Static manifest generation uses kustomize instead of python (#8099)

* regenerate at 4.0.12

* bash for loop and static values files

* add .tool-versions

* fixup static manifests with kustomize instead of python

* remove spec.replicas where set

* generate manifests for all supported versions

* update docs

* remove all versions except default (1.20) for now

* update to 1.1.1/4.0.15

RELEASE.md

@@ -1,6 +1,6 @@
 # RELEASE PROCESS
 
-## 1. BUILD the new Ingress-Nginx-Controller image 
+## 1. BUILD the new Ingress-Nginx-Controller image
 
 ### a. Make changes in codebase
 
@@ -8,7 +8,7 @@
 
 ### b. Make changes to appropriate files in [images directory ](images)
 
-- Make changes in /images 
+- Make changes in /images
 
 ### c. Create Pull Request
 
@@ -18,7 +18,7 @@
 
   - Example [NGINX_VERSION](images/nginx/rootfs/build.sh#L21), [SHA256](images/nginx/rootfs/build.sh#L124).
 
-  - If you are updating any component in [build.sh](images/nginx/rootfs/build.sh) please also update the SHA256 checksum of that component as well, the cloud build will fail with an exit 10 if not.  
+  - If you are updating any component in [build.sh](images/nginx/rootfs/build.sh) please also update the SHA256 checksum of that component as well, the cloud build will fail with an exit 10 if not.
 
 ### d. Merge
 
@@ -26,7 +26,7 @@
 
 ### e. Make sure cloudbuild is a success
 
-- Wait for [cloud build](https://console.cloud.google.com/cloud-build/builds?project=k8s-staging-ingress-nginx). If you don't have access to cloudbuild, you can also have a look at [this](https://prow.k8s.io/?repo=kubernetes%2Fingress-nginx&job=post-*), to see the progress of the build. 
+- Wait for [cloud build](https://console.cloud.google.com/cloud-build/builds?project=k8s-staging-ingress-nginx). If you don't have access to cloudbuild, you can also have a look at [this](https://prow.k8s.io/?repo=kubernetes%2Fingress-nginx&job=post-*), to see the progress of the build.
 
 - Proceed only after cloud-build is successful in building a new Ingress-Nginx-Controller image.
 
@@ -42,7 +42,7 @@
 ### b. Make changes to appropriate files in [images directory ](images)
 
 - Sometimes, you may also be needing to rebuild, images for one or multiple other related components of the Ingress-Nginx-Controller ecosystem. Make changes to the required files in the /images directory, if/as applicable, in the context of the release you are attempting.  :
-   
+
   - [e2e](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e-image)
 
     - Update references to e2e-test-runner image [If applicable] :
@@ -72,24 +72,24 @@
 
 ### e. Make sure cloudbuild is a success
 
-- Wait for [cloud build](https://console.cloud.google.com/cloud-build/builds?project=k8s-staging-ingress-nginx). If you don't have access to cloudbuild, you can also have a look at [this](https://prow.k8s.io/?repo=kubernetes%2Fingress-nginx&job=post-*), to see the progress of the build. 
+- Wait for [cloud build](https://console.cloud.google.com/cloud-build/builds?project=k8s-staging-ingress-nginx). If you don't have access to cloudbuild, you can also have a look at [this](https://prow.k8s.io/?repo=kubernetes%2Fingress-nginx&job=post-*), to see the progress of the build.
 
 - Proceed only after cloud-build is successful in building a new Ingress-Nginx-Controller image.
 
 
 ## 3. PROMOTE the Image(s):
 
-Promoting the images basically means that images, that were pushed to staging container registry in the steps above, now are also pushed to the public container registry. Thus are publicly available. Follow these steps to promote images: 
+Promoting the images basically means that images, that were pushed to staging container registry in the steps above, now are also pushed to the public container registry. Thus are publicly available. Follow these steps to promote images:
 
 ### a. Get the sha
 
-- Get the sha of the new image(s) of the controller, (and any other component image IF APPLICABLE to release), from the cloudbuild, from steps above 
+- Get the sha of the new image(s) of the controller, (and any other component image IF APPLICABLE to release), from the cloudbuild, from steps above
 
   - The sha is available in output from [cloud build](https://console.cloud.google.com/cloud-build/builds?project=k8s-staging-ingress-nginx)
 
   - The sha is also visible here https://console.cloud.google.com/gcr/images/k8s-staging-ingress-nginx/global/controller
 
-  - The sha is also visible [here]((https://prow.k8s.io/?repo=kubernetes%2Fingress-nginx&job=post-*)), after cloud build is finished. Click on the respective job, go to `Artifacts` section in the UI, then again `artifacts` in the directory browser. In the `build.log` at the very bottom you see something like this: 
+  - The sha is also visible [here]((https://prow.k8s.io/?repo=kubernetes%2Fingress-nginx&job=post-*)), after cloud build is finished. Click on the respective job, go to `Artifacts` section in the UI, then again `artifacts` in the directory browser. In the `build.log` at the very bottom you see something like this:
 
   ```
   ...
@@ -99,7 +99,7 @@ Promoting the images basically means that images, that were pushed to staging co
 
 ### b. Add the new image to [k8s.io](http://github.com/kubernetes/k8s.io)
 
-- The sha(s) from the step before (and the tag(s) for the new image(s) have to be added, as a new line, in a file, of the [k8s.io](http://github.com/kubernetes/k8s.io) project of Kubernetes organization. 
+- The sha(s) from the step before (and the tag(s) for the new image(s) have to be added, as a new line, in a file, of the [k8s.io](http://github.com/kubernetes/k8s.io) project of Kubernetes organization.
 
 - Fork that other project (if you don't have a fork already).
 
@@ -113,7 +113,7 @@ Promoting the images basically means that images, that were pushed to staging co
 
 - For making it easier, you can edit your branch directly in the browser. But be careful about making any mistake.
 
-- Insert the sha(s) & the tag(s), in a new line, in this file [Project kubernetes/k8s.io Ingress-Nginx-Controller Images](https://github.com/kubernetes/k8s.io/blob/main/k8s.gcr.io/images/k8s-staging-ingress-nginx/images.yaml)  Look at this [example PR and the diff](https://github.com/kubernetes/k8s.io/pull/2536) to see how it was done before 
+- Insert the sha(s) & the tag(s), in a new line, in this file [Project kubernetes/k8s.io Ingress-Nginx-Controller Images](https://github.com/kubernetes/k8s.io/blob/main/k8s.gcr.io/images/k8s-staging-ingress-nginx/images.yaml)  Look at this [example PR and the diff](https://github.com/kubernetes/k8s.io/pull/2536) to see how it was done before
 
 - Save and commit
 
@@ -130,13 +130,13 @@ Promoting the images basically means that images, that were pushed to staging co
 
 ## 4. PREPARE for a new Release
 
-- Make sure to get the tag and sha of the promoted image from the step before, either from cloudbuild or from [here](https://console.cloud.google.com/gcr/images/k8s-artifacts-prod/us/ingress-nginx/controller). 
+- Make sure to get the tag and sha of the promoted image from the step before, either from cloudbuild or from [here](https://console.cloud.google.com/gcr/images/k8s-artifacts-prod/us/ingress-nginx/controller).
 
 - This involves editing of several different files. So carefully follow the steps below and double check all changes with diff/grep etc., repeatedly. Mistakes here impact endusers.
 
 ### a. Make sure your git workspace is ready
 
-- Get your git workspace ready 
+- Get your git workspace ready
 
   - If not using a pre-existing fork, then Fork the repo kubernetes/ingress-nginx
 
@@ -165,7 +165,7 @@ Promoting the images basically means that images, that were pushed to staging co
     - appVersion
     - kubeVersion (**ONLY if applicable**)
     - annotations
-      - artifacthub.io/prerelease: "true" 
+      - artifacthub.io/prerelease: "true"
       - artifacthub.io/changes: |
         - Replace this line and other lines under this annotation with the Changelog. One process to generate the Changelog is described below
           - Install and configure github cli as per the docs of gh-cli  https://cli.github.com/,
@@ -230,41 +230,21 @@ Promoting the images basically means that images, that were pushed to staging co
 
   - Prepare to use a script to update the edit the static manifests and set the "image", "digest", "version" etc. fields to the desired value.
 
+  - This script depends on kustomize and helm. The versions are pinned in `hack/.tool-versions` and you can use [asdf](https://github.com/asdf-vm/asdf#asdf) to install them
 
-  - This script depends on python and a specific python package `pip3 install ruamel.yaml`
+  - Execute the script to update static manifests using that script [hack/generate-deploy-scripts.sh](https://github.com/kubernetes/ingress-nginx/blob/main/hack/generate-deploy-scripts.sh)
 
-  - Execute the script to update static manifests using that script [generate-deploy-scripts.sh](https://github.com/kubernetes/ingress-nginx/blob/main/hack/generate-deploy-scripts.sh)
   - Open some of the manifests and check if the script worked properly
 
   - Use grep -ir to search for any misses by the script or undesired changes
 
   - The script should properly set the image and the digest fields to the desired tag and semver
 
-  - Manually fix one problem that the script can not take care of.
 
-    - This problem is wrong formatting of a snippet in the file [deploy-tls-termination.yaml](https://github.com/kubernetes/ingress-nginx/blob/main/deploy/static/provider/aws/deploy-tls-termination.yaml)
-    - In the configMap section, for the configMap named ingress-nginx-controller, the "configMap.data" spec has a snippet
-
-    - This snippet becomes a single line, formatted with the newline character "\n"
-
-    - That single line formatted with "\n" needs to be changed as it does not meet yaml requirements
-
-    - At the time of writing this doc, the 'configMap.data' spec is at line number 39.
-
-    - So editing begins at line 40 (at the time of writing this doc)
-
-    - Make that snippet look like this ;
-      ```
-      data:
-        http-snippet:|
-          server{
-            listen 2443;
-            return 308 https://$host$request_uri;
-          }
-      ```
 
 ### f. Edit the changelog
-  [Changelog.md](https://github.com/kubernetes/ingress-nginx/blob/main/Changelog.md) 
+
+  [Changelog.md](https://github.com/kubernetes/ingress-nginx/blob/main/Changelog.md)
 - Each time a release is made, a new section is added to the Changelog.md file
 - A new section in the Changelog.md file consists of 3 components listed below
   - the "Image"
@@ -277,8 +257,9 @@ Promoting the images basically means that images, that were pushed to staging co
 - One process to generate this list of PRs is already described above in step 4c. So if you are following this document, then you have done this already and very likely have retained the file containing the list of PRs, in the format that is needed.
 
 ### g. Edit the Documentation:
+
 - Update the version in [docs/deploy/index.md](docs/deploy/index.md)
-- Update Supported versions in the Support Versions table in the README.md 
+- Update Supported versions in the Support Versions table in the README.md
 
 ### h. Edit stable.txt
 
@@ -294,7 +275,7 @@ Promoting the images basically means that images, that were pushed to staging co
 
 - Open PR for releasing the new version of the Ingress-Nginx-Controller ;
   - Look at this PR for how it was done before [example PR](https://github.com/kubernetes/ingress-nginx/pull/7490)
-  - Create a PR 
+  - Create a PR
 
 ### b. Merge
 

deploy/static/provider/aws/nlb-with-tls-termination/kustomization.yaml

@@ -0,0 +1,11 @@
+# NOTE: kustomize is not supported. This file exists only to be able to reference it from bases.
+# https://kubectl.docs.kubernetes.io/references/kustomize/bases/
+#
+# ```
+# namespace: ingress-nginx
+# bases:
+#   - github.com/kubernetes/ingress-nginx/deploy/static/provider/aws/nlb-with-tls-termination?ref=master
+# ```
+
+resources:
+  - deploy.yaml

docs/deploy/index.md

@@ -55,8 +55,11 @@ kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/cont
 !!! info
     The YAML manifest in the command above was generated with `helm template`, so you will end up with almost the same resources as if you had used Helm to install the controller.
 
-If you are running an old version of Kubernetes (1.18 or earlier), please read
-[this paragraph](#running-on-Kubernetes-versions-older-than-1.19) for specific instructions.
+!!! attention
+  If you are running an old version of Kubernetes (1.18 or earlier), please read
+  [this paragraph](#running-on-Kubernetes-versions-older-than-1.19) for specific instructions.
+  Because of api deprecations, the default manifest may not work on your cluster.
+  Specific manifests for supported Kubernetes versions are available within a subfolder of each provider.
 
 ### Pre-flight check
 
@@ -186,12 +189,13 @@ kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/cont
 
 ##### TLS termination in AWS Load Balancer (NLB)
 
-By default, TLS is terminated in the ingress controller. But it is also possible to terminate TLS in the Load Balancer. This section explains how to do that on AWS with using an NLB.
+By default, TLS is terminated in the ingress controller. But it is also possible to terminate TLS in the Load Balancer. This section explains how to do that on AWS using an NLB.
 
-1. Download the the [deploy-tls-termination.yaml](https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.1.1/deploy/static/provider/aws/deploy-tls-termination.yaml) template:
-   ```console
-   wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.1.1/deploy/static/provider/aws/deploy-tls-termination.yaml
-   ```
+1. Download the [deploy.yaml](https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.1.1/deploy/static/provider/aws/nlb-with-tls-termination/deploy.yaml) template
+
+  ```console
+  wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.1.1/deploy/static/provider/aws/nlb-with-tls-termination/deploy.yaml
+  ```
 
 2. Edit the file and change the VPC CIDR in use for the Kubernetes cluster:
    ```
@@ -205,7 +209,7 @@ By default, TLS is terminated in the ingress controller. But it is also possible
 
 4. Deploy the manifest:
    ```console
-   kubectl apply -f deploy-tls-termination.yaml
+   kubectl apply -f deploy.yaml
    ```
 
 ##### NLB Idle Timeouts

hack/.tool-versions

@@ -0,0 +1,2 @@
+kustomize 4.1.3
+helm 3.7.1

hack/generate-deploy-scripts.sh

@@ -22,194 +22,51 @@ set -o errexit
 set -o nounset
 set -o pipefail
 
+# for backwards compatibility, the default version of 1.20 is copied to the root of the variant
+# with enough docs updates, this could be removed
+# see     # DEFAULT VERSION HANDLING
+K8S_DEFAULT_VERSION=1.20
+# K8S_TARGET_VERSIONS=("1.19" "1.20" "1.21" "1.22") TODO @afirth revert for #8000
+K8S_TARGET_VERSIONS=("1.20")
+
 DIR=$(cd $(dirname "${BASH_SOURCE}")/.. && pwd -P)
 
-RELEASE_NAME=ingress-nginx
-NAMESPACE=ingress-nginx
+# clean
+rm -rf ${DIR}/deploy/static/provider/*
 
-NAMESPACE_VAR="
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: $NAMESPACE
-  labels:
-    app.kubernetes.io/name: $RELEASE_NAME
-    app.kubernetes.io/instance: ingress-nginx
-"
+TEMPLATE_DIR="${DIR}/hack/manifest-templates"
 
-# Baremetal
-OUTPUT_FILE="${DIR}/deploy/static/provider/baremetal/deploy.yaml"
-cat << EOF | helm template $RELEASE_NAME ${DIR}/charts/ingress-nginx --namespace $NAMESPACE --values - | $DIR/hack/add-namespace.py $NAMESPACE > ${OUTPUT_FILE}
-controller:
-  service:
-    type: NodePort
+# each helm values file `values.yaml` under `hack/manifest-templates/provider` will be generated as provider/<provider>[/variant][/kube-version]/deploy.yaml
+# TARGET is provider/<provider>[/variant]
+TARGETS=$(dirname $(cd $DIR/hack/manifest-templates/ && find . -type f -name "values.yaml" ) | cut -d'/' -f2-)
+for K8S_VERSION in "${K8S_TARGET_VERSIONS[@]}"
+do
+  for TARGET in ${TARGETS}
+  do
+    TARGET_DIR="${TEMPLATE_DIR}/${TARGET}"
+    MANIFEST="${TEMPLATE_DIR}/common/manifest.yaml" # intermediate manifest
+    OUTPUT_DIR="${DIR}/deploy/static/${TARGET}/${K8S_VERSION}"
+    echo $OUTPUT_DIR
 
-  publishService:
-    enabled: false
-EOF
+    mkdir -p ${OUTPUT_DIR}
+    cd ${TARGET_DIR}
+    helm template ingress-nginx ${DIR}/charts/ingress-nginx \
+      --values values.yaml \
+      --namespace ingress-nginx \
+      --kube-version ${K8S_VERSION} \
+      > $MANIFEST
+    kustomize --load-restrictor=LoadRestrictionsNone build . > ${OUTPUT_DIR}/deploy.yaml
+    rm $MANIFEST
+    cd ~-
+    # automatically generate the (unsupported) kustomization.yaml for each target
+    sed "s_{TARGET}_${TARGET}_" $TEMPLATE_DIR/static-kustomization-template.yaml > ${OUTPUT_DIR}/kustomization.yaml
 
-echo "${NAMESPACE_VAR}
-$(cat ${OUTPUT_FILE})" > ${OUTPUT_FILE}
-
-# Cloud - generic
-OUTPUT_FILE="${DIR}/deploy/static/provider/cloud/deploy.yaml"
-cat << EOF | helm template $RELEASE_NAME ${DIR}/charts/ingress-nginx --namespace $NAMESPACE --values - | $DIR/hack/add-namespace.py $NAMESPACE > ${OUTPUT_FILE}
-controller:
-  service:
-    type: LoadBalancer
-    externalTrafficPolicy: Local
-EOF
-
-echo "${NAMESPACE_VAR}
-$(cat ${OUTPUT_FILE})" > ${OUTPUT_FILE}
-
-
-# AWS - NLB
-OUTPUT_FILE="${DIR}/deploy/static/provider/aws/deploy.yaml"
-cat << EOF | helm template $RELEASE_NAME ${DIR}/charts/ingress-nginx --namespace $NAMESPACE --values - | $DIR/hack/add-namespace.py $NAMESPACE > ${OUTPUT_FILE}
-controller:
-  service:
-    type: LoadBalancer
-    externalTrafficPolicy: Local
-    annotations:
-      service.beta.kubernetes.io/aws-load-balancer-backend-protocol: "tcp"
-      service.beta.kubernetes.io/aws-load-balancer-type: nlb
-      service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: "true"
-EOF
-
-echo "${NAMESPACE_VAR}
-$(cat ${OUTPUT_FILE})" > ${OUTPUT_FILE}
-
-
-OUTPUT_FILE="${DIR}/deploy/static/provider/aws/deploy-tls-termination.yaml"
-cat << EOF | helm template $RELEASE_NAME ${DIR}/charts/ingress-nginx --namespace $NAMESPACE --values - | $DIR/hack/add-namespace.py $NAMESPACE > ${OUTPUT_FILE}
-controller:
-  service:
-    type: LoadBalancer
-    externalTrafficPolicy: Local
-
-    annotations:
-      # This example is for legacy in-tree service load balancer controller for AWS NLB,
-      # that has been phased out from Kubernetes mainline.
-      service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: "true"
-      service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "https"
-      service.beta.kubernetes.io/aws-load-balancer-ssl-cert: "arn:aws:acm:us-west-2:XXXXXXXX:certificate/XXXXXX-XXXXXXX-XXXXXXX-XXXXXXXX"
-      service.beta.kubernetes.io/aws-load-balancer-type: nlb
-      # Ensure the ELB idle timeout is less than nginx keep-alive timeout. By default,
-      # NGINX keep-alive is set to 75s. If using WebSockets, the value will need to be
-      # increased to '3600' to avoid any potential issues.
-      service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: "60"
-
-    targetPorts:
-      http: tohttps
-      https: http
-
-  # Configures the ports the nginx-controller listens on
-  containerPort:
-    http: 80
-    https: 80
-    tohttps: 2443
-
-  config:
-    proxy-real-ip-cidr: XXX.XXX.XXX/XX
-    use-forwarded-headers: "true"
-    http-snippet: |
-      server {
-        listen 2443;
-        return 308 https://\$host\$request_uri;
-      }
-EOF
-
-echo "${NAMESPACE_VAR}
-$(cat ${OUTPUT_FILE})" > ${OUTPUT_FILE}
-
-# Kind - https://kind.sigs.k8s.io/docs/user/ingress/
-OUTPUT_FILE="${DIR}/deploy/static/provider/kind/deploy.yaml"
-cat << EOF | helm template $RELEASE_NAME ${DIR}/charts/ingress-nginx --namespace $NAMESPACE --values - | $DIR/hack/add-namespace.py $NAMESPACE > ${OUTPUT_FILE}
-controller:
-  updateStrategy:
-    type: RollingUpdate
-    rollingUpdate:
-      maxUnavailable: 1
-  hostPort:
-    enabled: true
-  terminationGracePeriodSeconds: 0
-  service:
-    type: NodePort
-  watchIngressWithoutClass: true
-
-  nodeSelector:
-    ingress-ready: "true"
-  tolerations:
-    - key: "node-role.kubernetes.io/master"
-      operator: "Equal"
-      effect: "NoSchedule"
-
-  publishService:
-    enabled: false
-  extraArgs:
-    publish-status-address: localhost
-EOF
-
-# Digital Ocean
-echo "${NAMESPACE_VAR}
-$(cat ${OUTPUT_FILE})" > ${OUTPUT_FILE}
-
-OUTPUT_FILE="${DIR}/deploy/static/provider/do/deploy.yaml"
-cat << EOF | helm template $RELEASE_NAME ${DIR}/charts/ingress-nginx --namespace $NAMESPACE --values - | $DIR/hack/add-namespace.py $NAMESPACE > ${OUTPUT_FILE}
-controller:
-  service:
-    type: LoadBalancer
-    externalTrafficPolicy: Local
-    annotations:
-      service.beta.kubernetes.io/do-loadbalancer-enable-proxy-protocol: "true"
-  config:
-    use-proxy-protocol: "true"
-  admissionWebhooks:
-    timeoutSeconds: 29
-
-EOF
-
-# Scaleway
-echo "${NAMESPACE_VAR}
-$(cat ${OUTPUT_FILE})" > ${OUTPUT_FILE}
-
-OUTPUT_FILE="${DIR}/deploy/static/provider/scw/deploy.yaml"
-cat << EOF | helm template $RELEASE_NAME ${DIR}/charts/ingress-nginx --namespace $NAMESPACE --values - | $DIR/hack/add-namespace.py $NAMESPACE > ${OUTPUT_FILE}
-controller:
-  service:
-    type: LoadBalancer
-    externalTrafficPolicy: Local
-    annotations:
-      service.beta.kubernetes.io/scw-loadbalancer-proxy-protocol-v2: "true"
-  config:
-    use-proxy-protocol: "true"
-
-EOF
-
-# Exoscale
-echo "${NAMESPACE_VAR}
-$(cat ${OUTPUT_FILE})" > ${OUTPUT_FILE}
-
-OUTPUT_FILE="${DIR}/deploy/static/provider/exoscale/deploy.yaml"
-cat << EOF | helm template $RELEASE_NAME ${DIR}/charts/ingress-nginx --namespace $NAMESPACE --values - | $DIR/hack/add-namespace.py $NAMESPACE > ${OUTPUT_FILE}
-controller:
-  kind: DaemonSet
-  service:
-    type: LoadBalancer
-    externalTrafficPolicy: Local
-    annotations:
-      service.beta.kubernetes.io/exoscale-loadbalancer-name: "nginx-ingress-controller"
-      service.beta.kubernetes.io/exoscale-loadbalancer-description: "NGINX Ingress Controller load balancer"
-      service.beta.kubernetes.io/exoscale-loadbalancer-service-strategy: "source-hash"
-      service.beta.kubernetes.io/exoscale-loadbalancer-service-healthcheck-mode: "http"
-      service.beta.kubernetes.io/exoscale-loadbalancer-service-healthcheck-uri: "/"
-      service.beta.kubernetes.io/exoscale-loadbalancer-service-healthcheck-interval: "10s"
-      service.beta.kubernetes.io/exoscale-loadbalancer-service-healthcheck-timeout: "3s"
-      service.beta.kubernetes.io/exoscale-loadbalancer-service-healthcheck-retries: "1"
-  publishService:
-      enabled: true
-EOF
-
-echo "${NAMESPACE_VAR}
-$(cat ${OUTPUT_FILE})" > ${OUTPUT_FILE}
+    # DEFAULT VERSION HANDLING
+    if [[ ${K8S_VERSION} = ${K8S_DEFAULT_VERSION} ]]
+    then
+      cp ${OUTPUT_DIR}/*.yaml ${OUTPUT_DIR}/../
+      sed -i "1s/^/#GENERATED FOR K8S ${K8S_VERSION}\n/" ${OUTPUT_DIR}/../deploy.yaml
+      rm -rf ${OUTPUT_DIR} # TODO @afirth remove for #8000 - this avoids the duplicate files for easier review of the build script changes
+    fi
+  done
+done

hack/manifest-templates/common/kustomization.yaml

@@ -0,0 +1,14 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- manifest.yaml
+- namespace.yaml
+
+patches:
+- target:
+    group: apps
+    version: v1
+    kind: Deployment
+  patch: |-
+    - op: remove
+      path: /spec/replicas

hack/manifest-templates/common/namespace.yaml

@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: ingress-nginx
+  labels:
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/instance: ingress-nginx

hack/manifest-templates/provider/aws/kustomization.yaml

@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ../../common

hack/manifest-templates/provider/aws/nlb-with-tls-termination/kustomization.yaml

@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ../../../common

hack/manifest-templates/provider/aws/nlb-with-tls-termination/values.yaml

@@ -0,0 +1,36 @@
+# AWS NLB with TLS termination
+controller:
+  service:
+    type: LoadBalancer
+    externalTrafficPolicy: Local
+
+    annotations:
+      # This example is for legacy in-tree service load balancer controller for AWS NLB,
+      # that has been phased out from Kubernetes mainline.
+      service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: "true"
+      service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "https"
+      service.beta.kubernetes.io/aws-load-balancer-ssl-cert: "arn:aws:acm:us-west-2:XXXXXXXX:certificate/XXXXXX-XXXXXXX-XXXXXXX-XXXXXXXX"
+      service.beta.kubernetes.io/aws-load-balancer-type: nlb
+      # Ensure the ELB idle timeout is less than nginx keep-alive timeout. By default,
+      # NGINX keep-alive is set to 75s. If using WebSockets, the value will need to be
+      # increased to '3600' to avoid any potential issues.
+      service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: "60"
+
+    targetPorts:
+      http: tohttps
+      https: http
+
+  # Configures the ports the nginx-controller listens on
+  containerPort:
+    http: 80
+    https: 80
+    tohttps: 2443
+
+  config:
+    proxy-real-ip-cidr: XXX.XXX.XXX/XX
+    use-forwarded-headers: "true"
+    http-snippet: |
+      server {
+        listen 2443;
+        return 308 https://$host$request_uri;
+      }

hack/manifest-templates/provider/aws/values.yaml

@@ -0,0 +1,9 @@
+# AWS - NLB
+controller:
+  service:
+    type: LoadBalancer
+    externalTrafficPolicy: Local
+    annotations:
+      service.beta.kubernetes.io/aws-load-balancer-backend-protocol: "tcp"
+      service.beta.kubernetes.io/aws-load-balancer-type: nlb
+      service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: "true"

hack/manifest-templates/provider/baremetal/kustomization.yaml

@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ../../common

hack/manifest-templates/provider/baremetal/values.yaml

@@ -0,0 +1,7 @@
+# Baremetal
+controller:
+  service:
+    type: NodePort
+
+  publishService:
+    enabled: false

hack/manifest-templates/provider/cloud/kustomization.yaml

@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ../../common

hack/manifest-templates/provider/cloud/values.yaml

@@ -0,0 +1,4 @@
+controller:
+  service:
+    type: LoadBalancer
+    externalTrafficPolicy: Local

hack/manifest-templates/provider/do/kustomization.yaml

@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ../../common

hack/manifest-templates/provider/do/values.yaml

@@ -0,0 +1,11 @@
+# Digital Ocean
+controller:
+  service:
+    type: LoadBalancer
+    externalTrafficPolicy: Local
+    annotations:
+      service.beta.kubernetes.io/do-loadbalancer-enable-proxy-protocol: "true"
+  config:
+    use-proxy-protocol: "true"
+  admissionWebhooks:
+    timeoutSeconds: 29

hack/manifest-templates/provider/exoscale/kustomization.yaml

@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ../../common

hack/manifest-templates/provider/exoscale/values.yaml

@@ -0,0 +1,17 @@
+# Exoscale
+controller:
+  kind: DaemonSet
+  service:
+    type: LoadBalancer
+    externalTrafficPolicy: Local
+    annotations:
+      service.beta.kubernetes.io/exoscale-loadbalancer-name: "nginx-ingress-controller"
+      service.beta.kubernetes.io/exoscale-loadbalancer-description: "NGINX Ingress Controller load balancer"
+      service.beta.kubernetes.io/exoscale-loadbalancer-service-strategy: "source-hash"
+      service.beta.kubernetes.io/exoscale-loadbalancer-service-healthcheck-mode: "http"
+      service.beta.kubernetes.io/exoscale-loadbalancer-service-healthcheck-uri: "/"
+      service.beta.kubernetes.io/exoscale-loadbalancer-service-healthcheck-interval: "10s"
+      service.beta.kubernetes.io/exoscale-loadbalancer-service-healthcheck-timeout: "3s"
+      service.beta.kubernetes.io/exoscale-loadbalancer-service-healthcheck-retries: "1"
+  publishService:
+      enabled: true

hack/manifest-templates/provider/kind/kustomization.yaml

@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ../../common

hack/manifest-templates/provider/kind/values.yaml

@@ -0,0 +1,24 @@
+# Kind - https://kind.sigs.k8s.io/docs/user/ingress/
+controller:
+  updateStrategy:
+    type: RollingUpdate
+    rollingUpdate:
+      maxUnavailable: 1
+  hostPort:
+    enabled: true
+  terminationGracePeriodSeconds: 0
+  service:
+    type: NodePort
+  watchIngressWithoutClass: true
+
+  nodeSelector:
+    ingress-ready: "true"
+  tolerations:
+    - key: "node-role.kubernetes.io/master"
+      operator: "Equal"
+      effect: "NoSchedule"
+
+  publishService:
+    enabled: false
+  extraArgs:
+    publish-status-address: localhost

hack/manifest-templates/provider/scw/kustomization.yaml

@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ../../common

hack/manifest-templates/provider/scw/values.yaml

@@ -0,0 +1,9 @@
+# Scaleway
+controller:
+  service:
+    type: LoadBalancer
+    externalTrafficPolicy: Local
+    annotations:
+      service.beta.kubernetes.io/scw-loadbalancer-proxy-protocol-v2: "true"
+  config:
+    use-proxy-protocol: "true"

hack/manifest-templates/static-kustomization-template.yaml

@@ -0,0 +1,11 @@
+# NOTE: kustomize is not supported. This file exists only to be able to reference it from bases.
+# https://kubectl.docs.kubernetes.io/references/kustomize/bases/
+#
+# ```
+# namespace: ingress-nginx
+# bases:
+#   - github.com/kubernetes/ingress-nginx/deploy/static/{TARGET}?ref=master
+# ```
+
+resources:
+  - deploy.yaml