diff --git a/examples/kind-with-nginx/README.md b/examples/kind-with-nginx/README.md
index abcc85c..fb608d2 100644
--- a/examples/kind-with-nginx/README.md
+++ b/examples/kind-with-nginx/README.md
@@ -46,4 +46,43 @@ export TF_BIN=tofu # change to `terraform` if you want to use Terraform instead
 $TF_BIN destroy
 ```
-and all the resources will be deleted.
\ No newline at end of file
+and all the resources will be deleted.
+
+## Requirements
+
+| Name | Version |
+|------|---------|
+| [helm](#requirement\_helm) | 2.17.0 |
+| [kind](#requirement\_kind) | 0.7.0 |
+| [kubernetes](#requirement\_kubernetes) | 2.35.1 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| [helm](#provider\_helm) | 2.17.0 |
+| [kubernetes](#provider\_kubernetes) | 2.35.1 |
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| [kind](#module\_kind) | ../../modules/kind-cluster | n/a |
+| [nginx\_ingress](#module\_nginx\_ingress) | ../../modules/nginx-ingress | n/a |
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [helm_release.nextcloud](https://registry.terraform.io/providers/hashicorp/helm/2.17.0/docs/resources/release) | resource |
+| [kubernetes_ingress_v1.nextcloud](https://registry.terraform.io/providers/hashicorp/kubernetes/2.35.1/docs/resources/ingress_v1) | resource |
+| [kubernetes_namespace_v1.workshop](https://registry.terraform.io/providers/hashicorp/kubernetes/2.35.1/docs/resources/namespace_v1) | resource |
+
+## Inputs
+
+No inputs.
+
+## Outputs
+
+No outputs.
+
\ No newline at end of file
diff --git a/modules/cilium-mesh/README.md b/modules/cilium-mesh/README.md
index e88d68b..4a2c047 100644
--- a/modules/cilium-mesh/README.md
+++ b/modules/cilium-mesh/README.md
@@ -42,7 +42,7 @@ No modules.
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | [helm\_repository](#input\_helm\_repository) | Helm Chart Repository URL | `string` | `"https://helm.cilium.io/"` | no |
-| [helm\_version](#input\_helm\_version) | The version of the Cilium Helm Chart to be installed | `string` | `"1.16.5"` | no |
+| [helm\_version](#input\_helm\_version) | The version of the Cilium Helm Chart to be installed | `string` | `"1.16.6"` | no |
 | [node\_port\_http](#input\_node\_port\_http) | The NodePort for HTTP traffic | `number` | `30000` | no |
 | [node\_port\_https](#input\_node\_port\_https) | The NodePort for HTTPS traffic | `number` | `30001` | no |
 
diff --git a/modules/cilium-mesh/variables.tf b/modules/cilium-mesh/variables.tf
index ac9c18f..d09246c 100644
--- a/modules/cilium-mesh/variables.tf
+++ b/modules/cilium-mesh/variables.tf
@@ -1,7 +1,7 @@
 variable "helm_version" {
   description = "The version of the Cilium Helm Chart to be installed"
   type = string
-  default = "1.16.5"
+  default = "1.16.6"
   validation {
     condition = can(regex("^[0-9]+.[0-9]+.[0-9]+$", var.helm_version))
     error_message = "The Helm version must be in the format x.y.z"
@@ -13,8 +13,8 @@ variable "helm_repository" {
   description = "Helm Chart Repository URL"
   default = "https://helm.cilium.io/"
   validation {
-    condition = can(regex("https://.*", var.helm_repository))
-    error_message = "The Helm Repository URL must start with https://"
+    condition = can(regex("https://.*", var.helm_repository)) || can(regex("oci://.*", var.helm_repository))
+    error_message = "The Helm Repository URL must start with https:// or oci://"
   }
 }
 
diff --git a/modules/istio-mesh/variables.tf b/modules/istio-mesh/variables.tf
index 6db9ae8..20ab5eb 100644
--- a/modules/istio-mesh/variables.tf
+++ b/modules/istio-mesh/variables.tf
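Review bot: The rewritten `helm_repository` condition still does not enforce what its error message states, because both `regex("https://.*", …)` and the newly added `regex("oci://.*", …)` are unanchored and match the scheme anywhere in the string, so a constructed value such as `http://example.invalid/?u=https://` passes validation even though the variable is documented as the chart repository URL; the same two lines are changed in modules/istio-mesh/variables.tf in the next hunk. Anchoring the pattern to the start of the string closes that gap and folds the two checks into one: `condition     = can(regex("^(https|oci)://", var.helm_repository))`. The `helm_version` pattern in the first hunk of this file, `^[0-9]+.[0-9]+.[0-9]+$`, has the related weakness that its dots are unescaped and match any character, so `"^[0-9]+\\.[0-9]+\\.[0-9]+$"` is what matches a literal x.y.z. The `kubernetes_version` pattern in modules/kind-cluster/variables.tf (`v[0-9]+.[0-9]+.[0-9]+`) has the same unescaped dots and additionally no anchors, so it would accept a longer string that merely contains a version-like substring.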
@@ -23,8 +23,8 @@ variable "helm_repository" {
   description = "Helm Chart Repository URL"
   default = "https://istio-release.storage.googleapis.com/charts"
   validation {
-    condition = can(regex("https://.*", var.helm_repository))
-    error_message = "The Helm Repository URL must start with https://"
+    condition = can(regex("https://.*", var.helm_repository)) || can(regex("oci://.*", var.helm_repository))
+    error_message = "The Helm Repository URL must start with https:// or oci://"
   }
 }
 
diff --git a/modules/kind-cluster/README.md b/modules/kind-cluster/README.md
index 098f080..f531ac1 100644
--- a/modules/kind-cluster/README.md
+++ b/modules/kind-cluster/README.md
@@ -10,7 +10,7 @@ Clone this repository and set the path to this module in your Project.
 module "kind" {
   source = "path/to/this/module"
-  kubernetes_version = "1.31.4"
+  kubernetes_version = "1.32.1"
   cluster_name = "my_local_cluster"
   worker_nodes = 2 # Create two worker nodes
   kubeconfig_save_path = "./kubeconfig"
@@ -44,7 +44,7 @@ No modules.
 |------|-------------|------|---------|:--------:|
 | [cluster\_name](#input\_cluster\_name) | Defines the name of the cluster | `string` | `"local-cluster"` | no |
 | [kubeconfig\_save\_path](#input\_kubeconfig\_save\_path) | Defines the path to save the kubeconfig file | `string` | `"kubeconfig"` | no |
-| [kubernetes\_version](#input\_kubernetes\_version) | Defines the kubernetes version to be used | `string` | `"v1.31.4"` | no |
+| [kubernetes\_version](#input\_kubernetes\_version) | Defines the kubernetes version to be used | `string` | `"v1.32.1"` | no |
 | [worker\_nodes](#input\_worker\_nodes) | Defines the number of worker nodes to be created | `number` | `1` | no |
 
 ## Outputs
diff --git a/modules/kind-cluster/variables.tf b/modules/kind-cluster/variables.tf
index 98111a4..658f100 100644
--- a/modules/kind-cluster/variables.tf
+++ b/modules/kind-cluster/variables.tf
@@ -1,6 +1,6 @@
 variable "kubernetes_version" {
   type = string
-  default = "v1.31.4"
+  default = "v1.32.1"
   description = "Defines the kubernetes version to be used"
   validation {
     condition = can(regex("v[0-9]+.[0-9]+.[0-9]+", var.kubernetes_version))
diff --git a/modules/nginx-ingress/README.md b/modules/nginx-ingress/README.md
index f860756..67bdaef 100644
--- a/modules/nginx-ingress/README.md
+++ b/modules/nginx-ingress/README.md
@@ -9,7 +9,7 @@ Clone this repository and set the path to this module in your Project.
 ´´´hcl
 module "nginx_ingress" {
   source = "path/to/this/module"
-  ingress_nginx_version = "1.11.3"
+  helm_version = "4.12.0"
 }
 ´´´
 
@@ -22,6 +22,7 @@ No requirements.
 
 | Name | Version |
 |------|---------|
+| [helm](#provider\_helm) | n/a |
 | [kubernetes](#provider\_kubernetes) | n/a |
 
 ## Modules
@@ -32,38 +33,18 @@ No modules. | Name | Type | |------|------| -| [kubernetes_cluster_role_binding_v1.ingress_nginx](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/cluster_role_binding_v1) | resource | -| [kubernetes_cluster_role_binding_v1.ingress_nginx_admission](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/cluster_role_binding_v1) | resource | -| [kubernetes_cluster_role_v1.ingress_nginx](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/cluster_role_v1) | resource | -| [kubernetes_cluster_role_v1.ingress_nginx_admission](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/cluster_role_v1) | resource | -| [kubernetes_config_map_v1.ingress_nginx_controller](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/config_map_v1) | resource | -| [kubernetes_deployment_v1.ingress_nginx_controller](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/deployment_v1) | resource | -| [kubernetes_ingress_class_v1.ingressclass_nginx](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/ingress_class_v1) | resource | -| [kubernetes_job_v1.ingress_nginx_admission_create](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/job_v1) | resource | -| [kubernetes_job_v1.ingress_nginx_admission_patch](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/job_v1) | resource | +| [helm_release.ingress_nginx](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource | | [kubernetes_namespace_v1.ingress_nginx](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace_v1) | resource | -| [kubernetes_role_binding_v1.ingress_nginx](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/role_binding_v1) | 
resource | -| [kubernetes_role_binding_v1.ingress_nginx_admission](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/role_binding_v1) | resource | -| [kubernetes_role_v1.ingress_nginx](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/role_v1) | resource | -| [kubernetes_role_v1.ingress_nginx_admission](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/role_v1) | resource | -| [kubernetes_secret_v1.service_account_ingress_nginx](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/secret_v1) | resource | -| [kubernetes_secret_v1.service_account_ingress_nginx_admission](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/secret_v1) | resource | -| [kubernetes_service_account_v1.ingress_nginx](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/service_account_v1) | resource | -| [kubernetes_service_account_v1.ingress_nginx_admission](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/service_account_v1) | resource | -| [kubernetes_service_v1.ingress_nginx_controller](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/service_v1) | resource | -| [kubernetes_service_v1.ingress_nginx_controller_admission](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/service_v1) | resource | -| [kubernetes_validating_webhook_configuration_v1.ingress_nginx_admission](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/validating_webhook_configuration_v1) | resource | ## Inputs | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| [ingress\_nginx\_sha256\_digest](#input\_ingress\_nginx\_sha256\_digest) | The sha256 digest of the NGINX Ingress to be installed | `string` | 
`"d56f135b6462cfc476447cfe564b83a45e8bb7da2774963b00d12161112270b7"` | no | -| [ingress\_nginx\_version](#input\_ingress\_nginx\_version) | The version of the NGINX Ingress to be installed | `string` | `"1.11.3"` | no | -| [ingress\_webhook\_certgen\_sha256\_digest](#input\_ingress\_webhook\_certgen\_sha256\_digest) | The sha256 digest of the NGINX Webhook Certificate generator to be installed | `string` | `"a9f03b34a3cbfbb26d103a14046ab2c5130a80c3d69d526ff8063d2b37b9fd3f"` | no | -| [ingress\_webhook\_certgen\_version](#input\_ingress\_webhook\_certgen\_version) | The version of the NGINX Webhook Certificate generator to be installed | `string` | `"1.4.4"` | no | +| [helm\_repository](#input\_helm\_repository) | Helm Chart Repository URL | `string` | `"https://kubernetes.github.io/ingress-nginx"` | no | +| [helm\_version](#input\_helm\_version) | The version of the nginx Ingress Controller Helm Chart to be installed | `string` | `"4.12.0"` | no | | [local\_node\_ports](#input\_local\_node\_ports) | Defines the node ports to use with the local cluster (kind) |
list(object({
app_protocol = string
name = string
target_port = string
protocol = string
port = number
node_port = number
}))
|
[
{
"app_protocol": "http",
"name": "http",
"node_port": 30000,
"port": 80,
"protocol": "TCP",
"target_port": "http"
},
{
"app_protocol": "https",
"name": "https",
"node_port": 30001,
"port": 443,
"protocol": "TCP",
"target_port": "https"
}
]
| no | | [namespace](#input\_namespace) | Namespace where to install the services | `string` | `"ingress-nginx"` | no | +| [toleration\_label](#input\_toleration\_label) | Defines label to be used for toleration when deploying the Ingress Controller | `string` | `"node-role.kubernetes.io/control-plane"` | no | ## Outputs diff --git a/modules/nginx-ingress/admission-controller.tf b/modules/nginx-ingress/admission-controller.tf deleted file mode 100644 index 4b79911..0000000 --- a/modules/nginx-ingress/admission-controller.tf +++ /dev/null 
@@ -1,262 +0,0 @@ - -resource "kubernetes_service_account_v1" "ingress_nginx_admission" { - metadata { - name = "ingress-nginx-admission" - namespace = kubernetes_namespace_v1.ingress_nginx.metadata.0.name - labels = local.admission_labels - } - - automount_service_account_token = true -} - -resource "kubernetes_secret_v1" "service_account_ingress_nginx_admission" { - metadata { - namespace = kubernetes_namespace_v1.ingress_nginx.metadata.0.name - annotations = { - "kubernetes.io/service-account.name" = kubernetes_service_account_v1.ingress_nginx_admission.metadata.0.name - } - labels = local.admission_labels - generate_name = "${kubernetes_service_account_v1.ingress_nginx_admission.metadata.0.name}-" - } - - type = "kubernetes.io/service-account-token" - wait_for_service_account_token = true -} - -resource "kubernetes_role_v1" "ingress_nginx_admission" { - metadata { - name = "ingress-nginx-admission" - namespace = kubernetes_namespace_v1.ingress_nginx.metadata.0.name - labels = local.admission_labels - } - - rule { - api_groups = [""] - resources = ["secrets"] - verbs = ["get", "create"] - } -} - -resource "kubernetes_cluster_role_v1" "ingress_nginx_admission" { - metadata { - name = "ingress-nginx-admission" - labels = local.admission_labels - } - - rule { - api_groups = ["admissionregistration.k8s.io"] - resources = ["validatingwebhookconfigurations"] - verbs = ["get", "update"] - } -} - - -resource "kubernetes_role_binding_v1" "ingress_nginx_admission" { - metadata { - name = "ingress-nginx-admission" - namespace = kubernetes_namespace_v1.ingress_nginx.metadata.0.name - labels = local.admission_labels - } - role_ref { - api_group = "rbac.authorization.k8s.io" - kind = "Role" - name = kubernetes_role_v1.ingress_nginx_admission.metadata.0.name - } - subject { - kind = "ServiceAccount" - name = kubernetes_service_account_v1.ingress_nginx_admission.metadata.0.name - namespace = kubernetes_namespace_v1.ingress_nginx.metadata.0.name - } -} - -resource 
"kubernetes_cluster_role_binding_v1" "ingress_nginx_admission" { - metadata { - name = "ingress-nginx-admission" - labels = local.admission_labels - } - role_ref { - api_group = "rbac.authorization.k8s.io" - kind = "ClusterRole" - name = kubernetes_cluster_role_v1.ingress_nginx_admission.metadata.0.name - } - subject { - kind = "ServiceAccount" - name = kubernetes_service_account_v1.ingress_nginx_admission.metadata.0.name - namespace = kubernetes_namespace_v1.ingress_nginx.metadata.0.name - } -} - -resource "kubernetes_service_v1" "ingress_nginx_controller_admission" { - metadata { - name = "ingress-nginx-controller-admission" - namespace = kubernetes_namespace_v1.ingress_nginx.metadata.0.name - labels = local.admission_labels - } - spec { - port { - app_protocol = "https" - name = "https-webhook" - port = 443 - target_port = "webhook" - } - - selector = { - "app.kubernetes.io/component" = "controller" - "app.kubernetes.io/instance" = "ingress-nginx" - "app.kubernetes.io/name" = "ingress-nginx" - } - type = "ClusterIP" - } -} - -resource "kubernetes_job_v1" "ingress_nginx_admission_create" { - metadata { - name = "ingress-nginx-admission-create" - namespace = kubernetes_namespace_v1.ingress_nginx.metadata.0.name - labels = local.admission_labels - } - spec { - template { - metadata { - labels = local.admission_labels - name = "ingress-nginx-admission-create" - } - spec { - container { - args = [ - "create", - "--host=ingress-nginx-controller-admission,ingress-nginx-controller-admission.$(POD_NAMESPACE).svc", - "--namespace=$(POD_NAMESPACE)", - "--secret-name=ingress-nginx-admission", - ] - env { - name = "POD_NAMESPACE" - value_from { - field_ref { - field_path = "metadata.namespace" - } - } - } - image = "registry.k8s.io/ingress-nginx/kube-webhook-certgen:v20231226-1a7112e06@sha256:25d6a5f11211cc5c3f9f2bf552b585374af287b4debf693cacbe2da47daa5084" - image_pull_policy = "IfNotPresent" - name = "create" - security_context { - allow_privilege_escalation = false - 
capabilities { - drop = [ - "ALL", - ] - } - read_only_root_filesystem = true - run_as_non_root = true - run_as_user = 65532 - seccomp_profile { - type = "RuntimeDefault" - } - } - } - node_selector = { - "kubernetes.io/os" = "linux" - } - restart_policy = "OnFailure" - service_account_name = kubernetes_service_account_v1.ingress_nginx_admission.metadata.0.name - } - } - } - wait_for_completion = true - timeouts { - create = "120s" - } -} - -resource "kubernetes_job_v1" "ingress_nginx_admission_patch" { - metadata { - name = "ingress-nginx-admission-patch" - namespace = kubernetes_namespace_v1.ingress_nginx.metadata.0.name - labels = local.admission_labels - } - spec { - template { - metadata { - labels = local.admission_labels - name = "ingress-nginx-admission-patch" - - } - spec { - container { - args = [ - "patch", - "--webhook-name=ingress-nginx-admission", - "--namespace=$(POD_NAMESPACE)", - "--patch-mutating=false", - "--secret-name=ingress-nginx-admission", - "--patch-failure-policy=Fail", - ] - env { - name = "POD_NAMESPACE" - value_from { - field_ref { - field_path = "metadata.namespace" - } - } - } - image = "registry.k8s.io/ingress-nginx/kube-webhook-certgen:v${var.ingress_webhook_certgen_version}@sha256:${var.ingress_webhook_certgen_sha256_digest}" - image_pull_policy = "IfNotPresent" - name = "patch" - security_context { - allow_privilege_escalation = false - capabilities { - drop = [ - "ALL", - ] - } - read_only_root_filesystem = true - run_as_non_root = true - run_as_user = 65532 - seccomp_profile { - type = "RuntimeDefault" - } - } - } - node_selector = { - "kubernetes.io/os" = "linux" - } - restart_policy = "OnFailure" - service_account_name = kubernetes_service_account_v1.ingress_nginx_admission.metadata.0.name - } - } - } - - depends_on = [kubernetes_job_v1.ingress_nginx_admission_create] - wait_for_completion = true - timeouts { - create = "120s" - } -} - -resource "kubernetes_validating_webhook_configuration_v1" "ingress_nginx_admission" { - 
metadata { - labels = local.admission_labels - name = "ingress-nginx-admission" - } - webhook { - admission_review_versions = ["v1"] - client_config { - service { - name = kubernetes_service_v1.ingress_nginx_controller_admission.metadata.0.name - namespace = kubernetes_namespace_v1.ingress_nginx.metadata.0.name - path = "/networking/v1/ingresses" - } - } - failure_policy = "Fail" - match_policy = "Equivalent" - name = "validate.nginx.ingress.kubernetes.io" - rule { - api_groups = ["networking.k8s.io"] - api_versions = ["v1"] - operations = ["CREATE", "UPDATE"] - resources = ["ingresses"] - } - side_effects = "None" - } -} diff --git a/modules/nginx-ingress/controller.tf b/modules/nginx-ingress/controller.tf deleted file mode 100644 index bd1eaac..0000000 --- a/modules/nginx-ingress/controller.tf +++ /dev/null 
@@ -1,404 +0,0 @@ - -resource "kubernetes_service_account_v1" "ingress_nginx" { - metadata { - name = "ingress-nginx" - namespace = kubernetes_namespace_v1.ingress_nginx.metadata.0.name - labels = local.controller_labels - } - - automount_service_account_token = true -} - -resource "kubernetes_secret_v1" "service_account_ingress_nginx" { - metadata { - namespace = kubernetes_namespace_v1.ingress_nginx.metadata.0.name - annotations = { - "kubernetes.io/service-account.name" = kubernetes_service_account_v1.ingress_nginx.metadata.0.name - } - labels = local.controller_labels - generate_name = "${kubernetes_service_account_v1.ingress_nginx.metadata.0.name}-" - } - - type = "kubernetes.io/service-account-token" - wait_for_service_account_token = true -} - - -resource "kubernetes_role_v1" "ingress_nginx" { - metadata { - name = "ingress-nginx" - namespace = kubernetes_namespace_v1.ingress_nginx.metadata.0.name - labels = local.controller_labels - } - - rule { - api_groups = [""] - resources = ["namespaces"] - verbs = ["get"] - } - rule { - api_groups = [""] - resources = ["configmaps", "pods", "secrets", "endpoints"] - verbs = ["get", "list", "watch"] - } - rule { - api_groups = [""] - resources = ["services"] - verbs = ["get", "list", "watch"] - } - rule { - api_groups = ["networking.k8s.io"] - resources = ["ingresses"] - verbs = ["get", "list", "watch"] - } - rule { - api_groups = ["networking.k8s.io"] - resources = ["ingresses/status"] - verbs = ["update"] - } - rule { - api_groups = ["networking.k8s.io"] - resources = ["ingressclasses"] - verbs = ["get", "list", "watch"] - } - rule { - api_groups = ["coordination.k8s.io"] - resource_names = ["ingress-nginx-leader"] - resources = ["leases"] - verbs = ["get", "update"] - } - rule { - api_groups = ["coordination.k8s.io"] - resources = ["leases"] - verbs = ["create"] - } - rule { - api_groups = [""] - resources = ["events"] - verbs = ["create", "patch"] - } - rule { - api_groups = ["discovery.k8s.io"] - resources = 
["endpointslices"] - verbs = ["list", "watch", "get"] - } -} - -resource "kubernetes_cluster_role_v1" "ingress_nginx" { - metadata { - name = "ingress-nginx" - labels = local.controller_labels - } - - rule { - api_groups = [""] - resources = ["configmaps", "endpoints", "nodes", "pods", "secrets", "namespaces"] - verbs = ["list", "watch"] - } - - rule { - api_groups = [""] - resources = ["nodes"] - verbs = ["get"] - } - rule { - api_groups = [""] - resources = ["services"] - verbs = ["get", "list", "watch"] - } - rule { - api_groups = ["coordination.k8s.io"] - resources = ["leases"] - verbs = ["list", "watch"] - } - rule { - api_groups = ["networking.k8s.io"] - resources = ["ingresses"] - verbs = ["get", "list", "watch"] - } - rule { - api_groups = ["networking.k8s.io"] - resources = ["ingressclasses"] - verbs = ["get", "list", "watch"] - } - rule { - api_groups = ["networking.k8s.io"] - resources = ["ingresses/status"] - verbs = ["update"] - } - rule { - api_groups = [""] - resources = ["events"] - verbs = ["create", "patch"] - } - rule { - api_groups = ["discovery.k8s.io"] - resources = ["endpointslices"] - verbs = ["list", "watch", "get"] - } -} - -resource "kubernetes_role_binding_v1" "ingress_nginx" { - metadata { - name = "ingress-nginx" - namespace = kubernetes_namespace_v1.ingress_nginx.metadata.0.name - labels = local.controller_labels - } - role_ref { - api_group = "rbac.authorization.k8s.io" - kind = "Role" - name = kubernetes_role_v1.ingress_nginx.metadata.0.name - } - subject { - kind = "ServiceAccount" - name = kubernetes_service_account_v1.ingress_nginx.metadata.0.name - namespace = kubernetes_namespace_v1.ingress_nginx.metadata.0.name - } -} - -resource "kubernetes_cluster_role_binding_v1" "ingress_nginx" { - metadata { - name = "ingress-nginx" - labels = local.controller_labels - } - role_ref { - api_group = "rbac.authorization.k8s.io" - kind = "ClusterRole" - name = kubernetes_cluster_role_v1.ingress_nginx.metadata.0.name - } - subject { - kind = 
"ServiceAccount" - name = kubernetes_service_account_v1.ingress_nginx.metadata.0.name - namespace = kubernetes_namespace_v1.ingress_nginx.metadata.0.name - } -} - -resource "kubernetes_config_map_v1" "ingress_nginx_controller" { - metadata { - name = "ingress-nginx-controller" - namespace = kubernetes_namespace_v1.ingress_nginx.metadata.0.name - labels = local.controller_labels - } - - data = { - allow-snippet-annotations = "false" - } -} - - - -resource "kubernetes_service_v1" "ingress_nginx_controller" { - metadata { - name = "ingress-nginx-controller" - namespace = kubernetes_namespace_v1.ingress_nginx.metadata.0.name - labels = local.controller_labels - } - spec { - ip_families = ["IPv4"] - - ip_family_policy = "SingleStack" - - dynamic "port" { - for_each = var.local_node_ports - content { - app_protocol = port.value.app_protocol - name = port.value.name - port = port.value.port - protocol = port.value.protocol - target_port = port.value.target_port - node_port = port.value.node_port - } - } - - selector = { - "app.kubernetes.io/component" = "controller" - "app.kubernetes.io/instance" = "ingress-nginx" - "app.kubernetes.io/name" = "ingress-nginx" - } - type = "NodePort" - } -} - - -resource "kubernetes_deployment_v1" "ingress_nginx_controller" { - metadata { - name = "ingress-nginx-controller" - namespace = kubernetes_namespace_v1.ingress_nginx.metadata.0.name - labels = local.controller_labels - } - - spec { - min_ready_seconds = 0 - revision_history_limit = 10 - selector { - match_labels = { - "app.kubernetes.io/component" = "controller" - "app.kubernetes.io/instance" = "ingress-nginx" - "app.kubernetes.io/name" = "ingress-nginx" - } - } - strategy { - rolling_update { - max_unavailable = 1 - } - type = "RollingUpdate" - } - template { - metadata { - labels = { - "app.kubernetes.io/component" = "controller" - "app.kubernetes.io/instance" = "ingress-nginx" - "app.kubernetes.io/name" = "ingress-nginx" - } - } - spec { - container { - args = [ - 
"/nginx-ingress-controller", - "--election-id=ingress-nginx-leader", - "--controller-class=k8s.io/ingress-nginx", - "--ingress-class=nginx", - "--configmap=$(POD_NAMESPACE)/ingress-nginx-controller", - "--validating-webhook=:8443", - "--validating-webhook-certificate=/usr/local/certificates/cert", - "--validating-webhook-key=/usr/local/certificates/key", - "--watch-ingress-without-class=true", - "--publish-status-address=localhost", - ] - env { - name = "POD_NAME" - value_from { - field_ref { - field_path = "metadata.name" - } - } - } - env { - name = "POD_NAMESPACE" - value_from { - field_ref { - field_path = "metadata.namespace" - } - } - } - env { - name = "LD_PRELOAD" - value = "/usr/local/lib/libmimalloc.so" - } - image = "registry.k8s.io/ingress-nginx/controller:v${var.ingress_nginx_version}@sha256:${var.ingress_nginx_sha256_digest}" - image_pull_policy = "IfNotPresent" - lifecycle { - pre_stop { - exec { - command = [ - "/wait-shutdown", - ] - } - } - } - liveness_probe { - failure_threshold = 5 - http_get { - path = "/healthz" - port = 10254 - scheme = "HTTP" - } - initial_delay_seconds = 10 - period_seconds = 10 - success_threshold = 1 - timeout_seconds = 1 - } - name = "controller" - port { - container_port = 80 - host_port = 80 - name = "http" - protocol = "TCP" - } - port { - container_port = 443 - host_port = 443 - name = "https" - protocol = "TCP" - } - port { - container_port = 8443 - name = "webhook" - protocol = "TCP" - } - readiness_probe { - failure_threshold = 3 - http_get { - path = "/healthz" - port = 10254 - scheme = "HTTP" - } - - initial_delay_seconds = 10 - period_seconds = 10 - success_threshold = 1 - timeout_seconds = 1 - } - resources { - requests = { - cpu = "100m" - memory = "90Mi" - } - } - security_context { - allow_privilege_escalation = false - capabilities { - add = [ - "NET_BIND_SERVICE", - ] - drop = [ - "ALL", - ] - } - read_only_root_filesystem = false - run_as_non_root = true - run_as_user = 101 - seccomp_profile { - type = 
"RuntimeDefault" - } - - } - volume_mount { - mount_path = "/usr/local/certificates/" - name = "webhook-cert" - read_only = true - } - } - dns_policy = "ClusterFirst" - node_selector = { - "ingress-ready" = "true" - "kubernetes.io/os" = "linux" - } - - service_account_name = kubernetes_service_account_v1.ingress_nginx.metadata.0.name - termination_grace_period_seconds = 0 - - toleration { - effect = "NoSchedule" - key = "node-role.kubernetes.io/master" - operator = "Equal" - } - - toleration { - effect = "NoSchedule" - key = "node-role.kubernetes.io/control-plane" - operator = "Equal" - } - - volume { - name = "webhook-cert" - secret { - secret_name = "ingress-nginx-admission" - } - } - } - } - } - - depends_on = [kubernetes_job_v1.ingress_nginx_admission_create, kubernetes_job_v1.ingress_nginx_admission_patch] -} diff --git a/modules/nginx-ingress/main.tf b/modules/nginx-ingress/main.tf index e101a4e..8bf97a0 100644 --- a/modules/nginx-ingress/main.tf +++ b/modules/nginx-ingress/main.tf 
@@ -1,37 +1,52 @@ -locals { - controller_labels = { - "app.kubernetes.io/component" = "controller" - "app.kubernetes.io/instance" = "ingress-nginx" - "app.kubernetes.io/name" = "ingress-nginx" - "app.kubernetes.io/part-of" = "ingress-nginx" - "app.kubernetes.io/version" = "${var.ingress_nginx_version}" - } - - admission_labels = { - "app.kubernetes.io/component" = "admission-webhook" - "app.kubernetes.io/instance" = "ingress-nginx" - "app.kubernetes.io/name" = "ingress-nginx" - "app.kubernetes.io/part-of" = "ingress-nginx" - "app.kubernetes.io/version" = "${var.ingress_nginx_version}" - } -} - resource "kubernetes_namespace_v1" "ingress_nginx" { metadata { name = var.namespace labels = { - "app.kubernetes.io/instance" = "ingress-nginx" - "app.kubernetes.io/name" = "ingress-nginx" + "kubernetes.io/metadata.name" : "ingress-nginx" + "name" : "ingress-nginx" + "pod-security.kubernetes.io/warn" : "restricted" + "pod-security.kubernetes.io/warn-version" : "v1.32" } } } -resource "kubernetes_ingress_class_v1" "ingressclass_nginx" { - metadata { - labels = local.controller_labels - name = "nginx" - } - spec { - controller = "k8s.io/ingress-nginx" - } +locals { + target_namespace = kubernetes_namespace_v1.ingress_nginx.metadata[0].name +} + +resource "helm_release" "ingress_nginx" { + name = "ingress-nginx" + chart = "ingress-nginx" + repository = var.helm_repository + version = var.helm_version + namespace = local.target_namespace + lint = true + atomic = true + wait = true + + timeout = 120 + + values = [< 0 + error_message = "The toleration label must not be empty" } }