diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 623a0c91f7..7187bffafc 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -8,6 +8,8 @@ repos: exclude: ^notice/overrides.json - id: check-merge-conflict - id: check-yaml + exclude: > + (?x)^(cli/config/kubernetes.*)$ - id: check-xml - id: end-of-file-fixer exclude: > diff --git a/cli/config/kubernetes/README.md b/cli/config/kubernetes/README.md new file mode 100644 index 0000000000..3a8015930e --- /dev/null +++ b/cli/config/kubernetes/README.md @@ -0,0 +1,26 @@ +# K8s deployment for Elasticsearch, Kibana, and Fleet-Server + +## Requirements + +- docker +- kind (>= 0.10.0) +- kubectl (>= 1.17) + +## Deployment + +``` +kind create cluster +kubectl apply -k base +``` + +This will allow you to visit `http://localhost:5601` using username: `elastic` password: `changeme` to login + +## Local Ingress (Optional) + +If a local ingress is preferred, apply the following to setup nginx-ingress + +``` +kubectl apply -k overlays/local +``` + +This will allow you to reach the Kibana endpoint at `http://localhost` diff --git a/cli/config/kubernetes/base/elasticsearch/configmap.yaml b/cli/config/kubernetes/base/elasticsearch/configmap.yaml new file mode 100644 index 0000000000..98db4446cb --- /dev/null +++ b/cli/config/kubernetes/base/elasticsearch/configmap.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: elasticsearch-config +data: + ES_JAVA_OPTS: "-Xms1g -Xmx1g" + network.host: "" + transport.host: "127.0.0.1" + http.host: "0.0.0.0" + indices.id_field_data.enabled: 'true' + xpack.license.self_generated.type: "trial" + xpack.security.enabled: 'true' + xpack.security.authc.api_key.enabled: 'true' + ELASTIC_USERNAME: "elastic" + ELASTIC_PASSWORD: "changeme" diff --git a/cli/config/kubernetes/base/elasticsearch/deployment.yaml b/cli/config/kubernetes/base/elasticsearch/deployment.yaml new file mode 100644 index 0000000000..271cb0742c --- /dev/null +++ b/cli/config/kubernetes/base/elasticsearch/deployment.yaml @@ -0,0 +1,25 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: elasticsearch + labels: + app: elasticsearch +spec: + replicas: 1 + selector: + matchLabels: + app: elasticsearch + template: + metadata: + labels: + app: elasticsearch + spec: + containers: + - name: elasticsearch + image: docker.elastic.co/elasticsearch/elasticsearch:8.0.0-SNAPSHOT + envFrom: + - configMapRef: + name: elasticsearch-config + ports: + - containerPort: 9200 + name: client diff --git a/cli/config/kubernetes/base/elasticsearch/kustomization.yaml b/cli/config/kubernetes/base/elasticsearch/kustomization.yaml new file mode 100644 index 0000000000..81d586a3cd --- /dev/null +++ b/cli/config/kubernetes/base/elasticsearch/kustomization.yaml @@ -0,0 +1,4 @@ +resources: +- deployment.yaml +- service.yaml +- configmap.yaml diff --git a/cli/config/kubernetes/base/elasticsearch/service.yaml b/cli/config/kubernetes/base/elasticsearch/service.yaml new file mode 100644 index 0000000000..f43cdd3f74 --- /dev/null +++ b/cli/config/kubernetes/base/elasticsearch/service.yaml @@ -0,0 +1,13 @@ +apiVersion: v1 +kind: Service +metadata: + name: elasticsearch + labels: + service: elasticsearch +spec: + type: NodePort + ports: + - port: 9200 + name: client + selector: + app: elasticsearch diff --git a/cli/config/kubernetes/base/fleet-server/cluster-role-binding.yaml b/cli/config/kubernetes/base/fleet-server/cluster-role-binding.yaml new file mode 100644 index 0000000000..c0b3d25536 --- /dev/null +++ b/cli/config/kubernetes/base/fleet-server/cluster-role-binding.yaml @@ -0,0 +1,12 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: fleet-server-cluster-role-binding +subjects: +- kind: ServiceAccount + name: default + namespace: default +roleRef: + kind: ClusterRole + name: fleet-server-cluster-role + apiGroup: rbac.authorization.k8s.io diff --git a/cli/config/kubernetes/base/fleet-server/cluster-role.yaml b/cli/config/kubernetes/base/fleet-server/cluster-role.yaml new file mode 100644 index 0000000000..3e1bca2f3e --- /dev/null +++ b/cli/config/kubernetes/base/fleet-server/cluster-role.yaml @@ -0,0 +1,16 @@ +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: fleet-server-cluster-role + labels: + app: fleet-server +rules: +- apiGroups: [""] + resources: + - nodes + - namespaces + - events + - pods + - services + verbs: ["get", "list", "watch"] diff --git a/cli/config/kubernetes/base/fleet-server/deployment.yaml b/cli/config/kubernetes/base/fleet-server/deployment.yaml new file mode 100644 index 0000000000..94597ccd4a --- /dev/null +++ b/cli/config/kubernetes/base/fleet-server/deployment.yaml @@ -0,0 +1,32 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: fleet-server + labels: + app: fleet-server +spec: + replicas: 1 + selector: + matchLabels: + app: fleet-server + template: + metadata: + labels: + app: fleet-server + spec: + containers: + - name: fleet-server + image: docker.elastic.co/beats/elastic-agent:8.0.0-SNAPSHOT + env: + - name: FLEET_SERVER_ENABLE + value: "1" + - name: FLEET_SERVER_INSECURE_HTTP + value: "1" + - name: KIBANA_FLEET_SETUP + value: "1" + - name: KIBANA_FLEET_HOST + value: "http://kibana:5601" + - name: FLEET_SERVER_HOST + value: "0.0.0.0" + - name: FLEET_SERVER_PORT + value: "8220" diff --git a/cli/config/kubernetes/base/fleet-server/kustomization.yaml b/cli/config/kubernetes/base/fleet-server/kustomization.yaml new file mode 100644 index 0000000000..f4208b1288 --- /dev/null +++ b/cli/config/kubernetes/base/fleet-server/kustomization.yaml @@ -0,0 +1,7 @@ +resources: +- deployment.yaml +- service.yaml +- role.yaml +- role-binding.yaml +- cluster-role.yaml +- cluster-role-binding.yaml diff --git a/cli/config/kubernetes/base/fleet-server/role-binding.yaml b/cli/config/kubernetes/base/fleet-server/role-binding.yaml new file mode 100644 index 0000000000..f0b6586e63 --- /dev/null +++ b/cli/config/kubernetes/base/fleet-server/role-binding.yaml @@ -0,0 +1,12 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: fleet-server-role-binding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: fleet-server-role +subjects: +- kind: ServiceAccount + name: default + namespace: default diff --git a/cli/config/kubernetes/base/fleet-server/role.yaml b/cli/config/kubernetes/base/fleet-server/role.yaml new file mode 100644 index 0000000000..540e200627 --- /dev/null +++ b/cli/config/kubernetes/base/fleet-server/role.yaml @@ -0,0 +1,14 @@ +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: fleet-server-role + namespace: default + labels: + app: fleet-server +rules: + - apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: ["get", "create", "update", "list", "watch", "update", "patch", "delete"] diff --git a/cli/config/kubernetes/base/fleet-server/service.yaml b/cli/config/kubernetes/base/fleet-server/service.yaml new file mode 100644 index 0000000000..ddbf6f8e90 --- /dev/null +++ b/cli/config/kubernetes/base/fleet-server/service.yaml @@ -0,0 +1,13 @@ +apiVersion: v1 +kind: Service +metadata: + name: fleet-server + labels: + service: fleet-server +spec: + type: NodePort + selector: + app: fleet-server + ports: + - port: 8220 + name: http diff --git a/cli/config/kubernetes/base/kibana/configmap.yaml b/cli/config/kubernetes/base/kibana/configmap.yaml new file mode 100644 index 0000000000..34576b6eab --- /dev/null +++ b/cli/config/kubernetes/base/kibana/configmap.yaml @@ -0,0 +1,24 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: kibana +data: + kibana.yml: |- + --- + server.name: kibana + server.host: "0.0.0.0" + + elasticsearch.hosts: [ "http://elasticsearch:9200" ] + elasticsearch.username: elastic + elasticsearch.password: changeme + monitoring.ui.container.elasticsearch.enabled: true + + xpack.encryptedSavedObjects.encryptionKey: "12345678901234567890123456789012" + + xpack.fleet.enabled: true + xpack.fleet.registryUrl: http://package-registry:8080 + xpack.fleet.agents.enabled: true + xpack.fleet.agents.elasticsearch.host: http://elasticsearch:9200 + xpack.fleet.agents.fleet_server.hosts: ["http://fleet-server:8220"] + xpack.fleet.agents.kibana.host: "http://kibana:5601" + xpack.fleet.agents.tlsCheckDisabled: true diff --git a/cli/config/kubernetes/base/kibana/deployment.yaml b/cli/config/kubernetes/base/kibana/deployment.yaml new file mode 100644 index 0000000000..abbdc1c606 --- /dev/null +++ b/cli/config/kubernetes/base/kibana/deployment.yaml @@ -0,0 +1,48 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: kibana + labels: + app: kibana +spec: + replicas: 1 + selector: + matchLabels: + app: kibana + template: + metadata: + labels: + app: kibana + spec: + containers: + - name: kibana + image: docker.elastic.co/kibana/kibana:8.0.0-SNAPSHOT + env: + - name: ELASTICSEARCH_URL + value: http://elasticsearch:9200 + - name: ELASTICSEARCH_USERNAME + value: elastic + - name: ELASTICSEARCH_PASSWORD + value: changeme + ports: + - containerPort: 5601 + hostPort: 5601 + name: http + livenessProbe: + tcpSocket: + port: http + initialDelaySeconds: 15 + periodSeconds: 20 + readinessProbe: + tcpSocket: + port: http + initialDelaySeconds: 15 + periodSeconds: 20 + volumeMounts: + - mountPath: /usr/share/kibana/config/kibana.yml + name: config + subPath: kibana.yml + volumes: + - name: config + configMap: + name: kibana diff --git a/cli/config/kubernetes/base/kibana/kustomization.yaml b/cli/config/kubernetes/base/kibana/kustomization.yaml new file mode 100644 index 0000000000..81d586a3cd --- /dev/null +++ b/cli/config/kubernetes/base/kibana/kustomization.yaml @@ -0,0 +1,4 @@ +resources: +- deployment.yaml +- service.yaml +- configmap.yaml diff --git a/cli/config/kubernetes/base/kibana/service.yaml b/cli/config/kubernetes/base/kibana/service.yaml new file mode 100644 index 0000000000..2ed79c4a29 --- /dev/null +++ b/cli/config/kubernetes/base/kibana/service.yaml @@ -0,0 +1,13 @@ +apiVersion: v1 +kind: Service +metadata: + name: kibana + labels: + service: kibana +spec: + type: NodePort + ports: + - port: 5601 + name: http + selector: + app: kibana diff --git a/cli/config/kubernetes/base/kustomization.yaml b/cli/config/kubernetes/base/kustomization.yaml new file mode 100644 index 0000000000..09b83ef350 --- /dev/null +++ b/cli/config/kubernetes/base/kustomization.yaml @@ -0,0 +1,10 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +namespace: default +commonLabels: + env: test +bases: +- ./elasticsearch +- ./kibana +- ./package-registry +- ./fleet-server diff --git a/cli/config/kubernetes/base/package-registry/deployment.yaml b/cli/config/kubernetes/base/package-registry/deployment.yaml new file mode 100644 index 0000000000..6dae9547a0 --- /dev/null +++ b/cli/config/kubernetes/base/package-registry/deployment.yaml @@ -0,0 +1,24 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: package-registry + labels: + app: package-registry +spec: + replicas: 1 + selector: + matchLabels: + app: package-registry + template: + metadata: + labels: + app: package-registry + spec: + containers: + - name: package-registry + image: docker.elastic.co/package-registry/distribution:staging + livenessProbe: + tcpSocket: + port: 8080 + initialDelaySeconds: 15 + periodSeconds: 20 diff --git a/cli/config/kubernetes/base/package-registry/kustomization.yaml b/cli/config/kubernetes/base/package-registry/kustomization.yaml new file mode 100644 index 0000000000..a944d005ca --- /dev/null +++ b/cli/config/kubernetes/base/package-registry/kustomization.yaml @@ -0,0 +1,3 @@ +resources: +- deployment.yaml +- service.yaml diff --git a/cli/config/kubernetes/base/package-registry/service.yaml b/cli/config/kubernetes/base/package-registry/service.yaml new file mode 100644 index 0000000000..4d7d293c9e --- /dev/null +++ b/cli/config/kubernetes/base/package-registry/service.yaml @@ -0,0 +1,13 @@ +apiVersion: v1 +kind: Service +metadata: + name: package-registry + labels: + service: package-registry +spec: + type: NodePort + ports: + - port: 8080 + name: package-registry + selector: + app: package-registry diff --git a/cli/config/kubernetes/kind.yaml b/cli/config/kubernetes/kind.yaml new file mode 100644 index 0000000000..32f50aba9a --- /dev/null +++ b/cli/config/kubernetes/kind.yaml @@ -0,0 +1,26 @@ +kind: Cluster +apiVersion: kind.x-k8s.io/v1alpha4 +nodes: +- role: control-plane + kubeadmConfigPatches: + - | + kind: InitConfiguration + nodeRegistration: + kubeletExtraArgs: + node-labels: "ingress-ready=true" + extraPortMappings: + - containerPort: 80 + hostPort: 80 + protocol: TCP + - containerPort: 443 + hostPort: 443 + protocol: TCP + - containerPort: 5601 + hostPort: 5601 + protocol: TCP + - containerPort: 9200 + hostPort: 9200 + protocol: TCP + - containerPort: 8220 + hostPort: 8220 + protocol: TCP diff --git a/cli/config/kubernetes/overlays/local/ingress.yaml b/cli/config/kubernetes/overlays/local/ingress.yaml new file mode 100644 index 0000000000..d894baf0aa --- /dev/null +++ b/cli/config/kubernetes/overlays/local/ingress.yaml @@ -0,0 +1,12 @@ +apiVersion: networking.k8s.io/v1beta1 +kind: Ingress +metadata: + name: kibana-ingress +spec: + rules: + - http: + paths: + - path: / + backend: + serviceName: kibana + servicePort: 5601 diff --git a/cli/config/kubernetes/overlays/local/kustomization.yaml b/cli/config/kubernetes/overlays/local/kustomization.yaml new file mode 100644 index 0000000000..3722f06af4 --- /dev/null +++ b/cli/config/kubernetes/overlays/local/kustomization.yaml @@ -0,0 +1,6 @@ +bases: + - ../../base + +resources: + - ./ingress.yaml + - ./nginx-ingress.yaml diff --git a/cli/config/kubernetes/overlays/local/nginx-ingress.yaml b/cli/config/kubernetes/overlays/local/nginx-ingress.yaml new file mode 100644 index 0000000000..4a242567a9 --- /dev/null +++ b/cli/config/kubernetes/overlays/local/nginx-ingress.yaml @@ -0,0 +1,657 @@ + +apiVersion: v1 +kind: Namespace +metadata: + name: ingress-nginx + labels: + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/instance: ingress-nginx + +--- +# Source: ingress-nginx/templates/controller-serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + helm.sh/chart: ingress-nginx-3.27.0 + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/version: 0.45.0 + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: controller + name: ingress-nginx + namespace: ingress-nginx +automountServiceAccountToken: true +--- +# Source: ingress-nginx/templates/controller-configmap.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + labels: + helm.sh/chart: ingress-nginx-3.27.0 + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/version: 0.45.0 + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: controller + name: ingress-nginx-controller + namespace: ingress-nginx +data: +--- +# Source: ingress-nginx/templates/clusterrole.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + helm.sh/chart: ingress-nginx-3.27.0 + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/version: 0.45.0 + app.kubernetes.io/managed-by: Helm + name: ingress-nginx +rules: + - apiGroups: + - '' + resources: + - configmaps + - endpoints + - nodes + - pods + - secrets + verbs: + - list + - watch + - apiGroups: + - '' + resources: + - nodes + verbs: + - get + - apiGroups: + - '' + resources: + - services + verbs: + - get + - list + - watch + - apiGroups: + - extensions + - networking.k8s.io # k8s 1.14+ + resources: + - ingresses + verbs: + - get + - list + - watch + - apiGroups: + - '' + resources: + - events + verbs: + - create + - patch + - apiGroups: + - extensions + - networking.k8s.io # k8s 1.14+ + resources: + - ingresses/status + verbs: + - update + - apiGroups: + - networking.k8s.io # k8s 1.14+ + resources: + - ingressclasses + verbs: + - get + - list + - watch +--- +# Source: ingress-nginx/templates/clusterrolebinding.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + helm.sh/chart: ingress-nginx-3.27.0 + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/version: 0.45.0 + app.kubernetes.io/managed-by: Helm + name: ingress-nginx +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: ingress-nginx +subjects: + - kind: ServiceAccount + name: ingress-nginx + namespace: ingress-nginx +--- +# Source: ingress-nginx/templates/controller-role.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + labels: + helm.sh/chart: ingress-nginx-3.27.0 + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/version: 0.45.0 + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: controller + name: ingress-nginx + namespace: ingress-nginx +rules: + - apiGroups: + - '' + resources: + - namespaces + verbs: + - get + - apiGroups: + - '' + resources: + - configmaps + - pods + - secrets + - endpoints + verbs: + - get + - list + - watch + - apiGroups: + - '' + resources: + - services + verbs: + - get + - list + - watch + - apiGroups: + - extensions + - networking.k8s.io # k8s 1.14+ + resources: + - ingresses + verbs: + - get + - list + - watch + - apiGroups: + - extensions + - networking.k8s.io # k8s 1.14+ + resources: + - ingresses/status + verbs: + - update + - apiGroups: + - networking.k8s.io # k8s 1.14+ + resources: + - ingressclasses + verbs: + - get + - list + - watch + - apiGroups: + - '' + resources: + - configmaps + resourceNames: + - ingress-controller-leader-nginx + verbs: + - get + - update + - apiGroups: + - '' + resources: + - configmaps + verbs: + - create + - apiGroups: + - '' + resources: + - events + verbs: + - create + - patch +--- +# Source: ingress-nginx/templates/controller-rolebinding.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + helm.sh/chart: ingress-nginx-3.27.0 + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/version: 0.45.0 + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: controller + name: ingress-nginx + namespace: ingress-nginx +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: ingress-nginx +subjects: + - kind: ServiceAccount + name: ingress-nginx + namespace: ingress-nginx +--- +# Source: ingress-nginx/templates/controller-service-webhook.yaml +apiVersion: v1 +kind: Service +metadata: + labels: + helm.sh/chart: ingress-nginx-3.27.0 + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/version: 0.45.0 + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: controller + name: ingress-nginx-controller-admission + namespace: ingress-nginx +spec: + type: ClusterIP + ports: + - name: https-webhook + port: 443 + targetPort: webhook + selector: + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/component: controller +--- +# Source: ingress-nginx/templates/controller-service.yaml +apiVersion: v1 +kind: Service +metadata: + annotations: + labels: + helm.sh/chart: ingress-nginx-3.27.0 + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/version: 0.45.0 + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: controller + name: ingress-nginx-controller + namespace: ingress-nginx +spec: + type: NodePort + ports: + - name: http + port: 80 + protocol: TCP + targetPort: http + - name: https + port: 443 + protocol: TCP + targetPort: https + selector: + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/component: controller +--- +# Source: ingress-nginx/templates/controller-deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + helm.sh/chart: ingress-nginx-3.27.0 + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/version: 0.45.0 + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: controller + name: ingress-nginx-controller + namespace: ingress-nginx +spec: + selector: + matchLabels: + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/component: controller + revisionHistoryLimit: 10 + strategy: + rollingUpdate: + maxUnavailable: 1 + type: RollingUpdate + minReadySeconds: 0 + template: + metadata: + labels: + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/component: controller + spec: + dnsPolicy: ClusterFirst + containers: + - name: controller + image: k8s.gcr.io/ingress-nginx/controller:v0.45.0@sha256:c4390c53f348c3bd4e60a5dd6a11c35799ae78c49388090140b9d72ccede1755 + imagePullPolicy: IfNotPresent + lifecycle: + preStop: + exec: + command: + - /wait-shutdown + args: + - /nginx-ingress-controller + - --election-id=ingress-controller-leader + - --ingress-class=nginx + - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller + - --validating-webhook=:8443 + - --validating-webhook-certificate=/usr/local/certificates/cert + - --validating-webhook-key=/usr/local/certificates/key + - --publish-status-address=localhost + env: + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: LD_PRELOAD + value: /usr/local/lib/libmimalloc.so + livenessProbe: + httpGet: + path: /healthz + port: 10254 + scheme: HTTP + initialDelaySeconds: 10 + periodSeconds: 10 + timeoutSeconds: 1 + successThreshold: 1 + failureThreshold: 5 + readinessProbe: + httpGet: + path: /healthz + port: 10254 + scheme: HTTP + initialDelaySeconds: 10 + periodSeconds: 10 + timeoutSeconds: 1 + successThreshold: 1 + failureThreshold: 3 + ports: + - name: http + containerPort: 80 + protocol: TCP + hostPort: 80 + - name: https + containerPort: 443 + protocol: TCP + hostPort: 443 + - name: webhook + containerPort: 8443 + protocol: TCP + volumeMounts: + - name: webhook-cert + mountPath: /usr/local/certificates/ + readOnly: true + resources: + requests: + cpu: 100m + memory: 90Mi + nodeSelector: + ingress-ready: 'true' + kubernetes.io/os: linux + tolerations: + - effect: NoSchedule + key: node-role.kubernetes.io/master + operator: Equal + serviceAccountName: ingress-nginx + terminationGracePeriodSeconds: 0 + volumes: + - name: webhook-cert + secret: + secretName: ingress-nginx-admission +--- +# Source: ingress-nginx/templates/admission-webhooks/validating-webhook.yaml +# before changing this value, check the required kubernetes version +# https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#prerequisites +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + labels: + helm.sh/chart: ingress-nginx-3.27.0 + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/version: 0.45.0 + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: admission-webhook + name: ingress-nginx-admission +webhooks: + - name: validate.nginx.ingress.kubernetes.io + matchPolicy: Equivalent + rules: + - apiGroups: + - networking.k8s.io + apiVersions: + - v1beta1 + operations: + - CREATE + - UPDATE + resources: + - ingresses + failurePolicy: Fail + sideEffects: None + admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + namespace: ingress-nginx + name: ingress-nginx-controller-admission + path: /networking/v1beta1/ingresses +--- +# Source: ingress-nginx/templates/admission-webhooks/job-patch/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: ingress-nginx-admission + annotations: + helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade + helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded + labels: + helm.sh/chart: ingress-nginx-3.27.0 + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/version: 0.45.0 + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: admission-webhook + namespace: ingress-nginx +--- +# Source: ingress-nginx/templates/admission-webhooks/job-patch/clusterrole.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: ingress-nginx-admission + annotations: + helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade + helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded + labels: + helm.sh/chart: ingress-nginx-3.27.0 + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/version: 0.45.0 + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: admission-webhook +rules: + - apiGroups: + - admissionregistration.k8s.io + resources: + - validatingwebhookconfigurations + verbs: + - get + - update +--- +# Source: ingress-nginx/templates/admission-webhooks/job-patch/clusterrolebinding.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: ingress-nginx-admission + annotations: + helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade + helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded + labels: + helm.sh/chart: ingress-nginx-3.27.0 + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/version: 0.45.0 + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: admission-webhook +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: ingress-nginx-admission +subjects: + - kind: ServiceAccount + name: ingress-nginx-admission + namespace: ingress-nginx +--- +# Source: ingress-nginx/templates/admission-webhooks/job-patch/role.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: ingress-nginx-admission + annotations: + helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade + helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded + labels: + helm.sh/chart: ingress-nginx-3.27.0 + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/version: 0.45.0 + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: admission-webhook + namespace: ingress-nginx +rules: + - apiGroups: + - '' + resources: + - secrets + verbs: + - get + - create +--- +# Source: ingress-nginx/templates/admission-webhooks/job-patch/rolebinding.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: ingress-nginx-admission + annotations: + helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade + helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded + labels: + helm.sh/chart: ingress-nginx-3.27.0 + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/version: 0.45.0 + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: admission-webhook + namespace: ingress-nginx +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: ingress-nginx-admission +subjects: + - kind: ServiceAccount + name: ingress-nginx-admission + namespace: ingress-nginx +--- +# Source: ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml +apiVersion: batch/v1 +kind: Job +metadata: + name: ingress-nginx-admission-create + annotations: + helm.sh/hook: pre-install,pre-upgrade + helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded + labels: + helm.sh/chart: ingress-nginx-3.27.0 + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/version: 0.45.0 + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: admission-webhook + namespace: ingress-nginx +spec: + template: + metadata: + name: ingress-nginx-admission-create + labels: + helm.sh/chart: ingress-nginx-3.27.0 + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/version: 0.45.0 + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: admission-webhook + spec: + containers: + - name: create + image: docker.io/jettech/kube-webhook-certgen:v1.5.1 + imagePullPolicy: IfNotPresent + args: + - create + - --host=ingress-nginx-controller-admission,ingress-nginx-controller-admission.$(POD_NAMESPACE).svc + - --namespace=$(POD_NAMESPACE) + - --secret-name=ingress-nginx-admission + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + restartPolicy: OnFailure + serviceAccountName: ingress-nginx-admission + securityContext: + runAsNonRoot: true + runAsUser: 2000 +--- +# Source: ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml +apiVersion: batch/v1 +kind: Job +metadata: + name: ingress-nginx-admission-patch + annotations: + helm.sh/hook: post-install,post-upgrade + helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded + labels: + helm.sh/chart: ingress-nginx-3.27.0 + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/version: 0.45.0 + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: admission-webhook + namespace: ingress-nginx +spec: + template: + metadata: + name: ingress-nginx-admission-patch + labels: + helm.sh/chart: ingress-nginx-3.27.0 + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/version: 0.45.0 + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: admission-webhook + spec: + containers: + - name: patch + image: docker.io/jettech/kube-webhook-certgen:v1.5.1 + imagePullPolicy: IfNotPresent + args: + - patch + - --webhook-name=ingress-nginx-admission + - --namespace=$(POD_NAMESPACE) + - --patch-mutating=false + - --secret-name=ingress-nginx-admission + - --patch-failure-policy=Fail + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + restartPolicy: OnFailure + serviceAccountName: ingress-nginx-admission + securityContext: + runAsNonRoot: true + runAsUser: 2000