# Derived settings for the ingress-nginx add-on. Everything here is gated on
# var.ingress_nginx_enabled so the rest of the file evaluates cleanly when
# the add-on is switched off.
locals {
  # Namespace object for the controller, or null when the add-on is disabled.
  # The name is read back from the rendered chart so the two cannot drift.
  ingress_nginx_namespace = var.ingress_nginx_enabled ? {
    apiVersion = "v1"
    kind       = "Namespace"
    metadata = {
      name = data.helm_template.ingress_nginx[0].namespace
    }
  } : null

  # An explicitly configured replica count wins; when it is unset, use
  # 2 replicas on small clusters (fewer than 4 workers) and 3 otherwise.
  ingress_nginx_replicas = coalesce(
    var.ingress_nginx_replicas,
    local.worker_sum < 4 ? 2 : 3
  )

  # A cloud LoadBalancer service is only required when no external load
  # balancer pools have been configured to sit in front of the controller.
  ingress_nginx_service_load_balancer_required = (
    var.ingress_nginx_enabled &&
    length(var.ingress_load_balancer_pools) == 0
  )

  # Service type: a cloud LoadBalancer, or NodePort when traffic is delivered
  # by the configured load balancer pools instead.
  ingress_nginx_service_type = (
    local.ingress_nginx_service_load_balancer_required ?
    "LoadBalancer" :
    "NodePort"
  )

  # Fixed NodePorts for HTTP and HTTPS so the ports do not change across
  # re-deployments. NOTE(review): presumably the load balancer pools target
  # these two ports — confirm against the pool configuration.
  ingress_nginx_service_node_port_http  = 30000
  ingress_nginx_service_node_port_https = 30001
}
# Renders the ingress-nginx Helm chart to plain manifests (consumed later via
# local.ingress_nginx_manifest) instead of installing it as a Helm release.
# Only instantiated when the add-on is enabled.
data "helm_template" "ingress_nginx" {
  count        = var.ingress_nginx_enabled ? 1 : 0
  name         = "ingress-nginx"
  namespace    = "ingress-nginx"
  repository   = var.ingress_nginx_helm_repository
  chart        = var.ingress_nginx_helm_chart
  version      = var.ingress_nginx_helm_version
  kube_version = var.kubernetes_version

  # The admission webhook's TLS certificate is handed to cert-manager (per the
  # chart value name), so cert-manager must be present in the cluster for the
  # webhook to come up. Nothing in this block enforces that ordering —
  # confirm it is handled where the manifests are applied.
  set {
    name  = "controller.admissionWebhooks.certManager.enabled"
    value = true
  }

  values = [
    yamlencode({
      controller = {
        kind         = var.ingress_nginx_kind
        replicaCount = local.ingress_nginx_replicas
        # Spread controller pods across nodes. The spread is only hard-enforced
        # (DoNotSchedule) when there are more workers than replicas; otherwise
        # pods are allowed to co-locate rather than stay Pending.
        topologySpreadConstraints = [
          {
            topologyKey = "kubernetes.io/hostname"
            maxSkew     = 1
            whenUnsatisfiable = (
              local.worker_sum > local.ingress_nginx_replicas ?
              "DoNotSchedule" :
              "ScheduleAnyway"
            )
            labelSelector = {
              matchLabels = {
                "app.kubernetes.io/instance"  = "ingress-nginx"
                "app.kubernetes.io/name"      = "ingress-nginx"
                "app.kubernetes.io/component" = "controller"
              }
            }
          }
        ]
        enableTopologyAwareRouting = var.ingress_nginx_topology_aware_routing
        # Ingress objects that carry no ingressClassName are also reconciled by
        # this controller. NOTE(review): this widens what the entry point
        # exposes — a class-less Ingress in any namespace becomes reachable
        # through it; confirm that matches the intended tenancy model.
        watchIngressWithoutClass = true
        # Service spec: base type and traffic policy, plus either the fixed
        # NodePorts (external load balancer pools in front) or the Hetzner
        # cloud load balancer annotations (cloud LoadBalancer in front).
        service = merge(
          {
            type                  = local.ingress_nginx_service_type
            externalTrafficPolicy = var.ingress_nginx_service_external_traffic_policy
          },
          local.ingress_nginx_service_type == "NodePort" ?
          {
            nodePorts = {
              http  = local.ingress_nginx_service_node_port_http,
              https = local.ingress_nginx_service_node_port_https
            }
          } : {},
          local.ingress_nginx_service_type == "LoadBalancer" ?
          {
            # Hetzner cloud-controller annotations. Public-network exposure is
            # the inverse of the *_public_network_enabled variable; the load
            # balancer addresses nodes via their private IPs and sends PROXY
            # protocol, which the nginx config below (use-proxy-protocol)
            # expects. Health-check interval/timeout are passed as seconds.
            annotations = {
              "load-balancer.hetzner.cloud/algorithm-type"          = var.ingress_load_balancer_algorithm
              "load-balancer.hetzner.cloud/disable-private-ingress" = true
              "load-balancer.hetzner.cloud/disable-public-network"  = !var.ingress_load_balancer_public_network_enabled
              "load-balancer.hetzner.cloud/health-check-interval"   = "${var.ingress_load_balancer_health_check_interval}s"
              "load-balancer.hetzner.cloud/health-check-retries"    = var.ingress_load_balancer_health_check_retries
              "load-balancer.hetzner.cloud/health-check-timeout"    = "${var.ingress_load_balancer_health_check_timeout}s"
              "load-balancer.hetzner.cloud/hostname"                = local.ingress_service_load_balancer_hostname
              "load-balancer.hetzner.cloud/ipv6-disabled"           = false
              "load-balancer.hetzner.cloud/location"                = local.ingress_service_load_balancer_location
              "load-balancer.hetzner.cloud/name"                    = local.ingress_service_load_balancer_name
              "load-balancer.hetzner.cloud/type"                    = var.ingress_load_balancer_type
              "load-balancer.hetzner.cloud/use-private-ip"          = true
              "load-balancer.hetzner.cloud/uses-proxyprotocol"      = true
            }
          } : {}
        )
        # nginx controller configuration (the chart's ConfigMap keys).
        config = {
          # Source ranges whose PROXY protocol / forwarded-for information is
          # trusted when deriving the client address (nginx set_real_ip_from).
          # With externalTrafficPolicy=Local the connection comes straight from
          # the load balancer subnet; otherwise it may be forwarded by any node,
          # so the whole node CIDR is trusted (presumably because traffic is
          # SNATed to node addresses in that mode — verify). Any peer able to
          # source traffic from a trusted range can present an arbitrary client
          # IP, so keep this range as narrow as the traffic path allows.
          proxy-real-ip-cidr = (
            var.ingress_nginx_service_external_traffic_policy == "Local" ?
            hcloud_network_subnet.load_balancer.ip_range :
            local.node_ipv4_cidr
          )
          # Append to, rather than replace, X-Forwarded-For.
          compute-full-forwarded-for = true
          # Incoming connections must carry PROXY protocol. The cloud load
          # balancer above is configured to send it; in NodePort mode whatever
          # fronts the fixed ports must do the same — confirm for that path.
          use-proxy-protocol = true
        }
        # Enable the chart-managed NetworkPolicy for the controller pods (per
        # the chart value name).
        networkPolicy = {
          enabled = true
        }
      }
    }),
    # Caller-supplied overrides; listed last so they take precedence over the
    # defaults above.
    yamlencode(var.ingress_nginx_helm_values)
  ]

  # The load balancer must be attached to the network before rendering, since
  # the load balancer subnet range feeds proxy-real-ip-cidr above.
  depends_on = [hcloud_load_balancer_network.ingress]
}
# Final manifest bundle for the add-on: the Namespace document first, then
# the rendered chart, as one multi-document YAML stream. null when the add-on
# is disabled. The indented heredoc (<<-) strips the common leading
# whitespace, so the emitted YAML starts at column 0.
locals {
  ingress_nginx_manifest = var.ingress_nginx_enabled ? {
    name     = "ingress-nginx"
    contents = <<-EOF
      ${yamlencode(local.ingress_nginx_namespace)}
      ---
      ${data.helm_template.ingress_nginx[0].manifest}
    EOF
  } : null
}