# Source: https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.2.0/deploy/static/provider/cloud/deploy.yaml
---
# Namespace that holds every namespaced object in this manifest.
# No pod-security.kubernetes.io/* labels are set, so Pod Security admission
# (where enabled) applies only the cluster-wide defaults to these pods.
apiVersion: v1
kind: Namespace
metadata:
  name: ingress-nginx
  labels:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
---
# Identity of the controller pods (Deployment ingress-nginx-controller sets
# serviceAccountName: ingress-nginx).
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ingress-nginx
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: "1.2.0"
# The API token is mounted into the controller container. The Role and
# ClusterRole named ingress-nginx in this file are bound to this account, so
# that token can read Secrets in every namespace; treat the controller pod as
# holding cluster-wide secret-read access.
automountServiceAccountToken: true
---
# Identity used by the two certgen Jobs (ingress-nginx-admission-create and
# ingress-nginx-admission-patch). automountServiceAccountToken is not set, so
# the Kubernetes default (token mounted) applies.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ingress-nginx-admission
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/component: admission-webhook
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: "1.2.0"
---
# Namespaced permissions for the controller inside ingress-nginx.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: ingress-nginx
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: "1.2.0"
rules:
  - apiGroups: [""]
    resources: [namespaces]
    verbs: [get]
  # Read access to Secrets in this namespace includes the webhook key pair
  # (ingress-nginx-admission) and the default TLS certificate (tls-secret).
  - apiGroups: [""]
    resources: [configmaps, pods, secrets, endpoints]
    verbs: [get, list, watch]
  - apiGroups: [""]
    resources: [services]
    verbs: [get, list, watch]
  - apiGroups: [networking.k8s.io]
    resources: [ingresses]
    verbs: [get, list, watch]
  - apiGroups: [networking.k8s.io]
    resources: [ingresses/status]
    verbs: [update]
  - apiGroups: [networking.k8s.io]
    resources: [ingressclasses]
    verbs: [get, list, watch]
  # Leader-election lock; the name matches --election-id in the Deployment.
  # get/update is scoped to that single ConfigMap via resourceNames.
  - apiGroups: [""]
    resources: [configmaps]
    resourceNames: [ingress-controller-leader]
    verbs: [get, update]
  # create cannot be limited by resourceNames, so it is granted for any
  # ConfigMap name in this namespace.
  - apiGroups: [""]
    resources: [configmaps]
    verbs: [create]
  - apiGroups: [""]
    resources: [events]
    verbs: [create, patch]
---
# Lets the certgen Jobs read and create Secrets in ingress-nginx; the Jobs
# pass --secret-name=ingress-nginx-admission. The rule is not narrowed with
# resourceNames, so get applies to every Secret in this namespace, including
# tls-secret.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: ingress-nginx-admission
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/component: admission-webhook
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: "1.2.0"
rules:
  - apiGroups: [""]
    resources: [secrets]
    verbs: [get, create]
---
# Cluster-wide permissions for the controller.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ingress-nginx
  labels:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: "1.2.0"
rules:
  # list/watch on secrets returns the secret contents, in every namespace.
  # This is the most sensitive grant in the manifest: whoever controls the
  # controller process (or its NGINX configuration) can read all of them.
  - apiGroups: [""]
    resources: [configmaps, endpoints, nodes, pods, secrets, namespaces]
    verbs: [list, watch]
  - apiGroups: [""]
    resources: [nodes]
    verbs: [get]
  - apiGroups: [""]
    resources: [services]
    verbs: [get, list, watch]
  - apiGroups: [networking.k8s.io]
    resources: [ingresses]
    verbs: [get, list, watch]
  - apiGroups: [""]
    resources: [events]
    verbs: [create, patch]
  - apiGroups: [networking.k8s.io]
    resources: [ingresses/status]
    verbs: [update]
  - apiGroups: [networking.k8s.io]
    resources: [ingressclasses]
    verbs: [get, list, watch]
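---
# Lets the certgen patch Job write the CA bundle into the validating webhook
# registration.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ingress-nginx-admission
  labels:
    app.kubernetes.io/component: admission-webhook
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: "1.2.0"
rules:
  # resourceNames limits get/update to the one configuration the patch Job
  # targets (--webhook-name=ingress-nginx-admission). Without it this service
  # account could rewrite any ValidatingWebhookConfiguration in the cluster.
  # Keep the name in sync if the webhook configuration is ever renamed.
  - apiGroups: [admissionregistration.k8s.io]
    resources: [validatingwebhookconfigurations]
    resourceNames: [ingress-nginx-admission]
    verbs: [get, update]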
---
# Grants Role ingress-nginx to the controller's service account.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ingress-nginx
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: "1.2.0"
subjects:
  - kind: ServiceAccount
    name: ingress-nginx
    namespace: ingress-nginx
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: ingress-nginx
---
# Grants Role ingress-nginx-admission to the certgen Jobs' service account.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ingress-nginx-admission
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/component: admission-webhook
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: "1.2.0"
subjects:
  - kind: ServiceAccount
    name: ingress-nginx-admission
    namespace: ingress-nginx
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: ingress-nginx-admission
---
# Binds ClusterRole ingress-nginx (cluster-wide list/watch on Secrets, among
# others) to the controller's service account.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: ingress-nginx
  labels:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: "1.2.0"
subjects:
  - kind: ServiceAccount
    name: ingress-nginx
    namespace: ingress-nginx
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ingress-nginx
---
# Binds ClusterRole ingress-nginx-admission (get/update on validating webhook
# configurations) to the certgen Jobs' service account.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: ingress-nginx-admission
  labels:
    app.kubernetes.io/component: admission-webhook
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: "1.2.0"
subjects:
  - kind: ServiceAccount
    name: ingress-nginx-admission
    namespace: ingress-nginx
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ingress-nginx-admission
---
# Controller settings, read through --configmap in the Deployment.
apiVersion: v1
kind: ConfigMap
metadata:
  name: ingress-nginx-controller
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: "1.2.0"
data:
  # NOTE(review): "true" lets Ingress authors place raw NGINX configuration in
  # *-snippet annotations. The controller's service account can list Secrets
  # cluster-wide (ClusterRole ingress-nginx), so anyone permitted to create or
  # update an Ingress in any namespace effectively shares that reach. Set this
  # to "false" unless snippets are required, and keep Ingress write access
  # limited to trusted principals if it stays enabled.
  allow-snippet-annotations: "true"
---
# Public entry point: a cloud load balancer forwarding 80/443 to the
# controller pods. No loadBalancerSourceRanges is set, so source filtering is
# left entirely to the cloud provider's defaults.
apiVersion: v1
kind: Service
metadata:
  name: ingress-nginx-controller
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: "1.2.0"
  annotations:
    # NOTE: This only works when using Gardener to manage the cluster
    # TODO: wildcard ingress URL, e.g. "*.example.com". Quote the value when
    # filling it in: a leading * is YAML alias syntax. Until then the value is
    # null, as in the original.
    cert.gardener.cloud/commonName: null
    cert.gardener.cloud/purpose: managed
    # The issued certificate lands in Secret tls-secret, which the Deployment
    # serves as --default-ssl-certificate for every host.
    cert.gardener.cloud/secretname: tls-secret
    dns.gardener.cloud/class: garden
    # TODO: wildcard ingress URL, e.g. "*.example.com" (quote it; null until
    # set).
    dns.gardener.cloud/dnsnames: null
    dns.gardener.cloud/ttl: "600"
spec:
  type: LoadBalancer
  # Local keeps traffic on the receiving node and preserves the client source
  # IP, which access logs and IP-based allow/deny rules depend on.
  externalTrafficPolicy: Local
  selector:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
  ports:
    - name: http
      appProtocol: http
      port: 80
      protocol: TCP
      targetPort: http
    - name: https
      appProtocol: https
      port: 443
      protocol: TCP
      targetPort: https
---
# In-cluster endpoint the API server calls for Ingress validation (referenced
# by the ValidatingWebhookConfiguration's clientConfig). ClusterIP only; no
# NetworkPolicy appears in this manifest, so pod-to-pod reachability of the
# webhook port depends on policies defined elsewhere.
apiVersion: v1
kind: Service
metadata:
  name: ingress-nginx-controller-admission
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: "1.2.0"
spec:
  type: ClusterIP
  selector:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
  ports:
    - name: https-webhook
      appProtocol: https
      port: 443
      targetPort: webhook
---
# The ingress controller itself: NGINX plus the admission webhook listener.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: ingress-nginx-controller
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: "1.2.0"
spec:
  minReadySeconds: 0
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      app.kubernetes.io/component: controller
      app.kubernetes.io/instance: ingress-nginx
      app.kubernetes.io/name: ingress-nginx
  template:
    metadata:
      labels:
        app.kubernetes.io/component: controller
        app.kubernetes.io/instance: ingress-nginx
        app.kubernetes.io/name: ingress-nginx
    spec:
      # This account carries cluster-wide Secret read access (see the
      # ClusterRole named ingress-nginx).
      serviceAccountName: ingress-nginx
      dnsPolicy: ClusterFirst
      nodeSelector:
        kubernetes.io/os: linux
      terminationGracePeriodSeconds: 300
      containers:
        - name: controller
          # Pinned by digest, so the tag cannot be repointed to other content.
          # NOTE(review): k8s.gcr.io is the legacy registry name; confirm it
          # still resolves in your environment before relying on it.
          image: k8s.gcr.io/ingress-nginx/controller:v1.2.0@sha256:d8196e3bc1e72547c5dec66d6556c0ff92a23f6d0919b206be170bc90d5f9185
          imagePullPolicy: IfNotPresent
          args:
            - /nginx-ingress-controller
            - --publish-service=$(POD_NAMESPACE)/ingress-nginx-controller
            - --election-id=ingress-controller-leader
            - --controller-class=k8s.io/ingress-nginx
            - --ingress-class=nginx
            - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
            - --validating-webhook=:8443
            - --validating-webhook-certificate=/usr/local/certificates/cert
            - --validating-webhook-key=/usr/local/certificates/key
            # Served for any request that matches no Ingress TLS entry; this
            # is the Secret named by cert.gardener.cloud/secretname on the
            # controller Service.
            - --default-ssl-certificate=ingress-nginx/tls-secret
          env:
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            # Preloads the allocator library shipped inside the image.
            - name: LD_PRELOAD
              value: /usr/local/lib/libmimalloc.so
          ports:
            - name: http
              containerPort: 80
              protocol: TCP
            - name: https
              containerPort: 443
              protocol: TCP
            - name: webhook
              containerPort: 8443
              protocol: TCP
          lifecycle:
            preStop:
              exec:
                command:
                  - /wait-shutdown
          # Both probes use plain HTTP on 10254. That port is not listed under
          # ports and is not published by either Service in this file.
          livenessProbe:
            httpGet:
              path: /healthz
              port: 10254
              scheme: HTTP
            initialDelaySeconds: 10
            periodSeconds: 10
            timeoutSeconds: 1
            successThreshold: 1
            failureThreshold: 5
          readinessProbe:
            httpGet:
              path: /healthz
              port: 10254
              scheme: HTTP
            initialDelaySeconds: 10
            periodSeconds: 10
            timeoutSeconds: 1
            successThreshold: 1
            failureThreshold: 3
          # Requests only; no limits are declared, so nothing here caps the
          # container's CPU or memory use on the node.
          resources:
            requests:
              cpu: 100m
              memory: 90Mi
          securityContext:
            # NOTE(review): left true as in the upstream manifest, presumably
            # so the NET_BIND_SERVICE capability can take effect for UID 101
            # when binding 80/443 - confirm before changing it.
            allowPrivilegeEscalation: true
            capabilities:
              add:
                - NET_BIND_SERVICE
              drop:
                - ALL
            # UID 101 is non-root, but runAsNonRoot, readOnlyRootFilesystem
            # and seccompProfile are not set on this container (the certgen
            # Jobs in this file do set runAsNonRoot).
            runAsUser: 101
          volumeMounts:
            # Webhook key pair, mounted read-only.
            - name: webhook-cert
              mountPath: /usr/local/certificates/
              readOnly: true
      volumes:
        # Secret written by Job ingress-nginx-admission-create.
        - name: webhook-cert
          secret:
            secretName: ingress-nginx-admission
---
# One-shot Job that runs certgen "create" to produce the webhook key pair and
# store it in Secret ingress-nginx-admission.
apiVersion: batch/v1
kind: Job
metadata:
  name: ingress-nginx-admission-create
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/component: admission-webhook
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: "1.2.0"
spec:
  template:
    metadata:
      name: ingress-nginx-admission-create
      labels:
        app.kubernetes.io/component: admission-webhook
        app.kubernetes.io/instance: ingress-nginx
        app.kubernetes.io/name: ingress-nginx
        app.kubernetes.io/part-of: ingress-nginx
        app.kubernetes.io/version: "1.2.0"
    spec:
      serviceAccountName: ingress-nginx-admission
      restartPolicy: OnFailure
      nodeSelector:
        kubernetes.io/os: linux
      # Pod-level identity: non-root UID/GID 2000, enforced by runAsNonRoot.
      securityContext:
        fsGroup: 2000
        runAsNonRoot: true
        runAsUser: 2000
      containers:
        - name: create
          # Digest-pinned image.
          image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660
          imagePullPolicy: IfNotPresent
          args:
            - create
            # Host names passed to certgen; both refer to the admission
            # Service.
            - --host=ingress-nginx-controller-admission,ingress-nginx-controller-admission.$(POD_NAMESPACE).svc
            - --namespace=$(POD_NAMESPACE)
            - --secret-name=ingress-nginx-admission
          env:
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
          # Escalation is blocked; capabilities are not explicitly dropped and
          # the root filesystem is not marked read-only.
          securityContext:
            allowPrivilegeEscalation: false
---
# One-shot Job that runs certgen "patch" against ValidatingWebhookConfiguration
# ingress-nginx-admission, using Secret ingress-nginx-admission.
apiVersion: batch/v1
kind: Job
metadata:
  name: ingress-nginx-admission-patch
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/component: admission-webhook
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: "1.2.0"
spec:
  template:
    metadata:
      name: ingress-nginx-admission-patch
      labels:
        app.kubernetes.io/component: admission-webhook
        app.kubernetes.io/instance: ingress-nginx
        app.kubernetes.io/name: ingress-nginx
        app.kubernetes.io/part-of: ingress-nginx
        app.kubernetes.io/version: "1.2.0"
    spec:
      serviceAccountName: ingress-nginx-admission
      restartPolicy: OnFailure
      nodeSelector:
        kubernetes.io/os: linux
      # Pod-level identity: non-root UID/GID 2000, enforced by runAsNonRoot.
      securityContext:
        fsGroup: 2000
        runAsNonRoot: true
        runAsUser: 2000
      containers:
        - name: patch
          # Digest-pinned image, same one as the create Job.
          image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660
          imagePullPolicy: IfNotPresent
          args:
            - patch
            - --webhook-name=ingress-nginx-admission
            - --namespace=$(POD_NAMESPACE)
            # Only the validating configuration is touched.
            - --patch-mutating=false
            - --secret-name=ingress-nginx-admission
            # Sets the webhook to fail closed, matching failurePolicy: Fail in
            # the ValidatingWebhookConfiguration.
            - --patch-failure-policy=Fail
          env:
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
          # Escalation is blocked; capabilities are not explicitly dropped and
          # the root filesystem is not marked read-only.
          securityContext:
            allowPrivilegeEscalation: false
---
# Ingress objects with ingressClassName "nginx" are handled by this
# controller; the controller value matches --controller-class in the
# Deployment.
apiVersion: networking.k8s.io/v1
kind: IngressClass
metadata:
  name: nginx
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: "1.2.0"
spec:
  controller: k8s.io/ingress-nginx
---
# Registers the controller's admission endpoint for Ingress CREATE/UPDATE.
# clientConfig carries no caBundle here; the ingress-nginx-admission-patch Job
# is what updates this object after the certificate has been generated.
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  name: ingress-nginx-admission
  labels:
    app.kubernetes.io/component: admission-webhook
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: "1.2.0"
webhooks:
  - name: validate.nginx.ingress.kubernetes.io
    admissionReviewVersions: [v1]
    clientConfig:
      service:
        name: ingress-nginx-controller-admission
        namespace: ingress-nginx
        path: /networking/v1/ingresses
    # Fail closed: while the webhook is unreachable, Ingress create/update
    # requests are rejected instead of being admitted unvalidated.
    failurePolicy: Fail
    matchPolicy: Equivalent
    rules:
      - apiGroups: [networking.k8s.io]
        apiVersions: [v1]
        operations: [CREATE, UPDATE]
        resources: [ingresses]
    sideEffects: None
627 sideEffects: None