{{- if eq .Values.controller.kind "daemonset" }} apiVersion: apps/v1 kind: DaemonSet metadata: name: {{ include "nginx-ingress.controller.fullname" . }} namespace: {{ .Release.Namespace }} labels: {{- include "nginx-ingress.labels" . | nindent 4 }} {{- if .Values.controller.annotations }} annotations: {{ toYaml .Values.controller.annotations | nindent 4 }} {{- end }} spec: selector: matchLabels: {{- include "nginx-ingress.selectorLabels" . | nindent 6 }} template: metadata: labels: {{- include "nginx-ingress.podLabels" . | nindent 8 }} {{- if or .Values.prometheus.create .Values.controller.pod.annotations }} annotations: {{- if .Values.prometheus.create }} prometheus.io/scrape: "true" prometheus.io/port: "{{ .Values.prometheus.port }}" prometheus.io/scheme: "{{ .Values.prometheus.scheme }}" {{- end }} {{- if .Values.controller.pod.annotations }} {{ toYaml .Values.controller.pod.annotations | indent 8 }} {{- end }} {{- end }} spec: serviceAccountName: {{ include "nginx-ingress.serviceAccountName" . }} automountServiceAccountToken: true securityContext: {{ toYaml .Values.controller.podSecurityContext | indent 8 }} terminationGracePeriodSeconds: {{ .Values.controller.terminationGracePeriodSeconds }} {{- if .Values.controller.nodeSelector }} nodeSelector: {{ toYaml .Values.controller.nodeSelector | indent 8 }} {{- end }} {{- if .Values.controller.tolerations }} tolerations: {{ toYaml .Values.controller.tolerations | indent 6 }} {{- end }} {{- if .Values.controller.affinity }} affinity: {{ toYaml .Values.controller.affinity | indent 8 }} {{- end }} {{- include "nginx-ingress.volumes" . | indent 6 }} {{- if .Values.controller.priorityClassName }} priorityClassName: {{ .Values.controller.priorityClassName }} {{- end }} hostNetwork: {{ .Values.controller.hostNetwork }} dnsPolicy: {{ .Values.controller.dnsPolicy }} {{- if .Values.controller.shareProcessNamespace }} shareProcessNamespace: true {{- end }} containers: - name: {{ include "nginx-ingress.name" . }} image: {{ include "nginx-ingress.image" . }} imagePullPolicy: "{{ .Values.controller.image.pullPolicy }}" {{- if .Values.controller.lifecycle }} lifecycle: {{ toYaml .Values.controller.lifecycle | indent 10 }} {{- end }} ports: {{- range $key, $value := .Values.controller.containerPort }} - name: {{ $key }} containerPort: {{ $value }} protocol: TCP {{- if and $.Values.controller.hostPort.enable (index $.Values.controller.hostPort $key) }} hostPort: {{ index $.Values.controller.hostPort $key }} {{- end }} {{- end }} {{ if .Values.controller.customPorts }} {{ toYaml .Values.controller.customPorts | indent 8 }} {{ end }} {{- if .Values.prometheus.create }} - name: prometheus containerPort: {{ .Values.prometheus.port }} {{- end }} {{- if .Values.serviceInsight.create }} - name: service-insight containerPort: {{ .Values.serviceInsight.port }} {{- end }} {{- if .Values.controller.readyStatus.enable }} - name: readiness-port containerPort: {{ .Values.controller.readyStatus.port }} readinessProbe: httpGet: path: /nginx-ready port: readiness-port periodSeconds: 1 initialDelaySeconds: {{ .Values.controller.readyStatus.initialDelaySeconds }} {{- end }} {{- if .Values.controller.securityContext }} securityContext: {{ toYaml .Values.controller.securityContext | indent 10 }} {{- else }} securityContext: allowPrivilegeEscalation: false readOnlyRootFilesystem: {{ .Values.controller.readOnlyRootFilesystem }} runAsUser: 101 #nginx runAsNonRoot: true capabilities: drop: - ALL add: - NET_BIND_SERVICE {{- end }} {{- include "nginx-ingress.volumeMounts" . | indent 8 }} env: - name: POD_NAMESPACE valueFrom: fieldRef: fieldPath: metadata.namespace - name: POD_NAME valueFrom: fieldRef: fieldPath: metadata.name {{- if .Values.controller.env }} {{ toYaml .Values.controller.env | indent 8 }} {{- end }} {{- if .Values.nginxServiceMesh.enable }} - name: POD_SERVICEACCOUNT valueFrom: fieldRef: fieldPath: spec.serviceAccountName {{- end }} resources: {{ toYaml .Values.controller.resources | indent 10 }} args: {{- include "nginx-ingress.args" . | nindent 10 }} {{- if .Values.controller.extraContainers }} {{ toYaml .Values.controller.extraContainers | nindent 6 }} {{- end }} {{- include "nginx-ingress.appprotect.v5" . | nindent 6 }} {{- if or (eq (include "nginx-ingress.readOnlyRootFilesystem" .) "true" ) .Values.controller.initContainers }} initContainers: {{- end }} {{- if eq (include "nginx-ingress.readOnlyRootFilesystem" .) "true" }} - name: init-{{ include "nginx-ingress.name" . }} image: {{ include "nginx-ingress.image" . }} imagePullPolicy: "{{ .Values.controller.image.pullPolicy }}" command: ['cp', '-vdR', '/etc/nginx/.', '/mnt/etc'] {{- if .Values.controller.initContainerResources }} resources: {{ toYaml .Values.controller.initContainerResources | indent 10 }} {{- end }} {{- if .Values.controller.initContainerSecurityContext }} securityContext: {{ toYaml .Values.controller.initContainerSecurityContext | indent 10 }} {{- else }} securityContext: allowPrivilegeEscalation: false readOnlyRootFilesystem: true runAsUser: 101 #nginx runAsNonRoot: true capabilities: drop: - ALL {{- end }} volumeMounts: - mountPath: /mnt/etc name: nginx-etc {{- end }} {{- if .Values.controller.initContainers }} {{ toYaml .Values.controller.initContainers | indent 6 }} {{- end }} {{- if .Values.controller.strategy }} updateStrategy: {{ toYaml .Values.controller.strategy | indent 4 }} {{- end }} {{- if .Values.controller.minReadySeconds }} minReadySeconds: {{ .Values.controller.minReadySeconds }} {{- end }} {{- end }}