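# Deploy a per-cluster Nginx Ingress Controller
#
# Evaluating `Environment` yields every Kubernetes object an ingress-nginx
# controller needs in its own namespace: the Namespace, RBAC (ServiceAccount,
# ClusterRole, Role and their bindings), the three ConfigMaps the controller
# reads, two LoadBalancer Services and the controller Deployment.
#
# Tunables live in `cfg::` and are overridden from a per-cluster file, e.g.
#   nginx.Environment { cfg+: { namespace: "ingress", replicas: 2 } }

local kube = import "../../../kube/kube.libsonnet";
local policies = import "../../../kube/policies.libsonnet";

{
    Environment: {
        local env = self,
        local cfg = env.cfg,

        cfg:: {
            # Controller image. Pinned by tag only, so the bytes behind the
            # tag can change underneath the pin; an `@sha256:` digest gives a
            # reproducible deployment.
            image: "quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.23.0",
            # Namespace every object below lives in, except the cluster-scoped
            # ClusterRole / ClusterRoleBinding.
            namespace: "nginx-system",
            # Number of controller pods.
            replicas: 5,
            # Contents of the tcp-services ConfigMap: external port ->
            # "namespace/service:port", proxied as raw TCP by the controller.
            tcpServices: {
                "22": "gerrit/gerrit:22",
            },
            # Static address of the second LoadBalancer Service (serviceGitea).
            giteaLoadBalancerIP: "185.236.240.60",
        },

        # Metadata mixed into every namespaced object.
        metadata:: {
            namespace: cfg.namespace,
            labels: {
                "app.kubernetes.io/name": "ingress-nginx",
                "app.kubernetes.io/part-of": "ingress-nginx",
            },
        },

        namespace: kube.Namespace(cfg.namespace),

        # Relaxes the cluster's pod security policy for this namespace. What is
        # allowed is defined in policies.libsonnet; presumably it is what the
        # controller's securityContext (privilege escalation, NET_BIND_SERVICE)
        # needs. Check there before reusing the namespace for other workloads.
        allowInsecure: policies.AllowNamespaceInsecure(cfg.namespace),

        maps: {
            make(name):: kube.ConfigMap(name) {
                metadata+: env.metadata,
            },
            # Main nginx configuration; no overrides here.
            configuration: env.maps.make("nginx-configuration"),
            # Raw TCP proxy table, see cfg.tcpServices.
            tcp: env.maps.make("tcp-services") {
                data: cfg.tcpServices,
            },
            # Raw UDP proxy table; no entries.
            udp: env.maps.make("udp-services"),
        },

        sa: kube.ServiceAccount("nginx-ingress-serviceaccount") {
            metadata+: env.metadata,
        },

        # Cluster-wide read access used to discover Ingresses, their backends
        # and TLS Secrets. "secrets" list/watch applies to every namespace, so
        # this ServiceAccount (and any pod running as it) can read all Secrets
        # in the cluster; treat the namespace and its pods as sensitive.
        cr: kube.ClusterRole("nginx-ingress-clusterrole") {
            # ClusterRoles are not namespaced: drop the namespace inherited
            # from env.metadata but keep the labels.
            metadata+: env.metadata {
                namespace:: null,
            },
            rules: [
                {
                    apiGroups: [""],
                    resources: ["configmaps", "endpoints", "nodes", "pods", "secrets"],
                    verbs: ["list", "watch"],
                },
                {
                    apiGroups: [""],
                    resources: ["nodes"],
                    verbs: ["get"],
                },
                {
                    apiGroups: [""],
                    resources: ["services"],
                    verbs: ["get", "list", "watch"],
                },
                {
                    apiGroups: ["extensions"],
                    resources: ["ingresses"],
                    verbs: ["get", "list", "watch"],
                },
                {
                    apiGroups: [""],
                    resources: ["events"],
                    verbs: ["create", "patch"],
                },
                {
                    apiGroups: ["extensions"],
                    resources: ["ingresses/status"],
                    verbs: ["update"],
                },
            ],
        },

        crb: kube.ClusterRoleBinding("nginx-ingress-clusterrole-nisa-binding") {
            metadata+: env.metadata {
                namespace:: null,
            },
            roleRef: {
                apiGroup: "rbac.authorization.k8s.io",
                kind: "ClusterRole",
                name: env.cr.metadata.name,
            },
            subjects: [
                {
                    kind: "ServiceAccount",
                    name: env.sa.metadata.name,
                    namespace: env.sa.metadata.namespace,
                },
            ],
        },

        # Namespace-local permissions: reading its own ConfigMaps/Secrets and
        # the leader-election ConfigMap (get/update restricted by name).
        role: kube.Role("nginx-ingress-role") {
            metadata+: env.metadata,
            rules: [
                {
                    apiGroups: [""],
                    resources: ["configmaps", "pods", "secrets", "namespaces"],
                    verbs: ["get"],
                },
                {
                    apiGroups: [""],
                    resources: ["configmaps"],
                    resourceNames: ["ingress-controller-leader-nginx"],
                    verbs: ["get", "update"],
                },
                {
                    apiGroups: [""],
                    resources: ["configmaps"],
                    verbs: ["create"],
                },
                {
                    apiGroups: [""],
                    resources: ["endpoints"],
                    verbs: ["get"],
                },
            ],
        },

        roleb: kube.RoleBinding("nginx-ingress-role-nisa-binding") {
            metadata+: env.metadata,
            roleRef: {
                apiGroup: "rbac.authorization.k8s.io",
                kind: "Role",
                name: env.role.metadata.name,
            },
            subjects: [
                {
                    kind: "ServiceAccount",
                    name: env.sa.metadata.name,
                    namespace: env.sa.metadata.namespace,
                },
            ],
        },

        # Primary external address. Port 22 is forwarded to container port 22,
        # which the controller proxies per cfg.tcpServices. This Service is
        # also what `--publish-service` points at for Ingress status addresses.
        service: kube.Service("ingress-nginx") {
            metadata+: env.metadata,
            target_pod:: env.deployment.spec.template,
            spec+: {
                type: "LoadBalancer",
                ports: [
                    { name: "ssh", port: 22, targetPort: 22, protocol: "TCP" },
                    { name: "http", port: 80, targetPort: 80, protocol: "TCP" },
                    { name: "https", port: 443, targetPort: 443, protocol: "TCP" },
                ],
            },
        },

        # Second external address on the same pods; SSH on this address goes
        # to container port 222 rather than 22.
        # NOTE(review): nothing in this file maps port 222 in cfg.tcpServices,
        # so unless a per-cluster override adds it, SSH on this address reaches
        # a port the controller is not proxying. Confirm against the cluster
        # that uses this Service.
        serviceGitea: kube.Service("ingress-nginx-gitea") {
            metadata+: env.metadata,
            target_pod:: env.deployment.spec.template,
            spec+: {
                type: "LoadBalancer",
                loadBalancerIP: cfg.giteaLoadBalancerIP,
                ports: [
                    { name: "ssh", port: 22, targetPort: 222, protocol: "TCP" },
                    { name: "http", port: 80, targetPort: 80, protocol: "TCP" },
                    { name: "https", port: 443, targetPort: 443, protocol: "TCP" },
                ],
            },
        },

        deployment: kube.Deployment("nginx-ingress-controller") {
            metadata+: env.metadata,
            spec+: {
                replicas: cfg.replicas,
                template+: {
                    spec+: {
                        serviceAccountName: env.sa.metadata.name,
                        containers_: {
                            controller: kube.Container("nginx-ingress-controller") {
                                image: cfg.image,
                                # ConfigMap references are "namespace/name";
                                # the names come from the objects above so a
                                # rename cannot desynchronise them.
                                args: [
                                    "/nginx-ingress-controller",
                                    "--configmap=%s/%s" % [cfg.namespace, env.maps.configuration.metadata.name],
                                    "--tcp-services-configmap=%s/%s" % [cfg.namespace, env.maps.tcp.metadata.name],
                                    "--udp-services-configmap=%s/%s" % [cfg.namespace, env.maps.udp.metadata.name],
                                    "--publish-service=%s/%s" % [cfg.namespace, env.service.metadata.name],
                                    "--annotations-prefix=nginx.ingress.kubernetes.io",
                                ],
                                env_: {
                                    POD_NAME: kube.FieldRef("metadata.name"),
                                    POD_NAMESPACE: kube.FieldRef("metadata.namespace"),
                                },
                                # Only the HTTP ports are declared; the TCP
                                # proxy ports (22, 222) are not listed here.
                                ports_: {
                                    http: { containerPort: 80 },
                                    https: { containerPort: 443 },
                                },
                                # Both probes use the controller's own health
                                # endpoint on 10254, not the proxied ports.
                                livenessProbe: {
                                    failureThreshold: 3,
                                    httpGet: {
                                        path: "/healthz",
                                        port: 10254,
                                        scheme: "HTTP",
                                    },
                                    initialDelaySeconds: 10,
                                    periodSeconds: 10,
                                    successThreshold: 1,
                                    timeoutSeconds: 10,
                                },
                                readinessProbe: {
                                    failureThreshold: 3,
                                    httpGet: {
                                        path: "/healthz",
                                        port: 10254,
                                        scheme: "HTTP",
                                    },
                                    periodSeconds: 10,
                                    successThreshold: 1,
                                    timeoutSeconds: 10,
                                },
                                securityContext: {
                                    # Runs as www-data (uid 33) with every
                                    # capability dropped except the one needed
                                    # to bind 80/443. allowPrivilegeEscalation
                                    # stays true, presumably because the nginx
                                    # binary gains NET_BIND_SERVICE via file
                                    # capabilities, which a no-new-privs
                                    # process cannot pick up; re-check this
                                    # whenever cfg.image is bumped.
                                    allowPrivilegeEscalation: true,
                                    capabilities: {
                                        drop: ["ALL"],
                                        add: ["NET_BIND_SERVICE"],
                                    },
                                    runAsUser: 33,
                                },
                                resources: {
                                    limits: { cpu: "2", memory: "4G" },
                                    requests: { cpu: "1", memory: "1G" },
                                },
                            },
                        },
                    },
                },
            },
        },
    },
}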