diff --git a/Makefile b/Makefile
index 9e7e4a2..9d85239 100644
--- a/Makefile
+++ b/Makefile
@@ -1,4 +1,4 @@
-KUSTOMIZE = docker run -v $(HOME)/.aws:/root/.aws:ro -v $(PWD):/host:ro -w /host badjware/kustomize-plugins:latest
+KUSTOMIZE = docker run -v $(HOME)/.aws:/root/.aws:ro -v $(PWD):/host -w /host badjware/kustomize-plugins:latest
 KUSTOMIZEFLAGS = --enable_alpha_plugins
 KUBECTL = kubectl
@@ -35,15 +35,18 @@ endif
 .PHONY: all info auto-deploy clean diff apply
-all: info auto-deploy $(KUSTOMIZEOUT)
+all: info $(KUSTOMIZEOUTALL) $(KUSTOMIZEOUT)
 info:
 @echo "Building for" $(environment)
+ $(KUSTOMIZE) version
 clean:
 rm -r $(OUTDIR)
-auto-deploy: $(SRC)
+auto-deploy: $(KUSTOMIZEOUTALL)
+
+$(KUSTOMIZEOUTALL): $(SRC)
 @mkdir -p $(dir $(KUSTOMIZEOUTALL))
 $(KUSTOMIZE) build $(KUSTOMIZEFLAGS) $(KUSTOMIZEDIRALL) >$(KUSTOMIZEOUTALL) || (rm $(KUSTOMIZEOUTALL); exit 1)
diff --git a/kustomize/bases/cert-manager/cert-manager-namespace.patch b/kustomize/bases/cert-manager/cert-manager-namespace.patch
new file mode 100644
index 0000000..0c56c90
--- /dev/null
+++ b/kustomize/bases/cert-manager/cert-manager-namespace.patch
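Review bot: The `$(PWD):/host` mount loses its `:ro`, so the `badjware/kustomize-plugins:latest` container can now write anywhere in the checkout, yet the only build output visible in the diff is produced by a host-side redirect (`>$(KUSTOMIZEOUTALL)`), so the reason write access is needed is not recorded. If a plugin needs a scratch or cache directory, mounting only that path read-write (for example `-v $(PWD)/<scratch-dir>:/host/<scratch-dir>` next to the existing read-only mount) keeps the sources read-only; at minimum add a comment such as `# /host is mounted rw because <plugin> writes <path>` so the widening is clearly deliberate. Since the image is pulled by the floating `:latest` tag and has `$(HOME)/.aws` mounted into it, pinning it by digest would also make what runs with those credentials and that write access reproducible.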
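Review bot: The new `$(KUSTOMIZEOUTALL): $(SRC)` rule names its target three more times in the recipe where `$@` would do, and the `|| (rm $(KUSTOMIZEOUTALL); exit 1)` tail hand-rolls what `.DELETE_ON_ERROR:` provides for every rule. The recipe can shrink to `@mkdir -p $(@D)` and `$(KUSTOMIZE) build $(KUSTOMIZEFLAGS) $(KUSTOMIZEDIRALL) >$@` with `.DELETE_ON_ERROR:` declared once next to `.PHONY`; if the manual cleanup stays, `rm -f` is the safer form. The rule's recipe may continue past the last line of this hunk, so I cannot see whether further commands reuse the same name.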
@@ -0,0 +1,149 @@ +--- a 2020-08-03 08:32:44.463589161 -0400 ++++ b 2020-08-03 08:34:06.230277210 -0400 +@@ -19,7 +19,7 @@ + metadata: + name: certificaterequests.cert-manager.io + annotations: +- cert-manager.io/inject-ca-from-secret: 'cert-manager/cert-manager-webhook-ca' ++ cert-manager.io/inject-ca-from-secret: 'kube-system/cert-manager-webhook-ca' + labels: + app: 'cert-manager' + app.kubernetes.io/name: 'cert-manager' +@@ -54,7 +54,7 @@ + # webhookClientConfig is required when strategy is `Webhook` and it configures the webhook endpoint to be called by API server. + webhookClientConfig: + service: +- namespace: 'cert-manager' ++ namespace: kube-system + name: 'cert-manager-webhook' + path: /convert + names: +@@ -585,7 +585,7 @@ + metadata: + name: certificates.cert-manager.io + annotations: +- cert-manager.io/inject-ca-from-secret: 'cert-manager/cert-manager-webhook-ca' ++ cert-manager.io/inject-ca-from-secret: 'kube-system/cert-manager-webhook-ca' + labels: + app: 'cert-manager' + app.kubernetes.io/name: 'cert-manager' +@@ -623,7 +623,7 @@ + # webhookClientConfig is required when strategy is `Webhook` and it configures the webhook endpoint to be called by API server. + webhookClientConfig: + service: +- namespace: 'cert-manager' ++ namespace: kube-system + name: 'cert-manager-webhook' + path: /convert + names: +@@ -1797,7 +1797,7 @@ + metadata: + name: challenges.acme.cert-manager.io + annotations: +- cert-manager.io/inject-ca-from-secret: 'cert-manager/cert-manager-webhook-ca' ++ cert-manager.io/inject-ca-from-secret: 'kube-system/cert-manager-webhook-ca' + labels: + app: 'cert-manager' + app.kubernetes.io/name: 'cert-manager' +@@ -1831,7 +1831,7 @@ + # webhookClientConfig is required when strategy is `Webhook` and it configures the webhook endpoint to be called by API server. 
+ webhookClientConfig: + service: +- namespace: 'cert-manager' ++ namespace: kube-system + name: 'cert-manager-webhook' + path: /convert + names: +@@ -6260,7 +6260,7 @@ + metadata: + name: clusterissuers.cert-manager.io + annotations: +- cert-manager.io/inject-ca-from-secret: 'cert-manager/cert-manager-webhook-ca' ++ cert-manager.io/inject-ca-from-secret: 'kube-system/cert-manager-webhook-ca' + labels: + app: 'cert-manager' + app.kubernetes.io/name: 'cert-manager' +@@ -6291,7 +6291,7 @@ + # webhookClientConfig is required when strategy is `Webhook` and it configures the webhook endpoint to be called by API server. + webhookClientConfig: + service: +- namespace: 'cert-manager' ++ namespace: kube-system + name: 'cert-manager-webhook' + path: /convert + names: +@@ -12084,7 +12084,7 @@ + metadata: + name: issuers.cert-manager.io + annotations: +- cert-manager.io/inject-ca-from-secret: 'cert-manager/cert-manager-webhook-ca' ++ cert-manager.io/inject-ca-from-secret: 'kube-system/cert-manager-webhook-ca' + labels: + app: 'cert-manager' + app.kubernetes.io/name: 'cert-manager' +@@ -12115,7 +12115,7 @@ + # webhookClientConfig is required when strategy is `Webhook` and it configures the webhook endpoint to be called by API server. + webhookClientConfig: + service: +- namespace: 'cert-manager' ++ namespace: kube-system + name: 'cert-manager-webhook' + path: /convert + names: +@@ -17905,7 +17905,7 @@ + metadata: + name: orders.acme.cert-manager.io + annotations: +- cert-manager.io/inject-ca-from-secret: 'cert-manager/cert-manager-webhook-ca' ++ cert-manager.io/inject-ca-from-secret: 'kube-system/cert-manager-webhook-ca' + labels: + app: 'cert-manager' + app.kubernetes.io/name: 'cert-manager' +@@ -17940,7 +17940,7 @@ + # webhookClientConfig is required when strategy is `Webhook` and it configures the webhook endpoint to be called by API server. 
+ webhookClientConfig:
+ service:
+- namespace: 'cert-manager'
++ namespace: kube-system
+ name: 'cert-manager-webhook'
+ path: /convert
+ names:
+@@ -18515,11 +18515,6 @@
+ after it is initially set.
+ type: string
+ ---
+-apiVersion: v1
+-kind: Namespace
+-metadata:
+- name: cert-manager
+----
+ # Source: cert-manager/templates/cainjector-serviceaccount.yaml
+ apiVersion: v1
+ kind: ServiceAccount
+@@ -19100,7 +19095,7 @@
+ subjects:
+ - kind: ServiceAccount
+ name: cert-manager-cainjector
+- namespace: cert-manager
++ namespace: kube-system
+ ---
+ # Source: cert-manager/templates/rbac.yaml
+ # grant cert-manager permission to manage the leaderelection configmap in the
+@@ -19125,7 +19120,7 @@
+ - apiGroup: ""
+ kind: ServiceAccount
+ name: cert-manager
+- namespace: cert-manager
++ namespace: kube-system
+ ---
+ # Source: cert-manager/templates/webhook-rbac.yaml
+ apiVersion: rbac.authorization.k8s.io/v1beta1
+@@ -19148,7 +19143,7 @@
+ - apiGroup: ""
+ kind: ServiceAccount
+ name: cert-manager-webhook
+- namespace: cert-manager
++ namespace: kube-system
+ ---
+ # Source: cert-manager/templates/service.yaml
+ apiVersion: v1
diff --git a/kustomize/bases/cert-manager/cert-manager.yaml b/kustomize/bases/cert-manager/cert-manager.yaml
index fec7e58..35fd67e 100644
--- a/kustomize/bases/cert-manager/cert-manager.yaml
+++ b/kustomize/bases/cert-manager/cert-manager.yaml
@@ -4,4 +4,6 @@ metadata:
 name: cert-manager
 resources:
 - url: https://github.com/jetstack/cert-manager/releases/download/v0.16.0/cert-manager.yaml
- sha256: 5770f5f01c10a902355b3522b8ce44508ebb6ec88955efde9a443afe5b3969d7
\ No newline at end of file
+ sha256: 5770f5f01c10a902355b3522b8ce44508ebb6ec88955efde9a443afe5b3969d7
+ patches:
+ - cert-manager-namespace.patch
\ No newline at end of file
diff --git a/kustomize/bases/ingress-nginx/kustomization.yaml b/kustomize/bases/ingress-nginx/kustomization.yaml
index 253012d..28a327d 100644
--- a/kustomize/bases/ingress-nginx/kustomization.yaml
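Review bot: The visible hunks of this patch rewrite the CRD conversion-webhook `service.namespace`, the `cert-manager.io/inject-ca-from-secret` annotations and the RBAC subjects, and drop the `Namespace` object, but nothing shown here touches the webhook Deployment's own serving names or the Mutating/ValidatingWebhookConfiguration entries further down the manifest. If the webhook still advertises `cert-manager-webhook.cert-manager.svc` in its serving certificate (the `--dynamic-serving-dns-names` argument) after the move to `kube-system`, the API server's TLS check against `cert-manager-webhook.kube-system.svc` would fail and certificate issuance would stall; please confirm those lines are covered by hunks outside this excerpt or rewritten by the overlay. A one-line header comment in the patch naming the generating command and the release it was taken from (`v0.16.0`, per `cert-manager.yaml`) would make the next upgrade easier, since the inner `@@` offsets are tied to that exact file.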
+++ b/kustomize/bases/ingress-nginx/kustomization.yaml
@@ -1,2 +1,5 @@
 generators:
 - nginx-ingress-controller.yaml
+
+patchesStrategicMerge:
+ - nginx-ingress-controller-daemonset-patch.yaml
\ No newline at end of file
diff --git a/kustomize/bases/ingress-nginx/nginx-ingress-controller-daemonset-patch.yaml b/kustomize/bases/ingress-nginx/nginx-ingress-controller-daemonset-patch.yaml
new file mode 100644
index 0000000..356d554
--- /dev/null
+++ b/kustomize/bases/ingress-nginx/nginx-ingress-controller-daemonset-patch.yaml
@@ -0,0 +1,9 @@
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+ name: ingress-nginx-controller
+ namespace: kube-system
+spec:
+ template:
+ spec:
+ hostNetwork: true
\ No newline at end of file
diff --git a/kustomize/bases/ingress-nginx/nginx-ingress-controller-daemonset.patch b/kustomize/bases/ingress-nginx/nginx-ingress-controller-daemonset.patch
new file mode 100644
index 0000000..51f780f
--- /dev/null
+++ b/kustomize/bases/ingress-nginx/nginx-ingress-controller-daemonset.patch
@@ -0,0 +1,11 @@
+--- a 2020-08-02 10:51:40.867697750 -0400
++++ b 2020-08-02 10:54:35.864444036 -0400
+@@ -301,7 +291,7 @@
+ ---
+ # Source: ingress-nginx/templates/controller-deployment.yaml
+ apiVersion: apps/v1
+-kind: Deployment
++kind: DaemonSet
+ metadata:
+ labels:
+ helm.sh/chart: ingress-nginx-2.0.3
diff --git a/kustomize/bases/ingress-nginx/nginx-ingress-controller-namespace.patch b/kustomize/bases/ingress-nginx/nginx-ingress-controller-namespace.patch
new file mode 100644
index 0000000..2e7e96d
--- /dev/null
+++ b/kustomize/bases/ingress-nginx/nginx-ingress-controller-namespace.patch
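Review bot: `hostNetwork: true` places the controller pod in each node's network namespace, so every port it listens on — including the admission endpoint the base manifest configures with `--validating-webhook=:8443` — is bound on the node's own interfaces, where NetworkPolicy does not apply and only node-level filtering can restrict access. That is usually the intent on bare metal, but the patch should then also set `dnsPolicy: ClusterFirstWithHostNet` under `spec.template.spec`, because a host-network pod otherwise inherits the node's resolver and cannot resolve in-cluster service names. A comment stating why host networking is used (presumably to serve on the node's own ports without a LoadBalancer) would record the trade-off for the next reader.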
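Review bot: Changing only `kind: Deployment` to `kind: DaemonSet` leaves the rest of the Deployment spec untouched, and fields that exist on Deployment but not on DaemonSet (`spec.replicas`, `spec.strategy`) would be rejected by API validation if the upstream `deploy.yaml` sets them — the patch context here stops at `metadata.labels`, so this hunk cannot show either way. Worth rendering once and checking with a server-side dry run (`kubectl apply --dry-run=server`) before the auto-deploy path relies on it. A comment on the inner `@@ -301,7 +291,7 @@` hunk noting that the old-side offset refers to the pristine upstream file (this patch is listed first in `nginx-ingress-controller.yaml`) would help when the sha256-pinned source is next bumped.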
@@ -0,0 +1,345 @@ +--- a 2020-08-03 08:27:39.420706235 -0400 ++++ b 2020-08-03 08:29:09.257135444 -0400 +@@ -1,14 +1,4 @@ +- +-apiVersion: v1 +-kind: Namespace +-metadata: +- name: ingress-nginx +- labels: +- app.kubernetes.io/name: ingress-nginx +- app.kubernetes.io/instance: ingress-nginx +- +---- +-# Source: ingress-nginx/templates/controller-serviceaccount.yaml ++# Source: kube-system/templates/controller-serviceaccount.yaml + apiVersion: v1 + kind: ServiceAccount + metadata: +@@ -20,9 +10,9 @@ + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: controller + name: ingress-nginx +- namespace: ingress-nginx ++ namespace: kube-system + --- +-# Source: ingress-nginx/templates/controller-configmap.yaml ++# Source: kube-system/templates/controller-configmap.yaml + apiVersion: v1 + kind: ConfigMap + metadata: +@@ -34,10 +24,10 @@ + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: controller + name: ingress-nginx-controller +- namespace: ingress-nginx ++ namespace: kube-system + data: + --- +-# Source: ingress-nginx/templates/clusterrole.yaml ++# Source: kube-system/templates/clusterrole.yaml + apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRole + metadata: +@@ -48,7 +38,7 @@ + app.kubernetes.io/version: 0.32.0 + app.kubernetes.io/managed-by: Helm + name: ingress-nginx +- namespace: ingress-nginx ++ namespace: kube-system + rules: + - apiGroups: + - '' +@@ -108,7 +98,7 @@ + - list + - watch + --- +-# Source: ingress-nginx/templates/clusterrolebinding.yaml ++# Source: kube-system/templates/clusterrolebinding.yaml + apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRoleBinding + metadata: +@@ -119,7 +109,7 @@ + app.kubernetes.io/version: 0.32.0 + app.kubernetes.io/managed-by: Helm + name: ingress-nginx +- namespace: ingress-nginx ++ namespace: kube-system + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole +@@ -127,9 +117,9 @@ + subjects: + - kind: ServiceAccount + name: ingress-nginx +- namespace: 
ingress-nginx ++ namespace: kube-system + --- +-# Source: ingress-nginx/templates/controller-role.yaml ++# Source: kube-system/templates/controller-role.yaml + apiVersion: rbac.authorization.k8s.io/v1 + kind: Role + metadata: +@@ -141,7 +131,7 @@ + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: controller + name: ingress-nginx +- namespace: ingress-nginx ++ namespace: kube-system + rules: + - apiGroups: + - '' +@@ -224,7 +214,7 @@ + - create + - patch + --- +-# Source: ingress-nginx/templates/controller-rolebinding.yaml ++# Source: kube-system/templates/controller-rolebinding.yaml + apiVersion: rbac.authorization.k8s.io/v1 + kind: RoleBinding + metadata: +@@ -236,7 +226,7 @@ + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: controller + name: ingress-nginx +- namespace: ingress-nginx ++ namespace: kube-system + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role +@@ -244,9 +234,9 @@ + subjects: + - kind: ServiceAccount + name: ingress-nginx +- namespace: ingress-nginx ++ namespace: kube-system + --- +-# Source: ingress-nginx/templates/controller-service-webhook.yaml ++# Source: kube-system/templates/controller-service-webhook.yaml + apiVersion: v1 + kind: Service + metadata: +@@ -258,7 +248,7 @@ + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: controller + name: ingress-nginx-controller-admission +- namespace: ingress-nginx ++ namespace: kube-system + spec: + type: ClusterIP + ports: +@@ -270,7 +260,7 @@ + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/component: controller + --- +-# Source: ingress-nginx/templates/controller-service.yaml ++# Source: kube-system/templates/controller-service.yaml + apiVersion: v1 + kind: Service + metadata: +@@ -282,7 +272,7 @@ + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: controller + name: ingress-nginx-controller +- namespace: ingress-nginx ++ namespace: kube-system + spec: + type: NodePort + ports: +@@ -299,7 +289,7 @@ + 
app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/component: controller + --- +-# Source: ingress-nginx/templates/controller-deployment.yaml ++# Source: kube-system/templates/controller-deployment.yaml + apiVersion: apps/v1 + kind: DaemonSet + metadata: +@@ -311,7 +301,7 @@ + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: controller + name: ingress-nginx-controller +- namespace: ingress-nginx ++ namespace: kube-system + spec: + selector: + matchLabels: +@@ -341,7 +331,7 @@ + - /nginx-ingress-controller + - --election-id=ingress-controller-leader + - --ingress-class=nginx +- - --configmap=ingress-nginx/ingress-nginx-controller ++ - --configmap=kube-system/ingress-nginx-controller + - --validating-webhook=:8443 + - --validating-webhook-certificate=/usr/local/certificates/cert + - --validating-webhook-key=/usr/local/certificates/key +@@ -407,7 +397,7 @@ + secret: + secretName: ingress-nginx-admission + --- +-# Source: ingress-nginx/templates/admission-webhooks/validating-webhook.yaml ++# Source: kube-system/templates/admission-webhooks/validating-webhook.yaml + apiVersion: admissionregistration.k8s.io/v1beta1 + kind: ValidatingWebhookConfiguration + metadata: +@@ -419,7 +409,7 @@ + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: admission-webhook + name: ingress-nginx-admission +- namespace: ingress-nginx ++ namespace: kube-system + webhooks: + - name: validate.nginx.ingress.kubernetes.io + rules: +@@ -436,11 +426,11 @@ + failurePolicy: Fail + clientConfig: + service: +- namespace: ingress-nginx ++ namespace: kube-system + name: ingress-nginx-controller-admission + path: /extensions/v1beta1/ingresses + --- +-# Source: ingress-nginx/templates/admission-webhooks/job-patch/clusterrole.yaml ++# Source: kube-system/templates/admission-webhooks/job-patch/clusterrole.yaml + apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRole + metadata: +@@ -455,7 +445,7 @@ + app.kubernetes.io/version: 0.32.0 + 
app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: admission-webhook +- namespace: ingress-nginx ++ namespace: kube-system + rules: + - apiGroups: + - admissionregistration.k8s.io +@@ -465,7 +455,7 @@ + - get + - update + --- +-# Source: ingress-nginx/templates/admission-webhooks/job-patch/clusterrolebinding.yaml ++# Source: kube-system/templates/admission-webhooks/job-patch/clusterrolebinding.yaml + apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRoleBinding + metadata: +@@ -480,7 +470,7 @@ + app.kubernetes.io/version: 0.32.0 + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: admission-webhook +- namespace: ingress-nginx ++ namespace: kube-system + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole +@@ -488,9 +478,9 @@ + subjects: + - kind: ServiceAccount + name: ingress-nginx-admission +- namespace: ingress-nginx ++ namespace: kube-system + --- +-# Source: ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml ++# Source: kube-system/templates/admission-webhooks/job-patch/job-createSecret.yaml + apiVersion: batch/v1 + kind: Job + metadata: +@@ -505,7 +495,7 @@ + app.kubernetes.io/version: 0.32.0 + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: admission-webhook +- namespace: ingress-nginx ++ namespace: kube-system + spec: + template: + metadata: +@@ -525,7 +515,7 @@ + args: + - create + - --host=ingress-nginx-controller-admission,ingress-nginx-controller-admission.ingress-nginx.svc +- - --namespace=ingress-nginx ++ - --namespace=kube-system + - --secret-name=ingress-nginx-admission + restartPolicy: OnFailure + serviceAccountName: ingress-nginx-admission +@@ -533,7 +523,7 @@ + runAsNonRoot: true + runAsUser: 2000 + --- +-# Source: ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml ++# Source: kube-system/templates/admission-webhooks/job-patch/job-patchWebhook.yaml + apiVersion: batch/v1 + kind: Job + metadata: +@@ -548,7 +538,7 @@ + 
app.kubernetes.io/version: 0.32.0 + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: admission-webhook +- namespace: ingress-nginx ++ namespace: kube-system + spec: + template: + metadata: +@@ -568,7 +558,7 @@ + args: + - patch + - --webhook-name=ingress-nginx-admission +- - --namespace=ingress-nginx ++ - --namespace=kube-system + - --patch-mutating=false + - --secret-name=ingress-nginx-admission + - --patch-failure-policy=Fail +@@ -578,7 +568,7 @@ + runAsNonRoot: true + runAsUser: 2000 + --- +-# Source: ingress-nginx/templates/admission-webhooks/job-patch/role.yaml ++# Source: kube-system/templates/admission-webhooks/job-patch/role.yaml + apiVersion: rbac.authorization.k8s.io/v1 + kind: Role + metadata: +@@ -593,7 +583,7 @@ + app.kubernetes.io/version: 0.32.0 + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: admission-webhook +- namespace: ingress-nginx ++ namespace: kube-system + rules: + - apiGroups: + - '' +@@ -603,7 +593,7 @@ + - get + - create + --- +-# Source: ingress-nginx/templates/admission-webhooks/job-patch/rolebinding.yaml ++# Source: kube-system/templates/admission-webhooks/job-patch/rolebinding.yaml + apiVersion: rbac.authorization.k8s.io/v1 + kind: RoleBinding + metadata: +@@ -618,7 +608,7 @@ + app.kubernetes.io/version: 0.32.0 + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: admission-webhook +- namespace: ingress-nginx ++ namespace: kube-system + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role +@@ -626,9 +616,9 @@ + subjects: + - kind: ServiceAccount + name: ingress-nginx-admission +- namespace: ingress-nginx ++ namespace: kube-system + --- +-# Source: ingress-nginx/templates/admission-webhooks/job-patch/serviceaccount.yaml ++# Source: kube-system/templates/admission-webhooks/job-patch/serviceaccount.yaml + apiVersion: v1 + kind: ServiceAccount + metadata: +@@ -643,4 +633,4 @@ + app.kubernetes.io/version: 0.32.0 + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: 
admission-webhook
+- namespace: ingress-nginx
++ namespace: kube-system
diff --git a/kustomize/bases/ingress-nginx/nginx-ingress-controller.yaml b/kustomize/bases/ingress-nginx/nginx-ingress-controller.yaml
index 400e1b0..1898470 100644
--- a/kustomize/bases/ingress-nginx/nginx-ingress-controller.yaml
+++ b/kustomize/bases/ingress-nginx/nginx-ingress-controller.yaml
@@ -4,4 +4,7 @@ metadata:
 name: nginx-ingress-controller
 resources:
 - url: https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-0.32.0/deploy/static/provider/baremetal/deploy.yaml
- sha256: b51736bb5cf846902ef5870d7d34e5627050ad8452850fdae0ab59fab54e69b6
\ No newline at end of file
+ sha256: b51736bb5cf846902ef5870d7d34e5627050ad8452850fdae0ab59fab54e69b6
+ patches:
+ - nginx-ingress-controller-daemonset.patch
+ - nginx-ingress-controller-namespace.patch
\ No newline at end of file
diff --git a/kustomize/namespaces/cert-manager/kustomization.yaml b/kustomize/namespaces/cert-manager/kustomization.yaml
deleted file mode 100644
index 642906a..0000000
--- a/kustomize/namespaces/cert-manager/kustomization.yaml
+++ /dev/null
@@ -1,4 +0,0 @@
-bases:
- - ../../bases/cert-manager
-
-# namespace: cert-manager
diff --git a/kustomize/namespaces/ingress-nginx/kustomization.yaml b/kustomize/namespaces/ingress-nginx/kustomization.yaml
deleted file mode 100644
index 28b62ab..0000000
--- a/kustomize/namespaces/ingress-nginx/kustomization.yaml
+++ /dev/null
@@ -1,4 +0,0 @@
-bases:
- - ../../bases/ingress-nginx
-
-# namespace: ingress-nginx
diff --git a/kustomize/namespaces/kube-system/kustomization.yaml b/kustomize/namespaces/kube-system/kustomization.yaml
new file mode 100644
index 0000000..23a1c19
--- /dev/null
+++ b/kustomize/namespaces/kube-system/kustomization.yaml
@@ -0,0 +1,5 @@
+bases:
+ - ../../bases/ingress-nginx
+ - ../../bases/cert-manager
+
+namespace: kube-system
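Review bot: In the `job-createSecret` hunk (`@@ -525,7 +515,7 @@`) the `--namespace` argument is rewritten to `kube-system`, but the neighbouring context line still reads `--host=ingress-nginx-controller-admission,ingress-nginx-controller-admission.ingress-nginx.svc`, so the admission certificate the job generates will carry the old service DNS name. The API server reaches the webhook as `ingress-nginx-controller-admission.kube-system.svc` and verifies that name against the certificate, and with `failurePolicy: Fail` (context in the `@@ -436,11 +426,11 @@` hunk) a mismatch would reject every Ingress create or update; the line should become `- --host=ingress-nginx-controller-admission,ingress-nginx-controller-admission.kube-system.svc`. The miss looks like the result of replacing `ingress-nginx/` textually, which also turned the `# Source: ingress-nginx/templates/...` comments into `# Source: kube-system/templates/...` — those name the Helm chart, not the namespace, so that part of the patch is misleading and can be dropped.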
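Review bot: The two entries under `patches:` are order-dependent and nothing in the file says so: `nginx-ingress-controller-namespace.patch` carries `kind: DaemonSet` as context in its `@@ -299,7 +289,7 @@` hunk, so it only applies after `nginx-ingress-controller-daemonset.patch` has run. A short comment above the list, e.g. `# order matters: the namespace patch was generated on top of the daemonset patch`, would stop a reorder from silently breaking the build. Both patches also embed absolute line offsets into the sha256-pinned `controller-0.32.0` manifest and will need regenerating whenever `url`/`sha256` change, which the same comment could state.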
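Review bot: `namespace: kube-system` rewrites `metadata.namespace` and the cross-references kustomize's namespace transformer knows about (RoleBinding subjects, for instance), but it does not touch namespace names embedded in strings such as annotations or container args — which is exactly what the `*.patch` files in both bases exist for. A comment recording that split, e.g. `# namespace: moves metadata.namespace; namespace strings inside annotations/args are rewritten by the bases' *.patch files`, would keep a future reader from deleting one side as redundant. Note that the deleted per-namespace kustomizations had their `namespace:` line commented out, so this is the first time the transformer actually runs over these bases; it is worth diffing the rendered output before and after the change rather than assuming the patches and the transformer agree.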
diff --git a/kustomize/overlays/dev-auto-deploy/kustomization.yaml b/kustomize/overlays/dev-auto-deploy/kustomization.yaml
index 8b703f1..b504660 100644
--- a/kustomize/overlays/dev-auto-deploy/kustomization.yaml
+++ b/kustomize/overlays/dev-auto-deploy/kustomization.yaml
@@ -1,6 +1,5 @@
 bases:
- - ../../namespaces/cert-manager
- - ../../namespaces/ingress-nginx
+ - ../../namespaces/kube-system
 # allow "kubectl apply -l managed-by=auto-deploy --prune ..."
 commonlabels: