diff --git a/charts/nginx-ingress/templates/controller-networkpolicy.yaml b/charts/nginx-ingress/templates/controller-networkpolicy.yaml
new file mode 100644
index 0000000000..49b3ecd171
--- /dev/null
+++ b/charts/nginx-ingress/templates/controller-networkpolicy.yaml
@@ -0,0 +1,47 @@
+{{- /*
+NetworkPolicy for the controller.
+Uses only .Values.controller.networkPolicy.
+Defaults podSelector to controller selectorLabels when empty.
+*/ -}}
+{{- $np := .Values.controller.networkPolicy -}}
+{{- if and $np $np.enabled }}
+
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: {{ include "nginx-ingress.fullname" . }}-controller-netpol
+ labels:
+ {{- include "nginx-ingress.labels" . | nindent 4 }}
+spec:
+ podSelector:
+ {{- if $np.podSelector }}
+ {{- toYaml $np.podSelector | nindent 4 }}
+ {{- else }}
+ matchLabels:
+ {{- include "nginx-ingress.selectorLabels" . | nindent 6 }}
+ {{- end }}
+
+ {{- if $np.policyTypes }}
+ policyTypes:
+ {{- toYaml $np.policyTypes | nindent 2 }}
+ {{- end }}
+
+ {{- if and $np.policyTypes (has "Ingress" $np.policyTypes) }}
+ {{- if $np.ingress }}
+ ingress:
+ {{- toYaml $np.ingress | nindent 2 }}
+ {{- else }}
+ ingress: []
+ {{- end }}
+ {{- end }}
+
+ {{- if and $np.policyTypes (has "Egress" $np.policyTypes) }}
+ {{- if $np.egress }}
+ egress:
+ {{- toYaml $np.egress | nindent 2 }}
+ {{- else }}
+ egress: []
+ {{- end }}
+ {{- end }}
+
+{{- end }}
diff --git a/charts/nginx-ingress/values.schema.json b/charts/nginx-ingress/values.schema.json
index 2acdefa40d..f3fdeac30c 100644
--- a/charts/nginx-ingress/values.schema.json
+++ b/charts/nginx-ingress/values.schema.json
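Review bot: The new NetworkPolicy's `metadata` sets no `namespace`, while the other controller resources rendered in this chart's snapshot (ServiceAccount, ConfigMap, Service, Deployment) all carry one. When the chart is rendered with `helm template` and applied separately, the policy can land in whatever namespace the client defaults to, where its `podSelector` matches no controller pods and the intended isolation silently does not apply. I would add `namespace: {{ .Release.Namespace }}` under `metadata:` next to `name:`, or whichever namespace expression the sibling templates already use. Separately, the `ingress:` and `egress:` blocks are emitted only when `policyTypes` names them, so rules supplied without the matching policy type are dropped without an error; the header comment should say so.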
@@ -1922,6 +1922,92 @@ "examples": [ false ] + }, + "networkPolicy": { + "type": "object", + "default": {}, + "title": "Optional NetworkPolicy for the Ingress Controller pods", + "required": [ + "enabled" + ], + "properties": { + "enabled": { + "type": "boolean", + "default": false, + "title": "Create a NetworkPolicy that targets the controller pods" + }, + "policyTypes": { + "type": "array", + "title": "List of policy types to apply", + "items": { + "type": "string", + "enum": [ + "Ingress", + "Egress" + ] + }, + "default": [ + "Ingress", + "Egress" + ] + }, + "podSelector": { + "type": "object", + "default": {}, + "title": "Override selector for targeted pods (empty -> controller selector)", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.33.1/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector" + }, + "ingress": { + "type": "array", + "default": [], + "title": "Ingress rules", + "items": { + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.33.1/_definitions.json#/definitions/io.k8s.api.networking.v1.NetworkPolicyIngressRule" + } + }, + "egress": { + "type": "array", + "default": [], + "title": "Egress rules", + "items": { + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.33.1/_definitions.json#/definitions/io.k8s.api.networking.v1.NetworkPolicyEgressRule" + } + } + }, + "examples": [ + { + "enabled": true, + "policyTypes": [ + "Ingress", + "Egress" + ], + "podSelector": {}, + "ingress": [ + { + "ports": [ + { + "protocol": "TCP", + "port": 80 + }, + { + "protocol": "TCP", + "port": 443 + } + ] + } + ], + "egress": [ + { + "ports": [ + { + "protocol": "UDP", + "port": 53 + } + ] + } + ] + } + ] } }, "examples": [ diff --git a/charts/nginx-ingress/values.yaml b/charts/nginx-ingress/values.yaml index 8dc7579c25..c5489058dd 100644 --- a/charts/nginx-ingress/values.yaml +++ b/charts/nginx-ingress/values.yaml 
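Review bot: `policyTypes` accepts an empty array, and the template added in this commit guards both the `policyTypes:` key and the rule blocks on `if $np.policyTypes`, so `policyTypes: []` with `enabled: true` renders a policy holding only a `podSelector`. Kubernetes then treats it as an Ingress policy with no allow rules, which cuts the controller pods off from all inbound traffic. Adding `"minItems": 1` and `"uniqueItems": true` to the `policyTypes` schema would reject that input at validation time instead of at the first dropped connection. Also, `podSelector` places `type`, `default` and `title` next to `$ref`; under older JSON Schema drafts the siblings of `$ref` are ignored, so confirm which draft the chart's validator applies.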
@@ -622,6 +622,28 @@ controller: ## variable_hash_bucket_size, and variable_hash_max_size in the ConfigMap based on the number of two-way splits. enableWeightChangesDynamicReload: false + # Default values for nginx-ingress with optional NetworkPolicy + networkPolicy: + enabled: false + # If empty, the template will default to the controller selectorLabels + podSelector: {} + policyTypes: + - Ingress + - Egress + # Default examples (safe, minimal). Feel free to keep them commented out + ingress: + - from: [] # e.g. - namespaceSelector: { matchLabels: { name: ingress-allow } } + ports: + - protocol: TCP + port: 80 + - protocol: TCP + port: 443 + egress: + - to: [] + ports: + - protocol: UDP + port: 53 + rbac: ## Configures RBAC. create: true diff --git a/charts/tests/__snapshots__/helmunit_test.snap b/charts/tests/__snapshots__/helmunit_test.snap index 78c8844e67..abd853d520 100755 --- a/charts/tests/__snapshots__/helmunit_test.snap +++ b/charts/tests/__snapshots__/helmunit_test.snap 
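Review bot: The default `egress` rule allows only UDP 53 while `policyTypes` lists `Egress`, so setting `enabled: true` with these defaults leaves the controller pods able to send UDP DNS queries and nothing else. The controller rendered in this chart's snapshot watches API resources, holds a leader-election lease and proxies to upstreams, all of which need egress this rule does not grant; DNS over TCP is missing too. The comment calls the examples "safe, minimal" and suggests keeping them commented out, but they are live values. I would default to `policyTypes: [Ingress]`, move the egress rule into a commented example that also covers the API server and upstream destinations, and state in the comment that `from: []` admits every source on ports 80 and 443.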
@@ -30,16 +30,127 @@ data: {} /-/-/-/ # Source: nginx-ingress/templates/controller-configmap.yaml +--- + +[TestHelmNICTemplate/appProtectWAF - 1] +/-/-/-/ +# Source: nginx-ingress/templates/controller-serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: appprotect-waf-nginx-ingress + namespace: appprotect-waf + labels: + helm.sh/chart: nginx-ingress-2.3.0 + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/instance: appprotect-waf + app.kubernetes.io/version: "5.2.0" + app.kubernetes.io/managed-by: Helm /-/-/-/ +# Source: nginx-ingress/templates/controller-configmap.yaml apiVersion: v1 kind: ConfigMap metadata: - name: appprotect-dos-nginx-ingress-mgmt - namespace: appprotect-dos + name: appprotect-waf-nginx-ingress + namespace: appprotect-waf labels: helm.sh/chart: nginx-ingress-2.3.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: appprotect-dos + app.kubernetes.io/instance: appprotect-waf + app.kubernetes.io/version: "5.2.0" + app.kubernetes.io/managed-by: Helm +data: + {} +/-/-/-/ +# Source: nginx-ingress/templates/controller-configmap.yaml +--- + +[TestHelmNICTemplate/appProtectWAFV4AgentV2 - 1] +/-/-/-/ +# Source: nginx-ingress/templates/controller-serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: app-protect-waf-agentv2-nginx-ingress + namespace: default + labels: + helm.sh/chart: nginx-ingress-2.3.0 + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/instance: app-protect-waf-agentv2 + app.kubernetes.io/version: "5.2.0" + app.kubernetes.io/managed-by: Helm +/-/-/-/ +# Source: nginx-ingress/templates/controller-configmap.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: app-protect-waf-agentv2-nginx-ingress + namespace: default + labels: + helm.sh/chart: nginx-ingress-2.3.0 + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/instance: app-protect-waf-agentv2 + app.kubernetes.io/version: "5.2.0" + app.kubernetes.io/managed-by: Helm +data: + {} +/-/-/-/ +# 
Source: nginx-ingress/templates/controller-configmap.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: app-protect-waf-agentv2-nginx-ingress-agent-config + namespace: default + labels: + helm.sh/chart: nginx-ingress-2.3.0 + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/instance: app-protect-waf-agentv2 + app.kubernetes.io/version: "5.2.0" + app.kubernetes.io/managed-by: Helm +data: + nginx-agent.conf: |- + + log: + level: info + path: "" + server: + host: nim.example.com + grpcPort: 443 + metrics: nim.example.com + command: nim.example.com + tls: + enable: true + skip_verify: false + ca: "/etc/ssl/nms/ca.crt" + cert: "/etc/ssl/nms/tls.crt" + key: "/etc/ssl/nms/tls.key" + features: + - registration + - nginx-counting + - metrics-sender + - dataplane-status + extensions: + - nginx-app-protect + - nap-monitoring + nginx_app_protect: + report_interval: 15s + precompiled_publication: true + nap_monitoring: + collector_buffer_size: 50001 + processor_buffer_size: 50002 + syslog_ip: 127.0.0.2 + syslog_port: 514 +/-/-/-/ +# Source: nginx-ingress/templates/controller-configmap.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: app-protect-waf-agentv2-nginx-ingress-mgmt + namespace: default + labels: + helm.sh/chart: nginx-ingress-2.3.0 + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/instance: app-protect-waf-agentv2 app.kubernetes.io/version: "5.2.0" app.kubernetes.io/managed-by: Helm data: @@ -49,12 +160,12 @@ data: apiVersion: v1 kind: ConfigMap metadata: - name: appprotect-dos-nginx-ingress-leader-election - namespace: appprotect-dos + name: app-protect-waf-agentv2-nginx-ingress-leader-election + namespace: default labels: helm.sh/chart: nginx-ingress-2.3.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: appprotect-dos + app.kubernetes.io/instance: app-protect-waf-agentv2 app.kubernetes.io/version: "5.2.0" app.kubernetes.io/managed-by: Helm /-/-/-/ 
@@ -62,11 +173,11 @@ metadata: kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: appprotect-dos-nginx-ingress + name: app-protect-waf-agentv2-nginx-ingress labels: helm.sh/chart: nginx-ingress-2.3.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: appprotect-dos + app.kubernetes.io/instance: app-protect-waf-agentv2 app.kubernetes.io/version: "5.2.0" app.kubernetes.io/managed-by: Helm rules: @@ -151,15 +262,15 @@ rules: verbs: - update - apiGroups: - - appprotectdos.f5.com + - appprotect.f5.com resources: - - apdospolicies - - apdoslogconfs - - dosprotectedresources + - appolicies + - aplogconfs + - apusersigs verbs: - - get - - watch - - list + - get + - watch + - list - apiGroups: - k8s.nginx.org resources: 
@@ -186,34 +297,34 @@ rules: kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: appprotect-dos-nginx-ingress + name: app-protect-waf-agentv2-nginx-ingress labels: helm.sh/chart: nginx-ingress-2.3.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: appprotect-dos + app.kubernetes.io/instance: app-protect-waf-agentv2 app.kubernetes.io/version: "5.2.0" app.kubernetes.io/managed-by: Helm subjects: - kind: ServiceAccount - name: appprotect-dos-nginx-ingress - namespace: appprotect-dos + name: app-protect-waf-agentv2-nginx-ingress + namespace: default roleRef: kind: ClusterRole - name: appprotect-dos-nginx-ingress + name: app-protect-waf-agentv2-nginx-ingress apiGroup: rbac.authorization.k8s.io /-/-/-/ # Source: nginx-ingress/templates/controller-role.yaml kind: Role apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: appprotect-dos-nginx-ingress + name: app-protect-waf-agentv2-nginx-ingress labels: helm.sh/chart: nginx-ingress-2.3.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: appprotect-dos + app.kubernetes.io/instance: app-protect-waf-agentv2 app.kubernetes.io/version: "5.2.0" app.kubernetes.io/managed-by: Helm - namespace: appprotect-dos + namespace: default rules: - apiGroups: - "" @@ -251,7 +362,7 @@ rules: resources: - leases resourceNames: - - appprotect-dos-nginx-ingress-leader-election + - app-protect-waf-agentv2-nginx-ingress-leader-election verbs: - get - update 
@@ -266,33 +377,33 @@ rules: kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: appprotect-dos-nginx-ingress + name: app-protect-waf-agentv2-nginx-ingress labels: helm.sh/chart: nginx-ingress-2.3.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: appprotect-dos + app.kubernetes.io/instance: app-protect-waf-agentv2 app.kubernetes.io/version: "5.2.0" app.kubernetes.io/managed-by: Helm - namespace: appprotect-dos + namespace: default roleRef: apiGroup: rbac.authorization.k8s.io kind: Role - name: appprotect-dos-nginx-ingress + name: app-protect-waf-agentv2-nginx-ingress subjects: - kind: ServiceAccount - name: appprotect-dos-nginx-ingress - namespace: appprotect-dos + name: app-protect-waf-agentv2-nginx-ingress + namespace: default /-/-/-/ # Source: nginx-ingress/templates/controller-service.yaml apiVersion: v1 kind: Service metadata: - name: appprotect-dos-nginx-ingress-controller - namespace: appprotect-dos + name: app-protect-waf-agentv2-nginx-ingress-controller + namespace: default labels: helm.sh/chart: nginx-ingress-2.3.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: appprotect-dos + app.kubernetes.io/instance: app-protect-waf-agentv2 app.kubernetes.io/version: "5.2.0" app.kubernetes.io/managed-by: Helm spec: 
@@ -311,18 +422,18 @@ spec: nodePort: selector: app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: appprotect-dos + app.kubernetes.io/instance: app-protect-waf-agentv2 /-/-/-/ # Source: nginx-ingress/templates/controller-deployment.yaml apiVersion: apps/v1 kind: Deployment metadata: - name: appprotect-dos-nginx-ingress-controller - namespace: appprotect-dos + name: app-protect-waf-agentv2-nginx-ingress-controller + namespace: default labels: helm.sh/chart: nginx-ingress-2.3.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: appprotect-dos + app.kubernetes.io/instance: app-protect-waf-agentv2 app.kubernetes.io/version: "5.2.0" app.kubernetes.io/managed-by: Helm spec: @@ -330,19 +441,33 @@ spec: selector: matchLabels: app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: appprotect-dos + app.kubernetes.io/instance: app-protect-waf-agentv2 template: metadata: labels: app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: appprotect-dos + app.kubernetes.io/instance: app-protect-waf-agentv2 + agent-configuration-revision-hash: "c215996e" annotations: prometheus.io/scrape: "true" prometheus.io/port: "9113" prometheus.io/scheme: "http" spec: - volumes: [] - serviceAccountName: appprotect-dos-nginx-ingress + volumes: + + - name: agent-conf + configMap: + name: app-protect-waf-agentv2-nginx-ingress-agent-config + - name: agent-dynamic + emptyDir: {} + - name: nginx-agent-tls + projected: + sources: + - secret: + name: tls-secret + - secret: + name: ca-secret + serviceAccountName: app-protect-waf-agentv2-nginx-ingress automountServiceAccountToken: true securityContext: seccompProfile: 
@@ -385,7 +510,16 @@ spec: - ALL add: - NET_BIND_SERVICE - volumeMounts: [] + volumeMounts: + + - name: agent-conf + mountPath: /etc/nginx-agent/nginx-agent.conf + subPath: nginx-agent.conf + - name: agent-dynamic + mountPath: /var/lib/nginx-agent + - name: nginx-agent-tls + mountPath: /etc/ssl/nms + readOnly: true env: - name: POD_NAMESPACE valueFrom: @@ -399,15 +533,10 @@ spec: - -nginx-plus=true - -nginx-reload-timeout=60000 - - -enable-app-protect=false - - -enable-app-protect-dos=true - - -app-protect-dos-debug=true - - -app-protect-dos-max-daemons=10 - - -app-protect-dos-max-workers=5 - - -app-protect-dos-memory=1024 - - - -nginx-configmaps=$(POD_NAMESPACE)/appprotect-dos-nginx-ingress - - -mgmt-configmap=$(POD_NAMESPACE)/appprotect-dos-nginx-ingress-mgmt + - -enable-app-protect=true + - -enable-app-protect-dos=false + - -nginx-configmaps=$(POD_NAMESPACE)/app-protect-waf-agentv2-nginx-ingress + - -mgmt-configmap=$(POD_NAMESPACE)/app-protect-waf-agentv2-nginx-ingress-mgmt - -ingress-class=nginx - -health-status=false - -health-status-uri=/nginx-health @@ -418,9 +547,9 @@ spec: - -nginx-status-port=8080 - -nginx-status-allow-cidrs=127.0.0.1 - -report-ingress-status - - -external-service=appprotect-dos-nginx-ingress-controller + - -external-service=app-protect-waf-agentv2-nginx-ingress-controller - -enable-leader-election=true - - -leader-election-lock-name=appprotect-dos-nginx-ingress-leader-election + - -leader-election-lock-name=app-protect-waf-agentv2-nginx-ingress-leader-election - -enable-prometheus-metrics=true - -prometheus-metrics-listen-port=9113 - -prometheus-tls-secret= @@ -442,6 +571,8 @@ spec: - -ssl-dynamic-reload=true - -enable-telemetry-reporting=true - -weight-changes-dynamic-reload=false + - -agent=true + - -agent-instance-group=app-protect-waf-agentv2-nginx-ingress-controller /-/-/-/ # Source: nginx-ingress/templates/controller-ingress-class.yaml apiVersion: networking.k8s.io/v1 
@@ -451,7 +582,7 @@ metadata: labels: helm.sh/chart: nginx-ingress-2.3.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: appprotect-dos + app.kubernetes.io/instance: app-protect-waf-agentv2 app.kubernetes.io/version: "5.2.0" app.kubernetes.io/managed-by: Helm spec: @@ -461,28 +592,28 @@ spec: apiVersion: coordination.k8s.io/v1 kind: Lease metadata: - name: appprotect-dos-nginx-ingress-leader-election - namespace: appprotect-dos + name: app-protect-waf-agentv2-nginx-ingress-leader-election + namespace: default labels: helm.sh/chart: nginx-ingress-2.3.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: appprotect-dos + app.kubernetes.io/instance: app-protect-waf-agentv2 app.kubernetes.io/version: "5.2.0" app.kubernetes.io/managed-by: Helm --- -[TestHelmNICTemplate/appProtectWAF - 1] +[TestHelmNICTemplate/appProtectWAFV5 - 1] /-/-/-/ # Source: nginx-ingress/templates/controller-serviceaccount.yaml apiVersion: v1 kind: ServiceAccount metadata: - name: appprotect-waf-nginx-ingress - namespace: appprotect-waf + name: appprotect-wafv5-nginx-ingress + namespace: appprotect-wafv5 labels: helm.sh/chart: nginx-ingress-2.3.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: appprotect-waf + app.kubernetes.io/instance: appprotect-wafv5 app.kubernetes.io/version: "5.2.0" app.kubernetes.io/managed-by: Helm /-/-/-/ 
@@ -490,43 +621,121 @@ metadata: apiVersion: v1 kind: ConfigMap metadata: - name: appprotect-waf-nginx-ingress - namespace: appprotect-waf + name: appprotect-wafv5-nginx-ingress + namespace: appprotect-wafv5 labels: helm.sh/chart: nginx-ingress-2.3.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: appprotect-waf + app.kubernetes.io/instance: appprotect-wafv5 app.kubernetes.io/version: "5.2.0" app.kubernetes.io/managed-by: Helm data: {} /-/-/-/ # Source: nginx-ingress/templates/controller-configmap.yaml +--- + +[TestHelmNICTemplate/appProtectWAFV5AgentV2 - 1] /-/-/-/ +# Source: nginx-ingress/templates/controller-serviceaccount.yaml apiVersion: v1 -kind: ConfigMap +kind: ServiceAccount metadata: - name: appprotect-waf-nginx-ingress-mgmt - namespace: appprotect-waf + name: app-protect-wafv5-agentv2-nginx-ingress + namespace: default labels: helm.sh/chart: nginx-ingress-2.3.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: appprotect-waf + app.kubernetes.io/instance: app-protect-wafv5-agentv2 app.kubernetes.io/version: "5.2.0" app.kubernetes.io/managed-by: Helm -data: - license-token-secret-name: license-token /-/-/-/ -# Source: nginx-ingress/templates/controller-leader-election-configmap.yaml +# Source: nginx-ingress/templates/controller-configmap.yaml apiVersion: v1 kind: ConfigMap metadata: - name: appprotect-waf-nginx-ingress-leader-election - namespace: appprotect-waf + name: app-protect-wafv5-agentv2-nginx-ingress + namespace: default labels: helm.sh/chart: nginx-ingress-2.3.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: appprotect-waf + app.kubernetes.io/instance: app-protect-wafv5-agentv2 + app.kubernetes.io/version: "5.2.0" + app.kubernetes.io/managed-by: Helm +data: + {} +/-/-/-/ +# Source: nginx-ingress/templates/controller-configmap.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: app-protect-wafv5-agentv2-nginx-ingress-agent-config + namespace: default + labels: + helm.sh/chart: 
nginx-ingress-2.3.0 + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/instance: app-protect-wafv5-agentv2 + app.kubernetes.io/version: "5.2.0" + app.kubernetes.io/managed-by: Helm +data: + nginx-agent.conf: |- + + log: + level: info + path: "" + server: + host: nim.example.com + grpcPort: 443 + metrics: nim.example.com + command: nim.example.com + tls: + enable: true + skip_verify: false + ca: "/etc/ssl/nms/ca.crt" + cert: "/etc/ssl/nms/tls.crt" + key: "/etc/ssl/nms/tls.key" + features: + - registration + - nginx-counting + - metrics-sender + - dataplane-status + extensions: + - nginx-app-protect + - nap-monitoring + nginx_app_protect: + report_interval: 15s + precompiled_publication: true + nap_monitoring: + collector_buffer_size: 50000 + processor_buffer_size: 50000 + syslog_ip: 127.0.0.1 + syslog_port: 1514 +/-/-/-/ +# Source: nginx-ingress/templates/controller-configmap.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: app-protect-wafv5-agentv2-nginx-ingress-mgmt + namespace: default + labels: + helm.sh/chart: nginx-ingress-2.3.0 + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/instance: app-protect-wafv5-agentv2 + app.kubernetes.io/version: "5.2.0" + app.kubernetes.io/managed-by: Helm +data: + license-token-secret-name: license-token +/-/-/-/ +# Source: nginx-ingress/templates/controller-leader-election-configmap.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: app-protect-wafv5-agentv2-nginx-ingress-leader-election + namespace: default + labels: + helm.sh/chart: nginx-ingress-2.3.0 + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/instance: app-protect-wafv5-agentv2 app.kubernetes.io/version: "5.2.0" app.kubernetes.io/managed-by: Helm /-/-/-/ 
@@ -534,11 +743,11 @@ metadata: kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: appprotect-waf-nginx-ingress + name: app-protect-wafv5-agentv2-nginx-ingress labels: helm.sh/chart: nginx-ingress-2.3.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: appprotect-waf + app.kubernetes.io/instance: app-protect-wafv5-agentv2 app.kubernetes.io/version: "5.2.0" app.kubernetes.io/managed-by: Helm rules: @@ -658,34 +867,34 @@ rules: kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: appprotect-waf-nginx-ingress + name: app-protect-wafv5-agentv2-nginx-ingress labels: helm.sh/chart: nginx-ingress-2.3.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: appprotect-waf + app.kubernetes.io/instance: app-protect-wafv5-agentv2 app.kubernetes.io/version: "5.2.0" app.kubernetes.io/managed-by: Helm subjects: - kind: ServiceAccount - name: appprotect-waf-nginx-ingress - namespace: appprotect-waf + name: app-protect-wafv5-agentv2-nginx-ingress + namespace: default roleRef: kind: ClusterRole - name: appprotect-waf-nginx-ingress + name: app-protect-wafv5-agentv2-nginx-ingress apiGroup: rbac.authorization.k8s.io /-/-/-/ # Source: nginx-ingress/templates/controller-role.yaml kind: Role apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: appprotect-waf-nginx-ingress + name: app-protect-wafv5-agentv2-nginx-ingress labels: helm.sh/chart: nginx-ingress-2.3.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: appprotect-waf + app.kubernetes.io/instance: app-protect-wafv5-agentv2 app.kubernetes.io/version: "5.2.0" app.kubernetes.io/managed-by: Helm - namespace: appprotect-waf + namespace: default rules: - apiGroups: - "" @@ -723,7 +932,7 @@ rules: resources: - leases resourceNames: - - appprotect-waf-nginx-ingress-leader-election + - app-protect-wafv5-agentv2-nginx-ingress-leader-election verbs: - get - update 
@@ -738,33 +947,33 @@ rules: kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: appprotect-waf-nginx-ingress + name: app-protect-wafv5-agentv2-nginx-ingress labels: helm.sh/chart: nginx-ingress-2.3.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: appprotect-waf + app.kubernetes.io/instance: app-protect-wafv5-agentv2 app.kubernetes.io/version: "5.2.0" app.kubernetes.io/managed-by: Helm - namespace: appprotect-waf + namespace: default roleRef: apiGroup: rbac.authorization.k8s.io kind: Role - name: appprotect-waf-nginx-ingress + name: app-protect-wafv5-agentv2-nginx-ingress subjects: - kind: ServiceAccount - name: appprotect-waf-nginx-ingress - namespace: appprotect-waf + name: app-protect-wafv5-agentv2-nginx-ingress + namespace: default /-/-/-/ # Source: nginx-ingress/templates/controller-service.yaml apiVersion: v1 kind: Service metadata: - name: appprotect-waf-nginx-ingress-controller - namespace: appprotect-waf + name: app-protect-wafv5-agentv2-nginx-ingress-controller + namespace: default labels: helm.sh/chart: nginx-ingress-2.3.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: appprotect-waf + app.kubernetes.io/instance: app-protect-wafv5-agentv2 app.kubernetes.io/version: "5.2.0" app.kubernetes.io/managed-by: Helm spec: 
@@ -783,18 +992,18 @@ spec: nodePort: selector: app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: appprotect-waf + app.kubernetes.io/instance: app-protect-wafv5-agentv2 /-/-/-/ # Source: nginx-ingress/templates/controller-deployment.yaml apiVersion: apps/v1 kind: Deployment metadata: - name: appprotect-waf-nginx-ingress-controller - namespace: appprotect-waf + name: app-protect-wafv5-agentv2-nginx-ingress-controller + namespace: default labels: helm.sh/chart: nginx-ingress-2.3.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: appprotect-waf + app.kubernetes.io/instance: app-protect-wafv5-agentv2 app.kubernetes.io/version: "5.2.0" app.kubernetes.io/managed-by: Helm spec: @@ -802,19 +1011,39 @@ spec: selector: matchLabels: app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: appprotect-waf + app.kubernetes.io/instance: app-protect-wafv5-agentv2 template: metadata: labels: app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: appprotect-waf + app.kubernetes.io/instance: app-protect-wafv5-agentv2 + agent-configuration-revision-hash: "435782fd" annotations: prometheus.io/scrape: "true" prometheus.io/port: "9113" prometheus.io/scheme: "http" spec: - volumes: [] - serviceAccountName: appprotect-waf-nginx-ingress + volumes: + + - emptyDir: {} + name: app-protect-bd-config + - emptyDir: {} + name: app-protect-config + - emptyDir: {} + name: app-protect-bundles + - name: agent-conf + configMap: + name: app-protect-wafv5-agentv2-nginx-ingress-agent-config + - name: agent-dynamic + emptyDir: {} + - name: nginx-agent-tls + projected: + sources: + - secret: + name: tls-secret + - secret: + name: ca-secret + serviceAccountName: app-protect-wafv5-agentv2-nginx-ingress automountServiceAccountToken: true securityContext: seccompProfile: 
@@ -857,7 +1086,24 @@ spec: - ALL add: - NET_BIND_SERVICE - volumeMounts: [] + volumeMounts: + + - name: app-protect-bd-config + mountPath: /opt/app_protect/bd_config + - name: app-protect-config + mountPath: /opt/app_protect/config + # app-protect-bundles is mounted so that Ingress Controller + # can verify that referenced bundles are present + - name: app-protect-bundles + mountPath: /etc/app_protect/bundles + - name: agent-conf + mountPath: /etc/nginx-agent/nginx-agent.conf + subPath: nginx-agent.conf + - name: agent-dynamic + mountPath: /var/lib/nginx-agent + - name: nginx-agent-tls + mountPath: /etc/ssl/nms + readOnly: true env: - name: POD_NAMESPACE valueFrom: @@ -872,9 +1118,10 @@ spec: - -nginx-plus=true - -nginx-reload-timeout=60000 - -enable-app-protect=true + - -app-protect-enforcer-address="localhost:50001" - -enable-app-protect-dos=false - - -nginx-configmaps=$(POD_NAMESPACE)/appprotect-waf-nginx-ingress - - -mgmt-configmap=$(POD_NAMESPACE)/appprotect-waf-nginx-ingress-mgmt + - -nginx-configmaps=$(POD_NAMESPACE)/app-protect-wafv5-agentv2-nginx-ingress + - -mgmt-configmap=$(POD_NAMESPACE)/app-protect-wafv5-agentv2-nginx-ingress-mgmt - -ingress-class=nginx - -health-status=false - -health-status-uri=/nginx-health @@ -885,9 +1132,9 @@ spec: - -nginx-status-port=8080 - -nginx-status-allow-cidrs=127.0.0.1 - -report-ingress-status - - -external-service=appprotect-waf-nginx-ingress-controller + - -external-service=app-protect-wafv5-agentv2-nginx-ingress-controller - -enable-leader-election=true - - -leader-election-lock-name=appprotect-waf-nginx-ingress-leader-election + - -leader-election-lock-name=app-protect-wafv5-agentv2-nginx-ingress-leader-election - -enable-prometheus-metrics=true - -prometheus-metrics-listen-port=9113 - -prometheus-tls-secret= 
@@ -909,6 +1156,38 @@ spec: - -ssl-dynamic-reload=true - -enable-telemetry-reporting=true - -weight-changes-dynamic-reload=false + - -agent=true + - -agent-instance-group=app-protect-wafv5-agentv2-nginx-ingress-controller + + - name: waf-enforcer + image: my.private.reg/nap/waf-enforcer:5.6.0 + imagePullPolicy: "IfNotPresent" + env: + - name: ENFORCER_PORT + value: "50001" + - name: ENFORCER_CONFIG_TIMEOUT + value: "0" + volumeMounts: + - name: app-protect-bd-config + mountPath: /opt/app_protect/bd_config + - name: waf-config-mgr + image: my.private.reg/nap/waf-config-mgr:5.6.0 + imagePullPolicy: "IfNotPresent" + securityContext: + + allowPrivilegeEscalation: false + capabilities: + drop: + - all + runAsNonRoot: true + runAsUser: 101 + volumeMounts: + - name: app-protect-bd-config + mountPath: /opt/app_protect/bd_config + - name: app-protect-config + mountPath: /opt/app_protect/config + - name: app-protect-bundles + mountPath: /etc/app_protect/bundles /-/-/-/ # Source: nginx-ingress/templates/controller-ingress-class.yaml apiVersion: networking.k8s.io/v1 @@ -918,7 +1197,7 @@ metadata: labels: helm.sh/chart: nginx-ingress-2.3.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: appprotect-waf + app.kubernetes.io/instance: app-protect-wafv5-agentv2 app.kubernetes.io/version: "5.2.0" app.kubernetes.io/managed-by: Helm spec: 
@@ -928,28 +1207,28 @@ spec: apiVersion: coordination.k8s.io/v1 kind: Lease metadata: - name: appprotect-waf-nginx-ingress-leader-election - namespace: appprotect-waf + name: app-protect-wafv5-agentv2-nginx-ingress-leader-election + namespace: default labels: helm.sh/chart: nginx-ingress-2.3.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: appprotect-waf + app.kubernetes.io/instance: app-protect-wafv5-agentv2 app.kubernetes.io/version: "5.2.0" app.kubernetes.io/managed-by: Helm --- -[TestHelmNICTemplate/appProtectWAFV4AgentV2 - 1] +[TestHelmNICTemplate/customResources - 1] /-/-/-/ # Source: nginx-ingress/templates/controller-serviceaccount.yaml apiVersion: v1 kind: ServiceAccount metadata: - name: app-protect-waf-agentv2-nginx-ingress - namespace: default + name: custom-resources-nginx-ingress + namespace: custom-resources labels: helm.sh/chart: nginx-ingress-2.3.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: app-protect-waf-agentv2 + app.kubernetes.io/instance: custom-resources app.kubernetes.io/version: "5.2.0" app.kubernetes.io/managed-by: Helm /-/-/-/ 
@@ -957,88 +1236,27 @@ metadata: apiVersion: v1 kind: ConfigMap metadata: - name: app-protect-waf-agentv2-nginx-ingress - namespace: default + name: custom-resources-nginx-ingress + namespace: custom-resources labels: helm.sh/chart: nginx-ingress-2.3.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: app-protect-waf-agentv2 + app.kubernetes.io/instance: custom-resources app.kubernetes.io/version: "5.2.0" app.kubernetes.io/managed-by: Helm data: {} /-/-/-/ -# Source: nginx-ingress/templates/controller-configmap.yaml +# Source: nginx-ingress/templates/controller-leader-election-configmap.yaml apiVersion: v1 kind: ConfigMap metadata: - name: app-protect-waf-agentv2-nginx-ingress-agent-config - namespace: default + name: custom-resources-nginx-ingress-leader-election + namespace: custom-resources labels: helm.sh/chart: nginx-ingress-2.3.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: app-protect-waf-agentv2 - app.kubernetes.io/version: "5.2.0" - app.kubernetes.io/managed-by: Helm -data: - nginx-agent.conf: |- - - log: - level: info - path: "" - server: - host: nim.example.com - grpcPort: 443 - metrics: nim.example.com - command: nim.example.com - tls: - enable: true - skip_verify: false - ca: "/etc/ssl/nms/ca.crt" - cert: "/etc/ssl/nms/tls.crt" - key: "/etc/ssl/nms/tls.key" - features: - - registration - - nginx-counting - - metrics-sender - - dataplane-status - extensions: - - nginx-app-protect - - nap-monitoring - nginx_app_protect: - report_interval: 15s - precompiled_publication: true - nap_monitoring: - collector_buffer_size: 50001 - processor_buffer_size: 50002 - syslog_ip: 127.0.0.2 - syslog_port: 514 -/-/-/-/ -# Source: nginx-ingress/templates/controller-configmap.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: app-protect-waf-agentv2-nginx-ingress-mgmt - namespace: default - labels: - helm.sh/chart: nginx-ingress-2.3.0 - app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: app-protect-waf-agentv2 
- app.kubernetes.io/version: "5.2.0" - app.kubernetes.io/managed-by: Helm -data: - license-token-secret-name: license-token -/-/-/-/ -# Source: nginx-ingress/templates/controller-leader-election-configmap.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: app-protect-waf-agentv2-nginx-ingress-leader-election - namespace: default - labels: - helm.sh/chart: nginx-ingress-2.3.0 - app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: app-protect-waf-agentv2 + app.kubernetes.io/instance: custom-resources app.kubernetes.io/version: "5.2.0" app.kubernetes.io/managed-by: Helm /-/-/-/ @@ -1046,11 +1264,11 @@ metadata: kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: app-protect-waf-agentv2-nginx-ingress + name: custom-resources-nginx-ingress labels: helm.sh/chart: nginx-ingress-2.3.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: app-protect-waf-agentv2 + app.kubernetes.io/instance: custom-resources app.kubernetes.io/version: "5.2.0" app.kubernetes.io/managed-by: Helm rules: 
@@ -1134,70 +1352,39 @@ rules: - ingresses/status verbs: - update -- apiGroups: - - appprotect.f5.com - resources: - - appolicies - - aplogconfs - - apusersigs - verbs: - - get - - watch - - list -- apiGroups: - - k8s.nginx.org - resources: - - virtualservers - - virtualserverroutes - - globalconfigurations - - transportservers - - policies - verbs: - - list - - watch - - get -- apiGroups: - - k8s.nginx.org - resources: - - virtualservers/status - - virtualserverroutes/status - - policies/status - - transportservers/status - verbs: - - update /-/-/-/ # Source: nginx-ingress/templates/clusterrolebinding.yaml kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: app-protect-waf-agentv2-nginx-ingress + name: custom-resources-nginx-ingress labels: helm.sh/chart: nginx-ingress-2.3.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: app-protect-waf-agentv2 + app.kubernetes.io/instance: custom-resources app.kubernetes.io/version: "5.2.0" app.kubernetes.io/managed-by: Helm subjects: - kind: ServiceAccount - name: app-protect-waf-agentv2-nginx-ingress - namespace: default + name: custom-resources-nginx-ingress + namespace: custom-resources roleRef: kind: ClusterRole - name: app-protect-waf-agentv2-nginx-ingress + name: custom-resources-nginx-ingress apiGroup: rbac.authorization.k8s.io /-/-/-/ # Source: nginx-ingress/templates/controller-role.yaml kind: Role apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: app-protect-waf-agentv2-nginx-ingress + name: custom-resources-nginx-ingress labels: helm.sh/chart: nginx-ingress-2.3.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: app-protect-waf-agentv2 + app.kubernetes.io/instance: custom-resources app.kubernetes.io/version: "5.2.0" app.kubernetes.io/managed-by: Helm - namespace: default + namespace: custom-resources rules: - apiGroups: - "" 
@@ -1235,7 +1422,7 @@ rules: resources: - leases resourceNames: - - app-protect-waf-agentv2-nginx-ingress-leader-election + - custom-resources-nginx-ingress-leader-election verbs: - get - update @@ -1250,33 +1437,33 @@ rules: kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: app-protect-waf-agentv2-nginx-ingress + name: custom-resources-nginx-ingress labels: helm.sh/chart: nginx-ingress-2.3.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: app-protect-waf-agentv2 + app.kubernetes.io/instance: custom-resources app.kubernetes.io/version: "5.2.0" app.kubernetes.io/managed-by: Helm - namespace: default + namespace: custom-resources roleRef: apiGroup: rbac.authorization.k8s.io kind: Role - name: app-protect-waf-agentv2-nginx-ingress + name: custom-resources-nginx-ingress subjects: - kind: ServiceAccount - name: app-protect-waf-agentv2-nginx-ingress - namespace: default + name: custom-resources-nginx-ingress + namespace: custom-resources /-/-/-/ # Source: nginx-ingress/templates/controller-service.yaml apiVersion: v1 kind: Service metadata: - name: app-protect-waf-agentv2-nginx-ingress-controller - namespace: default + name: custom-resources-nginx-ingress-controller + namespace: custom-resources labels: helm.sh/chart: nginx-ingress-2.3.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: app-protect-waf-agentv2 + app.kubernetes.io/instance: custom-resources app.kubernetes.io/version: "5.2.0" app.kubernetes.io/managed-by: Helm spec: 
@@ -1295,18 +1482,18 @@ spec: nodePort: selector: app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: app-protect-waf-agentv2 + app.kubernetes.io/instance: custom-resources /-/-/-/ # Source: nginx-ingress/templates/controller-deployment.yaml apiVersion: apps/v1 kind: Deployment metadata: - name: app-protect-waf-agentv2-nginx-ingress-controller - namespace: default + name: custom-resources-nginx-ingress-controller + namespace: custom-resources labels: helm.sh/chart: nginx-ingress-2.3.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: app-protect-waf-agentv2 + app.kubernetes.io/instance: custom-resources app.kubernetes.io/version: "5.2.0" app.kubernetes.io/managed-by: Helm spec: @@ -1314,33 +1501,19 @@ spec: selector: matchLabels: app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: app-protect-waf-agentv2 + app.kubernetes.io/instance: custom-resources template: metadata: labels: app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: app-protect-waf-agentv2 - agent-configuration-revision-hash: "58428611" + app.kubernetes.io/instance: custom-resources annotations: prometheus.io/scrape: "true" prometheus.io/port: "9113" prometheus.io/scheme: "http" spec: - volumes: - - - name: agent-conf - configMap: - name: app-protect-waf-agentv2-nginx-ingress-agent-config - - name: agent-dynamic - emptyDir: {} - - name: nginx-agent-tls - projected: - sources: - - secret: - name: tls-secret - - secret: - name: ca-secret - serviceAccountName: app-protect-waf-agentv2-nginx-ingress + volumes: [] + serviceAccountName: custom-resources-nginx-ingress automountServiceAccountToken: true securityContext: seccompProfile: 
@@ -1383,16 +1556,7 @@ spec: - ALL add: - NET_BIND_SERVICE - volumeMounts: - - - name: agent-conf - mountPath: /etc/nginx-agent/nginx-agent.conf - subPath: nginx-agent.conf - - name: agent-dynamic - mountPath: /var/lib/nginx-agent - - name: nginx-agent-tls - mountPath: /etc/ssl/nms - readOnly: true + volumeMounts: [] env: - name: POD_NAMESPACE valueFrom: @@ -1404,12 +1568,11 @@ spec: fieldPath: metadata.name args: - - -nginx-plus=true + - -nginx-plus=false - -nginx-reload-timeout=60000 - - -enable-app-protect=true + - -enable-app-protect=false - -enable-app-protect-dos=false - - -nginx-configmaps=$(POD_NAMESPACE)/app-protect-waf-agentv2-nginx-ingress - - -mgmt-configmap=$(POD_NAMESPACE)/app-protect-waf-agentv2-nginx-ingress-mgmt + - -nginx-configmaps=$(POD_NAMESPACE)/custom-resources-nginx-ingress - -ingress-class=nginx - -health-status=false - -health-status-uri=/nginx-health 
@@ -1420,32 +1583,24 @@ spec: - -nginx-status-port=8080 - -nginx-status-allow-cidrs=127.0.0.1 - -report-ingress-status - - -external-service=app-protect-waf-agentv2-nginx-ingress-controller + - -external-service=custom-resources-nginx-ingress-controller - -enable-leader-election=true - - -leader-election-lock-name=app-protect-waf-agentv2-nginx-ingress-leader-election + - -leader-election-lock-name=custom-resources-nginx-ingress-leader-election - -enable-prometheus-metrics=true - -prometheus-metrics-listen-port=9113 - -prometheus-tls-secret= - -enable-service-insight=false - -service-insight-listen-port=9114 - -service-insight-tls-secret= - - -enable-custom-resources=true + - -enable-custom-resources=false - -enable-snippets=false - -disable-ipv6=false - - -enable-tls-passthrough=false - - -enable-cert-manager=false - - -enable-oidc=false - - -enable-external-dns=false - - -default-http-listener-port=80 - - -default-https-listener-port=443 - -ready-status=true - -ready-status-port=8081 - -enable-latency-metrics=false - -ssl-dynamic-reload=true - -enable-telemetry-reporting=true - -weight-changes-dynamic-reload=false - - -agent=true - - -agent-instance-group=app-protect-waf-agentv2-nginx-ingress-controller /-/-/-/ # Source: nginx-ingress/templates/controller-ingress-class.yaml apiVersion: networking.k8s.io/v1 
@@ -1455,38 +1610,41 @@ metadata: labels: helm.sh/chart: nginx-ingress-2.3.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: app-protect-waf-agentv2 + app.kubernetes.io/instance: custom-resources app.kubernetes.io/version: "5.2.0" app.kubernetes.io/managed-by: Helm spec: controller: nginx.org/ingress-controller /-/-/-/ +# Source: nginx-ingress/templates/controller-configmap.yaml +/-/-/-/ +/-/-/-/ # Source: nginx-ingress/templates/controller-lease.yaml apiVersion: coordination.k8s.io/v1 kind: Lease metadata: - name: app-protect-waf-agentv2-nginx-ingress-leader-election - namespace: default + name: custom-resources-nginx-ingress-leader-election + namespace: custom-resources labels: helm.sh/chart: nginx-ingress-2.3.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: app-protect-waf-agentv2 + app.kubernetes.io/instance: custom-resources app.kubernetes.io/version: "5.2.0" app.kubernetes.io/managed-by: Helm --- -[TestHelmNICTemplate/appProtectWAFV5 - 1] +[TestHelmNICTemplate/daemonset - 1] /-/-/-/ # Source: nginx-ingress/templates/controller-serviceaccount.yaml apiVersion: v1 kind: ServiceAccount metadata: - name: appprotect-wafv5-nginx-ingress - namespace: appprotect-wafv5 + name: daemonset-nginx-ingress + namespace: default labels: helm.sh/chart: nginx-ingress-2.3.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: appprotect-wafv5 + app.kubernetes.io/instance: daemonset app.kubernetes.io/version: "5.2.0" app.kubernetes.io/managed-by: Helm /-/-/-/ 
@@ -1494,43 +1652,27 @@ metadata: apiVersion: v1 kind: ConfigMap metadata: - name: appprotect-wafv5-nginx-ingress - namespace: appprotect-wafv5 + name: daemonset-nginx-ingress + namespace: default labels: helm.sh/chart: nginx-ingress-2.3.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: appprotect-wafv5 + app.kubernetes.io/instance: daemonset app.kubernetes.io/version: "5.2.0" app.kubernetes.io/managed-by: Helm data: {} /-/-/-/ -# Source: nginx-ingress/templates/controller-configmap.yaml -/-/-/-/ -apiVersion: v1 -kind: ConfigMap -metadata: - name: appprotect-wafv5-nginx-ingress-mgmt - namespace: appprotect-wafv5 - labels: - helm.sh/chart: nginx-ingress-2.3.0 - app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: appprotect-wafv5 - app.kubernetes.io/version: "5.2.0" - app.kubernetes.io/managed-by: Helm -data: - license-token-secret-name: license-token -/-/-/-/ # Source: nginx-ingress/templates/controller-leader-election-configmap.yaml apiVersion: v1 kind: ConfigMap metadata: - name: appprotect-wafv5-nginx-ingress-leader-election - namespace: appprotect-wafv5 + name: daemonset-nginx-ingress-leader-election + namespace: default labels: helm.sh/chart: nginx-ingress-2.3.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: appprotect-wafv5 + app.kubernetes.io/instance: daemonset app.kubernetes.io/version: "5.2.0" app.kubernetes.io/managed-by: Helm /-/-/-/ @@ -1538,11 +1680,11 @@ metadata: kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: appprotect-wafv5-nginx-ingress + name: daemonset-nginx-ingress labels: helm.sh/chart: nginx-ingress-2.3.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: appprotect-wafv5 + app.kubernetes.io/instance: daemonset app.kubernetes.io/version: "5.2.0" app.kubernetes.io/managed-by: Helm rules: 
@@ -1626,16 +1768,6 @@ rules: - ingresses/status verbs: - update -- apiGroups: - - appprotect.f5.com - resources: - - appolicies - - aplogconfs - - apusersigs - verbs: - - get - - watch - - list - apiGroups: - k8s.nginx.org resources: @@ -1662,34 +1794,34 @@ rules: kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: appprotect-wafv5-nginx-ingress + name: daemonset-nginx-ingress labels: helm.sh/chart: nginx-ingress-2.3.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: appprotect-wafv5 + app.kubernetes.io/instance: daemonset app.kubernetes.io/version: "5.2.0" app.kubernetes.io/managed-by: Helm subjects: - kind: ServiceAccount - name: appprotect-wafv5-nginx-ingress - namespace: appprotect-wafv5 + name: daemonset-nginx-ingress + namespace: default roleRef: kind: ClusterRole - name: appprotect-wafv5-nginx-ingress + name: daemonset-nginx-ingress apiGroup: rbac.authorization.k8s.io /-/-/-/ # Source: nginx-ingress/templates/controller-role.yaml kind: Role apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: appprotect-wafv5-nginx-ingress + name: daemonset-nginx-ingress labels: helm.sh/chart: nginx-ingress-2.3.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: appprotect-wafv5 + app.kubernetes.io/instance: daemonset app.kubernetes.io/version: "5.2.0" app.kubernetes.io/managed-by: Helm - namespace: appprotect-wafv5 + namespace: default rules: - apiGroups: - "" @@ -1727,7 +1859,7 @@ rules: resources: - leases resourceNames: - - appprotect-wafv5-nginx-ingress-leader-election + - daemonset-nginx-ingress-leader-election verbs: - get - update 
@@ -1742,33 +1874,33 @@ rules: kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: appprotect-wafv5-nginx-ingress + name: daemonset-nginx-ingress labels: helm.sh/chart: nginx-ingress-2.3.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: appprotect-wafv5 + app.kubernetes.io/instance: daemonset app.kubernetes.io/version: "5.2.0" app.kubernetes.io/managed-by: Helm - namespace: appprotect-wafv5 + namespace: default roleRef: apiGroup: rbac.authorization.k8s.io kind: Role - name: appprotect-wafv5-nginx-ingress + name: daemonset-nginx-ingress subjects: - kind: ServiceAccount - name: appprotect-wafv5-nginx-ingress - namespace: appprotect-wafv5 + name: daemonset-nginx-ingress + namespace: default /-/-/-/ # Source: nginx-ingress/templates/controller-service.yaml apiVersion: v1 kind: Service metadata: - name: appprotect-wafv5-nginx-ingress-controller - namespace: appprotect-wafv5 + name: daemonset-nginx-ingress-controller + namespace: default labels: helm.sh/chart: nginx-ingress-2.3.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: appprotect-wafv5 + app.kubernetes.io/instance: daemonset app.kubernetes.io/version: "5.2.0" app.kubernetes.io/managed-by: Helm spec: 
@@ -1787,55 +1919,47 @@ spec: nodePort: selector: app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: appprotect-wafv5 + app.kubernetes.io/instance: daemonset /-/-/-/ -# Source: nginx-ingress/templates/controller-deployment.yaml +# Source: nginx-ingress/templates/controller-daemonset.yaml apiVersion: apps/v1 -kind: Deployment +kind: DaemonSet metadata: - name: appprotect-wafv5-nginx-ingress-controller - namespace: appprotect-wafv5 + name: daemonset-nginx-ingress-controller + namespace: default labels: helm.sh/chart: nginx-ingress-2.3.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: appprotect-wafv5 + app.kubernetes.io/instance: daemonset app.kubernetes.io/version: "5.2.0" app.kubernetes.io/managed-by: Helm spec: - replicas: 1 selector: matchLabels: app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: appprotect-wafv5 + app.kubernetes.io/instance: daemonset template: metadata: labels: app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: appprotect-wafv5 + app.kubernetes.io/instance: daemonset annotations: prometheus.io/scrape: "true" prometheus.io/port: "9113" prometheus.io/scheme: "http" - spec: - volumes: - - - emptyDir: {} - name: app-protect-bd-config - - emptyDir: {} - name: app-protect-config - - emptyDir: {} - name: app-protect-bundles - serviceAccountName: appprotect-wafv5-nginx-ingress + spec: + serviceAccountName: daemonset-nginx-ingress automountServiceAccountToken: true securityContext: seccompProfile: type: RuntimeDefault - terminationGracePeriodSeconds: 30 + terminationGracePeriodSeconds: 30 + volumes: [] hostNetwork: false dnsPolicy: ClusterFirst containers: - - image: nginx/nginx-ingress:5.2.0 - name: nginx-ingress + - name: nginx-ingress + image: nginx/nginx-ingress:5.2.0 imagePullPolicy: "IfNotPresent" ports: - name: http @@ -1844,6 +1968,7 @@ spec: - name: https containerPort: 443 protocol: TCP + - name: prometheus containerPort: 9113 - name: readiness-port 
@@ -1854,10 +1979,6 @@ spec: port: readiness-port periodSeconds: 1 initialDelaySeconds: 0 - resources: - requests: - cpu: 100m - memory: 128Mi securityContext: allowPrivilegeEscalation: false readOnlyRootFilesystem: false @@ -1868,16 +1989,7 @@ spec: - ALL add: - NET_BIND_SERVICE - volumeMounts: - - - name: app-protect-bd-config - mountPath: /opt/app_protect/bd_config - - name: app-protect-config - mountPath: /opt/app_protect/config - # app-protect-bundles is mounted so that Ingress Controller - # can verify that referenced bundles are present - - name: app-protect-bundles - mountPath: /etc/app_protect/bundles + volumeMounts: [] env: - name: POD_NAMESPACE valueFrom: @@ -1887,15 +1999,17 @@ spec: valueFrom: fieldRef: fieldPath: metadata.name + resources: + requests: + cpu: 100m + memory: 128Mi args: - - -nginx-plus=true + - -nginx-plus=false - -nginx-reload-timeout=60000 - - -enable-app-protect=true - - -app-protect-enforcer-address="localhost:50001" + - -enable-app-protect=false - -enable-app-protect-dos=false - - -nginx-configmaps=$(POD_NAMESPACE)/appprotect-wafv5-nginx-ingress - - -mgmt-configmap=$(POD_NAMESPACE)/appprotect-wafv5-nginx-ingress-mgmt + - -nginx-configmaps=$(POD_NAMESPACE)/daemonset-nginx-ingress - -ingress-class=nginx - -health-status=false - -health-status-uri=/nginx-health @@ -1906,9 +2020,9 @@ spec: - -nginx-status-port=8080 - -nginx-status-allow-cidrs=127.0.0.1 - -report-ingress-status - - -external-service=appprotect-wafv5-nginx-ingress-controller + - -external-service=daemonset-nginx-ingress-controller - -enable-leader-election=true - - -leader-election-lock-name=appprotect-wafv5-nginx-ingress-leader-election + - -leader-election-lock-name=daemonset-nginx-ingress-leader-election - -enable-prometheus-metrics=true - -prometheus-metrics-listen-port=9113 - -prometheus-tls-secret= 
@@ -1930,36 +2044,6 @@ spec: - -ssl-dynamic-reload=true - -enable-telemetry-reporting=true - -weight-changes-dynamic-reload=false - - - name: waf-enforcer - image: my.private.reg/nap/waf-enforcer:5.6.0 - imagePullPolicy: "IfNotPresent" - env: - - name: ENFORCER_PORT - value: "50001" - - name: ENFORCER_CONFIG_TIMEOUT - value: "0" - volumeMounts: - - name: app-protect-bd-config - mountPath: /opt/app_protect/bd_config - - name: waf-config-mgr - image: my.private.reg/nap/waf-config-mgr:5.6.0 - imagePullPolicy: "IfNotPresent" - securityContext: - - allowPrivilegeEscalation: false - capabilities: - drop: - - all - runAsNonRoot: true - runAsUser: 101 - volumeMounts: - - name: app-protect-bd-config - mountPath: /opt/app_protect/bd_config - - name: app-protect-config - mountPath: /opt/app_protect/config - - name: app-protect-bundles - mountPath: /etc/app_protect/bundles /-/-/-/ # Source: nginx-ingress/templates/controller-ingress-class.yaml apiVersion: networking.k8s.io/v1 
@@ -1969,38 +2053,41 @@ metadata: labels: helm.sh/chart: nginx-ingress-2.3.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: appprotect-wafv5 + app.kubernetes.io/instance: daemonset app.kubernetes.io/version: "5.2.0" app.kubernetes.io/managed-by: Helm spec: controller: nginx.org/ingress-controller /-/-/-/ +# Source: nginx-ingress/templates/controller-configmap.yaml +/-/-/-/ +/-/-/-/ # Source: nginx-ingress/templates/controller-lease.yaml apiVersion: coordination.k8s.io/v1 kind: Lease metadata: - name: appprotect-wafv5-nginx-ingress-leader-election - namespace: appprotect-wafv5 + name: daemonset-nginx-ingress-leader-election + namespace: default labels: helm.sh/chart: nginx-ingress-2.3.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: appprotect-wafv5 + app.kubernetes.io/instance: daemonset app.kubernetes.io/version: "5.2.0" app.kubernetes.io/managed-by: Helm --- -[TestHelmNICTemplate/appProtectWAFV5AgentV2 - 1] +[TestHelmNICTemplate/default_values_file - 1] /-/-/-/ # Source: nginx-ingress/templates/controller-serviceaccount.yaml apiVersion: v1 kind: ServiceAccount metadata: - name: app-protect-wafv5-agentv2-nginx-ingress + name: default-nginx-ingress namespace: default labels: helm.sh/chart: nginx-ingress-2.3.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: app-protect-wafv5-agentv2 + app.kubernetes.io/instance: default app.kubernetes.io/version: "5.2.0" app.kubernetes.io/managed-by: Helm /-/-/-/ 
@@ -2008,88 +2095,27 @@ metadata: apiVersion: v1 kind: ConfigMap metadata: - name: app-protect-wafv5-agentv2-nginx-ingress + name: default-nginx-ingress namespace: default labels: helm.sh/chart: nginx-ingress-2.3.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: app-protect-wafv5-agentv2 + app.kubernetes.io/instance: default app.kubernetes.io/version: "5.2.0" app.kubernetes.io/managed-by: Helm data: {} /-/-/-/ -# Source: nginx-ingress/templates/controller-configmap.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: app-protect-wafv5-agentv2-nginx-ingress-agent-config - namespace: default - labels: - helm.sh/chart: nginx-ingress-2.3.0 - app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: app-protect-wafv5-agentv2 - app.kubernetes.io/version: "5.2.0" - app.kubernetes.io/managed-by: Helm -data: - nginx-agent.conf: |- - - log: - level: info - path: "" - server: - host: nim.example.com - grpcPort: 443 - metrics: nim.example.com - command: nim.example.com - tls: - enable: true - skip_verify: false - ca: "/etc/ssl/nms/ca.crt" - cert: "/etc/ssl/nms/tls.crt" - key: "/etc/ssl/nms/tls.key" - features: - - registration - - nginx-counting - - metrics-sender - - dataplane-status - extensions: - - nginx-app-protect - - nap-monitoring - nginx_app_protect: - report_interval: 15s - precompiled_publication: true - nap_monitoring: - collector_buffer_size: 50000 - processor_buffer_size: 50000 - syslog_ip: 127.0.0.1 - syslog_port: 1514 -/-/-/-/ -# Source: nginx-ingress/templates/controller-configmap.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: app-protect-wafv5-agentv2-nginx-ingress-mgmt - namespace: default - labels: - helm.sh/chart: nginx-ingress-2.3.0 - app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: app-protect-wafv5-agentv2 - app.kubernetes.io/version: "5.2.0" - app.kubernetes.io/managed-by: Helm -data: - license-token-secret-name: license-token -/-/-/-/ # Source: 
nginx-ingress/templates/controller-leader-election-configmap.yaml apiVersion: v1 kind: ConfigMap metadata: - name: app-protect-wafv5-agentv2-nginx-ingress-leader-election + name: default-nginx-ingress-leader-election namespace: default labels: helm.sh/chart: nginx-ingress-2.3.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: app-protect-wafv5-agentv2 + app.kubernetes.io/instance: default app.kubernetes.io/version: "5.2.0" app.kubernetes.io/managed-by: Helm /-/-/-/ @@ -2097,11 +2123,11 @@ metadata: kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: app-protect-wafv5-agentv2-nginx-ingress + name: default-nginx-ingress labels: helm.sh/chart: nginx-ingress-2.3.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: app-protect-wafv5-agentv2 + app.kubernetes.io/instance: default app.kubernetes.io/version: "5.2.0" app.kubernetes.io/managed-by: Helm rules: @@ -2185,16 +2211,6 @@ rules: - ingresses/status verbs: - update -- apiGroups: - - appprotect.f5.com - resources: - - appolicies - - aplogconfs - - apusersigs - verbs: - - get - - watch - - list - apiGroups: - k8s.nginx.org resources: 
@@ -2221,31 +2237,31 @@ rules: kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: app-protect-wafv5-agentv2-nginx-ingress + name: default-nginx-ingress labels: helm.sh/chart: nginx-ingress-2.3.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: app-protect-wafv5-agentv2 + app.kubernetes.io/instance: default app.kubernetes.io/version: "5.2.0" app.kubernetes.io/managed-by: Helm subjects: - kind: ServiceAccount - name: app-protect-wafv5-agentv2-nginx-ingress + name: default-nginx-ingress namespace: default roleRef: kind: ClusterRole - name: app-protect-wafv5-agentv2-nginx-ingress + name: default-nginx-ingress apiGroup: rbac.authorization.k8s.io /-/-/-/ # Source: nginx-ingress/templates/controller-role.yaml kind: Role apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: app-protect-wafv5-agentv2-nginx-ingress + name: default-nginx-ingress labels: helm.sh/chart: nginx-ingress-2.3.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: app-protect-wafv5-agentv2 + app.kubernetes.io/instance: default app.kubernetes.io/version: "5.2.0" app.kubernetes.io/managed-by: Helm namespace: default @@ -2286,7 +2302,7 @@ rules: resources: - leases resourceNames: - - app-protect-wafv5-agentv2-nginx-ingress-leader-election + - default-nginx-ingress-leader-election verbs: - get - update 
@@ -2301,33 +2317,33 @@ rules: kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: app-protect-wafv5-agentv2-nginx-ingress + name: default-nginx-ingress labels: helm.sh/chart: nginx-ingress-2.3.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: app-protect-wafv5-agentv2 + app.kubernetes.io/instance: default app.kubernetes.io/version: "5.2.0" app.kubernetes.io/managed-by: Helm namespace: default roleRef: apiGroup: rbac.authorization.k8s.io kind: Role - name: app-protect-wafv5-agentv2-nginx-ingress + name: default-nginx-ingress subjects: - kind: ServiceAccount - name: app-protect-wafv5-agentv2-nginx-ingress + name: default-nginx-ingress namespace: default /-/-/-/ # Source: nginx-ingress/templates/controller-service.yaml apiVersion: v1 kind: Service metadata: - name: app-protect-wafv5-agentv2-nginx-ingress-controller + name: default-nginx-ingress-controller namespace: default labels: helm.sh/chart: nginx-ingress-2.3.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: app-protect-wafv5-agentv2 + app.kubernetes.io/instance: default app.kubernetes.io/version: "5.2.0" app.kubernetes.io/managed-by: Helm spec: @@ -2346,18 +2362,18 @@ spec: nodePort: selector: app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: app-protect-wafv5-agentv2 + app.kubernetes.io/instance: default /-/-/-/ # Source: nginx-ingress/templates/controller-deployment.yaml apiVersion: apps/v1 kind: Deployment metadata: - name: app-protect-wafv5-agentv2-nginx-ingress-controller + name: default-nginx-ingress-controller namespace: default labels: helm.sh/chart: nginx-ingress-2.3.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: app-protect-wafv5-agentv2 + app.kubernetes.io/instance: default app.kubernetes.io/version: "5.2.0" app.kubernetes.io/managed-by: Helm spec: 
@@ -2365,39 +2381,19 @@ spec: selector: matchLabels: app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: app-protect-wafv5-agentv2 + app.kubernetes.io/instance: default template: metadata: labels: app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: app-protect-wafv5-agentv2 - agent-configuration-revision-hash: "a8989f3a" + app.kubernetes.io/instance: default annotations: prometheus.io/scrape: "true" prometheus.io/port: "9113" prometheus.io/scheme: "http" spec: - volumes: - - - emptyDir: {} - name: app-protect-bd-config - - emptyDir: {} - name: app-protect-config - - emptyDir: {} - name: app-protect-bundles - - name: agent-conf - configMap: - name: app-protect-wafv5-agentv2-nginx-ingress-agent-config - - name: agent-dynamic - emptyDir: {} - - name: nginx-agent-tls - projected: - sources: - - secret: - name: tls-secret - - secret: - name: ca-secret - serviceAccountName: app-protect-wafv5-agentv2-nginx-ingress + volumes: [] + serviceAccountName: default-nginx-ingress automountServiceAccountToken: true securityContext: seccompProfile: @@ -2440,24 +2436,7 @@ spec: - ALL add: - NET_BIND_SERVICE - volumeMounts: - - - name: app-protect-bd-config - mountPath: /opt/app_protect/bd_config - - name: app-protect-config - mountPath: /opt/app_protect/config - # app-protect-bundles is mounted so that Ingress Controller - # can verify that referenced bundles are present - - name: app-protect-bundles - mountPath: /etc/app_protect/bundles - - name: agent-conf - mountPath: /etc/nginx-agent/nginx-agent.conf - subPath: nginx-agent.conf - - name: agent-dynamic - mountPath: /var/lib/nginx-agent - - name: nginx-agent-tls - mountPath: /etc/ssl/nms - readOnly: true + volumeMounts: [] env: - name: POD_NAMESPACE valueFrom: 
@@ -2469,13 +2448,11 @@ spec: fieldPath: metadata.name args: - - -nginx-plus=true + - -nginx-plus=false - -nginx-reload-timeout=60000 - - -enable-app-protect=true - - -app-protect-enforcer-address="localhost:50001" + - -enable-app-protect=false - -enable-app-protect-dos=false - - -nginx-configmaps=$(POD_NAMESPACE)/app-protect-wafv5-agentv2-nginx-ingress - - -mgmt-configmap=$(POD_NAMESPACE)/app-protect-wafv5-agentv2-nginx-ingress-mgmt + - -nginx-configmaps=$(POD_NAMESPACE)/default-nginx-ingress - -ingress-class=nginx - -health-status=false - -health-status-uri=/nginx-health @@ -2486,9 +2463,9 @@ spec: - -nginx-status-port=8080 - -nginx-status-allow-cidrs=127.0.0.1 - -report-ingress-status - - -external-service=app-protect-wafv5-agentv2-nginx-ingress-controller + - -external-service=default-nginx-ingress-controller - -enable-leader-election=true - - -leader-election-lock-name=app-protect-wafv5-agentv2-nginx-ingress-leader-election + - -leader-election-lock-name=default-nginx-ingress-leader-election - -enable-prometheus-metrics=true - -prometheus-metrics-listen-port=9113 - -prometheus-tls-secret= 
@@ -2510,38 +2487,6 @@ spec: - -ssl-dynamic-reload=true - -enable-telemetry-reporting=true - -weight-changes-dynamic-reload=false - - -agent=true - - -agent-instance-group=app-protect-wafv5-agentv2-nginx-ingress-controller - - - name: waf-enforcer - image: my.private.reg/nap/waf-enforcer:5.6.0 - imagePullPolicy: "IfNotPresent" - env: - - name: ENFORCER_PORT - value: "50001" - - name: ENFORCER_CONFIG_TIMEOUT - value: "0" - volumeMounts: - - name: app-protect-bd-config - mountPath: /opt/app_protect/bd_config - - name: waf-config-mgr - image: my.private.reg/nap/waf-config-mgr:5.6.0 - imagePullPolicy: "IfNotPresent" - securityContext: - - allowPrivilegeEscalation: false - capabilities: - drop: - - all - runAsNonRoot: true - runAsUser: 101 - volumeMounts: - - name: app-protect-bd-config - mountPath: /opt/app_protect/bd_config - - name: app-protect-config - mountPath: /opt/app_protect/config - - name: app-protect-bundles - mountPath: /etc/app_protect/bundles /-/-/-/ # Source: nginx-ingress/templates/controller-ingress-class.yaml apiVersion: networking.k8s.io/v1 
@@ -2551,38 +2496,41 @@ metadata: labels: helm.sh/chart: nginx-ingress-2.3.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: app-protect-wafv5-agentv2 + app.kubernetes.io/instance: default app.kubernetes.io/version: "5.2.0" app.kubernetes.io/managed-by: Helm spec: controller: nginx.org/ingress-controller /-/-/-/ +# Source: nginx-ingress/templates/controller-configmap.yaml +/-/-/-/ +/-/-/-/ # Source: nginx-ingress/templates/controller-lease.yaml apiVersion: coordination.k8s.io/v1 kind: Lease metadata: - name: app-protect-wafv5-agentv2-nginx-ingress-leader-election + name: default-nginx-ingress-leader-election namespace: default labels: helm.sh/chart: nginx-ingress-2.3.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: app-protect-wafv5-agentv2 + app.kubernetes.io/instance: default app.kubernetes.io/version: "5.2.0" app.kubernetes.io/managed-by: Helm --- -[TestHelmNICTemplate/customResources - 1] +[TestHelmNICTemplate/globalConfig - 1] /-/-/-/ # Source: nginx-ingress/templates/controller-serviceaccount.yaml apiVersion: v1 kind: ServiceAccount metadata: - name: custom-resources-nginx-ingress - namespace: custom-resources + name: global-configuration-nginx-ingress + namespace: gc labels: helm.sh/chart: nginx-ingress-2.3.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: custom-resources + app.kubernetes.io/instance: global-configuration app.kubernetes.io/version: "5.2.0" app.kubernetes.io/managed-by: Helm /-/-/-/ @@ -2590,12 +2538,12 @@ metadata: apiVersion: v1 kind: ConfigMap metadata: - name: custom-resources-nginx-ingress - namespace: custom-resources + name: global-configuration-nginx-ingress + namespace: gc labels: helm.sh/chart: nginx-ingress-2.3.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: custom-resources + app.kubernetes.io/instance: global-configuration app.kubernetes.io/version: "5.2.0" app.kubernetes.io/managed-by: Helm data: 
@@ -2605,12 +2553,12 @@ data: apiVersion: v1 kind: ConfigMap metadata: - name: custom-resources-nginx-ingress-leader-election - namespace: custom-resources + name: global-configuration-nginx-ingress-leader-election + namespace: gc labels: helm.sh/chart: nginx-ingress-2.3.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: custom-resources + app.kubernetes.io/instance: global-configuration app.kubernetes.io/version: "5.2.0" app.kubernetes.io/managed-by: Helm /-/-/-/ @@ -2618,11 +2566,11 @@ metadata: kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: custom-resources-nginx-ingress + name: global-configuration-nginx-ingress labels: helm.sh/chart: nginx-ingress-2.3.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: custom-resources + app.kubernetes.io/instance: global-configuration app.kubernetes.io/version: "5.2.0" app.kubernetes.io/managed-by: Helm rules: 
@@ -2706,39 +2654,60 @@ rules: - ingresses/status verbs: - update +- apiGroups: + - k8s.nginx.org + resources: + - virtualservers + - virtualserverroutes + - globalconfigurations + - transportservers + - policies + verbs: + - list + - watch + - get +- apiGroups: + - k8s.nginx.org + resources: + - virtualservers/status + - virtualserverroutes/status + - policies/status + - transportservers/status + verbs: + - update /-/-/-/ # Source: nginx-ingress/templates/clusterrolebinding.yaml kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: custom-resources-nginx-ingress + name: global-configuration-nginx-ingress labels: helm.sh/chart: nginx-ingress-2.3.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: custom-resources + app.kubernetes.io/instance: global-configuration app.kubernetes.io/version: "5.2.0" app.kubernetes.io/managed-by: Helm subjects: - kind: ServiceAccount - name: custom-resources-nginx-ingress - namespace: custom-resources + name: global-configuration-nginx-ingress + namespace: gc roleRef: kind: ClusterRole - name: custom-resources-nginx-ingress + name: global-configuration-nginx-ingress apiGroup: rbac.authorization.k8s.io /-/-/-/ # Source: nginx-ingress/templates/controller-role.yaml kind: Role apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: custom-resources-nginx-ingress + name: global-configuration-nginx-ingress labels: helm.sh/chart: nginx-ingress-2.3.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: custom-resources + app.kubernetes.io/instance: global-configuration app.kubernetes.io/version: "5.2.0" app.kubernetes.io/managed-by: Helm - namespace: custom-resources + namespace: gc rules: - apiGroups: - "" @@ -2776,7 +2745,7 @@ rules: resources: - leases resourceNames: - - custom-resources-nginx-ingress-leader-election + - global-configuration-nginx-ingress-leader-election verbs: - get - update 
@@ -2791,33 +2760,33 @@ rules: kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: custom-resources-nginx-ingress + name: global-configuration-nginx-ingress labels: helm.sh/chart: nginx-ingress-2.3.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: custom-resources + app.kubernetes.io/instance: global-configuration app.kubernetes.io/version: "5.2.0" app.kubernetes.io/managed-by: Helm - namespace: custom-resources + namespace: gc roleRef: apiGroup: rbac.authorization.k8s.io kind: Role - name: custom-resources-nginx-ingress + name: global-configuration-nginx-ingress subjects: - kind: ServiceAccount - name: custom-resources-nginx-ingress - namespace: custom-resources + name: global-configuration-nginx-ingress + namespace: gc /-/-/-/ # Source: nginx-ingress/templates/controller-service.yaml apiVersion: v1 kind: Service metadata: - name: custom-resources-nginx-ingress-controller - namespace: custom-resources + name: global-configuration-nginx-ingress-controller + namespace: gc labels: helm.sh/chart: nginx-ingress-2.3.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: custom-resources + app.kubernetes.io/instance: global-configuration app.kubernetes.io/version: "5.2.0" app.kubernetes.io/managed-by: Helm spec: @@ -2836,18 +2805,18 @@ spec: nodePort: selector: app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: custom-resources + app.kubernetes.io/instance: global-configuration /-/-/-/ # Source: nginx-ingress/templates/controller-deployment.yaml apiVersion: apps/v1 kind: Deployment metadata: - name: custom-resources-nginx-ingress-controller - namespace: custom-resources + name: global-configuration-nginx-ingress-controller + namespace: gc labels: helm.sh/chart: nginx-ingress-2.3.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: custom-resources + app.kubernetes.io/instance: global-configuration app.kubernetes.io/version: "5.2.0" app.kubernetes.io/managed-by: Helm spec: 
@@ -2855,19 +2824,19 @@ spec: selector: matchLabels: app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: custom-resources + app.kubernetes.io/instance: global-configuration template: metadata: labels: app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: custom-resources + app.kubernetes.io/instance: global-configuration annotations: prometheus.io/scrape: "true" prometheus.io/port: "9113" prometheus.io/scheme: "http" spec: volumes: [] - serviceAccountName: custom-resources-nginx-ingress + serviceAccountName: global-configuration-nginx-ingress automountServiceAccountToken: true securityContext: seccompProfile: @@ -2926,7 +2895,7 @@ spec: - -nginx-reload-timeout=60000 - -enable-app-protect=false - -enable-app-protect-dos=false - - -nginx-configmaps=$(POD_NAMESPACE)/custom-resources-nginx-ingress + - -nginx-configmaps=$(POD_NAMESPACE)/global-configuration-nginx-ingress - -ingress-class=nginx - -health-status=false - -health-status-uri=/nginx-health 
@@ -2937,18 +2906,25 @@ spec: - -nginx-status-port=8080 - -nginx-status-allow-cidrs=127.0.0.1 - -report-ingress-status - - -external-service=custom-resources-nginx-ingress-controller + - -external-service=global-configuration-nginx-ingress-controller - -enable-leader-election=true - - -leader-election-lock-name=custom-resources-nginx-ingress-leader-election + - -leader-election-lock-name=global-configuration-nginx-ingress-leader-election - -enable-prometheus-metrics=true - -prometheus-metrics-listen-port=9113 - -prometheus-tls-secret= - -enable-service-insight=false - -service-insight-listen-port=9114 - -service-insight-tls-secret= - - -enable-custom-resources=false + - -enable-custom-resources=true - -enable-snippets=false - -disable-ipv6=false + - -enable-tls-passthrough=false + - -enable-cert-manager=false + - -enable-oidc=false + - -enable-external-dns=false + - -default-http-listener-port=80 + - -default-https-listener-port=443 + - -global-configuration=$(POD_NAMESPACE)/global-configuration-nginx-ingress-controller - -ready-status=true - -ready-status-port=8081 - -enable-latency-metrics=false @@ -2964,7 +2940,7 @@ metadata: labels: helm.sh/chart: nginx-ingress-2.3.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: custom-resources + app.kubernetes.io/instance: global-configuration app.kubernetes.io/version: "5.2.0" app.kubernetes.io/managed-by: Helm spec: 
@@ -2973,32 +2949,53 @@ spec: # Source: nginx-ingress/templates/controller-configmap.yaml /-/-/-/ /-/-/-/ +# Source: nginx-ingress/templates/controller-globalconfiguration.yaml +apiVersion: k8s.nginx.org/v1 +kind: GlobalConfiguration +metadata: + name: global-configuration-nginx-ingress-controller + namespace: gc + labels: + helm.sh/chart: nginx-ingress-2.3.0 + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/instance: global-configuration + app.kubernetes.io/version: "5.2.0" + app.kubernetes.io/managed-by: Helm +spec: + listeners: + - name: dns-udp + port: 5353 + protocol: UDP + - name: dns-tcp + port: 5353 + protocol: TCP +/-/-/-/ # Source: nginx-ingress/templates/controller-lease.yaml apiVersion: coordination.k8s.io/v1 kind: Lease metadata: - name: custom-resources-nginx-ingress-leader-election - namespace: custom-resources + name: global-configuration-nginx-ingress-leader-election + namespace: gc labels: helm.sh/chart: nginx-ingress-2.3.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: custom-resources + app.kubernetes.io/instance: global-configuration app.kubernetes.io/version: "5.2.0" app.kubernetes.io/managed-by: Helm --- -[TestHelmNICTemplate/daemonset - 1] +[TestHelmNICTemplate/ingressClass - 1] /-/-/-/ # Source: nginx-ingress/templates/controller-serviceaccount.yaml apiVersion: v1 kind: ServiceAccount metadata: - name: daemonset-nginx-ingress + name: ingress-class-nginx-ingress namespace: default labels: helm.sh/chart: nginx-ingress-2.3.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: daemonset + app.kubernetes.io/instance: ingress-class app.kubernetes.io/version: "5.2.0" app.kubernetes.io/managed-by: Helm /-/-/-/ 
@@ -3006,12 +3003,12 @@ metadata: apiVersion: v1 kind: ConfigMap metadata: - name: daemonset-nginx-ingress + name: ingress-class-nginx-ingress namespace: default labels: helm.sh/chart: nginx-ingress-2.3.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: daemonset + app.kubernetes.io/instance: ingress-class app.kubernetes.io/version: "5.2.0" app.kubernetes.io/managed-by: Helm data: @@ -3021,12 +3018,12 @@ data: apiVersion: v1 kind: ConfigMap metadata: - name: daemonset-nginx-ingress-leader-election + name: ingress-class-nginx-ingress-leader-election namespace: default labels: helm.sh/chart: nginx-ingress-2.3.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: daemonset + app.kubernetes.io/instance: ingress-class app.kubernetes.io/version: "5.2.0" app.kubernetes.io/managed-by: Helm /-/-/-/ @@ -3034,11 +3031,11 @@ metadata: kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: daemonset-nginx-ingress + name: ingress-class-nginx-ingress labels: helm.sh/chart: nginx-ingress-2.3.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: daemonset + app.kubernetes.io/instance: ingress-class app.kubernetes.io/version: "5.2.0" app.kubernetes.io/managed-by: Helm rules: 
@@ -3148,31 +3145,31 @@ rules: kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: daemonset-nginx-ingress + name: ingress-class-nginx-ingress labels: helm.sh/chart: nginx-ingress-2.3.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: daemonset + app.kubernetes.io/instance: ingress-class app.kubernetes.io/version: "5.2.0" app.kubernetes.io/managed-by: Helm subjects: - kind: ServiceAccount - name: daemonset-nginx-ingress + name: ingress-class-nginx-ingress namespace: default roleRef: kind: ClusterRole - name: daemonset-nginx-ingress + name: ingress-class-nginx-ingress apiGroup: rbac.authorization.k8s.io /-/-/-/ # Source: nginx-ingress/templates/controller-role.yaml kind: Role apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: daemonset-nginx-ingress + name: ingress-class-nginx-ingress labels: helm.sh/chart: nginx-ingress-2.3.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: daemonset + app.kubernetes.io/instance: ingress-class app.kubernetes.io/version: "5.2.0" app.kubernetes.io/managed-by: Helm namespace: default @@ -3213,7 +3210,7 @@ rules: resources: - leases resourceNames: - - daemonset-nginx-ingress-leader-election + - ingress-class-nginx-ingress-leader-election verbs: - get - update 
@@ -3228,33 +3225,33 @@ rules: kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: daemonset-nginx-ingress + name: ingress-class-nginx-ingress labels: helm.sh/chart: nginx-ingress-2.3.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: daemonset + app.kubernetes.io/instance: ingress-class app.kubernetes.io/version: "5.2.0" app.kubernetes.io/managed-by: Helm namespace: default roleRef: apiGroup: rbac.authorization.k8s.io kind: Role - name: daemonset-nginx-ingress + name: ingress-class-nginx-ingress subjects: - kind: ServiceAccount - name: daemonset-nginx-ingress + name: ingress-class-nginx-ingress namespace: default /-/-/-/ # Source: nginx-ingress/templates/controller-service.yaml apiVersion: v1 kind: Service metadata: - name: daemonset-nginx-ingress-controller + name: ingress-class-nginx-ingress-controller namespace: default labels: helm.sh/chart: nginx-ingress-2.3.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: daemonset + app.kubernetes.io/instance: ingress-class app.kubernetes.io/version: "5.2.0" app.kubernetes.io/managed-by: Helm spec: 
@@ -3273,47 +3270,48 @@ spec: nodePort: selector: app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: daemonset + app.kubernetes.io/instance: ingress-class /-/-/-/ -# Source: nginx-ingress/templates/controller-daemonset.yaml +# Source: nginx-ingress/templates/controller-deployment.yaml apiVersion: apps/v1 -kind: DaemonSet +kind: Deployment metadata: - name: daemonset-nginx-ingress-controller + name: ingress-class-nginx-ingress-controller namespace: default labels: helm.sh/chart: nginx-ingress-2.3.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: daemonset + app.kubernetes.io/instance: ingress-class app.kubernetes.io/version: "5.2.0" app.kubernetes.io/managed-by: Helm spec: + replicas: 1 selector: matchLabels: app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: daemonset + app.kubernetes.io/instance: ingress-class template: metadata: labels: app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: daemonset + app.kubernetes.io/instance: ingress-class annotations: prometheus.io/scrape: "true" prometheus.io/port: "9113" prometheus.io/scheme: "http" - spec: - serviceAccountName: daemonset-nginx-ingress + spec: + volumes: [] + serviceAccountName: ingress-class-nginx-ingress automountServiceAccountToken: true securityContext: seccompProfile: type: RuntimeDefault - terminationGracePeriodSeconds: 30 - volumes: [] + terminationGracePeriodSeconds: 30 hostNetwork: false dnsPolicy: ClusterFirst containers: - - name: nginx-ingress - image: nginx/nginx-ingress:5.2.0 + - image: nginx/nginx-ingress:5.2.0 + name: nginx-ingress imagePullPolicy: "IfNotPresent" ports: - name: http @@ -3322,7 +3320,6 @@ spec: - name: https containerPort: 443 protocol: TCP - - name: prometheus containerPort: 9113 - name: readiness-port 
@@ -3333,6 +3330,10 @@ spec: port: readiness-port periodSeconds: 1 initialDelaySeconds: 0 + resources: + requests: + cpu: 100m + memory: 128Mi securityContext: allowPrivilegeEscalation: false readOnlyRootFilesystem: false @@ -3353,18 +3354,14 @@ spec: valueFrom: fieldRef: fieldPath: metadata.name - resources: - requests: - cpu: 100m - memory: 128Mi args: - -nginx-plus=false - -nginx-reload-timeout=60000 - -enable-app-protect=false - -enable-app-protect-dos=false - - -nginx-configmaps=$(POD_NAMESPACE)/daemonset-nginx-ingress - - -ingress-class=nginx + - -nginx-configmaps=$(POD_NAMESPACE)/ingress-class-nginx-ingress + - -ingress-class=changed - -health-status=false - -health-status-uri=/nginx-health - -nginx-debug=false @@ -3374,9 +3371,9 @@ spec: - -nginx-status-port=8080 - -nginx-status-allow-cidrs=127.0.0.1 - -report-ingress-status - - -external-service=daemonset-nginx-ingress-controller + - -external-service=ingress-class-nginx-ingress-controller - -enable-leader-election=true - - -leader-election-lock-name=daemonset-nginx-ingress-leader-election + - -leader-election-lock-name=ingress-class-nginx-ingress-leader-election - -enable-prometheus-metrics=true - -prometheus-metrics-listen-port=9113 - -prometheus-tls-secret= @@ -3403,13 +3400,15 @@ spec: apiVersion: networking.k8s.io/v1 kind: IngressClass metadata: - name: nginx + name: changed labels: helm.sh/chart: nginx-ingress-2.3.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: daemonset + app.kubernetes.io/instance: ingress-class app.kubernetes.io/version: "5.2.0" app.kubernetes.io/managed-by: Helm + annotations: + ingressclass.kubernetes.io/is-default-class: "true" spec: controller: nginx.org/ingress-controller /-/-/-/ 
@@ -3420,28 +3419,28 @@ spec: apiVersion: coordination.k8s.io/v1 kind: Lease metadata: - name: daemonset-nginx-ingress-leader-election + name: ingress-class-nginx-ingress-leader-election namespace: default labels: helm.sh/chart: nginx-ingress-2.3.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: daemonset + app.kubernetes.io/instance: ingress-class app.kubernetes.io/version: "5.2.0" app.kubernetes.io/managed-by: Helm --- -[TestHelmNICTemplate/default_values_file - 1] +[TestHelmNICTemplate/namespace - 1] /-/-/-/ # Source: nginx-ingress/templates/controller-serviceaccount.yaml apiVersion: v1 kind: ServiceAccount metadata: - name: default-nginx-ingress - namespace: default + name: namespace-nginx-ingress + namespace: nginx-ingress labels: helm.sh/chart: nginx-ingress-2.3.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: default + app.kubernetes.io/instance: namespace app.kubernetes.io/version: "5.2.0" app.kubernetes.io/managed-by: Helm /-/-/-/ @@ -3449,12 +3448,12 @@ metadata: apiVersion: v1 kind: ConfigMap metadata: - name: default-nginx-ingress - namespace: default + name: namespace-nginx-ingress + namespace: nginx-ingress labels: helm.sh/chart: nginx-ingress-2.3.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: default + app.kubernetes.io/instance: namespace app.kubernetes.io/version: "5.2.0" app.kubernetes.io/managed-by: Helm data: @@ -3464,12 +3463,12 @@ data: apiVersion: v1 kind: ConfigMap metadata: - name: default-nginx-ingress-leader-election - namespace: default + name: namespace-nginx-ingress-leader-election + namespace: nginx-ingress labels: helm.sh/chart: nginx-ingress-2.3.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: default + app.kubernetes.io/instance: namespace app.kubernetes.io/version: "5.2.0" app.kubernetes.io/managed-by: Helm /-/-/-/ 
@@ -3477,11 +3476,11 @@ metadata: kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: default-nginx-ingress + name: namespace-nginx-ingress labels: helm.sh/chart: nginx-ingress-2.3.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: default + app.kubernetes.io/instance: namespace app.kubernetes.io/version: "5.2.0" app.kubernetes.io/managed-by: Helm rules: @@ -3591,34 +3590,34 @@ rules: kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: default-nginx-ingress + name: namespace-nginx-ingress labels: helm.sh/chart: nginx-ingress-2.3.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: default + app.kubernetes.io/instance: namespace app.kubernetes.io/version: "5.2.0" app.kubernetes.io/managed-by: Helm subjects: - kind: ServiceAccount - name: default-nginx-ingress - namespace: default + name: namespace-nginx-ingress + namespace: nginx-ingress roleRef: kind: ClusterRole - name: default-nginx-ingress + name: namespace-nginx-ingress apiGroup: rbac.authorization.k8s.io /-/-/-/ # Source: nginx-ingress/templates/controller-role.yaml kind: Role apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: default-nginx-ingress + name: namespace-nginx-ingress labels: helm.sh/chart: nginx-ingress-2.3.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: default + app.kubernetes.io/instance: namespace app.kubernetes.io/version: "5.2.0" app.kubernetes.io/managed-by: Helm - namespace: default + namespace: nginx-ingress rules: - apiGroups: - "" @@ -3656,7 +3655,7 @@ rules: resources: - leases resourceNames: - - default-nginx-ingress-leader-election + - namespace-nginx-ingress-leader-election verbs: - get - update 
@@ -3671,33 +3670,33 @@ rules: kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: default-nginx-ingress + name: namespace-nginx-ingress labels: helm.sh/chart: nginx-ingress-2.3.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: default + app.kubernetes.io/instance: namespace app.kubernetes.io/version: "5.2.0" app.kubernetes.io/managed-by: Helm - namespace: default + namespace: nginx-ingress roleRef: apiGroup: rbac.authorization.k8s.io kind: Role - name: default-nginx-ingress + name: namespace-nginx-ingress subjects: - kind: ServiceAccount - name: default-nginx-ingress - namespace: default + name: namespace-nginx-ingress + namespace: nginx-ingress /-/-/-/ # Source: nginx-ingress/templates/controller-service.yaml apiVersion: v1 kind: Service metadata: - name: default-nginx-ingress-controller - namespace: default + name: namespace-nginx-ingress-controller + namespace: nginx-ingress labels: helm.sh/chart: nginx-ingress-2.3.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: default + app.kubernetes.io/instance: namespace app.kubernetes.io/version: "5.2.0" app.kubernetes.io/managed-by: Helm spec: @@ -3716,18 +3715,18 @@ spec: nodePort: selector: app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: default + app.kubernetes.io/instance: namespace /-/-/-/ # Source: nginx-ingress/templates/controller-deployment.yaml apiVersion: apps/v1 kind: Deployment metadata: - name: default-nginx-ingress-controller - namespace: default + name: namespace-nginx-ingress-controller + namespace: nginx-ingress labels: helm.sh/chart: nginx-ingress-2.3.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: default + app.kubernetes.io/instance: namespace app.kubernetes.io/version: "5.2.0" app.kubernetes.io/managed-by: Helm spec: 
@@ -3735,19 +3734,19 @@ spec: selector: matchLabels: app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: default + app.kubernetes.io/instance: namespace template: metadata: labels: app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: default + app.kubernetes.io/instance: namespace annotations: prometheus.io/scrape: "true" prometheus.io/port: "9113" prometheus.io/scheme: "http" spec: volumes: [] - serviceAccountName: default-nginx-ingress + serviceAccountName: namespace-nginx-ingress automountServiceAccountToken: true securityContext: seccompProfile: @@ -3806,7 +3805,7 @@ spec: - -nginx-reload-timeout=60000 - -enable-app-protect=false - -enable-app-protect-dos=false - - -nginx-configmaps=$(POD_NAMESPACE)/default-nginx-ingress + - -nginx-configmaps=$(POD_NAMESPACE)/namespace-nginx-ingress - -ingress-class=nginx - -health-status=false - -health-status-uri=/nginx-health @@ -3817,9 +3816,9 @@ spec: - -nginx-status-port=8080 - -nginx-status-allow-cidrs=127.0.0.1 - -report-ingress-status - - -external-service=default-nginx-ingress-controller + - -external-service=namespace-nginx-ingress-controller - -enable-leader-election=true - - -leader-election-lock-name=default-nginx-ingress-leader-election + - -leader-election-lock-name=namespace-nginx-ingress-leader-election - -enable-prometheus-metrics=true - -prometheus-metrics-listen-port=9113 - -prometheus-tls-secret= @@ -3850,7 +3849,7 @@ metadata: labels: helm.sh/chart: nginx-ingress-2.3.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: default + app.kubernetes.io/instance: namespace app.kubernetes.io/version: "5.2.0" app.kubernetes.io/managed-by: Helm spec: 
@@ -3863,28 +3862,28 @@ spec: apiVersion: coordination.k8s.io/v1 kind: Lease metadata: - name: default-nginx-ingress-leader-election - namespace: default + name: namespace-nginx-ingress-leader-election + namespace: nginx-ingress labels: helm.sh/chart: nginx-ingress-2.3.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: default + app.kubernetes.io/instance: namespace app.kubernetes.io/version: "5.2.0" app.kubernetes.io/managed-by: Helm --- -[TestHelmNICTemplate/globalConfig - 1] +[TestHelmNICTemplate/netpol-disabled - 1] /-/-/-/ # Source: nginx-ingress/templates/controller-serviceaccount.yaml apiVersion: v1 kind: ServiceAccount metadata: - name: global-configuration-nginx-ingress - namespace: gc + name: netpol-disabled-nginx-ingress + namespace: default labels: helm.sh/chart: nginx-ingress-2.3.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: global-configuration + app.kubernetes.io/instance: netpol-disabled app.kubernetes.io/version: "5.2.0" app.kubernetes.io/managed-by: Helm /-/-/-/ @@ -3892,12 +3891,12 @@ metadata: apiVersion: v1 kind: ConfigMap metadata: - name: global-configuration-nginx-ingress - namespace: gc + name: netpol-disabled-nginx-ingress + namespace: default labels: helm.sh/chart: nginx-ingress-2.3.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: global-configuration + app.kubernetes.io/instance: netpol-disabled app.kubernetes.io/version: "5.2.0" app.kubernetes.io/managed-by: Helm data: @@ -3907,12 +3906,12 @@ data: apiVersion: v1 kind: ConfigMap metadata: - name: global-configuration-nginx-ingress-leader-election - namespace: gc + name: netpol-disabled-nginx-ingress-leader-election + namespace: default labels: helm.sh/chart: nginx-ingress-2.3.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: global-configuration + app.kubernetes.io/instance: netpol-disabled app.kubernetes.io/version: "5.2.0" app.kubernetes.io/managed-by: Helm /-/-/-/ 
@@ -3920,11 +3919,11 @@ metadata: kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: global-configuration-nginx-ingress + name: netpol-disabled-nginx-ingress labels: helm.sh/chart: nginx-ingress-2.3.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: global-configuration + app.kubernetes.io/instance: netpol-disabled app.kubernetes.io/version: "5.2.0" app.kubernetes.io/managed-by: Helm rules: @@ -4034,34 +4033,34 @@ rules: kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: global-configuration-nginx-ingress + name: netpol-disabled-nginx-ingress labels: helm.sh/chart: nginx-ingress-2.3.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: global-configuration + app.kubernetes.io/instance: netpol-disabled app.kubernetes.io/version: "5.2.0" app.kubernetes.io/managed-by: Helm subjects: - kind: ServiceAccount - name: global-configuration-nginx-ingress - namespace: gc + name: netpol-disabled-nginx-ingress + namespace: default roleRef: kind: ClusterRole - name: global-configuration-nginx-ingress + name: netpol-disabled-nginx-ingress apiGroup: rbac.authorization.k8s.io /-/-/-/ # Source: nginx-ingress/templates/controller-role.yaml kind: Role apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: global-configuration-nginx-ingress + name: netpol-disabled-nginx-ingress labels: helm.sh/chart: nginx-ingress-2.3.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: global-configuration + app.kubernetes.io/instance: netpol-disabled app.kubernetes.io/version: "5.2.0" app.kubernetes.io/managed-by: Helm - namespace: gc + namespace: default rules: - apiGroups: - "" @@ -4099,7 +4098,7 @@ rules: resources: - leases resourceNames: - - global-configuration-nginx-ingress-leader-election + - netpol-disabled-nginx-ingress-leader-election verbs: - get - update 
@@ -4114,33 +4113,33 @@ rules: kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: global-configuration-nginx-ingress + name: netpol-disabled-nginx-ingress labels: helm.sh/chart: nginx-ingress-2.3.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: global-configuration + app.kubernetes.io/instance: netpol-disabled app.kubernetes.io/version: "5.2.0" app.kubernetes.io/managed-by: Helm - namespace: gc + namespace: default roleRef: apiGroup: rbac.authorization.k8s.io kind: Role - name: global-configuration-nginx-ingress + name: netpol-disabled-nginx-ingress subjects: - kind: ServiceAccount - name: global-configuration-nginx-ingress - namespace: gc + name: netpol-disabled-nginx-ingress + namespace: default /-/-/-/ # Source: nginx-ingress/templates/controller-service.yaml apiVersion: v1 kind: Service metadata: - name: global-configuration-nginx-ingress-controller - namespace: gc + name: netpol-disabled-nginx-ingress-controller + namespace: default labels: helm.sh/chart: nginx-ingress-2.3.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: global-configuration + app.kubernetes.io/instance: netpol-disabled app.kubernetes.io/version: "5.2.0" app.kubernetes.io/managed-by: Helm spec: @@ -4159,18 +4158,18 @@ spec: nodePort: selector: app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: global-configuration + app.kubernetes.io/instance: netpol-disabled /-/-/-/ # Source: nginx-ingress/templates/controller-deployment.yaml apiVersion: apps/v1 kind: Deployment metadata: - name: global-configuration-nginx-ingress-controller - namespace: gc + name: netpol-disabled-nginx-ingress-controller + namespace: default labels: helm.sh/chart: nginx-ingress-2.3.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: global-configuration + app.kubernetes.io/instance: netpol-disabled app.kubernetes.io/version: "5.2.0" app.kubernetes.io/managed-by: Helm spec: 
@@ -4178,19 +4177,19 @@ spec: selector: matchLabels: app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: global-configuration + app.kubernetes.io/instance: netpol-disabled template: metadata: labels: app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: global-configuration + app.kubernetes.io/instance: netpol-disabled annotations: prometheus.io/scrape: "true" prometheus.io/port: "9113" prometheus.io/scheme: "http" spec: volumes: [] - serviceAccountName: global-configuration-nginx-ingress + serviceAccountName: netpol-disabled-nginx-ingress automountServiceAccountToken: true securityContext: seccompProfile: @@ -4249,7 +4248,7 @@ spec: - -nginx-reload-timeout=60000 - -enable-app-protect=false - -enable-app-protect-dos=false - - -nginx-configmaps=$(POD_NAMESPACE)/global-configuration-nginx-ingress + - -nginx-configmaps=$(POD_NAMESPACE)/netpol-disabled-nginx-ingress - -ingress-class=nginx - -health-status=false - -health-status-uri=/nginx-health @@ -4260,9 +4259,9 @@ spec: - -nginx-status-port=8080 - -nginx-status-allow-cidrs=127.0.0.1 - -report-ingress-status - - -external-service=global-configuration-nginx-ingress-controller + - -external-service=netpol-disabled-nginx-ingress-controller - -enable-leader-election=true - - -leader-election-lock-name=global-configuration-nginx-ingress-leader-election + - -leader-election-lock-name=netpol-disabled-nginx-ingress-leader-election - -enable-prometheus-metrics=true - -prometheus-metrics-listen-port=9113 - -prometheus-tls-secret= @@ -4278,7 +4277,6 @@ spec: - -enable-external-dns=false - -default-http-listener-port=80 - -default-https-listener-port=443 - - -global-configuration=$(POD_NAMESPACE)/global-configuration-nginx-ingress-controller - -ready-status=true - -ready-status-port=8081 - -enable-latency-metrics=false 
@@ -4294,7 +4292,7 @@ metadata: labels: helm.sh/chart: nginx-ingress-2.3.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: global-configuration + app.kubernetes.io/instance: netpol-disabled app.kubernetes.io/version: "5.2.0" app.kubernetes.io/managed-by: Helm spec: 
@@ -4303,53 +4301,59 @@ spec: # Source: nginx-ingress/templates/controller-configmap.yaml /-/-/-/ /-/-/-/ -# Source: nginx-ingress/templates/controller-globalconfiguration.yaml -apiVersion: k8s.nginx.org/v1 -kind: GlobalConfiguration +# Source: nginx-ingress/templates/controller-lease.yaml +apiVersion: coordination.k8s.io/v1 +kind: Lease metadata: - name: global-configuration-nginx-ingress-controller - namespace: gc + name: netpol-disabled-nginx-ingress-leader-election + namespace: default labels: helm.sh/chart: nginx-ingress-2.3.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: global-configuration + app.kubernetes.io/instance: netpol-disabled app.kubernetes.io/version: "5.2.0" app.kubernetes.io/managed-by: Helm -spec: - listeners: - - name: dns-udp - port: 5353 - protocol: UDP - - name: dns-tcp - port: 5353 - protocol: TCP +--- + +[TestHelmNICTemplate/netpol-enabled-custom - 1] /-/-/-/ -# Source: nginx-ingress/templates/controller-lease.yaml -apiVersion: coordination.k8s.io/v1 -kind: Lease +# Source: nginx-ingress/templates/controller-networkpolicy.yaml +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy metadata: - name: global-configuration-nginx-ingress-leader-election - namespace: gc + name: netpol-enabled-custom-nginx-ingress-controller-netpol labels: helm.sh/chart: nginx-ingress-2.3.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: global-configuration + app.kubernetes.io/instance: netpol-enabled-custom app.kubernetes.io/version: "5.2.0" app.kubernetes.io/managed-by: Helm ---- - -[TestHelmNICTemplate/ingressClass - 1] +spec: + podSelector: + matchLabels: + app.kubernetes.io/component: controller + app.kubernetes.io/name: nginx-ingress + policyTypes: + - Ingress + ingress: + - from: + - namespaceSelector: + matchLabels: + name: ingress-allow + ports: + - port: 443 + protocol: TCP /-/-/-/ # Source: nginx-ingress/templates/controller-serviceaccount.yaml apiVersion: v1 kind: ServiceAccount metadata: - name: 
ingress-class-nginx-ingress + name: netpol-enabled-custom-nginx-ingress namespace: default labels: helm.sh/chart: nginx-ingress-2.3.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: ingress-class + app.kubernetes.io/instance: netpol-enabled-custom app.kubernetes.io/version: "5.2.0" app.kubernetes.io/managed-by: Helm /-/-/-/ @@ -4357,12 +4361,12 @@ metadata: apiVersion: v1 kind: ConfigMap metadata: - name: ingress-class-nginx-ingress + name: netpol-enabled-custom-nginx-ingress namespace: default labels: helm.sh/chart: nginx-ingress-2.3.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: ingress-class + app.kubernetes.io/instance: netpol-enabled-custom app.kubernetes.io/version: "5.2.0" app.kubernetes.io/managed-by: Helm data: @@ -4372,12 +4376,12 @@ data: apiVersion: v1 kind: ConfigMap metadata: - name: ingress-class-nginx-ingress-leader-election + name: netpol-enabled-custom-nginx-ingress-leader-election namespace: default labels: helm.sh/chart: nginx-ingress-2.3.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: ingress-class + app.kubernetes.io/instance: netpol-enabled-custom app.kubernetes.io/version: "5.2.0" app.kubernetes.io/managed-by: Helm /-/-/-/ @@ -4385,11 +4389,11 @@ metadata: kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: ingress-class-nginx-ingress + name: netpol-enabled-custom-nginx-ingress labels: helm.sh/chart: nginx-ingress-2.3.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: ingress-class + app.kubernetes.io/instance: netpol-enabled-custom app.kubernetes.io/version: "5.2.0" app.kubernetes.io/managed-by: Helm rules: 
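Review bot: The custom `podSelector` in the netpol-enabled-custom case matches on `app.kubernetes.io/component: controller`, but the Deployment pod template rendered for the same release further down carries only `app.kubernetes.io/name` and `app.kubernetes.io/instance`. As rendered, this policy would select no controller pods, so the snapshot pins a NetworkPolicy that restricts nothing. The test values should use labels the pod template actually has, for example `app.kubernetes.io/instance: netpol-enabled-custom`, or the chart should add the component label to the pods. Separately, the NetworkPolicy metadata here and in netpol-enabled-defaults has no `namespace:`, while the ServiceAccount right after it renders `namespace: default`; the template should set the namespace the same way the other controller templates do, so that `helm template | kubectl apply` cannot place the policy in a different namespace from the pods.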
@@ -4499,31 +4503,31 @@ rules: kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: ingress-class-nginx-ingress + name: netpol-enabled-custom-nginx-ingress labels: helm.sh/chart: nginx-ingress-2.3.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: ingress-class + app.kubernetes.io/instance: netpol-enabled-custom app.kubernetes.io/version: "5.2.0" app.kubernetes.io/managed-by: Helm subjects: - kind: ServiceAccount - name: ingress-class-nginx-ingress + name: netpol-enabled-custom-nginx-ingress namespace: default roleRef: kind: ClusterRole - name: ingress-class-nginx-ingress + name: netpol-enabled-custom-nginx-ingress apiGroup: rbac.authorization.k8s.io /-/-/-/ # Source: nginx-ingress/templates/controller-role.yaml kind: Role apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: ingress-class-nginx-ingress + name: netpol-enabled-custom-nginx-ingress labels: helm.sh/chart: nginx-ingress-2.3.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: ingress-class + app.kubernetes.io/instance: netpol-enabled-custom app.kubernetes.io/version: "5.2.0" app.kubernetes.io/managed-by: Helm namespace: default @@ -4564,7 +4568,7 @@ rules: resources: - leases resourceNames: - - ingress-class-nginx-ingress-leader-election + - netpol-enabled-custom-nginx-ingress-leader-election verbs: - get - update 
@@ -4579,33 +4583,33 @@ rules: kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: ingress-class-nginx-ingress + name: netpol-enabled-custom-nginx-ingress labels: helm.sh/chart: nginx-ingress-2.3.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: ingress-class + app.kubernetes.io/instance: netpol-enabled-custom app.kubernetes.io/version: "5.2.0" app.kubernetes.io/managed-by: Helm namespace: default roleRef: apiGroup: rbac.authorization.k8s.io kind: Role - name: ingress-class-nginx-ingress + name: netpol-enabled-custom-nginx-ingress subjects: - kind: ServiceAccount - name: ingress-class-nginx-ingress + name: netpol-enabled-custom-nginx-ingress namespace: default /-/-/-/ # Source: nginx-ingress/templates/controller-service.yaml apiVersion: v1 kind: Service metadata: - name: ingress-class-nginx-ingress-controller + name: netpol-enabled-custom-nginx-ingress-controller namespace: default labels: helm.sh/chart: nginx-ingress-2.3.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: ingress-class + app.kubernetes.io/instance: netpol-enabled-custom app.kubernetes.io/version: "5.2.0" app.kubernetes.io/managed-by: Helm spec: @@ -4624,18 +4628,18 @@ spec: nodePort: selector: app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: ingress-class + app.kubernetes.io/instance: netpol-enabled-custom /-/-/-/ # Source: nginx-ingress/templates/controller-deployment.yaml apiVersion: apps/v1 kind: Deployment metadata: - name: ingress-class-nginx-ingress-controller + name: netpol-enabled-custom-nginx-ingress-controller namespace: default labels: helm.sh/chart: nginx-ingress-2.3.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: ingress-class + app.kubernetes.io/instance: netpol-enabled-custom app.kubernetes.io/version: "5.2.0" app.kubernetes.io/managed-by: Helm spec: 
@@ -4643,19 +4647,19 @@ spec: selector: matchLabels: app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: ingress-class + app.kubernetes.io/instance: netpol-enabled-custom template: metadata: labels: app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: ingress-class + app.kubernetes.io/instance: netpol-enabled-custom annotations: prometheus.io/scrape: "true" prometheus.io/port: "9113" prometheus.io/scheme: "http" spec: volumes: [] - serviceAccountName: ingress-class-nginx-ingress + serviceAccountName: netpol-enabled-custom-nginx-ingress automountServiceAccountToken: true securityContext: seccompProfile: @@ -4714,8 +4718,8 @@ spec: - -nginx-reload-timeout=60000 - -enable-app-protect=false - -enable-app-protect-dos=false - - -nginx-configmaps=$(POD_NAMESPACE)/ingress-class-nginx-ingress - - -ingress-class=changed + - -nginx-configmaps=$(POD_NAMESPACE)/netpol-enabled-custom-nginx-ingress + - -ingress-class=nginx - -health-status=false - -health-status-uri=/nginx-health - -nginx-debug=false @@ -4725,9 +4729,9 @@ spec: - -nginx-status-port=8080 - -nginx-status-allow-cidrs=127.0.0.1 - -report-ingress-status - - -external-service=ingress-class-nginx-ingress-controller + - -external-service=netpol-enabled-custom-nginx-ingress-controller - -enable-leader-election=true - - -leader-election-lock-name=ingress-class-nginx-ingress-leader-election + - -leader-election-lock-name=netpol-enabled-custom-nginx-ingress-leader-election - -enable-prometheus-metrics=true - -prometheus-metrics-listen-port=9113 - -prometheus-tls-secret= 
@@ -4754,15 +4758,13 @@ spec: apiVersion: networking.k8s.io/v1 kind: IngressClass metadata: - name: changed + name: nginx labels: helm.sh/chart: nginx-ingress-2.3.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: ingress-class + app.kubernetes.io/instance: netpol-enabled-custom app.kubernetes.io/version: "5.2.0" app.kubernetes.io/managed-by: Helm - annotations: - ingressclass.kubernetes.io/is-default-class: "true" spec: controller: nginx.org/ingress-controller /-/-/-/ 
@@ -4773,28 +4775,60 @@ spec: apiVersion: coordination.k8s.io/v1 kind: Lease metadata: - name: ingress-class-nginx-ingress-leader-election + name: netpol-enabled-custom-nginx-ingress-leader-election namespace: default labels: helm.sh/chart: nginx-ingress-2.3.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: ingress-class + app.kubernetes.io/instance: netpol-enabled-custom app.kubernetes.io/version: "5.2.0" app.kubernetes.io/managed-by: Helm --- -[TestHelmNICTemplate/namespace - 1] +[TestHelmNICTemplate/netpol-enabled-defaults - 1] +/-/-/-/ +# Source: nginx-ingress/templates/controller-networkpolicy.yaml +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: netpol-enabled-defaults-nginx-ingress-controller-netpol + labels: + helm.sh/chart: nginx-ingress-2.3.0 + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/instance: netpol-enabled-defaults + app.kubernetes.io/version: "5.2.0" + app.kubernetes.io/managed-by: Helm +spec: + podSelector: + matchLabels: + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/instance: netpol-enabled-defaults + policyTypes: + - Ingress + - Egress + ingress: + - from: [] + ports: + - port: 80 + protocol: TCP + - port: 443 + protocol: TCP + egress: + - ports: + - port: 53 + protocol: UDP + to: [] /-/-/-/ # Source: nginx-ingress/templates/controller-serviceaccount.yaml apiVersion: v1 kind: ServiceAccount metadata: - name: namespace-nginx-ingress - namespace: nginx-ingress + name: netpol-enabled-defaults-nginx-ingress + namespace: default labels: helm.sh/chart: nginx-ingress-2.3.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: namespace + app.kubernetes.io/instance: netpol-enabled-defaults app.kubernetes.io/version: "5.2.0" app.kubernetes.io/managed-by: Helm /-/-/-/ 
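Review bot: The only egress rule rendered in the netpol-enabled-defaults case is UDP 53, yet the same release runs the controller with `-enable-leader-election=true` and `-report-ingress-status`, which presumably need TCP access to the API server, and proxied traffic needs to reach backend pods. On a CNI that enforces egress policy, these values would likely cut the controller off from both. If these are what a user gets from `enabled: true` alone, either leave `Egress` out of the default `policyTypes` or add rules for the API server, the upstreams and TCP 53. On the ingress side, port 9113 is annotated `prometheus.io/scrape: "true"` but is not among the allowed ports, so scraping would be blocked. The rendered `from: []` and `to: []` mean "any peer", and that deserves a comment in values.yaml so it is not read as "none".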
@@ -4802,12 +4836,12 @@ metadata: apiVersion: v1 kind: ConfigMap metadata: - name: namespace-nginx-ingress - namespace: nginx-ingress + name: netpol-enabled-defaults-nginx-ingress + namespace: default labels: helm.sh/chart: nginx-ingress-2.3.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: namespace + app.kubernetes.io/instance: netpol-enabled-defaults app.kubernetes.io/version: "5.2.0" app.kubernetes.io/managed-by: Helm data: @@ -4817,12 +4851,12 @@ data: apiVersion: v1 kind: ConfigMap metadata: - name: namespace-nginx-ingress-leader-election - namespace: nginx-ingress + name: netpol-enabled-defaults-nginx-ingress-leader-election + namespace: default labels: helm.sh/chart: nginx-ingress-2.3.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: namespace + app.kubernetes.io/instance: netpol-enabled-defaults app.kubernetes.io/version: "5.2.0" app.kubernetes.io/managed-by: Helm /-/-/-/ @@ -4830,11 +4864,11 @@ metadata: kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: namespace-nginx-ingress + name: netpol-enabled-defaults-nginx-ingress labels: helm.sh/chart: nginx-ingress-2.3.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: namespace + app.kubernetes.io/instance: netpol-enabled-defaults app.kubernetes.io/version: "5.2.0" app.kubernetes.io/managed-by: Helm rules: 
@@ -4944,34 +4978,34 @@ rules: kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: namespace-nginx-ingress + name: netpol-enabled-defaults-nginx-ingress labels: helm.sh/chart: nginx-ingress-2.3.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: namespace + app.kubernetes.io/instance: netpol-enabled-defaults app.kubernetes.io/version: "5.2.0" app.kubernetes.io/managed-by: Helm subjects: - kind: ServiceAccount - name: namespace-nginx-ingress - namespace: nginx-ingress + name: netpol-enabled-defaults-nginx-ingress + namespace: default roleRef: kind: ClusterRole - name: namespace-nginx-ingress + name: netpol-enabled-defaults-nginx-ingress apiGroup: rbac.authorization.k8s.io /-/-/-/ # Source: nginx-ingress/templates/controller-role.yaml kind: Role apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: namespace-nginx-ingress + name: netpol-enabled-defaults-nginx-ingress labels: helm.sh/chart: nginx-ingress-2.3.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: namespace + app.kubernetes.io/instance: netpol-enabled-defaults app.kubernetes.io/version: "5.2.0" app.kubernetes.io/managed-by: Helm - namespace: nginx-ingress + namespace: default rules: - apiGroups: - "" @@ -5009,7 +5043,7 @@ rules: resources: - leases resourceNames: - - namespace-nginx-ingress-leader-election + - netpol-enabled-defaults-nginx-ingress-leader-election verbs: - get - update 
@@ -5024,33 +5058,33 @@ rules: kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: namespace-nginx-ingress + name: netpol-enabled-defaults-nginx-ingress labels: helm.sh/chart: nginx-ingress-2.3.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: namespace + app.kubernetes.io/instance: netpol-enabled-defaults app.kubernetes.io/version: "5.2.0" app.kubernetes.io/managed-by: Helm - namespace: nginx-ingress + namespace: default roleRef: apiGroup: rbac.authorization.k8s.io kind: Role - name: namespace-nginx-ingress + name: netpol-enabled-defaults-nginx-ingress subjects: - kind: ServiceAccount - name: namespace-nginx-ingress - namespace: nginx-ingress + name: netpol-enabled-defaults-nginx-ingress + namespace: default /-/-/-/ # Source: nginx-ingress/templates/controller-service.yaml apiVersion: v1 kind: Service metadata: - name: namespace-nginx-ingress-controller - namespace: nginx-ingress + name: netpol-enabled-defaults-nginx-ingress-controller + namespace: default labels: helm.sh/chart: nginx-ingress-2.3.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: namespace + app.kubernetes.io/instance: netpol-enabled-defaults app.kubernetes.io/version: "5.2.0" app.kubernetes.io/managed-by: Helm spec: @@ -5069,18 +5103,18 @@ spec: nodePort: selector: app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: namespace + app.kubernetes.io/instance: netpol-enabled-defaults /-/-/-/ # Source: nginx-ingress/templates/controller-deployment.yaml apiVersion: apps/v1 kind: Deployment metadata: - name: namespace-nginx-ingress-controller - namespace: nginx-ingress + name: netpol-enabled-defaults-nginx-ingress-controller + namespace: default labels: helm.sh/chart: nginx-ingress-2.3.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: namespace + app.kubernetes.io/instance: netpol-enabled-defaults app.kubernetes.io/version: "5.2.0" app.kubernetes.io/managed-by: Helm spec: 
@@ -5088,19 +5122,19 @@ spec: selector: matchLabels: app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: namespace + app.kubernetes.io/instance: netpol-enabled-defaults template: metadata: labels: app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: namespace + app.kubernetes.io/instance: netpol-enabled-defaults annotations: prometheus.io/scrape: "true" prometheus.io/port: "9113" prometheus.io/scheme: "http" spec: volumes: [] - serviceAccountName: namespace-nginx-ingress + serviceAccountName: netpol-enabled-defaults-nginx-ingress automountServiceAccountToken: true securityContext: seccompProfile: @@ -5159,7 +5193,7 @@ spec: - -nginx-reload-timeout=60000 - -enable-app-protect=false - -enable-app-protect-dos=false - - -nginx-configmaps=$(POD_NAMESPACE)/namespace-nginx-ingress + - -nginx-configmaps=$(POD_NAMESPACE)/netpol-enabled-defaults-nginx-ingress - -ingress-class=nginx - -health-status=false - -health-status-uri=/nginx-health @@ -5170,9 +5204,9 @@ spec: - -nginx-status-port=8080 - -nginx-status-allow-cidrs=127.0.0.1 - -report-ingress-status - - -external-service=namespace-nginx-ingress-controller + - -external-service=netpol-enabled-defaults-nginx-ingress-controller - -enable-leader-election=true - - -leader-election-lock-name=namespace-nginx-ingress-leader-election + - -leader-election-lock-name=netpol-enabled-defaults-nginx-ingress-leader-election - -enable-prometheus-metrics=true - -prometheus-metrics-listen-port=9113 - -prometheus-tls-secret= @@ -5203,7 +5237,7 @@ metadata: labels: helm.sh/chart: nginx-ingress-2.3.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: namespace + app.kubernetes.io/instance: netpol-enabled-defaults app.kubernetes.io/version: "5.2.0" app.kubernetes.io/managed-by: Helm spec: 
@@ -5216,12 +5250,12 @@ spec: apiVersion: coordination.k8s.io/v1 kind: Lease metadata: - name: namespace-nginx-ingress-leader-election - namespace: nginx-ingress + name: netpol-enabled-defaults-nginx-ingress-leader-election + namespace: default labels: helm.sh/chart: nginx-ingress-2.3.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: namespace + app.kubernetes.io/instance: netpol-enabled-defaults app.kubernetes.io/version: "5.2.0" app.kubernetes.io/managed-by: Helm --- @@ -5578,7 +5612,7 @@ spec: labels: app.kubernetes.io/name: nginx-ingress app.kubernetes.io/instance: oss-agent - agent-configuration-revision-hash: "e150cd8a" + agent-configuration-revision-hash: "064c5ae8" annotations: prometheus.io/scrape: "true" prometheus.io/port: "9113" 
@@ -5753,444 +5787,119 @@ data: {} /-/-/-/ # Source: nginx-ingress/templates/controller-configmap.yaml +--- + +[TestHelmNICTemplate/plus-debug - 1] /-/-/-/ +# Source: nginx-ingress/templates/controller-serviceaccount.yaml apiVersion: v1 -kind: ConfigMap +kind: ServiceAccount metadata: - name: plus-nginx-ingress-mgmt + name: plus-debug-nginx-ingress namespace: default labels: helm.sh/chart: nginx-ingress-2.3.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus + app.kubernetes.io/instance: plus-debug app.kubernetes.io/version: "5.2.0" app.kubernetes.io/managed-by: Helm -data: - license-token-secret-name: license-token /-/-/-/ -# Source: nginx-ingress/templates/controller-leader-election-configmap.yaml +# Source: nginx-ingress/templates/controller-configmap.yaml apiVersion: v1 kind: ConfigMap metadata: - name: plus-nginx-ingress-leader-election + name: plus-debug-nginx-ingress namespace: default labels: helm.sh/chart: nginx-ingress-2.3.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus + app.kubernetes.io/instance: plus-debug app.kubernetes.io/version: "5.2.0" app.kubernetes.io/managed-by: Helm +data: + {} /-/-/-/ -# Source: nginx-ingress/templates/clusterrole.yaml -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 +# Source: nginx-ingress/templates/controller-configmap.yaml +--- + +[TestHelmNICTemplate/plus-mgmt - 1] +/-/-/-/ +# Source: nginx-ingress/templates/controller-serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount metadata: - name: plus-nginx-ingress + name: plus-mgmt-nginx-ingress + namespace: default labels: helm.sh/chart: nginx-ingress-2.3.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus + app.kubernetes.io/instance: plus-mgmt app.kubernetes.io/version: "5.2.0" app.kubernetes.io/managed-by: Helm -rules: -- apiGroups: - - "" - resources: - - configmaps - - namespaces - - pods - - secrets - verbs: - - get - - list - - watch -- apiGroups: - - "" - resources: - - events - 
verbs: - - create - - patch - - list -- apiGroups: - - "" - resources: - - services - verbs: - - get - - list - - watch - - create - - update - - patch - - delete -- apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - list - - watch -- apiGroups: - - discovery.k8s.io - resources: - - endpointslices - verbs: - - get - - list - - watch -- apiGroups: - - networking.k8s.io - resources: - - ingresses - verbs: - - get - - list - - watch -- apiGroups: - - "" - resources: - - nodes - verbs: - - list -- apiGroups: - - "apps" - resources: - - replicasets - - daemonsets - verbs: - - get -- apiGroups: - - networking.k8s.io - resources: - - ingressclasses - verbs: - - get - - list -- apiGroups: - - networking.k8s.io - resources: - - ingresses/status - verbs: - - update -- apiGroups: - - k8s.nginx.org - resources: - - virtualservers - - virtualserverroutes - - globalconfigurations - - transportservers - - policies - verbs: - - list - - watch - - get -- apiGroups: - - k8s.nginx.org - resources: - - virtualservers/status - - virtualserverroutes/status - - policies/status - - transportservers/status - verbs: - - update /-/-/-/ -# Source: nginx-ingress/templates/clusterrolebinding.yaml -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 +# Source: nginx-ingress/templates/controller-configmap.yaml +apiVersion: v1 +kind: ConfigMap metadata: - name: plus-nginx-ingress + name: plus-mgmt-nginx-ingress + namespace: default labels: helm.sh/chart: nginx-ingress-2.3.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus + app.kubernetes.io/instance: plus-mgmt app.kubernetes.io/version: "5.2.0" app.kubernetes.io/managed-by: Helm -subjects: -- kind: ServiceAccount - name: plus-nginx-ingress - namespace: default -roleRef: - kind: ClusterRole - name: plus-nginx-ingress - apiGroup: rbac.authorization.k8s.io +data: + {} /-/-/-/ -# Source: nginx-ingress/templates/controller-role.yaml -kind: Role -apiVersion: rbac.authorization.k8s.io/v1 +# 
Source: nginx-ingress/templates/controller-configmap.yaml +--- + +[TestHelmNICTemplate/plus-mgmt-custom-endpoint - 1] +/-/-/-/ +# Source: nginx-ingress/templates/controller-serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount metadata: - name: plus-nginx-ingress + name: plus-mgmt-custom-endpoint-nginx-ingress + namespace: default labels: helm.sh/chart: nginx-ingress-2.3.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus + app.kubernetes.io/instance: plus-mgmt-custom-endpoint app.kubernetes.io/version: "5.2.0" app.kubernetes.io/managed-by: Helm +/-/-/-/ +# Source: nginx-ingress/templates/controller-configmap.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: plus-mgmt-custom-endpoint-nginx-ingress namespace: default -rules: -- apiGroups: - - "" - resources: - - configmaps - - pods - - secrets - - services - verbs: - - get - - list - - watch -- apiGroups: - - "" - resources: - - namespaces - verbs: - - get -- apiGroups: - - "" - resources: - - pods - verbs: - - update -- apiGroups: - - "" - resources: - - events - verbs: - - create - - patch - - list -- apiGroups: - - coordination.k8s.io - resources: - - leases - resourceNames: - - plus-nginx-ingress-leader-election - verbs: - - get - - update -- apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - create -/-/-/-/ -# Source: nginx-ingress/templates/controller-rolebinding.yaml -kind: RoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: plus-nginx-ingress - labels: - helm.sh/chart: nginx-ingress-2.3.0 - app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus - app.kubernetes.io/version: "5.2.0" - app.kubernetes.io/managed-by: Helm - namespace: default -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: plus-nginx-ingress -subjects: -- kind: ServiceAccount - name: plus-nginx-ingress - namespace: default -/-/-/-/ -# Source: nginx-ingress/templates/controller-service.yaml -apiVersion: v1 -kind: Service -metadata: - 
name: plus-nginx-ingress-controller - namespace: default - labels: - helm.sh/chart: nginx-ingress-2.3.0 - app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus - app.kubernetes.io/version: "5.2.0" - app.kubernetes.io/managed-by: Helm -spec: - externalTrafficPolicy: Local - type: LoadBalancer - ports: - - port: 80 - targetPort: 80 - protocol: TCP - name: http - nodePort: - - port: 443 - targetPort: 443 - protocol: TCP - name: https - nodePort: - selector: - app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus -/-/-/-/ -# Source: nginx-ingress/templates/controller-deployment.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: plus-nginx-ingress-controller - namespace: default - labels: - helm.sh/chart: nginx-ingress-2.3.0 - app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus - app.kubernetes.io/version: "5.2.0" - app.kubernetes.io/managed-by: Helm -spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus - template: - metadata: - labels: - app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus - annotations: - prometheus.io/scrape: "true" - prometheus.io/port: "9113" - prometheus.io/scheme: "http" - spec: - volumes: [] - serviceAccountName: plus-nginx-ingress - automountServiceAccountToken: true - securityContext: - seccompProfile: - type: RuntimeDefault - terminationGracePeriodSeconds: 30 - hostNetwork: false - dnsPolicy: ClusterFirst - containers: - - image: nginx/nginx-ingress:5.2.0 - name: nginx-ingress - imagePullPolicy: "IfNotPresent" - ports: - - name: http - containerPort: 80 - protocol: TCP - - name: https - containerPort: 443 - protocol: TCP - - name: prometheus - containerPort: 9113 - - name: readiness-port - containerPort: 8081 - readinessProbe: - httpGet: - path: /nginx-ready - port: readiness-port - periodSeconds: 1 - initialDelaySeconds: 0 - resources: - requests: - cpu: 100m - memory: 128Mi - 
securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: false - runAsUser: 101 #nginx - runAsNonRoot: true - capabilities: - drop: - - ALL - add: - - NET_BIND_SERVICE - volumeMounts: [] - env: - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - args: - - - -nginx-plus=true - - -nginx-reload-timeout=60000 - - -enable-app-protect=false - - -enable-app-protect-dos=false - - -nginx-configmaps=$(POD_NAMESPACE)/plus-nginx-ingress - - -mgmt-configmap=$(POD_NAMESPACE)/plus-nginx-ingress-mgmt - - -ingress-class=nginx - - -health-status=false - - -health-status-uri=/nginx-health - - -nginx-debug=false - - -log-level=info - - -log-format=glog - - -nginx-status=true - - -nginx-status-port=8080 - - -nginx-status-allow-cidrs=127.0.0.1 - - -report-ingress-status - - -external-service=plus-nginx-ingress-controller - - -enable-leader-election=true - - -leader-election-lock-name=plus-nginx-ingress-leader-election - - -enable-prometheus-metrics=true - - -prometheus-metrics-listen-port=9113 - - -prometheus-tls-secret= - - -enable-service-insight=false - - -service-insight-listen-port=9114 - - -service-insight-tls-secret= - - -enable-custom-resources=true - - -enable-snippets=false - - -disable-ipv6=false - - -enable-tls-passthrough=false - - -enable-cert-manager=false - - -enable-oidc=false - - -enable-external-dns=false - - -default-http-listener-port=80 - - -default-https-listener-port=443 - - -ready-status=true - - -ready-status-port=8081 - - -enable-latency-metrics=false - - -ssl-dynamic-reload=true - - -enable-telemetry-reporting=true - - -weight-changes-dynamic-reload=false -/-/-/-/ -# Source: nginx-ingress/templates/controller-ingress-class.yaml -apiVersion: networking.k8s.io/v1 -kind: IngressClass -metadata: - name: nginx labels: helm.sh/chart: nginx-ingress-2.3.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus + 
app.kubernetes.io/instance: plus-mgmt-custom-endpoint app.kubernetes.io/version: "5.2.0" app.kubernetes.io/managed-by: Helm -spec: - controller: nginx.org/ingress-controller +data: + {} /-/-/-/ -# Source: nginx-ingress/templates/controller-lease.yaml -apiVersion: coordination.k8s.io/v1 -kind: Lease -metadata: - name: plus-nginx-ingress-leader-election - namespace: default - labels: - helm.sh/chart: nginx-ingress-2.3.0 - app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus - app.kubernetes.io/version: "5.2.0" - app.kubernetes.io/managed-by: Helm +# Source: nginx-ingress/templates/controller-configmap.yaml --- -[TestHelmNICTemplate/plus-debug - 1] +[TestHelmNICTemplate/plus-mgmt-proxy-host - 1] /-/-/-/ # Source: nginx-ingress/templates/controller-serviceaccount.yaml apiVersion: v1 kind: ServiceAccount metadata: - name: plus-debug-nginx-ingress + name: plus-mgmt-proxy-host-nginx-ingress namespace: default labels: helm.sh/chart: nginx-ingress-2.3.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus-debug + app.kubernetes.io/instance: plus-mgmt-proxy-host app.kubernetes.io/version: "5.2.0" app.kubernetes.io/managed-by: Helm /-/-/-/ 
@@ -6198,2313 +5907,51 @@ metadata: apiVersion: v1 kind: ConfigMap metadata: - name: plus-debug-nginx-ingress + name: plus-mgmt-proxy-host-nginx-ingress namespace: default labels: helm.sh/chart: nginx-ingress-2.3.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus-debug + app.kubernetes.io/instance: plus-mgmt-proxy-host app.kubernetes.io/version: "5.2.0" app.kubernetes.io/managed-by: Helm data: {} /-/-/-/ # Source: nginx-ingress/templates/controller-configmap.yaml +--- + +[TestHelmNICTemplate/plus-mgmt-proxy-host-auth - 1] /-/-/-/ +# Source: nginx-ingress/templates/controller-serviceaccount.yaml apiVersion: v1 -kind: ConfigMap +kind: ServiceAccount metadata: - name: plus-debug-nginx-ingress-mgmt + name: plus-mgmt-proxy-host-auth-nginx-ingress namespace: default labels: helm.sh/chart: nginx-ingress-2.3.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus-debug + app.kubernetes.io/instance: plus-mgmt-proxy-host-auth app.kubernetes.io/version: "5.2.0" app.kubernetes.io/managed-by: Helm -data: - license-token-secret-name: license-token /-/-/-/ -# Source: nginx-ingress/templates/controller-leader-election-configmap.yaml +# Source: nginx-ingress/templates/controller-configmap.yaml apiVersion: v1 kind: ConfigMap metadata: - name: plus-debug-nginx-ingress-leader-election + name: plus-mgmt-proxy-host-auth-nginx-ingress namespace: default labels: helm.sh/chart: nginx-ingress-2.3.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus-debug + app.kubernetes.io/instance: plus-mgmt-proxy-host-auth app.kubernetes.io/version: "5.2.0" app.kubernetes.io/managed-by: Helm +data: + {} /-/-/-/ -# Source: nginx-ingress/templates/clusterrole.yaml -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: plus-debug-nginx-ingress - labels: - helm.sh/chart: nginx-ingress-2.3.0 - app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus-debug - app.kubernetes.io/version: "5.2.0" - 
app.kubernetes.io/managed-by: Helm -rules: -- apiGroups: - - "" - resources: - - configmaps - - namespaces - - pods - - secrets - verbs: - - get - - list - - watch -- apiGroups: - - "" - resources: - - events - verbs: - - create - - patch - - list -- apiGroups: - - "" - resources: - - services - verbs: - - get - - list - - watch - - create - - update - - patch - - delete -- apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - list - - watch -- apiGroups: - - discovery.k8s.io - resources: - - endpointslices - verbs: - - get - - list - - watch -- apiGroups: - - networking.k8s.io - resources: - - ingresses - verbs: - - get - - list - - watch -- apiGroups: - - "" - resources: - - nodes - verbs: - - list -- apiGroups: - - "apps" - resources: - - replicasets - - daemonsets - verbs: - - get -- apiGroups: - - networking.k8s.io - resources: - - ingressclasses - verbs: - - get - - list -- apiGroups: - - networking.k8s.io - resources: - - ingresses/status - verbs: - - update -- apiGroups: - - k8s.nginx.org - resources: - - virtualservers - - virtualserverroutes - - globalconfigurations - - transportservers - - policies - verbs: - - list - - watch - - get -- apiGroups: - - k8s.nginx.org - resources: - - virtualservers/status - - virtualserverroutes/status - - policies/status - - transportservers/status - verbs: - - update -/-/-/-/ -# Source: nginx-ingress/templates/clusterrolebinding.yaml -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: plus-debug-nginx-ingress - labels: - helm.sh/chart: nginx-ingress-2.3.0 - app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus-debug - app.kubernetes.io/version: "5.2.0" - app.kubernetes.io/managed-by: Helm -subjects: -- kind: ServiceAccount - name: plus-debug-nginx-ingress - namespace: default -roleRef: - kind: ClusterRole - name: plus-debug-nginx-ingress - apiGroup: rbac.authorization.k8s.io -/-/-/-/ -# Source: nginx-ingress/templates/controller-role.yaml -kind: Role 
-apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: plus-debug-nginx-ingress - labels: - helm.sh/chart: nginx-ingress-2.3.0 - app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus-debug - app.kubernetes.io/version: "5.2.0" - app.kubernetes.io/managed-by: Helm - namespace: default -rules: -- apiGroups: - - "" - resources: - - configmaps - - pods - - secrets - - services - verbs: - - get - - list - - watch -- apiGroups: - - "" - resources: - - namespaces - verbs: - - get -- apiGroups: - - "" - resources: - - pods - verbs: - - update -- apiGroups: - - "" - resources: - - events - verbs: - - create - - patch - - list -- apiGroups: - - coordination.k8s.io - resources: - - leases - resourceNames: - - plus-debug-nginx-ingress-leader-election - verbs: - - get - - update -- apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - create -/-/-/-/ -# Source: nginx-ingress/templates/controller-rolebinding.yaml -kind: RoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: plus-debug-nginx-ingress - labels: - helm.sh/chart: nginx-ingress-2.3.0 - app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus-debug - app.kubernetes.io/version: "5.2.0" - app.kubernetes.io/managed-by: Helm - namespace: default -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: plus-debug-nginx-ingress -subjects: -- kind: ServiceAccount - name: plus-debug-nginx-ingress - namespace: default -/-/-/-/ -# Source: nginx-ingress/templates/controller-service.yaml -apiVersion: v1 -kind: Service -metadata: - name: plus-debug-nginx-ingress-controller - namespace: default - labels: - helm.sh/chart: nginx-ingress-2.3.0 - app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus-debug - app.kubernetes.io/version: "5.2.0" - app.kubernetes.io/managed-by: Helm -spec: - externalTrafficPolicy: Local - type: LoadBalancer - ports: - - port: 80 - targetPort: 80 - protocol: TCP - name: http - nodePort: - - port: 443 - 
targetPort: 443 - protocol: TCP - name: https - nodePort: - selector: - app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus-debug -/-/-/-/ -# Source: nginx-ingress/templates/controller-deployment.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: plus-debug-nginx-ingress-controller - namespace: default - labels: - helm.sh/chart: nginx-ingress-2.3.0 - app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus-debug - app.kubernetes.io/version: "5.2.0" - app.kubernetes.io/managed-by: Helm -spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus-debug - template: - metadata: - labels: - app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus-debug - annotations: - prometheus.io/scrape: "true" - prometheus.io/port: "9113" - prometheus.io/scheme: "http" - spec: - volumes: [] - serviceAccountName: plus-debug-nginx-ingress - automountServiceAccountToken: true - securityContext: - seccompProfile: - type: RuntimeDefault - terminationGracePeriodSeconds: 30 - hostNetwork: false - dnsPolicy: ClusterFirst - containers: - - image: nginx/nginx-ingress:5.2.0 - name: nginx-ingress - imagePullPolicy: "IfNotPresent" - ports: - - name: http - containerPort: 80 - protocol: TCP - - name: https - containerPort: 443 - protocol: TCP - - name: prometheus - containerPort: 9113 - - name: readiness-port - containerPort: 8081 - readinessProbe: - httpGet: - path: /nginx-ready - port: readiness-port - periodSeconds: 1 - initialDelaySeconds: 0 - resources: - requests: - cpu: 100m - memory: 128Mi - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: false - runAsUser: 101 #nginx - runAsNonRoot: true - capabilities: - drop: - - ALL - add: - - NET_BIND_SERVICE - volumeMounts: [] - env: - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - args: - - - 
--listen=:2345 - - --headless=true - - --log=true - - --log-output=debugger,debuglineerr,gdbwire,lldbout,rpc,dap,fncall,minidump,stack - - --accept-multiclient - - --api-version=2 - - exec - - ./nginx-ingress - - --continue - - -- - - -nginx-plus=true - - -nginx-reload-timeout=60000 - - -enable-app-protect=false - - -enable-app-protect-dos=false - - -nginx-configmaps=$(POD_NAMESPACE)/plus-debug-nginx-ingress - - -mgmt-configmap=$(POD_NAMESPACE)/plus-debug-nginx-ingress-mgmt - - -ingress-class=nginx - - -health-status=false - - -health-status-uri=/nginx-health - - -nginx-debug=false - - -log-level=info - - -log-format=glog - - -nginx-status=true - - -nginx-status-port=8080 - - -nginx-status-allow-cidrs=127.0.0.1 - - -report-ingress-status - - -external-service=plus-debug-nginx-ingress-controller - - -enable-leader-election=true - - -leader-election-lock-name=plus-debug-nginx-ingress-leader-election - - -enable-prometheus-metrics=true - - -prometheus-metrics-listen-port=9113 - - -prometheus-tls-secret= - - -enable-service-insight=false - - -service-insight-listen-port=9114 - - -service-insight-tls-secret= - - -enable-custom-resources=true - - -enable-snippets=false - - -disable-ipv6=false - - -enable-tls-passthrough=false - - -enable-cert-manager=false - - -enable-oidc=false - - -enable-external-dns=false - - -default-http-listener-port=80 - - -default-https-listener-port=443 - - -ready-status=true - - -ready-status-port=8081 - - -enable-latency-metrics=false - - -ssl-dynamic-reload=true - - -enable-telemetry-reporting=true - - -weight-changes-dynamic-reload=false -/-/-/-/ -# Source: nginx-ingress/templates/controller-ingress-class.yaml -apiVersion: networking.k8s.io/v1 -kind: IngressClass -metadata: - name: nginx - labels: - helm.sh/chart: nginx-ingress-2.3.0 - app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus-debug - app.kubernetes.io/version: "5.2.0" - app.kubernetes.io/managed-by: Helm -spec: - controller: nginx.org/ingress-controller 
-/-/-/-/ -# Source: nginx-ingress/templates/controller-lease.yaml -apiVersion: coordination.k8s.io/v1 -kind: Lease -metadata: - name: plus-debug-nginx-ingress-leader-election - namespace: default - labels: - helm.sh/chart: nginx-ingress-2.3.0 - app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus-debug - app.kubernetes.io/version: "5.2.0" - app.kubernetes.io/managed-by: Helm ---- - -[TestHelmNICTemplate/plus-mgmt - 1] -/-/-/-/ -# Source: nginx-ingress/templates/controller-serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: plus-mgmt-nginx-ingress - namespace: default - labels: - helm.sh/chart: nginx-ingress-2.3.0 - app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus-mgmt - app.kubernetes.io/version: "5.2.0" - app.kubernetes.io/managed-by: Helm -/-/-/-/ -# Source: nginx-ingress/templates/controller-configmap.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: plus-mgmt-nginx-ingress - namespace: default - labels: - helm.sh/chart: nginx-ingress-2.3.0 - app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus-mgmt - app.kubernetes.io/version: "5.2.0" - app.kubernetes.io/managed-by: Helm -data: - {} -/-/-/-/ -# Source: nginx-ingress/templates/controller-configmap.yaml -/-/-/-/ -apiVersion: v1 -kind: ConfigMap -metadata: - name: plus-mgmt-nginx-ingress-mgmt - namespace: default - labels: - helm.sh/chart: nginx-ingress-2.3.0 - app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus-mgmt - app.kubernetes.io/version: "5.2.0" - app.kubernetes.io/managed-by: Helm -data: - license-token-secret-name: license - ssl-verify: "false" - enforce-initial-report: "true" - usage-report-endpoint: "11.22.33.44" - usage-report-interval: "7h" - usage-report-proxy-host: "44.55.66.77:88" - ssl-trusted-certificate-secret-name: "ssl-trusted" - ssl-certificate-secret-name: "ssl-cert" - resolver-addresses: "example.com" - resolver-ipv6: "false" - resolver-valid: "15s" -/-/-/-/ -# Source: 
nginx-ingress/templates/controller-leader-election-configmap.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: plus-mgmt-nginx-ingress-leader-election - namespace: default - labels: - helm.sh/chart: nginx-ingress-2.3.0 - app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus-mgmt - app.kubernetes.io/version: "5.2.0" - app.kubernetes.io/managed-by: Helm -/-/-/-/ -# Source: nginx-ingress/templates/clusterrole.yaml -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: plus-mgmt-nginx-ingress - labels: - helm.sh/chart: nginx-ingress-2.3.0 - app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus-mgmt - app.kubernetes.io/version: "5.2.0" - app.kubernetes.io/managed-by: Helm -rules: -- apiGroups: - - "" - resources: - - configmaps - - namespaces - - pods - - secrets - verbs: - - get - - list - - watch -- apiGroups: - - "" - resources: - - events - verbs: - - create - - patch - - list -- apiGroups: - - "" - resources: - - services - verbs: - - get - - list - - watch - - create - - update - - patch - - delete -- apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - list - - watch -- apiGroups: - - discovery.k8s.io - resources: - - endpointslices - verbs: - - get - - list - - watch -- apiGroups: - - networking.k8s.io - resources: - - ingresses - verbs: - - get - - list - - watch -- apiGroups: - - "" - resources: - - nodes - verbs: - - list -- apiGroups: - - "apps" - resources: - - replicasets - - daemonsets - verbs: - - get -- apiGroups: - - networking.k8s.io - resources: - - ingressclasses - verbs: - - get - - list -- apiGroups: - - networking.k8s.io - resources: - - ingresses/status - verbs: - - update -- apiGroups: - - k8s.nginx.org - resources: - - virtualservers - - virtualserverroutes - - globalconfigurations - - transportservers - - policies - verbs: - - list - - watch - - get -- apiGroups: - - k8s.nginx.org - resources: - - virtualservers/status - - virtualserverroutes/status - - 
policies/status - - transportservers/status - verbs: - - update -/-/-/-/ -# Source: nginx-ingress/templates/clusterrolebinding.yaml -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: plus-mgmt-nginx-ingress - labels: - helm.sh/chart: nginx-ingress-2.3.0 - app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus-mgmt - app.kubernetes.io/version: "5.2.0" - app.kubernetes.io/managed-by: Helm -subjects: -- kind: ServiceAccount - name: plus-mgmt-nginx-ingress - namespace: default -roleRef: - kind: ClusterRole - name: plus-mgmt-nginx-ingress - apiGroup: rbac.authorization.k8s.io -/-/-/-/ -# Source: nginx-ingress/templates/controller-role.yaml -kind: Role -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: plus-mgmt-nginx-ingress - labels: - helm.sh/chart: nginx-ingress-2.3.0 - app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus-mgmt - app.kubernetes.io/version: "5.2.0" - app.kubernetes.io/managed-by: Helm - namespace: default -rules: -- apiGroups: - - "" - resources: - - configmaps - - pods - - secrets - - services - verbs: - - get - - list - - watch -- apiGroups: - - "" - resources: - - namespaces - verbs: - - get -- apiGroups: - - "" - resources: - - pods - verbs: - - update -- apiGroups: - - "" - resources: - - events - verbs: - - create - - patch - - list -- apiGroups: - - coordination.k8s.io - resources: - - leases - resourceNames: - - plus-mgmt-nginx-ingress-leader-election - verbs: - - get - - update -- apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - create -/-/-/-/ -# Source: nginx-ingress/templates/controller-rolebinding.yaml -kind: RoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: plus-mgmt-nginx-ingress - labels: - helm.sh/chart: nginx-ingress-2.3.0 - app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus-mgmt - app.kubernetes.io/version: "5.2.0" - app.kubernetes.io/managed-by: Helm - namespace: default -roleRef: - 
apiGroup: rbac.authorization.k8s.io - kind: Role - name: plus-mgmt-nginx-ingress -subjects: -- kind: ServiceAccount - name: plus-mgmt-nginx-ingress - namespace: default -/-/-/-/ -# Source: nginx-ingress/templates/controller-service.yaml -apiVersion: v1 -kind: Service -metadata: - name: plus-mgmt-nginx-ingress-controller - namespace: default - labels: - helm.sh/chart: nginx-ingress-2.3.0 - app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus-mgmt - app.kubernetes.io/version: "5.2.0" - app.kubernetes.io/managed-by: Helm -spec: - externalTrafficPolicy: Local - type: LoadBalancer - ports: - - port: 80 - targetPort: 80 - protocol: TCP - name: http - nodePort: - - port: 443 - targetPort: 443 - protocol: TCP - name: https - nodePort: - selector: - app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus-mgmt -/-/-/-/ -# Source: nginx-ingress/templates/controller-deployment.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: plus-mgmt-nginx-ingress-controller - namespace: default - labels: - helm.sh/chart: nginx-ingress-2.3.0 - app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus-mgmt - app.kubernetes.io/version: "5.2.0" - app.kubernetes.io/managed-by: Helm -spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus-mgmt - template: - metadata: - labels: - app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus-mgmt - annotations: - prometheus.io/scrape: "true" - prometheus.io/port: "9113" - prometheus.io/scheme: "http" - spec: - volumes: [] - serviceAccountName: plus-mgmt-nginx-ingress - automountServiceAccountToken: true - securityContext: - seccompProfile: - type: RuntimeDefault - terminationGracePeriodSeconds: 30 - hostNetwork: false - dnsPolicy: ClusterFirst - containers: - - image: nginx/nginx-ingress:5.2.0 - name: nginx-ingress - imagePullPolicy: "IfNotPresent" - ports: - - name: http - containerPort: 80 - protocol: TCP - 
- name: https - containerPort: 443 - protocol: TCP - - name: prometheus - containerPort: 9113 - - name: readiness-port - containerPort: 8081 - readinessProbe: - httpGet: - path: /nginx-ready - port: readiness-port - periodSeconds: 1 - initialDelaySeconds: 0 - resources: - requests: - cpu: 100m - memory: 128Mi - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: false - runAsUser: 101 #nginx - runAsNonRoot: true - capabilities: - drop: - - ALL - add: - - NET_BIND_SERVICE - volumeMounts: [] - env: - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: PROXY_USER - valueFrom: - secretKeyRef: - name: proxy-credentials - key: username - - name: PROXY_PASS - valueFrom: - secretKeyRef: - name: proxy-credentials - key: password - args: - - - -nginx-plus=true - - -nginx-reload-timeout=60000 - - -enable-app-protect=false - - -enable-app-protect-dos=false - - -nginx-configmaps=$(POD_NAMESPACE)/plus-mgmt-nginx-ingress - - -mgmt-configmap=$(POD_NAMESPACE)/plus-mgmt-nginx-ingress-mgmt - - -ingress-class=nginx - - -health-status=false - - -health-status-uri=/nginx-health - - -nginx-debug=false - - -log-level=info - - -log-format=glog - - -nginx-status=true - - -nginx-status-port=8080 - - -nginx-status-allow-cidrs=127.0.0.1 - - -report-ingress-status - - -external-service=plus-mgmt-nginx-ingress-controller - - -enable-leader-election=true - - -leader-election-lock-name=plus-mgmt-nginx-ingress-leader-election - - -enable-prometheus-metrics=true - - -prometheus-metrics-listen-port=9113 - - -prometheus-tls-secret= - - -enable-service-insight=false - - -service-insight-listen-port=9114 - - -service-insight-tls-secret= - - -enable-custom-resources=true - - -enable-snippets=false - - -disable-ipv6=false - - -enable-tls-passthrough=false - - -enable-cert-manager=false - - -enable-oidc=false - - -enable-external-dns=false - - -default-http-listener-port=80 - 
- -default-https-listener-port=443 - - -ready-status=true - - -ready-status-port=8081 - - -enable-latency-metrics=false - - -ssl-dynamic-reload=true - - -enable-telemetry-reporting=true - - -weight-changes-dynamic-reload=false -/-/-/-/ -# Source: nginx-ingress/templates/controller-ingress-class.yaml -apiVersion: networking.k8s.io/v1 -kind: IngressClass -metadata: - name: nginx - labels: - helm.sh/chart: nginx-ingress-2.3.0 - app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus-mgmt - app.kubernetes.io/version: "5.2.0" - app.kubernetes.io/managed-by: Helm -spec: - controller: nginx.org/ingress-controller -/-/-/-/ -# Source: nginx-ingress/templates/controller-lease.yaml -apiVersion: coordination.k8s.io/v1 -kind: Lease -metadata: - name: plus-mgmt-nginx-ingress-leader-election - namespace: default - labels: - helm.sh/chart: nginx-ingress-2.3.0 - app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus-mgmt - app.kubernetes.io/version: "5.2.0" - app.kubernetes.io/managed-by: Helm ---- - -[TestHelmNICTemplate/plus-mgmt-custom-endpoint - 1] -/-/-/-/ -# Source: nginx-ingress/templates/controller-serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: plus-mgmt-custom-endpoint-nginx-ingress - namespace: default - labels: - helm.sh/chart: nginx-ingress-2.3.0 - app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus-mgmt-custom-endpoint - app.kubernetes.io/version: "5.2.0" - app.kubernetes.io/managed-by: Helm -/-/-/-/ -# Source: nginx-ingress/templates/controller-configmap.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: plus-mgmt-custom-endpoint-nginx-ingress - namespace: default - labels: - helm.sh/chart: nginx-ingress-2.3.0 - app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus-mgmt-custom-endpoint - app.kubernetes.io/version: "5.2.0" - app.kubernetes.io/managed-by: Helm -data: - {} -/-/-/-/ -# Source: nginx-ingress/templates/controller-configmap.yaml -/-/-/-/ 
-apiVersion: v1 -kind: ConfigMap -metadata: - name: plus-mgmt-custom-endpoint-nginx-ingress-mgmt - namespace: default - labels: - helm.sh/chart: nginx-ingress-2.3.0 - app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus-mgmt-custom-endpoint - app.kubernetes.io/version: "5.2.0" - app.kubernetes.io/managed-by: Helm -data: - license-token-secret-name: license-token - usage-report-endpoint: "11.22.33.44" -/-/-/-/ -# Source: nginx-ingress/templates/controller-leader-election-configmap.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: plus-mgmt-custom-endpoint-nginx-ingress-leader-election - namespace: default - labels: - helm.sh/chart: nginx-ingress-2.3.0 - app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus-mgmt-custom-endpoint - app.kubernetes.io/version: "5.2.0" - app.kubernetes.io/managed-by: Helm -/-/-/-/ -# Source: nginx-ingress/templates/clusterrole.yaml -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: plus-mgmt-custom-endpoint-nginx-ingress - labels: - helm.sh/chart: nginx-ingress-2.3.0 - app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus-mgmt-custom-endpoint - app.kubernetes.io/version: "5.2.0" - app.kubernetes.io/managed-by: Helm -rules: -- apiGroups: - - "" - resources: - - configmaps - - namespaces - - pods - - secrets - verbs: - - get - - list - - watch -- apiGroups: - - "" - resources: - - events - verbs: - - create - - patch - - list -- apiGroups: - - "" - resources: - - services - verbs: - - get - - list - - watch - - create - - update - - patch - - delete -- apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - list - - watch -- apiGroups: - - discovery.k8s.io - resources: - - endpointslices - verbs: - - get - - list - - watch -- apiGroups: - - networking.k8s.io - resources: - - ingresses - verbs: - - get - - list - - watch -- apiGroups: - - "" - resources: - - nodes - verbs: - - list -- apiGroups: - - "apps" - resources: - - 
replicasets - - daemonsets - verbs: - - get -- apiGroups: - - networking.k8s.io - resources: - - ingressclasses - verbs: - - get - - list -- apiGroups: - - networking.k8s.io - resources: - - ingresses/status - verbs: - - update -- apiGroups: - - k8s.nginx.org - resources: - - virtualservers - - virtualserverroutes - - globalconfigurations - - transportservers - - policies - verbs: - - list - - watch - - get -- apiGroups: - - k8s.nginx.org - resources: - - virtualservers/status - - virtualserverroutes/status - - policies/status - - transportservers/status - verbs: - - update -/-/-/-/ -# Source: nginx-ingress/templates/clusterrolebinding.yaml -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: plus-mgmt-custom-endpoint-nginx-ingress - labels: - helm.sh/chart: nginx-ingress-2.3.0 - app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus-mgmt-custom-endpoint - app.kubernetes.io/version: "5.2.0" - app.kubernetes.io/managed-by: Helm -subjects: -- kind: ServiceAccount - name: plus-mgmt-custom-endpoint-nginx-ingress - namespace: default -roleRef: - kind: ClusterRole - name: plus-mgmt-custom-endpoint-nginx-ingress - apiGroup: rbac.authorization.k8s.io -/-/-/-/ -# Source: nginx-ingress/templates/controller-role.yaml -kind: Role -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: plus-mgmt-custom-endpoint-nginx-ingress - labels: - helm.sh/chart: nginx-ingress-2.3.0 - app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus-mgmt-custom-endpoint - app.kubernetes.io/version: "5.2.0" - app.kubernetes.io/managed-by: Helm - namespace: default -rules: -- apiGroups: - - "" - resources: - - configmaps - - pods - - secrets - - services - verbs: - - get - - list - - watch -- apiGroups: - - "" - resources: - - namespaces - verbs: - - get -- apiGroups: - - "" - resources: - - pods - verbs: - - update -- apiGroups: - - "" - resources: - - events - verbs: - - create - - patch - - list -- apiGroups: - - 
coordination.k8s.io - resources: - - leases - resourceNames: - - plus-mgmt-custom-endpoint-nginx-ingress-leader-election - verbs: - - get - - update -- apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - create -/-/-/-/ -# Source: nginx-ingress/templates/controller-rolebinding.yaml -kind: RoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: plus-mgmt-custom-endpoint-nginx-ingress - labels: - helm.sh/chart: nginx-ingress-2.3.0 - app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus-mgmt-custom-endpoint - app.kubernetes.io/version: "5.2.0" - app.kubernetes.io/managed-by: Helm - namespace: default -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: plus-mgmt-custom-endpoint-nginx-ingress -subjects: -- kind: ServiceAccount - name: plus-mgmt-custom-endpoint-nginx-ingress - namespace: default -/-/-/-/ -# Source: nginx-ingress/templates/controller-service.yaml -apiVersion: v1 -kind: Service -metadata: - name: plus-mgmt-custom-endpoint-nginx-ingress-controller - namespace: default - labels: - helm.sh/chart: nginx-ingress-2.3.0 - app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus-mgmt-custom-endpoint - app.kubernetes.io/version: "5.2.0" - app.kubernetes.io/managed-by: Helm -spec: - externalTrafficPolicy: Local - type: LoadBalancer - ports: - - port: 80 - targetPort: 80 - protocol: TCP - name: http - nodePort: - - port: 443 - targetPort: 443 - protocol: TCP - name: https - nodePort: - selector: - app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus-mgmt-custom-endpoint -/-/-/-/ -# Source: nginx-ingress/templates/controller-deployment.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: plus-mgmt-custom-endpoint-nginx-ingress-controller - namespace: default - labels: - helm.sh/chart: nginx-ingress-2.3.0 - app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus-mgmt-custom-endpoint - app.kubernetes.io/version: "5.2.0" - 
app.kubernetes.io/managed-by: Helm -spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus-mgmt-custom-endpoint - template: - metadata: - labels: - app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus-mgmt-custom-endpoint - annotations: - prometheus.io/scrape: "true" - prometheus.io/port: "9113" - prometheus.io/scheme: "http" - spec: - volumes: [] - serviceAccountName: plus-mgmt-custom-endpoint-nginx-ingress - automountServiceAccountToken: true - securityContext: - seccompProfile: - type: RuntimeDefault - terminationGracePeriodSeconds: 30 - hostNetwork: false - dnsPolicy: ClusterFirst - containers: - - image: nginx/nginx-ingress:5.2.0 - name: nginx-ingress - imagePullPolicy: "IfNotPresent" - ports: - - name: http - containerPort: 80 - protocol: TCP - - name: https - containerPort: 443 - protocol: TCP - - name: prometheus - containerPort: 9113 - - name: readiness-port - containerPort: 8081 - readinessProbe: - httpGet: - path: /nginx-ready - port: readiness-port - periodSeconds: 1 - initialDelaySeconds: 0 - resources: - requests: - cpu: 100m - memory: 128Mi - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: false - runAsUser: 101 #nginx - runAsNonRoot: true - capabilities: - drop: - - ALL - add: - - NET_BIND_SERVICE - volumeMounts: [] - env: - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - args: - - - -nginx-plus=true - - -nginx-reload-timeout=60000 - - -enable-app-protect=false - - -enable-app-protect-dos=false - - -nginx-configmaps=$(POD_NAMESPACE)/plus-mgmt-custom-endpoint-nginx-ingress - - -mgmt-configmap=$(POD_NAMESPACE)/plus-mgmt-custom-endpoint-nginx-ingress-mgmt - - -ingress-class=nginx - - -health-status=false - - -health-status-uri=/nginx-health - - -nginx-debug=false - - -log-level=info - - -log-format=glog - - -nginx-status=true - - 
-nginx-status-port=8080 - - -nginx-status-allow-cidrs=127.0.0.1 - - -report-ingress-status - - -external-service=plus-mgmt-custom-endpoint-nginx-ingress-controller - - -enable-leader-election=true - - -leader-election-lock-name=plus-mgmt-custom-endpoint-nginx-ingress-leader-election - - -enable-prometheus-metrics=true - - -prometheus-metrics-listen-port=9113 - - -prometheus-tls-secret= - - -enable-service-insight=false - - -service-insight-listen-port=9114 - - -service-insight-tls-secret= - - -enable-custom-resources=true - - -enable-snippets=false - - -disable-ipv6=false - - -enable-tls-passthrough=false - - -enable-cert-manager=false - - -enable-oidc=false - - -enable-external-dns=false - - -default-http-listener-port=80 - - -default-https-listener-port=443 - - -ready-status=true - - -ready-status-port=8081 - - -enable-latency-metrics=false - - -ssl-dynamic-reload=true - - -enable-telemetry-reporting=true - - -weight-changes-dynamic-reload=false -/-/-/-/ -# Source: nginx-ingress/templates/controller-ingress-class.yaml -apiVersion: networking.k8s.io/v1 -kind: IngressClass -metadata: - name: nginx - labels: - helm.sh/chart: nginx-ingress-2.3.0 - app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus-mgmt-custom-endpoint - app.kubernetes.io/version: "5.2.0" - app.kubernetes.io/managed-by: Helm -spec: - controller: nginx.org/ingress-controller -/-/-/-/ -# Source: nginx-ingress/templates/controller-lease.yaml -apiVersion: coordination.k8s.io/v1 -kind: Lease -metadata: - name: plus-mgmt-custom-endpoint-nginx-ingress-leader-election - namespace: default - labels: - helm.sh/chart: nginx-ingress-2.3.0 - app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus-mgmt-custom-endpoint - app.kubernetes.io/version: "5.2.0" - app.kubernetes.io/managed-by: Helm ---- - -[TestHelmNICTemplate/plus-mgmt-proxy-host - 1] -/-/-/-/ -# Source: nginx-ingress/templates/controller-serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: 
plus-mgmt-proxy-host-nginx-ingress - namespace: default - labels: - helm.sh/chart: nginx-ingress-2.3.0 - app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus-mgmt-proxy-host - app.kubernetes.io/version: "5.2.0" - app.kubernetes.io/managed-by: Helm -/-/-/-/ -# Source: nginx-ingress/templates/controller-configmap.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: plus-mgmt-proxy-host-nginx-ingress - namespace: default - labels: - helm.sh/chart: nginx-ingress-2.3.0 - app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus-mgmt-proxy-host - app.kubernetes.io/version: "5.2.0" - app.kubernetes.io/managed-by: Helm -data: - {} -/-/-/-/ -# Source: nginx-ingress/templates/controller-configmap.yaml -/-/-/-/ -apiVersion: v1 -kind: ConfigMap -metadata: - name: plus-mgmt-proxy-host-nginx-ingress-mgmt - namespace: default - labels: - helm.sh/chart: nginx-ingress-2.3.0 - app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus-mgmt-proxy-host - app.kubernetes.io/version: "5.2.0" - app.kubernetes.io/managed-by: Helm -data: - license-token-secret-name: license-token - usage-report-proxy-host: "44.55.66.77:88" -/-/-/-/ -# Source: nginx-ingress/templates/controller-leader-election-configmap.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: plus-mgmt-proxy-host-nginx-ingress-leader-election - namespace: default - labels: - helm.sh/chart: nginx-ingress-2.3.0 - app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus-mgmt-proxy-host - app.kubernetes.io/version: "5.2.0" - app.kubernetes.io/managed-by: Helm -/-/-/-/ -# Source: nginx-ingress/templates/clusterrole.yaml -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: plus-mgmt-proxy-host-nginx-ingress - labels: - helm.sh/chart: nginx-ingress-2.3.0 - app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus-mgmt-proxy-host - app.kubernetes.io/version: "5.2.0" - app.kubernetes.io/managed-by: Helm -rules: -- apiGroups: 
- - "" - resources: - - configmaps - - namespaces - - pods - - secrets - verbs: - - get - - list - - watch -- apiGroups: - - "" - resources: - - events - verbs: - - create - - patch - - list -- apiGroups: - - "" - resources: - - services - verbs: - - get - - list - - watch - - create - - update - - patch - - delete -- apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - list - - watch -- apiGroups: - - discovery.k8s.io - resources: - - endpointslices - verbs: - - get - - list - - watch -- apiGroups: - - networking.k8s.io - resources: - - ingresses - verbs: - - get - - list - - watch -- apiGroups: - - "" - resources: - - nodes - verbs: - - list -- apiGroups: - - "apps" - resources: - - replicasets - - daemonsets - verbs: - - get -- apiGroups: - - networking.k8s.io - resources: - - ingressclasses - verbs: - - get - - list -- apiGroups: - - networking.k8s.io - resources: - - ingresses/status - verbs: - - update -- apiGroups: - - k8s.nginx.org - resources: - - virtualservers - - virtualserverroutes - - globalconfigurations - - transportservers - - policies - verbs: - - list - - watch - - get -- apiGroups: - - k8s.nginx.org - resources: - - virtualservers/status - - virtualserverroutes/status - - policies/status - - transportservers/status - verbs: - - update -/-/-/-/ -# Source: nginx-ingress/templates/clusterrolebinding.yaml -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: plus-mgmt-proxy-host-nginx-ingress - labels: - helm.sh/chart: nginx-ingress-2.3.0 - app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus-mgmt-proxy-host - app.kubernetes.io/version: "5.2.0" - app.kubernetes.io/managed-by: Helm -subjects: -- kind: ServiceAccount - name: plus-mgmt-proxy-host-nginx-ingress - namespace: default -roleRef: - kind: ClusterRole - name: plus-mgmt-proxy-host-nginx-ingress - apiGroup: rbac.authorization.k8s.io -/-/-/-/ -# Source: nginx-ingress/templates/controller-role.yaml -kind: Role -apiVersion: 
rbac.authorization.k8s.io/v1 -metadata: - name: plus-mgmt-proxy-host-nginx-ingress - labels: - helm.sh/chart: nginx-ingress-2.3.0 - app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus-mgmt-proxy-host - app.kubernetes.io/version: "5.2.0" - app.kubernetes.io/managed-by: Helm - namespace: default -rules: -- apiGroups: - - "" - resources: - - configmaps - - pods - - secrets - - services - verbs: - - get - - list - - watch -- apiGroups: - - "" - resources: - - namespaces - verbs: - - get -- apiGroups: - - "" - resources: - - pods - verbs: - - update -- apiGroups: - - "" - resources: - - events - verbs: - - create - - patch - - list -- apiGroups: - - coordination.k8s.io - resources: - - leases - resourceNames: - - plus-mgmt-proxy-host-nginx-ingress-leader-election - verbs: - - get - - update -- apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - create -/-/-/-/ -# Source: nginx-ingress/templates/controller-rolebinding.yaml -kind: RoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: plus-mgmt-proxy-host-nginx-ingress - labels: - helm.sh/chart: nginx-ingress-2.3.0 - app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus-mgmt-proxy-host - app.kubernetes.io/version: "5.2.0" - app.kubernetes.io/managed-by: Helm - namespace: default -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: plus-mgmt-proxy-host-nginx-ingress -subjects: -- kind: ServiceAccount - name: plus-mgmt-proxy-host-nginx-ingress - namespace: default -/-/-/-/ -# Source: nginx-ingress/templates/controller-service.yaml -apiVersion: v1 -kind: Service -metadata: - name: plus-mgmt-proxy-host-nginx-ingress-controller - namespace: default - labels: - helm.sh/chart: nginx-ingress-2.3.0 - app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus-mgmt-proxy-host - app.kubernetes.io/version: "5.2.0" - app.kubernetes.io/managed-by: Helm -spec: - externalTrafficPolicy: Local - type: LoadBalancer - ports: - - port: 
80 - targetPort: 80 - protocol: TCP - name: http - nodePort: - - port: 443 - targetPort: 443 - protocol: TCP - name: https - nodePort: - selector: - app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus-mgmt-proxy-host -/-/-/-/ -# Source: nginx-ingress/templates/controller-deployment.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: plus-mgmt-proxy-host-nginx-ingress-controller - namespace: default - labels: - helm.sh/chart: nginx-ingress-2.3.0 - app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus-mgmt-proxy-host - app.kubernetes.io/version: "5.2.0" - app.kubernetes.io/managed-by: Helm -spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus-mgmt-proxy-host - template: - metadata: - labels: - app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus-mgmt-proxy-host - annotations: - prometheus.io/scrape: "true" - prometheus.io/port: "9113" - prometheus.io/scheme: "http" - spec: - volumes: [] - serviceAccountName: plus-mgmt-proxy-host-nginx-ingress - automountServiceAccountToken: true - securityContext: - seccompProfile: - type: RuntimeDefault - terminationGracePeriodSeconds: 30 - hostNetwork: false - dnsPolicy: ClusterFirst - containers: - - image: nginx/nginx-ingress:5.2.0 - name: nginx-ingress - imagePullPolicy: "IfNotPresent" - ports: - - name: http - containerPort: 80 - protocol: TCP - - name: https - containerPort: 443 - protocol: TCP - - name: prometheus - containerPort: 9113 - - name: readiness-port - containerPort: 8081 - readinessProbe: - httpGet: - path: /nginx-ready - port: readiness-port - periodSeconds: 1 - initialDelaySeconds: 0 - resources: - requests: - cpu: 100m - memory: 128Mi - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: false - runAsUser: 101 #nginx - runAsNonRoot: true - capabilities: - drop: - - ALL - add: - - NET_BIND_SERVICE - volumeMounts: [] - env: - - name: POD_NAMESPACE - 
valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - args: - - - -nginx-plus=true - - -nginx-reload-timeout=60000 - - -enable-app-protect=false - - -enable-app-protect-dos=false - - -nginx-configmaps=$(POD_NAMESPACE)/plus-mgmt-proxy-host-nginx-ingress - - -mgmt-configmap=$(POD_NAMESPACE)/plus-mgmt-proxy-host-nginx-ingress-mgmt - - -ingress-class=nginx - - -health-status=false - - -health-status-uri=/nginx-health - - -nginx-debug=false - - -log-level=info - - -log-format=glog - - -nginx-status=true - - -nginx-status-port=8080 - - -nginx-status-allow-cidrs=127.0.0.1 - - -report-ingress-status - - -external-service=plus-mgmt-proxy-host-nginx-ingress-controller - - -enable-leader-election=true - - -leader-election-lock-name=plus-mgmt-proxy-host-nginx-ingress-leader-election - - -enable-prometheus-metrics=true - - -prometheus-metrics-listen-port=9113 - - -prometheus-tls-secret= - - -enable-service-insight=false - - -service-insight-listen-port=9114 - - -service-insight-tls-secret= - - -enable-custom-resources=true - - -enable-snippets=false - - -disable-ipv6=false - - -enable-tls-passthrough=false - - -enable-cert-manager=false - - -enable-oidc=false - - -enable-external-dns=false - - -default-http-listener-port=80 - - -default-https-listener-port=443 - - -ready-status=true - - -ready-status-port=8081 - - -enable-latency-metrics=false - - -ssl-dynamic-reload=true - - -enable-telemetry-reporting=true - - -weight-changes-dynamic-reload=false -/-/-/-/ -# Source: nginx-ingress/templates/controller-ingress-class.yaml -apiVersion: networking.k8s.io/v1 -kind: IngressClass -metadata: - name: nginx - labels: - helm.sh/chart: nginx-ingress-2.3.0 - app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus-mgmt-proxy-host - app.kubernetes.io/version: "5.2.0" - app.kubernetes.io/managed-by: Helm -spec: - controller: nginx.org/ingress-controller -/-/-/-/ -# Source: 
nginx-ingress/templates/controller-lease.yaml -apiVersion: coordination.k8s.io/v1 -kind: Lease -metadata: - name: plus-mgmt-proxy-host-nginx-ingress-leader-election - namespace: default - labels: - helm.sh/chart: nginx-ingress-2.3.0 - app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus-mgmt-proxy-host - app.kubernetes.io/version: "5.2.0" - app.kubernetes.io/managed-by: Helm ---- - -[TestHelmNICTemplate/plus-mgmt-proxy-host-auth - 1] -/-/-/-/ -# Source: nginx-ingress/templates/controller-serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: plus-mgmt-proxy-host-auth-nginx-ingress - namespace: default - labels: - helm.sh/chart: nginx-ingress-2.3.0 - app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus-mgmt-proxy-host-auth - app.kubernetes.io/version: "5.2.0" - app.kubernetes.io/managed-by: Helm -/-/-/-/ -# Source: nginx-ingress/templates/controller-configmap.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: plus-mgmt-proxy-host-auth-nginx-ingress - namespace: default - labels: - helm.sh/chart: nginx-ingress-2.3.0 - app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus-mgmt-proxy-host-auth - app.kubernetes.io/version: "5.2.0" - app.kubernetes.io/managed-by: Helm -data: - {} -/-/-/-/ -# Source: nginx-ingress/templates/controller-configmap.yaml -/-/-/-/ -apiVersion: v1 -kind: ConfigMap -metadata: - name: plus-mgmt-proxy-host-auth-nginx-ingress-mgmt - namespace: default - labels: - helm.sh/chart: nginx-ingress-2.3.0 - app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus-mgmt-proxy-host-auth - app.kubernetes.io/version: "5.2.0" - app.kubernetes.io/managed-by: Helm -data: - license-token-secret-name: license-token - usage-report-proxy-host: "44.55.66.77:88" -/-/-/-/ -# Source: nginx-ingress/templates/controller-leader-election-configmap.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: plus-mgmt-proxy-host-auth-nginx-ingress-leader-election - namespace: 
default - labels: - helm.sh/chart: nginx-ingress-2.3.0 - app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus-mgmt-proxy-host-auth - app.kubernetes.io/version: "5.2.0" - app.kubernetes.io/managed-by: Helm -/-/-/-/ -# Source: nginx-ingress/templates/clusterrole.yaml -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: plus-mgmt-proxy-host-auth-nginx-ingress - labels: - helm.sh/chart: nginx-ingress-2.3.0 - app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus-mgmt-proxy-host-auth - app.kubernetes.io/version: "5.2.0" - app.kubernetes.io/managed-by: Helm -rules: -- apiGroups: - - "" - resources: - - configmaps - - namespaces - - pods - - secrets - verbs: - - get - - list - - watch -- apiGroups: - - "" - resources: - - events - verbs: - - create - - patch - - list -- apiGroups: - - "" - resources: - - services - verbs: - - get - - list - - watch - - create - - update - - patch - - delete -- apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - list - - watch -- apiGroups: - - discovery.k8s.io - resources: - - endpointslices - verbs: - - get - - list - - watch -- apiGroups: - - networking.k8s.io - resources: - - ingresses - verbs: - - get - - list - - watch -- apiGroups: - - "" - resources: - - nodes - verbs: - - list -- apiGroups: - - "apps" - resources: - - replicasets - - daemonsets - verbs: - - get -- apiGroups: - - networking.k8s.io - resources: - - ingressclasses - verbs: - - get - - list -- apiGroups: - - networking.k8s.io - resources: - - ingresses/status - verbs: - - update -- apiGroups: - - k8s.nginx.org - resources: - - virtualservers - - virtualserverroutes - - globalconfigurations - - transportservers - - policies - verbs: - - list - - watch - - get -- apiGroups: - - k8s.nginx.org - resources: - - virtualservers/status - - virtualserverroutes/status - - policies/status - - transportservers/status - verbs: - - update -/-/-/-/ -# Source: 
nginx-ingress/templates/clusterrolebinding.yaml -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: plus-mgmt-proxy-host-auth-nginx-ingress - labels: - helm.sh/chart: nginx-ingress-2.3.0 - app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus-mgmt-proxy-host-auth - app.kubernetes.io/version: "5.2.0" - app.kubernetes.io/managed-by: Helm -subjects: -- kind: ServiceAccount - name: plus-mgmt-proxy-host-auth-nginx-ingress - namespace: default -roleRef: - kind: ClusterRole - name: plus-mgmt-proxy-host-auth-nginx-ingress - apiGroup: rbac.authorization.k8s.io -/-/-/-/ -# Source: nginx-ingress/templates/controller-role.yaml -kind: Role -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: plus-mgmt-proxy-host-auth-nginx-ingress - labels: - helm.sh/chart: nginx-ingress-2.3.0 - app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus-mgmt-proxy-host-auth - app.kubernetes.io/version: "5.2.0" - app.kubernetes.io/managed-by: Helm - namespace: default -rules: -- apiGroups: - - "" - resources: - - configmaps - - pods - - secrets - - services - verbs: - - get - - list - - watch -- apiGroups: - - "" - resources: - - namespaces - verbs: - - get -- apiGroups: - - "" - resources: - - pods - verbs: - - update -- apiGroups: - - "" - resources: - - events - verbs: - - create - - patch - - list -- apiGroups: - - coordination.k8s.io - resources: - - leases - resourceNames: - - plus-mgmt-proxy-host-auth-nginx-ingress-leader-election - verbs: - - get - - update -- apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - create -/-/-/-/ -# Source: nginx-ingress/templates/controller-rolebinding.yaml -kind: RoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: plus-mgmt-proxy-host-auth-nginx-ingress - labels: - helm.sh/chart: nginx-ingress-2.3.0 - app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus-mgmt-proxy-host-auth - app.kubernetes.io/version: "5.2.0" - 
app.kubernetes.io/managed-by: Helm - namespace: default -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: plus-mgmt-proxy-host-auth-nginx-ingress -subjects: -- kind: ServiceAccount - name: plus-mgmt-proxy-host-auth-nginx-ingress - namespace: default -/-/-/-/ -# Source: nginx-ingress/templates/controller-service.yaml -apiVersion: v1 -kind: Service -metadata: - name: plus-mgmt-proxy-host-auth-nginx-ingress-controller - namespace: default - labels: - helm.sh/chart: nginx-ingress-2.3.0 - app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus-mgmt-proxy-host-auth - app.kubernetes.io/version: "5.2.0" - app.kubernetes.io/managed-by: Helm -spec: - externalTrafficPolicy: Local - type: LoadBalancer - ports: - - port: 80 - targetPort: 80 - protocol: TCP - name: http - nodePort: - - port: 443 - targetPort: 443 - protocol: TCP - name: https - nodePort: - selector: - app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus-mgmt-proxy-host-auth -/-/-/-/ -# Source: nginx-ingress/templates/controller-deployment.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: plus-mgmt-proxy-host-auth-nginx-ingress-controller - namespace: default - labels: - helm.sh/chart: nginx-ingress-2.3.0 - app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus-mgmt-proxy-host-auth - app.kubernetes.io/version: "5.2.0" - app.kubernetes.io/managed-by: Helm -spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus-mgmt-proxy-host-auth - template: - metadata: - labels: - app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus-mgmt-proxy-host-auth - annotations: - prometheus.io/scrape: "true" - prometheus.io/port: "9113" - prometheus.io/scheme: "http" - spec: - volumes: [] - serviceAccountName: plus-mgmt-proxy-host-auth-nginx-ingress - automountServiceAccountToken: true - securityContext: - seccompProfile: - type: RuntimeDefault - 
terminationGracePeriodSeconds: 30 - hostNetwork: false - dnsPolicy: ClusterFirst - containers: - - image: nginx/nginx-ingress:5.2.0 - name: nginx-ingress - imagePullPolicy: "IfNotPresent" - ports: - - name: http - containerPort: 80 - protocol: TCP - - name: https - containerPort: 443 - protocol: TCP - - name: prometheus - containerPort: 9113 - - name: readiness-port - containerPort: 8081 - readinessProbe: - httpGet: - path: /nginx-ready - port: readiness-port - periodSeconds: 1 - initialDelaySeconds: 0 - resources: - requests: - cpu: 100m - memory: 128Mi - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: false - runAsUser: 101 #nginx - runAsNonRoot: true - capabilities: - drop: - - ALL - add: - - NET_BIND_SERVICE - volumeMounts: [] - env: - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: PROXY_USER - valueFrom: - secretKeyRef: - name: custom-credentials - key: username - - name: PROXY_PASS - valueFrom: - secretKeyRef: - name: custom-credentials - key: password - args: - - - -nginx-plus=true - - -nginx-reload-timeout=60000 - - -enable-app-protect=false - - -enable-app-protect-dos=false - - -nginx-configmaps=$(POD_NAMESPACE)/plus-mgmt-proxy-host-auth-nginx-ingress - - -mgmt-configmap=$(POD_NAMESPACE)/plus-mgmt-proxy-host-auth-nginx-ingress-mgmt - - -ingress-class=nginx - - -health-status=false - - -health-status-uri=/nginx-health - - -nginx-debug=false - - -log-level=info - - -log-format=glog - - -nginx-status=true - - -nginx-status-port=8080 - - -nginx-status-allow-cidrs=127.0.0.1 - - -report-ingress-status - - -external-service=plus-mgmt-proxy-host-auth-nginx-ingress-controller - - -enable-leader-election=true - - -leader-election-lock-name=plus-mgmt-proxy-host-auth-nginx-ingress-leader-election - - -enable-prometheus-metrics=true - - -prometheus-metrics-listen-port=9113 - - -prometheus-tls-secret= - - 
-enable-service-insight=false - - -service-insight-listen-port=9114 - - -service-insight-tls-secret= - - -enable-custom-resources=true - - -enable-snippets=false - - -disable-ipv6=false - - -enable-tls-passthrough=false - - -enable-cert-manager=false - - -enable-oidc=false - - -enable-external-dns=false - - -default-http-listener-port=80 - - -default-https-listener-port=443 - - -ready-status=true - - -ready-status-port=8081 - - -enable-latency-metrics=false - - -ssl-dynamic-reload=true - - -enable-telemetry-reporting=true - - -weight-changes-dynamic-reload=false -/-/-/-/ -# Source: nginx-ingress/templates/controller-ingress-class.yaml -apiVersion: networking.k8s.io/v1 -kind: IngressClass -metadata: - name: nginx - labels: - helm.sh/chart: nginx-ingress-2.3.0 - app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus-mgmt-proxy-host-auth - app.kubernetes.io/version: "5.2.0" - app.kubernetes.io/managed-by: Helm -spec: - controller: nginx.org/ingress-controller -/-/-/-/ -# Source: nginx-ingress/templates/controller-lease.yaml -apiVersion: coordination.k8s.io/v1 -kind: Lease -metadata: - name: plus-mgmt-proxy-host-auth-nginx-ingress-leader-election - namespace: default - labels: - helm.sh/chart: nginx-ingress-2.3.0 - app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus-mgmt-proxy-host-auth - app.kubernetes.io/version: "5.2.0" - app.kubernetes.io/managed-by: Helm +# Source: nginx-ingress/templates/controller-configmap.yaml --- [TestHelmNICTemplate/plusAgentV3 - 1] @@ -8874,7 +6321,7 @@ spec: labels: app.kubernetes.io/name: nginx-ingress app.kubernetes.io/instance: plus-agent - agent-configuration-revision-hash: "e150cd8a" + agent-configuration-revision-hash: "064c5ae8" annotations: prometheus.io/scrape: "true" prometheus.io/port: "9113" 
@@ -9386,7 +6833,7 @@ spec: labels: app.kubernetes.io/name: nginx-ingress app.kubernetes.io/instance: plus-agent-all - agent-configuration-revision-hash: "8c900020" + agent-configuration-revision-hash: "736fc2d4" annotations: prometheus.io/scrape: "true" prometheus.io/port: "9113" diff --git a/charts/tests/helmunit_test.go b/charts/tests/helmunit_test.go index 94a8029982..7cc6ee8217 100644 --- a/charts/tests/helmunit_test.go +++ b/charts/tests/helmunit_test.go @@ -136,6 +136,21 @@ func TestHelmNICTemplate(t *testing.T) { releaseName: "startupstatus", namespace: "default", }, + "netpol-disabled": { + valuesFile: "testdata/netpol-disabled.yaml", + releaseName: "netpol-disabled", + namespace: "default", + }, + "netpol-enabled-defaults": { + valuesFile: "testdata/netpol-enabled-defaults.yaml", + releaseName: "netpol-enabled-defaults", + namespace: "default", + }, + "netpol-enabled-custom": { + valuesFile: "testdata/netpol-enabled-custom.yaml", + releaseName: "netpol-enabled-custom", + namespace: "default", + }, } // Path to the helm chart we will test diff --git a/charts/tests/testdata/netpol-disabled.yaml b/charts/tests/testdata/netpol-disabled.yaml new file mode 100644 index 0000000000..4782b6dab4 --- /dev/null +++ b/charts/tests/testdata/netpol-disabled.yaml @@ -0,0 +1,3 @@ +controller: + networkPolicy: + enabled: false \ No newline at end of file diff --git a/charts/tests/testdata/netpol-enabled-custom.yaml b/charts/tests/testdata/netpol-enabled-custom.yaml new file mode 100644 index 0000000000..6544c9c54d --- /dev/null +++ b/charts/tests/testdata/netpol-enabled-custom.yaml @@ -0,0 +1,14 @@ +controller: + networkPolicy: + enabled: true + policyTypes: [Ingress] + podSelector: + matchLabels: + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/component: controller + ingress: + - from: + - namespaceSelector: + matchLabels: { name: ingress-allow } + ports: + - { protocol: TCP, port: 443 } \ No newline at end of file 
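Review bot: None of the three added cases renders a policy type that is listed with an empty rule list, which is the branch where the template added earlier in this diff emits `ingress: []` or `egress: []`, i.e. deny-all for that direction. That is the most security-relevant output of the new template, and a later refactor could turn it into allow-all without any snapshot changing. I would add a fourth table entry with the same three fields, pointing at a values file that sets `policyTypes: [Ingress, Egress]` with `ingress: []` and `egress: []` explicitly. The table and `TestHelmNICTemplate` continue outside the hunk.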
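Review bot: The `podSelector` override in netpol-enabled-custom.yaml matches on `app.kubernetes.io/component: controller`, but the controller pod templates rendered in this snapshot carry only `app.kubernetes.io/name` and `app.kubernetes.io/instance`, so as far as this diff shows the policy would select no pods and enforce nothing. A NetworkPolicy that silently matches nothing is worse than none, because it looks as if isolation is in place. I would use labels the chart actually sets, e.g. `app.kubernetes.io/instance: netpol-enabled-custom` next to the name label, which also keeps the selector from catching controllers of other releases in the namespace. The three new fixtures also end without a trailing newline.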
diff --git a/charts/tests/testdata/netpol-enabled-defaults.yaml b/charts/tests/testdata/netpol-enabled-defaults.yaml
new file mode 100644
index 0000000000..570e00567f
--- /dev/null
+++ b/charts/tests/testdata/netpol-enabled-defaults.yaml
@@ -0,0 +1,14 @@
+controller:
+ networkPolicy:
+ enabled: true
+ podSelector: {}
+ policyTypes: [Ingress, Egress]
+ ingress:
+ - from: []
+ ports:
+ - { protocol: TCP, port: 80 }
+ - { protocol: TCP, port: 443 }
+ egress:
+ - to: []
+ ports:
+ - { protocol: UDP, port: 53 }
\ No newline at end of file
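Review bot: The egress rule in this fixture allows only UDP 53, which on a live cluster would also cut the controller off from the Kubernetes API server it watches and from upstream pods, so anyone copying this "defaults" file gets a controller that cannot sync. Since the name suggests a recommended shape, I would either add the missing egress rules or open the file with a comment such as `# render-only fixture: DNS-only egress is not a working policy`. DNS falls back to TCP for large answers, so a realistic rule carries `- { protocol: TCP, port: 53 }` beside the UDP entry. The empty `from: []` and `to: []` match every peer rather than none, which deserves a one-line comment because it reads the other way round.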