diff --git a/basic-nginx-ingress-1.26.2.tgz b/basic-nginx-ingress-1.26.2.tgz new file mode 100644 index 0000000..a76e4b7 Binary files /dev/null and b/basic-nginx-ingress-1.26.2.tgz differ diff --git a/basic-nginx-ingress/Chart.yaml b/basic-nginx-ingress/Chart.yaml new file mode 100755 index 0000000..1b66203 --- /dev/null +++ b/basic-nginx-ingress/Chart.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +appVersion: 0.26.1 +description: An nginx Ingress controller that uses ConfigMap to store the nginx configuration. +engine: gotpl +home: https://github.com/kubernetes/ingress-nginx +icon: https://upload.wikimedia.org/wikipedia/commons/thumb/c/c5/Nginx_logo.svg/500px-Nginx_logo.svg.png +keywords: +- ingress +- nginx +kubeVersion: '>=1.10.0-0' +maintainers: +- name: ChiefAlexander +- email: Trevor.G.Wood@gmail.com + name: taharah +name: basic-nginx-ingress +sources: +- https://github.com/kubernetes/ingress-nginx +version: 1.26.2 diff --git a/basic-nginx-ingress/OWNERS b/basic-nginx-ingress/OWNERS new file mode 100755 index 0000000..0001de3 --- /dev/null +++ b/basic-nginx-ingress/OWNERS @@ -0,0 +1,6 @@ +approvers: +- ChiefAlexander +- taharah +reviewers: +- ChiefAlexander +- taharah diff --git a/basic-nginx-ingress/README.md b/basic-nginx-ingress/README.md new file mode 100755 index 0000000..f96aa53 --- /dev/null +++ b/basic-nginx-ingress/README.md 
@@ -0,0 +1,322 @@ +# nginx-ingress + +[nginx-ingress](https://github.com/kubernetes/ingress-nginx) is an Ingress controller that uses ConfigMap to store the nginx configuration. + +To use, add the `kubernetes.io/ingress.class: nginx` annotation to your Ingress resources. + +## TL;DR; + +```console +$ helm install stable/nginx-ingress +``` + +## Introduction + +This chart bootstraps an nginx-ingress deployment on a [Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager. + +## Prerequisites + + - Kubernetes 1.6+ + +## Installing the Chart + +To install the chart with the release name `my-release`: + +```console +$ helm install --name my-release stable/nginx-ingress +``` + +The command deploys nginx-ingress on the Kubernetes cluster in the default configuration. The [configuration](#configuration) section lists the parameters that can be configured during installation. + +> **Tip**: List all releases using `helm list` + +## Uninstalling the Chart + +To uninstall/delete the `my-release` deployment: + +```console +$ helm delete my-release +``` + +The command removes all the Kubernetes components associated with the chart and deletes the release. + +## Configuration + +The following table lists the configurable parameters of the nginx-ingress chart and their default values. + +Parameter | Description | Default +--- | --- | --- +`controller.name` | name of the controller component | `controller` +`controller.image.repository` | controller container image repository | `quay.io/kubernetes-ingress-controller/nginx-ingress-controller` +`controller.image.tag` | controller container image tag | `0.26.1` +`controller.image.pullPolicy` | controller container image pull policy | `IfNotPresent` +`controller.image.runAsUser` | User ID of the controller process. Value depends on the Linux distribution used inside of the container image. By default uses debian one. 
| `33` +`controller.containerPort.http` | The port that the controller container listens on for http connections. | `80` +`controller.containerPort.https` | The port that the controller container listens on for https connections. | `443` +`controller.config` | nginx [ConfigMap](https://github.com/kubernetes/ingress-nginx/blob/master/docs/user-guide/nginx-configuration/configmap.md) entries | none +`controller.hostNetwork` | If the nginx deployment / daemonset should run on the host's network namespace. Do not set this when `controller.service.externalIPs` is set and `kube-proxy` is used as there will be a port-conflict for port `80` | false +`controller.defaultBackendService` | default 404 backend service; needed only if `defaultBackend.enabled = false` | `""` +`controller.dnsPolicy` | If using `hostNetwork=true`, change to `ClusterFirstWithHostNet`. See [pod's dns policy](https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy) for details | `ClusterFirst` +`controller.reportNodeInternalIp` | If using `hostNetwork=true`, setting `reportNodeInternalIp=true`, will pass the flag `report-node-internal-ip-address` to nginx-ingress. This sets the status of all Ingress objects to the internal IP address of all nodes running the NGINX Ingress controller. +`controller.electionID` | election ID to use for the status update | `ingress-controller-leader` +`controller.extraEnvs` | any additional environment variables to set in the pods | `{}` +`controller.extraContainers` | Sidecar containers to add to the controller pod. 
See [LemonLDAP::NG controller](https://github.com/lemonldap-ng-controller/lemonldap-ng-controller) as example | `{}` +`controller.extraVolumeMounts` | Additional volumeMounts to the controller main container | `{}` +`controller.extraVolumes` | Additional volumes to the controller pod | `{}` +`controller.extraInitContainers` | Containers, which are run before the app containers are started | `[]` +`controller.ingressClass` | name of the ingress class to route through this controller | `nginx` +`controller.scope.enabled` | limit the scope of the ingress controller | `false` (watch all namespaces) +`controller.scope.namespace` | namespace to watch for ingress | `""` (use the release namespace) +`controller.extraArgs` | Additional controller container arguments | `{}` +`controller.kind` | install as Deployment, DaemonSet or Both | `Deployment` +`controller.autoscaling.enabled` | If true, creates Horizontal Pod Autoscaler | false +`controller.autoscaling.minReplicas` | If autoscaling enabled, this field sets minimum replica count | `2` +`controller.autoscaling.maxReplicas` | If autoscaling enabled, this field sets maximum replica count | `11` +`controller.autoscaling.targetCPUUtilizationPercentage` | Target CPU utilization percentage to scale | `"50"` +`controller.autoscaling.targetMemoryUtilizationPercentage` | Target memory utilization percentage to scale | `"50"` +`controller.daemonset.useHostPort` | If `controller.kind` is `DaemonSet`, this will enable `hostPort` for TCP/80 and TCP/443 | false +`controller.daemonset.hostPorts.http` | If `controller.daemonset.useHostPort` is `true` and this is non-empty, it sets the hostPort | `"80"` +`controller.daemonset.hostPorts.https` | If `controller.daemonset.useHostPort` is `true` and this is non-empty, it sets the hostPort | `"443"` +`controller.tolerations` | node taints to tolerate (requires Kubernetes >=1.6) | `[]` +`controller.affinity` | node/pod affinities (requires Kubernetes >=1.6) | `{}` 
+`controller.terminationGracePeriodSeconds` | how many seconds to wait before terminating a pod | `60` +`controller.minReadySeconds` | how many seconds a pod needs to be ready before killing the next, during update | `0` +`controller.nodeSelector` | node labels for pod assignment | `{}` +`controller.podAnnotations` | annotations to be added to pods | `{}` +`controller.podLabels` | labels to add to the pod container metadata | `{}` +`controller.podSecurityContext` | Security context policies to add to the controller pod | `{}` +`controller.replicaCount` | desired number of controller pods | `1` +`controller.minAvailable` | minimum number of available controller pods for PodDisruptionBudget | `1` +`controller.resources` | controller pod resource requests & limits | `{}` +`controller.priorityClassName` | controller priorityClassName | `nil` +`controller.lifecycle` | controller pod lifecycle hooks | `{}` +`controller.service.annotations` | annotations for controller service | `{}` +`controller.service.labels` | labels for controller service | `{}` +`controller.publishService.enabled` | if true, the controller will set the endpoint records on the ingress objects to reflect those on the service | `false` +`controller.publishService.pathOverride` | override of the default publish-service name | `""` +`controller.service.enabled` | if disabled no service will be created. This is especially useful when `controller.kind` is set to `DaemonSet` and `controller.daemonset.useHostPorts` is `true` | true +`controller.service.clusterIP` | internal controller cluster service IP | `nil` +`controller.service.omitClusterIP` | (Deprecated) To omit the `clusterIP` from the controller service | `false` +`controller.service.externalIPs` | controller service external IP addresses. 
Do not set this when `controller.hostNetwork` is set to `true` and `kube-proxy` is used as there will be a port-conflict for port `80` | `[]` +`controller.service.externalTrafficPolicy` | If `controller.service.type` is `NodePort` or `LoadBalancer`, set this to `Local` to enable [source IP preservation](https://kubernetes.io/docs/tutorials/services/source-ip/#source-ip-for-services-with-typenodeport) | `"Cluster"` +`controller.service.healthCheckNodePort` | If `controller.service.type` is `NodePort` or `LoadBalancer` and `controller.service.externalTrafficPolicy` is set to `Local`, set this to [the managed health-check port the kube-proxy will expose](https://kubernetes.io/docs/tutorials/services/source-ip/#source-ip-for-services-with-typenodeport). If blank, a random port in the `NodePort` range will be assigned | `""` +`controller.service.loadBalancerIP` | IP address to assign to load balancer (if supported) | `""` +`controller.service.loadBalancerSourceRanges` | list of IP CIDRs allowed access to load balancer (if supported) | `[]` +`controller.service.enableHttp` | if port 80 should be opened for service | `true` +`controller.service.enableHttps` | if port 443 should be opened for service | `true` +`controller.service.targetPorts.http` | Sets the targetPort that maps to the Ingress' port 80 | `80` +`controller.service.targetPorts.https` | Sets the targetPort that maps to the Ingress' port 443 | `443` +`controller.service.ports.http` | Sets service http port | `80` +`controller.service.ports.https` | Sets service https port | `443` +`controller.service.type` | type of controller service to create | `LoadBalancer` +`controller.service.nodePorts.http` | If `controller.service.type` is either `NodePort` or `LoadBalancer` and this is non-empty, it sets the nodePort that maps to the Ingress' port 80 | `""` +`controller.service.nodePorts.https` | If `controller.service.type` is either `NodePort` or `LoadBalancer` and this is non-empty, it sets the nodePort that maps 
to the Ingress' port 443 | `""` +`controller.service.nodePorts.tcp` | Sets the nodePort for an entry referenced by its key from `tcp` | `{}` +`controller.service.nodePorts.udp` | Sets the nodePort for an entry referenced by its key from `udp` | `{}` +`controller.livenessProbe.initialDelaySeconds` | Delay before liveness probe is initiated | 10 +`controller.livenessProbe.periodSeconds` | How often to perform the probe | 10 +`controller.livenessProbe.timeoutSeconds` | When the probe times out | 5 +`controller.livenessProbe.successThreshold` | Minimum consecutive successes for the probe to be considered successful after having failed. | 1 +`controller.livenessProbe.failureThreshold` | Minimum consecutive failures for the probe to be considered failed after having succeeded. | 3 +`controller.livenessProbe.port` | The port number that the liveness probe will listen on. | 10254 +`controller.readinessProbe.initialDelaySeconds` | Delay before readiness probe is initiated | 10 +`controller.readinessProbe.periodSeconds` | How often to perform the probe | 10 +`controller.readinessProbe.timeoutSeconds` | When the probe times out | 1 +`controller.readinessProbe.successThreshold` | Minimum consecutive successes for the probe to be considered successful after having failed. | 1 +`controller.readinessProbe.failureThreshold` | Minimum consecutive failures for the probe to be considered failed after having succeeded. | 3 +`controller.readinessProbe.port` | The port number that the readiness probe will listen on. 
| 10254 +`controller.metrics.enabled` | if `true`, enable Prometheus metrics | `false` +`controller.metrics.service.annotations` | annotations for Prometheus metrics service | `{}` +`controller.metrics.service.clusterIP` | cluster IP address to assign to service | `nil` +`controller.metrics.service.omitClusterIP` | (Deprecated) To omit the `clusterIP` from the metrics service | `false` +`controller.metrics.service.externalIPs` | Prometheus metrics service external IP addresses | `[]` +`controller.metrics.service.labels` | labels for metrics service | `{}` +`controller.metrics.service.loadBalancerIP` | IP address to assign to load balancer (if supported) | `""` +`controller.metrics.service.loadBalancerSourceRanges` | list of IP CIDRs allowed access to load balancer (if supported) | `[]` +`controller.metrics.service.servicePort` | Prometheus metrics service port | `9913` +`controller.metrics.service.type` | type of Prometheus metrics service to create | `ClusterIP` +`controller.metrics.serviceMonitor.enabled` | Set this to `true` to create ServiceMonitor for Prometheus operator | `false` +`controller.metrics.serviceMonitor.additionalLabels` | Additional labels that can be used so ServiceMonitor will be discovered by Prometheus | `{}` +`controller.metrics.serviceMonitor.honorLabels` | honorLabels chooses the metric's labels on collisions with target labels. 
| `false` +`controller.metrics.serviceMonitor.namespace` | namespace where servicemonitor resource should be created | `the same namespace as nginx ingress` +`controller.metrics.serviceMonitor.namespaceSelector` | [namespaceSelector](https://github.com/coreos/prometheus-operator/blob/v0.34.0/Documentation/api.md#namespaceselector) to configure what namespaces to scrape | `will scrape the helm release namespace only` +`controller.metrics.serviceMonitor.scrapeInterval` | interval between Prometheus scraping | `30s` +`controller.metrics.prometheusRule.enabled` | Set this to `true` to create prometheusRules for Prometheus operator | `false` +`controller.metrics.prometheusRule.additionalLabels` | Additional labels that can be used so prometheusRules will be discovered by Prometheus | `{}` +`controller.metrics.prometheusRule.namespace` | namespace where prometheusRules resource should be created | `the same namespace as nginx ingress` +`controller.metrics.prometheusRule.rules` | [rules](https://prometheus.io/docs/prometheus/latest/configuration/alerting_rules/) to be prometheus in YAML format, check values for an example. | `[]` +`controller.admissionWebhooks.enabled` | Create Ingress admission webhooks. Validating webhook will check the ingress syntax. 
| `false` +`controller.admissionWebhooks.failurePolicy` | Failure policy for admission webhooks | `Fail` +`controller.admissionWebhooks.port` | Admission webhook port | `8080` +`controller.admissionWebhooks.service.annotations` | Annotations for admission webhook service | `{}` +`controller.admissionWebhooks.service.omitClusterIP` | (Deprecated) To omit the `clusterIP` from the admission webhook service | `false` +`controller.admissionWebhooks.service.clusterIP` | cluster IP address to assign to admission webhook service | `nil` +`controller.admissionWebhooks.service.externalIPs` | Admission webhook service external IP addresses | `[]` +`controller.admissionWebhooks.service.loadBalancerIP` | IP address to assign to load balancer (if supported) | `""` +`controller.admissionWebhooks.service.loadBalancerSourceRanges` | List of IP CIDRs allowed access to load balancer (if supported) | `[]` +`controller.admissionWebhooks.service.servicePort` | Admission webhook service port | `443` +`controller.admissionWebhooks.service.type` | Type of admission webhook service to create | `ClusterIP` +`controller.admissionWebhooks.patch.enabled` | If true, will use a pre and post install hooks to generate a CA and certificate to use for the prometheus operator tls proxy, and patch the created webhooks with the CA. 
| `true` +`controller.admissionWebhooks.patch.image.repository` | Repository to use for the webhook integration jobs | `jettech/kube-webhook-certgen` +`controller.admissionWebhooks.patch.image.tag` | Tag to use for the webhook integration jobs | `v1.0.0` +`controller.admissionWebhooks.patch.image.pullPolicy` | Image pull policy for the webhook integration jobs | `IfNotPresent` +`controller.admissionWebhooks.patch.priorityClassName` | Priority class for the webhook integration jobs | `""` +`controller.admissionWebhooks.patch.podAnnotations` | Annotations for the webhook job pods | `{}` +`controller.admissionWebhooks.patch.nodeSelector` | Node selector for running admission hook patch jobs | `{}` +`controller.customTemplate.configMapName` | configMap containing a custom nginx template | `""` +`controller.customTemplate.configMapKey` | configMap key containing the nginx template | `""` +`controller.addHeaders` | configMap key:value pairs containing [custom headers](https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#add-headers) added before sending response to the client | `{}` +`controller.proxySetHeaders` | configMap key:value pairs containing [custom headers](https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#proxy-set-headers) added before sending request to the backends| `{}` +`controller.headers` | DEPRECATED, Use `controller.proxySetHeaders` instead. 
| `{}` +`controller.updateStrategy` | allows setting of RollingUpdate strategy | `{}` +`controller.configMapNamespace` | The nginx-configmap namespace name | `""` +`controller.tcp.configMapNamespace` | The tcp-services-configmap namespace name | `""` +`controller.udp.configMapNamespace` | The udp-services-configmap namespace name | `""` +`defaultBackend.enabled` | Use default backend component | `true` +`defaultBackend.name` | name of the default backend component | `default-backend` +`defaultBackend.image.repository` | default backend container image repository | `k8s.gcr.io/defaultbackend-amd64` +`defaultBackend.image.tag` | default backend container image tag | `1.5` +`defaultBackend.image.pullPolicy` | default backend container image pull policy | `IfNotPresent` +`defaultBackend.image.runAsUser` | User ID of the controller process. Value depends on the Linux distribution used inside of the container image. By default uses nobody user. | `65534` +`defaultBackend.extraArgs` | Additional default backend container arguments | `{}` +`defaultBackend.extraEnvs` | any additional environment variables to set in the defaultBackend pods | `[]` +`defaultBackend.port` | Http port number | `8080` +`defaultBackend.livenessProbe.initialDelaySeconds` | Delay before liveness probe is initiated | 30 +`defaultBackend.livenessProbe.periodSeconds` | How often to perform the probe | 10 +`defaultBackend.livenessProbe.timeoutSeconds` | When the probe times out | 5 +`defaultBackend.livenessProbe.successThreshold` | Minimum consecutive successes for the probe to be considered successful after having failed. | 1 +`defaultBackend.livenessProbe.failureThreshold` | Minimum consecutive failures for the probe to be considered failed after having succeeded. 
| 3 +`defaultBackend.readinessProbe.initialDelaySeconds` | Delay before readiness probe is initiated | 0 +`defaultBackend.readinessProbe.periodSeconds` | How often to perform the probe | 5 +`defaultBackend.readinessProbe.timeoutSeconds` | When the probe times out | 5 +`defaultBackend.readinessProbe.successThreshold` | Minimum consecutive successes for the probe to be considered successful after having failed. | 1 +`defaultBackend.readinessProbe.failureThreshold` | Minimum consecutive failures for the probe to be considered failed after having succeeded. | 6 +`defaultBackend.tolerations` | node taints to tolerate (requires Kubernetes >=1.6) | `[]` +`defaultBackend.affinity` | node/pod affinities (requires Kubernetes >=1.6) | `{}` +`defaultBackend.nodeSelector` | node labels for pod assignment | `{}` +`defaultBackend.podAnnotations` | annotations to be added to pods | `{}` +`defaultBackend.podLabels` | labels to add to the pod container metadata | `{}` +`defaultBackend.replicaCount` | desired number of default backend pods | `1` +`defaultBackend.minAvailable` | minimum number of available default backend pods for PodDisruptionBudget | `1` +`defaultBackend.resources` | default backend pod resource requests & limits | `{}` +`defaultBackend.priorityClassName` | default backend priorityClassName | `nil` +`defaultBackend.podSecurityContext` | Security context policies to add to the default backend | `{}` +`defaultBackend.service.annotations` | annotations for default backend service | `{}` +`defaultBackend.service.clusterIP` | internal default backend cluster service IP | `nil` +`defaultBackend.service.omitClusterIP` | (Deprecated) To omit the `clusterIP` from the default backend service | `false` +`defaultBackend.service.externalIPs` | default backend service external IP addresses | `[]` +`defaultBackend.service.loadBalancerIP` | IP address to assign to load balancer (if supported) | `""` +`defaultBackend.service.loadBalancerSourceRanges` | list of IP CIDRs allowed 
access to load balancer (if supported) | `[]` +`defaultBackend.service.type` | type of default backend service to create | `ClusterIP` +`defaultBackend.serviceAccount.create` | if `true`, create a backend service account. Only useful if you need a pod security policy to run the backend. | `true` +`defaultBackend.serviceAccount.name` | The name of the backend service account to use. If not set and `create` is `true`, a name is generated using the fullname template. Only useful if you need a pod security policy to run the backend. | `` +`imagePullSecrets` | name of Secret resource containing private registry credentials | `nil` +`rbac.create` | if `true`, create & use RBAC resources | `true` +`podSecurityPolicy.enabled` | if `true`, create & use Pod Security Policy resources | `false` +`serviceAccount.create` | if `true`, create a service account for the controller | `true` +`serviceAccount.name` | The name of the controller service account to use. If not set and `create` is `true`, a name is generated using the fullname template. | `` +`revisionHistoryLimit` | The number of old history to retain to allow rollback. | `10` +`tcp` | TCP service key:value pairs. The value is evaluated as a template. | `{}` +`udp` | UDP service key:value pairs The value is evaluated as a template. | `{}` + +These parameters can be passed via Helm's `--set` option +```console +$ helm install stable/nginx-ingress --name my-release \ + --set controller.metrics.enabled=true +``` + +Alternatively, a YAML file that specifies the values for the parameters can be provided while installing the chart. 
For example, + +```console +$ helm install stable/nginx-ingress --name my-release -f values.yaml +``` + +A useful trick to debug issues with ingress is to increase the logLevel +as described [here](https://github.com/kubernetes/ingress-nginx/blob/master/docs/troubleshooting.md#debug) + +```console +$ helm install stable/nginx-ingress --set controller.extraArgs.v=2 +``` +> **Tip**: You can use the default [values.yaml](values.yaml) + +## PodDisruptionBudget + +Note that the PodDisruptionBudget resource will only be defined if the replicaCount is greater than one, +else it would make it impossible to evacuate a node. See [gh issue #7127](https://github.com/helm/charts/issues/7127) for more info. + +## Prometheus Metrics + +The Nginx ingress controller can export Prometheus metrics. + +```console +$ helm install stable/nginx-ingress --name my-release \ + --set controller.metrics.enabled=true +``` + +You can add Prometheus annotations to the metrics service using `controller.metrics.service.annotations`. Alternatively, if you use the Prometheus Operator, you can enable ServiceMonitor creation using `controller.metrics.serviceMonitor.enabled`. + +## nginx-ingress nginx\_status page/stats server + +Previous versions of this chart had a `controller.stats.*` configuration block, which is now obsolete due to the following changes in nginx ingress controller: +* in [0.16.1](https://github.com/kubernetes/ingress-nginx/blob/master/Changelog.md#0161), the vts (virtual host traffic status) dashboard was removed +* in [0.23.0](https://github.com/kubernetes/ingress-nginx/blob/master/Changelog.md#0230), the status page at port 18080 is now a unix socket webserver only available at localhost. 
+ You can use `curl --unix-socket /tmp/nginx-status-server.sock http://localhost/nginx_status` inside the controller container to access it locally, or use the snippet from [nginx-ingress changelog](https://github.com/kubernetes/ingress-nginx/blob/master/Changelog.md#0230) to re-enable the http server + +## ExternalDNS Service configuration + +Add an [ExternalDNS](https://github.com/kubernetes-incubator/external-dns) annotation to the LoadBalancer service: + +```yaml +controller: + service: + annotations: + external-dns.alpha.kubernetes.io/hostname: kubernetes-example.com. +``` + +## AWS L7 ELB with SSL Termination + +Annotate the controller as shown in the [nginx-ingress l7 patch](https://github.com/kubernetes/ingress-nginx/blob/master/deploy/aws/l7/service-l7.yaml): + +```yaml +controller: + service: + targetPorts: + http: http + https: http + annotations: + service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:acm:XX-XXXX-X:XXXXXXXXX:certificate/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXX + service.beta.kubernetes.io/aws-load-balancer-backend-protocol: "http" + service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "https" + service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: '3600' +``` + +## AWS route53-mapper + +To configure the LoadBalancer service with the [route53-mapper addon](https://github.com/kubernetes/kops/tree/master/addons/route53-mapper), add the `domainName` annotation and `dns` label: + +```yaml +controller: + service: + labels: + dns: "route53" + annotations: + domainName: "kubernetes-example.com" +``` + +## Ingress Admission Webhooks + +With nginx-ingress-controller version 0.25+, the nginx ingress controller pod exposes an endpoint that will integrate with the `validatingwebhookconfiguration` Kubernetes feature to prevent bad ingress from being added to the cluster. 
+ +With nginx-ingress-controller in 0.25.* work only with kubernetes 1.14+, 0.26 fix [this issue](https://github.com/kubernetes/ingress-nginx/pull/4521) + +## Helm error when upgrading: spec.clusterIP: Invalid value: "" + +If you are upgrading this chart from a version between 0.31.0 and 1.2.2 then you may get an error like this: + +``` +Error: UPGRADE FAILED: Service "?????-controller" is invalid: spec.clusterIP: Invalid value: "": field is immutable +``` + +Detail of how and why are in [this issue](https://github.com/helm/charts/pull/13646) but to resolve this you can set `xxxx.service.omitClusterIP` to `true` where `xxxx` is the service referenced in the error. + +As of version `1.26.0` of this chart, by simply not providing any clusterIP value, `invalid: spec.clusterIP: Invalid value: "": field is immutable` will no longer occur since `clusterIP: ""` will not be rendered. If you do wish to provide a clusterIP value in your values file, ensure that it is quoted. diff --git a/basic-nginx-ingress/ci/daemonset-customconfig-values.yaml b/basic-nginx-ingress/ci/daemonset-customconfig-values.yaml new file mode 100755 index 0000000..f12eac3 --- /dev/null +++ b/basic-nginx-ingress/ci/daemonset-customconfig-values.yaml @@ -0,0 +1,4 @@ +controller: + kind: DaemonSet + config: + use-proxy-protocol: "true" diff --git a/basic-nginx-ingress/ci/daemonset-customnodeport-values.yaml b/basic-nginx-ingress/ci/daemonset-customnodeport-values.yaml new file mode 100755 index 0000000..382bc50 --- /dev/null +++ b/basic-nginx-ingress/ci/daemonset-customnodeport-values.yaml @@ -0,0 +1,15 @@ +controller: + kind: DaemonSet + service: + type: NodePort + nodePorts: + tcp: + 9000: 30090 + udp: + 9001: 30091 + +tcp: + 9000: "default/test:8080" + +udp: + 9001: "default/test:8080" diff --git a/basic-nginx-ingress/ci/daemonset-headers-values.yaml b/basic-nginx-ingress/ci/daemonset-headers-values.yaml new file mode 100755 index 0000000..a29690f --- /dev/null 
+++ b/basic-nginx-ingress/ci/daemonset-headers-values.yaml @@ -0,0 +1,6 @@ +controller: + kind: DaemonSet + addHeaders: + X-Frame-Options: deny + proxySetHeaders: + X-Forwarded-Proto: https diff --git a/basic-nginx-ingress/ci/daemonset-nodeport-values.yaml b/basic-nginx-ingress/ci/daemonset-nodeport-values.yaml new file mode 100755 index 0000000..ebc8f10 --- /dev/null +++ b/basic-nginx-ingress/ci/daemonset-nodeport-values.yaml @@ -0,0 +1,4 @@ +controller: + kind: DaemonSet + service: + type: NodePort diff --git a/basic-nginx-ingress/ci/daemonset-tcp-udp-configMapNamespace-values.yaml b/basic-nginx-ingress/ci/daemonset-tcp-udp-configMapNamespace-values.yaml new file mode 100755 index 0000000..3484704 --- /dev/null +++ b/basic-nginx-ingress/ci/daemonset-tcp-udp-configMapNamespace-values.yaml @@ -0,0 +1,14 @@ +controller: + kind: DaemonSet + service: + type: ClusterIP + tcp: + configMapNamespace: default + udp: + configMapNamespace: default + +tcp: + 9000: "default/test:8080" + +udp: + 9001: "default/test:8080" diff --git a/basic-nginx-ingress/ci/daemonset-tcp-udp-values.yaml b/basic-nginx-ingress/ci/daemonset-tcp-udp-values.yaml new file mode 100755 index 0000000..e6866d7 --- /dev/null +++ b/basic-nginx-ingress/ci/daemonset-tcp-udp-values.yaml @@ -0,0 +1,10 @@ +controller: + kind: DaemonSet + service: + type: ClusterIP + +tcp: + 9000: "default/test:8080" + +udp: + 9001: "default/test:8080" diff --git a/basic-nginx-ingress/ci/daemonset-tcp-values.yaml b/basic-nginx-ingress/ci/daemonset-tcp-values.yaml new file mode 100755 index 0000000..f0a6060 --- /dev/null +++ b/basic-nginx-ingress/ci/daemonset-tcp-values.yaml @@ -0,0 +1,6 @@ +controller: + kind: DaemonSet + +tcp: + 9000: "default/test:8080" + 9001: "default/test:8080" diff --git a/basic-nginx-ingress/ci/deamonset-default-values.yaml b/basic-nginx-ingress/ci/deamonset-default-values.yaml new file mode 100755 index 0000000..ddb2562 --- /dev/null +++ b/basic-nginx-ingress/ci/deamonset-default-values.yaml 
@@ -0,0 +1,2 @@ +controller: + kind: DaemonSet diff --git a/basic-nginx-ingress/ci/deamonset-metrics-values.yaml b/basic-nginx-ingress/ci/deamonset-metrics-values.yaml new file mode 100755 index 0000000..5ce435d --- /dev/null +++ b/basic-nginx-ingress/ci/deamonset-metrics-values.yaml @@ -0,0 +1,4 @@ +controller: + kind: DaemonSet + metrics: + enabled: true diff --git a/basic-nginx-ingress/ci/deamonset-psp-values.yaml b/basic-nginx-ingress/ci/deamonset-psp-values.yaml new file mode 100755 index 0000000..b441c1a --- /dev/null +++ b/basic-nginx-ingress/ci/deamonset-psp-values.yaml @@ -0,0 +1,5 @@ +controller: + kind: DaemonSet + +podSecurityPolicy: + enabled: true diff --git a/basic-nginx-ingress/ci/deamonset-webhook-and-psp-values.yaml b/basic-nginx-ingress/ci/deamonset-webhook-and-psp-values.yaml new file mode 100755 index 0000000..2cf9d6f --- /dev/null +++ b/basic-nginx-ingress/ci/deamonset-webhook-and-psp-values.yaml @@ -0,0 +1,7 @@ +controller: + kind: DaemonSet + admissionWebhooks: + enabled: true + +podSecurityPolicy: + enabled: true diff --git a/basic-nginx-ingress/ci/deamonset-webhook-values.yaml b/basic-nginx-ingress/ci/deamonset-webhook-values.yaml new file mode 100755 index 0000000..2d2cb47 --- /dev/null +++ b/basic-nginx-ingress/ci/deamonset-webhook-values.yaml @@ -0,0 +1,4 @@ +controller: + kind: DaemonSet + admissionWebhooks: + enabled: true diff --git a/basic-nginx-ingress/ci/deployment-autoscaling-values.yaml b/basic-nginx-ingress/ci/deployment-autoscaling-values.yaml new file mode 100755 index 0000000..e9701da --- /dev/null +++ b/basic-nginx-ingress/ci/deployment-autoscaling-values.yaml @@ -0,0 +1,3 @@ +controller: + autoscaling: + enabled: true diff --git a/basic-nginx-ingress/ci/deployment-customconfig-values.yaml b/basic-nginx-ingress/ci/deployment-customconfig-values.yaml new file mode 100755 index 0000000..401aea4 --- /dev/null +++ b/basic-nginx-ingress/ci/deployment-customconfig-values.yaml 
@@ -0,0 +1,3 @@ +controller: + config: + use-proxy-protocol: "true" diff --git a/basic-nginx-ingress/ci/deployment-customnodeport-values.yaml b/basic-nginx-ingress/ci/deployment-customnodeport-values.yaml new file mode 100755 index 0000000..6958eaa --- /dev/null +++ b/basic-nginx-ingress/ci/deployment-customnodeport-values.yaml @@ -0,0 +1,14 @@ +controller: + service: + type: NodePort + nodePorts: + tcp: + 9000: 30090 + udp: + 9001: 30091 + +tcp: + 9000: "default/test:8080" + +udp: + 9001: "default/test:8080" diff --git a/basic-nginx-ingress/ci/deployment-default-values.yaml b/basic-nginx-ingress/ci/deployment-default-values.yaml new file mode 100755 index 0000000..b15f0e4 --- /dev/null +++ b/basic-nginx-ingress/ci/deployment-default-values.yaml @@ -0,0 +1 @@ +# Left blank to test default values diff --git a/basic-nginx-ingress/ci/deployment-headers-values.yaml b/basic-nginx-ingress/ci/deployment-headers-values.yaml new file mode 100755 index 0000000..f3873af --- /dev/null +++ b/basic-nginx-ingress/ci/deployment-headers-values.yaml @@ -0,0 +1,5 @@ +controller: + addHeaders: + X-Frame-Options: deny + proxySetHeaders: + X-Forwarded-Proto: https diff --git a/basic-nginx-ingress/ci/deployment-metrics-values.yaml b/basic-nginx-ingress/ci/deployment-metrics-values.yaml new file mode 100755 index 0000000..9a93fa5 --- /dev/null +++ b/basic-nginx-ingress/ci/deployment-metrics-values.yaml @@ -0,0 +1,3 @@ +controller: + metrics: + enabled: true diff --git a/basic-nginx-ingress/ci/deployment-nodeport-values.yaml b/basic-nginx-ingress/ci/deployment-nodeport-values.yaml new file mode 100755 index 0000000..ffdc47b --- /dev/null +++ b/basic-nginx-ingress/ci/deployment-nodeport-values.yaml @@ -0,0 +1,3 @@ +controller: + service: + type: NodePort diff --git a/basic-nginx-ingress/ci/deployment-psp-values.yaml b/basic-nginx-ingress/ci/deployment-psp-values.yaml new file mode 100755 index 0000000..7aae860 --- /dev/null +++ b/basic-nginx-ingress/ci/deployment-psp-values.yaml 
@@ -0,0 +1,2 @@ +podSecurityPolicy: + enabled: true diff --git a/basic-nginx-ingress/ci/deployment-tcp-udp-configMapNamespace-values.yaml b/basic-nginx-ingress/ci/deployment-tcp-udp-configMapNamespace-values.yaml new file mode 100755 index 0000000..7b06c1e --- /dev/null +++ b/basic-nginx-ingress/ci/deployment-tcp-udp-configMapNamespace-values.yaml @@ -0,0 +1,13 @@ +controller: + service: + type: ClusterIP + tcp: + configMapNamespace: default + udp: + configMapNamespace: default + +tcp: + 9000: "default/test:8080" + +udp: + 9001: "default/test:8080" diff --git a/basic-nginx-ingress/ci/deployment-tcp-udp-values.yaml b/basic-nginx-ingress/ci/deployment-tcp-udp-values.yaml new file mode 100755 index 0000000..7c55d44 --- /dev/null +++ b/basic-nginx-ingress/ci/deployment-tcp-udp-values.yaml @@ -0,0 +1,9 @@ +controller: + service: + type: ClusterIP + +tcp: + 9000: "default/test:8080" + +udp: + 9001: "default/test:8080" diff --git a/basic-nginx-ingress/ci/deployment-tcp-values.yaml b/basic-nginx-ingress/ci/deployment-tcp-values.yaml new file mode 100755 index 0000000..c8bc204 --- /dev/null +++ b/basic-nginx-ingress/ci/deployment-tcp-values.yaml @@ -0,0 +1,3 @@ +tcp: + 9000: "default/test:8080" + 9001: "default/test:8080" diff --git a/basic-nginx-ingress/ci/deployment-webhook-and-psp-values.yaml b/basic-nginx-ingress/ci/deployment-webhook-and-psp-values.yaml new file mode 100755 index 0000000..0590d7c --- /dev/null +++ b/basic-nginx-ingress/ci/deployment-webhook-and-psp-values.yaml @@ -0,0 +1,6 @@ +controller: + admissionWebhooks: + enabled: true + +podSecurityPolicy: + enabled: true diff --git a/basic-nginx-ingress/ci/deployment-webhook-values.yaml b/basic-nginx-ingress/ci/deployment-webhook-values.yaml new file mode 100755 index 0000000..07e1a92 --- /dev/null +++ b/basic-nginx-ingress/ci/deployment-webhook-values.yaml @@ -0,0 +1,3 @@ +controller: + admissionWebhooks: + enabled: true 
diff --git a/basic-nginx-ingress/templates/NOTES.txt b/basic-nginx-ingress/templates/NOTES.txt new file mode 100755 index 0000000..57bbc9e --- /dev/null +++ b/basic-nginx-ingress/templates/NOTES.txt 
@@ -0,0 +1,71 @@ +The nginx-ingress controller has been installed. + +{{- if contains "NodePort" .Values.controller.service.type }} +Get the application URL by running these commands: + +{{- if (not (empty .Values.controller.service.nodePorts.http)) }} + export HTTP_NODE_PORT={{ .Values.controller.service.nodePorts.http }} +{{- else }} + export HTTP_NODE_PORT=$(kubectl --namespace {{ .Release.Namespace }} get services -o jsonpath="{.spec.ports[0].nodePort}" {{ template "nginx-ingress.controller.fullname" . }}) +{{- end }} +{{- if (not (empty .Values.controller.service.nodePorts.https)) }} + export HTTPS_NODE_PORT={{ .Values.controller.service.nodePorts.https }} +{{- else }} + export HTTPS_NODE_PORT=$(kubectl --namespace {{ .Release.Namespace }} get services -o jsonpath="{.spec.ports[1].nodePort}" {{ template "nginx-ingress.controller.fullname" . }}) +{{- end }} + export NODE_IP=$(kubectl --namespace {{ .Release.Namespace }} get nodes -o jsonpath="{.items[0].status.addresses[1].address}") + + echo "Visit http://$NODE_IP:$HTTP_NODE_PORT to access your application via HTTP." + echo "Visit https://$NODE_IP:$HTTPS_NODE_PORT to access your application via HTTPS." +{{- else if contains "LoadBalancer" .Values.controller.service.type }} +It may take a few minutes for the LoadBalancer IP to be available. +You can watch the status by running 'kubectl --namespace {{ .Release.Namespace }} get services -o wide -w {{ template "nginx-ingress.controller.fullname" . }}' +{{- else if contains "ClusterIP" .Values.controller.service.type }} +Get the application URL by running these commands: + export POD_NAME=$(kubectl --namespace {{ .Release.Namespace }} get pods -o jsonpath="{.items[0].metadata.name}" -l "app={{ template "nginx-ingress.name" . }},component={{ .Values.controller.name }},release={{ .Release.Name }}") + kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 8080:80 + echo "Visit http://127.0.0.1:8080 to access your application." 
+{{- end }} + +An example Ingress that makes use of the controller: + + apiVersion: extensions/v1beta1 + kind: Ingress + metadata: + annotations: + kubernetes.io/ingress.class: {{ .Values.controller.ingressClass }} + name: example + namespace: foo + spec: + rules: + - host: www.example.com + http: + paths: + - backend: + serviceName: exampleService + servicePort: 80 + path: / + # This section is only required if TLS is to be enabled for the Ingress + tls: + - hosts: + - www.example.com + secretName: example-tls + +If TLS is enabled for the Ingress, a Secret containing the certificate and key must also be provided: + + apiVersion: v1 + kind: Secret + metadata: + name: example-tls + namespace: foo + data: + tls.crt: + tls.key: + type: kubernetes.io/tls + +{{- if .Values.controller.headers }} +################################################################################# +###### WARNING: `controller.headers` has been deprecated! ##### +###### It has been renamed to `controller.proxySetHeaders`. ##### +################################################################################# +{{- end }} diff --git a/basic-nginx-ingress/templates/_helpers.tpl b/basic-nginx-ingress/templates/_helpers.tpl new file mode 100755 index 0000000..0360253 --- /dev/null +++ b/basic-nginx-ingress/templates/_helpers.tpl 
@@ -0,0 +1,117 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "nginx-ingress.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "nginx-ingress.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +*/}} +{{- define "nginx-ingress.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create a default fully qualified controller name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +*/}} +{{- define "nginx-ingress.controller.fullname" -}} +{{- printf "%s-%s" (include "nginx-ingress.fullname" .) .Values.controller.name | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Construct the path for the publish-service. + +By convention this will simply use the / to match the name of the +service generated. + +Users can provide an override for an explicit service they want bound via `.Values.controller.publishService.pathOverride` + +*/}} +{{- define "nginx-ingress.controller.publishServicePath" -}} +{{- $defServiceName := printf "%s/%s" .Release.Namespace (include "nginx-ingress.controller.fullname" .) 
-}} +{{- $servicePath := default $defServiceName .Values.controller.publishService.pathOverride }} +{{- print $servicePath | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified default backend name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +*/}} +{{- define "nginx-ingress.defaultBackend.fullname" -}} +{{- printf "%s-%s" (include "nginx-ingress.fullname" .) .Values.defaultBackend.name | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create the name of the controller service account to use +*/}} +{{- define "nginx-ingress.serviceAccountName" -}} +{{- if .Values.serviceAccount.create -}} + {{ default (include "nginx-ingress.fullname" .) .Values.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.serviceAccount.name }} +{{- end -}} +{{- end -}} + +{{/* +Create the name of the backend service account to use - only used when podsecuritypolicy is also enabled +*/}} +{{- define "nginx-ingress.defaultBackend.serviceAccountName" -}} +{{- if .Values.defaultBackend.serviceAccount.create -}} + {{ default (printf "%s-backend" (include "nginx-ingress.fullname" .)) .Values.defaultBackend.serviceAccount.name }} +{{- else -}} + {{ default "default-backend" .Values.defaultBackend.serviceAccount.name }} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for deployment. +*/}} +{{- define "deployment.apiVersion" -}} +{{- if semverCompare ">=1.9-0" .Capabilities.KubeVersion.GitVersion -}} +{{- print "apps/v1" -}} +{{- else -}} +{{- print "extensions/v1beta1" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiGroup for PodSecurityPolicy. +*/}} +{{- define "podSecurityPolicy.apiGroup" -}} +{{- if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}} +{{- print "policy" -}} +{{- else -}} +{{- print "extensions" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for podSecurityPolicy. 
+*/}} +{{- define "podSecurityPolicy.apiVersion" -}} +{{- if semverCompare ">=1.10-0" .Capabilities.KubeVersion.GitVersion -}} +{{- print "policy/v1beta1" -}} +{{- else -}} +{{- print "extensions/v1beta1" -}} +{{- end -}} +{{- end -}} \ No newline at end of file diff --git a/basic-nginx-ingress/templates/addheaders-configmap.yaml b/basic-nginx-ingress/templates/addheaders-configmap.yaml new file mode 100755 index 0000000..04a04aa --- /dev/null +++ b/basic-nginx-ingress/templates/addheaders-configmap.yaml @@ -0,0 +1,14 @@ +{{- if .Values.controller.addHeaders }} +apiVersion: v1 +kind: ConfigMap +metadata: + labels: + app: {{ template "nginx-ingress.name" . }} + chart: {{ template "nginx-ingress.chart" . }} + component: "{{ .Values.controller.name }}" + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + name: {{ template "nginx-ingress.fullname" . }}-custom-add-headers +data: +{{ toYaml .Values.controller.addHeaders | indent 2 }} +{{- end }} diff --git a/basic-nginx-ingress/templates/admission-webhooks/job-patch/clusterrole.yaml b/basic-nginx-ingress/templates/admission-webhooks/job-patch/clusterrole.yaml new file mode 100755 index 0000000..97d7a2a --- /dev/null +++ b/basic-nginx-ingress/templates/admission-webhooks/job-patch/clusterrole.yaml 
@@ -0,0 +1,30 @@ +{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "nginx-ingress.fullname" . }}-admission + annotations: + "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade + "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded + labels: + app: {{ template "nginx-ingress.name" . }} + chart: {{ template "nginx-ingress.chart" . }} + component: "{{ .Values.controller.name }}" + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +rules: + - apiGroups: + - admissionregistration.k8s.io + resources: + - validatingwebhookconfigurations + verbs: + - get + - update +{{- if .Values.podSecurityPolicy.enabled }} + - apiGroups: ['extensions'] + resources: ['podsecuritypolicies'] + verbs: ['use'] + resourceNames: + - {{ template "nginx-ingress.fullname" . }}-admission +{{- end }} +{{- end }} diff --git a/basic-nginx-ingress/templates/admission-webhooks/job-patch/clusterrolebinding.yaml b/basic-nginx-ingress/templates/admission-webhooks/job-patch/clusterrolebinding.yaml new file mode 100755 index 0000000..57c2104 --- /dev/null +++ b/basic-nginx-ingress/templates/admission-webhooks/job-patch/clusterrolebinding.yaml 
@@ -0,0 +1,23 @@ +{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "nginx-ingress.fullname" . }}-admission + annotations: + "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade + "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded + labels: + app: {{ template "nginx-ingress.name" . }} + chart: {{ template "nginx-ingress.chart" . }} + component: "{{ .Values.controller.name }}" + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "nginx-ingress.fullname" . }}-admission +subjects: + - kind: ServiceAccount + name: {{ template "nginx-ingress.fullname" . }}-admission + namespace: {{ .Release.Namespace }} +{{- end }} diff --git a/basic-nginx-ingress/templates/admission-webhooks/job-patch/job-createSecret.yaml b/basic-nginx-ingress/templates/admission-webhooks/job-patch/job-createSecret.yaml new file mode 100755 index 0000000..4e4b6b5 --- /dev/null +++ b/basic-nginx-ingress/templates/admission-webhooks/job-patch/job-createSecret.yaml 
@@ -0,0 +1,55 @@ +{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled }} +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ template "nginx-ingress.fullname" . }}-admission-create + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded + labels: + app: {{ template "nginx-ingress.name" . }} + chart: {{ template "nginx-ingress.chart" . }} + component: "{{ .Values.controller.name }}" + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +spec: + {{- if .Capabilities.APIVersions.Has "batch/v1alpha1" }} + # Alpha feature since k8s 1.12 + ttlSecondsAfterFinished: 0 + {{- end }} + template: + metadata: + name: {{ template "nginx-ingress.fullname" . }}-admission-create +{{- with .Values.controller.admissionWebhooks.patch.podAnnotations }} + annotations: +{{ toYaml . | indent 8 }} +{{- end }} + labels: + app: {{ template "nginx-ingress.name" . }} + chart: {{ template "nginx-ingress.chart" . }} + component: "{{ .Values.controller.name }}" + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + spec: + {{- if .Values.controller.admissionWebhooks.patch.priorityClassName }} + priorityClassName: {{ .Values.controller.admissionWebhooks.patch.priorityClassName }} + {{- end }} + containers: + - name: create + image: {{ .Values.controller.admissionWebhooks.patch.image.repository }}:{{ .Values.controller.admissionWebhooks.patch.image.tag }} + imagePullPolicy: {{ .Values.controller.admissionWebhooks.patch.image.pullPolicy }} + args: + - create + - --host={{ template "nginx-ingress.controller.fullname" . }}-admission,{{ template "nginx-ingress.controller.fullname" . }}-admission.{{ .Release.Namespace }}.svc + - --namespace={{ .Release.Namespace }} + - --secret-name={{ template "nginx-ingress.fullname". }}-admission + restartPolicy: OnFailure + serviceAccountName: {{ template "nginx-ingress.fullname" . 
}}-admission + {{- with .Values.controller.admissionWebhooks.patch.nodeSelector }} + nodeSelector: +{{ toYaml . | indent 8 }} + {{- end }} + securityContext: + runAsNonRoot: true + runAsUser: 2000 +{{- end }} diff --git a/basic-nginx-ingress/templates/admission-webhooks/job-patch/job-patchWebhook.yaml b/basic-nginx-ingress/templates/admission-webhooks/job-patch/job-patchWebhook.yaml new file mode 100755 index 0000000..2182e53 --- /dev/null +++ b/basic-nginx-ingress/templates/admission-webhooks/job-patch/job-patchWebhook.yaml 
@@ -0,0 +1,57 @@ +{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled }} +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ template "nginx-ingress.fullname" . }}-admission-patch + annotations: + "helm.sh/hook": post-install,post-upgrade + "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded + labels: + app: {{ template "nginx-ingress.name" . }} + chart: {{ template "nginx-ingress.chart" . }} + component: "{{ .Values.controller.name }}" + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +spec: + {{- if .Capabilities.APIVersions.Has "batch/v1alpha1" }} + # Alpha feature since k8s 1.12 + ttlSecondsAfterFinished: 0 + {{- end }} + template: + metadata: + name: {{ template "nginx-ingress.fullname" . }}-admission-patch +{{- with .Values.controller.admissionWebhooks.patch.podAnnotations }} + annotations: +{{ toYaml . | indent 8 }} +{{- end }} + labels: + app: {{ template "nginx-ingress.name" . }} + chart: {{ template "nginx-ingress.chart" . }} + component: "{{ .Values.controller.name }}" + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + spec: + {{- if .Values.controller.admissionWebhooks.patch.priorityClassName }} + priorityClassName: {{ .Values.controller.admissionWebhooks.patch.priorityClassName }} + {{- end }} + containers: + - name: patch + image: {{ .Values.controller.admissionWebhooks.patch.image.repository }}:{{ .Values.controller.admissionWebhooks.patch.image.tag }} + imagePullPolicy: {{ .Values.controller.admissionWebhooks.patch.pullPolicy }} + args: + - patch + - --webhook-name={{ template "nginx-ingress.fullname" . }}-admission + - --namespace={{ .Release.Namespace }} + - --patch-mutating=false + - --secret-name={{ template "nginx-ingress.fullname". }}-admission + - --patch-failure-policy={{ .Values.controller.admissionWebhooks.failurePolicy }} + restartPolicy: OnFailure + serviceAccountName: {{ template "nginx-ingress.fullname" . 
}}-admission + {{- with .Values.controller.admissionWebhooks.patch.nodeSelector }} + nodeSelector: +{{ toYaml . | indent 8 }} + {{- end }} + securityContext: + runAsNonRoot: true + runAsUser: 2000 +{{- end }} diff --git a/basic-nginx-ingress/templates/admission-webhooks/job-patch/psp.yaml b/basic-nginx-ingress/templates/admission-webhooks/job-patch/psp.yaml new file mode 100755 index 0000000..3b69e00 --- /dev/null +++ b/basic-nginx-ingress/templates/admission-webhooks/job-patch/psp.yaml @@ -0,0 +1,39 @@ +{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled .Values.podSecurityPolicy.enabled }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "nginx-ingress.fullname" . }}-admission + annotations: + "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade + "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded + labels: + app: {{ template "nginx-ingress.name" . }} + chart: {{ template "nginx-ingress.chart" . }} + component: "{{ .Values.controller.name }}" + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +spec: + allowPrivilegeEscalation: false + fsGroup: + ranges: + - max: 65535 + min: 1 + rule: MustRunAs + requiredDropCapabilities: + - ALL + runAsUser: + rule: MustRunAsNonRoot + seLinux: + rule: RunAsAny + supplementalGroups: + ranges: + - max: 65535 + min: 1 + rule: MustRunAs + volumes: + - configMap + - emptyDir + - projected + - secret + - downwardAPI +{{- end }} diff --git a/basic-nginx-ingress/templates/admission-webhooks/job-patch/role.yaml b/basic-nginx-ingress/templates/admission-webhooks/job-patch/role.yaml new file mode 100755 index 0000000..4557662 --- /dev/null +++ b/basic-nginx-ingress/templates/admission-webhooks/job-patch/role.yaml 
@@ -0,0 +1,23 @@ +{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "nginx-ingress.fullname" . }}-admission + annotations: + "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade + "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded + labels: + app: {{ template "nginx-ingress.name" . }} + chart: {{ template "nginx-ingress.chart" . }} + component: "{{ .Values.controller.name }}" + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +rules: + - apiGroups: + - "" + resources: + - secrets + verbs: + - get + - create +{{- end }} diff --git a/basic-nginx-ingress/templates/admission-webhooks/job-patch/rolebinding.yaml b/basic-nginx-ingress/templates/admission-webhooks/job-patch/rolebinding.yaml new file mode 100755 index 0000000..0e0907d --- /dev/null +++ b/basic-nginx-ingress/templates/admission-webhooks/job-patch/rolebinding.yaml @@ -0,0 +1,23 @@ +{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "nginx-ingress.fullname" . }}-admission + annotations: + "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade + "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded + labels: + app: {{ template "nginx-ingress.name" . }} + chart: {{ template "nginx-ingress.chart" . }} + component: "{{ .Values.controller.name }}" + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "nginx-ingress.fullname" . }}-admission +subjects: + - kind: ServiceAccount + name: {{ template "nginx-ingress.fullname" . }}-admission + namespace: {{ .Release.Namespace }} +{{- end }} 
diff --git a/basic-nginx-ingress/templates/admission-webhooks/job-patch/serviceaccount.yaml b/basic-nginx-ingress/templates/admission-webhooks/job-patch/serviceaccount.yaml new file mode 100755 index 0000000..11d249c --- /dev/null +++ b/basic-nginx-ingress/templates/admission-webhooks/job-patch/serviceaccount.yaml @@ -0,0 +1,15 @@ +{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "nginx-ingress.fullname" . }}-admission + annotations: + "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade + "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded + labels: + app: {{ template "nginx-ingress.name" . }} + chart: {{ template "nginx-ingress.chart" . }} + component: "{{ .Values.controller.name }}" + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +{{- end }} diff --git a/basic-nginx-ingress/templates/admission-webhooks/validating-webhook.yaml b/basic-nginx-ingress/templates/admission-webhooks/validating-webhook.yaml new file mode 100755 index 0000000..53f37b2 --- /dev/null +++ b/basic-nginx-ingress/templates/admission-webhooks/validating-webhook.yaml 
@@ -0,0 +1,31 @@ +{{- if .Values.controller.admissionWebhooks.enabled }} +apiVersion: admissionregistration.k8s.io/v1beta1 +kind: ValidatingWebhookConfiguration +metadata: + labels: + app: {{ template "nginx-ingress.name" . }}-admission + chart: {{ template "nginx-ingress.chart" . }} + component: "admission-webhook" + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + name: {{ template "nginx-ingress.fullname" . }}-admission +webhooks: + - name: validate.nginx.ingress.kubernetes.io + rules: + - apiGroups: + - extensions + - networking.k8s.io + apiVersions: + - v1beta1 + operations: + - CREATE + - UPDATE + resources: + - ingresses + failurePolicy: Fail + clientConfig: + service: + namespace: {{ .Release.Namespace }} + name: {{ template "nginx-ingress.controller.fullname" . }}-admission + path: /extensions/v1beta1/ingresses +{{- end }} diff --git a/basic-nginx-ingress/templates/clusterrole.yaml b/basic-nginx-ingress/templates/clusterrole.yaml new file mode 100755 index 0000000..e39029b --- /dev/null +++ b/basic-nginx-ingress/templates/clusterrole.yaml 
@@ -0,0 +1,71 @@ +{{- if and .Values.rbac.create (not .Values.controller.scope.enabled) -}} +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRole +metadata: + labels: + app: {{ template "nginx-ingress.name" . }} + chart: {{ template "nginx-ingress.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + name: {{ template "nginx-ingress.fullname" . }} +rules: + - apiGroups: + - "" + resources: + - configmaps + - endpoints + - nodes + - pods + - secrets + verbs: + - list + - watch +{{- if and .Values.controller.scope.enabled .Values.controller.scope.namespace }} + - apiGroups: + - "" + resources: + - namespaces + resourceNames: + - "{{ .Values.controller.scope.namespace }}" + verbs: + - get +{{- end }} + - apiGroups: + - "" + resources: + - nodes + verbs: + - get + - apiGroups: + - "" + resources: + - services + verbs: + - get + - list + - update + - watch + - apiGroups: + - extensions + - "networking.k8s.io" # k8s 1.14+ + resources: + - ingresses + verbs: + - get + - list + - watch + - apiGroups: + - "" + resources: + - events + verbs: + - create + - patch + - apiGroups: + - extensions + - "networking.k8s.io" # k8s 1.14+ + resources: + - ingresses/status + verbs: + - update +{{- end -}} diff --git a/basic-nginx-ingress/templates/clusterrolebinding.yaml b/basic-nginx-ingress/templates/clusterrolebinding.yaml new file mode 100755 index 0000000..d5aa547 --- /dev/null +++ b/basic-nginx-ingress/templates/clusterrolebinding.yaml 
@@ -0,0 +1,19 @@ +{{- if and .Values.rbac.create (not .Values.controller.scope.enabled) -}} +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRoleBinding +metadata: + labels: + app: {{ template "nginx-ingress.name" . }} + chart: {{ template "nginx-ingress.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + name: {{ template "nginx-ingress.fullname" . }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "nginx-ingress.fullname" . }} +subjects: + - kind: ServiceAccount + name: {{ template "nginx-ingress.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} +{{- end -}} diff --git a/basic-nginx-ingress/templates/controller-configmap.yaml b/basic-nginx-ingress/templates/controller-configmap.yaml new file mode 100755 index 0000000..e80dae2 --- /dev/null +++ b/basic-nginx-ingress/templates/controller-configmap.yaml @@ -0,0 +1,22 @@ +{{- if or .Values.controller.config (or (or .Values.controller.proxySetHeaders .Values.controller.headers) .Values.controller.addHeaders) }} +apiVersion: v1 +kind: ConfigMap +metadata: + labels: + app: {{ template "nginx-ingress.name" . }} + chart: {{ template "nginx-ingress.chart" . }} + component: "{{ .Values.controller.name }}" + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + name: {{ template "nginx-ingress.controller.fullname" . }} +data: +{{- if .Values.controller.addHeaders }} + add-headers: {{ .Release.Namespace }}/{{ template "nginx-ingress.fullname" . }}-custom-add-headers +{{- end }} +{{- if or .Values.controller.proxySetHeaders .Values.controller.headers }} + proxy-set-headers: {{ .Release.Namespace }}/{{ template "nginx-ingress.fullname" . }}-custom-proxy-headers +{{- end }} +{{- if .Values.controller.config }} +{{ toYaml .Values.controller.config | indent 2 }} +{{- end }} +{{- end }} 
diff --git a/basic-nginx-ingress/templates/controller-daemonset.yaml b/basic-nginx-ingress/templates/controller-daemonset.yaml new file mode 100755 index 0000000..1f11178 --- /dev/null +++ b/basic-nginx-ingress/templates/controller-daemonset.yaml 
@@ -0,0 +1,236 @@ +{{- if or (eq .Values.controller.kind "DaemonSet") (eq .Values.controller.kind "Both") }} +{{- $useHostPort := .Values.controller.daemonset.useHostPort -}} +{{- $hostPorts := .Values.controller.daemonset.hostPorts -}} +apiVersion: {{ template "deployment.apiVersion" . }} +kind: DaemonSet +metadata: + labels: + app: {{ template "nginx-ingress.name" . }} + chart: {{ template "nginx-ingress.chart" . }} + component: "{{ .Values.controller.name }}" + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + name: {{ template "nginx-ingress.controller.fullname" . }} +spec: + selector: + matchLabels: + app: {{ template "nginx-ingress.name" . }} + release: {{ .Release.Name }} + revisionHistoryLimit: {{ .Values.revisionHistoryLimit }} + updateStrategy: +{{ toYaml .Values.controller.updateStrategy | indent 4 }} + minReadySeconds: {{ .Values.controller.minReadySeconds }} + template: + metadata: + {{- if .Values.controller.podAnnotations }} + annotations: + {{- range $key, $value := .Values.controller.podAnnotations }} + {{ $key }}: {{ $value | quote }} + {{- end }} + {{- end }} + labels: + app: {{ template "nginx-ingress.name" . }} + component: "{{ .Values.controller.name }}" + release: {{ .Release.Name }} + {{- if .Values.controller.podLabels }} +{{ toYaml .Values.controller.podLabels | indent 8}} + {{- end }} + spec: + dnsPolicy: {{ .Values.controller.dnsPolicy }} + {{- if .Values.imagePullSecrets }} + imagePullSecrets: +{{ toYaml .Values.imagePullSecrets | indent 8 }} + {{- end }} +{{- if .Values.controller.priorityClassName }} + priorityClassName: "{{ .Values.controller.priorityClassName }}" +{{- end }} + {{- if .Values.controller.podSecurityContext }} + securityContext: +{{ toYaml .Values.controller.podSecurityContext | indent 8 }} + {{- end }} + containers: + - name: {{ template "nginx-ingress.name" . 
}}-{{ .Values.controller.name }} + image: "{{ .Values.controller.image.repository }}:{{ .Values.controller.image.tag }}" + imagePullPolicy: "{{ .Values.controller.image.pullPolicy }}" + {{- if .Values.controller.lifecycle }} + lifecycle: +{{ toYaml .Values.controller.lifecycle | indent 12 }} + {{- end }} + args: + - /nginx-ingress-controller + - --default-backend-service={{ if .Values.defaultBackend.enabled }}{{ .Release.Namespace }}/{{ template "nginx-ingress.defaultBackend.fullname" . }}{{ else }}{{ .Values.controller.defaultBackendService }}{{ end }} + {{- if and (semverCompare ">=0.9.0-beta.1" .Values.controller.image.tag) .Values.controller.publishService.enabled }} + - --publish-service={{ template "nginx-ingress.controller.publishServicePath" . }} + {{- end }} + {{- if (semverCompare ">=0.9.0-beta.1" .Values.controller.image.tag) }} + - --election-id={{ .Values.controller.electionID }} + {{- end }} + {{- if (semverCompare ">=0.9.0-beta.1" .Values.controller.image.tag) }} + - --ingress-class={{ .Values.controller.ingressClass }} + {{- end }} + {{- if (semverCompare ">=0.9.0-beta.1" .Values.controller.image.tag) }} + - --configmap={{ .Release.Namespace }}/{{ template "nginx-ingress.controller.fullname" . }} + {{- else }} + - --nginx-configmap={{ .Release.Namespace }}/{{ template "nginx-ingress.controller.fullname" . }} + {{- end }} + {{- if .Values.tcp }} + - --tcp-services-configmap={{ .Release.Namespace }}/{{ template "nginx-ingress.fullname" . }}-tcp + {{- end }} + {{- if .Values.udp }} + - --udp-services-configmap={{ .Release.Namespace }}/{{ template "nginx-ingress.fullname" . 
}}-udp + {{- end }} + {{- if .Values.controller.scope.enabled }} + - --watch-namespace={{ default .Release.Namespace .Values.controller.scope.namespace }} + {{- end }} + {{- if and (.Values.controller.reportNodeInternalIp) (.Values.controller.hostNetwork)}} + - --report-node-internal-ip-address={{ .Values.controller.reportNodeInternalIp }} + {{- end }} + {{- if .Values.controller.admissionWebhooks.enabled }} + - --validating-webhook=:{{ .Values.controller.admissionWebhooks.port }} + - --validating-webhook-certificate=/usr/local/certificates/cert + - --validating-webhook-key=/usr/local/certificates/key + {{- end }} + {{- range $key, $value := .Values.controller.extraArgs }} + {{- if $value }} + - --{{ $key }}={{ $value }} + {{- else }} + - --{{ $key }} + {{- end }} + {{- end }} + {{- if (semverCompare ">=0.16.0" .Values.controller.image.tag) }} + securityContext: + capabilities: + drop: + - ALL + add: + - NET_BIND_SERVICE + runAsUser: {{ .Values.controller.image.runAsUser }} + allowPrivilegeEscalation: {{ .Values.controller.image.allowPrivilegeEscalation }} + {{- end }} + env: + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + {{- if .Values.controller.extraEnvs }} +{{ toYaml .Values.controller.extraEnvs | indent 12 }} + {{- end }} + livenessProbe: + httpGet: + path: /healthz + port: {{ .Values.controller.livenessProbe.port }} + scheme: HTTP + initialDelaySeconds: {{ .Values.controller.livenessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.controller.livenessProbe.periodSeconds }} + timeoutSeconds: {{ .Values.controller.livenessProbe.timeoutSeconds }} + successThreshold: {{ .Values.controller.livenessProbe.successThreshold }} + failureThreshold: {{ .Values.controller.livenessProbe.failureThreshold }} + ports: + {{- range $key, $value := .Values.controller.containerPort }} + - name: {{ $key }} + containerPort: {{ $value }} + protocol: TCP + {{- if 
$useHostPort }} + hostPort: {{ index $hostPorts $key | default $value }} + {{- end }} + {{- end }} + {{- if .Values.controller.metrics.enabled }} + - name: metrics + containerPort: {{ .Values.controller.metrics.port }} + protocol: TCP + {{- end }} + {{- if .Values.controller.admissionWebhooks.enabled }} + - name: webhook + containerPort: {{ .Values.controller.admissionWebhooks.port }} + protocol: TCP + {{- end }} + {{- range $key, $value := .Values.tcp }} + - name: "{{ $key }}-tcp" + containerPort: {{ $key }} + protocol: TCP + {{- if $useHostPort }} + hostPort: {{ $key }} + {{- end }} + {{- end }} + {{- range $key, $value := .Values.udp }} + - name: "{{ $key }}-udp" + containerPort: {{ $key }} + protocol: UDP + {{- if $useHostPort }} + hostPort: {{ $key }} + {{- end }} + {{- end }} + readinessProbe: + httpGet: + path: /healthz + port: {{ .Values.controller.readinessProbe.port }} + scheme: HTTP + initialDelaySeconds: {{ .Values.controller.readinessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.controller.readinessProbe.periodSeconds }} + timeoutSeconds: {{ .Values.controller.readinessProbe.timeoutSeconds }} + successThreshold: {{ .Values.controller.readinessProbe.successThreshold }} + failureThreshold: {{ .Values.controller.readinessProbe.failureThreshold }} +{{- if (or .Values.controller.customTemplate.configMapName .Values.controller.extraVolumeMounts .Values.controller.admissionWebhooks.enabled) }} + volumeMounts: +{{- end }} +{{- if .Values.controller.customTemplate.configMapName }} + - mountPath: /etc/nginx/template + name: nginx-template-volume + readOnly: true +{{- end }} +{{- if .Values.controller.admissionWebhooks.enabled }} + - name: webhook-cert + mountPath: "/usr/local/certificates/" + readOnly: true +{{- end }} +{{- if .Values.controller.extraVolumeMounts }} +{{ toYaml .Values.controller.extraVolumeMounts | indent 12}} +{{- end }} + resources: +{{ toYaml .Values.controller.resources | indent 12 }} +{{- if .Values.controller.extraContainers }} 
+{{ toYaml .Values.controller.extraContainers | indent 8}} +{{- end }} +{{- if .Values.controller.extraInitContainers }} + initContainers: +{{ toYaml .Values.controller.extraInitContainers | indent 8}} +{{- end }} + hostNetwork: {{ .Values.controller.hostNetwork }} + {{- if .Values.controller.nodeSelector }} + nodeSelector: +{{ toYaml .Values.controller.nodeSelector | indent 8 }} + {{- end }} + {{- if .Values.controller.tolerations }} + tolerations: +{{ toYaml .Values.controller.tolerations | indent 8 }} + {{- end }} + {{- if .Values.controller.affinity }} + affinity: +{{ toYaml .Values.controller.affinity | indent 8 }} + {{- end }} + serviceAccountName: {{ template "nginx-ingress.serviceAccountName" . }} + terminationGracePeriodSeconds: 60 +{{- if (or .Values.controller.customTemplate.configMapName .Values.controller.extraVolumeMounts .Values.controller.admissionWebhooks.enabled .Values.controller.extraVolumes) }} + volumes: +{{- end }} +{{- if .Values.controller.customTemplate.configMapName }} + - name: nginx-template-volume + configMap: + name: {{ .Values.controller.customTemplate.configMapName }} + items: + - key: {{ .Values.controller.customTemplate.configMapKey }} + path: nginx.tmpl +{{- end }} +{{- if .Values.controller.admissionWebhooks.enabled }} + - name: webhook-cert + secret: + secretName: {{ template "nginx-ingress.fullname". }}-admission +{{- end }} +{{- if .Values.controller.extraVolumes }} +{{ toYaml .Values.controller.extraVolumes | indent 8}} +{{- end }} +{{- end }} diff --git a/basic-nginx-ingress/templates/controller-deployment.yaml b/basic-nginx-ingress/templates/controller-deployment.yaml new file mode 100755 index 0000000..7f52c69 --- /dev/null +++ b/basic-nginx-ingress/templates/controller-deployment.yaml 
@@ -0,0 +1,228 @@ +{{- if or (eq .Values.controller.kind "Deployment") (eq .Values.controller.kind "Both") }} +apiVersion: {{ template "deployment.apiVersion" . }} +kind: Deployment +metadata: + labels: + app: {{ template "nginx-ingress.name" . }} + chart: {{ template "nginx-ingress.chart" . }} + component: "{{ .Values.controller.name }}" + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + name: {{ template "nginx-ingress.controller.fullname" . }} +spec: + selector: + matchLabels: + app: {{ template "nginx-ingress.name" . }} + release: {{ .Release.Name }} +{{- if not .Values.controller.autoscaling.enabled }} + replicas: {{ .Values.controller.replicaCount }} +{{- end }} + revisionHistoryLimit: {{ .Values.revisionHistoryLimit }} + strategy: +{{ toYaml .Values.controller.updateStrategy | indent 4 }} + minReadySeconds: {{ .Values.controller.minReadySeconds }} + template: + metadata: + {{- if .Values.controller.podAnnotations }} + annotations: + {{- range $key, $value := .Values.controller.podAnnotations }} + {{ $key }}: {{ $value | quote }} + {{- end }} + {{- end }} + labels: + app: {{ template "nginx-ingress.name" . }} + component: "{{ .Values.controller.name }}" + release: {{ .Release.Name }} + {{- if .Values.controller.podLabels }} +{{ toYaml .Values.controller.podLabels | indent 8 }} + {{- end }} + spec: + dnsPolicy: {{ .Values.controller.dnsPolicy }} + {{- if .Values.imagePullSecrets }} + imagePullSecrets: +{{ toYaml .Values.imagePullSecrets | indent 8 }} + {{- end }} +{{- if .Values.controller.priorityClassName }} + priorityClassName: "{{ .Values.controller.priorityClassName }}" +{{- end }} + {{- if .Values.controller.podSecurityContext }} + securityContext: +{{ toYaml .Values.controller.podSecurityContext | indent 8 }} + {{- end }} + containers: + - name: {{ template "nginx-ingress.name" . 
}}-{{ .Values.controller.name }} + image: "{{ .Values.controller.image.repository }}:{{ .Values.controller.image.tag }}" + imagePullPolicy: "{{ .Values.controller.image.pullPolicy }}" + {{- if .Values.controller.lifecycle }} + lifecycle: +{{ toYaml .Values.controller.lifecycle | indent 12 }} + {{- end }} + args: + - /nginx-ingress-controller + - --default-backend-service={{ if .Values.defaultBackend.enabled }}{{ .Release.Namespace }}/{{ template "nginx-ingress.defaultBackend.fullname" . }}{{ else }}{{ .Values.controller.defaultBackendService }}{{ end }} + {{- if and (semverCompare ">=0.9.0-beta.1" .Values.controller.image.tag) .Values.controller.publishService.enabled }} + - --publish-service={{ template "nginx-ingress.controller.publishServicePath" . }} + {{- end }} + {{- if (semverCompare ">=0.9.0-beta.1" .Values.controller.image.tag) }} + - --election-id={{ .Values.controller.electionID }} + {{- end }} + {{- if (semverCompare ">=0.9.0-beta.1" .Values.controller.image.tag) }} + - --ingress-class={{ .Values.controller.ingressClass }} + {{- end }} + {{- if (semverCompare ">=0.9.0-beta.1" .Values.controller.image.tag) }} + - --configmap={{ default .Release.Namespace .Values.controller.configMapNamespace }}/{{ template "nginx-ingress.controller.fullname" . }} + {{- else }} + - --nginx-configmap={{ default .Release.Namespace .Values.controller.configMapNamespace }}/{{ template "nginx-ingress.controller.fullname" . }} + {{- end }} + {{- if .Values.tcp }} + - --tcp-services-configmap={{ default .Release.Namespace .Values.controller.tcp.configMapNamespace }}/{{ template "nginx-ingress.fullname" . }}-tcp + {{- end }} + {{- if .Values.udp }} + - --udp-services-configmap={{ default .Release.Namespace .Values.controller.udp.configMapNamespace }}/{{ template "nginx-ingress.fullname" . 
}}-udp + {{- end }} + {{- if .Values.controller.scope.enabled }} + - --watch-namespace={{ default .Release.Namespace .Values.controller.scope.namespace }} + {{- end }} + {{- if and (.Values.controller.reportNodeInternalIp) (.Values.controller.hostNetwork) }} + - --report-node-internal-ip-address={{ .Values.controller.reportNodeInternalIp }} + {{- end }} + {{- if .Values.controller.admissionWebhooks.enabled }} + - --validating-webhook=:{{ .Values.controller.admissionWebhooks.port }} + - --validating-webhook-certificate=/usr/local/certificates/cert + - --validating-webhook-key=/usr/local/certificates/key + {{- end }} + {{- range $key, $value := .Values.controller.extraArgs }} + {{- if $value }} + - --{{ $key }}={{ $value }} + {{- else }} + - --{{ $key }} + {{- end }} + {{- end }} + {{- if (semverCompare ">=0.16.0" .Values.controller.image.tag) }} + securityContext: + capabilities: + drop: + - ALL + add: + - NET_BIND_SERVICE + runAsUser: {{ .Values.controller.image.runAsUser }} + allowPrivilegeEscalation: {{ .Values.controller.image.allowPrivilegeEscalation }} + {{- end }} + env: + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + {{- if .Values.controller.extraEnvs }} +{{ toYaml .Values.controller.extraEnvs | indent 12 }} + {{- end }} + livenessProbe: + httpGet: + path: /healthz + port: {{ .Values.controller.livenessProbe.port }} + scheme: HTTP + initialDelaySeconds: {{ .Values.controller.livenessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.controller.livenessProbe.periodSeconds }} + timeoutSeconds: {{ .Values.controller.livenessProbe.timeoutSeconds }} + successThreshold: {{ .Values.controller.livenessProbe.successThreshold }} + failureThreshold: {{ .Values.controller.livenessProbe.failureThreshold }} + ports: + {{- range $key, $value := .Values.controller.containerPort }} + - name: {{ $key }} + containerPort: {{ $value }} + protocol: TCP + {{- end }} + 
{{- if .Values.controller.metrics.enabled }} + - name: metrics + containerPort: {{ .Values.controller.metrics.port }} + protocol: TCP + {{- end }} + {{- if .Values.controller.admissionWebhooks.enabled }} + - name: webhook + containerPort: {{ .Values.controller.admissionWebhooks.port }} + protocol: TCP + {{- end }} + {{- range $key, $value := .Values.tcp }} + - name: "{{ $key }}-tcp" + containerPort: {{ $key }} + protocol: TCP + {{- end }} + {{- range $key, $value := .Values.udp }} + - name: "{{ $key }}-udp" + containerPort: {{ $key }} + protocol: UDP + {{- end }} + readinessProbe: + httpGet: + path: /healthz + port: {{ .Values.controller.readinessProbe.port }} + scheme: HTTP + initialDelaySeconds: {{ .Values.controller.readinessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.controller.readinessProbe.periodSeconds }} + timeoutSeconds: {{ .Values.controller.readinessProbe.timeoutSeconds }} + successThreshold: {{ .Values.controller.readinessProbe.successThreshold }} + failureThreshold: {{ .Values.controller.readinessProbe.failureThreshold }} +{{- if (or .Values.controller.customTemplate.configMapName .Values.controller.extraVolumeMounts .Values.controller.admissionWebhooks.enabled) }} + volumeMounts: +{{- end }} +{{- if .Values.controller.customTemplate.configMapName }} + - mountPath: /etc/nginx/template + name: nginx-template-volume + readOnly: true +{{- end }} +{{- if .Values.controller.admissionWebhooks.enabled }} + - name: webhook-cert + mountPath: "/usr/local/certificates/" + readOnly: true +{{- end }} +{{- if .Values.controller.extraVolumeMounts }} +{{ toYaml .Values.controller.extraVolumeMounts | indent 12}} +{{- end }} + resources: +{{ toYaml .Values.controller.resources | indent 12 }} +{{- if .Values.controller.extraContainers }} +{{ toYaml .Values.controller.extraContainers | indent 8}} +{{- end }} +{{- if .Values.controller.extraInitContainers }} + initContainers: +{{ toYaml .Values.controller.extraInitContainers | indent 8}} +{{- end }} + 
hostNetwork: {{ .Values.controller.hostNetwork }} + {{- if .Values.controller.nodeSelector }} + nodeSelector: +{{ toYaml .Values.controller.nodeSelector | indent 8 }} + {{- end }} + {{- if .Values.controller.tolerations }} + tolerations: +{{ toYaml .Values.controller.tolerations | indent 8 }} + {{- end }} + {{- if .Values.controller.affinity }} + affinity: +{{ toYaml .Values.controller.affinity | indent 8 }} + {{- end }} + serviceAccountName: {{ template "nginx-ingress.serviceAccountName" . }} + terminationGracePeriodSeconds: {{ .Values.controller.terminationGracePeriodSeconds }} +{{- if (or .Values.controller.customTemplate.configMapName .Values.controller.extraVolumeMounts .Values.controller.admissionWebhooks.enabled .Values.controller.extraVolumes) }} + volumes: +{{- end }} +{{- if .Values.controller.customTemplate.configMapName }} + - name: nginx-template-volume + configMap: + name: {{ .Values.controller.customTemplate.configMapName }} + items: + - key: {{ .Values.controller.customTemplate.configMapKey }} + path: nginx.tmpl +{{- end }} +{{- if .Values.controller.admissionWebhooks.enabled }} + - name: webhook-cert + secret: + secretName: {{ template "nginx-ingress.fullname". }}-admission +{{- end }} +{{- if .Values.controller.extraVolumes }} +{{ toYaml .Values.controller.extraVolumes | indent 8}} +{{- end }} +{{- end }} diff --git a/basic-nginx-ingress/templates/controller-hpa.yaml b/basic-nginx-ingress/templates/controller-hpa.yaml new file mode 100755 index 0000000..dc993eb --- /dev/null +++ b/basic-nginx-ingress/templates/controller-hpa.yaml 
@@ -0,0 +1,34 @@ +{{- if or (eq .Values.controller.kind "Deployment") (eq .Values.controller.kind "Both") }} +{{- if .Values.controller.autoscaling.enabled }} +apiVersion: autoscaling/v2beta1 +kind: HorizontalPodAutoscaler +metadata: + labels: + app: {{ template "nginx-ingress.name" . }} + chart: {{ template "nginx-ingress.chart" . }} + component: "{{ .Values.controller.name }}" + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + name: {{ template "nginx-ingress.controller.fullname" . }} +spec: + scaleTargetRef: + apiVersion: {{ template "deployment.apiVersion" . }} + kind: Deployment + name: {{ template "nginx-ingress.controller.fullname" . }} + minReplicas: {{ .Values.controller.autoscaling.minReplicas }} + maxReplicas: {{ .Values.controller.autoscaling.maxReplicas }} + metrics: +{{- with .Values.controller.autoscaling.targetCPUUtilizationPercentage }} + - type: Resource + resource: + name: cpu + targetAverageUtilization: {{ . }} +{{- end }} +{{- with .Values.controller.autoscaling.targetMemoryUtilizationPercentage }} + - type: Resource + resource: + name: memory + targetAverageUtilization: {{ . }} +{{- end }} +{{- end }} +{{- end }} diff --git a/basic-nginx-ingress/templates/controller-metrics-service.yaml b/basic-nginx-ingress/templates/controller-metrics-service.yaml new file mode 100755 index 0000000..1cc0a71 --- /dev/null +++ b/basic-nginx-ingress/templates/controller-metrics-service.yaml 
@@ -0,0 +1,45 @@ +{{- if .Values.controller.metrics.enabled }} +apiVersion: v1 +kind: Service +metadata: +{{- if .Values.controller.metrics.service.annotations }} + annotations: + {{- range $key, $value := .Values.controller.metrics.service.annotations }} + {{ $key }}: {{ $value | quote }} + {{- end }} +{{- end }} + labels: +{{- if .Values.controller.metrics.service.labels }} +{{ toYaml .Values.controller.metrics.service.labels | indent 4 }} +{{- end }} + app: {{ template "nginx-ingress.name" . }} + chart: {{ template "nginx-ingress.chart" . }} + component: "{{ .Values.controller.name }}" + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + name: {{ template "nginx-ingress.controller.fullname" . }}-metrics +spec: +{{- if not .Values.controller.metrics.service.omitClusterIP }} + {{ with .Values.controller.metrics.service.clusterIP }}clusterIP: {{ . }}{{ end }} +{{- end }} +{{- if .Values.controller.metrics.service.externalIPs }} + externalIPs: +{{ toYaml .Values.controller.metrics.service.externalIPs | indent 4 }} +{{- end }} +{{- if .Values.controller.metrics.service.loadBalancerIP }} + loadBalancerIP: "{{ .Values.controller.metrics.service.loadBalancerIP }}" +{{- end }} +{{- if .Values.controller.metrics.service.loadBalancerSourceRanges }} + loadBalancerSourceRanges: +{{ toYaml .Values.controller.metrics.service.loadBalancerSourceRanges | indent 4 }} +{{- end }} + ports: + - name: metrics + port: {{ .Values.controller.metrics.service.servicePort }} + targetPort: metrics + selector: + app: {{ template "nginx-ingress.name" . }} + component: "{{ .Values.controller.name }}" + release: {{ .Release.Name }} + type: "{{ .Values.controller.metrics.service.type }}" +{{- end }} diff --git a/basic-nginx-ingress/templates/controller-poddisruptionbudget.yaml b/basic-nginx-ingress/templates/controller-poddisruptionbudget.yaml new file mode 100755 index 0000000..70a59c1 --- /dev/null +++ b/basic-nginx-ingress/templates/controller-poddisruptionbudget.yaml 
@@ -0,0 +1,19 @@ +{{- if or (and .Values.controller.autoscaling.enabled (gt (.Values.controller.autoscaling.minReplicas | int) 1)) (gt (.Values.controller.replicaCount | int) 1) }} +apiVersion: policy/v1beta1 +kind: PodDisruptionBudget +metadata: + labels: + app: {{ template "nginx-ingress.name" . }} + chart: {{ template "nginx-ingress.chart" . }} + component: "{{ .Values.controller.name }}" + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + name: {{ template "nginx-ingress.controller.fullname" . }} +spec: + selector: + matchLabels: + app: {{ template "nginx-ingress.name" . }} + release: {{ .Release.Name }} + component: "{{ .Values.controller.name }}" + minAvailable: {{ .Values.controller.minAvailable }} +{{- end }} diff --git a/basic-nginx-ingress/templates/controller-prometheusrules.yaml b/basic-nginx-ingress/templates/controller-prometheusrules.yaml new file mode 100755 index 0000000..9cee0e9 --- /dev/null +++ b/basic-nginx-ingress/templates/controller-prometheusrules.yaml @@ -0,0 +1,24 @@ +{{- if and .Values.controller.metrics.enabled .Values.controller.metrics.prometheusRule.enabled }} +apiVersion: monitoring.coreos.com/v1 +kind: PrometheusRule +metadata: + name: {{ template "nginx-ingress.controller.fullname" . }} + {{- if .Values.controller.metrics.prometheusRule.namespace }} + namespace: {{ .Values.controller.metrics.prometheusRule.namespace }} + {{- end }} + labels: + app: {{ template "nginx-ingress.name" . }} + chart: {{ template "nginx-ingress.chart" . }} + component: "{{ .Values.controller.name }}" + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + {{- if .Values.controller.metrics.prometheusRule.additionalLabels }} +{{ toYaml .Values.controller.metrics.prometheusRule.additionalLabels | indent 4 }} + {{- end }} +spec: + {{- with .Values.controller.metrics.prometheusRule.rules }} + groups: + - name: {{ template "nginx-ingress.name" $ }} + rules: {{- toYaml . | nindent 4 }} + {{- end }} +{{- end }} 
diff --git a/basic-nginx-ingress/templates/controller-psp.yaml b/basic-nginx-ingress/templates/controller-psp.yaml new file mode 100755 index 0000000..6e4a0e0 --- /dev/null +++ b/basic-nginx-ingress/templates/controller-psp.yaml @@ -0,0 +1,47 @@ +{{- if .Values.podSecurityPolicy.enabled}} +apiVersion: {{ template "podSecurityPolicy.apiVersion" . }} +kind: PodSecurityPolicy +metadata: + name: {{ template "nginx-ingress.fullname" . }} + labels: + app: {{ template "nginx-ingress.name" . }} + chart: {{ template "nginx-ingress.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +spec: + allowedCapabilities: + - NET_BIND_SERVICE + privileged: false + allowPrivilegeEscalation: true + # Allow core volume types. + volumes: + - 'configMap' + #- 'emptyDir' + #- 'projected' + - 'secret' + #- 'downwardAPI' + hostNetwork: {{ .Values.controller.hostNetwork }} + hostIPC: false + hostPID: false + runAsUser: + # Require the container to run without root privileges. + rule: 'MustRunAsNonRoot' + supplementalGroups: + rule: 'MustRunAs' + ranges: + # Forbid adding the root group. + - min: 1 + max: 65535 + fsGroup: + rule: 'MustRunAs' + ranges: + # Forbid adding the root group. + - min: 1 + max: 65535 + readOnlyRootFilesystem: false + seLinux: + rule: 'RunAsAny' + hostPorts: + - max: 65535 + min: 1 +{{- end }} diff --git a/basic-nginx-ingress/templates/controller-role.yaml b/basic-nginx-ingress/templates/controller-role.yaml new file mode 100755 index 0000000..30c5a9c --- /dev/null +++ b/basic-nginx-ingress/templates/controller-role.yaml 
@@ -0,0 +1,91 @@ +{{- if .Values.rbac.create -}} +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: Role +metadata: + labels: + app: {{ template "nginx-ingress.name" . }} + chart: {{ template "nginx-ingress.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + name: {{ template "nginx-ingress.fullname" . }} +rules: + - apiGroups: + - "" + resources: + - namespaces + verbs: + - get + - apiGroups: + - "" + resources: + - configmaps + - pods + - secrets + - endpoints + verbs: + - get + - list + - watch + - apiGroups: + - "" + resources: + - services + verbs: + - get + - list + - update + - watch + - apiGroups: + - extensions + - "networking.k8s.io" # k8s 1.14+ + resources: + - ingresses + verbs: + - get + - list + - watch + - apiGroups: + - extensions + - "networking.k8s.io" # k8s 1.14+ + resources: + - ingresses/status + verbs: + - update + - apiGroups: + - "" + resources: + - configmaps + resourceNames: + - {{ .Values.controller.electionID }}-{{ .Values.controller.ingressClass }} + verbs: + - get + - update + - apiGroups: + - "" + resources: + - configmaps + verbs: + - create + - apiGroups: + - "" + resources: + - endpoints + verbs: + - create + - get + - update + - apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +{{- if .Values.podSecurityPolicy.enabled }} + - apiGroups: ['{{ template "podSecurityPolicy.apiGroup" . }}'] + resources: ['podsecuritypolicies'] + verbs: ['use'] + resourceNames: [{{ template "nginx-ingress.fullname" . }}] +{{- end }} + +{{- end -}} diff --git a/basic-nginx-ingress/templates/controller-rolebinding.yaml b/basic-nginx-ingress/templates/controller-rolebinding.yaml new file mode 100755 index 0000000..2022d9c --- /dev/null +++ b/basic-nginx-ingress/templates/controller-rolebinding.yaml 
@@ -0,0 +1,19 @@ +{{- if .Values.rbac.create -}} +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: RoleBinding +metadata: + labels: + app: {{ template "nginx-ingress.name" . }} + chart: {{ template "nginx-ingress.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + name: {{ template "nginx-ingress.fullname" . }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "nginx-ingress.fullname" . }} +subjects: + - kind: ServiceAccount + name: {{ template "nginx-ingress.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} +{{- end -}} diff --git a/basic-nginx-ingress/templates/controller-service.yaml b/basic-nginx-ingress/templates/controller-service.yaml new file mode 100755 index 0000000..bf0abde --- /dev/null +++ b/basic-nginx-ingress/templates/controller-service.yaml 
@@ -0,0 +1,89 @@ +{{- if .Values.controller.service.enabled }} +apiVersion: v1 +kind: Service +metadata: +{{- if .Values.controller.service.annotations }} + annotations: + {{- range $key, $value := .Values.controller.service.annotations }} + {{ $key }}: {{ $value | quote }} + {{- end }} +{{- end }} + labels: +{{- if .Values.controller.service.labels }} +{{ toYaml .Values.controller.service.labels | indent 4 }} +{{- end }} + app: {{ template "nginx-ingress.name" . }} + chart: {{ template "nginx-ingress.chart" . }} + component: "{{ .Values.controller.name }}" + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + name: {{ template "nginx-ingress.controller.fullname" . }} +spec: +{{- if not .Values.controller.service.omitClusterIP }} + {{ with .Values.controller.service.clusterIP }}clusterIP: {{ . }}{{ end }} +{{- end }} +{{- if .Values.controller.service.externalIPs }} + externalIPs: +{{ toYaml .Values.controller.service.externalIPs | indent 4 }} +{{- end }} +{{- if .Values.controller.service.loadBalancerIP }} + loadBalancerIP: "{{ .Values.controller.service.loadBalancerIP }}" +{{- end }} +{{- if .Values.controller.service.loadBalancerSourceRanges }} + loadBalancerSourceRanges: +{{ toYaml .Values.controller.service.loadBalancerSourceRanges | indent 4 }} +{{- end }} +{{- if and (semverCompare ">=1.7-0" .Capabilities.KubeVersion.GitVersion) (.Values.controller.service.externalTrafficPolicy) }} + externalTrafficPolicy: "{{ .Values.controller.service.externalTrafficPolicy }}" +{{- end }} +{{- if and (semverCompare ">=1.7-0" .Capabilities.KubeVersion.GitVersion) (.Values.controller.service.healthCheckNodePort) }} + healthCheckNodePort: {{ .Values.controller.service.healthCheckNodePort }} +{{- end }} + ports: + {{- $setNodePorts := (or (eq .Values.controller.service.type "NodePort") (eq .Values.controller.service.type "LoadBalancer")) }} + {{- if .Values.controller.service.enableHttp }} + - name: http + port: {{ .Values.controller.service.ports.http }} + 
protocol: TCP + targetPort: {{ .Values.controller.service.targetPorts.http }} + {{- if (and $setNodePorts (not (empty .Values.controller.service.nodePorts.http))) }} + nodePort: {{ .Values.controller.service.nodePorts.http }} + {{- end }} + {{- end }} + {{- if .Values.controller.service.enableHttps }} + - name: https + port: {{ .Values.controller.service.ports.https }} + protocol: TCP + targetPort: {{ .Values.controller.service.targetPorts.https }} + {{- if (and $setNodePorts (not (empty .Values.controller.service.nodePorts.https))) }} + nodePort: {{ .Values.controller.service.nodePorts.https }} + {{- end }} + {{- end }} + {{- range $key, $value := .Values.tcp }} + - name: "{{ $key }}-tcp" + port: {{ $key }} + protocol: TCP + targetPort: "{{ $key }}-tcp" + {{- if $.Values.controller.service.nodePorts.tcp }} + {{- if index $.Values.controller.service.nodePorts.tcp $key }} + nodePort: {{ index $.Values.controller.service.nodePorts.tcp $key }} + {{- end }} + {{- end }} + {{- end }} + {{- range $key, $value := .Values.udp }} + - name: "{{ $key }}-udp" + port: {{ $key }} + protocol: UDP + targetPort: "{{ $key }}-udp" + {{- if $.Values.controller.service.nodePorts.udp }} + {{- if index $.Values.controller.service.nodePorts.udp $key }} + nodePort: {{ index $.Values.controller.service.nodePorts.udp $key }} + {{- end }} + {{- end }} + {{- end }} + selector: + app: {{ template "nginx-ingress.name" . }} + component: "{{ .Values.controller.name }}" + release: {{ .Release.Name }} + type: "{{ .Values.controller.service.type }}" +{{- end }} diff --git a/basic-nginx-ingress/templates/controller-serviceaccount.yaml b/basic-nginx-ingress/templates/controller-serviceaccount.yaml new file mode 100755 index 0000000..4ad9063 --- /dev/null +++ b/basic-nginx-ingress/templates/controller-serviceaccount.yaml 
@@ -0,0 +1,11 @@ +{{- if or .Values.serviceAccount.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app: {{ template "nginx-ingress.name" . }} + chart: {{ template "nginx-ingress.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + name: {{ template "nginx-ingress.serviceAccountName" . }} +{{- end -}} diff --git a/basic-nginx-ingress/templates/controller-servicemonitor.yaml b/basic-nginx-ingress/templates/controller-servicemonitor.yaml new file mode 100755 index 0000000..e082b2f --- /dev/null +++ b/basic-nginx-ingress/templates/controller-servicemonitor.yaml 
@@ -0,0 +1,38 @@ +{{- if and .Values.controller.metrics.enabled .Values.controller.metrics.serviceMonitor.enabled }} +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: {{ template "nginx-ingress.controller.fullname" . }} + {{- if .Values.controller.metrics.serviceMonitor.namespace }} + namespace: {{ .Values.controller.metrics.serviceMonitor.namespace }} + {{- end }} + labels: + app: {{ template "nginx-ingress.name" . }} + chart: {{ template "nginx-ingress.chart" . }} + component: "{{ .Values.controller.name }}" + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + {{- if .Values.controller.metrics.serviceMonitor.additionalLabels }} +{{ toYaml .Values.controller.metrics.serviceMonitor.additionalLabels | indent 4 }} + {{- end }} +spec: + endpoints: + - port: metrics + interval: {{ .Values.controller.metrics.serviceMonitor.scrapeInterval }} + {{- if .Values.controller.metrics.serviceMonitor.honorLabels }} + honorLabels: true + {{- end }} + {{- if .Values.controller.metrics.serviceMonitor.namespaceSelector }} + namespaceSelector: +{{ toYaml .Values.controller.metrics.serviceMonitor.namespaceSelector | indent 4 -}} + {{ else }} + namespaceSelector: + matchNames: + - {{ .Release.Namespace }} + {{- end }} + selector: + matchLabels: + app: {{ template "nginx-ingress.name" . }} + component: "{{ .Values.controller.name }}" + release: {{ .Release.Name }} +{{- end }} diff --git a/basic-nginx-ingress/templates/controller-webhook-service.yaml b/basic-nginx-ingress/templates/controller-webhook-service.yaml new file mode 100755 index 0000000..a3b2551 --- /dev/null +++ b/basic-nginx-ingress/templates/controller-webhook-service.yaml 
@@ -0,0 +1,42 @@ +{{- if .Values.controller.admissionWebhooks.enabled }} +apiVersion: v1 +kind: Service +metadata: +{{- if .Values.controller.admissionWebhooks.service.annotations }} + annotations: + {{- range $key, $value := .Values.controller.admissionWebhooks.service.annotations }} + {{ $key }}: {{ $value | quote }} + {{- end }} +{{- end }} + labels: + app: {{ template "nginx-ingress.name" . }} + chart: {{ template "nginx-ingress.chart" . }} + component: "{{ .Values.controller.name }}" + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + name: {{ template "nginx-ingress.controller.fullname" . }}-admission +spec: +{{- if not .Values.controller.admissionWebhooks.service.omitClusterIP }} + {{ with .Values.controller.admissionWebhooks.service.clusterIP }}clusterIP: {{ . }}{{ end }} +{{- end }} +{{- if .Values.controller.admissionWebhooks.service.externalIPs }} + externalIPs: +{{ toYaml .Values.controller.admissionWebhooks.service.externalIPs | indent 4 }} +{{- end }} +{{- if .Values.controller.admissionWebhooks.service.loadBalancerIP }} + loadBalancerIP: "{{ .Values.controller.admissionWebhooks.service.loadBalancerIP }}" +{{- end }} +{{- if .Values.controller.admissionWebhooks.service.loadBalancerSourceRanges }} + loadBalancerSourceRanges: +{{ toYaml .Values.controller.admissionWebhooks.service.loadBalancerSourceRanges | indent 4 }} +{{- end }} + ports: + - name: https-webhook + port: 443 + targetPort: webhook + selector: + app: {{ template "nginx-ingress.name" . }} + component: "{{ .Values.controller.name }}" + release: {{ .Release.Name }} + type: "{{ .Values.controller.admissionWebhooks.service.type }}" +{{- end }} diff --git a/basic-nginx-ingress/templates/default-backend-deployment.yaml b/basic-nginx-ingress/templates/default-backend-deployment.yaml new file mode 100755 index 0000000..835a737 --- /dev/null +++ b/basic-nginx-ingress/templates/default-backend-deployment.yaml 
@@ -0,0 +1,104 @@ +{{- if .Values.defaultBackend.enabled }} +apiVersion: {{ template "deployment.apiVersion" . }} +kind: Deployment +metadata: + labels: + app: {{ template "nginx-ingress.name" . }} + chart: {{ template "nginx-ingress.chart" . }} + component: "{{ .Values.defaultBackend.name }}" + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + name: {{ template "nginx-ingress.defaultBackend.fullname" . }} +spec: + selector: + matchLabels: + app: {{ template "nginx-ingress.name" . }} + release: {{ .Release.Name }} + replicas: {{ .Values.defaultBackend.replicaCount }} + revisionHistoryLimit: {{ .Values.revisionHistoryLimit }} + template: + metadata: + {{- if .Values.defaultBackend.podAnnotations }} + annotations: + {{- range $key, $value := .Values.defaultBackend.podAnnotations }} + {{ $key }}: {{ $value | quote }} + {{- end }} + {{- end }} + labels: + app: {{ template "nginx-ingress.name" . }} + component: "{{ .Values.defaultBackend.name }}" + release: {{ .Release.Name }} + {{- if .Values.defaultBackend.podLabels }} +{{ toYaml .Values.defaultBackend.podLabels | indent 8 }} + {{- end }} + spec: + {{- if .Values.imagePullSecrets }} + imagePullSecrets: +{{ toYaml .Values.imagePullSecrets | indent 8 }} + {{- end }} +{{- if .Values.defaultBackend.priorityClassName }} + priorityClassName: "{{ .Values.defaultBackend.priorityClassName }}" +{{- end }} + {{- if .Values.defaultBackend.podSecurityContext }} + securityContext: +{{ toYaml .Values.defaultBackend.podSecurityContext | indent 8 }} + {{- end }} + containers: + - name: {{ template "nginx-ingress.name" . 
}}-{{ .Values.defaultBackend.name }} + image: "{{ .Values.defaultBackend.image.repository }}:{{ .Values.defaultBackend.image.tag }}" + imagePullPolicy: "{{ .Values.defaultBackend.image.pullPolicy }}" + args: + {{- range $key, $value := .Values.defaultBackend.extraArgs }} + {{- if $value }} + - --{{ $key }}={{ $value }} + {{- else }} + - --{{ $key }} + {{- end }} + {{- end }} + securityContext: + runAsUser: {{ .Values.defaultBackend.image.runAsUser }} + {{- if .Values.defaultBackend.extraEnvs }} + env: +{{ toYaml .Values.defaultBackend.extraEnvs | indent 12 }} + {{- end }} + livenessProbe: + httpGet: + path: /healthz + port: {{ .Values.defaultBackend.port }} + scheme: HTTP + initialDelaySeconds: {{ .Values.defaultBackend.livenessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.defaultBackend.livenessProbe.periodSeconds }} + timeoutSeconds: {{ .Values.defaultBackend.livenessProbe.timeoutSeconds }} + successThreshold: {{ .Values.defaultBackend.livenessProbe.successThreshold }} + failureThreshold: {{ .Values.defaultBackend.livenessProbe.failureThreshold }} + readinessProbe: + httpGet: + path: /healthz + port: {{ .Values.defaultBackend.port }} + scheme: HTTP + initialDelaySeconds: {{ .Values.defaultBackend.readinessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.defaultBackend.readinessProbe.periodSeconds }} + timeoutSeconds: {{ .Values.defaultBackend.readinessProbe.timeoutSeconds }} + successThreshold: {{ .Values.defaultBackend.readinessProbe.successThreshold }} + failureThreshold: {{ .Values.defaultBackend.readinessProbe.failureThreshold }} + ports: + - name: http + containerPort: {{ .Values.defaultBackend.port }} + protocol: TCP + resources: +{{ toYaml .Values.defaultBackend.resources | indent 12 }} + {{- if .Values.defaultBackend.nodeSelector }} + nodeSelector: +{{ toYaml .Values.defaultBackend.nodeSelector | indent 8 }} + {{- end }} + serviceAccountName: {{ template "nginx-ingress.defaultBackend.serviceAccountName" . 
}} + {{- if .Values.defaultBackend.tolerations }} + tolerations: +{{ toYaml .Values.defaultBackend.tolerations | indent 8 }} + {{- end }} + {{- if .Values.defaultBackend.affinity }} + affinity: +{{ toYaml .Values.defaultBackend.affinity | indent 8 }} + {{- end }} + terminationGracePeriodSeconds: 60 +{{- end }} diff --git a/basic-nginx-ingress/templates/default-backend-poddisruptionbudget.yaml b/basic-nginx-ingress/templates/default-backend-poddisruptionbudget.yaml new file mode 100755 index 0000000..af0ec73 --- /dev/null +++ b/basic-nginx-ingress/templates/default-backend-poddisruptionbudget.yaml @@ -0,0 +1,19 @@ +{{- if gt (.Values.defaultBackend.replicaCount | int) 1 }} +apiVersion: policy/v1beta1 +kind: PodDisruptionBudget +metadata: + labels: + app: {{ template "nginx-ingress.name" . }} + chart: {{ template "nginx-ingress.chart" . }} + component: "{{ .Values.defaultBackend.name }}" + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + name: {{ template "nginx-ingress.defaultBackend.fullname" . }} +spec: + selector: + matchLabels: + app: {{ template "nginx-ingress.name" . }} + release: {{ .Release.Name }} + component: "{{ .Values.defaultBackend.name }}" + minAvailable: {{ .Values.defaultBackend.minAvailable }} +{{- end }} diff --git a/basic-nginx-ingress/templates/default-backend-psp.yaml b/basic-nginx-ingress/templates/default-backend-psp.yaml new file mode 100755 index 0000000..beed249 --- /dev/null +++ b/basic-nginx-ingress/templates/default-backend-psp.yaml 
@@ -0,0 +1,35 @@ +{{- if and .Values.podSecurityPolicy.enabled .Values.defaultBackend.enabled -}} +apiVersion: {{ template "podSecurityPolicy.apiVersion" . }} +kind: PodSecurityPolicy +metadata: + name: {{ template "nginx-ingress.fullname" . }}-backend + labels: + app: {{ template "nginx-ingress.name" . }} + chart: {{ template "nginx-ingress.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +spec: + allowPrivilegeEscalation: false + fsGroup: + ranges: + - max: 65535 + min: 1 + rule: MustRunAs + requiredDropCapabilities: + - ALL + runAsUser: + rule: MustRunAsNonRoot + seLinux: + rule: RunAsAny + supplementalGroups: + ranges: + - max: 65535 + min: 1 + rule: MustRunAs + volumes: + - configMap + - emptyDir + - projected + - secret + - downwardAPI +{{- end -}} diff --git a/basic-nginx-ingress/templates/default-backend-role.yaml b/basic-nginx-ingress/templates/default-backend-role.yaml new file mode 100755 index 0000000..5770acb --- /dev/null +++ b/basic-nginx-ingress/templates/default-backend-role.yaml @@ -0,0 +1,16 @@ +{{- if and .Values.rbac.create .Values.podSecurityPolicy.enabled .Values.defaultBackend.enabled -}} +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: Role +metadata: + labels: + app: {{ template "nginx-ingress.name" . }} + chart: {{ template "nginx-ingress.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + name: {{ template "nginx-ingress.fullname" . }}-backend +rules: + - apiGroups: ['{{ template "podSecurityPolicy.apiGroup" . }}'] + resources: ['podsecuritypolicies'] + verbs: ['use'] + resourceNames: [{{ template "nginx-ingress.fullname" . }}-backend] +{{- end -}} diff --git a/basic-nginx-ingress/templates/default-backend-rolebinding.yaml b/basic-nginx-ingress/templates/default-backend-rolebinding.yaml new file mode 100755 index 0000000..589e4bd --- /dev/null +++ b/basic-nginx-ingress/templates/default-backend-rolebinding.yaml 
@@ -0,0 +1,19 @@ +{{- if and .Values.rbac.create .Values.podSecurityPolicy.enabled .Values.defaultBackend.enabled -}} +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: RoleBinding +metadata: + labels: + app: {{ template "nginx-ingress.name" . }} + chart: {{ template "nginx-ingress.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + name: {{ template "nginx-ingress.fullname" . }}-backend +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "nginx-ingress.fullname" . }}-backend +subjects: + - kind: ServiceAccount + name: {{ template "nginx-ingress.defaultBackend.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} +{{- end -}} diff --git a/basic-nginx-ingress/templates/default-backend-service.yaml b/basic-nginx-ingress/templates/default-backend-service.yaml new file mode 100755 index 0000000..1f9e38b --- /dev/null +++ b/basic-nginx-ingress/templates/default-backend-service.yaml 
@@ -0,0 +1,43 @@ +{{- if .Values.defaultBackend.enabled }} +apiVersion: v1 +kind: Service +metadata: +{{- if .Values.defaultBackend.service.annotations }} + annotations: + {{- range $key, $value := .Values.defaultBackend.service.annotations }} + {{ $key }}: {{ $value | quote }} + {{- end }} +{{- end }} + labels: + app: {{ template "nginx-ingress.name" . }} + chart: {{ template "nginx-ingress.chart" . }} + component: "{{ .Values.defaultBackend.name }}" + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + name: {{ template "nginx-ingress.defaultBackend.fullname" . }} +spec: +{{- if not .Values.defaultBackend.service.omitClusterIP }} + {{ with .Values.defaultBackend.service.clusterIP }}clusterIP: {{ . }}{{ end }} +{{- end }} +{{- if .Values.defaultBackend.service.externalIPs }} + externalIPs: +{{ toYaml .Values.defaultBackend.service.externalIPs | indent 4 }} +{{- end }} +{{- if .Values.defaultBackend.service.loadBalancerIP }} + loadBalancerIP: "{{ .Values.defaultBackend.service.loadBalancerIP }}" +{{- end }} +{{- if .Values.defaultBackend.service.loadBalancerSourceRanges }} + loadBalancerSourceRanges: +{{ toYaml .Values.defaultBackend.service.loadBalancerSourceRanges | indent 4 }} +{{- end }} + ports: + - name: http + port: {{ .Values.defaultBackend.service.servicePort }} + protocol: TCP + targetPort: http + selector: + app: {{ template "nginx-ingress.name" . }} + component: "{{ .Values.defaultBackend.name }}" + release: {{ .Release.Name }} + type: "{{ .Values.defaultBackend.service.type }}" +{{- end }} diff --git a/basic-nginx-ingress/templates/default-backend-serviceaccount.yaml b/basic-nginx-ingress/templates/default-backend-serviceaccount.yaml new file mode 100755 index 0000000..39d3c65 --- /dev/null +++ b/basic-nginx-ingress/templates/default-backend-serviceaccount.yaml 
@@ -0,0 +1,11 @@ +{{- if and .Values.defaultBackend.enabled .Values.defaultBackend.serviceAccount.create }} +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app: {{ template "nginx-ingress.name" . }} + chart: {{ template "nginx-ingress.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + name: {{ template "nginx-ingress.defaultBackend.serviceAccountName" . }} +{{- end }} diff --git a/basic-nginx-ingress/templates/proxyheaders-configmap.yaml b/basic-nginx-ingress/templates/proxyheaders-configmap.yaml new file mode 100755 index 0000000..725e120 --- /dev/null +++ b/basic-nginx-ingress/templates/proxyheaders-configmap.yaml @@ -0,0 +1,18 @@ +{{- if or .Values.controller.proxySetHeaders .Values.controller.headers }} +apiVersion: v1 +kind: ConfigMap +metadata: + labels: + app: {{ template "nginx-ingress.name" . }} + chart: {{ template "nginx-ingress.chart" . }} + component: "{{ .Values.controller.name }}" + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + name: {{ template "nginx-ingress.fullname" . }}-custom-proxy-headers +data: +{{- if .Values.controller.proxySetHeaders }} +{{ toYaml .Values.controller.proxySetHeaders | indent 2 }} +{{ else if and .Values.controller.headers (not .Values.controller.proxySetHeaders) }} +{{ toYaml .Values.controller.headers | indent 2 }} +{{- end }} +{{- end }} diff --git a/basic-nginx-ingress/templates/tcp-configmap.yaml b/basic-nginx-ingress/templates/tcp-configmap.yaml new file mode 100755 index 0000000..d1a9901 --- /dev/null +++ b/basic-nginx-ingress/templates/tcp-configmap.yaml 
@@ -0,0 +1,14 @@ +{{- if .Values.tcp }} +apiVersion: v1 +kind: ConfigMap +metadata: + labels: + app: {{ template "nginx-ingress.name" . }} + chart: {{ template "nginx-ingress.chart" . }} + component: "{{ .Values.controller.name }}" + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + name: {{ template "nginx-ingress.fullname" . }}-tcp +data: +{{ tpl (toYaml .Values.tcp) . | indent 2 }} +{{- end }} diff --git a/basic-nginx-ingress/templates/udp-configmap.yaml b/basic-nginx-ingress/templates/udp-configmap.yaml new file mode 100755 index 0000000..945ecc9 --- /dev/null +++ b/basic-nginx-ingress/templates/udp-configmap.yaml @@ -0,0 +1,14 @@ +{{- if .Values.udp }} +apiVersion: v1 +kind: ConfigMap +metadata: + labels: + app: {{ template "nginx-ingress.name" . }} + chart: {{ template "nginx-ingress.chart" . }} + component: "{{ .Values.controller.name }}" + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + name: {{ template "nginx-ingress.fullname" . }}-udp +data: +{{ tpl (toYaml .Values.udp) . | indent 2 }} +{{- end }} diff --git a/basic-nginx-ingress/values.yaml b/basic-nginx-ingress/values.yaml new file mode 100755 index 0000000..185cfdb --- /dev/null +++ b/basic-nginx-ingress/values.yaml 
@@ -0,0 +1,540 @@ +## nginx configuration +## Ref: https://github.com/kubernetes/ingress/blob/master/controllers/nginx/configuration.md +## +controller: + name: controller + image: + repository: quay.io/kubernetes-ingress-controller/nginx-ingress-controller + tag: "0.26.1" + pullPolicy: IfNotPresent + # www-data -> uid 33 + runAsUser: 33 + allowPrivilegeEscalation: true + + # Configures the ports the nginx-controller listens on + containerPort: + http: 80 + https: 443 + + # Will add custom configuration options to Nginx https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/ + config: {} + + # Will add custom headers before sending traffic to backends according to https://github.com/kubernetes/ingress-nginx/tree/master/docs/examples/customization/custom-headers + proxySetHeaders: {} + + # Will add custom headers before sending response traffic to the client according to: https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#add-headers + addHeaders: {} + + # Required for use with CNI based kubernetes installations (such as ones set up by kubeadm), + # since CNI and hostport don't mix yet. Can be deprecated once https://github.com/kubernetes/kubernetes/issues/23920 + # is merged + hostNetwork: false + + # Optionally change this to ClusterFirstWithHostNet in case you have 'hostNetwork: true'. + # By default, while using host network, name resolution uses the host's DNS. If you wish nginx-controller + # to keep resolving names inside the k8s network, use ClusterFirstWithHostNet. 
+ dnsPolicy: ClusterFirst + + # Bare-metal considerations via the host network https://kubernetes.github.io/ingress-nginx/deploy/baremetal/#via-the-host-network + # Ingress status was blank because there is no Service exposing the NGINX Ingress controller in a configuration using the host network, the default --publish-service flag used in standard cloud setups does not apply + reportNodeInternalIp: false + + ## Use host ports 80 and 443 + daemonset: + useHostPort: false + + hostPorts: + http: 80 + https: 443 + + ## Required only if defaultBackend.enabled = false + ## Must be / + ## + defaultBackendService: "" + + ## Election ID to use for status update + ## + electionID: ingress-controller-leader + + ## Name of the ingress class to route through this controller + ## + ingressClass: nginx + + # labels to add to the pod container metadata + podLabels: {} + # key: value + + ## Security Context policies for controller pods + ## See https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ for + ## notes on enabling and using sysctls + ## + podSecurityContext: {} + + ## Allows customization of the external service + ## the ingress will be bound to via DNS + publishService: + enabled: false + ## Allows overriding of the publish service to bind to + ## Must be / + ## + pathOverride: "" + + ## Limit the scope of the controller + ## + scope: + enabled: false + namespace: "" # defaults to .Release.Namespace + + ## Allows customization of the configmap / nginx-configmap namespace + ## + configMapNamespace: "" # defaults to .Release.Namespace + + ## Allows customization of the tcp-services-configmap namespace + ## + tcp: + configMapNamespace: "" # defaults to .Release.Namespace + + ## Allows customization of the udp-services-configmap namespace + ## + udp: + configMapNamespace: "" # defaults to .Release.Namespace + + ## Additional command line arguments to pass to nginx-ingress-controller + ## E.g. 
to specify the default SSL certificate you can use + ## extraArgs: + ## default-ssl-certificate: "/" + extraArgs: {} + + ## Additional environment variables to set + extraEnvs: [] + # extraEnvs: + # - name: FOO + # valueFrom: + # secretKeyRef: + # key: FOO + # name: secret-resource + + ## DaemonSet or Deployment + ## + kind: Deployment + + # The update strategy to apply to the Deployment or DaemonSet + ## + updateStrategy: {} + # rollingUpdate: + # maxUnavailable: 1 + # type: RollingUpdate + + # minReadySeconds to avoid killing pods before we are ready + ## + minReadySeconds: 0 + + + ## Node tolerations for server scheduling to nodes with taints + ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ + ## + tolerations: [] + # - key: "key" + # operator: "Equal|Exists" + # value: "value" + # effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)" + + ## Affinity and anti-affinity + ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity + ## + affinity: {} + # # An example of preferred pod anti-affinity, weight is in the range 1-100 + # podAntiAffinity: + # preferredDuringSchedulingIgnoredDuringExecution: + # - weight: 100 + # podAffinityTerm: + # labelSelector: + # matchExpressions: + # - key: app + # operator: In + # values: + # - nginx-ingress + # topologyKey: kubernetes.io/hostname + + # # An example of required pod anti-affinity + # podAntiAffinity: + # requiredDuringSchedulingIgnoredDuringExecution: + # - labelSelector: + # matchExpressions: + # - key: app + # operator: In + # values: + # - nginx-ingress + # topologyKey: "kubernetes.io/hostname" + + ## terminationGracePeriodSeconds + ## + terminationGracePeriodSeconds: 60 + + ## Node labels for controller pod assignment + ## Ref: https://kubernetes.io/docs/user-guide/node-selection/ + ## + nodeSelector: {} + + ## Liveness and readiness probe values + ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes + 
## + livenessProbe: + failureThreshold: 3 + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + port: 10254 + readinessProbe: + failureThreshold: 3 + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + port: 10254 + + ## Annotations to be added to controller pods + ## + podAnnotations: {} + + replicaCount: 1 + + minAvailable: 1 + + resources: {} + # limits: + # cpu: 100m + # memory: 64Mi + # requests: + # cpu: 100m + # memory: 64Mi + + autoscaling: + enabled: false + minReplicas: 1 + maxReplicas: 11 + targetCPUUtilizationPercentage: 50 + targetMemoryUtilizationPercentage: 50 + + ## Override NGINX template + customTemplate: + configMapName: "" + configMapKey: "" + + service: + enabled: true + + annotations: {} + labels: {} + ## Deprecated, instead simply do not provide a clusterIP value + omitClusterIP: false + # clusterIP: "" + + ## List of IP addresses at which the controller services are available + ## Ref: https://kubernetes.io/docs/user-guide/services/#external-ips + ## + externalIPs: [] + + loadBalancerIP: "" + loadBalancerSourceRanges: [] + + enableHttp: true + enableHttps: true + + ## Set external traffic policy to: "Local" to preserve source IP on + ## providers supporting it + ## Ref: https://kubernetes.io/docs/tutorials/services/source-ip/#source-ip-for-services-with-typeloadbalancer + externalTrafficPolicy: "" + + healthCheckNodePort: 0 + + ports: + http: 80 + https: 443 + + targetPorts: + http: http + https: https + + type: LoadBalancer + + # type: NodePort + # nodePorts: + # http: 32080 + # https: 32443 + # tcp: + # 8080: 32808 + nodePorts: + http: "" + https: "" + tcp: {} + udp: {} + + extraContainers: [] + ## Additional containers to be added to the controller pod. + ## See https://github.com/lemonldap-ng-controller/lemonldap-ng-controller as example. 
+ # - name: my-sidecar + # image: nginx:latest + # - name: lemonldap-ng-controller + # image: lemonldapng/lemonldap-ng-controller:0.2.0 + # args: + # - /lemonldap-ng-controller + # - --alsologtostderr + # - --configmap=$(POD_NAMESPACE)/lemonldap-ng-configuration + # env: + # - name: POD_NAME + # valueFrom: + # fieldRef: + # fieldPath: metadata.name + # - name: POD_NAMESPACE + # valueFrom: + # fieldRef: + # fieldPath: metadata.namespace + # volumeMounts: + # - name: copy-portal-skins + # mountPath: /srv/var/lib/lemonldap-ng/portal/skins + + extraVolumeMounts: [] + ## Additional volumeMounts to the controller main container. + # - name: copy-portal-skins + # mountPath: /var/lib/lemonldap-ng/portal/skins + + extraVolumes: [] + ## Additional volumes to the controller pod. + # - name: copy-portal-skins + # emptyDir: {} + + extraInitContainers: [] + ## Containers, which are run before the app containers are started. + # - name: init-myservice + # image: busybox + # command: ['sh', '-c', 'until nslookup myservice; do echo waiting for myservice; sleep 2; done;'] + + admissionWebhooks: + enabled: false + failurePolicy: Fail + port: 8443 + + service: + annotations: {} + ## Deprecated, instead simply do not provide a clusterIP value + omitClusterIP: false + # clusterIP: "" + externalIPs: [] + loadBalancerIP: "" + loadBalancerSourceRanges: [] + servicePort: 443 + type: ClusterIP + + patch: + enabled: true + image: + repository: jettech/kube-webhook-certgen + tag: v1.0.0 + pullPolicy: IfNotPresent + ## Provide a priority class name to the webhook patching job + ## + priorityClassName: "" + podAnnotations: {} + nodeSelector: {} + + metrics: + port: 10254 + # if this port is changed, change healthz-port: in extraArgs: accordingly + enabled: false + + service: + annotations: {} + # prometheus.io/scrape: "true" + # prometheus.io/port: "10254" + + ## Deprecated, instead simply do not provide a clusterIP value + omitClusterIP: false + # clusterIP: "" + + ## List of IP addresses at 
which the stats-exporter service is available + ## Ref: https://kubernetes.io/docs/user-guide/services/#external-ips + ## + externalIPs: [] + + loadBalancerIP: "" + loadBalancerSourceRanges: [] + servicePort: 9913 + type: ClusterIP + + serviceMonitor: + enabled: false + additionalLabels: {} + namespace: "" + namespaceSelector: {} + # Default: scrape .Release.Namespace only + # To scrape all, use the following: + # namespaceSelector: + # any: true + scrapeInterval: 30s + # honorLabels: true + + prometheusRule: + enabled: false + additionalLabels: {} + namespace: "" + rules: [] + # # These are just examples rules, please adapt them to your needs + # - alert: TooMany500s + # expr: 100 * ( sum( nginx_ingress_controller_requests{status=~"5.+"} ) / sum(nginx_ingress_controller_requests) ) > 5 + # for: 1m + # labels: + # severity: critical + # annotations: + # description: Too many 5XXs + # summary: More than 5% of the all requests did return 5XX, this require your attention + # - alert: TooMany400s + # expr: 100 * ( sum( nginx_ingress_controller_requests{status=~"4.+"} ) / sum(nginx_ingress_controller_requests) ) > 5 + # for: 1m + # labels: + # severity: critical + # annotations: + # description: Too many 4XXs + # summary: More than 5% of the all requests did return 4XX, this require your attention + + + lifecycle: {} + + priorityClassName: "" + +## Rollback limit +## +revisionHistoryLimit: 10 + +## Default 404 backend +## +defaultBackend: + + ## If false, controller.defaultBackendService must be provided + ## + enabled: true + + name: default-backend + image: + repository: k8s.gcr.io/defaultbackend-amd64 + tag: "1.5" + pullPolicy: IfNotPresent + # nobody user -> uid 65534 + runAsUser: 65534 + + extraArgs: {} + + serviceAccount: + create: true + name: + ## Additional environment variables to set for defaultBackend pods + extraEnvs: [] + + port: 8080 + + ## Readiness and liveness probes for default backend + ## Ref: 
https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/ + ## + livenessProbe: + failureThreshold: 3 + initialDelaySeconds: 30 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + readinessProbe: + failureThreshold: 6 + initialDelaySeconds: 0 + periodSeconds: 5 + successThreshold: 1 + timeoutSeconds: 5 + + ## Node tolerations for server scheduling to nodes with taints + ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ + ## + tolerations: [] + # - key: "key" + # operator: "Equal|Exists" + # value: "value" + # effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)" + + affinity: {} + + ## Security Context policies for controller pods + ## See https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ for + ## notes on enabling and using sysctls + ## + podSecurityContext: {} + + # labels to add to the pod container metadata + podLabels: {} + # key: value + + ## Node labels for default backend pod assignment + ## Ref: https://kubernetes.io/docs/user-guide/node-selection/ + ## + nodeSelector: {} + + ## Annotations to be added to default backend pods + ## + podAnnotations: {} + + replicaCount: 1 + + minAvailable: 1 + + resources: {} + # limits: + # cpu: 10m + # memory: 20Mi + # requests: + # cpu: 10m + # memory: 20Mi + + service: + annotations: {} + ## Deprecated, instead simply do not provide a clusterIP value + omitClusterIP: false + # clusterIP: "" + + ## List of IP addresses at which the default backend service is available + ## Ref: https://kubernetes.io/docs/user-guide/services/#external-ips + ## + externalIPs: [] + + loadBalancerIP: "" + loadBalancerSourceRanges: [] + servicePort: 80 + type: ClusterIP + + priorityClassName: "" + +## Enable RBAC as per https://github.com/kubernetes/ingress/tree/master/examples/rbac/nginx and https://github.com/kubernetes/ingress/issues/266 +rbac: + create: true + +# If true, create & use Pod Security Policy resources +# 
https://kubernetes.io/docs/concepts/policy/pod-security-policy/ +podSecurityPolicy: + enabled: false + +serviceAccount: + create: true + name: + +## Optional array of imagePullSecrets containing private registry credentials +## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ +imagePullSecrets: [] +# - name: secretName + +# TCP service key:value pairs +# Ref: https://github.com/kubernetes/contrib/tree/master/ingress/controllers/nginx/examples/tcp +## +tcp: {} +# 8080: "default/example-tcp-svc:9000" + +# UDP service key:value pairs +# Ref: https://github.com/kubernetes/contrib/tree/master/ingress/controllers/nginx/examples/udp +## +udp: {} +# 53: "kube-system/kube-dns:53" diff --git a/index.yaml b/index.yaml new file mode 100644 index 0000000..c91b58d --- /dev/null +++ b/index.yaml @@ -0,0 +1,26 @@ +apiVersion: v1 +entries: + basic-nginx-ingress: + - apiVersion: v1 + appVersion: 0.26.1 + created: "2019-12-05T10:32:22.951059+08:00" + description: An nginx Ingress controller that uses ConfigMap to store the nginx + configuration. + digest: 318b7bc67b15fbdbc0c17389348c0c3c89574c8142507613eeadb6debf2f1026 + home: https://github.com/kubernetes/ingress-nginx + icon: https://upload.wikimedia.org/wikipedia/commons/thumb/c/c5/Nginx_logo.svg/500px-Nginx_logo.svg.png + keywords: + - ingress + - nginx + kubeVersion: '>=1.10.0-0' + maintainers: + - name: ChiefAlexander + - email: Trevor.G.Wood@gmail.com + name: taharah + name: basic-nginx-ingress + sources: + - https://github.com/kubernetes/ingress-nginx + urls: + - https://alauda.github.io/captain-test-charts/basic-nginx-ingress-1.26.2.tgz + version: 1.26.2 +generated: "2019-12-05T10:32:22.945811+08:00" diff --git a/robots.txt b/robots.txt new file mode 100644 index 0000000..954f34b --- /dev/null +++ b/robots.txt @@ -0,0 +1 @@ +“User-Agent: *nDisallow: /”
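Review bot: in controller-webhook-service.yaml the port is hardcoded as `port: 443` while values.yaml in this same change defines `controller.admissionWebhooks.service.servicePort: 443`, so that value is dead; either render `port: {{ .Values.controller.admissionWebhooks.service.servicePort }}` or drop the key from values.yaml. The same template also lets operators set `externalIPs`, `loadBalancerIP`, `loadBalancerSourceRanges` and a non-ClusterIP `type` on the admission Service, whose only client is the API server inside the cluster; exposing the webhook endpoint outside the cluster serves no purpose, so consider not offering those knobs here, or at least saying in the values comment that the webhook should stay ClusterIP.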
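Review bot: in default-backend-deployment.yaml, `spec.selector.matchLabels` carries only `app` and `release`, while the PodDisruptionBudget and Service for the same component, and the ServiceMonitor for the controller, all select on `component` as well. Controller pods in the same release carry the same `app` and `release` labels (the ServiceMonitor selector in controller-servicemonitor.yaml relies on exactly that), so this Deployment's selector also matches controller pods; add `component: "{{ .Values.defaultBackend.name }}"` to `matchLabels` before this ships, since a Deployment selector cannot be changed afterwards without recreating the object. In the same hunk the container `securityContext` sets only `runAsUser`; the hardening in default-backend-psp.yaml (`allowPrivilegeEscalation: false`, `requiredDropCapabilities: [ALL]`, `MustRunAsNonRoot`) only takes effect when `podSecurityPolicy.enabled` is true, and values.yaml defaults it to false, so put the equivalent directly on the container (`allowPrivilegeEscalation: false`, `capabilities: {drop: [ALL]}`, `runAsNonRoot: true`) so a default install gets it.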
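Review bot: default-backend-poddisruptionbudget.yaml hardcodes `apiVersion: policy/v1beta1` while the Deployment and PSP in this change resolve their API version through the `deployment.apiVersion` and `podSecurityPolicy.apiVersion` helpers; route this one through a helper too so all three move together when the beta API is dropped. The guard `{{- if gt (.Values.defaultBackend.replicaCount | int) 1 }}` is right as written: with the default `replicaCount: 1` and `minAvailable: 1`, a budget would block every node drain, so rendering none is the correct behaviour.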
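Review bot: default-backend-role.yaml and default-backend-rolebinding.yaml use `apiVersion: rbac.authorization.k8s.io/v1beta1`; the `v1` RBAC API has been served since Kubernetes 1.8 and index.yaml in this same change sets `kubeVersion: '>=1.10.0-0'`, so use `v1` and avoid the deprecated group version. The Role itself is as tight as it should be: `verbs: ['use']` on the single PodSecurityPolicy listed in `resourceNames`, nothing else.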
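Review bot: default-backend-serviceaccount.yaml creates an account whose only binding in this change is the PSP `use` Role, which the admission controller evaluates against the account name and never needs the token for; the default backend makes no API calls, so add `automountServiceAccountToken: false` to this ServiceAccount (or to the pod spec in default-backend-deployment.yaml) so the pod does not carry a credential it has no use for.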
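Review bot: proxyheaders-configmap.yaml keys its fallback branch on `.Values.controller.headers`, but values.yaml in this change defines `proxySetHeaders` and `addHeaders` and no `headers`, so the `else if` can never fire from documented values. If `headers` is a legacy name for `proxySetHeaders`, document it in values.yaml; if it was meant to be `addHeaders`, note that those are response headers and do not belong in the proxy-set-headers ConfigMap. The `(not .Values.controller.proxySetHeaders)` inside the `else if` is redundant, since that branch is only reached when `proxySetHeaders` is empty.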
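Review bot: tcp-configmap.yaml and udp-configmap.yaml render whatever sits under `tcp:` and `udp:` straight into the ConfigMap via `tpl (toYaml .Values.tcp) .`, and the values.yaml example `53: "kube-system/kube-dns:53"` shows the entries reach across namespaces. With `controller.service.type: LoadBalancer` as the default, every entry here becomes an externally reachable port that bypasses the Ingress objects and `ingressClass` entirely, so the values comment should say that these maps publish arbitrary cluster Services outside the cluster, and the example should point at something less sensitive than kube-dns.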
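Review bot: in values.yaml, `allowPrivilegeEscalation: true` under `controller.image` ships with no comment, while the rest of the change (default-backend-psp.yaml) treats privilege escalation as something to forbid; if it is needed so the controller can bind ports 80 and 443 as `runAsUser: 33`, say so in the comment so operators understand the trade-off, otherwise default it to false. Two more points in the same file: `admissionWebhooks.enabled: false` leaves the Ingress validating webhook off by default, so a broken Ingress is only caught at nginx reload time rather than rejected at admission; and the placeholders `default-ssl-certificate: "/"` and both `## Must be /` comments read as a bare slash, which should be spelled out as the `namespace/name` form the controller expects.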
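Review bot: the committed robots.txt is the single line `“User-Agent: *nDisallow: /”`, with curly quotes and a literal `n` where a newline was intended, so no crawler will parse a `Disallow` rule out of it; it should be two unquoted lines, `User-agent: *` and `Disallow: /`. Keep in mind that robots.txt is advisory only and is not a way to hide the chart tarball or index.yaml from anyone who knows the URL.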