@torvald
Created April 12, 2024 06:31
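---
# Deployment for the ingress-nginx controller in the 'ingress' namespace.
# Three replicas, spread across nodes and zones, with three init containers:
# one that stages the OpenTelemetry module, one that tunes kernel sysctls,
# and one that downloads the GeoIP database from a GCS bucket.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-ingress-controller
  namespace: 'ingress'
  annotations:
    velo/managed: 'true'
    velo/project: nginx-ingress
    velo/tenant: cluster:k8s-prod
    velo/step: manifests/controller
    # Quoted so an all-digit revision can never be parsed as an integer
    # (annotation values must be strings).
    velo/version: '750ff8ecad0801c9d31661c5ebf69170f1b46f0a'
    velo/updated: '20240410155405'
    # Reloader restarts the pods when any of these ConfigMaps change.
    configmap.reloader.stakater.com/reload: nginx-configuration,default-upstream-headers,default-downstream-headers
  labels:
    velo/project: nginx-ingress
    app: nginx-ingress
    owner: 'infra'
    component: "controller"
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx-ingress
      component: "controller"
  revisionHistoryLimit: 10
  strategy:
    type: RollingUpdate
    rollingUpdate:
      # Never take a replica away before its replacement is ready.
      maxSurge: 2
      maxUnavailable: 0
  minReadySeconds: 5
  template:
    metadata:
      labels:
        velo/project: nginx-ingress
        app: nginx-ingress
        owner: 'infra'
        component: "controller"
      annotations:
        velo/managed: 'true'
        velo/project: nginx-ingress
        velo/tenant: cluster:k8s-prod
        velo/step: manifests/controller
        cluster-autoscaler.kubernetes.io/safe-to-evict: "true"
    spec:
      priorityClassName: high-priority-nonpreempting
      nodeSelector:
        node-pool-group: standard
      tolerations:
        - key: node-pool-group
          operator: Equal
          value: standard
          effect: NoSchedule
      dnsPolicy: ClusterFirst
      topologySpreadConstraints:
        # Spread replicas across different nodes
        - maxSkew: 1
          topologyKey: kubernetes.io/hostname
          whenUnsatisfiable: DoNotSchedule
          labelSelector:
            matchLabels:
              app: nginx-ingress
              component: "controller"
        # Spread replicas across different zones
        - maxSkew: 1
          topologyKey: topology.kubernetes.io/zone
          whenUnsatisfiable: DoNotSchedule
          labelSelector:
            matchLabels:
              app: nginx-ingress
              component: "controller"
      # Long grace period so in-flight connections drain during /wait-shutdown.
      terminationGracePeriodSeconds: 300
      initContainers:
        # Copies the OpenTelemetry nginx module into the shared 'modules' volume.
        # Digest-pinned, so the image content cannot change under the tag.
        - name: opentelemetry
          image: registry.k8s.io/ingress-nginx/opentelemetry:v20230527@sha256:fd7ec835f31b7b37187238eb4fdad4438806e69f413a203796263131f4f02ed0
          command: ['sh', '-c', '/usr/local/bin/init_module.sh']
          securityContext:
            allowPrivilegeEscalation: false
          volumeMounts:
            - name: modules
              mountPath: /modules_mount
        # NOTE(review): this is the only privileged container in the pod, and
        # it runs an unpinned, end-of-life alpine:3.10 image. net.ipv4.ip_local_port_range
        # is a "safe" sysctl settable through spec.securityContext.sysctls without
        # privilege; net.core.somaxconn is namespaced but must be allowed via the
        # kubelet's --allowed-unsafe-sysctls. Confirm the kubelet config before
        # replacing this container with pod-level sysctls.
        - name: sysctl
          image: alpine:3.10
          securityContext:
            privileged: true
          command:
            - "sh"
            - "-c"
            # Written on one line: the original double-quoted scalar folded the
            # line break into the same single space.
            - "sysctl -w net.core.somaxconn=32768; sysctl -w net.ipv4.ip_local_port_range='1024 65000'"
        # Syncs the GeoIP database from GCS into the 'geoip-db' emptyDir.
        - name: geoip-database-download
          # renovate: datasource=docker depName=google-cloud-sdk packageName=google/cloud-sdk
          image: google/cloud-sdk:453.0.0-slim
          env:
            - name: BUCKET_NAME
              # Redacted in this copy of the manifest.
              value: <redacted>
          volumeMounts:
            - name: geoip-db
              mountPath: /geoip-db
          args:
            - /bin/bash
            - -c
            # The quoted heredoc ('EOF') keeps the outer shell from expanding
            # $BUCKET_NAME; the inner bash expands it when it runs the script.
            - |
              /bin/bash <<'EOF'
              set -e
              gsutil rsync -r "gs://$BUCKET_NAME" /geoip-db
              EOF
      containers:
        - name: nginx-ingress-controller
          # Remove the controller- part of the version, as the image tag only has semver (with a v prefix).
          # NOTE(review): not digest-pinned, unlike the opentelemetry init image above;
          # pin with @sha256:<digest-placeholder> for reproducible, tamper-evident rollouts.
          image: registry.k8s.io/ingress-nginx/controller:v1.9.5
          imagePullPolicy: "IfNotPresent"
          lifecycle:
            preStop:
              exec:
                command:
                  - /wait-shutdown
          command:
            - "sh"
            - "-c"
          args:
            # Folded block scalar: one long command line, same value as the
            # multi-line plain scalar it replaces.
            - >-
              /nginx-ingress-controller --configmap=$(POD_NAMESPACE)/nginx-configuration
              --publish-service=$(POD_NAMESPACE)/nginx-ingress-controller --annotations-prefix=nginx.ingress.kubernetes.io
              --controller-class=k8s.io/nginx-ingress --default-backend-service=$(POD_NAMESPACE)/nginx-ingress-default-backend
              --election-id=ingress-controller-leader --enable-ssl-chain-completion=false
              --update-status --ingress-class=nginx --validating-webhook=:8443 --validating-webhook-certificate=/usr/local/certificates/cert
              --validating-webhook-key=/usr/local/certificates/key --default-ssl-certificate=$(POD_NAMESPACE)/default-tls
          securityContext:
            capabilities:
              drop:
                - ALL
              add:
                - NET_BIND_SERVICE
            runAsUser: 101
            # NOTE(review): runs as uid 101 yet allows privilege escalation —
            # presumably required so the image's binary can gain NET_BIND_SERVICE
            # for ports 80/443. Confirm against the controller version; the
            # net.ipv4.ip_unprivileged_port_start sysctl is the usual way to
            # drop this to false.
            allowPrivilegeEscalation: true
          env:
            - name: HOST_IP
              valueFrom:
                fieldRef:
                  fieldPath: status.hostIP
            # OTLP traces go to a collector on the node, not a cluster Service.
            - name: OTEL_EXPORTER_OTLP_ENDPOINT
              value: $(HOST_IP):4317
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            - name: LD_PRELOAD
              value: /usr/local/lib/libmimalloc.so
          # Liveness and readiness are identical, so a failing pod is marked
          # unready and restarted at the same time.
          livenessProbe:
            httpGet:
              path: /healthz
              port: 10254
              scheme: HTTP
            initialDelaySeconds: 10
            periodSeconds: 10
            timeoutSeconds: 5
            successThreshold: 1
            failureThreshold: 5
          readinessProbe:
            httpGet:
              path: /healthz
              port: 10254
              scheme: HTTP
            initialDelaySeconds: 10
            periodSeconds: 10
            timeoutSeconds: 5
            successThreshold: 1
            failureThreshold: 5
          ports:
            - name: http
              containerPort: 80
              protocol: TCP
            - name: https
              containerPort: 443
              protocol: TCP
            - name: webhook
              containerPort: 8443
              # Defaults to TCP; stated explicitly for consistency with the other ports.
              protocol: TCP
            - name: metrics
              containerPort: 10254
              protocol: TCP
          volumeMounts:
            # Admission webhook TLS material, mounted read-only.
            - name: webhook-cert
              mountPath: /usr/local/certificates/
              readOnly: true
            - name: geoip-db
              mountPath: /etc/nginx/geoip/
              readOnly: true
            - name: modules
              mountPath: /modules_mount
          resources:
            requests:
              cpu: 5000m
              memory: 8000Mi
              # ephemeral-storage is usually 35Mi per pod. But as of
              # 2023-07-18 it spikes every few days to 250Mi or even 500Mi.
              # Thus set a request, not a limit!
              # When nodes are under disk pressure, pods that exceed their
              # ephemeral-storage requests are evicted before any others.
              ephemeral-storage: 100Mi
            limits:
              memory: 8000Mi
      hostNetwork: false
      serviceAccountName: nginx-ingress
      volumes:
        - name: webhook-cert
          secret:
            secretName: ingress-nginx-admission
        - name: geoip-db
          emptyDir: {}
        - name: modules
          emptyDir: {}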