From e7b52281057ca126a0c24d6e9b09be7386189a9e Mon Sep 17 00:00:00 2001 
From: Luca Comellini Date: Mon, 21 Aug 2023 17:47:50 -0700 Subject: [PATCH] Generate mainfests automatically from Helm Uses Helm Charts in examples/helm-chart to template single file manifests in deploy/. --- .github/workflows/build-plus.yml | 2 +- .github/workflows/release-pr.yml | 23 +- CONTRIBUTING.md | 3 +- Makefile | 4 + README.md | 2 +- charts/nginx-ingress/README.md | 22 +- .../templates/controller-daemonset.yaml | 4 +- .../templates/controller-deployment.yaml | 8 +- charts/nginx-ingress/values-nsm.yaml | 6 - charts/nginx-ingress/values.yaml | 6 +- config/base/kustomization.yaml | 5 + config/base/namespace.yaml | 4 + .../overlays/app-protect-dos/deployment.yaml | 43 ++ .../app-protect-dos/kustomization.yaml | 9 + config/overlays/app-protect-dos/service.yaml | 20 + {deployments => deploy}/README.md | 0 deploy/app-protect-dos/deploy.yaml | 443 ++++++++++++++++++ deploy/app-protect-waf/deploy.yaml | 378 +++++++++++++++ deploy/aws-nlb/deploy.yaml | 371 +++++++++++++++ deploy/azure/deploy.yaml | 367 +++++++++++++++ deploy/crds | 1 + deploy/daemon-set/deploy.yaml | 364 ++++++++++++++ deploy/default/deploy.yaml | 365 +++++++++++++++ deploy/edge/deploy.yaml | 366 +++++++++++++++ deploy/external-dns/deploy.yaml | 382 +++++++++++++++ deploy/nginx-plus/deploy.yaml | 367 +++++++++++++++ deploy/nodeport/deploy.yaml | 366 +++++++++++++++ deploy/oidc/deploy.yaml | 367 +++++++++++++++ deploy/openservicemesh/deploy.yaml | 366 +++++++++++++++ deploy/read-only-fs/deploy.yaml | 375 +++++++++++++++ deploy/service-insight/deploy.yaml | 365 +++++++++++++++ deployments/service/loadbalancer-aws-elb.yaml | 21 - deployments/service/loadbalancer.yaml | 19 - deployments/service/nodeport.yaml | 18 - docs/content/app-protect-dos/installation.md | 13 +- docs/content/configuration/security.md | 63 +-- .../installation/installation-with-helm.md | 2 +- .../installation-with-manifests.md | 341 +++++++------- .../using-the-jwt-token-docker-secret.md | 10 +- 
.../troubleshooting/troubleshoot-common.md | 2 +- docs/content/tutorials/custom-listen-ports.md | 2 +- docs/content/tutorials/nginx-ingress-osm.md | 18 +- docs/content/usage-reporting.md | 2 +- .../service-insight/README.md | 21 +- examples/helm-chart/README.md | 44 ++ .../helm-chart/app-protect-dos/values.yaml | 10 + .../helm-chart/app-protect-waf/values.yaml | 11 + examples/helm-chart/aws-nlb/values.yaml | 13 + examples/helm-chart/azure/values.yaml | 5 + examples/helm-chart/daemon-set/values.yaml | 3 + examples/helm-chart/default/values.yaml | 2 + examples/helm-chart/edge/values.yaml | 7 + examples/helm-chart/external-dns/values.yaml | 3 + examples/helm-chart/nginx-plus/values.yaml | 8 + examples/helm-chart/nodeport/values.yaml | 4 + examples/helm-chart/oidc/values.yaml | 9 + .../helm-chart/openservicemesh/values.yaml | 5 + examples/helm-chart/read-only-fs/values.yaml | 5 + .../helm-chart/service-insight/values.yaml | 5 + hack/generate-manifests.sh | 20 + perf-tests/suite/test_ap_reload_perf.py | 2 +- tests/Dockerfile | 4 +- tests/Makefile | 2 +- .../data}/common/ingress-class.yaml | 0 .../data}/common/nginx-config.yaml | 0 .../data}/common/ns-and-sa.yaml | 0 .../data}/daemon-set/nginx-ingress.yaml | 0 .../data}/daemon-set/nginx-plus-ingress.yaml | 0 .../data}/deployment/appprotect-dos-arb.yaml | 0 .../data}/deployment/nginx-ingress.yaml | 0 .../data}/deployment/nginx-plus-ingress.yaml | 0 {deployments => tests/data}/rbac/ap-rbac.yaml | 0 .../data}/rbac/apdos-rbac.yaml | 0 {deployments => tests/data}/rbac/rbac.yaml | 0 .../data}/service/appprotect-dos-arb-svc.yaml | 0 tests/settings.py | 1 - tests/suite/fixtures/fixtures.py | 12 +- tests/suite/fixtures/ic_fixtures.py | 18 +- tests/suite/test_ac_policies.py | 4 +- tests/suite/test_ac_policies_vsr.py | 4 +- tests/suite/test_annotations.py | 4 +- tests/suite/test_app_protect_integration.py | 2 +- .../test_app_protect_waf_policies_grpc.py | 4 +- tests/suite/test_custom_annotations.py | 4 +- 
tests/suite/test_default_server.py | 2 +- .../test_transport_server_external_name.py | 6 +- .../test_transport_server_service_insight.py | 2 +- tests/suite/test_ts_tls_passthrough.py | 4 +- tests/suite/test_v_s_route_grpc.py | 6 +- tests/suite/test_virtual_server.py | 6 +- .../test_virtual_server_configmap_keys.py | 4 +- tests/suite/test_virtual_server_grpc.py | 6 +- tests/suite/test_virtual_server_mixed_grpc.py | 6 +- tests/suite/utils/resources_utils.py | 10 +- 94 files changed, 5782 insertions(+), 421 deletions(-) delete mode 100644 charts/nginx-ingress/values-nsm.yaml create mode 100644 config/base/kustomization.yaml create mode 100644 config/base/namespace.yaml create mode 100644 config/overlays/app-protect-dos/deployment.yaml create mode 100644 config/overlays/app-protect-dos/kustomization.yaml create mode 100644 config/overlays/app-protect-dos/service.yaml rename {deployments => deploy}/README.md (100%) create mode 100644 deploy/app-protect-dos/deploy.yaml create mode 100644 deploy/app-protect-waf/deploy.yaml create mode 100644 deploy/aws-nlb/deploy.yaml create mode 100644 deploy/azure/deploy.yaml create mode 120000 deploy/crds create mode 100644 deploy/daemon-set/deploy.yaml create mode 100644 deploy/default/deploy.yaml create mode 100644 deploy/edge/deploy.yaml create mode 100644 deploy/external-dns/deploy.yaml create mode 100644 deploy/nginx-plus/deploy.yaml create mode 100644 deploy/nodeport/deploy.yaml create mode 100644 deploy/oidc/deploy.yaml create mode 100644 deploy/openservicemesh/deploy.yaml create mode 100644 deploy/read-only-fs/deploy.yaml create mode 100644 deploy/service-insight/deploy.yaml delete mode 100644 deployments/service/loadbalancer-aws-elb.yaml delete mode 100644 deployments/service/loadbalancer.yaml delete mode 100644 deployments/service/nodeport.yaml create mode 100644 examples/helm-chart/README.md create mode 100644 examples/helm-chart/app-protect-dos/values.yaml create mode 100644 examples/helm-chart/app-protect-waf/values.yaml 
create mode 100644 examples/helm-chart/aws-nlb/values.yaml create mode 100644 examples/helm-chart/azure/values.yaml create mode 100644 examples/helm-chart/daemon-set/values.yaml create mode 100644 examples/helm-chart/default/values.yaml create mode 100644 examples/helm-chart/edge/values.yaml create mode 100644 examples/helm-chart/external-dns/values.yaml create mode 100644 examples/helm-chart/nginx-plus/values.yaml create mode 100644 examples/helm-chart/nodeport/values.yaml create mode 100644 examples/helm-chart/oidc/values.yaml create mode 100644 examples/helm-chart/openservicemesh/values.yaml create mode 100644 examples/helm-chart/read-only-fs/values.yaml create mode 100644 examples/helm-chart/service-insight/values.yaml create mode 100755 hack/generate-manifests.sh rename {deployments => tests/data}/common/ingress-class.yaml (100%) rename {deployments => tests/data}/common/nginx-config.yaml (100%) rename {deployments => tests/data}/common/ns-and-sa.yaml (100%) rename {deployments => tests/data}/daemon-set/nginx-ingress.yaml (100%) rename {deployments => tests/data}/daemon-set/nginx-plus-ingress.yaml (100%) rename {deployments => tests/data}/deployment/appprotect-dos-arb.yaml (100%) rename {deployments => tests/data}/deployment/nginx-ingress.yaml (100%) rename {deployments => tests/data}/deployment/nginx-plus-ingress.yaml (100%) rename {deployments => tests/data}/rbac/ap-rbac.yaml (100%) rename {deployments => tests/data}/rbac/apdos-rbac.yaml (100%) rename {deployments => tests/data}/rbac/rbac.yaml (100%) rename {deployments => tests/data}/service/appprotect-dos-arb-svc.yaml (100%) diff --git a/.github/workflows/build-plus.yml b/.github/workflows/build-plus.yml index d9d855d0e6..82aa9747d8 100644 --- a/.github/workflows/build-plus.yml +++ b/.github/workflows/build-plus.yml 
@@ -171,7 +171,7 @@ jobs: This is the official implementation of NGINX Ingress Controller (based on NGINX Plus) from NGINX. usage-instructions: | This container requires Kubernetes and can be deployed to EKS. - Review the installation instructions https://docs.nginx.com/nginx-ingress-controller/installation/ and utilize the deployment resources available https://github.com/nginxinc/kubernetes-ingress/tree/master/deployments + Review the installation instructions https://docs.nginx.com/nginx-ingress-controller/installation/ and utilize the deployment resources available https://github.com/nginxinc/kubernetes-ingress/tree/main/deploy Use this image instead of building your own. if: ${{ github.ref_type == 'tag' && contains(inputs.target, 'aws') }} diff --git a/.github/workflows/release-pr.yml b/.github/workflows/release-pr.yml index d34e913b04..1717b93b48 100644 --- a/.github/workflows/release-pr.yml +++ b/.github/workflows/release-pr.yml 
@@ -39,29 +39,22 @@ jobs: DOCS_TO_UPDATE_FOLDER=docs/content FILES_TO_UPDATE_IC_VERSION=( - README.md - deployments/daemon-set/nginx-ingress.yaml - deployments/daemon-set/nginx-plus-ingress.yaml - deployments/deployment/nginx-ingress.yaml - deployments/deployment/nginx-plus-ingress.yaml - deployments/helm-chart/Chart.yaml - deployments/helm-chart/README.md - deployments/helm-chart/values-icp.yaml - deployments/helm-chart/values-nsm.yaml - deployments/helm-chart/values-plus.yaml - deployments/helm-chart/values.yaml + README.md + charts/nginx-ingress/Chart.yaml + charts/nginx-ingress/README.md + charts/nginx-ingress/values.yaml ) FILE_TO_UPDATE_HELM_CHART_VERSION=( - deployments/helm-chart/Chart.yaml - deployments/helm-chart/README.md + charts/nginx-ingress/Chart.yaml + charts/nginx-ingress/README.md ) ic_version=${{ github.event.inputs.version }} helm_chart_version=${{ github.event.inputs.helm_version }} - current_ic_version=$(yq '.appVersion' deploy/crds-nap-dos.yaml kustomize build config/crd/app-protect-waf --load-restrictor='LoadRestrictionsNone' >deploy/crds-nap-waf.yaml +.PHONY: generate-manifests +generate-manifests: ## Generate manifests + ./hack/generate-manifests.sh + .PHONY: certificate-and-key certificate-and-key: ## Create default cert and key ./build/generate_default_cert_and_key.sh diff --git a/README.md b/README.md index 59a075580a..e75fb8e0e9 100644 --- a/README.md +++ b/README.md 
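Review bot: The trimmed `FILES_TO_UPDATE_IC_VERSION` list no longer covers the new generated manifests, yet the deploy/*/deploy.yaml files added in this commit embed the controller version in both the image tag and the `app.kubernetes.io/version: 3.3.2` label (see deploy/app-protect-dos/deploy.yaml), so a release PR that bumps only README.md and the chart files will ship stale manifests unless the workflow regenerates them afterwards. The hunk is cut off in this rendering and its tail is merged with the Makefile hunk, so a regeneration step may already exist further down; if it does not, add a `make generate-manifests` step after the version bump and commit its output, or put the deploy/ files back into the list. The shell block runs inside a workflow step whose start is outside the hunk.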
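Review bot: The new `generate-manifests` target writes committed artifacts (deploy/*/deploy.yaml) but nothing in this diff checks that they stay in sync with charts/nginx-ingress and examples/helm-chart, so a chart change merged without re-running the target silently leaves the published manifests behind. A CI job running `make generate-manifests && git diff --exit-code deploy/` would catch that drift; hack/generate-manifests.sh itself is not visible here, so I cannot tell whether it already fails on a mismatch. The diff header for this hunk is missing from the rendering, so its attribution to the Makefile is inferred from the diffstat.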
@@ -119,7 +119,7 @@ your links to the correct versions: | Version | Description | Image for NGINX | Image for NGINX Plus | Installation Manifests and Helm Chart | Documentation and Examples | | ------- | ----------- | --------------- | -------------------- | ---------------------------------------| -------------------------- | | Latest stable release | For production use | Use the 3.3.2 images from [DockerHub](https://hub.docker.com/r/nginx/nginx-ingress/), [GitHub Container](https://github.com/nginxinc/kubernetes-ingress/pkgs/container/kubernetes-ingress), [Amazon ECR Public Gallery](https://gallery.ecr.aws/nginx/nginx-ingress) or [Quay.io](https://quay.io/repository/nginx/nginx-ingress) or [build your own image](https://docs.nginx.com/nginx-ingress-controller/installation/building-ingress-controller-image/). | Use the 3.3.2 images from the [F5 Container Registry](https://docs.nginx.com/nginx-ingress-controller/installation/pulling-ingress-controller-image/) or the [AWS Marketplace](https://aws.amazon.com/marketplace/search/?CREATOR=741df81b-dfdc-4d36-b8da-945ea66b522c&FULFILLMENT_OPTION_TYPE=CONTAINER&filters=CREATOR%2CFULFILLMENT_OPTION_TYPE) or [Build your own image](https://docs.nginx.com/nginx-ingress-controller/installation/building-ingress-controller-image/). | [Manifests](https://github.com/nginxinc/kubernetes-ingress/tree/v3.3.2/deployments). [Helm chart](https://github.com/nginxinc/kubernetes-ingress/tree/v3.3.2/deployments/helm-chart). | [Documentation](https://docs.nginx.com/nginx-ingress-controller/). [Examples](https://docs.nginx.com/nginx-ingress-controller/configuration/configuration-examples/). 
| -| Edge/Nightly | For testing and experimenting | Use the edge or nightly images from [DockerHub](https://hub.docker.com/r/nginx/nginx-ingress/), [GitHub Container](https://github.com/nginxinc/kubernetes-ingress/pkgs/container/kubernetes-ingress), [Amazon ECR Public Gallery](https://gallery.ecr.aws/nginx/nginx-ingress) or [Quay.io](https://quay.io/repository/nginx/nginx-ingress) or [build your own image](https://github.com/nginxinc/kubernetes-ingress/tree/main/docs/content/installation/building-ingress-controller-image.md). | [Build your own image](https://github.com/nginxinc/kubernetes-ingress/tree/main/docs/content/installation/building-ingress-controller-image.md). | [Manifests](https://github.com/nginxinc/kubernetes-ingress/tree/main/deployments). [Helm chart](https://github.com/nginxinc/kubernetes-ingress/tree/main/charts/nginx-ingress). | [Documentation](https://github.com/nginxinc/kubernetes-ingress/tree/main/docs/content). [Examples](https://github.com/nginxinc/kubernetes-ingress/tree/main/examples). | +| Edge/Nightly | For testing and experimenting | Use the edge or nightly images from [DockerHub](https://hub.docker.com/r/nginx/nginx-ingress/), [GitHub Container](https://github.com/nginxinc/kubernetes-ingress/pkgs/container/kubernetes-ingress), [Amazon ECR Public Gallery](https://gallery.ecr.aws/nginx/nginx-ingress) or [Quay.io](https://quay.io/repository/nginx/nginx-ingress) or [build your own image](https://github.com/nginxinc/kubernetes-ingress/tree/main/docs/content/installation/building-ingress-controller-image.md). | [Build your own image](https://github.com/nginxinc/kubernetes-ingress/tree/main/docs/content/installation/building-ingress-controller-image.md). | [Manifests](https://github.com/nginxinc/kubernetes-ingress/tree/main/deploy). [Helm chart](https://github.com/nginxinc/kubernetes-ingress/tree/main/charts/nginx-ingress). | [Documentation](https://github.com/nginxinc/kubernetes-ingress/tree/main/docs/content). 
[Examples](https://github.com/nginxinc/kubernetes-ingress/tree/main/examples). | ## SBOM (Software Bill of Materials) diff --git a/charts/nginx-ingress/README.md b/charts/nginx-ingress/README.md index e23afecfab..142fc9b5a8 100644 --- a/charts/nginx-ingress/README.md +++ b/charts/nginx-ingress/README.md @@ -78,14 +78,14 @@ To install the chart with the release name my-release (my-release is the name th For NGINX: ```console -helm install my-release oci://ghcr.io/nginxinc/charts/nginx-ingress --version 1.0.2 +helm install my-release -n nginx-ingress --create-namespace oci://ghcr.io/nginxinc/charts/nginx-ingress --version 1.0.2 ``` For NGINX Plus: (assuming you have pushed the Ingress Controller image `nginx-plus-ingress` to your private registry `myregistry.example.com`) ```console -helm install my-release oci://ghcr.io/nginxinc/charts/nginx-ingress --version 1.0.2 --set controller.image.repository=myregistry.example.com/nginx-plus-ingress --set controller.nginxplus=true +helm install my-release -n nginx-ingress --create-namespace oci://ghcr.io/nginxinc/charts/nginx-ingress --version 1.0.2 --set controller.image.repository=myregistry.example.com/nginx-plus-ingress --set controller.nginxplus=true ``` This will install the latest `edge` version of the Ingress Controller from GitHub Container Registry. If you prefer to @@ -100,7 +100,7 @@ CRDs](#upgrading-the-crds). To upgrade the release `my-release`: ```console -helm upgrade my-release oci://ghcr.io/nginxinc/charts/nginx-ingress --version 1.0.2 +helm upgrade my-release -n nginx-ingress oci://ghcr.io/nginxinc/charts/nginx-ingress --version 1.0.2 ``` ### Uninstalling the Chart @@ -108,7 +108,7 @@ helm upgrade my-release oci://ghcr.io/nginxinc/charts/nginx-ingress --version 1. To uninstall/delete the release `my-release`: ```console -helm uninstall my-release +helm uninstall my-release -n nginx-ingress ``` The command removes all the Kubernetes components associated with the release and deletes the release. 
@@ -123,7 +123,7 @@ version is built from the `main` branch of the NGINX Ingress Controller reposito by specifying the `--version` flag with the value `0.0.0-edge`: ```console -helm install my-release oci://ghcr.io/nginxinc/charts/nginx-ingress --version 0.0.0-edge +helm install my-release -n nginx-ingress --create-namespace oci://ghcr.io/nginxinc/charts/nginx-ingress --version 0.0.0-edge ``` > **Warning** @@ -157,13 +157,13 @@ To install the chart with the release name my-release (my-release is the name th For NGINX: ```console -helm install my-release . +helm install my-release -n nginx-ingress --create-namespace . ``` For NGINX Plus: ```console -helm install my-release -f values-plus.yaml . +helm install my-release -f values-plus.yaml -n nginx-ingress --create-namespace . ``` The command deploys the Ingress Controller in your Kubernetes cluster in the default configuration. The configuration @@ -177,7 +177,7 @@ CRDs](#upgrading-the-crds). To upgrade the release `my-release`: ```console -helm upgrade my-release . +helm upgrade my-release -n nginx-ingress . ``` ### Uninstalling the Chart @@ -185,7 +185,7 @@ helm upgrade my-release . To uninstall/delete the release `my-release`: ```console -helm uninstall my-release +helm uninstall my-release -n nginx-ingress ``` The command removes all the Kubernetes components associated with the release and deletes the release. 
@@ -379,8 +379,8 @@ The following tables lists the configurable parameters of the NGINX Ingress Cont |`controller.watchSecretNamespace` | Comma separated list of namespaces the Ingress Controller should watch for resources of type Secret. If this arg is not configured, the Ingress Controller watches the same namespaces for all resources. See `controller.watchNamespace` and `controller.watchNamespaceLabel`. Please note that if configuring multiple namespaces using the Helm cli `--set` option, the string needs to wrapped in double quotes and the commas escaped using a backslash - e.g. `--set controller.watchSecretNamespace="default\,nginx-ingress"`. | "" | |`controller.enableCustomResources` | Enable the custom resources. | true | |`controller.enableOIDC` | Enable OIDC policies. | false | -|`controller.enableTLSPassthrough` | Enable TLS Passthrough on default port 443. Requires `controller.enableCustomResources`. | false | -|`controller.tlsPassThroughPort` | Set the port for the TLS Passthrough. Requires `controller.enableCustomResources` and `controller.enableTLSPassthrough`. | 443 | +|`controller.enableTLSPassthrough` | Enable TLS Passthrough on port 443. Requires `controller.enableCustomResources`. | false | +|`controller.tlsPassThroughPort` | Set the port for the TLS Passthrough. Requires `controller.enableCustomResources` and `controller.enableTLSPassthrough`. | 443 | |`controller.enableCertManager` | Enable x509 automated certificate management for VirtualServer resources using cert-manager (cert-manager.io). Requires `controller.enableCustomResources`. | false | |`controller.enableExternalDNS` | Enable integration with ExternalDNS for configuring public DNS entries for VirtualServer resources using [ExternalDNS](https://github.com/kubernetes-sigs/external-dns). Requires `controller.enableCustomResources`. | false | |`controller.globalConfiguration.create` | Creates the GlobalConfiguration custom resource. Requires `controller.enableCustomResources`. | false | 
diff --git a/charts/nginx-ingress/templates/controller-daemonset.yaml b/charts/nginx-ingress/templates/controller-daemonset.yaml index 243907770a..21e07e2fe9 100644 --- a/charts/nginx-ingress/templates/controller-daemonset.yaml +++ b/charts/nginx-ingress/templates/controller-daemonset.yaml @@ -230,9 +230,9 @@ spec: - -disable-ipv6={{ .Values.controller.disableIPV6 }} {{- if .Values.controller.enableCustomResources }} - -enable-tls-passthrough={{ .Values.controller.enableTLSPassthrough }} -{{ if .Values.controller.enableTLSPassthrough }} +{{- if .Values.controller.enableTLSPassthrough }} - -tls-passthrough-port={{ .Values.controller.tlsPassthroughPort }} -{{ end }} +{{- end }} - -enable-cert-manager={{ .Values.controller.enableCertManager }} - -enable-oidc={{ .Values.controller.enableOIDC }} - -enable-external-dns={{ .Values.controller.enableExternalDNS }} diff --git a/charts/nginx-ingress/templates/controller-deployment.yaml b/charts/nginx-ingress/templates/controller-deployment.yaml index febddbdc5d..341911c759 100644 --- a/charts/nginx-ingress/templates/controller-deployment.yaml +++ b/charts/nginx-ingress/templates/controller-deployment.yaml 
@@ -173,14 +173,14 @@ spec: - -enable-app-protect={{ .Values.controller.appprotect.enable }} {{- if and .Values.controller.appprotect.enable .Values.controller.appprotect.logLevel }} - -app-protect-log-level={{ .Values.controller.appprotect.logLevel }} -{{ end }} +{{- end }} - -enable-app-protect-dos={{ .Values.controller.appprotectdos.enable }} {{- if .Values.controller.appprotectdos.enable }} - -app-protect-dos-debug={{ .Values.controller.appprotectdos.debug }} - -app-protect-dos-max-daemons={{ .Values.controller.appprotectdos.maxDaemons }} - -app-protect-dos-max-workers={{ .Values.controller.appprotectdos.maxWorkers }} - -app-protect-dos-memory={{ .Values.controller.appprotectdos.memory }} -{{ end }} +{{- end }} - -nginx-configmaps=$(POD_NAMESPACE)/{{ include "nginx-ingress.configName" . }} {{- if .Values.controller.defaultTLS.secret }} - -default-server-tls-secret={{ .Values.controller.defaultTLS.secret }} @@ -237,9 +237,9 @@ spec: - -disable-ipv6={{ .Values.controller.disableIPV6 }} {{- if .Values.controller.enableCustomResources }} - -enable-tls-passthrough={{ .Values.controller.enableTLSPassthrough }} -{{ if .Values.controller.enableTLSPassthrough }} +{{- if .Values.controller.enableTLSPassthrough }} - -tls-passthrough-port={{ .Values.controller.tlsPassthroughPort }} -{{ end }} +{{- end }} - -enable-cert-manager={{ .Values.controller.enableCertManager }} - -enable-oidc={{ .Values.controller.enableOIDC }} - -enable-external-dns={{ .Values.controller.enableExternalDNS }} diff --git a/charts/nginx-ingress/values-nsm.yaml b/charts/nginx-ingress/values-nsm.yaml deleted file mode 100644 index 47d11e0571..0000000000 --- a/charts/nginx-ingress/values-nsm.yaml +++ /dev/null @@ -1,6 +0,0 @@ -controller: - name: controller - enableLatencyMetrics: true -nginxServiceMesh: - enable: true - enableEgress: true diff --git a/charts/nginx-ingress/values.yaml b/charts/nginx-ingress/values.yaml index dc8997c7bb..60ba43eb39 100644 --- a/charts/nginx-ingress/values.yaml 
+++ b/charts/nginx-ingress/values.yaml @@ -211,7 +211,7 @@ controller: ## The number of Ingress Controller pods that can be unavailable. This is a mutually exclusive setting with "minAvailable". # maxUnavailable: 1 - ## Strategy used to replace old Pods by new ones. .spec.strategy.type can be "Recreate" or "RollingUpdate" for Deployments, and "OnDelete" or "RollingUpdate" for Daemonsets. "RollingUpdate" is the default value. + ## Strategy used to replace old Pods by new ones. .spec.strategy.type can be "Recreate" or "RollingUpdate" for Deployments, and "OnDelete" or "RollingUpdate" for Daemonsets. "RollingUpdate" is the default value. strategy: {} ## Extra containers for the Ingress Controller pods. @@ -275,7 +275,7 @@ controller: create: false ## The spec of the GlobalConfiguration for defining the global configuration parameters of the Ingress Controller. - spec: {} ## Ensure both curly brackets are removed when adding listeners in YAML format. + spec: {} # listeners: # - name: dns-udp # port: 5353 @@ -380,7 +380,7 @@ controller: ## The name of the service account of the Ingress Controller pods. Used for RBAC. ## Autogenerated if not set or set to "". - # name: nginx-ingress + name: nginx-ingress ## The name of the secret containing docker registry credentials. ## Secret must exist in the same namespace as the helm release. diff --git a/config/base/kustomization.yaml b/config/base/kustomization.yaml new file mode 100644 index 0000000000..f3639e3726 --- /dev/null +++ b/config/base/kustomization.yaml @@ -0,0 +1,5 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: +- deploy.yaml +- namespace.yaml diff --git a/config/base/namespace.yaml b/config/base/namespace.yaml new file mode 100644 index 0000000000..4b60fec13d --- /dev/null +++ b/config/base/namespace.yaml @@ -0,0 +1,4 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: nginx-ingress 
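Review bot: Uncommenting `name: nginx-ingress` turns the service account name into a fixed default, but the comment line above it still reads `## Autogenerated if not set or set to "".`, which no longer describes the shipped behavior. Reword it to `## Defaults to "nginx-ingress"; set to "" to have the name autogenerated.` (assuming the chart's helper templates still fall back to a generated name for an empty string — they are outside this diff, so confirm). A fixed name also means two releases in one namespace would contend for the same ServiceAccount, which is presumably acceptable now that the README examples pin `-n nginx-ingress`.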
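Review bot: `resources:` in config/base/kustomization.yaml lists `deploy.yaml`, but no config/base/deploy.yaml is added by this commit (the diffstat shows only kustomization.yaml and namespace.yaml under config/base), so `kustomize build config/base` fails unless something writes that file first. Presumably hack/generate-manifests.sh renders the chart into it as a transient input; a comment next to the entry such as `# deploy.yaml is rendered by hack/generate-manifests.sh and is not committed` would spare the next reader that investigation, and the path should be git-ignored so a stray render is not committed by accident.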
diff --git a/config/overlays/app-protect-dos/deployment.yaml b/config/overlays/app-protect-dos/deployment.yaml new file mode 100644 index 0000000000..3654af01a6 --- /dev/null +++ b/config/overlays/app-protect-dos/deployment.yaml @@ -0,0 +1,43 @@ +# This is generated from https://github.com/nginxinc/nap-dos-arbitrator-helm-chart +apiVersion: apps/v1 +kind: Deployment +metadata: + name: nginx-appprotect-dos-arbitrator + namespace: nginx-ingress + labels: + app.kubernetes.io/name: nginx-appprotect-dos-arbitrator + app.kubernetes.io/instance: nginx-appprotect-dos-arbitrator + app.kubernetes.io/version: "1.1.1" +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: nginx-appprotect-dos-arbitrator + app.kubernetes.io/instance: nginx-appprotect-dos-arbitrator + template: + metadata: + labels: + app.kubernetes.io/name: nginx-appprotect-dos-arbitrator + app.kubernetes.io/instance: nginx-appprotect-dos-arbitrator + spec: + serviceAccountName: default + securityContext: + {} + containers: + - name: nginx-appprotect-dos-arbitrator + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsUser: 1001 + image: "docker-registry.nginx.com/nap-dos/app_protect_dos_arb:1.1.1" + imagePullPolicy: IfNotPresent + ports: + - name: arb + containerPort: 3000 + protocol: TCP + resources: + limits: + cpu: 500m + memory: 128Mi diff --git a/config/overlays/app-protect-dos/kustomization.yaml b/config/overlays/app-protect-dos/kustomization.yaml new file mode 100644 index 0000000000..31cb687baf --- /dev/null +++ b/config/overlays/app-protect-dos/kustomization.yaml @@ -0,0 +1,9 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: +- ../../base +- deployment.yaml +- service.yaml +# - ../../crd/bases/appprotectdos.f5.com_apdoslogconfs.yaml +# - ../../crd/bases/appprotectdos.f5.com_apdospolicy.yaml +# - ../../crd/bases/appprotectdos.f5.com_dosprotectedresources.yaml 
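Review bot: The arbitrator pod in config/overlays/app-protect-dos/deployment.yaml runs with `serviceAccountName: default` and an empty pod-level `securityContext: {}`, so it mounts the default ServiceAccount token it has no visible use for and lacks the `runAsNonRoot: true` and `seccompProfile: RuntimeDefault` that the generated controller Deployment in this same commit applies. The container already drops all capabilities and sets `runAsUser: 1001`, so this is a consistency gap with the controller pod rather than a known exposure; `readOnlyRootFilesystem` is also absent and may or may not be viable for this image. The header says the file is generated from the upstream arbitrator chart, so the settings may need to go upstream or into a kustomize patch rather than be hand-edited here, and the rendered deploy/app-protect-dos/deploy.yaml carries the same values.
```yaml
    spec:
      serviceAccountName: default
      automountServiceAccountToken: false  # no API access is visible in this overlay; drop if the arbitrator needs it
      securityContext:
        runAsNonRoot: true
        seccompProfile:
          type: RuntimeDefault
      # … unchanged: containers …
```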
diff --git a/config/overlays/app-protect-dos/service.yaml b/config/overlays/app-protect-dos/service.yaml
new file mode 100644
index 0000000000..624f0eff6e
--- /dev/null
+++ b/config/overlays/app-protect-dos/service.yaml
@@ -0,0 +1,20 @@
+# This is generated from https://github.com/nginxinc/nap-dos-arbitrator-helm-chart
+apiVersion: v1
+kind: Service
+metadata:
+ name: nginx-appprotect-dos-arbitrator
+ namespace: nginx-ingress
+ labels:
+ app.kubernetes.io/name: nginx-appprotect-dos-arbitrator
+ app.kubernetes.io/instance: nginx-appprotect-dos-arbitrator
+ app.kubernetes.io/version: "1.1.1"
+spec:
+ type: ClusterIP
+ ports:
+ - port: 3000
+ targetPort: http
+ protocol: TCP
+ name: http
+ selector:
+ app.kubernetes.io/name: nginx-appprotect-dos-arbitrator
+ app.kubernetes.io/instance: nginx-appprotect-dos-arbitrator
diff --git a/deployments/README.md b/deploy/README.md
similarity index 100%
rename from deployments/README.md
rename to deploy/README.md
diff --git a/deploy/app-protect-dos/deploy.yaml b/deploy/app-protect-dos/deploy.yaml
new file mode 100644
index 0000000000..4d6119d510
--- /dev/null
+++ b/deploy/app-protect-dos/deploy.yaml
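Review bot: `targetPort: http` in config/overlays/app-protect-dos/service.yaml names a container port that the overlay's deployment.yaml does not declare — its only port is `name: arb` (containerPort 3000) — so unless the pod exposes a port named `http` some other way, the Service resolves no endpoints and the controller cannot reach the arbitrator on 3000. Change the line to `targetPort: arb` (or `targetPort: 3000`), or rename the container port to `http` in deployment.yaml; the rendered deploy/app-protect-dos/deploy.yaml in this commit carries the same `targetPort: http` / `name: arb` pair and would need regenerating. Both files are marked as generated from the upstream arbitrator chart, so the fix may belong there as well.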
@@ -0,0 +1,443 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: nginx-ingress +--- +apiVersion: v1 +imagePullSecrets: +- name: nginx-registry-credentials +kind: ServiceAccount +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.3.2 + name: nginx-ingress + namespace: nginx-ingress +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.3.2 + name: nginx-ingress + namespace: nginx-ingress +rules: +- apiGroups: + - "" + resources: + - configmaps + - pods + - secrets + - services + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - namespaces + verbs: + - get +- apiGroups: + - "" + resources: + - pods + verbs: + - update +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch + - list +- apiGroups: + - coordination.k8s.io + resourceNames: + - nginx-ingress-leader + resources: + - leases + verbs: + - get + - update +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - create +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.3.2 + name: nginx-ingress +rules: +- apiGroups: + - "" + resources: + - configmaps + - namespaces + - pods + - secrets + - services + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch + - list +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - list + - watch +- apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - get + - list + - watch +- apiGroups: + - networking.k8s.io + resources: + - ingresses + verbs: + - get + - list + - watch +- apiGroups: + - networking.k8s.io + resources: + - ingressclasses + verbs: + - 
get +- apiGroups: + - networking.k8s.io + resources: + - ingresses/status + verbs: + - update +- apiGroups: + - appprotectdos.f5.com + resources: + - apdospolicies + - apdoslogconfs + - dosprotectedresources + verbs: + - get + - watch + - list +- apiGroups: + - k8s.nginx.org + resources: + - virtualservers + - virtualserverroutes + - globalconfigurations + - transportservers + - policies + verbs: + - list + - watch + - get +- apiGroups: + - k8s.nginx.org + resources: + - virtualservers/status + - virtualserverroutes/status + - policies/status + - transportservers/status + verbs: + - update +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.3.2 + name: nginx-ingress + namespace: nginx-ingress +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: nginx-ingress +subjects: +- kind: ServiceAccount + name: nginx-ingress + namespace: nginx-ingress +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.3.2 + name: nginx-ingress +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: nginx-ingress +subjects: +- kind: ServiceAccount + name: nginx-ingress + namespace: nginx-ingress +--- +apiVersion: v1 +data: null +kind: ConfigMap +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.3.2 + name: nginx-ingress + namespace: nginx-ingress +--- +apiVersion: v1 +kind: ConfigMap +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.3.2 + name: nginx-ingress-leader + namespace: nginx-ingress +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app.kubernetes.io/instance: 
nginx-appprotect-dos-arbitrator + app.kubernetes.io/name: nginx-appprotect-dos-arbitrator + app.kubernetes.io/version: 1.1.1 + name: nginx-appprotect-dos-arbitrator + namespace: nginx-ingress +spec: + ports: + - name: http + port: 3000 + protocol: TCP + targetPort: http + selector: + app.kubernetes.io/instance: nginx-appprotect-dos-arbitrator + app.kubernetes.io/name: nginx-appprotect-dos-arbitrator + type: ClusterIP +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.3.2 + name: nginx-ingress-controller + namespace: nginx-ingress +spec: + externalTrafficPolicy: Local + ports: + - name: http + port: 80 + protocol: TCP + targetPort: 80 + - name: https + port: 443 + protocol: TCP + targetPort: 443 + selector: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + type: LoadBalancer +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app.kubernetes.io/instance: nginx-appprotect-dos-arbitrator + app.kubernetes.io/name: nginx-appprotect-dos-arbitrator + app.kubernetes.io/version: 1.1.1 + name: nginx-appprotect-dos-arbitrator + namespace: nginx-ingress +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/instance: nginx-appprotect-dos-arbitrator + app.kubernetes.io/name: nginx-appprotect-dos-arbitrator + template: + metadata: + labels: + app.kubernetes.io/instance: nginx-appprotect-dos-arbitrator + app.kubernetes.io/name: nginx-appprotect-dos-arbitrator + spec: + containers: + - image: docker-registry.nginx.com/nap-dos/app_protect_dos_arb:1.1.1 + imagePullPolicy: IfNotPresent + name: nginx-appprotect-dos-arbitrator + ports: + - containerPort: 3000 + name: arb + protocol: TCP + resources: + limits: + cpu: 500m + memory: 128Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsUser: 1001 + securityContext: {} + serviceAccountName: default +--- 
+apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.3.2 + name: nginx-ingress-controller + namespace: nginx-ingress +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + template: + metadata: + annotations: + prometheus.io/port: "9113" + prometheus.io/scheme: http + prometheus.io/scrape: "true" + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + spec: + automountServiceAccountToken: true + containers: + - args: + - -nginx-plus=true + - -nginx-reload-timeout=60000 + - -enable-app-protect=false + - -enable-app-protect-dos=true + - -app-protect-dos-debug=false + - -app-protect-dos-max-daemons=0 + - -app-protect-dos-max-workers=0 + - -app-protect-dos-memory=0 + - -nginx-configmaps=$(POD_NAMESPACE)/nginx-ingress + - -ingress-class=nginx + - -health-status=false + - -health-status-uri=/nginx-health + - -nginx-debug=false + - -v=1 + - -nginx-status=true + - -nginx-status-port=8080 + - -nginx-status-allow-cidrs=127.0.0.1 + - -report-ingress-status + - -external-service=nginx-ingress-controller + - -enable-leader-election=true + - -leader-election-lock-name=nginx-ingress-leader + - -enable-prometheus-metrics=true + - -prometheus-metrics-listen-port=9113 + - -prometheus-tls-secret= + - -enable-service-insight=false + - -service-insight-listen-port=9114 + - -service-insight-tls-secret= + - -enable-custom-resources=true + - -enable-snippets=false + - -include-year=false + - -disable-ipv6=false + - -enable-tls-passthrough=false + - -enable-preview-policies= + - -enable-cert-manager=false + - -enable-oidc=false + - -enable-external-dns=false + - -default-http-listener-port=80 + - -default-https-listener-port=443 + - -ready-status=true + - -ready-status-port=8081 + - -enable-latency-metrics=false + env: + - name: POD_NAMESPACE + 
valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + image: private-registry.nginx.com/nginx-ic-dos/nginx-plus-ingress:3.3.2 + imagePullPolicy: IfNotPresent + name: nginx-ingress + ports: + - containerPort: 80 + name: http + protocol: TCP + - containerPort: 443 + name: https + protocol: TCP + - containerPort: 9113 + name: prometheus + - containerPort: 8081 + name: readiness-port + readinessProbe: + httpGet: + path: /nginx-ready + port: readiness-port + initialDelaySeconds: 0 + periodSeconds: 1 + resources: + requests: + cpu: 100m + memory: 128Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - NET_BIND_SERVICE + drop: + - ALL + readOnlyRootFilesystem: false + runAsNonRoot: true + runAsUser: 101 + dnsPolicy: ClusterFirst + hostNetwork: false + securityContext: + seccompProfile: + type: RuntimeDefault + serviceAccountName: nginx-ingress + terminationGracePeriodSeconds: 30 +--- +apiVersion: networking.k8s.io/v1 +kind: IngressClass +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.3.2 + name: nginx +spec: + controller: nginx.org/ingress-controller diff --git a/deploy/app-protect-waf/deploy.yaml b/deploy/app-protect-waf/deploy.yaml new file mode 100644 index 0000000000..613248ccc2 --- /dev/null +++ b/deploy/app-protect-waf/deploy.yaml 
@@ -0,0 +1,378 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: nginx-ingress +--- +apiVersion: v1 +imagePullSecrets: +- name: nginx-registry-credentials +kind: ServiceAccount +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.3.2 + name: nginx-ingress + namespace: nginx-ingress +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.3.2 + name: nginx-ingress + namespace: nginx-ingress +rules: +- apiGroups: + - "" + resources: + - configmaps + - pods + - secrets + - services + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - namespaces + verbs: + - get +- apiGroups: + - "" + resources: + - pods + verbs: + - update +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch + - list +- apiGroups: + - coordination.k8s.io + resourceNames: + - nginx-ingress-leader + resources: + - leases + verbs: + - get + - update +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - create +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.3.2 + name: nginx-ingress +rules: +- apiGroups: + - "" + resources: + - configmaps + - namespaces + - pods + - secrets + - services + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch + - list +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - list + - watch +- apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - get + - list + - watch +- apiGroups: + - networking.k8s.io + resources: + - ingresses + verbs: + - get + - list + - watch +- apiGroups: + - networking.k8s.io + resources: + - ingressclasses + verbs: + - 
get +- apiGroups: + - networking.k8s.io + resources: + - ingresses/status + verbs: + - update +- apiGroups: + - appprotect.f5.com + resources: + - appolicies + - aplogconfs + - apusersigs + verbs: + - get + - watch + - list +- apiGroups: + - k8s.nginx.org + resources: + - virtualservers + - virtualserverroutes + - globalconfigurations + - transportservers + - policies + verbs: + - list + - watch + - get +- apiGroups: + - k8s.nginx.org + resources: + - virtualservers/status + - virtualserverroutes/status + - policies/status + - transportservers/status + verbs: + - update +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.3.2 + name: nginx-ingress + namespace: nginx-ingress +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: nginx-ingress +subjects: +- kind: ServiceAccount + name: nginx-ingress + namespace: nginx-ingress +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.3.2 + name: nginx-ingress +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: nginx-ingress +subjects: +- kind: ServiceAccount + name: nginx-ingress + namespace: nginx-ingress +--- +apiVersion: v1 +data: null +kind: ConfigMap +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.3.2 + name: nginx-ingress + namespace: nginx-ingress +--- +apiVersion: v1 +kind: ConfigMap +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.3.2 + name: nginx-ingress-leader + namespace: nginx-ingress +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + 
app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.3.2 + name: nginx-ingress-controller + namespace: nginx-ingress +spec: + externalTrafficPolicy: Local + ports: + - name: http + port: 80 + protocol: TCP + targetPort: 80 + - name: https + port: 443 + protocol: TCP + targetPort: 443 + selector: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + type: LoadBalancer +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.3.2 + name: nginx-ingress-controller + namespace: nginx-ingress +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + template: + metadata: + annotations: + prometheus.io/port: "9113" + prometheus.io/scheme: http + prometheus.io/scrape: "true" + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + spec: + automountServiceAccountToken: true + containers: + - args: + - -nginx-plus=true + - -nginx-reload-timeout=60000 + - -enable-app-protect=true + - -app-protect-log-level=error + - -enable-app-protect-dos=false + - -nginx-configmaps=$(POD_NAMESPACE)/nginx-ingress + - -ingress-class=nginx + - -health-status=false + - -health-status-uri=/nginx-health + - -nginx-debug=false + - -v=1 + - -nginx-status=true + - -nginx-status-port=8080 + - -nginx-status-allow-cidrs=127.0.0.1 + - -report-ingress-status + - -external-service=nginx-ingress-controller + - -enable-leader-election=true + - -leader-election-lock-name=nginx-ingress-leader + - -enable-prometheus-metrics=true + - -prometheus-metrics-listen-port=9113 + - -prometheus-tls-secret= + - -enable-service-insight=false + - -service-insight-listen-port=9114 + - -service-insight-tls-secret= + - -enable-custom-resources=true + - -enable-snippets=false + - -include-year=false + - -disable-ipv6=false + - 
-enable-tls-passthrough=false + - -enable-preview-policies= + - -enable-cert-manager=false + - -enable-oidc=false + - -enable-external-dns=false + - -default-http-listener-port=80 + - -default-https-listener-port=443 + - -ready-status=true + - -ready-status-port=8081 + - -enable-latency-metrics=false + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + image: private-registry.nginx.com/nginx-ic-nap/nginx-plus-ingress:3.3.2 + imagePullPolicy: IfNotPresent + name: nginx-ingress + ports: + - containerPort: 80 + name: http + protocol: TCP + - containerPort: 443 + name: https + protocol: TCP + - containerPort: 9113 + name: prometheus + - containerPort: 8081 + name: readiness-port + readinessProbe: + httpGet: + path: /nginx-ready + port: readiness-port + initialDelaySeconds: 0 + periodSeconds: 1 + resources: + requests: + cpu: 100m + memory: 128Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - NET_BIND_SERVICE + drop: + - ALL + readOnlyRootFilesystem: false + runAsNonRoot: true + runAsUser: 101 + dnsPolicy: ClusterFirst + hostNetwork: false + securityContext: + seccompProfile: + type: RuntimeDefault + serviceAccountName: nginx-ingress + terminationGracePeriodSeconds: 30 +--- +apiVersion: networking.k8s.io/v1 +kind: IngressClass +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.3.2 + name: nginx +spec: + controller: nginx.org/ingress-controller diff --git a/deploy/aws-nlb/deploy.yaml b/deploy/aws-nlb/deploy.yaml new file mode 100644 index 0000000000..e64cf12dba --- /dev/null +++ b/deploy/aws-nlb/deploy.yaml 
@@ -0,0 +1,371 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: nginx-ingress +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.3.2 + name: nginx-ingress + namespace: nginx-ingress +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.3.2 + name: nginx-ingress + namespace: nginx-ingress +rules: +- apiGroups: + - "" + resources: + - configmaps + - pods + - secrets + - services + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - namespaces + verbs: + - get +- apiGroups: + - "" + resources: + - pods + verbs: + - update +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch + - list +- apiGroups: + - coordination.k8s.io + resourceNames: + - nginx-ingress-leader + resources: + - leases + verbs: + - get + - update +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - create +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.3.2 + name: nginx-ingress +rules: +- apiGroups: + - "" + resources: + - configmaps + - namespaces + - pods + - secrets + - services + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch + - list +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - list + - watch +- apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - get + - list + - watch +- apiGroups: + - networking.k8s.io + resources: + - ingresses + verbs: + - get + - list + - watch +- apiGroups: + - networking.k8s.io + resources: + - ingressclasses + verbs: + - get +- apiGroups: + - networking.k8s.io + resources: + 
- ingresses/status + verbs: + - update +- apiGroups: + - k8s.nginx.org + resources: + - virtualservers + - virtualserverroutes + - globalconfigurations + - transportservers + - policies + verbs: + - list + - watch + - get +- apiGroups: + - k8s.nginx.org + resources: + - virtualservers/status + - virtualserverroutes/status + - policies/status + - transportservers/status + verbs: + - update +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.3.2 + name: nginx-ingress + namespace: nginx-ingress +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: nginx-ingress +subjects: +- kind: ServiceAccount + name: nginx-ingress + namespace: nginx-ingress +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.3.2 + name: nginx-ingress +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: nginx-ingress +subjects: +- kind: ServiceAccount + name: nginx-ingress + namespace: nginx-ingress +--- +apiVersion: v1 +data: + proxy-protocol: "True" + real-ip-header: proxy_protocol + set-real-ip-from: 0.0.0.0/0 +kind: ConfigMap +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.3.2 + name: nginx-ingress + namespace: nginx-ingress +--- +apiVersion: v1 +kind: ConfigMap +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.3.2 + name: nginx-ingress-leader + namespace: nginx-ingress +--- +apiVersion: v1 +kind: Service +metadata: + annotations: + service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: ip + service.beta.kubernetes.io/aws-load-balancer-type: nlb + labels: + 
app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.3.2 + name: nginx-ingress-controller + namespace: nginx-ingress +spec: + externalTrafficPolicy: Local + ports: + - name: http + port: 80 + protocol: TCP + targetPort: 80 + - name: https + port: 443 + protocol: TCP + targetPort: 443 + selector: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + type: LoadBalancer +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.3.2 + name: nginx-ingress-controller + namespace: nginx-ingress +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + template: + metadata: + annotations: + prometheus.io/port: "9113" + prometheus.io/scheme: http + prometheus.io/scrape: "true" + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + spec: + automountServiceAccountToken: true + containers: + - args: + - -nginx-plus=false + - -nginx-reload-timeout=60000 + - -enable-app-protect=false + - -enable-app-protect-dos=false + - -nginx-configmaps=$(POD_NAMESPACE)/nginx-ingress + - -ingress-class=nginx + - -health-status=false + - -health-status-uri=/nginx-health + - -nginx-debug=false + - -v=1 + - -nginx-status=true + - -nginx-status-port=8080 + - -nginx-status-allow-cidrs=127.0.0.1 + - -report-ingress-status + - -external-service=nginx-ingress-controller + - -enable-leader-election=true + - -leader-election-lock-name=nginx-ingress-leader + - -enable-prometheus-metrics=true + - -prometheus-metrics-listen-port=9113 + - -prometheus-tls-secret= + - -enable-service-insight=false + - -service-insight-listen-port=9114 + - -service-insight-tls-secret= + - -enable-custom-resources=true + - -enable-snippets=false + - -include-year=false + - -disable-ipv6=false + - 
-enable-tls-passthrough=false + - -enable-preview-policies= + - -enable-cert-manager=false + - -enable-oidc=false + - -enable-external-dns=false + - -default-http-listener-port=80 + - -default-https-listener-port=443 + - -ready-status=true + - -ready-status-port=8081 + - -enable-latency-metrics=false + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + image: nginx/nginx-ingress:3.3.2 + imagePullPolicy: IfNotPresent + name: nginx-ingress + ports: + - containerPort: 80 + name: http + protocol: TCP + - containerPort: 443 + name: https + protocol: TCP + - containerPort: 9113 + name: prometheus + - containerPort: 8081 + name: readiness-port + readinessProbe: + httpGet: + path: /nginx-ready + port: readiness-port + initialDelaySeconds: 0 + periodSeconds: 1 + resources: + requests: + cpu: 100m + memory: 128Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - NET_BIND_SERVICE + drop: + - ALL + readOnlyRootFilesystem: false + runAsNonRoot: true + runAsUser: 101 + dnsPolicy: ClusterFirst + hostNetwork: false + securityContext: + seccompProfile: + type: RuntimeDefault + serviceAccountName: nginx-ingress + terminationGracePeriodSeconds: 30 +--- +apiVersion: networking.k8s.io/v1 +kind: IngressClass +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.3.2 + name: nginx +spec: + controller: nginx.org/ingress-controller diff --git a/deploy/azure/deploy.yaml b/deploy/azure/deploy.yaml new file mode 100644 index 0000000000..2e392b7e98 --- /dev/null +++ b/deploy/azure/deploy.yaml 
@@ -0,0 +1,367 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: nginx-ingress +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.3.2 + name: nginx-ingress + namespace: nginx-ingress +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.3.2 + name: nginx-ingress + namespace: nginx-ingress +rules: +- apiGroups: + - "" + resources: + - configmaps + - pods + - secrets + - services + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - namespaces + verbs: + - get +- apiGroups: + - "" + resources: + - pods + verbs: + - update +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch + - list +- apiGroups: + - coordination.k8s.io + resourceNames: + - nginx-ingress-leader + resources: + - leases + verbs: + - get + - update +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - create +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.3.2 + name: nginx-ingress +rules: +- apiGroups: + - "" + resources: + - configmaps + - namespaces + - pods + - secrets + - services + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch + - list +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - list + - watch +- apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - get + - list + - watch +- apiGroups: + - networking.k8s.io + resources: + - ingresses + verbs: + - get + - list + - watch +- apiGroups: + - networking.k8s.io + resources: + - ingressclasses + verbs: + - get +- apiGroups: + - networking.k8s.io + resources: + 
- ingresses/status + verbs: + - update +- apiGroups: + - k8s.nginx.org + resources: + - virtualservers + - virtualserverroutes + - globalconfigurations + - transportservers + - policies + verbs: + - list + - watch + - get +- apiGroups: + - k8s.nginx.org + resources: + - virtualservers/status + - virtualserverroutes/status + - policies/status + - transportservers/status + verbs: + - update +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.3.2 + name: nginx-ingress + namespace: nginx-ingress +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: nginx-ingress +subjects: +- kind: ServiceAccount + name: nginx-ingress + namespace: nginx-ingress +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.3.2 + name: nginx-ingress +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: nginx-ingress +subjects: +- kind: ServiceAccount + name: nginx-ingress + namespace: nginx-ingress +--- +apiVersion: v1 +data: null +kind: ConfigMap +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.3.2 + name: nginx-ingress + namespace: nginx-ingress +--- +apiVersion: v1 +kind: ConfigMap +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.3.2 + name: nginx-ingress-leader + namespace: nginx-ingress +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.3.2 + name: nginx-ingress-controller + namespace: nginx-ingress +spec: + externalTrafficPolicy: Local + ports: + - name: http + 
port: 80 + protocol: TCP + targetPort: 80 + - name: https + port: 443 + protocol: TCP + targetPort: 443 + selector: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + type: LoadBalancer +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.3.2 + name: nginx-ingress-controller + namespace: nginx-ingress +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + template: + metadata: + annotations: + prometheus.io/port: "9113" + prometheus.io/scheme: http + prometheus.io/scrape: "true" + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + spec: + automountServiceAccountToken: true + containers: + - args: + - -nginx-plus=false + - -nginx-reload-timeout=60000 + - -enable-app-protect=false + - -enable-app-protect-dos=false + - -nginx-configmaps=$(POD_NAMESPACE)/nginx-ingress + - -ingress-class=nginx + - -health-status=false + - -health-status-uri=/nginx-health + - -nginx-debug=false + - -v=1 + - -nginx-status=true + - -nginx-status-port=8080 + - -nginx-status-allow-cidrs=127.0.0.1 + - -report-ingress-status + - -external-service=nginx-ingress-controller + - -enable-leader-election=true + - -leader-election-lock-name=nginx-ingress-leader + - -enable-prometheus-metrics=true + - -prometheus-metrics-listen-port=9113 + - -prometheus-tls-secret= + - -enable-service-insight=false + - -service-insight-listen-port=9114 + - -service-insight-tls-secret= + - -enable-custom-resources=true + - -enable-snippets=false + - -include-year=false + - -disable-ipv6=false + - -enable-tls-passthrough=false + - -enable-preview-policies= + - -enable-cert-manager=false + - -enable-oidc=false + - -enable-external-dns=false + - -default-http-listener-port=80 + - -default-https-listener-port=443 + - -ready-status=true + - 
-ready-status-port=8081 + - -enable-latency-metrics=false + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + image: nginx/nginx-ingress:3.3.2 + imagePullPolicy: IfNotPresent + name: nginx-ingress + ports: + - containerPort: 80 + name: http + protocol: TCP + - containerPort: 443 + name: https + protocol: TCP + - containerPort: 9113 + name: prometheus + - containerPort: 8081 + name: readiness-port + readinessProbe: + httpGet: + path: /nginx-ready + port: readiness-port + initialDelaySeconds: 0 + periodSeconds: 1 + resources: + requests: + cpu: 100m + memory: 128Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - NET_BIND_SERVICE + drop: + - ALL + readOnlyRootFilesystem: false + runAsNonRoot: true + runAsUser: 101 + dnsPolicy: ClusterFirst + hostNetwork: false + nodeSelector: + kubernetes.io/os: linux + securityContext: + seccompProfile: + type: RuntimeDefault + serviceAccountName: nginx-ingress + terminationGracePeriodSeconds: 30 +--- +apiVersion: networking.k8s.io/v1 +kind: IngressClass +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.3.2 + name: nginx +spec: + controller: nginx.org/ingress-controller diff --git a/deploy/crds b/deploy/crds new file mode 120000 index 0000000000..c29b1b8fe4 --- /dev/null +++ b/deploy/crds @@ -0,0 +1 @@ +../config/crd/bases/ \ No newline at end of file diff --git a/deploy/daemon-set/deploy.yaml b/deploy/daemon-set/deploy.yaml new file mode 100644 index 0000000000..96c993c724 --- /dev/null +++ b/deploy/daemon-set/deploy.yaml 
@@ -0,0 +1,364 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: nginx-ingress +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.3.2 + name: nginx-ingress + namespace: nginx-ingress +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.3.2 + name: nginx-ingress + namespace: nginx-ingress +rules: +- apiGroups: + - "" + resources: + - configmaps + - pods + - secrets + - services + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - namespaces + verbs: + - get +- apiGroups: + - "" + resources: + - pods + verbs: + - update +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch + - list +- apiGroups: + - coordination.k8s.io + resourceNames: + - nginx-ingress-leader + resources: + - leases + verbs: + - get + - update +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - create +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.3.2 + name: nginx-ingress +rules: +- apiGroups: + - "" + resources: + - configmaps + - namespaces + - pods + - secrets + - services + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch + - list +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - list + - watch +- apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - get + - list + - watch +- apiGroups: + - networking.k8s.io + resources: + - ingresses + verbs: + - get + - list + - watch +- apiGroups: + - networking.k8s.io + resources: + - ingressclasses + verbs: + - get +- apiGroups: + - networking.k8s.io + resources: + 
- ingresses/status + verbs: + - update +- apiGroups: + - k8s.nginx.org + resources: + - virtualservers + - virtualserverroutes + - globalconfigurations + - transportservers + - policies + verbs: + - list + - watch + - get +- apiGroups: + - k8s.nginx.org + resources: + - virtualservers/status + - virtualserverroutes/status + - policies/status + - transportservers/status + verbs: + - update +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.3.2 + name: nginx-ingress + namespace: nginx-ingress +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: nginx-ingress +subjects: +- kind: ServiceAccount + name: nginx-ingress + namespace: nginx-ingress +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.3.2 + name: nginx-ingress +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: nginx-ingress +subjects: +- kind: ServiceAccount + name: nginx-ingress + namespace: nginx-ingress +--- +apiVersion: v1 +data: null +kind: ConfigMap +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.3.2 + name: nginx-ingress + namespace: nginx-ingress +--- +apiVersion: v1 +kind: ConfigMap +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.3.2 + name: nginx-ingress-leader + namespace: nginx-ingress +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.3.2 + name: nginx-ingress-controller + namespace: nginx-ingress +spec: + externalTrafficPolicy: Local + ports: + - name: http + 
port: 80 + protocol: TCP + targetPort: 80 + - name: https + port: 443 + protocol: TCP + targetPort: 443 + selector: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + type: LoadBalancer +--- +apiVersion: apps/v1 +kind: DaemonSet +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.3.2 + name: nginx-ingress-controller + namespace: nginx-ingress +spec: + selector: + matchLabels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + template: + metadata: + annotations: + prometheus.io/port: "9113" + prometheus.io/scheme: http + prometheus.io/scrape: "true" + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + spec: + automountServiceAccountToken: true + containers: + - args: + - -nginx-plus=false + - -nginx-reload-timeout=60000 + - -enable-app-protect=false + - -enable-app-protect-dos=false + - -nginx-configmaps=$(POD_NAMESPACE)/nginx-ingress + - -ingress-class=nginx + - -health-status=false + - -health-status-uri=/nginx-health + - -nginx-debug=false + - -v=1 + - -nginx-status=true + - -nginx-status-port=8080 + - -nginx-status-allow-cidrs=127.0.0.1 + - -report-ingress-status + - -external-service=nginx-ingress-controller + - -enable-leader-election=true + - -leader-election-lock-name=nginx-ingress-leader + - -enable-prometheus-metrics=true + - -prometheus-metrics-listen-port=9113 + - -prometheus-tls-secret= + - -enable-service-insight=false + - -service-insight-listen-port=9114 + - -service-insight-tls-secret= + - -enable-custom-resources=true + - -enable-snippets=false + - -include-year=false + - -disable-ipv6=false + - -enable-tls-passthrough=false + - -enable-preview-policies= + - -enable-cert-manager=false + - -enable-oidc=false + - -enable-external-dns=false + - -default-http-listener-port=80 + - -default-https-listener-port=443 + - -ready-status=true + - 
-ready-status-port=8081 + - -enable-latency-metrics=false + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + image: nginx/nginx-ingress:3.3.2 + imagePullPolicy: IfNotPresent + name: nginx-ingress + ports: + - containerPort: 80 + name: http + protocol: TCP + - containerPort: 443 + name: https + protocol: TCP + - containerPort: 9113 + name: prometheus + - containerPort: 8081 + name: readiness-port + readinessProbe: + httpGet: + path: /nginx-ready + port: readiness-port + initialDelaySeconds: 0 + periodSeconds: 1 + resources: + requests: + cpu: 100m + memory: 128Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - NET_BIND_SERVICE + drop: + - ALL + readOnlyRootFilesystem: false + runAsNonRoot: true + runAsUser: 101 + dnsPolicy: ClusterFirst + hostNetwork: false + securityContext: + seccompProfile: + type: RuntimeDefault + serviceAccountName: nginx-ingress + terminationGracePeriodSeconds: 30 +--- +apiVersion: networking.k8s.io/v1 +kind: IngressClass +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.3.2 + name: nginx +spec: + controller: nginx.org/ingress-controller diff --git a/deploy/default/deploy.yaml b/deploy/default/deploy.yaml new file mode 100644 index 0000000000..a55443065b --- /dev/null +++ b/deploy/default/deploy.yaml 
@@ -0,0 +1,365 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: nginx-ingress +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.3.2 + name: nginx-ingress + namespace: nginx-ingress +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.3.2 + name: nginx-ingress + namespace: nginx-ingress +rules: +- apiGroups: + - "" + resources: + - configmaps + - pods + - secrets + - services + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - namespaces + verbs: + - get +- apiGroups: + - "" + resources: + - pods + verbs: + - update +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch + - list +- apiGroups: + - coordination.k8s.io + resourceNames: + - nginx-ingress-leader + resources: + - leases + verbs: + - get + - update +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - create +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.3.2 + name: nginx-ingress +rules: +- apiGroups: + - "" + resources: + - configmaps + - namespaces + - pods + - secrets + - services + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch + - list +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - list + - watch +- apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - get + - list + - watch +- apiGroups: + - networking.k8s.io + resources: + - ingresses + verbs: + - get + - list + - watch +- apiGroups: + - networking.k8s.io + resources: + - ingressclasses + verbs: + - get +- apiGroups: + - networking.k8s.io + resources: + 
- ingresses/status + verbs: + - update +- apiGroups: + - k8s.nginx.org + resources: + - virtualservers + - virtualserverroutes + - globalconfigurations + - transportservers + - policies + verbs: + - list + - watch + - get +- apiGroups: + - k8s.nginx.org + resources: + - virtualservers/status + - virtualserverroutes/status + - policies/status + - transportservers/status + verbs: + - update +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.3.2 + name: nginx-ingress + namespace: nginx-ingress +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: nginx-ingress +subjects: +- kind: ServiceAccount + name: nginx-ingress + namespace: nginx-ingress +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.3.2 + name: nginx-ingress +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: nginx-ingress +subjects: +- kind: ServiceAccount + name: nginx-ingress + namespace: nginx-ingress +--- +apiVersion: v1 +data: null +kind: ConfigMap +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.3.2 + name: nginx-ingress + namespace: nginx-ingress +--- +apiVersion: v1 +kind: ConfigMap +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.3.2 + name: nginx-ingress-leader + namespace: nginx-ingress +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.3.2 + name: nginx-ingress-controller + namespace: nginx-ingress +spec: + externalTrafficPolicy: Local + ports: + - name: http + 
port: 80 + protocol: TCP + targetPort: 80 + - name: https + port: 443 + protocol: TCP + targetPort: 443 + selector: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + type: LoadBalancer +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.3.2 + name: nginx-ingress-controller + namespace: nginx-ingress +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + template: + metadata: + annotations: + prometheus.io/port: "9113" + prometheus.io/scheme: http + prometheus.io/scrape: "true" + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + spec: + automountServiceAccountToken: true + containers: + - args: + - -nginx-plus=false + - -nginx-reload-timeout=60000 + - -enable-app-protect=false + - -enable-app-protect-dos=false + - -nginx-configmaps=$(POD_NAMESPACE)/nginx-ingress + - -ingress-class=nginx + - -health-status=false + - -health-status-uri=/nginx-health + - -nginx-debug=false + - -v=1 + - -nginx-status=true + - -nginx-status-port=8080 + - -nginx-status-allow-cidrs=127.0.0.1 + - -report-ingress-status + - -external-service=nginx-ingress-controller + - -enable-leader-election=true + - -leader-election-lock-name=nginx-ingress-leader + - -enable-prometheus-metrics=true + - -prometheus-metrics-listen-port=9113 + - -prometheus-tls-secret= + - -enable-service-insight=false + - -service-insight-listen-port=9114 + - -service-insight-tls-secret= + - -enable-custom-resources=true + - -enable-snippets=false + - -include-year=false + - -disable-ipv6=false + - -enable-tls-passthrough=false + - -enable-preview-policies= + - -enable-cert-manager=false + - -enable-oidc=false + - -enable-external-dns=false + - -default-http-listener-port=80 + - -default-https-listener-port=443 + - -ready-status=true + - 
-ready-status-port=8081 + - -enable-latency-metrics=false + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + image: nginx/nginx-ingress:3.3.2 + imagePullPolicy: IfNotPresent + name: nginx-ingress + ports: + - containerPort: 80 + name: http + protocol: TCP + - containerPort: 443 + name: https + protocol: TCP + - containerPort: 9113 + name: prometheus + - containerPort: 8081 + name: readiness-port + readinessProbe: + httpGet: + path: /nginx-ready + port: readiness-port + initialDelaySeconds: 0 + periodSeconds: 1 + resources: + requests: + cpu: 100m + memory: 128Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - NET_BIND_SERVICE + drop: + - ALL + readOnlyRootFilesystem: false + runAsNonRoot: true + runAsUser: 101 + dnsPolicy: ClusterFirst + hostNetwork: false + securityContext: + seccompProfile: + type: RuntimeDefault + serviceAccountName: nginx-ingress + terminationGracePeriodSeconds: 30 +--- +apiVersion: networking.k8s.io/v1 +kind: IngressClass +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.3.2 + name: nginx +spec: + controller: nginx.org/ingress-controller diff --git a/deploy/edge/deploy.yaml b/deploy/edge/deploy.yaml new file mode 100644 index 0000000000..046f4812db --- /dev/null +++ b/deploy/edge/deploy.yaml 
@@ -0,0 +1,366 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: nginx-ingress +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.3.2 + name: nginx-ingress + namespace: nginx-ingress +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.3.2 + name: nginx-ingress + namespace: nginx-ingress +rules: +- apiGroups: + - "" + resources: + - configmaps + - pods + - secrets + - services + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - namespaces + verbs: + - get +- apiGroups: + - "" + resources: + - pods + verbs: + - update +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch + - list +- apiGroups: + - coordination.k8s.io + resourceNames: + - nginx-ingress-leader + resources: + - leases + verbs: + - get + - update +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - create +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.3.2 + name: nginx-ingress +rules: +- apiGroups: + - "" + resources: + - configmaps + - namespaces + - pods + - secrets + - services + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch + - list +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - list + - watch +- apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - get + - list + - watch +- apiGroups: + - networking.k8s.io + resources: + - ingresses + verbs: + - get + - list + - watch +- apiGroups: + - networking.k8s.io + resources: + - ingressclasses + verbs: + - get +- apiGroups: + - networking.k8s.io + resources: + 
- ingresses/status + verbs: + - update +- apiGroups: + - k8s.nginx.org + resources: + - virtualservers + - virtualserverroutes + - globalconfigurations + - transportservers + - policies + verbs: + - list + - watch + - get +- apiGroups: + - k8s.nginx.org + resources: + - virtualservers/status + - virtualserverroutes/status + - policies/status + - transportservers/status + verbs: + - update +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.3.2 + name: nginx-ingress + namespace: nginx-ingress +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: nginx-ingress +subjects: +- kind: ServiceAccount + name: nginx-ingress + namespace: nginx-ingress +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.3.2 + name: nginx-ingress +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: nginx-ingress +subjects: +- kind: ServiceAccount + name: nginx-ingress + namespace: nginx-ingress +--- +apiVersion: v1 +data: null +kind: ConfigMap +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.3.2 + name: nginx-ingress + namespace: nginx-ingress +--- +apiVersion: v1 +kind: ConfigMap +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.3.2 + name: nginx-ingress-leader + namespace: nginx-ingress +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.3.2 + name: nginx-ingress-controller + namespace: nginx-ingress +spec: + externalTrafficPolicy: Local + ports: + - name: http + 
nodePort: null + port: 80 + protocol: TCP + targetPort: 80 + - name: https + nodePort: null + port: 443 + protocol: TCP + targetPort: 443 + selector: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + type: NodePort +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.3.2 + name: nginx-ingress-controller + namespace: nginx-ingress +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + template: + metadata: + annotations: + prometheus.io/port: "9113" + prometheus.io/scheme: http + prometheus.io/scrape: "true" + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + spec: + automountServiceAccountToken: true + containers: + - args: + - -nginx-plus=false + - -nginx-reload-timeout=60000 + - -enable-app-protect=false + - -enable-app-protect-dos=false + - -nginx-configmaps=$(POD_NAMESPACE)/nginx-ingress + - -ingress-class=nginx + - -health-status=false + - -health-status-uri=/nginx-health + - -nginx-debug=false + - -v=1 + - -nginx-status=true + - -nginx-status-port=8080 + - -nginx-status-allow-cidrs=127.0.0.1 + - -report-ingress-status + - -enable-leader-election=true + - -leader-election-lock-name=nginx-ingress-leader + - -enable-prometheus-metrics=true + - -prometheus-metrics-listen-port=9113 + - -prometheus-tls-secret= + - -enable-service-insight=false + - -service-insight-listen-port=9114 + - -service-insight-tls-secret= + - -enable-custom-resources=true + - -enable-snippets=false + - -include-year=false + - -disable-ipv6=false + - -enable-tls-passthrough=false + - -enable-preview-policies= + - -enable-cert-manager=false + - -enable-oidc=false + - -enable-external-dns=false + - -default-http-listener-port=80 + - -default-https-listener-port=443 + - -ready-status=true + - 
-ready-status-port=8081 + - -enable-latency-metrics=false + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + image: nginx/nginx-ingress:edge + imagePullPolicy: IfNotPresent + name: nginx-ingress + ports: + - containerPort: 80 + name: http + protocol: TCP + - containerPort: 443 + name: https + protocol: TCP + - containerPort: 9113 + name: prometheus + - containerPort: 8081 + name: readiness-port + readinessProbe: + httpGet: + path: /nginx-ready + port: readiness-port + initialDelaySeconds: 0 + periodSeconds: 1 + resources: + requests: + cpu: 100m + memory: 128Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - NET_BIND_SERVICE + drop: + - ALL + readOnlyRootFilesystem: false + runAsNonRoot: true + runAsUser: 101 + dnsPolicy: ClusterFirst + hostNetwork: false + securityContext: + seccompProfile: + type: RuntimeDefault + serviceAccountName: nginx-ingress + terminationGracePeriodSeconds: 30 +--- +apiVersion: networking.k8s.io/v1 +kind: IngressClass +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.3.2 + name: nginx +spec: + controller: nginx.org/ingress-controller diff --git a/deploy/external-dns/deploy.yaml b/deploy/external-dns/deploy.yaml new file mode 100644 index 0000000000..10307b41e5 --- /dev/null +++ b/deploy/external-dns/deploy.yaml 
@@ -0,0 +1,382 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: nginx-ingress +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.3.2 + name: nginx-ingress + namespace: nginx-ingress +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.3.2 + name: nginx-ingress + namespace: nginx-ingress +rules: +- apiGroups: + - "" + resources: + - configmaps + - pods + - secrets + - services + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - namespaces + verbs: + - get +- apiGroups: + - "" + resources: + - pods + verbs: + - update +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch + - list +- apiGroups: + - coordination.k8s.io + resourceNames: + - nginx-ingress-leader + resources: + - leases + verbs: + - get + - update +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - create +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.3.2 + name: nginx-ingress +rules: +- apiGroups: + - "" + resources: + - configmaps + - namespaces + - pods + - secrets + - services + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch + - list +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - list + - watch +- apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - get + - list + - watch +- apiGroups: + - networking.k8s.io + resources: + - ingresses + verbs: + - get + - list + - watch +- apiGroups: + - networking.k8s.io + resources: + - ingressclasses + verbs: + - get +- apiGroups: + - networking.k8s.io + resources: + 
- ingresses/status + verbs: + - update +- apiGroups: + - k8s.nginx.org + resources: + - virtualservers + - virtualserverroutes + - globalconfigurations + - transportservers + - policies + verbs: + - list + - watch + - get +- apiGroups: + - k8s.nginx.org + resources: + - virtualservers/status + - virtualserverroutes/status + - policies/status + - transportservers/status + verbs: + - update +- apiGroups: + - externaldns.nginx.org + resources: + - dnsendpoints + verbs: + - list + - watch + - get + - update + - create + - delete +- apiGroups: + - externaldns.nginx.org + resources: + - dnsendpoints/status + verbs: + - update +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.3.2 + name: nginx-ingress + namespace: nginx-ingress +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: nginx-ingress +subjects: +- kind: ServiceAccount + name: nginx-ingress + namespace: nginx-ingress +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.3.2 + name: nginx-ingress +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: nginx-ingress +subjects: +- kind: ServiceAccount + name: nginx-ingress + namespace: nginx-ingress +--- +apiVersion: v1 +data: null +kind: ConfigMap +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.3.2 + name: nginx-ingress + namespace: nginx-ingress +--- +apiVersion: v1 +kind: ConfigMap +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.3.2 + name: nginx-ingress-leader + namespace: nginx-ingress +--- +apiVersion: v1 +kind: Service +metadata: + labels: + 
app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.3.2 + name: nginx-ingress-controller + namespace: nginx-ingress +spec: + externalTrafficPolicy: Local + ports: + - name: http + port: 80 + protocol: TCP + targetPort: 80 + - name: https + port: 443 + protocol: TCP + targetPort: 443 + selector: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + type: LoadBalancer +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.3.2 + name: nginx-ingress-controller + namespace: nginx-ingress +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + template: + metadata: + annotations: + prometheus.io/port: "9113" + prometheus.io/scheme: http + prometheus.io/scrape: "true" + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + spec: + automountServiceAccountToken: true + containers: + - args: + - -nginx-plus=false + - -nginx-reload-timeout=60000 + - -enable-app-protect=false + - -enable-app-protect-dos=false + - -nginx-configmaps=$(POD_NAMESPACE)/nginx-ingress + - -ingress-class=nginx + - -health-status=false + - -health-status-uri=/nginx-health + - -nginx-debug=false + - -v=1 + - -nginx-status=true + - -nginx-status-port=8080 + - -nginx-status-allow-cidrs=127.0.0.1 + - -report-ingress-status + - -external-service=nginx-ingress-controller + - -enable-leader-election=true + - -leader-election-lock-name=nginx-ingress-leader + - -enable-prometheus-metrics=true + - -prometheus-metrics-listen-port=9113 + - -prometheus-tls-secret= + - -enable-service-insight=false + - -service-insight-listen-port=9114 + - -service-insight-tls-secret= + - -enable-custom-resources=true + - -enable-snippets=false + - -include-year=false + - -disable-ipv6=false + - 
-enable-tls-passthrough=false + - -enable-preview-policies= + - -enable-cert-manager=false + - -enable-oidc=false + - -enable-external-dns=true + - -default-http-listener-port=80 + - -default-https-listener-port=443 + - -ready-status=true + - -ready-status-port=8081 + - -enable-latency-metrics=false + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + image: nginx/nginx-ingress:3.3.2 + imagePullPolicy: IfNotPresent + name: nginx-ingress + ports: + - containerPort: 80 + name: http + protocol: TCP + - containerPort: 443 + name: https + protocol: TCP + - containerPort: 9113 + name: prometheus + - containerPort: 8081 + name: readiness-port + readinessProbe: + httpGet: + path: /nginx-ready + port: readiness-port + initialDelaySeconds: 0 + periodSeconds: 1 + resources: + requests: + cpu: 100m + memory: 128Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - NET_BIND_SERVICE + drop: + - ALL + readOnlyRootFilesystem: false + runAsNonRoot: true + runAsUser: 101 + dnsPolicy: ClusterFirst + hostNetwork: false + securityContext: + seccompProfile: + type: RuntimeDefault + serviceAccountName: nginx-ingress + terminationGracePeriodSeconds: 30 +--- +apiVersion: networking.k8s.io/v1 +kind: IngressClass +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.3.2 + name: nginx +spec: + controller: nginx.org/ingress-controller diff --git a/deploy/nginx-plus/deploy.yaml b/deploy/nginx-plus/deploy.yaml new file mode 100644 index 0000000000..f5833d5af7 --- /dev/null +++ b/deploy/nginx-plus/deploy.yaml 
@@ -0,0 +1,367 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: nginx-ingress +--- +apiVersion: v1 +imagePullSecrets: +- name: nginx-registry-credentials +kind: ServiceAccount +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.3.2 + name: nginx-ingress + namespace: nginx-ingress +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.3.2 + name: nginx-ingress + namespace: nginx-ingress +rules: +- apiGroups: + - "" + resources: + - configmaps + - pods + - secrets + - services + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - namespaces + verbs: + - get +- apiGroups: + - "" + resources: + - pods + verbs: + - update +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch + - list +- apiGroups: + - coordination.k8s.io + resourceNames: + - nginx-ingress-leader + resources: + - leases + verbs: + - get + - update +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - create +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.3.2 + name: nginx-ingress +rules: +- apiGroups: + - "" + resources: + - configmaps + - namespaces + - pods + - secrets + - services + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch + - list +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - list + - watch +- apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - get + - list + - watch +- apiGroups: + - networking.k8s.io + resources: + - ingresses + verbs: + - get + - list + - watch +- apiGroups: + - networking.k8s.io + resources: + - ingressclasses + verbs: + - 
get +- apiGroups: + - networking.k8s.io + resources: + - ingresses/status + verbs: + - update +- apiGroups: + - k8s.nginx.org + resources: + - virtualservers + - virtualserverroutes + - globalconfigurations + - transportservers + - policies + verbs: + - list + - watch + - get +- apiGroups: + - k8s.nginx.org + resources: + - virtualservers/status + - virtualserverroutes/status + - policies/status + - transportservers/status + verbs: + - update +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.3.2 + name: nginx-ingress + namespace: nginx-ingress +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: nginx-ingress +subjects: +- kind: ServiceAccount + name: nginx-ingress + namespace: nginx-ingress +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.3.2 + name: nginx-ingress +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: nginx-ingress +subjects: +- kind: ServiceAccount + name: nginx-ingress + namespace: nginx-ingress +--- +apiVersion: v1 +data: null +kind: ConfigMap +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.3.2 + name: nginx-ingress + namespace: nginx-ingress +--- +apiVersion: v1 +kind: ConfigMap +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.3.2 + name: nginx-ingress-leader + namespace: nginx-ingress +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.3.2 + name: nginx-ingress-controller + namespace: nginx-ingress +spec: + 
externalTrafficPolicy: Local + ports: + - name: http + port: 80 + protocol: TCP + targetPort: 80 + - name: https + port: 443 + protocol: TCP + targetPort: 443 + selector: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + type: LoadBalancer +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.3.2 + name: nginx-ingress-controller + namespace: nginx-ingress +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + template: + metadata: + annotations: + prometheus.io/port: "9113" + prometheus.io/scheme: http + prometheus.io/scrape: "true" + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + spec: + automountServiceAccountToken: true + containers: + - args: + - -nginx-plus=true + - -nginx-reload-timeout=60000 + - -enable-app-protect=false + - -enable-app-protect-dos=false + - -nginx-configmaps=$(POD_NAMESPACE)/nginx-ingress + - -ingress-class=nginx + - -health-status=false + - -health-status-uri=/nginx-health + - -nginx-debug=false + - -v=1 + - -nginx-status=true + - -nginx-status-port=8080 + - -nginx-status-allow-cidrs=127.0.0.1 + - -report-ingress-status + - -external-service=nginx-ingress-controller + - -enable-leader-election=true + - -leader-election-lock-name=nginx-ingress-leader + - -enable-prometheus-metrics=true + - -prometheus-metrics-listen-port=9113 + - -prometheus-tls-secret= + - -enable-service-insight=false + - -service-insight-listen-port=9114 + - -service-insight-tls-secret= + - -enable-custom-resources=true + - -enable-snippets=false + - -include-year=false + - -disable-ipv6=false + - -enable-tls-passthrough=false + - -enable-preview-policies= + - -enable-cert-manager=false + - -enable-oidc=false + - -enable-external-dns=false + - -default-http-listener-port=80 + - 
-default-https-listener-port=443 + - -ready-status=true + - -ready-status-port=8081 + - -enable-latency-metrics=false + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + image: private-registry.nginx.com/nginx-ic/nginx-plus-ingress:3.3.2 + imagePullPolicy: IfNotPresent + name: nginx-ingress + ports: + - containerPort: 80 + name: http + protocol: TCP + - containerPort: 443 + name: https + protocol: TCP + - containerPort: 9113 + name: prometheus + - containerPort: 8081 + name: readiness-port + readinessProbe: + httpGet: + path: /nginx-ready + port: readiness-port + initialDelaySeconds: 0 + periodSeconds: 1 + resources: + requests: + cpu: 100m + memory: 128Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - NET_BIND_SERVICE + drop: + - ALL + readOnlyRootFilesystem: false + runAsNonRoot: true + runAsUser: 101 + dnsPolicy: ClusterFirst + hostNetwork: false + securityContext: + seccompProfile: + type: RuntimeDefault + serviceAccountName: nginx-ingress + terminationGracePeriodSeconds: 30 +--- +apiVersion: networking.k8s.io/v1 +kind: IngressClass +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.3.2 + name: nginx +spec: + controller: nginx.org/ingress-controller diff --git a/deploy/nodeport/deploy.yaml b/deploy/nodeport/deploy.yaml new file mode 100644 index 0000000000..df1b3adcc7 --- /dev/null +++ b/deploy/nodeport/deploy.yaml 
@@ -0,0 +1,366 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: nginx-ingress +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.3.2 + name: nginx-ingress + namespace: nginx-ingress +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.3.2 + name: nginx-ingress + namespace: nginx-ingress +rules: +- apiGroups: + - "" + resources: + - configmaps + - pods + - secrets + - services + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - namespaces + verbs: + - get +- apiGroups: + - "" + resources: + - pods + verbs: + - update +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch + - list +- apiGroups: + - coordination.k8s.io + resourceNames: + - nginx-ingress-leader + resources: + - leases + verbs: + - get + - update +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - create +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.3.2 + name: nginx-ingress +rules: +- apiGroups: + - "" + resources: + - configmaps + - namespaces + - pods + - secrets + - services + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch + - list +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - list + - watch +- apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - get + - list + - watch +- apiGroups: + - networking.k8s.io + resources: + - ingresses + verbs: + - get + - list + - watch +- apiGroups: + - networking.k8s.io + resources: + - ingressclasses + verbs: + - get +- apiGroups: + - networking.k8s.io + resources: + 
- ingresses/status + verbs: + - update +- apiGroups: + - k8s.nginx.org + resources: + - virtualservers + - virtualserverroutes + - globalconfigurations + - transportservers + - policies + verbs: + - list + - watch + - get +- apiGroups: + - k8s.nginx.org + resources: + - virtualservers/status + - virtualserverroutes/status + - policies/status + - transportservers/status + verbs: + - update +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.3.2 + name: nginx-ingress + namespace: nginx-ingress +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: nginx-ingress +subjects: +- kind: ServiceAccount + name: nginx-ingress + namespace: nginx-ingress +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.3.2 + name: nginx-ingress +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: nginx-ingress +subjects: +- kind: ServiceAccount + name: nginx-ingress + namespace: nginx-ingress +--- +apiVersion: v1 +data: null +kind: ConfigMap +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.3.2 + name: nginx-ingress + namespace: nginx-ingress +--- +apiVersion: v1 +kind: ConfigMap +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.3.2 + name: nginx-ingress-leader + namespace: nginx-ingress +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.3.2 + name: nginx-ingress-controller + namespace: nginx-ingress +spec: + externalTrafficPolicy: Local + ports: + - name: http + 
nodePort: null + port: 80 + protocol: TCP + targetPort: 80 + - name: https + nodePort: null + port: 443 + protocol: TCP + targetPort: 443 + selector: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + type: NodePort +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.3.2 + name: nginx-ingress-controller + namespace: nginx-ingress +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + template: + metadata: + annotations: + prometheus.io/port: "9113" + prometheus.io/scheme: http + prometheus.io/scrape: "true" + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + spec: + automountServiceAccountToken: true + containers: + - args: + - -nginx-plus=false + - -nginx-reload-timeout=60000 + - -enable-app-protect=false + - -enable-app-protect-dos=false + - -nginx-configmaps=$(POD_NAMESPACE)/nginx-ingress + - -ingress-class=nginx + - -health-status=false + - -health-status-uri=/nginx-health + - -nginx-debug=false + - -v=1 + - -nginx-status=true + - -nginx-status-port=8080 + - -nginx-status-allow-cidrs=127.0.0.1 + - -report-ingress-status + - -enable-leader-election=true + - -leader-election-lock-name=nginx-ingress-leader + - -enable-prometheus-metrics=true + - -prometheus-metrics-listen-port=9113 + - -prometheus-tls-secret= + - -enable-service-insight=false + - -service-insight-listen-port=9114 + - -service-insight-tls-secret= + - -enable-custom-resources=true + - -enable-snippets=false + - -include-year=false + - -disable-ipv6=false + - -enable-tls-passthrough=false + - -enable-preview-policies= + - -enable-cert-manager=false + - -enable-oidc=false + - -enable-external-dns=false + - -default-http-listener-port=80 + - -default-https-listener-port=443 + - -ready-status=true + - 
-ready-status-port=8081 + - -enable-latency-metrics=false + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + image: nginx/nginx-ingress:3.3.2 + imagePullPolicy: IfNotPresent + name: nginx-ingress + ports: + - containerPort: 80 + name: http + protocol: TCP + - containerPort: 443 + name: https + protocol: TCP + - containerPort: 9113 + name: prometheus + - containerPort: 8081 + name: readiness-port + readinessProbe: + httpGet: + path: /nginx-ready + port: readiness-port + initialDelaySeconds: 0 + periodSeconds: 1 + resources: + requests: + cpu: 100m + memory: 128Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - NET_BIND_SERVICE + drop: + - ALL + readOnlyRootFilesystem: false + runAsNonRoot: true + runAsUser: 101 + dnsPolicy: ClusterFirst + hostNetwork: false + securityContext: + seccompProfile: + type: RuntimeDefault + serviceAccountName: nginx-ingress + terminationGracePeriodSeconds: 30 +--- +apiVersion: networking.k8s.io/v1 +kind: IngressClass +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.3.2 + name: nginx +spec: + controller: nginx.org/ingress-controller diff --git a/deploy/oidc/deploy.yaml b/deploy/oidc/deploy.yaml new file mode 100644 index 0000000000..f3038348ca --- /dev/null +++ b/deploy/oidc/deploy.yaml 
@@ -0,0 +1,367 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: nginx-ingress +--- +apiVersion: v1 +imagePullSecrets: +- name: nginx-registry-credentials +kind: ServiceAccount +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.3.2 + name: nginx-ingress + namespace: nginx-ingress +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.3.2 + name: nginx-ingress + namespace: nginx-ingress +rules: +- apiGroups: + - "" + resources: + - configmaps + - pods + - secrets + - services + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - namespaces + verbs: + - get +- apiGroups: + - "" + resources: + - pods + verbs: + - update +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch + - list +- apiGroups: + - coordination.k8s.io + resourceNames: + - nginx-ingress-leader + resources: + - leases + verbs: + - get + - update +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - create +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.3.2 + name: nginx-ingress +rules: +- apiGroups: + - "" + resources: + - configmaps + - namespaces + - pods + - secrets + - services + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch + - list +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - list + - watch +- apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - get + - list + - watch +- apiGroups: + - networking.k8s.io + resources: + - ingresses + verbs: + - get + - list + - watch +- apiGroups: + - networking.k8s.io + resources: + - ingressclasses + verbs: + - 
get +- apiGroups: + - networking.k8s.io + resources: + - ingresses/status + verbs: + - update +- apiGroups: + - k8s.nginx.org + resources: + - virtualservers + - virtualserverroutes + - globalconfigurations + - transportservers + - policies + verbs: + - list + - watch + - get +- apiGroups: + - k8s.nginx.org + resources: + - virtualservers/status + - virtualserverroutes/status + - policies/status + - transportservers/status + verbs: + - update +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.3.2 + name: nginx-ingress + namespace: nginx-ingress +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: nginx-ingress +subjects: +- kind: ServiceAccount + name: nginx-ingress + namespace: nginx-ingress +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.3.2 + name: nginx-ingress +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: nginx-ingress +subjects: +- kind: ServiceAccount + name: nginx-ingress + namespace: nginx-ingress +--- +apiVersion: v1 +data: null +kind: ConfigMap +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.3.2 + name: nginx-ingress + namespace: nginx-ingress +--- +apiVersion: v1 +kind: ConfigMap +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.3.2 + name: nginx-ingress-leader + namespace: nginx-ingress +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.3.2 + name: nginx-ingress-controller + namespace: nginx-ingress +spec: + 
externalTrafficPolicy: Local + ports: + - name: http + port: 80 + protocol: TCP + targetPort: 80 + - name: https + port: 443 + protocol: TCP + targetPort: 443 + selector: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + type: LoadBalancer +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.3.2 + name: nginx-ingress-controller + namespace: nginx-ingress +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + template: + metadata: + annotations: + prometheus.io/port: "9113" + prometheus.io/scheme: http + prometheus.io/scrape: "true" + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + spec: + automountServiceAccountToken: true + containers: + - args: + - -nginx-plus=true + - -nginx-reload-timeout=60000 + - -enable-app-protect=false + - -enable-app-protect-dos=false + - -nginx-configmaps=$(POD_NAMESPACE)/nginx-ingress + - -ingress-class=nginx + - -health-status=false + - -health-status-uri=/nginx-health + - -nginx-debug=false + - -v=1 + - -nginx-status=true + - -nginx-status-port=8080 + - -nginx-status-allow-cidrs=127.0.0.1 + - -report-ingress-status + - -external-service=nginx-ingress-controller + - -enable-leader-election=true + - -leader-election-lock-name=nginx-ingress-leader + - -enable-prometheus-metrics=true + - -prometheus-metrics-listen-port=9113 + - -prometheus-tls-secret= + - -enable-service-insight=false + - -service-insight-listen-port=9114 + - -service-insight-tls-secret= + - -enable-custom-resources=true + - -enable-snippets=false + - -include-year=false + - -disable-ipv6=false + - -enable-tls-passthrough=false + - -enable-preview-policies= + - -enable-cert-manager=false + - -enable-oidc=true + - -enable-external-dns=false + - -default-http-listener-port=80 + - 
-default-https-listener-port=443 + - -ready-status=true + - -ready-status-port=8081 + - -enable-latency-metrics=false + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + image: private-registry.nginx.com/nginx-ic/nginx-plus-ingress:3.3.2 + imagePullPolicy: IfNotPresent + name: nginx-ingress + ports: + - containerPort: 80 + name: http + protocol: TCP + - containerPort: 443 + name: https + protocol: TCP + - containerPort: 9113 + name: prometheus + - containerPort: 8081 + name: readiness-port + readinessProbe: + httpGet: + path: /nginx-ready + port: readiness-port + initialDelaySeconds: 0 + periodSeconds: 1 + resources: + requests: + cpu: 100m + memory: 128Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - NET_BIND_SERVICE + drop: + - ALL + readOnlyRootFilesystem: false + runAsNonRoot: true + runAsUser: 101 + dnsPolicy: ClusterFirst + hostNetwork: false + securityContext: + seccompProfile: + type: RuntimeDefault + serviceAccountName: nginx-ingress + terminationGracePeriodSeconds: 30 +--- +apiVersion: networking.k8s.io/v1 +kind: IngressClass +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.3.2 + name: nginx +spec: + controller: nginx.org/ingress-controller diff --git a/deploy/openservicemesh/deploy.yaml b/deploy/openservicemesh/deploy.yaml new file mode 100644 index 0000000000..ab2036ff22 --- /dev/null +++ b/deploy/openservicemesh/deploy.yaml 
@@ -0,0 +1,366 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: nginx-ingress +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.3.2 + name: nginx-ingress + namespace: nginx-ingress +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.3.2 + name: nginx-ingress + namespace: nginx-ingress +rules: +- apiGroups: + - "" + resources: + - configmaps + - pods + - secrets + - services + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - namespaces + verbs: + - get +- apiGroups: + - "" + resources: + - pods + verbs: + - update +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch + - list +- apiGroups: + - coordination.k8s.io + resourceNames: + - nginx-ingress-leader + resources: + - leases + verbs: + - get + - update +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - create +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.3.2 + name: nginx-ingress +rules: +- apiGroups: + - "" + resources: + - configmaps + - namespaces + - pods + - secrets + - services + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch + - list +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - list + - watch +- apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - get + - list + - watch +- apiGroups: + - networking.k8s.io + resources: + - ingresses + verbs: + - get + - list + - watch +- apiGroups: + - networking.k8s.io + resources: + - ingressclasses + verbs: + - get +- apiGroups: + - networking.k8s.io + resources: + 
- ingresses/status + verbs: + - update +- apiGroups: + - k8s.nginx.org + resources: + - virtualservers + - virtualserverroutes + - globalconfigurations + - transportservers + - policies + verbs: + - list + - watch + - get +- apiGroups: + - k8s.nginx.org + resources: + - virtualservers/status + - virtualserverroutes/status + - policies/status + - transportservers/status + verbs: + - update +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.3.2 + name: nginx-ingress + namespace: nginx-ingress +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: nginx-ingress +subjects: +- kind: ServiceAccount + name: nginx-ingress + namespace: nginx-ingress +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.3.2 + name: nginx-ingress +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: nginx-ingress +subjects: +- kind: ServiceAccount + name: nginx-ingress + namespace: nginx-ingress +--- +apiVersion: v1 +data: null +kind: ConfigMap +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.3.2 + name: nginx-ingress + namespace: nginx-ingress +--- +apiVersion: v1 +kind: ConfigMap +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.3.2 + name: nginx-ingress-leader + namespace: nginx-ingress +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.3.2 + name: nginx-ingress-controller + namespace: nginx-ingress +spec: + externalTrafficPolicy: Local + ports: + - name: http + 
port: 80 + protocol: TCP + targetPort: 80 + - name: https + port: 443 + protocol: TCP + targetPort: 443 + selector: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + type: LoadBalancer +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.3.2 + name: nginx-ingress-controller + namespace: nginx-ingress +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + template: + metadata: + annotations: + openservicemesh.io/inbound-port-exclusion-list: 80, 443 + prometheus.io/port: "9113" + prometheus.io/scheme: http + prometheus.io/scrape: "true" + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + spec: + automountServiceAccountToken: true + containers: + - args: + - -nginx-plus=false + - -nginx-reload-timeout=60000 + - -enable-app-protect=false + - -enable-app-protect-dos=false + - -nginx-configmaps=$(POD_NAMESPACE)/nginx-ingress + - -ingress-class=nginx + - -health-status=false + - -health-status-uri=/nginx-health + - -nginx-debug=false + - -v=1 + - -nginx-status=true + - -nginx-status-port=8080 + - -nginx-status-allow-cidrs=127.0.0.1 + - -report-ingress-status + - -external-service=nginx-ingress-controller + - -enable-leader-election=true + - -leader-election-lock-name=nginx-ingress-leader + - -enable-prometheus-metrics=true + - -prometheus-metrics-listen-port=9113 + - -prometheus-tls-secret= + - -enable-service-insight=false + - -service-insight-listen-port=9114 + - -service-insight-tls-secret= + - -enable-custom-resources=true + - -enable-snippets=false + - -include-year=false + - -disable-ipv6=false + - -enable-tls-passthrough=false + - -enable-preview-policies= + - -enable-cert-manager=false + - -enable-oidc=false + - -enable-external-dns=false + - -default-http-listener-port=80 + - 
-default-https-listener-port=443 + - -ready-status=true + - -ready-status-port=8081 + - -enable-latency-metrics=false + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + image: nginx/nginx-ingress:3.3.2 + imagePullPolicy: IfNotPresent + name: nginx-ingress + ports: + - containerPort: 80 + name: http + protocol: TCP + - containerPort: 443 + name: https + protocol: TCP + - containerPort: 9113 + name: prometheus + - containerPort: 8081 + name: readiness-port + readinessProbe: + httpGet: + path: /nginx-ready + port: readiness-port + initialDelaySeconds: 0 + periodSeconds: 1 + resources: + requests: + cpu: 100m + memory: 128Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - NET_BIND_SERVICE + drop: + - ALL + readOnlyRootFilesystem: false + runAsNonRoot: true + runAsUser: 101 + dnsPolicy: ClusterFirst + hostNetwork: false + securityContext: + seccompProfile: + type: RuntimeDefault + serviceAccountName: nginx-ingress + terminationGracePeriodSeconds: 30 +--- +apiVersion: networking.k8s.io/v1 +kind: IngressClass +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.3.2 + name: nginx +spec: + controller: nginx.org/ingress-controller diff --git a/deploy/read-only-fs/deploy.yaml b/deploy/read-only-fs/deploy.yaml new file mode 100644 index 0000000000..81a55228af --- /dev/null +++ b/deploy/read-only-fs/deploy.yaml 
@@ -0,0 +1,375 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: nginx-ingress +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.3.2 + name: nginx-ingress + namespace: nginx-ingress +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.3.2 + name: nginx-ingress + namespace: nginx-ingress +rules: +- apiGroups: + - "" + resources: + - configmaps + - pods + - secrets + - services + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - namespaces + verbs: + - get +- apiGroups: + - "" + resources: + - pods + verbs: + - update +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch + - list +- apiGroups: + - coordination.k8s.io + resourceNames: + - nginx-ingress-leader + resources: + - leases + verbs: + - get + - update +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - create +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.3.2 + name: nginx-ingress +rules: +- apiGroups: + - "" + resources: + - configmaps + - namespaces + - pods + - secrets + - services + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch + - list +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - list + - watch +- apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - get + - list + - watch +- apiGroups: + - networking.k8s.io + resources: + - ingresses + verbs: + - get + - list + - watch +- apiGroups: + - networking.k8s.io + resources: + - ingressclasses + verbs: + - get +- apiGroups: + - networking.k8s.io + resources: + 
- ingresses/status + verbs: + - update +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.3.2 + name: nginx-ingress + namespace: nginx-ingress +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: nginx-ingress +subjects: +- kind: ServiceAccount + name: nginx-ingress + namespace: nginx-ingress +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.3.2 + name: nginx-ingress +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: nginx-ingress +subjects: +- kind: ServiceAccount + name: nginx-ingress + namespace: nginx-ingress +--- +apiVersion: v1 +data: null +kind: ConfigMap +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.3.2 + name: nginx-ingress + namespace: nginx-ingress +--- +apiVersion: v1 +kind: ConfigMap +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.3.2 + name: nginx-ingress-leader + namespace: nginx-ingress +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/version: 3.3.2 + name: nginx-ingress-controller + namespace: nginx-ingress +spec: + externalTrafficPolicy: Local + ports: + - name: http + port: 80 + protocol: TCP + targetPort: 80 + - name: https + port: 443 + protocol: TCP + targetPort: 443 + selector: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + type: LoadBalancer +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: 
nginx-ingress
+ app.kubernetes.io/version: 3.3.2
+ name: nginx-ingress-controller
+ namespace: nginx-ingress
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app.kubernetes.io/instance: nginx-ingress
+ app.kubernetes.io/name: nginx-ingress
+ template:
+ metadata:
+ annotations:
+ prometheus.io/port: "9113"
+ prometheus.io/scheme: http
+ prometheus.io/scrape: "true"
+ labels:
+ app.kubernetes.io/instance: nginx-ingress
+ app.kubernetes.io/name: nginx-ingress
+ spec:
+ automountServiceAccountToken: true
+ containers:
+ - args:
+ - -nginx-plus=false
+ - -nginx-reload-timeout=60000
+ - -enable-app-protect=false
+ - -enable-app-protect-dos=false
+ - -nginx-configmaps=$(POD_NAMESPACE)/nginx-ingress
+ - -ingress-class=nginx
+ - -health-status=false
+ - -health-status-uri=/nginx-health
+ - -nginx-debug=false
+ - -v=1
+ - -nginx-status=true
+ - -nginx-status-port=8080
+ - -nginx-status-allow-cidrs=127.0.0.1
+ - -report-ingress-status
+ - -external-service=nginx-ingress-controller
+ - -enable-leader-election=true
+ - -leader-election-lock-name=nginx-ingress-leader
+ - -enable-prometheus-metrics=true
+ - -prometheus-metrics-listen-port=9113
+ - -prometheus-tls-secret=
+ - -enable-service-insight=false
+ - -service-insight-listen-port=9114
+ - -service-insight-tls-secret=
+ - -enable-custom-resources=false
+ - -enable-snippets=false
+ - -include-year=false
+ - -disable-ipv6=false
+ - -ready-status=true
+ - -ready-status-port=8081
+ - -enable-latency-metrics=false
+ env:
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.name
+ image: nginx/nginx-ingress:3.3.2
+ imagePullPolicy: IfNotPresent
+ name: nginx-ingress
+ ports:
+ - containerPort: 80
+ name: http
+ protocol: TCP
+ - containerPort: 443
+ name: https
+ protocol: TCP
+ - containerPort: 9113
+ name: prometheus
+ - containerPort: 8081
+ name: readiness-port
+ readinessProbe:
+ httpGet:
+ path: /nginx-ready
+ port: readiness-port
+ initialDelaySeconds: 0
+ periodSeconds: 1
+ resources:
+ requests:
+ cpu: 100m
+ memory: 128Mi
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ add:
+ - NET_BIND_SERVICE
+ drop:
+ - ALL
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ runAsUser: 101
+ volumeMounts:
+ - mountPath: /etc/nginx
+ name: nginx-etc
+ - mountPath: /var/cache/nginx
+ name: nginx-cache
+ - mountPath: /var/lib/nginx
+ name: nginx-lib
+ - mountPath: /var/log/nginx
+ name: nginx-log
+ dnsPolicy: ClusterFirst
+ hostNetwork: false
+ initContainers:
+ - command:
+ - cp
+ - -vdR
+ - /etc/nginx/.
+ - /mnt/etc
+ image: nginx/nginx-ingress:3.3.2
+ imagePullPolicy: IfNotPresent
+ name: init-nginx-ingress
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ runAsUser: 101
+ volumeMounts:
+ - mountPath: /mnt/etc
+ name: nginx-etc
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault
+ serviceAccountName: nginx-ingress
+ terminationGracePeriodSeconds: 30
+ volumes:
+ - emptyDir: {}
+ name: nginx-etc
+ - emptyDir: {}
+ name: nginx-cache
+ - emptyDir: {}
+ name: nginx-lib
+ - emptyDir: {}
+ name: nginx-log
+---
+apiVersion: networking.k8s.io/v1
+kind: IngressClass
+metadata:
+ labels:
+ app.kubernetes.io/instance: nginx-ingress
+ app.kubernetes.io/name: nginx-ingress
+ app.kubernetes.io/version: 3.3.2
+ name: nginx
+spec:
+ controller: nginx.org/ingress-controller
diff --git a/deploy/service-insight/deploy.yaml b/deploy/service-insight/deploy.yaml
new file mode 100644
index 0000000000..64aa25a8ec
--- /dev/null
+++ b/deploy/service-insight/deploy.yaml
@@ -0,0 +1,365 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: nginx-ingress
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ labels:
+ app.kubernetes.io/instance: nginx-ingress
+ app.kubernetes.io/name: nginx-ingress
+ app.kubernetes.io/version: 3.3.2
+ name: nginx-ingress
+ namespace: nginx-ingress
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ labels:
+ app.kubernetes.io/instance: nginx-ingress
+ app.kubernetes.io/name: nginx-ingress
+ app.kubernetes.io/version: 3.3.2
+ name: nginx-ingress
+ namespace: nginx-ingress
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - configmaps
+ - pods
+ - secrets
+ - services
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - ""
+ resources:
+ - namespaces
+ verbs:
+ - get
+- apiGroups:
+ - ""
+ resources:
+ - pods
+ verbs:
+ - update
+- apiGroups:
+ - ""
+ resources:
+ - events
+ verbs:
+ - create
+ - patch
+ - list
+- apiGroups:
+ - coordination.k8s.io
+ resourceNames:
+ - nginx-ingress-leader
+ resources:
+ - leases
+ verbs:
+ - get
+ - update
+- apiGroups:
+ - coordination.k8s.io
+ resources:
+ - leases
+ verbs:
+ - create
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ labels:
+ app.kubernetes.io/instance: nginx-ingress
+ app.kubernetes.io/name: nginx-ingress
+ app.kubernetes.io/version: 3.3.2
+ name: nginx-ingress
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - configmaps
+ - namespaces
+ - pods
+ - secrets
+ - services
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - ""
+ resources:
+ - events
+ verbs:
+ - create
+ - patch
+ - list
+- apiGroups:
+ - coordination.k8s.io
+ resources:
+ - leases
+ verbs:
+ - list
+ - watch
+- apiGroups:
+ - discovery.k8s.io
+ resources:
+ - endpointslices
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - networking.k8s.io
+ resources:
+ - ingresses
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - networking.k8s.io
+ resources:
+ - ingressclasses
+ verbs:
+ - get
+- apiGroups:
+ - networking.k8s.io
+ resources:
+ - ingresses/status
+ verbs:
+ - update
+- apiGroups:
+ - k8s.nginx.org
+ resources:
+ - virtualservers
+ - virtualserverroutes
+ - globalconfigurations
+ - transportservers
+ - policies
+ verbs:
+ - list
+ - watch
+ - get
+- apiGroups:
+ - k8s.nginx.org
+ resources:
+ - virtualservers/status
+ - virtualserverroutes/status
+ - policies/status
+ - transportservers/status
+ verbs:
+ - update
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ labels:
+ app.kubernetes.io/instance: nginx-ingress
+ app.kubernetes.io/name: nginx-ingress
+ app.kubernetes.io/version: 3.3.2
+ name: nginx-ingress
+ namespace: nginx-ingress
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: nginx-ingress
+subjects:
+- kind: ServiceAccount
+ name: nginx-ingress
+ namespace: nginx-ingress
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ labels:
+ app.kubernetes.io/instance: nginx-ingress
+ app.kubernetes.io/name: nginx-ingress
+ app.kubernetes.io/version: 3.3.2
+ name: nginx-ingress
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: nginx-ingress
+subjects:
+- kind: ServiceAccount
+ name: nginx-ingress
+ namespace: nginx-ingress
+---
+apiVersion: v1
+data: null
+kind: ConfigMap
+metadata:
+ labels:
+ app.kubernetes.io/instance: nginx-ingress
+ app.kubernetes.io/name: nginx-ingress
+ app.kubernetes.io/version: 3.3.2
+ name: nginx-ingress
+ namespace: nginx-ingress
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ labels:
+ app.kubernetes.io/instance: nginx-ingress
+ app.kubernetes.io/name: nginx-ingress
+ app.kubernetes.io/version: 3.3.2
+ name: nginx-ingress-leader
+ namespace: nginx-ingress
+---
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ app.kubernetes.io/instance: nginx-ingress
+ app.kubernetes.io/name: nginx-ingress
+ app.kubernetes.io/version: 3.3.2
+ name: nginx-ingress-controller
+ namespace: nginx-ingress
+spec:
+ externalTrafficPolicy: Local
+ ports:
+ - name: http
+ port: 80
+ protocol: TCP
+ targetPort: 80
+ - name: https
+ port: 443
+ protocol: TCP
+ targetPort: 443
+ selector:
+ app.kubernetes.io/instance: nginx-ingress
+ app.kubernetes.io/name: nginx-ingress
+ type: LoadBalancer
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ app.kubernetes.io/instance: nginx-ingress
+ app.kubernetes.io/name: nginx-ingress
+ app.kubernetes.io/version: 3.3.2
+ name: nginx-ingress-controller
+ namespace: nginx-ingress
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app.kubernetes.io/instance: nginx-ingress
+ app.kubernetes.io/name: nginx-ingress
+ template:
+ metadata:
+ annotations:
+ prometheus.io/port: "9113"
+ prometheus.io/scheme: http
+ prometheus.io/scrape: "true"
+ labels:
+ app.kubernetes.io/instance: nginx-ingress
+ app.kubernetes.io/name: nginx-ingress
+ spec:
+ automountServiceAccountToken: true
+ containers:
+ - args:
+ - -nginx-plus=true
+ - -nginx-reload-timeout=60000
+ - -enable-app-protect=false
+ - -enable-app-protect-dos=false
+ - -nginx-configmaps=$(POD_NAMESPACE)/nginx-ingress
+ - -ingress-class=nginx
+ - -health-status=false
+ - -health-status-uri=/nginx-health
+ - -nginx-debug=false
+ - -v=1
+ - -nginx-status=true
+ - -nginx-status-port=8080
+ - -nginx-status-allow-cidrs=127.0.0.1
+ - -report-ingress-status
+ - -external-service=nginx-ingress-controller
+ - -enable-leader-election=true
+ - -leader-election-lock-name=nginx-ingress-leader
+ - -enable-prometheus-metrics=true
+ - -prometheus-metrics-listen-port=9113
+ - -prometheus-tls-secret=
+ - -enable-service-insight=false
+ - -service-insight-listen-port=9114
+ - -service-insight-tls-secret=
+ - -enable-custom-resources=true
+ - -enable-snippets=false
+ - -include-year=false
+ - -disable-ipv6=false
+ - -enable-tls-passthrough=false
+ - -enable-preview-policies=
+ - -enable-cert-manager=false
+ - -enable-oidc=false
+ - -enable-external-dns=false
+ - -default-http-listener-port=80
+ - -default-https-listener-port=443
+ - -ready-status=true
+ - -ready-status-port=8081
+ - -enable-latency-metrics=false
+ env:
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.name
+ image: nginx/nginx-ingress:3.3.2
+ imagePullPolicy: IfNotPresent
+ name: nginx-ingress
+ ports:
+ - containerPort: 80
+ name: http
+ protocol: TCP
+ - containerPort: 443
+ name: https
+ protocol: TCP
+ - containerPort: 9113
+ name: prometheus
+ - containerPort: 8081
+ name: readiness-port
+ readinessProbe:
+ httpGet:
+ path: /nginx-ready
+ port: readiness-port
+ initialDelaySeconds: 0
+ periodSeconds: 1
+ resources:
+ requests:
+ cpu: 100m
+ memory: 128Mi
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ add:
+ - NET_BIND_SERVICE
+ drop:
+ - ALL
+ readOnlyRootFilesystem: false
+ runAsNonRoot: true
+ runAsUser: 101
+ dnsPolicy: ClusterFirst
+ hostNetwork: false
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault
+ serviceAccountName: nginx-ingress
+ terminationGracePeriodSeconds: 30
+---
+apiVersion: networking.k8s.io/v1
+kind: IngressClass
+metadata:
+ labels:
+ app.kubernetes.io/instance: nginx-ingress
+ app.kubernetes.io/name: nginx-ingress
+ app.kubernetes.io/version: 3.3.2
+ name: nginx
+spec:
+ controller: nginx.org/ingress-controller
diff --git a/deployments/service/loadbalancer-aws-elb.yaml b/deployments/service/loadbalancer-aws-elb.yaml
deleted file mode 100644
index ee66f46244..0000000000
--- a/deployments/service/loadbalancer-aws-elb.yaml
+++ /dev/null
@@ -1,21 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
- name: nginx-ingress
- namespace: nginx-ingress
- annotations:
- service.beta.kubernetes.io/aws-load-balancer-type: "nlb"
- service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: "ip"
-spec:
- type: LoadBalancer
- ports:
- - port: 80
- targetPort: 80
- protocol: TCP
- name: http
- - port: 443
- targetPort: 443
- protocol: TCP
- name: https
- selector:
- app: nginx-ingress
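Review bot: The service-insight variant never switches the feature on: the Deployment's container args still carry `- -enable-service-insight=false` and the ports list exposes 80/443/9113/8081 but no entry for the 9114 listener named in `- -service-insight-listen-port=9114`, so this file behaves like the default deployment under a different path, while the installation-with-manifests.md hunk in this same patch describes it as "Deploys NGINX Ingress Controller with Service Insight enabled". The flag should read `- -enable-service-insight=true`, and a `containerPort` for 9114 should sit beside the prometheus entry; presumably the Helm values intended for this variant were not applied when the file was rendered, so a render-and-diff check in CI against the chart would catch this class of drift. The same container pairs `- -nginx-plus=true` with `image: nginx/nginx-ingress:3.3.2`, the open-source image, and declares no `imagePullSecrets`; confirm which image this variant is meant to pull, since the two settings cannot both be right. Leaving `- -service-insight-tls-secret=` empty means the 9114 listener, once enabled, would serve plaintext in the same way the 9113 metrics listener does with `- -prometheus-tls-secret=`; if either is meant to be reachable beyond the pod network a TLS secret should be set, otherwise keep them cluster-internal.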
diff --git a/deployments/service/loadbalancer.yaml b/deployments/service/loadbalancer.yaml
deleted file mode 100644
index d27ca5bc6a..0000000000
--- a/deployments/service/loadbalancer.yaml
+++ /dev/null
@@ -1,19 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
- name: nginx-ingress
- namespace: nginx-ingress
-spec:
- externalTrafficPolicy: Local
- type: LoadBalancer
- ports:
- - port: 80
- targetPort: 80
- protocol: TCP
- name: http
- - port: 443
- targetPort: 443
- protocol: TCP
- name: https
- selector:
- app: nginx-ingress
diff --git a/deployments/service/nodeport.yaml b/deployments/service/nodeport.yaml
deleted file mode 100644
index f263b66388..0000000000
--- a/deployments/service/nodeport.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
- name: nginx-ingress
- namespace: nginx-ingress
-spec:
- type: NodePort
- ports:
- - port: 80
- targetPort: 80
- protocol: TCP
- name: http
- - port: 443
- targetPort: 443
- protocol: TCP
- name: https
- selector:
- app: nginx-ingress
diff --git a/docs/content/app-protect-dos/installation.md b/docs/content/app-protect-dos/installation.md
index 2b77b0dd34..2bc31daa1e 100644
--- a/docs/content/app-protect-dos/installation.md
+++ b/docs/content/app-protect-dos/installation.md
@@ -13,16 +13,11 @@ This document provides an overview of the steps required to use NGINX App Protec ## Prerequisites -1. Make sure you have access to the Ingress Controller image: - - For NGINX Plus Ingress Controller, see [here](/nginx-ingress-controller/installation/pulling-ingress-controller-image) for details on how to pull the image from the F5 Docker registry. - - To pull from the F5 Container registry in your Kubernetes cluster, configure a docker registry secret using your JWT token from the MyF5 portal by following the instructions from [here](/nginx-ingress-controller/installation/using-the-jwt-token-docker-secret). - - It is also possible to build your own image and push it to your private Docker registry by following the instructions from [here](/nginx-ingress-controller/installation/building-ingress-controller-image). -2. Clone the Ingress Controller repo: +Make sure you have access to the Ingress Controller image: - ``` - git clone https://github.com/nginxinc/kubernetes-ingress.git --branch v3.3.2 - cd kubernetes-ingress/deployments - ``` +- For NGINX Plus Ingress Controller, see [here](/nginx-ingress-controller/installation/pulling-ingress-controller-image) for details on how to pull the image from the F5 Docker registry. +- To pull from the F5 Container registry in your Kubernetes cluster, configure a docker registry secret using your JWT token from the MyF5 portal by following the instructions from [here](/nginx-ingress-controller/installation/using-the-jwt-token-docker-secret). +- It is also possible to build your own image and push it to your private Docker registry by following the instructions from [here](/nginx-ingress-controller/installation/building-ingress-controller-image). ## Install the App Protect DoS Arbitrator diff --git a/docs/content/configuration/security.md b/docs/content/configuration/security.md index 472369b450..ea87930681 100644 --- a/docs/content/configuration/security.md +++ b/docs/content/configuration/security.md 
@@ -22,12 +22,10 @@ In addition, the following relating more specifically to Ingress Controller. The Ingress Controller is deployed within a Kubernetes environment, this environment must be secured. Kubernetes uses [RBAC](https://kubernetes.io/docs/reference/access-authn-authz/rbac/) to control the resources and operations available to different types of users. The Ingress Controller requires a service account which is configured using RBAC. -We strongly recommend using the [RBAC configuration](https://github.com/nginxinc/kubernetes-ingress/blob/main/deployments/rbac/rbac.yaml) provided in our standard deployment configuration. +We strongly recommend using the RBAC configuration provided in our deployment configurations. It is configured with the least amount of privilege required for the Ingress Controller to work. -We strongly recommend inspecting the RBAC configuration (for [manifests installation](https://github.com/nginxinc/kubernetes-ingress/blob/main/deployments/rbac/rbac.yaml) -or for [helm](https://github.com/nginxinc/kubernetes-ingress/blob/main/charts/nginx-ingress/templates/rbac.yaml)) -to understand what access the Ingress Controller service account has and to which resources. +We strongly recommend inspecting the RBAC configuration in the deployment file or Helm chart to understand what access the Ingress Controller service account has and to which resources. For example, by default the service account has access to all Secret resources in the cluster. ### Certificates and Privacy Keys 
@@ -58,58 +56,11 @@ Snippets are disabled by default. To use snippets, set the [`enable-snippets`](/ The F5 Nginx Ingress Controller (NIC) has various protections against attacks, such as running the service as non-root to avoid changes to files. An additional industry best practice is having root filesystems set as read-only so that the attack surface is further reduced by limiting changes to binaries and libraries. -Currently, we do not set read-only root filesystem as default. Instead, this is an opt-in feature available on the [helm-chart](/nginx-ingress-controller/installation/installation-with-helm/#configuration) via `controller.readOnlyRootFilesystem`. -When using manifests instead of Helm, uncomment the following sections of the deployment: +Currently, we do not set read-only root filesystem as default. Instead, this is an opt-in feature available on the [Helm Chart](/nginx-ingress-controller/installation/installation-with-helm/#configuration) +via `controller.readOnlyRootFilesystem`. -- `readOnlyRootFilesystem: true`, -- The entire `volumeMounts` section, -- The entire `initContiners` section, -- For `initContainers:image:`, use exact same image used for regular NIC installation. -Refer to the below code-block for guidance: +If you prefer to use manifests instead of Helm, you can use the following manifest to enable this feature: -``` -# volumes: -# - name: nginx-etc -# emptyDir: {} -# - name: nginx-cache -# emptyDir: {} -# - name: nginx-lib -# emptyDir: {} -# - name: nginx-log -# emptyDir: {} -. -. -. -# readOnlyRootFilesystem: true -. -. -. -# volumeMounts: -# - mountPath: /etc/nginx -# name: nginx-etc -# - mountPath: /var/cache/nginx -# name: nginx-cache -# - mountPath: /var/lib/nginx -# name: nginx-lib -# - mountPath: /var/log/nginx -# name: nginx-log -. -. -. 
-# initContainers: -# - image: : -# imagePullPolicy: IfNotPresent -# name: init-nginx-ingress -# command: ['cp', '-vdR', '/etc/nginx/.', '/mnt/etc'] -# securityContext: -# allowPrivilegeEscalation: false -# readOnlyRootFilesystem: true -# runAsUser: 101 #nginx -# runAsNonRoot: true -# capabilities: -# drop: -# - ALL -# volumeMounts: -# - mountPath: /mnt/etc -# name: nginx-etc +```shell +kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.3.2/deploy/read-only-fs/deploy.yaml ``` diff --git a/docs/content/installation/installation-with-helm.md b/docs/content/installation/installation-with-helm.md index 6407301529..7477e9c628 100644 --- a/docs/content/installation/installation-with-helm.md +++ b/docs/content/installation/installation-with-helm.md @@ -1,7 +1,7 @@ --- title: Installation with Helm description: This document describes how to install the NGINX Ingress Controller in your Kubernetes cluster using Helm. -weight: 1900 +weight: 1800 doctypes: [""] toc: true docs: "DOCS-602" diff --git a/docs/content/installation/installation-with-manifests.md b/docs/content/installation/installation-with-manifests.md index c9554de479..76fde3d037 100644 --- a/docs/content/installation/installation-with-manifests.md +++ b/docs/content/installation/installation-with-manifests.md @@ -1,7 +1,7 @@ --- title: Installation with Manifests description: "This document describes how to install the NGINX Ingress Controller in your Kubernetes cluster using Kubernetes manifests." -weight: 1800 +weight: 1900 doctypes: [""] aliases: - /installation/ 
@@ -11,196 +11,218 @@ docs: "DOCS-603" ## Prerequisites -{{}} All documentation should only be used with the latest stable release, indicated on [the releases page](https://github.com/nginxinc/kubernetes-ingress/releases) of the GitHub repository. {{}} - 1. Make sure you have access to an NGINX Ingress Controller image: - - For NGINX Ingress Controller, use the image `nginx/nginx-ingress` from [DockerHub](https://hub.docker.com/r/nginx/nginx-ingress). - - For NGINX Plus Ingress Controller, see [here](/nginx-ingress-controller/installation/pulling-ingress-controller-image) for details on pulling the image from the F5 Docker registry. - - To pull from the F5 Container registry in your Kubernetes cluster, configure a docker registry secret using your JWT token from the MyF5 portal by following the instructions from [here](/nginx-ingress-controller/installation/using-the-jwt-token-docker-secret). + - For NGINX Ingress Controller, use the images from [DockerHub](https://hub.docker.com/r/nginx/nginx-ingress), + [GitHub Container Registry](https://github.com/nginxinc/kubernetes-ingress/pkgs/container/kubernetes-ingress), + [Amazon ECR Public Gallery](https://gallery.ecr.aws/nginx/nginx-ingress) or + [Quay.io](https://quay.io/repository/nginx/nginx-ingress). + - For NGINX Plus Ingress Controller, see + [here](/nginx-ingress-controller/installation/pulling-ingress-controller-image) for details on pulling the image + from the F5 Docker registry. + - To pull from the F5 Container registry in your Kubernetes cluster, configure a docker registry secret using your + JWT token from the MyF5 portal by following the instructions from + [here](/nginx-ingress-controller/installation/using-the-jwt-token-docker-secret). - You can also build your own image and push it to your private Docker registry by following the instructions from [here](/nginx-ingress-controller/installation/building-ingress-controller-image). -2. 
Clone the NGINX Ingress Controller repository and change into the deployments folder: - - ```shell - git clone https://github.com/nginxinc/kubernetes-ingress.git --branch v3.3.2 - cd kubernetes-ingress/deployments - ``` +2. All the commands in this document directly apply the YAML files from the repository. If you prefer, you can download + the files and modify them according to your requirements. - {{}}The above command will clone the branch of the latest NGINX Ingress Controller release, and all documentation assumes you are using it.{{}} +{{}} To perform some of the following steps you must be a cluster admin. Follow the documentation of your +Kubernetes platform to configure the admin access. For Google Kubernetes Engine, see their [Role-Based Access +Control](https://cloud.google.com/kubernetes-engine/docs/how-to/role-based-access-control) documentation.{{}} --- -## 1. Configure RBAC +## 1. Create Custom Resources -1. Create a namespace and a service account for NGINX Ingress Controller: +{{}} +By default, it is required to create custom resource definitions for VirtualServer, VirtualServerRoute, TransportServer +and Policy. Otherwise, NGINX Ingress Controller pods will not become `Ready`. If you'd like to disable that requirement, +configure +[`-enable-custom-resources`](/nginx-ingress-controller/configuration/global-configuration/command-line-arguments#cmdoption-global-configuration) +command-line argument to `false` and skip this section. +{{}} + +1. 
Create custom resource definitions for [VirtualServer and VirtualServerRoute](/nginx-ingress-controller/configuration/virtualserver-and-virtualserverroute-resources), + [TransportServer](/nginx-ingress-controller/configuration/transportserver-resource), + [Policy](/nginx-ingress-controller/configuration/policy-resource) and + [GlobalConfiguration](/nginx-ingress-controller/configuration/global-configuration/globalconfiguration-resource) + resources: ```shell - kubectl apply -f common/ns-and-sa.yaml + kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.3.2/deploy/crds.yaml ``` -2. Create a cluster role and cluster role binding for the service account: +2. If you would like to use the NGINX App Protect WAF module, you will need to create custom resource definitions for + `APPolicy`, `APLogConf` and `APUserSig`: ```shell - kubectl apply -f rbac/rbac.yaml + kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.3.2/deploy/crds-nap-waf.yaml ``` -3. (App Protect only) Create the App Protect role and role binding: +3. If you would like to use the NGINX App Protect DoS module, you will need to create custom resource definitions for + `APDosPolicy`, `APDosLogConf` and `DosProtectedResource`: ```shell - kubectl apply -f rbac/ap-rbac.yaml + kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.3.2/deploy/crds-nap-dos.yaml ``` -4. (App Protect DoS only) Create the App Protect DoS role and role binding: +--- - ```shell - kubectl apply -f rbac/apdos-rbac.yaml - ``` +## 2. Deploying NGINX Ingress Controller -{{}} To perform this step you must be a cluster admin. Follow the documentation of your Kubernetes platform to configure the admin access. 
For Google Kubernetes Engine, see their [Role-Based Access Control](https://cloud.google.com/kubernetes-engine/docs/how-to/role-based-access-control) documentation.{{}} +The NGINX Ingress Controller repository contains deployment files with all the resources needed in a single file (except +for the CRDs above). You can run the commands as is or or customize them according to your requirements, for example to +update the [command line arguments](/nginx-ingress-controller/configuration/global-configuration/command-line-arguments) +documentation for more details. --- -## 2. Create Common Resources +### 2.1 Running NGINX Ingress Controller -In this section, we create resources common for most of NGINX Ingress Controller installations: -{{}} -Installing the `default-server-secret.yaml` is optional and is required only if you are using the [default server TLS secret](/nginx-ingress-controller/configuration/global-configuration/command-line-arguments#cmdoption-default-server-tls-secret) command line argument. It is recommended that users provide their own certificate. -Otherwise, step 1 can be ignored. -{{}} +There are multiple sample deployment files available in the repository. Choose the one that best suits your needs. -1. Create a secret with a TLS certificate and a key for the default server in NGINX (below assumes you are in the `kubernetes-ingress/deployment` directory): +{{}} - ```console - kubectl apply -f ../examples/shared-examples/default-server-secret/default-server-secret.yaml - ``` +{{%tab name="Deployment"%}} - {{}} The default server returns the Not Found page with the 404 status code for all requests for domains for which there are no Ingress rules defined. For testing purposes we include a self-signed certificate and key that we generated. However, we recommend that you use your own certificate and key. {{}} +This is a default deployment file. It deploys the NGINX Ingress Controller as a Deployment. -1. 
Create a config map for customizing NGINX configuration: +```shell +kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.3.2/deploy/default/deploy.yaml +``` - ```console - kubectl apply -f common/nginx-config.yaml - ``` +{{%/tab%}} -1. Create an IngressClass resource: +{{%tab name="DaemonSet"%}} - ```console - kubectl apply -f common/ingress-class.yaml - ``` +This is a default daemonset file. It deploys the NGINX Ingress Controller as a DaemonSet. - If you would like to set this NGINX Ingress Controller instance as the default, uncomment the annotation `ingressclass.kubernetes.io/is-default-class`. With this annotation set to true all the new Ingresses without an ingressClassName field specified will be assigned this IngressClass. +```shell +kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.3.2/deploy/default/daemonset.yaml +``` - {{}} NGINX Ingress Controller will fail to start without an IngressClass resource. {{}} +{{%/tab%}} ---- +{{%tab name="Azure"%}} -## 3. Create Custom Resources +Deploys NGINX Ingress Controller using a nodeSelector to deploy the controller on Azure nodes. -{{}} -By default, it is required to create custom resource definitions for VirtualServer, VirtualServerRoute, TransportServer and Policy. Otherwise, NGINX Ingress Controller pods will not become `Ready`. If you'd like to disable that requirement, configure [`-enable-custom-resources`](/nginx-ingress-controller/configuration/global-configuration/command-line-arguments#cmdoption-global-configuration) command-line argument to `false` and skip this section. -{{}} +```shell +kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.3.2/deploy/azure/deploy.yaml +``` -1. 
Create custom resource definitions for [VirtualServer and VirtualServerRoute](/nginx-ingress-controller/configuration/virtualserver-and-virtualserverroute-resources), [TransportServer](/nginx-ingress-controller/configuration/transportserver-resource) and [Policy](/nginx-ingress-controller/configuration/policy-resource) resources: +{{%/tab%}} - ```console - kubectl apply -f common/crds/k8s.nginx.org_virtualservers.yaml - kubectl apply -f common/crds/k8s.nginx.org_virtualserverroutes.yaml - kubectl apply -f common/crds/k8s.nginx.org_transportservers.yaml - kubectl apply -f common/crds/k8s.nginx.org_policies.yaml - ``` +{{%tab name="AWS NLB"%}} -2. If you would like to use the TCP and UDP load balancing features, create a custom resource definition for the [GlobalConfiguration](/nginx-ingress-controller/configuration/global-configuration/globalconfiguration-resource) resource: + Deploys NGINX Ingress Controller using a Service type of `LoadBalancer` to allocate an AWS + Network Load Balancer (NLB). - ```console - kubectl apply -f common/crds/k8s.nginx.org_globalconfigurations.yaml - ``` +```shell +kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.3.2/deploy/aws-nlb/deploy.yaml +``` -3. If you would like to use the App Protect WAF module, you will need to create custom resource definitions for `APPolicy`, `APLogConf` and `APUserSig`: +{{%/tab%}} - ```console - kubectl apply -f common/crds/appprotect.f5.com_aplogconfs.yaml - kubectl apply -f common/crds/appprotect.f5.com_appolicies.yaml - kubectl apply -f common/crds/appprotect.f5.com_apusersigs.yaml - ``` +{{%tab name="OIDC"%}} -4. If you would like to use the App Protect DoS module, you will need to create custom resource definitions for `APDosPolicy`, `APDosLogConf` and `DosProtectedResource`: +Deploys NGINX Ingress Controller with OpenID Connect (OIDC) authentication enabled. 
- ```console - kubectl apply -f common/crds/appprotectdos.f5.com_apdoslogconfs.yaml - kubectl apply -f common/crds/appprotectdos.f5.com_apdospolicy.yaml - kubectl apply -f common/crds/appprotectdos.f5.com_dosprotectedresources.yaml - ``` +```shell +kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.3.2/deploy/oidc/deploy.yaml +``` ---- +{{%/tab%}} -## 4. Deploying NGINX Ingress Controller +{{%tab name="NGINX Plus"%}} -There are two options for deploying NGINX Ingress Controller: +Deploys NGINX Ingress Controller with the NGINX Plus. The image is pulled from the +NGINX Plus Docker registry, and the `imagePullSecretName` is the name of the secret to use to pull the image. +The secret must be created in the same namespace as the NGINX Ingress Controller. -- *Deployment*. Use a Deployment if you plan to dynamically change the number of Ingress Controller replicas. -- *DaemonSet*. Use a DaemonSet for deploying the Ingress Controller on every node or a subset of nodes. +```shell +kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.3.2/deploy/nginx-plus/deploy.yaml +``` -Additionally, if you would like to use the NGINX App Protect DoS module, you'll need to deploy the Arbitrator. +{{%/tab%}} -{{}} Before creating a Deployment or Daemonset resource, make sure to update the [command-line arguments](/nginx-ingress-controller/configuration/global-configuration/command-line-arguments) of NGINX Ingress Controller container in the corresponding manifest file according to your requirements. {{}} +{{%tab name="NGINX App Protect WAF"%}} ---- +Deploys NGINX Ingress Controller with the NGINX App Protect WAF module enabled. The image is pulled from the NGINX Plus +Docker registry, and the `imagePullSecretName` is the name of the secret to use to pull the image. The secret must be +created in the same namespace as the NGINX Ingress Controller. 
-### Deploying Arbitrator for NGINX App Protect DoS +```shell +kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.3.2/deploy/appprotect-waf/deploy.yaml +``` -There are two steps for deploying NGINX Ingress Controller with the NGINX App Protect DoS module: +{{%/tab%}} -1. Build your own image and push it to your private Docker registry by following the instructions from [here](/nginx-ingress-controller/app-protect-dos/installation#Build-the-app-protect-dos-arb-Docker-Image). +{{%tab name="NGINX App Protect DoS"%}} -1. Run the Arbitrator by using a Deployment and Service +Deploys NGINX Ingress Controller with the NGINX App Protect DoS module enabled. The image is pulled from the NGINX Plus +Docker registry, and the `imagePullSecretName` is the name of the secret to use to pull the image. The secret must be +created in the same namespace as the NGINX Ingress Controller. - ```console - kubectl apply -f deployment/appprotect-dos-arb.yaml - kubectl apply -f service/appprotect-dos-arb-svc.yaml - ``` +```shell +kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.3.2/deploy/appprotect-dos/deploy.yaml +``` ---- +{{%/tab%}} -### 4.1 Running NGINX Ingress Controller +{{%tab name="Read-only filesystem"%}} -#### Using a Deployment +Deploys NGINX Ingress Controller with a read-only filesystem. -When you run NGINX Ingress Controller by using a Deployment, by default, Kubernetes will create one NGINX Ingress Controller pod. +```shell +kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.3.2/deploy/read-only-fs/deploy.yaml +``` -For NGINX, run: +{{%/tab%}} -```console -kubectl apply -f deployment/nginx-ingress.yaml -``` +{{%tab name="NodePort"%}} -For NGINX Plus, run: +Deploys NGINX Ingress Controller using a Service type of `NodePort`. 
-```console -kubectl apply -f deployment/nginx-plus-ingress.yaml +```shell +kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.3.2/deploy/nodeport/deploy.yaml ``` -{{}} Update the `nginx-plus-ingress.yaml` with the chosen image from the F5 Container registry; or the container image that you have built. {{}} +{{%/tab%}} ---- +{{%tab name="Edge"%}} + +Deploys NGINX Ingress Controller using the `edge` tag from Docker Hub. See the +[README](https://github.com/nginxinc/kubernetes-ingress/blob/main/README.md#nginx-ingress-controller-releases) +for more information on the different tags. -#### Using a DaemonSet +```shell +kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.3.2/deploy/edge/deploy.yaml +``` -When you run the Ingress Controller by using a DaemonSet, Kubernetes will create an Ingress Controller pod on every node of the cluster. +{{%/tab%}} -{{}} Read the Kubernetes [DaemonSet docs](https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/) to learn how to run NGINX Ingress Controller on a subset of nodes instead of on every node of the cluster.{{}} +{{%tab name="Service Insight"%}} -For NGINX, run: +Deploys NGINX Ingress Controller with Service Insight enabled. -```console -kubectl apply -f daemon-set/nginx-ingress.yaml +```shell +kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.3.2/deploy/service-insight/deploy.yaml ``` -For NGINX Plus, run: +{{%/tab%}} + +{{%tab name="External DNS"%}} -```console -kubectl apply -f daemon-set/nginx-plus-ingress.yaml +Deploys NGINX Ingress Controller with External DNS enabled. + +```shell +kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.3.2/deploy/external-dns/deploy.yaml ``` -{{}}Update `nginx-plus-ingress.yaml` with the chosen image from the F5 Container registry; or the container image that you have built.{{}} +{{%/tab%}} + +{{}} --- 
@@ -208,81 +230,55 @@ kubectl apply -f daemon-set/nginx-plus-ingress.yaml Run the following command to make sure that the NGINX Ingress Controller pods are running: -```console +```shell kubectl get pods --namespace=nginx-ingress ``` ## 5. Getting Access to NGINX Ingress Controller -**If you created a daemonset**, ports 80 and 443 of NGINX Ingress Controller container are mapped to the same ports of the node where the container is running. To access NGINX Ingress Controller, use those ports and an IP address of any node of the cluster where the Ingress Controller is running. - -**If you created a deployment**, there are two options for accessing NGINX Ingress Controller pods: - -### 5.1 Create a Service for the NGINX Ingress Controller Pods +If you deployed a DaemonSet, ports 80 and 443 of NGINX Ingress Controller container are mapped to the same ports of the +node where the container is running. To access NGINX Ingress Controller, use those ports and an IP address of any node +of the cluster where the Ingress Controller is running. -#### Using a NodePort Service - -Create a service with the type *NodePort*: - -```console -kubectl create -f service/nodeport.yaml -``` +If you deployed a Deployment, there are two options for accessing NGINX Ingress Controller pods: -Kubernetes will randomly allocate two ports on every node of the cluster. To access the Ingress Controller, use an IP address of any node of the cluster along with the two allocated ports. +- If the LoadBalancer type is `NodePort`, Kubernetes will randomly allocate two ports on every node of the cluster. +To access the Ingress Controller, use an IP address of any node of the cluster along with the two allocated ports. {{}} Read more about the type NodePort in the [Kubernetes documentation](https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport). 
{{}} -#### Using a LoadBalancer Service +- If the LoadBalancer type is `LoadBalancer`: + - For GCP or Azure, Kubernetes will allocate a cloud load balancer for load balancing the Ingress Controller pods. + Use the public IP of the load balancer to access NGINX Ingress Controller. + - For AWS, Kubernetes will allocate a Network Load Balancer (NLB) in TCP mode with the PROXY protocol enabled to pass + the client's information (the IP address and the port). -1. Create a service using a manifest for your cloud provider: - - For GCP or Azure, run: - - ```shell - kubectl apply -f service/loadbalancer.yaml - ``` - - - For AWS, run: - - ```shell - kubectl apply -f service/loadbalancer-aws-elb.yaml - ``` - - Kubernetes will allocate a Classic Load Balancer (ELB) in TCP mode with the PROXY protocol enabled to pass the client's information (the IP address and the port). NGINX must be configured to use the PROXY protocol: - - Add the following keys to the config map file `nginx-config.yaml` from the Step 2: - - ```yaml - proxy-protocol: "True" - real-ip-header: "proxy_protocol" - set-real-ip-from: "0.0.0.0/0" - ``` - - - Update the config map: - - ```shell - kubectl apply -f common/nginx-config.yaml - ``` - - {{}} For AWS, additional options regarding an allocated load balancer are available, such as its type and SSL termination. Read the [Kubernetes documentation](https://kubernetes.io/docs/concepts/services-networking/service/#type-loadbalancer) to learn more. {{}} + {{}} For AWS, additional options regarding an allocated load balancer are available, such as its type and SSL + termination. Read the [Kubernetes documentation](https://kubernetes.io/docs/concepts/services-networking/service/#type-loadbalancer) to learn more. + {{}} Kubernetes will allocate and configure a cloud load balancer for load balancing the Ingress Controller pods. -2. Use the public IP of the load balancer to access NGINX Ingress Controller. 
To get the public IP: - - For GCP or Azure, run: - ```shell - kubectl get svc nginx-ingress --namespace=nginx-ingress - ``` + Use the public IP of the load balancer to access NGINX Ingress Controller. To get the public IP: + - For GCP or Azure, run: - - In case of AWS ELB, the public IP is not reported by `kubectl`, because the ELB IP addresses are not static. In general, you should rely on the ELB DNS name instead of the ELB IP addresses. However, for testing purposes, you can get the DNS name of the ELB using `kubectl describe` and then run `nslookup` to find the associated IP address: + ```shell + kubectl get svc nginx-ingress --namespace=nginx-ingress + ``` - ```shell - kubectl describe svc nginx-ingress --namespace=nginx-ingress - ``` + - In case of AWS ELB, the public IP is not reported by `kubectl`, because the ELB IP addresses are not static. In + general, you should rely on the ELB DNS name instead of the ELB IP addresses. However, for testing purposes, you + can get the DNS name of the ELB using `kubectl describe` and then run `nslookup` to find the associated IP address: - You can resolve the DNS name into an IP address using `nslookup`: + ```shell + kubectl describe svc nginx-ingress --namespace=nginx-ingress + ``` - ```shell - nslookup - ``` + You can resolve the DNS name into an IP address using `nslookup`: + + ```shell + nslookup + ``` The public IP can be reported in the status of an ingress resource. See the [Reporting Resources Status doc](/nginx-ingress-controller/configuration/global-configuration/reporting-resources-status) for more details. 
@@ -290,7 +286,8 @@ Kubernetes will randomly allocate two ports on every node of the cluster. To acc ## Uninstall NGINX Ingress Controller -1. Delete the `nginx-ingress` namespace to uninstall NGINX Ingress Controller along with all the auxiliary resources that were created: +1. Delete the `nginx-ingress` namespace to uninstall NGINX Ingress Controller along with all the auxiliary resources + that were created: ```shell kubectl delete namespace nginx-ingress @@ -308,5 +305,5 @@ Kubernetes will randomly allocate two ports on every node of the cluster. To acc {{}} This step will also remove all associated Custom Resources. {{}} ```shell - kubectl delete -f common/crds/ + kubectl delete -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.3.2/deploy/crds.yaml ``` diff --git a/docs/content/installation/using-the-jwt-token-docker-secret.md b/docs/content/installation/using-the-jwt-token-docker-secret.md index 8ccd0bec63..e975475ea8 100644 --- a/docs/content/installation/using-the-jwt-token-docker-secret.md +++ b/docs/content/installation/using-the-jwt-token-docker-secret.md @@ -53,7 +53,7 @@ You will need the following information from [MyF5](https://my.f5.com) for these ```shell kubectl get secret regcred --output=yaml - ``` + ``` 1. You can now use the newly created Kubernetes secret in `helm` and `manifest` deployments. @@ -71,7 +71,7 @@ spec: seccompProfile: type: RuntimeDefault containers: - - image: private-registry.nginx.com/nginx-ic/nginx-plus-ingress:3.3.0 + - image: private-registry.nginx.com/nginx-ic/nginx-plus-ingress:3.3.2 imagePullPolicy: IfNotPresent name: nginx-plus-ingress ``` 
@@ -87,7 +87,7 @@ If you are using `helm` for deployment, there are two main methods: using *sourc The [Helm installation page for NGINX Ingress Controller](https://docs.nginx.com/nginx-ingress-controller/installation/installation-with-helm/#managing-the-chart-via-sources) has a section describing how to use sources: these are the unique steps for Docker secrets using JWT tokens. 1. Clone the NGINX [`kubernetes-ingress` repository](https://github.com/nginxinc/kubernetes-ingress). -1. Navigate to the `deployments/helm-chart` folder of your local clone. +1. Navigate to the `charts/nginx-ingress` folder of your local clone. 1. Open the `values.yaml` file in an editor. You must change a few lines NGINX Ingress Controller with NGINX Plus to be deployed. @@ -109,7 +109,7 @@ image: repository: private-registry.nginx.com/nginx-ic/nginx-plus-ingress ## The version tag - tag: 3.3.0 + tag: 3.3.2 serviceAccount: ## The annotations of the service account of the Ingress Controller pods. 
@@ -139,7 +139,7 @@ If the namespace does not exist, `--create-namespace` will create it. Using `-f If you want to install NGINX Ingress Controller using the charts method, the following is an example of using the command line to pass the required arguments using the `set` parameter. ```shell -helm install my-release -n nginx-ingress oci://ghcr.io/nginxinc/charts/nginx-ingress --version 1.0.0 --set controller.image.repository=private-registry.nginx.com/nginx-ic/nginx-plus-ingress --set controller.image.tag=3.3.0 --set controller.nginxplus=true --set controller.serviceAccount.imagePullSecretName=regcred +helm install my-release -n nginx-ingress oci://ghcr.io/nginxinc/charts/nginx-ingress --version 1.0.2 --set controller.image.repository=private-registry.nginx.com/nginx-ic/nginx-plus-ingress --set controller.image.tag=3.3.2 --set controller.nginxplus=true --set controller.serviceAccount.imagePullSecretName=regcred ``` Checking the validation that the .crts/key and .jwt are able to successfully authenticate to the repo to pull NGINX Ingress controller images: diff --git a/docs/content/troubleshooting/troubleshoot-common.md b/docs/content/troubleshooting/troubleshoot-common.md index 63ff8f31e8..c29e0f02eb 100644 --- a/docs/content/troubleshooting/troubleshoot-common.md +++ b/docs/content/troubleshooting/troubleshoot-common.md @@ -145,7 +145,7 @@ controller: nginxplus: plus image: repository: nginx/nginx-ingress - tag: 3.3.0 + tag: 3.3.2 # NGINX Configmap config: entries: diff --git a/docs/content/tutorials/custom-listen-ports.md b/docs/content/tutorials/custom-listen-ports.md index b7fcac13ca..2a38a1efaf 100644 --- a/docs/content/tutorials/custom-listen-ports.md +++ b/docs/content/tutorials/custom-listen-ports.md @@ -88,7 +88,7 @@ spec: spec: serviceAccountName: nginx-ingress containers: - - image: nginx/nginx-ingress:3.3.0 + - image: nginx/nginx-ingress:3.3.2 imagePullPolicy: IfNotPresent name: nginx-ingress ports: 
diff --git a/docs/content/tutorials/nginx-ingress-osm.md b/docs/content/tutorials/nginx-ingress-osm.md index 440a65f5a4..9781bba64b 100644 --- a/docs/content/tutorials/nginx-ingress-osm.md +++ b/docs/content/tutorials/nginx-ingress-osm.md @@ -15,14 +15,14 @@ Open Service Mesh will work with both versions of [F5 NGINX Ingress controller]( Below is a link to the official F5 NGINX Ingress Controller documentation. [F5 NGINX Ingress controller](https://docs.nginx.com/nginx-ingress-controller/) -# Integrating NGINX Ingress Controller with Open Service Mesh +## Integrating NGINX Ingress Controller with Open Service Mesh There are two ways to integrate the NGINX Ingress Controller with Open Service Mesh (OSM): 1. Injecting an envoy sidecar directly with NGINX Ingress Controller. 2. Using the Open Service Mesh `ingressBackend` "proxy" feature. -# NGINX Ingress controller and OSM with sidecar proxy injected +## NGINX Ingress controller and OSM with sidecar proxy injected Install OSM in the cluster @@ -49,7 +49,7 @@ osm namespace add nginx-ingress --mesh-name osm-nginx The above command will use the mark the `nginx-ingress` namespace, where OSM will be installed (sidecar) -# Install F5 NGINX Ingress controller +## Install F5 NGINX Ingress controller Links to the complete install guides: @@ -58,7 +58,7 @@ Links to the complete install guides: When using the sidecar method, ensure that you add the correct annotations listed below. This ensures proper integration of NGINX Ingress Controller with the envoy sidecar proxy. -## Helm installs +### Helm installs If using `helm`, add the following `annotation` to your `values.yaml` file: @@ -79,7 +79,7 @@ helm install nic01 nginx-stable/nginx-ingress -n nginx-ingress --create-namespac Change your `release` accordingly to match your environment. -## Manifest installs +### Manifest installs For your `manifest` deployments, add the following `annotation`. 
@@ -88,6 +88,12 @@ annotations: openservicemesh.io/inbound-port-exclusion-list: "80,443" ``` +or you can use the provided `yaml` file in the `deploy` directory. + +```console +kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.3.2/deploy/openservicemesh/deploy.yaml +``` + ### Sample deployment file with required annotation ```yaml @@ -220,7 +226,7 @@ Once OSM has been installed, this next command will mark the NGINX Ingress Contr osm namespace add nginx-ingress --mesh-name osm-nginx --disable-sidecar-injection ``` -# Install F5 NGINX Ingress controller +## Install F5 NGINX Ingress controller Links to the complete install guides: diff --git a/docs/content/usage-reporting.md b/docs/content/usage-reporting.md index 5453fd56a7..6f900d812b 100644 --- a/docs/content/usage-reporting.md +++ b/docs/content/usage-reporting.md @@ -87,7 +87,7 @@ To make the credential available to Usage Reporting, we need to create a Kuberne If you need to update the basic-auth credentials for NGINX Management Suite in the future, update the `username` and `password` fields, and apply the changes by running the command again. Usage Reporting will automatically detect the changes, using the new username and password without redeployment. -5. Download and save the deployment file [cluster-connector.yaml](https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.3.0/examples/shared-examples/usage-reporting/cluster-connector.yaml). Edit the following under the `args` section and then save the file: +5. Download and save the deployment file [cluster-connector.yaml](https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.3.2/examples/shared-examples/usage-reporting/cluster-connector.yaml). Edit the following under the `args` section and then save the file: ```yaml args: diff --git a/examples/custom-resources/service-insight/README.md b/examples/custom-resources/service-insight/README.md index 09c4e8b40a..765c333243 100644 
--- a/examples/custom-resources/service-insight/README.md +++ b/examples/custom-resources/service-insight/README.md @@ -3,12 +3,11 @@ > The Service Insight feature is available only for F5 NGINX Plus. To use the [Service Insight](https://docs.nginx.com/nginx-ingress-controller/logging-and-monitoring/service-insight/) -feature provided by F5 NGINX Ingress Controller you must enable it by setting `serviceInsight.create=true` in your `helm -install/upgrade...` command OR [manifest](../../../deployments/deployment/nginx-plus-ingress.yaml) depending on your +feature provided by F5 NGINX Ingress Controller you must enable it by setting `serviceInsight.create` to `true` when +using the Helm Chart or by using the [manifest](../../../deploy/service-insight/deploy.yaml) depending on your preferred installation method. -The following example demonstrates how to enable the Service Insight for NGINX Ingress Controller using [manifests -(Deployment)](../../../deployments/deployment/nginx-plus-ingress.yaml): +The following example is an extract of the Service Insight Deployment for NGINX Ingress Controller using the manifest above: ```yaml apiVersion: apps/v1 @@ -32,7 +31,7 @@ spec: securityContext: ... containers: - - image: nginx-plus-ingress:3.3.0 + - image: nginx-plus-ingress:3.3.2 imagePullPolicy: IfNotPresent name: nginx-plus-ingress ports: @@ -67,9 +66,11 @@ spec: ## Deployment -[Install NGINX Ingress -Controller](https://docs.nginx.com/nginx-ingress-controller/installation/installation-with-manifests/), and uncomment -the `-enable-service-insight` option: this will allow Service Insight to interact with it. +Install NGINX Ingress Controller with: + +```console +kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/main/deploy/service-insight/deploy.yaml +``` The examples below use the `nodeport` service. 
@@ -297,7 +298,7 @@ Response: ## Service Insight with TLS The following example demonstrates how to enable the Service Insight for NGINX Ingress Controller with **TLS** using -[manifests (Deployment)](../../../deployments/deployment/nginx-plus-ingress.yaml): +manifests (Deployment): ```yaml apiVersion: apps/v1 @@ -321,7 +322,7 @@ spec: securityContext: ... containers: - - image: nginx-plus-ingress:3.3.0 + - image: nginx-plus-ingress:3.3.2 imagePullPolicy: IfNotPresent name: nginx-plus-ingress ports: diff --git a/examples/helm-chart/README.md b/examples/helm-chart/README.md new file mode 100644 index 0000000000..fa968a2ca7 --- /dev/null +++ b/examples/helm-chart/README.md 
@@ -0,0 +1,44 @@ +# Helm Chart Examples + +This directory contains examples of Helm charts that can be used to deploy +NGINX Ingress Controller in a Kubernetes cluster. + +## Prerequisites + +- Helm 3.0+ + +## Examples + +- [Default](./default) - deploys the NGINX Ingress Controller with default parameters. +- [NGINX App Protect DoS](./app-protect-dos) - deploys the NGINX Ingress Controller with the NGINX App Protect DoS + module enabled. The image is pulled from the NGINX Plus Docker registry, and the `imagePullSecretName` is the name of + the secret to use to pull the image. The secret must be created in the same namespace as the NGINX Ingress Controller. +- [NGINX App Protect WAF](./app-protect-waf) - deploys the NGINX Ingress Controller with the NGINX App Protect WAF + module enabled. The image is pulled from the NGINX Plus Docker registry, and the `imagePullSecretName` is the name of + the secret to use to pull the image. The secret must be created in the same namespace as the NGINX Ingress Controller. +- [AWS NLB](./aws-nlb) - deploys the NGINX Ingress Controller using a Service type of `LoadBalancer` to allocate an AWS + Network Load Balancer (NLB). +- [Azure](./azure) - deploys the NGINX Ingress Controller using a nodeSelector to deploy the controller on Azure nodes. +- [DaemonSet](./daemonset) - deploys the NGINX Ingress Controller as a DaemonSet. +- [Edge](./edge) - deploys the NGINX Ingress Controller using the `edge` tag from Docker Hub. + See the [README](../../README.md#nginx-ingress-controller-releases) for more information on the different tags. +- [NGINX Plus](./nginx-plus) - deploys the NGINX Ingress Controller with the NGINX Plus. The image is pulled from the + NGINX Plus Docker registry, and the `imagePullSecretName` is the name of the secret to use to pull the image. + The secret must be created in the same namespace as the NGINX Ingress Controller. 
+- [OIDC](./oidc) - deploys the NGINX Ingress Controller with OpenID Connect (OIDC) authentication enabled. +- [Read-only filesystem](./read-only-filesystem) - deploys the NGINX Ingress Controller with a read-only filesystem. +- [NodePort](./nodeport) - deploys the NGINX Ingress Controller using a Service type of `NodePort`. +- [Service Insight](./service-insight) - deploys the NGINX Ingress Controller with Service Insight enabled. +- [External DNS](./external-dns) - deploys the NGINX Ingress Controller with External DNS enabled. + +## Manifests generation + +These examples are used to generate manifests for the NGINX Ingress Controller located in the manifest folder +[here](../../deploy). + +If you want to generate manifests for a specific example, or need to customize one of the examples, run the following +command from the root of the project: + +```shell +helm template nginx-ingress --namespace nginx-ingress --values examples/helm-chart//values.yaml charts/nginx-ingress +``` diff --git a/examples/helm-chart/app-protect-dos/values.yaml b/examples/helm-chart/app-protect-dos/values.yaml new file mode 100644 index 0000000000..d71530b7c4 --- /dev/null +++ b/examples/helm-chart/app-protect-dos/values.yaml @@ -0,0 +1,10 @@ +controller: + name: controller + kind: deployment + nginxplus: true + appprotectdos: + enable: true + image: + repository: private-registry.nginx.com/nginx-ic-dos/nginx-plus-ingress + serviceAccount: + imagePullSecretName: nginx-registry-credentials diff --git a/examples/helm-chart/app-protect-waf/values.yaml b/examples/helm-chart/app-protect-waf/values.yaml new file mode 100644 index 0000000000..060f6656c7 --- /dev/null +++ b/examples/helm-chart/app-protect-waf/values.yaml 
@@ -0,0 +1,11 @@ +controller: + name: controller + kind: deployment + nginxplus: true + appprotect: + enable: true + logLevel: error + image: + repository: private-registry.nginx.com/nginx-ic-nap/nginx-plus-ingress + serviceAccount: + imagePullSecretName: nginx-registry-credentials diff --git a/examples/helm-chart/aws-nlb/values.yaml b/examples/helm-chart/aws-nlb/values.yaml new file mode 100644 index 0000000000..e5c8250ff2 --- /dev/null +++ b/examples/helm-chart/aws-nlb/values.yaml @@ -0,0 +1,13 @@ +controller: + name: controller + kind: deployment + service: + type: LoadBalancer + annotations: + service.beta.kubernetes.io/aws-load-balancer-type: "nlb" + service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: "ip" + config: + entries: + proxy-protocol: "True" + real-ip-header: "proxy_protocol" + set-real-ip-from: "0.0.0.0/0" diff --git a/examples/helm-chart/azure/values.yaml b/examples/helm-chart/azure/values.yaml new file mode 100644 index 0000000000..03547143be --- /dev/null +++ b/examples/helm-chart/azure/values.yaml @@ -0,0 +1,5 @@ +controller: + name: controller + kind: deployment + nodeSelector: + kubernetes.io/os: linux diff --git a/examples/helm-chart/daemon-set/values.yaml b/examples/helm-chart/daemon-set/values.yaml new file mode 100644 index 0000000000..7cf8214e66 --- /dev/null +++ b/examples/helm-chart/daemon-set/values.yaml @@ -0,0 +1,3 @@ +controller: + name: controller + kind: daemonset diff --git a/examples/helm-chart/default/values.yaml b/examples/helm-chart/default/values.yaml new file mode 100644 index 0000000000..3552bbf27c --- /dev/null +++ b/examples/helm-chart/default/values.yaml @@ -0,0 +1,2 @@ +controller: + name: controller diff --git a/examples/helm-chart/edge/values.yaml b/examples/helm-chart/edge/values.yaml new file mode 100644 index 0000000000..0e85649cfb --- /dev/null +++ b/examples/helm-chart/edge/values.yaml @@ -0,0 +1,7 @@ +controller: + name: controller + kind: deployment + image: + tag: edge + service: + type: NodePort 
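Review bot: `set-real-ip-from: "0.0.0.0/0"` in the aws-nlb values tells NGINX to accept a PROXY protocol source address from any peer, so a client that can reach the pods without passing through the NLB (plausible with `aws-load-balancer-nlb-target-type: "ip"`, where the targets are pod IPs reachable inside the VPC) can present an arbitrary client IP to access-control policies and logs. Narrow the range to the addresses the NLB actually connects from, or at least document the trade-off above the entry, e.g. `# trusts PROXY protocol from any source; restrict to the NLB/VPC CIDR in production`. This is an example values file, but the same value is rendered into the published `deploy/aws-nlb/deploy.yaml`.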
diff --git a/examples/helm-chart/external-dns/values.yaml b/examples/helm-chart/external-dns/values.yaml new file mode 100644 index 0000000000..47166a9e17 --- /dev/null +++ b/examples/helm-chart/external-dns/values.yaml @@ -0,0 +1,3 @@ +controller: + name: controller + enableExternalDNS: true diff --git a/examples/helm-chart/nginx-plus/values.yaml b/examples/helm-chart/nginx-plus/values.yaml new file mode 100644 index 0000000000..8ab0626e49 --- /dev/null +++ b/examples/helm-chart/nginx-plus/values.yaml @@ -0,0 +1,8 @@ +controller: + name: controller + kind: deployment + nginxplus: true + image: + repository: private-registry.nginx.com/nginx-ic/nginx-plus-ingress + serviceAccount: + imagePullSecretName: nginx-registry-credentials diff --git a/examples/helm-chart/nodeport/values.yaml b/examples/helm-chart/nodeport/values.yaml new file mode 100644 index 0000000000..18922539ef --- /dev/null +++ b/examples/helm-chart/nodeport/values.yaml @@ -0,0 +1,4 @@ +controller: + name: controller + service: + type: NodePort diff --git a/examples/helm-chart/oidc/values.yaml b/examples/helm-chart/oidc/values.yaml new file mode 100644 index 0000000000..3586cecf83 --- /dev/null +++ b/examples/helm-chart/oidc/values.yaml @@ -0,0 +1,9 @@ +controller: + name: controller + kind: deployment + nginxplus: true + enableOIDC: true + image: + repository: private-registry.nginx.com/nginx-ic/nginx-plus-ingress + serviceAccount: + imagePullSecretName: nginx-registry-credentials diff --git a/examples/helm-chart/openservicemesh/values.yaml b/examples/helm-chart/openservicemesh/values.yaml new file mode 100644 index 0000000000..3ce77eec48 --- /dev/null +++ b/examples/helm-chart/openservicemesh/values.yaml @@ -0,0 +1,5 @@ +controller: + name: controller + pod: + annotations: + openservicemesh.io/inbound-port-exclusion-list: "80, 443" diff --git a/examples/helm-chart/read-only-fs/values.yaml b/examples/helm-chart/read-only-fs/values.yaml new file mode 100644 index 0000000000..b9ffdd47b7 --- /dev/null 
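Review bot: The openservicemesh values set `openservicemesh.io/inbound-port-exclusion-list: "80, 443"` with a space after the comma, whereas the `nginx-ingress-osm.md` hunk earlier in this patch documents `"80,443"`. If OSM's annotation parser does not trim whitespace the rendered `deploy/openservicemesh/deploy.yaml` may not exclude the intended ports; using the documented form `"80,443"` removes the doubt and keeps the example and the docs consistent.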
+++ b/examples/helm-chart/read-only-fs/values.yaml @@ -0,0 +1,5 @@ +controller: + name: controller + kind: deployment + enableCustomResources: false + readOnlyRootFilesystem: true diff --git a/examples/helm-chart/service-insight/values.yaml b/examples/helm-chart/service-insight/values.yaml new file mode 100644 index 0000000000..c69fe1babc --- /dev/null +++ b/examples/helm-chart/service-insight/values.yaml @@ -0,0 +1,5 @@ +controller: + name: controller + nginxplus: true + serviceInsight: + create: true diff --git a/hack/generate-manifests.sh b/hack/generate-manifests.sh new file mode 100755 index 0000000000..2844c5d1cf --- /dev/null +++ b/hack/generate-manifests.sh @@ -0,0 +1,20 @@ +#!/usr/bin/env bash + +# Generate deployment files using Helm. This script uses the Helm chart examples in examples/helm-chart + +charts=$(find examples/helm-chart -maxdepth 1 -mindepth 1 -type d -exec basename {} \;) + +for chart in $charts; do + manifest=deploy/$chart/deploy.yaml + helm template nginx-ingress --namespace nginx-ingress --values examples/helm-chart/$chart/values.yaml --skip-crds charts/nginx-ingress >$manifest 2>/dev/null + sed -i.bak '/app.kubernetes.io\/managed-by: Helm/d' $manifest + sed -i.bak '/helm.sh/d' $manifest + cp $manifest config/base + if [ "$chart" == "app-protect-dos" ]; then + kustomize build config/overlays/app-protect-dos >$manifest + else + kustomize build config/base >$manifest + fi + rm -f config/base/deploy.yaml + rm -f $manifest.bak +done diff --git a/perf-tests/suite/test_ap_reload_perf.py b/perf-tests/suite/test_ap_reload_perf.py index 83d2d76a9b..bacf168f0a 100644 --- a/perf-tests/suite/test_ap_reload_perf.py +++ b/perf-tests/suite/test_ap_reload_perf.py @@ -9,7 +9,7 @@ import requests import yaml from kubernetes.client import V1ContainerPort -from settings import DEPLOYMENTS, TEST_DATA +from settings import TEST_DATA from suite.utils.ap_resources_utils import ( create_ap_logconf_from_yaml, create_ap_policy_from_yaml, 
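Review bot: `helm template ... >$manifest 2>/dev/null` in hack/generate-manifests.sh discards Helm's error output and the script has no `set -euo pipefail`, so a failing render leaves an empty or truncated `deploy/<chart>/deploy.yaml` that the following `sed`/`kustomize` steps still process and that ends up published as a manifest users apply from raw.githubusercontent.com. Add `set -euo pipefail` after the shebang and drop the `2>/dev/null` redirect so a rendering failure stops generation instead of producing a broken file. The output path is also derived from the example directory name (`deploy/app-protect-waf/deploy.yaml`, `deploy/app-protect-dos/deploy.yaml`), which does not match the `deploy/appprotect-waf/deploy.yaml` and `deploy/appprotect-dos/deploy.yaml` URLs used in the installation doc hunk earlier in this patch, so one of the two needs to change or those links resolve to nothing.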
diff --git a/tests/Dockerfile b/tests/Dockerfile index 05de516111..b5c56976d0 100644 --- a/tests/Dockerfile +++ b/tests/Dockerfile @@ -1,4 +1,4 @@ -# syntax=docker/dockerfile:1.5 +# syntax=docker/dockerfile:1.6 # this is here so we can grab the latest version of kind and have dependabot keep it up to date FROM kindest/node:v1.28.0 @@ -13,8 +13,8 @@ WORKDIR /workspace/tests COPY --link tests/requirements.txt /workspace/tests/ RUN pip install --require-hashes -r requirements.txt --no-deps -COPY --link deployments /workspace/deployments COPY --link config /workspace/config +COPY --link deploy /workspace/deploy RUN curl -LO https://storage.googleapis.com/kubernetes-release/release/$(curl -s https://storage.googleapis.com/kubernetes-release/release/stable.txt)/bin/linux/amd64/kubectl \ && install -o root -g root -m 0755 kubectl /usr/local/bin/kubectl \ diff --git a/tests/Makefile b/tests/Makefile index 23d88310ba..cc28c176ae 100644 --- a/tests/Makefile +++ b/tests/Makefile @@ -12,7 +12,7 @@ KUBE_CONFIG_FOLDER = $${HOME}/.kube KIND_KUBE_CONFIG_FOLDER = $${HOME}/.kube/kind SHOW_IC_LOGS = no PYTEST_ARGS = -DOCKERFILEPATH = docker/Dockerfile +DOCKERFILEPATH = Dockerfile IP_FAMILY=dual diff --git a/deployments/common/ingress-class.yaml b/tests/data/common/ingress-class.yaml similarity index 100% rename from deployments/common/ingress-class.yaml rename to tests/data/common/ingress-class.yaml diff --git a/deployments/common/nginx-config.yaml b/tests/data/common/nginx-config.yaml similarity index 100% rename from deployments/common/nginx-config.yaml rename to tests/data/common/nginx-config.yaml diff --git a/deployments/common/ns-and-sa.yaml b/tests/data/common/ns-and-sa.yaml similarity index 100% rename from deployments/common/ns-and-sa.yaml rename to tests/data/common/ns-and-sa.yaml 
diff --git a/deployments/daemon-set/nginx-ingress.yaml b/tests/data/daemon-set/nginx-ingress.yaml similarity index 100% rename from deployments/daemon-set/nginx-ingress.yaml rename to tests/data/daemon-set/nginx-ingress.yaml diff --git a/deployments/daemon-set/nginx-plus-ingress.yaml b/tests/data/daemon-set/nginx-plus-ingress.yaml similarity index 100% rename from deployments/daemon-set/nginx-plus-ingress.yaml rename to tests/data/daemon-set/nginx-plus-ingress.yaml diff --git a/deployments/deployment/appprotect-dos-arb.yaml b/tests/data/deployment/appprotect-dos-arb.yaml similarity index 100% rename from deployments/deployment/appprotect-dos-arb.yaml rename to tests/data/deployment/appprotect-dos-arb.yaml diff --git a/deployments/deployment/nginx-ingress.yaml b/tests/data/deployment/nginx-ingress.yaml similarity index 100% rename from deployments/deployment/nginx-ingress.yaml rename to tests/data/deployment/nginx-ingress.yaml diff --git a/deployments/deployment/nginx-plus-ingress.yaml b/tests/data/deployment/nginx-plus-ingress.yaml similarity index 100% rename from deployments/deployment/nginx-plus-ingress.yaml rename to tests/data/deployment/nginx-plus-ingress.yaml diff --git a/deployments/rbac/ap-rbac.yaml b/tests/data/rbac/ap-rbac.yaml similarity index 100% rename from deployments/rbac/ap-rbac.yaml rename to tests/data/rbac/ap-rbac.yaml diff --git a/deployments/rbac/apdos-rbac.yaml b/tests/data/rbac/apdos-rbac.yaml similarity index 100% rename from deployments/rbac/apdos-rbac.yaml rename to tests/data/rbac/apdos-rbac.yaml diff --git a/deployments/rbac/rbac.yaml b/tests/data/rbac/rbac.yaml similarity index 100% rename from deployments/rbac/rbac.yaml rename to tests/data/rbac/rbac.yaml diff --git a/deployments/service/appprotect-dos-arb-svc.yaml b/tests/data/service/appprotect-dos-arb-svc.yaml similarity index 100% rename from deployments/service/appprotect-dos-arb-svc.yaml rename to tests/data/service/appprotect-dos-arb-svc.yaml 
diff --git a/tests/settings.py b/tests/settings.py index ed76c72c7f..bf4ea4ae36 100644 --- a/tests/settings.py +++ b/tests/settings.py @@ -2,7 +2,6 @@ import os BASEDIR = os.path.dirname(os.path.dirname(os.path.abspath(__file__))) -DEPLOYMENTS = f"{BASEDIR}/deployments" CRDS = f"{BASEDIR}/config/crd/bases" PROJECT_ROOT = os.path.abspath(os.path.dirname(__file__)) TEST_DATA = f"{PROJECT_ROOT}/data" diff --git a/tests/suite/fixtures/fixtures.py b/tests/suite/fixtures/fixtures.py index de19a7a254..4b37fd826d 100644 --- a/tests/suite/fixtures/fixtures.py +++ b/tests/suite/fixtures/fixtures.py @@ -16,7 +16,7 @@ RbacAuthorizationV1Api, ) from kubernetes.client.rest import ApiException -from settings import ALLOWED_DEPLOYMENT_TYPES, ALLOWED_IC_TYPES, ALLOWED_SERVICE_TYPES, CRDS, DEPLOYMENTS, TEST_DATA +from settings import ALLOWED_DEPLOYMENT_TYPES, ALLOWED_IC_TYPES, ALLOWED_SERVICE_TYPES, BASEDIR, CRDS, TEST_DATA from suite.utils.custom_resources_utils import create_crd_from_yaml, delete_crd from suite.utils.kube_config_utils import ensure_context_in_config, get_current_context_name from suite.utils.resources_utils import ( @@ -228,9 +228,9 @@ def ingress_controller_prerequisites(cli_arguments, kube_apis, request) -> Ingre """ print("------------------------- Create IC Prerequisites -----------------------------------") rbac = configure_rbac(kube_apis.rbac_v1) - namespace = create_ns_and_sa_from_yaml(kube_apis.v1, f"{DEPLOYMENTS}/common/ns-and-sa.yaml") + namespace = create_ns_and_sa_from_yaml(kube_apis.v1, f"{TEST_DATA}/common/ns-and-sa.yaml") print("Create IngressClass resources:") - subprocess.run(["kubectl", "apply", "-f", f"{DEPLOYMENTS}/common/ingress-class.yaml"]) + subprocess.run(["kubectl", "apply", "-f", f"{TEST_DATA}/common/ingress-class.yaml"]) subprocess.run( [ "kubectl", 
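Review bot: The rewritten `subprocess.run(["kubectl", "apply", "-f", f"{TEST_DATA}/common/ingress-class.yaml"])` still runs without `check=True`, so a failed apply (for example a path that did not survive the move from `deployments/` to `tests/data/`) is ignored and the fixture continues against a cluster without the IngressClass, surfacing later as an unrelated test failure. Pass `check=True` here and in the matching delete at `@@ -250,7 +250,7 @@` in the next hunk, i.e. `subprocess.run([...], check=True)`. The enclosing fixture `ingress_controller_prerequisites` continues past the end of this hunk.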
@@ -239,7 +239,7 @@ def ingress_controller_prerequisites(cli_arguments, kube_apis, request) -> Ingre f"{TEST_DATA}/ingress-class/resource/custom-ingress-class-res.yaml", ] ) - config_map_yaml = f"{DEPLOYMENTS}/common/nginx-config.yaml" + config_map_yaml = f"{TEST_DATA}/common/nginx-config.yaml" create_configmap_from_yaml(kube_apis.v1, namespace, config_map_yaml) with open(config_map_yaml) as f: config_map = yaml.safe_load(f) @@ -250,7 +250,7 @@ def fin(): print("Clean up prerequisites") delete_namespace(kube_apis.v1, namespace) print("Delete IngressClass resources:") - subprocess.run(["kubectl", "delete", "-f", f"{DEPLOYMENTS}/common/ingress-class.yaml"]) + subprocess.run(["kubectl", "delete", "-f", f"{TEST_DATA}/common/ingress-class.yaml"]) subprocess.run( [ "kubectl", @@ -427,7 +427,7 @@ def fin(): kube_apis.v1, ingress_controller_prerequisites.config_map["metadata"]["name"], ingress_controller_prerequisites.namespace, - f"{DEPLOYMENTS}/common/nginx-config.yaml", + f"{TEST_DATA}/common/nginx-config.yaml", ) request.addfinalizer(fin) diff --git a/tests/suite/fixtures/ic_fixtures.py b/tests/suite/fixtures/ic_fixtures.py index a29724ea71..8c0e1d0915 100644 --- a/tests/suite/fixtures/ic_fixtures.py +++ b/tests/suite/fixtures/ic_fixtures.py @@ -4,7 +4,7 @@ import pytest from kubernetes.client.rest import ApiException -from settings import CRDS, DEPLOYMENTS, TEST_DATA +from settings import CRDS, TEST_DATA from suite.utils.custom_resources_utils import create_crd_from_yaml, delete_crd from suite.utils.resources_utils import ( cleanup_rbac, 
@@ -103,7 +103,7 @@ def crd_ingress_controller(
 except ApiException as ex:
 # Finalizer method doesn't start if fixture creation was incomplete, ensure clean up here
 print("Restore the ClusterRole:")
- patch_rbac(kube_apis.rbac_v1, f"{DEPLOYMENTS}/rbac/rbac.yaml")
+ patch_rbac(kube_apis.rbac_v1, f"{TEST_DATA}/rbac/rbac.yaml")
 print("Remove the IC:")
 delete_ingress_controller(kube_apis.apps_v1_api, name, cli_arguments["deployment-type"], namespace)
 pytest.fail("IC setup failed")
@@ -111,7 +111,7 @@ def crd_ingress_controller(
 def fin():
 if request.config.getoption("--skip-fixture-teardown") == "no":
 print("Restore the ClusterRole:")
- patch_rbac(kube_apis.rbac_v1, f"{DEPLOYMENTS}/rbac/rbac.yaml")
+ patch_rbac(kube_apis.rbac_v1, f"{TEST_DATA}/rbac/rbac.yaml")
 print("Remove the IC:")
 delete_ingress_controller(kube_apis.apps_v1_api, name, cli_arguments["deployment-type"], namespace)
@@ -276,8 +276,8 @@ def crd_ingress_controller_with_dos(
 kube_apis.v1,
 kube_apis.apps_v1_api,
 namespace,
- f"{DEPLOYMENTS}/deployment/appprotect-dos-arb.yaml",
- f"{DEPLOYMENTS}/service/appprotect-dos-arb-svc.yaml",
+ f"{TEST_DATA}/deployment/appprotect-dos-arb.yaml",
+ f"{TEST_DATA}/service/appprotect-dos-arb-svc.yaml",
 )
 print("------------------------- Create IC -----------------------------------")
@@ -396,7 +396,7 @@ def crd_ingress_controller_with_ed(
 except ApiException as ex:
 # Finalizer method doesn't start if fixture creation was incomplete, ensure clean up here
 print("Restore the ClusterRole:")
- patch_rbac(kube_apis.rbac_v1, f"{DEPLOYMENTS}/rbac/rbac.yaml")
+ patch_rbac(kube_apis.rbac_v1, f"{TEST_DATA}/rbac/rbac.yaml")
 print("Remove the DNSEndpoint CRD:")
 delete_crd(
 kube_apis.api_extensions_v1,
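Review bot: In the `except ApiException as ex:` branch of crd_ingress_controller the caught exception is never used, so `pytest.fail("IC setup failed")` reports the failure without the API error that caused it, which makes cluster-side RBAC or admission problems hard to diagnose from the test log after the path change. Including it is a one-line change: `pytest.fail(f"IC setup failed: {ex}")`. The same pattern appears in the `@@ -396` hunk of crd_ingress_controller_with_ed, whose pytest.fail sits in the following `@@ -408` hunk. crd_ingress_controller starts before this hunk.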
@@ -408,14 +408,14 @@ def crd_ingress_controller_with_ed(
 kube_apis.v1,
 ingress_controller_prerequisites.config_map["metadata"]["name"],
 ingress_controller_prerequisites.namespace,
- f"{DEPLOYMENTS}/common/nginx-config.yaml",
+ f"{TEST_DATA}/common/nginx-config.yaml",
 )
 pytest.fail("IC setup failed")
 def fin():
 if request.config.getoption("--skip-fixture-teardown") == "no":
 print("Restore the ClusterRole:")
- patch_rbac(kube_apis.rbac_v1, f"{DEPLOYMENTS}/rbac/rbac.yaml")
+ patch_rbac(kube_apis.rbac_v1, f"{TEST_DATA}/rbac/rbac.yaml")
 print("Remove the DNSEndpoint CRD:")
 delete_crd(
 kube_apis.api_extensions_v1,
@@ -427,7 +427,7 @@ def fin():
 kube_apis.v1,
 ingress_controller_prerequisites.config_map["metadata"]["name"],
 ingress_controller_prerequisites.namespace,
- f"{DEPLOYMENTS}/common/nginx-config.yaml",
+ f"{TEST_DATA}/common/nginx-config.yaml",
 )
 request.addfinalizer(fin)
diff --git a/tests/suite/test_ac_policies.py b/tests/suite/test_ac_policies.py
index 0fb0771b21..a95bb44f93 100644
--- a/tests/suite/test_ac_policies.py
+++ b/tests/suite/test_ac_policies.py
@@ -1,6 +1,6 @@
 import pytest
 import requests
-from settings import DEPLOYMENTS, TEST_DATA
+from settings import TEST_DATA
 from suite.utils.custom_resources_utils import read_custom_resource
 from suite.utils.policy_resources_utils import create_policy_from_yaml, delete_policy
 from suite.utils.resources_utils import (
@@ -17,7 +17,7 @@
 patch_virtual_server_from_yaml,
 )
-std_cm_src = f"{DEPLOYMENTS}/common/nginx-config.yaml"
+std_cm_src = f"{TEST_DATA}/common/nginx-config.yaml"
 test_cm_src = f"{TEST_DATA}/access-control/configmap/nginx-config.yaml"
 std_vs_src = f"{TEST_DATA}/access-control/standard/virtual-server.yaml"
 deny_pol_src = f"{TEST_DATA}/access-control/policies/access-control-policy-deny.yaml"
diff --git a/tests/suite/test_ac_policies_vsr.py b/tests/suite/test_ac_policies_vsr.py
index 3d052fc4ff..ff43ea212a 100644
--- a/tests/suite/test_ac_policies_vsr.py
+++ b/tests/suite/test_ac_policies_vsr.py
@@ -1,12 +1,12 @@
 import pytest
 import requests
-from settings import DEPLOYMENTS, TEST_DATA
+from settings import TEST_DATA
 from suite.utils.custom_resources_utils import read_custom_resource
 from suite.utils.policy_resources_utils import create_policy_from_yaml, delete_policy
 from suite.utils.resources_utils import replace_configmap_from_yaml, wait_before_test
 from suite.utils.vs_vsr_resources_utils import patch_v_s_route_from_yaml, patch_virtual_server_from_yaml
-std_cm_src = f"{DEPLOYMENTS}/common/nginx-config.yaml"
+std_cm_src = f"{TEST_DATA}/common/nginx-config.yaml"
 test_cm_src = f"{TEST_DATA}/access-control/configmap/nginx-config.yaml"
 std_vs_src = f"{TEST_DATA}/virtual-server-route/standard/virtual-server.yaml"
 deny_pol_src = f"{TEST_DATA}/access-control/policies/access-control-policy-deny.yaml"
diff --git a/tests/suite/test_annotations.py b/tests/suite/test_annotations.py
index e4079b8d8d..1afced1acc 100644
--- a/tests/suite/test_annotations.py
+++ b/tests/suite/test_annotations.py
@@ -1,7 +1,7 @@
 import pytest
 import yaml
 from kubernetes.client import NetworkingV1Api
-from settings import DEPLOYMENTS, TEST_DATA
+from settings import TEST_DATA
 from suite.fixtures.fixtures import PublicEndpoint
 from suite.utils.custom_assertions import assert_event_count_increased
 from suite.utils.resources_utils import (
@@ -145,7 +145,7 @@ def fin():
 kube_apis.v1,
 ingress_controller_prerequisites.config_map["metadata"]["name"],
 ingress_controller_prerequisites.namespace,
- f"{DEPLOYMENTS}/common/nginx-config.yaml",
+ f"{TEST_DATA}/common/nginx-config.yaml",
 )
 delete_common_app(kube_apis, "simple", test_namespace)
 delete_items_from_yaml(
diff --git a/tests/suite/test_app_protect_integration.py b/tests/suite/test_app_protect_integration.py
index 0866bc075a..f9e96b6007 100644
--- a/tests/suite/test_app_protect_integration.py
+++ b/tests/suite/test_app_protect_integration.py
@@ -1,7 +1,7 @@
 import pytest
 import requests
 import yaml
-from settings import CRDS, DEPLOYMENTS, TEST_DATA
+from settings import CRDS, TEST_DATA
 from suite.utils.ap_resources_utils import (
 create_ap_logconf_from_yaml,
 create_ap_policy_from_yaml,
diff --git a/tests/suite/test_app_protect_waf_policies_grpc.py b/tests/suite/test_app_protect_waf_policies_grpc.py
index 4cb88493ea..aa7f9e7f13 100644
--- a/tests/suite/test_app_protect_waf_policies_grpc.py
+++ b/tests/suite/test_app_protect_waf_policies_grpc.py
@@ -1,6 +1,6 @@
 import grpc
 import pytest
-from settings import DEPLOYMENTS, TEST_DATA
+from settings import TEST_DATA
 from suite.fixtures.custom_resource_fixtures import VirtualServerRoute, VirtualServerRouteSetup, VirtualServerSetup
 from suite.grpc.helloworld_pb2 import HelloRequest
 from suite.grpc.helloworld_pb2_grpc import GreeterStub
@@ -155,7 +155,7 @@ def cleanup(kube_apis, ingress_controller_prerequisites, src_pol_name, test_name
 kube_apis.v1,
 ingress_controller_prerequisites.config_map["metadata"]["name"],
 ingress_controller_prerequisites.namespace,
- f"{DEPLOYMENTS}/common/nginx-config.yaml",
+ f"{TEST_DATA}/common/nginx-config.yaml",
 )
 delete_ap_logconf(kube_apis.custom_objects, log_name, test_namespace)
 delete_ap_policy(kube_apis.custom_objects, ap_pol_name, test_namespace)
diff --git a/tests/suite/test_custom_annotations.py b/tests/suite/test_custom_annotations.py
index aa0491f4a3..bcd4a0fc68 100644
--- a/tests/suite/test_custom_annotations.py
+++ b/tests/suite/test_custom_annotations.py
@@ -1,5 +1,5 @@
 import pytest
-from settings import DEPLOYMENTS, TEST_DATA
+from settings import TEST_DATA
 from suite.fixtures.fixtures import PublicEndpoint
 from suite.utils.resources_utils import (
 create_items_from_yaml,
@@ -60,7 +60,7 @@ def fin():
 kube_apis.v1,
 ingress_controller_prerequisites.config_map["metadata"]["name"],
 ingress_controller_prerequisites.namespace,
- f"{DEPLOYMENTS}/common/nginx-config.yaml",
+ f"{TEST_DATA}/common/nginx-config.yaml",
 )
 delete_items_from_yaml(kube_apis, ing_src, test_namespace)
diff --git a/tests/suite/test_default_server.py b/tests/suite/test_default_server.py
index 31e5da5814..1a420fc604 100644
--- a/tests/suite/test_default_server.py
+++ b/tests/suite/test_default_server.py
@@ -3,7 +3,7 @@
 import pytest
 import requests
 from requests.exceptions import ConnectionError
-from settings import BASEDIR, DEPLOYMENTS, TEST_DATA
+from settings import BASEDIR, TEST_DATA
 from suite.utils.resources_utils import (
 create_secret_from_yaml,
 delete_secret,
diff --git a/tests/suite/test_transport_server_external_name.py b/tests/suite/test_transport_server_external_name.py
index f0f77a526b..fbd20a355a 100644
--- a/tests/suite/test_transport_server_external_name.py
+++ b/tests/suite/test_transport_server_external_name.py
@@ -1,5 +1,5 @@
 import pytest
-from settings import DEPLOYMENTS, TEST_DATA
+from settings import TEST_DATA
 from suite.utils.custom_assertions import assert_event
 from suite.utils.resources_utils import (
 create_items_from_yaml,
@@ -64,7 +64,7 @@ def fin():
 kube_apis.v1,
 config_map_name,
 ingress_controller_prerequisites.namespace,
- f"{DEPLOYMENTS}/common/nginx-config.yaml",
+ f"{TEST_DATA}/common/nginx-config.yaml",
 )
 request.addfinalizer(fin)
@@ -143,7 +143,7 @@ def test_event_warning(
 kube_apis.v1,
 ingress_controller_prerequisites.config_map["metadata"]["name"],
 ingress_controller_prerequisites.namespace,
- f"{DEPLOYMENTS}/common/nginx-config.yaml",
+ f"{TEST_DATA}/common/nginx-config.yaml",
 )
 wait_before_test(5)
 events = get_events(kube_apis.v1, transport_server_setup.namespace)
diff --git a/tests/suite/test_transport_server_service_insight.py b/tests/suite/test_transport_server_service_insight.py
index 9bda5959f3..b4b7ce4d17 100644
--- a/tests/suite/test_transport_server_service_insight.py
+++ b/tests/suite/test_transport_server_service_insight.py
@@ -3,7 +3,7 @@
 import pytest
 import requests
-from settings import DEPLOYMENTS, TEST_DATA
+from settings import TEST_DATA
 from suite.fixtures.fixtures import PublicEndpoint
 from suite.utils.custom_resources_utils import create_ts_from_yaml, delete_ts, read_ts
 from suite.utils.resources_utils import (
diff --git a/tests/suite/test_ts_tls_passthrough.py b/tests/suite/test_ts_tls_passthrough.py
index 14dd36fc67..8ce1ead4d2 100644
--- a/tests/suite/test_ts_tls_passthrough.py
+++ b/tests/suite/test_ts_tls_passthrough.py
@@ -1,7 +1,7 @@
 from pprint import pprint
 import pytest
-from settings import DEPLOYMENTS, TEST_DATA
+from settings import TEST_DATA
 from suite.fixtures.fixtures import PublicEndpoint
 from suite.utils.custom_resources_utils import create_ts_from_yaml, delete_ts, read_ts
 from suite.utils.resources_utils import (
@@ -174,7 +174,7 @@ def test_tls_passthrough_proxy_protocol_config(
 config = get_nginx_template_conf(kube_apis.v1, ingress_controller_prerequisites.namespace)
 assert f"listen {transport_server_tls_passthrough_setup.tls_passthrough_port} proxy_protocol;" in config
 assert f"listen [::]:{transport_server_tls_passthrough_setup.tls_passthrough_port} proxy_protocol;" in config
- std_cm_src = f"{DEPLOYMENTS}/common/nginx-config.yaml"
+ std_cm_src = f"{TEST_DATA}/common/nginx-config.yaml"
 replace_configmap_from_yaml(
 kube_apis.v1,
 ingress_controller_prerequisites.config_map["metadata"]["name"],
diff --git a/tests/suite/test_v_s_route_grpc.py b/tests/suite/test_v_s_route_grpc.py
index f30f26d3ae..eb369b016f 100644
--- a/tests/suite/test_v_s_route_grpc.py
+++ b/tests/suite/test_v_s_route_grpc.py
@@ -1,5 +1,5 @@
 import pytest
-from settings import DEPLOYMENTS, TEST_DATA
+from settings import TEST_DATA
 from suite.utils.custom_assertions import (
 assert_event_starts_with_text_and_contains_errors,
 assert_grpc_entries_exist,
@@ -48,7 +48,7 @@ def backend_setup(request, kube_apis, ingress_controller_prerequisites, test_nam
 kube_apis.v1,
 ingress_controller_prerequisites.config_map["metadata"]["name"],
 ingress_controller_prerequisites.namespace,
- f"{DEPLOYMENTS}/common/nginx-config.yaml",
+ f"{TEST_DATA}/common/nginx-config.yaml",
 )
 delete_common_app(kube_apis, app_name, test_namespace)
 pytest.fail(f"VSR GRPC setup failed")
@@ -60,7 +60,7 @@ def fin():
 kube_apis.v1,
 ingress_controller_prerequisites.config_map["metadata"]["name"],
 ingress_controller_prerequisites.namespace,
- f"{DEPLOYMENTS}/common/nginx-config.yaml",
+ f"{TEST_DATA}/common/nginx-config.yaml",
 )
 delete_common_app(kube_apis, app_name, test_namespace)
diff --git a/tests/suite/test_virtual_server.py b/tests/suite/test_virtual_server.py
index 4e96c764cf..daa379972a 100644
--- a/tests/suite/test_virtual_server.py
+++ b/tests/suite/test_virtual_server.py
@@ -1,5 +1,5 @@
 import pytest
-from settings import CRDS, DEPLOYMENTS, TEST_DATA
+from settings import CRDS, TEST_DATA
 from suite.utils.custom_assertions import wait_and_assert_status_code
 from suite.utils.custom_resources_utils import create_crd_from_yaml, delete_crd
 from suite.utils.resources_utils import (
@@ -143,7 +143,7 @@ def test_responses_after_rbac_misconfiguration_on_the_fly(
 wait_and_assert_status_code(200, virtual_server_setup.backend_2_url, virtual_server_setup.vs_host)
 print("Step 11: restore ClusterRole and check")
- patch_rbac(kube_apis.rbac_v1, f"{DEPLOYMENTS}/rbac/rbac.yaml")
+ patch_rbac(kube_apis.rbac_v1, f"{TEST_DATA}/rbac/rbac.yaml")
 wait_before_test(1)
 wait_and_assert_status_code(200, virtual_server_setup.backend_1_url, virtual_server_setup.vs_host)
 wait_and_assert_status_code(200, virtual_server_setup.backend_2_url, virtual_server_setup.vs_host)
@@ -225,6 +225,6 @@ def test_responses_after_rbac_misconfiguration(self, kube_apis, crd_ingress_cont
 wait_and_assert_status_code(404, virtual_server_setup.backend_2_url, virtual_server_setup.vs_host)
 print("Step 2: configure RBAC and check")
- patch_rbac(kube_apis.rbac_v1, f"{DEPLOYMENTS}/rbac/rbac.yaml")
+ patch_rbac(kube_apis.rbac_v1, f"{TEST_DATA}/rbac/rbac.yaml")
 wait_and_assert_status_code(200, virtual_server_setup.backend_1_url, virtual_server_setup.vs_host)
 wait_and_assert_status_code(200, virtual_server_setup.backend_2_url, virtual_server_setup.vs_host)
diff --git a/tests/suite/test_virtual_server_configmap_keys.py b/tests/suite/test_virtual_server_configmap_keys.py
index 1fe9ceb276..26644dbcd2 100644
--- a/tests/suite/test_virtual_server_configmap_keys.py
+++ b/tests/suite/test_virtual_server_configmap_keys.py
@@ -1,5 +1,5 @@
 import pytest
-from settings import DEPLOYMENTS, TEST_DATA
+from settings import TEST_DATA
 from suite.utils.resources_utils import (
 get_events,
 get_file_contents,
@@ -142,7 +142,7 @@ def fin():
 kube_apis.v1,
 ingress_controller_prerequisites.config_map["metadata"]["name"],
 ingress_controller_prerequisites.namespace,
- f"{DEPLOYMENTS}/common/nginx-config.yaml",
+ f"{TEST_DATA}/common/nginx-config.yaml",
 )
 request.addfinalizer(fin)
diff --git a/tests/suite/test_virtual_server_grpc.py b/tests/suite/test_virtual_server_grpc.py
index 36760127a1..f15106c606 100644
--- a/tests/suite/test_virtual_server_grpc.py
+++ b/tests/suite/test_virtual_server_grpc.py
@@ -1,6 +1,6 @@
 import grpc
 import pytest
-from settings import DEPLOYMENTS, TEST_DATA
+from settings import TEST_DATA
 from suite.grpc.helloworld_pb2 import HelloRequest
 from suite.grpc.helloworld_pb2_grpc import GreeterStub
 from suite.utils.custom_assertions import (
@@ -59,7 +59,7 @@ def backend_setup(request, kube_apis, ingress_controller_prerequisites, test_nam
 kube_apis.v1,
 ingress_controller_prerequisites.config_map["metadata"]["name"],
 ingress_controller_prerequisites.namespace,
- f"{DEPLOYMENTS}/common/nginx-config.yaml",
+ f"{TEST_DATA}/common/nginx-config.yaml",
 )
 delete_common_app(kube_apis, app_name, test_namespace)
 pytest.fail(f"VS GRPC setup failed")
@@ -72,7 +72,7 @@ def fin():
 kube_apis.v1,
 ingress_controller_prerequisites.config_map["metadata"]["name"],
 ingress_controller_prerequisites.namespace,
- f"{DEPLOYMENTS}/common/nginx-config.yaml",
+ f"{TEST_DATA}/common/nginx-config.yaml",
 )
 delete_common_app(kube_apis, app_name, test_namespace)
diff --git a/tests/suite/test_virtual_server_mixed_grpc.py b/tests/suite/test_virtual_server_mixed_grpc.py
index 267a9fb78f..d664f402b5 100644
--- a/tests/suite/test_virtual_server_mixed_grpc.py
+++ b/tests/suite/test_virtual_server_mixed_grpc.py
@@ -1,6 +1,6 @@
 import grpc
 import pytest
-from settings import DEPLOYMENTS, TEST_DATA
+from settings import TEST_DATA
 from suite.grpc.helloworld_pb2 import HelloRequest
 from suite.grpc.helloworld_pb2_grpc import GreeterStub
 from suite.utils.custom_assertions import (
@@ -54,7 +54,7 @@ def backend_setup(request, kube_apis, ingress_controller_prerequisites, test_nam
 kube_apis.v1,
 ingress_controller_prerequisites.config_map["metadata"]["name"],
 ingress_controller_prerequisites.namespace,
- f"{DEPLOYMENTS}/common/nginx-config.yaml",
+ f"{TEST_DATA}/common/nginx-config.yaml",
 )
 delete_common_app(kube_apis, app_name, test_namespace)
 pytest.fail(f"VS GRPC setup failed")
@@ -67,7 +67,7 @@ def fin():
 kube_apis.v1,
 ingress_controller_prerequisites.config_map["metadata"]["name"],
 ingress_controller_prerequisites.namespace,
- f"{DEPLOYMENTS}/common/nginx-config.yaml",
+ f"{TEST_DATA}/common/nginx-config.yaml",
 )
 delete_common_app(kube_apis, app_name, test_namespace)
diff --git a/tests/suite/utils/resources_utils.py b/tests/suite/utils/resources_utils.py
index 21c9a19297..0bc229b02b 100644
--- a/tests/suite/utils/resources_utils.py
+++ b/tests/suite/utils/resources_utils.py
@@ -12,7 +12,7 @@
 from kubernetes.client.rest import ApiException
 from kubernetes.stream import stream
 from more_itertools import first
-from settings import DEPLOYMENTS, PROJECT_ROOT, RECONFIGURATION_DELAY, TEST_DATA
+from settings import PROJECT_ROOT, RECONFIGURATION_DELAY, TEST_DATA
 from suite.utils.ssl_utils import create_sni_session
@@ -37,7 +37,7 @@ def configure_rbac(rbac_v1: RbacAuthorizationV1Api) -> RBACAuthorization:
 :param rbac_v1: RbacAuthorizationV1Api
 :return: RBACAuthorization
 """
- with open(f"{DEPLOYMENTS}/rbac/rbac.yaml") as f:
+ with open(f"{TEST_DATA}/rbac/rbac.yaml") as f:
 docs = yaml.safe_load_all(f)
 role_name = ""
 binding_name = ""
@@ -61,7 +61,7 @@ def configure_rbac_with_ap(rbac_v1: RbacAuthorizationV1Api) -> RBACAuthorization
 :param rbac_v1: RbacAuthorizationV1Api
 :return: RBACAuthorization
 """
- with open(f"{DEPLOYMENTS}/rbac/ap-rbac.yaml") as f:
+ with open(f"{TEST_DATA}/rbac/ap-rbac.yaml") as f:
 docs = yaml.safe_load_all(f)
 role_name = ""
 binding_name = ""
@@ -85,7 +85,7 @@ def configure_rbac_with_dos(rbac_v1: RbacAuthorizationV1Api) -> RBACAuthorizatio
 :param rbac_v1: RbacAuthorizationV1Api
 :return: RBACAuthorization
 """
- with open(f"{DEPLOYMENTS}/rbac/apdos-rbac.yaml") as f:
+ with open(f"{TEST_DATA}/rbac/apdos-rbac.yaml") as f:
 docs = yaml.safe_load_all(f)
 role_name = ""
 binding_name = ""
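Review bot: configure_rbac now creates the ClusterRole under test from `tests/data/rbac/rbac.yaml` instead of a shipped deployment manifest, and nothing in this change ties that file back to the Helm-rendered manifests the commit introduces under deploy/. If the tests/data copy is maintained by hand, a permission added to or removed from the chart is no longer exercised by the RBAC tests, and a stale test copy can equally hide an over-broad ClusterRole being shipped to users. A docstring line would at least make the coupling explicit: `Loads the suite's own copy of the RBAC manifest (tests/data/rbac/rbac.yaml); keep it in sync with the ClusterRole rendered from the Helm chart into deploy/.` The same concern applies to the `@@ -61` and `@@ -85` hunks (ap-rbac.yaml, apdos-rbac.yaml), to the controller manifest read in create_ingress_controller (`@@ -1138`), and to the patch_rbac restore calls in ic_fixtures.py and test_virtual_server.py. configure_rbac's body continues past this hunk.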
@@ -1138,7 +1138,7 @@ def create_ingress_controller(v1: CoreV1Api, apps_v1_api: AppsV1Api, cli_argumen
 :return: str
 """
 print(f"Create an Ingress Controller as {cli_arguments['ic-type']}")
- yaml_manifest = f"{DEPLOYMENTS}/{cli_arguments['deployment-type']}/{cli_arguments['ic-type']}.yaml"
+ yaml_manifest = f"{TEST_DATA}/{cli_arguments['deployment-type']}/{cli_arguments['ic-type']}.yaml"
 with open(yaml_manifest) as f:
 dep = yaml.safe_load(f)
 dep["spec"]["replicas"] = int(cli_arguments["replicas"])