epostnikof/kubespray
1
0
Fork 0
mirror of https://github.com/kubernetes-sigs/kubespray.git synced 2026-02-10 19:07:27 +03:00
Code Issues Packages Projects Releases Wiki Activity

cleanup: Deprecate Ingress-Nginx from kubernetes-apps (#12767)

Browse Source 
* [docs] Remove ingress-nginx references in docs and scripts jinja

Signed-off-by: Meza <meza-xyz@proton.me>

* Remove ingress-nginx doc and remove references in readme and sidebar

Signed-off-by: Meza <meza-xyz@proton.me>

* Delete ingress-nginx dir from kubernetes-apps

Signed-off-by: Meza <meza-xyz@proton.me>

* Delete ingress-nginx from inventory addons

Signed-off-by: Meza <meza-xyz@proton.me>

* Delete ingress_nginx_enabled from default main

Signed-off-by: Meza <meza-xyz@proton.me>

* Delete ingress_nginx from download

Signed-off-by: Meza <meza-xyz@proton.me>

* Delete ingress_nginx from dependencies

Signed-off-by: Meza <meza-xyz@proton.me>

* Remove ingress_nginx from registry task

Signed-off-by: Meza <meza-xyz@proton.me>

---------

Signed-off-by: Meza <meza-xyz@proton.me>
This commit is contained in:
Meza
2026-02-10 09:52:04 -05:00
committed by GitHub
parent 8f73dc9c2f
commit 8bd5045ecf
33 changed files with 12 additions and 1034 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
README.md
View File

@@ -128,7 +128,6 @@ Note:
- Application
- [cert-manager](https://github.com/jetstack/cert-manager) 1.15.3
- [coredns](https://github.com/coredns/coredns) 1.12.4
- [ingress-nginx](https://github.com/kubernetes/ingress-nginx) 1.13.3
- [argocd](https://argoproj.github.io/) 2.14.5
- [helm](https://helm.sh/) 3.18.4
- [metallb](https://metallb.universe.tf/) 0.13.9
@@ -202,8 +201,6 @@ See also [Network checker](docs/advanced/netcheck.md).
## Ingress Plugins
- [nginx](https://kubernetes.github.io/ingress-nginx): the NGINX Ingress Controller.
- [metallb](docs/ingress/metallb.md): the MetalLB bare-metal service LoadBalancer provider.
## Community docs and resources

1
docs/_sidebar.md generated
View File

@@ -57,7 +57,6 @@
* [Setting-up-your-first-cluster](/docs/getting_started/setting-up-your-first-cluster.md)
* Ingress
* [Alb Ingress Controller](/docs/ingress/alb_ingress_controller.md)
* [Ingress Nginx](/docs/ingress/ingress_nginx.md)
* [Kube-vip](/docs/ingress/kube-vip.md)
* [Metallb](/docs/ingress/metallb.md)
* Operating Systems

27
docs/advanced/cert_manager.md
View File

@@ -30,14 +30,7 @@ If you don't have a TLS Root CA certificate and key available, you can create th
A common use-case for cert-manager is requesting TLS signed certificates to secure your ingress resources. This can be done by simply adding annotations to your Ingress resources and cert-manager will facilitate creating the Certificate resource for you. A small sub-component of cert-manager, ingress-shim, is responsible for this.
To enable the Nginx Ingress controller as part of your Kubespray deployment, simply edit your K8s cluster addons inventory e.g. `inventory\sample\group_vars\k8s_cluster\addons.yml` and set `ingress_nginx_enabled` to true.
```ini
# Nginx ingress controller deployment
ingress_nginx_enabled: true
```
For example, if you're using the Nginx ingress controller, you can secure the Prometheus ingress by adding the annotation `cert-manager.io/cluster-issuer: ca-issuer` and the `spec.tls` section to the `Ingress` resource definition.
For example, if you're using the Traefik ingress controller, you can secure the Prometheus ingress by adding the annotation `cert-manager.io/cluster-issuer: ca-issuer` and the `spec.tls` section to the `Ingress` resource definition.
```yaml
apiVersion: networking.k8s.io/v1
@@ -48,9 +41,9 @@ metadata:
labels:
prometheus: k8s
annotations:
kubernetes.io/ingress.class: "nginx"
cert-manager.io/cluster-issuer: ca-issuer
spec:
ingressClassName: "traefik"
tls:
- hosts:
- prometheus.example.com
@@ -72,8 +65,8 @@ Once deployed to your K8s cluster, every 3 months cert-manager will automaticall
Please consult the official upstream documentation:
- [cert-manager Ingress Usage](https://cert-manager.io/v1.5-docs/usage/ingress/)
- [cert-manager Ingress Tutorial](https://cert-manager.io/v1.5-docs/tutorials/acme/ingress/#step-3-assign-a-dns-name)
- [cert-manager Ingress Usage](https://cert-manager.io/usage/ingress/)
- [cert-manager Ingress Tutorial](https://cert-manager.io/tutorials/acme/ingress/#step-3-assign-a-dns-name)
### ACME
@@ -81,12 +74,12 @@ The ACME Issuer type represents a single account registered with the Automated C
Certificates issued by public ACME servers are typically trusted by clients computers by default. This means that, for example, visiting a website that is backed by an ACME certificate issued for that URL, will be trusted by default by most clients web browsers. ACME certificates are typically free.
- [ACME Configuration](https://cert-manager.io/v1.5-docs/configuration/acme/)
- [ACME HTTP Validation](https://cert-manager.io/v1.5-docs/tutorials/acme/http-validation/)
- [HTTP01 Challenges](https://cert-manager.io/v1.5-docs/configuration/acme/http01/)
- [ACME DNS Validation](https://cert-manager.io/v1.5-docs/tutorials/acme/dns-validation/)
- [DNS01 Challenges](https://cert-manager.io/v1.5-docs/configuration/acme/dns01/)
- [ACME FAQ](https://cert-manager.io/v1.5-docs/faq/acme/)
- [ACME Configuration](https://cert-manager.io/docs/configuration/acme/)
- [ACME HTTP Validation](https://cert-manager.io/docs/tutorials/acme/http-validation/)
- [HTTP01 Challenges](https://cert-manager.io/docs/configuration/acme/http01/)
- [ACME DNS Validation](https://cert-manager.io/docs/tutorials/acme/dns-validation/)
- [DNS01 Challenges](https://cert-manager.io/docs/configuration/acme/dns01/)
- [ACME FAQ](https://cert-manager.io/docs/troubleshooting/acme/)
#### ACME With An Internal Certificate Authority

1
docs/developers/ci-setup.md
View File

@@ -145,7 +145,6 @@ upstream_dns_servers:
- 1.0.0.1
# Extensions
ingress_nginx_enabled: True
helm_enabled: True
cert_manager_enabled: True
metrics_server_enabled: True

203
docs/ingress/ingress_nginx.md
View File

@@ -1,203 +0,0 @@
# Installation Guide
## Contents
- [Prerequisite Generic Deployment Command](#prerequisite-generic-deployment-command)
- [Provider Specific Steps](#provider-specific-steps)
- [Docker for Mac](#docker-for-mac)
- [minikube](#minikube)
- [AWS](#aws)
- [GCE - GKE](#gce-gke)
- [Azure](#azure)
- [Bare-metal](#bare-metal)
- [Verify installation](#verify-installation)
- [Detect installed version](#detect-installed-version)
- [Using Helm](#using-helm)
## Prerequisite Generic Deployment Command
!!! attention
The default configuration watches Ingress object from *all the namespaces*.
To change this behavior use the flag `--watch-namespace` to limit the scope to a particular namespace.
!!! warning
If multiple Ingresses define different paths for the same host, the ingress controller will merge the definitions.
!!! attention
If you're using GKE you need to initialize your user as a cluster-admin with the following command:
```console
kubectl create clusterrolebinding cluster-admin-binding \
--clusterrole cluster-admin \
--user $(gcloud config get-value account)
```
The following **Mandatory Command** is required for all deployments except for AWS. See below for the AWS version.
```console
kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.13.3/deploy/static/provider/cloud/deploy.yaml
```
### Provider Specific Steps
There are cloud provider specific yaml files.
#### Docker for Mac
Kubernetes is available in Docker for Mac (from [version 18.06.0-ce](https://docs.docker.com/docker-for-mac/release-notes/#stable-releases-of-2018))
First you need to [enable kubernetes](https://docs.docker.com/docker-for-mac/#kubernetes).
Then you have to create a service:
```console
kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/static/provider/cloud-generic.yaml
```
#### minikube
For standard usage:
```console
minikube addons enable ingress
```
For development:
1. Disable the ingress addon:
```console
minikube addons disable ingress
```
1. Execute `make dev-env`
1. Confirm the `nginx-ingress-controller` deployment exists:
```console
$ kubectl get pods -n ingress-nginx
NAME READY STATUS RESTARTS AGE
default-http-backend-66b447d9cf-rrlf9 1/1 Running 0 12s
nginx-ingress-controller-fdcdcd6dd-vvpgs 1/1 Running 0 11s
```
#### AWS
In AWS we use an Elastic Load Balancer (ELB) to expose the NGINX Ingress controller behind a Service of `Type=LoadBalancer`.
Since Kubernetes v1.9.0 it is possible to use a classic load balancer (ELB) or network load balancer (NLB)
Please check the [elastic load balancing AWS details page](https://aws.amazon.com/elasticloadbalancing/details/)
##### Elastic Load Balancer - ELB
This setup requires to choose in which layer (L4 or L7) we want to configure the Load Balancer:
- [Layer 4](https://en.wikipedia.org/wiki/OSI_model#Layer_4:_Transport_Layer): Use an Network Load Balancer (NLB) with TCP as the listener protocol for ports 80 and 443.
- [Layer 7](https://en.wikipedia.org/wiki/OSI_model#Layer_7:_Application_Layer): Use an Elastic Load Balancer (ELB) with HTTP as the listener protocol for port 80 and terminate TLS in the ELB
For L4:
```console
kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/static/provider/aws/deploy.yaml
```
For L7:
Change the value of `service.beta.kubernetes.io/aws-load-balancer-ssl-cert` in the file `provider/aws/deploy-tls-termination.yaml` replacing the dummy id with a valid one. The dummy value is `"arn:aws:acm:us-west-2:XXXXXXXX:certificate/XXXXXX-XXXXXXX-XXXXXXX-XXXXXXXX"`
Check that no change is necessary with regards to the ELB idle timeout. In some scenarios, users may want to modify the ELB idle timeout, so please check the [ELB Idle Timeouts section](#elb-idle-timeouts) for additional information. If a change is required, users will need to update the value of `service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout` in `provider/aws/deploy-tls-termination.yaml`
Then execute:
```console
kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/static/provider/aws/deploy-tls-termination.yaml
```
This example creates an ELB with just two listeners, one in port 80 and another in port 443
![Listeners](https://github.com/kubernetes/ingress-nginx/blob/main/docs/images/elb-l7-listener.png)
##### ELB Idle Timeouts
In some scenarios users will need to modify the value of the ELB idle timeout.
Users need to ensure the idle timeout is less than the [keepalive_timeout](http://nginx.org/en/docs/http/ngx_http_core_module.html#keepalive_timeout) that is configured for NGINX.
By default NGINX `keepalive_timeout` is set to `75s`.
The default ELB idle timeout will work for most scenarios, unless the NGINX [keepalive_timeout](http://nginx.org/en/docs/http/ngx_http_core_module.html#keepalive_timeout) has been modified,
in which case `service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout` will need to be modified to ensure it is less than the `keepalive_timeout` the user has configured.
*Please Note: An idle timeout of `3600s` is recommended when using WebSockets.*
More information with regards to idle timeouts for your Load Balancer can be found in the [official AWS documentation](https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/config-idle-timeout.html).
##### Network Load Balancer (NLB)
This type of load balancer is supported since v1.10.0 as an ALPHA feature.
```console
kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/static/provider/aws/service-nlb.yaml
```
#### GCE-GKE
```console
kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/static/provider/cloud-generic.yaml
```
**Important Note:** proxy protocol is not supported in GCE/GKE
#### Azure
```console
kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/static/provider/cloud-generic.yaml
```
#### Bare-metal
Using [NodePort](https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport):
```console
kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/deploy/static/provider/baremetal/deploy.yaml
```
!!! tip
For extended notes regarding deployments on bare-metal, see [Bare-metal considerations](https://github.com/kubernetes/ingress-nginx/blob/main/docs/deploy/baremetal.md).
### Verify installation
To check if the ingress controller pods have started, run the following command:
```console
kubectl get pods --all-namespaces -l app.kubernetes.io/name=ingress-nginx --watch
```
Once the operator pods are running, you can cancel the above command by typing `Ctrl+C`.
Now, you are ready to create your first ingress.
### Detect installed version
To detect which version of the ingress controller is running, exec into the pod and run `nginx-ingress-controller version` command.
```console
POD_NAMESPACE=ingress-nginx
POD_NAME=$(kubectl get pods -n $POD_NAMESPACE -l app.kubernetes.io/component=controller -o jsonpath='{.items[0].metadata.name}')
kubectl exec -it $POD_NAME -n $POD_NAMESPACE -- /nginx-ingress-controller --version
```
## Using Helm
NGINX Ingress controller can be installed via [Helm](https://helm.sh/) using the chart [ingress-nginx/ingress-nginx](https://kubernetes.github.io/ingress-nginx).
Official documentation is [here](https://kubernetes.github.io/ingress-nginx/deploy/#using-helm)
To install the chart with the release name `my-nginx`:
```console
helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
helm install my-nginx ingress-nginx/ingress-nginx
```
Detect installed version:
```console
POD_NAME=$(kubectl get pods -l app.kubernetes.io/name=ingress-nginx -o jsonpath='{.items[0].metadata.name}')
kubectl exec -it $POD_NAME -- /nginx-ingress-controller --version
```

33
inventory/sample/group_vars/k8s_cluster/addons.yml
View File

@@ -63,39 +63,6 @@ local_volume_provisioner_enabled: false
# Gateway API CRDs
gateway_api_enabled: false
# Nginx ingress controller deployment
ingress_nginx_enabled: false
# ingress_nginx_host_network: false
# ingress_nginx_service_type: LoadBalancer
# ingress_nginx_service_annotations:
# example.io/loadbalancerIPs: 1.2.3.4
# ingress_nginx_service_nodeport_http: 30080
# ingress_nginx_service_nodeport_https: 30081
ingress_publish_status_address: ""
# ingress_nginx_nodeselector:
# kubernetes.io/os: "linux"
# ingress_nginx_tolerations:
# - key: "node-role.kubernetes.io/control-plane"
# operator: "Equal"
# value: ""
# effect: "NoSchedule"
# ingress_nginx_namespace: "ingress-nginx"
# ingress_nginx_insecure_port: 80
# ingress_nginx_secure_port: 443
# ingress_nginx_configmap:
# map-hash-bucket-size: "128"
# ssl-protocols: "TLSv1.2 TLSv1.3"
# ingress_nginx_configmap_tcp_services:
# 9000: "default/example-go:8080"
# ingress_nginx_configmap_udp_services:
# 53: "kube-system/coredns:53"
# ingress_nginx_extra_args:
# - --default-ssl-certificate=default/foo-tls
# ingress_nginx_termination_grace_period_seconds: 300
# ingress_nginx_class: nginx
# ingress_nginx_without_class: true
# ingress_nginx_default: false
# ALB ingress controller deployment
ingress_alb_enabled: false
# alb_ingress_aws_region: "us-east-1"

28
roles/kubernetes-apps/ingress_controller/ingress_nginx/defaults/main.yml
View File

@@ -1,28 +0,0 @@
---
ingress_nginx_namespace: "ingress-nginx"
ingress_nginx_host_network: false
ingress_nginx_service_type: LoadBalancer
ingress_nginx_service_nodeport_http: ""
ingress_nginx_service_nodeport_https: ""
ingress_nginx_service_annotations: {}
ingress_publish_status_address: ""
ingress_nginx_publish_service: "{{ ingress_nginx_namespace }}/ingress-nginx"
ingress_nginx_nodeselector:
kubernetes.io/os: "linux"
ingress_nginx_tolerations: []
ingress_nginx_insecure_port: 80
ingress_nginx_secure_port: 443
ingress_nginx_metrics_port: 10254
ingress_nginx_configmap: {}
ingress_nginx_configmap_tcp_services: {}
ingress_nginx_configmap_udp_services: {}
ingress_nginx_extra_args: []
ingress_nginx_termination_grace_period_seconds: 300
ingress_nginx_class: nginx
ingress_nginx_without_class: true
ingress_nginx_default: false
ingress_nginx_webhook_enabled: false
ingress_nginx_webhook_job_ttl: 1800
ingress_nginx_opentelemetry_enabled: false
ingress_nginx_probe_initial_delay_seconds: 10

69
roles/kubernetes-apps/ingress_controller/ingress_nginx/tasks/main.yml
View File

@@ -1,69 +0,0 @@
---
- name: NGINX Ingress Controller | Create addon dir
file:
path: "{{ kube_config_dir }}/addons/ingress_nginx"
state: directory
owner: root
group: root
mode: "0755"
when:
- inventory_hostname == groups['kube_control_plane'][0]
- name: NGINX Ingress Controller | Templates list
set_fact:
ingress_nginx_templates:
- { name: 00-namespace, file: 00-namespace.yml, type: ns }
- { name: cm-ingress-nginx, file: cm-ingress-nginx.yml, type: cm }
- { name: cm-tcp-services, file: cm-tcp-services.yml, type: cm }
- { name: cm-udp-services, file: cm-udp-services.yml, type: cm }
- { name: sa-ingress-nginx, file: sa-ingress-nginx.yml, type: sa }
- { name: clusterrole-ingress-nginx, file: clusterrole-ingress-nginx.yml, type: clusterrole }
- { name: clusterrolebinding-ingress-nginx, file: clusterrolebinding-ingress-nginx.yml, type: clusterrolebinding }
- { name: role-ingress-nginx, file: role-ingress-nginx.yml, type: role }
- { name: rolebinding-ingress-nginx, file: rolebinding-ingress-nginx.yml, type: rolebinding }
- { name: ingressclass-nginx, file: ingressclass-nginx.yml, type: ingressclass }
- { name: ds-ingress-nginx-controller, file: ds-ingress-nginx-controller.yml, type: ds }
ingress_nginx_template_for_service:
- { name: svc-ingress-nginx, file: svc-ingress-nginx.yml, type: svc }
ingress_nginx_templates_for_webhook:
- { name: admission-webhook-configuration, file: admission-webhook-configuration.yml, type: sa }
- { name: sa-admission-webhook, file: sa-admission-webhook.yml, type: sa }
- { name: clusterrole-admission-webhook, file: clusterrole-admission-webhook.yml, type: clusterrole }
- { name: clusterrolebinding-admission-webhook, file: clusterrolebinding-admission-webhook.yml, type: clusterrolebinding }
- { name: role-admission-webhook, file: role-admission-webhook.yml, type: role }
- { name: rolebinding-admission-webhook, file: rolebinding-admission-webhook.yml, type: rolebinding }
- { name: admission-webhook-job, file: admission-webhook-job.yml, type: job }
- { name: svc-ingress-nginx-controller-admission, file: svc-ingress-nginx-controller-admission.yml, type: svc }
- name: NGINX Ingress Controller | Append extra templates to NGINX Ingress Template list for service
set_fact:
ingress_nginx_templates: "{{ ingress_nginx_templates + ingress_nginx_template_for_service }}"
when: not ingress_nginx_host_network
- name: NGINX Ingress Controller | Append extra templates to NGINX Ingress Templates list for webhook
set_fact:
ingress_nginx_templates: "{{ ingress_nginx_templates + ingress_nginx_templates_for_webhook }}"
when: ingress_nginx_webhook_enabled
- name: NGINX Ingress Controller | Create manifests
template:
src: "{{ item.file }}.j2"
dest: "{{ kube_config_dir }}/addons/ingress_nginx/{{ item.file }}"
mode: "0644"
with_items: "{{ ingress_nginx_templates }}"
register: ingress_nginx_manifests
when:
- inventory_hostname == groups['kube_control_plane'][0]
- name: NGINX Ingress Controller | Apply manifests
kube:
name: "{{ item.item.name }}"
namespace: "{{ ingress_nginx_namespace }}"
kubectl: "{{ bin_dir }}/kubectl"
resource: "{{ item.item.type }}"
filename: "{{ kube_config_dir }}/addons/ingress_nginx/{{ item.item.file }}"
state: "latest"
with_items: "{{ ingress_nginx_manifests.results }}"
when:
- inventory_hostname == groups['kube_control_plane'][0]

7
roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/00-namespace.yml.j2
View File

@@ -1,7 +0,0 @@
---
apiVersion: v1
kind: Namespace
metadata:
name: {{ ingress_nginx_namespace }}
labels:
name: {{ ingress_nginx_namespace }}

30
roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/admission-webhook-configuration.yml.j2
View File

@@ -1,30 +0,0 @@
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
labels:
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
name: ingress-nginx-admission
webhooks:
- admissionReviewVersions:
- v1
clientConfig:
service:
name: ingress-nginx-controller-admission
namespace: {{ ingress_nginx_namespace }}
path: /networking/v1/ingresses
port: 443
failurePolicy: Fail
matchPolicy: Equivalent
name: validate.nginx.ingress.kubernetes.io
rules:
- apiGroups:
- networking.k8s.io
apiVersions:
- v1
operations:
- CREATE
- UPDATE
resources:
- ingresses
sideEffects: None

96
roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/admission-webhook-job.yml.j2
View File

@@ -1,96 +0,0 @@
---
apiVersion: batch/v1
kind: Job
metadata:
labels:
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
name: ingress-nginx-admission-create
namespace: {{ ingress_nginx_namespace }}
spec:
template:
metadata:
labels:
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
name: ingress-nginx-admission-create
spec:
containers:
- args:
- create
- --host=ingress-nginx-controller-admission,ingress-nginx-controller-admission.$(POD_NAMESPACE).svc
- --namespace=$(POD_NAMESPACE)
- --secret-name=ingress-nginx-admission
env:
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
image: "{{ ingress_nginx_kube_webhook_certgen_image_repo }}:{{ ingress_nginx_kube_webhook_certgen_image_tag }}"
imagePullPolicy: {{ k8s_image_pull_policy }}
name: create
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsGroup: 65532
runAsNonRoot: true
runAsUser: 65532
seccompProfile:
type: RuntimeDefault
nodeSelector:
kubernetes.io/os: linux
restartPolicy: OnFailure
serviceAccountName: ingress-nginx-admission
ttlSecondsAfterFinished: {{ ingress_nginx_webhook_job_ttl }}
---
apiVersion: batch/v1
kind: Job
metadata:
labels:
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
name: ingress-nginx-admission-patch
namespace: {{ ingress_nginx_namespace }}
spec:
template:
metadata:
labels:
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
name: ingress-nginx-admission-patch
spec:
containers:
- args:
- patch
- --webhook-name=ingress-nginx-admission
- --namespace=$(POD_NAMESPACE)
- --patch-mutating=false
- --secret-name=ingress-nginx-admission
- --patch-failure-policy=Fail
env:
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
image: "{{ ingress_nginx_kube_webhook_certgen_image_repo }}:{{ ingress_nginx_kube_webhook_certgen_image_tag }}"
imagePullPolicy: {{ k8s_image_pull_policy }}
name: patch
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsGroup: 65532
runAsNonRoot: true
runAsUser: 65532
seccompProfile:
type: RuntimeDefault
nodeSelector:
kubernetes.io/os: linux
restartPolicy: OnFailure
serviceAccountName: ingress-nginx-admission
ttlSecondsAfterFinished: {{ ingress_nginx_webhook_job_ttl }}

15
roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/clusterrole-admission-webhook.yml.j2
View File

@@ -1,15 +0,0 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
name: ingress-nginx-admission
rules:
- apiGroups:
- admissionregistration.k8s.io
resources:
- validatingwebhookconfigurations
verbs:
- get
- update

36
roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/clusterrole-ingress-nginx.yml.j2
View File

@@ -1,36 +0,0 @@
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: ingress-nginx
labels:
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
rules:
- apiGroups: [""]
resources: ["configmaps", "endpoints", "nodes", "pods", "secrets", "namespaces"]
verbs: ["list", "watch"]
- apiGroups: [""]
resources: ["nodes"]
verbs: ["get"]
- apiGroups: [""]
resources: ["services"]
verbs: ["get", "list", "watch"]
- apiGroups: ["networking.k8s.io"]
resources: ["ingresses"]
verbs: ["get", "list", "watch"]
- apiGroups: [""]
resources: ["events"]
verbs: ["create", "patch"]
- apiGroups: ["networking.k8s.io"]
resources: ["ingresses/status"]
verbs: ["update"]
- apiGroups: ["networking.k8s.io"]
resources: ["ingressclasses"]
verbs: ["get", "list", "watch"]
- apiGroups: ["coordination.k8s.io"]
resources: ["leases"]
verbs: ["list", "watch"]
- apiGroups: ["discovery.k8s.io"]
resources: ["endpointslices"]
verbs: ["get", "list", "watch"]

16
roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/clusterrolebinding-admission-webhook.yml.j2
View File

@@ -1,16 +0,0 @@
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
labels:
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
name: ingress-nginx-admission
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: ingress-nginx-admission
subjects:
- kind: ServiceAccount
name: ingress-nginx-admission
namespace: {{ ingress_nginx_namespace }}

16
roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/clusterrolebinding-ingress-nginx.yml.j2
View File

@@ -1,16 +0,0 @@
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: ingress-nginx
labels:
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: ingress-nginx
subjects:
- kind: ServiceAccount
name: ingress-nginx
namespace: {{ ingress_nginx_namespace }}

13
roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/cm-ingress-nginx.yml.j2
View File

@@ -1,13 +0,0 @@
---
apiVersion: v1
kind: ConfigMap
metadata:
name: ingress-nginx
namespace: {{ ingress_nginx_namespace }}
labels:
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
{% if ingress_nginx_configmap %}
data:
{{ ingress_nginx_configmap | to_nice_yaml | indent(2) }}
{%- endif %}

13
roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/cm-tcp-services.yml.j2
View File

@@ -1,13 +0,0 @@
---
apiVersion: v1
kind: ConfigMap
metadata:
name: tcp-services
namespace: {{ ingress_nginx_namespace }}
labels:
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
{% if ingress_nginx_configmap_tcp_services %}
data:
{{ ingress_nginx_configmap_tcp_services | to_nice_yaml | indent(2) }}
{%- endif %}

13
roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/cm-udp-services.yml.j2
View File

@@ -1,13 +0,0 @@
---
apiVersion: v1
kind: ConfigMap
metadata:
name: udp-services
namespace: {{ ingress_nginx_namespace }}
labels:
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
{% if ingress_nginx_configmap_udp_services %}
data:
{{ ingress_nginx_configmap_udp_services | to_nice_yaml | indent(2) }}
{%- endif %}

201
roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/ds-ingress-nginx-controller.yml.j2
View File

@@ -1,201 +0,0 @@
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: ingress-nginx-controller
namespace: {{ ingress_nginx_namespace }}
labels:
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
spec:
selector:
matchLabels:
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
template:
metadata:
labels:
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
annotations:
prometheus.io/port: "10254"
prometheus.io/scrape: "true"
spec:
serviceAccountName: ingress-nginx
terminationGracePeriodSeconds: {{ ingress_nginx_termination_grace_period_seconds }}
{% if ingress_nginx_opentelemetry_enabled %}
initContainers:
- name: opentelemetry
command:
- /init_module
image: {{ ingress_nginx_opentelemetry_image_repo }}:{{ ingress_nginx_opentelemetry_image_tag }}
securityContext:
allowPrivilegeEscalation: false
capabilities:
add:
- NET_BIND_SERVICE
drop:
- ALL
readOnlyRootFilesystem: false
runAsGroup: 82
runAsNonRoot: true
runAsUser: 101
seccompProfile:
type: RuntimeDefault
volumeMounts:
- mountPath: /modules_mount
name: modules
{% endif %}
{% if ingress_nginx_host_network %}
hostNetwork: true
dnsPolicy: ClusterFirstWithHostNet
{% endif %}
{% if ingress_nginx_nodeselector %}
nodeSelector:
{{ ingress_nginx_nodeselector | to_nice_yaml | indent(width=8) }}
{%- endif %}
{% if ingress_nginx_tolerations %}
tolerations:
{{ ingress_nginx_tolerations | to_nice_yaml(indent=2) | indent(width=8) }}
{% endif %}
priorityClassName: {% if ingress_nginx_namespace == 'kube-system' %}system-node-critical{% else %}k8s-cluster-critical{% endif %}{{ '' }}
containers:
- name: ingress-nginx-controller
image: {{ ingress_nginx_controller_image_repo }}:{{ ingress_nginx_controller_image_tag }}
imagePullPolicy: {{ k8s_image_pull_policy }}
lifecycle:
preStop:
exec:
command:
- /wait-shutdown
args:
- /nginx-ingress-controller
- --configmap=$(POD_NAMESPACE)/ingress-nginx
- --election-id=ingress-controller-leader-{{ ingress_nginx_class }}
- --tcp-services-configmap=$(POD_NAMESPACE)/tcp-services
- --udp-services-configmap=$(POD_NAMESPACE)/udp-services
- --annotations-prefix=nginx.ingress.kubernetes.io
- --ingress-class={{ ingress_nginx_class }}
{% if ingress_nginx_without_class %}
- --watch-ingress-without-class=true
{% endif %}
{% if ingress_publish_status_address != "" %}
- --publish-status-address={{ ingress_publish_status_address }}
{% elif ingress_nginx_host_network %}
- --report-node-internal-ip-address
{% elif ingress_nginx_publish_service != "" %}
- --publish-service={{ ingress_nginx_publish_service }}
{% endif %}
{% for extra_arg in ingress_nginx_extra_args %}
- {{ extra_arg }}
{% endfor %}
{% if ingress_nginx_webhook_enabled %}
- --validating-webhook=:8443
- --validating-webhook-certificate=/usr/local/certificates/cert
- --validating-webhook-key=/usr/local/certificates/key
{% endif %}
securityContext:
allowPrivilegeEscalation: false
capabilities:
add:
- NET_BIND_SERVICE
drop:
- ALL
readOnlyRootFilesystem: false
runAsGroup: 82
runAsNonRoot: true
runAsUser: 101
seccompProfile:
type: RuntimeDefault
env:
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: LD_PRELOAD
value: /usr/local/lib/libmimalloc.so
ports:
- name: http
containerPort: 80
hostPort: {{ ingress_nginx_insecure_port }}
- name: https
containerPort: 443
hostPort: {{ ingress_nginx_secure_port }}
- name: metrics
containerPort: 10254
{% if not ingress_nginx_host_network %}
hostPort: {{ ingress_nginx_metrics_port }}
{% endif %}
{% if ingress_nginx_configmap_tcp_services %}
{% for port in ingress_nginx_configmap_tcp_services.keys() %}
- name: tcp-port-{{ port }}
containerPort: {{ port | int }}
protocol: TCP
{% if not ingress_nginx_host_network %}
hostPort: {{ port | int }}
{% endif %}
{% endfor %}
{% endif %}
{% if ingress_nginx_configmap_udp_services %}
{% for port in ingress_nginx_configmap_udp_services.keys() %}
- name: udp-port-{{ port }}
containerPort: {{ port | int }}
protocol: UDP
{% if not ingress_nginx_host_network %}
hostPort: {{ port | int }}
{% endif %}
{% endfor %}
{% endif %}
{% if ingress_nginx_webhook_enabled %}
- name: webhook
containerPort: 8443
protocol: TCP
{% endif %}
livenessProbe:
httpGet:
path: /healthz
port: 10254
scheme: HTTP
initialDelaySeconds: {{ ingress_nginx_probe_initial_delay_seconds }}
periodSeconds: 10
timeoutSeconds: 5
successThreshold: 1
failureThreshold: 3
readinessProbe:
httpGet:
path: /healthz
port: 10254
scheme: HTTP
initialDelaySeconds: {{ ingress_nginx_probe_initial_delay_seconds }}
periodSeconds: 10
timeoutSeconds: 5
successThreshold: 1
failureThreshold: 3
{% if ingress_nginx_webhook_enabled or ingress_nginx_opentelemetry_enabled %}
volumeMounts:
{% if ingress_nginx_webhook_enabled %}
- mountPath: /usr/local/certificates/
name: webhook-cert
readOnly: true
{% endif %}
{% if ingress_nginx_opentelemetry_enabled %}
- name: modules
mountPath: /modules_mount
{% endif %}
{% endif %}
{% if ingress_nginx_webhook_enabled or ingress_nginx_opentelemetry_enabled %}
volumes:
{% if ingress_nginx_webhook_enabled %}
- name: webhook-cert
secret:
secretName: ingress-nginx-admission
{% endif %}
{% if ingress_nginx_opentelemetry_enabled %}
- name: modules
emptyDir: {}
{% endif %}
{% endif %}

13
roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/ingressclass-nginx.yml.j2
View File

@@ -1,13 +0,0 @@
apiVersion: networking.k8s.io/v1
kind: IngressClass
metadata:
name: {{ ingress_nginx_class }}
labels:
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
{% if ingress_nginx_default %}
annotations:
ingressclass.kubernetes.io/is-default-class: "true"
{% endif %}
spec:
controller: k8s.io/ingress-nginx

17
roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/role-admission-webhook.yml.j2
View File

@@ -1,17 +0,0 @@
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
labels:
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
name: ingress-nginx-admission
namespace: {{ ingress_nginx_namespace }}
rules:
- apiGroups:
- ""
resources:
- secrets
verbs:
- get
- create

47
roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/role-ingress-nginx.yml.j2
View File

@@ -1,47 +0,0 @@
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: ingress-nginx
namespace: {{ ingress_nginx_namespace }}
labels:
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
rules:
- apiGroups: [""]
resources: ["namespaces"]
verbs: ["get"]
- apiGroups: [""]
resources: ["configmaps", "pods", "secrets", "endpoints"]
verbs: ["get", "list", "watch"]
- apiGroups: [""]
resources: ["services"]
verbs: ["get", "list", "watch"]
- apiGroups: ["networking.k8s.io"]
resources: ["ingresses"]
verbs: ["get", "list", "watch"]
- apiGroups: ["networking.k8s.io"]
resources: ["ingresses/status"]
verbs: ["update"]
- apiGroups: ["networking.k8s.io"]
resources: ["ingressclasses"]
verbs: ["get", "list", "watch"]
- apiGroups: ["coordination.k8s.io"]
resources: ["leases"]
# Defaults to "<election-id>", defined in
# ds-ingress-nginx-controller.yml.js
# by a command-line argument.
#
# This is the correct behaviour for ingress-controller
# version 1.8.1
resourceNames: ["ingress-controller-leader-{{ ingress_nginx_class }}"]
verbs: ["get", "update"]
- apiGroups: [""]
resources: ["events"]
verbs: ["create", "patch"]
- apiGroups: ["coordination.k8s.io"]
resources: ["leases"]
verbs: ["create"]
- apiGroups: ["discovery.k8s.io"]
resources: ["endpointslices"]
verbs: ["get", "list", "watch"]

17
roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/rolebinding-admission-webhook.yml.j2
View File

@@ -1,17 +0,0 @@
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
labels:
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
name: ingress-nginx-admission
namespace: {{ ingress_nginx_namespace }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: ingress-nginx-admission
subjects:
- kind: ServiceAccount
name: ingress-nginx-admission
namespace: {{ ingress_nginx_namespace }}

17
roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/rolebinding-ingress-nginx.yml.j2
View File

@@ -1,17 +0,0 @@
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: ingress-nginx
namespace: {{ ingress_nginx_namespace }}
labels:
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: ingress-nginx
subjects:
- kind: ServiceAccount
name: ingress-nginx
namespace: {{ ingress_nginx_namespace }}

8
roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/sa-admission-webhook.yml.j2
View File

@@ -1,8 +0,0 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: ingress-nginx-admission
namespace: {{ ingress_nginx_namespace }}
labels:
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx

9
roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/sa-ingress-nginx.yml.j2
View File

@@ -1,9 +0,0 @@
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: ingress-nginx
namespace: {{ ingress_nginx_namespace }}
labels:
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx

18
roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/svc-ingress-nginx-controller-admission.yml.j2
View File

@@ -1,18 +0,0 @@
apiVersion: v1
kind: Service
metadata:
labels:
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
name: ingress-nginx-controller-admission
namespace: {{ ingress_nginx_namespace }}
spec:
type: ClusterIP
ports:
- appProtocol: https
name: https-webhook
port: 443
targetPort: webhook
selector:
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx

50
roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/svc-ingress-nginx.yml.j2
View File

@@ -1,50 +0,0 @@
{% if not ingress_nginx_host_network %}
apiVersion: v1
kind: Service
metadata:
name: ingress-nginx
namespace: {{ ingress_nginx_namespace }}
labels:
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
{% if ingress_nginx_service_annotations %}
annotations:
{{ ingress_nginx_service_annotations | to_nice_yaml(indent=2, width=1337) | indent(width=4) }}
{% endif %}
spec:
type: {{ ingress_nginx_service_type }}
ports:
- name: http
port: 80
targetPort: 80
protocol: TCP
{% if (ingress_nginx_service_type == 'NodePort' or ingress_nginx_service_type == 'LoadBalancer') and ingress_nginx_service_nodeport_http %}
nodePort: {{ingress_nginx_service_nodeport_http | int}}
{% endif %}
- name: https
port: 443
targetPort: 443
protocol: TCP
{% if (ingress_nginx_service_type == 'NodePort' or ingress_nginx_service_type == 'LoadBalancer') and ingress_nginx_service_nodeport_https %}
nodePort: {{ingress_nginx_service_nodeport_https | int}}
{% endif %}
{% if ingress_nginx_configmap_tcp_services %}
{% for port in ingress_nginx_configmap_tcp_services.keys() %}
- name: tcp-port-{{ port }}
port: {{ port | int }}
targetPort: {{ port | int }}
protocol: TCP
{% endfor %}
{% endif %}
{% if ingress_nginx_configmap_udp_services %}
{% for port in ingress_nginx_configmap_udp_services.keys() %}
- name: udp-port-{{ port }}
port: {{ port | int }}
targetPort: {{ port | int }}
protocol: UDP
{% endfor %}
{% endif %}
selector:
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
{% endif %}

7
roles/kubernetes-apps/ingress_controller/meta/main.yml
View File

@@ -1,12 +1,5 @@
---
dependencies:
- role: kubernetes-apps/ingress_controller/ingress_nginx
when: ingress_nginx_enabled
tags:
- apps
- ingress-controller
- ingress-nginx
- role: kubernetes-apps/ingress_controller/cert_manager
when: cert_manager_enabled
tags:

4
roles/kubernetes-apps/registry/tasks/main.yml
View File

@@ -43,12 +43,12 @@
- { name: registry-cm, file: registry-cm.yml, type: cm }
- { name: registry-rs, file: registry-rs.yml, type: rs }
- name: Registry | Append nginx ingress templates to Registry Templates list when ingress enabled
- name: Registry | Append ingress templates to Registry Templates list when ALB ingress enabled
set_fact:
registry_templates: "{{ registry_templates + [item] }}"
with_items:
- [{ name: registry-ing, file: registry-ing.yml, type: ing }]
when: ingress_nginx_enabled or ingress_alb_enabled
when: ingress_alb_enabled
- name: Registry | Create manifests
template:

16
roles/kubespray_defaults/defaults/main/download.yml
View File

@@ -309,13 +309,6 @@ local_volume_provisioner_image_tag: "v{{ local_volume_provisioner_version }}"
local_path_provisioner_version: "0.0.32"
local_path_provisioner_image_repo: "{{ docker_image_repo }}/rancher/local-path-provisioner"
local_path_provisioner_image_tag: "v{{ local_path_provisioner_version }}"
ingress_nginx_version: "1.13.3"
ingress_nginx_controller_image_repo: "{{ kube_image_repo }}/ingress-nginx/controller"
ingress_nginx_opentelemetry_image_repo: "{{ kube_image_repo }}/ingress-nginx/opentelemetry"
ingress_nginx_controller_image_tag: "v{{ ingress_nginx_version }}"
ingress_nginx_opentelemetry_image_tag: "v20230721-3e2062ee5"
ingress_nginx_kube_webhook_certgen_image_repo: "{{ kube_image_repo }}/ingress-nginx/kube-webhook-certgen"
ingress_nginx_kube_webhook_certgen_image_tag: "v1.6.3"
alb_ingress_image_repo: "{{ docker_image_repo }}/amazon/aws-alb-ingress-controller"
alb_ingress_image_tag: "v1.1.9"
cert_manager_version: "1.15.3"
@@ -919,15 +912,6 @@ downloads:
groups:
- kube_node
ingress_nginx_controller:
enabled: "{{ ingress_nginx_enabled }}"
container: true
repo: "{{ ingress_nginx_controller_image_repo }}"
tag: "{{ ingress_nginx_controller_image_tag }}"
checksum: "{{ ingress_nginx_controller_digest_checksum | default(None) }}"
groups:
- kube_node
ingress_alb_controller:
enabled: "{{ ingress_alb_enabled }}"
container: true

1
roles/kubespray_defaults/defaults/main/main.yml
View File

@@ -455,7 +455,6 @@ vsphere_csi_enabled: false
upcloud_csi_enabled: false
csi_snapshot_controller_enabled: false
persistent_volumes_enabled: false
ingress_nginx_enabled: false
ingress_alb_enabled: false
cert_manager_enabled: false
expand_persistent_volumes: false

1
scripts/readme_versions.md.j2
View File

@@ -16,7 +16,6 @@
- Application
- [cert-manager](https://github.com/jetstack/cert-manager) {{ cert_manager_version }}
- [coredns](https://github.com/coredns/coredns) {{ coredns_version }}
- [ingress-nginx](https://github.com/kubernetes/ingress-nginx) {{ ingress_nginx_version }}
- [argocd](https://argoproj.github.io/) {{ argocd_version }}
- [helm](https://helm.sh/) {{ helm_version }}
- [metallb](https://metallb.universe.tf/) {{ metallb_version }}