diff --git a/CHANGELOG.md b/CHANGELOG.md index fd4a8a7a76..d07c5d6a6c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -30,6 +30,8 @@ - prometheus-operator from v0.38.1 to v0.43.2 (PR [#2948](https://github.com/scality/metalk8s/pull/2948)) +- Bump `ingress-nginx` chart to 3.13.0 (PR[#2961](https://github.com/scality/metalk8s/pull/2961)) + ### Bug fixes - [#2908](https://github.com/scality/metalk8s/issues/2908) - Make upgrade script diff --git a/buildchain/buildchain/constants.py b/buildchain/buildchain/constants.py index e9d893d267..570de85bec 100644 --- a/buildchain/buildchain/constants.py +++ b/buildchain/buildchain/constants.py @@ -23,7 +23,7 @@ DOCKER_REPOSITORY : str = 'docker.io/library' GOOGLE_REPOSITORY : str = 'k8s.gcr.io' GRAFANA_REPOSITORY : str = 'docker.io/grafana' -INGRESS_REPOSITORY : str = 'quay.io/kubernetes-ingress-controller' +INGRESS_REPOSITORY : str = 'k8s.gcr.io/ingress-nginx' JIMMIDYSON_REPOSITORY : str = 'docker.io/jimmidyson' KIWIGRID_REPOSITORY : str = 'docker.io/kiwigrid' PROMETHEUS_ADAPTER_REPOSITORY : str = 'docker.io/directxman12' diff --git a/buildchain/buildchain/image.py b/buildchain/buildchain/image.py index b6a4432b3c..14ef103b38 100644 --- a/buildchain/buildchain/image.py +++ b/buildchain/buildchain/image.py @@ -211,6 +211,7 @@ def _operator_image(name: str, **kwargs: Any) -> targets.OperatorImage: REMOTE_NAMES : Dict[str, str] = { 'calico-node': 'node', 'calico-kube-controllers': 'kube-controllers', + 'nginx-ingress-controller': 'controller', 'nginx-ingress-defaultbackend-amd64': 'defaultbackend-amd64', } diff --git a/buildchain/buildchain/salt_tree.py b/buildchain/buildchain/salt_tree.py index 9c5e6d5a2b..5bd4f36961 100644 --- a/buildchain/buildchain/salt_tree.py +++ b/buildchain/buildchain/salt_tree.py 
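Review bot: The new value of `INGRESS_REPOSITORY` in constants.py has no comment, although it changes the upstream registry the controller image is fetched from. Together with the `'nginx-ingress-controller': 'controller'` entry added to `REMOTE_NAMES` in image.py, the remote reference presumably becomes `k8s.gcr.io/ingress-nginx/controller` while the local name stays `nginx-ingress-controller`. A one-line comment on the constant would make that visible, for example `# ingress-nginx publishes under a sub-path of k8s.gcr.io; the remote image name is mapped in image.REMOTE_NAMES`. Because the source registry moves, it is worth confirming that the digest pinned for this image in versions.py was taken from the new location.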
@@ -433,6 +433,7 @@ def _get_parts(self) -> Iterator[str]: Path('salt/metalk8s/addons/nginx-ingress/deployed/chart.sls'), Path('salt/metalk8s/addons/nginx-ingress/deployed/namespace.sls'), Path('salt/metalk8s/addons/nginx-ingress/deployed/tls-secret.sls'), + Path('salt/metalk8s/addons/nginx-ingress/post-upgrade-downgrade.sls'), Path('salt/metalk8s/addons/nginx-ingress-control-plane/certs/init.sls'), Path('salt/metalk8s/addons/nginx-ingress-control-plane/certs/server.sls'), @@ -442,6 +443,8 @@ def _get_parts(self) -> Iterator[str]: 'tls-secret.sls'), Path('salt/metalk8s/addons/nginx-ingress-control-plane/', 'control-plane-ip.sls'), + Path('salt/metalk8s/addons/nginx-ingress-control-plane/', + 'post-upgrade-downgrade.sls'), Path('salt/metalk8s/container-engine/containerd/configured.sls'), Path('salt/metalk8s/container-engine/containerd/files/50-metalk8s.conf.j2'), diff --git a/buildchain/buildchain/versions.py b/buildchain/buildchain/versions.py index 79d281aa57..997fadbce1 100644 --- a/buildchain/buildchain/versions.py +++ b/buildchain/buildchain/versions.py @@ -151,8 +151,8 @@ def _version_prefix(version: str, prefix: str = 'v') -> str: ), Image( name='nginx-ingress-controller', - version='0.30.0', - digest='sha256:b312c91d0de688a21075078982b5e3a48b13b46eda4df743317d3059fc3ca0d9', + version='v0.41.2', + digest='sha256:1f4f402b9c14f3ae92b11ada1dfe9893a88f0faeb0b2f4b903e2c67a0c3bf0de', ), Image( name='nginx-ingress-defaultbackend-amd64', diff --git a/charts/nginx-ingress-control-plane.yaml b/charts/ingress-nginx-control-plane.yaml similarity index 94% rename from charts/nginx-ingress-control-plane.yaml rename to charts/ingress-nginx-control-plane.yaml index 4af84b50f7..6537e860a3 100644 --- a/charts/nginx-ingress-control-plane.yaml +++ b/charts/ingress-nginx-control-plane.yaml 
@@ -1,5 +1,6 @@ controller: image: + digest: null repository: '{%- endraw -%}{{ build_image_name(\"nginx-ingress-controller\", False) }}{%- raw -%}' defaultBackendService: 'metalk8s-ingress/nginx-ingress-default-backend' @@ -8,6 +9,9 @@ controller: ingressClass: nginx-control-plane + admissionWebhooks: + enabled: false + kind: DaemonSet updateStrategy: diff --git a/charts/nginx-ingress.yaml b/charts/ingress-nginx.yaml similarity index 89% rename from charts/nginx-ingress.yaml rename to charts/ingress-nginx.yaml index de9e2638d6..f2597152ca 100644 --- a/charts/nginx-ingress.yaml +++ b/charts/ingress-nginx.yaml @@ -1,9 +1,13 @@ controller: image: + digest: null repository: '{%- endraw -%}{{ build_image_name(\"nginx-ingress-controller\", False) }}{%- raw -%}' - daemonset: - useHostPort: true + hostPort: + enabled: true + + admissionWebhooks: + enabled: false kind: DaemonSet @@ -22,6 +26,8 @@ controller: default-ssl-certificate: "metalk8s-ingress/ingress-workload-plane-default-certificate" defaultBackend: + enabled: true + image: repository: '{%- endraw -%}{{ build_image_name(\"nginx-ingress-defaultbackend-amd64\", False) }}{%- raw -%}' diff --git a/charts/nginx-ingress/.helmignore b/charts/ingress-nginx/.helmignore similarity index 97% rename from charts/nginx-ingress/.helmignore rename to charts/ingress-nginx/.helmignore index f0c1319444..50af031725 100644 --- a/charts/nginx-ingress/.helmignore +++ b/charts/ingress-nginx/.helmignore @@ -19,3 +19,4 @@ .project .idea/ *.tmproj +.vscode/ diff --git a/charts/ingress-nginx/CHANGELOG.md b/charts/ingress-nginx/CHANGELOG.md new file mode 100644 index 0000000000..3aa8e4a3d5 --- /dev/null +++ b/charts/ingress-nginx/CHANGELOG.md 
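Review bot: The `digest: null` added under `controller.image` in charts/ingress-nginx-control-plane.yaml has no comment, and the same line is added in charts/ingress-nginx.yaml. It presumably clears a digest that the chart sets by default, so the rendered manifest would reference the image from `build_image_name(...)` by tag only. If so, the integrity of the deployed controller rests on the sha256 pinned in buildchain/versions.py at build time rather than on a digest in the pod spec. I would state that above the key in both files, for example `# Clear the chart's default digest: the image comes from the local repository and is pinned by digest in buildchain/versions.py`. The `controller:` mapping continues outside this hunk, so whether a `tag` override exists elsewhere is not visible here.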
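Review bot: `admissionWebhooks.enabled: false` is added in the second hunk of charts/ingress-nginx-control-plane.yaml, and again in charts/ingress-nginx.yaml, without a stated reason. The vendored README says this webhook is enabled by default since 0.31.0 and exists "to prevent bad ingress from being added to the cluster", so with it off an invalid Ingress object is not rejected at admission time for either ingress class. If the motivation is to avoid shipping the extra kube-webhook-certgen image (an assumption; the hunk does not say), record it next to the key, for example `# Validation webhook disabled: <reason>; invalid Ingress objects are not rejected at admission`. A follow-up issue reference would help whoever revisits this.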
@@ -0,0 +1,150 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### Unreleased
+
+### 3.13.0
+
+- [X] [#6544](https://github.com/kubernetes/ingress-nginx/pull/6544) Fix default backend HPA name variable
+
+### 3.12.0
+
+- [X] [#6514](https://github.com/kubernetes/ingress-nginx/pull/6514) Remove helm2 support and update docs
+
+### 3.11.1
+
+- [X] [#6505](https://github.com/kubernetes/ingress-nginx/pull/6505) Reorder HPA resource list to work with GitOps tooling
+
+### 3.11.0
+
+- Support Keda Autoscaling
+
+### 3.10.1
+
+- Fix regression introduced in 0.41.0 with external authentication
+
+### 3.10.0
+
+- Fix routing regression introduced in 0.41.0 with PathType Exact
+
+### 3.9.0
+
+- [X] [#6423](https://github.com/kubernetes/ingress-nginx/pull/6423) Add Default backend HPA autoscaling
+
+### 3.8.0
+
+- [X] [#6395](https://github.com/kubernetes/ingress-nginx/pull/6395) Update jettech/kube-webhook-certgen image
+- [X] [#6377](https://github.com/kubernetes/ingress-nginx/pull/6377) Added loadBalancerSourceRanges for internal lbs
+- [X] [#6356](https://github.com/kubernetes/ingress-nginx/pull/6356) Add securitycontext settings on defaultbackend
+- [X] [#6401](https://github.com/kubernetes/ingress-nginx/pull/6401) Fix controller service annotations
+- [X] [#6403](https://github.com/kubernetes/ingress-nginx/pull/6403) Initial helm chart changelog
+
+### 3.7.1
+
+- [X] [#6326](https://github.com/kubernetes/ingress-nginx/pull/6326) Fix liveness and readiness probe path in daemonset chart
+
+### 3.7.0
+
+- [X] [#6316](https://github.com/kubernetes/ingress-nginx/pull/6316) Numerals in podAnnotations in quotes [#6315](https://github.com/kubernetes/ingress-nginx/issues/6315)
+
+### 3.6.0
+
+- [X] [#6305](https://github.com/kubernetes/ingress-nginx/pull/6305) Add default linux nodeSelector
+
+### 3.5.1
+
+- [X] [#6299](https://github.com/kubernetes/ingress-nginx/pull/6299) Fix helm chart release
+
+### 3.5.0
+
+- [X] [#6260](https://github.com/kubernetes/ingress-nginx/pull/6260) Allow Helm Chart to customize admission webhook's annotations, timeoutSeconds, namespaceSelector, objectSelector and cert files locations
+
+### 3.4.0
+
+- [X] [#6268](https://github.com/kubernetes/ingress-nginx/pull/6268) Update to 0.40.2 in helm chart #6288
+
+### 3.3.1
+
+- [X] [#6259](https://github.com/kubernetes/ingress-nginx/pull/6259) Release helm chart
+- [X] [#6258](https://github.com/kubernetes/ingress-nginx/pull/6258) Fix chart markdown link
+- [X] [#6253](https://github.com/kubernetes/ingress-nginx/pull/6253) Release v0.40.0
+
+### 3.3.1
+
+- [X] [#6233](https://github.com/kubernetes/ingress-nginx/pull/6233) Add admission controller e2e test
+
+### 3.3.0
+
+- [X] [#6203](https://github.com/kubernetes/ingress-nginx/pull/6203) Refactor parsing of key values
+- [X] [#6162](https://github.com/kubernetes/ingress-nginx/pull/6162) Add helm chart options to expose metrics service as NodePort
+- [X] [#6180](https://github.com/kubernetes/ingress-nginx/pull/6180) Fix helm chart admissionReviewVersions regression
+- [X] [#6169](https://github.com/kubernetes/ingress-nginx/pull/6169) Fix Typo in example prometheus rules
+
+### 3.0.0
+
+- [X] [#6167](https://github.com/kubernetes/ingress-nginx/pull/6167) Update chart requirements
+
+### 2.16.0
+
+- [X] [#6154](https://github.com/kubernetes/ingress-nginx/pull/6154) add `topologySpreadConstraint` to controller
+
+### 2.15.0
+
+- [X] [#6087](https://github.com/kubernetes/ingress-nginx/pull/6087) Adding parameter for externalTrafficPolicy in internal controller service spec
+
+### 2.14.0
+
+- [X] [#6104](https://github.com/kubernetes/ingress-nginx/pull/6104) Misc fixes for nginx-ingress chart for better keel and prometheus-operator integration
+
+### 2.13.0
+
+- [X] [#6093](https://github.com/kubernetes/ingress-nginx/pull/6093) Release v0.35.0
+
+### 2.13.0
+
+- [X] [#6093](https://github.com/kubernetes/ingress-nginx/pull/6093) Release v0.35.0
+- [X] [#6080](https://github.com/kubernetes/ingress-nginx/pull/6080) Switch images to k8s.gcr.io after Vanity Domain Flip
+
+### 2.12.1
+
+- [X] [#6075](https://github.com/kubernetes/ingress-nginx/pull/6075) Sync helm chart affinity examples
+
+### 2.12.0
+
+- [X] [#6039](https://github.com/kubernetes/ingress-nginx/pull/6039) Add configurable serviceMonitor metricRelabelling and targetLabels
+- [X] [#6044](https://github.com/kubernetes/ingress-nginx/pull/6044) Fix YAML linting
+
+### 2.11.3
+
+- [X] [#6038](https://github.com/kubernetes/ingress-nginx/pull/6038) Bump chart version PATCH
+
+### 2.11.2
+
+- [X] [#5951](https://github.com/kubernetes/ingress-nginx/pull/5951) Bump chart patch version
+
+### 2.11.1
+
+- [X] [#5900](https://github.com/kubernetes/ingress-nginx/pull/5900) Release helm chart for v0.34.1
+
+### 2.11.0
+
+- [X] [#5879](https://github.com/kubernetes/ingress-nginx/pull/5879) Update helm chart for v0.34.0
+- [X] [#5671](https://github.com/kubernetes/ingress-nginx/pull/5671) Make liveness probe more fault tolerant than readiness probe
+
+### 2.10.0
+
+- [X] [#5843](https://github.com/kubernetes/ingress-nginx/pull/5843) Update jettech/kube-webhook-certgen image
+
+### 2.9.1
+
+- [X] [#5823](https://github.com/kubernetes/ingress-nginx/pull/5823) Add quoting to sysctls because numeric values need to be presented as strings (#5823)
+
+### 2.9.0
+
+- [X] [#5795](https://github.com/kubernetes/ingress-nginx/pull/5795) Use fully qualified images to avoid cri-o issues
+
+
+### TODO
+
+Keep building the changelog using *git log charts* checking the tag
diff --git a/charts/ingress-nginx/Chart.yaml b/charts/ingress-nginx/Chart.yaml
new file mode 100644
index 0000000000..5af4b497a4
--- /dev/null
+++ b/charts/ingress-nginx/Chart.yaml
@@ -0,0 +1,19 @@
+annotations:
+ artifacthub.io/changes: |
+ - Fix default backend HPA name variable
+apiVersion: v2
+appVersion: 0.41.2
+description: Ingress controller for Kubernetes using NGINX as a reverse proxy and load balancer
+home: https://github.com/kubernetes/ingress-nginx
+icon: https://upload.wikimedia.org/wikipedia/commons/thumb/c/c5/Nginx_logo.svg/500px-Nginx_logo.svg.png
+keywords:
+- ingress
+- nginx
+kubeVersion: '>=1.16.0-0'
+maintainers:
+- name: ChiefAlexander
+name: ingress-nginx
+sources:
+- https://github.com/kubernetes/ingress-nginx
+type: application
+version: 3.13.0
diff --git a/charts/ingress-nginx/OWNERS b/charts/ingress-nginx/OWNERS
new file mode 100644
index 0000000000..7aadb8dc29
--- /dev/null
+++ b/charts/ingress-nginx/OWNERS
@@ -0,0 +1,5 @@
+approvers:
+ - ChiefAlexander
+
+reviewers:
+ - ChiefAlexander
diff --git a/charts/ingress-nginx/README.md b/charts/ingress-nginx/README.md
new file mode 100644
index 0000000000..37b0ca1fbd
--- /dev/null
+++ b/charts/ingress-nginx/README.md
@@ -0,0 +1,209 @@ +# ingress-nginx + +[ingress-nginx](https://github.com/kubernetes/ingress-nginx) Ingress controller for Kubernetes using NGINX as a reverse proxy and load balancer + +To use, add the `kubernetes.io/ingress.class: nginx` annotation to your Ingress resources. + +This chart bootstraps an ingress-nginx deployment on a [Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager. + +## Prerequisites + +- Kubernetes v1.16+ + +## Get Repo Info + +```console +helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx +helm repo update +``` + +## Install Chart + +**Important:** only helm3 is supported + +```console +helm install [RELEASE_NAME] ingress-nginx/ingress-nginx +``` + +The command deploys ingress-nginx on the Kubernetes cluster in the default configuration. + +_See [configuration](#configuration) below._ + +_See [helm install](https://helm.sh/docs/helm/helm_install/) for command documentation._ + +## Uninstall Chart + +```console +helm uninstall [RELEASE_NAME] +``` + +This removes all the Kubernetes components associated with the chart and deletes the release. + +_See [helm uninstall](https://helm.sh/docs/helm/helm_uninstall/) for command documentation._ + +## Upgrading Chart + +```console +helm upgrade [RELEASE_NAME] [CHART] --install +``` + +_See [helm upgrade](https://helm.sh/docs/helm/helm_upgrade/) for command documentation._ + +### Upgrading With Zero Downtime in Production + +By default the ingress-nginx controller has service interruptions whenever it's pods are restarted or redeployed. In order to fix that, see the excellent blog post by Lindsay Landry from Codecademy: [Kubernetes: Nginx and Zero Downtime in Production](https://medium.com/codecademy-engineering/kubernetes-nginx-and-zero-downtime-in-production-2c910c6a5ed8). + +### Migrating from stable/nginx-ingress + +There are two main ways to migrate a release from `stable/nginx-ingress` to `ingress-nginx/ingress-nginx` chart: + +1. 
For Nginx Ingress controllers used for non-critical services, the easiest method is to [uninstall](#uninstall-chart) the old release and [install](#install-chart) the new one +1. For critical services in production that require zero-downtime, you will want to: + 1. [Install](#install-chart) a second Ingress controller + 1. Redirect your DNS traffic from the old controller to the new controller + 1. Log traffic from both controllers during this changeover + 1. [Uninstall](#uninstall-chart) the old controller once traffic has fully drained from it + 1. For details on all of these steps see [Upgrading With Zero Downtime in Production](#upgrading-with-zero-downtime-in-production) + +Note that there are some different and upgraded configurations between the two charts, described by Rimas Mocevicius from JFrog in the "Upgrading to ingress-nginx Helm chart" section of [Migrating from Helm chart nginx-ingress to ingress-nginx](https://rimusz.net/migrating-to-ingress-nginx). As the `ingress-nginx/ingress-nginx` chart continues to update, you will want to check current differences by running [helm configuration](#configuration) commands on both charts. + +## Configuration + +See [Customizing the Chart Before Installing](https://helm.sh/docs/intro/using_helm/#customizing-the-chart-before-installing). To see all configurable options with detailed comments, visit the chart's [values.yaml](./values.yaml), or run these configuration commands: + +```console +helm show values ingress-nginx/ingress-nginx +``` + +### PodDisruptionBudget + +Note that the PodDisruptionBudget resource will only be defined if the replicaCount is greater than one, +else it would make it impossible to evacuate a node. See [gh issue #7127](https://github.com/helm/charts/issues/7127) for more info. + +### Prometheus Metrics + +The Nginx ingress controller can export Prometheus metrics, by setting `controller.metrics.enabled` to `true`. 
+ +You can add Prometheus annotations to the metrics service using `controller.metrics.service.annotations`. Alternatively, if you use the Prometheus Operator, you can enable ServiceMonitor creation using `controller.metrics.serviceMonitor.enabled`. + +### ingress-nginx nginx\_status page/stats server + +Previous versions of this chart had a `controller.stats.*` configuration block, which is now obsolete due to the following changes in nginx ingress controller: + +- In [0.16.1](https://github.com/kubernetes/ingress-nginx/blob/master/Changelog.md#0161), the vts (virtual host traffic status) dashboard was removed +- In [0.23.0](https://github.com/kubernetes/ingress-nginx/blob/master/Changelog.md#0230), the status page at port 18080 is now a unix socket webserver only available at localhost. + You can use `curl --unix-socket /tmp/nginx-status-server.sock http://localhost/nginx_status` inside the controller container to access it locally, or use the snippet from [nginx-ingress changelog](https://github.com/kubernetes/ingress-nginx/blob/master/Changelog.md#0230) to re-enable the http server + +### ExternalDNS Service Configuration + +Add an [ExternalDNS](https://github.com/kubernetes-incubator/external-dns) annotation to the LoadBalancer service: + +```yaml +controller: + service: + annotations: + external-dns.alpha.kubernetes.io/hostname: kubernetes-example.com. 
+``` + +### AWS L7 ELB with SSL Termination + +Annotate the controller as shown in the [nginx-ingress l7 patch](https://github.com/kubernetes/ingress-nginx/blob/master/deploy/aws/l7/service-l7.yaml): + +```yaml +controller: + service: + targetPorts: + http: http + https: http + annotations: + service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:acm:XX-XXXX-X:XXXXXXXXX:certificate/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXX + service.beta.kubernetes.io/aws-load-balancer-backend-protocol: "http" + service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "https" + service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: '3600' +``` + +### AWS route53-mapper + +To configure the LoadBalancer service with the [route53-mapper addon](https://github.com/kubernetes/kops/tree/master/addons/route53-mapper), add the `domainName` annotation and `dns` label: + +```yaml +controller: + service: + labels: + dns: "route53" + annotations: + domainName: "kubernetes-example.com" +``` + +### Additional Internal Load Balancer + +This setup is useful when you need both external and internal load balancers but don't want to have multiple ingress controllers and multiple ingress objects per application. + +By default, the ingress object will point to the external load balancer address, but if correctly configured, you can make use of the internal one if the URL you are looking up resolves to the internal load balancer's URL. + +You'll need to set both the following values: + +`controller.service.internal.enabled` +`controller.service.internal.annotations` + +If one of them is missing the internal load balancer will not be deployed. Example you may have `controller.service.internal.enabled=true` but no annotations set, in this case no action will be taken. + +`controller.service.internal.annotations` varies with the cloud service you're using. 
+ +Example for AWS: + +```yaml +controller: + service: + internal: + enabled: true + annotations: + # Create internal ELB + service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0 + # Any other annotation can be declared here. +``` + +Example for GCE: + +```yaml +controller: + service: + internal: + enabled: true + annotations: + # Create internal LB + cloud.google.com/load-balancer-type: "Internal" + # Any other annotation can be declared here. +``` + +Example for Azure: + +```yaml +controller: + service: + annotations: + # Create internal LB + service.beta.kubernetes.io/azure-load-balancer-internal: "true" + # Any other annotation can be declared here. +``` + +An use case for this scenario is having a split-view DNS setup where the public zone CNAME records point to the external balancer URL while the private zone CNAME records point to the internal balancer URL. This way, you only need one ingress kubernetes object. + +### Ingress Admission Webhooks + +With nginx-ingress-controller version 0.25+, the nginx ingress controller pod exposes an endpoint that will integrate with the `validatingwebhookconfiguration` Kubernetes feature to prevent bad ingress from being added to the cluster. +**This feature is enabled by default since 0.31.0.** + +With nginx-ingress-controller in 0.25.* work only with kubernetes 1.14+, 0.26 fix [this issue](https://github.com/kubernetes/ingress-nginx/pull/4521) + +### Helm Error When Upgrading: spec.clusterIP: Invalid value: "" + +If you are upgrading this chart from a version between 0.31.0 and 1.2.2 then you may get an error like this: + +```console +Error: UPGRADE FAILED: Service "?????-controller" is invalid: spec.clusterIP: Invalid value: "": field is immutable +``` + +Detail of how and why are in [this issue](https://github.com/helm/charts/pull/13646) but to resolve this you can set `xxxx.service.omitClusterIP` to `true` where `xxxx` is the service referenced in the error. 
+ +As of version `1.26.0` of this chart, by simply not providing any clusterIP value, `invalid: spec.clusterIP: Invalid value: "": field is immutable` will no longer occur since `clusterIP: ""` will not be rendered. diff --git a/charts/ingress-nginx/ci/daemonset-customconfig-values.yaml b/charts/ingress-nginx/ci/daemonset-customconfig-values.yaml new file mode 100644 index 0000000000..e12b53421b --- /dev/null +++ b/charts/ingress-nginx/ci/daemonset-customconfig-values.yaml @@ -0,0 +1,9 @@ +controller: + kind: DaemonSet + admissionWebhooks: + enabled: false + service: + type: ClusterIP + + config: + use-proxy-protocol: "true" diff --git a/charts/nginx-ingress/ci/daemonset-customnodeport-values.yaml b/charts/ingress-nginx/ci/daemonset-customnodeport-values.yaml similarity index 83% rename from charts/nginx-ingress/ci/daemonset-customnodeport-values.yaml rename to charts/ingress-nginx/ci/daemonset-customnodeport-values.yaml index 382bc50e2c..cfc545f69f 100644 --- a/charts/nginx-ingress/ci/daemonset-customnodeport-values.yaml +++ b/charts/ingress-nginx/ci/daemonset-customnodeport-values.yaml @@ -1,5 +1,8 @@ controller: kind: DaemonSet + admissionWebhooks: + enabled: false + service: type: NodePort nodePorts: diff --git a/charts/nginx-ingress/ci/daemonset-headers-values.yaml b/charts/ingress-nginx/ci/daemonset-headers-values.yaml similarity index 62% rename from charts/nginx-ingress/ci/daemonset-headers-values.yaml rename to charts/ingress-nginx/ci/daemonset-headers-values.yaml index a29690f1b4..ff82cd9c70 100644 --- a/charts/nginx-ingress/ci/daemonset-headers-values.yaml +++ b/charts/ingress-nginx/ci/daemonset-headers-values.yaml @@ -1,6 +1,10 @@ controller: kind: DaemonSet + admissionWebhooks: + enabled: false addHeaders: X-Frame-Options: deny proxySetHeaders: X-Forwarded-Proto: https + service: + type: ClusterIP 
diff --git a/charts/ingress-nginx/ci/daemonset-internal-lb-values.yaml b/charts/ingress-nginx/ci/daemonset-internal-lb-values.yaml new file mode 100644 index 0000000000..443e39d8ba --- /dev/null +++ b/charts/ingress-nginx/ci/daemonset-internal-lb-values.yaml @@ -0,0 +1,10 @@ +controller: + kind: DaemonSet + admissionWebhooks: + enabled: false + service: + type: ClusterIP + internal: + enabled: true + annotations: + service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0 diff --git a/charts/nginx-ingress/ci/daemonset-nodeport-values.yaml b/charts/ingress-nginx/ci/daemonset-nodeport-values.yaml similarity index 60% rename from charts/nginx-ingress/ci/daemonset-nodeport-values.yaml rename to charts/ingress-nginx/ci/daemonset-nodeport-values.yaml index ebc8f10202..6d6605f0e1 100644 --- a/charts/nginx-ingress/ci/daemonset-nodeport-values.yaml +++ b/charts/ingress-nginx/ci/daemonset-nodeport-values.yaml @@ -1,4 +1,6 @@ controller: kind: DaemonSet + admissionWebhooks: + enabled: false service: type: NodePort diff --git a/charts/ingress-nginx/ci/daemonset-podannotations-values.yaml b/charts/ingress-nginx/ci/daemonset-podannotations-values.yaml new file mode 100644 index 0000000000..04ac58dbd8 --- /dev/null +++ b/charts/ingress-nginx/ci/daemonset-podannotations-values.yaml @@ -0,0 +1,13 @@ +controller: + kind: DaemonSet + admissionWebhooks: + enabled: false + metrics: + enabled: true + service: + type: ClusterIP + podAnnotations: + prometheus.io/path: /metrics + prometheus.io/port: "10254" + prometheus.io/scheme: http + prometheus.io/scrape: "true" diff --git a/charts/nginx-ingress/ci/daemonset-tcp-udp-configMapNamespace-values.yaml b/charts/ingress-nginx/ci/daemonset-tcp-udp-configMapNamespace-values.yaml similarity index 83% rename from charts/nginx-ingress/ci/daemonset-tcp-udp-configMapNamespace-values.yaml rename to charts/ingress-nginx/ci/daemonset-tcp-udp-configMapNamespace-values.yaml index 3484704f85..afb5487c57 100644 
--- a/charts/nginx-ingress/ci/daemonset-tcp-udp-configMapNamespace-values.yaml +++ b/charts/ingress-nginx/ci/daemonset-tcp-udp-configMapNamespace-values.yaml @@ -1,5 +1,7 @@ controller: kind: DaemonSet + admissionWebhooks: + enabled: false service: type: ClusterIP tcp: diff --git a/charts/nginx-ingress/ci/daemonset-tcp-udp-values.yaml b/charts/ingress-nginx/ci/daemonset-tcp-udp-values.yaml similarity index 76% rename from charts/nginx-ingress/ci/daemonset-tcp-udp-values.yaml rename to charts/ingress-nginx/ci/daemonset-tcp-udp-values.yaml index e6866d7caa..7b4d7cbe7d 100644 --- a/charts/nginx-ingress/ci/daemonset-tcp-udp-values.yaml +++ b/charts/ingress-nginx/ci/daemonset-tcp-udp-values.yaml @@ -1,5 +1,7 @@ controller: kind: DaemonSet + admissionWebhooks: + enabled: false service: type: ClusterIP diff --git a/charts/nginx-ingress/ci/daemonset-tcp-values.yaml b/charts/ingress-nginx/ci/daemonset-tcp-values.yaml similarity index 56% rename from charts/nginx-ingress/ci/daemonset-tcp-values.yaml rename to charts/ingress-nginx/ci/daemonset-tcp-values.yaml index f0a6060877..a359a6a401 100644 --- a/charts/nginx-ingress/ci/daemonset-tcp-values.yaml +++ b/charts/ingress-nginx/ci/daemonset-tcp-values.yaml @@ -1,5 +1,9 @@ controller: kind: DaemonSet + admissionWebhooks: + enabled: false + service: + type: ClusterIP tcp: 9000: "default/test:8080" diff --git a/charts/ingress-nginx/ci/deamonset-default-values.yaml b/charts/ingress-nginx/ci/deamonset-default-values.yaml new file mode 100644 index 0000000000..e63a7f5db3 --- /dev/null +++ b/charts/ingress-nginx/ci/deamonset-default-values.yaml @@ -0,0 +1,6 @@ +controller: + kind: DaemonSet + admissionWebhooks: + enabled: false + service: + type: ClusterIP diff --git a/charts/ingress-nginx/ci/deamonset-metrics-values.yaml b/charts/ingress-nginx/ci/deamonset-metrics-values.yaml new file mode 100644 index 0000000000..1e5190afc0 --- /dev/null +++ b/charts/ingress-nginx/ci/deamonset-metrics-values.yaml 
@@ -0,0 +1,8 @@ +controller: + kind: DaemonSet + admissionWebhooks: + enabled: false + metrics: + enabled: true + service: + type: ClusterIP diff --git a/charts/ingress-nginx/ci/deamonset-psp-values.yaml b/charts/ingress-nginx/ci/deamonset-psp-values.yaml new file mode 100644 index 0000000000..017b60a9c6 --- /dev/null +++ b/charts/ingress-nginx/ci/deamonset-psp-values.yaml @@ -0,0 +1,9 @@ +controller: + kind: DaemonSet + admissionWebhooks: + enabled: false + service: + type: ClusterIP + +podSecurityPolicy: + enabled: true diff --git a/charts/nginx-ingress/ci/deamonset-webhook-and-psp-values.yaml b/charts/ingress-nginx/ci/deamonset-webhook-and-psp-values.yaml similarity index 77% rename from charts/nginx-ingress/ci/deamonset-webhook-and-psp-values.yaml rename to charts/ingress-nginx/ci/deamonset-webhook-and-psp-values.yaml index 2cf9d6fd10..88aafc66fd 100644 --- a/charts/nginx-ingress/ci/deamonset-webhook-and-psp-values.yaml +++ b/charts/ingress-nginx/ci/deamonset-webhook-and-psp-values.yaml @@ -2,6 +2,8 @@ controller: kind: DaemonSet admissionWebhooks: enabled: true + service: + type: ClusterIP podSecurityPolicy: enabled: true diff --git a/charts/nginx-ingress/ci/deamonset-webhook-values.yaml b/charts/ingress-nginx/ci/deamonset-webhook-values.yaml similarity index 69% rename from charts/nginx-ingress/ci/deamonset-webhook-values.yaml rename to charts/ingress-nginx/ci/deamonset-webhook-values.yaml index 2d2cb47936..6e3b371da6 100644 --- a/charts/nginx-ingress/ci/deamonset-webhook-values.yaml +++ b/charts/ingress-nginx/ci/deamonset-webhook-values.yaml @@ -2,3 +2,5 @@ controller: kind: DaemonSet admissionWebhooks: enabled: true + service: + type: ClusterIP diff --git a/charts/ingress-nginx/ci/deployment-autoscaling-values.yaml b/charts/ingress-nginx/ci/deployment-autoscaling-values.yaml new file mode 100644 index 0000000000..5314cecb38 --- /dev/null +++ b/charts/ingress-nginx/ci/deployment-autoscaling-values.yaml 
@@ -0,0 +1,7 @@ +controller: + autoscaling: + enabled: true + admissionWebhooks: + enabled: false + service: + type: ClusterIP diff --git a/charts/ingress-nginx/ci/deployment-customconfig-values.yaml b/charts/ingress-nginx/ci/deployment-customconfig-values.yaml new file mode 100644 index 0000000000..f232531acb --- /dev/null +++ b/charts/ingress-nginx/ci/deployment-customconfig-values.yaml @@ -0,0 +1,7 @@ +controller: + config: + use-proxy-protocol: "true" + admissionWebhooks: + enabled: false + service: + type: ClusterIP diff --git a/charts/nginx-ingress/ci/deployment-customnodeport-values.yaml b/charts/ingress-nginx/ci/deployment-customnodeport-values.yaml similarity index 82% rename from charts/nginx-ingress/ci/deployment-customnodeport-values.yaml rename to charts/ingress-nginx/ci/deployment-customnodeport-values.yaml index 6958eaac67..9eda282b13 100644 --- a/charts/nginx-ingress/ci/deployment-customnodeport-values.yaml +++ b/charts/ingress-nginx/ci/deployment-customnodeport-values.yaml @@ -1,4 +1,6 @@ controller: + admissionWebhooks: + enabled: false service: type: NodePort nodePorts: diff --git a/charts/ingress-nginx/ci/deployment-default-values.yaml b/charts/ingress-nginx/ci/deployment-default-values.yaml new file mode 100644 index 0000000000..93a393c975 --- /dev/null +++ b/charts/ingress-nginx/ci/deployment-default-values.yaml @@ -0,0 +1,4 @@ +# Left blank to test default values +controller: + service: + type: ClusterIP diff --git a/charts/nginx-ingress/ci/deployment-headers-values.yaml b/charts/ingress-nginx/ci/deployment-headers-values.yaml similarity index 58% rename from charts/nginx-ingress/ci/deployment-headers-values.yaml rename to charts/ingress-nginx/ci/deployment-headers-values.yaml index f3873af06e..665fd48d35 100644 --- a/charts/nginx-ingress/ci/deployment-headers-values.yaml +++ b/charts/ingress-nginx/ci/deployment-headers-values.yaml 
@@ -1,5 +1,9 @@ controller: + admissionWebhooks: + enabled: false addHeaders: X-Frame-Options: deny proxySetHeaders: X-Forwarded-Proto: https + service: + type: ClusterIP diff --git a/charts/ingress-nginx/ci/deployment-internal-lb-values.yaml b/charts/ingress-nginx/ci/deployment-internal-lb-values.yaml new file mode 100644 index 0000000000..892f6de3f0 --- /dev/null +++ b/charts/ingress-nginx/ci/deployment-internal-lb-values.yaml @@ -0,0 +1,9 @@ +controller: + admissionWebhooks: + enabled: false + service: + type: ClusterIP + internal: + enabled: true + annotations: + service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0 diff --git a/charts/ingress-nginx/ci/deployment-metrics-values.yaml b/charts/ingress-nginx/ci/deployment-metrics-values.yaml new file mode 100644 index 0000000000..887ed0f620 --- /dev/null +++ b/charts/ingress-nginx/ci/deployment-metrics-values.yaml @@ -0,0 +1,7 @@ +controller: + admissionWebhooks: + enabled: false + metrics: + enabled: true + service: + type: ClusterIP diff --git a/charts/nginx-ingress/ci/deployment-nodeport-values.yaml b/charts/ingress-nginx/ci/deployment-nodeport-values.yaml similarity index 51% rename from charts/nginx-ingress/ci/deployment-nodeport-values.yaml rename to charts/ingress-nginx/ci/deployment-nodeport-values.yaml index ffdc47b2d0..84f1f7582e 100644 --- a/charts/nginx-ingress/ci/deployment-nodeport-values.yaml +++ b/charts/ingress-nginx/ci/deployment-nodeport-values.yaml @@ -1,3 +1,5 @@ controller: + admissionWebhooks: + enabled: false service: type: NodePort diff --git a/charts/ingress-nginx/ci/deployment-podannotations-values.yaml b/charts/ingress-nginx/ci/deployment-podannotations-values.yaml new file mode 100644 index 0000000000..b65a0910b3 --- /dev/null +++ b/charts/ingress-nginx/ci/deployment-podannotations-values.yaml 
@@ -0,0 +1,12 @@ +controller: + admissionWebhooks: + enabled: false + metrics: + enabled: true + service: + type: ClusterIP + podAnnotations: + prometheus.io/path: /metrics + prometheus.io/port: "10254" + prometheus.io/scheme: http + prometheus.io/scrape: "true" diff --git a/charts/nginx-ingress/ci/deamonset-psp-values.yaml b/charts/ingress-nginx/ci/deployment-psp-values.yaml similarity index 60% rename from charts/nginx-ingress/ci/deamonset-psp-values.yaml rename to charts/ingress-nginx/ci/deployment-psp-values.yaml index b441c1ad80..e339c69c32 100644 --- a/charts/nginx-ingress/ci/deamonset-psp-values.yaml +++ b/charts/ingress-nginx/ci/deployment-psp-values.yaml @@ -1,5 +1,6 @@ controller: - kind: DaemonSet + service: + type: ClusterIP podSecurityPolicy: enabled: true diff --git a/charts/nginx-ingress/ci/deployment-tcp-udp-configMapNamespace-values.yaml b/charts/ingress-nginx/ci/deployment-tcp-udp-configMapNamespace-values.yaml similarity index 82% rename from charts/nginx-ingress/ci/deployment-tcp-udp-configMapNamespace-values.yaml rename to charts/ingress-nginx/ci/deployment-tcp-udp-configMapNamespace-values.yaml index 7b06c1eb62..141e06b687 100644 --- a/charts/nginx-ingress/ci/deployment-tcp-udp-configMapNamespace-values.yaml +++ b/charts/ingress-nginx/ci/deployment-tcp-udp-configMapNamespace-values.yaml @@ -1,4 +1,6 @@ controller: + admissionWebhooks: + enabled: false service: type: ClusterIP tcp: diff --git a/charts/ingress-nginx/ci/deployment-tcp-udp-values.yaml b/charts/ingress-nginx/ci/deployment-tcp-udp-values.yaml new file mode 100644 index 0000000000..bc29abeba7 --- /dev/null +++ b/charts/ingress-nginx/ci/deployment-tcp-udp-values.yaml @@ -0,0 +1,11 @@ +controller: + admissionWebhooks: + enabled: false + service: + type: ClusterIP + +tcp: + 9000: "default/test:8080" + +udp: + 9001: "default/test:8080" 
diff --git a/charts/nginx-ingress/ci/deployment-tcp-udp-values.yaml b/charts/ingress-nginx/ci/deployment-tcp-values.yaml similarity index 94% rename from charts/nginx-ingress/ci/deployment-tcp-udp-values.yaml rename to charts/ingress-nginx/ci/deployment-tcp-values.yaml index 7c55d44795..b7f54c09fa 100644 --- a/charts/nginx-ingress/ci/deployment-tcp-udp-values.yaml +++ b/charts/ingress-nginx/ci/deployment-tcp-values.yaml @@ -4,6 +4,4 @@ controller: tcp: 9000: "default/test:8080" - -udp: 9001: "default/test:8080" diff --git a/charts/nginx-ingress/ci/deployment-webhook-and-psp-values.yaml b/charts/ingress-nginx/ci/deployment-webhook-and-psp-values.yaml similarity index 73% rename from charts/nginx-ingress/ci/deployment-webhook-and-psp-values.yaml rename to charts/ingress-nginx/ci/deployment-webhook-and-psp-values.yaml index 0590d7c9f3..a829c36144 100644 --- a/charts/nginx-ingress/ci/deployment-webhook-and-psp-values.yaml +++ b/charts/ingress-nginx/ci/deployment-webhook-and-psp-values.yaml @@ -1,6 +1,8 @@ controller: admissionWebhooks: enabled: true + service: + type: ClusterIP podSecurityPolicy: enabled: true diff --git a/charts/nginx-ingress/ci/deployment-webhook-values.yaml b/charts/ingress-nginx/ci/deployment-webhook-values.yaml similarity index 62% rename from charts/nginx-ingress/ci/deployment-webhook-values.yaml rename to charts/ingress-nginx/ci/deployment-webhook-values.yaml index 07e1a925bf..4f18a70b9f 100644 --- a/charts/nginx-ingress/ci/deployment-webhook-values.yaml +++ b/charts/ingress-nginx/ci/deployment-webhook-values.yaml @@ -1,3 +1,5 @@ controller: admissionWebhooks: enabled: true + service: + type: ClusterIP diff --git a/charts/nginx-ingress/templates/NOTES.txt b/charts/ingress-nginx/templates/NOTES.txt similarity index 85% rename from charts/nginx-ingress/templates/NOTES.txt rename to charts/ingress-nginx/templates/NOTES.txt index e18a9010c4..60fb2c1f62 100644 --- a/charts/nginx-ingress/templates/NOTES.txt 
+++ b/charts/ingress-nginx/templates/NOTES.txt @@ -1,4 +1,4 @@ -The nginx-ingress controller has been installed. +The ingress-nginx controller has been installed. {{- if contains "NodePort" .Values.controller.service.type }} Get the application URL by running these commands: @@ -6,12 +6,12 @@ Get the application URL by running these commands: {{- if (not (empty .Values.controller.service.nodePorts.http)) }} export HTTP_NODE_PORT={{ .Values.controller.service.nodePorts.http }} {{- else }} - export HTTP_NODE_PORT=$(kubectl --namespace {{ .Release.Namespace }} get services -o jsonpath="{.spec.ports[0].nodePort}" {{ template "nginx-ingress.controller.fullname" . }}) + export HTTP_NODE_PORT=$(kubectl --namespace {{ .Release.Namespace }} get services -o jsonpath="{.spec.ports[0].nodePort}" {{ include "ingress-nginx.controller.fullname" . }}) {{- end }} {{- if (not (empty .Values.controller.service.nodePorts.https)) }} export HTTPS_NODE_PORT={{ .Values.controller.service.nodePorts.https }} {{- else }} - export HTTPS_NODE_PORT=$(kubectl --namespace {{ .Release.Namespace }} get services -o jsonpath="{.spec.ports[1].nodePort}" {{ template "nginx-ingress.controller.fullname" . }}) + export HTTPS_NODE_PORT=$(kubectl --namespace {{ .Release.Namespace }} get services -o jsonpath="{.spec.ports[1].nodePort}" {{ include "ingress-nginx.controller.fullname" . }}) {{- end }} export NODE_IP=$(kubectl --namespace {{ .Release.Namespace }} get nodes -o jsonpath="{.items[0].status.addresses[1].address}") 
@@ -19,17 +19,17 @@ Get the application URL by running these commands: echo "Visit https://$NODE_IP:$HTTPS_NODE_PORT to access your application via HTTPS." {{- else if contains "LoadBalancer" .Values.controller.service.type }} It may take a few minutes for the LoadBalancer IP to be available. -You can watch the status by running 'kubectl --namespace {{ .Release.Namespace }} get services -o wide -w {{ template "nginx-ingress.controller.fullname" . }}' +You can watch the status by running 'kubectl --namespace {{ .Release.Namespace }} get services -o wide -w {{ include "ingress-nginx.controller.fullname" . }}' {{- else if contains "ClusterIP" .Values.controller.service.type }} Get the application URL by running these commands: - export POD_NAME=$(kubectl --namespace {{ .Release.Namespace }} get pods -o jsonpath="{.items[0].metadata.name}" -l "app={{ template "nginx-ingress.name" . }},component={{ .Values.controller.name }},release={{ template "nginx-ingress.releaseLabel" . }}") + export POD_NAME=$(kubectl --namespace {{ .Release.Namespace }} get pods -o jsonpath="{.items[0].metadata.name}" -l "app={{ template "ingress-nginx.name" . }},component={{ .Values.controller.name }},release={{ .Release.Name }}") kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 8080:80 echo "Visit http://127.0.0.1:8080 to access your application." {{- end }} An example Ingress that makes use of the controller: - apiVersion: extensions/v1beta1 + apiVersion: networking.k8s.io/v1beta1 kind: Ingress metadata: annotations: diff --git a/charts/nginx-ingress/templates/_helpers.tpl b/charts/ingress-nginx/templates/_helpers.tpl similarity index 62% rename from charts/nginx-ingress/templates/_helpers.tpl rename to charts/ingress-nginx/templates/_helpers.tpl index 2dbf8cf231..d516a593cb 100644 --- a/charts/nginx-ingress/templates/_helpers.tpl +++ b/charts/ingress-nginx/templates/_helpers.tpl 
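Review bot: The label selector in the ClusterIP branch of NOTES.txt still uses the old `app=`, `component=` and `release=` keys, while the templates in this commit label resources through `ingress-nginx.selectorLabels` (`app.kubernetes.io/name`, `app.kubernetes.io/instance`) plus `app.kubernetes.io/component: controller`. If the controller pods carry only the new labels (their pod template is not in this hunk), `POD_NAME` comes back empty and the printed `port-forward` command fails. The selector would then read `-l "app.kubernetes.io/name={{ include "ingress-nginx.name" . }},app.kubernetes.io/instance={{ .Release.Name }},app.kubernetes.io/component=controller"`.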
@@ -2,14 +2,14 @@ {{/* Expand the name of the chart. */}} -{{- define "nginx-ingress.name" -}} +{{- define "ingress-nginx.name" -}} {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} {{- end -}} {{/* Create chart name and version as used by the chart label. */}} -{{- define "nginx-ingress.chart" -}} +{{- define "ingress-nginx.chart" -}} {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} {{- end -}} @@ -17,7 +17,7 @@ Create chart name and version as used by the chart label. Create a default fully qualified app name. We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). */}} -{{- define "nginx-ingress.fullname" -}} +{{- define "ingress-nginx.fullname" -}} {{- if .Values.fullnameOverride -}} {{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} {{- else -}} @@ -34,16 +34,8 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this Create a default fully qualified controller name. We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). */}} -{{- define "nginx-ingress.controller.fullname" -}} -{{- printf "%s-%s" (include "nginx-ingress.fullname" .) .Values.controller.name | trunc 63 | trimSuffix "-" -}} -{{- end -}} - - -{{/* -Allow for the ability to override the release name used as a label in many places. -*/}} -{{- define "nginx-ingress.releaseLabel" -}} -{{- .Values.releaseLabelOverride | default .Release.Name | trunc 63 -}} +{{- define "ingress-nginx.controller.fullname" -}} +{{- printf "%s-%s" (include "ingress-nginx.fullname" .) "controller" | trunc 63 | trimSuffix "-" -}} {{- end -}} {{/* 
@@ -55,8 +47,8 @@ service generated. Users can provide an override for an explicit service they want bound via `.Values.controller.publishService.pathOverride` */}} -{{- define "nginx-ingress.controller.publishServicePath" -}} -{{- $defServiceName := printf "%s/%s" .Release.Namespace (include "nginx-ingress.controller.fullname" .) -}} +{{- define "ingress-nginx.controller.publishServicePath" -}} +{{- $defServiceName := printf "%s/%s" "$(POD_NAMESPACE)" (include "ingress-nginx.controller.fullname" .) -}} {{- $servicePath := default $defServiceName .Values.controller.publishService.pathOverride }} {{- print $servicePath | trimSuffix "-" -}} {{- end -}} 
@@ -65,16 +57,36 @@ Users can provide an override for an explicit service they want bound via `.Valu Create a default fully qualified default backend name. We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). */}} -{{- define "nginx-ingress.defaultBackend.fullname" -}} -{{- printf "%s-%s" (include "nginx-ingress.fullname" .) .Values.defaultBackend.name | trunc 63 | trimSuffix "-" -}} +{{- define "ingress-nginx.defaultBackend.fullname" -}} +{{- printf "%s-%s" (include "ingress-nginx.fullname" .) "defaultbackend" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Common labels +*/}} +{{- define "ingress-nginx.labels" -}} +helm.sh/chart: {{ include "ingress-nginx.chart" . }} +{{ include "ingress-nginx.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + +{{/* +Selector labels +*/}} +{{- define "ingress-nginx.selectorLabels" -}} +app.kubernetes.io/name: {{ include "ingress-nginx.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} {{- end -}} {{/* Create the name of the controller service account to use */}} -{{- define "nginx-ingress.serviceAccountName" -}} +{{- define "ingress-nginx.serviceAccountName" -}} {{- if .Values.serviceAccount.create -}} - {{ default (include "nginx-ingress.fullname" .) .Values.serviceAccount.name }} + {{ default (include "ingress-nginx.fullname" .) .Values.serviceAccount.name }} {{- else -}} {{ default "default" .Values.serviceAccount.name }} {{- end -}} 
@@ -83,25 +95,14 @@ Create the name of the controller service account to use {{/* Create the name of the backend service account to use - only used when podsecuritypolicy is also enabled */}} -{{- define "nginx-ingress.defaultBackend.serviceAccountName" -}} +{{- define "ingress-nginx.defaultBackend.serviceAccountName" -}} {{- if .Values.defaultBackend.serviceAccount.create -}} - {{ default (printf "%s-backend" (include "nginx-ingress.fullname" .)) .Values.defaultBackend.serviceAccount.name }} + {{ default (printf "%s-backend" (include "ingress-nginx.fullname" .)) .Values.defaultBackend.serviceAccount.name }} {{- else -}} {{ default "default-backend" .Values.defaultBackend.serviceAccount.name }} {{- end -}} {{- end -}} -{{/* -Return the appropriate apiVersion for deployment. -*/}} -{{- define "deployment.apiVersion" -}} -{{- if semverCompare ">=1.9-0" .Capabilities.KubeVersion.GitVersion -}} -{{- print "apps/v1" -}} -{{- else -}} -{{- print "extensions/v1beta1" -}} -{{- end -}} -{{- end -}} - {{/* Return the appropriate apiGroup for PodSecurityPolicy. */}} @@ -114,12 +115,10 @@ Return the appropriate apiGroup for PodSecurityPolicy. {{- end -}} {{/* -Return the appropriate apiVersion for podSecurityPolicy. +Check the ingress controller version tag is at most three versions behind the last release */}} -{{- define "podSecurityPolicy.apiVersion" -}} -{{- if semverCompare ">=1.10-0" .Capabilities.KubeVersion.GitVersion -}} -{{- print "policy/v1beta1" -}} -{{- else -}} -{{- print "extensions/v1beta1" -}} +{{- define "isControllerTagValid" -}} +{{- if not (semverCompare ">=0.27.0-0" .Values.controller.image.tag) -}} +{{- fail "Controller container image tag should be 0.27.0 or higher" -}} +{{- end -}} {{- end -}} -{{- end -}} \ No newline at end of file 
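Review bot: The comment above `isControllerTagValid` says the tag may be "at most three versions behind the last release", but the check is a fixed floor, `semverCompare ">=0.27.0-0" .Values.controller.image.tag`, so the comment will drift further from the code with every release. The helper also assumes the tag parses as a semantic version; a non-semver tag would, as far as I know, make `semverCompare` error and abort rendering with a less helpful message than the `fail` text. I would reword the comment to `Fail rendering when controller.image.tag is lower than 0.27.0; the tag must be a valid semver string`.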
diff --git a/charts/nginx-ingress/templates/admission-webhooks/job-patch/clusterrole.yaml b/charts/ingress-nginx/templates/admission-webhooks/job-patch/clusterrole.yaml similarity index 60% rename from charts/nginx-ingress/templates/admission-webhooks/job-patch/clusterrole.yaml rename to charts/ingress-nginx/templates/admission-webhooks/job-patch/clusterrole.yaml index a2483265f1..7eb57388d2 100644 --- a/charts/nginx-ingress/templates/admission-webhooks/job-patch/clusterrole.yaml +++ b/charts/ingress-nginx/templates/admission-webhooks/job-patch/clusterrole.yaml @@ -1,17 +1,14 @@ -{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled }} +{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled -}} apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: - name: {{ template "nginx-ingress.fullname" . }}-admission + name: {{ include "ingress-nginx.fullname" . }}-admission annotations: "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded labels: - app: {{ template "nginx-ingress.name" . }} - chart: {{ template "nginx-ingress.chart" . }} - component: "{{ .Values.controller.name }}" - heritage: {{ .Release.Service }} - release: {{ template "nginx-ingress.releaseLabel" . }} + {{- include "ingress-nginx.labels" . | nindent 4 }} + app.kubernetes.io/component: admission-webhook rules: - apiGroups: - admissionregistration.k8s.io @@ -25,6 +22,6 @@ rules: resources: ['podsecuritypolicies'] verbs: ['use'] resourceNames: - - {{ template "nginx-ingress.fullname" . }}-admission + - {{ include "ingress-nginx.fullname" . }}-admission {{- end }} {{- end }} diff --git a/charts/ingress-nginx/templates/admission-webhooks/job-patch/clusterrolebinding.yaml b/charts/ingress-nginx/templates/admission-webhooks/job-patch/clusterrolebinding.yaml new file mode 100644 index 0000000000..97931250ce 
--- /dev/null +++ b/charts/ingress-nginx/templates/admission-webhooks/job-patch/clusterrolebinding.yaml @@ -0,0 +1,20 @@ +{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ include "ingress-nginx.fullname" . }}-admission + annotations: + "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade + "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded + labels: + {{- include "ingress-nginx.labels" . | nindent 4 }} + app.kubernetes.io/component: admission-webhook +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ include "ingress-nginx.fullname" . }}-admission +subjects: + - kind: ServiceAccount + name: {{ include "ingress-nginx.fullname" . }}-admission + namespace: {{ .Release.Namespace }} +{{- end }} diff --git a/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml b/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml new file mode 100644 index 0000000000..d9ca4607c0 --- /dev/null +++ b/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml 
@@ -0,0 +1,60 @@ +{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled -}} +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ include "ingress-nginx.fullname" . }}-admission-create + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded + labels: + {{- include "ingress-nginx.labels" . | nindent 4 }} + app.kubernetes.io/component: admission-webhook +spec: +{{- if .Capabilities.APIVersions.Has "batch/v1alpha1" }} + # Alpha feature since k8s 1.12 + ttlSecondsAfterFinished: 0 +{{- end }} + template: + metadata: + name: {{ include "ingress-nginx.fullname" . }}-admission-create + {{- if .Values.controller.admissionWebhooks.patch.podAnnotations }} + annotations: {{ toYaml .Values.controller.admissionWebhooks.patch.podAnnotations | nindent 8 }} + {{- end }} + labels: + {{- include "ingress-nginx.labels" . | nindent 8 }} + app.kubernetes.io/component: admission-webhook + spec: + {{- if .Values.controller.admissionWebhooks.patch.priorityClassName }} + priorityClassName: {{ .Values.controller.admissionWebhooks.patch.priorityClassName }} + {{- end }} + {{- if .Values.imagePullSecrets }} + imagePullSecrets: {{ toYaml .Values.imagePullSecrets | nindent 8 }} + {{- end }} + containers: + - name: create + {{- with .Values.controller.admissionWebhooks.patch.image }} + image: "{{.repository}}:{{ .tag }}{{- if (.digest) -}} @{{.digest}} {{- end -}}" + {{- end }} + imagePullPolicy: {{ .Values.controller.admissionWebhooks.patch.image.pullPolicy }} + args: + - create + - --host={{ include "ingress-nginx.controller.fullname" . }}-admission,{{ include "ingress-nginx.controller.fullname" . }}-admission.$(POD_NAMESPACE).svc + - --namespace=$(POD_NAMESPACE) + - --secret-name={{ include "ingress-nginx.fullname" . 
}}-admission + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + restartPolicy: OnFailure + serviceAccountName: {{ include "ingress-nginx.fullname" . }}-admission + {{- if .Values.controller.admissionWebhooks.patch.nodeSelector }} + nodeSelector: {{ toYaml .Values.controller.admissionWebhooks.patch.nodeSelector | nindent 8 }} + {{- end }} + {{- if .Values.controller.admissionWebhooks.patch.tolerations }} + tolerations: {{ toYaml .Values.controller.admissionWebhooks.patch.tolerations | nindent 8 }} + {{- end }} + securityContext: + runAsNonRoot: true + runAsUser: {{ .Values.controller.admissionWebhooks.patch.runAsUser }} +{{- end }} diff --git a/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml b/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml new file mode 100644 index 0000000000..d297854cb2 --- /dev/null +++ b/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml 
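Review bot: The `create` container in job-createSecret.yaml has no container-level `securityContext`; only the pod-level `runAsNonRoot`/`runAsUser` is set, so privilege escalation and the default capability set are restricted only when the separate PodSecurityPolicy (gated on `.Values.podSecurityPolicy.enabled` in psp.yaml) is active. The job runs under the `-admission` service account, which the ClusterRole and ClusterRoleBinding in this commit tie to `admissionregistration.k8s.io`, so it is worth hardening regardless of PSP. The `patch` container in job-patchWebhook.yaml has the same gap. The addition below assumes the patch image needs no extra capabilities, which should be confirmed against that image before merging.

```yaml
      containers:
        - name: create
          # … unchanged: image, imagePullPolicy, args, env …
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
```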
@@ -0,0 +1,62 @@ +{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled -}} +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ include "ingress-nginx.fullname" . }}-admission-patch + annotations: + "helm.sh/hook": post-install,post-upgrade + "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded + labels: + {{- include "ingress-nginx.labels" . | nindent 4 }} + app.kubernetes.io/component: admission-webhook +spec: +{{- if .Capabilities.APIVersions.Has "batch/v1alpha1" }} + # Alpha feature since k8s 1.12 + ttlSecondsAfterFinished: 0 +{{- end }} + template: + metadata: + name: {{ include "ingress-nginx.fullname" . }}-admission-patch + {{- if .Values.controller.admissionWebhooks.patch.podAnnotations }} + annotations: {{ toYaml .Values.controller.admissionWebhooks.patch.podAnnotations | nindent 8 }} + {{- end }} + labels: + {{- include "ingress-nginx.labels" . | nindent 8 }} + app.kubernetes.io/component: admission-webhook + spec: + {{- if .Values.controller.admissionWebhooks.patch.priorityClassName }} + priorityClassName: {{ .Values.controller.admissionWebhooks.patch.priorityClassName }} + {{- end }} + {{- if .Values.imagePullSecrets }} + imagePullSecrets: {{ toYaml .Values.imagePullSecrets | nindent 8 }} + {{- end }} + containers: + - name: patch + {{- with .Values.controller.admissionWebhooks.patch.image }} + image: "{{.repository}}:{{ .tag }}{{- if (.digest) -}} @{{.digest}} {{- end -}}" + {{- end }} + imagePullPolicy: {{ .Values.controller.admissionWebhooks.patch.image.pullPolicy }} + args: + - patch + - --webhook-name={{ include "ingress-nginx.fullname" . }}-admission + - --namespace=$(POD_NAMESPACE) + - --patch-mutating=false + - --secret-name={{ include "ingress-nginx.fullname" . 
}}-admission + - --patch-failure-policy={{ .Values.controller.admissionWebhooks.failurePolicy }} + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + restartPolicy: OnFailure + serviceAccountName: {{ include "ingress-nginx.fullname" . }}-admission + {{- if .Values.controller.admissionWebhooks.patch.nodeSelector }} + nodeSelector: {{ toYaml .Values.controller.admissionWebhooks.patch.nodeSelector | nindent 8 }} + {{- end }} + {{- if .Values.controller.admissionWebhooks.patch.tolerations }} + tolerations: {{ toYaml .Values.controller.admissionWebhooks.patch.tolerations | nindent 8 }} + {{- end }} + securityContext: + runAsNonRoot: true + runAsUser: {{ .Values.controller.admissionWebhooks.patch.runAsUser }} +{{- end }} diff --git a/charts/nginx-ingress/templates/admission-webhooks/job-patch/psp.yaml b/charts/ingress-nginx/templates/admission-webhooks/job-patch/psp.yaml similarity index 70% rename from charts/nginx-ingress/templates/admission-webhooks/job-patch/psp.yaml rename to charts/ingress-nginx/templates/admission-webhooks/job-patch/psp.yaml index a23f9271ba..e8c8da94ba 100644 --- a/charts/nginx-ingress/templates/admission-webhooks/job-patch/psp.yaml +++ b/charts/ingress-nginx/templates/admission-webhooks/job-patch/psp.yaml 
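Review bot: `--patch-failure-policy={{ .Values.controller.admissionWebhooks.failurePolicy }}` has no fallback, whereas validating-webhook.yaml in this commit renders `failurePolicy` with `| default "Fail"`. When the value is unset the job receives an empty flag, and depending on how the patch tool treats that (not visible here) the webhook it patches may end up with a different policy than the manifest declares, or the job may fail. Using the same default keeps the two in agreement: `- --patch-failure-policy={{ .Values.controller.admissionWebhooks.failurePolicy | default "Fail" }}`.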
@@ -1,17 +1,14 @@ -{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled .Values.podSecurityPolicy.enabled }} +{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled .Values.podSecurityPolicy.enabled -}} apiVersion: policy/v1beta1 kind: PodSecurityPolicy metadata: - name: {{ template "nginx-ingress.fullname" . }}-admission + name: {{ include "ingress-nginx.fullname" . }}-admission annotations: "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded labels: - app: {{ template "nginx-ingress.name" . }} - chart: {{ template "nginx-ingress.chart" . }} - component: "{{ .Values.controller.name }}" - heritage: {{ .Release.Service }} - release: {{ template "nginx-ingress.releaseLabel" . }} + {{- include "ingress-nginx.labels" . | nindent 4 }} + app.kubernetes.io/component: admission-webhook spec: allowPrivilegeEscalation: false fsGroup: diff --git a/charts/nginx-ingress/templates/admission-webhooks/job-patch/role.yaml b/charts/ingress-nginx/templates/admission-webhooks/job-patch/role.yaml similarity index 53% rename from charts/nginx-ingress/templates/admission-webhooks/job-patch/role.yaml rename to charts/ingress-nginx/templates/admission-webhooks/job-patch/role.yaml index 665769fd3f..fe1c2ee7f1 100644 --- a/charts/nginx-ingress/templates/admission-webhooks/job-patch/role.yaml +++ b/charts/ingress-nginx/templates/admission-webhooks/job-patch/role.yaml 
@@ -1,17 +1,14 @@ -{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled }} +{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled -}} apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: - name: {{ template "nginx-ingress.fullname" . }}-admission + name: {{ include "ingress-nginx.fullname" . }}-admission annotations: "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded labels: - app: {{ template "nginx-ingress.name" . }} - chart: {{ template "nginx-ingress.chart" . }} - component: "{{ .Values.controller.name }}" - heritage: {{ .Release.Service }} - release: {{ template "nginx-ingress.releaseLabel" . }} + {{- include "ingress-nginx.labels" . | nindent 4 }} + app.kubernetes.io/component: admission-webhook rules: - apiGroups: - "" diff --git a/charts/ingress-nginx/templates/admission-webhooks/job-patch/rolebinding.yaml b/charts/ingress-nginx/templates/admission-webhooks/job-patch/rolebinding.yaml new file mode 100644 index 0000000000..391e5e9a33 --- /dev/null +++ b/charts/ingress-nginx/templates/admission-webhooks/job-patch/rolebinding.yaml 
@@ -0,0 +1,20 @@ +{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ include "ingress-nginx.fullname" . }}-admission + annotations: + "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade + "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded + labels: + {{- include "ingress-nginx.labels" . | nindent 4 }} + app.kubernetes.io/component: admission-webhook +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ include "ingress-nginx.fullname" . }}-admission +subjects: + - kind: ServiceAccount + name: {{ include "ingress-nginx.fullname" . }}-admission + namespace: {{ .Release.Namespace }} +{{- end }} diff --git a/charts/ingress-nginx/templates/admission-webhooks/job-patch/serviceaccount.yaml b/charts/ingress-nginx/templates/admission-webhooks/job-patch/serviceaccount.yaml new file mode 100644 index 0000000000..5dfdd345a3 --- /dev/null +++ b/charts/ingress-nginx/templates/admission-webhooks/job-patch/serviceaccount.yaml @@ -0,0 +1,12 @@ +{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "ingress-nginx.fullname" . }}-admission + annotations: + "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade + "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded + labels: + {{- include "ingress-nginx.labels" . | nindent 4 }} + app.kubernetes.io/component: admission-webhook +{{- end }} diff --git a/charts/ingress-nginx/templates/admission-webhooks/validating-webhook.yaml b/charts/ingress-nginx/templates/admission-webhooks/validating-webhook.yaml new file mode 100644 index 0000000000..731536bdd7 --- /dev/null +++ b/charts/ingress-nginx/templates/admission-webhooks/validating-webhook.yaml 
@@ -0,0 +1,46 @@ +{{- if .Values.controller.admissionWebhooks.enabled -}} +# before changing this value, check the required kubernetes version +# https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#prerequisites +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + {{- if .Values.controller.admissionWebhooks.annotations }} + annotations: {{ toYaml .Values.controller.admissionWebhooks.annotations | nindent 4 }} + {{- end }} + labels: + {{- include "ingress-nginx.labels" . | nindent 4 }} + app.kubernetes.io/component: admission-webhook + name: {{ include "ingress-nginx.fullname" . }}-admission +webhooks: + - name: validate.nginx.ingress.kubernetes.io + matchPolicy: Equivalent + rules: + - apiGroups: + - networking.k8s.io + apiVersions: + - v1beta1 + operations: + - CREATE + - UPDATE + resources: + - ingresses + failurePolicy: {{ .Values.controller.admissionWebhooks.failurePolicy | default "Fail" }} + sideEffects: None + admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + namespace: {{ .Release.Namespace }} + name: {{ include "ingress-nginx.controller.fullname" . }}-admission + path: /networking/v1beta1/ingresses + {{- if .Values.controller.admissionWebhooks.timeoutSeconds }} + timeoutSeconds: {{ .Values.controller.admissionWebhooks.timeoutSeconds }} + {{- end }} + {{- if .Values.controller.admissionWebhooks.namespaceSelector }} + namespaceSelector: {{ toYaml .Values.controller.admissionWebhooks.namespaceSelector | nindent 6 }} + {{- end }} + {{- if .Values.controller.admissionWebhooks.objectSelector }} + objectSelector: {{ toYaml .Values.controller.admissionWebhooks.objectSelector | nindent 6 }} + {{- end }} +{{- end }} 
diff --git a/charts/nginx-ingress/templates/clusterrole.yaml b/charts/ingress-nginx/templates/clusterrole.yaml similarity index 77% rename from charts/nginx-ingress/templates/clusterrole.yaml rename to charts/ingress-nginx/templates/clusterrole.yaml index 14667eba37..2035f549a2 100644 --- a/charts/nginx-ingress/templates/clusterrole.yaml +++ b/charts/ingress-nginx/templates/clusterrole.yaml @@ -1,13 +1,10 @@ -{{- if and (.Values.rbac.create) (not .Values.rbac.scope) -}} +{{- if and .Values.rbac.create (not .Values.rbac.scope) -}} apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: labels: - app: {{ template "nginx-ingress.name" . }} - chart: {{ template "nginx-ingress.chart" . }} - heritage: {{ .Release.Service }} - release: {{ template "nginx-ingress.releaseLabel" . }} - name: {{ template "nginx-ingress.fullname" . }} + {{- include "ingress-nginx.labels" . | nindent 4 }} + name: {{ include "ingress-nginx.fullname" . }} rules: - apiGroups: - "" @@ -68,4 +65,12 @@ rules: - ingresses/status verbs: - update -{{- end -}} + - apiGroups: + - "networking.k8s.io" # k8s 1.14+ + resources: + - ingressclasses + verbs: + - get + - list + - watch +{{- end }} diff --git a/charts/ingress-nginx/templates/clusterrolebinding.yaml b/charts/ingress-nginx/templates/clusterrolebinding.yaml new file mode 100644 index 0000000000..a341f5280e --- /dev/null +++ b/charts/ingress-nginx/templates/clusterrolebinding.yaml @@ -0,0 +1,16 @@ +{{- if and .Values.rbac.create (not .Values.rbac.scope) -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + {{- include "ingress-nginx.labels" . | nindent 4 }} + name: {{ include "ingress-nginx.fullname" . }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ include "ingress-nginx.fullname" . }} +subjects: + - kind: ServiceAccount + name: {{ template "ingress-nginx.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} +{{- end }} 
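Review bot: The subject of the new ClusterRoleBinding comes from `ingress-nginx.serviceAccountName`, which in _helpers.tpl falls back to `default "default" .Values.serviceAccount.name` when `serviceAccount.create` is false. With `rbac.create` true and no name set, the controller's ClusterRole is then granted to the namespace's `default` ServiceAccount, so every pod in that namespace that does not name its own service account inherits those cluster-wide permissions. The ClusterRole's full rule list is outside the visible hunks, so the exact exposure should be confirmed there. A guard in the template would make the combination explicit, for example `{{- if and (not .Values.serviceAccount.create) (not .Values.serviceAccount.name) }}{{ fail "serviceAccount.name is required when serviceAccount.create is false" }}{{- end }}`.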
diff --git a/charts/ingress-nginx/templates/controller-configmap-addheaders.yaml b/charts/ingress-nginx/templates/controller-configmap-addheaders.yaml new file mode 100644 index 0000000000..c064589581 --- /dev/null +++ b/charts/ingress-nginx/templates/controller-configmap-addheaders.yaml @@ -0,0 +1,10 @@ +{{- if .Values.controller.addHeaders -}} +apiVersion: v1 +kind: ConfigMap +metadata: + labels: + {{- include "ingress-nginx.labels" . | nindent 4 }} + app.kubernetes.io/component: controller + name: {{ include "ingress-nginx.fullname" . }}-custom-add-headers +data: {{ toYaml .Values.controller.addHeaders | nindent 2 }} +{{- end }} diff --git a/charts/nginx-ingress/templates/proxyheaders-configmap.yaml b/charts/ingress-nginx/templates/controller-configmap-proxyheaders.yaml similarity index 54% rename from charts/nginx-ingress/templates/proxyheaders-configmap.yaml rename to charts/ingress-nginx/templates/controller-configmap-proxyheaders.yaml index ae918ae1d1..5a1b25229b 100644 --- a/charts/nginx-ingress/templates/proxyheaders-configmap.yaml +++ b/charts/ingress-nginx/templates/controller-configmap-proxyheaders.yaml @@ -1,14 +1,11 @@ -{{- if or .Values.controller.proxySetHeaders .Values.controller.headers }} +{{- if or .Values.controller.proxySetHeaders .Values.controller.headers -}} apiVersion: v1 kind: ConfigMap metadata: labels: - app: {{ template "nginx-ingress.name" . }} - chart: {{ template "nginx-ingress.chart" . }} - component: "{{ .Values.controller.name }}" - heritage: {{ .Release.Service }} - release: {{ template "nginx-ingress.releaseLabel" . }} - name: {{ template "nginx-ingress.fullname" . }}-custom-proxy-headers + {{- include "ingress-nginx.labels" . | nindent 4 }} + app.kubernetes.io/component: controller + name: {{ include "ingress-nginx.fullname" . }}-custom-proxy-headers data: {{- if .Values.controller.proxySetHeaders }} {{ toYaml .Values.controller.proxySetHeaders | indent 2 }} 
diff --git a/charts/ingress-nginx/templates/controller-configmap-tcp.yaml b/charts/ingress-nginx/templates/controller-configmap-tcp.yaml new file mode 100644 index 0000000000..bc972517c7 --- /dev/null +++ b/charts/ingress-nginx/templates/controller-configmap-tcp.yaml @@ -0,0 +1,13 @@ +{{- if .Values.tcp -}} +apiVersion: v1 +kind: ConfigMap +metadata: + labels: + {{- include "ingress-nginx.labels" . | nindent 4 }} + app.kubernetes.io/component: controller +{{- if .Values.controller.tcp.annotations }} + annotations: {{ toYaml .Values.controller.tcp.annotations | nindent 4 }} +{{- end }} + name: {{ include "ingress-nginx.fullname" . }}-tcp +data: {{ tpl (toYaml .Values.tcp) . | nindent 2 }} +{{- end }} diff --git a/charts/ingress-nginx/templates/controller-configmap-udp.yaml b/charts/ingress-nginx/templates/controller-configmap-udp.yaml new file mode 100644 index 0000000000..a9dc388f10 --- /dev/null +++ b/charts/ingress-nginx/templates/controller-configmap-udp.yaml @@ -0,0 +1,13 @@ +{{- if .Values.udp -}} +apiVersion: v1 +kind: ConfigMap +metadata: + labels: + {{- include "ingress-nginx.labels" . | nindent 4 }} + app.kubernetes.io/component: controller +{{- if .Values.controller.udp.annotations }} + annotations: {{ toYaml .Values.controller.udp.annotations | nindent 4 }} +{{- end }} + name: {{ include "ingress-nginx.fullname" . }}-udp +data: {{ tpl (toYaml .Values.udp) . | nindent 2 }} +{{- end }} diff --git a/charts/ingress-nginx/templates/controller-configmap.yaml b/charts/ingress-nginx/templates/controller-configmap.yaml new file mode 100644 index 0000000000..5b0d371055 --- /dev/null +++ b/charts/ingress-nginx/templates/controller-configmap.yaml 
@@ -0,0 +1,20 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + labels: + {{- include "ingress-nginx.labels" . | nindent 4 }} + app.kubernetes.io/component: controller +{{- if .Values.controller.configAnnotations }} + annotations: {{ toYaml .Values.controller.configAnnotations | nindent 4 }} +{{- end }} + name: {{ include "ingress-nginx.controller.fullname" . }} +data: +{{- if .Values.controller.addHeaders }} + add-headers: {{ .Release.Namespace }}/{{ include "ingress-nginx.fullname" . }}-custom-add-headers +{{- end }} +{{- if or .Values.controller.proxySetHeaders .Values.controller.headers }} + proxy-set-headers: {{ .Release.Namespace }}/{{ include "ingress-nginx.fullname" . }}-custom-proxy-headers +{{- end }} +{{- if .Values.controller.config }} + {{ toYaml .Values.controller.config | nindent 2 }} +{{- end }} diff --git a/charts/nginx-ingress/templates/controller-daemonset.yaml b/charts/ingress-nginx/templates/controller-daemonset.yaml similarity index 50% rename from charts/nginx-ingress/templates/controller-daemonset.yaml rename to charts/ingress-nginx/templates/controller-daemonset.yaml index 514e78bca3..aa8693b47e 100644 --- a/charts/nginx-ingress/templates/controller-daemonset.yaml +++ b/charts/ingress-nginx/templates/controller-daemonset.yaml 
@@ -1,124 +1,117 @@ -{{- if or (eq .Values.controller.kind "DaemonSet") (eq .Values.controller.kind "Both") }} -{{- $useHostPort := .Values.controller.daemonset.useHostPort -}} -{{- $hostPorts := .Values.controller.daemonset.hostPorts -}} -apiVersion: {{ template "deployment.apiVersion" . }} +{{- if or (eq .Values.controller.kind "DaemonSet") (eq .Values.controller.kind "Both") -}} +{{- include "isControllerTagValid" . -}} +apiVersion: apps/v1 kind: DaemonSet metadata: labels: - app: {{ template "nginx-ingress.name" . }} - chart: {{ template "nginx-ingress.chart" . }} - heritage: {{ .Release.Service }} - release: {{ template "nginx-ingress.releaseLabel" . }} + {{- include "ingress-nginx.labels" . | nindent 4 }} app.kubernetes.io/component: controller - name: {{ template "nginx-ingress.controller.fullname" . }} - annotations: -{{ toYaml .Values.controller.deploymentAnnotations | indent 4}} + {{- with .Values.controller.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} + name: {{ include "ingress-nginx.controller.fullname" . }} + {{- if .Values.controller.annotations }} + annotations: {{ toYaml .Values.controller.annotations | nindent 4 }} + {{- end }} spec: selector: matchLabels: - app: {{ template "nginx-ingress.name" . }} - release: {{ template "nginx-ingress.releaseLabel" . }} - {{- if .Values.controller.useComponentLabel }} + {{- include "ingress-nginx.selectorLabels" . 
| nindent 6 }} app.kubernetes.io/component: controller - {{- end }} revisionHistoryLimit: {{ .Values.revisionHistoryLimit }} - updateStrategy: -{{ toYaml .Values.controller.updateStrategy | indent 4 }} + {{- if .Values.controller.updateStrategy }} + updateStrategy: {{ toYaml .Values.controller.updateStrategy | nindent 4 }} + {{- end }} minReadySeconds: {{ .Values.controller.minReadySeconds }} template: metadata: - {{- if .Values.controller.podAnnotations }} - annotations: + {{- if .Values.controller.podAnnotations }} + annotations: {{- range $key, $value := .Values.controller.podAnnotations }} {{ $key }}: {{ $value | quote }} - {{- end }} - {{- end }} + {{- end }} + {{- end }} labels: - app: {{ template "nginx-ingress.name" . }} - release: {{ template "nginx-ingress.releaseLabel" . }} - component: "{{ .Values.controller.name }}" + {{- include "ingress-nginx.selectorLabels" . | nindent 8 }} app.kubernetes.io/component: controller - {{- if .Values.controller.podLabels }} -{{ toYaml .Values.controller.podLabels | indent 8}} - {{- end }} + {{- if .Values.controller.podLabels }} + {{- toYaml .Values.controller.podLabels | nindent 8 }} + {{- end }} spec: -{{- if .Values.controller.dnsConfig }} - dnsConfig: -{{ toYaml .Values.controller.dnsConfig | indent 8 }} -{{- end }} + {{- if .Values.controller.dnsConfig }} + dnsConfig: {{ toYaml .Values.controller.dnsConfig | nindent 8 }} + {{- end }} dnsPolicy: {{ .Values.controller.dnsPolicy }} - {{- if .Values.imagePullSecrets }} - imagePullSecrets: -{{ toYaml .Values.imagePullSecrets | indent 8 }} - {{- end }} -{{- if .Values.controller.priorityClassName }} - priorityClassName: "{{ .Values.controller.priorityClassName }}" -{{- end }} - {{- if .Values.controller.podSecurityContext }} + {{- if .Values.imagePullSecrets }} + imagePullSecrets: {{ toYaml .Values.imagePullSecrets | nindent 8 }} + {{- end }} + {{- if .Values.controller.priorityClassName }} + priorityClassName: {{ .Values.controller.priorityClassName }} + {{- end }} + 
{{- if or .Values.controller.podSecurityContext .Values.controller.sysctls }} securityContext: -{{ toYaml .Values.controller.podSecurityContext | indent 8 }} - {{- end }} + {{- end }} + {{- if .Values.controller.podSecurityContext }} + {{- toYaml .Values.controller.podSecurityContext | nindent 8 }} + {{- end }} + {{- if .Values.controller.sysctls }} + sysctls: + {{- range $sysctl, $value := .Values.controller.sysctls }} + - name: {{ $sysctl | quote }} + value: {{ $value | quote }} + {{- end }} + {{- end }} containers: - - name: {{ template "nginx-ingress.name" . }}-{{ .Values.controller.name }} - image: "{{ .Values.controller.image.repository }}:{{ .Values.controller.image.tag }}" - imagePullPolicy: "{{ .Values.controller.image.pullPolicy }}" - {{- if .Values.controller.lifecycle }} - lifecycle: -{{ toYaml .Values.controller.lifecycle | indent 12 }} + - name: controller + {{- with .Values.controller.image }} + image: "{{.repository}}:{{ .tag }}{{- if (.digest) -}} @{{.digest}} {{- end -}}" {{- end }} + imagePullPolicy: {{ .Values.controller.image.pullPolicy }} + {{- if .Values.controller.lifecycle }} + lifecycle: {{ toYaml .Values.controller.lifecycle | nindent 12 }} + {{- end }} args: - /nginx-ingress-controller {{- if .Values.defaultBackend.enabled }} - - --default-backend-service={{ .Release.Namespace }}/{{ template "nginx-ingress.defaultBackend.fullname" . }} - {{- else }} - {{- if (semverCompare "<0.21.0" .Values.controller.image.tag) }} - - --default-backend-service={{ required ".Values.controller.defaultBackendService is required if .Values.defaultBackend.enabled=false and .Values.controller.image.tag < 0.21.0" .Values.controller.defaultBackendService }} - {{- else if .Values.controller.defaultBackendService }} - - --default-backend-service={{ .Values.controller.defaultBackendService }} - {{- end }} + - --default-backend-service={{ .Release.Namespace }}/{{ include "ingress-nginx.defaultBackend.fullname" . 
}} {{- end }} - {{- if and (semverCompare ">=0.9.0-beta.1" .Values.controller.image.tag) .Values.controller.publishService.enabled }} - - --publish-service={{ template "nginx-ingress.controller.publishServicePath" . }} + {{- if .Values.controller.publishService.enabled }} + - --publish-service={{ template "ingress-nginx.controller.publishServicePath" . }} {{- end }} - {{- if (semverCompare ">=0.9.0-beta.1" .Values.controller.image.tag) }} - --election-id={{ .Values.controller.electionID }} - {{- end }} - {{- if (semverCompare ">=0.9.0-beta.1" .Values.controller.image.tag) }} - --ingress-class={{ .Values.controller.ingressClass }} - {{- end }} - {{- if (semverCompare ">=0.9.0-beta.1" .Values.controller.image.tag) }} - - --configmap={{ .Release.Namespace }}/{{ template "nginx-ingress.controller.fullname" . }} - {{- else }} - - --nginx-configmap={{ .Release.Namespace }}/{{ template "nginx-ingress.controller.fullname" . }} - {{- end }} + - --configmap={{ .Release.Namespace }}/{{ include "ingress-nginx.controller.fullname" . }} {{- if .Values.tcp }} - - --tcp-services-configmap={{ .Release.Namespace }}/{{ template "nginx-ingress.fullname" . }}-tcp + - --tcp-services-configmap={{ .Release.Namespace }}/{{ include "ingress-nginx.fullname" . }}-tcp {{- end }} {{- if .Values.udp }} - - --udp-services-configmap={{ .Release.Namespace }}/{{ template "nginx-ingress.fullname" . }}-udp + - --udp-services-configmap={{ .Release.Namespace }}/{{ include "ingress-nginx.fullname" . 
}}-udp {{- end }} {{- if .Values.controller.scope.enabled }} - --watch-namespace={{ default .Release.Namespace .Values.controller.scope.namespace }} {{- end }} - {{- if and (.Values.controller.reportNodeInternalIp) (.Values.controller.hostNetwork)}} + {{- if and .Values.controller.reportNodeInternalIp .Values.controller.hostNetwork }} - --report-node-internal-ip-address={{ .Values.controller.reportNodeInternalIp }} {{- end }} {{- if .Values.controller.admissionWebhooks.enabled }} - --validating-webhook=:{{ .Values.controller.admissionWebhooks.port }} - - --validating-webhook-certificate=/usr/local/certificates/cert - - --validating-webhook-key=/usr/local/certificates/key + - --validating-webhook-certificate={{ .Values.controller.admissionWebhooks.certificate }} + - --validating-webhook-key={{ .Values.controller.admissionWebhooks.key }} {{- end }} {{- if .Values.controller.maxmindLicenseKey }} - --maxmind-license-key={{ .Values.controller.maxmindLicenseKey }} {{- end }} + {{- if not (eq .Values.controller.healthCheckPath "/healthz") }} + - --health-check-path={{ .Values.controller.healthCheckPath }} + {{- end }} {{- range $key, $value := .Values.controller.extraArgs }} - {{- if $value }} - - --{{ $key }}={{ $value }} - {{- else }} + {{- /* Accept keys without values or with false as value */}} + {{- if eq ($value | quote | len) 2 }} - --{{ $key }} + {{- else }} + - --{{ $key }}={{ $value }} {{- end }} {{- end }} - {{- if (semverCompare ">=0.16.0" .Values.controller.image.tag) }} securityContext: capabilities: drop: @@ -127,7 +120,6 @@ spec: - NET_BIND_SERVICE runAsUser: {{ .Values.controller.image.runAsUser }} allowPrivilegeEscalation: {{ .Values.controller.image.allowPrivilegeEscalation }} - {{- end }} env: - name: POD_NAME valueFrom: 
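Review bot: The comment on the new `extraArgs` branch in controller-daemonset.yaml, `Accept keys without values or with false as value`, does not say what each case renders. `$value | quote | len` equals 2 only for an empty string, so an empty value gives the bare `--key`, while `false` now gives `--key=false`; the removed `if $value` test emitted the bare flag for `false`. I would reword the comment to `{{- /* Empty value renders a bare --key; any other value, including false, renders --key=value */}}`. Any existing `extraArgs` override that relied on the old handling of `false` should be checked as well. The same block is added in controller-deployment.yaml.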
@@ -137,12 +129,16 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace + {{- if .Values.controller.enableMimalloc }} + - name: LD_PRELOAD + value: /usr/local/lib/libmimalloc.so + {{- end }} {{- if .Values.controller.extraEnvs }} -{{ toYaml .Values.controller.extraEnvs | indent 12 }} + {{- toYaml .Values.controller.extraEnvs | nindent 12 }} {{- end }} livenessProbe: httpGet: - path: /healthz + path: {{ .Values.controller.healthCheckPath }} port: {{ .Values.controller.livenessProbe.port }} scheme: HTTP initialDelaySeconds: {{ .Values.controller.livenessProbe.initialDelaySeconds }} @@ -150,13 +146,23 @@ spec: timeoutSeconds: {{ .Values.controller.livenessProbe.timeoutSeconds }} successThreshold: {{ .Values.controller.livenessProbe.successThreshold }} failureThreshold: {{ .Values.controller.livenessProbe.failureThreshold }} + readinessProbe: + httpGet: + path: {{ .Values.controller.healthCheckPath }} + port: {{ .Values.controller.readinessProbe.port }} + scheme: HTTP + initialDelaySeconds: {{ .Values.controller.readinessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.controller.readinessProbe.periodSeconds }} + timeoutSeconds: {{ .Values.controller.readinessProbe.timeoutSeconds }} + successThreshold: {{ .Values.controller.readinessProbe.successThreshold }} + failureThreshold: {{ .Values.controller.readinessProbe.failureThreshold }} ports: {{- range $key, $value := .Values.controller.containerPort }} - name: {{ $key }} containerPort: {{ $value }} protocol: TCP - {{- if $useHostPort }} - hostPort: {{ index $hostPorts $key | default $value }} + {{- if $.Values.controller.hostPort.enabled }} + hostPort: {{ index $.Values.controller.hostPort.ports $key | default $value }} {{- end }} {{- end }} {{- if .Values.controller.metrics.enabled }} 
@@ -170,88 +176,80 @@ spec: protocol: TCP {{- end }} {{- range $key, $value := .Values.tcp }} - - name: "{{ $key }}-tcp" + - name: {{ $key }}-tcp containerPort: {{ $key }} protocol: TCP - {{- if $useHostPort }} + {{- if $.Values.controller.hostPort.enabled }} hostPort: {{ $key }} {{- end }} {{- end }} {{- range $key, $value := .Values.udp }} - - name: "{{ $key }}-udp" + - name: {{ $key }}-udp containerPort: {{ $key }} protocol: UDP - {{- if $useHostPort }} + {{- if $.Values.controller.hostPort.enabled }} hostPort: {{ $key }} {{- end }} {{- end }} - readinessProbe: - httpGet: - path: /healthz - port: {{ .Values.controller.readinessProbe.port }} - scheme: HTTP - initialDelaySeconds: {{ .Values.controller.readinessProbe.initialDelaySeconds }} - periodSeconds: {{ .Values.controller.readinessProbe.periodSeconds }} - timeoutSeconds: {{ .Values.controller.readinessProbe.timeoutSeconds }} - successThreshold: {{ .Values.controller.readinessProbe.successThreshold }} - failureThreshold: {{ .Values.controller.readinessProbe.failureThreshold }} -{{- if (or .Values.controller.customTemplate.configMapName .Values.controller.extraVolumeMounts .Values.controller.admissionWebhooks.enabled) }} + {{- if (or .Values.controller.customTemplate.configMapName .Values.controller.extraVolumeMounts .Values.controller.admissionWebhooks.enabled) }} volumeMounts: -{{- end }} -{{- if .Values.controller.customTemplate.configMapName }} + {{- if .Values.controller.customTemplate.configMapName }} - mountPath: /etc/nginx/template name: nginx-template-volume readOnly: true -{{- end }} -{{- if .Values.controller.admissionWebhooks.enabled }} + {{- end }} + {{- if .Values.controller.admissionWebhooks.enabled }} - name: webhook-cert - mountPath: "/usr/local/certificates/" + mountPath: /usr/local/certificates/ readOnly: true -{{- end }} -{{- if .Values.controller.extraVolumeMounts }} -{{ toYaml .Values.controller.extraVolumeMounts | indent 12}} -{{- end }} - resources: -{{ toYaml 
.Values.controller.resources | indent 12 }} -{{- if .Values.controller.extraContainers }} -{{ toYaml .Values.controller.extraContainers | indent 8}} -{{- end }} -{{- if .Values.controller.extraInitContainers }} - initContainers: -{{ toYaml .Values.controller.extraInitContainers | indent 8}} -{{- end }} + {{- end }} + {{- if .Values.controller.extraVolumeMounts }} + {{- toYaml .Values.controller.extraVolumeMounts | nindent 12 }} + {{- end }} + {{- end }} + {{- if .Values.controller.resources }} + resources: {{ toYaml .Values.controller.resources | nindent 12 }} + {{- end }} + {{- if .Values.controller.extraContainers }} + {{ toYaml .Values.controller.extraContainers | nindent 8 }} + {{- end }} + {{- if .Values.controller.extraInitContainers }} + initContainers: {{ toYaml .Values.controller.extraInitContainers | nindent 8 }} + {{- end }} + {{- if .Values.controller.hostNetwork }} hostNetwork: {{ .Values.controller.hostNetwork }} + {{- end }} {{- if .Values.controller.nodeSelector }} - nodeSelector: -{{ toYaml .Values.controller.nodeSelector | indent 8 }} + nodeSelector: {{ toYaml .Values.controller.nodeSelector | nindent 8 }} {{- end }} {{- if .Values.controller.tolerations }} - tolerations: -{{ toYaml .Values.controller.tolerations | indent 8 }} + tolerations: {{ toYaml .Values.controller.tolerations | nindent 8 }} {{- end }} {{- if .Values.controller.affinity }} - affinity: -{{ toYaml .Values.controller.affinity | indent 8 }} + affinity: {{ toYaml .Values.controller.affinity | nindent 8 }} {{- end }} - serviceAccountName: {{ template "nginx-ingress.serviceAccountName" . 
}} - terminationGracePeriodSeconds: 60 -{{- if (or .Values.controller.customTemplate.configMapName .Values.controller.extraVolumeMounts .Values.controller.admissionWebhooks.enabled .Values.controller.extraVolumes) }} + {{- if .Values.controller.topologySpreadConstraints }} + topologySpreadConstraints: {{ toYaml .Values.controller.topologySpreadConstraints | nindent 8 }} + {{- end }} + serviceAccountName: {{ template "ingress-nginx.serviceAccountName" . }} + terminationGracePeriodSeconds: {{ .Values.controller.terminationGracePeriodSeconds }} + {{- if (or .Values.controller.customTemplate.configMapName .Values.controller.extraVolumeMounts .Values.controller.admissionWebhooks.enabled .Values.controller.extraVolumes) }} volumes: -{{- end }} -{{- if .Values.controller.customTemplate.configMapName }} + {{- if .Values.controller.customTemplate.configMapName }} - name: nginx-template-volume configMap: name: {{ .Values.controller.customTemplate.configMapName }} items: - key: {{ .Values.controller.customTemplate.configMapKey }} path: nginx.tmpl -{{- end }} -{{- if .Values.controller.admissionWebhooks.enabled }} + {{- end }} + {{- if .Values.controller.admissionWebhooks.enabled }} - name: webhook-cert secret: - secretName: {{ template "nginx-ingress.fullname". }}-admission -{{- end }} -{{- if .Values.controller.extraVolumes }} -{{ toYaml .Values.controller.extraVolumes | indent 8}} -{{- end }} + secretName: {{ include "ingress-nginx.fullname" . }}-admission + {{- end }} + {{- if .Values.controller.extraVolumes }} + {{ toYaml .Values.controller.extraVolumes | nindent 8 }} + {{- end }} + {{- end }} {{- end }} diff --git a/charts/ingress-nginx/templates/controller-deployment.yaml b/charts/ingress-nginx/templates/controller-deployment.yaml new file mode 100644 index 0000000000..5b9162b745 --- /dev/null +++ b/charts/ingress-nginx/templates/controller-deployment.yaml 
@@ -0,0 +1,259 @@ +{{- if or (eq .Values.controller.kind "Deployment") (eq .Values.controller.kind "Both") -}} +{{- include "isControllerTagValid" . -}} +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + {{- include "ingress-nginx.labels" . | nindent 4 }} + app.kubernetes.io/component: controller + {{- with .Values.controller.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} + name: {{ include "ingress-nginx.controller.fullname" . }} + {{- if .Values.controller.annotations }} + annotations: {{ toYaml .Values.controller.annotations | nindent 4 }} + {{- end }} +spec: + selector: + matchLabels: + {{- include "ingress-nginx.selectorLabels" . | nindent 6 }} + app.kubernetes.io/component: controller + {{- if not .Values.controller.autoscaling.enabled }} + replicas: {{ .Values.controller.replicaCount }} + {{- end }} + revisionHistoryLimit: {{ .Values.revisionHistoryLimit }} + {{- if .Values.controller.updateStrategy }} + strategy: + {{ toYaml .Values.controller.updateStrategy | nindent 4 }} + {{- end }} + minReadySeconds: {{ .Values.controller.minReadySeconds }} + template: + metadata: + {{- if .Values.controller.podAnnotations }} + annotations: + {{- range $key, $value := .Values.controller.podAnnotations }} + {{ $key }}: {{ $value | quote }} + {{- end }} + {{- end }} + labels: + {{- include "ingress-nginx.selectorLabels" . 
| nindent 8 }} + app.kubernetes.io/component: controller + {{- if .Values.controller.podLabels }} + {{- toYaml .Values.controller.podLabels | nindent 8 }} + {{- end }} + spec: + {{- if .Values.controller.dnsConfig }} + dnsConfig: {{ toYaml .Values.controller.dnsConfig | nindent 8 }} + {{- end }} + dnsPolicy: {{ .Values.controller.dnsPolicy }} + {{- if .Values.imagePullSecrets }} + imagePullSecrets: {{ toYaml .Values.imagePullSecrets | nindent 8 }} + {{- end }} + {{- if .Values.controller.priorityClassName }} + priorityClassName: {{ .Values.controller.priorityClassName }} + {{- end }} + {{- if or .Values.controller.podSecurityContext .Values.controller.sysctls }} + securityContext: + {{- end }} + {{- if .Values.controller.podSecurityContext }} + {{- toYaml .Values.controller.podSecurityContext | nindent 8 }} + {{- end }} + {{- if .Values.controller.sysctls }} + sysctls: + {{- range $sysctl, $value := .Values.controller.sysctls }} + - name: {{ $sysctl | quote }} + value: {{ $value | quote }} + {{- end }} + {{- end }} + containers: + - name: controller + {{- with .Values.controller.image }} + image: "{{.repository}}:{{ .tag }}{{- if (.digest) -}} @{{.digest}} {{- end -}}" + {{- end }} + imagePullPolicy: {{ .Values.controller.image.pullPolicy }} + {{- if .Values.controller.lifecycle }} + lifecycle: {{ toYaml .Values.controller.lifecycle | nindent 12 }} + {{- end }} + args: + - /nginx-ingress-controller + {{- if .Values.defaultBackend.enabled }} + - --default-backend-service=$(POD_NAMESPACE)/{{ include "ingress-nginx.defaultBackend.fullname" . }} + {{- end }} + {{- if .Values.controller.publishService.enabled }} + - --publish-service={{ template "ingress-nginx.controller.publishServicePath" . }} + {{- end }} + - --election-id={{ .Values.controller.electionID }} + - --ingress-class={{ .Values.controller.ingressClass }} + - --configmap=$(POD_NAMESPACE)/{{ include "ingress-nginx.controller.fullname" . 
}} + {{- if .Values.tcp }} + - --tcp-services-configmap=$(POD_NAMESPACE)/{{ include "ingress-nginx.fullname" . }}-tcp + {{- end }} + {{- if .Values.udp }} + - --udp-services-configmap=$(POD_NAMESPACE)/{{ include "ingress-nginx.fullname" . }}-udp + {{- end }} + {{- if .Values.controller.scope.enabled }} + - --watch-namespace={{ default "$(POD_NAMESPACE)" .Values.controller.scope.namespace }} + {{- end }} + {{- if and .Values.controller.reportNodeInternalIp .Values.controller.hostNetwork }} + - --report-node-internal-ip-address={{ .Values.controller.reportNodeInternalIp }} + {{- end }} + {{- if .Values.controller.admissionWebhooks.enabled }} + - --validating-webhook=:{{ .Values.controller.admissionWebhooks.port }} + - --validating-webhook-certificate={{ .Values.controller.admissionWebhooks.certificate }} + - --validating-webhook-key={{ .Values.controller.admissionWebhooks.key }} + {{- end }} + {{- if .Values.controller.maxmindLicenseKey }} + - --maxmind-license-key={{ .Values.controller.maxmindLicenseKey }} + {{- end }} + {{- if not (eq .Values.controller.healthCheckPath "/healthz") }} + - --health-check-path={{ .Values.controller.healthCheckPath }} + {{- end }} + {{- range $key, $value := .Values.controller.extraArgs }} + {{- /* Accept keys without values or with false as value */}} + {{- if eq ($value | quote | len) 2 }} + - --{{ $key }} + {{- else }} + - --{{ $key }}={{ $value }} + {{- end }} + {{- end }} + securityContext: + capabilities: + drop: + - ALL + add: + - NET_BIND_SERVICE + runAsUser: {{ .Values.controller.image.runAsUser }} + allowPrivilegeEscalation: {{ .Values.controller.image.allowPrivilegeEscalation }} + env: + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + {{- if .Values.controller.enableMimalloc }} + - name: LD_PRELOAD + value: /usr/local/lib/libmimalloc.so + {{- end }} + {{- if .Values.controller.extraEnvs }} + {{- toYaml 
.Values.controller.extraEnvs | nindent 12 }} + {{- end }} + livenessProbe: + httpGet: + path: {{ .Values.controller.healthCheckPath }} + port: {{ .Values.controller.livenessProbe.port }} + scheme: HTTP + initialDelaySeconds: {{ .Values.controller.livenessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.controller.livenessProbe.periodSeconds }} + timeoutSeconds: {{ .Values.controller.livenessProbe.timeoutSeconds }} + successThreshold: {{ .Values.controller.livenessProbe.successThreshold }} + failureThreshold: {{ .Values.controller.livenessProbe.failureThreshold }} + readinessProbe: + httpGet: + path: {{ .Values.controller.healthCheckPath }} + port: {{ .Values.controller.readinessProbe.port }} + scheme: HTTP + initialDelaySeconds: {{ .Values.controller.readinessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.controller.readinessProbe.periodSeconds }} + timeoutSeconds: {{ .Values.controller.readinessProbe.timeoutSeconds }} + successThreshold: {{ .Values.controller.readinessProbe.successThreshold }} + failureThreshold: {{ .Values.controller.readinessProbe.failureThreshold }} + ports: + {{- range $key, $value := .Values.controller.containerPort }} + - name: {{ $key }} + containerPort: {{ $value }} + protocol: TCP + {{- if $.Values.controller.hostPort.enabled }} + hostPort: {{ index $.Values.controller.hostPort.ports $key | default $value }} + {{- end }} + {{- end }} + {{- if .Values.controller.metrics.enabled }} + - name: metrics + containerPort: {{ .Values.controller.metrics.port }} + protocol: TCP + {{- end }} + {{- if .Values.controller.admissionWebhooks.enabled }} + - name: webhook + containerPort: {{ .Values.controller.admissionWebhooks.port }} + protocol: TCP + {{- end }} + {{- range $key, $value := .Values.tcp }} + - name: {{ $key }}-tcp + containerPort: {{ $key }} + protocol: TCP + {{- if $.Values.controller.hostPort.enabled }} + hostPort: {{ $key }} + {{- end }} + {{- end }} + {{- range $key, $value := .Values.udp }} + - name: {{ $key }}-udp + 
containerPort: {{ $key }} + protocol: UDP + {{- if $.Values.controller.hostPort.enabled }} + hostPort: {{ $key }} + {{- end }} + {{- end }} + {{- if (or .Values.controller.customTemplate.configMapName .Values.controller.extraVolumeMounts .Values.controller.admissionWebhooks.enabled) }} + volumeMounts: + {{- if .Values.controller.customTemplate.configMapName }} + - mountPath: /etc/nginx/template + name: nginx-template-volume + readOnly: true + {{- end }} + {{- if .Values.controller.admissionWebhooks.enabled }} + - name: webhook-cert + mountPath: /usr/local/certificates/ + readOnly: true + {{- end }} + {{- if .Values.controller.extraVolumeMounts }} + {{- toYaml .Values.controller.extraVolumeMounts | nindent 12 }} + {{- end }} + {{- end }} + {{- if .Values.controller.resources }} + resources: {{ toYaml .Values.controller.resources | nindent 12 }} + {{- end }} + {{- if .Values.controller.extraContainers }} + {{ toYaml .Values.controller.extraContainers | nindent 8 }} + {{- end }} + {{- if .Values.controller.extraInitContainers }} + initContainers: {{ toYaml .Values.controller.extraInitContainers | nindent 8 }} + {{- end }} + {{- if .Values.controller.hostNetwork }} + hostNetwork: {{ .Values.controller.hostNetwork }} + {{- end }} + {{- if .Values.controller.nodeSelector }} + nodeSelector: {{ toYaml .Values.controller.nodeSelector | nindent 8 }} + {{- end }} + {{- if .Values.controller.tolerations }} + tolerations: {{ toYaml .Values.controller.tolerations | nindent 8 }} + {{- end }} + {{- if .Values.controller.affinity }} + affinity: {{ toYaml .Values.controller.affinity | nindent 8 }} + {{- end }} + {{- if .Values.controller.topologySpreadConstraints }} + topologySpreadConstraints: {{ toYaml .Values.controller.topologySpreadConstraints | nindent 8 }} + {{- end }} + serviceAccountName: {{ template "ingress-nginx.serviceAccountName" . 
}} + terminationGracePeriodSeconds: {{ .Values.controller.terminationGracePeriodSeconds }} + {{- if (or .Values.controller.customTemplate.configMapName .Values.controller.extraVolumeMounts .Values.controller.admissionWebhooks.enabled .Values.controller.extraVolumes) }} + volumes: + {{- if .Values.controller.customTemplate.configMapName }} + - name: nginx-template-volume + configMap: + name: {{ .Values.controller.customTemplate.configMapName }} + items: + - key: {{ .Values.controller.customTemplate.configMapKey }} + path: nginx.tmpl + {{- end }} + {{- if .Values.controller.admissionWebhooks.enabled }} + - name: webhook-cert + secret: + secretName: {{ include "ingress-nginx.fullname" . }}-admission + {{- end }} + {{- if .Values.controller.extraVolumes }} + {{ toYaml .Values.controller.extraVolumes | nindent 8 }} + {{- end }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/ingress-nginx/templates/controller-hpa.yaml b/charts/ingress-nginx/templates/controller-hpa.yaml new file mode 100644 index 0000000000..b46807fc1f --- /dev/null +++ b/charts/ingress-nginx/templates/controller-hpa.yaml 
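Review bot: The `--maxmind-license-key={{ .Values.controller.maxmindLicenseKey }}` argument in the new controller-deployment.yaml writes the license key in clear text into the rendered manifest and the Deployment object. Anyone who can read the workload or the generated state files can then read the key. Sourcing it from a Secret through an environment variable and referencing it with `$(VAR)` expansion, as this template already does for `$(POD_NAMESPACE)`, keeps it out of both. The variable name and Secret reference in the sketch below are placeholders. controller-daemonset.yaml carries the same argument as an unchanged context line.

```yaml
          args:
            # … unchanged: controller binary and the other flags …
            - --maxmind-license-key=$(MAXMIND_LICENSE_KEY)   # constructed variable name
          env:
            # … unchanged: POD_NAME, POD_NAMESPACE, LD_PRELOAD …
            - name: MAXMIND_LICENSE_KEY
              valueFrom:
                secretKeyRef:
                  name: <placeholder-secret-name>
                  key: <placeholder-secret-key>
```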
@@ -0,0 +1,40 @@ +{{- if and .Values.controller.autoscaling.enabled (or (eq .Values.controller.kind "Deployment") (eq .Values.controller.kind "Both")) -}} +{{- if not .Values.controller.keda.enabled }} + +apiVersion: autoscaling/v2beta2 +kind: HorizontalPodAutoscaler +metadata: + labels: + {{- include "ingress-nginx.labels" . | nindent 4 }} + app.kubernetes.io/component: controller + name: {{ include "ingress-nginx.controller.fullname" . }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "ingress-nginx.controller.fullname" . }} + minReplicas: {{ .Values.controller.autoscaling.minReplicas }} + maxReplicas: {{ .Values.controller.autoscaling.maxReplicas }} + metrics: + {{- with .Values.controller.autoscaling.targetMemoryUtilizationPercentage }} + - type: Resource + resource: + name: memory + target: + type: Utilization + averageUtilization: {{ . }} + {{- end }} + {{- with .Values.controller.autoscaling.targetCPUUtilizationPercentage }} + - type: Resource + resource: + name: cpu + target: + type: Utilization + averageUtilization: {{ . }} + {{- end }} + {{- with .Values.controller.autoscalingTemplate }} +{{- toYaml . | nindent 2 }} + {{- end }} +{{- end }} +{{- end }} + diff --git a/charts/ingress-nginx/templates/controller-keda.yaml b/charts/ingress-nginx/templates/controller-keda.yaml new file mode 100644 index 0000000000..7c391de9dc --- /dev/null +++ b/charts/ingress-nginx/templates/controller-keda.yaml 
@@ -0,0 +1,33 @@ +{{- if .Values.controller.keda.enabled }} +# https://keda.sh/docs/ + +apiVersion: {{ .Values.controller.keda.apiVersion }} +kind: ScaledObject +metadata: + labels: + {{- include "ingress-nginx.labels" . | nindent 4 }} + app.kubernetes.io/component: controller + name: {{ include "ingress-nginx.controller.fullname" . }} + +spec: + scaleTargetRef: + deploymentName: {{ include "ingress-nginx.controller.fullname" . }} + pollingInterval: {{ .Values.controller.keda.pollingInterval }} + cooldownPeriod: {{ .Values.controller.keda.cooldownPeriod }} + minReplicaCount: {{ .Values.controller.keda.minReplicas }} + maxReplicaCount: {{ .Values.controller.keda.maxReplicas }} + triggers: +{{- with .Values.controller.keda.triggers }} +{{ toYaml . | indent 2 }} +{{ end }} + advanced: + restoreToOriginalReplicaCount: {{ .Values.controller.keda.restoreToOriginalReplicaCount }} +{{- if .Values.controller.keda.behavior }} + horizontalPodAutoscalerConfig: + behavior: +{{ with .Values.controller.keda.behavior -}} +{{ toYaml . | indent 8 }} +{{ end }} + +{{- end }} +{{- end }} diff --git a/charts/ingress-nginx/templates/controller-poddisruptionbudget.yaml b/charts/ingress-nginx/templates/controller-poddisruptionbudget.yaml new file mode 100644 index 0000000000..9dc8789112 --- /dev/null +++ b/charts/ingress-nginx/templates/controller-poddisruptionbudget.yaml @@ -0,0 +1,15 @@ +{{- if or (and .Values.controller.autoscaling.enabled (gt (.Values.controller.autoscaling.minReplicas | int) 1)) (gt (.Values.controller.replicaCount | int) 1) -}} +apiVersion: policy/v1beta1 +kind: PodDisruptionBudget +metadata: + labels: + {{- include "ingress-nginx.labels" . | nindent 4 }} + app.kubernetes.io/component: controller + name: {{ include "ingress-nginx.controller.fullname" . }} +spec: + selector: + matchLabels: + {{- include "ingress-nginx.selectorLabels" . | nindent 6 }} + app.kubernetes.io/component: controller + minAvailable: {{ .Values.controller.minAvailable }} +{{- end }} 
diff --git a/charts/ingress-nginx/templates/controller-prometheusrules.yaml b/charts/ingress-nginx/templates/controller-prometheusrules.yaml new file mode 100644 index 0000000000..c0b7e89ca5 --- /dev/null +++ b/charts/ingress-nginx/templates/controller-prometheusrules.yaml @@ -0,0 +1,21 @@ +{{- if and .Values.controller.metrics.enabled .Values.controller.metrics.prometheusRule.enabled -}} +apiVersion: monitoring.coreos.com/v1 +kind: PrometheusRule +metadata: + name: {{ include "ingress-nginx.controller.fullname" . }} +{{- if .Values.controller.metrics.prometheusRule.namespace }} + namespace: {{ .Values.controller.metrics.prometheusRule.namespace }} +{{- end }} + labels: + {{- include "ingress-nginx.labels" . | nindent 4 }} + app.kubernetes.io/component: controller + {{- if .Values.controller.metrics.prometheusRule.additionalLabels }} + {{- toYaml .Values.controller.metrics.prometheusRule.additionalLabels | nindent 4 }} + {{- end }} +spec: +{{- if .Values.controller.metrics.prometheusRule.rules }} + groups: + - name: {{ template "ingress-nginx.name" . }} + rules: {{- toYaml .Values.controller.metrics.prometheusRule.rules | nindent 4 }} +{{- end }} +{{- end }} diff --git a/charts/nginx-ingress/templates/controller-psp.yaml b/charts/ingress-nginx/templates/controller-psp.yaml similarity index 71% rename from charts/nginx-ingress/templates/controller-psp.yaml rename to charts/ingress-nginx/templates/controller-psp.yaml index ccbf636ba4..bcf588c3c4 100644 --- a/charts/nginx-ingress/templates/controller-psp.yaml +++ b/charts/ingress-nginx/templates/controller-psp.yaml 
@@ -1,27 +1,33 @@ -{{- if .Values.podSecurityPolicy.enabled}} -apiVersion: {{ template "podSecurityPolicy.apiVersion" . }} +{{- if .Values.podSecurityPolicy.enabled -}} +apiVersion: policy/v1beta1 kind: PodSecurityPolicy metadata: - name: {{ template "nginx-ingress.fullname" . }} + name: {{ include "ingress-nginx.fullname" . }} labels: - app: {{ template "nginx-ingress.name" . }} - chart: {{ template "nginx-ingress.chart" . }} - heritage: {{ .Release.Service }} - release: {{ template "nginx-ingress.releaseLabel" . }} + {{- include "ingress-nginx.labels" . | nindent 4 }} + app.kubernetes.io/component: controller spec: allowedCapabilities: - NET_BIND_SERVICE +{{- if .Values.controller.sysctls }} + allowedUnsafeSysctls: + {{- range $sysctl, $value := .Values.controller.sysctls }} + - {{ $sysctl }} + {{- end }} +{{- end }} privileged: false allowPrivilegeEscalation: true # Allow core volume types. volumes: - 'configMap' #- 'emptyDir' - - 'projected' + #- 'projected' - 'secret' #- 'downwardAPI' +{{- if .Values.controller.hostNetwork }} hostNetwork: {{ .Values.controller.hostNetwork }} -{{- if or .Values.controller.hostNetwork .Values.controller.daemonset.useHostPort }} +{{- end }} +{{- if or .Values.controller.hostNetwork .Values.controller.hostPort.enabled }} hostPorts: {{- if .Values.controller.hostNetwork }} {{- range $key, $value := .Values.controller.containerPort }} @@ -29,8 +35,8 @@ spec: - min: {{ $value }} max: {{ $value }} {{- end }} -{{- else if .Values.controller.daemonset.useHostPort }} -{{- range $key, $value := .Values.controller.daemonset.hostPorts }} +{{- else if .Values.controller.hostPort.enabled }} +{{- range $key, $value := .Values.controller.hostPort.ports }} # {{ $key }} - min: {{ $value }} max: {{ $value }} 
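Review bot: In controller-psp.yaml the new `allowedUnsafeSysctls` list is built from every key of `.Values.controller.sysctls`, so whatever a values override names is admitted by the policy with no restriction on which sysctls are acceptable. A comment above the block would make that explicit, for example `# every key of controller.sysctls is admitted as an unsafe sysctl; the kubelet must allow it as well`. The same hunk comments out `'projected'` under `volumes`; on clusters that mount service-account tokens as projected volumes this policy would presumably reject the controller pod, which is worth confirming against the target Kubernetes version. `allowPrivilegeEscalation: true` is unchanged context here, so the policy still permits escalation alongside the new sysctl allowance.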
diff --git a/charts/nginx-ingress/templates/controller-role.yaml b/charts/ingress-nginx/templates/controller-role.yaml similarity index 76% rename from charts/nginx-ingress/templates/controller-role.yaml rename to charts/ingress-nginx/templates/controller-role.yaml index bb9ff14afe..f2e3927448 100644 --- a/charts/nginx-ingress/templates/controller-role.yaml +++ b/charts/ingress-nginx/templates/controller-role.yaml @@ -3,11 +3,9 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: labels: - app: {{ template "nginx-ingress.name" . }} - chart: {{ template "nginx-ingress.chart" . }} - heritage: {{ .Release.Service }} - release: {{ template "nginx-ingress.releaseLabel" . }} - name: {{ template "nginx-ingress.fullname" . }} + {{- include "ingress-nginx.labels" . | nindent 4 }} + app.kubernetes.io/component: controller + name: {{ include "ingress-nginx.fullname" . }} rules: - apiGroups: - "" @@ -51,6 +49,14 @@ rules: - ingresses/status verbs: - update + - apiGroups: + - "networking.k8s.io" # k8s 1.14+ + resources: + - ingressclasses + verbs: + - get + - list + - watch - apiGroups: - "" resources: @@ -82,10 +88,9 @@ rules: - create - patch {{- if .Values.podSecurityPolicy.enabled }} - - apiGroups: ['{{ template "podSecurityPolicy.apiGroup" . }}'] + - apiGroups: [{{ template "podSecurityPolicy.apiGroup" . }}] resources: ['podsecuritypolicies'] verbs: ['use'] - resourceNames: [{{ template "nginx-ingress.fullname" . }}] + resourceNames: [{{ include "ingress-nginx.fullname" . }}] +{{- end }} {{- end }} - -{{- end -}} diff --git a/charts/ingress-nginx/templates/controller-rolebinding.yaml b/charts/ingress-nginx/templates/controller-rolebinding.yaml new file mode 100644 index 0000000000..5031350884 --- /dev/null +++ b/charts/ingress-nginx/templates/controller-rolebinding.yaml 
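Review bot: The `ingressclasses` rule added in the second hunk of controller-role.yaml sits in a namespaced `Role`, but IngressClass is a cluster-scoped resource, so this rule grants nothing by itself; the permission only takes effect if a ClusterRole carries the same rule, which is not visible in this hunk. Its `# k8s 1.14+` comment is also misleading, since IngressClass was introduced in Kubernetes 1.18; `- "networking.k8s.io" # k8s 1.18+` would be accurate. In the last hunk the quotes around `{{ template "podSecurityPolicy.apiGroup" . }}` were dropped, so the rendered `apiGroups` list is only what was intended if the helper emits its own quoting, and that helper is outside the hunk.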
@@ -0,0 +1,17 @@
+{{- if .Values.rbac.create -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ labels:
+ {{- include "ingress-nginx.labels" . | nindent 4 }}
+ app.kubernetes.io/component: controller
+ name: {{ include "ingress-nginx.fullname" . }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ include "ingress-nginx.fullname" . }}
+subjects:
+ - kind: ServiceAccount
+ name: {{ template "ingress-nginx.serviceAccountName" . }}
+ namespace: {{ .Release.Namespace }}
+{{- end }}
diff --git a/charts/ingress-nginx/templates/controller-service-internal.yaml b/charts/ingress-nginx/templates/controller-service-internal.yaml
new file mode 100644
index 0000000000..54888e9658
--- /dev/null
+++ b/charts/ingress-nginx/templates/controller-service-internal.yaml
@@ -0,0 +1,47 @@
+{{- if and .Values.controller.service.enabled .Values.controller.service.internal.enabled .Values.controller.service.internal.annotations}}
+apiVersion: v1
+kind: Service
+metadata:
+ annotations:
+ {{- range $key, $value := .Values.controller.service.internal.annotations }}
+ {{ $key }}: {{ $value | quote }}
+ {{- end }}
+ labels:
+ {{- include "ingress-nginx.labels" . | nindent 4 }}
+ app.kubernetes.io/component: controller
+ {{- if .Values.controller.service.labels }}
+ {{- toYaml .Values.controller.service.labels | nindent 4 }}
+ {{- end }}
+ name: {{ include "ingress-nginx.controller.fullname" . }}-internal
+spec:
+ type: "{{ .Values.controller.service.type }}"
+{{- if .Values.controller.service.internal.loadBalancerSourceRanges }}
+ loadBalancerSourceRanges: {{ toYaml .Values.controller.service.internal.loadBalancerSourceRanges | nindent 4 }}
+{{- end }}
+{{- if .Values.controller.service.internal.externalTrafficPolicy }}
+ externalTrafficPolicy: {{ .Values.controller.service.internal.externalTrafficPolicy }}
+{{- end }}
+ ports:
+ {{- $setNodePorts := (or (eq .Values.controller.service.type "NodePort") (eq .Values.controller.service.type "LoadBalancer")) }}
+ {{- if .Values.controller.service.enableHttp }}
+ - name: http
+ port: {{ .Values.controller.service.ports.http }}
+ protocol: TCP
+ targetPort: {{ .Values.controller.service.targetPorts.http }}
+ {{- if (and $setNodePorts (not (empty .Values.controller.service.nodePorts.http))) }}
+ nodePort: {{ .Values.controller.service.nodePorts.http }}
+ {{- end }}
+ {{- end }}
+ {{- if .Values.controller.service.enableHttps }}
+ - name: https
+ port: {{ .Values.controller.service.ports.https }}
+ protocol: TCP
+ targetPort: {{ .Values.controller.service.targetPorts.https }}
+ {{- if (and $setNodePorts (not (empty .Values.controller.service.nodePorts.https))) }}
+ nodePort: {{ .Values.controller.service.nodePorts.https }}
+ {{- end }}
+ {{- end }}
+ selector:
+ {{- include "ingress-nginx.selectorLabels" . | nindent 4 }}
+ app.kubernetes.io/component: controller
+{{- end }}
diff --git a/charts/ingress-nginx/templates/controller-service-metrics.yaml b/charts/ingress-nginx/templates/controller-service-metrics.yaml
new file mode 100644
index 0000000000..b01f460afd
--- /dev/null
+++ b/charts/ingress-nginx/templates/controller-service-metrics.yaml
@@ -0,0 +1,43 @@
+{{- if .Values.controller.metrics.enabled -}}
+apiVersion: v1
+kind: Service
+metadata:
+{{- if .Values.controller.metrics.service.annotations }}
+ annotations: {{ toYaml .Values.controller.metrics.service.annotations | nindent 4 }}
+{{- end }}
+ labels:
+ {{- include "ingress-nginx.labels" . | nindent 4 }}
+ app.kubernetes.io/component: controller
+ {{- if .Values.controller.metrics.service.labels }}
+ {{- toYaml .Values.controller.metrics.service.labels | nindent 4 }}
+ {{- end }}
+ name: {{ include "ingress-nginx.controller.fullname" . }}-metrics
+spec:
+ type: {{ .Values.controller.metrics.service.type }}
+{{- if .Values.controller.metrics.service.clusterIP }}
+ clusterIP: {{ .Values.controller.metrics.service.clusterIP }}
+{{- end }}
+{{- if .Values.controller.metrics.service.externalIPs }}
+ externalIPs: {{ toYaml .Values.controller.metrics.service.externalIPs | nindent 4 }}
+{{- end }}
+{{- if .Values.controller.metrics.service.loadBalancerIP }}
+ loadBalancerIP: {{ .Values.controller.metrics.service.loadBalancerIP }}
+{{- end }}
+{{- if .Values.controller.metrics.service.loadBalancerSourceRanges }}
+ loadBalancerSourceRanges: {{ toYaml .Values.controller.metrics.service.loadBalancerSourceRanges | nindent 4 }}
+{{- end }}
+{{- if .Values.controller.metrics.service.externalTrafficPolicy }}
+ externalTrafficPolicy: {{ .Values.controller.metrics.service.externalTrafficPolicy }}
+{{- end }}
+ ports:
+ - name: metrics
+ port: {{ .Values.controller.metrics.service.servicePort }}
+ targetPort: metrics
+ {{- $setNodePorts := (or (eq .Values.controller.metrics.service.type "NodePort") (eq .Values.controller.metrics.service.type "LoadBalancer")) }}
+ {{- if (and $setNodePorts (not (empty .Values.controller.metrics.service.nodePort))) }}
+ nodePort: {{ .Values.controller.metrics.service.nodePort }}
+ {{- end }}
+ selector:
+ {{- include "ingress-nginx.selectorLabels" . | nindent 4 }}
+ app.kubernetes.io/component: controller
+{{- end }}
diff --git a/charts/ingress-nginx/templates/controller-service-webhook.yaml b/charts/ingress-nginx/templates/controller-service-webhook.yaml
new file mode 100644
index 0000000000..7a4dd51db2
--- /dev/null
+++ b/charts/ingress-nginx/templates/controller-service-webhook.yaml
@@ -0,0 +1,33 @@
+{{- if .Values.controller.admissionWebhooks.enabled -}}
+apiVersion: v1
+kind: Service
+metadata:
+{{- if .Values.controller.admissionWebhooks.service.annotations }}
+ annotations: {{ toYaml .Values.controller.admissionWebhooks.service.annotations | nindent 4 }}
+{{- end }}
+ labels:
+ {{- include "ingress-nginx.labels" . | nindent 4 }}
+ app.kubernetes.io/component: controller
+ name: {{ include "ingress-nginx.controller.fullname" . }}-admission
+spec:
+ type: {{ .Values.controller.admissionWebhooks.service.type }}
+{{- if .Values.controller.admissionWebhooks.service.clusterIP }}
+ clusterIP: {{ .Values.controller.admissionWebhooks.service.clusterIP }}
+{{- end }}
+{{- if .Values.controller.admissionWebhooks.service.externalIPs }}
+ externalIPs: {{ toYaml .Values.controller.admissionWebhooks.service.externalIPs | nindent 4 }}
+{{- end }}
+{{- if .Values.controller.admissionWebhooks.service.loadBalancerIP }}
+ loadBalancerIP: {{ .Values.controller.admissionWebhooks.service.loadBalancerIP }}
+{{- end }}
+{{- if .Values.controller.admissionWebhooks.service.loadBalancerSourceRanges }}
+ loadBalancerSourceRanges: {{ toYaml .Values.controller.admissionWebhooks.service.loadBalancerSourceRanges | nindent 4 }}
+{{- end }}
+ ports:
+ - name: https-webhook
+ port: 443
+ targetPort: webhook
+ selector:
+ {{- include "ingress-nginx.selectorLabels" . | nindent 4 }}
+ app.kubernetes.io/component: controller
+{{- end }}
diff --git a/charts/ingress-nginx/templates/controller-service.yaml b/charts/ingress-nginx/templates/controller-service.yaml
new file mode 100644
index 0000000000..9db734deb6
--- /dev/null
+++ b/charts/ingress-nginx/templates/controller-service.yaml
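Review bot: In controller-service-webhook.yaml the admission Service takes its `type`, `externalIPs` and `loadBalancerIP` straight from values, and `loadBalancerSourceRanges` is optional, so a values override can publish the admission endpoint outside the cluster with no source restriction. Nothing in the template says who is expected to reach port 443, and the values defaults for `controller.admissionWebhooks.service` are not visible here. A comment above `type:` would state the intent, for example `# called by the kube-apiserver only; keep this ClusterIP unless the control plane sits outside the cluster network`.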
@@ -0,0 +1,84 @@
+{{- if .Values.controller.service.enabled -}}
+apiVersion: v1
+kind: Service
+metadata:
+ annotations:
+ {{- range $key, $value := .Values.controller.service.annotations }}
+ {{ $key }}: {{ $value | quote }}
+ {{- end }}
+ labels:
+ {{- include "ingress-nginx.labels" . | nindent 4 }}
+ app.kubernetes.io/component: controller
+ {{- if .Values.controller.service.labels }}
+ {{- toYaml .Values.controller.service.labels | nindent 4 }}
+ {{- end }}
+ name: {{ include "ingress-nginx.controller.fullname" . }}
+spec:
+ type: {{ .Values.controller.service.type }}
+{{- if .Values.controller.service.clusterIP }}
+ clusterIP: {{ .Values.controller.service.clusterIP }}
+{{- end }}
+{{- if .Values.controller.service.externalIPs }}
+ externalIPs: {{ toYaml .Values.controller.service.externalIPs | nindent 4 }}
+{{- end }}
+{{- if .Values.controller.service.loadBalancerIP }}
+ loadBalancerIP: {{ .Values.controller.service.loadBalancerIP }}
+{{- end }}
+{{- if .Values.controller.service.loadBalancerSourceRanges }}
+ loadBalancerSourceRanges: {{ toYaml .Values.controller.service.loadBalancerSourceRanges | nindent 4 }}
+{{- end }}
+{{- if .Values.controller.service.externalTrafficPolicy }}
+ externalTrafficPolicy: {{ .Values.controller.service.externalTrafficPolicy }}
+{{- end }}
+{{- if .Values.controller.service.sessionAffinity }}
+ sessionAffinity: {{ .Values.controller.service.sessionAffinity }}
+{{- end }}
+{{- if .Values.controller.service.healthCheckNodePort }}
+ healthCheckNodePort: {{ .Values.controller.service.healthCheckNodePort }}
+{{- end }}
+ ports:
+ {{- $setNodePorts := (or (eq .Values.controller.service.type "NodePort") (eq .Values.controller.service.type "LoadBalancer")) }}
+ {{- if .Values.controller.service.enableHttp }}
+ - name: http
+ port: {{ .Values.controller.service.ports.http }}
+ protocol: TCP
+ targetPort: {{ .Values.controller.service.targetPorts.http }}
+ {{- if (and $setNodePorts (not (empty .Values.controller.service.nodePorts.http))) }}
+ nodePort: {{ .Values.controller.service.nodePorts.http }}
+ {{- end }}
+ {{- end }}
+ {{- if .Values.controller.service.enableHttps }}
+ - name: https
+ port: {{ .Values.controller.service.ports.https }}
+ protocol: TCP
+ targetPort: {{ .Values.controller.service.targetPorts.https }}
+ {{- if (and $setNodePorts (not (empty .Values.controller.service.nodePorts.https))) }}
+ nodePort: {{ .Values.controller.service.nodePorts.https }}
+ {{- end }}
+ {{- end }}
+ {{- range $key, $value := .Values.tcp }}
+ - name: {{ $key }}-tcp
+ port: {{ $key }}
+ protocol: TCP
+ targetPort: {{ $key }}-tcp
+ {{- if $.Values.controller.service.nodePorts.tcp }}
+ {{- if index $.Values.controller.service.nodePorts.tcp $key }}
+ nodePort: {{ index $.Values.controller.service.nodePorts.tcp $key }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+ {{- range $key, $value := .Values.udp }}
+ - name: {{ $key }}-udp
+ port: {{ $key }}
+ protocol: UDP
+ targetPort: {{ $key }}-udp
+ {{- if $.Values.controller.service.nodePorts.udp }}
+ {{- if index $.Values.controller.service.nodePorts.udp $key }}
+ nodePort: {{ index $.Values.controller.service.nodePorts.udp $key }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+ selector:
+ {{- include "ingress-nginx.selectorLabels" . | nindent 4 }}
+ app.kubernetes.io/component: controller
+{{- end }}
diff --git a/charts/ingress-nginx/templates/controller-serviceaccount.yaml b/charts/ingress-nginx/templates/controller-serviceaccount.yaml
new file mode 100644
index 0000000000..43585076c6
--- /dev/null
+++ b/charts/ingress-nginx/templates/controller-serviceaccount.yaml
@@ -0,0 +1,9 @@
+{{- if or .Values.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ labels:
+ {{- include "ingress-nginx.labels" . | nindent 4 }}
+ app.kubernetes.io/component: controller
+ name: {{ template "ingress-nginx.serviceAccountName" . }}
+{{- end }}
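Review bot: The guard in controller-serviceaccount.yaml, `{{- if or .Values.serviceAccount.create -}}`, calls `or` with a single operand, which reads as if a second condition was dropped. With one argument `or` just returns it, so the template still renders, but the next reader cannot tell whether the ServiceAccount was meant to depend on something else as well. If the single condition is intended, `{{- if .Values.serviceAccount.create -}}` says so directly.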
diff --git a/charts/ingress-nginx/templates/controller-servicemonitor.yaml b/charts/ingress-nginx/templates/controller-servicemonitor.yaml
new file mode 100644
index 0000000000..68b1c922ba
--- /dev/null
+++ b/charts/ingress-nginx/templates/controller-servicemonitor.yaml
@@ -0,0 +1,42 @@
+{{- if and .Values.controller.metrics.enabled .Values.controller.metrics.serviceMonitor.enabled -}}
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+ name: {{ include "ingress-nginx.controller.fullname" . }}
+{{- if .Values.controller.metrics.serviceMonitor.namespace }}
+ namespace: {{ .Values.controller.metrics.serviceMonitor.namespace }}
+{{- end }}
+ labels:
+ {{- include "ingress-nginx.labels" . | nindent 4 }}
+ app.kubernetes.io/component: controller
+ {{- if .Values.controller.metrics.serviceMonitor.additionalLabels }}
+ {{- toYaml .Values.controller.metrics.serviceMonitor.additionalLabels | nindent 4 }}
+ {{- end }}
+spec:
+ endpoints:
+ - port: metrics
+ interval: {{ .Values.controller.metrics.serviceMonitor.scrapeInterval }}
+ {{- if .Values.controller.metrics.serviceMonitor.honorLabels }}
+ honorLabels: true
+ {{- end }}
+ {{- if .Values.controller.metrics.serviceMonitor.metricRelabelings }}
+ metricRelabelings: {{ toYaml .Values.controller.metrics.serviceMonitor.metricRelabelings | nindent 8 }}
+ {{- end }}
+{{- if .Values.controller.metrics.serviceMonitor.namespaceSelector }}
+ namespaceSelector: {{ toYaml .Values.controller.metrics.serviceMonitor.namespaceSelector | nindent 4 }}
+{{ else }}
+ namespaceSelector:
+ matchNames:
+ - {{ .Release.Namespace }}
+{{- end }}
+{{- if .Values.controller.metrics.serviceMonitor.targetLabels }}
+ targetLabels:
+ {{- range .Values.controller.metrics.serviceMonitor.targetLabels }}
+ - {{ . }}
+ {{- end }}
+{{- end }}
+ selector:
+ matchLabels:
+ {{- include "ingress-nginx.selectorLabels" . | nindent 6 }}
+ app.kubernetes.io/component: controller
+{{- end }}
diff --git a/charts/nginx-ingress/templates/default-backend-deployment.yaml b/charts/ingress-nginx/templates/default-backend-deployment.yaml
similarity index 51%
rename from charts/nginx-ingress/templates/default-backend-deployment.yaml
rename to charts/ingress-nginx/templates/default-backend-deployment.yaml
index c2b41ed762..0baec8b46a 100644
--- a/charts/nginx-ingress/templates/default-backend-deployment.yaml
+++ b/charts/ingress-nginx/templates/default-backend-deployment.yaml
@@ -1,72 +1,69 @@ -{{- if .Values.defaultBackend.enabled }} -apiVersion: {{ template "deployment.apiVersion" . }} +{{- if .Values.defaultBackend.enabled -}} +apiVersion: apps/v1 kind: Deployment metadata: labels: - app: {{ template "nginx-ingress.name" . }} - chart: {{ template "nginx-ingress.chart" . }} - heritage: {{ .Release.Service }} - release: {{ template "nginx-ingress.releaseLabel" . }} + {{- include "ingress-nginx.labels" . | nindent 4 }} app.kubernetes.io/component: default-backend - {{- if .Values.defaultBackend.deploymentLabels }} -{{ toYaml .Values.defaultBackend.deploymentLabels | indent 4 }} - {{- end }} - name: {{ template "nginx-ingress.defaultBackend.fullname" . }} + name: {{ include "ingress-nginx.defaultBackend.fullname" . }} spec: selector: matchLabels: - app: {{ template "nginx-ingress.name" . }} - release: {{ template "nginx-ingress.releaseLabel" . }} - {{- if .Values.defaultBackend.useComponentLabel }} + {{- include "ingress-nginx.selectorLabels" . | nindent 6 }} app.kubernetes.io/component: default-backend - {{- end }} +{{- if not .Values.defaultBackend.autoscaling.enabled }} replicas: {{ .Values.defaultBackend.replicaCount }} +{{- end }} revisionHistoryLimit: {{ .Values.revisionHistoryLimit }} template: metadata: {{- if .Values.defaultBackend.podAnnotations }} - annotations: - {{- range $key, $value := .Values.defaultBackend.podAnnotations }} - {{ $key }}: {{ $value | quote }} - {{- end }} + annotations: {{ toYaml .Values.defaultBackend.podAnnotations | nindent 8 }} {{- end }} labels: - app: {{ template "nginx-ingress.name" . }} - release: {{ template "nginx-ingress.releaseLabel" . }} + {{- include "ingress-nginx.selectorLabels" . 
| nindent 8 }} app.kubernetes.io/component: default-backend - {{- if .Values.defaultBackend.podLabels }} -{{ toYaml .Values.defaultBackend.podLabels | indent 8 }} - {{- end }} - spec: - {{- if .Values.imagePullSecrets }} - imagePullSecrets: -{{ toYaml .Values.imagePullSecrets | indent 8 }} - {{- end }} -{{- if .Values.defaultBackend.priorityClassName }} - priorityClassName: "{{ .Values.defaultBackend.priorityClassName }}" -{{- end }} - {{- if .Values.defaultBackend.podSecurityContext }} - securityContext: -{{ toYaml .Values.defaultBackend.podSecurityContext | indent 8 }} + {{- if .Values.defaultBackend.podLabels }} + {{- toYaml .Values.defaultBackend.podLabels | nindent 8 }} {{- end }} + spec: + {{- if .Values.imagePullSecrets }} + imagePullSecrets: {{ toYaml .Values.imagePullSecrets | nindent 8 }} + {{- end }} + {{- if .Values.defaultBackend.priorityClassName }} + priorityClassName: {{ .Values.defaultBackend.priorityClassName }} + {{- end }} + {{- if .Values.defaultBackend.podSecurityContext }} + securityContext: {{ toYaml .Values.defaultBackend.podSecurityContext | nindent 8 }} + {{- end }} containers: - - name: {{ template "nginx-ingress.name" . }}-{{ .Values.defaultBackend.name }} - image: "{{ .Values.defaultBackend.image.repository }}:{{ .Values.defaultBackend.image.tag }}" - imagePullPolicy: "{{ .Values.defaultBackend.image.pullPolicy }}" + - name: {{ template "ingress-nginx.name" . 
}}-default-backend + {{- with .Values.defaultBackend.image }} + image: "{{.repository}}:{{ .tag }}{{- if (.digest) -}} @{{.digest}} {{- end -}}" + {{- end }} + imagePullPolicy: {{ .Values.defaultBackend.image.pullPolicy }} + {{- if .Values.defaultBackend.extraArgs }} args: {{- range $key, $value := .Values.defaultBackend.extraArgs }} - {{- if $value }} - - --{{ $key }}={{ $value }} - {{- else }} + {{- /* Accept keys without values or with false as value */}} + {{- if eq ($value | quote | len) 2 }} - --{{ $key }} + {{- else }} + - --{{ $key }}={{ $value }} {{- end }} {{- end }} + {{- end }} securityContext: + capabilities: + drop: + - ALL runAsUser: {{ .Values.defaultBackend.image.runAsUser }} - {{- if .Values.defaultBackend.extraEnvs }} - env: -{{ toYaml .Values.defaultBackend.extraEnvs | indent 12 }} - {{- end }} + runAsNonRoot: {{ .Values.defaultBackend.image.runAsNonRoot }} + allowPrivilegeEscalation: {{ .Values.defaultBackend.image.allowPrivilegeEscalation }} + readOnlyRootFilesystem: {{ .Values.defaultBackend.image.readOnlyRootFilesystem}} + {{- if .Values.defaultBackend.extraEnvs }} + env: {{ toYaml .Values.defaultBackend.extraEnvs | nindent 12 }} + {{- end }} livenessProbe: httpGet: path: /healthz 
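Review bot: The container `securityContext` added in default-backend-deployment.yaml reads `runAsNonRoot`, `allowPrivilegeEscalation` and `readOnlyRootFilesystem` from `.Values.defaultBackend.image.*` with no fallback, so a values file that omits one of them renders an empty key and that part of the hardening is silently dropped. The defaults for these keys are not in the visible part of values.yaml, so this depends on what the chart and any override actually set. Failing the render when a key is missing would make the omission visible, for example `runAsNonRoot: {{ required "defaultBackend.image.runAsNonRoot must be set" .Values.defaultBackend.image.runAsNonRoot }}`, and likewise for the other two fields. The unconditional `capabilities.drop: [ALL]` does not have this problem.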
@@ -91,20 +88,18 @@ spec: - name: http containerPort: {{ .Values.defaultBackend.port }} protocol: TCP - resources: -{{ toYaml .Values.defaultBackend.resources | indent 12 }} + {{- if .Values.defaultBackend.resources }} + resources: {{ toYaml .Values.defaultBackend.resources | nindent 12 }} + {{- end }} {{- if .Values.defaultBackend.nodeSelector }} - nodeSelector: -{{ toYaml .Values.defaultBackend.nodeSelector | indent 8 }} + nodeSelector: {{ toYaml .Values.defaultBackend.nodeSelector | nindent 8 }} {{- end }} - serviceAccountName: {{ template "nginx-ingress.defaultBackend.serviceAccountName" . }} + serviceAccountName: {{ template "ingress-nginx.defaultBackend.serviceAccountName" . }} {{- if .Values.defaultBackend.tolerations }} - tolerations: -{{ toYaml .Values.defaultBackend.tolerations | indent 8 }} + tolerations: {{ toYaml .Values.defaultBackend.tolerations | nindent 8 }} {{- end }} {{- if .Values.defaultBackend.affinity }} - affinity: -{{ toYaml .Values.defaultBackend.affinity | indent 8 }} + affinity: {{ toYaml .Values.defaultBackend.affinity | nindent 8 }} {{- end }} terminationGracePeriodSeconds: 60 {{- end }} diff --git a/charts/ingress-nginx/templates/default-backend-hpa.yaml b/charts/ingress-nginx/templates/default-backend-hpa.yaml new file mode 100644 index 0000000000..36b8bf221e --- /dev/null +++ b/charts/ingress-nginx/templates/default-backend-hpa.yaml 
@@ -0,0 +1,29 @@
+{{- if .Values.defaultBackend.autoscaling.enabled }}
+apiVersion: autoscaling/v2beta1
+kind: HorizontalPodAutoscaler
+metadata:
+ labels:
+ {{- include "ingress-nginx.labels" . | nindent 4 }}
+ app.kubernetes.io/component: default-backend
+ name: {{ template "ingress-nginx.defaultBackend.fullname" . }}
+spec:
+ scaleTargetRef:
+ apiVersion: apps/v1
+ kind: Deployment
+ name: {{ template "ingress-nginx.defaultBackend.fullname" . }}
+ minReplicas: {{ .Values.defaultBackend.autoscaling.minReplicas }}
+ maxReplicas: {{ .Values.defaultBackend.autoscaling.maxReplicas }}
+ metrics:
+{{- with .Values.defaultBackend.autoscaling.targetCPUUtilizationPercentage }}
+ - type: Resource
+ resource:
+ name: cpu
+ targetAverageUtilization: {{ . }}
+{{- end }}
+{{- with .Values.defaultBackend.autoscaling.targetMemoryUtilizationPercentage }}
+ - type: Resource
+ resource:
+ name: memory
+ targetAverageUtilization: {{ . }}
+{{- end }}
+{{- end }}
diff --git a/charts/ingress-nginx/templates/default-backend-poddisruptionbudget.yaml b/charts/ingress-nginx/templates/default-backend-poddisruptionbudget.yaml
new file mode 100644
index 0000000000..327d809b95
--- /dev/null
+++ b/charts/ingress-nginx/templates/default-backend-poddisruptionbudget.yaml
@@ -0,0 +1,15 @@
+{{- if or (gt (.Values.defaultBackend.replicaCount | int) 1) (gt (.Values.defaultBackend.autoscaling.minReplicas | int) 1) }}
+apiVersion: policy/v1beta1
+kind: PodDisruptionBudget
+metadata:
+ labels:
+ {{- include "ingress-nginx.labels" . | nindent 4 }}
+ app.kubernetes.io/component: default-backend
+ name: {{ include "ingress-nginx.defaultBackend.fullname" . }}
+spec:
+ selector:
+ matchLabels:
+ {{- include "ingress-nginx.selectorLabels" . | nindent 6 }}
+ app.kubernetes.io/component: default-backend
+ minAvailable: {{ .Values.defaultBackend.minAvailable }}
+{{- end }}
diff --git a/charts/nginx-ingress/templates/default-backend-psp.yaml b/charts/ingress-nginx/templates/default-backend-psp.yaml similarity index 61% rename from charts/nginx-ingress/templates/default-backend-psp.yaml rename to charts/ingress-nginx/templates/default-backend-psp.yaml index 38191d4f81..055f434dbe 100644 --- a/charts/nginx-ingress/templates/default-backend-psp.yaml +++ b/charts/ingress-nginx/templates/default-backend-psp.yaml @@ -1,13 +1,11 @@ {{- if and .Values.podSecurityPolicy.enabled .Values.defaultBackend.enabled -}} -apiVersion: {{ template "podSecurityPolicy.apiVersion" . }} +apiVersion: policy/v1beta1 kind: PodSecurityPolicy metadata: - name: {{ template "nginx-ingress.fullname" . }}-backend + name: {{ include "ingress-nginx.fullname" . }}-backend labels: - app: {{ template "nginx-ingress.name" . }} - chart: {{ template "nginx-ingress.chart" . }} - heritage: {{ .Release.Service }} - release: {{ template "nginx-ingress.releaseLabel" . }} + {{- include "ingress-nginx.labels" . | nindent 4 }} + app.kubernetes.io/component: default-backend spec: allowPrivilegeEscalation: false fsGroup: @@ -32,4 +30,4 @@ spec: - projected - secret - downwardAPI -{{- end -}} +{{- end }} diff --git a/charts/ingress-nginx/templates/default-backend-role.yaml b/charts/ingress-nginx/templates/default-backend-role.yaml new file mode 100644 index 0000000000..23498de22e --- /dev/null +++ b/charts/ingress-nginx/templates/default-backend-role.yaml 
@@ -0,0 +1,14 @@
+{{- if and .Values.rbac.create .Values.podSecurityPolicy.enabled .Values.defaultBackend.enabled -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ labels:
+ {{- include "ingress-nginx.labels" . | nindent 4 }}
+ app.kubernetes.io/component: default-backend
+ name: {{ include "ingress-nginx.fullname" . }}-backend
+rules:
+ - apiGroups: [{{ template "podSecurityPolicy.apiGroup" . }}]
+ resources: ['podsecuritypolicies']
+ verbs: ['use']
+ resourceNames: [{{ include "ingress-nginx.fullname" . }}-backend]
+{{- end }}
diff --git a/charts/ingress-nginx/templates/default-backend-rolebinding.yaml b/charts/ingress-nginx/templates/default-backend-rolebinding.yaml
new file mode 100644
index 0000000000..45558aac1a
--- /dev/null
+++ b/charts/ingress-nginx/templates/default-backend-rolebinding.yaml
@@ -0,0 +1,17 @@
+{{- if and .Values.rbac.create .Values.podSecurityPolicy.enabled .Values.defaultBackend.enabled -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ labels:
+ {{- include "ingress-nginx.labels" . | nindent 4 }}
+ app.kubernetes.io/component: default-backend
+ name: {{ include "ingress-nginx.fullname" . }}-backend
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ include "ingress-nginx.fullname" . }}-backend
+subjects:
+ - kind: ServiceAccount
+ name: {{ template "ingress-nginx.defaultBackend.serviceAccountName" . }}
+ namespace: {{ .Release.Namespace }}
+{{- end }}
diff --git a/charts/ingress-nginx/templates/default-backend-service.yaml b/charts/ingress-nginx/templates/default-backend-service.yaml
new file mode 100644
index 0000000000..e74714d924
--- /dev/null
+++ b/charts/ingress-nginx/templates/default-backend-service.yaml
@@ -0,0 +1,34 @@
+{{- if .Values.defaultBackend.enabled -}}
+apiVersion: v1
+kind: Service
+metadata:
+{{- if .Values.defaultBackend.service.annotations }}
+ annotations: {{ toYaml .Values.defaultBackend.service.annotations | nindent 4 }}
+{{- end }}
+ labels:
+ {{- include "ingress-nginx.labels" . | nindent 4 }}
+ app.kubernetes.io/component: default-backend
+ name: {{ include "ingress-nginx.defaultBackend.fullname" . }}
+spec:
+ type: {{ .Values.defaultBackend.service.type }}
+{{- if .Values.defaultBackend.service.clusterIP }}
+ clusterIP: {{ .Values.defaultBackend.service.clusterIP }}
+{{- end }}
+{{- if .Values.defaultBackend.service.externalIPs }}
+ externalIPs: {{ toYaml .Values.defaultBackend.service.externalIPs | nindent 4 }}
+{{- end }}
+{{- if .Values.defaultBackend.service.loadBalancerIP }}
+ loadBalancerIP: {{ .Values.defaultBackend.service.loadBalancerIP }}
+{{- end }}
+{{- if .Values.defaultBackend.service.loadBalancerSourceRanges }}
+ loadBalancerSourceRanges: {{ toYaml .Values.defaultBackend.service.loadBalancerSourceRanges | nindent 4 }}
+{{- end }}
+ ports:
+ - name: http
+ port: {{ .Values.defaultBackend.service.servicePort }}
+ protocol: TCP
+ targetPort: http
+ selector:
+ {{- include "ingress-nginx.selectorLabels" . | nindent 4 }}
+ app.kubernetes.io/component: default-backend
+{{- end }}
diff --git a/charts/ingress-nginx/templates/default-backend-serviceaccount.yaml b/charts/ingress-nginx/templates/default-backend-serviceaccount.yaml
new file mode 100644
index 0000000000..96419cfa0a
--- /dev/null
+++ b/charts/ingress-nginx/templates/default-backend-serviceaccount.yaml
@@ -0,0 +1,9 @@
+{{- if and .Values.defaultBackend.enabled .Values.defaultBackend.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ labels:
+ {{- include "ingress-nginx.labels" . | nindent 4 }}
+ app.kubernetes.io/component: default-backend
+ name: {{ template "ingress-nginx.defaultBackend.serviceAccountName" . }}
+{{- end }}
diff --git a/charts/nginx-ingress/values.yaml b/charts/ingress-nginx/values.yaml similarity index 61% rename from charts/nginx-ingress/values.yaml rename to charts/ingress-nginx/values.yaml index 130b63cb64..7e2e54c723 100644 --- a/charts/nginx-ingress/values.yaml +++ b/charts/ingress-nginx/values.yaml @@ -1,21 +1,16 @@ ## nginx configuration -## Ref: https://github.com/kubernetes/ingress/blob/master/controllers/nginx/configuration.md +## Ref: https://github.com/kubernetes/ingress-nginx/blob/master/controllers/nginx/configuration.md ## controller: - name: controller image: - repository: quay.io/kubernetes-ingress-controller/nginx-ingress-controller - tag: "0.30.0" + repository: k8s.gcr.io/ingress-nginx/controller + tag: "v0.41.2" + digest: sha256:1f4f402b9c14f3ae92b11ada1dfe9893a88f0faeb0b2f4b903e2c67a0c3bf0de pullPolicy: IfNotPresent # www-data -> uid 101 runAsUser: 101 allowPrivilegeEscalation: true - # This will fix the issue of HPA not being able to read the metrics. - # Note that if you enable it for existing deployments, it won't work as the labels are immutable. - # We recommend setting this to true for new deployments. - useComponentLabel: false - # Configures the ports the nginx-controller listens on containerPort: http: 80 @@ -24,9 +19,9 @@ controller: # Will add custom configuration options to Nginx https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/ config: {} - # Maxmind license key to download GeoLite2 Databases - # https://blog.maxmind.com/2019/12/18/significant-changes-to-accessing-and-using-geolite2-databases - maxmindLicenseKey: "" + ## Annotations to be added to the controller config configuration configmap + ## + configAnnotations: {} # Will add custom headers before sending traffic to backends according to https://github.com/kubernetes/ingress-nginx/tree/master/docs/examples/customization/custom-headers proxySetHeaders: {} 
@@ -34,11 +29,6 @@ controller: # Will add custom headers before sending response traffic to the client according to: https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#add-headers addHeaders: {} - # Required for use with CNI based kubernetes installations (such as ones set up by kubeadm), - # since CNI and hostport don't mix yet. Can be deprecated once https://github.com/kubernetes/kubernetes/issues/23920 - # is merged - hostNetwork: false - # Optionally customize the pod dnsConfig. dnsConfig: {} @@ -51,19 +41,20 @@ controller: # Ingress status was blank because there is no Service exposing the NGINX Ingress controller in a configuration using the host network, the default --publish-service flag used in standard cloud setups does not apply reportNodeInternalIp: false - ## Use host ports 80 and 443 - daemonset: - useHostPort: false + # Required for use with CNI based kubernetes installations (such as ones set up by kubeadm), + # since CNI and hostport don't mix yet. Can be deprecated once https://github.com/kubernetes/kubernetes/issues/23920 + # is merged + hostNetwork: false - hostPorts: + ## Use host ports 80 and 443 + ## Disabled by default + ## + hostPort: + enabled: false + ports: http: 80 https: 443 - ## Required only if defaultBackend.enabled = false - ## Must be / - ## - defaultBackendService: "" - ## Election ID to use for status update ## electionID: ingress-controller-leader 
@@ -72,23 +63,27 @@ controller: ## ingressClass: nginx - # labels to add to the deployment metadata - deploymentLabels: {} - # labels to add to the pod container metadata podLabels: {} # key: value ## Security Context policies for controller pods - ## See https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ for - ## notes on enabling and using sysctls ## podSecurityContext: {} - ## Allows customization of the external service - ## the ingress will be bound to via DNS + ## See https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ for + ## notes on enabling and using sysctls + ### + sysctls: {} + # sysctls: + # "net.core.somaxconn": "8192" + + ## Allows customization of the source of the IP address or FQDN to report + ## in the ingress status field. By default, it reads the information provided + ## by the service. If disable, the status field reports the IP address of the + ## node or nodes where an ingress controller pod is running. publishService: - enabled: false + enabled: true ## Allows overriding of the publish service to bind to ## Must be / ## @@ -104,15 +99,19 @@ controller: ## configMapNamespace: "" # defaults to .Release.Namespace - ## Allows customization of the tcp-services-configmap namespace + ## Allows customization of the tcp-services-configmap ## tcp: configMapNamespace: "" # defaults to .Release.Namespace + ## Annotations to be added to the tcp config configmap + annotations: {} - ## Allows customization of the udp-services-configmap namespace + ## Allows customization of the udp-services-configmap ## udp: configMapNamespace: "" # defaults to .Release.Namespace + ## Annotations to be added to the udp config configmap + annotations: {} ## Additional command line arguments to pass to nginx-ingress-controller ## E.g. to specify the default SSL certificate you can use 
@@ -133,9 +132,17 @@ controller: ## kind: Deployment - ## Annotations to be added to the controller deployment + ## Annotations to be added to the controller Deployment or DaemonSet + ## + annotations: {} + # keel.sh/pollSchedule: "@every 60m" + + ## Labels to be added to the controller Deployment or DaemonSet ## - deploymentAnnotations: {} + labels: {} + # keel.sh/policy: patch + # keel.sh/trigger: poll + # The update strategy to apply to the Deployment or DaemonSet ## @@ -169,10 +176,18 @@ controller: # podAffinityTerm: # labelSelector: # matchExpressions: - # - key: app + # - key: app.kubernetes.io/name + # operator: In + # values: + # - ingress-nginx + # - key: app.kubernetes.io/instance + # operator: In + # values: + # - ingress-nginx + # - key: app.kubernetes.io/component # operator: In # values: - # - nginx-ingress + # - controller # topologyKey: kubernetes.io/hostname # # An example of required pod anti-affinity 
@@ -180,26 +195,47 @@ controller: # requiredDuringSchedulingIgnoredDuringExecution: # - labelSelector: # matchExpressions: - # - key: app + # - key: app.kubernetes.io/name + # operator: In + # values: + # - ingress-nginx + # - key: app.kubernetes.io/instance # operator: In # values: - # - nginx-ingress + # - ingress-nginx + # - key: app.kubernetes.io/component + # operator: In + # values: + # - controller # topologyKey: "kubernetes.io/hostname" + ## Topology spread constraints rely on node labels to identify the topology domain(s) that each Node is in. + ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ + ## + topologySpreadConstraints: [] + # - maxSkew: 1 + # topologyKey: failure-domain.beta.kubernetes.io/zone + # whenUnsatisfiable: DoNotSchedule + # labelSelector: + # matchLabels: + # app.kubernetes.io/instance: ingress-nginx-internal + ## terminationGracePeriodSeconds + ## wait up to five minutes for the drain of connections ## - terminationGracePeriodSeconds: 60 + terminationGracePeriodSeconds: 300 ## Node labels for controller pod assignment ## Ref: https://kubernetes.io/docs/user-guide/node-selection/ ## - nodeSelector: {} + nodeSelector: + kubernetes.io/os: linux ## Liveness and readiness probe values ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes ## livenessProbe: - failureThreshold: 3 + failureThreshold: 5 initialDelaySeconds: 10 periodSeconds: 10 successThreshold: 1 @@ -213,6 +249,10 @@ controller: timeoutSeconds: 1 port: 10254 + # Path of the health check endpoint. All requests received on the port defined by + # the healthz-port parameter are forwarded internally to this path. + healthCheckPath: "/healthz" + ## Annotations to be added to controller pods ## podAnnotations: {} 
@@ -221,21 +261,76 @@ controller: minAvailable: 1 - resources: {} + # Define requests resources to avoid probe issues due to CPU utilization in busy nodes + # ref: https://github.com/kubernetes/ingress-nginx/issues/4735#issuecomment-551204903 + # Ideally, there should be no limits. + # https://engineering.indeedblog.com/blog/2019/12/cpu-throttling-regression-fix/ + resources: # limits: # cpu: 100m - # memory: 64Mi - # requests: - # cpu: 100m - # memory: 64Mi + # memory: 90Mi + requests: + cpu: 100m + memory: 90Mi + # Mutually exclusive with keda autoscaling autoscaling: enabled: false - minReplicas: 2 + minReplicas: 1 maxReplicas: 11 targetCPUUtilizationPercentage: 50 targetMemoryUtilizationPercentage: 50 + autoscalingTemplate: [] + # Custom or additional autoscaling metrics + # ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/#support-for-custom-metrics + # - type: Pods + # pods: + # metric: + # name: nginx_ingress_controller_nginx_process_requests_total + # target: + # type: AverageValue + # averageValue: 10000m + + # Mutually exclusive with hpa autoscaling + keda: + apiVersion: "keda.sh/v1alpha1" + # apiVersion changes with keda 1.x vs 2.x + # 2.x = keda.sh/v1alpha1 + # 1.x = keda.k8s.io/v1alpha1 + enabled: false + minReplicas: 1 + maxReplicas: 11 + pollingInterval: 30 + cooldownPeriod: 300 + restoreToOriginalReplicaCount: false + triggers: [] + # - type: prometheus + # metadata: + # serverAddress: http://:9090 + # metricName: http_requests_total + # threshold: '100' + # query: sum(rate(http_requests_total{deployment="my-deployment"}[2m])) + + behavior: {} + # scaleDown: + # stabilizationWindowSeconds: 300 + # policies: + # - type: Pods + # value: 1 + # periodSeconds: 180 + # scaleUp: + # stabilizationWindowSeconds: 300 + # policies: + # - type: Pods + # value: 2 + # periodSeconds: 60 + + ## Enable mimalloc as a drop-in replacement for malloc. 
+ ## ref: https://github.com/microsoft/mimalloc + ## + enableMimalloc: true + ## Override NGINX template customTemplate: configMapName: "" @@ -246,8 +341,6 @@ controller: annotations: {} labels: {} - ## Deprecated, instead simply do not provide a clusterIP value - omitClusterIP: false # clusterIP: "" ## List of IP addresses at which the controller services are available @@ -255,7 +348,7 @@ controller: ## externalIPs: [] - loadBalancerIP: "" + # loadBalancerIP: "" loadBalancerSourceRanges: [] enableHttp: true @@ -264,13 +357,16 @@ controller: ## Set external traffic policy to: "Local" to preserve source IP on ## providers supporting it ## Ref: https://kubernetes.io/docs/tutorials/services/source-ip/#source-ip-for-services-with-typeloadbalancer - externalTrafficPolicy: "" + # externalTrafficPolicy: "" # Must be either "None" or "ClientIP" if set. Kubernetes will default to "None". # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies - sessionAffinity: "" + # sessionAffinity: "" - healthCheckNodePort: 0 + # specifies the health check node port (numeric port number) for the service. If healthCheckNodePort isn’t specified, + # the service controller allocates a port from your cluster’s NodePort range. + # Ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip + # healthCheckNodePort: 0 ports: http: 80 
@@ -294,6 +390,20 @@ controller: tcp: {} udp: {} + ## Enables an additional internal load balancer (besides the external one). + ## Annotations are mandatory for the load balancer to come up. Varies with the cloud service. + internal: + enabled: false + annotations: {} + + ## Restrict access For LoadBalancer service. Defaults to 0.0.0.0/0. + loadBalancerSourceRanges: [] + + ## Set external traffic policy to: "Local" to preserve source IP on + ## providers supporting it + ## Ref: https://kubernetes.io/docs/tutorials/services/source-ip/#source-ip-for-services-with-typeloadbalancer + # externalTrafficPolicy: "" + extraContainers: [] ## Additional containers to be added to the controller pod. ## See https://github.com/lemonldap-ng-controller/lemonldap-ng-controller as example. @@ -335,17 +445,21 @@ controller: # command: ['sh', '-c', 'until nslookup myservice; do echo waiting for myservice; sleep 2; done;'] admissionWebhooks: - enabled: false + annotations: {} + enabled: true failurePolicy: Fail + # timeoutSeconds: 10 port: 8443 + certificate: "/usr/local/certificates/cert" + key: "/usr/local/certificates/key" + namespaceSelector: {} + objectSelector: {} service: annotations: {} - ## Deprecated, instead simply do not provide a clusterIP value - omitClusterIP: false # clusterIP: "" externalIPs: [] - loadBalancerIP: "" + # loadBalancerIP: "" loadBalancerSourceRanges: [] servicePort: 443 type: ClusterIP @@ -353,14 +467,16 @@ controller: patch: enabled: true image: - repository: jettech/kube-webhook-certgen - tag: v1.0.0 + repository: docker.io/jettech/kube-webhook-certgen + tag: v1.5.0 pullPolicy: IfNotPresent ## Provide a priority class name to the webhook patching job ## priorityClassName: "" podAnnotations: {} nodeSelector: {} + tolerations: [] + runAsUser: 2000 metrics: port: 10254 
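Review bot: In the `admissionWebhooks` hunk, flipping `enabled` to `true` while `failurePolicy: Fail` stays means Ingress writes are rejected whenever the webhook on port 8443 cannot be reached, and the empty `namespaceSelector: {}` / `objectSelector: {}` presumably leave every namespace in scope. Failing closed is the safer choice for validation, but it is an availability dependency that should be stated next to the setting, for example `# Fail = Ingress create/update is rejected while the webhook is unreachable`. `# timeoutSeconds: 10` is left commented out, so the wait before a failure is whatever the API server defaults to; uncommenting it would make that explicit. Whether the deployment overrides these defaults is not visible in this hunk.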
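Review bot: In the `patch.image` hunk the certgen image is still referenced by tag only (`tag: v1.5.0` with `pullPolicy: IfNotPresent`), while the controller image in this same file gained a `digest:` in this change. Per the chart's own description this job generates the CA and patches the webhook configuration, so its provenance matters at least as much as the controller's. If the chart template accepts it (not visible here), add `digest: sha256:<digest of the verified v1.5.0 image>` below the tag; otherwise pin it wherever the deployment mirrors its images. The `patch:` block starts before this hunk.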
@@ -372,8 +488,6 @@ controller: # prometheus.io/scrape: "true" # prometheus.io/port: "10254" - ## Deprecated, instead simply do not provide a clusterIP value - omitClusterIP: false # clusterIP: "" ## List of IP addresses at which the stats-exporter service is available @@ -381,10 +495,12 @@ controller: ## externalIPs: [] - loadBalancerIP: "" + # loadBalancerIP: "" loadBalancerSourceRanges: [] servicePort: 9913 type: ClusterIP + # externalTrafficPolicy: "" + # nodePort: "" serviceMonitor: enabled: false 
@@ -397,32 +513,60 @@ controller: # any: true scrapeInterval: 30s # honorLabels: true + targetLabels: [] + metricRelabelings: [] prometheusRule: enabled: false additionalLabels: {} - namespace: "" + # namespace: "" rules: [] # # These are just examples rules, please adapt them to your needs - # - alert: TooMany500s + # - alert: NGINXConfigFailed + # expr: count(nginx_ingress_controller_config_last_reload_successful == 0) > 0 + # for: 1s + # labels: + # severity: critical + # annotations: + # description: bad ingress config - nginx config test failed + # summary: uninstall the latest ingress changes to allow config reloads to resume + # - alert: NGINXCertificateExpiry + # expr: (avg(nginx_ingress_controller_ssl_expire_time_seconds) by (host) - time()) < 604800 + # for: 1s + # labels: + # severity: critical + # annotations: + # description: ssl certificate(s) will expire in less then a week + # summary: renew expiring certificates to avoid downtime + # - alert: NGINXTooMany500s # expr: 100 * ( sum( nginx_ingress_controller_requests{status=~"5.+"} ) / sum(nginx_ingress_controller_requests) ) > 5 # for: 1m # labels: - # severity: critical + # severity: warning # annotations: # description: Too many 5XXs - # summary: More than 5% of the all requests did return 5XX, this require your attention - # - alert: TooMany400s + # summary: More than 5% of all requests returned 5XX, this requires your attention + # - alert: NGINXTooMany400s # expr: 100 * ( sum( nginx_ingress_controller_requests{status=~"4.+"} ) / sum(nginx_ingress_controller_requests) ) > 5 # for: 1m # labels: - # severity: critical + # severity: warning # annotations: # description: Too many 4XXs - # summary: More than 5% of the all requests did return 4XX, this require your attention - - - lifecycle: {} + # summary: More than 5% of all requests returned 4XX, this requires your attention + + ## Improve connection draining when ingress controller pod is deleted using a lifecycle hook: + ## With this new hook, we 
increased the default terminationGracePeriodSeconds from 30 seconds + ## to 300, allowing the draining of connections up to five minutes. + ## If the active connections end before that, the pod will terminate gracefully at that time. + ## To effectively take advantage of this feature, the Configmap feature + ## worker-shutdown-timeout new value is 240s instead of 10s. + ## + lifecycle: + preStop: + exec: + command: + - /wait-shutdown priorityClassName: "" @@ -430,26 +574,25 @@ controller: ## revisionHistoryLimit: 10 +# Maxmind license key to download GeoLite2 Databases +# https://blog.maxmind.com/2019/12/18/significant-changes-to-accessing-and-using-geolite2-databases +maxmindLicenseKey: "" + ## Default 404 backend ## defaultBackend: - - ## If false, controller.defaultBackendService must be provided ## - enabled: true + enabled: false - name: default-backend image: repository: k8s.gcr.io/defaultbackend-amd64 tag: "1.5" pullPolicy: IfNotPresent # nobody user -> uid 65534 runAsUser: 65534 - - # This will fix the issue of HPA not being able to read the metrics. - # Note that if you enable it for existing deployments, it won't work as the labels are immutable. - # We recommend setting this to true for new deployments. - useComponentLabel: false + runAsNonRoot: true + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false extraArgs: {} @@ -494,9 +637,6 @@ defaultBackend: ## podSecurityContext: {} - # labels to add to the deployment metadata - deploymentLabels: {} - # labels to add to the pod container metadata podLabels: {} # key: value @@ -522,10 +662,16 @@ defaultBackend: # cpu: 10m # memory: 20Mi + autoscaling: + enabled: false + minReplicas: 1 + maxReplicas: 2 + targetCPUUtilizationPercentage: 50 + targetMemoryUtilizationPercentage: 50 + service: annotations: {} - ## Deprecated, instead simply do not provide a clusterIP value - omitClusterIP: false + # clusterIP: "" ## List of IP addresses at which the default backend service is available 
@@ -533,16 +679,13 @@ defaultBackend: ## externalIPs: [] - loadBalancerIP: "" + # loadBalancerIP: "" loadBalancerSourceRanges: [] servicePort: 80 type: ClusterIP priorityClassName: "" -# If provided, the value will be used as the `release` label instead of .Release.Name -releaseLabelOverride: "" - ## Enable RBAC as per https://github.com/kubernetes/ingress/tree/master/examples/rbac/nginx and https://github.com/kubernetes/ingress/issues/266 rbac: create: true diff --git a/charts/nginx-ingress/Chart.yaml b/charts/nginx-ingress/Chart.yaml deleted file mode 100644 index c5ae506fcc..0000000000 --- a/charts/nginx-ingress/Chart.yaml +++ /dev/null @@ -1,18 +0,0 @@ -apiVersion: v1 -appVersion: 0.30.0 -description: An nginx Ingress controller that uses ConfigMap to store the nginx configuration. -engine: gotpl -home: https://github.com/kubernetes/ingress-nginx -icon: https://upload.wikimedia.org/wikipedia/commons/thumb/c/c5/Nginx_logo.svg/500px-Nginx_logo.svg.png -keywords: -- ingress -- nginx -kubeVersion: '>=1.10.0-0' -maintainers: -- name: ChiefAlexander -- email: Trevor.G.Wood@gmail.com - name: taharah -name: nginx-ingress -sources: -- https://github.com/kubernetes/ingress-nginx -version: 1.36.3 diff --git a/charts/nginx-ingress/OWNERS b/charts/nginx-ingress/OWNERS deleted file mode 100644 index 0001de36cf..0000000000 --- a/charts/nginx-ingress/OWNERS +++ /dev/null @@ -1,6 +0,0 @@ -approvers: -- ChiefAlexander -- taharah -reviewers: -- ChiefAlexander -- taharah diff --git a/charts/nginx-ingress/README.md b/charts/nginx-ingress/README.md deleted file mode 100644 index 87dfdb4387..0000000000 --- a/charts/nginx-ingress/README.md +++ /dev/null 
@@ -1,361 +0,0 @@ -# nginx-ingress - -[nginx-ingress](https://github.com/kubernetes/ingress-nginx) is an Ingress controller that uses ConfigMap to store the nginx configuration. - -To use, add the `kubernetes.io/ingress.class: nginx` annotation to your Ingress resources. - -## TL;DR; - -```console -$ helm install stable/nginx-ingress -``` - -## Introduction - -This chart bootstraps an nginx-ingress deployment on a [Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager. - -## Prerequisites - - - Kubernetes 1.6+ - -## Installing the Chart - -To install the chart with the release name `my-release`: - -```console -$ helm install --name my-release stable/nginx-ingress -``` - -The command deploys nginx-ingress on the Kubernetes cluster in the default configuration. The [configuration](#configuration) section lists the parameters that can be configured during installation. - -> **Tip**: List all releases using `helm list` - -## Uninstalling the Chart - -To uninstall/delete the `my-release` deployment: - -```console -$ helm delete my-release -``` - -The command removes all the Kubernetes components associated with the chart and deletes the release. - -## Configuration - -The following table lists the configurable parameters of the nginx-ingress chart and their default values. - -Parameter | Description | Default ---- | --- | --- -`controller.name` | name of the controller component | `controller` -`controller.image.repository` | controller container image repository | `quay.io/kubernetes-ingress-controller/nginx-ingress-controller` -`controller.image.tag` | controller container image tag | `0.30.0` -`controller.image.pullPolicy` | controller container image pull policy | `IfNotPresent` -`controller.image.runAsUser` | User ID of the controller process. Value depends on the Linux distribution used inside of the container image. 
| `101` -`controller.useComponentLabel` | Wether to add component label so the HPA can work separately for controller and defaultBackend. *Note: don't change this if you have an already running deployment as it will need the recreation of the controller deployment* | `false` -`controller.containerPort.http` | The port that the controller container listens on for http connections. | `80` -`controller.containerPort.https` | The port that the controller container listens on for https connections. | `443` -`controller.config` | nginx [ConfigMap](https://github.com/kubernetes/ingress-nginx/blob/master/docs/user-guide/nginx-configuration/configmap.md) entries | none -`controller.hostNetwork` | If the nginx deployment / daemonset should run on the host's network namespace. Do not set this when `controller.service.externalIPs` is set and `kube-proxy` is used as there will be a port-conflict for port `80` | false -`controller.defaultBackendService` | default 404 backend service; needed only if `defaultBackend.enabled = false` and version < 0.21.0| `""` -`controller.dnsPolicy` | If using `hostNetwork=true`, change to `ClusterFirstWithHostNet`. See [pod's dns policy](https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy) for details | `ClusterFirst` -`controller.dnsConfig` | custom pod dnsConfig. See [pod's dns config](https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-config) for details | `{}` -`controller.reportNodeInternalIp` | If using `hostNetwork=true`, setting `reportNodeInternalIp=true`, will pass the flag `report-node-internal-ip-address` to nginx-ingress. This sets the status of all Ingress objects to the internal IP address of all nodes running the NGINX Ingress controller. 
-`controller.electionID` | election ID to use for the status update | `ingress-controller-leader` -`controller.extraEnvs` | any additional environment variables to set in the pods | `{}` -`controller.extraContainers` | Sidecar containers to add to the controller pod. See [LemonLDAP::NG controller](https://github.com/lemonldap-ng-controller/lemonldap-ng-controller) as example | `{}` -`controller.extraVolumeMounts` | Additional volumeMounts to the controller main container | `{}` -`controller.extraVolumes` | Additional volumes to the controller pod | `{}` -`controller.extraInitContainers` | Containers, which are run before the app containers are started | `[]` -`controller.ingressClass` | name of the ingress class to route through this controller | `nginx` -`controller.maxmindLicenseKey` | Maxmind license key to download GeoLite2 Databases. See [Accessing and using GeoLite2 database](https://blog.maxmind.com/2019/12/18/significant-changes-to-accessing-and-using-geolite2-databases/) | `""` -`controller.scope.enabled` | limit the scope of the ingress controller | `false` (watch all namespaces) -`controller.scope.namespace` | namespace to watch for ingress | `""` (use the release namespace) -`controller.extraArgs` | Additional controller container arguments | `{}` -`controller.kind` | install as Deployment, DaemonSet or Both | `Deployment` -`controller.deploymentAnnotations` | annotations to be added to deployment | `{}` -`controller.autoscaling.enabled` | If true, creates Horizontal Pod Autoscaler | false -`controller.autoscaling.minReplicas` | If autoscaling enabled, this field sets minimum replica count | `2` -`controller.autoscaling.maxReplicas` | If autoscaling enabled, this field sets maximum replica count | `11` -`controller.autoscaling.targetCPUUtilizationPercentage` | Target CPU utilization percentage to scale | `"50"` -`controller.autoscaling.targetMemoryUtilizationPercentage` | Target memory utilization percentage to scale | `"50"` 
-`controller.daemonset.useHostPort` | If `controller.kind` is `DaemonSet`, this will enable `hostPort` for TCP/80 and TCP/443 | false -`controller.daemonset.hostPorts.http` | If `controller.daemonset.useHostPort` is `true` and this is non-empty, it sets the hostPort | `"80"` -`controller.daemonset.hostPorts.https` | If `controller.daemonset.useHostPort` is `true` and this is non-empty, it sets the hostPort | `"443"` -`controller.tolerations` | node taints to tolerate (requires Kubernetes >=1.6) | `[]` -`controller.affinity` | node/pod affinities (requires Kubernetes >=1.6) | `{}` -`controller.terminationGracePeriodSeconds` | how many seconds to wait before terminating a pod | `60` -`controller.minReadySeconds` | how many seconds a pod needs to be ready before killing the next, during update | `0` -`controller.nodeSelector` | node labels for pod assignment | `{}` -`controller.podAnnotations` | annotations to be added to pods | `{}` -`controller.deploymentLabels` | labels to add to the deployment metadata | `{}` -`controller.podLabels` | labels to add to the pod container metadata | `{}` -`controller.podSecurityContext` | Security context policies to add to the controller pod | `{}` -`controller.replicaCount` | desired number of controller pods | `1` -`controller.minAvailable` | minimum number of available controller pods for PodDisruptionBudget | `1` -`controller.resources` | controller pod resource requests & limits | `{}` -`controller.priorityClassName` | controller priorityClassName | `nil` -`controller.lifecycle` | controller pod lifecycle hooks | `{}` -`controller.service.annotations` | annotations for controller service | `{}` -`controller.service.labels` | labels for controller service | `{}` -`controller.publishService.enabled` | if true, the controller will set the endpoint records on the ingress objects to reflect those on the service | `false` -`controller.publishService.pathOverride` | override of the default publish-service name | `""` 
-`controller.service.enabled` | if disabled no service will be created. This is especially useful when `controller.kind` is set to `DaemonSet` and `controller.daemonset.useHostPorts` is `true` | true -`controller.service.clusterIP` | internal controller cluster service IP (set to `"-"` to pass an empty value) | `nil` -`controller.service.omitClusterIP` | (Deprecated) To omit the `clusterIP` from the controller service | `false` -`controller.service.externalIPs` | controller service external IP addresses. Do not set this when `controller.hostNetwork` is set to `true` and `kube-proxy` is used as there will be a port-conflict for port `80` | `[]` -`controller.service.externalTrafficPolicy` | If `controller.service.type` is `NodePort` or `LoadBalancer`, set this to `Local` to enable [source IP preservation](https://kubernetes.io/docs/tutorials/services/source-ip/#source-ip-for-services-with-typenodeport) | `"Cluster"` -`controller.service.sessionAffinity` | Enables client IP based session affinity. Must be `ClientIP` or `None` if set. | `""` -`controller.service.healthCheckNodePort` | If `controller.service.type` is `NodePort` or `LoadBalancer` and `controller.service.externalTrafficPolicy` is set to `Local`, set this to [the managed health-check port the kube-proxy will expose](https://kubernetes.io/docs/tutorials/services/source-ip/#source-ip-for-services-with-typenodeport). 
If blank, a random port in the `NodePort` range will be assigned | `""` -`controller.service.loadBalancerIP` | IP address to assign to load balancer (if supported) | `""` -`controller.service.loadBalancerSourceRanges` | list of IP CIDRs allowed access to load balancer (if supported) | `[]` -`controller.service.enableHttp` | if port 80 should be opened for service | `true` -`controller.service.enableHttps` | if port 443 should be opened for service | `true` -`controller.service.targetPorts.http` | Sets the targetPort that maps to the Ingress' port 80 | `80` -`controller.service.targetPorts.https` | Sets the targetPort that maps to the Ingress' port 443 | `443` -`controller.service.ports.http` | Sets service http port | `80` -`controller.service.ports.https` | Sets service https port | `443` -`controller.service.type` | type of controller service to create | `LoadBalancer` -`controller.service.nodePorts.http` | If `controller.service.type` is either `NodePort` or `LoadBalancer` and this is non-empty, it sets the nodePort that maps to the Ingress' port 80 | `""` -`controller.service.nodePorts.https` | If `controller.service.type` is either `NodePort` or `LoadBalancer` and this is non-empty, it sets the nodePort that maps to the Ingress' port 443 | `""` -`controller.service.nodePorts.tcp` | Sets the nodePort for an entry referenced by its key from `tcp` | `{}` -`controller.service.nodePorts.udp` | Sets the nodePort for an entry referenced by its key from `udp` | `{}` -`controller.livenessProbe.initialDelaySeconds` | Delay before liveness probe is initiated | 10 -`controller.livenessProbe.periodSeconds` | How often to perform the probe | 10 -`controller.livenessProbe.timeoutSeconds` | When the probe times out | 5 -`controller.livenessProbe.successThreshold` | Minimum consecutive successes for the probe to be considered successful after having failed. 
| 1 -`controller.livenessProbe.failureThreshold` | Minimum consecutive failures for the probe to be considered failed after having succeeded. | 3 -`controller.livenessProbe.port` | The port number that the liveness probe will listen on. | 10254 -`controller.readinessProbe.initialDelaySeconds` | Delay before readiness probe is initiated | 10 -`controller.readinessProbe.periodSeconds` | How often to perform the probe | 10 -`controller.readinessProbe.timeoutSeconds` | When the probe times out | 1 -`controller.readinessProbe.successThreshold` | Minimum consecutive successes for the probe to be considered successful after having failed. | 1 -`controller.readinessProbe.failureThreshold` | Minimum consecutive failures for the probe to be considered failed after having succeeded. | 3 -`controller.readinessProbe.port` | The port number that the readiness probe will listen on. | 10254 -`controller.metrics.enabled` | if `true`, enable Prometheus metrics | `false` -`controller.metrics.service.annotations` | annotations for Prometheus metrics service | `{}` -`controller.metrics.service.clusterIP` | cluster IP address to assign to service (set to `"-"` to pass an empty value) | `nil` -`controller.metrics.service.omitClusterIP` | (Deprecated) To omit the `clusterIP` from the metrics service | `false` -`controller.metrics.service.externalIPs` | Prometheus metrics service external IP addresses | `[]` -`controller.metrics.service.labels` | labels for metrics service | `{}` -`controller.metrics.service.loadBalancerIP` | IP address to assign to load balancer (if supported) | `""` -`controller.metrics.service.loadBalancerSourceRanges` | list of IP CIDRs allowed access to load balancer (if supported) | `[]` -`controller.metrics.service.servicePort` | Prometheus metrics service port | `9913` -`controller.metrics.service.type` | type of Prometheus metrics service to create | `ClusterIP` -`controller.metrics.serviceMonitor.enabled` | Set this to `true` to create ServiceMonitor for 
Prometheus operator | `false` -`controller.metrics.serviceMonitor.additionalLabels` | Additional labels that can be used so ServiceMonitor will be discovered by Prometheus | `{}` -`controller.metrics.serviceMonitor.honorLabels` | honorLabels chooses the metric's labels on collisions with target labels. | `false` -`controller.metrics.serviceMonitor.namespace` | namespace where servicemonitor resource should be created | `the same namespace as nginx ingress` -`controller.metrics.serviceMonitor.namespaceSelector` | [namespaceSelector](https://github.com/coreos/prometheus-operator/blob/v0.34.0/Documentation/api.md#namespaceselector) to configure what namespaces to scrape | `will scrape the helm release namespace only` -`controller.metrics.serviceMonitor.scrapeInterval` | interval between Prometheus scraping | `30s` -`controller.metrics.prometheusRule.enabled` | Set this to `true` to create prometheusRules for Prometheus operator | `false` -`controller.metrics.prometheusRule.additionalLabels` | Additional labels that can be used so prometheusRules will be discovered by Prometheus | `{}` -`controller.metrics.prometheusRule.namespace` | namespace where prometheusRules resource should be created | `the same namespace as nginx ingress` -`controller.metrics.prometheusRule.rules` | [rules](https://prometheus.io/docs/prometheus/latest/configuration/alerting_rules/) to be prometheus in YAML format, check values for an example. | `[]` -`controller.admissionWebhooks.enabled` | Create Ingress admission webhooks. Validating webhook will check the ingress syntax. 
| `false` -`controller.admissionWebhooks.failurePolicy` | Failure policy for admission webhooks | `Fail` -`controller.admissionWebhooks.port` | Admission webhook port | `8080` -`controller.admissionWebhooks.service.annotations` | Annotations for admission webhook service | `{}` -`controller.admissionWebhooks.service.omitClusterIP` | (Deprecated) To omit the `clusterIP` from the admission webhook service | `false` -`controller.admissionWebhooks.service.clusterIP` | cluster IP address to assign to admission webhook service (set to `"-"` to pass an empty value) | `nil` -`controller.admissionWebhooks.service.externalIPs` | Admission webhook service external IP addresses | `[]` -`controller.admissionWebhooks.service.loadBalancerIP` | IP address to assign to load balancer (if supported) | `""` -`controller.admissionWebhooks.service.loadBalancerSourceRanges` | List of IP CIDRs allowed access to load balancer (if supported) | `[]` -`controller.admissionWebhooks.service.servicePort` | Admission webhook service port | `443` -`controller.admissionWebhooks.service.type` | Type of admission webhook service to create | `ClusterIP` -`controller.admissionWebhooks.patch.enabled` | If true, will use a pre and post install hooks to generate a CA and certificate to use for validating webhook endpoint, and patch the created webhooks with the CA. 
| `true` -`controller.admissionWebhooks.patch.image.repository` | Repository to use for the webhook integration jobs | `jettech/kube-webhook-certgen` -`controller.admissionWebhooks.patch.image.tag` | Tag to use for the webhook integration jobs | `v1.0.0` -`controller.admissionWebhooks.patch.image.pullPolicy` | Image pull policy for the webhook integration jobs | `IfNotPresent` -`controller.admissionWebhooks.patch.priorityClassName` | Priority class for the webhook integration jobs | `""` -`controller.admissionWebhooks.patch.podAnnotations` | Annotations for the webhook job pods | `{}` -`controller.admissionWebhooks.patch.nodeSelector` | Node selector for running admission hook patch jobs | `{}` -`controller.customTemplate.configMapName` | configMap containing a custom nginx template | `""` -`controller.customTemplate.configMapKey` | configMap key containing the nginx template | `""` -`controller.addHeaders` | configMap key:value pairs containing [custom headers](https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#add-headers) added before sending response to the client | `{}` -`controller.proxySetHeaders` | configMap key:value pairs containing [custom headers](https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#proxy-set-headers) added before sending request to the backends| `{}` -`controller.headers` | DEPRECATED, Use `controller.proxySetHeaders` instead. 
| `{}` -`controller.updateStrategy` | allows setting of RollingUpdate strategy | `{}` -`controller.configMapNamespace` | The nginx-configmap namespace name | `""` -`controller.tcp.configMapNamespace` | The tcp-services-configmap namespace name | `""` -`controller.udp.configMapNamespace` | The udp-services-configmap namespace name | `""` -`defaultBackend.enabled` | Use default backend component | `true` -`defaultBackend.name` | name of the default backend component | `default-backend` -`defaultBackend.image.repository` | default backend container image repository | `k8s.gcr.io/defaultbackend-amd64` -`defaultBackend.image.tag` | default backend container image tag | `1.5` -`defaultBackend.image.pullPolicy` | default backend container image pull policy | `IfNotPresent` -`defaultBackend.image.runAsUser` | User ID of the controller process. Value depends on the Linux distribution used inside of the container image. By default uses nobody user. | `65534` -`defaultBackend.useComponentLabel` | Whether to add component label so the HPA can work separately for controller and defaultBackend. *Note: don't change this if you have an already running deployment as it will need the recreation of the defaultBackend deployment* | `false` -`defaultBackend.extraArgs` | Additional default backend container arguments | `{}` -`defaultBackend.extraEnvs` | any additional environment variables to set in the defaultBackend pods | `[]` -`defaultBackend.port` | Http port number | `8080` -`defaultBackend.livenessProbe.initialDelaySeconds` | Delay before liveness probe is initiated | 30 -`defaultBackend.livenessProbe.periodSeconds` | How often to perform the probe | 10 -`defaultBackend.livenessProbe.timeoutSeconds` | When the probe times out | 5 -`defaultBackend.livenessProbe.successThreshold` | Minimum consecutive successes for the probe to be considered successful after having failed. 
| 1 -`defaultBackend.livenessProbe.failureThreshold` | Minimum consecutive failures for the probe to be considered failed after having succeeded. | 3 -`defaultBackend.readinessProbe.initialDelaySeconds` | Delay before readiness probe is initiated | 0 -`defaultBackend.readinessProbe.periodSeconds` | How often to perform the probe | 5 -`defaultBackend.readinessProbe.timeoutSeconds` | When the probe times out | 5 -`defaultBackend.readinessProbe.successThreshold` | Minimum consecutive successes for the probe to be considered successful after having failed. | 1 -`defaultBackend.readinessProbe.failureThreshold` | Minimum consecutive failures for the probe to be considered failed after having succeeded. | 6 -`defaultBackend.tolerations` | node taints to tolerate (requires Kubernetes >=1.6) | `[]` -`defaultBackend.affinity` | node/pod affinities (requires Kubernetes >=1.6) | `{}` -`defaultBackend.nodeSelector` | node labels for pod assignment | `{}` -`defaultBackend.podAnnotations` | annotations to be added to pods | `{}` -`defaultBackend.deploymentLabels` | labels to add to the deployment metadata | `{}` -`defaultBackend.podLabels` | labels to add to the pod container metadata | `{}` -`defaultBackend.replicaCount` | desired number of default backend pods | `1` -`defaultBackend.minAvailable` | minimum number of available default backend pods for PodDisruptionBudget | `1` -`defaultBackend.resources` | default backend pod resource requests & limits | `{}` -`defaultBackend.priorityClassName` | default backend priorityClassName | `nil` -`defaultBackend.podSecurityContext` | Security context policies to add to the default backend | `{}` -`defaultBackend.service.annotations` | annotations for default backend service | `{}` -`defaultBackend.service.clusterIP` | internal default backend cluster service IP (set to `"-"` to pass an empty value) | `nil` -`defaultBackend.service.omitClusterIP` | (Deprecated) To omit the `clusterIP` from the default backend service | `false` 
-`defaultBackend.service.externalIPs` | default backend service external IP addresses | `[]` -`defaultBackend.service.loadBalancerIP` | IP address to assign to load balancer (if supported) | `""` -`defaultBackend.service.loadBalancerSourceRanges` | list of IP CIDRs allowed access to load balancer (if supported) | `[]` -`defaultBackend.service.type` | type of default backend service to create | `ClusterIP` -`defaultBackend.serviceAccount.create` | if `true`, create a backend service account. Only useful if you need a pod security policy to run the backend. | `true` -`defaultBackend.serviceAccount.name` | The name of the backend service account to use. If not set and `create` is `true`, a name is generated using the fullname template. Only useful if you need a pod security policy to run the backend. | `` -`imagePullSecrets` | name of Secret resource containing private registry credentials | `nil` -`rbac.create` | if `true`, create & use RBAC resources | `true` -`rbac.scope` | if `true`, do not create & use clusterrole and -binding. Set to `true` in combination with `controller.scope.enabled=true` to disable load-balancer status updates and scope the ingress entirely. | `false` -`podSecurityPolicy.enabled` | if `true`, create & use Pod Security Policy resources | `false` -`serviceAccount.create` | if `true`, create a service account for the controller | `true` -`serviceAccount.name` | The name of the controller service account to use. If not set and `create` is `true`, a name is generated using the fullname template. | `` -`revisionHistoryLimit` | The number of old history to retain to allow rollback. | `10` -`tcp` | TCP service key:value pairs. The value is evaluated as a template. | `{}` -`udp` | UDP service key:value pairs The value is evaluated as a template. 
| `{}` -`releaseLabelOverride` | If provided, the value will be used as the `release` label instead of .Release.Name | `""` - -These parameters can be passed via Helm's `--set` option -```console -$ helm install stable/nginx-ingress --name my-release \ - --set controller.metrics.enabled=true -``` - -Alternatively, a YAML file that specifies the values for the parameters can be provided while installing the chart. For example, - -```console -$ helm install stable/nginx-ingress --name my-release -f values.yaml -``` - -A useful trick to debug issues with ingress is to increase the logLevel -as described [here](https://github.com/kubernetes/ingress-nginx/blob/master/docs/troubleshooting.md#debug) - -```console -$ helm install stable/nginx-ingress --set controller.extraArgs.v=2 -``` -> **Tip**: You can use the default [values.yaml](values.yaml) - -## PodDisruptionBudget - -Note that the PodDisruptionBudget resource will only be defined if the replicaCount is greater than one, -else it would make it impossible to evacuate a node. See [gh issue #7127](https://github.com/helm/charts/issues/7127) for more info. - -## Prometheus Metrics - -The Nginx ingress controller can export Prometheus metrics. - -```console -$ helm install stable/nginx-ingress --name my-release \ - --set controller.metrics.enabled=true -``` - -You can add Prometheus annotations to the metrics service using `controller.metrics.service.annotations`. Alternatively, if you use the Prometheus Operator, you can enable ServiceMonitor creation using `controller.metrics.serviceMonitor.enabled`. 
- -## nginx-ingress nginx\_status page/stats server - -Previous versions of this chart had a `controller.stats.*` configuration block, which is now obsolete due to the following changes in nginx ingress controller: -* in [0.16.1](https://github.com/kubernetes/ingress-nginx/blob/master/Changelog.md#0161), the vts (virtual host traffic status) dashboard was removed -* in [0.23.0](https://github.com/kubernetes/ingress-nginx/blob/master/Changelog.md#0230), the status page at port 18080 is now a unix socket webserver only available at localhost. - You can use `curl --unix-socket /tmp/nginx-status-server.sock http://localhost/nginx_status` inside the controller container to access it locally, or use the snippet from [nginx-ingress changelog](https://github.com/kubernetes/ingress-nginx/blob/master/Changelog.md#0230) to re-enable the http server - -## ExternalDNS Service configuration - -Add an [ExternalDNS](https://github.com/kubernetes-sigs/external-dns) annotation to the LoadBalancer service: - -```yaml -controller: - service: - annotations: - external-dns.alpha.kubernetes.io/hostname: kubernetes-example.com. -``` - -## AWS L7 ELB with SSL Termination - -Annotate the controller as shown in the [nginx-ingress l7 patch](https://github.com/kubernetes/ingress-nginx/blob/master/deploy/aws/l7/service-l7.yaml): - -```yaml -controller: - service: - targetPorts: - http: http - https: http - annotations: - service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:acm:XX-XXXX-X:XXXXXXXXX:certificate/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXX - service.beta.kubernetes.io/aws-load-balancer-backend-protocol: "http" - service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "https" - service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: '3600' -``` - -## AWS L4 NLB with SSL Redirection - -`ssl-redirect` and `force-ssl-redirect` flag are not working with AWS Network Load Balancer. 
You need to turn if off and add additional port with `server-snippet` in order to make it work. - -The port NLB `80` will be mapped to nginx container port `80` and NLB port `443` will be mapped to nginx container port `8000` (special). Then we use `$server_port` to manage redirection on port `80` -``` -controller: - config: - ssl-redirect: "false" # we use `special` port to control ssl redirection - server-snippet: | - listen 8000; - if ( $server_port = 80 ) { - return 308 https://$host$request_uri; - } - containerPort: - http: 80 - https: 443 - special: 8000 - service: - targetPorts: - http: http - https: special - annotations: - service.beta.kubernetes.io/aws-load-balancer-backend-protocol: "tcp" - service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "443" - service.beta.kubernetes.io/aws-load-balancer-ssl-cert: "your-arn" - service.beta.kubernetes.io/aws-load-balancer-type: "nlb" -``` - -## AWS route53-mapper - -To configure the LoadBalancer service with the [route53-mapper addon](https://github.com/kubernetes/kops/tree/master/addons/route53-mapper), add the `domainName` annotation and `dns` label: - -```yaml -controller: - service: - labels: - dns: "route53" - annotations: - domainName: "kubernetes-example.com" -``` - -## Ingress Admission Webhooks - -With nginx-ingress-controller version 0.25+, the nginx ingress controller pod exposes an endpoint that will integrate with the `validatingwebhookconfiguration` Kubernetes feature to prevent bad ingress from being added to the cluster. 
-
-With nginx-ingress-controller in 0.25.* work only with kubernetes 1.14+, 0.26 fix [this issue](https://github.com/kubernetes/ingress-nginx/pull/4521)
-
-## Helm error when upgrading: spec.clusterIP: Invalid value: ""
-
-If you are upgrading this chart from a version between 0.31.0 and 1.2.2 then you may get an error like this:
-
-```
-Error: UPGRADE FAILED: Service "?????-controller" is invalid: spec.clusterIP: Invalid value: "": field is immutable
-```
-
-Detail of how and why are in [this issue](https://github.com/helm/charts/pull/13646) but to resolve this you can set `xxxx.service.omitClusterIP` to `true` where `xxxx` is the service referenced in the error.
-
-As of version `1.26.0` of this chart, by simply not providing any clusterIP value, `invalid: spec.clusterIP: Invalid value: "": field is immutable` will no longer occur since `clusterIP: ""` will not be rendered.
diff --git a/charts/nginx-ingress/ci/daemonset-customconfig-values.yaml b/charts/nginx-ingress/ci/daemonset-customconfig-values.yaml
deleted file mode 100644
index f12eac3f91..0000000000
--- a/charts/nginx-ingress/ci/daemonset-customconfig-values.yaml
+++ /dev/null
@@ -1,4 +0,0 @@
-controller:
- kind: DaemonSet
- config:
- use-proxy-protocol: "true"
diff --git a/charts/nginx-ingress/ci/deamonset-default-values.yaml b/charts/nginx-ingress/ci/deamonset-default-values.yaml
deleted file mode 100644
index ddb25623a3..0000000000
--- a/charts/nginx-ingress/ci/deamonset-default-values.yaml
+++ /dev/null
@@ -1,2 +0,0 @@
-controller:
- kind: DaemonSet
diff --git a/charts/nginx-ingress/ci/deamonset-metrics-values.yaml b/charts/nginx-ingress/ci/deamonset-metrics-values.yaml
deleted file mode 100644
index 5ce435d532..0000000000
--- a/charts/nginx-ingress/ci/deamonset-metrics-values.yaml
+++ /dev/null
@@ -1,4 +0,0 @@
-controller:
- kind: DaemonSet
- metrics:
- enabled: true
diff --git a/charts/nginx-ingress/ci/deployment-autoscaling-values.yaml b/charts/nginx-ingress/ci/deployment-autoscaling-values.yaml
deleted file mode 100644
index e9701daa7f..0000000000
--- a/charts/nginx-ingress/ci/deployment-autoscaling-values.yaml
+++ /dev/null
@@ -1,3 +0,0 @@
-controller:
- autoscaling:
- enabled: true
diff --git a/charts/nginx-ingress/ci/deployment-customconfig-values.yaml b/charts/nginx-ingress/ci/deployment-customconfig-values.yaml
deleted file mode 100644
index 401aea4228..0000000000
--- a/charts/nginx-ingress/ci/deployment-customconfig-values.yaml
+++ /dev/null
@@ -1,3 +0,0 @@
-controller:
- config:
- use-proxy-protocol: "true"
diff --git a/charts/nginx-ingress/ci/deployment-default-values.yaml b/charts/nginx-ingress/ci/deployment-default-values.yaml
deleted file mode 100644
index b15f0e4152..0000000000
--- a/charts/nginx-ingress/ci/deployment-default-values.yaml
+++ /dev/null
@@ -1 +0,0 @@
-# Left blank to test default values
diff --git a/charts/nginx-ingress/ci/deployment-metrics-values.yaml b/charts/nginx-ingress/ci/deployment-metrics-values.yaml
deleted file mode 100644
index 9a93fa5264..0000000000
--- a/charts/nginx-ingress/ci/deployment-metrics-values.yaml
+++ /dev/null
@@ -1,3 +0,0 @@
-controller:
- metrics:
- enabled: true
diff --git a/charts/nginx-ingress/ci/deployment-psp-values.yaml b/charts/nginx-ingress/ci/deployment-psp-values.yaml
deleted file mode 100644
index 7aae8605d5..0000000000
--- a/charts/nginx-ingress/ci/deployment-psp-values.yaml
+++ /dev/null
@@ -1,2 +0,0 @@
-podSecurityPolicy:
- enabled: true
diff --git a/charts/nginx-ingress/ci/deployment-tcp-values.yaml b/charts/nginx-ingress/ci/deployment-tcp-values.yaml
deleted file mode 100644
index c8bc20494d..0000000000
--- a/charts/nginx-ingress/ci/deployment-tcp-values.yaml
+++ /dev/null
@@ -1,3 +0,0 @@
-tcp:
- 9000: "default/test:8080"
- 9001: "default/test:8080"
diff --git a/charts/nginx-ingress/templates/addheaders-configmap.yaml b/charts/nginx-ingress/templates/addheaders-configmap.yaml
deleted file mode 100644
index 534b133c68..0000000000
--- a/charts/nginx-ingress/templates/addheaders-configmap.yaml
+++ /dev/null
@@ -1,14 +0,0 @@
-{{- if .Values.controller.addHeaders }}
-apiVersion: v1
-kind: ConfigMap
-metadata:
- labels:
- app: {{ template "nginx-ingress.name" . }}
- chart: {{ template "nginx-ingress.chart" . }}
- component: "{{ .Values.controller.name }}"
- heritage: {{ .Release.Service }}
- release: {{ template "nginx-ingress.releaseLabel" . }}
- name: {{ template "nginx-ingress.fullname" . }}-custom-add-headers
-data:
-{{ toYaml .Values.controller.addHeaders | indent 2 }}
-{{- end }}
diff --git a/charts/nginx-ingress/templates/admission-webhooks/job-patch/clusterrolebinding.yaml b/charts/nginx-ingress/templates/admission-webhooks/job-patch/clusterrolebinding.yaml
deleted file mode 100644
index c99fdf853b..0000000000
--- a/charts/nginx-ingress/templates/admission-webhooks/job-patch/clusterrolebinding.yaml
+++ /dev/null
@@ -1,23 +0,0 @@
-{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled }}
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: {{ template "nginx-ingress.fullname" . }}-admission
- annotations:
- "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
- "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
- labels:
- app: {{ template "nginx-ingress.name" . }}
- chart: {{ template "nginx-ingress.chart" . }}
- component: "{{ .Values.controller.name }}"
- heritage: {{ .Release.Service }}
- release: {{ template "nginx-ingress.releaseLabel" . }}
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: {{ template "nginx-ingress.fullname" . }}-admission
-subjects:
- - kind: ServiceAccount
- name: {{ template "nginx-ingress.fullname" . }}-admission
- namespace: {{ .Release.Namespace }}
-{{- end }}
diff --git a/charts/nginx-ingress/templates/admission-webhooks/job-patch/job-createSecret.yaml b/charts/nginx-ingress/templates/admission-webhooks/job-patch/job-createSecret.yaml
deleted file mode 100644
index 0a409a7096..0000000000
--- a/charts/nginx-ingress/templates/admission-webhooks/job-patch/job-createSecret.yaml
+++ /dev/null
@@ -1,55 +0,0 @@
-{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled }}
-apiVersion: batch/v1
-kind: Job
-metadata:
- name: {{ template "nginx-ingress.fullname" . }}-admission-create
- annotations:
- "helm.sh/hook": pre-install,pre-upgrade
- "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
- labels:
- app: {{ template "nginx-ingress.name" . }}
- chart: {{ template "nginx-ingress.chart" . }}
- component: "{{ .Values.controller.name }}"
- heritage: {{ .Release.Service }}
- release: {{ template "nginx-ingress.releaseLabel" . }}
-spec:
- {{- if .Capabilities.APIVersions.Has "batch/v1alpha1" }}
- # Alpha feature since k8s 1.12
- ttlSecondsAfterFinished: 0
- {{- end }}
- template:
- metadata:
- name: {{ template "nginx-ingress.fullname" . }}-admission-create
-{{- with .Values.controller.admissionWebhooks.patch.podAnnotations }}
- annotations:
-{{ toYaml . | indent 8 }}
-{{- end }}
- labels:
- app: {{ template "nginx-ingress.name" . }}
- chart: {{ template "nginx-ingress.chart" . }}
- component: "{{ .Values.controller.name }}"
- heritage: {{ .Release.Service }}
- release: {{ template "nginx-ingress.releaseLabel" . }}
- spec:
- {{- if .Values.controller.admissionWebhooks.patch.priorityClassName }}
- priorityClassName: {{ .Values.controller.admissionWebhooks.patch.priorityClassName }}
- {{- end }}
- containers:
- - name: create
- image: {{ .Values.controller.admissionWebhooks.patch.image.repository }}:{{ .Values.controller.admissionWebhooks.patch.image.tag }}
- imagePullPolicy: {{ .Values.controller.admissionWebhooks.patch.image.pullPolicy }}
- args:
- - create
- - --host={{ template "nginx-ingress.controller.fullname" . }}-admission,{{ template "nginx-ingress.controller.fullname" . }}-admission.{{ .Release.Namespace }}.svc
- - --namespace={{ .Release.Namespace }}
- - --secret-name={{ template "nginx-ingress.fullname". 
}}-admission
- restartPolicy: OnFailure
- serviceAccountName: {{ template "nginx-ingress.fullname" . }}-admission
- {{- with .Values.controller.admissionWebhooks.patch.nodeSelector }}
- nodeSelector:
-{{ toYaml . | indent 8 }}
- {{- end }}
- securityContext:
- runAsNonRoot: true
- runAsUser: 2000
-{{- end }}
diff --git a/charts/nginx-ingress/templates/admission-webhooks/job-patch/job-patchWebhook.yaml b/charts/nginx-ingress/templates/admission-webhooks/job-patch/job-patchWebhook.yaml
deleted file mode 100644
index 0b890582b5..0000000000
--- a/charts/nginx-ingress/templates/admission-webhooks/job-patch/job-patchWebhook.yaml
+++ /dev/null
@@ -1,57 +0,0 @@
-{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled }}
-apiVersion: batch/v1
-kind: Job
-metadata:
- name: {{ template "nginx-ingress.fullname" . }}-admission-patch
- annotations:
- "helm.sh/hook": post-install,post-upgrade
- "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
- labels:
- app: {{ template "nginx-ingress.name" . }}
- chart: {{ template "nginx-ingress.chart" . }}
- component: "{{ .Values.controller.name }}"
- heritage: {{ .Release.Service }}
- release: {{ template "nginx-ingress.releaseLabel" . }}
-spec:
- {{- if .Capabilities.APIVersions.Has "batch/v1alpha1" }}
- # Alpha feature since k8s 1.12
- ttlSecondsAfterFinished: 0
- {{- end }}
- template:
- metadata:
- name: {{ template "nginx-ingress.fullname" . }}-admission-patch
-{{- with .Values.controller.admissionWebhooks.patch.podAnnotations }}
- annotations:
-{{ toYaml . | indent 8 }}
-{{- end }}
- labels:
- app: {{ template "nginx-ingress.name" . }}
- chart: {{ template "nginx-ingress.chart" . }}
- component: "{{ .Values.controller.name }}"
- heritage: {{ .Release.Service }}
- release: {{ template "nginx-ingress.releaseLabel" . }}
- spec:
- {{- if .Values.controller.admissionWebhooks.patch.priorityClassName }}
- priorityClassName: {{ .Values.controller.admissionWebhooks.patch.priorityClassName }}
- {{- end }}
- containers:
- - name: patch
- image: {{ .Values.controller.admissionWebhooks.patch.image.repository }}:{{ .Values.controller.admissionWebhooks.patch.image.tag }}
- imagePullPolicy: {{ .Values.controller.admissionWebhooks.patch.pullPolicy }}
- args:
- - patch
- - --webhook-name={{ template "nginx-ingress.fullname" . }}-admission
- - --namespace={{ .Release.Namespace }}
- - --patch-mutating=false
- - --secret-name={{ template "nginx-ingress.fullname". 
}}-admission
- - --patch-failure-policy={{ .Values.controller.admissionWebhooks.failurePolicy }}
- restartPolicy: OnFailure
- serviceAccountName: {{ template "nginx-ingress.fullname" . }}-admission
- {{- with .Values.controller.admissionWebhooks.patch.nodeSelector }}
- nodeSelector:
-{{ toYaml . | indent 8 }}
- {{- end }}
- securityContext:
- runAsNonRoot: true
- runAsUser: 2000
-{{- end }}
diff --git a/charts/nginx-ingress/templates/admission-webhooks/job-patch/rolebinding.yaml b/charts/nginx-ingress/templates/admission-webhooks/job-patch/rolebinding.yaml
deleted file mode 100644
index 0e4873fc58..0000000000
--- a/charts/nginx-ingress/templates/admission-webhooks/job-patch/rolebinding.yaml
+++ /dev/null
@@ -1,23 +0,0 @@
-{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled }}
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: {{ template "nginx-ingress.fullname" . }}-admission
- annotations:
- "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
- "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
- labels:
- app: {{ template "nginx-ingress.name" . }}
- chart: {{ template "nginx-ingress.chart" . }}
- component: "{{ .Values.controller.name }}"
- heritage: {{ .Release.Service }}
- release: {{ template "nginx-ingress.releaseLabel" . }}
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: Role
- name: {{ template "nginx-ingress.fullname" . }}-admission
-subjects:
- - kind: ServiceAccount
- name: {{ template "nginx-ingress.fullname" . }}-admission
- namespace: {{ .Release.Namespace }}
-{{- end }}
diff --git a/charts/nginx-ingress/templates/admission-webhooks/job-patch/serviceaccount.yaml b/charts/nginx-ingress/templates/admission-webhooks/job-patch/serviceaccount.yaml
deleted file mode 100644
index c0822f9c31..0000000000
--- a/charts/nginx-ingress/templates/admission-webhooks/job-patch/serviceaccount.yaml
+++ /dev/null
@@ -1,15 +0,0 @@
-{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled }}
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: {{ template "nginx-ingress.fullname" . }}-admission
- annotations:
- "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
- "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
- labels:
- app: {{ template "nginx-ingress.name" . }}
- chart: {{ template "nginx-ingress.chart" . }}
- component: "{{ .Values.controller.name }}"
- heritage: {{ .Release.Service }}
- release: {{ template "nginx-ingress.releaseLabel" . }}
-{{- end }}
diff --git a/charts/nginx-ingress/templates/admission-webhooks/validating-webhook.yaml b/charts/nginx-ingress/templates/admission-webhooks/validating-webhook.yaml
deleted file mode 100644
index cd962e5eb3..0000000000
--- a/charts/nginx-ingress/templates/admission-webhooks/validating-webhook.yaml
+++ /dev/null
@@ -1,31 +0,0 @@
-{{- if .Values.controller.admissionWebhooks.enabled }}
-apiVersion: admissionregistration.k8s.io/v1beta1
-kind: ValidatingWebhookConfiguration
-metadata:
- labels:
- app: {{ template "nginx-ingress.name" . }}-admission
- chart: {{ template "nginx-ingress.chart" . }}
- component: "admission-webhook"
- heritage: {{ .Release.Service }}
- release: {{ template "nginx-ingress.releaseLabel" . }}
- name: {{ template "nginx-ingress.fullname" . }}-admission
-webhooks:
- - name: validate.nginx.ingress.kubernetes.io
- rules:
- - apiGroups:
- - extensions
- - networking.k8s.io
- apiVersions:
- - v1beta1
- operations:
- - CREATE
- - UPDATE
- resources:
- - ingresses
- failurePolicy: Fail
- clientConfig:
- service:
- namespace: {{ .Release.Namespace }}
- name: {{ template "nginx-ingress.controller.fullname" . }}-admission
- path: /extensions/v1beta1/ingresses
-{{- end }}
diff --git a/charts/nginx-ingress/templates/clusterrolebinding.yaml b/charts/nginx-ingress/templates/clusterrolebinding.yaml
deleted file mode 100644
index 39decdac14..0000000000
--- a/charts/nginx-ingress/templates/clusterrolebinding.yaml
+++ /dev/null
@@ -1,19 +0,0 @@
-{{- if and (.Values.rbac.create) (not .Values.rbac.scope) -}}
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- labels:
- app: {{ template "nginx-ingress.name" . }}
- chart: {{ template "nginx-ingress.chart" . }}
- heritage: {{ .Release.Service }}
- release: {{ template "nginx-ingress.releaseLabel" . }}
- name: {{ template "nginx-ingress.fullname" . }}
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: {{ template "nginx-ingress.fullname" . }}
-subjects:
- - kind: ServiceAccount
- name: {{ template "nginx-ingress.serviceAccountName" . }}
- namespace: {{ .Release.Namespace }}
-{{- end -}}
diff --git a/charts/nginx-ingress/templates/controller-configmap.yaml b/charts/nginx-ingress/templates/controller-configmap.yaml
deleted file mode 100644
index 25625b4447..0000000000
--- a/charts/nginx-ingress/templates/controller-configmap.yaml
+++ /dev/null
@@ -1,22 +0,0 @@
-{{- if or .Values.controller.config (or (or .Values.controller.proxySetHeaders .Values.controller.headers) .Values.controller.addHeaders) }}
-apiVersion: v1
-kind: ConfigMap
-metadata:
- labels:
- app: {{ template "nginx-ingress.name" . }}
- chart: {{ template "nginx-ingress.chart" . }}
- component: "{{ .Values.controller.name }}"
- heritage: {{ .Release.Service }}
- release: {{ template "nginx-ingress.releaseLabel" . }}
- name: {{ template "nginx-ingress.controller.fullname" . }}
-data:
-{{- if .Values.controller.addHeaders }}
- add-headers: {{ .Release.Namespace }}/{{ template "nginx-ingress.fullname" . }}-custom-add-headers
-{{- end }}
-{{- if or .Values.controller.proxySetHeaders .Values.controller.headers }}
- proxy-set-headers: {{ .Release.Namespace }}/{{ template "nginx-ingress.fullname" . }}-custom-proxy-headers
-{{- end }}
-{{- if .Values.controller.config }}
-{{ toYaml .Values.controller.config | indent 2 }}
-{{- end }}
-{{- end }}
diff --git a/charts/nginx-ingress/templates/controller-deployment.yaml b/charts/nginx-ingress/templates/controller-deployment.yaml
deleted file mode 100644
index f8b5c66a21..0000000000
--- a/charts/nginx-ingress/templates/controller-deployment.yaml
+++ /dev/null
@@ -1,255 +0,0 @@ -{{- if or (eq .Values.controller.kind "Deployment") (eq .Values.controller.kind "Both") }} -apiVersion: {{ template "deployment.apiVersion" . }} -kind: Deployment -metadata: - labels: - app: {{ template "nginx-ingress.name" . }} - chart: {{ template "nginx-ingress.chart" . }} - heritage: {{ .Release.Service }} - release: {{ template "nginx-ingress.releaseLabel" . }} - app.kubernetes.io/component: controller - {{- if .Values.controller.deploymentLabels }} -{{ toYaml .Values.controller.deploymentLabels | indent 4 }} - {{- end }} - name: {{ template "nginx-ingress.controller.fullname" . }} - annotations: -{{ toYaml .Values.controller.deploymentAnnotations | indent 4}} -spec: - selector: - matchLabels: - app: {{ template "nginx-ingress.name" . }} - release: {{ template "nginx-ingress.releaseLabel" . }} - {{- if .Values.controller.useComponentLabel }} - app.kubernetes.io/component: controller - {{- end }} -{{- if not .Values.controller.autoscaling.enabled }} - replicas: {{ .Values.controller.replicaCount }} -{{- end }} - revisionHistoryLimit: {{ .Values.revisionHistoryLimit }} - strategy: -{{ toYaml .Values.controller.updateStrategy | indent 4 }} - minReadySeconds: {{ .Values.controller.minReadySeconds }} - template: - metadata: - {{- if .Values.controller.podAnnotations }} - annotations: - {{- range $key, $value := .Values.controller.podAnnotations }} - {{ $key }}: {{ $value | quote }} - {{- end }} - {{- end }} - labels: - app: {{ template "nginx-ingress.name" . }} - release: {{ template "nginx-ingress.releaseLabel" . 
}} - component: "{{ .Values.controller.name }}" - app.kubernetes.io/component: controller - {{- if .Values.controller.podLabels }} -{{ toYaml .Values.controller.podLabels | indent 8 }} - {{- end }} - spec: -{{- if .Values.controller.dnsConfig }} - dnsConfig: -{{ toYaml .Values.controller.dnsConfig | indent 8 }} -{{- end }} - dnsPolicy: {{ .Values.controller.dnsPolicy }} - {{- if .Values.imagePullSecrets }} - imagePullSecrets: -{{ toYaml .Values.imagePullSecrets | indent 8 }} - {{- end }} -{{- if .Values.controller.priorityClassName }} - priorityClassName: "{{ .Values.controller.priorityClassName }}" -{{- end }} - {{- if .Values.controller.podSecurityContext }} - securityContext: -{{ toYaml .Values.controller.podSecurityContext | indent 8 }} - {{- end }} - containers: - - name: {{ template "nginx-ingress.name" . }}-{{ .Values.controller.name }} - image: "{{ .Values.controller.image.repository }}:{{ .Values.controller.image.tag }}" - imagePullPolicy: "{{ .Values.controller.image.pullPolicy }}" - {{- if .Values.controller.lifecycle }} - lifecycle: -{{ toYaml .Values.controller.lifecycle | indent 12 }} - {{- end }} - args: - - /nginx-ingress-controller - {{- if .Values.defaultBackend.enabled }} - - --default-backend-service={{ .Release.Namespace }}/{{ template "nginx-ingress.defaultBackend.fullname" . }} - {{- else }} - {{- if (semverCompare "<0.21.0" .Values.controller.image.tag) }} - - --default-backend-service={{ required ".Values.controller.defaultBackendService is required if .Values.defaultBackend.enabled=false and .Values.controller.image.tag < 0.21.0" .Values.controller.defaultBackendService }} - {{- else if .Values.controller.defaultBackendService }} - - --default-backend-service={{ .Values.controller.defaultBackendService }} - {{- end }} - {{- end }} - {{- if and (semverCompare ">=0.9.0-beta.1" .Values.controller.image.tag) .Values.controller.publishService.enabled }} - - --publish-service={{ template "nginx-ingress.controller.publishServicePath" . 
}} - {{- end }} - {{- if (semverCompare ">=0.9.0-beta.1" .Values.controller.image.tag) }} - - --election-id={{ .Values.controller.electionID }} - {{- end }} - {{- if (semverCompare ">=0.9.0-beta.1" .Values.controller.image.tag) }} - - --ingress-class={{ .Values.controller.ingressClass }} - {{- end }} - {{- if (semverCompare ">=0.9.0-beta.1" .Values.controller.image.tag) }} - - --configmap={{ default .Release.Namespace .Values.controller.configMapNamespace }}/{{ template "nginx-ingress.controller.fullname" . }} - {{- else }} - - --nginx-configmap={{ default .Release.Namespace .Values.controller.configMapNamespace }}/{{ template "nginx-ingress.controller.fullname" . }} - {{- end }} - {{- if .Values.tcp }} - - --tcp-services-configmap={{ default .Release.Namespace .Values.controller.tcp.configMapNamespace }}/{{ template "nginx-ingress.fullname" . }}-tcp - {{- end }} - {{- if .Values.udp }} - - --udp-services-configmap={{ default .Release.Namespace .Values.controller.udp.configMapNamespace }}/{{ template "nginx-ingress.fullname" . 
}}-udp - {{- end }} - {{- if .Values.controller.scope.enabled }} - - --watch-namespace={{ default .Release.Namespace .Values.controller.scope.namespace }} - {{- end }} - {{- if and (.Values.controller.scope.enabled) (.Values.rbac.scope) }} - - --update-status=false - {{- end }} - {{- if and (.Values.controller.reportNodeInternalIp) (.Values.controller.hostNetwork) }} - - --report-node-internal-ip-address={{ .Values.controller.reportNodeInternalIp }} - {{- end }} - {{- if .Values.controller.admissionWebhooks.enabled }} - - --validating-webhook=:{{ .Values.controller.admissionWebhooks.port }} - - --validating-webhook-certificate=/usr/local/certificates/cert - - --validating-webhook-key=/usr/local/certificates/key - {{- end }} - {{- if .Values.controller.maxmindLicenseKey }} - - --maxmind-license-key={{ .Values.controller.maxmindLicenseKey }} - {{- end }} - {{- range $key, $value := .Values.controller.extraArgs }} - {{- if $value }} - - --{{ $key }}={{ $value }} - {{- else }} - - --{{ $key }} - {{- end }} - {{- end }} - {{- if (semverCompare ">=0.16.0" .Values.controller.image.tag) }} - securityContext: - capabilities: - drop: - - ALL - add: - - NET_BIND_SERVICE - runAsUser: {{ .Values.controller.image.runAsUser }} - allowPrivilegeEscalation: {{ .Values.controller.image.allowPrivilegeEscalation }} - {{- end }} - env: - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - {{- if .Values.controller.extraEnvs }} -{{ toYaml .Values.controller.extraEnvs | indent 12 }} - {{- end }} - livenessProbe: - httpGet: - path: /healthz - port: {{ .Values.controller.livenessProbe.port }} - scheme: HTTP - initialDelaySeconds: {{ .Values.controller.livenessProbe.initialDelaySeconds }} - periodSeconds: {{ .Values.controller.livenessProbe.periodSeconds }} - timeoutSeconds: {{ .Values.controller.livenessProbe.timeoutSeconds }} - successThreshold: {{ 
.Values.controller.livenessProbe.successThreshold }} - failureThreshold: {{ .Values.controller.livenessProbe.failureThreshold }} - ports: - {{- range $key, $value := .Values.controller.containerPort }} - - name: {{ $key }} - containerPort: {{ $value }} - protocol: TCP - {{- end }} - {{- if .Values.controller.metrics.enabled }} - - name: metrics - containerPort: {{ .Values.controller.metrics.port }} - protocol: TCP - {{- end }} - {{- if .Values.controller.admissionWebhooks.enabled }} - - name: webhook - containerPort: {{ .Values.controller.admissionWebhooks.port }} - protocol: TCP - {{- end }} - {{- range $key, $value := .Values.tcp }} - - name: "{{ $key }}-tcp" - containerPort: {{ $key }} - protocol: TCP - {{- end }} - {{- range $key, $value := .Values.udp }} - - name: "{{ $key }}-udp" - containerPort: {{ $key }} - protocol: UDP - {{- end }} - readinessProbe: - httpGet: - path: /healthz - port: {{ .Values.controller.readinessProbe.port }} - scheme: HTTP - initialDelaySeconds: {{ .Values.controller.readinessProbe.initialDelaySeconds }} - periodSeconds: {{ .Values.controller.readinessProbe.periodSeconds }} - timeoutSeconds: {{ .Values.controller.readinessProbe.timeoutSeconds }} - successThreshold: {{ .Values.controller.readinessProbe.successThreshold }} - failureThreshold: {{ .Values.controller.readinessProbe.failureThreshold }} -{{- if (or .Values.controller.customTemplate.configMapName .Values.controller.extraVolumeMounts .Values.controller.admissionWebhooks.enabled) }} - volumeMounts: -{{- end }} -{{- if .Values.controller.customTemplate.configMapName }} - - mountPath: /etc/nginx/template - name: nginx-template-volume - readOnly: true -{{- end }} -{{- if .Values.controller.admissionWebhooks.enabled }} - - name: webhook-cert - mountPath: "/usr/local/certificates/" - readOnly: true -{{- end }} -{{- if .Values.controller.extraVolumeMounts }} -{{ toYaml .Values.controller.extraVolumeMounts | indent 12}} -{{- end }} - resources: -{{ toYaml .Values.controller.resources 
| indent 12 }} -{{- if .Values.controller.extraContainers }} -{{ toYaml .Values.controller.extraContainers | indent 8}} -{{- end }} -{{- if .Values.controller.extraInitContainers }} - initContainers: -{{ toYaml .Values.controller.extraInitContainers | indent 8}} -{{- end }} - hostNetwork: {{ .Values.controller.hostNetwork }} - {{- if .Values.controller.nodeSelector }} - nodeSelector: -{{ toYaml .Values.controller.nodeSelector | indent 8 }} - {{- end }} - {{- if .Values.controller.tolerations }} - tolerations: -{{ toYaml .Values.controller.tolerations | indent 8 }} - {{- end }} - {{- if .Values.controller.affinity }} - affinity: -{{ toYaml .Values.controller.affinity | indent 8 }} - {{- end }} - serviceAccountName: {{ template "nginx-ingress.serviceAccountName" . }} - terminationGracePeriodSeconds: {{ .Values.controller.terminationGracePeriodSeconds }} -{{- if (or .Values.controller.customTemplate.configMapName .Values.controller.extraVolumeMounts .Values.controller.admissionWebhooks.enabled .Values.controller.extraVolumes) }} - volumes: -{{- end }} -{{- if .Values.controller.customTemplate.configMapName }} - - name: nginx-template-volume - configMap: - name: {{ .Values.controller.customTemplate.configMapName }} - items: - - key: {{ .Values.controller.customTemplate.configMapKey }} - path: nginx.tmpl -{{- end }} -{{- if .Values.controller.admissionWebhooks.enabled }} - - name: webhook-cert - secret: - secretName: {{ template "nginx-ingress.fullname". }}-admission -{{- end }} -{{- if .Values.controller.extraVolumes }} -{{ toYaml .Values.controller.extraVolumes | indent 8}} -{{- end }} -{{- end }} diff --git a/charts/nginx-ingress/templates/controller-hpa.yaml b/charts/nginx-ingress/templates/controller-hpa.yaml deleted file mode 100644 index 77d353389b..0000000000 --- a/charts/nginx-ingress/templates/controller-hpa.yaml +++ /dev/null 
@@ -1,34 +0,0 @@ -{{- if or (eq .Values.controller.kind "Deployment") (eq .Values.controller.kind "Both") }} -{{- if .Values.controller.autoscaling.enabled }} -apiVersion: autoscaling/v2beta1 -kind: HorizontalPodAutoscaler -metadata: - labels: - app: {{ template "nginx-ingress.name" . }} - chart: {{ template "nginx-ingress.chart" . }} - component: "{{ .Values.controller.name }}" - heritage: {{ .Release.Service }} - release: {{ template "nginx-ingress.releaseLabel" . }} - name: {{ template "nginx-ingress.controller.fullname" . }} -spec: - scaleTargetRef: - apiVersion: {{ template "deployment.apiVersion" . }} - kind: Deployment - name: {{ template "nginx-ingress.controller.fullname" . }} - minReplicas: {{ .Values.controller.autoscaling.minReplicas }} - maxReplicas: {{ .Values.controller.autoscaling.maxReplicas }} - metrics: -{{- with .Values.controller.autoscaling.targetCPUUtilizationPercentage }} - - type: Resource - resource: - name: cpu - targetAverageUtilization: {{ . }} -{{- end }} -{{- with .Values.controller.autoscaling.targetMemoryUtilizationPercentage }} - - type: Resource - resource: - name: memory - targetAverageUtilization: {{ . }} -{{- end }} -{{- end }} -{{- end }} diff --git a/charts/nginx-ingress/templates/controller-metrics-service.yaml b/charts/nginx-ingress/templates/controller-metrics-service.yaml deleted file mode 100644 index 9e991d69de..0000000000 --- a/charts/nginx-ingress/templates/controller-metrics-service.yaml +++ /dev/null 
@@ -1,47 +0,0 @@ -{{- if .Values.controller.metrics.enabled }} -apiVersion: v1 -kind: Service -metadata: -{{- if .Values.controller.metrics.service.annotations }} - annotations: - {{- range $key, $value := .Values.controller.metrics.service.annotations }} - {{ $key }}: {{ $value | quote }} - {{- end }} -{{- end }} - labels: -{{- if .Values.controller.metrics.service.labels }} -{{ toYaml .Values.controller.metrics.service.labels | indent 4 }} -{{- end }} - app: {{ template "nginx-ingress.name" . }} - chart: {{ template "nginx-ingress.chart" . }} - component: "{{ .Values.controller.name }}" - heritage: {{ .Release.Service }} - release: {{ template "nginx-ingress.releaseLabel" . }} - name: {{ template "nginx-ingress.controller.fullname" . }}-metrics -spec: -{{- if not .Values.controller.metrics.service.omitClusterIP }} - {{- with .Values.controller.metrics.service.clusterIP }} - clusterIP: {{ if eq "-" . }}""{{ else }}{{ . | quote }}{{ end }} - {{- end }} -{{- end }} -{{- if .Values.controller.metrics.service.externalIPs }} - externalIPs: -{{ toYaml .Values.controller.metrics.service.externalIPs | indent 4 }} -{{- end }} -{{- if .Values.controller.metrics.service.loadBalancerIP }} - loadBalancerIP: "{{ .Values.controller.metrics.service.loadBalancerIP }}" -{{- end }} -{{- if .Values.controller.metrics.service.loadBalancerSourceRanges }} - loadBalancerSourceRanges: -{{ toYaml .Values.controller.metrics.service.loadBalancerSourceRanges | indent 4 }} -{{- end }} - ports: - - name: metrics - port: {{ .Values.controller.metrics.service.servicePort }} - targetPort: metrics - selector: - app: {{ template "nginx-ingress.name" . }} - release: {{ template "nginx-ingress.releaseLabel" . }} - app.kubernetes.io/component: controller - type: "{{ .Values.controller.metrics.service.type }}" -{{- end }} 
diff --git a/charts/nginx-ingress/templates/controller-poddisruptionbudget.yaml b/charts/nginx-ingress/templates/controller-poddisruptionbudget.yaml deleted file mode 100644 index 888515a25a..0000000000 --- a/charts/nginx-ingress/templates/controller-poddisruptionbudget.yaml +++ /dev/null @@ -1,19 +0,0 @@ -{{- if or (and .Values.controller.autoscaling.enabled (gt (.Values.controller.autoscaling.minReplicas | int) 1)) (gt (.Values.controller.replicaCount | int) 1) }} -apiVersion: policy/v1beta1 -kind: PodDisruptionBudget -metadata: - labels: - app: {{ template "nginx-ingress.name" . }} - chart: {{ template "nginx-ingress.chart" . }} - app.kubernetes.io/component: controller - heritage: {{ .Release.Service }} - release: {{ template "nginx-ingress.releaseLabel" . }} - name: {{ template "nginx-ingress.controller.fullname" . }} -spec: - selector: - matchLabels: - app: {{ template "nginx-ingress.name" . }} - release: {{ template "nginx-ingress.releaseLabel" . }} - app.kubernetes.io/component: controller - minAvailable: {{ .Values.controller.minAvailable }} -{{- end }} diff --git a/charts/nginx-ingress/templates/controller-prometheusrules.yaml b/charts/nginx-ingress/templates/controller-prometheusrules.yaml deleted file mode 100644 index 4a4395737b..0000000000 --- a/charts/nginx-ingress/templates/controller-prometheusrules.yaml +++ /dev/null 
@@ -1,24 +0,0 @@ -{{- if and .Values.controller.metrics.enabled .Values.controller.metrics.prometheusRule.enabled }} -apiVersion: monitoring.coreos.com/v1 -kind: PrometheusRule -metadata: - name: {{ template "nginx-ingress.controller.fullname" . }} - {{- if .Values.controller.metrics.prometheusRule.namespace }} - namespace: {{ .Values.controller.metrics.prometheusRule.namespace }} - {{- end }} - labels: - app: {{ template "nginx-ingress.name" . }} - chart: {{ template "nginx-ingress.chart" . }} - component: "{{ .Values.controller.name }}" - heritage: {{ .Release.Service }} - release: {{ template "nginx-ingress.releaseLabel" . }} - {{- if .Values.controller.metrics.prometheusRule.additionalLabels }} -{{ toYaml .Values.controller.metrics.prometheusRule.additionalLabels | indent 4 }} - {{- end }} -spec: - {{- with .Values.controller.metrics.prometheusRule.rules }} - groups: - - name: {{ template "nginx-ingress.name" $ }} - rules: {{- toYaml . | nindent 4 }} - {{- end }} -{{- end }} diff --git a/charts/nginx-ingress/templates/controller-rolebinding.yaml b/charts/nginx-ingress/templates/controller-rolebinding.yaml deleted file mode 100644 index c1186c0cd0..0000000000 --- a/charts/nginx-ingress/templates/controller-rolebinding.yaml +++ /dev/null @@ -1,19 +0,0 @@ -{{- if .Values.rbac.create -}} -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - labels: - app: {{ template "nginx-ingress.name" . }} - chart: {{ template "nginx-ingress.chart" . }} - heritage: {{ .Release.Service }} - release: {{ template "nginx-ingress.releaseLabel" . }} - name: {{ template "nginx-ingress.fullname" . }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: {{ template "nginx-ingress.fullname" . }} -subjects: - - kind: ServiceAccount - name: {{ template "nginx-ingress.serviceAccountName" . }} - namespace: {{ .Release.Namespace }} -{{- end -}} 
diff --git a/charts/nginx-ingress/templates/controller-service.yaml b/charts/nginx-ingress/templates/controller-service.yaml deleted file mode 100644 index 15d51a03cb..0000000000 --- a/charts/nginx-ingress/templates/controller-service.yaml +++ /dev/null 
@@ -1,94 +0,0 @@ -{{- if .Values.controller.service.enabled }} -apiVersion: v1 -kind: Service -metadata: -{{- if .Values.controller.service.annotations }} - annotations: - {{- range $key, $value := .Values.controller.service.annotations }} - {{ $key }}: {{ $value | quote }} - {{- end }} -{{- end }} - labels: -{{- if .Values.controller.service.labels }} -{{ toYaml .Values.controller.service.labels | indent 4 }} -{{- end }} - app: {{ template "nginx-ingress.name" . }} - chart: {{ template "nginx-ingress.chart" . }} - component: "{{ .Values.controller.name }}" - heritage: {{ .Release.Service }} - release: {{ template "nginx-ingress.releaseLabel" . }} - name: {{ template "nginx-ingress.controller.fullname" . }} -spec: -{{- if not .Values.controller.service.omitClusterIP }} - {{- with .Values.controller.service.clusterIP }} - clusterIP: {{ if eq "-" . }}""{{ else }}{{ . | quote }}{{ end }} - {{- end }} -{{- end }} -{{- if .Values.controller.service.externalIPs }} - externalIPs: -{{ toYaml .Values.controller.service.externalIPs | indent 4 }} -{{- end }} -{{- if .Values.controller.service.loadBalancerIP }} - loadBalancerIP: "{{ .Values.controller.service.loadBalancerIP }}" -{{- end }} -{{- if .Values.controller.service.loadBalancerSourceRanges }} - loadBalancerSourceRanges: -{{ toYaml .Values.controller.service.loadBalancerSourceRanges | indent 4 }} -{{- end }} -{{- if and (semverCompare ">=1.7-0" .Capabilities.KubeVersion.GitVersion) (.Values.controller.service.externalTrafficPolicy) }} - externalTrafficPolicy: "{{ .Values.controller.service.externalTrafficPolicy }}" -{{- end }} -{{- if .Values.controller.service.sessionAffinity }} - sessionAffinity: "{{ .Values.controller.service.sessionAffinity }}" -{{- end }} -{{- if and (semverCompare ">=1.7-0" .Capabilities.KubeVersion.GitVersion) (.Values.controller.service.healthCheckNodePort) }} - healthCheckNodePort: {{ .Values.controller.service.healthCheckNodePort }} -{{- end }} - ports: - {{- $setNodePorts := (or (eq 
.Values.controller.service.type "NodePort") (eq .Values.controller.service.type "LoadBalancer")) }} - {{- if .Values.controller.service.enableHttp }} - - name: http - port: {{ .Values.controller.service.ports.http }} - protocol: TCP - targetPort: {{ .Values.controller.service.targetPorts.http }} - {{- if (and $setNodePorts (not (empty .Values.controller.service.nodePorts.http))) }} - nodePort: {{ .Values.controller.service.nodePorts.http }} - {{- end }} - {{- end }} - {{- if .Values.controller.service.enableHttps }} - - name: https - port: {{ .Values.controller.service.ports.https }} - protocol: TCP - targetPort: {{ .Values.controller.service.targetPorts.https }} - {{- if (and $setNodePorts (not (empty .Values.controller.service.nodePorts.https))) }} - nodePort: {{ .Values.controller.service.nodePorts.https }} - {{- end }} - {{- end }} - {{- range $key, $value := .Values.tcp }} - - name: "{{ $key }}-tcp" - port: {{ $key }} - protocol: TCP - targetPort: "{{ $key }}-tcp" - {{- if $.Values.controller.service.nodePorts.tcp }} - {{- if index $.Values.controller.service.nodePorts.tcp $key }} - nodePort: {{ index $.Values.controller.service.nodePorts.tcp $key }} - {{- end }} - {{- end }} - {{- end }} - {{- range $key, $value := .Values.udp }} - - name: "{{ $key }}-udp" - port: {{ $key }} - protocol: UDP - targetPort: "{{ $key }}-udp" - {{- if $.Values.controller.service.nodePorts.udp }} - {{- if index $.Values.controller.service.nodePorts.udp $key }} - nodePort: {{ index $.Values.controller.service.nodePorts.udp $key }} - {{- end }} - {{- end }} - {{- end }} - selector: - app: {{ template "nginx-ingress.name" . }} - release: {{ template "nginx-ingress.releaseLabel" . }} - app.kubernetes.io/component: controller - type: "{{ .Values.controller.service.type }}" -{{- end }} diff --git a/charts/nginx-ingress/templates/controller-serviceaccount.yaml b/charts/nginx-ingress/templates/controller-serviceaccount.yaml deleted file mode 100644 index 7b688e683f..0000000000 
--- a/charts/nginx-ingress/templates/controller-serviceaccount.yaml +++ /dev/null @@ -1,11 +0,0 @@ -{{- if or .Values.serviceAccount.create -}} -apiVersion: v1 -kind: ServiceAccount -metadata: - labels: - app: {{ template "nginx-ingress.name" . }} - chart: {{ template "nginx-ingress.chart" . }} - heritage: {{ .Release.Service }} - release: {{ template "nginx-ingress.releaseLabel" . }} - name: {{ template "nginx-ingress.serviceAccountName" . }} -{{- end -}} diff --git a/charts/nginx-ingress/templates/controller-servicemonitor.yaml b/charts/nginx-ingress/templates/controller-servicemonitor.yaml deleted file mode 100644 index f3129ea664..0000000000 --- a/charts/nginx-ingress/templates/controller-servicemonitor.yaml +++ /dev/null 
@@ -1,38 +0,0 @@ -{{- if and .Values.controller.metrics.enabled .Values.controller.metrics.serviceMonitor.enabled }} -apiVersion: monitoring.coreos.com/v1 -kind: ServiceMonitor -metadata: - name: {{ template "nginx-ingress.controller.fullname" . }} - {{- if .Values.controller.metrics.serviceMonitor.namespace }} - namespace: {{ .Values.controller.metrics.serviceMonitor.namespace }} - {{- end }} - labels: - app: {{ template "nginx-ingress.name" . }} - chart: {{ template "nginx-ingress.chart" . }} - component: "{{ .Values.controller.name }}" - heritage: {{ .Release.Service }} - release: {{ template "nginx-ingress.releaseLabel" . }} - {{- if .Values.controller.metrics.serviceMonitor.additionalLabels }} -{{ toYaml .Values.controller.metrics.serviceMonitor.additionalLabels | indent 4 }} - {{- end }} -spec: - endpoints: - - port: metrics - interval: {{ .Values.controller.metrics.serviceMonitor.scrapeInterval }} - {{- if .Values.controller.metrics.serviceMonitor.honorLabels }} - honorLabels: true - {{- end }} - {{- if .Values.controller.metrics.serviceMonitor.namespaceSelector }} - namespaceSelector: -{{ toYaml .Values.controller.metrics.serviceMonitor.namespaceSelector | indent 4 -}} - {{ else }} - namespaceSelector: - matchNames: - - {{ .Release.Namespace }} - {{- end }} - selector: - matchLabels: - app: {{ template "nginx-ingress.name" . }} - component: "{{ .Values.controller.name }}" - release: {{ template "nginx-ingress.releaseLabel" . }} -{{- end }} diff --git a/charts/nginx-ingress/templates/controller-webhook-service.yaml b/charts/nginx-ingress/templates/controller-webhook-service.yaml deleted file mode 100644 index 5c4ad85aa3..0000000000 --- a/charts/nginx-ingress/templates/controller-webhook-service.yaml +++ /dev/null 
@@ -1,44 +0,0 @@ -{{- if .Values.controller.admissionWebhooks.enabled }} -apiVersion: v1 -kind: Service -metadata: -{{- if .Values.controller.admissionWebhooks.service.annotations }} - annotations: - {{- range $key, $value := .Values.controller.admissionWebhooks.service.annotations }} - {{ $key }}: {{ $value | quote }} - {{- end }} -{{- end }} - labels: - app: {{ template "nginx-ingress.name" . }} - chart: {{ template "nginx-ingress.chart" . }} - component: "{{ .Values.controller.name }}" - heritage: {{ .Release.Service }} - release: {{ template "nginx-ingress.releaseLabel" . }} - name: {{ template "nginx-ingress.controller.fullname" . }}-admission -spec: -{{- if not .Values.controller.admissionWebhooks.service.omitClusterIP }} - {{- with .Values.controller.admissionWebhooks.service.clusterIP }} - clusterIP: {{ if eq "-" . }}""{{ else }}{{ . | quote }}{{ end }} - {{- end }} -{{- end }} -{{- if .Values.controller.admissionWebhooks.service.externalIPs }} - externalIPs: -{{ toYaml .Values.controller.admissionWebhooks.service.externalIPs | indent 4 }} -{{- end }} -{{- if .Values.controller.admissionWebhooks.service.loadBalancerIP }} - loadBalancerIP: "{{ .Values.controller.admissionWebhooks.service.loadBalancerIP }}" -{{- end }} -{{- if .Values.controller.admissionWebhooks.service.loadBalancerSourceRanges }} - loadBalancerSourceRanges: -{{ toYaml .Values.controller.admissionWebhooks.service.loadBalancerSourceRanges | indent 4 }} -{{- end }} - ports: - - name: https-webhook - port: 443 - targetPort: webhook - selector: - app: {{ template "nginx-ingress.name" . }} - release: {{ template "nginx-ingress.releaseLabel" . }} - app.kubernetes.io/component: controller - type: "{{ .Values.controller.admissionWebhooks.service.type }}" -{{- end }} diff --git a/charts/nginx-ingress/templates/default-backend-poddisruptionbudget.yaml b/charts/nginx-ingress/templates/default-backend-poddisruptionbudget.yaml deleted file mode 100644 index 0713c012ed..0000000000 
--- a/charts/nginx-ingress/templates/default-backend-poddisruptionbudget.yaml +++ /dev/null @@ -1,19 +0,0 @@ -{{- if gt (.Values.defaultBackend.replicaCount | int) 1 }} -apiVersion: policy/v1beta1 -kind: PodDisruptionBudget -metadata: - labels: - app: {{ template "nginx-ingress.name" . }} - chart: {{ template "nginx-ingress.chart" . }} - app.kubernetes.io/component: default-backend - heritage: {{ .Release.Service }} - release: {{ template "nginx-ingress.releaseLabel" . }} - name: {{ template "nginx-ingress.defaultBackend.fullname" . }} -spec: - selector: - matchLabels: - app: {{ template "nginx-ingress.name" . }} - release: {{ template "nginx-ingress.releaseLabel" . }} - app.kubernetes.io/component: default-backend - minAvailable: {{ .Values.defaultBackend.minAvailable }} -{{- end }} diff --git a/charts/nginx-ingress/templates/default-backend-role.yaml b/charts/nginx-ingress/templates/default-backend-role.yaml deleted file mode 100644 index 11fbba9a3e..0000000000 --- a/charts/nginx-ingress/templates/default-backend-role.yaml +++ /dev/null @@ -1,16 +0,0 @@ -{{- if and .Values.rbac.create .Values.podSecurityPolicy.enabled .Values.defaultBackend.enabled -}} -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - labels: - app: {{ template "nginx-ingress.name" . }} - chart: {{ template "nginx-ingress.chart" . }} - heritage: {{ .Release.Service }} - release: {{ template "nginx-ingress.releaseLabel" . }} - name: {{ template "nginx-ingress.fullname" . }}-backend -rules: - - apiGroups: ['{{ template "podSecurityPolicy.apiGroup" . }}'] - resources: ['podsecuritypolicies'] - verbs: ['use'] - resourceNames: [{{ template "nginx-ingress.fullname" . }}-backend] -{{- end -}} diff --git a/charts/nginx-ingress/templates/default-backend-rolebinding.yaml b/charts/nginx-ingress/templates/default-backend-rolebinding.yaml deleted file mode 100644 index 7d03ef4071..0000000000 --- a/charts/nginx-ingress/templates/default-backend-rolebinding.yaml +++ /dev/null 
@@ -1,19 +0,0 @@ -{{- if and .Values.rbac.create .Values.podSecurityPolicy.enabled .Values.defaultBackend.enabled -}} -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - labels: - app: {{ template "nginx-ingress.name" . }} - chart: {{ template "nginx-ingress.chart" . }} - heritage: {{ .Release.Service }} - release: {{ template "nginx-ingress.releaseLabel" . }} - name: {{ template "nginx-ingress.fullname" . }}-backend -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: {{ template "nginx-ingress.fullname" . }}-backend -subjects: - - kind: ServiceAccount - name: {{ template "nginx-ingress.defaultBackend.serviceAccountName" . }} - namespace: {{ .Release.Namespace }} -{{- end -}} diff --git a/charts/nginx-ingress/templates/default-backend-service.yaml b/charts/nginx-ingress/templates/default-backend-service.yaml deleted file mode 100644 index 23dba195e7..0000000000 --- a/charts/nginx-ingress/templates/default-backend-service.yaml +++ /dev/null 
@@ -1,45 +0,0 @@ -{{- if .Values.defaultBackend.enabled }} -apiVersion: v1 -kind: Service -metadata: -{{- if .Values.defaultBackend.service.annotations }} - annotations: - {{- range $key, $value := .Values.defaultBackend.service.annotations }} - {{ $key }}: {{ $value | quote }} - {{- end }} -{{- end }} - labels: - app: {{ template "nginx-ingress.name" . }} - chart: {{ template "nginx-ingress.chart" . }} - component: "{{ .Values.defaultBackend.name }}" - heritage: {{ .Release.Service }} - release: {{ template "nginx-ingress.releaseLabel" . }} - name: {{ template "nginx-ingress.defaultBackend.fullname" . }} -spec: -{{- if not .Values.defaultBackend.service.omitClusterIP }} - {{- with .Values.defaultBackend.service.clusterIP }} - clusterIP: {{ if eq "-" . }}""{{ else }}{{ . | quote }}{{ end }} - {{- end }} -{{- end }} -{{- if .Values.defaultBackend.service.externalIPs }} - externalIPs: -{{ toYaml .Values.defaultBackend.service.externalIPs | indent 4 }} -{{- end }} -{{- if .Values.defaultBackend.service.loadBalancerIP }} - loadBalancerIP: "{{ .Values.defaultBackend.service.loadBalancerIP }}" -{{- end }} -{{- if .Values.defaultBackend.service.loadBalancerSourceRanges }} - loadBalancerSourceRanges: -{{ toYaml .Values.defaultBackend.service.loadBalancerSourceRanges | indent 4 }} -{{- end }} - ports: - - name: http - port: {{ .Values.defaultBackend.service.servicePort }} - protocol: TCP - targetPort: http - selector: - app: {{ template "nginx-ingress.name" . }} - release: {{ template "nginx-ingress.releaseLabel" . }} - app.kubernetes.io/component: default-backend - type: "{{ .Values.defaultBackend.service.type }}" -{{- end }} diff --git a/charts/nginx-ingress/templates/default-backend-serviceaccount.yaml b/charts/nginx-ingress/templates/default-backend-serviceaccount.yaml deleted file mode 100644 index 94689a6b20..0000000000 --- a/charts/nginx-ingress/templates/default-backend-serviceaccount.yaml +++ /dev/null 
@@ -1,11 +0,0 @@ -{{- if and .Values.defaultBackend.enabled .Values.defaultBackend.serviceAccount.create }} -apiVersion: v1 -kind: ServiceAccount -metadata: - labels: - app: {{ template "nginx-ingress.name" . }} - chart: {{ template "nginx-ingress.chart" . }} - heritage: {{ .Release.Service }} - release: {{ template "nginx-ingress.releaseLabel" . }} - name: {{ template "nginx-ingress.defaultBackend.serviceAccountName" . }} -{{- end }} diff --git a/charts/nginx-ingress/templates/tcp-configmap.yaml b/charts/nginx-ingress/templates/tcp-configmap.yaml deleted file mode 100644 index 96de14fc42..0000000000 --- a/charts/nginx-ingress/templates/tcp-configmap.yaml +++ /dev/null @@ -1,14 +0,0 @@ -{{- if .Values.tcp }} -apiVersion: v1 -kind: ConfigMap -metadata: - labels: - app: {{ template "nginx-ingress.name" . }} - chart: {{ template "nginx-ingress.chart" . }} - component: "{{ .Values.controller.name }}" - heritage: {{ .Release.Service }} - release: {{ template "nginx-ingress.releaseLabel" . }} - name: {{ template "nginx-ingress.fullname" . }}-tcp -data: -{{ tpl (toYaml .Values.tcp) . | indent 2 }} -{{- end }} diff --git a/charts/nginx-ingress/templates/udp-configmap.yaml b/charts/nginx-ingress/templates/udp-configmap.yaml deleted file mode 100644 index 69ee361cd8..0000000000 --- a/charts/nginx-ingress/templates/udp-configmap.yaml +++ /dev/null @@ -1,14 +0,0 @@ -{{- if .Values.udp }} -apiVersion: v1 -kind: ConfigMap -metadata: - labels: - app: {{ template "nginx-ingress.name" . }} - chart: {{ template "nginx-ingress.chart" . }} - component: "{{ .Values.controller.name }}" - heritage: {{ .Release.Service }} - release: {{ template "nginx-ingress.releaseLabel" . }} - name: {{ template "nginx-ingress.fullname" . }}-udp -data: -{{ tpl (toYaml .Values.udp) . | indent 2 }} -{{- end }} diff --git a/charts/render.py b/charts/render.py index 08cdc27c04..0b0beb8a3c 100755 --- a/charts/render.py +++ b/charts/render.py 
@@ -129,8 +129,8 @@ def keep_doc(doc):
 if not doc:
 return False
- if doc.get('metadata', {}) \
- .get('annotations', {}) \
+ if ((doc.get('metadata') or {})
+ .get('annotations') or {}) \
 .get('helm.sh/hook') == 'test-success':
 return False
diff --git a/salt/metalk8s/addons/nginx-ingress-control-plane/deployed/chart.sls b/salt/metalk8s/addons/nginx-ingress-control-plane/deployed/chart.sls
index 6ba5a14dfb..526f7d1235 100644
--- a/salt/metalk8s/addons/nginx-ingress-control-plane/deployed/chart.sls
+++ b/salt/metalk8s/addons/nginx-ingress-control-plane/deployed/chart.sls
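Review bot: The rewritten condition in `keep_doc` mixes a parenthesised continuation with a trailing backslash, which makes the two `or {}` fallbacks hard to follow; binding the annotations first reads better: `annotations = (doc.get('metadata') or {}).get('annotations') or {}` followed by `if annotations.get('helm.sh/hook') == 'test-success':`. A short comment should say why `or {}` replaces the `.get(..., {})` default: a rendered document can carry an explicit null, as the `annotations: null` in the regenerated chart.sls Service shows, and the `.get` default only applies when the key is absent. The body of `keep_doc` starts and continues outside the hunk.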
@@ -3,34 +3,52 @@ {%- from "metalk8s/repo/macro.sls" import build_image_name with context %} + {% raw %} apiVersion: v1 kind: ServiceAccount metadata: labels: - app: nginx-ingress + app.kubernetes.io/component: controller + app.kubernetes.io/instance: ingress-nginx-control-plane + app.kubernetes.io/managed-by: salt + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: metalk8s + app.kubernetes.io/version: 0.41.2 + helm.sh/chart: ingress-nginx-3.13.0 + heritage: metalk8s + name: ingress-nginx-control-plane + namespace: metalk8s-ingress +--- +apiVersion: v1 +data: null +kind: ConfigMap +metadata: + labels: + app.kubernetes.io/component: controller + app.kubernetes.io/instance: ingress-nginx-control-plane app.kubernetes.io/managed-by: salt - app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: metalk8s - chart: nginx-ingress-1.36.3 + app.kubernetes.io/version: 0.41.2 + helm.sh/chart: ingress-nginx-3.13.0 heritage: metalk8s - release: nginx-ingress-control-plane - name: nginx-ingress-control-plane + name: ingress-nginx-control-plane-controller namespace: metalk8s-ingress --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: labels: - app: nginx-ingress + app.kubernetes.io/instance: ingress-nginx-control-plane app.kubernetes.io/managed-by: salt - app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: metalk8s - chart: nginx-ingress-1.36.3 + app.kubernetes.io/version: 0.41.2 + helm.sh/chart: ingress-nginx-3.13.0 heritage: metalk8s - release: nginx-ingress-control-plane - name: nginx-ingress-control-plane + name: ingress-nginx-control-plane namespace: metalk8s-ingress rules: - apiGroups: 
@@ -82,41 +100,50 @@ rules: - ingresses/status verbs: - update +- apiGroups: + - networking.k8s.io + resources: + - ingressclasses + verbs: + - get + - list + - watch --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: labels: - app: nginx-ingress + app.kubernetes.io/instance: ingress-nginx-control-plane app.kubernetes.io/managed-by: salt - app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: metalk8s - chart: nginx-ingress-1.36.3 + app.kubernetes.io/version: 0.41.2 + helm.sh/chart: ingress-nginx-3.13.0 heritage: metalk8s - release: nginx-ingress-control-plane - name: nginx-ingress-control-plane + name: ingress-nginx-control-plane namespace: metalk8s-ingress roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: nginx-ingress-control-plane + name: ingress-nginx-control-plane subjects: - kind: ServiceAccount - name: nginx-ingress-control-plane + name: ingress-nginx-control-plane namespace: metalk8s-ingress --- apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: labels: - app: nginx-ingress + app.kubernetes.io/component: controller + app.kubernetes.io/instance: ingress-nginx-control-plane app.kubernetes.io/managed-by: salt - app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: metalk8s - chart: nginx-ingress-1.36.3 + app.kubernetes.io/version: 0.41.2 + helm.sh/chart: ingress-nginx-3.13.0 heritage: metalk8s - release: nginx-ingress-control-plane - name: nginx-ingress-control-plane + name: ingress-nginx-control-plane namespace: metalk8s-ingress rules: - apiGroups: @@ -161,6 +188,14 @@ rules: - ingresses/status verbs: - update +- apiGroups: + - networking.k8s.io + resources: + - ingressclasses + verbs: + - get + - list + - watch - apiGroups: - '' resourceNames: 
@@ -196,38 +231,39 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: labels: - app: nginx-ingress + app.kubernetes.io/component: controller + app.kubernetes.io/instance: ingress-nginx-control-plane app.kubernetes.io/managed-by: salt - app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: metalk8s - chart: nginx-ingress-1.36.3 + app.kubernetes.io/version: 0.41.2 + helm.sh/chart: ingress-nginx-3.13.0 heritage: metalk8s - release: nginx-ingress-control-plane - name: nginx-ingress-control-plane + name: ingress-nginx-control-plane namespace: metalk8s-ingress roleRef: apiGroup: rbac.authorization.k8s.io kind: Role - name: nginx-ingress-control-plane + name: ingress-nginx-control-plane subjects: - kind: ServiceAccount - name: nginx-ingress-control-plane + name: ingress-nginx-control-plane namespace: metalk8s-ingress --- apiVersion: v1 kind: Service metadata: + annotations: null labels: - app: nginx-ingress app.kubernetes.io/component: controller + app.kubernetes.io/instance: ingress-nginx-control-plane app.kubernetes.io/managed-by: salt - app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: metalk8s - chart: nginx-ingress-1.36.3 - component: controller + app.kubernetes.io/version: 0.41.2 + helm.sh/chart: ingress-nginx-3.13.0 heritage: metalk8s - release: nginx-ingress-control-plane - name: nginx-ingress-control-plane-controller + name: ingress-nginx-control-plane-controller namespace: metalk8s-ingress spec: externalIPs: 
@@ -238,48 +274,47 @@ spec: protocol: TCP targetPort: https selector: - app: nginx-ingress app.kubernetes.io/component: controller - release: nginx-ingress-control-plane + app.kubernetes.io/instance: ingress-nginx-control-plane + app.kubernetes.io/name: ingress-nginx type: ClusterIP --- apiVersion: apps/v1 kind: DaemonSet metadata: - annotations: {} labels: - app: nginx-ingress app.kubernetes.io/component: controller + app.kubernetes.io/instance: ingress-nginx-control-plane app.kubernetes.io/managed-by: salt - app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: metalk8s - chart: nginx-ingress-1.36.3 + app.kubernetes.io/version: 0.41.2 + helm.sh/chart: ingress-nginx-3.13.0 heritage: metalk8s - release: nginx-ingress-control-plane - name: nginx-ingress-control-plane-controller + name: ingress-nginx-control-plane-controller namespace: metalk8s-ingress spec: minReadySeconds: 0 revisionHistoryLimit: 10 selector: matchLabels: - app: nginx-ingress - release: nginx-ingress-control-plane + app.kubernetes.io/component: controller + app.kubernetes.io/instance: ingress-nginx-control-plane + app.kubernetes.io/name: ingress-nginx template: metadata: labels: - app: nginx-ingress app.kubernetes.io/component: controller - component: controller - release: nginx-ingress-control-plane + app.kubernetes.io/instance: ingress-nginx-control-plane + app.kubernetes.io/name: ingress-nginx spec: containers: - args: - /nginx-ingress-controller - - --default-backend-service=metalk8s-ingress/nginx-ingress-default-backend + - --publish-service=$(POD_NAMESPACE)/ingress-nginx-control-plane-controller - --election-id=ingress-control-plane-controller-leader - --ingress-class=nginx-control-plane - - --configmap=metalk8s-ingress/nginx-ingress-control-plane-controller + - --configmap=metalk8s-ingress/ingress-nginx-control-plane-controller - --default-ssl-certificate=metalk8s-ingress/ingress-control-plane-default-certificate env: - name: POD_NAME 
@@ -290,11 +325,18 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace + - name: LD_PRELOAD + value: /usr/local/lib/libmimalloc.so image: '{%- endraw -%}{{ build_image_name("nginx-ingress-controller", False) - }}{%- raw -%}:0.30.0' + }}{%- raw -%}:v0.41.2' imagePullPolicy: IfNotPresent + lifecycle: + preStop: + exec: + command: + - /wait-shutdown livenessProbe: - failureThreshold: 3 + failureThreshold: 5 httpGet: path: /healthz port: 10254 @@ -303,7 +345,7 @@ spec: periodSeconds: 10 successThreshold: 1 timeoutSeconds: 1 - name: nginx-ingress-controller + name: controller ports: - containerPort: 80 name: http @@ -321,7 +363,10 @@ spec: periodSeconds: 10 successThreshold: 1 timeoutSeconds: 1 - resources: {} + resources: + requests: + cpu: 100m + memory: 90Mi securityContext: allowPrivilegeEscalation: true capabilities: @@ -331,11 +376,11 @@ spec: - ALL runAsUser: 101 dnsPolicy: ClusterFirst - hostNetwork: false nodeSelector: + kubernetes.io/os: linux node-role.kubernetes.io/master: '' - serviceAccountName: nginx-ingress-control-plane - terminationGracePeriodSeconds: 60 + serviceAccountName: ingress-nginx-control-plane + terminationGracePeriodSeconds: 300 tolerations: - effect: NoSchedule key: node-role.kubernetes.io/bootstrap diff --git a/salt/metalk8s/addons/nginx-ingress-control-plane/post-upgrade-downgrade.sls b/salt/metalk8s/addons/nginx-ingress-control-plane/post-upgrade-downgrade.sls new file mode 100644 index 0000000000..e0d85a875a --- /dev/null +++ b/salt/metalk8s/addons/nginx-ingress-control-plane/post-upgrade-downgrade.sls 
@@ -0,0 +1,53 @@
+# This state is called right after the upgrade or downgrade
+# NOTE: This can be removed in development/2.8
+# When upgrading from 2.6.x (or downgrading to 2.6.x) nginx ingress get
+# renamed from `nginx-ingress` to `ingress-nginx` we need to cleanup
+# `nginx-ingress` objects when upgrading (and `ingress-nginx` objects when
+# downgrading)
+
+{%- if salt.pkg.version_cmp(pillar.metalk8s.cluster_version, '2.7.0') == -1 %}
+ {%- set ingress_name = "ingress-nginx-control-plane" %}
+{%- else %}
+ {%- set ingress_name = "nginx-ingress-control-plane" %}
+{%- endif %}
+
+# NOTE: We remove the DaemonSet first and do not remove anything else if this
+# one failed as we do not want to break the ingress controller if we are
+# not able to remove the DaemonSet for controller.
+Ensure {{ ingress_name }}-controller DaemonSet no longer exists:
+ metalk8s_kubernetes.object_absent:
+ - apiVersion: apps/v1
+ - kind: DaemonSet
+ - name: {{ ingress_name }}-controller
+ - namespace: metalk8s-ingress
+
+# List of object to remove (, , )
+{%- set object_list = [
+ ('v1', 'ServiceAccount', ingress_name),
+ ('rbac.authorization.k8s.io/v1', 'ClusterRole', ingress_name),
+ ('rbac.authorization.k8s.io/v1', 'ClusterRoleBinding', ingress_name),
+ ('rbac.authorization.k8s.io/v1', 'Role', ingress_name),
+ ('rbac.authorization.k8s.io/v1', 'RoleBinding', ingress_name),
+ ('v1', 'Service', ingress_name ~ '-controller')
+] %}
+
+# With `ingress-nginx` a ConfigMap is also created
+{%- if ingress_name == 'ingress-nginx' %}
+ {%- do object_list.extend([
+ ('v1', 'ConfigMap', ingress_name ~ '-controller')
+ ]) %}
+{%- endif %}
+
+{%- for api_version, kind, obj_name in object_list %}
+
+Ensure {{ obj_name }} {{ kind }} no longer exists:
+ metalk8s_kubernetes.object_absent:
+ - apiVersion: {{ api_version }}
+ - kind: {{ kind }}
+ - name: {{ obj_name }}
+ - namespace: metalk8s-ingress
+ - require:
+ - metalk8s_kubernetes: Ensure {{ ingress_name }}-controller DaemonSet no longer exists
+
+{%- endfor %} diff --git a/salt/metalk8s/addons/nginx-ingress/deployed/chart.sls b/salt/metalk8s/addons/nginx-ingress/deployed/chart.sls index dc85ee2f3f..dc5fd4cadc 100644 --- a/salt/metalk8s/addons/nginx-ingress/deployed/chart.sls +++ b/salt/metalk8s/addons/nginx-ingress/deployed/chart.sls 
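Review bot: The test `ingress_name == 'ingress-nginx'` can never be true in this state, because `ingress_name` is set a few lines earlier to either `ingress-nginx-control-plane` or `nginx-ingress-control-plane`. On a downgrade the `ingress-nginx-control-plane-controller` ConfigMap that the new chart.sls creates is therefore never added to `object_list` and is left behind in `metalk8s-ingress`. Comparing against the control-plane name fixes it: `{%- if ingress_name == 'ingress-nginx-control-plane' %}`. The workload-plane state in `salt/metalk8s/addons/nginx-ingress/post-upgrade-downgrade.sls` uses the same test with names that do match, so only this file is affected.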
@@ -3,48 +3,67 @@ {%- from "metalk8s/repo/macro.sls" import build_image_name with context %} + {% raw %} apiVersion: v1 kind: ServiceAccount metadata: labels: - app: nginx-ingress + app.kubernetes.io/component: controller + app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/managed-by: salt - app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: metalk8s - chart: nginx-ingress-1.36.3 + app.kubernetes.io/version: 0.41.2 + helm.sh/chart: ingress-nginx-3.13.0 heritage: metalk8s - release: nginx-ingress - name: nginx-ingress + name: ingress-nginx namespace: metalk8s-ingress --- apiVersion: v1 kind: ServiceAccount metadata: labels: - app: nginx-ingress + app.kubernetes.io/component: default-backend + app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/managed-by: salt - app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: metalk8s - chart: nginx-ingress-1.36.3 + app.kubernetes.io/version: 0.41.2 + helm.sh/chart: ingress-nginx-3.13.0 heritage: metalk8s - release: nginx-ingress - name: nginx-ingress-backend + name: ingress-nginx-backend + namespace: metalk8s-ingress +--- +apiVersion: v1 +data: null +kind: ConfigMap +metadata: + labels: + app.kubernetes.io/component: controller + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/managed-by: salt + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: metalk8s + app.kubernetes.io/version: 0.41.2 + helm.sh/chart: ingress-nginx-3.13.0 + heritage: metalk8s + name: ingress-nginx-controller namespace: metalk8s-ingress --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: labels: - app: nginx-ingress + app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/managed-by: salt - app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: metalk8s - chart: nginx-ingress-1.36.3 + app.kubernetes.io/version: 0.41.2 + 
helm.sh/chart: ingress-nginx-3.13.0 heritage: metalk8s - release: nginx-ingress - name: nginx-ingress + name: ingress-nginx namespace: metalk8s-ingress rules: - apiGroups: @@ -96,41 +115,50 @@ rules: - ingresses/status verbs: - update +- apiGroups: + - networking.k8s.io + resources: + - ingressclasses + verbs: + - get + - list + - watch --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: labels: - app: nginx-ingress + app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/managed-by: salt - app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: metalk8s - chart: nginx-ingress-1.36.3 + app.kubernetes.io/version: 0.41.2 + helm.sh/chart: ingress-nginx-3.13.0 heritage: metalk8s - release: nginx-ingress - name: nginx-ingress + name: ingress-nginx namespace: metalk8s-ingress roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: nginx-ingress + name: ingress-nginx subjects: - kind: ServiceAccount - name: nginx-ingress + name: ingress-nginx namespace: metalk8s-ingress --- apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: labels: - app: nginx-ingress + app.kubernetes.io/component: controller + app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/managed-by: salt - app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: metalk8s - chart: nginx-ingress-1.36.3 + app.kubernetes.io/version: 0.41.2 + helm.sh/chart: ingress-nginx-3.13.0 heritage: metalk8s - release: nginx-ingress - name: nginx-ingress + name: ingress-nginx namespace: metalk8s-ingress rules: - apiGroups: @@ -175,6 +203,14 @@ rules: - ingresses/status verbs: - update +- apiGroups: + - networking.k8s.io + resources: + - ingressclasses + verbs: + - get + - list + - watch - apiGroups: - '' resourceNames: 
@@ -210,38 +246,39 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: labels: - app: nginx-ingress + app.kubernetes.io/component: controller + app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/managed-by: salt - app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: metalk8s - chart: nginx-ingress-1.36.3 + app.kubernetes.io/version: 0.41.2 + helm.sh/chart: ingress-nginx-3.13.0 heritage: metalk8s - release: nginx-ingress - name: nginx-ingress + name: ingress-nginx namespace: metalk8s-ingress roleRef: apiGroup: rbac.authorization.k8s.io kind: Role - name: nginx-ingress + name: ingress-nginx subjects: - kind: ServiceAccount - name: nginx-ingress + name: ingress-nginx namespace: metalk8s-ingress --- apiVersion: v1 kind: Service metadata: + annotations: null labels: - app: nginx-ingress app.kubernetes.io/component: controller + app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/managed-by: salt - app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: metalk8s - chart: nginx-ingress-1.36.3 - component: controller + app.kubernetes.io/version: 0.41.2 + helm.sh/chart: ingress-nginx-3.13.0 heritage: metalk8s - release: nginx-ingress - name: nginx-ingress-controller + name: ingress-nginx-controller namespace: metalk8s-ingress spec: ports: 
@@ -254,25 +291,24 @@ spec: protocol: TCP targetPort: https selector: - app: nginx-ingress app.kubernetes.io/component: controller - release: nginx-ingress + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx type: ClusterIP --- apiVersion: v1 kind: Service metadata: labels: - app: nginx-ingress app.kubernetes.io/component: default-backend + app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/managed-by: salt - app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: metalk8s - chart: nginx-ingress-1.36.3 - component: default-backend + app.kubernetes.io/version: 0.41.2 + helm.sh/chart: ingress-nginx-3.13.0 heritage: metalk8s - release: nginx-ingress - name: nginx-ingress-default-backend + name: ingress-nginx-defaultbackend namespace: metalk8s-ingress spec: ports: 
@@ -281,48 +317,48 @@ spec: protocol: TCP targetPort: http selector: - app: nginx-ingress app.kubernetes.io/component: default-backend - release: nginx-ingress + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx type: ClusterIP --- apiVersion: apps/v1 kind: DaemonSet metadata: - annotations: {} labels: - app: nginx-ingress app.kubernetes.io/component: controller + app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/managed-by: salt - app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: metalk8s - chart: nginx-ingress-1.36.3 + app.kubernetes.io/version: 0.41.2 + helm.sh/chart: ingress-nginx-3.13.0 heritage: metalk8s - release: nginx-ingress - name: nginx-ingress-controller + name: ingress-nginx-controller namespace: metalk8s-ingress spec: minReadySeconds: 0 revisionHistoryLimit: 10 selector: matchLabels: - app: nginx-ingress - release: nginx-ingress + app.kubernetes.io/component: controller + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx template: metadata: labels: - app: nginx-ingress app.kubernetes.io/component: controller - component: controller - release: nginx-ingress + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx spec: containers: - args: - /nginx-ingress-controller - - --default-backend-service=metalk8s-ingress/nginx-ingress-default-backend + - --default-backend-service=metalk8s-ingress/ingress-nginx-defaultbackend + - --publish-service=$(POD_NAMESPACE)/ingress-nginx-controller - --election-id=ingress-controller-leader - --ingress-class=nginx - - --configmap=metalk8s-ingress/nginx-ingress-controller + - --configmap=metalk8s-ingress/ingress-nginx-controller - --default-ssl-certificate=metalk8s-ingress/ingress-workload-plane-default-certificate env: - name: POD_NAME 
@@ -333,11 +369,18 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace + - name: LD_PRELOAD + value: /usr/local/lib/libmimalloc.so image: '{%- endraw -%}{{ build_image_name("nginx-ingress-controller", False) - }}{%- raw -%}:0.30.0' + }}{%- raw -%}:v0.41.2' imagePullPolicy: IfNotPresent + lifecycle: + preStop: + exec: + command: + - /wait-shutdown livenessProbe: - failureThreshold: 3 + failureThreshold: 5 httpGet: path: /healthz port: 10254 @@ -346,7 +389,7 @@ spec: periodSeconds: 10 successThreshold: 1 timeoutSeconds: 1 - name: nginx-ingress-controller + name: controller ports: - containerPort: 80 hostPort: 80 @@ -366,7 +409,10 @@ spec: periodSeconds: 10 successThreshold: 1 timeoutSeconds: 1 - resources: {} + resources: + requests: + cpu: 100m + memory: 90Mi securityContext: allowPrivilegeEscalation: true capabilities: @@ -376,9 +422,10 @@ spec: - ALL runAsUser: 101 dnsPolicy: ClusterFirst - hostNetwork: false - serviceAccountName: nginx-ingress - terminationGracePeriodSeconds: 60 + nodeSelector: + kubernetes.io/os: linux + serviceAccountName: ingress-nginx + terminationGracePeriodSeconds: 300 tolerations: - effect: NoSchedule key: node-role.kubernetes.io/bootstrap 
@@ -386,39 +433,38 @@ spec: - effect: NoSchedule key: node-role.kubernetes.io/infra operator: Exists - updateStrategy: {} --- apiVersion: apps/v1 kind: Deployment metadata: labels: - app: nginx-ingress app.kubernetes.io/component: default-backend + app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/managed-by: salt - app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: metalk8s - chart: nginx-ingress-1.36.3 + app.kubernetes.io/version: 0.41.2 + helm.sh/chart: ingress-nginx-3.13.0 heritage: metalk8s - release: nginx-ingress - name: nginx-ingress-default-backend + name: ingress-nginx-defaultbackend namespace: metalk8s-ingress spec: replicas: 1 revisionHistoryLimit: 10 selector: matchLabels: - app: nginx-ingress - release: nginx-ingress + app.kubernetes.io/component: default-backend + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx template: metadata: labels: - app: nginx-ingress app.kubernetes.io/component: default-backend - release: nginx-ingress + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx spec: containers: - - args: null - image: '{%- endraw -%}{{ build_image_name("nginx-ingress-defaultbackend-amd64", + - image: '{%- endraw -%}{{ build_image_name("nginx-ingress-defaultbackend-amd64", False) }}{%- raw -%}:1.5' imagePullPolicy: IfNotPresent livenessProbe: @@ -431,7 +477,7 @@ spec: periodSeconds: 10 successThreshold: 1 timeoutSeconds: 5 - name: nginx-ingress-default-backend + name: ingress-nginx-default-backend ports: - containerPort: 8080 name: http 
@@ -446,12 +492,17 @@ spec: periodSeconds: 5 successThreshold: 1 timeoutSeconds: 5 - resources: {} securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true runAsUser: 65534 nodeSelector: node-role.kubernetes.io/infra: '' - serviceAccountName: nginx-ingress-backend + serviceAccountName: ingress-nginx-backend terminationGracePeriodSeconds: 60 tolerations: - effect: NoSchedule diff --git a/salt/metalk8s/addons/nginx-ingress/post-upgrade-downgrade.sls b/salt/metalk8s/addons/nginx-ingress/post-upgrade-downgrade.sls new file mode 100644 index 0000000000..119b33a2ac --- /dev/null +++ b/salt/metalk8s/addons/nginx-ingress/post-upgrade-downgrade.sls 
@@ -0,0 +1,62 @@
+# This state is called right after the upgrade or downgrade
+# NOTE: This can be removed in development/2.8
+# When upgrading from 2.6.x (or downgrading to 2.6.x) nginx ingress get
+# renamed from `nginx-ingress` to `ingress-nginx` we need to cleanup
+# `nginx-ingress` objects when upgrading (and `ingress-nginx` objects when
+# downgrading)
+
+{%- if salt.pkg.version_cmp(pillar.metalk8s.cluster_version, '2.7.0') == -1 %}
+ {%- set ingress_name = "ingress-nginx" %}
+{%- else %}
+ {%- set ingress_name = "nginx-ingress" %}
+{%- endif %}
+
+# NOTE: We remove the DaemonSet first and do not remove anything else if this
+# one failed as we do not want to break the ingress controller if we are
+# not able to remove the DaemonSet for controller.
+Ensure {{ ingress_name }}-controller DaemonSet no longer exists:
+ metalk8s_kubernetes.object_absent:
+ - apiVersion: apps/v1
+ - kind: DaemonSet
+ - name: {{ ingress_name }}-controller
+ - namespace: metalk8s-ingress
+
+# List of object to remove (, , )
+{%- set object_list = [
+ ('v1', 'ServiceAccount', ingress_name),
+ ('v1', 'ServiceAccount', ingress_name ~ '-backend'),
+ ('rbac.authorization.k8s.io/v1', 'ClusterRole', ingress_name),
+ ('rbac.authorization.k8s.io/v1', 'ClusterRoleBinding', ingress_name),
+ ('rbac.authorization.k8s.io/v1', 'Role', ingress_name),
+ ('rbac.authorization.k8s.io/v1', 'RoleBinding', ingress_name),
+ ('v1', 'Service', ingress_name ~ '-controller')
+] %}
+
+# Default backend name is different between `nginx-ingress` and `ingress-nginx`
+# And also with `ingress-nginx` a ConfigMap is also created
+{%- if ingress_name == 'ingress-nginx' %}
+ {%- do object_list.extend([
+ ('v1', 'Service', ingress_name ~ '-defaultbackend'),
+ ('apps/v1', 'Deployment', ingress_name ~ '-defaultbackend'),
+ ('v1', 'ConfigMap', ingress_name ~ '-controller')
+ ]) %}
+{%- else %}
+ {%- do object_list.extend([
+ ('v1', 'Service', ingress_name ~ '-default-backend'),
+ ('apps/v1', 'Deployment', ingress_name ~
'-default-backend'), + ]) %} +{%- endif %} + +{%- for api_version, kind, obj_name in object_list %} + +Ensure {{ obj_name }} {{ kind }} no longer exists: + metalk8s_kubernetes.object_absent: + - apiVersion: {{ api_version }} + - kind: {{ kind }} + - name: {{ obj_name }} + - namespace: metalk8s-ingress + - require: + - metalk8s_kubernetes: Ensure {{ ingress_name }}-controller DaemonSet no longer exists + +{%- endfor %} diff --git a/salt/metalk8s/orchestrate/downgrade/post.sls b/salt/metalk8s/orchestrate/downgrade/post.sls index 8bb69ef3a6..b6b7c0a10a 100644 --- a/salt/metalk8s/orchestrate/downgrade/post.sls +++ b/salt/metalk8s/orchestrate/downgrade/post.sls @@ -2,3 +2,5 @@ include: - metalk8s.addons.prometheus-operator.post-downgrade + - metalk8s.addons.nginx-ingress.post-upgrade-downgrade + - metalk8s.addons.nginx-ingress-control-plane.post-upgrade-downgrade diff --git a/salt/metalk8s/orchestrate/upgrade/post.sls b/salt/metalk8s/orchestrate/upgrade/post.sls index f6c8b8d350..2d9381b35b 100644 --- a/salt/metalk8s/orchestrate/upgrade/post.sls +++ b/salt/metalk8s/orchestrate/upgrade/post.sls @@ -2,3 +2,5 @@ include: - metalk8s.addons.prometheus-operator.post-upgrade + - metalk8s.addons.nginx-ingress.post-upgrade-downgrade + - metalk8s.addons.nginx-ingress-control-plane.post-upgrade-downgrade diff --git a/tests/post/features/authentication.feature b/tests/post/features/authentication.feature index c515f7402d..4665ba64cd 100644 --- a/tests/post/features/authentication.feature +++ b/tests/post/features/authentication.feature @@ -6,7 +6,6 @@ Feature: Authentication is up and running Scenario: Expected Pods Given the Kubernetes API is available - And pods with label 'release=nginx-ingress-control-plane' are 'Ready' Then we have 2 running pod labeled 'app.kubernetes.io/name=dex' in namespace 'metalk8s-auth' Scenario: Reach the OpenID Config diff --git a/tests/post/features/ingress.feature b/tests/post/features/ingress.feature index 88e439f612..3a06c69424 100644 
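Review bot: The header comment of this state should say that the rename leaves the old and new controller DaemonSets side by side until the state runs, and what a failed run leaves behind. The workload-plane controller keeps `hostPort: 80` in chart.sls, so pods of the newly named DaemonSet presumably cannot be scheduled on a node while the previous controller pod still holds that port, and because every other removal has a `require` on the DaemonSet removal, a failure there also keeps the previous ServiceAccount, ClusterRole and ClusterRoleBinding in the cluster. A line such as `# If the DaemonSet removal fails, the previous controller keeps the host ports and its RBAC objects stay bound; rerun this state after fixing the cause` would tell an operator what to check.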
--- a/tests/post/features/ingress.feature +++ b/tests/post/features/ingress.feature @@ -2,19 +2,19 @@ Feature: Ingress Scenario: Access HTTP services Given the Kubernetes API is available - And pods with label 'app=nginx-ingress' are 'Ready' + And pods with label 'app.kubernetes.io/name=ingress-nginx' are 'Ready' When we perform an HTTP request on port 80 on a workload-plane IP Then the server returns 404 'Not Found' Scenario: Access HTTPS services Given the Kubernetes API is available - And pods with label 'app=nginx-ingress' are 'Ready' + And pods with label 'app.kubernetes.io/name=ingress-nginx' are 'Ready' When we perform an HTTPS request on port 443 on a workload-plane IP Then the server returns 404 'Not Found' Scenario: Access HTTP services on control-plane IP Given the Kubernetes API is available - And pods with label 'app=nginx-ingress' are 'Ready' + And pods with label 'app.kubernetes.io/name=ingress-nginx' are 'Ready' And the node control-plane IP is not equal to its workload-plane IP When we perform an HTTP request on port 80 on a control-plane IP Then the server should not respond diff --git a/tests/post/steps/test_authentication.py b/tests/post/steps/test_authentication.py index 22e0047cd8..fe83c86672 100644 --- a/tests/post/steps/test_authentication.py +++ b/tests/post/steps/test_authentication.py @@ -74,7 +74,7 @@ def check_cp_ingress_pod_and_container( control_plane_ip ): ssh_config = request.config.getoption('--ssh-config') - label = "release=nginx-ingress-control-plane" + label = "app.kubernetes.io/instance=ingress-nginx-control-plane" namespace = "metalk8s-ingress" def _wait_for_ingress_pod_and_container(): diff --git a/tests/post/steps/test_logs.py b/tests/post/steps/test_logs.py index 3ea010b584..6d5b0e14aa 100644 --- a/tests/post/steps/test_logs.py +++ b/tests/post/steps/test_logs.py 
@@ -18,7 +18,7 @@ def test_logs(host): 'kube-rbac-proxy-main', 'kube-rbac-proxy-self', 'rules-configmap-reloader', - 'nginx-ingress-default-backend', + 'ingress-nginx-default-backend', ))