feat: Allows service name suffixes to be configurable;

This includes `-internal`, `-admission` and `-metrics`, which remain the defaults.
This commit is contained in:
Phil Nichol 2023-01-14 13:44:42 +00:00
parent ada114315e
commit d1b464f376
No known key found for this signature in database
GPG key ID: 998C1F11E05F7B14
20 changed files with 90 additions and 37 deletions


@ -290,6 +290,7 @@ Kubernetes: `>=1.20.0-0`
| controller.admissionWebhooks.service.annotations | object | `{}` | |
| controller.admissionWebhooks.service.externalIPs | list | `[]` | |
| controller.admissionWebhooks.service.loadBalancerSourceRanges | list | `[]` | |
| controller.admissionWebhooks.service.nameSuffix | string | `"admission"` | - Suffix to be used to name the admission webhook service |
| controller.admissionWebhooks.service.servicePort | int | `443` | |
| controller.admissionWebhooks.service.type | string | `"ClusterIP"` | |
| controller.affinity | object | `{}` | Affinity and anti-affinity rules for server scheduling to nodes # Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity # |
@ -377,6 +378,7 @@ Kubernetes: `>=1.20.0-0`
| controller.metrics.service.annotations | object | `{}` | |
| controller.metrics.service.externalIPs | list | `[]` | List of IP addresses at which the stats-exporter service is available # Ref: https://kubernetes.io/docs/user-guide/services/#external-ips # |
| controller.metrics.service.loadBalancerSourceRanges | list | `[]` | |
| controller.metrics.service.nameSuffix | string | `"metrics"` | - Suffix to be used to name the metrics service |
| controller.metrics.service.servicePort | int | `10254` | |
| controller.metrics.service.type | string | `"ClusterIP"` | |
| controller.metrics.serviceMonitor.additionalLabels | object | `{}` | |
@ -427,6 +429,7 @@ Kubernetes: `>=1.20.0-0`
| controller.service.internal.annotations | object | `{}` | Annotations are mandatory for the load balancer to come up. Varies with the cloud service. |
| controller.service.internal.enabled | bool | `false` | Enables an additional internal load balancer (besides the external one). |
| controller.service.internal.loadBalancerSourceRanges | list | `[]` | Restrict access For LoadBalancer service. Defaults to 0.0.0.0/0. |
| controller.service.internal.nameSuffix | string | `"internal"` | - Suffix to be used to name the internal service |
| controller.service.ipFamilies | list | `["IPv4"]` | List of IP families (e.g. IPv4, IPv6) assigned to the service. This field is usually assigned automatically based on cluster configuration and the ipFamilyPolicy field. # Ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/ |
| controller.service.ipFamilyPolicy | string | `"SingleStack"` | Represents the dual-stack-ness requested or required by this Service. Possible values are SingleStack, PreferDualStack or RequireDualStack. The ipFamilies and clusterIPs fields depend on the value of this field. # Ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/ |
| controller.service.labels | object | `{}` | |


@ -85,6 +85,49 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this
{{- printf "%s-%s" (include "ingress-nginx.fullname" .) .Values.controller.name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create a name for the controller internal service.
We fail if longer than 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
*/}}
{{- define "ingress-nginx.controller.internal.servicename" -}}
{{- $name := printf "%s-%s" (include "ingress-nginx.controller.fullname" .) .Values.controller.service.internal.nameSuffix | trimSuffix "-" -}}
{{- if gt (len $name) 63 -}}
{{- fail (printf "Internal service name must be shorter than 63 characters. Got: %s" $name) -}}
{{- end -}}
{{- print $name -}}
{{- end -}}
{{/*
Create a name for the controller metrics service.
We fail if longer than 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
*/}}
{{- define "ingress-nginx.controller.metrics.servicename" -}}
{{- $name := printf "%s-%s" (include "ingress-nginx.controller.fullname" .) .Values.controller.metrics.service.nameSuffix | trimSuffix "-" -}}
{{- if gt (len $name) 63 -}}
{{- fail (printf "Metrics service name must be shorter than 63 characters. Got: %s" $name) -}}
{{- end -}}
{{- print $name -}}
{{- end -}}
{{/*
Create a name for the controller admission webhook service.
We fail if longer than 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
*/}}
{{- define "ingress-nginx.controller.admission.servicename" -}}
{{- $name := printf "%s-%s" (include "ingress-nginx.controller.fullname" .) .Values.controller.admissionWebhooks.service.nameSuffix | trimSuffix "-" -}}
{{- if gt (len $name) 63 -}}
{{- fail (printf "Admission webhook service name must be shorter than 63 characters. Got: %s" $name) -}}
{{- end -}}
{{- print $name -}}
{{- end -}}
{{/*
Create the short admission webhook name.
*/}}
{{- define "ingress-nginx.admission.name" -}}
{{- printf "%s-%s" (include "ingress-nginx.fullname" .) (.Values.controller.admissionWebhooks.service.nameSuffix | trimSuffix "-") -}}
{{- end -}}
{{/*
Construct a unique electionID.
Users can provide an override for an explicit electionID if they want via `.Values.controller.electionID`
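Review bot: `ingress-nginx.admission.name` at the bottom of the hunk applies `trimSuffix "-"` to the suffix value only, so an empty `nameSuffix` renders `<fullname>-` with a trailing hyphen, whereas the three servicename helpers above trim the composed name; `{{- printf "%s-%s" (include "ingress-nginx.fullname" .) .Values.controller.admissionWebhooks.service.nameSuffix | trimSuffix "-" -}}` makes the four consistent. None of the helpers validates the character set of the now user-supplied suffix, only its length, so an uppercase letter or underscore in the value is only rejected at apply time; a `regexMatch` against `^[a-z0-9-]*$` with a `fail` beside the existing length check would report it at template time. The length condition admits exactly 63 characters while the message says "shorter than 63 characters" — "must not be longer than 63 characters" matches the check. The admission name gets no length check at all even though the hook jobs elsewhere in this commit append `-create` and `-patch` to it.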


@ -7,7 +7,7 @@
{{- if .Values.controller.service.external.enabled }}
- --publish-service={{ template "ingress-nginx.controller.publishServicePath" . }}
{{- else if .Values.controller.service.internal.enabled }}
- --publish-service={{ template "ingress-nginx.controller.publishServicePath" . }}-internal
- --publish-service={{ template "ingress-nginx.controller.publishServicePath" . }}-{{ .Values.controller.service.internal.nameSuffix | trimSuffix "-" }}
{{- end }}
{{- end }}
- --election-id={{ include "ingress-nginx.controller.electionID" . }}
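Review bot: The internal publish-service target is rebuilt inline from `nameSuffix | trimSuffix "-"` instead of the new `ingress-nginx.controller.internal.servicename` helper, so it can diverge from the Service's actual name: an empty suffix yields a trailing `-` here but `<controller fullname>` in the helper, and the helper's length check is bypassed. If `publishServicePath` expands to `<namespace>/<controller fullname>`, as its name suggests but the hunk does not show, `- --publish-service={{ .Release.Namespace }}/{{ include "ingress-nginx.controller.internal.servicename" . }}` keeps the flag and the Service in step. The enclosing args block continues outside the hunk.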


@ -42,10 +42,10 @@ spec:
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: {{ include "ingress-nginx.fullname" . }}-admission
name: {{ include "ingress-nginx.admission.name" . }}
namespace: {{ .Release.Namespace }}
spec:
secretName: {{ include "ingress-nginx.fullname" . }}-admission
secretName: {{ include "ingress-nginx.admission.name" . }}
duration: {{ .Values.controller.admissionWebhooks.certManager.admissionCert.duration | default "8760h0m0s" | quote }}
issuerRef:
{{- if .Values.controller.admissionWebhooks.certManager.issuerRef }}
@ -54,9 +54,9 @@ spec:
name: {{ include "ingress-nginx.fullname" . }}-root-issuer
{{- end }}
dnsNames:
- {{ include "ingress-nginx.controller.fullname" . }}-admission
- {{ include "ingress-nginx.controller.fullname" . }}-admission.{{ .Release.Namespace }}
- {{ include "ingress-nginx.controller.fullname" . }}-admission.{{ .Release.Namespace }}.svc
- {{ include "ingress-nginx.controller.metrics.servicename" . }}
- {{ include "ingress-nginx.controller.metrics.servicename" . }}.{{ .Release.Namespace }}
- {{ include "ingress-nginx.controller.metrics.servicename" . }}.{{ .Release.Namespace }}.svc
subject:
organizations:
- ingress-nginx-admission
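Review bot: The replacement dnsNames call `ingress-nginx.controller.metrics.servicename`, but this Certificate secures the admission webhook, whose Service is named by `ingress-nginx.controller.admission.servicename` elsewhere in this commit; even with the default suffixes the two differ (`-metrics` vs `-admission`), so the issued certificate never carries the webhook's hostnames and the API server's TLS verification of the webhook endpoint fails, which with a failing `admissionWebhooks.failurePolicy` blocks Ingress admission. The three lines should be `- {{ include "ingress-nginx.controller.admission.servicename" . }}`, `- {{ include "ingress-nginx.controller.admission.servicename" . }}.{{ .Release.Namespace }}` and `- {{ include "ingress-nginx.controller.admission.servicename" . }}.{{ .Release.Namespace }}.svc`. The name and secretName changes in the first hunk are consistent with the Deployment and hook-job changes and need no further adjustment.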


@ -2,7 +2,7 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ include "ingress-nginx.fullname" . }}-admission
name: {{ include "ingress-nginx.admission.name" . }}
annotations:
"helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
@ -28,7 +28,7 @@ rules:
{{- with .Values.controller.admissionWebhooks.existingPsp }}
- {{ . }}
{{- else }}
- {{ include "ingress-nginx.fullname" . }}-admission
- {{ include "ingress-nginx.admission.name" . }}
{{- end }}
{{- end }}
{{- end }}


@ -2,7 +2,7 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ include "ingress-nginx.fullname" . }}-admission
name: {{ include "ingress-nginx.admission.name" . }}
annotations:
"helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
@ -15,9 +15,9 @@ metadata:
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ include "ingress-nginx.fullname" . }}-admission
name: {{ include "ingress-nginx.admission.name" . }}
subjects:
- kind: ServiceAccount
name: {{ include "ingress-nginx.fullname" . }}-admission
name: {{ include "ingress-nginx.admission.name" . }}
namespace: {{ .Release.Namespace | quote }}
{{- end }}


@ -2,7 +2,7 @@
apiVersion: batch/v1
kind: Job
metadata:
name: {{ include "ingress-nginx.fullname" . }}-admission-create
name: {{ include "ingress-nginx.admission.name" . }}-create
namespace: {{ .Release.Namespace }}
annotations:
"helm.sh/hook": pre-install,pre-upgrade
@ -23,7 +23,7 @@ spec:
{{- end }}
template:
metadata:
name: {{ include "ingress-nginx.fullname" . }}-admission-create
name: {{ include "ingress-nginx.admission.name" . }}-create
{{- if .Values.controller.admissionWebhooks.patch.podAnnotations }}
annotations: {{ toYaml .Values.controller.admissionWebhooks.patch.podAnnotations | nindent 8 }}
{{- end }}
@ -48,9 +48,9 @@ spec:
imagePullPolicy: {{ .Values.controller.admissionWebhooks.patch.image.pullPolicy }}
args:
- create
- --host={{ include "ingress-nginx.controller.fullname" . }}-admission,{{ include "ingress-nginx.controller.fullname" . }}-admission.$(POD_NAMESPACE).svc
- --host={{ include "ingress-nginx.controller.admission.servicename" . }},{{ include "ingress-nginx.controller.admission.servicename" . }}.$(POD_NAMESPACE).svc
- --namespace=$(POD_NAMESPACE)
- --secret-name={{ include "ingress-nginx.fullname" . }}-admission
- --secret-name={{ include "ingress-nginx.admission.name" . }}
env:
- name: POD_NAMESPACE
valueFrom:
@ -66,7 +66,7 @@ spec:
resources: {{ toYaml .Values.controller.admissionWebhooks.createSecretJob.resources | nindent 12 }}
{{- end }}
restartPolicy: OnFailure
serviceAccountName: {{ include "ingress-nginx.fullname" . }}-admission
serviceAccountName: {{ include "ingress-nginx.admission.name" . }}
{{- if .Values.controller.admissionWebhooks.patch.nodeSelector }}
nodeSelector: {{ toYaml .Values.controller.admissionWebhooks.patch.nodeSelector | nindent 8 }}
{{- end }}


@ -2,7 +2,7 @@
apiVersion: batch/v1
kind: Job
metadata:
name: {{ include "ingress-nginx.fullname" . }}-admission-patch
name: {{ include "ingress-nginx.admission.name" . }}-patch
namespace: {{ .Release.Namespace }}
annotations:
"helm.sh/hook": post-install,post-upgrade
@ -23,7 +23,7 @@ spec:
{{- end }}
template:
metadata:
name: {{ include "ingress-nginx.fullname" . }}-admission-patch
name: {{ include "ingress-nginx.admission.name" . }}-patch
{{- if .Values.controller.admissionWebhooks.patch.podAnnotations }}
annotations: {{ toYaml .Values.controller.admissionWebhooks.patch.podAnnotations | nindent 8 }}
{{- end }}
@ -48,10 +48,10 @@ spec:
imagePullPolicy: {{ .Values.controller.admissionWebhooks.patch.image.pullPolicy }}
args:
- patch
- --webhook-name={{ include "ingress-nginx.fullname" . }}-admission
- --webhook-name={{ include "ingress-nginx.admission.name" . }}
- --namespace=$(POD_NAMESPACE)
- --patch-mutating=false
- --secret-name={{ include "ingress-nginx.fullname" . }}-admission
- --secret-name={{ include "ingress-nginx.admission.name" . }}
- --patch-failure-policy={{ .Values.controller.admissionWebhooks.failurePolicy }}
env:
- name: POD_NAMESPACE
@ -68,7 +68,7 @@ spec:
resources: {{ toYaml .Values.controller.admissionWebhooks.patchWebhookJob.resources | nindent 12 }}
{{- end }}
restartPolicy: OnFailure
serviceAccountName: {{ include "ingress-nginx.fullname" . }}-admission
serviceAccountName: {{ include "ingress-nginx.admission.name" . }}
{{- if .Values.controller.admissionWebhooks.patch.nodeSelector }}
nodeSelector: {{ toYaml .Values.controller.admissionWebhooks.patch.nodeSelector | nindent 8 }}
{{- end }}


@ -2,7 +2,7 @@
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: {{ include "ingress-nginx.fullname" . }}-admission
name: {{ include "ingress-nginx.admission.name" . }}
namespace: {{ .Release.Namespace }}
annotations:
"helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade


@ -3,7 +3,7 @@
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: {{ include "ingress-nginx.fullname" . }}-admission
name: {{ include "ingress-nginx.admission.name" . }}
annotations:
"helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded


@ -2,7 +2,7 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ include "ingress-nginx.fullname" . }}-admission
name: {{ include "ingress-nginx.admission.name" . }}
namespace: {{ .Release.Namespace }}
annotations:
"helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade


@ -2,7 +2,7 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ include "ingress-nginx.fullname" . }}-admission
name: {{ include "ingress-nginx.admission.name" . }}
namespace: {{ .Release.Namespace }}
annotations:
"helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
@ -16,9 +16,9 @@ metadata:
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ include "ingress-nginx.fullname" . }}-admission
name: {{ include "ingress-nginx.admission.name" . }}
subjects:
- kind: ServiceAccount
name: {{ include "ingress-nginx.fullname" . }}-admission
name: {{ include "ingress-nginx.admission.name" . }}
namespace: {{ .Release.Namespace | quote }}
{{- end }}


@ -2,7 +2,7 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "ingress-nginx.fullname" . }}-admission
name: {{ include "ingress-nginx.admission.name" . }}
namespace: {{ .Release.Namespace }}
annotations:
"helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade


@ -6,8 +6,8 @@ kind: ValidatingWebhookConfiguration
metadata:
annotations:
{{- if .Values.controller.admissionWebhooks.certManager.enabled }}
certmanager.k8s.io/inject-ca-from: {{ printf "%s/%s-admission" .Release.Namespace (include "ingress-nginx.fullname" .) | quote }}
cert-manager.io/inject-ca-from: {{ printf "%s/%s-admission" .Release.Namespace (include "ingress-nginx.fullname" .) | quote }}
certmanager.k8s.io/inject-ca-from: {{ printf "%s/%s" .Release.Namespace (include "ingress-nginx.admission.name" .) | quote }}
cert-manager.io/inject-ca-from: {{ printf "%s/%s" .Release.Namespace (include "ingress-nginx.admission.name" .) | quote }}
{{- end }}
{{- if .Values.controller.admissionWebhooks.annotations }}
{{- toYaml .Values.controller.admissionWebhooks.annotations | nindent 4 }}
@ -18,7 +18,7 @@ metadata:
{{- with .Values.controller.admissionWebhooks.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
name: {{ include "ingress-nginx.fullname" . }}-admission
name: {{ include "ingress-nginx.admission.name" . }}
webhooks:
- name: validate.nginx.ingress.kubernetes.io
matchPolicy: Equivalent
@ -39,7 +39,7 @@ webhooks:
clientConfig:
service:
namespace: {{ .Release.Namespace | quote }}
name: {{ include "ingress-nginx.controller.fullname" . }}-admission
name: {{ include "ingress-nginx.controller.admission.servicename" . }}
path: /networking/v1/ingresses
{{- if .Values.controller.admissionWebhooks.timeoutSeconds }}
timeoutSeconds: {{ .Values.controller.admissionWebhooks.timeoutSeconds }}


@ -224,7 +224,7 @@ spec:
{{- if .Values.controller.admissionWebhooks.enabled }}
- name: webhook-cert
secret:
secretName: {{ include "ingress-nginx.fullname" . }}-admission
secretName: {{ include "ingress-nginx.admission.name" . }}
{{- if .Values.controller.admissionWebhooks.certManager.enabled }}
items:
- key: tls.crt


@ -227,7 +227,7 @@ spec:
{{- if .Values.controller.admissionWebhooks.enabled }}
- name: webhook-cert
secret:
secretName: {{ include "ingress-nginx.fullname" . }}-admission
secretName: {{ include "ingress-nginx.admission.name" . }}
{{- if .Values.controller.admissionWebhooks.certManager.enabled }}
items:
- key: tls.crt


@ -12,7 +12,7 @@ metadata:
{{- if .Values.controller.service.labels }}
{{- toYaml .Values.controller.service.labels | nindent 4 }}
{{- end }}
name: {{ include "ingress-nginx.controller.fullname" . }}-internal
name: {{ include "ingress-nginx.controller.internal.servicename" . }}
namespace: {{ .Release.Namespace }}
spec:
type: "{{ .Values.controller.service.type }}"


@ -11,7 +11,7 @@ metadata:
{{- if .Values.controller.metrics.service.labels }}
{{- toYaml .Values.controller.metrics.service.labels | nindent 4 }}
{{- end }}
name: {{ include "ingress-nginx.controller.fullname" . }}-metrics
name: {{ include "ingress-nginx.controller.metrics.servicename" . }}
namespace: {{ .Release.Namespace }}
spec:
type: {{ .Values.controller.metrics.service.type }}


@ -11,7 +11,7 @@ metadata:
{{- with .Values.controller.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
name: {{ include "ingress-nginx.controller.fullname" . }}-admission
name: {{ include "ingress-nginx.controller.admission.servicename" . }}
namespace: {{ .Release.Namespace }}
spec:
type: {{ .Values.controller.admissionWebhooks.service.type }}


@ -538,6 +538,9 @@ controller:
## Ref: https://kubernetes.io/docs/tutorials/services/source-ip/#source-ip-for-services-with-typeloadbalancer
# externalTrafficPolicy: ""
# --- Suffix to be used to name the internal service
nameSuffix: internal
# shareProcessNamespace enables process namespace sharing within the pod.
# This can be used for example to signal log rotation using `kill -USR1` from a sidecar.
shareProcessNamespace: false
@ -634,6 +637,8 @@ controller:
externalIPs: []
# loadBalancerIP: ""
loadBalancerSourceRanges: []
# --- Suffix to be used to name the admission webhook service
nameSuffix: admission
servicePort: 443
type: ClusterIP
@ -710,6 +715,8 @@ controller:
# loadBalancerIP: ""
loadBalancerSourceRanges: []
# --- Suffix to be used to name the metrics service
nameSuffix: metrics
servicePort: 10254
type: ClusterIP
# externalTrafficPolicy: ""
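Review bot: The three new comments use `# ---` where the README generator (helm-docs, judging by the table format) appears to expect `# -- `, which is why the generated rows in this commit read "- Suffix to be used …" with a stray leading dash; `# -- Suffix to be used to name the internal service` (and likewise for the admission and metrics entries) fixes the rendered description. Since the value is now user-supplied and becomes part of Kubernetes object names, the comment should also state the constraint it is subject to, e.g. `# -- Suffix to be used to name the internal service (lowercase alphanumerics and "-" only; the composed name must stay within 63 characters)`. The same applies to the other two hunks in this file.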