Merge "Enable kube-addon-manager leader election"
diff --git a/kubernetes/files/kube-addons/ingress-nginx/ingress-nginx.yaml b/kubernetes/files/kube-addons/ingress-nginx/ingress-nginx.yaml
new file mode 100644
index 0000000..aedb8be
--- /dev/null
+++ b/kubernetes/files/kube-addons/ingress-nginx/ingress-nginx.yaml
@@ -0,0 +1,368 @@
+{%- from "kubernetes/map.jinja" import common with context -%}
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: ingress-nginx
+ labels:
+ app: ingress-nginx
+ addonmanager.kubernetes.io/mode: Reconcile
+---
+
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+ name: default-http-backend
+ labels:
+ app.kubernetes.io/name: default-http-backend
+ app.kubernetes.io/part-of: ingress-nginx
+ addonmanager.kubernetes.io/mode: Reconcile
+ namespace: ingress-nginx
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: default-http-backend
+ app.kubernetes.io/part-of: ingress-nginx
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/name: default-http-backend
+ app.kubernetes.io/part-of: ingress-nginx
+ addonmanager.kubernetes.io/mode: Reconcile
+ spec:
+ terminationGracePeriodSeconds: 60
+ containers:
+ - name: default-http-backend
+ # Any image is permissible as long as:
+ # 1. It serves a 404 page at /
+ # 2. It serves 200 on a /healthz endpoint
+ image: {{ common.addons.get('ingress-nginx', {}).get('defaultbackend_image', 'gcr.io/google_containers/defaultbackend:1.4') }}
+ livenessProbe:
+ httpGet:
+ path: /healthz
+ port: 8080
+ scheme: HTTP
+ initialDelaySeconds: 30
+ timeoutSeconds: 5
+ ports:
+ - containerPort: 8080
+ resources:
+ limits:
+ cpu: 10m
+ memory: 20Mi
+ requests:
+ cpu: 10m
+ memory: 20Mi
+---
+
+apiVersion: v1
+kind: Service
+metadata:
+ name: default-http-backend
+ namespace: ingress-nginx
+ labels:
+ app.kubernetes.io/name: default-http-backend
+ app.kubernetes.io/part-of: ingress-nginx
+ addonmanager.kubernetes.io/mode: Reconcile
+spec:
+ ports:
+ - port: 80
+ targetPort: 8080
+ selector:
+ app.kubernetes.io/name: default-http-backend
+ app.kubernetes.io/part-of: ingress-nginx
+---
+
+kind: ConfigMap
+apiVersion: v1
+metadata:
+ name: nginx-configuration
+ namespace: ingress-nginx
+ labels:
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/part-of: ingress-nginx
+ addonmanager.kubernetes.io/mode: Reconcile
+---
+
+kind: ConfigMap
+apiVersion: v1
+metadata:
+ name: tcp-services
+ namespace: ingress-nginx
+ labels:
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/part-of: ingress-nginx
+ addonmanager.kubernetes.io/mode: Reconcile
+---
+
+kind: ConfigMap
+apiVersion: v1
+metadata:
+ name: udp-services
+ namespace: ingress-nginx
+ labels:
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/part-of: ingress-nginx
+ addonmanager.kubernetes.io/mode: Reconcile
+---
+
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: nginx-ingress-serviceaccount
+ namespace: ingress-nginx
+ labels:
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/part-of: ingress-nginx
+ addonmanager.kubernetes.io/mode: Reconcile
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+ name: nginx-ingress-clusterrole
+ labels:
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/part-of: ingress-nginx
+ addonmanager.kubernetes.io/mode: Reconcile
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - configmaps
+ - endpoints
+ - nodes
+ - pods
+ - secrets
+ verbs:
+ - list
+ - watch
+ - apiGroups:
+ - ""
+ resources:
+ - nodes
+ verbs:
+ - get
+ - apiGroups:
+ - ""
+ resources:
+ - services
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - "extensions"
+ resources:
+ - ingresses
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - ""
+ resources:
+ - events
+ verbs:
+ - create
+ - patch
+ - apiGroups:
+ - "extensions"
+ resources:
+ - ingresses/status
+ verbs:
+ - update
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: Role
+metadata:
+ name: nginx-ingress-role
+ namespace: ingress-nginx
+ labels:
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/part-of: ingress-nginx
+ addonmanager.kubernetes.io/mode: Reconcile
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - configmaps
+ - pods
+ - secrets
+ - namespaces
+ verbs:
+ - get
+ - apiGroups:
+ - ""
+ resources:
+ - configmaps
+ resourceNames:
+ # Defaults to "<election-id>-<ingress-class>"
+ # Here: "<ingress-controller-leader>-<nginx>"
+ # This has to be adapted if you change either parameter
+ # when launching the nginx-ingress-controller.
+ - "ingress-controller-leader-nginx"
+ verbs:
+ - get
+ - update
+ - apiGroups:
+ - ""
+ resources:
+ - configmaps
+ verbs:
+ - create
+ - apiGroups:
+ - ""
+ resources:
+ - endpoints
+ verbs:
+ - get
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: RoleBinding
+metadata:
+ name: nginx-ingress-role-nisa-binding
+ namespace: ingress-nginx
+ labels:
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/part-of: ingress-nginx
+ addonmanager.kubernetes.io/mode: Reconcile
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: nginx-ingress-role
+subjects:
+ - kind: ServiceAccount
+ name: nginx-ingress-serviceaccount
+ namespace: ingress-nginx
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+ name: nginx-ingress-clusterrole-nisa-binding
+ labels:
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/part-of: ingress-nginx
+ addonmanager.kubernetes.io/mode: Reconcile
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: nginx-ingress-clusterrole
+subjects:
+ - kind: ServiceAccount
+ name: nginx-ingress-serviceaccount
+ namespace: ingress-nginx
+---
+
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+ name: nginx-ingress-controller
+ namespace: ingress-nginx
+ labels:
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/part-of: ingress-nginx
+ addonmanager.kubernetes.io/mode: Reconcile
+spec:
+ replicas: {{ common.addons.get('ingress-nginx', {}).get('controller_replicas', 1) }}
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/part-of: ingress-nginx
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/part-of: ingress-nginx
+ addonmanager.kubernetes.io/mode: Reconcile
+ annotations:
+ prometheus.io/port: '10254'
+ prometheus.io/scrape: 'true'
+ spec:
+ serviceAccountName: nginx-ingress-serviceaccount
+ containers:
+ - name: nginx-ingress-controller
+ image: {{ common.addons.get('ingress-nginx', {}).get('controller_image', 'quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.19.0') }}
+ args:
+ - /nginx-ingress-controller
+ - --default-backend-service=$(POD_NAMESPACE)/default-http-backend
+ - --configmap=$(POD_NAMESPACE)/nginx-configuration
+ - --tcp-services-configmap=$(POD_NAMESPACE)/tcp-services
+ - --udp-services-configmap=$(POD_NAMESPACE)/udp-services
+ - --publish-service=$(POD_NAMESPACE)/ingress-nginx
+ - --annotations-prefix=nginx.ingress.kubernetes.io
+ securityContext:
+ capabilities:
+ drop:
+ - ALL
+ add:
+ - NET_BIND_SERVICE
+ # www-data -> 33
+ runAsUser: 33
+ env:
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.name
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ ports:
+ - name: http
+ containerPort: 80
+ - name: https
+ containerPort: 443
+ livenessProbe:
+ failureThreshold: 3
+ httpGet:
+ path: /healthz
+ port: 10254
+ scheme: HTTP
+ initialDelaySeconds: 10
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 1
+ readinessProbe:
+ failureThreshold: 3
+ httpGet:
+ path: /healthz
+ port: 10254
+ scheme: HTTP
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 1
+
+---
+
+kind: Service
+apiVersion: v1
+metadata:
+ name: ingress-nginx
+ namespace: ingress-nginx
+ labels:
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/part-of: ingress-nginx
+ addonmanager.kubernetes.io/mode: Reconcile
+spec:
+ externalTrafficPolicy: Local
+ type: LoadBalancer
+ selector:
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/part-of: ingress-nginx
+ ports:
+ - name: http
+ port: 80
+ targetPort: http
+ - name: https
+ port: 443
+ targetPort: https
+
+---
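Review bot: The first rule of `nginx-ingress-clusterrole` grants `list` and `watch` on `secrets` in every namespace, and that role is bound to the service account of the controller that the `LoadBalancer` Service at the end of the file exposes on 80/443. A compromise of the nginx pod therefore gives read access to every Secret in the cluster. If Ingress objects only live in known namespaces, consider passing `--watch-namespace=<namespace>` in the controller `args` and moving the `secrets` entry into a namespaced Role. Otherwise state the trade-off above the rule, e.g. `# secrets: cluster-wide read is needed to load TLS certs for Ingresses in any namespace`. Separately, both default images are referenced by tag only (`defaultbackend:1.4`, `nginx-ingress-controller:0.19.0`); pinning the defaults by digest would make the deployed content verifiable.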
diff --git a/kubernetes/master/kube-addons.sls b/kubernetes/master/kube-addons.sls
index 07ecd10..e312dcb 100644
--- a/kubernetes/master/kube-addons.sls
+++ b/kubernetes/master/kube-addons.sls
@@ -467,4 +467,14 @@
{% endif %}
+{%- if common.addons.get('ingress-nginx', {}).get('enabled', False) %}
+/etc/kubernetes/addons/ingress/ingress-nginx.yaml:
+ file.managed:
+ - source: salt://kubernetes/files/kube-addons/ingress-nginx/ingress-nginx.yaml
+ - template: jinja
+ - group: root
+ - dir_mode: 755
+ - makedirs: True
+{% endif %}
+
{% endif %}
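Review bot: The added state only handles the `enabled` case, so setting `ingress-nginx` back to disabled in pillar leaves `/etc/kubernetes/addons/ingress/ingress-nginx.yaml` on disk. kube-addon-manager would presumably keep reconciling it, so the public `LoadBalancer` Service and the RBAC bindings stay in place. Consider adding an `{%- else %}` branch that declares the same path with `file.absent`, so that disabling the addon actually withdraws it. Anything in the addons directory is applied with the addon manager's credentials, so it is also worth setting `- user: root` and `- mode: '0644'` explicitly rather than relying on defaults. The enclosing `{% if %}` blocks start outside this hunk, so other addons in this file may already follow a different cleanup convention.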