From a96411892221c4536abcf8955d9d6ff7c8e5bb85 Mon Sep 17 00:00:00 2001
From: Tanguy Herbron
Date: Sat, 21 Dec 2024 22:26:14 +0100
Subject: [PATCH] feat(nginx): Add nginx ingress controller
---
nginx/deployment.yaml | 20 -
nginx/external/deploy.yaml | 678 +++++++++++++++++++++++++++++
nginx/external/kustomization.yaml | 7 +
nginx/external/loadbalancer.yaml | 21 +
nginx/external/networkpolicy.yaml | 28 ++
nginx/external/servicemonitor.yaml | 14 +
nginx/ingress.yaml | 23 -
nginx/internal/deploy.yaml | 678 +++++++++++++++++++++++++++++
nginx/internal/kustomization.yaml | 6 +
nginx/internal/loadbalancer.yaml | 22 +
nginx/internal/servicemonitor.yaml | 14 +
nginx/kustomization.yaml | 7 +
nginx/namespace.yaml | 7 +
nginx/service.yaml | 14 -
14 files changed, 1482 insertions(+), 57 deletions(-)
delete mode 100644 nginx/deployment.yaml
create mode 100644 nginx/external/deploy.yaml
create mode 100644 nginx/external/kustomization.yaml
create mode 100644 nginx/external/loadbalancer.yaml
create mode 100644 nginx/external/networkpolicy.yaml
create mode 100644 nginx/external/servicemonitor.yaml
delete mode 100644 nginx/ingress.yaml
create mode 100644 nginx/internal/deploy.yaml
create mode 100644 nginx/internal/kustomization.yaml
create mode 100644 nginx/internal/loadbalancer.yaml
create mode 100644 nginx/internal/servicemonitor.yaml
create mode 100644 nginx/kustomization.yaml
create mode 100644 nginx/namespace.yaml
delete mode 100644 nginx/service.yaml
diff --git a/nginx/deployment.yaml b/nginx/deployment.yaml
deleted file mode 100644
index 8f4aac4..0000000
--- a/nginx/deployment.yaml
+++ /dev/null
@@ -1,20 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: nginx
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: nginx
- template:
- metadata:
- labels:
- app: nginx
- spec:
- containers:
- - name: nginx
- image: nginx
- ports:
- - containerPort: 80
-
diff --git a/nginx/external/deploy.yaml b/nginx/external/deploy.yaml
new file mode 100644
index 0000000..2252370
--- /dev/null
+++ b/nginx/external/deploy.yaml
@@ -0,0 +1,678 @@ +apiVersion: v1 +automountServiceAccountToken: true +kind: ServiceAccount +metadata: + labels: + app.kubernetes.io/component: controller-external + app.kubernetes.io/instance: nginx-external-ingress + app.kubernetes.io/name: nginx-external-ingress + app.kubernetes.io/part-of: nginx-external-ingress + app.kubernetes.io/version: 1.11.3 + name: nginx-external-ingress + namespace: nginx-ingress +--- +apiVersion: v1 +automountServiceAccountToken: true +kind: ServiceAccount +metadata: + labels: + app.kubernetes.io/component: admission-webhook + app.kubernetes.io/instance: nginx-external-ingress + app.kubernetes.io/name: nginx-external-ingress + app.kubernetes.io/part-of: nginx-external-ingress + app.kubernetes.io/version: 1.11.3 + name: nginx-external-ingress-admission + namespace: nginx-ingress +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + labels: + app.kubernetes.io/component: controller-external + app.kubernetes.io/instance: nginx-external-ingress + app.kubernetes.io/name: nginx-external-ingress + app.kubernetes.io/part-of: nginx-external-ingress + app.kubernetes.io/version: 1.11.3 + name: nginx-external-ingress + namespace: nginx-ingress +rules: +- apiGroups: + - "" + resources: + - namespaces + verbs: + - get +- apiGroups: + - "" + resources: + - configmaps + - pods + - secrets + - endpoints + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - services + verbs: + - get + - list + - watch +- apiGroups: + - networking.k8s.io + resources: + - ingresses + verbs: + - get + - list + - watch +- apiGroups: + - networking.k8s.io + resources: + - ingresses/status + verbs: + - update +- apiGroups: + - networking.k8s.io + resources: + - ingressclasses + verbs: + - get + - list + - watch +- apiGroups: + - coordination.k8s.io + resourceNames: + - nginx-external-ingress-leader + resources: + - leases + verbs: + - get + - update +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - create +- 
apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +- apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - list + - watch + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + labels: + app.kubernetes.io/component: admission-webhook + app.kubernetes.io/instance: nginx-external-ingress + app.kubernetes.io/name: nginx-external-ingress + app.kubernetes.io/part-of: nginx-external-ingress + app.kubernetes.io/version: 1.11.3 + name: nginx-external-ingress-admission + namespace: nginx-ingress +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - create +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/instance: nginx-external-ingress + app.kubernetes.io/name: nginx-external-ingress + app.kubernetes.io/part-of: nginx-external-ingress + app.kubernetes.io/version: 1.11.3 + name: nginx-external-ingress +rules: +- apiGroups: + - "" + resources: + - configmaps + - endpoints + - nodes + - pods + - secrets + - namespaces + verbs: + - list + - watch +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - list + - watch +- apiGroups: + - "" + resources: + - nodes + verbs: + - get +- apiGroups: + - "" + resources: + - services + verbs: + - get + - list + - watch +- apiGroups: + - networking.k8s.io + resources: + - ingresses + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +- apiGroups: + - networking.k8s.io + resources: + - ingresses/status + verbs: + - update +- apiGroups: + - networking.k8s.io + resources: + - ingressclasses + verbs: + - get + - list + - watch +- apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - list + - watch + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/component: admission-webhook + app.kubernetes.io/instance: nginx-external-ingress + 
app.kubernetes.io/name: nginx-external-ingress + app.kubernetes.io/part-of: nginx-external-ingress + app.kubernetes.io/version: 1.11.3 + name: nginx-external-ingress-admission +rules: +- apiGroups: + - admissionregistration.k8s.io + resources: + - validatingwebhookconfigurations + verbs: + - get + - update +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + app.kubernetes.io/component: controller-external + app.kubernetes.io/instance: nginx-external-ingress + app.kubernetes.io/name: nginx-external-ingress + app.kubernetes.io/part-of: nginx-external-ingress + app.kubernetes.io/version: 1.11.3 + name: nginx-external-ingress + namespace: nginx-ingress +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: nginx-external-ingress +subjects: +- kind: ServiceAccount + name: nginx-external-ingress + namespace: nginx-ingress +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + app.kubernetes.io/component: admission-webhook + app.kubernetes.io/instance: nginx-external-ingress + app.kubernetes.io/name: nginx-external-ingress + app.kubernetes.io/part-of: nginx-external-ingress + app.kubernetes.io/version: 1.11.3 + name: nginx-external-ingress-admission + namespace: nginx-ingress +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: nginx-external-ingress-admission +subjects: +- kind: ServiceAccount + name: nginx-external-ingress-admission + namespace: nginx-ingress +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app.kubernetes.io/instance: nginx-external-ingress + app.kubernetes.io/name: nginx-external-ingress + app.kubernetes.io/part-of: nginx-external-ingress + app.kubernetes.io/version: 1.11.3 + name: nginx-external-ingress +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: nginx-external-ingress +subjects: +- kind: ServiceAccount + name: nginx-external-ingress + namespace: nginx-ingress +--- 
+apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app.kubernetes.io/component: admission-webhook + app.kubernetes.io/instance: nginx-external-ingress + app.kubernetes.io/name: nginx-external-ingress + app.kubernetes.io/part-of: nginx-external-ingress + app.kubernetes.io/version: 1.11.3 + name: nginx-external-ingress-admission +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: nginx-external-ingress-admission +subjects: +- kind: ServiceAccount + name: nginx-external-ingress-admission + namespace: nginx-ingress +--- +apiVersion: v1 +data: + allow-snippet-annotations: "true" +kind: ConfigMap +metadata: + labels: + app.kubernetes.io/component: controller-external + app.kubernetes.io/instance: nginx-external-ingress + app.kubernetes.io/name: nginx-external-ingress + app.kubernetes.io/part-of: nginx-external-ingress + app.kubernetes.io/version: 1.11.3 + name: nginx-external-ingress-controller + namespace: nginx-ingress +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app.kubernetes.io/component: controller-external + app.kubernetes.io/instance: nginx-external-ingress + app.kubernetes.io/name: nginx-external-ingress + app.kubernetes.io/part-of: nginx-external-ingress + app.kubernetes.io/version: 1.11.3 + name: nginx-external-ingress-controller + namespace: nginx-ingress +spec: + ipFamilies: + - IPv4 + ipFamilyPolicy: SingleStack + ports: + - appProtocol: http + name: http + port: 80 + protocol: TCP + targetPort: http + - appProtocol: https + name: https + port: 443 + protocol: TCP + targetPort: https + - name: prometheus + port: 10254 + protocol: TCP + targetPort: prometheus + selector: + app.kubernetes.io/component: controller-external + app.kubernetes.io/instance: nginx-external-ingress + app.kubernetes.io/name: nginx-external-ingress + type: NodePort +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app.kubernetes.io/component: controller-external + app.kubernetes.io/instance: 
nginx-external-ingress + app.kubernetes.io/name: nginx-external-ingress + app.kubernetes.io/part-of: nginx-external-ingress + app.kubernetes.io/version: 1.11.3 + name: nginx-external-ingress-controller-admission + namespace: nginx-ingress +spec: + ports: + - appProtocol: https + name: https-webhook + port: 443 + targetPort: webhook + selector: + app.kubernetes.io/component: controller-external + app.kubernetes.io/instance: nginx-external-ingress + app.kubernetes.io/name: nginx-external-ingress + type: ClusterIP +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app.kubernetes.io/component: controller-external + app.kubernetes.io/instance: nginx-external-ingress + app.kubernetes.io/name: nginx-external-ingress + app.kubernetes.io/part-of: nginx-external-ingress + app.kubernetes.io/version: 1.11.3 + name: nginx-external-ingress-controller + namespace: nginx-ingress +spec: + minReadySeconds: 0 + revisionHistoryLimit: 10 + selector: + matchLabels: + app.kubernetes.io/component: controller-external + app.kubernetes.io/instance: nginx-external-ingress + app.kubernetes.io/name: nginx-external-ingress + strategy: + rollingUpdate: + maxUnavailable: 1 + type: RollingUpdate + template: + metadata: + annotations: + prometheus.io/port: "10254" + prometheus.io/scrape: "true" + labels: + app.kubernetes.io/component: controller-external + app.kubernetes.io/instance: nginx-external-ingress + app.kubernetes.io/name: nginx-external-ingress + app.kubernetes.io/part-of: nginx-external-ingress + app.kubernetes.io/version: 1.11.3 + spec: + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: ingress + operator: In + values: + - external + tolerations: + - key: "type" + operator: "Equal" + value: "services" + effect: "NoSchedule" + containers: + - args: + - /nginx-ingress-controller + - --election-id=nginx-external-ingress-leader + - --controller-class=k8s.io/nginx-external-ingress + - 
--ingress-class=nginx-external + - --configmap=$(POD_NAMESPACE)/nginx-external-ingress-controller + - --validating-webhook=:8443 + - --validating-webhook-certificate=/usr/local/certificates/cert + - --validating-webhook-key=/usr/local/certificates/key + - --enable-metrics=true + env: + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: LD_PRELOAD + value: /usr/local/lib/libmimalloc.so + image: registry.k8s.io/ingress-nginx/controller:v1.11.3@sha256:d56f135b6462cfc476447cfe564b83a45e8bb7da2774963b00d12161112270b7 + imagePullPolicy: IfNotPresent + lifecycle: + preStop: + exec: + command: + - /wait-shutdown + livenessProbe: + failureThreshold: 5 + httpGet: + path: /healthz + port: 10254 + scheme: HTTP + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + name: controller + ports: + - containerPort: 80 + name: http + protocol: TCP + - containerPort: 443 + name: https + protocol: TCP + - containerPort: 8443 + name: webhook + protocol: TCP + - containerPort: 10254 + name: prometheus + protocol: TCP + readinessProbe: + failureThreshold: 3 + httpGet: + path: /healthz + port: 10254 + scheme: HTTP + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + resources: + requests: + cpu: 100m + memory: 90Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - NET_BIND_SERVICE + drop: + - ALL + readOnlyRootFilesystem: false + runAsNonRoot: true + runAsUser: 101 + seccompProfile: + type: RuntimeDefault + volumeMounts: + - mountPath: /usr/local/certificates/ + name: webhook-cert + readOnly: true + dnsPolicy: ClusterFirst + nodeSelector: + kubernetes.io/os: linux + serviceAccountName: nginx-external-ingress + terminationGracePeriodSeconds: 300 + volumes: + - name: webhook-cert + secret: + secretName: nginx-external-ingress-admission +--- +apiVersion: batch/v1 +kind: Job +metadata: + 
labels: + app.kubernetes.io/component: admission-webhook + app.kubernetes.io/instance: nginx-external-ingress + app.kubernetes.io/name: nginx-external-ingress + app.kubernetes.io/part-of: nginx-external-ingress + app.kubernetes.io/version: 1.11.3 + name: nginx-external-ingress-admission-create + namespace: nginx-ingress +spec: + template: + metadata: + labels: + app.kubernetes.io/component: admission-webhook + app.kubernetes.io/instance: nginx-external-ingress + app.kubernetes.io/name: nginx-external-ingress + app.kubernetes.io/part-of: nginx-external-ingress + app.kubernetes.io/version: 1.11.3 + name: nginx-external-ingress-admission-create + spec: + containers: + - args: + - create + - --host=nginx-external-ingress-controller-admission,nginx-external-ingress-controller-admission.$(POD_NAMESPACE).svc + - --namespace=$(POD_NAMESPACE) + - --secret-name=nginx-external-ingress-admission + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.4.4@sha256:a9f03b34a3cbfbb26d103a14046ab2c5130a80c3d69d526ff8063d2b37b9fd3f + imagePullPolicy: IfNotPresent + name: create + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 65532 + seccompProfile: + type: RuntimeDefault + nodeSelector: + kubernetes.io/os: linux + restartPolicy: OnFailure + serviceAccountName: nginx-external-ingress-admission +--- +apiVersion: batch/v1 +kind: Job +metadata: + labels: + app.kubernetes.io/component: admission-webhook + app.kubernetes.io/instance: nginx-external-ingress + app.kubernetes.io/name: nginx-external-ingress + app.kubernetes.io/part-of: nginx-external-ingress + app.kubernetes.io/version: 1.11.3 + name: nginx-external-ingress-admission-patch + namespace: nginx-ingress +spec: + template: + metadata: + labels: + app.kubernetes.io/component: admission-webhook + app.kubernetes.io/instance: 
nginx-external-ingress + app.kubernetes.io/name: nginx-external-ingress + app.kubernetes.io/part-of: nginx-external-ingress + app.kubernetes.io/version: 1.11.3 + name: nginx-external-ingress-admission-patch + spec: + containers: + - args: + - patch + - --webhook-name=nginx-external-ingress-admission + - --namespace=$(POD_NAMESPACE) + - --patch-mutating=false + - --secret-name=nginx-external-ingress-admission + - --patch-failure-policy=Fail + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.4.4@sha256:a9f03b34a3cbfbb26d103a14046ab2c5130a80c3d69d526ff8063d2b37b9fd3f + imagePullPolicy: IfNotPresent + name: patch + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 65532 + seccompProfile: + type: RuntimeDefault + nodeSelector: + kubernetes.io/os: linux + restartPolicy: OnFailure + serviceAccountName: nginx-external-ingress-admission +--- +apiVersion: networking.k8s.io/v1 +kind: IngressClass +metadata: + labels: + app.kubernetes.io/component: controller-external + app.kubernetes.io/instance: nginx-external-ingress + app.kubernetes.io/name: nginx-external-ingress + app.kubernetes.io/part-of: nginx-external-ingress + app.kubernetes.io/version: 1.11.3 + name: nginx-external +spec: + controller: k8s.io/nginx-external-ingress +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + labels: + app.kubernetes.io/component: admission-webhook + app.kubernetes.io/instance: nginx-external-ingress + app.kubernetes.io/name: nginx-external-ingress + app.kubernetes.io/part-of: nginx-external-ingress + app.kubernetes.io/version: 1.11.3 + name: nginx-external-ingress-admission +webhooks: +- admissionReviewVersions: + - v1 + clientConfig: + service: + name: nginx-external-ingress-controller-admission + namespace: nginx-ingress + path: 
/networking/v1/ingresses
+ port: 443
+ failurePolicy: Fail
+ matchPolicy: Equivalent
+ name: validate.nginx.ingress.kubernetes.io
+ rules:
+ - apiGroups:
+ - networking.k8s.io
+ apiVersions:
+ - v1
+ operations:
+ - CREATE
+ - UPDATE
+ resources:
+ - ingresses
+ sideEffects: None
diff --git a/nginx/external/kustomization.yaml b/nginx/external/kustomization.yaml
new file mode 100644
index 0000000..0593a87
--- /dev/null
+++ b/nginx/external/kustomization.yaml
@@ -0,0 +1,7 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+ - deploy.yaml
+ - loadbalancer.yaml
+ - networkpolicy.yaml
diff --git a/nginx/external/loadbalancer.yaml b/nginx/external/loadbalancer.yaml
new file mode 100644
index 0000000..a3bf955
--- /dev/null
+++ b/nginx/external/loadbalancer.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: nginx-external-ingress-controller-loadbalancer
+ namespace: nginx-ingress
+spec:
+ selector:
+ app.kubernetes.io/component: controller-external
+ app.kubernetes.io/instance: nginx-external-ingress
+ app.kubernetes.io/name: nginx-external-ingress
+ ports:
+ - name: http
+ port: 80
+ protocol: TCP
+ targetPort: 80
+ - name: https
+ port: 443
+ protocol: TCP
+ targetPort: 443
+ type: LoadBalancer
+ externalTrafficPolicy: Local
diff --git a/nginx/external/networkpolicy.yaml b/nginx/external/networkpolicy.yaml
new file mode 100644
index 0000000..91bcce4
--- /dev/null
+++ b/nginx/external/networkpolicy.yaml
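Review bot: The external controller's ConfigMap in this hunk sets `allow-snippet-annotations: "true"` while the internal copy in nginx/internal/deploy.yaml sets `"false"`, and the internet-facing instance is the one where this matters most: snippet annotations let anyone who can create an Ingress object inject raw nginx directives that run inside the controller, whose ClusterRole in the same hunk can `list`/`watch` `secrets` cluster-wide. Unless a specific Ingress needs snippets, set `allow-snippet-annotations: "false"` here too, matching the internal controller and the upstream default for this release; if snippets are needed, a comment naming the consumer would justify the exception. Separately, the `nginx-external-ingress-controller` Service is `type: NodePort`, which publishes 80, 443 and the 10254 metrics port on every node even though nginx/external/loadbalancer.yaml already fronts the same pods with a LoadBalancer; `type: ClusterIP` keeps the metrics endpoint off the node network. The rest of the 678 lines look like the upstream generated manifest with renamed resources, node affinity and tolerations as the only local edits.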
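Review bot: `resources:` lists deploy.yaml, loadbalancer.yaml and networkpolicy.yaml but not servicemonitor.yaml, so the ServiceMonitor this commit creates in nginx/external/servicemonitor.yaml is never emitted by `kustomize build`; add `  - servicemonitor.yaml` to the list. The diffstat shows nginx/internal/kustomization.yaml at 6 lines, which suggests the same omission there, though that hunk is not visible here. If leaving it out is deliberate (for example the Prometheus operator CRD is not installed on every cluster), a one-line comment saying so would stop the next reader from re-adding it.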
@@ -0,0 +1,28 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: nginx-scrapper-blocker
+ namespace: nginx-ingress
+spec:
+ podSelector: {} # Applies to all pods in the namespace
+ ingress:
+ - from:
+ - ipBlock:
+ cidr: 0.0.0.0/0
+ except:
+ - 57.141.0.0/24 # Facebook crawler
+ - 85.208.96.0/24 # Semrush crawler
+ - 185.191.171.0/24 # Random crawler
+ - 44.192.0.0/10 # AWS crawler
+ - 3.0.0.0/9 # AWS crawler
+ - 34.192.0.0/10 # AWS crawler
+ - 100.24.0.0/13 # AWS crawler
+ - 216.244.64.0/19 # Random crawler
+ - 54.224.0.0/11 # Random crawler
+ ports:
+ - protocol: TCP
+ port: 80
+ - protocol: TCP
+ port: 443
+ - protocol: TCP
+ port: 8443
diff --git a/nginx/external/servicemonitor.yaml b/nginx/external/servicemonitor.yaml
new file mode 100644
index 0000000..8850ebd
--- /dev/null
+++ b/nginx/external/servicemonitor.yaml
@@ -0,0 +1,14 @@
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+ name: nginx-external
+ namespace: nginx-ingress
+ labels:
+ app.kubernetes.io/name: nginx-external-ingress
+spec:
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: nginx-external-ingress
+ endpoints:
+ - port: prometheus
+ path: /metrics
diff --git a/nginx/ingress.yaml b/nginx/ingress.yaml
deleted file mode 100644
index 89696e2..0000000
--- a/nginx/ingress.yaml
+++ /dev/null
@@ -1,23 +0,0 @@
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
- name: nginx-ingress
- annotations:
- kubernetes.io/ingress.class: "traefik"
-
-spec:
- tls:
- - secretName: nginx-beta-tls
- hosts:
- - nginx.beta.halia.dev
- rules:
- - host: nginx.beta.halia.dev
- http:
- paths:
- - path: /
- pathType: Prefix
- backend:
- service:
- name: nginx-svc
- port:
- number: 80
diff --git a/nginx/internal/deploy.yaml b/nginx/internal/deploy.yaml
new file mode 100644
index 0000000..85107e1
--- /dev/null
+++ b/nginx/internal/deploy.yaml
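Review bot: `podSelector: {}` with a single ingress rule makes every pod in nginx-ingress default-deny on all ports except TCP 80, 443 and 8443, so the `prometheus` port 10254 that nginx/external/servicemonitor.yaml scrapes becomes unreachable from the monitoring namespace (whether kubelet probes on 10254 are also affected depends on the CNI). The empty selector also places the internal controller pods under an allow-from-0.0.0.0/0 rule, which is presumably not what "internal" is meant to be, so scoping the selector to the external controller's labels and adding a metrics rule is the smaller fix. The ipBlock `except` list only sees real client addresses when source IP is preserved, which the LoadBalancer's `externalTrafficPolicy: Local` does but the NodePort controller Service in deploy.yaml does not, so traffic arriving via the NodePort bypasses the intent of the list. Note too that the webhook port 8443 is only ever called by the API server, so it does not need the same world-wide allow as 80/443.
```yaml
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/component: controller-external
      app.kubernetes.io/instance: nginx-external-ingress
  ingress:
  - from:
    # … unchanged: ipBlock 0.0.0.0/0 with the crawler except list …
    # … unchanged: ports 80, 443, 8443 …
  - from:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: <MONITORING-NAMESPACE>  # placeholder
    ports:
    - protocol: TCP
      port: 10254
```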
@@ -0,0 +1,678 @@ +apiVersion: v1 +automountServiceAccountToken: true +kind: ServiceAccount +metadata: + labels: + app.kubernetes.io/component: controller-internal + app.kubernetes.io/instance: nginx-internal-ingress + app.kubernetes.io/name: nginx-internal-ingress + app.kubernetes.io/part-of: nginx-internal-ingress + app.kubernetes.io/version: 1.11.3 + name: nginx-internal-ingress + namespace: nginx-ingress +--- +apiVersion: v1 +automountServiceAccountToken: true +kind: ServiceAccount +metadata: + labels: + app.kubernetes.io/component: admission-webhook + app.kubernetes.io/instance: nginx-internal-ingress + app.kubernetes.io/name: nginx-internal-ingress + app.kubernetes.io/part-of: nginx-internal-ingress + app.kubernetes.io/version: 1.11.3 + name: nginx-internal-ingress-admission + namespace: nginx-ingress +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + labels: + app.kubernetes.io/component: controller-internal + app.kubernetes.io/instance: nginx-internal-ingress + app.kubernetes.io/name: nginx-internal-ingress + app.kubernetes.io/part-of: nginx-internal-ingress + app.kubernetes.io/version: 1.11.3 + name: nginx-internal-ingress + namespace: nginx-ingress +rules: +- apiGroups: + - "" + resources: + - namespaces + verbs: + - get +- apiGroups: + - "" + resources: + - configmaps + - pods + - secrets + - endpoints + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - services + verbs: + - get + - list + - watch +- apiGroups: + - networking.k8s.io + resources: + - ingresses + verbs: + - get + - list + - watch +- apiGroups: + - networking.k8s.io + resources: + - ingresses/status + verbs: + - update +- apiGroups: + - networking.k8s.io + resources: + - ingressclasses + verbs: + - get + - list + - watch +- apiGroups: + - coordination.k8s.io + resourceNames: + - nginx-internal-ingress-leader + resources: + - leases + verbs: + - get + - update +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - create +- 
apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +- apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - list + - watch + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + labels: + app.kubernetes.io/component: admission-webhook + app.kubernetes.io/instance: nginx-internal-ingress + app.kubernetes.io/name: nginx-internal-ingress + app.kubernetes.io/part-of: nginx-internal-ingress + app.kubernetes.io/version: 1.11.3 + name: nginx-internal-ingress-admission + namespace: nginx-ingress +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - create +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/instance: nginx-internal-ingress + app.kubernetes.io/name: nginx-internal-ingress + app.kubernetes.io/part-of: nginx-internal-ingress + app.kubernetes.io/version: 1.11.3 + name: nginx-internal-ingress +rules: +- apiGroups: + - "" + resources: + - configmaps + - endpoints + - nodes + - pods + - secrets + - namespaces + verbs: + - list + - watch +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - list + - watch +- apiGroups: + - "" + resources: + - nodes + verbs: + - get +- apiGroups: + - "" + resources: + - services + verbs: + - get + - list + - watch +- apiGroups: + - networking.k8s.io + resources: + - ingresses + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +- apiGroups: + - networking.k8s.io + resources: + - ingresses/status + verbs: + - update +- apiGroups: + - networking.k8s.io + resources: + - ingressclasses + verbs: + - get + - list + - watch +- apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - list + - watch + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/component: admission-webhook + app.kubernetes.io/instance: nginx-internal-ingress + 
app.kubernetes.io/name: nginx-internal-ingress + app.kubernetes.io/part-of: nginx-internal-ingress + app.kubernetes.io/version: 1.11.3 + name: nginx-internal-ingress-admission +rules: +- apiGroups: + - admissionregistration.k8s.io + resources: + - validatingwebhookconfigurations + verbs: + - get + - update +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + app.kubernetes.io/component: controller-internal + app.kubernetes.io/instance: nginx-internal-ingress + app.kubernetes.io/name: nginx-internal-ingress + app.kubernetes.io/part-of: nginx-internal-ingress + app.kubernetes.io/version: 1.11.3 + name: nginx-internal-ingress + namespace: nginx-ingress +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: nginx-internal-ingress +subjects: +- kind: ServiceAccount + name: nginx-internal-ingress + namespace: nginx-ingress +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + app.kubernetes.io/component: admission-webhook + app.kubernetes.io/instance: nginx-internal-ingress + app.kubernetes.io/name: nginx-internal-ingress + app.kubernetes.io/part-of: nginx-internal-ingress + app.kubernetes.io/version: 1.11.3 + name: nginx-internal-ingress-admission + namespace: nginx-ingress +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: nginx-internal-ingress-admission +subjects: +- kind: ServiceAccount + name: nginx-internal-ingress-admission + namespace: nginx-ingress +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app.kubernetes.io/instance: nginx-internal-ingress + app.kubernetes.io/name: nginx-internal-ingress + app.kubernetes.io/part-of: nginx-internal-ingress + app.kubernetes.io/version: 1.11.3 + name: nginx-internal-ingress +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: nginx-internal-ingress +subjects: +- kind: ServiceAccount + name: nginx-internal-ingress + namespace: nginx-ingress +--- 
+apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app.kubernetes.io/component: admission-webhook + app.kubernetes.io/instance: nginx-internal-ingress + app.kubernetes.io/name: nginx-internal-ingress + app.kubernetes.io/part-of: nginx-internal-ingress + app.kubernetes.io/version: 1.11.3 + name: nginx-internal-ingress-admission +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: nginx-internal-ingress-admission +subjects: +- kind: ServiceAccount + name: nginx-internal-ingress-admission + namespace: nginx-ingress +--- +apiVersion: v1 +data: + allow-snippet-annotations: "false" +kind: ConfigMap +metadata: + labels: + app.kubernetes.io/component: controller-internal + app.kubernetes.io/instance: nginx-internal-ingress + app.kubernetes.io/name: nginx-internal-ingress + app.kubernetes.io/part-of: nginx-internal-ingress + app.kubernetes.io/version: 1.11.3 + name: nginx-internal-ingress-controller + namespace: nginx-ingress +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app.kubernetes.io/component: controller-internal + app.kubernetes.io/instance: nginx-internal-ingress + app.kubernetes.io/name: nginx-internal-ingress + app.kubernetes.io/part-of: nginx-internal-ingress + app.kubernetes.io/version: 1.11.3 + name: nginx-internal-ingress-controller + namespace: nginx-ingress +spec: + ipFamilies: + - IPv4 + ipFamilyPolicy: SingleStack + ports: + - appProtocol: http + name: http + port: 80 + protocol: TCP + targetPort: http + - appProtocol: https + name: https + port: 443 + protocol: TCP + targetPort: https + - name: prometheus + port: 10254 + protocol: TCP + targetPort: prometheus + selector: + app.kubernetes.io/component: controller-internal + app.kubernetes.io/instance: nginx-internal-ingress + app.kubernetes.io/name: nginx-internal-ingress + type: NodePort +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app.kubernetes.io/component: controller-internal + app.kubernetes.io/instance: 
nginx-internal-ingress + app.kubernetes.io/name: nginx-internal-ingress + app.kubernetes.io/part-of: nginx-internal-ingress + app.kubernetes.io/version: 1.11.3 + name: nginx-internal-ingress-controller-admission + namespace: nginx-ingress +spec: + ports: + - appProtocol: https + name: https-webhook + port: 443 + targetPort: webhook + selector: + app.kubernetes.io/component: controller-internal + app.kubernetes.io/instance: nginx-internal-ingress + app.kubernetes.io/name: nginx-internal-ingress + type: ClusterIP +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app.kubernetes.io/component: controller-internal + app.kubernetes.io/instance: nginx-internal-ingress + app.kubernetes.io/name: nginx-internal-ingress + app.kubernetes.io/part-of: nginx-internal-ingress + app.kubernetes.io/version: 1.11.3 + name: nginx-internal-ingress-controller + namespace: nginx-ingress +spec: + minReadySeconds: 0 + revisionHistoryLimit: 10 + selector: + matchLabels: + app.kubernetes.io/component: controller-internal + app.kubernetes.io/instance: nginx-internal-ingress + app.kubernetes.io/name: nginx-internal-ingress + strategy: + rollingUpdate: + maxUnavailable: 1 + type: RollingUpdate + template: + metadata: + annotations: + prometheus.io/port: "10254" + prometheus.io/scrape: "true" + labels: + app.kubernetes.io/component: controller-internal + app.kubernetes.io/instance: nginx-internal-ingress + app.kubernetes.io/name: nginx-internal-ingress + app.kubernetes.io/part-of: nginx-internal-ingress + app.kubernetes.io/version: 1.11.3 + spec: + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: ingress + operator: In + values: + - internal + tolerations: + - key: "type" + operator: "Equal" + value: "services" + effect: "NoSchedule" + containers: + - args: + - /nginx-ingress-controller + - --election-id=nginx-internal-ingress-leader + - --controller-class=k8s.io/nginx-internal-ingress + - 
--ingress-class=nginx-internal
+ - --configmap=$(POD_NAMESPACE)/nginx-internal-ingress-controller
+ - --validating-webhook=:8443
+ - --validating-webhook-certificate=/usr/local/certificates/cert
+ - --validating-webhook-key=/usr/local/certificates/key
+ - --enable-metrics=true
+ env:
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.name
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ - name: LD_PRELOAD
+ value: /usr/local/lib/libmimalloc.so
+ image: registry.k8s.io/ingress-nginx/controller:v1.11.3@sha256:d56f135b6462cfc476447cfe564b83a45e8bb7da2774963b00d12161112270b7
+ imagePullPolicy: IfNotPresent
+ lifecycle:
+ preStop:
+ exec:
+ command:
+ - /wait-shutdown
+ livenessProbe:
+ failureThreshold: 5
+ httpGet:
+ path: /healthz
+ port: 10254
+ scheme: HTTP
+ initialDelaySeconds: 10
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 1
+ name: controller
+ ports:
+ - containerPort: 80
+ name: http
+ protocol: TCP
+ - containerPort: 443
+ name: https
+ protocol: TCP
+ - containerPort: 8443
+ name: webhook
+ protocol: TCP
+ - containerPort: 10254
+ name: prometheus
+ protocol: TCP
+ readinessProbe:
+ failureThreshold: 3
+ httpGet:
+ path: /healthz
+ port: 10254
+ scheme: HTTP
+ initialDelaySeconds: 10
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 1
+ resources:
+ requests:
+ cpu: 100m
+ memory: 90Mi
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ add:
+ - NET_BIND_SERVICE
+ drop:
+ - ALL
+ readOnlyRootFilesystem: false
+ runAsNonRoot: true
+ runAsUser: 101
+ seccompProfile:
+ type: RuntimeDefault
+ volumeMounts:
+ - mountPath: /usr/local/certificates/
+ name: webhook-cert
+ readOnly: true
+ dnsPolicy: ClusterFirst
+ nodeSelector:
+ kubernetes.io/os: linux
+ serviceAccountName: nginx-internal-ingress
+ terminationGracePeriodSeconds: 300
+ volumes:
+ - name: webhook-cert
+ secret:
+ secretName: nginx-internal-ingress-admission
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ labels:
+ app.kubernetes.io/component: admission-webhook
+ app.kubernetes.io/instance: nginx-internal-ingress
+ app.kubernetes.io/name: nginx-internal-ingress
+ app.kubernetes.io/part-of: nginx-internal-ingress
+ app.kubernetes.io/version: 1.11.3
+ name: nginx-internal-ingress-admission-create
+ namespace: nginx-ingress
+spec:
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/component: admission-webhook
+ app.kubernetes.io/instance: nginx-internal-ingress
+ app.kubernetes.io/name: nginx-internal-ingress
+ app.kubernetes.io/part-of: nginx-internal-ingress
+ app.kubernetes.io/version: 1.11.3
+ name: nginx-internal-ingress-admission-create
+ spec:
+ containers:
+ - args:
+ - create
+ - --host=nginx-internal-ingress-controller-admission,nginx-internal-ingress-controller-admission.$(POD_NAMESPACE).svc
+ - --namespace=$(POD_NAMESPACE)
+ - --secret-name=nginx-internal-ingress-admission
+ env:
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.4.4@sha256:a9f03b34a3cbfbb26d103a14046ab2c5130a80c3d69d526ff8063d2b37b9fd3f
+ imagePullPolicy: IfNotPresent
+ name: create
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ runAsUser: 65532
+ seccompProfile:
+ type: RuntimeDefault
+ nodeSelector:
+ kubernetes.io/os: linux
+ restartPolicy: OnFailure
+ serviceAccountName: nginx-internal-ingress-admission
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ labels:
+ app.kubernetes.io/component: admission-webhook
+ app.kubernetes.io/instance: nginx-internal-ingress
+ app.kubernetes.io/name: nginx-internal-ingress
+ app.kubernetes.io/part-of: nginx-internal-ingress
+ app.kubernetes.io/version: 1.11.3
+ name: nginx-internal-ingress-admission-patch
+ namespace: nginx-ingress
+spec:
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/component: admission-webhook
+ app.kubernetes.io/instance: nginx-internal-ingress
+ app.kubernetes.io/name: nginx-internal-ingress
+ app.kubernetes.io/part-of: nginx-internal-ingress
+ app.kubernetes.io/version: 1.11.3
+ name: nginx-internal-ingress-admission-patch
+ spec:
+ containers:
+ - args:
+ - patch
+ - --webhook-name=nginx-internal-ingress-admission
+ - --namespace=$(POD_NAMESPACE)
+ - --patch-mutating=false
+ - --secret-name=nginx-internal-ingress-admission
+ - --patch-failure-policy=Fail
+ env:
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.4.4@sha256:a9f03b34a3cbfbb26d103a14046ab2c5130a80c3d69d526ff8063d2b37b9fd3f
+ imagePullPolicy: IfNotPresent
+ name: patch
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ runAsUser: 65532
+ seccompProfile:
+ type: RuntimeDefault
+ nodeSelector:
+ kubernetes.io/os: linux
+ restartPolicy: OnFailure
+ serviceAccountName: nginx-internal-ingress-admission
+---
+apiVersion: networking.k8s.io/v1
+kind: IngressClass
+metadata:
+ labels:
+ app.kubernetes.io/component: controller-internal
+ app.kubernetes.io/instance: nginx-internal-ingress
+ app.kubernetes.io/name: nginx-internal-ingress
+ app.kubernetes.io/part-of: nginx-internal-ingress
+ app.kubernetes.io/version: 1.11.3
+ name: nginx-internal
+spec:
+ controller: k8s.io/nginx-internal-ingress
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+ labels:
+ app.kubernetes.io/component: admission-webhook
+ app.kubernetes.io/instance: nginx-internal-ingress
+ app.kubernetes.io/name: nginx-internal-ingress
+ app.kubernetes.io/part-of: nginx-internal-ingress
+ app.kubernetes.io/version: 1.11.3
+ name: nginx-internal-ingress-admission
+webhooks:
+- admissionReviewVersions:
+ - v1
+ clientConfig:
+ service:
+ name: nginx-internal-ingress-controller-admission
+ namespace: nginx-ingress
+ path: /networking/v1/ingresses
+ port: 443
+ failurePolicy: Fail
+ matchPolicy: Equivalent
+ name: validate.nginx.ingress.kubernetes.io
+ rules:
+ - apiGroups:
+ - networking.k8s.io
+ apiVersions:
+ - v1
+ operations:
+ - CREATE
+ - UPDATE
+ resources:
+ - ingresses
+ sideEffects: None
diff --git a/nginx/internal/kustomization.yaml b/nginx/internal/kustomization.yaml
new file mode 100644
index 0000000..f8e6d0b
--- /dev/null
+++ b/nginx/internal/kustomization.yaml
@@ -0,0 +1,6 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+ - deploy.yaml
+ - loadbalancer.yaml
diff --git a/nginx/internal/loadbalancer.yaml b/nginx/internal/loadbalancer.yaml
new file mode 100644
index 0000000..2d04415
--- /dev/null
+++ b/nginx/internal/loadbalancer.yaml
@@ -0,0 +1,22 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: nginx-internal-ingress-controller-loadbalancer
+ namespace: nginx-ingress
+spec:
+ selector:
+ app.kubernetes.io/component: controller-internal
+ app.kubernetes.io/instance: nginx-internal-ingress
+ app.kubernetes.io/name: nginx-internal-ingress
+ ports:
+ - name: http
+ port: 80
+ protocol: TCP
+ targetPort: 80
+ - name: https
+ port: 443
+ protocol: TCP
+ targetPort: 443
+ type: LoadBalancer
+ externalTrafficPolicy: Local
+ loadBalancerIP: 10.10.0.16
diff --git a/nginx/internal/servicemonitor.yaml b/nginx/internal/servicemonitor.yaml
new file mode 100644
index 0000000..5194910
--- /dev/null
+++ b/nginx/internal/servicemonitor.yaml
@@ -0,0 +1,14 @@
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+ name: nginx-internal
+ namespace: nginx-ingress
+ labels:
+ app.kubernetes.io/name: nginx-internal-ingress
+spec:
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: nginx-internal-ingress
+ endpoints:
+ - port: prometheus
+ path: /metrics
diff --git a/nginx/kustomization.yaml b/nginx/kustomization.yaml
new file mode 100644
index 0000000..b1b2a1a
--- /dev/null
+++ b/nginx/kustomization.yaml
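Review bot: `resources` lists only `deploy.yaml` and `loadbalancer.yaml`, so the `nginx/internal/servicemonitor.yaml` created in this same commit is never rendered by `kustomize build` and the ServiceMonitor will not exist in the cluster. If that is deliberate (for example because the monitoring CRDs are not installed yet), record it with a comment such as `# servicemonitor.yaml is opted in once the Prometheus operator is present`; otherwise add `  - servicemonitor.yaml` to the list. The sibling external overlay is not visible in this chunk, so check whether it has the same gap.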
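Review bot: `loadBalancerIP: 10.10.0.16` relies on a field that Kubernetes deprecated in v1.24 in favour of implementation-specific annotations; on a newer cluster or load-balancer implementation the static address may be silently ignored and the internal ingress would come up on an arbitrary IP, breaking whatever DNS or firewall rules are pinned to it. Find out which annotation the cluster's load-balancer implementation honours and set it next to (or instead of) the field, with a comment recording why that address is reserved, e.g. `# 10.10.0.16 is reserved for the internal ingress in the LB pool`. Note also that this Service carries no `metadata.labels`, so anything that selects Services by label will not find it. `externalTrafficPolicy: Local` is a good choice here since it preserves client source addresses for nginx access logs and allow-lists.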
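Review bot: The selector `app.kubernetes.io/name: nginx-internal-ingress` with endpoint port `prometheus` only scrapes a Service in `nginx-ingress` that carries that label and exposes a port named `prometheus`; the load-balancer Service in this commit has neither, and the controller Service from deploy.yaml is outside this chunk, so it is likely this ServiceMonitor matches nothing and the controller's metrics (enabled with `--enable-metrics=true`, served on container port 10254 named `prometheus`) stay dark. Either add a dedicated metrics Service with that label and a `prometheus` port targeting 10254, or replace this object with a PodMonitor that selects the controller pods directly using the same labels the load-balancer Service already uses for its selector, as below. Whichever you pick, verify with the Prometheus targets page that the endpoint appears and is up.

```yaml
apiVersion: monitoring.coreos.com/v1
kind: PodMonitor
metadata:
  name: nginx-internal
  namespace: nginx-ingress
  labels:
    app.kubernetes.io/name: nginx-internal-ingress
spec:
  selector:
    matchLabels:
      app.kubernetes.io/component: controller-internal
      app.kubernetes.io/instance: nginx-internal-ingress
      app.kubernetes.io/name: nginx-internal-ingress
  podMetricsEndpoints:
    - port: prometheus
      path: /metrics
```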
@@ -0,0 +1,7 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+ - namespace.yaml
+ - internal
+ - external
diff --git a/nginx/namespace.yaml b/nginx/namespace.yaml
new file mode 100644
index 0000000..ba510bd
--- /dev/null
+++ b/nginx/namespace.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ labels:
+ app.kubernetes.io/instance: nginx-ingress
+ app.kubernetes.io/name: nginx-ingress
+ name: nginx-ingress
diff --git a/nginx/service.yaml b/nginx/service.yaml
deleted file mode 100644
index 3ddeb2a..0000000
--- a/nginx/service.yaml
+++ /dev/null
@@ -1,14 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
- name: nginx-svc
- labels:
- app: nginx
-spec:
- type: ClusterIP
- ports:
- - name: http
- port: 80
- selector:
- app: nginx
-
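Review bot: The Namespace carries only identity labels and no Pod Security Admission labels, so nothing enforces the hardening the manifests in this change already declare. The pod specs visible here (the controller with `drop: [ALL]` plus only `NET_BIND_SERVICE`, `runAsNonRoot: true`, `allowPrivilegeEscalation: false`, `seccompProfile: RuntimeDefault`, and the certgen Jobs with the same plus `readOnlyRootFilesystem: true`) already meet the `restricted` profile, so enforcing it costs nothing today and would reject a future regression at admission time. Consider adding `pod-security.kubernetes.io/enforce: restricted` and `pod-security.kubernetes.io/enforce-version: latest` (or a pinned version) under `labels`; the external overlay and the rest of deploy.yaml are outside this chunk and should be checked against the profile first.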