badjware
/
home-stack-kustomize
1
0
Fork 0
Code Releases Activity

deploy nginx-ingress-controller to kube-system

This commit is contained in:
Massaki Archambault 2020-08-10 22:05:54 -04:00
parent 7aa58298e1
commit acc1a074ed
12 changed files with 536 additions and 15 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
Makefile
View File

@ -1,4 +1,4 @@
KUSTOMIZE = docker run -v $(HOME)/.aws:/root/.aws:ro -v $(PWD):/host:ro -w /host badjware/kustomize-plugins:latest
KUSTOMIZE = docker run -v $(HOME)/.aws:/root/.aws:ro -v $(PWD):/host -w /host badjware/kustomize-plugins:latest
KUSTOMIZEFLAGS = --enable_alpha_plugins
KUBECTL = kubectl
@ -35,15 +35,18 @@ endif
.PHONY: all info auto-deploy clean diff apply
all: info auto-deploy $(KUSTOMIZEOUT)
all: info $(KUSTOMIZEOUTALL) $(KUSTOMIZEOUT)
info:
@echo "Building for" $(environment)
$(KUSTOMIZE) version
clean:
rm -r $(OUTDIR)
auto-deploy: $(SRC)
auto-deploy: $(KUSTOMIZEOUTALL)
$(KUSTOMIZEOUTALL): $(SRC)
@mkdir -p $(dir $(KUSTOMIZEOUTALL))
$(KUSTOMIZE) build $(KUSTOMIZEFLAGS) $(KUSTOMIZEDIRALL) >$(KUSTOMIZEOUTALL) || (rm $(KUSTOMIZEOUTALL); exit 1)

149
kustomize/bases/cert-manager/cert-manager-namespace.patch Normal file
View File

@ -0,0 +1,149 @@
--- a 2020-08-03 08:32:44.463589161 -0400
+++ b 2020-08-03 08:34:06.230277210 -0400
@@ -19,7 +19,7 @@
metadata:
name: certificaterequests.cert-manager.io
annotations:
- cert-manager.io/inject-ca-from-secret: 'cert-manager/cert-manager-webhook-ca'
+ cert-manager.io/inject-ca-from-secret: 'kube-system/cert-manager-webhook-ca'
labels:
app: 'cert-manager'
app.kubernetes.io/name: 'cert-manager'
@@ -54,7 +54,7 @@
# webhookClientConfig is required when strategy is `Webhook` and it configures the webhook endpoint to be called by API server.
webhookClientConfig:
service:
- namespace: 'cert-manager'
+ namespace: kube-system
name: 'cert-manager-webhook'
path: /convert
names:
@@ -585,7 +585,7 @@
metadata:
name: certificates.cert-manager.io
annotations:
- cert-manager.io/inject-ca-from-secret: 'cert-manager/cert-manager-webhook-ca'
+ cert-manager.io/inject-ca-from-secret: 'kube-system/cert-manager-webhook-ca'
labels:
app: 'cert-manager'
app.kubernetes.io/name: 'cert-manager'
@@ -623,7 +623,7 @@
# webhookClientConfig is required when strategy is `Webhook` and it configures the webhook endpoint to be called by API server.
webhookClientConfig:
service:
- namespace: 'cert-manager'
+ namespace: kube-system
name: 'cert-manager-webhook'
path: /convert
names:
@@ -1797,7 +1797,7 @@
metadata:
name: challenges.acme.cert-manager.io
annotations:
- cert-manager.io/inject-ca-from-secret: 'cert-manager/cert-manager-webhook-ca'
+ cert-manager.io/inject-ca-from-secret: 'kube-system/cert-manager-webhook-ca'
labels:
app: 'cert-manager'
app.kubernetes.io/name: 'cert-manager'
@@ -1831,7 +1831,7 @@
# webhookClientConfig is required when strategy is `Webhook` and it configures the webhook endpoint to be called by API server.
webhookClientConfig:
service:
- namespace: 'cert-manager'
+ namespace: kube-system
name: 'cert-manager-webhook'
path: /convert
names:
@@ -6260,7 +6260,7 @@
metadata:
name: clusterissuers.cert-manager.io
annotations:
- cert-manager.io/inject-ca-from-secret: 'cert-manager/cert-manager-webhook-ca'
+ cert-manager.io/inject-ca-from-secret: 'kube-system/cert-manager-webhook-ca'
labels:
app: 'cert-manager'
app.kubernetes.io/name: 'cert-manager'
@@ -6291,7 +6291,7 @@
# webhookClientConfig is required when strategy is `Webhook` and it configures the webhook endpoint to be called by API server.
webhookClientConfig:
service:
- namespace: 'cert-manager'
+ namespace: kube-system
name: 'cert-manager-webhook'
path: /convert
names:
@@ -12084,7 +12084,7 @@
metadata:
name: issuers.cert-manager.io
annotations:
- cert-manager.io/inject-ca-from-secret: 'cert-manager/cert-manager-webhook-ca'
+ cert-manager.io/inject-ca-from-secret: 'kube-system/cert-manager-webhook-ca'
labels:
app: 'cert-manager'
app.kubernetes.io/name: 'cert-manager'
@@ -12115,7 +12115,7 @@
# webhookClientConfig is required when strategy is `Webhook` and it configures the webhook endpoint to be called by API server.
webhookClientConfig:
service:
- namespace: 'cert-manager'
+ namespace: kube-system
name: 'cert-manager-webhook'
path: /convert
names:
@@ -17905,7 +17905,7 @@
metadata:
name: orders.acme.cert-manager.io
annotations:
- cert-manager.io/inject-ca-from-secret: 'cert-manager/cert-manager-webhook-ca'
+ cert-manager.io/inject-ca-from-secret: 'kube-system/cert-manager-webhook-ca'
labels:
app: 'cert-manager'
app.kubernetes.io/name: 'cert-manager'
@@ -17940,7 +17940,7 @@
# webhookClientConfig is required when strategy is `Webhook` and it configures the webhook endpoint to be called by API server.
webhookClientConfig:
service:
- namespace: 'cert-manager'
+ namespace: kube-system
name: 'cert-manager-webhook'
path: /convert
names:
@@ -18515,11 +18515,6 @@
after it is initially set.
type: string
---
-apiVersion: v1
-kind: Namespace
-metadata:
- name: cert-manager
----
# Source: cert-manager/templates/cainjector-serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
@@ -19100,7 +19095,7 @@
subjects:
- kind: ServiceAccount
name: cert-manager-cainjector
- namespace: cert-manager
+ namespace: kube-system
---
# Source: cert-manager/templates/rbac.yaml
# grant cert-manager permission to manage the leaderelection configmap in the
@@ -19125,7 +19120,7 @@
- apiGroup: ""
kind: ServiceAccount
name: cert-manager
- namespace: cert-manager
+ namespace: kube-system
---
# Source: cert-manager/templates/webhook-rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1beta1
@@ -19148,7 +19143,7 @@
- apiGroup: ""
kind: ServiceAccount
name: cert-manager-webhook
- namespace: cert-manager
+ namespace: kube-system
---
# Source: cert-manager/templates/service.yaml
apiVersion: v1

4
kustomize/bases/cert-manager/cert-manager.yaml
View File

@ -4,4 +4,6 @@ metadata:
name: cert-manager
resources:
- url: https://github.com/jetstack/cert-manager/releases/download/v0.16.0/cert-manager.yaml
sha256: 5770f5f01c10a902355b3522b8ce44508ebb6ec88955efde9a443afe5b3969d7
sha256: 5770f5f01c10a902355b3522b8ce44508ebb6ec88955efde9a443afe5b3969d7
patches:
- cert-manager-namespace.patch

3
kustomize/bases/ingress-nginx/kustomization.yaml
View File

@ -1,2 +1,5 @@
generators:
- nginx-ingress-controller.yaml
patchesStrategicMerge:
- nginx-ingress-controller-daemonset-patch.yaml

9
kustomize/bases/ingress-nginx/nginx-ingress-controller-daemonset-patch.yaml Normal file
View File

@ -0,0 +1,9 @@
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: ingress-nginx-controller
namespace: kube-system
spec:
template:
spec:
hostNetwork: true

11
kustomize/bases/ingress-nginx/nginx-ingress-controller-daemonset.patch Normal file
View File

@ -0,0 +1,11 @@
--- a 2020-08-02 10:51:40.867697750 -0400
+++ b 2020-08-02 10:54:35.864444036 -0400
@@ -301,7 +291,7 @@
---
# Source: ingress-nginx/templates/controller-deployment.yaml
apiVersion: apps/v1
-kind: Deployment
+kind: DaemonSet
metadata:
labels:
helm.sh/chart: ingress-nginx-2.0.3

345
kustomize/bases/ingress-nginx/nginx-ingress-controller-namespace.patch Normal file
View File

@ -0,0 +1,345 @@
--- a 2020-08-03 08:27:39.420706235 -0400
+++ b 2020-08-03 08:29:09.257135444 -0400
@@ -1,14 +1,4 @@
-
-apiVersion: v1
-kind: Namespace
-metadata:
- name: ingress-nginx
- labels:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/instance: ingress-nginx
-
----
-# Source: ingress-nginx/templates/controller-serviceaccount.yaml
+# Source: kube-system/templates/controller-serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
@@ -20,9 +10,9 @@
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: controller
name: ingress-nginx
- namespace: ingress-nginx
+ namespace: kube-system
---
-# Source: ingress-nginx/templates/controller-configmap.yaml
+# Source: kube-system/templates/controller-configmap.yaml
apiVersion: v1
kind: ConfigMap
metadata:
@@ -34,10 +24,10 @@
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: controller
name: ingress-nginx-controller
- namespace: ingress-nginx
+ namespace: kube-system
data:
---
-# Source: ingress-nginx/templates/clusterrole.yaml
+# Source: kube-system/templates/clusterrole.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
@@ -48,7 +38,7 @@
app.kubernetes.io/version: 0.32.0
app.kubernetes.io/managed-by: Helm
name: ingress-nginx
- namespace: ingress-nginx
+ namespace: kube-system
rules:
- apiGroups:
- ''
@@ -108,7 +98,7 @@
- list
- watch
---
-# Source: ingress-nginx/templates/clusterrolebinding.yaml
+# Source: kube-system/templates/clusterrolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
@@ -119,7 +109,7 @@
app.kubernetes.io/version: 0.32.0
app.kubernetes.io/managed-by: Helm
name: ingress-nginx
- namespace: ingress-nginx
+ namespace: kube-system
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
@@ -127,9 +117,9 @@
subjects:
- kind: ServiceAccount
name: ingress-nginx
- namespace: ingress-nginx
+ namespace: kube-system
---
-# Source: ingress-nginx/templates/controller-role.yaml
+# Source: kube-system/templates/controller-role.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
@@ -141,7 +131,7 @@
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: controller
name: ingress-nginx
- namespace: ingress-nginx
+ namespace: kube-system
rules:
- apiGroups:
- ''
@@ -224,7 +214,7 @@
- create
- patch
---
-# Source: ingress-nginx/templates/controller-rolebinding.yaml
+# Source: kube-system/templates/controller-rolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
@@ -236,7 +226,7 @@
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: controller
name: ingress-nginx
- namespace: ingress-nginx
+ namespace: kube-system
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
@@ -244,9 +234,9 @@
subjects:
- kind: ServiceAccount
name: ingress-nginx
- namespace: ingress-nginx
+ namespace: kube-system
---
-# Source: ingress-nginx/templates/controller-service-webhook.yaml
+# Source: kube-system/templates/controller-service-webhook.yaml
apiVersion: v1
kind: Service
metadata:
@@ -258,7 +248,7 @@
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: controller
name: ingress-nginx-controller-admission
- namespace: ingress-nginx
+ namespace: kube-system
spec:
type: ClusterIP
ports:
@@ -270,7 +260,7 @@
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/component: controller
---
-# Source: ingress-nginx/templates/controller-service.yaml
+# Source: kube-system/templates/controller-service.yaml
apiVersion: v1
kind: Service
metadata:
@@ -282,7 +272,7 @@
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: controller
name: ingress-nginx-controller
- namespace: ingress-nginx
+ namespace: kube-system
spec:
type: NodePort
ports:
@@ -299,7 +289,7 @@
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/component: controller
---
-# Source: ingress-nginx/templates/controller-deployment.yaml
+# Source: kube-system/templates/controller-deployment.yaml
apiVersion: apps/v1
kind: DaemonSet
metadata:
@@ -311,7 +301,7 @@
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: controller
name: ingress-nginx-controller
- namespace: ingress-nginx
+ namespace: kube-system
spec:
selector:
matchLabels:
@@ -341,7 +331,7 @@
- /nginx-ingress-controller
- --election-id=ingress-controller-leader
- --ingress-class=nginx
- - --configmap=ingress-nginx/ingress-nginx-controller
+ - --configmap=kube-system/ingress-nginx-controller
- --validating-webhook=:8443
- --validating-webhook-certificate=/usr/local/certificates/cert
- --validating-webhook-key=/usr/local/certificates/key
@@ -407,7 +397,7 @@
secret:
secretName: ingress-nginx-admission
---
-# Source: ingress-nginx/templates/admission-webhooks/validating-webhook.yaml
+# Source: kube-system/templates/admission-webhooks/validating-webhook.yaml
apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingWebhookConfiguration
metadata:
@@ -419,7 +409,7 @@
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: admission-webhook
name: ingress-nginx-admission
- namespace: ingress-nginx
+ namespace: kube-system
webhooks:
- name: validate.nginx.ingress.kubernetes.io
rules:
@@ -436,11 +426,11 @@
failurePolicy: Fail
clientConfig:
service:
- namespace: ingress-nginx
+ namespace: kube-system
name: ingress-nginx-controller-admission
path: /extensions/v1beta1/ingresses
---
-# Source: ingress-nginx/templates/admission-webhooks/job-patch/clusterrole.yaml
+# Source: kube-system/templates/admission-webhooks/job-patch/clusterrole.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
@@ -455,7 +445,7 @@
app.kubernetes.io/version: 0.32.0
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: admission-webhook
- namespace: ingress-nginx
+ namespace: kube-system
rules:
- apiGroups:
- admissionregistration.k8s.io
@@ -465,7 +455,7 @@
- get
- update
---
-# Source: ingress-nginx/templates/admission-webhooks/job-patch/clusterrolebinding.yaml
+# Source: kube-system/templates/admission-webhooks/job-patch/clusterrolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
@@ -480,7 +470,7 @@
app.kubernetes.io/version: 0.32.0
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: admission-webhook
- namespace: ingress-nginx
+ namespace: kube-system
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
@@ -488,9 +478,9 @@
subjects:
- kind: ServiceAccount
name: ingress-nginx-admission
- namespace: ingress-nginx
+ namespace: kube-system
---
-# Source: ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml
+# Source: kube-system/templates/admission-webhooks/job-patch/job-createSecret.yaml
apiVersion: batch/v1
kind: Job
metadata:
@@ -505,7 +495,7 @@
app.kubernetes.io/version: 0.32.0
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: admission-webhook
- namespace: ingress-nginx
+ namespace: kube-system
spec:
template:
metadata:
@@ -525,7 +515,7 @@
args:
- create
- --host=ingress-nginx-controller-admission,ingress-nginx-controller-admission.ingress-nginx.svc
- - --namespace=ingress-nginx
+ - --namespace=kube-system
- --secret-name=ingress-nginx-admission
restartPolicy: OnFailure
serviceAccountName: ingress-nginx-admission
@@ -533,7 +523,7 @@
runAsNonRoot: true
runAsUser: 2000
---
-# Source: ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml
+# Source: kube-system/templates/admission-webhooks/job-patch/job-patchWebhook.yaml
apiVersion: batch/v1
kind: Job
metadata:
@@ -548,7 +538,7 @@
app.kubernetes.io/version: 0.32.0
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: admission-webhook
- namespace: ingress-nginx
+ namespace: kube-system
spec:
template:
metadata:
@@ -568,7 +558,7 @@
args:
- patch
- --webhook-name=ingress-nginx-admission
- - --namespace=ingress-nginx
+ - --namespace=kube-system
- --patch-mutating=false
- --secret-name=ingress-nginx-admission
- --patch-failure-policy=Fail
@@ -578,7 +568,7 @@
runAsNonRoot: true
runAsUser: 2000
---
-# Source: ingress-nginx/templates/admission-webhooks/job-patch/role.yaml
+# Source: kube-system/templates/admission-webhooks/job-patch/role.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
@@ -593,7 +583,7 @@
app.kubernetes.io/version: 0.32.0
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: admission-webhook
- namespace: ingress-nginx
+ namespace: kube-system
rules:
- apiGroups:
- ''
@@ -603,7 +593,7 @@
- get
- create
---
-# Source: ingress-nginx/templates/admission-webhooks/job-patch/rolebinding.yaml
+# Source: kube-system/templates/admission-webhooks/job-patch/rolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
@@ -618,7 +608,7 @@
app.kubernetes.io/version: 0.32.0
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: admission-webhook
- namespace: ingress-nginx
+ namespace: kube-system
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
@@ -626,9 +616,9 @@
subjects:
- kind: ServiceAccount
name: ingress-nginx-admission
- namespace: ingress-nginx
+ namespace: kube-system
---
-# Source: ingress-nginx/templates/admission-webhooks/job-patch/serviceaccount.yaml
+# Source: kube-system/templates/admission-webhooks/job-patch/serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
@@ -643,4 +633,4 @@
app.kubernetes.io/version: 0.32.0
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: admission-webhook
- namespace: ingress-nginx
+ namespace: kube-system

5
kustomize/bases/ingress-nginx/nginx-ingress-controller.yaml
View File

@ -4,4 +4,7 @@ metadata:
name: nginx-ingress-controller
resources:
- url: https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-0.32.0/deploy/static/provider/baremetal/deploy.yaml
sha256: b51736bb5cf846902ef5870d7d34e5627050ad8452850fdae0ab59fab54e69b6
sha256: b51736bb5cf846902ef5870d7d34e5627050ad8452850fdae0ab59fab54e69b6
patches:
- nginx-ingress-controller-daemonset.patch
- nginx-ingress-controller-namespace.patch

4
kustomize/namespaces/cert-manager/kustomization.yaml
View File

@ -1,4 +0,0 @@
bases:
- ../../bases/cert-manager
# namespace: cert-manager

4
kustomize/namespaces/ingress-nginx/kustomization.yaml
View File

@ -1,4 +0,0 @@
bases:
- ../../bases/ingress-nginx
# namespace: ingress-nginx

5
kustomize/namespaces/kube-system/kustomization.yaml Normal file
View File

@ -0,0 +1,5 @@
bases:
- ../../bases/ingress-nginx
- ../../bases/cert-manager
namespace: kube-system

3
kustomize/overlays/dev-auto-deploy/kustomization.yaml
View File

@ -1,6 +1,5 @@
bases:
- ../../namespaces/cert-manager
- ../../namespaces/ingress-nginx
- ../../namespaces/kube-system
# allow "kubectl apply -l managed-by=auto-deploy --prune ..."
commonlabels: