From 19cb94822f474caef5bb717d2748fa4c3a89177f Mon Sep 17 00:00:00 2001
From: Tanguy Herbron
Date: Thu, 15 Sep 2022 00:18:06 +0200
Subject: [PATCH] feat(traefik): Move traefik to manifests

Remove helm configuration in favor of manifests only configuration system
---
traefik/dashboard-hook-ingressroute.yaml | 22 ++++
traefik/dashboard.yaml | 27 ++++
traefik/deployment.yaml | 151 +++++++++++++++++++++++
traefik/pvc.yaml | 20 +++
traefik/rbac/clusterrole.yaml | 55 +++++++++
traefik/rbac/clusterrolebinding.yaml | 19 +++
traefik/rbac/serviceaccount.yaml | 12 ++
traefik/service.yaml | 39 ++++++
8 files changed, 345 insertions(+)
create mode 100644 traefik/dashboard-hook-ingressroute.yaml
create mode 100644 traefik/dashboard.yaml
create mode 100644 traefik/deployment.yaml
create mode 100644 traefik/pvc.yaml
create mode 100644 traefik/rbac/clusterrole.yaml
create mode 100644 traefik/rbac/clusterrolebinding.yaml
create mode 100644 traefik/rbac/serviceaccount.yaml
create mode 100644 traefik/service.yaml
diff --git a/traefik/dashboard-hook-ingressroute.yaml b/traefik/dashboard-hook-ingressroute.yaml
new file mode 100644
index 0000000..858b5c3
--- /dev/null
+++ b/traefik/dashboard-hook-ingressroute.yaml
@@ -0,0 +1,22 @@
+---
+# Source: traefik/templates/dashboard-hook-ingressroute.yaml
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+ name: traefik-dashboard
+ annotations:
+ helm.sh/hook: "post-install,post-upgrade"
+ labels:
+ app.kubernetes.io/name: traefik
+ helm.sh/chart: traefik-10.24.2
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/instance: traefik
+spec:
+ entryPoints:
+ - traefik
+ routes:
+ - match: PathPrefix(`/dashboard`) || PathPrefix(`/api`)
+ kind: Rule
+ services:
+ - name: api@internal
+ kind: TraefikService
diff --git a/traefik/dashboard.yaml b/traefik/dashboard.yaml
new file mode 100644
index 0000000..34d8abb
--- /dev/null
+++ b/traefik/dashboard.yaml
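Review bot: The IngressRoute `traefik-dashboard` declared here has the same name as the IngressRoute in traefik/dashboard.yaml, and neither sets a namespace, so applying the directory makes the two overwrite each other and whichever one `kubectl apply` processes last wins; if this one wins, `api@internal` is served on the `traefik` entrypoint with no middleware in front of it. This file is the rendered Helm post-install hook (`helm.sh/hook: "post-install,post-upgrade"`), which has no effect once Helm is gone, and the dashboard route is already covered by dashboard.yaml. Drop this file, or if a route on the port-9000 entrypoint is wanted, rename it and attach the `internal-ipwhitelist` middleware from dashboard.yaml. The `helm.sh/chart` / `app.kubernetes.io/managed-by: Helm` labels and `# Source:` comments repeated in every file of this patch are chart residue too and could be removed at the same time.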
@@ -0,0 +1,27 @@
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+ name: internal-ipwhitelist
+spec:
+ ipWhiteList:
+ sourceRange:
+ - 10.10.0.1/24
+ - 10.20.0.1/24
+ - 10.42.1.1/24
+ ipStrategy:
+ depth: 0
+
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+ name: traefik-dashboard
+spec:
+ entryPoints:
+ - websecure
+ routes:
+ - kind: Rule
+ match: Host(`traefik.k3s.beta`)
+ services:
+ - name: api@internal
+ kind: TraefikService
diff --git a/traefik/deployment.yaml b/traefik/deployment.yaml
new file mode 100644
index 0000000..fafe8a6
--- /dev/null
+++ b/traefik/deployment.yaml
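Review bot: The `internal-ipwhitelist` Middleware in the first document is never referenced: the `traefik-dashboard` route below has no `middlewares:` entry, so `api@internal` (dashboard and API, which carry no authentication of their own) is served on `websecure` to any client that reaches the LoadBalancer with `Host: traefik.k3s.beta`. Add `middlewares:` and `- name: internal-ipwhitelist` under the route entry. With `ipStrategy.depth: 0` the check uses the TCP peer address, so if the load balancer in front of Traefik masquerades connections (the k3s servicelb does by default, I believe — verify), every client appears to come from a node address and the allowlist either passes or blocks everyone. The ranges are written as host addresses with a /24 (`10.10.0.1/24`); the network form `10.10.0.0/24` states the intent unambiguously and does not depend on how the parser normalises the host bits.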
@@ -0,0 +1,151 @@
+---
+# Source: traefik/templates/deployment.yaml
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: traefik
+ labels:
+ app.kubernetes.io/name: traefik
+ helm.sh/chart: traefik-10.24.2
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/instance: traefik
+ annotations:
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: traefik
+ app.kubernetes.io/instance: traefik
+ strategy:
+ type: RollingUpdate
+ rollingUpdate:
+ maxSurge: 1
+ maxUnavailable: 1
+ minReadySeconds: 0
+ template:
+ metadata:
+ annotations:
+ prometheus.io/scrape: "true"
+ prometheus.io/path: "/metrics"
+ prometheus.io/port: "9100"
+ labels:
+ app.kubernetes.io/name: traefik
+ helm.sh/chart: traefik-10.24.2
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/instance: traefik
+ spec:
+ serviceAccountName: traefik
+ terminationGracePeriodSeconds: 60
+ hostNetwork: false
+ containers:
+ - image: "traefik:2.8.4"
+ imagePullPolicy: IfNotPresent
+ name: traefik
+ resources:
+ readinessProbe:
+ httpGet:
+ path: /ping
+ port: 9000
+ failureThreshold: 1
+ initialDelaySeconds: 10
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 2
+ livenessProbe:
+ httpGet:
+ path: /ping
+ port: 9000
+ failureThreshold: 3
+ initialDelaySeconds: 10
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 2
+ ports:
+ - name: "admin"
+ containerPort: 8080
+ protocol: "TCP"
+ - name: "metrics"
+ containerPort: 9100
+ protocol: "TCP"
+ - name: "minecrafttcp"
+ containerPort: 25565
+ protocol: "TCP"
+ - name: "traefik"
+ containerPort: 9000
+ protocol: "TCP"
+ - name: "web"
+ containerPort: 8000
+ protocol: "TCP"
+ - name: "websecure"
+ containerPort: 8443
+ protocol: "TCP"
+ securityContext:
+ capabilities:
+ drop:
+ - ALL
+ readOnlyRootFilesystem: true
+ runAsGroup: 65532
+ runAsNonRoot: true
+ runAsUser: 65532
+ volumeMounts:
+ - name: data
+ mountPath: /certs
+ - name: tmp
+ mountPath: /tmp
+ args:
+ - "--global.checknewversion"
+ - "--global.sendanonymoususage"
+ - "--entrypoints.admin.address=:8080/tcp"
+ - "--entrypoints.metrics.address=:9100/tcp"
+ - "--entrypoints.minecrafttcp.address=:25565/tcp"
+ - "--entrypoints.traefik.address=:9000/tcp"
+ - "--entrypoints.web.address=:8000/tcp"
+ - "--entrypoints.websecure.address=:8443/tcp"
+ - "--api.dashboard=true"
+ - "--ping=true"
+ - "--metrics.prometheus=true"
+ - "--metrics.prometheus.entrypoint=metrics"
+ - "--providers.kubernetescrd"
+ - "--providers.kubernetesingress"
+ - "--entrypoints.web.http.redirections.entryPoint.to=:443"
+ - "--entrypoints.web.http.redirections.entryPoint.scheme=https"
+ - "--log.level=DEBUG"
+ - "--entrypoints.websecure.http.tls=true"
+ - "--entrypoints.websecure.http.tls.certresolver=letsencrypt"
+ - "--entrypoints.websecure.http.tls.domains[0].main=beta.halia.dev"
+ - "--entrypoints.websecure.http.tls.domains[0].sans=*.beta.halia.dev"
+ - "--certificatesresolvers.letsencrypt.acme.tlschallenge=true"
+ - "--certificatesresolvers.letsencrypt.acme.dnschallenge=true"
+ - "--certificatesresolvers.letsencrypt.acme.dnschallenge.provider=ovh"
+ - "--certificatesresolvers.letsencrypt.acme.dnschallenge.resolvers=1.1.1.1"
+ - "--certificatesresolvers.letsencrypt.acme.email=tanguy.herbron@outlook.com"
+ - "--certificatesresolvers.letsencrypt.acme.storage=/certs/acme.json"
+ env:
+ - name: OVH_APPLICATION_KEY
+ valueFrom:
+ secretKeyRef:
+ key: appKey
+ name: ovh-api-credentials
+ - name: OVH_APPLICATION_SECRET
+ valueFrom:
+ secretKeyRef:
+ key: appSecret
+ name: ovh-api-credentials
+ - name: OVH_CONSUMER_KEY
+ valueFrom:
+ secretKeyRef:
+ key: consumerKey
+ name: ovh-api-credentials
+ - name: OVH_ENDPOINT
+ valueFrom:
+ secretKeyRef:
+ key: endpoint
+ name: ovh-api-credentials
+ volumes:
+ - name: data
+ persistentVolumeClaim:
+ claimName: traefik
+ - name: tmp
+ emptyDir: {}
+ securityContext:
+ fsGroup: 65532
diff --git a/traefik/pvc.yaml b/traefik/pvc.yaml
new file mode 100644
index 0000000..78df611
--- /dev/null
+++ b/traefik/pvc.yaml
@@ -0,0 +1,20 @@
+---
+# Source: traefik/templates/pvc.yaml
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: traefik
+ annotations:
+ helm.sh/resource-policy: keep
+ labels:
+ app.kubernetes.io/name: traefik
+ helm.sh/chart: traefik-10.24.2
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/instance: traefik
+spec:
+ accessModes:
+ - "ReadWriteOnce"
+ resources:
+ requests:
+ storage: "128Mi"
+ storageClassName: "local-path"
diff --git a/traefik/rbac/clusterrole.yaml b/traefik/rbac/clusterrole.yaml
new file mode 100644
index 0000000..3df9cdb
--- /dev/null
+++ b/traefik/rbac/clusterrole.yaml
@@ -0,0 +1,55 @@
+---
+# Source: traefik/templates/rbac/clusterrole.yaml
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: traefik
+ labels:
+ app.kubernetes.io/name: traefik
+ helm.sh/chart: traefik-10.24.2
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/instance: traefik
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - services
+ - endpoints
+ - secrets
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - extensions
+ - networking.k8s.io
+ resources:
+ - ingresses
+ - ingressclasses
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - extensions
+ - networking.k8s.io
+ resources:
+ - ingresses/status
+ verbs:
+ - update
+ - apiGroups:
+ - traefik.containo.us
+ resources:
+ - ingressroutes
+ - ingressroutetcps
+ - ingressrouteudps
+ - middlewares
+ - middlewaretcps
+ - tlsoptions
+ - tlsstores
+ - traefikservices
+ - serverstransports
+ verbs:
+ - get
+ - list
+ - watch
diff --git a/traefik/rbac/clusterrolebinding.yaml b/traefik/rbac/clusterrolebinding.yaml
new file mode 100644
index 0000000..e66fb24
--- /dev/null
+++ b/traefik/rbac/clusterrolebinding.yaml
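Review bot: `helm.sh/resource-policy: keep` is a Helm-only annotation; with the chart gone nothing reads it, and the reason behind it is lost — this claim backs the `/certs` mount in deployment.yaml, where the resolver writes `/certs/acme.json`, the file holding the ACME account and certificate private keys. Replace the annotation with a comment recording that, e.g. `# Backs /certs in deployment.yaml (acme.json: ACME account + certificate private keys); keep across redeploys`, and treat the node that holds the `local-path` volume as holding key material. Because `storageClassName: "local-path"` pins the volume to a single node, losing the claim also means re-issuing every certificate against Let's Encrypt rate limits (inferred from the storage class; confirm for this cluster).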
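Review bot: The first rule grants `get`/`list`/`watch` on `secrets` across every namespace, the broadest permission in this patch: the Traefik service account can read any Secret in the cluster, not only the TLS secrets referenced by Ingress and IngressRoute objects, while the OVH credentials it actually consumes arrive through `secretKeyRef` in the pod spec and need no RBAC at all. This is what the upstream chart renders and Traefik does need Secret read to resolve `secretName` references from routes, so the verb set cannot simply be dropped; but `--providers.kubernetescrd` and `--providers.kubernetesingress` in deployment.yaml set no namespace restriction, so the watch (and the Secret read it implies) is cluster-wide. If routes live in a known set of namespaces, restrict the providers with `--providers.kubernetescrd.namespaces=<ns>` and `--providers.kubernetesingress.namespaces=<ns>` and consider per-namespace Roles in place of this ClusterRole (cluster-scoped `ingressclasses` would still need a small ClusterRole — verify against 2.8.4); otherwise add a comment on the `secrets` line recording why cluster-wide Secret read is accepted.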
@@ -0,0 +1,19 @@
+---
+# Source: traefik/templates/rbac/clusterrolebinding.yaml
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: traefik
+ labels:
+ app.kubernetes.io/name: traefik
+ helm.sh/chart: traefik-10.24.2
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/instance: traefik
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: traefik
+subjects:
+ - kind: ServiceAccount
+ name: traefik
+ namespace: default
diff --git a/traefik/rbac/serviceaccount.yaml b/traefik/rbac/serviceaccount.yaml
new file mode 100644
index 0000000..6555ba0
--- /dev/null
+++ b/traefik/rbac/serviceaccount.yaml
@@ -0,0 +1,12 @@
+---
+# Source: traefik/templates/rbac/serviceaccount.yaml
+kind: ServiceAccount
+apiVersion: v1
+metadata:
+ name: traefik
+ labels:
+ app.kubernetes.io/name: traefik
+ helm.sh/chart: traefik-10.24.2
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/instance: traefik
+ annotations:
diff --git a/traefik/service.yaml b/traefik/service.yaml
new file mode 100644
index 0000000..86d98c5
--- /dev/null
+++ b/traefik/service.yaml
@@ -0,0 +1,39 @@
+---
+# Source: traefik/templates/service.yaml
+apiVersion: v1
+kind: List
+metadata:
+ name: traefik
+items:
+ - apiVersion: v1
+ kind: Service
+ metadata:
+ name: traefik
+ labels:
+ app.kubernetes.io/name: traefik
+ helm.sh/chart: traefik-10.24.2
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/instance: traefik
+ annotations:
+ spec:
+ type: LoadBalancer
+ selector:
+ app.kubernetes.io/name: traefik
+ app.kubernetes.io/instance: traefik
+ ports:
+ - port: 8080
+ name: admin
+ targetPort: "admin"
+ protocol: TCP
+ - port: 25565
+ name: minecrafttcp
+ targetPort: "minecrafttcp"
+ protocol: TCP
+ - port: 80
+ name: web
+ targetPort: "web"
+ protocol: TCP
+ - port: 443
+ name: websecure
+ targetPort: "websecure"
+ protocol: TCP
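Review bot: The subject is pinned to `namespace: default`, but the ServiceAccount in traefik/rbac/serviceaccount.yaml — and every other namespaced object in this patch (Deployment, PVC, Service, IngressRoutes, Middleware) — carries no `metadata.namespace`, so they land in whatever namespace `kubectl apply` is run against. Applied to any namespace other than `default`, the binding names a ServiceAccount that does not exist there and Traefik runs with no permission to watch routes or secrets, which would presumably show up only as provider errors in its log. Either add `namespace: default` (or the intended namespace) to each namespaced manifest so the set is self-describing, or at least state in serviceaccount.yaml that the binding assumes `default`. Running an ingress controller that holds cluster-wide Secret read in `default` next to application workloads is worth a sentence in a README as well; a dedicated namespace is the usual choice.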
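Review bot: Port `8080`/`admin` is published on a `type: LoadBalancer` Service, i.e. on the external address, although nothing in this patch attaches a router to the `admin` entrypoint (the dashboard routes use `traefik` and `websecure`), so the entry only widens the externally reachable surface; remove it — together with the `admin` entrypoint and `containerPort` in deployment.yaml — unless something outside this patch depends on it. The `kind: List` wrapper around a single Service is rendering residue from the chart; a plain `kind: Service` document is easier to read and to diff. The empty `annotations:` key (null) under the item's `metadata` can also go.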