ingress-nginx: Upgrade to 0.16.2

ingress-nginx 0.16.2 (https://github.com/kubernetes/ingress-nginx/releases/tag/nginx-0.16.2)

This patch simplify ingress-nginx deployment by default deploy on
master, with customizable options; on the other hand, remove the
additional Ansible group "kube-ingress" and its k8s node label
injection.

Reference to https://kubernetes.io/docs/concepts/services-networking/ingress/#prerequisites:

    GCE/Google Kubernetes Engine deploys an ingress controller on the master.

By changing `ingress_nginx_nodeselector` plus custom k8s node
label, user could customize the DaemonSet deployment target.

If `ingress_nginx_nodeselector` is empty, will deploy DaemonSet on
every k8s node.

roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/cm-ingress-nginx.yml.j2

@@ -6,5 +6,7 @@ metadata:
   namespace: {{ ingress_nginx_namespace }}
   labels:
     k8s-app: ingress-nginx
+{% if ingress_nginx_configmap %}
 data:
   {{ ingress_nginx_configmap | to_nice_yaml | indent(2) }}
+{%- endif %}

roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/cm-tcp-services.yml.j2

@@ -2,9 +2,11 @@
 apiVersion: v1
 kind: ConfigMap
 metadata:
-  name: ingress-nginx-tcp-services
+  name: tcp-services
   namespace: {{ ingress_nginx_namespace }}
   labels:
     k8s-app: ingress-nginx
+{% if ingress_nginx_configmap_tcp_services %}
 data:
   {{ ingress_nginx_configmap_tcp_services | to_nice_yaml | indent(2) }}
+{%- endif %}

roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/cm-udp-services.yml.j2

@@ -2,9 +2,11 @@
 apiVersion: v1
 kind: ConfigMap
 metadata:
-  name: ingress-nginx-udp-services
+  name: udp-services
   namespace: {{ ingress_nginx_namespace }}
   labels:
     k8s-app: ingress-nginx
+{% if ingress_nginx_configmap_udp_services %}
 data:
   {{ ingress_nginx_configmap_udp_services | to_nice_yaml | indent(2) }}
+{%- endif %}

roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/deploy-default-backend.yml.j2

@@ -1,27 +1,27 @@
 ---
 apiVersion: apps/v1
-kind: ReplicaSet
+kind: Deployment
 metadata:
-  name: ingress-nginx-default-backend-v{{ ingress_nginx_default_backend_image_tag }}
+  name: default-backend-v{{ ingress_nginx_default_backend_image_tag }}
   namespace: {{ ingress_nginx_namespace }}
   labels:
-    k8s-app: ingress-nginx-default-backend
+    k8s-app: default-backend
     version: v{{ ingress_nginx_default_backend_image_tag }}
 spec:
   replicas: 1
   selector:
     matchLabels:
-      k8s-app: ingress-nginx-default-backend
+      k8s-app: default-backend
       version: v{{ ingress_nginx_default_backend_image_tag }}
   template:
     metadata:
       labels:
-        k8s-app: ingress-nginx-default-backend
+        k8s-app: default-backend
         version: v{{ ingress_nginx_default_backend_image_tag }}
     spec:
       terminationGracePeriodSeconds: 60
       containers:
-        - name: ingress-nginx-default-backend
+        - name: default-backend
           # Any image is permissible as long as:
           # 1. It serves a 404 page at /
           # 2. It serves 200 on a /healthz endpoint
@@ -35,3 +35,10 @@ spec:
             timeoutSeconds: 5
           ports:
             - containerPort: 8080
+          resources:
+            limits:
+              cpu: 10m
+              memory: 20Mi
+            requests:
+              cpu: 10m
+              memory: 20Mi

roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/ds-ingress-nginx-controller.yml.j2

@@ -7,9 +7,6 @@ metadata:
   labels:
     k8s-app: ingress-nginx
     version: v{{ ingress_nginx_controller_image_tag }}
-  annotations:
-    prometheus.io/port: '10254'
-    prometheus.io/scrape: 'true'
 spec:
   selector:
     matchLabels:
@@ -24,23 +21,36 @@ spec:
         prometheus.io/port: '10254'
         prometheus.io/scrape: 'true'
     spec:
+{% if rbac_enabled %}
+      serviceAccountName: ingress-nginx
+{% endif %}
 {% if ingress_nginx_host_network %}
       hostNetwork: true
 {% endif %}
+{% if ingress_nginx_nodeselector %}
       nodeSelector:
-        node-role.kubernetes.io/ingress: "true"
-      terminationGracePeriodSeconds: 60
+        {{ ingress_nginx_nodeselector | to_nice_yaml }}
+{%- endif %}
       containers:
         - name: ingress-nginx-controller
           image: {{ ingress_nginx_controller_image_repo }}:{{ ingress_nginx_controller_image_tag }}
           imagePullPolicy: {{ k8s_image_pull_policy }}
           args:
             - /nginx-ingress-controller
-            - --default-backend-service=$(POD_NAMESPACE)/ingress-nginx-default-backend
+            - --default-backend-service=$(POD_NAMESPACE)/default-backend
             - --configmap=$(POD_NAMESPACE)/ingress-nginx
-            - --tcp-services-configmap=$(POD_NAMESPACE)/ingress-nginx-tcp-services
-            - --udp-services-configmap=$(POD_NAMESPACE)/ingress-nginx-udp-services
+            - --tcp-services-configmap=$(POD_NAMESPACE)/tcp-services
+            - --udp-services-configmap=$(POD_NAMESPACE)/udp-services
+            - --publish-service=$(POD_NAMESPACE)/ingress-nginx
             - --annotations-prefix=nginx.ingress.kubernetes.io
+          securityContext:
+            capabilities:
+                drop:
+                  - ALL
+                add:
+                  - NET_BIND_SERVICE
+            # www-data -> 33
+            runAsUser: 33
           env:
             - name: POD_NAME
               valueFrom:
@@ -78,7 +88,3 @@ spec:
             timeoutSeconds: 1
           securityContext:
             runAsNonRoot: false
-{% if rbac_enabled %}
-      serviceAccountName: ingress-nginx
-{% endif %}
-

roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/svc-default-backend.yml.j2

@@ -2,13 +2,13 @@
 apiVersion: v1
 kind: Service
 metadata:
-  name: ingress-nginx-default-backend
+  name: default-backend
   namespace: {{ ingress_nginx_namespace }}
   labels:
-    k8s-app: ingress-nginx-default-backend
+    k8s-app: default-backend
 spec:
   ports:
     - port: 80
       targetPort: 8080
   selector:
-    k8s-app: ingress-nginx-default-backend
+    k8s-app: default-backend