# Deploy a per-cluster Nginx Ingress Controller
#
# One Environment object holds everything the controller needs: its
# namespace, a policy exception for that namespace, the ConfigMaps it
# reads, the RBAC it runs under, the Services that expose it and the
# Deployment itself. Comments marked NOTE(review) are observations from a
# review pass and should be confirmed against the referenced libsonnet
# files or the upstream ingress-nginx documentation.

local kube = import "../../../kube/kube.libsonnet";
local policies = import "../../../kube/policies.libsonnet";

{
    Environment: {
        local env = self,
        local cfg = env.cfg,
        # Tunables. `cfg::` is hidden, so it is not emitted as a Kubernetes
        # object; callers override it with `Environment { cfg+: {...} }`.
        # The image tag is the single place the controller version is pinned.
        cfg:: {
            image: "quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.23.0",
            namespace: "nginx-system",
        },

        # Metadata mixed (`metadata+:`) into every namespaced object below.
        metadata:: {
            namespace: cfg.namespace,
            labels: {
                "app.kubernetes.io/name": "ingress-nginx",
                "app.kubernetes.io/part-of": "ingress-nginx",
            },
        },

        namespace: kube.Namespace(cfg.namespace),

        # NOTE(review): by name this relaxes a namespace-wide policy for the
        # controller's namespace. What it actually permits lives in
        # policies.libsonnet, not here -- read it together with the
        # container securityContext at the bottom of this file, as the two
        # are presumably coupled (the controller needs allowPrivilegeEscalation).
        allowInsecure: policies.AllowNamespaceInsecure(cfg.namespace),

        maps: {
            # Namespaced ConfigMap factory shared by the three maps below.
            make(name):: kube.ConfigMap(name) {
                metadata+: env.metadata,
            },
            configuration: env.maps.make("nginx-configuration"),
            # Raw TCP passthrough, keyed by the port nginx listens on:
            # "<listen port>": "<namespace>/<service>:<service port>".
            # Port 22 is exposed directly by `service` (gerrit SSH); port 222
            # is reached as port 22 of `serviceGitea` (gitea SSH). Traffic on
            # these ports bypasses HTTP-level controls entirely, so anything
            # added here is exposed as-is on the LoadBalancer address.
            tcp: env.maps.make("tcp-services") {
                data: {
                    "22": "gerrit/gerrit:22",
                    "222": "gitea-prod/gitea:22",
                }
            },
            udp: env.maps.make("udp-services"),
        },

        sa: kube.ServiceAccount("nginx-ingress-serviceaccount") {
            metadata+: env.metadata,
        },

        # Cluster-wide read access. `namespace:: null` hides the namespace
        # inherited from env.metadata, since ClusterRoles are cluster-scoped.
        cr: kube.ClusterRole("nginx-ingress-clusterrole") {
            metadata+: env.metadata {
                namespace:: null,
            },
            rules: [
                # The broad grant here is list/watch on `secrets` in every
                # namespace: the controller needs it to pick up TLS secrets
                # referenced by Ingresses anywhere in the cluster, which also
                # means a compromise of the controller pod exposes every
                # Secret in the cluster. Keep the image current and the
                # controller namespace tightly scoped accordingly.
                {
                    apiGroups: [""],
                    resources: ["configmaps", "endpoints", "nodes", "pods", "secrets"],
                    verbs: ["list", "watch"],
                },
                {
                    apiGroups: [""],
                    resources: ["nodes"],
                    verbs: ["get"],
                },
                {
                    apiGroups: [""],
                    resources: ["services"],
                    verbs: ["get", "list", "watch"],
                },
                # NOTE(review): Ingress is addressed only through the legacy
                # `extensions` API group here; newer controller releases also
                # read it from networking.k8s.io, so these two rules would
                # need extending when the image tag is bumped.
                {
                    apiGroups: ["extensions"],
                    resources: ["ingresses"],
                    verbs: ["get", "list", "watch"],
                },
                {
                    apiGroups: [""],
                    resources: ["events"],
                    verbs: ["create", "patch"],
                },
                {
                    apiGroups: ["extensions"],
                    resources: ["ingresses/status"],
                    verbs: ["update"],
                },
            ],
        },

        # Binds the cluster role above to the controller's ServiceAccount.
        crb: kube.ClusterRoleBinding("nginx-ingress-clusterrole-nisa-binding") {
            metadata+: env.metadata {
                namespace:: null,
            },
            roleRef: {
                apiGroup: "rbac.authorization.k8s.io",
                kind: "ClusterRole",
                name: env.cr.metadata.name,
            },
            subjects: [
                {
                    kind: "ServiceAccount",
                    name: env.sa.metadata.name,
                    namespace: env.sa.metadata.namespace,
                },
            ],
        },

        # Namespace-local permissions, limited to cfg.namespace.
        role: kube.Role("nginx-ingress-role") {
            metadata+: env.metadata,
            rules : [
                {
                    apiGroups: [""],
                    resources: ["configmaps", "pods", "secrets", "namespaces"],
                    verbs: ["get"],
                },
                # Write access to configmaps is narrowed to a single named
                # object; presumably the leader-election lock shared by the
                # replicas (the name is the controller's default) -- verify.
                {
                    apiGroups: [""],
                    resources: ["configmaps"],
                    resourceNames: ["ingress-controller-leader-nginx"],
                    verbs: ["get", "update"],
                },
                {
                    apiGroups: [""],
                    resources: ["configmaps"],
                    verbs: ["create"],
                },
                {
                    apiGroups: [""],
                    resources: ["endpoints"],
                    verbs: ["get"],
                },
            ],
        },

        roleb: kube.RoleBinding("nginx-ingress-role-nisa-binding") {
            metadata+: env.metadata,
            roleRef: {
                apiGroup: "rbac.authorization.k8s.io",
                kind: "Role",
                name: env.role.metadata.name,
            },
            subjects: [
                {
                    kind: "ServiceAccount",
                    name: env.sa.metadata.name,
                    namespace: env.sa.metadata.namespace,
                },
            ],
        },

        # Primary external endpoint. `target_pod` is a hidden field consumed
        # by kube.Service (presumably to derive the selector from the pod
        # template -- see kube.libsonnet). Port 22 is the gerrit SSH
        # passthrough from maps.tcp.
        service: kube.Service("ingress-nginx") {
            metadata+: env.metadata,
            target_pod:: env.deployment.spec.template,
            spec+: {
                type: "LoadBalancer",
                ports: [
                    { name: "ssh", port: 22, targetPort: 22, protocol: "TCP" },
                    { name: "http", port: 80, targetPort: 80, protocol: "TCP" },
                    { name: "https", port: 443, targetPort: 443, protocol: "TCP" },
                ],
            },
        },

        # Second external endpoint on a fixed address, so that gitea can be
        # served SSH on port 22 (mapped to the controller's 222 listener)
        # while gerrit keeps port 22 on the primary address. HTTP/HTTPS hit
        # the same controller pods as `service`.
        # NOTE(review): the address is hard-coded here rather than in cfg;
        # consider lifting it into cfg alongside namespace/image so the
        # environment can be instantiated for another cluster.
        serviceGitea: kube.Service("ingress-nginx-gitea") {
            metadata+: env.metadata,
            target_pod:: env.deployment.spec.template,
            spec+: {
                type: "LoadBalancer",
                loadBalancerIP: "185.236.240.60",
                ports: [
                    { name: "ssh", port: 22, targetPort: 222, protocol: "TCP" },
                    { name: "http", port: 80, targetPort: 80, protocol: "TCP" },
                    { name: "https", port: 443, targetPort: 443, protocol: "TCP" },
                ],
            },
        },

        deployment: kube.Deployment("nginx-ingress-controller") {
            metadata+: env.metadata,
            spec+: {
                replicas: 5,
                template+: {
                    spec+: {
                        serviceAccountName: env.sa.metadata.name,
                        containers_: {
                            controller: kube.Container("nginx-ingress-controller") {
                                image: cfg.image,
                                # All ConfigMap references are built from the
                                # objects above, so renaming a map cannot
                                # silently desynchronise the flags.
                                # `--publish-service` names only the primary
                                # `service`; Ingress status addresses will
                                # therefore reflect that Service, not
                                # serviceGitea.
                                args: [
                                    "/nginx-ingress-controller",
                                    "--configmap=%s/%s" % [cfg.namespace, env.maps.configuration.metadata.name],
                                    "--tcp-services-configmap=%s/%s" % [cfg.namespace, env.maps.tcp.metadata.name],
                                    "--udp-services-configmap=%s/%s" % [cfg.namespace, env.maps.udp.metadata.name],
                                    "--publish-service=%s/%s" % [cfg.namespace, env.service.metadata.name],
                                    "--annotations-prefix=nginx.ingress.kubernetes.io",
                                ],
                                env_: {
                                    POD_NAME: kube.FieldRef("metadata.name"),
                                    POD_NAMESPACE: kube.FieldRef("metadata.namespace"),
                                },
                                # Only the HTTP listeners are declared; the TCP
                                # passthrough ports (22/222) and the probe port
                                # are not listed, which Kubernetes does not
                                # require for traffic to reach them.
                                ports_: {
                                    http: { containerPort: 80 },
                                    https: { containerPort: 443 },
                                },
                                # Both probes use the controller's own /healthz
                                # on 10254 (presumably its status port), not
                                # the nginx listeners.
                                livenessProbe: {
                                    failureThreshold: 3,
                                    httpGet: {
                                        path: "/healthz",
                                        port: 10254,
                                        scheme: "HTTP",
                                    },
                                    initialDelaySeconds: 10,
                                    periodSeconds: 10,
                                    successThreshold: 1,
                                    timeoutSeconds: 10,
                                },
                                # Unlike livenessProbe this has no
                                # initialDelaySeconds; the first readiness
                                # check runs at the default delay.
                                readinessProbe: {
                                    failureThreshold: 3,
                                    httpGet: {
                                        path: "/healthz",
                                        port: 10254,
                                        scheme: "HTTP",
                                    },
                                    periodSeconds: 10,
                                    successThreshold: 1,
                                    timeoutSeconds: 10,
                                },
                                # Matches the upstream manifest for this image
                                # generation: run as www-data (uid 33), drop
                                # every capability and add back only
                                # NET_BIND_SERVICE for ports 80/443.
                                # NOTE(review): allowPrivilegeEscalation: true
                                # is what upstream requires so the file
                                # capability on the nginx binary takes effect;
                                # re-check whether it is still needed when the
                                # image is upgraded, and keep it in sync with
                                # `allowInsecure` above.
                                securityContext: {
                                    allowPrivilegeEscalation: true,
                                    capabilities: {
                                        drop: ["ALL"],
                                        add: ["NET_BIND_SERVICE"],
                                    },
                                    runAsUser: 33,
                                },
                            },
                        },
                    },
                },
            },
        },
    },
}
235}