ingress_deploy.yaml

  2. apiVersion: v1
  3. kind: Namespace
  4. metadata:
  5.   name: ingress-nginx
  6.   labels:
  7.     app.kubernetes.io/name: ingress-nginx
  8.     app.kubernetes.io/instance: ingress-nginx
  10. ---
  11. # Source: ingress-nginx/templates/controller-serviceaccount.yaml
  12. apiVersion: v1
  13. kind: ServiceAccount
  14. metadata:
  15.   labels:
  16.     helm.sh/chart: ingress-nginx-3.23.0
  17.     app.kubernetes.io/name: ingress-nginx
  18.     app.kubernetes.io/instance: ingress-nginx
  19.     app.kubernetes.io/version: 0.44.0
  20.     app.kubernetes.io/managed-by: Helm
  21.     app.kubernetes.io/component: controller
  22.   name: ingress-nginx
  23.   namespace: ingress-nginx
  24. ---
  25. # Source: ingress-nginx/templates/controller-configmap.yaml
  26. apiVersion: v1
  27. kind: ConfigMap
  28. metadata:
  29.   labels:
  30.     helm.sh/chart: ingress-nginx-3.23.0
  31.     app.kubernetes.io/name: ingress-nginx
  32.     app.kubernetes.io/instance: ingress-nginx
  33.     app.kubernetes.io/version: 0.44.0
  34.     app.kubernetes.io/managed-by: Helm
  35.     app.kubernetes.io/component: controller
  36.   name: ingress-nginx-controller
  37.   namespace: ingress-nginx
  38. data:
  39. ---
  40. # Source: ingress-nginx/templates/clusterrole.yaml
  41. apiVersion: rbac.authorization.k8s.io/v1
  42. kind: ClusterRole
  43. metadata:
  44.   labels:
  45.     helm.sh/chart: ingress-nginx-3.23.0
  46.     app.kubernetes.io/name: ingress-nginx
  47.     app.kubernetes.io/instance: ingress-nginx
  48.     app.kubernetes.io/version: 0.44.0
  49.     app.kubernetes.io/managed-by: Helm
  50.   name: ingress-nginx
  51. rules:
  52.   - apiGroups:
  53.       - ''
  54.     resources:
  55.       - configmaps
  56.       - endpoints
  57.       - nodes
  58.       - pods
  59.       - secrets
  60.     verbs:
  61.       - list
  62.       - watch
  63.   - apiGroups:
  64.       - ''
  65.     resources:
  66.       - nodes
  67.     verbs:
  68.       - get
  69.   - apiGroups:
  70.       - ''
  71.     resources:
  72.       - services
  73.     verbs:
  74.       - get
  75.       - list
  76.       - watch
  77.   - apiGroups:
  78.       - extensions
  79.       - networking.k8s.io   # k8s 1.14+
  80.     resources:
  81.       - ingresses
  82.     verbs:
  83.       - get
  84.       - list
  85.       - watch
  86.   - apiGroups:
  87.       - ''
  88.     resources:
  89.       - events
  90.     verbs:
  91.       - create
  92.       - patch
  93.   - apiGroups:
  94.       - extensions
  95.       - networking.k8s.io   # k8s 1.14+
  96.     resources:
  97.       - ingresses/status
  98.     verbs:
  99.       - update
  100.   - apiGroups:
  101.       - networking.k8s.io   # k8s 1.14+
  102.     resources:
  103.       - ingressclasses
  104.     verbs:
  105.       - get
  106.       - list
  107.       - watch
  108. ---
  109. # Source: ingress-nginx/templates/clusterrolebinding.yaml
  110. apiVersion: rbac.authorization.k8s.io/v1
  111. kind: ClusterRoleBinding
  112. metadata:
  113.   labels:
  114.     helm.sh/chart: ingress-nginx-3.23.0
  115.     app.kubernetes.io/name: ingress-nginx
  116.     app.kubernetes.io/instance: ingress-nginx
  117.     app.kubernetes.io/version: 0.44.0
  118.     app.kubernetes.io/managed-by: Helm
  119.   name: ingress-nginx
  120. roleRef:
  121.   apiGroup: rbac.authorization.k8s.io
  122.   kind: ClusterRole
  123.   name: ingress-nginx
  124. subjects:
  125.   - kind: ServiceAccount
  126.     name: ingress-nginx
  127.     namespace: ingress-nginx
  128. ---
  129. # Source: ingress-nginx/templates/controller-role.yaml
  130. apiVersion: rbac.authorization.k8s.io/v1
  131. kind: Role
  132. metadata:
  133.   labels:
  134.     helm.sh/chart: ingress-nginx-3.23.0
  135.     app.kubernetes.io/name: ingress-nginx
  136.     app.kubernetes.io/instance: ingress-nginx
  137.     app.kubernetes.io/version: 0.44.0
  138.     app.kubernetes.io/managed-by: Helm
  139.     app.kubernetes.io/component: controller
  140.   name: ingress-nginx
  141.   namespace: ingress-nginx
  142. rules:
  143.   - apiGroups:
  144.       - ''
  145.     resources:
  146.       - namespaces
  147.     verbs:
  148.       - get
  149.   - apiGroups:
  150.       - ''
  151.     resources:
  152.       - configmaps
  153.       - pods
  154.       - secrets
  155.       - endpoints
  156.     verbs:
  157.       - get
  158.       - list
  159.       - watch
  160.   - apiGroups:
  161.       - ''
  162.     resources:
  163.       - services
  164.     verbs:
  165.       - get
  166.       - list
  167.       - watch
  168.   - apiGroups:
  169.       - extensions
  170.       - networking.k8s.io   # k8s 1.14+
  171.     resources:
  172.       - ingresses
  173.     verbs:
  174.       - get
  175.       - list
  176.       - watch
  177.   - apiGroups:
  178.       - extensions
  179.       - networking.k8s.io   # k8s 1.14+
  180.     resources:
  181.       - ingresses/status
  182.     verbs:
  183.       - update
  184.   - apiGroups:
  185.       - networking.k8s.io   # k8s 1.14+
  186.     resources:
  187.       - ingressclasses
  188.     verbs:
  189.       - get
  190.       - list
  191.       - watch
  192.   - apiGroups:
  193.       - ''
  194.     resources:
  195.       - configmaps
  196.     resourceNames:
  197.       - ingress-controller-leader-nginx
  198.     verbs:
  199.       - get
  200.       - update
  201.   - apiGroups:
  202.       - ''
  203.     resources:
  204.       - configmaps
  205.     verbs:
  206.       - create
  207.   - apiGroups:
  208.       - ''
  209.     resources:
  210.       - events
  211.     verbs:
  212.       - create
  213.       - patch
  214. ---
  215. # Source: ingress-nginx/templates/controller-rolebinding.yaml
  216. apiVersion: rbac.authorization.k8s.io/v1
  217. kind: RoleBinding
  218. metadata:
  219.   labels:
  220.     helm.sh/chart: ingress-nginx-3.23.0
  221.     app.kubernetes.io/name: ingress-nginx
  222.     app.kubernetes.io/instance: ingress-nginx
  223.     app.kubernetes.io/version: 0.44.0
  224.     app.kubernetes.io/managed-by: Helm
  225.     app.kubernetes.io/component: controller
  226.   name: ingress-nginx
  227.   namespace: ingress-nginx
  228. roleRef:
  229.   apiGroup: rbac.authorization.k8s.io
  230.   kind: Role
  231.   name: ingress-nginx
  232. subjects:
  233.   - kind: ServiceAccount
  234.     name: ingress-nginx
  235.     namespace: ingress-nginx
  236. ---
  237. # Source: ingress-nginx/templates/controller-service-webhook.yaml
  238. apiVersion: v1
  239. kind: Service
  240. metadata:
  241.   labels:
  242.     helm.sh/chart: ingress-nginx-3.23.0
  243.     app.kubernetes.io/name: ingress-nginx
  244.     app.kubernetes.io/instance: ingress-nginx
  245.     app.kubernetes.io/version: 0.44.0
  246.     app.kubernetes.io/managed-by: Helm
  247.     app.kubernetes.io/component: controller
  248.   name: ingress-nginx-controller-admission
  249.   namespace: ingress-nginx
  250. spec:
  251.   type: ClusterIP
  252.   ports:
  253.     - name: https-webhook
  254.       port: 443
  255.       targetPort: webhook
  256.   selector:
  257.     app.kubernetes.io/name: ingress-nginx
  258.     app.kubernetes.io/instance: ingress-nginx
  259.     app.kubernetes.io/component: controller
  260. ---
  261. # Source: ingress-nginx/templates/controller-service.yaml
  262. apiVersion: v1
  263. kind: Service
  264. metadata:
  265.   annotations:
  266.   labels:
  267.     helm.sh/chart: ingress-nginx-3.23.0
  268.     app.kubernetes.io/name: ingress-nginx
  269.     app.kubernetes.io/instance: ingress-nginx
  270.     app.kubernetes.io/version: 0.44.0
  271.     app.kubernetes.io/managed-by: Helm
  272.     app.kubernetes.io/component: controller
  273.   name: ingress-nginx-controller
  274.   namespace: ingress-nginx
  275. spec:
  276.   type: NodePort
  277.   ports:
  278.     - name: http
  279.       port: 80
  280.       protocol: TCP
  281.       targetPort: http
  282.     - name: https
  283.       port: 443
  284.       protocol: TCP
  285.       targetPort: https
  286.   selector:
  287.     app.kubernetes.io/name: ingress-nginx
  288.     app.kubernetes.io/instance: ingress-nginx
  289.     app.kubernetes.io/component: controller
  290. ---
  291. # Source: ingress-nginx/templates/controller-deployment.yaml
  292. apiVersion: apps/v1
  293. kind: Deployment
  294. metadata:
  295.   labels:
  296.     helm.sh/chart: ingress-nginx-3.23.0
  297.     app.kubernetes.io/name: ingress-nginx
  298.     app.kubernetes.io/instance: ingress-nginx
  299.     app.kubernetes.io/version: 0.44.0
  300.     app.kubernetes.io/managed-by: Helm
  301.     app.kubernetes.io/component: controller
  302.   name: ingress-nginx-controller
  303.   namespace: ingress-nginx
  304. spec:
  305.   selector:
  306.     matchLabels:
  307.       app.kubernetes.io/name: ingress-nginx
  308.       app.kubernetes.io/instance: ingress-nginx
  309.       app.kubernetes.io/component: controller
  310.   revisionHistoryLimit: 10
  311.   minReadySeconds: 0
  312.   template:
  313.     metadata:
  314.       labels:
  315.         app.kubernetes.io/name: ingress-nginx
  316.         app.kubernetes.io/instance: ingress-nginx
  317.         app.kubernetes.io/component: controller
  318.     spec:
  319.       dnsPolicy: ClusterFirst
  320.       containers:
  321.         - name: controller
  322.           image: k8s.gcr.io/ingress-nginx/controller:v0.44.0@sha256:3dd0fac48073beaca2d67a78c746c7593f9c575168a17139a9955a82c63c4b9a
  323.           imagePullPolicy: IfNotPresent
  324.           lifecycle:
  325.             preStop:
  326.               exec:
  327.                 command:
  328.                   - /wait-shutdown
  329.           args:
  330.             - /nginx-ingress-controller
  331.             - --election-id=ingress-controller-leader
  332.             - --ingress-class=nginx
  333.             - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
  334.             - --validating-webhook=:8443
  335.             - --validating-webhook-certificate=/usr/local/certificates/cert
  336.             - --validating-webhook-key=/usr/local/certificates/key
  337.           securityContext:
  338.             capabilities:
  339.               drop:
  340.                 - ALL
  341.               add:
  342.                 - NET_BIND_SERVICE
  343.             runAsUser: 101
  344.             allowPrivilegeEscalation: true
  345.           env:
  346.             - name: POD_NAME
  347.               valueFrom:
  348.                 fieldRef:
  349.                   fieldPath: metadata.name
  350.             - name: POD_NAMESPACE
  351.               valueFrom:
  352.                 fieldRef:
  353.                   fieldPath: metadata.namespace
  354.             - name: LD_PRELOAD
  355.               value: /usr/local/lib/libmimalloc.so
  356.           livenessProbe:
  357.             httpGet:
  358.               path: /healthz
  359.               port: 10254
  360.               scheme: HTTP
  361.             initialDelaySeconds: 10
  362.             periodSeconds: 10
  363.             timeoutSeconds: 1
  364.             successThreshold: 1
  365.             failureThreshold: 5
  366.           readinessProbe:
  367.             httpGet:
  368.               path: /healthz
  369.               port: 10254
  370.               scheme: HTTP
  371.             initialDelaySeconds: 10
  372.             periodSeconds: 10
  373.             timeoutSeconds: 1
  374.             successThreshold: 1
  375.             failureThreshold: 3
  376.           ports:
  377.             - name: http
  378.               containerPort: 80
  379.               protocol: TCP
  380.             - name: https
  381.               containerPort: 443
  382.               protocol: TCP
  383.             - name: webhook
  384.               containerPort: 8443
  385.               protocol: TCP
  386.           volumeMounts:
  387.             - name: webhook-cert
  388.               mountPath: /usr/local/certificates/
  389.               readOnly: true
  390.           resources:
  391.             requests:
  392.               cpu: 100m
  393.               memory: 90Mi
  394.       nodeSelector:
  395.         kubernetes.io/os: linux
  396.       serviceAccountName: ingress-nginx
  397.       terminationGracePeriodSeconds: 300
  398.       volumes:
  399.         - name: webhook-cert
  400.           secret:
  401.             secretName: ingress-nginx-admission
  402. ---
  403. # Source: ingress-nginx/templates/admission-webhooks/validating-webhook.yaml
  404. # before changing this value, check the required kubernetes version
  405. # https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#prerequisites
  406. apiVersion: admissionregistration.k8s.io/v1
  407. kind: ValidatingWebhookConfiguration
  408. metadata:
  409.   labels:
  410.     helm.sh/chart: ingress-nginx-3.23.0
  411.     app.kubernetes.io/name: ingress-nginx
  412.     app.kubernetes.io/instance: ingress-nginx
  413.     app.kubernetes.io/version: 0.44.0
  414.     app.kubernetes.io/managed-by: Helm
  415.     app.kubernetes.io/component: admission-webhook
  416.   name: ingress-nginx-admission
  417. webhooks:
  418.   - name: validate.nginx.ingress.kubernetes.io
  419.     matchPolicy: Equivalent
  420.     rules:
  421.       - apiGroups:
  422.           - networking.k8s.io
  423.         apiVersions:
  424.           - v1beta1
  425.         operations:
  426.           - CREATE
  427.           - UPDATE
  428.         resources:
  429.           - ingresses
  430.     failurePolicy: Fail
  431.     sideEffects: None
  432.     admissionReviewVersions:
  433.       - v1
  434.       - v1beta1
  435.     clientConfig:
  436.       service:
  437.         namespace: ingress-nginx
  438.         name: ingress-nginx-controller-admission
  439.         path: /networking/v1beta1/ingresses
  440. ---
  441. # Source: ingress-nginx/templates/admission-webhooks/job-patch/serviceaccount.yaml
  442. apiVersion: v1
  443. kind: ServiceAccount
  444. metadata:
  445.   name: ingress-nginx-admission
  446.   annotations:
  447.     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
  448.     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
  449.   labels:
  450.     helm.sh/chart: ingress-nginx-3.23.0
  451.     app.kubernetes.io/name: ingress-nginx
  452.     app.kubernetes.io/instance: ingress-nginx
  453.     app.kubernetes.io/version: 0.44.0
  454.     app.kubernetes.io/managed-by: Helm
  455.     app.kubernetes.io/component: admission-webhook
  456.   namespace: ingress-nginx
  457. ---
  458. # Source: ingress-nginx/templates/admission-webhooks/job-patch/clusterrole.yaml
  459. apiVersion: rbac.authorization.k8s.io/v1
  460. kind: ClusterRole
  461. metadata:
  462.   name: ingress-nginx-admission
  463.   annotations:
  464.     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
  465.     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
  466.   labels:
  467.     helm.sh/chart: ingress-nginx-3.23.0
  468.     app.kubernetes.io/name: ingress-nginx
  469.     app.kubernetes.io/instance: ingress-nginx
  470.     app.kubernetes.io/version: 0.44.0
  471.     app.kubernetes.io/managed-by: Helm
  472.     app.kubernetes.io/component: admission-webhook
  473. rules:
  474.   - apiGroups:
  475.       - admissionregistration.k8s.io
  476.     resources:
  477.       - validatingwebhookconfigurations
  478.     verbs:
  479.       - get
  480.       - update
  481. ---
  482. # Source: ingress-nginx/templates/admission-webhooks/job-patch/clusterrolebinding.yaml
  483. apiVersion: rbac.authorization.k8s.io/v1
  484. kind: ClusterRoleBinding
  485. metadata:
  486.   name: ingress-nginx-admission
  487.   annotations:
  488.     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
  489.     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
  490.   labels:
  491.     helm.sh/chart: ingress-nginx-3.23.0
  492.     app.kubernetes.io/name: ingress-nginx
  493.     app.kubernetes.io/instance: ingress-nginx
  494.     app.kubernetes.io/version: 0.44.0
  495.     app.kubernetes.io/managed-by: Helm
  496.     app.kubernetes.io/component: admission-webhook
  497. roleRef:
  498.   apiGroup: rbac.authorization.k8s.io
  499.   kind: ClusterRole
  500.   name: ingress-nginx-admission
  501. subjects:
  502.   - kind: ServiceAccount
  503.     name: ingress-nginx-admission
  504.     namespace: ingress-nginx
  505. ---
  506. # Source: ingress-nginx/templates/admission-webhooks/job-patch/role.yaml
  507. apiVersion: rbac.authorization.k8s.io/v1
  508. kind: Role
  509. metadata:
  510.   name: ingress-nginx-admission
  511.   annotations:
  512.     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
  513.     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
  514.   labels:
  515.     helm.sh/chart: ingress-nginx-3.23.0
  516.     app.kubernetes.io/name: ingress-nginx
  517.     app.kubernetes.io/instance: ingress-nginx
  518.     app.kubernetes.io/version: 0.44.0
  519.     app.kubernetes.io/managed-by: Helm
  520.     app.kubernetes.io/component: admission-webhook
  521.   namespace: ingress-nginx
  522. rules:
  523.   - apiGroups:
  524.       - ''
  525.     resources:
  526.       - secrets
  527.     verbs:
  528.       - get
  529.       - create
  530. ---
  531. # Source: ingress-nginx/templates/admission-webhooks/job-patch/rolebinding.yaml
  532. apiVersion: rbac.authorization.k8s.io/v1
  533. kind: RoleBinding
  534. metadata:
  535.   name: ingress-nginx-admission
  536.   annotations:
  537.     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
  538.     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
  539.   labels:
  540.     helm.sh/chart: ingress-nginx-3.23.0
  541.     app.kubernetes.io/name: ingress-nginx
  542.     app.kubernetes.io/instance: ingress-nginx
  543.     app.kubernetes.io/version: 0.44.0
  544.     app.kubernetes.io/managed-by: Helm
  545.     app.kubernetes.io/component: admission-webhook
  546.   namespace: ingress-nginx
  547. roleRef:
  548.   apiGroup: rbac.authorization.k8s.io
  549.   kind: Role
  550.   name: ingress-nginx-admission
  551. subjects:
  552.   - kind: ServiceAccount
  553.     name: ingress-nginx-admission
  554.     namespace: ingress-nginx
  555. ---
  556. # Source: ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml
  557. apiVersion: batch/v1
  558. kind: Job
  559. metadata:
  560.   name: ingress-nginx-admission-create
  561.   annotations:
  562.     helm.sh/hook: pre-install,pre-upgrade
  563.     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
  564.   labels:
  565.     helm.sh/chart: ingress-nginx-3.23.0
  566.     app.kubernetes.io/name: ingress-nginx
  567.     app.kubernetes.io/instance: ingress-nginx
  568.     app.kubernetes.io/version: 0.44.0
  569.     app.kubernetes.io/managed-by: Helm
  570.     app.kubernetes.io/component: admission-webhook
  571.   namespace: ingress-nginx
  572. spec:
  573.   template:
  574.     metadata:
  575.       name: ingress-nginx-admission-create
  576.       labels:
  577.         helm.sh/chart: ingress-nginx-3.23.0
  578.         app.kubernetes.io/name: ingress-nginx
  579.         app.kubernetes.io/instance: ingress-nginx
  580.         app.kubernetes.io/version: 0.44.0
  581.         app.kubernetes.io/managed-by: Helm
  582.         app.kubernetes.io/component: admission-webhook
  583.     spec:
  584.       containers:
  585.         - name: create
  586.           image: docker.io/jettech/kube-webhook-certgen:v1.5.1
  587.           imagePullPolicy: IfNotPresent
  588.           args:
  589.             - create
  590.             - --host=ingress-nginx-controller-admission,ingress-nginx-controller-admission.$(POD_NAMESPACE).svc
  591.             - --namespace=$(POD_NAMESPACE)
  592.             - --secret-name=ingress-nginx-admission
  593.           env:
  594.             - name: POD_NAMESPACE
  595.               valueFrom:
  596.                 fieldRef:
  597.                   fieldPath: metadata.namespace
  598.       restartPolicy: OnFailure
  599.       serviceAccountName: ingress-nginx-admission
  600.       securityContext:
  601.         runAsNonRoot: true
  602.         runAsUser: 2000
  603. ---
  604. # Source: ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml
  605. apiVersion: batch/v1
  606. kind: Job
  607. metadata:
  608.   name: ingress-nginx-admission-patch
  609.   annotations:
  610.     helm.sh/hook: post-install,post-upgrade
  611.     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
  612.   labels:
  613.     helm.sh/chart: ingress-nginx-3.23.0
  614.     app.kubernetes.io/name: ingress-nginx
  615.     app.kubernetes.io/instance: ingress-nginx
  616.     app.kubernetes.io/version: 0.44.0
  617.     app.kubernetes.io/managed-by: Helm
  618.     app.kubernetes.io/component: admission-webhook
  619.   namespace: ingress-nginx
  620. spec:
  621.   template:
  622.     metadata:
  623.       name: ingress-nginx-admission-patch
  624.       labels:
  625.         helm.sh/chart: ingress-nginx-3.23.0
  626.         app.kubernetes.io/name: ingress-nginx
  627.         app.kubernetes.io/instance: ingress-nginx
  628.         app.kubernetes.io/version: 0.44.0
  629.         app.kubernetes.io/managed-by: Helm
  630.         app.kubernetes.io/component: admission-webhook
  631.     spec:
  632.       containers:
  633.         - name: patch
  634.           image: docker.io/jettech/kube-webhook-certgen:v1.5.1
  635.           imagePullPolicy: IfNotPresent
  636.           args:
  637.             - patch
  638.             - --webhook-name=ingress-nginx-admission
  639.             - --namespace=$(POD_NAMESPACE)
  640.             - --patch-mutating=false
  641.             - --secret-name=ingress-nginx-admission
  642.             - --patch-failure-policy=Fail
  643.           env:
  644.             - name: POD_NAMESPACE
  645.               valueFrom:
  646.                 fieldRef:
  647.                   fieldPath: metadata.namespace
  648.       restartPolicy: OnFailure
  649.       serviceAccountName: ingress-nginx-admission
  650.       securityContext:
  651.         runAsNonRoot: true
  652.         runAsUser: 2000