From fd23ebc6d186554d4d8f8890a82392b5724caee9 Mon Sep 17 00:00:00 2001 
From: Manuel Alejandro de Brito Fontes Date: Sat, 18 Apr 2020 18:14:23 -0400 Subject: [PATCH] Cleanup deploy docs and remove old yaml manifests --- deploy/aws/l4/service-l4.yaml | 13 - deploy/aws/l7/service-l7.yaml | 17 - deploy/aws/nlb/service-nlb.yaml | 7 - deploy/baremetal/service-nodeport.yaml | 16 - deploy/static/configmap.yaml | 30 -- deploy/static/mandatory.yaml | 293 ------------------ deploy/static/namespace.yaml | 10 - .../provider/aws/patch-configmap-l4.yaml | 10 - .../provider/aws/patch-configmap-l7.yaml | 14 - deploy/static/provider/aws/service-l4.yaml | 32 -- deploy/static/provider/aws/service-l7.yaml | 36 --- deploy/static/provider/aws/service-nlb.yaml | 30 -- .../provider/baremetal/service-nodeport.yaml | 25 -- deploy/static/provider/cloud-generic.yaml | 25 -- deploy/static/rbac.yaml | 149 --------- deploy/static/with-rbac.yaml | 88 ------ deploy/validating-webhook.yaml.tpl | 25 -- deploy/with-validating-webhook.yaml.tpl | 115 ------- docs/deploy/index.md | 106 ++++--- 19 files changed, 56 insertions(+), 985 deletions(-) delete mode 100644 deploy/aws/l4/service-l4.yaml delete mode 100644 deploy/aws/l7/service-l7.yaml delete mode 100644 deploy/aws/nlb/service-nlb.yaml delete mode 100644 deploy/baremetal/service-nodeport.yaml delete mode 100644 deploy/static/configmap.yaml delete mode 100644 deploy/static/mandatory.yaml delete mode 100644 deploy/static/namespace.yaml delete mode 100644 deploy/static/provider/aws/patch-configmap-l4.yaml delete mode 100644 deploy/static/provider/aws/patch-configmap-l7.yaml delete mode 100644 deploy/static/provider/aws/service-l4.yaml delete mode 100644 deploy/static/provider/aws/service-l7.yaml delete mode 100644 deploy/static/provider/aws/service-nlb.yaml delete mode 100644 deploy/static/provider/baremetal/service-nodeport.yaml delete mode 100644 deploy/static/provider/cloud-generic.yaml delete mode 100644 deploy/static/rbac.yaml delete mode 100644 deploy/static/with-rbac.yaml delete mode 100644 
deploy/validating-webhook.yaml.tpl delete mode 100644 deploy/with-validating-webhook.yaml.tpl
diff --git a/deploy/aws/l4/service-l4.yaml b/deploy/aws/l4/service-l4.yaml
deleted file mode 100644
index 3d9642491..000000000
--- a/deploy/aws/l4/service-l4.yaml
+++ /dev/null
@@ -1,13 +0,0 @@
-kind: Service
-apiVersion: v1
-metadata:
- name: ingress-nginx
- annotations:
- # Enable PROXY protocol
- service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: "*"
- # Ensure the ELB idle timeout is less than nginx keep-alive timeout. By default,
- # NGINX keep-alive is set to 75s. If using WebSockets, the value will need to be
- # increased to '3600' to avoid any potential issues.
- service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: "60"
-spec:
- externalTrafficPolicy: Cluster
diff --git a/deploy/aws/l7/service-l7.yaml b/deploy/aws/l7/service-l7.yaml
deleted file mode 100644
index b3b0b64d8..000000000
--- a/deploy/aws/l7/service-l7.yaml
+++ /dev/null
@@ -1,17 +0,0 @@
-kind: Service
-apiVersion: v1
-metadata:
- name: ingress-nginx
- annotations:
- # replace with the correct value of the generated certificate in the AWS console
- service.beta.kubernetes.io/aws-load-balancer-ssl-cert: "arn:aws:acm:us-west-2:XXXXXXXX:certificate/XXXXXX-XXXXXXX-XXXXXXX-XXXXXXXX"
- # the backend instances are HTTP
- service.beta.kubernetes.io/aws-load-balancer-backend-protocol: "http"
- # Map port 443
- service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "https"
- # Ensure the ELB idle timeout is less than nginx keep-alive timeout. By default,
- # NGINX keep-alive is set to 75s. If using WebSockets, the value will need to be
- # increased to '3600' to avoid any potential issues.
- service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: "60"
-spec:
- externalTrafficPolicy: Cluster
diff --git a/deploy/aws/nlb/service-nlb.yaml b/deploy/aws/nlb/service-nlb.yaml
deleted file mode 100644
index a0438c207..000000000
--- a/deploy/aws/nlb/service-nlb.yaml
+++ /dev/null
@@ -1,7 +0,0 @@
-kind: Service
-apiVersion: v1
-metadata:
- name: ingress-nginx
- annotations:
- # by default the type is elb (classic load balancer).
- service.beta.kubernetes.io/aws-load-balancer-type: nlb
diff --git a/deploy/baremetal/service-nodeport.yaml b/deploy/baremetal/service-nodeport.yaml
deleted file mode 100644
index 0aadea157..000000000
--- a/deploy/baremetal/service-nodeport.yaml
+++ /dev/null
@@ -1,16 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
- name: ingress-nginx
-spec:
- type: NodePort
- ports:
- - name: http
- port: 80
- targetPort: 80
- protocol: TCP
- - name: https
- port: 443
- targetPort: 443
- protocol: TCP
- externalTrafficPolicy: Cluster
diff --git a/deploy/static/configmap.yaml b/deploy/static/configmap.yaml
deleted file mode 100644
index 436b660a9..000000000
--- a/deploy/static/configmap.yaml
+++ /dev/null
@@ -1,30 +0,0 @@
-kind: ConfigMap
-apiVersion: v1
-metadata:
- name: nginx-configuration
- namespace: ingress-nginx
- labels:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/part-of: ingress-nginx
-
----
-kind: ConfigMap
-apiVersion: v1
-metadata:
- name: tcp-services
- namespace: ingress-nginx
- labels:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/part-of: ingress-nginx
-
----
-kind: ConfigMap
-apiVersion: v1
-metadata:
- name: udp-services
- namespace: ingress-nginx
- labels:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/part-of: ingress-nginx
-
----
diff --git a/deploy/static/mandatory.yaml b/deploy/static/mandatory.yaml
deleted file mode 100644
index 7d91c35d2..000000000
--- a/deploy/static/mandatory.yaml
+++ /dev/null
@@ -1,293 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
- name: ingress-nginx
- labels:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/part-of: ingress-nginx
-
----
-
-kind: ConfigMap
-apiVersion: v1
-metadata:
- name: nginx-configuration
- namespace: ingress-nginx
- labels:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/part-of: ingress-nginx
-
----
-kind: ConfigMap
-apiVersion: v1
-metadata:
- name: tcp-services
- namespace: ingress-nginx
- labels:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/part-of: ingress-nginx
-
----
-kind: ConfigMap
-apiVersion: v1
-metadata:
- name: udp-services
- namespace: ingress-nginx
- labels:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/part-of: ingress-nginx
-
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: nginx-ingress-serviceaccount
- namespace: ingress-nginx
- labels:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/part-of: ingress-nginx
-
----
-apiVersion: rbac.authorization.k8s.io/v1beta1
-kind: ClusterRole
-metadata:
- name: nginx-ingress-clusterrole
- labels:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/part-of: ingress-nginx
-rules:
- - apiGroups:
- - ""
- resources:
- - configmaps
- - endpoints
- - nodes
- - pods
- - secrets
- verbs:
- - list
- - watch
- - apiGroups:
- - ""
- resources:
- - nodes
- verbs:
- - get
- - apiGroups:
- - ""
- resources:
- - services
- verbs:
- - get
- - list
- - watch
- - apiGroups:
- - ""
- resources:
- - events
- verbs:
- - create
- - patch
- - apiGroups:
- - "extensions"
- - "networking.k8s.io"
- resources:
- - ingresses
- verbs:
- - get
- - list
- - watch
- - apiGroups:
- - "extensions"
- - "networking.k8s.io"
- resources:
- - ingresses/status
- verbs:
- - update
-
----
-apiVersion: rbac.authorization.k8s.io/v1beta1
-kind: Role
-metadata:
- name: nginx-ingress-role
- namespace: ingress-nginx
- labels:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/part-of: ingress-nginx
-rules:
- - apiGroups:
- - ""
- resources:
- - configmaps
- - pods
- - secrets
- - namespaces
- verbs:
- - get
- - apiGroups:
- - ""
- resources:
- - configmaps
- resourceNames:
- # Defaults to "-"
- # Here: "-"
- # This has to be adapted if you change either parameter
- # when launching the nginx-ingress-controller.
- - "ingress-controller-leader-nginx"
- verbs:
- - get
- - update
- - apiGroups:
- - ""
- resources:
- - configmaps
- verbs:
- - create
- - apiGroups:
- - ""
- resources:
- - endpoints
- verbs:
- - get
-
----
-apiVersion: rbac.authorization.k8s.io/v1beta1
-kind: RoleBinding
-metadata:
- name: nginx-ingress-role-nisa-binding
- namespace: ingress-nginx
- labels:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/part-of: ingress-nginx
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: Role
- name: nginx-ingress-role
-subjects:
- - kind: ServiceAccount
- name: nginx-ingress-serviceaccount
- namespace: ingress-nginx
-
----
-apiVersion: rbac.authorization.k8s.io/v1beta1
-kind: ClusterRoleBinding
-metadata:
- name: nginx-ingress-clusterrole-nisa-binding
- labels:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/part-of: ingress-nginx
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: nginx-ingress-clusterrole
-subjects:
- - kind: ServiceAccount
- name: nginx-ingress-serviceaccount
- namespace: ingress-nginx
-
----
-
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: nginx-ingress-controller
- namespace: ingress-nginx
- labels:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/part-of: ingress-nginx
-spec:
- replicas: 1
- selector:
- matchLabels:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/part-of: ingress-nginx
- template:
- metadata:
- labels:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/part-of: ingress-nginx
- annotations:
- prometheus.io/port: "10254"
- prometheus.io/scrape: "true"
- spec:
- # wait up to five minutes for the drain of connections
- terminationGracePeriodSeconds: 300
- serviceAccountName: nginx-ingress-serviceaccount
- nodeSelector:
- kubernetes.io/os: linux
- containers:
- - name: nginx-ingress-controller
- image: quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.30.0
- args:
- - /nginx-ingress-controller
- - --configmap=$(POD_NAMESPACE)/nginx-configuration
- - --tcp-services-configmap=$(POD_NAMESPACE)/tcp-services
- - --udp-services-configmap=$(POD_NAMESPACE)/udp-services
- - --publish-service=$(POD_NAMESPACE)/ingress-nginx
- - --annotations-prefix=nginx.ingress.kubernetes.io
- securityContext:
- allowPrivilegeEscalation: true
- capabilities:
- drop:
- - ALL
- add:
- - NET_BIND_SERVICE
- # www-data -> 101
- runAsUser: 101
- env:
- - name: POD_NAME
- valueFrom:
- fieldRef:
- fieldPath: metadata.name
- - name: POD_NAMESPACE
- valueFrom:
- fieldRef:
- fieldPath: metadata.namespace
- ports:
- - name: http
- containerPort: 80
- protocol: TCP
- - name: https
- containerPort: 443
- protocol: TCP
- livenessProbe:
- failureThreshold: 3
- httpGet:
- path: /healthz
- port: 10254
- scheme: HTTP
- initialDelaySeconds: 10
- periodSeconds: 10
- successThreshold: 1
- timeoutSeconds: 10
- readinessProbe:
- failureThreshold: 3
- httpGet:
- path: /healthz
- port: 10254
- scheme: HTTP
- periodSeconds: 10
- successThreshold: 1
- timeoutSeconds: 10
- lifecycle:
- preStop:
- exec:
- command:
- - /wait-shutdown
-
----
-
-apiVersion: v1
-kind: LimitRange
-metadata:
- name: ingress-nginx
- namespace: ingress-nginx
- labels:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/part-of: ingress-nginx
-spec:
- limits:
- - min:
- memory: 90Mi
- cpu: 100m
- type: Container
diff --git a/deploy/static/namespace.yaml b/deploy/static/namespace.yaml
deleted file mode 100644
index 9196d6d16..000000000
--- a/deploy/static/namespace.yaml
+++ /dev/null
@@ -1,10 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
- name: ingress-nginx
- labels:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/part-of: ingress-nginx
-
----
-
diff --git a/deploy/static/provider/aws/patch-configmap-l4.yaml b/deploy/static/provider/aws/patch-configmap-l4.yaml
deleted file mode 100644
index 1d612289f..000000000
--- a/deploy/static/provider/aws/patch-configmap-l4.yaml
+++ /dev/null
@@ -1,10 +0,0 @@
-kind: ConfigMap
-apiVersion: v1
-metadata:
- name: nginx-configuration
- namespace: ingress-nginx
- labels:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/part-of: ingress-nginx
-data:
- use-proxy-protocol: "true"
diff --git a/deploy/static/provider/aws/patch-configmap-l7.yaml b/deploy/static/provider/aws/patch-configmap-l7.yaml
deleted file mode 100644
index b1bcd2a97..000000000
--- a/deploy/static/provider/aws/patch-configmap-l7.yaml
+++ /dev/null
@@ -1,14 +0,0 @@
-kind: ConfigMap
-apiVersion: v1
-metadata:
- name: nginx-configuration
- namespace: ingress-nginx
- labels:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/part-of: ingress-nginx
-data:
- use-proxy-protocol: "false"
- use-forwarded-headers: "true"
- proxy-real-ip-cidr: "0.0.0.0/0" # restrict this to the IP addresses of ELB
----
-
diff --git a/deploy/static/provider/aws/service-l4.yaml b/deploy/static/provider/aws/service-l4.yaml
deleted file mode 100644
index ab70da90f..000000000
--- a/deploy/static/provider/aws/service-l4.yaml
+++ /dev/null
@@ -1,32 +0,0 @@
-kind: Service
-apiVersion: v1
-metadata:
- name: ingress-nginx
- namespace: ingress-nginx
- labels:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/part-of: ingress-nginx
- annotations:
- # Enable PROXY protocol
- service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: "*"
- # Ensure the ELB idle timeout is less than nginx keep-alive timeout. By default,
- # NGINX keep-alive is set to 75s. If using WebSockets, the value will need to be
- # increased to '3600' to avoid any potential issues.
- service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: "60"
-spec:
- type: LoadBalancer
- selector:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/part-of: ingress-nginx
- ports:
- - name: http
- port: 80
- protocol: TCP
- targetPort: http
- - name: https
- port: 443
- protocol: TCP
- targetPort: https
-
----
-
diff --git a/deploy/static/provider/aws/service-l7.yaml b/deploy/static/provider/aws/service-l7.yaml
deleted file mode 100644
index c6bc4c09e..000000000
--- a/deploy/static/provider/aws/service-l7.yaml
+++ /dev/null
@@ -1,36 +0,0 @@
-kind: Service
-apiVersion: v1
-metadata:
- name: ingress-nginx
- namespace: ingress-nginx
- labels:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/part-of: ingress-nginx
- annotations:
- # replace with the correct value of the generated certificate in the AWS console
- service.beta.kubernetes.io/aws-load-balancer-ssl-cert: "arn:aws:acm:us-west-2:XXXXXXXX:certificate/XXXXXX-XXXXXXX-XXXXXXX-XXXXXXXX"
- # the backend instances are HTTP
- service.beta.kubernetes.io/aws-load-balancer-backend-protocol: "http"
- # Map port 443
- service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "https"
- # Ensure the ELB idle timeout is less than nginx keep-alive timeout. By default,
- # NGINX keep-alive is set to 75s. If using WebSockets, the value will need to be
- # increased to '3600' to avoid any potential issues.
- service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: "60"
-spec:
- type: LoadBalancer
- selector:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/part-of: ingress-nginx
- ports:
- - name: http
- port: 80
- protocol: TCP
- targetPort: http
- - name: https
- port: 443
- protocol: TCP
- targetPort: http
-
----
-
diff --git a/deploy/static/provider/aws/service-nlb.yaml b/deploy/static/provider/aws/service-nlb.yaml
deleted file mode 100644
index 02a688eb9..000000000
--- a/deploy/static/provider/aws/service-nlb.yaml
+++ /dev/null
@@ -1,30 +0,0 @@
-kind: Service
-apiVersion: v1
-metadata:
- name: ingress-nginx
- namespace: ingress-nginx
- labels:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/part-of: ingress-nginx
- annotations:
- # by default the type is elb (classic load balancer).
- service.beta.kubernetes.io/aws-load-balancer-type: nlb
-spec:
- # this setting is to make sure the source IP address is preserved.
- externalTrafficPolicy: Local
- type: LoadBalancer
- selector:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/part-of: ingress-nginx
- ports:
- - name: http
- port: 80
- protocol: TCP
- targetPort: http
- - name: https
- port: 443
- protocol: TCP
- targetPort: https
-
----
-
diff --git a/deploy/static/provider/baremetal/service-nodeport.yaml b/deploy/static/provider/baremetal/service-nodeport.yaml
deleted file mode 100644
index 24e302818..000000000
--- a/deploy/static/provider/baremetal/service-nodeport.yaml
+++ /dev/null
@@ -1,25 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
- name: ingress-nginx
- namespace: ingress-nginx
- labels:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/part-of: ingress-nginx
-spec:
- type: NodePort
- ports:
- - name: http
- port: 80
- targetPort: 80
- protocol: TCP
- - name: https
- port: 443
- targetPort: 443
- protocol: TCP
- selector:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/part-of: ingress-nginx
-
----
-
diff --git a/deploy/static/provider/cloud-generic.yaml b/deploy/static/provider/cloud-generic.yaml
deleted file mode 100644
index 1db280af8..000000000
--- a/deploy/static/provider/cloud-generic.yaml
+++ /dev/null
@@ -1,25 +0,0 @@
-kind: Service
-apiVersion: v1
-metadata:
- name: ingress-nginx
- namespace: ingress-nginx
- labels:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/part-of: ingress-nginx
-spec:
- externalTrafficPolicy: Local
- type: LoadBalancer
- selector:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/part-of: ingress-nginx
- ports:
- - name: http
- port: 80
- protocol: TCP
- targetPort: http
- - name: https
- port: 443
- protocol: TCP
- targetPort: https
-
----
diff --git a/deploy/static/rbac.yaml b/deploy/static/rbac.yaml
deleted file mode 100644
index 61186cd70..000000000
--- a/deploy/static/rbac.yaml
+++ /dev/null
@@ -1,149 +0,0 @@
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: nginx-ingress-serviceaccount
- namespace: ingress-nginx
- labels:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/part-of: ingress-nginx
-
----
-apiVersion: rbac.authorization.k8s.io/v1beta1
-kind: ClusterRole
-metadata:
- name: nginx-ingress-clusterrole
- labels:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/part-of: ingress-nginx
-rules:
- - apiGroups:
- - ""
- resources:
- - configmaps
- - endpoints
- - nodes
- - pods
- - secrets
- verbs:
- - list
- - watch
- - apiGroups:
- - ""
- resources:
- - nodes
- verbs:
- - get
- - apiGroups:
- - ""
- resources:
- - services
- verbs:
- - get
- - list
- - watch
- - apiGroups:
- - ""
- resources:
- - events
- verbs:
- - create
- - patch
- - apiGroups:
- - "extensions"
- - "networking.k8s.io"
- resources:
- - ingresses
- verbs:
- - get
- - list
- - watch
- - apiGroups:
- - "extensions"
- - "networking.k8s.io"
- resources:
- - ingresses/status
- verbs:
- - update
-
----
-apiVersion: rbac.authorization.k8s.io/v1beta1
-kind: Role
-metadata:
- name: nginx-ingress-role
- namespace: ingress-nginx
- labels:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/part-of: ingress-nginx
-rules:
- - apiGroups:
- - ""
- resources:
- - configmaps
- - pods
- - secrets
- - namespaces
- verbs:
- - get
- - apiGroups:
- - ""
- resources:
- - configmaps
- resourceNames:
- # Defaults to "-"
- # Here: "-"
- # This has to be adapted if you change either parameter
- # when launching the nginx-ingress-controller.
- - "ingress-controller-leader-nginx"
- verbs:
- - get
- - update
- - apiGroups:
- - ""
- resources:
- - configmaps
- verbs:
- - create
- - apiGroups:
- - ""
- resources:
- - endpoints
- verbs:
- - get
-
----
-apiVersion: rbac.authorization.k8s.io/v1beta1
-kind: RoleBinding
-metadata:
- name: nginx-ingress-role-nisa-binding
- namespace: ingress-nginx
- labels:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/part-of: ingress-nginx
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: Role
- name: nginx-ingress-role
-subjects:
- - kind: ServiceAccount
- name: nginx-ingress-serviceaccount
- namespace: ingress-nginx
-
----
-apiVersion: rbac.authorization.k8s.io/v1beta1
-kind: ClusterRoleBinding
-metadata:
- name: nginx-ingress-clusterrole-nisa-binding
- labels:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/part-of: ingress-nginx
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: nginx-ingress-clusterrole
-subjects:
- - kind: ServiceAccount
- name: nginx-ingress-serviceaccount
- namespace: ingress-nginx
-
----
-
diff --git a/deploy/static/with-rbac.yaml b/deploy/static/with-rbac.yaml
deleted file mode 100644
index ed07fb738..000000000
--- a/deploy/static/with-rbac.yaml
+++ /dev/null
@@ -1,88 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: nginx-ingress-controller
- namespace: ingress-nginx
- labels:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/part-of: ingress-nginx
-spec:
- replicas: 1
- selector:
- matchLabels:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/part-of: ingress-nginx
- template:
- metadata:
- labels:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/part-of: ingress-nginx
- annotations:
- prometheus.io/port: "10254"
- prometheus.io/scrape: "true"
- spec:
- # wait up to five minutes for the drain of connections
- terminationGracePeriodSeconds: 300
- serviceAccountName: nginx-ingress-serviceaccount
- nodeSelector:
- kubernetes.io/os: linux
- containers:
- - name: nginx-ingress-controller
- image: quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.30.0
- args:
- - /nginx-ingress-controller
- - --configmap=$(POD_NAMESPACE)/nginx-configuration
- - --tcp-services-configmap=$(POD_NAMESPACE)/tcp-services
- - --udp-services-configmap=$(POD_NAMESPACE)/udp-services
- - --publish-service=$(POD_NAMESPACE)/ingress-nginx
- - --annotations-prefix=nginx.ingress.kubernetes.io
- securityContext:
- allowPrivilegeEscalation: true
- capabilities:
- drop:
- - ALL
- add:
- - NET_BIND_SERVICE
- # www-data -> 101
- runAsUser: 101
- env:
- - name: POD_NAME
- valueFrom:
- fieldRef:
- fieldPath: metadata.name
- - name: POD_NAMESPACE
- valueFrom:
- fieldRef:
- fieldPath: metadata.namespace
- ports:
- - name: http
- containerPort: 80
- - name: https
- containerPort: 443
- livenessProbe:
- failureThreshold: 3
- httpGet:
- path: /healthz
- port: 10254
- scheme: HTTP
- initialDelaySeconds: 10
- periodSeconds: 10
- successThreshold: 1
- timeoutSeconds: 10
- readinessProbe:
- failureThreshold: 3
- httpGet:
- path: /healthz
- port: 10254
- scheme: HTTP
- periodSeconds: 10
- successThreshold: 1
- timeoutSeconds: 10
- lifecycle:
- preStop:
- exec:
- command:
- - /wait-shutdown
-
----
-
diff --git a/deploy/validating-webhook.yaml.tpl b/deploy/validating-webhook.yaml.tpl
deleted file mode 100644
index b7ee80ac5..000000000
--- a/deploy/validating-webhook.yaml.tpl
+++ /dev/null
@@ -1,25 +0,0 @@
----
-apiVersion: admissionregistration.k8s.io/v1beta1
-kind: ValidatingWebhookConfiguration
-metadata:
- name: check-ingress
-webhooks:
-- name: validate.nginx.ingress.kubernetes.io
- rules:
- - apiGroups:
- - networking.k8s.io
- apiVersions:
- - v1beta1
- operations:
- - CREATE
- - UPDATE
- resources:
- - ingresses
- failurePolicy: Fail
- clientConfig:
- service:
- namespace: ingress-nginx
- name: nginx-ingress-webhook
- path: /networking.k8s.io/v1beta1/ingresses
- caBundle:
----
\ No newline at end of file
diff --git a/deploy/with-validating-webhook.yaml.tpl b/deploy/with-validating-webhook.yaml.tpl
deleted file mode 100644
index 15cf37c85..000000000
--- a/deploy/with-validating-webhook.yaml.tpl
+++ /dev/null
@@ -1,115 +0,0 @@
----
-apiVersion: v1
-kind: Service
-metadata:
- name: ingress-validation-webhook
- namespace: ingress-nginx
-spec:
- ports:
- - name: admission
- port: 443
- protocol: TCP
- targetPort: 8080
- selector:
- app.kubernetes.io/name: ingress-nginx
----
-apiVersion: v1
-data:
- key.pem:
- certificate.pem:
-kind: Secret
-metadata:
- name: nginx-ingress-webhook-certificate
- namespace: ingress-nginx
-type: Opaque
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: nginx-ingress-controller
- namespace: ingress-nginx
- labels:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/part-of: ingress-nginx
-spec:
- replicas: 1
- selector:
- matchLabels:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/part-of: ingress-nginx
- template:
- metadata:
- labels:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/part-of: ingress-nginx
- annotations:
- prometheus.io/port: "10254"
- prometheus.io/scrape: "true"
- spec:
- serviceAccountName: nginx-ingress-serviceaccount
- containers:
- - name: nginx-ingress-controller
- image: containers.schibsted.io/thibault-jamet/ingress-nginx:0.23.0-schibsted
- args:
- - /nginx-ingress-controller
- - --configmap=$(POD_NAMESPACE)/nginx-configuration
- - --tcp-services-configmap=$(POD_NAMESPACE)/tcp-services
- - --udp-services-configmap=$(POD_NAMESPACE)/udp-services
- - --publish-service=$(POD_NAMESPACE)/ingress-nginx
- - --annotations-prefix=nginx.ingress.kubernetes.io
- - --validating-webhook=:8080
- - --validating-webhook-certificate=/usr/local/certificates/certificate.pem
- - --validating-webhook-key=/usr/local/certificates/key.pem
- volumeMounts:
- - name: webhook-cert
- mountPath: "/usr/local/certificates/"
- readOnly: true
- securityContext:
- allowPrivilegeEscalation: true
- capabilities:
- drop:
- - ALL
- add:
- - NET_BIND_SERVICE
- # www-data -> 33
- runAsUser: 33
- env:
- - name: POD_NAME
- valueFrom:
- fieldRef:
- fieldPath: metadata.name
- - name: POD_NAMESPACE
- valueFrom:
- fieldRef:
- fieldPath: metadata.namespace
- ports:
- - name: http
- containerPort: 80
- - name: https
- containerPort: 443
- - name: webhook
- containerPort: 8080
- livenessProbe:
- failureThreshold: 3
- httpGet:
- path: /healthz
- port: 10254
- scheme: HTTP
- initialDelaySeconds: 10
- periodSeconds: 10
- successThreshold: 1
- timeoutSeconds: 10
- readinessProbe:
- failureThreshold: 3
- httpGet:
- path: /healthz
- port: 10254
- scheme: HTTP
- periodSeconds: 10
- successThreshold: 1
- timeoutSeconds: 10
- volumes:
- - name: webhook-cert
- secret:
- secretName: nginx-ingress-webhook-certificate
----
diff --git a/docs/deploy/index.md b/docs/deploy/index.md
index 5289d87e6..8583d9811 100644
--- a/docs/deploy/index.md
+++ b/docs/deploy/index.md
@@ -1,48 +1,34 @@ # Installation Guide +!!! attention + The default configuration watches Ingress object from **all the namespaces**. + + To change this behavior use the flag `--watch-namespace` to limit the scope to a particular namespace. + +!!! warning + If multiple Ingresses define paths for the same host, the ingress controller **merges the definitions**. + ## Contents -- [Prerequisite Generic Deployment Command](#prerequisite-generic-deployment-command) - - [Provider Specific Steps](#provider-specific-steps) - - [Docker for Mac](#docker-for-mac) - - [minikube](#minikube) - - [AWS](#aws) - - [GCE - GKE](#gce-gke) - - [Azure](#azure) - - [Bare-metal](#bare-metal) +- [Provider Specific Steps](#provider-specific-steps) + - [Docker for Mac](#docker-for-mac) + - [minikube](#minikube) + - [AWS](#aws) + - [GCE - GKE](#gce-gke) + - [Azure](#azure) + - [Bare-metal](#bare-metal) - [Verify installation](#verify-installation) - [Detect installed version](#detect-installed-version) - [Using Helm](#using-helm) -## Prerequisite Generic Deployment Command - -!!! attention - The default configuration watches Ingress object from *all the namespaces*. - To change this behavior use the flag `--watch-namespace` to limit the scope to a particular namespace. - -!!! warning - If multiple Ingresses define different paths for the same host, the ingress controller will merge the definitions. - -!!! attention - If you're using GKE you need to initialize your user as a cluster-admin with the following command: - ```console - kubectl create clusterrolebinding cluster-admin-binding \ - --clusterrole cluster-admin \ - --user $(gcloud config get-value account) - ``` - ### Provider Specific Steps -There are cloud provider specific yaml files. 
- #### Docker for Mac Kubernetes is available in Docker for Mac (from [version 18.06.0-ce](https://docs.docker.com/docker-for-mac/release-notes/#stable-releases-of-2018)) [enable]: https://docs.docker.com/docker-for-mac/#kubernetes -Create a service - ```console kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/static/provider/cloud/deploy.yaml ``` @@ -57,14 +43,14 @@ minikube addons enable ingress For development: -1. Disable the ingress addon: +- Disable the ingress addon: ```console minikube addons disable ingress ``` -2. Execute `make dev-env` -3. Confirm the `nginx-ingress-controller` deployment exists: +- Execute `make dev-env` +- Confirm the `nginx-ingress-controller` deployment exists: ```console $ kubectl get pods -n ingress-nginx 
@@ -82,23 +68,29 @@ In AWS we use a Network load balancer (NLB) to expose the NGINX Ingress controll kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/static/provider/aws/deploy.yaml ``` -##### TLS termination in the Load Balancer (ELB) +##### TLS termination in AWS Load Balancer (ELB) + +In some scenarios is required to terminate TLS in the Load Balancer and not in the ingress controller. -In some scenarios is not possible to terminate TLS in the ingress controller but in the Load Balancer. For this purpose we provide a template: -1. Download [deploy-tls-termination.yaml](https://raw.githubusercontent.com/kubernetes/ingress-nginx/204739fb6650c48fd41dc9505f8fd9ef6bc768e1/deploy/static/provider/aws/deploy-tls-termination.yaml) +- Download [deploy-tls-termination.yaml](https://raw.githubusercontent.com/kubernetes/ingress-nginx/204739fb6650c48fd41dc9505f8fd9ef6bc768e1/deploy/static/provider/aws/deploy-tls-termination.yaml) ```console wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/204739fb6650c48fd41dc9505f8fd9ef6bc768e1/deploy/static/provider/aws/deploy-tls-termination.yaml ``` -2. Change: +- Edit the file and change: -- Set the VPC CIDR: `proxy-real-ip-cidr: XXX.XXX.XXX/XX` -- Change the AWS Certificate Manager (ACM) ID `service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:acm:us-west-2:XXXXXXXX:certificate/XXXXXX-XXXXXXX-XXXXXXX-XXXXXXXX` + - VPC CIDR in use for the Kubernetes cluster: -3. Deploy the manifests: + `proxy-real-ip-cidr: XXX.XXX.XXX/XX` + + - AWS Certificate Manager (ACM) ID + + `arn:aws:acm:us-west-2:XXXXXXXX:certificate/XXXXXX-XXXXXXX-XXXXXXX-XXXXXXXX` + +- Deploy the manifest: ```console kubectl apply -f deploy-tls-termination.yaml 
@@ -109,19 +101,31 @@ kubectl apply -f deploy-tls-termination.yaml In some scenarios users will need to modify the value of the NLB idle timeout. Users need to ensure the idle timeout is less than the [keepalive_timeout](http://nginx.org/en/docs/http/ngx_http_core_module.html#keepalive_timeout) that is configured for NGINX. By default NGINX `keepalive_timeout` is set to `75s`. -The default NLB idle timeout will work for most scenarios, unless the NGINX [keepalive_timeout](http://nginx.org/en/docs/http/ngx_http_core_module.html#keepalive_timeout) has been modified, in which case `service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout` will need to be modified to ensure it is less than the `keepalive_timeout` the user has configured. +The default NLB idle timeout works for most scenarios, unless the NGINX [keepalive_timeout](http://nginx.org/en/docs/http/ngx_http_core_module.html#keepalive_timeout) has been modified, in which case the annotation -_Please Note: An idle timeout of `3600s` is recommended when using WebSockets._ +`service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout` value must be modified to ensure it is less than the configured `keepalive_timeout`. -More information with regards to idle timeouts for your Load Balancer can be found in the [official AWS documentation](https://docs.aws.amazon.com/elasticloadbalancing/latest/network/network-load-balancers.html#connection-idle-timeout). +!!! note "" + An idle timeout of `3600` is recommended when using WebSockets + +More information with regards to timeouts for can be found in the [official AWS documentation](https://docs.aws.amazon.com/elasticloadbalancing/latest/network/network-load-balancers.html#connection-idle-timeout) #### GCE-GKE +!!! 
info + Initialize your user as a cluster-admin with the following command: + ```console + kubectl create clusterrolebinding cluster-admin-binding \ + --clusterrole cluster-admin \ + --user $(gcloud config get-value account) + ``` + ```console kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/static/provider/cloud/deploy.yaml ``` -**Important Note:** proxy protocol is not supported in GCE/GKE +!!! warning Important + Proxy protocol is not supported in GCE/GKE #### Azure @@ -145,10 +149,12 @@ kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/mast To check if the ingress controller pods have started, run the following command: ```console -kubectl get pods --all-namespaces -l app.kubernetes.io/name=ingress-nginx --watch +kubectl get pods -n ingress-nginx \ + -l app.kubernetes.io/name=ingress-nginx --watch ``` -Once the operator pods are running, you can cancel the above command by typing `Ctrl+C`. +Once the ingress controller pods are running, you can cancel the command typing `Ctrl+C`. + Now, you are ready to create your first ingress. ### Detect installed version 
@@ -168,18 +174,18 @@ NGINX Ingress controller can be installed via [Helm](https://helm.sh/) using the To install the chart with the release name `ingress-nginx`: ```console -helm repo add k8s-ingress-nginx https://kubernetes.github.io/ingress-nginx/ -helm install ingress-nginx k8s-ingress-nginx +helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx +helm install ingress-nginx ``` If you are using [Helm 2](https://v2.helm.sh/) then specify release name using `--name` flag ```console -helm repo add k8s-ingress-nginx https://kubernetes.github.io/ingress-nginx/ -helm install k8s-ingress-nginx --name ingress-nginx +helm repo add https://kubernetes.github.io/ingress-nginx/ +helm install --name ingress-nginx ``` -### Detect installed version: +## Detect installed version: ```console POD_NAME=$(kubectl get pods -l app.kubernetes.io/name=ingress-nginx -o jsonpath='{.items[0].metadata.name}')