From 9c87c5dc9268166910e92a0fef09643e7958637e Mon Sep 17 00:00:00 2001 From: Jonathan Hardison Date: Tue, 22 Oct 2024 00:26:04 -0500 Subject: [PATCH] batch update and push of couchdb --- .../couchdb/certificates/ingress-cert.yaml | 14 + apps/couchdb/couchdb/kustomization.yaml | 16 + apps/couchdb/couchdb/namespace.yaml | 9 + apps/couchdb/couchdb/op-secret.yaml | 7 + apps/couchdb/couchdb/values.yaml | 296 ++++++++ .../overlays/prod/kustomization.yaml | 2 +- core/ingress-nginx/overlays/prod/deploy.yaml | 666 ++++++++++++++++++ .../overlays/prod/kustomization.yaml | 11 + 8 files changed, 1020 insertions(+), 1 deletion(-) create mode 100644 apps/couchdb/couchdb/certificates/ingress-cert.yaml create mode 100644 apps/couchdb/couchdb/kustomization.yaml create mode 100644 apps/couchdb/couchdb/namespace.yaml create mode 100644 apps/couchdb/couchdb/op-secret.yaml create mode 100644 apps/couchdb/couchdb/values.yaml create mode 100644 core/ingress-nginx/overlays/prod/deploy.yaml create mode 100644 core/ingress-nginx/overlays/prod/kustomization.yaml diff --git a/apps/couchdb/couchdb/certificates/ingress-cert.yaml b/apps/couchdb/couchdb/certificates/ingress-cert.yaml new file mode 100644 index 0000000..1863cb1 --- /dev/null +++ b/apps/couchdb/couchdb/certificates/ingress-cert.yaml @@ -0,0 +1,14 @@ +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: couchdb-tls + namespace: couchdb +spec: + issuerRef: + name: lets-encrypt + kind: ClusterIssuer + group: cert-manager.io + secretName: couchdb-tls-cert + commonName: couchdb1.hhouse.us + dnsNames: + - couchdb1.hhouse.us \ No newline at end of file diff --git a/apps/couchdb/couchdb/kustomization.yaml b/apps/couchdb/couchdb/kustomization.yaml new file mode 100644 index 0000000..9bd0ff6 --- /dev/null +++ b/apps/couchdb/couchdb/kustomization.yaml 
@@ -0,0 +1,16 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +namespace: couchdb + +resources: + - namespace.yaml + - op-secret.yaml + - certificates/ingress-cert.yaml + +helmCharts: +- name: couchdb + repo: https://apache.github.io/couchdb-helm + releaseName: couchdb + namespace: couchdb + version: 4.5.3 + valuesFile: values.yaml \ No newline at end of file diff --git a/apps/couchdb/couchdb/namespace.yaml b/apps/couchdb/couchdb/namespace.yaml new file mode 100644 index 0000000..dc0d41c --- /dev/null +++ b/apps/couchdb/couchdb/namespace.yaml @@ -0,0 +1,9 @@ +apiVersion: v1 +kind: Namespace +metadata: + labels: + kubernetes.io/metadata.name: couchdb + istio-injection: enabled + annotations: + operator.1password.io/auto-restart: "true" + name: couchdb \ No newline at end of file diff --git a/apps/couchdb/couchdb/op-secret.yaml b/apps/couchdb/couchdb/op-secret.yaml new file mode 100644 index 0000000..8b6bb04 --- /dev/null +++ b/apps/couchdb/couchdb/op-secret.yaml @@ -0,0 +1,7 @@ +apiVersion: onepassword.com/v1 +kind: OnePasswordItem +metadata: + name: couchdb-couchdb #this name will also be used for naming the generated kubernetes secret + namespace: couchdb +spec: + itemPath: "vaults/k8s-prod/items/couchdb-secret" \ No newline at end of file diff --git a/apps/couchdb/couchdb/values.yaml b/apps/couchdb/couchdb/values.yaml new file mode 100644 index 0000000..a43147c --- /dev/null +++ b/apps/couchdb/couchdb/values.yaml 
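Review bot: The new `couchdb` Namespace sets `istio-injection: enabled` and the 1Password auto-restart annotation but carries no Pod Security Admission labels, so nothing prevents a privileged pod from being scheduled into the namespace that hosts the database. Consider adding `pod-security.kubernetes.io/enforce: baseline` and `pod-security.kubernetes.io/warn: restricted` under `metadata.labels`, and moving to `enforce: restricted` once the chart's `busybox` init container is confirmed to run unprivileged. Note also that `operator.1password.io/auto-restart: "true"` at namespace scope presumably means a rotation of the referenced 1Password item restarts the CouchDB workloads; that is probably intended, but a one-line comment recording it would avoid surprises during a credential rotation.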
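Review bot: With `createAdminSecret: false` in values.yaml the chart generates no credentials, so the Secret the operator materialises from `vaults/k8s-prod/items/couchdb-secret` must carry exactly the field names the chart reads — `adminUsername`, `adminPassword` and `cookieAuthSecret` according to the comment in values.yaml — and the generated Secret name `couchdb-couchdb` must equal `<releaseName>-couchdb`, which it does here. A wrong field name in the 1Password item only shows up as a crash-looping pod at first rollout, so I would document the contract next to the item: `# fields required by the couchdb chart with createAdminSecret: false: adminUsername, adminPassword, cookieAuthSecret`. If the chart version in use also expects an Erlang cookie key in this Secret, add it to the item explicitly rather than relying on a default, and make sure `cookieAuthSecret` is a long random value since it signs session cookies.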
@@ -0,0 +1,296 @@ +# -- the initial number of nodes in the CouchDB cluster. +clusterSize: 1 + +# -- If allowAdminParty is enabled the cluster will start up without any database +# administrator account; i.e., all users will be granted administrative +# access. Otherwise, the system will look for a Secret called +# -couchdb containing `adminUsername`, `adminPassword` and +# `cookieAuthSecret` keys. See the `createAdminSecret` flag. +# ref: https://kubernetes.io/docs/concepts/configuration/secret/ +allowAdminParty: false + +# Set it to true to automatically enable the cluster after installation. +# It will create a post-install job that will send the {"action": "finish_cluster"} +# message to CouchDB to finalize the cluster and add the defaultDatabases listed. +# Note that this job needs service.enabled to be set to true and if you use adminHash, +# a valid adminPassword in the secret. Also set the --wait flag when you install to +# avoid first jobs failure (helm install --wait ...) +autoSetup: + enabled: false + image: + repository: curlimages/curl + tag: latest + pullPolicy: Always + defaultDatabases: + - _global_changes + +# -- If createAdminSecret is enabled a Secret called -couchdb will +# be created containing auto-generated credentials. Users who prefer to set +# these values themselves have a couple of options: +# +# 1) The `adminUsername`, `adminPassword`, `adminHash`, and `cookieAuthSecret` +# can be defined directly in the chart's values. Note that all of a chart's +# values are currently stored in plaintext in a ConfigMap in the tiller +# namespace. +# +# 2) This flag can be disabled and a Secret with the required keys can be +# created ahead of time. 
+createAdminSecret: false + +#adminUsername: admin +# adminPassword: this_is_not_secure +# adminHash: -pbkdf2-this_is_not_necessarily_secure_either +# cookieAuthSecret: neither_is_this + +## When enabled, will deploy a networkpolicy that allows CouchDB pods to +## communicate with each other for clustering and ingress on port 5984 +networkPolicy: + enabled: true + +## Use an alternate scheduler, e.g. "stork". +## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ +## +# schedulerName: + +# Use a service account +serviceAccount: + enabled: true + create: true +# name: + +# imagePullSecrets: +# - name: myimagepullsecret + +# -- The storage volume used by each Pod in the StatefulSet. If a +# persistentVolume is not enabled, the Pods will use `emptyDir` ephemeral +# local storage. Setting the storageClass attribute to "-" disables dynamic +# provisioning of Persistent Volumes; leaving it unset will invoke the default +# provisioner. +persistentVolume: + enabled: true + # NOTE: the number of existing claims must match the cluster size + existingClaims: [] + annotations: {} + accessModes: + - ReadWriteOnce + size: 10Gi + #storageClass: "-" + +# Experimental - FEATURE STATE: Kubernetes v1.27 [beta] +# Field controls if and how PVCs are deleted during the lifecycle +# of a StatefulSet +# ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#persistentvolumeclaim-retention +persistentVolumeClaimRetentionPolicy: + enabled: false + whenScaled: Retain + whenDeleted: Retain + +## The CouchDB image +image: + repository: couchdb + tag: 3.3.3 + pullPolicy: IfNotPresent + +## Experimental integration with Lucene-powered fulltext search +searchImage: + repository: kocolosk/couchdb-search + tag: 0.2.0 + pullPolicy: IfNotPresent + +# -- Flip this to flag to include the Search container in each Pod +enableSearch: false + +initImage: + repository: busybox + tag: latest + pullPolicy: Always + +## CouchDB is happy to spin up 
cluster nodes in parallel, but if you encounter +## problems you can try setting podManagementPolicy to the StatefulSet default +## `OrderedReady` +podManagementPolicy: Parallel + +## To better tolerate Node failures, we can prevent Kubernetes scheduler from +## assigning more than one Pod of CouchDB StatefulSet per Node using podAntiAffinity. +affinity: {} + # podAntiAffinity: + # requiredDuringSchedulingIgnoredDuringExecution: + # - labelSelector: + # matchExpressions: + # - key: "app" + # operator: In + # values: + # - couchdb + # topologyKey: "kubernetes.io/hostname" + +## To control how Pods are spread across your cluster among failure-domains such as regions, +## zones, nodes, and other user-defined topology domains use topologySpreadConstraints. +topologySpreadConstraints: {} + # topologySpreadConstraints: + # - maxSkew: 1 + # topologyKey: "topology.kubernetes.io/zone" + # whenUnsatisfiable: ScheduleAnyway + # labelSelector: + # matchLabels: + # app: couchdb + +## Optional pod labels +labels: {} + +## Optional pod annotations +annotations: {} + +## Optional tolerations +tolerations: [] + +## A StatefulSet requires a headless Service to establish the stable network +## identities of the Pods, and that Service is created automatically by this +## chart without any additional configuration. The Service block below refers +## to a second Service that governs how clients connect to the CouchDB cluster. +service: + annotations: {} + enabled: true + type: ClusterIP + externalPort: 5984 + targetPort: 5984 + labels: {} + extraPorts: [] + # - name: sqs + # port: 4984 + # targetPort: 4984 + # protocol: TCP + +## If you need to expose any additional ports on the CouchDB container, for example +## if you're running CouchDB container with additional processes that need to +## be accessible outside of the pod, you can define them here. 
+extraPorts: [] + # - name: sqs + # containerPort: 4984 + +## An Ingress resource can provide name-based virtual hosting and TLS +## termination among other things for CouchDB deployments which are accessed +## from outside the Kubernetes cluster. +## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/ +ingress: + enabled: true + className: nginx + hosts: + - couchdb1.hhouse.us + path: / + annotations: {} + # kubernetes.io/ingress.class: nginx + # kubernetes.io/tls-acme: "true" + tls: + # Secrets must be manually created in the namespace. + - secretName: couchdb-tls-cert + hosts: + - couchdb1.hhouse.u + +## Optional resource requests and limits for the CouchDB container +## ref: http://kubernetes.io/docs/user-guide/compute-resources/ +resources: {} + # requests: + # cpu: 100m + # memory: 128Mi + # limits: + # cpu: 56 + # memory: 256Gi + +## Optional resource requests and limits for the CouchDB init container +## ref: http://kubernetes.io/docs/user-guide/compute-resources/ +initResources: {} + # requests: + # cpu: 100m + # memory: 128Mi + # limits: + # cpu: 500m + # memory: 128Mi + +# -- erlangFlags is a map that is passed to the Erlang VM as flags using the +# ERL_FLAGS env. The `name` flag is required to establish connectivity +# between cluster nodes. +# ref: http://erlang.org/doc/man/erl.html#init_flags +erlangFlags: + name: couchdb + # Older versions of the official CouchDB image (anything prior to 3.2.1) + # do not act on the COUCHDB_ERLANG_COOKIE environment variable, so if you + # want to cluster these deployments it's necessary to pass in a cookie here + # setcookie: make-something-up + +# -- couchdbConfig will override default CouchDB configuration settings. +# The contents of this map are reformatted into a .ini file laid down +# by a ConfigMap object. 
+# ref: http://docs.couchdb.org/en/latest/config/index.html +couchdbConfig: + couchdb: + uuid: 97438a660ff144ef9613d06f9e65a68b # Unique identifier for this CouchDB server instance + # cluster: + # q: 8 # Create 8 shards for each database + chttpd: + bind_address: any + # chttpd.require_valid_user disables all the anonymous requests to the port + # 5984 when is set to true. + require_valid_user: false + # required to use Fauxton if chttpd.require_valid_user is set to true + # httpd: + # WWW-Authenticate: "Basic realm=\"administrator\"" + +# Kubernetes local cluster domain. +# This is used to generate FQDNs for peers when joining the CouchDB cluster. +dns: + clusterDomainSuffix: cluster.local + +## Configure liveness and readiness probe values +## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes +livenessProbe: + enabled: true + failureThreshold: 3 + initialDelaySeconds: 0 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 +readinessProbe: + enabled: true + failureThreshold: 3 + initialDelaySeconds: 0 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + +# Control an optional pod disruption budget +podDisruptionBudget: + # toggle creation of pod disruption budget, disabled by default + enabled: false + # minAvailable: 1 + maxUnavailable: 1 + +# CouchDB 3.2.0 adds in a metrics endpoint on the path `/_node/_local/_prometheus`. +# Optionally, a standalone, unauthenticated port can be exposed for these metrics. 
+prometheusPort: + enabled: false + bind_address: "0.0.0.0" + port: 17986 + +# Configure arbitrary sidecar containers for CouchDB pods created by the +# StatefulSet +sidecars: {} + # - name: foo + # image: "busybox" + # imagePullPolicy: IfNotPresent + # resources: + # requests: + # cpu: "0.1" + # memory: 10Mi + # command: ['echo "foo";'] + # volumeMounts: + # - name: database-storage + # mountPath: /opt/couchdb/data/ + +# Placement manager to annotate each document in the nodes DB with "zone" attribute +# recording the zone where node has been scheduled +# Ref: https://docs.couchdb.org/en/stable/cluster/sharding.html#specifying-database-placement +placementConfig: + enabled: false + image: + repository: caligrafix/couchdb-autoscaler-placement-manager + tag: 0.1.0 diff --git a/core/cert-manager/overlays/prod/kustomization.yaml b/core/cert-manager/overlays/prod/kustomization.yaml index a12a30d..dab1b73 100644 --- a/core/cert-manager/overlays/prod/kustomization.yaml +++ b/core/cert-manager/overlays/prod/kustomization.yaml @@ -3,7 +3,7 @@ kind: Kustomization #namespace: cert-manager resources: - - https://github.com/cert-manager/cert-manager/releases/download/v1.15.3/cert-manager.yaml + - https://github.com/cert-manager/cert-manager/releases/download/v1.16.1/cert-manager.yaml - hhouse-cloudflare-api-token-secret_secrets.yaml - hhouse-clusterissuer.yaml - hhouse-lets-encrypt-priviate-key_secrets.yaml diff --git a/core/ingress-nginx/overlays/prod/deploy.yaml b/core/ingress-nginx/overlays/prod/deploy.yaml new file mode 100644 index 0000000..bf86948 --- /dev/null +++ b/core/ingress-nginx/overlays/prod/deploy.yaml 
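Review bot: The `ingress.tls` host list reads `couchdb1.hhouse.u`, which matches neither `ingress.hosts` nor the `dnsNames` on the cert-manager Certificate (`couchdb1.hhouse.us`); ingress-nginx will most likely not associate `couchdb-tls-cert` with the real hostname and will serve its default self-signed certificate instead of the Let's Encrypt one, so change that line to `- couchdb1.hhouse.us`. Separately, `chttpd.require_valid_user: false` keeps anonymous requests enabled (the inline comment states that `true` disables them), so `/_session`, `/_up` and the Fauxton static files are reachable by anything that can hit the ingress VIP; unless anonymous access is needed, set `require_valid_user: true` together with the commented `httpd.WWW-Authenticate` line, or at least add `nginx.ingress.kubernetes.io/whitelist-source-range` to `ingress.annotations` for the networks that should reach it. Finally, `initImage` uses `busybox:latest` with `pullPolicy: Always`, so every pod restart may pull a different image into the data path; pin a tag (ideally a digest) the way the CouchDB image is pinned to `3.3.3`.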
@@ -0,0 +1,666 @@ +apiVersion: v1 +kind: Namespace +metadata: + labels: + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx + name: ingress-nginx +--- +apiVersion: v1 +automountServiceAccountToken: true +kind: ServiceAccount +metadata: + labels: + app.kubernetes.io/component: controller + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/version: 1.12.0-beta.0 + name: ingress-nginx + namespace: ingress-nginx +--- +apiVersion: v1 +automountServiceAccountToken: true +kind: ServiceAccount +metadata: + labels: + app.kubernetes.io/component: admission-webhook + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/version: 1.12.0-beta.0 + name: ingress-nginx-admission + namespace: ingress-nginx +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + labels: + app.kubernetes.io/component: controller + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/version: 1.12.0-beta.0 + name: ingress-nginx + namespace: ingress-nginx +rules: +- apiGroups: + - "" + resources: + - namespaces + verbs: + - get +- apiGroups: + - "" + resources: + - configmaps + - pods + - secrets + - endpoints + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - services + verbs: + - get + - list + - watch +- apiGroups: + - networking.k8s.io + resources: + - ingresses + verbs: + - get + - list + - watch +- apiGroups: + - networking.k8s.io + resources: + - ingresses/status + verbs: + - update +- apiGroups: + - networking.k8s.io + resources: + - ingressclasses + verbs: + - get + - list + - watch +- apiGroups: + - coordination.k8s.io + resourceNames: + - ingress-nginx-leader + resources: + - leases + verbs: + - get + - update +- apiGroups: + - coordination.k8s.io + 
resources: + - leases + verbs: + - create +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +- apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - list + - watch + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + labels: + app.kubernetes.io/component: admission-webhook + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/version: 1.12.0-beta.0 + name: ingress-nginx-admission + namespace: ingress-nginx +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - create +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/version: 1.12.0-beta.0 + name: ingress-nginx +rules: +- apiGroups: + - "" + resources: + - configmaps + - endpoints + - nodes + - pods + - secrets + - namespaces + verbs: + - list + - watch +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - list + - watch +- apiGroups: + - "" + resources: + - nodes + verbs: + - get +- apiGroups: + - "" + resources: + - services + verbs: + - get + - list + - watch +- apiGroups: + - networking.k8s.io + resources: + - ingresses + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +- apiGroups: + - networking.k8s.io + resources: + - ingresses/status + verbs: + - update +- apiGroups: + - networking.k8s.io + resources: + - ingressclasses + verbs: + - get + - list + - watch +- apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - list + - watch + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/component: admission-webhook + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: 
ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/version: 1.12.0-beta.0 + name: ingress-nginx-admission +rules: +- apiGroups: + - admissionregistration.k8s.io + resources: + - validatingwebhookconfigurations + verbs: + - get + - update +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + app.kubernetes.io/component: controller + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/version: 1.12.0-beta.0 + name: ingress-nginx + namespace: ingress-nginx +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: ingress-nginx +subjects: +- kind: ServiceAccount + name: ingress-nginx + namespace: ingress-nginx +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + app.kubernetes.io/component: admission-webhook + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/version: 1.12.0-beta.0 + name: ingress-nginx-admission + namespace: ingress-nginx +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: ingress-nginx-admission +subjects: +- kind: ServiceAccount + name: ingress-nginx-admission + namespace: ingress-nginx +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/version: 1.12.0-beta.0 + name: ingress-nginx +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: ingress-nginx +subjects: +- kind: ServiceAccount + name: ingress-nginx + namespace: ingress-nginx +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app.kubernetes.io/component: admission-webhook + app.kubernetes.io/instance: ingress-nginx + 
app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/version: 1.12.0-beta.0 + name: ingress-nginx-admission +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: ingress-nginx-admission +subjects: +- kind: ServiceAccount + name: ingress-nginx-admission + namespace: ingress-nginx +--- +apiVersion: v1 +data: null +kind: ConfigMap +metadata: + labels: + app.kubernetes.io/component: controller + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/version: 1.12.0-beta.0 + name: ingress-nginx-controller + namespace: ingress-nginx +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app.kubernetes.io/component: controller + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/version: 1.12.0-beta.0 + name: ingress-nginx-controller + namespace: ingress-nginx +spec: + externalTrafficPolicy: Local + ipFamilies: + - IPv4 + ipFamilyPolicy: SingleStack + ports: + - appProtocol: http + name: http + port: 80 + protocol: TCP + targetPort: http + - appProtocol: https + name: https + port: 443 + protocol: TCP + targetPort: https + selector: + app.kubernetes.io/component: controller + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx + type: LoadBalancer + loadBalancerIP: 192.168.5.211 +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app.kubernetes.io/component: controller + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/version: 1.12.0-beta.0 + name: ingress-nginx-controller-admission + namespace: ingress-nginx +spec: + ports: + - appProtocol: https + name: https-webhook + port: 443 + targetPort: webhook + selector: + app.kubernetes.io/component: controller + app.kubernetes.io/instance: 
ingress-nginx + app.kubernetes.io/name: ingress-nginx + type: ClusterIP +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app.kubernetes.io/component: controller + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/version: 1.12.0-beta.0 + name: ingress-nginx-controller + namespace: ingress-nginx +spec: + minReadySeconds: 0 + revisionHistoryLimit: 10 + selector: + matchLabels: + app.kubernetes.io/component: controller + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx + strategy: + rollingUpdate: + maxUnavailable: 1 + type: RollingUpdate + template: + metadata: + labels: + app.kubernetes.io/component: controller + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/version: 1.12.0-beta.0 + spec: + containers: + - args: + - /nginx-ingress-controller + - --publish-service=$(POD_NAMESPACE)/ingress-nginx-controller + - --election-id=ingress-nginx-leader + - --controller-class=k8s.io/ingress-nginx + - --ingress-class=nginx + - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller + - --validating-webhook=:8443 + - --validating-webhook-certificate=/usr/local/certificates/cert + - --validating-webhook-key=/usr/local/certificates/key + env: + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: LD_PRELOAD + value: /usr/local/lib/libmimalloc.so + image: registry.k8s.io/ingress-nginx/controller:v1.12.0-beta.0@sha256:9724476b928967173d501040631b23ba07f47073999e80e34b120e8db5f234d5 + imagePullPolicy: IfNotPresent + lifecycle: + preStop: + exec: + command: + - /wait-shutdown + livenessProbe: + failureThreshold: 5 + httpGet: + path: /healthz + port: 10254 + scheme: HTTP + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + 
timeoutSeconds: 1 + name: controller + ports: + - containerPort: 80 + name: http + protocol: TCP + - containerPort: 443 + name: https + protocol: TCP + - containerPort: 8443 + name: webhook + protocol: TCP + readinessProbe: + failureThreshold: 3 + httpGet: + path: /healthz + port: 10254 + scheme: HTTP + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + resources: + requests: + cpu: 100m + memory: 90Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - NET_BIND_SERVICE + drop: + - ALL + readOnlyRootFilesystem: false + runAsGroup: 82 + runAsNonRoot: true + runAsUser: 101 + seccompProfile: + type: RuntimeDefault + volumeMounts: + - mountPath: /usr/local/certificates/ + name: webhook-cert + readOnly: true + dnsPolicy: ClusterFirst + nodeSelector: + kubernetes.io/os: linux + serviceAccountName: ingress-nginx + terminationGracePeriodSeconds: 300 + volumes: + - name: webhook-cert + secret: + secretName: ingress-nginx-admission +--- +apiVersion: batch/v1 +kind: Job +metadata: + labels: + app.kubernetes.io/component: admission-webhook + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/version: 1.12.0-beta.0 + name: ingress-nginx-admission-create + namespace: ingress-nginx +spec: + template: + metadata: + labels: + app.kubernetes.io/component: admission-webhook + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/version: 1.12.0-beta.0 + name: ingress-nginx-admission-create + spec: + containers: + - args: + - create + - --host=ingress-nginx-controller-admission,ingress-nginx-controller-admission.$(POD_NAMESPACE).svc + - --namespace=$(POD_NAMESPACE) + - --secret-name=ingress-nginx-admission + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + image: 
registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.4.4@sha256:a9f03b34a3cbfbb26d103a14046ab2c5130a80c3d69d526ff8063d2b37b9fd3f + imagePullPolicy: IfNotPresent + name: create + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsGroup: 65532 + runAsNonRoot: true + runAsUser: 65532 + seccompProfile: + type: RuntimeDefault + nodeSelector: + kubernetes.io/os: linux + restartPolicy: OnFailure + serviceAccountName: ingress-nginx-admission +--- +apiVersion: batch/v1 +kind: Job +metadata: + labels: + app.kubernetes.io/component: admission-webhook + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/version: 1.12.0-beta.0 + name: ingress-nginx-admission-patch + namespace: ingress-nginx +spec: + template: + metadata: + labels: + app.kubernetes.io/component: admission-webhook + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/version: 1.12.0-beta.0 + name: ingress-nginx-admission-patch + spec: + containers: + - args: + - patch + - --webhook-name=ingress-nginx-admission + - --namespace=$(POD_NAMESPACE) + - --patch-mutating=false + - --secret-name=ingress-nginx-admission + - --patch-failure-policy=Fail + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.4.4@sha256:a9f03b34a3cbfbb26d103a14046ab2c5130a80c3d69d526ff8063d2b37b9fd3f + imagePullPolicy: IfNotPresent + name: patch + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsGroup: 65532 + runAsNonRoot: true + runAsUser: 65532 + seccompProfile: + type: RuntimeDefault + nodeSelector: + kubernetes.io/os: linux + restartPolicy: OnFailure + serviceAccountName: ingress-nginx-admission +--- +apiVersion: 
networking.k8s.io/v1 +kind: IngressClass +metadata: + labels: + app.kubernetes.io/component: controller + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/version: 1.12.0-beta.0 + name: nginx +spec: + controller: k8s.io/ingress-nginx +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + labels: + app.kubernetes.io/component: admission-webhook + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/version: 1.12.0-beta.0 + name: ingress-nginx-admission +webhooks: +- admissionReviewVersions: + - v1 + clientConfig: + service: + name: ingress-nginx-controller-admission + namespace: ingress-nginx + path: /networking/v1/ingresses + port: 443 + failurePolicy: Fail + matchPolicy: Equivalent + name: validate.nginx.ingress.kubernetes.io + rules: + - apiGroups: + - networking.k8s.io + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + resources: + - ingresses + sideEffects: None \ No newline at end of file diff --git a/core/ingress-nginx/overlays/prod/kustomization.yaml b/core/ingress-nginx/overlays/prod/kustomization.yaml new file mode 100644 index 0000000..54b6d49 --- /dev/null +++ b/core/ingress-nginx/overlays/prod/kustomization.yaml @@ -0,0 +1,11 @@ +# NOTE: kustomize is not supported. This file exists only to be able to reference it from bases. +# https://kubectl.docs.kubernetes.io/references/kustomize/bases/ +# +# ``` +# namespace: ingress-nginx +# bases: +# - github.com/kubernetes/ingress-nginx/tree/main/deploy/static/provider/baremetal +# ``` + +resources: + - deploy.yaml \ No newline at end of file
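Review bot: The prod overlay vendors ingress-nginx at `1.12.0-beta.0` (controller image `v1.12.0-beta.0`, pinned by digest), so the cluster's edge proxy will sit on a pre-release until someone bumps the digest; a header comment recording the upstream source and the reason for choosing a beta would help the next reviewer, e.g. `# vendored from ingress-nginx deploy/static/provider/baremetal at v1.12.0-beta.0; local change: Service type LoadBalancer + loadBalancerIP`. The only local edit I can see is `type: LoadBalancer` with `loadBalancerIP: 192.168.5.211`; that field has been deprecated since Kubernetes 1.24 and its handling is implementation-specific, so if the address comes from MetalLB or a similar provider, prefer that provider's Service annotation so the pin survives a future apiserver upgrade. The upstream manifest keeps `readOnlyRootFilesystem: false` and `automountServiceAccountToken: true` on the controller; both are upstream defaults rather than something this commit introduces, so no change requested for them here.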
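Review bot: The header comment in the new overlay kustomization is copied from upstream and now contradicts the file: it says kustomize is not supported and the file exists only to be referenced from bases, yet this is a kustomization that applies the vendored `deploy.yaml`. Replace it with a comment that describes the actual arrangement, e.g. `# Prod overlay: applies a vendored copy of the upstream ingress-nginx baremetal manifest (deploy.yaml). To upgrade, re-download the upstream file and re-apply the local Service changes.` Recording the upstream version here as well would make it easier to keep the overlay and the vendored manifest in sync.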