# Terraform rendering of the ingress-nginx v1.12.0 install as kubernetes_manifest
# resources: namespace, service accounts, RBAC, ConfigMap, Services, the controller
# Deployment, the admission-webhook certificate Jobs, the IngressClass and the
# ValidatingWebhookConfiguration.
#
# NOTE(review): every object is pinned to release 1.12.0 (labels and image tag/digest).
# Later upstream releases carry security fixes for the validating admission webhook;
# check the ingress-nginx advisories for this release before deploying and re-pin tag
# and digest together when upgrading.

# Namespace that every namespaced object below refers to through
# kubernetes_manifest.namespace_ingress_nginx.manifest.metadata.name.
# NOTE(review): no pod-security.kubernetes.io/* labels are set here, so Pod Security
# Admission enforcement for this namespace falls back to the cluster-wide default.
resource "kubernetes_manifest" "namespace_ingress_nginx" {
  manifest = {
    "apiVersion" = "v1"
    "kind" = "Namespace"
    "metadata" = {
      "labels" = {
        "app.kubernetes.io/instance" = "ingress-nginx"
        "app.kubernetes.io/name" = "ingress-nginx"
      }
      "name" = "ingress-nginx"
    }
  }
}

# Service account used by the controller Deployment (serviceAccountName = "ingress-nginx").
# The API token is mounted into its pods; the RBAC bound to it below includes
# cluster-wide list/watch on secrets, so the token is a high-value credential.
resource "kubernetes_manifest" "serviceaccount_ingress_nginx_ingress_nginx" {
  manifest = {
    "apiVersion" = "v1"
    "automountServiceAccountToken" = true
    "kind" = "ServiceAccount"
    "metadata" = {
      "labels" = {
        "app.kubernetes.io/component" = "controller"
        "app.kubernetes.io/instance" = "ingress-nginx"
        "app.kubernetes.io/name" = "ingress-nginx"
        "app.kubernetes.io/part-of" = "ingress-nginx"
        "app.kubernetes.io/version" = "1.12.0"
      }
      "name" = "ingress-nginx"
      "namespace" = kubernetes_manifest.namespace_ingress_nginx.manifest.metadata.name
    }
  }
}

# Service account used by the two kube-webhook-certgen Jobs (create and patch).
resource "kubernetes_manifest" "serviceaccount_ingress_nginx_ingress_nginx_admission" {
  manifest = {
    "apiVersion" = "v1"
    "automountServiceAccountToken" = true
    "kind" = "ServiceAccount"
    "metadata" = {
      "labels" = {
        "app.kubernetes.io/component" = "admission-webhook"
        "app.kubernetes.io/instance" = "ingress-nginx"
        "app.kubernetes.io/name" = "ingress-nginx"
        "app.kubernetes.io/part-of" = "ingress-nginx"
        "app.kubernetes.io/version" = "1.12.0"
      }
      "name" = "ingress-nginx-admission"
      "namespace" = kubernetes_manifest.namespace_ingress_nginx.manifest.metadata.name
    }
  }
}

# Namespaced permissions of the controller inside the ingress-nginx namespace.
resource "kubernetes_manifest" "role_ingress_nginx_ingress_nginx" {
  manifest = {
    "apiVersion" = "rbac.authorization.k8s.io/v1"
    "kind" = "Role"
    "metadata" = {
      "labels" = {
        "app.kubernetes.io/component" = "controller"
        "app.kubernetes.io/instance" = "ingress-nginx"
        "app.kubernetes.io/name" = "ingress-nginx"
        "app.kubernetes.io/part-of" = "ingress-nginx"
        "app.kubernetes.io/version" = "1.12.0"
      }
      "name" = "ingress-nginx"
      "namespace" = kubernetes_manifest.namespace_ingress_nginx.manifest.metadata.name
    }
    "rules" = [
      {
        "apiGroups" = [
          "",
        ]
        "resources" = [
          "namespaces",
        ]
        "verbs" = [
          "get",
        ]
      },
      # Read access to secrets in this namespace; that includes the webhook TLS
      # secret "ingress-nginx-admission" mounted by the Deployment.
      {
        "apiGroups" = [
          "",
        ]
        "resources" = [
          "configmaps",
          "pods",
          "secrets",
          "endpoints",
        ]
        "verbs" = [
          "get",
          "list",
          "watch",
        ]
      },
      {
        "apiGroups" = [
          "",
        ]
        "resources" = [
          "services",
        ]
        "verbs" = [
          "get",
          "list",
          "watch",
        ]
      },
      {
        "apiGroups" = [
          "networking.k8s.io",
        ]
        "resources" = [
          "ingresses",
        ]
        "verbs" = [
          "get",
          "list",
          "watch",
        ]
      },
      {
        "apiGroups" = [
          "networking.k8s.io",
        ]
        "resources" = [
          "ingresses/status",
        ]
        "verbs" = [
          "update",
        ]
      },
      {
        "apiGroups" = [
          "networking.k8s.io",
        ]
        "resources" = [
          "ingressclasses",
        ]
        "verbs" = [
          "get",
          "list",
          "watch",
        ]
      },
      # get/update is limited to the leader-election lease named in --election-id.
      {
        "apiGroups" = [
          "coordination.k8s.io",
        ]
        "resourceNames" = [
          "ingress-nginx-leader",
        ]
        "resources" = [
          "leases",
        ]
        "verbs" = [
          "get",
          "update",
        ]
      },
      # create is a separate rule without resourceNames: RBAC cannot restrict
      # create by object name.
      {
        "apiGroups" = [
          "coordination.k8s.io",
        ]
        "resources" = [
          "leases",
        ]
        "verbs" = [
          "create",
        ]
      },
      {
        "apiGroups" = [
          "",
        ]
        "resources" = [
          "events",
        ]
        "verbs" = [
          "create",
          "patch",
        ]
      },
      {
        "apiGroups" = [
          "discovery.k8s.io",
        ]
        "resources" = [
          "endpointslices",
        ]
        "verbs" = [
          "list",
          "watch",
          "get",
        ]
      },
    ]
  }
}

# Namespaced permissions of the certgen Jobs: get and create secrets in this
# namespace. The rule carries no resourceNames, so "get" applies to every secret
# in the namespace, not only "ingress-nginx-admission".
resource "kubernetes_manifest" "role_ingress_nginx_ingress_nginx_admission" {
  manifest = {
    "apiVersion" = "rbac.authorization.k8s.io/v1"
    "kind" = "Role"
    "metadata" = {
      "labels" = {
        "app.kubernetes.io/component" = "admission-webhook"
        "app.kubernetes.io/instance" = "ingress-nginx"
        "app.kubernetes.io/name" = "ingress-nginx"
        "app.kubernetes.io/part-of" = "ingress-nginx"
        "app.kubernetes.io/version" = "1.12.0"
      }
      "name" = "ingress-nginx-admission"
      "namespace" = kubernetes_manifest.namespace_ingress_nginx.manifest.metadata.name
    }
    "rules" = [
      {
        "apiGroups" = [
          "",
        ]
        "resources" = [
          "secrets",
        ]
        "verbs" = [
          "get",
          "create",
        ]
      },
    ]
  }
}

# Cluster-wide permissions of the controller.
resource "kubernetes_manifest" "clusterrole_ingress_nginx" {
  manifest = {
    "apiVersion" = "rbac.authorization.k8s.io/v1"
    "kind" = "ClusterRole"
    "metadata" = {
      "labels" = {
        "app.kubernetes.io/instance" = "ingress-nginx"
        "app.kubernetes.io/name" = "ingress-nginx"
        "app.kubernetes.io/part-of" = "ingress-nginx"
        "app.kubernetes.io/version" = "1.12.0"
      }
      "name" = "ingress-nginx"
    }
    "rules" = [
      # NOTE(review): list/watch on secrets in every namespace. Anything that can
      # use the controller's service-account token can read all cluster secrets, so
      # the controller pod should be treated as a privileged workload. Narrowing this
      # means a namespace-scoped deployment (upstream --watch-namespace with a Role
      # per namespace) — confirm whether that fits this cluster.
      {
        "apiGroups" = [
          "",
        ]
        "resources" = [
          "configmaps",
          "endpoints",
          "nodes",
          "pods",
          "secrets",
          "namespaces",
        ]
        "verbs" = [
          "list",
          "watch",
        ]
      },
      {
        "apiGroups" = [
          "coordination.k8s.io",
        ]
        "resources" = [
          "leases",
        ]
        "verbs" = [
          "list",
          "watch",
        ]
      },
      {
        "apiGroups" = [
          "",
        ]
        "resources" = [
          "nodes",
        ]
        "verbs" = [
          "get",
        ]
      },
      {
        "apiGroups" = [
          "",
        ]
        "resources" = [
          "services",
        ]
        "verbs" = [
          "get",
          "list",
          "watch",
        ]
      },
      {
        "apiGroups" = [
          "networking.k8s.io",
        ]
        "resources" = [
          "ingresses",
        ]
        "verbs" = [
          "get",
          "list",
          "watch",
        ]
      },
      {
        "apiGroups" = [
          "",
        ]
        "resources" = [
          "events",
        ]
        "verbs" = [
          "create",
          "patch",
        ]
      },
      {
        "apiGroups" = [
          "networking.k8s.io",
        ]
        "resources" = [
          "ingresses/status",
        ]
        "verbs" = [
          "update",
        ]
      },
      {
        "apiGroups" = [
          "networking.k8s.io",
        ]
        "resources" = [
          "ingressclasses",
        ]
        "verbs" = [
          "get",
          "list",
          "watch",
        ]
      },
      {
        "apiGroups" = [
          "discovery.k8s.io",
        ]
        "resources" = [
          "endpointslices",
        ]
        "verbs" = [
          "list",
          "watch",
          "get",
        ]
      },
    ]
  }
}

# Cluster-wide permissions of the certgen Jobs.
# NOTE(review): get/update on validatingwebhookconfigurations has no resourceNames,
# so the ingress-nginx-admission service account may update any
# ValidatingWebhookConfiguration in the cluster, not only "ingress-nginx-admission".
resource "kubernetes_manifest" "clusterrole_ingress_nginx_admission" {
  manifest = {
    "apiVersion" = "rbac.authorization.k8s.io/v1"
    "kind" = "ClusterRole"
    "metadata" = {
      "labels" = {
        "app.kubernetes.io/component" = "admission-webhook"
        "app.kubernetes.io/instance" = "ingress-nginx"
        "app.kubernetes.io/name" = "ingress-nginx"
        "app.kubernetes.io/part-of" = "ingress-nginx"
        "app.kubernetes.io/version" = "1.12.0"
      }
      "name" = "ingress-nginx-admission"
    }
    "rules" = [
      {
        "apiGroups" = [
          "admissionregistration.k8s.io",
        ]
        "resources" = [
          "validatingwebhookconfigurations",
        ]
        "verbs" = [
          "get",
          "update",
        ]
      },
    ]
  }
}

# Binds Role "ingress-nginx" to the controller service account.
resource "kubernetes_manifest" "rolebinding_ingress_nginx_ingress_nginx" {
  manifest = {
    "apiVersion" = "rbac.authorization.k8s.io/v1"
    "kind" = "RoleBinding"
    "metadata" = {
      "labels" = {
        "app.kubernetes.io/component" = "controller"
        "app.kubernetes.io/instance" = "ingress-nginx"
        "app.kubernetes.io/name" = "ingress-nginx"
        "app.kubernetes.io/part-of" = "ingress-nginx"
        "app.kubernetes.io/version" = "1.12.0"
      }
      "name" = "ingress-nginx"
      "namespace" = kubernetes_manifest.namespace_ingress_nginx.manifest.metadata.name
    }
    "roleRef" = {
      "apiGroup" = "rbac.authorization.k8s.io"
      "kind" = "Role"
      "name" = "ingress-nginx"
    }
    "subjects" = [
      {
        "kind" = "ServiceAccount"
        "name" = "ingress-nginx"
        "namespace" = kubernetes_manifest.namespace_ingress_nginx.manifest.metadata.name
      },
    ]
  }
}

# Binds Role "ingress-nginx-admission" to the certgen service account.
resource "kubernetes_manifest" "rolebinding_ingress_nginx_ingress_nginx_admission" {
  manifest = {
    "apiVersion" = "rbac.authorization.k8s.io/v1"
    "kind" = "RoleBinding"
    "metadata" = {
      "labels" = {
        "app.kubernetes.io/component" = "admission-webhook"
        "app.kubernetes.io/instance" = "ingress-nginx"
        "app.kubernetes.io/name" = "ingress-nginx"
        "app.kubernetes.io/part-of" = "ingress-nginx"
        "app.kubernetes.io/version" = "1.12.0"
      }
      "name" = "ingress-nginx-admission"
      "namespace" = kubernetes_manifest.namespace_ingress_nginx.manifest.metadata.name
    }
    "roleRef" = {
      "apiGroup" = "rbac.authorization.k8s.io"
      "kind" = "Role"
      "name" = "ingress-nginx-admission"
    }
    "subjects" = [
      {
        "kind" = "ServiceAccount"
        "name" = "ingress-nginx-admission"
        "namespace" = kubernetes_manifest.namespace_ingress_nginx.manifest.metadata.name
      },
    ]
  }
}

# Binds ClusterRole "ingress-nginx" (including cluster-wide secret list/watch)
# to the controller service account.
resource "kubernetes_manifest" "clusterrolebinding_ingress_nginx" {
  manifest = {
    "apiVersion" = "rbac.authorization.k8s.io/v1"
    "kind" = "ClusterRoleBinding"
    "metadata" = {
      "labels" = {
        "app.kubernetes.io/instance" = "ingress-nginx"
        "app.kubernetes.io/name" = "ingress-nginx"
        "app.kubernetes.io/part-of" = "ingress-nginx"
        "app.kubernetes.io/version" = "1.12.0"
      }
      "name" = "ingress-nginx"
    }
    "roleRef" = {
      "apiGroup" = "rbac.authorization.k8s.io"
      "kind" = "ClusterRole"
      "name" = "ingress-nginx"
    }
    "subjects" = [
      {
        "kind" = "ServiceAccount"
        "name" = "ingress-nginx"
        "namespace" = kubernetes_manifest.namespace_ingress_nginx.manifest.metadata.name
      },
    ]
  }
}

# Binds ClusterRole "ingress-nginx-admission" to the certgen service account.
resource "kubernetes_manifest" "clusterrolebinding_ingress_nginx_admission" {
  manifest = {
    "apiVersion" = "rbac.authorization.k8s.io/v1"
    "kind" = "ClusterRoleBinding"
    "metadata" = {
      "labels" = {
        "app.kubernetes.io/component" = "admission-webhook"
        "app.kubernetes.io/instance" = "ingress-nginx"
        "app.kubernetes.io/name" = "ingress-nginx"
        "app.kubernetes.io/part-of" = "ingress-nginx"
        "app.kubernetes.io/version" = "1.12.0"
      }
      "name" = "ingress-nginx-admission"
    }
    "roleRef" = {
      "apiGroup" = "rbac.authorization.k8s.io"
      "kind" = "ClusterRole"
      "name" = "ingress-nginx-admission"
    }
    "subjects" = [
      {
        "kind" = "ServiceAccount"
        "name" = "ingress-nginx-admission"
        "namespace" = kubernetes_manifest.namespace_ingress_nginx.manifest.metadata.name
      },
    ]
  }
}

# ConfigMap named by the controller's --configmap argument. It is created without
# a "data" key, so no controller settings are overridden from this file.
resource "kubernetes_manifest" "configmap_ingress_nginx_ingress_nginx_controller" {
  manifest = {
    "apiVersion" = "v1"
    "kind" = "ConfigMap"
    "metadata" = {
      "labels" = {
        "app.kubernetes.io/component" = "controller"
        "app.kubernetes.io/instance" = "ingress-nginx"
        "app.kubernetes.io/name" = "ingress-nginx"
        "app.kubernetes.io/part-of" = "ingress-nginx"
        "app.kubernetes.io/version" = "1.12.0"
      }
      "name" = "ingress-nginx-controller"
      "namespace" = kubernetes_manifest.namespace_ingress_nginx.manifest.metadata.name
    }
  }
}

# LoadBalancer Service in front of the controller pods (ports 80 and 443).
# var.public_ingress selects the GKE load-balancer type: "External" when true,
# "Internal" otherwise.
# NOTE(review): no loadBalancerSourceRanges is set, so with an external load
# balancer source filtering is left to whatever sits outside this file
# (cloud firewall rules) — confirm.
resource "kubernetes_manifest" "service_ingress_nginx_ingress_nginx_controller" {
  manifest = {
    "apiVersion" = "v1"
    "kind" = "Service"
    "metadata" = {
      "annotations" = {
        "networking.gke.io/load-balancer-type" = var.public_ingress ? "External" : "Internal"
      }
      "labels" = {
        "app.kubernetes.io/component" = "controller"
        "app.kubernetes.io/instance" = "ingress-nginx"
        "app.kubernetes.io/name" = "ingress-nginx"
        "app.kubernetes.io/part-of" = "ingress-nginx"
        "app.kubernetes.io/version" = "1.12.0"
      }
      "name" = "ingress-nginx-controller"
      "namespace" = kubernetes_manifest.namespace_ingress_nginx.manifest.metadata.name
    }
    "spec" = {
      # "Local" routes only to nodes that run a controller pod and keeps the
      # client source address visible to the controller.
      "externalTrafficPolicy" = "Local"
      "ipFamilies" = [
        "IPv4",
      ]
      "ipFamilyPolicy" = "SingleStack"
      "ports" = [
        {
          "appProtocol" = "http"
          "name" = "http"
          "port" = 80
          "protocol" = "TCP"
          "targetPort" = "http"
        },
        {
          "appProtocol" = "https"
          "name" = "https"
          "port" = 443
          "protocol" = "TCP"
          "targetPort" = "https"
        },
      ]
      "selector" = {
        "app.kubernetes.io/component" = "controller"
        "app.kubernetes.io/instance" = "ingress-nginx"
        "app.kubernetes.io/name" = "ingress-nginx"
      }
      "type" = "LoadBalancer"
    }
  }
}

# ClusterIP Service for the validating admission webhook: port 443 forwards to the
# controller container's "webhook" port (8443). It is the target of the
# ValidatingWebhookConfiguration's clientConfig.
# NOTE(review): no NetworkPolicy is defined in this file, so any pod allowed by the
# cluster's default network rules can reach the webhook endpoint. Only the API
# server needs it; consider restricting ingress to port 8443 accordingly.
resource "kubernetes_manifest" "service_ingress_nginx_ingress_nginx_controller_admission" {
  manifest = {
    "apiVersion" = "v1"
    "kind" = "Service"
    "metadata" = {
      "labels" = {
        "app.kubernetes.io/component" = "controller"
        "app.kubernetes.io/instance" = "ingress-nginx"
        "app.kubernetes.io/name" = "ingress-nginx"
        "app.kubernetes.io/part-of" = "ingress-nginx"
        "app.kubernetes.io/version" = "1.12.0"
      }
      "name" = "ingress-nginx-controller-admission"
      "namespace" = kubernetes_manifest.namespace_ingress_nginx.manifest.metadata.name
    }
    "spec" = {
      "ports" = [
        {
          "appProtocol" = "https"
          "name" = "https-webhook"
          "port" = 443
          "targetPort" = "webhook"
        },
      ]
      "selector" = {
        "app.kubernetes.io/component" = "controller"
        "app.kubernetes.io/instance" = "ingress-nginx"
        "app.kubernetes.io/name" = "ingress-nginx"
      }
      "type" = "ClusterIP"
    }
  }
}

# Controller Deployment. The single container serves ingress traffic (80/443) and
# the validating admission webhook (8443) from the same process and service account.
resource "kubernetes_manifest" "deployment_ingress_nginx_ingress_nginx_controller" {
  # Annotations and labels are declared as computed so values written by the
  # cluster do not show up as drift.
  computed_fields = ["metadata.annotations", "metadata.labels", "spec.template.metadata.labels"]
  manifest = {
    "apiVersion" = "apps/v1"
    "kind" = "Deployment"
    "metadata" = {
      "labels" = {
        "app.kubernetes.io/component" = "controller"
        "app.kubernetes.io/instance" = "ingress-nginx"
        "app.kubernetes.io/name" = "ingress-nginx"
        "app.kubernetes.io/part-of" = "ingress-nginx"
        "app.kubernetes.io/version" = "1.12.0"
      }
      "name" = "ingress-nginx-controller"
      "namespace" = kubernetes_manifest.namespace_ingress_nginx.manifest.metadata.name
    }
    "spec" = {
      "revisionHistoryLimit" = 10
      "selector" = {
        "matchLabels" = {
          "app.kubernetes.io/component" = "controller"
          "app.kubernetes.io/instance" = "ingress-nginx"
          "app.kubernetes.io/name" = "ingress-nginx"
        }
      }
      "strategy" = {
        "rollingUpdate" = {
          "maxUnavailable" = 1
        }
        "type" = "RollingUpdate"
      }
      "template" = {
        "metadata" = {
          "labels" = {
            "app.kubernetes.io/component" = "controller"
            "app.kubernetes.io/instance" = "ingress-nginx"
            "app.kubernetes.io/name" = "ingress-nginx"
            "app.kubernetes.io/part-of" = "ingress-nginx"
            "app.kubernetes.io/version" = "1.12.0"
          }
        }
        "spec" = {
          "containers" = [
            {
              # The --validating-webhook* flags enable the admission endpoint on
              # :8443 with the certificate and key from the mounted secret.
              "args" = [
                "/nginx-ingress-controller",
                "--publish-service=$(POD_NAMESPACE)/ingress-nginx-controller",
                "--election-id=ingress-nginx-leader",
                "--controller-class=k8s.io/ingress-nginx",
                "--ingress-class=nginx",
                "--configmap=$(POD_NAMESPACE)/ingress-nginx-controller",
                "--validating-webhook=:8443",
                "--validating-webhook-certificate=/usr/local/certificates/cert",
                "--validating-webhook-key=/usr/local/certificates/key",
              ]
              "env" = [
                {
                  "name" = "POD_NAME"
                  "valueFrom" = {
                    "fieldRef" = {
                      "fieldPath" = "metadata.name"
                    }
                  }
                },
                {
                  "name" = "POD_NAMESPACE"
                  "valueFrom" = {
                    "fieldRef" = {
                      "fieldPath" = "metadata.namespace"
                    }
                  }
                },
                # Preloads the library at this path into the controller process.
                {
                  "name" = "LD_PRELOAD"
                  "value" = "/usr/local/lib/libmimalloc.so"
                },
              ]
              # Pinned by tag and sha256 digest, so the pulled content cannot change
              # under the tag. NOTE(review): verify v1.12.0 against upstream security
              # advisories; an upgrade must replace tag and digest together.
              "image" = "registry.k8s.io/ingress-nginx/controller:v1.12.0@sha256:e6b8de175acda6ca913891f0f727bca4527e797d52688cbe9fec9040d6f6b6fa"
              "imagePullPolicy" = "IfNotPresent"
              "lifecycle" = {
                "preStop" = {
                  "exec" = {
                    "command" = [
                      "/wait-shutdown",
                    ]
                  }
                }
              }
              # Health endpoint on 10254 over plain HTTP; the port is not listed in
              # "ports" below and is not published by either Service.
              "livenessProbe" = {
                "failureThreshold" = 5
                "httpGet" = {
                  "path" = "/healthz"
                  "port" = 10254
                  "scheme" = "HTTP"
                }
                "initialDelaySeconds" = 10
                "periodSeconds" = 10
                "successThreshold" = 1
                "timeoutSeconds" = 1
              }
              "name" = "controller"
              "ports" = [
                {
                  "containerPort" = 80
                  "name" = "http"
                  "protocol" = "TCP"
                },
                {
                  "containerPort" = 443
                  "name" = "https"
                  "protocol" = "TCP"
                },
                {
                  "containerPort" = 8443
                  "name" = "webhook"
                  "protocol" = "TCP"
                },
              ]
              "readinessProbe" = {
                "failureThreshold" = 3
                "httpGet" = {
                  "path" = "/healthz"
                  "port" = 10254
                  "scheme" = "HTTP"
                }
                "initialDelaySeconds" = 10
                "periodSeconds" = 10
                "successThreshold" = 1
                "timeoutSeconds" = 1
              }
              # Only requests are set; without limits the container's CPU and memory
              # use is bounded only by the node or by a namespace LimitRange.
              "resources" = {
                "requests" = {
                  "cpu" = "100m"
                  "memory" = "90Mi"
                }
              }
              # Non-root (uid 101, gid 82), no privilege escalation, all capabilities
              # dropped except NET_BIND_SERVICE (needed to bind 80/443), default
              # seccomp profile. The root filesystem stays writable
              # (readOnlyRootFilesystem = false) — presumably because the controller
              # writes its generated nginx configuration; confirm before tightening.
              "securityContext" = {
                "allowPrivilegeEscalation" = false
                "capabilities" = {
                  "add" = [
                    "NET_BIND_SERVICE",
                  ]
                  "drop" = [
                    "ALL",
                  ]
                }
                "readOnlyRootFilesystem" = false
                "runAsGroup" = 82
                "runAsNonRoot" = true
                "runAsUser" = 101
                "seccompProfile" = {
                  "type" = "RuntimeDefault"
                }
              }
              "volumeMounts" = [
                {
                  "mountPath" = "/usr/local/certificates/"
                  "name" = "webhook-cert"
                  "readOnly" = true
                },
              ]
            },
          ]
          "dnsPolicy" = "ClusterFirst"
          "nodeSelector" = {
            "kubernetes.io/os" = "linux"
          }
          "serviceAccountName" = "ingress-nginx"
          "terminationGracePeriodSeconds" = 300
          # The secret is not declared in this file; the admission-create Job's
          # --secret-name argument names the same secret. Pods cannot start until
          # it exists.
          "volumes" = [
            {
              "name" = "webhook-cert"
              "secret" = {
                "secretName" = "ingress-nginx-admission"
              }
            },
          ]
        }
      }
    }
  }
}

# Job that runs kube-webhook-certgen "create" for the admission Service host names
# and stores the result in secret "ingress-nginx-admission".
resource "kubernetes_manifest" "job_ingress_nginx_ingress_nginx_admission_create" {
  computed_fields = ["metadata.annotations", "metadata.labels", "spec.template.metadata.labels"]
  manifest = {
    "apiVersion" = "batch/v1"
    "kind" = "Job"
    "metadata" = {
      "labels" = {
        "app.kubernetes.io/component" = "admission-webhook"
        "app.kubernetes.io/instance" = "ingress-nginx"
        "app.kubernetes.io/name" = "ingress-nginx"
        "app.kubernetes.io/part-of" = "ingress-nginx"
        "app.kubernetes.io/version" = "1.12.0"
      }
      "name" = "ingress-nginx-admission-create"
      "namespace" = kubernetes_manifest.namespace_ingress_nginx.manifest.metadata.name
    }
    "spec" = {
      "template" = {
        "metadata" = {
          "labels" = {
            "app.kubernetes.io/component" = "admission-webhook"
            "app.kubernetes.io/instance" = "ingress-nginx"
            "app.kubernetes.io/name" = "ingress-nginx"
            "app.kubernetes.io/part-of" = "ingress-nginx"
            "app.kubernetes.io/version" = "1.12.0"
          }
          "name" = "ingress-nginx-admission-create"
        }
        "spec" = {
          "containers" = [
            {
              "args" = [
                "create",
                "--host=ingress-nginx-controller-admission,ingress-nginx-controller-admission.$(POD_NAMESPACE).svc",
                "--namespace=$(POD_NAMESPACE)",
                "--secret-name=ingress-nginx-admission",
              ]
              "env" = [
                {
                  "name" = "POD_NAMESPACE"
                  "valueFrom" = {
                    "fieldRef" = {
                      "fieldPath" = "metadata.namespace"
                    }
                  }
                },
              ]
              # Pinned by tag and sha256 digest; the patch Job uses the same image.
              "image" = "registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.5.0@sha256:aaafd456bda110628b2d4ca6296f38731a3aaf0bf7581efae824a41c770a8fc4"
              "imagePullPolicy" = "IfNotPresent"
              "name" = "create"
              # Non-root (65532), read-only root filesystem, no capabilities,
              # no privilege escalation, default seccomp profile.
              "securityContext" = {
                "allowPrivilegeEscalation" = false
                "capabilities" = {
                  "drop" = [
                    "ALL",
                  ]
                }
                "readOnlyRootFilesystem" = true
                "runAsGroup" = 65532
                "runAsNonRoot" = true
                "runAsUser" = 65532
                "seccompProfile" = {
                  "type" = "RuntimeDefault"
                }
              }
            },
          ]
          "nodeSelector" = {
            "kubernetes.io/os" = "linux"
          }
          "restartPolicy" = "OnFailure"
          "serviceAccountName" = "ingress-nginx-admission"
        }
      }
    }
  }
}

# Job that runs kube-webhook-certgen "patch" against the webhook configuration
# "ingress-nginx-admission" using the secret written by the create Job.
# --patch-mutating=false leaves mutating webhooks alone and
# --patch-failure-policy=Fail matches the failurePolicy declared in the
# ValidatingWebhookConfiguration below.
resource "kubernetes_manifest" "job_ingress_nginx_ingress_nginx_admission_patch" {
  computed_fields = ["metadata.annotations", "metadata.labels", "spec.template.metadata.labels"]
  manifest = {
    "apiVersion" = "batch/v1"
    "kind" = "Job"
    "metadata" = {
      "labels" = {
        "app.kubernetes.io/component" = "admission-webhook"
        "app.kubernetes.io/instance" = "ingress-nginx"
        "app.kubernetes.io/name" = "ingress-nginx"
        "app.kubernetes.io/part-of" = "ingress-nginx"
        "app.kubernetes.io/version" = "1.12.0"
      }
      "name" = "ingress-nginx-admission-patch"
      "namespace" = kubernetes_manifest.namespace_ingress_nginx.manifest.metadata.name
    }
    "spec" = {
      "template" = {
        "metadata" = {
          "labels" = {
            "app.kubernetes.io/component" = "admission-webhook"
            "app.kubernetes.io/instance" = "ingress-nginx"
            "app.kubernetes.io/name" = "ingress-nginx"
            "app.kubernetes.io/part-of" = "ingress-nginx"
            "app.kubernetes.io/version" = "1.12.0"
          }
          "name" = "ingress-nginx-admission-patch"
        }
        "spec" = {
          "containers" = [
            {
              "args" = [
                "patch",
                "--webhook-name=ingress-nginx-admission",
                "--namespace=$(POD_NAMESPACE)",
                "--patch-mutating=false",
                "--secret-name=ingress-nginx-admission",
                "--patch-failure-policy=Fail",
              ]
              "env" = [
                {
                  "name" = "POD_NAMESPACE"
                  "valueFrom" = {
                    "fieldRef" = {
                      "fieldPath" = "metadata.namespace"
                    }
                  }
                },
              ]
              # Pinned by tag and sha256 digest; same image as the create Job.
              "image" = "registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.5.0@sha256:aaafd456bda110628b2d4ca6296f38731a3aaf0bf7581efae824a41c770a8fc4"
              "imagePullPolicy" = "IfNotPresent"
              "name" = "patch"
              # Same hardened context as the create Job.
              "securityContext" = {
                "allowPrivilegeEscalation" = false
                "capabilities" = {
                  "drop" = [
                    "ALL",
                  ]
                }
                "readOnlyRootFilesystem" = true
                "runAsGroup" = 65532
                "runAsNonRoot" = true
                "runAsUser" = 65532
                "seccompProfile" = {
                  "type" = "RuntimeDefault"
                }
              }
            },
          ]
          "nodeSelector" = {
            "kubernetes.io/os" = "linux"
          }
          "restartPolicy" = "OnFailure"
          "serviceAccountName" = "ingress-nginx-admission"
        }
      }
    }
  }
}

# IngressClass "nginx", handled by the controller started with
# --controller-class=k8s.io/ingress-nginx.
resource "kubernetes_manifest" "ingressclass_nginx" {
  manifest = {
    "apiVersion" = "networking.k8s.io/v1"
    "kind" = "IngressClass"
    "metadata" = {
      "labels" = {
        "app.kubernetes.io/component" = "controller"
        "app.kubernetes.io/instance" = "ingress-nginx"
        "app.kubernetes.io/name" = "ingress-nginx"
        "app.kubernetes.io/part-of" = "ingress-nginx"
        "app.kubernetes.io/version" = "1.12.0"
      }
      "name" = "nginx"
    }
    "spec" = {
      "controller" = "k8s.io/ingress-nginx"
    }
  }
}

# Registers the controller's admission endpoint for CREATE and UPDATE of
# networking.k8s.io/v1 ingresses in all namespaces (no namespaceSelector is set).
# clientConfig carries no caBundle here; presumably the patch Job supplies it —
# confirm against the certgen behaviour.
resource "kubernetes_manifest" "validatingwebhookconfiguration_ingress_nginx_admission" {
  manifest = {
    "apiVersion" = "admissionregistration.k8s.io/v1"
    "kind" = "ValidatingWebhookConfiguration"
    "metadata" = {
      "labels" = {
        "app.kubernetes.io/component" = "admission-webhook"
        "app.kubernetes.io/instance" = "ingress-nginx"
        "app.kubernetes.io/name" = "ingress-nginx"
        "app.kubernetes.io/part-of" = "ingress-nginx"
        "app.kubernetes.io/version" = "1.12.0"
      }
      "name" = "ingress-nginx-admission"
    }
    "webhooks" = [
      {
        "admissionReviewVersions" = [
          "v1",
        ]
        "clientConfig" = {
          "service" = {
            "name" = "ingress-nginx-controller-admission"
            "namespace" = kubernetes_manifest.namespace_ingress_nginx.manifest.metadata.name
            "path" = "/networking/v1/ingresses"
            "port" = 443
          }
        }
        # Fail closed: while the webhook is unreachable, Ingress creates and
        # updates are rejected cluster-wide rather than admitted unvalidated.
        "failurePolicy" = "Fail"
        "matchPolicy" = "Equivalent"
        "name" = "validate.nginx.ingress.kubernetes.io"
        "rules" = [
          {
            "apiGroups" = [
              "networking.k8s.io",
            ]
            "apiVersions" = [
              "v1",
            ]
            "operations" = [
              "CREATE",
              "UPDATE",
            ]
            "resources" = [
              "ingresses",
            ]
          },
        ]
        "sideEffects" = "None"
      },
    ]
  }
}