diff --git a/doc/source/install/multinode.rst b/doc/source/install/multinode.rst index d06f002e4..a7a544a8f 100644 --- a/doc/source/install/multinode.rst +++ b/doc/source/install/multinode.rst @@ -18,7 +18,7 @@ Alternatively, this step can be performed by running the script directly: Deploy Cluster and Namespace Ingress Controllers ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -.. literalinclude:: ../../../tools/deployment/multinode/020-ingress.sh +.. literalinclude:: ../../../tools/deployment/common/ingress.sh :language: shell :lines: 1,17- diff --git a/ingress/.helmignore b/ingress/.helmignore deleted file mode 100644 index b54c347b8..000000000 --- a/ingress/.helmignore +++ /dev/null @@ -1 +0,0 @@ -values_overrides diff --git a/ingress/Chart.yaml b/ingress/Chart.yaml deleted file mode 100644 index c96eb6a4f..000000000 --- a/ingress/Chart.yaml +++ /dev/null @@ -1,25 +0,0 @@ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - ---- -apiVersion: v1 -appVersion: v1.8.2 -description: OpenStack-Helm Ingress Controller -name: ingress -version: 0.2.19 -home: https://github.com/kubernetes/ingress -sources: - - https://github.com/kubernetes/ingress - - https://opendev.org/openstack/openstack-helm -maintainers: - - name: OpenStack-Helm Authors -... diff --git a/ingress/requirements.yaml b/ingress/requirements.yaml deleted file mode 100644 index 84f0affae..000000000 --- a/ingress/requirements.yaml +++ /dev/null 
@@ -1,18 +0,0 @@
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
----
-dependencies:
- - name: helm-toolkit
- repository: file://../helm-toolkit
- version: ">= 0.1.0"
-...
diff --git a/ingress/templates/bin/_ingress-controller.sh.tpl b/ingress/templates/bin/_ingress-controller.sh.tpl
deleted file mode 100644
index ee9e85eab..000000000
--- a/ingress/templates/bin/_ingress-controller.sh.tpl
+++ /dev/null
@@ -1,69 +0,0 @@ -#!/bin/bash - -{{/* -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/}} - -set -ex -COMMAND="${@:-start}" - -function start () { - find /tmp -maxdepth 1 \! -path /tmp -perm /222 -exec rm -rfv {} \; - - declare -A desired_opts - desired_opts["--stream-port"]="${PORT_STREAM}" - desired_opts["--profiler-port"]="${PORT_PROFILER}" - - possible_opts=$(/nginx-ingress-controller --help 2>&1 | awk '/^ --/ { print $1 }') - - extra_opts=() - for k in "${!desired_opts[@]}"; do - if echo "$possible_opts" | grep -q -- ^${k}$; then - extra_opts+=($k=${desired_opts[$k]}) - fi - done - - exec /usr/bin/dumb-init \ - /nginx-ingress-controller \ - {{- if eq .Values.deployment.mode "namespace" }} - --watch-namespace ${POD_NAMESPACE} \ - {{- end }} - --http-port=${PORT_HTTP} \ - --https-port=${PORT_HTTPS} \ - --healthz-port=${PORT_HEALTHZ} \ - --status-port=${PORT_STATUS} \ - --default-server-port=${DEFAULT_SERVER_PORT} \ - --election-id=${RELEASE_NAME} \ - --controller-class=${CONTROLLER_CLASS} \ - --ingress-class=${INGRESS_CLASS} \ - {{- if .Values.deployment.cluster.ingressClassByName }} - --ingress-class-by-name=${INGRESS_CLASS_BY_NAME} \ - {{- end }} - --default-backend-service=${POD_NAMESPACE}/${ERROR_PAGE_SERVICE} \ - {{- if .Values.conf.default_ssl_certificate.enabled }} - {{- $ns := .Values.conf.default_ssl_certificate.namespace | default .Release.Namespace }} - {{- $secret := .Values.conf.default_ssl_certificate.name | default .Values.secrets.tls.ingress.api.public }} - 
--default-ssl-certificate={{ $ns }}/{{ $secret }} \ - {{- end }} - --configmap=${POD_NAMESPACE}/ingress-conf \ - --tcp-services-configmap=${POD_NAMESPACE}/ingress-services-tcp \ - --udp-services-configmap=${POD_NAMESPACE}/ingress-services-udp \ - "${extra_opts[@]}" -} - -function stop () { - sleep 5 - kill -TERM 1 -} - -$COMMAND diff --git a/ingress/templates/bin/_ingress-vip-keepalived.sh.tpl b/ingress/templates/bin/_ingress-vip-keepalived.sh.tpl deleted file mode 100644 index 4c1b93787..000000000 --- a/ingress/templates/bin/_ingress-vip-keepalived.sh.tpl +++ /dev/null @@ -1,29 +0,0 @@ -#!/bin/bash - -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -set -ex - -COMMAND="${@:-start}" - -function kernel_modules () { - chroot /mnt/host-rootfs modprobe ip_vs -} - -function start () { - # Exit if the interface does not exist - ip link show ${interface} > /dev/null || exit 1 - ip link set ${interface} up -} - -$COMMAND diff --git a/ingress/templates/bin/_ingress-vip-routed.sh.tpl b/ingress/templates/bin/_ingress-vip-routed.sh.tpl deleted file mode 100644 index e6dbb1968..000000000 --- a/ingress/templates/bin/_ingress-vip-routed.sh.tpl +++ /dev/null 
@@ -1,60 +0,0 @@ -#!/bin/bash - -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -set -ex - -COMMAND="${@:-start}" - -function kernel_modules () { - chroot /mnt/host-rootfs modprobe dummy -} - -function test_vip () { - ip addr show ${interface} | \ - awk "/inet / && /${interface}/{print \$2 }" | \ - awk -F '/' '{ print $1 }' | \ - grep -q "${addr%/*}" -} - -function start () { - ip link show ${interface} > /dev/null || ip link add ${interface} type dummy - if ! test_vip; then - ip addr add ${addr} dev ${interface} - fi - ip link set ${interface} up - garp_interface=$(ip route list match "${addr}" scope link | \ - awk '$2 == "dev" { print $3; exit }') - if [ -n "${garp_interface}" ]; then - arping -U -c 3 -I "${garp_interface}" "${addr%/*}" || true - fi -} - -function sleep () { - exec bash -c "while :; do sleep 2073600; done" -} - -function stop () { - ip link show ${interface} > /dev/null || exit 0 - if test_vip; then - ip addr del ${addr} dev ${interface} - fi - if [ "$(ip address show ${interface} | \ - awk "/inet / && /${interface}/{print \$2 }" | \ - wc -l)" -le "0" ]; then - ip link set ${interface} down - ip link del ${interface} - fi -} - -$COMMAND diff --git a/ingress/templates/configmap-bin.yaml b/ingress/templates/configmap-bin.yaml deleted file mode 100644 index c70b0c900..000000000 --- a/ingress/templates/configmap-bin.yaml +++ /dev/null 
@@ -1,37 +0,0 @@
-{{/*
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/}}
-
-{{- if .Values.manifests.configmap_bin }}
-{{- $envAll := . }}
----
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: ingress-bin
-data:
-{{- if .Values.images.local_registry.active }}
- image-repo-sync.sh: |
-{{- include "helm-toolkit.scripts.image_repo_sync" . | indent 4 }}
-{{- end }}
-{{- if and .Values.network.host_namespace .Values.network.vip.manage }}
- ingress-vip.sh: |
-{{- if eq .Values.network.vip.mode "routed" }}
-{{ tuple "bin/_ingress-vip-routed.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
-{{- else if eq .Values.network.vip.mode "keepalived" }}
-{{ tuple "bin/_ingress-vip-keepalived.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
-{{- end }}
-{{- end }}
- ingress-controller.sh: |
-{{ tuple "bin/_ingress-controller.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
-{{- end }}
diff --git a/ingress/templates/configmap-conf.yaml b/ingress/templates/configmap-conf.yaml
deleted file mode 100644
index 12457b11c..000000000
--- a/ingress/templates/configmap-conf.yaml
+++ /dev/null
@@ -1,38 +0,0 @@
-{{/*
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/}}
-
-{{- if .Values.manifests.configmap_conf }}
-{{- $envAll := . }}
-
-{{- if and .Values.network.host_namespace .Values.network.vip.manage -}}
-{{- if empty (index .Values.network.vip "mode") -}}
-{{- $_ := set .Values.network.vip "mode" "routed" }}
-{{- end -}}
-{{- if empty (index .Values.conf.ingress "bind-address") -}}
-{{- $_ := set .Values.conf.ingress "bind-address" ( .Values.network.vip.addr | split "/" )._0 }}
-{{- end -}}
-{{- else -}}
-{{- if empty (index .Values.conf.ingress "bind-address") -}}
-{{- $_ := unset .Values.conf.ingress "bind-address" }}
-{{- end -}}
-{{- end -}}
-
----
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: ingress-conf
-data:
-{{ toYaml .Values.conf.ingress | indent 2 }}
-{{- end }}
diff --git a/ingress/templates/configmap-services-tcp.yaml b/ingress/templates/configmap-services-tcp.yaml
deleted file mode 100644
index 2e12e0bee..000000000
--- a/ingress/templates/configmap-services-tcp.yaml
+++ /dev/null
@@ -1,26 +0,0 @@
-{{/*
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/}}
-
-{{- if .Values.manifests.configmap_services_tcp }}
-{{- $envAll := . }}
----
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: ingress-services-tcp
-{{- if not (empty $envAll.Values.conf.services.tcp) }}
-data:
-{{ toYaml $envAll.Values.conf.services.tcp | indent 2 }}
-{{- end }}
-{{- end }}
diff --git a/ingress/templates/configmap-services-udp.yaml b/ingress/templates/configmap-services-udp.yaml
deleted file mode 100644
index 3c6beaa6d..000000000
--- a/ingress/templates/configmap-services-udp.yaml
+++ /dev/null
@@ -1,26 +0,0 @@
-{{/*
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/}}
-
-{{- if .Values.manifests.configmap_services_udp }}
-{{- $envAll := . }}
----
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: ingress-services-udp
-{{- if not (empty $envAll.Values.conf.services.udp) }}
-data:
-{{ toYaml $envAll.Values.conf.services.udp | indent 2 }}
-{{- end }}
-{{- end }}
diff --git a/ingress/templates/deployment-error.yaml b/ingress/templates/deployment-error.yaml
deleted file mode 100644
index ccd6c3b33..000000000
--- a/ingress/templates/deployment-error.yaml
+++ /dev/null
@@ -1,78 +0,0 @@ -{{/* -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/}} - -{{- if .Values.manifests.deployment_error }} -{{- $envAll := . }} - -{{- $serviceAccountName := "ingress-error-pages" }} -{{ tuple $envAll "error_pages" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: ingress-error-pages - annotations: - {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }} - labels: -{{ tuple $envAll "ingress" "error-pages" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }} -spec: - replicas: {{ .Values.pod.replicas.error_page }} - selector: - matchLabels: -{{ tuple $envAll "ingress" "error-pages" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }} -{{ tuple $envAll | include "helm-toolkit.snippets.kubernetes_upgrades_deployment" | indent 2 }} - template: - metadata: - labels: -{{ tuple $envAll "ingress" "error-pages" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} - annotations: -{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }} - configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }} - configmap-etc-hash: {{ tuple "configmap-conf.yaml" . 
| include "helm-toolkit.utils.hash" }} -{{ dict "envAll" $envAll "podName" "ingress-error-pages" "containerNames" (list "init" "ingress-error-pages") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }} - spec: -{{ dict "envAll" $envAll "application" "error_pages" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }} - shareProcessNamespace: true - serviceAccountName: {{ $serviceAccountName }} - affinity: -{{ tuple $envAll "ingress" "error-pages" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }} - nodeSelector: - {{ .Values.labels.error_server.node_selector_key }}: {{ .Values.labels.error_server.node_selector_value | quote }} -{{ if $envAll.Values.pod.tolerations.ingress.enabled }} -{{ tuple $envAll "ingress" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }} -{{ end }} - terminationGracePeriodSeconds: {{ .Values.pod.lifecycle.termination_grace_period.error_pages.timeout | default "60" }} - initContainers: -{{ tuple $envAll "error_pages" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} - containers: - - name: ingress-error-pages -{{ tuple $envAll "error_pages" | include "helm-toolkit.snippets.image" | indent 10 }} -{{ tuple $envAll $envAll.Values.pod.resources.error_pages | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} -{{ dict "envAll" $envAll "application" "error_pages" "container" "ingress_error_pages" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }} - livenessProbe: - httpGet: - path: /healthz - port: 8080 - scheme: HTTP - initialDelaySeconds: 30 - timeoutSeconds: 5 - ports: - - containerPort: 8080 - volumeMounts: - - name: pod-tmp - mountPath: /tmp - volumes: - - name: pod-tmp - emptyDir: {} -{{- end }} 
diff --git a/ingress/templates/deployment-ingress.yaml b/ingress/templates/deployment-ingress.yaml
deleted file mode 100644
index b8a2ea77b..000000000
--- a/ingress/templates/deployment-ingress.yaml
+++ /dev/null
@@ -1,402 +0,0 @@ -{{/* -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/}} - -{{- if .Values.manifests.deployment_ingress }} -{{- $envAll := . }} - -{{- $serviceAccountName := printf "%s-%s" .Release.Name "ingress" }} -{{ tuple $envAll "ingress" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: {{ $serviceAccountName }} -rules: - - apiGroups: - - "" - resources: - - configmaps - - endpoints - - nodes - - pods - - secrets - verbs: - - list - - watch - - apiGroups: - - "" - resources: - - nodes - verbs: - - get - - apiGroups: - - "" - resources: - - services - verbs: - - get - - list - - watch - - apiGroups: - - "" - resources: - - events - verbs: - - create - - patch - - apiGroups: - - "extensions" - - "networking.k8s.io" - resources: - - ingresses - - ingressclasses - verbs: - - get - - list - - watch - - apiGroups: - - "extensions" - - "networking.k8s.io" - resources: - - ingresses/status - - ingressclasses/status - verbs: - - update - - apiGroups: - - discovery.k8s.io - resources: - - endpointslices - verbs: - - get - - list - - watch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: {{ $serviceAccountName }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: {{ $serviceAccountName }} -subjects: - - kind: ServiceAccount - name: {{ $serviceAccountName }} - namespace: {{ $envAll.Release.Namespace 
}} ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: {{ $serviceAccountName }} - namespace: {{ $envAll.Release.Namespace }} -rules: - - apiGroups: - - "" - resources: - - configmaps - - pods - - secrets - - namespaces - verbs: - - get - - apiGroups: - - "" - resources: - - configmaps - resourceNames: - - {{ $envAll.Release.Name }} - verbs: - - get - - update - - apiGroups: - - "" - resources: - - configmaps - verbs: - - create - - apiGroups: - - "" - resources: - - endpoints - verbs: - - get - - create - - update - - apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - get - - create - - update ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: {{ $serviceAccountName }} - namespace: {{ $envAll.Release.Namespace }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: {{ $serviceAccountName }} -subjects: - - kind: ServiceAccount - name: {{ $serviceAccountName }} - namespace: {{ $envAll.Release.Namespace }} ---- -{{- if eq .Values.deployment.type "Deployment" }} -apiVersion: apps/v1 -kind: Deployment -{{- else if eq .Values.deployment.type "DaemonSet" }} -apiVersion: apps/v1 -kind: DaemonSet -{{- end }} -metadata: - name: ingress - annotations: - {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }} - labels: -{{ tuple $envAll "ingress" "server" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }} - app: ingress-api - app.kubernetes.io/name: "ingress-api" - app.kubernetes.io/instance: {{ $serviceAccountName }} - app.kubernetes.io/component: "ingress" - app.kubernetes.io/managed-by: {{ $envAll.Release.Service }} -{{- if $envAll.Chart.AppVersion }} - app.kubernetes.io/version: {{ $envAll.Chart.AppVersion | quote }} -{{- end }} -spec: -{{- if eq .Values.deployment.type "Deployment" }} - replicas: {{ .Values.pod.replicas.ingress }} -{{ tuple $envAll | include "helm-toolkit.snippets.kubernetes_upgrades_deployment" | indent 2 }} -{{- end }} - 
selector: - matchLabels: -{{ tuple $envAll "ingress" "server" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }} - app: ingress-api - template: - metadata: - labels: -{{ tuple $envAll "ingress" "server" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} - app: ingress-api - app.kubernetes.io/name: "ingress-api" - app.kubernetes.io/instance: {{ $serviceAccountName }} - app.kubernetes.io/component: "ingress" - app.kubernetes.io/managed-by: {{ $envAll.Release.Service }} -{{- if $envAll.Chart.AppVersion }} - app.kubernetes.io/version: {{ $envAll.Chart.AppVersion | quote }} -{{- end }} - annotations: -{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }} - configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }} - configmap-etc-hash: {{ tuple "configmap-conf.yaml" . | include "helm-toolkit.utils.hash" }} -{{- $containers := "init ingress" }} -{{- if and .Values.network.host_namespace .Values.network.vip.manage }} -{{- $containers = printf "%s ingress-vip-kernel-modules ingress-vip-init ingress-vip" $containers }} -{{- end }} -{{- $containers = splitList " " $containers }} -{{ dict "envAll" $envAll "podName" "ingress-server" "containerNames" $containers | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }} - spec: -{{ dict "envAll" $envAll "application" "server" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }} - shareProcessNamespace: true - serviceAccountName: {{ $serviceAccountName }} -{{- if eq .Values.deployment.type "Deployment" }} - affinity: -{{ tuple $envAll "ingress" "server" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }} -{{- end }} -{{ if $envAll.Values.pod.tolerations.ingress.enabled }} -{{ tuple $envAll "ingress" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }} -{{ end }} - nodeSelector: - {{ .Values.labels.server.node_selector_key 
}}: {{ .Values.labels.server.node_selector_value | quote }} -{{- if .Values.network.host_namespace }} - hostNetwork: true -{{- end }} - dnsPolicy: {{ .Values.pod.dns_policy }} - terminationGracePeriodSeconds: {{ .Values.pod.lifecycle.termination_grace_period.server.timeout | default "60" }} - initContainers: -{{ tuple $envAll "ingress" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} -{{- if and .Values.network.host_namespace .Values.network.vip.manage }} - - name: ingress-vip-kernel-modules -{{ tuple $envAll "ingress_module_init" | include "helm-toolkit.snippets.image" | indent 10 }} -{{ dict "envAll" $envAll "application" "server" "container" "ingress_vip_kernel_modules" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }} - command: - - /tmp/nginx/ingress-vip.sh - - kernel_modules - volumeMounts: - - name: pod-tmp - mountPath: /tmp/nginx - - name: ingress-bin - mountPath: /tmp/nginx/ingress-vip.sh - subPath: ingress-vip.sh - readOnly: true - - name: host-rootfs - mountPath: /mnt/host-rootfs - mountPropagation: HostToContainer - readOnly: true - - name: ingress-vip-init -{{ tuple $envAll "ingress_routed_vip" | include "helm-toolkit.snippets.image" | indent 10 }} -{{ dict "envAll" $envAll "application" "server" "container" "ingress_vip_init" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }} - env: -{{ include "helm-toolkit.utils.to_k8s_env_vars" .Values.network.vip | indent 12 }} - command: - - /tmp/nginx/ingress-vip.sh - - start - volumeMounts: - - name: pod-tmp - mountPath: /tmp/nginx - - name: ingress-bin - mountPath: /tmp/nginx/ingress-vip.sh - subPath: ingress-vip.sh - readOnly: true -{{- end }} - containers: - - name: ingress -{{ tuple $envAll "ingress" | include "helm-toolkit.snippets.image" | indent 10 }} -{{ tuple $envAll $envAll.Values.pod.resources.ingress | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} -{{ dict "envAll" 
$envAll "application" "server" "container" "ingress" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }} - readinessProbe: - httpGet: - path: /healthz - port: {{ tuple "ingress" "internal" "healthz" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }} - scheme: HTTP - livenessProbe: - httpGet: - path: /healthz - port: {{ tuple "ingress" "internal" "healthz" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }} - scheme: HTTP - initialDelaySeconds: 10 - timeoutSeconds: 1 - env: - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: PORT_HTTP - value: {{ tuple "ingress" "internal" "http" . | include "helm-toolkit.endpoints.endpoint_port_lookup" | quote }} - - name: PORT_HTTPS - value: {{ tuple "ingress" "internal" "https" . | include "helm-toolkit.endpoints.endpoint_port_lookup" | quote }} - - name: PORT_STATUS - value: {{ tuple "ingress" "internal" "status" . | include "helm-toolkit.endpoints.endpoint_port_lookup" | quote }} - - name: PORT_STREAM - value: {{ tuple "ingress" "internal" "stream" . | include "helm-toolkit.endpoints.endpoint_port_lookup" | quote }} - - name: PORT_PROFILER - value: {{ tuple "ingress" "internal" "profiler" . | include "helm-toolkit.endpoints.endpoint_port_lookup" | quote }} - - name: PORT_HEALTHZ - value: {{ tuple "ingress" "internal" "healthz" . | include "helm-toolkit.endpoints.endpoint_port_lookup" | quote }} - - name: DEFAULT_SERVER_PORT - value: {{ tuple "ingress" "internal" "server" . | include "helm-toolkit.endpoints.endpoint_port_lookup" | quote }} - - name: RELEASE_NAME - value: {{ .Release.Name | quote }} - - name: ERROR_PAGE_SERVICE - value: {{ tuple "ingress" "error_pages" . 
| include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" | quote }} - - name: INGRESS_CLASS - value: "{{ .Values.deployment.cluster.class }}" - {{- if .Values.deployment.cluster.ingressClassByName }} - - name: INGRESS_CLASS_BY_NAME - value: "{{ .Values.deployment.cluster.ingressClassByName }}" - {{- end }} - - name: CONTROLLER_CLASS - value: "{{ .Values.deployment.cluster.controllerClass }}" - ports: - - containerPort: {{ tuple "ingress" "internal" "http" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }} - {{- if .Values.network.host_namespace }} - hostPort: {{ tuple "ingress" "internal" "http" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }} - {{- end }} - - containerPort: {{ tuple "ingress" "internal" "https" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }} - {{- if .Values.network.host_namespace }} - hostPort: {{ tuple "ingress" "internal" "https" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }} - {{- end }} - - containerPort: {{ tuple "ingress" "internal" "status" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }} - {{- if .Values.network.host_namespace }} - hostPort: {{ tuple "ingress" "internal" "status" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }} - {{- end }} - - containerPort: {{ tuple "ingress" "internal" "healthz" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }} - {{- if .Values.network.host_namespace }} - hostPort: {{ tuple "ingress" "internal" "healthz" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }} - {{- end }} - - containerPort: {{ tuple "ingress" "internal" "server" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }} - {{- if .Values.network.host_namespace }} - hostPort: {{ tuple "ingress" "internal" "server" . 
| include "helm-toolkit.endpoints.endpoint_port_lookup" }} - {{- end }} - command: - - /tmp/nginx/ingress-controller.sh - - start - lifecycle: - preStop: - exec: - command: - - /tmp/nginx/ingress-controller.sh - - stop - volumeMounts: - - name: pod-tmp - mountPath: /tmp/nginx - - name: ingress-bin - mountPath: /tmp/nginx/ingress-controller.sh - subPath: ingress-controller.sh - readOnly: true -{{- if and .Values.network.host_namespace .Values.network.vip.manage }} - - name: ingress-vip -{{- if eq .Values.network.vip.mode "routed" }} -{{ tuple $envAll "ingress_routed_vip" | include "helm-toolkit.snippets.image" | indent 10 }} -{{ dict "envAll" $envAll "application" "server" "container" "ingress_vip" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }} - env: -{{ include "helm-toolkit.utils.to_k8s_env_vars" .Values.network.vip | indent 12 }} - command: - - /tmp/nginx/ingress-vip.sh - - sleep - lifecycle: - preStop: - exec: - command: - - /tmp/nginx/ingress-vip.sh - - stop - volumeMounts: - - name: pod-tmp - mountPath: /tmp/nginx - - name: ingress-bin - mountPath: /tmp/nginx/ingress-vip.sh - subPath: ingress-vip.sh - readOnly: true -{{- else if eq .Values.network.vip.mode "keepalived" }} -{{ tuple $envAll "keepalived" | include "helm-toolkit.snippets.image" | indent 10 }} - env: - - name: KEEPALIVED_INTERFACE - value: {{ .Values.network.vip.interface | quote }} - - name: KEEPALIVED_VIRTUAL_IPS - value: {{ ( .Values.network.vip.addr | split "/" )._0 | quote }} - - name: KEEPALIVED_UNICAST_PEERS - value: null - - name: KEEPALIVED_ROUTER_ID - value: {{ .Values.network.vip.keepalived_router_id | quote }} -{{- end }} -{{- end }} - volumes: - - name: pod-tmp - emptyDir: {} - - name: ingress-bin - configMap: - name: ingress-bin - defaultMode: 0555 - {{- if and .Values.network.host_namespace .Values.network.vip.manage }} - - name: host-rootfs - hostPath: - path: / - {{- end }} -{{- end }} 
diff --git a/ingress/templates/endpoints-ingress.yaml b/ingress/templates/endpoints-ingress.yaml
deleted file mode 100644
index c78195b1b..000000000
--- a/ingress/templates/endpoints-ingress.yaml
+++ /dev/null
@@ -1,51 +0,0 @@
-{{/*
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/}}
-
-{{- if .Values.manifests.endpoints_ingress }}
-{{- $envAll := . }}
-{{- if and .Values.network.host_namespace .Values.network.vip.manage -}}
----
-apiVersion: "v1"
-kind: "Endpoints"
-metadata:
- labels:
-{{ tuple $envAll "ingress" "server" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
- endpoint: vip
- name: {{ tuple "ingress" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
-subsets:
- - addresses:
- - ip: {{ ( .Values.network.vip.addr | split "/" )._0 | quote }}
- ports:
- - port: {{ tuple "ingress" "internal" "http" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
- protocol: TCP
- name: http
- - port: {{ tuple "ingress" "internal" "https" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
- protocol: TCP
- name: https
- {{- if not (empty $envAll.Values.conf.services.tcp) }}
- {{range $key, $value := $envAll.Values.conf.services.tcp -}}
- - port: {{ $key }}
- protocol: TCP
- name: {{ cat ((( $value | split "/" )._1 | split ":" )._0 | trunc 8 ) $key | nospace | quote }}
- {{ end -}}
- {{- end }}
- {{- if not (empty $envAll.Values.conf.services.udp) }}
- {{range $key, $value := $envAll.Values.conf.services.udp -}}
- - port: {{ $key }}
- protocol: UDP
- name: {{ cat ((( $value | split "/" )._1 | split ":" )._0 | trunc 8 ) $key | nospace | quote }}
- {{ end -}}
- {{- end }}
-{{- end }}
-{{- end }}
diff --git a/ingress/templates/ingress-class.yaml b/ingress/templates/ingress-class.yaml
deleted file mode 100644
index 51461ce9a..000000000
--- a/ingress/templates/ingress-class.yaml
+++ /dev/null
@@ -1,32 +0,0 @@
-{{/*
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/}}
-
-{{- if .Values.manifests.ingressClass }}
-{{- $envAll := . }}
-{{- if empty (index .Values.network.ingress.spec "ingressClassName") }}
-{{- $_ := set .Values.network.ingress.spec "ingressClassName" .Values.deployment.cluster.class -}}
-{{- end }}
-{{- if empty (index .Values.network.ingressClass.spec "controller") }}
-{{- $_ := set .Values.network.ingressClass.spec "controller" .Values.deployment.cluster.controllerClass -}}
-{{- end }}
----
-apiVersion: networking.k8s.io/v1
-kind: IngressClass
-metadata:
- labels:
- app.kubernetes.io/component: controller
- name: {{ index $envAll.Values.network.ingress.spec "ingressClassName" | quote }}
-spec:
- controller: {{ index $envAll.Values.network.ingressClass.spec "controller" | quote }}
-{{- end }}
diff --git a/ingress/templates/ingress.yaml b/ingress/templates/ingress.yaml
deleted file mode 100644
index b424ab55a..000000000
--- a/ingress/templates/ingress.yaml
+++ /dev/null
@@ -1,46 +0,0 @@
-{{/*
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/}}
-
-{{- if .Values.manifests.ingress }}
-{{- $envAll := . }}
-{{- if eq .Values.deployment.mode "namespace" }}
-{{- if empty (index .Values.network.ingress.spec "ingressClassName") -}}
-{{- $_ := set .Values.network.ingress.spec "ingressClassName" .Values.deployment.cluster.class -}}
-{{- end -}}
-{{- $serviceName := tuple "ingress" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" -}}
-{{- $servicePort := tuple "ingress" "internal" "http" . | include "helm-toolkit.endpoints.endpoint_port_lookup" -}}
----
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
- name: {{ .Release.Namespace }}-{{ .Release.Name }}
-spec:
-{{ toYaml .Values.network.ingress.spec | indent 2 }}
- rules:
- - host: {{ printf "%s.%s.svc.%s" "*" .Release.Namespace .Values.endpoints.cluster_domain_suffix | quote }}
- http:
- paths:
- - path: /
- pathType: ImplementationSpecific
- backend:
- service:
- name: {{ $serviceName }}
- port:
-{{- if or (kindIs "int" $servicePort) (regexMatch "^[0-9]{1,5}$" $servicePort) }}
- number: {{ $servicePort | int }}
-{{- else }}
- name: {{ $servicePort | quote }}
-{{- end }}
-{{- end }}
-{{- end }}
diff --git a/ingress/templates/job-image-repo-sync.yaml b/ingress/templates/job-image-repo-sync.yaml
deleted file mode 100644
index 2132f9a3f..000000000
--- a/ingress/templates/job-image-repo-sync.yaml
+++ /dev/null
@@ -1,21 +0,0 @@
-{{/*
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/}}
-
-{{- if and .Values.manifests.job_image_repo_sync .Values.images.local_registry.active }}
-{{- $imageRepoSyncJob := dict "envAll" . "serviceName" "ingress" -}}
-{{- if .Values.pod.tolerations.ingress.enabled -}}
-{{- $_ := set $imageRepoSyncJob "tolerationsEnabled" true -}}
-{{- end -}}
-{{ $imageRepoSyncJob | include "helm-toolkit.manifests.job_image_repo_sync" }}
-{{- end }}
diff --git a/ingress/templates/network_policy.yaml b/ingress/templates/network_policy.yaml
deleted file mode 100644
index 83c2269a4..000000000
--- a/ingress/templates/network_policy.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
-{{/*
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/}}
-
-{{- if .Values.manifests.network_policy -}}
-{{- $netpol_opts := dict "envAll" . "name" "application" "label" "ingress" -}}
-{{ $netpol_opts | include "helm-toolkit.manifests.kubernetes_network_policy" }}
-{{- end -}}
diff --git a/ingress/templates/secret-dhparam.yaml b/ingress/templates/secret-dhparam.yaml
deleted file mode 100644
index 9665c0769..000000000
--- a/ingress/templates/secret-dhparam.yaml
+++ /dev/null
@@ -1,25 +0,0 @@
-{{/*
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/}}
-
-{{- if .Values.manifests.secret_dhparam }}
-{{- $envAll := . }}
----
-apiVersion: v1
-kind: Secret
-metadata:
- name: secret-dhparam
-type: Opaque
-data:
- dhparam.pem: {{ .Values.secrets.dhparam.secret_dhparam | b64enc }}
-{{- end }}
diff --git a/ingress/templates/secret-ingress-tls.yaml b/ingress/templates/secret-ingress-tls.yaml
deleted file mode 100644
index eeb39c688..000000000
--- a/ingress/templates/secret-ingress-tls.yaml
+++ /dev/null
@@ -1,17 +0,0 @@
-{{/*
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/}}
-
-{{- if .Values.manifests.secret_ingress_tls }}
-{{- include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . "backendServiceType" "ingress" ) }}
-{{- end }}
diff --git a/ingress/templates/secret-registry.yaml b/ingress/templates/secret-registry.yaml
deleted file mode 100644
index da979b322..000000000
--- a/ingress/templates/secret-registry.yaml
+++ /dev/null
@@ -1,17 +0,0 @@
-{{/*
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/}}
-
-{{- if and .Values.manifests.secret_registry .Values.endpoints.oci_image_registry.auth.enabled }}
-{{ include "helm-toolkit.manifests.secret_registry" ( dict "envAll" . "registryUser" .Chart.Name ) }}
-{{- end }}
diff --git a/ingress/templates/service-error.yaml b/ingress/templates/service-error.yaml
deleted file mode 100644
index c839b581a..000000000
--- a/ingress/templates/service-error.yaml
+++ /dev/null
@@ -1,32 +0,0 @@
-{{/*
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/}}
-
-{{- if .Values.manifests.service_error }}
-{{- $envAll := . }}
----
-apiVersion: v1
-kind: Service
-metadata:
- labels:
-{{ tuple $envAll "ingress" "error-pages" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
- name: {{ tuple "ingress" "error_pages" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
-spec:
- clusterIP: None
- ports:
- - port: 80
- protocol: TCP
- targetPort: 8080
- selector:
-{{ tuple $envAll "ingress" "error-pages" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
-{{- end }}
diff --git a/ingress/templates/service-ingress-metrics-exporter.yaml b/ingress/templates/service-ingress-metrics-exporter.yaml
deleted file mode 100644
index 2a06210cc..000000000
--- a/ingress/templates/service-ingress-metrics-exporter.yaml
+++ /dev/null
@@ -1,36 +0,0 @@
-{{/*
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/}}
-
-{{- if .Values.manifests.monitoring.prometheus.service_exporter }}
-{{- if .Values.monitoring.prometheus.enabled }}
-{{- $envAll := . }}
-{{- $prometheus_annotations := $envAll.Values.monitoring.prometheus.ingress_exporter }}
----
-apiVersion: v1
-kind: Service
-metadata:
- name: {{ tuple "ingress_exporter" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
- labels:
-{{ tuple $envAll "ingress_exporter" "metrics" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
- annotations:
-{{- if .Values.monitoring.prometheus.enabled }}
-{{ tuple $prometheus_annotations | include "helm-toolkit.snippets.prometheus_service_annotations" | indent 4 }}
-{{- end }}
-spec:
- ports:
- - name: metrics
- port: {{ .Values.endpoints.ingress_exporter.port.metrics.default }}
- selector:
-{{ tuple $envAll "ingress" "server" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}{{- end }}
-{{- end }}
diff --git a/ingress/templates/service-ingress.yaml b/ingress/templates/service-ingress.yaml
deleted file mode 100644
index 8fe9a69bc..000000000
--- a/ingress/templates/service-ingress.yaml
+++ /dev/null
@@ -1,77 +0,0 @@
-{{/*
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/}}
-
-{{- if .Values.manifests.service_ingress }}
-{{- $envAll := . }}
----
-apiVersion: v1
-kind: Service
-metadata:
- labels:
-{{ tuple $envAll "ingress" "server" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
-{{- if and .Values.network.host_namespace .Values.network.vip.manage }}
- endpoint: vip
-{{- end }}
- name: {{ tuple "ingress" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
-spec:
-{{- if and .Values.network.host_namespace .Values.network.vip.manage }}
- clusterIP: None
-{{- end }}
-{{- if .Values.network.vip.assign_as_external_ip }}
- externalIPs:
- - {{ (.Values.network.vip.addr | split "/")._0 }}
-{{- end }}
- ports:
- - name: http
- port: {{ tuple "ingress" "internal" "http" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
- protocol: TCP
- targetPort: {{ tuple "ingress" "internal" "http" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
- {{- if .Values.network.ingress.node_port.enabled }}
- nodePort: {{ .Values.network.ingress.node_port.http_port }}
- {{- end }}
- - name: https
- port: {{ tuple "ingress" "internal" "https" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
- protocol: TCP
- targetPort: {{ tuple "ingress" "internal" "https" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
- {{- if .Values.network.ingress.node_port.enabled }}
- nodePort: {{ .Values.network.ingress.node_port.https_port }}
- {{- end }}
- - name: status
- port: {{ tuple "ingress" "internal" "status" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
- protocol: TCP
- targetPort: {{ tuple "ingress" "internal" "status" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
- {{- if not (empty $envAll.Values.conf.services.tcp) }}
- {{range $key, $value := $envAll.Values.conf.services.tcp -}}
- - name: {{ cat ((( $value | split "/" )._1 | split ":" )._0 | trunc 8 ) $key | nospace | quote }}
- port: {{ $key }}
- protocol: TCP
- targetPort: {{ $key }}
- {{ end -}}
- {{- end }}
- {{- if not (empty $envAll.Values.conf.services.udp) }}
- {{range $key, $value := $envAll.Values.conf.services.udp -}}
- - name: {{ cat ((( $value | split "/" )._1 | split ":" )._0 | trunc 8 ) $key | nospace | quote }}
- port: {{ $key }}
- protocol: UDP
- targetPort: {{ $key }}
- {{ end -}}
- {{- end }}
-{{- if not (and .Values.network.host_namespace .Values.network.vip.manage) }}
- selector:
-{{ tuple $envAll "ingress" "server" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
-{{- end }}
-{{- if .Values.network.ingress.node_port.enabled }}
- type: NodePort
-{{- end }}
-{{- end }}
diff --git a/ingress/values.yaml b/ingress/values.yaml
deleted file mode 100644
index 600d646a8..000000000
--- a/ingress/values.yaml
+++ /dev/null
@@ -1,363 +0,0 @@
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-# Default values for ingress.
-# This is a YAML-formatted file.
-# Declare name/value pairs to be passed into your templates.
-# name: value
-
----
-deployment:
- mode: namespace
- type: Deployment
- cluster:
- class: "nginx-cluster"
- ingressClassByName: false
- controllerClass: "k8s.io/nginx-ingress"
-
-images:
- tags:
- entrypoint: quay.io/airshipit/kubernetes-entrypoint:v1.0.0
- ingress: registry.k8s.io/ingress-nginx/controller:v1.8.2
- ingress_module_init: docker.io/openstackhelm/neutron:xena-ubuntu_focal
- ingress_routed_vip: docker.io/openstackhelm/neutron:xena-ubuntu_focal
- error_pages: registry.k8s.io/defaultbackend:1.4
- keepalived: docker.io/osixia/keepalived:1.4.5
- dep_check: quay.io/airshipit/kubernetes-entrypoint:v1.0.0
- image_repo_sync: docker.io/library/docker:17.07.0
- pull_policy: "IfNotPresent"
- local_registry:
- active: false
- exclude:
- - dep_check
- - image_repo_sync
-
-pod:
- security_context:
- error_pages:
- pod:
- runAsUser: 65534
- container:
- ingress_error_pages:
- allowPrivilegeEscalation: false
- readOnlyRootFilesystem: true
- server:
- pod:
- runAsUser: 65534
- container:
- ingress_vip_kernel_modules:
- capabilities:
- add:
- - SYS_MODULE
- readOnlyRootFilesystem: true
- runAsUser: 0
- ingress_vip_init:
- capabilities:
- add:
- - NET_ADMIN
- readOnlyRootFilesystem: true
- runAsUser: 0
- ingress:
- readOnlyRootFilesystem: false
- runAsUser: 101
- ingress_vip:
- capabilities:
- add:
- - NET_ADMIN
- readOnlyRootFilesystem: true
- runAsUser: 0
- affinity:
- anti:
- type:
- default: preferredDuringSchedulingIgnoredDuringExecution
- topologyKey:
- default: kubernetes.io/hostname
- weight:
- default: 10
- tolerations:
- ingress:
- enabled: false
- tolerations:
- - key: node-role.kubernetes.io/master
- operator: Exists
- effect: NoSchedule
- - key: node-role.kubernetes.io/control-plane
- operator: Exists
- effect: NoSchedule
- dns_policy: "ClusterFirstWithHostNet"
- replicas:
- ingress: 1
- error_page: 1
- lifecycle:
- upgrades:
- deployments:
- revision_history: 3
- pod_replacement_strategy: RollingUpdate
- rolling_update:
- max_unavailable: 1
- max_surge: 3
- termination_grace_period:
- server:
- timeout: 60
- error_pages:
- timeout: 60
- resources:
- enabled: false
- ingress:
- requests:
- memory: "128Mi"
- cpu: "100m"
- limits:
- memory: "1024Mi"
- cpu: "2000m"
- error_pages:
- requests:
- memory: "128Mi"
- cpu: "100m"
- limits:
- memory: "1024Mi"
- cpu: "2000m"
- jobs:
- image_repo_sync:
- requests:
- memory: "128Mi"
- cpu: "100m"
- limits:
- memory: "1024Mi"
- cpu: "2000m"
-
-labels:
- server:
- node_selector_key: openstack-control-plane
- node_selector_value: enabled
- error_server:
- node_selector_key: openstack-control-plane
- node_selector_value: enabled
-
-network:
- host_namespace: false
- vip:
- manage: false
- # what type of vip manage machanism will be used
- # possible options: routed, keepalived
- mode: routed
- interface: ingress-vip
- addr: 172.18.0.1/32
- keepalived_router_id: 100
- # Use .network.vip.addr as an external IP for the service
- # Useful if the CNI or provider can set up routes, etc.
- assign_as_external_ip: false
- ingressClass:
- spec:
- controller: null
- ingress:
- spec:
- ingressClassName: null
- node_port:
- enabled: false
- http_port: 30080
- https_port: 30443
- annotations:
- # NOTE(portdirect): if left blank this is populated from
- # .deployment.cluster.class
- nginx.ingress.kubernetes.io/proxy-body-size: "0"
- nginx.ingress.kubernetes.io/configuration-snippet: |
- more_set_headers "X-Content-Type-Options: nosniff";
- more_set_headers "X-Frame-Options: deny";
- more_set_headers "X-Permitted-Cross-Domain-Policies: none";
- more_set_headers "Content-Security-Policy: script-src 'self'";
- external_policy_local: false
-
-dependencies:
- dynamic:
- common:
- local_image_registry:
- jobs:
- - ingress-image-repo-sync
- services:
- - endpoint: node
- service: local_image_registry
- static:
- error_pages:
- jobs: null
- ingress:
- jobs: null
- image_repo_sync:
- services:
- - endpoint: internal
- service: local_image_registry
-
-monitoring:
- prometheus:
- enabled: true
- ingress_exporter:
- scrape: true
- port: 10254
-
-endpoints:
- cluster_domain_suffix: cluster.local
- local_image_registry:
- name: docker-registry
- namespace: docker-registry
- hosts:
- default: localhost
- internal: docker-registry
- node: localhost
- host_fqdn_override:
- default: null
- port:
- registry:
- node: 5000
- oci_image_registry:
- name: oci-image-registry
- namespace: oci-image-registry
- auth:
- enabled: false
- ingress:
- username: ingress
- password: password
- hosts:
- default: localhost
- host_fqdn_override:
- default: null
- port:
- registry:
- default: null
- ingress:
- hosts:
- default: ingress
- error_pages: ingress-error-pages
- host_fqdn_override:
- default: null
- # NOTE: The values under .endpoints.ingress.host_fqdn_override.public.tls
- # will be used for the default SSL certificate.
- # See also the .conf.default_ssl_certificate options below.
- public:
- tls:
- crt: ""
- key: ""
- port:
- http:
- default: 80
- https:
- default: 443
- healthz:
- default: 10254
- status:
- default: 10246
- stream:
- default: 10247
- profiler:
- default: 10245
- server:
- default: 8181
- ingress_exporter:
- namespace: null
- hosts:
- default: ingress-exporter
- host_fqdn_override:
- default: null
- path:
- default: null
- scheme:
- default: 'http'
- port:
- metrics:
- default: 10254
- kube_dns:
- namespace: kube-system
- name: kubernetes-dns
- hosts:
- default: kube-dns
- host_fqdn_override:
- default: null
- path:
- default: null
- scheme: http
- port:
- dns_tcp:
- default: 53
- dns:
- default: 53
- protocol: UDP
-
-network_policy:
- ingress:
- ingress:
- - {}
- egress:
- - {}
-
-secrets:
- oci_image_registry:
- ingress: ingress-oci-image-registry-key
- tls:
- ingress:
- api:
- # .secrets.tls.ingress.api.public="name of the TLS secret to create for the default cert"
- # NOTE: The contents of the secret are from .endpoints.ingress.host_fqdn_override.public.tls
- public: default-tls-public
- dhparam:
- secret_dhparam: |
-conf:
- ingress:
- enable-underscores-in-headers: "true"
- # NOTE(portdirect): if left blank this is populated from
- # .network.vip.addr when running in host networking
- # and .network.vip.manage=true, otherwise it is left as
- # an empty string (the default).
- bind-address: null
- enable-vts-status: "true"
- server-tokens: "false"
- ssl-dh-param: openstack/secret-dhparam
- # This block sets the --default-ssl-certificate option
- # https://kubernetes.github.io/ingress-nginx/user-guide/tls/#default-ssl-certificate
- default_ssl_certificate:
- # .conf.default_ssl_certificate.enabled=true: use a default certificate
- enabled: false
- # If referencing an existing TLS secret with the default cert
- # .conf.default_ssl_certificate.name="name of the secret"
- # (defaults to value of .secrets.tls.ingress.api.public)
- # .conf.default_ssl_certificate.namespace="namespace of the secret"
- # (optional, defaults to release namespace)
- name: ""
- namespace: ""
- # NOTE: To create a new secret to hold the default certificate, leave the
- # above values empty, and specify:
- # .endpoints.ingress.host_fqdn_override.public.tls.crt="PEM cert data"
- # .endpoints.ingress.host_fqdn_override.public.tls.key="PEM key data"
- # .manifests.secret_ingress_tls=true
- services:
- tcp: null
- udp: null
-
-manifests:
- configmap_bin: true
- configmap_conf: true
- configmap_services_tcp: true
- configmap_services_udp: true
- deployment_error: true
- deployment_ingress: true
- endpoints_ingress: true
- ingress: true
- ingressClass: true
- secret_ingress_tls: false
- secret_dhparam: false
- service_error: true
- service_ingress: true
- job_image_repo_sync: true
- monitoring:
- prometheus:
- service_exporter: true
- network_policy: false
- secret_registry: true
-...
diff --git a/ingress/values_overrides/apparmor.yaml b/ingress/values_overrides/apparmor.yaml
deleted file mode 100644
index c89fb3c93..000000000
--- a/ingress/values_overrides/apparmor.yaml
+++ /dev/null
@@ -1,14 +0,0 @@
----
-pod:
- mandatory_access_control:
- type: apparmor
- ingress-error-pages:
- init: runtime/default
- ingress-error-pages: runtime/default
- ingress-server:
- init: runtime/default
- ingress-vip-kernel-modules: runtime/default
- ingress-vip-init: runtime/default
- ingress: runtime/default
- ingress-vip: runtime/default
-...
diff --git a/ingress/values_overrides/ingress-class-cluster.yaml b/ingress/values_overrides/ingress-class-cluster.yaml
deleted file mode 100644
index eb422c89b..000000000
--- a/ingress/values_overrides/ingress-class-cluster.yaml
+++ /dev/null
@@ -1,7 +0,0 @@
----
-deployment:
- mode: cluster
- type: DaemonSet
-network:
- host_namespace: true
-...
diff --git a/ingress/values_overrides/ingress-class-namespaced.yaml b/ingress/values_overrides/ingress-class-namespaced.yaml
deleted file mode 100644
index 96c8f95ff..000000000
--- a/ingress/values_overrides/ingress-class-namespaced.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
----
-deployment:
- mode: namespace
- type: Deployment
- cluster:
- class: "ucp-ingress"
- controllerClass: "k8s.io/ucp-ingress"
-...
diff --git a/ingress/values_overrides/netpol.yaml b/ingress/values_overrides/netpol.yaml
deleted file mode 100644
index 7eedf73ca..000000000
--- a/ingress/values_overrides/netpol.yaml
+++ /dev/null
@@ -1,4 +0,0 @@
----
-manifests:
- network_policy: true
-...
diff --git a/ingress/values_overrides/rocky-opensuse_15.yaml b/ingress/values_overrides/rocky-opensuse_15.yaml
deleted file mode 100644
index 6209b8a2a..000000000
--- a/ingress/values_overrides/rocky-opensuse_15.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
----
-images:
- tags:
- ingress_module_init: "docker.io/openstackhelm/neutron:rocky-opensuse_15"
- ingress_routed_vip: "docker.io/openstackhelm/neutron:rocky-opensuse_15"
-...
diff --git a/tools/deployment/apparmor/015-ingress.sh b/tools/deployment/apparmor/015-ingress.sh
deleted file mode 100755
index c63855ef8..000000000
--- a/tools/deployment/apparmor/015-ingress.sh
+++ /dev/null
@@ -1,63 +0,0 @@
-#!/bin/bash
-
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-
-set -xe
-
-#NOTE: Lint and package chart
-make ingress
-
-: ${OSH_INFRA_EXTRA_HELM_ARGS_KUBE_SYSTEM:="$(./tools/deployment/common/get-values-overrides.sh ingress)"}
-: ${OSH_INFRA_EXTRA_HELM_ARGS_OPENSTACK:="$(./tools/deployment/common/get-values-overrides.sh ingress)"}
-: ${OSH_INFRA_EXTRA_HELM_ARGS_CEPH:="$(./tools/deployment/common/get-values-overrides.sh ingress)"}
-
-#NOTE: Deploy command
-: ${OSH_INFRA_EXTRA_HELM_ARGS:=""}
-
-#NOTE: Deploy global ingress with IngressClass nginx-cluster
-tee /tmp/ingress-kube-system.yaml <