name }} type: forward loadBalancerArnSelector: matchLabels: tv2.dk/gw: {{ .Gateway.metadata.namespace }}-{{ .Gateway.metadata.name }} {{ if .Values.tags }} tags: {{- toYaml .Values.tags | nindent 6 }} {{ end }} TargetGroupBinding: | apiVersion: elbv2.k8s.aws/v1beta1 kind: TargetGroupBinding metadata: name: gw-{{ .Gateway.metadata.namespace }}-{{ .Gateway.metadata.name }} namespace: {{ .Gateway.metadata.namespace }} {{ if .Values.tags }} annotations: {{- toYaml .Values.tags | nindent 4 }} {{ end }} spec: targetGroupARN: {{ .Resources.LBTargetGroup.status.atProvider.arn }} targetType: ip serviceRef: name: {{ .Gateway.metadata.name }}-child port: 80 SecurityGroup: | apiVersion: ec2.aws.upbound.io/v1beta1 kind: SecurityGroup metadata: labels: tv2.dk/gw: {{ .Gateway.metadata.namespace }}-{{ .Gateway.metadata.name }} name: gw-{{ .Gateway.metadata.namespace }}-{{ .Gateway.metadata.name }} spec: providerConfigRef: name: {{ .Values.providerConfigName }} forProvider: description: "SG for ALB" name: gw-{{ .Gateway.metadata.namespace }}-{{ .Gateway.metadata.name }} region: {{ .Values.region }} {{ if .Values.tags }} tags: {{- toYaml .Values.tags | nindent 6 }} {{ end }} vpcId: {{ .Values.vpcId}} SecurityGroupRuleEgress80: | apiVersion: ec2.aws.upbound.io/v1beta1 kind: SecurityGroupRule metadata: labels: tv2.dk/gw: {{ .Gateway.metadata.namespace }}-{{ .Gateway.metadata.name }} name: gw-{{ .Gateway.metadata.namespace }}-{{ .Gateway.metadata.name }}-egress80 spec: providerConfigRef: name: {{ .Values.providerConfigName }} forProvider: description: "Traffic towards Istio ingress gateway" cidrBlocks: - 0.0.0.0/0 fromPort: 80 protocol: tcp region: {{ .Values.region }} securityGroupIdSelector: matchLabels: tv2.dk/gw: {{ .Gateway.metadata.namespace }}-{{ .Gateway.metadata.name }} toPort: 80 type: egress SecurityGroupRuleEgress15021: | apiVersion: ec2.aws.upbound.io/v1beta1 kind: SecurityGroupRule metadata: labels: tv2.dk/gw: {{ .Gateway.metadata.namespace }}-{{ .Gateway.metadata.name }} name: gw-{{ .Gateway.metadata.namespace }}-{{ .Gateway.metadata.name }}-egress15021 spec: providerConfigRef: name: {{ .Values.providerConfigName }} forProvider: description: "Healthcheck towards Istio ingress gateway" cidrBlocks: - 0.0.0.0/0 fromPort: 15021 protocol: tcp region: {{ .Values.region }} securityGroupIdSelector: matchLabels: tv2.dk/gw: {{ .Gateway.metadata.namespace }}-{{ .Gateway.metadata.name }} toPort: 15021 type: egress SecurityGroupRuleIngress: | apiVersion: ec2.aws.upbound.io/v1beta1 kind: SecurityGroupRule metadata: labels: tv2.dk/gw: {{ .Gateway.metadata.namespace }}-{{ .Gateway.metadata.name }} name: gw-{{ .Gateway.metadata.namespace }}-{{ .Gateway.metadata.name }}-ingress spec: providerConfigRef: name: {{ .Values.providerConfigName }} forProvider: description: "External traffic towards ALB" cidrBlocks: {{ range .Values.ingressAcls.cidrs -}} - {{ . }} {{ end }} fromPort: {{ .Values.ingressAcls.port }} protocol: tcp region: {{ .Values.region }} securityGroupIdSelector: matchLabels: tv2.dk/gw: {{ .Gateway.metadata.namespace }}-{{ .Gateway.metadata.name }} toPort: {{ .Values.ingressAcls.port }} type: ingress SecurityGroupRuleUpstreamIngress80: | apiVersion: ec2.aws.upbound.io/v1beta1 kind: SecurityGroupRule metadata: labels: tv2.dk/gw: {{ .Gateway.metadata.namespace }}-{{ .Gateway.metadata.name }} name: gw-{{ .Gateway.metadata.namespace }}-{{ .Gateway.metadata.name }}-upstream80 spec: providerConfigRef: name: {{ .Values.providerConfigName }} forProvider: description: {{ printf "Ingress from gw-%s-%s" .Gateway.metadata.namespace .Gateway.metadata.name }} fromPort: 80 protocol: tcp region: {{ .Values.region }} securityGroupId: {{ .Values.upstreamSecurityGroup }} sourceSecurityGroupIdSelector: matchLabels: tv2.dk/gw: {{ .Gateway.metadata.namespace }}-{{ .Gateway.metadata.name }} toPort: 80 type: ingress SecurityGroupRuleUpstreamIngress15021: | apiVersion: ec2.aws.upbound.io/v1beta1 kind: SecurityGroupRule metadata: labels: tv2.dk/gw: {{ .Gateway.metadata.namespace }}-{{ .Gateway.metadata.name }} name: gw-{{ .Gateway.metadata.namespace }}-{{ .Gateway.metadata.name }}-upstream15021 spec: providerConfigRef: name: {{ .Values.providerConfigName }} forProvider: description: {{ printf "Healthcheck ingress from gw-%s-%s" .Gateway.metadata.namespace .Gateway.metadata.name }} fromPort: 15021 protocol: tcp region: {{ .Values.region }} securityGroupId: {{ .Values.upstreamSecurityGroup }} sourceSecurityGroupIdSelector: matchLabels: tv2.dk/gw: {{ .Gateway.metadata.namespace }}-{{ .Gateway.metadata.name }} toPort: 15021 type: ingress # The following are templates used to 'implement' a 'parent' HTTPRoute httpRouteTemplate: resourceTemplates: childHttproute: | apiVersion: gateway.networking.k8s.io/v1beta1 kind: HTTPRoute metadata: name: {{ .HTTPRoute.metadata.name }}-child namespace: {{ .HTTPRoute.metadata.namespace }} annotations: {{ if .Values.tags }} tags: {{- toYaml .Values.tags | nindent 4 }} {{ end }} spec: parentRefs: {{ range .HTTPRoute.spec.parentRefs -}} - kind: {{ .kind }} name: {{ .name }}-child {{ if get . "namespace" }} namespace: {{ .namespace }} {{ end -}} {{ end }} {{ if get .HTTPRoute.spec "hostnames" }} hostnames: {{- toYaml .HTTPRoute.spec.hostnames | nindent 4 }} {{ end }} {{ if get .HTTPRoute.spec "rules" }} rules: {{- toYaml .HTTPRoute.spec.rules | nindent 4 }} {{ end }}