generated from onedr0p/cluster-template
refactor: organize network namespace #3548
Merged
Conversation
smurf-bot (bot) added the labels area/kubernetes (Changes made in the kubernetes directory), cluster/main and cluster/utility on Jan 16, 2025
--- kubernetes/main/apps/network/echo-server/app Kustomization: flux-system/echo-server HelmRelease: network/echo-server
+++ kubernetes/main/apps/network/echo-server/app Kustomization: flux-system/echo-server HelmRelease: network/echo-server
@@ -1,119 +0,0 @@
----
-apiVersion: helm.toolkit.fluxcd.io/v2
-kind: HelmRelease
-metadata:
- labels:
- app.kubernetes.io/name: echo-server
- kustomize.toolkit.fluxcd.io/name: echo-server
- kustomize.toolkit.fluxcd.io/namespace: flux-system
- name: echo-server
- namespace: network
-spec:
- chart:
- spec:
- chart: app-template
- sourceRef:
- kind: HelmRepository
- name: bjw-s
- namespace: flux-system
- version: 3.6.1
- install:
- remediation:
- retries: 3
- interval: 30m
- upgrade:
- cleanupOnFail: true
- remediation:
- retries: 3
- strategy: rollback
- values:
- controllers:
- echo-server:
- containers:
- app:
- env:
- HTTP_PORT: 8080
- LOG_IGNORE_PATH: /healthz
- LOG_WITHOUT_NEWLINE: true
- PROMETHEUS_ENABLED: true
- image:
- repository: ghcr.io/mendhak/http-https-echo
- tag: 35
- probes:
- liveness:
- custom: true
- enabled: true
- spec:
- failureThreshold: 3
- httpGet:
- path: /healthz
- port: 8080
- initialDelaySeconds: 0
- periodSeconds: 10
- timeoutSeconds: 1
- readiness:
- custom: true
- enabled: true
- spec:
- failureThreshold: 3
- httpGet:
- path: /healthz
- port: 8080
- initialDelaySeconds: 0
- periodSeconds: 10
- timeoutSeconds: 1
- resources:
- limits:
- memory: 64Mi
- requests:
- cpu: 10m
- securityContext:
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - ALL
- readOnlyRootFilesystem: true
- seccompProfile:
- type: RuntimeDefault
- strategy: RollingUpdate
- defaultPodOptions:
- securityContext:
- fsGroupChangePolicy: OnRootMismatch
- runAsGroup: 100
- runAsNonRoot: true
- runAsUser: 1000
- seccompProfile:
- type: RuntimeDefault
- topologySpreadConstraints:
- - labelSelector:
- matchLabels:
- app.kubernetes.io/name: echo-server
- maxSkew: 1
- topologyKey: kubernetes.io/hostname
- whenUnsatisfiable: DoNotSchedule
- ingress:
- app:
- className: external
- hosts:
- - host: '{{ .Release.Name }}...PLACEHOLDER_SECRET_DOMAIN..'
- paths:
- - path: /
- service:
- identifier: app
- port: http
- service:
- app:
- controller: echo-server
- ports:
- http:
- port: 8080
- serviceMonitor:
- app:
- endpoints:
- - interval: 1m
- path: /metrics
- port: http
- scheme: http
- scrapeTimeout: 10s
- serviceName: echo-server
-
--- kubernetes/main/apps Kustomization: flux-system/cluster-apps Kustomization: flux-system/cloudflared
+++ kubernetes/main/apps Kustomization: flux-system/cluster-apps Kustomization: flux-system/cloudflared
@@ -1,43 +0,0 @@
----
-apiVersion: kustomize.toolkit.fluxcd.io/v1
-kind: Kustomization
-metadata:
- labels:
- kustomize.toolkit.fluxcd.io/name: cluster-apps
- kustomize.toolkit.fluxcd.io/namespace: flux-system
- name: cloudflared
- namespace: flux-system
-spec:
- commonMetadata:
- labels:
- app.kubernetes.io/name: cloudflared
- decryption:
- provider: sops
- secretRef:
- name: sops-age
- dependsOn:
- - name: external-secrets-stores
- interval: 30m
- path: ./kubernetes/main/apps/network/cloudflared/app
- postBuild:
- substituteFrom:
- - kind: ConfigMap
- name: cluster-settings
- optional: true
- - kind: ConfigMap
- name: cluster-settings-main
- optional: true
- - kind: Secret
- name: cluster-secrets
- optional: true
- - kind: Secret
- name: cluster-secrets-main
- optional: true
- prune: true
- sourceRef:
- kind: GitRepository
- name: flux-system
- targetNamespace: network
- timeout: 5m
- wait: false
-
--- kubernetes/main/apps Kustomization: flux-system/cluster-apps Kustomization: flux-system/echo-server
+++ kubernetes/main/apps Kustomization: flux-system/cluster-apps Kustomization: flux-system/echo-server
@@ -1,41 +0,0 @@
----
-apiVersion: kustomize.toolkit.fluxcd.io/v1
-kind: Kustomization
-metadata:
- labels:
- kustomize.toolkit.fluxcd.io/name: cluster-apps
- kustomize.toolkit.fluxcd.io/namespace: flux-system
- name: echo-server
- namespace: flux-system
-spec:
- commonMetadata:
- labels:
- app.kubernetes.io/name: echo-server
- decryption:
- provider: sops
- secretRef:
- name: sops-age
- interval: 30m
- path: ./kubernetes/main/apps/network/echo-server/app
- postBuild:
- substituteFrom:
- - kind: ConfigMap
- name: cluster-settings
- optional: true
- - kind: ConfigMap
- name: cluster-settings-main
- optional: true
- - kind: Secret
- name: cluster-secrets
- optional: true
- - kind: Secret
- name: cluster-secrets-main
- optional: true
- prune: true
- sourceRef:
- kind: GitRepository
- name: flux-system
- targetNamespace: network
- timeout: 5m
- wait: false
-
--- kubernetes/main/apps Kustomization: flux-system/cluster-apps Kustomization: flux-system/external-dns-cloudflare
+++ kubernetes/main/apps Kustomization: flux-system/cluster-apps Kustomization: flux-system/external-dns-cloudflare
@@ -15,13 +15,13 @@
provider: sops
secretRef:
name: sops-age
dependsOn:
- name: external-secrets-stores
interval: 30m
- path: ./kubernetes/main/apps/network/external-dns/cloudflare
+ path: ./kubernetes/main/apps/network/external/external-dns
postBuild:
substituteFrom:
- kind: ConfigMap
name: cluster-settings
optional: true
- kind: ConfigMap
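Review bot: the `path` moves under `network/external/`, but the Kustomization keeps its old name `external-dns-cloudflare` while every other Kustomization touched by this PR is renamed with an `external-`/`internal-` prefix (`external-cloudflared`, `external-echo-server`, `external-ingress-nginx`, `internal-ingress-nginx`). The new `external-cloudflared` Kustomization lists `external-external-dns` under `dependsOn`, which looks like the name this one was meant to get. Either rename it here so the dependency resolves, or keep the name and fix the `dependsOn` entry; as the diff stands the two do not line up.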
--- kubernetes/main/apps Kustomization: flux-system/cluster-apps Kustomization: flux-system/external-dns-unifi
+++ kubernetes/main/apps Kustomization: flux-system/cluster-apps Kustomization: flux-system/external-dns-unifi
@@ -15,13 +15,13 @@
provider: sops
secretRef:
name: sops-age
dependsOn:
- name: external-secrets-stores
interval: 30m
- path: ./kubernetes/main/apps/network/external-dns/unifi
+ path: ./kubernetes/main/apps/network/internal/external-dns
postBuild:
substituteFrom:
- kind: ConfigMap
name: cluster-settings
optional: true
- kind: ConfigMap
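Review bot: the directory is now `network/internal/external-dns`, so the only place the provider name survives is the Kustomization name `external-dns-unifi`, which does not follow the `internal-` prefix used for `internal-ingress-nginx`. If the rename to `internal-external-dns` is intended, it should be done in this PR together with the path change so the naming scheme is consistent in one commit; if not, a short comment in the directory explaining why unifi is the "internal" DNS provider would help the next reader.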
--- kubernetes/main/apps Kustomization: flux-system/cluster-apps Kustomization: flux-system/nginx-external
+++ kubernetes/main/apps Kustomization: flux-system/cluster-apps Kustomization: flux-system/nginx-external
@@ -1,43 +0,0 @@
----
-apiVersion: kustomize.toolkit.fluxcd.io/v1
-kind: Kustomization
-metadata:
- labels:
- kustomize.toolkit.fluxcd.io/name: cluster-apps
- kustomize.toolkit.fluxcd.io/namespace: flux-system
- name: nginx-external
- namespace: flux-system
-spec:
- commonMetadata:
- labels:
- app.kubernetes.io/name: nginx-external
- decryption:
- provider: sops
- secretRef:
- name: sops-age
- dependsOn:
- - name: cert-manager-tls
- interval: 30m
- path: ./kubernetes/main/apps/network/nginx/external
- postBuild:
- substituteFrom:
- - kind: ConfigMap
- name: cluster-settings
- optional: true
- - kind: ConfigMap
- name: cluster-settings-main
- optional: true
- - kind: Secret
- name: cluster-secrets
- optional: true
- - kind: Secret
- name: cluster-secrets-main
- optional: true
- prune: true
- sourceRef:
- kind: GitRepository
- name: flux-system
- targetNamespace: network
- timeout: 5m
- wait: false
-
--- kubernetes/main/apps Kustomization: flux-system/cluster-apps Kustomization: flux-system/nginx-internal
+++ kubernetes/main/apps Kustomization: flux-system/cluster-apps Kustomization: flux-system/nginx-internal
@@ -1,43 +0,0 @@
----
-apiVersion: kustomize.toolkit.fluxcd.io/v1
-kind: Kustomization
-metadata:
- labels:
- kustomize.toolkit.fluxcd.io/name: cluster-apps
- kustomize.toolkit.fluxcd.io/namespace: flux-system
- name: nginx-internal
- namespace: flux-system
-spec:
- commonMetadata:
- labels:
- app.kubernetes.io/name: nginx-internal
- decryption:
- provider: sops
- secretRef:
- name: sops-age
- dependsOn:
- - name: cert-manager-tls
- interval: 30m
- path: ./kubernetes/main/apps/network/nginx/internal
- postBuild:
- substituteFrom:
- - kind: ConfigMap
- name: cluster-settings
- optional: true
- - kind: ConfigMap
- name: cluster-settings-main
- optional: true
- - kind: Secret
- name: cluster-secrets
- optional: true
- - kind: Secret
- name: cluster-secrets-main
- optional: true
- prune: true
- sourceRef:
- kind: GitRepository
- name: flux-system
- targetNamespace: network
- timeout: 5m
- wait: false
-
--- kubernetes/main/apps Kustomization: flux-system/cluster-apps Kustomization: flux-system/external-cloudflared
+++ kubernetes/main/apps Kustomization: flux-system/cluster-apps Kustomization: flux-system/external-cloudflared
@@ -0,0 +1,44 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ labels:
+ kustomize.toolkit.fluxcd.io/name: cluster-apps
+ kustomize.toolkit.fluxcd.io/namespace: flux-system
+ name: external-cloudflared
+ namespace: flux-system
+spec:
+ commonMetadata:
+ labels:
+ app.kubernetes.io/name: external-cloudflared
+ decryption:
+ provider: sops
+ secretRef:
+ name: sops-age
+ dependsOn:
+ - name: external-external-dns
+ - name: external-secrets-stores
+ interval: 30m
+ path: ./kubernetes/main/apps/network/external/cloudflared
+ postBuild:
+ substituteFrom:
+ - kind: ConfigMap
+ name: cluster-settings
+ optional: true
+ - kind: ConfigMap
+ name: cluster-settings-main
+ optional: true
+ - kind: Secret
+ name: cluster-secrets
+ optional: true
+ - kind: Secret
+ name: cluster-secrets-main
+ optional: true
+ prune: true
+ sourceRef:
+ kind: GitRepository
+ name: flux-system
+ targetNamespace: network
+ timeout: 5m
+ wait: false
+
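Review bot: `dependsOn` lists `external-external-dns`, but no Kustomization with that name exists anywhere in this diff; the Cloudflare external-dns Kustomization is still named `external-dns-cloudflare` (only its `path` changed). kustomize-controller will hold `external-cloudflared` in a "dependency not ready" state until a Kustomization called `external-external-dns` appears in `flux-system`, so either rename that Kustomization or point this entry at `external-dns-cloudflare`. Note also that the ordering has moved: the deleted `cloudflared` Kustomization had no external-dns dependency, and the deleted HelmRelease carried its ordering as `dependsOn: nginx-external`. Since the tunnel forwards everything to the external ingress controller, check that the replacement HelmRelease (not visible here) still waits for the renamed `external-ingress-nginx` release, or add `external-ingress-nginx` to this `dependsOn` list.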
--- kubernetes/main/apps Kustomization: flux-system/cluster-apps Kustomization: flux-system/external-echo-server
+++ kubernetes/main/apps Kustomization: flux-system/cluster-apps Kustomization: flux-system/external-echo-server
@@ -0,0 +1,41 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ labels:
+ kustomize.toolkit.fluxcd.io/name: cluster-apps
+ kustomize.toolkit.fluxcd.io/namespace: flux-system
+ name: external-echo-server
+ namespace: flux-system
+spec:
+ commonMetadata:
+ labels:
+ app.kubernetes.io/name: external-echo-server
+ decryption:
+ provider: sops
+ secretRef:
+ name: sops-age
+ interval: 30m
+ path: ./kubernetes/main/apps/network/external/echo-server
+ postBuild:
+ substituteFrom:
+ - kind: ConfigMap
+ name: cluster-settings
+ optional: true
+ - kind: ConfigMap
+ name: cluster-settings-main
+ optional: true
+ - kind: Secret
+ name: cluster-secrets
+ optional: true
+ - kind: Secret
+ name: cluster-secrets-main
+ optional: true
+ prune: true
+ sourceRef:
+ kind: GitRepository
+ name: flux-system
+ targetNamespace: network
+ timeout: 5m
+ wait: false
+
--- kubernetes/main/apps Kustomization: flux-system/cluster-apps Kustomization: flux-system/external-ingress-nginx
+++ kubernetes/main/apps Kustomization: flux-system/cluster-apps Kustomization: flux-system/external-ingress-nginx
@@ -0,0 +1,43 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ labels:
+ kustomize.toolkit.fluxcd.io/name: cluster-apps
+ kustomize.toolkit.fluxcd.io/namespace: flux-system
+ name: external-ingress-nginx
+ namespace: flux-system
+spec:
+ commonMetadata:
+ labels:
+ app.kubernetes.io/name: external-ingress-nginx
+ decryption:
+ provider: sops
+ secretRef:
+ name: sops-age
+ dependsOn:
+ - name: cert-manager-tls
+ interval: 30m
+ path: ./kubernetes/main/apps/network/external/ingress-nginx
+ postBuild:
+ substituteFrom:
+ - kind: ConfigMap
+ name: cluster-settings
+ optional: true
+ - kind: ConfigMap
+ name: cluster-settings-main
+ optional: true
+ - kind: Secret
+ name: cluster-secrets
+ optional: true
+ - kind: Secret
+ name: cluster-secrets-main
+ optional: true
+ prune: true
+ sourceRef:
+ kind: GitRepository
+ name: flux-system
+ targetNamespace: network
+ timeout: 5m
+ wait: false
+
--- kubernetes/main/apps Kustomization: flux-system/cluster-apps Kustomization: flux-system/internal-ingress-nginx
+++ kubernetes/main/apps Kustomization: flux-system/cluster-apps Kustomization: flux-system/internal-ingress-nginx
@@ -0,0 +1,43 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ labels:
+ kustomize.toolkit.fluxcd.io/name: cluster-apps
+ kustomize.toolkit.fluxcd.io/namespace: flux-system
+ name: internal-ingress-nginx
+ namespace: flux-system
+spec:
+ commonMetadata:
+ labels:
+ app.kubernetes.io/name: internal-ingress-nginx
+ decryption:
+ provider: sops
+ secretRef:
+ name: sops-age
+ dependsOn:
+ - name: cert-manager-tls
+ interval: 30m
+ path: ./kubernetes/main/apps/network/internal/ingress-nginx
+ postBuild:
+ substituteFrom:
+ - kind: ConfigMap
+ name: cluster-settings
+ optional: true
+ - kind: ConfigMap
+ name: cluster-settings-main
+ optional: true
+ - kind: Secret
+ name: cluster-secrets
+ optional: true
+ - kind: Secret
+ name: cluster-secrets-main
+ optional: true
+ prune: true
+ sourceRef:
+ kind: GitRepository
+ name: flux-system
+ targetNamespace: network
+ timeout: 5m
+ wait: false
+
--- kubernetes/main/apps/network/external-dns/cloudflare Kustomization: flux-system/external-dns-cloudflare ExternalSecret: network/external-dns-secret
+++ kubernetes/main/apps/network/external-dns/cloudflare Kustomization: flux-system/external-dns-cloudflare ExternalSecret: network/external-dns-secret
@@ -1,23 +0,0 @@
----
-apiVersion: external-secrets.io/v1beta1
-kind: ExternalSecret
-metadata:
- labels:
- app.kubernetes.io/name: external-dns-cloudflare
- kustomize.toolkit.fluxcd.io/name: external-dns-cloudflare
- kustomize.toolkit.fluxcd.io/namespace: flux-system
- name: external-dns-secret
- namespace: network
-spec:
- dataFrom:
- - extract:
- key: cloudflare
- secretStoreRef:
- kind: ClusterSecretStore
- name: onepassword-connect
- target:
- name: external-dns-secret
- template:
- data:
- api-token: '{{ .CLOUDFLARE_API_KEY }}'
-
--- kubernetes/main/apps/network/external-dns/cloudflare Kustomization: flux-system/external-dns-cloudflare HelmRelease: network/external-dns-cloudflare
+++ kubernetes/main/apps/network/external-dns/cloudflare Kustomization: flux-system/external-dns-cloudflare HelmRelease: network/external-dns-cloudflare
@@ -1,61 +0,0 @@
----
-apiVersion: helm.toolkit.fluxcd.io/v2
-kind: HelmRelease
-metadata:
- labels:
- app.kubernetes.io/name: external-dns-cloudflare
- kustomize.toolkit.fluxcd.io/name: external-dns-cloudflare
- kustomize.toolkit.fluxcd.io/namespace: flux-system
- name: external-dns-cloudflare
- namespace: network
-spec:
- chart:
- spec:
- chart: external-dns
- sourceRef:
- kind: HelmRepository
- name: external-dns
- namespace: flux-system
- version: 1.15.0
- install:
- crds: CreateReplace
- remediation:
- retries: 3
- interval: 30m
- upgrade:
- cleanupOnFail: true
- crds: CreateReplace
- remediation:
- retries: 3
- strategy: rollback
- values:
- domainFilters:
- - ..PLACEHOLDER_SECRET_DOMAIN..
- env:
- - name: CF_API_TOKEN
- valueFrom:
- secretKeyRef:
- key: api-token
- name: external-dns-secret
- extraArgs:
- - --cloudflare-dns-records-per-page=1000
- - --cloudflare-proxied
- - --crd-source-apiversion=externaldns.k8s.io/v1alpha1
- - --crd-source-kind=DNSEndpoint
- - --ignore-ingress-tls-spec
- - --ingress-class=external
- fullnameOverride: external-dns-cloudflare
- podAnnotations:
- secret.reloader.stakater.com/reload: external-dns-secret
- policy: sync
- provider:
- name: cloudflare
- serviceMonitor:
- enabled: true
- sources:
- - crd
- - ingress
- triggerLoopOnEvent: true
- txtOwnerId: main
- txtPrefix: k8s.main.
-
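Review bot: two flags on the deleted release need to be confirmed in its replacement, whose hunk is cut off at the end of this page. `--ingress-class=external` is what keeps external-dns from publishing Ingresses on the `internal` class, which the internal controller marks as the cluster default (`ingressClassResource.default: true`); without it, internal-only hosts would be written to Cloudflare as public records. `--cloudflare-proxied` is what keeps the origin behind Cloudflare rather than exposing the tunnel CNAME directly. The release also reads the token via `secretKeyRef.name: external-dns-secret` and reloads on `secret.reloader.stakater.com/reload: external-dns-secret`; both must follow the ExternalSecret's rename to `external-dns-cloudflare` or external-dns will start without `CF_API_TOKEN`.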
--- kubernetes/main/apps/network/cloudflared/app Kustomization: flux-system/cloudflared DNSEndpoint: network/cloudflared
+++ kubernetes/main/apps/network/cloudflared/app Kustomization: flux-system/cloudflared DNSEndpoint: network/cloudflared
@@ -1,17 +0,0 @@
----
-apiVersion: externaldns.k8s.io/v1alpha1
-kind: DNSEndpoint
-metadata:
- labels:
- app.kubernetes.io/name: cloudflared
- kustomize.toolkit.fluxcd.io/name: cloudflared
- kustomize.toolkit.fluxcd.io/namespace: flux-system
- name: cloudflared
- namespace: network
-spec:
- endpoints:
- - dnsName: external...PLACEHOLDER_SECRET_DOMAIN..
- recordType: CNAME
- targets:
- - ..PLACEHOLDER_CLOUDFLARE_TUNNEL_ID...cfargotunnel.com
-
--- kubernetes/main/apps/network/cloudflared/app Kustomization: flux-system/cloudflared ExternalSecret: network/cloudflared-secret
+++ kubernetes/main/apps/network/cloudflared/app Kustomization: flux-system/cloudflared ExternalSecret: network/cloudflared-secret
@@ -1,28 +0,0 @@
----
-apiVersion: external-secrets.io/v1beta1
-kind: ExternalSecret
-metadata:
- labels:
- app.kubernetes.io/name: cloudflared
- kustomize.toolkit.fluxcd.io/name: cloudflared
- kustomize.toolkit.fluxcd.io/namespace: flux-system
- name: cloudflared-secret
- namespace: network
-spec:
- dataFrom:
- - extract:
- key: cloudflare
- secretStoreRef:
- kind: ClusterSecretStore
- name: onepassword-connect
- target:
- name: cloudflared-secret
- template:
- data:
- credentials.json: |
- {
- "AccountTag": "{{ .CLOUDFLARE_ACCOUNT_TAG }}",
- "TunnelSecret": "{{ .CLOUDFLARE_TUNNEL_SECRET }}",
- "TunnelID": "..PLACEHOLDER_CLOUDFLARE_TUNNEL_ID.."
- }
-
--- kubernetes/main/apps/network/cloudflared/app Kustomization: flux-system/cloudflared HelmRelease: network/cloudflared
+++ kubernetes/main/apps/network/cloudflared/app Kustomization: flux-system/cloudflared HelmRelease: network/cloudflared
@@ -1,131 +0,0 @@
----
-apiVersion: helm.toolkit.fluxcd.io/v2
-kind: HelmRelease
-metadata:
- labels:
- app.kubernetes.io/name: cloudflared
- kustomize.toolkit.fluxcd.io/name: cloudflared
- kustomize.toolkit.fluxcd.io/namespace: flux-system
- name: cloudflared
- namespace: network
-spec:
- chart:
- spec:
- chart: app-template
- sourceRef:
- kind: HelmRepository
- name: bjw-s
- namespace: flux-system
- version: 3.6.1
- dependsOn:
- - name: nginx-external
- namespace: network
- install:
- remediation:
- retries: 3
- interval: 30m
- upgrade:
- cleanupOnFail: true
- remediation:
- retries: 3
- strategy: rollback
- values:
- controllers:
- cloudflared:
- annotations:
- reloader.stakater.com/auto: 'true'
- containers:
- app:
- args:
- - tunnel
- - --config
- - /etc/cloudflared/config/config.yaml
- - run
- - ..PLACEHOLDER_CLOUDFLARE_TUNNEL_ID..
- env:
- NO_AUTOUPDATE: true
- TUNNEL_CRED_FILE: /etc/cloudflared/creds/credentials.json
- TUNNEL_METRICS: 0.0.0.0:8080
- TUNNEL_ORIGIN_ENABLE_HTTP2: true
- TUNNEL_POST_QUANTUM: true
- TUNNEL_TRANSPORT_PROTOCOL: quic
- image:
- repository: docker.io/cloudflare/cloudflared
- tag: 2025.1.0@sha256:3247f3ef49eda23244b8aa5583f82b7c3880b0d057e1172d0e818f5e678d9f27
- probes:
- liveness:
- custom: true
- enabled: true
- spec:
- failureThreshold: 3
- httpGet:
- path: /ready
- port: 8080
- initialDelaySeconds: 0
- periodSeconds: 10
- timeoutSeconds: 1
- readiness:
- custom: true
- enabled: true
- spec:
- failureThreshold: 3
- httpGet:
- path: /ready
- port: 8080
- initialDelaySeconds: 0
- periodSeconds: 10
- timeoutSeconds: 1
- resources:
- limits:
- memory: 256M
- requests:
- cpu: 5m
- memory: 128M
- replicas: 2
- strategy: RollingUpdate
- defaultPodOptions:
- securityContext:
- fsGroupChangePolicy: OnRootMismatch
- runAsGroup: 100
- runAsNonRoot: true
- runAsUser: 1000
- seccompProfile:
- type: RuntimeDefault
- topologySpreadConstraints:
- - labelSelector:
- matchLabels:
- app.kubernetes.io/name: cloudflared
- maxSkew: 1
- topologyKey: kubernetes.io/hostname
- whenUnsatisfiable: DoNotSchedule
- persistence:
- config:
- globalMounts:
- - path: /etc/cloudflared/config/config.yaml
- readOnly: true
- subPath: config.yaml
- name: cloudflared-configmap
- type: configMap
- creds:
- globalMounts:
- - path: /etc/cloudflared/creds/credentials.json
- readOnly: true
- subPath: credentials.json
- name: cloudflared-secret
- type: secret
- service:
- app:
- controller: cloudflared
- ports:
- http:
- port: 8080
- serviceMonitor:
- app:
- endpoints:
- - interval: 1m
- path: /metrics
- port: http
- scheme: http
- scrapeTimeout: 10s
- serviceName: cloudflared
-
--- kubernetes/main/apps/network/cloudflared/app Kustomization: flux-system/cloudflared ConfigMap: network/cloudflared-configmap
+++ kubernetes/main/apps/network/cloudflared/app Kustomization: flux-system/cloudflared ConfigMap: network/cloudflared-configmap
@@ -1,23 +0,0 @@
----
-apiVersion: v1
-data:
- config.yaml: |
- ---
- originRequest:
- originServerName: external...PLACEHOLDER_SECRET_DOMAIN..
-
- ingress:
- - hostname: ..PLACEHOLDER_SECRET_DOMAIN..
- service: https://nginx-external-controller.network.svc.cluster.local:443
- - hostname: "*...PLACEHOLDER_SECRET_DOMAIN.."
- service: https://nginx-external-controller.network.svc.cluster.local:443
- - service: http_status:404
-kind: ConfigMap
-metadata:
- labels:
- app.kubernetes.io/name: cloudflared
- kustomize.toolkit.fluxcd.io/name: cloudflared
- kustomize.toolkit.fluxcd.io/namespace: flux-system
- name: cloudflared-configmap
- namespace: network
-
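Review bot: every hostname in this config routes to `https://nginx-external-controller.network.svc.cluster.local:443`, a Service name that comes from `fullnameOverride: nginx-external` on the HelmRelease deleted further down. The ingress-nginx Kustomization is renamed to `external-ingress-nginx` in this PR, so if the replacement release's `fullnameOverride` follows the rename, the replacement ConfigMap has to target the new Service name or the tunnel will have no reachable origin. Two things here are worth carrying over unchanged: the catch-all `service: http_status:404` as the last rule, and `originServerName` set to the external hostname, which is what makes cloudflared validate the origin's TLS certificate against that name instead of the cluster-internal Service name.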
--- kubernetes/main/apps/network/external-dns/unifi Kustomization: flux-system/external-dns-unifi ExternalSecret: network/external-dns-unifi
+++ kubernetes/main/apps/network/external-dns/unifi Kustomization: flux-system/external-dns-unifi ExternalSecret: network/external-dns-unifi
@@ -1,23 +0,0 @@
----
-apiVersion: external-secrets.io/v1beta1
-kind: ExternalSecret
-metadata:
- labels:
- app.kubernetes.io/name: external-dns-unifi
- kustomize.toolkit.fluxcd.io/name: external-dns-unifi
- kustomize.toolkit.fluxcd.io/namespace: flux-system
- name: external-dns-unifi
- namespace: network
-spec:
- dataFrom:
- - extract:
- key: unifi
- secretStoreRef:
- kind: ClusterSecretStore
- name: onepassword-connect
- target:
- name: external-dns-unifi
- template:
- data:
- EXTERNAL_DNS_UNIFI_API_KEY: '{{ .EXTERNAL_DNS_UNIFI_API_KEY }}'
-
--- kubernetes/main/apps/network/external-dns/unifi Kustomization: flux-system/external-dns-unifi HelmRelease: network/external-dns-unifi
+++ kubernetes/main/apps/network/external-dns/unifi Kustomization: flux-system/external-dns-unifi HelmRelease: network/external-dns-unifi
@@ -1,72 +0,0 @@
----
-apiVersion: helm.toolkit.fluxcd.io/v2
-kind: HelmRelease
-metadata:
- labels:
- app.kubernetes.io/name: external-dns-unifi
- kustomize.toolkit.fluxcd.io/name: external-dns-unifi
- kustomize.toolkit.fluxcd.io/namespace: flux-system
- name: external-dns-unifi
- namespace: network
-spec:
- chart:
- spec:
- chart: external-dns
- sourceRef:
- kind: HelmRepository
- name: external-dns
- namespace: flux-system
- version: 1.15.0
- install:
- remediation:
- retries: 3
- interval: 30m
- upgrade:
- cleanupOnFail: true
- remediation:
- retries: 3
- strategy: rollback
- values:
- domainFilters:
- - ..PLACEHOLDER_SECRET_DOMAIN..
- extraArgs:
- - --ignore-ingress-tls-spec
- fullnameOverride: external-dns-unifi
- podAnnotations:
- secret.reloader.stakater.com/reload: external-dns-unifi
- policy: sync
- provider:
- name: webhook
- webhook:
- env:
- - name: UNIFI_HOST
- value: https://192.168.1.1
- - name: UNIFI_API_KEY
- valueFrom:
- secretKeyRef:
- key: EXTERNAL_DNS_UNIFI_API_KEY
- name: external-dns-unifi
- image:
- repository: ghcr.io/kashalls/external-dns-unifi-webhook
- tag: v0.4.0@sha256:f71f9e64f723a1af77e9ecdcbaef2db2095721d33b385baee1848d0bf09d44e7
- livenessProbe:
- httpGet:
- path: /healthz
- port: http-webhook
- initialDelaySeconds: 10
- timeoutSeconds: 5
- readinessProbe:
- httpGet:
- path: /readyz
- port: http-webhook
- initialDelaySeconds: 10
- timeoutSeconds: 5
- serviceMonitor:
- enabled: true
- sources:
- - ingress
- - service
- triggerLoopOnEvent: true
- txtOwnerId: main
- txtPrefix: k8s.main.
-
--- kubernetes/main/apps/network/nginx/internal Kustomization: flux-system/nginx-internal HelmRelease: network/nginx-internal
+++ kubernetes/main/apps/network/nginx/internal Kustomization: flux-system/nginx-internal HelmRelease: network/nginx-internal
@@ -1,99 +0,0 @@
----
-apiVersion: helm.toolkit.fluxcd.io/v2
-kind: HelmRelease
-metadata:
- labels:
- app.kubernetes.io/name: nginx-internal
- kustomize.toolkit.fluxcd.io/name: nginx-internal
- kustomize.toolkit.fluxcd.io/namespace: flux-system
- name: nginx-internal
- namespace: network
-spec:
- chart:
- spec:
- chart: ingress-nginx
- sourceRef:
- kind: HelmRepository
- name: ingress-nginx
- namespace: flux-system
- version: 4.12.0
- install:
- remediation:
- retries: 3
- interval: 30m
- upgrade:
- cleanupOnFail: true
- remediation:
- retries: 3
- strategy: rollback
- values:
- controller:
- admissionWebhooks:
- objectSelector:
- matchExpressions:
- - key: ingress-class
- operator: In
- values:
- - internal
- config:
- allow-snippet-annotations: true
- annotations-risk-level: Critical
- block-user-agents: GPTBot,~*GPTBot*,ChatGPT-User,~*ChatGPT-User*,Google-Extended,~*Google-Extended*,CCBot,~*CCBot*,Omgilibot,~*Omgilibot*,FacebookBot,~*FacebookBot*
- client-body-buffer-size: 100M
- client-body-timeout: 120
- client-header-timeout: 120
- enable-brotli: 'true'
- enable-ocsp: 'true'
- enable-real-ip: 'true'
- force-ssl-redirect: 'true'
- hide-headers: Server,X-Powered-By
- hsts-max-age: 31449600
- keep-alive: 120
- keep-alive-requests: 10000
- log-format-escape-json: 'true'
- log-format-upstream: |
- {"time": "$time_iso8601", "remote_addr": "$proxy_protocol_addr", "x_forwarded_for": "$proxy_add_x_forwarded_for", "request_id": "$req_id", "remote_user": "$remote_user", "bytes_sent": $bytes_sent, "request_time": $request_time, "status": $status, "vhost": "$host", "request_proto": "$server_protocol", "path": "$uri", "request_query": "$args", "request_length": $request_length, "duration": $request_time, "method": "$request_method", "http_referrer": "$http_referer", "http_user_agent": "$http_user_agent"}
- proxy-body-size: 0
- proxy-buffer-size: 16k
- ssl-protocols: TLSv1.3 TLSv1.2
- use-forwarded-headers: 'true'
- extraArgs:
- default-ssl-certificate: cert-manager/..PLACEHOLDER_SECRET_DOMAIN..-tls
- publish-status-address: internal...PLACEHOLDER_SECRET_DOMAIN..
- ingressClassResource:
- controllerValue: k8s.io/internal
- default: true
- name: internal
- metrics:
- enabled: true
- serviceMonitor:
- enabled: true
- namespaceSelector:
- any: true
- publishService:
- enabled: false
- replicaCount: 2
- resources:
- limits:
- memory: 500Mi
- requests:
- cpu: 100m
- service:
- annotations:
- external-dns.alpha.kubernetes.io/hostname: internal...PLACEHOLDER_SECRET_DOMAIN..
- lbipam.cilium.io/ips: ..PLACEHOLDER_SVC_NGINX_INTERNAL..
- externalTrafficPolicy: Cluster
- terminationGracePeriodSeconds: 120
- topologySpreadConstraints:
- - labelSelector:
- matchLabels:
- app.kubernetes.io/component: controller
- app.kubernetes.io/instance: nginx-internal
- app.kubernetes.io/name: ingress-nginx
- maxSkew: 1
- topologyKey: kubernetes.io/hostname
- whenUnsatisfiable: DoNotSchedule
- defaultBackend:
- enabled: false
- fullnameOverride: nginx-internal
-
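Review bot: in `log-format-upstream` the `remote_addr` field is populated from `$proxy_protocol_addr`, which nginx only fills when PROXY protocol is in use; this config block never sets `use-proxy-protocol`, so the field logs as an empty string and the client address is only recoverable from `x_forwarded_for`. For detection and incident response the replacement should log `$remote_addr` (or enable PROXY protocol on both the load balancer and the controller). The same format is duplicated verbatim in the `nginx-external` release below. Separately, `allow-snippet-annotations: true` combined with `annotations-risk-level: Critical` lets anyone who can create an Ingress in the `internal` class inject arbitrary nginx configuration into the controller; carry both over only if a workload actually needs snippet annotations, and otherwise drop them in the replacement.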
--- kubernetes/main/apps/network/nginx/external Kustomization: flux-system/nginx-external HelmRelease: network/nginx-external
+++ kubernetes/main/apps/network/nginx/external Kustomization: flux-system/nginx-external HelmRelease: network/nginx-external
@@ -1,98 +0,0 @@
----
-apiVersion: helm.toolkit.fluxcd.io/v2
-kind: HelmRelease
-metadata:
- labels:
- app.kubernetes.io/name: nginx-external
- kustomize.toolkit.fluxcd.io/name: nginx-external
- kustomize.toolkit.fluxcd.io/namespace: flux-system
- name: nginx-external
- namespace: network
-spec:
- chart:
- spec:
- chart: ingress-nginx
- sourceRef:
- kind: HelmRepository
- name: ingress-nginx
- namespace: flux-system
- version: 4.12.0
- install:
- remediation:
- retries: 3
- interval: 30m
- upgrade:
- cleanupOnFail: true
- remediation:
- retries: 3
- strategy: rollback
- values:
- controller:
- admissionWebhooks:
- objectSelector:
- matchExpressions:
- - key: ingress-class
- operator: In
- values:
- - external
- config:
- allow-snippet-annotations: true
- annotations-risk-level: Critical
- block-user-agents: GPTBot,~*GPTBot*,ChatGPT-User,~*ChatGPT-User*,Google-Extended,~*Google-Extended*,CCBot,~*CCBot*,Omgilibot,~*Omgilibot*,FacebookBot,~*FacebookBot*
- client-body-buffer-size: 100M
- client-body-timeout: 120
- client-header-timeout: 120
- enable-brotli: 'true'
- enable-ocsp: 'true'
- enable-real-ip: 'true'
- force-ssl-redirect: 'true'
- hide-headers: Server,X-Powered-By
- hsts-max-age: 31449600
- keep-alive: 120
- keep-alive-requests: 10000
- log-format-escape-json: 'true'
- log-format-upstream: |
- {"time": "$time_iso8601", "remote_addr": "$proxy_protocol_addr", "x_forwarded_for": "$proxy_add_x_forwarded_for", "request_id": "$req_id", "remote_user": "$remote_user", "bytes_sent": $bytes_sent, "request_time": $request_time, "status": $status, "vhost": "$host", "request_proto": "$server_protocol", "path": "$uri", "request_query": "$args", "request_length": $request_length, "duration": $request_time, "method": "$request_method", "http_referrer": "$http_referer", "http_user_agent": "$http_user_agent"}
- proxy-body-size: 0
- proxy-buffer-size: 16k
- ssl-protocols: TLSv1.3 TLSv1.2
- use-forwarded-headers: 'true'
- extraArgs:
- default-ssl-certificate: cert-manager/..PLACEHOLDER_SECRET_DOMAIN..-tls
- publish-status-address: external...PLACEHOLDER_SECRET_DOMAIN..
- ingressClassResource:
- controllerValue: k8s.io/external
- default: false
- name: external
- metrics:
- enabled: true
- serviceMonitor:
- enabled: true
- namespaceSelector:
- any: true
- publishService:
- enabled: false
- replicaCount: 2
- resources:
- limits:
- memory: 500Mi
- requests:
- cpu: 100m
- service:
- annotations:
- external-dns.alpha.kubernetes.io/hostname: external...PLACEHOLDER_SECRET_DOMAIN..
- lbipam.cilium.io/ips: ..PLACEHOLDER_SVC_NGINX_EXTERNAL..
- terminationGracePeriodSeconds: 120
- topologySpreadConstraints:
- - labelSelector:
- matchLabels:
- app.kubernetes.io/component: controller
- app.kubernetes.io/instance: nginx-external
- app.kubernetes.io/name: ingress-nginx
- maxSkew: 1
- topologyKey: kubernetes.io/hostname
- whenUnsatisfiable: DoNotSchedule
- defaultBackend:
- enabled: false
- fullnameOverride: nginx-external
-
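Review bot: `use-forwarded-headers: 'true'` together with `enable-real-ip: 'true'` makes this controller trust `X-Forwarded-For` and `X-Real-IP` from whatever connects to it. That is the intended setting behind the Cloudflare tunnel, where cloudflared is the only expected client, but the Service is still assigned a LAN address through `lbipam.cilium.io/ips` and published as `external.<domain>` by the `external-dns.alpha.kubernetes.io/hostname` annotation, so the controller is also reachable directly on the network, where a client can set those headers itself and the logged address becomes untrustworthy. If cloudflared is the only legitimate client, a ClusterIP Service (or a NetworkPolicy restricting ingress to the cloudflared pods) closes that path; if the LoadBalancer address is needed, restrict the trusted proxies with `proxy-real-ip-cidr`. The `allow-snippet-annotations: true` / `annotations-risk-level: Critical` pair appears here as in the internal release and deserves the same scrutiny.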
--- kubernetes/main/apps/network/external/echo-server Kustomization: flux-system/external-echo-server HelmRelease: network/echo-server
+++ kubernetes/main/apps/network/external/echo-server Kustomization: flux-system/external-echo-server HelmRelease: network/echo-server
@@ -0,0 +1,119 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+ labels:
+ app.kubernetes.io/name: external-echo-server
+ kustomize.toolkit.fluxcd.io/name: external-echo-server
+ kustomize.toolkit.fluxcd.io/namespace: flux-system
+ name: echo-server
+ namespace: network
+spec:
+ chart:
+ spec:
+ chart: app-template
+ sourceRef:
+ kind: HelmRepository
+ name: bjw-s
+ namespace: flux-system
+ version: 3.6.1
+ install:
+ remediation:
+ retries: 3
+ interval: 30m
+ upgrade:
+ cleanupOnFail: true
+ remediation:
+ retries: 3
+ strategy: rollback
+ values:
+ controllers:
+ echo-server:
+ containers:
+ app:
+ env:
+ HTTP_PORT: 8080
+ LOG_IGNORE_PATH: /healthz
+ LOG_WITHOUT_NEWLINE: true
+ PROMETHEUS_ENABLED: true
+ image:
+ repository: ghcr.io/mendhak/http-https-echo
+ tag: 35
+ probes:
+ liveness:
+ custom: true
+ enabled: true
+ spec:
+ failureThreshold: 3
+ httpGet:
+ path: /healthz
+ port: 8080
+ initialDelaySeconds: 0
+ periodSeconds: 10
+ timeoutSeconds: 1
+ readiness:
+ custom: true
+ enabled: true
+ spec:
+ failureThreshold: 3
+ httpGet:
+ path: /healthz
+ port: 8080
+ initialDelaySeconds: 0
+ periodSeconds: 10
+ timeoutSeconds: 1
+ resources:
+ limits:
+ memory: 64Mi
+ requests:
+ cpu: 10m
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ readOnlyRootFilesystem: true
+ seccompProfile:
+ type: RuntimeDefault
+ strategy: RollingUpdate
+ defaultPodOptions:
+ securityContext:
+ fsGroupChangePolicy: OnRootMismatch
+ runAsGroup: 100
+ runAsNonRoot: true
+ runAsUser: 1000
+ seccompProfile:
+ type: RuntimeDefault
+ topologySpreadConstraints:
+ - labelSelector:
+ matchLabels:
+ app.kubernetes.io/name: echo-server
+ maxSkew: 1
+ topologyKey: kubernetes.io/hostname
+ whenUnsatisfiable: DoNotSchedule
+ ingress:
+ app:
+ className: external
+ hosts:
+ - host: '{{ .Release.Name }}...PLACEHOLDER_SECRET_DOMAIN..'
+ paths:
+ - path: /
+ service:
+ identifier: app
+ port: http
+ service:
+ app:
+ controller: echo-server
+ ports:
+ http:
+ port: 8080
+ serviceMonitor:
+ app:
+ endpoints:
+ - interval: 1m
+ path: /metrics
+ port: http
+ scheme: http
+ scrapeTimeout: 10s
+ serviceName: echo-server
+
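Review bot: the container image at `repository: ghcr.io/mendhak/http-https-echo` / `tag: 35` is pinned by mutable tag only, while the cloudflared and unifi-webhook images added in this same PR are pinned as `tag@sha256:...`; pin this one the same way, since it is the one workload here published straight to the internet via `className: external`. Related: http-https-echo reflects every request header back to the caller, so whatever the external ingress-nginx adds on the way in (forwarded-for address, forwarded host, request id) is visible to anyone who hits `{{ .Release.Name }}...PLACEHOLDER_SECRET_DOMAIN..`; if the purpose is an end-to-end tunnel check, consider keeping it on the internal class or limiting who can reach it.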
--- kubernetes/main/apps/network/external/external-dns Kustomization: flux-system/external-dns-cloudflare ExternalSecret: network/external-dns-cloudflare
+++ kubernetes/main/apps/network/external/external-dns Kustomization: flux-system/external-dns-cloudflare ExternalSecret: network/external-dns-cloudflare
@@ -0,0 +1,23 @@
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ labels:
+ app.kubernetes.io/name: external-dns-cloudflare
+ kustomize.toolkit.fluxcd.io/name: external-dns-cloudflare
+ kustomize.toolkit.fluxcd.io/namespace: flux-system
+ name: external-dns-cloudflare
+ namespace: network
+spec:
+ dataFrom:
+ - extract:
+ key: cloudflare
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: onepassword-connect
+ target:
+ name: external-dns-cloudflare
+ template:
+ data:
+ api-token: '{{ .CLOUDFLARE_API_KEY }}'
+
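Review bot: renaming the generated Secret (`target.name: external-dns-cloudflare`, previously `external-dns-secret`) means Flux prunes the old Secret and External Secrets creates a new one; the HelmRelease in this PR updates both its `secretKeyRef` and the `secret.reloader.stakater.com/reload` annotation to the new name, so the pair is consistent, but anything outside this directory still pointing at `external-dns-secret` would lose its token. Worth a quick grep before merge.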
--- kubernetes/main/apps/network/external/external-dns Kustomization: flux-system/external-dns-cloudflare HelmRelease: network/external-dns-cloudflare
+++ kubernetes/main/apps/network/external/external-dns Kustomization: flux-system/external-dns-cloudflare HelmRelease: network/external-dns-cloudflare
@@ -0,0 +1,61 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+ labels:
+ app.kubernetes.io/name: external-dns-cloudflare
+ kustomize.toolkit.fluxcd.io/name: external-dns-cloudflare
+ kustomize.toolkit.fluxcd.io/namespace: flux-system
+ name: external-dns-cloudflare
+ namespace: network
+spec:
+ chart:
+ spec:
+ chart: external-dns
+ sourceRef:
+ kind: HelmRepository
+ name: external-dns
+ namespace: flux-system
+ version: 1.15.0
+ install:
+ crds: CreateReplace
+ remediation:
+ retries: 3
+ interval: 30m
+ upgrade:
+ cleanupOnFail: true
+ crds: CreateReplace
+ remediation:
+ retries: 3
+ strategy: rollback
+ values:
+ domainFilters:
+ - ..PLACEHOLDER_SECRET_DOMAIN..
+ env:
+ - name: CF_API_TOKEN
+ valueFrom:
+ secretKeyRef:
+ key: api-token
+ name: external-dns-cloudflare
+ extraArgs:
+ - --cloudflare-dns-records-per-page=1000
+ - --cloudflare-proxied
+ - --crd-source-apiversion=externaldns.k8s.io/v1alpha1
+ - --crd-source-kind=DNSEndpoint
+ - --ignore-ingress-tls-spec
+ - --ingress-class=external
+ fullnameOverride: external-dns-cloudflare
+ podAnnotations:
+ secret.reloader.stakater.com/reload: external-dns-cloudflare
+ policy: sync
+ provider:
+ name: cloudflare
+ serviceMonitor:
+ enabled: true
+ sources:
+ - crd
+ - ingress
+ triggerLoopOnEvent: true
+ txtOwnerId: main
+ txtPrefix: k8s.main.
+
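Review bot: `policy: sync` with `txtOwnerId: main` and sources `crd` + `ingress` means this instance deletes Cloudflare records it owns as soon as the owning DNSEndpoint or Ingress disappears; after this PR the tunnel CNAME is created by a DNSEndpoint in a separate Kustomization (`external-cloudflared`), so pruning or suspending that Kustomization now removes the public `external.` record as well. That is a reasonable lifecycle, but the coupling is new and should be called out in the PR description.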
--- kubernetes/main/apps/network/external/cloudflared Kustomization: flux-system/external-cloudflared DNSEndpoint: network/cloudflared
+++ kubernetes/main/apps/network/external/cloudflared Kustomization: flux-system/external-cloudflared DNSEndpoint: network/cloudflared
@@ -0,0 +1,17 @@
+---
+apiVersion: externaldns.k8s.io/v1alpha1
+kind: DNSEndpoint
+metadata:
+ labels:
+ app.kubernetes.io/name: external-cloudflared
+ kustomize.toolkit.fluxcd.io/name: external-cloudflared
+ kustomize.toolkit.fluxcd.io/namespace: flux-system
+ name: cloudflared
+ namespace: network
+spec:
+ endpoints:
+ - dnsName: external...PLACEHOLDER_SECRET_DOMAIN..
+ recordType: CNAME
+ targets:
+ - ..PLACEHOLDER_CLOUDFLARE_TUNNEL_ID...cfargotunnel.com
+
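Review bot: `external...PLACEHOLDER_SECRET_DOMAIN..` is published by two controllers after this PR: here as a CNAME to `..PLACEHOLDER_CLOUDFLARE_TUNNEL_ID...cfargotunnel.com` through the Cloudflare instance, and through the `external-dns.alpha.kubernetes.io/hostname` annotation on the external ingress-nginx Service, which the UniFi instance (sources `ingress` and `service`) resolves to the LAN load-balancer address. The Cloudflare instance does not read `service`, so the two do not fight over the same zone, but the resulting split horizon means LAN clients reach the external controller directly and bypass Cloudflare entirely; confirm that is intended and note it.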
--- kubernetes/main/apps/network/external/cloudflared Kustomization: flux-system/external-cloudflared ExternalSecret: network/cloudflared-secret
+++ kubernetes/main/apps/network/external/cloudflared Kustomization: flux-system/external-cloudflared ExternalSecret: network/cloudflared-secret
@@ -0,0 +1,28 @@
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ labels:
+ app.kubernetes.io/name: external-cloudflared
+ kustomize.toolkit.fluxcd.io/name: external-cloudflared
+ kustomize.toolkit.fluxcd.io/namespace: flux-system
+ name: cloudflared-secret
+ namespace: network
+spec:
+ dataFrom:
+ - extract:
+ key: cloudflare
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: onepassword-connect
+ target:
+ name: cloudflared-secret
+ template:
+ data:
+ credentials.json: |
+ {
+ "AccountTag": "{{ .CLOUDFLARE_ACCOUNT_TAG }}",
+ "TunnelSecret": "{{ .CLOUDFLARE_TUNNEL_SECRET }}",
+ "TunnelID": "..PLACEHOLDER_CLOUDFLARE_TUNNEL_ID.."
+ }
+
--- kubernetes/main/apps/network/external/cloudflared Kustomization: flux-system/external-cloudflared HelmRelease: network/cloudflared
+++ kubernetes/main/apps/network/external/cloudflared Kustomization: flux-system/external-cloudflared HelmRelease: network/cloudflared
@@ -0,0 +1,128 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+ labels:
+ app.kubernetes.io/name: external-cloudflared
+ kustomize.toolkit.fluxcd.io/name: external-cloudflared
+ kustomize.toolkit.fluxcd.io/namespace: flux-system
+ name: cloudflared
+ namespace: network
+spec:
+ chart:
+ spec:
+ chart: app-template
+ sourceRef:
+ kind: HelmRepository
+ name: bjw-s
+ namespace: flux-system
+ version: 3.6.1
+ install:
+ remediation:
+ retries: 3
+ interval: 30m
+ upgrade:
+ cleanupOnFail: true
+ remediation:
+ retries: 3
+ strategy: rollback
+ values:
+ controllers:
+ cloudflared:
+ annotations:
+ reloader.stakater.com/auto: 'true'
+ containers:
+ app:
+ args:
+ - tunnel
+ - --config
+ - /etc/cloudflared/config/config.yaml
+ - run
+ - ..PLACEHOLDER_CLOUDFLARE_TUNNEL_ID..
+ env:
+ NO_AUTOUPDATE: true
+ TUNNEL_CRED_FILE: /etc/cloudflared/creds/credentials.json
+ TUNNEL_METRICS: 0.0.0.0:8080
+ TUNNEL_ORIGIN_ENABLE_HTTP2: true
+ TUNNEL_POST_QUANTUM: true
+ TUNNEL_TRANSPORT_PROTOCOL: quic
+ image:
+ repository: docker.io/cloudflare/cloudflared
+ tag: 2025.1.0@sha256:3247f3ef49eda23244b8aa5583f82b7c3880b0d057e1172d0e818f5e678d9f27
+ probes:
+ liveness:
+ custom: true
+ enabled: true
+ spec:
+ failureThreshold: 3
+ httpGet:
+ path: /ready
+ port: 8080
+ initialDelaySeconds: 0
+ periodSeconds: 10
+ timeoutSeconds: 1
+ readiness:
+ custom: true
+ enabled: true
+ spec:
+ failureThreshold: 3
+ httpGet:
+ path: /ready
+ port: 8080
+ initialDelaySeconds: 0
+ periodSeconds: 10
+ timeoutSeconds: 1
+ resources:
+ limits:
+ memory: 256M
+ requests:
+ cpu: 5m
+ memory: 128M
+ replicas: 2
+ strategy: RollingUpdate
+ defaultPodOptions:
+ securityContext:
+ fsGroupChangePolicy: OnRootMismatch
+ runAsGroup: 100
+ runAsNonRoot: true
+ runAsUser: 1000
+ seccompProfile:
+ type: RuntimeDefault
+ topologySpreadConstraints:
+ - labelSelector:
+ matchLabels:
+ app.kubernetes.io/name: cloudflared
+ maxSkew: 1
+ topologyKey: kubernetes.io/hostname
+ whenUnsatisfiable: DoNotSchedule
+ persistence:
+ config-file:
+ globalMounts:
+ - path: /etc/cloudflared/config/config.yaml
+ readOnly: true
+ subPath: config.yaml
+ name: cloudflared-configmap
+ type: configMap
+ secret-file:
+ globalMounts:
+ - path: /etc/cloudflared/creds/credentials.json
+ readOnly: true
+ subPath: credentials.json
+ name: cloudflared-tunnel-secret
+ type: secret
+ service:
+ app:
+ controller: cloudflared
+ ports:
+ http:
+ port: 8080
+ serviceMonitor:
+ app:
+ endpoints:
+ - interval: 1m
+ path: /metrics
+ port: http
+ scheme: http
+ scrapeTimeout: 10s
+ serviceName: cloudflared
+
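Review bot: the credentials mount under `secret-file` references `name: cloudflared-tunnel-secret`, but the ExternalSecret added in this PR writes its target as `target.name: cloudflared-secret`; unless a Secret named `cloudflared-tunnel-secret` exists elsewhere, the pods will sit in ContainerCreating with a missing-volume error and the tunnel never comes up. Align the two names. The rest of the hardening (digest-pinned image, `NO_AUTOUPDATE: true`, `readOnly: true` mounts, non-root pod security context, `TUNNEL_POST_QUANTUM: true`) is in good shape.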
--- kubernetes/main/apps/network/external/cloudflared Kustomization: flux-system/external-cloudflared ConfigMap: network/cloudflared-configmap
+++ kubernetes/main/apps/network/external/cloudflared Kustomization: flux-system/external-cloudflared ConfigMap: network/cloudflared-configmap
@@ -0,0 +1,23 @@
+---
+apiVersion: v1
+data:
+ config.yaml: |
+ ---
+ originRequest:
+ originServerName: external...PLACEHOLDER_SECRET_DOMAIN..
+
+ ingress:
+ - hostname: ..PLACEHOLDER_SECRET_DOMAIN..
+ service: https://nginx-external-controller.network.svc.cluster.local:443
+ - hostname: "*...PLACEHOLDER_SECRET_DOMAIN.."
+ service: https://nginx-external-controller.network.svc.cluster.local:443
+ - service: http_status:404
+kind: ConfigMap
+metadata:
+ labels:
+ app.kubernetes.io/name: external-cloudflared
+ kustomize.toolkit.fluxcd.io/name: external-cloudflared
+ kustomize.toolkit.fluxcd.io/namespace: flux-system
+ name: cloudflared-configmap
+ namespace: network
+
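Review bot: both ingress rules forward to `https://nginx-external-controller.network.svc.cluster.local:443`, but the external ingress-nginx HelmRelease in this PR sets `fullnameOverride: external-ingress-nginx`, so the chart will create the controller Service as `external-ingress-nginx-controller`; the old `nginx-external-controller` Service goes away with the pruned `nginx-external` Kustomization and every tunnel request will fail until this URL is updated. Keep `originServerName: external...PLACEHOLDER_SECRET_DOMAIN..` as is: it lets cloudflared verify the origin's wildcard certificate, which is preferable to disabling origin TLS verification.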
--- kubernetes/main/apps/network/internal/external-dns Kustomization: flux-system/external-dns-unifi ExternalSecret: network/external-dns-unifi
+++ kubernetes/main/apps/network/internal/external-dns Kustomization: flux-system/external-dns-unifi ExternalSecret: network/external-dns-unifi
@@ -0,0 +1,23 @@
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ labels:
+ app.kubernetes.io/name: external-dns-unifi
+ kustomize.toolkit.fluxcd.io/name: external-dns-unifi
+ kustomize.toolkit.fluxcd.io/namespace: flux-system
+ name: external-dns-unifi
+ namespace: network
+spec:
+ dataFrom:
+ - extract:
+ key: unifi
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: onepassword-connect
+ target:
+ name: external-dns-unifi
+ template:
+ data:
+ EXTERNAL_DNS_UNIFI_API_KEY: '{{ .EXTERNAL_DNS_UNIFI_API_KEY }}'
+
--- kubernetes/main/apps/network/internal/external-dns Kustomization: flux-system/external-dns-unifi HelmRelease: network/external-dns-unifi
+++ kubernetes/main/apps/network/internal/external-dns Kustomization: flux-system/external-dns-unifi HelmRelease: network/external-dns-unifi
@@ -0,0 +1,72 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+ labels:
+ app.kubernetes.io/name: external-dns-unifi
+ kustomize.toolkit.fluxcd.io/name: external-dns-unifi
+ kustomize.toolkit.fluxcd.io/namespace: flux-system
+ name: external-dns-unifi
+ namespace: network
+spec:
+ chart:
+ spec:
+ chart: external-dns
+ sourceRef:
+ kind: HelmRepository
+ name: external-dns
+ namespace: flux-system
+ version: 1.15.0
+ install:
+ remediation:
+ retries: 3
+ interval: 30m
+ upgrade:
+ cleanupOnFail: true
+ remediation:
+ retries: 3
+ strategy: rollback
+ values:
+ domainFilters:
+ - ..PLACEHOLDER_SECRET_DOMAIN..
+ extraArgs:
+ - --ignore-ingress-tls-spec
+ fullnameOverride: external-dns-unifi
+ podAnnotations:
+ secret.reloader.stakater.com/reload: external-dns-unifi
+ policy: sync
+ provider:
+ name: webhook
+ webhook:
+ env:
+ - name: UNIFI_HOST
+ value: https://192.168.1.1
+ - name: UNIFI_API_KEY
+ valueFrom:
+ secretKeyRef:
+ key: EXTERNAL_DNS_UNIFI_API_KEY
+ name: external-dns-unifi
+ image:
+ repository: ghcr.io/kashalls/external-dns-unifi-webhook
+ tag: v0.4.0@sha256:f71f9e64f723a1af77e9ecdcbaef2db2095721d33b385baee1848d0bf09d44e7
+ livenessProbe:
+ httpGet:
+ path: /healthz
+ port: http-webhook
+ initialDelaySeconds: 10
+ timeoutSeconds: 5
+ readinessProbe:
+ httpGet:
+ path: /readyz
+ port: http-webhook
+ initialDelaySeconds: 10
+ timeoutSeconds: 5
+ serviceMonitor:
+ enabled: true
+ sources:
+ - ingress
+ - service
+ triggerLoopOnEvent: true
+ txtOwnerId: main
+ txtPrefix: k8s.main.
+
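Review bot: `UNIFI_HOST` is set to `https://192.168.1.1`, a bare IP over HTTPS; nothing in this hunk shows whether the webhook trusts the controller's certificate or skips verification, so state in the PR which it is, since this sidecar holds an API key that can rewrite internal DNS. Injecting the key via `secretKeyRef` rather than a literal, and pinning the webhook image by digest, are both the right call.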
--- kubernetes/main/apps/network/internal/ingress-nginx Kustomization: flux-system/internal-ingress-nginx HelmRelease: network/internal-ingress-nginx
+++ kubernetes/main/apps/network/internal/ingress-nginx Kustomization: flux-system/internal-ingress-nginx HelmRelease: network/internal-ingress-nginx
@@ -0,0 +1,99 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+ labels:
+ app.kubernetes.io/name: internal-ingress-nginx
+ kustomize.toolkit.fluxcd.io/name: internal-ingress-nginx
+ kustomize.toolkit.fluxcd.io/namespace: flux-system
+ name: internal-ingress-nginx
+ namespace: network
+spec:
+ chart:
+ spec:
+ chart: ingress-nginx
+ sourceRef:
+ kind: HelmRepository
+ name: ingress-nginx
+ namespace: flux-system
+ version: 4.12.0
+ install:
+ remediation:
+ retries: 3
+ interval: 30m
+ upgrade:
+ cleanupOnFail: true
+ remediation:
+ retries: 3
+ strategy: rollback
+ values:
+ controller:
+ admissionWebhooks:
+ objectSelector:
+ matchExpressions:
+ - key: ingress-class
+ operator: In
+ values:
+ - internal
+ config:
+ allow-snippet-annotations: true
+ annotations-risk-level: Critical
+ block-user-agents: AdsBot-Google,Amazonbot,anthropic-ai,Applebot-Extended,Bytespider,CCBot,ChatGPT-User,ClaudeBot,Claude-Web,cohere-ai,Diffbot,FacebookBot,FriendlyCrawler,Google-Extended,GoogleOther,GPTBot,img2dataset,omgili,omgilibot,peer39_crawler,peer39_crawler/1.0,PerplexityBot,YouBot,
+ client-body-buffer-size: 100M
+ client-body-timeout: 120
+ client-header-timeout: 120
+ enable-brotli: 'true'
+ enable-ocsp: 'true'
+ enable-real-ip: 'true'
+ force-ssl-redirect: 'true'
+ hide-headers: Server,X-Powered-By
+ hsts-max-age: 31449600
+ keep-alive: 120
+ keep-alive-requests: 10000
+ log-format-escape-json: 'true'
+ log-format-upstream: |
+ {"time": "$time_iso8601", "remote_addr": "$proxy_protocol_addr", "x_forwarded_for": "$proxy_add_x_forwarded_for", "request_id": "$req_id", "remote_user": "$remote_user", "bytes_sent": $bytes_sent, "request_time": $request_time, "status": $status, "vhost": "$host", "request_proto": "$server_protocol", "path": "$uri", "request_query": "$args", "request_length": $request_length, "duration": $request_time, "method": "$request_method", "http_referrer": "$http_referer", "http_user_agent": "$http_user_agent"}
+ proxy-body-size: 0
+ proxy-buffer-size: 16k
+ ssl-protocols: TLSv1.3 TLSv1.2
+ use-forwarded-headers: 'true'
+ extraArgs:
+ default-ssl-certificate: cert-manager/..PLACEHOLDER_SECRET_DOMAIN..-tls
+ publish-status-address: internal...PLACEHOLDER_SECRET_DOMAIN..
+ ingressClassResource:
+ controllerValue: k8s.io/internal
+ default: true
+ name: internal
+ metrics:
+ enabled: true
+ serviceMonitor:
+ enabled: true
+ namespaceSelector:
+ any: true
+ publishService:
+ enabled: false
+ replicaCount: 2
+ resources:
+ limits:
+ memory: 500Mi
+ requests:
+ cpu: 100m
+ service:
+ annotations:
+ external-dns.alpha.kubernetes.io/hostname: internal...PLACEHOLDER_SECRET_DOMAIN..
+ lbipam.cilium.io/ips: ..PLACEHOLDER_SVC_NGINX_INTERNAL..
+ externalTrafficPolicy: Cluster
+ terminationGracePeriodSeconds: 120
+ topologySpreadConstraints:
+ - labelSelector:
+ matchLabels:
+ app.kubernetes.io/component: controller
+ app.kubernetes.io/instance: internal-ingress-nginx
+ app.kubernetes.io/name: ingress-nginx
+ maxSkew: 1
+ topologyKey: kubernetes.io/hostname
+ whenUnsatisfiable: DoNotSchedule
+ defaultBackend:
+ enabled: false
+ fullnameOverride: internal-ingress-nginx
+
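Review bot: `allow-snippet-annotations: true` together with `annotations-risk-level: Critical` lets any principal who can create an Ingress with `className: internal` inject raw nginx configuration into this controller, which also holds the cluster's default TLS key (`default-ssl-certificate: cert-manager/..PLACEHOLDER_SECRET_DOMAIN..-tls`); ingress-nginx ships snippets disabled for that reason. If one workload needs them, name it in the PR and consider scoping, otherwise drop both keys. Two smaller points in `config`: the JSON `log-format-upstream` takes `remote_addr` from `$proxy_protocol_addr`, but `use-proxy-protocol` is not enabled, so that field will always be empty and the logs will not support investigation (use `$remote_addr` or enable proxy protocol on the LB); and `use-forwarded-headers: 'true'` with `externalTrafficPolicy: Cluster` makes the controller accept any `X-Forwarded-For` a LAN client sends unless `proxy-real-ip-cidr` restricts it to trusted proxies.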
--- kubernetes/main/apps/network/external/ingress-nginx Kustomization: flux-system/external-ingress-nginx HelmRelease: network/external-ingress-nginx
+++ kubernetes/main/apps/network/external/ingress-nginx Kustomization: flux-system/external-ingress-nginx HelmRelease: network/external-ingress-nginx
@@ -0,0 +1,98 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+ labels:
+ app.kubernetes.io/name: external-ingress-nginx
+ kustomize.toolkit.fluxcd.io/name: external-ingress-nginx
+ kustomize.toolkit.fluxcd.io/namespace: flux-system
+ name: external-ingress-nginx
+ namespace: network
+spec:
+ chart:
+ spec:
+ chart: ingress-nginx
+ sourceRef:
+ kind: HelmRepository
+ name: ingress-nginx
+ namespace: flux-system
+ version: 4.12.0
+ install:
+ remediation:
+ retries: 3
+ interval: 30m
+ upgrade:
+ cleanupOnFail: true
+ remediation:
+ retries: 3
+ strategy: rollback
+ values:
+ controller:
+ admissionWebhooks:
+ objectSelector:
+ matchExpressions:
+ - key: ingress-class
+ operator: In
+ values:
+ - external
+ config:
+ allow-snippet-annotations: true
+ annotations-risk-level: Critical
+ block-user-agents: AdsBot-Google,Amazonbot,anthropic-ai,Applebot-Extended,Bytespider,CCBot,ChatGPT-User,ClaudeBot,Claude-Web,cohere-ai,Diffbot,FacebookBot,FriendlyCrawler,Google-Extended,GoogleOther,GPTBot,img2dataset,omgili,omgilibot,peer39_crawler,peer39_crawler/1.0,PerplexityBot,YouBot,
+ client-body-buffer-size: 100M
+ client-body-timeout: 120
+ client-header-timeout: 120
+ enable-brotli: 'true'
+ enable-ocsp: 'true'
+ enable-real-ip: 'true'
+ force-ssl-redirect: 'true'
+ hide-headers: Server,X-Powered-By
+ hsts-max-age: 31449600
+ keep-alive: 120
+ keep-alive-requests: 10000
+ log-format-escape-json: 'true'
+ log-format-upstream: |
+ {"time": "$time_iso8601", "remote_addr": "$proxy_protocol_addr", "x_forwarded_for": "$proxy_add_x_forwarded_for", "request_id": "$req_id", "remote_user": "$remote_user", "bytes_sent": $bytes_sent, "request_time": $request_time, "status": $status, "vhost": "$host", "request_proto": "$server_protocol", "path": "$uri", "request_query": "$args", "request_length": $request_length, "duration": $request_time, "method": "$request_method", "http_referrer": "$http_referer", "http_user_agent": "$http_user_agent"}
+ proxy-body-size: 0
+ proxy-buffer-size: 16k
+ ssl-protocols: TLSv1.3 TLSv1.2
+ use-forwarded-headers: 'true'
+ extraArgs:
+ default-ssl-certificate: cert-manager/..PLACEHOLDER_SECRET_DOMAIN..-tls
+ publish-status-address: external...PLACEHOLDER_SECRET_DOMAIN..
+ ingressClassResource:
+ controllerValue: k8s.io/external
+ default: false
+ name: external
+ metrics:
+ enabled: true
+ serviceMonitor:
+ enabled: true
+ namespaceSelector:
+ any: true
+ publishService:
+ enabled: false
+ replicaCount: 2
+ resources:
+ limits:
+ memory: 500Mi
+ requests:
+ cpu: 100m
+ service:
+ annotations:
+ external-dns.alpha.kubernetes.io/hostname: external...PLACEHOLDER_SECRET_DOMAIN..
+ lbipam.cilium.io/ips: ..PLACEHOLDER_SVC_NGINX_EXTERNAL..
+ terminationGracePeriodSeconds: 120
+ topologySpreadConstraints:
+ - labelSelector:
+ matchLabels:
+ app.kubernetes.io/component: controller
+ app.kubernetes.io/instance: external-ingress-nginx
+ app.kubernetes.io/name: ingress-nginx
+ maxSkew: 1
+ topologyKey: kubernetes.io/hostname
+ whenUnsatisfiable: DoNotSchedule
+ defaultBackend:
+ enabled: false
+ fullnameOverride: external-ingress-nginx
+ |
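Review bot: this is the internet-facing class, so the same `allow-snippet-annotations: true` / `annotations-risk-level: Critical` pair carries more weight here than on the internal controller: an Ingress author in any namespace can add nginx directives that run in front of public traffic. `default: false` on the IngressClass is correct, since it keeps new Ingresses from landing on the public class by accident. Note also that `externalTrafficPolicy` is left at the chart default here while the internal release sets `Cluster`; if the difference is deliberate, say so. Finally, the trailing `|` on the last line of this hunk does not look like YAML from the file but like residue of the diff renderer; confirm the file really ends at `fullnameOverride: external-ingress-nginx`.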
--- kubernetes/main/apps/network/echo-server/app Kustomization: flux-system/echo-server HelmRelease: network/echo-server
+++ kubernetes/main/apps/network/echo-server/app Kustomization: flux-system/echo-server HelmRelease: network/echo-server
@@ -1,119 +0,0 @@
----
-apiVersion: helm.toolkit.fluxcd.io/v2
-kind: HelmRelease
-metadata:
- labels:
- app.kubernetes.io/name: echo-server
- kustomize.toolkit.fluxcd.io/name: echo-server
- kustomize.toolkit.fluxcd.io/namespace: flux-system
- name: echo-server
- namespace: network
-spec:
- chart:
- spec:
- chart: app-template
- sourceRef:
- kind: HelmRepository
- name: bjw-s
- namespace: flux-system
- version: 3.6.1
- install:
- remediation:
- retries: 3
- interval: 30m
- upgrade:
- cleanupOnFail: true
- remediation:
- retries: 3
- strategy: rollback
- values:
- controllers:
- echo-server:
- containers:
- app:
- env:
- HTTP_PORT: 8080
- LOG_IGNORE_PATH: /healthz
- LOG_WITHOUT_NEWLINE: true
- PROMETHEUS_ENABLED: true
- image:
- repository: ghcr.io/mendhak/http-https-echo
- tag: 35
- probes:
- liveness:
- custom: true
- enabled: true
- spec:
- failureThreshold: 3
- httpGet:
- path: /healthz
- port: 8080
- initialDelaySeconds: 0
- periodSeconds: 10
- timeoutSeconds: 1
- readiness:
- custom: true
- enabled: true
- spec:
- failureThreshold: 3
- httpGet:
- path: /healthz
- port: 8080
- initialDelaySeconds: 0
- periodSeconds: 10
- timeoutSeconds: 1
- resources:
- limits:
- memory: 64Mi
- requests:
- cpu: 10m
- securityContext:
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - ALL
- readOnlyRootFilesystem: true
- seccompProfile:
- type: RuntimeDefault
- strategy: RollingUpdate
- defaultPodOptions:
- securityContext:
- fsGroupChangePolicy: OnRootMismatch
- runAsGroup: 100
- runAsNonRoot: true
- runAsUser: 1000
- seccompProfile:
- type: RuntimeDefault
- topologySpreadConstraints:
- - labelSelector:
- matchLabels:
- app.kubernetes.io/name: echo-server
- maxSkew: 1
- topologyKey: kubernetes.io/hostname
- whenUnsatisfiable: DoNotSchedule
- ingress:
- app:
- className: external
- hosts:
- - host: '{{ .Release.Name }}...PLACEHOLDER_SECRET_DOMAIN..'
- paths:
- - path: /
- service:
- identifier: app
- port: http
- service:
- app:
- controller: echo-server
- ports:
- http:
- port: 8080
- serviceMonitor:
- app:
- endpoints:
- - interval: 1m
- path: /metrics
- port: http
- scheme: http
- scrapeTimeout: 10s
- serviceName: echo-server
-
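Review bot: this deletion plus the new `external-echo-server` Kustomization recreates a HelmRelease with the same name and namespace (`network/echo-server`) under a different owning Kustomization. Flux will uninstall the Helm release when the old Kustomization prunes it and install it again from the new path, so expect a brief outage of the echo endpoint and a reset Helm history; acceptable for a probe service, but worth knowing before merge.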
--- kubernetes/main/apps Kustomization: flux-system/cluster-apps Kustomization: flux-system/cloudflared
+++ kubernetes/main/apps Kustomization: flux-system/cluster-apps Kustomization: flux-system/cloudflared
@@ -1,43 +0,0 @@
----
-apiVersion: kustomize.toolkit.fluxcd.io/v1
-kind: Kustomization
-metadata:
- labels:
- kustomize.toolkit.fluxcd.io/name: cluster-apps
- kustomize.toolkit.fluxcd.io/namespace: flux-system
- name: cloudflared
- namespace: flux-system
-spec:
- commonMetadata:
- labels:
- app.kubernetes.io/name: cloudflared
- decryption:
- provider: sops
- secretRef:
- name: sops-age
- dependsOn:
- - name: external-secrets-stores
- interval: 30m
- path: ./kubernetes/main/apps/network/cloudflared/app
- postBuild:
- substituteFrom:
- - kind: ConfigMap
- name: cluster-settings
- optional: true
- - kind: ConfigMap
- name: cluster-settings-main
- optional: true
- - kind: Secret
- name: cluster-secrets
- optional: true
- - kind: Secret
- name: cluster-secrets-main
- optional: true
- prune: true
- sourceRef:
- kind: GitRepository
- name: flux-system
- targetNamespace: network
- timeout: 5m
- wait: false
-
--- kubernetes/main/apps Kustomization: flux-system/cluster-apps Kustomization: flux-system/echo-server
+++ kubernetes/main/apps Kustomization: flux-system/cluster-apps Kustomization: flux-system/echo-server
@@ -1,41 +0,0 @@
----
-apiVersion: kustomize.toolkit.fluxcd.io/v1
-kind: Kustomization
-metadata:
- labels:
- kustomize.toolkit.fluxcd.io/name: cluster-apps
- kustomize.toolkit.fluxcd.io/namespace: flux-system
- name: echo-server
- namespace: flux-system
-spec:
- commonMetadata:
- labels:
- app.kubernetes.io/name: echo-server
- decryption:
- provider: sops
- secretRef:
- name: sops-age
- interval: 30m
- path: ./kubernetes/main/apps/network/echo-server/app
- postBuild:
- substituteFrom:
- - kind: ConfigMap
- name: cluster-settings
- optional: true
- - kind: ConfigMap
- name: cluster-settings-main
- optional: true
- - kind: Secret
- name: cluster-secrets
- optional: true
- - kind: Secret
- name: cluster-secrets-main
- optional: true
- prune: true
- sourceRef:
- kind: GitRepository
- name: flux-system
- targetNamespace: network
- timeout: 5m
- wait: false
-
--- kubernetes/main/apps Kustomization: flux-system/cluster-apps Kustomization: flux-system/external-dns-cloudflare
+++ kubernetes/main/apps Kustomization: flux-system/cluster-apps Kustomization: flux-system/external-dns-cloudflare
@@ -15,13 +15,13 @@
provider: sops
secretRef:
name: sops-age
dependsOn:
- name: external-secrets-stores
interval: 30m
- path: ./kubernetes/main/apps/network/external-dns/cloudflare
+ path: ./kubernetes/main/apps/network/external/external-dns
postBuild:
substituteFrom:
- kind: ConfigMap
name: cluster-settings
optional: true
- kind: ConfigMap
--- kubernetes/main/apps Kustomization: flux-system/cluster-apps Kustomization: flux-system/external-dns-unifi
+++ kubernetes/main/apps Kustomization: flux-system/cluster-apps Kustomization: flux-system/external-dns-unifi
@@ -15,13 +15,13 @@
provider: sops
secretRef:
name: sops-age
dependsOn:
- name: external-secrets-stores
interval: 30m
- path: ./kubernetes/main/apps/network/external-dns/unifi
+ path: ./kubernetes/main/apps/network/internal/external-dns
postBuild:
substituteFrom:
- kind: ConfigMap
name: cluster-settings
optional: true
- kind: ConfigMap
--- kubernetes/main/apps Kustomization: flux-system/cluster-apps Kustomization: flux-system/nginx-external
+++ kubernetes/main/apps Kustomization: flux-system/cluster-apps Kustomization: flux-system/nginx-external
@@ -1,43 +0,0 @@
----
-apiVersion: kustomize.toolkit.fluxcd.io/v1
-kind: Kustomization
-metadata:
- labels:
- kustomize.toolkit.fluxcd.io/name: cluster-apps
- kustomize.toolkit.fluxcd.io/namespace: flux-system
- name: nginx-external
- namespace: flux-system
-spec:
- commonMetadata:
- labels:
- app.kubernetes.io/name: nginx-external
- decryption:
- provider: sops
- secretRef:
- name: sops-age
- dependsOn:
- - name: cert-manager-tls
- interval: 30m
- path: ./kubernetes/main/apps/network/nginx/external
- postBuild:
- substituteFrom:
- - kind: ConfigMap
- name: cluster-settings
- optional: true
- - kind: ConfigMap
- name: cluster-settings-main
- optional: true
- - kind: Secret
- name: cluster-secrets
- optional: true
- - kind: Secret
- name: cluster-secrets-main
- optional: true
- prune: true
- sourceRef:
- kind: GitRepository
- name: flux-system
- targetNamespace: network
- timeout: 5m
- wait: false
-
--- kubernetes/main/apps Kustomization: flux-system/cluster-apps Kustomization: flux-system/nginx-internal
+++ kubernetes/main/apps Kustomization: flux-system/cluster-apps Kustomization: flux-system/nginx-internal
@@ -1,43 +0,0 @@
----
-apiVersion: kustomize.toolkit.fluxcd.io/v1
-kind: Kustomization
-metadata:
- labels:
- kustomize.toolkit.fluxcd.io/name: cluster-apps
- kustomize.toolkit.fluxcd.io/namespace: flux-system
- name: nginx-internal
- namespace: flux-system
-spec:
- commonMetadata:
- labels:
- app.kubernetes.io/name: nginx-internal
- decryption:
- provider: sops
- secretRef:
- name: sops-age
- dependsOn:
- - name: cert-manager-tls
- interval: 30m
- path: ./kubernetes/main/apps/network/nginx/internal
- postBuild:
- substituteFrom:
- - kind: ConfigMap
- name: cluster-settings
- optional: true
- - kind: ConfigMap
- name: cluster-settings-main
- optional: true
- - kind: Secret
- name: cluster-secrets
- optional: true
- - kind: Secret
- name: cluster-secrets-main
- optional: true
- prune: true
- sourceRef:
- kind: GitRepository
- name: flux-system
- targetNamespace: network
- timeout: 5m
- wait: false
-
--- kubernetes/main/apps Kustomization: flux-system/cluster-apps Kustomization: flux-system/external-cloudflared
+++ kubernetes/main/apps Kustomization: flux-system/cluster-apps Kustomization: flux-system/external-cloudflared
@@ -0,0 +1,44 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ labels:
+ kustomize.toolkit.fluxcd.io/name: cluster-apps
+ kustomize.toolkit.fluxcd.io/namespace: flux-system
+ name: external-cloudflared
+ namespace: flux-system
+spec:
+ commonMetadata:
+ labels:
+ app.kubernetes.io/name: external-cloudflared
+ decryption:
+ provider: sops
+ secretRef:
+ name: sops-age
+ dependsOn:
+ - name: external-external-dns
+ - name: external-secrets-stores
+ interval: 30m
+ path: ./kubernetes/main/apps/network/external/cloudflared
+ postBuild:
+ substituteFrom:
+ - kind: ConfigMap
+ name: cluster-settings
+ optional: true
+ - kind: ConfigMap
+ name: cluster-settings-main
+ optional: true
+ - kind: Secret
+ name: cluster-secrets
+ optional: true
+ - kind: Secret
+ name: cluster-secrets-main
+ optional: true
+ prune: true
+ sourceRef:
+ kind: GitRepository
+ name: flux-system
+ targetNamespace: network
+ timeout: 5m
+ wait: false
+
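Review bot: `dependsOn` lists `- name: external-external-dns`, but no Kustomization of that name appears anywhere in this diff; the Cloudflare external-dns Kustomization keeps its name `external-dns-cloudflare` and only its `path` changes. Flux will hold `external-cloudflared` in a not-ready state waiting for a dependency that never exists. Either rename that Kustomization consistently or change this entry to `external-dns-cloudflare`. The dependency itself is sensible, since the DNSEndpoint in this path needs the `externaldns.k8s.io/v1alpha1` CRD that the external-dns HelmRelease installs with `crds: CreateReplace`.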
--- kubernetes/main/apps Kustomization: flux-system/cluster-apps Kustomization: flux-system/external-echo-server
+++ kubernetes/main/apps Kustomization: flux-system/cluster-apps Kustomization: flux-system/external-echo-server
@@ -0,0 +1,41 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ labels:
+ kustomize.toolkit.fluxcd.io/name: cluster-apps
+ kustomize.toolkit.fluxcd.io/namespace: flux-system
+ name: external-echo-server
+ namespace: flux-system
+spec:
+ commonMetadata:
+ labels:
+ app.kubernetes.io/name: external-echo-server
+ decryption:
+ provider: sops
+ secretRef:
+ name: sops-age
+ interval: 30m
+ path: ./kubernetes/main/apps/network/external/echo-server
+ postBuild:
+ substituteFrom:
+ - kind: ConfigMap
+ name: cluster-settings
+ optional: true
+ - kind: ConfigMap
+ name: cluster-settings-main
+ optional: true
+ - kind: Secret
+ name: cluster-secrets
+ optional: true
+ - kind: Secret
+ name: cluster-secrets-main
+ optional: true
+ prune: true
+ sourceRef:
+ kind: GitRepository
+ name: flux-system
+ targetNamespace: network
+ timeout: 5m
+ wait: false
+
--- kubernetes/main/apps Kustomization: flux-system/cluster-apps Kustomization: flux-system/external-ingress-nginx
+++ kubernetes/main/apps Kustomization: flux-system/cluster-apps Kustomization: flux-system/external-ingress-nginx
@@ -0,0 +1,43 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ labels:
+ kustomize.toolkit.fluxcd.io/name: cluster-apps
+ kustomize.toolkit.fluxcd.io/namespace: flux-system
+ name: external-ingress-nginx
+ namespace: flux-system
+spec:
+ commonMetadata:
+ labels:
+ app.kubernetes.io/name: external-ingress-nginx
+ decryption:
+ provider: sops
+ secretRef:
+ name: sops-age
+ dependsOn:
+ - name: cert-manager-tls
+ interval: 30m
+ path: ./kubernetes/main/apps/network/external/ingress-nginx
+ postBuild:
+ substituteFrom:
+ - kind: ConfigMap
+ name: cluster-settings
+ optional: true
+ - kind: ConfigMap
+ name: cluster-settings-main
+ optional: true
+ - kind: Secret
+ name: cluster-secrets
+ optional: true
+ - kind: Secret
+ name: cluster-secrets-main
+ optional: true
+ prune: true
+ sourceRef:
+ kind: GitRepository
+ name: flux-system
+ targetNamespace: network
+ timeout: 5m
+ wait: false
+
--- kubernetes/main/apps Kustomization: flux-system/cluster-apps Kustomization: flux-system/internal-ingress-nginx
+++ kubernetes/main/apps Kustomization: flux-system/cluster-apps Kustomization: flux-system/internal-ingress-nginx
@@ -0,0 +1,43 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ labels:
+ kustomize.toolkit.fluxcd.io/name: cluster-apps
+ kustomize.toolkit.fluxcd.io/namespace: flux-system
+ name: internal-ingress-nginx
+ namespace: flux-system
+spec:
+ commonMetadata:
+ labels:
+ app.kubernetes.io/name: internal-ingress-nginx
+ decryption:
+ provider: sops
+ secretRef:
+ name: sops-age
+ dependsOn:
+ - name: cert-manager-tls
+ interval: 30m
+ path: ./kubernetes/main/apps/network/internal/ingress-nginx
+ postBuild:
+ substituteFrom:
+ - kind: ConfigMap
+ name: cluster-settings
+ optional: true
+ - kind: ConfigMap
+ name: cluster-settings-main
+ optional: true
+ - kind: Secret
+ name: cluster-secrets
+ optional: true
+ - kind: Secret
+ name: cluster-secrets-main
+ optional: true
+ prune: true
+ sourceRef:
+ kind: GitRepository
+ name: flux-system
+ targetNamespace: network
+ timeout: 5m
+ wait: false
+
--- kubernetes/main/apps/network/external-dns/cloudflare Kustomization: flux-system/external-dns-cloudflare ExternalSecret: network/external-dns-secret
+++ kubernetes/main/apps/network/external-dns/cloudflare Kustomization: flux-system/external-dns-cloudflare ExternalSecret: network/external-dns-secret
@@ -1,23 +0,0 @@
----
-apiVersion: external-secrets.io/v1beta1
-kind: ExternalSecret
-metadata:
- labels:
- app.kubernetes.io/name: external-dns-cloudflare
- kustomize.toolkit.fluxcd.io/name: external-dns-cloudflare
- kustomize.toolkit.fluxcd.io/namespace: flux-system
- name: external-dns-secret
- namespace: network
-spec:
- dataFrom:
- - extract:
- key: cloudflare
- secretStoreRef:
- kind: ClusterSecretStore
- name: onepassword-connect
- target:
- name: external-dns-secret
- template:
- data:
- api-token: '{{ .CLOUDFLARE_API_KEY }}'
-
--- kubernetes/main/apps/network/external-dns/cloudflare Kustomization: flux-system/external-dns-cloudflare HelmRelease: network/external-dns-cloudflare
+++ kubernetes/main/apps/network/external-dns/cloudflare Kustomization: flux-system/external-dns-cloudflare HelmRelease: network/external-dns-cloudflare
@@ -1,61 +0,0 @@
----
-apiVersion: helm.toolkit.fluxcd.io/v2
-kind: HelmRelease
-metadata:
- labels:
- app.kubernetes.io/name: external-dns-cloudflare
- kustomize.toolkit.fluxcd.io/name: external-dns-cloudflare
- kustomize.toolkit.fluxcd.io/namespace: flux-system
- name: external-dns-cloudflare
- namespace: network
-spec:
- chart:
- spec:
- chart: external-dns
- sourceRef:
- kind: HelmRepository
- name: external-dns
- namespace: flux-system
- version: 1.15.0
- install:
- crds: CreateReplace
- remediation:
- retries: 3
- interval: 30m
- upgrade:
- cleanupOnFail: true
- crds: CreateReplace
- remediation:
- retries: 3
- strategy: rollback
- values:
- domainFilters:
- - ..PLACEHOLDER_SECRET_DOMAIN..
- env:
- - name: CF_API_TOKEN
- valueFrom:
- secretKeyRef:
- key: api-token
- name: external-dns-secret
- extraArgs:
- - --cloudflare-dns-records-per-page=1000
- - --cloudflare-proxied
- - --crd-source-apiversion=externaldns.k8s.io/v1alpha1
- - --crd-source-kind=DNSEndpoint
- - --ignore-ingress-tls-spec
- - --ingress-class=external
- fullnameOverride: external-dns-cloudflare
- podAnnotations:
- secret.reloader.stakater.com/reload: external-dns-secret
- policy: sync
- provider:
- name: cloudflare
- serviceMonitor:
- enabled: true
- sources:
- - crd
- - ingress
- triggerLoopOnEvent: true
- txtOwnerId: main
- txtPrefix: k8s.main.
-
--- kubernetes/main/apps/network/external-dns/unifi Kustomization: flux-system/external-dns-unifi ExternalSecret: network/external-dns-unifi
+++ kubernetes/main/apps/network/external-dns/unifi Kustomization: flux-system/external-dns-unifi ExternalSecret: network/external-dns-unifi
@@ -1,23 +0,0 @@
----
-apiVersion: external-secrets.io/v1beta1
-kind: ExternalSecret
-metadata:
- labels:
- app.kubernetes.io/name: external-dns-unifi
- kustomize.toolkit.fluxcd.io/name: external-dns-unifi
- kustomize.toolkit.fluxcd.io/namespace: flux-system
- name: external-dns-unifi
- namespace: network
-spec:
- dataFrom:
- - extract:
- key: unifi
- secretStoreRef:
- kind: ClusterSecretStore
- name: onepassword-connect
- target:
- name: external-dns-unifi
- template:
- data:
- EXTERNAL_DNS_UNIFI_API_KEY: '{{ .EXTERNAL_DNS_UNIFI_API_KEY }}'
-
--- kubernetes/main/apps/network/external-dns/unifi Kustomization: flux-system/external-dns-unifi HelmRelease: network/external-dns-unifi
+++ kubernetes/main/apps/network/external-dns/unifi Kustomization: flux-system/external-dns-unifi HelmRelease: network/external-dns-unifi
@@ -1,72 +0,0 @@
----
-apiVersion: helm.toolkit.fluxcd.io/v2
-kind: HelmRelease
-metadata:
- labels:
- app.kubernetes.io/name: external-dns-unifi
- kustomize.toolkit.fluxcd.io/name: external-dns-unifi
- kustomize.toolkit.fluxcd.io/namespace: flux-system
- name: external-dns-unifi
- namespace: network
-spec:
- chart:
- spec:
- chart: external-dns
- sourceRef:
- kind: HelmRepository
- name: external-dns
- namespace: flux-system
- version: 1.15.0
- install:
- remediation:
- retries: 3
- interval: 30m
- upgrade:
- cleanupOnFail: true
- remediation:
- retries: 3
- strategy: rollback
- values:
- domainFilters:
- - ..PLACEHOLDER_SECRET_DOMAIN..
- extraArgs:
- - --ignore-ingress-tls-spec
- fullnameOverride: external-dns-unifi
- podAnnotations:
- secret.reloader.stakater.com/reload: external-dns-unifi
- policy: sync
- provider:
- name: webhook
- webhook:
- env:
- - name: UNIFI_HOST
- value: https://192.168.1.1
- - name: UNIFI_API_KEY
- valueFrom:
- secretKeyRef:
- key: EXTERNAL_DNS_UNIFI_API_KEY
- name: external-dns-unifi
- image:
- repository: ghcr.io/kashalls/external-dns-unifi-webhook
- tag: v0.4.0@sha256:f71f9e64f723a1af77e9ecdcbaef2db2095721d33b385baee1848d0bf09d44e7
- livenessProbe:
- httpGet:
- path: /healthz
- port: http-webhook
- initialDelaySeconds: 10
- timeoutSeconds: 5
- readinessProbe:
- httpGet:
- path: /readyz
- port: http-webhook
- initialDelaySeconds: 10
- timeoutSeconds: 5
- serviceMonitor:
- enabled: true
- sources:
- - ingress
- - service
- triggerLoopOnEvent: true
- txtOwnerId: main
- txtPrefix: k8s.main.
-
--- kubernetes/main/apps/network/cloudflared/app Kustomization: flux-system/cloudflared DNSEndpoint: network/cloudflared
+++ kubernetes/main/apps/network/cloudflared/app Kustomization: flux-system/cloudflared DNSEndpoint: network/cloudflared
@@ -1,17 +0,0 @@
----
-apiVersion: externaldns.k8s.io/v1alpha1
-kind: DNSEndpoint
-metadata:
- labels:
- app.kubernetes.io/name: cloudflared
- kustomize.toolkit.fluxcd.io/name: cloudflared
- kustomize.toolkit.fluxcd.io/namespace: flux-system
- name: cloudflared
- namespace: network
-spec:
- endpoints:
- - dnsName: external...PLACEHOLDER_SECRET_DOMAIN..
- recordType: CNAME
- targets:
- - ..PLACEHOLDER_CLOUDFLARE_TUNNEL_ID...cfargotunnel.com
-
--- kubernetes/main/apps/network/cloudflared/app Kustomization: flux-system/cloudflared ExternalSecret: network/cloudflared-secret
+++ kubernetes/main/apps/network/cloudflared/app Kustomization: flux-system/cloudflared ExternalSecret: network/cloudflared-secret
@@ -1,28 +0,0 @@
----
-apiVersion: external-secrets.io/v1beta1
-kind: ExternalSecret
-metadata:
- labels:
- app.kubernetes.io/name: cloudflared
- kustomize.toolkit.fluxcd.io/name: cloudflared
- kustomize.toolkit.fluxcd.io/namespace: flux-system
- name: cloudflared-secret
- namespace: network
-spec:
- dataFrom:
- - extract:
- key: cloudflare
- secretStoreRef:
- kind: ClusterSecretStore
- name: onepassword-connect
- target:
- name: cloudflared-secret
- template:
- data:
- credentials.json: |
- {
- "AccountTag": "{{ .CLOUDFLARE_ACCOUNT_TAG }}",
- "TunnelSecret": "{{ .CLOUDFLARE_TUNNEL_SECRET }}",
- "TunnelID": "..PLACEHOLDER_CLOUDFLARE_TUNNEL_ID.."
- }
-
--- kubernetes/main/apps/network/cloudflared/app Kustomization: flux-system/cloudflared HelmRelease: network/cloudflared
+++ kubernetes/main/apps/network/cloudflared/app Kustomization: flux-system/cloudflared HelmRelease: network/cloudflared
@@ -1,131 +0,0 @@
----
-apiVersion: helm.toolkit.fluxcd.io/v2
-kind: HelmRelease
-metadata:
- labels:
- app.kubernetes.io/name: cloudflared
- kustomize.toolkit.fluxcd.io/name: cloudflared
- kustomize.toolkit.fluxcd.io/namespace: flux-system
- name: cloudflared
- namespace: network
-spec:
- chart:
- spec:
- chart: app-template
- sourceRef:
- kind: HelmRepository
- name: bjw-s
- namespace: flux-system
- version: 3.6.1
- dependsOn:
- - name: nginx-external
- namespace: network
- install:
- remediation:
- retries: 3
- interval: 30m
- upgrade:
- cleanupOnFail: true
- remediation:
- retries: 3
- strategy: rollback
- values:
- controllers:
- cloudflared:
- annotations:
- reloader.stakater.com/auto: 'true'
- containers:
- app:
- args:
- - tunnel
- - --config
- - /etc/cloudflared/config/config.yaml
- - run
- - ..PLACEHOLDER_CLOUDFLARE_TUNNEL_ID..
- env:
- NO_AUTOUPDATE: true
- TUNNEL_CRED_FILE: /etc/cloudflared/creds/credentials.json
- TUNNEL_METRICS: 0.0.0.0:8080
- TUNNEL_ORIGIN_ENABLE_HTTP2: true
- TUNNEL_POST_QUANTUM: true
- TUNNEL_TRANSPORT_PROTOCOL: quic
- image:
- repository: docker.io/cloudflare/cloudflared
- tag: 2025.1.0@sha256:3247f3ef49eda23244b8aa5583f82b7c3880b0d057e1172d0e818f5e678d9f27
- probes:
- liveness:
- custom: true
- enabled: true
- spec:
- failureThreshold: 3
- httpGet:
- path: /ready
- port: 8080
- initialDelaySeconds: 0
- periodSeconds: 10
- timeoutSeconds: 1
- readiness:
- custom: true
- enabled: true
- spec:
- failureThreshold: 3
- httpGet:
- path: /ready
- port: 8080
- initialDelaySeconds: 0
- periodSeconds: 10
- timeoutSeconds: 1
- resources:
- limits:
- memory: 256M
- requests:
- cpu: 5m
- memory: 128M
- replicas: 2
- strategy: RollingUpdate
- defaultPodOptions:
- securityContext:
- fsGroupChangePolicy: OnRootMismatch
- runAsGroup: 100
- runAsNonRoot: true
- runAsUser: 1000
- seccompProfile:
- type: RuntimeDefault
- topologySpreadConstraints:
- - labelSelector:
- matchLabels:
- app.kubernetes.io/name: cloudflared
- maxSkew: 1
- topologyKey: kubernetes.io/hostname
- whenUnsatisfiable: DoNotSchedule
- persistence:
- config:
- globalMounts:
- - path: /etc/cloudflared/config/config.yaml
- readOnly: true
- subPath: config.yaml
- name: cloudflared-configmap
- type: configMap
- creds:
- globalMounts:
- - path: /etc/cloudflared/creds/credentials.json
- readOnly: true
- subPath: credentials.json
- name: cloudflared-secret
- type: secret
- service:
- app:
- controller: cloudflared
- ports:
- http:
- port: 8080
- serviceMonitor:
- app:
- endpoints:
- - interval: 1m
- path: /metrics
- port: http
- scheme: http
- scrapeTimeout: 10s
- serviceName: cloudflared
-
--- kubernetes/main/apps/network/cloudflared/app Kustomization: flux-system/cloudflared ConfigMap: network/cloudflared-configmap
+++ kubernetes/main/apps/network/cloudflared/app Kustomization: flux-system/cloudflared ConfigMap: network/cloudflared-configmap
@@ -1,23 +0,0 @@
----
-apiVersion: v1
-data:
- config.yaml: |
- ---
- originRequest:
- originServerName: external...PLACEHOLDER_SECRET_DOMAIN..
-
- ingress:
- - hostname: ..PLACEHOLDER_SECRET_DOMAIN..
- service: https://nginx-external-controller.network.svc.cluster.local:443
- - hostname: "*...PLACEHOLDER_SECRET_DOMAIN.."
- service: https://nginx-external-controller.network.svc.cluster.local:443
- - service: http_status:404
-kind: ConfigMap
-metadata:
- labels:
- app.kubernetes.io/name: cloudflared
- kustomize.toolkit.fluxcd.io/name: cloudflared
- kustomize.toolkit.fluxcd.io/namespace: flux-system
- name: cloudflared-configmap
- namespace: network
-
--- kubernetes/main/apps/network/nginx/external Kustomization: flux-system/nginx-external HelmRelease: network/nginx-external
+++ kubernetes/main/apps/network/nginx/external Kustomization: flux-system/nginx-external HelmRelease: network/nginx-external
@@ -1,98 +0,0 @@
----
-apiVersion: helm.toolkit.fluxcd.io/v2
-kind: HelmRelease
-metadata:
- labels:
- app.kubernetes.io/name: nginx-external
- kustomize.toolkit.fluxcd.io/name: nginx-external
- kustomize.toolkit.fluxcd.io/namespace: flux-system
- name: nginx-external
- namespace: network
-spec:
- chart:
- spec:
- chart: ingress-nginx
- sourceRef:
- kind: HelmRepository
- name: ingress-nginx
- namespace: flux-system
- version: 4.12.0
- install:
- remediation:
- retries: 3
- interval: 30m
- upgrade:
- cleanupOnFail: true
- remediation:
- retries: 3
- strategy: rollback
- values:
- controller:
- admissionWebhooks:
- objectSelector:
- matchExpressions:
- - key: ingress-class
- operator: In
- values:
- - external
- config:
- allow-snippet-annotations: true
- annotations-risk-level: Critical
- block-user-agents: GPTBot,~*GPTBot*,ChatGPT-User,~*ChatGPT-User*,Google-Extended,~*Google-Extended*,CCBot,~*CCBot*,Omgilibot,~*Omgilibot*,FacebookBot,~*FacebookBot*
- client-body-buffer-size: 100M
- client-body-timeout: 120
- client-header-timeout: 120
- enable-brotli: 'true'
- enable-ocsp: 'true'
- enable-real-ip: 'true'
- force-ssl-redirect: 'true'
- hide-headers: Server,X-Powered-By
- hsts-max-age: 31449600
- keep-alive: 120
- keep-alive-requests: 10000
- log-format-escape-json: 'true'
- log-format-upstream: |
- {"time": "$time_iso8601", "remote_addr": "$proxy_protocol_addr", "x_forwarded_for": "$proxy_add_x_forwarded_for", "request_id": "$req_id", "remote_user": "$remote_user", "bytes_sent": $bytes_sent, "request_time": $request_time, "status": $status, "vhost": "$host", "request_proto": "$server_protocol", "path": "$uri", "request_query": "$args", "request_length": $request_length, "duration": $request_time, "method": "$request_method", "http_referrer": "$http_referer", "http_user_agent": "$http_user_agent"}
- proxy-body-size: 0
- proxy-buffer-size: 16k
- ssl-protocols: TLSv1.3 TLSv1.2
- use-forwarded-headers: 'true'
- extraArgs:
- default-ssl-certificate: cert-manager/..PLACEHOLDER_SECRET_DOMAIN..-tls
- publish-status-address: external...PLACEHOLDER_SECRET_DOMAIN..
- ingressClassResource:
- controllerValue: k8s.io/external
- default: false
- name: external
- metrics:
- enabled: true
- serviceMonitor:
- enabled: true
- namespaceSelector:
- any: true
- publishService:
- enabled: false
- replicaCount: 2
- resources:
- limits:
- memory: 500Mi
- requests:
- cpu: 100m
- service:
- annotations:
- external-dns.alpha.kubernetes.io/hostname: external...PLACEHOLDER_SECRET_DOMAIN..
- lbipam.cilium.io/ips: ..PLACEHOLDER_SVC_NGINX_EXTERNAL..
- terminationGracePeriodSeconds: 120
- topologySpreadConstraints:
- - labelSelector:
- matchLabels:
- app.kubernetes.io/component: controller
- app.kubernetes.io/instance: nginx-external
- app.kubernetes.io/name: ingress-nginx
- maxSkew: 1
- topologyKey: kubernetes.io/hostname
- whenUnsatisfiable: DoNotSchedule
- defaultBackend:
- enabled: false
- fullnameOverride: nginx-external
-
--- kubernetes/main/apps/network/nginx/internal Kustomization: flux-system/nginx-internal HelmRelease: network/nginx-internal
+++ kubernetes/main/apps/network/nginx/internal Kustomization: flux-system/nginx-internal HelmRelease: network/nginx-internal
@@ -1,99 +0,0 @@
----
-apiVersion: helm.toolkit.fluxcd.io/v2
-kind: HelmRelease
-metadata:
- labels:
- app.kubernetes.io/name: nginx-internal
- kustomize.toolkit.fluxcd.io/name: nginx-internal
- kustomize.toolkit.fluxcd.io/namespace: flux-system
- name: nginx-internal
- namespace: network
-spec:
- chart:
- spec:
- chart: ingress-nginx
- sourceRef:
- kind: HelmRepository
- name: ingress-nginx
- namespace: flux-system
- version: 4.12.0
- install:
- remediation:
- retries: 3
- interval: 30m
- upgrade:
- cleanupOnFail: true
- remediation:
- retries: 3
- strategy: rollback
- values:
- controller:
- admissionWebhooks:
- objectSelector:
- matchExpressions:
- - key: ingress-class
- operator: In
- values:
- - internal
- config:
- allow-snippet-annotations: true
- annotations-risk-level: Critical
- block-user-agents: GPTBot,~*GPTBot*,ChatGPT-User,~*ChatGPT-User*,Google-Extended,~*Google-Extended*,CCBot,~*CCBot*,Omgilibot,~*Omgilibot*,FacebookBot,~*FacebookBot*
- client-body-buffer-size: 100M
- client-body-timeout: 120
- client-header-timeout: 120
- enable-brotli: 'true'
- enable-ocsp: 'true'
- enable-real-ip: 'true'
- force-ssl-redirect: 'true'
- hide-headers: Server,X-Powered-By
- hsts-max-age: 31449600
- keep-alive: 120
- keep-alive-requests: 10000
- log-format-escape-json: 'true'
- log-format-upstream: |
- {"time": "$time_iso8601", "remote_addr": "$proxy_protocol_addr", "x_forwarded_for": "$proxy_add_x_forwarded_for", "request_id": "$req_id", "remote_user": "$remote_user", "bytes_sent": $bytes_sent, "request_time": $request_time, "status": $status, "vhost": "$host", "request_proto": "$server_protocol", "path": "$uri", "request_query": "$args", "request_length": $request_length, "duration": $request_time, "method": "$request_method", "http_referrer": "$http_referer", "http_user_agent": "$http_user_agent"}
- proxy-body-size: 0
- proxy-buffer-size: 16k
- ssl-protocols: TLSv1.3 TLSv1.2
- use-forwarded-headers: 'true'
- extraArgs:
- default-ssl-certificate: cert-manager/..PLACEHOLDER_SECRET_DOMAIN..-tls
- publish-status-address: internal...PLACEHOLDER_SECRET_DOMAIN..
- ingressClassResource:
- controllerValue: k8s.io/internal
- default: true
- name: internal
- metrics:
- enabled: true
- serviceMonitor:
- enabled: true
- namespaceSelector:
- any: true
- publishService:
- enabled: false
- replicaCount: 2
- resources:
- limits:
- memory: 500Mi
- requests:
- cpu: 100m
- service:
- annotations:
- external-dns.alpha.kubernetes.io/hostname: internal...PLACEHOLDER_SECRET_DOMAIN..
- lbipam.cilium.io/ips: ..PLACEHOLDER_SVC_NGINX_INTERNAL..
- externalTrafficPolicy: Cluster
- terminationGracePeriodSeconds: 120
- topologySpreadConstraints:
- - labelSelector:
- matchLabels:
- app.kubernetes.io/component: controller
- app.kubernetes.io/instance: nginx-internal
- app.kubernetes.io/name: ingress-nginx
- maxSkew: 1
- topologyKey: kubernetes.io/hostname
- whenUnsatisfiable: DoNotSchedule
- defaultBackend:
- enabled: false
- fullnameOverride: nginx-internal
-
--- kubernetes/main/apps/network/external/echo-server Kustomization: flux-system/external-echo-server HelmRelease: network/echo-server
+++ kubernetes/main/apps/network/external/echo-server Kustomization: flux-system/external-echo-server HelmRelease: network/echo-server
@@ -0,0 +1,119 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+ labels:
+ app.kubernetes.io/name: external-echo-server
+ kustomize.toolkit.fluxcd.io/name: external-echo-server
+ kustomize.toolkit.fluxcd.io/namespace: flux-system
+ name: echo-server
+ namespace: network
+spec:
+ chart:
+ spec:
+ chart: app-template
+ sourceRef:
+ kind: HelmRepository
+ name: bjw-s
+ namespace: flux-system
+ version: 3.6.1
+ install:
+ remediation:
+ retries: 3
+ interval: 30m
+ upgrade:
+ cleanupOnFail: true
+ remediation:
+ retries: 3
+ strategy: rollback
+ values:
+ controllers:
+ echo-server:
+ containers:
+ app:
+ env:
+ HTTP_PORT: 8080
+ LOG_IGNORE_PATH: /healthz
+ LOG_WITHOUT_NEWLINE: true
+ PROMETHEUS_ENABLED: true
+ image:
+ repository: ghcr.io/mendhak/http-https-echo
+ tag: 35
+ probes:
+ liveness:
+ custom: true
+ enabled: true
+ spec:
+ failureThreshold: 3
+ httpGet:
+ path: /healthz
+ port: 8080
+ initialDelaySeconds: 0
+ periodSeconds: 10
+ timeoutSeconds: 1
+ readiness:
+ custom: true
+ enabled: true
+ spec:
+ failureThreshold: 3
+ httpGet:
+ path: /healthz
+ port: 8080
+ initialDelaySeconds: 0
+ periodSeconds: 10
+ timeoutSeconds: 1
+ resources:
+ limits:
+ memory: 64Mi
+ requests:
+ cpu: 10m
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ readOnlyRootFilesystem: true
+ seccompProfile:
+ type: RuntimeDefault
+ strategy: RollingUpdate
+ defaultPodOptions:
+ securityContext:
+ fsGroupChangePolicy: OnRootMismatch
+ runAsGroup: 100
+ runAsNonRoot: true
+ runAsUser: 1000
+ seccompProfile:
+ type: RuntimeDefault
+ topologySpreadConstraints:
+ - labelSelector:
+ matchLabels:
+ app.kubernetes.io/name: echo-server
+ maxSkew: 1
+ topologyKey: kubernetes.io/hostname
+ whenUnsatisfiable: DoNotSchedule
+ ingress:
+ app:
+ className: external
+ hosts:
+ - host: '{{ .Release.Name }}...PLACEHOLDER_SECRET_DOMAIN..'
+ paths:
+ - path: /
+ service:
+ identifier: app
+ port: http
+ service:
+ app:
+ controller: echo-server
+ ports:
+ http:
+ port: 8080
+ serviceMonitor:
+ app:
+ endpoints:
+ - interval: 1m
+ path: /metrics
+ port: http
+ scheme: http
+ scrapeTimeout: 10s
+ serviceName: echo-server
+
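Review bot: `className: external` in the `ingress` section publishes echo-server through the external ingress class, i.e. through the Cloudflare tunnel; since this service reflects the request (headers included) back to the caller, confirm public exposure is intended rather than `className: internal`. The container hardening here (`allowPrivilegeEscalation: false`, `drop: - ALL`, `readOnlyRootFilesystem: true`) is the right pattern; the cloudflared HelmRelease in this PR only sets a pod-level securityContext and would benefit from the same container-level block.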
--- kubernetes/main/apps/network/internal/external-dns Kustomization: flux-system/external-dns-unifi ExternalSecret: network/external-dns-unifi
+++ kubernetes/main/apps/network/internal/external-dns Kustomization: flux-system/external-dns-unifi ExternalSecret: network/external-dns-unifi
@@ -0,0 +1,23 @@
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ labels:
+ app.kubernetes.io/name: external-dns-unifi
+ kustomize.toolkit.fluxcd.io/name: external-dns-unifi
+ kustomize.toolkit.fluxcd.io/namespace: flux-system
+ name: external-dns-unifi
+ namespace: network
+spec:
+ dataFrom:
+ - extract:
+ key: unifi
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: onepassword-connect
+ target:
+ name: external-dns-unifi
+ template:
+ data:
+ EXTERNAL_DNS_UNIFI_API_KEY: '{{ .EXTERNAL_DNS_UNIFI_API_KEY }}'
+
--- kubernetes/main/apps/network/internal/external-dns Kustomization: flux-system/external-dns-unifi HelmRelease: network/external-dns-unifi
+++ kubernetes/main/apps/network/internal/external-dns Kustomization: flux-system/external-dns-unifi HelmRelease: network/external-dns-unifi
@@ -0,0 +1,72 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+ labels:
+ app.kubernetes.io/name: external-dns-unifi
+ kustomize.toolkit.fluxcd.io/name: external-dns-unifi
+ kustomize.toolkit.fluxcd.io/namespace: flux-system
+ name: external-dns-unifi
+ namespace: network
+spec:
+ chart:
+ spec:
+ chart: external-dns
+ sourceRef:
+ kind: HelmRepository
+ name: external-dns
+ namespace: flux-system
+ version: 1.15.0
+ install:
+ remediation:
+ retries: 3
+ interval: 30m
+ upgrade:
+ cleanupOnFail: true
+ remediation:
+ retries: 3
+ strategy: rollback
+ values:
+ domainFilters:
+ - ..PLACEHOLDER_SECRET_DOMAIN..
+ extraArgs:
+ - --ignore-ingress-tls-spec
+ fullnameOverride: external-dns-unifi
+ podAnnotations:
+ secret.reloader.stakater.com/reload: external-dns-unifi
+ policy: sync
+ provider:
+ name: webhook
+ webhook:
+ env:
+ - name: UNIFI_HOST
+ value: https://192.168.1.1
+ - name: UNIFI_API_KEY
+ valueFrom:
+ secretKeyRef:
+ key: EXTERNAL_DNS_UNIFI_API_KEY
+ name: external-dns-unifi
+ image:
+ repository: ghcr.io/kashalls/external-dns-unifi-webhook
+ tag: v0.4.0@sha256:f71f9e64f723a1af77e9ecdcbaef2db2095721d33b385baee1848d0bf09d44e7
+ livenessProbe:
+ httpGet:
+ path: /healthz
+ port: http-webhook
+ initialDelaySeconds: 10
+ timeoutSeconds: 5
+ readinessProbe:
+ httpGet:
+ path: /readyz
+ port: http-webhook
+ initialDelaySeconds: 10
+ timeoutSeconds: 5
+ serviceMonitor:
+ enabled: true
+ sources:
+ - ingress
+ - service
+ triggerLoopOnEvent: true
+ txtOwnerId: main
+ txtPrefix: k8s.main.
+
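Review bot: `UNIFI_HOST` is hardcoded to `https://192.168.1.1` while the domain two blocks above is substituted from cluster settings; substitute the controller address the same way so the file stays environment-neutral. Separately, unlike the Cloudflare instance (`--ingress-class=external`), this instance has no ingress-class filter in `extraArgs` and uses `sources: ingress, service`, so it will also publish external-class Ingresses (the echo-server host) into UniFi; add `--ingress-class=internal` if only internal names belong in the local resolver.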
--- kubernetes/main/apps/network/external/cloudflared Kustomization: flux-system/external-cloudflared DNSEndpoint: network/cloudflared
+++ kubernetes/main/apps/network/external/cloudflared Kustomization: flux-system/external-cloudflared DNSEndpoint: network/cloudflared
@@ -0,0 +1,17 @@
+---
+apiVersion: externaldns.k8s.io/v1alpha1
+kind: DNSEndpoint
+metadata:
+ labels:
+ app.kubernetes.io/name: external-cloudflared
+ kustomize.toolkit.fluxcd.io/name: external-cloudflared
+ kustomize.toolkit.fluxcd.io/namespace: flux-system
+ name: cloudflared
+ namespace: network
+spec:
+ endpoints:
+ - dnsName: external...PLACEHOLDER_SECRET_DOMAIN..
+ recordType: CNAME
+ targets:
+ - ..PLACEHOLDER_CLOUDFLARE_TUNNEL_ID...cfargotunnel.com
+
--- kubernetes/main/apps/network/external/cloudflared Kustomization: flux-system/external-cloudflared ExternalSecret: network/cloudflared-secret
+++ kubernetes/main/apps/network/external/cloudflared Kustomization: flux-system/external-cloudflared ExternalSecret: network/cloudflared-secret
@@ -0,0 +1,28 @@
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ labels:
+ app.kubernetes.io/name: external-cloudflared
+ kustomize.toolkit.fluxcd.io/name: external-cloudflared
+ kustomize.toolkit.fluxcd.io/namespace: flux-system
+ name: cloudflared-secret
+ namespace: network
+spec:
+ dataFrom:
+ - extract:
+ key: cloudflare
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: onepassword-connect
+ target:
+ name: cloudflared-secret
+ template:
+ data:
+ credentials.json: |
+ {
+ "AccountTag": "{{ .CLOUDFLARE_ACCOUNT_TAG }}",
+ "TunnelSecret": "{{ .CLOUDFLARE_TUNNEL_SECRET }}",
+ "TunnelID": "..PLACEHOLDER_CLOUDFLARE_TUNNEL_ID.."
+ }
+
--- kubernetes/main/apps/network/external/cloudflared Kustomization: flux-system/external-cloudflared HelmRelease: network/cloudflared
+++ kubernetes/main/apps/network/external/cloudflared Kustomization: flux-system/external-cloudflared HelmRelease: network/cloudflared
@@ -0,0 +1,128 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+ labels:
+ app.kubernetes.io/name: external-cloudflared
+ kustomize.toolkit.fluxcd.io/name: external-cloudflared
+ kustomize.toolkit.fluxcd.io/namespace: flux-system
+ name: cloudflared
+ namespace: network
+spec:
+ chart:
+ spec:
+ chart: app-template
+ sourceRef:
+ kind: HelmRepository
+ name: bjw-s
+ namespace: flux-system
+ version: 3.6.1
+ install:
+ remediation:
+ retries: 3
+ interval: 30m
+ upgrade:
+ cleanupOnFail: true
+ remediation:
+ retries: 3
+ strategy: rollback
+ values:
+ controllers:
+ cloudflared:
+ annotations:
+ reloader.stakater.com/auto: 'true'
+ containers:
+ app:
+ args:
+ - tunnel
+ - --config
+ - /etc/cloudflared/config/config.yaml
+ - run
+ - ..PLACEHOLDER_CLOUDFLARE_TUNNEL_ID..
+ env:
+ NO_AUTOUPDATE: true
+ TUNNEL_CRED_FILE: /etc/cloudflared/creds/credentials.json
+ TUNNEL_METRICS: 0.0.0.0:8080
+ TUNNEL_ORIGIN_ENABLE_HTTP2: true
+ TUNNEL_POST_QUANTUM: true
+ TUNNEL_TRANSPORT_PROTOCOL: quic
+ image:
+ repository: docker.io/cloudflare/cloudflared
+ tag: 2025.1.0@sha256:3247f3ef49eda23244b8aa5583f82b7c3880b0d057e1172d0e818f5e678d9f27
+ probes:
+ liveness:
+ custom: true
+ enabled: true
+ spec:
+ failureThreshold: 3
+ httpGet:
+ path: /ready
+ port: 8080
+ initialDelaySeconds: 0
+ periodSeconds: 10
+ timeoutSeconds: 1
+ readiness:
+ custom: true
+ enabled: true
+ spec:
+ failureThreshold: 3
+ httpGet:
+ path: /ready
+ port: 8080
+ initialDelaySeconds: 0
+ periodSeconds: 10
+ timeoutSeconds: 1
+ resources:
+ limits:
+ memory: 256M
+ requests:
+ cpu: 5m
+ memory: 128M
+ replicas: 2
+ strategy: RollingUpdate
+ defaultPodOptions:
+ securityContext:
+ fsGroupChangePolicy: OnRootMismatch
+ runAsGroup: 100
+ runAsNonRoot: true
+ runAsUser: 1000
+ seccompProfile:
+ type: RuntimeDefault
+ topologySpreadConstraints:
+ - labelSelector:
+ matchLabels:
+ app.kubernetes.io/name: cloudflared
+ maxSkew: 1
+ topologyKey: kubernetes.io/hostname
+ whenUnsatisfiable: DoNotSchedule
+ persistence:
+ config-file:
+ globalMounts:
+ - path: /etc/cloudflared/config/config.yaml
+ readOnly: true
+ subPath: config.yaml
+ name: cloudflared-configmap
+ type: configMap
+ secret-file:
+ globalMounts:
+ - path: /etc/cloudflared/creds/credentials.json
+ readOnly: true
+ subPath: credentials.json
+ name: cloudflared-tunnel-secret
+ type: secret
+ service:
+ app:
+ controller: cloudflared
+ ports:
+ http:
+ port: 8080
+ serviceMonitor:
+ app:
+ endpoints:
+ - interval: 1m
+ path: /metrics
+ port: http
+ scheme: http
+ scrapeTimeout: 10s
+ serviceName: cloudflared
+
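Review bot: the `secret-file` mount references `name: cloudflared-tunnel-secret`, but the ExternalSecret added in this same directory targets `name: cloudflared-secret` (the name the old release also mounted), so the pod will stay in ContainerCreating until a Secret with the referenced name exists; align one of the two names. Separately, the deleted HelmRelease carried `dependsOn: - name: nginx-external` and this one has no `dependsOn` at all; the tunnel's only origin is the ingress controller Service, so a `dependsOn` on the new external-ingress-nginx release (or on its Kustomization) would preserve the ordering.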
--- kubernetes/main/apps/network/external/cloudflared Kustomization: flux-system/external-cloudflared ConfigMap: network/cloudflared-configmap
+++ kubernetes/main/apps/network/external/cloudflared Kustomization: flux-system/external-cloudflared ConfigMap: network/cloudflared-configmap
@@ -0,0 +1,23 @@
+---
+apiVersion: v1
+data:
+ config.yaml: |
+ ---
+ originRequest:
+ originServerName: external...PLACEHOLDER_SECRET_DOMAIN..
+
+ ingress:
+ - hostname: ..PLACEHOLDER_SECRET_DOMAIN..
+ service: https://nginx-external-controller.network.svc.cluster.local:443
+ - hostname: "*...PLACEHOLDER_SECRET_DOMAIN.."
+ service: https://nginx-external-controller.network.svc.cluster.local:443
+ - service: http_status:404
+kind: ConfigMap
+metadata:
+ labels:
+ app.kubernetes.io/name: external-cloudflared
+ kustomize.toolkit.fluxcd.io/name: external-cloudflared
+ kustomize.toolkit.fluxcd.io/namespace: flux-system
+ name: cloudflared-configmap
+ namespace: network
+
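Review bot: both ingress rules still target `service: https://nginx-external-controller.network.svc.cluster.local:443`. That Service name came from the deleted `nginx-external` HelmRelease (`fullnameOverride: nginx-external`); the replacement release is named `external-ingress-nginx`, so verify the controller Service keeps the old name or update these two `service:` entries, otherwise the tunnel answers every host with an origin error. `originServerName: external...PLACEHOLDER_SECRET_DOMAIN..` still matches the controller's default certificate, so origin TLS verification remains consistent.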
--- kubernetes/main/apps/network/external/external-dns Kustomization: flux-system/external-dns-cloudflare ExternalSecret: network/external-dns-cloudflare
+++ kubernetes/main/apps/network/external/external-dns Kustomization: flux-system/external-dns-cloudflare ExternalSecret: network/external-dns-cloudflare
@@ -0,0 +1,23 @@
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ labels:
+ app.kubernetes.io/name: external-dns-cloudflare
+ kustomize.toolkit.fluxcd.io/name: external-dns-cloudflare
+ kustomize.toolkit.fluxcd.io/namespace: flux-system
+ name: external-dns-cloudflare
+ namespace: network
+spec:
+ dataFrom:
+ - extract:
+ key: cloudflare
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: onepassword-connect
+ target:
+ name: external-dns-cloudflare
+ template:
+ data:
+ api-token: '{{ .CLOUDFLARE_API_KEY }}'
+
--- kubernetes/main/apps/network/external/external-dns Kustomization: flux-system/external-dns-cloudflare HelmRelease: network/external-dns-cloudflare
+++ kubernetes/main/apps/network/external/external-dns Kustomization: flux-system/external-dns-cloudflare HelmRelease: network/external-dns-cloudflare
@@ -0,0 +1,61 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+ labels:
+ app.kubernetes.io/name: external-dns-cloudflare
+ kustomize.toolkit.fluxcd.io/name: external-dns-cloudflare
+ kustomize.toolkit.fluxcd.io/namespace: flux-system
+ name: external-dns-cloudflare
+ namespace: network
+spec:
+ chart:
+ spec:
+ chart: external-dns
+ sourceRef:
+ kind: HelmRepository
+ name: external-dns
+ namespace: flux-system
+ version: 1.15.0
+ install:
+ crds: CreateReplace
+ remediation:
+ retries: 3
+ interval: 30m
+ upgrade:
+ cleanupOnFail: true
+ crds: CreateReplace
+ remediation:
+ retries: 3
+ strategy: rollback
+ values:
+ domainFilters:
+ - ..PLACEHOLDER_SECRET_DOMAIN..
+ env:
+ - name: CF_API_TOKEN
+ valueFrom:
+ secretKeyRef:
+ key: api-token
+ name: external-dns-cloudflare
+ extraArgs:
+ - --cloudflare-dns-records-per-page=1000
+ - --cloudflare-proxied
+ - --crd-source-apiversion=externaldns.k8s.io/v1alpha1
+ - --crd-source-kind=DNSEndpoint
+ - --ignore-ingress-tls-spec
+ - --ingress-class=external
+ fullnameOverride: external-dns-cloudflare
+ podAnnotations:
+ secret.reloader.stakater.com/reload: external-dns-cloudflare
+ policy: sync
+ provider:
+ name: cloudflare
+ serviceMonitor:
+ enabled: true
+ sources:
+ - crd
+ - ingress
+ triggerLoopOnEvent: true
+ txtOwnerId: main
+ txtPrefix: k8s.main.
+
--- kubernetes/main/apps/network/internal/ingress-nginx Kustomization: flux-system/internal-ingress-nginx HelmRelease: network/internal-ingress-nginx
+++ kubernetes/main/apps/network/internal/ingress-nginx Kustomization: flux-system/internal-ingress-nginx HelmRelease: network/internal-ingress-nginx
@@ -0,0 +1,99 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+ labels:
+ app.kubernetes.io/name: internal-ingress-nginx
+ kustomize.toolkit.fluxcd.io/name: internal-ingress-nginx
+ kustomize.toolkit.fluxcd.io/namespace: flux-system
+ name: internal-ingress-nginx
+ namespace: network
+spec:
+ chart:
+ spec:
+ chart: ingress-nginx
+ sourceRef:
+ kind: HelmRepository
+ name: ingress-nginx
+ namespace: flux-system
+ version: 4.12.0
+ install:
+ remediation:
+ retries: 3
+ interval: 30m
+ upgrade:
+ cleanupOnFail: true
+ remediation:
+ retries: 3
+ strategy: rollback
+ values:
+ controller:
+ admissionWebhooks:
+ objectSelector:
+ matchExpressions:
+ - key: ingress-class
+ operator: In
+ values:
+ - internal
+ config:
+ allow-snippet-annotations: true
+ annotations-risk-level: Critical
+ block-user-agents: AdsBot-Google,Amazonbot,anthropic-ai,Applebot-Extended,Bytespider,CCBot,ChatGPT-User,ClaudeBot,Claude-Web,cohere-ai,Diffbot,FacebookBot,FriendlyCrawler,Google-Extended,GoogleOther,GPTBot,img2dataset,omgili,omgilibot,peer39_crawler,peer39_crawler/1.0,PerplexityBot,YouBot,
+ client-body-buffer-size: 100M
+ client-body-timeout: 120
+ client-header-timeout: 120
+ enable-brotli: 'true'
+ enable-ocsp: 'true'
+ enable-real-ip: 'true'
+ force-ssl-redirect: 'true'
+ hide-headers: Server,X-Powered-By
+ hsts-max-age: 31449600
+ keep-alive: 120
+ keep-alive-requests: 10000
+ log-format-escape-json: 'true'
+ log-format-upstream: |
+ {"time": "$time_iso8601", "remote_addr": "$proxy_protocol_addr", "x_forwarded_for": "$proxy_add_x_forwarded_for", "request_id": "$req_id", "remote_user": "$remote_user", "bytes_sent": $bytes_sent, "request_time": $request_time, "status": $status, "vhost": "$host", "request_proto": "$server_protocol", "path": "$uri", "request_query": "$args", "request_length": $request_length, "duration": $request_time, "method": "$request_method", "http_referrer": "$http_referer", "http_user_agent": "$http_user_agent"}
+ proxy-body-size: 0
+ proxy-buffer-size: 16k
+ ssl-protocols: TLSv1.3 TLSv1.2
+ use-forwarded-headers: 'true'
+ extraArgs:
+ default-ssl-certificate: cert-manager/..PLACEHOLDER_SECRET_DOMAIN..-tls
+ publish-status-address: internal...PLACEHOLDER_SECRET_DOMAIN..
+ ingressClassResource:
+ controllerValue: k8s.io/internal
+ default: true
+ name: internal
+ metrics:
+ enabled: true
+ serviceMonitor:
+ enabled: true
+ namespaceSelector:
+ any: true
+ publishService:
+ enabled: false
+ replicaCount: 2
+ resources:
+ limits:
+ memory: 500Mi
+ requests:
+ cpu: 100m
+ service:
+ annotations:
+ external-dns.alpha.kubernetes.io/hostname: internal...PLACEHOLDER_SECRET_DOMAIN..
+ lbipam.cilium.io/ips: ..PLACEHOLDER_SVC_NGINX_INTERNAL..
+ externalTrafficPolicy: Cluster
+ terminationGracePeriodSeconds: 120
+ topologySpreadConstraints:
+ - labelSelector:
+ matchLabels:
+ app.kubernetes.io/component: controller
+ app.kubernetes.io/instance: internal-ingress-nginx
+ app.kubernetes.io/name: ingress-nginx
+ maxSkew: 1
+ topologyKey: kubernetes.io/hostname
+ whenUnsatisfiable: DoNotSchedule
+ defaultBackend:
+ enabled: false
+ fullnameOverride: internal-ingress-nginx
+
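Review bot: `allow-snippet-annotations: true` combined with `annotations-risk-level: Critical` lets anyone who can create an Ingress inject raw nginx configuration into a controller whose service account can list and watch Secrets cluster-wide (the removed `nginx-external` ClusterRole below shows the `secrets` rule the chart grants), and the only guardrail, the validating webhook, is narrowed by `admissionWebhooks.objectSelector` to Ingresses labelled `ingress-class: internal`; since `ingressClassResource.default: true` makes this controller also pick up Ingresses that name no class, an Ingress without that label is served without ever being validated. Consider removing the `objectSelector` so every Ingress passes through the webhook, keeping `allow-snippet-annotations` off unless a specific Ingress requires it, and lowering `annotations-risk-level` to the least permissive level the deployed annotations actually need.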
--- kubernetes/main/apps/network/external/ingress-nginx Kustomization: flux-system/external-ingress-nginx HelmRelease: network/external-ingress-nginx
+++ kubernetes/main/apps/network/external/ingress-nginx Kustomization: flux-system/external-ingress-nginx HelmRelease: network/external-ingress-nginx
@@ -0,0 +1,98 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+ labels:
+ app.kubernetes.io/name: external-ingress-nginx
+ kustomize.toolkit.fluxcd.io/name: external-ingress-nginx
+ kustomize.toolkit.fluxcd.io/namespace: flux-system
+ name: external-ingress-nginx
+ namespace: network
+spec:
+ chart:
+ spec:
+ chart: ingress-nginx
+ sourceRef:
+ kind: HelmRepository
+ name: ingress-nginx
+ namespace: flux-system
+ version: 4.12.0
+ install:
+ remediation:
+ retries: 3
+ interval: 30m
+ upgrade:
+ cleanupOnFail: true
+ remediation:
+ retries: 3
+ strategy: rollback
+ values:
+ controller:
+ admissionWebhooks:
+ objectSelector:
+ matchExpressions:
+ - key: ingress-class
+ operator: In
+ values:
+ - external
+ config:
+ allow-snippet-annotations: true
+ annotations-risk-level: Critical
+ block-user-agents: AdsBot-Google,Amazonbot,anthropic-ai,Applebot-Extended,Bytespider,CCBot,ChatGPT-User,ClaudeBot,Claude-Web,cohere-ai,Diffbot,FacebookBot,FriendlyCrawler,Google-Extended,GoogleOther,GPTBot,img2dataset,omgili,omgilibot,peer39_crawler,peer39_crawler/1.0,PerplexityBot,YouBot,
+ client-body-buffer-size: 100M
+ client-body-timeout: 120
+ client-header-timeout: 120
+ enable-brotli: 'true'
+ enable-ocsp: 'true'
+ enable-real-ip: 'true'
+ force-ssl-redirect: 'true'
+ hide-headers: Server,X-Powered-By
+ hsts-max-age: 31449600
+ keep-alive: 120
+ keep-alive-requests: 10000
+ log-format-escape-json: 'true'
+ log-format-upstream: |
+ {"time": "$time_iso8601", "remote_addr": "$proxy_protocol_addr", "x_forwarded_for": "$proxy_add_x_forwarded_for", "request_id": "$req_id", "remote_user": "$remote_user", "bytes_sent": $bytes_sent, "request_time": $request_time, "status": $status, "vhost": "$host", "request_proto": "$server_protocol", "path": "$uri", "request_query": "$args", "request_length": $request_length, "duration": $request_time, "method": "$request_method", "http_referrer": "$http_referer", "http_user_agent": "$http_user_agent"}
+ proxy-body-size: 0
+ proxy-buffer-size: 16k
+ ssl-protocols: TLSv1.3 TLSv1.2
+ use-forwarded-headers: 'true'
+ extraArgs:
+ default-ssl-certificate: cert-manager/..PLACEHOLDER_SECRET_DOMAIN..-tls
+ publish-status-address: external...PLACEHOLDER_SECRET_DOMAIN..
+ ingressClassResource:
+ controllerValue: k8s.io/external
+ default: false
+ name: external
+ metrics:
+ enabled: true
+ serviceMonitor:
+ enabled: true
+ namespaceSelector:
+ any: true
+ publishService:
+ enabled: false
+ replicaCount: 2
+ resources:
+ limits:
+ memory: 500Mi
+ requests:
+ cpu: 100m
+ service:
+ annotations:
+ external-dns.alpha.kubernetes.io/hostname: external...PLACEHOLDER_SECRET_DOMAIN..
+ lbipam.cilium.io/ips: ..PLACEHOLDER_SVC_NGINX_EXTERNAL..
+ terminationGracePeriodSeconds: 120
+ topologySpreadConstraints:
+ - labelSelector:
+ matchLabels:
+ app.kubernetes.io/component: controller
+ app.kubernetes.io/instance: external-ingress-nginx
+ app.kubernetes.io/name: ingress-nginx
+ maxSkew: 1
+ topologyKey: kubernetes.io/hostname
+ whenUnsatisfiable: DoNotSchedule
+ defaultBackend:
+ enabled: false
+ fullnameOverride: external-ingress-nginx
+ |
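Review bot: `use-forwarded-headers: 'true'` together with `enable-real-ip: 'true'` on the externally reachable controller, with no `proxy-real-ip-cidr` set, means the controller trusts `X-Forwarded-For` from any client reaching the LoadBalancer and uses it as the client address for logging and for source-range allowlists; either set `proxy-real-ip-cidr` to the address range of the proxy that actually fronts this Service, or drop `use-forwarded-headers` if clients connect directly. Two smaller points in the same `config` block: `log-format-upstream` writes `"remote_addr": "$proxy_protocol_addr"`, which stays empty unless `use-proxy-protocol` is enabled (use `$remote_addr` otherwise), and `block-user-agents` ends with a trailing comma that produces an empty final entry.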
--- HelmRelease: network/external-dns-cloudflare Deployment: network/external-dns-cloudflare
+++ HelmRelease: network/external-dns-cloudflare Deployment: network/external-dns-cloudflare
@@ -19,13 +19,13 @@
template:
metadata:
labels:
app.kubernetes.io/name: external-dns
app.kubernetes.io/instance: external-dns-cloudflare
annotations:
- secret.reloader.stakater.com/reload: external-dns-secret
+ secret.reloader.stakater.com/reload: external-dns-cloudflare
spec:
serviceAccountName: external-dns-cloudflare
securityContext:
fsGroup: 65534
runAsNonRoot: true
seccompProfile:
@@ -46,13 +46,13 @@
imagePullPolicy: IfNotPresent
env:
- name: CF_API_TOKEN
valueFrom:
secretKeyRef:
key: api-token
- name: external-dns-secret
+ name: external-dns-cloudflare
args:
- --log-level=info
- --log-format=text
- --interval=1m
- --events
- --source=crd
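Review bot: both the `secret.reloader.stakater.com/reload` annotation and the `secretKeyRef` now point at `external-dns-cloudflare`, but the Secret under its new name is not part of these hunks; confirm it is created (and the SOPS/ExternalSecret source renamed) before this Deployment rolls, otherwise the new pod will fail with a missing-secret error and the old `external-dns-secret` will linger unused.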
--- HelmRelease: network/nginx-external PodDisruptionBudget: network/nginx-external-controller
+++ HelmRelease: network/nginx-external PodDisruptionBudget: network/nginx-external-controller
@@ -1,20 +0,0 @@
----
-apiVersion: policy/v1
-kind: PodDisruptionBudget
-metadata:
- labels:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/instance: nginx-external
- app.kubernetes.io/part-of: ingress-nginx
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/component: controller
- name: nginx-external-controller
- namespace: network
-spec:
- selector:
- matchLabels:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/instance: nginx-external
- app.kubernetes.io/component: controller
- minAvailable: 1
-
--- HelmRelease: network/nginx-external ServiceAccount: network/nginx-external
+++ HelmRelease: network/nginx-external ServiceAccount: network/nginx-external
@@ -1,14 +0,0 @@
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- labels:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/instance: nginx-external
- app.kubernetes.io/part-of: ingress-nginx
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/component: controller
- name: nginx-external
- namespace: network
-automountServiceAccountToken: true
-
--- HelmRelease: network/nginx-external ConfigMap: network/nginx-external-controller
+++ HelmRelease: network/nginx-external ConfigMap: network/nginx-external-controller
@@ -1,35 +0,0 @@
----
-apiVersion: v1
-kind: ConfigMap
-metadata:
- labels:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/instance: nginx-external
- app.kubernetes.io/part-of: ingress-nginx
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/component: controller
- name: nginx-external-controller
- namespace: network
-data:
- allow-snippet-annotations: 'true'
- annotations-risk-level: Critical
- block-user-agents: GPTBot,~*GPTBot*,ChatGPT-User,~*ChatGPT-User*,Google-Extended,~*Google-Extended*,CCBot,~*CCBot*,Omgilibot,~*Omgilibot*,FacebookBot,~*FacebookBot*
- client-body-buffer-size: 100M
- client-body-timeout: '120'
- client-header-timeout: '120'
- enable-brotli: 'true'
- enable-ocsp: 'true'
- enable-real-ip: 'true'
- force-ssl-redirect: 'true'
- hide-headers: Server,X-Powered-By
- hsts-max-age: '3.14496e+07'
- keep-alive: '120'
- keep-alive-requests: '10000'
- log-format-escape-json: 'true'
- log-format-upstream: |
- {"time": "$time_iso8601", "remote_addr": "$proxy_protocol_addr", "x_forwarded_for": "$proxy_add_x_forwarded_for", "request_id": "$req_id", "remote_user": "$remote_user", "bytes_sent": $bytes_sent, "request_time": $request_time, "status": $status, "vhost": "$host", "request_proto": "$server_protocol", "path": "$uri", "request_query": "$args", "request_length": $request_length, "duration": $request_time, "method": "$request_method", "http_referrer": "$http_referer", "http_user_agent": "$http_user_agent"}
- proxy-body-size: '0'
- proxy-buffer-size: 16k
- ssl-protocols: TLSv1.3 TLSv1.2
- use-forwarded-headers: 'true'
-
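Review bot: the rendered `hsts-max-age: '3.14496e+07'` in this removed ConfigMap shows what happens when the value is passed as the bare integer 31449600 in Helm values: Helm parses it as a float and the chart quotes it in exponent notation, so the controller emits `max-age=3.14496e+07` in the Strict-Transport-Security header, which is not a valid delta-seconds value and causes browsers to ignore the header. The replacement HelmReleases above keep `hsts-max-age: 31449600` unquoted, so the same broken header will be rendered again; quote it as `hsts-max-age: '31449600'` (and the other numeric entries the same way), matching how `enable-brotli: 'true'` is already quoted.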
--- HelmRelease: network/nginx-external ClusterRole: network/nginx-external
+++ HelmRelease: network/nginx-external ClusterRole: network/nginx-external
@@ -1,82 +0,0 @@
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- labels:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/instance: nginx-external
- app.kubernetes.io/part-of: ingress-nginx
- app.kubernetes.io/managed-by: Helm
- name: nginx-external
-rules:
-- apiGroups:
- - ''
- resources:
- - configmaps
- - endpoints
- - nodes
- - pods
- - secrets
- - namespaces
- verbs:
- - list
- - watch
-- apiGroups:
- - coordination.k8s.io
- resources:
- - leases
- verbs:
- - list
- - watch
-- apiGroups:
- - ''
- resources:
- - nodes
- verbs:
- - get
-- apiGroups:
- - ''
- resources:
- - services
- verbs:
- - get
- - list
- - watch
-- apiGroups:
- - networking.k8s.io
- resources:
- - ingresses
- verbs:
- - get
- - list
- - watch
-- apiGroups:
- - ''
- resources:
- - events
- verbs:
- - create
- - patch
-- apiGroups:
- - networking.k8s.io
- resources:
- - ingresses/status
- verbs:
- - update
-- apiGroups:
- - networking.k8s.io
- resources:
- - ingressclasses
- verbs:
- - get
- - list
- - watch
-- apiGroups:
- - discovery.k8s.io
- resources:
- - endpointslices
- verbs:
- - list
- - watch
- - get
-
--- HelmRelease: network/nginx-external ClusterRoleBinding: network/nginx-external
+++ HelmRelease: network/nginx-external ClusterRoleBinding: network/nginx-external
@@ -1,19 +0,0 @@
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- labels:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/instance: nginx-external
- app.kubernetes.io/part-of: ingress-nginx
- app.kubernetes.io/managed-by: Helm
- name: nginx-external
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: nginx-external
-subjects:
-- kind: ServiceAccount
- name: nginx-external
- namespace: network
-
--- HelmRelease: network/nginx-external Role: network/nginx-external
+++ HelmRelease: network/nginx-external Role: network/nginx-external
@@ -1,91 +0,0 @@
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
- labels:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/instance: nginx-external
- app.kubernetes.io/part-of: ingress-nginx
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/component: controller
- name: nginx-external
- namespace: network
-rules:
-- apiGroups:
- - ''
- resources:
- - namespaces
- verbs:
- - get
-- apiGroups:
- - ''
- resources:
- - configmaps
- - pods
- - secrets
- - endpoints
- verbs:
- - get
- - list
- - watch
-- apiGroups:
- - ''
- resources:
- - services
- verbs:
- - get
- - list
- - watch
-- apiGroups:
- - networking.k8s.io
- resources:
- - ingresses
- verbs:
- - get
- - list
- - watch
-- apiGroups:
- - networking.k8s.io
- resources:
- - ingresses/status
- verbs:
- - update
-- apiGroups:
- - networking.k8s.io
- resources:
- - ingressclasses
- verbs:
- - get
- - list
- - watch
-- apiGroups:
- - coordination.k8s.io
- resources:
- - leases
- resourceNames:
- - nginx-external-leader
- verbs:
- - get
- - update
-- apiGroups:
- - coordination.k8s.io
- resources:
- - leases
- verbs:
- - create
-- apiGroups:
- - ''
- resources:
- - events
- verbs:
- - create
- - patch
-- apiGroups:
- - discovery.k8s.io
- resources:
- - endpointslices
- verbs:
- - list
- - watch
- - get
-
--- HelmRelease: network/nginx-external RoleBinding: network/nginx-external
+++ HelmRelease: network/nginx-external RoleBinding: network/nginx-external
@@ -1,21 +0,0 @@
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- labels:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/instance: nginx-external
- app.kubernetes.io/part-of: ingress-nginx
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/component: controller
- name: nginx-external
- namespace: network
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: Role
- name: nginx-external
-subjects:
-- kind: ServiceAccount
- name: nginx-external
- namespace: network
-
--- HelmRelease: network/nginx-external Service: network/nginx-external-controller-metrics
+++ HelmRelease: network/nginx-external Service: network/nginx-external-controller-metrics
@@ -1,24 +0,0 @@
----
-apiVersion: v1
-kind: Service
-metadata:
- labels:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/instance: nginx-external
- app.kubernetes.io/part-of: ingress-nginx
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/component: controller
- name: nginx-external-controller-metrics
- namespace: network
-spec:
- type: ClusterIP
- ports:
- - name: metrics
- port: 10254
- protocol: TCP
- targetPort: metrics
- selector:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/instance: nginx-external
- app.kubernetes.io/component: controller
-
--- HelmRelease: network/nginx-external Service: network/nginx-external-controller-admission
+++ HelmRelease: network/nginx-external Service: network/nginx-external-controller-admission
@@ -1,24 +0,0 @@
----
-apiVersion: v1
-kind: Service
-metadata:
- labels:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/instance: nginx-external
- app.kubernetes.io/part-of: ingress-nginx
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/component: controller
- name: nginx-external-controller-admission
- namespace: network
-spec:
- type: ClusterIP
- ports:
- - name: https-webhook
- port: 443
- targetPort: webhook
- appProtocol: https
- selector:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/instance: nginx-external
- app.kubernetes.io/component: controller
-
--- HelmRelease: network/nginx-external Service: network/nginx-external-controller
+++ HelmRelease: network/nginx-external Service: network/nginx-external-controller
@@ -1,36 +0,0 @@
----
-apiVersion: v1
-kind: Service
-metadata:
- annotations:
- external-dns.alpha.kubernetes.io/hostname: external...PLACEHOLDER_SECRET_DOMAIN..
- lbipam.cilium.io/ips: ..PLACEHOLDER_SVC_NGINX_EXTERNAL..
- labels:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/instance: nginx-external
- app.kubernetes.io/part-of: ingress-nginx
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/component: controller
- name: nginx-external-controller
- namespace: network
-spec:
- type: LoadBalancer
- ipFamilyPolicy: SingleStack
- ipFamilies:
- - IPv4
- ports:
- - name: http
- port: 80
- protocol: TCP
- targetPort: http
- appProtocol: http
- - name: https
- port: 443
- protocol: TCP
- targetPort: https
- appProtocol: https
- selector:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/instance: nginx-external
- app.kubernetes.io/component: controller
-
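Review bot: this removed LoadBalancer Service carries the same `lbipam.cilium.io/ips: ..PLACEHOLDER_SVC_NGINX_EXTERNAL..` and `external-dns.alpha.kubernetes.io/hostname` annotations as the new `external-ingress-nginx` Service above, so until the old `nginx-external` release is pruned two Services request the same LB IP and hostname; confirm that Flux removes the old HelmRelease in the same reconciliation that creates the new one, otherwise the new Service may not be assigned its IP and external-dns may keep the record pointed at the old controller.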
--- HelmRelease: network/nginx-external Deployment: network/nginx-external-controller
+++ HelmRelease: network/nginx-external Deployment: network/nginx-external-controller
@@ -1,137 +0,0 @@
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- labels:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/instance: nginx-external
- app.kubernetes.io/part-of: ingress-nginx
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/component: controller
- name: nginx-external-controller
- namespace: network
-spec:
- selector:
- matchLabels:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/instance: nginx-external
- app.kubernetes.io/component: controller
- replicas: 2
- revisionHistoryLimit: 10
- minReadySeconds: 0
- template:
- metadata:
- labels:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/instance: nginx-external
- app.kubernetes.io/part-of: ingress-nginx
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/component: controller
- spec:
- dnsPolicy: ClusterFirst
- containers:
- - name: controller
- image: registry.k8s.io/ingress-nginx/controller:v1.12.0@sha256:e6b8de175acda6ca913891f0f727bca4527e797d52688cbe9fec9040d6f6b6fa
- imagePullPolicy: IfNotPresent
- lifecycle:
- preStop:
- exec:
- command:
- - /wait-shutdown
- args:
- - /nginx-ingress-controller
- - --election-id=nginx-external-leader
- - --controller-class=k8s.io/external
- - --ingress-class=nginx
- - --configmap=$(POD_NAMESPACE)/nginx-external-controller
- - --validating-webhook=:8443
- - --validating-webhook-certificate=/usr/local/certificates/cert
- - --validating-webhook-key=/usr/local/certificates/key
- - --enable-metrics=true
- - --default-ssl-certificate=cert-manager/..PLACEHOLDER_SECRET_DOMAIN..-tls
- - --publish-status-address=external...PLACEHOLDER_SECRET_DOMAIN..
- securityContext:
- runAsNonRoot: true
- runAsUser: 101
- runAsGroup: 82
- allowPrivilegeEscalation: false
- seccompProfile:
- type: RuntimeDefault
- capabilities:
- drop:
- - ALL
- add:
- - NET_BIND_SERVICE
- readOnlyRootFilesystem: false
- env:
- - name: POD_NAME
- valueFrom:
- fieldRef:
- fieldPath: metadata.name
- - name: POD_NAMESPACE
- valueFrom:
- fieldRef:
- fieldPath: metadata.namespace
- - name: LD_PRELOAD
- value: /usr/local/lib/libmimalloc.so
- livenessProbe:
- failureThreshold: 5
- httpGet:
- path: /healthz
- port: 10254
- scheme: HTTP
- initialDelaySeconds: 10
- periodSeconds: 10
- successThreshold: 1
- timeoutSeconds: 1
- readinessProbe:
- failureThreshold: 3
- httpGet:
- path: /healthz
- port: 10254
- scheme: HTTP
- initialDelaySeconds: 10
- periodSeconds: 10
- successThreshold: 1
- timeoutSeconds: 1
- ports:
- - name: http
- containerPort: 80
- protocol: TCP
- - name: https
- containerPort: 443
- protocol: TCP
- - name: metrics
- containerPort: 10254
- protocol: TCP
- - name: webhook
- containerPort: 8443
- protocol: TCP
- volumeMounts:
- - name: webhook-cert
- mountPath: /usr/local/certificates/
- readOnly: true
- resources:
- limits:
- memory: 500Mi
- requests:
- cpu: 100m
- memory: 90Mi
- nodeSelector:
- kubernetes.io/os: linux
- topologySpreadConstraints:
- - labelSelector:
- matchLabels:
- app.kubernetes.io/component: controller
- app.kubernetes.io/instance: nginx-external
- app.kubernetes.io/name: ingress-nginx
- maxSkew: 1
- topologyKey: kubernetes.io/hostname
- whenUnsatisfiable: DoNotSchedule
- serviceAccountName: nginx-external
- terminationGracePeriodSeconds: 120
- volumes:
- - name: webhook-cert
- secret:
- secretName: nginx-external-admission
-
--- HelmRelease: network/nginx-external IngressClass: network/external
+++ HelmRelease: network/nginx-external IngressClass: network/external
@@ -1,14 +0,0 @@
----
-apiVersion: networking.k8s.io/v1
-kind: IngressClass
-metadata:
- labels:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/instance: nginx-external
- app.kubernetes.io/part-of: ingress-nginx
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/component: controller
- name: external
-spec:
- controller: k8s.io/external
-
--- HelmRelease: network/nginx-external ServiceMonitor: network/nginx-external-controller
+++ HelmRelease: network/nginx-external ServiceMonitor: network/nginx-external-controller
@@ -1,24 +0,0 @@
----
-apiVersion: monitoring.coreos.com/v1
-kind: ServiceMonitor
-metadata:
- name: nginx-external-controller
- namespace: network
- labels:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/instance: nginx-external
- app.kubernetes.io/part-of: ingress-nginx
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/component: controller
-spec:
- namespaceSelector:
- any: true
- selector:
- matchLabels:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/instance: nginx-external
- app.kubernetes.io/component: controller
- endpoints:
- - port: metrics
- interval: 30s
-
--- HelmRelease: network/nginx-external ValidatingWebhookConfiguration: network/nginx-external-admission
+++ HelmRelease: network/nginx-external ValidatingWebhookConfiguration: network/nginx-external-admission
@@ -1,41 +0,0 @@
----
-apiVersion: admissionregistration.k8s.io/v1
-kind: ValidatingWebhookConfiguration
-metadata:
- labels:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/instance: nginx-external
- app.kubernetes.io/part-of: ingress-nginx
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/component: admission-webhook
- name: nginx-external-admission
-webhooks:
-- name: validate.nginx.ingress.kubernetes.io
- matchPolicy: Equivalent
- rules:
- - apiGroups:
- - networking.k8s.io
- apiVersions:
- - v1
- operations:
- - CREATE
- - UPDATE
- resources:
- - ingresses
- failurePolicy: Fail
- sideEffects: None
- admissionReviewVersions:
- - v1
- clientConfig:
- service:
- name: nginx-external-controller-admission
- namespace: network
- port: 443
- path: /networking/v1/ingresses
- objectSelector:
- matchExpressions:
- - key: ingress-class
- operator: In
- values:
- - external
-
--- HelmRelease: network/nginx-external ServiceAccount: network/nginx-external-admission
+++ HelmRelease: network/nginx-external ServiceAccount: network/nginx-external-admission
@@ -1,17 +0,0 @@
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: nginx-external-admission
- namespace: network
- annotations:
- helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
- helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
- labels:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/instance: nginx-external
- app.kubernetes.io/part-of: ingress-nginx
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/component: admission-webhook
-automountServiceAccountToken: true
-
--- HelmRelease: network/nginx-external ClusterRole: network/nginx-external-admission
+++ HelmRelease: network/nginx-external ClusterRole: network/nginx-external-admission
@@ -1,23 +0,0 @@
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: nginx-external-admission
- annotations:
- helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
- helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
- labels:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/instance: nginx-external
- app.kubernetes.io/part-of: ingress-nginx
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/component: admission-webhook
-rules:
-- apiGroups:
- - admissionregistration.k8s.io
- resources:
- - validatingwebhookconfigurations
- verbs:
- - get
- - update
-
--- HelmRelease: network/nginx-external ClusterRoleBinding: network/nginx-external-admission
+++ HelmRelease: network/nginx-external ClusterRoleBinding: network/nginx-external-admission
@@ -1,23 +0,0 @@
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: nginx-external-admission
- annotations:
- helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
- helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
- labels:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/instance: nginx-external
- app.kubernetes.io/part-of: ingress-nginx
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/component: admission-webhook
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: nginx-external-admission
-subjects:
-- kind: ServiceAccount
- name: nginx-external-admission
- namespace: network
-
--- HelmRelease: network/nginx-external Role: network/nginx-external-admission
+++ HelmRelease: network/nginx-external Role: network/nginx-external-admission
@@ -1,24 +0,0 @@
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
- name: nginx-external-admission
- namespace: network
- annotations:
- helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
- helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
- labels:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/instance: nginx-external
- app.kubernetes.io/part-of: ingress-nginx
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/component: admission-webhook
-rules:
-- apiGroups:
- - ''
- resources:
- - secrets
- verbs:
- - get
- - create
-
--- HelmRelease: network/nginx-external RoleBinding: network/nginx-external-admission
+++ HelmRelease: network/nginx-external RoleBinding: network/nginx-external-admission
@@ -1,24 +0,0 @@
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: nginx-external-admission
- namespace: network
- annotations:
- helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
- helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
- labels:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/instance: nginx-external
- app.kubernetes.io/part-of: ingress-nginx
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/component: admission-webhook
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: Role
- name: nginx-external-admission
-subjects:
-- kind: ServiceAccount
- name: nginx-external-admission
- namespace: network
-
--- HelmRelease: network/nginx-external Job: network/nginx-external-admission-create
+++ HelmRelease: network/nginx-external Job: network/nginx-external-admission-create
@@ -1,56 +0,0 @@
----
-apiVersion: batch/v1
-kind: Job
-metadata:
- name: nginx-external-admission-create
- namespace: network
- annotations:
- helm.sh/hook: pre-install,pre-upgrade
- helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
- labels:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/instance: nginx-external
- app.kubernetes.io/part-of: ingress-nginx
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/component: admission-webhook
-spec:
- template:
- metadata:
- name: nginx-external-admission-create
- labels:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/instance: nginx-external
- app.kubernetes.io/part-of: ingress-nginx
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/component: admission-webhook
- spec:
- containers:
- - name: create
- image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.5.0@sha256:aaafd456bda110628b2d4ca6296f38731a3aaf0bf7581efae824a41c770a8fc4
- imagePullPolicy: IfNotPresent
- args:
- - create
- - --host=nginx-external-controller-admission,nginx-external-controller-admission.$(POD_NAMESPACE).svc
- - --namespace=$(POD_NAMESPACE)
- - --secret-name=nginx-external-admission
- env:
- - name: POD_NAMESPACE
- valueFrom:
- fieldRef:
- fieldPath: metadata.namespace
- securityContext:
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - ALL
- readOnlyRootFilesystem: true
- runAsGroup: 65532
- runAsNonRoot: true
- runAsUser: 65532
- seccompProfile:
- type: RuntimeDefault
- restartPolicy: OnFailure
- serviceAccountName: nginx-external-admission
- nodeSelector:
- kubernetes.io/os: linux
-
--- HelmRelease: network/nginx-external Job: network/nginx-external-admission-patch
+++ HelmRelease: network/nginx-external Job: network/nginx-external-admission-patch
@@ -1,58 +0,0 @@
----
-apiVersion: batch/v1
-kind: Job
-metadata:
- name: nginx-external-admission-patch
- namespace: network
- annotations:
- helm.sh/hook: post-install,post-upgrade
- helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
- labels:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/instance: nginx-external
- app.kubernetes.io/part-of: ingress-nginx
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/component: admission-webhook
-spec:
- template:
- metadata:
- name: nginx-external-admission-patch
- labels:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/instance: nginx-external
- app.kubernetes.io/part-of: ingress-nginx
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/component: admission-webhook
- spec:
- containers:
- - name: patch
- image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.5.0@sha256:aaafd456bda110628b2d4ca6296f38731a3aaf0bf7581efae824a41c770a8fc4
- imagePullPolicy: IfNotPresent
- args:
- - patch
- - --webhook-name=nginx-external-admission
- - --namespace=$(POD_NAMESPACE)
- - --patch-mutating=false
- - --secret-name=nginx-external-admission
- - --patch-failure-policy=Fail
- env:
- - name: POD_NAMESPACE
- valueFrom:
- fieldRef:
- fieldPath: metadata.namespace
- securityContext:
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - ALL
- readOnlyRootFilesystem: true
- runAsGroup: 65532
- runAsNonRoot: true
- runAsUser: 65532
- seccompProfile:
- type: RuntimeDefault
- restartPolicy: OnFailure
- serviceAccountName: nginx-external-admission
- nodeSelector:
- kubernetes.io/os: linux
-
--- HelmRelease: network/nginx-internal PodDisruptionBudget: network/nginx-internal-controller
+++ HelmRelease: network/nginx-internal PodDisruptionBudget: network/nginx-internal-controller
@@ -1,20 +0,0 @@
----
-apiVersion: policy/v1
-kind: PodDisruptionBudget
-metadata:
- labels:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/instance: nginx-internal
- app.kubernetes.io/part-of: ingress-nginx
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/component: controller
- name: nginx-internal-controller
- namespace: network
-spec:
- selector:
- matchLabels:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/instance: nginx-internal
- app.kubernetes.io/component: controller
- minAvailable: 1
-
--- HelmRelease: network/nginx-internal ServiceAccount: network/nginx-internal
+++ HelmRelease: network/nginx-internal ServiceAccount: network/nginx-internal
@@ -1,14 +0,0 @@
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- labels:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/instance: nginx-internal
- app.kubernetes.io/part-of: ingress-nginx
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/component: controller
- name: nginx-internal
- namespace: network
-automountServiceAccountToken: true
-
--- HelmRelease: network/nginx-internal ConfigMap: network/nginx-internal-controller
+++ HelmRelease: network/nginx-internal ConfigMap: network/nginx-internal-controller
@@ -1,35 +0,0 @@
----
-apiVersion: v1
-kind: ConfigMap
-metadata:
- labels:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/instance: nginx-internal
- app.kubernetes.io/part-of: ingress-nginx
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/component: controller
- name: nginx-internal-controller
- namespace: network
-data:
- allow-snippet-annotations: 'true'
- annotations-risk-level: Critical
- block-user-agents: GPTBot,~*GPTBot*,ChatGPT-User,~*ChatGPT-User*,Google-Extended,~*Google-Extended*,CCBot,~*CCBot*,Omgilibot,~*Omgilibot*,FacebookBot,~*FacebookBot*
- client-body-buffer-size: 100M
- client-body-timeout: '120'
- client-header-timeout: '120'
- enable-brotli: 'true'
- enable-ocsp: 'true'
- enable-real-ip: 'true'
- force-ssl-redirect: 'true'
- hide-headers: Server,X-Powered-By
- hsts-max-age: '3.14496e+07'
- keep-alive: '120'
- keep-alive-requests: '10000'
- log-format-escape-json: 'true'
- log-format-upstream: |
- {"time": "$time_iso8601", "remote_addr": "$proxy_protocol_addr", "x_forwarded_for": "$proxy_add_x_forwarded_for", "request_id": "$req_id", "remote_user": "$remote_user", "bytes_sent": $bytes_sent, "request_time": $request_time, "status": $status, "vhost": "$host", "request_proto": "$server_protocol", "path": "$uri", "request_query": "$args", "request_length": $request_length, "duration": $request_time, "method": "$request_method", "http_referrer": "$http_referer", "http_user_agent": "$http_user_agent"}
- proxy-body-size: '0'
- proxy-buffer-size: 16k
- ssl-protocols: TLSv1.3 TLSv1.2
- use-forwarded-headers: 'true'
-
--- HelmRelease: network/nginx-internal ClusterRole: network/nginx-internal
+++ HelmRelease: network/nginx-internal ClusterRole: network/nginx-internal
@@ -1,82 +0,0 @@
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- labels:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/instance: nginx-internal
- app.kubernetes.io/part-of: ingress-nginx
- app.kubernetes.io/managed-by: Helm
- name: nginx-internal
-rules:
-- apiGroups:
- - ''
- resources:
- - configmaps
- - endpoints
- - nodes
- - pods
- - secrets
- - namespaces
- verbs:
- - list
- - watch
-- apiGroups:
- - coordination.k8s.io
- resources:
- - leases
- verbs:
- - list
- - watch
-- apiGroups:
- - ''
- resources:
- - nodes
- verbs:
- - get
-- apiGroups:
- - ''
- resources:
- - services
- verbs:
- - get
- - list
- - watch
-- apiGroups:
- - networking.k8s.io
- resources:
- - ingresses
- verbs:
- - get
- - list
- - watch
-- apiGroups:
- - ''
- resources:
- - events
- verbs:
- - create
- - patch
-- apiGroups:
- - networking.k8s.io
- resources:
- - ingresses/status
- verbs:
- - update
-- apiGroups:
- - networking.k8s.io
- resources:
- - ingressclasses
- verbs:
- - get
- - list
- - watch
-- apiGroups:
- - discovery.k8s.io
- resources:
- - endpointslices
- verbs:
- - list
- - watch
- - get
-
--- HelmRelease: network/nginx-internal ClusterRoleBinding: network/nginx-internal
+++ HelmRelease: network/nginx-internal ClusterRoleBinding: network/nginx-internal
@@ -1,19 +0,0 @@
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- labels:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/instance: nginx-internal
- app.kubernetes.io/part-of: ingress-nginx
- app.kubernetes.io/managed-by: Helm
- name: nginx-internal
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: nginx-internal
-subjects:
-- kind: ServiceAccount
- name: nginx-internal
- namespace: network
-
--- HelmRelease: network/nginx-internal Role: network/nginx-internal
+++ HelmRelease: network/nginx-internal Role: network/nginx-internal
@@ -1,91 +0,0 @@
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
- labels:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/instance: nginx-internal
- app.kubernetes.io/part-of: ingress-nginx
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/component: controller
- name: nginx-internal
- namespace: network
-rules:
-- apiGroups:
- - ''
- resources:
- - namespaces
- verbs:
- - get
-- apiGroups:
- - ''
- resources:
- - configmaps
- - pods
- - secrets
- - endpoints
- verbs:
- - get
- - list
- - watch
-- apiGroups:
- - ''
- resources:
- - services
- verbs:
- - get
- - list
- - watch
-- apiGroups:
- - networking.k8s.io
- resources:
- - ingresses
- verbs:
- - get
- - list
- - watch
-- apiGroups:
- - networking.k8s.io
- resources:
- - ingresses/status
- verbs:
- - update
-- apiGroups:
- - networking.k8s.io
- resources:
- - ingressclasses
- verbs:
- - get
- - list
- - watch
-- apiGroups:
- - coordination.k8s.io
- resources:
- - leases
- resourceNames:
- - nginx-internal-leader
- verbs:
- - get
- - update
-- apiGroups:
- - coordination.k8s.io
- resources:
- - leases
- verbs:
- - create
-- apiGroups:
- - ''
- resources:
- - events
- verbs:
- - create
- - patch
-- apiGroups:
- - discovery.k8s.io
- resources:
- - endpointslices
- verbs:
- - list
- - watch
- - get
-
--- HelmRelease: network/nginx-internal RoleBinding: network/nginx-internal
+++ HelmRelease: network/nginx-internal RoleBinding: network/nginx-internal
@@ -1,21 +0,0 @@
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- labels:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/instance: nginx-internal
- app.kubernetes.io/part-of: ingress-nginx
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/component: controller
- name: nginx-internal
- namespace: network
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: Role
- name: nginx-internal
-subjects:
-- kind: ServiceAccount
- name: nginx-internal
- namespace: network
-
--- HelmRelease: network/nginx-internal Service: network/nginx-internal-controller-metrics
+++ HelmRelease: network/nginx-internal Service: network/nginx-internal-controller-metrics
@@ -1,24 +0,0 @@
----
-apiVersion: v1
-kind: Service
-metadata:
- labels:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/instance: nginx-internal
- app.kubernetes.io/part-of: ingress-nginx
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/component: controller
- name: nginx-internal-controller-metrics
- namespace: network
-spec:
- type: ClusterIP
- ports:
- - name: metrics
- port: 10254
- protocol: TCP
- targetPort: metrics
- selector:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/instance: nginx-internal
- app.kubernetes.io/component: controller
-
--- HelmRelease: network/nginx-internal Service: network/nginx-internal-controller-admission
+++ HelmRelease: network/nginx-internal Service: network/nginx-internal-controller-admission
@@ -1,24 +0,0 @@
----
-apiVersion: v1
-kind: Service
-metadata:
- labels:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/instance: nginx-internal
- app.kubernetes.io/part-of: ingress-nginx
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/component: controller
- name: nginx-internal-controller-admission
- namespace: network
-spec:
- type: ClusterIP
- ports:
- - name: https-webhook
- port: 443
- targetPort: webhook
- appProtocol: https
- selector:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/instance: nginx-internal
- app.kubernetes.io/component: controller
-
--- HelmRelease: network/nginx-internal Service: network/nginx-internal-controller
+++ HelmRelease: network/nginx-internal Service: network/nginx-internal-controller
@@ -1,37 +0,0 @@
----
-apiVersion: v1
-kind: Service
-metadata:
- annotations:
- external-dns.alpha.kubernetes.io/hostname: internal...PLACEHOLDER_SECRET_DOMAIN..
- lbipam.cilium.io/ips: ..PLACEHOLDER_SVC_NGINX_INTERNAL..
- labels:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/instance: nginx-internal
- app.kubernetes.io/part-of: ingress-nginx
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/component: controller
- name: nginx-internal-controller
- namespace: network
-spec:
- type: LoadBalancer
- externalTrafficPolicy: Cluster
- ipFamilyPolicy: SingleStack
- ipFamilies:
- - IPv4
- ports:
- - name: http
- port: 80
- protocol: TCP
- targetPort: http
- appProtocol: http
- - name: https
- port: 443
- protocol: TCP
- targetPort: https
- appProtocol: https
- selector:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/instance: nginx-internal
- app.kubernetes.io/component: controller
-
--- HelmRelease: network/nginx-internal Deployment: network/nginx-internal-controller
+++ HelmRelease: network/nginx-internal Deployment: network/nginx-internal-controller
@@ -1,137 +0,0 @@
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- labels:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/instance: nginx-internal
- app.kubernetes.io/part-of: ingress-nginx
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/component: controller
- name: nginx-internal-controller
- namespace: network
-spec:
- selector:
- matchLabels:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/instance: nginx-internal
- app.kubernetes.io/component: controller
- replicas: 2
- revisionHistoryLimit: 10
- minReadySeconds: 0
- template:
- metadata:
- labels:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/instance: nginx-internal
- app.kubernetes.io/part-of: ingress-nginx
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/component: controller
- spec:
- dnsPolicy: ClusterFirst
- containers:
- - name: controller
- image: registry.k8s.io/ingress-nginx/controller:v1.12.0@sha256:e6b8de175acda6ca913891f0f727bca4527e797d52688cbe9fec9040d6f6b6fa
- imagePullPolicy: IfNotPresent
- lifecycle:
- preStop:
- exec:
- command:
- - /wait-shutdown
- args:
- - /nginx-ingress-controller
- - --election-id=nginx-internal-leader
- - --controller-class=k8s.io/internal
- - --ingress-class=nginx
- - --configmap=$(POD_NAMESPACE)/nginx-internal-controller
- - --validating-webhook=:8443
- - --validating-webhook-certificate=/usr/local/certificates/cert
- - --validating-webhook-key=/usr/local/certificates/key
- - --enable-metrics=true
- - --default-ssl-certificate=cert-manager/..PLACEHOLDER_SECRET_DOMAIN..-tls
- - --publish-status-address=internal...PLACEHOLDER_SECRET_DOMAIN..
- securityContext:
- runAsNonRoot: true
- runAsUser: 101
- runAsGroup: 82
- allowPrivilegeEscalation: false
- seccompProfile:
- type: RuntimeDefault
- capabilities:
- drop:
- - ALL
- add:
- - NET_BIND_SERVICE
- readOnlyRootFilesystem: false
- env:
- - name: POD_NAME
- valueFrom:
- fieldRef:
- fieldPath: metadata.name
- - name: POD_NAMESPACE
- valueFrom:
- fieldRef:
- fieldPath: metadata.namespace
- - name: LD_PRELOAD
- value: /usr/local/lib/libmimalloc.so
- livenessProbe:
- failureThreshold: 5
- httpGet:
- path: /healthz
- port: 10254
- scheme: HTTP
- initialDelaySeconds: 10
- periodSeconds: 10
- successThreshold: 1
- timeoutSeconds: 1
- readinessProbe:
- failureThreshold: 3
- httpGet:
- path: /healthz
- port: 10254
- scheme: HTTP
- initialDelaySeconds: 10
- periodSeconds: 10
- successThreshold: 1
- timeoutSeconds: 1
- ports:
- - name: http
- containerPort: 80
- protocol: TCP
- - name: https
- containerPort: 443
- protocol: TCP
- - name: metrics
- containerPort: 10254
- protocol: TCP
- - name: webhook
- containerPort: 8443
- protocol: TCP
- volumeMounts:
- - name: webhook-cert
- mountPath: /usr/local/certificates/
- readOnly: true
- resources:
- limits:
- memory: 500Mi
- requests:
- cpu: 100m
- memory: 90Mi
- nodeSelector:
- kubernetes.io/os: linux
- topologySpreadConstraints:
- - labelSelector:
- matchLabels:
- app.kubernetes.io/component: controller
- app.kubernetes.io/instance: nginx-internal
- app.kubernetes.io/name: ingress-nginx
- maxSkew: 1
- topologyKey: kubernetes.io/hostname
- whenUnsatisfiable: DoNotSchedule
- serviceAccountName: nginx-internal
- terminationGracePeriodSeconds: 120
- volumes:
- - name: webhook-cert
- secret:
- secretName: nginx-internal-admission
-
--- HelmRelease: network/nginx-internal IngressClass: network/internal
+++ HelmRelease: network/nginx-internal IngressClass: network/internal
@@ -1,16 +0,0 @@
----
-apiVersion: networking.k8s.io/v1
-kind: IngressClass
-metadata:
- labels:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/instance: nginx-internal
- app.kubernetes.io/part-of: ingress-nginx
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/component: controller
- name: internal
- annotations:
- ingressclass.kubernetes.io/is-default-class: 'true'
-spec:
- controller: k8s.io/internal
-
--- HelmRelease: network/nginx-internal ServiceMonitor: network/nginx-internal-controller
+++ HelmRelease: network/nginx-internal ServiceMonitor: network/nginx-internal-controller
@@ -1,24 +0,0 @@
----
-apiVersion: monitoring.coreos.com/v1
-kind: ServiceMonitor
-metadata:
- name: nginx-internal-controller
- namespace: network
- labels:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/instance: nginx-internal
- app.kubernetes.io/part-of: ingress-nginx
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/component: controller
-spec:
- namespaceSelector:
- any: true
- selector:
- matchLabels:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/instance: nginx-internal
- app.kubernetes.io/component: controller
- endpoints:
- - port: metrics
- interval: 30s
-
--- HelmRelease: network/nginx-internal ValidatingWebhookConfiguration: network/nginx-internal-admission
+++ HelmRelease: network/nginx-internal ValidatingWebhookConfiguration: network/nginx-internal-admission
@@ -1,41 +0,0 @@
----
-apiVersion: admissionregistration.k8s.io/v1
-kind: ValidatingWebhookConfiguration
-metadata:
- labels:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/instance: nginx-internal
- app.kubernetes.io/part-of: ingress-nginx
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/component: admission-webhook
- name: nginx-internal-admission
-webhooks:
-- name: validate.nginx.ingress.kubernetes.io
- matchPolicy: Equivalent
- rules:
- - apiGroups:
- - networking.k8s.io
- apiVersions:
- - v1
- operations:
- - CREATE
- - UPDATE
- resources:
- - ingresses
- failurePolicy: Fail
- sideEffects: None
- admissionReviewVersions:
- - v1
- clientConfig:
- service:
- name: nginx-internal-controller-admission
- namespace: network
- port: 443
- path: /networking/v1/ingresses
- objectSelector:
- matchExpressions:
- - key: ingress-class
- operator: In
- values:
- - internal
-
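Review bot: the deleted webhook only validated Ingresses carrying the label selected at `key: ingress-class` / `values: - internal`, not Ingresses selected by `spec.ingressClassName`, so an object that set `ingressClassName: internal` without that label was reconciled by the controller but never passed through `failurePolicy: Fail` validation. The replacement ValidatingWebhookConfiguration for the new controller is not in this part of the diff; please confirm it does not carry the same `objectSelector`, or that every Ingress is labelled consistently, otherwise the admission check is bypassable by simply omitting the label.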
--- HelmRelease: network/nginx-internal ServiceAccount: network/nginx-internal-admission
+++ HelmRelease: network/nginx-internal ServiceAccount: network/nginx-internal-admission
@@ -1,17 +0,0 @@
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: nginx-internal-admission
- namespace: network
- annotations:
- helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
- helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
- labels:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/instance: nginx-internal
- app.kubernetes.io/part-of: ingress-nginx
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/component: admission-webhook
-automountServiceAccountToken: true
-
--- HelmRelease: network/nginx-internal ClusterRole: network/nginx-internal-admission
+++ HelmRelease: network/nginx-internal ClusterRole: network/nginx-internal-admission
@@ -1,23 +0,0 @@
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: nginx-internal-admission
- annotations:
- helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
- helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
- labels:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/instance: nginx-internal
- app.kubernetes.io/part-of: ingress-nginx
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/component: admission-webhook
-rules:
-- apiGroups:
- - admissionregistration.k8s.io
- resources:
- - validatingwebhookconfigurations
- verbs:
- - get
- - update
-
--- HelmRelease: network/nginx-internal ClusterRoleBinding: network/nginx-internal-admission
+++ HelmRelease: network/nginx-internal ClusterRoleBinding: network/nginx-internal-admission
@@ -1,23 +0,0 @@
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: nginx-internal-admission
- annotations:
- helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
- helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
- labels:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/instance: nginx-internal
- app.kubernetes.io/part-of: ingress-nginx
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/component: admission-webhook
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: nginx-internal-admission
-subjects:
-- kind: ServiceAccount
- name: nginx-internal-admission
- namespace: network
-
--- HelmRelease: network/nginx-internal Role: network/nginx-internal-admission
+++ HelmRelease: network/nginx-internal Role: network/nginx-internal-admission
@@ -1,24 +0,0 @@
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
- name: nginx-internal-admission
- namespace: network
- annotations:
- helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
- helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
- labels:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/instance: nginx-internal
- app.kubernetes.io/part-of: ingress-nginx
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/component: admission-webhook
-rules:
-- apiGroups:
- - ''
- resources:
- - secrets
- verbs:
- - get
- - create
-
--- HelmRelease: network/nginx-internal RoleBinding: network/nginx-internal-admission
+++ HelmRelease: network/nginx-internal RoleBinding: network/nginx-internal-admission
@@ -1,24 +0,0 @@
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: nginx-internal-admission
- namespace: network
- annotations:
- helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
- helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
- labels:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/instance: nginx-internal
- app.kubernetes.io/part-of: ingress-nginx
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/component: admission-webhook
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: Role
- name: nginx-internal-admission
-subjects:
-- kind: ServiceAccount
- name: nginx-internal-admission
- namespace: network
-
--- HelmRelease: network/nginx-internal Job: network/nginx-internal-admission-create
+++ HelmRelease: network/nginx-internal Job: network/nginx-internal-admission-create
@@ -1,56 +0,0 @@
----
-apiVersion: batch/v1
-kind: Job
-metadata:
- name: nginx-internal-admission-create
- namespace: network
- annotations:
- helm.sh/hook: pre-install,pre-upgrade
- helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
- labels:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/instance: nginx-internal
- app.kubernetes.io/part-of: ingress-nginx
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/component: admission-webhook
-spec:
- template:
- metadata:
- name: nginx-internal-admission-create
- labels:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/instance: nginx-internal
- app.kubernetes.io/part-of: ingress-nginx
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/component: admission-webhook
- spec:
- containers:
- - name: create
- image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.5.0@sha256:aaafd456bda110628b2d4ca6296f38731a3aaf0bf7581efae824a41c770a8fc4
- imagePullPolicy: IfNotPresent
- args:
- - create
- - --host=nginx-internal-controller-admission,nginx-internal-controller-admission.$(POD_NAMESPACE).svc
- - --namespace=$(POD_NAMESPACE)
- - --secret-name=nginx-internal-admission
- env:
- - name: POD_NAMESPACE
- valueFrom:
- fieldRef:
- fieldPath: metadata.namespace
- securityContext:
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - ALL
- readOnlyRootFilesystem: true
- runAsGroup: 65532
- runAsNonRoot: true
- runAsUser: 65532
- seccompProfile:
- type: RuntimeDefault
- restartPolicy: OnFailure
- serviceAccountName: nginx-internal-admission
- nodeSelector:
- kubernetes.io/os: linux
-
--- HelmRelease: network/nginx-internal Job: network/nginx-internal-admission-patch
+++ HelmRelease: network/nginx-internal Job: network/nginx-internal-admission-patch
@@ -1,58 +0,0 @@
----
-apiVersion: batch/v1
-kind: Job
-metadata:
- name: nginx-internal-admission-patch
- namespace: network
- annotations:
- helm.sh/hook: post-install,post-upgrade
- helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
- labels:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/instance: nginx-internal
- app.kubernetes.io/part-of: ingress-nginx
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/component: admission-webhook
-spec:
- template:
- metadata:
- name: nginx-internal-admission-patch
- labels:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/instance: nginx-internal
- app.kubernetes.io/part-of: ingress-nginx
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/component: admission-webhook
- spec:
- containers:
- - name: patch
- image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.5.0@sha256:aaafd456bda110628b2d4ca6296f38731a3aaf0bf7581efae824a41c770a8fc4
- imagePullPolicy: IfNotPresent
- args:
- - patch
- - --webhook-name=nginx-internal-admission
- - --namespace=$(POD_NAMESPACE)
- - --patch-mutating=false
- - --secret-name=nginx-internal-admission
- - --patch-failure-policy=Fail
- env:
- - name: POD_NAMESPACE
- valueFrom:
- fieldRef:
- fieldPath: metadata.namespace
- securityContext:
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - ALL
- readOnlyRootFilesystem: true
- runAsGroup: 65532
- runAsNonRoot: true
- runAsUser: 65532
- seccompProfile:
- type: RuntimeDefault
- restartPolicy: OnFailure
- serviceAccountName: nginx-internal-admission
- nodeSelector:
- kubernetes.io/os: linux
-
--- HelmRelease: network/cloudflared Deployment: network/cloudflared
+++ HelmRelease: network/cloudflared Deployment: network/cloudflared
@@ -91,21 +91,21 @@
memory: 256M
requests:
cpu: 5m
memory: 128M
volumeMounts:
- mountPath: /etc/cloudflared/config/config.yaml
- name: config
+ name: config-file
readOnly: true
subPath: config.yaml
- mountPath: /etc/cloudflared/creds/credentials.json
- name: creds
+ name: secret-file
readOnly: true
subPath: credentials.json
volumes:
- configMap:
name: cloudflared-configmap
- name: config
- - name: creds
+ name: config-file
+ - name: secret-file
secret:
- secretName: cloudflared-secret
+ secretName: cloudflared-tunnel-secret
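Review bot: the mounted Secret is renamed at `secretName: cloudflared-tunnel-secret`, but nothing in this diff creates or renames a Secret with that name; if the object that provides the tunnel credentials keeps the old `cloudflared-secret` name, the pod will stay in ContainerCreating with a missing-volume error. Please confirm the Secret definition is renamed in the same change. The volume renames (`config` to `config-file`, `creds` to `secret-file`) are cosmetic and fine; note that both mounts use `subPath`, so ConfigMap and Secret updates are not propagated into the running pod without a restart, which is unchanged here but worth remembering when rotating the tunnel credentials.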
--- HelmRelease: network/external-ingress-nginx PodDisruptionBudget: network/external-ingress-nginx-controller
+++ HelmRelease: network/external-ingress-nginx PodDisruptionBudget: network/external-ingress-nginx-controller
@@ -0,0 +1,20 @@
+---
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+ labels:
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/instance: external-ingress-nginx
+ app.kubernetes.io/part-of: ingress-nginx
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/component: controller
+ name: external-ingress-nginx-controller
+ namespace: network
+spec:
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/instance: external-ingress-nginx
+ app.kubernetes.io/component: controller
+ minAvailable: 1
+
--- HelmRelease: network/external-ingress-nginx ServiceAccount: network/external-ingress-nginx
+++ HelmRelease: network/external-ingress-nginx ServiceAccount: network/external-ingress-nginx
@@ -0,0 +1,14 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ labels:
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/instance: external-ingress-nginx
+ app.kubernetes.io/part-of: ingress-nginx
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/component: controller
+ name: external-ingress-nginx
+ namespace: network
+automountServiceAccountToken: true
+
--- HelmRelease: network/external-ingress-nginx ConfigMap: network/external-ingress-nginx-controller
+++ HelmRelease: network/external-ingress-nginx ConfigMap: network/external-ingress-nginx-controller
@@ -0,0 +1,35 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ labels:
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/instance: external-ingress-nginx
+ app.kubernetes.io/part-of: ingress-nginx
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/component: controller
+ name: external-ingress-nginx-controller
+ namespace: network
+data:
+ allow-snippet-annotations: 'true'
+ annotations-risk-level: Critical
+ block-user-agents: AdsBot-Google,Amazonbot,anthropic-ai,Applebot-Extended,Bytespider,CCBot,ChatGPT-User,ClaudeBot,Claude-Web,cohere-ai,Diffbot,FacebookBot,FriendlyCrawler,Google-Extended,GoogleOther,GPTBot,img2dataset,omgili,omgilibot,peer39_crawler,peer39_crawler/1.0,PerplexityBot,YouBot,
+ client-body-buffer-size: 100M
+ client-body-timeout: '120'
+ client-header-timeout: '120'
+ enable-brotli: 'true'
+ enable-ocsp: 'true'
+ enable-real-ip: 'true'
+ force-ssl-redirect: 'true'
+ hide-headers: Server,X-Powered-By
+ hsts-max-age: '3.14496e+07'
+ keep-alive: '120'
+ keep-alive-requests: '10000'
+ log-format-escape-json: 'true'
+ log-format-upstream: |
+ {"time": "$time_iso8601", "remote_addr": "$proxy_protocol_addr", "x_forwarded_for": "$proxy_add_x_forwarded_for", "request_id": "$req_id", "remote_user": "$remote_user", "bytes_sent": $bytes_sent, "request_time": $request_time, "status": $status, "vhost": "$host", "request_proto": "$server_protocol", "path": "$uri", "request_query": "$args", "request_length": $request_length, "duration": $request_time, "method": "$request_method", "http_referrer": "$http_referer", "http_user_agent": "$http_user_agent"}
+ proxy-body-size: '0'
+ proxy-buffer-size: 16k
+ ssl-protocols: TLSv1.3 TLSv1.2
+ use-forwarded-headers: 'true'
+
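Review bot: `allow-snippet-annotations: 'true'` together with `annotations-risk-level: Critical` on the externally reachable controller lets anyone who can create an Ingress in any namespace inject arbitrary nginx configuration into this controller, which runs under a ServiceAccount whose ClusterRole can list and watch Secrets cluster-wide; if only a known set of Ingresses needs snippets, keep them disabled on the external controller or lower the risk level here. Three smaller points in the same hunk: `hsts-max-age: '3.14496e+07'` has been rendered in scientific notation (the usual result of an unquoted large integer passing through Helm values), and that string is interpolated verbatim into the `Strict-Transport-Security` header, where `max-age` must be an integer number of seconds; quote the value as a string in the HelmRelease values so it renders as `31449600`. `log-format-upstream` records `"remote_addr": "$proxy_protocol_addr"`, but no `use-proxy-protocol` key appears in this ConfigMap, so that field is empty unless PROXY protocol is enabled elsewhere; `$remote_addr` combined with `enable-real-ip` is probably what was intended. And the trailing comma in `block-user-agents` (`...,YouBot,`) leaves an empty entry at the end of the list.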
--- HelmRelease: network/external-ingress-nginx ClusterRole: network/external-ingress-nginx
+++ HelmRelease: network/external-ingress-nginx ClusterRole: network/external-ingress-nginx
@@ -0,0 +1,82 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ labels:
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/instance: external-ingress-nginx
+ app.kubernetes.io/part-of: ingress-nginx
+ app.kubernetes.io/managed-by: Helm
+ name: external-ingress-nginx
+rules:
+- apiGroups:
+ - ''
+ resources:
+ - configmaps
+ - endpoints
+ - nodes
+ - pods
+ - secrets
+ - namespaces
+ verbs:
+ - list
+ - watch
+- apiGroups:
+ - coordination.k8s.io
+ resources:
+ - leases
+ verbs:
+ - list
+ - watch
+- apiGroups:
+ - ''
+ resources:
+ - nodes
+ verbs:
+ - get
+- apiGroups:
+ - ''
+ resources:
+ - services
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - networking.k8s.io
+ resources:
+ - ingresses
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - ''
+ resources:
+ - events
+ verbs:
+ - create
+ - patch
+- apiGroups:
+ - networking.k8s.io
+ resources:
+ - ingresses/status
+ verbs:
+ - update
+- apiGroups:
+ - networking.k8s.io
+ resources:
+ - ingressclasses
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - discovery.k8s.io
+ resources:
+ - endpointslices
+ verbs:
+ - list
+ - watch
+ - get
+
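Review bot: the first rule, `resources: ... - secrets` with `verbs: - list - watch`, is cluster-scoped, so the controller's ServiceAccount can read every Secret in the cluster, not only the TLS secrets in `network` and the `cert-manager/` default certificate the Deployment references. This is the upstream chart default and is required for cross-namespace TLS, but it is also what turns a snippet-annotation injection on this controller into a cluster-wide secret disclosure; if the Ingresses served here live in a bounded set of namespaces, consider restricting the controller with the chart's watch-namespace options, and otherwise treat the snippet setting in the ConfigMap as the control that matters.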
--- HelmRelease: network/external-ingress-nginx ClusterRoleBinding: network/external-ingress-nginx
+++ HelmRelease: network/external-ingress-nginx ClusterRoleBinding: network/external-ingress-nginx
@@ -0,0 +1,19 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ labels:
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/instance: external-ingress-nginx
+ app.kubernetes.io/part-of: ingress-nginx
+ app.kubernetes.io/managed-by: Helm
+ name: external-ingress-nginx
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: external-ingress-nginx
+subjects:
+- kind: ServiceAccount
+ name: external-ingress-nginx
+ namespace: network
+
--- HelmRelease: network/external-ingress-nginx Role: network/external-ingress-nginx
+++ HelmRelease: network/external-ingress-nginx Role: network/external-ingress-nginx
@@ -0,0 +1,91 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ labels:
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/instance: external-ingress-nginx
+ app.kubernetes.io/part-of: ingress-nginx
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/component: controller
+ name: external-ingress-nginx
+ namespace: network
+rules:
+- apiGroups:
+ - ''
+ resources:
+ - namespaces
+ verbs:
+ - get
+- apiGroups:
+ - ''
+ resources:
+ - configmaps
+ - pods
+ - secrets
+ - endpoints
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - ''
+ resources:
+ - services
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - networking.k8s.io
+ resources:
+ - ingresses
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - networking.k8s.io
+ resources:
+ - ingresses/status
+ verbs:
+ - update
+- apiGroups:
+ - networking.k8s.io
+ resources:
+ - ingressclasses
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - coordination.k8s.io
+ resources:
+ - leases
+ resourceNames:
+ - external-ingress-nginx-leader
+ verbs:
+ - get
+ - update
+- apiGroups:
+ - coordination.k8s.io
+ resources:
+ - leases
+ verbs:
+ - create
+- apiGroups:
+ - ''
+ resources:
+ - events
+ verbs:
+ - create
+ - patch
+- apiGroups:
+ - discovery.k8s.io
+ resources:
+ - endpointslices
+ verbs:
+ - list
+ - watch
+ - get
+
--- HelmRelease: network/external-ingress-nginx RoleBinding: network/external-ingress-nginx
+++ HelmRelease: network/external-ingress-nginx RoleBinding: network/external-ingress-nginx
@@ -0,0 +1,21 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ labels:
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/instance: external-ingress-nginx
+ app.kubernetes.io/part-of: ingress-nginx
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/component: controller
+ name: external-ingress-nginx
+ namespace: network
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: external-ingress-nginx
+subjects:
+- kind: ServiceAccount
+ name: external-ingress-nginx
+ namespace: network
+
--- HelmRelease: network/external-ingress-nginx Service: network/external-ingress-nginx-controller-metrics
+++ HelmRelease: network/external-ingress-nginx Service: network/external-ingress-nginx-controller-metrics
@@ -0,0 +1,24 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/instance: external-ingress-nginx
+ app.kubernetes.io/part-of: ingress-nginx
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/component: controller
+ name: external-ingress-nginx-controller-metrics
+ namespace: network
+spec:
+ type: ClusterIP
+ ports:
+ - name: metrics
+ port: 10254
+ protocol: TCP
+ targetPort: metrics
+ selector:
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/instance: external-ingress-nginx
+ app.kubernetes.io/component: controller
+
--- HelmRelease: network/external-ingress-nginx Service: network/external-ingress-nginx-controller-admission
+++ HelmRelease: network/external-ingress-nginx Service: network/external-ingress-nginx-controller-admission
@@ -0,0 +1,24 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/instance: external-ingress-nginx
+ app.kubernetes.io/part-of: ingress-nginx
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/component: controller
+ name: external-ingress-nginx-controller-admission
+ namespace: network
+spec:
+ type: ClusterIP
+ ports:
+ - name: https-webhook
+ port: 443
+ targetPort: webhook
+ appProtocol: https
+ selector:
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/instance: external-ingress-nginx
+ app.kubernetes.io/component: controller
+
--- HelmRelease: network/external-ingress-nginx Service: network/external-ingress-nginx-controller
+++ HelmRelease: network/external-ingress-nginx Service: network/external-ingress-nginx-controller
@@ -0,0 +1,36 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+ annotations:
+ external-dns.alpha.kubernetes.io/hostname: external...PLACEHOLDER_SECRET_DOMAIN..
+ lbipam.cilium.io/ips: ..PLACEHOLDER_SVC_NGINX_EXTERNAL..
+ labels:
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/instance: external-ingress-nginx
+ app.kubernetes.io/part-of: ingress-nginx
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/component: controller
+ name: external-ingress-nginx-controller
+ namespace: network
+spec:
+ type: LoadBalancer
+ ipFamilyPolicy: SingleStack
+ ipFamilies:
+ - IPv4
+ ports:
+ - name: http
+ port: 80
+ protocol: TCP
+ targetPort: http
+ appProtocol: http
+ - name: https
+ port: 443
+ protocol: TCP
+ targetPort: https
+ appProtocol: https
+ selector:
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/instance: external-ingress-nginx
+ app.kubernetes.io/component: controller
+
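Review bot: `externalTrafficPolicy` is not set on this Service (the removed `nginx-internal-controller` Service declared `externalTrafficPolicy: Cluster` explicitly), so it defaults to Cluster and client source addresses are SNATed to the node before reaching the controller pods. With `enable-real-ip` and `use-forwarded-headers` enabled in the ConfigMap, the client IP the controller logs and enforces on will then come from whatever `X-Forwarded-For` the upstream hop sets, and nginx will accept that header from any source. If the address is meant to be preserved at L4, set `externalTrafficPolicy: Local`; if it is meant to come from a fronting proxy, add `proxy-real-ip-cidr` with that proxy's ranges so forwarded headers from other clients are not trusted.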
--- HelmRelease: network/external-ingress-nginx Deployment: network/external-ingress-nginx-controller
+++ HelmRelease: network/external-ingress-nginx Deployment: network/external-ingress-nginx-controller
@@ -0,0 +1,137 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/instance: external-ingress-nginx
+ app.kubernetes.io/part-of: ingress-nginx
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/component: controller
+ name: external-ingress-nginx-controller
+ namespace: network
+spec:
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/instance: external-ingress-nginx
+ app.kubernetes.io/component: controller
+ replicas: 2
+ revisionHistoryLimit: 10
+ minReadySeconds: 0
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/instance: external-ingress-nginx
+ app.kubernetes.io/part-of: ingress-nginx
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/component: controller
+ spec:
+ dnsPolicy: ClusterFirst
+ containers:
+ - name: controller
+ image: registry.k8s.io/ingress-nginx/controller:v1.12.0@sha256:e6b8de175acda6ca913891f0f727bca4527e797d52688cbe9fec9040d6f6b6fa
+ imagePullPolicy: IfNotPresent
+ lifecycle:
+ preStop:
+ exec:
+ command:
+ - /wait-shutdown
+ args:
+ - /nginx-ingress-controller
+ - --election-id=external-ingress-nginx-leader
+ - --controller-class=k8s.io/external
+ - --ingress-class=nginx
+ - --configmap=$(POD_NAMESPACE)/external-ingress-nginx-controller
+ - --validating-webhook=:8443
+ - --validating-webhook-certificate=/usr/local/certificates/cert
+ - --validating-webhook-key=/usr/local/certificates/key
+ - --enable-metrics=true
+ - --default-ssl-certificate=cert-manager/..PLACEHOLDER_SECRET_DOMAIN..-tls
+ - --publish-status-address=external...PLACEHOLDER_SECRET_DOMAIN..
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: 101
+ runAsGroup: 82
+ allowPrivilegeEscalation: false
+ seccompProfile:
+ type: RuntimeDefault
+ capabilities:
+ drop:
+ - ALL
+ add:
+ - NET_BIND_SERVICE
+ readOnlyRootFilesystem: false
+ env:
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.name
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ - name: LD_PRELOAD
+ value: /usr/local/lib/libmimalloc.so
+ livenessProbe:
+ failureThreshold: 5
+ httpGet:
+ path: /healthz
+ port: 10254
+ scheme: HTTP
+ initialDelaySeconds: 10
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 1
+ readinessProbe:
+ failureThreshold: 3
+ httpGet:
+ path: /healthz
+ port: 10254
+ scheme: HTTP
+ initialDelaySeconds: 10
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 1
+ ports:
+ - name: http
+ containerPort: 80
+ protocol: TCP
+ - name: https
+ containerPort: 443
+ protocol: TCP
+ - name: metrics
+ containerPort: 10254
+ protocol: TCP
+ - name: webhook
+ containerPort: 8443
+ protocol: TCP
+ volumeMounts:
+ - name: webhook-cert
+ mountPath: /usr/local/certificates/
+ readOnly: true
+ resources:
+ limits:
+ memory: 500Mi
+ requests:
+ cpu: 100m
+ memory: 90Mi
+ nodeSelector:
+ kubernetes.io/os: linux
+ topologySpreadConstraints:
+ - labelSelector:
+ matchLabels:
+ app.kubernetes.io/component: controller
+ app.kubernetes.io/instance: external-ingress-nginx
+ app.kubernetes.io/name: ingress-nginx
+ maxSkew: 1
+ topologyKey: kubernetes.io/hostname
+ whenUnsatisfiable: DoNotSchedule
+ serviceAccountName: external-ingress-nginx
+ terminationGracePeriodSeconds: 120
+ volumes:
+ - name: webhook-cert
+ secret:
+ secretName: external-ingress-nginx-admission
+
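Review bot: both controller instances are started with `- --ingress-class=nginx` (here with `--controller-class=k8s.io/external`, and again for the internal instance with `--controller-class=k8s.io/internal`), so an Ingress that still uses the legacy `kubernetes.io/ingress.class: nginx` annotation matches both instances and is served by the external and the internal controller at the same time; the `--controller-class` values are distinct, but `--ingress-class` is what the annotation fallback compares against. Give each instance its own value (`--ingress-class=external` and `--ingress-class=internal`, matching the IngressClass names) so the two controllers cannot claim the same object.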
--- HelmRelease: network/external-ingress-nginx IngressClass: network/external
+++ HelmRelease: network/external-ingress-nginx IngressClass: network/external
@@ -0,0 +1,14 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: IngressClass
+metadata:
+ labels:
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/instance: external-ingress-nginx
+ app.kubernetes.io/part-of: ingress-nginx
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/component: controller
+ name: external
+spec:
+ controller: k8s.io/external
+
--- HelmRelease: network/external-ingress-nginx ServiceMonitor: network/external-ingress-nginx-controller
+++ HelmRelease: network/external-ingress-nginx ServiceMonitor: network/external-ingress-nginx-controller
@@ -0,0 +1,24 @@
+---
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+ name: external-ingress-nginx-controller
+ namespace: network
+ labels:
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/instance: external-ingress-nginx
+ app.kubernetes.io/part-of: ingress-nginx
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/component: controller
+spec:
+ namespaceSelector:
+ any: true
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/instance: external-ingress-nginx
+ app.kubernetes.io/component: controller
+ endpoints:
+ - port: metrics
+ interval: 30s
+
--- HelmRelease: network/external-ingress-nginx ValidatingWebhookConfiguration: network/external-ingress-nginx-admission
+++ HelmRelease: network/external-ingress-nginx ValidatingWebhookConfiguration: network/external-ingress-nginx-admission
@@ -0,0 +1,41 @@
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+ labels:
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/instance: external-ingress-nginx
+ app.kubernetes.io/part-of: ingress-nginx
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/component: admission-webhook
+ name: external-ingress-nginx-admission
+webhooks:
+- name: validate.nginx.ingress.kubernetes.io
+ matchPolicy: Equivalent
+ rules:
+ - apiGroups:
+ - networking.k8s.io
+ apiVersions:
+ - v1
+ operations:
+ - CREATE
+ - UPDATE
+ resources:
+ - ingresses
+ failurePolicy: Fail
+ sideEffects: None
+ admissionReviewVersions:
+ - v1
+ clientConfig:
+ service:
+ name: external-ingress-nginx-controller-admission
+ namespace: network
+ port: 443
+ path: /networking/v1/ingresses
+ objectSelector:
+ matchExpressions:
+ - key: ingress-class
+ operator: In
+ values:
+ - external
+
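Review bot: the `objectSelector` on `validate.nginx.ingress.kubernetes.io` keys on a label `ingress-class` with value `external`, not on `spec.ingressClassName`, so an Ingress created with `ingressClassName: external` but without that label is never sent to this webhook and its annotations are not validated before the controller reloads nginx. Either drop the `objectSelector` so every Ingress CREATE/UPDATE reaches the webhook (the controller answers "allowed" for objects of another class, but with `failurePolicy: Fail` an outage of this controller then blocks Ingress changes for all classes), or document that the label is mandatory and enforce its presence elsewhere.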
--- HelmRelease: network/external-ingress-nginx ServiceAccount: network/external-ingress-nginx-admission
+++ HelmRelease: network/external-ingress-nginx ServiceAccount: network/external-ingress-nginx-admission
@@ -0,0 +1,17 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: external-ingress-nginx-admission
+ namespace: network
+ annotations:
+ helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+ helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+ labels:
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/instance: external-ingress-nginx
+ app.kubernetes.io/part-of: ingress-nginx
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/component: admission-webhook
+automountServiceAccountToken: true
+
--- HelmRelease: network/external-ingress-nginx ClusterRole: network/external-ingress-nginx-admission
+++ HelmRelease: network/external-ingress-nginx ClusterRole: network/external-ingress-nginx-admission
@@ -0,0 +1,23 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: external-ingress-nginx-admission
+ annotations:
+ helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+ helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+ labels:
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/instance: external-ingress-nginx
+ app.kubernetes.io/part-of: ingress-nginx
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/component: admission-webhook
+rules:
+- apiGroups:
+ - admissionregistration.k8s.io
+ resources:
+ - validatingwebhookconfigurations
+ verbs:
+ - get
+ - update
+
--- HelmRelease: network/external-ingress-nginx ClusterRoleBinding: network/external-ingress-nginx-admission
+++ HelmRelease: network/external-ingress-nginx ClusterRoleBinding: network/external-ingress-nginx-admission
@@ -0,0 +1,23 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: external-ingress-nginx-admission
+ annotations:
+ helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+ helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+ labels:
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/instance: external-ingress-nginx
+ app.kubernetes.io/part-of: ingress-nginx
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/component: admission-webhook
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: external-ingress-nginx-admission
+subjects:
+- kind: ServiceAccount
+ name: external-ingress-nginx-admission
+ namespace: network
+
--- HelmRelease: network/external-ingress-nginx Role: network/external-ingress-nginx-admission
+++ HelmRelease: network/external-ingress-nginx Role: network/external-ingress-nginx-admission
@@ -0,0 +1,24 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: external-ingress-nginx-admission
+ namespace: network
+ annotations:
+ helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+ helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+ labels:
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/instance: external-ingress-nginx
+ app.kubernetes.io/part-of: ingress-nginx
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/component: admission-webhook
+rules:
+- apiGroups:
+ - ''
+ resources:
+ - secrets
+ verbs:
+ - get
+ - create
+
--- HelmRelease: network/external-ingress-nginx RoleBinding: network/external-ingress-nginx-admission
+++ HelmRelease: network/external-ingress-nginx RoleBinding: network/external-ingress-nginx-admission
@@ -0,0 +1,24 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: external-ingress-nginx-admission
+ namespace: network
+ annotations:
+ helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+ helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+ labels:
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/instance: external-ingress-nginx
+ app.kubernetes.io/part-of: ingress-nginx
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/component: admission-webhook
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: external-ingress-nginx-admission
+subjects:
+- kind: ServiceAccount
+ name: external-ingress-nginx-admission
+ namespace: network
+
--- HelmRelease: network/external-ingress-nginx Job: network/external-ingress-nginx-admission-create
+++ HelmRelease: network/external-ingress-nginx Job: network/external-ingress-nginx-admission-create
@@ -0,0 +1,56 @@
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: external-ingress-nginx-admission-create
+ namespace: network
+ annotations:
+ helm.sh/hook: pre-install,pre-upgrade
+ helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+ labels:
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/instance: external-ingress-nginx
+ app.kubernetes.io/part-of: ingress-nginx
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/component: admission-webhook
+spec:
+ template:
+ metadata:
+ name: external-ingress-nginx-admission-create
+ labels:
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/instance: external-ingress-nginx
+ app.kubernetes.io/part-of: ingress-nginx
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/component: admission-webhook
+ spec:
+ containers:
+ - name: create
+ image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.5.0@sha256:aaafd456bda110628b2d4ca6296f38731a3aaf0bf7581efae824a41c770a8fc4
+ imagePullPolicy: IfNotPresent
+ args:
+ - create
+ - --host=external-ingress-nginx-controller-admission,external-ingress-nginx-controller-admission.$(POD_NAMESPACE).svc
+ - --namespace=$(POD_NAMESPACE)
+ - --secret-name=external-ingress-nginx-admission
+ env:
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ readOnlyRootFilesystem: true
+ runAsGroup: 65532
+ runAsNonRoot: true
+ runAsUser: 65532
+ seccompProfile:
+ type: RuntimeDefault
+ restartPolicy: OnFailure
+ serviceAccountName: external-ingress-nginx-admission
+ nodeSelector:
+ kubernetes.io/os: linux
+
--- HelmRelease: network/external-ingress-nginx Job: network/external-ingress-nginx-admission-patch
+++ HelmRelease: network/external-ingress-nginx Job: network/external-ingress-nginx-admission-patch
@@ -0,0 +1,58 @@
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: external-ingress-nginx-admission-patch
+ namespace: network
+ annotations:
+ helm.sh/hook: post-install,post-upgrade
+ helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+ labels:
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/instance: external-ingress-nginx
+ app.kubernetes.io/part-of: ingress-nginx
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/component: admission-webhook
+spec:
+ template:
+ metadata:
+ name: external-ingress-nginx-admission-patch
+ labels:
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/instance: external-ingress-nginx
+ app.kubernetes.io/part-of: ingress-nginx
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/component: admission-webhook
+ spec:
+ containers:
+ - name: patch
+ image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.5.0@sha256:aaafd456bda110628b2d4ca6296f38731a3aaf0bf7581efae824a41c770a8fc4
+ imagePullPolicy: IfNotPresent
+ args:
+ - patch
+ - --webhook-name=external-ingress-nginx-admission
+ - --namespace=$(POD_NAMESPACE)
+ - --patch-mutating=false
+ - --secret-name=external-ingress-nginx-admission
+ - --patch-failure-policy=Fail
+ env:
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ readOnlyRootFilesystem: true
+ runAsGroup: 65532
+ runAsNonRoot: true
+ runAsUser: 65532
+ seccompProfile:
+ type: RuntimeDefault
+ restartPolicy: OnFailure
+ serviceAccountName: external-ingress-nginx-admission
+ nodeSelector:
+ kubernetes.io/os: linux
+
--- HelmRelease: network/internal-ingress-nginx PodDisruptionBudget: network/internal-ingress-nginx-controller
+++ HelmRelease: network/internal-ingress-nginx PodDisruptionBudget: network/internal-ingress-nginx-controller
@@ -0,0 +1,20 @@
+---
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+ labels:
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/instance: internal-ingress-nginx
+ app.kubernetes.io/part-of: ingress-nginx
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/component: controller
+ name: internal-ingress-nginx-controller
+ namespace: network
+spec:
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/instance: internal-ingress-nginx
+ app.kubernetes.io/component: controller
+ minAvailable: 1
+
--- HelmRelease: network/internal-ingress-nginx ServiceAccount: network/internal-ingress-nginx
+++ HelmRelease: network/internal-ingress-nginx ServiceAccount: network/internal-ingress-nginx
@@ -0,0 +1,14 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ labels:
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/instance: internal-ingress-nginx
+ app.kubernetes.io/part-of: ingress-nginx
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/component: controller
+ name: internal-ingress-nginx
+ namespace: network
+automountServiceAccountToken: true
+
--- HelmRelease: network/internal-ingress-nginx ConfigMap: network/internal-ingress-nginx-controller
+++ HelmRelease: network/internal-ingress-nginx ConfigMap: network/internal-ingress-nginx-controller
@@ -0,0 +1,35 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ labels:
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/instance: internal-ingress-nginx
+ app.kubernetes.io/part-of: ingress-nginx
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/component: controller
+ name: internal-ingress-nginx-controller
+ namespace: network
+data:
+ allow-snippet-annotations: 'true'
+ annotations-risk-level: Critical
+ block-user-agents: AdsBot-Google,Amazonbot,anthropic-ai,Applebot-Extended,Bytespider,CCBot,ChatGPT-User,ClaudeBot,Claude-Web,cohere-ai,Diffbot,FacebookBot,FriendlyCrawler,Google-Extended,GoogleOther,GPTBot,img2dataset,omgili,omgilibot,peer39_crawler,peer39_crawler/1.0,PerplexityBot,YouBot,
+ client-body-buffer-size: 100M
+ client-body-timeout: '120'
+ client-header-timeout: '120'
+ enable-brotli: 'true'
+ enable-ocsp: 'true'
+ enable-real-ip: 'true'
+ force-ssl-redirect: 'true'
+ hide-headers: Server,X-Powered-By
+ hsts-max-age: '3.14496e+07'
+ keep-alive: '120'
+ keep-alive-requests: '10000'
+ log-format-escape-json: 'true'
+ log-format-upstream: |
+ {"time": "$time_iso8601", "remote_addr": "$proxy_protocol_addr", "x_forwarded_for": "$proxy_add_x_forwarded_for", "request_id": "$req_id", "remote_user": "$remote_user", "bytes_sent": $bytes_sent, "request_time": $request_time, "status": $status, "vhost": "$host", "request_proto": "$server_protocol", "path": "$uri", "request_query": "$args", "request_length": $request_length, "duration": $request_time, "method": "$request_method", "http_referrer": "$http_referer", "http_user_agent": "$http_user_agent"}
+ proxy-body-size: '0'
+ proxy-buffer-size: 16k
+ ssl-protocols: TLSv1.3 TLSv1.2
+ use-forwarded-headers: 'true'
+
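Review bot: `hsts-max-age: '3.14496e+07'` is a float rendering of 31449600 (what Helm emits when the value is given as an unquoted integer) and is written verbatim into the `Strict-Transport-Security` header, whose `max-age` must be a plain integer; browsers reject the malformed directive, so HSTS is silently not enforced on the internal controller. Quote the value in the HelmRelease values (`hsts-max-age: "31449600"`). Two further points on the same `data` block: `allow-snippet-annotations: 'true'` together with `annotations-risk-level: Critical` lets anyone who can create an Ingress in any namespace inject raw nginx configuration into this controller, which upstream turns off by default; and `use-forwarded-headers: 'true'` with no `proxy-real-ip-cidr` accepts `X-Forwarded-For` from every peer, so the `remote_addr` and `x_forwarded_for` fields in `log-format-upstream` (and any IP allow-list annotations) can be set by the client, while `$proxy_protocol_addr` stays empty unless `use-proxy-protocol` is enabled.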
--- HelmRelease: network/internal-ingress-nginx ClusterRole: network/internal-ingress-nginx
+++ HelmRelease: network/internal-ingress-nginx ClusterRole: network/internal-ingress-nginx
@@ -0,0 +1,82 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ labels:
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/instance: internal-ingress-nginx
+ app.kubernetes.io/part-of: ingress-nginx
+ app.kubernetes.io/managed-by: Helm
+ name: internal-ingress-nginx
+rules:
+- apiGroups:
+ - ''
+ resources:
+ - configmaps
+ - endpoints
+ - nodes
+ - pods
+ - secrets
+ - namespaces
+ verbs:
+ - list
+ - watch
+- apiGroups:
+ - coordination.k8s.io
+ resources:
+ - leases
+ verbs:
+ - list
+ - watch
+- apiGroups:
+ - ''
+ resources:
+ - nodes
+ verbs:
+ - get
+- apiGroups:
+ - ''
+ resources:
+ - services
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - networking.k8s.io
+ resources:
+ - ingresses
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - ''
+ resources:
+ - events
+ verbs:
+ - create
+ - patch
+- apiGroups:
+ - networking.k8s.io
+ resources:
+ - ingresses/status
+ verbs:
+ - update
+- apiGroups:
+ - networking.k8s.io
+ resources:
+ - ingressclasses
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - discovery.k8s.io
+ resources:
+ - endpointslices
+ verbs:
+ - list
+ - watch
+ - get
+
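Review bot: the `secrets` entry in the first rule gives the `internal-ingress-nginx` service account `list` and `watch` on every Secret in the cluster (the namespaced `Role` adds `get` on top). This is the upstream chart default, needed so the controller can load TLS secrets referenced by Ingresses in any namespace, but with two controller instances it means two identities with cluster-wide secret read; if Ingress TLS secrets are confined to a known set of namespaces, the chart's `controller.scope` values let the controller watch only those and the ClusterRole can be narrowed accordingly.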
--- HelmRelease: network/internal-ingress-nginx ClusterRoleBinding: network/internal-ingress-nginx
+++ HelmRelease: network/internal-ingress-nginx ClusterRoleBinding: network/internal-ingress-nginx
@@ -0,0 +1,19 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ labels:
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/instance: internal-ingress-nginx
+ app.kubernetes.io/part-of: ingress-nginx
+ app.kubernetes.io/managed-by: Helm
+ name: internal-ingress-nginx
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: internal-ingress-nginx
+subjects:
+- kind: ServiceAccount
+ name: internal-ingress-nginx
+ namespace: network
+
--- HelmRelease: network/internal-ingress-nginx Role: network/internal-ingress-nginx
+++ HelmRelease: network/internal-ingress-nginx Role: network/internal-ingress-nginx
@@ -0,0 +1,91 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ labels:
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/instance: internal-ingress-nginx
+ app.kubernetes.io/part-of: ingress-nginx
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/component: controller
+ name: internal-ingress-nginx
+ namespace: network
+rules:
+- apiGroups:
+ - ''
+ resources:
+ - namespaces
+ verbs:
+ - get
+- apiGroups:
+ - ''
+ resources:
+ - configmaps
+ - pods
+ - secrets
+ - endpoints
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - ''
+ resources:
+ - services
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - networking.k8s.io
+ resources:
+ - ingresses
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - networking.k8s.io
+ resources:
+ - ingresses/status
+ verbs:
+ - update
+- apiGroups:
+ - networking.k8s.io
+ resources:
+ - ingressclasses
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - coordination.k8s.io
+ resources:
+ - leases
+ resourceNames:
+ - internal-ingress-nginx-leader
+ verbs:
+ - get
+ - update
+- apiGroups:
+ - coordination.k8s.io
+ resources:
+ - leases
+ verbs:
+ - create
+- apiGroups:
+ - ''
+ resources:
+ - events
+ verbs:
+ - create
+ - patch
+- apiGroups:
+ - discovery.k8s.io
+ resources:
+ - endpointslices
+ verbs:
+ - list
+ - watch
+ - get
+
--- HelmRelease: network/internal-ingress-nginx RoleBinding: network/internal-ingress-nginx
+++ HelmRelease: network/internal-ingress-nginx RoleBinding: network/internal-ingress-nginx
@@ -0,0 +1,21 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ labels:
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/instance: internal-ingress-nginx
+ app.kubernetes.io/part-of: ingress-nginx
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/component: controller
+ name: internal-ingress-nginx
+ namespace: network
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: internal-ingress-nginx
+subjects:
+- kind: ServiceAccount
+ name: internal-ingress-nginx
+ namespace: network
+
--- HelmRelease: network/internal-ingress-nginx Service: network/internal-ingress-nginx-controller-metrics
+++ HelmRelease: network/internal-ingress-nginx Service: network/internal-ingress-nginx-controller-metrics
@@ -0,0 +1,24 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/instance: internal-ingress-nginx
+ app.kubernetes.io/part-of: ingress-nginx
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/component: controller
+ name: internal-ingress-nginx-controller-metrics
+ namespace: network
+spec:
+ type: ClusterIP
+ ports:
+ - name: metrics
+ port: 10254
+ protocol: TCP
+ targetPort: metrics
+ selector:
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/instance: internal-ingress-nginx
+ app.kubernetes.io/component: controller
+
--- HelmRelease: network/internal-ingress-nginx Service: network/internal-ingress-nginx-controller-admission
+++ HelmRelease: network/internal-ingress-nginx Service: network/internal-ingress-nginx-controller-admission
@@ -0,0 +1,24 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/instance: internal-ingress-nginx
+ app.kubernetes.io/part-of: ingress-nginx
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/component: controller
+ name: internal-ingress-nginx-controller-admission
+ namespace: network
+spec:
+ type: ClusterIP
+ ports:
+ - name: https-webhook
+ port: 443
+ targetPort: webhook
+ appProtocol: https
+ selector:
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/instance: internal-ingress-nginx
+ app.kubernetes.io/component: controller
+
--- HelmRelease: network/internal-ingress-nginx Service: network/internal-ingress-nginx-controller
+++ HelmRelease: network/internal-ingress-nginx Service: network/internal-ingress-nginx-controller
@@ -0,0 +1,37 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+ annotations:
+ external-dns.alpha.kubernetes.io/hostname: internal...PLACEHOLDER_SECRET_DOMAIN..
+ lbipam.cilium.io/ips: ..PLACEHOLDER_SVC_NGINX_INTERNAL..
+ labels:
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/instance: internal-ingress-nginx
+ app.kubernetes.io/part-of: ingress-nginx
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/component: controller
+ name: internal-ingress-nginx-controller
+ namespace: network
+spec:
+ type: LoadBalancer
+ externalTrafficPolicy: Cluster
+ ipFamilyPolicy: SingleStack
+ ipFamilies:
+ - IPv4
+ ports:
+ - name: http
+ port: 80
+ protocol: TCP
+ targetPort: http
+ appProtocol: http
+ - name: https
+ port: 443
+ protocol: TCP
+ targetPort: https
+ appProtocol: https
+ selector:
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/instance: internal-ingress-nginx
+ app.kubernetes.io/component: controller
+
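Review bot: `externalTrafficPolicy: Cluster` lets any node forward to the controller pods at the cost of source NAT on the hop to the pod, so nginx sees a node address as the peer and `enable-real-ip` has no original client address to recover unless a proxy-protocol-speaking load balancer sits in front. For an internal ingress where the client address matters for logs and allow-lists, `externalTrafficPolicy: Local` preserves the source address, with the trade-off that only nodes running a controller pod answer for `..PLACEHOLDER_SVC_NGINX_INTERNAL..` (how that interacts with the Cilium LB IPAM announcement should be checked on this cluster).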
--- HelmRelease: network/internal-ingress-nginx Deployment: network/internal-ingress-nginx-controller
+++ HelmRelease: network/internal-ingress-nginx Deployment: network/internal-ingress-nginx-controller
@@ -0,0 +1,137 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/instance: internal-ingress-nginx
+ app.kubernetes.io/part-of: ingress-nginx
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/component: controller
+ name: internal-ingress-nginx-controller
+ namespace: network
+spec:
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/instance: internal-ingress-nginx
+ app.kubernetes.io/component: controller
+ replicas: 2
+ revisionHistoryLimit: 10
+ minReadySeconds: 0
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/instance: internal-ingress-nginx
+ app.kubernetes.io/part-of: ingress-nginx
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/component: controller
+ spec:
+ dnsPolicy: ClusterFirst
+ containers:
+ - name: controller
+ image: registry.k8s.io/ingress-nginx/controller:v1.12.0@sha256:e6b8de175acda6ca913891f0f727bca4527e797d52688cbe9fec9040d6f6b6fa
+ imagePullPolicy: IfNotPresent
+ lifecycle:
+ preStop:
+ exec:
+ command:
+ - /wait-shutdown
+ args:
+ - /nginx-ingress-controller
+ - --election-id=internal-ingress-nginx-leader
+ - --controller-class=k8s.io/internal
+ - --ingress-class=nginx
+ - --configmap=$(POD_NAMESPACE)/internal-ingress-nginx-controller
+ - --validating-webhook=:8443
+ - --validating-webhook-certificate=/usr/local/certificates/cert
+ - --validating-webhook-key=/usr/local/certificates/key
+ - --enable-metrics=true
+ - --default-ssl-certificate=cert-manager/..PLACEHOLDER_SECRET_DOMAIN..-tls
+ - --publish-status-address=internal...PLACEHOLDER_SECRET_DOMAIN..
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: 101
+ runAsGroup: 82
+ allowPrivilegeEscalation: false
+ seccompProfile:
+ type: RuntimeDefault
+ capabilities:
+ drop:
+ - ALL
+ add:
+ - NET_BIND_SERVICE
+ readOnlyRootFilesystem: false
+ env:
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.name
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ - name: LD_PRELOAD
+ value: /usr/local/lib/libmimalloc.so
+ livenessProbe:
+ failureThreshold: 5
+ httpGet:
+ path: /healthz
+ port: 10254
+ scheme: HTTP
+ initialDelaySeconds: 10
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 1
+ readinessProbe:
+ failureThreshold: 3
+ httpGet:
+ path: /healthz
+ port: 10254
+ scheme: HTTP
+ initialDelaySeconds: 10
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 1
+ ports:
+ - name: http
+ containerPort: 80
+ protocol: TCP
+ - name: https
+ containerPort: 443
+ protocol: TCP
+ - name: metrics
+ containerPort: 10254
+ protocol: TCP
+ - name: webhook
+ containerPort: 8443
+ protocol: TCP
+ volumeMounts:
+ - name: webhook-cert
+ mountPath: /usr/local/certificates/
+ readOnly: true
+ resources:
+ limits:
+ memory: 500Mi
+ requests:
+ cpu: 100m
+ memory: 90Mi
+ nodeSelector:
+ kubernetes.io/os: linux
+ topologySpreadConstraints:
+ - labelSelector:
+ matchLabels:
+ app.kubernetes.io/component: controller
+ app.kubernetes.io/instance: internal-ingress-nginx
+ app.kubernetes.io/name: ingress-nginx
+ maxSkew: 1
+ topologyKey: kubernetes.io/hostname
+ whenUnsatisfiable: DoNotSchedule
+ serviceAccountName: internal-ingress-nginx
+ terminationGracePeriodSeconds: 120
+ volumes:
+ - name: webhook-cert
+ secret:
+ secretName: internal-ingress-nginx-admission
+
--- HelmRelease: network/internal-ingress-nginx IngressClass: network/internal
+++ HelmRelease: network/internal-ingress-nginx IngressClass: network/internal
@@ -0,0 +1,16 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: IngressClass
+metadata:
+ labels:
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/instance: internal-ingress-nginx
+ app.kubernetes.io/part-of: ingress-nginx
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/component: controller
+ name: internal
+ annotations:
+ ingressclass.kubernetes.io/is-default-class: 'true'
+spec:
+ controller: k8s.io/internal
+
--- HelmRelease: network/internal-ingress-nginx ServiceMonitor: network/internal-ingress-nginx-controller
+++ HelmRelease: network/internal-ingress-nginx ServiceMonitor: network/internal-ingress-nginx-controller
@@ -0,0 +1,24 @@
+---
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+ name: internal-ingress-nginx-controller
+ namespace: network
+ labels:
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/instance: internal-ingress-nginx
+ app.kubernetes.io/part-of: ingress-nginx
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/component: controller
+spec:
+ namespaceSelector:
+ any: true
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/instance: internal-ingress-nginx
+ app.kubernetes.io/component: controller
+ endpoints:
+ - port: metrics
+ interval: 30s
+
--- HelmRelease: network/internal-ingress-nginx ValidatingWebhookConfiguration: network/internal-ingress-nginx-admission
+++ HelmRelease: network/internal-ingress-nginx ValidatingWebhookConfiguration: network/internal-ingress-nginx-admission
@@ -0,0 +1,41 @@
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+ labels:
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/instance: internal-ingress-nginx
+ app.kubernetes.io/part-of: ingress-nginx
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/component: admission-webhook
+ name: internal-ingress-nginx-admission
+webhooks:
+- name: validate.nginx.ingress.kubernetes.io
+ matchPolicy: Equivalent
+ rules:
+ - apiGroups:
+ - networking.k8s.io
+ apiVersions:
+ - v1
+ operations:
+ - CREATE
+ - UPDATE
+ resources:
+ - ingresses
+ failurePolicy: Fail
+ sideEffects: None
+ admissionReviewVersions:
+ - v1
+ clientConfig:
+ service:
+ name: internal-ingress-nginx-controller-admission
+ namespace: network
+ port: 443
+ path: /networking/v1/ingresses
+ objectSelector:
+ matchExpressions:
+ - key: ingress-class
+ operator: In
+ values:
+ - internal
+
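Review bot: the `objectSelector` with `ingress-class In internal` only covers Ingresses that carry that label, so an Ingress with `ingressClassName: internal` and no `ingress-class` label bypasses this webhook entirely and its annotations reach nginx unvalidated. Either validate every Ingress and let the controller skip other classes, or make the label mandatory and enforce it elsewhere.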
--- HelmRelease: network/internal-ingress-nginx ServiceAccount: network/internal-ingress-nginx-admission
+++ HelmRelease: network/internal-ingress-nginx ServiceAccount: network/internal-ingress-nginx-admission
@@ -0,0 +1,17 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: internal-ingress-nginx-admission
+ namespace: network
+ annotations:
+ helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+ helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+ labels:
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/instance: internal-ingress-nginx
+ app.kubernetes.io/part-of: ingress-nginx
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/component: admission-webhook
+automountServiceAccountToken: true
+
--- HelmRelease: network/internal-ingress-nginx ClusterRole: network/internal-ingress-nginx-admission
+++ HelmRelease: network/internal-ingress-nginx ClusterRole: network/internal-ingress-nginx-admission
@@ -0,0 +1,23 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: internal-ingress-nginx-admission
+ annotations:
+ helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+ helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+ labels:
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/instance: internal-ingress-nginx
+ app.kubernetes.io/part-of: ingress-nginx
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/component: admission-webhook
+rules:
+- apiGroups:
+ - admissionregistration.k8s.io
+ resources:
+ - validatingwebhookconfigurations
+ verbs:
+ - get
+ - update
+
--- HelmRelease: network/internal-ingress-nginx ClusterRoleBinding: network/internal-ingress-nginx-admission
+++ HelmRelease: network/internal-ingress-nginx ClusterRoleBinding: network/internal-ingress-nginx-admission
@@ -0,0 +1,23 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: internal-ingress-nginx-admission
+ annotations:
+ helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+ helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+ labels:
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/instance: internal-ingress-nginx
+ app.kubernetes.io/part-of: ingress-nginx
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/component: admission-webhook
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: internal-ingress-nginx-admission
+subjects:
+- kind: ServiceAccount
+ name: internal-ingress-nginx-admission
+ namespace: network
+
--- HelmRelease: network/internal-ingress-nginx Role: network/internal-ingress-nginx-admission
+++ HelmRelease: network/internal-ingress-nginx Role: network/internal-ingress-nginx-admission
@@ -0,0 +1,24 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: internal-ingress-nginx-admission
+ namespace: network
+ annotations:
+ helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+ helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+ labels:
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/instance: internal-ingress-nginx
+ app.kubernetes.io/part-of: ingress-nginx
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/component: admission-webhook
+rules:
+- apiGroups:
+ - ''
+ resources:
+ - secrets
+ verbs:
+ - get
+ - create
+
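Review bot: the `secrets` rule in this Role allows `get` on any Secret in the `network` namespace, not only the webhook certificate the Jobs read and write (`--secret-name=internal-ingress-nginx-admission`). `create` cannot be scoped by name, but `get` can; splitting the rule into a `get` entry with `resourceNames: [internal-ingress-nginx-admission]` and a separate unscoped `create` entry keeps the Jobs working while removing read access to other Secrets in the namespace (e.g. TLS material shared with the controller).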
--- HelmRelease: network/internal-ingress-nginx RoleBinding: network/internal-ingress-nginx-admission
+++ HelmRelease: network/internal-ingress-nginx RoleBinding: network/internal-ingress-nginx-admission
@@ -0,0 +1,24 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: internal-ingress-nginx-admission
+ namespace: network
+ annotations:
+ helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+ helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+ labels:
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/instance: internal-ingress-nginx
+ app.kubernetes.io/part-of: ingress-nginx
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/component: admission-webhook
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: internal-ingress-nginx-admission
+subjects:
+- kind: ServiceAccount
+ name: internal-ingress-nginx-admission
+ namespace: network
+
--- HelmRelease: network/internal-ingress-nginx Job: network/internal-ingress-nginx-admission-create
+++ HelmRelease: network/internal-ingress-nginx Job: network/internal-ingress-nginx-admission-create
@@ -0,0 +1,56 @@
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: internal-ingress-nginx-admission-create
+ namespace: network
+ annotations:
+ helm.sh/hook: pre-install,pre-upgrade
+ helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+ labels:
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/instance: internal-ingress-nginx
+ app.kubernetes.io/part-of: ingress-nginx
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/component: admission-webhook
+spec:
+ template:
+ metadata:
+ name: internal-ingress-nginx-admission-create
+ labels:
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/instance: internal-ingress-nginx
+ app.kubernetes.io/part-of: ingress-nginx
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/component: admission-webhook
+ spec:
+ containers:
+ - name: create
+ image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.5.0@sha256:aaafd456bda110628b2d4ca6296f38731a3aaf0bf7581efae824a41c770a8fc4
+ imagePullPolicy: IfNotPresent
+ args:
+ - create
+ - --host=internal-ingress-nginx-controller-admission,internal-ingress-nginx-controller-admission.$(POD_NAMESPACE).svc
+ - --namespace=$(POD_NAMESPACE)
+ - --secret-name=internal-ingress-nginx-admission
+ env:
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ readOnlyRootFilesystem: true
+ runAsGroup: 65532
+ runAsNonRoot: true
+ runAsUser: 65532
+ seccompProfile:
+ type: RuntimeDefault
+ restartPolicy: OnFailure
+ serviceAccountName: internal-ingress-nginx-admission
+ nodeSelector:
+ kubernetes.io/os: linux
+
--- HelmRelease: network/internal-ingress-nginx Job: network/internal-ingress-nginx-admission-patch
+++ HelmRelease: network/internal-ingress-nginx Job: network/internal-ingress-nginx-admission-patch
@@ -0,0 +1,58 @@
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: internal-ingress-nginx-admission-patch
+ namespace: network
+ annotations:
+ helm.sh/hook: post-install,post-upgrade
+ helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+ labels:
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/instance: internal-ingress-nginx
+ app.kubernetes.io/part-of: ingress-nginx
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/component: admission-webhook
+spec:
+ template:
+ metadata:
+ name: internal-ingress-nginx-admission-patch
+ labels:
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/instance: internal-ingress-nginx
+ app.kubernetes.io/part-of: ingress-nginx
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/component: admission-webhook
+ spec:
+ containers:
+ - name: patch
+ image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.5.0@sha256:aaafd456bda110628b2d4ca6296f38731a3aaf0bf7581efae824a41c770a8fc4
+ imagePullPolicy: IfNotPresent
+ args:
+ - patch
+ - --webhook-name=internal-ingress-nginx-admission
+ - --namespace=$(POD_NAMESPACE)
+ - --patch-mutating=false
+ - --secret-name=internal-ingress-nginx-admission
+ - --patch-failure-policy=Fail
+ env:
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ readOnlyRootFilesystem: true
+ runAsGroup: 65532
+ runAsNonRoot: true
+ runAsUser: 65532
+ seccompProfile:
+ type: RuntimeDefault
+ restartPolicy: OnFailure
+ serviceAccountName: internal-ingress-nginx-admission
+ nodeSelector:
+ kubernetes.io/os: linux
+ |
--- HelmRelease: network/external-dns-cloudflare Deployment: network/external-dns-cloudflare
+++ HelmRelease: network/external-dns-cloudflare Deployment: network/external-dns-cloudflare
@@ -19,13 +19,13 @@
template:
metadata:
labels:
app.kubernetes.io/name: external-dns
app.kubernetes.io/instance: external-dns-cloudflare
annotations:
- secret.reloader.stakater.com/reload: external-dns-secret
+ secret.reloader.stakater.com/reload: external-dns-cloudflare
spec:
serviceAccountName: external-dns-cloudflare
securityContext:
fsGroup: 65534
runAsNonRoot: true
seccompProfile:
@@ -46,13 +46,13 @@
imagePullPolicy: IfNotPresent
env:
- name: CF_API_TOKEN
valueFrom:
secretKeyRef:
key: api-token
- name: external-dns-secret
+ name: external-dns-cloudflare
args:
- --log-level=info
- --log-format=text
- --interval=1m
- --events
- --source=crd
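Review bot: this hunk renames the referenced Secret from `external-dns-secret` to `external-dns-cloudflare` in both the reloader annotation and the `CF_API_TOKEN` `secretKeyRef`, but the Secret itself is not created or renamed in the visible diff. Because the `secretKeyRef` has no `optional: true`, the Deployment will sit in `CreateContainerConfigError` until a Secret with that name and an `api-token` key exists, so make sure the (External)Secret rename lands in the same reconciliation and that the old `external-dns-secret` is removed afterwards.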
--- HelmRelease: network/nginx-external PodDisruptionBudget: network/nginx-external-controller
+++ HelmRelease: network/nginx-external PodDisruptionBudget: network/nginx-external-controller
@@ -1,20 +0,0 @@
----
-apiVersion: policy/v1
-kind: PodDisruptionBudget
-metadata:
- labels:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/instance: nginx-external
- app.kubernetes.io/part-of: ingress-nginx
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/component: controller
- name: nginx-external-controller
- namespace: network
-spec:
- selector:
- matchLabels:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/instance: nginx-external
- app.kubernetes.io/component: controller
- minAvailable: 1
-
--- HelmRelease: network/nginx-external ServiceAccount: network/nginx-external
+++ HelmRelease: network/nginx-external ServiceAccount: network/nginx-external
@@ -1,14 +0,0 @@
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- labels:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/instance: nginx-external
- app.kubernetes.io/part-of: ingress-nginx
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/component: controller
- name: nginx-external
- namespace: network
-automountServiceAccountToken: true
-
--- HelmRelease: network/nginx-external ConfigMap: network/nginx-external-controller
+++ HelmRelease: network/nginx-external ConfigMap: network/nginx-external-controller
@@ -1,35 +0,0 @@
----
-apiVersion: v1
-kind: ConfigMap
-metadata:
- labels:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/instance: nginx-external
- app.kubernetes.io/part-of: ingress-nginx
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/component: controller
- name: nginx-external-controller
- namespace: network
-data:
- allow-snippet-annotations: 'true'
- annotations-risk-level: Critical
- block-user-agents: GPTBot,~*GPTBot*,ChatGPT-User,~*ChatGPT-User*,Google-Extended,~*Google-Extended*,CCBot,~*CCBot*,Omgilibot,~*Omgilibot*,FacebookBot,~*FacebookBot*
- client-body-buffer-size: 100M
- client-body-timeout: '120'
- client-header-timeout: '120'
- enable-brotli: 'true'
- enable-ocsp: 'true'
- enable-real-ip: 'true'
- force-ssl-redirect: 'true'
- hide-headers: Server,X-Powered-By
- hsts-max-age: '3.14496e+07'
- keep-alive: '120'
- keep-alive-requests: '10000'
- log-format-escape-json: 'true'
- log-format-upstream: |
- {"time": "$time_iso8601", "remote_addr": "$proxy_protocol_addr", "x_forwarded_for": "$proxy_add_x_forwarded_for", "request_id": "$req_id", "remote_user": "$remote_user", "bytes_sent": $bytes_sent, "request_time": $request_time, "status": $status, "vhost": "$host", "request_proto": "$server_protocol", "path": "$uri", "request_query": "$args", "request_length": $request_length, "duration": $request_time, "method": "$request_method", "http_referrer": "$http_referer", "http_user_agent": "$http_user_agent"}
- proxy-body-size: '0'
- proxy-buffer-size: 16k
- ssl-protocols: TLSv1.3 TLSv1.2
- use-forwarded-headers: 'true'
-
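Review bot: two values in the removed `data` block deserve a check before they are carried into whatever replaces this ConfigMap. `hsts-max-age: '3.14496e+07'` is a float in scientific notation rather than an integer; it is emitted verbatim into the `Strict-Transport-Security` header, where `max-age=3.14496e+07` is not a valid directive value and browsers will ignore the header, so it should be written as `'31449600'`. `allow-snippet-annotations: 'true'` together with `annotations-risk-level: Critical` allows any Ingress author in the cluster to inject arbitrary nginx configuration; if the new release keeps that, it should be a deliberate decision documented in the PR.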
--- HelmRelease: network/nginx-external ClusterRole: network/nginx-external
+++ HelmRelease: network/nginx-external ClusterRole: network/nginx-external
@@ -1,82 +0,0 @@
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- labels:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/instance: nginx-external
- app.kubernetes.io/part-of: ingress-nginx
- app.kubernetes.io/managed-by: Helm
- name: nginx-external
-rules:
-- apiGroups:
- - ''
- resources:
- - configmaps
- - endpoints
- - nodes
- - pods
- - secrets
- - namespaces
- verbs:
- - list
- - watch
-- apiGroups:
- - coordination.k8s.io
- resources:
- - leases
- verbs:
- - list
- - watch
-- apiGroups:
- - ''
- resources:
- - nodes
- verbs:
- - get
-- apiGroups:
- - ''
- resources:
- - services
- verbs:
- - get
- - list
- - watch
-- apiGroups:
- - networking.k8s.io
- resources:
- - ingresses
- verbs:
- - get
- - list
- - watch
-- apiGroups:
- - ''
- resources:
- - events
- verbs:
- - create
- - patch
-- apiGroups:
- - networking.k8s.io
- resources:
- - ingresses/status
- verbs:
- - update
-- apiGroups:
- - networking.k8s.io
- resources:
- - ingressclasses
- verbs:
- - get
- - list
- - watch
-- apiGroups:
- - discovery.k8s.io
- resources:
- - endpointslices
- verbs:
- - list
- - watch
- - get
-
--- HelmRelease: network/nginx-external ClusterRoleBinding: network/nginx-external
+++ HelmRelease: network/nginx-external ClusterRoleBinding: network/nginx-external
@@ -1,19 +0,0 @@
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- labels:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/instance: nginx-external
- app.kubernetes.io/part-of: ingress-nginx
- app.kubernetes.io/managed-by: Helm
- name: nginx-external
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: nginx-external
-subjects:
-- kind: ServiceAccount
- name: nginx-external
- namespace: network
-
--- HelmRelease: network/nginx-external Role: network/nginx-external
+++ HelmRelease: network/nginx-external Role: network/nginx-external
@@ -1,91 +0,0 @@
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
- labels:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/instance: nginx-external
- app.kubernetes.io/part-of: ingress-nginx
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/component: controller
- name: nginx-external
- namespace: network
-rules:
-- apiGroups:
- - ''
- resources:
- - namespaces
- verbs:
- - get
-- apiGroups:
- - ''
- resources:
- - configmaps
- - pods
- - secrets
- - endpoints
- verbs:
- - get
- - list
- - watch
-- apiGroups:
- - ''
- resources:
- - services
- verbs:
- - get
- - list
- - watch
-- apiGroups:
- - networking.k8s.io
- resources:
- - ingresses
- verbs:
- - get
- - list
- - watch
-- apiGroups:
- - networking.k8s.io
- resources:
- - ingresses/status
- verbs:
- - update
-- apiGroups:
- - networking.k8s.io
- resources:
- - ingressclasses
- verbs:
- - get
- - list
- - watch
-- apiGroups:
- - coordination.k8s.io
- resources:
- - leases
- resourceNames:
- - nginx-external-leader
- verbs:
- - get
- - update
-- apiGroups:
- - coordination.k8s.io
- resources:
- - leases
- verbs:
- - create
-- apiGroups:
- - ''
- resources:
- - events
- verbs:
- - create
- - patch
-- apiGroups:
- - discovery.k8s.io
- resources:
- - endpointslices
- verbs:
- - list
- - watch
- - get
-
--- HelmRelease: network/nginx-external RoleBinding: network/nginx-external
+++ HelmRelease: network/nginx-external RoleBinding: network/nginx-external
@@ -1,21 +0,0 @@
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- labels:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/instance: nginx-external
- app.kubernetes.io/part-of: ingress-nginx
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/component: controller
- name: nginx-external
- namespace: network
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: Role
- name: nginx-external
-subjects:
-- kind: ServiceAccount
- name: nginx-external
- namespace: network
-
--- HelmRelease: network/nginx-external Service: network/nginx-external-controller-metrics
+++ HelmRelease: network/nginx-external Service: network/nginx-external-controller-metrics
@@ -1,24 +0,0 @@
----
-apiVersion: v1
-kind: Service
-metadata:
- labels:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/instance: nginx-external
- app.kubernetes.io/part-of: ingress-nginx
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/component: controller
- name: nginx-external-controller-metrics
- namespace: network
-spec:
- type: ClusterIP
- ports:
- - name: metrics
- port: 10254
- protocol: TCP
- targetPort: metrics
- selector:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/instance: nginx-external
- app.kubernetes.io/component: controller
-
--- HelmRelease: network/nginx-external Service: network/nginx-external-controller-admission
+++ HelmRelease: network/nginx-external Service: network/nginx-external-controller-admission
@@ -1,24 +0,0 @@
----
-apiVersion: v1
-kind: Service
-metadata:
- labels:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/instance: nginx-external
- app.kubernetes.io/part-of: ingress-nginx
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/component: controller
- name: nginx-external-controller-admission
- namespace: network
-spec:
- type: ClusterIP
- ports:
- - name: https-webhook
- port: 443
- targetPort: webhook
- appProtocol: https
- selector:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/instance: nginx-external
- app.kubernetes.io/component: controller
-
--- HelmRelease: network/nginx-external Service: network/nginx-external-controller
+++ HelmRelease: network/nginx-external Service: network/nginx-external-controller
@@ -1,36 +0,0 @@
----
-apiVersion: v1
-kind: Service
-metadata:
- annotations:
- external-dns.alpha.kubernetes.io/hostname: external...PLACEHOLDER_SECRET_DOMAIN..
- lbipam.cilium.io/ips: ..PLACEHOLDER_SVC_NGINX_EXTERNAL..
- labels:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/instance: nginx-external
- app.kubernetes.io/part-of: ingress-nginx
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/component: controller
- name: nginx-external-controller
- namespace: network
-spec:
- type: LoadBalancer
- ipFamilyPolicy: SingleStack
- ipFamilies:
- - IPv4
- ports:
- - name: http
- port: 80
- protocol: TCP
- targetPort: http
- appProtocol: http
- - name: https
- port: 443
- protocol: TCP
- targetPort: https
- appProtocol: https
- selector:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/instance: nginx-external
- app.kubernetes.io/component: controller
-
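Review bot: deleting this LoadBalancer Service also removes the `external-dns.alpha.kubernetes.io/hostname` and `lbipam.cilium.io/ips` annotations, so external-dns will delete the `external...PLACEHOLDER_SECRET_DOMAIN..` record and Cilium will release the pinned address unless the replacement Service is created with the same two annotations. Please confirm the new controller Service carries them, otherwise there is a window where the public hostname resolves to nothing or to a different IP.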
--- HelmRelease: network/nginx-external Deployment: network/nginx-external-controller
+++ HelmRelease: network/nginx-external Deployment: network/nginx-external-controller
@@ -1,137 +0,0 @@
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- labels:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/instance: nginx-external
- app.kubernetes.io/part-of: ingress-nginx
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/component: controller
- name: nginx-external-controller
- namespace: network
-spec:
- selector:
- matchLabels:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/instance: nginx-external
- app.kubernetes.io/component: controller
- replicas: 2
- revisionHistoryLimit: 10
- minReadySeconds: 0
- template:
- metadata:
- labels:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/instance: nginx-external
- app.kubernetes.io/part-of: ingress-nginx
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/component: controller
- spec:
- dnsPolicy: ClusterFirst
- containers:
- - name: controller
- image: registry.k8s.io/ingress-nginx/controller:v1.12.0@sha256:e6b8de175acda6ca913891f0f727bca4527e797d52688cbe9fec9040d6f6b6fa
- imagePullPolicy: IfNotPresent
- lifecycle:
- preStop:
- exec:
- command:
- - /wait-shutdown
- args:
- - /nginx-ingress-controller
- - --election-id=nginx-external-leader
- - --controller-class=k8s.io/external
- - --ingress-class=nginx
- - --configmap=$(POD_NAMESPACE)/nginx-external-controller
- - --validating-webhook=:8443
- - --validating-webhook-certificate=/usr/local/certificates/cert
- - --validating-webhook-key=/usr/local/certificates/key
- - --enable-metrics=true
- - --default-ssl-certificate=cert-manager/..PLACEHOLDER_SECRET_DOMAIN..-tls
- - --publish-status-address=external...PLACEHOLDER_SECRET_DOMAIN..
- securityContext:
- runAsNonRoot: true
- runAsUser: 101
- runAsGroup: 82
- allowPrivilegeEscalation: false
- seccompProfile:
- type: RuntimeDefault
- capabilities:
- drop:
- - ALL
- add:
- - NET_BIND_SERVICE
- readOnlyRootFilesystem: false
- env:
- - name: POD_NAME
- valueFrom:
- fieldRef:
- fieldPath: metadata.name
- - name: POD_NAMESPACE
- valueFrom:
- fieldRef:
- fieldPath: metadata.namespace
- - name: LD_PRELOAD
- value: /usr/local/lib/libmimalloc.so
- livenessProbe:
- failureThreshold: 5
- httpGet:
- path: /healthz
- port: 10254
- scheme: HTTP
- initialDelaySeconds: 10
- periodSeconds: 10
- successThreshold: 1
- timeoutSeconds: 1
- readinessProbe:
- failureThreshold: 3
- httpGet:
- path: /healthz
- port: 10254
- scheme: HTTP
- initialDelaySeconds: 10
- periodSeconds: 10
- successThreshold: 1
- timeoutSeconds: 1
- ports:
- - name: http
- containerPort: 80
- protocol: TCP
- - name: https
- containerPort: 443
- protocol: TCP
- - name: metrics
- containerPort: 10254
- protocol: TCP
- - name: webhook
- containerPort: 8443
- protocol: TCP
- volumeMounts:
- - name: webhook-cert
- mountPath: /usr/local/certificates/
- readOnly: true
- resources:
- limits:
- memory: 500Mi
- requests:
- cpu: 100m
- memory: 90Mi
- nodeSelector:
- kubernetes.io/os: linux
- topologySpreadConstraints:
- - labelSelector:
- matchLabels:
- app.kubernetes.io/component: controller
- app.kubernetes.io/instance: nginx-external
- app.kubernetes.io/name: ingress-nginx
- maxSkew: 1
- topologyKey: kubernetes.io/hostname
- whenUnsatisfiable: DoNotSchedule
- serviceAccountName: nginx-external
- terminationGracePeriodSeconds: 120
- volumes:
- - name: webhook-cert
- secret:
- secretName: nginx-external-admission
-
--- HelmRelease: network/nginx-external IngressClass: network/external
+++ HelmRelease: network/nginx-external IngressClass: network/external
@@ -1,14 +0,0 @@
----
-apiVersion: networking.k8s.io/v1
-kind: IngressClass
-metadata:
- labels:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/instance: nginx-external
- app.kubernetes.io/part-of: ingress-nginx
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/component: controller
- name: external
-spec:
- controller: k8s.io/external
-
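Review bot: removing the `external` IngressClass (controller `k8s.io/external`) orphans every Ingress that sets `ingressClassName: external`; the API server does not reject the deletion, the Ingresses simply stop being served and their status addresses are never updated. Unless the replacement HelmRelease creates an IngressClass with the same name and controller string, either add a migration step that relabels those Ingresses or keep the class name stable across the rename.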
--- HelmRelease: network/nginx-external ServiceMonitor: network/nginx-external-controller
+++ HelmRelease: network/nginx-external ServiceMonitor: network/nginx-external-controller
@@ -1,24 +0,0 @@
----
-apiVersion: monitoring.coreos.com/v1
-kind: ServiceMonitor
-metadata:
- name: nginx-external-controller
- namespace: network
- labels:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/instance: nginx-external
- app.kubernetes.io/part-of: ingress-nginx
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/component: controller
-spec:
- namespaceSelector:
- any: true
- selector:
- matchLabels:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/instance: nginx-external
- app.kubernetes.io/component: controller
- endpoints:
- - port: metrics
- interval: 30s
-
--- HelmRelease: network/nginx-external ValidatingWebhookConfiguration: network/nginx-external-admission
+++ HelmRelease: network/nginx-external ValidatingWebhookConfiguration: network/nginx-external-admission
@@ -1,41 +0,0 @@
----
-apiVersion: admissionregistration.k8s.io/v1
-kind: ValidatingWebhookConfiguration
-metadata:
- labels:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/instance: nginx-external
- app.kubernetes.io/part-of: ingress-nginx
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/component: admission-webhook
- name: nginx-external-admission
-webhooks:
-- name: validate.nginx.ingress.kubernetes.io
- matchPolicy: Equivalent
- rules:
- - apiGroups:
- - networking.k8s.io
- apiVersions:
- - v1
- operations:
- - CREATE
- - UPDATE
- resources:
- - ingresses
- failurePolicy: Fail
- sideEffects: None
- admissionReviewVersions:
- - v1
- clientConfig:
- service:
- name: nginx-external-controller-admission
- namespace: network
- port: 443
- path: /networking/v1/ingresses
- objectSelector:
- matchExpressions:
- - key: ingress-class
- operator: In
- values:
- - external
-
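Review bot: the removed webhook used an `objectSelector` on the `ingress-class: external` label, so only Ingresses carrying that label were ever validated; an Ingress that selected the controller through `ingressClassName` alone bypassed the check. When the webhook is recreated for the new release, consider dropping the `objectSelector` (the controller already ignores Ingresses of other classes) or matching on `ingressClassName` via the controller's own filtering, so that `failurePolicy: Fail` actually covers every object the controller will render.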
--- HelmRelease: network/nginx-external ServiceAccount: network/nginx-external-admission
+++ HelmRelease: network/nginx-external ServiceAccount: network/nginx-external-admission
@@ -1,17 +0,0 @@
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: nginx-external-admission
- namespace: network
- annotations:
- helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
- helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
- labels:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/instance: nginx-external
- app.kubernetes.io/part-of: ingress-nginx
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/component: admission-webhook
-automountServiceAccountToken: true
-
--- HelmRelease: network/nginx-external ClusterRole: network/nginx-external-admission
+++ HelmRelease: network/nginx-external ClusterRole: network/nginx-external-admission
@@ -1,23 +0,0 @@
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: nginx-external-admission
- annotations:
- helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
- helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
- labels:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/instance: nginx-external
- app.kubernetes.io/part-of: ingress-nginx
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/component: admission-webhook
-rules:
-- apiGroups:
- - admissionregistration.k8s.io
- resources:
- - validatingwebhookconfigurations
- verbs:
- - get
- - update
-
--- HelmRelease: network/nginx-external ClusterRoleBinding: network/nginx-external-admission
+++ HelmRelease: network/nginx-external ClusterRoleBinding: network/nginx-external-admission
@@ -1,23 +0,0 @@
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: nginx-external-admission
- annotations:
- helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
- helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
- labels:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/instance: nginx-external
- app.kubernetes.io/part-of: ingress-nginx
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/component: admission-webhook
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: nginx-external-admission
-subjects:
-- kind: ServiceAccount
- name: nginx-external-admission
- namespace: network
-
--- HelmRelease: network/nginx-external Role: network/nginx-external-admission
+++ HelmRelease: network/nginx-external Role: network/nginx-external-admission
@@ -1,24 +0,0 @@
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
- name: nginx-external-admission
- namespace: network
- annotations:
- helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
- helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
- labels:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/instance: nginx-external
- app.kubernetes.io/part-of: ingress-nginx
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/component: admission-webhook
-rules:
-- apiGroups:
- - ''
- resources:
- - secrets
- verbs:
- - get
- - create
-
--- HelmRelease: network/nginx-external RoleBinding: network/nginx-external-admission
+++ HelmRelease: network/nginx-external RoleBinding: network/nginx-external-admission
@@ -1,24 +0,0 @@
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: nginx-external-admission
- namespace: network
- annotations:
- helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
- helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
- labels:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/instance: nginx-external
- app.kubernetes.io/part-of: ingress-nginx
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/component: admission-webhook
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: Role
- name: nginx-external-admission
-subjects:
-- kind: ServiceAccount
- name: nginx-external-admission
- namespace: network
-
--- HelmRelease: network/nginx-external Job: network/nginx-external-admission-create
+++ HelmRelease: network/nginx-external Job: network/nginx-external-admission-create
@@ -1,56 +0,0 @@
----
-apiVersion: batch/v1
-kind: Job
-metadata:
- name: nginx-external-admission-create
- namespace: network
- annotations:
- helm.sh/hook: pre-install,pre-upgrade
- helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
- labels:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/instance: nginx-external
- app.kubernetes.io/part-of: ingress-nginx
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/component: admission-webhook
-spec:
- template:
- metadata:
- name: nginx-external-admission-create
- labels:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/instance: nginx-external
- app.kubernetes.io/part-of: ingress-nginx
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/component: admission-webhook
- spec:
- containers:
- - name: create
- image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.5.0@sha256:aaafd456bda110628b2d4ca6296f38731a3aaf0bf7581efae824a41c770a8fc4
- imagePullPolicy: IfNotPresent
- args:
- - create
- - --host=nginx-external-controller-admission,nginx-external-controller-admission.$(POD_NAMESPACE).svc
- - --namespace=$(POD_NAMESPACE)
- - --secret-name=nginx-external-admission
- env:
- - name: POD_NAMESPACE
- valueFrom:
- fieldRef:
- fieldPath: metadata.namespace
- securityContext:
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - ALL
- readOnlyRootFilesystem: true
- runAsGroup: 65532
- runAsNonRoot: true
- runAsUser: 65532
- seccompProfile:
- type: RuntimeDefault
- restartPolicy: OnFailure
- serviceAccountName: nginx-external-admission
- nodeSelector:
- kubernetes.io/os: linux
-
--- HelmRelease: network/nginx-external Job: network/nginx-external-admission-patch
+++ HelmRelease: network/nginx-external Job: network/nginx-external-admission-patch
@@ -1,58 +0,0 @@
----
-apiVersion: batch/v1
-kind: Job
-metadata:
- name: nginx-external-admission-patch
- namespace: network
- annotations:
- helm.sh/hook: post-install,post-upgrade
- helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
- labels:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/instance: nginx-external
- app.kubernetes.io/part-of: ingress-nginx
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/component: admission-webhook
-spec:
- template:
- metadata:
- name: nginx-external-admission-patch
- labels:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/instance: nginx-external
- app.kubernetes.io/part-of: ingress-nginx
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/component: admission-webhook
- spec:
- containers:
- - name: patch
- image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.5.0@sha256:aaafd456bda110628b2d4ca6296f38731a3aaf0bf7581efae824a41c770a8fc4
- imagePullPolicy: IfNotPresent
- args:
- - patch
- - --webhook-name=nginx-external-admission
- - --namespace=$(POD_NAMESPACE)
- - --patch-mutating=false
- - --secret-name=nginx-external-admission
- - --patch-failure-policy=Fail
- env:
- - name: POD_NAMESPACE
- valueFrom:
- fieldRef:
- fieldPath: metadata.namespace
- securityContext:
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - ALL
- readOnlyRootFilesystem: true
- runAsGroup: 65532
- runAsNonRoot: true
- runAsUser: 65532
- seccompProfile:
- type: RuntimeDefault
- restartPolicy: OnFailure
- serviceAccountName: nginx-external-admission
- nodeSelector:
- kubernetes.io/os: linux
-
--- HelmRelease: network/nginx-internal PodDisruptionBudget: network/nginx-internal-controller
+++ HelmRelease: network/nginx-internal PodDisruptionBudget: network/nginx-internal-controller
@@ -1,20 +0,0 @@
----
-apiVersion: policy/v1
-kind: PodDisruptionBudget
-metadata:
- labels:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/instance: nginx-internal
- app.kubernetes.io/part-of: ingress-nginx
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/component: controller
- name: nginx-internal-controller
- namespace: network
-spec:
- selector:
- matchLabels:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/instance: nginx-internal
- app.kubernetes.io/component: controller
- minAvailable: 1
-
--- HelmRelease: network/nginx-internal ServiceAccount: network/nginx-internal
+++ HelmRelease: network/nginx-internal ServiceAccount: network/nginx-internal
@@ -1,14 +0,0 @@
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- labels:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/instance: nginx-internal
- app.kubernetes.io/part-of: ingress-nginx
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/component: controller
- name: nginx-internal
- namespace: network
-automountServiceAccountToken: true
-
--- HelmRelease: network/nginx-internal ConfigMap: network/nginx-internal-controller
+++ HelmRelease: network/nginx-internal ConfigMap: network/nginx-internal-controller
@@ -1,35 +0,0 @@
----
-apiVersion: v1
-kind: ConfigMap
-metadata:
- labels:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/instance: nginx-internal
- app.kubernetes.io/part-of: ingress-nginx
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/component: controller
- name: nginx-internal-controller
- namespace: network
-data:
- allow-snippet-annotations: 'true'
- annotations-risk-level: Critical
- block-user-agents: GPTBot,~*GPTBot*,ChatGPT-User,~*ChatGPT-User*,Google-Extended,~*Google-Extended*,CCBot,~*CCBot*,Omgilibot,~*Omgilibot*,FacebookBot,~*FacebookBot*
- client-body-buffer-size: 100M
- client-body-timeout: '120'
- client-header-timeout: '120'
- enable-brotli: 'true'
- enable-ocsp: 'true'
- enable-real-ip: 'true'
- force-ssl-redirect: 'true'
- hide-headers: Server,X-Powered-By
- hsts-max-age: '3.14496e+07'
- keep-alive: '120'
- keep-alive-requests: '10000'
- log-format-escape-json: 'true'
- log-format-upstream: |
- {"time": "$time_iso8601", "remote_addr": "$proxy_protocol_addr", "x_forwarded_for": "$proxy_add_x_forwarded_for", "request_id": "$req_id", "remote_user": "$remote_user", "bytes_sent": $bytes_sent, "request_time": $request_time, "status": $status, "vhost": "$host", "request_proto": "$server_protocol", "path": "$uri", "request_query": "$args", "request_length": $request_length, "duration": $request_time, "method": "$request_method", "http_referrer": "$http_referer", "http_user_agent": "$http_user_agent"}
- proxy-body-size: '0'
- proxy-buffer-size: 16k
- ssl-protocols: TLSv1.3 TLSv1.2
- use-forwarded-headers: 'true'
-
--- HelmRelease: network/nginx-internal ClusterRole: network/nginx-internal
+++ HelmRelease: network/nginx-internal ClusterRole: network/nginx-internal
@@ -1,82 +0,0 @@
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- labels:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/instance: nginx-internal
- app.kubernetes.io/part-of: ingress-nginx
- app.kubernetes.io/managed-by: Helm
- name: nginx-internal
-rules:
-- apiGroups:
- - ''
- resources:
- - configmaps
- - endpoints
- - nodes
- - pods
- - secrets
- - namespaces
- verbs:
- - list
- - watch
-- apiGroups:
- - coordination.k8s.io
- resources:
- - leases
- verbs:
- - list
- - watch
-- apiGroups:
- - ''
- resources:
- - nodes
- verbs:
- - get
-- apiGroups:
- - ''
- resources:
- - services
- verbs:
- - get
- - list
- - watch
-- apiGroups:
- - networking.k8s.io
- resources:
- - ingresses
- verbs:
- - get
- - list
- - watch
-- apiGroups:
- - ''
- resources:
- - events
- verbs:
- - create
- - patch
-- apiGroups:
- - networking.k8s.io
- resources:
- - ingresses/status
- verbs:
- - update
-- apiGroups:
- - networking.k8s.io
- resources:
- - ingressclasses
- verbs:
- - get
- - list
- - watch
-- apiGroups:
- - discovery.k8s.io
- resources:
- - endpointslices
- verbs:
- - list
- - watch
- - get
-
--- HelmRelease: network/nginx-internal ClusterRoleBinding: network/nginx-internal
+++ HelmRelease: network/nginx-internal ClusterRoleBinding: network/nginx-internal
@@ -1,19 +0,0 @@
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- labels:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/instance: nginx-internal
- app.kubernetes.io/part-of: ingress-nginx
- app.kubernetes.io/managed-by: Helm
- name: nginx-internal
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: nginx-internal
-subjects:
-- kind: ServiceAccount
- name: nginx-internal
- namespace: network
-
--- HelmRelease: network/nginx-internal Role: network/nginx-internal
+++ HelmRelease: network/nginx-internal Role: network/nginx-internal
@@ -1,91 +0,0 @@
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
- labels:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/instance: nginx-internal
- app.kubernetes.io/part-of: ingress-nginx
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/component: controller
- name: nginx-internal
- namespace: network
-rules:
-- apiGroups:
- - ''
- resources:
- - namespaces
- verbs:
- - get
-- apiGroups:
- - ''
- resources:
- - configmaps
- - pods
- - secrets
- - endpoints
- verbs:
- - get
- - list
- - watch
-- apiGroups:
- - ''
- resources:
- - services
- verbs:
- - get
- - list
- - watch
-- apiGroups:
- - networking.k8s.io
- resources:
- - ingresses
- verbs:
- - get
- - list
- - watch
-- apiGroups:
- - networking.k8s.io
- resources:
- - ingresses/status
- verbs:
- - update
-- apiGroups:
- - networking.k8s.io
- resources:
- - ingressclasses
- verbs:
- - get
- - list
- - watch
-- apiGroups:
- - coordination.k8s.io
- resources:
- - leases
- resourceNames:
- - nginx-internal-leader
- verbs:
- - get
- - update
-- apiGroups:
- - coordination.k8s.io
- resources:
- - leases
- verbs:
- - create
-- apiGroups:
- - ''
- resources:
- - events
- verbs:
- - create
- - patch
-- apiGroups:
- - discovery.k8s.io
- resources:
- - endpointslices
- verbs:
- - list
- - watch
- - get
-
--- HelmRelease: network/nginx-internal RoleBinding: network/nginx-internal
+++ HelmRelease: network/nginx-internal RoleBinding: network/nginx-internal
@@ -1,21 +0,0 @@
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- labels:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/instance: nginx-internal
- app.kubernetes.io/part-of: ingress-nginx
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/component: controller
- name: nginx-internal
- namespace: network
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: Role
- name: nginx-internal
-subjects:
-- kind: ServiceAccount
- name: nginx-internal
- namespace: network
-
--- HelmRelease: network/nginx-internal Service: network/nginx-internal-controller-metrics
+++ HelmRelease: network/nginx-internal Service: network/nginx-internal-controller-metrics
@@ -1,24 +0,0 @@
----
-apiVersion: v1
-kind: Service
-metadata:
- labels:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/instance: nginx-internal
- app.kubernetes.io/part-of: ingress-nginx
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/component: controller
- name: nginx-internal-controller-metrics
- namespace: network
-spec:
- type: ClusterIP
- ports:
- - name: metrics
- port: 10254
- protocol: TCP
- targetPort: metrics
- selector:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/instance: nginx-internal
- app.kubernetes.io/component: controller
-
--- HelmRelease: network/nginx-internal Service: network/nginx-internal-controller-admission
+++ HelmRelease: network/nginx-internal Service: network/nginx-internal-controller-admission
@@ -1,24 +0,0 @@
----
-apiVersion: v1
-kind: Service
-metadata:
- labels:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/instance: nginx-internal
- app.kubernetes.io/part-of: ingress-nginx
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/component: controller
- name: nginx-internal-controller-admission
- namespace: network
-spec:
- type: ClusterIP
- ports:
- - name: https-webhook
- port: 443
- targetPort: webhook
- appProtocol: https
- selector:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/instance: nginx-internal
- app.kubernetes.io/component: controller
-
--- HelmRelease: network/nginx-internal Service: network/nginx-internal-controller
+++ HelmRelease: network/nginx-internal Service: network/nginx-internal-controller
@@ -1,37 +0,0 @@
----
-apiVersion: v1
-kind: Service
-metadata:
- annotations:
- external-dns.alpha.kubernetes.io/hostname: internal...PLACEHOLDER_SECRET_DOMAIN..
- lbipam.cilium.io/ips: ..PLACEHOLDER_SVC_NGINX_INTERNAL..
- labels:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/instance: nginx-internal
- app.kubernetes.io/part-of: ingress-nginx
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/component: controller
- name: nginx-internal-controller
- namespace: network
-spec:
- type: LoadBalancer
- externalTrafficPolicy: Cluster
- ipFamilyPolicy: SingleStack
- ipFamilies:
- - IPv4
- ports:
- - name: http
- port: 80
- protocol: TCP
- targetPort: http
- appProtocol: http
- - name: https
- port: 443
- protocol: TCP
- targetPort: https
- appProtocol: https
- selector:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/instance: nginx-internal
- app.kubernetes.io/component: controller
-
--- HelmRelease: network/nginx-internal Deployment: network/nginx-internal-controller
+++ HelmRelease: network/nginx-internal Deployment: network/nginx-internal-controller
@@ -1,137 +0,0 @@
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- labels:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/instance: nginx-internal
- app.kubernetes.io/part-of: ingress-nginx
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/component: controller
- name: nginx-internal-controller
- namespace: network
-spec:
- selector:
- matchLabels:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/instance: nginx-internal
- app.kubernetes.io/component: controller
- replicas: 2
- revisionHistoryLimit: 10
- minReadySeconds: 0
- template:
- metadata:
- labels:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/instance: nginx-internal
- app.kubernetes.io/part-of: ingress-nginx
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/component: controller
- spec:
- dnsPolicy: ClusterFirst
- containers:
- - name: controller
- image: registry.k8s.io/ingress-nginx/controller:v1.12.0@sha256:e6b8de175acda6ca913891f0f727bca4527e797d52688cbe9fec9040d6f6b6fa
- imagePullPolicy: IfNotPresent
- lifecycle:
- preStop:
- exec:
- command:
- - /wait-shutdown
- args:
- - /nginx-ingress-controller
- - --election-id=nginx-internal-leader
- - --controller-class=k8s.io/internal
- - --ingress-class=nginx
- - --configmap=$(POD_NAMESPACE)/nginx-internal-controller
- - --validating-webhook=:8443
- - --validating-webhook-certificate=/usr/local/certificates/cert
- - --validating-webhook-key=/usr/local/certificates/key
- - --enable-metrics=true
- - --default-ssl-certificate=cert-manager/..PLACEHOLDER_SECRET_DOMAIN..-tls
- - --publish-status-address=internal...PLACEHOLDER_SECRET_DOMAIN..
- securityContext:
- runAsNonRoot: true
- runAsUser: 101
- runAsGroup: 82
- allowPrivilegeEscalation: false
- seccompProfile:
- type: RuntimeDefault
- capabilities:
- drop:
- - ALL
- add:
- - NET_BIND_SERVICE
- readOnlyRootFilesystem: false
- env:
- - name: POD_NAME
- valueFrom:
- fieldRef:
- fieldPath: metadata.name
- - name: POD_NAMESPACE
- valueFrom:
- fieldRef:
- fieldPath: metadata.namespace
- - name: LD_PRELOAD
- value: /usr/local/lib/libmimalloc.so
- livenessProbe:
- failureThreshold: 5
- httpGet:
- path: /healthz
- port: 10254
- scheme: HTTP
- initialDelaySeconds: 10
- periodSeconds: 10
- successThreshold: 1
- timeoutSeconds: 1
- readinessProbe:
- failureThreshold: 3
- httpGet:
- path: /healthz
- port: 10254
- scheme: HTTP
- initialDelaySeconds: 10
- periodSeconds: 10
- successThreshold: 1
- timeoutSeconds: 1
- ports:
- - name: http
- containerPort: 80
- protocol: TCP
- - name: https
- containerPort: 443
- protocol: TCP
- - name: metrics
- containerPort: 10254
- protocol: TCP
- - name: webhook
- containerPort: 8443
- protocol: TCP
- volumeMounts:
- - name: webhook-cert
- mountPath: /usr/local/certificates/
- readOnly: true
- resources:
- limits:
- memory: 500Mi
- requests:
- cpu: 100m
- memory: 90Mi
- nodeSelector:
- kubernetes.io/os: linux
- topologySpreadConstraints:
- - labelSelector:
- matchLabels:
- app.kubernetes.io/component: controller
- app.kubernetes.io/instance: nginx-internal
- app.kubernetes.io/name: ingress-nginx
- maxSkew: 1
- topologyKey: kubernetes.io/hostname
- whenUnsatisfiable: DoNotSchedule
- serviceAccountName: nginx-internal
- terminationGracePeriodSeconds: 120
- volumes:
- - name: webhook-cert
- secret:
- secretName: nginx-internal-admission
-
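Review bot: `--ingress-class=nginx` in the controller args of this hunk is the same value the new external-ingress-nginx Deployment further down passes, so the two releases differ only in `--controller-class`. ingress-nginx uses the `--ingress-class` string to claim Ingresses that still carry the deprecated `kubernetes.io/ingress.class` annotation, independently of any IngressClass object, so an Ingress annotated `nginx` would be loaded by every controller configured with that value, the internet-facing one included. Give each release a distinct value (the chart exposes it as `controller.ingressClass`) or confirm no Ingress in the cluster still uses the annotation before merging the rename.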
--- HelmRelease: network/nginx-internal IngressClass: network/internal
+++ HelmRelease: network/nginx-internal IngressClass: network/internal
@@ -1,16 +0,0 @@
----
-apiVersion: networking.k8s.io/v1
-kind: IngressClass
-metadata:
- labels:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/instance: nginx-internal
- app.kubernetes.io/part-of: ingress-nginx
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/component: controller
- name: internal
- annotations:
- ingressclass.kubernetes.io/is-default-class: 'true'
-spec:
- controller: k8s.io/internal
-
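Review bot: removing this IngressClass also removes the only `ingressclass.kubernetes.io/is-default-class: 'true'` annotation in the diff, and none of the external-ingress-nginx objects added below declares a default class. The DefaultIngressClass admission plugin only fills in `spec.ingressClassName` on new Ingresses while a default class exists; without one, an Ingress that omits the field gets no class, and since neither controller runs with `--watch-ingress-without-class`, nothing serves it. Confirm the replacement internal class carries the annotation, and that every existing Ingress already stamped with `ingressClassName: internal` still resolves to an IngressClass after this rename.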
--- HelmRelease: network/nginx-internal ServiceMonitor: network/nginx-internal-controller
+++ HelmRelease: network/nginx-internal ServiceMonitor: network/nginx-internal-controller
@@ -1,24 +0,0 @@
----
-apiVersion: monitoring.coreos.com/v1
-kind: ServiceMonitor
-metadata:
- name: nginx-internal-controller
- namespace: network
- labels:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/instance: nginx-internal
- app.kubernetes.io/part-of: ingress-nginx
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/component: controller
-spec:
- namespaceSelector:
- any: true
- selector:
- matchLabels:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/instance: nginx-internal
- app.kubernetes.io/component: controller
- endpoints:
- - port: metrics
- interval: 30s
-
--- HelmRelease: network/nginx-internal ValidatingWebhookConfiguration: network/nginx-internal-admission
+++ HelmRelease: network/nginx-internal ValidatingWebhookConfiguration: network/nginx-internal-admission
@@ -1,41 +0,0 @@
----
-apiVersion: admissionregistration.k8s.io/v1
-kind: ValidatingWebhookConfiguration
-metadata:
- labels:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/instance: nginx-internal
- app.kubernetes.io/part-of: ingress-nginx
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/component: admission-webhook
- name: nginx-internal-admission
-webhooks:
-- name: validate.nginx.ingress.kubernetes.io
- matchPolicy: Equivalent
- rules:
- - apiGroups:
- - networking.k8s.io
- apiVersions:
- - v1
- operations:
- - CREATE
- - UPDATE
- resources:
- - ingresses
- failurePolicy: Fail
- sideEffects: None
- admissionReviewVersions:
- - v1
- clientConfig:
- service:
- name: nginx-internal-controller-admission
- namespace: network
- port: 443
- path: /networking/v1/ingresses
- objectSelector:
- matchExpressions:
- - key: ingress-class
- operator: In
- values:
- - internal
-
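Review bot: the `objectSelector` on this webhook (`ingress-class In [internal]`) meant only Ingresses carrying that label were ever sent for validation; an Ingress that selects the controller through `spec.ingressClassName` alone, with no label, was admitted without the controller's config and annotation checks, so `failurePolicy: Fail` only ever protected objects that opted in. With snippet annotations enabled on these controllers, unlabelled Ingresses are exactly the ones you want validated. If the replacement release reproduces this selector (the external-ingress-nginx webhook is not in this view), drop it, or enforce the label with policy so the webhook covers every Ingress the controller will load.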
--- HelmRelease: network/nginx-internal ServiceAccount: network/nginx-internal-admission
+++ HelmRelease: network/nginx-internal ServiceAccount: network/nginx-internal-admission
@@ -1,17 +0,0 @@
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: nginx-internal-admission
- namespace: network
- annotations:
- helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
- helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
- labels:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/instance: nginx-internal
- app.kubernetes.io/part-of: ingress-nginx
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/component: admission-webhook
-automountServiceAccountToken: true
-
--- HelmRelease: network/nginx-internal ClusterRole: network/nginx-internal-admission
+++ HelmRelease: network/nginx-internal ClusterRole: network/nginx-internal-admission
@@ -1,23 +0,0 @@
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: nginx-internal-admission
- annotations:
- helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
- helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
- labels:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/instance: nginx-internal
- app.kubernetes.io/part-of: ingress-nginx
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/component: admission-webhook
-rules:
-- apiGroups:
- - admissionregistration.k8s.io
- resources:
- - validatingwebhookconfigurations
- verbs:
- - get
- - update
-
--- HelmRelease: network/nginx-internal ClusterRoleBinding: network/nginx-internal-admission
+++ HelmRelease: network/nginx-internal ClusterRoleBinding: network/nginx-internal-admission
@@ -1,23 +0,0 @@
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: nginx-internal-admission
- annotations:
- helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
- helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
- labels:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/instance: nginx-internal
- app.kubernetes.io/part-of: ingress-nginx
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/component: admission-webhook
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: nginx-internal-admission
-subjects:
-- kind: ServiceAccount
- name: nginx-internal-admission
- namespace: network
-
--- HelmRelease: network/nginx-internal Role: network/nginx-internal-admission
+++ HelmRelease: network/nginx-internal Role: network/nginx-internal-admission
@@ -1,24 +0,0 @@
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
- name: nginx-internal-admission
- namespace: network
- annotations:
- helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
- helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
- labels:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/instance: nginx-internal
- app.kubernetes.io/part-of: ingress-nginx
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/component: admission-webhook
-rules:
-- apiGroups:
- - ''
- resources:
- - secrets
- verbs:
- - get
- - create
-
--- HelmRelease: network/nginx-internal RoleBinding: network/nginx-internal-admission
+++ HelmRelease: network/nginx-internal RoleBinding: network/nginx-internal-admission
@@ -1,24 +0,0 @@
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: nginx-internal-admission
- namespace: network
- annotations:
- helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
- helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
- labels:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/instance: nginx-internal
- app.kubernetes.io/part-of: ingress-nginx
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/component: admission-webhook
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: Role
- name: nginx-internal-admission
-subjects:
-- kind: ServiceAccount
- name: nginx-internal-admission
- namespace: network
-
--- HelmRelease: network/nginx-internal Job: network/nginx-internal-admission-create
+++ HelmRelease: network/nginx-internal Job: network/nginx-internal-admission-create
@@ -1,56 +0,0 @@
----
-apiVersion: batch/v1
-kind: Job
-metadata:
- name: nginx-internal-admission-create
- namespace: network
- annotations:
- helm.sh/hook: pre-install,pre-upgrade
- helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
- labels:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/instance: nginx-internal
- app.kubernetes.io/part-of: ingress-nginx
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/component: admission-webhook
-spec:
- template:
- metadata:
- name: nginx-internal-admission-create
- labels:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/instance: nginx-internal
- app.kubernetes.io/part-of: ingress-nginx
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/component: admission-webhook
- spec:
- containers:
- - name: create
- image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.5.0@sha256:aaafd456bda110628b2d4ca6296f38731a3aaf0bf7581efae824a41c770a8fc4
- imagePullPolicy: IfNotPresent
- args:
- - create
- - --host=nginx-internal-controller-admission,nginx-internal-controller-admission.$(POD_NAMESPACE).svc
- - --namespace=$(POD_NAMESPACE)
- - --secret-name=nginx-internal-admission
- env:
- - name: POD_NAMESPACE
- valueFrom:
- fieldRef:
- fieldPath: metadata.namespace
- securityContext:
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - ALL
- readOnlyRootFilesystem: true
- runAsGroup: 65532
- runAsNonRoot: true
- runAsUser: 65532
- seccompProfile:
- type: RuntimeDefault
- restartPolicy: OnFailure
- serviceAccountName: nginx-internal-admission
- nodeSelector:
- kubernetes.io/os: linux
-
--- HelmRelease: network/nginx-internal Job: network/nginx-internal-admission-patch
+++ HelmRelease: network/nginx-internal Job: network/nginx-internal-admission-patch
@@ -1,58 +0,0 @@
----
-apiVersion: batch/v1
-kind: Job
-metadata:
- name: nginx-internal-admission-patch
- namespace: network
- annotations:
- helm.sh/hook: post-install,post-upgrade
- helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
- labels:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/instance: nginx-internal
- app.kubernetes.io/part-of: ingress-nginx
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/component: admission-webhook
-spec:
- template:
- metadata:
- name: nginx-internal-admission-patch
- labels:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/instance: nginx-internal
- app.kubernetes.io/part-of: ingress-nginx
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/component: admission-webhook
- spec:
- containers:
- - name: patch
- image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.5.0@sha256:aaafd456bda110628b2d4ca6296f38731a3aaf0bf7581efae824a41c770a8fc4
- imagePullPolicy: IfNotPresent
- args:
- - patch
- - --webhook-name=nginx-internal-admission
- - --namespace=$(POD_NAMESPACE)
- - --patch-mutating=false
- - --secret-name=nginx-internal-admission
- - --patch-failure-policy=Fail
- env:
- - name: POD_NAMESPACE
- valueFrom:
- fieldRef:
- fieldPath: metadata.namespace
- securityContext:
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - ALL
- readOnlyRootFilesystem: true
- runAsGroup: 65532
- runAsNonRoot: true
- runAsUser: 65532
- seccompProfile:
- type: RuntimeDefault
- restartPolicy: OnFailure
- serviceAccountName: nginx-internal-admission
- nodeSelector:
- kubernetes.io/os: linux
-
--- HelmRelease: network/cloudflared Deployment: network/cloudflared
+++ HelmRelease: network/cloudflared Deployment: network/cloudflared
@@ -91,21 +91,21 @@
memory: 256M
requests:
cpu: 5m
memory: 128M
volumeMounts:
- mountPath: /etc/cloudflared/config/config.yaml
- name: config
+ name: config-file
readOnly: true
subPath: config.yaml
- mountPath: /etc/cloudflared/creds/credentials.json
- name: creds
+ name: secret-file
readOnly: true
subPath: credentials.json
volumes:
- configMap:
name: cloudflared-configmap
- name: config
- - name: creds
+ name: config-file
+ - name: secret-file
secret:
- secretName: cloudflared-secret
+ secretName: cloudflared-tunnel-secret
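Review bot: the Secret reference changes from `cloudflared-secret` to `cloudflared-tunnel-secret`, but no Secret or ExternalSecret with the new name appears in this diff, so the rollout leaves the new pod in ContainerCreating on a missing volume source unless that object lands first; ordering this behind the secret (a Flux `dependsOn`, or a preceding commit that creates it) avoids a tunnel outage during the rename. Separately, both mounts keep `subPath`, and the kubelet does not propagate ConfigMap or Secret updates into subPath mounts, so a rotated `credentials.json` or an edited `config.yaml` only takes effect after a pod restart; mounting the directory (`/etc/cloudflared/creds`) instead would pick up rotations live.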
--- HelmRelease: network/external-ingress-nginx PodDisruptionBudget: network/external-ingress-nginx-controller
+++ HelmRelease: network/external-ingress-nginx PodDisruptionBudget: network/external-ingress-nginx-controller
@@ -0,0 +1,20 @@
+---
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+ labels:
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/instance: external-ingress-nginx
+ app.kubernetes.io/part-of: ingress-nginx
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/component: controller
+ name: external-ingress-nginx-controller
+ namespace: network
+spec:
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/instance: external-ingress-nginx
+ app.kubernetes.io/component: controller
+ minAvailable: 1
+
--- HelmRelease: network/external-ingress-nginx ServiceAccount: network/external-ingress-nginx
+++ HelmRelease: network/external-ingress-nginx ServiceAccount: network/external-ingress-nginx
@@ -0,0 +1,14 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ labels:
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/instance: external-ingress-nginx
+ app.kubernetes.io/part-of: ingress-nginx
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/component: controller
+ name: external-ingress-nginx
+ namespace: network
+automountServiceAccountToken: true
+
--- HelmRelease: network/external-ingress-nginx ConfigMap: network/external-ingress-nginx-controller
+++ HelmRelease: network/external-ingress-nginx ConfigMap: network/external-ingress-nginx-controller
@@ -0,0 +1,35 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ labels:
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/instance: external-ingress-nginx
+ app.kubernetes.io/part-of: ingress-nginx
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/component: controller
+ name: external-ingress-nginx-controller
+ namespace: network
+data:
+ allow-snippet-annotations: 'true'
+ annotations-risk-level: Critical
+ block-user-agents: AdsBot-Google,Amazonbot,anthropic-ai,Applebot-Extended,Bytespider,CCBot,ChatGPT-User,ClaudeBot,Claude-Web,cohere-ai,Diffbot,FacebookBot,FriendlyCrawler,Google-Extended,GoogleOther,GPTBot,img2dataset,omgili,omgilibot,peer39_crawler,peer39_crawler/1.0,PerplexityBot,YouBot,
+ client-body-buffer-size: 100M
+ client-body-timeout: '120'
+ client-header-timeout: '120'
+ enable-brotli: 'true'
+ enable-ocsp: 'true'
+ enable-real-ip: 'true'
+ force-ssl-redirect: 'true'
+ hide-headers: Server,X-Powered-By
+ hsts-max-age: '3.14496e+07'
+ keep-alive: '120'
+ keep-alive-requests: '10000'
+ log-format-escape-json: 'true'
+ log-format-upstream: |
+ {"time": "$time_iso8601", "remote_addr": "$proxy_protocol_addr", "x_forwarded_for": "$proxy_add_x_forwarded_for", "request_id": "$req_id", "remote_user": "$remote_user", "bytes_sent": $bytes_sent, "request_time": $request_time, "status": $status, "vhost": "$host", "request_proto": "$server_protocol", "path": "$uri", "request_query": "$args", "request_length": $request_length, "duration": $request_time, "method": "$request_method", "http_referrer": "$http_referer", "http_user_agent": "$http_user_agent"}
+ proxy-body-size: '0'
+ proxy-buffer-size: 16k
+ ssl-protocols: TLSv1.3 TLSv1.2
+ use-forwarded-headers: 'true'
+
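Review bot: `allow-snippet-annotations: 'true'` together with `annotations-risk-level: Critical` on the internet-facing controller gives every identity that can create an Ingress in any namespace this controller watches the ability to inject arbitrary nginx directives into a process that, per the ClusterRole in the next hunk, can list every Secret in the cluster; upstream disabled snippets by default for that reason, and the 1.12 default risk level of High already blocks them. Unless something here needs `configuration-snippet` or `server-snippet`, drop both keys. Three smaller items in the same hunk: `hsts-max-age: '3.14496e+07'` renders as `max-age=3.14496e+07`, which is not a valid HSTS directive (RFC 6797 requires digits), so browsers ignore the header; quote the value as `"31449600"` in the HelmRelease values so Helm stops rendering the number as a float. `block-user-agents` now holds only plain tokens (plus a trailing comma that yields an empty entry), and plain entries in the controller's `map $http_user_agent` block match the whole User-Agent string exactly, so `GPTBot` will not match `Mozilla/5.0 ... GPTBot/1.0` the way the removed `~*GPTBot*` regex entries did; keep the `~*` forms. And `use-forwarded-headers: 'true'` with no `proxy-real-ip-cidr` trusts `X-Forwarded-For` from any source, so a direct client can choose the address that ends up in `$remote_addr`, the access log and any allowlist; set `proxy-real-ip-cidr` to the CIDR of the hop that actually fronts this controller.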
--- HelmRelease: network/external-ingress-nginx ClusterRole: network/external-ingress-nginx
+++ HelmRelease: network/external-ingress-nginx ClusterRole: network/external-ingress-nginx
@@ -0,0 +1,82 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ labels:
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/instance: external-ingress-nginx
+ app.kubernetes.io/part-of: ingress-nginx
+ app.kubernetes.io/managed-by: Helm
+ name: external-ingress-nginx
+rules:
+- apiGroups:
+ - ''
+ resources:
+ - configmaps
+ - endpoints
+ - nodes
+ - pods
+ - secrets
+ - namespaces
+ verbs:
+ - list
+ - watch
+- apiGroups:
+ - coordination.k8s.io
+ resources:
+ - leases
+ verbs:
+ - list
+ - watch
+- apiGroups:
+ - ''
+ resources:
+ - nodes
+ verbs:
+ - get
+- apiGroups:
+ - ''
+ resources:
+ - services
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - networking.k8s.io
+ resources:
+ - ingresses
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - ''
+ resources:
+ - events
+ verbs:
+ - create
+ - patch
+- apiGroups:
+ - networking.k8s.io
+ resources:
+ - ingresses/status
+ verbs:
+ - update
+- apiGroups:
+ - networking.k8s.io
+ resources:
+ - ingressclasses
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - discovery.k8s.io
+ resources:
+ - endpointslices
+ verbs:
+ - list
+ - watch
+ - get
+
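Review bot: the first rule grants `list` and `watch` on `secrets` across all namespaces, and a list returns full objects, so this controller's ServiceAccount can read every Secret in the cluster rather than only the TLS Secrets its Ingresses reference; that is the upstream chart default, but on the external controller it is the blast radius of any config-injection path (see the snippet settings in the ConfigMap hunk above) and of a compromised controller pod. If external Ingresses only live in a known set of namespaces, the chart's `controller.scope` values set `--watch-namespace`/`--watch-namespace-selector` so the controller only watches and caches those namespaces; check what the chart renders for RBAC in that mode before relying on it. Otherwise at least confirm the default TLS Secret in `cert-manager` is the only cross-namespace Secret this controller must read and consider placing it in `network`.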
--- HelmRelease: network/external-ingress-nginx ClusterRoleBinding: network/external-ingress-nginx
+++ HelmRelease: network/external-ingress-nginx ClusterRoleBinding: network/external-ingress-nginx
@@ -0,0 +1,19 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ labels:
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/instance: external-ingress-nginx
+ app.kubernetes.io/part-of: ingress-nginx
+ app.kubernetes.io/managed-by: Helm
+ name: external-ingress-nginx
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: external-ingress-nginx
+subjects:
+- kind: ServiceAccount
+ name: external-ingress-nginx
+ namespace: network
+
--- HelmRelease: network/external-ingress-nginx Role: network/external-ingress-nginx
+++ HelmRelease: network/external-ingress-nginx Role: network/external-ingress-nginx
@@ -0,0 +1,91 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ labels:
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/instance: external-ingress-nginx
+ app.kubernetes.io/part-of: ingress-nginx
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/component: controller
+ name: external-ingress-nginx
+ namespace: network
+rules:
+- apiGroups:
+ - ''
+ resources:
+ - namespaces
+ verbs:
+ - get
+- apiGroups:
+ - ''
+ resources:
+ - configmaps
+ - pods
+ - secrets
+ - endpoints
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - ''
+ resources:
+ - services
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - networking.k8s.io
+ resources:
+ - ingresses
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - networking.k8s.io
+ resources:
+ - ingresses/status
+ verbs:
+ - update
+- apiGroups:
+ - networking.k8s.io
+ resources:
+ - ingressclasses
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - coordination.k8s.io
+ resources:
+ - leases
+ resourceNames:
+ - external-ingress-nginx-leader
+ verbs:
+ - get
+ - update
+- apiGroups:
+ - coordination.k8s.io
+ resources:
+ - leases
+ verbs:
+ - create
+- apiGroups:
+ - ''
+ resources:
+ - events
+ verbs:
+ - create
+ - patch
+- apiGroups:
+ - discovery.k8s.io
+ resources:
+ - endpointslices
+ verbs:
+ - list
+ - watch
+ - get
+
--- HelmRelease: network/external-ingress-nginx RoleBinding: network/external-ingress-nginx
+++ HelmRelease: network/external-ingress-nginx RoleBinding: network/external-ingress-nginx
@@ -0,0 +1,21 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ labels:
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/instance: external-ingress-nginx
+ app.kubernetes.io/part-of: ingress-nginx
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/component: controller
+ name: external-ingress-nginx
+ namespace: network
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: external-ingress-nginx
+subjects:
+- kind: ServiceAccount
+ name: external-ingress-nginx
+ namespace: network
+
--- HelmRelease: network/external-ingress-nginx Service: network/external-ingress-nginx-controller-metrics
+++ HelmRelease: network/external-ingress-nginx Service: network/external-ingress-nginx-controller-metrics
@@ -0,0 +1,24 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/instance: external-ingress-nginx
+ app.kubernetes.io/part-of: ingress-nginx
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/component: controller
+ name: external-ingress-nginx-controller-metrics
+ namespace: network
+spec:
+ type: ClusterIP
+ ports:
+ - name: metrics
+ port: 10254
+ protocol: TCP
+ targetPort: metrics
+ selector:
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/instance: external-ingress-nginx
+ app.kubernetes.io/component: controller
+
--- HelmRelease: network/external-ingress-nginx Service: network/external-ingress-nginx-controller-admission
+++ HelmRelease: network/external-ingress-nginx Service: network/external-ingress-nginx-controller-admission
@@ -0,0 +1,24 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/instance: external-ingress-nginx
+ app.kubernetes.io/part-of: ingress-nginx
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/component: controller
+ name: external-ingress-nginx-controller-admission
+ namespace: network
+spec:
+ type: ClusterIP
+ ports:
+ - name: https-webhook
+ port: 443
+ targetPort: webhook
+ appProtocol: https
+ selector:
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/instance: external-ingress-nginx
+ app.kubernetes.io/component: controller
+
--- HelmRelease: network/external-ingress-nginx Service: network/external-ingress-nginx-controller
+++ HelmRelease: network/external-ingress-nginx Service: network/external-ingress-nginx-controller
@@ -0,0 +1,36 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+ annotations:
+ external-dns.alpha.kubernetes.io/hostname: external...PLACEHOLDER_SECRET_DOMAIN..
+ lbipam.cilium.io/ips: ..PLACEHOLDER_SVC_NGINX_EXTERNAL..
+ labels:
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/instance: external-ingress-nginx
+ app.kubernetes.io/part-of: ingress-nginx
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/component: controller
+ name: external-ingress-nginx-controller
+ namespace: network
+spec:
+ type: LoadBalancer
+ ipFamilyPolicy: SingleStack
+ ipFamilies:
+ - IPv4
+ ports:
+ - name: http
+ port: 80
+ protocol: TCP
+ targetPort: http
+ appProtocol: http
+ - name: https
+ port: 443
+ protocol: TCP
+ targetPort: https
+ appProtocol: https
+ selector:
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/instance: external-ingress-nginx
+ app.kubernetes.io/component: controller
+
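Review bot: this Service omits the `externalTrafficPolicy: Cluster` the removed internal Service set explicitly, which is the default anyway, so behaviour is unchanged and the point is what that default implies for an internet-facing controller: with `Cluster`, traffic arriving on a node without a local endpoint is SNATed to the node, so nginx sees a node IP, and neither `enable-real-ip` nor `use-forwarded-headers` in the ConfigMap recovers the client address unless a trusted hop inserts it. The log format also takes `remote_addr` from `$proxy_protocol_addr`, which nginx leaves empty because `use-proxy-protocol` is not enabled, so access logs for this controller carry no client IP at all. Either set `externalTrafficPolicy: Local` so only nodes running a replica answer for the LB IP and the source address is preserved, or enable proxy protocol end to end, or at minimum log `$remote_addr`.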
--- HelmRelease: network/external-ingress-nginx Deployment: network/external-ingress-nginx-controller
+++ HelmRelease: network/external-ingress-nginx Deployment: network/external-ingress-nginx-controller
@@ -0,0 +1,137 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/instance: external-ingress-nginx
+ app.kubernetes.io/part-of: ingress-nginx
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/component: controller
+ name: external-ingress-nginx-controller
+ namespace: network
+spec:
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/instance: external-ingress-nginx
+ app.kubernetes.io/component: controller
+ replicas: 2
+ revisionHistoryLimit: 10
+ minReadySeconds: 0
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/instance: external-ingress-nginx
+ app.kubernetes.io/part-of: ingress-nginx
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/component: controller
+ spec:
+ dnsPolicy: ClusterFirst
+ containers:
+ - name: controller
+ image: registry.k8s.io/ingress-nginx/controller:v1.12.0@sha256:e6b8de175acda6ca913891f0f727bca4527e797d52688cbe9fec9040d6f6b6fa
+ imagePullPolicy: IfNotPresent
+ lifecycle:
+ preStop:
+ exec:
+ command:
+ - /wait-shutdown
+ args:
+ - /nginx-ingress-controller
+ - --election-id=external-ingress-nginx-leader
+ - --controller-class=k8s.io/external
+ - --ingress-class=nginx
+ - --configmap=$(POD_NAMESPACE)/external-ingress-nginx-controller
+ - --validating-webhook=:8443
+ - --validating-webhook-certificate=/usr/local/certificates/cert
+ - --validating-webhook-key=/usr/local/certificates/key
+ - --enable-metrics=true
+ - --default-ssl-certificate=cert-manager/..PLACEHOLDER_SECRET_DOMAIN..-tls
+ - --publish-status-address=external...PLACEHOLDER_SECRET_DOMAIN..
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: 101
+ runAsGroup: 82
+ allowPrivilegeEscalation: false
+ seccompProfile:
+ type: RuntimeDefault
+ capabilities:
+ drop:
+ - ALL
+ add:
+ - NET_BIND_SERVICE
+ readOnlyRootFilesystem: false
+ env:
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.name
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ - name: LD_PRELOAD
+ value: /usr/local/lib/libmimalloc.so
+ livenessProbe:
+ failureThreshold: 5
+ httpGet:
+ path: /healthz
+ port: 10254
+ scheme: HTTP
+ initialDelaySeconds: 10
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 1
+ readinessProbe:
+ failureThreshold: 3
+ httpGet:
+ path: /healthz
+ port: 10254
+ scheme: HTTP
+ initialDelaySeconds: 10
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 1
+ ports:
+ - name: http
+ containerPort: 80
+ protocol: TCP
+ - name: https
+ containerPort: 443
+ protocol: TCP
+ - name: metrics
+ containerPort: 10254
+ protocol: TCP
+ - name: webhook
+ containerPort: 8443
+ protocol: TCP
+ volumeMounts:
+ - name: webhook-cert
+ mountPath: /usr/local/certificates/
+ readOnly: true
+ resources:
+ limits:
+ memory: 500Mi
+ requests:
+ cpu: 100m
+ memory: 90Mi
+ nodeSelector:
+ kubernetes.io/os: linux
+ topologySpreadConstraints:
+ - labelSelector:
+ matchLabels:
+ app.kubernetes.io/component: controller
+ app.kubernetes.io/instance: external-ingress-nginx
+ app.kubernetes.io/name: ingress-nginx
+ maxSkew: 1
+ topologyKey: kubernetes.io/hostname
+ whenUnsatisfiable: DoNotSchedule
+ serviceAccountName: external-ingress-nginx
+ terminationGracePeriodSeconds: 120
+ volumes:
+ - name: webhook-cert
+ secret:
+ secretName: external-ingress-nginx-admission
+
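Review bot: `--ingress-class=nginx` does not match the IngressClass this release creates, which is named `external` with `controller: k8s.io/external`, and the internal controller's Deployment in this same diff passes the identical `--ingress-class=nginx`. `--controller-class` is what selects Ingresses through `spec.ingressClassName`, but `--ingress-class` is the value matched against the legacy `kubernetes.io/ingress.class` annotation, which 1.x still honours with a deprecation warning, so an Ingress carrying `kubernetes.io/ingress.class: nginx` would be reconciled by both controllers and published on the external LoadBalancer as well as the internal one. Suggest `--ingress-class=external` here (and `internal` on the other controller) so the two stay disjoint. Separately, `readOnlyRootFilesystem: false` is the chart default because nginx writes its generated config and temp files under the container filesystem; leave it unless you also add emptyDir mounts for those paths.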
--- HelmRelease: network/external-ingress-nginx IngressClass: network/external
+++ HelmRelease: network/external-ingress-nginx IngressClass: network/external
@@ -0,0 +1,14 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: IngressClass
+metadata:
+ labels:
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/instance: external-ingress-nginx
+ app.kubernetes.io/part-of: ingress-nginx
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/component: controller
+ name: external
+spec:
+ controller: k8s.io/external
+
--- HelmRelease: network/external-ingress-nginx ServiceMonitor: network/external-ingress-nginx-controller
+++ HelmRelease: network/external-ingress-nginx ServiceMonitor: network/external-ingress-nginx-controller
@@ -0,0 +1,24 @@
+---
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+ name: external-ingress-nginx-controller
+ namespace: network
+ labels:
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/instance: external-ingress-nginx
+ app.kubernetes.io/part-of: ingress-nginx
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/component: controller
+spec:
+ namespaceSelector:
+ any: true
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/instance: external-ingress-nginx
+ app.kubernetes.io/component: controller
+ endpoints:
+ - port: metrics
+ interval: 30s
+
--- HelmRelease: network/external-ingress-nginx ValidatingWebhookConfiguration: network/external-ingress-nginx-admission
+++ HelmRelease: network/external-ingress-nginx ValidatingWebhookConfiguration: network/external-ingress-nginx-admission
@@ -0,0 +1,41 @@
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+ labels:
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/instance: external-ingress-nginx
+ app.kubernetes.io/part-of: ingress-nginx
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/component: admission-webhook
+ name: external-ingress-nginx-admission
+webhooks:
+- name: validate.nginx.ingress.kubernetes.io
+ matchPolicy: Equivalent
+ rules:
+ - apiGroups:
+ - networking.k8s.io
+ apiVersions:
+ - v1
+ operations:
+ - CREATE
+ - UPDATE
+ resources:
+ - ingresses
+ failurePolicy: Fail
+ sideEffects: None
+ admissionReviewVersions:
+ - v1
+ clientConfig:
+ service:
+ name: external-ingress-nginx-controller-admission
+ namespace: network
+ port: 443
+ path: /networking/v1/ingresses
+ objectSelector:
+ matchExpressions:
+ - key: ingress-class
+ operator: In
+ values:
+ - external
+
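Review bot: the `objectSelector` on this webhook matches on the label `ingress-class` (value `external`), not on `spec.ingressClassName`, so an Ingress that selects this controller via `spec.ingressClassName: external` but carries no `ingress-class=external` label is admitted without ever reaching `validate.nginx.ingress.kubernetes.io`, and the controller then renders it without the admission-time config check. If snippet annotations are enabled for this controller, as the internal controller's ConfigMap in this diff does, the webhook is the main guard against an unsafe annotation being loaded, so either require the label by policy or use a selector that cannot be skipped (for example a single webhook without an `objectSelector` if both controllers can share one).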
--- HelmRelease: network/external-ingress-nginx ServiceAccount: network/external-ingress-nginx-admission
+++ HelmRelease: network/external-ingress-nginx ServiceAccount: network/external-ingress-nginx-admission
@@ -0,0 +1,17 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: external-ingress-nginx-admission
+ namespace: network
+ annotations:
+ helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+ helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+ labels:
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/instance: external-ingress-nginx
+ app.kubernetes.io/part-of: ingress-nginx
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/component: admission-webhook
+automountServiceAccountToken: true
+
--- HelmRelease: network/external-ingress-nginx ClusterRole: network/external-ingress-nginx-admission
+++ HelmRelease: network/external-ingress-nginx ClusterRole: network/external-ingress-nginx-admission
@@ -0,0 +1,23 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: external-ingress-nginx-admission
+ annotations:
+ helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+ helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+ labels:
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/instance: external-ingress-nginx
+ app.kubernetes.io/part-of: ingress-nginx
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/component: admission-webhook
+rules:
+- apiGroups:
+ - admissionregistration.k8s.io
+ resources:
+ - validatingwebhookconfigurations
+ verbs:
+ - get
+ - update
+
--- HelmRelease: network/external-ingress-nginx ClusterRoleBinding: network/external-ingress-nginx-admission
+++ HelmRelease: network/external-ingress-nginx ClusterRoleBinding: network/external-ingress-nginx-admission
@@ -0,0 +1,23 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: external-ingress-nginx-admission
+ annotations:
+ helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+ helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+ labels:
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/instance: external-ingress-nginx
+ app.kubernetes.io/part-of: ingress-nginx
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/component: admission-webhook
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: external-ingress-nginx-admission
+subjects:
+- kind: ServiceAccount
+ name: external-ingress-nginx-admission
+ namespace: network
+
--- HelmRelease: network/external-ingress-nginx Role: network/external-ingress-nginx-admission
+++ HelmRelease: network/external-ingress-nginx Role: network/external-ingress-nginx-admission
@@ -0,0 +1,24 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: external-ingress-nginx-admission
+ namespace: network
+ annotations:
+ helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+ helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+ labels:
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/instance: external-ingress-nginx
+ app.kubernetes.io/part-of: ingress-nginx
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/component: admission-webhook
+rules:
+- apiGroups:
+ - ''
+ resources:
+ - secrets
+ verbs:
+ - get
+ - create
+
--- HelmRelease: network/external-ingress-nginx RoleBinding: network/external-ingress-nginx-admission
+++ HelmRelease: network/external-ingress-nginx RoleBinding: network/external-ingress-nginx-admission
@@ -0,0 +1,24 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: external-ingress-nginx-admission
+ namespace: network
+ annotations:
+ helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+ helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+ labels:
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/instance: external-ingress-nginx
+ app.kubernetes.io/part-of: ingress-nginx
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/component: admission-webhook
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: external-ingress-nginx-admission
+subjects:
+- kind: ServiceAccount
+ name: external-ingress-nginx-admission
+ namespace: network
+
--- HelmRelease: network/external-ingress-nginx Job: network/external-ingress-nginx-admission-create
+++ HelmRelease: network/external-ingress-nginx Job: network/external-ingress-nginx-admission-create
@@ -0,0 +1,56 @@
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: external-ingress-nginx-admission-create
+ namespace: network
+ annotations:
+ helm.sh/hook: pre-install,pre-upgrade
+ helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+ labels:
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/instance: external-ingress-nginx
+ app.kubernetes.io/part-of: ingress-nginx
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/component: admission-webhook
+spec:
+ template:
+ metadata:
+ name: external-ingress-nginx-admission-create
+ labels:
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/instance: external-ingress-nginx
+ app.kubernetes.io/part-of: ingress-nginx
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/component: admission-webhook
+ spec:
+ containers:
+ - name: create
+ image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.5.0@sha256:aaafd456bda110628b2d4ca6296f38731a3aaf0bf7581efae824a41c770a8fc4
+ imagePullPolicy: IfNotPresent
+ args:
+ - create
+ - --host=external-ingress-nginx-controller-admission,external-ingress-nginx-controller-admission.$(POD_NAMESPACE).svc
+ - --namespace=$(POD_NAMESPACE)
+ - --secret-name=external-ingress-nginx-admission
+ env:
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ readOnlyRootFilesystem: true
+ runAsGroup: 65532
+ runAsNonRoot: true
+ runAsUser: 65532
+ seccompProfile:
+ type: RuntimeDefault
+ restartPolicy: OnFailure
+ serviceAccountName: external-ingress-nginx-admission
+ nodeSelector:
+ kubernetes.io/os: linux
+
--- HelmRelease: network/external-ingress-nginx Job: network/external-ingress-nginx-admission-patch
+++ HelmRelease: network/external-ingress-nginx Job: network/external-ingress-nginx-admission-patch
@@ -0,0 +1,58 @@
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: external-ingress-nginx-admission-patch
+ namespace: network
+ annotations:
+ helm.sh/hook: post-install,post-upgrade
+ helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+ labels:
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/instance: external-ingress-nginx
+ app.kubernetes.io/part-of: ingress-nginx
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/component: admission-webhook
+spec:
+ template:
+ metadata:
+ name: external-ingress-nginx-admission-patch
+ labels:
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/instance: external-ingress-nginx
+ app.kubernetes.io/part-of: ingress-nginx
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/component: admission-webhook
+ spec:
+ containers:
+ - name: patch
+ image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.5.0@sha256:aaafd456bda110628b2d4ca6296f38731a3aaf0bf7581efae824a41c770a8fc4
+ imagePullPolicy: IfNotPresent
+ args:
+ - patch
+ - --webhook-name=external-ingress-nginx-admission
+ - --namespace=$(POD_NAMESPACE)
+ - --patch-mutating=false
+ - --secret-name=external-ingress-nginx-admission
+ - --patch-failure-policy=Fail
+ env:
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ readOnlyRootFilesystem: true
+ runAsGroup: 65532
+ runAsNonRoot: true
+ runAsUser: 65532
+ seccompProfile:
+ type: RuntimeDefault
+ restartPolicy: OnFailure
+ serviceAccountName: external-ingress-nginx-admission
+ nodeSelector:
+ kubernetes.io/os: linux
+
--- HelmRelease: network/internal-ingress-nginx PodDisruptionBudget: network/internal-ingress-nginx-controller
+++ HelmRelease: network/internal-ingress-nginx PodDisruptionBudget: network/internal-ingress-nginx-controller
@@ -0,0 +1,20 @@
+---
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+ labels:
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/instance: internal-ingress-nginx
+ app.kubernetes.io/part-of: ingress-nginx
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/component: controller
+ name: internal-ingress-nginx-controller
+ namespace: network
+spec:
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/instance: internal-ingress-nginx
+ app.kubernetes.io/component: controller
+ minAvailable: 1
+
--- HelmRelease: network/internal-ingress-nginx ServiceAccount: network/internal-ingress-nginx
+++ HelmRelease: network/internal-ingress-nginx ServiceAccount: network/internal-ingress-nginx
@@ -0,0 +1,14 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ labels:
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/instance: internal-ingress-nginx
+ app.kubernetes.io/part-of: ingress-nginx
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/component: controller
+ name: internal-ingress-nginx
+ namespace: network
+automountServiceAccountToken: true
+
--- HelmRelease: network/internal-ingress-nginx ConfigMap: network/internal-ingress-nginx-controller
+++ HelmRelease: network/internal-ingress-nginx ConfigMap: network/internal-ingress-nginx-controller
@@ -0,0 +1,35 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ labels:
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/instance: internal-ingress-nginx
+ app.kubernetes.io/part-of: ingress-nginx
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/component: controller
+ name: internal-ingress-nginx-controller
+ namespace: network
+data:
+ allow-snippet-annotations: 'true'
+ annotations-risk-level: Critical
+ block-user-agents: AdsBot-Google,Amazonbot,anthropic-ai,Applebot-Extended,Bytespider,CCBot,ChatGPT-User,ClaudeBot,Claude-Web,cohere-ai,Diffbot,FacebookBot,FriendlyCrawler,Google-Extended,GoogleOther,GPTBot,img2dataset,omgili,omgilibot,peer39_crawler,peer39_crawler/1.0,PerplexityBot,YouBot,
+ client-body-buffer-size: 100M
+ client-body-timeout: '120'
+ client-header-timeout: '120'
+ enable-brotli: 'true'
+ enable-ocsp: 'true'
+ enable-real-ip: 'true'
+ force-ssl-redirect: 'true'
+ hide-headers: Server,X-Powered-By
+ hsts-max-age: '3.14496e+07'
+ keep-alive: '120'
+ keep-alive-requests: '10000'
+ log-format-escape-json: 'true'
+ log-format-upstream: |
+ {"time": "$time_iso8601", "remote_addr": "$proxy_protocol_addr", "x_forwarded_for": "$proxy_add_x_forwarded_for", "request_id": "$req_id", "remote_user": "$remote_user", "bytes_sent": $bytes_sent, "request_time": $request_time, "status": $status, "vhost": "$host", "request_proto": "$server_protocol", "path": "$uri", "request_query": "$args", "request_length": $request_length, "duration": $request_time, "method": "$request_method", "http_referrer": "$http_referer", "http_user_agent": "$http_user_agent"}
+ proxy-body-size: '0'
+ proxy-buffer-size: 16k
+ ssl-protocols: TLSv1.3 TLSv1.2
+ use-forwarded-headers: 'true'
+
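Review bot: `hsts-max-age: '3.14496e+07'` is the Helm float rendering of 31449600 (an unquoted large integer in values is parsed as float64 and printed in scientific notation); ingress-nginx copies the string verbatim into `Strict-Transport-Security: max-age=...`, and RFC 6797 requires a plain digit string there, so browsers will not record the policy. Quote the value in the HelmRelease values so it renders as `'31449600'`. Three further points on this ConfigMap: `allow-snippet-annotations: 'true'` together with `annotations-risk-level: Critical` lets anyone who can create Ingresses for this class inject raw nginx configuration into a controller whose ClusterRole (later in this diff) can list and watch Secrets cluster-wide, so keep it only if every Ingress author is fully trusted, otherwise drop both keys back to the defaults. `use-forwarded-headers: 'true'` makes nginx trust incoming `X-Forwarded-*` headers from whatever reaches the Service; unless a trusted L7 proxy sits in front, pair it with `proxy-real-ip-cidr` limited to that proxy or set it to `'false'`. And `log-format-upstream` records `$proxy_protocol_addr` as `remote_addr`, which is only populated when `use-proxy-protocol` is enabled (it is not set here), so the field will always be empty; use `$remote_addr` instead.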
--- HelmRelease: network/internal-ingress-nginx ClusterRole: network/internal-ingress-nginx
+++ HelmRelease: network/internal-ingress-nginx ClusterRole: network/internal-ingress-nginx
@@ -0,0 +1,82 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ labels:
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/instance: internal-ingress-nginx
+ app.kubernetes.io/part-of: ingress-nginx
+ app.kubernetes.io/managed-by: Helm
+ name: internal-ingress-nginx
+rules:
+- apiGroups:
+ - ''
+ resources:
+ - configmaps
+ - endpoints
+ - nodes
+ - pods
+ - secrets
+ - namespaces
+ verbs:
+ - list
+ - watch
+- apiGroups:
+ - coordination.k8s.io
+ resources:
+ - leases
+ verbs:
+ - list
+ - watch
+- apiGroups:
+ - ''
+ resources:
+ - nodes
+ verbs:
+ - get
+- apiGroups:
+ - ''
+ resources:
+ - services
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - networking.k8s.io
+ resources:
+ - ingresses
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - ''
+ resources:
+ - events
+ verbs:
+ - create
+ - patch
+- apiGroups:
+ - networking.k8s.io
+ resources:
+ - ingresses/status
+ verbs:
+ - update
+- apiGroups:
+ - networking.k8s.io
+ resources:
+ - ingressclasses
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - discovery.k8s.io
+ resources:
+ - endpointslices
+ verbs:
+ - list
+ - watch
+ - get
+
--- HelmRelease: network/internal-ingress-nginx ClusterRoleBinding: network/internal-ingress-nginx
+++ HelmRelease: network/internal-ingress-nginx ClusterRoleBinding: network/internal-ingress-nginx
@@ -0,0 +1,19 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ labels:
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/instance: internal-ingress-nginx
+ app.kubernetes.io/part-of: ingress-nginx
+ app.kubernetes.io/managed-by: Helm
+ name: internal-ingress-nginx
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: internal-ingress-nginx
+subjects:
+- kind: ServiceAccount
+ name: internal-ingress-nginx
+ namespace: network
+
--- HelmRelease: network/internal-ingress-nginx Role: network/internal-ingress-nginx
+++ HelmRelease: network/internal-ingress-nginx Role: network/internal-ingress-nginx
@@ -0,0 +1,91 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ labels:
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/instance: internal-ingress-nginx
+ app.kubernetes.io/part-of: ingress-nginx
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/component: controller
+ name: internal-ingress-nginx
+ namespace: network
+rules:
+- apiGroups:
+ - ''
+ resources:
+ - namespaces
+ verbs:
+ - get
+- apiGroups:
+ - ''
+ resources:
+ - configmaps
+ - pods
+ - secrets
+ - endpoints
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - ''
+ resources:
+ - services
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - networking.k8s.io
+ resources:
+ - ingresses
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - networking.k8s.io
+ resources:
+ - ingresses/status
+ verbs:
+ - update
+- apiGroups:
+ - networking.k8s.io
+ resources:
+ - ingressclasses
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - coordination.k8s.io
+ resources:
+ - leases
+ resourceNames:
+ - internal-ingress-nginx-leader
+ verbs:
+ - get
+ - update
+- apiGroups:
+ - coordination.k8s.io
+ resources:
+ - leases
+ verbs:
+ - create
+- apiGroups:
+ - ''
+ resources:
+ - events
+ verbs:
+ - create
+ - patch
+- apiGroups:
+ - discovery.k8s.io
+ resources:
+ - endpointslices
+ verbs:
+ - list
+ - watch
+ - get
+
--- HelmRelease: network/internal-ingress-nginx RoleBinding: network/internal-ingress-nginx
+++ HelmRelease: network/internal-ingress-nginx RoleBinding: network/internal-ingress-nginx
@@ -0,0 +1,21 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ labels:
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/instance: internal-ingress-nginx
+ app.kubernetes.io/part-of: ingress-nginx
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/component: controller
+ name: internal-ingress-nginx
+ namespace: network
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: internal-ingress-nginx
+subjects:
+- kind: ServiceAccount
+ name: internal-ingress-nginx
+ namespace: network
+
--- HelmRelease: network/internal-ingress-nginx Service: network/internal-ingress-nginx-controller-metrics
+++ HelmRelease: network/internal-ingress-nginx Service: network/internal-ingress-nginx-controller-metrics
@@ -0,0 +1,24 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/instance: internal-ingress-nginx
+ app.kubernetes.io/part-of: ingress-nginx
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/component: controller
+ name: internal-ingress-nginx-controller-metrics
+ namespace: network
+spec:
+ type: ClusterIP
+ ports:
+ - name: metrics
+ port: 10254
+ protocol: TCP
+ targetPort: metrics
+ selector:
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/instance: internal-ingress-nginx
+ app.kubernetes.io/component: controller
+
--- HelmRelease: network/internal-ingress-nginx Service: network/internal-ingress-nginx-controller-admission
+++ HelmRelease: network/internal-ingress-nginx Service: network/internal-ingress-nginx-controller-admission
@@ -0,0 +1,24 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/instance: internal-ingress-nginx
+ app.kubernetes.io/part-of: ingress-nginx
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/component: controller
+ name: internal-ingress-nginx-controller-admission
+ namespace: network
+spec:
+ type: ClusterIP
+ ports:
+ - name: https-webhook
+ port: 443
+ targetPort: webhook
+ appProtocol: https
+ selector:
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/instance: internal-ingress-nginx
+ app.kubernetes.io/component: controller
+
--- HelmRelease: network/internal-ingress-nginx Service: network/internal-ingress-nginx-controller
+++ HelmRelease: network/internal-ingress-nginx Service: network/internal-ingress-nginx-controller
@@ -0,0 +1,37 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+ annotations:
+ external-dns.alpha.kubernetes.io/hostname: internal...PLACEHOLDER_SECRET_DOMAIN..
+ lbipam.cilium.io/ips: ..PLACEHOLDER_SVC_NGINX_INTERNAL..
+ labels:
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/instance: internal-ingress-nginx
+ app.kubernetes.io/part-of: ingress-nginx
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/component: controller
+ name: internal-ingress-nginx-controller
+ namespace: network
+spec:
+ type: LoadBalancer
+ externalTrafficPolicy: Cluster
+ ipFamilyPolicy: SingleStack
+ ipFamilies:
+ - IPv4
+ ports:
+ - name: http
+ port: 80
+ protocol: TCP
+ targetPort: http
+ appProtocol: http
+ - name: https
+ port: 443
+ protocol: TCP
+ targetPort: https
+ appProtocol: https
+ selector:
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/instance: internal-ingress-nginx
+ app.kubernetes.io/component: controller
+
--- HelmRelease: network/internal-ingress-nginx Deployment: network/internal-ingress-nginx-controller
+++ HelmRelease: network/internal-ingress-nginx Deployment: network/internal-ingress-nginx-controller
@@ -0,0 +1,137 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/instance: internal-ingress-nginx
+ app.kubernetes.io/part-of: ingress-nginx
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/component: controller
+ name: internal-ingress-nginx-controller
+ namespace: network
+spec:
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/instance: internal-ingress-nginx
+ app.kubernetes.io/component: controller
+ replicas: 2
+ revisionHistoryLimit: 10
+ minReadySeconds: 0
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/instance: internal-ingress-nginx
+ app.kubernetes.io/part-of: ingress-nginx
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/component: controller
+ spec:
+ dnsPolicy: ClusterFirst
+ containers:
+ - name: controller
+ image: registry.k8s.io/ingress-nginx/controller:v1.12.0@sha256:e6b8de175acda6ca913891f0f727bca4527e797d52688cbe9fec9040d6f6b6fa
+ imagePullPolicy: IfNotPresent
+ lifecycle:
+ preStop:
+ exec:
+ command:
+ - /wait-shutdown
+ args:
+ - /nginx-ingress-controller
+ - --election-id=internal-ingress-nginx-leader
+ - --controller-class=k8s.io/internal
+ - --ingress-class=nginx
+ - --configmap=$(POD_NAMESPACE)/internal-ingress-nginx-controller
+ - --validating-webhook=:8443
+ - --validating-webhook-certificate=/usr/local/certificates/cert
+ - --validating-webhook-key=/usr/local/certificates/key
+ - --enable-metrics=true
+ - --default-ssl-certificate=cert-manager/..PLACEHOLDER_SECRET_DOMAIN..-tls
+ - --publish-status-address=internal...PLACEHOLDER_SECRET_DOMAIN..
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: 101
+ runAsGroup: 82
+ allowPrivilegeEscalation: false
+ seccompProfile:
+ type: RuntimeDefault
+ capabilities:
+ drop:
+ - ALL
+ add:
+ - NET_BIND_SERVICE
+ readOnlyRootFilesystem: false
+ env:
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.name
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ - name: LD_PRELOAD
+ value: /usr/local/lib/libmimalloc.so
+ livenessProbe:
+ failureThreshold: 5
+ httpGet:
+ path: /healthz
+ port: 10254
+ scheme: HTTP
+ initialDelaySeconds: 10
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 1
+ readinessProbe:
+ failureThreshold: 3
+ httpGet:
+ path: /healthz
+ port: 10254
+ scheme: HTTP
+ initialDelaySeconds: 10
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 1
+ ports:
+ - name: http
+ containerPort: 80
+ protocol: TCP
+ - name: https
+ containerPort: 443
+ protocol: TCP
+ - name: metrics
+ containerPort: 10254
+ protocol: TCP
+ - name: webhook
+ containerPort: 8443
+ protocol: TCP
+ volumeMounts:
+ - name: webhook-cert
+ mountPath: /usr/local/certificates/
+ readOnly: true
+ resources:
+ limits:
+ memory: 500Mi
+ requests:
+ cpu: 100m
+ memory: 90Mi
+ nodeSelector:
+ kubernetes.io/os: linux
+ topologySpreadConstraints:
+ - labelSelector:
+ matchLabels:
+ app.kubernetes.io/component: controller
+ app.kubernetes.io/instance: internal-ingress-nginx
+ app.kubernetes.io/name: ingress-nginx
+ maxSkew: 1
+ topologyKey: kubernetes.io/hostname
+ whenUnsatisfiable: DoNotSchedule
+ serviceAccountName: internal-ingress-nginx
+ terminationGracePeriodSeconds: 120
+ volumes:
+ - name: webhook-cert
+ secret:
+ secretName: internal-ingress-nginx-admission
+
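Review bot: the same `--ingress-class=nginx` value as the external controller's Deployment earlier in this diff, while the IngressClass created by this release is named `internal`; pass `--ingress-class=internal` so an Ingress using the legacy `kubernetes.io/ingress.class` annotation is claimed by exactly one controller. The `--election-id=internal-ingress-nginx-leader` value does line up with the `resourceNames` entry in the controller Role above, so leader election is correctly scoped; it is only the class name that is shared.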
--- HelmRelease: network/internal-ingress-nginx IngressClass: network/internal
+++ HelmRelease: network/internal-ingress-nginx IngressClass: network/internal
@@ -0,0 +1,16 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: IngressClass
+metadata:
+ labels:
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/instance: internal-ingress-nginx
+ app.kubernetes.io/part-of: ingress-nginx
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/component: controller
+ name: internal
+ annotations:
+ ingressclass.kubernetes.io/is-default-class: 'true'
+spec:
+ controller: k8s.io/internal
+
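Review bot: marking `internal` with `ingressclass.kubernetes.io/is-default-class` is the safer of the two choices: an Ingress that omits `spec.ingressClassName` is assigned to the internal controller at admission time rather than being published on the external LoadBalancer. Two things to keep in mind: the default is only applied when the field is unset at creation, so Ingresses created before this change keep whatever class they had, and only one IngressClass in the cluster should carry this annotation or creation of class-less Ingresses is rejected.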
--- HelmRelease: network/internal-ingress-nginx ServiceMonitor: network/internal-ingress-nginx-controller
+++ HelmRelease: network/internal-ingress-nginx ServiceMonitor: network/internal-ingress-nginx-controller
@@ -0,0 +1,24 @@
+---
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+ name: internal-ingress-nginx-controller
+ namespace: network
+ labels:
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/instance: internal-ingress-nginx
+ app.kubernetes.io/part-of: ingress-nginx
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/component: controller
+spec:
+ namespaceSelector:
+ any: true
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/instance: internal-ingress-nginx
+ app.kubernetes.io/component: controller
+ endpoints:
+ - port: metrics
+ interval: 30s
+
--- HelmRelease: network/internal-ingress-nginx ValidatingWebhookConfiguration: network/internal-ingress-nginx-admission
+++ HelmRelease: network/internal-ingress-nginx ValidatingWebhookConfiguration: network/internal-ingress-nginx-admission
@@ -0,0 +1,41 @@
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+ labels:
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/instance: internal-ingress-nginx
+ app.kubernetes.io/part-of: ingress-nginx
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/component: admission-webhook
+ name: internal-ingress-nginx-admission
+webhooks:
+- name: validate.nginx.ingress.kubernetes.io
+ matchPolicy: Equivalent
+ rules:
+ - apiGroups:
+ - networking.k8s.io
+ apiVersions:
+ - v1
+ operations:
+ - CREATE
+ - UPDATE
+ resources:
+ - ingresses
+ failurePolicy: Fail
+ sideEffects: None
+ admissionReviewVersions:
+ - v1
+ clientConfig:
+ service:
+ name: internal-ingress-nginx-controller-admission
+ namespace: network
+ port: 443
+ path: /networking/v1/ingresses
+ objectSelector:
+ matchExpressions:
+ - key: ingress-class
+ operator: In
+ values:
+ - internal
+
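Review bot: as with the external webhook, the `objectSelector` keys on the label `ingress-class=internal`, which `spec.ingressClassName` does not set, so any Ingress without that label skips validation. This matters more for the internal controller because its IngressClass is the cluster default: an Ingress created with neither a class nor a label is routed here and will certainly lack the label, so the default path is the unvalidated one. Either enforce the label by policy or drop the `objectSelector` so every Ingress for this class passes through the admission check.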
--- HelmRelease: network/internal-ingress-nginx ServiceAccount: network/internal-ingress-nginx-admission
+++ HelmRelease: network/internal-ingress-nginx ServiceAccount: network/internal-ingress-nginx-admission
@@ -0,0 +1,17 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: internal-ingress-nginx-admission
+ namespace: network
+ annotations:
+ helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+ helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+ labels:
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/instance: internal-ingress-nginx
+ app.kubernetes.io/part-of: ingress-nginx
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/component: admission-webhook
+automountServiceAccountToken: true
+
--- HelmRelease: network/internal-ingress-nginx ClusterRole: network/internal-ingress-nginx-admission
+++ HelmRelease: network/internal-ingress-nginx ClusterRole: network/internal-ingress-nginx-admission
@@ -0,0 +1,23 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: internal-ingress-nginx-admission
+ annotations:
+ helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+ helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+ labels:
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/instance: internal-ingress-nginx
+ app.kubernetes.io/part-of: ingress-nginx
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/component: admission-webhook
+rules:
+- apiGroups:
+ - admissionregistration.k8s.io
+ resources:
+ - validatingwebhookconfigurations
+ verbs:
+ - get
+ - update
+
--- HelmRelease: network/internal-ingress-nginx ClusterRoleBinding: network/internal-ingress-nginx-admission
+++ HelmRelease: network/internal-ingress-nginx ClusterRoleBinding: network/internal-ingress-nginx-admission
@@ -0,0 +1,23 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: internal-ingress-nginx-admission
+ annotations:
+ helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+ helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+ labels:
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/instance: internal-ingress-nginx
+ app.kubernetes.io/part-of: ingress-nginx
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/component: admission-webhook
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: internal-ingress-nginx-admission
+subjects:
+- kind: ServiceAccount
+ name: internal-ingress-nginx-admission
+ namespace: network
+
--- HelmRelease: network/internal-ingress-nginx Role: network/internal-ingress-nginx-admission
+++ HelmRelease: network/internal-ingress-nginx Role: network/internal-ingress-nginx-admission
@@ -0,0 +1,24 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: internal-ingress-nginx-admission
+ namespace: network
+ annotations:
+ helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+ helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+ labels:
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/instance: internal-ingress-nginx
+ app.kubernetes.io/part-of: ingress-nginx
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/component: admission-webhook
+rules:
+- apiGroups:
+ - ''
+ resources:
+ - secrets
+ verbs:
+ - get
+ - create
+
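Review bot: `get` on `secrets` without `resourceNames` reads every Secret in `network`, not just `internal-ingress-nginx-admission`; `create` cannot be name-scoped in RBAC, but `get` can, so splitting this into a `create` rule and a `get` rule with `resourceNames: [internal-ingress-nginx-admission]` keeps the hook account from being a path to the other Secrets in the namespace. Note also that the rule grants no `update` or `patch`, so once the CA Secret exists the create Job cannot replace it even if it tried; rotating the webhook certificate means deleting the Secret before the next pre-upgrade hook.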
--- HelmRelease: network/internal-ingress-nginx RoleBinding: network/internal-ingress-nginx-admission
+++ HelmRelease: network/internal-ingress-nginx RoleBinding: network/internal-ingress-nginx-admission
@@ -0,0 +1,24 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: internal-ingress-nginx-admission
+ namespace: network
+ annotations:
+ helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+ helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+ labels:
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/instance: internal-ingress-nginx
+ app.kubernetes.io/part-of: ingress-nginx
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/component: admission-webhook
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: internal-ingress-nginx-admission
+subjects:
+- kind: ServiceAccount
+ name: internal-ingress-nginx-admission
+ namespace: network
+
--- HelmRelease: network/internal-ingress-nginx Job: network/internal-ingress-nginx-admission-create
+++ HelmRelease: network/internal-ingress-nginx Job: network/internal-ingress-nginx-admission-create
@@ -0,0 +1,56 @@
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: internal-ingress-nginx-admission-create
+ namespace: network
+ annotations:
+ helm.sh/hook: pre-install,pre-upgrade
+ helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+ labels:
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/instance: internal-ingress-nginx
+ app.kubernetes.io/part-of: ingress-nginx
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/component: admission-webhook
+spec:
+ template:
+ metadata:
+ name: internal-ingress-nginx-admission-create
+ labels:
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/instance: internal-ingress-nginx
+ app.kubernetes.io/part-of: ingress-nginx
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/component: admission-webhook
+ spec:
+ containers:
+ - name: create
+ image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.5.0@sha256:aaafd456bda110628b2d4ca6296f38731a3aaf0bf7581efae824a41c770a8fc4
+ imagePullPolicy: IfNotPresent
+ args:
+ - create
+ - --host=internal-ingress-nginx-controller-admission,internal-ingress-nginx-controller-admission.$(POD_NAMESPACE).svc
+ - --namespace=$(POD_NAMESPACE)
+ - --secret-name=internal-ingress-nginx-admission
+ env:
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ readOnlyRootFilesystem: true
+ runAsGroup: 65532
+ runAsNonRoot: true
+ runAsUser: 65532
+ seccompProfile:
+ type: RuntimeDefault
+ restartPolicy: OnFailure
+ serviceAccountName: internal-ingress-nginx-admission
+ nodeSelector:
+ kubernetes.io/os: linux
+
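Review bot: the `--host` list is the SAN set of the generated serving certificate and has to match how the API server dials the webhook; with a `clientConfig.service` reference that is `internal-ingress-nginx-controller-admission.network.svc`, which the second entry covers once `$(POD_NAMESPACE)` expands, so the pairing only holds while the admission Service keeps that exact name. The image is pinned by digest (`registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.5.0@sha256:aaafd456...`) and the container drops all capabilities, runs as 65532 on a read-only root filesystem under `RuntimeDefault` seccomp, which is the right posture for a job holding Secret-create rights; keep the digest in lockstep with the patch Job below so both hooks run the same binary.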
--- HelmRelease: network/internal-ingress-nginx Job: network/internal-ingress-nginx-admission-patch
+++ HelmRelease: network/internal-ingress-nginx Job: network/internal-ingress-nginx-admission-patch
@@ -0,0 +1,58 @@
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: internal-ingress-nginx-admission-patch
+ namespace: network
+ annotations:
+ helm.sh/hook: post-install,post-upgrade
+ helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+ labels:
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/instance: internal-ingress-nginx
+ app.kubernetes.io/part-of: ingress-nginx
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/component: admission-webhook
+spec:
+ template:
+ metadata:
+ name: internal-ingress-nginx-admission-patch
+ labels:
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/instance: internal-ingress-nginx
+ app.kubernetes.io/part-of: ingress-nginx
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/component: admission-webhook
+ spec:
+ containers:
+ - name: patch
+ image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.5.0@sha256:aaafd456bda110628b2d4ca6296f38731a3aaf0bf7581efae824a41c770a8fc4
+ imagePullPolicy: IfNotPresent
+ args:
+ - patch
+ - --webhook-name=internal-ingress-nginx-admission
+ - --namespace=$(POD_NAMESPACE)
+ - --patch-mutating=false
+ - --secret-name=internal-ingress-nginx-admission
+ - --patch-failure-policy=Fail
+ env:
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ readOnlyRootFilesystem: true
+ runAsGroup: 65532
+ runAsNonRoot: true
+ runAsUser: 65532
+ seccompProfile:
+ type: RuntimeDefault
+ restartPolicy: OnFailure
+ serviceAccountName: internal-ingress-nginx-admission
+ nodeSelector:
+ kubernetes.io/os: linux
+ |
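Review bot: `--patch-failure-policy=Fail` makes the webhook fail closed, so while `internal-ingress-nginx-controller-admission` is unreachable (during a controller rollout, for instance) the API server rejects every Ingress write that the ValidatingWebhookConfiguration `internal-ingress-nginx-admission` selects; if a second ingress-nginx release lives alongside this `internal` instance, check that the webhook configuration's rules and selectors are limited to this instance's IngressClass so one controller's outage cannot block Ingress changes for the other. `--patch-mutating=false` is consistent with only a validating configuration being patched, and the Job's security context matches the create Job above.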
joryirving added a commit that referenced this pull request on Jan 16, 2025:
* refactor: organize network namespace * fix: rename to make more sense