[argocd] added kustomize ingress-nginx

apps/argocd/base/core/nginx-ingress.yaml

@@ -1,237 +1,15 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
-  name: nginx-ingress
+  name: ingress-nginx
 spec:
   project: cluster
   source:
-    repoURL: https://github.com/gruberdev/ingress-nginx.git
-    targetRevision: a87d38d
-    path: charts/ingress-nginx
-    helm:
-      releaseName: nginx
-      values: |
-        controller:
-          extraArgs:
-            enable-ssl-passthrough: ""
-          admissionWebhooks:
-            certManager:
-              enabled: false
-            certificate: /usr/local/certificates/cert
-            createSecretJob:
-              securityContext:
-                allowPrivilegeEscalation: false
-            enabled: true
-            failurePolicy: Fail
-            key: /usr/local/certificates/key
-            networkPolicyEnabled: false
-            patch:
-              enabled: true
-              image:
-                digest: sha256:01d181618f270f2a96c04006f33b2699ad3ccb02da48d0f89b22abce084b292f
-                image: ingress-nginx/kube-webhook-certgen
-                pullPolicy: IfNotPresent
-                registry: registry.k8s.io
-                tag: v20230312-helm-chart-4.5.2-28-g66a760794
-              nodeSelector:
-                kubernetes.io/os: linux
-              securityContext:
-                fsGroup: 2000
-                runAsNonRoot: true
-                runAsUser: 2000
-            patchWebhookJob:
-              securityContext:
-                allowPrivilegeEscalation: false
-            port: 8443
-            service:
-              servicePort: 443
-              type: ClusterIP
-          allowSnippetAnnotations: true
-          autoscaling:
-            apiVersion: autoscaling/v2
-            enabled: false
-            maxReplicas: 11
-            minReplicas: 1
-            targetCPUUtilizationPercentage: 50
-            targetMemoryUtilizationPercentage: 50
-          containerName: controller
-          containerPort:
-            http: 80
-            https: 443
-          dnsPolicy: ClusterFirst
-          enableMimalloc: true
-          enableTopologyAwareRouting: false
-          healthCheckPath: /healthz
-          hostNetwork: false
-          hostPort:
-            enabled: false
-            ports:
-              http: 80
-              https: 443
-          image:
-            allowPrivilegeEscalation: true
-            chroot: false
-            digest: sha256:7612338342a1e7b8090bef78f2a04fffcadd548ccaabe8a47bf7758ff549a5f7
-            digestChroot: sha256:e84ef3b44c8efeefd8b0aa08770a886bfea1f04c53b61b4ba9a7204e9f1a7edc
-            image: ingress-nginx/controller
-            pullPolicy: IfNotPresent
-            registry: registry.k8s.io
-            runAsUser: 101
-            tag: v1.7.0
-          ingressClass: nginx
-          ingressClassByName: false
-          ingressClassResource:
-            controllerValue: k8s.io/ingress-nginx
-            default: true
-            enabled: true
-            name: nginx
-          keda:
-            apiVersion: keda.sh/v1alpha1
-            cooldownPeriod: 300
-            enabled: false
-            maxReplicas: 11
-            minReplicas: 1
-            pollingInterval: 30
-            restoreToOriginalReplicaCount: false
-          kind: Deployment
-          lifecycle:
-            preStop:
-              exec:
-                command:
-                - /wait-shutdown
-          livenessProbe:
-            failureThreshold: 5
-            httpGet:
-              path: /healthz
-              port: 10254
-              scheme: HTTP
-            initialDelaySeconds: 10
-            periodSeconds: 10
-            successThreshold: 1
-            timeoutSeconds: 1
-          metrics:
-            enabled: false
-            port: 10254
-            portName: metrics
-            prometheusRule:
-              enabled: false
-            service:
-              servicePort: 10254
-              type: ClusterIP
-            serviceMonitor:
-              enabled: false
-              scrapeInterval: 30s
-          minAvailable: 1
-          minReadySeconds: 0
-          name: controller
-          nodeSelector:
-            kubernetes.io/os: linux
-          opentelemetry:
-            containerSecurityContext:
-              allowPrivilegeEscalation: false
-            enabled: false
-            image: registry.k8s.io/ingress-nginx/opentelemetry:v20230312-helm-chart-4.5.2-28-g66a760794@sha256:40f766ac4a9832f36f217bb0e98d44c8d38faeccbfe861fbc1a76af7e9ab257f
-          publishService:
-            enabled: true
-          readinessProbe:
-            failureThreshold: 3
-            httpGet:
-              path: /healthz
-              port: 10254
-              scheme: HTTP
-            initialDelaySeconds: 10
-            periodSeconds: 10
-            successThreshold: 1
-            timeoutSeconds: 1
-          replicaCount: 1
-          reportNodeInternalIp: true
-          resources:
-            limits:
-              cpu: 300m
-              memory: 512Mi
-            requests:
-              cpu: 100m
-              memory: 256Mi
-          scope:
-            enabled: false
-          service:
-            appProtocol: true
-            enableHttp: true
-            enableHttps: true
-            enabled: true
-            external:
-              enabled: true
-            externalTrafficPolicy: Cluster
-            internal:
-              enabled: false
-            ipFamilies:
-            - IPv4
-            ipFamilyPolicy: SingleStack
-            loadBalancerClass: tailscale
-            ports:
-              http: 80
-              https: 443
-            targetPorts:
-              http: http
-              https: https
-            type: LoadBalancer
-          shareProcessNamespace: false
-          terminationGracePeriodSeconds: 300
-          watchIngressWithoutClass: true
-        defaultBackend:
-          autoscaling:
-            apiVersion: autoscaling/v2
-            enabled: false
-            maxReplicas: 2
-            minReplicas: 1
-            targetCPUUtilizationPercentage: 50
-            targetMemoryUtilizationPercentage: 50
-          enabled: false
-          image:
-            allowPrivilegeEscalation: false
-            image: defaultbackend-amd64
-            pullPolicy: IfNotPresent
-            readOnlyRootFilesystem: true
-            registry: registry.k8s.io
-            runAsNonRoot: true
-            runAsUser: 65534
-            tag: "1.5"
-          livenessProbe:
-            failureThreshold: 3
-            initialDelaySeconds: 60
-            periodSeconds: 10
-            successThreshold: 1
-            timeoutSeconds: 5
-          minAvailable: 1
-          minReadySeconds: 0
-          name: defaultbackend
-          nodeSelector:
-            kubernetes.io/os: linux
-          port: 8080
-          readinessProbe:
-            failureThreshold: 6
-            initialDelaySeconds: 0
-            periodSeconds: 5
-            successThreshold: 1
-            timeoutSeconds: 5
-          replicaCount: 1
-          service:
-            servicePort: 80
-            type: ClusterIP
-          serviceAccount:
-            automountServiceAccountToken: true
-            create: true
-        podSecurityPolicy:
-          enabled: false
-        rbac:
-          create: true
-          scope: false
-        revisionHistoryLimit: 10
-        serviceAccount:
-          automountServiceAccountToken: true
-          create: true
+    repoURL: 'https://github.com/gruberdev/homelab.git'
+    path: apps/networking/ingress-nginx
+    targetRevision: main
   destination:
-    namespace: networking
+    namespace: ingress
     name: in-cluster
   syncPolicy:
     automated:
@@ -242,12 +20,11 @@ spec:
     - Validate=false
     - CreateNamespace=false
     - PrunePropagationPolicy=foreground
-    - PruneLast=true
-    - ApplyOutOfSyncOnly=false
+    - PruneLast=false
     - Prune=true
     retry:
-      limit: 5
+      limit: 10
       backoff:
-        duration: 60s
+        duration: 20s
         factor: 2
         maxDuration: 15m

apps/networking/ingress-nginx/admission-webhooks/job-patch/cr.yaml

@@ -0,0 +1,17 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: ingress-nginx-admission
+  labels:
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/component: admission-webhook
+rules:
+  - apiGroups:
+      - admissionregistration.k8s.io
+    resources:
+      - validatingwebhookconfigurations
+    verbs:
+      - get
+      - update

apps/networking/ingress-nginx/admission-webhooks/job-patch/crb.yaml

@@ -0,0 +1,17 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: ingress-nginx-admission
+  labels:
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/component: admission-webhook
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: ingress-nginx-admission
+subjects:
+  - kind: ServiceAccount
+    name: ingress-nginx-admission
+    namespace: "ingress"

apps/networking/ingress-nginx/admission-webhooks/job-patch/jobs.yaml

@@ -0,0 +1,87 @@
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: ingress-nginx-admission-create
+  labels:
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/component: admission-webhook
+spec:
+  template:
+    metadata:
+      name: ingress-nginx-admission-create
+      labels:
+        app.kubernetes.io/name: ingress-nginx
+        app.kubernetes.io/part-of: ingress-nginx
+        app.kubernetes.io/component: admission-webhook
+    spec:
+      containers:
+        - name: create
+          image: "registry.k8s.io/ingress-nginx/kube-webhook-certgen:v20230407@sha256:543c40fd093964bc9ab509d3e791f9989963021f1e9e4c9c7b6700b02bfb227b"
+          imagePullPolicy: IfNotPresent
+          args:
+            - create
+            - --host=ingress-nginx-controller-admission,ingress-nginx-controller-admission.$(POD_NAMESPACE).svc
+            - --namespace=$(POD_NAMESPACE)
+            - --secret-name=ingress-nginx-admission
+          env:
+            - name: POD_NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
+          securityContext:
+            allowPrivilegeEscalation: false
+      restartPolicy: OnFailure
+      serviceAccountName: ingress-nginx-admission
+      nodeSelector:
+        kubernetes.io/os: linux
+      securityContext:
+        fsGroup: 2000
+        runAsNonRoot: true
+        runAsUser: 2000
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: ingress-nginx-admission-patch
+
+  labels:
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/component: admission-webhook
+spec:
+  template:
+    metadata:
+      name: ingress-nginx-admission-patch
+      labels:
+        app.kubernetes.io/name: ingress-nginx
+        app.kubernetes.io/part-of: ingress-nginx
+        app.kubernetes.io/component: admission-webhook
+    spec:
+      containers:
+        - name: patch
+          image: "registry.k8s.io/ingress-nginx/kube-webhook-certgen:v20230407@sha256:543c40fd093964bc9ab509d3e791f9989963021f1e9e4c9c7b6700b02bfb227b"
+          imagePullPolicy: IfNotPresent
+          args:
+            - patch
+            - --webhook-name=ingress-nginx-admission
+            - --namespace=$(POD_NAMESPACE)
+            - --patch-mutating=false
+            - --secret-name=ingress-nginx-admission
+            - --patch-failure-policy=Fail
+          env:
+            - name: POD_NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
+          securityContext:
+            allowPrivilegeEscalation: false
+      restartPolicy: OnFailure
+      serviceAccountName: ingress-nginx-admission
+      nodeSelector:
+        kubernetes.io/os: linux
+      securityContext:
+        fsGroup: 2000
+        runAsNonRoot: true
+        runAsUser: 2000