medined/ingress-controller-manifest.yaml

## ingress-controller-manifest.yaml
apiVersion: v1
kind: Namespace
metadata:
  name: ingress-nginx
  labels:
    name: ingress-nginx
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: nginx-ingress-serviceaccount
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: nginx-ingress-clusterrole
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
rules:
  - apiGroups:      [policy]
    resources:      [podsecuritypolicies]
    resourceNames:  [privileged]
    verbs:          [use]
  - apiGroups:
      - ""
    resources:
      - configmaps
      - endpoints
      - nodes
      - pods
      - secrets
    verbs:
      - list
      - watch
  - apiGroups:
      - ""
    resources:
      - nodes
    verbs:
      - get
  - apiGroups:
      - ""
    resources:
      - services
    verbs:
      - get
      - list
      - watch
  - apiGroups:
    - ""
    resources:
      - events
    verbs:
      - create
      - patch
  - apiGroups:
      - "extensions"
      - "networking.k8s.io"
    resources:
      - ingresses
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - "extensions"
      - "networking.k8s.io"
    resources:
      - ingresses/status
    verbs:
      - update
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: nginx-ingress-role
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
rules:
  - apiGroups:      [policy]
    resources:      [podsecuritypolicies]
    resourceNames:  [privileged]
    verbs:          [use]
  - apiGroups:
      - ""
    resources:
      - configmaps
      - pods
      - secrets
      - namespaces
    verbs:
      - get
  - apiGroups:
      - ""
    resources:
      - configmaps
    resourceNames:
      # Defaults to "<election-id>-<ingress-class>"
      # Here: "<ingress-controller-leader>-<nginx>"
      # This has to be adapted if you change either parameter
      # when launching the nginx-ingress-controller.
      - "ingress-controller-leader-nginx"
    verbs:
      - get
      - update
  - apiGroups:
      - ""
    resources:
      - configmaps
    verbs:
      - create
  - apiGroups:
      - ""
    resources:
      - endpoints
    verbs:
      - get
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: nginx-ingress-role-nisa-binding
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: nginx-ingress-role
subjects:
  - kind: ServiceAccount
    name: nginx-ingress-serviceaccount
    namespace: ingress-nginx
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: nginx-ingress-clusterrole-nisa-binding
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: nginx-ingress-clusterrole
subjects:
  - kind: ServiceAccount
    name: nginx-ingress-serviceaccount
    namespace: ingress-nginx
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: default-http-backend
  namespace: ingress-nginx
  labels:
    app: default-http-backend
spec:
  replicas: 1
  selector:
    matchLabels:
      app: default-http-backend
  template:
    metadata:
      labels:
        app: default-http-backend
    spec:
      serviceAccountName: nginx-ingress-serviceaccount
      terminationGracePeriodSeconds: 60
      containers:
      - name: default-http-backend
        # Any image is permissible as long as:
        # 1. It serves a 404 page at /
        # 2. It serves 200 on a /healthz endpoint
        image: gcr.io/google_containers/defaultbackend:1.0
        livenessProbe:
          httpGet:
            path: /healthz
            port: 8080
            scheme: HTTP
          initialDelaySeconds: 30
          timeoutSeconds: 5
        ports:
        - containerPort: 8080
        resources:
          limits:
            cpu: 10m
            memory: 20Mi
          requests:
            cpu: 10m
            memory: 20Mi
---
apiVersion: v1
kind: Service
metadata:
  name: default-http-backend-service
  namespace: ingress-nginx
  labels:
    app: default-http-backend
spec:
  ports:
  - port: 80
    targetPort: 8080
  selector:
    app: default-http-backend
  type: NodePort
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-ingress-controller-deployment
  namespace: ingress-nginx
spec:
  replicas: 2
  strategy:
    rollingUpdate:
      maxUnavailable: 1
  selector:
    matchLabels:
      name: nginx-ingress-controller
  template:
    metadata:
      labels:
        name: nginx-ingress-controller
      annotations:
        seccomp.security.alpha.kubernetes.io/pod: 'docker/default'
    spec:
      # When the --ingress-class=public parameter is used with the
      # nginx-ingress-controller, then configMap resource name (for RBAC
      # role) will be "ingress-controller-leader-public". Otherwise, it
      # will be "ingress-controller-leader-nginx"
      serviceAccountName: nginx-ingress-serviceaccount
      containers:
        - name: nginx-ingress-controller
          image: quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.32.0
          args:
            - /nginx-ingress-controller
#            - --ingress-class=public
            - --default-backend-service=$(POD_NAMESPACE)/default-http-backend-service
          resources:
            requests:
              memory: "64Mi"
              cpu: "250m"
            limits:
              memory: "128Mi"
              cpu: "500m"
          # use downward API
          env:
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
          ports:
            - name: http
              containerPort: 80
              hostPort: 80
            - name: https
              containerPort: 443
              hostPort: 443
            - name: health
              containerPort: 10254
              hostPort: 10254
          livenessProbe:
            failureThreshold: 3
            httpGet:
              path: /healthz
              port: 10254
              scheme: HTTP
            initialDelaySeconds: 10
            periodSeconds: 10
            successThreshold: 1
            timeoutSeconds: 5
          readinessProbe:
            failureThreshold: 3
            httpGet:
              path: /healthz
              port: 10254
              scheme: HTTP
            periodSeconds: 10
            successThreshold: 1
            timeoutSeconds: 5
          lifecycle:
            preStop:
              exec:
                command:
                  - /wait-shutdown
          securityContext:
            capabilities:
              add:
              - NET_BIND_SERVICE
              drop:
              - ALL
            runAsUser: 101 # www-data
      restartPolicy: Always
      terminationGracePeriodSeconds: 300
---
apiVersion: v1
kind: Service
metadata:
  name: nginx-ingress-controller-service
  namespace: ingress-nginx
  annotations:
    prometheus.io/scrape: 'true'
    prometheus.io/port: '10254'
spec:
  type: ClusterIP
  selector:
    name: nginx-ingress-controller
  ports:
    - name: http
      protocol: TCP
      port: 80
      targetPort: 80
    - name: https
      protocol: TCP
      port: 443
      targetPort: 443
	apiVersion: v1
	kind: Namespace
	metadata:
	name: ingress-nginx
	labels:
	name: ingress-nginx
	---
	apiVersion: v1
	kind: ServiceAccount
	metadata:
	name: nginx-ingress-serviceaccount
	namespace: ingress-nginx
	labels:
	app.kubernetes.io/name: ingress-nginx
	app.kubernetes.io/part-of: ingress-nginx
	---
	apiVersion: rbac.authorization.k8s.io/v1
	kind: ClusterRole
	metadata:
	name: nginx-ingress-clusterrole
	labels:
	app.kubernetes.io/name: ingress-nginx
	app.kubernetes.io/part-of: ingress-nginx
	rules:
	- apiGroups: [policy]
	resources: [podsecuritypolicies]
	resourceNames: [privileged]
	verbs: [use]
	- apiGroups:
	- ""
	resources:
	- configmaps
	- endpoints
	- nodes
	- pods
	- secrets
	verbs:
	- list
	- watch
	- apiGroups:
	- ""
	resources:
	- nodes
	verbs:
	- get
	- apiGroups:
	- ""
	resources:
	- services
	verbs:
	- get
	- list
	- watch
	- apiGroups:
	- ""
	resources:
	- events
	verbs:
	- create
	- patch
	- apiGroups:
	- "extensions"
	- "networking.k8s.io"
	resources:
	- ingresses
	verbs:
	- get
	- list
	- watch
	- apiGroups:
	- "extensions"
	- "networking.k8s.io"
	resources:
	- ingresses/status
	verbs:
	- update
	---
	apiVersion: rbac.authorization.k8s.io/v1
	kind: Role
	metadata:
	name: nginx-ingress-role
	namespace: ingress-nginx
	labels:
	app.kubernetes.io/name: ingress-nginx
	app.kubernetes.io/part-of: ingress-nginx
	rules:
	- apiGroups: [policy]
	resources: [podsecuritypolicies]
	resourceNames: [privileged]
	verbs: [use]
	- apiGroups:
	- ""
	resources:
	- configmaps
	- pods
	- secrets
	- namespaces
	verbs:
	- get
	- apiGroups:
	- ""
	resources:
	- configmaps
	resourceNames:
	# Defaults to "<election-id>-<ingress-class>"
	# Here: "<ingress-controller-leader>-<nginx>"
	# This has to be adapted if you change either parameter
	# when launching the nginx-ingress-controller.
	- "ingress-controller-leader-nginx"
	verbs:
	- get
	- update
	- apiGroups:
	- ""
	resources:
	- configmaps
	verbs:
	- create
	- apiGroups:
	- ""
	resources:
	- endpoints
	verbs:
	- get
	---
	apiVersion: rbac.authorization.k8s.io/v1
	kind: RoleBinding
	metadata:
	name: nginx-ingress-role-nisa-binding
	namespace: ingress-nginx
	labels:
	app.kubernetes.io/name: ingress-nginx
	app.kubernetes.io/part-of: ingress-nginx
	roleRef:
	apiGroup: rbac.authorization.k8s.io
	kind: Role
	name: nginx-ingress-role
	subjects:
	- kind: ServiceAccount
	name: nginx-ingress-serviceaccount
	namespace: ingress-nginx
	---
	apiVersion: rbac.authorization.k8s.io/v1
	kind: ClusterRoleBinding
	metadata:
	name: nginx-ingress-clusterrole-nisa-binding
	labels:
	app.kubernetes.io/name: ingress-nginx
	app.kubernetes.io/part-of: ingress-nginx
	roleRef:
	apiGroup: rbac.authorization.k8s.io
	kind: ClusterRole
	name: nginx-ingress-clusterrole
	subjects:
	- kind: ServiceAccount
	name: nginx-ingress-serviceaccount
	namespace: ingress-nginx
	---
	apiVersion: apps/v1
	kind: Deployment
	metadata:
	name: default-http-backend
	namespace: ingress-nginx
	labels:
	app: default-http-backend
	spec:
	replicas: 1
	selector:
	matchLabels:
	app: default-http-backend
	template:
	metadata:
	labels:
	app: default-http-backend
	spec:
	serviceAccountName: nginx-ingress-serviceaccount
	terminationGracePeriodSeconds: 60
	containers:
	- name: default-http-backend
	# Any image is permissible as long as:
	# 1. It serves a 404 page at /
	# 2. It serves 200 on a /healthz endpoint
	image: gcr.io/google_containers/defaultbackend:1.0
	livenessProbe:
	httpGet:
	path: /healthz
	port: 8080
	scheme: HTTP
	initialDelaySeconds: 30
	timeoutSeconds: 5
	ports:
	- containerPort: 8080
	resources:
	limits:
	cpu: 10m
	memory: 20Mi
	requests:
	cpu: 10m
	memory: 20Mi
	---
	apiVersion: v1
	kind: Service
	metadata:
	name: default-http-backend-service
	namespace: ingress-nginx
	labels:
	app: default-http-backend
	spec:
	ports:
	- port: 80
	targetPort: 8080
	selector:
	app: default-http-backend
	type: NodePort
	---
	apiVersion: apps/v1
	kind: Deployment
	metadata:
	name: nginx-ingress-controller-deployment
	namespace: ingress-nginx
	spec:
	replicas: 2
	strategy:
	rollingUpdate:
	maxUnavailable: 1
	selector:
	matchLabels:
	name: nginx-ingress-controller
	template:
	metadata:
	labels:
	name: nginx-ingress-controller
	annotations:
	seccomp.security.alpha.kubernetes.io/pod: 'docker/default'
	spec:
	# When the --ingress-class=public parameter is used with the
	# nginx-ingress-controller, then configMap resource name (for RBAC
	# role) will be "ingress-controller-leader-public". Otherwise, it
	# will be "ingress-controller-leader-nginx"
	serviceAccountName: nginx-ingress-serviceaccount
	containers:
	- name: nginx-ingress-controller
	image: quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.32.0
	args:
	- /nginx-ingress-controller
	# - --ingress-class=public
	- --default-backend-service=$(POD_NAMESPACE)/default-http-backend-service
	resources:
	requests:
	memory: "64Mi"
	cpu: "250m"
	limits:
	memory: "128Mi"
	cpu: "500m"
	# use downward API
	env:
	- name: POD_NAME
	valueFrom:
	fieldRef:
	fieldPath: metadata.name
	- name: POD_NAMESPACE
	valueFrom:
	fieldRef:
	fieldPath: metadata.namespace
	ports:
	- name: http
	containerPort: 80
	hostPort: 80
	- name: https
	containerPort: 443
	hostPort: 443
	- name: health
	containerPort: 10254
	hostPort: 10254
	livenessProbe:
	failureThreshold: 3
	httpGet:
	path: /healthz
	port: 10254
	scheme: HTTP
	initialDelaySeconds: 10
	periodSeconds: 10
	successThreshold: 1
	timeoutSeconds: 5
	readinessProbe:
	failureThreshold: 3
	httpGet:
	path: /healthz
	port: 10254
	scheme: HTTP
	periodSeconds: 10
	successThreshold: 1
	timeoutSeconds: 5
	lifecycle:
	preStop:
	exec:
	command:
	- /wait-shutdown
	securityContext:
	capabilities:
	add:
	- NET_BIND_SERVICE
	drop:
	- ALL
	runAsUser: 101 # www-data
	restartPolicy: Always
	terminationGracePeriodSeconds: 300
	---
	apiVersion: v1
	kind: Service
	metadata:
	name: nginx-ingress-controller-service
	namespace: ingress-nginx
	annotations:
	prometheus.io/scrape: 'true'
	prometheus.io/port: '10254'
	spec:
	type: ClusterIP
	selector:
	name: nginx-ingress-controller
	ports:
	- name: http
	protocol: TCP
	port: 80
	targetPort: 80
	- name: https
	protocol: TCP
	port: 443
	targetPort: 443