From a92a8fab4018fc03b3473e65e128fceb4fb6e4c2 Mon Sep 17 00:00:00 2001 
From: Mitchell Nielsen Date: Thu, 3 Dec 2020 12:22:38 -0500 Subject: [PATCH 01/16] Import ingress-nginx chart version 3.12.0 Imports ingress-nginx chart from https://github.com/kubernetes/ingress-nginx.git. --- charts/ingress-nginx/.helmignore | 22 + charts/ingress-nginx/CHANGELOG.md | 146 ++++ charts/ingress-nginx/Chart.yaml | 24 + charts/ingress-nginx/OWNERS | 5 + charts/ingress-nginx/README.md | 209 +++++ .../ci/daemonset-customconfig-values.yaml | 9 + .../ci/daemonset-customnodeport-values.yaml | 18 + .../ci/daemonset-headers-values.yaml | 10 + .../ci/daemonset-internal-lb-values.yaml | 10 + .../ci/daemonset-nodeport-values.yaml | 6 + .../ci/daemonset-podannotations-values.yaml | 13 + ...set-tcp-udp-configMapNamespace-values.yaml | 16 + .../ci/daemonset-tcp-udp-values.yaml | 12 + .../ci/daemonset-tcp-values.yaml | 10 + .../ci/deamonset-default-values.yaml | 6 + .../ci/deamonset-metrics-values.yaml | 8 + .../ci/deamonset-psp-values.yaml | 9 + .../ci/deamonset-webhook-and-psp-values.yaml | 9 + .../ci/deamonset-webhook-values.yaml | 6 + .../ci/deployment-autoscaling-values.yaml | 7 + .../ci/deployment-customconfig-values.yaml | 7 + .../ci/deployment-customnodeport-values.yaml | 16 + .../ci/deployment-default-values.yaml | 4 + .../ci/deployment-headers-values.yaml | 9 + .../ci/deployment-internal-lb-values.yaml | 9 + .../ci/deployment-metrics-values.yaml | 7 + .../ci/deployment-nodeport-values.yaml | 5 + .../ci/deployment-podannotations-values.yaml | 12 + .../ci/deployment-psp-values.yaml | 6 + ...ent-tcp-udp-configMapNamespace-values.yaml | 15 + .../ci/deployment-tcp-udp-values.yaml | 11 + .../ci/deployment-tcp-values.yaml | 7 + .../ci/deployment-webhook-and-psp-values.yaml | 8 + .../ci/deployment-webhook-values.yaml | 5 + charts/ingress-nginx/templates/NOTES.txt | 71 ++ charts/ingress-nginx/templates/_helpers.tpl | 124 +++ .../job-patch/clusterrole.yaml | 27 + .../job-patch/clusterrolebinding.yaml | 20 + .../job-patch/job-createSecret.yaml | 60 ++ 
.../job-patch/job-patchWebhook.yaml | 62 ++ .../admission-webhooks/job-patch/psp.yaml | 36 + .../admission-webhooks/job-patch/role.yaml | 20 + .../job-patch/rolebinding.yaml | 20 + .../job-patch/serviceaccount.yaml | 12 + .../validating-webhook.yaml | 46 ++ .../ingress-nginx/templates/clusterrole.yaml | 76 ++ .../templates/clusterrolebinding.yaml | 16 + .../controller-configmap-addheaders.yaml | 10 + .../controller-configmap-proxyheaders.yaml | 15 + .../templates/controller-configmap-tcp.yaml | 13 + .../templates/controller-configmap-udp.yaml | 13 + .../templates/controller-configmap.yaml | 20 + .../templates/controller-daemonset.yaml | 255 +++++++ .../templates/controller-deployment.yaml | 259 +++++++ .../templates/controller-hpa.yaml | 40 + .../templates/controller-keda.yaml | 33 + .../controller-poddisruptionbudget.yaml | 15 + .../templates/controller-prometheusrules.yaml | 21 + .../templates/controller-psp.yaml | 86 +++ .../templates/controller-role.yaml | 96 +++ .../templates/controller-rolebinding.yaml | 17 + .../controller-service-internal.yaml | 47 ++ .../templates/controller-service-metrics.yaml | 43 ++ .../templates/controller-service-webhook.yaml | 33 + .../templates/controller-service.yaml | 84 ++ .../templates/controller-serviceaccount.yaml | 9 + .../templates/controller-servicemonitor.yaml | 42 + .../templates/default-backend-deployment.yaml | 105 +++ .../templates/default-backend-hpa.yaml | 29 + .../default-backend-poddisruptionbudget.yaml | 15 + .../templates/default-backend-psp.yaml | 33 + .../templates/default-backend-role.yaml | 14 + .../default-backend-rolebinding.yaml | 17 + .../templates/default-backend-service.yaml | 34 + .../default-backend-serviceaccount.yaml | 9 + charts/ingress-nginx/values.yaml | 718 ++++++++++++++++++ 76 files changed, 3391 insertions(+) create mode 100644 charts/ingress-nginx/.helmignore create mode 100644 charts/ingress-nginx/CHANGELOG.md create mode 100644 charts/ingress-nginx/Chart.yaml create mode 100644 
charts/ingress-nginx/OWNERS create mode 100644 charts/ingress-nginx/README.md create mode 100644 charts/ingress-nginx/ci/daemonset-customconfig-values.yaml create mode 100644 charts/ingress-nginx/ci/daemonset-customnodeport-values.yaml create mode 100644 charts/ingress-nginx/ci/daemonset-headers-values.yaml create mode 100644 charts/ingress-nginx/ci/daemonset-internal-lb-values.yaml create mode 100644 charts/ingress-nginx/ci/daemonset-nodeport-values.yaml create mode 100644 charts/ingress-nginx/ci/daemonset-podannotations-values.yaml create mode 100644 charts/ingress-nginx/ci/daemonset-tcp-udp-configMapNamespace-values.yaml create mode 100644 charts/ingress-nginx/ci/daemonset-tcp-udp-values.yaml create mode 100644 charts/ingress-nginx/ci/daemonset-tcp-values.yaml create mode 100644 charts/ingress-nginx/ci/deamonset-default-values.yaml create mode 100644 charts/ingress-nginx/ci/deamonset-metrics-values.yaml create mode 100644 charts/ingress-nginx/ci/deamonset-psp-values.yaml create mode 100644 charts/ingress-nginx/ci/deamonset-webhook-and-psp-values.yaml create mode 100644 charts/ingress-nginx/ci/deamonset-webhook-values.yaml create mode 100644 charts/ingress-nginx/ci/deployment-autoscaling-values.yaml create mode 100644 charts/ingress-nginx/ci/deployment-customconfig-values.yaml create mode 100644 charts/ingress-nginx/ci/deployment-customnodeport-values.yaml create mode 100644 charts/ingress-nginx/ci/deployment-default-values.yaml create mode 100644 charts/ingress-nginx/ci/deployment-headers-values.yaml create mode 100644 charts/ingress-nginx/ci/deployment-internal-lb-values.yaml create mode 100644 charts/ingress-nginx/ci/deployment-metrics-values.yaml create mode 100644 charts/ingress-nginx/ci/deployment-nodeport-values.yaml create mode 100644 charts/ingress-nginx/ci/deployment-podannotations-values.yaml create mode 100644 charts/ingress-nginx/ci/deployment-psp-values.yaml create mode 100644 charts/ingress-nginx/ci/deployment-tcp-udp-configMapNamespace-values.yaml 
create mode 100644 charts/ingress-nginx/ci/deployment-tcp-udp-values.yaml create mode 100644 charts/ingress-nginx/ci/deployment-tcp-values.yaml create mode 100644 charts/ingress-nginx/ci/deployment-webhook-and-psp-values.yaml create mode 100644 charts/ingress-nginx/ci/deployment-webhook-values.yaml create mode 100644 charts/ingress-nginx/templates/NOTES.txt create mode 100644 charts/ingress-nginx/templates/_helpers.tpl create mode 100644 charts/ingress-nginx/templates/admission-webhooks/job-patch/clusterrole.yaml create mode 100644 charts/ingress-nginx/templates/admission-webhooks/job-patch/clusterrolebinding.yaml create mode 100644 charts/ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml create mode 100644 charts/ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml create mode 100644 charts/ingress-nginx/templates/admission-webhooks/job-patch/psp.yaml create mode 100644 charts/ingress-nginx/templates/admission-webhooks/job-patch/role.yaml create mode 100644 charts/ingress-nginx/templates/admission-webhooks/job-patch/rolebinding.yaml create mode 100644 charts/ingress-nginx/templates/admission-webhooks/job-patch/serviceaccount.yaml create mode 100644 charts/ingress-nginx/templates/admission-webhooks/validating-webhook.yaml create mode 100644 charts/ingress-nginx/templates/clusterrole.yaml create mode 100644 charts/ingress-nginx/templates/clusterrolebinding.yaml create mode 100644 charts/ingress-nginx/templates/controller-configmap-addheaders.yaml create mode 100644 charts/ingress-nginx/templates/controller-configmap-proxyheaders.yaml create mode 100644 charts/ingress-nginx/templates/controller-configmap-tcp.yaml create mode 100644 charts/ingress-nginx/templates/controller-configmap-udp.yaml create mode 100644 charts/ingress-nginx/templates/controller-configmap.yaml create mode 100644 charts/ingress-nginx/templates/controller-daemonset.yaml create mode 100644 charts/ingress-nginx/templates/controller-deployment.yaml 
create mode 100644 charts/ingress-nginx/templates/controller-hpa.yaml create mode 100644 charts/ingress-nginx/templates/controller-keda.yaml create mode 100644 charts/ingress-nginx/templates/controller-poddisruptionbudget.yaml create mode 100644 charts/ingress-nginx/templates/controller-prometheusrules.yaml create mode 100644 charts/ingress-nginx/templates/controller-psp.yaml create mode 100644 charts/ingress-nginx/templates/controller-role.yaml create mode 100644 charts/ingress-nginx/templates/controller-rolebinding.yaml create mode 100644 charts/ingress-nginx/templates/controller-service-internal.yaml create mode 100644 charts/ingress-nginx/templates/controller-service-metrics.yaml create mode 100644 charts/ingress-nginx/templates/controller-service-webhook.yaml create mode 100644 charts/ingress-nginx/templates/controller-service.yaml create mode 100644 charts/ingress-nginx/templates/controller-serviceaccount.yaml create mode 100644 charts/ingress-nginx/templates/controller-servicemonitor.yaml create mode 100644 charts/ingress-nginx/templates/default-backend-deployment.yaml create mode 100644 charts/ingress-nginx/templates/default-backend-hpa.yaml create mode 100644 charts/ingress-nginx/templates/default-backend-poddisruptionbudget.yaml create mode 100644 charts/ingress-nginx/templates/default-backend-psp.yaml create mode 100644 charts/ingress-nginx/templates/default-backend-role.yaml create mode 100644 charts/ingress-nginx/templates/default-backend-rolebinding.yaml create mode 100644 charts/ingress-nginx/templates/default-backend-service.yaml create mode 100644 charts/ingress-nginx/templates/default-backend-serviceaccount.yaml create mode 100644 charts/ingress-nginx/values.yaml diff --git a/charts/ingress-nginx/.helmignore b/charts/ingress-nginx/.helmignore new file mode 100644 index 0000000000..50af031725 --- /dev/null +++ b/charts/ingress-nginx/.helmignore 
@@ -0,0 +1,22 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/charts/ingress-nginx/CHANGELOG.md b/charts/ingress-nginx/CHANGELOG.md
new file mode 100644
index 0000000000..4208983586
--- /dev/null
+++ b/charts/ingress-nginx/CHANGELOG.md
@@ -0,0 +1,146 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### Unreleased
+
+### 3.12.0
+
+- [X] [#6514](https://github.com/kubernetes/ingress-nginx/pull/6514) Remove helm2 support and update docs
+
+### 3.11.1
+
+- [X] [#6505](https://github.com/kubernetes/ingress-nginx/pull/6505) Reorder HPA resource list to work with GitOps tooling
+
+### 3.11.0
+
+- Support Keda Autoscaling
+
+### 3.10.1
+
+- Fix regression introduced in 0.41.0 with external authentication
+
+### 3.10.0
+
+- Fix routing regression introduced in 0.41.0 with PathType Exact
+
+### 3.9.0
+
+- [X] [#6423](https://github.com/kubernetes/ingress-nginx/pull/6423) Add Default backend HPA autoscaling
+
+### 3.8.0
+
+- [X] [#6395](https://github.com/kubernetes/ingress-nginx/pull/6395) Update jettech/kube-webhook-certgen image
+- [X] [#6377](https://github.com/kubernetes/ingress-nginx/pull/6377) Added loadBalancerSourceRanges for internal lbs
+- [X] [#6356](https://github.com/kubernetes/ingress-nginx/pull/6356) Add securitycontext settings on defaultbackend
+- [X] [#6401](https://github.com/kubernetes/ingress-nginx/pull/6401) Fix controller service annotations
+- [X] [#6403](https://github.com/kubernetes/ingress-nginx/pull/6403) Initial helm chart changelog
+
+### 3.7.1
+
+- [X] [#6326](https://github.com/kubernetes/ingress-nginx/pull/6326) Fix liveness and readiness probe path in daemonset chart
+
+### 3.7.0
+
+- [X] [#6316](https://github.com/kubernetes/ingress-nginx/pull/6316) Numerals in podAnnotations in quotes [#6315](https://github.com/kubernetes/ingress-nginx/issues/6315)
+
+### 3.6.0
+
+- [X] [#6305](https://github.com/kubernetes/ingress-nginx/pull/6305) Add default linux nodeSelector
+
+### 3.5.1
+
+- [X] [#6299](https://github.com/kubernetes/ingress-nginx/pull/6299) Fix helm chart release
+
+### 3.5.0
+
+- [X] [#6260](https://github.com/kubernetes/ingress-nginx/pull/6260) Allow Helm Chart to customize admission webhook's annotations, timeoutSeconds, namespaceSelector, objectSelector and cert files locations
+
+### 3.4.0
+
+- [X] [#6268](https://github.com/kubernetes/ingress-nginx/pull/6268) Update to 0.40.2 in helm chart #6288
+
+### 3.3.1
+
+- [X] [#6259](https://github.com/kubernetes/ingress-nginx/pull/6259) Release helm chart
+- [X] [#6258](https://github.com/kubernetes/ingress-nginx/pull/6258) Fix chart markdown link
+- [X] [#6253](https://github.com/kubernetes/ingress-nginx/pull/6253) Release v0.40.0
+
+### 3.3.1
+
+- [X] [#6233](https://github.com/kubernetes/ingress-nginx/pull/6233) Add admission controller e2e test
+
+### 3.3.0
+
+- [X] [#6203](https://github.com/kubernetes/ingress-nginx/pull/6203) Refactor parsing of key values
+- [X] [#6162](https://github.com/kubernetes/ingress-nginx/pull/6162) Add helm chart options to expose metrics service as NodePort
+- [X] [#6180](https://github.com/kubernetes/ingress-nginx/pull/6180) Fix helm chart admissionReviewVersions regression
+- [X] [#6169](https://github.com/kubernetes/ingress-nginx/pull/6169) Fix Typo in example prometheus rules
+
+### 3.0.0
+
+- [X] [#6167](https://github.com/kubernetes/ingress-nginx/pull/6167) Update chart requirements
+
+### 2.16.0
+
+- [X] [#6154](https://github.com/kubernetes/ingress-nginx/pull/6154) add `topologySpreadConstraint` to controller
+
+### 2.15.0
+
+- [X] [#6087](https://github.com/kubernetes/ingress-nginx/pull/6087) Adding parameter for externalTrafficPolicy in internal controller service spec
+
+### 2.14.0
+
+- [X] [#6104](https://github.com/kubernetes/ingress-nginx/pull/6104) Misc fixes for nginx-ingress chart for better keel and prometheus-operator integration
+
+### 2.13.0
+
+- [X] [#6093](https://github.com/kubernetes/ingress-nginx/pull/6093) Release v0.35.0
+
+### 2.13.0
+
+- [X] [#6093](https://github.com/kubernetes/ingress-nginx/pull/6093) Release v0.35.0
+- [X] [#6080](https://github.com/kubernetes/ingress-nginx/pull/6080) Switch images to k8s.gcr.io after Vanity Domain Flip
+
+### 2.12.1
+
+- [X] [#6075](https://github.com/kubernetes/ingress-nginx/pull/6075) Sync helm chart affinity examples
+
+### 2.12.0
+
+- [X] [#6039](https://github.com/kubernetes/ingress-nginx/pull/6039) Add configurable serviceMonitor metricRelabelling and targetLabels
+- [X] [#6044](https://github.com/kubernetes/ingress-nginx/pull/6044) Fix YAML linting
+
+### 2.11.3
+
+- [X] [#6038](https://github.com/kubernetes/ingress-nginx/pull/6038) Bump chart version PATCH
+
+### 2.11.2
+
+- [X] [#5951](https://github.com/kubernetes/ingress-nginx/pull/5951) Bump chart patch version
+
+### 2.11.1
+
+- [X] [#5900](https://github.com/kubernetes/ingress-nginx/pull/5900) Release helm chart for v0.34.1
+
+### 2.11.0
+
+- [X] [#5879](https://github.com/kubernetes/ingress-nginx/pull/5879) Update helm chart for v0.34.0
+- [X] [#5671](https://github.com/kubernetes/ingress-nginx/pull/5671) Make liveness probe more fault tolerant than readiness probe
+
+### 2.10.0
+
+- [X] [#5843](https://github.com/kubernetes/ingress-nginx/pull/5843) Update jettech/kube-webhook-certgen image
+
+### 2.9.1
+
+- [X] [#5823](https://github.com/kubernetes/ingress-nginx/pull/5823) Add quoting to sysctls because numeric values need to be presented as strings (#5823)
+
+### 2.9.0
+
+- [X] [#5795](https://github.com/kubernetes/ingress-nginx/pull/5795) Use fully qualified images to avoid cri-o issues
+
+
+### TODO
+
+Keep building the changelog using *git log charts* checking the tag
diff --git a/charts/ingress-nginx/Chart.yaml b/charts/ingress-nginx/Chart.yaml
new file mode 100644
index 0000000000..b209497718
--- /dev/null
+++ b/charts/ingress-nginx/Chart.yaml
@@ -0,0 +1,24 @@
+apiVersion: v2
+name: ingress-nginx
+# When the version is modified, make sure the artifacthub.io/changes list is updated
+# Also update CHANGELOG.md
+version: 3.12.0
+appVersion: 0.41.2
+home: https://github.com/kubernetes/ingress-nginx
+description: Ingress controller for Kubernetes using NGINX as a reverse proxy and load balancer
+icon: https://upload.wikimedia.org/wikipedia/commons/thumb/c/c5/Nginx_logo.svg/500px-Nginx_logo.svg.png
+keywords:
+ - ingress
+ - nginx
+sources:
+ - https://github.com/kubernetes/ingress-nginx
+type: application
+maintainers:
+ - name: ChiefAlexander
+engine: gotpl
+kubeVersion: ">=1.16.0-0"
+annotations:
+ # List of changes for the release in artifacthub.io
+ # https://artifacthub.io/packages/helm/ingress-nginx/ingress-nginx?modal=changelog
+ artifacthub.io/changes: |
+ - Remove helm2 support and update docs
diff --git a/charts/ingress-nginx/OWNERS b/charts/ingress-nginx/OWNERS
new file mode 100644
index 0000000000..7aadb8dc29
--- /dev/null
+++ b/charts/ingress-nginx/OWNERS
@@ -0,0 +1,5 @@
+approvers:
+ - ChiefAlexander
+
+reviewers:
+ - ChiefAlexander
diff --git a/charts/ingress-nginx/README.md b/charts/ingress-nginx/README.md
new file mode 100644
index 0000000000..37b0ca1fbd
--- /dev/null
+++ b/charts/ingress-nginx/README.md
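Review bot: The vendored `charts/ingress-nginx/Chart.yaml` records `version: 3.12.0` and `appVersion: 0.41.2`, but nothing in the imported tree pins the upstream tag or commit the files were copied from, so the import cannot be checked byte-for-byte against a known upstream state. As this is patch 01 of 16, later patches presumably modify the chart, which makes a fixed baseline more important for auditing local changes. Consider adding a comment above `version:` such as `# Vendored from https://github.com/kubernetes/ingress-nginx at <UPSTREAM_TAG_OR_COMMIT>`, or recording the same reference in a separate provenance file if Chart.yaml should stay identical to upstream.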
@@ -0,0 +1,209 @@
+# ingress-nginx
+
+[ingress-nginx](https://github.com/kubernetes/ingress-nginx) Ingress controller for Kubernetes using NGINX as a reverse proxy and load balancer
+
+To use, add the `kubernetes.io/ingress.class: nginx` annotation to your Ingress resources.
+
+This chart bootstraps an ingress-nginx deployment on a [Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager.
+
+## Prerequisites
+
+- Kubernetes v1.16+
+
+## Get Repo Info
+
+```console
+helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
+helm repo update
+```
+
+## Install Chart
+
+**Important:** only helm3 is supported
+
+```console
+helm install [RELEASE_NAME] ingress-nginx/ingress-nginx
+```
+
+The command deploys ingress-nginx on the Kubernetes cluster in the default configuration.
+
+_See [configuration](#configuration) below._
+
+_See [helm install](https://helm.sh/docs/helm/helm_install/) for command documentation._
+
+## Uninstall Chart
+
+```console
+helm uninstall [RELEASE_NAME]
+```
+
+This removes all the Kubernetes components associated with the chart and deletes the release.
+
+_See [helm uninstall](https://helm.sh/docs/helm/helm_uninstall/) for command documentation._
+
+## Upgrading Chart
+
+```console
+helm upgrade [RELEASE_NAME] [CHART] --install
+```
+
+_See [helm upgrade](https://helm.sh/docs/helm/helm_upgrade/) for command documentation._
+
+### Upgrading With Zero Downtime in Production
+
+By default the ingress-nginx controller has service interruptions whenever it's pods are restarted or redeployed. In order to fix that, see the excellent blog post by Lindsay Landry from Codecademy: [Kubernetes: Nginx and Zero Downtime in Production](https://medium.com/codecademy-engineering/kubernetes-nginx-and-zero-downtime-in-production-2c910c6a5ed8).
+
+### Migrating from stable/nginx-ingress
+
+There are two main ways to migrate a release from `stable/nginx-ingress` to `ingress-nginx/ingress-nginx` chart:
+
+1. For Nginx Ingress controllers used for non-critical services, the easiest method is to [uninstall](#uninstall-chart) the old release and [install](#install-chart) the new one
+1. For critical services in production that require zero-downtime, you will want to:
+ 1. [Install](#install-chart) a second Ingress controller
+ 1. Redirect your DNS traffic from the old controller to the new controller
+ 1. Log traffic from both controllers during this changeover
+ 1. [Uninstall](#uninstall-chart) the old controller once traffic has fully drained from it
+ 1. For details on all of these steps see [Upgrading With Zero Downtime in Production](#upgrading-with-zero-downtime-in-production)
+
+Note that there are some different and upgraded configurations between the two charts, described by Rimas Mocevicius from JFrog in the "Upgrading to ingress-nginx Helm chart" section of [Migrating from Helm chart nginx-ingress to ingress-nginx](https://rimusz.net/migrating-to-ingress-nginx). As the `ingress-nginx/ingress-nginx` chart continues to update, you will want to check current differences by running [helm configuration](#configuration) commands on both charts.
+
+## Configuration
+
+See [Customizing the Chart Before Installing](https://helm.sh/docs/intro/using_helm/#customizing-the-chart-before-installing). To see all configurable options with detailed comments, visit the chart's [values.yaml](./values.yaml), or run these configuration commands:
+
+```console
+helm show values ingress-nginx/ingress-nginx
+```
+
+### PodDisruptionBudget
+
+Note that the PodDisruptionBudget resource will only be defined if the replicaCount is greater than one,
+else it would make it impossible to evacuate a node. See [gh issue #7127](https://github.com/helm/charts/issues/7127) for more info.
+
+### Prometheus Metrics
+
+The Nginx ingress controller can export Prometheus metrics, by setting `controller.metrics.enabled` to `true`.
+
+You can add Prometheus annotations to the metrics service using `controller.metrics.service.annotations`. Alternatively, if you use the Prometheus Operator, you can enable ServiceMonitor creation using `controller.metrics.serviceMonitor.enabled`.
+
+### ingress-nginx nginx\_status page/stats server
+
+Previous versions of this chart had a `controller.stats.*` configuration block, which is now obsolete due to the following changes in nginx ingress controller:
+
+- In [0.16.1](https://github.com/kubernetes/ingress-nginx/blob/master/Changelog.md#0161), the vts (virtual host traffic status) dashboard was removed
+- In [0.23.0](https://github.com/kubernetes/ingress-nginx/blob/master/Changelog.md#0230), the status page at port 18080 is now a unix socket webserver only available at localhost.
+ You can use `curl --unix-socket /tmp/nginx-status-server.sock http://localhost/nginx_status` inside the controller container to access it locally, or use the snippet from [nginx-ingress changelog](https://github.com/kubernetes/ingress-nginx/blob/master/Changelog.md#0230) to re-enable the http server
+
+### ExternalDNS Service Configuration
+
+Add an [ExternalDNS](https://github.com/kubernetes-incubator/external-dns) annotation to the LoadBalancer service:
+
+```yaml
+controller:
+ service:
+ annotations:
+ external-dns.alpha.kubernetes.io/hostname: kubernetes-example.com.
+```
+
+### AWS L7 ELB with SSL Termination
+
+Annotate the controller as shown in the [nginx-ingress l7 patch](https://github.com/kubernetes/ingress-nginx/blob/master/deploy/aws/l7/service-l7.yaml):
+
+```yaml
+controller:
+ service:
+ targetPorts:
+ http: http
+ https: http
+ annotations:
+ service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:acm:XX-XXXX-X:XXXXXXXXX:certificate/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXX
+ service.beta.kubernetes.io/aws-load-balancer-backend-protocol: "http"
+ service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "https"
+ service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: '3600'
+```
+
+### AWS route53-mapper
+
+To configure the LoadBalancer service with the [route53-mapper addon](https://github.com/kubernetes/kops/tree/master/addons/route53-mapper), add the `domainName` annotation and `dns` label:
+
+```yaml
+controller:
+ service:
+ labels:
+ dns: "route53"
+ annotations:
+ domainName: "kubernetes-example.com"
+```
+
+### Additional Internal Load Balancer
+
+This setup is useful when you need both external and internal load balancers but don't want to have multiple ingress controllers and multiple ingress objects per application.
+
+By default, the ingress object will point to the external load balancer address, but if correctly configured, you can make use of the internal one if the URL you are looking up resolves to the internal load balancer's URL.
+
+You'll need to set both the following values:
+
+`controller.service.internal.enabled`
+`controller.service.internal.annotations`
+
+If one of them is missing the internal load balancer will not be deployed. Example you may have `controller.service.internal.enabled=true` but no annotations set, in this case no action will be taken.
+
+`controller.service.internal.annotations` varies with the cloud service you're using.
+
+Example for AWS:
+
+```yaml
+controller:
+ service:
+ internal:
+ enabled: true
+ annotations:
+ # Create internal ELB
+ service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0
+ # Any other annotation can be declared here.
+```
+
+Example for GCE:
+
+```yaml
+controller:
+ service:
+ internal:
+ enabled: true
+ annotations:
+ # Create internal LB
+ cloud.google.com/load-balancer-type: "Internal"
+ # Any other annotation can be declared here.
+```
+
+Example for Azure:
+
+```yaml
+controller:
+ service:
+ annotations:
+ # Create internal LB
+ service.beta.kubernetes.io/azure-load-balancer-internal: "true"
+ # Any other annotation can be declared here.
+```
+
+An use case for this scenario is having a split-view DNS setup where the public zone CNAME records point to the external balancer URL while the private zone CNAME records point to the internal balancer URL. This way, you only need one ingress kubernetes object.
+
+### Ingress Admission Webhooks
+
+With nginx-ingress-controller version 0.25+, the nginx ingress controller pod exposes an endpoint that will integrate with the `validatingwebhookconfiguration` Kubernetes feature to prevent bad ingress from being added to the cluster.
+**This feature is enabled by default since 0.31.0.**
+
+With nginx-ingress-controller in 0.25.* work only with kubernetes 1.14+, 0.26 fix [this issue](https://github.com/kubernetes/ingress-nginx/pull/4521)
+
+### Helm Error When Upgrading: spec.clusterIP: Invalid value: ""
+
+If you are upgrading this chart from a version between 0.31.0 and 1.2.2 then you may get an error like this:
+
+```console
+Error: UPGRADE FAILED: Service "?????-controller" is invalid: spec.clusterIP: Invalid value: "": field is immutable
+```
+
+Detail of how and why are in [this issue](https://github.com/helm/charts/pull/13646) but to resolve this you can set `xxxx.service.omitClusterIP` to `true` where `xxxx` is the service referenced in the error.
+
+As of version `1.26.0` of this chart, by simply not providing any clusterIP value, `invalid: spec.clusterIP: Invalid value: "": field is immutable` will no longer occur since `clusterIP: ""` will not be rendered.
diff --git a/charts/ingress-nginx/ci/daemonset-customconfig-values.yaml b/charts/ingress-nginx/ci/daemonset-customconfig-values.yaml
new file mode 100644
index 0000000000..e12b53421b
--- /dev/null
+++ b/charts/ingress-nginx/ci/daemonset-customconfig-values.yaml
@@ -0,0 +1,9 @@
+controller:
+ kind: DaemonSet
+ admissionWebhooks:
+ enabled: false
+ service:
+ type: ClusterIP
+
+ config:
+ use-proxy-protocol: "true"
diff --git a/charts/ingress-nginx/ci/daemonset-customnodeport-values.yaml b/charts/ingress-nginx/ci/daemonset-customnodeport-values.yaml
new file mode 100644
index 0000000000..cfc545f69f
--- /dev/null
+++ b/charts/ingress-nginx/ci/daemonset-customnodeport-values.yaml
@@ -0,0 +1,18 @@
+controller:
+ kind: DaemonSet
+ admissionWebhooks:
+ enabled: false
+
+ service:
+ type: NodePort
+ nodePorts:
+ tcp:
+ 9000: 30090
+ udp:
+ 9001: 30091
+
+tcp:
+ 9000: "default/test:8080"
+
+udp:
+ 9001: "default/test:8080"
diff --git a/charts/ingress-nginx/ci/daemonset-headers-values.yaml b/charts/ingress-nginx/ci/daemonset-headers-values.yaml
new file mode 100644
index 0000000000..ff82cd9c70
--- /dev/null
+++ b/charts/ingress-nginx/ci/daemonset-headers-values.yaml
@@ -0,0 +1,10 @@
+controller:
+ kind: DaemonSet
+ admissionWebhooks:
+ enabled: false
+ addHeaders:
+ X-Frame-Options: deny
+ proxySetHeaders:
+ X-Forwarded-Proto: https
+ service:
+ type: ClusterIP
diff --git a/charts/ingress-nginx/ci/daemonset-internal-lb-values.yaml b/charts/ingress-nginx/ci/daemonset-internal-lb-values.yaml
new file mode 100644
index 0000000000..443e39d8ba
--- /dev/null
+++ b/charts/ingress-nginx/ci/daemonset-internal-lb-values.yaml
@@ -0,0 +1,10 @@
+controller:
+ kind: DaemonSet
+ admissionWebhooks:
+ enabled: false
+ service:
+ type: ClusterIP
+ internal:
+ enabled: true
+ annotations:
+ service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0
diff --git a/charts/ingress-nginx/ci/daemonset-nodeport-values.yaml b/charts/ingress-nginx/ci/daemonset-nodeport-values.yaml
new file mode 100644
index 0000000000..6d6605f0e1
--- /dev/null
+++ b/charts/ingress-nginx/ci/daemonset-nodeport-values.yaml
@@ -0,0 +1,6 @@
+controller:
+ kind: DaemonSet
+ admissionWebhooks:
+ enabled: false
+ service:
+ type: NodePort
diff --git a/charts/ingress-nginx/ci/daemonset-podannotations-values.yaml b/charts/ingress-nginx/ci/daemonset-podannotations-values.yaml
new file mode 100644
index 0000000000..04ac58dbd8
--- /dev/null
+++ b/charts/ingress-nginx/ci/daemonset-podannotations-values.yaml
@@ -0,0 +1,13 @@
+controller:
+ kind: DaemonSet
+ admissionWebhooks:
+ enabled: false
+ metrics:
+ enabled: true
+ service:
+ type: ClusterIP
+ podAnnotations:
+ prometheus.io/path: /metrics
+ prometheus.io/port: "10254"
+ prometheus.io/scheme: http
+ prometheus.io/scrape: "true"
diff --git a/charts/ingress-nginx/ci/daemonset-tcp-udp-configMapNamespace-values.yaml b/charts/ingress-nginx/ci/daemonset-tcp-udp-configMapNamespace-values.yaml
new file mode 100644
index 0000000000..afb5487c57
--- /dev/null
+++ b/charts/ingress-nginx/ci/daemonset-tcp-udp-configMapNamespace-values.yaml
@@ -0,0 +1,16 @@
+controller:
+ kind: DaemonSet
+ admissionWebhooks:
+ enabled: false
+ service:
+ type: ClusterIP
+ tcp:
+ configMapNamespace: default
+ udp:
+ configMapNamespace: default
+
+tcp:
+ 9000: "default/test:8080"
+
+udp:
+ 9001: "default/test:8080"
diff --git a/charts/ingress-nginx/ci/daemonset-tcp-udp-values.yaml b/charts/ingress-nginx/ci/daemonset-tcp-udp-values.yaml
new file mode 100644
index 0000000000..7b4d7cbe7d
--- /dev/null
+++ b/charts/ingress-nginx/ci/daemonset-tcp-udp-values.yaml
@@ -0,0 +1,12 @@
+controller:
+ kind: DaemonSet
+ admissionWebhooks:
+ enabled: false
+ service:
+ type: ClusterIP
+
+tcp:
+ 9000: "default/test:8080"
+
+udp:
+ 9001: "default/test:8080"
diff --git a/charts/ingress-nginx/ci/daemonset-tcp-values.yaml b/charts/ingress-nginx/ci/daemonset-tcp-values.yaml
new file mode 100644
index 0000000000..a359a6a401
--- /dev/null
+++ b/charts/ingress-nginx/ci/daemonset-tcp-values.yaml
@@ -0,0 +1,10 @@
+controller:
+ kind: DaemonSet
+ admissionWebhooks:
+ enabled: false
+ service:
+ type: ClusterIP
+
+tcp:
+ 9000: "default/test:8080"
+ 9001: "default/test:8080"
diff --git a/charts/ingress-nginx/ci/deamonset-default-values.yaml b/charts/ingress-nginx/ci/deamonset-default-values.yaml
new file mode 100644
index 0000000000..e63a7f5db3
--- /dev/null
+++ b/charts/ingress-nginx/ci/deamonset-default-values.yaml
@@ -0,0 +1,6 @@
+controller:
+ kind: DaemonSet
+ admissionWebhooks:
+ enabled: false
+ service:
+ type: ClusterIP
diff --git a/charts/ingress-nginx/ci/deamonset-metrics-values.yaml b/charts/ingress-nginx/ci/deamonset-metrics-values.yaml
new file mode 100644
index 0000000000..1e5190afc0
--- /dev/null
+++ b/charts/ingress-nginx/ci/deamonset-metrics-values.yaml
@@ -0,0 +1,8 @@
+controller:
+ kind: DaemonSet
+ admissionWebhooks:
+ enabled: false
+ metrics:
+ enabled: true
+ service:
+ type: ClusterIP
diff --git a/charts/ingress-nginx/ci/deamonset-psp-values.yaml b/charts/ingress-nginx/ci/deamonset-psp-values.yaml
new file mode 100644
index 0000000000..017b60a9c6
--- /dev/null
+++ b/charts/ingress-nginx/ci/deamonset-psp-values.yaml
@@ -0,0 +1,9 @@
+controller:
+ kind: DaemonSet
+ admissionWebhooks:
+ enabled: false
+ service:
+ type: ClusterIP
+
+podSecurityPolicy:
+ enabled: true
diff --git a/charts/ingress-nginx/ci/deamonset-webhook-and-psp-values.yaml b/charts/ingress-nginx/ci/deamonset-webhook-and-psp-values.yaml
new file mode 100644
index 0000000000..88aafc66fd
--- /dev/null
+++ b/charts/ingress-nginx/ci/deamonset-webhook-and-psp-values.yaml
@@ -0,0 +1,9 @@
+controller:
+ kind: DaemonSet
+ admissionWebhooks:
+ enabled: true
+ service:
+ type: ClusterIP
+
+podSecurityPolicy:
+ enabled: true
diff --git a/charts/ingress-nginx/ci/deamonset-webhook-values.yaml b/charts/ingress-nginx/ci/deamonset-webhook-values.yaml
new file mode 100644
index 0000000000..6e3b371da6
--- /dev/null
+++ b/charts/ingress-nginx/ci/deamonset-webhook-values.yaml
@@ -0,0 +1,6 @@
+controller:
+ kind: DaemonSet
+ admissionWebhooks:
+ enabled: true
+ service:
+ type: ClusterIP
diff --git a/charts/ingress-nginx/ci/deployment-autoscaling-values.yaml b/charts/ingress-nginx/ci/deployment-autoscaling-values.yaml
new file mode 100644
index 0000000000..5314cecb38
--- /dev/null
+++ b/charts/ingress-nginx/ci/deployment-autoscaling-values.yaml
@@ -0,0 +1,7 @@
+controller:
+ autoscaling:
+ enabled: true
+ admissionWebhooks:
+ enabled: false
+ service:
+ type: ClusterIP
diff --git a/charts/ingress-nginx/ci/deployment-customconfig-values.yaml b/charts/ingress-nginx/ci/deployment-customconfig-values.yaml
new file mode 100644
index 0000000000..f232531acb
--- /dev/null
+++ b/charts/ingress-nginx/ci/deployment-customconfig-values.yaml
@@ -0,0 +1,7 @@
+controller:
+ config:
+ use-proxy-protocol: "true"
+ admissionWebhooks:
+ enabled: false
+ service:
+ type: ClusterIP
diff --git a/charts/ingress-nginx/ci/deployment-customnodeport-values.yaml b/charts/ingress-nginx/ci/deployment-customnodeport-values.yaml
new file mode 100644
index 0000000000..9eda282b13
--- /dev/null
+++ b/charts/ingress-nginx/ci/deployment-customnodeport-values.yaml
@@ -0,0 +1,16 @@
+controller:
+ admissionWebhooks:
+ enabled: false
+ service:
+ type: NodePort
+ nodePorts:
+ tcp:
+ 9000: 30090
+ udp:
+ 9001: 30091
+
+tcp:
+ 9000: "default/test:8080"
+
+udp:
+ 9001: "default/test:8080"
diff --git a/charts/ingress-nginx/ci/deployment-default-values.yaml b/charts/ingress-nginx/ci/deployment-default-values.yaml
new file mode 100644
index 0000000000..93a393c975
--- /dev/null
+++ b/charts/ingress-nginx/ci/deployment-default-values.yaml
@@ -0,0 +1,4 @@
+# Left blank to test default values
+controller:
+ service:
+ type: ClusterIP
diff --git a/charts/ingress-nginx/ci/deployment-headers-values.yaml b/charts/ingress-nginx/ci/deployment-headers-values.yaml
new file mode 100644
index 0000000000..665fd48d35
--- /dev/null
+++ b/charts/ingress-nginx/ci/deployment-headers-values.yaml
@@ -0,0 +1,9 @@
+controller:
+ admissionWebhooks:
+ enabled: false
+ addHeaders:
+ X-Frame-Options: deny
+ proxySetHeaders:
+ X-Forwarded-Proto: https
+ service:
+ type: ClusterIP
diff --git a/charts/ingress-nginx/ci/deployment-internal-lb-values.yaml b/charts/ingress-nginx/ci/deployment-internal-lb-values.yaml
new file mode 100644
index 0000000000..892f6de3f0
--- /dev/null
+++ b/charts/ingress-nginx/ci/deployment-internal-lb-values.yaml
@@ -0,0 +1,9 @@
+controller:
+ admissionWebhooks:
+ enabled: false
+ service:
+ type: ClusterIP
+ internal:
+ enabled: true
+ annotations:
+ service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0
diff --git a/charts/ingress-nginx/ci/deployment-metrics-values.yaml b/charts/ingress-nginx/ci/deployment-metrics-values.yaml
new file mode 100644
index 0000000000..887ed0f620
--- /dev/null
+++ b/charts/ingress-nginx/ci/deployment-metrics-values.yaml
@@ -0,0 +1,7 @@
+controller:
+ admissionWebhooks:
+ enabled: false
+ metrics:
+ enabled: true
+ service:
+ type: ClusterIP
diff --git a/charts/ingress-nginx/ci/deployment-nodeport-values.yaml b/charts/ingress-nginx/ci/deployment-nodeport-values.yaml
new file mode 100644
index 0000000000..84f1f7582e
--- /dev/null
+++ b/charts/ingress-nginx/ci/deployment-nodeport-values.yaml
@@ -0,0 +1,5 @@
+controller:
+ admissionWebhooks:
+ enabled: false
+ service:
+ type: NodePort
diff --git a/charts/ingress-nginx/ci/deployment-podannotations-values.yaml b/charts/ingress-nginx/ci/deployment-podannotations-values.yaml
new file mode 100644
index 0000000000..b65a0910b3
--- /dev/null
+++ b/charts/ingress-nginx/ci/deployment-podannotations-values.yaml
@@ -0,0 +1,12 @@
+controller:
+ admissionWebhooks:
+ enabled: false
+ metrics:
+ enabled: true
+ service:
+ type: ClusterIP
+ podAnnotations:
+ prometheus.io/path: /metrics
+ prometheus.io/port: "10254"
+ prometheus.io/scheme: http
+ prometheus.io/scrape: "true"
diff --git a/charts/ingress-nginx/ci/deployment-psp-values.yaml b/charts/ingress-nginx/ci/deployment-psp-values.yaml
new file mode 100644
index 0000000000..e339c69c32
--- /dev/null
+++ b/charts/ingress-nginx/ci/deployment-psp-values.yaml
@@ -0,0 +1,6 @@
+controller:
+ service:
+ type: ClusterIP
+
+podSecurityPolicy:
+ enabled: true
diff --git a/charts/ingress-nginx/ci/deployment-tcp-udp-configMapNamespace-values.yaml b/charts/ingress-nginx/ci/deployment-tcp-udp-configMapNamespace-values.yaml
new file mode 100644
index 0000000000..141e06b687
--- /dev/null
+++ b/charts/ingress-nginx/ci/deployment-tcp-udp-configMapNamespace-values.yaml
@@ -0,0 +1,15 @@
+controller:
+ admissionWebhooks:
+ enabled: false
+ service:
+ type: ClusterIP
+ tcp:
+ configMapNamespace: default
+ udp:
+ configMapNamespace: default
+
+tcp:
+ 9000: "default/test:8080"
+
+udp:
+ 9001: "default/test:8080"
diff --git a/charts/ingress-nginx/ci/deployment-tcp-udp-values.yaml b/charts/ingress-nginx/ci/deployment-tcp-udp-values.yaml
new file mode 100644
index 0000000000..bc29abeba7
--- /dev/null
+++ b/charts/ingress-nginx/ci/deployment-tcp-udp-values.yaml
@@ -0,0 +1,11 @@
+controller:
+ admissionWebhooks:
+ enabled: false
+ service:
+ type: ClusterIP
+
+tcp:
+ 9000: "default/test:8080"
+
+udp:
+ 9001: "default/test:8080"
diff --git a/charts/ingress-nginx/ci/deployment-tcp-values.yaml b/charts/ingress-nginx/ci/deployment-tcp-values.yaml
new file mode 100644
index 0000000000..b7f54c09fa
--- /dev/null
+++ b/charts/ingress-nginx/ci/deployment-tcp-values.yaml
@@ -0,0 +1,7 @@
+controller:
+ service:
+ type: ClusterIP
+
+tcp:
+ 9000: "default/test:8080"
+ 9001: "default/test:8080"
diff --git a/charts/ingress-nginx/ci/deployment-webhook-and-psp-values.yaml b/charts/ingress-nginx/ci/deployment-webhook-and-psp-values.yaml
new file mode 100644
index 0000000000..a829c36144
--- /dev/null
+++ b/charts/ingress-nginx/ci/deployment-webhook-and-psp-values.yaml
@@ -0,0 +1,8 @@
+controller:
+ admissionWebhooks:
+ enabled: true
+ service:
+ type: ClusterIP
+
+podSecurityPolicy:
+ enabled: true
diff --git a/charts/ingress-nginx/ci/deployment-webhook-values.yaml b/charts/ingress-nginx/ci/deployment-webhook-values.yaml
new file mode 100644
index 0000000000..4f18a70b9f
--- /dev/null
+++ b/charts/ingress-nginx/ci/deployment-webhook-values.yaml
@@ -0,0 +1,5 @@
+controller:
+ admissionWebhooks:
+ enabled: true
+ service:
+ type: ClusterIP
diff --git a/charts/ingress-nginx/templates/NOTES.txt b/charts/ingress-nginx/templates/NOTES.txt
new file mode 100644
index 0000000000..60fb2c1f62
--- /dev/null
+++ b/charts/ingress-nginx/templates/NOTES.txt
@@ -0,0 +1,71 @@
+The ingress-nginx controller has been installed.
+
+{{- if contains "NodePort" .Values.controller.service.type }}
+Get the application URL by running these commands:
+
+{{- if (not (empty .Values.controller.service.nodePorts.http)) }}
+ export HTTP_NODE_PORT={{ .Values.controller.service.nodePorts.http }}
+{{- else }}
+ export HTTP_NODE_PORT=$(kubectl --namespace {{ .Release.Namespace }} get services -o jsonpath="{.spec.ports[0].nodePort}" {{ include "ingress-nginx.controller.fullname" . }})
+{{- end }}
+{{- if (not (empty .Values.controller.service.nodePorts.https)) }}
+ export HTTPS_NODE_PORT={{ .Values.controller.service.nodePorts.https }}
+{{- else }}
+ export HTTPS_NODE_PORT=$(kubectl --namespace {{ .Release.Namespace }} get services -o jsonpath="{.spec.ports[1].nodePort}" {{ include "ingress-nginx.controller.fullname" . }})
+{{- end }}
+ export NODE_IP=$(kubectl --namespace {{ .Release.Namespace }} get nodes -o jsonpath="{.items[0].status.addresses[1].address}")
+
+ echo "Visit http://$NODE_IP:$HTTP_NODE_PORT to access your application via HTTP."
+ echo "Visit https://$NODE_IP:$HTTPS_NODE_PORT to access your application via HTTPS."
+{{- else if contains "LoadBalancer" .Values.controller.service.type }}
+It may take a few minutes for the LoadBalancer IP to be available.
+You can watch the status by running 'kubectl --namespace {{ .Release.Namespace }} get services -o wide -w {{ include "ingress-nginx.controller.fullname" . }}'
+{{- else if contains "ClusterIP" .Values.controller.service.type }}
+Get the application URL by running these commands:
+ export POD_NAME=$(kubectl --namespace {{ .Release.Namespace }} get pods -o jsonpath="{.items[0].metadata.name}" -l "app={{ template "ingress-nginx.name" . }},component={{ .Values.controller.name }},release={{ .Release.Name }}")
+ kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 8080:80
+ echo "Visit http://127.0.0.1:8080 to access your application."
+{{- end }}
+
+An example Ingress that makes use of the controller:
+
+ apiVersion: networking.k8s.io/v1beta1
+ kind: Ingress
+ metadata:
+ annotations:
+ kubernetes.io/ingress.class: {{ .Values.controller.ingressClass }}
+ name: example
+ namespace: foo
+ spec:
+ rules:
+ - host: www.example.com
+ http:
+ paths:
+ - backend:
+ serviceName: exampleService
+ servicePort: 80
+ path: /
+ # This section is only required if TLS is to be enabled for the Ingress
+ tls:
+ - hosts:
+ - www.example.com
+ secretName: example-tls
+
+If TLS is enabled for the Ingress, a Secret containing the certificate and key must also be provided:
+
+ apiVersion: v1
+ kind: Secret
+ metadata:
+ name: example-tls
+ namespace: foo
+ data:
+ tls.crt:
+ tls.key:
+ type: kubernetes.io/tls
+
+{{- if .Values.controller.headers }}
+#################################################################################
+###### WARNING: `controller.headers` has been deprecated! #####
+###### It has been renamed to `controller.proxySetHeaders`. #####
+#################################################################################
+{{- end }}
diff --git a/charts/ingress-nginx/templates/_helpers.tpl b/charts/ingress-nginx/templates/_helpers.tpl
new file mode 100644
index 0000000000..0e04c27b42
--- /dev/null
+++ b/charts/ingress-nginx/templates/_helpers.tpl
@@ -0,0 +1,124 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "ingress-nginx.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "ingress-nginx.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+*/}}
+{{- define "ingress-nginx.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified controller name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+*/}}
+{{- define "ingress-nginx.controller.fullname" -}}
+{{- printf "%s-%s" (include "ingress-nginx.fullname" .) "controller" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Construct the path for the publish-service.
+
+By convention this will simply use the / to match the name of the
+service generated.
+
+Users can provide an override for an explicit service they want bound via `.Values.controller.publishService.pathOverride`
+
+*/}}
+{{- define "ingress-nginx.controller.publishServicePath" -}}
+{{- $defServiceName := printf "%s/%s" "$(POD_NAMESPACE)" (include "ingress-nginx.controller.fullname" .) -}}
+{{- $servicePath := default $defServiceName .Values.controller.publishService.pathOverride }}
+{{- print $servicePath | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified default backend name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+*/}}
+{{- define "ingress-nginx.defaultBackend.fullname" -}}
+{{- printf "%s-%s" (include "ingress-nginx.fullname" .) "defaultbackend" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Common labels
+*/}}
+{{- define "ingress-nginx.labels" -}}
+helm.sh/chart: {{ include "ingress-nginx.chart" . }}
+{{ include "ingress-nginx.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end -}}
+
+{{/*
+Selector labels
+*/}}
+{{- define "ingress-nginx.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "ingress-nginx.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end -}}
+
+{{/*
+Create the name of the controller service account to use
+*/}}
+{{- define "ingress-nginx.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create -}}
+ {{ default (include "ingress-nginx.fullname" .) .Values.serviceAccount.name }}
+{{- else -}}
+ {{ default "default" .Values.serviceAccount.name }}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create the name of the backend service account to use - only used when podsecuritypolicy is also enabled
+*/}}
+{{- define "ingress-nginx.defaultBackend.serviceAccountName" -}}
+{{- if .Values.defaultBackend.serviceAccount.create -}}
+ {{ default (printf "%s-backend" (include "ingress-nginx.fullname" .)) .Values.defaultBackend.serviceAccount.name }}
+{{- else -}}
+ {{ default "default-backend" .Values.defaultBackend.serviceAccount.name }}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Return the appropriate apiGroup for PodSecurityPolicy.
+*/}}
+{{- define "podSecurityPolicy.apiGroup" -}}
+{{- if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}}
+{{- print "policy" -}}
+{{- else -}}
+{{- print "extensions" -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Check the ingress controller version tag is at most three versions behind the last release
+*/}}
+{{- define "isControllerTagValid" -}}
+{{- if not (semverCompare ">=0.27.0-0" .Values.controller.image.tag) -}}
+{{- fail "Controller container image tag should be 0.27.0 or higher" -}}
+{{- end -}}
+{{- end -}}
\ No newline at end of file
diff --git a/charts/ingress-nginx/templates/admission-webhooks/job-patch/clusterrole.yaml b/charts/ingress-nginx/templates/admission-webhooks/job-patch/clusterrole.yaml
new file mode 100644
index 0000000000..7eb57388d2
--- /dev/null
+++ b/charts/ingress-nginx/templates/admission-webhooks/job-patch/clusterrole.yaml
@@ -0,0 +1,27 @@
+{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ include "ingress-nginx.fullname" . }}-admission
+ annotations:
+ "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
+ "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+ labels:
+ {{- include "ingress-nginx.labels" . | nindent 4 }}
+ app.kubernetes.io/component: admission-webhook
+rules:
+ - apiGroups:
+ - admissionregistration.k8s.io
+ resources:
+ - validatingwebhookconfigurations
+ verbs:
+ - get
+ - update
+{{- if .Values.podSecurityPolicy.enabled }}
+ - apiGroups: ['extensions']
+ resources: ['podsecuritypolicies']
+ verbs: ['use']
+ resourceNames:
+ - {{ include "ingress-nginx.fullname" . }}-admission
+{{- end }}
+{{- end }}
diff --git a/charts/ingress-nginx/templates/admission-webhooks/job-patch/clusterrolebinding.yaml b/charts/ingress-nginx/templates/admission-webhooks/job-patch/clusterrolebinding.yaml
new file mode 100644
index 0000000000..97931250ce
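Review bot: `ingress-nginx.serviceAccountName` in _helpers.tpl falls back to the namespace's `default` service account when `serviceAccount.create` is false and `serviceAccount.name` is empty. templates/clusterrolebinding.yaml in this patch uses the helper as its subject, so with `rbac.create` set the controller ClusterRole (cluster-wide `list`/`watch` on secrets) would be bound to the account that any pod in the release namespace runs as when it names no service account. Either state this in the helper's comment, e.g. `When create is false and no name is set this resolves to the shared "default" account; set serviceAccount.name.`, or fail the render in the `else` branch with `{{ required "serviceAccount.name must be set when serviceAccount.create is false" .Values.serviceAccount.name }}`.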
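Review bot: The first rule of the job-patch ClusterRole grants `get` and `update` on every `validatingwebhookconfigurations` object in the cluster, although the patch job is pointed at a single one (`--webhook-name={{ include "ingress-nginx.fullname" . }}-admission` in job-patchWebhook.yaml). Both verbs can be limited by name, so adding `resourceNames:` with `- {{ include "ingress-nginx.fullname" . }}-admission` under that rule would stop the hook's service account from rewriting other admission webhooks; this assumes the certgen image only reads and updates that one object, which should be confirmed. Separately, the PSP rule hard-codes `apiGroups: ['extensions']` while psp.yaml creates the policy as `policy/v1beta1` and _helpers.tpl defines `podSecurityPolicy.apiGroup`; `apiGroups: [{{ template "podSecurityPolicy.apiGroup" . }}]` would keep the two aligned.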
--- /dev/null
+++ b/charts/ingress-nginx/templates/admission-webhooks/job-patch/clusterrolebinding.yaml
@@ -0,0 +1,20 @@
+{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ include "ingress-nginx.fullname" . }}-admission
+ annotations:
+ "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
+ "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+ labels:
+ {{- include "ingress-nginx.labels" . | nindent 4 }}
+ app.kubernetes.io/component: admission-webhook
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: {{ include "ingress-nginx.fullname" . }}-admission
+subjects:
+ - kind: ServiceAccount
+ name: {{ include "ingress-nginx.fullname" . }}-admission
+ namespace: {{ .Release.Namespace }}
+{{- end }}
diff --git a/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml b/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml
new file mode 100644
index 0000000000..d9ca4607c0
--- /dev/null
+++ b/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml
@@ -0,0 +1,60 @@
+{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled -}}
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ include "ingress-nginx.fullname" . }}-admission-create
+ annotations:
+ "helm.sh/hook": pre-install,pre-upgrade
+ "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+ labels:
+ {{- include "ingress-nginx.labels" . | nindent 4 }}
+ app.kubernetes.io/component: admission-webhook
+spec:
+{{- if .Capabilities.APIVersions.Has "batch/v1alpha1" }}
+ # Alpha feature since k8s 1.12
+ ttlSecondsAfterFinished: 0
+{{- end }}
+ template:
+ metadata:
+ name: {{ include "ingress-nginx.fullname" . }}-admission-create
+ {{- if .Values.controller.admissionWebhooks.patch.podAnnotations }}
+ annotations: {{ toYaml .Values.controller.admissionWebhooks.patch.podAnnotations | nindent 8 }}
+ {{- end }}
+ labels:
+ {{- include "ingress-nginx.labels" . | nindent 8 }}
+ app.kubernetes.io/component: admission-webhook
+ spec:
+ {{- if .Values.controller.admissionWebhooks.patch.priorityClassName }}
+ priorityClassName: {{ .Values.controller.admissionWebhooks.patch.priorityClassName }}
+ {{- end }}
+ {{- if .Values.imagePullSecrets }}
+ imagePullSecrets: {{ toYaml .Values.imagePullSecrets | nindent 8 }}
+ {{- end }}
+ containers:
+ - name: create
+ {{- with .Values.controller.admissionWebhooks.patch.image }}
+ image: "{{.repository}}:{{ .tag }}{{- if (.digest) -}} @{{.digest}} {{- end -}}"
+ {{- end }}
+ imagePullPolicy: {{ .Values.controller.admissionWebhooks.patch.image.pullPolicy }}
+ args:
+ - create
+ - --host={{ include "ingress-nginx.controller.fullname" . }}-admission,{{ include "ingress-nginx.controller.fullname" . }}-admission.$(POD_NAMESPACE).svc
+ - --namespace=$(POD_NAMESPACE)
+ - --secret-name={{ include "ingress-nginx.fullname" . }}-admission
+ env:
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ restartPolicy: OnFailure
+ serviceAccountName: {{ include "ingress-nginx.fullname" . }}-admission
+ {{- if .Values.controller.admissionWebhooks.patch.nodeSelector }}
+ nodeSelector: {{ toYaml .Values.controller.admissionWebhooks.patch.nodeSelector | nindent 8 }}
+ {{- end }}
+ {{- if .Values.controller.admissionWebhooks.patch.tolerations }}
+ tolerations: {{ toYaml .Values.controller.admissionWebhooks.patch.tolerations | nindent 8 }}
+ {{- end }}
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: {{ .Values.controller.admissionWebhooks.patch.runAsUser }}
+{{- end }}
diff --git a/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml b/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml
new file mode 100644
index 0000000000..d297854cb2
--- /dev/null
+++ b/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml
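Review bot: The `create` container in job-createSecret.yaml has no container-level `securityContext`; the pod-level block sets only `runAsNonRoot` and `runAsUser`, so privilege escalation and capabilities are left to whatever the cluster enforces, and the PSP in psp.yaml is rendered only when `podSecurityPolicy.enabled` is set. Adding `securityContext:` under the container with `allowPrivilegeEscalation: false` and `capabilities: {drop: [ALL]}` would give the hook the same limits without a PSP. The `patch` container in job-patchWebhook.yaml has the same gap and should get the same block.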
@@ -0,0 +1,62 @@
+{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled -}}
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ include "ingress-nginx.fullname" . }}-admission-patch
+ annotations:
+ "helm.sh/hook": post-install,post-upgrade
+ "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+ labels:
+ {{- include "ingress-nginx.labels" . | nindent 4 }}
+ app.kubernetes.io/component: admission-webhook
+spec:
+{{- if .Capabilities.APIVersions.Has "batch/v1alpha1" }}
+ # Alpha feature since k8s 1.12
+ ttlSecondsAfterFinished: 0
+{{- end }}
+ template:
+ metadata:
+ name: {{ include "ingress-nginx.fullname" . }}-admission-patch
+ {{- if .Values.controller.admissionWebhooks.patch.podAnnotations }}
+ annotations: {{ toYaml .Values.controller.admissionWebhooks.patch.podAnnotations | nindent 8 }}
+ {{- end }}
+ labels:
+ {{- include "ingress-nginx.labels" . | nindent 8 }}
+ app.kubernetes.io/component: admission-webhook
+ spec:
+ {{- if .Values.controller.admissionWebhooks.patch.priorityClassName }}
+ priorityClassName: {{ .Values.controller.admissionWebhooks.patch.priorityClassName }}
+ {{- end }}
+ {{- if .Values.imagePullSecrets }}
+ imagePullSecrets: {{ toYaml .Values.imagePullSecrets | nindent 8 }}
+ {{- end }}
+ containers:
+ - name: patch
+ {{- with .Values.controller.admissionWebhooks.patch.image }}
+ image: "{{.repository}}:{{ .tag }}{{- if (.digest) -}} @{{.digest}} {{- end -}}"
+ {{- end }}
+ imagePullPolicy: {{ .Values.controller.admissionWebhooks.patch.image.pullPolicy }}
+ args:
+ - patch
+ - --webhook-name={{ include "ingress-nginx.fullname" . }}-admission
+ - --namespace=$(POD_NAMESPACE)
+ - --patch-mutating=false
+ - --secret-name={{ include "ingress-nginx.fullname" . }}-admission
+ - --patch-failure-policy={{ .Values.controller.admissionWebhooks.failurePolicy }}
+ env:
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ restartPolicy: OnFailure
+ serviceAccountName: {{ include "ingress-nginx.fullname" . }}-admission
+ {{- if .Values.controller.admissionWebhooks.patch.nodeSelector }}
+ nodeSelector: {{ toYaml .Values.controller.admissionWebhooks.patch.nodeSelector | nindent 8 }}
+ {{- end }}
+ {{- if .Values.controller.admissionWebhooks.patch.tolerations }}
+ tolerations: {{ toYaml .Values.controller.admissionWebhooks.patch.tolerations | nindent 8 }}
+ {{- end }}
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: {{ .Values.controller.admissionWebhooks.patch.runAsUser }}
+{{- end }}
diff --git a/charts/ingress-nginx/templates/admission-webhooks/job-patch/psp.yaml b/charts/ingress-nginx/templates/admission-webhooks/job-patch/psp.yaml
new file mode 100644
index 0000000000..e8c8da94ba
--- /dev/null
+++ b/charts/ingress-nginx/templates/admission-webhooks/job-patch/psp.yaml
@@ -0,0 +1,36 @@
+{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled .Values.podSecurityPolicy.enabled -}}
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+ name: {{ include "ingress-nginx.fullname" . }}-admission
+ annotations:
+ "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
+ "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+ labels:
+ {{- include "ingress-nginx.labels" . | nindent 4 }}
+ app.kubernetes.io/component: admission-webhook
+spec:
+ allowPrivilegeEscalation: false
+ fsGroup:
+ ranges:
+ - max: 65535
+ min: 1
+ rule: MustRunAs
+ requiredDropCapabilities:
+ - ALL
+ runAsUser:
+ rule: MustRunAsNonRoot
+ seLinux:
+ rule: RunAsAny
+ supplementalGroups:
+ ranges:
+ - max: 65535
+ min: 1
+ rule: MustRunAs
+ volumes:
+ - configMap
+ - emptyDir
+ - projected
+ - secret
+ - downwardAPI
+{{- end }}
diff --git a/charts/ingress-nginx/templates/admission-webhooks/job-patch/role.yaml b/charts/ingress-nginx/templates/admission-webhooks/job-patch/role.yaml
new file mode 100644
index 0000000000..fe1c2ee7f1
--- /dev/null
+++ b/charts/ingress-nginx/templates/admission-webhooks/job-patch/role.yaml
@@ -0,0 +1,20 @@
+{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ include "ingress-nginx.fullname" . }}-admission
+ annotations:
+ "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
+ "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+ labels:
+ {{- include "ingress-nginx.labels" . | nindent 4 }}
+ app.kubernetes.io/component: admission-webhook
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - secrets
+ verbs:
+ - get
+ - create
+{{- end }}
diff --git a/charts/ingress-nginx/templates/admission-webhooks/job-patch/rolebinding.yaml b/charts/ingress-nginx/templates/admission-webhooks/job-patch/rolebinding.yaml
new file mode 100644
index 0000000000..391e5e9a33
--- /dev/null
+++ b/charts/ingress-nginx/templates/admission-webhooks/job-patch/rolebinding.yaml
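Review bot: The single rule in job-patch/role.yaml lets the admission hook account `get` any Secret in the release namespace, while both jobs only ever name one (`--secret-name={{ include "ingress-nginx.fullname" . }}-admission`). `create` cannot be narrowed with `resourceNames`, but `get` can, so splitting the rule in two confines the read access to the webhook certificate secret. This assumes the certgen image performs no other secret reads, which should be checked against the image before merging.

```yaml
# … unchanged: metadata, hook annotations and labels …
rules:
  - apiGroups:
      - ""
    resources:
      - secrets
    verbs:
      - get
    resourceNames:
      - {{ include "ingress-nginx.fullname" . }}-admission
  - apiGroups:
      - ""
    resources:
      - secrets
    verbs:
      - create
```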
@@ -0,0 +1,20 @@
+{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ include "ingress-nginx.fullname" . }}-admission
+ annotations:
+ "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
+ "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+ labels:
+ {{- include "ingress-nginx.labels" . | nindent 4 }}
+ app.kubernetes.io/component: admission-webhook
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ include "ingress-nginx.fullname" . }}-admission
+subjects:
+ - kind: ServiceAccount
+ name: {{ include "ingress-nginx.fullname" . }}-admission
+ namespace: {{ .Release.Namespace }}
+{{- end }}
diff --git a/charts/ingress-nginx/templates/admission-webhooks/job-patch/serviceaccount.yaml b/charts/ingress-nginx/templates/admission-webhooks/job-patch/serviceaccount.yaml
new file mode 100644
index 0000000000..5dfdd345a3
--- /dev/null
+++ b/charts/ingress-nginx/templates/admission-webhooks/job-patch/serviceaccount.yaml
@@ -0,0 +1,12 @@
+{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ include "ingress-nginx.fullname" . }}-admission
+ annotations:
+ "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
+ "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+ labels:
+ {{- include "ingress-nginx.labels" . | nindent 4 }}
+ app.kubernetes.io/component: admission-webhook
+{{- end }}
diff --git a/charts/ingress-nginx/templates/admission-webhooks/validating-webhook.yaml b/charts/ingress-nginx/templates/admission-webhooks/validating-webhook.yaml
new file mode 100644
index 0000000000..731536bdd7
--- /dev/null
+++ b/charts/ingress-nginx/templates/admission-webhooks/validating-webhook.yaml
@@ -0,0 +1,46 @@
+{{- if .Values.controller.admissionWebhooks.enabled -}}
+# before changing this value, check the required kubernetes version
+# https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#prerequisites
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+ {{- if .Values.controller.admissionWebhooks.annotations }}
+ annotations: {{ toYaml .Values.controller.admissionWebhooks.annotations | nindent 4 }}
+ {{- end }}
+ labels:
+ {{- include "ingress-nginx.labels" . | nindent 4 }}
+ app.kubernetes.io/component: admission-webhook
+ name: {{ include "ingress-nginx.fullname" . }}-admission
+webhooks:
+ - name: validate.nginx.ingress.kubernetes.io
+ matchPolicy: Equivalent
+ rules:
+ - apiGroups:
+ - networking.k8s.io
+ apiVersions:
+ - v1beta1
+ operations:
+ - CREATE
+ - UPDATE
+ resources:
+ - ingresses
+ failurePolicy: {{ .Values.controller.admissionWebhooks.failurePolicy | default "Fail" }}
+ sideEffects: None
+ admissionReviewVersions:
+ - v1
+ - v1beta1
+ clientConfig:
+ service:
+ namespace: {{ .Release.Namespace }}
+ name: {{ include "ingress-nginx.controller.fullname" . }}-admission
+ path: /networking/v1beta1/ingresses
+ {{- if .Values.controller.admissionWebhooks.timeoutSeconds }}
+ timeoutSeconds: {{ .Values.controller.admissionWebhooks.timeoutSeconds }}
+ {{- end }}
+ {{- if .Values.controller.admissionWebhooks.namespaceSelector }}
+ namespaceSelector: {{ toYaml .Values.controller.admissionWebhooks.namespaceSelector | nindent 6 }}
+ {{- end }}
+ {{- if .Values.controller.admissionWebhooks.objectSelector }}
+ objectSelector: {{ toYaml .Values.controller.admissionWebhooks.objectSelector | nindent 6 }}
+ {{- end }}
+{{- end }}
diff --git a/charts/ingress-nginx/templates/clusterrole.yaml b/charts/ingress-nginx/templates/clusterrole.yaml
new file mode 100644
index 0000000000..2035f549a2
--- /dev/null
+++ b/charts/ingress-nginx/templates/clusterrole.yaml
@@ -0,0 +1,76 @@
+{{- if and .Values.rbac.create (not .Values.rbac.scope) -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ labels:
+ {{- include "ingress-nginx.labels" . | nindent 4 }}
+ name: {{ include "ingress-nginx.fullname" . }}
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - configmaps
+ - endpoints
+ - nodes
+ - pods
+ - secrets
+ verbs:
+ - list
+ - watch
+{{- if and .Values.controller.scope.enabled .Values.controller.scope.namespace }}
+ - apiGroups:
+ - ""
+ resources:
+ - namespaces
+ resourceNames:
+ - "{{ .Values.controller.scope.namespace }}"
+ verbs:
+ - get
+{{- end }}
+ - apiGroups:
+ - ""
+ resources:
+ - nodes
+ verbs:
+ - get
+ - apiGroups:
+ - ""
+ resources:
+ - services
+ verbs:
+ - get
+ - list
+ - update
+ - watch
+ - apiGroups:
+ - extensions
+ - "networking.k8s.io" # k8s 1.14+
+ resources:
+ - ingresses
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - ""
+ resources:
+ - events
+ verbs:
+ - create
+ - patch
+ - apiGroups:
+ - extensions
+ - "networking.k8s.io" # k8s 1.14+
+ resources:
+ - ingresses/status
+ verbs:
+ - update
+ - apiGroups:
+ - "networking.k8s.io" # k8s 1.14+
+ resources:
+ - ingressclasses
+ verbs:
+ - get
+ - list
+ - watch
+{{- end }}
diff --git a/charts/ingress-nginx/templates/clusterrolebinding.yaml b/charts/ingress-nginx/templates/clusterrolebinding.yaml
new file mode 100644
index 0000000000..a341f5280e
--- /dev/null
+++ b/charts/ingress-nginx/templates/clusterrolebinding.yaml
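Review bot: The first rule of templates/clusterrole.yaml gives the controller `list`/`watch` on `secrets` in every namespace, and the template is rendered whenever `rbac.scope` is false, independently of `controller.scope.enabled`, which here only adds the `namespaces` rule. A release that confines the controller to one namespace through `controller.scope` therefore still receives cluster-wide secret read unless `rbac.scope` is set as well; how the namespaced Role is gated is not visible in this hunk, so that part is an inference. I would document the coupling with a comment above the rule, e.g. `# cluster-wide read, including secrets; set rbac.scope=true together with controller.scope.enabled to confine it to one namespace`.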
@@ -0,0 +1,16 @@ +{{- if and .Values.rbac.create (not .Values.rbac.scope) -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + {{- include "ingress-nginx.labels" . | nindent 4 }} + name: {{ include "ingress-nginx.fullname" . }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ include "ingress-nginx.fullname" . }} +subjects: + - kind: ServiceAccount + name: {{ template "ingress-nginx.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} +{{- end }} diff --git a/charts/ingress-nginx/templates/controller-configmap-addheaders.yaml b/charts/ingress-nginx/templates/controller-configmap-addheaders.yaml new file mode 100644 index 0000000000..c064589581 --- /dev/null +++ b/charts/ingress-nginx/templates/controller-configmap-addheaders.yaml @@ -0,0 +1,10 @@ +{{- if .Values.controller.addHeaders -}} +apiVersion: v1 +kind: ConfigMap +metadata: + labels: + {{- include "ingress-nginx.labels" . | nindent 4 }} + app.kubernetes.io/component: controller + name: {{ include "ingress-nginx.fullname" . }}-custom-add-headers +data: {{ toYaml .Values.controller.addHeaders | nindent 2 }} +{{- end }} diff --git a/charts/ingress-nginx/templates/controller-configmap-proxyheaders.yaml b/charts/ingress-nginx/templates/controller-configmap-proxyheaders.yaml new file mode 100644 index 0000000000..5a1b25229b --- /dev/null +++ b/charts/ingress-nginx/templates/controller-configmap-proxyheaders.yaml 
@@ -0,0 +1,15 @@ +{{- if or .Values.controller.proxySetHeaders .Values.controller.headers -}} +apiVersion: v1 +kind: ConfigMap +metadata: + labels: + {{- include "ingress-nginx.labels" . | nindent 4 }} + app.kubernetes.io/component: controller + name: {{ include "ingress-nginx.fullname" . }}-custom-proxy-headers +data: +{{- if .Values.controller.proxySetHeaders }} +{{ toYaml .Values.controller.proxySetHeaders | indent 2 }} +{{ else if and .Values.controller.headers (not .Values.controller.proxySetHeaders) }} +{{ toYaml .Values.controller.headers | indent 2 }} +{{- end }} +{{- end }} diff --git a/charts/ingress-nginx/templates/controller-configmap-tcp.yaml b/charts/ingress-nginx/templates/controller-configmap-tcp.yaml new file mode 100644 index 0000000000..bc972517c7 --- /dev/null +++ b/charts/ingress-nginx/templates/controller-configmap-tcp.yaml @@ -0,0 +1,13 @@ +{{- if .Values.tcp -}} +apiVersion: v1 +kind: ConfigMap +metadata: + labels: + {{- include "ingress-nginx.labels" . | nindent 4 }} + app.kubernetes.io/component: controller +{{- if .Values.controller.tcp.annotations }} + annotations: {{ toYaml .Values.controller.tcp.annotations | nindent 4 }} +{{- end }} + name: {{ include "ingress-nginx.fullname" . }}-tcp +data: {{ tpl (toYaml .Values.tcp) . | nindent 2 }} +{{- end }} diff --git a/charts/ingress-nginx/templates/controller-configmap-udp.yaml b/charts/ingress-nginx/templates/controller-configmap-udp.yaml new file mode 100644 index 0000000000..a9dc388f10 --- /dev/null +++ b/charts/ingress-nginx/templates/controller-configmap-udp.yaml 
@@ -0,0 +1,13 @@ +{{- if .Values.udp -}} +apiVersion: v1 +kind: ConfigMap +metadata: + labels: + {{- include "ingress-nginx.labels" . | nindent 4 }} + app.kubernetes.io/component: controller +{{- if .Values.controller.udp.annotations }} + annotations: {{ toYaml .Values.controller.udp.annotations | nindent 4 }} +{{- end }} + name: {{ include "ingress-nginx.fullname" . }}-udp +data: {{ tpl (toYaml .Values.udp) . | nindent 2 }} +{{- end }} diff --git a/charts/ingress-nginx/templates/controller-configmap.yaml b/charts/ingress-nginx/templates/controller-configmap.yaml new file mode 100644 index 0000000000..5b0d371055 --- /dev/null +++ b/charts/ingress-nginx/templates/controller-configmap.yaml @@ -0,0 +1,20 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + labels: + {{- include "ingress-nginx.labels" . | nindent 4 }} + app.kubernetes.io/component: controller +{{- if .Values.controller.configAnnotations }} + annotations: {{ toYaml .Values.controller.configAnnotations | nindent 4 }} +{{- end }} + name: {{ include "ingress-nginx.controller.fullname" . }} +data: +{{- if .Values.controller.addHeaders }} + add-headers: {{ .Release.Namespace }}/{{ include "ingress-nginx.fullname" . }}-custom-add-headers +{{- end }} +{{- if or .Values.controller.proxySetHeaders .Values.controller.headers }} + proxy-set-headers: {{ .Release.Namespace }}/{{ include "ingress-nginx.fullname" . }}-custom-proxy-headers +{{- end }} +{{- if .Values.controller.config }} + {{ toYaml .Values.controller.config | nindent 2 }} +{{- end }} diff --git a/charts/ingress-nginx/templates/controller-daemonset.yaml b/charts/ingress-nginx/templates/controller-daemonset.yaml new file mode 100644 index 0000000000..aa8693b47e --- /dev/null +++ b/charts/ingress-nginx/templates/controller-daemonset.yaml 
@@ -0,0 +1,255 @@ +{{- if or (eq .Values.controller.kind "DaemonSet") (eq .Values.controller.kind "Both") -}} +{{- include "isControllerTagValid" . -}} +apiVersion: apps/v1 +kind: DaemonSet +metadata: + labels: + {{- include "ingress-nginx.labels" . | nindent 4 }} + app.kubernetes.io/component: controller + {{- with .Values.controller.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} + name: {{ include "ingress-nginx.controller.fullname" . }} + {{- if .Values.controller.annotations }} + annotations: {{ toYaml .Values.controller.annotations | nindent 4 }} + {{- end }} +spec: + selector: + matchLabels: + {{- include "ingress-nginx.selectorLabels" . | nindent 6 }} + app.kubernetes.io/component: controller + revisionHistoryLimit: {{ .Values.revisionHistoryLimit }} + {{- if .Values.controller.updateStrategy }} + updateStrategy: {{ toYaml .Values.controller.updateStrategy | nindent 4 }} + {{- end }} + minReadySeconds: {{ .Values.controller.minReadySeconds }} + template: + metadata: + {{- if .Values.controller.podAnnotations }} + annotations: + {{- range $key, $value := .Values.controller.podAnnotations }} + {{ $key }}: {{ $value | quote }} + {{- end }} + {{- end }} + labels: + {{- include "ingress-nginx.selectorLabels" . 
| nindent 8 }} + app.kubernetes.io/component: controller + {{- if .Values.controller.podLabels }} + {{- toYaml .Values.controller.podLabels | nindent 8 }} + {{- end }} + spec: + {{- if .Values.controller.dnsConfig }} + dnsConfig: {{ toYaml .Values.controller.dnsConfig | nindent 8 }} + {{- end }} + dnsPolicy: {{ .Values.controller.dnsPolicy }} + {{- if .Values.imagePullSecrets }} + imagePullSecrets: {{ toYaml .Values.imagePullSecrets | nindent 8 }} + {{- end }} + {{- if .Values.controller.priorityClassName }} + priorityClassName: {{ .Values.controller.priorityClassName }} + {{- end }} + {{- if or .Values.controller.podSecurityContext .Values.controller.sysctls }} + securityContext: + {{- end }} + {{- if .Values.controller.podSecurityContext }} + {{- toYaml .Values.controller.podSecurityContext | nindent 8 }} + {{- end }} + {{- if .Values.controller.sysctls }} + sysctls: + {{- range $sysctl, $value := .Values.controller.sysctls }} + - name: {{ $sysctl | quote }} + value: {{ $value | quote }} + {{- end }} + {{- end }} + containers: + - name: controller + {{- with .Values.controller.image }} + image: "{{.repository}}:{{ .tag }}{{- if (.digest) -}} @{{.digest}} {{- end -}}" + {{- end }} + imagePullPolicy: {{ .Values.controller.image.pullPolicy }} + {{- if .Values.controller.lifecycle }} + lifecycle: {{ toYaml .Values.controller.lifecycle | nindent 12 }} + {{- end }} + args: + - /nginx-ingress-controller + {{- if .Values.defaultBackend.enabled }} + - --default-backend-service={{ .Release.Namespace }}/{{ include "ingress-nginx.defaultBackend.fullname" . }} + {{- end }} + {{- if .Values.controller.publishService.enabled }} + - --publish-service={{ template "ingress-nginx.controller.publishServicePath" . }} + {{- end }} + - --election-id={{ .Values.controller.electionID }} + - --ingress-class={{ .Values.controller.ingressClass }} + - --configmap={{ .Release.Namespace }}/{{ include "ingress-nginx.controller.fullname" . 
}} + {{- if .Values.tcp }} + - --tcp-services-configmap={{ .Release.Namespace }}/{{ include "ingress-nginx.fullname" . }}-tcp + {{- end }} + {{- if .Values.udp }} + - --udp-services-configmap={{ .Release.Namespace }}/{{ include "ingress-nginx.fullname" . }}-udp + {{- end }} + {{- if .Values.controller.scope.enabled }} + - --watch-namespace={{ default .Release.Namespace .Values.controller.scope.namespace }} + {{- end }} + {{- if and .Values.controller.reportNodeInternalIp .Values.controller.hostNetwork }} + - --report-node-internal-ip-address={{ .Values.controller.reportNodeInternalIp }} + {{- end }} + {{- if .Values.controller.admissionWebhooks.enabled }} + - --validating-webhook=:{{ .Values.controller.admissionWebhooks.port }} + - --validating-webhook-certificate={{ .Values.controller.admissionWebhooks.certificate }} + - --validating-webhook-key={{ .Values.controller.admissionWebhooks.key }} + {{- end }} + {{- if .Values.controller.maxmindLicenseKey }} + - --maxmind-license-key={{ .Values.controller.maxmindLicenseKey }} + {{- end }} + {{- if not (eq .Values.controller.healthCheckPath "/healthz") }} + - --health-check-path={{ .Values.controller.healthCheckPath }} + {{- end }} + {{- range $key, $value := .Values.controller.extraArgs }} + {{- /* Accept keys without values or with false as value */}} + {{- if eq ($value | quote | len) 2 }} + - --{{ $key }} + {{- else }} + - --{{ $key }}={{ $value }} + {{- end }} + {{- end }} + securityContext: + capabilities: + drop: + - ALL + add: + - NET_BIND_SERVICE + runAsUser: {{ .Values.controller.image.runAsUser }} + allowPrivilegeEscalation: {{ .Values.controller.image.allowPrivilegeEscalation }} + env: + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + {{- if .Values.controller.enableMimalloc }} + - name: LD_PRELOAD + value: /usr/local/lib/libmimalloc.so + {{- end }} + {{- if .Values.controller.extraEnvs }} + {{- toYaml 
.Values.controller.extraEnvs | nindent 12 }} + {{- end }} + livenessProbe: + httpGet: + path: {{ .Values.controller.healthCheckPath }} + port: {{ .Values.controller.livenessProbe.port }} + scheme: HTTP + initialDelaySeconds: {{ .Values.controller.livenessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.controller.livenessProbe.periodSeconds }} + timeoutSeconds: {{ .Values.controller.livenessProbe.timeoutSeconds }} + successThreshold: {{ .Values.controller.livenessProbe.successThreshold }} + failureThreshold: {{ .Values.controller.livenessProbe.failureThreshold }} + readinessProbe: + httpGet: + path: {{ .Values.controller.healthCheckPath }} + port: {{ .Values.controller.readinessProbe.port }} + scheme: HTTP + initialDelaySeconds: {{ .Values.controller.readinessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.controller.readinessProbe.periodSeconds }} + timeoutSeconds: {{ .Values.controller.readinessProbe.timeoutSeconds }} + successThreshold: {{ .Values.controller.readinessProbe.successThreshold }} + failureThreshold: {{ .Values.controller.readinessProbe.failureThreshold }} + ports: + {{- range $key, $value := .Values.controller.containerPort }} + - name: {{ $key }} + containerPort: {{ $value }} + protocol: TCP + {{- if $.Values.controller.hostPort.enabled }} + hostPort: {{ index $.Values.controller.hostPort.ports $key | default $value }} + {{- end }} + {{- end }} + {{- if .Values.controller.metrics.enabled }} + - name: metrics + containerPort: {{ .Values.controller.metrics.port }} + protocol: TCP + {{- end }} + {{- if .Values.controller.admissionWebhooks.enabled }} + - name: webhook + containerPort: {{ .Values.controller.admissionWebhooks.port }} + protocol: TCP + {{- end }} + {{- range $key, $value := .Values.tcp }} + - name: {{ $key }}-tcp + containerPort: {{ $key }} + protocol: TCP + {{- if $.Values.controller.hostPort.enabled }} + hostPort: {{ $key }} + {{- end }} + {{- end }} + {{- range $key, $value := .Values.udp }} + - name: {{ $key }}-udp + 
containerPort: {{ $key }} + protocol: UDP + {{- if $.Values.controller.hostPort.enabled }} + hostPort: {{ $key }} + {{- end }} + {{- end }} + {{- if (or .Values.controller.customTemplate.configMapName .Values.controller.extraVolumeMounts .Values.controller.admissionWebhooks.enabled) }} + volumeMounts: + {{- if .Values.controller.customTemplate.configMapName }} + - mountPath: /etc/nginx/template + name: nginx-template-volume + readOnly: true + {{- end }} + {{- if .Values.controller.admissionWebhooks.enabled }} + - name: webhook-cert + mountPath: /usr/local/certificates/ + readOnly: true + {{- end }} + {{- if .Values.controller.extraVolumeMounts }} + {{- toYaml .Values.controller.extraVolumeMounts | nindent 12 }} + {{- end }} + {{- end }} + {{- if .Values.controller.resources }} + resources: {{ toYaml .Values.controller.resources | nindent 12 }} + {{- end }} + {{- if .Values.controller.extraContainers }} + {{ toYaml .Values.controller.extraContainers | nindent 8 }} + {{- end }} + {{- if .Values.controller.extraInitContainers }} + initContainers: {{ toYaml .Values.controller.extraInitContainers | nindent 8 }} + {{- end }} + {{- if .Values.controller.hostNetwork }} + hostNetwork: {{ .Values.controller.hostNetwork }} + {{- end }} + {{- if .Values.controller.nodeSelector }} + nodeSelector: {{ toYaml .Values.controller.nodeSelector | nindent 8 }} + {{- end }} + {{- if .Values.controller.tolerations }} + tolerations: {{ toYaml .Values.controller.tolerations | nindent 8 }} + {{- end }} + {{- if .Values.controller.affinity }} + affinity: {{ toYaml .Values.controller.affinity | nindent 8 }} + {{- end }} + {{- if .Values.controller.topologySpreadConstraints }} + topologySpreadConstraints: {{ toYaml .Values.controller.topologySpreadConstraints | nindent 8 }} + {{- end }} + serviceAccountName: {{ template "ingress-nginx.serviceAccountName" . 
}} + terminationGracePeriodSeconds: {{ .Values.controller.terminationGracePeriodSeconds }} + {{- if (or .Values.controller.customTemplate.configMapName .Values.controller.extraVolumeMounts .Values.controller.admissionWebhooks.enabled .Values.controller.extraVolumes) }} + volumes: + {{- if .Values.controller.customTemplate.configMapName }} + - name: nginx-template-volume + configMap: + name: {{ .Values.controller.customTemplate.configMapName }} + items: + - key: {{ .Values.controller.customTemplate.configMapKey }} + path: nginx.tmpl + {{- end }} + {{- if .Values.controller.admissionWebhooks.enabled }} + - name: webhook-cert + secret: + secretName: {{ include "ingress-nginx.fullname" . }}-admission + {{- end }} + {{- if .Values.controller.extraVolumes }} + {{ toYaml .Values.controller.extraVolumes | nindent 8 }} + {{- end }} + {{- end }} +{{- end }} diff --git a/charts/ingress-nginx/templates/controller-deployment.yaml b/charts/ingress-nginx/templates/controller-deployment.yaml new file mode 100644 index 0000000000..5b9162b745 --- /dev/null +++ b/charts/ingress-nginx/templates/controller-deployment.yaml 
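Review bot: `- --maxmind-license-key={{ .Values.controller.maxmindLicenseKey }}` in the container `args` writes the licence key in clear text into the pod spec, so anyone who can read DaemonSets or Pods in the namespace sees it, as does any tooling that stores the rendered manifest. Kubernetes expands `$(VAR)` references in `args`, so the key can be read from a Secret through an env entry with `valueFrom.secretKeyRef`, which keeps it out of the workload object. The Secret name below is a placeholder, because the chart as shown has no such Secret. The same line appears in the controller-deployment.yaml hunk and should get the same change.

```yaml
          args:
            # … unchanged: preceding controller flags …
            {{- if .Values.controller.maxmindLicenseKey }}
            - --maxmind-license-key=$(MAXMIND_LICENSE_KEY)
            {{- end }}
            # … unchanged: health-check-path, extraArgs, securityContext …
          env:
            # … unchanged: POD_NAME, POD_NAMESPACE, LD_PRELOAD …
            {{- if .Values.controller.maxmindLicenseKey }}
            - name: MAXMIND_LICENSE_KEY
              valueFrom:
                secretKeyRef:
                  name: <MAXMIND_SECRET_NAME_PLACEHOLDER>
                  key: <MAXMIND_SECRET_KEY_PLACEHOLDER>
            {{- end }}
```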
@@ -0,0 +1,259 @@ +{{- if or (eq .Values.controller.kind "Deployment") (eq .Values.controller.kind "Both") -}} +{{- include "isControllerTagValid" . -}} +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + {{- include "ingress-nginx.labels" . | nindent 4 }} + app.kubernetes.io/component: controller + {{- with .Values.controller.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} + name: {{ include "ingress-nginx.controller.fullname" . }} + {{- if .Values.controller.annotations }} + annotations: {{ toYaml .Values.controller.annotations | nindent 4 }} + {{- end }} +spec: + selector: + matchLabels: + {{- include "ingress-nginx.selectorLabels" . | nindent 6 }} + app.kubernetes.io/component: controller + {{- if not .Values.controller.autoscaling.enabled }} + replicas: {{ .Values.controller.replicaCount }} + {{- end }} + revisionHistoryLimit: {{ .Values.revisionHistoryLimit }} + {{- if .Values.controller.updateStrategy }} + strategy: + {{ toYaml .Values.controller.updateStrategy | nindent 4 }} + {{- end }} + minReadySeconds: {{ .Values.controller.minReadySeconds }} + template: + metadata: + {{- if .Values.controller.podAnnotations }} + annotations: + {{- range $key, $value := .Values.controller.podAnnotations }} + {{ $key }}: {{ $value | quote }} + {{- end }} + {{- end }} + labels: + {{- include "ingress-nginx.selectorLabels" . 
| nindent 8 }} + app.kubernetes.io/component: controller + {{- if .Values.controller.podLabels }} + {{- toYaml .Values.controller.podLabels | nindent 8 }} + {{- end }} + spec: + {{- if .Values.controller.dnsConfig }} + dnsConfig: {{ toYaml .Values.controller.dnsConfig | nindent 8 }} + {{- end }} + dnsPolicy: {{ .Values.controller.dnsPolicy }} + {{- if .Values.imagePullSecrets }} + imagePullSecrets: {{ toYaml .Values.imagePullSecrets | nindent 8 }} + {{- end }} + {{- if .Values.controller.priorityClassName }} + priorityClassName: {{ .Values.controller.priorityClassName }} + {{- end }} + {{- if or .Values.controller.podSecurityContext .Values.controller.sysctls }} + securityContext: + {{- end }} + {{- if .Values.controller.podSecurityContext }} + {{- toYaml .Values.controller.podSecurityContext | nindent 8 }} + {{- end }} + {{- if .Values.controller.sysctls }} + sysctls: + {{- range $sysctl, $value := .Values.controller.sysctls }} + - name: {{ $sysctl | quote }} + value: {{ $value | quote }} + {{- end }} + {{- end }} + containers: + - name: controller + {{- with .Values.controller.image }} + image: "{{.repository}}:{{ .tag }}{{- if (.digest) -}} @{{.digest}} {{- end -}}" + {{- end }} + imagePullPolicy: {{ .Values.controller.image.pullPolicy }} + {{- if .Values.controller.lifecycle }} + lifecycle: {{ toYaml .Values.controller.lifecycle | nindent 12 }} + {{- end }} + args: + - /nginx-ingress-controller + {{- if .Values.defaultBackend.enabled }} + - --default-backend-service=$(POD_NAMESPACE)/{{ include "ingress-nginx.defaultBackend.fullname" . }} + {{- end }} + {{- if .Values.controller.publishService.enabled }} + - --publish-service={{ template "ingress-nginx.controller.publishServicePath" . }} + {{- end }} + - --election-id={{ .Values.controller.electionID }} + - --ingress-class={{ .Values.controller.ingressClass }} + - --configmap=$(POD_NAMESPACE)/{{ include "ingress-nginx.controller.fullname" . 
}} + {{- if .Values.tcp }} + - --tcp-services-configmap=$(POD_NAMESPACE)/{{ include "ingress-nginx.fullname" . }}-tcp + {{- end }} + {{- if .Values.udp }} + - --udp-services-configmap=$(POD_NAMESPACE)/{{ include "ingress-nginx.fullname" . }}-udp + {{- end }} + {{- if .Values.controller.scope.enabled }} + - --watch-namespace={{ default "$(POD_NAMESPACE)" .Values.controller.scope.namespace }} + {{- end }} + {{- if and .Values.controller.reportNodeInternalIp .Values.controller.hostNetwork }} + - --report-node-internal-ip-address={{ .Values.controller.reportNodeInternalIp }} + {{- end }} + {{- if .Values.controller.admissionWebhooks.enabled }} + - --validating-webhook=:{{ .Values.controller.admissionWebhooks.port }} + - --validating-webhook-certificate={{ .Values.controller.admissionWebhooks.certificate }} + - --validating-webhook-key={{ .Values.controller.admissionWebhooks.key }} + {{- end }} + {{- if .Values.controller.maxmindLicenseKey }} + - --maxmind-license-key={{ .Values.controller.maxmindLicenseKey }} + {{- end }} + {{- if not (eq .Values.controller.healthCheckPath "/healthz") }} + - --health-check-path={{ .Values.controller.healthCheckPath }} + {{- end }} + {{- range $key, $value := .Values.controller.extraArgs }} + {{- /* Accept keys without values or with false as value */}} + {{- if eq ($value | quote | len) 2 }} + - --{{ $key }} + {{- else }} + - --{{ $key }}={{ $value }} + {{- end }} + {{- end }} + securityContext: + capabilities: + drop: + - ALL + add: + - NET_BIND_SERVICE + runAsUser: {{ .Values.controller.image.runAsUser }} + allowPrivilegeEscalation: {{ .Values.controller.image.allowPrivilegeEscalation }} + env: + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + {{- if .Values.controller.enableMimalloc }} + - name: LD_PRELOAD + value: /usr/local/lib/libmimalloc.so + {{- end }} + {{- if .Values.controller.extraEnvs }} + {{- toYaml 
.Values.controller.extraEnvs | nindent 12 }} + {{- end }} + livenessProbe: + httpGet: + path: {{ .Values.controller.healthCheckPath }} + port: {{ .Values.controller.livenessProbe.port }} + scheme: HTTP + initialDelaySeconds: {{ .Values.controller.livenessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.controller.livenessProbe.periodSeconds }} + timeoutSeconds: {{ .Values.controller.livenessProbe.timeoutSeconds }} + successThreshold: {{ .Values.controller.livenessProbe.successThreshold }} + failureThreshold: {{ .Values.controller.livenessProbe.failureThreshold }} + readinessProbe: + httpGet: + path: {{ .Values.controller.healthCheckPath }} + port: {{ .Values.controller.readinessProbe.port }} + scheme: HTTP + initialDelaySeconds: {{ .Values.controller.readinessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.controller.readinessProbe.periodSeconds }} + timeoutSeconds: {{ .Values.controller.readinessProbe.timeoutSeconds }} + successThreshold: {{ .Values.controller.readinessProbe.successThreshold }} + failureThreshold: {{ .Values.controller.readinessProbe.failureThreshold }} + ports: + {{- range $key, $value := .Values.controller.containerPort }} + - name: {{ $key }} + containerPort: {{ $value }} + protocol: TCP + {{- if $.Values.controller.hostPort.enabled }} + hostPort: {{ index $.Values.controller.hostPort.ports $key | default $value }} + {{- end }} + {{- end }} + {{- if .Values.controller.metrics.enabled }} + - name: metrics + containerPort: {{ .Values.controller.metrics.port }} + protocol: TCP + {{- end }} + {{- if .Values.controller.admissionWebhooks.enabled }} + - name: webhook + containerPort: {{ .Values.controller.admissionWebhooks.port }} + protocol: TCP + {{- end }} + {{- range $key, $value := .Values.tcp }} + - name: {{ $key }}-tcp + containerPort: {{ $key }} + protocol: TCP + {{- if $.Values.controller.hostPort.enabled }} + hostPort: {{ $key }} + {{- end }} + {{- end }} + {{- range $key, $value := .Values.udp }} + - name: {{ $key }}-udp + 
containerPort: {{ $key }} + protocol: UDP + {{- if $.Values.controller.hostPort.enabled }} + hostPort: {{ $key }} + {{- end }} + {{- end }} + {{- if (or .Values.controller.customTemplate.configMapName .Values.controller.extraVolumeMounts .Values.controller.admissionWebhooks.enabled) }} + volumeMounts: + {{- if .Values.controller.customTemplate.configMapName }} + - mountPath: /etc/nginx/template + name: nginx-template-volume + readOnly: true + {{- end }} + {{- if .Values.controller.admissionWebhooks.enabled }} + - name: webhook-cert + mountPath: /usr/local/certificates/ + readOnly: true + {{- end }} + {{- if .Values.controller.extraVolumeMounts }} + {{- toYaml .Values.controller.extraVolumeMounts | nindent 12 }} + {{- end }} + {{- end }} + {{- if .Values.controller.resources }} + resources: {{ toYaml .Values.controller.resources | nindent 12 }} + {{- end }} + {{- if .Values.controller.extraContainers }} + {{ toYaml .Values.controller.extraContainers | nindent 8 }} + {{- end }} + {{- if .Values.controller.extraInitContainers }} + initContainers: {{ toYaml .Values.controller.extraInitContainers | nindent 8 }} + {{- end }} + {{- if .Values.controller.hostNetwork }} + hostNetwork: {{ .Values.controller.hostNetwork }} + {{- end }} + {{- if .Values.controller.nodeSelector }} + nodeSelector: {{ toYaml .Values.controller.nodeSelector | nindent 8 }} + {{- end }} + {{- if .Values.controller.tolerations }} + tolerations: {{ toYaml .Values.controller.tolerations | nindent 8 }} + {{- end }} + {{- if .Values.controller.affinity }} + affinity: {{ toYaml .Values.controller.affinity | nindent 8 }} + {{- end }} + {{- if .Values.controller.topologySpreadConstraints }} + topologySpreadConstraints: {{ toYaml .Values.controller.topologySpreadConstraints | nindent 8 }} + {{- end }} + serviceAccountName: {{ template "ingress-nginx.serviceAccountName" . 
}} + terminationGracePeriodSeconds: {{ .Values.controller.terminationGracePeriodSeconds }} + {{- if (or .Values.controller.customTemplate.configMapName .Values.controller.extraVolumeMounts .Values.controller.admissionWebhooks.enabled .Values.controller.extraVolumes) }} + volumes: + {{- if .Values.controller.customTemplate.configMapName }} + - name: nginx-template-volume + configMap: + name: {{ .Values.controller.customTemplate.configMapName }} + items: + - key: {{ .Values.controller.customTemplate.configMapKey }} + path: nginx.tmpl + {{- end }} + {{- if .Values.controller.admissionWebhooks.enabled }} + - name: webhook-cert + secret: + secretName: {{ include "ingress-nginx.fullname" . }}-admission + {{- end }} + {{- if .Values.controller.extraVolumes }} + {{ toYaml .Values.controller.extraVolumes | nindent 8 }} + {{- end }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/ingress-nginx/templates/controller-hpa.yaml b/charts/ingress-nginx/templates/controller-hpa.yaml new file mode 100644 index 0000000000..b46807fc1f --- /dev/null +++ b/charts/ingress-nginx/templates/controller-hpa.yaml 
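Review bot: The `args` in this Deployment build namespace-qualified references with `$(POD_NAMESPACE)` (`--configmap=$(POD_NAMESPACE)/…`, `--default-backend-service`, the tcp/udp ConfigMaps and the `--watch-namespace` default), while the DaemonSet template in the same commit renders `{{ .Release.Namespace }}` for the same flags. Both give the same value as long as the pod runs in the release namespace, but two spellings of the same flag make the two templates harder to compare when reviewing which objects the controller is pointed at. I would use one form in both files, or at least add a comment here such as `# $(POD_NAMESPACE) is expanded at container start from the env entry below`.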
@@ -0,0 +1,40 @@ +{{- if and .Values.controller.autoscaling.enabled (or (eq .Values.controller.kind "Deployment") (eq .Values.controller.kind "Both")) -}} +{{- if not .Values.controller.keda.enabled }} + +apiVersion: autoscaling/v2beta2 +kind: HorizontalPodAutoscaler +metadata: + labels: + {{- include "ingress-nginx.labels" . | nindent 4 }} + app.kubernetes.io/component: controller + name: {{ include "ingress-nginx.controller.fullname" . }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "ingress-nginx.controller.fullname" . }} + minReplicas: {{ .Values.controller.autoscaling.minReplicas }} + maxReplicas: {{ .Values.controller.autoscaling.maxReplicas }} + metrics: + {{- with .Values.controller.autoscaling.targetMemoryUtilizationPercentage }} + - type: Resource + resource: + name: memory + target: + type: Utilization + averageUtilization: {{ . }} + {{- end }} + {{- with .Values.controller.autoscaling.targetCPUUtilizationPercentage }} + - type: Resource + resource: + name: cpu + target: + type: Utilization + averageUtilization: {{ . }} + {{- end }} + {{- with .Values.controller.autoscalingTemplate }} +{{- toYaml . | nindent 2 }} + {{- end }} +{{- end }} +{{- end }} + diff --git a/charts/ingress-nginx/templates/controller-keda.yaml b/charts/ingress-nginx/templates/controller-keda.yaml new file mode 100644 index 0000000000..7c391de9dc --- /dev/null +++ b/charts/ingress-nginx/templates/controller-keda.yaml 
@@ -0,0 +1,33 @@ +{{- if .Values.controller.keda.enabled }} +# https://keda.sh/docs/ + +apiVersion: {{ .Values.controller.keda.apiVersion }} +kind: ScaledObject +metadata: + labels: + {{- include "ingress-nginx.labels" . | nindent 4 }} + app.kubernetes.io/component: controller + name: {{ include "ingress-nginx.controller.fullname" . }} + +spec: + scaleTargetRef: + deploymentName: {{ include "ingress-nginx.controller.fullname" . }} + pollingInterval: {{ .Values.controller.keda.pollingInterval }} + cooldownPeriod: {{ .Values.controller.keda.cooldownPeriod }} + minReplicaCount: {{ .Values.controller.keda.minReplicas }} + maxReplicaCount: {{ .Values.controller.keda.maxReplicas }} + triggers: +{{- with .Values.controller.keda.triggers }} +{{ toYaml . | indent 2 }} +{{ end }} + advanced: + restoreToOriginalReplicaCount: {{ .Values.controller.keda.restoreToOriginalReplicaCount }} +{{- if .Values.controller.keda.behavior }} + horizontalPodAutoscalerConfig: + behavior: +{{ with .Values.controller.keda.behavior -}} +{{ toYaml . | indent 8 }} +{{ end }} + +{{- end }} +{{- end }} diff --git a/charts/ingress-nginx/templates/controller-poddisruptionbudget.yaml b/charts/ingress-nginx/templates/controller-poddisruptionbudget.yaml new file mode 100644 index 0000000000..9dc8789112 --- /dev/null +++ b/charts/ingress-nginx/templates/controller-poddisruptionbudget.yaml @@ -0,0 +1,15 @@ +{{- if or (and .Values.controller.autoscaling.enabled (gt (.Values.controller.autoscaling.minReplicas | int) 1)) (gt (.Values.controller.replicaCount | int) 1) -}} +apiVersion: policy/v1beta1 +kind: PodDisruptionBudget +metadata: + labels: + {{- include "ingress-nginx.labels" . | nindent 4 }} + app.kubernetes.io/component: controller + name: {{ include "ingress-nginx.controller.fullname" . }} +spec: + selector: + matchLabels: + {{- include "ingress-nginx.selectorLabels" . | nindent 6 }} + app.kubernetes.io/component: controller + minAvailable: {{ .Values.controller.minAvailable }} +{{- end }} 
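Review bot: In controller-keda.yaml the guard is only `{{- if .Values.controller.keda.enabled }}`, whereas the HPA template in this commit also requires `controller.kind` to be `Deployment` or `Both`. With `kind: DaemonSet` and KEDA enabled, this renders a ScaledObject whose `scaleTargetRef.deploymentName` names a Deployment the chart does not create. I would reuse the HPA condition: `{{- if and .Values.controller.keda.enabled (or (eq .Values.controller.kind "Deployment") (eq .Values.controller.kind "Both")) }}`.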
diff --git a/charts/ingress-nginx/templates/controller-prometheusrules.yaml b/charts/ingress-nginx/templates/controller-prometheusrules.yaml new file mode 100644 index 0000000000..c0b7e89ca5 --- /dev/null +++ b/charts/ingress-nginx/templates/controller-prometheusrules.yaml @@ -0,0 +1,21 @@ +{{- if and .Values.controller.metrics.enabled .Values.controller.metrics.prometheusRule.enabled -}} +apiVersion: monitoring.coreos.com/v1 +kind: PrometheusRule +metadata: + name: {{ include "ingress-nginx.controller.fullname" . }} +{{- if .Values.controller.metrics.prometheusRule.namespace }} + namespace: {{ .Values.controller.metrics.prometheusRule.namespace }} +{{- end }} + labels: + {{- include "ingress-nginx.labels" . | nindent 4 }} + app.kubernetes.io/component: controller + {{- if .Values.controller.metrics.prometheusRule.additionalLabels }} + {{- toYaml .Values.controller.metrics.prometheusRule.additionalLabels | nindent 4 }} + {{- end }} +spec: +{{- if .Values.controller.metrics.prometheusRule.rules }} + groups: + - name: {{ template "ingress-nginx.name" . }} + rules: {{- toYaml .Values.controller.metrics.prometheusRule.rules | nindent 4 }} +{{- end }} +{{- end }} diff --git a/charts/ingress-nginx/templates/controller-psp.yaml b/charts/ingress-nginx/templates/controller-psp.yaml new file mode 100644 index 0000000000..bcf588c3c4 --- /dev/null +++ b/charts/ingress-nginx/templates/controller-psp.yaml 
@@ -0,0 +1,86 @@
+{{- if .Values.podSecurityPolicy.enabled -}}
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+ name: {{ include "ingress-nginx.fullname" . }}
+ labels:
+ {{- include "ingress-nginx.labels" . | nindent 4 }}
+ app.kubernetes.io/component: controller
+spec:
+ allowedCapabilities:
+ - NET_BIND_SERVICE
+{{- if .Values.controller.sysctls }}
+ allowedUnsafeSysctls:
+ {{- range $sysctl, $value := .Values.controller.sysctls }}
+ - {{ $sysctl }}
+ {{- end }}
+{{- end }}
+ privileged: false
+ allowPrivilegeEscalation: true
+ # Allow core volume types.
+ volumes:
+ - 'configMap'
+ #- 'emptyDir'
+ #- 'projected'
+ - 'secret'
+ #- 'downwardAPI'
+{{- if .Values.controller.hostNetwork }}
+ hostNetwork: {{ .Values.controller.hostNetwork }}
+{{- end }}
+{{- if or .Values.controller.hostNetwork .Values.controller.hostPort.enabled }}
+ hostPorts:
+{{- if .Values.controller.hostNetwork }}
+{{- range $key, $value := .Values.controller.containerPort }}
+ # {{ $key }}
+ - min: {{ $value }}
+ max: {{ $value }}
+{{- end }}
+{{- else if .Values.controller.hostPort.enabled }}
+{{- range $key, $value := .Values.controller.hostPort.ports }}
+ # {{ $key }}
+ - min: {{ $value }}
+ max: {{ $value }}
+{{- end }}
+{{- end }}
+{{- if .Values.controller.metrics.enabled }}
+ # metrics
+ - min: {{ .Values.controller.metrics.port }}
+ max: {{ .Values.controller.metrics.port }}
+{{- end }}
+{{- if .Values.controller.admissionWebhooks.enabled }}
+ # admission webhooks
+ - min: {{ .Values.controller.admissionWebhooks.port }}
+ max: {{ .Values.controller.admissionWebhooks.port }}
+{{- end }}
+{{- range $key, $value := .Values.tcp }}
+ # {{ $key }}-tcp
+ - min: {{ $key }}
+ max: {{ $key }}
+{{- end }}
+{{- range $key, $value := .Values.udp }}
+ # {{ $key }}-udp
+ - min: {{ $key }}
+ max: {{ $key }}
+{{- end }}
+{{- end }}
+ hostIPC: false
+ hostPID: false
+ runAsUser:
+ # Require the container to run without root privileges.
+ rule: 'MustRunAsNonRoot'
+ supplementalGroups:
+ rule: 'MustRunAs'
+ ranges:
+ # Forbid adding the root group.
+ - min: 1
+ max: 65535
+ fsGroup:
+ rule: 'MustRunAs'
+ ranges:
+ # Forbid adding the root group.
+ - min: 1
+ max: 65535
+ readOnlyRootFilesystem: false
+ seLinux:
+ rule: 'RunAsAny'
+{{- end }}
diff --git a/charts/ingress-nginx/templates/controller-role.yaml b/charts/ingress-nginx/templates/controller-role.yaml
new file mode 100644
index 0000000000..f2e3927448
--- /dev/null
+++ b/charts/ingress-nginx/templates/controller-role.yaml
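Review bot: `allowPrivilegeEscalation: true` is hard-coded in the controller PodSecurityPolicy, so the policy keeps permitting escalation even when an operator sets `controller.image.allowPrivilegeEscalation` to false in values.yaml. Rendering it from that value, `allowPrivilegeEscalation: {{ .Values.controller.image.allowPrivilegeEscalation }}`, keeps the policy no wider than what the pod spec asks for. The default-backend PSP in this same patch sets it to `false` and adds `requiredDropCapabilities: ALL`; a comment here saying why the controller needs the wider setting (presumably binding ports 80/443 as uid 101 via `NET_BIND_SERVICE`, to be confirmed against the Deployment, which is not in this hunk) would help anyone hardening the chart.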
@@ -0,0 +1,96 @@
+{{- if .Values.rbac.create -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ labels:
+ {{- include "ingress-nginx.labels" . | nindent 4 }}
+ app.kubernetes.io/component: controller
+ name: {{ include "ingress-nginx.fullname" . }}
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - namespaces
+ verbs:
+ - get
+ - apiGroups:
+ - ""
+ resources:
+ - configmaps
+ - pods
+ - secrets
+ - endpoints
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - ""
+ resources:
+ - services
+ verbs:
+ - get
+ - list
+ - update
+ - watch
+ - apiGroups:
+ - extensions
+ - "networking.k8s.io" # k8s 1.14+
+ resources:
+ - ingresses
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - extensions
+ - "networking.k8s.io" # k8s 1.14+
+ resources:
+ - ingresses/status
+ verbs:
+ - update
+ - apiGroups:
+ - "networking.k8s.io" # k8s 1.14+
+ resources:
+ - ingressclasses
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - ""
+ resources:
+ - configmaps
+ resourceNames:
+ - {{ .Values.controller.electionID }}-{{ .Values.controller.ingressClass }}
+ verbs:
+ - get
+ - update
+ - apiGroups:
+ - ""
+ resources:
+ - configmaps
+ verbs:
+ - create
+ - apiGroups:
+ - ""
+ resources:
+ - endpoints
+ verbs:
+ - create
+ - get
+ - update
+ - apiGroups:
+ - ""
+ resources:
+ - events
+ verbs:
+ - create
+ - patch
+{{- if .Values.podSecurityPolicy.enabled }}
+ - apiGroups: [{{ template "podSecurityPolicy.apiGroup" . }}]
+ resources: ['podsecuritypolicies']
+ verbs: ['use']
+ resourceNames: [{{ include "ingress-nginx.fullname" . }}]
+{{- end }}
+{{- end }}
diff --git a/charts/ingress-nginx/templates/controller-rolebinding.yaml b/charts/ingress-nginx/templates/controller-rolebinding.yaml
new file mode 100644
index 0000000000..5031350884
--- /dev/null
+++ b/charts/ingress-nginx/templates/controller-rolebinding.yaml
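Review bot: The second rule grants `get`, `list` and `watch` on every Secret in the release namespace, and nothing in the template tells an operator that. A comment above that rule, for example `# secrets: read access is namespace-wide; install the chart into a dedicated namespace`, would document the exposure for anyone deploying next to unrelated workloads. The later `create` rule on `configmaps` carries no `resourceNames` either; a one-line comment saying it exists for the leader-election ConfigMap (presumably the `electionID`-`ingressClass` name in the rule above it) would make the grant easier to audit.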
@@ -0,0 +1,17 @@
+{{- if .Values.rbac.create -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ labels:
+ {{- include "ingress-nginx.labels" . | nindent 4 }}
+ app.kubernetes.io/component: controller
+ name: {{ include "ingress-nginx.fullname" . }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ include "ingress-nginx.fullname" . }}
+subjects:
+ - kind: ServiceAccount
+ name: {{ template "ingress-nginx.serviceAccountName" . }}
+ namespace: {{ .Release.Namespace }}
+{{- end }}
diff --git a/charts/ingress-nginx/templates/controller-service-internal.yaml b/charts/ingress-nginx/templates/controller-service-internal.yaml
new file mode 100644
index 0000000000..54888e9658
--- /dev/null
+++ b/charts/ingress-nginx/templates/controller-service-internal.yaml
@@ -0,0 +1,47 @@
+{{- if and .Values.controller.service.enabled .Values.controller.service.internal.enabled .Values.controller.service.internal.annotations}}
+apiVersion: v1
+kind: Service
+metadata:
+ annotations:
+ {{- range $key, $value := .Values.controller.service.internal.annotations }}
+ {{ $key }}: {{ $value | quote }}
+ {{- end }}
+ labels:
+ {{- include "ingress-nginx.labels" . | nindent 4 }}
+ app.kubernetes.io/component: controller
+ {{- if .Values.controller.service.labels }}
+ {{- toYaml .Values.controller.service.labels | nindent 4 }}
+ {{- end }}
+ name: {{ include "ingress-nginx.controller.fullname" . }}-internal
+spec:
+ type: "{{ .Values.controller.service.type }}"
+{{- if .Values.controller.service.internal.loadBalancerSourceRanges }}
+ loadBalancerSourceRanges: {{ toYaml .Values.controller.service.internal.loadBalancerSourceRanges | nindent 4 }}
+{{- end }}
+{{- if .Values.controller.service.internal.externalTrafficPolicy }}
+ externalTrafficPolicy: {{ .Values.controller.service.internal.externalTrafficPolicy }}
+{{- end }}
+ ports:
+ {{- $setNodePorts := (or (eq .Values.controller.service.type "NodePort") (eq .Values.controller.service.type "LoadBalancer")) }}
+ {{- if .Values.controller.service.enableHttp }}
+ - name: http
+ port: {{ .Values.controller.service.ports.http }}
+ protocol: TCP
+ targetPort: {{ .Values.controller.service.targetPorts.http }}
+ {{- if (and $setNodePorts (not (empty .Values.controller.service.nodePorts.http))) }}
+ nodePort: {{ .Values.controller.service.nodePorts.http }}
+ {{- end }}
+ {{- end }}
+ {{- if .Values.controller.service.enableHttps }}
+ - name: https
+ port: {{ .Values.controller.service.ports.https }}
+ protocol: TCP
+ targetPort: {{ .Values.controller.service.targetPorts.https }}
+ {{- if (and $setNodePorts (not (empty .Values.controller.service.nodePorts.https))) }}
+ nodePort: {{ .Values.controller.service.nodePorts.https }}
+ {{- end }}
+ {{- end }}
+ selector:
+ {{- include "ingress-nginx.selectorLabels" . | nindent 4 }}
+ app.kubernetes.io/component: controller
+{{- end }}
diff --git a/charts/ingress-nginx/templates/controller-service-metrics.yaml b/charts/ingress-nginx/templates/controller-service-metrics.yaml
new file mode 100644
index 0000000000..b01f460afd
--- /dev/null
+++ b/charts/ingress-nginx/templates/controller-service-metrics.yaml
@@ -0,0 +1,43 @@
+{{- if .Values.controller.metrics.enabled -}}
+apiVersion: v1
+kind: Service
+metadata:
+{{- if .Values.controller.metrics.service.annotations }}
+ annotations: {{ toYaml .Values.controller.metrics.service.annotations | nindent 4 }}
+{{- end }}
+ labels:
+ {{- include "ingress-nginx.labels" . | nindent 4 }}
+ app.kubernetes.io/component: controller
+ {{- if .Values.controller.metrics.service.labels }}
+ {{- toYaml .Values.controller.metrics.service.labels | nindent 4 }}
+ {{- end }}
+ name: {{ include "ingress-nginx.controller.fullname" . }}-metrics
+spec:
+ type: {{ .Values.controller.metrics.service.type }}
+{{- if .Values.controller.metrics.service.clusterIP }}
+ clusterIP: {{ .Values.controller.metrics.service.clusterIP }}
+{{- end }}
+{{- if .Values.controller.metrics.service.externalIPs }}
+ externalIPs: {{ toYaml .Values.controller.metrics.service.externalIPs | nindent 4 }}
+{{- end }}
+{{- if .Values.controller.metrics.service.loadBalancerIP }}
+ loadBalancerIP: {{ .Values.controller.metrics.service.loadBalancerIP }}
+{{- end }}
+{{- if .Values.controller.metrics.service.loadBalancerSourceRanges }}
+ loadBalancerSourceRanges: {{ toYaml .Values.controller.metrics.service.loadBalancerSourceRanges | nindent 4 }}
+{{- end }}
+{{- if .Values.controller.metrics.service.externalTrafficPolicy }}
+ externalTrafficPolicy: {{ .Values.controller.metrics.service.externalTrafficPolicy }}
+{{- end }}
+ ports:
+ - name: metrics
+ port: {{ .Values.controller.metrics.service.servicePort }}
+ targetPort: metrics
+ {{- $setNodePorts := (or (eq .Values.controller.metrics.service.type "NodePort") (eq .Values.controller.metrics.service.type "LoadBalancer")) }}
+ {{- if (and $setNodePorts (not (empty .Values.controller.metrics.service.nodePort))) }}
+ nodePort: {{ .Values.controller.metrics.service.nodePort }}
+ {{- end }}
+ selector:
+ {{- include "ingress-nginx.selectorLabels" . | nindent 4 }}
+ app.kubernetes.io/component: controller
+{{- end }}
diff --git a/charts/ingress-nginx/templates/controller-service-webhook.yaml b/charts/ingress-nginx/templates/controller-service-webhook.yaml
new file mode 100644
index 0000000000..7a4dd51db2
--- /dev/null
+++ b/charts/ingress-nginx/templates/controller-service-webhook.yaml
@@ -0,0 +1,33 @@
+{{- if .Values.controller.admissionWebhooks.enabled -}}
+apiVersion: v1
+kind: Service
+metadata:
+{{- if .Values.controller.admissionWebhooks.service.annotations }}
+ annotations: {{ toYaml .Values.controller.admissionWebhooks.service.annotations | nindent 4 }}
+{{- end }}
+ labels:
+ {{- include "ingress-nginx.labels" . | nindent 4 }}
+ app.kubernetes.io/component: controller
+ name: {{ include "ingress-nginx.controller.fullname" . }}-admission
+spec:
+ type: {{ .Values.controller.admissionWebhooks.service.type }}
+{{- if .Values.controller.admissionWebhooks.service.clusterIP }}
+ clusterIP: {{ .Values.controller.admissionWebhooks.service.clusterIP }}
+{{- end }}
+{{- if .Values.controller.admissionWebhooks.service.externalIPs }}
+ externalIPs: {{ toYaml .Values.controller.admissionWebhooks.service.externalIPs | nindent 4 }}
+{{- end }}
+{{- if .Values.controller.admissionWebhooks.service.loadBalancerIP }}
+ loadBalancerIP: {{ .Values.controller.admissionWebhooks.service.loadBalancerIP }}
+{{- end }}
+{{- if .Values.controller.admissionWebhooks.service.loadBalancerSourceRanges }}
+ loadBalancerSourceRanges: {{ toYaml .Values.controller.admissionWebhooks.service.loadBalancerSourceRanges | nindent 4 }}
+{{- end }}
+ ports:
+ - name: https-webhook
+ port: 443
+ targetPort: webhook
+ selector:
+ {{- include "ingress-nginx.selectorLabels" . | nindent 4 }}
+ app.kubernetes.io/component: controller
+{{- end }}
diff --git a/charts/ingress-nginx/templates/controller-service.yaml b/charts/ingress-nginx/templates/controller-service.yaml
new file mode 100644
index 0000000000..9db734deb6
--- /dev/null
+++ b/charts/ingress-nginx/templates/controller-service.yaml
@@ -0,0 +1,84 @@
+{{- if .Values.controller.service.enabled -}}
+apiVersion: v1
+kind: Service
+metadata:
+ annotations:
+ {{- range $key, $value := .Values.controller.service.annotations }}
+ {{ $key }}: {{ $value | quote }}
+ {{- end }}
+ labels:
+ {{- include "ingress-nginx.labels" . | nindent 4 }}
+ app.kubernetes.io/component: controller
+ {{- if .Values.controller.service.labels }}
+ {{- toYaml .Values.controller.service.labels | nindent 4 }}
+ {{- end }}
+ name: {{ include "ingress-nginx.controller.fullname" . }}
+spec:
+ type: {{ .Values.controller.service.type }}
+{{- if .Values.controller.service.clusterIP }}
+ clusterIP: {{ .Values.controller.service.clusterIP }}
+{{- end }}
+{{- if .Values.controller.service.externalIPs }}
+ externalIPs: {{ toYaml .Values.controller.service.externalIPs | nindent 4 }}
+{{- end }}
+{{- if .Values.controller.service.loadBalancerIP }}
+ loadBalancerIP: {{ .Values.controller.service.loadBalancerIP }}
+{{- end }}
+{{- if .Values.controller.service.loadBalancerSourceRanges }}
+ loadBalancerSourceRanges: {{ toYaml .Values.controller.service.loadBalancerSourceRanges | nindent 4 }}
+{{- end }}
+{{- if .Values.controller.service.externalTrafficPolicy }}
+ externalTrafficPolicy: {{ .Values.controller.service.externalTrafficPolicy }}
+{{- end }}
+{{- if .Values.controller.service.sessionAffinity }}
+ sessionAffinity: {{ .Values.controller.service.sessionAffinity }}
+{{- end }}
+{{- if .Values.controller.service.healthCheckNodePort }}
+ healthCheckNodePort: {{ .Values.controller.service.healthCheckNodePort }}
+{{- end }}
+ ports:
+ {{- $setNodePorts := (or (eq .Values.controller.service.type "NodePort") (eq .Values.controller.service.type "LoadBalancer")) }}
+ {{- if .Values.controller.service.enableHttp }}
+ - name: http
+ port: {{ .Values.controller.service.ports.http }}
+ protocol: TCP
+ targetPort: {{ .Values.controller.service.targetPorts.http }}
+ {{- if (and $setNodePorts (not (empty .Values.controller.service.nodePorts.http))) }}
+ nodePort: {{ .Values.controller.service.nodePorts.http }}
+ {{- end }}
+ {{- end }}
+ {{- if .Values.controller.service.enableHttps }}
+ - name: https
+ port: {{ .Values.controller.service.ports.https }}
+ protocol: TCP
+ targetPort: {{ .Values.controller.service.targetPorts.https }}
+ {{- if (and $setNodePorts (not (empty .Values.controller.service.nodePorts.https))) }}
+ nodePort: {{ .Values.controller.service.nodePorts.https }}
+ {{- end }}
+ {{- end }}
+ {{- range $key, $value := .Values.tcp }}
+ - name: {{ $key }}-tcp
+ port: {{ $key }}
+ protocol: TCP
+ targetPort: {{ $key }}-tcp
+ {{- if $.Values.controller.service.nodePorts.tcp }}
+ {{- if index $.Values.controller.service.nodePorts.tcp $key }}
+ nodePort: {{ index $.Values.controller.service.nodePorts.tcp $key }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+ {{- range $key, $value := .Values.udp }}
+ - name: {{ $key }}-udp
+ port: {{ $key }}
+ protocol: UDP
+ targetPort: {{ $key }}-udp
+ {{- if $.Values.controller.service.nodePorts.udp }}
+ {{- if index $.Values.controller.service.nodePorts.udp $key }}
+ nodePort: {{ index $.Values.controller.service.nodePorts.udp $key }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+ selector:
+ {{- include "ingress-nginx.selectorLabels" . | nindent 4 }}
+ app.kubernetes.io/component: controller
+{{- end }}
diff --git a/charts/ingress-nginx/templates/controller-serviceaccount.yaml b/charts/ingress-nginx/templates/controller-serviceaccount.yaml
new file mode 100644
index 0000000000..43585076c6
--- /dev/null
+++ b/charts/ingress-nginx/templates/controller-serviceaccount.yaml
@@ -0,0 +1,9 @@
+{{- if or .Values.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ labels:
+ {{- include "ingress-nginx.labels" . | nindent 4 }}
+ app.kubernetes.io/component: controller
+ name: {{ template "ingress-nginx.serviceAccountName" . }}
+{{- end }}
diff --git a/charts/ingress-nginx/templates/controller-servicemonitor.yaml b/charts/ingress-nginx/templates/controller-servicemonitor.yaml
new file mode 100644
index 0000000000..68b1c922ba
--- /dev/null
+++ b/charts/ingress-nginx/templates/controller-servicemonitor.yaml
@@ -0,0 +1,42 @@
+{{- if and .Values.controller.metrics.enabled .Values.controller.metrics.serviceMonitor.enabled -}}
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+ name: {{ include "ingress-nginx.controller.fullname" . }}
+{{- if .Values.controller.metrics.serviceMonitor.namespace }}
+ namespace: {{ .Values.controller.metrics.serviceMonitor.namespace }}
+{{- end }}
+ labels:
+ {{- include "ingress-nginx.labels" . | nindent 4 }}
+ app.kubernetes.io/component: controller
+ {{- if .Values.controller.metrics.serviceMonitor.additionalLabels }}
+ {{- toYaml .Values.controller.metrics.serviceMonitor.additionalLabels | nindent 4 }}
+ {{- end }}
+spec:
+ endpoints:
+ - port: metrics
+ interval: {{ .Values.controller.metrics.serviceMonitor.scrapeInterval }}
+ {{- if .Values.controller.metrics.serviceMonitor.honorLabels }}
+ honorLabels: true
+ {{- end }}
+ {{- if .Values.controller.metrics.serviceMonitor.metricRelabelings }}
+ metricRelabelings: {{ toYaml .Values.controller.metrics.serviceMonitor.metricRelabelings | nindent 8 }}
+ {{- end }}
+{{- if .Values.controller.metrics.serviceMonitor.namespaceSelector }}
+ namespaceSelector: {{ toYaml .Values.controller.metrics.serviceMonitor.namespaceSelector | nindent 4 }}
+{{ else }}
+ namespaceSelector:
+ matchNames:
+ - {{ .Release.Namespace }}
+{{- end }}
+{{- if .Values.controller.metrics.serviceMonitor.targetLabels }}
+ targetLabels:
+ {{- range .Values.controller.metrics.serviceMonitor.targetLabels }}
+ - {{ . }}
+ {{- end }}
+{{- end }}
+ selector:
+ matchLabels:
+ {{- include "ingress-nginx.selectorLabels" . | nindent 6 }}
+ app.kubernetes.io/component: controller
+{{- end }}
diff --git a/charts/ingress-nginx/templates/default-backend-deployment.yaml b/charts/ingress-nginx/templates/default-backend-deployment.yaml
new file mode 100644
index 0000000000..0baec8b46a
--- /dev/null
+++ b/charts/ingress-nginx/templates/default-backend-deployment.yaml
@@ -0,0 +1,105 @@
+{{- if .Values.defaultBackend.enabled -}}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ {{- include "ingress-nginx.labels" . | nindent 4 }}
+ app.kubernetes.io/component: default-backend
+ name: {{ include "ingress-nginx.defaultBackend.fullname" . }}
+spec:
+ selector:
+ matchLabels:
+ {{- include "ingress-nginx.selectorLabels" . | nindent 6 }}
+ app.kubernetes.io/component: default-backend
+{{- if not .Values.defaultBackend.autoscaling.enabled }}
+ replicas: {{ .Values.defaultBackend.replicaCount }}
+{{- end }}
+ revisionHistoryLimit: {{ .Values.revisionHistoryLimit }}
+ template:
+ metadata:
+ {{- if .Values.defaultBackend.podAnnotations }}
+ annotations: {{ toYaml .Values.defaultBackend.podAnnotations | nindent 8 }}
+ {{- end }}
+ labels:
+ {{- include "ingress-nginx.selectorLabels" . | nindent 8 }}
+ app.kubernetes.io/component: default-backend
+ {{- if .Values.defaultBackend.podLabels }}
+ {{- toYaml .Values.defaultBackend.podLabels | nindent 8 }}
+ {{- end }}
+ spec:
+ {{- if .Values.imagePullSecrets }}
+ imagePullSecrets: {{ toYaml .Values.imagePullSecrets | nindent 8 }}
+ {{- end }}
+ {{- if .Values.defaultBackend.priorityClassName }}
+ priorityClassName: {{ .Values.defaultBackend.priorityClassName }}
+ {{- end }}
+ {{- if .Values.defaultBackend.podSecurityContext }}
+ securityContext: {{ toYaml .Values.defaultBackend.podSecurityContext | nindent 8 }}
+ {{- end }}
+ containers:
+ - name: {{ template "ingress-nginx.name" . }}-default-backend
+ {{- with .Values.defaultBackend.image }}
+ image: "{{.repository}}:{{ .tag }}{{- if (.digest) -}} @{{.digest}} {{- end -}}"
+ {{- end }}
+ imagePullPolicy: {{ .Values.defaultBackend.image.pullPolicy }}
+ {{- if .Values.defaultBackend.extraArgs }}
+ args:
+ {{- range $key, $value := .Values.defaultBackend.extraArgs }}
+ {{- /* Accept keys without values or with false as value */}}
+ {{- if eq ($value | quote | len) 2 }}
+ - --{{ $key }}
+ {{- else }}
+ - --{{ $key }}={{ $value }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+ securityContext:
+ capabilities:
+ drop:
+ - ALL
+ runAsUser: {{ .Values.defaultBackend.image.runAsUser }}
+ runAsNonRoot: {{ .Values.defaultBackend.image.runAsNonRoot }}
+ allowPrivilegeEscalation: {{ .Values.defaultBackend.image.allowPrivilegeEscalation }}
+ readOnlyRootFilesystem: {{ .Values.defaultBackend.image.readOnlyRootFilesystem}}
+ {{- if .Values.defaultBackend.extraEnvs }}
+ env: {{ toYaml .Values.defaultBackend.extraEnvs | nindent 12 }}
+ {{- end }}
+ livenessProbe:
+ httpGet:
+ path: /healthz
+ port: {{ .Values.defaultBackend.port }}
+ scheme: HTTP
+ initialDelaySeconds: {{ .Values.defaultBackend.livenessProbe.initialDelaySeconds }}
+ periodSeconds: {{ .Values.defaultBackend.livenessProbe.periodSeconds }}
+ timeoutSeconds: {{ .Values.defaultBackend.livenessProbe.timeoutSeconds }}
+ successThreshold: {{ .Values.defaultBackend.livenessProbe.successThreshold }}
+ failureThreshold: {{ .Values.defaultBackend.livenessProbe.failureThreshold }}
+ readinessProbe:
+ httpGet:
+ path: /healthz
+ port: {{ .Values.defaultBackend.port }}
+ scheme: HTTP
+ initialDelaySeconds: {{ .Values.defaultBackend.readinessProbe.initialDelaySeconds }}
+ periodSeconds: {{ .Values.defaultBackend.readinessProbe.periodSeconds }}
+ timeoutSeconds: {{ .Values.defaultBackend.readinessProbe.timeoutSeconds }}
+ successThreshold: {{ .Values.defaultBackend.readinessProbe.successThreshold }}
+ failureThreshold: {{ .Values.defaultBackend.readinessProbe.failureThreshold }}
+ ports:
+ - name: http
+ containerPort: {{ .Values.defaultBackend.port }}
+ protocol: TCP
+ {{- if .Values.defaultBackend.resources }}
+ resources: {{ toYaml .Values.defaultBackend.resources | nindent 12 }}
+ {{- end }}
+ {{- if .Values.defaultBackend.nodeSelector }}
+ nodeSelector: {{ toYaml .Values.defaultBackend.nodeSelector | nindent 8 }}
+ {{- end }}
+ serviceAccountName: {{ template "ingress-nginx.defaultBackend.serviceAccountName" . }}
+ {{- if .Values.defaultBackend.tolerations }}
+ tolerations: {{ toYaml .Values.defaultBackend.tolerations | nindent 8 }}
+ {{- end }}
+ {{- if .Values.defaultBackend.affinity }}
+ affinity: {{ toYaml .Values.defaultBackend.affinity | nindent 8 }}
+ {{- end }}
+ terminationGracePeriodSeconds: 60
+{{- end }}
diff --git a/charts/ingress-nginx/templates/default-backend-hpa.yaml b/charts/ingress-nginx/templates/default-backend-hpa.yaml
new file mode 100644
index 0000000000..7f345ce9cd
--- /dev/null
+++ b/charts/ingress-nginx/templates/default-backend-hpa.yaml
@@ -0,0 +1,29 @@
+{{- if .Values.defaultBackend.autoscaling.enabled }}
+apiVersion: autoscaling/v2beta1
+kind: HorizontalPodAutoscaler
+metadata:
+ labels:
+ {{- include "ingress-nginx.labels" . | nindent 4 }}
+ app.kubernetes.io/component: default-backend
+ name: {{ template "nginx-ingress.defaultBackend.fullname" . }}
+spec:
+ scaleTargetRef:
+ apiVersion: {{ template "deployment.apiVersion" . }}
+ kind: Deployment
+ name: {{ template "nginx-ingress.defaultBackend.fullname" . }}
+ minReplicas: {{ .Values.defaultBackend.autoscaling.minReplicas }}
+ maxReplicas: {{ .Values.defaultBackend.autoscaling.maxReplicas }}
+ metrics:
+{{- with .Values.defaultBackend.autoscaling.targetCPUUtilizationPercentage }}
+ - type: Resource
+ resource:
+ name: cpu
+ targetAverageUtilization: {{ . }}
+{{- end }}
+{{- with .Values.defaultBackend.autoscaling.targetMemoryUtilizationPercentage }}
+ - type: Resource
+ resource:
+ name: memory
+ targetAverageUtilization: {{ . }}
+{{- end }}
+{{- end }}
diff --git a/charts/ingress-nginx/templates/default-backend-poddisruptionbudget.yaml b/charts/ingress-nginx/templates/default-backend-poddisruptionbudget.yaml
new file mode 100644
index 0000000000..327d809b95
--- /dev/null
+++ b/charts/ingress-nginx/templates/default-backend-poddisruptionbudget.yaml
@@ -0,0 +1,15 @@
+{{- if or (gt (.Values.defaultBackend.replicaCount | int) 1) (gt (.Values.defaultBackend.autoscaling.minReplicas | int) 1) }}
+apiVersion: policy/v1beta1
+kind: PodDisruptionBudget
+metadata:
+ labels:
+ {{- include "ingress-nginx.labels" . | nindent 4 }}
+ app.kubernetes.io/component: default-backend
+ name: {{ include "ingress-nginx.defaultBackend.fullname" . }}
+spec:
+ selector:
+ matchLabels:
+ {{- include "ingress-nginx.selectorLabels" . | nindent 6 }}
+ app.kubernetes.io/component: default-backend
+ minAvailable: {{ .Values.defaultBackend.minAvailable }}
+{{- end }}
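Review bot: The HPA in default-backend-hpa.yaml references the helpers `nginx-ingress.defaultBackend.fullname` (for `metadata.name` and `scaleTargetRef.name`) and `deployment.apiVersion`, while the Deployment it targets is named through `ingress-nginx.defaultBackend.fullname` and declares `apiVersion: apps/v1`. `_helpers.tpl` is not in view, but if it defines only the `ingress-nginx.*` helpers, rendering fails as soon as `defaultBackend.autoscaling.enabled` is true. Use `name: {{ include "ingress-nginx.defaultBackend.fullname" . }}` in both places and `apiVersion: apps/v1` in `scaleTargetRef`. The guard also checks only the autoscaling flag, so `{{- if and .Values.defaultBackend.enabled .Values.defaultBackend.autoscaling.enabled }}` would avoid creating an HPA whose target Deployment was never rendered.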
diff --git a/charts/ingress-nginx/templates/default-backend-psp.yaml b/charts/ingress-nginx/templates/default-backend-psp.yaml
new file mode 100644
index 0000000000..055f434dbe
--- /dev/null
+++ b/charts/ingress-nginx/templates/default-backend-psp.yaml
@@ -0,0 +1,33 @@
+{{- if and .Values.podSecurityPolicy.enabled .Values.defaultBackend.enabled -}}
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+ name: {{ include "ingress-nginx.fullname" . }}-backend
+ labels:
+ {{- include "ingress-nginx.labels" . | nindent 4 }}
+ app.kubernetes.io/component: default-backend
+spec:
+ allowPrivilegeEscalation: false
+ fsGroup:
+ ranges:
+ - max: 65535
+ min: 1
+ rule: MustRunAs
+ requiredDropCapabilities:
+ - ALL
+ runAsUser:
+ rule: MustRunAsNonRoot
+ seLinux:
+ rule: RunAsAny
+ supplementalGroups:
+ ranges:
+ - max: 65535
+ min: 1
+ rule: MustRunAs
+ volumes:
+ - configMap
+ - emptyDir
+ - projected
+ - secret
+ - downwardAPI
+{{- end }}
diff --git a/charts/ingress-nginx/templates/default-backend-role.yaml b/charts/ingress-nginx/templates/default-backend-role.yaml
new file mode 100644
index 0000000000..23498de22e
--- /dev/null
+++ b/charts/ingress-nginx/templates/default-backend-role.yaml
@@ -0,0 +1,14 @@
+{{- if and .Values.rbac.create .Values.podSecurityPolicy.enabled .Values.defaultBackend.enabled -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ labels:
+ {{- include "ingress-nginx.labels" . | nindent 4 }}
+ app.kubernetes.io/component: default-backend
+ name: {{ include "ingress-nginx.fullname" . }}-backend
+rules:
+ - apiGroups: [{{ template "podSecurityPolicy.apiGroup" . }}]
+ resources: ['podsecuritypolicies']
+ verbs: ['use']
+ resourceNames: [{{ include "ingress-nginx.fullname" . }}-backend]
+{{- end }}
diff --git a/charts/ingress-nginx/templates/default-backend-rolebinding.yaml b/charts/ingress-nginx/templates/default-backend-rolebinding.yaml
new file mode 100644
index 0000000000..45558aac1a
--- /dev/null
+++ b/charts/ingress-nginx/templates/default-backend-rolebinding.yaml
@@ -0,0 +1,17 @@
+{{- if and .Values.rbac.create .Values.podSecurityPolicy.enabled .Values.defaultBackend.enabled -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ labels:
+ {{- include "ingress-nginx.labels" . | nindent 4 }}
+ app.kubernetes.io/component: default-backend
+ name: {{ include "ingress-nginx.fullname" . }}-backend
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ include "ingress-nginx.fullname" . }}-backend
+subjects:
+ - kind: ServiceAccount
+ name: {{ template "ingress-nginx.defaultBackend.serviceAccountName" . }}
+ namespace: {{ .Release.Namespace }}
+{{- end }}
diff --git a/charts/ingress-nginx/templates/default-backend-service.yaml b/charts/ingress-nginx/templates/default-backend-service.yaml
new file mode 100644
index 0000000000..e74714d924
--- /dev/null
+++ b/charts/ingress-nginx/templates/default-backend-service.yaml
@@ -0,0 +1,34 @@
+{{- if .Values.defaultBackend.enabled -}}
+apiVersion: v1
+kind: Service
+metadata:
+{{- if .Values.defaultBackend.service.annotations }}
+ annotations: {{ toYaml .Values.defaultBackend.service.annotations | nindent 4 }}
+{{- end }}
+ labels:
+ {{- include "ingress-nginx.labels" . | nindent 4 }}
+ app.kubernetes.io/component: default-backend
+ name: {{ include "ingress-nginx.defaultBackend.fullname" . }}
+spec:
+ type: {{ .Values.defaultBackend.service.type }}
+{{- if .Values.defaultBackend.service.clusterIP }}
+ clusterIP: {{ .Values.defaultBackend.service.clusterIP }}
+{{- end }}
+{{- if .Values.defaultBackend.service.externalIPs }}
+ externalIPs: {{ toYaml .Values.defaultBackend.service.externalIPs | nindent 4 }}
+{{- end }}
+{{- if .Values.defaultBackend.service.loadBalancerIP }}
+ loadBalancerIP: {{ .Values.defaultBackend.service.loadBalancerIP }}
+{{- end }}
+{{- if .Values.defaultBackend.service.loadBalancerSourceRanges }}
+ loadBalancerSourceRanges: {{ toYaml .Values.defaultBackend.service.loadBalancerSourceRanges | nindent 4 }}
+{{- end }}
+ ports:
+ - name: http
+ port: {{ .Values.defaultBackend.service.servicePort }}
+ protocol: TCP
+ targetPort: http
+ selector:
+ {{- include "ingress-nginx.selectorLabels" . | nindent 4 }}
+ app.kubernetes.io/component: default-backend
+{{- end }}
diff --git a/charts/ingress-nginx/templates/default-backend-serviceaccount.yaml b/charts/ingress-nginx/templates/default-backend-serviceaccount.yaml
new file mode 100644
index 0000000000..96419cfa0a
--- /dev/null
+++ b/charts/ingress-nginx/templates/default-backend-serviceaccount.yaml
@@ -0,0 +1,9 @@
+{{- if and .Values.defaultBackend.enabled .Values.defaultBackend.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ labels:
+ {{- include "ingress-nginx.labels" . | nindent 4 }}
+ app.kubernetes.io/component: default-backend
+ name: {{ template "ingress-nginx.defaultBackend.serviceAccountName" . }}
+{{- end }}
diff --git a/charts/ingress-nginx/values.yaml b/charts/ingress-nginx/values.yaml
new file mode 100644
index 0000000000..7e2e54c723
--- /dev/null
+++ b/charts/ingress-nginx/values.yaml
@@ -0,0 +1,718 @@ +## nginx configuration +## Ref: https://github.com/kubernetes/ingress-nginx/blob/master/controllers/nginx/configuration.md +## +controller: + image: + repository: k8s.gcr.io/ingress-nginx/controller + tag: "v0.41.2" + digest: sha256:1f4f402b9c14f3ae92b11ada1dfe9893a88f0faeb0b2f4b903e2c67a0c3bf0de + pullPolicy: IfNotPresent + # www-data -> uid 101 + runAsUser: 101 + allowPrivilegeEscalation: true + + # Configures the ports the nginx-controller listens on + containerPort: + http: 80 + https: 443 + + # Will add custom configuration options to Nginx https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/ + config: {} + + ## Annotations to be added to the controller config configuration configmap + ## + configAnnotations: {} + + # Will add custom headers before sending traffic to backends according to https://github.com/kubernetes/ingress-nginx/tree/master/docs/examples/customization/custom-headers + proxySetHeaders: {} + + # Will add custom headers before sending response traffic to the client according to: https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#add-headers + addHeaders: {} + + # Optionally customize the pod dnsConfig. + dnsConfig: {} + + # Optionally change this to ClusterFirstWithHostNet in case you have 'hostNetwork: true'. + # By default, while using host network, name resolution uses the host's DNS. If you wish nginx-controller + # to keep resolving names inside the k8s network, use ClusterFirstWithHostNet. 
+ dnsPolicy: ClusterFirst + + # Bare-metal considerations via the host network https://kubernetes.github.io/ingress-nginx/deploy/baremetal/#via-the-host-network + # Ingress status was blank because there is no Service exposing the NGINX Ingress controller in a configuration using the host network, the default --publish-service flag used in standard cloud setups does not apply + reportNodeInternalIp: false + + # Required for use with CNI based kubernetes installations (such as ones set up by kubeadm), + # since CNI and hostport don't mix yet. Can be deprecated once https://github.com/kubernetes/kubernetes/issues/23920 + # is merged + hostNetwork: false + + ## Use host ports 80 and 443 + ## Disabled by default + ## + hostPort: + enabled: false + ports: + http: 80 + https: 443 + + ## Election ID to use for status update + ## + electionID: ingress-controller-leader + + ## Name of the ingress class to route through this controller + ## + ingressClass: nginx + + # labels to add to the pod container metadata + podLabels: {} + # key: value + + ## Security Context policies for controller pods + ## + podSecurityContext: {} + + ## See https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ for + ## notes on enabling and using sysctls + ### + sysctls: {} + # sysctls: + # "net.core.somaxconn": "8192" + + ## Allows customization of the source of the IP address or FQDN to report + ## in the ingress status field. By default, it reads the information provided + ## by the service. If disable, the status field reports the IP address of the + ## node or nodes where an ingress controller pod is running. 
+ publishService: + enabled: true + ## Allows overriding of the publish service to bind to + ## Must be / + ## + pathOverride: "" + + ## Limit the scope of the controller + ## + scope: + enabled: false + namespace: "" # defaults to .Release.Namespace + + ## Allows customization of the configmap / nginx-configmap namespace + ## + configMapNamespace: "" # defaults to .Release.Namespace + + ## Allows customization of the tcp-services-configmap + ## + tcp: + configMapNamespace: "" # defaults to .Release.Namespace + ## Annotations to be added to the tcp config configmap + annotations: {} + + ## Allows customization of the udp-services-configmap + ## + udp: + configMapNamespace: "" # defaults to .Release.Namespace + ## Annotations to be added to the udp config configmap + annotations: {} + + ## Additional command line arguments to pass to nginx-ingress-controller + ## E.g. to specify the default SSL certificate you can use + ## extraArgs: + ## default-ssl-certificate: "/" + extraArgs: {} + + ## Additional environment variables to set + extraEnvs: [] + # extraEnvs: + # - name: FOO + # valueFrom: + # secretKeyRef: + # key: FOO + # name: secret-resource + + ## DaemonSet or Deployment + ## + kind: Deployment + + ## Annotations to be added to the controller Deployment or DaemonSet + ## + annotations: {} + # keel.sh/pollSchedule: "@every 60m" + + ## Labels to be added to the controller Deployment or DaemonSet + ## + labels: {} + # keel.sh/policy: patch + # keel.sh/trigger: poll + + + # The update strategy to apply to the Deployment or DaemonSet + ## + updateStrategy: {} + # rollingUpdate: + # maxUnavailable: 1 + # type: RollingUpdate + + # minReadySeconds to avoid killing pods before we are ready + ## + minReadySeconds: 0 + + + ## Node tolerations for server scheduling to nodes with taints + ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ + ## + tolerations: [] + # - key: "key" + # operator: "Equal|Exists" + # value: "value" + # effect: 
"NoSchedule|PreferNoSchedule|NoExecute(1.6 only)" + + ## Affinity and anti-affinity + ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity + ## + affinity: {} + # # An example of preferred pod anti-affinity, weight is in the range 1-100 + # podAntiAffinity: + # preferredDuringSchedulingIgnoredDuringExecution: + # - weight: 100 + # podAffinityTerm: + # labelSelector: + # matchExpressions: + # - key: app.kubernetes.io/name + # operator: In + # values: + # - ingress-nginx + # - key: app.kubernetes.io/instance + # operator: In + # values: + # - ingress-nginx + # - key: app.kubernetes.io/component + # operator: In + # values: + # - controller + # topologyKey: kubernetes.io/hostname + + # # An example of required pod anti-affinity + # podAntiAffinity: + # requiredDuringSchedulingIgnoredDuringExecution: + # - labelSelector: + # matchExpressions: + # - key: app.kubernetes.io/name + # operator: In + # values: + # - ingress-nginx + # - key: app.kubernetes.io/instance + # operator: In + # values: + # - ingress-nginx + # - key: app.kubernetes.io/component + # operator: In + # values: + # - controller + # topologyKey: "kubernetes.io/hostname" + + ## Topology spread constraints rely on node labels to identify the topology domain(s) that each Node is in. 
+ ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ + ## + topologySpreadConstraints: [] + # - maxSkew: 1 + # topologyKey: failure-domain.beta.kubernetes.io/zone + # whenUnsatisfiable: DoNotSchedule + # labelSelector: + # matchLabels: + # app.kubernetes.io/instance: ingress-nginx-internal + + ## terminationGracePeriodSeconds + ## wait up to five minutes for the drain of connections + ## + terminationGracePeriodSeconds: 300 + + ## Node labels for controller pod assignment + ## Ref: https://kubernetes.io/docs/user-guide/node-selection/ + ## + nodeSelector: + kubernetes.io/os: linux + + ## Liveness and readiness probe values + ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes + ## + livenessProbe: + failureThreshold: 5 + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + port: 10254 + readinessProbe: + failureThreshold: 3 + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + port: 10254 + + # Path of the health check endpoint. All requests received on the port defined by + # the healthz-port parameter are forwarded internally to this path. + healthCheckPath: "/healthz" + + ## Annotations to be added to controller pods + ## + podAnnotations: {} + + replicaCount: 1 + + minAvailable: 1 + + # Define requests resources to avoid probe issues due to CPU utilization in busy nodes + # ref: https://github.com/kubernetes/ingress-nginx/issues/4735#issuecomment-551204903 + # Ideally, there should be no limits. 
+ # https://engineering.indeedblog.com/blog/2019/12/cpu-throttling-regression-fix/ + resources: + # limits: + # cpu: 100m + # memory: 90Mi + requests: + cpu: 100m + memory: 90Mi + + # Mutually exclusive with keda autoscaling + autoscaling: + enabled: false + minReplicas: 1 + maxReplicas: 11 + targetCPUUtilizationPercentage: 50 + targetMemoryUtilizationPercentage: 50 + + autoscalingTemplate: [] + # Custom or additional autoscaling metrics + # ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/#support-for-custom-metrics + # - type: Pods + # pods: + # metric: + # name: nginx_ingress_controller_nginx_process_requests_total + # target: + # type: AverageValue + # averageValue: 10000m + + # Mutually exclusive with hpa autoscaling + keda: + apiVersion: "keda.sh/v1alpha1" + # apiVersion changes with keda 1.x vs 2.x + # 2.x = keda.sh/v1alpha1 + # 1.x = keda.k8s.io/v1alpha1 + enabled: false + minReplicas: 1 + maxReplicas: 11 + pollingInterval: 30 + cooldownPeriod: 300 + restoreToOriginalReplicaCount: false + triggers: [] + # - type: prometheus + # metadata: + # serverAddress: http://:9090 + # metricName: http_requests_total + # threshold: '100' + # query: sum(rate(http_requests_total{deployment="my-deployment"}[2m])) + + behavior: {} + # scaleDown: + # stabilizationWindowSeconds: 300 + # policies: + # - type: Pods + # value: 1 + # periodSeconds: 180 + # scaleUp: + # stabilizationWindowSeconds: 300 + # policies: + # - type: Pods + # value: 2 + # periodSeconds: 60 + + ## Enable mimalloc as a drop-in replacement for malloc. 
+ ## ref: https://github.com/microsoft/mimalloc + ## + enableMimalloc: true + + ## Override NGINX template + customTemplate: + configMapName: "" + configMapKey: "" + + service: + enabled: true + + annotations: {} + labels: {} + # clusterIP: "" + + ## List of IP addresses at which the controller services are available + ## Ref: https://kubernetes.io/docs/user-guide/services/#external-ips + ## + externalIPs: [] + + # loadBalancerIP: "" + loadBalancerSourceRanges: [] + + enableHttp: true + enableHttps: true + + ## Set external traffic policy to: "Local" to preserve source IP on + ## providers supporting it + ## Ref: https://kubernetes.io/docs/tutorials/services/source-ip/#source-ip-for-services-with-typeloadbalancer + # externalTrafficPolicy: "" + + # Must be either "None" or "ClientIP" if set. Kubernetes will default to "None". + # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies + # sessionAffinity: "" + + # specifies the health check node port (numeric port number) for the service. If healthCheckNodePort isn’t specified, + # the service controller allocates a port from your cluster’s NodePort range. + # Ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip + # healthCheckNodePort: 0 + + ports: + http: 80 + https: 443 + + targetPorts: + http: http + https: https + + type: LoadBalancer + + # type: NodePort + # nodePorts: + # http: 32080 + # https: 32443 + # tcp: + # 8080: 32808 + nodePorts: + http: "" + https: "" + tcp: {} + udp: {} + + ## Enables an additional internal load balancer (besides the external one). + ## Annotations are mandatory for the load balancer to come up. Varies with the cloud service. + internal: + enabled: false + annotations: {} + + ## Restrict access For LoadBalancer service. Defaults to 0.0.0.0/0. 
+ loadBalancerSourceRanges: [] + + ## Set external traffic policy to: "Local" to preserve source IP on + ## providers supporting it + ## Ref: https://kubernetes.io/docs/tutorials/services/source-ip/#source-ip-for-services-with-typeloadbalancer + # externalTrafficPolicy: "" + + extraContainers: [] + ## Additional containers to be added to the controller pod. + ## See https://github.com/lemonldap-ng-controller/lemonldap-ng-controller as example. + # - name: my-sidecar + # image: nginx:latest + # - name: lemonldap-ng-controller + # image: lemonldapng/lemonldap-ng-controller:0.2.0 + # args: + # - /lemonldap-ng-controller + # - --alsologtostderr + # - --configmap=$(POD_NAMESPACE)/lemonldap-ng-configuration + # env: + # - name: POD_NAME + # valueFrom: + # fieldRef: + # fieldPath: metadata.name + # - name: POD_NAMESPACE + # valueFrom: + # fieldRef: + # fieldPath: metadata.namespace + # volumeMounts: + # - name: copy-portal-skins + # mountPath: /srv/var/lib/lemonldap-ng/portal/skins + + extraVolumeMounts: [] + ## Additional volumeMounts to the controller main container. + # - name: copy-portal-skins + # mountPath: /var/lib/lemonldap-ng/portal/skins + + extraVolumes: [] + ## Additional volumes to the controller pod. + # - name: copy-portal-skins + # emptyDir: {} + + extraInitContainers: [] + ## Containers, which are run before the app containers are started. 
+ # - name: init-myservice + # image: busybox + # command: ['sh', '-c', 'until nslookup myservice; do echo waiting for myservice; sleep 2; done;'] + + admissionWebhooks: + annotations: {} + enabled: true + failurePolicy: Fail + # timeoutSeconds: 10 + port: 8443 + certificate: "/usr/local/certificates/cert" + key: "/usr/local/certificates/key" + namespaceSelector: {} + objectSelector: {} + + service: + annotations: {} + # clusterIP: "" + externalIPs: [] + # loadBalancerIP: "" + loadBalancerSourceRanges: [] + servicePort: 443 + type: ClusterIP + + patch: + enabled: true + image: + repository: docker.io/jettech/kube-webhook-certgen + tag: v1.5.0 + pullPolicy: IfNotPresent + ## Provide a priority class name to the webhook patching job + ## + priorityClassName: "" + podAnnotations: {} + nodeSelector: {} + tolerations: [] + runAsUser: 2000 + + metrics: + port: 10254 + # if this port is changed, change healthz-port: in extraArgs: accordingly + enabled: false + + service: + annotations: {} + # prometheus.io/scrape: "true" + # prometheus.io/port: "10254" + + # clusterIP: "" + + ## List of IP addresses at which the stats-exporter service is available + ## Ref: https://kubernetes.io/docs/user-guide/services/#external-ips + ## + externalIPs: [] + + # loadBalancerIP: "" + loadBalancerSourceRanges: [] + servicePort: 9913 + type: ClusterIP + # externalTrafficPolicy: "" + # nodePort: "" + + serviceMonitor: + enabled: false + additionalLabels: {} + namespace: "" + namespaceSelector: {} + # Default: scrape .Release.Namespace only + # To scrape all, use the following: + # namespaceSelector: + # any: true + scrapeInterval: 30s + # honorLabels: true + targetLabels: [] + metricRelabelings: [] + + prometheusRule: + enabled: false + additionalLabels: {} + # namespace: "" + rules: [] + # # These are just examples rules, please adapt them to your needs + # - alert: NGINXConfigFailed + # expr: count(nginx_ingress_controller_config_last_reload_successful == 0) > 0 + # for: 1s + # labels: + # 
severity: critical + # annotations: + # description: bad ingress config - nginx config test failed + # summary: uninstall the latest ingress changes to allow config reloads to resume + # - alert: NGINXCertificateExpiry + # expr: (avg(nginx_ingress_controller_ssl_expire_time_seconds) by (host) - time()) < 604800 + # for: 1s + # labels: + # severity: critical + # annotations: + # description: ssl certificate(s) will expire in less then a week + # summary: renew expiring certificates to avoid downtime + # - alert: NGINXTooMany500s + # expr: 100 * ( sum( nginx_ingress_controller_requests{status=~"5.+"} ) / sum(nginx_ingress_controller_requests) ) > 5 + # for: 1m + # labels: + # severity: warning + # annotations: + # description: Too many 5XXs + # summary: More than 5% of all requests returned 5XX, this requires your attention + # - alert: NGINXTooMany400s + # expr: 100 * ( sum( nginx_ingress_controller_requests{status=~"4.+"} ) / sum(nginx_ingress_controller_requests) ) > 5 + # for: 1m + # labels: + # severity: warning + # annotations: + # description: Too many 4XXs + # summary: More than 5% of all requests returned 4XX, this requires your attention + + ## Improve connection draining when ingress controller pod is deleted using a lifecycle hook: + ## With this new hook, we increased the default terminationGracePeriodSeconds from 30 seconds + ## to 300, allowing the draining of connections up to five minutes. + ## If the active connections end before that, the pod will terminate gracefully at that time. + ## To effectively take advantage of this feature, the Configmap feature + ## worker-shutdown-timeout new value is 240s instead of 10s. 
+ ## + lifecycle: + preStop: + exec: + command: + - /wait-shutdown + + priorityClassName: "" + +## Rollback limit +## +revisionHistoryLimit: 10 + +# Maxmind license key to download GeoLite2 Databases +# https://blog.maxmind.com/2019/12/18/significant-changes-to-accessing-and-using-geolite2-databases +maxmindLicenseKey: "" + +## Default 404 backend +## +defaultBackend: + ## + enabled: false + + image: + repository: k8s.gcr.io/defaultbackend-amd64 + tag: "1.5" + pullPolicy: IfNotPresent + # nobody user -> uid 65534 + runAsUser: 65534 + runAsNonRoot: true + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + + extraArgs: {} + + serviceAccount: + create: true + name: + ## Additional environment variables to set for defaultBackend pods + extraEnvs: [] + + port: 8080 + + ## Readiness and liveness probes for default backend + ## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/ + ## + livenessProbe: + failureThreshold: 3 + initialDelaySeconds: 30 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + readinessProbe: + failureThreshold: 6 + initialDelaySeconds: 0 + periodSeconds: 5 + successThreshold: 1 + timeoutSeconds: 5 + + ## Node tolerations for server scheduling to nodes with taints + ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ + ## + tolerations: [] + # - key: "key" + # operator: "Equal|Exists" + # value: "value" + # effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)" + + affinity: {} + + ## Security Context policies for controller pods + ## See https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ for + ## notes on enabling and using sysctls + ## + podSecurityContext: {} + + # labels to add to the pod container metadata + podLabels: {} + # key: value + + ## Node labels for default backend pod assignment + ## Ref: https://kubernetes.io/docs/user-guide/node-selection/ + ## + nodeSelector: {} + + ## Annotations to be added to default backend pods + 
## + podAnnotations: {} + + replicaCount: 1 + + minAvailable: 1 + + resources: {} + # limits: + # cpu: 10m + # memory: 20Mi + # requests: + # cpu: 10m + # memory: 20Mi + + autoscaling: + enabled: false + minReplicas: 1 + maxReplicas: 2 + targetCPUUtilizationPercentage: 50 + targetMemoryUtilizationPercentage: 50 + + service: + annotations: {} + + # clusterIP: "" + + ## List of IP addresses at which the default backend service is available + ## Ref: https://kubernetes.io/docs/user-guide/services/#external-ips + ## + externalIPs: [] + + # loadBalancerIP: "" + loadBalancerSourceRanges: [] + servicePort: 80 + type: ClusterIP + + priorityClassName: "" + +## Enable RBAC as per https://github.com/kubernetes/ingress/tree/master/examples/rbac/nginx and https://github.com/kubernetes/ingress/issues/266 +rbac: + create: true + scope: false + +# If true, create & use Pod Security Policy resources +# https://kubernetes.io/docs/concepts/policy/pod-security-policy/ +podSecurityPolicy: + enabled: false + +serviceAccount: + create: true + name: + +## Optional array of imagePullSecrets containing private registry credentials +## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ +imagePullSecrets: [] +# - name: secretName + +# TCP service key:value pairs +# Ref: https://github.com/kubernetes/contrib/tree/master/ingress/controllers/nginx/examples/tcp +## +tcp: {} +# 8080: "default/example-tcp-svc:9000" + +# UDP service key:value pairs +# Ref: https://github.com/kubernetes/contrib/tree/master/ingress/controllers/nginx/examples/udp +## +udp: {} +# 53: "kube-system/kube-dns:53" -- GitLab From cc53d99463f64fc018514bbb008dc169e2ae4550 Mon Sep 17 00:00:00 2001 
From: Mitchell Nielsen Date: Thu, 3 Dec 2020 12:36:02 -0500 Subject: [PATCH 02/16] Add 'if .Values.enabled' to each template Adds `if .Values.enabled` to each template so we can conditionally disable it from the values file. This would be built-in if importing it in requirements.yaml, but since we're currently importing this chart, we have to do this part by hand. --- charts/ingress-nginx/templates/clusterrole.yaml | 2 ++ charts/ingress-nginx/templates/clusterrolebinding.yaml | 2 ++ .../templates/controller-configmap-addheaders.yaml | 2 ++ .../templates/controller-configmap-proxyheaders.yaml | 2 ++ charts/ingress-nginx/templates/controller-configmap-tcp.yaml | 2 ++ charts/ingress-nginx/templates/controller-configmap-udp.yaml | 2 ++ charts/ingress-nginx/templates/controller-configmap.yaml | 2 ++ charts/ingress-nginx/templates/controller-daemonset.yaml | 2 ++ charts/ingress-nginx/templates/controller-deployment.yaml | 2 ++ charts/ingress-nginx/templates/controller-hpa.yaml | 3 ++- charts/ingress-nginx/templates/controller-keda.yaml | 2 ++ .../templates/controller-poddisruptionbudget.yaml | 2 ++ charts/ingress-nginx/templates/controller-prometheusrules.yaml | 2 ++ charts/ingress-nginx/templates/controller-psp.yaml | 2 ++ charts/ingress-nginx/templates/controller-role.yaml | 2 ++ charts/ingress-nginx/templates/controller-rolebinding.yaml | 2 ++ .../ingress-nginx/templates/controller-service-internal.yaml | 2 ++ charts/ingress-nginx/templates/controller-service-metrics.yaml | 2 ++ charts/ingress-nginx/templates/controller-service-webhook.yaml | 2 ++ charts/ingress-nginx/templates/controller-service.yaml | 2 ++ charts/ingress-nginx/templates/controller-serviceaccount.yaml | 2 ++ charts/ingress-nginx/templates/controller-servicemonitor.yaml | 2 ++ charts/ingress-nginx/templates/default-backend-deployment.yaml | 2 ++ charts/ingress-nginx/templates/default-backend-hpa.yaml | 2 ++ .../templates/default-backend-poddisruptionbudget.yaml | 2 ++ 
charts/ingress-nginx/templates/default-backend-psp.yaml | 2 ++ charts/ingress-nginx/templates/default-backend-role.yaml | 2 ++ .../ingress-nginx/templates/default-backend-rolebinding.yaml | 2 ++ charts/ingress-nginx/templates/default-backend-service.yaml | 2 ++ .../templates/default-backend-serviceaccount.yaml | 2 ++ 30 files changed, 60 insertions(+), 1 deletion(-)
diff --git a/charts/ingress-nginx/templates/clusterrole.yaml b/charts/ingress-nginx/templates/clusterrole.yaml
index 2035f549a2..3356ce289d 100644
--- a/charts/ingress-nginx/templates/clusterrole.yaml
+++ b/charts/ingress-nginx/templates/clusterrole.yaml
@@ -1,3 +1,4 @@
+{{- if .Values.enabled -}}
 {{- if and .Values.rbac.create (not .Values.rbac.scope) -}}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
@@ -74,3 +75,4 @@ rules:
 - list
 - watch
 {{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/ingress-nginx/templates/clusterrolebinding.yaml b/charts/ingress-nginx/templates/clusterrolebinding.yaml
index a341f5280e..bf651c07c3 100644
--- a/charts/ingress-nginx/templates/clusterrolebinding.yaml
+++ b/charts/ingress-nginx/templates/clusterrolebinding.yaml
@@ -1,3 +1,4 @@
+{{- if .Values.enabled -}}
 {{- if and .Values.rbac.create (not .Values.rbac.scope) -}}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
@@ -14,3 +15,4 @@ subjects:
 name: {{ template "ingress-nginx.serviceAccountName" . }}
 namespace: {{ .Release.Namespace }}
 {{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/ingress-nginx/templates/controller-configmap-addheaders.yaml b/charts/ingress-nginx/templates/controller-configmap-addheaders.yaml
index c064589581..08687e5fd4 100644
--- a/charts/ingress-nginx/templates/controller-configmap-addheaders.yaml
+++ b/charts/ingress-nginx/templates/controller-configmap-addheaders.yaml
@@ -1,3 +1,4 @@
+{{- if .Values.enabled -}}
 {{- if .Values.controller.addHeaders -}}
 apiVersion: v1
 kind: ConfigMap
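Review bot: The guard added as the first line of clusterrole.yaml, `{{- if .Values.enabled -}}`, reads a key that the values.yaml imported in patch 01 never defines, and this patch's diffstat does not touch values.yaml, so unless a later patch in the series adds it, all 30 gated templates render nothing by default. Declaring the key at the top level of values.yaml with a comment stating the intended default, e.g. `enabled: false` followed by `# set to true to render the ingress-nginx resources`, would make the switch visible to whoever overrides it. The diffstat also lists none of the admission-webhook job-patch templates imported in patch 01. If those are still gated only by `controller.admissionWebhooks.enabled` (default `true`, with `failurePolicy: Fail`), turning the chart off would presumably leave the webhook registration, its certificate job and that job's ClusterRole installed while the webhook Service from controller-service-webhook.yaml is removed, so they need the same guard. The point applies to every hunk in this patch that adds the guard.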
@@ -8,3 +9,4 @@ metadata:
 name: {{ include "ingress-nginx.fullname" . }}-custom-add-headers
 data: {{ toYaml .Values.controller.addHeaders | nindent 2 }}
 {{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/ingress-nginx/templates/controller-configmap-proxyheaders.yaml b/charts/ingress-nginx/templates/controller-configmap-proxyheaders.yaml
index 5a1b25229b..64e6bc1b6f 100644
--- a/charts/ingress-nginx/templates/controller-configmap-proxyheaders.yaml
+++ b/charts/ingress-nginx/templates/controller-configmap-proxyheaders.yaml
@@ -1,3 +1,4 @@
+{{- if .Values.enabled -}}
 {{- if or .Values.controller.proxySetHeaders .Values.controller.headers -}}
 apiVersion: v1
 kind: ConfigMap
@@ -13,3 +14,4 @@ data:
 {{ toYaml .Values.controller.headers | indent 2 }}
 {{- end }}
 {{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/ingress-nginx/templates/controller-configmap-tcp.yaml b/charts/ingress-nginx/templates/controller-configmap-tcp.yaml
index bc972517c7..0e465a1a86 100644
--- a/charts/ingress-nginx/templates/controller-configmap-tcp.yaml
+++ b/charts/ingress-nginx/templates/controller-configmap-tcp.yaml
@@ -1,3 +1,4 @@
+{{- if .Values.enabled -}}
 {{- if .Values.tcp -}}
 apiVersion: v1
 kind: ConfigMap
@@ -11,3 +12,4 @@ metadata:
 name: {{ include "ingress-nginx.fullname" . }}-tcp
 data: {{ tpl (toYaml .Values.tcp) . | nindent 2 }}
 {{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/ingress-nginx/templates/controller-configmap-udp.yaml b/charts/ingress-nginx/templates/controller-configmap-udp.yaml
index a9dc388f10..d487b99ce7 100644
--- a/charts/ingress-nginx/templates/controller-configmap-udp.yaml
+++ b/charts/ingress-nginx/templates/controller-configmap-udp.yaml
@@ -1,3 +1,4 @@
+{{- if .Values.enabled -}}
 {{- if .Values.udp -}}
 apiVersion: v1
 kind: ConfigMap
@@ -11,3 +12,4 @@ metadata:
 name: {{ include "ingress-nginx.fullname" . }}-udp
 data: {{ tpl (toYaml .Values.udp) . | nindent 2 }}
 {{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/ingress-nginx/templates/controller-configmap.yaml b/charts/ingress-nginx/templates/controller-configmap.yaml
index 5b0d371055..a6b0a8af31 100644
--- a/charts/ingress-nginx/templates/controller-configmap.yaml
+++ b/charts/ingress-nginx/templates/controller-configmap.yaml
@@ -1,3 +1,4 @@
+{{- if .Values.enabled -}}
 apiVersion: v1
 kind: ConfigMap
 metadata:
@@ -18,3 +19,4 @@ data:
 {{- if .Values.controller.config }}
 {{ toYaml .Values.controller.config | nindent 2 }}
 {{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/ingress-nginx/templates/controller-daemonset.yaml b/charts/ingress-nginx/templates/controller-daemonset.yaml
index aa8693b47e..69ed96ecaa 100644
--- a/charts/ingress-nginx/templates/controller-daemonset.yaml
+++ b/charts/ingress-nginx/templates/controller-daemonset.yaml
@@ -1,3 +1,4 @@
+{{- if .Values.enabled -}}
 {{- if or (eq .Values.controller.kind "DaemonSet") (eq .Values.controller.kind "Both") -}}
 {{- include "isControllerTagValid" . -}}
 apiVersion: apps/v1
@@ -253,3 +254,4 @@ spec:
 {{- end }}
 {{- end }}
 {{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/ingress-nginx/templates/controller-deployment.yaml b/charts/ingress-nginx/templates/controller-deployment.yaml
index 5b9162b745..36666184c5 100644
--- a/charts/ingress-nginx/templates/controller-deployment.yaml
+++ b/charts/ingress-nginx/templates/controller-deployment.yaml
@@ -1,3 +1,4 @@
+{{- if .Values.enabled }}
 {{- if or (eq .Values.controller.kind "Deployment") (eq .Values.controller.kind "Both") -}}
 {{- include "isControllerTagValid" . -}}
 apiVersion: apps/v1
@@ -256,4 +257,5 @@ spec:
 {{ toYaml .Values.controller.extraVolumes | nindent 8 }}
 {{- end }}
 {{- end }}
+{{- end }}
 {{- end }}
\ No newline at end of file
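Review bot: The guard in controller-deployment.yaml is written `{{- if .Values.enabled }}`, without the right-hand trim marker that every other guard in this patch carries, and its closing `{{- end }}` is inserted above the file's existing last line instead of below it. Rendering should be unaffected because the next action opens with `{{-`, but using `{{- if .Values.enabled -}}` and appending the closing `{{- end }}` as the final line keeps the hand-added gate identical across all 30 templates. That makes it easy to find and re-apply when the upstream chart is imported again. The Deployment body itself lies outside both hunks.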
diff --git a/charts/ingress-nginx/templates/controller-hpa.yaml b/charts/ingress-nginx/templates/controller-hpa.yaml index b46807fc1f..2faab35cc0 100644 --- a/charts/ingress-nginx/templates/controller-hpa.yaml +++ b/charts/ingress-nginx/templates/controller-hpa.yaml @@ -1,3 +1,4 @@ +{{- if .Values.enabled -}} {{- if and .Values.controller.autoscaling.enabled (or (eq .Values.controller.kind "Deployment") (eq .Values.controller.kind "Both")) -}} {{- if not .Values.controller.keda.enabled }} @@ -37,4 +38,4 @@ spec: {{- end }} {{- end }} {{- end }} - +{{- end }} \ No newline at end of file diff --git a/charts/ingress-nginx/templates/controller-keda.yaml b/charts/ingress-nginx/templates/controller-keda.yaml index 7c391de9dc..4e0ddea9cd 100644 --- a/charts/ingress-nginx/templates/controller-keda.yaml +++ b/charts/ingress-nginx/templates/controller-keda.yaml @@ -1,3 +1,4 @@ +{{- if .Values.enabled -}} {{- if .Values.controller.keda.enabled }} # https://keda.sh/docs/ @@ -31,3 +32,4 @@ spec: {{- end }} {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/ingress-nginx/templates/controller-poddisruptionbudget.yaml b/charts/ingress-nginx/templates/controller-poddisruptionbudget.yaml index 9dc8789112..ab7457f4b4 100644 --- a/charts/ingress-nginx/templates/controller-poddisruptionbudget.yaml +++ b/charts/ingress-nginx/templates/controller-poddisruptionbudget.yaml @@ -1,3 +1,4 @@ +{{- if .Values.enabled -}} {{- if or (and .Values.controller.autoscaling.enabled (gt (.Values.controller.autoscaling.minReplicas | int) 1)) (gt (.Values.controller.replicaCount | int) 1) -}} apiVersion: policy/v1beta1 kind: PodDisruptionBudget @@ -13,3 +14,4 @@ spec: app.kubernetes.io/component: controller minAvailable: {{ .Values.controller.minAvailable }} {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/ingress-nginx/templates/controller-prometheusrules.yaml b/charts/ingress-nginx/templates/controller-prometheusrules.yaml index c0b7e89ca5..b44b0d7284 100644 
--- a/charts/ingress-nginx/templates/controller-prometheusrules.yaml
+++ b/charts/ingress-nginx/templates/controller-prometheusrules.yaml
@@ -1,3 +1,4 @@
+{{- if .Values.enabled -}}
 {{- if and .Values.controller.metrics.enabled .Values.controller.metrics.prometheusRule.enabled -}}
 apiVersion: monitoring.coreos.com/v1
 kind: PrometheusRule
@@ -19,3 +20,4 @@ spec:
 rules: {{- toYaml .Values.controller.metrics.prometheusRule.rules | nindent 4 }}
 {{- end }}
 {{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/ingress-nginx/templates/controller-psp.yaml b/charts/ingress-nginx/templates/controller-psp.yaml
index bcf588c3c4..8c6ff53e2a 100644
--- a/charts/ingress-nginx/templates/controller-psp.yaml
+++ b/charts/ingress-nginx/templates/controller-psp.yaml
@@ -1,3 +1,4 @@
+{{- if .Values.enabled -}}
 {{- if .Values.podSecurityPolicy.enabled -}}
 apiVersion: policy/v1beta1
 kind: PodSecurityPolicy
@@ -84,3 +85,4 @@ spec:
 seLinux:
 rule: 'RunAsAny'
 {{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/ingress-nginx/templates/controller-role.yaml b/charts/ingress-nginx/templates/controller-role.yaml
index f2e3927448..3e6bcf1490 100644
--- a/charts/ingress-nginx/templates/controller-role.yaml
+++ b/charts/ingress-nginx/templates/controller-role.yaml
@@ -1,3 +1,4 @@
+{{- if .Values.enabled -}}
 {{- if .Values.rbac.create -}}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
@@ -94,3 +95,4 @@ rules:
 resourceNames: [{{ include "ingress-nginx.fullname" . }}]
 {{- end }}
 {{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/ingress-nginx/templates/controller-rolebinding.yaml b/charts/ingress-nginx/templates/controller-rolebinding.yaml
index 5031350884..75125cc039 100644
--- a/charts/ingress-nginx/templates/controller-rolebinding.yaml
+++ b/charts/ingress-nginx/templates/controller-rolebinding.yaml
@@ -1,3 +1,4 @@
+{{- if .Values.enabled -}}
 {{- if .Values.rbac.create -}}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
@@ -15,3 +16,4 @@ subjects:
 name: {{ template "ingress-nginx.serviceAccountName" . }}
 namespace: {{ .Release.Namespace }}
 {{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/ingress-nginx/templates/controller-service-internal.yaml b/charts/ingress-nginx/templates/controller-service-internal.yaml
index 54888e9658..d4d5279d82 100644
--- a/charts/ingress-nginx/templates/controller-service-internal.yaml
+++ b/charts/ingress-nginx/templates/controller-service-internal.yaml
@@ -1,3 +1,4 @@
+{{- if .Values.enabled -}}
 {{- if and .Values.controller.service.enabled .Values.controller.service.internal.enabled .Values.controller.service.internal.annotations}}
 apiVersion: v1
 kind: Service
@@ -45,3 +46,4 @@ spec:
 {{- include "ingress-nginx.selectorLabels" . | nindent 4 }}
 app.kubernetes.io/component: controller
 {{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/ingress-nginx/templates/controller-service-metrics.yaml b/charts/ingress-nginx/templates/controller-service-metrics.yaml
index b01f460afd..9c5cf5c1cf 100644
--- a/charts/ingress-nginx/templates/controller-service-metrics.yaml
+++ b/charts/ingress-nginx/templates/controller-service-metrics.yaml
@@ -1,3 +1,4 @@
+{{- if .Values.enabled -}}
 {{- if .Values.controller.metrics.enabled -}}
 apiVersion: v1
 kind: Service
@@ -41,3 +42,4 @@ spec:
 {{- include "ingress-nginx.selectorLabels" . | nindent 4 }}
 app.kubernetes.io/component: controller
 {{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/ingress-nginx/templates/controller-service-webhook.yaml b/charts/ingress-nginx/templates/controller-service-webhook.yaml
index 7a4dd51db2..f5277b8bf4 100644
--- a/charts/ingress-nginx/templates/controller-service-webhook.yaml
+++ b/charts/ingress-nginx/templates/controller-service-webhook.yaml
@@ -1,3 +1,4 @@
+{{- if .Values.enabled -}}
 {{- if .Values.controller.admissionWebhooks.enabled -}}
 apiVersion: v1
 kind: Service
@@ -31,3 +32,4 @@ spec: {{- include "ingress-nginx.selectorLabels" . | nindent 4 }} app.kubernetes.io/component: controller {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/ingress-nginx/templates/controller-service.yaml b/charts/ingress-nginx/templates/controller-service.yaml index 9db734deb6..238b0f2a2c 100644 --- a/charts/ingress-nginx/templates/controller-service.yaml +++ b/charts/ingress-nginx/templates/controller-service.yaml @@ -1,3 +1,4 @@ +{{- if .Values.enabled -}} {{- if .Values.controller.service.enabled -}} apiVersion: v1 kind: Service @@ -82,3 +83,4 @@ spec: {{- include "ingress-nginx.selectorLabels" . | nindent 4 }} app.kubernetes.io/component: controller {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/ingress-nginx/templates/controller-serviceaccount.yaml b/charts/ingress-nginx/templates/controller-serviceaccount.yaml index 43585076c6..bb7fae27f5 100644 --- a/charts/ingress-nginx/templates/controller-serviceaccount.yaml +++ b/charts/ingress-nginx/templates/controller-serviceaccount.yaml @@ -1,3 +1,4 @@ +{{- if .Values.enabled -}} {{- if or .Values.serviceAccount.create -}} apiVersion: v1 kind: ServiceAccount @@ -7,3 +8,4 @@ metadata: app.kubernetes.io/component: controller name: {{ template "ingress-nginx.serviceAccountName" . }} {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/ingress-nginx/templates/controller-servicemonitor.yaml b/charts/ingress-nginx/templates/controller-servicemonitor.yaml index 68b1c922ba..8ba38f997c 100644 --- a/charts/ingress-nginx/templates/controller-servicemonitor.yaml +++ b/charts/ingress-nginx/templates/controller-servicemonitor.yaml @@ -1,3 +1,4 @@ +{{- if .Values.enabled -}} {{- if and .Values.controller.metrics.enabled .Values.controller.metrics.serviceMonitor.enabled -}} apiVersion: monitoring.coreos.com/v1 kind: ServiceMonitor 
@@ -40,3 +41,4 @@ spec: {{- include "ingress-nginx.selectorLabels" . | nindent 6 }} app.kubernetes.io/component: controller {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/ingress-nginx/templates/default-backend-deployment.yaml b/charts/ingress-nginx/templates/default-backend-deployment.yaml index 0baec8b46a..ae1c2f4ccd 100644 --- a/charts/ingress-nginx/templates/default-backend-deployment.yaml +++ b/charts/ingress-nginx/templates/default-backend-deployment.yaml @@ -1,3 +1,4 @@ +{{- if .Values.enabled -}} {{- if .Values.defaultBackend.enabled -}} apiVersion: apps/v1 kind: Deployment @@ -103,3 +104,4 @@ spec: {{- end }} terminationGracePeriodSeconds: 60 {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/ingress-nginx/templates/default-backend-hpa.yaml b/charts/ingress-nginx/templates/default-backend-hpa.yaml index 7f345ce9cd..e19e32773a 100644 --- a/charts/ingress-nginx/templates/default-backend-hpa.yaml +++ b/charts/ingress-nginx/templates/default-backend-hpa.yaml @@ -1,3 +1,4 @@ +{{- if .Values.enabled -}} {{- if .Values.defaultBackend.autoscaling.enabled }} apiVersion: autoscaling/v2beta1 kind: HorizontalPodAutoscaler @@ -27,3 +28,4 @@ spec: targetAverageUtilization: {{ . }} {{- end }} {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/ingress-nginx/templates/default-backend-poddisruptionbudget.yaml b/charts/ingress-nginx/templates/default-backend-poddisruptionbudget.yaml index 327d809b95..b2446020a2 100644 --- a/charts/ingress-nginx/templates/default-backend-poddisruptionbudget.yaml +++ b/charts/ingress-nginx/templates/default-backend-poddisruptionbudget.yaml @@ -1,3 +1,4 @@ +{{- if .Values.enabled -}} {{- if or (gt (.Values.defaultBackend.replicaCount | int) 1) (gt (.Values.defaultBackend.autoscaling.minReplicas | int) 1) }} apiVersion: policy/v1beta1 kind: PodDisruptionBudget 
@@ -13,3 +14,4 @@ spec: app.kubernetes.io/component: default-backend minAvailable: {{ .Values.defaultBackend.minAvailable }} {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/ingress-nginx/templates/default-backend-psp.yaml b/charts/ingress-nginx/templates/default-backend-psp.yaml index 055f434dbe..207c8df26e 100644 --- a/charts/ingress-nginx/templates/default-backend-psp.yaml +++ b/charts/ingress-nginx/templates/default-backend-psp.yaml @@ -1,3 +1,4 @@ +{{- if .Values.enabled -}} {{- if and .Values.podSecurityPolicy.enabled .Values.defaultBackend.enabled -}} apiVersion: policy/v1beta1 kind: PodSecurityPolicy @@ -31,3 +32,4 @@ spec: - secret - downwardAPI {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/ingress-nginx/templates/default-backend-role.yaml b/charts/ingress-nginx/templates/default-backend-role.yaml index 23498de22e..a19e265053 100644 --- a/charts/ingress-nginx/templates/default-backend-role.yaml +++ b/charts/ingress-nginx/templates/default-backend-role.yaml @@ -1,3 +1,4 @@ +{{- if .Values.enabled -}} {{- if and .Values.rbac.create .Values.podSecurityPolicy.enabled .Values.defaultBackend.enabled -}} apiVersion: rbac.authorization.k8s.io/v1 kind: Role @@ -12,3 +13,4 @@ rules: verbs: ['use'] resourceNames: [{{ include "ingress-nginx.fullname" . }}-backend] {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/ingress-nginx/templates/default-backend-rolebinding.yaml b/charts/ingress-nginx/templates/default-backend-rolebinding.yaml index 45558aac1a..fcfcd27aec 100644 --- a/charts/ingress-nginx/templates/default-backend-rolebinding.yaml +++ b/charts/ingress-nginx/templates/default-backend-rolebinding.yaml @@ -1,3 +1,4 @@ +{{- if .Values.enabled -}} {{- if and .Values.rbac.create .Values.podSecurityPolicy.enabled .Values.defaultBackend.enabled -}} apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding 
@@ -15,3 +16,4 @@ subjects: name: {{ template "ingress-nginx.defaultBackend.serviceAccountName" . }} namespace: {{ .Release.Namespace }} {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/ingress-nginx/templates/default-backend-service.yaml b/charts/ingress-nginx/templates/default-backend-service.yaml index e74714d924..4e8ad42d67 100644 --- a/charts/ingress-nginx/templates/default-backend-service.yaml +++ b/charts/ingress-nginx/templates/default-backend-service.yaml @@ -1,3 +1,4 @@ +{{- if .Values.enabled -}} {{- if .Values.defaultBackend.enabled -}} apiVersion: v1 kind: Service @@ -32,3 +33,4 @@ spec: {{- include "ingress-nginx.selectorLabels" . | nindent 4 }} app.kubernetes.io/component: default-backend {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/ingress-nginx/templates/default-backend-serviceaccount.yaml b/charts/ingress-nginx/templates/default-backend-serviceaccount.yaml index 96419cfa0a..bfb21c1164 100644 --- a/charts/ingress-nginx/templates/default-backend-serviceaccount.yaml +++ b/charts/ingress-nginx/templates/default-backend-serviceaccount.yaml @@ -1,3 +1,4 @@ +{{- if .Values.enabled -}} {{- if and .Values.defaultBackend.enabled .Values.defaultBackend.serviceAccount.create -}} apiVersion: v1 kind: ServiceAccount @@ -7,3 +8,4 @@ metadata: app.kubernetes.io/component: default-backend name: {{ template "ingress-nginx.defaultBackend.serviceAccountName" . }} {{- end }} +{{- end }} \ No newline at end of file -- GitLab From 9b3c078ac9c1e7e1cd4d07843f34080f96ff63d4 Mon Sep 17 00:00:00 2001 From: Mitchell Nielsen Date: Thu, 3 Dec 2020 12:50:18 -0500 Subject: [PATCH 03/16] Add GitLab-provided helpers Adds GitLab-provided helpers to the ingress-nginx chart related to templating the names of the TCP configmap and ingress class. --- charts/ingress-nginx/templates/_helpers.tpl | 14 ++++++++++++++ 1 file changed, 14 insertions(+) 
diff --git a/charts/ingress-nginx/templates/_helpers.tpl b/charts/ingress-nginx/templates/_helpers.tpl index 0e04c27b42..1606cf3a02 100644 --- a/charts/ingress-nginx/templates/_helpers.tpl +++ b/charts/ingress-nginx/templates/_helpers.tpl @@ -121,4 +121,18 @@ Check the ingress controller version tag is at most three versions behind the la {{- if not (semverCompare ">=0.27.0-0" .Values.controller.image.tag) -}} {{- fail "Controller container image tag should be 0.27.0 or higher" -}} {{- end -}} +{{- end -}} + +{{/* GitLab-provided partials starting below */}} + +{{- define "nginx-ingress.tcp-configmap" -}} +{{ default (printf "%s-%s" (include "nginx-ingress.fullname" .) "tcp") .Values.tcpExternalConfig }} +{{- end -}} + +{{- define "nginx-ingress.controller.ingress-class" -}} +{{- if not .Values.controller.ingressClass -}} +{{ .Release.Name }}-nginx +{{- else -}} +nginx +{{- end -}} {{- end -}} \ No newline at end of file -- GitLab From 6693bd84728f1b4cf4938458baf8a42a5da93a49 Mon Sep 17 00:00:00 2001 From: Mitchell Nielsen Date: Thu, 3 Dec 2020 12:51:24 -0500 Subject: [PATCH 04/16] Inject GitLab-provided templates Injects the GitLab-provided templates into the relevant places in the ingress chart. These are the core of what we're changing in the chart, and ideally we can genericize these enough to submit an MR upstream and then directly import the chart in requirements.yaml rather than "forking" (copy/pasting). --- .../templates/controller-configmap-tcp.yaml | 5 +++-- charts/ingress-nginx/templates/controller-daemonset.yaml | 9 ++++++--- .../ingress-nginx/templates/controller-deployment.yaml | 9 ++++++--- charts/ingress-nginx/templates/controller-role.yaml | 2 +- 4 files changed, 16 insertions(+), 9 deletions(-) diff --git a/charts/ingress-nginx/templates/controller-configmap-tcp.yaml b/charts/ingress-nginx/templates/controller-configmap-tcp.yaml index 0e465a1a86..f019430c27 100644 --- a/charts/ingress-nginx/templates/controller-configmap-tcp.yaml 
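Review bot: The `{{- else -}}` branch of `nginx-ingress.controller.ingress-class` prints the literal `nginx`, so any value set in `controller.ingressClass` is discarded; the branch should emit `{{ .Values.controller.ingressClass }}`. The helper's output becomes the controller's `--ingress-class` argument and part of the leader-election ConfigMap name in the Role's `resourceNames` (both wired up in the next commit), so two releases configured with different classes would both end up claiming class `nginx`. Separately, `nginx-ingress.tcp-configmap` calls `include "nginx-ingress.fullname"`, while the helpers used elsewhere in this chart are named `ingress-nginx.*`. Unless a parent chart defines that name, rendering fails; `(include "ingress-nginx.fullname" .)` would keep the chart self-contained.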
+++ b/charts/ingress-nginx/templates/controller-configmap-tcp.yaml @@ -1,5 +1,5 @@ {{- if .Values.enabled -}} -{{- if .Values.tcp -}} +{{- if and .Values.tcp (not .Values.tcpExternalConfig) -}} apiVersion: v1 kind: ConfigMap metadata: @@ -9,7 +9,8 @@ metadata: {{- if .Values.controller.tcp.annotations }} annotations: {{ toYaml .Values.controller.tcp.annotations | nindent 4 }} {{- end }} - name: {{ include "ingress-nginx.fullname" . }}-tcp + name: {{ template "nginx-ingress.tcp-configmap" . }} + namespace: {{ $.Release.Namespace }} data: {{ tpl (toYaml .Values.tcp) . | nindent 2 }} {{- end }} {{- end }} \ No newline at end of file diff --git a/charts/ingress-nginx/templates/controller-daemonset.yaml b/charts/ingress-nginx/templates/controller-daemonset.yaml index 69ed96ecaa..f6b3d81b67 100644 --- a/charts/ingress-nginx/templates/controller-daemonset.yaml +++ b/charts/ingress-nginx/templates/controller-daemonset.yaml @@ -80,10 +80,10 @@ spec: - --publish-service={{ template "ingress-nginx.controller.publishServicePath" . }} {{- end }} - --election-id={{ .Values.controller.electionID }} - - --ingress-class={{ .Values.controller.ingressClass }} + - --ingress-class={{ template "nginx-ingress.controller.ingress-class" . }} - --configmap={{ .Release.Namespace }}/{{ include "ingress-nginx.controller.fullname" . }} - {{- if .Values.tcp }} - - --tcp-services-configmap={{ .Release.Namespace }}/{{ include "ingress-nginx.fullname" . }}-tcp + {{- if or .Values.tcp (include "gitlab.shell.port" $ ) }} + - --tcp-services-configmap={{ .Release.Namespace }}/{{ template "nginx-ingress.fullname" . }}-tcp {{- end }} {{- if .Values.udp }} - --udp-services-configmap={{ .Release.Namespace }}/{{ include "ingress-nginx.fullname" . }}-udp 
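Review bot: The DaemonSet's `--tcp-services-configmap` argument is built from `{{ template "nginx-ingress.fullname" . }}-tcp`, while controller-deployment.yaml in this commit uses the `nginx-ingress.tcp-configmap` helper for the same argument. With `tcpExternalConfig` set, controller-configmap-tcp.yaml no longer renders its ConfigMap, so a DaemonSet install would point the controller at the `-tcp` name that the override was meant to replace. I would use the same line as the Deployment: `- --tcp-services-configmap={{ .Release.Namespace }}/{{ template "nginx-ingress.tcp-configmap" . }}`. The condition also calls `include "gitlab.shell.port" $`, which is not defined anywhere in the visible chart, so the template presumably only renders as a subchart of the GitLab chart; a comment saying so would help.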
@@ -176,6 +176,9 @@ spec: containerPort: {{ .Values.controller.admissionWebhooks.port }} protocol: TCP {{- end }} + - name: gitlab-shell + containerPort: {{ include "gitlab.shell.port" $ | int }} + protocol: TCP {{- range $key, $value := .Values.tcp }} - name: {{ $key }}-tcp containerPort: {{ $key }} diff --git a/charts/ingress-nginx/templates/controller-deployment.yaml b/charts/ingress-nginx/templates/controller-deployment.yaml index 36666184c5..67503425c8 100644 --- a/charts/ingress-nginx/templates/controller-deployment.yaml +++ b/charts/ingress-nginx/templates/controller-deployment.yaml @@ -84,10 +84,10 @@ spec: - --publish-service={{ template "ingress-nginx.controller.publishServicePath" . }} {{- end }} - --election-id={{ .Values.controller.electionID }} - - --ingress-class={{ .Values.controller.ingressClass }} + - --ingress-class={{ template "nginx-ingress.controller.ingress-class" . }} - --configmap=$(POD_NAMESPACE)/{{ include "ingress-nginx.controller.fullname" . }} - {{- if .Values.tcp }} - - --tcp-services-configmap=$(POD_NAMESPACE)/{{ include "ingress-nginx.fullname" . }}-tcp + {{- if or .Values.tcp ( include "gitlab.shell.port" $ ) }} + - --tcp-services-configmap={{ .Release.Namespace }}/{{ template "nginx-ingress.tcp-configmap" . }} {{- end }} {{- if .Values.udp }} - --udp-services-configmap=$(POD_NAMESPACE)/{{ include "ingress-nginx.fullname" . }}-udp @@ -180,6 +180,9 @@ spec: containerPort: {{ .Values.controller.admissionWebhooks.port }} protocol: TCP {{- end }} + - name: gitlab-shell + containerPort: {{ include "gitlab.shell.port" $ | int }} + protocol: TCP {{- range $key, $value := .Values.tcp }} - name: {{ $key }}-tcp containerPort: {{ $key }} diff --git a/charts/ingress-nginx/templates/controller-role.yaml b/charts/ingress-nginx/templates/controller-role.yaml index 3e6bcf1490..69467c8d9c 100644 --- a/charts/ingress-nginx/templates/controller-role.yaml +++ b/charts/ingress-nginx/templates/controller-role.yaml 
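Review bot: The `gitlab-shell` entry added to `ports` in controller-daemonset.yaml is emitted unconditionally, and controller-deployment.yaml gets the same three lines. The args hunks of both files treat `include "gitlab.shell.port" $` as possibly empty, and an empty result piped through `int` renders `containerPort: 0`, which the API server rejects as outside 1-65535. Wrapping the entry in `{{- if (include "gitlab.shell.port" $) }}` … `{{- end }}` keeps the pod spec valid and avoids declaring an SSH port on controllers that do not proxy one. Both container specs continue outside the hunks.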
@@ -63,7 +63,7 @@ rules: resources: - configmaps resourceNames: - - {{ .Values.controller.electionID }}-{{ .Values.controller.ingressClass }} + - {{ .Values.controller.electionID }}-{{ template "nginx-ingress.controller.ingress-class" . }} verbs: - get - update -- GitLab From 547d9e445a2098efd125e5e33f237243f853dabb Mon Sep 17 00:00:00 2001 From: Mitchell Nielsen Date: Thu, 3 Dec 2020 12:52:41 -0500 Subject: [PATCH 05/16] Add index.md from previous nginx chart Adds the index.md that was in the previous/old nginx chart directory. --- charts/ingress-nginx/index.md | 288 ++++++++++++++++++++++++++++++++++ 1 file changed, 288 insertions(+) create mode 100644 charts/ingress-nginx/index.md diff --git a/charts/ingress-nginx/index.md b/charts/ingress-nginx/index.md new file mode 100644 index 0000000000..10c2595830 --- /dev/null +++ b/charts/ingress-nginx/index.md 
@@ -0,0 +1,288 @@ +Forked from https://github.com/kubernetes/charts/tree/master/stable/nginx-ingress +* tcp-configmap.yaml: is optional depending on new `tcpExternalConfig` setting +* Ability to use a templated tcp configmap name from another chart + * tcp-configmap.yaml: `.metadata.name` is a template `nginx-ingress.tcp-configmap` + * controller-deployment.yaml: `.spec.template.spec.containers[0].args` uses `nginx-ingress.tcp-configmap` template for configmap name + * gitlab chart overrides `nginx-ingress.tcp-configmap` so that gitlab/gitlab-org/charts/gitlab-shell can configure its tcp service +* Ability to use a templated ingress name based on the release name + * controller-deployment.yaml: `.spec.template.spec.containers[0].args` uses `nginx-ingress.controller.ingress-class` + * role.yaml: rule for editing leader configmap uses `nginx-ingress.controller.ingress-class` +* Replace `controller.service.loadBalancerIP` with `global.hosts.externalIP` + +# nginx-ingress + +[nginx-ingress](https://github.com/kubernetes/ingress-nginx) is an Ingress controller that uses ConfigMap to store the nginx configuration. + +To use, add the `kubernetes.io/ingress.class: nginx` annotation to your Ingress resources. + +## TL;DR; + +```console +$ helm install gitlab-nginx stable/nginx-ingress +``` + +NOTE: **Note**: +All Helm commands are specified using Helm v3 syntax. If the +Helm v2 syntax differs every effort is made to provide a note that details +the difference. + +## Introduction + +This chart bootstraps an nginx-ingress deployment on a [Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager. + +## Prerequisites + - Kubernetes 1.6+ + +## Installing the Chart + +To install the chart with the release name `my-release`: + +```console +$ helm install my-release stable/nginx-ingress +``` + +NOTE: **Note**: +When using Helm v2 if a release name was not specified with the `--name` +option it would randomly generate the release name. 
Helm v3 requires that +the release name be specified as a positional argument on the command line +unless the `--generate-name` option is used. + +The command deploys nginx-ingress on the Kubernetes cluster in the default configuration. The [configuration](#configuration) section lists the parameters that can be configured during installation. + +> **Tip**: List all releases using `helm list` + +## Uninstalling the Chart + +To uninstall/delete the `my-release` deployment: + +```console +$ helm uninstall my-release +``` + +NOTE: **Note:** +With Helm v2, you need to use the command `helm delete --purge gitlab`. + +The command removes all the Kubernetes components associated with the chart and deletes the release. + +## Configuration + +The following table lists the configurable parameters of the nginx-ingress chart and their default values. + +Parameter | Description | Default +--- | --- | --- +`controller.name` | name of the controller component | `controller` +`controller.image.repository` | controller container image repository | `quay.io/kubernetes-ingress-controller/nginx-ingress-controller` +`controller.image.tag` | controller container image tag | `0.20.0` +`controller.image.pullPolicy` | controller container image pull policy | `IfNotPresent` +`controller.image.runAsUser` | User ID of the controller process. Value depends on the Linux distribution used inside of the container image. By default uses Debian one. | `33` +`controller.config` | nginx ConfigMap entries | none +`controller.hostNetwork` | If the nginx deployment / daemonset should run on the host's network namespace. 
Do not set this when `controller.service.externalIPs` is set and `kube-proxy` is used as there will be a port-conflict for port `80` | false +`controller.defaultBackendService` | default 404 backend service; required only if `defaultBackend.enabled = false` | `""` +`controller.electionID` | election ID to use for the status update | `ingress-controller-leader` +`controller.extraEnvs` | any additional environment variables to set in the pods | `{}` +`controller.extraContainers` | Sidecar containers to add to the controller pod. See [LemonLDAP::NG controller](https://github.com/lemonldap-ng-controller/lemonldap-ng-controller) as example | `{}` +`controller.extraVolumeMounts` | Additional volumeMounts to the controller main container | `{}` +`controller.extraVolumes` | Additional volumes to the controller pod | `{}` +`controller.extraInitContainers` | Containers, which are run before the app containers are started | `[]` +`controller.ingressClass` | name of the ingress class to route through this controller | `nginx` +`controller.scope.enabled` | limit the scope of the ingress controller | `false` (watch all namespaces) +`controller.scope.namespace` | namespace to watch for ingress | `""` (use the release namespace) +`controller.extraArgs` | Additional controller container arguments | `{}` +`controller.kind` | install as Deployment or DaemonSet | `Deployment` +`controller.daemonset.useHostPort` | If `controller.kind` is `DaemonSet`, this will enable `hostPort` for TCP/80 and TCP/443 | false +`controller.daemonset.hostPorts.http` | If `controller.daemonset.useHostPort` is `true` and this is non-empty, it sets the hostPort | `"80"` +`controller.daemonset.hostPorts.https` | If `controller.daemonset.useHostPort` is `true` and this is non-empty, it sets the hostPort | `"443"` +`controller.tolerations` | node taints to tolerate (requires Kubernetes >=1.6) | `[]` +`controller.affinity` | node/pod affinities (requires Kubernetes >=1.6) | `{}` +`controller.minReadySeconds` | 
how many seconds a pod needs to be ready before killing the next, during update | `0` +`controller.nodeSelector` | node labels for pod assignment | `{}` +`controller.podAnnotations` | annotations to be added to pods | `{}` +`controller.podLabels` | labels to add to the pod container metadata | `{}` +`controller.replicaCount` | desired number of controller pods | `1` +`controller.minAvailable` | minimum number of available controller pods for PodDisruptionBudget | `1` +`controller.resources` | controller pod resource requests & limits | `{}` +`controller.priorityClassName` | controller priorityClassName | `nil` +`controller.lifecycle` | controller pod lifecycle hooks | `{}` +`controller.service.annotations` | annotations for controller service | `{}` +`controller.service.labels` | labels for controller service | `{}` +`controller.publishService.enabled` | if true, the controller will set the endpoint records on the ingress objects to reflect those on the service | `false` +`controller.publishService.pathOverride` | override of the default publish-service name | `""` +`controller.service.clusterIP` | internal controller cluster service IP | `""` +`controller.service.externalIPs` | controller service external IP addresses. Do not set this when `controller.hostNetwork` is set to `true` and `kube-proxy` is used as there will be a port-conflict for port `80` | `[]` +`controller.service.externalTrafficPolicy` | If `controller.service.type` is `NodePort` or `LoadBalancer`, set this to `Local` to enable [source IP preservation](https://kubernetes.io/docs/tutorials/services/source-ip/#source-ip-for-services-with-typenodeport) | `"Local"` +`controller.service.healthCheckNodePort` | If `controller.service.type` is `NodePort` or `LoadBalancer` and `controller.service.externalTrafficPolicy` is set to `Local`, set this to [the managed health-check port the kube-proxy will expose](https://kubernetes.io/docs/tutorials/services/source-ip/#source-ip-for-services-with-typenodeport). 
If blank, a random port in the `NodePort` range will be assigned | `""` +`global.hosts.externalIP` | IP address to assign to load balancer (if supported) | `""` +`controller.service.loadBalancerSourceRanges` | list of IP CIDRs allowed access to load balancer (if supported) | `[]` +`controller.service.enableHttp` | if port 80 should be opened for service | `true` +`controller.service.enableHttps` | if port 443 should be opened for service | `true` +`controller.service.targetPorts.http` | Sets the targetPort that maps to the Ingress' port 80 | `80` +`controller.service.targetPorts.https` | Sets the targetPort that maps to the Ingress' port 443 | `443` +`controller.service.type` | type of controller service to create | `LoadBalancer` +`controller.service.nodePorts.http` | If `controller.service.type` is `NodePort` and this is non-empty, it sets the nodePort that maps to the Ingress' port 80 | `""` +`controller.service.nodePorts.https` | If `controller.service.type` is `NodePort` and this is non-empty, it sets the nodePort that maps to the Ingress' port 443 | `""` +`controller.service.nodePorts.gitlab-shell` | If `controller.service.type` is `NodePort` and this (or `global.shell.port`, with lower priority) is non-empty, it sets the nodePort that maps to the Ingress' port for GitLab-Shell | `""` +`controller.livenessProbe.initialDelaySeconds` | Delay before liveness probe is initiated | 10 +`controller.livenessProbe.periodSeconds` | How often to perform the probe | 10 +`controller.livenessProbe.timeoutSeconds` | When the probe times out | 5 +`controller.livenessProbe.successThreshold` | Minimum consecutive successes for the probe to be considered successful after having failed. | 1 +`controller.livenessProbe.failureThreshold` | Minimum consecutive failures for the probe to be considered failed after having succeeded. | 3 +`controller.livenessProbe.port` | The port number that the liveness probe will listen on. 
| 10254 +`controller.readinessProbe.initialDelaySeconds` | Delay before readiness probe is initiated | 10 +`controller.readinessProbe.periodSeconds` | How often to perform the probe | 10 +`controller.readinessProbe.timeoutSeconds` | When the probe times out | 1 +`controller.readinessProbe.successThreshold` | Minimum consecutive successes for the probe to be considered successful after having failed. | 1 +`controller.readinessProbe.failureThreshold` | Minimum consecutive failures for the probe to be considered failed after having succeeded. | 3 +`controller.readinessProbe.port` | The port number that the readiness probe will listen on. | 10254 +`controller.stats.enabled` | if `true`, enable "vts-status" page | `false` +`controller.stats.service.annotations` | annotations for controller stats service | `{}` +`controller.stats.service.clusterIP` | internal controller stats cluster service IP | `""` +`controller.stats.service.externalIPs` | controller service stats external IP addresses | `[]` +`controller.stats.service.loadBalancerIP` | IP address to assign to load balancer (if supported) | `""` +`controller.stats.service.loadBalancerSourceRanges` | list of IP CIDRs allowed access to load balancer (if supported) | `[]` +`controller.stats.service.type` | type of controller stats service to create | `ClusterIP` +`controller.metrics.enabled` | if `true`, enable Prometheus metrics (`controller.stats.enabled` must be `true` as well) | `false` +`controller.metrics.service.annotations` | annotations for Prometheus metrics service | `{}` +`controller.metrics.service.clusterIP` | cluster IP address to assign to service | `""` +`controller.metrics.service.externalIPs` | Prometheus metrics service external IP addresses | `[]` +`controller.metrics.service.loadBalancerIP` | IP address to assign to load balancer (if supported) | `""` +`controller.metrics.service.loadBalancerSourceRanges` | list of IP CIDRs allowed access to load balancer (if supported) | `[]` 
+`controller.metrics.service.servicePort` | Prometheus metrics service port | `9913` +`controller.metrics.service.targetPort` | Prometheus metrics target port | `10254` +`controller.metrics.service.type` | type of Prometheus metrics service to create | `ClusterIP` +`controller.customTemplate.configMapName` | configMap containing a custom nginx template | `""` +`controller.customTemplate.configMapKey` | configMap key containing the nginx template | `""` +`controller.headers` | configMap key:value pairs containing the [custom headers](https://github.com/kubernetes/ingress-nginx/tree/master/docs/examples/customization/custom-headers) for Nginx | `{Referrer-Policy: strict-origin-when-cross-origin}` +`controller.updateStrategy` | allows setting of RollingUpdate strategy | `{}` +`defaultBackend.enabled` | If false, controller.defaultBackendService must be provided | `true` +`defaultBackend.name` | name of the default backend component | `default-backend` +`defaultBackend.image.repository` | default backend container image repository | `k8s.gcr.io/defaultbackend` +`defaultBackend.image.tag` | default backend container image tag | `1.4` +`defaultBackend.image.pullPolicy` | default backend container image pull policy | `IfNotPresent` +`defaultBackend.extraArgs` | Additional default backend container arguments | `{}` +`defaultBackend.port` | Http port number | `8080` +`defaultBackend.tolerations` | node taints to tolerate (requires Kubernetes >=1.6) | `[]` +`defaultBackend.affinity` | node/pod affinities (requires Kubernetes >=1.6) | `{}` +`defaultBackend.nodeSelector` | node labels for pod assignment | `{}` +`defaultBackend.podAnnotations` | annotations to be added to pods | `{}` +`defaultBackend.podLabels` | labels to add to the pod container metadata | `{}` +`defaultBackend.replicaCount` | desired number of default backend pods | `1` +`defaultBackend.minAvailable` | minimum number of available default backend pods for PodDisruptionBudget | `1` +`defaultBackend.resources` 
| default backend pod resource requests & limits | `{}` +`defaultBackend.priorityClassName` | default backend priorityClassName | `nil` +`defaultBackend.service.annotations` | annotations for default backend service | `{}` +`defaultBackend.service.clusterIP` | internal default backend cluster service IP | `""` +`defaultBackend.service.externalIPs` | default backend service external IP addresses | `[]` +`defaultBackend.service.loadBalancerIP` | IP address to assign to load balancer (if supported) | `""` +`defaultBackend.service.loadBalancerSourceRanges` | list of IP CIDRs allowed access to load balancer (if supported) | `[]` +`defaultBackend.service.type` | type of default backend service to create | `ClusterIP` +`imagePullSecrets` | name of Secret resource containing private registry credentials | `nil` +`rbac.create` | If true, create & use RBAC resources | `true` +`podSecurityPolicy.enabled` | if `true`, create & use Pod Security Policy resources | `false` +`serviceAccount.create` | if `true`, create a service account | `` +`serviceAccount.name` | The name of the service account to use. If not set and `create` is `true`, a name is generated using the fullname template. | `` +`revisionHistoryLimit` | The number of old history to retain to allow rollback. | `10` +`tcp` | TCP service key:value pairs | `{}` +`udp` | UDP service key:value pairs | `{}` + +```console +$ helm install my-release stable/nginx-ingress \ + --set controller.stats.enabled=true +``` + +NOTE: **Note**: +Helm v2 handles specifying the release name differently than Helm v3. +Please see the note in the [Installing the Chart](#installing-the-chart) +section for more information. + +Alternatively, a YAML file that specifies the values for the parameters can be provided while installing the chart. 
For example, + +```console +$ helm install my-release stable/nginx-ingress -f values.yaml +``` + +A useful trick to debug issues with ingress is to increase the logLevel +as described [here](https://github.com/kubernetes/ingress-nginx/blob/master/docs/troubleshooting.md#debug) + +```console +$ helm install my-release stable/nginx-ingress --set controller.extraArgs.v=2 +``` + +## PodDisruptionBudget +Note that the PodDisruptionBudget resource will only be defined if the replicaCount is greater than one, +else it would make it impossible to evacuate a node. See [gh issue #7127](https://github.com/helm/charts/issues/7127) for more info. + +## Prometheus Metrics + +The Nginx ingress controller can export Prometheus metrics. In order for this to work, the VTS dashboard must be enabled as well. + +```console +$ helm install my-release stable/nginx-ingress \ + --set controller.stats.enabled=true \ + --set controller.metrics.enabled=true +``` + +NOTE: **Note**: +Helm v2 handles specifying the release name differently than Helm v3. +Please see the note in the [Installing the Chart](#installing-the-chart) +section for more information. + +You can add Prometheus annotations to the metrics service using `controller.metrics.service.annotations`. Alternatively, if you use the Prometheus Operator, you need to create a ServiceMonitor as follows: + +```yaml +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: nginx-ingress-service-monitor +spec: + jobLabel: nginx-ingress + selector: + matchLabels: + app: nginx-ingress + release: + namespaceSelector: + matchNames: + - + endpoints: + - port: metrics + interval: 30s +``` +> **Tip**: You can use the default [values.yaml](values.yaml) + +## ExternalDNS Service configuration + +Add an [ExternalDNS](https://github.com/kubernetes-sigs/external-dns) annotation to the LoadBalancer service: + +```yaml +annotations: + external-dns.alpha.kubernetes.io/hostname: kubernetes-example.com. 
+``` + +## AWS L7 ELB with SSL Termination + +Annotate the controller as shown in the [nginx-ingress l7 patch](https://github.com/kubernetes/ingress-nginx/blob/master/deploy/provider/aws/service-l7.yaml): + +```yaml +controller: + service: + targetPorts: + http: http + https: http + annotations: + service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:acm:XX-XXXX-X:XXXXXXXXX:certificate/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXX + service.beta.kubernetes.io/aws-load-balancer-backend-protocol: "http" + service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "https" + service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: '3600' +``` + +## AWS route53-mapper + +To configure the LoadBalancer service with the [route53-mapper addon](https://github.com/kubernetes/kops/tree/master/addons/route53-mapper), add the `domainName` annotation and `dns` label: + +```yaml +controller: + service: + labels: + dns: "route53" + annotations: + domainName: "kubernetes-example.com" +``` -- GitLab From aeb8c02f1a208d61ee9cdfd6f2b9f164a02522ef Mon Sep 17 00:00:00 2001 From: Mitchell Nielsen Date: Thu, 3 Dec 2020 13:06:32 -0500 Subject: [PATCH 06/16] Add forked changes info to readme Adds list of changes made to the fork for tracking purposes. --- charts/ingress-nginx/README.md | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/charts/ingress-nginx/README.md b/charts/ingress-nginx/README.md index 37b0ca1fbd..c09522303f 100644 --- a/charts/ingress-nginx/README.md +++ b/charts/ingress-nginx/README.md 
@@ -1,3 +1,14 @@ +Forked from https://github.com/kubernetes/ingress-nginx +* tcp-configmap.yaml: is optional depending on new `tcpExternalConfig` setting +* Ability to use a templated tcp configmap name from another chart + * controller-configmap-tcp.yaml: `.metadata.name` is a template `nginx-ingress.tcp-configmap` + * controller-deployment.yaml: `.spec.template.spec.containers[0].args` uses `nginx-ingress.tcp-configmap` template for configmap name + * gitlab chart overrides `nginx-ingress.tcp-configmap` so that gitlab/gitlab-org/charts/gitlab-shell can configure its tcp service +* Ability to use a templated ingress name based on the release name + * controller-deployment.yaml: `.spec.template.spec.containers[0].args` uses `nginx-ingress.controller.ingress-class` + * role.yaml: rule for editing leader configmap uses `nginx-ingress.controller.ingress-class` +* Replace `controller.service.loadBalancerIP` with `global.hosts.externalIP` + # ingress-nginx [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Ingress controller for Kubernetes using NGINX as a reverse proxy and load balancer -- GitLab From 0c34cde3c612b8257c1c442052b7d81660718995 Mon Sep 17 00:00:00 2001 From: Mitchell Nielsen Date: Thu, 3 Dec 2020 13:06:57 -0500 Subject: [PATCH 07/16] Remove index.md Index.md was actually moved to README.md, so we don't need both. --- charts/ingress-nginx/index.md | 288 ---------------------------------- 1 file changed, 288 deletions(-) delete mode 100644 charts/ingress-nginx/index.md diff --git a/charts/ingress-nginx/index.md b/charts/ingress-nginx/index.md deleted file mode 100644 index 10c2595830..0000000000 --- a/charts/ingress-nginx/index.md +++ /dev/null 
@@ -1,288 +0,0 @@ -Forked from https://github.com/kubernetes/charts/tree/master/stable/nginx-ingress -* tcp-configmap.yaml: is optional depending on new `tcpExternalConfig` setting -* Ability to use a templated tcp configmap name from another chart - * tcp-configmap.yaml: `.metadata.name` is a template `nginx-ingress.tcp-configmap` - * controller-deployment.yaml: `.spec.template.spec.containers[0].args` uses `nginx-ingress.tcp-configmap` template for configmap name - * gitlab chart overrides `nginx-ingress.tcp-configmap` so that gitlab/gitlab-org/charts/gitlab-shell can configure its tcp service -* Ability to use a templated ingress name based on the release name - * controller-deployment.yaml: `.spec.template.spec.containers[0].args` uses `nginx-ingress.controller.ingress-class` - * role.yaml: rule for editing leader configmap uses `nginx-ingress.controller.ingress-class` -* Replace `controller.service.loadBalancerIP` with `global.hosts.externalIP` - -# nginx-ingress - -[nginx-ingress](https://github.com/kubernetes/ingress-nginx) is an Ingress controller that uses ConfigMap to store the nginx configuration. - -To use, add the `kubernetes.io/ingress.class: nginx` annotation to your Ingress resources. - -## TL;DR; - -```console -$ helm install gitlab-nginx stable/nginx-ingress -``` - -NOTE: **Note**: -All Helm commands are specified using Helm v3 syntax. If the -Helm v2 syntax differs every effort is made to provide a note that details -the difference. - -## Introduction - -This chart bootstraps an nginx-ingress deployment on a [Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager. - -## Prerequisites - - Kubernetes 1.6+ - -## Installing the Chart - -To install the chart with the release name `my-release`: - -```console -$ helm install my-release stable/nginx-ingress -``` - -NOTE: **Note**: -When using Helm v2 if a release name was not specified with the `--name` -option it would randomly generate the release name. 
Helm v3 requires that -the release name be specified as a positional argument on the command line -unless the `--generate-name` option is used. - -The command deploys nginx-ingress on the Kubernetes cluster in the default configuration. The [configuration](#configuration) section lists the parameters that can be configured during installation. - -> **Tip**: List all releases using `helm list` - -## Uninstalling the Chart - -To uninstall/delete the `my-release` deployment: - -```console -$ helm uninstall my-release -``` - -NOTE: **Note:** -With Helm v2, you need to use the command `helm delete --purge gitlab`. - -The command removes all the Kubernetes components associated with the chart and deletes the release. - -## Configuration - -The following table lists the configurable parameters of the nginx-ingress chart and their default values. - -Parameter | Description | Default ---- | --- | --- -`controller.name` | name of the controller component | `controller` -`controller.image.repository` | controller container image repository | `quay.io/kubernetes-ingress-controller/nginx-ingress-controller` -`controller.image.tag` | controller container image tag | `0.20.0` -`controller.image.pullPolicy` | controller container image pull policy | `IfNotPresent` -`controller.image.runAsUser` | User ID of the controller process. Value depends on the Linux distribution used inside of the container image. By default uses Debian one. | `33` -`controller.config` | nginx ConfigMap entries | none -`controller.hostNetwork` | If the nginx deployment / daemonset should run on the host's network namespace. 
Do not set this when `controller.service.externalIPs` is set and `kube-proxy` is used as there will be a port-conflict for port `80` | false -`controller.defaultBackendService` | default 404 backend service; required only if `defaultBackend.enabled = false` | `""` -`controller.electionID` | election ID to use for the status update | `ingress-controller-leader` -`controller.extraEnvs` | any additional environment variables to set in the pods | `{}` -`controller.extraContainers` | Sidecar containers to add to the controller pod. See [LemonLDAP::NG controller](https://github.com/lemonldap-ng-controller/lemonldap-ng-controller) as example | `{}` -`controller.extraVolumeMounts` | Additional volumeMounts to the controller main container | `{}` -`controller.extraVolumes` | Additional volumes to the controller pod | `{}` -`controller.extraInitContainers` | Containers, which are run before the app containers are started | `[]` -`controller.ingressClass` | name of the ingress class to route through this controller | `nginx` -`controller.scope.enabled` | limit the scope of the ingress controller | `false` (watch all namespaces) -`controller.scope.namespace` | namespace to watch for ingress | `""` (use the release namespace) -`controller.extraArgs` | Additional controller container arguments | `{}` -`controller.kind` | install as Deployment or DaemonSet | `Deployment` -`controller.daemonset.useHostPort` | If `controller.kind` is `DaemonSet`, this will enable `hostPort` for TCP/80 and TCP/443 | false -`controller.daemonset.hostPorts.http` | If `controller.daemonset.useHostPort` is `true` and this is non-empty, it sets the hostPort | `"80"` -`controller.daemonset.hostPorts.https` | If `controller.daemonset.useHostPort` is `true` and this is non-empty, it sets the hostPort | `"443"` -`controller.tolerations` | node taints to tolerate (requires Kubernetes >=1.6) | `[]` -`controller.affinity` | node/pod affinities (requires Kubernetes >=1.6) | `{}` -`controller.minReadySeconds` | 
how many seconds a pod needs to be ready before killing the next, during update | `0` -`controller.nodeSelector` | node labels for pod assignment | `{}` -`controller.podAnnotations` | annotations to be added to pods | `{}` -`controller.podLabels` | labels to add to the pod container metadata | `{}` -`controller.replicaCount` | desired number of controller pods | `1` -`controller.minAvailable` | minimum number of available controller pods for PodDisruptionBudget | `1` -`controller.resources` | controller pod resource requests & limits | `{}` -`controller.priorityClassName` | controller priorityClassName | `nil` -`controller.lifecycle` | controller pod lifecycle hooks | `{}` -`controller.service.annotations` | annotations for controller service | `{}` -`controller.service.labels` | labels for controller service | `{}` -`controller.publishService.enabled` | if true, the controller will set the endpoint records on the ingress objects to reflect those on the service | `false` -`controller.publishService.pathOverride` | override of the default publish-service name | `""` -`controller.service.clusterIP` | internal controller cluster service IP | `""` -`controller.service.externalIPs` | controller service external IP addresses. Do not set this when `controller.hostNetwork` is set to `true` and `kube-proxy` is used as there will be a port-conflict for port `80` | `[]` -`controller.service.externalTrafficPolicy` | If `controller.service.type` is `NodePort` or `LoadBalancer`, set this to `Local` to enable [source IP preservation](https://kubernetes.io/docs/tutorials/services/source-ip/#source-ip-for-services-with-typenodeport) | `"Local"` -`controller.service.healthCheckNodePort` | If `controller.service.type` is `NodePort` or `LoadBalancer` and `controller.service.externalTrafficPolicy` is set to `Local`, set this to [the managed health-check port the kube-proxy will expose](https://kubernetes.io/docs/tutorials/services/source-ip/#source-ip-for-services-with-typenodeport). 
If blank, a random port in the `NodePort` range will be assigned | `""` -`global.hosts.externalIP` | IP address to assign to load balancer (if supported) | `""` -`controller.service.loadBalancerSourceRanges` | list of IP CIDRs allowed access to load balancer (if supported) | `[]` -`controller.service.enableHttp` | if port 80 should be opened for service | `true` -`controller.service.enableHttps` | if port 443 should be opened for service | `true` -`controller.service.targetPorts.http` | Sets the targetPort that maps to the Ingress' port 80 | `80` -`controller.service.targetPorts.https` | Sets the targetPort that maps to the Ingress' port 443 | `443` -`controller.service.type` | type of controller service to create | `LoadBalancer` -`controller.service.nodePorts.http` | If `controller.service.type` is `NodePort` and this is non-empty, it sets the nodePort that maps to the Ingress' port 80 | `""` -`controller.service.nodePorts.https` | If `controller.service.type` is `NodePort` and this is non-empty, it sets the nodePort that maps to the Ingress' port 443 | `""` -`controller.service.nodePorts.gitlab-shell` | If `controller.service.type` is `NodePort` and this (or `global.shell.port`, with lower priority) is non-empty, it sets the nodePort that maps to the Ingress' port for GitLab-Shell | `""` -`controller.livenessProbe.initialDelaySeconds` | Delay before liveness probe is initiated | 10 -`controller.livenessProbe.periodSeconds` | How often to perform the probe | 10 -`controller.livenessProbe.timeoutSeconds` | When the probe times out | 5 -`controller.livenessProbe.successThreshold` | Minimum consecutive successes for the probe to be considered successful after having failed. | 1 -`controller.livenessProbe.failureThreshold` | Minimum consecutive failures for the probe to be considered failed after having succeeded. | 3 -`controller.livenessProbe.port` | The port number that the liveness probe will listen on. 
| 10254 -`controller.readinessProbe.initialDelaySeconds` | Delay before readiness probe is initiated | 10 -`controller.readinessProbe.periodSeconds` | How often to perform the probe | 10 -`controller.readinessProbe.timeoutSeconds` | When the probe times out | 1 -`controller.readinessProbe.successThreshold` | Minimum consecutive successes for the probe to be considered successful after having failed. | 1 -`controller.readinessProbe.failureThreshold` | Minimum consecutive failures for the probe to be considered failed after having succeeded. | 3 -`controller.readinessProbe.port` | The port number that the readiness probe will listen on. | 10254 -`controller.stats.enabled` | if `true`, enable "vts-status" page | `false` -`controller.stats.service.annotations` | annotations for controller stats service | `{}` -`controller.stats.service.clusterIP` | internal controller stats cluster service IP | `""` -`controller.stats.service.externalIPs` | controller service stats external IP addresses | `[]` -`controller.stats.service.loadBalancerIP` | IP address to assign to load balancer (if supported) | `""` -`controller.stats.service.loadBalancerSourceRanges` | list of IP CIDRs allowed access to load balancer (if supported) | `[]` -`controller.stats.service.type` | type of controller stats service to create | `ClusterIP` -`controller.metrics.enabled` | if `true`, enable Prometheus metrics (`controller.stats.enabled` must be `true` as well) | `false` -`controller.metrics.service.annotations` | annotations for Prometheus metrics service | `{}` -`controller.metrics.service.clusterIP` | cluster IP address to assign to service | `""` -`controller.metrics.service.externalIPs` | Prometheus metrics service external IP addresses | `[]` -`controller.metrics.service.loadBalancerIP` | IP address to assign to load balancer (if supported) | `""` -`controller.metrics.service.loadBalancerSourceRanges` | list of IP CIDRs allowed access to load balancer (if supported) | `[]` 
-`controller.metrics.service.servicePort` | Prometheus metrics service port | `9913` -`controller.metrics.service.targetPort` | Prometheus metrics target port | `10254` -`controller.metrics.service.type` | type of Prometheus metrics service to create | `ClusterIP` -`controller.customTemplate.configMapName` | configMap containing a custom nginx template | `""` -`controller.customTemplate.configMapKey` | configMap key containing the nginx template | `""` -`controller.headers` | configMap key:value pairs containing the [custom headers](https://github.com/kubernetes/ingress-nginx/tree/master/docs/examples/customization/custom-headers) for Nginx | `{Referrer-Policy: strict-origin-when-cross-origin}` -`controller.updateStrategy` | allows setting of RollingUpdate strategy | `{}` -`defaultBackend.enabled` | If false, controller.defaultBackendService must be provided | `true` -`defaultBackend.name` | name of the default backend component | `default-backend` -`defaultBackend.image.repository` | default backend container image repository | `k8s.gcr.io/defaultbackend` -`defaultBackend.image.tag` | default backend container image tag | `1.4` -`defaultBackend.image.pullPolicy` | default backend container image pull policy | `IfNotPresent` -`defaultBackend.extraArgs` | Additional default backend container arguments | `{}` -`defaultBackend.port` | Http port number | `8080` -`defaultBackend.tolerations` | node taints to tolerate (requires Kubernetes >=1.6) | `[]` -`defaultBackend.affinity` | node/pod affinities (requires Kubernetes >=1.6) | `{}` -`defaultBackend.nodeSelector` | node labels for pod assignment | `{}` -`defaultBackend.podAnnotations` | annotations to be added to pods | `{}` -`defaultBackend.podLabels` | labels to add to the pod container metadata | `{}` -`defaultBackend.replicaCount` | desired number of default backend pods | `1` -`defaultBackend.minAvailable` | minimum number of available default backend pods for PodDisruptionBudget | `1` -`defaultBackend.resources` 
| default backend pod resource requests & limits | `{}` -`defaultBackend.priorityClassName` | default backend priorityClassName | `nil` -`defaultBackend.service.annotations` | annotations for default backend service | `{}` -`defaultBackend.service.clusterIP` | internal default backend cluster service IP | `""` -`defaultBackend.service.externalIPs` | default backend service external IP addresses | `[]` -`defaultBackend.service.loadBalancerIP` | IP address to assign to load balancer (if supported) | `""` -`defaultBackend.service.loadBalancerSourceRanges` | list of IP CIDRs allowed access to load balancer (if supported) | `[]` -`defaultBackend.service.type` | type of default backend service to create | `ClusterIP` -`imagePullSecrets` | name of Secret resource containing private registry credentials | `nil` -`rbac.create` | If true, create & use RBAC resources | `true` -`podSecurityPolicy.enabled` | if `true`, create & use Pod Security Policy resources | `false` -`serviceAccount.create` | if `true`, create a service account | `` -`serviceAccount.name` | The name of the service account to use. If not set and `create` is `true`, a name is generated using the fullname template. | `` -`revisionHistoryLimit` | The number of old history to retain to allow rollback. | `10` -`tcp` | TCP service key:value pairs | `{}` -`udp` | UDP service key:value pairs | `{}` - -```console -$ helm install my-release stable/nginx-ingress \ - --set controller.stats.enabled=true -``` - -NOTE: **Note**: -Helm v2 handles specifying the release name differently than Helm v3. -Please see the note in the [Installing the Chart](#installing-the-chart) -section for more information. - -Alternatively, a YAML file that specifies the values for the parameters can be provided while installing the chart. 
For example, - -```console -$ helm install my-release stable/nginx-ingress -f values.yaml -``` - -A useful trick to debug issues with ingress is to increase the logLevel -as described [here](https://github.com/kubernetes/ingress-nginx/blob/master/docs/troubleshooting.md#debug) - -```console -$ helm install my-release stable/nginx-ingress --set controller.extraArgs.v=2 -``` - -## PodDisruptionBudget -Note that the PodDisruptionBudget resource will only be defined if the replicaCount is greater than one, -else it would make it impossible to evacuate a node. See [gh issue #7127](https://github.com/helm/charts/issues/7127) for more info. - -## Prometheus Metrics - -The Nginx ingress controller can export Prometheus metrics. In order for this to work, the VTS dashboard must be enabled as well. - -```console -$ helm install my-release stable/nginx-ingress \ - --set controller.stats.enabled=true \ - --set controller.metrics.enabled=true -``` - -NOTE: **Note**: -Helm v2 handles specifying the release name differently than Helm v3. -Please see the note in the [Installing the Chart](#installing-the-chart) -section for more information. - -You can add Prometheus annotations to the metrics service using `controller.metrics.service.annotations`. Alternatively, if you use the Prometheus Operator, you need to create a ServiceMonitor as follows: - -```yaml -apiVersion: monitoring.coreos.com/v1 -kind: ServiceMonitor -metadata: - name: nginx-ingress-service-monitor -spec: - jobLabel: nginx-ingress - selector: - matchLabels: - app: nginx-ingress - release: - namespaceSelector: - matchNames: - - - endpoints: - - port: metrics - interval: 30s -``` -> **Tip**: You can use the default [values.yaml](values.yaml) - -## ExternalDNS Service configuration - -Add an [ExternalDNS](https://github.com/kubernetes-sigs/external-dns) annotation to the LoadBalancer service: - -```yaml -annotations: - external-dns.alpha.kubernetes.io/hostname: kubernetes-example.com. 
-``` - -## AWS L7 ELB with SSL Termination - -Annotate the controller as shown in the [nginx-ingress l7 patch](https://github.com/kubernetes/ingress-nginx/blob/master/deploy/provider/aws/service-l7.yaml): - -```yaml -controller: - service: - targetPorts: - http: http - https: http - annotations: - service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:acm:XX-XXXX-X:XXXXXXXXX:certificate/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXX - service.beta.kubernetes.io/aws-load-balancer-backend-protocol: "http" - service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "https" - service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: '3600' -``` - -## AWS route53-mapper - -To configure the LoadBalancer service with the [route53-mapper addon](https://github.com/kubernetes/kops/tree/master/addons/route53-mapper), add the `domainName` annotation and `dns` label: - -```yaml -controller: - service: - labels: - dns: "route53" - annotations: - domainName: "kubernetes-example.com" -``` -- GitLab From afbcf8e324fdcfa335c30cc9a880cb7a84b10691 Mon Sep 17 00:00:00 2001 From: Mitchell Nielsen Date: Thu, 3 Dec 2020 13:07:54 -0500 Subject: [PATCH 08/16] Replace loadBalancerIP with externalIP Replaces controller.service.loadBalancerIP with global.hosts.externalIP in the controller service to match what was done in the previous version of the forked chart. --- charts/ingress-nginx/templates/controller-service.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/charts/ingress-nginx/templates/controller-service.yaml b/charts/ingress-nginx/templates/controller-service.yaml index 238b0f2a2c..54d53fdcce 100644 --- a/charts/ingress-nginx/templates/controller-service.yaml +++ b/charts/ingress-nginx/templates/controller-service.yaml 
@@ -22,8 +22,8 @@ spec:
 {{- if .Values.controller.service.externalIPs }}
 externalIPs: {{ toYaml .Values.controller.service.externalIPs | nindent 4 }}
 {{- end }}
-{{- if .Values.controller.service.loadBalancerIP }}
- loadBalancerIP: {{ .Values.controller.service.loadBalancerIP }}
+{{- if .Values.global.hosts.externalIP }}
+ loadBalancerIP: {{ .Values.global.hosts.externalIP }}
 {{- end }}
 {{- if .Values.controller.service.loadBalancerSourceRanges }}
 loadBalancerSourceRanges: {{ toYaml .Values.controller.service.loadBalancerSourceRanges | nindent 4 }}
@@ -83,4 +83,4 @@ spec:
 {{- include "ingress-nginx.selectorLabels" . | nindent 4 }}
 app.kubernetes.io/component: controller
 {{- end }}
-{{- end }}
\ No newline at end of file
+{{- end }}
-- GitLab
From d14881185d91d783546ec4e3fa66406299260ec0 Mon Sep 17 00:00:00 2001
From: Mitchell Nielsen
Date: Thu, 3 Dec 2020 13:08:41 -0500
Subject: [PATCH 09/16] Add externalTcpConfig value Adds exernalTcpConfig value to the values file to match what was done in the previous version of the forked chart, allowing an external tcp configmap to be provided in place of the bundled one.
---
 charts/ingress-nginx/values.yaml | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/charts/ingress-nginx/values.yaml b/charts/ingress-nginx/values.yaml
index 7e2e54c723..d975b59194 100644
--- a/charts/ingress-nginx/values.yaml
+++ b/charts/ingress-nginx/values.yaml
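Review bot: In controller-service.yaml the new guard `{{- if .Values.global.hosts.externalIP }}` walks `global.hosts` without checking that it exists, and nothing in the hunk shows the chart's own values declaring it; if the chart is ever rendered without a parent supplying `global.hosts`, the template would presumably fail on a nil lookup instead of skipping the field. The old key `controller.service.loadBalancerIP` is also dropped with no fallback, so values that still set it are silently ignored and the Service is rendered without `loadBalancerIP`. I would add a template comment above the guard, `{{- /* fork: loadBalancerIP is taken from global.hosts.externalIP; controller.service.loadBalancerIP is ignored */}}`, and declare an empty `global.hosts.externalIP` default in this chart's values.yaml. The Service template starts and ends outside the hunk.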
@@ -716,3 +716,15 @@ tcp: {}
 ##
 udp: {}
 # 53: "kube-system/kube-dns:53"
+
+
+## GitLab-provided values starting below
+
+# Use an external configmap instead of generating the configmap from this chart.
+# Contents must match spec format for nginx-ingress and tcp ports must still be specified
+# using `tcp` setting above (although service name is meaningless with an external config)
+# e.g
+# --set tcp.22=ssh --set tcpExternalConfig=mynamespace/customconfigmap
+# Ref: https://github.com/kubernetes/contrib/tree/master/ingress/controllers/nginx/examples/tcp
+##
+tcpExternalConfig: ""
\ No newline at end of file
-- GitLab
From 213c4c72b0a5a5c8daf0e2615d56dcf97d2f6e82 Mon Sep 17 00:00:00 2001
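Review bot: The `tcpExternalConfig` comment block in values.yaml does not say who is trusted to own the referenced ConfigMap, and that matters because, going by the comment, its contents replace the chart-generated TCP mapping and so decide which Services are published as raw TCP ports on the ingress. I would add a line such as `# The referenced ConfigMap controls which Services are exposed over TCP; restrict write access to it and its namespace.` above the `# e.g` line. The `Ref:` URL points at kubernetes/contrib rather than the kubernetes/ingress-nginx repository this chart is forked from, so it is worth re-pointing to the current TCP services documentation. The file also ends without a trailing newline, which the preceding commit corrected for controller-service.yaml.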
From: Mitchell Nielsen Date: Thu, 3 Dec 2020 13:10:26 -0500 Subject: [PATCH 10/16] Remove old forked nginx chart Removes the old forked nginx chart in favor of ingress-nginx --- charts/nginx/.helmignore | 21 - charts/nginx/Chart.yaml | 18 - charts/nginx/index.md | 288 ------------- charts/nginx/templates/NOTES.txt | 66 --- charts/nginx/templates/_helpers.tpl | 84 ---- charts/nginx/templates/clusterrole.yaml | 69 --- .../nginx/templates/clusterrolebinding.yaml | 19 - .../nginx/templates/controller-configmap.yaml | 18 - .../nginx/templates/controller-daemonset.yaml | 203 --------- .../templates/controller-deployment.yaml | 222 ---------- charts/nginx/templates/controller-hpa.yaml | 30 -- .../templates/controller-metrics-service.yaml | 42 -- .../controller-poddisruptionbudget.yaml | 17 - .../nginx/templates/controller-service.yaml | 84 ---- .../templates/controller-stats-service.yaml | 42 -- .../templates/default-backend-deployment.yaml | 83 ---- .../default-backend-poddisruptionbudget.yaml | 17 - .../templates/default-backend-service.yaml | 43 -- charts/nginx/templates/headers-configmap.yaml | 14 - charts/nginx/templates/podsecuritypolicy.yaml | 45 -- charts/nginx/templates/role.yaml | 89 ---- charts/nginx/templates/rolebinding.yaml | 19 - charts/nginx/templates/serviceaccount.yaml | 11 - charts/nginx/templates/tcp-configmap.yaml | 14 - charts/nginx/templates/udp-configmap.yaml | 14 - charts/nginx/values.yaml | 401 ------------------ 26 files changed, 1973 deletions(-) delete mode 100644 charts/nginx/.helmignore delete mode 100755 charts/nginx/Chart.yaml delete mode 100644 charts/nginx/index.md delete mode 100644 charts/nginx/templates/NOTES.txt delete mode 100644 charts/nginx/templates/_helpers.tpl delete mode 100644 charts/nginx/templates/clusterrole.yaml delete mode 100644 charts/nginx/templates/clusterrolebinding.yaml delete mode 100644 charts/nginx/templates/controller-configmap.yaml delete mode 100644 charts/nginx/templates/controller-daemonset.yaml delete mode 
100644 charts/nginx/templates/controller-deployment.yaml delete mode 100644 charts/nginx/templates/controller-hpa.yaml delete mode 100644 charts/nginx/templates/controller-metrics-service.yaml delete mode 100644 charts/nginx/templates/controller-poddisruptionbudget.yaml delete mode 100644 charts/nginx/templates/controller-service.yaml delete mode 100644 charts/nginx/templates/controller-stats-service.yaml delete mode 100644 charts/nginx/templates/default-backend-deployment.yaml delete mode 100644 charts/nginx/templates/default-backend-poddisruptionbudget.yaml delete mode 100644 charts/nginx/templates/default-backend-service.yaml delete mode 100644 charts/nginx/templates/headers-configmap.yaml delete mode 100755 charts/nginx/templates/podsecuritypolicy.yaml delete mode 100644 charts/nginx/templates/role.yaml delete mode 100644 charts/nginx/templates/rolebinding.yaml delete mode 100644 charts/nginx/templates/serviceaccount.yaml delete mode 100644 charts/nginx/templates/tcp-configmap.yaml delete mode 100644 charts/nginx/templates/udp-configmap.yaml delete mode 100755 charts/nginx/values.yaml diff --git a/charts/nginx/.helmignore b/charts/nginx/.helmignore deleted file mode 100644 index f0c1319444..0000000000 --- a/charts/nginx/.helmignore +++ /dev/null @@ -1,21 +0,0 @@ -# Patterns to ignore when building packages. -# This supports shell glob matching, relative path matching, and -# negation (prefixed with !). Only one pattern per line. -.DS_Store -# Common VCS dirs -.git/ -.gitignore -.bzr/ -.bzrignore -.hg/ -.hgignore -.svn/ -# Common backup files -*.swp -*.bak -*.tmp -*~ -# Various IDEs -.project -.idea/ -*.tmproj diff --git a/charts/nginx/Chart.yaml b/charts/nginx/Chart.yaml deleted file mode 100755 index cb13209402..0000000000 --- a/charts/nginx/Chart.yaml +++ /dev/null 
@@ -1,18 +0,0 @@ -appVersion: 0.20.0 -description: An nginx Ingress controller that uses ConfigMap to store the nginx configuration. -details: Nginx for use as part of GitLab deployment. -engine: gotpl -home: https://github.com/kubernetes/ingress-nginx -icon: https://upload.wikimedia.org/wikipedia/commons/thumb/c/c5/Nginx_logo.svg/500px-Nginx_logo.svg.png -keywords: -- ingress -- nginx -- gitlab -maintainers: -- name: GitLab Inc. - email: support@gitlab.com -name: nginx-ingress -sources: -- https://github.com/kubernetes/ingress-nginx -- https://gitlab.com/gitlab-org/charts/gitlab/charts/nginx -version: 0.30.0-1 diff --git a/charts/nginx/index.md b/charts/nginx/index.md deleted file mode 100644 index 10c2595830..0000000000 --- a/charts/nginx/index.md +++ /dev/null 
@@ -1,288 +0,0 @@ -Forked from https://github.com/kubernetes/charts/tree/master/stable/nginx-ingress -* tcp-configmap.yaml: is optional depending on new `tcpExternalConfig` setting -* Ability to use a templated tcp configmap name from another chart - * tcp-configmap.yaml: `.metadata.name` is a template `nginx-ingress.tcp-configmap` - * controller-deployment.yaml: `.spec.template.spec.containers[0].args` uses `nginx-ingress.tcp-configmap` template for configmap name - * gitlab chart overrides `nginx-ingress.tcp-configmap` so that gitlab/gitlab-org/charts/gitlab-shell can configure its tcp service -* Ability to use a templated ingress name based on the release name - * controller-deployment.yaml: `.spec.template.spec.containers[0].args` uses `nginx-ingress.controller.ingress-class` - * role.yaml: rule for editing leader configmap uses `nginx-ingress.controller.ingress-class` -* Replace `controller.service.loadBalancerIP` with `global.hosts.externalIP` - -# nginx-ingress - -[nginx-ingress](https://github.com/kubernetes/ingress-nginx) is an Ingress controller that uses ConfigMap to store the nginx configuration. - -To use, add the `kubernetes.io/ingress.class: nginx` annotation to your Ingress resources. - -## TL;DR; - -```console -$ helm install gitlab-nginx stable/nginx-ingress -``` - -NOTE: **Note**: -All Helm commands are specified using Helm v3 syntax. If the -Helm v2 syntax differs every effort is made to provide a note that details -the difference. - -## Introduction - -This chart bootstraps an nginx-ingress deployment on a [Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager. - -## Prerequisites - - Kubernetes 1.6+ - -## Installing the Chart - -To install the chart with the release name `my-release`: - -```console -$ helm install my-release stable/nginx-ingress -``` - -NOTE: **Note**: -When using Helm v2 if a release name was not specified with the `--name` -option it would randomly generate the release name. 
Helm v3 requires that -the release name be specified as a positional argument on the command line -unless the `--generate-name` option is used. - -The command deploys nginx-ingress on the Kubernetes cluster in the default configuration. The [configuration](#configuration) section lists the parameters that can be configured during installation. - -> **Tip**: List all releases using `helm list` - -## Uninstalling the Chart - -To uninstall/delete the `my-release` deployment: - -```console -$ helm uninstall my-release -``` - -NOTE: **Note:** -With Helm v2, you need to use the command `helm delete --purge gitlab`. - -The command removes all the Kubernetes components associated with the chart and deletes the release. - -## Configuration - -The following table lists the configurable parameters of the nginx-ingress chart and their default values. - -Parameter | Description | Default ---- | --- | --- -`controller.name` | name of the controller component | `controller` -`controller.image.repository` | controller container image repository | `quay.io/kubernetes-ingress-controller/nginx-ingress-controller` -`controller.image.tag` | controller container image tag | `0.20.0` -`controller.image.pullPolicy` | controller container image pull policy | `IfNotPresent` -`controller.image.runAsUser` | User ID of the controller process. Value depends on the Linux distribution used inside of the container image. By default uses Debian one. | `33` -`controller.config` | nginx ConfigMap entries | none -`controller.hostNetwork` | If the nginx deployment / daemonset should run on the host's network namespace. 
Do not set this when `controller.service.externalIPs` is set and `kube-proxy` is used as there will be a port-conflict for port `80` | false -`controller.defaultBackendService` | default 404 backend service; required only if `defaultBackend.enabled = false` | `""` -`controller.electionID` | election ID to use for the status update | `ingress-controller-leader` -`controller.extraEnvs` | any additional environment variables to set in the pods | `{}` -`controller.extraContainers` | Sidecar containers to add to the controller pod. See [LemonLDAP::NG controller](https://github.com/lemonldap-ng-controller/lemonldap-ng-controller) as example | `{}` -`controller.extraVolumeMounts` | Additional volumeMounts to the controller main container | `{}` -`controller.extraVolumes` | Additional volumes to the controller pod | `{}` -`controller.extraInitContainers` | Containers, which are run before the app containers are started | `[]` -`controller.ingressClass` | name of the ingress class to route through this controller | `nginx` -`controller.scope.enabled` | limit the scope of the ingress controller | `false` (watch all namespaces) -`controller.scope.namespace` | namespace to watch for ingress | `""` (use the release namespace) -`controller.extraArgs` | Additional controller container arguments | `{}` -`controller.kind` | install as Deployment or DaemonSet | `Deployment` -`controller.daemonset.useHostPort` | If `controller.kind` is `DaemonSet`, this will enable `hostPort` for TCP/80 and TCP/443 | false -`controller.daemonset.hostPorts.http` | If `controller.daemonset.useHostPort` is `true` and this is non-empty, it sets the hostPort | `"80"` -`controller.daemonset.hostPorts.https` | If `controller.daemonset.useHostPort` is `true` and this is non-empty, it sets the hostPort | `"443"` -`controller.tolerations` | node taints to tolerate (requires Kubernetes >=1.6) | `[]` -`controller.affinity` | node/pod affinities (requires Kubernetes >=1.6) | `{}` -`controller.minReadySeconds` | 
how many seconds a pod needs to be ready before killing the next, during update | `0` -`controller.nodeSelector` | node labels for pod assignment | `{}` -`controller.podAnnotations` | annotations to be added to pods | `{}` -`controller.podLabels` | labels to add to the pod container metadata | `{}` -`controller.replicaCount` | desired number of controller pods | `1` -`controller.minAvailable` | minimum number of available controller pods for PodDisruptionBudget | `1` -`controller.resources` | controller pod resource requests & limits | `{}` -`controller.priorityClassName` | controller priorityClassName | `nil` -`controller.lifecycle` | controller pod lifecycle hooks | `{}` -`controller.service.annotations` | annotations for controller service | `{}` -`controller.service.labels` | labels for controller service | `{}` -`controller.publishService.enabled` | if true, the controller will set the endpoint records on the ingress objects to reflect those on the service | `false` -`controller.publishService.pathOverride` | override of the default publish-service name | `""` -`controller.service.clusterIP` | internal controller cluster service IP | `""` -`controller.service.externalIPs` | controller service external IP addresses. Do not set this when `controller.hostNetwork` is set to `true` and `kube-proxy` is used as there will be a port-conflict for port `80` | `[]` -`controller.service.externalTrafficPolicy` | If `controller.service.type` is `NodePort` or `LoadBalancer`, set this to `Local` to enable [source IP preservation](https://kubernetes.io/docs/tutorials/services/source-ip/#source-ip-for-services-with-typenodeport) | `"Local"` -`controller.service.healthCheckNodePort` | If `controller.service.type` is `NodePort` or `LoadBalancer` and `controller.service.externalTrafficPolicy` is set to `Local`, set this to [the managed health-check port the kube-proxy will expose](https://kubernetes.io/docs/tutorials/services/source-ip/#source-ip-for-services-with-typenodeport). 
If blank, a random port in the `NodePort` range will be assigned | `""` -`global.hosts.externalIP` | IP address to assign to load balancer (if supported) | `""` -`controller.service.loadBalancerSourceRanges` | list of IP CIDRs allowed access to load balancer (if supported) | `[]` -`controller.service.enableHttp` | if port 80 should be opened for service | `true` -`controller.service.enableHttps` | if port 443 should be opened for service | `true` -`controller.service.targetPorts.http` | Sets the targetPort that maps to the Ingress' port 80 | `80` -`controller.service.targetPorts.https` | Sets the targetPort that maps to the Ingress' port 443 | `443` -`controller.service.type` | type of controller service to create | `LoadBalancer` -`controller.service.nodePorts.http` | If `controller.service.type` is `NodePort` and this is non-empty, it sets the nodePort that maps to the Ingress' port 80 | `""` -`controller.service.nodePorts.https` | If `controller.service.type` is `NodePort` and this is non-empty, it sets the nodePort that maps to the Ingress' port 443 | `""` -`controller.service.nodePorts.gitlab-shell` | If `controller.service.type` is `NodePort` and this (or `global.shell.port`, with lower priority) is non-empty, it sets the nodePort that maps to the Ingress' port for GitLab-Shell | `""` -`controller.livenessProbe.initialDelaySeconds` | Delay before liveness probe is initiated | 10 -`controller.livenessProbe.periodSeconds` | How often to perform the probe | 10 -`controller.livenessProbe.timeoutSeconds` | When the probe times out | 5 -`controller.livenessProbe.successThreshold` | Minimum consecutive successes for the probe to be considered successful after having failed. | 1 -`controller.livenessProbe.failureThreshold` | Minimum consecutive failures for the probe to be considered failed after having succeeded. | 3 -`controller.livenessProbe.port` | The port number that the liveness probe will listen on. 
| 10254 -`controller.readinessProbe.initialDelaySeconds` | Delay before readiness probe is initiated | 10 -`controller.readinessProbe.periodSeconds` | How often to perform the probe | 10 -`controller.readinessProbe.timeoutSeconds` | When the probe times out | 1 -`controller.readinessProbe.successThreshold` | Minimum consecutive successes for the probe to be considered successful after having failed. | 1 -`controller.readinessProbe.failureThreshold` | Minimum consecutive failures for the probe to be considered failed after having succeeded. | 3 -`controller.readinessProbe.port` | The port number that the readiness probe will listen on. | 10254 -`controller.stats.enabled` | if `true`, enable "vts-status" page | `false` -`controller.stats.service.annotations` | annotations for controller stats service | `{}` -`controller.stats.service.clusterIP` | internal controller stats cluster service IP | `""` -`controller.stats.service.externalIPs` | controller service stats external IP addresses | `[]` -`controller.stats.service.loadBalancerIP` | IP address to assign to load balancer (if supported) | `""` -`controller.stats.service.loadBalancerSourceRanges` | list of IP CIDRs allowed access to load balancer (if supported) | `[]` -`controller.stats.service.type` | type of controller stats service to create | `ClusterIP` -`controller.metrics.enabled` | if `true`, enable Prometheus metrics (`controller.stats.enabled` must be `true` as well) | `false` -`controller.metrics.service.annotations` | annotations for Prometheus metrics service | `{}` -`controller.metrics.service.clusterIP` | cluster IP address to assign to service | `""` -`controller.metrics.service.externalIPs` | Prometheus metrics service external IP addresses | `[]` -`controller.metrics.service.loadBalancerIP` | IP address to assign to load balancer (if supported) | `""` -`controller.metrics.service.loadBalancerSourceRanges` | list of IP CIDRs allowed access to load balancer (if supported) | `[]` 
-`controller.metrics.service.servicePort` | Prometheus metrics service port | `9913` -`controller.metrics.service.targetPort` | Prometheus metrics target port | `10254` -`controller.metrics.service.type` | type of Prometheus metrics service to create | `ClusterIP` -`controller.customTemplate.configMapName` | configMap containing a custom nginx template | `""` -`controller.customTemplate.configMapKey` | configMap key containing the nginx template | `""` -`controller.headers` | configMap key:value pairs containing the [custom headers](https://github.com/kubernetes/ingress-nginx/tree/master/docs/examples/customization/custom-headers) for Nginx | `{Referrer-Policy: strict-origin-when-cross-origin}` -`controller.updateStrategy` | allows setting of RollingUpdate strategy | `{}` -`defaultBackend.enabled` | If false, controller.defaultBackendService must be provided | `true` -`defaultBackend.name` | name of the default backend component | `default-backend` -`defaultBackend.image.repository` | default backend container image repository | `k8s.gcr.io/defaultbackend` -`defaultBackend.image.tag` | default backend container image tag | `1.4` -`defaultBackend.image.pullPolicy` | default backend container image pull policy | `IfNotPresent` -`defaultBackend.extraArgs` | Additional default backend container arguments | `{}` -`defaultBackend.port` | Http port number | `8080` -`defaultBackend.tolerations` | node taints to tolerate (requires Kubernetes >=1.6) | `[]` -`defaultBackend.affinity` | node/pod affinities (requires Kubernetes >=1.6) | `{}` -`defaultBackend.nodeSelector` | node labels for pod assignment | `{}` -`defaultBackend.podAnnotations` | annotations to be added to pods | `{}` -`defaultBackend.podLabels` | labels to add to the pod container metadata | `{}` -`defaultBackend.replicaCount` | desired number of default backend pods | `1` -`defaultBackend.minAvailable` | minimum number of available default backend pods for PodDisruptionBudget | `1` -`defaultBackend.resources` 
| default backend pod resource requests & limits | `{}` -`defaultBackend.priorityClassName` | default backend priorityClassName | `nil` -`defaultBackend.service.annotations` | annotations for default backend service | `{}` -`defaultBackend.service.clusterIP` | internal default backend cluster service IP | `""` -`defaultBackend.service.externalIPs` | default backend service external IP addresses | `[]` -`defaultBackend.service.loadBalancerIP` | IP address to assign to load balancer (if supported) | `""` -`defaultBackend.service.loadBalancerSourceRanges` | list of IP CIDRs allowed access to load balancer (if supported) | `[]` -`defaultBackend.service.type` | type of default backend service to create | `ClusterIP` -`imagePullSecrets` | name of Secret resource containing private registry credentials | `nil` -`rbac.create` | If true, create & use RBAC resources | `true` -`podSecurityPolicy.enabled` | if `true`, create & use Pod Security Policy resources | `false` -`serviceAccount.create` | if `true`, create a service account | `` -`serviceAccount.name` | The name of the service account to use. If not set and `create` is `true`, a name is generated using the fullname template. | `` -`revisionHistoryLimit` | The number of old history to retain to allow rollback. | `10` -`tcp` | TCP service key:value pairs | `{}` -`udp` | UDP service key:value pairs | `{}` - -```console -$ helm install my-release stable/nginx-ingress \ - --set controller.stats.enabled=true -``` - -NOTE: **Note**: -Helm v2 handles specifying the release name differently than Helm v3. -Please see the note in the [Installing the Chart](#installing-the-chart) -section for more information. - -Alternatively, a YAML file that specifies the values for the parameters can be provided while installing the chart. 
For example, - -```console -$ helm install my-release stable/nginx-ingress -f values.yaml -``` - -A useful trick to debug issues with ingress is to increase the logLevel -as described [here](https://github.com/kubernetes/ingress-nginx/blob/master/docs/troubleshooting.md#debug) - -```console -$ helm install my-release stable/nginx-ingress --set controller.extraArgs.v=2 -``` - -## PodDisruptionBudget -Note that the PodDisruptionBudget resource will only be defined if the replicaCount is greater than one, -else it would make it impossible to evacuate a node. See [gh issue #7127](https://github.com/helm/charts/issues/7127) for more info. - -## Prometheus Metrics - -The Nginx ingress controller can export Prometheus metrics. In order for this to work, the VTS dashboard must be enabled as well. - -```console -$ helm install my-release stable/nginx-ingress \ - --set controller.stats.enabled=true \ - --set controller.metrics.enabled=true -``` - -NOTE: **Note**: -Helm v2 handles specifying the release name differently than Helm v3. -Please see the note in the [Installing the Chart](#installing-the-chart) -section for more information. - -You can add Prometheus annotations to the metrics service using `controller.metrics.service.annotations`. Alternatively, if you use the Prometheus Operator, you need to create a ServiceMonitor as follows: - -```yaml -apiVersion: monitoring.coreos.com/v1 -kind: ServiceMonitor -metadata: - name: nginx-ingress-service-monitor -spec: - jobLabel: nginx-ingress - selector: - matchLabels: - app: nginx-ingress - release: - namespaceSelector: - matchNames: - - - endpoints: - - port: metrics - interval: 30s -``` -> **Tip**: You can use the default [values.yaml](values.yaml) - -## ExternalDNS Service configuration - -Add an [ExternalDNS](https://github.com/kubernetes-sigs/external-dns) annotation to the LoadBalancer service: - -```yaml -annotations: - external-dns.alpha.kubernetes.io/hostname: kubernetes-example.com. 
-``` - -## AWS L7 ELB with SSL Termination - -Annotate the controller as shown in the [nginx-ingress l7 patch](https://github.com/kubernetes/ingress-nginx/blob/master/deploy/provider/aws/service-l7.yaml): - -```yaml -controller: - service: - targetPorts: - http: http - https: http - annotations: - service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:acm:XX-XXXX-X:XXXXXXXXX:certificate/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXX - service.beta.kubernetes.io/aws-load-balancer-backend-protocol: "http" - service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "https" - service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: '3600' -``` - -## AWS route53-mapper - -To configure the LoadBalancer service with the [route53-mapper addon](https://github.com/kubernetes/kops/tree/master/addons/route53-mapper), add the `domainName` annotation and `dns` label: - -```yaml -controller: - service: - labels: - dns: "route53" - annotations: - domainName: "kubernetes-example.com" -``` diff --git a/charts/nginx/templates/NOTES.txt b/charts/nginx/templates/NOTES.txt deleted file mode 100644 index b2c044fcbc..0000000000 --- a/charts/nginx/templates/NOTES.txt +++ /dev/null 
@@ -1,66 +0,0 @@
-{{- if .Values.enabled }}
-The nginx-ingress controller has been installed.
-
-{{- if contains "NodePort" .Values.controller.service.type }}
-Get the application URL by running these commands:
-
-{{- if (not (empty .Values.controller.service.nodePorts.http)) }}
- export HTTP_NODE_PORT={{ .Values.controller.service.nodePorts.http }}
-{{- else }}
- export HTTP_NODE_PORT=$(kubectl --namespace {{ .Release.Namespace }} get services -o jsonpath="{.spec.ports[0].nodePort}" {{ template "nginx-ingress.controller.fullname" . }})
-{{- end }}
-{{- if (not (empty .Values.controller.service.nodePorts.https)) }}
- export HTTPS_NODE_PORT={{ .Values.controller.service.nodePorts.https }}
-{{- else }}
- export HTTPS_NODE_PORT=$(kubectl --namespace {{ .Release.Namespace }} get services -o jsonpath="{.spec.ports[1].nodePort}" {{ template "nginx-ingress.controller.fullname" . }})
-{{- end }}
- export NODE_IP=$(kubectl --namespace {{ .Release.Namespace }} get nodes -o jsonpath="{.items[0].status.addresses[1].address}")
-
- echo "Visit http://$NODE_IP:$HTTP_NODE_PORT to access your application via HTTP."
- echo "Visit https://$NODE_IP:$HTTPS_NODE_PORT to access your application via HTTPS."
-{{- else if contains "LoadBalancer" .Values.controller.service.type }}
-It may take a few minutes for the LoadBalancer IP to be available.
-You can watch the status by running 'kubectl --namespace {{ .Release.Namespace }} get services -o wide -w {{ template "nginx-ingress.controller.fullname" . }}'
-{{- else if contains "ClusterIP" .Values.controller.service.type }}
-Get the application URL by running these commands:
- export POD_NAME=$(kubectl --namespace {{ .Release.Namespace }} get pods -o jsonpath="{.items[0].metadata.name}" -l "app={{ template "nginx-ingress.name" . }},component={{ .Values.controller.name }},release={{ .Release.Name }}")
- kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 8080:80
- echo "Visit http://127.0.0.1:8080 to access your application."
-{{- end }}
-
-An example Ingress that makes use of the controller:
-
- apiVersion: extensions/v1beta1
- kind: Ingress
- metadata:
- annotations:
- kubernetes.io/ingress.class: {{ .Values.controller.ingressClass }}
- name: example
- namespace: foo
- spec:
- rules:
- - host: www.example.com
- http:
- paths:
- - backend:
- serviceName: exampleService
- servicePort: 80
- path: /
- # This section is only required if TLS is to be enabled for the Ingress
- tls:
- - hosts:
- - www.example.com
- secretName: example-tls
-
-If TLS is enabled for the Ingress, a Secret containing the certificate and key must also be provided:
-
- apiVersion: v1
- kind: Secret
- metadata:
- name: example-tls
- namespace: foo
- data:
- tls.crt:
- tls.key:
- type: kubernetes.io/tls
-{{- end }}
diff --git a/charts/nginx/templates/_helpers.tpl b/charts/nginx/templates/_helpers.tpl
deleted file mode 100644
index 2c8554613c..0000000000
--- a/charts/nginx/templates/_helpers.tpl
+++ /dev/null
@@ -1,84 +0,0 @@
-{{/* vim: set filetype=mustache: */}}
-{{/*
-Expand the name of the chart.
-*/}}
-{{- define "nginx-ingress.name" -}}
-{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-
-{{/*
-Create a default fully qualified app name.
-We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
-*/}}
-{{- define "nginx-ingress.fullname" -}}
-{{- $name := default .Chart.Name .Values.nameOverride -}}
-{{- if contains $name .Release.Name -}}
-{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
-{{- else -}}
-{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-{{- end -}}
-
-{{/*
-Create a default fully qualified controller name.
-We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
-*/}}
-{{- define "nginx-ingress.controller.fullname" -}}
-{{- $name := default .Chart.Name .Values.nameOverride -}}
-{{- if contains $name .Release.Name -}}
-{{- printf "%s-%s" .Release.Name .Values.controller.name | trunc 63 | trimSuffix "-" -}}
-{{- else -}}
-{{- printf "%s-%s-%s" .Release.Name $name .Values.controller.name | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-{{- end -}}
-
-{{/*
-Construct the path for the publish-service.
-
-By convention this will simply use the / to match the name of the
-service generated.
-
-Users can provide an override for an explicit service they want bound via `.Values.controller.publishService.pathOverride`
-
-*/}}
-{{- define "nginx-ingress.controller.publishServicePath" -}}
-{{- $defServiceName := printf "%s/%s" .Release.Namespace (include "nginx-ingress.controller.fullname" .) -}}
-{{- $servicePath := default $defServiceName .Values.controller.publishService.pathOverride }}
-{{- print $servicePath | trimSuffix "-" -}}
-{{- end -}}
-
-{{/*
-Create a default fully qualified default backend name.
-We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
-*/}}
-{{- define "nginx-ingress.defaultBackend.fullname" -}}
-{{- $name := default .Chart.Name .Values.nameOverride -}}
-{{- if contains $name .Release.Name -}}
-{{- printf "%s-%s" .Release.Name .Values.defaultBackend.name | trunc 63 | trimSuffix "-" -}}
-{{- else -}}
-{{- printf "%s-%s-%s" .Release.Name $name .Values.defaultBackend.name | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-{{- end -}}
-
-{{- define "nginx-ingress.tcp-configmap" -}}
-{{ default (printf "%s-%s" (include "nginx-ingress.fullname" .) "tcp") .Values.tcpExternalConfig }}
-{{- end -}}
-
-{{/*
-Create the name of the service account to use
-*/}}
-{{- define "nginx-ingress.serviceAccountName" -}}
-{{- if .Values.serviceAccount.create -}}
- {{ default (include "nginx-ingress.fullname" .) .Values.serviceAccount.name }}
-{{- else -}}
- {{ default "default" .Values.serviceAccount.name }}
-{{- end -}}
-{{- end -}}
-
-{{- define "nginx-ingress.controller.ingress-class" -}}
-{{- if not .Values.controller.ingressClass -}}
-{{ .Release.Name }}-nginx
-{{- else -}}
-nginx
-{{- end -}}
-{{- end -}}
diff --git a/charts/nginx/templates/clusterrole.yaml b/charts/nginx/templates/clusterrole.yaml
deleted file mode 100644
index 543900c844..0000000000
--- a/charts/nginx/templates/clusterrole.yaml
+++ /dev/null
@@ -1,69 +0,0 @@
-{{- if .Values.enabled -}}
-{{- if and .Values.rbac.create (not .Values.controller.scope.enabled) -}}
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: {{ template "nginx-ingress.fullname" . }}
- namespace: {{ $.Release.Namespace }}
- labels:
-{{ include "gitlab.standardLabels" . | indent 4 }}
-rules:
- - apiGroups:
- - ""
- resources:
- - configmaps
- - endpoints
- - nodes
- - pods
- - secrets
- verbs:
- - list
- - watch
-{{- if and .Values.controller.scope.enabled .Values.controller.scope.namespace }}
- - apiGroups:
- - ""
- resources:
- - namespaces
- resourceNames:
- - "{{ .Values.controller.scope.namespace }}"
- verbs:
- - get
-{{- end }}
- - apiGroups:
- - ""
- resources:
- - nodes
- verbs:
- - get
- - apiGroups:
- - ""
- resources:
- - services
- verbs:
- - get
- - list
- - update
- - watch
- - apiGroups:
- - extensions
- resources:
- - ingresses
- verbs:
- - get
- - list
- - watch
- - apiGroups:
- - ""
- resources:
- - events
- verbs:
- - create
- - patch
- - apiGroups:
- - extensions
- resources:
- - ingresses/status
- verbs:
- - update
-{{- end -}}
-{{- end -}}
diff --git a/charts/nginx/templates/clusterrolebinding.yaml b/charts/nginx/templates/clusterrolebinding.yaml
deleted file mode 100644
index 20432ed00f..0000000000
--- a/charts/nginx/templates/clusterrolebinding.yaml
+++ /dev/null
@@ -1,19 +0,0 @@
-{{- if .Values.enabled -}}
-{{- if and .Values.rbac.create (not .Values.controller.scope.enabled) -}}
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: {{ template "nginx-ingress.fullname" . }}
- namespace: {{ .Release.Namespace }}
- labels:
-{{ include "gitlab.standardLabels" . | indent 4 }}
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: {{ template "nginx-ingress.fullname" . }}
-subjects:
- - kind: ServiceAccount
- name: {{ template "nginx-ingress.serviceAccountName" . }}
- namespace: {{ .Release.Namespace }}
-{{- end -}}
-{{- end -}}
diff --git a/charts/nginx/templates/controller-configmap.yaml b/charts/nginx/templates/controller-configmap.yaml
deleted file mode 100644
index db8c9dceab..0000000000
--- a/charts/nginx/templates/controller-configmap.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
-{{- if .Values.enabled -}}
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: {{ template "nginx-ingress.controller.fullname" . }}
- namespace: {{ $.Release.Namespace }}
- labels:
-{{ include "gitlab.standardLabels" . | indent 4 }}
- component: "{{ .Values.controller.name }}"
-data:
- enable-vts-status: "{{ .Values.controller.stats.enabled }}"
-{{- if .Values.controller.headers }}
- proxy-set-headers: {{ .Release.Namespace }}/{{ template "nginx-ingress.fullname" . }}-custom-headers
-{{- end }}
-{{- if .Values.controller.config }}
-{{ toYaml .Values.controller.config | indent 2 }}
-{{- end }}
-{{- end }}
diff --git a/charts/nginx/templates/controller-daemonset.yaml b/charts/nginx/templates/controller-daemonset.yaml
deleted file mode 100644
index 5383cf552e..0000000000
--- a/charts/nginx/templates/controller-daemonset.yaml
+++ /dev/null
@@ -1,203 +0,0 @@ -{{- if .Values.enabled -}} -{{- if eq .Values.controller.kind "DaemonSet" }} -apiVersion: apps/v1 -kind: DaemonSet -metadata: - name: {{ template "nginx-ingress.controller.fullname" . }} - namespace: {{ $.Release.Namespace }} - labels: -{{ include "gitlab.standardLabels" . | indent 4 }} - component: "{{ .Values.controller.name }}" -spec: - revisionHistoryLimit: {{ .Values.revisionHistoryLimit }} - updateStrategy: -{{ toYaml .Values.controller.updateStrategy | indent 4 }} - minReadySeconds: {{ .Values.controller.minReadySeconds }} - selector: - matchLabels: - app: {{ template "name" . }} - component: "{{ .Values.controller.name }}" - release: {{ .Release.Name }} - template: - metadata: - annotations: - checksum/config: {{ include (print $.Template.BasePath "/controller-configmap.yaml") . | sha256sum }} - {{- range $key, $value := .Values.controller.podAnnotations }} - {{ $key }}: {{ $value | quote }} - {{- end }} - labels: - app: {{ template "nginx-ingress.name" . }} - component: "{{ .Values.controller.name }}" - release: {{ .Release.Name }} - {{- if .Values.controller.podLabels }} -{{ toYaml .Values.controller.podLabels | indent 8}} - {{- end }} - spec: - dnsPolicy: {{ .Values.controller.dnsPolicy }} - {{- if .Values.imagePullSecrets }} - imagePullSecrets: -{{ toYaml .Values.imagePullSecrets | indent 8 }} - {{- end }} -{{- if .Values.controller.priorityClassName }} - priorityClassName: "{{ .Values.controller.priorityClassName }}" -{{- end }} - containers: - - name: {{ template "nginx-ingress.name" . 
}}-{{ .Values.controller.name }} - image: "{{ .Values.controller.image.repository }}:{{ .Values.controller.image.tag }}" - imagePullPolicy: "{{ .Values.controller.image.pullPolicy }}" - {{- if .Values.controller.lifecycle }} - lifecycle: -{{ toYaml .Values.controller.lifecycle | indent 12 }} - {{- end }} - args: - - /nginx-ingress-controller - - --default-backend-service={{ if .Values.defaultBackend.enabled }}{{ .Release.Namespace }}/{{ template "nginx-ingress.defaultBackend.fullname" . }}{{ else }}{{ .Values.controller.defaultBackendService }}{{ end }} - {{- if .Values.controller.publishService.enabled }} - - --publish-service={{ template "nginx-ingress.controller.publishServicePath" . }} - {{- end }} - - --election-id={{ .Values.controller.electionID }} - - --ingress-class={{ template "nginx-ingress.controller.ingress-class" . }} - - --configmap={{ .Release.Namespace }}/{{ template "nginx-ingress.controller.fullname" . }} - {{- if or .Values.tcp (include "gitlab.shell.port" $ ) }} - - --tcp-services-configmap={{ .Release.Namespace }}/{{ template "nginx-ingress.fullname" . }}-tcp - {{- end }} - {{- if .Values.udp }} - - --udp-services-configmap={{ .Release.Namespace }}/{{ template "nginx-ingress.fullname" . 
}}-udp - {{- end }} - {{- if .Values.controller.scope.enabled }} - - --watch-namespace={{ default .Release.Namespace .Values.controller.scope.namespace }} - {{- end }} - {{- range $key, $value := .Values.controller.extraArgs }} - {{- if $value }} - - --{{ $key }}={{ $value }} - {{- else }} - - --{{ $key }} - {{- end }} - {{- end }} - securityContext: - capabilities: - drop: - - ALL - add: - - NET_BIND_SERVICE - runAsUser: {{ .Values.controller.image.runAsUser }} - env: - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - {{- if .Values.controller.extraEnvs }} -{{ toYaml .Values.controller.extraEnvs | indent 12 }} - {{- end }} - livenessProbe: - httpGet: - path: /healthz - port: {{ .Values.controller.livenessProbe.port }} - scheme: HTTP - initialDelaySeconds: {{ .Values.controller.livenessProbe.initialDelaySeconds }} - periodSeconds: {{ .Values.controller.livenessProbe.periodSeconds }} - timeoutSeconds: {{ .Values.controller.livenessProbe.timeoutSeconds }} - successThreshold: {{ .Values.controller.livenessProbe.successThreshold }} - failureThreshold: {{ .Values.controller.livenessProbe.failureThreshold }} - ports: - - name: http - containerPort: 80 - protocol: TCP - {{- if .Values.controller.daemonset.useHostPort }} - hostPort: {{ .Values.controller.daemonset.hostPorts.http }} - {{- end }} - - name: https - containerPort: 443 - protocol: TCP - {{- if .Values.controller.daemonset.useHostPort }} - hostPort: {{ .Values.controller.daemonset.hostPorts.https }} - {{- end }} - {{- if .Values.controller.stats.enabled }} - - name: stats - containerPort: 18080 - protocol: TCP - {{- if .Values.controller.metrics.enabled }} - - name: metrics - containerPort: 10254 - protocol: TCP - {{- end }} - {{- end }} - - name: gitlab-shell - containerPort: {{ include "gitlab.shell.port" $ | int }} - protocol: TCP - {{- range $key, $value := .Values.tcp }} - - name: "{{ $key }}-tcp" - 
containerPort: {{ $key }} - protocol: TCP - {{- end }} - {{- range $key, $value := .Values.udp }} - - name: "{{ $key }}-udp" - containerPort: {{ $key }} - protocol: UDP - {{- end }} - readinessProbe: - httpGet: - path: /healthz - port: {{ .Values.controller.readinessProbe.port }} - scheme: HTTP - initialDelaySeconds: {{ .Values.controller.readinessProbe.initialDelaySeconds }} - periodSeconds: {{ .Values.controller.readinessProbe.periodSeconds }} - timeoutSeconds: {{ .Values.controller.readinessProbe.timeoutSeconds }} - successThreshold: {{ .Values.controller.readinessProbe.successThreshold }} - failureThreshold: {{ .Values.controller.readinessProbe.failureThreshold }} -{{- if (or .Values.controller.customTemplate.configMapName .Values.controller.extraVolumeMounts) }} - volumeMounts: -{{- end }} -{{- if .Values.controller.customTemplate.configMapName }} - - mountPath: /etc/nginx/template - name: nginx-template-volume - readOnly: true -{{- end }} -{{- if .Values.controller.extraVolumeMounts }} -{{ toYaml .Values.controller.extraVolumeMounts | indent 12}} -{{- end }} - resources: -{{ toYaml .Values.controller.resources | indent 12 }} -{{- if .Values.controller.extraContainers }} -{{ toYaml .Values.controller.extraContainers | indent 8}} -{{- end }} -{{- if .Values.controller.extraInitContainers }} - initContainers: -{{ toYaml .Values.controller.extraInitContainers | indent 8}} -{{- end }} - - hostNetwork: {{ .Values.controller.hostNetwork }} - {{- if .Values.controller.nodeSelector }} - nodeSelector: -{{ toYaml .Values.controller.nodeSelector | indent 8 }} - {{- end }} - {{- if .Values.controller.tolerations }} - tolerations: -{{ toYaml .Values.controller.tolerations | indent 8 }} - {{- end }} - {{- if .Values.controller.affinity }} - affinity: -{{ toYaml .Values.controller.affinity | indent 8 }} - {{- end }} - serviceAccountName: {{ template "nginx-ingress.serviceAccountName" . 
}} - terminationGracePeriodSeconds: 60 -{{- if (or .Values.controller.customTemplate.configMapName .Values.controller.extraVolumes) }} - volumes: -{{- end }} -{{- if .Values.controller.customTemplate.configMapName }} - - name: nginx-template-volume - configMap: - name: {{ .Values.controller.customTemplate.configMapName }} - items: - - key: {{ .Values.controller.customTemplate.configMapKey }} - path: nginx.tmpl -{{- end }} -{{- if .Values.controller.extraVolumes }} -{{ toYaml .Values.controller.extraVolumes | indent 8}} -{{- end }} -{{- end }} -{{- end }} diff --git a/charts/nginx/templates/controller-deployment.yaml b/charts/nginx/templates/controller-deployment.yaml deleted file mode 100644 index e8bbd01ea5..0000000000 --- a/charts/nginx/templates/controller-deployment.yaml +++ /dev/null 
@@ -1,222 +0,0 @@ -{{- if .Values.enabled -}} -{{- if eq .Values.controller.kind "Deployment" }} -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ template "nginx-ingress.controller.fullname" . }} - namespace: {{ $.Release.Namespace }} - labels: - {{- include "gitlab.standardLabels" . | nindent 4 }} - component: "{{ .Values.controller.name }}" - annotations: - {{- include "gitlab.deploymentAnnotations" . | nindent 4 }} -spec: - replicas: {{ .Values.controller.replicaCount }} - revisionHistoryLimit: {{ .Values.revisionHistoryLimit }} - strategy: -{{ toYaml .Values.controller.updateStrategy | indent 4 }} - minReadySeconds: {{ .Values.controller.minReadySeconds }} - selector: - matchLabels: - app: {{ template "name" . }} - component: "{{ .Values.controller.name }}" - release: {{ .Release.Name }} - template: - metadata: - annotations: - {{- range $key, $value := .Values.controller.podAnnotations }} - {{ $key }}: {{ $value | quote }} - {{- end }} - labels: - app: {{ template "nginx-ingress.name" . }} - component: "{{ .Values.controller.name }}" - release: {{ .Release.Name }} - {{- if .Values.controller.podLabels }} -{{ toYaml .Values.controller.podLabels | indent 8 }} - {{- end }} - spec: - dnsPolicy: {{ .Values.controller.dnsPolicy }} - {{- if .Values.imagePullSecrets }} - imagePullSecrets: -{{ toYaml .Values.imagePullSecrets | indent 8 }} - {{- end }} -{{- if .Values.controller.priorityClassName }} - priorityClassName: "{{ .Values.controller.priorityClassName }}" -{{- end }} - containers: - - name: {{ template "nginx-ingress.name" . 
}}-{{ .Values.controller.name }} - image: "{{ .Values.controller.image.repository }}:{{ .Values.controller.image.tag }}" - imagePullPolicy: "{{ .Values.controller.image.pullPolicy }}" - {{- if .Values.controller.lifecycle }} - lifecycle: -{{ toYaml .Values.controller.lifecycle | indent 12 }} - {{- end }} - args: - - /nginx-ingress-controller - - --default-backend-service={{ if .Values.defaultBackend.enabled }}{{ .Release.Namespace }}/{{ template "nginx-ingress.defaultBackend.fullname" . }}{{ else }}{{ .Values.controller.defaultBackendService }}{{ end }} - {{- if .Values.controller.publishService.enabled }} - - --publish-service={{ template "nginx-ingress.controller.publishServicePath" . }} - {{- end }} - - --election-id={{ .Values.controller.electionID }} - - --ingress-class={{ template "nginx-ingress.controller.ingress-class" . }} - - --configmap={{ .Release.Namespace }}/{{ template "nginx-ingress.controller.fullname" . }} - {{- if or .Values.tcp ( include "gitlab.shell.port" $ ) }} - - --tcp-services-configmap={{ .Release.Namespace }}/{{ template "nginx-ingress.tcp-configmap" . }} - {{- end }} - {{- if .Values.udp }} - - --udp-services-configmap={{ .Release.Namespace }}/{{ template "nginx-ingress.fullname" . 
}}-udp - {{- end }} - {{- if .Values.controller.scope.enabled }} - - --watch-namespace={{ default .Release.Namespace .Values.controller.scope.namespace }} - {{- end }} - {{- range $key, $value := .Values.controller.extraArgs }} - {{- if $value }} - - --{{ $key }}={{ $value }} - {{- else }} - - --{{ $key }} - {{- end }} - {{- end }} - securityContext: - capabilities: - drop: - - ALL - add: - - NET_BIND_SERVICE - runAsUser: {{ .Values.controller.image.runAsUser }} - env: - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - {{- if .Values.controller.extraEnvs }} -{{ toYaml .Values.controller.extraEnvs | indent 12 }} - {{- end }} - livenessProbe: - httpGet: - path: /healthz - port: {{ .Values.controller.livenessProbe.port }} - scheme: HTTP - initialDelaySeconds: {{ .Values.controller.livenessProbe.initialDelaySeconds }} - periodSeconds: {{ .Values.controller.livenessProbe.periodSeconds }} - timeoutSeconds: {{ .Values.controller.livenessProbe.timeoutSeconds }} - successThreshold: {{ .Values.controller.livenessProbe.successThreshold }} - failureThreshold: {{ .Values.controller.livenessProbe.failureThreshold }} - ports: - - name: http - containerPort: 80 - protocol: TCP - - name: https - containerPort: 443 - protocol: TCP - {{- if .Values.controller.stats.enabled }} - - name: stats - containerPort: 18080 - protocol: TCP - {{- if .Values.controller.metrics.enabled }} - - name: metrics - containerPort: 10254 - protocol: TCP - {{- end }} - {{- end }} - - name: gitlab-shell - containerPort: {{ include "gitlab.shell.port" $ | int }} - protocol: TCP - {{- range $key, $value := .Values.tcp }} - - name: "{{ $key }}-tcp" - containerPort: {{ $key }} - protocol: TCP - {{- end }} - {{- range $key, $value := .Values.udp }} - - name: "{{ $key }}-udp" - containerPort: {{ $key }} - protocol: UDP - {{- end }} - readinessProbe: - httpGet: - path: /healthz - port: {{ 
.Values.controller.readinessProbe.port }} - scheme: HTTP - initialDelaySeconds: {{ .Values.controller.readinessProbe.initialDelaySeconds }} - periodSeconds: {{ .Values.controller.readinessProbe.periodSeconds }} - timeoutSeconds: {{ .Values.controller.readinessProbe.timeoutSeconds }} - successThreshold: {{ .Values.controller.readinessProbe.successThreshold }} - failureThreshold: {{ .Values.controller.readinessProbe.failureThreshold }} -{{- if (or .Values.controller.customTemplate.configMapName .Values.controller.extraVolumeMounts) }} - volumeMounts: -{{- end }} -{{- if .Values.controller.customTemplate.configMapName }} - - mountPath: /etc/nginx/template - name: nginx-template-volume - readOnly: true -{{- end }} -{{- if .Values.controller.extraVolumeMounts }} -{{ toYaml .Values.controller.extraVolumeMounts | indent 12}} -{{- end }} - resources: -{{ toYaml .Values.controller.resources | indent 12 }} -{{- if .Values.controller.extraContainers }} -{{ toYaml .Values.controller.extraContainers | indent 8}} -{{- end }} -{{- if .Values.controller.extraInitContainers }} - initContainers: -{{ toYaml .Values.controller.extraInitContainers | indent 8}} -{{- end }} - hostNetwork: {{ .Values.controller.hostNetwork }} - {{- if .Values.controller.nodeSelector }} - nodeSelector: -{{ toYaml .Values.controller.nodeSelector | indent 8 }} - {{- end }} - {{- if .Values.controller.tolerations }} - tolerations: -{{ toYaml .Values.controller.tolerations | indent 8 }} - {{- end }} - {{- if .Values.controller.affinity }} - affinity: -{{ toYaml .Values.controller.affinity | indent 8 }} - {{- else -}} - {{- if eq (default .Values.global.antiAffinity .Values.antiAffinity) "hard" }} - affinity: - podAntiAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - - topologyKey: "kubernetes.io/hostname" - labelSelector: - matchLabels: - app: {{ template "name" . 
}} - component: {{ .Values.controller.name }} - release: {{ .Release.Name }} - {{- else if eq (default .Values.global.antiAffinity .Values.antiAffinity) "soft" }} - affinity: - podAntiAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - weight: 1 - podAffinityTerm: - topologyKey: kubernetes.io/hostname - labelSelector: - matchLabels: - app: {{ template "name" . }} - component: {{ .Values.controller.name }} - release: {{ .Release.Name }} - {{- end }} - {{- end }} - serviceAccountName: {{ template "nginx-ingress.serviceAccountName" . }} - terminationGracePeriodSeconds: 60 -{{- if (or .Values.controller.customTemplate.configMapName .Values.controller.extraVolumes) }} - volumes: -{{- end }} -{{- if .Values.controller.customTemplate.configMapName }} - - name: nginx-template-volume - configMap: - name: {{ .Values.controller.customTemplate.configMapName }} - items: - - key: {{ .Values.controller.customTemplate.configMapKey }} - path: nginx.tmpl -{{- end }} -{{- if .Values.controller.extraVolumes }} -{{ toYaml .Values.controller.extraVolumes | indent 8}} -{{- end }} -{{- end }} -{{- end }} diff --git a/charts/nginx/templates/controller-hpa.yaml b/charts/nginx/templates/controller-hpa.yaml deleted file mode 100644 index 0f6cd16b2c..0000000000 --- a/charts/nginx/templates/controller-hpa.yaml +++ /dev/null 
@@ -1,30 +0,0 @@
-{{- if .Values.enabled -}}
-{{- if eq .Values.controller.kind "Deployment" }}
-{{- if .Values.controller.autoscaling.enabled }}
-apiVersion: autoscaling/v1
-kind: HorizontalPodAutoscaler
-metadata:
- name: {{ template "nginx-ingress.controller.fullname" . }}
- namespace: {{ $.Release.Namespace }}
- labels:
-{{ include "gitlab.standardLabels" . | indent 4 }}
- component: "{{ .Values.controller.name }}"
-spec:
- scaleTargetRef:
- apiVersion: apps/v1
- kind: Deployment
- name: {{ template "nginx-ingress.controller.fullname" . }}
- minReplicas: {{ .Values.controller.autoscaling.minReplicas }}
- maxReplicas: {{ .Values.controller.autoscaling.maxReplicas }}
- metrics:
- - type: Resource
- resource:
- name: cpu
- targetAverageUtilization: {{ .Values.controller.autoscaling.targetCPUUtilizationPercentage }}
- - type: Resource
- resource:
- name: memory
- targetAverageUtilization: {{ .Values.controller.autoscaling.targetMemoryUtilizationPercentage }}
-{{- end }}
-{{- end }}
-{{- end }}
diff --git a/charts/nginx/templates/controller-metrics-service.yaml b/charts/nginx/templates/controller-metrics-service.yaml
deleted file mode 100644
index 2c515179dd..0000000000
--- a/charts/nginx/templates/controller-metrics-service.yaml
+++ /dev/null
@@ -1,42 +0,0 @@
-{{- if .Values.enabled -}}
-{{- if and .Values.controller.stats.enabled .Values.controller.metrics.enabled }}
-apiVersion: v1
-kind: Service
-metadata:
- name: {{ template "nginx-ingress.controller.fullname" . }}-metrics
- namespace: {{ $.Release.Namespace }}
-{{- if .Values.controller.metrics.service.annotations }}
- annotations:
- {{- range $key, $value := .Values.controller.metrics.service.annotations }}
- {{ $key }}: {{ $value | quote }}
- {{- end }}
-{{- end }}
- labels:
-{{ include "gitlab.standardLabels" . | indent 4 }}
- component: "{{ .Values.controller.name }}"
-spec:
-{{- if not .Values.controller.metrics.service.omitClusterIP }}
- {{ with .Values.controller.metrics.service.clusterIP }}clusterIP: {{ . }}{{ end }}
-{{- end }}
-{{- if .Values.controller.metrics.service.externalIPs }}
- externalIPs:
-{{ toYaml .Values.controller.metrics.service.externalIPs | indent 4 }}
-{{- end }}
-{{- if .Values.controller.metrics.service.loadBalancerIP }}
- loadBalancerIP: "{{ .Values.controller.metrics.service.loadBalancerIP }}"
-{{- end }}
-{{- if .Values.controller.metrics.service.loadBalancerSourceRanges }}
- loadBalancerSourceRanges:
-{{ toYaml .Values.controller.metrics.service.loadBalancerSourceRanges | indent 4 }}
-{{- end }}
- ports:
- - name: metrics
- port: {{ .Values.controller.metrics.service.servicePort }}
- targetPort: metrics
- selector:
- app: {{ template "nginx-ingress.name" . }}
- component: "{{ .Values.controller.name }}"
- release: {{ .Release.Name }}
- type: "{{ .Values.controller.metrics.service.type }}"
-{{- end }}
-{{- end }}
diff --git a/charts/nginx/templates/controller-poddisruptionbudget.yaml b/charts/nginx/templates/controller-poddisruptionbudget.yaml
deleted file mode 100644
index 1c4a4b5431..0000000000
--- a/charts/nginx/templates/controller-poddisruptionbudget.yaml
+++ /dev/null
@@ -1,17 +0,0 @@
-{{- if and .Values.enabled (gt (.Values.controller.replicaCount | int) 1 ) -}}
-apiVersion: policy/v1beta1
-kind: PodDisruptionBudget
-metadata:
- name: {{ printf "%s-%d" (include "nginx-ingress.controller.fullname" . | trunc 60) (.Values.controller.minAvailable | int) }}
- namespace: {{ $.Release.Namespace }}
- labels:
-{{ include "gitlab.standardLabels" . | indent 4 }}
- component: "{{ .Values.controller.name }}"
-spec:
- selector:
- matchLabels:
- app: {{ template "nginx-ingress.name" . }}
- release: {{ .Release.Name }}
- component: "{{ .Values.controller.name }}"
- minAvailable: {{ .Values.controller.minAvailable }}
-{{- end }}
diff --git a/charts/nginx/templates/controller-service.yaml b/charts/nginx/templates/controller-service.yaml
deleted file mode 100644
index dd9f8bfaa4..0000000000
--- a/charts/nginx/templates/controller-service.yaml
+++ /dev/null
@@ -1,84 +0,0 @@ -{{- if .Values.enabled -}} -apiVersion: v1 -kind: Service -metadata: - name: {{ template "nginx-ingress.controller.fullname" . }} - namespace: {{ $.Release.Namespace }} -{{- if .Values.controller.service.annotations }} - annotations: - {{- range $key, $value := .Values.controller.service.annotations }} - {{ $key }}: {{ $value | quote }} - {{- end }} -{{- end }} - labels: -{{- if .Values.controller.service.labels }} -{{ toYaml .Values.controller.service.labels | indent 4 }} -{{- end }} - component: "{{ .Values.controller.name }}" -{{ include "gitlab.standardLabels" . | indent 4 }} -spec: -{{- if not .Values.controller.service.omitClusterIP }} - {{ with .Values.controller.metrics.service.clusterIP }}clusterIP: {{ . }}{{ end }} -{{- end }} -{{- if .Values.controller.service.externalIPs }} - externalIPs: -{{ toYaml .Values.controller.service.externalIPs | indent 4 }} -{{- end }} -{{- if .Values.global.hosts.externalIP }} - loadBalancerIP: "{{ .Values.global.hosts.externalIP }}" -{{- end }} -{{- if .Values.controller.service.loadBalancerSourceRanges }} - loadBalancerSourceRanges: -{{ toYaml .Values.controller.service.loadBalancerSourceRanges | indent 4 }} -{{- end }} -{{- if and (semverCompare ">=1.7-0" .Capabilities.KubeVersion.GitVersion) (.Values.controller.service.externalTrafficPolicy) }} - externalTrafficPolicy: "{{ .Values.controller.service.externalTrafficPolicy }}" -{{- end }} -{{- if and (semverCompare ">=1.7-0" .Capabilities.KubeVersion.GitVersion) (.Values.controller.service.healthCheckNodePort) }} - healthCheckNodePort: {{ .Values.controller.service.healthCheckNodePort }} -{{- end }} - ports: - {{- if .Values.controller.service.enableHttp }} - - name: http - port: 80 - protocol: TCP - targetPort: {{ .Values.controller.service.targetPorts.http }} - {{- if (and (eq .Values.controller.service.type "NodePort") (not (empty .Values.controller.service.nodePorts.http))) }} - nodePort: {{ .Values.controller.service.nodePorts.http }} - {{- end }} - 
{{- end }} - {{- if .Values.controller.service.enableHttps }} - - name: https - port: 443 - protocol: TCP - targetPort: {{ .Values.controller.service.targetPorts.https }} - {{- if (and (eq .Values.controller.service.type "NodePort") (not (empty .Values.controller.service.nodePorts.https))) }} - nodePort: {{ .Values.controller.service.nodePorts.https }} - {{- end }} - {{- end }} - - name: gitlab-shell - port: {{ include "gitlab.shell.port" $ | int }} - protocol: TCP - targetPort: gitlab-shell - {{- $nodePort := coalesce (index .Values.controller.service.nodePorts "gitlab-shell") .Values.global.shell.port }} - {{- if (and (eq .Values.controller.service.type "NodePort") (not (empty $nodePort))) }} - nodePort: {{ $nodePort }} - {{- end }} - {{- range $key, $value := .Values.tcp }} - - name: "{{ $key }}-tcp" - port: {{ $key }} - protocol: TCP - targetPort: "{{ $key }}-tcp" - {{- end }} - {{- range $key, $value := .Values.udp }} - - name: "{{ $key }}-udp" - port: {{ $key }} - protocol: UDP - targetPort: "{{ $key }}-udp" - {{- end }} - selector: - app: {{ template "nginx-ingress.name" . }} - component: "{{ .Values.controller.name }}" - release: {{ .Release.Name }} - type: "{{ .Values.controller.service.type }}" -{{- end }} diff --git a/charts/nginx/templates/controller-stats-service.yaml b/charts/nginx/templates/controller-stats-service.yaml deleted file mode 100644 index c73c87b63f..0000000000 --- a/charts/nginx/templates/controller-stats-service.yaml +++ /dev/null 
@@ -1,42 +0,0 @@
-{{- if .Values.enabled -}}
-{{- if .Values.controller.stats.enabled }}
-apiVersion: v1
-kind: Service
-metadata:
- name: {{ template "nginx-ingress.controller.fullname" . }}-stats
- namespace: {{ $.Release.Namespace }}
-{{- if .Values.controller.stats.service.annotations }}
- annotations:
- {{- range $key, $value := .Values.controller.stats.service.annotations }}
- {{ $key }}: {{ $value | quote }}
- {{- end }}
-{{- end }}
- labels:
-{{ include "gitlab.standardLabels" . | indent 4 }}
- component: "{{ .Values.controller.name }}"
-spec:
-{{- if not .Values.controller.stats.service.omitClusterIP }}
- {{ with .Values.controller.metrics.service.clusterIP }}clusterIP: {{ . }}{{ end }}
-{{- end }}
-{{- if .Values.controller.stats.service.externalIPs }}
- externalIPs:
-{{ toYaml .Values.controller.stats.service.externalIPs | indent 4 }}
-{{- end }}
-{{- if .Values.controller.stats.service.loadBalancerIP }}
- loadBalancerIP: "{{ .Values.controller.stats.service.loadBalancerIP }}"
-{{- end }}
-{{- if .Values.controller.stats.service.loadBalancerSourceRanges }}
- loadBalancerSourceRanges:
-{{ toYaml .Values.controller.stats.service.loadBalancerSourceRanges | indent 4 }}
-{{- end }}
- ports:
- - name: stats
- port: {{ .Values.controller.stats.service.servicePort }}
- targetPort: stats
- selector:
- app: {{ template "nginx-ingress.name" . }}
- component: "{{ .Values.controller.name }}"
- release: {{ .Release.Name }}
- type: "{{ .Values.controller.stats.service.type }}"
-{{- end }}
-{{- end }}
diff --git a/charts/nginx/templates/default-backend-deployment.yaml b/charts/nginx/templates/default-backend-deployment.yaml
deleted file mode 100644
index 5c4465d845..0000000000
--- a/charts/nginx/templates/default-backend-deployment.yaml
+++ /dev/null
@@ -1,83 +0,0 @@ -{{- if .Values.enabled -}} -{{- if .Values.defaultBackend.enabled }} -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ template "nginx-ingress.defaultBackend.fullname" . }} - namespace: {{ $.Release.Namespace }} - labels: - {{- include "gitlab.standardLabels" . | nindent 4 }} - component: "{{ .Values.defaultBackend.name }}" - annotations: - {{- include "gitlab.deploymentAnnotations" . | nindent 4 }} -spec: - replicas: {{ .Values.defaultBackend.replicaCount }} - revisionHistoryLimit: {{ .Values.revisionHistoryLimit }} - selector: - matchLabels: - app: {{ template "nginx-ingress.name" . }} - component: "{{ .Values.defaultBackend.name }}" - release: {{ .Release.Name }} - template: - metadata: - {{- if .Values.defaultBackend.podAnnotations }} - annotations: - {{- range $key, $value := .Values.defaultBackend.podAnnotations }} - {{ $key }}: {{ $value | quote }} - {{- end }} - {{- end }} - labels: - app: {{ template "nginx-ingress.name" . }} - component: "{{ .Values.defaultBackend.name }}" - release: {{ .Release.Name }} - {{- if .Values.defaultBackend.podLabels }} -{{ toYaml .Values.defaultBackend.podLabels | indent 8 }} - {{- end }} - spec: - {{- if .Values.imagePullSecrets }} - imagePullSecrets: -{{ toYaml .Values.imagePullSecrets | indent 8 }} - {{- end }} -{{- if .Values.defaultBackend.priorityClassName }} - priorityClassName: "{{ .Values.defaultBackend.priorityClassName }}" -{{- end }} - containers: - - name: {{ template "name" . 
}}-{{ .Values.defaultBackend.name }} - image: "{{ .Values.defaultBackend.image.repository }}:{{ .Values.defaultBackend.image.tag }}" - imagePullPolicy: "{{ .Values.defaultBackend.image.pullPolicy }}" - args: - {{- range $key, $value := .Values.defaultBackend.extraArgs }} - {{- if $value }} - - --{{ $key }}={{ $value }} - {{- else }} - - --{{ $key }} - {{- end }} - {{- end }} - livenessProbe: - httpGet: - path: /healthz - port: {{ .Values.defaultBackend.port }} - scheme: HTTP - initialDelaySeconds: 30 - timeoutSeconds: 5 - ports: - - name: http - containerPort: {{ .Values.defaultBackend.port }} - protocol: TCP - resources: -{{ toYaml .Values.defaultBackend.resources | indent 12 }} - {{- if .Values.defaultBackend.nodeSelector }} - nodeSelector: -{{ toYaml .Values.defaultBackend.nodeSelector | indent 8 }} - {{- end }} - {{- if .Values.defaultBackend.tolerations }} - tolerations: -{{ toYaml .Values.defaultBackend.tolerations | indent 8 }} - {{- end }} - {{- if .Values.defaultBackend.affinity }} - affinity: -{{ toYaml .Values.defaultBackend.affinity | indent 8 }} - {{- end }} - terminationGracePeriodSeconds: 60 -{{- end }} -{{- end }} diff --git a/charts/nginx/templates/default-backend-poddisruptionbudget.yaml b/charts/nginx/templates/default-backend-poddisruptionbudget.yaml deleted file mode 100644 index 56dcc70ed3..0000000000 --- a/charts/nginx/templates/default-backend-poddisruptionbudget.yaml +++ /dev/null 
@@ -1,17 +0,0 @@
-{{- if and .Values.enabled (gt (.Values.defaultBackend.replicaCount | int) 1 ) -}}
-apiVersion: policy/v1beta1
-kind: PodDisruptionBudget
-metadata:
- name: {{ printf "%s-%d" (include "nginx-ingress.defaultBackend.fullname" . | trunc 60) (.Values.defaultBackend.minAvailable | int) }}
- namespace: {{ $.Release.Namespace }}
- labels:
-{{ include "gitlab.standardLabels" . | indent 4 }}
- component: "{{ .Values.defaultBackend.name }}"
-spec:
- selector:
- matchLabels:
- app: {{ template "nginx-ingress.name" . }}
- release: {{ .Release.Name }}
- component: "{{ .Values.defaultBackend.name }}"
- minAvailable: {{ .Values.defaultBackend.minAvailable }}
-{{- end }}
diff --git a/charts/nginx/templates/default-backend-service.yaml b/charts/nginx/templates/default-backend-service.yaml
deleted file mode 100644
index 2c1da7aedc..0000000000
--- a/charts/nginx/templates/default-backend-service.yaml
+++ /dev/null
@@ -1,43 +0,0 @@
-{{- if .Values.enabled -}}
-{{- if .Values.defaultBackend.enabled }}
-apiVersion: v1
-kind: Service
-metadata:
- name: {{ template "nginx-ingress.defaultBackend.fullname" . }}
- namespace: {{ $.Release.Namespace }}
-{{- if .Values.defaultBackend.service.annotations }}
- annotations:
- {{- range $key, $value := .Values.defaultBackend.service.annotations }}
- {{ $key }}: {{ $value | quote }}
- {{- end }}
-{{- end }}
- labels:
-{{ include "gitlab.standardLabels" . | indent 4 }}
- component: "{{ .Values.defaultBackend.name }}"
-spec:
-{{- if not .Values.defaultBackend.service.omitClusterIP }}
- {{ with .Values.controller.metrics.service.clusterIP }}clusterIP: {{ . }}{{ end }}
-{{- end }}
-{{- if .Values.defaultBackend.service.externalIPs }}
- externalIPs:
-{{ toYaml .Values.defaultBackend.service.externalIPs | indent 4 }}
-{{- end }}
-{{- if .Values.defaultBackend.service.loadBalancerIP }}
- loadBalancerIP: "{{ .Values.defaultBackend.service.loadBalancerIP }}"
-{{- end }}
-{{- if .Values.defaultBackend.service.loadBalancerSourceRanges }}
- loadBalancerSourceRanges:
-{{ toYaml .Values.defaultBackend.service.loadBalancerSourceRanges | indent 4 }}
-{{- end }}
- ports:
- - name: http
- port: {{ .Values.defaultBackend.service.servicePort }}
- protocol: TCP
- targetPort: http
- selector:
- app: {{ template "nginx-ingress.name" . }}
- component: "{{ .Values.defaultBackend.name }}"
- release: {{ .Release.Name }}
- type: "{{ .Values.defaultBackend.service.type }}"
-{{- end }}
-{{- end }}
diff --git a/charts/nginx/templates/headers-configmap.yaml b/charts/nginx/templates/headers-configmap.yaml
deleted file mode 100644
index 1a74670ad5..0000000000
--- a/charts/nginx/templates/headers-configmap.yaml
+++ /dev/null
@@ -1,14 +0,0 @@
-{{- if .Values.enabled -}}
-{{- if .Values.controller.headers }}
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: {{ template "nginx-ingress.fullname" . }}-custom-headers
- namespace: {{ $.Release.Namespace }}
- labels:
-{{ include "gitlab.standardLabels" . | indent 4 }}
- component: "{{ .Values.controller.name }}"
-data:
-{{ toYaml .Values.controller.headers | indent 2 }}
-{{- end }}
-{{- end }}
diff --git a/charts/nginx/templates/podsecuritypolicy.yaml b/charts/nginx/templates/podsecuritypolicy.yaml
deleted file mode 100755
index 8457a1ce40..0000000000
--- a/charts/nginx/templates/podsecuritypolicy.yaml
+++ /dev/null
@@ -1,45 +0,0 @@
-{{- if .Values.podSecurityPolicy.enabled}}
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
- name: {{ template "nginx-ingress.fullname" . }}
- namespace: {{ $.Release.Namespace }}
- labels:
-{{ include "gitlab.standardLabels" . | indent 4 }}
-spec:
- allowedCapabilities:
- - NET_BIND_SERVICE
- privileged: false
- allowPrivilegeEscalation: true
- # Allow core volume types.
- volumes:
- - 'configMap'
- #- 'emptyDir'
- #- 'projected'
- - 'secret'
- #- 'downwardAPI'
- hostNetwork: false
- hostIPC: false
- hostPID: false
- runAsUser:
- # Require the container to run without root privileges.
- rule: 'MustRunAsNonRoot'
- supplementalGroups:
- rule: 'MustRunAs'
- ranges:
- # Forbid adding the root group.
- - min: 1
- max: 65535
- fsGroup:
- rule: 'MustRunAs'
- ranges:
- # Forbid adding the root group.
- - min: 1
- max: 65535
- readOnlyRootFilesystem: false
- seLinux:
- rule: 'RunAsAny'
- hostPorts:
- - max: 65535
- min: 1
-{{- end }}
diff --git a/charts/nginx/templates/role.yaml b/charts/nginx/templates/role.yaml
deleted file mode 100644
index e6c054e7f1..0000000000
--- a/charts/nginx/templates/role.yaml
+++ /dev/null
@@ -1,89 +0,0 @@
-{{- if .Values.enabled -}}
-{{- if .Values.rbac.create -}}
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
- name: {{ template "nginx-ingress.fullname" . }}
- namespace: {{ $.Release.Namespace }}
- labels:
-{{ include "gitlab.standardLabels" . | indent 4 }}
-rules:
- - apiGroups:
- - ""
- resources:
- - namespaces
- verbs:
- - get
- - apiGroups:
- - ""
- resources:
- - configmaps
- - pods
- - secrets
- - endpoints
- verbs:
- - get
- - list
- - watch
- - apiGroups:
- - ""
- resources:
- - services
- verbs:
- - get
- - list
- - update
- - watch
- - apiGroups:
- - extensions
- resources:
- - ingresses
- verbs:
- - get
- - list
- - watch
- - apiGroups:
- - extensions
- resources:
- - ingresses/status
- verbs:
- - update
- - apiGroups:
- - ""
- resources:
- - configmaps
- resourceNames:
- - {{ .Values.controller.electionID }}-{{ template "nginx-ingress.controller.ingress-class" . }}
- verbs:
- - get
- - update
- - apiGroups:
- - ""
- resources:
- - configmaps
- verbs:
- - create
- - apiGroups:
- - ""
- resources:
- - endpoints
- verbs:
- - create
- - get
- - update
- - apiGroups:
- - ""
- resources:
- - events
- verbs:
- - create
- - patch
-{{- if .Values.podSecurityPolicy.enabled }}
- - apiGroups: ['policy']
- resources: ['podsecuritypolicies']
- verbs: ['use']
- resourceNames: [{{ template "nginx-ingress.fullname" . }}]
-{{- end }}
-
-{{- end -}}
-{{- end -}}
diff --git a/charts/nginx/templates/rolebinding.yaml b/charts/nginx/templates/rolebinding.yaml
deleted file mode 100644
index 6df6b58390..0000000000
--- a/charts/nginx/templates/rolebinding.yaml
+++ /dev/null
@@ -1,19 +0,0 @@
-{{- if .Values.enabled -}}
-{{- if .Values.rbac.create -}}
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: {{ template "nginx-ingress.fullname" . }}
- namespace: {{ $.Release.Namespace }}
- labels:
-{{ include "gitlab.standardLabels" . | indent 4 }}
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: Role
- name: {{ template "nginx-ingress.fullname" . }}
-subjects:
- - kind: ServiceAccount
- name: {{ template "nginx-ingress.serviceAccountName" . }}
- namespace: {{ $.Release.Namespace }}
-{{- end -}}
-{{- end -}}
diff --git a/charts/nginx/templates/serviceaccount.yaml b/charts/nginx/templates/serviceaccount.yaml
deleted file mode 100644
index d24eedd7c1..0000000000
--- a/charts/nginx/templates/serviceaccount.yaml
+++ /dev/null
@@ -1,11 +0,0 @@
-{{- if .Values.enabled -}}
-{{- if .Values.serviceAccount.create -}}
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: {{ template "nginx-ingress.serviceAccountName" . }}
- namespace: {{ $.Release.Namespace }}
- labels:
-{{ include "gitlab.standardLabels" . | indent 4 }}
-{{- end -}}
-{{- end -}}
diff --git a/charts/nginx/templates/tcp-configmap.yaml b/charts/nginx/templates/tcp-configmap.yaml
deleted file mode 100644
index 437bd23371..0000000000
--- a/charts/nginx/templates/tcp-configmap.yaml
+++ /dev/null
@@ -1,14 +0,0 @@
-{{- if .Values.enabled -}}
-{{- if and .Values.tcp (not .Values.tcpExternalConfig) }}
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: {{ template "nginx-ingress.tcp-configmap" . }}
- namespace: {{ $.Release.Namespace }}
- labels:
-{{ include "gitlab.standardLabels" . | indent 4 }}
- component: "{{ .Values.controller.name }}"
-data:
-{{ toYaml .Values.tcp | indent 2 }}
-{{- end }}
-{{- end }}
diff --git a/charts/nginx/templates/udp-configmap.yaml b/charts/nginx/templates/udp-configmap.yaml
deleted file mode 100644
index 76855394d7..0000000000
--- a/charts/nginx/templates/udp-configmap.yaml
+++ /dev/null
@@ -1,14 +0,0 @@
-{{- if .Values.enabled -}}
-{{- if .Values.udp }}
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: {{ template "nginx-ingress.fullname" . }}-udp
- namespace: {{ $.Release.Namespace }}
- labels:
-{{ include "gitlab.standardLabels" . | indent 4 }}
- component: "{{ .Values.controller.name }}"
-data:
-{{ toYaml .Values.udp | indent 2 }}
-{{- end }}
-{{- end }}
diff --git a/charts/nginx/values.yaml b/charts/nginx/values.yaml
deleted file mode 100755
index 2d4e1003e7..0000000000
--- a/charts/nginx/values.yaml
+++ /dev/null
@@ -1,401 +0,0 @@ -## nginx configuration -## Ref: https://github.com/kubernetes/ingress/blob/master/controllers/nginx/configuration.md -## -# Added feature gate by GitLab -enabled: false - -## Upstream settings -controller: - name: controller - image: - repository: quay.io/kubernetes-ingress-controller/nginx-ingress-controller - tag: "0.21.0" - pullPolicy: IfNotPresent - # www-data -> uid 33 - runAsUser: 33 - - config: {} - # Will add custom header to Nginx https://github.com/kubernetes/ingress-nginx/tree/master/docs/examples/customization/custom-headers - headers: - Referrer-Policy: strict-origin-when-cross-origin - - # Required for use with CNI based kubernetes installations (such as ones set up by kubeadm), - # since CNI and hostport don't mix yet. Can be deprecated once https://github.com/kubernetes/kubernetes/issues/23920 - # is merged - hostNetwork: false - - # Optionally change this to ClusterFirstWithHostNet in case you have 'hostNetwork: true'. - # By default, while using host network, name resolution uses the host's DNS. If you wish nginx-controller - # to keep resolving names inside the k8s network, use ClusterFirstWithHostNet. 
- dnsPolicy: ClusterFirst - - ## Use host ports 80 and 443 - daemonset: - useHostPort: false - hostPorts: - http: 80 - https: 443 - - ## Required only if defaultBackend.enabled = false - ## Must be / - ## - defaultBackendService: "" - - ## Election ID to use for status update - ## - electionID: ingress-controller-leader - - ## Name of the ingress class to route through this controller - ## - ingressClass: nginx - - # labels to add to the pod container metadata - podLabels: {} - # key: value - - ## Allows customization of the external service - ## the ingress will be bound to via DNS - publishService: - enabled: false - ## Allows overriding of the publish service to bind to - ## Must be / - ## - pathOverride: "" - - ## Limit the scope of the controller - ## - scope: - enabled: false - namespace: "" # defaults to .Release.Namespace - - ## Additional command line arguments to pass to nginx-ingress-controller - ## E.g. to specify the default SSL certificate you can use - ## extraArgs: - ## default-ssl-certificate: "/" - extraArgs: {} - - ## Additional environment variables to set - extraEnvs: [] - # extraEnvs: - # - name: FOO - # valueFrom: - # secretKeyRef: - # key: FOO - # name: secret-resource - - ## DaemonSet or Deployment - ## - kind: Deployment - - # The update strategy to apply to the Deployment or DaemonSet - ## - updateStrategy: {} - # rollingUpdate: - # maxUnavailable: 1 - # type: RollingUpdate - - # minReadySeconds to avoid killing pods before we are ready - ## - minReadySeconds: 0 - - - ## Node tolerations for server scheduling to nodes with taints - ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ - ## - tolerations: [] - # - key: "key" - # operator: "Equal|Exists" - # value: "value" - # effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)" - - affinity: {} - - ## Node labels for controller pod assignment - ## Ref: https://kubernetes.io/docs/user-guide/node-selection/ - ## - nodeSelector: {} - - ## Liveness and readiness probe 
values - ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes - ## - livenessProbe: - failureThreshold: 3 - initialDelaySeconds: 10 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 1 - port: 10254 - readinessProbe: - failureThreshold: 3 - initialDelaySeconds: 10 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 1 - port: 10254 - - ## Annotations to be added to controller pods - ## - podAnnotations: {} - - replicaCount: 1 - - minAvailable: 1 - - resources: {} - # limits: - # cpu: 100m - # memory: 64Mi - # requests: - # cpu: 100m - # memory: 64Mi - - autoscaling: - enabled: false - minReplicas: 1 - maxReplicas: 11 - targetCPUUtilizationPercentage: 50 - targetMemoryUtilizationPercentage: 50 - - ## Override NGINX template - customTemplate: - configMapName: "" - configMapKey: "" - - service: - annotations: {} - labels: {} - omitClusterIP: false - # clusterIP: "" - - ## List of IP addresses at which the controller services are available - ## Ref: https://kubernetes.io/docs/user-guide/services/#external-ips - ## - externalIPs: [] - - loadBalancerIP: "" - loadBalancerSourceRanges: [] - - enableHttp: true - enableHttps: true - - ## Set external traffic policy to: "Local" to preserve source IP on - ## providers supporting it - ## Ref: https://kubernetes.io/docs/tutorials/services/source-ip/#source-ip-for-services-with-typeloadbalancer - externalTrafficPolicy: "" - - healthCheckNodePort: 0 - - targetPorts: - http: http - https: https - - type: LoadBalancer - - # type: NodePort - # nodePorts: - # http: 32080 - # https: 32443 - nodePorts: - http: "" - https: "" - gitlab-shell: "" - - extraContainers: [] - ## Additional containers to be added to the controller pod. - ## See https://github.com/lemonldap-ng-controller/lemonldap-ng-controller as example. 
- # - name: my-sidecar - # image: nginx:latest - # - name: lemonldap-ng-controller - # image: lemonldapng/lemonldap-ng-controller:0.2.0 - # args: - # - /lemonldap-ng-controller - # - --alsologtostderr - # - --configmap=$(POD_NAMESPACE)/lemonldap-ng-configuration - # env: - # - name: POD_NAME - # valueFrom: - # fieldRef: - # fieldPath: metadata.name - # - name: POD_NAMESPACE - # valueFrom: - # fieldRef: - # fieldPath: metadata.namespace - # volumeMounts: - # - name: copy-portal-skins - # mountPath: /srv/var/lib/lemonldap-ng/portal/skins - - extraVolumeMounts: [] - ## Additional volumeMounts to the controller main container. - # - name: copy-portal-skins - # mountPath: /var/lib/lemonldap-ng/portal/skins - - extraVolumes: [] - ## Additional volumes to the controller pod. - # - name: copy-portal-skins - # emptyDir: {} - - extraInitContainers: [] - ## Containers, which are run before the app containers are started. - # - name: init-myservice - # image: busybox - # command: ['sh', '-c', 'until nslookup myservice; do echo waiting for myservice; sleep 2; done;'] - - stats: - enabled: false - - service: - annotations: {} - omitClusterIP: false - # clusterIP: "" - - ## List of IP addresses at which the stats service is available - ## Ref: https://kubernetes.io/docs/user-guide/services/#external-ips - ## - externalIPs: [] - - loadBalancerIP: "" - loadBalancerSourceRanges: [] - servicePort: 18080 - type: ClusterIP - - ## If controller.stats.enabled = true and controller.metrics.enabled = true, Prometheus metrics will be exported - ## - metrics: - enabled: false - - service: - annotations: {} - # gitlab.com/prometheus_scrape: "true" - # gitlab.com/prometheus_port: "10254" - # prometheus.io/scrape: "true" - # prometheus.io/port: "10254" - omitClusterIP: false - # clusterIP: "" - - ## List of IP addresses at which the stats-exporter service is available - ## Ref: https://kubernetes.io/docs/user-guide/services/#external-ips - ## - externalIPs: [] - - loadBalancerIP: "" - 
loadBalancerSourceRanges: [] - servicePort: 9913 - type: ClusterIP - - lifecycle: {} - - priorityClassName: "" - -## Rollback limit -## -revisionHistoryLimit: 10 - -## Default 404 backend -## -defaultBackend: - - ## If false, controller.defaultBackendService must be provided - ## - enabled: true - - name: default-backend - image: - repository: k8s.gcr.io/defaultbackend - tag: "1.4" - pullPolicy: IfNotPresent - - extraArgs: {} - - port: 8080 - - ## Node tolerations for server scheduling to nodes with taints - ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ - ## - tolerations: [] - # - key: "key" - # operator: "Equal|Exists" - # value: "value" - # effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)" - - affinity: {} - - # labels to add to the pod container metadata - podLabels: {} - # key: value - - ## Node labels for default backend pod assignment - ## Ref: https://kubernetes.io/docs/user-guide/node-selection/ - ## - nodeSelector: {} - - ## Annotations to be added to default backend pods - ## - podAnnotations: {} - - replicaCount: 1 - - minAvailable: 1 - - resources: {} - # limits: - # cpu: 10m - # memory: 20Mi - # requests: - # cpu: 10m - # memory: 20Mi - - service: - annotations: {} - omitClusterIP: false - # clusterIP: "" - - ## List of IP addresses at which the default backend service is available - ## Ref: https://kubernetes.io/docs/user-guide/services/#external-ips - ## - externalIPs: [] - - loadBalancerIP: "" - loadBalancerSourceRanges: [] - servicePort: 80 - type: ClusterIP - - priorityClassName: "" - -## Enable RBAC as per https://github.com/kubernetes/ingress/tree/master/examples/rbac/nginx and https://github.com/kubernetes/ingress/issues/266 -rbac: - create: true - -# If true, create & use Pod Security Policy resources -# https://kubernetes.io/docs/concepts/policy/pod-security-policy/ -podSecurityPolicy: - enabled: false - -serviceAccount: - create: true - name: - -## Optional array of imagePullSecrets containing private 
registry credentials -## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ -imagePullSecrets: [] -# - name: secretName - -# TCP service key:value pairs -# Ref: https://github.com/kubernetes/contrib/tree/master/ingress/controllers/nginx/examples/tcp -## -tcp: {} -# 8080: "default/example-tcp-svc:9000" - -# Use an external configmap instead of generating the configmap from this chart. -# Contents must match spec format for nginx-ingress and tcp ports must still be specified -# using `tcp` setting above (although service name is meaningless with an external config) -# e.g -# --set tcp.22=ssh --set tcpExternalConfig=mynamespace/customconfigmap -# Ref: https://github.com/kubernetes/contrib/tree/master/ingress/controllers/nginx/examples/tcp -## -tcpExternalConfig: "" - -# UDP service key:value pairs -# Ref: https://github.com/kubernetes/contrib/tree/master/ingress/controllers/nginx/examples/udp -## -udp: {} -# 53: "kube-system/kube-dns:53" -- GitLab From aa7e4ed58673794a14f22eb6e2aa235f941a400c Mon Sep 17 00:00:00 2001 
From: Mitchell Nielsen Date: Thu, 3 Dec 2020 13:28:50 -0500 Subject: [PATCH 11/16] Rename instances of nginx-ingress to ingress-nginx Replaces any relevant instances of nginx-ingress to ingress-nginx to match the name change. --- .../gitlab-shell/templates/nginx-tcp-configmap.yml | 2 +- charts/ingress-nginx/README.md | 10 +++++----- charts/ingress-nginx/templates/_helpers.tpl | 6 +++--- .../templates/controller-configmap-tcp.yaml | 2 +- .../ingress-nginx/templates/controller-daemonset.yaml | 4 ++-- .../ingress-nginx/templates/controller-deployment.yaml | 4 ++-- charts/ingress-nginx/templates/controller-role.yaml | 2 +- .../ingress-nginx/templates/default-backend-hpa.yaml | 4 ++-- charts/ingress-nginx/values.yaml | 4 ++-- doc/advanced/external-mattermost/index.md | 2 +- doc/advanced/external-nginx/index.md | 6 +++--- doc/architecture/decisions.md | 2 +- doc/charts/globals.md | 6 +++--- doc/development/minikube/index.md | 4 ++-- doc/installation/command-line-options.md | 10 +++++----- doc/installation/deployment.md | 2 +- doc/installation/rbac.md | 2 +- examples/custom-images/values.yaml | 2 +- examples/eks_loadbalancer_annotations.yml | 2 +- examples/i2p-values-minimal.yaml | 2 +- examples/kind/kind-no-ssl.yaml | 4 ++-- examples/kind/kind-ssl.yaml | 4 ++-- examples/kind/values-base.yaml | 2 +- examples/kind/values-no-ssl.yaml | 2 +- examples/kind/values-ssl.yaml | 2 +- examples/ref/10k.yaml | 2 +- examples/ubi/values.yaml | 6 +++--- examples/values-gke-minimum.yaml | 2 +- examples/values-minikube-minimum.yaml | 2 +- examples/values-minikube.yaml | 2 +- examples/values-traefik-ingress.yaml | 2 +- spec/configuration/labels_spec.rb | 4 ++-- templates/_helpers.tpl | 10 +++++----- templates/application.yaml | 2 +- values.yaml | 4 ++-- 35 files changed, 64 insertions(+), 64 deletions(-) diff --git a/charts/gitlab/charts/gitlab-shell/templates/nginx-tcp-configmap.yml b/charts/gitlab/charts/gitlab-shell/templates/nginx-tcp-configmap.yml index 3763e4f8f2..18581077be 100644 
--- a/charts/gitlab/charts/gitlab-shell/templates/nginx-tcp-configmap.yml +++ b/charts/gitlab/charts/gitlab-shell/templates/nginx-tcp-configmap.yml @@ -4,7 +4,7 @@ apiVersion: v1 kind: ConfigMap metadata: - name: {{ template "nginx-ingress.tcp-configmap" . }} + name: {{ template "ingress-nginx.tcp-configmap" . }} namespace: {{ $.Release.Namespace }} labels: {{- include "gitlab.standardLabels" . | nindent 4 }} diff --git a/charts/ingress-nginx/README.md b/charts/ingress-nginx/README.md index c09522303f..fc7fafe5cf 100644 --- a/charts/ingress-nginx/README.md +++ b/charts/ingress-nginx/README.md 
@@ -1,12 +1,12 @@ Forked from https://github.com/kubernetes/ingress-nginx * tcp-configmap.yaml: is optional depending on new `tcpExternalConfig` setting * Ability to use a templated tcp configmap name from another chart - * controller-configmap-tcp.yaml: `.metadata.name` is a template `nginx-ingress.tcp-configmap` - * controller-deployment.yaml: `.spec.template.spec.containers[0].args` uses `nginx-ingress.tcp-configmap` template for configmap name - * gitlab chart overrides `nginx-ingress.tcp-configmap` so that gitlab/gitlab-org/charts/gitlab-shell can configure its tcp service + * controller-configmap-tcp.yaml: `.metadata.name` is a template `ingress-nginx.tcp-configmap` + * controller-deployment.yaml: `.spec.template.spec.containers[0].args` uses `ingress-nginx.tcp-configmap` template for configmap name + * gitlab chart overrides `ingress-nginx.tcp-configmap` so that gitlab/gitlab-org/charts/gitlab-shell can configure its tcp service * Ability to use a templated ingress name based on the release name - * controller-deployment.yaml: `.spec.template.spec.containers[0].args` uses `nginx-ingress.controller.ingress-class` - * role.yaml: rule for editing leader configmap uses `nginx-ingress.controller.ingress-class` + * controller-deployment.yaml: `.spec.template.spec.containers[0].args` uses `ingress-nginx.controller.ingress-class` + * role.yaml: rule for editing leader configmap uses `ingress-nginx.controller.ingress-class` * Replace `controller.service.loadBalancerIP` with `global.hosts.externalIP` # ingress-nginx diff --git a/charts/ingress-nginx/templates/_helpers.tpl b/charts/ingress-nginx/templates/_helpers.tpl index 1606cf3a02..668a513a34 100644 --- a/charts/ingress-nginx/templates/_helpers.tpl +++ b/charts/ingress-nginx/templates/_helpers.tpl 
@@ -125,11 +125,11 @@ Check the ingress controller version tag is at most three versions behind the la {{/* GitLab-provided partials starting below */}} -{{- define "nginx-ingress.tcp-configmap" -}} -{{ default (printf "%s-%s" (include "nginx-ingress.fullname" .) "tcp") .Values.tcpExternalConfig }} +{{- define "ingress-nginx.tcp-configmap" -}} +{{ default (printf "%s-%s" (include "ingress-nginx.fullname" .) "tcp") .Values.tcpExternalConfig }} {{- end -}} -{{- define "nginx-ingress.controller.ingress-class" -}} +{{- define "ingress-nginx.controller.ingress-class" -}} {{- if not .Values.controller.ingressClass -}} {{ .Release.Name }}-nginx {{- else -}} diff --git a/charts/ingress-nginx/templates/controller-configmap-tcp.yaml b/charts/ingress-nginx/templates/controller-configmap-tcp.yaml index f019430c27..918bf9be20 100644 --- a/charts/ingress-nginx/templates/controller-configmap-tcp.yaml +++ b/charts/ingress-nginx/templates/controller-configmap-tcp.yaml @@ -9,7 +9,7 @@ metadata: {{- if .Values.controller.tcp.annotations }} annotations: {{ toYaml .Values.controller.tcp.annotations | nindent 4 }} {{- end }} - name: {{ template "nginx-ingress.tcp-configmap" . }} + name: {{ template "ingress-nginx.tcp-configmap" . }} namespace: {{ $.Release.Namespace }} data: {{ tpl (toYaml .Values.tcp) . | nindent 2 }} {{- end }} diff --git a/charts/ingress-nginx/templates/controller-daemonset.yaml b/charts/ingress-nginx/templates/controller-daemonset.yaml index f6b3d81b67..77819261b6 100644 --- a/charts/ingress-nginx/templates/controller-daemonset.yaml +++ b/charts/ingress-nginx/templates/controller-daemonset.yaml 
@@ -80,10 +80,10 @@ spec: - --publish-service={{ template "ingress-nginx.controller.publishServicePath" . }} {{- end }} - --election-id={{ .Values.controller.electionID }} - - --ingress-class={{ template "nginx-ingress.controller.ingress-class" . }} + - --ingress-class={{ template "ingress-nginx.controller.ingress-class" . }} - --configmap={{ .Release.Namespace }}/{{ include "ingress-nginx.controller.fullname" . }} {{- if or .Values.tcp (include "gitlab.shell.port" $ ) }} - - --tcp-services-configmap={{ .Release.Namespace }}/{{ template "nginx-ingress.fullname" . }}-tcp + - --tcp-services-configmap={{ .Release.Namespace }}/{{ template "ingress-nginx.fullname" . }}-tcp {{- end }} {{- if .Values.udp }} - --udp-services-configmap={{ .Release.Namespace }}/{{ include "ingress-nginx.fullname" . }}-udp diff --git a/charts/ingress-nginx/templates/controller-deployment.yaml b/charts/ingress-nginx/templates/controller-deployment.yaml index 67503425c8..6b371464a5 100644 --- a/charts/ingress-nginx/templates/controller-deployment.yaml +++ b/charts/ingress-nginx/templates/controller-deployment.yaml @@ -84,10 +84,10 @@ spec: - --publish-service={{ template "ingress-nginx.controller.publishServicePath" . }} {{- end }} - --election-id={{ .Values.controller.electionID }} - - --ingress-class={{ template "nginx-ingress.controller.ingress-class" . }} + - --ingress-class={{ template "ingress-nginx.controller.ingress-class" . }} - --configmap=$(POD_NAMESPACE)/{{ include "ingress-nginx.controller.fullname" . }} {{- if or .Values.tcp ( include "gitlab.shell.port" $ ) }} - - --tcp-services-configmap={{ .Release.Namespace }}/{{ template "nginx-ingress.tcp-configmap" . }} + - --tcp-services-configmap={{ .Release.Namespace }}/{{ template "ingress-nginx.tcp-configmap" . }} {{- end }} {{- if .Values.udp }} - --udp-services-configmap=$(POD_NAMESPACE)/{{ include "ingress-nginx.fullname" . }}-udp 
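Review bot: The `--tcp-services-configmap` argument in this DaemonSet hunk is still built as `{{ template "ingress-nginx.fullname" . }}-tcp`, whereas controller-deployment.yaml and the ConfigMap's own `metadata.name` in controller-configmap-tcp.yaml both go through the `ingress-nginx.tcp-configmap` helper. If `tcpExternalConfig` is set, or the parent chart overrides the helper as the README describes, a DaemonSet install would point the controller at a ConfigMap name that may not exist, so the gitlab-shell TCP passthrough would presumably not be configured. I would render it as `- --tcp-services-configmap={{ .Release.Namespace }}/{{ template "ingress-nginx.tcp-configmap" . }}` to match the Deployment. The container `args` list starts and ends outside the hunk.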
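Review bot: The `--tcp-services-configmap` line in the controller-deployment.yaml hunk prefixes `{{ .Release.Namespace }}/` to the `ingress-nginx.tcp-configmap` helper, but that helper returns `.Values.tcpExternalConfig` verbatim and values.yaml documents the value as `mynamespace/customconfigmap`. The rendered flag would then be `<release-namespace>/mynamespace/customconfigmap`. Either the values.yaml comment should say the setting takes a bare ConfigMap name in the release namespace, or the prefix should be applied only when the helper falls back to its default; a comment above the line such as `# tcpExternalConfig must be a bare ConfigMap name; the release namespace is prepended here` would record the expected form. The neighbouring `--configmap` and `--udp-services-configmap` arguments use `$(POD_NAMESPACE)` while this one uses `.Release.Namespace`, which is worth making uniform. The `args` list continues outside the hunk.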
diff --git a/charts/ingress-nginx/templates/controller-role.yaml b/charts/ingress-nginx/templates/controller-role.yaml index 69467c8d9c..d7795398c7 100644 --- a/charts/ingress-nginx/templates/controller-role.yaml +++ b/charts/ingress-nginx/templates/controller-role.yaml @@ -63,7 +63,7 @@ rules: resources: - configmaps resourceNames: - - {{ .Values.controller.electionID }}-{{ template "nginx-ingress.controller.ingress-class" . }} + - {{ .Values.controller.electionID }}-{{ template "ingress-nginx.controller.ingress-class" . }} verbs: - get - update diff --git a/charts/ingress-nginx/templates/default-backend-hpa.yaml b/charts/ingress-nginx/templates/default-backend-hpa.yaml index e19e32773a..5814a16169 100644 --- a/charts/ingress-nginx/templates/default-backend-hpa.yaml +++ b/charts/ingress-nginx/templates/default-backend-hpa.yaml @@ -6,12 +6,12 @@ metadata: labels: {{- include "ingress-nginx.labels" . | nindent 4 }} app.kubernetes.io/component: default-backend - name: {{ template "nginx-ingress.defaultBackend.fullname" . }} + name: {{ template "ingress-nginx.defaultBackend.fullname" . }} spec: scaleTargetRef: apiVersion: {{ template "deployment.apiVersion" . }} kind: Deployment - name: {{ template "nginx-ingress.defaultBackend.fullname" . }} + name: {{ template "ingress-nginx.defaultBackend.fullname" . }} minReplicas: {{ .Values.defaultBackend.autoscaling.minReplicas }} maxReplicas: {{ .Values.defaultBackend.autoscaling.maxReplicas }} metrics: diff --git a/charts/ingress-nginx/values.yaml b/charts/ingress-nginx/values.yaml index d975b59194..8eafde4b1a 100644 --- a/charts/ingress-nginx/values.yaml +++ b/charts/ingress-nginx/values.yaml 
@@ -113,7 +113,7 @@ controller: ## Annotations to be added to the udp config configmap annotations: {} - ## Additional command line arguments to pass to nginx-ingress-controller + ## Additional command line arguments to pass to ingress-nginx-controller ## E.g. to specify the default SSL certificate you can use ## extraArgs: ## default-ssl-certificate: "/" @@ -721,7 +721,7 @@ udp: {} ## GitLab-provided values starting below # Use an external configmap instead of generating the configmap from this chart. -# Contents must match spec format for nginx-ingress and tcp ports must still be specified +# Contents must match spec format for ingress-nginx and tcp ports must still be specified # using `tcp` setting above (although service name is meaningless with an external config) # e.g # --set tcp.22=ssh --set tcpExternalConfig=mynamespace/customconfigmap diff --git a/doc/advanced/external-mattermost/index.md b/doc/advanced/external-mattermost/index.md index 84d284d6dd..82c3cf206f 100644 --- a/doc/advanced/external-mattermost/index.md +++ b/doc/advanced/external-mattermost/index.md @@ -9,7 +9,7 @@ info: To determine the technical writer assigned to the Stage/Group associated w This document describes how to install Mattermost Team Edition Helm Chart in proximity with an existing GitLab Helm Chart deployment. As the Mattermost Helm Chart is installed in a separate namespace, it is recommended that -`cert-manager` and `nginx-ingress` be configured to manage cluster-wide Ingress and certificate resources. For additional configuration information, +`cert-manager` and `ingress-nginx` be configured to manage cluster-wide Ingress and certificate resources. For additional configuration information, refer to the [Mattermost Helm configuration guide](https://github.com/mattermost/mattermost-helm/tree/master/charts/mattermost-team-edition#configuration). ## Prerequisites 
diff --git a/doc/advanced/external-nginx/index.md b/doc/advanced/external-nginx/index.md index 24892e63e7..8bcb75251f 100644 --- a/doc/advanced/external-nginx/index.md +++ b/doc/advanced/external-nginx/index.md @@ -15,7 +15,7 @@ this guide will help. ## TCP services in the external Ingress Controller The GitLab Shell component requires TCP traffic to pass through on -port 22 (by default; this can be changed). Ingress does not directly support TCP services, so some additional configuration is necessary. Your NGINX Ingress Controller may have been [deployed directly](https://github.com/kubernetes/ingress-nginx/blob/master/docs/deploy/index.md) (i.e. with a Kubernetes spec file) or through the [official Helm chart](https://github.com/helm/charts/tree/master/stable/nginx-ingress). The configuration of the TCP pass through will differ depending on the deployment approach. +port 22 (by default; this can be changed). Ingress does not directly support TCP services, so some additional configuration is necessary. Your NGINX Ingress Controller may have been [deployed directly](https://github.com/kubernetes/ingress-nginx/blob/master/docs/deploy/index.md) (i.e. with a Kubernetes spec file) or through the [official Helm chart](https://github.com/kubernetes/ingress-nginx). The configuration of the TCP pass through will differ depending on the deployment approach. ### Direct deployment @@ -48,7 +48,7 @@ port 22 in addition to 80 and 443. ### Helm deployment -If you have installed or will install the NGINX Ingress Controller via it's [Helm chart](https://github.com/helm/charts/tree/master/stable/nginx-ingress), then you will need to add a value to the chart via the command line: +If you have installed or will install the NGINX Ingress Controller via it's [Helm chart](https://github.com/kubernetes/ingress-nginx), then you will need to add a value to the chart via the command line: ```shell --set tcp.22="gitlab/mygitlab-gitlab-shell:22" 
@@ -78,7 +78,7 @@ While not necessarily required, if you're using an external Ingress Controller, disable the Ingress Controller that is deployed by default with this chart: ```shell ---set nginx-ingress.enabled=false +--set ingress-nginx.enabled=false ``` ## Custom certificate management diff --git a/doc/architecture/decisions.md b/doc/architecture/decisions.md index e163464cf0..53725cd5b7 100644 --- a/doc/architecture/decisions.md +++ b/doc/architecture/decisions.md @@ -134,7 +134,7 @@ Our [registry chart](../charts/registry/index.md) was altered from the upstream ### NGINX Ingress -Our [NGINX Ingress chart](../charts/nginx/index.md) was altered from the upstream [NGINX Ingress](https://github.com/helm/charts/tree/master/stable/nginx-ingress). +Our [NGINX Ingress chart](../charts/nginx/index.md) was altered from the upstream [NGINX Ingress](https://github.com/kubernetes/ingress-nginx). - Add feature to allow for the tcp configmap to be external to the chart - Add feature to allow Ingress class to be templated based on release name diff --git a/doc/charts/globals.md b/doc/charts/globals.md index 24a13efded..b60e74148d 100644 --- a/doc/charts/globals.md +++ b/doc/charts/globals.md @@ -1392,9 +1392,9 @@ global: port: 32022 ``` -You can combine `global.shell.port` and `nginx-ingress.controller.service.type=NodePort` +You can combine `global.shell.port` and `ingress-nginx.controller.service.type=NodePort` to set a NodePort for the NGINX controller Service object. Note that if -`nginx-ingress.controller.service.nodePorts.gitlab-shell` is set, it will +`ingress-nginx.controller.service.nodePorts.gitlab-shell` is set, it will override `global.shell.port` when setting the NodePort for NGINX. ```yaml @@ -1402,7 +1402,7 @@ global: shell: port: 32022 -nginx-ingress: +ingress-nginx: controller: service: type: NodePort diff --git a/doc/development/minikube/index.md b/doc/development/minikube/index.md index 091f6aec70..fd08e577a9 100644 --- a/doc/development/minikube/index.md 
+++ b/doc/development/minikube/index.md @@ -163,9 +163,9 @@ For further details on Helm, see [Developing for Helm](../../installation/tools. ## Deploying the chart When deploying this chart into Minikube, some chart resources need to be reduced or disabled. -It is not possible to use the `nginx-ingress` chart to provide ports `22`, `80`, +It is not possible to use the `ingress-nginx` chart to provide ports `22`, `80`, `443`. It's best to disable it and set the Ingress class by setting -`nginx-ingress.enabled=false,global.ingress.class="nginx"`. +`ingress-nginx.enabled=false,global.ingress.class="nginx"`. The `certmanager` chart can not be used with Minikube. You must disable this by setting `certmanager.install=false,global.ingress.configureCertmanager=false`. diff --git a/doc/installation/command-line-options.md b/doc/installation/command-line-options.md index e56abcd476..01573a3b5e 100644 --- a/doc/installation/command-line-options.md +++ b/doc/installation/command-line-options.md 
@@ -144,16 +144,16 @@ must be `+%{key}`. |----------------------------------------|---------------------------------------|---------| | `certmanager.rbac.create` | Create and use RBAC resources | true | | `gitlab-runner.rbac.create` | Create and use RBAC resources | true | -| `nginx-ingress.rbac.create` | Create and use default RBAC resources | false | -| `nginx-ingress.rbac.createClusterRole` | Create and use Cluster role | false | -| `nginx-ingress.rbac.createRole` | Create and use namespaced role | true | +| `ingress-nginx.rbac.create` | Create and use default RBAC resources | false | +| `ingress-nginx.rbac.createClusterRole` | Create and use Cluster role | false | +| `ingress-nginx.rbac.createRole` | Create and use namespaced role | true | | `prometheus.rbac.create` | Create and use RBAC resources | true | ## Advanced NGINX Ingress configuration -Prefix NGINX Ingress values with `nginx-ingress`. For example, set the controller image tag using `nginx-ingress.controller.image.tag`. +Prefix NGINX Ingress values with `ingress-nginx`. For example, set the controller image tag using `ingress-nginx.controller.image.tag`. -See [`nginx-ingress` chart](../charts/nginx/index.md). +See [`ingress-nginx` chart](../charts/ingress-nginx/index.md). ## Advanced in-cluster Redis configuration diff --git a/doc/installation/deployment.md b/doc/installation/deployment.md index eda671b4fc..70e99f7b9d 100644 --- a/doc/installation/deployment.md +++ b/doc/installation/deployment.md @@ -199,7 +199,7 @@ This chart defaults to creating and using RBAC. If your cluster does not have RB ```shell --set certmanager.rbac.create=false ---set nginx-ingress.rbac.createRole=false +--set ingress-nginx.rbac.createRole=false --set prometheus.rbac.create=false --set gitlab-runner.rbac.create=false ``` diff --git a/doc/installation/rbac.md b/doc/installation/rbac.md index 80233388c6..a6927b4162 100644 --- a/doc/installation/rbac.md +++ b/doc/installation/rbac.md 
@@ -41,7 +41,7 @@ The service accounts are described in the following table. For each service acco | Name suffix | Description | Roles | Scope | --- | --- | --- | --- | `gitlab-runner` | The GitLab Runner is executed with this account. | Any resource (RW) | NS/C -| `nginx-ingress` | Used by NGINX Ingress to control service access points. | Secret, Pod, Endpoint, Ingress (R); Event (W); ConfigMap, Service (RW) | NS/C +| `ingress-nginx` | Used by NGINX Ingress to control service access points. | Secret, Pod, Endpoint, Ingress (R); Event (W); ConfigMap, Service (RW) | NS/C | `shared-secrets` | The job that creates shared secrets runs with this account. (in pre-install/upgrade hook) | Secret (RW) | NS | `operator` | Used by GitLab Operator to monitor and control GitLab resources, run migrations and shared secret jobs. Only used when Operator is enabled. | ConfigMap, Secret, Pod, Deployment, StatefulSet, DaemonSet, Job, ServiceAccount, \[Cluster\]Role, \[Cluster\]RoleBinding, GitLabs (RW) | NS/C | `cert-manager` | The job that controls certificate manager runs with this account. | Issuer, Certificate, CertificateRequest, Order (RW) | NS/C diff --git a/examples/custom-images/values.yaml b/examples/custom-images/values.yaml index bb7a8ce386..efa58bd3d5 100644 --- a/examples/custom-images/values.yaml +++ b/examples/custom-images/values.yaml @@ -65,7 +65,7 @@ minio: image: custom-repository tag: custom-tag -nginx-ingress: +ingress-nginx: controller: *custom defaultBackend: *custom diff --git a/examples/eks_loadbalancer_annotations.yml b/examples/eks_loadbalancer_annotations.yml index 8069e95830..e2fd6b9f6c 100644 --- a/examples/eks_loadbalancer_annotations.yml +++ b/examples/eks_loadbalancer_annotations.yml @@ -1,4 +1,4 @@ -nginx-ingress: +ingress-nginx: controller: service: annotations: diff --git a/examples/i2p-values-minimal.yaml b/examples/i2p-values-minimal.yaml index f506598751..946941be72 100644 --- a/examples/i2p-values-minimal.yaml 
+++ b/examples/i2p-values-minimal.yaml @@ -24,7 +24,7 @@ gitlab-runner: requests: cpu: 10m # Reduce replica counts, resource requests reducing CPU & memory requirements -nginx-ingress: +ingress-nginx: controller: replicaCount: 1 minAvailable: 1 diff --git a/examples/kind/kind-no-ssl.yaml b/examples/kind/kind-no-ssl.yaml index dcc90670bc..f8b50e2d59 100644 --- a/examples/kind/kind-no-ssl.yaml +++ b/examples/kind/kind-no-ssl.yaml @@ -4,13 +4,13 @@ nodes: - role: control-plane extraPortMappings: # containerPort below must match the values file: - # nginx-ingress.controller.service.nodePorts.http + # ingress-nginx.controller.service.nodePorts.http # Change hostPort if port 80 is already in use. - containerPort: 32080 hostPort: 80 listenAddress: "0.0.0.0" # containerPort below must match the values file: - # nginx-ingress.controller.service.nodePorts.ssh + # ingress-nginx.controller.service.nodePorts.ssh # Using high-numbered hostPort assuming port 22 is # already in use. - containerPort: 32022 diff --git a/examples/kind/kind-ssl.yaml b/examples/kind/kind-ssl.yaml index ef2a4993fa..0bafc90be4 100644 --- a/examples/kind/kind-ssl.yaml +++ b/examples/kind/kind-ssl.yaml @@ -4,13 +4,13 @@ nodes: - role: control-plane extraPortMappings: # containerPort below must match the values file: - # nginx-ingress.controller.service.nodePorts.https + # ingress-nginx.controller.service.nodePorts.https # Change hostPort if port 443 is already in use. - containerPort: 32443 hostPort: 443 listenAddress: "0.0.0.0" # containerPort below must match the values file: - # nginx-ingress.controller.service.nodePorts.ssh + # ingress-nginx.controller.service.nodePorts.ssh # Using high-numbered hostPort assuming port 22 is # already in use. - containerPort: 32022 diff --git a/examples/kind/values-base.yaml b/examples/kind/values-base.yaml index bb4cd24f76..63ece50853 100644 --- a/examples/kind/values-base.yaml +++ b/examples/kind/values-base.yaml 
@@ -14,7 +14,7 @@ certmanager: install: false # Specify NodePorts for NGINX and reduce replicas to 1 -nginx-ingress: +ingress-nginx: defaultBackend: replicaCount: 1 controller: diff --git a/examples/kind/values-no-ssl.yaml b/examples/kind/values-no-ssl.yaml index bf8373aeff..2c00569970 100644 --- a/examples/kind/values-no-ssl.yaml +++ b/examples/kind/values-no-ssl.yaml @@ -7,7 +7,7 @@ global: enabled: false # Specify NodePort for HTTP on NGINX -nginx-ingress: +ingress-nginx: controller: service: nodePorts: diff --git a/examples/kind/values-ssl.yaml b/examples/kind/values-ssl.yaml index 70b5cf041b..3b962f4801 100644 --- a/examples/kind/values-ssl.yaml +++ b/examples/kind/values-ssl.yaml @@ -1,5 +1,5 @@ # Specify NodePort for HTTPS on NGINX -nginx-ingress: +ingress-nginx: controller: service: nodePorts: diff --git a/examples/ref/10k.yaml b/examples/ref/10k.yaml index 9e06e75990..131d058cd8 100644 --- a/examples/ref/10k.yaml +++ b/examples/ref/10k.yaml @@ -137,7 +137,7 @@ global: grafana: nodeSelector: workload: "" -nginx-ingress: +ingress-nginx: controller: nodeSelector: workload: "" diff --git a/examples/ubi/values.yaml b/examples/ubi/values.yaml index f98a4f1f54..6837f30b61 100644 --- a/examples/ubi/values.yaml +++ b/examples/ubi/values.yaml @@ -19,7 +19,7 @@ postgresql: redis: install: false -nginx-ingress: +ingress-nginx: enabled: false prometheus: @@ -51,7 +51,7 @@ global: tls: secretName: my-wildcard-cert-secret # Your wildcard certificate. - # `global.hosts.ssh` is needed for `gitlab-shell` because `nginx-ingress` is disabled, + # `global.hosts.ssh` is needed for `gitlab-shell` because `ingress-nginx` is disabled, # and it needs to be exposed separately. hosts: ssh: ssh.gitlab.example.com @@ -121,7 +121,7 @@ gitlab: image: tag: master-ubi8 - # This is needed for `gitlab-shell` because `nginx-ingress` is disabled. + # This is needed for `gitlab-shell` because `ingress-nginx` is disabled. service: externalIPs: - x.x.x.x # Your IP address for `gitlab-shell`. 
diff --git a/examples/values-gke-minimum.yaml b/examples/values-gke-minimum.yaml index 508c18d793..bfb873ea4a 100644 --- a/examples/values-gke-minimum.yaml +++ b/examples/values-gke-minimum.yaml @@ -9,7 +9,7 @@ prometheus: install: false gitlab-runner: install: false -nginx-ingress: +ingress-nginx: controller: replicaCount: 1 minAvailable: 0 diff --git a/examples/values-minikube-minimum.yaml b/examples/values-minikube-minimum.yaml index d7323f806f..648643fd9e 100644 --- a/examples/values-minikube-minimum.yaml +++ b/examples/values-minikube-minimum.yaml @@ -25,7 +25,7 @@ global: certmanager: install: false # Use the `ingress` addon, not our Ingress (can't map 22/80/443) -nginx-ingress: +ingress-nginx: enabled: false # Save resources, only 3 CPU prometheus: diff --git a/examples/values-minikube.yaml b/examples/values-minikube.yaml index 4e0d3c9c29..9f6574553d 100644 --- a/examples/values-minikube.yaml +++ b/examples/values-minikube.yaml @@ -19,7 +19,7 @@ global: certmanager: install: false # Use the `ingress` addon, not our Ingress (can't map 22/80/443) -nginx-ingress: +ingress-nginx: enabled: false # Map gitlab-shell to a high-numbered NodePort cloning over SSH since # Minikube takes port 22. diff --git a/examples/values-traefik-ingress.yaml b/examples/values-traefik-ingress.yaml index e03fa0bb03..ce0e98ba8f 100644 --- a/examples/values-traefik-ingress.yaml +++ b/examples/values-traefik-ingress.yaml @@ -3,5 +3,5 @@ global: ingress: enabled: true # Default, present here to be explicit. class: traefik # Alter the `kubernetes.io/ingress.class` annotation chart wide. -nginx-ingress: +ingress-nginx: enabled: false # Disable the deployment of the in-chart NGINX Ingress provider. diff --git a/spec/configuration/labels_spec.rb b/spec/configuration/labels_spec.rb index 8ac58b5204..5a25cd491f 100644 --- a/spec/configuration/labels_spec.rb +++ b/spec/configuration/labels_spec.rb 
@@ -18,8 +18,8 @@ describe 'Labels configuration' do 'Deployment/test-gitlab-runner', 'Deployment/test-prometheus-server', 'Deployment/test-minio', - 'Deployment/test-nginx-ingress-controller', - 'Deployment/test-nginx-ingress-default-backend', + 'Deployment/test-ingress-nginx-controller', + 'Deployment/test-ingress-nginx-default-backend', # not included, StatefulSet: postgresql, redis, gitlab/gitaly ] end diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl index 64f0ff7b05..c6564bd348 100644 --- a/templates/_helpers.tpl +++ b/templates/_helpers.tpl @@ -262,16 +262,16 @@ Returns the nginx ingress class {{- end -}} {{/* -Overrides the nginx-ingress template to make sure gitlab-shell name matches +Overrides the ingress-nginx template to make sure gitlab-shell name matches */}} -{{- define "nginx-ingress.tcp-configmap" -}} -{{ .Release.Name}}-nginx-ingress-tcp +{{- define "ingress-nginx.tcp-configmap" -}} +{{ .Release.Name}}-ingress-nginx-tcp {{- end -}} {{/* -Overrides the nginx-ingress template to make sure our ingresses match +Overrides the ingress-nginx template to make sure our ingresses match */}} -{{- define "nginx-ingress.controller.ingress-class" -}} +{{- define "ingress-nginx.controller.ingress-class" -}} {{ template "gitlab.ingressclass" . }} {{- end -}} diff --git a/templates/application.yaml b/templates/application.yaml index 0269c9f400..5fbcb1dd10 100644 --- a/templates/application.yaml +++ b/templates/application.yaml @@ -101,7 +101,7 @@ spec: kind: PersistentVolumeClaim - group: apps kind: Deployment -{{- if eq (index .Values "nginx-ingress" "controller" "kind") "DaemonSet" }} +{{- if eq (index .Values "ingress-nginx" "controller" "kind") "DaemonSet" }} - group: apps kind: DaemonSet {{- end }} diff --git a/values.yaml b/values.yaml index 4c39bedf2a..e60003f5dc 100644 --- a/values.yaml +++ b/values.yaml 
@@ -632,8 +632,8 @@ certmanager: ## doc/charts/nginx/index.md ## doc/architecture/decisions.md#nginx-ingress -## Installation & configuration of charts/nginx -nginx-ingress: +## Installation & configuration of charts/ingress-nginx: +ingress-nginx: enabled: true tcpExternalConfig: "true" controller: -- GitLab From 3af2c32b7a6125d377e018b36f072f3622e62f8b Mon Sep 17 00:00:00 2001 From: Mitchell Nielsen Date: Thu, 3 Dec 2020 13:29:36 -0500 Subject: [PATCH 12/16] Remove ingress-nginx.stats value Previous versions of the chart had a `stats` key, but it was removed: https://artifacthub.io/packages/helm/ingress-nginx/ingress-nginx#ingress-nginx-nginx --- values.yaml | 2 -- 1 file changed, 2 deletions(-) diff --git a/values.yaml b/values.yaml index e60003f5dc..76c133b877 100644 --- a/values.yaml +++ b/values.yaml @@ -659,8 +659,6 @@ ingress-nginx: minAvailable: 1 scope: enabled: true - stats: - enabled: true metrics: enabled: true service: -- GitLab From 7fad4dc13a5e1f57e4862102a958745fca5ec594 Mon Sep 17 00:00:00 2001 From: Mitchell Nielsen Date: Thu, 3 Dec 2020 13:57:54 -0500 Subject: [PATCH 13/16] Fix link to nginx docs --- doc/installation/command-line-options.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/installation/command-line-options.md b/doc/installation/command-line-options.md index 01573a3b5e..40e1559761 100644 --- a/doc/installation/command-line-options.md +++ b/doc/installation/command-line-options.md @@ -153,7 +153,7 @@ must be `+%{key}`. Prefix NGINX Ingress values with `ingress-nginx`. For example, set the controller image tag using `ingress-nginx.controller.image.tag`. -See [`ingress-nginx` chart](../charts/ingress-nginx/index.md). +See [`ingress-nginx` chart](../charts/nginx/index.md). ## Advanced in-cluster Redis configuration -- GitLab From f499342bc00ccb13b4ae5bc78600630184d9e342 Mon Sep 17 00:00:00 2001 
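Review bot: Renaming the top-level key from `nginx-ingress:` to `ingress-nginx:` in values.yaml means a values file that still uses the old key will presumably be accepted and its settings ignored, unless a values schema or deprecation check elsewhere rejects it. A deployment that had `nginx-ingress.enabled: false`, or controller service annotations keeping the load balancer internal, would then fall back to the defaults shown in this hunk (`enabled: true`) on upgrade and could expose a controller the operator meant to keep off or private. I would fail the render when the old key is present, for example `{{- if hasKey .Values "nginx-ingress" }}{{ fail "nginx-ingress was renamed to ingress-nginx; move these values" }}{{- end }}` in a parent-chart template, and call out the rename in the upgrade notes. No such guard is visible in this part of the series, so it may already exist elsewhere.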
From: Mitchell Nielsen Date: Thu, 3 Dec 2020 14:00:28 -0500 Subject: [PATCH 14/16] Add changelog entry --- changelogs/unreleased/2377-update-nginx.yml | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 changelogs/unreleased/2377-update-nginx.yml diff --git a/changelogs/unreleased/2377-update-nginx.yml b/changelogs/unreleased/2377-update-nginx.yml new file mode 100644 index 0000000000..83d1c27c00 --- /dev/null +++ b/changelogs/unreleased/2377-update-nginx.yml @@ -0,0 +1,5 @@ +--- +title: Update nginx-ingress to ingress-nginx +merge_request: 1689 +author: +type: other -- GitLab From 03f7960c175ffdf6073767237a7d06ae160c0e5a Mon Sep 17 00:00:00 2001 From: Mitchell Nielsen Date: Thu, 3 Dec 2020 14:27:03 -0500 Subject: [PATCH 15/16] Inject gitlab.deploymentAnnotations Injects gitlab.deploymentAnnotations for the nginx deployments. Fixes failing specs as well. --- .../ingress-nginx/templates/controller-deployment.yaml | 10 ++++++---- .../templates/default-backend-deployment.yaml | 4 +++- 2 files changed, 9 insertions(+), 5 deletions(-) diff --git a/charts/ingress-nginx/templates/controller-deployment.yaml b/charts/ingress-nginx/templates/controller-deployment.yaml index 6b371464a5..6919eb2b99 100644 --- a/charts/ingress-nginx/templates/controller-deployment.yaml +++ b/charts/ingress-nginx/templates/controller-deployment.yaml @@ -11,9 +11,11 @@ metadata: {{- toYaml . | nindent 4 }} {{- end }} name: {{ include "ingress-nginx.controller.fullname" . }} - {{- if .Values.controller.annotations }} - annotations: {{ toYaml .Values.controller.annotations | nindent 4 }} - {{- end }} + annotations: + {{- include "gitlab.deploymentAnnotations" . | nindent 4 }} + {{- if .Values.controller.annotations }} + {{ toYaml .Values.controller.annotations | nindent 4 }} + {{- end }} spec: selector: matchLabels: @@ -261,4 +263,4 @@ spec: {{- end }} {{- end }} {{- end }} -{{- end }} \ No newline at end of file +{{- end }} 
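Review bot: In controller-deployment.yaml the `annotations:` key is now emitted unconditionally, and the output of `gitlab.deploymentAnnotations` and `controller.annotations` is concatenated as text rather than merged. If both are empty the key renders as null, and if the same annotation name comes from both sources the manifest carries a duplicate mapping key whose resolution depends on the YAML parser. Indentation is not recoverable in this view, so the `{{ toYaml .Values.controller.annotations | nindent 4 }}` line, which lacks a leading `{{-`, is worth checking with `helm template` for both cases. The helper appears to be defined outside the imported chart, so this is a local change to vendored code that must be re-applied on every upstream re-import; a comment such as `{{/* GitLab-specific: not in upstream ingress-nginx, re-apply after chart updates */}}` above the block would record that. The same applies to the `annotations:` addition in default-backend-deployment.yaml, and both Deployment templates continue outside their hunks.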
diff --git a/charts/ingress-nginx/templates/default-backend-deployment.yaml b/charts/ingress-nginx/templates/default-backend-deployment.yaml index ae1c2f4ccd..986844e5b5 100644 --- a/charts/ingress-nginx/templates/default-backend-deployment.yaml +++ b/charts/ingress-nginx/templates/default-backend-deployment.yaml @@ -7,6 +7,8 @@ metadata: {{- include "ingress-nginx.labels" . | nindent 4 }} app.kubernetes.io/component: default-backend name: {{ include "ingress-nginx.defaultBackend.fullname" . }} + annotations: + {{- include "gitlab.deploymentAnnotations" . | nindent 4 }} spec: selector: matchLabels: @@ -104,4 +106,4 @@ spec: {{- end }} terminationGracePeriodSeconds: 60 {{- end }} -{{- end }} \ No newline at end of file +{{- end }} -- GitLab From bdc6ca910ee9b8c4456a207c23c0ced6bd37c4b7 Mon Sep 17 00:00:00 2001 From: Mitchell Nielsen Date: Thu, 3 Dec 2020 14:28:16 -0500 Subject: [PATCH 16/16] Fix specs failure for custom-images values Fixes specs failure for custom-images/values.yaml by only setting ingress-nginx.controller.image.repository, and not image.tag because there's logic that checks the value of the tag with SemVer. Left it as a comment though so others can see that it's toggleable. --- examples/custom-images/values.yaml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/examples/custom-images/values.yaml b/examples/custom-images/values.yaml index efa58bd3d5..bd9fc65b8d 100644 --- a/examples/custom-images/values.yaml +++ b/examples/custom-images/values.yaml @@ -66,7 +66,10 @@ minio: tag: custom-tag ingress-nginx: - controller: *custom + controller: + image: + repository: custom-image + # tag: custom-tag defaultBackend: *custom registry: -- GitLab
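Review bot: The custom-images example now overrides only `controller.image.repository` and leaves `# tag: custom-tag` commented out, so a custom registry is combined with whatever tag the imported chart defaults to, and nothing in the example says how to pin the image. If the imported chart's defaults also set `controller.image.digest`, as the upstream ingress-nginx chart does, that digest would still be appended to the custom repository reference and a rebuilt or re-tagged image would fail to pull. Those defaults are not visible here, so this needs confirming. I would extend the comment to carry the reason given in the commit message and the pinning hint, e.g. `# tag: custom-tag  # must parse as SemVer; override digest too when using a rebuilt image`.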