Blame - cluster/kube/lib/nginx.libsonnet - hscloud

Sergiusz Bazanski

a9c7e86

2019-04-01 17:56:28 +0200

[diff] [blame]

1

# Deploy a per-cluster Nginx Ingress Controller

2

3

local kube = import "../../../kube/kube.libsonnet";

Sergiusz Bazanski

b13b7ff

2019-08-29 20:12:24 +0200

[diff] [blame]

4

local policies = import "../../../kube/policies.libsonnet";

Sergiusz Bazanski

a9c7e86

2019-04-01 17:56:28 +0200

[diff] [blame]

{

Environment: {

local env = self,

local cfg = env.cfg,

cfg:: {

Serge Bazanski

2e8d24b

2021-03-25 18:39:52 +0100

[diff] [blame]

11

# Built from nginx-ingress-controller/Dockerfile:

12

#

13

# $ cd cluster/kube/lib/nginx-ingress-controller

14

# $ docker build -t eu.gcr.io/bgpwtf/nginx-ingress-controller:v0.44.0-r1 .

15

# [..]

16

# (2/8) Upgrading libcrypto1.1 (1.1.1i-r0 -> 1.1.1k-r0)

17

# (3/8) Upgrading libssl1.1 (1.1.1i-r0 -> 1.1.1k-r0

18

# [...]

19

# (8/8) Upgrading openssl (1.1.1i-r0 -> 1.1.1k-r0)

20

# $ docker push eu.gcr.io/bgpwtf/nginx-ingress-controller:v0.44.0-r1

21

#

22

# TODO(q3k): unfork this once openssl 1.1.1k lands in upstream

23

# nginx-ingress-controller.

24

image: "eu.gcr.io/bgpwtf/nginx-ingress-controller:v0.44.0-r1",

Sergiusz Bazanski

a9c7e86

2019-04-01 17:56:28 +0200

[diff] [blame]

25

namespace: "nginx-system",

},

metadata:: {

namespace: cfg.namespace,

30

labels: {

31

"app.kubernetes.io/name": "ingress-nginx",

32

"app.kubernetes.io/part-of": "ingress-nginx",

},

},

namespace: kube.Namespace(cfg.namespace),

37

Sergiusz Bazanski

b13b7ff

2019-08-29 20:12:24 +0200

[diff] [blame]

38

allowInsecure: policies.AllowNamespaceInsecure(cfg.namespace),

39

Sergiusz Bazanski

a9c7e86

2019-04-01 17:56:28 +0200

[diff] [blame]

40

maps: {

41

make(name):: kube.ConfigMap(name) {

42

metadata+: env.metadata,

43

},

Serge Bazanski

e17f7ed

2021-05-22 19:10:30 +0000

[diff] [blame]

44

configuration: env.maps.make("nginx-configuration") {

45

data: {

46

"proxy-set-headers": "%s/nginx-custom-headers" % [cfg.namespace],

47

},

48

},

49

customHeaders: env.maps.make("nginx-custom-headers") {

50

data: {

51

# RFC6648 deprecates X-prefixed headers as a convention in

52

# multiple application protocols, including HTTP. It

53

# recommends that any new headers should just start off

54

# with a final standardized name, ie. suggests to use

55

# Toaster-ID instead of X-Toaster-ID.

56

#

57

# However, it also acknowledges that headers likely to

58

# never be standardized can still be prefixed with OrgName-

59

# or other constructs. And since we're not even attempting

60

# to standardize anything here, this is what we use to

61

# prefix hscloud-specific headers.

62

#

63

# Hscloud == hscloud, this repository.

64

# Nic == nginx-ingress-controller, this ingress controller.

65

66

# Set source port/addr. Source-IP duplicates

67

# X-Forwarded-For, but is added for consistency with

68

# Source-Port.

69

#

70

# Source-IP is an IP address in two possible formats:

71

# IPv4: "1.2.3.4"

72

# IPv6: "2a0d:1234::42"

73

# Any other format received by services should be

74

# considered invalid, and the service should assume a

75

# misconfiguration of the N-I-C.

76

"Hscloud-Nic-Source-IP": "${remote_addr}",

77

# Source-Port is a stringified TCP port, encoding a port

78

# number from 1 to 65535. Any other value received by

79

# services should be considered invalid, and the service

80

# should assume a misconfiguration of the N-I-C.

81

"Hscloud-Nic-Source-Port": "${remote_port}",

82

},

83

},

Sergiusz Bazanski

543b412

2019-06-29 22:42:39 +0200

[diff] [blame]

84

tcp: env.maps.make("tcp-services") {

85

data: {

Piotr Dobrowolski

f00edf6

2020-07-02 18:30:38 +0200

[diff] [blame]

86

"22": "gerrit/gerrit:22",

Sergiusz Bazanski

543b412

2019-06-29 22:42:39 +0200

[diff] [blame]

87

}

88

},

Sergiusz Bazanski

a9c7e86

2019-04-01 17:56:28 +0200

[diff] [blame]

89

udp: env.maps.make("udp-services"),

90

},

91

92

sa: kube.ServiceAccount("nginx-ingress-serviceaccount") {

93

metadata+: env.metadata,

94

},

95

96

cr: kube.ClusterRole("nginx-ingress-clusterrole") {

97

metadata+: env.metadata {

namespace:: null,

},

rules: [

{

apiGroups: [""],

resources: ["configmaps", "endpoints", "nodes", "pods", "secrets"],

104

verbs: ["list", "watch"],

},

{

apiGroups: [""],

resources: ["nodes"],

verbs: ["get"],

},

{

apiGroups: [""],

resources: ["services"],

114

verbs: ["get", "list", "watch"],

115

},

116

{

Serge Bazanski

2e8d24b

2021-03-25 18:39:52 +0100

[diff] [blame]

117

apiGroups: ["extensions", "networking.k8s.io"],

Sergiusz Bazanski

a9c7e86

2019-04-01 17:56:28 +0200

[diff] [blame]

118

resources: ["ingresses"],

119

verbs: ["get", "list", "watch"],

},

{

apiGroups: [""],

resources: ["events"],

124

verbs: ["create", "patch"],

125

},

126

{

Serge Bazanski

2e8d24b

2021-03-25 18:39:52 +0100

[diff] [blame]

127

apiGroups: ["extensions", "networking.k8s.io"],

Sergiusz Bazanski

a9c7e86

2019-04-01 17:56:28 +0200

[diff] [blame]

128

resources: ["ingresses/status"],

129

verbs: ["update"],

130

},

Serge Bazanski

2e8d24b

2021-03-25 18:39:52 +0100

[diff] [blame]

131

{

132

apiGroups: ["extensions", "networking.k8s.io"],

133

resources: ["ingressclasses"],

134

verbs: ["get", "list", "watch"],

135

},

Sergiusz Bazanski

a9c7e86

2019-04-01 17:56:28 +0200

[diff] [blame]

],

},

crb: kube.ClusterRoleBinding("nginx-ingress-clusterrole-nisa-binding") {

140

metadata+: env.metadata {

namespace:: null,

},

roleRef: {

apiGroup: "rbac.authorization.k8s.io",

kind: "ClusterRole",

},

subjects: [

{

kind: "ServiceAccount",

151

152

namespace: env.sa.metadata.namespace,

},

],

},

role: kube.Role("nginx-ingress-role") {

158

metadata+: env.metadata,

159

rules : [

160

{

161

apiGroups: [""],

Serge Bazanski

2e8d24b

2021-03-25 18:39:52 +0100

[diff] [blame]

162

resources: ["namespaces"],

Sergiusz Bazanski

a9c7e86

2019-04-01 17:56:28 +0200

[diff] [blame]

verbs: ["get"],

},

{

apiGroups: [""],

Serge Bazanski

2e8d24b

2021-03-25 18:39:52 +0100

[diff] [blame]

167

resources: ["configmaps", "pods", "secrets", "endpoints"],

168

verbs: ["get", "list", "watch"],

},

{

apiGroups: [""],

resources: ["services"],

173

verbs: ["get", "list", "watch"],

174

},

175

{

176

apiGroups: ["extensions", "networking.k8s.io"],

177

resources: ["ingresses"],

178

verbs: ["get", "list", "watch"],

179

},

180

{

181

apiGroups: ["extensions", "networking.k8s.io"],

182

resources: ["ingresses/status"],

verbs: ["update"],

},

{

apiGroups: ["extensions", "networking.k8s.io"],

187

resources: ["ingressclasses"],

188

verbs: ["get", "list", "watch"],

189

},

190

{

191

apiGroups: [""],

Sergiusz Bazanski

a9c7e86

2019-04-01 17:56:28 +0200

[diff] [blame]

192

resources: ["configmaps"],

193

resourceNames: ["ingress-controller-leader-nginx"],

194

verbs: ["get", "update"],

},

{

apiGroups: [""],

resources: ["configmaps"],

verbs: ["create"],

},

{

apiGroups: [""],

Serge Bazanski

2e8d24b

2021-03-25 18:39:52 +0100

[diff] [blame]

203

resources: ["events"],

204

verbs: ["create", "patch"],

Sergiusz Bazanski

a9c7e86

2019-04-01 17:56:28 +0200

[diff] [blame]

},

],

},

roleb: kube.RoleBinding("nginx-ingress-role-nisa-binding") {

210

metadata+: env.metadata,

211

roleRef: {

212

apiGroup: "rbac.authorization.k8s.io",

kind: "Role",

},

subjects: [

{

kind: "ServiceAccount",

219

220

namespace: env.sa.metadata.namespace,

},

],

},

service: kube.Service("ingress-nginx") {

226

metadata+: env.metadata,

227

target_pod:: env.deployment.spec.template,

228

spec+: {

229

type: "LoadBalancer",

230

ports: [

Sergiusz Bazanski

543b412

2019-06-29 22:42:39 +0200

[diff] [blame]

231

{ name: "ssh", port: 22, targetPort: 22, protocol: "TCP" },

Sergiusz Bazanski

a9c7e86

2019-04-01 17:56:28 +0200

[diff] [blame]

232

{ name: "http", port: 80, targetPort: 80, protocol: "TCP" },

233

{ name: "https", port: 443, targetPort: 443, protocol: "TCP" },

],

},

},

Piotr Dobrowolski

2020-07-02 18:30:38 +0200

[diff] [blame]

238

serviceGitea: kube.Service("ingress-nginx-gitea") {

239

metadata+: env.metadata,

240

target_pod:: env.deployment.spec.template,

241

spec+: {

242

type: "LoadBalancer",

243

loadBalancerIP: "185.236.240.60",

244

ports: [

245

{ name: "ssh", port: 22, targetPort: 222, protocol: "TCP" },

246

{ name: "http", port: 80, targetPort: 80, protocol: "TCP" },

247

{ name: "https", port: 443, targetPort: 443, protocol: "TCP" },

],

},

},

Sergiusz Bazanski

2019-04-01 17:56:28 +0200

[diff] [blame]

252

deployment: kube.Deployment("nginx-ingress-controller") {

253

metadata+: env.metadata,

254

spec+: {

Sergiusz Bazanski

fd323a0

2019-11-17 19:49:04 +0100

[diff] [blame]

255

replicas: 5,

Sergiusz Bazanski

a9c7e86

2019-04-01 17:56:28 +0200

[diff] [blame]

256

template+: {

257

spec+: {

258

serviceAccountName: env.sa.metadata.name,

259

containers_: {

260

controller: kube.Container("nginx-ingress-controller") {

261

image: cfg.image,

Serge Bazanski

2e8d24b

2021-03-25 18:39:52 +0100

[diff] [blame]

262

imagePullPolicy: "IfNotPresent",

lifecycle: {

preStop: {

exec: {

command: [ "/wait-shutdown" ],

267

},

268

},

269

},

Sergiusz Bazanski

a9c7e86

2019-04-01 17:56:28 +0200

[diff] [blame]

270

args: [

271

"/nginx-ingress-controller",

Serge Bazanski

2e8d24b

2021-03-25 18:39:52 +0100

[diff] [blame]

272

"--election-id=ingress-controller-leader",

273

"--ingress-class=nginx",

Sergiusz Bazanski

a9c7e86

2019-04-01 17:56:28 +0200

[diff] [blame]

274

"--configmap=%s/%s" % [cfg.namespace, env.maps.configuration.metadata.name],

275

"--tcp-services-configmap=%s/%s" % [cfg.namespace, env.maps.tcp.metadata.name],

276

"--udp-services-configmap=%s/%s" % [cfg.namespace, env.maps.udp.metadata.name],

277

"--publish-service=%s/%s" % [cfg.namespace, env.service.metadata.name],

278

"--annotations-prefix=nginx.ingress.kubernetes.io",

279

],

280

env_: {

281

POD_NAME: kube.FieldRef("metadata.name"),

282

POD_NAMESPACE: kube.FieldRef("metadata.namespace"),

283

},

284

ports_: {

285

http: { containerPort: 80 },

286

https: { containerPort: 443 },

},

livenessProbe: {

failureThreshold: 3,

httpGet: {

path: "/healthz",

port: 10254,

scheme: "HTTP",

},

initialDelaySeconds: 10,

periodSeconds: 10,

successThreshold: 1,

timeoutSeconds: 10,

},

readinessProbe: {

failureThreshold: 3,

httpGet: {

path: "/healthz",

port: 10254,

scheme: "HTTP",

},

periodSeconds: 10,

successThreshold: 1,

timeoutSeconds: 10,

},

securityContext: {

allowPrivilegeEscalation: true,

313

capabilities: {

314

drop: ["ALL"],

315

add: ["NET_BIND_SERVICE"],

316

},

Serge Bazanski

2e8d24b

2021-03-25 18:39:52 +0100

[diff] [blame]

317

runAsUser: 101,

Sergiusz Bazanski

a9c7e86

2019-04-01 17:56:28 +0200

[diff] [blame]

318

},

Serge Bazanski

059fdfe

2020-09-12 21:44:53 +0000

[diff] [blame]

319

resources: {

320

limits: { cpu: "2", memory: "4G" },

321

requests: { cpu: "1", memory: "1G" },

322

},

Sergiusz Bazanski

a9c7e86

2019-04-01 17:56:28 +0200

[diff] [blame]

},

},

},

},

},

},

},

}