Feature/ingress controller #335

Draft
wants to merge 4 commits into
base: master
2 changes: 2 additions & 0 deletions ansible/roles/wordpress-openshift-namespace/defaults/main.yml
@@ -1,2 +1,4 @@
---
# defaults file for wordpress-openshift-namespace

ingress_state: latest
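Review bot: The new `ingress_state: latest` default has no comment saying what it controls, even though the file header announces it as the role's defaults file. A one-liner above it such as `# Desired state for every object in tasks/ingress-controller.yml; passed to the openshift module's state field` would tell an operator what overriding it does. If the module accepts other values (for example an absent/removal state), list them there too; the page does not show which values are valid.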
@@ -0,0 +1,282 @@
- name: ingress-nginx ServiceAccount
openshift:
state: '{{ ingress_state }}'
apiVersion: v1
kind: ServiceAccount
metadata:
labels:
app: ingress-nginx-controller
helm.sh/chart: ingress-nginx-2.13.0
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/version: 0.35.0
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: controller
name: ingress-nginx
namespace: "{{ openshift_namespace }}"
tags:
- ingress.service_accounts

- name: ServiceAccount
openshift:
state: '{{ ingress_state }}'
# Source: ingress-nginx/templates/admission-webhooks/job-patch/serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
name: ingress-nginx-admission
labels:
app: ingress-nginx-controller
helm.sh/chart: ingress-nginx-2.13.0
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/version: 0.35.0
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: controller
namespace: "{{ openshift_namespace }}"
tags:
- ingress.service_accounts

- name: ingress-nginx-controller ConfigMap
openshift:
state: '{{ ingress_state }}'
# Source: ingress-nginx/templates/controller-configmap.yaml
apiVersion: v1
kind: ConfigMap
metadata:
labels:
app: ingress-nginx-controller
name: ingress-nginx-controller
namespace: "{{ openshift_namespace }}"
data:

- name: Service nr 1
openshift:
state: '{{ ingress_state }}'
# Source: ingress-nginx/templates/controller-service-webhook.yaml
apiVersion: v1
kind: Service
metadata:
labels:
app: ingress-nginx-controller
name: ingress-nginx-controller-admission
namespace: "{{ openshift_namespace }}"
spec:
type: ClusterIP
ports:
- name: https-webhook
port: 443
targetPort: webhook
selector:
app: ingress-nginx-controller

- name: Service nr 2
openshift:
state: '{{ ingress_state }}'
# Source: ingress-nginx/templates/controller-service.yaml
apiVersion: v1
kind: Service
metadata:
labels:
app: ingress-nginx-controller
name: ingress-nginx-controller
namespace: "{{ openshift_namespace }}"
spec:
type: LoadBalancer
externalTrafficPolicy: Local
ports:
- name: http
port: 80
protocol: TCP
targetPort: http
- name: https
port: 443
protocol: TCP
targetPort: https
selector:
app: ingress-nginx-controller

- name: Deployment
openshift:
state: '{{ ingress_state }}'
# Source: ingress-nginx/templates/controller-deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: ingress-nginx-controller
name: ingress-nginx-controller
namespace: "{{ openshift_namespace }}"
spec:
selector:
matchLabels:
app: ingress-nginx-controller
revisionHistoryLimit: 10
template:
metadata:
labels:
app: ingress-nginx-controller
spec:
dnsPolicy: ClusterFirst
containers:
- name: controller
image: k8s.gcr.io/ingress-nginx/controller:v0.35.0@sha256:fc4979d8b8443a831c9789b5155cded454cb7de737a8b727bc2ba0106d2eae8b
imagePullPolicy: IfNotPresent
lifecycle:
preStop:
exec:
command:
- /wait-shutdown
args:
- /nginx-ingress-controller
- --publish-service=$(POD_NAMESPACE)/ingress-nginx-controller
- --election-id=ingress-controller-leader
- --ingress-class=nginx
- --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
- --validating-webhook=:8443
- --validating-webhook-certificate=/usr/local/certificates/cert
- --validating-webhook-key=/usr/local/certificates/key
securityContext:
runAsUser: 1000100101
allowPrivilegeEscalation: true
env:
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
livenessProbe:
httpGet:
path: /healthz
port: 10254
scheme: HTTP
initialDelaySeconds: 10
periodSeconds: 10
timeoutSeconds: 1
successThreshold: 1
failureThreshold: 5
readinessProbe:
httpGet:
path: /healthz
port: 10254
scheme: HTTP
initialDelaySeconds: 10
periodSeconds: 10
timeoutSeconds: 1
successThreshold: 1
failureThreshold: 3
ports:
- name: http
containerPort: 80
protocol: TCP
- name: https
containerPort: 443
protocol: TCP
- name: webhook
containerPort: 8443
protocol: TCP
volumeMounts:
- name: webhook-cert
mountPath: /usr/local/certificates/
readOnly: true
resources:
requests:
cpu: 100m
memory: 90Mi
serviceAccountName: ingress-nginx
terminationGracePeriodSeconds: 300
volumes:
- name: webhook-cert
secret:
secretName: ingress-nginx-admission

- name: Job
openshift:
# Source: ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml
state: '{{ ingress_state }}'
apiVersion: batch/v1
kind: Job
metadata:
name: ingress-nginx-admission-create
labels:
app: ingress-nginx-controller
namespace: "{{ openshift_namespace }}"
spec:
template:
metadata:
name: ingress-nginx-admission-create
labels:
app: ingress-nginx-controller
spec:
containers:
- name: create
image: docker.io/jettech/kube-webhook-certgen:v1.2.2
imagePullPolicy: IfNotPresent
args:
- create
- --host=ingress-nginx-controller-admission,ingress-nginx-controller-admission.$(POD_NAMESPACE).svc
- --namespace=$(POD_NAMESPACE)
- --secret-name=ingress-nginx-admission
env:
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
restartPolicy: OnFailure
serviceAccountName: ingress-nginx-admission
securityContext:
runAsNonRoot: true
runAsUser: 2000

- name: Another Job
openshift:
# Source: ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml
state: '{{ ingress_state }}'
apiVersion: batch/v1
kind: Job
metadata:
name: ingress-nginx-admission-patch
labels:
app: ingress-nginx-controller
namespace: "{{ openshift_namespace }}"
spec:
template:
metadata:
name: ingress-nginx-admission-patch
labels:
app: ingress-nginx-controller
spec:
containers:
- name: patch
image: docker.io/jettech/kube-webhook-certgen:v1.2.2
imagePullPolicy: IfNotPresent
args:
- patch
- --webhook-name=ingress-nginx-admission
- --namespace=$(POD_NAMESPACE)
- --patch-mutating=false
- --secret-name=ingress-nginx-admission
- --patch-failure-policy=Fail
env:
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
restartPolicy: OnFailure
serviceAccountName: ingress-nginx-admission
securityContext:
runAsNonRoot: true
runAsUser: 2000

- name: Secret
openshift:
kind: "Secret"
apiVersion: "v1"
metadata:
name: "ingress-nginx-admission"
annotations:
"kubernetes.io/service-account.name": "ingress-nginx-admission"
type: "kubernetes.io/service-account-token"
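Review bot: The final `Secret` task reuses the name `ingress-nginx-admission`, which is also the `--secret-name` the two certgen Jobs create and patch and the `secretName` the Deployment mounts at `/usr/local/certificates/` expecting `cert` and `key`; a `kubernetes.io/service-account-token` Secret under that name in the same namespace collides with the TLS secret, so it needs a distinct name (for example `ingress-nginx-admission-token`, a constructed example) or should be dropped if the token is not required, and it is also the only task without `state: '{{ ingress_state }}'` and `namespace: "{{ openshift_namespace }}"`. In the controller's `securityContext`, `allowPrivilegeEscalation: true` is kept with no `capabilities` restriction; if binding ports 80/443 as UID 1000100101 is what requires it, say so in a comment and bound it with `capabilities: {drop: [ALL], add: [NET_BIND_SERVICE]}`, otherwise set it to `false`. The ConfigMap's bare `data:` parses as null rather than an empty map, so write `data: {}`. Nothing in this 282-line file creates the Role/RoleBinding the controller's `--election-id`/`--publish-service` flags presumably need, nor the `ValidatingWebhookConfiguration` that the patch Job's `--webhook-name=ingress-nginx-admission` targets; if these live in another task file, name it in a comment, otherwise the Jobs and the controller will fail at runtime. Both `docker.io/jettech/kube-webhook-certgen:v1.2.2` images are tag-only while the controller image is pinned by digest; pin them the same way for consistency.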
10 changes: 10 additions & 0 deletions ansible/roles/wordpress-openshift-namespace/tasks/main.yml
Expand Up @@ -50,6 +50,16 @@
- ci.services
- ci.jenkinsfile

- name: "nginx ingress controller"
include_tasks:
file: ingress-controller.yml
apply:
tags:
- ingress
tags:
- ingress
- ingress.service_accounts

- name: "Management container (ssh server, PHP CLI)"
include_tasks:
file: mgmt.yml
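Review bot: The new include lists `ingress.service_accounts` on the outer `tags` but only `ingress` under `apply`, and nothing explains that asymmetry; a comment such as `# ingress.service_accounts is listed here so --tags ingress.service_accounts reaches the tagged tasks inside ingress-controller.yml` would save the next reader from checking Ansible's include_tasks tag rules. Note that the included file's Secret task carries no tag, so a `--tags ingress.service_accounts` run creates the ServiceAccounts but not that Secret, which may or may not be intended. The task list containing this include starts and ends outside the hunk.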