diff --git a/README.md b/README.md index d55df6efe..a53c77223 100644 --- a/README.md +++ b/README.md @@ -128,7 +128,6 @@ Note: - Application - [cert-manager](https://github.com/jetstack/cert-manager) 1.15.3 - [coredns](https://github.com/coredns/coredns) 1.12.4 - - [ingress-nginx](https://github.com/kubernetes/ingress-nginx) 1.13.3 - [argocd](https://argoproj.github.io/) 2.14.5 - [helm](https://helm.sh/) 3.18.4 - [metallb](https://metallb.universe.tf/) 0.13.9 @@ -202,8 +201,6 @@ See also [Network checker](docs/advanced/netcheck.md). ## Ingress Plugins -- [nginx](https://kubernetes.github.io/ingress-nginx): the NGINX Ingress Controller. - - [metallb](docs/ingress/metallb.md): the MetalLB bare-metal service LoadBalancer provider. ## Community docs and resources diff --git a/docs/_sidebar.md b/docs/_sidebar.md index 88bdb1772..319d96f87 100644 --- a/docs/_sidebar.md +++ b/docs/_sidebar.md @@ -57,7 +57,6 @@ * [Setting-up-your-first-cluster](/docs/getting_started/setting-up-your-first-cluster.md) * Ingress * [Alb Ingress Controller](/docs/ingress/alb_ingress_controller.md) - * [Ingress Nginx](/docs/ingress/ingress_nginx.md) * [Kube-vip](/docs/ingress/kube-vip.md) * [Metallb](/docs/ingress/metallb.md) * Operating Systems diff --git a/docs/advanced/cert_manager.md b/docs/advanced/cert_manager.md index d959ab646..11448dd32 100644 --- a/docs/advanced/cert_manager.md +++ b/docs/advanced/cert_manager.md 
@@ -30,14 +30,7 @@ If you don't have a TLS Root CA certificate and key available, you can create th A common use-case for cert-manager is requesting TLS signed certificates to secure your ingress resources. This can be done by simply adding annotations to your Ingress resources and cert-manager will facilitate creating the Certificate resource for you. A small sub-component of cert-manager, ingress-shim, is responsible for this. -To enable the Nginx Ingress controller as part of your Kubespray deployment, simply edit your K8s cluster addons inventory e.g. `inventory\sample\group_vars\k8s_cluster\addons.yml` and set `ingress_nginx_enabled` to true. - -```ini -# Nginx ingress controller deployment -ingress_nginx_enabled: true -``` - -For example, if you're using the Nginx ingress controller, you can secure the Prometheus ingress by adding the annotation `cert-manager.io/cluster-issuer: ca-issuer` and the `spec.tls` section to the `Ingress` resource definition. +For example, if you're using the Traefik ingress controller, you can secure the Prometheus ingress by adding the annotation `cert-manager.io/cluster-issuer: ca-issuer` and the `spec.tls` section to the `Ingress` resource definition. ```yaml apiVersion: networking.k8s.io/v1 @@ -48,9 +41,9 @@ metadata: labels: prometheus: k8s annotations: - kubernetes.io/ingress.class: "nginx" cert-manager.io/cluster-issuer: ca-issuer spec: + ingressClassName: "traefik" tls: - hosts: - prometheus.example.com 
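Review bot: The rewritten example names Traefik and sets `ingressClassName: "traefik"`, but the page no longer explains how any ingress controller gets onto the cluster. The first hunk on this line drops the `ingress_nginx_enabled` paragraph, and nothing in the visible part of this diff adds a Traefik addon. An Ingress whose `ingressClassName` matches no installed IngressClass is not picked up by any controller, so a reader who copies the manifest can end up with a TLS secret issued and no endpoint serving it. I would add one sentence before the YAML block, for example `This example assumes an ingress controller is already installed separately; set ingressClassName to the name of an IngressClass that exists in your cluster.`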
@@ -72,8 +65,8 @@ Once deployed to your K8s cluster, every 3 months cert-manager will automaticall Please consult the official upstream documentation: -- [cert-manager Ingress Usage](https://cert-manager.io/v1.5-docs/usage/ingress/) -- [cert-manager Ingress Tutorial](https://cert-manager.io/v1.5-docs/tutorials/acme/ingress/#step-3-assign-a-dns-name) +- [cert-manager Ingress Usage](https://cert-manager.io/usage/ingress/) +- [cert-manager Ingress Tutorial](https://cert-manager.io/tutorials/acme/ingress/#step-3-assign-a-dns-name) ### ACME @@ -81,12 +74,12 @@ The ACME Issuer type represents a single account registered with the Automated C Certificates issued by public ACME servers are typically trusted by client’s computers by default. This means that, for example, visiting a website that is backed by an ACME certificate issued for that URL, will be trusted by default by most client’s web browsers. ACME certificates are typically free. -- [ACME Configuration](https://cert-manager.io/v1.5-docs/configuration/acme/) -- [ACME HTTP Validation](https://cert-manager.io/v1.5-docs/tutorials/acme/http-validation/) - - [HTTP01 Challenges](https://cert-manager.io/v1.5-docs/configuration/acme/http01/) -- [ACME DNS Validation](https://cert-manager.io/v1.5-docs/tutorials/acme/dns-validation/) - - [DNS01 Challenges](https://cert-manager.io/v1.5-docs/configuration/acme/dns01/) -- [ACME FAQ](https://cert-manager.io/v1.5-docs/faq/acme/) +- [ACME Configuration](https://cert-manager.io/docs/configuration/acme/) +- [ACME HTTP Validation](https://cert-manager.io/docs/tutorials/acme/http-validation/) + - [HTTP01 Challenges](https://cert-manager.io/docs/configuration/acme/http01/) +- [ACME DNS Validation](https://cert-manager.io/docs/tutorials/acme/dns-validation/) + - [DNS01 Challenges](https://cert-manager.io/docs/configuration/acme/dns01/) +- [ACME FAQ](https://cert-manager.io/docs/troubleshooting/acme/) #### ACME With An Internal Certificate Authority 
diff --git a/docs/developers/ci-setup.md b/docs/developers/ci-setup.md index 375fbae64..4b2c88049 100644 --- a/docs/developers/ci-setup.md +++ b/docs/developers/ci-setup.md @@ -145,7 +145,6 @@ upstream_dns_servers: - 1.0.0.1 # Extensions -ingress_nginx_enabled: True helm_enabled: True cert_manager_enabled: True metrics_server_enabled: True diff --git a/docs/ingress/ingress_nginx.md b/docs/ingress/ingress_nginx.md deleted file mode 100644 index 3d908d4a9..000000000 --- a/docs/ingress/ingress_nginx.md +++ /dev/null 
@@ -1,203 +0,0 @@ -# Installation Guide - -## Contents - -- [Prerequisite Generic Deployment Command](#prerequisite-generic-deployment-command) - - [Provider Specific Steps](#provider-specific-steps) - - [Docker for Mac](#docker-for-mac) - - [minikube](#minikube) - - [AWS](#aws) - - [GCE - GKE](#gce-gke) - - [Azure](#azure) - - [Bare-metal](#bare-metal) - - [Verify installation](#verify-installation) - - [Detect installed version](#detect-installed-version) -- [Using Helm](#using-helm) - -## Prerequisite Generic Deployment Command - -!!! attention - The default configuration watches Ingress object from *all the namespaces*. - To change this behavior use the flag `--watch-namespace` to limit the scope to a particular namespace. - -!!! warning - If multiple Ingresses define different paths for the same host, the ingress controller will merge the definitions. - -!!! attention - If you're using GKE you need to initialize your user as a cluster-admin with the following command: - -```console -kubectl create clusterrolebinding cluster-admin-binding \ ---clusterrole cluster-admin \ ---user $(gcloud config get-value account) -``` - -The following **Mandatory Command** is required for all deployments except for AWS. See below for the AWS version. - -```console -kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.13.3/deploy/static/provider/cloud/deploy.yaml -``` - -### Provider Specific Steps - -There are cloud provider specific yaml files. - -#### Docker for Mac - -Kubernetes is available in Docker for Mac (from [version 18.06.0-ce](https://docs.docker.com/docker-for-mac/release-notes/#stable-releases-of-2018)) - -First you need to [enable kubernetes](https://docs.docker.com/docker-for-mac/#kubernetes). 
- -Then you have to create a service: - -```console -kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/static/provider/cloud-generic.yaml -``` - -#### minikube - -For standard usage: - -```console -minikube addons enable ingress -``` - -For development: - -1. Disable the ingress addon: - -```console -minikube addons disable ingress -``` - -1. Execute `make dev-env` -1. Confirm the `nginx-ingress-controller` deployment exists: - -```console -$ kubectl get pods -n ingress-nginx -NAME READY STATUS RESTARTS AGE -default-http-backend-66b447d9cf-rrlf9 1/1 Running 0 12s -nginx-ingress-controller-fdcdcd6dd-vvpgs 1/1 Running 0 11s -``` - -#### AWS - -In AWS we use an Elastic Load Balancer (ELB) to expose the NGINX Ingress controller behind a Service of `Type=LoadBalancer`. -Since Kubernetes v1.9.0 it is possible to use a classic load balancer (ELB) or network load balancer (NLB) -Please check the [elastic load balancing AWS details page](https://aws.amazon.com/elasticloadbalancing/details/) - -##### Elastic Load Balancer - ELB - -This setup requires to choose in which layer (L4 or L7) we want to configure the Load Balancer: - -- [Layer 4](https://en.wikipedia.org/wiki/OSI_model#Layer_4:_Transport_Layer): Use an Network Load Balancer (NLB) with TCP as the listener protocol for ports 80 and 443. -- [Layer 7](https://en.wikipedia.org/wiki/OSI_model#Layer_7:_Application_Layer): Use an Elastic Load Balancer (ELB) with HTTP as the listener protocol for port 80 and terminate TLS in the ELB - -For L4: - -```console -kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/static/provider/aws/deploy.yaml -``` - -For L7: - -Change the value of `service.beta.kubernetes.io/aws-load-balancer-ssl-cert` in the file `provider/aws/deploy-tls-termination.yaml` replacing the dummy id with a valid one. 
The dummy value is `"arn:aws:acm:us-west-2:XXXXXXXX:certificate/XXXXXX-XXXXXXX-XXXXXXX-XXXXXXXX"` - -Check that no change is necessary with regards to the ELB idle timeout. In some scenarios, users may want to modify the ELB idle timeout, so please check the [ELB Idle Timeouts section](#elb-idle-timeouts) for additional information. If a change is required, users will need to update the value of `service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout` in `provider/aws/deploy-tls-termination.yaml` - -Then execute: - -```console -kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/static/provider/aws/deploy-tls-termination.yaml -``` - -This example creates an ELB with just two listeners, one in port 80 and another in port 443 - -![Listeners](https://github.com/kubernetes/ingress-nginx/blob/main/docs/images/elb-l7-listener.png) - -##### ELB Idle Timeouts - -In some scenarios users will need to modify the value of the ELB idle timeout. -Users need to ensure the idle timeout is less than the [keepalive_timeout](http://nginx.org/en/docs/http/ngx_http_core_module.html#keepalive_timeout) that is configured for NGINX. -By default NGINX `keepalive_timeout` is set to `75s`. - -The default ELB idle timeout will work for most scenarios, unless the NGINX [keepalive_timeout](http://nginx.org/en/docs/http/ngx_http_core_module.html#keepalive_timeout) has been modified, -in which case `service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout` will need to be modified to ensure it is less than the `keepalive_timeout` the user has configured. - -*Please Note: An idle timeout of `3600s` is recommended when using WebSockets.* - -More information with regards to idle timeouts for your Load Balancer can be found in the [official AWS documentation](https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/config-idle-timeout.html). 
- -##### Network Load Balancer (NLB) - -This type of load balancer is supported since v1.10.0 as an ALPHA feature. - -```console -kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/static/provider/aws/service-nlb.yaml -``` - -#### GCE-GKE - -```console -kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/static/provider/cloud-generic.yaml -``` - -**Important Note:** proxy protocol is not supported in GCE/GKE - -#### Azure - -```console -kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/static/provider/cloud-generic.yaml -``` - -#### Bare-metal - -Using [NodePort](https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport): - -```console -kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/deploy/static/provider/baremetal/deploy.yaml -``` - -!!! tip - For extended notes regarding deployments on bare-metal, see [Bare-metal considerations](https://github.com/kubernetes/ingress-nginx/blob/main/docs/deploy/baremetal.md). - -### Verify installation - -To check if the ingress controller pods have started, run the following command: - -```console -kubectl get pods --all-namespaces -l app.kubernetes.io/name=ingress-nginx --watch -``` - -Once the operator pods are running, you can cancel the above command by typing `Ctrl+C`. -Now, you are ready to create your first ingress. - -### Detect installed version - -To detect which version of the ingress controller is running, exec into the pod and run `nginx-ingress-controller version` command. 
- -```console -POD_NAMESPACE=ingress-nginx -POD_NAME=$(kubectl get pods -n $POD_NAMESPACE -l app.kubernetes.io/component=controller -o jsonpath='{.items[0].metadata.name}') - -kubectl exec -it $POD_NAME -n $POD_NAMESPACE -- /nginx-ingress-controller --version -``` - -## Using Helm - -NGINX Ingress controller can be installed via [Helm](https://helm.sh/) using the chart [ingress-nginx/ingress-nginx](https://kubernetes.github.io/ingress-nginx). -Official documentation is [here](https://kubernetes.github.io/ingress-nginx/deploy/#using-helm) - -To install the chart with the release name `my-nginx`: - -```console -helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx -helm install my-nginx ingress-nginx/ingress-nginx -``` - -Detect installed version: - -```console -POD_NAME=$(kubectl get pods -l app.kubernetes.io/name=ingress-nginx -o jsonpath='{.items[0].metadata.name}') -kubectl exec -it $POD_NAME -- /nginx-ingress-controller --version -``` diff --git a/inventory/sample/group_vars/k8s_cluster/addons.yml b/inventory/sample/group_vars/k8s_cluster/addons.yml index 32520205f..2fea72144 100644 --- a/inventory/sample/group_vars/k8s_cluster/addons.yml +++ b/inventory/sample/group_vars/k8s_cluster/addons.yml 
@@ -63,39 +63,6 @@ local_volume_provisioner_enabled: false # Gateway API CRDs gateway_api_enabled: false -# Nginx ingress controller deployment -ingress_nginx_enabled: false -# ingress_nginx_host_network: false -# ingress_nginx_service_type: LoadBalancer -# ingress_nginx_service_annotations: -# example.io/loadbalancerIPs: 1.2.3.4 -# ingress_nginx_service_nodeport_http: 30080 -# ingress_nginx_service_nodeport_https: 30081 -ingress_publish_status_address: "" -# ingress_nginx_nodeselector: -# kubernetes.io/os: "linux" -# ingress_nginx_tolerations: -# - key: "node-role.kubernetes.io/control-plane" -# operator: "Equal" -# value: "" -# effect: "NoSchedule" -# ingress_nginx_namespace: "ingress-nginx" -# ingress_nginx_insecure_port: 80 -# ingress_nginx_secure_port: 443 -# ingress_nginx_configmap: -# map-hash-bucket-size: "128" -# ssl-protocols: "TLSv1.2 TLSv1.3" -# ingress_nginx_configmap_tcp_services: -# 9000: "default/example-go:8080" -# ingress_nginx_configmap_udp_services: -# 53: "kube-system/coredns:53" -# ingress_nginx_extra_args: -# - --default-ssl-certificate=default/foo-tls -# ingress_nginx_termination_grace_period_seconds: 300 -# ingress_nginx_class: nginx -# ingress_nginx_without_class: true -# ingress_nginx_default: false - # ALB ingress controller deployment ingress_alb_enabled: false # alb_ingress_aws_region: "us-east-1" diff --git a/roles/kubernetes-apps/ingress_controller/ingress_nginx/defaults/main.yml b/roles/kubernetes-apps/ingress_controller/ingress_nginx/defaults/main.yml deleted file mode 100644 index b4f385c74..000000000 --- a/roles/kubernetes-apps/ingress_controller/ingress_nginx/defaults/main.yml +++ /dev/null 
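Review bot: Removing `ingress_nginx_enabled` and the `ingress_nginx_*` samples here leaves no visible upgrade path for inventories that still set them. As far as this part of the diff shows, nothing rejects `ingress_nginx_enabled: true`, so the value would presumably be ignored silently. Clusters that already run the addon would keep the `ingress-nginx-controller` DaemonSet and the `ingress-nginx` ClusterRole (which, per the deleted template, can list and watch secrets cluster-wide), with no role left to update or remove them. I would add a pre-flight check that fails when `ingress_nginx_enabled` is defined and true, and leave a short comment in this file such as `# ingress_nginx_* variables were removed; an existing ingress-nginx deployment is no longer managed by Kubespray and must be removed or maintained by the operator`. A cleanup or validation task may exist outside the lines shown here.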
@@ -1,28 +0,0 @@ ---- -ingress_nginx_namespace: "ingress-nginx" -ingress_nginx_host_network: false -ingress_nginx_service_type: LoadBalancer -ingress_nginx_service_nodeport_http: "" -ingress_nginx_service_nodeport_https: "" -ingress_nginx_service_annotations: {} -ingress_publish_status_address: "" -ingress_nginx_publish_service: "{{ ingress_nginx_namespace }}/ingress-nginx" -ingress_nginx_nodeselector: - kubernetes.io/os: "linux" -ingress_nginx_tolerations: [] -ingress_nginx_insecure_port: 80 -ingress_nginx_secure_port: 443 -ingress_nginx_metrics_port: 10254 -ingress_nginx_configmap: {} -ingress_nginx_configmap_tcp_services: {} -ingress_nginx_configmap_udp_services: {} -ingress_nginx_extra_args: [] -ingress_nginx_termination_grace_period_seconds: 300 -ingress_nginx_class: nginx -ingress_nginx_without_class: true -ingress_nginx_default: false -ingress_nginx_webhook_enabled: false -ingress_nginx_webhook_job_ttl: 1800 -ingress_nginx_opentelemetry_enabled: false - -ingress_nginx_probe_initial_delay_seconds: 10 diff --git a/roles/kubernetes-apps/ingress_controller/ingress_nginx/tasks/main.yml b/roles/kubernetes-apps/ingress_controller/ingress_nginx/tasks/main.yml deleted file mode 100644 index be26060b8..000000000 --- a/roles/kubernetes-apps/ingress_controller/ingress_nginx/tasks/main.yml +++ /dev/null 
@@ -1,69 +0,0 @@ ---- - -- name: NGINX Ingress Controller | Create addon dir - file: - path: "{{ kube_config_dir }}/addons/ingress_nginx" - state: directory - owner: root - group: root - mode: "0755" - when: - - inventory_hostname == groups['kube_control_plane'][0] - -- name: NGINX Ingress Controller | Templates list - set_fact: - ingress_nginx_templates: - - { name: 00-namespace, file: 00-namespace.yml, type: ns } - - { name: cm-ingress-nginx, file: cm-ingress-nginx.yml, type: cm } - - { name: cm-tcp-services, file: cm-tcp-services.yml, type: cm } - - { name: cm-udp-services, file: cm-udp-services.yml, type: cm } - - { name: sa-ingress-nginx, file: sa-ingress-nginx.yml, type: sa } - - { name: clusterrole-ingress-nginx, file: clusterrole-ingress-nginx.yml, type: clusterrole } - - { name: clusterrolebinding-ingress-nginx, file: clusterrolebinding-ingress-nginx.yml, type: clusterrolebinding } - - { name: role-ingress-nginx, file: role-ingress-nginx.yml, type: role } - - { name: rolebinding-ingress-nginx, file: rolebinding-ingress-nginx.yml, type: rolebinding } - - { name: ingressclass-nginx, file: ingressclass-nginx.yml, type: ingressclass } - - { name: ds-ingress-nginx-controller, file: ds-ingress-nginx-controller.yml, type: ds } - ingress_nginx_template_for_service: - - { name: svc-ingress-nginx, file: svc-ingress-nginx.yml, type: svc } - ingress_nginx_templates_for_webhook: - - { name: admission-webhook-configuration, file: admission-webhook-configuration.yml, type: sa } - - { name: sa-admission-webhook, file: sa-admission-webhook.yml, type: sa } - - { name: clusterrole-admission-webhook, file: clusterrole-admission-webhook.yml, type: clusterrole } - - { name: clusterrolebinding-admission-webhook, file: clusterrolebinding-admission-webhook.yml, type: clusterrolebinding } - - { name: role-admission-webhook, file: role-admission-webhook.yml, type: role } - - { name: rolebinding-admission-webhook, file: rolebinding-admission-webhook.yml, type: rolebinding } - - { 
name: admission-webhook-job, file: admission-webhook-job.yml, type: job } - - { name: svc-ingress-nginx-controller-admission, file: svc-ingress-nginx-controller-admission.yml, type: svc } - -- name: NGINX Ingress Controller | Append extra templates to NGINX Ingress Template list for service - set_fact: - ingress_nginx_templates: "{{ ingress_nginx_templates + ingress_nginx_template_for_service }}" - when: not ingress_nginx_host_network - -- name: NGINX Ingress Controller | Append extra templates to NGINX Ingress Templates list for webhook - set_fact: - ingress_nginx_templates: "{{ ingress_nginx_templates + ingress_nginx_templates_for_webhook }}" - when: ingress_nginx_webhook_enabled - -- name: NGINX Ingress Controller | Create manifests - template: - src: "{{ item.file }}.j2" - dest: "{{ kube_config_dir }}/addons/ingress_nginx/{{ item.file }}" - mode: "0644" - with_items: "{{ ingress_nginx_templates }}" - register: ingress_nginx_manifests - when: - - inventory_hostname == groups['kube_control_plane'][0] - -- name: NGINX Ingress Controller | Apply manifests - kube: - name: "{{ item.item.name }}" - namespace: "{{ ingress_nginx_namespace }}" - kubectl: "{{ bin_dir }}/kubectl" - resource: "{{ item.item.type }}" - filename: "{{ kube_config_dir }}/addons/ingress_nginx/{{ item.item.file }}" - state: "latest" - with_items: "{{ ingress_nginx_manifests.results }}" - when: - - inventory_hostname == groups['kube_control_plane'][0] diff --git a/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/00-namespace.yml.j2 b/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/00-namespace.yml.j2 deleted file mode 100644 index 1f1236619..000000000 --- a/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/00-namespace.yml.j2 +++ /dev/null @@ -1,7 +0,0 @@ ---- -apiVersion: v1 -kind: Namespace -metadata: - name: {{ ingress_nginx_namespace }} - labels: - name: {{ ingress_nginx_namespace }} 
diff --git a/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/admission-webhook-configuration.yml.j2 b/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/admission-webhook-configuration.yml.j2 deleted file mode 100644 index 4ade5ef25..000000000 --- a/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/admission-webhook-configuration.yml.j2 +++ /dev/null @@ -1,30 +0,0 @@ -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingWebhookConfiguration -metadata: - labels: - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - name: ingress-nginx-admission -webhooks: -- admissionReviewVersions: - - v1 - clientConfig: - service: - name: ingress-nginx-controller-admission - namespace: {{ ingress_nginx_namespace }} - path: /networking/v1/ingresses - port: 443 - failurePolicy: Fail - matchPolicy: Equivalent - name: validate.nginx.ingress.kubernetes.io - rules: - - apiGroups: - - networking.k8s.io - apiVersions: - - v1 - operations: - - CREATE - - UPDATE - resources: - - ingresses - sideEffects: None diff --git a/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/admission-webhook-job.yml.j2 b/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/admission-webhook-job.yml.j2 deleted file mode 100644 index 21e420664..000000000 --- a/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/admission-webhook-job.yml.j2 +++ /dev/null 
@@ -1,96 +0,0 @@ ---- -apiVersion: batch/v1 -kind: Job -metadata: - labels: - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - name: ingress-nginx-admission-create - namespace: {{ ingress_nginx_namespace }} -spec: - template: - metadata: - labels: - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - name: ingress-nginx-admission-create - spec: - containers: - - args: - - create - - --host=ingress-nginx-controller-admission,ingress-nginx-controller-admission.$(POD_NAMESPACE).svc - - --namespace=$(POD_NAMESPACE) - - --secret-name=ingress-nginx-admission - env: - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - image: "{{ ingress_nginx_kube_webhook_certgen_image_repo }}:{{ ingress_nginx_kube_webhook_certgen_image_tag }}" - imagePullPolicy: {{ k8s_image_pull_policy }} - name: create - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - runAsGroup: 65532 - runAsNonRoot: true - runAsUser: 65532 - seccompProfile: - type: RuntimeDefault - nodeSelector: - kubernetes.io/os: linux - restartPolicy: OnFailure - serviceAccountName: ingress-nginx-admission - ttlSecondsAfterFinished: {{ ingress_nginx_webhook_job_ttl }} ---- -apiVersion: batch/v1 -kind: Job -metadata: - labels: - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - name: ingress-nginx-admission-patch - namespace: {{ ingress_nginx_namespace }} -spec: - template: - metadata: - labels: - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - name: ingress-nginx-admission-patch - spec: - containers: - - args: - - patch - - --webhook-name=ingress-nginx-admission - - --namespace=$(POD_NAMESPACE) - - --patch-mutating=false - - --secret-name=ingress-nginx-admission - - --patch-failure-policy=Fail - env: - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - image: "{{ 
ingress_nginx_kube_webhook_certgen_image_repo }}:{{ ingress_nginx_kube_webhook_certgen_image_tag }}" - imagePullPolicy: {{ k8s_image_pull_policy }} - name: patch - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - runAsGroup: 65532 - runAsNonRoot: true - runAsUser: 65532 - seccompProfile: - type: RuntimeDefault - nodeSelector: - kubernetes.io/os: linux - restartPolicy: OnFailure - serviceAccountName: ingress-nginx-admission - ttlSecondsAfterFinished: {{ ingress_nginx_webhook_job_ttl }} diff --git a/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/clusterrole-admission-webhook.yml.j2 b/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/clusterrole-admission-webhook.yml.j2 deleted file mode 100644 index daa47539a..000000000 --- a/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/clusterrole-admission-webhook.yml.j2 +++ /dev/null @@ -1,15 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - name: ingress-nginx-admission -rules: -- apiGroups: - - admissionregistration.k8s.io - resources: - - validatingwebhookconfigurations - verbs: - - get - - update diff --git a/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/clusterrole-ingress-nginx.yml.j2 b/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/clusterrole-ingress-nginx.yml.j2 deleted file mode 100644 index 2f3558aaa..000000000 --- a/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/clusterrole-ingress-nginx.yml.j2 +++ /dev/null 
@@ -1,36 +0,0 @@ ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: ingress-nginx - labels: - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx -rules: - - apiGroups: [""] - resources: ["configmaps", "endpoints", "nodes", "pods", "secrets", "namespaces"] - verbs: ["list", "watch"] - - apiGroups: [""] - resources: ["nodes"] - verbs: ["get"] - - apiGroups: [""] - resources: ["services"] - verbs: ["get", "list", "watch"] - - apiGroups: ["networking.k8s.io"] - resources: ["ingresses"] - verbs: ["get", "list", "watch"] - - apiGroups: [""] - resources: ["events"] - verbs: ["create", "patch"] - - apiGroups: ["networking.k8s.io"] - resources: ["ingresses/status"] - verbs: ["update"] - - apiGroups: ["networking.k8s.io"] - resources: ["ingressclasses"] - verbs: ["get", "list", "watch"] - - apiGroups: ["coordination.k8s.io"] - resources: ["leases"] - verbs: ["list", "watch"] - - apiGroups: ["discovery.k8s.io"] - resources: ["endpointslices"] - verbs: ["get", "list", "watch"] diff --git a/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/clusterrolebinding-admission-webhook.yml.j2 b/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/clusterrolebinding-admission-webhook.yml.j2 deleted file mode 100644 index 87915946e..000000000 --- a/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/clusterrolebinding-admission-webhook.yml.j2 +++ /dev/null @@ -1,16 +0,0 @@ ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - labels: - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - name: ingress-nginx-admission -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: ingress-nginx-admission -subjects: - - kind: ServiceAccount - name: ingress-nginx-admission - namespace: {{ ingress_nginx_namespace }} 
diff --git a/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/clusterrolebinding-ingress-nginx.yml.j2 b/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/clusterrolebinding-ingress-nginx.yml.j2 deleted file mode 100644 index ad83dc257..000000000 --- a/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/clusterrolebinding-ingress-nginx.yml.j2 +++ /dev/null @@ -1,16 +0,0 @@ ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: ingress-nginx - labels: - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: ingress-nginx -subjects: - - kind: ServiceAccount - name: ingress-nginx - namespace: {{ ingress_nginx_namespace }} diff --git a/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/cm-ingress-nginx.yml.j2 b/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/cm-ingress-nginx.yml.j2 deleted file mode 100644 index 9f1e3bb36..000000000 --- a/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/cm-ingress-nginx.yml.j2 +++ /dev/null @@ -1,13 +0,0 @@ ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: ingress-nginx - namespace: {{ ingress_nginx_namespace }} - labels: - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx -{% if ingress_nginx_configmap %} -data: - {{ ingress_nginx_configmap | to_nice_yaml | indent(2) }} -{%- endif %} diff --git a/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/cm-tcp-services.yml.j2 b/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/cm-tcp-services.yml.j2 deleted file mode 100644 index 97520816c..000000000 --- a/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/cm-tcp-services.yml.j2 +++ /dev/null 
@@ -1,13 +0,0 @@ ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: tcp-services - namespace: {{ ingress_nginx_namespace }} - labels: - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx -{% if ingress_nginx_configmap_tcp_services %} -data: - {{ ingress_nginx_configmap_tcp_services | to_nice_yaml | indent(2) }} -{%- endif %} diff --git a/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/cm-udp-services.yml.j2 b/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/cm-udp-services.yml.j2 deleted file mode 100644 index a3f6613a4..000000000 --- a/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/cm-udp-services.yml.j2 +++ /dev/null @@ -1,13 +0,0 @@ ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: udp-services - namespace: {{ ingress_nginx_namespace }} - labels: - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx -{% if ingress_nginx_configmap_udp_services %} -data: - {{ ingress_nginx_configmap_udp_services | to_nice_yaml | indent(2) }} -{%- endif %} diff --git a/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/ds-ingress-nginx-controller.yml.j2 b/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/ds-ingress-nginx-controller.yml.j2 deleted file mode 100644 index 12dd44ac4..000000000 --- a/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/ds-ingress-nginx-controller.yml.j2 +++ /dev/null 
@@ -1,201 +0,0 @@ ---- -apiVersion: apps/v1 -kind: DaemonSet -metadata: - name: ingress-nginx-controller - namespace: {{ ingress_nginx_namespace }} - labels: - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx -spec: - selector: - matchLabels: - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - template: - metadata: - labels: - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - annotations: - prometheus.io/port: "10254" - prometheus.io/scrape: "true" - spec: - serviceAccountName: ingress-nginx - terminationGracePeriodSeconds: {{ ingress_nginx_termination_grace_period_seconds }} -{% if ingress_nginx_opentelemetry_enabled %} - initContainers: - - name: opentelemetry - command: - - /init_module - image: {{ ingress_nginx_opentelemetry_image_repo }}:{{ ingress_nginx_opentelemetry_image_tag }} - securityContext: - allowPrivilegeEscalation: false - capabilities: - add: - - NET_BIND_SERVICE - drop: - - ALL - readOnlyRootFilesystem: false - runAsGroup: 82 - runAsNonRoot: true - runAsUser: 101 - seccompProfile: - type: RuntimeDefault - volumeMounts: - - mountPath: /modules_mount - name: modules -{% endif %} -{% if ingress_nginx_host_network %} - hostNetwork: true - dnsPolicy: ClusterFirstWithHostNet -{% endif %} -{% if ingress_nginx_nodeselector %} - nodeSelector: - {{ ingress_nginx_nodeselector | to_nice_yaml | indent(width=8) }} -{%- endif %} -{% if ingress_nginx_tolerations %} - tolerations: - {{ ingress_nginx_tolerations | to_nice_yaml(indent=2) | indent(width=8) }} -{% endif %} - priorityClassName: {% if ingress_nginx_namespace == 'kube-system' %}system-node-critical{% else %}k8s-cluster-critical{% endif %}{{ '' }} - containers: - - name: ingress-nginx-controller - image: {{ ingress_nginx_controller_image_repo }}:{{ ingress_nginx_controller_image_tag }} - imagePullPolicy: {{ k8s_image_pull_policy }} - lifecycle: - preStop: - exec: - command: - - /wait-shutdown - args: - - 
/nginx-ingress-controller - - --configmap=$(POD_NAMESPACE)/ingress-nginx - - --election-id=ingress-controller-leader-{{ ingress_nginx_class }} - - --tcp-services-configmap=$(POD_NAMESPACE)/tcp-services - - --udp-services-configmap=$(POD_NAMESPACE)/udp-services - - --annotations-prefix=nginx.ingress.kubernetes.io - - --ingress-class={{ ingress_nginx_class }} -{% if ingress_nginx_without_class %} - - --watch-ingress-without-class=true -{% endif %} -{% if ingress_publish_status_address != "" %} - - --publish-status-address={{ ingress_publish_status_address }} -{% elif ingress_nginx_host_network %} - - --report-node-internal-ip-address -{% elif ingress_nginx_publish_service != "" %} - - --publish-service={{ ingress_nginx_publish_service }} -{% endif %} -{% for extra_arg in ingress_nginx_extra_args %} - - {{ extra_arg }} -{% endfor %} -{% if ingress_nginx_webhook_enabled %} - - --validating-webhook=:8443 - - --validating-webhook-certificate=/usr/local/certificates/cert - - --validating-webhook-key=/usr/local/certificates/key -{% endif %} - securityContext: - allowPrivilegeEscalation: false - capabilities: - add: - - NET_BIND_SERVICE - drop: - - ALL - readOnlyRootFilesystem: false - runAsGroup: 82 - runAsNonRoot: true - runAsUser: 101 - seccompProfile: - type: RuntimeDefault - env: - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: LD_PRELOAD - value: /usr/local/lib/libmimalloc.so - ports: - - name: http - containerPort: 80 - hostPort: {{ ingress_nginx_insecure_port }} - - name: https - containerPort: 443 - hostPort: {{ ingress_nginx_secure_port }} - - name: metrics - containerPort: 10254 -{% if not ingress_nginx_host_network %} - hostPort: {{ ingress_nginx_metrics_port }} -{% endif %} -{% if ingress_nginx_configmap_tcp_services %} -{% for port in ingress_nginx_configmap_tcp_services.keys() %} - - name: tcp-port-{{ port }} - containerPort: {{ port | int }} - 
protocol: TCP -{% if not ingress_nginx_host_network %} - hostPort: {{ port | int }} -{% endif %} -{% endfor %} -{% endif %} -{% if ingress_nginx_configmap_udp_services %} -{% for port in ingress_nginx_configmap_udp_services.keys() %} - - name: udp-port-{{ port }} - containerPort: {{ port | int }} - protocol: UDP -{% if not ingress_nginx_host_network %} - hostPort: {{ port | int }} -{% endif %} -{% endfor %} -{% endif %} -{% if ingress_nginx_webhook_enabled %} - - name: webhook - containerPort: 8443 - protocol: TCP -{% endif %} - livenessProbe: - httpGet: - path: /healthz - port: 10254 - scheme: HTTP - initialDelaySeconds: {{ ingress_nginx_probe_initial_delay_seconds }} - periodSeconds: 10 - timeoutSeconds: 5 - successThreshold: 1 - failureThreshold: 3 - readinessProbe: - httpGet: - path: /healthz - port: 10254 - scheme: HTTP - initialDelaySeconds: {{ ingress_nginx_probe_initial_delay_seconds }} - periodSeconds: 10 - timeoutSeconds: 5 - successThreshold: 1 - failureThreshold: 3 -{% if ingress_nginx_webhook_enabled or ingress_nginx_opentelemetry_enabled %} - volumeMounts: -{% if ingress_nginx_webhook_enabled %} - - mountPath: /usr/local/certificates/ - name: webhook-cert - readOnly: true -{% endif %} -{% if ingress_nginx_opentelemetry_enabled %} - - name: modules - mountPath: /modules_mount -{% endif %} -{% endif %} -{% if ingress_nginx_webhook_enabled or ingress_nginx_opentelemetry_enabled %} - volumes: -{% if ingress_nginx_webhook_enabled %} - - name: webhook-cert - secret: - secretName: ingress-nginx-admission -{% endif %} -{% if ingress_nginx_opentelemetry_enabled %} - - name: modules - emptyDir: {} -{% endif %} -{% endif %} diff --git a/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/ingressclass-nginx.yml.j2 b/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/ingressclass-nginx.yml.j2 deleted file mode 100644 index 0e5fa8c83..000000000 
--- a/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/ingressclass-nginx.yml.j2
+++ /dev/null
@@ -1,13 +0,0 @@
-apiVersion: networking.k8s.io/v1
-kind: IngressClass
-metadata:
- name: {{ ingress_nginx_class }}
- labels:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/part-of: ingress-nginx
-{% if ingress_nginx_default %}
- annotations:
- ingressclass.kubernetes.io/is-default-class: "true"
-{% endif %}
-spec:
- controller: k8s.io/ingress-nginx
diff --git a/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/role-admission-webhook.yml.j2 b/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/role-admission-webhook.yml.j2
deleted file mode 100644
index 5d1bb0172..000000000
--- a/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/role-admission-webhook.yml.j2
+++ /dev/null
@@ -1,17 +0,0 @@
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
- labels:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/part-of: ingress-nginx
- name: ingress-nginx-admission
- namespace: {{ ingress_nginx_namespace }}
-rules:
-- apiGroups:
- - ""
- resources:
- - secrets
- verbs:
- - get
- - create
diff --git a/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/role-ingress-nginx.yml.j2 b/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/role-ingress-nginx.yml.j2
deleted file mode 100644
index 695b07fbd..000000000
--- a/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/role-ingress-nginx.yml.j2
+++ /dev/null
@@ -1,47 +0,0 @@
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
- name: ingress-nginx
- namespace: {{ ingress_nginx_namespace }}
- labels:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/part-of: ingress-nginx
-rules:
- - apiGroups: [""]
- resources: ["namespaces"]
- verbs: ["get"]
- - apiGroups: [""]
- resources: ["configmaps", "pods", "secrets", "endpoints"]
- verbs: ["get", "list", "watch"]
- - apiGroups: [""]
- resources: ["services"]
- verbs: ["get", "list", "watch"]
- - apiGroups: ["networking.k8s.io"]
- resources: ["ingresses"]
- verbs: ["get", "list", "watch"]
- - apiGroups: ["networking.k8s.io"]
- resources: ["ingresses/status"]
- verbs: ["update"]
- - apiGroups: ["networking.k8s.io"]
- resources: ["ingressclasses"]
- verbs: ["get", "list", "watch"]
- - apiGroups: ["coordination.k8s.io"]
- resources: ["leases"]
- # Defaults to "", defined in
- # ds-ingress-nginx-controller.yml.js
- # by a command-line argument.
- #
- # This is the correct behaviour for ingress-controller
- # version 1.8.1
- resourceNames: ["ingress-controller-leader-{{ ingress_nginx_class }}"]
- verbs: ["get", "update"]
- - apiGroups: [""]
- resources: ["events"]
- verbs: ["create", "patch"]
- - apiGroups: ["coordination.k8s.io"]
- resources: ["leases"]
- verbs: ["create"]
- - apiGroups: ["discovery.k8s.io"]
- resources: ["endpointslices"]
- verbs: ["get", "list", "watch"]
diff --git a/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/rolebinding-admission-webhook.yml.j2 b/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/rolebinding-admission-webhook.yml.j2
deleted file mode 100644
index 671912db3..000000000
--- a/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/rolebinding-admission-webhook.yml.j2
+++ /dev/null
@@ -1,17 +0,0 @@
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- labels:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/part-of: ingress-nginx
- name: ingress-nginx-admission
- namespace: {{ ingress_nginx_namespace }}
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: Role
- name: ingress-nginx-admission
-subjects:
-- kind: ServiceAccount
- name: ingress-nginx-admission
- namespace: {{ ingress_nginx_namespace }}
diff --git a/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/rolebinding-ingress-nginx.yml.j2 b/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/rolebinding-ingress-nginx.yml.j2
deleted file mode 100644
index 142d400de..000000000
--- a/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/rolebinding-ingress-nginx.yml.j2
+++ /dev/null
@@ -1,17 +0,0 @@
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: ingress-nginx
- namespace: {{ ingress_nginx_namespace }}
- labels:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/part-of: ingress-nginx
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: Role
- name: ingress-nginx
-subjects:
- - kind: ServiceAccount
- name: ingress-nginx
- namespace: {{ ingress_nginx_namespace }}
diff --git a/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/sa-admission-webhook.yml.j2 b/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/sa-admission-webhook.yml.j2
deleted file mode 100644
index 488a04523..000000000
--- a/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/sa-admission-webhook.yml.j2
+++ /dev/null
@@ -1,8 +0,0 @@
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: ingress-nginx-admission
- namespace: {{ ingress_nginx_namespace }}
- labels:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/part-of: ingress-nginx
diff --git a/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/sa-ingress-nginx.yml.j2 b/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/sa-ingress-nginx.yml.j2
deleted file mode 100644
index 305d553f0..000000000
--- a/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/sa-ingress-nginx.yml.j2
+++ /dev/null
@@ -1,9 +0,0 @@
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: ingress-nginx
- namespace: {{ ingress_nginx_namespace }}
- labels:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/part-of: ingress-nginx
diff --git a/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/svc-ingress-nginx-controller-admission.yml.j2 b/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/svc-ingress-nginx-controller-admission.yml.j2
deleted file mode 100644
index e22c8e51c..000000000
--- a/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/svc-ingress-nginx-controller-admission.yml.j2
+++ /dev/null
@@ -1,18 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
- labels:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/part-of: ingress-nginx
- name: ingress-nginx-controller-admission
- namespace: {{ ingress_nginx_namespace }}
-spec:
- type: ClusterIP
- ports:
- - appProtocol: https
- name: https-webhook
- port: 443
- targetPort: webhook
- selector:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/part-of: ingress-nginx
diff --git a/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/svc-ingress-nginx.yml.j2 b/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/svc-ingress-nginx.yml.j2
deleted file mode 100644
index 8df113865..000000000
--- a/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/svc-ingress-nginx.yml.j2
+++ /dev/null
@@ -1,50 +0,0 @@
-{% if not ingress_nginx_host_network %}
-apiVersion: v1
-kind: Service
-metadata:
- name: ingress-nginx
- namespace: {{ ingress_nginx_namespace }}
- labels:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/part-of: ingress-nginx
-{% if ingress_nginx_service_annotations %}
- annotations:
- {{ ingress_nginx_service_annotations | to_nice_yaml(indent=2, width=1337) | indent(width=4) }}
-{% endif %}
-spec:
- type: {{ ingress_nginx_service_type }}
- ports:
- - name: http
- port: 80
- targetPort: 80
- protocol: TCP
-{% if (ingress_nginx_service_type == 'NodePort' or ingress_nginx_service_type == 'LoadBalancer') and ingress_nginx_service_nodeport_http %}
- nodePort: {{ingress_nginx_service_nodeport_http | int}}
-{% endif %}
- - name: https
- port: 443
- targetPort: 443
- protocol: TCP
-{% if (ingress_nginx_service_type == 'NodePort' or ingress_nginx_service_type == 'LoadBalancer') and ingress_nginx_service_nodeport_https %}
- nodePort: {{ingress_nginx_service_nodeport_https | int}}
-{% endif %}
-{% if ingress_nginx_configmap_tcp_services %}
-{% for port in ingress_nginx_configmap_tcp_services.keys() %}
- - name: tcp-port-{{ port }}
- port: {{ port | int }}
- targetPort: {{ port | int }}
- protocol: TCP
-{% endfor %}
-{% endif %}
-{% if ingress_nginx_configmap_udp_services %}
-{% for port in ingress_nginx_configmap_udp_services.keys() %}
- - name: udp-port-{{ port }}
- port: {{ port | int }}
- targetPort: {{ port | int }}
- protocol: UDP
-{% endfor %}
-{% endif %}
- selector:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/part-of: ingress-nginx
-{% endif %}
diff --git a/roles/kubernetes-apps/ingress_controller/meta/main.yml b/roles/kubernetes-apps/ingress_controller/meta/main.yml
index b269607fd..ac97d0949 100644
--- a/roles/kubernetes-apps/ingress_controller/meta/main.yml
+++ b/roles/kubernetes-apps/ingress_controller/meta/main.yml
@@ -1,12 +1,5 @@ --- dependencies: - - role: kubernetes-apps/ingress_controller/ingress_nginx - when: ingress_nginx_enabled - tags: - - apps - - ingress-controller - - ingress-nginx - - role: kubernetes-apps/ingress_controller/cert_manager when: cert_manager_enabled tags: diff --git a/roles/kubernetes-apps/registry/tasks/main.yml b/roles/kubernetes-apps/registry/tasks/main.yml index 4e4979d1e..6ac8abe35 100644 --- a/roles/kubernetes-apps/registry/tasks/main.yml +++ b/roles/kubernetes-apps/registry/tasks/main.yml @@ -43,12 +43,12 @@ - { name: registry-cm, file: registry-cm.yml, type: cm } - { name: registry-rs, file: registry-rs.yml, type: rs } -- name: Registry | Append nginx ingress templates to Registry Templates list when ingress enabled +- name: Registry | Append ingress templates to Registry Templates list when ALB ingress enabled set_fact: registry_templates: "{{ registry_templates + [item] }}" with_items: - [{ name: registry-ing, file: registry-ing.yml, type: ing }] - when: ingress_nginx_enabled or ingress_alb_enabled + when: ingress_alb_enabled - name: Registry | Create manifests template: diff --git a/roles/kubespray_defaults/defaults/main/download.yml b/roles/kubespray_defaults/defaults/main/download.yml index ff90f7460..45c6130fa 100644 --- a/roles/kubespray_defaults/defaults/main/download.yml +++ b/roles/kubespray_defaults/defaults/main/download.yml 
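Review bot: With `when: ingress_alb_enabled` as the only condition on the registry task, an inventory that still sets `ingress_nginx_enabled: true` stops getting `registry-ing.yml` rendered and receives no message about it. Because this commit also drops the variable's default and the role that consumed it, a controller deployed by an earlier run is presumably left in the cluster unmanaged and no longer upgraded; whether a cleanup task exists is not visible in this diff. A preflight assertion would surface that, for example `that: ingress_nginx_enabled is not defined or not ingress_nginx_enabled` with a `fail_msg` pointing to the migration notes. The task list continues outside the hunk.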
@@ -309,13 +309,6 @@ local_volume_provisioner_image_tag: "v{{ local_volume_provisioner_version }}" local_path_provisioner_version: "0.0.32" local_path_provisioner_image_repo: "{{ docker_image_repo }}/rancher/local-path-provisioner" local_path_provisioner_image_tag: "v{{ local_path_provisioner_version }}" -ingress_nginx_version: "1.13.3" -ingress_nginx_controller_image_repo: "{{ kube_image_repo }}/ingress-nginx/controller" -ingress_nginx_opentelemetry_image_repo: "{{ kube_image_repo }}/ingress-nginx/opentelemetry" -ingress_nginx_controller_image_tag: "v{{ ingress_nginx_version }}" -ingress_nginx_opentelemetry_image_tag: "v20230721-3e2062ee5" -ingress_nginx_kube_webhook_certgen_image_repo: "{{ kube_image_repo }}/ingress-nginx/kube-webhook-certgen" -ingress_nginx_kube_webhook_certgen_image_tag: "v1.6.3" alb_ingress_image_repo: "{{ docker_image_repo }}/amazon/aws-alb-ingress-controller" alb_ingress_image_tag: "v1.1.9" cert_manager_version: "1.15.3" @@ -919,15 +912,6 @@ downloads: groups: - kube_node - ingress_nginx_controller: - enabled: "{{ ingress_nginx_enabled }}" - container: true - repo: "{{ ingress_nginx_controller_image_repo }}" - tag: "{{ ingress_nginx_controller_image_tag }}" - checksum: "{{ ingress_nginx_controller_digest_checksum | default(None) }}" - groups: - - kube_node - ingress_alb_controller: enabled: "{{ ingress_alb_enabled }}" container: true diff --git a/roles/kubespray_defaults/defaults/main/main.yml b/roles/kubespray_defaults/defaults/main/main.yml index c3790a355..97c0f29fb 100644 --- a/roles/kubespray_defaults/defaults/main/main.yml +++ b/roles/kubespray_defaults/defaults/main/main.yml @@ -455,7 +455,6 @@ vsphere_csi_enabled: false upcloud_csi_enabled: false csi_snapshot_controller_enabled: false persistent_volumes_enabled: false -ingress_nginx_enabled: false ingress_alb_enabled: false cert_manager_enabled: false expand_persistent_volumes: false 
diff --git a/scripts/readme_versions.md.j2 b/scripts/readme_versions.md.j2 index 5941bb778..eebaef2f2 100644 --- a/scripts/readme_versions.md.j2 +++ b/scripts/readme_versions.md.j2 @@ -16,7 +16,6 @@ - Application - [cert-manager](https://github.com/jetstack/cert-manager) {{ cert_manager_version }} - [coredns](https://github.com/coredns/coredns) {{ coredns_version }} - - [ingress-nginx](https://github.com/kubernetes/ingress-nginx) {{ ingress_nginx_version }} - [argocd](https://argoproj.github.io/) {{ argocd_version }} - [helm](https://helm.sh/) {{ helm_version }} - [metallb](https://metallb.universe.tf/) {{ metallb_version }}