helmify

2020-10-14 15:15:48 -04:00
parent f6679ea207
commit 6fb4ac3fca
21 changed files with 270 additions and 349 deletions
--- a/helm/.helmignore
+++ b/helm/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
--- a/helm/Chart.yaml
+++ b/helm/Chart.yaml
@@ -0,0 +1,23 @@
+apiVersion: v2
+name: internal
+description: A Helm chart for Kubernetes
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 0.1.0
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+appVersion: 1.16.0
--- a/helm/templates/deploy.yaml
+++ b/helm/templates/deploy.yaml
@@ -0,0 +1,84 @@
+kind: Deployment
+apiVersion: apps/v1
+metadata:
+  name: {{ .Release.Name }}
+  labels:
+    app: {{ .Release.Name }}
+  namespace: kube-system
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: {{ .Release.Name }}
+  template:
+    metadata:
+      labels:
+        app: {{ .Release.Name }}
+    spec:
+      serviceAccountName: {{ .Release.Name }}
+      containers:
+        - name: traefik
+          image: {{ .Values.image }}
+          args:
+            - --providers.kubernetescrd.ingressclass={{ .Values.config.ingressclass }}
+            - --log.level=ERROR
+            - --accesslog=true
+            - --api
+            - --api.insecure
+            - --entrypoints.web.address=:{{ .Values.config.http_port }}
+            - --entrypoints.websecure.address=:{{ .Values.config.https_port }}
+            - --entrypoints.websecure.http.tls=true
+            - --providers.kubernetescrd
+{{ if .Values.enable.statsd }}
+            - --metrics.statsd=true
+            - --metrics.statsd.address={{ .Values.config.statsd_endpoint }}
+            - --metrics.statsd.addEntryPointsLabels=true
+            - --metrics.statsd.addServicesLabels=true
+            - --metrics.statsd.prefix={{ .Release.Name }}
+{{ end }}
+{{ if .Values.enable.dnschallenge }}
+            - --certificatesresolvers.myresolver.acme.dnschallenge=true
+            - --certificatesresolvers.myresolver.acme.dnschallenge.provider={{ .Values.config.dnschallenge_provider }}
+            - --certificatesresolvers.myresolver.acme.email={{ .Values.config.acme_email }}
+            - --certificatesresolvers.myresolver.acme.storage=/acme/acme.json
+            - --certificatesresolvers.myresolver.acme.dnschallenge.resolvers=1.1.1.1
+{{ end }}
+{{ if .Values.enable.tlschallenge }}
+            - --certificatesresolvers.myresolver.acme.tlschallenge
+            - --certificatesresolvers.myresolver.acme.email={{ .Values.config.acme_email }}
+            - --certificatesresolvers.myresolver.acme.storage=/acme/acme.json
+{{ end }}
+{{ if .Values.enable.tracing }}
+            - --tracing=true
+            - --tracing.serviceName={{ .Release.Name }}
+            - --tracing.spanNameLimit=0
+            - --tracing.zipkin=true
+            - --tracing.zipkin.httpEndpoint={{ .Values.config.tracing_endpoint}}
+            - --tracing.zipkin.sampleRate=1.0
+{{ end }}
+          volumeMounts:
+          - mountPath: /acme
+            name: acme-certs
+          ports:
+            - name: web
+              containerPort: {{ .Values.config.http_port }}
+            - name: websecure
+              containerPort: {{ .Values.config.https_port }}
+            - name: admin
+              containerPort: {{ .Values.config.admin_port }}
+          envFrom:
+{{ if .Values.enable.dnschallenge }}
+            - secretRef:
+                name: {{ .Values.config.dnschallenge_provider_secret }}
+{{ end }}
+          resources:
+            requests:
+              memory: 128Mi
+              cpu: 250m
+            limits:
+              memory: 1Gi
+              cpu: "1"
+      volumes:
+        - name: acme-certs
+          persistentVolumeClaim:
+              claimName: {{ .Release.Name }}
--- a/helm/templates/ingress.yaml
+++ b/helm/templates/ingress.yaml
@@ -0,0 +1,43 @@
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+  name: {{ .Release.Name }}-tls
+  namespace: kube-system
+  annotations:
+    kubernetes.io/ingress.class: {{ .Values.config.ingressclass }}
+spec:
+  entryPoints:
+    - websecure
+  tls:
+    certResolver: myresolver
+    domains:
+    - main: "*.ducoterra.net"
+  routes:
+  - match: Host(`{{ .Release.Name }}.ducoterra.net`)
+    kind: Rule
+    services:
+    - name: {{ .Release.Name }}-admin
+      port: 8080
+    middlewares:
+      - name: basic-auth
+
+---
+
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+  name: {{ .Release.Name }}-web
+  namespace: kube-system
+  annotations:
+    kubernetes.io/ingress.class: {{ .Values.config.ingressclass }}
+spec:
+  entryPoints:
+    - web
+  routes:
+  - match: Host(`{{ .Release.Name }}.ducoterra.net`)
+    kind: Rule
+    services:
+    - name: {{ .Release.Name }}-admin
+      port: 8080
+    middlewares:
+      - name: httpsredirect
--- a/helm/templates/middleware.yaml
+++ b/helm/templates/middleware.yaml
@@ -0,0 +1,35 @@
+{{ if .Values.middleware.basicauth }}
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: basic-auth
+  namespace: kube-system
+spec:
+  basicAuth:
+    secret: authsecret
+    removeHeader: true
+{{ end }}
+---
+{{ if .Values.middleware.redirectscheme }}
+# Redirect to https
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: httpsredirect
+  namespace: kube-system
+spec:
+  redirectScheme:
+    scheme: https
+    permanent: true
+{{ end }}
+---
+{{ if .Values.middleware.stricttransport }}
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: stricttransport
+  namespace: kube-system
+spec:
+  headers:
+    stsSeconds: 15552000
+{{ end }}
--- a/helm/templates/pvc.yaml
+++ b/helm/templates/pvc.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: {{ .Release.Name }}
+  labels:
+    app: {{ .Release.Name }}
+  namespace: kube-system
+spec:
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 1Gi
--- a/helm/templates/rbac.yaml
+++ b/helm/templates/rbac.yaml
@@ -0,0 +1,64 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ .Release.Name }}
+  namespace: kube-system
+---
+
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+  name: {{ .Release.Name }}
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - services
+      - endpoints
+      - secrets
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - extensions
+    resources:
+      - ingresses
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - extensions
+    resources:
+      - ingresses/status
+    verbs:
+      - update
+  - apiGroups:
+      - traefik.containo.us
+    resources:
+      - middlewares
+      - ingressroutes
+      - traefikservices
+      - ingressroutetcps
+      - ingressrouteudps
+      - tlsoptions
+      - tlsstores
+    verbs:
+      - get
+      - list
+      - watch
+
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+  name: {{ .Release.Name }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ .Release.Name }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ .Release.Name }}
+    namespace: kube-system
--- a/helm/templates/resourcedefinition.yaml
+++ b/helm/templates/resourcedefinition.yaml
@@ -0,0 +1,106 @@
+{{ if .Values.install.resourcedefinition }}
+# All resources definition must be declared
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  name: ingressroutes.traefik.containo.us
+  namespace: kube-system
+spec:
+  group: traefik.containo.us
+  version: v1alpha1
+  names:
+    kind: IngressRoute
+    plural: ingressroutes
+    singular: ingressroute
+  scope: Namespaced
+
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  name: middlewares.traefik.containo.us
+  namespace: kube-system
+spec:
+  group: traefik.containo.us
+  version: v1alpha1
+  names:
+    kind: Middleware
+    plural: middlewares
+    singular: middleware
+  scope: Namespaced
+
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  name: ingressroutetcps.traefik.containo.us
+  namespace: kube-system
+spec:
+  group: traefik.containo.us
+  version: v1alpha1
+  names:
+    kind: IngressRouteTCP
+    plural: ingressroutetcps
+    singular: ingressroutetcp
+  scope: Namespaced
+
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  name: ingressrouteudps.traefik.containo.us
+  namespace: kube-system
+spec:
+  group: traefik.containo.us
+  version: v1alpha1
+  names:
+    kind: IngressRouteUDP
+    plural: ingressrouteudps
+    singular: ingressrouteudp
+  scope: Namespaced
+
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  name: tlsoptions.traefik.containo.us
+  namespace: kube-system
+spec:
+  group: traefik.containo.us
+  version: v1alpha1
+  names:
+    kind: TLSOption
+    plural: tlsoptions
+    singular: tlsoption
+  scope: Namespaced
+
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  name: tlsstores.traefik.containo.us
+  namespace: kube-system
+spec:
+  group: traefik.containo.us
+  version: v1alpha1
+  names:
+    kind: TLSStore
+    plural: tlsstores
+    singular: tlsstore
+  scope: Namespaced
+
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  name: traefikservices.traefik.containo.us
+  namespace: kube-system
+spec:
+  group: traefik.containo.us
+  version: v1alpha1
+  names:
+    kind: TraefikService
+    plural: traefikservices
+    singular: traefikservice
+  scope: Namespaced
+{{ end }}
--- a/helm/templates/service.yaml
+++ b/helm/templates/service.yaml
@@ -0,0 +1,32 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ .Release.Name }}
+  namespace: kube-system
+spec:
+  type: LoadBalancer
+  selector:
+    app: {{ .Release.Name }}
+  ports:
+    - protocol: TCP
+      port: {{ .Values.config.http_port }}
+      name: web
+      targetPort: {{ .Values.config.http_port }}
+    - protocol: TCP
+      port: {{ .Values.config.https_port }}
+      name: websecure
+      targetPort: {{ .Values.config.https_port }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ .Release.Name }}-admin
+  namespace: kube-system
+spec:
+  selector:
+    app: {{ .Release.Name }}
+  ports:
+    - protocol: TCP
+      port: {{ .Values.config.admin_port }}
+      name: admin
+      targetPort: {{ .Values.config.admin_port }}