From 28df4bf07d610df390104c1df9751bcf5242876b Mon Sep 17 00:00:00 2001 
From: gruberdev Date: Sat, 9 Sep 2023 05:59:46 -0300 Subject: [PATCH] [argocd] added kustomize ingress-nginx --- apps/argocd/base/core/nginx-ingress.yaml | 239 +----------------- .../admission-webhooks/job-patch/cr.yaml | 17 ++ .../admission-webhooks/job-patch/crb.yaml | 17 ++ .../admission-webhooks/job-patch/jobs.yaml | 87 +++++++ .../job-patch/kustomization.yaml | 16 ++ .../admission-webhooks/job-patch/rb.yaml | 17 ++ .../admission-webhooks/job-patch/role.yaml | 17 ++ .../admission-webhooks/job-patch/sa.yaml | 9 + .../admission-webhooks/kustomization.yaml | 8 + .../admission-webhooks/webhook.yaml | 30 +++ apps/networking/ingress-nginx/cm.yaml | 11 + apps/networking/ingress-nginx/cr.yaml | 79 ++++++ apps/networking/ingress-nginx/crb.yaml | 17 ++ apps/networking/ingress-nginx/deployment.yaml | 109 ++++++++ .../ingress-nginx/ingressclass.yaml | 11 + .../ingress-nginx/kustomization.yaml | 18 ++ apps/networking/ingress-nginx/rb.yaml | 17 ++ apps/networking/ingress-nginx/role.yaml | 87 +++++++ apps/networking/ingress-nginx/sa.yaml | 10 + apps/networking/ingress-nginx/svc.yaml | 47 ++++ 20 files changed, 632 insertions(+), 231 deletions(-) create mode 100644 apps/networking/ingress-nginx/admission-webhooks/job-patch/cr.yaml create mode 100644 apps/networking/ingress-nginx/admission-webhooks/job-patch/crb.yaml create mode 100644 apps/networking/ingress-nginx/admission-webhooks/job-patch/jobs.yaml create mode 100644 apps/networking/ingress-nginx/admission-webhooks/job-patch/kustomization.yaml create mode 100644 apps/networking/ingress-nginx/admission-webhooks/job-patch/rb.yaml create mode 100644 apps/networking/ingress-nginx/admission-webhooks/job-patch/role.yaml create mode 100644 apps/networking/ingress-nginx/admission-webhooks/job-patch/sa.yaml create mode 100644 apps/networking/ingress-nginx/admission-webhooks/kustomization.yaml create mode 100644 apps/networking/ingress-nginx/admission-webhooks/webhook.yaml create mode 100644 apps/networking/ingress-nginx/cm.yaml 
create mode 100644 apps/networking/ingress-nginx/cr.yaml create mode 100644 apps/networking/ingress-nginx/crb.yaml create mode 100644 apps/networking/ingress-nginx/deployment.yaml create mode 100644 apps/networking/ingress-nginx/ingressclass.yaml create mode 100644 apps/networking/ingress-nginx/kustomization.yaml create mode 100644 apps/networking/ingress-nginx/rb.yaml create mode 100644 apps/networking/ingress-nginx/role.yaml create mode 100644 apps/networking/ingress-nginx/sa.yaml create mode 100644 apps/networking/ingress-nginx/svc.yaml diff --git a/apps/argocd/base/core/nginx-ingress.yaml b/apps/argocd/base/core/nginx-ingress.yaml index 485b3a972..51fedb5d4 100644 --- a/apps/argocd/base/core/nginx-ingress.yaml +++ b/apps/argocd/base/core/nginx-ingress.yaml 
@@ -1,237 +1,15 @@ apiVersion: argoproj.io/v1alpha1 kind: Application metadata: - name: nginx-ingress + name: ingress-nginx spec: project: cluster source: - repoURL: https://github.com/gruberdev/ingress-nginx.git - targetRevision: a87d38d - path: charts/ingress-nginx - helm: - releaseName: nginx - values: | - controller: - extraArgs: - enable-ssl-passthrough: "" - admissionWebhooks: - certManager: - enabled: false - certificate: /usr/local/certificates/cert - createSecretJob: - securityContext: - allowPrivilegeEscalation: false - enabled: true - failurePolicy: Fail - key: /usr/local/certificates/key - networkPolicyEnabled: false - patch: - enabled: true - image: - digest: sha256:01d181618f270f2a96c04006f33b2699ad3ccb02da48d0f89b22abce084b292f - image: ingress-nginx/kube-webhook-certgen - pullPolicy: IfNotPresent - registry: registry.k8s.io - tag: v20230312-helm-chart-4.5.2-28-g66a760794 - nodeSelector: - kubernetes.io/os: linux - securityContext: - fsGroup: 2000 - runAsNonRoot: true - runAsUser: 2000 - patchWebhookJob: - securityContext: - allowPrivilegeEscalation: false - port: 8443 - service: - servicePort: 443 - type: ClusterIP - allowSnippetAnnotations: true - autoscaling: - apiVersion: autoscaling/v2 - enabled: false - maxReplicas: 11 - minReplicas: 1 - targetCPUUtilizationPercentage: 50 - targetMemoryUtilizationPercentage: 50 - containerName: controller - containerPort: - http: 80 - https: 443 - dnsPolicy: ClusterFirst - enableMimalloc: true - enableTopologyAwareRouting: false - healthCheckPath: /healthz - hostNetwork: false - hostPort: - enabled: false - ports: - http: 80 - https: 443 - image: - allowPrivilegeEscalation: true - chroot: false - digest: sha256:7612338342a1e7b8090bef78f2a04fffcadd548ccaabe8a47bf7758ff549a5f7 - digestChroot: sha256:e84ef3b44c8efeefd8b0aa08770a886bfea1f04c53b61b4ba9a7204e9f1a7edc - image: ingress-nginx/controller - pullPolicy: IfNotPresent - registry: registry.k8s.io - runAsUser: 101 - tag: v1.7.0 - ingressClass: nginx - 
ingressClassByName: false - ingressClassResource: - controllerValue: k8s.io/ingress-nginx - default: true - enabled: true - name: nginx - keda: - apiVersion: keda.sh/v1alpha1 - cooldownPeriod: 300 - enabled: false - maxReplicas: 11 - minReplicas: 1 - pollingInterval: 30 - restoreToOriginalReplicaCount: false - kind: Deployment - lifecycle: - preStop: - exec: - command: - - /wait-shutdown - livenessProbe: - failureThreshold: 5 - httpGet: - path: /healthz - port: 10254 - scheme: HTTP - initialDelaySeconds: 10 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 1 - metrics: - enabled: false - port: 10254 - portName: metrics - prometheusRule: - enabled: false - service: - servicePort: 10254 - type: ClusterIP - serviceMonitor: - enabled: false - scrapeInterval: 30s - minAvailable: 1 - minReadySeconds: 0 - name: controller - nodeSelector: - kubernetes.io/os: linux - opentelemetry: - containerSecurityContext: - allowPrivilegeEscalation: false - enabled: false - image: registry.k8s.io/ingress-nginx/opentelemetry:v20230312-helm-chart-4.5.2-28-g66a760794@sha256:40f766ac4a9832f36f217bb0e98d44c8d38faeccbfe861fbc1a76af7e9ab257f - publishService: - enabled: true - readinessProbe: - failureThreshold: 3 - httpGet: - path: /healthz - port: 10254 - scheme: HTTP - initialDelaySeconds: 10 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 1 - replicaCount: 1 - reportNodeInternalIp: true - resources: - limits: - cpu: 300m - memory: 512Mi - requests: - cpu: 100m - memory: 256Mi - scope: - enabled: false - service: - appProtocol: true - enableHttp: true - enableHttps: true - enabled: true - external: - enabled: true - externalTrafficPolicy: Cluster - internal: - enabled: false - ipFamilies: - - IPv4 - ipFamilyPolicy: SingleStack - loadBalancerClass: tailscale - ports: - http: 80 - https: 443 - targetPorts: - http: http - https: https - type: LoadBalancer - shareProcessNamespace: false - terminationGracePeriodSeconds: 300 - watchIngressWithoutClass: true - defaultBackend: 
- autoscaling: - apiVersion: autoscaling/v2 - enabled: false - maxReplicas: 2 - minReplicas: 1 - targetCPUUtilizationPercentage: 50 - targetMemoryUtilizationPercentage: 50 - enabled: false - image: - allowPrivilegeEscalation: false - image: defaultbackend-amd64 - pullPolicy: IfNotPresent - readOnlyRootFilesystem: true - registry: registry.k8s.io - runAsNonRoot: true - runAsUser: 65534 - tag: "1.5" - livenessProbe: - failureThreshold: 3 - initialDelaySeconds: 60 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 5 - minAvailable: 1 - minReadySeconds: 0 - name: defaultbackend - nodeSelector: - kubernetes.io/os: linux - port: 8080 - readinessProbe: - failureThreshold: 6 - initialDelaySeconds: 0 - periodSeconds: 5 - successThreshold: 1 - timeoutSeconds: 5 - replicaCount: 1 - service: - servicePort: 80 - type: ClusterIP - serviceAccount: - automountServiceAccountToken: true - create: true - podSecurityPolicy: - enabled: false - rbac: - create: true - scope: false - revisionHistoryLimit: 10 - serviceAccount: - automountServiceAccountToken: true - create: true + repoURL: 'https://github.com/gruberdev/homelab.git' + path: apps/networking/ingress-nginx + targetRevision: main destination: - namespace: networking + namespace: ingress name: in-cluster syncPolicy: automated: @@ -242,12 +20,11 @@ spec: - Validate=false - CreateNamespace=false - PrunePropagationPolicy=foreground - - PruneLast=true - - ApplyOutOfSyncOnly=false + - PruneLast=false - Prune=true retry: - limit: 5 + limit: 10 backoff: - duration: 60s + duration: 20s factor: 2 maxDuration: 15m diff --git a/apps/networking/ingress-nginx/admission-webhooks/job-patch/cr.yaml b/apps/networking/ingress-nginx/admission-webhooks/job-patch/cr.yaml new file mode 100644 index 000000000..4c6bcbcd1 --- /dev/null +++ b/apps/networking/ingress-nginx/admission-webhooks/job-patch/cr.yaml 
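Review bot: Renaming the Application from `nginx-ingress` to `ingress-nginx` and moving `destination.namespace` from `networking` to `ingress` in the same hunk turns this into a delete-and-recreate of the controller rather than an upgrade, and the old and new Applications share the names of cluster-scoped objects that both renders produce (the IngressClass `nginx` and the `ingress-nginx-admission` ValidatingWebhookConfiguration). If the app-of-apps prunes the old Application with cascading deletion, those shared objects may presumably be removed out from under the new one, so it is worth syncing the new Application first and deleting the old one non-cascading, and saying so in the commit message. `CreateNamespace=false` is kept while the namespace changes, so the `ingress` namespace must already exist or be created elsewhere in the repo before the first sync. `repoURL` is the only single-quoted value in this file; `repoURL: https://github.com/gruberdev/homelab.git` matches the rest of the spec.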
@@ -0,0 +1,17 @@ +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: ingress-nginx-admission + labels: + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/component: admission-webhook +rules: + - apiGroups: + - admissionregistration.k8s.io + resources: + - validatingwebhookconfigurations + verbs: + - get + - update diff --git a/apps/networking/ingress-nginx/admission-webhooks/job-patch/crb.yaml b/apps/networking/ingress-nginx/admission-webhooks/job-patch/crb.yaml new file mode 100644 index 000000000..4aa044863 --- /dev/null +++ b/apps/networking/ingress-nginx/admission-webhooks/job-patch/crb.yaml @@ -0,0 +1,17 @@ +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: ingress-nginx-admission + labels: + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/component: admission-webhook +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: ingress-nginx-admission +subjects: + - kind: ServiceAccount + name: ingress-nginx-admission + namespace: "ingress" diff --git a/apps/networking/ingress-nginx/admission-webhooks/job-patch/jobs.yaml b/apps/networking/ingress-nginx/admission-webhooks/job-patch/jobs.yaml new file mode 100644 index 000000000..64bbf978e --- /dev/null +++ b/apps/networking/ingress-nginx/admission-webhooks/job-patch/jobs.yaml 
@@ -0,0 +1,87 @@ +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: ingress-nginx-admission-create + labels: + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/component: admission-webhook +spec: + template: + metadata: + name: ingress-nginx-admission-create + labels: + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/component: admission-webhook + spec: + containers: + - name: create + image: "registry.k8s.io/ingress-nginx/kube-webhook-certgen:v20230407@sha256:543c40fd093964bc9ab509d3e791f9989963021f1e9e4c9c7b6700b02bfb227b" + imagePullPolicy: IfNotPresent + args: + - create + - --host=ingress-nginx-controller-admission,ingress-nginx-controller-admission.$(POD_NAMESPACE).svc + - --namespace=$(POD_NAMESPACE) + - --secret-name=ingress-nginx-admission + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + securityContext: + allowPrivilegeEscalation: false + restartPolicy: OnFailure + serviceAccountName: ingress-nginx-admission + nodeSelector: + kubernetes.io/os: linux + securityContext: + fsGroup: 2000 + runAsNonRoot: true + runAsUser: 2000 +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: ingress-nginx-admission-patch + + labels: + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/component: admission-webhook +spec: + template: + metadata: + name: ingress-nginx-admission-patch + labels: + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/component: admission-webhook + spec: + containers: + - name: patch + image: "registry.k8s.io/ingress-nginx/kube-webhook-certgen:v20230407@sha256:543c40fd093964bc9ab509d3e791f9989963021f1e9e4c9c7b6700b02bfb227b" + imagePullPolicy: IfNotPresent + args: + - patch + - --webhook-name=ingress-nginx-admission + - --namespace=$(POD_NAMESPACE) + - --patch-mutating=false + - 
--secret-name=ingress-nginx-admission + - --patch-failure-policy=Fail + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + securityContext: + allowPrivilegeEscalation: false + restartPolicy: OnFailure + serviceAccountName: ingress-nginx-admission + nodeSelector: + kubernetes.io/os: linux + securityContext: + fsGroup: 2000 + runAsNonRoot: true + runAsUser: 2000 diff --git a/apps/networking/ingress-nginx/admission-webhooks/job-patch/kustomization.yaml b/apps/networking/ingress-nginx/admission-webhooks/job-patch/kustomization.yaml new file mode 100644 index 000000000..1de63531e --- /dev/null +++ b/apps/networking/ingress-nginx/admission-webhooks/job-patch/kustomization.yaml @@ -0,0 +1,16 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +resources: +- cr.yaml +- crb.yaml +- rb.yaml +- jobs.yaml +- role.yaml +- sa.yaml + +commonAnnotations: + argocd.argoproj.io/hook: PreSync + argocd.argoproj.io/hook: PostSync + argocd.argoproj.io/hook-delete-policy: BeforeHookCreation + argocd.argoproj.io/hook-delete-policy: HookSucceeded \ No newline at end of file diff --git a/apps/networking/ingress-nginx/admission-webhooks/job-patch/rb.yaml b/apps/networking/ingress-nginx/admission-webhooks/job-patch/rb.yaml new file mode 100644 index 000000000..ee5e37098 --- /dev/null +++ b/apps/networking/ingress-nginx/admission-webhooks/job-patch/rb.yaml @@ -0,0 +1,17 @@ +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: ingress-nginx-admission + labels: + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/component: admission-webhook +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: ingress-nginx-admission +subjects: + - kind: ServiceAccount + name: ingress-nginx-admission + namespace: "ingress" 
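Review bot: Both certgen containers in jobs.yaml set only `allowPrivilegeEscalation: false`, so the pods fall short of the Pod Security `restricted` profile even though the pod-level context runs them as UID 2000 and non-root; adding `capabilities: {drop: [ALL]}`, `readOnlyRootFilesystem: true` and `seccompProfile: {type: RuntimeDefault}` under each container's `securityContext` closes that gap. Judging by the args, certgen only creates a Secret and patches the webhook configuration through the API server, so a read-only root filesystem should not affect it, but confirm with one dry run. The patch Job's `metadata` block also has a stray empty line between `name:` and `labels:`; harmless to the parser, but it should go. Both images are pinned by digest, which is the right call; keep tag and digest in step when bumping.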
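Review bot: `commonAnnotations` in job-patch/kustomization.yaml repeats the keys `argocd.argoproj.io/hook` and `argocd.argoproj.io/hook-delete-policy`, and most YAML parsers silently keep the last value, so every resource in this directory — the ServiceAccount, Role, RoleBinding, ClusterRole, ClusterRoleBinding and both Jobs — becomes a `PostSync` hook with `HookSucceeded` deletion. That makes the `create` Job run only after the controller Deployment is synced, yet deployment.yaml mounts the `ingress-nginx-admission` Secret that this Job produces, so if ArgoCD waits for resources to be healthy before running PostSync hooks (as I recall it does) the first sync can never complete, and the RBAC objects would be deleted as soon as the hooks succeed. The upstream chart, as far as I recall, runs the create Job pre-install and the patch Job post-install, which maps to `argocd.argoproj.io/hook: PreSync` on `ingress-nginx-admission-create` and `argocd.argoproj.io/hook: PostSync` on `ingress-nginx-admission-patch`, each with `argocd.argoproj.io/hook-delete-policy: BeforeHookCreation`, set in the Job's own `metadata.annotations` rather than through `commonAnnotations`, leaving the RBAC resources as ordinary synced resources. The file is also missing its trailing newline.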
diff --git a/apps/networking/ingress-nginx/admission-webhooks/job-patch/role.yaml b/apps/networking/ingress-nginx/admission-webhooks/job-patch/role.yaml new file mode 100644 index 000000000..3ad174e93 --- /dev/null +++ b/apps/networking/ingress-nginx/admission-webhooks/job-patch/role.yaml @@ -0,0 +1,17 @@ +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: ingress-nginx-admission + labels: + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/component: admission-webhook +rules: + - apiGroups: + - "" + resources: + - secrets + verbs: + - get + - create diff --git a/apps/networking/ingress-nginx/admission-webhooks/job-patch/sa.yaml b/apps/networking/ingress-nginx/admission-webhooks/job-patch/sa.yaml new file mode 100644 index 000000000..15ad2f2ce --- /dev/null +++ b/apps/networking/ingress-nginx/admission-webhooks/job-patch/sa.yaml @@ -0,0 +1,9 @@ +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: ingress-nginx-admission + labels: + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/component: admission-webhook diff --git a/apps/networking/ingress-nginx/admission-webhooks/kustomization.yaml b/apps/networking/ingress-nginx/admission-webhooks/kustomization.yaml new file mode 100644 index 000000000..2cf43fadf --- /dev/null +++ b/apps/networking/ingress-nginx/admission-webhooks/kustomization.yaml @@ -0,0 +1,8 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +bases: +- ./job-patch + +resources: +- webhook.yaml diff --git a/apps/networking/ingress-nginx/admission-webhooks/webhook.yaml b/apps/networking/ingress-nginx/admission-webhooks/webhook.yaml new file mode 100644 index 000000000..52ccc0e7a --- /dev/null +++ b/apps/networking/ingress-nginx/admission-webhooks/webhook.yaml 
@@ -0,0 +1,30 @@ +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + labels: + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/component: admission-webhook + name: ingress-nginx-admission +webhooks: + - name: validate.nginx.ingress.kubernetes.io + matchPolicy: Equivalent + rules: + - apiGroups: + - networking.k8s.io + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + resources: + - ingresses + failurePolicy: Fail + sideEffects: None + admissionReviewVersions: + - v1 + clientConfig: + service: + namespace: "ingress" + name: ingress-nginx-controller-admission + path: /networking/v1/ingresses diff --git a/apps/networking/ingress-nginx/cm.yaml b/apps/networking/ingress-nginx/cm.yaml new file mode 100644 index 000000000..f4d08e9f8 --- /dev/null +++ b/apps/networking/ingress-nginx/cm.yaml @@ -0,0 +1,11 @@ +--- +apiVersion: v1 +kind: ConfigMap +metadata: + labels: + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/component: controller + name: ingress-nginx-controller +data: + allow-snippet-annotations: "true" diff --git a/apps/networking/ingress-nginx/cr.yaml b/apps/networking/ingress-nginx/cr.yaml new file mode 100644 index 000000000..6680dd107 --- /dev/null +++ b/apps/networking/ingress-nginx/cr.yaml 
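Review bot: `allow-snippet-annotations: "true"` in cm.yaml lets anyone who can create an Ingress inject raw nginx configuration into the controller, and because the ClusterRole in cr.yaml grants `secrets` list/watch across all namespaces, that configuration can be used to read Secrets belonging to other namespaces; the old Helm values already carried `allowSnippetAnnotations: true`, so this is not a regression, but it is the highest-impact setting in the migration. Unless an Ingress in this repo actually uses a `nginx.ingress.kubernetes.io/*-snippet` annotation, set `allow-snippet-annotations: "false"` (upstream flipped the default to false in later releases, as far as I recall); if snippets are genuinely needed, the `annotation-value-word-blocklist` ConfigMap key limits what they may contain and should not be overridden. A one-line comment above the key stating why it is enabled would help the next reader.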
@@ -0,0 +1,79 @@ +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + name: ingress-nginx +rules: + - apiGroups: + - "" + resources: + - configmaps + - endpoints + - nodes + - pods + - secrets + - namespaces + verbs: + - list + - watch + - apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - list + - watch + - apiGroups: + - "" + resources: + - nodes + verbs: + - get + - apiGroups: + - "" + resources: + - services + verbs: + - get + - list + - watch + - apiGroups: + - networking.k8s.io + resources: + - ingresses + verbs: + - get + - list + - watch + - apiGroups: + - "" + resources: + - events + verbs: + - create + - patch + - apiGroups: + - networking.k8s.io + resources: + - ingresses/status + verbs: + - update + - apiGroups: + - networking.k8s.io + resources: + - ingressclasses + verbs: + - get + - list + - watch + - apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - list + - watch + - get diff --git a/apps/networking/ingress-nginx/crb.yaml b/apps/networking/ingress-nginx/crb.yaml new file mode 100644 index 000000000..3dc609e96 --- /dev/null +++ b/apps/networking/ingress-nginx/crb.yaml @@ -0,0 +1,17 @@ +--- +# Source: ingress-nginx/templates/clusterrolebinding.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + name: ingress-nginx +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: ingress-nginx +subjects: + - kind: ServiceAccount + name: ingress-nginx + namespace: "ingress" diff --git a/apps/networking/ingress-nginx/deployment.yaml b/apps/networking/ingress-nginx/deployment.yaml new file mode 100644 index 000000000..44da95d53 --- /dev/null +++ b/apps/networking/ingress-nginx/deployment.yaml 
@@ -0,0 +1,109 @@ +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/component: controller + name: ingress-nginx-controller +spec: + selector: + matchLabels: + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/component: controller + replicas: 1 + revisionHistoryLimit: 10 + minReadySeconds: 0 + template: + metadata: + labels: + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/component: controller + spec: + dnsPolicy: ClusterFirst + containers: + - name: controller + image: "registry.k8s.io/ingress-nginx/controller:v1.8.1@sha256:e5c4824e7375fcf2a393e1c03c293b69759af37a9ca6abdb91b13d78a93da8bd" + imagePullPolicy: IfNotPresent + lifecycle: + preStop: + exec: + command: + - /wait-shutdown + args: + - /nginx-ingress-controller + - --publish-service=$(POD_NAMESPACE)/ingress-nginx-controller + - --election-id=ingress-nginx-leader + - --controller-class=k8s.io/ingress-nginx + - --ingress-class=nginx + - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller + - --validating-webhook=:8443 + - --validating-webhook-certificate=/usr/local/certificates/cert + - --validating-webhook-key=/usr/local/certificates/key + securityContext: + capabilities: + drop: + - ALL + add: + - NET_BIND_SERVICE + runAsUser: 101 + allowPrivilegeEscalation: true + env: + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: LD_PRELOAD + value: /usr/local/lib/libmimalloc.so + livenessProbe: + failureThreshold: 5 + httpGet: + path: /healthz + port: 10254 + scheme: HTTP + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + readinessProbe: + failureThreshold: 3 + httpGet: + path: /healthz + port: 10254 + scheme: HTTP + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + 
timeoutSeconds: 1 + ports: + - name: http + containerPort: 80 + protocol: TCP + - name: https + containerPort: 443 + protocol: TCP + - name: webhook + containerPort: 8443 + protocol: TCP + volumeMounts: + - name: webhook-cert + mountPath: /usr/local/certificates/ + readOnly: true + resources: + requests: + cpu: 100m + memory: 90Mi + nodeSelector: + kubernetes.io/os: linux + serviceAccountName: ingress-nginx + terminationGracePeriodSeconds: 300 + volumes: + - name: webhook-cert + secret: + secretName: ingress-nginx-admission diff --git a/apps/networking/ingress-nginx/ingressclass.yaml b/apps/networking/ingress-nginx/ingressclass.yaml new file mode 100644 index 000000000..53a174766 --- /dev/null +++ b/apps/networking/ingress-nginx/ingressclass.yaml @@ -0,0 +1,11 @@ +--- +apiVersion: networking.k8s.io/v1 +kind: IngressClass +metadata: + labels: + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/component: controller + name: nginx +spec: + controller: k8s.io/ingress-nginx diff --git a/apps/networking/ingress-nginx/kustomization.yaml b/apps/networking/ingress-nginx/kustomization.yaml new file mode 100644 index 000000000..3fab57a90 --- /dev/null +++ b/apps/networking/ingress-nginx/kustomization.yaml @@ -0,0 +1,18 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +bases: +- ./admission-webhooks + +resources: +- cr.yaml +- crb.yaml +- rb.yaml +- cm.yaml +- deployment.yaml +- ingressclass.yaml +- svc.yaml +- role.yaml +- sa.yaml + +namespace: ingress diff --git a/apps/networking/ingress-nginx/rb.yaml b/apps/networking/ingress-nginx/rb.yaml new file mode 100644 index 000000000..552903860 --- /dev/null +++ b/apps/networking/ingress-nginx/rb.yaml 
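Review bot: The controller `args` in deployment.yaml drop three settings that the removed Helm values carried — `extraArgs.enable-ssl-passthrough`, `watchIngressWithoutClass: true` and `reportNodeInternalIp: true` — so SSL passthrough stops working and Ingresses without an `ingressClassName` are no longer served after this change. If that is unintended, add `- --enable-ssl-passthrough`, `- --watch-ingress-without-class=true` and `- --report-node-internal-ip-address` to `args`. The old values also set `resources.limits` (`cpu: 300m`, `memory: 512Mi`); the new container has only requests, so a misbehaving controller is no longer bounded. The container keeps `allowPrivilegeEscalation: true`, presumably needed for the capability-based binding to ports 80/443 as upstream ships it, but adding `runAsNonRoot: true` next to `runAsUser: 101` is a free assertion that the image really does not start as root.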
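Review bot: The IngressClass `nginx` in ingressclass.yaml is no longer marked as the cluster default, whereas the removed Helm values set `ingressClassResource.default: true`; together with the missing `--watch-ingress-without-class` flag in deployment.yaml, Ingresses that omit `ingressClassName` will stop being picked up. If the old behaviour is wanted, add `annotations:` with `ingressclass.kubernetes.io/is-default-class: "true"` under `metadata`.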
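Review bot: `bases:` in kustomization.yaml (and in admission-webhooks/kustomization.yaml) is deprecated in current Kustomize; directories belong in `resources:` next to the files, i.e. `resources:` followed by `- ./admission-webhooks` and the existing entries. `namespace: ingress` is the one place the target namespace is chosen, but `crb.yaml`, `rb.yaml`, the job-patch bindings and `webhook.yaml` also hard-code `namespace: "ingress"`; as far as I recall the namespace transformer rewrites those fields anyway, so either drop the literals or add a comment saying they must match this key. This overlay also relies on the `ingress` namespace already existing, since the Application keeps `CreateNamespace=false`.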
@@ -0,0 +1,17 @@ +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/component: controller + name: ingress-nginx +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: ingress-nginx +subjects: + - kind: ServiceAccount + name: ingress-nginx + namespace: "ingress" diff --git a/apps/networking/ingress-nginx/role.yaml b/apps/networking/ingress-nginx/role.yaml new file mode 100644 index 000000000..ab7492399 --- /dev/null +++ b/apps/networking/ingress-nginx/role.yaml @@ -0,0 +1,87 @@ +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + labels: + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/component: controller + name: ingress-nginx +rules: + - apiGroups: + - "" + resources: + - namespaces + verbs: + - get + - apiGroups: + - "" + resources: + - configmaps + - pods + - secrets + - endpoints + verbs: + - get + - list + - watch + - apiGroups: + - "" + resources: + - services + verbs: + - get + - list + - watch + - apiGroups: + - networking.k8s.io + resources: + - ingresses + verbs: + - get + - list + - watch + - apiGroups: + - networking.k8s.io + resources: + - ingresses/status + verbs: + - update + - apiGroups: + - networking.k8s.io + resources: + - ingressclasses + verbs: + - get + - list + - watch + - apiGroups: + - coordination.k8s.io + resources: + - leases + resourceNames: + - ingress-nginx-leader + verbs: + - get + - update + - apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - create + - apiGroups: + - "" + resources: + - events + verbs: + - create + - patch + - apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - list + - watch + - get diff --git a/apps/networking/ingress-nginx/sa.yaml b/apps/networking/ingress-nginx/sa.yaml new file mode 100644 index 000000000..d5d5af5ec --- /dev/null 
+++ b/apps/networking/ingress-nginx/sa.yaml @@ -0,0 +1,10 @@ +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/component: controller + name: ingress-nginx +automountServiceAccountToken: true diff --git a/apps/networking/ingress-nginx/svc.yaml b/apps/networking/ingress-nginx/svc.yaml new file mode 100644 index 000000000..4efe458d2 --- /dev/null +++ b/apps/networking/ingress-nginx/svc.yaml @@ -0,0 +1,47 @@ +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/component: controller + name: ingress-nginx-controller +spec: + type: LoadBalancer + ipFamilyPolicy: SingleStack + ipFamilies: + - IPv4 + ports: + - name: http + port: 80 + protocol: TCP + targetPort: http + appProtocol: http + - name: https + port: 443 + protocol: TCP + targetPort: https + appProtocol: https + selector: + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/component: controller +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/component: controller + name: ingress-nginx-controller-admission +spec: + type: ClusterIP + ports: + - name: https-webhook + port: 443 + targetPort: webhook + appProtocol: https + selector: + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/component: controller
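Review bot: The LoadBalancer Service in svc.yaml no longer sets `loadBalancerClass: tailscale`, which the removed Helm values had; on a cluster where Tailscale is the only load-balancer implementation the Service will sit in Pending, and on one with another default implementation the controller becomes reachable through a different path than before, which is an exposure change worth stating explicitly. If the Tailscale operator is still the intended front door, restore `loadBalancerClass: tailscale` under `spec`; otherwise a comment naming the implementation expected to claim this Service would help. Neither Service sets `externalTrafficPolicy`, which leaves the default `Cluster` and matches the old values.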