Ingress Nginx Integration
Set up ingress using a NodePort service and an nginx reverse proxy on the jumphost
Change-Id: I4d1241616ebc07f5d9f09da7871282c96cd41062
diff --git a/playbooks/postinstall.yaml b/playbooks/postinstall.yaml
index c9f23f4..c874ca8 100644
--- a/playbooks/postinstall.yaml
+++ b/playbooks/postinstall.yaml
@@ -29,4 +29,10 @@
roles:
- role: postinstall
+- hosts: all
+ gather_facts: true
+
+ roles:
+ - role: ingress
+
# vim: set ts=2 sw=2 expandtab:
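Review bot: The new play targets `hosts: all` with `gather_facts: true`, but the only reason every node needs facts is that the ingress-site template reads `hostvars[node]['ansible_default_ipv4']` for each `k8s-cluster` member; nothing in the play says so, and a later reader will be tempted to narrow it to the jumphost and break that template. Add `# facts from every k8s-cluster node are needed: roles/ingress renders their ansible_default_ipv4 into the nginx upstream` above the play, and give it a `name:` (e.g. `- name: Configure ingress reverse proxy on the jumphost`) so it is identifiable in the run output.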
diff --git a/playbooks/roles/ingress/tasks/install-ingress.yml b/playbooks/roles/ingress/tasks/install-ingress.yml
new file mode 100644
index 0000000..ac1565d
--- /dev/null
+++ b/playbooks/roles/ingress/tasks/install-ingress.yml
@@ -0,0 +1,49 @@
+---
+# ============LICENSE_START=======================================================
+# Copyright (C) 2022 The Nordix Foundation. All rights reserved.
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+
+- name: Load execution mode variables
+ include_vars: "{{ execution_mode }}.yaml"
+
+- name: Apply nginx ingress manifest
+ k8s:
+ resource_definition: "{{ lookup('template', 'ingress-nginx.yml.j2') }}"
+
+- name: Install nginx pkg
+ package:
+ name: nginx
+ state: present
+ become: true
+
+- name: Remove nginx default site
+ file:
+ path: /etc/nginx/sites-enabled/default
+ state: absent
+ become: true
+
+- name: Ingress site config
+ template:
+ src: ingress-site.yml.j2
+ dest: /etc/nginx/sites-enabled/ingress
+ become: true
+
+- name: Reload nginx service
+ service:
+ name: nginx
+ state: reloaded
+ become: true
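Review bot: The vhost rendered at L62-L66 is handed straight to `state: reloaded` (L68-L72) with no syntax check in between, so a bad render only surfaces as a failed reload, and the unit is never `enabled`, so the reverse proxy does not come back after a jumphost reboot. Add `enabled: true` to the service task and a `command: nginx -t` step (with `changed_when: false`) between the template and the reload; the template module's `validate:` is not usable here because `nginx -t` has to see the whole config, not the site fragment. Setting `mode: '0644'` and `owner: root` on the template task also pins the file's permissions rather than inheriting the umask. Note that `/etc/nginx/sites-enabled/` (L58, L65) is the Debian/Ubuntu layout; on a RHEL-family jumphost the file would either not be included or the task would fail on the missing directory, so the role should either guard on `ansible_os_family` or say in a comment that it assumes Debian packaging.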
diff --git a/playbooks/roles/ingress/tasks/main.yml b/playbooks/roles/ingress/tasks/main.yml
new file mode 100644
index 0000000..d60fca7
--- /dev/null
+++ b/playbooks/roles/ingress/tasks/main.yml
@@ -0,0 +1,24 @@
+---
+# ============LICENSE_START=======================================================
+# Copyright (C) 2022 The Nordix Foundation. All rights reserved.
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+
+
+- include_tasks: install-ingress.yml
+ when: jumphost in group_names
+
+# vim: set ts=2 sw=2 expandtab:
diff --git a/playbooks/roles/ingress/templates/ingress-nginx.yml.j2 b/playbooks/roles/ingress/templates/ingress-nginx.yml.j2
new file mode 100644
index 0000000..8205ecd
--- /dev/null
+++ b/playbooks/roles/ingress/templates/ingress-nginx.yml.j2
@@ -0,0 +1,665 @@
+
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: ingress-nginx
+ labels:
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/instance: ingress-nginx
+
+---
+# Source: ingress-nginx/templates/controller-serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ labels:
+ helm.sh/chart: ingress-nginx-4.0.15
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/instance: ingress-nginx
+ app.kubernetes.io/version: 1.1.1
+ app.kubernetes.io/component: controller
+ name: ingress-nginx
+ namespace: ingress-nginx
+automountServiceAccountToken: true
+---
+# Source: ingress-nginx/templates/controller-configmap.yaml
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ labels:
+ helm.sh/chart: ingress-nginx-4.0.15
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/instance: ingress-nginx
+ app.kubernetes.io/version: 1.1.1
+ app.kubernetes.io/component: controller
+ name: ingress-nginx-controller
+ namespace: ingress-nginx
+data:
+ allow-snippet-annotations: 'true'
+---
+# Source: ingress-nginx/templates/clusterrole.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ labels:
+ helm.sh/chart: ingress-nginx-4.0.15
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/instance: ingress-nginx
+ app.kubernetes.io/version: 1.1.1
+ name: ingress-nginx
+rules:
+ - apiGroups:
+ - ''
+ resources:
+ - configmaps
+ - endpoints
+ - nodes
+ - pods
+ - secrets
+ - namespaces
+ verbs:
+ - list
+ - watch
+ - apiGroups:
+ - ''
+ resources:
+ - nodes
+ verbs:
+ - get
+ - apiGroups:
+ - ''
+ resources:
+ - services
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - networking.k8s.io
+ resources:
+ - ingresses
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - ''
+ resources:
+ - events
+ verbs:
+ - create
+ - patch
+ - apiGroups:
+ - networking.k8s.io
+ resources:
+ - ingresses/status
+ verbs:
+ - update
+ - apiGroups:
+ - networking.k8s.io
+ resources:
+ - ingressclasses
+ verbs:
+ - get
+ - list
+ - watch
+---
+# Source: ingress-nginx/templates/clusterrolebinding.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ labels:
+ helm.sh/chart: ingress-nginx-4.0.15
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/instance: ingress-nginx
+ app.kubernetes.io/version: 1.1.1
+ name: ingress-nginx
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: ingress-nginx
+subjects:
+ - kind: ServiceAccount
+ name: ingress-nginx
+ namespace: ingress-nginx
+---
+# Source: ingress-nginx/templates/controller-role.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ labels:
+ helm.sh/chart: ingress-nginx-4.0.15
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/instance: ingress-nginx
+ app.kubernetes.io/version: 1.1.1
+ app.kubernetes.io/component: controller
+ name: ingress-nginx
+ namespace: ingress-nginx
+rules:
+ - apiGroups:
+ - ''
+ resources:
+ - namespaces
+ verbs:
+ - get
+ - apiGroups:
+ - ''
+ resources:
+ - configmaps
+ - pods
+ - secrets
+ - endpoints
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - ''
+ resources:
+ - services
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - networking.k8s.io
+ resources:
+ - ingresses
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - networking.k8s.io
+ resources:
+ - ingresses/status
+ verbs:
+ - update
+ - apiGroups:
+ - networking.k8s.io
+ resources:
+ - ingressclasses
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - ''
+ resources:
+ - configmaps
+ resourceNames:
+ - ingress-controller-leader
+ verbs:
+ - get
+ - update
+ - apiGroups:
+ - ''
+ resources:
+ - configmaps
+ verbs:
+ - create
+ - apiGroups:
+ - ''
+ resources:
+ - events
+ verbs:
+ - create
+ - patch
+---
+# Source: ingress-nginx/templates/controller-rolebinding.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ labels:
+ helm.sh/chart: ingress-nginx-4.0.15
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/instance: ingress-nginx
+ app.kubernetes.io/version: 1.1.1
+ app.kubernetes.io/component: controller
+ name: ingress-nginx
+ namespace: ingress-nginx
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: ingress-nginx
+subjects:
+ - kind: ServiceAccount
+ name: ingress-nginx
+ namespace: ingress-nginx
+---
+# Source: ingress-nginx/templates/controller-service-webhook.yaml
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ helm.sh/chart: ingress-nginx-4.0.15
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/instance: ingress-nginx
+ app.kubernetes.io/version: 1.1.1
+ app.kubernetes.io/component: controller
+ name: ingress-nginx-controller-admission
+ namespace: ingress-nginx
+spec:
+ type: ClusterIP
+ ports:
+ - name: https-webhook
+ port: 443
+ targetPort: webhook
+ appProtocol: https
+ selector:
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/instance: ingress-nginx
+ app.kubernetes.io/component: controller
+---
+# Source: ingress-nginx/templates/controller-service.yaml
+apiVersion: v1
+kind: Service
+metadata:
+ annotations:
+ labels:
+ helm.sh/chart: ingress-nginx-4.0.15
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/instance: ingress-nginx
+ app.kubernetes.io/version: 1.1.1
+ app.kubernetes.io/component: controller
+ name: ingress-nginx-controller
+ namespace: ingress-nginx
+spec:
+ type: NodePort
+ ipFamilyPolicy: SingleStack
+ ipFamilies:
+ - IPv4
+ ports:
+ - name: http
+ port: 80
+ nodePort: 30080
+ protocol: TCP
+ targetPort: http
+ appProtocol: http
+ - name: https
+ port: 443
+ nodePort: 30433
+ protocol: TCP
+ targetPort: https
+ appProtocol: https
+ selector:
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/instance: ingress-nginx
+ app.kubernetes.io/component: controller
+---
+# Source: ingress-nginx/templates/controller-deployment.yaml
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ helm.sh/chart: ingress-nginx-4.0.15
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/instance: ingress-nginx
+ app.kubernetes.io/version: 1.1.1
+ app.kubernetes.io/component: controller
+ name: ingress-nginx-controller
+ namespace: ingress-nginx
+spec:
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/instance: ingress-nginx
+ app.kubernetes.io/component: controller
+ revisionHistoryLimit: 10
+ minReadySeconds: 0
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/instance: ingress-nginx
+ app.kubernetes.io/component: controller
+ spec:
+ dnsPolicy: ClusterFirst
+ containers:
+ - name: controller
+ image: "{{ ingress_repo_url }}/controller:{{ ingress_nginx_version }}"
+ imagePullPolicy: IfNotPresent
+ lifecycle:
+ preStop:
+ exec:
+ command:
+ - /wait-shutdown
+ args:
+ - /nginx-ingress-controller
+ - --election-id=ingress-controller-leader
+ - --controller-class=k8s.io/ingress-nginx
+ - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
+ - --validating-webhook=:8443
+ - --validating-webhook-certificate=/usr/local/certificates/cert
+ - --validating-webhook-key=/usr/local/certificates/key
+ securityContext:
+ capabilities:
+ drop:
+ - ALL
+ add:
+ - NET_BIND_SERVICE
+ runAsUser: 101
+ allowPrivilegeEscalation: true
+ env:
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.name
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ - name: LD_PRELOAD
+ value: /usr/local/lib/libmimalloc.so
+ livenessProbe:
+ failureThreshold: 5
+ httpGet:
+ path: /healthz
+ port: 10254
+ scheme: HTTP
+ initialDelaySeconds: 10
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 1
+ readinessProbe:
+ failureThreshold: 3
+ httpGet:
+ path: /healthz
+ port: 10254
+ scheme: HTTP
+ initialDelaySeconds: 10
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 1
+ ports:
+ - name: http
+ containerPort: 80
+ protocol: TCP
+ - name: https
+ containerPort: 443
+ protocol: TCP
+ - name: webhook
+ containerPort: 8443
+ protocol: TCP
+ volumeMounts:
+ - name: webhook-cert
+ mountPath: /usr/local/certificates/
+ readOnly: true
+ resources:
+ requests:
+ cpu: 100m
+ memory: 90Mi
+ nodeSelector:
+ kubernetes.io/os: linux
+ serviceAccountName: ingress-nginx
+ terminationGracePeriodSeconds: 300
+ volumes:
+ - name: webhook-cert
+ secret:
+ secretName: ingress-nginx-admission
+---
+# Source: ingress-nginx/templates/controller-ingressclass.yaml
+# We don't support namespaced ingressClass yet
+# So a ClusterRole and a ClusterRoleBinding is required
+apiVersion: networking.k8s.io/v1
+kind: IngressClass
+metadata:
+ labels:
+ helm.sh/chart: ingress-nginx-4.0.15
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/instance: ingress-nginx
+ app.kubernetes.io/version: 1.1.1
+ app.kubernetes.io/component: controller
+ name: nginx
+ namespace: ingress-nginx
+spec:
+ controller: k8s.io/ingress-nginx
+---
+# Source: ingress-nginx/templates/admission-webhooks/validating-webhook.yaml
+# before changing this value, check the required kubernetes version
+# https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#prerequisites
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+ labels:
+ helm.sh/chart: ingress-nginx-4.0.15
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/instance: ingress-nginx
+ app.kubernetes.io/version: 1.1.1
+ app.kubernetes.io/component: admission-webhook
+ name: ingress-nginx-admission
+webhooks:
+ - name: validate.nginx.ingress.kubernetes.io
+ matchPolicy: Equivalent
+ rules:
+ - apiGroups:
+ - networking.k8s.io
+ apiVersions:
+ - v1
+ operations:
+ - CREATE
+ - UPDATE
+ resources:
+ - ingresses
+ failurePolicy: Fail
+ sideEffects: None
+ admissionReviewVersions:
+ - v1
+ clientConfig:
+ service:
+ namespace: ingress-nginx
+ name: ingress-nginx-controller-admission
+ path: /networking/v1/ingresses
+---
+# Source: ingress-nginx/templates/admission-webhooks/job-patch/serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: ingress-nginx-admission
+ namespace: ingress-nginx
+ annotations:
+ helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+ helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+ labels:
+ helm.sh/chart: ingress-nginx-4.0.15
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/instance: ingress-nginx
+ app.kubernetes.io/version: 1.1.1
+ app.kubernetes.io/component: admission-webhook
+---
+# Source: ingress-nginx/templates/admission-webhooks/job-patch/clusterrole.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: ingress-nginx-admission
+ annotations:
+ helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+ helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+ labels:
+ helm.sh/chart: ingress-nginx-4.0.15
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/instance: ingress-nginx
+ app.kubernetes.io/version: 1.1.1
+ app.kubernetes.io/component: admission-webhook
+rules:
+ - apiGroups:
+ - admissionregistration.k8s.io
+ resources:
+ - validatingwebhookconfigurations
+ verbs:
+ - get
+ - update
+---
+# Source: ingress-nginx/templates/admission-webhooks/job-patch/clusterrolebinding.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: ingress-nginx-admission
+ annotations:
+ helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+ helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+ labels:
+ helm.sh/chart: ingress-nginx-4.0.15
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/instance: ingress-nginx
+ app.kubernetes.io/version: 1.1.1
+ app.kubernetes.io/component: admission-webhook
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: ingress-nginx-admission
+subjects:
+ - kind: ServiceAccount
+ name: ingress-nginx-admission
+ namespace: ingress-nginx
+---
+# Source: ingress-nginx/templates/admission-webhooks/job-patch/role.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: ingress-nginx-admission
+ namespace: ingress-nginx
+ annotations:
+ helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+ helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+ labels:
+ helm.sh/chart: ingress-nginx-4.0.15
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/instance: ingress-nginx
+ app.kubernetes.io/version: 1.1.1
+ app.kubernetes.io/component: admission-webhook
+rules:
+ - apiGroups:
+ - ''
+ resources:
+ - secrets
+ verbs:
+ - get
+ - create
+---
+# Source: ingress-nginx/templates/admission-webhooks/job-patch/rolebinding.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: ingress-nginx-admission
+ namespace: ingress-nginx
+ annotations:
+ helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+ helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+ labels:
+ helm.sh/chart: ingress-nginx-4.0.15
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/instance: ingress-nginx
+ app.kubernetes.io/version: 1.1.1
+ app.kubernetes.io/component: admission-webhook
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: ingress-nginx-admission
+subjects:
+ - kind: ServiceAccount
+ name: ingress-nginx-admission
+ namespace: ingress-nginx
+---
+# Source: ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: ingress-nginx-admission-create
+ namespace: ingress-nginx
+ annotations:
+ helm.sh/hook: pre-install,pre-upgrade
+ helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+ labels:
+ helm.sh/chart: ingress-nginx-4.0.15
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/instance: ingress-nginx
+ app.kubernetes.io/version: 1.1.1
+ app.kubernetes.io/component: admission-webhook
+spec:
+ template:
+ metadata:
+ name: ingress-nginx-admission-create
+ labels:
+ helm.sh/chart: ingress-nginx-4.0.15
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/instance: ingress-nginx
+ app.kubernetes.io/version: 1.1.1
+ app.kubernetes.io/component: admission-webhook
+ spec:
+ containers:
+ - name: create
+ image: "{{ ingress_repo_url }}/kube-webhook-certgen:{{ ingress_nginx_version }}"
+ imagePullPolicy: IfNotPresent
+ args:
+ - create
+ - --host=ingress-nginx-controller-admission,ingress-nginx-controller-admission.$(POD_NAMESPACE).svc
+ - --namespace=$(POD_NAMESPACE)
+ - --secret-name=ingress-nginx-admission
+ env:
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ securityContext:
+ allowPrivilegeEscalation: false
+ restartPolicy: OnFailure
+ serviceAccountName: ingress-nginx-admission
+ nodeSelector:
+ kubernetes.io/os: linux
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: 2000
+---
+# Source: ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: ingress-nginx-admission-patch
+ namespace: ingress-nginx
+ annotations:
+ helm.sh/hook: post-install,post-upgrade
+ helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+ labels:
+ helm.sh/chart: ingress-nginx-4.0.15
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/instance: ingress-nginx
+ app.kubernetes.io/version: 1.1.1
+ app.kubernetes.io/component: admission-webhook
+spec:
+ template:
+ metadata:
+ name: ingress-nginx-admission-patch
+ labels:
+ helm.sh/chart: ingress-nginx-4.0.15
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/instance: ingress-nginx
+ app.kubernetes.io/version: 1.1.1
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/component: admission-webhook
+ spec:
+ containers:
+ - name: patch
+ image: "{{ ingress_repo_url }}/kube-webhook-certgen:{{ ingress_nginx_version }}"
+ imagePullPolicy: IfNotPresent
+ args:
+ - patch
+ - --webhook-name=ingress-nginx-admission
+ - --namespace=$(POD_NAMESPACE)
+ - --patch-mutating=false
+ - --secret-name=ingress-nginx-admission
+ - --patch-failure-policy=Fail
+ env:
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ securityContext:
+ allowPrivilegeEscalation: false
+ restartPolicy: OnFailure
+ serviceAccountName: ingress-nginx-admission
+ nodeSelector:
+ kubernetes.io/os: linux
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: 2000
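Review bot: `allow-snippet-annotations: 'true'` (L146) combined with the controller's cluster-wide `list`/`watch` on `secrets` (L166) means anyone who can create an Ingress in any namespace can inject raw nginx configuration and read every Secret the controller can see; this is the exposure ingress-nginx documented as CVE-2021-25742, and later releases default the setting to false. Unless a workload here relies on snippets, set `allow-snippet-annotations: 'false'`; if they are needed, also carry the upstream `annotation-value-word-blocklist` setting. Two smaller points: the https NodePort `30433` (L389) looks like a typo for 30443 (nothing else in the change references it, so it is harmless but confusing), and the IngressClass carries a `namespace:` (L522) although it is cluster-scoped, which is at best ignored and rejected by some tooling. The `helm.sh/hook` annotations on the admission Jobs (L679, L729) are inert under the plain `k8s:` apply in install-ingress.yml, so both Jobs run once as ordinary resources and are never cleaned up; a comment in the template saying the hooks are retained only for parity with the chart would save the next reader from expecting Helm semantics.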
diff --git a/playbooks/roles/ingress/templates/ingress-site.yml.j2 b/playbooks/roles/ingress/templates/ingress-site.yml.j2
new file mode 100644
index 0000000..0d39b02
--- /dev/null
+++ b/playbooks/roles/ingress/templates/ingress-site.yml.j2
@@ -0,0 +1,13 @@
+upstream ingress_service {
+ {% for node in groups['k8s-cluster'] %}
+ server {{ hostvars[node]['ansible_default_ipv4']['address'] }}:30080;
+ {% endfor %}
+}
+server {
+ listen 80;
+ server_name {{ ansible_host }};
+ location / {
+ proxy_pass http://ingress_service;
+ }
+}
+# TODO: setup https and ssl bypass
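Review bot: `proxy_pass http://ingress_service;` (L789) forwards every request with `Host: ingress_service`, because nginx rewrites the Host header to the upstream name unless told otherwise, so host-based Ingress rules behind the controller will never match and the controller sees the jumphost rather than the real client for logging and source-range checks. Add `proxy_set_header Host $host;`, `proxy_set_header X-Real-IP $remote_addr;` and `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` inside the `location /` block (plus `X-Forwarded-Proto` once the TLS TODO on L792 is done). This listener is plain HTTP on every interface of the jumphost; until TLS lands, state in the file that anything crossing this hop, including credentials, is in the clear. The `.yml.j2` suffix is misleading for an nginx config — `ingress-site.conf.j2` would match what it renders.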
diff --git a/playbooks/roles/ingress/vars/main.yaml b/playbooks/roles/ingress/vars/main.yaml
new file mode 100644
index 0000000..167b0a7
--- /dev/null
+++ b/playbooks/roles/ingress/vars/main.yaml
@@ -0,0 +1,22 @@
+---
+# ============LICENSE_START=======================================================
+# Copyright (C) 2022 The Nordix Foundation. All rights reserved.
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+
+jumphost: "{{ 'jumphost' if provisioner_type == 'heat' else 'localhost' }}"
+
+# vim: set ts=2 sw=2 expandtab:
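Review bot: `jumphost` is derived here from `provisioner_type` although the postinstall role already evaluates a variable of the same name (`{{ jumphost }}` at L902), so the two definitions can drift, and because this lives in role `vars/` its precedence is high enough that an inventory or extra-vars override is silently ignored. Define it once in a shared location (group_vars, or vars/kubernetes.yaml next to the other cluster-wide settings) and drop the per-role copy, or at minimum add `# keep in sync with roles/postinstall` above it.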
diff --git a/playbooks/roles/ingress/vars/offline-deployment.yaml b/playbooks/roles/ingress/vars/offline-deployment.yaml
new file mode 100644
index 0000000..616d79b
--- /dev/null
+++ b/playbooks/roles/ingress/vars/offline-deployment.yaml
@@ -0,0 +1,22 @@
+---
+# ============LICENSE_START=======================================================
+# Copyright (C) 2022 The Nordix Foundation. All rights reserved.
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+
+ingress_repo_url: "{{ server_fqdn }}/ingress-nginx"
+
+# vim: set ts=2 sw=2 expandtab:
diff --git a/playbooks/roles/ingress/vars/online-deployment.yaml b/playbooks/roles/ingress/vars/online-deployment.yaml
new file mode 100644
index 0000000..6a23ba9
--- /dev/null
+++ b/playbooks/roles/ingress/vars/online-deployment.yaml
@@ -0,0 +1,22 @@
+---
+# ============LICENSE_START=======================================================
+# Copyright (C) 2022 The Nordix Foundation. All rights reserved.
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+
+ingress_repo_url: "k8s.gcr.io/ingress-nginx"
+
+# vim: set ts=2 sw=2 expandtab:
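Review bot: `ingress_repo_url` spells out the same registry path that package/defaults/main.yaml repeats for the two images (L886, L889), so a registry move has to be made in two places; derive one from the other or put the base URL beside `ingress_nginx_version` in vars/kubernetes.yaml. Be aware that `k8s.gcr.io` has since been frozen in favour of `registry.k8s.io`, so anyone applying this today should expect pulls from this host to stop working — worth a comment such as `# k8s.gcr.io is frozen; switch to registry.k8s.io`.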
diff --git a/playbooks/roles/package/defaults/main.yaml b/playbooks/roles/package/defaults/main.yaml
index 6b3e469..4a86caa 100644
--- a/playbooks/roles/package/defaults/main.yaml
+++ b/playbooks/roles/package/defaults/main.yaml
@@ -66,6 +66,13 @@
- weave_npc
other_images:
+ # ingress
+ ingress-controller:
+ repo: "k8s.gcr.io/ingress-nginx/controller"
+ tag: "{{ ingress_nginx_version }}"
+ ingress-kube-webhook-certgen:
+ repo: k8s.gcr.io/ingress-nginx/kube-webhook-certgen
+ tag: "{{ ingress_nginx_version }}"
# ceph
ceph:
repo: ceph/ceph
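Review bot: Both ingress images are referenced by mutable tag only (L887, L890), so the offline bundle built from this list cannot be checked against what upstream actually published; the controller terminates all external traffic and holds cluster-wide secret access, so pin it by digest (`repo@sha256:…`, or a `digest:` field if the package role supports one) as the upstream chart values do, and record the digest used in the bundle. Minor: `repo` is quoted on L886 but bare on L889 — pick one form for the list.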
diff --git a/playbooks/roles/postinstall/tasks/main.yml b/playbooks/roles/postinstall/tasks/main.yml
index c2eefc1..8518a05 100644
--- a/playbooks/roles/postinstall/tasks/main.yml
+++ b/playbooks/roles/postinstall/tasks/main.yml
@@ -19,6 +19,7 @@
# NOTE: Install OpenShift and configure kubectl & helm on localhost
# we operate against Kubernetes cluster from localhost
+
- include_tasks: configure-{{ jumphost }}.yml
when: jumphost in group_names
diff --git a/vars/kubernetes.yaml b/vars/kubernetes.yaml
index 08f7f1b..8a9b614 100644
--- a/vars/kubernetes.yaml
+++ b/vars/kubernetes.yaml
@@ -73,13 +73,14 @@
containerd_io_version: "1.2.13-2"
# -------------------------------------------------------------------------------
-# Kubernetes: Kubernetes and kubectl versions
+# Kubernetes: Kubernetes kubectl and Ingress versions
# -------------------------------------------------------------------------------
# Kubernetes version that is supported by the pinned kubespray version
kubernetes_version: "v1.19.11"
# version of the kubectl should generally match to the version of kubernetes itself
# but it would be good to have possibility to override it in case if someone needs it for some reason
kubectl_version: "{{ kubernetes_version }}"
+ingress_nginx_version: "v1.1.1"
# -------------------------------------------------------------------------------
# Kubernetes: Versions of rook, ceph and their dependencies