This project provides an example that uses the Kubernetes watch API to monitor Ingress changes and create Twingate resources.
Prerequisites:
- A working Kubernetes cluster
- kubectl
- Clone the project
git clone https://github.com/Twingate-Labs/tg-watch-api
cd tg-watch-api
- Modify cluster-role-binding.yaml
  - subjects.name: name of the service account, if you do not want to use the namespace's default service account
  - subjects.namespace: namespace of the cluster-role-binding; make sure this is the same namespace as the tg-watch-api application
- Apply cluster-role.yaml and cluster-role-binding.yaml
kubectl -n {namespace} apply -f templates/cluster-role.yaml -f templates/cluster-role-binding.yaml
- Modify .example-env
  - TG_API_KEY: Twingate API key
  - TG_ACCOUNT: Full URL of the Twingate tenant, e.g. acme.twingate.com
  - TG_REMOTE_NETWORK: Twingate remote network to create the resource in
  - TG_GROUP_NAME: Twingate group which can access the created resources
  - DOMAIN_LIST: List of domain names to create Twingate resources for; the application does not create a resource if the ingress host is not part of this list
- Create a secret from .example-env; this needs to be created in the same namespace as the tg-watch-api application
kubectl -n {namespace} create secret generic tg-watch-api --from-env-file=.example-env
- Deploy the tg-watch-api application
kubectl -n {namespace} apply -f templates/statefulset.yaml
- To uninstall, delete the application, the cluster role and binding, and the secret
kubectl -n {namespace} delete -f templates/statefulset.yaml -f templates/cluster-role.yaml -f templates/cluster-role-binding.yaml
kubectl -n {namespace} delete secret tg-watch-api
Limitations:
- Ingress deletion events are not covered by this example, as GKE does not fire delete events for ingress
- Ingress modification events are not covered by this example
- Currently, the statefulset only supports a replica count of 1
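
DOMAIN_LIST is the only guard on which Ingress hosts get published to the Twingate group, so the matching rule matters. The following is an added example, not code from the tg-watch-api project: it filters constructed watch events the way the configuration above describes, handling only ADDED events. The comma-separated DOMAIN_LIST format, the label-boundary subdomain matching, and all function names are assumptions.

```python
import json

def parse_domain_list(raw):
    """Split DOMAIN_LIST (comma-separated format is an assumption) into normalized names."""
    return [d.strip().lower().rstrip(".") for d in raw.split(",") if d.strip()]

def host_allowed(host, domains):
    """Exact match, or subdomain match on a label boundary (assumed semantics)."""
    host = (host or "").lower().rstrip(".")
    if not host or "*" in host:
        return False  # a rule with no host, or a wildcard host, is never auto-published
    return any(host == d or host.endswith("." + d) for d in domains)

def hosts_to_create(event_lines, domains):
    """Return (namespace, name, host) for ADDED Ingress events that pass the allowlist."""
    selected = []
    for line in event_lines:
        event = json.loads(line)
        if event.get("type") != "ADDED":
            continue  # MODIFIED and DELETED events are not handled, as the page notes
        obj = event.get("object") or {}
        if obj.get("kind") != "Ingress":
            continue
        meta = obj.get("metadata") or {}
        for rule in (obj.get("spec") or {}).get("rules") or []:
            if host_allowed(rule.get("host"), domains):
                selected.append((meta.get("namespace"), meta.get("name"), rule["host"]))
    return selected

def make_event(event_type, name, host):
    """Build one constructed watch event line in the {"type", "object"} shape."""
    rule = {"host": host} if host else {}
    return json.dumps({"type": event_type, "object": {
        "kind": "Ingress",
        "metadata": {"namespace": "apps", "name": name},
        "spec": {"rules": [rule]}}})

# Constructed sample events, not captured from a real cluster.
SAMPLE_EVENTS = [
    make_event("ADDED", "wiki", "wiki.internal.example.com"),
    make_event("ADDED", "lookalike", "notinternal.example.com"),
    make_event("ADDED", "suffix", "internal.example.com.other.test"),
    make_event("ADDED", "catch-all", None),
    make_event("MODIFIED", "wiki", "wiki.internal.example.com"),
]

if __name__ == "__main__":
    allow = parse_domain_list("internal.example.com, example.org")
    for namespace, name, host in hosts_to_create(SAMPLE_EVENTS, allow):
        print(f"would create Twingate resource for {host} ({namespace}/{name})")
```

Only the first sample event is selected: the lookalike and suffix hosts fail the label-boundary check, the host-less rule is skipped, and the MODIFIED event is ignored.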