From 246b44945ea17d65fc2011bd8ee1081adb540780 Mon Sep 17 00:00:00 2001 From: Andrei Kvapil Date: Mon, 24 Jun 2024 18:55:35 +0200 Subject: [PATCH 1/2] add certManager addon Signed-off-by: Andrei Kvapil --- packages/apps/kubernetes/README.md | 1 + .../templates/helmreleases/cert-manager.yaml | 34 +++++++++++++++++++ .../templates/helmreleases/cilium.yaml | 2 ++ .../templates/helmreleases/csi.yaml | 2 ++ .../templates/helmreleases/delete.yaml | 22 +++++++----- packages/apps/kubernetes/values.yaml | 6 ++++ 6 files changed, 58 insertions(+), 9 deletions(-) create mode 100644 packages/apps/kubernetes/templates/helmreleases/cert-manager.yaml diff --git a/packages/apps/kubernetes/README.md b/packages/apps/kubernetes/README.md index 2d5b43a5..8783db67 100644 --- a/packages/apps/kubernetes/README.md +++ b/packages/apps/kubernetes/README.md @@ -36,3 +36,4 @@ kubectl get secret -n kubernetes--admin-kubeconfig -o g | `host` | The hostname used to access the Kubernetes cluster externally (defaults to using the cluster name as a subdomain for the tenant host). | `""` | | `controlPlane.replicas` | Number of replicas for Kubernetes contorl-plane components | `2` | | `nodeGroups` | nodeGroups configuration | `{}` | +| `addons` | addons configuration | `{}` | diff --git a/packages/apps/kubernetes/templates/helmreleases/cert-manager.yaml b/packages/apps/kubernetes/templates/helmreleases/cert-manager.yaml new file mode 100644 index 00000000..175b94b2 --- /dev/null +++ b/packages/apps/kubernetes/templates/helmreleases/cert-manager.yaml 
@@ -0,0 +1,34 @@ +{{- if .Values.addons.certManager.enabled }} +apiVersion: helm.toolkit.fluxcd.io/v2 +kind: HelmRelease +metadata: + name: {{ .Release.Name }}-cert-manager + labels: + cozystack.io/repository: system + coztstack.io/target-cluster-name: {{ .Release.Name }} +spec: + interval: 1m + releaseName: cert-mnager + chart: + spec: + chart: cozy-cert-manager + reconcileStrategy: Revision + sourceRef: + kind: HelmRepository + name: cozystack-system + namespace: cozy-system + kubeConfig: + secretRef: + name: {{ .Release.Name }}-kubeconfig + targetNamespace: cozy-cert-manager + storageNamespace: cozy-cert-manager + install: + createNamespace: true + dependsOn: + {{- if lookup "helm.toolkit.fluxcd.io/v2" "HelmRelease" .Release.Namespace .Release.Name }} + - name: {{ .Release.Name }} + namespace: {{ .Release.Namespace }} + {{- end }} + - name: {{ .Release.Name }}-cilium + namespace: {{ .Release.Namespace }} +{{- end }} diff --git a/packages/apps/kubernetes/templates/helmreleases/cilium.yaml b/packages/apps/kubernetes/templates/helmreleases/cilium.yaml index 4f23ed21..ca99af87 100644 --- a/packages/apps/kubernetes/templates/helmreleases/cilium.yaml +++ b/packages/apps/kubernetes/templates/helmreleases/cilium.yaml @@ -44,5 +44,7 @@ spec: enableIPv4Masquerade: true ipv4NativeRoutingCIDR: "" dependsOn: + {{- if lookup "helm.toolkit.fluxcd.io/v2" "HelmRelease" .Release.Namespace .Release.Name }} - name: {{ .Release.Name }} namespace: {{ .Release.Namespace }} + {{- end }} diff --git a/packages/apps/kubernetes/templates/helmreleases/csi.yaml b/packages/apps/kubernetes/templates/helmreleases/csi.yaml index 5ced4163..349da151 100644 --- a/packages/apps/kubernetes/templates/helmreleases/csi.yaml +++ b/packages/apps/kubernetes/templates/helmreleases/csi.yaml 
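Review bot: The label key `coztstack.io/target-cluster-name` on the new HelmRelease looks like a typo of `cozystack.io/` (the sibling label one line above is `cozystack.io/repository`), so any tooling that selects HelmReleases by target cluster through that key will not find this object. `releaseName: cert-mnager` is very likely also a typo for `cert-manager`; releaseName is the Helm release name stored in the tenant cluster, so the misspelling ends up in the release storage and in anything keyed on it. Both strings are copied verbatim into the new ingress-nginx.yaml in the second patch, where `releaseName` should presumably read `ingress-nginx`, so fix all four places. Suggested lines here: `cozystack.io/target-cluster-name: {{ .Release.Name }}` and `releaseName: cert-manager`.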
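Review bot: The `lookup`-guarded `dependsOn` entry makes the rendered manifest depend on where it is rendered: `lookup` returns an empty result under `helm template`, `--dry-run=client` or any render without API access, so those renders silently drop the dependency on the parent release and `dependsOn:` is emitted with no entries, while a live install produces a different object. That is tolerable once, but the same four-line block is now repeated in cilium.yaml, csi.yaml and the new cert-manager.yaml (and again in ingress-nginx.yaml in the second patch); a single named template holding the guarded entry, included with `nindent` in each file, would keep the copies in sync and give one place for a comment such as `# parent HelmRelease is absent during dry-run renders, so the dependency is only emitted when it exists`. The enclosing `spec` block starts outside the hunk.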
@@ -24,5 +24,7 @@ spec: install: createNamespace: true dependsOn: + {{- if lookup "helm.toolkit.fluxcd.io/v2" "HelmRelease" .Release.Namespace .Release.Name }} - name: {{ .Release.Name }} namespace: {{ .Release.Namespace }} + {{- end }} diff --git a/packages/apps/kubernetes/templates/helmreleases/delete.yaml b/packages/apps/kubernetes/templates/helmreleases/delete.yaml index 71215c30..f89ac771 100644 --- a/packages/apps/kubernetes/templates/helmreleases/delete.yaml +++ b/packages/apps/kubernetes/templates/helmreleases/delete.yaml @@ -22,15 +22,18 @@ spec: - name: kubectl image: docker.io/clastix/kubectl:v1.29.1 command: - - kubectl - - --namespace={{ .Release.Namespace }} - - patch - - helmrelease - - {{ .Release.Name }}-cilium - - {{ .Release.Name }}-csi - - -p - - '{"spec": {"suspend": true}}' - - --type=merge + - /bin/sh + - -c + - | + kubectl + --namespace={{ .Release.Namespace }} + patch + helmrelease + {{ .Release.Name }}-cilium + {{ .Release.Name }}-csi + {{ .Release.Name }}-cert-manager + -p '{"spec": {"suspend": true}}' + --type=merge --field-manager=flux-client-side-apply || true --- apiVersion: v1 kind: ServiceAccount @@ -60,6 +63,7 @@ rules: resourceNames: - {{ .Release.Name }}-cilium - {{ .Release.Name }}-csi + - {{ .Release.Name }}-cert-manager --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding diff --git a/packages/apps/kubernetes/values.yaml b/packages/apps/kubernetes/values.yaml index 15b5cc2b..c2670a7e 100644 --- a/packages/apps/kubernetes/values.yaml +++ b/packages/apps/kubernetes/values.yaml @@ -16,3 +16,9 @@ nodeGroups: resources: cpu: 2 memory: 1024Mi + +## @param addons [object] addons configuration +## +addons: + certManager: + enabled: false From 6bd2d45531c4ce676c10b6a92535ac6f743dba20 Mon Sep 17 00:00:00 2001 From: Andrei Kvapil Date: Tue, 25 Jun 2024 12:46:11 +0200 Subject: [PATCH 2/2] add tenant nginx-ingress 
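Review bot: The new command is a literal block scalar (`- |`), so `sh -c` receives nine separate lines and runs each as its own command: `kubectl` alone, then `--namespace=...`, `patch`, `helmrelease` and the release names each as a standalone command, and because the last line ends in `|| true` the script exits 0 and the pre-delete Job reports success without suspending anything (unless the hunk carried backslash continuations that the rendering lost; none are visible). A folded scalar joins the lines back into one command line, so change `- |` to `- >-`. Separately, `|| true` also hides real failures such as an RBAC denial or an unreachable API server, which matters because this Job is what stops Flux from reconciling the child releases during teardown; if the intent is only to tolerate a missing cert-manager HelmRelease when the addon is disabled, rendering that name under `{{- if .Values.addons.certManager.enabled }}` is more precise, and the Role's `resourceNames` entry in the next hunk can be guarded the same way. The enclosing Job spec starts outside the hunk.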
Signed-off-by: Andrei Kvapil --- packages/apps/kubernetes/Chart.yaml | 2 +- packages/apps/kubernetes/README.md | 14 +- .../apps/kubernetes/templates/cluster.yaml | 9 + .../templates/helmreleases/ingress-nginx.yaml | 44 ++++ .../apps/kubernetes/templates/ingress.yaml | 43 ++++ packages/apps/kubernetes/values.schema.json | 30 +++ packages/apps/kubernetes/values.yaml | 13 +- packages/apps/versions_map | 3 +- packages/core/installer/images/cozystack.json | 6 +- packages/system/ingress-nginx/Makefile | 1 - .../templates/controller-daemonset.yaml.orig | 243 ------------------ 11 files changed, 150 insertions(+), 258 deletions(-) create mode 100644 packages/apps/kubernetes/templates/helmreleases/ingress-nginx.yaml create mode 100644 packages/apps/kubernetes/templates/ingress.yaml delete mode 100644 packages/system/ingress-nginx/charts/ingress-nginx/templates/controller-daemonset.yaml.orig diff --git a/packages/apps/kubernetes/Chart.yaml b/packages/apps/kubernetes/Chart.yaml index 39e8cc22..fd023735 100644 --- a/packages/apps/kubernetes/Chart.yaml +++ b/packages/apps/kubernetes/Chart.yaml @@ -16,7 +16,7 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.4.0 +version: 0.5.0 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to diff --git a/packages/apps/kubernetes/README.md b/packages/apps/kubernetes/README.md index 8783db67..434ca7ee 100644 --- a/packages/apps/kubernetes/README.md +++ b/packages/apps/kubernetes/README.md 
@@ -31,9 +31,11 @@ kubectl get secret -n kubernetes--admin-kubeconfig -o g ### Common parameters -| Name | Description | Value | -| ----------------------- | -------------------------------------------------------------------------------------------------------------------------------------- | ----- | -| `host` | The hostname used to access the Kubernetes cluster externally (defaults to using the cluster name as a subdomain for the tenant host). | `""` | -| `controlPlane.replicas` | Number of replicas for Kubernetes contorl-plane components | `2` | -| `nodeGroups` | nodeGroups configuration | `{}` | -| `addons` | addons configuration | `{}` | +| Name | Description | Value | +| ----------------------------- | -------------------------------------------------------------------------------------------------------------------------------------- | ------------- | +| `host` | The hostname used to access the Kubernetes cluster externally (defaults to using the cluster name as a subdomain for the tenant host). | `""` | +| `controlPlane.replicas` | Number of replicas for Kubernetes contorl-plane components | `2` | +| `nodeGroups` | nodeGroups configuration | `{}` | +| `addons.certManager.enabled` | Enables the certificate manager which automatically creates and manages SSL/TLS certificates | `true` | +| `addons.ingressNginx.enabled` | Enables Ingress-NGINX Controller on nodes with 'ingress-nginx' role | `true` | +| `addons.ingressNginx.host` | The domain name that should be passtrough to the cluster by upper ingress. | `example.org` | diff --git a/packages/apps/kubernetes/templates/cluster.yaml b/packages/apps/kubernetes/templates/cluster.yaml index baa0bc6b..8ef574ef 100644 --- a/packages/apps/kubernetes/templates/cluster.yaml +++ b/packages/apps/kubernetes/templates/cluster.yaml 
@@ -114,6 +114,10 @@ spec: virtualMachineTemplate: metadata: namespace: {{ $.Release.Namespace }} + labels: + {{- range $group.roles }} + node-role.kubernetes.io/{{ . }}: "" + {{- end }} spec: runStrategy: Always template: @@ -165,6 +169,11 @@ metadata: spec: clusterName: {{ $.Release.Name }} template: + metadata: + labels: + {{- range $group.roles }} + node-role.kubernetes.io/{{ . }}: "" + {{- end }} spec: bootstrap: configRef: diff --git a/packages/apps/kubernetes/templates/helmreleases/ingress-nginx.yaml b/packages/apps/kubernetes/templates/helmreleases/ingress-nginx.yaml new file mode 100644 index 00000000..13749a9f --- /dev/null +++ b/packages/apps/kubernetes/templates/helmreleases/ingress-nginx.yaml @@ -0,0 +1,44 @@ +{{- if .Values.addons.ingressNginx.enabled }} +apiVersion: helm.toolkit.fluxcd.io/v2 +kind: HelmRelease +metadata: + name: {{ .Release.Name }}-ingress-nginx + labels: + cozystack.io/repository: system + coztstack.io/target-cluster-name: {{ .Release.Name }} +spec: + interval: 1m + releaseName: cert-mnager + chart: + spec: + chart: cozy-ingress-nginx + reconcileStrategy: Revision + sourceRef: + kind: HelmRepository + name: cozystack-system + namespace: cozy-system + kubeConfig: + secretRef: + name: {{ .Release.Name }}-kubeconfig + targetNamespace: cozy-ingress-nginx + storageNamespace: cozy-ingress-nginx + install: + createNamespace: true + values: + ingress-nginx: + fullnameOverride: ingress-nginx + controller: + kind: DaemonSet + hostNetwork: true + service: + enabled: false + nodeSelector: + node-role.kubernetes.io/ingress-nginx: "" + dependsOn: + {{- if lookup "helm.toolkit.fluxcd.io/v2" "HelmRelease" .Release.Namespace .Release.Name }} + - name: {{ .Release.Name }} + namespace: {{ .Release.Namespace }} + {{- end }} + - name: {{ .Release.Name }}-cilium + namespace: {{ .Release.Namespace }} +{{- end }} 
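Review bot: The label key `node-role.kubernetes.io/{{ . }}` is built from each entry of `$group.roles` without validation or quoting, in both hunks of this file. A role value that is not a valid label-name segment (spaces, `:`, `#`, a leading `-`) either breaks the rendered YAML or is rejected by the API server at apply time, and the value also decides where the new ingress-nginx DaemonSet is scheduled and which VM pods the parent Service selects, so it deserves a constraint: add a label-name `pattern` for `roles` items in values.schema.json (the second patch's schema hunk does not cover `nodeGroups.*.roles`) and emit the key as `{{ printf "node-role.kubernetes.io/%s" . | quote }}: ""`. Kubelets are not allowed to set `node-role.kubernetes.io/*` labels on themselves, so whether these template labels reach the Node objects depends on Cluster API's label sync for that prefix; a comment above the loop such as `# synced to the Node by CAPI; the ingress-nginx DaemonSet nodeSelector relies on it` would record that assumption. The enclosing `range` over node groups starts outside the hunk.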
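Review bot: The controller runs with `hostNetwork: true` and its Service disabled, but no `dnsPolicy` is set; a host-network pod keeps the default `ClusterFirst`, which resolves through the node's resolver rather than cluster DNS, and the upstream chart exposes `controller.dnsPolicy` for exactly this case (the removed .orig template still shows `dnsPolicy: {{ .Values.controller.dnsPolicy }}`). Add `dnsPolicy: ClusterFirstWithHostNet` under `controller:` in the values block. Host-network pods are also not covered by standard NetworkPolicy objects, which is a reasonable trade-off for an edge DaemonSet but worth a comment next to `hostNetwork: true` explaining that traffic arrives on the node's ports and that is why `service.enabled` is false. The copied `releaseName: cert-mnager` and `coztstack.io/...` label are covered in the cert-manager review.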
diff --git a/packages/apps/kubernetes/templates/ingress.yaml b/packages/apps/kubernetes/templates/ingress.yaml
new file mode 100644
index 00000000..3951e1de
--- /dev/null
+++ b/packages/apps/kubernetes/templates/ingress.yaml
@@ -0,0 +1,43 @@
+{{- $myNS := lookup "v1" "Namespace" "" .Release.Namespace }}
+{{- $ingress := index $myNS.metadata.annotations "namespace.cozystack.io/ingress" }}
+{{- if .Values.addons.ingressNginx.enabled }}
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: {{ .Release.Name }}-ingress-nginx
+ annotations:
+ nginx.ingress.kubernetes.io/ssl-redirect: "false"
+ nginx.ingress.kubernetes.io/ssl-passthrough: "true"
+spec:
+ ingressClassName: "{{ $ingress }}"
+ rules:
+ - host: {{ .Values.addons.ingressNginx.host | quote }}
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: {{ .Release.Name }}-ingress-nginx
+ port:
+ number: 443
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ .Release.Name }}-ingress-nginx
+spec:
+ ports:
+ - appProtocol: http
+ name: http
+ port: 80
+ targetPort: 80
+ - appProtocol: https
+ name: https
+ port: 443
+ targetPort: 443
+ selector:
+ cluster.x-k8s.io/cluster-name: {{ .Release.Name }}
+ node-role.kubernetes.io/ingress-nginx: ""
+{{- end }}
diff --git a/packages/apps/kubernetes/values.schema.json b/packages/apps/kubernetes/values.schema.json
index d467b3fe..2455d5f8 100644
--- a/packages/apps/kubernetes/values.schema.json
+++ b/packages/apps/kubernetes/values.schema.json
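Review bot: The two `lookup` lines at the top run unconditionally and dereference `$myNS.metadata.annotations` with no nil check; under `helm template`, `--dry-run=client` or any render without API access `lookup` returns an empty map, `.metadata` is nil, and rendering fails with a nil-pointer evaluation error even when the addon is disabled. On a live cluster whose namespace lacks the `namespace.cozystack.io/ingress` annotation, `$ingress` is empty and the Ingress is created with `ingressClassName: ""`, which no controller claims, so it fails silently. The `ssl-passthrough` annotation is also only honoured if the parent controller was started with passthrough enabled; otherwise the parent terminates TLS and proxies plain HTTP to port 443, which is worth a comment on that line. Moving both lookups inside the `if`, reading the annotation defensively and failing loudly when it is missing avoids both the dry-run crash and the silent empty class (drop the `required` line if an empty class is intended in some environments):
```yaml
{{- if .Values.addons.ingressNginx.enabled }}
{{- $myNS := lookup "v1" "Namespace" "" .Release.Namespace }}
{{- $ingress := dig "metadata" "annotations" "namespace.cozystack.io/ingress" "" $myNS }}
{{- $ingress = required "namespace.cozystack.io/ingress annotation is missing on the tenant namespace" $ingress }}
---
# … unchanged: Ingress and Service manifests …
```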
@@ -16,6 +16,36 @@ "default": 2 } } + }, + "addons": { + "type": "object", + "properties": { + "certManager": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean", + "description": "Enables the certificate manager which automatically creates and manages SSL/TLS certificates", + "default": true + } + } + }, + "ingressNginx": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean", + "description": "Enables Ingress-NGINX Controller on nodes with 'ingress-nginx' role", + "default": true + }, + "host": { + "type": "string", + "description": "The domain name that should be passtrough to the cluster by upper ingress.", + "default": "example.org" + } + } + } + } } } } \ No newline at end of file diff --git a/packages/apps/kubernetes/values.yaml b/packages/apps/kubernetes/values.yaml index c2670a7e..8d8f536a 100644 --- a/packages/apps/kubernetes/values.yaml +++ b/packages/apps/kubernetes/values.yaml @@ -16,9 +16,16 @@ nodeGroups: resources: cpu: 2 memory: 1024Mi + roles: + - ingress-nginx -## @param addons [object] addons configuration -## addons: + ## @param addons.certManager.enabled Enables the certificate manager which automatically creates and manages SSL/TLS certificates certManager: - enabled: false + enabled: true + + ## @param addons.ingressNginx.enabled Enables Ingress-NGINX Controller on nodes with 'ingress-nginx' role + ## @param addons.ingressNginx.host The domain name that should be passtrough to the cluster by upper ingress. + ingressNginx: + enabled: true + host: "example.org" diff --git a/packages/apps/versions_map b/packages/apps/versions_map index 5d5d46b8..bb7fe850 100644 --- a/packages/apps/versions_map +++ b/packages/apps/versions_map @@ -8,7 +8,8 @@ kafka 0.2.0 HEAD kubernetes 0.1.0 f642698 kubernetes 0.2.0 7cd7de73 kubernetes 0.3.0 7caccec1 -kubernetes 0.4.0 HEAD +kubernetes 0.4.0 6cae6ce8 +kubernetes 0.5.0 HEAD mysql 0.1.0 f642698 mysql 0.2.0 8b975ff0 mysql 0.3.0 HEAD 
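Review bot: `addons.ingressNginx.host` is declared as a bare `string` although it is rendered straight into an Ingress `host` rule; a `pattern` for a DNS name (or `"format": "hostname"`, if wildcard hosts are not meant to be accepted) would reject a value carrying a scheme, path or port at `helm install` instead of producing an Ingress the parent controller ignores. The `nodeGroups.*.roles` list introduced in values.yaml in this patch is not described here either, and since each entry becomes a `node-role.kubernetes.io/` label key, an `items` schema with a label-name pattern would catch bad values early. The hunk also leaves the file without a trailing newline. The enclosing JSON object starts outside the hunk.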
diff --git a/packages/core/installer/images/cozystack.json b/packages/core/installer/images/cozystack.json index 71b95399..3594b9b3 100644 --- a/packages/core/installer/images/cozystack.json +++ b/packages/core/installer/images/cozystack.json @@ -1,10 +1,10 @@ { - "buildx.build.ref": "priceless_leavitt/priceless_leavitt0/t5xx0qcox11kirc7xzxp3iwy6", + "buildx.build.ref": "priceless_leavitt/priceless_leavitt0/d75hbe5lm96nutwocaw0h8ohc", "containerimage.descriptor": { "mediaType": "application/vnd.docker.distribution.manifest.list.v2+json", - "digest": "sha256:8b7ebb9d5de39214d0ffc2634c37ada2e2d2fc7ad956c455b329e857bb6e6fd1", + "digest": "sha256:a5544e0cf76b09b421345906d2e85282ba8c2187e9db814cfe5c08ddd9ee491a", "size": 685 }, - "containerimage.digest": "sha256:8b7ebb9d5de39214d0ffc2634c37ada2e2d2fc7ad956c455b329e857bb6e6fd1", + "containerimage.digest": "sha256:a5544e0cf76b09b421345906d2e85282ba8c2187e9db814cfe5c08ddd9ee491a", "image.name": "ghcr.io/aenix-io/cozystack/cozystack:latest" } \ No newline at end of file diff --git a/packages/system/ingress-nginx/Makefile b/packages/system/ingress-nginx/Makefile index 831ef0a0..e8167a00 100644 --- a/packages/system/ingress-nginx/Makefile +++ b/packages/system/ingress-nginx/Makefile @@ -11,4 +11,3 @@ update: patch -p 3 < patches/add-metrics2.patch rm -f charts/ingress-nginx/templates/controller-deployment.yaml.orig rm -rf charts/ingress-nginx/changelog/ - #sed -i '/ type:/a \ allocateLoadBalancerNodePorts: false' charts/ingress-nginx/templates/controller-service.yaml diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/templates/controller-daemonset.yaml.orig b/packages/system/ingress-nginx/charts/ingress-nginx/templates/controller-daemonset.yaml.orig deleted file mode 100644 index 3aaa9250..00000000 --- a/packages/system/ingress-nginx/charts/ingress-nginx/templates/controller-daemonset.yaml.orig +++ /dev/null 
@@ -1,243 +0,0 @@ -{{- if eq .Values.controller.kind "DaemonSet" -}} -{{- include "isControllerTagValid" . -}} -apiVersion: apps/v1 -kind: DaemonSet -metadata: - labels: - {{- include "ingress-nginx.labels" . | nindent 4 }} - app.kubernetes.io/component: controller - {{- with .Values.controller.labels }} - {{- toYaml . | nindent 4 }} - {{- end }} - name: {{ include "ingress-nginx.controller.fullname" . }} - namespace: {{ include "ingress-nginx.namespace" . }} - {{- if .Values.controller.annotations }} - annotations: {{ toYaml .Values.controller.annotations | nindent 4 }} - {{- end }} -spec: - selector: - matchLabels: - {{- include "ingress-nginx.selectorLabels" . | nindent 6 }} - app.kubernetes.io/component: controller - revisionHistoryLimit: {{ .Values.revisionHistoryLimit }} - {{- if .Values.controller.updateStrategy }} - updateStrategy: {{ toYaml .Values.controller.updateStrategy | nindent 4 }} - {{- end }} - minReadySeconds: {{ .Values.controller.minReadySeconds }} - template: - metadata: - {{- if .Values.controller.podAnnotations }} - annotations: - {{- range $key, $value := .Values.controller.podAnnotations }} - {{ $key }}: {{ $value | quote }} - {{- end }} - {{- end }} - labels: - {{- include "ingress-nginx.labels" . | nindent 8 }} - app.kubernetes.io/component: controller - {{- with .Values.controller.labels }} - {{- toYaml . 
| nindent 8 }} - {{- end }} - {{- if .Values.controller.podLabels }} - {{- toYaml .Values.controller.podLabels | nindent 8 }} - {{- end }} - spec: - {{- if .Values.controller.dnsConfig }} - dnsConfig: {{ toYaml .Values.controller.dnsConfig | nindent 8 }} - {{- end }} - {{- if .Values.controller.hostAliases }} - hostAliases: {{ tpl (toYaml .Values.controller.hostAliases) $ | nindent 8 }} - {{- end }} - {{- if .Values.controller.hostname }} - hostname: {{ toYaml .Values.controller.hostname | nindent 8 }} - {{- end }} - dnsPolicy: {{ .Values.controller.dnsPolicy }} - {{- if .Values.imagePullSecrets }} - imagePullSecrets: {{ toYaml .Values.imagePullSecrets | nindent 8 }} - {{- end }} - {{- if .Values.controller.priorityClassName }} - priorityClassName: {{ .Values.controller.priorityClassName | quote }} - {{- end }} - {{- if or .Values.controller.podSecurityContext .Values.controller.sysctls }} - securityContext: - {{- if .Values.controller.podSecurityContext }} - {{- toYaml .Values.controller.podSecurityContext | nindent 8 }} - {{- end }} - {{- if .Values.controller.sysctls }} - sysctls: - {{- range $sysctl, $value := .Values.controller.sysctls }} - - name: {{ $sysctl | quote }} - value: {{ $value | quote }} - {{- end }} - {{- end }} - {{- end }} - {{- if .Values.controller.shareProcessNamespace }} - shareProcessNamespace: {{ .Values.controller.shareProcessNamespace }} - {{- end }} - containers: - - name: {{ .Values.controller.containerName }} - {{- with .Values.controller.image }} - image: "{{- if .repository -}}{{ .repository }}{{ else }}{{ .registry }}/{{ include "ingress-nginx.image" . }}{{- end -}}:{{ .tag }}{{ include "ingress-nginx.imageDigest" . }}" - {{- end }} - imagePullPolicy: {{ .Values.controller.image.pullPolicy }} - {{- if .Values.controller.lifecycle }} - lifecycle: {{ toYaml .Values.controller.lifecycle | nindent 12 }} - {{- end }} - args: {{ include "ingress-nginx.params" . 
| nindent 12 }} - securityContext: {{ include "ingress-nginx.controller.containerSecurityContext" . | nindent 12 }} - env: - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - {{- if .Values.controller.enableMimalloc }} - - name: LD_PRELOAD - value: /usr/local/lib/libmimalloc.so - {{- end }} - {{- if .Values.controller.extraEnvs }} - {{- toYaml .Values.controller.extraEnvs | nindent 12 }} - {{- end }} - {{- if .Values.controller.startupProbe }} - startupProbe: {{ toYaml .Values.controller.startupProbe | nindent 12 }} - {{- end }} - {{- if .Values.controller.livenessProbe }} - livenessProbe: {{ toYaml .Values.controller.livenessProbe | nindent 12 }} - {{- end }} - {{- if .Values.controller.readinessProbe }} - readinessProbe: {{ toYaml .Values.controller.readinessProbe | nindent 12 }} - {{- end }} - ports: - {{- range $key, $value := .Values.controller.containerPort }} - - name: {{ $key }} - containerPort: {{ $value }} - protocol: TCP - {{- if $.Values.controller.hostPort.enabled }} - hostPort: {{ index $.Values.controller.hostPort.ports $key | default $value }} - {{- end }} - {{- end }} - {{- if .Values.controller.metrics.enabled }} - - name: {{ .Values.controller.metrics.portName }} - containerPort: {{ .Values.controller.metrics.port }} - protocol: TCP - {{- end }} - {{- if .Values.controller.admissionWebhooks.enabled }} - - name: webhook - containerPort: {{ .Values.controller.admissionWebhooks.port }} - protocol: TCP - {{- end }} - {{- range $key, $value := .Values.tcp }} - - name: {{ if $.Values.portNamePrefix }}{{ $.Values.portNamePrefix }}-{{ end }}{{ $key }}-tcp - containerPort: {{ $key }} - protocol: TCP - {{- if $.Values.controller.hostPort.enabled }} - hostPort: {{ $key }} - {{- end }} - {{- end }} - {{- range $key, $value := .Values.udp }} - - name: {{ if $.Values.portNamePrefix }}{{ $.Values.portNamePrefix }}-{{ end }}{{ $key }}-udp - containerPort: {{ 
$key }} - protocol: UDP - {{- if $.Values.controller.hostPort.enabled }} - hostPort: {{ $key }} - {{- end }} - {{- end }} - {{- if (or .Values.controller.customTemplate.configMapName .Values.controller.extraVolumeMounts .Values.controller.admissionWebhooks.enabled .Values.controller.extraModules .Values.controller.opentelemetry.enabled) }} - volumeMounts: - {{- if (or .Values.controller.extraModules .Values.controller.opentelemetry.enabled) }} - - name: modules - {{- if .Values.controller.image.chroot }} - mountPath: /chroot/modules_mount - {{- else }} - mountPath: /modules_mount - {{- end }} - {{- end }} - {{- if .Values.controller.customTemplate.configMapName }} - - mountPath: /etc/nginx/template - name: nginx-template-volume - readOnly: true - {{- end }} - {{- if .Values.controller.admissionWebhooks.enabled }} - - name: webhook-cert - mountPath: /usr/local/certificates/ - readOnly: true - {{- end }} - {{- if .Values.controller.extraVolumeMounts }} - {{- toYaml .Values.controller.extraVolumeMounts | nindent 12 }} - {{- end }} - {{- end }} - {{- if .Values.controller.resources }} - resources: {{ toYaml .Values.controller.resources | nindent 12 }} - {{- end }} - {{- if .Values.controller.extraContainers }} - {{- toYaml .Values.controller.extraContainers | nindent 8 }} - {{- end }} - {{- if (or .Values.controller.extraInitContainers .Values.controller.extraModules .Values.controller.opentelemetry.enabled) }} - initContainers: - {{- if .Values.controller.extraInitContainers }} - {{- toYaml .Values.controller.extraInitContainers | nindent 8 }} - {{- end }} - {{- if .Values.controller.extraModules }} - {{- range .Values.controller.extraModules }} - {{- $containerSecurityContext := .containerSecurityContext | default $.Values.controller.containerSecurityContext }} - {{- include "extraModules" (dict "name" .name "image" .image "distroless" .distroless "containerSecurityContext" $containerSecurityContext "resources" .resources) | nindent 8 }} - {{- end }} - {{- end }} - 
{{- if .Values.controller.opentelemetry.enabled }} - {{- with .Values.controller.opentelemetry }} - {{- $containerSecurityContext := .containerSecurityContext | default $.Values.controller.containerSecurityContext }} - {{- include "extraModules" (dict "name" .name "image" .image "distroless" .distroless "containerSecurityContext" $containerSecurityContext "resources" .resources) | nindent 8 }} - {{- end }} - {{- end }} - {{- end }} - {{- if .Values.controller.hostNetwork }} - hostNetwork: {{ .Values.controller.hostNetwork }} - {{- end }} - {{- if .Values.controller.nodeSelector }} - nodeSelector: {{ toYaml .Values.controller.nodeSelector | nindent 8 }} - {{- end }} - {{- if .Values.controller.tolerations }} - tolerations: {{ toYaml .Values.controller.tolerations | nindent 8 }} - {{- end }} - {{- if .Values.controller.affinity }} - affinity: {{ toYaml .Values.controller.affinity | nindent 8 }} - {{- end }} - {{- if .Values.controller.topologySpreadConstraints }} - topologySpreadConstraints: {{ tpl (toYaml .Values.controller.topologySpreadConstraints) $ | nindent 8 }} - {{- end }} - serviceAccountName: {{ template "ingress-nginx.serviceAccountName" . 
}} - terminationGracePeriodSeconds: {{ .Values.controller.terminationGracePeriodSeconds }} - {{- if (or .Values.controller.customTemplate.configMapName .Values.controller.extraVolumeMounts .Values.controller.admissionWebhooks.enabled .Values.controller.extraVolumes .Values.controller.extraModules .Values.controller.opentelemetry.enabled) }} - volumes: - {{- if (or .Values.controller.extraModules .Values.controller.opentelemetry.enabled)}} - - name: modules - emptyDir: {} - {{- end }} - {{- if .Values.controller.customTemplate.configMapName }} - - name: nginx-template-volume - configMap: - name: {{ .Values.controller.customTemplate.configMapName }} - items: - - key: {{ .Values.controller.customTemplate.configMapKey }} - path: nginx.tmpl - {{- end }} - {{- if .Values.controller.admissionWebhooks.enabled }} - - name: webhook-cert - secret: - secretName: {{ include "ingress-nginx.admissionWebhooks.fullname" . }} - {{- if .Values.controller.admissionWebhooks.certManager.enabled }} - items: - - key: tls.crt - path: cert - - key: tls.key - path: key - {{- end }} - {{- end }} - {{- if .Values.controller.extraVolumes }} - {{ toYaml .Values.controller.extraVolumes | nindent 8 }} - {{- end }} - {{- end }} -{{- end }}