Install Code Blind using Helm
Prerequisites
- Helm package manager 3.2.3+
- Supported Kubernetes Cluster
Helm 3
Installing the Chart
To install the chart with the release name my-release using our stable helm repository:
helm repo add agones https://agones.dev/chart/stable
helm repo update
helm install my-release --namespace agones-system --create-namespace agones/agones
We recommend installing Code Blind in its own namespace, such as agones-system as shown above.
If you want to use a different namespace, you can use the helm --namespace parameter to specify it.
When running in production, Code Blind should be scheduled on a dedicated pool of nodes, distinct from where Game Servers are scheduled, for better isolation and resiliency. By default Code Blind prefers to be scheduled on nodes labeled with agones.dev/agones-system=true and tolerates the node taint agones.dev/agones-system=true:NoExecute. If no dedicated nodes are available, Code Blind will run on regular nodes, but that’s not recommended for production use. For instructions on setting up a dedicated node pool for Code Blind, see the Code Blind installation instructions for your preferred environment.
The command deploys Code Blind on the Kubernetes cluster with the default configuration. The configuration section lists the parameters that can be configured during installation.
Tip
List all releases using helm list --all-namespaces
Namespaces
By default Code Blind is configured to work with game servers deployed in the default namespace. If you are planning to use another namespace you can configure Code Blind via the parameter gameservers.namespaces.
For example, to use the default and xbox namespaces:
kubectl create namespace xbox
helm install my-release agones/agones --set "gameservers.namespaces={default,xbox}" --namespace agones-system
Note
You need to create your namespaces before installing Code Blind.
If you want to add a new namespace afterward, upgrade your release:
kubectl create namespace ps4
helm upgrade my-release agones/agones --reuse-values --set "gameservers.namespaces={default,xbox,ps4}" --namespace agones-system
Uninstalling the Chart
To uninstall/delete the my-release deployment:
helm uninstall my-release --namespace=agones-system
RBAC
By default, agones.rbacEnabled is set to true. This enables RBAC support in Code Blind and must be true if RBAC is enabled in your cluster.
The chart will take care of creating the required service accounts and roles for Code Blind.
If you have RBAC disabled, or to put it another way, ABAC enabled, you should set this value to false.
Configuration
The following tables list the configurable parameters of the Code Blind chart and their default values.
General
Parameter | Description | Default |
---|---|---|
agones.featureGates | A URL query encoded string of Flags to enable/disable e.g. Example=true&OtherThing=false . Any value accepted by strconv.ParseBool(string) can be used as a boolean value | `` |
agones.rbacEnabled | Creates RBAC resources. Must be set for any cluster configured with RBAC | true |
agones.registerWebhooks | Registers the webhooks used for the admission controller | true |
agones.registerApiService | Registers the apiservice(s) used for the Kubernetes API extension | true |
agones.registerServiceAccounts | Attempts to create service accounts for the controllers | true |
agones.createPriorityClass | Attempts to create priority classes for the controllers | true |
agones.priorityClassName | Name of the priority classes to create | agones-system |
agones.requireDedicatedNodes | Forces Code Blind system components to be scheduled on dedicated nodes, only applies to the GKE Standard without node auto-provisioning | false |
Custom Resource Definitions
Parameter | Description | Default |
---|---|---|
agones.crds.install | Install the CRDs with this chart. Useful to disable if you want to subchart (since crd-install hook is broken), so you can copy the CRDs into your own chart. | true |
agones.crds.cleanupOnDelete | Run the pre-delete hook to delete all GameServers and their backing Pods when deleting the helm chart, so that all CRDs can be removed on chart deletion | true |
agones.crds.cleanupJobTTL | The number of seconds for Kubernetes to delete the associated Job and Pods of the pre-delete hook after it completes, regardless if the Job is successful or not. Set to 0 to disable cleaning up the Job or the associated Pods. | 60 |
Metrics
Parameter | Description | Default |
---|---|---|
agones.metrics.prometheusServiceDiscovery | Adds annotations for Prometheus ServiceDiscovery (and also Stackdriver) | true |
agones.metrics.prometheusEnabled | Enables controller metrics on port 8080 and path /metrics | true |
agones.metrics.stackdriverEnabled | Enables Stackdriver exporter of controller metrics | false |
agones.metrics.stackdriverProjectID | This overrides the default gcp project id for use with stackdriver | `` |
agones.metrics.stackdriverLabels | A set of default labels to add to all stackdriver metrics generated, in the form of key value pairs (key=value,key2=value2 ). By default metadata are automatically added using the Kubernetes API and GCP metadata endpoint. | `` |
agones.metrics.serviceMonitor.interval | Default scraping interval for ServiceMonitor | 30s |
Service Accounts
Parameter | Description | Default |
---|---|---|
agones.serviceaccount.controller.name | Service account name for the controller | agones-controller |
agones.serviceaccount.controller.annotations | Annotations added to the Code Blind controller service account | {} |
agones.serviceaccount.sdk.name | Service account name for the sdk | agones-sdk |
agones.serviceaccount.sdk.annotations | A map of namespaces to maps of Annotations added to the Code Blind SDK service account for the specified namespaces | {} |
agones.serviceaccount.allocator.name | Service account name for the allocator | agones-allocator |
agones.serviceaccount.allocator.annotations | Annotations added to the Code Blind allocator service account | {} |
Container Images
Parameter | Description | Default |
---|---|---|
agones.image.registry | Global image registry for all the Code Blind system images | us-docker.pkg.dev/agones-images/release |
agones.image.tag | Global image tag for all images | 1.38.0 |
agones.image.controller.name | Image name for the controller | agones-controller |
agones.image.controller.pullPolicy | Image pull policy for the controller | IfNotPresent |
agones.image.controller.pullSecret | Image pull secret for the controller, allocator, sdk and ping image. Should be created both in agones-system and default namespaces | `` |
agones.image.sdk.name | Image name for the sdk | agones-sdk |
agones.image.sdk.tag | Image tag for the sdk | value of agones.image.tag |
agones.image.sdk.cpuRequest | The cpu request for sdk server container | 30m |
agones.image.sdk.cpuLimit | The cpu limit for the sdk server container | 0 (none) |
agones.image.sdk.memoryRequest | The memory request for sdk server container | 0 (none) |
agones.image.sdk.memoryLimit | The memory limit for the sdk server container | 0 (none) |
agones.image.sdk.alwaysPull | Tells if the sdk image should always be pulled | false |
agones.image.ping.name | Image name for the ping service | agones-ping |
agones.image.ping.tag | Image tag for the ping service | value of agones.image.tag |
agones.image.ping.pullPolicy | Image pull policy for the ping service | IfNotPresent |
agones.image.extensions.name | Image name for extensions | agones-extensions |
agones.image.extensions.pullPolicy | Image pull policy for extensions | IfNotPresent |
Code Blind Controller
Parameter | Description | Default |
---|---|---|
agones.controller.replicas | The number of replicas to run in the agones-controller deployment. | 2 |
agones.controller.pdb.minAvailable | Description of the number of pods from that set that must still be available after the eviction, even in the absence of the evicted pod. Can be either an absolute number or a percentage. Mutually Exclusive with maxUnavailable | 1 |
agones.controller.pdb.maxUnavailable | Description of the number of pods from that set that can be unavailable after the eviction. It can be either an absolute number or a percentage. Mutually Exclusive with minAvailable | `` |
agones.controller.http.port | Port to use for liveness probe service and metrics | 8080 |
agones.controller.healthCheck.initialDelaySeconds | Initial delay before performing the first probe (in seconds) | 3 |
agones.controller.healthCheck.periodSeconds | Seconds between every liveness probe (in seconds) | 3 |
agones.controller.healthCheck.failureThreshold | Number of times before giving up (in seconds) | 3 |
agones.controller.healthCheck.timeoutSeconds | Number of seconds after which the probe times out (in seconds) | 1 |
agones.controller.resources | Controller resource requests/limit | {} |
agones.controller.generateTLS | Set to true to generate TLS certificates or false to provide your own certificates | true |
agones.controller.tlsCert | Custom TLS certificate provided as a string | `` |
agones.controller.tlsKey | Custom TLS private key provided as a string | `` |
agones.controller.nodeSelector | Controller node labels for pod assignment | {} |
agones.controller.tolerations | Controller toleration labels for pod assignment | [] |
agones.controller.affinity | Controller affinity settings for pod assignment | {} |
agones.controller.annotations | Annotations added to the Code Blind controller pods | {} |
agones.controller.numWorkers | Number of workers to spin per resource type | 100 |
agones.controller.apiServerQPS | Maximum sustained queries per second that controller should be making against API Server | 400 |
agones.controller.apiServerQPSBurst | Maximum burst queries per second that controller should be making against API Server | 500 |
agones.controller.logLevel | Code Blind Controller Log level. Log only entries with that severity and above | info |
agones.controller.persistentLogs | Store Code Blind controller logs in a temporary volume attached to a container for debugging | true |
agones.controller.persistentLogsSizeLimitMB | Maximum total size of all Code Blind container logs in MB | 10000 |
agones.controller.disableSecret | Disables the creation of any allocator secrets. If true, you MUST provide the {agones.releaseName}-cert secrets before installation. | false |
agones.controller.customCertSecretPath | Remap cert-manager path to server.crt and server.key | {} |
agones.controller.allocationApiService.annotations | Annotations added to the Code Blind apiregistration | {} |
agones.controller.allocationApiService.disableCaBundle | Disable ca-bundle so it can be injected by cert-manager | false |
agones.controller.validatingWebhook.annotations | Annotations added to the Code Blind validating webhook | {} |
agones.controller.validatingWebhook.disableCaBundle | Disable ca-bundle so it can be injected by cert-manager | false |
agones.controller.mutatingWebhook.annotations | Annotations added to the Code Blind mutating webhook | {} |
agones.controller.mutatingWebhook.disableCaBundle | Disable ca-bundle so it can be injected by cert-manager | false |
agones.controller.allocationBatchWaitTime | Wait time between each allocation batch when performing allocations in controller mode | 500ms |
agones.controller.topologySpreadConstraints | Ensures better resource utilization and high availability by evenly distributing Pods in the agones-system namespace | {} |
Ping Service
Parameter | Description | Default |
---|---|---|
agones.ping.install | Whether to install the ping service | true |
agones.ping.replicas | The number of replicas to run in the deployment | 2 |
agones.ping.http.expose | Expose the http ping service via a Service | true |
agones.ping.http.response | The string response returned from the http service | ok |
agones.ping.http.port | The port to expose on the service | 80 |
agones.ping.http.serviceType | The Service Type of the HTTP Service | LoadBalancer |
agones.ping.http.nodePort | Static node port to use for HTTP ping service. (Only applies when agones.ping.http.serviceType is NodePort .) | 0 |
agones.ping.http.loadBalancerIP | The Load Balancer IP of the HTTP Service load balancer. Only works if the Kubernetes provider supports this option. | `` |
agones.ping.http.loadBalancerSourceRanges | The Load Balancer SourceRanges of the HTTP Service load balancer. Only works if the Kubernetes provider supports this option. | [] |
agones.ping.http.annotations | Annotations added to the Code Blind ping http service | {} |
agones.ping.udp.expose | Expose the udp ping service via a Service | true |
agones.ping.udp.rateLimit | Number of UDP packets the ping service handles per instance, per second, per sender | 20 |
agones.ping.udp.port | The port to expose on the service | 80 |
agones.ping.udp.serviceType | The Service Type of the UDP Service | LoadBalancer |
agones.ping.udp.nodePort | Static node port to use for UDP ping service. (Only applies when agones.ping.udp.serviceType is NodePort .) | 0 |
agones.ping.udp.loadBalancerIP | The Load Balancer IP of the UDP Service load balancer. Only works if the Kubernetes provider supports this option. | `` |
agones.ping.udp.loadBalancerSourceRanges | The Load Balancer SourceRanges of the UDP Service load balancer. Only works if the Kubernetes provider supports this option. | [] |
agones.ping.udp.annotations | Annotations added to the Code Blind ping udp service | {} |
agones.ping.healthCheck.initialDelaySeconds | Initial delay before performing the first probe (in seconds) | 3 |
agones.ping.healthCheck.periodSeconds | Seconds between every liveness probe (in seconds) | 3 |
agones.ping.healthCheck.failureThreshold | Number of times before giving up (in seconds) | 3 |
agones.ping.healthCheck.timeoutSeconds | Number of seconds after which the probe times out (in seconds) | 1 |
agones.ping.resources | Ping pods resource requests/limit | {} |
agones.ping.nodeSelector | Ping node labels for pod assignment | {} |
agones.ping.tolerations | Ping toleration labels for pod assignment | [] |
agones.ping.affinity | Ping affinity settings for pod assignment | {} |
agones.ping.annotations | Annotations added to the Code Blind ping pods | {} |
agones.ping.updateStrategy | The strategy to apply to the allocator deployment | {} |
agones.ping.pdb.enabled | Set to true to enable the creation of a PodDisruptionBudget for the ping deployment | false |
agones.ping.pdb.minAvailable | Description of the number of pods from that set that must still be available after the eviction, even in the absence of the evicted pod. Can be either an absolute number or a percentage. Mutually Exclusive with maxUnavailable | 1 |
agones.ping.pdb.maxUnavailable | Description of the number of pods from that set that can be unavailable after the eviction. It can be either an absolute number or a percentage. Mutually Exclusive with minAvailable | `` |
agones.ping.topologySpreadConstraints | Ensures better resource utilization and high availability by evenly distributing Pods in the agones-system namespace | {} |
Allocator Service
Parameter | Description | Default |
---|---|---|
agones.allocator.apiServerQPS | Maximum sustained queries per second that an allocator should be making against API Server | 400 |
agones.allocator.apiServerQPSBurst | Maximum burst queries per second that an allocator should be making against API Server | 500 |
agones.allocator.remoteAllocationTimeout | Remote allocation call timeout. | 10s |
agones.allocator.totalRemoteAllocationTimeout | Total remote allocation timeout including retries. | 30s |
agones.allocator.logLevel | Code Blind Allocator Log level. Log only entries with that severity and above | info |
agones.allocator.install | Whether to install the allocator service | true |
agones.allocator.replicas | The number of replicas to run in the deployment | 3 |
agones.allocator.service.name | Service name for the allocator | agones-allocator |
agones.allocator.service.serviceType | The Service Type of the HTTP Service | LoadBalancer |
agones.allocator.service.clusterIP | The Cluster IP of the Code Blind allocator. If you want Headless Service for Code Blind Allocator, you can set None to clusterIP. | `` |
agones.allocator.service.loadBalancerIP | The Load Balancer IP of the Code Blind allocator load balancer. Only works if the Kubernetes provider supports this option. | `` |
agones.allocator.service.loadBalancerSourceRanges | The Load Balancer SourceRanges of the Code Blind allocator load balancer. Only works if the Kubernetes provider supports this option. | [] |
agones.allocator.service.annotations | Annotations added to the Code Blind allocator service | {} |
agones.allocator.service.http.enabled | If true the allocator service will respond to REST requests | true |
agones.allocator.service.http.appProtocol | The appProtocol to set on the Service for the http allocation port. If left blank, no value is set. | `` |
agones.allocator.service.http.port | The port that is exposed externally by the allocator service for REST requests | 443 |
agones.allocator.service.http.portName | The name of exposed port | http |
agones.allocator.service.http.targetPort | The port that is used by the allocator pod to listen for REST requests. Note that the allocator server cannot bind to low numbered ports. | 8443 |
agones.allocator.service.http.nodePort | If the ServiceType is set to “NodePort”, this is the NodePort that the allocator http service is exposed on. | 30000-32767 |
agones.allocator.service.grpc.enabled | If true the allocator service will respond to gRPC requests | true |
agones.allocator.service.grpc.port | The port that is exposed externally by the allocator service for gRPC requests | 443 |
agones.allocator.service.grpc.portName | The name of exposed port | `` |
agones.allocator.service.grpc.appProtocol | The appProtocol to set on the Service for the gRPC allocation port. If left blank, no value is set. | `` |
agones.allocator.service.grpc.nodePort | If the ServiceType is set to “NodePort”, this is the NodePort that the allocator gRPC service is exposed on. | 30000-32767 |
agones.allocator.service.grpc.targetPort | The port that is used by the allocator pod to listen for gRPC requests. Note that the allocator server cannot bind to low numbered ports. | 8443 |
agones.allocator.generateClientTLS | Set to true to generate client TLS certificates or false to provide certificates in certs/allocator/allocator-client.default/* | true |
agones.allocator.generateTLS | Set to true to generate TLS certificates or false to provide your own certificates | true |
agones.allocator.disableMTLS | Turns off client cert authentication for incoming connections to the allocator. | false |
agones.allocator.disableTLS | Turns off TLS security for incoming connections to the allocator. | false |
agones.allocator.disableSecretCreation | Disables the creation of any allocator secrets. If true, you MUST provide the allocator-tls , allocator-tls-ca , and allocator-client-ca secrets before installation. | false |
agones.allocator.tlsCert | Custom TLS certificate provided as a string | `` |
agones.allocator.tlsKey | Custom TLS private key provided as a string | `` |
agones.allocator.clientCAs | A map of secret key names to allowed client CA certificates provided as strings | {} |
agones.allocator.tolerations | Allocator toleration labels for pod assignment | [] |
agones.allocator.affinity | Allocator affinity settings for pod assignment | {} |
agones.allocator.annotations | Annotations added to the Code Blind allocator pods | {} |
agones.allocator.resources | Allocator pods resource requests/limit | {} |
agones.allocator.labels | Labels Added to the Code Blind Allocator pods | {} |
agones.allocator.readiness.initialDelaySeconds | Initial delay before performing the first probe (in seconds) | 3 |
agones.allocator.readiness.periodSeconds | Seconds between every liveness probe (in seconds) | 3 |
agones.allocator.readiness.failureThreshold | Number of times before giving up (in seconds) | 3 |
agones.allocator.nodeSelector | Allocator node labels for pod assignment | {} |
agones.allocator.serviceMetrics.name | Second Service name for the allocator | agones-allocator-metrics-service |
agones.allocator.serviceMetrics.annotations | Annotations added to the Code Blind allocator second Service | {} |
agones.allocator.serviceMetrics.http.port | The port that is exposed within cluster by the allocator service for http requests | 8080 |
agones.allocator.serviceMetrics.http.portName | The name of exposed port | http |
agones.allocator.allocationBatchWaitTime | Wait time between each allocation batch when performing allocations in allocator mode | 500ms |
agones.allocator.updateStrategy | The strategy to apply to the ping deployment | {} |
agones.allocator.pdb.enabled | Set to true to enable the creation of a PodDisruptionBudget for the allocator deployment | false |
agones.allocator.pdb.minAvailable | Description of the number of pods from that set that must still be available after the eviction, even in the absence of the evicted pod. Can be either an absolute number or a percentage. Mutually Exclusive with maxUnavailable | 1 |
agones.allocator.pdb.maxUnavailable | Description of the number of pods from that set that can be unavailable after the eviction. It can be either an absolute number or a percentage. Mutually Exclusive with minAvailable | `` |
agones.allocator.topologySpreadConstraints | Ensures better resource utilization and high availability by evenly distributing Pods in the agones-system namespace | {} |
Extensions
Parameter | Description | Default |
---|---|---|
agones.extensions.http.port | Port to use for liveness probe service and metrics | 8080 |
agones.extensions.healthCheck.initialDelaySeconds | Initial delay before performing the first probe (in seconds) | 3 |
agones.extensions.healthCheck.periodSeconds | Seconds between every liveness probe (in seconds) | 3 |
agones.extensions.healthCheck.failureThreshold | Number of times before giving up (in seconds) | 3 |
agones.extensions.healthCheck.timeoutSeconds | Number of seconds after which the probe times out (in seconds) | 1 |
agones.extensions.resources | Extensions resource requests/limit | {} |
agones.extensions.generateTLS | Set to true to generate TLS certificates or false to provide your own certificates | true |
agones.extensions.tlsCert | Custom TLS certificate provided as a string | `` |
agones.extensions.tlsKey | Custom TLS private key provided as a string | `` |
agones.extensions.nodeSelector | Extensions node labels for pod assignment | {} |
agones.extensions.tolerations | Extensions toleration labels for pod assignment | [] |
agones.extensions.affinity | Extensions affinity settings for pod assignment | {} |
agones.extensions.annotations | Annotations added to the Code Blind extensions pods | {} |
agones.extensions.numWorkers | Number of workers to spin per resource type | 100 |
agones.extensions.apiServerQPS | Maximum sustained queries per second that extensions should be making against API Server | 400 |
agones.extensions.apiServerQPSBurst | Maximum burst queries per second that extensions should be making against API Server | 500 |
agones.extensions.logLevel | Code Blind Extensions Log level. Log only entries with that severity and above | info |
agones.extensions.persistentLogs | Store Code Blind extensions logs in a temporary volume attached to a container for debugging | true |
agones.extensions.persistentLogsSizeLimitMB | Maximum total size of all Code Blind container logs in MB | 10000 |
agones.extensions.disableSecret | Disables the creation of any allocator secrets. If true, you MUST provide the {agones.releaseName}-cert secrets before installation. | false |
agones.extensions.customCertSecretPath | Remap cert-manager path to server.crt and server.key | {} |
agones.extensions.allocationApiService.annotations | Annotations added to the Code Blind apiregistration | {} |
agones.extensions.allocationApiService.disableCaBundle | Disable ca-bundle so it can be injected by cert-manager | false |
agones.extensions.validatingWebhook.annotations | Annotations added to the Code Blind validating webhook | {} |
agones.extensions.validatingWebhook.disableCaBundle | Disable ca-bundle so it can be injected by cert-manager | false |
agones.extensions.mutatingWebhook.annotations | Annotations added to the Code Blind mutating webhook | {} |
agones.extensions.mutatingWebhook.disableCaBundle | Disable ca-bundle so it can be injected by cert-manager | false |
agones.extensions.allocationBatchWaitTime | Wait time between each allocation batch when performing allocations in controller mode | 500ms |
agones.extensions.pdb.minAvailable | Description of the number of pods from that set that must still be available after the eviction, even in the absence of the evicted pod. Can be either an absolute number or a percentage. Mutually Exclusive with maxUnavailable | 1 |
agones.extensions.pdb.maxUnavailable | Description of the number of pods from that set that can be unavailable after the eviction. It can be either an absolute number or a percentage. Mutually Exclusive with minAvailable | `` |
agones.extensions.replicas | The number of replicas to run in the deployment | 2 |
agones.extensions.topologySpreadConstraints | Ensures better resource utilization and high availability by evenly distributing Pods in the agones-system namespace | {} |
GameServers
Parameter | Description | Default |
---|---|---|
gameservers.namespaces | a list of namespaces you are planning to use to deploy game servers | ["default"] |
gameservers.minPort | Minimum port to use for dynamic port allocation | 7000 |
gameservers.maxPort | Maximum port to use for dynamic port allocation | 8000 |
gameservers.podPreserveUnknownFields | Disable field pruning and schema validation on the Pod template for a GameServer definition | false |
Helm Installation
Parameter | Description | Default |
---|---|---|
helm.installTests | Add an ability to run helm test agones to verify the installation | false |
Specify each parameter using the --set key=value[,key=value] argument to helm install. For example,
helm install my-release --namespace agones-system \
  --set gameservers.minPort=1000,gameservers.maxPort=5000 agones/agones
The above command will deploy Code Blind controllers to the agones-system namespace. Additionally Code Blind will use a dynamic GameServers’ port allocation range of 1000-5000.
Alternatively, a YAML file that specifies the values for the parameters can be provided while installing the chart. For example,
helm install my-release --namespace agones-system -f values.yaml agones/agones
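A pre-deploy check over the effective values, added here as an example and not part of the Code Blind chart or its documentation: it flags the settings from the tables above that turn off TLS or client-certificate checks, leave a LoadBalancer Service without source ranges, or pass a private key inline. It assumes the JSON printed by helm get values my-release -n agones-system --all -o json; the function names and the sample values are constructed for illustration.

```python
import json

# Defaults as listed in this page's parameter tables; used when a key is unset.
DEFAULTS = {
    "agones.rbacEnabled": True,
    "agones.allocator.install": True,
    "agones.allocator.disableTLS": False,
    "agones.allocator.disableMTLS": False,
    "agones.allocator.service.serviceType": "LoadBalancer",
    "agones.allocator.service.loadBalancerSourceRanges": [],
    "agones.ping.install": True,
    "agones.ping.http.expose": True,
    "agones.ping.http.serviceType": "LoadBalancer",
    "agones.ping.http.loadBalancerSourceRanges": [],
    "agones.ping.udp.expose": True,
    "agones.ping.udp.serviceType": "LoadBalancer",
    "agones.ping.udp.loadBalancerSourceRanges": [],
    "agones.controller.tlsKey": "",
    "agones.allocator.tlsKey": "",
    "agones.extensions.tlsKey": "",
    "gameservers.podPreserveUnknownFields": False,
}


def lookup(values, dotted):
    """Return the value at a dotted path, or the documented default if unset."""
    node = values
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return DEFAULTS[dotted]
        node = node[part]
    return node


def audit(values):
    """Return (parameter, finding) pairs for settings that weaken the install."""
    found = []
    if not lookup(values, "agones.rbacEnabled"):
        found.append(("agones.rbacEnabled", "chart creates no RBAC resources"))
    allocator = lookup(values, "agones.allocator.install")
    ping = lookup(values, "agones.ping.install")
    if allocator and lookup(values, "agones.allocator.disableTLS"):
        found.append(("agones.allocator.disableTLS", "TLS is off for incoming allocator connections"))
    if allocator and lookup(values, "agones.allocator.disableMTLS"):
        found.append(("agones.allocator.disableMTLS", "allocator does not check client certificates"))
    # A LoadBalancer Service with empty source ranges carries no source allow-list.
    services = [
        ("agones.allocator.service", allocator),
        ("agones.ping.http", ping and lookup(values, "agones.ping.http.expose")),
        ("agones.ping.udp", ping and lookup(values, "agones.ping.udp.expose")),
    ]
    for prefix, active in services:
        ranges = prefix + ".loadBalancerSourceRanges"
        if (active and lookup(values, prefix + ".serviceType") == "LoadBalancer"
                and not lookup(values, ranges)):
            found.append((ranges, "LoadBalancer Service has no source range allow-list"))
    # Keys passed as chart values are stored with the release and shown by `helm get values`.
    for component in ("controller", "allocator", "extensions"):
        key = f"agones.{component}.tlsKey"
        if lookup(values, key):
            found.append((key, "TLS private key supplied inline as a chart value"))
    if lookup(values, "gameservers.podPreserveUnknownFields"):
        found.append(("gameservers.podPreserveUnknownFields",
                      "schema validation of the GameServer Pod template is off"))
    return found


# Constructed sample in the shape of `helm get values ... --all -o json`,
# trimmed to the keys read above. Not captured from a real cluster.
SAMPLE_VALUES = json.loads("""
{
  "agones": {
    "rbacEnabled": true,
    "controller": {"generateTLS": false, "tlsKey": "constructed-placeholder-not-a-key"},
    "allocator": {
      "install": true, "disableTLS": false, "disableMTLS": true,
      "service": {"serviceType": "LoadBalancer", "loadBalancerSourceRanges": []}
    },
    "ping": {
      "install": true,
      "http": {"expose": true, "serviceType": "LoadBalancer",
               "loadBalancerSourceRanges": ["203.0.113.0/24"]},
      "udp": {"expose": true, "serviceType": "LoadBalancer", "loadBalancerSourceRanges": []}
    }
  },
  "gameservers": {"podPreserveUnknownFields": false}
}
""")


if __name__ == "__main__":
    for param, text in audit(SAMPLE_VALUES):
        print(f"{param}: {text}")
```

Run against the documented defaults alone (an empty override), it reports the three LoadBalancer Services, because serviceType defaults to LoadBalancer and loadBalancerSourceRanges defaults to [].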
Tip
You can use the default values.yaml
Helm test
This test would create a GameServer resource and delete it afterwards.
Tip
In order to use the helm test command described in this section you need to set the helm.installTests helm parameter to true.
Check the Code Blind installation by running the following command:
helm test my-release -n agones-system
You should see a successful output similar to this:
NAME: my-release
LAST DEPLOYED: Wed Mar 29 06:13:23 2023
NAMESPACE: agones-system
STATUS: deployed
REVISION: 4
TEST SUITE: my-release-test
Last Started: Wed Mar 29 06:17:52 2023
Last Completed: Wed Mar 29 06:18:10 2023
Phase: Succeeded
Controller TLS Certificates
By default the agones chart generates the TLS certificates used by the admission controller. While this is handy, it requires the agones controller to restart on each helm upgrade command.
Manual
For most use cases the controller would have required a restart anyway (e.g. controller image updated). However, if you really need to avoid restarts we suggest that you turn off automatic TLS generation (set agones.controller.generateTLS to false) and provide your own certificates (certs/server.crt, certs/server.key).
Tip
You can use our script located at cert.sh to generate them.
Cert-Manager
Another approach is to use the cert-manager.io solution for cluster-level certificate management.
In order to use the cert-manager solution, first install cert-manager on the cluster. Then, configure an Issuer/ClusterIssuer resource and, last, configure a Certificate resource to manage the controller Secret. Make sure to configure the Certificate based on your system’s requirements, including the validity duration.
Here is an example of using a self-signed ClusterIssuer for configuring the controller Secret, where the secret name is my-release-cert or {{ template "agones.fullname" . }}-cert:
#!/bin/bash
# Create a self-signed ClusterIssuer
cat <<EOF | kubectl apply -f -
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: selfsigned
spec:
  selfSigned: {}
EOF
# Create a Certificate with IP for the my-release-cert
cat <<EOF | kubectl apply -f -
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: my-release-agones-cert
  namespace: agones-system
spec:
  dnsNames:
    - agones-controller-service.agones-system.svc
  secretName: my-release-agones-cert
  issuerRef:
    name: selfsigned
    kind: ClusterIssuer
EOF
After the certificates are generated, we will want to inject the caBundle into the controller and extensions webhooks and disable the controller and extensions secret creation through the following values.yaml file:
agones:
  controller:
    disableSecret: true
    customCertSecretPath:
    - key: ca.crt
      path: ca.crt
    - key: tls.crt
      path: server.crt
    - key: tls.key
      path: server.key
    allocationApiService:
      annotations:
        cert-manager.io/inject-ca-from: agones-system/my-release-agones-cert
      disableCaBundle: true
    validatingWebhook:
      annotations:
        cert-manager.io/inject-ca-from: agones-system/my-release-agones-cert
      disableCaBundle: true
    mutatingWebhook:
      annotations:
        cert-manager.io/inject-ca-from: agones-system/my-release-agones-cert
      disableCaBundle: true
  extensions:
    disableSecret: true
    customCertSecretPath:
    - key: ca.crt
      path: ca.crt
    - key: tls.crt
      path: server.crt
    - key: tls.key
      path: server.key
    allocationApiService:
      annotations:
        cert-manager.io/inject-ca-from: agones-system/my-release-agones-cert
      disableCaBundle: true
    validatingWebhook:
      annotations:
        cert-manager.io/inject-ca-from: agones-system/my-release-agones-cert
      disableCaBundle: true
    mutatingWebhook:
      annotations:
        cert-manager.io/inject-ca-from: agones-system/my-release-agones-cert
      disableCaBundle: true
After copying the above YAML into a values.yaml file, use the command below to install Code Blind:
helm install my-release --namespace agones-system --create-namespace --values values.yaml agones/agones
Reserved Allocator Load Balancer IP
In order to reuse the existing load balancer IP on upgrade, or to install the agones-allocator service as a LoadBalancer using a reserved static IP, a user can specify the load balancer’s IP with the agones.allocator.http.loadBalancerIP helm configuration parameter value. By setting the loadBalancerIP value:
- The LoadBalancer is created with the specified IP, if supported by the cloud provider.
- A self-signed server TLS certificate is generated for the IP, used by the agones-allocator service.
Last modified February 28, 2024: initial publish (7818be8)