This commit is contained in:
ducoterra
2020-10-14 15:15:48 -04:00
parent f6679ea207
commit 6fb4ac3fca
21 changed files with 270 additions and 349 deletions

59
external/deploy.yaml vendored

@@ -1,59 +0,0 @@
kind: Deployment
apiVersion: apps/v1
metadata:
name: traefik-external-controller
labels:
app: traefik-external-controller
namespace: kube-system
spec:
replicas: 1
selector:
matchLabels:
app: traefik-external-controller
template:
metadata:
labels:
app: traefik-external-controller
spec:
serviceAccountName: traefik-external-controller
containers:
- name: traefik
image: traefik:v2.2
args:
- --providers.kubernetescrd.ingressclass=traefik-external
- --log.level=ERROR
- --accesslog=true
- --api
- --api.insecure
- --entrypoints.web.address=:9080
- --entrypoints.websecure.address=:9443
- --entrypoints.websecure.http.tls=true
- --providers.kubernetescrd
- --metrics.statsd=true
- --metrics.statsd.address=graphite.ducoterra.net:8125
- --metrics.statsd.addEntryPointsLabels=true
- --metrics.statsd.addServicesLabels=true
- --metrics.statsd.prefix="traefik-external"
- --certificatesresolvers.myresolver.acme.tlschallenge
- --certificatesresolvers.myresolver.acme.email=ducoterra@icloud.com
- --certificatesresolvers.myresolver.acme.storage=/acme/acme.json
- --tracing=true
- --tracing.serviceName=traefik-external-controller
- --tracing.spanNameLimit=0
- --tracing.zipkin=true
- --tracing.zipkin.httpEndpoint=http://zipkin:9411/api/v2/spans
- --tracing.zipkin.sampleRate=1.0
volumeMounts:
- mountPath: /acme
name: traefik-external-acme
ports:
- name: web
containerPort: 9080
- name: websecure
containerPort: 9443
- name: admin
containerPort: 8080
volumes:
- name: traefik-external-acme
persistentVolumeClaim:
claimName: traefik-external-acme

14
external/pvc/pvc.yaml vendored

@@ -1,14 +0,0 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: traefik-external-acme
labels:
app: traefik-external-controller
namespace: kube-system
spec:
storageClassName: nvme
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 1Gi

64
external/rbac.yaml vendored

@@ -1,64 +0,0 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: traefik-external-controller
namespace: kube-system
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: traefik-external-controller
rules:
- apiGroups:
- ""
resources:
- services
- endpoints
- secrets
verbs:
- get
- list
- watch
- apiGroups:
- extensions
resources:
- ingresses
verbs:
- get
- list
- watch
- apiGroups:
- extensions
resources:
- ingresses/status
verbs:
- update
- apiGroups:
- traefik.containo.us
resources:
- middlewares
- ingressroutes
- traefikservices
- ingressroutetcps
- ingressrouteudps
- tlsoptions
- tlsstores
verbs:
- get
- list
- watch
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: traefik-external-controller
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: traefik-external-controller
subjects:
- kind: ServiceAccount
name: traefik-external-controller
namespace: kube-system

32
external/service.yaml vendored

@@ -1,32 +0,0 @@
apiVersion: v1
kind: Service
metadata:
name: traefik-external-controller
namespace: kube-system
spec:
type: LoadBalancer
selector:
app: traefik-external-controller
ports:
- protocol: TCP
port: 9080
name: web
targetPort: 9080
- protocol: TCP
port: 9443
name: websecure
targetPort: 9443
---
apiVersion: v1
kind: Service
metadata:
name: traefik-external-admin
namespace: kube-system
spec:
selector:
app: traefik-external-controller
ports:
- protocol: TCP
port: 8080
name: admin
targetPort: 8080

23
helm/.helmignore Normal file

@@ -0,0 +1,23 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*.orig
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/

23
helm/Chart.yaml Normal file

@@ -0,0 +1,23 @@
apiVersion: v2
name: internal
description: A Helm chart for Kubernetes
# A chart can be either an 'application' or a 'library' chart.
#
# Application charts are a collection of templates that can be packaged into versioned archives
# to be deployed.
#
# Library charts provide useful utilities or functions for the chart developer. They're included as
# a dependency of application charts to inject those utilities and functions into the rendering
# pipeline. Library charts do not define any templates and therefore cannot be deployed.
type: application
# This is the chart version. This version number should be incremented each time you make changes
# to the chart and its templates, including the app version.
# Versions are expected to follow Semantic Versioning (https://semver.org/)
version: 0.1.0
# This is the version number of the application being deployed. This version number should be
# incremented each time you make changes to the application. Versions are not expected to
# follow Semantic Versioning. They should reflect the version the application is using.
appVersion: 1.16.0
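Review bot: `name: internal`, `description: A Helm chart for Kubernetes` and `appVersion: 1.16.0` are the untouched `helm create` defaults, yet the same chart is driven by both values-internal.yaml and values-external.yaml and ships `image: traefik:v2.2`. Give the chart a release-neutral name and a real description, and set `appVersion: "2.2"` (quoted — an unquoted `2.2` is parsed as a float, and `appVersion` must be a string for Helm).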


@@ -0,0 +1,84 @@
kind: Deployment
apiVersion: apps/v1
metadata:
name: {{ .Release.Name }}
labels:
app: {{ .Release.Name }}
namespace: kube-system
spec:
replicas: 1
selector:
matchLabels:
app: {{ .Release.Name }}
template:
metadata:
labels:
app: {{ .Release.Name }}
spec:
serviceAccountName: {{ .Release.Name }}
containers:
- name: traefik
image: {{ .Values.image }}
args:
- --providers.kubernetescrd.ingressclass={{ .Values.config.ingressclass }}
- --log.level=ERROR
- --accesslog=true
- --api
- --api.insecure
- --entrypoints.web.address=:{{ .Values.config.http_port }}
- --entrypoints.websecure.address=:{{ .Values.config.https_port }}
- --entrypoints.websecure.http.tls=true
- --providers.kubernetescrd
{{ if .Values.enable.statsd }}
- --metrics.statsd=true
- --metrics.statsd.address={{ .Values.config.statsd_endpoint }}
- --metrics.statsd.addEntryPointsLabels=true
- --metrics.statsd.addServicesLabels=true
- --metrics.statsd.prefix={{ .Release.Name }}
{{ end }}
{{ if .Values.enable.dnschallenge }}
- --certificatesresolvers.myresolver.acme.dnschallenge=true
- --certificatesresolvers.myresolver.acme.dnschallenge.provider={{ .Values.config.dnschallenge_provider }}
- --certificatesresolvers.myresolver.acme.email={{ .Values.config.acme_email }}
- --certificatesresolvers.myresolver.acme.storage=/acme/acme.json
- --certificatesresolvers.myresolver.acme.dnschallenge.resolvers=1.1.1.1
{{ end }}
{{ if .Values.enable.tlschallenge }}
- --certificatesresolvers.myresolver.acme.tlschallenge
- --certificatesresolvers.myresolver.acme.email={{ .Values.config.acme_email }}
- --certificatesresolvers.myresolver.acme.storage=/acme/acme.json
{{ end }}
{{ if .Values.enable.tracing }}
- --tracing=true
- --tracing.serviceName={{ .Release.Name }}
- --tracing.spanNameLimit=0
- --tracing.zipkin=true
- --tracing.zipkin.httpEndpoint={{ .Values.config.tracing_endpoint}}
- --tracing.zipkin.sampleRate=1.0
{{ end }}
volumeMounts:
- mountPath: /acme
name: acme-certs
ports:
- name: web
containerPort: {{ .Values.config.http_port }}
- name: websecure
containerPort: {{ .Values.config.https_port }}
- name: admin
containerPort: {{ .Values.config.admin_port }}
envFrom:
{{ if .Values.enable.dnschallenge }}
- secretRef:
name: {{ .Values.config.dnschallenge_provider_secret }}
{{ end }}
resources:
requests:
memory: 128Mi
cpu: 250m
limits:
memory: 1Gi
cpu: "1"
volumes:
- name: acme-certs
persistentVolumeClaim:
claimName: {{ .Release.Name }}
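Review bot: `- --api.insecure` keeps the dashboard and API served without authentication on the admin container port, and the only thing that can put auth in front of it is now a middleware that values-external.yaml disables (`basicauth: false`), so exposure of the external dashboard hinges on values rather than on the template; gate this flag on an explicit value, e.g. `{{ if .Values.enable.api_insecure }}` … `- --api.insecure` … `{{ end }}`, and leave it off by default. `namespace: kube-system` is hard-coded here and in the IngressRoute, Middleware, PVC, RBAC and Service templates; `{{ .Release.Namespace }}` would let each release live in its own namespace and keep cluster-system namespace access out of the chart. When `enable.dnschallenge` is false the `envFrom:` key renders with no items (a null value); move the key inside the `{{ if }}` so disabled output is clean. The DNS-challenge resolver `1.1.1.1` is the one endpoint left hard-coded (the deleted manifest had `8.8.8.8:53`, with an explicit port); it belongs in `config` next to `dnschallenge_provider`, and I would keep the `:53` unless the provider is known to default the port. The pod spec sets resource limits but no `securityContext` (runAsNonRoot, readOnlyRootFilesystem, dropped capabilities) — worth adding for a process that holds the ACME account key in `/acme/acme.json`.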


@@ -1,10 +1,10 @@
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: traefik-external-tls
name: {{ .Release.Name }}-tls
namespace: kube-system
annotations:
kubernetes.io/ingress.class: traefik-internal
kubernetes.io/ingress.class: {{ .Values.config.ingressclass }}
spec:
entryPoints:
- websecure
@@ -13,10 +13,10 @@ spec:
domains:
- main: "*.ducoterra.net"
routes:
- match: Host(`traefik-external.ducoterra.net`)
- match: Host(`{{ .Release.Name }}.ducoterra.net`)
kind: Rule
services:
- name: traefik-external-admin
- name: {{ .Release.Name }}-admin
port: 8080
middlewares:
- name: basic-auth
@@ -26,18 +26,18 @@ spec:
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: traefik-external-web
name: {{ .Release.Name }}-web
namespace: kube-system
annotations:
kubernetes.io/ingress.class: traefik-internal
kubernetes.io/ingress.class: {{ .Values.config.ingressclass }}
spec:
entryPoints:
- web
routes:
- match: Host(`traefik-external.ducoterra.net`)
- match: Host(`{{ .Release.Name }}.ducoterra.net`)
kind: Rule
services:
- name: traefik-external-admin
- name: {{ .Release.Name }}-admin
port: 8080
middlewares:
- name: httpsredirect
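Review bot: Both routes still reference `- name: basic-auth` and `- name: httpsredirect` unconditionally, while the Middleware template now renders those objects only when `.Values.middleware.basicauth` / `.Values.middleware.redirectscheme` are true — and values-external.yaml sets both to false. As far as I recall Traefik v2 puts a router with an unresolvable middleware into an error state rather than serving it, so the external dashboard route would silently stop working; if that were ever relaxed, the unauthenticated admin port would be reachable. Wrap each `middlewares:` stanza in the matching `{{ if .Values.middleware.... }}` … `{{ end }}` so the route and the middleware are enabled by the same switch. The `.ducoterra.net` suffix in `Host(...)` and in the `domains` block is also hard-coded while everything else was parameterized; a `config.domain` value would keep the chart reusable. The first and third hunks cut through the two IngressRoute documents, so the tls/entryPoints lines between them are not visible here.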


@@ -0,0 +1,35 @@
{{ if .Values.middleware.basicauth }}
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: basic-auth
namespace: kube-system
spec:
basicAuth:
secret: authsecret
removeHeader: true
{{ end }}
---
{{ if .Values.middleware.redirectscheme }}
# Redirect to https
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: httpsredirect
namespace: kube-system
spec:
redirectScheme:
scheme: https
permanent: true
{{ end }}
---
{{ if .Values.middleware.stricttransport }}
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: stricttransport
namespace: kube-system
spec:
headers:
stsSeconds: 15552000
{{ end }}
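Review bot: `secret: authsecret` is a hard-coded reference to a Secret this chart never creates, in contrast to `dnschallenge_provider_secret`, which the Deployment template reads from values; parameterize it as `secret: {{ .Values.middleware.basicauth_secret }}` and document in the values files that the Secret must pre-exist in the release namespace, otherwise the basic-auth middleware fails to load and the dashboard route with it. The `---` separators sit outside the `{{ if }}` blocks, so a disabled middleware still renders as an empty document; moving each `---` inside its block keeps the rendered output free of empty documents. For `stricttransport`, consider whether `stsIncludeSubdomains: true` is intended, since the wildcard certificate covers the whole domain.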


@@ -1,12 +1,11 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: traefik-internal-acme
name: {{ .Release.Name }}
labels:
app: traefik-internal-controller
app: {{ .Release.Name }}
namespace: kube-system
spec:
storageClassName: nvme
accessModes:
- ReadWriteOnce
resources:


@@ -1,14 +1,14 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: traefik-internal-controller
name: {{ .Release.Name }}
namespace: kube-system
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: traefik-internal-controller
name: {{ .Release.Name }}
rules:
- apiGroups:
- ""
@@ -53,12 +53,12 @@ rules:
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: traefik-internal-controller
name: {{ .Release.Name }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: traefik-internal-controller
name: {{ .Release.Name }}
subjects:
- kind: ServiceAccount
name: traefik-internal-controller
name: {{ .Release.Name }}
namespace: kube-system


@@ -1,3 +1,4 @@
{{ if .Values.install.resourcedefinition }}
# All resources definition must be declared
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
@@ -102,3 +103,4 @@ spec:
plural: traefikservices
singular: traefikservice
scope: Namespaced
{{ end }}
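Review bot: Wrapping the CRDs in `{{ if .Values.install.resourcedefinition }}` makes them ordinary templated resources owned by whichever release enables the flag (values-internal.yaml), so `helm uninstall` of that release deletes the CRDs and, with them, every IngressRoute and Middleware object of the other release. Helm 3 expects CRDs in a top-level `crds/` directory, where they are installed once and never deleted or upgraded by Helm, which fits the two-release layout better; failing that, annotate each CRD with `"helm.sh/resource-policy": keep`. The CRDs also still declare `apiextensions.k8s.io/v1beta1`, which was removed in Kubernetes 1.22 and should be migrated to `v1`. The CRD documents between the two hunks are outside this view.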


@@ -0,0 +1,32 @@
apiVersion: v1
kind: Service
metadata:
name: {{ .Release.Name }}
namespace: kube-system
spec:
type: LoadBalancer
selector:
app: {{ .Release.Name }}
ports:
- protocol: TCP
port: {{ .Values.config.http_port }}
name: web
targetPort: {{ .Values.config.http_port }}
- protocol: TCP
port: {{ .Values.config.https_port }}
name: websecure
targetPort: {{ .Values.config.https_port }}
---
apiVersion: v1
kind: Service
metadata:
name: {{ .Release.Name }}-admin
namespace: kube-system
spec:
selector:
app: {{ .Release.Name }}
ports:
- protocol: TCP
port: {{ .Values.config.admin_port }}
name: admin
targetPort: {{ .Values.config.admin_port }}


@@ -1,64 +0,0 @@
kind: Deployment
apiVersion: apps/v1
metadata:
name: traefik-internal-controller
labels:
app: traefik-internal-controller
namespace: kube-system
spec:
replicas: 1
selector:
matchLabels:
app: traefik-internal-controller
template:
metadata:
labels:
app: traefik-internal-controller
spec:
serviceAccountName: traefik-internal-controller
containers:
- name: traefik
image: traefik:v2.2
args:
- --providers.kubernetescrd.ingressclass=traefik-internal
- --log.level=ERROR
- --accesslog=true
- --api
- --api.insecure
- --entrypoints.web.address=:80
- --entrypoints.websecure.address=:443
- --entrypoints.websecure.http.tls=true
- --providers.kubernetescrd
- --metrics.statsd=true
- --metrics.statsd.address=graphite.ducoterra.net:8125
- --metrics.statsd.addEntryPointsLabels=true
- --metrics.statsd.addServicesLabels=true
- --metrics.statsd.prefix="traefik-internal"
- --certificatesresolvers.myresolver.acme.dnschallenge=true
- --certificatesresolvers.myresolver.acme.dnschallenge.provider=namedotcom
- --certificatesresolvers.myresolver.acme.email=ducoterra@icloud.com
- --certificatesresolvers.myresolver.acme.storage=/acme/acme.json
- --certificatesresolvers.myresolver.acme.dnschallenge.resolvers=8.8.8.8:53
- --tracing=true
- --tracing.serviceName=traefik-internal-controller
- --tracing.spanNameLimit=0
- --tracing.zipkin=true
- --tracing.zipkin.httpEndpoint=http://zipkin:9411/api/v2/spans
- --tracing.zipkin.sampleRate=1.0
volumeMounts:
- mountPath: /acme
name: traefik-internal-acme
ports:
- name: web
containerPort: 80
- name: websecure
containerPort: 443
- name: admin
containerPort: 8080
envFrom:
- secretRef:
name: namedotcom
volumes:
- name: traefik-internal-acme
persistentVolumeClaim:
claimName: traefik-internal-acme


@@ -1,43 +0,0 @@
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: traefik-internal-tls
namespace: kube-system
annotations:
kubernetes.io/ingress.class: traefik-internal
spec:
entryPoints:
- websecure
tls:
certResolver: myresolver
domains:
- main: "*.ducoterra.net"
routes:
- match: Host(`traefik-internal.ducoterra.net`)
kind: Rule
services:
- name: traefik-internal-admin
port: 8080
middlewares:
- name: basic-auth
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: traefik-internal-web
namespace: kube-system
annotations:
kubernetes.io/ingress.class: traefik-internal
spec:
entryPoints:
- web
routes:
- match: Host(`traefik-internal.ducoterra.net`)
kind: Rule
services:
- name: traefik-internal-admin
port: 8080
middlewares:
- name: httpsredirect


@@ -1,32 +0,0 @@
apiVersion: v1
kind: Service
metadata:
name: traefik-internal-controller
namespace: kube-system
spec:
type: LoadBalancer
selector:
app: traefik-internal-controller
ports:
- protocol: TCP
port: 80
name: web
targetPort: 80
- protocol: TCP
port: 443
name: websecure
targetPort: 443
---
apiVersion: v1
kind: Service
metadata:
name: traefik-internal-admin
namespace: kube-system
spec:
selector:
app: traefik-internal-controller
ports:
- protocol: TCP
port: 8080
name: admin
targetPort: 8080


@@ -1,8 +0,0 @@
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: basic-auth
spec:
basicAuth:
secret: authsecret
removeHeader: true


@@ -1,9 +0,0 @@
# Redirect to https
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: httpsredirect
spec:
redirectScheme:
scheme: https
permanent: true


@@ -1,7 +0,0 @@
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: stricttransport
spec:
headers:
stsSeconds: 15552000

26
values-external.yaml Normal file

@@ -0,0 +1,26 @@
image: traefik:v2.2
install:
resourcedefinition: false
enable:
dnschallenge: false
tlschallenge: true
tracing: true
statsd: true
middleware:
basicauth: false
redirectscheme: false
stricttransport: false
config:
ingressclass: traefik-external
http_port: 9080
https_port: 9443
admin_port: 8080
# statsd reporting
statsd_endpoint: graphite.ducoterra.net:8125
acme_email: ducoterra@icloud.com
# zipkin tracing
tracing_endpoint: http://zipkin:9411/api/v2/spans

29
values-internal.yaml Normal file

@@ -0,0 +1,29 @@
image: traefik:v2.2
install:
resourcedefinition: true
enable:
dnschallenge: true
tlschallenge: false
tracing: true
statsd: true
middleware:
basicauth: true
redirectscheme: true
stricttransport: true
config:
ingressclass: traefik-internal
http_port: 80
https_port: 443
admin_port: 8080
# statsd reporting
statsd_endpoint: graphite.ducoterra.net:8125
acme_email: ducoterra@icloud.com
# letsencrypt dns challenge for wildcard cert
dnschallenge_provider: namedotcom
dnschallenge_provider_secret: namedotcom
# zipkin tracing
tracing_endpoint: http://zipkin:9411/api/v2/spans