From 0707cb3195f4dfadce486ead5ec3c6d03d50be26 Mon Sep 17 00:00:00 2001 From: Philipp Strube Date: Wed, 29 Jul 2020 11:08:51 +0200 Subject: [PATCH 1/3] Use Env expansion for namespace in args When deploying the controller to a custom namespace, users have to overwrite the namespace attribute as well as the hardcoded namespace values in a number of args for the Deployment and the admission controller Jobs. Instead, this commit, uses the namespace name from the DownwardAPI, and allows users to simply change the namespace attribute without having to worry about the container args. --- charts/ingress-nginx/templates/_helpers.tpl | 2 +- .../admission-webhooks/job-patch/job-createSecret.yaml | 9 +++++++-- .../admission-webhooks/job-patch/job-patchWebhook.yaml | 7 ++++++- .../ingress-nginx/templates/controller-deployment.yaml | 10 +++++----- 4 files changed, 19 insertions(+), 9 deletions(-) diff --git a/charts/ingress-nginx/templates/_helpers.tpl b/charts/ingress-nginx/templates/_helpers.tpl index c5d221bee..d516a593c 100644 --- a/charts/ingress-nginx/templates/_helpers.tpl +++ b/charts/ingress-nginx/templates/_helpers.tpl @@ -48,7 +48,7 @@ Users can provide an override for an explicit service they want bound via `.Valu */}} {{- define "ingress-nginx.controller.publishServicePath" -}} -{{- $defServiceName := printf "%s/%s" .Release.Namespace (include "ingress-nginx.controller.fullname" .) -}} +{{- $defServiceName := printf "%s/%s" "$(POD_NAMESPACE)" (include "ingress-nginx.controller.fullname" .) -}} {{- $servicePath := default $defServiceName .Values.controller.publishService.pathOverride }} {{- print $servicePath | trimSuffix "-" -}} {{- end -}} diff --git a/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml b/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml index 8f5e0b36c..d9ca4607c 100644 --- a/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml 
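Review bot: The doc comment above `ingress-nginx.controller.publishServicePath` should state that the default value is now the literal placeholder `$(POD_NAMESPACE)/<fullname>` rather than a rendered namespace. Kubernetes substitutes that reference only inside a container's `command`, `args` or `env`, and only when the container defines `POD_NAMESPACE`; anywhere else the string stays exactly as written. I would add a line such as `Returns "$(POD_NAMESPACE)/<fullname>" unless pathOverride is set; only valid inside the args of a container that exports POD_NAMESPACE.` to that comment block, which starts outside this hunk.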
+++ b/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml @@ -38,9 +38,14 @@ spec: imagePullPolicy: {{ .Values.controller.admissionWebhooks.patch.image.pullPolicy }} args: - create - - --host={{ include "ingress-nginx.controller.fullname" . }}-admission,{{ include "ingress-nginx.controller.fullname" . }}-admission.{{ .Release.Namespace }}.svc - - --namespace={{ .Release.Namespace }} + - --host={{ include "ingress-nginx.controller.fullname" . }}-admission,{{ include "ingress-nginx.controller.fullname" . }}-admission.$(POD_NAMESPACE).svc + - --namespace=$(POD_NAMESPACE) - --secret-name={{ include "ingress-nginx.fullname" . }}-admission + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace restartPolicy: OnFailure serviceAccountName: {{ include "ingress-nginx.fullname" . }}-admission {{- if .Values.controller.admissionWebhooks.patch.nodeSelector }} diff --git a/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml b/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml index 9e7b53b73..d297854cb 100644 --- a/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml +++ b/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml @@ -39,10 +39,15 @@ spec: args: - patch - --webhook-name={{ include "ingress-nginx.fullname" . }}-admission - - --namespace={{ .Release.Namespace }} + - --namespace=$(POD_NAMESPACE) - --patch-mutating=false - --secret-name={{ include "ingress-nginx.fullname" . }}-admission - --patch-failure-policy={{ .Values.controller.admissionWebhooks.failurePolicy }} + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace restartPolicy: OnFailure serviceAccountName: {{ include "ingress-nginx.fullname" . }}-admission {{- if .Values.controller.admissionWebhooks.patch.nodeSelector }} 
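Review bot: In the `create` args the certificate host `...-admission.$(POD_NAMESPACE).svc` is now decided when the pod starts, while the webhook's `clientConfig.service.namespace` and the Role/RoleBinding that let this service account write the secret are presumably still rendered from `.Release.Namespace` in templates not shown in this diff. If a post-render namespace change misses any of those, the API server would fail TLS verification against the webhook or the Job would be denied access to the secret, and when the failure policy is `Fail` Ingress writes are then rejected. The same applies to `--namespace=$(POD_NAMESPACE)` in job-patchWebhook.yaml. A comment above each new `env:` block would make the coupling visible: `# POD_NAMESPACE must equal the namespace of the admission Service, Role and RoleBinding`.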
diff --git a/charts/ingress-nginx/templates/controller-deployment.yaml b/charts/ingress-nginx/templates/controller-deployment.yaml index e9d5eaf28..a18fc38c6 100644 --- a/charts/ingress-nginx/templates/controller-deployment.yaml +++ b/charts/ingress-nginx/templates/controller-deployment.yaml @@ -71,22 +71,22 @@ spec: args: - /nginx-ingress-controller {{- if .Values.defaultBackend.enabled }} - - --default-backend-service={{ .Release.Namespace }}/{{ include "ingress-nginx.defaultBackend.fullname" . }} + - --default-backend-service=$(POD_NAMESPACE)/{{ include "ingress-nginx.defaultBackend.fullname" . }} {{- end }} {{- if .Values.controller.publishService.enabled }} - --publish-service={{ template "ingress-nginx.controller.publishServicePath" . }} {{- end }} - --election-id={{ .Values.controller.electionID }} - --ingress-class={{ .Values.controller.ingressClass }} - - --configmap={{ .Release.Namespace }}/{{ include "ingress-nginx.controller.fullname" . }} + - --configmap=$(POD_NAMESPACE)/{{ include "ingress-nginx.controller.fullname" . }} {{- if .Values.tcp }} - - --tcp-services-configmap={{ .Release.Namespace }}/{{ include "ingress-nginx.fullname" . }}-tcp + - --tcp-services-configmap=$(POD_NAMESPACE)/{{ include "ingress-nginx.fullname" . }}-tcp {{- end }} {{- if .Values.udp }} - - --udp-services-configmap={{ .Release.Namespace }}/{{ include "ingress-nginx.fullname" . }}-udp + - --udp-services-configmap=$(POD_NAMESPACE)/{{ include "ingress-nginx.fullname" . }}-udp {{- end }} {{- if .Values.controller.scope.enabled }} - - --watch-namespace={{ default .Release.Namespace .Values.controller.scope.namespace }} + - --watch-namespace={{ default "$(POD_NAMESPACE)" .Values.controller.scope.namespace }} {{- end }} {{- if and .Values.controller.reportNodeInternalIp .Values.controller.hostNetwork }} - --report-node-internal-ip-address={{ .Values.controller.reportNodeInternalIp }} From bc67ca4523f3cc8727aeac02cd9259d9643de028 Mon Sep 17 00:00:00 2001 
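Review bot: Unlike the two Job templates, this hunk rewrites five flags to `$(POD_NAMESPACE)` without adding an `env` entry, so it depends on the controller container already defining `POD_NAMESPACE` somewhere outside the hunk. Kubernetes leaves an unresolved `$(VAR)` reference unchanged, so if that entry is missing or renamed the controller would receive a literal `$(POD_NAMESPACE)/...` for `--configmap`, `--publish-service` and `--watch-namespace` instead of the manifest being rejected at deploy time. A comment above `args:` would record the dependency: `# $(POD_NAMESPACE) is expanded by Kubernetes from this container's env; keep that entry defined`. Any other workload template in the chart that renders the same flags or includes the publish-service helper needs the same check.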
From: Philipp Strube Date: Wed, 29 Jul 2020 11:43:35 +0200 Subject: [PATCH 2/3] Update deploy scripts using hack/generate-deploy-scripts.sh --- .../provider/aws/deploy-tls-termination.yaml | 20 ++++++++++++++----- deploy/static/provider/aws/deploy.yaml | 20 ++++++++++++++----- deploy/static/provider/baremetal/deploy.yaml | 18 +++++++++++++---- deploy/static/provider/cloud/deploy.yaml | 20 ++++++++++++++----- deploy/static/provider/do/deploy.yaml | 20 ++++++++++++++----- deploy/static/provider/kind/deploy.yaml | 18 +++++++++++++---- 6 files changed, 88 insertions(+), 28 deletions(-) diff --git a/deploy/static/provider/aws/deploy-tls-termination.yaml b/deploy/static/provider/aws/deploy-tls-termination.yaml index 285c0c81a..e84e6a8d7 100644 --- a/deploy/static/provider/aws/deploy-tls-termination.yaml +++ b/deploy/static/provider/aws/deploy-tls-termination.yaml @@ -352,10 +352,10 @@ spec: - /wait-shutdown args: - /nginx-ingress-controller - - --publish-service=ingress-nginx/ingress-nginx-controller + - --publish-service=$(POD_NAMESPACE)/ingress-nginx-controller - --election-id=ingress-controller-leader - --ingress-class=nginx - - --configmap=ingress-nginx/ingress-nginx-controller + - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller - --validating-webhook=:8443 - --validating-webhook-certificate=/usr/local/certificates/cert - --validating-webhook-key=/usr/local/certificates/key @@ -611,9 +611,14 @@ spec: imagePullPolicy: IfNotPresent args: - create - - --host=ingress-nginx-controller-admission,ingress-nginx-controller-admission.ingress-nginx.svc - - --namespace=ingress-nginx + - --host=ingress-nginx-controller-admission,ingress-nginx-controller-admission.$(POD_NAMESPACE).svc + - --namespace=$(POD_NAMESPACE) - --secret-name=ingress-nginx-admission + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace restartPolicy: OnFailure serviceAccountName: ingress-nginx-admission securityContext: 
@@ -655,10 +660,15 @@ spec: args: - patch - --webhook-name=ingress-nginx-admission - - --namespace=ingress-nginx + - --namespace=$(POD_NAMESPACE) - --patch-mutating=false - --secret-name=ingress-nginx-admission - --patch-failure-policy=Fail + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace restartPolicy: OnFailure serviceAccountName: ingress-nginx-admission securityContext: diff --git a/deploy/static/provider/aws/deploy.yaml b/deploy/static/provider/aws/deploy.yaml index 6a4604f1d..3cb8186d6 100644 --- a/deploy/static/provider/aws/deploy.yaml +++ b/deploy/static/provider/aws/deploy.yaml @@ -343,10 +343,10 @@ spec: - /wait-shutdown args: - /nginx-ingress-controller - - --publish-service=ingress-nginx/ingress-nginx-controller + - --publish-service=$(POD_NAMESPACE)/ingress-nginx-controller - --election-id=ingress-controller-leader - --ingress-class=nginx - - --configmap=ingress-nginx/ingress-nginx-controller + - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller - --validating-webhook=:8443 - --validating-webhook-certificate=/usr/local/certificates/cert - --validating-webhook-key=/usr/local/certificates/key @@ -599,9 +599,14 @@ spec: imagePullPolicy: IfNotPresent args: - create - - --host=ingress-nginx-controller-admission,ingress-nginx-controller-admission.ingress-nginx.svc - - --namespace=ingress-nginx + - --host=ingress-nginx-controller-admission,ingress-nginx-controller-admission.$(POD_NAMESPACE).svc + - --namespace=$(POD_NAMESPACE) - --secret-name=ingress-nginx-admission + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace restartPolicy: OnFailure serviceAccountName: ingress-nginx-admission securityContext: 
@@ -643,10 +648,15 @@ spec: args: - patch - --webhook-name=ingress-nginx-admission - - --namespace=ingress-nginx + - --namespace=$(POD_NAMESPACE) - --patch-mutating=false - --secret-name=ingress-nginx-admission - --patch-failure-policy=Fail + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace restartPolicy: OnFailure serviceAccountName: ingress-nginx-admission securityContext: diff --git a/deploy/static/provider/baremetal/deploy.yaml b/deploy/static/provider/baremetal/deploy.yaml index 33ba1081f..2a0fe06fe 100644 --- a/deploy/static/provider/baremetal/deploy.yaml +++ b/deploy/static/provider/baremetal/deploy.yaml @@ -339,7 +339,7 @@ spec: - /nginx-ingress-controller - --election-id=ingress-controller-leader - --ingress-class=nginx - - --configmap=ingress-nginx/ingress-nginx-controller + - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller - --validating-webhook=:8443 - --validating-webhook-certificate=/usr/local/certificates/cert - --validating-webhook-key=/usr/local/certificates/key @@ -592,9 +592,14 @@ spec: imagePullPolicy: IfNotPresent args: - create - - --host=ingress-nginx-controller-admission,ingress-nginx-controller-admission.ingress-nginx.svc - - --namespace=ingress-nginx + - --host=ingress-nginx-controller-admission,ingress-nginx-controller-admission.$(POD_NAMESPACE).svc + - --namespace=$(POD_NAMESPACE) - --secret-name=ingress-nginx-admission + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace restartPolicy: OnFailure serviceAccountName: ingress-nginx-admission securityContext: 
@@ -636,10 +641,15 @@ spec: args: - patch - --webhook-name=ingress-nginx-admission - - --namespace=ingress-nginx + - --namespace=$(POD_NAMESPACE) - --patch-mutating=false - --secret-name=ingress-nginx-admission - --patch-failure-policy=Fail + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace restartPolicy: OnFailure serviceAccountName: ingress-nginx-admission securityContext: diff --git a/deploy/static/provider/cloud/deploy.yaml b/deploy/static/provider/cloud/deploy.yaml index d152dd5fe..1f81b39cd 100644 --- a/deploy/static/provider/cloud/deploy.yaml +++ b/deploy/static/provider/cloud/deploy.yaml @@ -338,10 +338,10 @@ spec: - /wait-shutdown args: - /nginx-ingress-controller - - --publish-service=ingress-nginx/ingress-nginx-controller + - --publish-service=$(POD_NAMESPACE)/ingress-nginx-controller - --election-id=ingress-controller-leader - --ingress-class=nginx - - --configmap=ingress-nginx/ingress-nginx-controller + - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller - --validating-webhook=:8443 - --validating-webhook-certificate=/usr/local/certificates/cert - --validating-webhook-key=/usr/local/certificates/key @@ -594,9 +594,14 @@ spec: imagePullPolicy: IfNotPresent args: - create - - --host=ingress-nginx-controller-admission,ingress-nginx-controller-admission.ingress-nginx.svc - - --namespace=ingress-nginx + - --host=ingress-nginx-controller-admission,ingress-nginx-controller-admission.$(POD_NAMESPACE).svc + - --namespace=$(POD_NAMESPACE) - --secret-name=ingress-nginx-admission + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace restartPolicy: OnFailure serviceAccountName: ingress-nginx-admission securityContext: 
@@ -638,10 +643,15 @@ spec: args: - patch - --webhook-name=ingress-nginx-admission - - --namespace=ingress-nginx + - --namespace=$(POD_NAMESPACE) - --patch-mutating=false - --secret-name=ingress-nginx-admission - --patch-failure-policy=Fail + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace restartPolicy: OnFailure serviceAccountName: ingress-nginx-admission securityContext: diff --git a/deploy/static/provider/do/deploy.yaml b/deploy/static/provider/do/deploy.yaml index 5901de8ae..3b49645be 100644 --- a/deploy/static/provider/do/deploy.yaml +++ b/deploy/static/provider/do/deploy.yaml @@ -341,10 +341,10 @@ spec: - /wait-shutdown args: - /nginx-ingress-controller - - --publish-service=ingress-nginx/ingress-nginx-controller + - --publish-service=$(POD_NAMESPACE)/ingress-nginx-controller - --election-id=ingress-controller-leader - --ingress-class=nginx - - --configmap=ingress-nginx/ingress-nginx-controller + - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller - --validating-webhook=:8443 - --validating-webhook-certificate=/usr/local/certificates/cert - --validating-webhook-key=/usr/local/certificates/key @@ -597,9 +597,14 @@ spec: imagePullPolicy: IfNotPresent args: - create - - --host=ingress-nginx-controller-admission,ingress-nginx-controller-admission.ingress-nginx.svc - - --namespace=ingress-nginx + - --host=ingress-nginx-controller-admission,ingress-nginx-controller-admission.$(POD_NAMESPACE).svc + - --namespace=$(POD_NAMESPACE) - --secret-name=ingress-nginx-admission + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace restartPolicy: OnFailure serviceAccountName: ingress-nginx-admission securityContext: 
@@ -641,10 +646,15 @@ spec: args: - patch - --webhook-name=ingress-nginx-admission - - --namespace=ingress-nginx + - --namespace=$(POD_NAMESPACE) - --patch-mutating=false - --secret-name=ingress-nginx-admission - --patch-failure-policy=Fail + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace restartPolicy: OnFailure serviceAccountName: ingress-nginx-admission securityContext: diff --git a/deploy/static/provider/kind/deploy.yaml b/deploy/static/provider/kind/deploy.yaml index cb314ef38..228ceffda 100644 --- a/deploy/static/provider/kind/deploy.yaml +++ b/deploy/static/provider/kind/deploy.yaml @@ -343,7 +343,7 @@ spec: - /nginx-ingress-controller - --election-id=ingress-controller-leader - --ingress-class=nginx - - --configmap=ingress-nginx/ingress-nginx-controller + - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller - --validating-webhook=:8443 - --validating-webhook-certificate=/usr/local/certificates/cert - --validating-webhook-key=/usr/local/certificates/key @@ -605,9 +605,14 @@ spec: imagePullPolicy: IfNotPresent args: - create - - --host=ingress-nginx-controller-admission,ingress-nginx-controller-admission.ingress-nginx.svc - - --namespace=ingress-nginx + - --host=ingress-nginx-controller-admission,ingress-nginx-controller-admission.$(POD_NAMESPACE).svc + - --namespace=$(POD_NAMESPACE) - --secret-name=ingress-nginx-admission + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace restartPolicy: OnFailure serviceAccountName: ingress-nginx-admission securityContext: @@ -649,10 +654,15 @@ spec: args: - patch - --webhook-name=ingress-nginx-admission - - --namespace=ingress-nginx + - --namespace=$(POD_NAMESPACE) - --patch-mutating=false - --secret-name=ingress-nginx-admission - --patch-failure-policy=Fail + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace restartPolicy: OnFailure serviceAccountName: ingress-nginx-admission securityContext: 
From 1a5f89bdf13984ceaec82a64bc5e7e4fbb04f8c8 Mon Sep 17 00:00:00 2001 From: Philipp Strube Date: Wed, 29 Jul 2020 14:29:40 +0200 Subject: [PATCH 3/3] Bump chart patch version --- charts/ingress-nginx/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/ingress-nginx/Chart.yaml b/charts/ingress-nginx/Chart.yaml index 92aea0514..3af1655b7 100644 --- a/charts/ingress-nginx/Chart.yaml +++ b/charts/ingress-nginx/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v1 name: ingress-nginx -version: 2.11.1 +version: 2.11.2 appVersion: 0.34.1 home: https://github.com/kubernetes/ingress-nginx description: Ingress controller for Kubernetes using NGINX as a reverse proxy and load balancer