From 31de4c739d50d2ec0d4c29ec3b043ea2dd83250a Mon Sep 17 00:00:00 2001 
From: Rob Watson Date: Sat, 26 Apr 2025 12:01:19 +0200 Subject: [PATCH] refactor: extract ingress-nginx to minimal-base, provision to OVH --- deploy/base/kustomization.yaml | 20 ----------------- .../job-patch/clusterrole.yaml | 0 .../job-patch/clusterrolebinding.yaml | 0 .../job-patch/job-createSecret.yaml | 0 .../job-patch/job-patchWebhook.yaml | 0 .../admission-webhooks/job-patch/role.yaml | 0 .../job-patch/rolebinding.yaml | 0 .../job-patch/serviceaccount.yaml | 0 .../validating-webhook.yaml | 0 .../ingress-nginx/templates/clusterrole.yaml | 0 .../templates/clusterrolebinding.yaml | 0 .../templates/controller-configmap.yaml | 0 .../templates/controller-deployment.yaml | 0 .../templates/controller-ingressclass.yaml | 0 .../controller-poddisruptionbudget.yaml | 0 .../templates/controller-role.yaml | 0 .../templates/controller-rolebinding.yaml | 0 .../templates/controller-service-metrics.yaml | 0 .../templates/controller-service-webhook.yaml | 0 .../templates/controller-service.yaml | 0 .../templates/controller-serviceaccount.yaml | 0 deploy/minimal-base/kustomization.yaml | 20 +++++++++++++++++ deploy/prod-ovh/deploy-ingress-nginx.yaml | 16 ++++++++++++++ .../job-ingress-nginx-admission-create.yaml | 7 ++++++ .../job-ingress-nginx-admission-patch.yaml | 7 ++++++ deploy/prod-ovh/kustomization.yaml | 22 +++++++++++++++++++ 26 files changed, 72 insertions(+), 20 deletions(-) rename deploy/{base => minimal-base}/inflated/ingress-nginx/templates/admission-webhooks/job-patch/clusterrole.yaml (100%) rename deploy/{base => minimal-base}/inflated/ingress-nginx/templates/admission-webhooks/job-patch/clusterrolebinding.yaml (100%) rename deploy/{base => minimal-base}/inflated/ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml (100%) rename deploy/{base => minimal-base}/inflated/ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml (100%) rename deploy/{base => 
minimal-base}/inflated/ingress-nginx/templates/admission-webhooks/job-patch/role.yaml (100%) rename deploy/{base => minimal-base}/inflated/ingress-nginx/templates/admission-webhooks/job-patch/rolebinding.yaml (100%) rename deploy/{base => minimal-base}/inflated/ingress-nginx/templates/admission-webhooks/job-patch/serviceaccount.yaml (100%) rename deploy/{base => minimal-base}/inflated/ingress-nginx/templates/admission-webhooks/validating-webhook.yaml (100%) rename deploy/{base => minimal-base}/inflated/ingress-nginx/templates/clusterrole.yaml (100%) rename deploy/{base => minimal-base}/inflated/ingress-nginx/templates/clusterrolebinding.yaml (100%) rename deploy/{base => minimal-base}/inflated/ingress-nginx/templates/controller-configmap.yaml (100%) rename deploy/{base => minimal-base}/inflated/ingress-nginx/templates/controller-deployment.yaml (100%) rename deploy/{base => minimal-base}/inflated/ingress-nginx/templates/controller-ingressclass.yaml (100%) rename deploy/{base => minimal-base}/inflated/ingress-nginx/templates/controller-poddisruptionbudget.yaml (100%) rename deploy/{base => minimal-base}/inflated/ingress-nginx/templates/controller-role.yaml (100%) rename deploy/{base => minimal-base}/inflated/ingress-nginx/templates/controller-rolebinding.yaml (100%) rename deploy/{base => minimal-base}/inflated/ingress-nginx/templates/controller-service-metrics.yaml (100%) rename deploy/{base => minimal-base}/inflated/ingress-nginx/templates/controller-service-webhook.yaml (100%) rename deploy/{base => minimal-base}/inflated/ingress-nginx/templates/controller-service.yaml (100%) rename deploy/{base => minimal-base}/inflated/ingress-nginx/templates/controller-serviceaccount.yaml (100%) create mode 100644 deploy/prod-ovh/deploy-ingress-nginx.yaml create mode 100644 deploy/prod-ovh/job-ingress-nginx-admission-create.yaml create mode 100644 deploy/prod-ovh/job-ingress-nginx-admission-patch.yaml 
diff --git a/deploy/base/kustomization.yaml b/deploy/base/kustomization.yaml
index 444e24b..b8654b7 100644
--- a/deploy/base/kustomization.yaml
+++ b/deploy/base/kustomization.yaml
@@ -1,26 +1,6 @@
 ---
 resources:
 - ../minimal-base
-# ingress-nginx
-- inflated/ingress-nginx/templates/controller-deployment.yaml
-- inflated/ingress-nginx/templates/controller-serviceaccount.yaml
-- inflated/ingress-nginx/templates/controller-rolebinding.yaml
-- inflated/ingress-nginx/templates/controller-ingressclass.yaml
-- inflated/ingress-nginx/templates/controller-service-metrics.yaml
-- inflated/ingress-nginx/templates/clusterrole.yaml
-- inflated/ingress-nginx/templates/controller-service.yaml
-- inflated/ingress-nginx/templates/controller-service-webhook.yaml
-- inflated/ingress-nginx/templates/controller-role.yaml
-- inflated/ingress-nginx/templates/controller-configmap.yaml
-- inflated/ingress-nginx/templates/admission-webhooks/job-patch/serviceaccount.yaml
-- inflated/ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml
-- inflated/ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml
-- inflated/ingress-nginx/templates/admission-webhooks/job-patch/rolebinding.yaml
-- inflated/ingress-nginx/templates/admission-webhooks/job-patch/role.yaml
-- inflated/ingress-nginx/templates/admission-webhooks/job-patch/clusterrole.yaml
-- inflated/ingress-nginx/templates/admission-webhooks/job-patch/clusterrolebinding.yaml
-- inflated/ingress-nginx/templates/admission-webhooks/validating-webhook.yaml
-- inflated/ingress-nginx/templates/clusterrolebinding.yaml
 # Prometheus
 - inflated/prometheus/charts/prometheus-node-exporter/templates/daemonset.yaml
 - inflated/prometheus/charts/prometheus-node-exporter/templates/serviceaccount.yaml
diff --git a/deploy/base/inflated/ingress-nginx/templates/admission-webhooks/job-patch/clusterrole.yaml b/deploy/minimal-base/inflated/ingress-nginx/templates/admission-webhooks/job-patch/clusterrole.yaml
similarity index 100%
rename from deploy/base/inflated/ingress-nginx/templates/admission-webhooks/job-patch/clusterrole.yaml
rename to deploy/minimal-base/inflated/ingress-nginx/templates/admission-webhooks/job-patch/clusterrole.yaml
diff --git a/deploy/base/inflated/ingress-nginx/templates/admission-webhooks/job-patch/clusterrolebinding.yaml b/deploy/minimal-base/inflated/ingress-nginx/templates/admission-webhooks/job-patch/clusterrolebinding.yaml
similarity index 100%
rename from deploy/base/inflated/ingress-nginx/templates/admission-webhooks/job-patch/clusterrolebinding.yaml
rename to deploy/minimal-base/inflated/ingress-nginx/templates/admission-webhooks/job-patch/clusterrolebinding.yaml
diff --git a/deploy/base/inflated/ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml b/deploy/minimal-base/inflated/ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml
similarity index 100%
rename from deploy/base/inflated/ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml
rename to deploy/minimal-base/inflated/ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml
diff --git a/deploy/base/inflated/ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml b/deploy/minimal-base/inflated/ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml
similarity index 100%
rename from deploy/base/inflated/ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml
rename to deploy/minimal-base/inflated/ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml
diff --git a/deploy/base/inflated/ingress-nginx/templates/admission-webhooks/job-patch/role.yaml b/deploy/minimal-base/inflated/ingress-nginx/templates/admission-webhooks/job-patch/role.yaml
similarity index 100%
rename from deploy/base/inflated/ingress-nginx/templates/admission-webhooks/job-patch/role.yaml
rename to deploy/minimal-base/inflated/ingress-nginx/templates/admission-webhooks/job-patch/role.yaml
diff --git a/deploy/base/inflated/ingress-nginx/templates/admission-webhooks/job-patch/rolebinding.yaml b/deploy/minimal-base/inflated/ingress-nginx/templates/admission-webhooks/job-patch/rolebinding.yaml
similarity index 100%
rename from deploy/base/inflated/ingress-nginx/templates/admission-webhooks/job-patch/rolebinding.yaml
rename to deploy/minimal-base/inflated/ingress-nginx/templates/admission-webhooks/job-patch/rolebinding.yaml
diff --git a/deploy/base/inflated/ingress-nginx/templates/admission-webhooks/job-patch/serviceaccount.yaml b/deploy/minimal-base/inflated/ingress-nginx/templates/admission-webhooks/job-patch/serviceaccount.yaml
similarity index 100%
rename from deploy/base/inflated/ingress-nginx/templates/admission-webhooks/job-patch/serviceaccount.yaml
rename to deploy/minimal-base/inflated/ingress-nginx/templates/admission-webhooks/job-patch/serviceaccount.yaml
diff --git a/deploy/base/inflated/ingress-nginx/templates/admission-webhooks/validating-webhook.yaml b/deploy/minimal-base/inflated/ingress-nginx/templates/admission-webhooks/validating-webhook.yaml
similarity index 100%
rename from deploy/base/inflated/ingress-nginx/templates/admission-webhooks/validating-webhook.yaml
rename to deploy/minimal-base/inflated/ingress-nginx/templates/admission-webhooks/validating-webhook.yaml
diff --git a/deploy/base/inflated/ingress-nginx/templates/clusterrole.yaml b/deploy/minimal-base/inflated/ingress-nginx/templates/clusterrole.yaml
similarity index 100%
rename from deploy/base/inflated/ingress-nginx/templates/clusterrole.yaml
rename to deploy/minimal-base/inflated/ingress-nginx/templates/clusterrole.yaml
diff --git a/deploy/base/inflated/ingress-nginx/templates/clusterrolebinding.yaml b/deploy/minimal-base/inflated/ingress-nginx/templates/clusterrolebinding.yaml
similarity index 100%
rename from deploy/base/inflated/ingress-nginx/templates/clusterrolebinding.yaml
rename to deploy/minimal-base/inflated/ingress-nginx/templates/clusterrolebinding.yaml
diff --git a/deploy/base/inflated/ingress-nginx/templates/controller-configmap.yaml b/deploy/minimal-base/inflated/ingress-nginx/templates/controller-configmap.yaml
similarity index 100%
rename from deploy/base/inflated/ingress-nginx/templates/controller-configmap.yaml
rename to deploy/minimal-base/inflated/ingress-nginx/templates/controller-configmap.yaml
diff --git a/deploy/base/inflated/ingress-nginx/templates/controller-deployment.yaml b/deploy/minimal-base/inflated/ingress-nginx/templates/controller-deployment.yaml
similarity index 100%
rename from deploy/base/inflated/ingress-nginx/templates/controller-deployment.yaml
rename to deploy/minimal-base/inflated/ingress-nginx/templates/controller-deployment.yaml
diff --git a/deploy/base/inflated/ingress-nginx/templates/controller-ingressclass.yaml b/deploy/minimal-base/inflated/ingress-nginx/templates/controller-ingressclass.yaml
similarity index 100%
rename from deploy/base/inflated/ingress-nginx/templates/controller-ingressclass.yaml
rename to deploy/minimal-base/inflated/ingress-nginx/templates/controller-ingressclass.yaml
diff --git a/deploy/base/inflated/ingress-nginx/templates/controller-poddisruptionbudget.yaml b/deploy/minimal-base/inflated/ingress-nginx/templates/controller-poddisruptionbudget.yaml
similarity index 100%
rename from deploy/base/inflated/ingress-nginx/templates/controller-poddisruptionbudget.yaml
rename to deploy/minimal-base/inflated/ingress-nginx/templates/controller-poddisruptionbudget.yaml
diff --git a/deploy/base/inflated/ingress-nginx/templates/controller-role.yaml b/deploy/minimal-base/inflated/ingress-nginx/templates/controller-role.yaml
similarity index 100%
rename from deploy/base/inflated/ingress-nginx/templates/controller-role.yaml
rename to deploy/minimal-base/inflated/ingress-nginx/templates/controller-role.yaml
diff --git a/deploy/base/inflated/ingress-nginx/templates/controller-rolebinding.yaml b/deploy/minimal-base/inflated/ingress-nginx/templates/controller-rolebinding.yaml
similarity index 100%
rename from deploy/base/inflated/ingress-nginx/templates/controller-rolebinding.yaml
rename to deploy/minimal-base/inflated/ingress-nginx/templates/controller-rolebinding.yaml
diff --git a/deploy/base/inflated/ingress-nginx/templates/controller-service-metrics.yaml b/deploy/minimal-base/inflated/ingress-nginx/templates/controller-service-metrics.yaml
similarity index 100%
rename from deploy/base/inflated/ingress-nginx/templates/controller-service-metrics.yaml
rename to deploy/minimal-base/inflated/ingress-nginx/templates/controller-service-metrics.yaml
diff --git a/deploy/base/inflated/ingress-nginx/templates/controller-service-webhook.yaml b/deploy/minimal-base/inflated/ingress-nginx/templates/controller-service-webhook.yaml
similarity index 100%
rename from deploy/base/inflated/ingress-nginx/templates/controller-service-webhook.yaml
rename to deploy/minimal-base/inflated/ingress-nginx/templates/controller-service-webhook.yaml
diff --git a/deploy/base/inflated/ingress-nginx/templates/controller-service.yaml b/deploy/minimal-base/inflated/ingress-nginx/templates/controller-service.yaml
similarity index 100%
rename from deploy/base/inflated/ingress-nginx/templates/controller-service.yaml
rename to deploy/minimal-base/inflated/ingress-nginx/templates/controller-service.yaml
diff --git a/deploy/base/inflated/ingress-nginx/templates/controller-serviceaccount.yaml b/deploy/minimal-base/inflated/ingress-nginx/templates/controller-serviceaccount.yaml
similarity index 100%
rename from deploy/base/inflated/ingress-nginx/templates/controller-serviceaccount.yaml
rename to deploy/minimal-base/inflated/ingress-nginx/templates/controller-serviceaccount.yaml
diff --git a/deploy/minimal-base/kustomization.yaml b/deploy/minimal-base/kustomization.yaml
index 29c1ee0..481113e 100644
--- a/deploy/minimal-base/kustomization.yaml
+++ b/deploy/minimal-base/kustomization.yaml
@@ -11,3 +11,23 @@ resources:
 - inflated/metrics-server/templates/service.yaml
 - inflated/metrics-server/templates/clusterrole.yaml
 - inflated/metrics-server/templates/clusterrolebinding.yaml
+# ingress-nginx
+- inflated/ingress-nginx/templates/controller-deployment.yaml
+- inflated/ingress-nginx/templates/controller-serviceaccount.yaml
+- inflated/ingress-nginx/templates/controller-rolebinding.yaml
+- inflated/ingress-nginx/templates/controller-ingressclass.yaml
+- inflated/ingress-nginx/templates/controller-service-metrics.yaml
+- inflated/ingress-nginx/templates/clusterrole.yaml
+- inflated/ingress-nginx/templates/controller-service.yaml
+- inflated/ingress-nginx/templates/controller-service-webhook.yaml
+- inflated/ingress-nginx/templates/controller-role.yaml
+- inflated/ingress-nginx/templates/controller-configmap.yaml
+- inflated/ingress-nginx/templates/admission-webhooks/job-patch/serviceaccount.yaml
+- inflated/ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml
+- inflated/ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml
+- inflated/ingress-nginx/templates/admission-webhooks/job-patch/rolebinding.yaml
+- inflated/ingress-nginx/templates/admission-webhooks/job-patch/role.yaml
+- inflated/ingress-nginx/templates/admission-webhooks/job-patch/clusterrole.yaml
+- inflated/ingress-nginx/templates/admission-webhooks/job-patch/clusterrolebinding.yaml
+- inflated/ingress-nginx/templates/admission-webhooks/validating-webhook.yaml
+- inflated/ingress-nginx/templates/clusterrolebinding.yaml
diff --git a/deploy/prod-ovh/deploy-ingress-nginx.yaml b/deploy/prod-ovh/deploy-ingress-nginx.yaml
new file mode 100644
index 0000000..b853815
--- /dev/null
+++ b/deploy/prod-ovh/deploy-ingress-nginx.yaml
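Review bot: `inflated/ingress-nginx/templates/controller-poddisruptionbudget.yaml` is moved into minimal-base by this commit but is not among the entries added under `# ingress-nginx`, so as far as this hunk shows the controller is built without its PodDisruptionBudget. If the inflated file is non-empty, add `- inflated/ingress-nginx/templates/controller-poddisruptionbudget.yaml` to the list; if it is left out on purpose (for example because the rendered template is empty), a one-line comment saying so would save the next reader the check. The list removed from deploy/base omitted it as well, so this looks inherited rather than introduced here.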
@@ -0,0 +1,16 @@
+---
+- op: replace
+ path: /spec/template/spec/containers/0/args/1
+ value: "--publish-service=$(POD_NAMESPACE)/prod-ingress-nginx-controller"
+- op: replace
+ path: /spec/template/spec/containers/0/args/5
+ value: "--configmap=$(POD_NAMESPACE)/prod-ingress-nginx-controller"
+- op: add
+ path: /spec/template/spec/containers/0/args/-
+ value: "--tcp-services-configmap=$(POD_NAMESPACE)/prod-ingress-nginx-tcp-services"
+- op: add
+ path: /spec/template/spec/containers/0/args/-
+ value: "--default-ssl-certificate=$(POD_NAMESPACE)/prod-ingress-tls"
+- op: replace
+ path: /spec/template/spec/volumes/0/secret/secretName
+ value: prod-ingress-nginx-admission
diff --git a/deploy/prod-ovh/job-ingress-nginx-admission-create.yaml b/deploy/prod-ovh/job-ingress-nginx-admission-create.yaml
new file mode 100644
index 0000000..1b92709
--- /dev/null
+++ b/deploy/prod-ovh/job-ingress-nginx-admission-create.yaml
@@ -0,0 +1,7 @@
+---
+- op: replace
+ path: /spec/template/spec/containers/0/args/1
+ value: "--host=prod-ingress-nginx-controller-admission,prod-ingress-nginx-controller-admission.$(POD_NAMESPACE).svc"
+- op: replace
+ path: /spec/template/spec/containers/0/args/3
+ value: "--secret-name=prod-ingress-nginx-admission"
diff --git a/deploy/prod-ovh/job-ingress-nginx-admission-patch.yaml b/deploy/prod-ovh/job-ingress-nginx-admission-patch.yaml
new file mode 100644
index 0000000..23eef8b
--- /dev/null
+++ b/deploy/prod-ovh/job-ingress-nginx-admission-patch.yaml
@@ -0,0 +1,7 @@
+---
+- op: replace
+ path: /spec/template/spec/containers/0/args/1
+ value: "--webhook-name=prod-ingress-nginx-admission"
+- op: replace
+ path: /spec/template/spec/containers/0/args/4
+ value: "--secret-name=prod-ingress-nginx-admission"
diff --git a/deploy/prod-ovh/kustomization.yaml b/deploy/prod-ovh/kustomization.yaml
index 10627c9..d636e58 100644
--- a/deploy/prod-ovh/kustomization.yaml
+++ b/deploy/prod-ovh/kustomization.yaml
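Review bot: The `replace` ops in deploy-ingress-nginx.yaml address the base Deployment purely by position (`args/1`, `args/5`, `volumes/0`), so a re-inflated chart that adds or reorders a controller flag would make them overwrite a different argument with no build error. Put an RFC 6902 guard in front of each one, e.g. `- {op: test, path: /spec/template/spec/containers/0/args/1, value: "<current base value of args/1>"}`, so the build fails instead of emitting a controller with the wrong flags; the base values are not visible in this diff, hence the placeholder. The same applies to `args/1` and `args/3` in job-ingress-nginx-admission-create.yaml and to `args/1` and `args/4` in job-ingress-nginx-admission-patch.yaml, where a misplaced replace would leave the admission certificate hosts, secret name or webhook name unprefixed.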
@@ -2,3 +2,25 @@ namePrefix: prod- resources: - ../minimal-base + +patches: +# Patch the ingress-nginx deployment to allow it to use a service with a +# namePrefix. See https://github.com/kubernetes/ingress-nginx/issues/2599#issuecomment-601170289. +- target: + kind: Deployment + name: ingress-nginx-controller + path: deploy-ingress-nginx.yaml + +# Patch the ingress-nginx-admission-create job to reference its webhook with a +# namePrefix. +- target: + kind: Job + name: ingress-nginx-admission-create + path: job-ingress-nginx-admission-create.yaml + +# Patch the ingress-nginx-admission-patch job to reference its webhook with a +# namePrefix. +- target: + kind: Job + name: ingress-nginx-admission-patch + path: job-ingress-nginx-admission-patch.yaml
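Review bot: Nothing under `resources:` in this overlay visibly supplies the `prod-ingress-tls` Secret or the `prod-ingress-nginx-tcp-services` ConfigMap that deploy-ingress-nginx.yaml passes to the controller through `--default-ssl-certificate` and `--tcp-services-configmap`. If the Secret is absent at runtime, ingress-nginx falls back to its built-in self-signed certificate for hosts without their own TLS secret, which is easy to miss in production. Either add the objects to this kustomization or record the dependency beside the Deployment patch, e.g. `# Requires Secret prod-ingress-tls and ConfigMap prod-ingress-nginx-tcp-services, created outside this kustomization.` They may come from minimal-base (picking up the `prod-` prefix) or be created out of band; the diff does not show which.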