ingress: Use Deployment+Service with externalIPs

Now that we have `keepalived` managing the "virtual" IP address for the ingress controller, we can change _ingress-nginx_ to run as a Deployment rather than a DaemonSet. It no longer needs to use the host network namespace, as `kube-proxy` will route all traffic sent to the configured external IP address to the controller pods. Using the _Local_ external traffic policy disables NAT, so incoming traffic is seen by the nginx unmodified.
2024-11-22 22:32:02 -06:00 · 2024-11-22 22:32:02 -06:00 · fefbaa9991
parent e7ea2b0659
commit fefbaa9991
2 changed files with 8 additions and 37 deletions
--- a/ingress/kustomization.yaml
+++ b/ingress/kustomization.yaml
@ -5,56 +5,34 @@ namespace: ingress-nginx

 resources:
 - https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.3.0/deploy/static/provider/cloud/deploy.yaml
- tcp-services.yaml
+
+replicas:
+- name: ingress-nginx-controller
+  count: 2

 patches:
 - patch: |-
-    $patch: delete
    apiVersion: v1
    kind: Service
    metadata:
      name: ingress-nginx-controller
      namespace: ingress-nginx
+    spec:
+      externalIPs:
+      - 172.30.0.147
+      externalTrafficPolicy: Local

 - patch: |-
-    - op: replace
-      path: /kind
-      value: DaemonSet
-    - op: remove
-      path: /spec/template/spec/containers/0/args/1
-    - op: add
-      path: /spec/template/spec/containers/0/args/-
-      value: >-
-        --report-node-internal-ip-address
    - op: add
      path: /spec/template/spec/containers/0/args/-
      value: >-
        --default-ssl-certificate=default/pyrocufflink-cert
-    - op: add
-      path: /spec/template/spec/containers/0/args/-
-      value: >-
-        --tcp-services-configmap=ingress-nginx/tcp-services
  target:
    group: apps
    kind: Deployment
    name: ingress-nginx-controller
    version: v1

- patch: |-
-    apiVersion: apps/v1
-    kind: DaemonSet
-    metadata:
-      name: ingress-nginx-controller
-      namespace: ingress-nginx
-    spec:
-      template:
-        spec:
-          dnsPolicy: ClusterFirstWithHostNet
-          hostNetwork: true
-          nodeSelector:
-            kubernetes.io/role: ingress
-
-
 - patch: |-
    apiVersion: networking.k8s.io/v1
    kind: IngressClass
--- a/ingress/tcp-services.yaml
+++ b/ingress/tcp-services.yaml
@ -1,7 +0,0 @@
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: tcp-services
-data:
-  '8883': home-assistant/mosquitto:8883
-  '5671': rabbitmq/rabbitmq:5671