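---
# Cluster-wide RBAC for the pod that runs under the cpx-ingress-k8s-role
# ServiceAccount (see the ClusterRoleBinding in the second document).
# The page collapsed this manifest onto one line, which let the `#` comment
# swallow every rule after it; the layout is restored here, one key per line.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: cpx-ingress-k8s-role
rules:
  # NOTE(review): this rule includes read access to secrets, and the binding
  # below is a ClusterRoleBinding, so get/list/watch applies to Secrets in
  # every namespace. Anyone holding this ServiceAccount's token can read them
  # all. If the controller only serves selected namespaces, a namespaced
  # Role/RoleBinding per namespace narrows the exposure - confirm against the
  # controller's requirements before changing.
  # NOTE(review): "ingresses" and "routes" are listed under the core group
  # here; they are also granted under their own API groups further down, so
  # these two entries look redundant - verify before removing.
  - apiGroups: [""]
    resources:
      - endpoints
      - ingresses
      - pods
      - secrets
      - nodes
      - routes
      - namespaces
      - configmaps
    verbs: ["get", "list", "watch"]
  # services/status is needed to update the loadbalancer IP in service status
  # for integrating service of type LoadBalancer with external-dns
  - apiGroups: [""]
    resources: ["services/status"]
    verbs: ["patch"]
  - apiGroups: [""]
    resources: ["services"]
    verbs: ["get", "list", "watch", "patch"]
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["create"]
  - apiGroups: ["extensions", "networking.k8s.io"]
    resources: ["ingresses", "ingressclasses"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["extensions", "networking.k8s.io"]
    resources: ["ingresses/status"]
    verbs: ["patch"]
  - apiGroups: ["apiextensions.k8s.io"]
    resources: ["customresourcedefinitions"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["apps"]
    resources: ["deployments"]
    verbs: ["get", "list", "watch"]
  # Write access (create/delete/patch) is limited to the citrix.com custom
  # resources and their status subresources.
  - apiGroups: ["citrix.com"]
    resources:
      - rewritepolicies
      - continuousdeployments
      - authpolicies
      - ratelimits
      - listeners
      - httproutes
      - wafs
      - apigatewaypolicies
      - bots
    verbs: ["get", "list", "watch", "create", "delete", "patch"]
  - apiGroups: ["citrix.com"]
    resources:
      - rewritepolicies/status
      - continuousdeployments/status
      - authpolicies/status
      - ratelimits/status
      - listeners/status
      - httproutes/status
      - wafs/status
      - apigatewaypolicies/status
      - bots/status
    verbs: ["get", "list", "patch"]
  - apiGroups: ["citrix.com"]
    resources: ["vips"]
    verbs: ["get", "list", "watch", "create", "delete"]
  - apiGroups: ["route.openshift.io"]
    resources: ["routes"]
    verbs: ["get", "list", "watch"]
---
# Grants the ClusterRole above, cluster-wide, to the ServiceAccount
# cpx-ingress-k8s-role in namespace "default". The subject namespace is
# hard-coded; a pod deployed in another namespace needs its own subject here.
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: cpx-ingress-k8s-role
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cpx-ingress-k8s-role
subjects:
  - kind: ServiceAccount
    name: cpx-ingress-k8s-role
    namespace: default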
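---
# Identity the ingress pod runs as. It is created in "default", matching the
# subject of the cpx-ingress-k8s-role ClusterRoleBinding.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: cpx-ingress-k8s-role
  namespace: default
---
# Ingress pod: the CPX proxy container plus the ingress controller (cic) as a
# sidecar, sharing an emptyDir at /var/deviceinfo.
# NOTE(review): this Deployment sets no metadata.namespace while the
# ServiceAccount and the binding subject are fixed to "default"; applied to
# any other namespace, serviceAccountName will not resolve to the bound
# account.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: cpx-ingress-es
spec:
  selector:
    matchLabels:
      app: cpx-ingress-es
  replicas: 1
  template:
    metadata:
      name: cpx-ingress-es
      labels:
        app: cpx-ingress-es
      # Written as an explicit empty map; the original bare key parsed as null.
      annotations: {}
    spec:
      # The ServiceAccount token is mounted into every container of the pod by
      # default, so the privileged container below also holds the cluster-wide
      # permissions of cpx-ingress-k8s-role (including read on Secrets).
      serviceAccountName: cpx-ingress-k8s-role
      containers:
        - name: cpx-ingress-es
          # NOTE(review): both images are referenced by tag with
          # imagePullPolicy: Always, so the pulled content can change between
          # restarts. Pinning by digest (image@sha256:<digest - placeholder>)
          # makes the deployed content verifiable.
          image: "quay.io/citrix/citrix-k8s-cpx-ingress:13.0-76.29"
          volumeMounts:
            - mountPath: /var/deviceinfo
              name: shared-data
          securityContext:
            # privileged: true removes most container isolation (all
            # capabilities, access to host devices). NOTE(review): check the
            # vendor documentation for whether this image version can run
            # with a narrower capability set, and restrict which nodes and
            # namespaces may schedule privileged pods via admission policy.
            privileged: true
          env:
            - name: "EULA"
              value: "yes"
            - name: "KUBERNETES_TASK_ID"
              value: ""
          imagePullPolicy: Always
        # Add cic as a sidecar
        - name: cic
          image: "quay.io/citrix/citrix-k8s-ingress-controller:1.13.20"
          volumeMounts:
            - mountPath: /var/deviceinfo
              name: shared-data
          env:
            - name: "EULA"
              value: "yes"
            # The controller reaches the proxy over plain HTTP on 127.0.0.1:80,
            # i.e. inside the pod's own network namespace.
            - name: "NS_IP"
              value: "127.0.0.1"
            - name: "NS_PROTOCOL"
              value: "HTTP"
            - name: "NS_PORT"
              value: "80"
            - name: "NS_DEPLOYMENT_MODE"
              value: "SIDECAR"
            - name: "NS_ENABLE_MONITORING"
              value: "YES"
            # Pod name and namespace are injected through the downward API.
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: metadata.name
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: metadata.namespace
          # cic-configmap is not defined in this manifest; it has to exist in
          # the pod's namespace. Every key in it becomes an environment
          # variable of the controller, so write access to that ConfigMap
          # should be as restricted as access to this Deployment.
          envFrom:
            - configMapRef:
                name: cic-configmap
          args:
            # Kept as the single scalar the source has (flag and value in one
            # argument).
            - --ingress-classes webserver-ingress
          imagePullPolicy: Always
      volumes:
        - name: shared-data
          emptyDir: {}
---
# NodePort opens the allocated ports for 80/443 on every node's address;
# limit reachability with network-level controls where nodes sit on networks
# that should not reach the ingress directly.
apiVersion: v1
kind: Service
metadata:
  name: cpx-ingress-es
  labels:
    app: cpx-ingress-es
spec:
  type: NodePort
  ports:
    - port: 80
      protocol: TCP
      name: http
    - port: 443
      protocol: TCP
      name: https
  selector:
    app: cpx-ingress-es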