nginx · sjberman · May 27, 2025 · May 22, 2025 · May 22, 2025 · May 22, 2025
@@ -359,13 +359,22 @@ const (
 )
 
 // KubernetesSpec contains the configuration for the NGINX Deployment and Service Kubernetes objects.
+//
+// +kubebuilder:validation:XValidation:message="only one of deployment or daemonSet can be set",rule="(!has(self.deployment) && !has(self.daemonSet)) || ((has(self.deployment) && !has(self.daemonSet)) || (!has(self.deployment) && has(self.daemonSet)))"
+//
+//nolint:lll
 type KubernetesSpec struct {
 // Deployment is the configuration for the NGINX Deployment.
 // This is the default deployment option.
 //
 // +optional
 Deployment *DeploymentSpec `json:"deployment,omitempty"`
 
+// DaemonSet is the configuration for the NGINX DaemonSet.
+//
+// +optional
+DaemonSet *DaemonSetSpec `json:"daemonSet,omitempty"`
+
 // Service is the configuration for the NGINX Service.
 //
 // +optional
@@ -382,12 +391,25 @@ type DeploymentSpec struct {
 // Pod defines Pod-specific fields.
 //
 // +optional
-Pod PodSpec `json:"pod,omitempty"`
+Pod PodSpec `json:"pod"`
+
+// Container defines container fields for the NGINX container.
+//
+// +optional
+Container ContainerSpec `json:"container"`
+}
+
+// DaemonSet is the configuration for the NGINX DaemonSet.
+type DaemonSetSpec struct {
+// Pod defines Pod-specific fields.
+//
+// +optional
+Pod PodSpec `json:"pod"`
 
 // Container defines container fields for the NGINX container.
 //
 // +optional
-Container ContainerSpec `json:"container,omitempty"`
+Container ContainerSpec `json:"container"`
 }
 
 // PodSpec defines Pod-specific fields.

@@ -14,6 +14,7 @@ rules:
  - serviceaccounts
  - services
  - deployments
+ - daemonsets
  verbs:
  - create
  - update

@@ -27,6 +27,22 @@ spec:
  debug: {{ .Values.nginx.debug }}
  {{- end }}
  {{- end }}
+ {{- if eq .Values.nginx.kind "daemonSet" }}
+ daemonSet:
+ {{- if .Values.nginx.pod }}
+ pod:
+ {{- toYaml .Values.nginx.pod | nindent 8 }}
+ {{- end }}
+ container:
+ {{- if .Values.nginx.container }}
+ {{- toYaml .Values.nginx.container | nindent 8 }}
+ {{- end }}
+ image:
+ {{- toYaml .Values.nginx.image | nindent 10 }}
+ {{- if .Values.nginx.debug }}
+ debug: {{ .Values.nginx.debug }}
+ {{- end }}
+ {{- end }}
  {{- if .Values.nginx.service }}
  service:
  {{- with .Values.nginx.service }}

@@ -337,7 +337,8 @@
  "default": "deployment",
  "description": "The kind of NGINX deployment.",
  "enum": [
- "deployment"
+ "deployment",
+ "daemonSet"
  ],
  "required": [],
  "title": "kind"

@@ -185,6 +185,7 @@ nginx:
  # @schema
  # enum:
  # - deployment
+ # - daemonSet
  # @schema
  # -- The kind of NGINX deployment.
  kind: deployment

@@ -60,6 +60,7 @@ rules:
  - serviceaccounts
  - services
  - deployments
+ - daemonsets
  verbs:
  - create
  - update

@@ -60,6 +60,7 @@ rules:
  - serviceaccounts
  - services
  - deployments
+ - daemonsets
  verbs:
  - create
  - update

@@ -60,6 +60,7 @@ rules:
  - serviceaccounts
  - services
  - deployments
+ - daemonsets
  verbs:
  - create
  - update

@@ -60,6 +60,7 @@ rules:
  - serviceaccounts
  - services
  - deployments
+ - daemonsets
  verbs:
  - create
  - update

@@ -60,6 +60,7 @@ rules:
  - serviceaccounts
  - services
  - deployments
+ - daemonsets
  verbs:
  - create
  - update

@@ -60,6 +60,7 @@ rules:
  - serviceaccounts
  - services
  - deployments
+ - daemonsets
  verbs:
  - create
  - update

@@ -60,6 +60,7 @@ rules:
  - serviceaccounts
  - services
  - deployments
+ - daemonsets
  verbs:
  - create
  - update

@@ -60,6 +60,7 @@ rules:
  - serviceaccounts
  - services
  - deployments
+ - daemonsets
  verbs:
  - create
  - update

@@ -60,6 +60,7 @@ rules:
  - serviceaccounts
  - services
  - deployments
+ - daemonsets
  verbs:
  - create
  - update

@@ -2,21 +2,10 @@ package controller
 
 import (
 "fmt"
-
-metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-"k8s.io/apimachinery/pkg/types"
 )
 
 // CreateNginxResourceName creates the base resource name for all nginx resources
 // created by the control plane.
 func CreateNginxResourceName(prefix, suffix string) string {
 return fmt.Sprintf("%s-%s", prefix, suffix)
 }
-
-// ObjectMetaToNamespacedName converts ObjectMeta to NamespacedName.
-func ObjectMetaToNamespacedName(meta metav1.ObjectMeta) types.NamespacedName {
-return types.NamespacedName{
-Namespace: meta.Namespace,
-Name: meta.Name,
-}
-}
@@ -447,11 +447,15 @@ func (cs *commandService) getPodOwner(podName string) (types.NamespacedName, err
 return types.NamespacedName{}, fmt.Errorf("expected one owner reference of the nginx Pod, got %d", len(podOwnerRefs))
 }
 
-if podOwnerRefs[0].Kind != "ReplicaSet" {
-err := fmt.Errorf("expected pod owner reference to be ReplicaSet, got %s", podOwnerRefs[0].Kind)
+if podOwnerRefs[0].Kind != "ReplicaSet" && podOwnerRefs[0].Kind != "DaemonSet" {
+err := fmt.Errorf("expected pod owner reference to be ReplicaSet or DaemonSet, got %s", podOwnerRefs[0].Kind)
 return types.NamespacedName{}, err
 }
 
+if podOwnerRefs[0].Kind == "DaemonSet" {
+return types.NamespacedName{Namespace: pod.Namespace, Name: podOwnerRefs[0].Name}, nil
+}
+
 var replicaSet appsv1.ReplicaSet
 var replicaSetErr error
 if err := wait.PollUntilContextCancel(

@@ -690,7 +690,7 @@ func TestGetPodOwner(t *testing.T) {
 expected types.NamespacedName
 }{
 {
-name: "successfully gets pod owner",
+name: "successfully gets pod owner; ReplicaSet",
 podName: "nginx-pod",
 podList: &v1.PodList{
 Items: []v1.Pod{
@@ -725,6 +725,31 @@ func TestGetPodOwner(t *testing.T) {
 Name: "nginx-deployment",
 },
 },
+{
+name: "successfully gets pod owner; DaemonSet",
+podName: "nginx-pod",
+podList: &v1.PodList{
+Items: []v1.Pod{
+{
+ObjectMeta: metav1.ObjectMeta{
+Name: "nginx-pod",
+Namespace: "test",
+OwnerReferences: []metav1.OwnerReference{
+{
+Kind: "DaemonSet",
+Name: "nginx-daemonset",
+},
+},
+},
+},
+},
+},
+replicaSet: &appsv1.ReplicaSet{},
+expected: types.NamespacedName{
+Namespace: "test",
+Name: "nginx-daemonset",
+},
+},
 {
 name: "error listing pods",
 podName: "nginx-pod",
@@ -745,7 +770,7 @@ func TestGetPodOwner(t *testing.T) {
 errString: "should only be one pod with name",
 },
 {
-name: "pod owner reference is not ReplicaSet",
+name: "pod owner reference is not ReplicaSet or DaemonSet",
 podName: "nginx-pod",
 podList: &v1.PodList{
 Items: []v1.Pod{
@@ -763,7 +788,7 @@ func TestGetPodOwner(t *testing.T) {
 },
 },
 replicaSet: &appsv1.ReplicaSet{},
-errString: "expected pod owner reference to be ReplicaSet",
+errString: "expected pod owner reference to be ReplicaSet or DaemonSet",
 },
 {
 name: "pod has multiple owners",

@@ -73,6 +73,18 @@ func newEventLoop(
 ),
 },
 },
+{
+objectType: &appsv1.DaemonSet{},
+options: []controller.Option{
+controller.WithK8sPredicate(
+k8spredicate.And(
+k8spredicate.GenerationChangedPredicate{},
+nginxResourceLabelPredicate,
+predicate.RestartDeploymentAnnotationPredicate{},
+),
+),
+},
+},
 {
 objectType: &corev1.Service{},
 options: []controller.Option{

@@ -61,7 +61,8 @@ func (h *eventHandler) HandleEventBatch(ctx context.Context, logger logr.Logger,
 switch obj := e.Resource.(type) {
 case *gatewayv1.Gateway:
 h.store.updateGateway(obj)
-case *appsv1.Deployment, *corev1.ServiceAccount, *corev1.ConfigMap, *rbacv1.Role, *rbacv1.RoleBinding:
+case *appsv1.Deployment, *appsv1.DaemonSet, *corev1.ServiceAccount,
+*corev1.ConfigMap, *rbacv1.Role, *rbacv1.RoleBinding:
 objLabels := labels.Set(obj.GetLabels())
 if h.labelSelector.Matches(objLabels) {
 gatewayName := objLabels.Get(controller.GatewayLabel)
@@ -116,7 +117,7 @@ func (h *eventHandler) HandleEventBatch(ctx context.Context, logger logr.Logger,
 logger.Error(err, "error deprovisioning nginx resources")
 }
 h.store.deleteGateway(e.NamespacedName)
-case *appsv1.Deployment, *corev1.Service, *corev1.ServiceAccount,
+case *appsv1.Deployment, *appsv1.DaemonSet, *corev1.Service, *corev1.ServiceAccount,
 *corev1.ConfigMap, *rbacv1.Role, *rbacv1.RoleBinding:
 if err := h.reprovisionResources(ctx, e); err != nil {
 logger.Error(err, "error re-provisioning nginx resources")
@@ -267,40 +268,25 @@ func (h *eventHandler) deprovisionSecretsForAllGateways(ctx context.Context, sec
 
 switch {
 case strings.HasSuffix(resources.AgentTLSSecret.Name, secret):
-if err := h.provisioner.deleteSecret(
-ctx,
-controller.ObjectMetaToNamespacedName(resources.AgentTLSSecret),
-); err != nil {
+if err := h.provisioner.deleteObject(ctx, &corev1.Secret{ObjectMeta: resources.AgentTLSSecret}); err != nil {
 allErrs = append(allErrs, err)
 }
 case strings.HasSuffix(resources.PlusJWTSecret.Name, secret):
-if err := h.provisioner.deleteSecret(
-ctx,
-controller.ObjectMetaToNamespacedName(resources.PlusJWTSecret),
-); err != nil {
+if err := h.provisioner.deleteObject(ctx, &corev1.Secret{ObjectMeta: resources.PlusJWTSecret}); err != nil {
 allErrs = append(allErrs, err)
 }
 case strings.HasSuffix(resources.PlusCASecret.Name, secret):
-if err := h.provisioner.deleteSecret(
-ctx,
-controller.ObjectMetaToNamespacedName(resources.PlusCASecret),
-); err != nil {
+if err := h.provisioner.deleteObject(ctx, &corev1.Secret{ObjectMeta: resources.PlusCASecret}); err != nil {
 allErrs = append(allErrs, err)
 }
 case strings.HasSuffix(resources.PlusClientSSLSecret.Name, secret):
-if err := h.provisioner.deleteSecret(
-ctx,
-controller.ObjectMetaToNamespacedName(resources.PlusClientSSLSecret),
-); err != nil {
+if err := h.provisioner.deleteObject(ctx, &corev1.Secret{ObjectMeta: resources.PlusClientSSLSecret}); err != nil {
 allErrs = append(allErrs, err)
 }
 default:
 for _, dockerSecret := range resources.DockerSecrets {
 if strings.HasSuffix(dockerSecret.Name, secret) {
-if err := h.provisioner.deleteSecret(
-ctx,
-controller.ObjectMetaToNamespacedName(dockerSecret),
-); err != nil {
+if err := h.provisioner.deleteObject(ctx, &corev1.Secret{ObjectMeta: dockerSecret}); err != nil {
 allErrs = append(allErrs, err)
 }
 }