Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

added ingress-nginx kpt package #3380

Merged
merged 2 commits into from
Jul 19, 2022
Merged

added ingress-nginx kpt package #3380

merged 2 commits into from
Jul 19, 2022

Conversation

droot
Copy link
Contributor

@droot droot commented Jul 15, 2022

This PR adds kpt package for ingress-nginx cluster addon.

README.md in the package documents the steps that we used to create the package.

Note: This time we are using kpt fn to transform the static manifests released by ingress-nginx project.

@droot
Copy link
Contributor Author

droot commented Jul 15, 2022

/cc @yuwenma @bgrant0607 @justinsb

@droot droot marked this pull request as ready for review July 15, 2022 23:54
@droot droot changed the title added ingress-nginx package-example added ingress-nginx kpt package Jul 15, 2022
justinsb
justinsb approved these changes Jul 16, 2022
View reviewed changes
Copy link
Contributor

@justinsb justinsb left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

One question, but lgtm

package-examples/ingress-nginx/README.md Outdated Show resolved Hide resolved
yuwenma
yuwenma approved these changes Jul 17, 2022
View reviewed changes
Copy link
Contributor

@yuwenma yuwenma left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good. I think we can also add the set-labels and set-namespace:v0.3.4 in Kptfile.

bgrant0607
bgrant0607 reviewed Jul 18, 2022
View reviewed changes
Copy link
Contributor

@bgrant0607 bgrant0607 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just some thoughts on future improvements

package-examples/ingress-nginx/admission-webhook/job-ingress-nginx-admission-patch.yaml
valueFrom:
fieldRef:
fieldPath: metadata.namespace
image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We'll want to be able to use set-image to update the tag and digest.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So, this will be an imperative operation on this package, right.

package-examples/ingress-nginx/admission-webhook/job-ingress-nginx-admission-patch.yaml
securityContext:
allowPrivilegeEscalation: false
nodeSelector:
kubernetes.io/os: linux
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We'll want something that can extract OS and arch info from a container image so that a function could then inject appropriate selectors.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good pt. Filed an issue #3386

package-examples/ingress-nginx/admission-webhook/job-ingress-nginx-admission-patch.yaml
fsGroup: 2000
runAsNonRoot: true
runAsUser: 2000
serviceAccountName: ingress-nginx-admission
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We'll want to explore how to make this pattern easier. 3 resources are required: the ServiceAccount, the Role, and the RoleBinding. Of those, only the Role requires user input. The UI could guide the user through the creation process and provide autocompletion, but that wouldn't address the CLI experience.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes.

Actually, for the kubebuilder based controllers, kubebuilder will read the permissions for the Role from the comments (annotations) defined above the API types (or reconciler function).

droot
droot commented Jul 19, 2022
View reviewed changes
Copy link
Contributor Author

@droot droot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the feedback everyone.

package-examples/ingress-nginx/admission-webhook/job-ingress-nginx-admission-patch.yaml
securityContext:
allowPrivilegeEscalation: false
nodeSelector:
kubernetes.io/os: linux
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good pt. Filed an issue #3386

package-examples/ingress-nginx/admission-webhook/job-ingress-nginx-admission-patch.yaml
fsGroup: 2000
runAsNonRoot: true
runAsUser: 2000
serviceAccountName: ingress-nginx-admission
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes.

Actually, for the kubebuilder based controllers, kubebuilder will read the permissions for the Role from the comments (annotations) defined above the API types (or reconciler function).

@droot
Copy link
Contributor Author

droot commented Jul 19, 2022

Looks good. I think we can also add the set-labels and set-namespace:v0.3.4 in Kptfile.

We don't need to use set-namespace for this because there will be only one add-on per cluster. Configuring anything other than the ingress-nginx namespace is going to be exception rather than norm (Note all the docs etc use the default namespace so less likely someone will do it), so will add functions for the most common customizations.

Regarding set-labels, yes, this can be done. I will add it in the next iteration. I will have to use function target selector to selectively apply labels because multiple components are involved so want to play with it first.

@droot droot merged commit 9da6e8d into kptdev:main Jul 19, 2022
chunglu-chou pushed a commit to chunglu-chou/kpt that referenced this pull request Aug 20, 2022
@droot @chunglu-chou
added ingress-nginx kpt package (kptdev#3380)
afe8027 
* added ingress-nginx package-example
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@bgrant0607 bgrant0607 bgrant0607 left review comments

@justinsb justinsb justinsb approved these changes

@yuwenma yuwenma yuwenma approved these changes

@mengqiy mengqiy Awaiting requested review from mengqiy

@mortent mortent Awaiting requested review from mortent

@natasha41575 natasha41575 Awaiting requested review from natasha41575

Assignees

@justinsb justinsb

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@droot @justinsb @yuwenma @bgrant0607