apiVersion: v1 kind: Namespace metadata: name: nginx-gateway --- apiVersion: v1 automountServiceAccountToken: false kind: ServiceAccount metadata: labels: app.kubernetes.io/instance: nginx-gateway app.kubernetes.io/name: nginx-gateway app.kubernetes.io/version: edge name: nginx-gateway namespace: nginx-gateway --- apiVersion: v1 kind: ServiceAccount metadata: labels: app.kubernetes.io/instance: nginx-gateway app.kubernetes.io/name: nginx-gateway app.kubernetes.io/version: edge name: nginx-gateway-cert-generator namespace: nginx-gateway --- apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: labels: app.kubernetes.io/instance: nginx-gateway app.kubernetes.io/name: nginx-gateway app.kubernetes.io/version: edge name: nginx-gateway-cert-generator namespace: nginx-gateway rules: - apiGroups: - "" resources: - secrets verbs: - create - update - get --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: labels: app.kubernetes.io/instance: nginx-gateway app.kubernetes.io/name: nginx-gateway app.kubernetes.io/version: edge name: nginx-gateway rules: - apiGroups: - "" - apps resources: - secrets - configmaps - serviceaccounts - services - deployments - daemonsets verbs: - create - update - delete - list - get - watch - apiGroups: - "" resources: - namespaces - pods verbs: - get - list - watch - apiGroups: - apps resources: - replicasets verbs: - get - list - apiGroups: - "" resources: - nodes verbs: - list - apiGroups: - "" resources: - events verbs: - create - patch - apiGroups: - discovery.k8s.io resources: - endpointslices verbs: - list - watch - apiGroups: - authentication.k8s.io resources: - tokenreviews verbs: - create - apiGroups: - gateway.networking.k8s.io resources: - gatewayclasses - gateways - httproutes - referencegrants - grpcroutes verbs: - list - watch - apiGroups: - gateway.networking.k8s.io resources: - httproutes/status - gateways/status - gatewayclasses/status - grpcroutes/status verbs: - update - apiGroups: - gateway.nginx.org resources: - nginxgateways verbs: - get - list - watch - apiGroups: - gateway.nginx.org resources: - nginxproxies - clientsettingspolicies - observabilitypolicies - upstreamsettingspolicies - snippetsfilters verbs: - list - watch - apiGroups: - gateway.nginx.org resources: - nginxgateways/status - clientsettingspolicies/status - observabilitypolicies/status - upstreamsettingspolicies/status - snippetsfilters/status verbs: - update - apiGroups: - coordination.k8s.io resources: - leases verbs: - create - get - update - apiGroups: - apiextensions.k8s.io resources: - customresourcedefinitions verbs: - list - watch --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: labels: app.kubernetes.io/instance: nginx-gateway app.kubernetes.io/name: nginx-gateway app.kubernetes.io/version: edge name: nginx-gateway-cert-generator namespace: nginx-gateway roleRef: apiGroup: rbac.authorization.k8s.io kind: Role name: nginx-gateway-cert-generator subjects: - kind: ServiceAccount name: nginx-gateway-cert-generator namespace: nginx-gateway --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: labels: app.kubernetes.io/instance: nginx-gateway app.kubernetes.io/name: nginx-gateway app.kubernetes.io/version: edge name: nginx-gateway roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: nginx-gateway subjects: - kind: ServiceAccount name: nginx-gateway namespace: nginx-gateway --- apiVersion: v1 kind: Service metadata: labels: app.kubernetes.io/instance: nginx-gateway app.kubernetes.io/name: nginx-gateway app.kubernetes.io/version: edge name: nginx-gateway namespace: nginx-gateway spec: ports: - name: agent-grpc port: 443 protocol: TCP targetPort: 8443 selector: app.kubernetes.io/instance: nginx-gateway app.kubernetes.io/name: nginx-gateway type: ClusterIP --- apiVersion: apps/v1 kind: Deployment metadata: labels: app.kubernetes.io/instance: nginx-gateway app.kubernetes.io/name: nginx-gateway app.kubernetes.io/version: edge name: nginx-gateway namespace: nginx-gateway spec: replicas: 1 selector: matchLabels: app.kubernetes.io/instance: nginx-gateway app.kubernetes.io/name: nginx-gateway template: metadata: annotations: prometheus.io/port: "9113" prometheus.io/scrape: "true" labels: app.kubernetes.io/instance: nginx-gateway app.kubernetes.io/name: nginx-gateway spec: automountServiceAccountToken: true containers: - args: - controller - --gateway-ctlr-name=gateway.nginx.org/nginx-gateway-controller - --gatewayclass=nginx - --config=nginx-gateway-config - --service=nginx-gateway - --agent-tls-secret=agent-tls - --metrics-port=9113 - --health-port=8081 - --leader-election-lock-name=nginx-gateway-leader-election - --snippets-filters env: - name: POD_NAMESPACE valueFrom: fieldRef: fieldPath: metadata.namespace - name: POD_NAME valueFrom: fieldRef: fieldPath: metadata.name - name: POD_UID valueFrom: fieldRef: fieldPath: metadata.uid - name: INSTANCE_NAME valueFrom: fieldRef: fieldPath: metadata.labels['app.kubernetes.io/instance'] - name: IMAGE_NAME value: ghcr.io/nginx/nginx-gateway-fabric:edge image: ghcr.io/nginx/nginx-gateway-fabric:edge imagePullPolicy: Always name: nginx-gateway ports: - containerPort: 8443 name: agent-grpc - containerPort: 9113 name: metrics - containerPort: 8081 name: health readinessProbe: httpGet: path: /readyz port: health initialDelaySeconds: 3 periodSeconds: 1 securityContext: allowPrivilegeEscalation: false capabilities: drop: - ALL readOnlyRootFilesystem: true runAsGroup: 1001 runAsUser: 101 seccompProfile: type: RuntimeDefault volumeMounts: - mountPath: /var/run/secrets/ngf name: nginx-agent-tls securityContext: fsGroup: 1001 runAsNonRoot: true serviceAccountName: nginx-gateway terminationGracePeriodSeconds: 30 volumes: - name: nginx-agent-tls secret: secretName: server-tls --- apiVersion: batch/v1 kind: Job metadata: labels: app.kubernetes.io/instance: nginx-gateway app.kubernetes.io/name: nginx-gateway app.kubernetes.io/version: edge name: nginx-gateway-cert-generator namespace: nginx-gateway spec: template: metadata: annotations: null spec: containers: - args: - generate-certs - --service=nginx-gateway - --cluster-domain=cluster.local - --server-tls-secret=server-tls - --agent-tls-secret=agent-tls env: - name: POD_NAMESPACE valueFrom: fieldRef: fieldPath: metadata.namespace image: ghcr.io/nginx/nginx-gateway-fabric:edge imagePullPolicy: Always name: cert-generator securityContext: allowPrivilegeEscalation: false capabilities: drop: - ALL readOnlyRootFilesystem: true runAsGroup: 1001 runAsUser: 101 seccompProfile: type: RuntimeDefault restartPolicy: Never securityContext: fsGroup: 1001 runAsNonRoot: true serviceAccountName: nginx-gateway-cert-generator ttlSecondsAfterFinished: 30 --- apiVersion: gateway.networking.k8s.io/v1 kind: GatewayClass metadata: labels: app.kubernetes.io/instance: nginx-gateway app.kubernetes.io/name: nginx-gateway app.kubernetes.io/version: edge name: nginx spec: controllerName: gateway.nginx.org/nginx-gateway-controller parametersRef: group: gateway.nginx.org kind: NginxProxy name: nginx-gateway-proxy-config namespace: nginx-gateway --- apiVersion: gateway.nginx.org/v1alpha1 kind: NginxGateway metadata: labels: app.kubernetes.io/instance: nginx-gateway app.kubernetes.io/name: nginx-gateway app.kubernetes.io/version: edge name: nginx-gateway-config namespace: nginx-gateway spec: logging: level: info --- apiVersion: gateway.nginx.org/v1alpha2 kind: NginxProxy metadata: labels: app.kubernetes.io/instance: nginx-gateway app.kubernetes.io/name: nginx-gateway app.kubernetes.io/version: edge name: nginx-gateway-proxy-config namespace: nginx-gateway spec: kubernetes: deployment: container: image: pullPolicy: Always repository: ghcr.io/nginx/nginx-gateway-fabric/nginx tag: edge replicas: 1 service: externalTrafficPolicy: Local type: LoadBalancer