diff --git a/charts/nginx-gateway-fabric/README.md b/charts/nginx-gateway-fabric/README.md
index 49e62768d6..e59f8f5beb 100644
--- a/charts/nginx-gateway-fabric/README.md
+++ b/charts/nginx-gateway-fabric/README.md
@@ -252,7 +252,7 @@ The following table lists the configurable parameters of the NGINX Gateway Fabri
 | Key | Description | Type | Default |
 |-----|-------------|------|---------|
-| `certGenerator` | The certGenerator section contains the configuration for the cert-generator Job. | object | `{"affinity":{},"agentTLSSecretName":"agent-tls","annotations":{},"nodeSelector":{},"overwrite":false,"serverTLSSecretName":"server-tls","tolerations":[],"topologySpreadConstraints":[]}` |
+| `certGenerator` | The certGenerator section contains the configuration for the cert-generator Job. | object | `{"affinity":{},"agentTLSSecretName":"agent-tls","annotations":{},"nodeSelector":{},"overwrite":false,"serverTLSSecretName":"server-tls","tolerations":[],"topologySpreadConstraints":[],"ttlSecondsAfterFinished":30}` |
 | `certGenerator.affinity` | The affinity of the cert-generator pod. | object | `{}` |
 | `certGenerator.agentTLSSecretName` | The name of the base Secret containing TLS CA, certificate, and key for the NGINX Agent to securely communicate with the NGINX Gateway Fabric control plane. Must exist in the same namespace that the NGINX Gateway Fabric control plane is running in (default namespace: nginx-gateway). | string | `"agent-tls"` |
 | `certGenerator.annotations` | The annotations of the cert-generator Job. | object | `{}` |
@@ -261,6 +261,7 @@ The following table lists the configurable parameters of the NGINX Gateway Fabri
 | `certGenerator.serverTLSSecretName` | The name of the Secret containing TLS CA, certificate, and key for the NGINX Gateway Fabric control plane to securely communicate with the NGINX Agent. Must exist in the same namespace that the NGINX Gateway Fabric control plane is running in (default namespace: nginx-gateway). | string | `"server-tls"` |
 | `certGenerator.tolerations` | Tolerations for the cert-generator pod. | list | `[]` |
 | `certGenerator.topologySpreadConstraints` | The topology spread constraints for the cert-generator pod. | list | `[]` |
+| `certGenerator.ttlSecondsAfterFinished` | How long to wait after the cert generator job has finished before it is removed by the job controller. | int | `30` |
 | `clusterDomain` | The DNS cluster domain of your Kubernetes cluster. | string | `"cluster.local"` |
 | `gateways` | A list of Gateway objects. View https://gateway-api.sigs.k8s.io/reference/spec/#gateway for full Gateway reference. | list | `[]` |
 | `nginx` | The nginx section contains the configuration for all NGINX data plane deployments installed by the NGINX Gateway Fabric control plane. | object | `{"config":{},"container":{},"debug":false,"image":{"pullPolicy":"Always","repository":"ghcr.io/nginx/nginx-gateway-fabric/nginx","tag":"edge"},"imagePullSecret":"","imagePullSecrets":[],"kind":"deployment","plus":false,"pod":{},"replicas":1,"service":{"externalTrafficPolicy":"Local","loadBalancerClass":"","loadBalancerIP":"","loadBalancerSourceRanges":[],"nodePorts":[],"type":"LoadBalancer"},"usage":{"caSecretName":"","clientSSLSecretName":"","endpoint":"","resolver":"","secretName":"nplus-license","skipVerify":false}}` |
diff --git a/charts/nginx-gateway-fabric/templates/certs-job.yaml b/charts/nginx-gateway-fabric/templates/certs-job.yaml
index 79953b24a2..430fa0de3f 100644
--- a/charts/nginx-gateway-fabric/templates/certs-job.yaml
+++ b/charts/nginx-gateway-fabric/templates/certs-job.yaml @@ -169,4 +169,4 @@ spec: nodeSelector: {{- toYaml .Values.certGenerator.nodeSelector | nindent 8 }} {{- end }} - ttlSecondsAfterFinished: 0 + ttlSecondsAfterFinished: {{ .Values.certGenerator.ttlSecondsAfterFinished }} diff --git a/charts/nginx-gateway-fabric/values.schema.json b/charts/nginx-gateway-fabric/values.schema.json index 5601513083..9a6d4d4e71 100644 --- a/charts/nginx-gateway-fabric/values.schema.json +++ b/charts/nginx-gateway-fabric/values.schema.json @@ -60,6 +60,13 @@ "required": [], "title": "topologySpreadConstraints", "type": "array" + }, + "ttlSecondsAfterFinished": { + "default": 30, + "description": "How long to wait after the cert generator job has finished before it is removed by the job controller.", + "required": [], + "title": "ttlSecondsAfterFinished", + "type": "integer" } }, "required": [], diff --git a/charts/nginx-gateway-fabric/values.yaml b/charts/nginx-gateway-fabric/values.yaml index b44bf18cc7..00061b1640 100644 --- a/charts/nginx-gateway-fabric/values.yaml +++ b/charts/nginx-gateway-fabric/values.yaml @@ -479,6 +479,9 @@ certGenerator: # -- Overwrite existing TLS Secrets on startup. overwrite: false + # -- How long to wait after the cert generator job has finished before it is removed by the job controller. + ttlSecondsAfterFinished: 30 + # -- Tolerations for the cert-generator pod. tolerations: [] diff --git a/deploy/azure/deploy.yaml b/deploy/azure/deploy.yaml index af50f0d94f..7e29ea1c66 100644 --- a/deploy/azure/deploy.yaml +++ b/deploy/azure/deploy.yaml @@ -367,7 +367,7 @@ spec: fsGroup: 1001 runAsNonRoot: true serviceAccountName: nginx-gateway-cert-generator - ttlSecondsAfterFinished: 0 + ttlSecondsAfterFinished: 30 --- apiVersion: gateway.networking.k8s.io/v1 kind: GatewayClass diff --git a/deploy/default/deploy.yaml b/deploy/default/deploy.yaml index f7c612ad87..199131b2a4 100644 --- a/deploy/default/deploy.yaml +++ b/deploy/default/deploy.yaml 
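Review bot: The value rendered in templates/certs-job.yaml is not coerced to an integer, so `ttlSecondsAfterFinished: {{ .Values.certGenerator.ttlSecondsAfterFinished }}` prints whatever Go's default formatting produces. Helm generally loads numbers from values files as floats, so a large TTL (around one million seconds and up) is likely to render in exponent form and be rejected for this integer field. I would write `ttlSecondsAfterFinished: {{ int .Values.certGenerator.ttlSecondsAfterFinished }}`; note that an unset or null value then renders as 0, the previous hard-coded behaviour, instead of an empty field. The Job spec starts outside this hunk.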
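Review bot: The new `ttlSecondsAfterFinished` entry in values.schema.json accepts any integer, including negative ones, which Kubernetes rejects for this Job field only when the manifest is applied. Adding `"minimum": 0` to the property would surface the mistake at chart validation time instead. If this file is generated from annotations in values.yaml, the bound belongs there. The enclosing properties object (presumably certGenerator's) begins outside the hunk.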
@@ -365,7 +365,7 @@ spec:
 fsGroup: 1001
 runAsNonRoot: true
 serviceAccountName: nginx-gateway-cert-generator
- ttlSecondsAfterFinished: 0
+ ttlSecondsAfterFinished: 30
 ---
 apiVersion: gateway.networking.k8s.io/v1
 kind: GatewayClass
diff --git a/deploy/experimental-nginx-plus/deploy.yaml b/deploy/experimental-nginx-plus/deploy.yaml
index 74a6c9e7ad..46844c4e47 100644
--- a/deploy/experimental-nginx-plus/deploy.yaml
+++ b/deploy/experimental-nginx-plus/deploy.yaml
@@ -373,7 +373,7 @@ spec:
 fsGroup: 1001
 runAsNonRoot: true
 serviceAccountName: nginx-gateway-cert-generator
- ttlSecondsAfterFinished: 0
+ ttlSecondsAfterFinished: 30
 ---
 apiVersion: gateway.networking.k8s.io/v1
 kind: GatewayClass
diff --git a/deploy/experimental/deploy.yaml b/deploy/experimental/deploy.yaml
index c4c7f61138..0dbeac7329 100644
--- a/deploy/experimental/deploy.yaml
+++ b/deploy/experimental/deploy.yaml
@@ -370,7 +370,7 @@ spec:
 fsGroup: 1001
 runAsNonRoot: true
 serviceAccountName: nginx-gateway-cert-generator
- ttlSecondsAfterFinished: 0
+ ttlSecondsAfterFinished: 30
 ---
 apiVersion: gateway.networking.k8s.io/v1
 kind: GatewayClass
diff --git a/deploy/nginx-plus/deploy.yaml b/deploy/nginx-plus/deploy.yaml
index 4499122bd7..73e985ebc2 100644
--- a/deploy/nginx-plus/deploy.yaml
+++ b/deploy/nginx-plus/deploy.yaml
@@ -368,7 +368,7 @@ spec:
 fsGroup: 1001
 runAsNonRoot: true
 serviceAccountName: nginx-gateway-cert-generator
- ttlSecondsAfterFinished: 0
+ ttlSecondsAfterFinished: 30
 ---
 apiVersion: gateway.networking.k8s.io/v1
 kind: GatewayClass
diff --git a/deploy/nodeport/deploy.yaml b/deploy/nodeport/deploy.yaml
index 214d4a9aa7..a2725a6473 100644
--- a/deploy/nodeport/deploy.yaml
+++ b/deploy/nodeport/deploy.yaml
@@ -365,7 +365,7 @@ spec:
 fsGroup: 1001
 runAsNonRoot: true
 serviceAccountName: nginx-gateway-cert-generator
- ttlSecondsAfterFinished: 0
+ ttlSecondsAfterFinished: 30
 ---
 apiVersion: gateway.networking.k8s.io/v1
 kind: GatewayClass
diff --git a/deploy/openshift/deploy.yaml b/deploy/openshift/deploy.yaml
index 2c9732221a..99485c69bd 100644
--- a/deploy/openshift/deploy.yaml
+++ b/deploy/openshift/deploy.yaml
@@ -387,7 +387,7 @@ spec:
 fsGroup: 1001
 runAsNonRoot: true
 serviceAccountName: nginx-gateway-cert-generator
- ttlSecondsAfterFinished: 0
+ ttlSecondsAfterFinished: 30
 ---
 apiVersion: gateway.networking.k8s.io/v1
 kind: GatewayClass
diff --git a/deploy/snippets-filters-nginx-plus/deploy.yaml b/deploy/snippets-filters-nginx-plus/deploy.yaml
index 8cb483fbdd..6cc0026877 100644
--- a/deploy/snippets-filters-nginx-plus/deploy.yaml
+++ b/deploy/snippets-filters-nginx-plus/deploy.yaml
@@ -371,7 +371,7 @@ spec:
 fsGroup: 1001
 runAsNonRoot: true
 serviceAccountName: nginx-gateway-cert-generator
- ttlSecondsAfterFinished: 0
+ ttlSecondsAfterFinished: 30
 ---
 apiVersion: gateway.networking.k8s.io/v1
 kind: GatewayClass
diff --git a/deploy/snippets-filters/deploy.yaml b/deploy/snippets-filters/deploy.yaml
index 2a1acf7c09..9bb597289d 100644
--- a/deploy/snippets-filters/deploy.yaml
+++ b/deploy/snippets-filters/deploy.yaml
@@ -368,7 +368,7 @@ spec:
 fsGroup: 1001
 runAsNonRoot: true
 serviceAccountName: nginx-gateway-cert-generator
- ttlSecondsAfterFinished: 0
+ ttlSecondsAfterFinished: 30
 ---
 apiVersion: gateway.networking.k8s.io/v1
 kind: GatewayClass