Refactor Helm Chart location and generate mainfests automatically

Moves the Helm Chart to charts/nginx-ingress.

Uses Helm Charts in examples/helm-chart to template single file
manifests in deploy/.

Adds `kustomize` to create a single CRDs file and single files
CRDs for NAP WAF and NAP DoS.

.github/labeler.yml

@@ -26,4 +26,4 @@ dependencies:
   - changed-files: ['go.mod', 'go.sum']
 
 helm_chart:
-  - changed-files: ['deployments/helm-chart/**/*']
+  - changed-files: ['charts/nginx-ingress/**/*']

.github/workflows/ci.yml

@@ -46,14 +46,14 @@ jobs:
         id: vars
         run: |
           echo "k8s_latest=$(grep -m1 'FROM kindest/node' <tests/Dockerfile | awk -F'[:v]' '{print $3}')" >> $GITHUB_OUTPUT
-          echo "chart_version=$(yq '.version' <deployments/helm-chart/Chart.yaml)" >> $GITHUB_OUTPUT
+          echo "chart_version=$(yq '.version' <charts/nginx-ingress/Chart.yaml)" >> $GITHUB_OUTPUT
           echo "go_path=$(go env GOPATH)" >> $GITHUB_OUTPUT
 
       - name: Check if go.mod and go.sum are up to date
         run: go mod tidy && git diff --exit-code -- go.mod go.sum
 
       - name: Check if CRDs changed
-        run: make update-crds && git diff --name-only --exit-code deployments/common/crds* deployments/helm-chart/crds*
+        run: make update-crds && git diff --name-only --exit-code config/crd/bases
 
       - name: Check if Codegen changed
         run: |
@@ -126,7 +126,7 @@ jobs:
             ## Resources
             - Documentation -- https://docs.nginx.com/nginx-ingress-controller/
             - Configuration examples -- https://github.com/nginxinc/kubernetes-ingress/tree/{{version}}/examples
-            - Helm Chart -- https://github.com/nginxinc/kubernetes-ingress/tree/{{version}}/deployments/helm-chart
+            - Helm Chart -- https://github.com/nginxinc/kubernetes-ingress/tree/{{version}}/charts/nginx-ingress
             - Operator -- https://github.com/nginxinc/nginx-ingress-operator/
         if: ${{ github.event_name == 'push' && github.ref != 'refs/heads/main' }}
 
@@ -214,7 +214,7 @@ jobs:
           --set controller.service.type=NodePort
           --set controller.nginxplus=${{ contains(matrix.type, 'plus') && 'true' || 'false' }}
           --wait
-        working-directory: ${{ github.workspace }}/deployments/helm-chart
+        working-directory: ${{ github.workspace }}/charts/nginx-ingress
 
       - name: Expose Test Ingresses
         run: |
@@ -418,7 +418,7 @@ jobs:
       - name: Package
         id: package
         run: |
-          output=$(helm package ${{ github.ref_type != 'tag' && '--app-version edge --version 0.0.0-edge' || '' }} kic/deployments/helm-chart)
+          output=$(helm package ${{ github.ref_type != 'tag' && '--app-version edge --version 0.0.0-edge' || '' }} kic/charts/nginx-ingress)
           echo "path=$(basename -- $(echo $output | cut -d: -f2))" >> $GITHUB_OUTPUT
 
       - name: Push to OCI registries

.github/workflows/lint.yml

@@ -56,7 +56,7 @@ jobs:
         uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
 
       - name: Lint chart
-        run: helm lint deployments/helm-chart
+        run: helm lint charts/nginx-ingress
 
   markdown-lint:
     name: Markdown Lint

.pre-commit-config.yaml

@@ -9,7 +9,7 @@ repos:
       - id: end-of-file-fixer
       - id: check-yaml
         args: [--allow-multiple-documents]
-        exclude: ^(deployments/helm-chart.*/templates|deployments/helm-chart/crds)
+        exclude: ^(charts/nginx-ingress/templates)
       - id: check-ast
       - id: check-added-large-files
       - id: check-merge-conflict
@@ -67,9 +67,9 @@ repos:
     hooks:
       - id: check-jsonschema
         name: "Check Helm Chart JSON Schema"
-        files: deployments/helm-chart/values.yaml
+        files: charts/nginx-ingress/values.yaml
         types: [yaml]
-        args: ['--schemafile', 'deployments/helm-chart/values.schema.json']
+        args: ['--schemafile', 'charts/nginx-ingress/values.schema.json']
 
   - repo: https://github.com/DavidAnson/markdownlint-cli2
     rev: v0.8.1

CONTRIBUTING.md

@@ -42,7 +42,7 @@ Read the [documentation](https://github.com/nginxinc/kubernetes-ingress/tree/mai
   - The internal code is found at `internal/`
   - Build files for Docker are found at `build/`
   - CI files are found at `.github/workflows/`
-  - Deployment yaml files, and Helm files are found at `deployments/`
+  - Deployment yaml files, and Helm files are found at `charts/`
   - We use [Go modules](https://github.com/golang/go/wiki/Modules) for managing dependencies.
 
 ## Contributing

Makefile

@@ -63,8 +63,14 @@ update-codegen: ## Generate code
 
 .PHONY: update-crds
 update-crds: ## Update CRDs
-	go run sigs.k8s.io/controller-tools/cmd/controller-gen crd:crdVersions=v1 schemapatch:manifests=./deployments/common/crds/ paths=./pkg/apis/... output:dir=./deployments/common/crds
-	@cp -Rp deployments/common/crds/* deployments/helm-chart/crds/
+	go run sigs.k8s.io/controller-tools/cmd/controller-gen crd paths=./pkg/apis/... output:crd:artifacts:config=config/crd/bases
+	kustomize build config/crd >deploy/crds.yaml
+	kustomize build config/crd/app-protect-dos --load-restrictor='LoadRestrictionsNone' >deploy/crds-nap-dos.yaml
+	kustomize build config/crd/app-protect-waf --load-restrictor='LoadRestrictionsNone' >deploy/crds-nap-waf.yaml
+
+.PHONY: generate-manifests
+generate-manifests: update-crds ## Generate manifests
+	./hack/generate-manifests.sh
 
 .PHONY: certificate-and-key
 certificate-and-key: ## Create default cert and key

README.md

@@ -118,8 +118,8 @@ your links to the correct versions:
 
 | Version | Description |  Image for NGINX | Image for NGINX Plus | Installation Manifests and Helm Chart | Documentation and Examples |
 | ------- | ----------- | --------------- | -------------------- | ---------------------------------------| -------------------------- |
-| Latest stable release | For production use | Use the 3.2.1 images from [DockerHub](https://hub.docker.com/r/nginx/nginx-ingress/), [GitHub Container](https://github.com/nginxinc/kubernetes-ingress/pkgs/container/kubernetes-ingress), [Amazon ECR Public Gallery](https://gallery.ecr.aws/nginx/nginx-ingress) or [Quay.io](https://quay.io/repository/nginx/nginx-ingress) or [build your own image](https://docs.nginx.com/nginx-ingress-controller/installation/building-ingress-controller-image/). | Use the 3.2.1 images from the [F5 Container Registry](https://docs.nginx.com/nginx-ingress-controller/installation/pulling-ingress-controller-image/) or the [AWS Marketplace](https://aws.amazon.com/marketplace/search/?CREATOR=741df81b-dfdc-4d36-b8da-945ea66b522c&FULFILLMENT_OPTION_TYPE=CONTAINER&filters=CREATOR%2CFULFILLMENT_OPTION_TYPE) or [Build your own image](https://docs.nginx.com/nginx-ingress-controller/installation/building-ingress-controller-image/). | [Manifests](https://github.com/nginxinc/kubernetes-ingress/tree/v3.2.1/deployments). [Helm chart](https://github.com/nginxinc/kubernetes-ingress/tree/v3.2.1/deployments/helm-chart). | [Documentation](https://docs.nginx.com/nginx-ingress-controller/). [Examples](https://docs.nginx.com/nginx-ingress-controller/configuration/configuration-examples/). |
-| Edge/Nightly | For testing and experimenting | Use the edge or nightly images from [DockerHub](https://hub.docker.com/r/nginx/nginx-ingress/), [GitHub Container](https://github.com/nginxinc/kubernetes-ingress/pkgs/container/kubernetes-ingress), [Amazon ECR Public Gallery](https://gallery.ecr.aws/nginx/nginx-ingress) or [Quay.io](https://quay.io/repository/nginx/nginx-ingress) or [build your own image](https://github.com/nginxinc/kubernetes-ingress/tree/main/docs/content/installation/building-ingress-controller-image.md). | [Build your own image](https://github.com/nginxinc/kubernetes-ingress/tree/main/docs/content/installation/building-ingress-controller-image.md). | [Manifests](https://github.com/nginxinc/kubernetes-ingress/tree/main/deployments). [Helm chart](https://github.com/nginxinc/kubernetes-ingress/tree/main/deployments/helm-chart). | [Documentation](https://github.com/nginxinc/kubernetes-ingress/tree/main/docs/content). [Examples](https://github.com/nginxinc/kubernetes-ingress/tree/main/examples). |
+| Latest stable release | For production use | Use the 3.2.1 images from [DockerHub](https://hub.docker.com/r/nginx/nginx-ingress/), [GitHub Container](https://github.com/nginxinc/kubernetes-ingress/pkgs/container/kubernetes-ingress), [Amazon ECR Public Gallery](https://gallery.ecr.aws/nginx/nginx-ingress) or [Quay.io](https://quay.io/repository/nginx/nginx-ingress) or [build your own image](https://docs.nginx.com/nginx-ingress-controller/installation/building-ingress-controller-image/). | Use the 3.2.1 images from the [F5 Container Registry](https://docs.nginx.com/nginx-ingress-controller/installation/pulling-ingress-controller-image/) or the [AWS Marketplace](https://aws.amazon.com/marketplace/search/?CREATOR=741df81b-dfdc-4d36-b8da-945ea66b522c&FULFILLMENT_OPTION_TYPE=CONTAINER&filters=CREATOR%2CFULFILLMENT_OPTION_TYPE) or [Build your own image](https://docs.nginx.com/nginx-ingress-controller/installation/building-ingress-controller-image/). | [Manifests](https://github.com/nginxinc/kubernetes-ingress/tree/v3.2.1/deployments). [Helm chart](https://github.com/nginxinc/kubernetes-ingress/tree/v3.2.1/charts/nginx-ingress). | [Documentation](https://docs.nginx.com/nginx-ingress-controller/). [Examples](https://docs.nginx.com/nginx-ingress-controller/configuration/configuration-examples/). |
+| Edge/Nightly | For testing and experimenting | Use the edge or nightly images from [DockerHub](https://hub.docker.com/r/nginx/nginx-ingress/), [GitHub Container](https://github.com/nginxinc/kubernetes-ingress/pkgs/container/kubernetes-ingress), [Amazon ECR Public Gallery](https://gallery.ecr.aws/nginx/nginx-ingress) or [Quay.io](https://quay.io/repository/nginx/nginx-ingress) or [build your own image](https://github.com/nginxinc/kubernetes-ingress/tree/main/docs/content/installation/building-ingress-controller-image.md). | [Build your own image](https://github.com/nginxinc/kubernetes-ingress/tree/main/docs/content/installation/building-ingress-controller-image.md). | [Manifests](https://github.com/nginxinc/kubernetes-ingress/tree/main/deployments). [Helm chart](https://github.com/nginxinc/kubernetes-ingress/tree/main/charts/nginx-ingress). | [Documentation](https://github.com/nginxinc/kubernetes-ingress/tree/main/docs/content). [Examples](https://github.com/nginxinc/kubernetes-ingress/tree/main/examples). |
 
 ## SBOM (Software Bill of Materials)
 

deployments/helm-chart/.helmignore → charts/nginx-ingress/.helmignore

@@ -1,2 +1,4 @@
 # Patterns to ignore when building packages.
 *.png
+
+.cache

deployments/helm-chart/Chart.yaml → charts/nginx-ingress/Chart.yaml

@@ -5,10 +5,10 @@ appVersion: 3.2.1
 kubeVersion: ">= 1.22.0-0"
 type: application
 description: NGINX Ingress Controller
-icon: https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.2.1/deployments/helm-chart/chart-icon.png
+icon: https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.2.1/charts/nginx-ingress/chart-icon.png
 home: https://github.com/nginxinc/kubernetes-ingress
 sources:
-  - https://github.com/nginxinc/kubernetes-ingress/tree/v3.2.1/deployments/helm-chart
+  - https://github.com/nginxinc/kubernetes-ingress/tree/v3.2.1/charts/nginx-ingress
 keywords:
   - ingress
   - nginx

deployments/helm-chart/README.md → charts/nginx-ingress/README.md

@@ -75,14 +75,14 @@ To install the chart with the release name my-release (my-release is the name th
 For NGINX:
 
 ```console
-helm install my-release oci://ghcr.io/nginxinc/charts/nginx-ingress --version 0.18.1
+helm install my-release -n nginx-ingress --create-namespace oci://ghcr.io/nginxinc/charts/nginx-ingress --version 0.18.1
 ```
 
 For NGINX Plus: (assuming you have pushed the Ingress Controller image `nginx-plus-ingress` to your private registry
 `myregistry.example.com`)
 
 ```console
-helm install my-release oci://ghcr.io/nginxinc/charts/nginx-ingress --version 0.18.1 --set controller.image.repository=myregistry.example.com/nginx-plus-ingress --set controller.nginxplus=true
+helm install my-release -n nginx-ingress --create-namespace oci://ghcr.io/nginxinc/charts/nginx-ingress --version 0.18.1 --set controller.image.repository=myregistry.example.com/nginx-plus-ingress --set controller.nginxplus=true
 ```
 
 This will install the latest `edge` version of the Ingress Controller from GitHub Container Registry. If you prefer to
@@ -97,15 +97,15 @@ CRDs](#upgrading-the-crds).
 To upgrade the release `my-release`:
 
 ```console
-helm upgrade my-release oci://ghcr.io/nginxinc/charts/nginx-ingress --version 0.18.1
+helm upgrade my-release -n nginx-ingress oci://ghcr.io/nginxinc/charts/nginx-ingress --version 0.18.1
 ```
 
 ### Uninstalling the Chart
 
 To uninstall/delete the release `my-release`:
 
 ```console
-helm uninstall my-release
+helm uninstall my-release -n nginx-ingress
 ```
 
 The command removes all the Kubernetes components associated with the release and deletes the release.
@@ -120,7 +120,7 @@ version is built from the `main` branch of the NGINX Ingress Controller reposito
 by specifying the `--version` flag with the value `0.0.0-edge`:
 
 ```console
-helm install my-release oci://ghcr.io/nginxinc/charts/nginx-ingress --version 0.0.0-edge
+helm install my-release -n nginx-ingress --create-namespace oci://ghcr.io/nginxinc/charts/nginx-ingress --version 0.0.0-edge
 ```
 
 > **Warning**
@@ -154,13 +154,13 @@ To install the chart with the release name my-release (my-release is the name th
 For NGINX:
 
 ```console
-helm install my-release .
+helm install my-release -n nginx-ingress --create-namespace .
 ```
 
 For NGINX Plus:
 
 ```console
-helm install my-release -f values-plus.yaml .
+helm install my-release -f values-plus.yaml -n nginx-ingress --create-namespace .
 ```
 
 The command deploys the Ingress Controller in your Kubernetes cluster in the default configuration. The configuration
@@ -174,15 +174,15 @@ CRDs](#upgrading-the-crds).
 To upgrade the release `my-release`:
 
 ```console
-helm upgrade my-release .
+helm upgrade my-release -n nginx-ingress .
 ```
 
 ### Uninstalling the Chart
 
 To uninstall/delete the release `my-release`:
 
 ```console
-helm uninstall my-release
+helm uninstall my-release -n nginx-ingress
 ```
 
 The command removes all the Kubernetes components associated with the release and deletes the release.
@@ -251,8 +251,7 @@ The following tables lists the configurable parameters of the NGINX Ingress Cont
 |`controller.enableCustomResources` | Enable the custom resources. | true |
 |`controller.enablePreviewPolicies` | Enable preview policies. This parameter is deprecated. To enable OIDC Policies please use `controller.enableOIDC` instead. | false |
 |`controller.enableOIDC` | Enable OIDC policies. | false |
-|`controller.enableTLSPassthrough` | Enable TLS Passthrough on default port 443. Requires `controller.enableCustomResources`. | false |
-|`controller.tlsPassThroughPort` | Set the port for the TLS Passthrough. Requires `controller.enableCustomResources` and `controller.enableTLSPassthrough`.  | 443 |
+|`controller.enableTLSPassthrough` | Enable TLS Passthrough on port 443. Requires `controller.enableCustomResources`. | false |
 |`controller.enableCertManager` | Enable x509 automated certificate management for VirtualServer resources using cert-manager (cert-manager.io). Requires `controller.enableCustomResources`. | false |
 |`controller.enableExternalDNS` | Enable integration with ExternalDNS for configuring public DNS entries for VirtualServer resources using [ExternalDNS](https://github.com/kubernetes-sigs/external-dns). Requires `controller.enableCustomResources`. | false |
 |`controller.globalConfiguration.create` | Creates the GlobalConfiguration custom resource. Requires `controller.enableCustomResources`. | false |

charts/nginx-ingress/crds

@@ -0,0 +1 @@
+../../config/crd/bases/

deployments/helm-chart/templates/controller-daemonset.yaml → charts/nginx-ingress/templates/controller-daemonset.yaml

@@ -230,9 +230,6 @@ spec:
           - -disable-ipv6={{ .Values.controller.disableIPV6 }}
 {{- if .Values.controller.enableCustomResources }}
           - -enable-tls-passthrough={{ .Values.controller.enableTLSPassthrough }}
-{{ if .Values.controller.enableTLSPassthrough }}
-          - -tls-passthrough-port={{ .Values.controller.tlsPassthroughPort }}
-{{ end }}
           - -enable-preview-policies={{ .Values.controller.enablePreviewPolicies }}
           - -enable-cert-manager={{ .Values.controller.enableCertManager }}
           - -enable-oidc={{ .Values.controller.enableOIDC }}

deployments/helm-chart/templates/controller-deployment.yaml → charts/nginx-ingress/templates/controller-deployment.yaml

@@ -173,14 +173,14 @@ spec:
           - -enable-app-protect={{ .Values.controller.appprotect.enable }}
 {{- if and .Values.controller.appprotect.enable .Values.controller.appprotect.logLevel }}
           - -app-protect-log-level={{ .Values.controller.appprotect.logLevel }}
-{{ end }}
+{{- end }}
           - -enable-app-protect-dos={{ .Values.controller.appprotectdos.enable }}
 {{- if .Values.controller.appprotectdos.enable }}
           - -app-protect-dos-debug={{ .Values.controller.appprotectdos.debug }}
           - -app-protect-dos-max-daemons={{ .Values.controller.appprotectdos.maxDaemons }}
           - -app-protect-dos-max-workers={{ .Values.controller.appprotectdos.maxWorkers }}
           - -app-protect-dos-memory={{ .Values.controller.appprotectdos.memory }}
-{{ end }}
+{{- end }}
           - -nginx-configmaps=$(POD_NAMESPACE)/{{ include "nginx-ingress.configName" . }}
 {{- if .Values.controller.defaultTLS.secret }}
           - -default-server-tls-secret={{ .Values.controller.defaultTLS.secret }}
@@ -237,9 +237,6 @@ spec:
           - -disable-ipv6={{ .Values.controller.disableIPV6 }}
 {{- if .Values.controller.enableCustomResources }}
           - -enable-tls-passthrough={{ .Values.controller.enableTLSPassthrough }}
-{{ if .Values.controller.enableTLSPassthrough }}
-          - -tls-passthrough-port={{ .Values.controller.tlsPassthroughPort }}
-{{ end }}
           - -enable-preview-policies={{ .Values.controller.enablePreviewPolicies }}
           - -enable-cert-manager={{ .Values.controller.enableCertManager }}
           - -enable-oidc={{ .Values.controller.enableOIDC }}

deployments/helm-chart/values.schema.json → charts/nginx-ingress/values.schema.json

@@ -648,14 +648,6 @@
             false
           ]
         },
-        "tlsPassthroughPort": {
-          "type": "integer",
-          "default": 443,
-          "title": "The tlsPassthroughPort",
-          "examples": [
-            443
-          ]
-        },
         "enableCertManager": {
           "type": "boolean",
           "default": false,
@@ -1369,7 +1361,6 @@
           "enableOIDC": false,
           "includeYear": false,
           "enableTLSPassthrough": false,
-          "tlsPassthroughPort": 443,
           "enableCertManager": false,
           "enableExternalDNS": false,
           "globalConfiguration": {

deployments/helm-chart/values.yaml → charts/nginx-ingress/values.yaml

@@ -209,7 +209,7 @@ controller:
     ## The number of Ingress Controller pods that can be unavailable. This is a mutually exclusive setting with "minAvailable".
     # maxUnavailable: 1
 
-    ## Strategy used to replace old Pods by new ones. .spec.strategy.type can be "Recreate" or "RollingUpdate" for Deployments, and "OnDelete" or "RollingUpdate" for Daemonsets. "RollingUpdate" is the default value.
+  ## Strategy used to replace old Pods by new ones. .spec.strategy.type can be "Recreate" or "RollingUpdate" for Deployments, and "OnDelete" or "RollingUpdate" for Daemonsets. "RollingUpdate" is the default value.
   strategy: {}
 
   ## Extra containers for the Ingress Controller pods.
@@ -257,9 +257,6 @@ controller:
   ## Enable TLS Passthrough on port 443. Requires controller.enableCustomResources.
   enableTLSPassthrough: false
 
-  ## Set the port for TLS Passthrough. Requires controller.enableCustomResources and controller.enableTLSPassthrough.
-  tlsPassthroughPort: 443
-
   ## Enable cert manager for Virtual Server resources. Requires controller.enableCustomResources.
   enableCertManager: false
 
@@ -375,7 +372,7 @@ controller:
 
     ## The name of the service account of the Ingress Controller pods. Used for RBAC.
     ## Autogenerated if not set or set to "".
-    # name: nginx-ingress
+    name: nginx-ingress
 
     ## The name of the secret containing docker registry credentials.
     ## Secret must exist in the same namespace as the helm release.
@@ -416,8 +413,7 @@ controller:
     enableLeaderElection: true
 
     ## Specifies the name of the ConfigMap, within the same namespace as the controller, used as the lock for leader election. controller.reportIngressStatus.enableLeaderElection must be set to true.
-    ## Autogenerated if not set or set to "".
-    # leaderElectionLockName: "nginx-ingress-leader-election"
+    leaderElectionLockName: "nginx-ingress-leader-election"
 
     ## The annotations of the leader election configmap.
     annotations: {}

config/base/kustomization.yaml

@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- deploy.yaml
+- namespace.yaml

config/base/namespace.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: nginx-ingress