diff --git a/.github/labeler.yml b/.github/labeler.yml index ffbc8e3bc6..1dcdbea5a2 100644 --- a/.github/labeler.yml +++ b/.github/labeler.yml @@ -26,4 +26,4 @@ dependencies: - changed-files: ['go.mod', 'go.sum'] helm_chart: - - changed-files: ['deployments/helm-chart/**/*'] + - changed-files: ['charts/nginx-ingress/**/*'] diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index be5e5f6aee..39b4ccbf8d 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -46,14 +46,14 @@ jobs: id: vars run: | echo "k8s_latest=$(grep -m1 'FROM kindest/node' > $GITHUB_OUTPUT - echo "chart_version=$(yq '.version' > $GITHUB_OUTPUT + echo "chart_version=$(yq '.version' > $GITHUB_OUTPUT echo "go_path=$(go env GOPATH)" >> $GITHUB_OUTPUT - name: Check if go.mod and go.sum are up to date run: go mod tidy && git diff --exit-code -- go.mod go.sum - name: Check if CRDs changed - run: make update-crds && git diff --name-only --exit-code deployments/common/crds* deployments/helm-chart/crds* + run: make update-crds && git diff --name-only --exit-code config/crd/bases - name: Check if Codegen changed run: | @@ -126,7 +126,7 @@ jobs: ## Resources - Documentation -- https://docs.nginx.com/nginx-ingress-controller/ - Configuration examples -- https://github.com/nginxinc/kubernetes-ingress/tree/{{version}}/examples - - Helm Chart -- https://github.com/nginxinc/kubernetes-ingress/tree/{{version}}/deployments/helm-chart + - Helm Chart -- https://github.com/nginxinc/kubernetes-ingress/tree/{{version}}/charts/nginx-ingress - Operator -- https://github.com/nginxinc/nginx-ingress-operator/ if: ${{ github.event_name == 'push' && github.ref != 'refs/heads/main' }} 
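Review bot: The CRD drift check now diffs only `config/crd/bases`, but the `make update-crds` it runs (Makefile hunk at @@ -63) also regenerates `deploy/crds.yaml`, `deploy/crds-nap-dos.yaml` and `deploy/crds-nap-waf.yaml`, so if those files are committed a stale copy passes CI unnoticed. Widening the step covers both outputs: `run: make update-crds && git diff --name-only --exit-code config/crd/bases deploy/crds*.yaml`. Separately, the `k8s_latest=` and `chart_version=` lines read as truncated in this view (unbalanced quotes, and a single `>` where the `go_path=` line below uses `>>`); if that is how they appear in the checked-in file, the second redirect overwrites `$GITHUB_OUTPUT` and drops `k8s_latest`, so please confirm against the workflow source. The `vars` step and its enclosing job start above the hunk.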
@@ -214,7 +214,7 @@ jobs: --set controller.service.type=NodePort --set controller.nginxplus=${{ contains(matrix.type, 'plus') && 'true' || 'false' }} --wait - working-directory: ${{ github.workspace }}/deployments/helm-chart + working-directory: ${{ github.workspace }}/charts/nginx-ingress - name: Expose Test Ingresses run: | @@ -418,7 +418,7 @@ jobs: - name: Package id: package run: | - output=$(helm package ${{ github.ref_type != 'tag' && '--app-version edge --version 0.0.0-edge' || '' }} kic/deployments/helm-chart) + output=$(helm package ${{ github.ref_type != 'tag' && '--app-version edge --version 0.0.0-edge' || '' }} kic/charts/nginx-ingress) echo "path=$(basename -- $(echo $output | cut -d: -f2))" >> $GITHUB_OUTPUT - name: Push to OCI registries diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index a352f31720..74a16ab125 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml @@ -56,7 +56,7 @@ jobs: uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 - name: Lint chart - run: helm lint deployments/helm-chart + run: helm lint charts/nginx-ingress markdown-lint: name: Markdown Lint diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 3d00c67c14..8d577d00c6 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -9,7 +9,7 @@ repos: - id: end-of-file-fixer - id: check-yaml args: [--allow-multiple-documents] - exclude: ^(deployments/helm-chart.*/templates|deployments/helm-chart/crds) + exclude: ^(charts/nginx-ingress/templates) - id: check-ast - id: check-added-large-files - id: check-merge-conflict 
@@ -67,9 +67,9 @@ repos: hooks: - id: check-jsonschema name: "Check Helm Chart JSON Schema" - files: deployments/helm-chart/values.yaml + files: charts/nginx-ingress/values.yaml types: [yaml] - args: ['--schemafile', 'deployments/helm-chart/values.schema.json'] + args: ['--schemafile', 'charts/nginx-ingress/values.schema.json'] - repo: https://github.com/DavidAnson/markdownlint-cli2 rev: v0.8.1 diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 19cfe17f6a..40f623a297 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -42,7 +42,7 @@ Read the [documentation](https://github.com/nginxinc/kubernetes-ingress/tree/mai - The internal code is found at `internal/` - Build files for Docker are found at `build/` - CI files are found at `.github/workflows/` - - Deployment yaml files, and Helm files are found at `deployments/` + - Deployment yaml files, and Helm files are found at `charts/` - We use [Go modules](https://github.com/golang/go/wiki/Modules) for managing dependencies. ## Contributing diff --git a/Makefile b/Makefile index 2377c8b9c3..e232d893ca 100644 --- a/Makefile +++ b/Makefile 
@@ -63,8 +63,14 @@ update-codegen: ## Generate code .PHONY: update-crds update-crds: ## Update CRDs - go run sigs.k8s.io/controller-tools/cmd/controller-gen crd:crdVersions=v1 schemapatch:manifests=./deployments/common/crds/ paths=./pkg/apis/... output:dir=./deployments/common/crds - @cp -Rp deployments/common/crds/* deployments/helm-chart/crds/ + go run sigs.k8s.io/controller-tools/cmd/controller-gen crd paths=./pkg/apis/... output:crd:artifacts:config=config/crd/bases + kustomize build config/crd >deploy/crds.yaml + kustomize build config/crd/app-protect-dos --load-restrictor='LoadRestrictionsNone' >deploy/crds-nap-dos.yaml + kustomize build config/crd/app-protect-waf --load-restrictor='LoadRestrictionsNone' >deploy/crds-nap-waf.yaml + +.PHONY: generate-manifests +generate-manifests: update-crds ## Generate manifests + ./hack/generate-manifests.sh .PHONY: certificate-and-key certificate-and-key: ## Create default cert and key diff --git a/README.md b/README.md index 3f3b6a9a80..0f53a4f150 100644 --- a/README.md +++ b/README.md 
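Review bot: The three `kustomize build` lines invoke a `kustomize` binary from PATH with no pinned version, whereas `controller-gen` runs through `go run` from the module's dependency set, so the regenerated `deploy/crds*.yaml` depend on whichever kustomize the developer or CI runner happens to have; running it the same way (`go run sigs.k8s.io/kustomize/kustomize/v5@<pinned-version> build ...`) or asserting the version first would make the output reproducible. `--load-restrictor='LoadRestrictionsNone'` is needed only because `config/crd/app-protect-dos/kustomization.yaml` and `config/crd/app-protect-waf/kustomization.yaml` list individual files under `../bases/`; it switches off kustomize's guard against a kustomization reading files outside its own root, so a one-line comment above those two commands stating that reason would stop the next maintainer from copying the flag into overlays that do not need it. The `>` redirections truncate the target files before kustomize starts, so a failed build leaves an empty `deploy/*.yaml` behind even though make reports the error; writing to a temporary file and moving it into place avoids that. The start of the `update-crds` recipe's surrounding targets is outside the hunk.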
@@ -118,8 +118,8 @@ your links to the correct versions: | Version | Description | Image for NGINX | Image for NGINX Plus | Installation Manifests and Helm Chart | Documentation and Examples | | ------- | ----------- | --------------- | -------------------- | ---------------------------------------| -------------------------- | -| Latest stable release | For production use | Use the 3.2.1 images from [DockerHub](https://hub.docker.com/r/nginx/nginx-ingress/), [GitHub Container](https://github.com/nginxinc/kubernetes-ingress/pkgs/container/kubernetes-ingress), [Amazon ECR Public Gallery](https://gallery.ecr.aws/nginx/nginx-ingress) or [Quay.io](https://quay.io/repository/nginx/nginx-ingress) or [build your own image](https://docs.nginx.com/nginx-ingress-controller/installation/building-ingress-controller-image/). | Use the 3.2.1 images from the [F5 Container Registry](https://docs.nginx.com/nginx-ingress-controller/installation/pulling-ingress-controller-image/) or the [AWS Marketplace](https://aws.amazon.com/marketplace/search/?CREATOR=741df81b-dfdc-4d36-b8da-945ea66b522c&FULFILLMENT_OPTION_TYPE=CONTAINER&filters=CREATOR%2CFULFILLMENT_OPTION_TYPE) or [Build your own image](https://docs.nginx.com/nginx-ingress-controller/installation/building-ingress-controller-image/). | [Manifests](https://github.com/nginxinc/kubernetes-ingress/tree/v3.2.1/deployments). [Helm chart](https://github.com/nginxinc/kubernetes-ingress/tree/v3.2.1/deployments/helm-chart). | [Documentation](https://docs.nginx.com/nginx-ingress-controller/). [Examples](https://docs.nginx.com/nginx-ingress-controller/configuration/configuration-examples/). 
| -| Edge/Nightly | For testing and experimenting | Use the edge or nightly images from [DockerHub](https://hub.docker.com/r/nginx/nginx-ingress/), [GitHub Container](https://github.com/nginxinc/kubernetes-ingress/pkgs/container/kubernetes-ingress), [Amazon ECR Public Gallery](https://gallery.ecr.aws/nginx/nginx-ingress) or [Quay.io](https://quay.io/repository/nginx/nginx-ingress) or [build your own image](https://github.com/nginxinc/kubernetes-ingress/tree/main/docs/content/installation/building-ingress-controller-image.md). | [Build your own image](https://github.com/nginxinc/kubernetes-ingress/tree/main/docs/content/installation/building-ingress-controller-image.md). | [Manifests](https://github.com/nginxinc/kubernetes-ingress/tree/main/deployments). [Helm chart](https://github.com/nginxinc/kubernetes-ingress/tree/main/deployments/helm-chart). | [Documentation](https://github.com/nginxinc/kubernetes-ingress/tree/main/docs/content). [Examples](https://github.com/nginxinc/kubernetes-ingress/tree/main/examples). | +| Latest stable release | For production use | Use the 3.2.1 images from [DockerHub](https://hub.docker.com/r/nginx/nginx-ingress/), [GitHub Container](https://github.com/nginxinc/kubernetes-ingress/pkgs/container/kubernetes-ingress), [Amazon ECR Public Gallery](https://gallery.ecr.aws/nginx/nginx-ingress) or [Quay.io](https://quay.io/repository/nginx/nginx-ingress) or [build your own image](https://docs.nginx.com/nginx-ingress-controller/installation/building-ingress-controller-image/). | Use the 3.2.1 images from the [F5 Container Registry](https://docs.nginx.com/nginx-ingress-controller/installation/pulling-ingress-controller-image/) or the [AWS Marketplace](https://aws.amazon.com/marketplace/search/?CREATOR=741df81b-dfdc-4d36-b8da-945ea66b522c&FULFILLMENT_OPTION_TYPE=CONTAINER&filters=CREATOR%2CFULFILLMENT_OPTION_TYPE) or [Build your own image](https://docs.nginx.com/nginx-ingress-controller/installation/building-ingress-controller-image/). 
| [Manifests](https://github.com/nginxinc/kubernetes-ingress/tree/v3.2.1/deployments). [Helm chart](https://github.com/nginxinc/kubernetes-ingress/tree/v3.2.1/charts/nginx-ingress). | [Documentation](https://docs.nginx.com/nginx-ingress-controller/). [Examples](https://docs.nginx.com/nginx-ingress-controller/configuration/configuration-examples/). | +| Edge/Nightly | For testing and experimenting | Use the edge or nightly images from [DockerHub](https://hub.docker.com/r/nginx/nginx-ingress/), [GitHub Container](https://github.com/nginxinc/kubernetes-ingress/pkgs/container/kubernetes-ingress), [Amazon ECR Public Gallery](https://gallery.ecr.aws/nginx/nginx-ingress) or [Quay.io](https://quay.io/repository/nginx/nginx-ingress) or [build your own image](https://github.com/nginxinc/kubernetes-ingress/tree/main/docs/content/installation/building-ingress-controller-image.md). | [Build your own image](https://github.com/nginxinc/kubernetes-ingress/tree/main/docs/content/installation/building-ingress-controller-image.md). | [Manifests](https://github.com/nginxinc/kubernetes-ingress/tree/main/deployments). [Helm chart](https://github.com/nginxinc/kubernetes-ingress/tree/main/charts/nginx-ingress). | [Documentation](https://github.com/nginxinc/kubernetes-ingress/tree/main/docs/content). [Examples](https://github.com/nginxinc/kubernetes-ingress/tree/main/examples). | ## SBOM (Software Bill of Materials) diff --git a/deployments/helm-chart/.helmignore b/charts/nginx-ingress/.helmignore similarity index 86% rename from deployments/helm-chart/.helmignore rename to charts/nginx-ingress/.helmignore index c1347c2c27..63c4476ded 100644 --- a/deployments/helm-chart/.helmignore +++ b/charts/nginx-ingress/.helmignore @@ -1,2 +1,4 @@ # Patterns to ignore when building packages. *.png + +.cache 
diff --git a/deployments/helm-chart/Chart.yaml b/charts/nginx-ingress/Chart.yaml similarity index 73% rename from deployments/helm-chart/Chart.yaml rename to charts/nginx-ingress/Chart.yaml index 716bede51a..afaf7bba0d 100644 --- a/deployments/helm-chart/Chart.yaml +++ b/charts/nginx-ingress/Chart.yaml @@ -5,10 +5,10 @@ appVersion: 3.2.1 kubeVersion: ">= 1.22.0-0" type: application description: NGINX Ingress Controller -icon: https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.2.1/deployments/helm-chart/chart-icon.png +icon: https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.2.1/charts/nginx-ingress/chart-icon.png home: https://github.com/nginxinc/kubernetes-ingress sources: - - https://github.com/nginxinc/kubernetes-ingress/tree/v3.2.1/deployments/helm-chart + - https://github.com/nginxinc/kubernetes-ingress/tree/v3.2.1/charts/nginx-ingress keywords: - ingress - nginx diff --git a/deployments/helm-chart/README.md b/charts/nginx-ingress/README.md similarity index 96% rename from deployments/helm-chart/README.md rename to charts/nginx-ingress/README.md index e3186f7d86..b09d1e2221 100644 --- a/deployments/helm-chart/README.md +++ b/charts/nginx-ingress/README.md 
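Review bot: The new `icon:` and `sources:` URLs combine the `v3.2.1` tag with the `charts/nginx-ingress` path, but at that tag the chart still lives under `deployments/helm-chart` (this commit is what moves it), so both links point at paths that do not exist until the next release is tagged. Either keep the old path until the version bump, or reference `main` for the edge chart and let the release process rewrite tag and path together, e.g. `icon: https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/main/charts/nginx-ingress/chart-icon.png`. Tools that render the chart metadata (`helm show chart`, chart registries) would presumably surface the broken icon link directly; the top-level README table in this commit has the same `v3.2.1/charts/nginx-ingress` combination.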
@@ -75,14 +75,14 @@ To install the chart with the release name my-release (my-release is the name th For NGINX: ```console -helm install my-release oci://ghcr.io/nginxinc/charts/nginx-ingress --version 0.18.1 +helm install my-release -n nginx-ingress --create-namespace oci://ghcr.io/nginxinc/charts/nginx-ingress --version 0.18.1 ``` For NGINX Plus: (assuming you have pushed the Ingress Controller image `nginx-plus-ingress` to your private registry `myregistry.example.com`) ```console -helm install my-release oci://ghcr.io/nginxinc/charts/nginx-ingress --version 0.18.1 --set controller.image.repository=myregistry.example.com/nginx-plus-ingress --set controller.nginxplus=true +helm install my-release -n nginx-ingress --create-namespace oci://ghcr.io/nginxinc/charts/nginx-ingress --version 0.18.1 --set controller.image.repository=myregistry.example.com/nginx-plus-ingress --set controller.nginxplus=true ``` This will install the latest `edge` version of the Ingress Controller from GitHub Container Registry. If you prefer to @@ -97,7 +97,7 @@ CRDs](#upgrading-the-crds). To upgrade the release `my-release`: ```console -helm upgrade my-release oci://ghcr.io/nginxinc/charts/nginx-ingress --version 0.18.1 +helm upgrade my-release -n nginx-ingress oci://ghcr.io/nginxinc/charts/nginx-ingress --version 0.18.1 ``` ### Uninstalling the Chart @@ -105,7 +105,7 @@ helm upgrade my-release oci://ghcr.io/nginxinc/charts/nginx-ingress --version 0. To uninstall/delete the release `my-release`: ```console -helm uninstall my-release +helm uninstall my-release -n nginx-ingress ``` The command removes all the Kubernetes components associated with the release and deletes the release. 
@@ -120,7 +120,7 @@ version is built from the `main` branch of the NGINX Ingress Controller reposito by specifying the `--version` flag with the value `0.0.0-edge`: ```console -helm install my-release oci://ghcr.io/nginxinc/charts/nginx-ingress --version 0.0.0-edge +helm install my-release -n nginx-ingress --create-namespace oci://ghcr.io/nginxinc/charts/nginx-ingress --version 0.0.0-edge ``` > **Warning** @@ -154,13 +154,13 @@ To install the chart with the release name my-release (my-release is the name th For NGINX: ```console -helm install my-release . +helm install my-release -n nginx-ingress --create-namespace . ``` For NGINX Plus: ```console -helm install my-release -f values-plus.yaml . +helm install my-release -f values-plus.yaml -n nginx-ingress --create-namespace . ``` The command deploys the Ingress Controller in your Kubernetes cluster in the default configuration. The configuration @@ -174,7 +174,7 @@ CRDs](#upgrading-the-crds). To upgrade the release `my-release`: ```console -helm upgrade my-release . +helm upgrade my-release -n nginx-ingress . ``` ### Uninstalling the Chart @@ -182,7 +182,7 @@ helm upgrade my-release . To uninstall/delete the release `my-release`: ```console -helm uninstall my-release +helm uninstall my-release -n nginx-ingress ``` The command removes all the Kubernetes components associated with the release and deletes the release. 
@@ -251,8 +251,7 @@ The following tables lists the configurable parameters of the NGINX Ingress Cont |`controller.enableCustomResources` | Enable the custom resources. | true | |`controller.enablePreviewPolicies` | Enable preview policies. This parameter is deprecated. To enable OIDC Policies please use `controller.enableOIDC` instead. | false | |`controller.enableOIDC` | Enable OIDC policies. | false | -|`controller.enableTLSPassthrough` | Enable TLS Passthrough on default port 443. Requires `controller.enableCustomResources`. | false | -|`controller.tlsPassThroughPort` | Set the port for the TLS Passthrough. Requires `controller.enableCustomResources` and `controller.enableTLSPassthrough`. | 443 | +|`controller.enableTLSPassthrough` | Enable TLS Passthrough on port 443. Requires `controller.enableCustomResources`. | false | |`controller.enableCertManager` | Enable x509 automated certificate management for VirtualServer resources using cert-manager (cert-manager.io). Requires `controller.enableCustomResources`. | false | |`controller.enableExternalDNS` | Enable integration with ExternalDNS for configuring public DNS entries for VirtualServer resources using [ExternalDNS](https://github.com/kubernetes-sigs/external-dns). Requires `controller.enableCustomResources`. | false | |`controller.globalConfiguration.create` | Creates the GlobalConfiguration custom resource. Requires `controller.enableCustomResources`. | false | diff --git a/deployments/helm-chart/chart-icon.png b/charts/nginx-ingress/chart-icon.png similarity index 100% rename from deployments/helm-chart/chart-icon.png rename to charts/nginx-ingress/chart-icon.png diff --git a/charts/nginx-ingress/crds b/charts/nginx-ingress/crds new file mode 120000 index 0000000000..5188fdaabe --- /dev/null +++ b/charts/nginx-ingress/crds @@ -0,0 +1 @@ +../../config/crd/bases/ \ No newline at end of file 
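Review bot: `charts/nginx-ingress/crds` is now a symlink to `../../config/crd/bases/`, so the chart is only complete when the whole repository is checked out; anyone who vendors or copies `charts/nginx-ingress` on its own, or a tool that refuses to follow symlinks outside the chart root, gets a dangling `crds/` and either an error or a chart that installs no CRDs. The `helm package` step in ci.yml (@@ -418) and `helm lint` in lint.yml both run from a full checkout, so they will not catch this. If the symlink is kept, the chart README should say that the CRDs are linked from `config/crd/bases` and that the packaged chart from the OCI registry is the supported way to consume them; otherwise copy the files in as part of `generate-manifests`. Whether `hack/generate-manifests.sh` already does that is not visible in this diff.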
diff --git a/deployments/helm-chart/templates/NOTES.txt b/charts/nginx-ingress/templates/NOTES.txt similarity index 100% rename from deployments/helm-chart/templates/NOTES.txt rename to charts/nginx-ingress/templates/NOTES.txt diff --git a/deployments/helm-chart/templates/_helpers.tpl b/charts/nginx-ingress/templates/_helpers.tpl similarity index 100% rename from deployments/helm-chart/templates/_helpers.tpl rename to charts/nginx-ingress/templates/_helpers.tpl diff --git a/deployments/helm-chart/templates/controller-configmap.yaml b/charts/nginx-ingress/templates/controller-configmap.yaml similarity index 100% rename from deployments/helm-chart/templates/controller-configmap.yaml rename to charts/nginx-ingress/templates/controller-configmap.yaml diff --git a/deployments/helm-chart/templates/controller-daemonset.yaml b/charts/nginx-ingress/templates/controller-daemonset.yaml similarity index 98% rename from deployments/helm-chart/templates/controller-daemonset.yaml rename to charts/nginx-ingress/templates/controller-daemonset.yaml index a3d17a5a8d..7d6ebdc124 100644 --- a/deployments/helm-chart/templates/controller-daemonset.yaml +++ b/charts/nginx-ingress/templates/controller-daemonset.yaml @@ -230,9 +230,6 @@ spec: - -disable-ipv6={{ .Values.controller.disableIPV6 }} {{- if .Values.controller.enableCustomResources }} - -enable-tls-passthrough={{ .Values.controller.enableTLSPassthrough }} -{{ if .Values.controller.enableTLSPassthrough }} - - -tls-passthrough-port={{ .Values.controller.tlsPassthroughPort }} -{{ end }} - -enable-preview-policies={{ .Values.controller.enablePreviewPolicies }} - -enable-cert-manager={{ .Values.controller.enableCertManager }} - -enable-oidc={{ .Values.controller.enableOIDC }} 
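Review bot: Dropping the `-tls-passthrough-port` argument removes a user-facing value, `controller.tlsPassthroughPort`, without a deprecation note; if that value shipped in a released chart, users who set it to anything other than 443 silently revert to the default port on upgrade. The same block is removed from controller-deployment.yaml (@@ -237) and the key from values.yaml and values.schema.json; whether a leftover `tlsPassthroughPort:` in a user's values file now fails schema validation or is ignored depends on the schema's `additionalProperties` setting, which is not in view. A README or changelog line such as `controller.tlsPassthroughPort has been removed; TLS Passthrough always listens on port 443` would make the change visible to operators. The enclosing `args:` list starts above the hunk.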
diff --git a/deployments/helm-chart/templates/controller-deployment.yaml b/charts/nginx-ingress/templates/controller-deployment.yaml similarity index 98% rename from deployments/helm-chart/templates/controller-deployment.yaml rename to charts/nginx-ingress/templates/controller-deployment.yaml index 8982b8c0fa..ce0b736d2a 100644 --- a/deployments/helm-chart/templates/controller-deployment.yaml +++ b/charts/nginx-ingress/templates/controller-deployment.yaml @@ -173,14 +173,14 @@ spec: - -enable-app-protect={{ .Values.controller.appprotect.enable }} {{- if and .Values.controller.appprotect.enable .Values.controller.appprotect.logLevel }} - -app-protect-log-level={{ .Values.controller.appprotect.logLevel }} -{{ end }} +{{- end }} - -enable-app-protect-dos={{ .Values.controller.appprotectdos.enable }} {{- if .Values.controller.appprotectdos.enable }} - -app-protect-dos-debug={{ .Values.controller.appprotectdos.debug }} - -app-protect-dos-max-daemons={{ .Values.controller.appprotectdos.maxDaemons }} - -app-protect-dos-max-workers={{ .Values.controller.appprotectdos.maxWorkers }} - -app-protect-dos-memory={{ .Values.controller.appprotectdos.memory }} -{{ end }} +{{- end }} - -nginx-configmaps=$(POD_NAMESPACE)/{{ include "nginx-ingress.configName" . }} {{- if .Values.controller.defaultTLS.secret }} - -default-server-tls-secret={{ .Values.controller.defaultTLS.secret }} @@ -237,9 +237,6 @@ spec: - -disable-ipv6={{ .Values.controller.disableIPV6 }} {{- if .Values.controller.enableCustomResources }} - -enable-tls-passthrough={{ .Values.controller.enableTLSPassthrough }} -{{ if .Values.controller.enableTLSPassthrough }} - - -tls-passthrough-port={{ .Values.controller.tlsPassthroughPort }} -{{ end }} - -enable-preview-policies={{ .Values.controller.enablePreviewPolicies }} - -enable-cert-manager={{ .Values.controller.enableCertManager }} - -enable-oidc={{ .Values.controller.enableOIDC }} 
diff --git a/deployments/helm-chart/templates/controller-globalconfiguration.yaml b/charts/nginx-ingress/templates/controller-globalconfiguration.yaml
similarity index 100%
rename from deployments/helm-chart/templates/controller-globalconfiguration.yaml
rename to charts/nginx-ingress/templates/controller-globalconfiguration.yaml
diff --git a/deployments/helm-chart/templates/controller-hpa.yaml b/charts/nginx-ingress/templates/controller-hpa.yaml
similarity index 100%
rename from deployments/helm-chart/templates/controller-hpa.yaml
rename to charts/nginx-ingress/templates/controller-hpa.yaml
diff --git a/deployments/helm-chart/templates/controller-ingress-class.yaml b/charts/nginx-ingress/templates/controller-ingress-class.yaml
similarity index 100%
rename from deployments/helm-chart/templates/controller-ingress-class.yaml
rename to charts/nginx-ingress/templates/controller-ingress-class.yaml
diff --git a/deployments/helm-chart/templates/controller-leader-election-configmap.yaml b/charts/nginx-ingress/templates/controller-leader-election-configmap.yaml
similarity index 100%
rename from deployments/helm-chart/templates/controller-leader-election-configmap.yaml
rename to charts/nginx-ingress/templates/controller-leader-election-configmap.yaml
diff --git a/deployments/helm-chart/templates/controller-pdb.yaml b/charts/nginx-ingress/templates/controller-pdb.yaml
similarity index 100%
rename from deployments/helm-chart/templates/controller-pdb.yaml
rename to charts/nginx-ingress/templates/controller-pdb.yaml
diff --git a/deployments/helm-chart/templates/controller-secret.yaml b/charts/nginx-ingress/templates/controller-secret.yaml
similarity index 100%
rename from deployments/helm-chart/templates/controller-secret.yaml
rename to charts/nginx-ingress/templates/controller-secret.yaml
diff --git a/deployments/helm-chart/templates/controller-service.yaml b/charts/nginx-ingress/templates/controller-service.yaml
similarity index 100%
rename from deployments/helm-chart/templates/controller-service.yaml
rename to charts/nginx-ingress/templates/controller-service.yaml
diff --git a/deployments/helm-chart/templates/controller-serviceaccount.yaml b/charts/nginx-ingress/templates/controller-serviceaccount.yaml
similarity index 100%
rename from deployments/helm-chart/templates/controller-serviceaccount.yaml
rename to charts/nginx-ingress/templates/controller-serviceaccount.yaml
diff --git a/deployments/helm-chart/templates/controller-servicemonitor.yaml b/charts/nginx-ingress/templates/controller-servicemonitor.yaml
similarity index 100%
rename from deployments/helm-chart/templates/controller-servicemonitor.yaml
rename to charts/nginx-ingress/templates/controller-servicemonitor.yaml
diff --git a/deployments/helm-chart/templates/controller-wildcard-secret.yaml b/charts/nginx-ingress/templates/controller-wildcard-secret.yaml
similarity index 100%
rename from deployments/helm-chart/templates/controller-wildcard-secret.yaml
rename to charts/nginx-ingress/templates/controller-wildcard-secret.yaml
diff --git a/deployments/helm-chart/templates/rbac.yaml b/charts/nginx-ingress/templates/rbac.yaml
similarity index 100%
rename from deployments/helm-chart/templates/rbac.yaml
rename to charts/nginx-ingress/templates/rbac.yaml
diff --git a/deployments/helm-chart/values.schema.json b/charts/nginx-ingress/values.schema.json
similarity index 99%
rename from deployments/helm-chart/values.schema.json
rename to charts/nginx-ingress/values.schema.json
index dd43083a78..6079d73fe7 100644
--- a/deployments/helm-chart/values.schema.json
+++ b/charts/nginx-ingress/values.schema.json
@@ -648,14 +648,6 @@ false ] }, - "tlsPassthroughPort": { - "type": "integer", - "default": 443, - "title": "The tlsPassthroughPort", - "examples": [ - 443 - ] - }, "enableCertManager": { "type": "boolean", "default": false, @@ -1369,7 +1361,6 @@ "enableOIDC": false, "includeYear": false, "enableTLSPassthrough": false, - "tlsPassthroughPort": 443, "enableCertManager": false, "enableExternalDNS": false, "globalConfiguration": { diff --git a/deployments/helm-chart/values.yaml b/charts/nginx-ingress/values.yaml similarity index 97% rename from deployments/helm-chart/values.yaml rename to charts/nginx-ingress/values.yaml index 531af909af..95f893ae03 100644 --- a/deployments/helm-chart/values.yaml +++ b/charts/nginx-ingress/values.yaml @@ -209,7 +209,7 @@ controller: ## The number of Ingress Controller pods that can be unavailable. This is a mutually exclusive setting with "minAvailable". # maxUnavailable: 1 - ## Strategy used to replace old Pods by new ones. .spec.strategy.type can be "Recreate" or "RollingUpdate" for Deployments, and "OnDelete" or "RollingUpdate" for Daemonsets. "RollingUpdate" is the default value. + ## Strategy used to replace old Pods by new ones. .spec.strategy.type can be "Recreate" or "RollingUpdate" for Deployments, and "OnDelete" or "RollingUpdate" for Daemonsets. "RollingUpdate" is the default value. strategy: {} ## Extra containers for the Ingress Controller pods. @@ -257,9 +257,6 @@ controller: ## Enable TLS Passthrough on port 443. Requires controller.enableCustomResources. enableTLSPassthrough: false - ## Set the port for TLS Passthrough. Requires controller.enableCustomResources and controller.enableTLSPassthrough. - tlsPassthroughPort: 443 - ## Enable cert manager for Virtual Server resources. Requires controller.enableCustomResources. enableCertManager: false 
@@ -375,7 +372,7 @@ controller: ## The name of the service account of the Ingress Controller pods. Used for RBAC. ## Autogenerated if not set or set to "". - # name: nginx-ingress + name: nginx-ingress ## The name of the secret containing docker registry credentials. ## Secret must exist in the same namespace as the helm release. @@ -416,8 +413,7 @@ controller: enableLeaderElection: true ## Specifies the name of the ConfigMap, within the same namespace as the controller, used as the lock for leader election. controller.reportIngressStatus.enableLeaderElection must be set to true. - ## Autogenerated if not set or set to "". - # leaderElectionLockName: "nginx-ingress-leader-election" + leaderElectionLockName: "nginx-ingress-leader-election" ## The annotations of the leader election configmap. annotations: {} diff --git a/config/base/kustomization.yaml b/config/base/kustomization.yaml new file mode 100644 index 0000000000..f3639e3726 --- /dev/null +++ b/config/base/kustomization.yaml @@ -0,0 +1,5 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: +- deploy.yaml +- namespace.yaml diff --git a/config/base/namespace.yaml b/config/base/namespace.yaml new file mode 100644 index 0000000000..4b60fec13d --- /dev/null +++ b/config/base/namespace.yaml @@ -0,0 +1,4 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: nginx-ingress diff --git a/config/crd/app-protect-dos/kustomization.yaml b/config/crd/app-protect-dos/kustomization.yaml new file mode 100644 index 0000000000..f8dcb8ae0a --- /dev/null +++ b/config/crd/app-protect-dos/kustomization.yaml @@ -0,0 +1,6 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: +- ../bases/appprotectdos.f5.com_apdoslogconfs.yaml +- ../bases/appprotectdos.f5.com_apdospolicy.yaml +- ../bases/appprotectdos.f5.com_dosprotectedresources.yaml 
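Review bot: `name: nginx-ingress` and `leaderElectionLockName: "nginx-ingress-leader-election"` turn previously autogenerated, per-release names into fixed defaults, so two releases of the chart in the same namespace would now try to create the same ServiceAccount and leader-election ConfigMap, which Helm rejects as resources owned by another release; anyone running several controllers per namespace must now override both values. The comment above the service-account name still reads `## Autogenerated if not set or set to "".`, which no longer describes the default — change it to `## Defaults to "nginx-ingress"; set to "" to autogenerate a per-release name.` (assuming the `_helpers.tpl` fallback on an empty string is still in place, which is outside this hunk). The lock name's autogeneration comment was deleted rather than updated, so the same wording belongs there too.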
diff --git a/config/crd/app-protect-waf/kustomization.yaml b/config/crd/app-protect-waf/kustomization.yaml
new file mode 100644
index 0000000000..1ee28ecbd4
--- /dev/null
+++ b/config/crd/app-protect-waf/kustomization.yaml
@@ -0,0 +1,6 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ../bases/appprotect.f5.com_aplogconfs.yaml
+- ../bases/appprotect.f5.com_appolicies.yaml
+- ../bases/appprotect.f5.com_apusersigs.yaml
diff --git a/deployments/common/crds/appprotect.f5.com_aplogconfs.yaml b/config/crd/bases/appprotect.f5.com_aplogconfs.yaml
similarity index 100%
rename from deployments/common/crds/appprotect.f5.com_aplogconfs.yaml
rename to config/crd/bases/appprotect.f5.com_aplogconfs.yaml
diff --git a/deployments/common/crds/appprotect.f5.com_appolicies.yaml b/config/crd/bases/appprotect.f5.com_appolicies.yaml
similarity index 100%
rename from deployments/common/crds/appprotect.f5.com_appolicies.yaml
rename to config/crd/bases/appprotect.f5.com_appolicies.yaml
diff --git a/deployments/common/crds/appprotect.f5.com_apusersigs.yaml b/config/crd/bases/appprotect.f5.com_apusersigs.yaml
similarity index 100%
rename from deployments/common/crds/appprotect.f5.com_apusersigs.yaml
rename to config/crd/bases/appprotect.f5.com_apusersigs.yaml
diff --git a/deployments/common/crds/appprotectdos.f5.com_apdoslogconfs.yaml b/config/crd/bases/appprotectdos.f5.com_apdoslogconfs.yaml
similarity index 100%
rename from deployments/common/crds/appprotectdos.f5.com_apdoslogconfs.yaml
rename to config/crd/bases/appprotectdos.f5.com_apdoslogconfs.yaml
diff --git a/deployments/common/crds/appprotectdos.f5.com_apdospolicy.yaml b/config/crd/bases/appprotectdos.f5.com_apdospolicy.yaml
similarity index 100%
rename from deployments/common/crds/appprotectdos.f5.com_apdospolicy.yaml
rename to config/crd/bases/appprotectdos.f5.com_apdospolicy.yaml
diff --git a/config/crd/bases/appprotectdos.f5.com_dosprotectedresources.yaml b/config/crd/bases/appprotectdos.f5.com_dosprotectedresources.yaml
new file mode 100644
index 0000000000..34d85433fe
--- /dev/null
+++ b/config/crd/bases/appprotectdos.f5.com_dosprotectedresources.yaml
@@ -0,0 +1,98 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.13.0 + name: dosprotectedresources.appprotectdos.f5.com +spec: + group: appprotectdos.f5.com + names: + kind: DosProtectedResource + listKind: DosProtectedResourceList + plural: dosprotectedresources + shortNames: + - pr + singular: dosprotectedresource + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + description: DosProtectedResource defines a Dos protected resource. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: DosProtectedResourceSpec defines the properties and values + a DosProtectedResource can have. + properties: + apDosMonitor: + description: 'ApDosMonitor is how NGINX App Protect DoS monitors the + stress level of the protected object. The monitor requests are sent + from localhost (127.0.0.1). Default value: URI - None, protocol + - http1, timeout - NGINX App Protect DoS default.' + properties: + protocol: + description: Protocol determines if the server listens on http1 + / http2 / grpc / websocket. The default is http1. 
+ enum: + - http1 + - http2 + - grpc + - websocket + type: string + timeout: + description: Timeout determines how long (in seconds) should NGINX + App Protect DoS wait for a response. Default is 10 seconds for + http1/http2 and 5 seconds for grpc. + format: int64 + type: integer + uri: + description: 'URI is the destination to the desired protected + object in the nginx.conf:' + type: string + type: object + apDosPolicy: + description: ApDosPolicy is the namespace/name of a ApDosPolicy resource + type: string + dosAccessLogDest: + description: DosAccessLogDest is the network address for the access + logs + type: string + dosSecurityLog: + description: DosSecurityLog defines the security log of the DosProtectedResource. + properties: + apDosLogConf: + description: ApDosLogConf is the namespace/name of a APDosLogConf + resource + type: string + dosLogDest: + description: DosLogDest is the network address of a logging service, + can be either IP or DNS name. + type: string + enable: + description: Enable enables the security logging feature if set + to true + type: boolean + type: object + enable: + description: Enable enables the DOS feature if set to true + type: boolean + name: + description: Name is the name of protected object, max of 63 characters. + type: string + type: object + type: object + served: true + storage: true diff --git a/config/crd/bases/externaldns.nginx.org_dnsendpoints.yaml b/config/crd/bases/externaldns.nginx.org_dnsendpoints.yaml new file mode 100644 index 0000000000..54d27d796e --- /dev/null +++ b/config/crd/bases/externaldns.nginx.org_dnsendpoints.yaml 
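Review bot: The schema describes `spec.name` as "max of 63 characters" but carries no `maxLength`, and `apDosMonitor.timeout` plus the `dosLogDest`/`dosAccessLogDest` addresses are unconstrained, so the API server admits values the controller would presumably have to reject later at reconcile time, where the error is far less visible to the user. Since this file is generated by controller-gen (v0.13.0 per the annotation), the fix belongs on the Go types under `pkg/apis`, e.g. `// +kubebuilder:validation:MaxLength=63` on the `Name` field and `// +kubebuilder:validation:Minimum=1` on `Timeout`, followed by `make update-crds`. The `uri` description ends mid-sentence (`in the nginx.conf:`), which is inherited from the same Go doc comment. The short name `pr` is generic enough to collide with other CRDs that register it (Tekton's PipelineRun does), making `kubectl get pr` ambiguous on shared clusters; a more specific short name such as `dospr` would avoid that.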
@@ -0,0 +1,92 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.13.0 + name: dnsendpoints.externaldns.nginx.org +spec: + group: externaldns.nginx.org + names: + kind: DNSEndpoint + listKind: DNSEndpointList + plural: dnsendpoints + singular: dnsendpoint + scope: Namespaced + versions: + - name: v1 + schema: + openAPIV3Schema: + description: DNSEndpoint is the CRD wrapper for Endpoint + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: DNSEndpointSpec holds information about endpoints. + properties: + endpoints: + items: + description: Endpoint describes DNS Endpoint. + properties: + dnsName: + description: The hostname for the DNS record + type: string + labels: + additionalProperties: + type: string + description: Labels stores labels defined for the Endpoint + type: object + providerSpecific: + description: ProviderSpecific stores provider specific config + items: + description: ProviderSpecificProperty represents provider + specific config property. 
+ properties: + name: + description: Name of the property + type: string + value: + description: Value of the property + type: string + type: object + type: array + recordTTL: + description: TTL for the record + format: int64 + type: integer + recordType: + description: RecordType type of record, e.g. CNAME, A, SRV, + TXT, MX + type: string + targets: + description: The targets the DNS service points to + items: + type: string + type: array + type: object + type: array + type: object + status: + description: DNSEndpointStatus represents generation observed by the external + dns controller. + properties: + observedGeneration: + description: The generation observed by by the external-dns controller. + format: int64 + type: integer + type: object + type: object + served: true + storage: true + subresources: + status: {} diff --git a/config/crd/bases/k8s.nginx.org_globalconfigurations.yaml b/config/crd/bases/k8s.nginx.org_globalconfigurations.yaml new file mode 100644 index 0000000000..2da90682a3 --- /dev/null +++ b/config/crd/bases/k8s.nginx.org_globalconfigurations.yaml 
@@ -0,0 +1,55 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.13.0 + name: globalconfigurations.k8s.nginx.org +spec: + group: k8s.nginx.org + names: + kind: GlobalConfiguration + listKind: GlobalConfigurationList + plural: globalconfigurations + shortNames: + - gc + singular: globalconfiguration + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: GlobalConfiguration defines the GlobalConfiguration resource. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: GlobalConfigurationSpec is the spec of the GlobalConfiguration + resource. + properties: + listeners: + items: + description: Listener defines a listener. + properties: + name: + type: string + port: + type: integer + protocol: + type: string + type: object + type: array + type: object + type: object + served: true + storage: true diff --git a/config/crd/bases/k8s.nginx.org_policies.yaml b/config/crd/bases/k8s.nginx.org_policies.yaml new file mode 100644 index 0000000000..59bc5cb9d4 --- /dev/null +++ b/config/crd/bases/k8s.nginx.org_policies.yaml 
@@ -0,0 +1,322 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.13.0 + name: policies.k8s.nginx.org +spec: + group: k8s.nginx.org + names: + kind: Policy + listKind: PolicyList + plural: policies + shortNames: + - pol + singular: policy + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: Current state of the Policy. If the resource has a valid status, + it means it has been validated and accepted by the Ingress Controller. + jsonPath: .status.state + name: State + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: Policy defines a Policy for VirtualServer and VirtualServerRoute + resources. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: PolicySpec is the spec of the Policy resource. The spec includes + multiple fields, where each field represents a different policy. Only + one policy (field) is allowed. + properties: + accessControl: + description: AccessControl defines an access policy based on the source + IP of a request. 
+ properties: + allow: + items: + type: string + type: array + deny: + items: + type: string + type: array + type: object + basicAuth: + description: 'BasicAuth holds HTTP Basic authentication configuration + policy status: preview' + properties: + realm: + type: string + secret: + type: string + type: object + egressMTLS: + description: EgressMTLS defines an Egress MTLS policy. + properties: + ciphers: + type: string + protocols: + type: string + serverName: + type: boolean + sessionReuse: + type: boolean + sslName: + type: string + tlsSecret: + type: string + trustedCertSecret: + type: string + verifyDepth: + type: integer + verifyServer: + type: boolean + type: object + ingressClassName: + type: string + ingressMTLS: + description: IngressMTLS defines an Ingress MTLS policy. + properties: + clientCertSecret: + type: string + crlFileName: + type: string + verifyClient: + type: string + verifyDepth: + type: integer + type: object + jwt: + description: JWTAuth holds JWT authentication configuration. + properties: + jwksURI: + type: string + keyCache: + type: string + realm: + type: string + secret: + type: string + token: + type: string + type: object + oidc: + description: OIDC defines an Open ID Connect policy. + properties: + accessTokenEnable: + type: boolean + authEndpoint: + type: string + authExtraArgs: + items: + type: string + type: array + clientID: + type: string + clientSecret: + type: string + jwksURI: + type: string + redirectURI: + type: string + scope: + type: string + tokenEndpoint: + type: string + zoneSyncLeeway: + type: integer + type: object + rateLimit: + description: RateLimit defines a rate limit policy. + properties: + burst: + type: integer + delay: + type: integer + dryRun: + type: boolean + key: + type: string + logLevel: + type: string + noDelay: + type: boolean + rate: + type: string + rejectCode: + type: integer + zoneSize: + type: string + type: object + waf: + description: WAF defines an WAF policy. 
+ properties: + apBundle: + type: string + apPolicy: + type: string + enable: + type: boolean + securityLog: + description: SecurityLog defines the security log of a WAF policy. + properties: + apLogConf: + type: string + enable: + type: boolean + logDest: + type: string + type: object + securityLogs: + items: + description: SecurityLog defines the security log of a WAF policy. + properties: + apLogConf: + type: string + enable: + type: boolean + logDest: + type: string + type: object + type: array + type: object + type: object + status: + description: PolicyStatus is the status of the policy resource + properties: + message: + type: string + reason: + type: string + state: + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} + - name: v1alpha1 + schema: + openAPIV3Schema: + description: Policy defines a Policy for VirtualServer and VirtualServerRoute + resources. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: PolicySpec is the spec of the Policy resource. The spec includes + multiple fields, where each field represents a different policy. Only + one policy (field) is allowed. + properties: + accessControl: + description: AccessControl defines an access policy based on the source + IP of a request. 
+ properties: + allow: + items: + type: string + type: array + deny: + items: + type: string + type: array + type: object + egressMTLS: + description: EgressMTLS defines an Egress MTLS policy. + properties: + ciphers: + type: string + protocols: + type: string + serverName: + type: boolean + sessionReuse: + type: boolean + sslName: + type: string + tlsSecret: + type: string + trustedCertSecret: + type: string + verifyDepth: + type: integer + verifyServer: + type: boolean + type: object + ingressMTLS: + description: IngressMTLS defines an Ingress MTLS policy. + properties: + clientCertSecret: + type: string + verifyClient: + type: string + verifyDepth: + type: integer + type: object + jwt: + description: JWTAuth holds JWT authentication configuration. + properties: + realm: + type: string + secret: + type: string + token: + type: string + type: object + rateLimit: + description: RateLimit defines a rate limit policy. + properties: + burst: + type: integer + delay: + type: integer + dryRun: + type: boolean + key: + type: string + logLevel: + type: string + noDelay: + type: boolean + rate: + type: string + rejectCode: + type: integer + zoneSize: + type: string + type: object + type: object + type: object + served: true + storage: false diff --git a/config/crd/bases/k8s.nginx.org_transportservers.yaml b/config/crd/bases/k8s.nginx.org_transportservers.yaml new file mode 100644 index 0000000000..1a8740cc0d --- /dev/null +++ b/config/crd/bases/k8s.nginx.org_transportservers.yaml 
@@ -0,0 +1,165 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.13.0 + name: transportservers.k8s.nginx.org +spec: + group: k8s.nginx.org + names: + kind: TransportServer + listKind: TransportServerList + plural: transportservers + shortNames: + - ts + singular: transportserver + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: Current state of the TransportServer. If the resource has a valid + status, it means it has been validated and accepted by the Ingress Controller. + jsonPath: .status.state + name: State + type: string + - jsonPath: .status.reason + name: Reason + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: TransportServer defines the TransportServer resource. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: TransportServerSpec is the spec of the TransportServer resource. + properties: + action: + description: Action defines an action. + properties: + pass: + type: string + type: object + host: + type: string + ingressClassName: + type: string + listener: + description: TransportServerListener defines a listener for a TransportServer. 
+ properties: + name: + type: string + protocol: + type: string + type: object + serverSnippets: + type: string + sessionParameters: + description: SessionParameters defines session parameters. + properties: + timeout: + type: string + type: object + streamSnippets: + type: string + tls: + description: TLS defines TLS configuration for a TransportServer. + properties: + secret: + type: string + type: object + upstreamParameters: + description: UpstreamParameters defines parameters for an upstream. + properties: + connectTimeout: + type: string + nextUpstream: + type: boolean + nextUpstreamTimeout: + type: string + nextUpstreamTries: + type: integer + udpRequests: + type: integer + udpResponses: + type: integer + type: object + upstreams: + items: + description: Upstream defines an upstream. + properties: + failTimeout: + type: string + healthCheck: + description: HealthCheck defines the parameters for active Upstream + HealthChecks. + properties: + enable: + type: boolean + fails: + type: integer + interval: + type: string + jitter: + type: string + match: + description: Match defines the parameters of a custom health + check. + properties: + expect: + type: string + send: + type: string + type: object + passes: + type: integer + port: + type: integer + timeout: + type: string + type: object + loadBalancingMethod: + type: string + maxConns: + type: integer + maxFails: + type: integer + name: + type: string + port: + type: integer + service: + type: string + type: object + type: array + type: object + status: + description: TransportServerStatus defines the status for the TransportServer + resource. + properties: + message: + type: string + reason: + type: string + state: + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} diff --git a/config/crd/bases/k8s.nginx.org_virtualserverroutes.yaml b/config/crd/bases/k8s.nginx.org_virtualserverroutes.yaml new file mode 100644 index 0000000000..d0701fa5c6 --- /dev/null 
+++ b/config/crd/bases/k8s.nginx.org_virtualserverroutes.yaml 
@@ -0,0 +1,680 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.13.0 + name: virtualserverroutes.k8s.nginx.org +spec: + group: k8s.nginx.org + names: + kind: VirtualServerRoute + listKind: VirtualServerRouteList + plural: virtualserverroutes + shortNames: + - vsr + singular: virtualserverroute + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: Current state of the VirtualServerRoute. If the resource has a + valid status, it means it has been validated and accepted by the Ingress Controller. + jsonPath: .status.state + name: State + type: string + - jsonPath: .spec.host + name: Host + type: string + - jsonPath: .status.externalEndpoints[*].ip + name: IP + type: string + - jsonPath: .status.externalEndpoints[*].hostname + name: ExternalHostname + priority: 1 + type: string + - jsonPath: .status.externalEndpoints[*].ports + name: Ports + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: VirtualServerRoute defines the VirtualServerRoute resource. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: VirtualServerRouteSpec is the spec of the VirtualServerRoute + resource. 
+ properties: + host: + type: string + ingressClassName: + type: string + subroutes: + items: + description: Route defines a route. + properties: + action: + description: Action defines an action. + properties: + pass: + type: string + proxy: + description: ActionProxy defines a proxy in an Action. + properties: + requestHeaders: + description: ProxyRequestHeaders defines the request + headers manipulation in an ActionProxy. + properties: + pass: + type: boolean + set: + items: + description: Header defines an HTTP Header. + properties: + name: + type: string + value: + type: string + type: object + type: array + type: object + responseHeaders: + description: ProxyResponseHeaders defines the response + headers manipulation in an ActionProxy. + properties: + add: + items: + description: AddHeader defines an HTTP Header + with an optional Always field to use with the + add_header NGINX directive. + properties: + always: + type: boolean + name: + type: string + value: + type: string + type: object + type: array + hide: + items: + type: string + type: array + ignore: + items: + type: string + type: array + pass: + items: + type: string + type: array + type: object + rewritePath: + type: string + upstream: + type: string + type: object + redirect: + description: ActionRedirect defines a redirect in an Action. + properties: + code: + type: integer + url: + type: string + type: object + return: + description: ActionReturn defines a return in an Action. + properties: + body: + type: string + code: + type: integer + type: + type: string + type: object + type: object + dos: + type: string + errorPages: + items: + description: ErrorPage defines an ErrorPage in a Route. + properties: + codes: + items: + type: integer + type: array + redirect: + description: ErrorPageRedirect defines a redirect for + an ErrorPage. + properties: + code: + type: integer + url: + type: string + type: object + return: + description: ErrorPageReturn defines a return for an ErrorPage. 
+ properties: + body: + type: string + code: + type: integer + headers: + items: + description: Header defines an HTTP Header. + properties: + name: + type: string + value: + type: string + type: object + type: array + type: + type: string + type: object + type: object + type: array + location-snippets: + type: string + matches: + items: + description: Match defines a match. + properties: + action: + description: Action defines an action. + properties: + pass: + type: string + proxy: + description: ActionProxy defines a proxy in an Action. + properties: + requestHeaders: + description: ProxyRequestHeaders defines the request + headers manipulation in an ActionProxy. + properties: + pass: + type: boolean + set: + items: + description: Header defines an HTTP Header. + properties: + name: + type: string + value: + type: string + type: object + type: array + type: object + responseHeaders: + description: ProxyResponseHeaders defines the + response headers manipulation in an ActionProxy. + properties: + add: + items: + description: AddHeader defines an HTTP Header + with an optional Always field to use with + the add_header NGINX directive. + properties: + always: + type: boolean + name: + type: string + value: + type: string + type: object + type: array + hide: + items: + type: string + type: array + ignore: + items: + type: string + type: array + pass: + items: + type: string + type: array + type: object + rewritePath: + type: string + upstream: + type: string + type: object + redirect: + description: ActionRedirect defines a redirect in + an Action. + properties: + code: + type: integer + url: + type: string + type: object + return: + description: ActionReturn defines a return in an Action. + properties: + body: + type: string + code: + type: integer + type: + type: string + type: object + type: object + conditions: + items: + description: Condition defines a condition in a MatchRule. 
+ properties: + argument: + type: string + cookie: + type: string + header: + type: string + value: + type: string + variable: + type: string + type: object + type: array + splits: + items: + description: Split defines a split. + properties: + action: + description: Action defines an action. + properties: + pass: + type: string + proxy: + description: ActionProxy defines a proxy in + an Action. + properties: + requestHeaders: + description: ProxyRequestHeaders defines + the request headers manipulation in an + ActionProxy. + properties: + pass: + type: boolean + set: + items: + description: Header defines an HTTP + Header. + properties: + name: + type: string + value: + type: string + type: object + type: array + type: object + responseHeaders: + description: ProxyResponseHeaders defines + the response headers manipulation in an + ActionProxy. + properties: + add: + items: + description: AddHeader defines an + HTTP Header with an optional Always + field to use with the add_header + NGINX directive. + properties: + always: + type: boolean + name: + type: string + value: + type: string + type: object + type: array + hide: + items: + type: string + type: array + ignore: + items: + type: string + type: array + pass: + items: + type: string + type: array + type: object + rewritePath: + type: string + upstream: + type: string + type: object + redirect: + description: ActionRedirect defines a redirect + in an Action. + properties: + code: + type: integer + url: + type: string + type: object + return: + description: ActionReturn defines a return in + an Action. + properties: + body: + type: string + code: + type: integer + type: + type: string + type: object + type: object + weight: + type: integer + type: object + type: array + type: object + type: array + path: + type: string + policies: + items: + description: PolicyReference references a policy by name and + an optional namespace. 
+ properties: + name: + type: string + namespace: + type: string + type: object + type: array + route: + type: string + splits: + items: + description: Split defines a split. + properties: + action: + description: Action defines an action. + properties: + pass: + type: string + proxy: + description: ActionProxy defines a proxy in an Action. + properties: + requestHeaders: + description: ProxyRequestHeaders defines the request + headers manipulation in an ActionProxy. + properties: + pass: + type: boolean + set: + items: + description: Header defines an HTTP Header. + properties: + name: + type: string + value: + type: string + type: object + type: array + type: object + responseHeaders: + description: ProxyResponseHeaders defines the + response headers manipulation in an ActionProxy. + properties: + add: + items: + description: AddHeader defines an HTTP Header + with an optional Always field to use with + the add_header NGINX directive. + properties: + always: + type: boolean + name: + type: string + value: + type: string + type: object + type: array + hide: + items: + type: string + type: array + ignore: + items: + type: string + type: array + pass: + items: + type: string + type: array + type: object + rewritePath: + type: string + upstream: + type: string + type: object + redirect: + description: ActionRedirect defines a redirect in + an Action. + properties: + code: + type: integer + url: + type: string + type: object + return: + description: ActionReturn defines a return in an Action. + properties: + body: + type: string + code: + type: integer + type: + type: string + type: object + type: object + weight: + type: integer + type: object + type: array + type: object + type: array + upstreams: + items: + description: Upstream defines an upstream. + properties: + buffer-size: + type: string + buffering: + type: boolean + buffers: + description: UpstreamBuffers defines Buffer Configuration for + an Upstream. 
+ properties: + number: + type: integer + size: + type: string + type: object + client-max-body-size: + type: string + connect-timeout: + type: string + fail-timeout: + type: string + healthCheck: + description: HealthCheck defines the parameters for active Upstream + HealthChecks. + properties: + connect-timeout: + type: string + enable: + type: boolean + fails: + type: integer + grpcService: + type: string + grpcStatus: + type: integer + headers: + items: + description: Header defines an HTTP Header. + properties: + name: + type: string + value: + type: string + type: object + type: array + interval: + type: string + jitter: + type: string + keepalive-time: + type: string + mandatory: + type: boolean + passes: + type: integer + path: + type: string + persistent: + type: boolean + port: + type: integer + read-timeout: + type: string + send-timeout: + type: string + statusMatch: + type: string + tls: + description: UpstreamTLS defines a TLS configuration for + an Upstream. + properties: + enable: + type: boolean + type: object + type: object + keepalive: + type: integer + lb-method: + type: string + max-conns: + type: integer + max-fails: + type: integer + name: + type: string + next-upstream: + type: string + next-upstream-timeout: + type: string + next-upstream-tries: + type: integer + ntlm: + type: boolean + port: + type: integer + queue: + description: UpstreamQueue defines Queue Configuration for an + Upstream. + properties: + size: + type: integer + timeout: + type: string + type: object + read-timeout: + type: string + send-timeout: + type: string + service: + type: string + sessionCookie: + description: SessionCookie defines the parameters for session + persistence. 
+ properties: + domain: + type: string + enable: + type: boolean + expires: + type: string + httpOnly: + type: boolean + name: + type: string + path: + type: string + samesite: + type: string + secure: + type: boolean + type: object + slow-start: + type: string + subselector: + additionalProperties: + type: string + type: object + tls: + description: UpstreamTLS defines a TLS configuration for an + Upstream. + properties: + enable: + type: boolean + type: object + type: + type: string + use-cluster-ip: + type: boolean + type: object + type: array + type: object + status: + description: VirtualServerRouteStatus defines the status for the VirtualServerRoute + resource. + properties: + externalEndpoints: + items: + description: ExternalEndpoint defines the IP/ Hostname and ports + used to connect to this resource. + properties: + hostname: + type: string + ip: + type: string + ports: + type: string + type: object + type: array + message: + type: string + reason: + type: string + referencedBy: + type: string + state: + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} diff --git a/config/crd/bases/k8s.nginx.org_virtualservers.yaml b/config/crd/bases/k8s.nginx.org_virtualservers.yaml new file mode 100644 index 0000000000..dcbfe17dff --- /dev/null +++ b/config/crd/bases/k8s.nginx.org_virtualservers.yaml 
@@ -0,0 +1,768 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.13.0 + name: virtualservers.k8s.nginx.org +spec: + group: k8s.nginx.org + names: + kind: VirtualServer + listKind: VirtualServerList + plural: virtualservers + shortNames: + - vs + singular: virtualserver + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: Current state of the VirtualServer. If the resource has a valid + status, it means it has been validated and accepted by the Ingress Controller. + jsonPath: .status.state + name: State + type: string + - jsonPath: .spec.host + name: Host + type: string + - jsonPath: .status.externalEndpoints[*].ip + name: IP + type: string + - jsonPath: .status.externalEndpoints[*].hostname + name: ExternalHostname + priority: 1 + type: string + - jsonPath: .status.externalEndpoints[*].ports + name: Ports + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: VirtualServer defines the VirtualServer resource. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: VirtualServerSpec is the spec of the VirtualServer resource. 
+ properties: + dos: + type: string + externalDNS: + description: ExternalDNS defines externaldns sub-resource of a virtual + server. + properties: + enable: + type: boolean + labels: + additionalProperties: + type: string + description: Labels stores labels defined for the Endpoint + type: object + providerSpecific: + description: ProviderSpecific stores provider specific config + items: + description: ProviderSpecificProperty defines specific property + for using with ExternalDNS sub-resource. + properties: + name: + description: Name of the property + type: string + value: + description: Value of the property + type: string + type: object + type: array + recordTTL: + description: TTL for the record + format: int64 + type: integer + recordType: + type: string + type: object + gunzip: + type: boolean + host: + type: string + http-snippets: + type: string + ingressClassName: + type: string + internalRoute: + description: InternalRoute allows for the configuration of internal + routing. + type: boolean + policies: + items: + description: PolicyReference references a policy by name and an + optional namespace. + properties: + name: + type: string + namespace: + type: string + type: object + type: array + routes: + items: + description: Route defines a route. + properties: + action: + description: Action defines an action. + properties: + pass: + type: string + proxy: + description: ActionProxy defines a proxy in an Action. + properties: + requestHeaders: + description: ProxyRequestHeaders defines the request + headers manipulation in an ActionProxy. + properties: + pass: + type: boolean + set: + items: + description: Header defines an HTTP Header. + properties: + name: + type: string + value: + type: string + type: object + type: array + type: object + responseHeaders: + description: ProxyResponseHeaders defines the response + headers manipulation in an ActionProxy. 
+ properties: + add: + items: + description: AddHeader defines an HTTP Header + with an optional Always field to use with the + add_header NGINX directive. + properties: + always: + type: boolean + name: + type: string + value: + type: string + type: object + type: array + hide: + items: + type: string + type: array + ignore: + items: + type: string + type: array + pass: + items: + type: string + type: array + type: object + rewritePath: + type: string + upstream: + type: string + type: object + redirect: + description: ActionRedirect defines a redirect in an Action. + properties: + code: + type: integer + url: + type: string + type: object + return: + description: ActionReturn defines a return in an Action. + properties: + body: + type: string + code: + type: integer + type: + type: string + type: object + type: object + dos: + type: string + errorPages: + items: + description: ErrorPage defines an ErrorPage in a Route. + properties: + codes: + items: + type: integer + type: array + redirect: + description: ErrorPageRedirect defines a redirect for + an ErrorPage. + properties: + code: + type: integer + url: + type: string + type: object + return: + description: ErrorPageReturn defines a return for an ErrorPage. + properties: + body: + type: string + code: + type: integer + headers: + items: + description: Header defines an HTTP Header. + properties: + name: + type: string + value: + type: string + type: object + type: array + type: + type: string + type: object + type: object + type: array + location-snippets: + type: string + matches: + items: + description: Match defines a match. + properties: + action: + description: Action defines an action. + properties: + pass: + type: string + proxy: + description: ActionProxy defines a proxy in an Action. + properties: + requestHeaders: + description: ProxyRequestHeaders defines the request + headers manipulation in an ActionProxy. 
+ properties: + pass: + type: boolean + set: + items: + description: Header defines an HTTP Header. + properties: + name: + type: string + value: + type: string + type: object + type: array + type: object + responseHeaders: + description: ProxyResponseHeaders defines the + response headers manipulation in an ActionProxy. + properties: + add: + items: + description: AddHeader defines an HTTP Header + with an optional Always field to use with + the add_header NGINX directive. + properties: + always: + type: boolean + name: + type: string + value: + type: string + type: object + type: array + hide: + items: + type: string + type: array + ignore: + items: + type: string + type: array + pass: + items: + type: string + type: array + type: object + rewritePath: + type: string + upstream: + type: string + type: object + redirect: + description: ActionRedirect defines a redirect in + an Action. + properties: + code: + type: integer + url: + type: string + type: object + return: + description: ActionReturn defines a return in an Action. + properties: + body: + type: string + code: + type: integer + type: + type: string + type: object + type: object + conditions: + items: + description: Condition defines a condition in a MatchRule. + properties: + argument: + type: string + cookie: + type: string + header: + type: string + value: + type: string + variable: + type: string + type: object + type: array + splits: + items: + description: Split defines a split. + properties: + action: + description: Action defines an action. + properties: + pass: + type: string + proxy: + description: ActionProxy defines a proxy in + an Action. + properties: + requestHeaders: + description: ProxyRequestHeaders defines + the request headers manipulation in an + ActionProxy. + properties: + pass: + type: boolean + set: + items: + description: Header defines an HTTP + Header. 
+ properties: + name: + type: string + value: + type: string + type: object + type: array + type: object + responseHeaders: + description: ProxyResponseHeaders defines + the response headers manipulation in an + ActionProxy. + properties: + add: + items: + description: AddHeader defines an + HTTP Header with an optional Always + field to use with the add_header + NGINX directive. + properties: + always: + type: boolean + name: + type: string + value: + type: string + type: object + type: array + hide: + items: + type: string + type: array + ignore: + items: + type: string + type: array + pass: + items: + type: string + type: array + type: object + rewritePath: + type: string + upstream: + type: string + type: object + redirect: + description: ActionRedirect defines a redirect + in an Action. + properties: + code: + type: integer + url: + type: string + type: object + return: + description: ActionReturn defines a return in + an Action. + properties: + body: + type: string + code: + type: integer + type: + type: string + type: object + type: object + weight: + type: integer + type: object + type: array + type: object + type: array + path: + type: string + policies: + items: + description: PolicyReference references a policy by name and + an optional namespace. + properties: + name: + type: string + namespace: + type: string + type: object + type: array + route: + type: string + splits: + items: + description: Split defines a split. + properties: + action: + description: Action defines an action. + properties: + pass: + type: string + proxy: + description: ActionProxy defines a proxy in an Action. + properties: + requestHeaders: + description: ProxyRequestHeaders defines the request + headers manipulation in an ActionProxy. + properties: + pass: + type: boolean + set: + items: + description: Header defines an HTTP Header. 
+ properties: + name: + type: string + value: + type: string + type: object + type: array + type: object + responseHeaders: + description: ProxyResponseHeaders defines the + response headers manipulation in an ActionProxy. + properties: + add: + items: + description: AddHeader defines an HTTP Header + with an optional Always field to use with + the add_header NGINX directive. + properties: + always: + type: boolean + name: + type: string + value: + type: string + type: object + type: array + hide: + items: + type: string + type: array + ignore: + items: + type: string + type: array + pass: + items: + type: string + type: array + type: object + rewritePath: + type: string + upstream: + type: string + type: object + redirect: + description: ActionRedirect defines a redirect in + an Action. + properties: + code: + type: integer + url: + type: string + type: object + return: + description: ActionReturn defines a return in an Action. + properties: + body: + type: string + code: + type: integer + type: + type: string + type: object + type: object + weight: + type: integer + type: object + type: array + type: object + type: array + server-snippets: + type: string + tls: + description: TLS defines TLS configuration for a VirtualServer. + properties: + cert-manager: + description: CertManager defines a cert manager config for a TLS. + properties: + cluster-issuer: + type: string + common-name: + type: string + duration: + type: string + issuer: + type: string + issuer-group: + type: string + issuer-kind: + type: string + renew-before: + type: string + usages: + type: string + type: object + redirect: + description: TLSRedirect defines a redirect for a TLS. + properties: + basedOn: + type: string + code: + type: integer + enable: + type: boolean + type: object + secret: + type: string + type: object + upstreams: + items: + description: Upstream defines an upstream. 
+ properties: + buffer-size: + type: string + buffering: + type: boolean + buffers: + description: UpstreamBuffers defines Buffer Configuration for + an Upstream. + properties: + number: + type: integer + size: + type: string + type: object + client-max-body-size: + type: string + connect-timeout: + type: string + fail-timeout: + type: string + healthCheck: + description: HealthCheck defines the parameters for active Upstream + HealthChecks. + properties: + connect-timeout: + type: string + enable: + type: boolean + fails: + type: integer + grpcService: + type: string + grpcStatus: + type: integer + headers: + items: + description: Header defines an HTTP Header. + properties: + name: + type: string + value: + type: string + type: object + type: array + interval: + type: string + jitter: + type: string + keepalive-time: + type: string + mandatory: + type: boolean + passes: + type: integer + path: + type: string + persistent: + type: boolean + port: + type: integer + read-timeout: + type: string + send-timeout: + type: string + statusMatch: + type: string + tls: + description: UpstreamTLS defines a TLS configuration for + an Upstream. + properties: + enable: + type: boolean + type: object + type: object + keepalive: + type: integer + lb-method: + type: string + max-conns: + type: integer + max-fails: + type: integer + name: + type: string + next-upstream: + type: string + next-upstream-timeout: + type: string + next-upstream-tries: + type: integer + ntlm: + type: boolean + port: + type: integer + queue: + description: UpstreamQueue defines Queue Configuration for an + Upstream. + properties: + size: + type: integer + timeout: + type: string + type: object + read-timeout: + type: string + send-timeout: + type: string + service: + type: string + sessionCookie: + description: SessionCookie defines the parameters for session + persistence. 
+ properties: + domain: + type: string + enable: + type: boolean + expires: + type: string + httpOnly: + type: boolean + name: + type: string + path: + type: string + samesite: + type: string + secure: + type: boolean + type: object + slow-start: + type: string + subselector: + additionalProperties: + type: string + type: object + tls: + description: UpstreamTLS defines a TLS configuration for an + Upstream. + properties: + enable: + type: boolean + type: object + type: + type: string + use-cluster-ip: + type: boolean + type: object + type: array + type: object + status: + description: VirtualServerStatus defines the status for the VirtualServer + resource. + properties: + externalEndpoints: + items: + description: ExternalEndpoint defines the IP/ Hostname and ports + used to connect to this resource. + properties: + hostname: + type: string + ip: + type: string + ports: + type: string + type: object + type: array + message: + type: string + reason: + type: string + state: + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} diff --git a/config/crd/kustomization.yaml b/config/crd/kustomization.yaml new file mode 100644 index 0000000000..7336f9687f --- /dev/null +++ b/config/crd/kustomization.yaml @@ -0,0 +1,9 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: +- bases/externaldns.nginx.org_dnsendpoints.yaml +- bases/k8s.nginx.org_globalconfigurations.yaml +- bases/k8s.nginx.org_policies.yaml +- bases/k8s.nginx.org_transportservers.yaml +- bases/k8s.nginx.org_virtualserverroutes.yaml +- bases/k8s.nginx.org_virtualservers.yaml diff --git a/config/overlays/app-protect-dos/deployment.yaml b/config/overlays/app-protect-dos/deployment.yaml new file mode 100644 index 0000000000..3654af01a6 --- /dev/null +++ b/config/overlays/app-protect-dos/deployment.yaml 
@@ -0,0 +1,43 @@ +# This is generated from https://github.com/nginxinc/nap-dos-arbitrator-helm-chart +apiVersion: apps/v1 +kind: Deployment +metadata: + name: nginx-appprotect-dos-arbitrator + namespace: nginx-ingress + labels: + app.kubernetes.io/name: nginx-appprotect-dos-arbitrator + app.kubernetes.io/instance: nginx-appprotect-dos-arbitrator + app.kubernetes.io/version: "1.1.1" +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: nginx-appprotect-dos-arbitrator + app.kubernetes.io/instance: nginx-appprotect-dos-arbitrator + template: + metadata: + labels: + app.kubernetes.io/name: nginx-appprotect-dos-arbitrator + app.kubernetes.io/instance: nginx-appprotect-dos-arbitrator + spec: + serviceAccountName: default + securityContext: + {} + containers: + - name: nginx-appprotect-dos-arbitrator + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsUser: 1001 + image: "docker-registry.nginx.com/nap-dos/app_protect_dos_arb:1.1.1" + imagePullPolicy: IfNotPresent + ports: + - name: arb + containerPort: 3000 + protocol: TCP + resources: + limits: + cpu: 500m + memory: 128Mi diff --git a/config/overlays/app-protect-dos/kustomization.yaml b/config/overlays/app-protect-dos/kustomization.yaml new file mode 100644 index 0000000000..31cb687baf --- /dev/null +++ b/config/overlays/app-protect-dos/kustomization.yaml @@ -0,0 +1,9 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: +- ../../base +- deployment.yaml +- service.yaml +# - ../../crd/bases/appprotectdos.f5.com_apdoslogconfs.yaml +# - ../../crd/bases/appprotectdos.f5.com_apdospolicy.yaml +# - ../../crd/bases/appprotectdos.f5.com_dosprotectedresources.yaml diff --git a/config/overlays/app-protect-dos/service.yaml b/config/overlays/app-protect-dos/service.yaml new file mode 100644 index 0000000000..624f0eff6e --- /dev/null +++ b/config/overlays/app-protect-dos/service.yaml 
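Review bot: The arbitrator pod in the deployment.yaml hunk has an empty pod-level `securityContext: {}` and a container securityContext that sets `runAsUser: 1001` but neither `runAsNonRoot: true` nor a `seccompProfile`, whereas the ingress-controller Deployment added in the same commit (deploy/app-protect-dos/deploy.yaml) sets both `runAsNonRoot: true` and `seccompProfile: RuntimeDefault`. It also runs as `serviceAccountName: default` with no `automountServiceAccountToken: false`, so a container that shows no need to reach the API server still gets a projected token. The same settings recur in the arbitrator Deployment inside the generated deploy/app-protect-dos/deploy.yaml, and since the header comment says this file is generated from the upstream nap-dos-arbitrator chart, the change is best made there as well as here; whether the arbitrator also tolerates `readOnlyRootFilesystem: true` is not visible from this hunk and would need confirming before adding it.
```yaml
    spec:
      serviceAccountName: default
      automountServiceAccountToken: false
      securityContext:
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: nginx-appprotect-dos-arbitrator
          securityContext:
            # … unchanged: allowPrivilegeEscalation, capabilities …
            runAsNonRoot: true
            runAsUser: 1001
          # … unchanged: image, imagePullPolicy, ports, resources …
```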
@@ -0,0 +1,20 @@ +# This is generated from https://github.com/nginxinc/nap-dos-arbitrator-helm-chart +apiVersion: v1 +kind: Service +metadata: + name: nginx-appprotect-dos-arbitrator + namespace: nginx-ingress + labels: + app.kubernetes.io/name: nginx-appprotect-dos-arbitrator + app.kubernetes.io/instance: nginx-appprotect-dos-arbitrator + app.kubernetes.io/version: "1.1.1" +spec: + type: ClusterIP + ports: + - port: 3000 + targetPort: http + protocol: TCP + name: http + selector: + app.kubernetes.io/name: nginx-appprotect-dos-arbitrator + app.kubernetes.io/instance: nginx-appprotect-dos-arbitrator diff --git a/deployments/README.md b/deploy/README.md similarity index 100% rename from deployments/README.md rename to deploy/README.md diff --git a/deploy/app-protect-dos/deploy.yaml b/deploy/app-protect-dos/deploy.yaml new file mode 100644 index 0000000000..5eafe9ede0 --- /dev/null +++ b/deploy/app-protect-dos/deploy.yaml 
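Review bot: The Service's `targetPort: http` does not match the arbitrator container, whose only port in the deployment.yaml hunk just above is named `arb` (`containerPort: 3000`); a named targetPort is resolved against the pod's container port names, so as far as these two files show the endpoint for port 3000 would not be populated and the arbitrator would be unreachable through this Service. Either point the Service at the existing name, `targetPort: arb`, or rename the container port to `http` so both files agree. The same mismatch is present in the generated deploy/app-protect-dos/deploy.yaml (Service `targetPort: http`, Deployment port `name: arb`), which suggests the fix belongs in the source these manifests are generated from rather than in the rendered output alone.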
@@ -0,0 +1,400 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: nginx-ingress +--- +apiVersion: v1 +imagePullSecrets: +- name: nginx-registry-credentials +kind: ServiceAccount +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.2.1 + name: nginx-ingress + namespace: nginx-ingress +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.2.1 + name: nginx-ingress +rules: +- apiGroups: + - appprotectdos.f5.com + resources: + - apdospolicies + - apdoslogconfs + - dosprotectedresources + verbs: + - get + - watch + - list +- apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - services + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - update + - create +- apiGroups: + - "" + resources: + - pods + verbs: + - get + - list + - watch + - update +- apiGroups: + - "" + resources: + - namespaces + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch + - list +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - list + - watch + - update + - create +- apiGroups: + - networking.k8s.io + resources: + - ingresses + verbs: + - get + - list + - watch +- apiGroups: + - networking.k8s.io + resources: + - ingressclasses + verbs: + - get +- apiGroups: + - networking.k8s.io + resources: + - ingresses/status + verbs: + - update +- apiGroups: + - k8s.nginx.org + resources: + - virtualservers + - virtualserverroutes + - globalconfigurations + - transportservers + - policies + verbs: + - list + - watch + - get +- apiGroups: + - k8s.nginx.org 
+ resources: + - virtualservers/status + - virtualserverroutes/status + - policies/status + - transportservers/status + verbs: + - update +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.2.1 + name: nginx-ingress +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: nginx-ingress +subjects: +- kind: ServiceAccount + name: nginx-ingress + namespace: nginx-ingress +--- +apiVersion: v1 +data: null +kind: ConfigMap +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.2.1 + name: nginx-ingress + namespace: nginx-ingress +--- +apiVersion: v1 +kind: ConfigMap +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.2.1 + name: nginx-ingress-leader-election + namespace: nginx-ingress +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app.kubernetes.io/instance: nginx-appprotect-dos-arbitrator + app.kubernetes.io/name: nginx-appprotect-dos-arbitrator + app.kubernetes.io/version: 1.1.1 + name: nginx-appprotect-dos-arbitrator + namespace: nginx-ingress +spec: + ports: + - name: http + port: 3000 + protocol: TCP + targetPort: http + selector: + app.kubernetes.io/instance: nginx-appprotect-dos-arbitrator + app.kubernetes.io/name: nginx-appprotect-dos-arbitrator + type: ClusterIP +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.2.1 + name: nginx-ingress-controller + namespace: nginx-ingress +spec: + externalTrafficPolicy: Local + ports: + - name: http + port: 80 + protocol: TCP + targetPort: 80 + - name: https + port: 443 + protocol: TCP + targetPort: 443 + selector: + app.kubernetes.io/instance: nginx-ingress + 
app.kubernetes.io/name: nginx-ingress + type: LoadBalancer +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app.kubernetes.io/instance: nginx-appprotect-dos-arbitrator + app.kubernetes.io/name: nginx-appprotect-dos-arbitrator + app.kubernetes.io/version: 1.1.1 + name: nginx-appprotect-dos-arbitrator + namespace: nginx-ingress +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/instance: nginx-appprotect-dos-arbitrator + app.kubernetes.io/name: nginx-appprotect-dos-arbitrator + template: + metadata: + labels: + app.kubernetes.io/instance: nginx-appprotect-dos-arbitrator + app.kubernetes.io/name: nginx-appprotect-dos-arbitrator + spec: + containers: + - image: docker-registry.nginx.com/nap-dos/app_protect_dos_arb:1.1.1 + imagePullPolicy: IfNotPresent + name: nginx-appprotect-dos-arbitrator + ports: + - containerPort: 3000 + name: arb + protocol: TCP + resources: + limits: + cpu: 500m + memory: 128Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsUser: 1001 + securityContext: {} + serviceAccountName: default +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.2.1 + name: nginx-ingress-controller + namespace: nginx-ingress +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + template: + metadata: + annotations: + prometheus.io/port: "9113" + prometheus.io/scheme: http + prometheus.io/scrape: "true" + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + spec: + automountServiceAccountToken: true + containers: + - args: + - -nginx-plus=true + - -nginx-reload-timeout=60000 + - -enable-app-protect=false + - -enable-app-protect-dos=true + - -app-protect-dos-debug=false + - -app-protect-dos-max-daemons=0 + - -app-protect-dos-max-workers=0 + - 
-app-protect-dos-memory=0 + - -nginx-configmaps=$(POD_NAMESPACE)/nginx-ingress + - -ingress-class=nginx + - -health-status=false + - -health-status-uri=/nginx-health + - -nginx-debug=false + - -v=1 + - -nginx-status=true + - -nginx-status-port=8080 + - -nginx-status-allow-cidrs=127.0.0.1 + - -report-ingress-status + - -external-service=nginx-ingress-controller + - -enable-leader-election=true + - -leader-election-lock-name=nginx-ingress-leader-election + - -enable-prometheus-metrics=true + - -prometheus-metrics-listen-port=9113 + - -prometheus-tls-secret= + - -enable-service-insight=false + - -service-insight-listen-port=9114 + - -service-insight-tls-secret= + - -enable-custom-resources=true + - -enable-snippets=false + - -include-year=false + - -disable-ipv6=false + - -enable-tls-passthrough=false + - -enable-preview-policies=false + - -enable-cert-manager=false + - -enable-oidc=false + - -enable-external-dns=false + - -ready-status=true + - -ready-status-port=8081 + - -enable-latency-metrics=false + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + image: private-registry.nginx.com/nginx-ic-dos/nginx-plus-ingress:3.2.1 + imagePullPolicy: IfNotPresent + name: nginx-ingress + ports: + - containerPort: 80 + name: http + protocol: TCP + - containerPort: 443 + name: https + protocol: TCP + - containerPort: 9113 + name: prometheus + - containerPort: 8081 + name: readiness-port + readinessProbe: + httpGet: + path: /nginx-ready + port: readiness-port + initialDelaySeconds: 0 + periodSeconds: 1 + resources: + requests: + cpu: 100m + memory: 128Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - NET_BIND_SERVICE + drop: + - ALL + readOnlyRootFilesystem: false + runAsNonRoot: true + runAsUser: 101 + dnsPolicy: ClusterFirst + hostNetwork: false + securityContext: + seccompProfile: + type: RuntimeDefault + serviceAccountName: 
nginx-ingress + terminationGracePeriodSeconds: 30 +--- +apiVersion: networking.k8s.io/v1 +kind: IngressClass +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.2.1 + name: nginx +spec: + controller: nginx.org/ingress-controller diff --git a/deploy/app-protect-waf/deploy.yaml b/deploy/app-protect-waf/deploy.yaml new file mode 100644 index 0000000000..3719618033 --- /dev/null +++ b/deploy/app-protect-waf/deploy.yaml 
@@ -0,0 +1,335 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: nginx-ingress +--- +apiVersion: v1 +imagePullSecrets: +- name: nginx-registry-credentials +kind: ServiceAccount +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.2.1 + name: nginx-ingress + namespace: nginx-ingress +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.2.1 + name: nginx-ingress +rules: +- apiGroups: + - appprotect.f5.com + resources: + - appolicies + - aplogconfs + - apusersigs + verbs: + - get + - watch + - list +- apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - services + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - update + - create +- apiGroups: + - "" + resources: + - pods + verbs: + - get + - list + - watch + - update +- apiGroups: + - "" + resources: + - namespaces + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch + - list +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - list + - watch + - update + - create +- apiGroups: + - networking.k8s.io + resources: + - ingresses + verbs: + - get + - list + - watch +- apiGroups: + - networking.k8s.io + resources: + - ingressclasses + verbs: + - get +- apiGroups: + - networking.k8s.io + resources: + - ingresses/status + verbs: + - update +- apiGroups: + - k8s.nginx.org + resources: + - virtualservers + - virtualserverroutes + - globalconfigurations + - transportservers + - policies + verbs: + - list + - watch + - get +- apiGroups: + - k8s.nginx.org + resources: + - 
virtualservers/status + - virtualserverroutes/status + - policies/status + - transportservers/status + verbs: + - update +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.2.1 + name: nginx-ingress +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: nginx-ingress +subjects: +- kind: ServiceAccount + name: nginx-ingress + namespace: nginx-ingress +--- +apiVersion: v1 +data: null +kind: ConfigMap +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.2.1 + name: nginx-ingress + namespace: nginx-ingress +--- +apiVersion: v1 +kind: ConfigMap +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.2.1 + name: nginx-ingress-leader-election + namespace: nginx-ingress +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.2.1 + name: nginx-ingress-controller + namespace: nginx-ingress +spec: + externalTrafficPolicy: Local + ports: + - name: http + port: 80 + protocol: TCP + targetPort: 80 + - name: https + port: 443 + protocol: TCP + targetPort: 443 + selector: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + type: LoadBalancer +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.2.1 + name: nginx-ingress-controller + namespace: nginx-ingress +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + template: + metadata: + annotations: + prometheus.io/port: "9113" + 
prometheus.io/scheme: http + prometheus.io/scrape: "true" + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + spec: + automountServiceAccountToken: true + containers: + - args: + - -nginx-plus=true + - -nginx-reload-timeout=60000 + - -enable-app-protect=true + - -app-protect-log-level=error + - -enable-app-protect-dos=false + - -nginx-configmaps=$(POD_NAMESPACE)/nginx-ingress + - -ingress-class=nginx + - -health-status=false + - -health-status-uri=/nginx-health + - -nginx-debug=false + - -v=1 + - -nginx-status=true + - -nginx-status-port=8080 + - -nginx-status-allow-cidrs=127.0.0.1 + - -report-ingress-status + - -external-service=nginx-ingress-controller + - -enable-leader-election=true + - -leader-election-lock-name=nginx-ingress-leader-election + - -enable-prometheus-metrics=true + - -prometheus-metrics-listen-port=9113 + - -prometheus-tls-secret= + - -enable-service-insight=false + - -service-insight-listen-port=9114 + - -service-insight-tls-secret= + - -enable-custom-resources=true + - -enable-snippets=false + - -include-year=false + - -disable-ipv6=false + - -enable-tls-passthrough=false + - -enable-preview-policies=false + - -enable-cert-manager=false + - -enable-oidc=false + - -enable-external-dns=false + - -ready-status=true + - -ready-status-port=8081 + - -enable-latency-metrics=false + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + image: private-registry.nginx.com/nginx-ic-nap/nginx-plus-ingress:3.2.1 + imagePullPolicy: IfNotPresent + name: nginx-ingress + ports: + - containerPort: 80 + name: http + protocol: TCP + - containerPort: 443 + name: https + protocol: TCP + - containerPort: 9113 + name: prometheus + - containerPort: 8081 + name: readiness-port + readinessProbe: + httpGet: + path: /nginx-ready + port: readiness-port + initialDelaySeconds: 0 + periodSeconds: 1 + resources: + requests: + cpu: 
100m + memory: 128Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - NET_BIND_SERVICE + drop: + - ALL + readOnlyRootFilesystem: false + runAsNonRoot: true + runAsUser: 101 + dnsPolicy: ClusterFirst + hostNetwork: false + securityContext: + seccompProfile: + type: RuntimeDefault + serviceAccountName: nginx-ingress + terminationGracePeriodSeconds: 30 +--- +apiVersion: networking.k8s.io/v1 +kind: IngressClass +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.2.1 + name: nginx +spec: + controller: nginx.org/ingress-controller diff --git a/deploy/aws-nlb/deploy.yaml b/deploy/aws-nlb/deploy.yaml new file mode 100644 index 0000000000..63dd5608c8 --- /dev/null +++ b/deploy/aws-nlb/deploy.yaml 
@@ -0,0 +1,328 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: nginx-ingress +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.2.1 + name: nginx-ingress + namespace: nginx-ingress +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.2.1 + name: nginx-ingress +rules: +- apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - services + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - update + - create +- apiGroups: + - "" + resources: + - pods + verbs: + - get + - list + - watch + - update +- apiGroups: + - "" + resources: + - namespaces + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch + - list +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - list + - watch + - update + - create +- apiGroups: + - networking.k8s.io + resources: + - ingresses + verbs: + - get + - list + - watch +- apiGroups: + - networking.k8s.io + resources: + - ingressclasses + verbs: + - get +- apiGroups: + - networking.k8s.io + resources: + - ingresses/status + verbs: + - update +- apiGroups: + - k8s.nginx.org + resources: + - virtualservers + - virtualserverroutes + - globalconfigurations + - transportservers + - policies + verbs: + - list + - watch + - get +- apiGroups: + - k8s.nginx.org + resources: + - virtualservers/status + - virtualserverroutes/status + - policies/status + - transportservers/status + verbs: + - update +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: 
ClusterRoleBinding +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.2.1 + name: nginx-ingress +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: nginx-ingress +subjects: +- kind: ServiceAccount + name: nginx-ingress + namespace: nginx-ingress +--- +apiVersion: v1 +data: + proxy-protocol: "True" + real-ip-header: proxy_protocol + set-real-ip-from: 0.0.0.0/0 +kind: ConfigMap +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.2.1 + name: nginx-ingress + namespace: nginx-ingress +--- +apiVersion: v1 +kind: ConfigMap +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.2.1 + name: nginx-ingress-leader-election + namespace: nginx-ingress +--- +apiVersion: v1 +kind: Service +metadata: + annotations: + service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: ip + service.beta.kubernetes.io/aws-load-balancer-type: nlb + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.2.1 + name: nginx-ingress-controller + namespace: nginx-ingress +spec: + externalTrafficPolicy: Local + ports: + - name: http + port: 80 + protocol: TCP + targetPort: 80 + - name: https + port: 443 + protocol: TCP + targetPort: 443 + selector: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + type: LoadBalancer +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.2.1 + name: nginx-ingress-controller + namespace: nginx-ingress +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + template: + metadata: + annotations: + 
prometheus.io/port: "9113" + prometheus.io/scheme: http + prometheus.io/scrape: "true" + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + spec: + automountServiceAccountToken: true + containers: + - args: + - -nginx-plus=false + - -nginx-reload-timeout=60000 + - -enable-app-protect=false + - -enable-app-protect-dos=false + - -nginx-configmaps=$(POD_NAMESPACE)/nginx-ingress + - -ingress-class=nginx + - -health-status=false + - -health-status-uri=/nginx-health + - -nginx-debug=false + - -v=1 + - -nginx-status=true + - -nginx-status-port=8080 + - -nginx-status-allow-cidrs=127.0.0.1 + - -report-ingress-status + - -external-service=nginx-ingress-controller + - -enable-leader-election=true + - -leader-election-lock-name=nginx-ingress-leader-election + - -enable-prometheus-metrics=true + - -prometheus-metrics-listen-port=9113 + - -prometheus-tls-secret= + - -enable-service-insight=false + - -service-insight-listen-port=9114 + - -service-insight-tls-secret= + - -enable-custom-resources=true + - -enable-snippets=false + - -include-year=false + - -disable-ipv6=false + - -enable-tls-passthrough=false + - -enable-preview-policies=false + - -enable-cert-manager=false + - -enable-oidc=false + - -enable-external-dns=false + - -ready-status=true + - -ready-status-port=8081 + - -enable-latency-metrics=false + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + image: nginx/nginx-ingress:3.2.1 + imagePullPolicy: IfNotPresent + name: nginx-ingress + ports: + - containerPort: 80 + name: http + protocol: TCP + - containerPort: 443 + name: https + protocol: TCP + - containerPort: 9113 + name: prometheus + - containerPort: 8081 + name: readiness-port + readinessProbe: + httpGet: + path: /nginx-ready + port: readiness-port + initialDelaySeconds: 0 + periodSeconds: 1 + resources: + requests: + cpu: 100m + memory: 128Mi + securityContext: + 
allowPrivilegeEscalation: false + capabilities: + add: + - NET_BIND_SERVICE + drop: + - ALL + readOnlyRootFilesystem: false + runAsNonRoot: true + runAsUser: 101 + dnsPolicy: ClusterFirst + hostNetwork: false + securityContext: + seccompProfile: + type: RuntimeDefault + serviceAccountName: nginx-ingress + terminationGracePeriodSeconds: 30 +--- +apiVersion: networking.k8s.io/v1 +kind: IngressClass +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.2.1 + name: nginx +spec: + controller: nginx.org/ingress-controller diff --git a/deploy/azure/deploy.yaml b/deploy/azure/deploy.yaml new file mode 100644 index 0000000000..c090ffb398 --- /dev/null +++ b/deploy/azure/deploy.yaml 
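Review bot: The `nginx-ingress` ConfigMap near the start of this hunk turns on `proxy-protocol: "True"` with `set-real-ip-from: 0.0.0.0/0`, but the Service only carries the `aws-load-balancer-type: nlb` and `aws-load-balancer-nlb-target-type: ip` annotations and nothing that enables PROXY protocol on the NLB target groups; unless that is enabled elsewhere, NGINX will expect a PROXY header the NLB does not send and reject client connections. If PROXY protocol is the intent, the Service presumably also needs `service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: "*"` (or the equivalent NLB target-group setting), and a comment on the ConfigMap tying the two settings together would keep them from drifting apart. Independently, `0.0.0.0/0` makes NGINX accept the PROXY-supplied client address from any peer, so anything able to reach the pod IPs directly (the target type is `ip`, so they are reachable inside the VPC) can present an arbitrary source address to access logs, rate limits and allow/deny policies; narrowing `set-real-ip-from` to the NLB's subnet CIDRs is the safer default.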
@@ -0,0 +1,324 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: nginx-ingress +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.2.1 + name: nginx-ingress + namespace: nginx-ingress +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.2.1 + name: nginx-ingress +rules: +- apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - services + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - update + - create +- apiGroups: + - "" + resources: + - pods + verbs: + - get + - list + - watch + - update +- apiGroups: + - "" + resources: + - namespaces + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch + - list +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - list + - watch + - update + - create +- apiGroups: + - networking.k8s.io + resources: + - ingresses + verbs: + - get + - list + - watch +- apiGroups: + - networking.k8s.io + resources: + - ingressclasses + verbs: + - get +- apiGroups: + - networking.k8s.io + resources: + - ingresses/status + verbs: + - update +- apiGroups: + - k8s.nginx.org + resources: + - virtualservers + - virtualserverroutes + - globalconfigurations + - transportservers + - policies + verbs: + - list + - watch + - get +- apiGroups: + - k8s.nginx.org + resources: + - virtualservers/status + - virtualserverroutes/status + - policies/status + - transportservers/status + verbs: + - update +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: 
ClusterRoleBinding +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.2.1 + name: nginx-ingress +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: nginx-ingress +subjects: +- kind: ServiceAccount + name: nginx-ingress + namespace: nginx-ingress +--- +apiVersion: v1 +data: null +kind: ConfigMap +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.2.1 + name: nginx-ingress + namespace: nginx-ingress +--- +apiVersion: v1 +kind: ConfigMap +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.2.1 + name: nginx-ingress-leader-election + namespace: nginx-ingress +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.2.1 + name: nginx-ingress-controller + namespace: nginx-ingress +spec: + externalTrafficPolicy: Local + ports: + - name: http + port: 80 + protocol: TCP + targetPort: 80 + - name: https + port: 443 + protocol: TCP + targetPort: 443 + selector: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + type: LoadBalancer +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.2.1 + name: nginx-ingress-controller + namespace: nginx-ingress +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + template: + metadata: + annotations: + prometheus.io/port: "9113" + prometheus.io/scheme: http + prometheus.io/scrape: "true" + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + spec: + automountServiceAccountToken: 
true + containers: + - args: + - -nginx-plus=false + - -nginx-reload-timeout=60000 + - -enable-app-protect=false + - -enable-app-protect-dos=false + - -nginx-configmaps=$(POD_NAMESPACE)/nginx-ingress + - -ingress-class=nginx + - -health-status=false + - -health-status-uri=/nginx-health + - -nginx-debug=false + - -v=1 + - -nginx-status=true + - -nginx-status-port=8080 + - -nginx-status-allow-cidrs=127.0.0.1 + - -report-ingress-status + - -external-service=nginx-ingress-controller + - -enable-leader-election=true + - -leader-election-lock-name=nginx-ingress-leader-election + - -enable-prometheus-metrics=true + - -prometheus-metrics-listen-port=9113 + - -prometheus-tls-secret= + - -enable-service-insight=false + - -service-insight-listen-port=9114 + - -service-insight-tls-secret= + - -enable-custom-resources=true + - -enable-snippets=false + - -include-year=false + - -disable-ipv6=false + - -enable-tls-passthrough=false + - -enable-preview-policies=false + - -enable-cert-manager=false + - -enable-oidc=false + - -enable-external-dns=false + - -ready-status=true + - -ready-status-port=8081 + - -enable-latency-metrics=false + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + image: nginx/nginx-ingress:3.2.1 + imagePullPolicy: IfNotPresent + name: nginx-ingress + ports: + - containerPort: 80 + name: http + protocol: TCP + - containerPort: 443 + name: https + protocol: TCP + - containerPort: 9113 + name: prometheus + - containerPort: 8081 + name: readiness-port + readinessProbe: + httpGet: + path: /nginx-ready + port: readiness-port + initialDelaySeconds: 0 + periodSeconds: 1 + resources: + requests: + cpu: 100m + memory: 128Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - NET_BIND_SERVICE + drop: + - ALL + readOnlyRootFilesystem: false + runAsNonRoot: true + runAsUser: 101 + dnsPolicy: ClusterFirst + hostNetwork: false + 
nodeSelector: + kubernetes.io/os: linux + securityContext: + seccompProfile: + type: RuntimeDefault + serviceAccountName: nginx-ingress + terminationGracePeriodSeconds: 30 +--- +apiVersion: networking.k8s.io/v1 +kind: IngressClass +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.2.1 + name: nginx +spec: + controller: nginx.org/ingress-controller diff --git a/deploy/crds b/deploy/crds new file mode 120000 index 0000000000..c29b1b8fe4 --- /dev/null +++ b/deploy/crds @@ -0,0 +1 @@ +../config/crd/bases/ \ No newline at end of file diff --git a/deploy/crds-nap-dos.yaml b/deploy/crds-nap-dos.yaml new file mode 100644 index 0000000000..89f6fae947 --- /dev/null +++ b/deploy/crds-nap-dos.yaml 
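Review bot: The `nginx-ingress` ConfigMap in this hunk is emitted with `data: null`, which reads as a templating artifact rather than an intended value; `data: {}` (or omitting the key) states the intent explicitly and avoids the ambiguity of an explicit null, which some apply tooling may treat differently from an absent field. Otherwise the manifest mirrors `deploy/aws-nlb/deploy.yaml` apart from the added `nodeSelector: kubernetes.io/os: linux` near the end of the Deployment; if the selector is required here (mixed-OS node pools, presumably), a one-line comment such as `# Windows node pools are common on AKS; keep the controller on Linux nodes` would stop it from being dropped as noise the next time these files are regenerated.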
@@ -0,0 +1,243 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.9.2 + creationTimestamp: null + name: apdoslogconfs.appprotectdos.f5.com +spec: + group: appprotectdos.f5.com + names: + kind: APDosLogConf + listKind: APDosLogConfList + plural: apdoslogconfs + singular: apdoslogconf + preserveUnknownFields: false + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + description: APDosLogConf is the Schema for the APDosLogConfs API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: APDosLogConfSpec defines the desired state of APDosLogConf + properties: + content: + properties: + format: + enum: + - splunk + - arcsight + - user-defined + type: string + format_string: + type: string + max_message_size: + pattern: ^([1-9]|[1-5][0-9]|6[0-4])k$ + type: string + type: object + filter: + properties: + attack-signatures: + default: top 10 + pattern: ^(none|all|top ([1-9]|[1-9][0-9]|[1-9][0-9]{2,4}|100000))$ + type: string + bad-actors: + default: top 10 + pattern: ^(none|all|top ([1-9]|[1-9][0-9]|[1-9][0-9]{2,4}|100000))$ + type: string + traffic-mitigation-stats: + default: all + enum: + - none + - all + type: string + type: object + type: object + type: object + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.9.2 + creationTimestamp: null + name: apdospolicies.appprotectdos.f5.com +spec: + group: appprotectdos.f5.com + names: + kind: APDosPolicy + listKind: APDosPoliciesList + plural: apdospolicies + singular: apdospolicy + preserveUnknownFields: false + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + description: APDosPolicy is the Schema for the APDosPolicy API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: APDosPolicySpec defines the desired state of APDosPolicy + properties: + automation_tools_detection: + default: "on" + enum: + - "on" + - "off" + type: string + bad_actors: + default: "on" + enum: + - "on" + - "off" + type: string + mitigation_mode: + default: standard + enum: + - standard + - conservative + - none + type: string + signatures: + default: "on" + enum: + - "on" + - "off" + type: string + tls_fingerprint: + default: "on" + enum: + - "on" + - "off" + type: string + type: object + type: object + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.13.0 + name: dosprotectedresources.appprotectdos.f5.com +spec: + group: appprotectdos.f5.com + names: + kind: DosProtectedResource + listKind: DosProtectedResourceList + plural: dosprotectedresources + shortNames: + - pr + singular: dosprotectedresource + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + description: DosProtectedResource defines a Dos protected resource. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: DosProtectedResourceSpec defines the properties and values + a DosProtectedResource can have. + properties: + apDosMonitor: + description: 'ApDosMonitor is how NGINX App Protect DoS monitors the + stress level of the protected object. The monitor requests are sent + from localhost (127.0.0.1). Default value: URI - None, protocol + - http1, timeout - NGINX App Protect DoS default.' + properties: + protocol: + description: Protocol determines if the server listens on http1 + / http2 / grpc / websocket. The default is http1. + enum: + - http1 + - http2 + - grpc + - websocket + type: string + timeout: + description: Timeout determines how long (in seconds) should NGINX + App Protect DoS wait for a response. Default is 10 seconds for + http1/http2 and 5 seconds for grpc. + format: int64 + type: integer + uri: + description: 'URI is the destination to the desired protected + object in the nginx.conf:' + type: string + type: object + apDosPolicy: + description: ApDosPolicy is the namespace/name of a ApDosPolicy resource + type: string + dosAccessLogDest: + description: DosAccessLogDest is the network address for the access + logs + type: string + dosSecurityLog: + description: DosSecurityLog defines the security log of the DosProtectedResource. + properties: + apDosLogConf: + description: ApDosLogConf is the namespace/name of a APDosLogConf + resource + type: string + dosLogDest: + description: DosLogDest is the network address of a logging service, + can be either IP or DNS name. + type: string + enable: + description: Enable enables the security logging feature if set + to true + type: boolean + type: object + enable: + description: Enable enables the DOS feature if set to true + type: boolean + name: + description: Name is the name of protected object, max of 63 characters. 
+ type: string + type: object + type: object + served: true + storage: true diff --git a/deploy/crds-nap-waf.yaml b/deploy/crds-nap-waf.yaml new file mode 100644 index 0000000000..31f5dac110 --- /dev/null +++ b/deploy/crds-nap-waf.yaml 
@@ -0,0 +1,2090 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.10.0 + creationTimestamp: null + name: aplogconfs.appprotect.f5.com +spec: + group: appprotect.f5.com + names: + kind: APLogConf + listKind: APLogConfList + plural: aplogconfs + singular: aplogconf + preserveUnknownFields: false + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + description: APLogConf is the Schema for the APLogConfs API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: APLogConfSpec defines the desired state of APLogConf + properties: + content: + properties: + escaping_characters: + items: + properties: + from: + type: string + to: + type: string + type: object + type: array + format: + enum: + - splunk + - arcsight + - default + - user-defined + - grpc + type: string + format_string: + type: string + list_delimiter: + type: string + list_prefix: + type: string + list_suffix: + type: string + max_message_size: + pattern: ^([1-9]|[1-5][0-9]|6[0-4])k$ + type: string + max_request_size: + pattern: ^([1-9]|[1-9][0-9]|[1-9][0-9]{2}|1[0-9]{3}|20[1-3][0-9]|204[1-8]|any)$ + type: string + type: object + filter: + properties: + request_type: + enum: + - all + - illegal + - blocked + type: string + type: object + type: object + type: object + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.10.0 + creationTimestamp: null + name: appolicies.appprotect.f5.com +spec: + group: appprotect.f5.com + names: + kind: APPolicy + listKind: APPolicyList + plural: appolicies + singular: appolicy + preserveUnknownFields: false + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + description: APPolicyConfig is the Schema for the APPolicyconfigs API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. 
Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: APPolicySpec defines the desired state of APPolicy + properties: + modifications: + items: + properties: + action: + type: string + description: + type: string + entity: + properties: + name: + type: string + type: object + entityChanges: + properties: + type: + type: string + type: object + type: object + x-kubernetes-preserve-unknown-fields: true + type: array + modificationsReference: + properties: + link: + pattern: ^http + type: string + type: object + policy: + description: Defines the App Protect policy + properties: + applicationLanguage: + enum: + - iso-8859-10 + - iso-8859-6 + - windows-1255 + - auto-detect + - koi8-r + - gb18030 + - iso-8859-8 + - windows-1250 + - iso-8859-9 + - windows-1252 + - iso-8859-16 + - gb2312 + - iso-8859-2 + - iso-8859-5 + - windows-1257 + - windows-1256 + - iso-8859-13 + - windows-874 + - windows-1253 + - iso-8859-3 + - euc-jp + - utf-8 + - gbk + - windows-1251 + - big5 + - iso-8859-1 + - shift_jis + - euc-kr + - iso-8859-4 + - iso-8859-7 + - iso-8859-15 + type: string + blocking-settings: + properties: + evasions: + items: + properties: + description: + enum: + - '%u decoding' + - Apache whitespace + - Bad unescape + - Bare byte decoding + - Directory traversals + - IIS backslashes + - IIS Unicode codepoints + - Multiple decoding + type: string + enabled: + type: boolean + maxDecodingPasses: + type: integer + type: object + type: array + http-protocols: + items: + properties: + description: + enum: + - Unescaped space in URL + - Unparsable request content + - Several Content-Length headers + - 'POST request with Content-Length: 0' + - Null in request + - No Host header in HTTP/1.1 request + - Multiple host headers + - Host header contains IP address 
+ - High ASCII characters in headers + - Header name with no header value + - CRLF characters before request start + - Content length should be a positive number + - Chunked request with Content-Length header + - Check maximum number of parameters + - Check maximum number of headers + - Body in GET or HEAD requests + - Bad multipart/form-data request parsing + - Bad multipart parameters parsing + - Bad HTTP version + - Bad host header value + type: string + enabled: + type: boolean + maxHeaders: + type: integer + maxParams: + type: integer + type: object + type: array + violations: + items: + properties: + alarm: + type: boolean + block: + type: boolean + description: + type: string + name: + enum: + - VIOL_GRPC_FORMAT + - VIOL_GRPC_MALFORMED + - VIOL_GRPC_METHOD + - VIOL_PARAMETER_ARRAY_VALUE + - VIOL_PARAMETER_VALUE_REGEXP + - VIOL_CSRF + - VIOL_PARAMETER_VALUE_BASE64 + - VIOL_MANDATORY_HEADER + - VIOL_HEADER_REPEATED + - VIOL_ASM_COOKIE_MODIFIED + - VIOL_BLACKLISTED_IP + - VIOL_COOKIE_EXPIRED + - VIOL_COOKIE_LENGTH + - VIOL_COOKIE_MALFORMED + - VIOL_COOKIE_MODIFIED + - VIOL_DATA_GUARD + - VIOL_ENCODING + - VIOL_EVASION + - VIOL_FILETYPE + - VIOL_FILE_UPLOAD + - VIOL_FILE_UPLOAD_IN_BODY + - VIOL_HEADER_LENGTH + - VIOL_HEADER_METACHAR + - VIOL_HTTP_PROTOCOL + - VIOL_HTTP_RESPONSE_STATUS + - VIOL_JSON_FORMAT + - VIOL_JSON_MALFORMED + - VIOL_JSON_SCHEMA + - VIOL_MANDATORY_PARAMETER + - VIOL_MANDATORY_REQUEST_BODY + - VIOL_METHOD + - VIOL_PARAMETER + - VIOL_PARAMETER_DATA_TYPE + - VIOL_PARAMETER_EMPTY_VALUE + - VIOL_PARAMETER_LOCATION + - VIOL_PARAMETER_MULTIPART_NULL_VALUE + - VIOL_PARAMETER_NAME_METACHAR + - VIOL_PARAMETER_NUMERIC_VALUE + - VIOL_PARAMETER_REPEATED + - VIOL_PARAMETER_STATIC_VALUE + - VIOL_PARAMETER_VALUE_LENGTH + - VIOL_PARAMETER_VALUE_METACHAR + - VIOL_POST_DATA_LENGTH + - VIOL_QUERY_STRING_LENGTH + - VIOL_RATING_THREAT + - VIOL_RATING_NEED_EXAMINATION + - VIOL_REQUEST_MAX_LENGTH + - VIOL_REQUEST_LENGTH + - VIOL_THREAT_CAMPAIGN + - VIOL_URL + - 
VIOL_URL_CONTENT_TYPE + - VIOL_URL_LENGTH + - VIOL_URL_METACHAR + - VIOL_XML_FORMAT + - VIOL_XML_MALFORMED + type: string + type: object + type: array + type: object + blockingSettingReference: + properties: + link: + pattern: ^http + type: string + type: object + bot-defense: + properties: + mitigations: + properties: + anomalies: + items: + properties: + $action: + enum: + - delete + type: string + action: + enum: + - alarm + - block + - default + - detect + - ignore + type: string + name: + type: string + scoreThreshold: + pattern: '[0-9]|[1-9][0-9]|1[0-4][0-9]|150|default' + type: string + type: object + type: array + browsers: + items: + properties: + $action: + enum: + - delete + type: string + action: + enum: + - alarm + - block + - detect + type: string + browserDefinition: + properties: + $action: + enum: + - delete + type: string + isUserDefined: + type: boolean + matchRegex: + type: string + matchString: + type: string + name: + type: string + type: object + maxVersion: + maximum: 2147483647 + minimum: 0 + type: integer + minVersion: + maximum: 2147483647 + minimum: 0 + type: integer + name: + type: string + type: object + type: array + classes: + items: + properties: + action: + enum: + - alarm + - block + - detect + - ignore + type: string + name: + enum: + - browser + - malicious-bot + - suspicious-browser + - trusted-bot + - unknown + - untrusted-bot + type: string + type: object + type: array + signatures: + items: + properties: + $action: + enum: + - delete + type: string + action: + enum: + - alarm + - block + - detect + - ignore + type: string + name: + type: string + type: object + type: array + type: object + settings: + properties: + caseSensitiveHttpHeaders: + type: boolean + isEnabled: + type: boolean + type: object + type: object + browser-definitions: + items: + properties: + $action: + enum: + - delete + type: string + isUserDefined: + type: boolean + matchRegex: + type: string + matchString: + type: string + name: + type: string + type: 
object + type: array + caseInsensitive: + type: boolean + character-sets: + items: + properties: + characterSet: + items: + properties: + isAllowed: + type: boolean + metachar: + type: string + type: object + type: array + characterSetType: + enum: + - gwt-content + - header + - json-content + - parameter-name + - parameter-value + - plain-text-content + - url + - xml-content + type: string + type: object + type: array + characterSetReference: + properties: + link: + pattern: ^http + type: string + type: object + cookie-settings: + properties: + maximumCookieHeaderLength: + pattern: any|\d+ + type: string + type: object + cookieReference: + properties: + link: + pattern: ^http + type: string + type: object + cookieSettingsReference: + properties: + link: + pattern: ^http + type: string + type: object + cookies: + items: + properties: + $action: + enum: + - delete + type: string + accessibleOnlyThroughTheHttpProtocol: + type: boolean + attackSignaturesCheck: + type: boolean + decodeValueAsBase64: + enum: + - enabled + - disabled + - required + type: string + enforcementType: + type: string + insertSameSiteAttribute: + enum: + - lax + - none + - none-value + - strict + type: string + name: + type: string + securedOverHttpsConnection: + type: boolean + signatureOverrides: + items: + properties: + enabled: + type: boolean + name: + type: string + signatureId: + type: integer + tag: + type: string + type: object + type: array + type: + enum: + - explicit + - wildcard + type: string + wildcardOrder: + type: integer + type: object + type: array + csrf-protection: + properties: + enabled: + type: boolean + expirationTimeInSeconds: + pattern: disabled|\d+ + type: string + sslOnly: + type: boolean + type: object + csrf-urls: + items: + properties: + $action: + enum: + - delete + type: string + enforcementAction: + enum: + - verify-origin + - none + type: string + method: + enum: + - GET + - POST + - any + type: string + url: + type: string + wildcardOrder: + type: integer + 
type: object + type: array + data-guard: + properties: + creditCardNumbers: + type: boolean + enabled: + type: boolean + enforcementMode: + enum: + - ignore-urls-in-list + - enforce-urls-in-list + type: string + enforcementUrls: + items: + type: string + type: array + lastCcnDigitsToExpose: + type: integer + lastSsnDigitsToExpose: + type: integer + maskData: + type: boolean + usSocialSecurityNumbers: + type: boolean + type: object + dataGuardReference: + properties: + link: + pattern: ^http + type: string + type: object + description: + type: string + enablePassiveMode: + type: boolean + enforcementMode: + enum: + - transparent + - blocking + type: string + enforcer-settings: + properties: + enforcerStateCookies: + properties: + httpOnlyAttribute: + type: boolean + sameSiteAttribute: + enum: + - lax + - none + - none-value + - strict + type: string + secureAttribute: + enum: + - always + - never + type: string + type: object + type: object + filetypeReference: + properties: + link: + pattern: ^http + type: string + type: object + filetypes: + items: + properties: + $action: + enum: + - delete + type: string + allowed: + type: boolean + checkPostDataLength: + type: boolean + checkQueryStringLength: + type: boolean + checkRequestLength: + type: boolean + checkUrlLength: + type: boolean + name: + type: string + postDataLength: + type: integer + queryStringLength: + type: integer + requestLength: + type: integer + responseCheck: + type: boolean + type: + enum: + - explicit + - wildcard + type: string + urlLength: + type: integer + wildcardOrder: + type: integer + type: object + type: array + fullPath: + type: string + general: + properties: + allowedResponseCodes: + items: + format: int32 + maximum: 999 + minimum: 100 + type: integer + type: array + customXffHeaders: + items: + type: string + type: array + maskCreditCardNumbersInRequest: + type: boolean + trustXff: + type: boolean + type: object + generalReference: + properties: + link: + pattern: ^http + type: string 
+ type: object + grpc-profiles: + items: + properties: + $action: + enum: + - delete + type: string + associateUrls: + type: boolean + attackSignaturesCheck: + type: boolean + defenseAttributes: + properties: + allowUnknownFields: + type: boolean + maximumDataLength: + pattern: any|\d+ + type: string + type: object + description: + type: string + hasIdlFiles: + type: boolean + idlFiles: + items: + properties: + idlFile: + properties: + contents: + type: string + fileName: + type: string + isBase64: + type: boolean + type: object + importUrl: + type: string + isPrimary: + type: boolean + primaryIdlFileName: + type: string + type: object + type: array + metacharElementCheck: + type: boolean + name: + type: string + signatureOverrides: + items: + properties: + enabled: + type: boolean + name: + type: string + signatureId: + type: integer + tag: + type: string + type: object + type: array + type: object + type: array + header-settings: + properties: + maximumHttpHeaderLength: + pattern: any|\d+ + type: string + type: object + headerReference: + properties: + link: + pattern: ^http + type: string + type: object + headerSettingsReference: + properties: + link: + pattern: ^http + type: string + type: object + headers: + items: + properties: + $action: + enum: + - delete + type: string + allowRepeatedOccurrences: + type: boolean + base64Decoding: + type: boolean + checkSignatures: + type: boolean + decodeValueAsBase64: + enum: + - enabled + - disabled + - required + type: string + htmlNormalization: + type: boolean + mandatory: + type: boolean + maskValueInLogs: + type: boolean + name: + type: string + normalizationViolations: + type: boolean + percentDecoding: + type: boolean + signatureOverrides: + items: + properties: + enabled: + type: boolean + name: + type: string + signatureId: + type: integer + tag: + type: string + type: object + type: array + type: + enum: + - explicit + - wildcard + type: string + urlNormalization: + type: boolean + wildcardOrder: + type: 
integer + type: object + type: array + host-names: + items: + properties: + $action: + enum: + - delete + type: string + includeSubdomains: + type: boolean + name: + type: string + type: object + type: array + idl-files: + items: + properties: + contents: + type: string + fileName: + type: string + isBase64: + type: boolean + type: object + type: array + json-profiles: + items: + properties: + $action: + enum: + - delete + type: string + attackSignaturesCheck: + type: boolean + defenseAttributes: + properties: + maximumArrayLength: + pattern: any|\d+ + type: string + maximumStructureDepth: + pattern: any|\d+ + type: string + maximumTotalLengthOfJSONData: + pattern: any|\d+ + type: string + maximumValueLength: + pattern: any|\d+ + type: string + tolerateJSONParsingWarnings: + type: boolean + type: object + description: + type: string + handleJsonValuesAsParameters: + type: boolean + hasValidationFiles: + type: boolean + metacharOverrides: + items: + properties: + isAllowed: + type: boolean + metachar: + type: string + type: object + type: array + name: + type: string + signatureOverrides: + items: + properties: + enabled: + type: boolean + name: + type: string + signatureId: + type: integer + tag: + type: string + type: object + type: array + validationFiles: + items: + properties: + importUrl: + type: string + isPrimary: + type: boolean + jsonValidationFile: + properties: + $action: + enum: + - delete + type: string + contents: + type: string + fileName: + type: string + isBase64: + type: boolean + type: object + type: object + type: array + type: object + type: array + json-validation-files: + items: + properties: + $action: + enum: + - delete + type: string + contents: + type: string + fileName: + type: string + isBase64: + type: boolean + type: object + type: array + jsonProfileReference: + properties: + link: + pattern: ^http + type: string + type: object + jsonValidationFileReference: + properties: + link: + pattern: ^http + type: string + type: object + 
methodReference: + properties: + link: + pattern: ^http + type: string + type: object + methods: + items: + properties: + $action: + enum: + - delete + type: string + name: + type: string + type: object + type: array + name: + type: string + open-api-files: + items: + properties: + link: + pattern: ^http + type: string + type: object + type: array + parameterReference: + properties: + link: + pattern: ^http + type: string + type: object + parameters: + items: + properties: + $action: + enum: + - delete + type: string + allowEmptyValue: + type: boolean + allowRepeatedParameterName: + type: boolean + arraySerializationFormat: + enum: + - csv + - form + - label + - matrix + - multi + - multipart + - pipe + - ssv + - tsv + type: string + attackSignaturesCheck: + type: boolean + checkMaxValue: + type: boolean + checkMaxValueLength: + type: boolean + checkMetachars: + type: boolean + checkMinValue: + type: boolean + checkMinValueLength: + type: boolean + checkMultipleOfValue: + type: boolean + contentProfile: + properties: + name: + type: string + type: object + dataType: + enum: + - alpha-numeric + - binary + - boolean + - decimal + - email + - integer + - none + - phone + type: string + decodeValueAsBase64: + enum: + - enabled + - disabled + - required + type: string + disallowFileUploadOfExecutables: + type: boolean + enableRegularExpression: + type: boolean + exclusiveMax: + type: boolean + exclusiveMin: + type: boolean + isBase64: + type: boolean + isCookie: + type: boolean + isHeader: + type: boolean + level: + enum: + - global + - url + type: string + mandatory: + type: boolean + maximumLength: + type: integer + maximumValue: + type: integer + metacharsOnParameterValueCheck: + type: boolean + minimumLength: + type: integer + minimumValue: + type: integer + multipleOf: + type: integer + name: + type: string + nameMetacharOverrides: + items: + properties: + isAllowed: + type: boolean + metachar: + type: string + type: object + type: array + objectSerializationStyle: 
+ type: string + parameterEnumValues: + items: + type: string + type: array + parameterLocation: + enum: + - any + - cookie + - form-data + - header + - path + - query + type: string + regularExpression: + type: string + sensitiveParameter: + type: boolean + signatureOverrides: + items: + properties: + enabled: + type: boolean + name: + type: string + signatureId: + type: integer + tag: + type: string + type: object + type: array + staticValues: + type: string + type: + enum: + - explicit + - wildcard + type: string + url: + type: object + valueMetacharOverrides: + items: + properties: + isAllowed: + type: boolean + metachar: + type: string + type: object + type: array + valueType: + enum: + - array + - auto-detect + - dynamic-content + - dynamic-parameter-name + - ignore + - json + - object + - openapi-array + - static-content + - user-input + - xml + type: string + wildcardOrder: + type: integer + type: object + type: array + response-pages: + items: + properties: + ajaxActionType: + enum: + - alert-popup + - custom + - redirect + type: string + ajaxCustomContent: + type: string + ajaxEnabled: + type: boolean + ajaxPopupMessage: + type: string + ajaxRedirectUrl: + type: string + grpcStatusCode: + pattern: ABORTED|ALREADY_EXISTS|CANCELLED|DATA_LOSS|DEADLINE_EXCEEDED|FAILED_PRECONDITION|INTERNAL|INVALID_ARGUMENT|NOT_FOUND|OK|OUT_OF_RANGE|PERMISSION_DENIED|RESOURCE_EXHAUSTED|UNAUTHENTICATED|UNAVAILABLE|UNIMPLEMENTED|UNKNOWN|d+ + type: string + grpcStatusMessage: + type: string + responseActionType: + enum: + - custom + - default + - erase-cookies + - redirect + - soap-fault + type: string + responseContent: + type: string + responseHeader: + type: string + responsePageType: + enum: + - ajax + - ajax-login + - captcha + - captcha-fail + - default + - failed-login-honeypot + - failed-login-honeypot-ajax + - hijack + - leaked-credentials + - leaked-credentials-ajax + - mobile + - persistent-flow + - xml + - grpc + type: string + responseRedirectUrl: + type: string + 
type: object + type: array + responsePageReference: + properties: + link: + pattern: ^http + type: string + type: object + sensitive-parameters: + items: + properties: + $action: + enum: + - delete + type: string + name: + type: string + type: object + type: array + sensitiveParameterReference: + properties: + link: + pattern: ^http + type: string + type: object + server-technologies: + items: + properties: + $action: + enum: + - delete + type: string + serverTechnologyName: + enum: + - Jenkins + - SharePoint + - Oracle Application Server + - Python + - Oracle Identity Manager + - Spring Boot + - CouchDB + - SQLite + - Handlebars + - Mustache + - Prototype + - Zend + - Redis + - Underscore.js + - Ember.js + - ZURB Foundation + - ef.js + - Vue.js + - UIKit + - TYPO3 CMS + - RequireJS + - React + - MooTools + - Laravel + - GraphQL + - Google Web Toolkit + - Express.js + - CodeIgniter + - Backbone.js + - AngularJS + - JavaScript + - Nginx + - Jetty + - Joomla + - JavaServer Faces (JSF) + - Ruby + - MongoDB + - Django + - Node.js + - Citrix + - JBoss + - Elasticsearch + - Apache Struts + - XML + - PostgreSQL + - IBM DB2 + - Sybase/ASE + - CGI + - Proxy Servers + - SSI (Server Side Includes) + - Cisco + - Novell + - Macromedia JRun + - BEA Systems WebLogic Server + - Lotus Domino + - MySQL + - Oracle + - Microsoft SQL Server + - PHP + - Outlook Web Access + - Apache/NCSA HTTP Server + - Apache Tomcat + - WordPress + - Macromedia ColdFusion + - Unix/Linux + - Microsoft Windows + - ASP.NET + - Front Page Server Extensions (FPSE) + - IIS + - WebDAV + - ASP + - Java Servlets/JSP + - jQuery + type: string + type: object + type: array + serverTechnologyReference: + properties: + link: + pattern: ^http + type: string + type: object + signature-requirements: + items: + properties: + $action: + enum: + - delete + type: string + tag: + type: string + type: object + type: array + signature-sets: + items: + properties: + $action: + enum: + - delete + type: string + alarm: + type: 
boolean + block: + type: boolean + name: + type: string + type: object + x-kubernetes-preserve-unknown-fields: true + type: array + signature-settings: + properties: + attackSignatureFalsePositiveMode: + enum: + - detect + - detect-and-allow + - disabled + type: string + minimumAccuracyForAutoAddedSignatures: + enum: + - high + - low + - medium + type: string + type: object + signatureReference: + properties: + link: + pattern: ^http + type: string + type: object + signatureSetReference: + properties: + link: + pattern: ^http + type: string + type: object + signatureSettingReference: + properties: + link: + pattern: ^http + type: string + type: object + signatures: + items: + properties: + enabled: + type: boolean + name: + type: string + signatureId: + type: integer + tag: + type: string + type: object + type: array + softwareVersion: + type: string + template: + properties: + name: + type: string + type: object + threat-campaigns: + items: + properties: + isEnabled: + type: boolean + name: + type: string + type: object + type: array + threatCampaignReference: + properties: + link: + pattern: ^http + type: string + type: object + urlReference: + properties: + link: + pattern: ^http + type: string + type: object + urls: + items: + properties: + $action: + enum: + - delete + type: string + allowRenderingInFrames: + enum: + - never + - only-same + type: string + allowRenderingInFramesOnlyFrom: + type: string + attackSignaturesCheck: + type: boolean + clickjackingProtection: + type: boolean + description: + type: string + disallowFileUploadOfExecutables: + type: boolean + html5CrossOriginRequestsEnforcement: + properties: + allowOriginsEnforcementMode: + enum: + - replace-with + - unmodified + type: string + checkAllowedMethods: + type: boolean + crossDomainAllowedOrigin: + items: + properties: + includeSubDomains: + type: boolean + originName: + type: string + originPort: + pattern: any|\d+ + type: string + originProtocol: + enum: + - http + - http/https + - https + 
type: string + type: object + type: array + enforcementMode: + enum: + - disabled + - enforce + type: string + type: object + isAllowed: + type: boolean + mandatoryBody: + type: boolean + metacharOverrides: + items: + properties: + isAllowed: + type: boolean + metachar: + type: string + type: object + type: array + metacharsOnUrlCheck: + type: boolean + method: + enum: + - ACL + - BCOPY + - BDELETE + - BMOVE + - BPROPFIND + - BPROPPATCH + - CHECKIN + - CHECKOUT + - CONNECT + - COPY + - DELETE + - GET + - HEAD + - LINK + - LOCK + - MERGE + - MKCOL + - MKWORKSPACE + - MOVE + - NOTIFY + - OPTIONS + - PATCH + - POLL + - POST + - PROPFIND + - PROPPATCH + - PUT + - REPORT + - RPC_IN_DATA + - RPC_OUT_DATA + - SEARCH + - SUBSCRIBE + - TRACE + - TRACK + - UNLINK + - UNLOCK + - UNSUBSCRIBE + - VERSION_CONTROL + - X-MS-ENUMATTS + - '*' + type: string + methodOverrides: + items: + properties: + allowed: + type: boolean + method: + enum: + - ACL + - BCOPY + - BDELETE + - BMOVE + - BPROPFIND + - BPROPPATCH + - CHECKIN + - CHECKOUT + - CONNECT + - COPY + - DELETE + - GET + - HEAD + - LINK + - LOCK + - MERGE + - MKCOL + - MKWORKSPACE + - MOVE + - NOTIFY + - OPTIONS + - PATCH + - POLL + - POST + - PROPFIND + - PROPPATCH + - PUT + - REPORT + - RPC_IN_DATA + - RPC_OUT_DATA + - SEARCH + - SUBSCRIBE + - TRACE + - TRACK + - UNLINK + - UNLOCK + - UNSUBSCRIBE + - VERSION_CONTROL + - X-MS-ENUMATTS + type: string + type: object + type: array + methodsOverrideOnUrlCheck: + type: boolean + name: + type: string + operationId: + type: string + positionalParameters: + items: + properties: + parameter: + properties: + $action: + enum: + - delete + type: string + allowEmptyValue: + type: boolean + allowRepeatedParameterName: + type: boolean + arraySerializationFormat: + enum: + - csv + - form + - label + - matrix + - multi + - multipart + - pipe + - ssv + - tsv + type: string + attackSignaturesCheck: + type: boolean + checkMaxValue: + type: boolean + checkMaxValueLength: + type: boolean + 
checkMetachars: + type: boolean + checkMinValue: + type: boolean + checkMinValueLength: + type: boolean + checkMultipleOfValue: + type: boolean + contentProfile: + properties: + name: + type: string + type: object + dataType: + enum: + - alpha-numeric + - binary + - boolean + - decimal + - email + - integer + - none + - phone + type: string + decodeValueAsBase64: + enum: + - enabled + - disabled + - required + type: string + disallowFileUploadOfExecutables: + type: boolean + enableRegularExpression: + type: boolean + exclusiveMax: + type: boolean + exclusiveMin: + type: boolean + isBase64: + type: boolean + isCookie: + type: boolean + isHeader: + type: boolean + level: + enum: + - global + - url + type: string + mandatory: + type: boolean + maximumLength: + type: integer + maximumValue: + type: integer + metacharsOnParameterValueCheck: + type: boolean + minimumLength: + type: integer + minimumValue: + type: integer + multipleOf: + type: integer + name: + type: string + nameMetacharOverrides: + items: + properties: + isAllowed: + type: boolean + metachar: + type: string + type: object + type: array + objectSerializationStyle: + type: string + parameterEnumValues: + items: + type: string + type: array + parameterLocation: + enum: + - any + - cookie + - form-data + - header + - path + - query + type: string + regularExpression: + type: string + sensitiveParameter: + type: boolean + signatureOverrides: + items: + properties: + enabled: + type: boolean + name: + type: string + signatureId: + type: integer + tag: + type: string + type: object + type: array + staticValues: + type: string + type: + enum: + - explicit + - wildcard + type: string + url: + type: object + valueMetacharOverrides: + items: + properties: + isAllowed: + type: boolean + metachar: + type: string + type: object + type: array + valueType: + enum: + - array + - auto-detect + - dynamic-content + - dynamic-parameter-name + - ignore + - json + - object + - openapi-array + - static-content + - user-input + 
- xml + type: string + wildcardOrder: + type: integer + type: object + urlSegmentIndex: + type: integer + type: object + type: array + protocol: + enum: + - http + - https + type: string + signatureOverrides: + items: + properties: + enabled: + type: boolean + name: + type: string + signatureId: + type: integer + tag: + type: string + type: object + type: array + type: + enum: + - explicit + - wildcard + type: string + urlContentProfiles: + items: + properties: + contentProfile: + properties: + name: + type: string + type: object + headerName: + type: string + headerOrder: + type: string + headerValue: + type: string + name: + type: string + type: + enum: + - apply-content-signatures + - apply-value-and-content-signatures + - disallow + - do-nothing + - form-data + - gwt + - json + - xml + - grpc + type: string + type: object + type: array + wildcardOrder: + type: integer + type: object + type: array + whitelist-ips: + items: + properties: + $action: + enum: + - delete + type: string + blockRequests: + enum: + - always + - never + - policy-default + type: string + ipAddress: + pattern: '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' + type: string + ipMask: + pattern: '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' + type: string + neverLogRequests: + type: boolean + type: object + type: array + whitelistIpReference: + properties: + link: + pattern: ^http + type: string + type: object + xml-profiles: + items: + properties: + $action: + enum: + - delete + type: string + attackSignaturesCheck: + type: boolean + defenseAttributes: + properties: + allowCDATA: + type: boolean + allowDTDs: + type: boolean + allowExternalReferences: + type: boolean + allowProcessingInstructions: + type: boolean + maximumAttributeValueLength: + pattern: any|\d+ + type: string + maximumAttributesPerElement: + pattern: any|\d+ + type: string + maximumChildrenPerElement: + pattern: any|\d+ + type: string + maximumDocumentDepth: + pattern: any|\d+ + type: string + maximumDocumentSize: + 
pattern: any|\d+ + type: string + maximumElements: + pattern: any|\d+ + type: string + maximumNSDeclarations: + pattern: any|\d+ + type: string + maximumNameLength: + pattern: any|\d+ + type: string + maximumNamespaceLength: + pattern: any|\d+ + type: string + tolerateCloseTagShorthand: + type: boolean + tolerateLeadingWhiteSpace: + type: boolean + tolerateNumericNames: + type: boolean + type: object + description: + type: string + enableWss: + type: boolean + followSchemaLinks: + type: boolean + name: + type: string + signatureOverrides: + items: + properties: + enabled: + type: boolean + name: + type: string + signatureId: + type: integer + tag: + type: string + type: object + type: array + type: object + type: array + xml-validation-files: + items: + properties: + $action: + enum: + - delete + type: string + contents: + type: string + fileName: + type: string + isBase64: + type: boolean + type: object + type: array + xmlProfileReference: + properties: + link: + pattern: ^http + type: string + type: object + xmlValidationFileReference: + properties: + link: + pattern: ^http + type: string + type: object + type: object + type: object + type: object + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.10.0 + creationTimestamp: null + name: apusersigs.appprotect.f5.com +spec: + group: appprotect.f5.com + names: + kind: APUserSig + listKind: APUserSigList + plural: apusersigs + singular: apusersig + preserveUnknownFields: false + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + description: APUserSig is the Schema for the apusersigs API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: APUserSigSpec defines the desired state of APUserSig + properties: + properties: + type: string + signatures: + items: + properties: + accuracy: + enum: + - high + - medium + - low + type: string + attackType: + properties: + name: + type: string + type: object + description: + type: string + name: + type: string + references: + properties: + type: + enum: + - bugtraq + - cve + - nessus + - url + type: string + value: + type: string + type: object + risk: + enum: + - high + - medium + - low + type: string + rule: + type: string + signatureType: + enum: + - request + - response + type: string + systems: + items: + properties: + name: + type: string + type: object + type: array + type: object + type: array + tag: + type: string + type: object + type: object + served: true + storage: true diff --git a/deploy/crds.yaml b/deploy/crds.yaml new file mode 100644 index 0000000000..2c04549de2 --- /dev/null +++ b/deploy/crds.yaml 
@@ -0,0 +1,2081 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.13.0 + name: dnsendpoints.externaldns.nginx.org +spec: + group: externaldns.nginx.org + names: + kind: DNSEndpoint + listKind: DNSEndpointList + plural: dnsendpoints + singular: dnsendpoint + scope: Namespaced + versions: + - name: v1 + schema: + openAPIV3Schema: + description: DNSEndpoint is the CRD wrapper for Endpoint + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: DNSEndpointSpec holds information about endpoints. + properties: + endpoints: + items: + description: Endpoint describes DNS Endpoint. + properties: + dnsName: + description: The hostname for the DNS record + type: string + labels: + additionalProperties: + type: string + description: Labels stores labels defined for the Endpoint + type: object + providerSpecific: + description: ProviderSpecific stores provider specific config + items: + description: ProviderSpecificProperty represents provider + specific config property. 
+ properties: + name: + description: Name of the property + type: string + value: + description: Value of the property + type: string + type: object + type: array + recordTTL: + description: TTL for the record + format: int64 + type: integer + recordType: + description: RecordType type of record, e.g. CNAME, A, SRV, + TXT, MX + type: string + targets: + description: The targets the DNS service points to + items: + type: string + type: array + type: object + type: array + type: object + status: + description: DNSEndpointStatus represents generation observed by the external + dns controller. + properties: + observedGeneration: + description: The generation observed by by the external-dns controller. + format: int64 + type: integer + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.13.0 + name: globalconfigurations.k8s.nginx.org +spec: + group: k8s.nginx.org + names: + kind: GlobalConfiguration + listKind: GlobalConfigurationList + plural: globalconfigurations + shortNames: + - gc + singular: globalconfiguration + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: GlobalConfiguration defines the GlobalConfiguration resource. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: GlobalConfigurationSpec is the spec of the GlobalConfiguration + resource. + properties: + listeners: + items: + description: Listener defines a listener. + properties: + name: + type: string + port: + type: integer + protocol: + type: string + type: object + type: array + type: object + type: object + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.13.0 + name: policies.k8s.nginx.org +spec: + group: k8s.nginx.org + names: + kind: Policy + listKind: PolicyList + plural: policies + shortNames: + - pol + singular: policy + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: Current state of the Policy. If the resource has a valid status, + it means it has been validated and accepted by the Ingress Controller. + jsonPath: .status.state + name: State + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: Policy defines a Policy for VirtualServer and VirtualServerRoute + resources. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: PolicySpec is the spec of the Policy resource. The spec includes + multiple fields, where each field represents a different policy. Only + one policy (field) is allowed. + properties: + accessControl: + description: AccessControl defines an access policy based on the source + IP of a request. + properties: + allow: + items: + type: string + type: array + deny: + items: + type: string + type: array + type: object + basicAuth: + description: 'BasicAuth holds HTTP Basic authentication configuration + policy status: preview' + properties: + realm: + type: string + secret: + type: string + type: object + egressMTLS: + description: EgressMTLS defines an Egress MTLS policy. + properties: + ciphers: + type: string + protocols: + type: string + serverName: + type: boolean + sessionReuse: + type: boolean + sslName: + type: string + tlsSecret: + type: string + trustedCertSecret: + type: string + verifyDepth: + type: integer + verifyServer: + type: boolean + type: object + ingressClassName: + type: string + ingressMTLS: + description: IngressMTLS defines an Ingress MTLS policy. + properties: + clientCertSecret: + type: string + crlFileName: + type: string + verifyClient: + type: string + verifyDepth: + type: integer + type: object + jwt: + description: JWTAuth holds JWT authentication configuration. + properties: + jwksURI: + type: string + keyCache: + type: string + realm: + type: string + secret: + type: string + token: + type: string + type: object + oidc: + description: OIDC defines an Open ID Connect policy. 
+ properties: + accessTokenEnable: + type: boolean + authEndpoint: + type: string + authExtraArgs: + items: + type: string + type: array + clientID: + type: string + clientSecret: + type: string + jwksURI: + type: string + redirectURI: + type: string + scope: + type: string + tokenEndpoint: + type: string + zoneSyncLeeway: + type: integer + type: object + rateLimit: + description: RateLimit defines a rate limit policy. + properties: + burst: + type: integer + delay: + type: integer + dryRun: + type: boolean + key: + type: string + logLevel: + type: string + noDelay: + type: boolean + rate: + type: string + rejectCode: + type: integer + zoneSize: + type: string + type: object + waf: + description: WAF defines an WAF policy. + properties: + apBundle: + type: string + apPolicy: + type: string + enable: + type: boolean + securityLog: + description: SecurityLog defines the security log of a WAF policy. + properties: + apLogConf: + type: string + enable: + type: boolean + logDest: + type: string + type: object + securityLogs: + items: + description: SecurityLog defines the security log of a WAF policy. + properties: + apLogConf: + type: string + enable: + type: boolean + logDest: + type: string + type: object + type: array + type: object + type: object + status: + description: PolicyStatus is the status of the policy resource + properties: + message: + type: string + reason: + type: string + state: + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} + - name: v1alpha1 + schema: + openAPIV3Schema: + description: Policy defines a Policy for VirtualServer and VirtualServerRoute + resources. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: PolicySpec is the spec of the Policy resource. The spec includes + multiple fields, where each field represents a different policy. Only + one policy (field) is allowed. + properties: + accessControl: + description: AccessControl defines an access policy based on the source + IP of a request. + properties: + allow: + items: + type: string + type: array + deny: + items: + type: string + type: array + type: object + egressMTLS: + description: EgressMTLS defines an Egress MTLS policy. + properties: + ciphers: + type: string + protocols: + type: string + serverName: + type: boolean + sessionReuse: + type: boolean + sslName: + type: string + tlsSecret: + type: string + trustedCertSecret: + type: string + verifyDepth: + type: integer + verifyServer: + type: boolean + type: object + ingressMTLS: + description: IngressMTLS defines an Ingress MTLS policy. + properties: + clientCertSecret: + type: string + verifyClient: + type: string + verifyDepth: + type: integer + type: object + jwt: + description: JWTAuth holds JWT authentication configuration. + properties: + realm: + type: string + secret: + type: string + token: + type: string + type: object + rateLimit: + description: RateLimit defines a rate limit policy. 
+ properties: + burst: + type: integer + delay: + type: integer + dryRun: + type: boolean + key: + type: string + logLevel: + type: string + noDelay: + type: boolean + rate: + type: string + rejectCode: + type: integer + zoneSize: + type: string + type: object + type: object + type: object + served: true + storage: false +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.13.0 + name: transportservers.k8s.nginx.org +spec: + group: k8s.nginx.org + names: + kind: TransportServer + listKind: TransportServerList + plural: transportservers + shortNames: + - ts + singular: transportserver + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: Current state of the TransportServer. If the resource has a valid + status, it means it has been validated and accepted by the Ingress Controller. + jsonPath: .status.state + name: State + type: string + - jsonPath: .status.reason + name: Reason + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: TransportServer defines the TransportServer resource. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: TransportServerSpec is the spec of the TransportServer resource. + properties: + action: + description: Action defines an action. + properties: + pass: + type: string + type: object + host: + type: string + ingressClassName: + type: string + listener: + description: TransportServerListener defines a listener for a TransportServer. + properties: + name: + type: string + protocol: + type: string + type: object + serverSnippets: + type: string + sessionParameters: + description: SessionParameters defines session parameters. + properties: + timeout: + type: string + type: object + streamSnippets: + type: string + tls: + description: TLS defines TLS configuration for a TransportServer. + properties: + secret: + type: string + type: object + upstreamParameters: + description: UpstreamParameters defines parameters for an upstream. + properties: + connectTimeout: + type: string + nextUpstream: + type: boolean + nextUpstreamTimeout: + type: string + nextUpstreamTries: + type: integer + udpRequests: + type: integer + udpResponses: + type: integer + type: object + upstreams: + items: + description: Upstream defines an upstream. + properties: + failTimeout: + type: string + healthCheck: + description: HealthCheck defines the parameters for active Upstream + HealthChecks. + properties: + enable: + type: boolean + fails: + type: integer + interval: + type: string + jitter: + type: string + match: + description: Match defines the parameters of a custom health + check. 
+ properties: + expect: + type: string + send: + type: string + type: object + passes: + type: integer + port: + type: integer + timeout: + type: string + type: object + loadBalancingMethod: + type: string + maxConns: + type: integer + maxFails: + type: integer + name: + type: string + port: + type: integer + service: + type: string + type: object + type: array + type: object + status: + description: TransportServerStatus defines the status for the TransportServer + resource. + properties: + message: + type: string + reason: + type: string + state: + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.13.0 + name: virtualserverroutes.k8s.nginx.org +spec: + group: k8s.nginx.org + names: + kind: VirtualServerRoute + listKind: VirtualServerRouteList + plural: virtualserverroutes + shortNames: + - vsr + singular: virtualserverroute + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: Current state of the VirtualServerRoute. If the resource has a + valid status, it means it has been validated and accepted by the Ingress Controller. + jsonPath: .status.state + name: State + type: string + - jsonPath: .spec.host + name: Host + type: string + - jsonPath: .status.externalEndpoints[*].ip + name: IP + type: string + - jsonPath: .status.externalEndpoints[*].hostname + name: ExternalHostname + priority: 1 + type: string + - jsonPath: .status.externalEndpoints[*].ports + name: Ports + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: VirtualServerRoute defines the VirtualServerRoute resource. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. 
Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: VirtualServerRouteSpec is the spec of the VirtualServerRoute + resource. + properties: + host: + type: string + ingressClassName: + type: string + subroutes: + items: + description: Route defines a route. + properties: + action: + description: Action defines an action. + properties: + pass: + type: string + proxy: + description: ActionProxy defines a proxy in an Action. + properties: + requestHeaders: + description: ProxyRequestHeaders defines the request + headers manipulation in an ActionProxy. + properties: + pass: + type: boolean + set: + items: + description: Header defines an HTTP Header. + properties: + name: + type: string + value: + type: string + type: object + type: array + type: object + responseHeaders: + description: ProxyResponseHeaders defines the response + headers manipulation in an ActionProxy. + properties: + add: + items: + description: AddHeader defines an HTTP Header + with an optional Always field to use with the + add_header NGINX directive. 
+ properties: + always: + type: boolean + name: + type: string + value: + type: string + type: object + type: array + hide: + items: + type: string + type: array + ignore: + items: + type: string + type: array + pass: + items: + type: string + type: array + type: object + rewritePath: + type: string + upstream: + type: string + type: object + redirect: + description: ActionRedirect defines a redirect in an Action. + properties: + code: + type: integer + url: + type: string + type: object + return: + description: ActionReturn defines a return in an Action. + properties: + body: + type: string + code: + type: integer + type: + type: string + type: object + type: object + dos: + type: string + errorPages: + items: + description: ErrorPage defines an ErrorPage in a Route. + properties: + codes: + items: + type: integer + type: array + redirect: + description: ErrorPageRedirect defines a redirect for + an ErrorPage. + properties: + code: + type: integer + url: + type: string + type: object + return: + description: ErrorPageReturn defines a return for an ErrorPage. + properties: + body: + type: string + code: + type: integer + headers: + items: + description: Header defines an HTTP Header. + properties: + name: + type: string + value: + type: string + type: object + type: array + type: + type: string + type: object + type: object + type: array + location-snippets: + type: string + matches: + items: + description: Match defines a match. + properties: + action: + description: Action defines an action. + properties: + pass: + type: string + proxy: + description: ActionProxy defines a proxy in an Action. + properties: + requestHeaders: + description: ProxyRequestHeaders defines the request + headers manipulation in an ActionProxy. + properties: + pass: + type: boolean + set: + items: + description: Header defines an HTTP Header. 
+ properties: + name: + type: string + value: + type: string + type: object + type: array + type: object + responseHeaders: + description: ProxyResponseHeaders defines the + response headers manipulation in an ActionProxy. + properties: + add: + items: + description: AddHeader defines an HTTP Header + with an optional Always field to use with + the add_header NGINX directive. + properties: + always: + type: boolean + name: + type: string + value: + type: string + type: object + type: array + hide: + items: + type: string + type: array + ignore: + items: + type: string + type: array + pass: + items: + type: string + type: array + type: object + rewritePath: + type: string + upstream: + type: string + type: object + redirect: + description: ActionRedirect defines a redirect in + an Action. + properties: + code: + type: integer + url: + type: string + type: object + return: + description: ActionReturn defines a return in an Action. + properties: + body: + type: string + code: + type: integer + type: + type: string + type: object + type: object + conditions: + items: + description: Condition defines a condition in a MatchRule. + properties: + argument: + type: string + cookie: + type: string + header: + type: string + value: + type: string + variable: + type: string + type: object + type: array + splits: + items: + description: Split defines a split. + properties: + action: + description: Action defines an action. + properties: + pass: + type: string + proxy: + description: ActionProxy defines a proxy in + an Action. + properties: + requestHeaders: + description: ProxyRequestHeaders defines + the request headers manipulation in an + ActionProxy. + properties: + pass: + type: boolean + set: + items: + description: Header defines an HTTP + Header. + properties: + name: + type: string + value: + type: string + type: object + type: array + type: object + responseHeaders: + description: ProxyResponseHeaders defines + the response headers manipulation in an + ActionProxy. 
+ properties: + add: + items: + description: AddHeader defines an + HTTP Header with an optional Always + field to use with the add_header + NGINX directive. + properties: + always: + type: boolean + name: + type: string + value: + type: string + type: object + type: array + hide: + items: + type: string + type: array + ignore: + items: + type: string + type: array + pass: + items: + type: string + type: array + type: object + rewritePath: + type: string + upstream: + type: string + type: object + redirect: + description: ActionRedirect defines a redirect + in an Action. + properties: + code: + type: integer + url: + type: string + type: object + return: + description: ActionReturn defines a return in + an Action. + properties: + body: + type: string + code: + type: integer + type: + type: string + type: object + type: object + weight: + type: integer + type: object + type: array + type: object + type: array + path: + type: string + policies: + items: + description: PolicyReference references a policy by name and + an optional namespace. + properties: + name: + type: string + namespace: + type: string + type: object + type: array + route: + type: string + splits: + items: + description: Split defines a split. + properties: + action: + description: Action defines an action. + properties: + pass: + type: string + proxy: + description: ActionProxy defines a proxy in an Action. + properties: + requestHeaders: + description: ProxyRequestHeaders defines the request + headers manipulation in an ActionProxy. + properties: + pass: + type: boolean + set: + items: + description: Header defines an HTTP Header. + properties: + name: + type: string + value: + type: string + type: object + type: array + type: object + responseHeaders: + description: ProxyResponseHeaders defines the + response headers manipulation in an ActionProxy. 
+ properties: + add: + items: + description: AddHeader defines an HTTP Header + with an optional Always field to use with + the add_header NGINX directive. + properties: + always: + type: boolean + name: + type: string + value: + type: string + type: object + type: array + hide: + items: + type: string + type: array + ignore: + items: + type: string + type: array + pass: + items: + type: string + type: array + type: object + rewritePath: + type: string + upstream: + type: string + type: object + redirect: + description: ActionRedirect defines a redirect in + an Action. + properties: + code: + type: integer + url: + type: string + type: object + return: + description: ActionReturn defines a return in an Action. + properties: + body: + type: string + code: + type: integer + type: + type: string + type: object + type: object + weight: + type: integer + type: object + type: array + type: object + type: array + upstreams: + items: + description: Upstream defines an upstream. + properties: + buffer-size: + type: string + buffering: + type: boolean + buffers: + description: UpstreamBuffers defines Buffer Configuration for + an Upstream. + properties: + number: + type: integer + size: + type: string + type: object + client-max-body-size: + type: string + connect-timeout: + type: string + fail-timeout: + type: string + healthCheck: + description: HealthCheck defines the parameters for active Upstream + HealthChecks. + properties: + connect-timeout: + type: string + enable: + type: boolean + fails: + type: integer + grpcService: + type: string + grpcStatus: + type: integer + headers: + items: + description: Header defines an HTTP Header. 
+ properties: + name: + type: string + value: + type: string + type: object + type: array + interval: + type: string + jitter: + type: string + keepalive-time: + type: string + mandatory: + type: boolean + passes: + type: integer + path: + type: string + persistent: + type: boolean + port: + type: integer + read-timeout: + type: string + send-timeout: + type: string + statusMatch: + type: string + tls: + description: UpstreamTLS defines a TLS configuration for + an Upstream. + properties: + enable: + type: boolean + type: object + type: object + keepalive: + type: integer + lb-method: + type: string + max-conns: + type: integer + max-fails: + type: integer + name: + type: string + next-upstream: + type: string + next-upstream-timeout: + type: string + next-upstream-tries: + type: integer + ntlm: + type: boolean + port: + type: integer + queue: + description: UpstreamQueue defines Queue Configuration for an + Upstream. + properties: + size: + type: integer + timeout: + type: string + type: object + read-timeout: + type: string + send-timeout: + type: string + service: + type: string + sessionCookie: + description: SessionCookie defines the parameters for session + persistence. + properties: + domain: + type: string + enable: + type: boolean + expires: + type: string + httpOnly: + type: boolean + name: + type: string + path: + type: string + samesite: + type: string + secure: + type: boolean + type: object + slow-start: + type: string + subselector: + additionalProperties: + type: string + type: object + tls: + description: UpstreamTLS defines a TLS configuration for an + Upstream. + properties: + enable: + type: boolean + type: object + type: + type: string + use-cluster-ip: + type: boolean + type: object + type: array + type: object + status: + description: VirtualServerRouteStatus defines the status for the VirtualServerRoute + resource. 
+ properties: + externalEndpoints: + items: + description: ExternalEndpoint defines the IP/ Hostname and ports + used to connect to this resource. + properties: + hostname: + type: string + ip: + type: string + ports: + type: string + type: object + type: array + message: + type: string + reason: + type: string + referencedBy: + type: string + state: + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.13.0 + name: virtualservers.k8s.nginx.org +spec: + group: k8s.nginx.org + names: + kind: VirtualServer + listKind: VirtualServerList + plural: virtualservers + shortNames: + - vs + singular: virtualserver + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: Current state of the VirtualServer. If the resource has a valid + status, it means it has been validated and accepted by the Ingress Controller. + jsonPath: .status.state + name: State + type: string + - jsonPath: .spec.host + name: Host + type: string + - jsonPath: .status.externalEndpoints[*].ip + name: IP + type: string + - jsonPath: .status.externalEndpoints[*].hostname + name: ExternalHostname + priority: 1 + type: string + - jsonPath: .status.externalEndpoints[*].ports + name: Ports + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: VirtualServer defines the VirtualServer resource. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: VirtualServerSpec is the spec of the VirtualServer resource. + properties: + dos: + type: string + externalDNS: + description: ExternalDNS defines externaldns sub-resource of a virtual + server. + properties: + enable: + type: boolean + labels: + additionalProperties: + type: string + description: Labels stores labels defined for the Endpoint + type: object + providerSpecific: + description: ProviderSpecific stores provider specific config + items: + description: ProviderSpecificProperty defines specific property + for using with ExternalDNS sub-resource. + properties: + name: + description: Name of the property + type: string + value: + description: Value of the property + type: string + type: object + type: array + recordTTL: + description: TTL for the record + format: int64 + type: integer + recordType: + type: string + type: object + gunzip: + type: boolean + host: + type: string + http-snippets: + type: string + ingressClassName: + type: string + internalRoute: + description: InternalRoute allows for the configuration of internal + routing. + type: boolean + policies: + items: + description: PolicyReference references a policy by name and an + optional namespace. + properties: + name: + type: string + namespace: + type: string + type: object + type: array + routes: + items: + description: Route defines a route. + properties: + action: + description: Action defines an action. 
+ properties: + pass: + type: string + proxy: + description: ActionProxy defines a proxy in an Action. + properties: + requestHeaders: + description: ProxyRequestHeaders defines the request + headers manipulation in an ActionProxy. + properties: + pass: + type: boolean + set: + items: + description: Header defines an HTTP Header. + properties: + name: + type: string + value: + type: string + type: object + type: array + type: object + responseHeaders: + description: ProxyResponseHeaders defines the response + headers manipulation in an ActionProxy. + properties: + add: + items: + description: AddHeader defines an HTTP Header + with an optional Always field to use with the + add_header NGINX directive. + properties: + always: + type: boolean + name: + type: string + value: + type: string + type: object + type: array + hide: + items: + type: string + type: array + ignore: + items: + type: string + type: array + pass: + items: + type: string + type: array + type: object + rewritePath: + type: string + upstream: + type: string + type: object + redirect: + description: ActionRedirect defines a redirect in an Action. + properties: + code: + type: integer + url: + type: string + type: object + return: + description: ActionReturn defines a return in an Action. + properties: + body: + type: string + code: + type: integer + type: + type: string + type: object + type: object + dos: + type: string + errorPages: + items: + description: ErrorPage defines an ErrorPage in a Route. + properties: + codes: + items: + type: integer + type: array + redirect: + description: ErrorPageRedirect defines a redirect for + an ErrorPage. + properties: + code: + type: integer + url: + type: string + type: object + return: + description: ErrorPageReturn defines a return for an ErrorPage. + properties: + body: + type: string + code: + type: integer + headers: + items: + description: Header defines an HTTP Header. 
+ properties: + name: + type: string + value: + type: string + type: object + type: array + type: + type: string + type: object + type: object + type: array + location-snippets: + type: string + matches: + items: + description: Match defines a match. + properties: + action: + description: Action defines an action. + properties: + pass: + type: string + proxy: + description: ActionProxy defines a proxy in an Action. + properties: + requestHeaders: + description: ProxyRequestHeaders defines the request + headers manipulation in an ActionProxy. + properties: + pass: + type: boolean + set: + items: + description: Header defines an HTTP Header. + properties: + name: + type: string + value: + type: string + type: object + type: array + type: object + responseHeaders: + description: ProxyResponseHeaders defines the + response headers manipulation in an ActionProxy. + properties: + add: + items: + description: AddHeader defines an HTTP Header + with an optional Always field to use with + the add_header NGINX directive. + properties: + always: + type: boolean + name: + type: string + value: + type: string + type: object + type: array + hide: + items: + type: string + type: array + ignore: + items: + type: string + type: array + pass: + items: + type: string + type: array + type: object + rewritePath: + type: string + upstream: + type: string + type: object + redirect: + description: ActionRedirect defines a redirect in + an Action. + properties: + code: + type: integer + url: + type: string + type: object + return: + description: ActionReturn defines a return in an Action. + properties: + body: + type: string + code: + type: integer + type: + type: string + type: object + type: object + conditions: + items: + description: Condition defines a condition in a MatchRule. 
+ properties: + argument: + type: string + cookie: + type: string + header: + type: string + value: + type: string + variable: + type: string + type: object + type: array + splits: + items: + description: Split defines a split. + properties: + action: + description: Action defines an action. + properties: + pass: + type: string + proxy: + description: ActionProxy defines a proxy in + an Action. + properties: + requestHeaders: + description: ProxyRequestHeaders defines + the request headers manipulation in an + ActionProxy. + properties: + pass: + type: boolean + set: + items: + description: Header defines an HTTP + Header. + properties: + name: + type: string + value: + type: string + type: object + type: array + type: object + responseHeaders: + description: ProxyResponseHeaders defines + the response headers manipulation in an + ActionProxy. + properties: + add: + items: + description: AddHeader defines an + HTTP Header with an optional Always + field to use with the add_header + NGINX directive. + properties: + always: + type: boolean + name: + type: string + value: + type: string + type: object + type: array + hide: + items: + type: string + type: array + ignore: + items: + type: string + type: array + pass: + items: + type: string + type: array + type: object + rewritePath: + type: string + upstream: + type: string + type: object + redirect: + description: ActionRedirect defines a redirect + in an Action. + properties: + code: + type: integer + url: + type: string + type: object + return: + description: ActionReturn defines a return in + an Action. + properties: + body: + type: string + code: + type: integer + type: + type: string + type: object + type: object + weight: + type: integer + type: object + type: array + type: object + type: array + path: + type: string + policies: + items: + description: PolicyReference references a policy by name and + an optional namespace. 
+ properties: + name: + type: string + namespace: + type: string + type: object + type: array + route: + type: string + splits: + items: + description: Split defines a split. + properties: + action: + description: Action defines an action. + properties: + pass: + type: string + proxy: + description: ActionProxy defines a proxy in an Action. + properties: + requestHeaders: + description: ProxyRequestHeaders defines the request + headers manipulation in an ActionProxy. + properties: + pass: + type: boolean + set: + items: + description: Header defines an HTTP Header. + properties: + name: + type: string + value: + type: string + type: object + type: array + type: object + responseHeaders: + description: ProxyResponseHeaders defines the + response headers manipulation in an ActionProxy. + properties: + add: + items: + description: AddHeader defines an HTTP Header + with an optional Always field to use with + the add_header NGINX directive. + properties: + always: + type: boolean + name: + type: string + value: + type: string + type: object + type: array + hide: + items: + type: string + type: array + ignore: + items: + type: string + type: array + pass: + items: + type: string + type: array + type: object + rewritePath: + type: string + upstream: + type: string + type: object + redirect: + description: ActionRedirect defines a redirect in + an Action. + properties: + code: + type: integer + url: + type: string + type: object + return: + description: ActionReturn defines a return in an Action. + properties: + body: + type: string + code: + type: integer + type: + type: string + type: object + type: object + weight: + type: integer + type: object + type: array + type: object + type: array + server-snippets: + type: string + tls: + description: TLS defines TLS configuration for a VirtualServer. + properties: + cert-manager: + description: CertManager defines a cert manager config for a TLS. 
+ properties: + cluster-issuer: + type: string + common-name: + type: string + duration: + type: string + issuer: + type: string + issuer-group: + type: string + issuer-kind: + type: string + renew-before: + type: string + usages: + type: string + type: object + redirect: + description: TLSRedirect defines a redirect for a TLS. + properties: + basedOn: + type: string + code: + type: integer + enable: + type: boolean + type: object + secret: + type: string + type: object + upstreams: + items: + description: Upstream defines an upstream. + properties: + buffer-size: + type: string + buffering: + type: boolean + buffers: + description: UpstreamBuffers defines Buffer Configuration for + an Upstream. + properties: + number: + type: integer + size: + type: string + type: object + client-max-body-size: + type: string + connect-timeout: + type: string + fail-timeout: + type: string + healthCheck: + description: HealthCheck defines the parameters for active Upstream + HealthChecks. + properties: + connect-timeout: + type: string + enable: + type: boolean + fails: + type: integer + grpcService: + type: string + grpcStatus: + type: integer + headers: + items: + description: Header defines an HTTP Header. + properties: + name: + type: string + value: + type: string + type: object + type: array + interval: + type: string + jitter: + type: string + keepalive-time: + type: string + mandatory: + type: boolean + passes: + type: integer + path: + type: string + persistent: + type: boolean + port: + type: integer + read-timeout: + type: string + send-timeout: + type: string + statusMatch: + type: string + tls: + description: UpstreamTLS defines a TLS configuration for + an Upstream. 
+ properties: + enable: + type: boolean + type: object + type: object + keepalive: + type: integer + lb-method: + type: string + max-conns: + type: integer + max-fails: + type: integer + name: + type: string + next-upstream: + type: string + next-upstream-timeout: + type: string + next-upstream-tries: + type: integer + ntlm: + type: boolean + port: + type: integer + queue: + description: UpstreamQueue defines Queue Configuration for an + Upstream. + properties: + size: + type: integer + timeout: + type: string + type: object + read-timeout: + type: string + send-timeout: + type: string + service: + type: string + sessionCookie: + description: SessionCookie defines the parameters for session + persistence. + properties: + domain: + type: string + enable: + type: boolean + expires: + type: string + httpOnly: + type: boolean + name: + type: string + path: + type: string + samesite: + type: string + secure: + type: boolean + type: object + slow-start: + type: string + subselector: + additionalProperties: + type: string + type: object + tls: + description: UpstreamTLS defines a TLS configuration for an + Upstream. + properties: + enable: + type: boolean + type: object + type: + type: string + use-cluster-ip: + type: boolean + type: object + type: array + type: object + status: + description: VirtualServerStatus defines the status for the VirtualServer + resource. + properties: + externalEndpoints: + items: + description: ExternalEndpoint defines the IP/ Hostname and ports + used to connect to this resource. + properties: + hostname: + type: string + ip: + type: string + ports: + type: string + type: object + type: array + message: + type: string + reason: + type: string + state: + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} diff --git a/deploy/daemon-set/deploy.yaml b/deploy/daemon-set/deploy.yaml new file mode 100644 index 0000000000..3a31105f7a --- /dev/null +++ b/deploy/daemon-set/deploy.yaml 
@@ -0,0 +1,321 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: nginx-ingress +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.2.1 + name: nginx-ingress + namespace: nginx-ingress +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.2.1 + name: nginx-ingress +rules: +- apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - services + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - update + - create +- apiGroups: + - "" + resources: + - pods + verbs: + - get + - list + - watch + - update +- apiGroups: + - "" + resources: + - namespaces + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch + - list +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - list + - watch + - update + - create +- apiGroups: + - networking.k8s.io + resources: + - ingresses + verbs: + - get + - list + - watch +- apiGroups: + - networking.k8s.io + resources: + - ingressclasses + verbs: + - get +- apiGroups: + - networking.k8s.io + resources: + - ingresses/status + verbs: + - update +- apiGroups: + - k8s.nginx.org + resources: + - virtualservers + - virtualserverroutes + - globalconfigurations + - transportservers + - policies + verbs: + - list + - watch + - get +- apiGroups: + - k8s.nginx.org + resources: + - virtualservers/status + - virtualserverroutes/status + - policies/status + - transportservers/status + verbs: + - update +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: 
ClusterRoleBinding +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.2.1 + name: nginx-ingress +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: nginx-ingress +subjects: +- kind: ServiceAccount + name: nginx-ingress + namespace: nginx-ingress +--- +apiVersion: v1 +data: null +kind: ConfigMap +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.2.1 + name: nginx-ingress + namespace: nginx-ingress +--- +apiVersion: v1 +kind: ConfigMap +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.2.1 + name: nginx-ingress-leader-election + namespace: nginx-ingress +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.2.1 + name: nginx-ingress-controller + namespace: nginx-ingress +spec: + externalTrafficPolicy: Local + ports: + - name: http + port: 80 + protocol: TCP + targetPort: 80 + - name: https + port: 443 + protocol: TCP + targetPort: 443 + selector: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + type: LoadBalancer +--- +apiVersion: apps/v1 +kind: DaemonSet +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.2.1 + name: nginx-ingress-controller + namespace: nginx-ingress +spec: + selector: + matchLabels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + template: + metadata: + annotations: + prometheus.io/port: "9113" + prometheus.io/scheme: http + prometheus.io/scrape: "true" + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + spec: + automountServiceAccountToken: true + containers: 
+ - args: + - -nginx-plus=false + - -nginx-reload-timeout=60000 + - -enable-app-protect=false + - -enable-app-protect-dos=false + - -nginx-configmaps=$(POD_NAMESPACE)/nginx-ingress + - -ingress-class=nginx + - -health-status=false + - -health-status-uri=/nginx-health + - -nginx-debug=false + - -v=1 + - -nginx-status=true + - -nginx-status-port=8080 + - -nginx-status-allow-cidrs=127.0.0.1 + - -report-ingress-status + - -external-service=nginx-ingress-controller + - -enable-leader-election=true + - -leader-election-lock-name=nginx-ingress-leader-election + - -enable-prometheus-metrics=true + - -prometheus-metrics-listen-port=9113 + - -prometheus-tls-secret= + - -enable-service-insight=false + - -service-insight-listen-port=9114 + - -service-insight-tls-secret= + - -enable-custom-resources=true + - -enable-snippets=false + - -include-year=false + - -disable-ipv6=false + - -enable-tls-passthrough=false + - -enable-preview-policies=false + - -enable-cert-manager=false + - -enable-oidc=false + - -enable-external-dns=false + - -ready-status=true + - -ready-status-port=8081 + - -enable-latency-metrics=false + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + image: nginx/nginx-ingress:3.2.1 + imagePullPolicy: IfNotPresent + name: nginx-ingress + ports: + - containerPort: 80 + name: http + protocol: TCP + - containerPort: 443 + name: https + protocol: TCP + - containerPort: 9113 + name: prometheus + - containerPort: 8081 + name: readiness-port + readinessProbe: + httpGet: + path: /nginx-ready + port: readiness-port + initialDelaySeconds: 0 + periodSeconds: 1 + resources: + requests: + cpu: 100m + memory: 128Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - NET_BIND_SERVICE + drop: + - ALL + readOnlyRootFilesystem: false + runAsNonRoot: true + runAsUser: 101 + dnsPolicy: ClusterFirst + hostNetwork: false + securityContext: + 
seccompProfile: + type: RuntimeDefault + serviceAccountName: nginx-ingress + terminationGracePeriodSeconds: 30 +--- +apiVersion: networking.k8s.io/v1 +kind: IngressClass +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.2.1 + name: nginx +spec: + controller: nginx.org/ingress-controller diff --git a/deploy/default/deploy.yaml b/deploy/default/deploy.yaml new file mode 100644 index 0000000000..a943b87abd --- /dev/null +++ b/deploy/default/deploy.yaml 
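Review bot: The new deploy/daemon-set/deploy.yaml carries no provenance marker even though its shape (alphabetically ordered keys in every document, `data: null` on the ConfigMap, `nodePort: null` in the NodePort variants) suggests it is rendered from the chart rather than hand-written, so a maintainer editing it directly will have the change silently overwritten at the next regeneration. A header comment at the top of each file such as `# Code generated from the Helm chart; DO NOT EDIT. Regenerate from the chart instead.` would make that explicit, and a CI drift check that regenerates the manifests and fails on a diff would enforce it. The same applies to the deploy/default, deploy/edge, deploy/external-dns, deploy/nginx-plus and deploy/nodeport hunks, which share this layout. Separately, the container keeps `readOnlyRootFilesystem: false` while otherwise dropping all capabilities and running as UID 101 under RuntimeDefault seccomp; if this is deliberate because nginx writes its config and cache under the root filesystem, a one-line comment saying so next to the field would stop hardening reviews from re-raising it.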
@@ -0,0 +1,322 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: nginx-ingress +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.2.1 + name: nginx-ingress + namespace: nginx-ingress +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.2.1 + name: nginx-ingress +rules: +- apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - services + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - update + - create +- apiGroups: + - "" + resources: + - pods + verbs: + - get + - list + - watch + - update +- apiGroups: + - "" + resources: + - namespaces + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch + - list +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - list + - watch + - update + - create +- apiGroups: + - networking.k8s.io + resources: + - ingresses + verbs: + - get + - list + - watch +- apiGroups: + - networking.k8s.io + resources: + - ingressclasses + verbs: + - get +- apiGroups: + - networking.k8s.io + resources: + - ingresses/status + verbs: + - update +- apiGroups: + - k8s.nginx.org + resources: + - virtualservers + - virtualserverroutes + - globalconfigurations + - transportservers + - policies + verbs: + - list + - watch + - get +- apiGroups: + - k8s.nginx.org + resources: + - virtualservers/status + - virtualserverroutes/status + - policies/status + - transportservers/status + verbs: + - update +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: 
ClusterRoleBinding +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.2.1 + name: nginx-ingress +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: nginx-ingress +subjects: +- kind: ServiceAccount + name: nginx-ingress + namespace: nginx-ingress +--- +apiVersion: v1 +data: null +kind: ConfigMap +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.2.1 + name: nginx-ingress + namespace: nginx-ingress +--- +apiVersion: v1 +kind: ConfigMap +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.2.1 + name: nginx-ingress-leader-election + namespace: nginx-ingress +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.2.1 + name: nginx-ingress-controller + namespace: nginx-ingress +spec: + externalTrafficPolicy: Local + ports: + - name: http + port: 80 + protocol: TCP + targetPort: 80 + - name: https + port: 443 + protocol: TCP + targetPort: 443 + selector: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + type: LoadBalancer +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.2.1 + name: nginx-ingress-controller + namespace: nginx-ingress +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + template: + metadata: + annotations: + prometheus.io/port: "9113" + prometheus.io/scheme: http + prometheus.io/scrape: "true" + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + spec: + automountServiceAccountToken: 
true + containers: + - args: + - -nginx-plus=false + - -nginx-reload-timeout=60000 + - -enable-app-protect=false + - -enable-app-protect-dos=false + - -nginx-configmaps=$(POD_NAMESPACE)/nginx-ingress + - -ingress-class=nginx + - -health-status=false + - -health-status-uri=/nginx-health + - -nginx-debug=false + - -v=1 + - -nginx-status=true + - -nginx-status-port=8080 + - -nginx-status-allow-cidrs=127.0.0.1 + - -report-ingress-status + - -external-service=nginx-ingress-controller + - -enable-leader-election=true + - -leader-election-lock-name=nginx-ingress-leader-election + - -enable-prometheus-metrics=true + - -prometheus-metrics-listen-port=9113 + - -prometheus-tls-secret= + - -enable-service-insight=false + - -service-insight-listen-port=9114 + - -service-insight-tls-secret= + - -enable-custom-resources=true + - -enable-snippets=false + - -include-year=false + - -disable-ipv6=false + - -enable-tls-passthrough=false + - -enable-preview-policies=false + - -enable-cert-manager=false + - -enable-oidc=false + - -enable-external-dns=false + - -ready-status=true + - -ready-status-port=8081 + - -enable-latency-metrics=false + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + image: nginx/nginx-ingress:3.2.1 + imagePullPolicy: IfNotPresent + name: nginx-ingress + ports: + - containerPort: 80 + name: http + protocol: TCP + - containerPort: 443 + name: https + protocol: TCP + - containerPort: 9113 + name: prometheus + - containerPort: 8081 + name: readiness-port + readinessProbe: + httpGet: + path: /nginx-ready + port: readiness-port + initialDelaySeconds: 0 + periodSeconds: 1 + resources: + requests: + cpu: 100m + memory: 128Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - NET_BIND_SERVICE + drop: + - ALL + readOnlyRootFilesystem: false + runAsNonRoot: true + runAsUser: 101 + dnsPolicy: ClusterFirst + hostNetwork: false + 
securityContext: + seccompProfile: + type: RuntimeDefault + serviceAccountName: nginx-ingress + terminationGracePeriodSeconds: 30 +--- +apiVersion: networking.k8s.io/v1 +kind: IngressClass +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.2.1 + name: nginx +spec: + controller: nginx.org/ingress-controller diff --git a/deploy/edge/deploy.yaml b/deploy/edge/deploy.yaml new file mode 100644 index 0000000000..e815045e02 --- /dev/null +++ b/deploy/edge/deploy.yaml 
@@ -0,0 +1,323 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: nginx-ingress +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.2.1 + name: nginx-ingress + namespace: nginx-ingress +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.2.1 + name: nginx-ingress +rules: +- apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - services + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - update + - create +- apiGroups: + - "" + resources: + - pods + verbs: + - get + - list + - watch + - update +- apiGroups: + - "" + resources: + - namespaces + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch + - list +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - list + - watch + - update + - create +- apiGroups: + - networking.k8s.io + resources: + - ingresses + verbs: + - get + - list + - watch +- apiGroups: + - networking.k8s.io + resources: + - ingressclasses + verbs: + - get +- apiGroups: + - networking.k8s.io + resources: + - ingresses/status + verbs: + - update +- apiGroups: + - k8s.nginx.org + resources: + - virtualservers + - virtualserverroutes + - globalconfigurations + - transportservers + - policies + verbs: + - list + - watch + - get +- apiGroups: + - k8s.nginx.org + resources: + - virtualservers/status + - virtualserverroutes/status + - policies/status + - transportservers/status + verbs: + - update +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: 
ClusterRoleBinding +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.2.1 + name: nginx-ingress +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: nginx-ingress +subjects: +- kind: ServiceAccount + name: nginx-ingress + namespace: nginx-ingress +--- +apiVersion: v1 +data: null +kind: ConfigMap +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.2.1 + name: nginx-ingress + namespace: nginx-ingress +--- +apiVersion: v1 +kind: ConfigMap +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.2.1 + name: nginx-ingress-leader-election + namespace: nginx-ingress +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.2.1 + name: nginx-ingress-controller + namespace: nginx-ingress +spec: + externalTrafficPolicy: Local + ports: + - name: http + nodePort: null + port: 80 + protocol: TCP + targetPort: 80 + - name: https + nodePort: null + port: 443 + protocol: TCP + targetPort: 443 + selector: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + type: NodePort +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.2.1 + name: nginx-ingress-controller + namespace: nginx-ingress +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + template: + metadata: + annotations: + prometheus.io/port: "9113" + prometheus.io/scheme: http + prometheus.io/scrape: "true" + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + spec: + 
automountServiceAccountToken: true + containers: + - args: + - -nginx-plus=false + - -nginx-reload-timeout=60000 + - -enable-app-protect=false + - -enable-app-protect-dos=false + - -nginx-configmaps=$(POD_NAMESPACE)/nginx-ingress + - -ingress-class=nginx + - -health-status=false + - -health-status-uri=/nginx-health + - -nginx-debug=false + - -v=1 + - -nginx-status=true + - -nginx-status-port=8080 + - -nginx-status-allow-cidrs=127.0.0.1 + - -report-ingress-status + - -enable-leader-election=true + - -leader-election-lock-name=nginx-ingress-leader-election + - -enable-prometheus-metrics=true + - -prometheus-metrics-listen-port=9113 + - -prometheus-tls-secret= + - -enable-service-insight=false + - -service-insight-listen-port=9114 + - -service-insight-tls-secret= + - -enable-custom-resources=true + - -enable-snippets=false + - -include-year=false + - -disable-ipv6=false + - -enable-tls-passthrough=false + - -enable-preview-policies=false + - -enable-cert-manager=false + - -enable-oidc=false + - -enable-external-dns=false + - -ready-status=true + - -ready-status-port=8081 + - -enable-latency-metrics=false + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + image: nginx/nginx-ingress:edge + imagePullPolicy: IfNotPresent + name: nginx-ingress + ports: + - containerPort: 80 + name: http + protocol: TCP + - containerPort: 443 + name: https + protocol: TCP + - containerPort: 9113 + name: prometheus + - containerPort: 8081 + name: readiness-port + readinessProbe: + httpGet: + path: /nginx-ready + port: readiness-port + initialDelaySeconds: 0 + periodSeconds: 1 + resources: + requests: + cpu: 100m + memory: 128Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - NET_BIND_SERVICE + drop: + - ALL + readOnlyRootFilesystem: false + runAsNonRoot: true + runAsUser: 101 + dnsPolicy: ClusterFirst + hostNetwork: false + securityContext: + 
seccompProfile: + type: RuntimeDefault + serviceAccountName: nginx-ingress + terminationGracePeriodSeconds: 30 +--- +apiVersion: networking.k8s.io/v1 +kind: IngressClass +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.2.1 + name: nginx +spec: + controller: nginx.org/ingress-controller diff --git a/deploy/external-dns/deploy.yaml b/deploy/external-dns/deploy.yaml new file mode 100644 index 0000000000..e96dce32d9 --- /dev/null +++ b/deploy/external-dns/deploy.yaml 
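Review bot: In the Deployment of deploy/edge/deploy.yaml, `image: nginx/nginx-ingress:edge` is a floating tag but the container keeps `imagePullPolicy: IfNotPresent`, so a node that already has any cached `edge` image will keep running it after the tag moves, and different nodes can end up on different builds. For a mutable tag the policy should be `imagePullPolicy: Always`, or the image should be pinned by digest so the running build is reproducible. The `app.kubernetes.io/version: 3.2.1` labels on every document in this file also appear misleading, since the image being deployed is not the 3.2.1 release.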
@@ -0,0 +1,339 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: nginx-ingress +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.2.1 + name: nginx-ingress + namespace: nginx-ingress +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.2.1 + name: nginx-ingress +rules: +- apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - services + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - update + - create +- apiGroups: + - "" + resources: + - pods + verbs: + - get + - list + - watch + - update +- apiGroups: + - "" + resources: + - namespaces + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch + - list +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - list + - watch + - update + - create +- apiGroups: + - networking.k8s.io + resources: + - ingresses + verbs: + - get + - list + - watch +- apiGroups: + - networking.k8s.io + resources: + - ingressclasses + verbs: + - get +- apiGroups: + - networking.k8s.io + resources: + - ingresses/status + verbs: + - update +- apiGroups: + - k8s.nginx.org + resources: + - virtualservers + - virtualserverroutes + - globalconfigurations + - transportservers + - policies + verbs: + - list + - watch + - get +- apiGroups: + - k8s.nginx.org + resources: + - virtualservers/status + - virtualserverroutes/status + - policies/status + - transportservers/status + verbs: + - update +- apiGroups: + - externaldns.nginx.org + resources: + - 
dnsendpoints + verbs: + - list + - watch + - get + - update + - create + - delete +- apiGroups: + - externaldns.nginx.org + resources: + - dnsendpoints/status + verbs: + - update +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.2.1 + name: nginx-ingress +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: nginx-ingress +subjects: +- kind: ServiceAccount + name: nginx-ingress + namespace: nginx-ingress +--- +apiVersion: v1 +data: null +kind: ConfigMap +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.2.1 + name: nginx-ingress + namespace: nginx-ingress +--- +apiVersion: v1 +kind: ConfigMap +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.2.1 + name: nginx-ingress-leader-election + namespace: nginx-ingress +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.2.1 + name: nginx-ingress-controller + namespace: nginx-ingress +spec: + externalTrafficPolicy: Local + ports: + - name: http + port: 80 + protocol: TCP + targetPort: 80 + - name: https + port: 443 + protocol: TCP + targetPort: 443 + selector: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + type: LoadBalancer +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.2.1 + name: nginx-ingress-controller + namespace: nginx-ingress +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + template: + metadata: + 
annotations: + prometheus.io/port: "9113" + prometheus.io/scheme: http + prometheus.io/scrape: "true" + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + spec: + automountServiceAccountToken: true + containers: + - args: + - -nginx-plus=false + - -nginx-reload-timeout=60000 + - -enable-app-protect=false + - -enable-app-protect-dos=false + - -nginx-configmaps=$(POD_NAMESPACE)/nginx-ingress + - -ingress-class=nginx + - -health-status=false + - -health-status-uri=/nginx-health + - -nginx-debug=false + - -v=1 + - -nginx-status=true + - -nginx-status-port=8080 + - -nginx-status-allow-cidrs=127.0.0.1 + - -report-ingress-status + - -external-service=nginx-ingress-controller + - -enable-leader-election=true + - -leader-election-lock-name=nginx-ingress-leader-election + - -enable-prometheus-metrics=true + - -prometheus-metrics-listen-port=9113 + - -prometheus-tls-secret= + - -enable-service-insight=false + - -service-insight-listen-port=9114 + - -service-insight-tls-secret= + - -enable-custom-resources=true + - -enable-snippets=false + - -include-year=false + - -disable-ipv6=false + - -enable-tls-passthrough=false + - -enable-preview-policies=false + - -enable-cert-manager=false + - -enable-oidc=false + - -enable-external-dns=true + - -ready-status=true + - -ready-status-port=8081 + - -enable-latency-metrics=false + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + image: nginx/nginx-ingress:3.2.1 + imagePullPolicy: IfNotPresent + name: nginx-ingress + ports: + - containerPort: 80 + name: http + protocol: TCP + - containerPort: 443 + name: https + protocol: TCP + - containerPort: 9113 + name: prometheus + - containerPort: 8081 + name: readiness-port + readinessProbe: + httpGet: + path: /nginx-ready + port: readiness-port + initialDelaySeconds: 0 + periodSeconds: 1 + resources: + requests: + cpu: 100m + memory: 128Mi + 
securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - NET_BIND_SERVICE + drop: + - ALL + readOnlyRootFilesystem: false + runAsNonRoot: true + runAsUser: 101 + dnsPolicy: ClusterFirst + hostNetwork: false + securityContext: + seccompProfile: + type: RuntimeDefault + serviceAccountName: nginx-ingress + terminationGracePeriodSeconds: 30 +--- +apiVersion: networking.k8s.io/v1 +kind: IngressClass +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.2.1 + name: nginx +spec: + controller: nginx.org/ingress-controller diff --git a/deploy/nginx-plus/deploy.yaml b/deploy/nginx-plus/deploy.yaml new file mode 100644 index 0000000000..0eb22e6be1 --- /dev/null +++ b/deploy/nginx-plus/deploy.yaml 
@@ -0,0 +1,324 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: nginx-ingress +--- +apiVersion: v1 +imagePullSecrets: +- name: nginx-registry-credentials +kind: ServiceAccount +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.2.1 + name: nginx-ingress + namespace: nginx-ingress +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.2.1 + name: nginx-ingress +rules: +- apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - services + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - update + - create +- apiGroups: + - "" + resources: + - pods + verbs: + - get + - list + - watch + - update +- apiGroups: + - "" + resources: + - namespaces + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch + - list +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - list + - watch + - update + - create +- apiGroups: + - networking.k8s.io + resources: + - ingresses + verbs: + - get + - list + - watch +- apiGroups: + - networking.k8s.io + resources: + - ingressclasses + verbs: + - get +- apiGroups: + - networking.k8s.io + resources: + - ingresses/status + verbs: + - update +- apiGroups: + - k8s.nginx.org + resources: + - virtualservers + - virtualserverroutes + - globalconfigurations + - transportservers + - policies + verbs: + - list + - watch + - get +- apiGroups: + - k8s.nginx.org + resources: + - virtualservers/status + - virtualserverroutes/status + - policies/status + - transportservers/status + verbs: + - update +--- 
+apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.2.1 + name: nginx-ingress +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: nginx-ingress +subjects: +- kind: ServiceAccount + name: nginx-ingress + namespace: nginx-ingress +--- +apiVersion: v1 +data: null +kind: ConfigMap +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.2.1 + name: nginx-ingress + namespace: nginx-ingress +--- +apiVersion: v1 +kind: ConfigMap +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.2.1 + name: nginx-ingress-leader-election + namespace: nginx-ingress +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.2.1 + name: nginx-ingress-controller + namespace: nginx-ingress +spec: + externalTrafficPolicy: Local + ports: + - name: http + port: 80 + protocol: TCP + targetPort: 80 + - name: https + port: 443 + protocol: TCP + targetPort: 443 + selector: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + type: LoadBalancer +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.2.1 + name: nginx-ingress-controller + namespace: nginx-ingress +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + template: + metadata: + annotations: + prometheus.io/port: "9113" + prometheus.io/scheme: http + prometheus.io/scrape: "true" + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: 
nginx-ingress + spec: + automountServiceAccountToken: true + containers: + - args: + - -nginx-plus=true + - -nginx-reload-timeout=60000 + - -enable-app-protect=false + - -enable-app-protect-dos=false + - -nginx-configmaps=$(POD_NAMESPACE)/nginx-ingress + - -ingress-class=nginx + - -health-status=false + - -health-status-uri=/nginx-health + - -nginx-debug=false + - -v=1 + - -nginx-status=true + - -nginx-status-port=8080 + - -nginx-status-allow-cidrs=127.0.0.1 + - -report-ingress-status + - -external-service=nginx-ingress-controller + - -enable-leader-election=true + - -leader-election-lock-name=nginx-ingress-leader-election + - -enable-prometheus-metrics=true + - -prometheus-metrics-listen-port=9113 + - -prometheus-tls-secret= + - -enable-service-insight=false + - -service-insight-listen-port=9114 + - -service-insight-tls-secret= + - -enable-custom-resources=true + - -enable-snippets=false + - -include-year=false + - -disable-ipv6=false + - -enable-tls-passthrough=false + - -enable-preview-policies=false + - -enable-cert-manager=false + - -enable-oidc=false + - -enable-external-dns=false + - -ready-status=true + - -ready-status-port=8081 + - -enable-latency-metrics=false + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + image: private-registry.nginx.com/nginx-ic/nginx-plus-ingress:3.2.1 + imagePullPolicy: IfNotPresent + name: nginx-ingress + ports: + - containerPort: 80 + name: http + protocol: TCP + - containerPort: 443 + name: https + protocol: TCP + - containerPort: 9113 + name: prometheus + - containerPort: 8081 + name: readiness-port + readinessProbe: + httpGet: + path: /nginx-ready + port: readiness-port + initialDelaySeconds: 0 + periodSeconds: 1 + resources: + requests: + cpu: 100m + memory: 128Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - NET_BIND_SERVICE + drop: + - ALL + readOnlyRootFilesystem: false + 
runAsNonRoot: true + runAsUser: 101 + dnsPolicy: ClusterFirst + hostNetwork: false + securityContext: + seccompProfile: + type: RuntimeDefault + serviceAccountName: nginx-ingress + terminationGracePeriodSeconds: 30 +--- +apiVersion: networking.k8s.io/v1 +kind: IngressClass +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.2.1 + name: nginx +spec: + controller: nginx.org/ingress-controller diff --git a/deploy/nodeport/deploy.yaml b/deploy/nodeport/deploy.yaml new file mode 100644 index 0000000000..7e6e39ed90 --- /dev/null +++ b/deploy/nodeport/deploy.yaml 
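Review bot: The ServiceAccount document at the top of deploy/nginx-plus/deploy.yaml references `imagePullSecrets: - name: nginx-registry-credentials`, but nothing in this manifest creates that Secret, so applying the file as-is leaves the Deployment unable to pull `private-registry.nginx.com/nginx-ic/nginx-plus-ingress:3.2.1` until the credential exists in the `nginx-ingress` namespace. A comment above the ServiceAccount stating the prerequisite, e.g. `# Requires a docker-registry Secret named nginx-registry-credentials in this namespace, created out of band.`, would save a failed first deploy. Keeping the credential out of the committed manifests is the right call; the note just needs to say where it is expected to come from.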
@@ -0,0 +1,323 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: nginx-ingress +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.2.1 + name: nginx-ingress + namespace: nginx-ingress +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.2.1 + name: nginx-ingress +rules: +- apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - services + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - update + - create +- apiGroups: + - "" + resources: + - pods + verbs: + - get + - list + - watch + - update +- apiGroups: + - "" + resources: + - namespaces + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch + - list +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - list + - watch + - update + - create +- apiGroups: + - networking.k8s.io + resources: + - ingresses + verbs: + - get + - list + - watch +- apiGroups: + - networking.k8s.io + resources: + - ingressclasses + verbs: + - get +- apiGroups: + - networking.k8s.io + resources: + - ingresses/status + verbs: + - update +- apiGroups: + - k8s.nginx.org + resources: + - virtualservers + - virtualserverroutes + - globalconfigurations + - transportservers + - policies + verbs: + - list + - watch + - get +- apiGroups: + - k8s.nginx.org + resources: + - virtualservers/status + - virtualserverroutes/status + - policies/status + - transportservers/status + verbs: + - update +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: 
ClusterRoleBinding +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.2.1 + name: nginx-ingress +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: nginx-ingress +subjects: +- kind: ServiceAccount + name: nginx-ingress + namespace: nginx-ingress +--- +apiVersion: v1 +data: null +kind: ConfigMap +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.2.1 + name: nginx-ingress + namespace: nginx-ingress +--- +apiVersion: v1 +kind: ConfigMap +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.2.1 + name: nginx-ingress-leader-election + namespace: nginx-ingress +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.2.1 + name: nginx-ingress-controller + namespace: nginx-ingress +spec: + externalTrafficPolicy: Local + ports: + - name: http + nodePort: null + port: 80 + protocol: TCP + targetPort: 80 + - name: https + nodePort: null + port: 443 + protocol: TCP + targetPort: 443 + selector: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + type: NodePort +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.2.1 + name: nginx-ingress-controller + namespace: nginx-ingress +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + template: + metadata: + annotations: + prometheus.io/port: "9113" + prometheus.io/scheme: http + prometheus.io/scrape: "true" + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + spec: + 
automountServiceAccountToken: true + containers: + - args: + - -nginx-plus=false + - -nginx-reload-timeout=60000 + - -enable-app-protect=false + - -enable-app-protect-dos=false + - -nginx-configmaps=$(POD_NAMESPACE)/nginx-ingress + - -ingress-class=nginx + - -health-status=false + - -health-status-uri=/nginx-health + - -nginx-debug=false + - -v=1 + - -nginx-status=true + - -nginx-status-port=8080 + - -nginx-status-allow-cidrs=127.0.0.1 + - -report-ingress-status + - -enable-leader-election=true + - -leader-election-lock-name=nginx-ingress-leader-election + - -enable-prometheus-metrics=true + - -prometheus-metrics-listen-port=9113 + - -prometheus-tls-secret= + - -enable-service-insight=false + - -service-insight-listen-port=9114 + - -service-insight-tls-secret= + - -enable-custom-resources=true + - -enable-snippets=false + - -include-year=false + - -disable-ipv6=false + - -enable-tls-passthrough=false + - -enable-preview-policies=false + - -enable-cert-manager=false + - -enable-oidc=false + - -enable-external-dns=false + - -ready-status=true + - -ready-status-port=8081 + - -enable-latency-metrics=false + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + image: nginx/nginx-ingress:3.2.1 + imagePullPolicy: IfNotPresent + name: nginx-ingress + ports: + - containerPort: 80 + name: http + protocol: TCP + - containerPort: 443 + name: https + protocol: TCP + - containerPort: 9113 + name: prometheus + - containerPort: 8081 + name: readiness-port + readinessProbe: + httpGet: + path: /nginx-ready + port: readiness-port + initialDelaySeconds: 0 + periodSeconds: 1 + resources: + requests: + cpu: 100m + memory: 128Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - NET_BIND_SERVICE + drop: + - ALL + readOnlyRootFilesystem: false + runAsNonRoot: true + runAsUser: 101 + dnsPolicy: ClusterFirst + hostNetwork: false + securityContext: + 
seccompProfile: + type: RuntimeDefault + serviceAccountName: nginx-ingress + terminationGracePeriodSeconds: 30 +--- +apiVersion: networking.k8s.io/v1 +kind: IngressClass +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.2.1 + name: nginx +spec: + controller: nginx.org/ingress-controller diff --git a/deploy/oidc/deploy.yaml b/deploy/oidc/deploy.yaml new file mode 100644 index 0000000000..3027e98ed4 --- /dev/null +++ b/deploy/oidc/deploy.yaml 
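Review bot: The Deployment args in this hunk pass `-report-ingress-status` without an `-external-service=...` flag, whereas the LoadBalancer variants in deploy/oidc and deploy/service-insight include `-external-service=nginx-ingress-controller`; as far as I recall the controller needs an external service (or an `external-status-address` key in its ConfigMap) to have anything to write into Ingress status, so for this NodePort variant the flag is presumably a no-op — confirm that is intended, or document that `external-status-address` must be set in the `nginx-ingress` ConfigMap. The Service also emits `nodePort: null` for both ports; the API server treats that as unset, but it leaks an unrendered default into a published manifest and omitting the key reads cleaner, e.g. `- name: http` / `port: 80` / `protocol: TCP`. If these files are rendered from the chart, both changes belong in the template or the variant's values rather than in this output.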
@@ -0,0 +1,324 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: nginx-ingress +--- +apiVersion: v1 +imagePullSecrets: +- name: nginx-registry-credentials +kind: ServiceAccount +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.2.1 + name: nginx-ingress + namespace: nginx-ingress +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.2.1 + name: nginx-ingress +rules: +- apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - services + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - update + - create +- apiGroups: + - "" + resources: + - pods + verbs: + - get + - list + - watch + - update +- apiGroups: + - "" + resources: + - namespaces + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch + - list +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - list + - watch + - update + - create +- apiGroups: + - networking.k8s.io + resources: + - ingresses + verbs: + - get + - list + - watch +- apiGroups: + - networking.k8s.io + resources: + - ingressclasses + verbs: + - get +- apiGroups: + - networking.k8s.io + resources: + - ingresses/status + verbs: + - update +- apiGroups: + - k8s.nginx.org + resources: + - virtualservers + - virtualserverroutes + - globalconfigurations + - transportservers + - policies + verbs: + - list + - watch + - get +- apiGroups: + - k8s.nginx.org + resources: + - virtualservers/status + - virtualserverroutes/status + - policies/status + - transportservers/status + verbs: + - update +--- 
+apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.2.1 + name: nginx-ingress +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: nginx-ingress +subjects: +- kind: ServiceAccount + name: nginx-ingress + namespace: nginx-ingress +--- +apiVersion: v1 +data: null +kind: ConfigMap +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.2.1 + name: nginx-ingress + namespace: nginx-ingress +--- +apiVersion: v1 +kind: ConfigMap +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.2.1 + name: nginx-ingress-leader-election + namespace: nginx-ingress +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.2.1 + name: nginx-ingress-controller + namespace: nginx-ingress +spec: + externalTrafficPolicy: Local + ports: + - name: http + port: 80 + protocol: TCP + targetPort: 80 + - name: https + port: 443 + protocol: TCP + targetPort: 443 + selector: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + type: LoadBalancer +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.2.1 + name: nginx-ingress-controller + namespace: nginx-ingress +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + template: + metadata: + annotations: + prometheus.io/port: "9113" + prometheus.io/scheme: http + prometheus.io/scrape: "true" + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: 
nginx-ingress + spec: + automountServiceAccountToken: true + containers: + - args: + - -nginx-plus=true + - -nginx-reload-timeout=60000 + - -enable-app-protect=false + - -enable-app-protect-dos=false + - -nginx-configmaps=$(POD_NAMESPACE)/nginx-ingress + - -ingress-class=nginx + - -health-status=false + - -health-status-uri=/nginx-health + - -nginx-debug=false + - -v=1 + - -nginx-status=true + - -nginx-status-port=8080 + - -nginx-status-allow-cidrs=127.0.0.1 + - -report-ingress-status + - -external-service=nginx-ingress-controller + - -enable-leader-election=true + - -leader-election-lock-name=nginx-ingress-leader-election + - -enable-prometheus-metrics=true + - -prometheus-metrics-listen-port=9113 + - -prometheus-tls-secret= + - -enable-service-insight=false + - -service-insight-listen-port=9114 + - -service-insight-tls-secret= + - -enable-custom-resources=true + - -enable-snippets=false + - -include-year=false + - -disable-ipv6=false + - -enable-tls-passthrough=false + - -enable-preview-policies=false + - -enable-cert-manager=false + - -enable-oidc=true + - -enable-external-dns=false + - -ready-status=true + - -ready-status-port=8081 + - -enable-latency-metrics=false + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + image: private-registry.nginx.com/nginx-ic/nginx-plus-ingress:3.2.1 + imagePullPolicy: IfNotPresent + name: nginx-ingress + ports: + - containerPort: 80 + name: http + protocol: TCP + - containerPort: 443 + name: https + protocol: TCP + - containerPort: 9113 + name: prometheus + - containerPort: 8081 + name: readiness-port + readinessProbe: + httpGet: + path: /nginx-ready + port: readiness-port + initialDelaySeconds: 0 + periodSeconds: 1 + resources: + requests: + cpu: 100m + memory: 128Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - NET_BIND_SERVICE + drop: + - ALL + readOnlyRootFilesystem: false + 
runAsNonRoot: true + runAsUser: 101 + dnsPolicy: ClusterFirst + hostNetwork: false + securityContext: + seccompProfile: + type: RuntimeDefault + serviceAccountName: nginx-ingress + terminationGracePeriodSeconds: 30 +--- +apiVersion: networking.k8s.io/v1 +kind: IngressClass +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.2.1 + name: nginx +spec: + controller: nginx.org/ingress-controller diff --git a/deploy/read-only-fs/deploy.yaml b/deploy/read-only-fs/deploy.yaml new file mode 100644 index 0000000000..f1d3dfe1ce --- /dev/null +++ b/deploy/read-only-fs/deploy.yaml 
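Review bot: The ServiceAccount in this hunk carries `imagePullSecrets: - name: nginx-registry-credentials`, but no Secret of that name is defined anywhere in the file, so applying the manifest as-is leaves the controller pod unable to pull `private-registry.nginx.com/nginx-ic/nginx-plus-ingress:3.2.1` until that docker-registry Secret exists in the `nginx-ingress` namespace. Because a generated manifest cannot carry a comment, the pre-creation step should be stated in whatever documentation accompanies this variant, and the same presumably applies to the preceding Plus-based manifest (hunk ending at L131), whose image comes from the same registry. The OIDC-specific settings themselves look consistent: `-enable-oidc=true` is paired with `-nginx-plus=true` and `-enable-custom-resources=true`, which the feature requires.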
@@ -0,0 +1,334 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: nginx-ingress +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.2.1 + name: nginx-ingress + namespace: nginx-ingress +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.2.1 + name: nginx-ingress +rules: +- apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - services + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - update + - create +- apiGroups: + - "" + resources: + - pods + verbs: + - get + - list + - watch + - update +- apiGroups: + - "" + resources: + - namespaces + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch + - list +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - list + - watch + - update + - create +- apiGroups: + - networking.k8s.io + resources: + - ingresses + verbs: + - get + - list + - watch +- apiGroups: + - networking.k8s.io + resources: + - ingressclasses + verbs: + - get +- apiGroups: + - networking.k8s.io + resources: + - ingresses/status + verbs: + - update +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.2.1 + name: nginx-ingress +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: nginx-ingress +subjects: +- kind: ServiceAccount + name: nginx-ingress + namespace: nginx-ingress +--- 
+apiVersion: v1 +data: null +kind: ConfigMap +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.2.1 + name: nginx-ingress + namespace: nginx-ingress +--- +apiVersion: v1 +kind: ConfigMap +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.2.1 + name: nginx-ingress-leader-election + namespace: nginx-ingress +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.2.1 + name: nginx-ingress-controller + namespace: nginx-ingress +spec: + externalTrafficPolicy: Local + ports: + - name: http + port: 80 + protocol: TCP + targetPort: 80 + - name: https + port: 443 + protocol: TCP + targetPort: 443 + selector: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + type: LoadBalancer +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.2.1 + name: nginx-ingress-controller + namespace: nginx-ingress +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + template: + metadata: + annotations: + prometheus.io/port: "9113" + prometheus.io/scheme: http + prometheus.io/scrape: "true" + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + spec: + automountServiceAccountToken: true + containers: + - args: + - -nginx-plus=false + - -nginx-reload-timeout=60000 + - -enable-app-protect=false + - -enable-app-protect-dos=false + - -nginx-configmaps=$(POD_NAMESPACE)/nginx-ingress + - -ingress-class=nginx + - -health-status=false + - -health-status-uri=/nginx-health + - -nginx-debug=false + - -v=1 + - -nginx-status=true + - 
-nginx-status-port=8080 + - -nginx-status-allow-cidrs=127.0.0.1 + - -report-ingress-status + - -external-service=nginx-ingress-controller + - -enable-leader-election=true + - -leader-election-lock-name=nginx-ingress-leader-election + - -enable-prometheus-metrics=true + - -prometheus-metrics-listen-port=9113 + - -prometheus-tls-secret= + - -enable-service-insight=false + - -service-insight-listen-port=9114 + - -service-insight-tls-secret= + - -enable-custom-resources=false + - -enable-snippets=false + - -include-year=false + - -disable-ipv6=false + - -ready-status=true + - -ready-status-port=8081 + - -enable-latency-metrics=false + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + image: nginx/nginx-ingress:3.2.1 + imagePullPolicy: IfNotPresent + name: nginx-ingress + ports: + - containerPort: 80 + name: http + protocol: TCP + - containerPort: 443 + name: https + protocol: TCP + - containerPort: 9113 + name: prometheus + - containerPort: 8081 + name: readiness-port + readinessProbe: + httpGet: + path: /nginx-ready + port: readiness-port + initialDelaySeconds: 0 + periodSeconds: 1 + resources: + requests: + cpu: 100m + memory: 128Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - NET_BIND_SERVICE + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 101 + volumeMounts: + - mountPath: /etc/nginx + name: nginx-etc + - mountPath: /var/cache/nginx + name: nginx-cache + - mountPath: /var/lib/nginx + name: nginx-lib + - mountPath: /var/log/nginx + name: nginx-log + dnsPolicy: ClusterFirst + hostNetwork: false + initContainers: + - command: + - cp + - -vdR + - /etc/nginx/. 
+ - /mnt/etc + image: nginx/nginx-ingress:3.2.1 + imagePullPolicy: IfNotPresent + name: init-nginx-ingress + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 101 + volumeMounts: + - mountPath: /mnt/etc + name: nginx-etc + securityContext: + seccompProfile: + type: RuntimeDefault + serviceAccountName: nginx-ingress + terminationGracePeriodSeconds: 30 + volumes: + - emptyDir: {} + name: nginx-etc + - emptyDir: {} + name: nginx-cache + - emptyDir: {} + name: nginx-lib + - emptyDir: {} + name: nginx-log +--- +apiVersion: networking.k8s.io/v1 +kind: IngressClass +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.2.1 + name: nginx +spec: + controller: nginx.org/ingress-controller diff --git a/deploy/service-insight/deploy.yaml b/deploy/service-insight/deploy.yaml new file mode 100644 index 0000000000..e3991f1465 --- /dev/null +++ b/deploy/service-insight/deploy.yaml 
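Review bot: The four `emptyDir: {}` volumes backing /etc/nginx, /var/cache/nginx, /var/lib/nginx and /var/log/nginx have no `sizeLimit`, and the Deployment sets only `resources.requests`, so in this read-only-root variant the writable scratch space is bounded only by the node's ephemeral storage and a cache or log burst can evict this pod or its neighbours. Giving each volume a bound keeps the failure local, e.g. `- emptyDir:` / `    sizeLimit: 1Gi` / `  name: nginx-cache` (the size is a constructed placeholder to be tuned per volume). The init-container pattern is sound: it copies the image's /etc/nginx into the emptyDir with all capabilities dropped, a read-only root and the same non-root UID as the main container, and the pod-level `seccompProfile: RuntimeDefault` covers both containers.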
@@ -0,0 +1,322 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: nginx-ingress +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.2.1 + name: nginx-ingress + namespace: nginx-ingress +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.2.1 + name: nginx-ingress +rules: +- apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - services + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - update + - create +- apiGroups: + - "" + resources: + - pods + verbs: + - get + - list + - watch + - update +- apiGroups: + - "" + resources: + - namespaces + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch + - list +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - list + - watch + - update + - create +- apiGroups: + - networking.k8s.io + resources: + - ingresses + verbs: + - get + - list + - watch +- apiGroups: + - networking.k8s.io + resources: + - ingressclasses + verbs: + - get +- apiGroups: + - networking.k8s.io + resources: + - ingresses/status + verbs: + - update +- apiGroups: + - k8s.nginx.org + resources: + - virtualservers + - virtualserverroutes + - globalconfigurations + - transportservers + - policies + verbs: + - list + - watch + - get +- apiGroups: + - k8s.nginx.org + resources: + - virtualservers/status + - virtualserverroutes/status + - policies/status + - transportservers/status + verbs: + - update +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: 
ClusterRoleBinding +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.2.1 + name: nginx-ingress +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: nginx-ingress +subjects: +- kind: ServiceAccount + name: nginx-ingress + namespace: nginx-ingress +--- +apiVersion: v1 +data: null +kind: ConfigMap +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.2.1 + name: nginx-ingress + namespace: nginx-ingress +--- +apiVersion: v1 +kind: ConfigMap +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.2.1 + name: nginx-ingress-leader-election + namespace: nginx-ingress +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.2.1 + name: nginx-ingress-controller + namespace: nginx-ingress +spec: + externalTrafficPolicy: Local + ports: + - name: http + port: 80 + protocol: TCP + targetPort: 80 + - name: https + port: 443 + protocol: TCP + targetPort: 443 + selector: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + type: LoadBalancer +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.2.1 + name: nginx-ingress-controller + namespace: nginx-ingress +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + template: + metadata: + annotations: + prometheus.io/port: "9113" + prometheus.io/scheme: http + prometheus.io/scrape: "true" + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + spec: + automountServiceAccountToken: 
true + containers: + - args: + - -nginx-plus=true + - -nginx-reload-timeout=60000 + - -enable-app-protect=false + - -enable-app-protect-dos=false + - -nginx-configmaps=$(POD_NAMESPACE)/nginx-ingress + - -ingress-class=nginx + - -health-status=false + - -health-status-uri=/nginx-health + - -nginx-debug=false + - -v=1 + - -nginx-status=true + - -nginx-status-port=8080 + - -nginx-status-allow-cidrs=127.0.0.1 + - -report-ingress-status + - -external-service=nginx-ingress-controller + - -enable-leader-election=true + - -leader-election-lock-name=nginx-ingress-leader-election + - -enable-prometheus-metrics=true + - -prometheus-metrics-listen-port=9113 + - -prometheus-tls-secret= + - -enable-service-insight=false + - -service-insight-listen-port=9114 + - -service-insight-tls-secret= + - -enable-custom-resources=true + - -enable-snippets=false + - -include-year=false + - -disable-ipv6=false + - -enable-tls-passthrough=false + - -enable-preview-policies=false + - -enable-cert-manager=false + - -enable-oidc=false + - -enable-external-dns=false + - -ready-status=true + - -ready-status-port=8081 + - -enable-latency-metrics=false + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + image: nginx/nginx-ingress:3.2.1 + imagePullPolicy: IfNotPresent + name: nginx-ingress + ports: + - containerPort: 80 + name: http + protocol: TCP + - containerPort: 443 + name: https + protocol: TCP + - containerPort: 9113 + name: prometheus + - containerPort: 8081 + name: readiness-port + readinessProbe: + httpGet: + path: /nginx-ready + port: readiness-port + initialDelaySeconds: 0 + periodSeconds: 1 + resources: + requests: + cpu: 100m + memory: 128Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - NET_BIND_SERVICE + drop: + - ALL + readOnlyRootFilesystem: false + runAsNonRoot: true + runAsUser: 101 + dnsPolicy: ClusterFirst + hostNetwork: false + 
securityContext: + seccompProfile: + type: RuntimeDefault + serviceAccountName: nginx-ingress + terminationGracePeriodSeconds: 30 +--- +apiVersion: networking.k8s.io/v1 +kind: IngressClass +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.2.1 + name: nginx +spec: + controller: nginx.org/ingress-controller diff --git a/deployments/common/crds/appprotectdos.f5.com_dosprotectedresources.yaml b/deployments/common/crds/appprotectdos.f5.com_dosprotectedresources.yaml deleted file mode 100644 index 53a51c4939..0000000000 --- a/deployments/common/crds/appprotectdos.f5.com_dosprotectedresources.yaml +++ /dev/null 
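Review bot: The Deployment in this hunk runs with `-enable-service-insight=false` and exposes no port 9114, so the deploy/service-insight variant is functionally identical to a plain Plus deployment and does not enable the feature its directory name promises; if the file is rendered from the chart, the variant's values presumably did not take effect. Enabling it means `- -enable-service-insight=true` in args plus a `- containerPort: 9114` / `name: service-insight` entry under ports. Note that `-service-insight-tls-secret=` is left empty, so once enabled the endpoint — which reports per-upstream health data — would be served over plain HTTP; a TLS secret should be supplied in the same change, and the endpoint kept off any externally reachable Service.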
@@ -1,81 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.13.0 - name: dosprotectedresources.appprotectdos.f5.com -spec: - group: appprotectdos.f5.com - names: - kind: DosProtectedResource - listKind: DosProtectedResourceList - plural: dosprotectedresources - shortNames: - - pr - singular: dosprotectedresource - scope: Namespaced - versions: - - name: v1beta1 - schema: - openAPIV3Schema: - description: DosProtectedResource defines a Dos protected resource. - type: object - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: DosProtectedResourceSpec defines the properties and values a DosProtectedResource can have. - type: object - properties: - apDosMonitor: - description: 'ApDosMonitor is how NGINX App Protect DoS monitors the stress level of the protected object. The monitor requests are sent from localhost (127.0.0.1). Default value: URI - None, protocol - http1, timeout - NGINX App Protect DoS default.' - type: object - properties: - protocol: - description: Protocol determines if the server listens on http1 / http2 / grpc / websocket. The default is http1. 
- type: string - enum: - - http1 - - http2 - - grpc - - websocket - timeout: - description: Timeout determines how long (in seconds) should NGINX App Protect DoS wait for a response. Default is 10 seconds for http1/http2 and 5 seconds for grpc. - type: integer - format: int64 - uri: - description: 'URI is the destination to the desired protected object in the nginx.conf:' - type: string - apDosPolicy: - description: ApDosPolicy is the namespace/name of a ApDosPolicy resource - type: string - dosAccessLogDest: - description: DosAccessLogDest is the network address for the access logs - type: string - dosSecurityLog: - description: DosSecurityLog defines the security log of the DosProtectedResource. - type: object - properties: - apDosLogConf: - description: ApDosLogConf is the namespace/name of a APDosLogConf resource - type: string - dosLogDest: - description: DosLogDest is the network address of a logging service, can be either IP or DNS name. - type: string - enable: - description: Enable enables the security logging feature if set to true - type: boolean - enable: - description: Enable enables the DOS feature if set to true - type: boolean - name: - description: Name is the name of protected object, max of 63 characters. - type: string - served: true - storage: true diff --git a/deployments/common/crds/externaldns.nginx.org_dnsendpoints.yaml b/deployments/common/crds/externaldns.nginx.org_dnsendpoints.yaml deleted file mode 100644 index 82790713bf..0000000000 --- a/deployments/common/crds/externaldns.nginx.org_dnsendpoints.yaml +++ /dev/null 
@@ -1,84 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.13.0 - name: dnsendpoints.externaldns.nginx.org -spec: - group: externaldns.nginx.org - names: - kind: DNSEndpoint - listKind: DNSEndpointList - plural: dnsendpoints - singular: dnsendpoint - scope: Namespaced - versions: - - name: v1 - schema: - openAPIV3Schema: - description: DNSEndpoint is the CRD wrapper for Endpoint - type: object - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: DNSEndpointSpec holds information about endpoints. - type: object - properties: - endpoints: - type: array - items: - description: Endpoint describes DNS Endpoint. - type: object - properties: - dnsName: - description: The hostname for the DNS record - type: string - labels: - description: Labels stores labels defined for the Endpoint - type: object - additionalProperties: - type: string - providerSpecific: - description: ProviderSpecific stores provider specific config - type: array - items: - description: ProviderSpecificProperty represents provider specific config property. 
- type: object - properties: - name: - description: Name of the property - type: string - value: - description: Value of the property - type: string - recordTTL: - description: TTL for the record - type: integer - format: int64 - recordType: - description: RecordType type of record, e.g. CNAME, A, SRV, TXT, MX - type: string - targets: - description: The targets the DNS service points to - type: array - items: - type: string - status: - description: DNSEndpointStatus represents generation observed by the external dns controller. - type: object - properties: - observedGeneration: - description: The generation observed by by the external-dns controller. - type: integer - format: int64 - served: true - storage: true - subresources: - status: {} diff --git a/deployments/common/crds/k8s.nginx.org_globalconfigurations.yaml b/deployments/common/crds/k8s.nginx.org_globalconfigurations.yaml deleted file mode 100644 index d4448bfbc9..0000000000 --- a/deployments/common/crds/k8s.nginx.org_globalconfigurations.yaml +++ /dev/null 
@@ -1,49 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.13.0 - name: globalconfigurations.k8s.nginx.org -spec: - group: k8s.nginx.org - names: - kind: GlobalConfiguration - listKind: GlobalConfigurationList - plural: globalconfigurations - shortNames: - - gc - singular: globalconfiguration - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: GlobalConfiguration defines the GlobalConfiguration resource. - type: object - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: GlobalConfigurationSpec is the spec of the GlobalConfiguration resource. - type: object - properties: - listeners: - type: array - items: - description: Listener defines a listener. - type: object - properties: - name: - type: string - port: - type: integer - protocol: - type: string - served: true - storage: true diff --git a/deployments/common/crds/k8s.nginx.org_policies.yaml b/deployments/common/crds/k8s.nginx.org_policies.yaml deleted file mode 100644 index 907c22a88f..0000000000 --- a/deployments/common/crds/k8s.nginx.org_policies.yaml +++ /dev/null 
@@ -1,303 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.13.0 - name: policies.k8s.nginx.org -spec: - group: k8s.nginx.org - names: - kind: Policy - listKind: PolicyList - plural: policies - shortNames: - - pol - singular: policy - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: Current state of the Policy. If the resource has a valid status, it means it has been validated and accepted by the Ingress Controller. - jsonPath: .status.state - name: State - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1 - schema: - openAPIV3Schema: - description: Policy defines a Policy for VirtualServer and VirtualServerRoute resources. - type: object - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: PolicySpec is the spec of the Policy resource. The spec includes multiple fields, where each field represents a different policy. Only one policy (field) is allowed. - type: object - properties: - accessControl: - description: AccessControl defines an access policy based on the source IP of a request. 
- type: object - properties: - allow: - type: array - items: - type: string - deny: - type: array - items: - type: string - basicAuth: - description: 'BasicAuth holds HTTP Basic authentication configuration policy status: preview' - type: object - properties: - realm: - type: string - secret: - type: string - egressMTLS: - description: EgressMTLS defines an Egress MTLS policy. - type: object - properties: - ciphers: - type: string - protocols: - type: string - serverName: - type: boolean - sessionReuse: - type: boolean - sslName: - type: string - tlsSecret: - type: string - trustedCertSecret: - type: string - verifyDepth: - type: integer - verifyServer: - type: boolean - ingressClassName: - type: string - ingressMTLS: - description: IngressMTLS defines an Ingress MTLS policy. - type: object - properties: - clientCertSecret: - type: string - crlFileName: - type: string - verifyClient: - type: string - verifyDepth: - type: integer - jwt: - description: JWTAuth holds JWT authentication configuration. - type: object - properties: - jwksURI: - type: string - keyCache: - type: string - realm: - type: string - secret: - type: string - token: - type: string - oidc: - description: OIDC defines an Open ID Connect policy. - type: object - properties: - accessTokenEnable: - type: boolean - authEndpoint: - type: string - authExtraArgs: - type: array - items: - type: string - clientID: - type: string - clientSecret: - type: string - jwksURI: - type: string - redirectURI: - type: string - scope: - type: string - tokenEndpoint: - type: string - zoneSyncLeeway: - type: integer - rateLimit: - description: RateLimit defines a rate limit policy. - type: object - properties: - burst: - type: integer - delay: - type: integer - dryRun: - type: boolean - key: - type: string - logLevel: - type: string - noDelay: - type: boolean - rate: - type: string - rejectCode: - type: integer - zoneSize: - type: string - waf: - description: WAF defines an WAF policy. 
- type: object - properties: - apBundle: - type: string - apPolicy: - type: string - enable: - type: boolean - securityLog: - description: SecurityLog defines the security log of a WAF policy. - type: object - properties: - apLogConf: - type: string - enable: - type: boolean - logDest: - type: string - securityLogs: - type: array - items: - description: SecurityLog defines the security log of a WAF policy. - type: object - properties: - apLogConf: - type: string - enable: - type: boolean - logDest: - type: string - status: - description: PolicyStatus is the status of the policy resource - type: object - properties: - message: - type: string - reason: - type: string - state: - type: string - served: true - storage: true - subresources: - status: {} - - name: v1alpha1 - schema: - openAPIV3Schema: - description: Policy defines a Policy for VirtualServer and VirtualServerRoute resources. - type: object - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: PolicySpec is the spec of the Policy resource. The spec includes multiple fields, where each field represents a different policy. Only one policy (field) is allowed. - type: object - properties: - accessControl: - description: AccessControl defines an access policy based on the source IP of a request. 
- type: object - properties: - allow: - type: array - items: - type: string - deny: - type: array - items: - type: string - egressMTLS: - description: EgressMTLS defines an Egress MTLS policy. - type: object - properties: - ciphers: - type: string - protocols: - type: string - serverName: - type: boolean - sessionReuse: - type: boolean - sslName: - type: string - tlsSecret: - type: string - trustedCertSecret: - type: string - verifyDepth: - type: integer - verifyServer: - type: boolean - ingressMTLS: - description: IngressMTLS defines an Ingress MTLS policy. - type: object - properties: - clientCertSecret: - type: string - verifyClient: - type: string - verifyDepth: - type: integer - jwt: - description: JWTAuth holds JWT authentication configuration. - type: object - properties: - realm: - type: string - secret: - type: string - token: - type: string - rateLimit: - description: RateLimit defines a rate limit policy. - type: object - properties: - burst: - type: integer - delay: - type: integer - dryRun: - type: boolean - key: - type: string - logLevel: - type: string - noDelay: - type: boolean - rate: - type: string - rejectCode: - type: integer - zoneSize: - type: string - served: true - storage: false diff --git a/deployments/common/crds/k8s.nginx.org_transportservers.yaml b/deployments/common/crds/k8s.nginx.org_transportservers.yaml deleted file mode 100644 index b1448e9e3b..0000000000 --- a/deployments/common/crds/k8s.nginx.org_transportservers.yaml +++ /dev/null 
@@ -1,156 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.13.0 - name: transportservers.k8s.nginx.org -spec: - group: k8s.nginx.org - names: - kind: TransportServer - listKind: TransportServerList - plural: transportservers - shortNames: - - ts - singular: transportserver - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: Current state of the TransportServer. If the resource has a valid status, it means it has been validated and accepted by the Ingress Controller. - jsonPath: .status.state - name: State - type: string - - jsonPath: .status.reason - name: Reason - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha1 - schema: - openAPIV3Schema: - description: TransportServer defines the TransportServer resource. - type: object - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: TransportServerSpec is the spec of the TransportServer resource. - type: object - properties: - action: - description: Action defines an action. - type: object - properties: - pass: - type: string - host: - type: string - ingressClassName: - type: string - listener: - description: TransportServerListener defines a listener for a TransportServer. 
- type: object - properties: - name: - type: string - protocol: - type: string - serverSnippets: - type: string - sessionParameters: - description: SessionParameters defines session parameters. - type: object - properties: - timeout: - type: string - streamSnippets: - type: string - tls: - description: TLS defines TLS configuration for a TransportServer. - type: object - properties: - secret: - type: string - upstreamParameters: - description: UpstreamParameters defines parameters for an upstream. - type: object - properties: - connectTimeout: - type: string - nextUpstream: - type: boolean - nextUpstreamTimeout: - type: string - nextUpstreamTries: - type: integer - udpRequests: - type: integer - udpResponses: - type: integer - upstreams: - type: array - items: - description: Upstream defines an upstream. - type: object - properties: - failTimeout: - type: string - healthCheck: - description: HealthCheck defines the parameters for active Upstream HealthChecks. - type: object - properties: - enable: - type: boolean - fails: - type: integer - interval: - type: string - jitter: - type: string - match: - description: Match defines the parameters of a custom health check. - type: object - properties: - expect: - type: string - send: - type: string - passes: - type: integer - port: - type: integer - timeout: - type: string - loadBalancingMethod: - type: string - maxConns: - type: integer - maxFails: - type: integer - name: - type: string - port: - type: integer - service: - type: string - status: - description: TransportServerStatus defines the status for the TransportServer resource. - type: object - properties: - message: - type: string - reason: - type: string - state: - type: string - served: true - storage: true - subresources: - status: {} diff --git a/deployments/common/crds/k8s.nginx.org_virtualserverroutes.yaml b/deployments/common/crds/k8s.nginx.org_virtualserverroutes.yaml deleted file mode 100644 index d21640a398..0000000000 
--- a/deployments/common/crds/k8s.nginx.org_virtualserverroutes.yaml +++ /dev/null 
@@ -1,638 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.13.0 - name: virtualserverroutes.k8s.nginx.org -spec: - group: k8s.nginx.org - names: - kind: VirtualServerRoute - listKind: VirtualServerRouteList - plural: virtualserverroutes - shortNames: - - vsr - singular: virtualserverroute - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: Current state of the VirtualServerRoute. If the resource has a valid status, it means it has been validated and accepted by the Ingress Controller. - jsonPath: .status.state - name: State - type: string - - jsonPath: .spec.host - name: Host - type: string - - jsonPath: .status.externalEndpoints[*].ip - name: IP - type: string - - jsonPath: .status.externalEndpoints[*].hostname - name: ExternalHostname - priority: 1 - type: string - - jsonPath: .status.externalEndpoints[*].ports - name: Ports - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1 - schema: - openAPIV3Schema: - description: VirtualServerRoute defines the VirtualServerRoute resource. - type: object - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: VirtualServerRouteSpec is the spec of the VirtualServerRoute resource. 
- type: object - properties: - host: - type: string - ingressClassName: - type: string - subroutes: - type: array - items: - description: Route defines a route. - type: object - properties: - action: - description: Action defines an action. - type: object - properties: - pass: - type: string - proxy: - description: ActionProxy defines a proxy in an Action. - type: object - properties: - requestHeaders: - description: ProxyRequestHeaders defines the request headers manipulation in an ActionProxy. - type: object - properties: - pass: - type: boolean - set: - type: array - items: - description: Header defines an HTTP Header. - type: object - properties: - name: - type: string - value: - type: string - responseHeaders: - description: ProxyResponseHeaders defines the response headers manipulation in an ActionProxy. - type: object - properties: - add: - type: array - items: - description: AddHeader defines an HTTP Header with an optional Always field to use with the add_header NGINX directive. - type: object - properties: - always: - type: boolean - name: - type: string - value: - type: string - hide: - type: array - items: - type: string - ignore: - type: array - items: - type: string - pass: - type: array - items: - type: string - rewritePath: - type: string - upstream: - type: string - redirect: - description: ActionRedirect defines a redirect in an Action. - type: object - properties: - code: - type: integer - url: - type: string - return: - description: ActionReturn defines a return in an Action. - type: object - properties: - body: - type: string - code: - type: integer - type: - type: string - dos: - type: string - errorPages: - type: array - items: - description: ErrorPage defines an ErrorPage in a Route. - type: object - properties: - codes: - type: array - items: - type: integer - redirect: - description: ErrorPageRedirect defines a redirect for an ErrorPage. 
- type: object - properties: - code: - type: integer - url: - type: string - return: - description: ErrorPageReturn defines a return for an ErrorPage. - type: object - properties: - body: - type: string - code: - type: integer - headers: - type: array - items: - description: Header defines an HTTP Header. - type: object - properties: - name: - type: string - value: - type: string - type: - type: string - location-snippets: - type: string - matches: - type: array - items: - description: Match defines a match. - type: object - properties: - action: - description: Action defines an action. - type: object - properties: - pass: - type: string - proxy: - description: ActionProxy defines a proxy in an Action. - type: object - properties: - requestHeaders: - description: ProxyRequestHeaders defines the request headers manipulation in an ActionProxy. - type: object - properties: - pass: - type: boolean - set: - type: array - items: - description: Header defines an HTTP Header. - type: object - properties: - name: - type: string - value: - type: string - responseHeaders: - description: ProxyResponseHeaders defines the response headers manipulation in an ActionProxy. - type: object - properties: - add: - type: array - items: - description: AddHeader defines an HTTP Header with an optional Always field to use with the add_header NGINX directive. - type: object - properties: - always: - type: boolean - name: - type: string - value: - type: string - hide: - type: array - items: - type: string - ignore: - type: array - items: - type: string - pass: - type: array - items: - type: string - rewritePath: - type: string - upstream: - type: string - redirect: - description: ActionRedirect defines a redirect in an Action. - type: object - properties: - code: - type: integer - url: - type: string - return: - description: ActionReturn defines a return in an Action. 
- type: object - properties: - body: - type: string - code: - type: integer - type: - type: string - conditions: - type: array - items: - description: Condition defines a condition in a MatchRule. - type: object - properties: - argument: - type: string - cookie: - type: string - header: - type: string - value: - type: string - variable: - type: string - splits: - type: array - items: - description: Split defines a split. - type: object - properties: - action: - description: Action defines an action. - type: object - properties: - pass: - type: string - proxy: - description: ActionProxy defines a proxy in an Action. - type: object - properties: - requestHeaders: - description: ProxyRequestHeaders defines the request headers manipulation in an ActionProxy. - type: object - properties: - pass: - type: boolean - set: - type: array - items: - description: Header defines an HTTP Header. - type: object - properties: - name: - type: string - value: - type: string - responseHeaders: - description: ProxyResponseHeaders defines the response headers manipulation in an ActionProxy. - type: object - properties: - add: - type: array - items: - description: AddHeader defines an HTTP Header with an optional Always field to use with the add_header NGINX directive. - type: object - properties: - always: - type: boolean - name: - type: string - value: - type: string - hide: - type: array - items: - type: string - ignore: - type: array - items: - type: string - pass: - type: array - items: - type: string - rewritePath: - type: string - upstream: - type: string - redirect: - description: ActionRedirect defines a redirect in an Action. - type: object - properties: - code: - type: integer - url: - type: string - return: - description: ActionReturn defines a return in an Action. 
- type: object - properties: - body: - type: string - code: - type: integer - type: - type: string - weight: - type: integer - path: - type: string - policies: - type: array - items: - description: PolicyReference references a policy by name and an optional namespace. - type: object - properties: - name: - type: string - namespace: - type: string - route: - type: string - splits: - type: array - items: - description: Split defines a split. - type: object - properties: - action: - description: Action defines an action. - type: object - properties: - pass: - type: string - proxy: - description: ActionProxy defines a proxy in an Action. - type: object - properties: - requestHeaders: - description: ProxyRequestHeaders defines the request headers manipulation in an ActionProxy. - type: object - properties: - pass: - type: boolean - set: - type: array - items: - description: Header defines an HTTP Header. - type: object - properties: - name: - type: string - value: - type: string - responseHeaders: - description: ProxyResponseHeaders defines the response headers manipulation in an ActionProxy. - type: object - properties: - add: - type: array - items: - description: AddHeader defines an HTTP Header with an optional Always field to use with the add_header NGINX directive. - type: object - properties: - always: - type: boolean - name: - type: string - value: - type: string - hide: - type: array - items: - type: string - ignore: - type: array - items: - type: string - pass: - type: array - items: - type: string - rewritePath: - type: string - upstream: - type: string - redirect: - description: ActionRedirect defines a redirect in an Action. - type: object - properties: - code: - type: integer - url: - type: string - return: - description: ActionReturn defines a return in an Action. 
- type: object - properties: - body: - type: string - code: - type: integer - type: - type: string - weight: - type: integer - upstreams: - type: array - items: - description: Upstream defines an upstream. - type: object - properties: - buffer-size: - type: string - buffering: - type: boolean - buffers: - description: UpstreamBuffers defines Buffer Configuration for an Upstream. - type: object - properties: - number: - type: integer - size: - type: string - client-max-body-size: - type: string - connect-timeout: - type: string - fail-timeout: - type: string - healthCheck: - description: HealthCheck defines the parameters for active Upstream HealthChecks. - type: object - properties: - connect-timeout: - type: string - enable: - type: boolean - fails: - type: integer - grpcService: - type: string - grpcStatus: - type: integer - headers: - type: array - items: - description: Header defines an HTTP Header. - type: object - properties: - name: - type: string - value: - type: string - interval: - type: string - jitter: - type: string - keepalive-time: - type: string - mandatory: - type: boolean - passes: - type: integer - path: - type: string - persistent: - type: boolean - port: - type: integer - read-timeout: - type: string - send-timeout: - type: string - statusMatch: - type: string - tls: - description: UpstreamTLS defines a TLS configuration for an Upstream. - type: object - properties: - enable: - type: boolean - keepalive: - type: integer - lb-method: - type: string - max-conns: - type: integer - max-fails: - type: integer - name: - type: string - next-upstream: - type: string - next-upstream-timeout: - type: string - next-upstream-tries: - type: integer - ntlm: - type: boolean - port: - type: integer - queue: - description: UpstreamQueue defines Queue Configuration for an Upstream. 
- type: object - properties: - size: - type: integer - timeout: - type: string - read-timeout: - type: string - send-timeout: - type: string - service: - type: string - sessionCookie: - description: SessionCookie defines the parameters for session persistence. - type: object - properties: - domain: - type: string - enable: - type: boolean - expires: - type: string - httpOnly: - type: boolean - name: - type: string - path: - type: string - samesite: - type: string - secure: - type: boolean - slow-start: - type: string - subselector: - type: object - additionalProperties: - type: string - tls: - description: UpstreamTLS defines a TLS configuration for an Upstream. - type: object - properties: - enable: - type: boolean - type: - type: string - use-cluster-ip: - type: boolean - status: - description: VirtualServerRouteStatus defines the status for the VirtualServerRoute resource. - type: object - properties: - externalEndpoints: - type: array - items: - description: ExternalEndpoint defines the IP/ Hostname and ports used to connect to this resource. - type: object - properties: - hostname: - type: string - ip: - type: string - ports: - type: string - message: - type: string - reason: - type: string - referencedBy: - type: string - state: - type: string - served: true - storage: true - subresources: - status: {} diff --git a/deployments/common/crds/k8s.nginx.org_virtualservers.yaml b/deployments/common/crds/k8s.nginx.org_virtualservers.yaml deleted file mode 100644 index f0095f4dd6..0000000000 --- a/deployments/common/crds/k8s.nginx.org_virtualservers.yaml +++ /dev/null 
@@ -1,723 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.13.0 - name: virtualservers.k8s.nginx.org -spec: - group: k8s.nginx.org - names: - kind: VirtualServer - listKind: VirtualServerList - plural: virtualservers - shortNames: - - vs - singular: virtualserver - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: Current state of the VirtualServer. If the resource has a valid status, it means it has been validated and accepted by the Ingress Controller. - jsonPath: .status.state - name: State - type: string - - jsonPath: .spec.host - name: Host - type: string - - jsonPath: .status.externalEndpoints[*].ip - name: IP - type: string - - jsonPath: .status.externalEndpoints[*].hostname - name: ExternalHostname - priority: 1 - type: string - - jsonPath: .status.externalEndpoints[*].ports - name: Ports - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1 - schema: - openAPIV3Schema: - description: VirtualServer defines the VirtualServer resource. - type: object - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: VirtualServerSpec is the spec of the VirtualServer resource. 
- type: object - properties: - dos: - type: string - externalDNS: - description: ExternalDNS defines externaldns sub-resource of a virtual server. - type: object - properties: - enable: - type: boolean - labels: - description: Labels stores labels defined for the Endpoint - type: object - additionalProperties: - type: string - providerSpecific: - description: ProviderSpecific stores provider specific config - type: array - items: - description: ProviderSpecificProperty defines specific property for using with ExternalDNS sub-resource. - type: object - properties: - name: - description: Name of the property - type: string - value: - description: Value of the property - type: string - recordTTL: - description: TTL for the record - type: integer - format: int64 - recordType: - type: string - gunzip: - type: boolean - host: - type: string - http-snippets: - type: string - ingressClassName: - type: string - internalRoute: - description: InternalRoute allows for the configuration of internal routing. - type: boolean - policies: - type: array - items: - description: PolicyReference references a policy by name and an optional namespace. - type: object - properties: - name: - type: string - namespace: - type: string - routes: - type: array - items: - description: Route defines a route. - type: object - properties: - action: - description: Action defines an action. - type: object - properties: - pass: - type: string - proxy: - description: ActionProxy defines a proxy in an Action. - type: object - properties: - requestHeaders: - description: ProxyRequestHeaders defines the request headers manipulation in an ActionProxy. - type: object - properties: - pass: - type: boolean - set: - type: array - items: - description: Header defines an HTTP Header. - type: object - properties: - name: - type: string - value: - type: string - responseHeaders: - description: ProxyResponseHeaders defines the response headers manipulation in an ActionProxy. 
- type: object - properties: - add: - type: array - items: - description: AddHeader defines an HTTP Header with an optional Always field to use with the add_header NGINX directive. - type: object - properties: - always: - type: boolean - name: - type: string - value: - type: string - hide: - type: array - items: - type: string - ignore: - type: array - items: - type: string - pass: - type: array - items: - type: string - rewritePath: - type: string - upstream: - type: string - redirect: - description: ActionRedirect defines a redirect in an Action. - type: object - properties: - code: - type: integer - url: - type: string - return: - description: ActionReturn defines a return in an Action. - type: object - properties: - body: - type: string - code: - type: integer - type: - type: string - dos: - type: string - errorPages: - type: array - items: - description: ErrorPage defines an ErrorPage in a Route. - type: object - properties: - codes: - type: array - items: - type: integer - redirect: - description: ErrorPageRedirect defines a redirect for an ErrorPage. - type: object - properties: - code: - type: integer - url: - type: string - return: - description: ErrorPageReturn defines a return for an ErrorPage. - type: object - properties: - body: - type: string - code: - type: integer - headers: - type: array - items: - description: Header defines an HTTP Header. - type: object - properties: - name: - type: string - value: - type: string - type: - type: string - location-snippets: - type: string - matches: - type: array - items: - description: Match defines a match. - type: object - properties: - action: - description: Action defines an action. - type: object - properties: - pass: - type: string - proxy: - description: ActionProxy defines a proxy in an Action. - type: object - properties: - requestHeaders: - description: ProxyRequestHeaders defines the request headers manipulation in an ActionProxy. 
- type: object - properties: - pass: - type: boolean - set: - type: array - items: - description: Header defines an HTTP Header. - type: object - properties: - name: - type: string - value: - type: string - responseHeaders: - description: ProxyResponseHeaders defines the response headers manipulation in an ActionProxy. - type: object - properties: - add: - type: array - items: - description: AddHeader defines an HTTP Header with an optional Always field to use with the add_header NGINX directive. - type: object - properties: - always: - type: boolean - name: - type: string - value: - type: string - hide: - type: array - items: - type: string - ignore: - type: array - items: - type: string - pass: - type: array - items: - type: string - rewritePath: - type: string - upstream: - type: string - redirect: - description: ActionRedirect defines a redirect in an Action. - type: object - properties: - code: - type: integer - url: - type: string - return: - description: ActionReturn defines a return in an Action. - type: object - properties: - body: - type: string - code: - type: integer - type: - type: string - conditions: - type: array - items: - description: Condition defines a condition in a MatchRule. - type: object - properties: - argument: - type: string - cookie: - type: string - header: - type: string - value: - type: string - variable: - type: string - splits: - type: array - items: - description: Split defines a split. - type: object - properties: - action: - description: Action defines an action. - type: object - properties: - pass: - type: string - proxy: - description: ActionProxy defines a proxy in an Action. - type: object - properties: - requestHeaders: - description: ProxyRequestHeaders defines the request headers manipulation in an ActionProxy. - type: object - properties: - pass: - type: boolean - set: - type: array - items: - description: Header defines an HTTP Header. 
- type: object - properties: - name: - type: string - value: - type: string - responseHeaders: - description: ProxyResponseHeaders defines the response headers manipulation in an ActionProxy. - type: object - properties: - add: - type: array - items: - description: AddHeader defines an HTTP Header with an optional Always field to use with the add_header NGINX directive. - type: object - properties: - always: - type: boolean - name: - type: string - value: - type: string - hide: - type: array - items: - type: string - ignore: - type: array - items: - type: string - pass: - type: array - items: - type: string - rewritePath: - type: string - upstream: - type: string - redirect: - description: ActionRedirect defines a redirect in an Action. - type: object - properties: - code: - type: integer - url: - type: string - return: - description: ActionReturn defines a return in an Action. - type: object - properties: - body: - type: string - code: - type: integer - type: - type: string - weight: - type: integer - path: - type: string - policies: - type: array - items: - description: PolicyReference references a policy by name and an optional namespace. - type: object - properties: - name: - type: string - namespace: - type: string - route: - type: string - splits: - type: array - items: - description: Split defines a split. - type: object - properties: - action: - description: Action defines an action. - type: object - properties: - pass: - type: string - proxy: - description: ActionProxy defines a proxy in an Action. - type: object - properties: - requestHeaders: - description: ProxyRequestHeaders defines the request headers manipulation in an ActionProxy. - type: object - properties: - pass: - type: boolean - set: - type: array - items: - description: Header defines an HTTP Header. - type: object - properties: - name: - type: string - value: - type: string - responseHeaders: - description: ProxyResponseHeaders defines the response headers manipulation in an ActionProxy. 
- type: object - properties: - add: - type: array - items: - description: AddHeader defines an HTTP Header with an optional Always field to use with the add_header NGINX directive. - type: object - properties: - always: - type: boolean - name: - type: string - value: - type: string - hide: - type: array - items: - type: string - ignore: - type: array - items: - type: string - pass: - type: array - items: - type: string - rewritePath: - type: string - upstream: - type: string - redirect: - description: ActionRedirect defines a redirect in an Action. - type: object - properties: - code: - type: integer - url: - type: string - return: - description: ActionReturn defines a return in an Action. - type: object - properties: - body: - type: string - code: - type: integer - type: - type: string - weight: - type: integer - server-snippets: - type: string - tls: - description: TLS defines TLS configuration for a VirtualServer. - type: object - properties: - cert-manager: - description: CertManager defines a cert manager config for a TLS. - type: object - properties: - cluster-issuer: - type: string - common-name: - type: string - duration: - type: string - issuer: - type: string - issuer-group: - type: string - issuer-kind: - type: string - renew-before: - type: string - usages: - type: string - redirect: - description: TLSRedirect defines a redirect for a TLS. - type: object - properties: - basedOn: - type: string - code: - type: integer - enable: - type: boolean - secret: - type: string - upstreams: - type: array - items: - description: Upstream defines an upstream. - type: object - properties: - buffer-size: - type: string - buffering: - type: boolean - buffers: - description: UpstreamBuffers defines Buffer Configuration for an Upstream. 
- type: object - properties: - number: - type: integer - size: - type: string - client-max-body-size: - type: string - connect-timeout: - type: string - fail-timeout: - type: string - healthCheck: - description: HealthCheck defines the parameters for active Upstream HealthChecks. - type: object - properties: - connect-timeout: - type: string - enable: - type: boolean - fails: - type: integer - grpcService: - type: string - grpcStatus: - type: integer - headers: - type: array - items: - description: Header defines an HTTP Header. - type: object - properties: - name: - type: string - value: - type: string - interval: - type: string - jitter: - type: string - keepalive-time: - type: string - mandatory: - type: boolean - passes: - type: integer - path: - type: string - persistent: - type: boolean - port: - type: integer - read-timeout: - type: string - send-timeout: - type: string - statusMatch: - type: string - tls: - description: UpstreamTLS defines a TLS configuration for an Upstream. - type: object - properties: - enable: - type: boolean - keepalive: - type: integer - lb-method: - type: string - max-conns: - type: integer - max-fails: - type: integer - name: - type: string - next-upstream: - type: string - next-upstream-timeout: - type: string - next-upstream-tries: - type: integer - ntlm: - type: boolean - port: - type: integer - queue: - description: UpstreamQueue defines Queue Configuration for an Upstream. - type: object - properties: - size: - type: integer - timeout: - type: string - read-timeout: - type: string - send-timeout: - type: string - service: - type: string - sessionCookie: - description: SessionCookie defines the parameters for session persistence. 
- type: object - properties: - domain: - type: string - enable: - type: boolean - expires: - type: string - httpOnly: - type: boolean - name: - type: string - path: - type: string - samesite: - type: string - secure: - type: boolean - slow-start: - type: string - subselector: - type: object - additionalProperties: - type: string - tls: - description: UpstreamTLS defines a TLS configuration for an Upstream. - type: object - properties: - enable: - type: boolean - type: - type: string - use-cluster-ip: - type: boolean - status: - description: VirtualServerStatus defines the status for the VirtualServer resource. - type: object - properties: - externalEndpoints: - type: array - items: - description: ExternalEndpoint defines the IP/ Hostname and ports used to connect to this resource. - type: object - properties: - hostname: - type: string - ip: - type: string - ports: - type: string - message: - type: string - reason: - type: string - state: - type: string - served: true - storage: true - subresources: - status: {} diff --git a/deployments/common/ingress-class.yaml b/deployments/common/ingress-class.yaml deleted file mode 100644 index 51045d723e..0000000000 --- a/deployments/common/ingress-class.yaml +++ /dev/null @@ -1,8 +0,0 @@ -apiVersion: networking.k8s.io/v1 -kind: IngressClass -metadata: - name: nginx - # annotations: - # ingressclass.kubernetes.io/is-default-class: "true" -spec: - controller: nginx.org/ingress-controller diff --git a/deployments/common/nginx-config.yaml b/deployments/common/nginx-config.yaml deleted file mode 100644 index a6a6c812b5..0000000000 --- a/deployments/common/nginx-config.yaml +++ /dev/null @@ -1,6 +0,0 @@ -kind: ConfigMap -apiVersion: v1 -metadata: - name: nginx-config - namespace: nginx-ingress -data: diff --git a/deployments/common/ns-and-sa.yaml b/deployments/common/ns-and-sa.yaml deleted file mode 100644 index b7316e6f30..0000000000 --- a/deployments/common/ns-and-sa.yaml +++ /dev/null 
@@ -1,11 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
- name: nginx-ingress
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: nginx-ingress
- namespace: nginx-ingress
-#automountServiceAccountToken: false
diff --git a/deployments/daemon-set/nginx-ingress.yaml b/deployments/daemon-set/nginx-ingress.yaml
deleted file mode 100644
index 200e90b6f9..0000000000
--- a/deployments/daemon-set/nginx-ingress.yaml
+++ /dev/null
@@ -1,113 +0,0 @@ -apiVersion: apps/v1 -kind: DaemonSet -metadata: - name: nginx-ingress - namespace: nginx-ingress -spec: - selector: - matchLabels: - app: nginx-ingress - template: - metadata: - labels: - app: nginx-ingress - app.kubernetes.io/name: nginx-ingress - #annotations: - #prometheus.io/scrape: "true" - #prometheus.io/port: "9113" - #prometheus.io/scheme: http - spec: - serviceAccountName: nginx-ingress - automountServiceAccountToken: true - securityContext: - seccompProfile: - type: RuntimeDefault -# volumes: -# - name: nginx-etc -# emptyDir: {} -# - name: nginx-cache -# emptyDir: {} -# - name: nginx-lib -# emptyDir: {} -# - name: nginx-log -# emptyDir: {} - containers: - - image: nginx/nginx-ingress:3.2.1 - imagePullPolicy: IfNotPresent - name: nginx-ingress - ports: - - name: http - containerPort: 80 - hostPort: 80 - - name: https - containerPort: 443 - hostPort: 443 - - name: readiness-port - containerPort: 8081 - - name: prometheus - containerPort: 9113 - readinessProbe: - httpGet: - path: /nginx-ready - port: readiness-port - periodSeconds: 1 - resources: - requests: - cpu: "100m" - memory: "128Mi" - #limits: - # cpu: "1" - # memory: "1Gi" - securityContext: - allowPrivilegeEscalation: false -# readOnlyRootFilesystem: true - runAsUser: 101 #nginx - runAsNonRoot: true - capabilities: - drop: - - ALL - add: - - NET_BIND_SERVICE -# volumeMounts: -# - mountPath: /etc/nginx -# name: nginx-etc -# - mountPath: /var/cache/nginx -# name: nginx-cache -# - mountPath: /var/lib/nginx -# name: nginx-lib -# - mountPath: /var/log/nginx -# name: nginx-log - env: - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - args: - - -nginx-configmaps=$(POD_NAMESPACE)/nginx-config - #- -default-server-tls-secret=$(POD_NAMESPACE)/default-server-secret - #- -include-year - #- -v=3 # Enables extensive logging. Useful for troubleshooting. 
- #- -report-ingress-status - #- -external-service=nginx-ingress - #- -enable-prometheus-metrics - #- -global-configuration=$(POD_NAMESPACE)/nginx-configuration -# initContainers: -# - image: nginx/nginx-ingress:3.2.1 -# imagePullPolicy: IfNotPresent -# name: init-nginx-ingress -# command: ['cp', '-vdR', '/etc/nginx/.', '/mnt/etc'] -# securityContext: -# allowPrivilegeEscalation: false -# readOnlyRootFilesystem: true -# runAsUser: 101 #nginx -# runAsNonRoot: true -# capabilities: -# drop: -# - ALL -# volumeMounts: -# - mountPath: /mnt/etc -# name: nginx-etc diff --git a/deployments/daemon-set/nginx-plus-ingress.yaml b/deployments/daemon-set/nginx-plus-ingress.yaml deleted file mode 100644 index 117a076b4f..0000000000 --- a/deployments/daemon-set/nginx-plus-ingress.yaml +++ /dev/null 
@@ -1,116 +0,0 @@ -apiVersion: apps/v1 -kind: DaemonSet -metadata: - name: nginx-ingress - namespace: nginx-ingress -spec: - selector: - matchLabels: - app: nginx-ingress - template: - metadata: - labels: - app: nginx-ingress - app.kubernetes.io/name: nginx-ingress - #annotations: - #prometheus.io/scrape: "true" - #prometheus.io/port: "9113" - #prometheus.io/scheme: http - spec: - serviceAccountName: nginx-ingress - automountServiceAccountToken: true - securityContext: - seccompProfile: - type: RuntimeDefault -# volumes: -# - name: nginx-etc -# emptyDir: {} -# - name: nginx-cache -# emptyDir: {} -# - name: nginx-lib -# emptyDir: {} -# - name: nginx-log -# emptyDir: {} - containers: - - image: nginx-plus-ingress:3.2.1 - imagePullPolicy: IfNotPresent - name: nginx-plus-ingress - ports: - - name: http - containerPort: 80 - hostPort: 80 - - name: https - containerPort: 443 - hostPort: 443 - - name: readiness-port - containerPort: 8081 - - name: prometheus - containerPort: 9113 - readinessProbe: - httpGet: - path: /nginx-ready - port: readiness-port - periodSeconds: 1 - resources: - requests: - cpu: "100m" - memory: "128Mi" - #limits: - # cpu: "1" - # memory: "1Gi" - securityContext: - allowPrivilegeEscalation: false -# readOnlyRootFilesystem: true - runAsUser: 101 #nginx - runAsNonRoot: true - capabilities: - drop: - - ALL - add: - - NET_BIND_SERVICE -# volumeMounts: -# - mountPath: /etc/nginx -# name: nginx-etc -# - mountPath: /var/cache/nginx -# name: nginx-cache -# - mountPath: /var/lib/nginx -# name: nginx-lib -# - mountPath: /var/log/nginx -# name: nginx-log - env: - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - args: - - -nginx-plus - - -nginx-configmaps=$(POD_NAMESPACE)/nginx-config - #- -default-server-tls-secret=$(POD_NAMESPACE)/default-server-secret - #- -include-year - #- -enable-app-protect - #- -enable-app-protect-dos - #- -v=3 # Enables extensive 
logging. Useful for troubleshooting. - #- -report-ingress-status - #- -external-service=nginx-ingress - #- -enable-prometheus-metrics - #- -global-configuration=$(POD_NAMESPACE)/nginx-configuration -# initContainers: -# - image: nginx/nginx-ingress:3.2.1 -# imagePullPolicy: IfNotPresent -# name: init-nginx-ingress -# command: ['cp', '-vdR', '/etc/nginx/.', '/mnt/etc'] -# securityContext: -# allowPrivilegeEscalation: false -# readOnlyRootFilesystem: true -# runAsUser: 101 #nginx -# runAsNonRoot: true -# capabilities: -# drop: -# - ALL -# volumeMounts: -# - mountPath: /mnt/etc -# name: nginx-etc diff --git a/deployments/deployment/appprotect-dos-arb.yaml b/deployments/deployment/appprotect-dos-arb.yaml deleted file mode 100644 index 8186592688..0000000000 --- a/deployments/deployment/appprotect-dos-arb.yaml +++ /dev/null @@ -1,31 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: appprotect-dos-arb - namespace: nginx-ingress -spec: - replicas: 1 - selector: - matchLabels: - app: appprotect-dos-arb - template: - metadata: - labels: - app: appprotect-dos-arb - spec: - containers: - - name: appprotect-dos-arb - image: docker-registry.nginx.com/nap-dos/app_protect_dos_arb:1.1.1 - imagePullPolicy: IfNotPresent - resources: - limits: - memory: "128Mi" - cpu: "500m" - ports: - - containerPort: 3000 - securityContext: - allowPrivilegeEscalation: false - runAsUser: 1001 - capabilities: - drop: - - ALL diff --git a/deployments/deployment/nginx-ingress.yaml b/deployments/deployment/nginx-ingress.yaml deleted file mode 100644 index 9c667ce5d3..0000000000 --- a/deployments/deployment/nginx-ingress.yaml +++ /dev/null 
@@ -1,114 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: nginx-ingress - namespace: nginx-ingress -spec: - replicas: 1 - selector: - matchLabels: - app: nginx-ingress - template: - metadata: - labels: - app: nginx-ingress - app.kubernetes.io/name: nginx-ingress - #annotations: - #prometheus.io/scrape: "true" - #prometheus.io/port: "9113" - #prometheus.io/scheme: http - spec: - serviceAccountName: nginx-ingress - automountServiceAccountToken: true - securityContext: - seccompProfile: - type: RuntimeDefault -# volumes: -# - name: nginx-etc -# emptyDir: {} -# - name: nginx-cache -# emptyDir: {} -# - name: nginx-lib -# emptyDir: {} -# - name: nginx-log -# emptyDir: {} - containers: - - image: nginx/nginx-ingress:3.2.1 - imagePullPolicy: IfNotPresent - name: nginx-ingress - ports: - - name: http - containerPort: 80 - - name: https - containerPort: 443 - - name: readiness-port - containerPort: 8081 - - name: prometheus - containerPort: 9113 - readinessProbe: - httpGet: - path: /nginx-ready - port: readiness-port - periodSeconds: 1 - resources: - requests: - cpu: "100m" - memory: "128Mi" - #limits: - # cpu: "1" - # memory: "1Gi" - securityContext: - allowPrivilegeEscalation: false -# readOnlyRootFilesystem: true - runAsUser: 101 #nginx - runAsNonRoot: true - capabilities: - drop: - - ALL - add: - - NET_BIND_SERVICE -# volumeMounts: -# - mountPath: /etc/nginx -# name: nginx-etc -# - mountPath: /var/cache/nginx -# name: nginx-cache -# - mountPath: /var/lib/nginx -# name: nginx-lib -# - mountPath: /var/log/nginx -# name: nginx-log - env: - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - args: - - -nginx-configmaps=$(POD_NAMESPACE)/nginx-config - #- -default-server-tls-secret=$(POD_NAMESPACE)/default-server-secret - #- -include-year - #- -enable-cert-manager - #- -enable-external-dns - #- -v=3 # Enables extensive logging. Useful for troubleshooting. 
- #- -report-ingress-status - #- -external-service=nginx-ingress - #- -enable-prometheus-metrics - #- -global-configuration=$(POD_NAMESPACE)/nginx-configuration -# initContainers: -# - image: nginx/nginx-ingress:3.2.1 -# imagePullPolicy: IfNotPresent -# name: init-nginx-ingress -# command: ['cp', '-vdR', '/etc/nginx/.', '/mnt/etc'] -# securityContext: -# allowPrivilegeEscalation: false -# readOnlyRootFilesystem: true -# runAsUser: 101 #nginx -# runAsNonRoot: true -# capabilities: -# drop: -# - ALL -# volumeMounts: -# - mountPath: /mnt/etc -# name: nginx-etc diff --git a/deployments/deployment/nginx-plus-ingress.yaml b/deployments/deployment/nginx-plus-ingress.yaml deleted file mode 100644 index 175de1cf26..0000000000 --- a/deployments/deployment/nginx-plus-ingress.yaml +++ /dev/null 
@@ -1,120 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: nginx-ingress - namespace: nginx-ingress -spec: - replicas: 1 - selector: - matchLabels: - app: nginx-ingress - template: - metadata: - labels: - app: nginx-ingress - app.kubernetes.io/name: nginx-ingress - #annotations: - #prometheus.io/scrape: "true" - #prometheus.io/port: "9113" - #prometheus.io/scheme: http - spec: - serviceAccountName: nginx-ingress - automountServiceAccountToken: true - securityContext: - seccompProfile: - type: RuntimeDefault -# volumes: -# - name: nginx-etc -# emptyDir: {} -# - name: nginx-cache -# emptyDir: {} -# - name: nginx-lib -# emptyDir: {} -# - name: nginx-log -# emptyDir: {} - containers: - - image: nginx-plus-ingress:3.2.1 - imagePullPolicy: IfNotPresent - name: nginx-plus-ingress - ports: - - name: http - containerPort: 80 - - name: https - containerPort: 443 - - name: readiness-port - containerPort: 8081 - - name: prometheus - containerPort: 9113 - - name: service-insight - containerPort: 9114 - readinessProbe: - httpGet: - path: /nginx-ready - port: readiness-port - periodSeconds: 1 - resources: - requests: - cpu: "100m" - memory: "128Mi" - #limits: - # cpu: "1" - # memory: "1Gi" - securityContext: - allowPrivilegeEscalation: false -# readOnlyRootFilesystem: true - runAsUser: 101 #nginx - runAsNonRoot: true - capabilities: - drop: - - ALL - add: - - NET_BIND_SERVICE -# volumeMounts: -# - mountPath: /etc/nginx -# name: nginx-etc -# - mountPath: /var/cache/nginx -# name: nginx-cache -# - mountPath: /var/lib/nginx -# name: nginx-lib -# - mountPath: /var/log/nginx -# name: nginx-log - env: - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - args: - - -nginx-plus - - -nginx-configmaps=$(POD_NAMESPACE)/nginx-config - #- -default-server-tls-secret=$(POD_NAMESPACE)/default-server-secret - #- -include-year - #- -enable-cert-manager - #- -enable-external-dns - #- 
-enable-app-protect - #- -enable-app-protect-dos - #- -v=3 # Enables extensive logging. Useful for troubleshooting. - #- -report-ingress-status - #- -external-service=nginx-ingress - #- -enable-prometheus-metrics - #- -enable-service-insight - #- -global-configuration=$(POD_NAMESPACE)/nginx-configuration -# initContainers: -# - image: nginx/nginx-ingress:3.2.1 -# imagePullPolicy: IfNotPresent -# name: init-nginx-ingress -# command: ['cp', '-vdR', '/etc/nginx/.', '/mnt/etc'] -# securityContext: -# allowPrivilegeEscalation: false -# readOnlyRootFilesystem: true -# runAsUser: 101 #nginx -# runAsNonRoot: true -# capabilities: -# drop: -# - ALL -# volumeMounts: -# - mountPath: /mnt/etc -# name: nginx-etc diff --git a/deployments/helm-chart/crds/appprotect.f5.com_aplogconfs.yaml b/deployments/helm-chart/crds/appprotect.f5.com_aplogconfs.yaml deleted file mode 100644 index 53b7fb40d7..0000000000 --- a/deployments/helm-chart/crds/appprotect.f5.com_aplogconfs.yaml +++ /dev/null 
@@ -1,80 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.10.0 - creationTimestamp: null - name: aplogconfs.appprotect.f5.com -spec: - group: appprotect.f5.com - names: - kind: APLogConf - listKind: APLogConfList - plural: aplogconfs - singular: aplogconf - preserveUnknownFields: false - scope: Namespaced - versions: - - name: v1beta1 - schema: - openAPIV3Schema: - description: APLogConf is the Schema for the APLogConfs API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: APLogConfSpec defines the desired state of APLogConf - properties: - content: - properties: - escaping_characters: - items: - properties: - from: - type: string - to: - type: string - type: object - type: array - format: - enum: - - splunk - - arcsight - - default - - user-defined - - grpc - type: string - format_string: - type: string - list_delimiter: - type: string - list_prefix: - type: string - list_suffix: - type: string - max_message_size: - pattern: ^([1-9]|[1-5][0-9]|6[0-4])k$ - type: string - max_request_size: - pattern: ^([1-9]|[1-9][0-9]|[1-9][0-9]{2}|1[0-9]{3}|20[1-3][0-9]|204[1-8]|any)$ - type: string - type: object - filter: - properties: - request_type: - enum: - - all - - illegal - - blocked - type: string - type: object - type: object - type: object - served: true - storage: true diff --git a/deployments/helm-chart/crds/appprotect.f5.com_appolicies.yaml b/deployments/helm-chart/crds/appprotect.f5.com_appolicies.yaml deleted file mode 100644 index 8c494414cb..0000000000 --- a/deployments/helm-chart/crds/appprotect.f5.com_appolicies.yaml +++ /dev/null 
@@ -1,1903 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.10.0 - creationTimestamp: null - name: appolicies.appprotect.f5.com -spec: - group: appprotect.f5.com - names: - kind: APPolicy - listKind: APPolicyList - plural: appolicies - singular: appolicy - preserveUnknownFields: false - scope: Namespaced - versions: - - name: v1beta1 - schema: - openAPIV3Schema: - description: APPolicyConfig is the Schema for the APPolicyconfigs API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: APPolicySpec defines the desired state of APPolicy - properties: - modifications: - items: - properties: - action: - type: string - description: - type: string - entity: - properties: - name: - type: string - type: object - entityChanges: - properties: - type: - type: string - type: object - type: object - x-kubernetes-preserve-unknown-fields: true - type: array - modificationsReference: - properties: - link: - pattern: ^http - type: string - type: object - policy: - description: Defines the App Protect policy - properties: - applicationLanguage: - enum: - - iso-8859-10 - - iso-8859-6 - - windows-1255 - - auto-detect - - koi8-r - - gb18030 - - iso-8859-8 - - windows-1250 - - iso-8859-9 - - windows-1252 - - iso-8859-16 - - gb2312 - - iso-8859-2 - - iso-8859-5 - - windows-1257 - - windows-1256 - - iso-8859-13 - - windows-874 - - windows-1253 - - iso-8859-3 - - euc-jp - - utf-8 - - gbk - - windows-1251 - - big5 - - iso-8859-1 - - shift_jis - - euc-kr - - iso-8859-4 - - iso-8859-7 - - iso-8859-15 - type: string - blocking-settings: - properties: - evasions: - items: - properties: - description: - enum: - - '%u decoding' - - Apache whitespace - - Bad unescape - - Bare byte decoding - - Directory traversals - - IIS backslashes - - IIS Unicode codepoints - - Multiple decoding - type: string - enabled: - type: boolean - maxDecodingPasses: - type: integer - type: object - type: array - http-protocols: - items: - properties: - description: - enum: - - Unescaped space in URL - - Unparsable request content - - Several Content-Length headers - - 'POST request with Content-Length: 0' - - Null in request - - No Host header in HTTP/1.1 request - - Multiple host headers - - Host header contains IP address - - High ASCII characters in headers - - Header name with no header value - - CRLF characters before request 
start - - Content length should be a positive number - - Chunked request with Content-Length header - - Check maximum number of parameters - - Check maximum number of headers - - Body in GET or HEAD requests - - Bad multipart/form-data request parsing - - Bad multipart parameters parsing - - Bad HTTP version - - Bad host header value - type: string - enabled: - type: boolean - maxHeaders: - type: integer - maxParams: - type: integer - type: object - type: array - violations: - items: - properties: - alarm: - type: boolean - block: - type: boolean - description: - type: string - name: - enum: - - VIOL_GRPC_FORMAT - - VIOL_GRPC_MALFORMED - - VIOL_GRPC_METHOD - - VIOL_PARAMETER_ARRAY_VALUE - - VIOL_PARAMETER_VALUE_REGEXP - - VIOL_CSRF - - VIOL_PARAMETER_VALUE_BASE64 - - VIOL_MANDATORY_HEADER - - VIOL_HEADER_REPEATED - - VIOL_ASM_COOKIE_MODIFIED - - VIOL_BLACKLISTED_IP - - VIOL_COOKIE_EXPIRED - - VIOL_COOKIE_LENGTH - - VIOL_COOKIE_MALFORMED - - VIOL_COOKIE_MODIFIED - - VIOL_DATA_GUARD - - VIOL_ENCODING - - VIOL_EVASION - - VIOL_FILETYPE - - VIOL_FILE_UPLOAD - - VIOL_FILE_UPLOAD_IN_BODY - - VIOL_HEADER_LENGTH - - VIOL_HEADER_METACHAR - - VIOL_HTTP_PROTOCOL - - VIOL_HTTP_RESPONSE_STATUS - - VIOL_JSON_FORMAT - - VIOL_JSON_MALFORMED - - VIOL_JSON_SCHEMA - - VIOL_MANDATORY_PARAMETER - - VIOL_MANDATORY_REQUEST_BODY - - VIOL_METHOD - - VIOL_PARAMETER - - VIOL_PARAMETER_DATA_TYPE - - VIOL_PARAMETER_EMPTY_VALUE - - VIOL_PARAMETER_LOCATION - - VIOL_PARAMETER_MULTIPART_NULL_VALUE - - VIOL_PARAMETER_NAME_METACHAR - - VIOL_PARAMETER_NUMERIC_VALUE - - VIOL_PARAMETER_REPEATED - - VIOL_PARAMETER_STATIC_VALUE - - VIOL_PARAMETER_VALUE_LENGTH - - VIOL_PARAMETER_VALUE_METACHAR - - VIOL_POST_DATA_LENGTH - - VIOL_QUERY_STRING_LENGTH - - VIOL_RATING_THREAT - - VIOL_RATING_NEED_EXAMINATION - - VIOL_REQUEST_MAX_LENGTH - - VIOL_REQUEST_LENGTH - - VIOL_THREAT_CAMPAIGN - - VIOL_URL - - VIOL_URL_CONTENT_TYPE - - VIOL_URL_LENGTH - - VIOL_URL_METACHAR - - VIOL_XML_FORMAT - - VIOL_XML_MALFORMED - 
type: string - type: object - type: array - type: object - blockingSettingReference: - properties: - link: - pattern: ^http - type: string - type: object - bot-defense: - properties: - mitigations: - properties: - anomalies: - items: - properties: - $action: - enum: - - delete - type: string - action: - enum: - - alarm - - block - - default - - detect - - ignore - type: string - name: - type: string - scoreThreshold: - pattern: '[0-9]|[1-9][0-9]|1[0-4][0-9]|150|default' - type: string - type: object - type: array - browsers: - items: - properties: - $action: - enum: - - delete - type: string - action: - enum: - - alarm - - block - - detect - type: string - browserDefinition: - properties: - $action: - enum: - - delete - type: string - isUserDefined: - type: boolean - matchRegex: - type: string - matchString: - type: string - name: - type: string - type: object - maxVersion: - maximum: 2147483647 - minimum: 0 - type: integer - minVersion: - maximum: 2147483647 - minimum: 0 - type: integer - name: - type: string - type: object - type: array - classes: - items: - properties: - action: - enum: - - alarm - - block - - detect - - ignore - type: string - name: - enum: - - browser - - malicious-bot - - suspicious-browser - - trusted-bot - - unknown - - untrusted-bot - type: string - type: object - type: array - signatures: - items: - properties: - $action: - enum: - - delete - type: string - action: - enum: - - alarm - - block - - detect - - ignore - type: string - name: - type: string - type: object - type: array - type: object - settings: - properties: - caseSensitiveHttpHeaders: - type: boolean - isEnabled: - type: boolean - type: object - type: object - browser-definitions: - items: - properties: - $action: - enum: - - delete - type: string - isUserDefined: - type: boolean - matchRegex: - type: string - matchString: - type: string - name: - type: string - type: object - type: array - caseInsensitive: - type: boolean - character-sets: - items: - properties: - 
characterSet: - items: - properties: - isAllowed: - type: boolean - metachar: - type: string - type: object - type: array - characterSetType: - enum: - - gwt-content - - header - - json-content - - parameter-name - - parameter-value - - plain-text-content - - url - - xml-content - type: string - type: object - type: array - characterSetReference: - properties: - link: - pattern: ^http - type: string - type: object - cookie-settings: - properties: - maximumCookieHeaderLength: - pattern: any|\d+ - type: string - type: object - cookieReference: - properties: - link: - pattern: ^http - type: string - type: object - cookieSettingsReference: - properties: - link: - pattern: ^http - type: string - type: object - cookies: - items: - properties: - $action: - enum: - - delete - type: string - accessibleOnlyThroughTheHttpProtocol: - type: boolean - attackSignaturesCheck: - type: boolean - decodeValueAsBase64: - enum: - - enabled - - disabled - - required - type: string - enforcementType: - type: string - insertSameSiteAttribute: - enum: - - lax - - none - - none-value - - strict - type: string - name: - type: string - securedOverHttpsConnection: - type: boolean - signatureOverrides: - items: - properties: - enabled: - type: boolean - name: - type: string - signatureId: - type: integer - tag: - type: string - type: object - type: array - type: - enum: - - explicit - - wildcard - type: string - wildcardOrder: - type: integer - type: object - type: array - csrf-protection: - properties: - enabled: - type: boolean - expirationTimeInSeconds: - pattern: disabled|\d+ - type: string - sslOnly: - type: boolean - type: object - csrf-urls: - items: - properties: - $action: - enum: - - delete - type: string - enforcementAction: - enum: - - verify-origin - - none - type: string - method: - enum: - - GET - - POST - - any - type: string - url: - type: string - wildcardOrder: - type: integer - type: object - type: array - data-guard: - properties: - creditCardNumbers: - type: boolean - 
enabled: - type: boolean - enforcementMode: - enum: - - ignore-urls-in-list - - enforce-urls-in-list - type: string - enforcementUrls: - items: - type: string - type: array - lastCcnDigitsToExpose: - type: integer - lastSsnDigitsToExpose: - type: integer - maskData: - type: boolean - usSocialSecurityNumbers: - type: boolean - type: object - dataGuardReference: - properties: - link: - pattern: ^http - type: string - type: object - description: - type: string - enablePassiveMode: - type: boolean - enforcementMode: - enum: - - transparent - - blocking - type: string - enforcer-settings: - properties: - enforcerStateCookies: - properties: - httpOnlyAttribute: - type: boolean - sameSiteAttribute: - enum: - - lax - - none - - none-value - - strict - type: string - secureAttribute: - enum: - - always - - never - type: string - type: object - type: object - filetypeReference: - properties: - link: - pattern: ^http - type: string - type: object - filetypes: - items: - properties: - $action: - enum: - - delete - type: string - allowed: - type: boolean - checkPostDataLength: - type: boolean - checkQueryStringLength: - type: boolean - checkRequestLength: - type: boolean - checkUrlLength: - type: boolean - name: - type: string - postDataLength: - type: integer - queryStringLength: - type: integer - requestLength: - type: integer - responseCheck: - type: boolean - type: - enum: - - explicit - - wildcard - type: string - urlLength: - type: integer - wildcardOrder: - type: integer - type: object - type: array - fullPath: - type: string - general: - properties: - allowedResponseCodes: - items: - format: int32 - maximum: 999 - minimum: 100 - type: integer - type: array - customXffHeaders: - items: - type: string - type: array - maskCreditCardNumbersInRequest: - type: boolean - trustXff: - type: boolean - type: object - generalReference: - properties: - link: - pattern: ^http - type: string - type: object - grpc-profiles: - items: - properties: - $action: - enum: - - delete - type: 
string - associateUrls: - type: boolean - attackSignaturesCheck: - type: boolean - defenseAttributes: - properties: - allowUnknownFields: - type: boolean - maximumDataLength: - pattern: any|\d+ - type: string - type: object - description: - type: string - hasIdlFiles: - type: boolean - idlFiles: - items: - properties: - idlFile: - properties: - contents: - type: string - fileName: - type: string - isBase64: - type: boolean - type: object - importUrl: - type: string - isPrimary: - type: boolean - primaryIdlFileName: - type: string - type: object - type: array - metacharElementCheck: - type: boolean - name: - type: string - signatureOverrides: - items: - properties: - enabled: - type: boolean - name: - type: string - signatureId: - type: integer - tag: - type: string - type: object - type: array - type: object - type: array - header-settings: - properties: - maximumHttpHeaderLength: - pattern: any|\d+ - type: string - type: object - headerReference: - properties: - link: - pattern: ^http - type: string - type: object - headerSettingsReference: - properties: - link: - pattern: ^http - type: string - type: object - headers: - items: - properties: - $action: - enum: - - delete - type: string - allowRepeatedOccurrences: - type: boolean - base64Decoding: - type: boolean - checkSignatures: - type: boolean - decodeValueAsBase64: - enum: - - enabled - - disabled - - required - type: string - htmlNormalization: - type: boolean - mandatory: - type: boolean - maskValueInLogs: - type: boolean - name: - type: string - normalizationViolations: - type: boolean - percentDecoding: - type: boolean - signatureOverrides: - items: - properties: - enabled: - type: boolean - name: - type: string - signatureId: - type: integer - tag: - type: string - type: object - type: array - type: - enum: - - explicit - - wildcard - type: string - urlNormalization: - type: boolean - wildcardOrder: - type: integer - type: object - type: array - host-names: - items: - properties: - $action: - enum: - - 
delete - type: string - includeSubdomains: - type: boolean - name: - type: string - type: object - type: array - idl-files: - items: - properties: - contents: - type: string - fileName: - type: string - isBase64: - type: boolean - type: object - type: array - json-profiles: - items: - properties: - $action: - enum: - - delete - type: string - attackSignaturesCheck: - type: boolean - defenseAttributes: - properties: - maximumArrayLength: - pattern: any|\d+ - type: string - maximumStructureDepth: - pattern: any|\d+ - type: string - maximumTotalLengthOfJSONData: - pattern: any|\d+ - type: string - maximumValueLength: - pattern: any|\d+ - type: string - tolerateJSONParsingWarnings: - type: boolean - type: object - description: - type: string - handleJsonValuesAsParameters: - type: boolean - hasValidationFiles: - type: boolean - metacharOverrides: - items: - properties: - isAllowed: - type: boolean - metachar: - type: string - type: object - type: array - name: - type: string - signatureOverrides: - items: - properties: - enabled: - type: boolean - name: - type: string - signatureId: - type: integer - tag: - type: string - type: object - type: array - validationFiles: - items: - properties: - importUrl: - type: string - isPrimary: - type: boolean - jsonValidationFile: - properties: - $action: - enum: - - delete - type: string - contents: - type: string - fileName: - type: string - isBase64: - type: boolean - type: object - type: object - type: array - type: object - type: array - json-validation-files: - items: - properties: - $action: - enum: - - delete - type: string - contents: - type: string - fileName: - type: string - isBase64: - type: boolean - type: object - type: array - jsonProfileReference: - properties: - link: - pattern: ^http - type: string - type: object - jsonValidationFileReference: - properties: - link: - pattern: ^http - type: string - type: object - methodReference: - properties: - link: - pattern: ^http - type: string - type: object - methods: - 
items: - properties: - $action: - enum: - - delete - type: string - name: - type: string - type: object - type: array - name: - type: string - open-api-files: - items: - properties: - link: - pattern: ^http - type: string - type: object - type: array - parameterReference: - properties: - link: - pattern: ^http - type: string - type: object - parameters: - items: - properties: - $action: - enum: - - delete - type: string - allowEmptyValue: - type: boolean - allowRepeatedParameterName: - type: boolean - arraySerializationFormat: - enum: - - csv - - form - - label - - matrix - - multi - - multipart - - pipe - - ssv - - tsv - type: string - attackSignaturesCheck: - type: boolean - checkMaxValue: - type: boolean - checkMaxValueLength: - type: boolean - checkMetachars: - type: boolean - checkMinValue: - type: boolean - checkMinValueLength: - type: boolean - checkMultipleOfValue: - type: boolean - contentProfile: - properties: - name: - type: string - type: object - dataType: - enum: - - alpha-numeric - - binary - - boolean - - decimal - - email - - integer - - none - - phone - type: string - decodeValueAsBase64: - enum: - - enabled - - disabled - - required - type: string - disallowFileUploadOfExecutables: - type: boolean - enableRegularExpression: - type: boolean - exclusiveMax: - type: boolean - exclusiveMin: - type: boolean - isBase64: - type: boolean - isCookie: - type: boolean - isHeader: - type: boolean - level: - enum: - - global - - url - type: string - mandatory: - type: boolean - maximumLength: - type: integer - maximumValue: - type: integer - metacharsOnParameterValueCheck: - type: boolean - minimumLength: - type: integer - minimumValue: - type: integer - multipleOf: - type: integer - name: - type: string - nameMetacharOverrides: - items: - properties: - isAllowed: - type: boolean - metachar: - type: string - type: object - type: array - objectSerializationStyle: - type: string - parameterEnumValues: - items: - type: string - type: array - parameterLocation: - 
enum: - - any - - cookie - - form-data - - header - - path - - query - type: string - regularExpression: - type: string - sensitiveParameter: - type: boolean - signatureOverrides: - items: - properties: - enabled: - type: boolean - name: - type: string - signatureId: - type: integer - tag: - type: string - type: object - type: array - staticValues: - type: string - type: - enum: - - explicit - - wildcard - type: string - url: - type: object - valueMetacharOverrides: - items: - properties: - isAllowed: - type: boolean - metachar: - type: string - type: object - type: array - valueType: - enum: - - array - - auto-detect - - dynamic-content - - dynamic-parameter-name - - ignore - - json - - object - - openapi-array - - static-content - - user-input - - xml - type: string - wildcardOrder: - type: integer - type: object - type: array - response-pages: - items: - properties: - ajaxActionType: - enum: - - alert-popup - - custom - - redirect - type: string - ajaxCustomContent: - type: string - ajaxEnabled: - type: boolean - ajaxPopupMessage: - type: string - ajaxRedirectUrl: - type: string - grpcStatusCode: - pattern: ABORTED|ALREADY_EXISTS|CANCELLED|DATA_LOSS|DEADLINE_EXCEEDED|FAILED_PRECONDITION|INTERNAL|INVALID_ARGUMENT|NOT_FOUND|OK|OUT_OF_RANGE|PERMISSION_DENIED|RESOURCE_EXHAUSTED|UNAUTHENTICATED|UNAVAILABLE|UNIMPLEMENTED|UNKNOWN|d+ - type: string - grpcStatusMessage: - type: string - responseActionType: - enum: - - custom - - default - - erase-cookies - - redirect - - soap-fault - type: string - responseContent: - type: string - responseHeader: - type: string - responsePageType: - enum: - - ajax - - ajax-login - - captcha - - captcha-fail - - default - - failed-login-honeypot - - failed-login-honeypot-ajax - - hijack - - leaked-credentials - - leaked-credentials-ajax - - mobile - - persistent-flow - - xml - - grpc - type: string - responseRedirectUrl: - type: string - type: object - type: array - responsePageReference: - properties: - link: - pattern: ^http - type: 
string - type: object - sensitive-parameters: - items: - properties: - $action: - enum: - - delete - type: string - name: - type: string - type: object - type: array - sensitiveParameterReference: - properties: - link: - pattern: ^http - type: string - type: object - server-technologies: - items: - properties: - $action: - enum: - - delete - type: string - serverTechnologyName: - enum: - - Jenkins - - SharePoint - - Oracle Application Server - - Python - - Oracle Identity Manager - - Spring Boot - - CouchDB - - SQLite - - Handlebars - - Mustache - - Prototype - - Zend - - Redis - - Underscore.js - - Ember.js - - ZURB Foundation - - ef.js - - Vue.js - - UIKit - - TYPO3 CMS - - RequireJS - - React - - MooTools - - Laravel - - GraphQL - - Google Web Toolkit - - Express.js - - CodeIgniter - - Backbone.js - - AngularJS - - JavaScript - - Nginx - - Jetty - - Joomla - - JavaServer Faces (JSF) - - Ruby - - MongoDB - - Django - - Node.js - - Citrix - - JBoss - - Elasticsearch - - Apache Struts - - XML - - PostgreSQL - - IBM DB2 - - Sybase/ASE - - CGI - - Proxy Servers - - SSI (Server Side Includes) - - Cisco - - Novell - - Macromedia JRun - - BEA Systems WebLogic Server - - Lotus Domino - - MySQL - - Oracle - - Microsoft SQL Server - - PHP - - Outlook Web Access - - Apache/NCSA HTTP Server - - Apache Tomcat - - WordPress - - Macromedia ColdFusion - - Unix/Linux - - Microsoft Windows - - ASP.NET - - Front Page Server Extensions (FPSE) - - IIS - - WebDAV - - ASP - - Java Servlets/JSP - - jQuery - type: string - type: object - type: array - serverTechnologyReference: - properties: - link: - pattern: ^http - type: string - type: object - signature-requirements: - items: - properties: - $action: - enum: - - delete - type: string - tag: - type: string - type: object - type: array - signature-sets: - items: - properties: - $action: - enum: - - delete - type: string - alarm: - type: boolean - block: - type: boolean - name: - type: string - type: object - 
x-kubernetes-preserve-unknown-fields: true - type: array - signature-settings: - properties: - attackSignatureFalsePositiveMode: - enum: - - detect - - detect-and-allow - - disabled - type: string - minimumAccuracyForAutoAddedSignatures: - enum: - - high - - low - - medium - type: string - type: object - signatureReference: - properties: - link: - pattern: ^http - type: string - type: object - signatureSetReference: - properties: - link: - pattern: ^http - type: string - type: object - signatureSettingReference: - properties: - link: - pattern: ^http - type: string - type: object - signatures: - items: - properties: - enabled: - type: boolean - name: - type: string - signatureId: - type: integer - tag: - type: string - type: object - type: array - softwareVersion: - type: string - template: - properties: - name: - type: string - type: object - threat-campaigns: - items: - properties: - isEnabled: - type: boolean - name: - type: string - type: object - type: array - threatCampaignReference: - properties: - link: - pattern: ^http - type: string - type: object - urlReference: - properties: - link: - pattern: ^http - type: string - type: object - urls: - items: - properties: - $action: - enum: - - delete - type: string - allowRenderingInFrames: - enum: - - never - - only-same - type: string - allowRenderingInFramesOnlyFrom: - type: string - attackSignaturesCheck: - type: boolean - clickjackingProtection: - type: boolean - description: - type: string - disallowFileUploadOfExecutables: - type: boolean - html5CrossOriginRequestsEnforcement: - properties: - allowOriginsEnforcementMode: - enum: - - replace-with - - unmodified - type: string - checkAllowedMethods: - type: boolean - crossDomainAllowedOrigin: - items: - properties: - includeSubDomains: - type: boolean - originName: - type: string - originPort: - pattern: any|\d+ - type: string - originProtocol: - enum: - - http - - http/https - - https - type: string - type: object - type: array - enforcementMode: - enum: - - 
disabled - - enforce - type: string - type: object - isAllowed: - type: boolean - mandatoryBody: - type: boolean - metacharOverrides: - items: - properties: - isAllowed: - type: boolean - metachar: - type: string - type: object - type: array - metacharsOnUrlCheck: - type: boolean - method: - enum: - - ACL - - BCOPY - - BDELETE - - BMOVE - - BPROPFIND - - BPROPPATCH - - CHECKIN - - CHECKOUT - - CONNECT - - COPY - - DELETE - - GET - - HEAD - - LINK - - LOCK - - MERGE - - MKCOL - - MKWORKSPACE - - MOVE - - NOTIFY - - OPTIONS - - PATCH - - POLL - - POST - - PROPFIND - - PROPPATCH - - PUT - - REPORT - - RPC_IN_DATA - - RPC_OUT_DATA - - SEARCH - - SUBSCRIBE - - TRACE - - TRACK - - UNLINK - - UNLOCK - - UNSUBSCRIBE - - VERSION_CONTROL - - X-MS-ENUMATTS - - '*' - type: string - methodOverrides: - items: - properties: - allowed: - type: boolean - method: - enum: - - ACL - - BCOPY - - BDELETE - - BMOVE - - BPROPFIND - - BPROPPATCH - - CHECKIN - - CHECKOUT - - CONNECT - - COPY - - DELETE - - GET - - HEAD - - LINK - - LOCK - - MERGE - - MKCOL - - MKWORKSPACE - - MOVE - - NOTIFY - - OPTIONS - - PATCH - - POLL - - POST - - PROPFIND - - PROPPATCH - - PUT - - REPORT - - RPC_IN_DATA - - RPC_OUT_DATA - - SEARCH - - SUBSCRIBE - - TRACE - - TRACK - - UNLINK - - UNLOCK - - UNSUBSCRIBE - - VERSION_CONTROL - - X-MS-ENUMATTS - type: string - type: object - type: array - methodsOverrideOnUrlCheck: - type: boolean - name: - type: string - operationId: - type: string - positionalParameters: - items: - properties: - parameter: - properties: - $action: - enum: - - delete - type: string - allowEmptyValue: - type: boolean - allowRepeatedParameterName: - type: boolean - arraySerializationFormat: - enum: - - csv - - form - - label - - matrix - - multi - - multipart - - pipe - - ssv - - tsv - type: string - attackSignaturesCheck: - type: boolean - checkMaxValue: - type: boolean - checkMaxValueLength: - type: boolean - checkMetachars: - type: boolean - checkMinValue: - type: boolean - 
checkMinValueLength: - type: boolean - checkMultipleOfValue: - type: boolean - contentProfile: - properties: - name: - type: string - type: object - dataType: - enum: - - alpha-numeric - - binary - - boolean - - decimal - - email - - integer - - none - - phone - type: string - decodeValueAsBase64: - enum: - - enabled - - disabled - - required - type: string - disallowFileUploadOfExecutables: - type: boolean - enableRegularExpression: - type: boolean - exclusiveMax: - type: boolean - exclusiveMin: - type: boolean - isBase64: - type: boolean - isCookie: - type: boolean - isHeader: - type: boolean - level: - enum: - - global - - url - type: string - mandatory: - type: boolean - maximumLength: - type: integer - maximumValue: - type: integer - metacharsOnParameterValueCheck: - type: boolean - minimumLength: - type: integer - minimumValue: - type: integer - multipleOf: - type: integer - name: - type: string - nameMetacharOverrides: - items: - properties: - isAllowed: - type: boolean - metachar: - type: string - type: object - type: array - objectSerializationStyle: - type: string - parameterEnumValues: - items: - type: string - type: array - parameterLocation: - enum: - - any - - cookie - - form-data - - header - - path - - query - type: string - regularExpression: - type: string - sensitiveParameter: - type: boolean - signatureOverrides: - items: - properties: - enabled: - type: boolean - name: - type: string - signatureId: - type: integer - tag: - type: string - type: object - type: array - staticValues: - type: string - type: - enum: - - explicit - - wildcard - type: string - url: - type: object - valueMetacharOverrides: - items: - properties: - isAllowed: - type: boolean - metachar: - type: string - type: object - type: array - valueType: - enum: - - array - - auto-detect - - dynamic-content - - dynamic-parameter-name - - ignore - - json - - object - - openapi-array - - static-content - - user-input - - xml - type: string - wildcardOrder: - type: integer - type: 
object - urlSegmentIndex: - type: integer - type: object - type: array - protocol: - enum: - - http - - https - type: string - signatureOverrides: - items: - properties: - enabled: - type: boolean - name: - type: string - signatureId: - type: integer - tag: - type: string - type: object - type: array - type: - enum: - - explicit - - wildcard - type: string - urlContentProfiles: - items: - properties: - contentProfile: - properties: - name: - type: string - type: object - headerName: - type: string - headerOrder: - type: string - headerValue: - type: string - name: - type: string - type: - enum: - - apply-content-signatures - - apply-value-and-content-signatures - - disallow - - do-nothing - - form-data - - gwt - - json - - xml - - grpc - type: string - type: object - type: array - wildcardOrder: - type: integer - type: object - type: array - whitelist-ips: - items: - properties: - $action: - enum: - - delete - type: string - blockRequests: - enum: - - always - - never - - policy-default - type: string - ipAddress: - pattern: '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' - type: string - ipMask: - pattern: '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' - type: string - neverLogRequests: - type: boolean - type: object - type: array - whitelistIpReference: - properties: - link: - pattern: ^http - type: string - type: object - xml-profiles: - items: - properties: - $action: - enum: - - delete - type: string - attackSignaturesCheck: - type: boolean - defenseAttributes: - properties: - allowCDATA: - type: boolean - allowDTDs: - type: boolean - allowExternalReferences: - type: boolean - allowProcessingInstructions: - type: boolean - maximumAttributeValueLength: - pattern: any|\d+ - type: string - maximumAttributesPerElement: - pattern: any|\d+ - type: string - maximumChildrenPerElement: - pattern: any|\d+ - type: string - maximumDocumentDepth: - pattern: any|\d+ - type: string - maximumDocumentSize: - pattern: any|\d+ - type: string - maximumElements: - pattern: 
any|\d+ - type: string - maximumNSDeclarations: - pattern: any|\d+ - type: string - maximumNameLength: - pattern: any|\d+ - type: string - maximumNamespaceLength: - pattern: any|\d+ - type: string - tolerateCloseTagShorthand: - type: boolean - tolerateLeadingWhiteSpace: - type: boolean - tolerateNumericNames: - type: boolean - type: object - description: - type: string - enableWss: - type: boolean - followSchemaLinks: - type: boolean - name: - type: string - signatureOverrides: - items: - properties: - enabled: - type: boolean - name: - type: string - signatureId: - type: integer - tag: - type: string - type: object - type: array - type: object - type: array - xml-validation-files: - items: - properties: - $action: - enum: - - delete - type: string - contents: - type: string - fileName: - type: string - isBase64: - type: boolean - type: object - type: array - xmlProfileReference: - properties: - link: - pattern: ^http - type: string - type: object - xmlValidationFileReference: - properties: - link: - pattern: ^http - type: string - type: object - type: object - type: object - type: object - served: true - storage: true diff --git a/deployments/helm-chart/crds/appprotect.f5.com_apusersigs.yaml b/deployments/helm-chart/crds/appprotect.f5.com_apusersigs.yaml deleted file mode 100644 index 34eb0784f4..0000000000 --- a/deployments/helm-chart/crds/appprotect.f5.com_apusersigs.yaml +++ /dev/null 
@@ -1,93 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.10.0 - creationTimestamp: null - name: apusersigs.appprotect.f5.com -spec: - group: appprotect.f5.com - names: - kind: APUserSig - listKind: APUserSigList - plural: apusersigs - singular: apusersig - preserveUnknownFields: false - scope: Namespaced - versions: - - name: v1beta1 - schema: - openAPIV3Schema: - description: APUserSig is the Schema for the apusersigs API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: APUserSigSpec defines the desired state of APUserSig - properties: - properties: - type: string - signatures: - items: - properties: - accuracy: - enum: - - high - - medium - - low - type: string - attackType: - properties: - name: - type: string - type: object - description: - type: string - name: - type: string - references: - properties: - type: - enum: - - bugtraq - - cve - - nessus - - url - type: string - value: - type: string - type: object - risk: - enum: - - high - - medium - - low - type: string - rule: - type: string - signatureType: - enum: - - request - - response - type: string - systems: - items: - properties: - name: - type: string - type: object - type: array - type: object - type: array - tag: - type: string - type: object - type: object - served: true - storage: true diff --git a/deployments/helm-chart/crds/appprotectdos.f5.com_apdoslogconfs.yaml b/deployments/helm-chart/crds/appprotectdos.f5.com_apdoslogconfs.yaml deleted file mode 100644 index e23e87184b..0000000000 --- a/deployments/helm-chart/crds/appprotectdos.f5.com_apdoslogconfs.yaml +++ /dev/null 
@@ -1,68 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.9.2 - creationTimestamp: null - name: apdoslogconfs.appprotectdos.f5.com -spec: - group: appprotectdos.f5.com - names: - kind: APDosLogConf - listKind: APDosLogConfList - plural: apdoslogconfs - singular: apdoslogconf - preserveUnknownFields: false - scope: Namespaced - versions: - - name: v1beta1 - schema: - openAPIV3Schema: - description: APDosLogConf is the Schema for the APDosLogConfs API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: APDosLogConfSpec defines the desired state of APDosLogConf - properties: - content: - properties: - format: - enum: - - splunk - - arcsight - - user-defined - type: string - format_string: - type: string - max_message_size: - pattern: ^([1-9]|[1-5][0-9]|6[0-4])k$ - type: string - type: object - filter: - properties: - traffic-mitigation-stats: - enum: - - none - - all - default: all - type: string - bad-actors: - pattern: ^(none|all|top ([1-9]|[1-9][0-9]|[1-9][0-9]{2,4}|100000))$ - default: top 10 - type: string - attack-signatures: - pattern: ^(none|all|top ([1-9]|[1-9][0-9]|[1-9][0-9]{2,4}|100000))$ - default: top 10 - type: string - type: object - type: object - type: object - served: true - storage: true diff --git a/deployments/helm-chart/crds/appprotectdos.f5.com_apdospolicy.yaml b/deployments/helm-chart/crds/appprotectdos.f5.com_apdospolicy.yaml deleted file mode 100644 index a16399a1a2..0000000000 --- a/deployments/helm-chart/crds/appprotectdos.f5.com_apdospolicy.yaml +++ /dev/null 
@@ -1,68 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.9.2 - creationTimestamp: null - name: apdospolicies.appprotectdos.f5.com -spec: - group: appprotectdos.f5.com - names: - kind: APDosPolicy - listKind: APDosPoliciesList - plural: apdospolicies - singular: apdospolicy - preserveUnknownFields: false - scope: Namespaced - versions: - - name: v1beta1 - schema: - openAPIV3Schema: - type: object - description: APDosPolicy is the Schema for the APDosPolicy API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - type: object - description: APDosPolicySpec defines the desired state of APDosPolicy - properties: - mitigation_mode: - enum: - - "standard" - - "conservative" - - "none" - default: "standard" - type: string - signatures: - enum: - - "on" - - "off" - default: "on" - type: string - bad_actors: - enum: - - "on" - - "off" - default: "on" - type: string - automation_tools_detection: - enum: - - "on" - - "off" - default: "on" - type: string - tls_fingerprint: - enum: - - "on" - - "off" - default: "on" - type: string - served: true - storage: true 
diff --git a/deployments/helm-chart/crds/appprotectdos.f5.com_dosprotectedresources.yaml b/deployments/helm-chart/crds/appprotectdos.f5.com_dosprotectedresources.yaml deleted file mode 100644 index 53a51c4939..0000000000 --- a/deployments/helm-chart/crds/appprotectdos.f5.com_dosprotectedresources.yaml +++ /dev/null 
@@ -1,81 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.13.0 - name: dosprotectedresources.appprotectdos.f5.com -spec: - group: appprotectdos.f5.com - names: - kind: DosProtectedResource - listKind: DosProtectedResourceList - plural: dosprotectedresources - shortNames: - - pr - singular: dosprotectedresource - scope: Namespaced - versions: - - name: v1beta1 - schema: - openAPIV3Schema: - description: DosProtectedResource defines a Dos protected resource. - type: object - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: DosProtectedResourceSpec defines the properties and values a DosProtectedResource can have. - type: object - properties: - apDosMonitor: - description: 'ApDosMonitor is how NGINX App Protect DoS monitors the stress level of the protected object. The monitor requests are sent from localhost (127.0.0.1). Default value: URI - None, protocol - http1, timeout - NGINX App Protect DoS default.' - type: object - properties: - protocol: - description: Protocol determines if the server listens on http1 / http2 / grpc / websocket. The default is http1. 
- type: string - enum: - - http1 - - http2 - - grpc - - websocket - timeout: - description: Timeout determines how long (in seconds) should NGINX App Protect DoS wait for a response. Default is 10 seconds for http1/http2 and 5 seconds for grpc. - type: integer - format: int64 - uri: - description: 'URI is the destination to the desired protected object in the nginx.conf:' - type: string - apDosPolicy: - description: ApDosPolicy is the namespace/name of a ApDosPolicy resource - type: string - dosAccessLogDest: - description: DosAccessLogDest is the network address for the access logs - type: string - dosSecurityLog: - description: DosSecurityLog defines the security log of the DosProtectedResource. - type: object - properties: - apDosLogConf: - description: ApDosLogConf is the namespace/name of a APDosLogConf resource - type: string - dosLogDest: - description: DosLogDest is the network address of a logging service, can be either IP or DNS name. - type: string - enable: - description: Enable enables the security logging feature if set to true - type: boolean - enable: - description: Enable enables the DOS feature if set to true - type: boolean - name: - description: Name is the name of protected object, max of 63 characters. - type: string - served: true - storage: true diff --git a/deployments/helm-chart/crds/externaldns.nginx.org_dnsendpoints.yaml b/deployments/helm-chart/crds/externaldns.nginx.org_dnsendpoints.yaml deleted file mode 100644 index 82790713bf..0000000000 --- a/deployments/helm-chart/crds/externaldns.nginx.org_dnsendpoints.yaml +++ /dev/null 
@@ -1,84 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.13.0 - name: dnsendpoints.externaldns.nginx.org -spec: - group: externaldns.nginx.org - names: - kind: DNSEndpoint - listKind: DNSEndpointList - plural: dnsendpoints - singular: dnsendpoint - scope: Namespaced - versions: - - name: v1 - schema: - openAPIV3Schema: - description: DNSEndpoint is the CRD wrapper for Endpoint - type: object - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: DNSEndpointSpec holds information about endpoints. - type: object - properties: - endpoints: - type: array - items: - description: Endpoint describes DNS Endpoint. - type: object - properties: - dnsName: - description: The hostname for the DNS record - type: string - labels: - description: Labels stores labels defined for the Endpoint - type: object - additionalProperties: - type: string - providerSpecific: - description: ProviderSpecific stores provider specific config - type: array - items: - description: ProviderSpecificProperty represents provider specific config property. 
- type: object - properties: - name: - description: Name of the property - type: string - value: - description: Value of the property - type: string - recordTTL: - description: TTL for the record - type: integer - format: int64 - recordType: - description: RecordType type of record, e.g. CNAME, A, SRV, TXT, MX - type: string - targets: - description: The targets the DNS service points to - type: array - items: - type: string - status: - description: DNSEndpointStatus represents generation observed by the external dns controller. - type: object - properties: - observedGeneration: - description: The generation observed by by the external-dns controller. - type: integer - format: int64 - served: true - storage: true - subresources: - status: {} diff --git a/deployments/helm-chart/crds/k8s.nginx.org_globalconfigurations.yaml b/deployments/helm-chart/crds/k8s.nginx.org_globalconfigurations.yaml deleted file mode 100644 index d4448bfbc9..0000000000 --- a/deployments/helm-chart/crds/k8s.nginx.org_globalconfigurations.yaml +++ /dev/null 
@@ -1,49 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.13.0 - name: globalconfigurations.k8s.nginx.org -spec: - group: k8s.nginx.org - names: - kind: GlobalConfiguration - listKind: GlobalConfigurationList - plural: globalconfigurations - shortNames: - - gc - singular: globalconfiguration - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: GlobalConfiguration defines the GlobalConfiguration resource. - type: object - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: GlobalConfigurationSpec is the spec of the GlobalConfiguration resource. - type: object - properties: - listeners: - type: array - items: - description: Listener defines a listener. - type: object - properties: - name: - type: string - port: - type: integer - protocol: - type: string - served: true - storage: true diff --git a/deployments/helm-chart/crds/k8s.nginx.org_policies.yaml b/deployments/helm-chart/crds/k8s.nginx.org_policies.yaml deleted file mode 100644 index 907c22a88f..0000000000 --- a/deployments/helm-chart/crds/k8s.nginx.org_policies.yaml +++ /dev/null 
@@ -1,303 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.13.0 - name: policies.k8s.nginx.org -spec: - group: k8s.nginx.org - names: - kind: Policy - listKind: PolicyList - plural: policies - shortNames: - - pol - singular: policy - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: Current state of the Policy. If the resource has a valid status, it means it has been validated and accepted by the Ingress Controller. - jsonPath: .status.state - name: State - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1 - schema: - openAPIV3Schema: - description: Policy defines a Policy for VirtualServer and VirtualServerRoute resources. - type: object - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: PolicySpec is the spec of the Policy resource. The spec includes multiple fields, where each field represents a different policy. Only one policy (field) is allowed. - type: object - properties: - accessControl: - description: AccessControl defines an access policy based on the source IP of a request. 
- type: object - properties: - allow: - type: array - items: - type: string - deny: - type: array - items: - type: string - basicAuth: - description: 'BasicAuth holds HTTP Basic authentication configuration policy status: preview' - type: object - properties: - realm: - type: string - secret: - type: string - egressMTLS: - description: EgressMTLS defines an Egress MTLS policy. - type: object - properties: - ciphers: - type: string - protocols: - type: string - serverName: - type: boolean - sessionReuse: - type: boolean - sslName: - type: string - tlsSecret: - type: string - trustedCertSecret: - type: string - verifyDepth: - type: integer - verifyServer: - type: boolean - ingressClassName: - type: string - ingressMTLS: - description: IngressMTLS defines an Ingress MTLS policy. - type: object - properties: - clientCertSecret: - type: string - crlFileName: - type: string - verifyClient: - type: string - verifyDepth: - type: integer - jwt: - description: JWTAuth holds JWT authentication configuration. - type: object - properties: - jwksURI: - type: string - keyCache: - type: string - realm: - type: string - secret: - type: string - token: - type: string - oidc: - description: OIDC defines an Open ID Connect policy. - type: object - properties: - accessTokenEnable: - type: boolean - authEndpoint: - type: string - authExtraArgs: - type: array - items: - type: string - clientID: - type: string - clientSecret: - type: string - jwksURI: - type: string - redirectURI: - type: string - scope: - type: string - tokenEndpoint: - type: string - zoneSyncLeeway: - type: integer - rateLimit: - description: RateLimit defines a rate limit policy. - type: object - properties: - burst: - type: integer - delay: - type: integer - dryRun: - type: boolean - key: - type: string - logLevel: - type: string - noDelay: - type: boolean - rate: - type: string - rejectCode: - type: integer - zoneSize: - type: string - waf: - description: WAF defines an WAF policy. 
- type: object - properties: - apBundle: - type: string - apPolicy: - type: string - enable: - type: boolean - securityLog: - description: SecurityLog defines the security log of a WAF policy. - type: object - properties: - apLogConf: - type: string - enable: - type: boolean - logDest: - type: string - securityLogs: - type: array - items: - description: SecurityLog defines the security log of a WAF policy. - type: object - properties: - apLogConf: - type: string - enable: - type: boolean - logDest: - type: string - status: - description: PolicyStatus is the status of the policy resource - type: object - properties: - message: - type: string - reason: - type: string - state: - type: string - served: true - storage: true - subresources: - status: {} - - name: v1alpha1 - schema: - openAPIV3Schema: - description: Policy defines a Policy for VirtualServer and VirtualServerRoute resources. - type: object - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: PolicySpec is the spec of the Policy resource. The spec includes multiple fields, where each field represents a different policy. Only one policy (field) is allowed. - type: object - properties: - accessControl: - description: AccessControl defines an access policy based on the source IP of a request. 
- type: object - properties: - allow: - type: array - items: - type: string - deny: - type: array - items: - type: string - egressMTLS: - description: EgressMTLS defines an Egress MTLS policy. - type: object - properties: - ciphers: - type: string - protocols: - type: string - serverName: - type: boolean - sessionReuse: - type: boolean - sslName: - type: string - tlsSecret: - type: string - trustedCertSecret: - type: string - verifyDepth: - type: integer - verifyServer: - type: boolean - ingressMTLS: - description: IngressMTLS defines an Ingress MTLS policy. - type: object - properties: - clientCertSecret: - type: string - verifyClient: - type: string - verifyDepth: - type: integer - jwt: - description: JWTAuth holds JWT authentication configuration. - type: object - properties: - realm: - type: string - secret: - type: string - token: - type: string - rateLimit: - description: RateLimit defines a rate limit policy. - type: object - properties: - burst: - type: integer - delay: - type: integer - dryRun: - type: boolean - key: - type: string - logLevel: - type: string - noDelay: - type: boolean - rate: - type: string - rejectCode: - type: integer - zoneSize: - type: string - served: true - storage: false diff --git a/deployments/helm-chart/crds/k8s.nginx.org_transportservers.yaml b/deployments/helm-chart/crds/k8s.nginx.org_transportservers.yaml deleted file mode 100644 index b1448e9e3b..0000000000 --- a/deployments/helm-chart/crds/k8s.nginx.org_transportservers.yaml +++ /dev/null 
@@ -1,156 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.13.0 - name: transportservers.k8s.nginx.org -spec: - group: k8s.nginx.org - names: - kind: TransportServer - listKind: TransportServerList - plural: transportservers - shortNames: - - ts - singular: transportserver - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: Current state of the TransportServer. If the resource has a valid status, it means it has been validated and accepted by the Ingress Controller. - jsonPath: .status.state - name: State - type: string - - jsonPath: .status.reason - name: Reason - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha1 - schema: - openAPIV3Schema: - description: TransportServer defines the TransportServer resource. - type: object - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: TransportServerSpec is the spec of the TransportServer resource. - type: object - properties: - action: - description: Action defines an action. - type: object - properties: - pass: - type: string - host: - type: string - ingressClassName: - type: string - listener: - description: TransportServerListener defines a listener for a TransportServer. 
- type: object - properties: - name: - type: string - protocol: - type: string - serverSnippets: - type: string - sessionParameters: - description: SessionParameters defines session parameters. - type: object - properties: - timeout: - type: string - streamSnippets: - type: string - tls: - description: TLS defines TLS configuration for a TransportServer. - type: object - properties: - secret: - type: string - upstreamParameters: - description: UpstreamParameters defines parameters for an upstream. - type: object - properties: - connectTimeout: - type: string - nextUpstream: - type: boolean - nextUpstreamTimeout: - type: string - nextUpstreamTries: - type: integer - udpRequests: - type: integer - udpResponses: - type: integer - upstreams: - type: array - items: - description: Upstream defines an upstream. - type: object - properties: - failTimeout: - type: string - healthCheck: - description: HealthCheck defines the parameters for active Upstream HealthChecks. - type: object - properties: - enable: - type: boolean - fails: - type: integer - interval: - type: string - jitter: - type: string - match: - description: Match defines the parameters of a custom health check. - type: object - properties: - expect: - type: string - send: - type: string - passes: - type: integer - port: - type: integer - timeout: - type: string - loadBalancingMethod: - type: string - maxConns: - type: integer - maxFails: - type: integer - name: - type: string - port: - type: integer - service: - type: string - status: - description: TransportServerStatus defines the status for the TransportServer resource. - type: object - properties: - message: - type: string - reason: - type: string - state: - type: string - served: true - storage: true - subresources: - status: {} diff --git a/deployments/helm-chart/crds/k8s.nginx.org_virtualserverroutes.yaml b/deployments/helm-chart/crds/k8s.nginx.org_virtualserverroutes.yaml deleted file mode 100644 index d21640a398..0000000000 
--- a/deployments/helm-chart/crds/k8s.nginx.org_virtualserverroutes.yaml
+++ /dev/null
@@ -1,638 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.13.0 - name: virtualserverroutes.k8s.nginx.org -spec: - group: k8s.nginx.org - names: - kind: VirtualServerRoute - listKind: VirtualServerRouteList - plural: virtualserverroutes - shortNames: - - vsr - singular: virtualserverroute - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: Current state of the VirtualServerRoute. If the resource has a valid status, it means it has been validated and accepted by the Ingress Controller. - jsonPath: .status.state - name: State - type: string - - jsonPath: .spec.host - name: Host - type: string - - jsonPath: .status.externalEndpoints[*].ip - name: IP - type: string - - jsonPath: .status.externalEndpoints[*].hostname - name: ExternalHostname - priority: 1 - type: string - - jsonPath: .status.externalEndpoints[*].ports - name: Ports - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1 - schema: - openAPIV3Schema: - description: VirtualServerRoute defines the VirtualServerRoute resource. - type: object - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: VirtualServerRouteSpec is the spec of the VirtualServerRoute resource. 
- type: object - properties: - host: - type: string - ingressClassName: - type: string - subroutes: - type: array - items: - description: Route defines a route. - type: object - properties: - action: - description: Action defines an action. - type: object - properties: - pass: - type: string - proxy: - description: ActionProxy defines a proxy in an Action. - type: object - properties: - requestHeaders: - description: ProxyRequestHeaders defines the request headers manipulation in an ActionProxy. - type: object - properties: - pass: - type: boolean - set: - type: array - items: - description: Header defines an HTTP Header. - type: object - properties: - name: - type: string - value: - type: string - responseHeaders: - description: ProxyResponseHeaders defines the response headers manipulation in an ActionProxy. - type: object - properties: - add: - type: array - items: - description: AddHeader defines an HTTP Header with an optional Always field to use with the add_header NGINX directive. - type: object - properties: - always: - type: boolean - name: - type: string - value: - type: string - hide: - type: array - items: - type: string - ignore: - type: array - items: - type: string - pass: - type: array - items: - type: string - rewritePath: - type: string - upstream: - type: string - redirect: - description: ActionRedirect defines a redirect in an Action. - type: object - properties: - code: - type: integer - url: - type: string - return: - description: ActionReturn defines a return in an Action. - type: object - properties: - body: - type: string - code: - type: integer - type: - type: string - dos: - type: string - errorPages: - type: array - items: - description: ErrorPage defines an ErrorPage in a Route. - type: object - properties: - codes: - type: array - items: - type: integer - redirect: - description: ErrorPageRedirect defines a redirect for an ErrorPage. 
- type: object - properties: - code: - type: integer - url: - type: string - return: - description: ErrorPageReturn defines a return for an ErrorPage. - type: object - properties: - body: - type: string - code: - type: integer - headers: - type: array - items: - description: Header defines an HTTP Header. - type: object - properties: - name: - type: string - value: - type: string - type: - type: string - location-snippets: - type: string - matches: - type: array - items: - description: Match defines a match. - type: object - properties: - action: - description: Action defines an action. - type: object - properties: - pass: - type: string - proxy: - description: ActionProxy defines a proxy in an Action. - type: object - properties: - requestHeaders: - description: ProxyRequestHeaders defines the request headers manipulation in an ActionProxy. - type: object - properties: - pass: - type: boolean - set: - type: array - items: - description: Header defines an HTTP Header. - type: object - properties: - name: - type: string - value: - type: string - responseHeaders: - description: ProxyResponseHeaders defines the response headers manipulation in an ActionProxy. - type: object - properties: - add: - type: array - items: - description: AddHeader defines an HTTP Header with an optional Always field to use with the add_header NGINX directive. - type: object - properties: - always: - type: boolean - name: - type: string - value: - type: string - hide: - type: array - items: - type: string - ignore: - type: array - items: - type: string - pass: - type: array - items: - type: string - rewritePath: - type: string - upstream: - type: string - redirect: - description: ActionRedirect defines a redirect in an Action. - type: object - properties: - code: - type: integer - url: - type: string - return: - description: ActionReturn defines a return in an Action. 
- type: object - properties: - body: - type: string - code: - type: integer - type: - type: string - conditions: - type: array - items: - description: Condition defines a condition in a MatchRule. - type: object - properties: - argument: - type: string - cookie: - type: string - header: - type: string - value: - type: string - variable: - type: string - splits: - type: array - items: - description: Split defines a split. - type: object - properties: - action: - description: Action defines an action. - type: object - properties: - pass: - type: string - proxy: - description: ActionProxy defines a proxy in an Action. - type: object - properties: - requestHeaders: - description: ProxyRequestHeaders defines the request headers manipulation in an ActionProxy. - type: object - properties: - pass: - type: boolean - set: - type: array - items: - description: Header defines an HTTP Header. - type: object - properties: - name: - type: string - value: - type: string - responseHeaders: - description: ProxyResponseHeaders defines the response headers manipulation in an ActionProxy. - type: object - properties: - add: - type: array - items: - description: AddHeader defines an HTTP Header with an optional Always field to use with the add_header NGINX directive. - type: object - properties: - always: - type: boolean - name: - type: string - value: - type: string - hide: - type: array - items: - type: string - ignore: - type: array - items: - type: string - pass: - type: array - items: - type: string - rewritePath: - type: string - upstream: - type: string - redirect: - description: ActionRedirect defines a redirect in an Action. - type: object - properties: - code: - type: integer - url: - type: string - return: - description: ActionReturn defines a return in an Action. 
- type: object - properties: - body: - type: string - code: - type: integer - type: - type: string - weight: - type: integer - path: - type: string - policies: - type: array - items: - description: PolicyReference references a policy by name and an optional namespace. - type: object - properties: - name: - type: string - namespace: - type: string - route: - type: string - splits: - type: array - items: - description: Split defines a split. - type: object - properties: - action: - description: Action defines an action. - type: object - properties: - pass: - type: string - proxy: - description: ActionProxy defines a proxy in an Action. - type: object - properties: - requestHeaders: - description: ProxyRequestHeaders defines the request headers manipulation in an ActionProxy. - type: object - properties: - pass: - type: boolean - set: - type: array - items: - description: Header defines an HTTP Header. - type: object - properties: - name: - type: string - value: - type: string - responseHeaders: - description: ProxyResponseHeaders defines the response headers manipulation in an ActionProxy. - type: object - properties: - add: - type: array - items: - description: AddHeader defines an HTTP Header with an optional Always field to use with the add_header NGINX directive. - type: object - properties: - always: - type: boolean - name: - type: string - value: - type: string - hide: - type: array - items: - type: string - ignore: - type: array - items: - type: string - pass: - type: array - items: - type: string - rewritePath: - type: string - upstream: - type: string - redirect: - description: ActionRedirect defines a redirect in an Action. - type: object - properties: - code: - type: integer - url: - type: string - return: - description: ActionReturn defines a return in an Action. 
- type: object - properties: - body: - type: string - code: - type: integer - type: - type: string - weight: - type: integer - upstreams: - type: array - items: - description: Upstream defines an upstream. - type: object - properties: - buffer-size: - type: string - buffering: - type: boolean - buffers: - description: UpstreamBuffers defines Buffer Configuration for an Upstream. - type: object - properties: - number: - type: integer - size: - type: string - client-max-body-size: - type: string - connect-timeout: - type: string - fail-timeout: - type: string - healthCheck: - description: HealthCheck defines the parameters for active Upstream HealthChecks. - type: object - properties: - connect-timeout: - type: string - enable: - type: boolean - fails: - type: integer - grpcService: - type: string - grpcStatus: - type: integer - headers: - type: array - items: - description: Header defines an HTTP Header. - type: object - properties: - name: - type: string - value: - type: string - interval: - type: string - jitter: - type: string - keepalive-time: - type: string - mandatory: - type: boolean - passes: - type: integer - path: - type: string - persistent: - type: boolean - port: - type: integer - read-timeout: - type: string - send-timeout: - type: string - statusMatch: - type: string - tls: - description: UpstreamTLS defines a TLS configuration for an Upstream. - type: object - properties: - enable: - type: boolean - keepalive: - type: integer - lb-method: - type: string - max-conns: - type: integer - max-fails: - type: integer - name: - type: string - next-upstream: - type: string - next-upstream-timeout: - type: string - next-upstream-tries: - type: integer - ntlm: - type: boolean - port: - type: integer - queue: - description: UpstreamQueue defines Queue Configuration for an Upstream. 
- type: object - properties: - size: - type: integer - timeout: - type: string - read-timeout: - type: string - send-timeout: - type: string - service: - type: string - sessionCookie: - description: SessionCookie defines the parameters for session persistence. - type: object - properties: - domain: - type: string - enable: - type: boolean - expires: - type: string - httpOnly: - type: boolean - name: - type: string - path: - type: string - samesite: - type: string - secure: - type: boolean - slow-start: - type: string - subselector: - type: object - additionalProperties: - type: string - tls: - description: UpstreamTLS defines a TLS configuration for an Upstream. - type: object - properties: - enable: - type: boolean - type: - type: string - use-cluster-ip: - type: boolean - status: - description: VirtualServerRouteStatus defines the status for the VirtualServerRoute resource. - type: object - properties: - externalEndpoints: - type: array - items: - description: ExternalEndpoint defines the IP/ Hostname and ports used to connect to this resource. - type: object - properties: - hostname: - type: string - ip: - type: string - ports: - type: string - message: - type: string - reason: - type: string - referencedBy: - type: string - state: - type: string - served: true - storage: true - subresources: - status: {} diff --git a/deployments/helm-chart/crds/k8s.nginx.org_virtualservers.yaml b/deployments/helm-chart/crds/k8s.nginx.org_virtualservers.yaml deleted file mode 100644 index f0095f4dd6..0000000000 --- a/deployments/helm-chart/crds/k8s.nginx.org_virtualservers.yaml +++ /dev/null 
@@ -1,723 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.13.0 - name: virtualservers.k8s.nginx.org -spec: - group: k8s.nginx.org - names: - kind: VirtualServer - listKind: VirtualServerList - plural: virtualservers - shortNames: - - vs - singular: virtualserver - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: Current state of the VirtualServer. If the resource has a valid status, it means it has been validated and accepted by the Ingress Controller. - jsonPath: .status.state - name: State - type: string - - jsonPath: .spec.host - name: Host - type: string - - jsonPath: .status.externalEndpoints[*].ip - name: IP - type: string - - jsonPath: .status.externalEndpoints[*].hostname - name: ExternalHostname - priority: 1 - type: string - - jsonPath: .status.externalEndpoints[*].ports - name: Ports - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1 - schema: - openAPIV3Schema: - description: VirtualServer defines the VirtualServer resource. - type: object - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: VirtualServerSpec is the spec of the VirtualServer resource. 
- type: object - properties: - dos: - type: string - externalDNS: - description: ExternalDNS defines externaldns sub-resource of a virtual server. - type: object - properties: - enable: - type: boolean - labels: - description: Labels stores labels defined for the Endpoint - type: object - additionalProperties: - type: string - providerSpecific: - description: ProviderSpecific stores provider specific config - type: array - items: - description: ProviderSpecificProperty defines specific property for using with ExternalDNS sub-resource. - type: object - properties: - name: - description: Name of the property - type: string - value: - description: Value of the property - type: string - recordTTL: - description: TTL for the record - type: integer - format: int64 - recordType: - type: string - gunzip: - type: boolean - host: - type: string - http-snippets: - type: string - ingressClassName: - type: string - internalRoute: - description: InternalRoute allows for the configuration of internal routing. - type: boolean - policies: - type: array - items: - description: PolicyReference references a policy by name and an optional namespace. - type: object - properties: - name: - type: string - namespace: - type: string - routes: - type: array - items: - description: Route defines a route. - type: object - properties: - action: - description: Action defines an action. - type: object - properties: - pass: - type: string - proxy: - description: ActionProxy defines a proxy in an Action. - type: object - properties: - requestHeaders: - description: ProxyRequestHeaders defines the request headers manipulation in an ActionProxy. - type: object - properties: - pass: - type: boolean - set: - type: array - items: - description: Header defines an HTTP Header. - type: object - properties: - name: - type: string - value: - type: string - responseHeaders: - description: ProxyResponseHeaders defines the response headers manipulation in an ActionProxy. 
- type: object - properties: - add: - type: array - items: - description: AddHeader defines an HTTP Header with an optional Always field to use with the add_header NGINX directive. - type: object - properties: - always: - type: boolean - name: - type: string - value: - type: string - hide: - type: array - items: - type: string - ignore: - type: array - items: - type: string - pass: - type: array - items: - type: string - rewritePath: - type: string - upstream: - type: string - redirect: - description: ActionRedirect defines a redirect in an Action. - type: object - properties: - code: - type: integer - url: - type: string - return: - description: ActionReturn defines a return in an Action. - type: object - properties: - body: - type: string - code: - type: integer - type: - type: string - dos: - type: string - errorPages: - type: array - items: - description: ErrorPage defines an ErrorPage in a Route. - type: object - properties: - codes: - type: array - items: - type: integer - redirect: - description: ErrorPageRedirect defines a redirect for an ErrorPage. - type: object - properties: - code: - type: integer - url: - type: string - return: - description: ErrorPageReturn defines a return for an ErrorPage. - type: object - properties: - body: - type: string - code: - type: integer - headers: - type: array - items: - description: Header defines an HTTP Header. - type: object - properties: - name: - type: string - value: - type: string - type: - type: string - location-snippets: - type: string - matches: - type: array - items: - description: Match defines a match. - type: object - properties: - action: - description: Action defines an action. - type: object - properties: - pass: - type: string - proxy: - description: ActionProxy defines a proxy in an Action. - type: object - properties: - requestHeaders: - description: ProxyRequestHeaders defines the request headers manipulation in an ActionProxy. 
- type: object - properties: - pass: - type: boolean - set: - type: array - items: - description: Header defines an HTTP Header. - type: object - properties: - name: - type: string - value: - type: string - responseHeaders: - description: ProxyResponseHeaders defines the response headers manipulation in an ActionProxy. - type: object - properties: - add: - type: array - items: - description: AddHeader defines an HTTP Header with an optional Always field to use with the add_header NGINX directive. - type: object - properties: - always: - type: boolean - name: - type: string - value: - type: string - hide: - type: array - items: - type: string - ignore: - type: array - items: - type: string - pass: - type: array - items: - type: string - rewritePath: - type: string - upstream: - type: string - redirect: - description: ActionRedirect defines a redirect in an Action. - type: object - properties: - code: - type: integer - url: - type: string - return: - description: ActionReturn defines a return in an Action. - type: object - properties: - body: - type: string - code: - type: integer - type: - type: string - conditions: - type: array - items: - description: Condition defines a condition in a MatchRule. - type: object - properties: - argument: - type: string - cookie: - type: string - header: - type: string - value: - type: string - variable: - type: string - splits: - type: array - items: - description: Split defines a split. - type: object - properties: - action: - description: Action defines an action. - type: object - properties: - pass: - type: string - proxy: - description: ActionProxy defines a proxy in an Action. - type: object - properties: - requestHeaders: - description: ProxyRequestHeaders defines the request headers manipulation in an ActionProxy. - type: object - properties: - pass: - type: boolean - set: - type: array - items: - description: Header defines an HTTP Header. 
- type: object - properties: - name: - type: string - value: - type: string - responseHeaders: - description: ProxyResponseHeaders defines the response headers manipulation in an ActionProxy. - type: object - properties: - add: - type: array - items: - description: AddHeader defines an HTTP Header with an optional Always field to use with the add_header NGINX directive. - type: object - properties: - always: - type: boolean - name: - type: string - value: - type: string - hide: - type: array - items: - type: string - ignore: - type: array - items: - type: string - pass: - type: array - items: - type: string - rewritePath: - type: string - upstream: - type: string - redirect: - description: ActionRedirect defines a redirect in an Action. - type: object - properties: - code: - type: integer - url: - type: string - return: - description: ActionReturn defines a return in an Action. - type: object - properties: - body: - type: string - code: - type: integer - type: - type: string - weight: - type: integer - path: - type: string - policies: - type: array - items: - description: PolicyReference references a policy by name and an optional namespace. - type: object - properties: - name: - type: string - namespace: - type: string - route: - type: string - splits: - type: array - items: - description: Split defines a split. - type: object - properties: - action: - description: Action defines an action. - type: object - properties: - pass: - type: string - proxy: - description: ActionProxy defines a proxy in an Action. - type: object - properties: - requestHeaders: - description: ProxyRequestHeaders defines the request headers manipulation in an ActionProxy. - type: object - properties: - pass: - type: boolean - set: - type: array - items: - description: Header defines an HTTP Header. - type: object - properties: - name: - type: string - value: - type: string - responseHeaders: - description: ProxyResponseHeaders defines the response headers manipulation in an ActionProxy. 
- type: object - properties: - add: - type: array - items: - description: AddHeader defines an HTTP Header with an optional Always field to use with the add_header NGINX directive. - type: object - properties: - always: - type: boolean - name: - type: string - value: - type: string - hide: - type: array - items: - type: string - ignore: - type: array - items: - type: string - pass: - type: array - items: - type: string - rewritePath: - type: string - upstream: - type: string - redirect: - description: ActionRedirect defines a redirect in an Action. - type: object - properties: - code: - type: integer - url: - type: string - return: - description: ActionReturn defines a return in an Action. - type: object - properties: - body: - type: string - code: - type: integer - type: - type: string - weight: - type: integer - server-snippets: - type: string - tls: - description: TLS defines TLS configuration for a VirtualServer. - type: object - properties: - cert-manager: - description: CertManager defines a cert manager config for a TLS. - type: object - properties: - cluster-issuer: - type: string - common-name: - type: string - duration: - type: string - issuer: - type: string - issuer-group: - type: string - issuer-kind: - type: string - renew-before: - type: string - usages: - type: string - redirect: - description: TLSRedirect defines a redirect for a TLS. - type: object - properties: - basedOn: - type: string - code: - type: integer - enable: - type: boolean - secret: - type: string - upstreams: - type: array - items: - description: Upstream defines an upstream. - type: object - properties: - buffer-size: - type: string - buffering: - type: boolean - buffers: - description: UpstreamBuffers defines Buffer Configuration for an Upstream. 
- type: object - properties: - number: - type: integer - size: - type: string - client-max-body-size: - type: string - connect-timeout: - type: string - fail-timeout: - type: string - healthCheck: - description: HealthCheck defines the parameters for active Upstream HealthChecks. - type: object - properties: - connect-timeout: - type: string - enable: - type: boolean - fails: - type: integer - grpcService: - type: string - grpcStatus: - type: integer - headers: - type: array - items: - description: Header defines an HTTP Header. - type: object - properties: - name: - type: string - value: - type: string - interval: - type: string - jitter: - type: string - keepalive-time: - type: string - mandatory: - type: boolean - passes: - type: integer - path: - type: string - persistent: - type: boolean - port: - type: integer - read-timeout: - type: string - send-timeout: - type: string - statusMatch: - type: string - tls: - description: UpstreamTLS defines a TLS configuration for an Upstream. - type: object - properties: - enable: - type: boolean - keepalive: - type: integer - lb-method: - type: string - max-conns: - type: integer - max-fails: - type: integer - name: - type: string - next-upstream: - type: string - next-upstream-timeout: - type: string - next-upstream-tries: - type: integer - ntlm: - type: boolean - port: - type: integer - queue: - description: UpstreamQueue defines Queue Configuration for an Upstream. - type: object - properties: - size: - type: integer - timeout: - type: string - read-timeout: - type: string - send-timeout: - type: string - service: - type: string - sessionCookie: - description: SessionCookie defines the parameters for session persistence. 
- type: object
- properties:
- domain:
- type: string
- enable:
- type: boolean
- expires:
- type: string
- httpOnly:
- type: boolean
- name:
- type: string
- path:
- type: string
- samesite:
- type: string
- secure:
- type: boolean
- slow-start:
- type: string
- subselector:
- type: object
- additionalProperties:
- type: string
- tls:
- description: UpstreamTLS defines a TLS configuration for an Upstream.
- type: object
- properties:
- enable:
- type: boolean
- type:
- type: string
- use-cluster-ip:
- type: boolean
- status:
- description: VirtualServerStatus defines the status for the VirtualServer resource.
- type: object
- properties:
- externalEndpoints:
- type: array
- items:
- description: ExternalEndpoint defines the IP/ Hostname and ports used to connect to this resource.
- type: object
- properties:
- hostname:
- type: string
- ip:
- type: string
- ports:
- type: string
- message:
- type: string
- reason:
- type: string
- state:
- type: string
- served: true
- storage: true
- subresources:
- status: {}
diff --git a/deployments/helm-chart/values-icp.yaml b/deployments/helm-chart/values-icp.yaml
deleted file mode 100644
index 06a1fe8d40..0000000000
--- a/deployments/helm-chart/values-icp.yaml
+++ /dev/null
@@ -1,17 +0,0 @@
-controller:
- name: controller
- kind: daemonset
- nginxplus: true
- image:
- repository: mycluster.icp:8500/kube-system/nginx-plus-ingress
- tag: "3.2.1"
- nodeSelector:
- beta.kubernetes.io/arch: "amd64"
- proxy: true
- terminationGracePeriodSeconds: 60
- tolerations:
- - key: "dedicated"
- operator: "Exists"
- effect: "NoSchedule"
- - key: "CriticalAddonsOnly"
- operator: "Exists"
diff --git a/deployments/helm-chart/values-nsm.yaml b/deployments/helm-chart/values-nsm.yaml
deleted file mode 100644
index 47d11e0571..0000000000
--- a/deployments/helm-chart/values-nsm.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
-controller:
- name: controller
- enableLatencyMetrics: true
-nginxServiceMesh:
- enable: true
- enableEgress: true
diff --git a/deployments/helm-chart/values-plus.yaml b/deployments/helm-chart/values-plus.yaml
deleted file mode 100644
index 7852aa3b2f..0000000000
--- a/deployments/helm-chart/values-plus.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
-controller:
- name: controller
- nginxplus: true
- image:
- repository: nginx-plus-ingress
- tag: "3.2.1"
diff --git a/deployments/rbac/ap-rbac.yaml b/deployments/rbac/ap-rbac.yaml
deleted file mode 100644
index 87d673884c..0000000000
--- a/deployments/rbac/ap-rbac.yaml
+++ /dev/null
@@ -1,28 +0,0 @@
-kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: nginx-ingress-app-protect
-rules:
-- apiGroups:
- - appprotect.f5.com
- resources:
- - appolicies
- - aplogconfs
- - apusersigs
- verbs:
- - "get"
- - "watch"
- - "list"
----
-kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: nginx-ingress-app-protect
-subjects:
-- kind: ServiceAccount
- name: nginx-ingress
- namespace: nginx-ingress
-roleRef:
- kind: ClusterRole
- name: nginx-ingress-app-protect
- apiGroup: rbac.authorization.k8s.io
diff --git a/deployments/rbac/apdos-rbac.yaml b/deployments/rbac/apdos-rbac.yaml
deleted file mode 100644
index 9c23452d72..0000000000
--- a/deployments/rbac/apdos-rbac.yaml
+++ /dev/null
@@ -1,28 +0,0 @@
-kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: nginx-ingress-app-protect-dos
-rules:
- - apiGroups:
- - appprotectdos.f5.com
- resources:
- - apdospolicies
- - apdoslogconfs
- - dosprotectedresources
- verbs:
- - "get"
- - "watch"
- - "list"
----
-kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: nginx-ingress-app-protect-dos
-subjects:
- - kind: ServiceAccount
- name: nginx-ingress
- namespace: nginx-ingress
-roleRef:
- kind: ClusterRole
- name: nginx-ingress-app-protect-dos
- apiGroup: rbac.authorization.k8s.io
diff --git a/deployments/rbac/rbac.yaml b/deployments/rbac/rbac.yaml
deleted file mode 100644
index 4a95414b83..0000000000
--- a/deployments/rbac/rbac.yaml
+++ /dev/null
@@ -1,165 +0,0 @@
-kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: nginx-ingress
-rules:
-- apiGroups:
- - discovery.k8s.io
- resources:
- - endpointslices
- verbs:
- - get
- - list
- - watch
-- apiGroups:
- - ""
- resources:
- - services
- verbs:
- - get
- - list
- - watch
-- apiGroups:
- - ""
- resources:
- - secrets
- verbs:
- - get
- - list
- - watch
-- apiGroups:
- - ""
- resources:
- - configmaps
- verbs:
- - get
- - list
- - watch
- - update
- - create
-- apiGroups:
- - ""
- resources:
- - pods
- verbs:
- - get
- - list
- - watch
- - update
-- apiGroups:
- - ""
- resources:
- - namespaces
- verbs:
- - get
- - list
- - watch
-- apiGroups:
- - ""
- resources:
- - events
- verbs:
- - create
- - patch
- - list
-- apiGroups:
- - coordination.k8s.io
- resources:
- - leases
- verbs:
- - get
- - list
- - watch
- - update
- - create
-- apiGroups:
- - networking.k8s.io
- resources:
- - ingresses
- verbs:
- - list
- - watch
- - get
-- apiGroups:
- - networking.k8s.io
- resources:
- - ingresses/status
- verbs:
- - update
-- apiGroups:
- - k8s.nginx.org
- resources:
- - virtualservers
- - virtualserverroutes
- - globalconfigurations
- - transportservers
- - policies
- verbs:
- - list
- - watch
- - get
-- apiGroups:
- - k8s.nginx.org
- resources:
- - virtualservers/status
- - virtualserverroutes/status
- - policies/status
- - transportservers/status
- - dnsendpoints/status
- verbs:
- - update
-- apiGroups:
- - networking.k8s.io
- resources:
- - ingressclasses
- verbs:
- - get
-- apiGroups:
- - cis.f5.com
- resources:
- - ingresslinks
- verbs:
- - list
- - watch
- - get
-- apiGroups:
- - cert-manager.io
- resources:
- - certificates
- verbs:
- - list
- - watch
- - get
- - update
- - create
- - delete
-- apiGroups:
- - externaldns.nginx.org
- resources:
- - dnsendpoints
- verbs:
- - list
- - watch
- - get
- - update
- - create
- - delete
-- apiGroups:
- - externaldns.nginx.org
- resources:
- - dnsendpoints/status
- verbs:
- - update
----
-kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: nginx-ingress
-subjects:
-- kind: ServiceAccount
- name: nginx-ingress
- namespace: nginx-ingress
-roleRef:
- kind: ClusterRole
- name: nginx-ingress
- apiGroup: rbac.authorization.k8s.io
diff --git a/deployments/service/appprotect-dos-arb-svc.yaml b/deployments/service/appprotect-dos-arb-svc.yaml
deleted file mode 100644
index 1b8031afc3..0000000000
--- a/deployments/service/appprotect-dos-arb-svc.yaml
+++ /dev/null
@@ -1,14 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
- name: svc-appprotect-dos-arb
- namespace: nginx-ingress
-spec:
- selector:
- app: appprotect-dos-arb
- ports:
- - name: arb
- port: 3000
- protocol: TCP
- targetPort: 3000
- clusterIP: None
diff --git a/deployments/service/loadbalancer-aws-elb.yaml b/deployments/service/loadbalancer-aws-elb.yaml
deleted file mode 100644
index ee66f46244..0000000000
--- a/deployments/service/loadbalancer-aws-elb.yaml
+++ /dev/null
@@ -1,21 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
- name: nginx-ingress
- namespace: nginx-ingress
- annotations:
- service.beta.kubernetes.io/aws-load-balancer-type: "nlb"
- service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: "ip"
-spec:
- type: LoadBalancer
- ports:
- - port: 80
- targetPort: 80
- protocol: TCP
- name: http
- - port: 443
- targetPort: 443
- protocol: TCP
- name: https
- selector:
- app: nginx-ingress
diff --git a/deployments/service/loadbalancer.yaml b/deployments/service/loadbalancer.yaml
deleted file mode 100644
index d27ca5bc6a..0000000000
--- a/deployments/service/loadbalancer.yaml
+++ /dev/null
@@ -1,19 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
- name: nginx-ingress
- namespace: nginx-ingress
-spec:
- externalTrafficPolicy: Local
- type: LoadBalancer
- ports:
- - port: 80
- targetPort: 80
- protocol: TCP
- name: http
- - port: 443
- targetPort: 443
- protocol: TCP
- name: https
- selector:
- app: nginx-ingress
diff --git a/deployments/service/nodeport.yaml b/deployments/service/nodeport.yaml
deleted file mode 100644
index f263b66388..0000000000
--- a/deployments/service/nodeport.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
- name: nginx-ingress
- namespace: nginx-ingress
-spec:
- type: NodePort
- ports:
- - port: 80
- targetPort: 80
- protocol: TCP
- name: http
- - port: 443
- targetPort: 443
- protocol: TCP
- name: https
- selector:
- app: nginx-ingress
diff --git a/docs/content/configuration/security.md b/docs/content/configuration/security.md
index 9097b580b7..2b20c5a238 100644
--- a/docs/content/configuration/security.md
+++ b/docs/content/configuration/security.md
@@ -22,11 +22,10 @@ In addition, the following relating more specifically to Ingress Controller. The Ingress Controller is deployed within a Kubernetes environment, this environment must be secured. Kubernetes uses [RBAC](https://kubernetes.io/docs/reference/access-authn-authz/rbac/) to control the resources and operations available to different types of users. The Ingress Controller requires a service account which is configured using RBAC. -We strongly recommend using the [RBAC configuration](https://github.com/nginxinc/kubernetes-ingress/blob/main/deployments/rbac/rbac.yaml) provided in our standard deployment configuration. +We strongly recommend using the RBAC configuration provided in our deployment configurations. It is configured with the least amount of privilege required for the Ingress Controller to work. -We strongly recommend inspecting the RBAC configuration (for [manifests installation](https://github.com/nginxinc/kubernetes-ingress/blob/main/deployments/rbac/rbac.yaml) -or for [helm](https://github.com/nginxinc/kubernetes-ingress/blob/main/deployments/helm-chart/templates/rbac.yaml)) +We strongly recommend inspecting the RBAC configuration in the deployment file or Helm chart (see [here](https://github.com/nginxinc/kubernetes-ingress/blob/main/charts/nginx-ingress/templates/rbac.yaml) to understand what access the Ingress Controller service account has and to which resources. For example, by default the service account has access to all Secret resources in the cluster. 
@@ -58,58 +57,11 @@ Snippets are disabled by default. To use snippets, set the [`enable-snippets`](/ The F5 Nginx Ingress Controller (NIC) has various protections against attacks, such as running the service as non-root to avoid changes to files. An additional industry best practice is having root filesystems set as read-only so that the attack surface is further reduced by limiting changes to binaries and libraries. -Currently, we do not set read-only root filesystem as default. Instead, this is an opt-in feature available on the [helm-chart](/nginx-ingress-controller/installation/installation-with-helm/#configuration) via `controller.readOnlyRootFilesystem`. -When using manifests instead of Helm, uncomment the following sections of the deployment: +Currently, we do not set read-only root filesystem as default. Instead, this is an opt-in feature available on the [Helm Chart](/nginx-ingress-controller/installation/installation-with-helm/#configuration) +via `controller.readOnlyRootFilesystem`. -- `readOnlyRootFilesystem: true`, -- The entire `volumeMounts` section, -- The entire `initContiners` section, -- For `initContainers:image:`, use exact same image used for regular NIC installation. -Refer to the below code-block for guidance: +If you prefer to use manifests instead of Helm, you can use the following manifest to enable this feature: -``` -# volumes: -# - name: nginx-etc -# emptyDir: {} -# - name: nginx-cache -# emptyDir: {} -# - name: nginx-lib -# emptyDir: {} -# - name: nginx-log -# emptyDir: {} -. -. -. -# readOnlyRootFilesystem: true -. -. -. -# volumeMounts: -# - mountPath: /etc/nginx -# name: nginx-etc -# - mountPath: /var/cache/nginx -# name: nginx-cache -# - mountPath: /var/lib/nginx -# name: nginx-lib -# - mountPath: /var/log/nginx -# name: nginx-log -. -. -. 
-# initContainers: -# - image: : -# imagePullPolicy: IfNotPresent -# name: init-nginx-ingress -# command: ['cp', '-vdR', '/etc/nginx/.', '/mnt/etc'] -# securityContext: -# allowPrivilegeEscalation: false -# readOnlyRootFilesystem: true -# runAsUser: 101 #nginx -# runAsNonRoot: true -# capabilities: -# drop: -# - ALL -# volumeMounts: -# - mountPath: /mnt/etc -# name: nginx-etc +```shell +kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.2.1/deploy/read-only-fs/deploy.yaml ``` diff --git a/docs/content/installation/installation-with-helm.md b/docs/content/installation/installation-with-helm.md index bb45538c5a..78fd90d748 100644 --- a/docs/content/installation/installation-with-helm.md +++ b/docs/content/installation/installation-with-helm.md @@ -1,7 +1,7 @@ --- title: Installation with Helm description: This document describes how to install the NGINX Ingress Controller in your Kubernetes cluster using Helm. -weight: 1900 +weight: 1800 doctypes: [""] toc: true docs: "DOCS-602" diff --git a/docs/content/installation/installation-with-manifests.md b/docs/content/installation/installation-with-manifests.md index 8f661f1138..be1b4cc315 100644 --- a/docs/content/installation/installation-with-manifests.md +++ b/docs/content/installation/installation-with-manifests.md @@ -1,7 +1,7 @@ --- title: Installation with Manifests description: "This document describes how to install the NGINX Ingress Controller in your Kubernetes cluster using Kubernetes manifests." -weight: 1800 +weight: 1900 doctypes: [""] aliases: - /installation/ 
@@ -11,196 +11,197 @@ docs: "DOCS-603" ## Prerequisites -{{}} All documentation should only be used with the latest stable release, indicated on [the releases page](https://github.com/nginxinc/kubernetes-ingress/releases) of the GitHub repository. {{}} - 1. Make sure you have access to an NGINX Ingress Controller image: - - For NGINX Ingress Controller, use the image `nginx/nginx-ingress` from [DockerHub](https://hub.docker.com/r/nginx/nginx-ingress). - - For NGINX Plus Ingress Controller, see [here](/nginx-ingress-controller/installation/pulling-ingress-controller-image) for details on pulling the image from the F5 Docker registry. - - To pull from the F5 Container registry in your Kubernetes cluster, configure a docker registry secret using your JWT token from the MyF5 portal by following the instructions from [here](/nginx-ingress-controller/installation/using-the-jwt-token-docker-secret). + - For NGINX Ingress Controller, use the images from [DockerHub](https://hub.docker.com/r/nginx/nginx-ingress), + [GitHub Container Registry](https://github.com/nginxinc/kubernetes-ingress/pkgs/container/kubernetes-ingress), + [Amazon ECR Public Gallery](https://gallery.ecr.aws/nginx/nginx-ingress) or + [Quay.io](https://quay.io/repository/nginx/nginx-ingress). + - For NGINX Plus Ingress Controller, see + [here](/nginx-ingress-controller/installation/pulling-ingress-controller-image) for details on pulling the image + from the F5 Docker registry. + - To pull from the F5 Container registry in your Kubernetes cluster, configure a docker registry secret using your + JWT token from the MyF5 portal by following the instructions from + [here](/nginx-ingress-controller/installation/using-the-jwt-token-docker-secret). - You can also build your own image and push it to your private Docker registry by following the instructions from [here](/nginx-ingress-controller/installation/building-ingress-controller-image). -2. 
Clone the NGINX Ingress Controller repository and change into the deployments folder: - - ```shell - git clone https://github.com/nginxinc/kubernetes-ingress.git --branch v3.2.1 - cd kubernetes-ingress/deployments - ``` +2. All the commands in this document directly apply the YAML files from the repository. If you prefer, you can download + the files and modify them according to your requirements. - {{}}The above command will clone the branch of the latest NGINX Ingress Controller release, and all documentation assumes you are using it.{{}} +{{}} To perform some of the following steps you must be a cluster admin. Follow the documentation of your +Kubernetes platform to configure the admin access. For Google Kubernetes Engine, see their [Role-Based Access +Control](https://cloud.google.com/kubernetes-engine/docs/how-to/role-based-access-control) documentation.{{}} --- -## 1. Configure RBAC +## 1. Create Custom Resources -1. Create a namespace and a service account for NGINX Ingress Controller: - - ```shell - kubectl apply -f common/ns-and-sa.yaml - ``` +{{}} +By default, it is required to create custom resource definitions for VirtualServer, VirtualServerRoute, TransportServer +and Policy. Otherwise, NGINX Ingress Controller pods will not become `Ready`. If you'd like to disable that requirement, +configure +[`-enable-custom-resources`](/nginx-ingress-controller/configuration/global-configuration/command-line-arguments#cmdoption-global-configuration) +command-line argument to `false` and skip this section. +{{}} -2. Create a cluster role and cluster role binding for the service account: +1. 
Create custom resource definitions for [VirtualServer and VirtualServerRoute](/nginx-ingress-controller/configuration/virtualserver-and-virtualserverroute-resources), + [TransportServer](/nginx-ingress-controller/configuration/transportserver-resource), + [Policy](/nginx-ingress-controller/configuration/policy-resource) and + [GlobalConfiguration](/nginx-ingress-controller/configuration/global-configuration/globalconfiguration-resource) + resources: ```shell - kubectl apply -f rbac/rbac.yaml + kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.2.1/deploy/crds.yaml ``` -3. (App Protect only) Create the App Protect role and role binding: +2. If you would like to use the NGINX App Protect WAF module, you will need to create custom resource definitions for + `APPolicy`, `APLogConf` and `APUserSig`: ```shell - kubectl apply -f rbac/ap-rbac.yaml + kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.2.1/deploy/crds-nap-waf.yaml ``` -4. (App Protect DoS only) Create the App Protect DoS role and role binding: +3. If you would like to use the NGINX App Protect DoS module, you will need to create custom resource definitions for + `APDosPolicy`, `APDosLogConf` and `DosProtectedResource`: ```shell - kubectl apply -f rbac/apdos-rbac.yaml + kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.2.1/deploy/crds-nap-dos.yaml ``` -{{}} To perform this step you must be a cluster admin. Follow the documentation of your Kubernetes platform to configure the admin access. For Google Kubernetes Engine, see their [Role-Based Access Control](https://cloud.google.com/kubernetes-engine/docs/how-to/role-based-access-control) documentation.{{}} - --- -## 2. Create Common Resources +## 2. 
Deploying NGINX Ingress Controller -In this section, we create resources common for most of NGINX Ingress Controller installations: -{{}} -Installing the `default-server-secret.yaml` is optional and is required only if you are using the [default server TLS secret](/nginx-ingress-controller/configuration/global-configuration/command-line-arguments#cmdoption-default-server-tls-secret) command line argument. It is recommended that users provide their own certificate. -Otherwise, step 1 can be ignored. -{{}} +The NGINX Ingress Controller repository contains deployment files with all the resources needed in a single file (except +for the CRDs above). You can run the commands as is or or customize them according to your requirements, for example to +update the [command line arguments](/nginx-ingress-controller/configuration/global-configuration/command-line-arguments) +documentation for more details. -1. Create a secret with a TLS certificate and a key for the default server in NGINX (below assumes you are in the `kubernetes-ingress/deployment` directory): - - ```console - kubectl apply -f ../examples/shared-examples/default-server-secret/default-server-secret.yaml - ``` +--- - {{}} The default server returns the Not Found page with the 404 status code for all requests for domains for which there are no Ingress rules defined. For testing purposes we include a self-signed certificate and key that we generated. However, we recommend that you use your own certificate and key. {{}} +### 2.1 Running NGINX Ingress Controller -1. Create a config map for customizing NGINX configuration: +There are multiple sample deployment files available in the repository. Choose the one that best suits your needs. - ```console - kubectl apply -f common/nginx-config.yaml - ``` +{{}} -1. Create an IngressClass resource: +{{}} - ```console - kubectl apply -f common/ingress-class.yaml - ``` +This is a default deployment file. It deploys the NGINX Ingress Controller as a Deployment. 
- If you would like to set this NGINX Ingress Controller instance as the default, uncomment the annotation `ingressclass.kubernetes.io/is-default-class`. With this annotation set to true all the new Ingresses without an ingressClassName field specified will be assigned this IngressClass. +```shell +kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.2.1/deploy/default/deploy.yaml +``` - {{}} NGINX Ingress Controller will fail to start without an IngressClass resource. {{}} +{{%/tab%}} ---- +{{}} -## 3. Create Custom Resources +This is a default daemonset file. It deploys the NGINX Ingress Controller as a DaemonSet. -{{}} -By default, it is required to create custom resource definitions for VirtualServer, VirtualServerRoute, TransportServer and Policy. Otherwise, NGINX Ingress Controller pods will not become `Ready`. If you'd like to disable that requirement, configure [`-enable-custom-resources`](/nginx-ingress-controller/configuration/global-configuration/command-line-arguments#cmdoption-global-configuration) command-line argument to `false` and skip this section. -{{}} +```shell +kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.2.1/deploy/default/daemonset.yaml +``` -1. Create custom resource definitions for [VirtualServer and VirtualServerRoute](/nginx-ingress-controller/configuration/virtualserver-and-virtualserverroute-resources), [TransportServer](/nginx-ingress-controller/configuration/transportserver-resource) and [Policy](/nginx-ingress-controller/configuration/policy-resource) resources: +{{%/tab%}} - ```console - kubectl apply -f common/crds/k8s.nginx.org_virtualservers.yaml - kubectl apply -f common/crds/k8s.nginx.org_virtualserverroutes.yaml - kubectl apply -f common/crds/k8s.nginx.org_transportservers.yaml - kubectl apply -f common/crds/k8s.nginx.org_policies.yaml - ``` +{{}} -2. 
If you would like to use the TCP and UDP load balancing features, create a custom resource definition for the [GlobalConfiguration](/nginx-ingress-controller/configuration/global-configuration/globalconfiguration-resource) resource: +Deploys NGINX Ingress Controller using a nodeSelector to deploy the controller on Azure nodes. - ```console - kubectl apply -f common/crds/k8s.nginx.org_globalconfigurations.yaml - ``` +```shell +kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.2.1/deploy/azure/deploy.yaml +``` -3. If you would like to use the App Protect WAF module, you will need to create custom resource definitions for `APPolicy`, `APLogConf` and `APUserSig`: +{{%/tab%}} - ```console - kubectl apply -f common/crds/appprotect.f5.com_aplogconfs.yaml - kubectl apply -f common/crds/appprotect.f5.com_appolicies.yaml - kubectl apply -f common/crds/appprotect.f5.com_apusersigs.yaml - ``` +{{}} -4. If you would like to use the App Protect DoS module, you will need to create custom resource definitions for `APDosPolicy`, `APDosLogConf` and `DosProtectedResource`: + Deploys NGINX Ingress Controller using a Service type of `LoadBalancer` to allocate an AWS + Network Load Balancer (NLB). - ```console - kubectl apply -f common/crds/appprotectdos.f5.com_apdoslogconfs.yaml - kubectl apply -f common/crds/appprotectdos.f5.com_apdospolicy.yaml - kubectl apply -f common/crds/appprotectdos.f5.com_dosprotectedresources.yaml - ``` +```shell +kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.2.1/deploy/aws-nlb/deploy.yaml +``` ---- +{{%/tab%}} -## 4. Deploying NGINX Ingress Controller +{{}} -There are two options for deploying NGINX Ingress Controller: +Deploys NGINX Ingress Controller with OpenID Connect (OIDC) authentication enabled. -- *Deployment*. Use a Deployment if you plan to dynamically change the number of Ingress Controller replicas. -- *DaemonSet*. 
Use a DaemonSet for deploying the Ingress Controller on every node or a subset of nodes. +```shell +kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.2.1/deploy/oidc/deploy.yaml +``` -Additionally, if you would like to use the NGINX App Protect DoS module, you'll need to deploy the Arbitrator. +{{%/tab%}} -{{}} Before creating a Deployment or Daemonset resource, make sure to update the [command-line arguments](/nginx-ingress-controller/configuration/global-configuration/command-line-arguments) of NGINX Ingress Controller container in the corresponding manifest file according to your requirements. {{}} +{{}} ---- +Deploys NGINX Ingress Controller with the NGINX Plus. The image is pulled from the +NGINX Plus Docker registry, and the `imagePullSecretName` is the name of the secret to use to pull the image. +The secret must be created in the same namespace as the NGINX Ingress Controller. -### Deploying Arbitrator for NGINX App Protect DoS +```shell +kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.2.1/deploy/nginx-plus/deploy.yaml +``` -There are two steps for deploying NGINX Ingress Controller with the NGINX App Protect DoS module: +{{%/tab%}} -1. Build your own image and push it to your private Docker registry by following the instructions from [here](/nginx-ingress-controller/app-protect-dos/installation#Build-the-app-protect-dos-arb-Docker-Image). +{{}} -1. Run the Arbitrator by using a Deployment and Service +Deploys NGINX Ingress Controller with the NGINX App Protect WAF module enabled. The image is pulled from the NGINX Plus +Docker registry, and the `imagePullSecretName` is the name of the secret to use to pull the image. The secret must be +created in the same namespace as the NGINX Ingress Controller. 
- ```console - kubectl apply -f deployment/appprotect-dos-arb.yaml - kubectl apply -f service/appprotect-dos-arb-svc.yaml - ``` +```shell +kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.2.1/deploy/appprotect-waf/deploy.yaml +``` ---- +{{%/tab%}} -### 4.1 Running NGINX Ingress Controller +{{}} -#### Using a Deployment +Deploys NGINX Ingress Controller with the NGINX App Protect DoS module enabled. The image is pulled from the NGINX Plus +Docker registry, and the `imagePullSecretName` is the name of the secret to use to pull the image. The secret must be +created in the same namespace as the NGINX Ingress Controller. -When you run NGINX Ingress Controller by using a Deployment, by default, Kubernetes will create one NGINX Ingress Controller pod. +```shell +kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.2.1/deploy/appprotect-dos/deploy.yaml +``` -For NGINX, run: +{{%/tab%}} -```console -kubectl apply -f deployment/nginx-ingress.yaml -``` +{{}} -For NGINX Plus, run: +Deploys NGINX Ingress Controller with a read-only filesystem. -```console -kubectl apply -f deployment/nginx-plus-ingress.yaml +```shell +kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.2.1/deploy/read-only-fs/deploy.yaml ``` -{{}} Update the `nginx-plus-ingress.yaml` with the chosen image from the F5 Container registry; or the container image that you have built. {{}} +{{%/tab%}} ---- +{{}} -#### Using a DaemonSet +Deploys NGINX Ingress Controller using a Service type of `NodePort`. -When you run the Ingress Controller by using a DaemonSet, Kubernetes will create an Ingress Controller pod on every node of the cluster. 
+```shell +kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.2.1/deploy/nodeport/deploy.yaml +``` -{{}} Read the Kubernetes [DaemonSet docs](https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/) to learn how to run NGINX Ingress Controller on a subset of nodes instead of on every node of the cluster.{{}} +{{%/tab%}} -For NGINX, run: +{{}} -```console -kubectl apply -f daemon-set/nginx-ingress.yaml -``` +Deploys NGINX Ingress Controller using the `edge` tag from Docker Hub. See the +[README](https://github.com/nginxinc/kubernetes-ingress/blob/main/README.md#nginx-ingress-controller-releases) +for more information on the different tags. -For NGINX Plus, run: - -```console -kubectl apply -f daemon-set/nginx-plus-ingress.yaml +```shell +kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.2.1/deploy/edge/deploy.yaml ``` -{{}}Update `nginx-plus-ingress.yaml` with the chosen image from the F5 Container registry; or the container image that you have built.{{}} +{{%/tab%}} +{{}} --- 
@@ -208,81 +209,55 @@ kubectl apply -f daemon-set/nginx-plus-ingress.yaml Run the following command to make sure that the NGINX Ingress Controller pods are running: -```console +```shell kubectl get pods --namespace=nginx-ingress ``` ## 5. Getting Access to NGINX Ingress Controller -**If you created a daemonset**, ports 80 and 443 of NGINX Ingress Controller container are mapped to the same ports of the node where the container is running. To access NGINX Ingress Controller, use those ports and an IP address of any node of the cluster where the Ingress Controller is running. - -**If you created a deployment**, there are two options for accessing NGINX Ingress Controller pods: +If you deployed a DaemonSet, ports 80 and 443 of NGINX Ingress Controller container are mapped to the same ports of the +node where the container is running. To access NGINX Ingress Controller, use those ports and an IP address of any node +of the cluster where the Ingress Controller is running. -### 5.1 Create a Service for the NGINX Ingress Controller Pods +If you deployed a Deployment, there are two options for accessing NGINX Ingress Controller pods: -#### Using a NodePort Service - -Create a service with the type *NodePort*: - -```console -kubectl create -f service/nodeport.yaml -``` - -Kubernetes will randomly allocate two ports on every node of the cluster. To access the Ingress Controller, use an IP address of any node of the cluster along with the two allocated ports. +- If the LoadBalancer type is `NodePort`, Kubernetes will randomly allocate two ports on every node of the cluster. +To access the Ingress Controller, use an IP address of any node of the cluster along with the two allocated ports. {{}} Read more about the type NodePort in the [Kubernetes documentation](https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport). {{}} -#### Using a LoadBalancer Service - -1. 
Create a service using a manifest for your cloud provider: - - For GCP or Azure, run: +- If the LoadBalancer type is `LoadBalancer`: + - For GCP or Azure, Kubernetes will allocate a cloud load balancer for load balancing the Ingress Controller pods. + Use the public IP of the load balancer to access NGINX Ingress Controller. + - For AWS, Kubernetes will allocate a Network Load Balancer (NLB) in TCP mode with the PROXY protocol enabled to pass + the client's information (the IP address and the port). - ```shell - kubectl apply -f service/loadbalancer.yaml - ``` - - - For AWS, run: - - ```shell - kubectl apply -f service/loadbalancer-aws-elb.yaml - ``` - - Kubernetes will allocate a Classic Load Balancer (ELB) in TCP mode with the PROXY protocol enabled to pass the client's information (the IP address and the port). NGINX must be configured to use the PROXY protocol: - - Add the following keys to the config map file `nginx-config.yaml` from the Step 2: - - ```yaml - proxy-protocol: "True" - real-ip-header: "proxy_protocol" - set-real-ip-from: "0.0.0.0/0" - ``` - - - Update the config map: - - ```shell - kubectl apply -f common/nginx-config.yaml - ``` - - {{}} For AWS, additional options regarding an allocated load balancer are available, such as its type and SSL termination. Read the [Kubernetes documentation](https://kubernetes.io/docs/concepts/services-networking/service/#type-loadbalancer) to learn more. {{}} + {{}} For AWS, additional options regarding an allocated load balancer are available, such as its type and SSL + termination. Read the [Kubernetes documentation](https://kubernetes.io/docs/concepts/services-networking/service/#type-loadbalancer) to learn more. + {{}} Kubernetes will allocate and configure a cloud load balancer for load balancing the Ingress Controller pods. -2. Use the public IP of the load balancer to access NGINX Ingress Controller. 
To get the public IP: - - For GCP or Azure, run: - ```shell - kubectl get svc nginx-ingress --namespace=nginx-ingress - ``` + Use the public IP of the load balancer to access NGINX Ingress Controller. To get the public IP: + - For GCP or Azure, run: - - In case of AWS ELB, the public IP is not reported by `kubectl`, because the ELB IP addresses are not static. In general, you should rely on the ELB DNS name instead of the ELB IP addresses. However, for testing purposes, you can get the DNS name of the ELB using `kubectl describe` and then run `nslookup` to find the associated IP address: + ```shell + kubectl get svc nginx-ingress --namespace=nginx-ingress + ``` - ```shell - kubectl describe svc nginx-ingress --namespace=nginx-ingress - ``` + - In case of AWS ELB, the public IP is not reported by `kubectl`, because the ELB IP addresses are not static. In + general, you should rely on the ELB DNS name instead of the ELB IP addresses. However, for testing purposes, you + can get the DNS name of the ELB using `kubectl describe` and then run `nslookup` to find the associated IP address: - You can resolve the DNS name into an IP address using `nslookup`: + ```shell + kubectl describe svc nginx-ingress --namespace=nginx-ingress + ``` - ```shell - nslookup - ``` + You can resolve the DNS name into an IP address using `nslookup`: + + ```shell + nslookup + ``` The public IP can be reported in the status of an ingress resource. See the [Reporting Resources Status doc](/nginx-ingress-controller/configuration/global-configuration/reporting-resources-status) for more details. 
@@ -290,7 +265,8 @@ Kubernetes will randomly allocate two ports on every node of the cluster. To acc ## Uninstall NGINX Ingress Controller -1. Delete the `nginx-ingress` namespace to uninstall NGINX Ingress Controller along with all the auxiliary resources that were created: +1. Delete the `nginx-ingress` namespace to uninstall NGINX Ingress Controller along with all the auxiliary resources + that were created: ```shell kubectl delete namespace nginx-ingress @@ -308,5 +284,5 @@ Kubernetes will randomly allocate two ports on every node of the cluster. To acc {{}} This step will also remove all associated Custom Resources. {{}} ```shell - kubectl delete -f common/crds/ + kubectl delete -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.2.1/deploy/crds.yaml ``` diff --git a/docs/content/installation/installation-with-operator.md b/docs/content/installation/installation-with-operator.md index 2b023f764b..b8fb801a07 100644 --- a/docs/content/installation/installation-with-operator.md +++ b/docs/content/installation/installation-with-operator.md @@ -8,10 +8,6 @@ toc: true docs: "DOCS-604" --- -{{< note >}} -An NGINX Ingress Operator version compatible with the 3.2.0 NGINX Ingress Controller release is not available yet. We will update this document and remove this note once we publish a compatible Operator version. -{{< /note >}} - This document describes how to install the F5 NGINX Ingress Controller in your Kubernetes cluster using the NGINX Ingress Operator. ## Prerequisites diff --git a/docs/content/installation/using-the-jwt-token-docker-secret.md b/docs/content/installation/using-the-jwt-token-docker-secret.md index 1bc4a31b34..9a397eca0c 100644 --- a/docs/content/installation/using-the-jwt-token-docker-secret.md +++ b/docs/content/installation/using-the-jwt-token-docker-secret.md 
@@ -18,8 +18,8 @@ To list the available image tags using the Docker registry API, you will also ne You can also get the image using alternative methods: -* You can use Docker to pull an NGINX Ingress Controller image with NGINX Plus and push it to your private registry by following the ["Pulling the Ingress Controller Image"](https://docs.nginx.com/nginx-ingress-controller/installation/pulling-ingress-controller-image/) documentation. -* You can also build an NGINX Ingress Controller image by following the ["Information on how to build an Ingress Controller image"](https://docs.nginx.com/nginx-ingress-controller/installation/building-ingress-controller-image/) documentation. +- You can use Docker to pull an NGINX Ingress Controller image with NGINX Plus and push it to your private registry by following the ["Pulling the Ingress Controller Image"](https://docs.nginx.com/nginx-ingress-controller/installation/pulling-ingress-controller-image/) documentation. +- You can also build an NGINX Ingress Controller image by following the ["Information on how to build an Ingress Controller image"](https://docs.nginx.com/nginx-ingress-controller/installation/building-ingress-controller-image/) documentation. If you would like an NGINX Ingress Controller image using NGINX open source, we provide the image through [DockerHub](https://hub.docker.com/r/nginx/nginx-ingress/). 
@@ -27,8 +27,8 @@ If you would like an NGINX Ingress Controller image using NGINX open source, we You will need the following information from [MyF5](https://my.f5.com) for these steps: -* A JWT Access Token (Per instance) for NGINX Ingress Controller from an active NGINX Ingress Controller subscription. -* The certificate (`nginx-repo.crt`) and key (`nginx-repo.key`) for each NGINX Ingress Controller instance, used to list the available image tags from the Docker registry API. +- A JWT Access Token (Per instance) for NGINX Ingress Controller from an active NGINX Ingress Controller subscription. +- The certificate (`nginx-repo.crt`) and key (`nginx-repo.key`) for each NGINX Ingress Controller instance, used to list the available image tags from the Docker registry API. ## Prepare NGINX Ingress Controller 
@@ -43,20 +43,18 @@ You will need the following information from [MyF5](https://my.f5.com) for these 1. Create a kubernetes `docker-registry` secret type on the cluster, using the JWT token as the username and `none` for password (Password is unused). The name of the docker server is `private-registry.nginx.com`. - - ```shell + ```shell kubectl create secret docker-registry regcred --docker-server=private-registry.nginx.com --docker-username= --docker-password=none [-n nginx-ingress] ``` - It is important that the `--docker-username=` contains the contents of the token and is not pointing to the token itself. Ensure that when you copy the contents of the JWT token, there are no additional characters or extra whitepaces. This can invalidate the token and cause 401 errors when trying to authenticate to the registry. + It is important that the `--docker-username=` contains the contents of the token and is not pointing to the token itself. Ensure that when you copy the contents of the JWT token, there are no additional characters or extra whitepaces. This can invalidate the token and cause 401 errors when trying to authenticate to the registry. 1. Confirm the details of the created secret by running: - ```shell + ```shell kubectl get secret regcred --output=yaml ``` - 1. You can now use the newly created Kubernetes secret in `helm` and `manifest` deployments. ## Manifest Deployment @@ -73,7 +71,7 @@ spec: seccompProfile: type: RuntimeDefault containers: - - image: private-registry.nginx.com/nginx-ic/nginx-plus-ingress:3.2.0 + - image: private-registry.nginx.com/nginx-ic/nginx-plus-ingress:3.2.1 imagePullPolicy: IfNotPresent name: nginx-plus-ingress ``` 
@@ -89,7 +87,7 @@ If you are using `helm` for deployment, there are two main methods: using *sourc The [Helm installation page for NGINX Ingess Controller](https://docs.nginx.com/nginx-ingress-controller/installation/installation-with-helm/#managing-the-chart-via-sources) has a section describing how to use sources: these are the unique steps for Docker secrets using JWT tokens. 1. Clone the NGINX [`kubernetes-ingress` repository](https://github.com/nginxinc/kubernetes-ingress). -1. Navigate to the `deployments/helm-chart` folder of your local clone. +1. Navigate to the `charts/nginx-ingress` folder of your local clone. 1. Open the `values.yaml` file in an editor. You must change a few lines NGINX Ingress Controller with NGINX Plus to be deployed. @@ -111,7 +109,7 @@ image: repository: private-registry.nginx.com/nginx-ic/nginx-plus-ingress ## The version tag - tag: 3.2.0 + tag: 3.2.1 serviceAccount: ## The annotations of the service account of the Ingress Controller pods. 
@@ -136,13 +134,12 @@ The above command will install NGINX Ingress Controller in the `nginx-ingress` n If the namespace does not exist, `--create-namespace` will create it. Using `-f values.yaml` tells `helm` to use the `values.yaml` file that you modified earlier with the settings you want to apply for your NGINX Ingress Controller deployment. - ### Helm Chart If you want to install NGINX Ingress Controller using the charts method, the following is an example of using the command line to pass the required arguments using the `set` parameter. ```shell -helm install my-release -n nginx-ingress oci://ghcr.io/nginxinc/charts/nginx-ingress --version 0.18.0 --set controller.image.repository=private-registry.nginx.com/nginx-ic/nginx-plus-ingress --set controller.image.tag=3.2.0 --set controller.nginxplus=true --set controller.serviceAccount.imagePullSecretName=regcred +helm install my-release -n nginx-ingress oci://ghcr.io/nginxinc/charts/nginx-ingress --version 0.18.0 --set controller.image.repository=private-registry.nginx.com/nginx-ic/nginx-plus-ingress --set controller.image.tag=3.2.1 --set controller.nginxplus=true --set controller.serviceAccount.imagePullSecretName=regcred ``` Checking the validation that the .crts/key and .jwt are able to successfully authenticate to the repo to pull NGINX Ingress controller images: diff --git a/docs/content/tutorials/custom-listen-ports.md b/docs/content/tutorials/custom-listen-ports.md index c11297f6f0..07585da3f2 100644 --- a/docs/content/tutorials/custom-listen-ports.md +++ b/docs/content/tutorials/custom-listen-ports.md @@ -88,7 +88,7 @@ spec: spec: serviceAccountName: nginx-ingress containers: - - image: nginx/nginx-ingress:3.2.0 + - image: nginx/nginx-ingress:3.2.1 imagePullPolicy: IfNotPresent name: nginx-ingress ports: diff --git a/examples/custom-resources/external-dns/README.md b/examples/custom-resources/external-dns/README.md index 2cc2ee10e3..3a1cc4845a 100644 --- a/examples/custom-resources/external-dns/README.md 
+++ b/examples/custom-resources/external-dns/README.md @@ -13,13 +13,7 @@ server. In this example, we deploy an ExternalDNS deployment with the AWS provid docs](https://docs.nginx.com/nginx-ingress-controller/configuration/global-configuration/reporting-resources-status#virtualserver-and-virtualserverroute-resources) for more details). -## Step 1: Register the external-crd with the k8s api (run from the root of this repo) - -```console -kubectl apply -f deployments/common/crds/externaldns.nginx.org_dnsendpoints.yaml -``` - -## Step 2: Deploy external-dns +## Step 1: Deploy external-dns Update `external-dns-route53.yaml` with your Domain Name and Hosted Zone ID, and apply the file. @@ -27,7 +21,7 @@ Update `external-dns-route53.yaml` with your Domain Name and Hosted Zone ID, and kubectl apply -f external-dns-route53.yaml ``` -## Step 3 - Deploy the Cafe Application +## Step 2 - Deploy the Cafe Application Create the coffee and the tea deployments and services: @@ -35,7 +29,7 @@ Create the coffee and the tea deployments and services: kubectl create -f cafe.yaml ``` -## Step 4 - Configure Load Balancing and TLS Termination +## Step 3 - Configure Load Balancing and TLS Termination 1. Create the secret with the TLS certificate and key: @@ -50,7 +44,7 @@ kubectl create -f cafe.yaml kubectl create -f cafe-virtual-server.yaml ``` -## Step 5 - Test the Configuration +## Step 4 - Test the Configuration Using a browser, navigate to `https://cafe./coffee`, making sure to update as listed in the `spec.host` of the virtual server. You should see something like the following in the browser window: diff --git a/examples/custom-resources/service-insight/README.md b/examples/custom-resources/service-insight/README.md index 00bbc43864..528c21049a 100644 --- a/examples/custom-resources/service-insight/README.md +++ b/examples/custom-resources/service-insight/README.md 
@@ -3,12 +3,11 @@ > The Service Insight feature is available only for F5 NGINX Plus. To use the [Service Insight](https://docs.nginx.com/nginx-ingress-controller/logging-and-monitoring/service-insight/) -feature provided by F5 NGINX Ingress Controller you must enable it by setting `serviceInsight.create=true` in your `helm -install/upgrade...` command OR [manifest](../../../deployments/deployment/nginx-plus-ingress.yaml) depending on your +feature provided by F5 NGINX Ingress Controller you must enable it by setting `serviceInsight.create` to `true` when +using the Helm Chart or by using the [manifest](../../../deploy/service-insight/deploy.yaml) depending on your preferred installation method. -The following example demonstrates how to enable the Service Insight for NGINX Ingress Controller using [manifests -(Deployment)](../../../deployments/deployment/nginx-plus-ingress.yaml): +The following example is an extract of the Service Insight Deployment for NGINX Ingress Controller using the manifest above: ```yaml apiVersion: apps/v1 @@ -32,7 +31,7 @@ spec: securityContext: ... containers: - - image: nginx-plus-ingress:3.2.0 + - image: nginx-plus-ingress:3.2.1 imagePullPolicy: IfNotPresent name: nginx-plus-ingress ports: @@ -67,9 +66,11 @@ spec: ## Deployment -[Install NGINX Ingress -Controller](https://docs.nginx.com/nginx-ingress-controller/installation/installation-with-manifests/), and uncomment -the `-enable-service-insight` option: this will allow Service Insight to interact with it. +Install NGINX Ingress Controller with: + +```console +kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/main/deploy/service-insight/deploy.yaml +``` The examples below use the `nodeport` service. 
@@ -297,7 +298,7 @@ Response: ## Service Insight with TLS The following example demonstrates how to enable the Service Insight for NGINX Ingress Controller with **TLS** using -[manifests (Deployment)](../../../deployments/deployment/nginx-plus-ingress.yaml): +manifests (Deployment): ```yaml apiVersion: apps/v1 @@ -321,7 +322,7 @@ spec: securityContext: ... containers: - - image: nginx-plus-ingress:3.2.0 + - image: nginx-plus-ingress:3.2.1 imagePullPolicy: IfNotPresent name: nginx-plus-ingress ports: diff --git a/examples/helm-chart/README.md b/examples/helm-chart/README.md new file mode 100644 index 0000000000..f334df5558 --- /dev/null +++ b/examples/helm-chart/README.md 
@@ -0,0 +1,42 @@
+# Helm Chart Examples
+
+This directory contains examples of Helm charts that can be used to deploy
+NGINX Ingress Controller in a Kubernetes cluster.
+
+## Prerequisites
+
+- Helm 3.0+
+
+## Examples
+
+- [Default](./default) - deploys the NGINX Ingress Controller with default parameters.
+- [NGINX App Protect DoS](./app-protect-dos) - deploys the NGINX Ingress Controller with the NGINX App Protect DoS
+ module enabled. The image is pulled from the NGINX Plus Docker registry, and the `imagePullSecretName` is the name of
+ the secret to use to pull the image. The secret must be created in the same namespace as the NGINX Ingress Controller.
+- [NGINX App Protect WAF](./app-protect-waf) - deploys the NGINX Ingress Controller with the NGINX App Protect WAF
+ module enabled. The image is pulled from the NGINX Plus Docker registry, and the `imagePullSecretName` is the name of
+ the secret to use to pull the image. The secret must be created in the same namespace as the NGINX Ingress Controller.
+- [AWS NLB](./aws-nlb) - deploys the NGINX Ingress Controller using a Service type of `LoadBalancer` to allocate an AWS
+ Network Load Balancer (NLB).
+- [Azure](./azure) - deploys the NGINX Ingress Controller using a nodeSelector to deploy the controller on Azure nodes.
+- [DaemonSet](./daemonset) - deploys the NGINX Ingress Controller as a DaemonSet.
+- [Edge](./edge) - deploys the NGINX Ingress Controller using the `edge` tag from Docker Hub.
+ See the [README](../../README.md#nginx-ingress-controller-releases) for more information on the different tags.
+- [NGINX Plus](./nginx-plus) - deploys the NGINX Ingress Controller with the NGINX Plus. The image is pulled from the
+ NGINX Plus Docker registry, and the `imagePullSecretName` is the name of the secret to use to pull the image.
+ The secret must be created in the same namespace as the NGINX Ingress Controller.
+- [OIDC](./oidc) - deploys the NGINX Ingress Controller with OpenID Connect (OIDC) authentication enabled.
+- [Read-only filesystem](./read-only-filesystem) - deploys the NGINX Ingress Controller with a read-only filesystem.
+- [NodePort](./nodeport) - deploys the NGINX Ingress Controller using a Service type of `NodePort`.
+
+## Manifests generation
+
+These examples are used to generate manifests for the NGINX Ingress Controller located in the manifest folder
+[here](../../deploy).
+
+If you want to generate manifests for a specific example, or need to customize one of the examples, run the following
+command from the root of the project:
+
+```shell
+helm template nginx-ingress --namespace nginx-ingress --values examples/helm-chart//values.yaml charts/nginx-ingress
+```
diff --git a/examples/helm-chart/app-protect-dos/values.yaml b/examples/helm-chart/app-protect-dos/values.yaml
new file mode 100644
index 0000000000..d71530b7c4
--- /dev/null
+++ b/examples/helm-chart/app-protect-dos/values.yaml
@@ -0,0 +1,10 @@
+controller:
+ name: controller
+ kind: deployment
+ nginxplus: true
+ appprotectdos:
+ enable: true
+ image:
+ repository: private-registry.nginx.com/nginx-ic-dos/nginx-plus-ingress
+ serviceAccount:
+ imagePullSecretName: nginx-registry-credentials
diff --git a/examples/helm-chart/app-protect-waf/values.yaml b/examples/helm-chart/app-protect-waf/values.yaml
new file mode 100644
index 0000000000..060f6656c7
--- /dev/null
+++ b/examples/helm-chart/app-protect-waf/values.yaml
@@ -0,0 +1,11 @@
+controller:
+ name: controller
+ kind: deployment
+ nginxplus: true
+ appprotect:
+ enable: true
+ logLevel: error
+ image:
+ repository: private-registry.nginx.com/nginx-ic-nap/nginx-plus-ingress
+ serviceAccount:
+ imagePullSecretName: nginx-registry-credentials
diff --git a/examples/helm-chart/aws-nlb/values.yaml b/examples/helm-chart/aws-nlb/values.yaml
new file mode 100644
index 0000000000..e5c8250ff2
--- /dev/null
+++ b/examples/helm-chart/aws-nlb/values.yaml
@@ -0,0 +1,13 @@
+controller:
+ name: controller
+ kind: deployment
+ service:
+ type: LoadBalancer
+ annotations:
+ service.beta.kubernetes.io/aws-load-balancer-type: "nlb"
+ service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: "ip"
+ config:
+ entries:
+ proxy-protocol: "True"
+ real-ip-header: "proxy_protocol"
+ set-real-ip-from: "0.0.0.0/0"
diff --git a/examples/helm-chart/azure/values.yaml b/examples/helm-chart/azure/values.yaml
new file mode 100644
index 0000000000..03547143be
--- /dev/null
+++ b/examples/helm-chart/azure/values.yaml
@@ -0,0 +1,5 @@
+controller:
+ name: controller
+ kind: deployment
+ nodeSelector:
+ kubernetes.io/os: linux
diff --git a/examples/helm-chart/daemon-set/values.yaml b/examples/helm-chart/daemon-set/values.yaml
new file mode 100644
index 0000000000..7cf8214e66
--- /dev/null
+++ b/examples/helm-chart/daemon-set/values.yaml
@@ -0,0 +1,3 @@
+controller:
+ name: controller
+ kind: daemonset
diff --git a/examples/helm-chart/default/values.yaml b/examples/helm-chart/default/values.yaml
new file mode 100644
index 0000000000..3552bbf27c
--- /dev/null
+++ b/examples/helm-chart/default/values.yaml
@@ -0,0 +1,2 @@
+controller:
+ name: controller
diff --git a/examples/helm-chart/edge/values.yaml b/examples/helm-chart/edge/values.yaml
new file mode 100644
index 0000000000..0e85649cfb
--- /dev/null
+++ b/examples/helm-chart/edge/values.yaml
@@ -0,0 +1,7 @@
+controller:
+ name: controller
+ kind: deployment
+ image:
+ tag: edge
+ service:
+ type: NodePort
diff --git a/examples/helm-chart/external-dns/values.yaml b/examples/helm-chart/external-dns/values.yaml
new file mode 100644
index 0000000000..47166a9e17
--- /dev/null
+++ b/examples/helm-chart/external-dns/values.yaml
@@ -0,0 +1,3 @@
+controller:
+ name: controller
+ enableExternalDNS: true
diff --git a/examples/helm-chart/nginx-plus/values.yaml b/examples/helm-chart/nginx-plus/values.yaml
new file mode 100644
index 0000000000..8ab0626e49
--- /dev/null
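Review bot: The aws-nlb values enable `proxy-protocol: "True"` under `config.entries`, but nothing in `service.annotations` asks the NLB to send PROXY protocol headers, so unless that is configured elsewhere NGINX will expect a PROXY header on every forwarded connection and is likely to reject the plain TCP the NLB sends; `service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: "*"` is the usual annotation for this. Separately, `set-real-ip-from: "0.0.0.0/0"` trusts the PROXY header from any peer, so anything that reaches the pods without passing through the NLB (a NodePort, traffic from inside the cluster) can choose the client address NGINX logs and applies to IP-based policies; narrowing it to the VPC or subnet CIDR the NLB forwards from, e.g. `set-real-ip-from: "<vpc-cidr placeholder>"`, keeps the example safe to copy. If the open range is deliberate for an example, a comment above that line saying so would stop it being carried into production unchanged.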
+++ b/examples/helm-chart/nginx-plus/values.yaml
@@ -0,0 +1,8 @@
+controller:
+ name: controller
+ kind: deployment
+ nginxplus: true
+ image:
+ repository: private-registry.nginx.com/nginx-ic/nginx-plus-ingress
+ serviceAccount:
+ imagePullSecretName: nginx-registry-credentials
diff --git a/examples/helm-chart/nodeport/values.yaml b/examples/helm-chart/nodeport/values.yaml
new file mode 100644
index 0000000000..18922539ef
--- /dev/null
+++ b/examples/helm-chart/nodeport/values.yaml
@@ -0,0 +1,4 @@
+controller:
+ name: controller
+ service:
+ type: NodePort
diff --git a/examples/helm-chart/oidc/values.yaml b/examples/helm-chart/oidc/values.yaml
new file mode 100644
index 0000000000..3586cecf83
--- /dev/null
+++ b/examples/helm-chart/oidc/values.yaml
@@ -0,0 +1,9 @@
+controller:
+ name: controller
+ kind: deployment
+ nginxplus: true
+ enableOIDC: true
+ image:
+ repository: private-registry.nginx.com/nginx-ic/nginx-plus-ingress
+ serviceAccount:
+ imagePullSecretName: nginx-registry-credentials
diff --git a/examples/helm-chart/read-only-fs/values.yaml b/examples/helm-chart/read-only-fs/values.yaml
new file mode 100644
index 0000000000..b9ffdd47b7
--- /dev/null
+++ b/examples/helm-chart/read-only-fs/values.yaml
@@ -0,0 +1,5 @@
+controller:
+ name: controller
+ kind: deployment
+ enableCustomResources: false
+ readOnlyRootFilesystem: true
diff --git a/examples/helm-chart/service-insight/values.yaml b/examples/helm-chart/service-insight/values.yaml
new file mode 100644
index 0000000000..c69fe1babc
--- /dev/null
+++ b/examples/helm-chart/service-insight/values.yaml
@@ -0,0 +1,5 @@
+controller:
+ name: controller
+ nginxplus: true
+ serviceInsight:
+ create: true
diff --git a/hack/common-release-prep.sh b/hack/common-release-prep.sh
index 7875c5746a..19cc50f089 100755
--- a/hack/common-release-prep.sh
+++ b/hack/common-release-prep.sh
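Review bot: The read-only-fs values set `enableCustomResources: false` alongside `readOnlyRootFilesystem: true`, but the README entry for this example only describes a read-only filesystem, so anyone copying it loses custom resource support without being told why. If disabling custom resources is required for the read-only root filesystem to work, a comment above that line such as `# Custom resources are disabled because <reason placeholder>` would document the coupling; if it is not required, the line should be dropped so the example isolates one setting. I cannot tell from the values alone which of the two applies.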
@@ -12,21 +12,14 @@ FILES_TO_UPDATE_IC_VERSION=( Makefile README.md - deployments/daemon-set/nginx-ingress.yaml - deployments/daemon-set/nginx-plus-ingress.yaml - deployments/deployment/nginx-ingress.yaml - deployments/deployment/nginx-plus-ingress.yaml - deployments/helm-chart/Chart.yaml - deployments/helm-chart/README.md - deployments/helm-chart/values-icp.yaml - deployments/helm-chart/values-nsm.yaml - deployments/helm-chart/values-plus.yaml - deployments/helm-chart/values.yaml + charts/nginx-ingress/Chart.yaml + charts/nginx-ingress/README.md + charts/nginx-ingress/values.yaml ) FILE_TO_UPDATE_HELM_CHART_VERSION=( - deployments/helm-chart/Chart.yaml - deployments/helm-chart/README.md + charts/nginx-ingress/Chart.yaml + charts/nginx-ingress/README.md ) DOCS_TO_UPDATE_FOLDER=docs/content @@ -42,7 +35,7 @@ sed -i "" "s/$prev_helm_chart_version/$helm_chart_version/g" ${FILE_TO_UPDATE_HE # copy the helm chart README to the docs { sed -n '1,10p' docs/content/installation/installation-with-helm.md - sed -n '3,$p' deployments/helm-chart/README.md + sed -n '3,$p' charts/nginx-ingress/README.md } >file2.new && mv file2.new docs/content/installation/installation-with-helm.md sed -i '' '/^|Parameter | Description | Default |/i\ diff --git a/hack/generate-manifests.sh b/hack/generate-manifests.sh new file mode 100755 index 0000000000..2844c5d1cf --- /dev/null +++ b/hack/generate-manifests.sh 
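Review bot: After this hunk FILES_TO_UPDATE_IC_VERSION lists only the three chart files, while the `deploy/*/deploy.yaml` manifests this change introduces (referenced by release tag in the docs of this diff and rendered from the chart by hack/generate-manifests.sh) also carry the image tag, so if they are committed a version bump will leave them on the old tag. Either add them to the array or run `hack/generate-manifests.sh` after the sed over `charts/nginx-ingress/values.yaml`; I cannot see from this hunk whether the script already does that further down.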
@@ -0,0 +1,20 @@
+#!/usr/bin/env bash
+
+# Generate deployment files using Helm. This script uses the Helm chart examples in examples/helm-chart
+
+charts=$(find examples/helm-chart -maxdepth 1 -mindepth 1 -type d -exec basename {} \;)
+
+for chart in $charts; do
+ manifest=deploy/$chart/deploy.yaml
+ helm template nginx-ingress --namespace nginx-ingress --values examples/helm-chart/$chart/values.yaml --skip-crds charts/nginx-ingress >$manifest 2>/dev/null
+ sed -i.bak '/app.kubernetes.io\/managed-by: Helm/d' $manifest
+ sed -i.bak '/helm.sh/d' $manifest
+ cp $manifest config/base
+ if [ "$chart" == "app-protect-dos" ]; then
+ kustomize build config/overlays/app-protect-dos >$manifest
+ else
+ kustomize build config/base >$manifest
+ fi
+ rm -f config/base/deploy.yaml
+ rm -f $manifest.bak
+done
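Review bot: The `helm template ... >$manifest 2>/dev/null` line discards helm's stderr and the script has no `set -euo pipefail`, so a failed render (bad values file, missing chart) leaves an empty or truncated `deploy/$chart/deploy.yaml` that the following `sed`, `cp` and `kustomize build` steps process and overwrite as if it were valid, and the loop carries on to the next example. Adding `set -euo pipefail` after the shebang, dropping `2>/dev/null`, and creating the output directory with `mkdir -p "deploy/$chart"` before the redirect makes a failed render stop the script instead of silently producing a bad manifest. Quoting `"$manifest"` and `"$chart"` throughout, and reading the `find` output into an array rather than word-splitting `$charts`, would follow shell convention, though the example directory names visible in this diff contain no whitespace. Note also that the output directory takes the example directory name (`daemon-set`, `read-only-fs`), while the new README under examples/helm-chart links those examples as `./daemonset` and `./read-only-filesystem`, so those links will not resolve as written.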