imfreedom/k8s-cluster
Add a deployment for lists.pidgin.im
18 months ago, Gary Kramlich
58df72dc379a
Add a deployment for lists.pidgin.im
Currently this is just running on liststest.pidgin.im until we are ready to
migrate production.
# This manifest sets up an ingress, authenticated through Hub, for the
# kube-prometheus stack, which was applied directly from the manifests in
# github.com/coreos/kube-prometheus.
#
# It uses https://github.com/thomseddon/traefik-forward-auth to do OIDC based
# logins against our JetBrains Hub instance.
---
# Response-header middleware for the monitoring namespace. It adds
# "X-Frame-Options: SAMEORIGIN" to responses, so browsers only allow the
# proxied UIs to be framed by pages on the same origin.
# NOTE(review): this is the only response header set in this manifest; HSTS
# (stsSeconds) and X-Content-Type-Options (contentTypeNosniff) are not
# configured here - confirm whether they are applied elsewhere.
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: common-headers
  namespace: monitoring
spec:
  headers:
    customResponseHeaders:
      X-Frame-Options: SAMEORIGIN
---
# Path-rewrite middleware: removes the routing prefix from the request path
# before the request is forwarded to the backend. The three prefixes match the
# PathPrefix rules of the "monitoring" IngressRoute in this file.
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: strip-prefixes
  namespace: monitoring
spec:
  stripPrefix:
    # With forceSlash disabled, a request for exactly "/grafana" is forwarded
    # with an empty path rather than "/".
    forceSlash: false
    prefixes:
      - "/alertmanager"
      - "/grafana"
      - "/prometheus"
---
# Forward-auth middleware: Traefik asks the traefik-forward-auth Service
# (defined later in this file) whether each request is authenticated before
# letting it through to the backend.
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: hub-forward-auth
  namespace: monitoring
spec:
  forwardAuth:
    # In-cluster address of the auth service; the auth sub-request uses plain
    # HTTP on port 4181.
    address: http://traefik-forward-auth.monitoring:4181
    # X-Forwarded-* headers already present on the incoming request are
    # trusted and passed on to the auth service.
    # NOTE(review): this is only sound if untrusted clients cannot reach
    # Traefik with forged X-Forwarded-* headers - confirm the entrypoint's
    # forwardedHeaders settings.
    trustForwardHeader: true
    # Headers copied from the auth service's response onto the request that is
    # sent to the backend.
    # NOTE(review): any backend that trusts X-Forwarded-User as an identity
    # must only be reachable through this middleware - verify that nothing
    # else in the cluster can call those Services directly.
    authResponseHeaders:
      - X-Forwarded-User
      - Authorization
      - Set-Cookie
---
# Middleware chain attached to every route of the "monitoring" IngressRoute.
# The list order is the execution order: authenticate first, then strip the
# path prefix, then add the response headers.
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: common
  namespace: monitoring
spec:
  chain:
    middlewares:
      # Authentication is listed first so it sees the original, unstripped
      # request path.
      - name: hub-forward-auth
      - name: strip-prefixes
      - name: common-headers
---
# Redirect middleware used by the plain-HTTP IngressRoute: sends the client to
# the same URL with the https scheme.
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: https-redirect
  namespace: monitoring
spec:
  redirectScheme:
    scheme: https
    # Issue a permanent redirect rather than a temporary one.
    permanent: true
---
# Plain-HTTP entry for monitoring.imfreedom.org. Its single route carries the
# https-redirect middleware, so requests arriving on the "http" entrypoint are
# redirected to HTTPS.
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: monitoring-http
  namespace: monitoring
spec:
  entryPoints:
    - http
  routes:
    - match: Host(`monitoring.imfreedom.org`)
      kind: Rule
      # NOTE(review): presumably this service is never reached, because the
      # redirect middleware answers first; it looks like a placeholder for the
      # route's required backend - confirm.
      services:
        - name: traefik-forward-auth
          port: 4181
      middlewares:
        - name: https-redirect
---
# HTTPS entry for monitoring.imfreedom.org. Each path prefix is routed to one
# backend, and every route carries the "common" chain (forward auth, prefix
# stripping, response headers).
# NOTE(review): authentication is attached per route, so a route added here
# without the "common" middleware would expose its backend unauthenticated.
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: monitoring
  namespace: monitoring
spec:
  entryPoints:
    - https
  routes:
    # Alertmanager UI and API.
    - match: Host(`monitoring.imfreedom.org`) && PathPrefix(`/alertmanager`)
      kind: Rule
      services:
        - name: alertmanager-main
          port: 9093
      middlewares:
        - name: common

    # Grafana.
    - match: Host(`monitoring.imfreedom.org`) && PathPrefix(`/grafana`)
      kind: Rule
      services:
        - name: grafana
          port: 3000
      middlewares:
        - name: common

    # Prometheus, served by the "prometheus" Service defined in this file.
    - match: Host(`monitoring.imfreedom.org`) && PathPrefix(`/prometheus`)
      kind: Rule
      services:
        - name: prometheus
          port: 9090
      middlewares:
        - name: common

    # Routed to the auth service itself; presumably the OIDC callback path
    # used by traefik-forward-auth - confirm against its configuration.
    - match: Host(`monitoring.imfreedom.org`) && PathPrefix(`/_oauth`)
      kind: Rule
      services:
        - name: traefik-forward-auth
          port: 4181
      middlewares:
        - name: common
  # TLS certificate comes from the Secret written by the "monitoring-tls"
  # Certificate in this file.
  tls:
    secretName: monitoring-tls
---
# cert-manager Certificate for monitoring.imfreedom.org. The issued key pair
# is stored in the "monitoring-tls" Secret, which the "monitoring"
# IngressRoute references for TLS.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  namespace: monitoring
  name: monitoring-tls
spec:
  secretName: monitoring-tls
  # NOTE(review): no "kind" is given, so cert-manager resolves this as a
  # namespaced Issuer - confirm an Issuer named "letsencrypt" exists in the
  # monitoring namespace, or set kind: ClusterIssuer if that is what is meant.
  issuerRef:
    name: letsencrypt
  commonName: monitoring.imfreedom.org
  dnsNames:
    - monitoring.imfreedom.org
---
# Runs thomseddon/traefik-forward-auth, the service called by the
# hub-forward-auth middleware. It is configured for OIDC against
# https://hub.imfreedom.org/hub.
# NOTE(review): the pod spec sets no securityContext and no resource
# requests/limits. Consider runAsNonRoot, allowPrivilegeEscalation: false, a
# read-only root filesystem and dropped capabilities once the image is
# confirmed to run with them.
apiVersion: apps/v1
kind: Deployment
metadata:
  namespace: monitoring
  name: traefik-forward-auth
  labels:
    app: traefik-forward-auth
spec:
  # Single replica: the auth endpoint has no redundancy.
  replicas: 1
  selector:
    matchLabels:
      app: traefik-forward-auth
  template:
    metadata:
      labels:
        app: traefik-forward-auth
    spec:
      containers:
        - args:
            - --default-provider=oidc
          env:
            - name: PROVIDERS_OIDC_ISSUER_URL
              value: https://hub.imfreedom.org/hub
            # The OIDC client credentials and the SECRET value are read from
            # keys of the "monitoring" Secret, which is not part of this
            # manifest, so no secret material is stored in the repository.
            - name: PROVIDERS_OIDC_CLIENT_ID
              valueFrom:
                secretKeyRef:
                  name: monitoring
                  key: client_id
            - name: PROVIDERS_OIDC_CLIENT_SECRET
              valueFrom:
                secretKeyRef:
                  name: monitoring
                  key: client_secret
            - name: SECRET
              valueFrom:
                secretKeyRef:
                  name: monitoring
                  key: cookie_secret
          # NOTE(review): ":2" is a mutable tag and the pull policy is Always,
          # so a pod restart can start a different image build than the one
          # that was reviewed. Pinning by digest
          # (thomseddon/traefik-forward-auth@sha256:<DIGEST-PLACEHOLDER>) makes
          # the deployed image reproducible.
          image: thomseddon/traefik-forward-auth:2
          imagePullPolicy: Always
          name: traefik-forward-auth
          ports:
            - containerPort: 4181
              protocol: TCP
---
# Service in front of the traefik-forward-auth pods. No "type" is set, so it
# is a cluster-internal ClusterIP Service. Port 4181 is the port used by the
# forwardAuth address and by the IngressRoutes in this file.
apiVersion: v1
kind: Service
metadata:
  namespace: monitoring
  name: traefik-forward-auth
  labels:
    app: traefik-forward-auth
spec:
  ports:
    - name: http
      port: 4181
      protocol: TCP
      targetPort: 4181
  # Selects the pods created by the traefik-forward-auth Deployment.
  selector:
    app: traefik-forward-auth
---
# ServiceAccount named after the Prometheus operator. In this file it is the
# subject of the "prometheus-operator-monitoring" ClusterRoleBinding, and it
# is also the account the "prometheus" Prometheus resource runs under.
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/name: prometheus-operator
    app.kubernetes.io/version: 0.45.0
  name: prometheus-operator
  namespace: monitoring
---
# Grants the "prometheus-operator" ClusterRole to the prometheus-operator
# ServiceAccount in the monitoring namespace. The ClusterRole is not defined
# in this manifest.
# NOTE(review): a ClusterRoleBinding applies cluster-wide, so every pod that
# runs as this ServiceAccount gets the ClusterRole's permissions in all
# namespaces - review the role's rules against what those pods need.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/name: prometheus-operator
    app.kubernetes.io/version: 0.45.0
  name: prometheus-operator-monitoring
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: prometheus-operator
subjects:
  - kind: ServiceAccount
    name: prometheus-operator
    namespace: monitoring
---
# Prometheus instance managed by the Prometheus operator. It is published at
# https://monitoring.imfreedom.org/prometheus/ through the "monitoring"
# IngressRoute in this file.
apiVersion: monitoring.coreos.com/v1
kind: Prometheus
metadata:
  name: prometheus
  namespace: monitoring
spec:
  # NOTE(review): the Prometheus server runs under the operator's
  # ServiceAccount, which this file binds to the "prometheus-operator"
  # ClusterRole. The server therefore holds whatever cluster-wide permissions
  # the operator has. A dedicated ServiceAccount limited to the read access
  # needed for scraping would be closer to least privilege - confirm against
  # the ClusterRole's rules.
  serviceAccountName: prometheus-operator
  # Only PodMonitors labelled "monitoring: cluster-wide" are selected.
  podMonitorSelector:
    matchLabels:
      monitoring: cluster-wide
  resources:
    limits:
      cpu: 1000m
      memory: 512Mi
    requests:
      cpu: 500m
      memory: 256Mi
  # The admin API stays disabled.
  enableAdminAPI: false
  # The external URL includes the /prometheus/ prefix, while routePrefix is
  # "/" because the strip-prefixes middleware removes the prefix before the
  # request reaches Prometheus.
  externalUrl: 'https://monitoring.imfreedom.org/prometheus/'
  routePrefix: '/'
---
# Service for the Prometheus pods; it is the backend of the /prometheus route
# in the "monitoring" IngressRoute. No "type" is set, so it is a
# cluster-internal ClusterIP Service. No targetPort is set either, so traffic
# goes to pod port 9090.
# NOTE(review): forward auth is enforced only on the Traefik route. Clients
# inside the cluster can reach this Service directly without authenticating,
# unless a NetworkPolicy restricts them - verify.
apiVersion: v1
kind: Service
metadata:
  namespace: monitoring
  name: prometheus
  labels:
    app: prometheus
spec:
  ports:
    - port: 9090
      protocol: TCP
  # Presumably the labels the operator puts on the pods of the "prometheus"
  # instance - confirm against the running pods.
  selector:
    app: prometheus
    prometheus: prometheus
---