Merge pull request #183 from aenix-io/tenant-nginx-ingress

Managed tenant nginx ingress controller
This commit is contained in:
Marian Koreniuk
2024-06-25 17:32:31 +02:00
committed by GitHub
15 changed files with 204 additions and 263 deletions


@@ -16,7 +16,7 @@ type: application
# This is the chart version. This version number should be incremented each time you make changes
# to the chart and its templates, including the app version.
# Versions are expected to follow Semantic Versioning (https://semver.org/)
version: 0.4.0
version: 0.5.0
# This is the version number of the application being deployed. This version number should be
# incremented each time you make changes to the application. Versions are not expected to


@@ -31,8 +31,11 @@ kubectl get secret -n <namespace> kubernetes-<clusterName>-admin-kubeconfig -o g
### Common parameters
| Name | Description | Value |
| ----------------------- | -------------------------------------------------------------------------------------------------------------------------------------- | ----- |
| `host` | The hostname used to access the Kubernetes cluster externally (defaults to using the cluster name as a subdomain for the tenant host). | `""` |
| `controlPlane.replicas` | Number of replicas for Kubernetes contorl-plane components | `2` |
| `nodeGroups` | nodeGroups configuration | `{}` |
| Name | Description | Value |
| ----------------------------- | -------------------------------------------------------------------------------------------------------------------------------------- | ------------- |
| `host` | The hostname used to access the Kubernetes cluster externally (defaults to using the cluster name as a subdomain for the tenant host). | `""` |
| `controlPlane.replicas` | Number of replicas for Kubernetes contorl-plane components | `2` |
| `nodeGroups` | nodeGroups configuration | `{}` |
| `addons.certManager.enabled` | Enables the certificate manager which automatically creates and manages SSL/TLS certificates | `true` |
| `addons.ingressNginx.enabled` | Enables Ingress-NGINX Controller on nodes with 'ingress-nginx' role | `true` |
| `addons.ingressNginx.host` | The domain name that should be passtrough to the cluster by upper ingress. | `example.org` |


@@ -114,6 +114,10 @@ spec:
virtualMachineTemplate:
metadata:
namespace: {{ $.Release.Namespace }}
labels:
{{- range $group.roles }}
node-role.kubernetes.io/{{ . }}: ""
{{- end }}
spec:
runStrategy: Always
template:
@@ -165,6 +169,11 @@ metadata:
spec:
clusterName: {{ $.Release.Name }}
template:
metadata:
labels:
{{- range $group.roles }}
node-role.kubernetes.io/{{ . }}: ""
{{- end }}
spec:
bootstrap:
configRef:
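Review bot: The role name is spliced unquoted into a label key at `node-role.kubernetes.io/{{ . }}: ""` in both hunks, so a `nodeGroups.*.roles` entry containing a space, colon or any other character that is not valid in a label key either breaks YAML parsing of the rendered template or produces an object the API server rejects, and nothing in this change constrains the role values. A guard such as `{{- if not (regexMatch "^[a-z0-9]([-a-z0-9.]*[a-z0-9])?$" .) }}{{ fail (printf "invalid node role %q" .) }}{{- end }}` before the label line, or an equivalent `pattern` on `roles` in values.schema.json, would fail at install time instead. Note also that the new ingress-nginx HelmRelease's `nodeSelector` depends on this `node-role.kubernetes.io/*` label reaching the Node object; kubelets are barred from setting that prefix themselves, so this presumably relies on the Cluster API version in use syncing it from Machine to Node — worth confirming and recording in a comment next to the label. The enclosing `spec:` blocks start and end outside both hunks.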


@@ -0,0 +1,34 @@
{{- if .Values.addons.certManager.enabled }}
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: {{ .Release.Name }}-cert-manager
labels:
cozystack.io/repository: system
coztstack.io/target-cluster-name: {{ .Release.Name }}
spec:
interval: 1m
releaseName: cert-mnager
chart:
spec:
chart: cozy-cert-manager
reconcileStrategy: Revision
sourceRef:
kind: HelmRepository
name: cozystack-system
namespace: cozy-system
kubeConfig:
secretRef:
name: {{ .Release.Name }}-kubeconfig
targetNamespace: cozy-cert-manager
storageNamespace: cozy-cert-manager
install:
createNamespace: true
dependsOn:
{{- if lookup "helm.toolkit.fluxcd.io/v2" "HelmRelease" .Release.Namespace .Release.Name }}
- name: {{ .Release.Name }}
namespace: {{ .Release.Namespace }}
{{- end }}
- name: {{ .Release.Name }}-cilium
namespace: {{ .Release.Namespace }}
{{- end }}
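Review bot: `releaseName: cert-mnager` misspells the Helm release name that will be installed into the tenant cluster, and the label key `coztstack.io/target-cluster-name` does not match the `cozystack.io/` prefix used on the line above it, so any selector on `cozystack.io/target-cluster-name` will not find this HelmRelease; both read as typos, i.e. `releaseName: cert-manager` and `cozystack.io/target-cluster-name: {{ .Release.Name }}`. Because this release is applied through the admin kubeconfig in `{{ .Release.Name }}-kubeconfig`, the misspelled name is what operators will see in `helm list` inside every tenant cluster created with 0.5.0, and renaming a Helm release later means an uninstall/reinstall, so it is cheaper to fix before this version ships.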


@@ -44,5 +44,7 @@ spec:
enableIPv4Masquerade: true
ipv4NativeRoutingCIDR: ""
dependsOn:
{{- if lookup "helm.toolkit.fluxcd.io/v2" "HelmRelease" .Release.Namespace .Release.Name }}
- name: {{ .Release.Name }}
namespace: {{ .Release.Namespace }}
{{- end }}
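Review bot: The new `dependsOn` entry is gated on `lookup`, which returns nothing under `helm template`, `--dry-run` and in CI render checks, so the rendered HelmRelease differs between a dry run and a real reconcile, and a parent HelmRelease that is missing or named differently makes the dependency vanish silently instead of failing. If the intent is that addon releases never reconcile before the parent `{{ .Release.Name }}` HelmRelease is Ready, a comment stating that and why the guard is needed would help the next reader, e.g. `# Depend on the parent HelmRelease only when it exists: lookup returns nothing under helm template/dry-run, and the dependency must not block first install.` The identical guarded block is repeated in the csi, cert-manager and ingress-nginx HelmReleases, so a shared named template would keep the four copies from drifting.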


@@ -24,5 +24,7 @@ spec:
install:
createNamespace: true
dependsOn:
{{- if lookup "helm.toolkit.fluxcd.io/v2" "HelmRelease" .Release.Namespace .Release.Name }}
- name: {{ .Release.Name }}
namespace: {{ .Release.Namespace }}
{{- end }}


@@ -22,15 +22,18 @@ spec:
- name: kubectl
image: docker.io/clastix/kubectl:v1.29.1
command:
- kubectl
- --namespace={{ .Release.Namespace }}
- patch
- helmrelease
- {{ .Release.Name }}-cilium
- {{ .Release.Name }}-csi
- -p
- '{"spec": {"suspend": true}}'
- --type=merge
- /bin/sh
- -c
- |
kubectl
--namespace={{ .Release.Namespace }}
patch
helmrelease
{{ .Release.Name }}-cilium
{{ .Release.Name }}-csi
{{ .Release.Name }}-cert-manager
-p '{"spec": {"suspend": true}}'
--type=merge --field-manager=flux-client-side-apply || true
---
apiVersion: v1
kind: ServiceAccount
@@ -60,6 +63,7 @@ rules:
resourceNames:
- {{ .Release.Name }}-cilium
- {{ .Release.Name }}-csi
- {{ .Release.Name }}-cert-manager
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
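Review bot: The suspend list in the hook command and the Role's `resourceNames` both gain `{{ .Release.Name }}-cert-manager` but not `{{ .Release.Name }}-ingress-nginx`, which this same change introduces as a HelmRelease, so on cluster removal Flux keeps reconciling the ingress-nginx release against the tenant cluster being torn down; `{{ .Release.Name }}-ingress-nginx` belongs in both lists. The appended `|| true` also hides every failure of the patch, including an RBAC denial or an unreachable API server, so the job (presumably a delete hook — its annotations are outside the hunk) reports success even when nothing was suspended. Since the only legitimate failure is a HelmRelease that was never created because its addon is disabled, rendering those names conditionally lets the `|| true` go and keeps the job's exit status meaningful; the same `{{- if }}` guards apply to the `resourceNames` entries.
```yaml
          - |
            kubectl
            --namespace={{ .Release.Namespace }}
            patch
            helmrelease
            {{ .Release.Name }}-cilium
            {{ .Release.Name }}-csi
            {{- if .Values.addons.certManager.enabled }}
            {{ .Release.Name }}-cert-manager
            {{- end }}
            {{- if .Values.addons.ingressNginx.enabled }}
            {{ .Release.Name }}-ingress-nginx
            {{- end }}
            -p '{"spec": {"suspend": true}}'
            --type=merge --field-manager=flux-client-side-apply
# … unchanged: ServiceAccount, Role rules (add the same guarded names under resourceNames), RoleBinding …
```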


@@ -0,0 +1,44 @@
{{- if .Values.addons.ingressNginx.enabled }}
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: {{ .Release.Name }}-ingress-nginx
labels:
cozystack.io/repository: system
coztstack.io/target-cluster-name: {{ .Release.Name }}
spec:
interval: 1m
releaseName: cert-mnager
chart:
spec:
chart: cozy-ingress-nginx
reconcileStrategy: Revision
sourceRef:
kind: HelmRepository
name: cozystack-system
namespace: cozy-system
kubeConfig:
secretRef:
name: {{ .Release.Name }}-kubeconfig
targetNamespace: cozy-ingress-nginx
storageNamespace: cozy-ingress-nginx
install:
createNamespace: true
values:
ingress-nginx:
fullnameOverride: ingress-nginx
controller:
kind: DaemonSet
hostNetwork: true
service:
enabled: false
nodeSelector:
node-role.kubernetes.io/ingress-nginx: ""
dependsOn:
{{- if lookup "helm.toolkit.fluxcd.io/v2" "HelmRelease" .Release.Namespace .Release.Name }}
- name: {{ .Release.Name }}
namespace: {{ .Release.Namespace }}
{{- end }}
- name: {{ .Release.Name }}-cilium
namespace: {{ .Release.Namespace }}
{{- end }}
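Review bot: `releaseName: cert-mnager` was carried over from the cert-manager HelmRelease, so the Helm release installed into `cozy-ingress-nginx` will be named `cert-mnager`; it should be `releaseName: ingress-nginx`, and the label key `coztstack.io/target-cluster-name` has the same prefix typo as in the cert-manager file. Two settings the `values:` block leaves at the vendored chart's defaults deserve a check: with `hostNetwork: true` the controller keeps the chart's default `dnsPolicy` (upstream's values file, as I recall it, says to set `controller.dnsPolicy: ClusterFirstWithHostNet` in that case, otherwise in-cluster names do not resolve from the host network namespace), and with `service.enabled: false` the controller's default `--publish-service` argument would point at a Service that is never created unless `controller.publishService.enabled: false` is set as well. This pull request also deletes a 243-line `controller-daemonset.yaml` template; if that file belonged to the vendored cozy-ingress-nginx chart rather than being a stray copy, `kind: DaemonSet` here renders no controller at all, so please confirm where it came from before merging.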


@@ -0,0 +1,43 @@
{{- $myNS := lookup "v1" "Namespace" "" .Release.Namespace }}
{{- $ingress := index $myNS.metadata.annotations "namespace.cozystack.io/ingress" }}
{{- if .Values.addons.ingressNginx.enabled }}
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: {{ .Release.Name }}-ingress-nginx
annotations:
nginx.ingress.kubernetes.io/ssl-redirect: "false"
nginx.ingress.kubernetes.io/ssl-passthrough: "true"
spec:
ingressClassName: "{{ $ingress }}"
rules:
- host: {{ .Values.addons.ingressNginx.host | quote }}
http:
paths:
- path: /
pathType: ImplementationSpecific
backend:
service:
name: {{ .Release.Name }}-ingress-nginx
port:
number: 443
---
apiVersion: v1
kind: Service
metadata:
name: {{ .Release.Name }}-ingress-nginx
spec:
ports:
- appProtocol: http
name: http
port: 80
targetPort: 80
- appProtocol: https
name: https
port: 443
targetPort: 443
selector:
cluster.x-k8s.io/cluster-name: {{ .Release.Name }}
node-role.kubernetes.io/ingress-nginx: ""
{{- end }}
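Review bot: The `lookup`/`index` pair at the top runs before the `addons.ingressNginx.enabled` check, and when the Namespace is not returned (always the case under `helm template` or `--dry-run`) or carries no `namespace.cozystack.io/ingress` annotation, I believe `index` on the resulting nil map aborts rendering of the whole chart, addon enabled or not; a tolerant form is `{{- $ingress := dig "metadata" "annotations" "namespace.cozystack.io/ingress" "" (lookup "v1" "Namespace" "" .Release.Namespace) }}` followed by `{{- if and .Values.addons.ingressNginx.enabled $ingress }}`, which also avoids emitting an Ingress with `ingressClassName: ""` that no controller claims. On the security side, `nginx.ingress.kubernetes.io/ssl-passthrough: "true"` is only honoured when the platform ingress-nginx runs with `--enable-ssl-passthrough`; without that flag the annotation is ignored and, as far as I can tell, requests are proxied as plain HTTP to the tenant's port 443, so a comment recording that requirement (or a check against the platform ingress configuration) belongs above the annotation. The Service's `selector` also relies on the `node-role.kubernetes.io/ingress-nginx` label being present on the VM pods, which holds only while the template change in this same pull request keeps setting it on the virtual machine template — a comment tying the two together would save the next maintainer a search.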


@@ -16,6 +16,36 @@
"default": 2
}
}
},
"addons": {
"type": "object",
"properties": {
"certManager": {
"type": "object",
"properties": {
"enabled": {
"type": "boolean",
"description": "Enables the certificate manager which automatically creates and manages SSL/TLS certificates",
"default": true
}
}
},
"ingressNginx": {
"type": "object",
"properties": {
"enabled": {
"type": "boolean",
"description": "Enables Ingress-NGINX Controller on nodes with 'ingress-nginx' role",
"default": true
},
"host": {
"type": "string",
"description": "The domain name that should be passtrough to the cluster by upper ingress.",
"default": "example.org"
}
}
}
}
}
}
}
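Review bot: `addons.ingressNginx.host` is interpolated straight into an Ingress `host` rule, yet the schema constrains it only with `"type": "string"`, so a value with a scheme, path or wildcard the platform ingress does not accept surfaces only as an apply-time error; adding `"format": "hostname"` (or a `pattern` limited to DNS label characters and dots) next to the description rejects it at install instead. The description text `passtrough` is misspelled here and in values.yaml (`passthrough`), and the wording would be clearer as `The hostname the platform ingress forwards (TLS passthrough) to this cluster's ingress-nginx.`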


@@ -16,3 +16,16 @@ nodeGroups:
resources:
cpu: 2
memory: 1024Mi
roles:
- ingress-nginx
addons:
## @param addons.certManager.enabled Enables the certificate manager which automatically creates and manages SSL/TLS certificates
certManager:
enabled: true
## @param addons.ingressNginx.enabled Enables Ingress-NGINX Controller on nodes with 'ingress-nginx' role
## @param addons.ingressNginx.host The domain name that should be passtrough to the cluster by upper ingress.
ingressNginx:
enabled: true
host: "example.org"
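Review bot: `host: "example.org"` is a placeholder that is live by default: with `ingressNginx.enabled: true` every tenant cluster created without overriding it gets an Ingress claiming `example.org` on the shared platform ingress, and a second cluster in the same tenant collides on the same host rule. A safer default is `host: ""` with the Ingress template skipped while the host is empty, keeping `example.org` as a README example only. The `roles:` list added under the node group also deserves an `## @param` line noting that `ingress-nginx` is the role the controller's `nodeSelector` keys on, since nothing else in values.yaml explains why that node group exists; the `nodeGroups` entry itself starts above the hunk.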


@@ -8,7 +8,8 @@ kafka 0.2.0 HEAD
kubernetes 0.1.0 f642698
kubernetes 0.2.0 7cd7de73
kubernetes 0.3.0 7caccec1
kubernetes 0.4.0 HEAD
kubernetes 0.4.0 6cae6ce8
kubernetes 0.5.0 HEAD
mysql 0.1.0 f642698
mysql 0.2.0 8b975ff0
mysql 0.3.0 HEAD


@@ -1,10 +1,10 @@
{
"buildx.build.ref": "priceless_leavitt/priceless_leavitt0/t5xx0qcox11kirc7xzxp3iwy6",
"buildx.build.ref": "priceless_leavitt/priceless_leavitt0/d75hbe5lm96nutwocaw0h8ohc",
"containerimage.descriptor": {
"mediaType": "application/vnd.docker.distribution.manifest.list.v2+json",
"digest": "sha256:8b7ebb9d5de39214d0ffc2634c37ada2e2d2fc7ad956c455b329e857bb6e6fd1",
"digest": "sha256:a5544e0cf76b09b421345906d2e85282ba8c2187e9db814cfe5c08ddd9ee491a",
"size": 685
},
"containerimage.digest": "sha256:8b7ebb9d5de39214d0ffc2634c37ada2e2d2fc7ad956c455b329e857bb6e6fd1",
"containerimage.digest": "sha256:a5544e0cf76b09b421345906d2e85282ba8c2187e9db814cfe5c08ddd9ee491a",
"image.name": "ghcr.io/aenix-io/cozystack/cozystack:latest"
}


@@ -11,4 +11,3 @@ update:
patch --no-backup-if-mismatch -p 3 < patches/add-metrics2.patch
rm -f charts/ingress-nginx/templates/controller-deployment.yaml.orig
rm -rf charts/ingress-nginx/changelog/
#sed -i '/ type:/a \ allocateLoadBalancerNodePorts: false' charts/ingress-nginx/templates/controller-service.yaml


@@ -1,243 +0,0 @@
{{- if eq .Values.controller.kind "DaemonSet" -}}
{{- include "isControllerTagValid" . -}}
apiVersion: apps/v1
kind: DaemonSet
metadata:
labels:
{{- include "ingress-nginx.labels" . | nindent 4 }}
app.kubernetes.io/component: controller
{{- with .Values.controller.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
name: {{ include "ingress-nginx.controller.fullname" . }}
namespace: {{ include "ingress-nginx.namespace" . }}
{{- if .Values.controller.annotations }}
annotations: {{ toYaml .Values.controller.annotations | nindent 4 }}
{{- end }}
spec:
selector:
matchLabels:
{{- include "ingress-nginx.selectorLabels" . | nindent 6 }}
app.kubernetes.io/component: controller
revisionHistoryLimit: {{ .Values.revisionHistoryLimit }}
{{- if .Values.controller.updateStrategy }}
updateStrategy: {{ toYaml .Values.controller.updateStrategy | nindent 4 }}
{{- end }}
minReadySeconds: {{ .Values.controller.minReadySeconds }}
template:
metadata:
{{- if .Values.controller.podAnnotations }}
annotations:
{{- range $key, $value := .Values.controller.podAnnotations }}
{{ $key }}: {{ $value | quote }}
{{- end }}
{{- end }}
labels:
{{- include "ingress-nginx.labels" . | nindent 8 }}
app.kubernetes.io/component: controller
{{- with .Values.controller.labels }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- if .Values.controller.podLabels }}
{{- toYaml .Values.controller.podLabels | nindent 8 }}
{{- end }}
spec:
{{- if .Values.controller.dnsConfig }}
dnsConfig: {{ toYaml .Values.controller.dnsConfig | nindent 8 }}
{{- end }}
{{- if .Values.controller.hostAliases }}
hostAliases: {{ tpl (toYaml .Values.controller.hostAliases) $ | nindent 8 }}
{{- end }}
{{- if .Values.controller.hostname }}
hostname: {{ toYaml .Values.controller.hostname | nindent 8 }}
{{- end }}
dnsPolicy: {{ .Values.controller.dnsPolicy }}
{{- if .Values.imagePullSecrets }}
imagePullSecrets: {{ toYaml .Values.imagePullSecrets | nindent 8 }}
{{- end }}
{{- if .Values.controller.priorityClassName }}
priorityClassName: {{ .Values.controller.priorityClassName | quote }}
{{- end }}
{{- if or .Values.controller.podSecurityContext .Values.controller.sysctls }}
securityContext:
{{- if .Values.controller.podSecurityContext }}
{{- toYaml .Values.controller.podSecurityContext | nindent 8 }}
{{- end }}
{{- if .Values.controller.sysctls }}
sysctls:
{{- range $sysctl, $value := .Values.controller.sysctls }}
- name: {{ $sysctl | quote }}
value: {{ $value | quote }}
{{- end }}
{{- end }}
{{- end }}
{{- if .Values.controller.shareProcessNamespace }}
shareProcessNamespace: {{ .Values.controller.shareProcessNamespace }}
{{- end }}
containers:
- name: {{ .Values.controller.containerName }}
{{- with .Values.controller.image }}
image: "{{- if .repository -}}{{ .repository }}{{ else }}{{ .registry }}/{{ include "ingress-nginx.image" . }}{{- end -}}:{{ .tag }}{{ include "ingress-nginx.imageDigest" . }}"
{{- end }}
imagePullPolicy: {{ .Values.controller.image.pullPolicy }}
{{- if .Values.controller.lifecycle }}
lifecycle: {{ toYaml .Values.controller.lifecycle | nindent 12 }}
{{- end }}
args: {{ include "ingress-nginx.params" . | nindent 12 }}
securityContext: {{ include "ingress-nginx.controller.containerSecurityContext" . | nindent 12 }}
env:
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
{{- if .Values.controller.enableMimalloc }}
- name: LD_PRELOAD
value: /usr/local/lib/libmimalloc.so
{{- end }}
{{- if .Values.controller.extraEnvs }}
{{- toYaml .Values.controller.extraEnvs | nindent 12 }}
{{- end }}
{{- if .Values.controller.startupProbe }}
startupProbe: {{ toYaml .Values.controller.startupProbe | nindent 12 }}
{{- end }}
{{- if .Values.controller.livenessProbe }}
livenessProbe: {{ toYaml .Values.controller.livenessProbe | nindent 12 }}
{{- end }}
{{- if .Values.controller.readinessProbe }}
readinessProbe: {{ toYaml .Values.controller.readinessProbe | nindent 12 }}
{{- end }}
ports:
{{- range $key, $value := .Values.controller.containerPort }}
- name: {{ $key }}
containerPort: {{ $value }}
protocol: TCP
{{- if $.Values.controller.hostPort.enabled }}
hostPort: {{ index $.Values.controller.hostPort.ports $key | default $value }}
{{- end }}
{{- end }}
{{- if .Values.controller.metrics.enabled }}
- name: {{ .Values.controller.metrics.portName }}
containerPort: {{ .Values.controller.metrics.port }}
protocol: TCP
{{- end }}
{{- if .Values.controller.admissionWebhooks.enabled }}
- name: webhook
containerPort: {{ .Values.controller.admissionWebhooks.port }}
protocol: TCP
{{- end }}
{{- range $key, $value := .Values.tcp }}
- name: {{ if $.Values.portNamePrefix }}{{ $.Values.portNamePrefix }}-{{ end }}{{ $key }}-tcp
containerPort: {{ $key }}
protocol: TCP
{{- if $.Values.controller.hostPort.enabled }}
hostPort: {{ $key }}
{{- end }}
{{- end }}
{{- range $key, $value := .Values.udp }}
- name: {{ if $.Values.portNamePrefix }}{{ $.Values.portNamePrefix }}-{{ end }}{{ $key }}-udp
containerPort: {{ $key }}
protocol: UDP
{{- if $.Values.controller.hostPort.enabled }}
hostPort: {{ $key }}
{{- end }}
{{- end }}
{{- if (or .Values.controller.customTemplate.configMapName .Values.controller.extraVolumeMounts .Values.controller.admissionWebhooks.enabled .Values.controller.extraModules .Values.controller.opentelemetry.enabled) }}
volumeMounts:
{{- if (or .Values.controller.extraModules .Values.controller.opentelemetry.enabled) }}
- name: modules
{{- if .Values.controller.image.chroot }}
mountPath: /chroot/modules_mount
{{- else }}
mountPath: /modules_mount
{{- end }}
{{- end }}
{{- if .Values.controller.customTemplate.configMapName }}
- mountPath: /etc/nginx/template
name: nginx-template-volume
readOnly: true
{{- end }}
{{- if .Values.controller.admissionWebhooks.enabled }}
- name: webhook-cert
mountPath: /usr/local/certificates/
readOnly: true
{{- end }}
{{- if .Values.controller.extraVolumeMounts }}
{{- toYaml .Values.controller.extraVolumeMounts | nindent 12 }}
{{- end }}
{{- end }}
{{- if .Values.controller.resources }}
resources: {{ toYaml .Values.controller.resources | nindent 12 }}
{{- end }}
{{- if .Values.controller.extraContainers }}
{{- toYaml .Values.controller.extraContainers | nindent 8 }}
{{- end }}
{{- if (or .Values.controller.extraInitContainers .Values.controller.extraModules .Values.controller.opentelemetry.enabled) }}
initContainers:
{{- if .Values.controller.extraInitContainers }}
{{- toYaml .Values.controller.extraInitContainers | nindent 8 }}
{{- end }}
{{- if .Values.controller.extraModules }}
{{- range .Values.controller.extraModules }}
{{- $containerSecurityContext := .containerSecurityContext | default $.Values.controller.containerSecurityContext }}
{{- include "extraModules" (dict "name" .name "image" .image "distroless" .distroless "containerSecurityContext" $containerSecurityContext "resources" .resources) | nindent 8 }}
{{- end }}
{{- end }}
{{- if .Values.controller.opentelemetry.enabled }}
{{- with .Values.controller.opentelemetry }}
{{- $containerSecurityContext := .containerSecurityContext | default $.Values.controller.containerSecurityContext }}
{{- include "extraModules" (dict "name" .name "image" .image "distroless" .distroless "containerSecurityContext" $containerSecurityContext "resources" .resources) | nindent 8 }}
{{- end }}
{{- end }}
{{- end }}
{{- if .Values.controller.hostNetwork }}
hostNetwork: {{ .Values.controller.hostNetwork }}
{{- end }}
{{- if .Values.controller.nodeSelector }}
nodeSelector: {{ toYaml .Values.controller.nodeSelector | nindent 8 }}
{{- end }}
{{- if .Values.controller.tolerations }}
tolerations: {{ toYaml .Values.controller.tolerations | nindent 8 }}
{{- end }}
{{- if .Values.controller.affinity }}
affinity: {{ toYaml .Values.controller.affinity | nindent 8 }}
{{- end }}
{{- if .Values.controller.topologySpreadConstraints }}
topologySpreadConstraints: {{ tpl (toYaml .Values.controller.topologySpreadConstraints) $ | nindent 8 }}
{{- end }}
serviceAccountName: {{ template "ingress-nginx.serviceAccountName" . }}
terminationGracePeriodSeconds: {{ .Values.controller.terminationGracePeriodSeconds }}
{{- if (or .Values.controller.customTemplate.configMapName .Values.controller.extraVolumeMounts .Values.controller.admissionWebhooks.enabled .Values.controller.extraVolumes .Values.controller.extraModules .Values.controller.opentelemetry.enabled) }}
volumes:
{{- if (or .Values.controller.extraModules .Values.controller.opentelemetry.enabled)}}
- name: modules
emptyDir: {}
{{- end }}
{{- if .Values.controller.customTemplate.configMapName }}
- name: nginx-template-volume
configMap:
name: {{ .Values.controller.customTemplate.configMapName }}
items:
- key: {{ .Values.controller.customTemplate.configMapKey }}
path: nginx.tmpl
{{- end }}
{{- if .Values.controller.admissionWebhooks.enabled }}
- name: webhook-cert
secret:
secretName: {{ include "ingress-nginx.admissionWebhooks.fullname" . }}
{{- if .Values.controller.admissionWebhooks.certManager.enabled }}
items:
- key: tls.crt
path: cert
- key: tls.key
path: key
{{- end }}
{{- end }}
{{- if .Values.controller.extraVolumes }}
{{ toYaml .Values.controller.extraVolumes | nindent 8 }}
{{- end }}
{{- end }}
{{- end }}