-
Notifications
You must be signed in to change notification settings - Fork 228
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
added ingress-nginx kpt package #3380
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
One question, but lgtm
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good. I think we can also add the set-labels
and set-namespace:v0.3.4
in Kptfile.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Just some thoughts on future improvements
valueFrom: | ||
fieldRef: | ||
fieldPath: metadata.namespace | ||
image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We'll want to be able to use set-image to update the tag and digest.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
So, this will be an imperative operation on this package, right.
securityContext: | ||
allowPrivilegeEscalation: false | ||
nodeSelector: | ||
kubernetes.io/os: linux |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We'll want something that can extract OS and arch info from a container image so that a function could then inject appropriate selectors.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Good pt. Filed an issue #3386
fsGroup: 2000 | ||
runAsNonRoot: true | ||
runAsUser: 2000 | ||
serviceAccountName: ingress-nginx-admission |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We'll want to explore how to make this pattern easier. 3 resources are required: the ServiceAccount, the Role, and the RoleBinding. Of those, only the Role requires user input. The UI could guide the user through the creation process and provide autocompletion, but that wouldn't address the CLI experience.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes.
Actually, for the kubebuilder based controllers, kubebuilder will read the permissions for the Role from the comments (annotations) defined above the API types (or reconciler function).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for the feedback everyone.
securityContext: | ||
allowPrivilegeEscalation: false | ||
nodeSelector: | ||
kubernetes.io/os: linux |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Good pt. Filed an issue #3386
fsGroup: 2000 | ||
runAsNonRoot: true | ||
runAsUser: 2000 | ||
serviceAccountName: ingress-nginx-admission |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes.
Actually, for the kubebuilder based controllers, kubebuilder will read the permissions for the Role from the comments (annotations) defined above the API types (or reconciler function).
We don't need to use Regarding |
* added ingress-nginx package-example
This PR adds kpt package for
ingress-nginx
cluster addon.README.md in the package documents the steps that we used to create the package.
Note: This time we are using
kpt fn
to transform the static manifests released by ingress-nginx project.