Marco Ebert
027603927b
Chart: Remove Pod Security Policy. ( #11971 )
2024-09-15 17:03:24 +02:00
Marco Ebert
61f56cb490
Chart: Improve default backend service account. ( #11972 )
2024-09-15 15:49:14 +01:00
Marco Ebert
e972a35e98
Chart: Remove `isControllerTagValid`. ( #11710 )
2024-08-01 00:28:12 -07:00
Gerald Pape
36df47fcc4
Chart: Explicitly set `runAsGroup`. ( #11679 )
...
* Chart: Explicitly set `runAsGroup`.
Set a default value for the runAsGroup in container securityContexts of
the controller and default backend.
Also set the runAsGroup for opentelemetry and webhook Job container
securityContexts.
Signed-off-by: Gerald Pape <gerald@giantswarm.io>
* Apply suggestions from code review
Co-authored-by: Marco Ebert <marco_ebert@icloud.com>
---------
Signed-off-by: Gerald Pape <gerald@giantswarm.io>
Co-authored-by: Marco Ebert <marco_ebert@icloud.com>
2024-07-29 06:27:15 -07:00
Reddysekhar Gaduputi
0c17748c44
Chart: Make admission webhook patch job RBAC configurable. ( #11376 )
...
* Add an option to skip rbac resources creation in helm chart for admission-webhooks (#11375 )
Signed-off-by: Reddysekhar Gaduputi <gsekhar73@gmail.com>
* Add an option to skip rbac resources creation in helm chart update README (#11375 )
Signed-off-by: Reddysekhar Gaduputi <gsekhar73@gmail.com>
* Add an option to skip serviceAccount resources creation in helm chart for admission-webhooks (#11375 )
Signed-off-by: Reddysekhar Gaduputi <gsekhar73@gmail.com>
* Add helm chart tests for admission-webhooks (#11375 )
Signed-off-by: Reddysekhar Gaduputi <gsekhar73@gmail.com>
* Chart make admission webhook patch job RBAC configurable (#11375 )
Signed-off-by: Reddysekhar Gaduputi <gsekhar73@gmail.com>
* Update charts/ingress-nginx/tests/admission-webhooks/job-patch/clusterrole_test.yaml
Co-authored-by: Marco Ebert <marco_ebert@icloud.com>
* Update charts/ingress-nginx/tests/admission-webhooks/job-patch/clusterrolebinding_test.yaml
Co-authored-by: Marco Ebert <marco_ebert@icloud.com>
* Update charts/ingress-nginx/tests/admission-webhooks/job-patch/role_test.yaml
Co-authored-by: Marco Ebert <marco_ebert@icloud.com>
* Update charts/ingress-nginx/tests/admission-webhooks/job-patch/rolebinding_test.yaml
Co-authored-by: Marco Ebert <marco_ebert@icloud.com>
* Update charts/ingress-nginx/tests/admission-webhooks/job-patch/serviceaccount_test.yaml
Co-authored-by: Marco Ebert <marco_ebert@icloud.com>
---------
Signed-off-by: Reddysekhar Gaduputi <gsekhar73@gmail.com>
Co-authored-by: Marco Ebert <marco_ebert@icloud.com>
2024-06-03 02:17:23 -07:00
Marco Ebert
112b9bb028
Chart: Render `controller.ingressClassResource.parameters` natively. ( #11108 )
2024-03-14 06:23:13 -07:00
patst
7e31f818ff
helm: opentelemetry addon allow configuration of registry with setting tag ( #9773 )
...
* feat: allow configuration of registry, image, tag and digest in single values for opentelemetry addon
* feat: allow configuration of registry, image, tag and digest in single values for opentelemetry addon
* add ci test file
* fix: updated helm-docs with opentelemetry image value
* fix: ci test case
* fix: ci test case set default registry, image + tag
* fix: ci test case set default registry + image
* fix: remove unrequired comment
* feat!: use extraModules helper method for templating the image value
* image definition for OTel image is now split up in image, repo and registry values
* feat!: move distroless config under the image key
* update helm-docs
* Refactor template to generate the image name
* adapt test cases for extraModules
* implement code review
* try to fix ci test for opentelemetry
2023-12-08 11:09:34 +01:00
Marco Ebert
8b026f42d5
Chart: Tighten `securityContext`s and Pod Security Policies. ( #10491 )
...
* Values: Fix docs of `controller.podSecurityContext` & `controller.sysctls`.
* Values: Add missing `controller.containerSecurityContext`.
Already in use, but has never been added to values.
* Values: Fix docs of `defaultBackend.podSecurityContext` & `defaultBackend.containerSecurityContext`.
* Helpers: Rename `controller.containerSecurityContext` to `ingress-nginx.controller.containerSecurityContext`.
Due to alignment with other templates.
* Helpers: Improve `extraModules`.
- Make `command` a multiline list.
- Fix `toYaml` usage.
- Remove `toYaml` where not necessary.
* Helpers: Move `ingress-nginx.defaultBackend.fullname`.
* Helpers: Add `ingress-nginx.defaultBackend.containerSecurityContext`.
Extracts the default backend `securityContext` into a template, as for the controller.
* Controller: Fix indentation of `controller.podSecurityContext` & `controller.sysctls`.
* Controller: Improve `controller.extraModules` & `controller.opentelemetry`.
- Add `controller.extraModules.distroless` & `controller.extraModules.resources`.
- Add `controller.opentelemetry.name` & `controller.opentelemetry.distroless`.
- Align `extraModules` inclusion for `controller.extraModules` & `controller.opentelemetry`.
- Remove redundant whitespaces.
* Controller/PSP: Align indentation.
* Controller/PSP: Remove quotes.
* Controller/PSP: Improve comments.
* Controller/PSP: Reorder fields.
See https://v1-24.docs.kubernetes.io/docs/concepts/security/pod-security-policy .
* Admission Webhooks: Fix indentation of `controller.admissionWebhooks.patch.securityContext`.
* Admission Webhooks/PSP: Align indentation.
* Admission Webhooks/PSP: Reorder fields.
* Admission Webhooks/PSP: Align condition.
* Admission Webhooks/ClusterRole: Align PSP rule.
* Default Backend/PSP: Align indentation.
* Default Backend/PSP: Reorder fields.
See https://v1-24.docs.kubernetes.io/docs/concepts/security/pod-security-policy .
* Values: Tighten `controller.image`.
Due to recent changes, the controller image can be run without privilege escalation:
- https://github.com/kubernetes/ingress-nginx/issues/8499
- https://github.com/kubernetes/ingress-nginx/pull/7449
* Values: Tighten `controller.extraModules.containerSecurityContext`.
* Values: Tighten `controller.opentelemetry.containerSecurityContext`.
* Values: Tighten `controller.admissionWebhooks.*.securityContext`.
Moves the pod `securityContext` to the containers to not interfere with injected containers.
* Values: Tighten `defaultBackend.image`.
2023-11-07 18:52:36 +01:00
Marco Ebert
9cb3919e84
Chart: Improve #10539 . ( #10565 )
...
* Helpers: Align `ingress-nginx.namespace` to `ingress-nginx.name`.
* Templates: Remove quotes.
In alignment to others. Also does not make sense as `namespace` must conform to DNS.
* Admission Webhooks/Validating Webhook: Make use of `ingress-nginx.namespace`.
* KEDA: Remove comment.
* Templates: Add forgotten namespace definitions.
2023-11-01 22:59:56 +01:00
Marco Ebert
0120a2df48
Admission Webhook: Truncate name. ( #10523 )
2023-10-29 18:26:05 +01:00
jasine
7ce6cc88d8
feat: add namespace overrides ( #10539 )
...
* feat: add namespace overrides
* add value in readme
* fix: readme description
* fix: description in value
* fix: set max length and trim last "-"
2023-10-24 19:53:46 +02:00
František Hána
06c64bf567
helm: add resources to opentelemetry init container ( #10300 )
2023-09-11 19:36:12 -07:00
Marco Ebert
2d03da6334
Deployment/DaemonSet: Fix templating & value. ( #10240 )
2023-09-10 07:20:09 -07:00
Ehsan Saei
436df32c2c
add distroless otel init ( #10035 )
...
add distroless otel init
2023-06-12 03:47:48 -07:00
Ehsan Saei
3474c33e15
update OpenTelemetry image ( #9308 )
...
* update OpenTelemetry image
* review comment
* helm-docs
* clean
2022-12-05 00:55:02 -08:00
FutureMatt
249780737c
#7652 - Updated Helm chart to use the fullname for the electionID if not specified. ( #9133 )
...
* Automatically generate electionID from the fullname or use the set value.
* Updated the chart readme to include the new empty default.
* Rebuilt the Helm readme with helm-docs.
2022-10-13 07:37:01 -07:00
Ricardo Katz
3def835a6a
Jail/chroot nginx process inside controller container ( #8337 )
...
* Initial work on chrooting nginx process
* More improvements in chroot
* Fix charts and some file locations
* Fix symlink on non chrooted container
* fix psp test
* Add e2e tests to chroot image
* Fix logger
* Add internal logger in controller
* Fix overlay for chrooted tests
* Fix tests
* fix boilerplates
* Fix unittest to point to the right pid
* Fix PR review
2022-04-08 21:48:04 -07:00
Nicolas Lamirault
3732681588
Support additional labels and all Kubernetes recommended labels ( #7186 )
...
* Add: Kubernetes recommended labels
Signed-off-by: Nicolas Lamirault <nicolas.lamirault@gmail.com>
* Add: support additional labels
Signed-off-by: Nicolas Lamirault <nicolas.lamirault@gmail.com>
* Add: commonLabels default value
Signed-off-by: Nicolas Lamirault <nicolas.lamirault@gmail.com>
2022-01-16 14:29:28 -08:00
Adam Graves
6299c39842
Allow setting of container securityContext ( #7533 )
...
Currently this blocks deployments on clusters with global PodSecurityPolicies set
Signed-off-by: Adam Graves <adam.graves85@gmail.com>
2021-11-15 13:54:49 -08:00
Christian Rebischke
cec3c0af3d
helm: add new ingressClass resource ( #6882 )
...
* helm: add new ingressClass resource
* add ingress parameters support
This commit adds ingress parameters support.
Credits go to Ariel Vinas: ariel@craftech.io
2021-06-18 16:16:42 -07:00
Andrew Konrath
603e2c5ee8
Allow custom service names for controller and backend ( #6457 )
2020-12-05 17:49:15 -06:00
Philipp Strube
59b16c4e92
Use Env expansion for namespace in args
...
When deploying the controller to a custom namespace, users have to
overwrite the namespace attribute as well as the hardcoded namespace
values in a number of args for the Deployment and the admission
controller Jobs.
Instead, this commit uses the namespace name from the DownwardAPI,
and allows users to simply change the namespace attribute without
having to worry about the container args.
2020-07-29 11:44:08 +02:00
nicklasfrahm
f63b7601a2
Fix helper for defaultbackend name
...
Signed-off-by: nicklasfrahm <nicklas.frahm@gmail.com>
2020-04-28 18:39:35 +02:00
Manuel Alejandro de Brito Fontes
977178dea4
Remove chart old podSecurityPolicy check
2020-04-14 23:07:45 -04:00
Manuel Alejandro de Brito Fontes
1f3eac2c8c
Remove duplicated annotations definition and refactor hostPort configuration
2020-04-06 19:15:47 -04:00
Manuel Alejandro de Brito Fontes
b8839a66b5
Fix valid semver comparison to allow dev images
2020-03-16 16:53:56 -03:00
Manuel Alejandro de Brito Fontes
e9641ba08e
Check chart controller image tag
2020-03-16 11:50:05 -03:00
Naseem
5ae314bd64
Hardcode component names.
...
By removing this, we reduce unnecessary config options and moving parts.
Signed-off-by: Naseem <naseem@transit.app>
2020-03-10 09:36:26 -04:00
ChiefAlexander
388a499533
Cleanup chart code
2020-03-03 09:20:45 -06:00
ChiefAlexander
710f1f2601
Update helm templates to match new chart name
2020-02-28 08:53:24 -06:00
Naseem
003039f23c
Use recommended labels and label helpers
...
Signed-off-by: Naseem <naseem@transit.app>
2020-02-27 22:35:34 -05:00
Manuel Alejandro de Brito Fontes
624cb5f048
Start migration of helm chart ( #5159 )
2020-02-24 16:25:57 -03:00