From 70561f5230c2bacccc70c504685b0de8840b41eb Mon Sep 17 00:00:00 2001 From: James Sulinski Date: Tue, 1 Aug 2017 21:24:37 -0500 Subject: [PATCH 01/10] Add RBAC support --- stable/nginx-ingress/README.md | 1 + .../controller-cluster-role-binding.yaml | 14 +++++ .../templates/controller-cluster-role.yaml | 54 +++++++++++++++++++ .../templates/controller-deployment.yaml | 6 +-- .../templates/controller-role-binding.yaml | 14 +++++ .../templates/controller-role.yaml | 37 +++++++++++++ .../templates/controller-service-account.yaml | 6 +++ stable/nginx-ingress/values.yaml | 4 ++ 8 files changed, 133 insertions(+), 3 deletions(-) create mode 100644 stable/nginx-ingress/templates/controller-cluster-role-binding.yaml create mode 100644 stable/nginx-ingress/templates/controller-cluster-role.yaml create mode 100644 stable/nginx-ingress/templates/controller-role-binding.yaml create mode 100644 stable/nginx-ingress/templates/controller-role.yaml create mode 100644 stable/nginx-ingress/templates/controller-service-account.yaml diff --git a/stable/nginx-ingress/README.md b/stable/nginx-ingress/README.md index b76c49e9b26a..d84697adfcc2 100644 --- a/stable/nginx-ingress/README.md +++ b/stable/nginx-ingress/README.md @@ -64,6 +64,7 @@ Parameter | Description | Default `controller.service.annotations` | annotations for controller service | `{}` `controller.publishService.enabled` | if true, the controller will set the endpoint records on the ingress objects to reflect those on the service | `false` `controller.publishService.pathOverride` | override of the default publish-service name | `""` +`controller.rbac.enabled` | if true, will set up RBAC | `false` `controller.service.clusterIP` | internal controller cluster service IP | `""` `controller.service.externalIPs` | controller service external IP addresses | `[]` `controller.service.loadBalancerIP` | IP address to assign to load balancer (if supported) | `""` 
diff --git a/stable/nginx-ingress/templates/controller-cluster-role-binding.yaml b/stable/nginx-ingress/templates/controller-cluster-role-binding.yaml
new file mode 100644
index 000000000000..0ffbdc62fce5
--- /dev/null
+++ b/stable/nginx-ingress/templates/controller-cluster-role-binding.yaml
@@ -0,0 +1,14 @@
+{{- if .Values.controller.rbac.enabled -}}
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ template "fullname" . }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: {{ template "fullname" . }}
+subjects:
+ - kind: ServiceAccount
+ name: {{ template "fullname" . }}
+ namespace: {{ .Release.Namespace }}
+{{- end -}}
diff --git a/stable/nginx-ingress/templates/controller-cluster-role.yaml b/stable/nginx-ingress/templates/controller-cluster-role.yaml
new file mode 100644
index 000000000000..8aa694eab8ea
--- /dev/null
+++ b/stable/nginx-ingress/templates/controller-cluster-role.yaml
@@ -0,0 +1,54 @@
+{{- if .Values.controller.rbac.enabled -}}
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+ name: {{ template "fullname" . }}
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - configmaps
+ - endpoints
+ - nodes
+ - pods
+ - secrets
+ verbs:
+ - list
+ - watch
+ - apiGroups:
+ - ""
+ resources:
+ - nodes
+ verbs:
+ - get
+ - apiGroups:
+ - ""
+ resources:
+ - services
+ verbs:
+ - get
+ - list
+ - watch
+ - update
+ - apiGroups:
+ - "extensions"
+ resources:
+ - ingresses
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - ""
+ resources:
+ - events
+ verbs:
+ - create
+ - patch
+ - apiGroups:
+ - "extensions"
+ resources:
+ - ingresses/status
+ verbs:
+ - update
+{{- end -}}
diff --git a/stable/nginx-ingress/templates/controller-deployment.yaml b/stable/nginx-ingress/templates/controller-deployment.yaml
index 233a639cdd77..760970759310 100644
--- a/stable/nginx-ingress/templates/controller-deployment.yaml
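Review bot: The first rule of the new ClusterRole grants `list` and `watch` on `secrets` with no namespace or name restriction, so any pod running under this ServiceAccount can read every Secret in the cluster, not only those referenced by Ingress objects; the `update` verb on `services` in the third rule is likewise cluster-wide and nothing explains why a read-only controller needs it. Neither the README row nor the `rbac` block added to values.yaml in this patch says so, yet that is exactly what an operator weighs before flipping `controller.rbac.enabled`. Add a comment above the first rule, e.g. `# Cluster-wide read of Secrets (presumably for TLS certificates referenced by Ingresses): every Secret in the cluster is readable by this account`, and either justify `update` on `services` in a similar comment or drop it.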
+++ b/stable/nginx-ingress/templates/controller-deployment.yaml @@ -23,9 +23,9 @@ spec: release: {{ .Release.Name }} spec: hostNetwork: {{ .Values.controller.hostNetwork }} - {{- if .Values.controller.serviceAccountName }} - serviceAccountName: {{ .Values.controller.serviceAccountName }} - {{- end }} +{{- if .Values.controller.rbac.enabled }} + serviceAccountName: {{ template "fullname" . }} +{{- end }} containers: - name: {{ template "name" . }}-{{ .Values.controller.name }} image: "{{ .Values.controller.image.repository }}:{{ .Values.controller.image.tag }}" diff --git a/stable/nginx-ingress/templates/controller-role-binding.yaml b/stable/nginx-ingress/templates/controller-role-binding.yaml new file mode 100644 index 000000000000..26b98709d430 --- /dev/null +++ b/stable/nginx-ingress/templates/controller-role-binding.yaml @@ -0,0 +1,14 @@ +{{- if .Values.controller.rbac.enabled -}} +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: RoleBinding +metadata: + name: {{ template "fullname" . }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "fullname" . }} +subjects: + - kind: ServiceAccount + name: {{ template "fullname" . }} + namespace: {{ .Release.Namespace }} +{{- end -}} diff --git a/stable/nginx-ingress/templates/controller-role.yaml b/stable/nginx-ingress/templates/controller-role.yaml new file mode 100644 index 000000000000..36c63b7cb529 --- /dev/null +++ b/stable/nginx-ingress/templates/controller-role.yaml 
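Review bot: The `controller.serviceAccountName` branch is replaced outright by one gated on `controller.rbac.enabled`, so a user who set a custom ServiceAccount without enabling RBAC silently falls back to the namespace `default` account after upgrading, and the README keeps documenting the old key (its row is only removed in patch 07 on this page). The diffstat of this patch also lists no change to `controller-daemonset.yaml`, so with `controller.kind: DaemonSet` the new account is never attached at all. Keep the old value as a fallback, `{{- else if .Values.controller.serviceAccountName }}` / `  serviceAccountName: {{ .Values.controller.serviceAccountName }}`, and mirror the block in the DaemonSet template. The pod spec continues outside the hunk.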
@@ -0,0 +1,37 @@ +{{- if .Values.controller.rbac.enabled -}} +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: Role +metadata: + name: {{ template "fullname" . }} +rules: + - apiGroups: + - "" + resources: + - configmaps + - pods + - secrets + verbs: + - get + - apiGroups: + - "" + resources: + - configmaps + resourceNames: + # Defaults to "-" + # Here: "-" + # This has to be adapted if you change either parameter + # when launching the nginx-ingress-controller. + - "ingress-controller-leader-nginx" + verbs: + - create + - get + - update + - apiGroups: + - "" + resources: + - endpoints + verbs: + - get + - create + - update +{{- end -}} diff --git a/stable/nginx-ingress/templates/controller-service-account.yaml b/stable/nginx-ingress/templates/controller-service-account.yaml new file mode 100644 index 000000000000..faf150d493b0 --- /dev/null +++ b/stable/nginx-ingress/templates/controller-service-account.yaml @@ -0,0 +1,6 @@ +{{- if .Values.controller.rbac.enabled -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "fullname" . }} +{{- end -}} diff --git a/stable/nginx-ingress/values.yaml b/stable/nginx-ingress/values.yaml index 4a2038c137b6..0a14bde45aba 100644 --- a/stable/nginx-ingress/values.yaml +++ b/stable/nginx-ingress/values.yaml @@ -41,6 +41,10 @@ controller: ## kind: Deployment + ## enable RBAC as per: https://github.com/kubernetes/ingress/tree/master/examples/rbac/nginx and https://github.com/kubernetes/ingress/issues/266 + rbac: + enabled: false + ## Node labels for controller pod assignment ## Ref: https://kubernetes.io/docs/user-guide/node-selection/ ## From 993056041b92f29ca2640f272eb07de05de2ac13 Mon Sep 17 00:00:00 2001 From: James Sulinski Date: Tue, 11 Jul 2017 21:10:30 -0700 Subject: [PATCH 02/10] nginx-ingress: fix spacing for events --- stable/nginx-ingress/templates/controller-cluster-role.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/stable/nginx-ingress/templates/controller-cluster-role.yaml b/stable/nginx-ingress/templates/controller-cluster-role.yaml index 8aa694eab8ea..ba728f606dba 100644 --- a/stable/nginx-ingress/templates/controller-cluster-role.yaml +++ b/stable/nginx-ingress/templates/controller-cluster-role.yaml @@ -41,7 +41,7 @@ rules: - apiGroups: - "" resources: - - events + - events verbs: - create - patch From bd9bb5484bb3ff1c25a554874083f6a2f16097fd Mon Sep 17 00:00:00 2001 From: icereval Date: Tue, 11 Jul 2017 08:43:59 -0400 Subject: [PATCH 03/10] Add RBAC support for nginx-ingress based on: https://github.com/kubernetes/charts/pull/1235 --- .../nginx-ingress/templates/controller-daemonset.yaml | 10 ++++++++-- .../nginx-ingress/templates/controller-deployment.yaml | 10 ++++++++-- .../templates/default-backend-service.yaml | 2 +- 3 files changed, 17 insertions(+), 5 deletions(-) diff --git a/stable/nginx-ingress/templates/controller-daemonset.yaml b/stable/nginx-ingress/templates/controller-daemonset.yaml index 3a07cfa32bf3..e39d08cbdbec 100644 --- a/stable/nginx-ingress/templates/controller-daemonset.yaml +++ b/stable/nginx-ingress/templates/controller-daemonset.yaml 
@@ -12,15 +12,21 @@ metadata: spec: template: metadata: - {{- if .Values.controller.podAnnotations }} annotations: -{{ toYaml .Values.controller.podAnnotations | indent 8 }} + checksum/config: {{ include (print $.Template.BasePath "/controller-configmap.yaml") . | sha256sum }} + {{- if .Values.controller.podAnnotations }} +{{ toYaml .Values.controller.podAnnotations | indent 8}} {{- end }} labels: app: {{ template "name" . }} component: "{{ .Values.controller.name }}" release: {{ .Release.Name }} spec: +{{- if .Values.controller.rbac.enabled }} + serviceAccountName: {{ template "fullname" . }} +{{- else }} + serviceAccountName: default +{{- end }} hostNetwork: {{ .Values.controller.hostNetwork }} {{- if .Values.controller.serviceAccountName }} serviceAccountName: {{ .Values.controller.serviceAccountName }} diff --git a/stable/nginx-ingress/templates/controller-deployment.yaml b/stable/nginx-ingress/templates/controller-deployment.yaml index 760970759310..f795c2302250 100644 --- a/stable/nginx-ingress/templates/controller-deployment.yaml +++ b/stable/nginx-ingress/templates/controller-deployment.yaml @@ -13,15 +13,21 @@ spec: replicas: {{ .Values.controller.replicaCount }} template: metadata: - {{- if .Values.controller.podAnnotations }} annotations: -{{ toYaml .Values.controller.podAnnotations | indent 8 }} + checksum/config: {{ include (print $.Template.BasePath "/controller-configmap.yaml") . | sha256sum }} + {{- if .Values.controller.podAnnotations }} +{{ toYaml .Values.controller.podAnnotations | indent 8}} {{- end }} labels: app: {{ template "name" . }} component: "{{ .Values.controller.name }}" release: {{ .Release.Name }} spec: +{{- if .Values.controller.rbac.enabled }} + serviceAccountName: {{ template "fullname" . }} +{{- else }} + serviceAccountName: default +{{- end }} hostNetwork: {{ .Values.controller.hostNetwork }} {{- if .Values.controller.rbac.enabled }} serviceAccountName: {{ template "fullname" . }} 
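Review bot: Both hunks in this commit leave the rendered pod spec with two `serviceAccountName` keys: in `controller-daemonset.yaml` the new `if/else` block always emits one and the retained `{{- if .Values.controller.serviceAccountName }}` block below `hostNetwork` can emit a second, and in `controller-deployment.yaml` the `{{- if .Values.controller.rbac.enabled }}` block now appears twice. Duplicate mapping keys are resolved by the parser (usually last-wins, some decoders reject the manifest), so which identity the controller runs as depends on key order rather than on the values. Remove the second block in each template and fold the legacy value into the first, e.g. `{{- else if .Values.controller.serviceAccountName }}` / `  serviceAccountName: {{ .Values.controller.serviceAccountName }}`. The podAnnotations line also lost its space in `indent 8}}`; it renders the same but is inconsistent with the rest of the file. Both pod specs continue outside the hunk.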
diff --git a/stable/nginx-ingress/templates/default-backend-service.yaml b/stable/nginx-ingress/templates/default-backend-service.yaml index 6e0379db11b5..7ac61f8423b8 100644 --- a/stable/nginx-ingress/templates/default-backend-service.yaml +++ b/stable/nginx-ingress/templates/default-backend-service.yaml @@ -33,5 +33,5 @@ spec: app: {{ template "name" . }} component: "{{ .Values.defaultBackend.name }}" release: {{ .Release.Name }} - type: ClusterIP + type: "{{ .Values.defaultBackend.service.type }}" {{- end }} From 4f97fb9c2246d69ad73ca48bc6da85bd26588c42 Mon Sep 17 00:00:00 2001 From: James Sulinski Date: Tue, 11 Jul 2017 22:45:26 -0700 Subject: [PATCH 04/10] Pull in new RBAC changes from https://github.com/kubernetes/ingress/commit/4618fd2f64a904b1949f1d0a9a76ebe6ab8cb719 --- stable/nginx-ingress/templates/controller-role.yaml | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/stable/nginx-ingress/templates/controller-role.yaml b/stable/nginx-ingress/templates/controller-role.yaml index 36c63b7cb529..c2f331bf7b61 100644 --- a/stable/nginx-ingress/templates/controller-role.yaml +++ b/stable/nginx-ingress/templates/controller-role.yaml @@ -23,9 +23,14 @@ rules: # when launching the nginx-ingress-controller. - "ingress-controller-leader-nginx" verbs: - - create - get - update + - apiGroups: + - "" + resources: + - configmaps + verbs: + - create - apiGroups: - "" resources: From 0394da3165c27e45c2c09c443a1a08b660799d93 Mon Sep 17 00:00:00 2001 From: James Sulinski Date: Fri, 14 Jul 2017 16:00:08 -0700 Subject: [PATCH 05/10] Move resourceNames to a value --- stable/nginx-ingress/templates/controller-role.yaml | 4 +++- stable/nginx-ingress/values.yaml | 2 ++ 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/stable/nginx-ingress/templates/controller-role.yaml b/stable/nginx-ingress/templates/controller-role.yaml index c2f331bf7b61..8158a5bb62d4 100644 --- a/stable/nginx-ingress/templates/controller-role.yaml 
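Review bot: Nothing in the Role says why `create` on `configmaps` now lives in its own rule without `resourceNames`; the reason — Kubernetes cannot restrict `create` by resource name because the name is not known at authorization time — is not obvious, and the next reader will be tempted to fold it back under the named rule and silently break leader election. Add a comment above the new rule: `# create cannot be limited by resourceNames, so it needs its own rule; this allows creating any ConfigMap in the release namespace`. The Role's rules continue outside the hunk.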
+++ b/stable/nginx-ingress/templates/controller-role.yaml @@ -21,7 +21,9 @@ rules: # Here: "-" # This has to be adapted if you change either parameter # when launching the nginx-ingress-controller. - - "ingress-controller-leader-nginx" +{{- if .Values.controller.rbac.resourceNames }} +{{ toYaml .Values.controller.rbac.resourceNames | indent 6 }} +{{- end }} verbs: - get - update diff --git a/stable/nginx-ingress/values.yaml b/stable/nginx-ingress/values.yaml index 0a14bde45aba..0ef75b1361d6 100644 --- a/stable/nginx-ingress/values.yaml +++ b/stable/nginx-ingress/values.yaml @@ -44,6 +44,8 @@ controller: ## enable RBAC as per: https://github.com/kubernetes/ingress/tree/master/examples/rbac/nginx and https://github.com/kubernetes/ingress/issues/266 rbac: enabled: false + resourceNames: + - ingress-controller-leader-nginx ## Node labels for controller pod assignment ## Ref: https://kubernetes.io/docs/user-guide/node-selection/ From c00a2d387cca3f49b1cba38be5e6939bccf14bfa Mon Sep 17 00:00:00 2001 From: AJ Christensen Date: Sat, 15 Jul 2017 11:42:15 +1200 Subject: [PATCH 06/10] templates: use a range loop to render the resourceNames * this produces the correctly formatted output we are looking for, specifically with regard to the extra carriage return which didn't want to be chomped away by the usual `-` method. --- stable/nginx-ingress/templates/controller-role.yaml | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/stable/nginx-ingress/templates/controller-role.yaml b/stable/nginx-ingress/templates/controller-role.yaml index 8158a5bb62d4..95bf445d50c2 100644 --- a/stable/nginx-ingress/templates/controller-role.yaml +++ b/stable/nginx-ingress/templates/controller-role.yaml 
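Review bot: The `resourceNames:` key stays outside the new `{{- if .Values.controller.rbac.resourceNames }}` guard, so an empty or unset `controller.rbac.resourceNames` renders `resourceNames:` with a null value, which RBAC treats as no name restriction — the `get`/`update` rule then covers every ConfigMap in the release namespace instead of the leader-election one. The range-loop rewrite in the next commit (patch 06) moves the key inside the guard but keeps the same widening when the list is empty. Fail the render instead, e.g. `{{- $names := required "controller.rbac.resourceNames must name the leader-election ConfigMap" .Values.controller.rbac.resourceNames }}`, or at least document the widening next to the value in the values.yaml hunk. The Role's rules continue outside the hunk.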
@@ -16,13 +16,15 @@ rules: - "" resources: - configmaps - resourceNames: +{{- if .Values.controller.rbac.resourceNames }} # Defaults to "-" # Here: "-" # This has to be adapted if you change either parameter # when launching the nginx-ingress-controller. -{{- if .Values.controller.rbac.resourceNames }} -{{ toYaml .Values.controller.rbac.resourceNames | indent 6 }} + resourceNames: + {{- range .Values.controller.rbac.resourceNames }} + - {{ . -}} + {{ end }} {{- end }} verbs: - get From f3bbc016de5b89e2cc80e61c8c43ed85c46a1931 Mon Sep 17 00:00:00 2001 From: Michael Goodness Date: Mon, 14 Aug 2017 14:13:57 -0500 Subject: [PATCH 07/10] Tweak RBAC --- stable/nginx-ingress/README.md | 5 +++- ...ler-cluster-role.yaml => clusterrole.yaml} | 16 +++++++--- ...e-binding.yaml => clusterrolebinding.yaml} | 7 ++++- .../templates/controller-daemonset.yaml | 18 +++++------- .../templates/controller-deployment.yaml | 22 +++++++------- .../templates/controller-service-account.yaml | 6 ---- .../{controller-role.yaml => role.yaml} | 20 ++++++------- ...ler-role-binding.yaml => rolebinding.yaml} | 7 ++++- .../templates/serviceaccount.yaml | 11 +++++++ stable/nginx-ingress/values.yaml | 29 ++++++++++++------- 10 files changed, 84 insertions(+), 57 deletions(-) rename stable/nginx-ingress/templates/{controller-cluster-role.yaml => clusterrole.yaml} (71%) rename stable/nginx-ingress/templates/{controller-cluster-role-binding.yaml => clusterrolebinding.yaml} (64%) delete mode 100644 stable/nginx-ingress/templates/controller-service-account.yaml rename stable/nginx-ingress/templates/{controller-role.yaml => role.yaml} (57%) rename stable/nginx-ingress/templates/{controller-role-binding.yaml => rolebinding.yaml} (63%) create mode 100644 stable/nginx-ingress/templates/serviceaccount.yaml diff --git a/stable/nginx-ingress/README.md b/stable/nginx-ingress/README.md index d84697adfcc2..6d68fc5da370 100644 --- a/stable/nginx-ingress/README.md +++ b/stable/nginx-ingress/README.md 
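Review bot: `- {{ . -}}` interpolates each configured name as a plain scalar, so an entry containing a YAML indicator (`:`, ` #`, leading `*` or `&`) or one that happens to look like a number or boolean breaks or retypes the rendered Role; write it as `- {{ . | quote -}}` so the name is always a string. The rule's `verbs` continue outside the hunk.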
@@ -52,9 +52,10 @@ Parameter | Description | Default `controller.config` | nginx ConfigMap entries | none `controller.hostNetwork` | If the nginx deployment / daemonset should run on the host's network namespace | false `controller.defaultBackendService` | default 404 backend service; required only if `defaultBackend.enabled = false` | `""` +`controller.electionID` | election ID to use for the status update | `ingress-controller-leader` +`controller.ingressClass` | name of the ingress class to route through this controller | `nginx` `controller.scope.enabled` | limit the scope of the ingress controller | `false` (watch all namespaces) `controller.scope.namespace` | namespace to watch for ingress | `""` (use the release namespace) -`controller.serviceAccountName` | Service account to run under | `default` `controller.extraArgs` | Additional controller container arguments | `{}` `controller.kind` | install as Deployment or DaemonSet | `Deployment` `controller.nodeSelector` | node labels for pod assignment | `{}` @@ -96,6 +97,8 @@ Parameter | Description | Default `defaultBackend.service.loadBalancerIP` | IP address to assign to load balancer (if supported) | `""` `defaultBackend.service.loadBalancerSourceRanges` | list of IP CIDRs allowed access to load balancer (if supported) | `[]` `defaultBackend.service.type` | type of default backend service to create | `ClusterIP` +`rbac.create` | If true, create & use RBAC resources | `false` +`rbac.serviceAccountName` | ServiceAccount to be used (ignored if rbac.create=true) | `default` `statsExporter.name` | name of the Prometheus metrics exporter component | `stats-exporter` `statsExporter.image.repository` | Prometheus metrics exporter container image repository | `quay.io/cy-play/vts-nginx-exporter` `statsExporter.image.tag` | Prometheus metrics exporter image tag | `v0.0.3` 
diff --git a/stable/nginx-ingress/templates/controller-cluster-role.yaml b/stable/nginx-ingress/templates/clusterrole.yaml similarity index 71% rename from stable/nginx-ingress/templates/controller-cluster-role.yaml rename to stable/nginx-ingress/templates/clusterrole.yaml index ba728f606dba..14a35677e987 100644 --- a/stable/nginx-ingress/templates/controller-cluster-role.yaml +++ b/stable/nginx-ingress/templates/clusterrole.yaml @@ -1,7 +1,12 @@ -{{- if .Values.controller.rbac.enabled -}} +{{- if .Values.rbac.create -}} apiVersion: rbac.authorization.k8s.io/v1beta1 kind: ClusterRole metadata: + labels: + app: {{ template "name" . }} + chart: {{ .Chart.Name }}-{{ .Chart.Version }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} name: {{ template "fullname" . }} rules: - apiGroups: @@ -18,6 +23,9 @@ rules: - apiGroups: - "" resources: + {{- if .Values.controller.scope.enabled }} + - namespaces + {{- end }} - nodes verbs: - get @@ -28,8 +36,8 @@ rules: verbs: - get - list - - watch - update + - watch - apiGroups: - "extensions" resources: @@ -43,8 +51,8 @@ rules: resources: - events verbs: - - create - - patch + - create + - patch - apiGroups: - "extensions" resources: diff --git a/stable/nginx-ingress/templates/controller-cluster-role-binding.yaml b/stable/nginx-ingress/templates/clusterrolebinding.yaml similarity index 64% rename from stable/nginx-ingress/templates/controller-cluster-role-binding.yaml rename to stable/nginx-ingress/templates/clusterrolebinding.yaml index 0ffbdc62fce5..5a48ca212f18 100644 --- a/stable/nginx-ingress/templates/controller-cluster-role-binding.yaml +++ b/stable/nginx-ingress/templates/clusterrolebinding.yaml 
@@ -1,7 +1,12 @@ -{{- if .Values.controller.rbac.enabled -}} +{{- if .Values.rbac.create -}} apiVersion: rbac.authorization.k8s.io/v1beta1 kind: ClusterRoleBinding metadata: + labels: + app: {{ template "name" . }} + chart: {{ .Chart.Name }}-{{ .Chart.Version }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} name: {{ template "fullname" . }} roleRef: apiGroup: rbac.authorization.k8s.io diff --git a/stable/nginx-ingress/templates/controller-daemonset.yaml b/stable/nginx-ingress/templates/controller-daemonset.yaml index e39d08cbdbec..2f4d4c313f31 100644 --- a/stable/nginx-ingress/templates/controller-daemonset.yaml +++ b/stable/nginx-ingress/templates/controller-daemonset.yaml @@ -22,15 +22,6 @@ spec: component: "{{ .Values.controller.name }}" release: {{ .Release.Name }} spec: -{{- if .Values.controller.rbac.enabled }} - serviceAccountName: {{ template "fullname" . }} -{{- else }} - serviceAccountName: default -{{- end }} - hostNetwork: {{ .Values.controller.hostNetwork }} - {{- if .Values.controller.serviceAccountName }} - serviceAccountName: {{ .Values.controller.serviceAccountName }} - {{- end }} containers: - name: {{ template "name" . }}-{{ .Values.controller.name }} image: "{{ .Values.controller.image.repository }}:{{ .Values.controller.image.tag }}" @@ -41,6 +32,12 @@ spec: {{- if and (contains "0.9" .Values.controller.image.tag) .Values.controller.publishService.enabled }} - --publish-service={{ template "controller.publishServicePath" . }} {{- end }} + {{- if (contains "0.9" .Values.controller.image.tag) }} + - --election-id={{ .Values.controller.electionID }} + {{- end }} + {{- if (contains "0.9" .Values.controller.image.tag) }} + - --ingress-class={{ .Values.controller.ingressClass }} + {{- end }} {{- if (contains "0.9" .Values.controller.image.tag) }} - --configmap={{ .Release.Namespace }}/{{ template "controller.fullname" . }} {{- else }} 
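Review bot: The two `{{- if (contains "0.9" .Values.controller.image.tag) }}` blocks added back to back for `--election-id` and `--ingress-class` test the same condition and can be one block; the same pair appears in the deployment args hunk further down. More importantly, the Role rewritten in this commit builds its leader-election `resourceNames` entry from `controller.electionID` and `controller.ingressClass` unconditionally, while the flags that make the controller use those names are only passed for `0.9` tags, so on other tags the named-ConfigMap rule and the controller's actual ConfigMap name may not line up — worth a comment at the `if`, e.g. `# must match the resourceNames entry in role.yaml`. The args list continues outside the hunk.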
@@ -103,7 +100,6 @@ spec: scheme: HTTP resources: {{ toYaml .Values.controller.resources | indent 12 }} - {{- if .Values.controller.stats.enabled }} - name: {{ template "name" . }}-{{ .Values.statsExporter.name }} image: "{{ .Values.statsExporter.image.repository }}:{{ .Values.statsExporter.image.tag }}" @@ -124,9 +120,11 @@ spec: resources: {{ toYaml .Values.statsExporter.resources | indent 12 }} {{- end }} + hostNetwork: {{ .Values.controller.hostNetwork }} {{- if .Values.controller.nodeSelector }} nodeSelector: {{ toYaml .Values.controller.nodeSelector | indent 8 }} {{- end }} + serviceAccountName: {{ if .Values.rbac.create }}{{ template "fullname" . }}{{ else }}"{{ .Values.rbac.serviceAccountName }}"{{ end }} terminationGracePeriodSeconds: 60 {{- end }} diff --git a/stable/nginx-ingress/templates/controller-deployment.yaml b/stable/nginx-ingress/templates/controller-deployment.yaml index f795c2302250..630ea5249442 100644 --- a/stable/nginx-ingress/templates/controller-deployment.yaml +++ b/stable/nginx-ingress/templates/controller-deployment.yaml @@ -15,23 +15,14 @@ spec: metadata: annotations: checksum/config: {{ include (print $.Template.BasePath "/controller-configmap.yaml") . | sha256sum }} - {{- if .Values.controller.podAnnotations }} + {{- if .Values.controller.podAnnotations }} {{ toYaml .Values.controller.podAnnotations | indent 8}} - {{- end }} + {{- end }} labels: app: {{ template "name" . }} component: "{{ .Values.controller.name }}" release: {{ .Release.Name }} spec: -{{- if .Values.controller.rbac.enabled }} - serviceAccountName: {{ template "fullname" . }} -{{- else }} - serviceAccountName: default -{{- end }} - hostNetwork: {{ .Values.controller.hostNetwork }} -{{- if .Values.controller.rbac.enabled }} - serviceAccountName: {{ template "fullname" . }} -{{- end }} containers: - name: {{ template "name" . }}-{{ .Values.controller.name }} image: "{{ .Values.controller.image.repository }}:{{ .Values.controller.image.tag }}" 
@@ -42,6 +33,12 @@ spec: {{- if and (contains "0.9" .Values.controller.image.tag) .Values.controller.publishService.enabled }} - --publish-service={{ template "controller.publishServicePath" . }} {{- end }} + {{- if (contains "0.9" .Values.controller.image.tag) }} + - --election-id={{ .Values.controller.electionID }} + {{- end }} + {{- if (contains "0.9" .Values.controller.image.tag) }} + - --ingress-class={{ .Values.controller.ingressClass }} + {{- end }} {{- if (contains "0.9" .Values.controller.image.tag) }} - --configmap={{ .Release.Namespace }}/{{ template "controller.fullname" . }} {{- else }} @@ -104,7 +101,6 @@ spec: scheme: HTTP resources: {{ toYaml .Values.controller.resources | indent 12 }} - {{- if .Values.controller.stats.enabled }} - name: {{ template "name" . }}-{{ .Values.statsExporter.name }} image: "{{ .Values.statsExporter.image.repository }}:{{ .Values.statsExporter.image.tag }}" @@ -125,9 +121,11 @@ spec: resources: {{ toYaml .Values.statsExporter.resources | indent 12 }} {{- end }} + hostNetwork: {{ .Values.controller.hostNetwork }} {{- if .Values.controller.nodeSelector }} nodeSelector: {{ toYaml .Values.controller.nodeSelector | indent 8 }} {{- end }} + serviceAccountName: {{ if .Values.rbac.create }}{{ template "fullname" . }}{{ else }}"{{ .Values.rbac.serviceAccountName }}"{{ end }} terminationGracePeriodSeconds: 60 {{- end }} diff --git a/stable/nginx-ingress/templates/controller-service-account.yaml b/stable/nginx-ingress/templates/controller-service-account.yaml deleted file mode 100644 index faf150d493b0..000000000000 --- a/stable/nginx-ingress/templates/controller-service-account.yaml +++ /dev/null @@ -1,6 +0,0 @@ -{{- if .Values.controller.rbac.enabled -}} -apiVersion: v1 -kind: ServiceAccount -metadata: - name: {{ template "fullname" . }} -{{- end -}} 
diff --git a/stable/nginx-ingress/templates/controller-role.yaml b/stable/nginx-ingress/templates/role.yaml similarity index 57% rename from stable/nginx-ingress/templates/controller-role.yaml rename to stable/nginx-ingress/templates/role.yaml index 95bf445d50c2..ad3a80ffccae 100644 --- a/stable/nginx-ingress/templates/controller-role.yaml +++ b/stable/nginx-ingress/templates/role.yaml @@ -1,13 +1,19 @@ -{{- if .Values.controller.rbac.enabled -}} +{{- if .Values.rbac.create -}} apiVersion: rbac.authorization.k8s.io/v1beta1 kind: Role metadata: + labels: + app: {{ template "name" . }} + chart: {{ .Chart.Name }}-{{ .Chart.Version }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} name: {{ template "fullname" . }} rules: - apiGroups: - "" resources: - configmaps + - namespaces - pods - secrets verbs: @@ -16,16 +22,8 @@ rules: - "" resources: - configmaps -{{- if .Values.controller.rbac.resourceNames }} - # Defaults to "-" - # Here: "-" - # This has to be adapted if you change either parameter - # when launching the nginx-ingress-controller. resourceNames: - {{- range .Values.controller.rbac.resourceNames }} - - {{ . -}} - {{ end }} -{{- end }} + - {{ .Values.controller.electionID }}-{{ .Values.controller.ingressClass }} verbs: - get - update @@ -40,7 +38,7 @@ rules: resources: - endpoints verbs: - - get - create + - get - update {{- end -}} diff --git a/stable/nginx-ingress/templates/controller-role-binding.yaml b/stable/nginx-ingress/templates/rolebinding.yaml similarity index 63% rename from stable/nginx-ingress/templates/controller-role-binding.yaml rename to stable/nginx-ingress/templates/rolebinding.yaml index 26b98709d430..7ba52c339ee0 100644 --- a/stable/nginx-ingress/templates/controller-role-binding.yaml +++ b/stable/nginx-ingress/templates/rolebinding.yaml 
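Review bot: The `resourceNames` entry is built from two templated values and emitted as a plain scalar, so a value containing a YAML indicator or one that looks like a number breaks or retypes the rendered Role; write it as `- "{{ .Values.controller.electionID }}-{{ .Values.controller.ingressClass }}"` (the ClusterRole hunk in patch 10 already quotes its templated entry). A one-line comment naming where the name comes from would also help the next reader, e.g. `# leader-election ConfigMap, named <election-id>-<ingress-class> by the controller args`. The rules continue outside the hunk.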
@@ -1,7 +1,12 @@ -{{- if .Values.controller.rbac.enabled -}} +{{- if .Values.rbac.create -}} apiVersion: rbac.authorization.k8s.io/v1beta1 kind: RoleBinding metadata: + labels: + app: {{ template "name" . }} + chart: {{ .Chart.Name }}-{{ .Chart.Version }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} name: {{ template "fullname" . }} roleRef: apiGroup: rbac.authorization.k8s.io diff --git a/stable/nginx-ingress/templates/serviceaccount.yaml b/stable/nginx-ingress/templates/serviceaccount.yaml new file mode 100644 index 000000000000..8967eb1a75d8 --- /dev/null +++ b/stable/nginx-ingress/templates/serviceaccount.yaml @@ -0,0 +1,11 @@ +{{- if .Values.rbac.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app: {{ template "name" . }} + chart: {{ .Chart.Name }}-{{ .Chart.Version }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + name: {{ template "fullname" . }} +{{- end -}} diff --git a/stable/nginx-ingress/values.yaml b/stable/nginx-ingress/values.yaml index 0ef75b1361d6..3808d898434c 100644 --- a/stable/nginx-ingress/values.yaml +++ b/stable/nginx-ingress/values.yaml @@ -20,6 +20,19 @@ controller: ## defaultBackendService: "" + ## Optionally specify the secret name for default SSL certificate + ## Must be / + ## + defaultSSLCertificate: "" + + ## Election ID to use for status update + ## + electionID: ingress-controller-leader + + ## Name of the ingress class to route through this controller + ## + ingressClass: nginx + ## Allows customization of the external service ## the ingress will be bound to via DNS publishService: 
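Review bot: `controller.defaultSSLCertificate` is introduced in this values hunk but no template hunk in this commit reads it and the README hunk does not list it, so the value is inert; either wire it into the controller args or leave it out of this change. Its comment `## Must be /` has also lost whatever stood on each side of the slash, so the expected form is unreadable — state it explicitly, e.g. `## Must be <namespace>/<secret-name>` if that is the intended format. The `controller` block continues outside the hunk.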
@@ -41,22 +54,11 @@ controller: ## kind: Deployment - ## enable RBAC as per: https://github.com/kubernetes/ingress/tree/master/examples/rbac/nginx and https://github.com/kubernetes/ingress/issues/266 - rbac: - enabled: false - resourceNames: - - ingress-controller-leader-nginx - ## Node labels for controller pod assignment ## Ref: https://kubernetes.io/docs/user-guide/node-selection/ ## nodeSelector: {} - ## Run the controller via this service account - ## Ref: https://github.com/kubernetes/ingress/tree/master/examples/rbac/nginx - ## - serviceAccountName: "" - ## Annotations to be added to controller pods ## podAnnotations: {} @@ -168,6 +170,11 @@ defaultBackend: servicePort: 80 type: ClusterIP +## Enable RBAC as per https://github.com/kubernetes/ingress/tree/master/examples/rbac/nginx and https://github.com/kubernetes/ingress/issues/266 +rbac: + create: false + serviceAccountName: default + ## If controller.stats.enabled = true, Prometheus metrics will be exported ## Ref: https://github.com/hnlq715/nginx-vts-exporter ## From 358b8ffba3f13fa2e179344631fd09a93e0febdf Mon Sep 17 00:00:00 2001 From: Michael Goodness Date: Mon, 14 Aug 2017 14:14:39 -0500 Subject: [PATCH 08/10] Bump chart versions --- stable/nginx-ingress/Chart.yaml | 4 ++-- stable/nginx-ingress/templates/clusterrole.yaml | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/stable/nginx-ingress/Chart.yaml b/stable/nginx-ingress/Chart.yaml index 47da67c14525..b0af816bf25b 100755 --- a/stable/nginx-ingress/Chart.yaml +++ b/stable/nginx-ingress/Chart.yaml @@ -1,6 +1,6 @@ name: nginx-ingress -version: 0.7.2 -appVersion: 0.9.0-beta.7 +version: 0.8.0 +appVersion: 0.9.0-beta.11 description: An nginx Ingress controller that uses ConfigMap to store the nginx configuration. icon: https://upload.wikimedia.org/wikipedia/commons/thumb/c/c5/Nginx_logo.svg/500px-Nginx_logo.svg.png keywords: 
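Review bot: The move from `controller.rbac.enabled` / `controller.serviceAccountName` (removed in the first hunk) to top-level `rbac.create` / `rbac.serviceAccountName` (added in the second) silently ignores the old keys, since Helm 2 does not warn on unknown values; an existing release that had RBAC enabled will, after upgrading to the 0.8.0 chart bumped in the next patch, render no Role or ClusterRole and run the controller as `default` — a privilege loss that presents as a controller malfunction rather than a configuration error. Say so next to the new block, e.g. `## NOTE: replaces controller.rbac.enabled and controller.serviceAccountName; the old keys are ignored`, and add that with `create: false` the named account must already hold the permissions listed in the role templates. The values file continues outside the hunk.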
diff --git a/stable/nginx-ingress/templates/clusterrole.yaml b/stable/nginx-ingress/templates/clusterrole.yaml index 14a35677e987..4a7251e305b6 100644 --- a/stable/nginx-ingress/templates/clusterrole.yaml +++ b/stable/nginx-ingress/templates/clusterrole.yaml @@ -39,7 +39,7 @@ rules: - update - watch - apiGroups: - - "extensions" + - extensions resources: - ingresses verbs: @@ -54,7 +54,7 @@ rules: - create - patch - apiGroups: - - "extensions" + - extensions resources: - ingresses/status verbs: From a5eca07ec7d475e2a23c2d88055d2bfe9c71de5f Mon Sep 17 00:00:00 2001 From: Michael Goodness Date: Tue, 1 Aug 2017 23:23:07 -0500 Subject: [PATCH 09/10] Fix README --- stable/nginx-ingress/README.md | 1 - 1 file changed, 1 deletion(-) diff --git a/stable/nginx-ingress/README.md b/stable/nginx-ingress/README.md index 6d68fc5da370..32a80985c4b4 100644 --- a/stable/nginx-ingress/README.md +++ b/stable/nginx-ingress/README.md @@ -65,7 +65,6 @@ Parameter | Description | Default `controller.service.annotations` | annotations for controller service | `{}` `controller.publishService.enabled` | if true, the controller will set the endpoint records on the ingress objects to reflect those on the service | `false` `controller.publishService.pathOverride` | override of the default publish-service name | `""` -`controller.rbac.enabled` | if true, will set up RBAC | `false` `controller.service.clusterIP` | internal controller cluster service IP | `""` `controller.service.externalIPs` | controller service external IP addresses | `[]` `controller.service.loadBalancerIP` | IP address to assign to load balancer (if supported) | `""` From fbe521c0ad4269e642fc8c7a0caa92d7448e7086 Mon Sep 17 00:00:00 2001 From: Michael Goodness Date: Tue, 1 Aug 2017 23:45:33 -0500 Subject: [PATCH 10/10] Restrict namespace RBAC if scoped --- stable/nginx-ingress/templates/clusterrole.yaml | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) 
diff --git a/stable/nginx-ingress/templates/clusterrole.yaml b/stable/nginx-ingress/templates/clusterrole.yaml index 4a7251e305b6..84e41601bbc6 100644 --- a/stable/nginx-ingress/templates/clusterrole.yaml +++ b/stable/nginx-ingress/templates/clusterrole.yaml @@ -20,12 +20,19 @@ rules: verbs: - list - watch +{{- if and .Values.controller.scope.enabled .Values.controller.scope.namespace }} - apiGroups: - "" resources: - {{- if .Values.controller.scope.enabled }} - namespaces - {{- end }} + resourceNames: + - "{{ .Values.controller.scope.namespace }}" + verbs: + - get +{{- end }} + - apiGroups: + - "" + resources: - nodes verbs: - get
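Review bot: The `and .Values.controller.scope.enabled .Values.controller.scope.namespace` guard narrows only the `namespaces` `get` rule; the `secrets` `list`/`watch` rule directly above it and the `services`, `ingresses` and `endpoints` rules elsewhere in this ClusterRole remain cluster-wide when the controller is scoped, so the commit title "Restrict namespace RBAC if scoped" covers less than it suggests. When `scope.enabled` is true but `scope.namespace` is empty (the README default, meaning the release namespace) no rule is rendered here, which is presumably fine because the Role in this chart grants `get` on `namespaces` in the release namespace — that reasoning belongs in a comment above the `if`: `# only needed when watching a foreign namespace; the release namespace is covered by role.yaml`. The rules continue outside the hunk.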