From 9e799be10e396a4a6823959bb49ed567adbb67a2 Mon Sep 17 00:00:00 2001
From: Benjamin Jee
Date: Tue, 6 May 2025 12:00:56 -0700
Subject: [PATCH 1/2] Remove unused service annotations
---
 apis/v1alpha2/nginxproxy_types.go | 5 -----
 apis/v1alpha2/zz_generated.deepcopy.go | 7 -------
 charts/nginx-gateway-fabric/README.md | 5 ++---
 charts/nginx-gateway-fabric/values.schema.json | 6 ------
 charts/nginx-gateway-fabric/values.yaml | 3 ---
 config/crd/bases/gateway.nginx.org_nginxproxies.yaml | 5 -----
 deploy/crds.yaml | 5 -----
 7 files changed, 2 insertions(+), 34 deletions(-)
diff --git a/apis/v1alpha2/nginxproxy_types.go b/apis/v1alpha2/nginxproxy_types.go
index 13013d81cf..99daf4cfa9 100644
--- a/apis/v1alpha2/nginxproxy_types.go
+++ b/apis/v1alpha2/nginxproxy_types.go
@@ -523,11 +523,6 @@ type ServiceSpec struct {
 // +optional
 LoadBalancerClass *string `json:"loadBalancerClass,omitempty"`
 
- // Annotations contain any Service-specific annotations.
- //
- // +optional
- Annotations map[string]string `json:"annotations,omitempty"`
-
 // LoadBalancerSourceRanges are the IP ranges (CIDR) that are allowed to access the load balancer.
 // Requires service type to be LoadBalancer.
 //
diff --git a/apis/v1alpha2/zz_generated.deepcopy.go b/apis/v1alpha2/zz_generated.deepcopy.go
index bd6d81bca2..c0ddf4ed6e 100644
--- a/apis/v1alpha2/zz_generated.deepcopy.go
+++ b/apis/v1alpha2/zz_generated.deepcopy.go
@@ -550,13 +550,6 @@ func (in *ServiceSpec) DeepCopyInto(out *ServiceSpec) {
 *out = new(string)
 **out = **in
 }
- if in.Annotations != nil {
- in, out := &in.Annotations, &out.Annotations
- *out = make(map[string]string, len(*in))
- for key, val := range *in {
- (*out)[key] = val
- }
- }
 if in.LoadBalancerSourceRanges != nil {
 in, out := &in.LoadBalancerSourceRanges, &out.LoadBalancerSourceRanges
 *out = make([]string, len(*in))
diff --git a/charts/nginx-gateway-fabric/README.md b/charts/nginx-gateway-fabric/README.md
index 8ed532ea95..7904cbaacc 100644
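Review bot: Existing NginxProxy objects that set `spec.kubernetes.service.annotations` silently lose that configuration on upgrade, because `Annotations` is deleted from the served v1alpha2 `ServiceSpec` with no deprecation comment and no replacement field: once the CRD schema (the `gateway.nginx.org_nginxproxies.yaml` and `deploy/crds.yaml` hunks below) no longer declares it, the API server is expected to prune the field, so cloud-provider keys such as the `service.beta.kubernetes.io/aws-load-balancer-type: external` setting that patch 2 deletes from `deploy/aws-nlb/deploy.yaml` stop reaching the data-plane Service and how that Service is exposed can change without any error being reported. The commit title calls the field unused, yet the second patch removes examples that depended on it, so this is a breaking API removal rather than dead-code cleanup. Keep the gap visible on the struct, e.g. `// Annotations was removed from this version; Service-level annotations on existing objects are dropped and must be applied by other means.`, and record the removal and the intended alternative in the release notes. `ServiceSpec` begins before the hunk and continues after it.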
--- a/charts/nginx-gateway-fabric/README.md
+++ b/charts/nginx-gateway-fabric/README.md
@@ -258,7 +258,7 @@ The following table lists the configurable parameters of the NGINX Gateway Fabri
 | `certGenerator.overwrite` | Overwrite existing TLS Secrets on startup. | bool | `false` |
 | `certGenerator.serverTLSSecretName` | The name of the Secret containing TLS CA, certificate, and key for the NGINX Gateway Fabric control plane to securely communicate with the NGINX Agent. Must exist in the same namespace that the NGINX Gateway Fabric control plane is running in (default namespace: nginx-gateway). | string | `"server-tls"` |
 | `clusterDomain` | The DNS cluster domain of your Kubernetes cluster. | string | `"cluster.local"` |
-| `nginx` | The nginx section contains the configuration for all NGINX data plane deployments installed by the NGINX Gateway Fabric control plane. | object | `{"config":{},"container":{},"debug":false,"image":{"pullPolicy":"Always","repository":"ghcr.io/nginx/nginx-gateway-fabric/nginx","tag":"edge"},"imagePullSecret":"","imagePullSecrets":[],"kind":"deployment","plus":false,"pod":{},"replicas":1,"service":{"annotations":{},"externalTrafficPolicy":"Local","loadBalancerClass":"","loadBalancerIP":"","loadBalancerSourceRanges":[],"nodePorts":[],"type":"LoadBalancer"},"usage":{"caSecretName":"","clientSSLSecretName":"","endpoint":"","resolver":"","secretName":"nplus-license","skipVerify":false}}` |
+| `nginx` | The nginx section contains the configuration for all NGINX data plane deployments installed by the NGINX Gateway Fabric control plane. 
| object | `{"config":{},"container":{},"debug":false,"image":{"pullPolicy":"Always","repository":"ghcr.io/nginx/nginx-gateway-fabric/nginx","tag":"edge"},"imagePullSecret":"","imagePullSecrets":[],"kind":"deployment","plus":false,"pod":{},"replicas":1,"service":{"externalTrafficPolicy":"Local","loadBalancerClass":"","loadBalancerIP":"","loadBalancerSourceRanges":[],"nodePorts":[],"type":"LoadBalancer"},"usage":{"caSecretName":"","clientSSLSecretName":"","endpoint":"","resolver":"","secretName":"nplus-license","skipVerify":false}}` |
 | `nginx.config` | The configuration for the data plane that is contained in the NginxProxy resource. This is applied globally to all Gateways managed by this instance of NGINX Gateway Fabric. | object | `{}` |
 | `nginx.container` | The container configuration for the NGINX container. This is applied globally to all Gateways managed by this instance of NGINX Gateway Fabric. | object | `{}` |
 | `nginx.debug` | Enable debugging for NGINX. Uses the nginx-debug binary. The NGINX error log level should be set to debug in the NginxProxy resource. | bool | `false` |
@@ -269,8 +269,7 @@ The following table lists the configurable parameters of the NGINX Gateway Fabri
 | `nginx.plus` | Is NGINX Plus image being used. | bool | `false` |
 | `nginx.pod` | The pod configuration for the NGINX data plane pod. This is applied globally to all Gateways managed by this instance of NGINX Gateway Fabric. | object | `{}` |
 | `nginx.replicas` | The number of replicas of the NGINX Deployment. | int | `1` |
-| `nginx.service` | The service configuration for the NGINX data plane. This is applied globally to all Gateways managed by this instance of NGINX Gateway Fabric. | object | `{"annotations":{},"externalTrafficPolicy":"Local","loadBalancerClass":"","loadBalancerIP":"","loadBalancerSourceRanges":[],"nodePorts":[],"type":"LoadBalancer"}` |
-| `nginx.service.annotations` | The annotations of the NGINX data plane service. | object | `{}` |
+| `nginx.service` | The service configuration for the NGINX data plane. This is applied globally to all Gateways managed by this instance of NGINX Gateway Fabric. | object | `{"externalTrafficPolicy":"Local","loadBalancerClass":"","loadBalancerIP":"","loadBalancerSourceRanges":[],"nodePorts":[],"type":"LoadBalancer"}` |
 | `nginx.service.externalTrafficPolicy` | The externalTrafficPolicy of the service. The value Local preserves the client source IP. | string | `"Local"` |
 | `nginx.service.loadBalancerClass` | LoadBalancerClass is the class of the load balancer implementation this Service belongs to. Requires nginx.service.type set to LoadBalancer. | string | `""` |
 | `nginx.service.loadBalancerIP` | The static IP address for the load balancer. Requires nginx.service.type set to LoadBalancer. | string | `""` |
diff --git a/charts/nginx-gateway-fabric/values.schema.json b/charts/nginx-gateway-fabric/values.schema.json
index 806512fce8..67250a526f 100644
--- a/charts/nginx-gateway-fabric/values.schema.json
+++ b/charts/nginx-gateway-fabric/values.schema.json
@@ -356,12 +356,6 @@
 "service": {
 "description": "The service configuration for the NGINX data plane. This is applied globally to all Gateways managed by this\ninstance of NGINX Gateway Fabric.",
 "properties": {
- "annotations": {
- "description": "The annotations of the NGINX data plane service.",
- "required": [],
- "title": "annotations",
- "type": "object"
- },
 "externalTrafficPolicy": {
 "default": "Local",
 "description": "The externalTrafficPolicy of the service. The value Local preserves the client source IP.",
diff --git a/charts/nginx-gateway-fabric/values.yaml b/charts/nginx-gateway-fabric/values.yaml
index 077faeff80..a42779b1c2 100644
--- a/charts/nginx-gateway-fabric/values.yaml
+++ b/charts/nginx-gateway-fabric/values.yaml
@@ -425,9 +425,6 @@ nginx: # -- The externalTrafficPolicy of the service. The value Local preserves the client source IP. externalTrafficPolicy: Local - # -- The annotations of the NGINX data plane service. - annotations: {} - # -- The static IP address for the load balancer. Requires nginx.service.type set to LoadBalancer. loadBalancerIP: ""
diff --git a/config/crd/bases/gateway.nginx.org_nginxproxies.yaml b/config/crd/bases/gateway.nginx.org_nginxproxies.yaml
index a74ea35b32..2e961a2c10 100644
--- a/config/crd/bases/gateway.nginx.org_nginxproxies.yaml
+++ b/config/crd/bases/gateway.nginx.org_nginxproxies.yaml
@@ -3467,11 +3467,6 @@ spec:
 service:
 description: Service is the configuration for the NGINX Service.
 properties:
- annotations:
- additionalProperties:
- type: string
- description: Annotations contain any Service-specific annotations.
- type: object
 externalTrafficPolicy:
 default: Local
 description: |-
diff --git a/deploy/crds.yaml b/deploy/crds.yaml
index abb653ccc4..3f37a7e7bb 100644
--- a/deploy/crds.yaml
+++ b/deploy/crds.yaml
@@ -4052,11 +4052,6 @@ spec:
 service:
 description: Service is the configuration for the NGINX Service.
 properties:
- annotations:
- additionalProperties:
- type: string
- description: Annotations contain any Service-specific annotations.
- type: object
 externalTrafficPolicy:
 default: Local
 description: |-
From 20f29a39f6b14b162a7d86a3ae6640c96f869e4b Mon Sep 17 00:00:00 2001
From: Benjamin Jee
Date: Wed, 7 May 2025 09:59:44 -0700
Subject: [PATCH 2/2] Remove files for aws-nlb that rely on service annotations
---
 deploy/aws-nlb/deploy.yaml | 421 ------------------------------
 examples/helm/README.md | 1 -
 examples/helm/aws-nlb/values.yaml | 8 -
 3 files changed, 430 deletions(-)
 delete mode 100644 deploy/aws-nlb/deploy.yaml
 delete mode 100644 examples/helm/aws-nlb/values.yaml
diff --git a/deploy/aws-nlb/deploy.yaml b/deploy/aws-nlb/deploy.yaml
deleted file mode 100644
index 3f82b66bce..0000000000
--- a/deploy/aws-nlb/deploy.yaml
+++ /dev/null
@@ -1,421 +0,0 @@ -apiVersion: v1 -kind: Namespace -metadata: - name: nginx-gateway ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - labels: - app.kubernetes.io/instance: nginx-gateway - app.kubernetes.io/name: nginx-gateway - app.kubernetes.io/version: edge - name: nginx-gateway - namespace: nginx-gateway ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - labels: - app.kubernetes.io/instance: nginx-gateway - app.kubernetes.io/name: nginx-gateway - app.kubernetes.io/version: edge - name: nginx-gateway-cert-generator - namespace: nginx-gateway ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - labels: - app.kubernetes.io/instance: nginx-gateway - app.kubernetes.io/name: nginx-gateway - app.kubernetes.io/version: edge - name: nginx-gateway-cert-generator - namespace: nginx-gateway -rules: -- apiGroups: - - "" - resources: - - secrets - verbs: - - create - - update - - get ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app.kubernetes.io/instance: nginx-gateway - app.kubernetes.io/name: nginx-gateway - app.kubernetes.io/version: edge - name: nginx-gateway -rules: -- apiGroups: - - "" - - apps - resources: - - secrets - - configmaps - - serviceaccounts - - services - - deployments - verbs: - - create - - update - - delete - - list - - get - - watch -- apiGroups: - - "" - resources: - - namespaces - - pods - verbs: - - get - - list - - watch -- apiGroups: - - apps - resources: - - replicasets - verbs: - - get - - list -- apiGroups: - - "" - resources: - - nodes - verbs: - - list -- apiGroups: - - "" - resources: - - events - verbs: - - create - - patch -- apiGroups: - - discovery.k8s.io - resources: - - endpointslices - verbs: - - list - - watch -- apiGroups: - - authentication.k8s.io - resources: - - tokenreviews - verbs: - - create -- apiGroups: - - gateway.networking.k8s.io - resources: - - gatewayclasses - - gateways - - httproutes - - referencegrants - - grpcroutes - verbs: - - list - - watch 
-- apiGroups: - - gateway.networking.k8s.io - resources: - - httproutes/status - - gateways/status - - gatewayclasses/status - - grpcroutes/status - verbs: - - update -- apiGroups: - - gateway.nginx.org - resources: - - nginxgateways - verbs: - - get - - list - - watch -- apiGroups: - - gateway.nginx.org - resources: - - nginxproxies - - clientsettingspolicies - - observabilitypolicies - - upstreamsettingspolicies - verbs: - - list - - watch -- apiGroups: - - gateway.nginx.org - resources: - - nginxgateways/status - - clientsettingspolicies/status - - observabilitypolicies/status - - upstreamsettingspolicies/status - verbs: - - update -- apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - create - - get - - update -- apiGroups: - - apiextensions.k8s.io - resources: - - customresourcedefinitions - verbs: - - list - - watch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - labels: - app.kubernetes.io/instance: nginx-gateway - app.kubernetes.io/name: nginx-gateway - app.kubernetes.io/version: edge - name: nginx-gateway-cert-generator - namespace: nginx-gateway -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: nginx-gateway-cert-generator -subjects: -- kind: ServiceAccount - name: nginx-gateway-cert-generator - namespace: nginx-gateway ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - labels: - app.kubernetes.io/instance: nginx-gateway - app.kubernetes.io/name: nginx-gateway - app.kubernetes.io/version: edge - name: nginx-gateway -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: nginx-gateway -subjects: -- kind: ServiceAccount - name: nginx-gateway - namespace: nginx-gateway ---- -apiVersion: v1 -kind: Service -metadata: - labels: - app.kubernetes.io/instance: nginx-gateway - app.kubernetes.io/name: nginx-gateway - app.kubernetes.io/version: edge - name: nginx-gateway - namespace: nginx-gateway -spec: - ports: - - name: agent-grpc - port: 
443 - protocol: TCP - targetPort: 8443 - selector: - app.kubernetes.io/instance: nginx-gateway - app.kubernetes.io/name: nginx-gateway - type: ClusterIP ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app.kubernetes.io/instance: nginx-gateway - app.kubernetes.io/name: nginx-gateway - app.kubernetes.io/version: edge - name: nginx-gateway - namespace: nginx-gateway -spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/instance: nginx-gateway - app.kubernetes.io/name: nginx-gateway - template: - metadata: - annotations: - prometheus.io/port: "9113" - prometheus.io/scrape: "true" - labels: - app.kubernetes.io/instance: nginx-gateway - app.kubernetes.io/name: nginx-gateway - spec: - containers: - - args: - - controller - - --gateway-ctlr-name=gateway.nginx.org/nginx-gateway-controller - - --gatewayclass=nginx - - --config=nginx-gateway-config - - --service=nginx-gateway - - --agent-tls-secret=agent-tls - - --metrics-port=9113 - - --health-port=8081 - - --leader-election-lock-name=nginx-gateway-leader-election - env: - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_UID - valueFrom: - fieldRef: - fieldPath: metadata.uid - - name: INSTANCE_NAME - valueFrom: - fieldRef: - fieldPath: metadata.labels['app.kubernetes.io/instance'] - - name: IMAGE_NAME - value: ghcr.io/nginx/nginx-gateway-fabric:edge - image: ghcr.io/nginx/nginx-gateway-fabric:edge - imagePullPolicy: Always - name: nginx-gateway - ports: - - containerPort: 8443 - name: agent-grpc - - containerPort: 9113 - name: metrics - - containerPort: 8081 - name: health - readinessProbe: - httpGet: - path: /readyz - port: health - initialDelaySeconds: 3 - periodSeconds: 1 - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - runAsGroup: 1001 - runAsUser: 101 - seccompProfile: - type: RuntimeDefault - volumeMounts: 
- - mountPath: /var/run/secrets/ngf - name: nginx-agent-tls - securityContext: - fsGroup: 1001 - runAsNonRoot: true - serviceAccountName: nginx-gateway - terminationGracePeriodSeconds: 30 - volumes: - - name: nginx-agent-tls - secret: - secretName: server-tls ---- -apiVersion: batch/v1 -kind: Job -metadata: - labels: - app.kubernetes.io/instance: nginx-gateway - app.kubernetes.io/name: nginx-gateway - app.kubernetes.io/version: edge - name: nginx-gateway-cert-generator - namespace: nginx-gateway -spec: - template: - metadata: - annotations: null - spec: - containers: - - args: - - generate-certs - - --service=nginx-gateway - - --cluster-domain=cluster.local - - --server-tls-secret=server-tls - - --agent-tls-secret=agent-tls - env: - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - image: ghcr.io/nginx/nginx-gateway-fabric:edge - imagePullPolicy: Always - name: cert-generator - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - runAsGroup: 1001 - runAsUser: 101 - seccompProfile: - type: RuntimeDefault - restartPolicy: Never - securityContext: - fsGroup: 1001 - runAsNonRoot: true - serviceAccountName: nginx-gateway-cert-generator - ttlSecondsAfterFinished: 0 ---- -apiVersion: gateway.networking.k8s.io/v1 -kind: GatewayClass -metadata: - labels: - app.kubernetes.io/instance: nginx-gateway - app.kubernetes.io/name: nginx-gateway - app.kubernetes.io/version: edge - name: nginx -spec: - controllerName: gateway.nginx.org/nginx-gateway-controller - parametersRef: - group: gateway.nginx.org - kind: NginxProxy - name: nginx-gateway-proxy-config - namespace: nginx-gateway ---- -apiVersion: gateway.nginx.org/v1alpha1 -kind: NginxGateway -metadata: - labels: - app.kubernetes.io/instance: nginx-gateway - app.kubernetes.io/name: nginx-gateway - app.kubernetes.io/version: edge - name: nginx-gateway-config - namespace: nginx-gateway -spec: - logging: - level: info ---- -apiVersion: 
gateway.nginx.org/v1alpha2 -kind: NginxProxy -metadata: - labels: - app.kubernetes.io/instance: nginx-gateway - app.kubernetes.io/name: nginx-gateway - app.kubernetes.io/version: edge - name: nginx-gateway-proxy-config - namespace: nginx-gateway -spec: - kubernetes: - deployment: - container: - image: - pullPolicy: Always - repository: ghcr.io/nginx/nginx-gateway-fabric/nginx - tag: edge - replicas: 1 - service: - annotations: - service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: ip - service.beta.kubernetes.io/aws-load-balancer-type: external - externalTrafficPolicy: Local - type: LoadBalancer diff --git a/examples/helm/README.md b/examples/helm/README.md index 7d66f2ee4a..e6b6edfcc7 100644 --- a/examples/helm/README.md +++ b/examples/helm/README.md @@ -14,7 +14,6 @@ This directory contains examples of Helm charts that can be used to deploy NGINX The secret must be created in the same namespace as the NGINX Gateway Fabric deployment. - [Experimental](./experimental) - deploys NGINX Gateway Fabric with the Gateway API experimental features enabled and NGINX OSS as the data plane. - [Experimental with NGINX Plus](./experimental-nginx-plus) - deploys NGINX Gateway Fabric with the Gateway API experimental features enabled and NGINX Plus as the data plane. The image is pulled from the NGINX Plus Docker registry, and the `imagePullSecretName` is the name of the secret to use to pull the image. The secret must be created in the same namespace as the NGINX Gateway Fabric deployment. -- [AWS NLB](./aws-nlb) - deploys NGINX Gateway Fabric with NGINX OSS using a Service of type `LoadBalancer` to allocate an AWS Network Load Balancer (NLB). - [Azure](./azure) - deploys NGINX Gateway Fabric with NGINX OSS using a nodeSelector to deploy the gateway on Linux nodes in an Azure Kubernetes Service (AKS) cluster. - [NodePort](./nodeport) - deploys NGINX Gateway Fabric with NGINX OSS using a Service of type `NodePort` to expose the gateway on a specific port on each node. 
diff --git a/examples/helm/aws-nlb/values.yaml b/examples/helm/aws-nlb/values.yaml
deleted file mode 100644
index 3034ca995f..0000000000
--- a/examples/helm/aws-nlb/values.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-nginxGateway:
- name: nginx-gateway
-nginx:
- service:
- type: LoadBalancer
- annotations:
- service.beta.kubernetes.io/aws-load-balancer-type: "external"
- service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: "ip"