Compare commits


5 Commits

49 changed files with 2022 additions and 190 deletions


@ -4,4 +4,13 @@ dev:
kubectl apply -k environments/dev --prune=true --all
prod:
kubectl apply -k environments/prod --prune=true --all
kubectl taint node -l type=outbound type=services:NoSchedule --overwrite
kubectl apply -k environments/prod/bootstrap --all
kubectl apply -k environments/prod --all
monitor:
kubectl apply -f nginx/external/servicemonitor.yaml
kubectl apply -f nginx/internal/servicemonitor.yaml
kubectl apply -f argo/servicemonitor.yaml
kubectl apply -f cloudnativepg/podmonitor.yaml
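Review bot: The `monitor` target installs the nginx, argo and cloudnativepg ServiceMonitors out-of-band with `kubectl apply -f`, while the Longhorn one is pulled in through `longhorn/kustomization.yaml` (which lists `servicemonitor.yaml` in this same change) and the nginx kustomizations omit theirs, so monitoring resources reach the cluster by two different paths depending on the component. Either add the ServiceMonitors to their kustomizations uniformly or document the split with a comment above `monitor:`, e.g. `# ServiceMonitors need the Prometheus Operator CRDs, so they are applied after the monitoring app is up`. I also cannot tell from the rendered hunk whether `kubectl apply -k environments/prod --prune=true --all` survives next to the later `kubectl apply -k environments/prod --all` in the new prod target; if both remain, the first prunes resources the second then re-creates, and if only the second remains, resources dropped from the kustomization are no longer removed. These look like Makefile recipes; the enclosing file continues outside the hunk.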


@ -8,7 +8,7 @@ metadata:
spec:
project: default
source:
repoURL: https://git.halis.io/athens-school/gitea.git
repoURL: https://git.halis.io/athens-school/gitea
targetRevision: k3s
path: manifests
syncPolicy:

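--- /dev/null
+++ b/apps/headlamp.yaml
@@ -0,0 +1,24 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+name: headlamp
+namespace: argocd
+finalizers:
+- resources-finalizer.argocd.argoproj.io
+spec:
+project: default
+source:
+repoURL: https://git.halis.io/athens-school/headlamp
+targetRevision: master
+path: manifests
+syncPolicy:
+automated:
+prune: true
+selfHeal: true
+syncOptions:
+- CreateNamespace=false
+- ApplyOutOfSyncOnly=true
+- PruneLast=true
+destination:
+server: https://kubernetes.default.svc
+namespace: headlamp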
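Review bot: `CreateNamespace=false` together with `destination.namespace: headlamp` means the Application only syncs once the `headlamp` namespace already exists, and nothing in this hunk creates it; if it comes from the `manifests` path of the source repository, say so in a comment above `syncOptions:`, e.g. `# Namespace is created by the manifests themselves; do not let Argo create it`. Separately, `targetRevision: master` combined with `prune: true` and `selfHeal: true` means every push to that branch is deployed automatically, and Headlamp is a cluster UI, so a tag or commit pin would be the safer default unless branch tracking is intentional.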


@ -8,7 +8,7 @@ metadata:
spec:
project: default
source:
repoURL: https://git.halis.io/athens-school/monitoring.git
repoURL: https://git.halis.io/athens-school/monitoring
targetRevision: master
path: manifests
syncPolicy:

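--- /dev/null
+++ b/apps/synapse.yaml
@@ -0,0 +1,24 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+name: synapse
+namespace: argocd
+finalizers:
+- resources-finalizer.argocd.argoproj.io
+spec:
+project: default
+source:
+repoURL: https://git.halis.io/athens-school/synapse.git
+targetRevision: master
+path: manifests
+syncPolicy:
+automated:
+prune: true
+selfHeal: true
+syncOptions:
+- CreateNamespace=false
+- ApplyOutOfSyncOnly=true
+- PruneLast=true
+destination:
+server: https://kubernetes.default.svc
+namespace: synapse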
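Review bot: `repoURL` keeps the `.git` suffix here while the same change set strips it from the gitea and monitoring Applications and the new headlamp one omits it; keep one form for all of them, `repoURL: https://git.halis.io/athens-school/synapse`. Argo normalises repository URLs when matching credentials as far as I recall, so this is probably only a consistency issue, but mixed forms make greps and credential templates harder to audit. Same remark as for headlamp: `targetRevision: master` with automated prune and self-heal deploys every push to that branch.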


@ -3,16 +3,16 @@ kind: Kustomization
resources:
# MetalLB installation and configuration
- https://raw.githubusercontent.com/metallb/metallb/v0.13.7/config/manifests/metallb-native.yaml
- github.com/metallb/metallb/config/native?ref=v0.14.3
# Traefik CRD
- https://raw.githubusercontent.com/traefik/traefik/v2.9/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml
- https://raw.githubusercontent.com/traefik/traefik/v2.9/docs/content/reference/dynamic-configuration/kubernetes-crd-rbac.yml
- https://raw.githubusercontent.com/traefik/traefik/v2.9/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml
- https://raw.githubusercontent.com/traefik/traefik/v2.9/docs/content/reference/dynamic-configuration/kubernetes-crd-rbac.yml
# Longhorn CRD
- https://raw.githubusercontent.com/longhorn/longhorn/v1.5.2/deploy/longhorn.yaml
- https://raw.githubusercontent.com/longhorn/longhorn/v1.7.2/deploy/longhorn.yaml
# SOPS secrets operator CRDs
- https://raw.githubusercontent.com/isindir/sops-secrets-operator/master/config/crd/bases/isindir.github.com_sopssecrets.yaml
- https://raw.githubusercontent.com/isindir/sops-secrets-operator/master/config/crd/bases/isindir.github.com_sopssecrets.yaml
# Install CoudNativePG operator
- https://raw.githubusercontent.com/cloudnative-pg/cloudnative-pg/release-1.20/releases/cnpg-1.19.1.yaml
- https://raw.githubusercontent.com/cloudnative-pg/cloudnative-pg/release-1.20/releases/cnpg-1.19.1.yaml
patchesStrategicMerge:
- ./metallb-patch.yaml
patches:
- path: ./metallb-patch.yaml
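Review bot: Two of the remote CRD sources remain pinned to a branch rather than a release: the sops-secrets-operator line references `master` and the CloudNativePG line references the `release-1.20` branch, so the CRDs applied at bootstrap can change without any commit to this repository, unlike the MetalLB entry which now carries `?ref=v0.14.3`. Pin them the same way, e.g. replace `master` in the sops-secrets-operator URL with `<release-tag>`; the new prod bootstrap kustomization in this change has the same `master` reference and a `refs/heads/main` CloudNativePG URL. The Longhorn bump from v1.5.2 to v1.7.2 skips a minor version; as far as I recall Longhorn only supports upgrading from the immediately preceding minor, so check the upgrade notes before applying this to an existing cluster.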


@ -1,22 +1,18 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
# MetalLB configuration
- ../../metallb
# Miscellanous basic configuration
- ../../res
# NFS client configuration
- ../../nfs-provisioner
# Longhorn installation and configuration
- ../../longhorn
# SOPS operator for secret management on the fly
- ../../sops-operator
# Traefik configuration
- ../../traefik
# Argo installation and configuration
- ../../argo
patchesStrategicMerge:
#- ../../environments/dev/traefik-internal-service.yaml
#- ../../environments/dev/traefik-external-service.yaml
resources:
- ../../metallb
- ../../res
- ../../nfs-provisioner
- ../../longhorn
- ../../sops-operator
- ../../traefik
- ../../argo


@ -1,13 +0,0 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: postgres-operator-ui
namespace: default
spec:
template:
spec:
containers:
- name: "service"
env:
- name: "TARGET_NAMESPACE"
value: "*"


@ -4,4 +4,4 @@ metadata:
name: traefik-internal
namespace: default
spec:
loadBalancerIP: 10.10.0.26
loadBalancerIP: 10.10.0.35


@ -0,0 +1,20 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
# MetalLB installation and configuration
- github.com/metallb/metallb/config/native?ref=v0.14.3
# Traefik CRD
#- https://raw.githubusercontent.com/traefik/traefik/v3.2/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml
#- https://raw.githubusercontent.com/traefik/traefik/v3.2/docs/content/reference/dynamic-configuration/kubernetes-crd-rbac.yml
# Cert manager CRD
- https://github.com/cert-manager/cert-manager/releases/download/v1.16.1/cert-manager.crds.yaml
# Longhorn CRD
- https://raw.githubusercontent.com/longhorn/longhorn/v1.7.2/deploy/longhorn.yaml
# SOPS secrets operator CRDs
- https://raw.githubusercontent.com/isindir/sops-secrets-operator/master/config/crd/bases/isindir.github.com_sopssecrets.yaml
# Install CoudNativePG operator
- https://github.com/cloudnative-pg/cloudnative-pg/raw/refs/heads/main/releases/cnpg-1.24.1.yaml
patches:
- path: ./metallb-patch.yaml


@ -0,0 +1,13 @@
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: speaker
namespace: metallb-system
spec:
template:
spec:
tolerations:
- key: "type"
operator: "Equal"
value: "services"
effect: "NoSchedule"
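Review bot: Patching `tolerations` with a strategic-merge patch replaces the whole list rather than appending, because `PodSpec.tolerations` is declared as an atomic list with no merge key; the upstream speaker DaemonSet ships tolerations for the control-plane taints, so after this patch the speaker would, if I read this correctly, stop being scheduled on tainted control-plane nodes. Either repeat the upstream tolerations in this file alongside the `type=services` one, or switch the kustomization entry to a JSON patch using an `add` op on `/spec/template/spec/tolerations/-`; verify with `kustomize build environments/prod/bootstrap` either way. The quoted scalars (`"type"`, `"Equal"`) are harmless, but the other manifests in this change leave such values unquoted.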


@ -1,10 +1,19 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
# MetalLB configuration
# Miscellanous basic configuration
# NFS client configuration
# Longhorn installation and configuration
# SOPS operator for secret management on the fly
# Traefik configuration
# Argo installation and configuration
resources:
- https://raw.githubusercontent.com/metallb/metallb/v0.13.7/config/manifests/metallb-native.yaml
- ../../metallb
- ../../res
- https://raw.githubusercontent.com/longhorn/longhorn/master/deploy/longhorn.yaml
- ../../longhorn
- ../../traefik
- ../../metallb
- ../../res
- ../../longhorn
- ../../sops-operator
#- ../../traefik
- ../../cert-manager
- ../../argo
#- ../../calico
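Review bot: The component comments (`# MetalLB configuration` through `# Argo installation and configuration`) now sit as one block above `resources:` instead of next to the entries they describe, and they no longer match the list: traefik is commented out, cert-manager has no comment, and `#- ../../calico` is unexplained. Move each comment back above its entry and add one for the new items, e.g. `# cert-manager installation and configuration` above `- ../../cert-manager`, plus a note on whether calico is planned or abandoned. The dev kustomization drops these comments entirely in the same change, so the two environments now document themselves differently.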


@ -1,24 +1,18 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: longhorn-frontend
namespace: longhorn-system
annotations:
kubernetes.io/ingress.class: "traefik-inter"
name: longhorn-frontend
namespace: longhorn-system
spec:
tls:
- secretName: longhorn-beta-tls
hosts:
- longhorn.beta.entos
rules:
- host: longhorn.beta.entos
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: longhorn-frontend
port:
number: 80
ingressClassName: nginx-internal
rules:
- host: longhorn.entos
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: longhorn-frontend
port:
number: 80
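Review bot: The `tls:` block present on the old side is gone and the new Ingress has none, so the Longhorn UI is now served over plain HTTP on `longhorn.entos` through the `nginx-internal` class, and Longhorn's frontend has no authentication of its own. If the intent is that the internal controller terminates TLS with a default certificate, say so in a comment; otherwise re-add `tls:` with a cert-manager issued secret (cert-manager is being added to bootstrap in this change), e.g. `tls:` / `- hosts: [longhorn.entos]` / `  secretName: <longhorn-tls-secret>`, and consider an `nginx.ingress.kubernetes.io/auth-type: basic` annotation so that reaching the internal network alone is not enough to manage volumes.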


@ -3,3 +3,6 @@ kind: Kustomization
resources:
- ingress.yaml
- recurrent-backup.yaml
- secrets.yaml
- servicemonitor.yaml

View File

@ -0,0 +1,15 @@
apiVersion: longhorn.io/v1beta1
kind: RecurringJob
metadata:
name: hourly-backup
namespace: longhorn-system
spec:
cron: "0 * * * *"
task: backup
groups:
- standard-pvc
retain: 10
concurrency: 10
labels:
recurrence: hourly
group: standard-pvc
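Review bot: `apiVersion: longhorn.io/v1beta1` is the older Longhorn API; with the v1.7.2 manifests pulled in by bootstrap the served version is `longhorn.io/v1beta2` as far as I recall, and v1beta1 has been deprecated for several releases, so prefer `apiVersion: longhorn.io/v1beta2` and confirm against the installed CRD. The job only acts on volumes in the `standard-pvc` group, which requires the corresponding recurring-job-group label on each volume (or PVC), and `task: backup` needs a backup target to be configured; a comment above `groups:` stating both would save the next reader a trip to the Longhorn docs.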

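--- /dev/null
+++ b/longhorn/secrets.yaml
@@ -0,0 +1,24 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+name: longhorn-s3-secrets
+namespace: argocd
+finalizers:
+- resources-finalizer.argocd.argoproj.io
+spec:
+project: default
+source:
+repoURL: https://git.halis.io/athens-school/k3s-secrets
+targetRevision: prod-migration
+path: longhorn
+syncPolicy:
+automated:
+prune: true
+selfHeal: true
+syncOptions:
+- CreateNamespace=false
+- ApplyOutOfSyncOnly=true
+- PruneLast=true
+destination:
+server: https://kubernetes.default.svc
+namespace: longhorn-system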
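Review bot: `targetRevision: prod-migration` tracks what looks like a working branch of the `k3s-secrets` repository with `prune: true` and `selfHeal: true`; once that branch is merged or deleted the Application stops syncing, and until then any push to it is applied straight into `longhorn-system`. Switch to the repository's long-lived branch or a tag once the migration lands, e.g. `targetRevision: <default-branch>`, and add a comment above `source:` explaining the temporary pin if it must stay. The file name `secrets.yaml` suggests it holds secrets while it actually holds an Argo Application that delegates them to another repository; a one-line header comment would make that clear.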


@ -0,0 +1,13 @@
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
name: longhorn
namespace: longhorn-system
labels:
team: core
spec:
selector:
matchLabels:
app: longhorn-manager
endpoints:
- port: manager
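Review bot: This ServiceMonitor is labelled `team: core` while the nginx ones added in the same change carry only `app.kubernetes.io/name`; Prometheus Operator only picks up ServiceMonitors that match the Prometheus CR's `serviceMonitorSelector`, so unless that selector is empty one of the two labelling schemes is silently ignored. Pick one label set for every ServiceMonitor in the repository and document it, e.g. `# Prometheus discovers ServiceMonitors via <selector label>; keep it on every monitor`. The selector `app: longhorn-manager` with port `manager` matches the Service Longhorn ships for its manager as far as I recall, but the port name should be confirmed against the v1.7.2 manifest.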


@ -1,20 +0,0 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: nginx
spec:
replicas: 1
selector:
matchLabels:
app: nginx
template:
metadata:
labels:
app: nginx
spec:
containers:
- name: nginx
image: nginx
ports:
- containerPort: 80

nginx/external/deploy.yaml vendored Normal file

@ -0,0 +1,678 @@
apiVersion: v1
automountServiceAccountToken: true
kind: ServiceAccount
metadata:
labels:
app.kubernetes.io/component: controller-external
app.kubernetes.io/instance: nginx-external-ingress
app.kubernetes.io/name: nginx-external-ingress
app.kubernetes.io/part-of: nginx-external-ingress
app.kubernetes.io/version: 1.11.3
name: nginx-external-ingress
namespace: nginx-ingress
---
apiVersion: v1
automountServiceAccountToken: true
kind: ServiceAccount
metadata:
labels:
app.kubernetes.io/component: admission-webhook
app.kubernetes.io/instance: nginx-external-ingress
app.kubernetes.io/name: nginx-external-ingress
app.kubernetes.io/part-of: nginx-external-ingress
app.kubernetes.io/version: 1.11.3
name: nginx-external-ingress-admission
namespace: nginx-ingress
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
labels:
app.kubernetes.io/component: controller-external
app.kubernetes.io/instance: nginx-external-ingress
app.kubernetes.io/name: nginx-external-ingress
app.kubernetes.io/part-of: nginx-external-ingress
app.kubernetes.io/version: 1.11.3
name: nginx-external-ingress
namespace: nginx-ingress
rules:
- apiGroups:
- ""
resources:
- namespaces
verbs:
- get
- apiGroups:
- ""
resources:
- configmaps
- pods
- secrets
- endpoints
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- services
verbs:
- get
- list
- watch
- apiGroups:
- networking.k8s.io
resources:
- ingresses
verbs:
- get
- list
- watch
- apiGroups:
- networking.k8s.io
resources:
- ingresses/status
verbs:
- update
- apiGroups:
- networking.k8s.io
resources:
- ingressclasses
verbs:
- get
- list
- watch
- apiGroups:
- coordination.k8s.io
resourceNames:
- nginx-external-ingress-leader
resources:
- leases
verbs:
- get
- update
- apiGroups:
- coordination.k8s.io
resources:
- leases
verbs:
- create
- apiGroups:
- ""
resources:
- events
verbs:
- create
- patch
- apiGroups:
- discovery.k8s.io
resources:
- endpointslices
verbs:
- list
- watch
- get
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
labels:
app.kubernetes.io/component: admission-webhook
app.kubernetes.io/instance: nginx-external-ingress
app.kubernetes.io/name: nginx-external-ingress
app.kubernetes.io/part-of: nginx-external-ingress
app.kubernetes.io/version: 1.11.3
name: nginx-external-ingress-admission
namespace: nginx-ingress
rules:
- apiGroups:
- ""
resources:
- secrets
verbs:
- get
- create
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app.kubernetes.io/instance: nginx-external-ingress
app.kubernetes.io/name: nginx-external-ingress
app.kubernetes.io/part-of: nginx-external-ingress
app.kubernetes.io/version: 1.11.3
name: nginx-external-ingress
rules:
- apiGroups:
- ""
resources:
- configmaps
- endpoints
- nodes
- pods
- secrets
- namespaces
verbs:
- list
- watch
- apiGroups:
- coordination.k8s.io
resources:
- leases
verbs:
- list
- watch
- apiGroups:
- ""
resources:
- nodes
verbs:
- get
- apiGroups:
- ""
resources:
- services
verbs:
- get
- list
- watch
- apiGroups:
- networking.k8s.io
resources:
- ingresses
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- events
verbs:
- create
- patch
- apiGroups:
- networking.k8s.io
resources:
- ingresses/status
verbs:
- update
- apiGroups:
- networking.k8s.io
resources:
- ingressclasses
verbs:
- get
- list
- watch
- apiGroups:
- discovery.k8s.io
resources:
- endpointslices
verbs:
- list
- watch
- get
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app.kubernetes.io/component: admission-webhook
app.kubernetes.io/instance: nginx-external-ingress
app.kubernetes.io/name: nginx-external-ingress
app.kubernetes.io/part-of: nginx-external-ingress
app.kubernetes.io/version: 1.11.3
name: nginx-external-ingress-admission
rules:
- apiGroups:
- admissionregistration.k8s.io
resources:
- validatingwebhookconfigurations
verbs:
- get
- update
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
labels:
app.kubernetes.io/component: controller-external
app.kubernetes.io/instance: nginx-external-ingress
app.kubernetes.io/name: nginx-external-ingress
app.kubernetes.io/part-of: nginx-external-ingress
app.kubernetes.io/version: 1.11.3
name: nginx-external-ingress
namespace: nginx-ingress
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: nginx-external-ingress
subjects:
- kind: ServiceAccount
name: nginx-external-ingress
namespace: nginx-ingress
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
labels:
app.kubernetes.io/component: admission-webhook
app.kubernetes.io/instance: nginx-external-ingress
app.kubernetes.io/name: nginx-external-ingress
app.kubernetes.io/part-of: nginx-external-ingress
app.kubernetes.io/version: 1.11.3
name: nginx-external-ingress-admission
namespace: nginx-ingress
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: nginx-external-ingress-admission
subjects:
- kind: ServiceAccount
name: nginx-external-ingress-admission
namespace: nginx-ingress
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
labels:
app.kubernetes.io/instance: nginx-external-ingress
app.kubernetes.io/name: nginx-external-ingress
app.kubernetes.io/part-of: nginx-external-ingress
app.kubernetes.io/version: 1.11.3
name: nginx-external-ingress
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: nginx-external-ingress
subjects:
- kind: ServiceAccount
name: nginx-external-ingress
namespace: nginx-ingress
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
labels:
app.kubernetes.io/component: admission-webhook
app.kubernetes.io/instance: nginx-external-ingress
app.kubernetes.io/name: nginx-external-ingress
app.kubernetes.io/part-of: nginx-external-ingress
app.kubernetes.io/version: 1.11.3
name: nginx-external-ingress-admission
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: nginx-external-ingress-admission
subjects:
- kind: ServiceAccount
name: nginx-external-ingress-admission
namespace: nginx-ingress
---
apiVersion: v1
data:
allow-snippet-annotations: "true"
kind: ConfigMap
metadata:
labels:
app.kubernetes.io/component: controller-external
app.kubernetes.io/instance: nginx-external-ingress
app.kubernetes.io/name: nginx-external-ingress
app.kubernetes.io/part-of: nginx-external-ingress
app.kubernetes.io/version: 1.11.3
name: nginx-external-ingress-controller
namespace: nginx-ingress
---
apiVersion: v1
kind: Service
metadata:
labels:
app.kubernetes.io/component: controller-external
app.kubernetes.io/instance: nginx-external-ingress
app.kubernetes.io/name: nginx-external-ingress
app.kubernetes.io/part-of: nginx-external-ingress
app.kubernetes.io/version: 1.11.3
name: nginx-external-ingress-controller
namespace: nginx-ingress
spec:
ipFamilies:
- IPv4
ipFamilyPolicy: SingleStack
ports:
- appProtocol: http
name: http
port: 80
protocol: TCP
targetPort: http
- appProtocol: https
name: https
port: 443
protocol: TCP
targetPort: https
- name: prometheus
port: 10254
protocol: TCP
targetPort: prometheus
selector:
app.kubernetes.io/component: controller-external
app.kubernetes.io/instance: nginx-external-ingress
app.kubernetes.io/name: nginx-external-ingress
type: NodePort
---
apiVersion: v1
kind: Service
metadata:
labels:
app.kubernetes.io/component: controller-external
app.kubernetes.io/instance: nginx-external-ingress
app.kubernetes.io/name: nginx-external-ingress
app.kubernetes.io/part-of: nginx-external-ingress
app.kubernetes.io/version: 1.11.3
name: nginx-external-ingress-controller-admission
namespace: nginx-ingress
spec:
ports:
- appProtocol: https
name: https-webhook
port: 443
targetPort: webhook
selector:
app.kubernetes.io/component: controller-external
app.kubernetes.io/instance: nginx-external-ingress
app.kubernetes.io/name: nginx-external-ingress
type: ClusterIP
---
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app.kubernetes.io/component: controller-external
app.kubernetes.io/instance: nginx-external-ingress
app.kubernetes.io/name: nginx-external-ingress
app.kubernetes.io/part-of: nginx-external-ingress
app.kubernetes.io/version: 1.11.3
name: nginx-external-ingress-controller
namespace: nginx-ingress
spec:
minReadySeconds: 0
revisionHistoryLimit: 10
selector:
matchLabels:
app.kubernetes.io/component: controller-external
app.kubernetes.io/instance: nginx-external-ingress
app.kubernetes.io/name: nginx-external-ingress
strategy:
rollingUpdate:
maxUnavailable: 1
type: RollingUpdate
template:
metadata:
annotations:
prometheus.io/port: "10254"
prometheus.io/scrape: "true"
labels:
app.kubernetes.io/component: controller-external
app.kubernetes.io/instance: nginx-external-ingress
app.kubernetes.io/name: nginx-external-ingress
app.kubernetes.io/part-of: nginx-external-ingress
app.kubernetes.io/version: 1.11.3
spec:
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: ingress
operator: In
values:
- external
tolerations:
- key: "type"
operator: "Equal"
value: "services"
effect: "NoSchedule"
containers:
- args:
- /nginx-ingress-controller
- --election-id=nginx-external-ingress-leader
- --controller-class=k8s.io/nginx-external-ingress
- --ingress-class=nginx-external
- --configmap=$(POD_NAMESPACE)/nginx-external-ingress-controller
- --validating-webhook=:8443
- --validating-webhook-certificate=/usr/local/certificates/cert
- --validating-webhook-key=/usr/local/certificates/key
- --enable-metrics=true
env:
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: LD_PRELOAD
value: /usr/local/lib/libmimalloc.so
image: registry.k8s.io/ingress-nginx/controller:v1.11.3@sha256:d56f135b6462cfc476447cfe564b83a45e8bb7da2774963b00d12161112270b7
imagePullPolicy: IfNotPresent
lifecycle:
preStop:
exec:
command:
- /wait-shutdown
livenessProbe:
failureThreshold: 5
httpGet:
path: /healthz
port: 10254
scheme: HTTP
initialDelaySeconds: 10
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 1
name: controller
ports:
- containerPort: 80
name: http
protocol: TCP
- containerPort: 443
name: https
protocol: TCP
- containerPort: 8443
name: webhook
protocol: TCP
- containerPort: 10254
name: prometheus
protocol: TCP
readinessProbe:
failureThreshold: 3
httpGet:
path: /healthz
port: 10254
scheme: HTTP
initialDelaySeconds: 10
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 1
resources:
requests:
cpu: 100m
memory: 90Mi
securityContext:
allowPrivilegeEscalation: false
capabilities:
add:
- NET_BIND_SERVICE
drop:
- ALL
readOnlyRootFilesystem: false
runAsNonRoot: true
runAsUser: 101
seccompProfile:
type: RuntimeDefault
volumeMounts:
- mountPath: /usr/local/certificates/
name: webhook-cert
readOnly: true
dnsPolicy: ClusterFirst
nodeSelector:
kubernetes.io/os: linux
serviceAccountName: nginx-external-ingress
terminationGracePeriodSeconds: 300
volumes:
- name: webhook-cert
secret:
secretName: nginx-external-ingress-admission
---
apiVersion: batch/v1
kind: Job
metadata:
labels:
app.kubernetes.io/component: admission-webhook
app.kubernetes.io/instance: nginx-external-ingress
app.kubernetes.io/name: nginx-external-ingress
app.kubernetes.io/part-of: nginx-external-ingress
app.kubernetes.io/version: 1.11.3
name: nginx-external-ingress-admission-create
namespace: nginx-ingress
spec:
template:
metadata:
labels:
app.kubernetes.io/component: admission-webhook
app.kubernetes.io/instance: nginx-external-ingress
app.kubernetes.io/name: nginx-external-ingress
app.kubernetes.io/part-of: nginx-external-ingress
app.kubernetes.io/version: 1.11.3
name: nginx-external-ingress-admission-create
spec:
containers:
- args:
- create
- --host=nginx-external-ingress-controller-admission,nginx-external-ingress-controller-admission.$(POD_NAMESPACE).svc
- --namespace=$(POD_NAMESPACE)
- --secret-name=nginx-external-ingress-admission
env:
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.4.4@sha256:a9f03b34a3cbfbb26d103a14046ab2c5130a80c3d69d526ff8063d2b37b9fd3f
imagePullPolicy: IfNotPresent
name: create
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 65532
seccompProfile:
type: RuntimeDefault
nodeSelector:
kubernetes.io/os: linux
restartPolicy: OnFailure
serviceAccountName: nginx-external-ingress-admission
---
apiVersion: batch/v1
kind: Job
metadata:
labels:
app.kubernetes.io/component: admission-webhook
app.kubernetes.io/instance: nginx-external-ingress
app.kubernetes.io/name: nginx-external-ingress
app.kubernetes.io/part-of: nginx-external-ingress
app.kubernetes.io/version: 1.11.3
name: nginx-external-ingress-admission-patch
namespace: nginx-ingress
spec:
template:
metadata:
labels:
app.kubernetes.io/component: admission-webhook
app.kubernetes.io/instance: nginx-external-ingress
app.kubernetes.io/name: nginx-external-ingress
app.kubernetes.io/part-of: nginx-external-ingress
app.kubernetes.io/version: 1.11.3
name: nginx-external-ingress-admission-patch
spec:
containers:
- args:
- patch
- --webhook-name=nginx-external-ingress-admission
- --namespace=$(POD_NAMESPACE)
- --patch-mutating=false
- --secret-name=nginx-external-ingress-admission
- --patch-failure-policy=Fail
env:
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.4.4@sha256:a9f03b34a3cbfbb26d103a14046ab2c5130a80c3d69d526ff8063d2b37b9fd3f
imagePullPolicy: IfNotPresent
name: patch
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 65532
seccompProfile:
type: RuntimeDefault
nodeSelector:
kubernetes.io/os: linux
restartPolicy: OnFailure
serviceAccountName: nginx-external-ingress-admission
---
apiVersion: networking.k8s.io/v1
kind: IngressClass
metadata:
labels:
app.kubernetes.io/component: controller-external
app.kubernetes.io/instance: nginx-external-ingress
app.kubernetes.io/name: nginx-external-ingress
app.kubernetes.io/part-of: nginx-external-ingress
app.kubernetes.io/version: 1.11.3
name: nginx-external
spec:
controller: k8s.io/nginx-external-ingress
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
labels:
app.kubernetes.io/component: admission-webhook
app.kubernetes.io/instance: nginx-external-ingress
app.kubernetes.io/name: nginx-external-ingress
app.kubernetes.io/part-of: nginx-external-ingress
app.kubernetes.io/version: 1.11.3
name: nginx-external-ingress-admission
webhooks:
- admissionReviewVersions:
- v1
clientConfig:
service:
name: nginx-external-ingress-controller-admission
namespace: nginx-ingress
path: /networking/v1/ingresses
port: 443
failurePolicy: Fail
matchPolicy: Equivalent
name: validate.nginx.ingress.kubernetes.io
rules:
- apiGroups:
- networking.k8s.io
apiVersions:
- v1
operations:
- CREATE
- UPDATE
resources:
- ingresses
sideEffects: None
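Review bot: The external controller's ConfigMap sets `allow-snippet-annotations: "true"`, whereas the internal copy in this same change sets it to `"false"` and upstream ships it disabled; snippets let anyone who can create an Ingress in any namespace inject raw nginx configuration into this controller, which holds a ClusterRole with list/watch on `secrets` across all namespaces, and this is the internet-facing instance. Unless a specific Ingress needs a snippet, set `allow-snippet-annotations: "false"` here too, or document which Ingress depends on it in a comment directly above the key. The file is marked vendored but diverges from upstream (instance names, node affinity, tolerations), so it needs the same review on every version bump; a header comment naming the upstream version and the local edits would help.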

nginx/external/kustomization.yaml vendored Normal file

@ -0,0 +1,7 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- deploy.yaml
- loadbalancer.yaml
- networkpolicy.yaml

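--- /dev/null
+++ b/nginx/external/loadbalancer.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Service
+metadata:
+name: nginx-external-ingress-controller-loadbalancer
+namespace: nginx-ingress
+spec:
+selector:
+app.kubernetes.io/component: controller-external
+app.kubernetes.io/instance: nginx-external-ingress
+app.kubernetes.io/name: nginx-external-ingress
+ports:
+- name: http
+port: 80
+protocol: TCP
+targetPort: 80
+- name: https
+port: 443
+protocol: TCP
+targetPort: 443
+type: LoadBalancer
+externalTrafficPolicy: Local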

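--- /dev/null
+++ b/nginx/external/networkpolicy.yaml
@@ -0,0 +1,28 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+name: nginx-scrapper-blocker
+namespace: nginx-ingress
+spec:
+podSelector: {} # Applies to all pods in the namespace
+ingress:
+- from:
+- ipBlock:
+cidr: 0.0.0.0/0
+except:
+- 57.141.0.0/24 # Facebook crawler
+- 85.208.96.0/24 # Semrush crawler
+- 185.191.171.0/24 # Random crawler
+- 44.192.0.0/10 # AWS crawler
+- 3.0.0.0/9 # AWS crawler
+- 34.192.0.0/10 # AWS crawler
+- 100.24.0.0/13 # AWS crawler
+- 216.244.64.0/19 # Random crawler
+- 54.224.0.0/11 # Random crawler
+ports:
+- protocol: TCP
+port: 80
+- protocol: TCP
+port: 443
+- protocol: TCP
+port: 8443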
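Review bot: The single ingress rule lists only ports 80, 443 and 8443, and with `podSelector: {}` it applies to every pod in `nginx-ingress`, so once the CNI enforces this policy the metrics port 10254 that the ServiceMonitor added in this change scrapes is denied to Prometheus (and, depending on the CNI, kubelet probes to `/healthz` on 10254 may be affected as well). Add a second rule allowing 10254 from the monitoring namespace; that namespace's name is not visible here, so the selector below carries a placeholder. Note also that filtering by client CIDR only works because the LoadBalancer Service uses `externalTrafficPolicy: Local`, which preserves the source address; a comment stating that dependency next to `except:` would stop someone from "fixing" the traffic policy later. `nginx-scrapper-blocker` is presumably meant to read `scraper`.

```yaml
  ingress:
    # … unchanged: CIDR-based rule for ports 80/443/8443 …
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: <monitoring-namespace>  # placeholder: namespace running Prometheus
      ports:
        - protocol: TCP
          port: 10254
```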

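--- /dev/null
+++ b/nginx/external/servicemonitor.yaml
@@ -0,0 +1,14 @@
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+name: nginx-external
+namespace: nginx-ingress
+labels:
+app.kubernetes.io/name: nginx-external-ingress
+spec:
+selector:
+matchLabels:
+app.kubernetes.io/name: nginx-external-ingress
+endpoints:
+- port: prometheus
+path: /metrics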


@ -1,23 +0,0 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: nginx-ingress
annotations:
kubernetes.io/ingress.class: "traefik"
spec:
tls:
- secretName: nginx-beta-tls
hosts:
- nginx.beta.halia.dev
rules:
- host: nginx.beta.halia.dev
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: nginx-svc
port:
number: 80

nginx/internal/deploy.yaml Normal file

@ -0,0 +1,678 @@
apiVersion: v1
automountServiceAccountToken: true
kind: ServiceAccount
metadata:
labels:
app.kubernetes.io/component: controller-internal
app.kubernetes.io/instance: nginx-internal-ingress
app.kubernetes.io/name: nginx-internal-ingress
app.kubernetes.io/part-of: nginx-internal-ingress
app.kubernetes.io/version: 1.11.3
name: nginx-internal-ingress
namespace: nginx-ingress
---
apiVersion: v1
automountServiceAccountToken: true
kind: ServiceAccount
metadata:
labels:
app.kubernetes.io/component: admission-webhook
app.kubernetes.io/instance: nginx-internal-ingress
app.kubernetes.io/name: nginx-internal-ingress
app.kubernetes.io/part-of: nginx-internal-ingress
app.kubernetes.io/version: 1.11.3
name: nginx-internal-ingress-admission
namespace: nginx-ingress
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
labels:
app.kubernetes.io/component: controller-internal
app.kubernetes.io/instance: nginx-internal-ingress
app.kubernetes.io/name: nginx-internal-ingress
app.kubernetes.io/part-of: nginx-internal-ingress
app.kubernetes.io/version: 1.11.3
name: nginx-internal-ingress
namespace: nginx-ingress
rules:
- apiGroups:
- ""
resources:
- namespaces
verbs:
- get
- apiGroups:
- ""
resources:
- configmaps
- pods
- secrets
- endpoints
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- services
verbs:
- get
- list
- watch
- apiGroups:
- networking.k8s.io
resources:
- ingresses
verbs:
- get
- list
- watch
- apiGroups:
- networking.k8s.io
resources:
- ingresses/status
verbs:
- update
- apiGroups:
- networking.k8s.io
resources:
- ingressclasses
verbs:
- get
- list
- watch
- apiGroups:
- coordination.k8s.io
resourceNames:
- nginx-internal-ingress-leader
resources:
- leases
verbs:
- get
- update
- apiGroups:
- coordination.k8s.io
resources:
- leases
verbs:
- create
- apiGroups:
- ""
resources:
- events
verbs:
- create
- patch
- apiGroups:
- discovery.k8s.io
resources:
- endpointslices
verbs:
- list
- watch
- get
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
labels:
app.kubernetes.io/component: admission-webhook
app.kubernetes.io/instance: nginx-internal-ingress
app.kubernetes.io/name: nginx-internal-ingress
app.kubernetes.io/part-of: nginx-internal-ingress
app.kubernetes.io/version: 1.11.3
name: nginx-internal-ingress-admission
namespace: nginx-ingress
rules:
- apiGroups:
- ""
resources:
- secrets
verbs:
- get
- create
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app.kubernetes.io/instance: nginx-internal-ingress
app.kubernetes.io/name: nginx-internal-ingress
app.kubernetes.io/part-of: nginx-internal-ingress
app.kubernetes.io/version: 1.11.3
name: nginx-internal-ingress
rules:
- apiGroups:
- ""
resources:
- configmaps
- endpoints
- nodes
- pods
- secrets
- namespaces
verbs:
- list
- watch
- apiGroups:
- coordination.k8s.io
resources:
- leases
verbs:
- list
- watch
- apiGroups:
- ""
resources:
- nodes
verbs:
- get
- apiGroups:
- ""
resources:
- services
verbs:
- get
- list
- watch
- apiGroups:
- networking.k8s.io
resources:
- ingresses
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- events
verbs:
- create
- patch
- apiGroups:
- networking.k8s.io
resources:
- ingresses/status
verbs:
- update
- apiGroups:
- networking.k8s.io
resources:
- ingressclasses
verbs:
- get
- list
- watch
- apiGroups:
- discovery.k8s.io
resources:
- endpointslices
verbs:
- list
- watch
- get
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app.kubernetes.io/component: admission-webhook
app.kubernetes.io/instance: nginx-internal-ingress
app.kubernetes.io/name: nginx-internal-ingress
app.kubernetes.io/part-of: nginx-internal-ingress
app.kubernetes.io/version: 1.11.3
name: nginx-internal-ingress-admission
rules:
- apiGroups:
- admissionregistration.k8s.io
resources:
- validatingwebhookconfigurations
verbs:
- get
- update
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
labels:
app.kubernetes.io/component: controller-internal
app.kubernetes.io/instance: nginx-internal-ingress
app.kubernetes.io/name: nginx-internal-ingress
app.kubernetes.io/part-of: nginx-internal-ingress
app.kubernetes.io/version: 1.11.3
name: nginx-internal-ingress
namespace: nginx-ingress
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: nginx-internal-ingress
subjects:
- kind: ServiceAccount
name: nginx-internal-ingress
namespace: nginx-ingress
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
labels:
app.kubernetes.io/component: admission-webhook
app.kubernetes.io/instance: nginx-internal-ingress
app.kubernetes.io/name: nginx-internal-ingress
app.kubernetes.io/part-of: nginx-internal-ingress
app.kubernetes.io/version: 1.11.3
name: nginx-internal-ingress-admission
namespace: nginx-ingress
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: nginx-internal-ingress-admission
subjects:
- kind: ServiceAccount
name: nginx-internal-ingress-admission
namespace: nginx-ingress
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
labels:
app.kubernetes.io/instance: nginx-internal-ingress
app.kubernetes.io/name: nginx-internal-ingress
app.kubernetes.io/part-of: nginx-internal-ingress
app.kubernetes.io/version: 1.11.3
name: nginx-internal-ingress
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: nginx-internal-ingress
subjects:
- kind: ServiceAccount
name: nginx-internal-ingress
namespace: nginx-ingress
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
labels:
app.kubernetes.io/component: admission-webhook
app.kubernetes.io/instance: nginx-internal-ingress
app.kubernetes.io/name: nginx-internal-ingress
app.kubernetes.io/part-of: nginx-internal-ingress
app.kubernetes.io/version: 1.11.3
name: nginx-internal-ingress-admission
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: nginx-internal-ingress-admission
subjects:
- kind: ServiceAccount
name: nginx-internal-ingress-admission
namespace: nginx-ingress
---
apiVersion: v1
data:
allow-snippet-annotations: "false"
kind: ConfigMap
metadata:
labels:
app.kubernetes.io/component: controller-internal
app.kubernetes.io/instance: nginx-internal-ingress
app.kubernetes.io/name: nginx-internal-ingress
app.kubernetes.io/part-of: nginx-internal-ingress
app.kubernetes.io/version: 1.11.3
name: nginx-internal-ingress-controller
namespace: nginx-ingress
---
apiVersion: v1
kind: Service
metadata:
labels:
app.kubernetes.io/component: controller-internal
app.kubernetes.io/instance: nginx-internal-ingress
app.kubernetes.io/name: nginx-internal-ingress
app.kubernetes.io/part-of: nginx-internal-ingress
app.kubernetes.io/version: 1.11.3
name: nginx-internal-ingress-controller
namespace: nginx-ingress
spec:
ipFamilies:
- IPv4
ipFamilyPolicy: SingleStack
ports:
- appProtocol: http
name: http
port: 80
protocol: TCP
targetPort: http
- appProtocol: https
name: https
port: 443
protocol: TCP
targetPort: https
- name: prometheus
port: 10254
protocol: TCP
targetPort: prometheus
selector:
app.kubernetes.io/component: controller-internal
app.kubernetes.io/instance: nginx-internal-ingress
app.kubernetes.io/name: nginx-internal-ingress
type: NodePort
---
apiVersion: v1
kind: Service
metadata:
labels:
app.kubernetes.io/component: controller-internal
app.kubernetes.io/instance: nginx-internal-ingress
app.kubernetes.io/name: nginx-internal-ingress
app.kubernetes.io/part-of: nginx-internal-ingress
app.kubernetes.io/version: 1.11.3
name: nginx-internal-ingress-controller-admission
namespace: nginx-ingress
spec:
ports:
- appProtocol: https
name: https-webhook
port: 443
targetPort: webhook
selector:
app.kubernetes.io/component: controller-internal
app.kubernetes.io/instance: nginx-internal-ingress
app.kubernetes.io/name: nginx-internal-ingress
type: ClusterIP
---
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app.kubernetes.io/component: controller-internal
app.kubernetes.io/instance: nginx-internal-ingress
app.kubernetes.io/name: nginx-internal-ingress
app.kubernetes.io/part-of: nginx-internal-ingress
app.kubernetes.io/version: 1.11.3
name: nginx-internal-ingress-controller
namespace: nginx-ingress
spec:
minReadySeconds: 0
revisionHistoryLimit: 10
selector:
matchLabels:
app.kubernetes.io/component: controller-internal
app.kubernetes.io/instance: nginx-internal-ingress
app.kubernetes.io/name: nginx-internal-ingress
strategy:
rollingUpdate:
maxUnavailable: 1
type: RollingUpdate
template:
metadata:
annotations:
prometheus.io/port: "10254"
prometheus.io/scrape: "true"
labels:
app.kubernetes.io/component: controller-internal
app.kubernetes.io/instance: nginx-internal-ingress
app.kubernetes.io/name: nginx-internal-ingress
app.kubernetes.io/part-of: nginx-internal-ingress
app.kubernetes.io/version: 1.11.3
spec:
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: ingress
operator: In
values:
- internal
tolerations:
- key: "type"
operator: "Equal"
value: "services"
effect: "NoSchedule"
containers:
- args:
- /nginx-ingress-controller
- --election-id=nginx-internal-ingress-leader
- --controller-class=k8s.io/nginx-internal-ingress
- --ingress-class=nginx-internal
- --configmap=$(POD_NAMESPACE)/nginx-internal-ingress-controller
- --validating-webhook=:8443
- --validating-webhook-certificate=/usr/local/certificates/cert
- --validating-webhook-key=/usr/local/certificates/key
- --enable-metrics=true
env:
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: LD_PRELOAD
value: /usr/local/lib/libmimalloc.so
image: registry.k8s.io/ingress-nginx/controller:v1.11.3@sha256:d56f135b6462cfc476447cfe564b83a45e8bb7da2774963b00d12161112270b7
imagePullPolicy: IfNotPresent
lifecycle:
preStop:
exec:
command:
- /wait-shutdown
livenessProbe:
failureThreshold: 5
httpGet:
path: /healthz
port: 10254
scheme: HTTP
initialDelaySeconds: 10
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 1
name: controller
ports:
- containerPort: 80
name: http
protocol: TCP
- containerPort: 443
name: https
protocol: TCP
- containerPort: 8443
name: webhook
protocol: TCP
- containerPort: 10254
name: prometheus
protocol: TCP
readinessProbe:
failureThreshold: 3
httpGet:
path: /healthz
port: 10254
scheme: HTTP
initialDelaySeconds: 10
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 1
resources:
requests:
cpu: 100m
memory: 90Mi
securityContext:
allowPrivilegeEscalation: false
capabilities:
add:
- NET_BIND_SERVICE
drop:
- ALL
readOnlyRootFilesystem: false
runAsNonRoot: true
runAsUser: 101
seccompProfile:
type: RuntimeDefault
volumeMounts:
- mountPath: /usr/local/certificates/
name: webhook-cert
readOnly: true
dnsPolicy: ClusterFirst
nodeSelector:
kubernetes.io/os: linux
serviceAccountName: nginx-internal-ingress
terminationGracePeriodSeconds: 300
volumes:
- name: webhook-cert
secret:
secretName: nginx-internal-ingress-admission
---
apiVersion: batch/v1
kind: Job
metadata:
labels:
app.kubernetes.io/component: admission-webhook
app.kubernetes.io/instance: nginx-internal-ingress
app.kubernetes.io/name: nginx-internal-ingress
app.kubernetes.io/part-of: nginx-internal-ingress
app.kubernetes.io/version: 1.11.3
name: nginx-internal-ingress-admission-create
namespace: nginx-ingress
spec:
template:
metadata:
labels:
app.kubernetes.io/component: admission-webhook
app.kubernetes.io/instance: nginx-internal-ingress
app.kubernetes.io/name: nginx-internal-ingress
app.kubernetes.io/part-of: nginx-internal-ingress
app.kubernetes.io/version: 1.11.3
name: nginx-internal-ingress-admission-create
spec:
containers:
- args:
- create
- --host=nginx-internal-ingress-controller-admission,nginx-internal-ingress-controller-admission.$(POD_NAMESPACE).svc
- --namespace=$(POD_NAMESPACE)
- --secret-name=nginx-internal-ingress-admission
env:
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.4.4@sha256:a9f03b34a3cbfbb26d103a14046ab2c5130a80c3d69d526ff8063d2b37b9fd3f
imagePullPolicy: IfNotPresent
name: create
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 65532
seccompProfile:
type: RuntimeDefault
nodeSelector:
kubernetes.io/os: linux
restartPolicy: OnFailure
serviceAccountName: nginx-internal-ingress-admission
---
apiVersion: batch/v1
kind: Job
metadata:
labels:
app.kubernetes.io/component: admission-webhook
app.kubernetes.io/instance: nginx-internal-ingress
app.kubernetes.io/name: nginx-internal-ingress
app.kubernetes.io/part-of: nginx-internal-ingress
app.kubernetes.io/version: 1.11.3
name: nginx-internal-ingress-admission-patch
namespace: nginx-ingress
spec:
template:
metadata:
labels:
app.kubernetes.io/component: admission-webhook
app.kubernetes.io/instance: nginx-internal-ingress
app.kubernetes.io/name: nginx-internal-ingress
app.kubernetes.io/part-of: nginx-internal-ingress
app.kubernetes.io/version: 1.11.3
name: nginx-internal-ingress-admission-patch
spec:
containers:
- args:
- patch
- --webhook-name=nginx-internal-ingress-admission
- --namespace=$(POD_NAMESPACE)
- --patch-mutating=false
- --secret-name=nginx-internal-ingress-admission
- --patch-failure-policy=Fail
env:
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.4.4@sha256:a9f03b34a3cbfbb26d103a14046ab2c5130a80c3d69d526ff8063d2b37b9fd3f
imagePullPolicy: IfNotPresent
name: patch
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 65532
seccompProfile:
type: RuntimeDefault
nodeSelector:
kubernetes.io/os: linux
restartPolicy: OnFailure
serviceAccountName: nginx-internal-ingress-admission
---
apiVersion: networking.k8s.io/v1
kind: IngressClass
metadata:
labels:
app.kubernetes.io/component: controller-internal
app.kubernetes.io/instance: nginx-internal-ingress
app.kubernetes.io/name: nginx-internal-ingress
app.kubernetes.io/part-of: nginx-internal-ingress
app.kubernetes.io/version: 1.11.3
name: nginx-internal
spec:
controller: k8s.io/nginx-internal-ingress
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
labels:
app.kubernetes.io/component: admission-webhook
app.kubernetes.io/instance: nginx-internal-ingress
app.kubernetes.io/name: nginx-internal-ingress
app.kubernetes.io/part-of: nginx-internal-ingress
app.kubernetes.io/version: 1.11.3
name: nginx-internal-ingress-admission
webhooks:
- admissionReviewVersions:
- v1
clientConfig:
service:
name: nginx-internal-ingress-controller-admission
namespace: nginx-ingress
path: /networking/v1/ingresses
port: 443
failurePolicy: Fail
matchPolicy: Equivalent
name: validate.nginx.ingress.kubernetes.io
rules:
- apiGroups:
- networking.k8s.io
apiVersions:
- v1
operations:
- CREATE
- UPDATE
resources:
- ingresses
sideEffects: None


@ -0,0 +1,6 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- deploy.yaml
- loadbalancer.yaml


@ -0,0 +1,22 @@
apiVersion: v1
kind: Service
metadata:
name: nginx-internal-ingress-controller-loadbalancer
namespace: nginx-ingress
spec:
selector:
app.kubernetes.io/component: controller-internal
app.kubernetes.io/instance: nginx-internal-ingress
app.kubernetes.io/name: nginx-internal-ingress
ports:
- name: http
port: 80
protocol: TCP
targetPort: 80
- name: https
port: 443
protocol: TCP
targetPort: 443
type: LoadBalancer
externalTrafficPolicy: Local
loadBalancerIP: 10.10.0.16
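Review bot: `loadBalancerIP: 10.10.0.16` on this Service is the same address the new `traefik-internal` Service later in this commit (`@ -0,0 +1,22 @@`, also `loadBalancerIP: 10.10.0.16`) requests, and both claim ports 80 and 443. Unless the cluster's load-balancer controller supports sharing one address between Services on disjoint ports, whichever Service is reconciled second will stay without an external IP, so one of the two addresses should change, or one of the two Services should go. `loadBalancerIP` is also deprecated since Kubernetes 1.24 in favour of implementation-specific annotations; a comment naming the LB controller that is expected to honour it would make the intent reviewable.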


@ -0,0 +1,14 @@
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
name: nginx-internal
namespace: nginx-ingress
labels:
app.kubernetes.io/name: nginx-internal-ingress
spec:
selector:
matchLabels:
app.kubernetes.io/name: nginx-internal-ingress
endpoints:
- port: prometheus
path: /metrics

7
nginx/kustomization.yaml Normal file

@ -0,0 +1,7 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- namespace.yaml
- internal
- external

7
nginx/namespace.yaml Normal file

@ -0,0 +1,7 @@
apiVersion: v1
kind: Namespace
metadata:
labels:
app.kubernetes.io/instance: nginx-ingress
app.kubernetes.io/name: nginx-ingress
name: nginx-ingress
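Review bot: The namespace carries no Pod Security Admission labels, although the `nginx-internal-ingress-controller` pod spec in this commit already satisfies the `restricted` profile (`runAsNonRoot: true`, `allowPrivilegeEscalation: false`, `drop: [ALL]` with only `NET_BIND_SERVICE` added, `seccompProfile: RuntimeDefault`). If the cluster has PSA enabled, adding `pod-security.kubernetes.io/enforce: restricted` (with matching `warn`/`audit` labels) turns that hardening into a namespace invariant instead of something each manifest opts into. The external controller's pod spec is not in this chunk, so confirm it meets the same profile before enforcing.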


@ -1,14 +0,0 @@
apiVersion: v1
kind: Service
metadata:
name: nginx-svc
labels:
app: nginx
spec:
type: ClusterIP
ports:
- name: http
port: 80
selector:
app: nginx

230
traefik/flannel.yaml Normal file

@ -0,0 +1,230 @@
---
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: psp.flannel.unprivileged
annotations:
seccomp.security.alpha.kubernetes.io/allowedProfileNames: docker/default
seccomp.security.alpha.kubernetes.io/defaultProfileName: docker/default
apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default
apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default
spec:
privileged: false
volumes:
- configMap
- secret
- emptyDir
- hostPath
allowedHostPaths:
- pathPrefix: "/etc/cni/net.d"
- pathPrefix: "/etc/kube-flannel"
- pathPrefix: "/run/flannel"
readOnlyRootFilesystem: false
# Users and groups
runAsUser:
rule: RunAsAny
supplementalGroups:
rule: RunAsAny
fsGroup:
rule: RunAsAny
# Privilege Escalation
allowPrivilegeEscalation: false
defaultAllowPrivilegeEscalation: false
# Capabilities
allowedCapabilities: ['NET_ADMIN']
defaultAddCapabilities: []
requiredDropCapabilities: []
# Host namespaces
hostPID: false
hostIPC: false
hostNetwork: true
hostPorts:
- min: 0
max: 65535
# SELinux
seLinux:
# SELinux is unused in CaaSP
rule: 'RunAsAny'
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: flannel
rules:
- apiGroups: ['extensions']
resources: ['podsecuritypolicies']
verbs: ['use']
resourceNames: ['psp.flannel.unprivileged']
- apiGroups:
- ""
resources:
- pods
verbs:
- get
- apiGroups:
- ""
resources:
- nodes
verbs:
- list
- watch
- apiGroups:
- ""
resources:
- nodes/status
verbs:
- patch
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: flannel
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: flannel
subjects:
- kind: ServiceAccount
name: flannel
namespace: kube-system
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: flannel
namespace: kube-system
---
kind: ConfigMap
apiVersion: v1
metadata:
name: kube-flannel-cfg
namespace: kube-system
labels:
tier: node
app: flannel
data:
cni-conf.json: |
{
"name": "cbr0",
"cniVersion": "0.3.1",
"plugins": [
{
"type": "flannel",
"delegate": {
"hairpinMode": true,
"isDefaultGateway": true
}
},
{
"type": "portmap",
"capabilities": {
"portMappings": true
}
}
]
}
net-conf.json: |
{
"Network": "${flannel_cidr}",
"Backend": {
"Type": "vxlan"
}
}
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: kube-flannel-ds-amd64
namespace: kube-system
labels:
tier: node
app: flannel
spec:
selector:
matchLabels:
app: flannel
template:
metadata:
labels:
tier: node
app: flannel
spec:
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: kubernetes.io/os
operator: In
values:
- linux
- key: kubernetes.io/arch
operator: In
values:
- amd64
hostNetwork: true
tolerations:
- operator: Exists
effect: NoSchedule
serviceAccountName: flannel
initContainers:
- name: install-cni
image: quay.io/coreos/flannel:v0.12.0-amd64
command:
- cp
args:
- -f
- /etc/kube-flannel/cni-conf.json
- /etc/cni/net.d/10-flannel.conflist
volumeMounts:
- name: cni
mountPath: /etc/cni/net.d
- name: flannel-cfg
mountPath: /etc/kube-flannel/
containers:
- name: kube-flannel
image: quay.io/coreos/flannel:v0.12.0-amd64
command:
- /opt/bin/flanneld
args:
- --ip-masq=false
- --kube-subnet-mgr
- --iface=${interface}
resources:
requests:
cpu: "50m"
memory: "50Mi"
limits:
cpu: "50m"
memory: "50Mi"
securityContext:
privileged: false
capabilities:
add: ["NET_ADMIN"]
env:
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
volumeMounts:
- name: run
mountPath: /run/flannel
- name: flannel-cfg
mountPath: /etc/kube-flannel/
volumes:
- name: run
hostPath:
path: /run/flannel
- name: cni
hostPath:
path: /etc/cni/net.d
- name: flannel-cfg
configMap:
name: kube-flannel-cfg
---
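Review bot: `net-conf.json` is committed with the literal placeholder `"Network": "${flannel_cidr}"`, and the flanneld args carry `--iface=${interface}`; kustomize does not expand shell-style variables, so if this file is ever applied as-is flanneld starts with a bogus network and interface. Either substitute the real values before committing or use a kustomize replacement so the placeholders cannot reach the cluster. The file also uses `policy/v1beta1 PodSecurityPolicy` (removed in Kubernetes 1.25) and `rbac.authorization.k8s.io/v1beta1` (removed in 1.22), and the ClusterRole grants `use` on the PSP under the `extensions` group, so on a current cluster the first three documents are rejected outright. If this manifest is only kept for reference, a header comment saying so, and why it lives under `traefik/`, would save the next reader a detour.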


@ -1,5 +1,3 @@
---
# Source: traefik/templates/rbac/clusterrole.yaml
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
@ -12,12 +10,19 @@ rules:
- ""
resources:
- services
- endpoints
- secrets
- nodes
verbs:
- get
- list
- watch
- apiGroups:
- discovery.k8s.io
resources:
- endpointslices
verbs:
- list
- watch
- apiGroups:
- extensions
- networking.k8s.io
@ -36,17 +41,18 @@ rules:
verbs:
- update
- apiGroups:
- traefik.containo.us
- traefik.io
resources:
- ingressroutes
- ingressroutetcps
- ingressrouteudps
- middlewares
- middlewaretcps
- ingressroutes
- traefikservices
- ingressroutetcps
- ingressrouteudps
- tlsoptions
- tlsstores
- traefikservices
- serverstransports
- serverstransporttcps
verbs:
- get
- list
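Review bot: The new side of the second hunk still grants `get`/`list`/`watch` on `secrets` through a ClusterRole, i.e. read access to every Secret in the cluster for the traefik ServiceAccount, while the provider normally needs only the TLS Secrets referenced by its routes. Whether `secrets` is a changed or a context line cannot be read from this rendering, but since the role is being reworked anyway this is the place to narrow it: if routes live in a known set of namespaces, a Role/RoleBinding per namespace for `secrets` (paired with `--providers.kubernetescrd.namespaces=` / `--providers.kubernetesingress.namespaces=` on the deployments) keeps the blast radius of a compromised proxy to those namespaces. A short comment above the rule stating why cluster-wide Secret read is required would help the next audit. The rule list continues outside the hunk.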


@ -14,5 +14,3 @@ roleRef:
subjects:
- kind: ServiceAccount
name: traefik
namespace: default
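Review bot: Dropping `namespace: default` from the ServiceAccount subject leaves the subject without a namespace, which the RBAC API rejects for `kind: ServiceAccount` (`subjects[0].namespace: Required value`) unless the kustomization's namespace transformer injects it before apply. Kustomize only rewrites subject namespaces in (Cluster)RoleBindings under specific conditions, so confirm with a `kubectl kustomize` render; if the field is not injected, set it explicitly to the namespace the `traefik` ServiceAccount now lives in (the ServiceMonitors in this commit gained `namespace: traefik`, so presumably that one). The hunk header reports two removed lines but only one is visible in this rendering, and the binding's `roleRef` is outside the hunk.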


@ -5,5 +5,3 @@ metadata:
labels:
app.kubernetes.io/name: traefik
app.kubernetes.io/instance: traefik
annotations:


@ -1,5 +1,4 @@
---
# Source: traefik/templates/deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
@ -7,9 +6,8 @@ metadata:
labels:
app.kubernetes.io/name: traefik
app.kubernetes.io/instance: traefik
annotations:
spec:
replicas: 1
replicas: 2
selector:
matchLabels:
app.kubernetes.io/name: traefik
@ -30,11 +28,18 @@ spec:
app.kubernetes.io/name: traefik
app.kubernetes.io/instance: traefik
spec:
topologySpreadConstraints:
- maxSkew: 1
topologyKey: kubernetes.io/hostname
whenUnsatisfiable: DoNotSchedule
labelSelector:
matchLabels:
app.kubernetes.io/name: traefik
serviceAccountName: traefik
terminationGracePeriodSeconds: 60
hostNetwork: false
hostNetwork: true
containers:
- image: "traefik:2.8.4"
- image: "traefik:3.2.1"
imagePullPolicy: IfNotPresent
name: traefik
resources:
@ -89,13 +94,20 @@ spec:
- name: tmp
mountPath: /tmp
args:
- "--global.checknewversion"
- "--entrypoints.admin.address=:8080/tcp"
- "--entrypoints.metrics.address=:9100/tcp"
- "--entrypoints.minecrafttcp.address=:25565/tcp"
- "--entrypoints.traefik.address=:9000/tcp"
- "--entrypoints.web.address=:8000/tcp"
- "--entrypoints.websecure.address=:8443/tcp"
#- "--entryPoints.web.proxyProtocol.insecure=true"
#- "--entryPoints.web.forwardedHeaders.insecure=true"
- "--entryPoints.web.proxyProtocol.trustedIPs=10.20.0.0/24,51.15.80.73/32,192.168.113.0/24"
- "--entryPoints.web.forwardedHeaders.trustedIPs=10.20.0.0/24,51.15.80.73/32,192.168.113.0/24"
#- "--entryPoints.websecure.proxyProtocol.insecure=true"
#- "--entryPoints.websecure.forwardedHeaders.insecure=true"
- "--entryPoints.websecure.proxyProtocol.trustedIPs=10.20.0.0/24,51.15.80.73/32,192.168.113.0/24"
- "--entryPoints.websecure.forwardedHeaders.trustedIPs=10.20.0.0/24,51.15.80.73/32,192.168.113.0/24"
- "--api.dashboard=true"
- "--ping=true"
- "--metrics.prometheus=true"
@ -108,8 +120,7 @@ spec:
- "--accesslog=true"
- "--entrypoints.websecure.http.tls=true"
- "--entrypoints.websecure.http.tls.certresolver=letsencrypt"
- "--entrypoints.websecure.http.tls.domains[0].main=beta.halia.dev"
- "--entrypoints.websecure.http.tls.domains[0].sans=*.beta.halia.dev"
- "--entrypoints.websecure.http.tls.domains[0].sans=*.halis.io"
- "--certificatesresolvers.letsencrypt.acme.tlschallenge=true"
- "--certificatesresolvers.letsencrypt.acme.dnschallenge=true"
- "--certificatesresolvers.letsencrypt.acme.dnschallenge.provider=ovh"
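Review bot: `hostNetwork: true` (replacing `hostNetwork: false`) puts every Traefik entrypoint directly on the node's interfaces, so `admin :8080`, `traefik :9000` and `metrics :9100` become reachable from the node network without passing through a Service, whereas before only what a Service published was reachable. If the node firewall does not already cover this, bind the entrypoints not meant for external clients to loopback, e.g. `--entrypoints.admin.address=127.0.0.1:8080/tcp` (metrics has to stay on the node IP if the `traefik-external-metrics` Service is to scrape it). With host networking the pod resolves names through the node's resolv.conf unless `dnsPolicy: ClusterFirstWithHostNet` is set, which matters if anything here resolves cluster-internal names; the pod spec continues outside the hunk, so confirm it. The four commented-out `*.insecure=true` lines next to the new `trustedIPs` arguments are dead config and should be deleted rather than left as a toggle, and `domains[0]` now has a `sans` entry but no `main`, which is worth checking against Traefik's ACME domain handling.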


@ -5,4 +5,5 @@ resources:
- pvc.yaml
- deployment.yaml
- service.yaml
- servicemonitor.yaml
- loadbalancer.yaml
#- servicemonitor.yaml


@ -0,0 +1,28 @@
apiVersion: v1
kind: Service
metadata:
name: traefik-external
labels:
app.kubernetes.io/name: traefik-external
app.kubernetes.io/instance: traefik-external
spec:
type: LoadBalancer
loadBalancerIP: 51.15.80.73
loadBalancerSourceRanges:
- 0.0.0.0/0
selector:
app.kubernetes.io/name: traefik
app.kubernetes.io/instance: traefik
ports:
- port: 25565
name: minecrafttcp
targetPort: "minecrafttcp"
protocol: TCP
- port: 80
name: web
targetPort: "web"
protocol: TCP
- port: 443
name: websecure
targetPort: "websecure"
protocol: TCP
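Review bot: `loadBalancerSourceRanges: [0.0.0.0/0]` is equivalent to omitting the field, so it documents nothing unless it is meant as an explicit "public on purpose" marker — if so, say that in a comment, otherwise drop it. Port 25565 (`minecrafttcp`) is published on the public address with the same unrestricted range as HTTP/HTTPS; if that game traffic has a known client population, a separate Service with its own narrower `loadBalancerSourceRanges` limits exposure without touching web traffic.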


@ -1,18 +1,15 @@
---
# Source: traefik/templates/pvc.yaml
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: traefik
annotations:
helm.sh/resource-policy: keep
labels:
app.kubernetes.io/name: traefik
app.kubernetes.io/instance: traefik
spec:
accessModes:
- "ReadWriteOnce"
- "ReadWriteMany"
resources:
requests:
storage: "128Mi"
storageClassName: "local-path"
storageClassName: "redundant-storage-class"
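Review bot: The claim switches to `ReadWriteMany` while the matching Deployment in this commit goes to `replicas: 2`, so two Traefik instances share one ACME store; the open-source ACME resolver is documented as not supporting concurrent writers to the same `acme.json`, and the two replicas can race on issuance and overwrite each other's store. Either keep a single replica for the instance that owns the resolver, or move certificate management out of Traefik (e.g. cert-manager issuing Secrets that the routes reference). Independently, `accessModes` and `storageClassName` are immutable on an existing PersistentVolumeClaim, so this change cannot be applied in place: the old PVC has to be deleted (losing the current ACME state unless migrated) before the new spec is accepted. The `traefik-inter` PVC later in this commit has the same two issues.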


@ -2,7 +2,6 @@ apiVersion: v1
kind: Service
metadata:
name: traefik-dashboard-svc
namespace: default
spec:
ports:
- name: admin


@ -1,32 +1,16 @@
---
# Source: traefik/templates/service.yaml
apiVersion: v1
kind: Service
metadata:
name: traefik-external
name: traefik-external-metrics
labels:
app.kubernetes.io/name: traefik-external
app.kubernetes.io/instance: traefik-external
annotations:
spec:
type: LoadBalancer
loadBalancerIP: 51.15.80.73
selector:
app.kubernetes.io/name: traefik
app.kubernetes.io/instance: traefik
ports:
- port: 25565
name: minecrafttcp
targetPort: "minecrafttcp"
protocol: TCP
- port: 80 # Change port here to accomodate for internal only services
name: web
targetPort: "web"
protocol: TCP
- port: 443
name: websecure
targetPort: "websecure"
protocol: TCP
- port: 9100
name: metrics
targetPort: "metrics"


@ -2,8 +2,7 @@ apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
name: traefik-external
labels:
team: core
namespace: traefik
spec:
selector:
matchLabels:
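Review bot: The ServiceMonitor appears to lose its only label (`team: core`) and is left with no labels at all; Prometheus Operator only picks up ServiceMonitors matched by the Prometheus object's `serviceMonitorSelector`, which in most installations is a label match, so an unlabeled ServiceMonitor may silently stop being scraped. Confirm which selector the cluster's Prometheus uses and add the matching label (the nginx ServiceMonitor in this commit carries `app.kubernetes.io/name`, for instance), or note in a comment that the selector is empty. The `traefik-inter` ServiceMonitor later in this commit has the same change; the selector block continues outside the hunk.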


@ -0,0 +1,7 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: general-purpose-dev-config
data:
lb-ip: 10.10.0.32


@ -1,5 +1,4 @@
---
# Source: traefik/templates/deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
@ -7,9 +6,8 @@ metadata:
labels:
app.kubernetes.io/name: traefik-inter
app.kubernetes.io/instance: traefik-inter
annotations:
spec:
replicas: 1
replicas: 2
selector:
matchLabels:
app.kubernetes.io/name: traefik-inter
@ -30,11 +28,18 @@ spec:
app.kubernetes.io/name: traefik-inter
app.kubernetes.io/instance: traefik-inter
spec:
topologySpreadConstraints:
- maxSkew: 1
topologyKey: kubernetes.io/hostname
whenUnsatisfiable: DoNotSchedule
labelSelector:
matchLabels:
app.kubernetes.io/name: traefik-inter
serviceAccountName: traefik
terminationGracePeriodSeconds: 60
hostNetwork: false
containers:
- image: "traefik:2.8.4"
- image: "traefik:3.2.1"
imagePullPolicy: IfNotPresent
name: traefik-inter
resources:
@ -92,6 +97,10 @@ spec:
- "--entrypoints.traefik.address=:9000/tcp"
- "--entrypoints.web.address=:8000/tcp"
- "--entrypoints.websecure.address=:8443/tcp"
- "--entryPoints.web.proxyProtocol.insecure"
- "--entryPoints.web.forwardedHeaders.insecure"
- "--entryPoints.websecure.proxyProtocol.insecure"
- "--entryPoints.websecure.forwardedHeaders.insecure"
- "--api.dashboard=true"
- "--api.insecure=true"
- "--ping=true"
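Review bot: The four new `--entryPoints.web.*.insecure` / `--entryPoints.websecure.*.insecure` flags make Traefik accept PROXY protocol headers and `X-Forwarded-*` headers from any client on the internal entrypoints, so any host that can reach the `traefik-internal` address can present an arbitrary source IP and scheme to routers, access logs and any IP-allowlist middleware behind them. The external deployment in this commit already uses the safer form with an explicit list, so mirror it here, e.g. `--entryPoints.web.forwardedHeaders.trustedIPs=<LB/proxy CIDRs>` and the same for `proxyProtocol` and `websecure`, and drop the `.insecure` variants. `--api.insecure=true` (a context line here) also serves the dashboard/API on the `traefik` entrypoint without authentication; with `hostNetwork: false` that is only the pod network, but a comment stating that this is intended would help. The args list continues outside the hunk.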


@ -5,4 +5,5 @@ resources:
- pvc.yaml
- deployment.yaml
- service.yaml
- servicemonitor.yaml
- loadbalancer.yaml
#- servicemonitor.yaml


@ -0,0 +1,22 @@
apiVersion: v1
kind: Service
metadata:
name: traefik-internal
labels:
app.kubernetes.io/name: traefik-inter
app.kubernetes.io/instance: traefik-inter
spec:
type: LoadBalancer
loadBalancerIP: 10.10.0.16
selector:
app.kubernetes.io/name: traefik-inter
app.kubernetes.io/instance: traefik-inter
ports:
- port: 80
name: web
targetPort: "web"
protocol: TCP
- port: 443
name: websecure
targetPort: "websecure"
protocol: TCP


@ -1,18 +1,15 @@
---
# Source: traefik/templates/pvc.yaml
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: traefik-inter
annotations:
helm.sh/resource-policy: keep
labels:
app.kubernetes.io/name: traefik-inter
app.kubernetes.io/instance: traefik-inter
spec:
accessModes:
- "ReadWriteOnce"
- "ReadWriteMany"
resources:
requests:
storage: "128Mi"
storageClassName: "local-path"
storageClassName: "redundant-storage-class"


@ -1,26 +1,15 @@
apiVersion: v1
kind: Service
metadata:
name: traefik-internal
namespace: default
name: traefik-internal-metrics
labels:
app.kubernetes.io/name: traefik-inter
app.kubernetes.io/instance: traefik-inter
spec:
type: LoadBalancer
loadBalancerIP: 192.168.56.101
selector:
app.kubernetes.io/name: traefik-inter
app.kubernetes.io/instance: traefik-inter
ports:
- port: 80
name: web
targetPort: "web"
protocol: TCP
- port: 443
name: websecure
targetPort: "websecure"
protocol: TCP
- port: 9100
name: metrics
targetPort: "metrics"


@ -2,12 +2,12 @@ apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
name: traefik-inter
labels:
team: core
namespace: traefik
spec:
selector:
matchLabels:
app.kubernetes.io/name: traefik-inter
app.kubernetes.io/instance: traefik-inter
endpoints:
- port: metrics
path: /metrics