# Deploy a per-cluster Nginx Ingress Controller
#
# Evaluates to a single `Environment` object holding every Kubernetes resource
# the controller needs: its namespace, the three ConfigMaps it reads, the
# ServiceAccount with its cluster-wide and namespaced RBAC, the LoadBalancer
# Service, and the controller Deployment. All tunables live in `cfg`, so a
# caller overrides the image or namespace by extending `Environment { cfg+: {...} }`.

local kube = import "../../../kube/kube.libsonnet";

{
    Environment: {
        local env = self,
        local cfg = env.cfg,
        # Hidden (`::`) so it is not emitted as a resource; only `image` and
        # `namespace` are configurable here.
        cfg:: {
            # Pinned to a release tag. NOTE(review): a tag is mutable on the
            # registry side; pinning by digest (`@sha256:...`) would make this
            # deployment reproducible — consider.
            image: "quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.23.0",
            namespace: "nginx-system",
        },

        # Shared metadata mixed into every object below. Cluster-scoped objects
        # (ClusterRole, ClusterRoleBinding) re-hide `namespace` when mixing it in.
        metadata:: {
            namespace: cfg.namespace,
            labels: {
                "app.kubernetes.io/name": "ingress-nginx",
                "app.kubernetes.io/part-of": "ingress-nginx",
            },
        },

        namespace: kube.Namespace(cfg.namespace),

        # Empty ConfigMaps the controller is pointed at via its flags (see
        # `deployment` args); operators populate them out of band.
        maps: {
            make(name):: kube.ConfigMap(name) {
                metadata+: env.metadata,
            },
            configuration: env.maps.make("nginx-configuration"),
            tcp: env.maps.make("tcp-services"),
            udp: env.maps.make("udp-services"),
        },

        sa: kube.ServiceAccount("nginx-ingress-serviceaccount") {
            metadata+: env.metadata,
        },

        # Cluster-wide read access. The first rule grants list/watch on
        # *every* Secret in the cluster, not only those in `cfg.namespace` —
        # presumably so Ingress TLS secrets from any namespace can be served.
        # Treat the controller's ServiceAccount token accordingly when
        # reviewing what else runs in this namespace.
        cr: kube.ClusterRole("nginx-ingress-clusterrole") {
            metadata+: env.metadata {
                namespace:: null,
            },
            rules: [
                {
                    apiGroups: [""],
                    resources: ["configmaps", "endpoints", "nodes", "pods", "secrets"],
                    verbs: ["list", "watch"],
                },
                {
                    apiGroups: [""],
                    resources: ["nodes"],
                    verbs: ["get"],
                },
                {
                    apiGroups: [""],
                    resources: ["services"],
                    verbs: ["get", "list", "watch"],
                },
                # Ingress is addressed via the `extensions` API group here;
                # newer clusters serve it under `networking.k8s.io` instead.
                {
                    apiGroups: ["extensions"],
                    resources: ["ingresses"],
                    verbs: ["get", "list", "watch"],
                },
                {
                    apiGroups: [""],
                    resources: ["events"],
                    verbs: ["create", "patch"],
                },
                # Only `status` is writable on Ingress objects; the spec stays read-only.
                {
                    apiGroups: ["extensions"],
                    resources: ["ingresses/status"],
                    verbs: ["update"],
                },
            ],
        },

        crb: kube.ClusterRoleBinding("nginx-ingress-clusterrole-nisa-binding") {
            metadata+: env.metadata {
                namespace:: null,
            },
            roleRef: {
                apiGroup: "rbac.authorization.k8s.io",
                kind: "ClusterRole",
                name: env.cr.metadata.name,
            },
            subjects: [
                {
                    kind: "ServiceAccount",
                    name: env.sa.metadata.name,
                    namespace: env.sa.metadata.namespace,
                },
            ],
        },

        # Namespaced write access, scoped to `cfg.namespace` only.
        role: kube.Role("nginx-ingress-role") {
            metadata+: env.metadata,
            rules : [
                {
                    apiGroups: [""],
                    resources: ["configmaps", "pods", "secrets", "namespaces"],
                    verbs: ["get"],
                },
                # `update` is limited by resourceNames to one ConfigMap —
                # presumably the leader-election lock; verify against the
                # controller's `--election-id` default before renaming it.
                {
                    apiGroups: [""],
                    resources: ["configmaps"],
                    resourceNames: ["ingress-controller-leader-nginx"],
                    verbs: ["get", "update"],
                },
                # `create` cannot be restricted by resourceNames, hence a
                # separate rule without one.
                {
                    apiGroups: [""],
                    resources: ["configmaps"],
                    verbs: ["create"],
                },
                {
                    apiGroups: [""],
                    resources: ["endpoints"],
                    verbs: ["get"],
                },
            ],
        },

        roleb: kube.RoleBinding("nginx-ingress-role-nisa-binding") {
            metadata+: env.metadata,
            roleRef: {
                apiGroup: "rbac.authorization.k8s.io",
                kind: "Role",
                name: env.role.metadata.name,
            },
            subjects: [
                {
                    kind: "ServiceAccount",
                    name: env.sa.metadata.name,
                    namespace: env.sa.metadata.namespace,
                },
            ],
        },

        # Externally reachable entry point: a LoadBalancer on 80/443 selecting
        # the controller pods. The health port (10254) is deliberately not
        # exposed here.
        service: kube.Service("ingress-nginx") {
            metadata+: env.metadata,
            target_pod:: env.deployment.spec.template,
            spec+: {
                type: "LoadBalancer",
                ports: [
                    { name: "http", port: 80, targetPort: 80, protocol: "TCP" },
                    { name: "https", port: 443, targetPort: 443, protocol: "TCP" },
                ],
            },
        },

        deployment: kube.Deployment("nginx-ingress-controller") {
            metadata+: env.metadata,
            spec+: {
                # Single replica: no HA for the ingress path. The leader-election
                # rule in `role` suggests more replicas would work, but that is
                # not exercised here.
                replicas: 1,
                template+: {
                    spec+: {
                        serviceAccountName: env.sa.metadata.name,
                        containers_: {
                            controller: kube.Container("nginx-ingress-controller") {
                                image: cfg.image,
                                # ConfigMap and Service flags are derived from the
                                # objects above, so renaming a map or the service
                                # propagates here automatically.
                                args: [
                                    "/nginx-ingress-controller",
                                    "--configmap=%s/%s" % [cfg.namespace, env.maps.configuration.metadata.name],
                                    "--tcp-services-configmap=%s/%s" % [cfg.namespace, env.maps.tcp.metadata.name],
                                    "--udp-services-configmap=%s/%s" % [cfg.namespace, env.maps.udp.metadata.name],
                                    "--publish-service=%s/%s" % [cfg.namespace, env.service.metadata.name],
                                    "--annotations-prefix=nginx.ingress.kubernetes.io",
                                ],
                                # Pod identity injected from pod metadata (kube.FieldRef
                                # is defined in kube.libsonnet — presumably a downward-API
                                # fieldRef; confirm there).
                                env_: {
                                    POD_NAME: kube.FieldRef("metadata.name"),
                                    POD_NAMESPACE: kube.FieldRef("metadata.namespace"),
                                },
                                ports_: {
                                    http: { containerPort: 80 },
                                    https: { containerPort: 443 },
                                },
                                # Both probes hit the controller's own health endpoint on
                                # 10254 over plain HTTP; this port is not part of `service`.
                                livenessProbe: {
                                    failureThreshold: 3,
                                    httpGet: {
                                        path: "/healthz",
                                        port: 10254,
                                        scheme: "HTTP",
                                    },
                                    initialDelaySeconds: 10,
                                    periodSeconds: 10,
                                    successThreshold: 1,
                                    timeoutSeconds: 10,
                                },
                                readinessProbe: {
                                    failureThreshold: 3,
                                    httpGet: {
                                        path: "/healthz",
                                        port: 10254,
                                        scheme: "HTTP",
                                    },
                                    periodSeconds: 10,
                                    successThreshold: 1,
                                    timeoutSeconds: 10,
                                },
                                # Runs as uid 33 with all capabilities dropped except
                                # NET_BIND_SERVICE (needed to bind 80/443 as non-root).
                                # NOTE(review): allowPrivilegeEscalation stays true;
                                # upstream manifests of this era set it so the binary can
                                # pick up its file capability — confirm the pinned image
                                # still requires it, otherwise set it to false.
                                securityContext: {
                                    allowPrivilegeEscalation: true,
                                    capabilities: {
                                        drop: ["ALL"],
                                        add: ["NET_BIND_SERVICE"],
                                    },
                                    runAsUser: 33,
                                },
                            },
                        },
                    },
                },
            },
        },
    },
}