--- /dev/null
+
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: ingress-nginx
+ labels:
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/instance: ingress-nginx
+
+---
+# Source: ingress-nginx/templates/controller-serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ labels:
+ helm.sh/chart: ingress-nginx-4.0.15
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/instance: ingress-nginx
+ app.kubernetes.io/version: 1.1.1
+ app.kubernetes.io/component: controller
+ name: ingress-nginx
+ namespace: ingress-nginx
+automountServiceAccountToken: true
+---
+# Source: ingress-nginx/templates/controller-configmap.yaml
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ labels:
+ helm.sh/chart: ingress-nginx-4.0.15
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/instance: ingress-nginx
+ app.kubernetes.io/version: 1.1.1
+ app.kubernetes.io/component: controller
+ name: ingress-nginx-controller
+ namespace: ingress-nginx
+data:
+ allow-snippet-annotations: 'true'
+---
+# Source: ingress-nginx/templates/clusterrole.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ labels:
+ helm.sh/chart: ingress-nginx-4.0.15
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/instance: ingress-nginx
+ app.kubernetes.io/version: 1.1.1
+ name: ingress-nginx
+rules:
+ - apiGroups:
+ - ''
+ resources:
+ - configmaps
+ - endpoints
+ - nodes
+ - pods
+ - secrets
+ - namespaces
+ verbs:
+ - list
+ - watch
+ - apiGroups:
+ - ''
+ resources:
+ - nodes
+ verbs:
+ - get
+ - apiGroups:
+ - ''
+ resources:
+ - services
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - networking.k8s.io
+ resources:
+ - ingresses
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - ''
+ resources:
+ - events
+ verbs:
+ - create
+ - patch
+ - apiGroups:
+ - networking.k8s.io
+ resources:
+ - ingresses/status
+ verbs:
+ - update
+ - apiGroups:
+ - networking.k8s.io
+ resources:
+ - ingressclasses
+ verbs:
+ - get
+ - list
+ - watch
+---
+# Source: ingress-nginx/templates/clusterrolebinding.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ labels:
+ helm.sh/chart: ingress-nginx-4.0.15
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/instance: ingress-nginx
+ app.kubernetes.io/version: 1.1.1
+ name: ingress-nginx
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: ingress-nginx
+subjects:
+ - kind: ServiceAccount
+ name: ingress-nginx
+ namespace: ingress-nginx
+---
+# Source: ingress-nginx/templates/controller-role.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ labels:
+ helm.sh/chart: ingress-nginx-4.0.15
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/instance: ingress-nginx
+ app.kubernetes.io/version: 1.1.1
+ app.kubernetes.io/component: controller
+ name: ingress-nginx
+ namespace: ingress-nginx
+rules:
+ - apiGroups:
+ - ''
+ resources:
+ - namespaces
+ verbs:
+ - get
+ - apiGroups:
+ - ''
+ resources:
+ - configmaps
+ - pods
+ - secrets
+ - endpoints
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - ''
+ resources:
+ - services
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - networking.k8s.io
+ resources:
+ - ingresses
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - networking.k8s.io
+ resources:
+ - ingresses/status
+ verbs:
+ - update
+ - apiGroups:
+ - networking.k8s.io
+ resources:
+ - ingressclasses
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - ''
+ resources:
+ - configmaps
+ resourceNames:
+ - ingress-controller-leader
+ verbs:
+ - get
+ - update
+ - apiGroups:
+ - ''
+ resources:
+ - configmaps
+ verbs:
+ - create
+ - apiGroups:
+ - ''
+ resources:
+ - events
+ verbs:
+ - create
+ - patch
+---
+# Source: ingress-nginx/templates/controller-rolebinding.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ labels:
+ helm.sh/chart: ingress-nginx-4.0.15
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/instance: ingress-nginx
+ app.kubernetes.io/version: 1.1.1
+ app.kubernetes.io/component: controller
+ name: ingress-nginx
+ namespace: ingress-nginx
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: ingress-nginx
+subjects:
+ - kind: ServiceAccount
+ name: ingress-nginx
+ namespace: ingress-nginx
+---
+# Source: ingress-nginx/templates/controller-service-webhook.yaml
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ helm.sh/chart: ingress-nginx-4.0.15
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/instance: ingress-nginx
+ app.kubernetes.io/version: 1.1.1
+ app.kubernetes.io/component: controller
+ name: ingress-nginx-controller-admission
+ namespace: ingress-nginx
+spec:
+ type: ClusterIP
+ ports:
+ - name: https-webhook
+ port: 443
+ targetPort: webhook
+ appProtocol: https
+ selector:
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/instance: ingress-nginx
+ app.kubernetes.io/component: controller
+---
+# Source: ingress-nginx/templates/controller-service.yaml
+apiVersion: v1
+kind: Service
+metadata:
+ annotations:
+ labels:
+ helm.sh/chart: ingress-nginx-4.0.15
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/instance: ingress-nginx
+ app.kubernetes.io/version: 1.1.1
+ app.kubernetes.io/component: controller
+ name: ingress-nginx-controller
+ namespace: ingress-nginx
+spec:
+ type: NodePort
+ ipFamilyPolicy: SingleStack
+ ipFamilies:
+ - IPv4
+ ports:
+ - name: http
+ port: 80
+ nodePort: 30080
+ protocol: TCP
+ targetPort: http
+ appProtocol: http
+ - name: https
+ port: 443
+ nodePort: 30433
+ protocol: TCP
+ targetPort: https
+ appProtocol: https
+ selector:
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/instance: ingress-nginx
+ app.kubernetes.io/component: controller
+---
+# Source: ingress-nginx/templates/controller-deployment.yaml
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ helm.sh/chart: ingress-nginx-4.0.15
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/instance: ingress-nginx
+ app.kubernetes.io/version: 1.1.1
+ app.kubernetes.io/component: controller
+ name: ingress-nginx-controller
+ namespace: ingress-nginx
+spec:
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/instance: ingress-nginx
+ app.kubernetes.io/component: controller
+ revisionHistoryLimit: 10
+ minReadySeconds: 0
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/instance: ingress-nginx
+ app.kubernetes.io/component: controller
+ spec:
+ dnsPolicy: ClusterFirst
+ containers:
+ - name: controller
+ image: "{{ ingress_repo_url }}/controller:{{ ingress_nginx_version }}"
+ imagePullPolicy: IfNotPresent
+ lifecycle:
+ preStop:
+ exec:
+ command:
+ - /wait-shutdown
+ args:
+ - /nginx-ingress-controller
+ - --election-id=ingress-controller-leader
+ - --controller-class=k8s.io/ingress-nginx
+ - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
+ - --validating-webhook=:8443
+ - --validating-webhook-certificate=/usr/local/certificates/cert
+ - --validating-webhook-key=/usr/local/certificates/key
+ securityContext:
+ capabilities:
+ drop:
+ - ALL
+ add:
+ - NET_BIND_SERVICE
+ runAsUser: 101
+ allowPrivilegeEscalation: true
+ env:
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.name
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ - name: LD_PRELOAD
+ value: /usr/local/lib/libmimalloc.so
+ livenessProbe:
+ failureThreshold: 5
+ httpGet:
+ path: /healthz
+ port: 10254
+ scheme: HTTP
+ initialDelaySeconds: 10
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 1
+ readinessProbe:
+ failureThreshold: 3
+ httpGet:
+ path: /healthz
+ port: 10254
+ scheme: HTTP
+ initialDelaySeconds: 10
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 1
+ ports:
+ - name: http
+ containerPort: 80
+ protocol: TCP
+ - name: https
+ containerPort: 443
+ protocol: TCP
+ - name: webhook
+ containerPort: 8443
+ protocol: TCP
+ volumeMounts:
+ - name: webhook-cert
+ mountPath: /usr/local/certificates/
+ readOnly: true
+ resources:
+ requests:
+ cpu: 100m
+ memory: 90Mi
+ nodeSelector:
+ kubernetes.io/os: linux
+ serviceAccountName: ingress-nginx
+ terminationGracePeriodSeconds: 300
+ volumes:
+ - name: webhook-cert
+ secret:
+ secretName: ingress-nginx-admission
+---
+# Source: ingress-nginx/templates/controller-ingressclass.yaml
+# We don't support namespaced ingressClass yet
+# So a ClusterRole and a ClusterRoleBinding is required
+apiVersion: networking.k8s.io/v1
+kind: IngressClass
+metadata:
+ labels:
+ helm.sh/chart: ingress-nginx-4.0.15
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/instance: ingress-nginx
+ app.kubernetes.io/version: 1.1.1
+ app.kubernetes.io/component: controller
+ name: nginx
+ namespace: ingress-nginx
+spec:
+ controller: k8s.io/ingress-nginx
+---
+# Source: ingress-nginx/templates/admission-webhooks/validating-webhook.yaml
+# before changing this value, check the required kubernetes version
+# https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#prerequisites
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+ labels:
+ helm.sh/chart: ingress-nginx-4.0.15
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/instance: ingress-nginx
+ app.kubernetes.io/version: 1.1.1
+ app.kubernetes.io/component: admission-webhook
+ name: ingress-nginx-admission
+webhooks:
+ - name: validate.nginx.ingress.kubernetes.io
+ matchPolicy: Equivalent
+ rules:
+ - apiGroups:
+ - networking.k8s.io
+ apiVersions:
+ - v1
+ operations:
+ - CREATE
+ - UPDATE
+ resources:
+ - ingresses
+ failurePolicy: Fail
+ sideEffects: None
+ admissionReviewVersions:
+ - v1
+ clientConfig:
+ service:
+ namespace: ingress-nginx
+ name: ingress-nginx-controller-admission
+ path: /networking/v1/ingresses
+---
+# Source: ingress-nginx/templates/admission-webhooks/job-patch/serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: ingress-nginx-admission
+ namespace: ingress-nginx
+ annotations:
+ helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+ helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+ labels:
+ helm.sh/chart: ingress-nginx-4.0.15
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/instance: ingress-nginx
+ app.kubernetes.io/version: 1.1.1
+ app.kubernetes.io/component: admission-webhook
+---
+# Source: ingress-nginx/templates/admission-webhooks/job-patch/clusterrole.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: ingress-nginx-admission
+ annotations:
+ helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+ helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+ labels:
+ helm.sh/chart: ingress-nginx-4.0.15
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/instance: ingress-nginx
+ app.kubernetes.io/version: 1.1.1
+ app.kubernetes.io/component: admission-webhook
+rules:
+ - apiGroups:
+ - admissionregistration.k8s.io
+ resources:
+ - validatingwebhookconfigurations
+ verbs:
+ - get
+ - update
+---
+# Source: ingress-nginx/templates/admission-webhooks/job-patch/clusterrolebinding.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: ingress-nginx-admission
+ annotations:
+ helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+ helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+ labels:
+ helm.sh/chart: ingress-nginx-4.0.15
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/instance: ingress-nginx
+ app.kubernetes.io/version: 1.1.1
+ app.kubernetes.io/component: admission-webhook
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: ingress-nginx-admission
+subjects:
+ - kind: ServiceAccount
+ name: ingress-nginx-admission
+ namespace: ingress-nginx
+---
+# Source: ingress-nginx/templates/admission-webhooks/job-patch/role.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: ingress-nginx-admission
+ namespace: ingress-nginx
+ annotations:
+ helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+ helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+ labels:
+ helm.sh/chart: ingress-nginx-4.0.15
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/instance: ingress-nginx
+ app.kubernetes.io/version: 1.1.1
+ app.kubernetes.io/component: admission-webhook
+rules:
+ - apiGroups:
+ - ''
+ resources:
+ - secrets
+ verbs:
+ - get
+ - create
+---
+# Source: ingress-nginx/templates/admission-webhooks/job-patch/rolebinding.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: ingress-nginx-admission
+ namespace: ingress-nginx
+ annotations:
+ helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+ helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+ labels:
+ helm.sh/chart: ingress-nginx-4.0.15
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/instance: ingress-nginx
+ app.kubernetes.io/version: 1.1.1
+ app.kubernetes.io/component: admission-webhook
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: ingress-nginx-admission
+subjects:
+ - kind: ServiceAccount
+ name: ingress-nginx-admission
+ namespace: ingress-nginx
+---
+# Source: ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: ingress-nginx-admission-create
+ namespace: ingress-nginx
+ annotations:
+ helm.sh/hook: pre-install,pre-upgrade
+ helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+ labels:
+ helm.sh/chart: ingress-nginx-4.0.15
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/instance: ingress-nginx
+ app.kubernetes.io/version: 1.1.1
+ app.kubernetes.io/component: admission-webhook
+spec:
+ template:
+ metadata:
+ name: ingress-nginx-admission-create
+ labels:
+ helm.sh/chart: ingress-nginx-4.0.15
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/instance: ingress-nginx
+ app.kubernetes.io/version: 1.1.1
+ app.kubernetes.io/component: admission-webhook
+ spec:
+ containers:
+ - name: create
+ image: "{{ ingress_repo_url }}/kube-webhook-certgen:{{ ingress_nginx_version }}"
+ imagePullPolicy: IfNotPresent
+ args:
+ - create
+ - --host=ingress-nginx-controller-admission,ingress-nginx-controller-admission.$(POD_NAMESPACE).svc
+ - --namespace=$(POD_NAMESPACE)
+ - --secret-name=ingress-nginx-admission
+ env:
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ securityContext:
+ allowPrivilegeEscalation: false
+ restartPolicy: OnFailure
+ serviceAccountName: ingress-nginx-admission
+ nodeSelector:
+ kubernetes.io/os: linux
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: 2000
+---
+# Source: ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: ingress-nginx-admission-patch
+ namespace: ingress-nginx
+ annotations:
+ helm.sh/hook: post-install,post-upgrade
+ helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+ labels:
+ helm.sh/chart: ingress-nginx-4.0.15
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/instance: ingress-nginx
+ app.kubernetes.io/version: 1.1.1
+ app.kubernetes.io/component: admission-webhook
+spec:
+ template:
+ metadata:
+ name: ingress-nginx-admission-patch
+ labels:
+ helm.sh/chart: ingress-nginx-4.0.15
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/instance: ingress-nginx
+ app.kubernetes.io/version: 1.1.1
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/component: admission-webhook
+ spec:
+ containers:
+ - name: patch
+ image: "{{ ingress_repo_url }}/kube-webhook-certgen:{{ ingress_nginx_version }}"
+ imagePullPolicy: IfNotPresent
+ args:
+ - patch
+ - --webhook-name=ingress-nginx-admission
+ - --namespace=$(POD_NAMESPACE)
+ - --patch-mutating=false
+ - --secret-name=ingress-nginx-admission
+ - --patch-failure-policy=Fail
+ env:
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ securityContext:
+ allowPrivilegeEscalation: false
+ restartPolicy: OnFailure
+ serviceAccountName: ingress-nginx-admission
+ nodeSelector:
+ kubernetes.io/os: linux
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: 2000
Code Review / infra / stack / kubernetes.git / blobdiff