From 95f40ec209c45c3687b3bba27697f5ca81850046 Mon Sep 17 00:00:00 2001 From: ducoterra Date: Wed, 6 May 2020 20:22:50 -0400 Subject: [PATCH] attempt internal and external --- {k8s => external}/deploy.yaml | 17 ++++----- {k8s => external}/pvc/pvc.yaml | 4 +-- {k8s => external}/rbac.yaml | 10 +++--- {k8s => external}/service.yaml | 4 +-- internal/deploy.yaml | 54 ++++++++++++++++++++++++++++ internal/pvc/pvc.yaml | 14 ++++++++ internal/rbac.yaml | 64 ++++++++++++++++++++++++++++++++++ internal/service.yaml | 18 ++++++++++ 8 files changed, 168 insertions(+), 17 deletions(-) rename {k8s => external}/deploy.yaml (78%) rename {k8s => external}/pvc/pvc.yaml (75%) rename {k8s => external}/rbac.yaml (84%) rename {k8s => external}/service.yaml (78%) create mode 100644 internal/deploy.yaml create mode 100644 internal/pvc/pvc.yaml create mode 100644 internal/rbac.yaml create mode 100644 internal/service.yaml diff --git a/k8s/deploy.yaml b/external/deploy.yaml similarity index 78% rename from k8s/deploy.yaml rename to external/deploy.yaml index 4691b54..acd5858 100644 --- a/k8s/deploy.yaml +++ b/external/deploy.yaml @@ -1,21 +1,21 @@ kind: Deployment apiVersion: apps/v1 metadata: - name: traefik-custom-controller + name: traefik-external-controller labels: - app: traefik-custom-controller + app: traefik-external-controller namespace: kube-system spec: replicas: 1 selector: matchLabels: - app: traefik-custom-controller + app: traefik-external-controller template: metadata: labels: - app: traefik-custom-controller + app: traefik-external-controller spec: - serviceAccountName: traefik-custom-controller + serviceAccountName: traefik-external-controller containers: - name: traefik image: traefik:v2.2 @@ -23,6 +23,7 @@ spec: - secretRef: name: namedotcom args: + - --providers.kubernetescrd.ingressclass=traefik-internal - --log.level=DEBUG - --api - --api.insecure 
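Review bot: The flag added to the external controller's `args` in external/deploy.yaml selects the internal class, `--providers.kubernetescrd.ingressclass=traefik-internal`, which is the same value internal/deploy.yaml passes. With both controllers watching one class, routes meant for the internal side would also be served through the external LoadBalancer, and no route could be scoped to the external controller alone. It probably should read `--providers.kubernetescrd.ingressclass=traefik-external`. The unchanged context lines in this hunk keep `--api.insecure` and `--log.level=DEBUG` on the controller this commit designates as external, which is worth revisiting now that the split exists. The container spec continues outside the hunk.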
@@ -39,7 +40,7 @@ spec: - --certificatesresolvers.myresolver.acme.dnschallenge.delaybeforecheck=0 volumeMounts: - mountPath: /acme - name: traefik-acme + name: traefik-external-acme ports: - name: web containerPort: 9080 @@ -48,6 +49,6 @@ spec: - name: admin containerPort: 8080 volumes: - - name: traefik-acme + - name: traefik-external-acme persistentVolumeClaim: - claimName: traefik-acme \ No newline at end of file + claimName: traefik-external-acme \ No newline at end of file diff --git a/k8s/pvc/pvc.yaml b/external/pvc/pvc.yaml similarity index 75% rename from k8s/pvc/pvc.yaml rename to external/pvc/pvc.yaml index a0594da..5befc05 100644 --- a/k8s/pvc/pvc.yaml +++ b/external/pvc/pvc.yaml @@ -1,9 +1,9 @@ apiVersion: v1 kind: PersistentVolumeClaim metadata: - name: traefik-acme + name: traefik-external-acme labels: - app: traefik-custom-controller + app: traefik-external-controller namespace: kube-system spec: storageClassName: nfs-encrypted diff --git a/k8s/rbac.yaml b/external/rbac.yaml similarity index 84% rename from k8s/rbac.yaml rename to external/rbac.yaml index fe4bbeb..f15a68d 100644 --- a/k8s/rbac.yaml +++ b/external/rbac.yaml @@ -1,14 +1,14 @@ apiVersion: v1 kind: ServiceAccount metadata: - name: traefik-custom-controller + name: traefik-external-controller namespace: kube-system --- kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1beta1 metadata: - name: traefik-custom-controller + name: traefik-external-controller rules: - apiGroups: - "" @@ -53,12 +53,12 @@ rules: kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1beta1 metadata: - name: traefik-custom-controller + name: traefik-external-controller roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: traefik-custom-controller + name: traefik-external-controller subjects: - kind: ServiceAccount - name: traefik-custom-controller + name: traefik-external-controller namespace: kube-system \ No newline at end of file 
diff --git a/k8s/service.yaml b/external/service.yaml similarity index 78% rename from k8s/service.yaml rename to external/service.yaml index 0aed03d..5bf4d0a 100644 --- a/k8s/service.yaml +++ b/external/service.yaml @@ -1,12 +1,12 @@ apiVersion: v1 kind: Service metadata: - name: traefik-custom-controller + name: traefik-external-controller namespace: kube-system spec: type: LoadBalancer selector: - app: traefik-custom-controller + app: traefik-external-controller ports: - protocol: TCP port: 9080 diff --git a/internal/deploy.yaml b/internal/deploy.yaml new file mode 100644 index 0000000..80c3bdb --- /dev/null +++ b/internal/deploy.yaml 
@@ -0,0 +1,54 @@ +kind: Deployment +apiVersion: apps/v1 +metadata: + name: traefik-internal-controller + labels: + app: traefik-internal-controller + namespace: kube-system +spec: + replicas: 1 + selector: + matchLabels: + app: traefik-internal-controller + template: + metadata: + labels: + app: traefik-internal-controller + spec: + serviceAccountName: traefik-internal-controller + containers: + - name: traefik + image: traefik:v2.2 + envFrom: + - secretRef: + name: namedotcom + args: + - --providers.kubernetescrd.ingressclass=traefik-internal + - --log.level=DEBUG + - --api + - --api.insecure + - --entrypoints.web.address=:80 + - --entrypoints.websecure.address=:443 + - --entrypoints.websecure.http.tls=true + - --providers.kubernetescrd + - --metrics.statsd=true + - --metrics.statsd.address=graphite.ducoterra.net:8125 + - --certificatesresolvers.myresolver.acme.email=ducoterra@icloud.com + - --certificatesresolvers.myresolver.acme.storage=/acme/acme.json + - --certificatesresolvers.myresolver.acme.httpchallenge.entrypoint=web + - --certificatesresolvers.myresolver.acme.dnschallenge.provider=namedotcom + - --certificatesresolvers.myresolver.acme.dnschallenge.delaybeforecheck=0 + volumeMounts: + - mountPath: /acme + name: traefik-internal-acme + ports: + - name: web + containerPort: 80 + - name: websecure + containerPort: 443 + - name: admin + containerPort: 8080 + volumes: + - name: traefik-internal-acme + persistentVolumeClaim: + claimName: traefik-internal-acme \ No newline at end of file diff --git a/internal/pvc/pvc.yaml b/internal/pvc/pvc.yaml new file mode 100644 index 0000000..5e93b0c --- /dev/null +++ b/internal/pvc/pvc.yaml @@ -0,0 +1,14 @@ +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: traefik-internal-acme + labels: + app: traefik-internal-controller + namespace: kube-system +spec: + storageClassName: nfs-encrypted + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 1Gi \ No newline at end of file 
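Review bot: The new internal Deployment starts Traefik with `--api.insecure`, which serves the dashboard and API without authentication on the `admin` port 8080, together with `--log.level=DEBUG`. Any workload that can reach the pod IP can then read the full routing configuration. Prefer dropping `--api.insecure`, exposing `api@internal` through an IngressRoute with an auth middleware, and setting `--log.level=INFO`. The resolver also sets both `httpchallenge.entrypoint=web` and `dnschallenge.provider=namedotcom`; an internal-only controller is unlikely to be reachable for HTTP-01, so keeping only the DNS challenge would state the intent more clearly.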
diff --git a/internal/rbac.yaml b/internal/rbac.yaml new file mode 100644 index 0000000..799c62e --- /dev/null +++ b/internal/rbac.yaml @@ -0,0 +1,64 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: traefik-internal-controller + namespace: kube-system +--- + +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1beta1 +metadata: + name: traefik-internal-controller +rules: + - apiGroups: + - "" + resources: + - services + - endpoints + - secrets + verbs: + - get + - list + - watch + - apiGroups: + - extensions + resources: + - ingresses + verbs: + - get + - list + - watch + - apiGroups: + - extensions + resources: + - ingresses/status + verbs: + - update + - apiGroups: + - traefik.containo.us + resources: + - middlewares + - ingressroutes + - traefikservices + - ingressroutetcps + - ingressrouteudps + - tlsoptions + - tlsstores + verbs: + - get + - list + - watch + +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1beta1 +metadata: + name: traefik-internal-controller +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: traefik-internal-controller +subjects: + - kind: ServiceAccount + name: traefik-internal-controller + namespace: kube-system \ No newline at end of file diff --git a/internal/service.yaml b/internal/service.yaml new file mode 100644 index 0000000..9c76747 --- /dev/null +++ b/internal/service.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Service +metadata: + name: traefik-internal-controller + namespace: kube-system +spec: + type: LoadBalancer + selector: + app: traefik-internal-controller + ports: + - protocol: TCP + port: 9080 + name: web + targetPort: 9080 + - protocol: TCP + port: 9443 + name: websecure + targetPort: 9443 \ No newline at end of file
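Review bot: The ClusterRole for `traefik-internal-controller` grants more than the internal Deployment appears to use. internal/deploy.yaml enables only `--providers.kubernetescrd`, so the two `extensions` rules (`ingresses` read and `ingresses/status` `update`) look unnecessary and can be dropped. The first rule, bound through the ClusterRoleBinding, gives this second service account `get`/`list`/`watch` on `secrets` in every namespace. If the internal routes live in a few known namespaces, a namespaced Role and RoleBinding per namespace would narrow that. Both RBAC objects use the deprecated `rbac.authorization.k8s.io/v1beta1`; `apiVersion: rbac.authorization.k8s.io/v1` accepts the same fields.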
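Review bot: The Service's `targetPort` values 9080 and 9443 do not match the internal Deployment, which sets `--entrypoints.web.address=:80` and `--entrypoints.websecure.address=:443` with containerPorts 80 and 443, so traffic would be forwarded to ports nothing listens on. Referring to the named container ports avoids this drift: `targetPort: web` and `targetPort: websecure`. `type: LoadBalancer` is also the same as on the external Service. Depending on how the cluster provisions load balancers, this may give the internal controller an externally reachable address, so confirm it receives an internal-only address or use `type: ClusterIP`.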