
Add the new traefik ingress controller

2020-02-11, Gary Kramlich
6579a55ddcba
Add the new traefik ingress controller
# This cluster uses a single ingress for everything. This means we only use
# 1 ip address and thus 1 load balancer which keeps costs down.
#
# This ingress controller is a little bit more convoluted than your typical
# one as it's also handling not http tcp services.
---
apiVersion: v1
kind: ConfigMap
metadata:
name: ingress-custom-headers
namespace: kube-public
data:
X-Frame-Options: sameorigin
---
apiVersion: v1
kind: ConfigMap
metadata:
name: ingress-tcp-services
namespace: kube-public
labels:
app: ingress
role: controller
data:
22: imfreedom/keep:22222
5222: imfreedom/prosody:5222
5269: imfreedom/prosody:5269
---
apiVersion: v1
kind: ConfigMap
metadata:
name: ingress-configuration
namespace: kube-public
labels:
app: ingress
role: controller
data:
proxy-set-headers: "kube-public/ingress-custom-headers"
use-forwarded-headers: "true"
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: ingress-serviceaccount
namespace: kube-public
labels:
app: ingress
role: controller
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
name: ingress-clusterrole
labels:
app: ingress
role: controller
rules:
- apiGroups:
- ""
resources:
- configmaps
- endpoints
- nodes
- pods
- secrets
verbs:
- list
- watch
- apiGroups:
- ""
resources:
- nodes
verbs:
- get
- apiGroups:
- ""
resources:
- services
verbs:
- get
- list
- watch
- apiGroups:
- "extensions"
resources:
- ingresses
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- events
verbs:
- create
- patch
- apiGroups:
- "extensions"
resources:
- ingresses/status
verbs:
- update
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
name: ingress-clusterrole-nisa-binding
labels:
app: ingress
role: controller
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: ingress-clusterrole
subjects:
- kind: ServiceAccount
name: ingress-serviceaccount
namespace: kube-public
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: Role
metadata:
name: ingress-role
namespace: kube-public
labels:
app: ingress
role: controller
rules:
- apiGroups:
- ""
resources:
- configmaps
- pods
- secrets
- namespaces
verbs:
- get
- apiGroups:
- ""
resources:
- configmaps
resourceNames:
# Defaults to "<election-id>-<ingress-class>"
# Here: "<ingress-controller-leader>-<nginx>"
# This has to be adapted if you change either parameter
# when launching the nginx-ingress-controller.
- "ingress-controller-leader-nginx"
verbs:
- get
- update
- apiGroups:
- ""
resources:
- configmaps
verbs:
- create
- apiGroups:
- ""
resources:
- endpoints
verbs:
- get
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: RoleBinding
metadata:
name: ingress-role-nisa-binding
namespace: kube-public
labels:
app: ingress
role: controller
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: ingress-role
subjects:
- kind: ServiceAccount
name: ingress-serviceaccount
namespace: kube-public
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: ingress-controller
namespace: kube-public
labels:
app: ingress
role: public
spec:
replicas: 2
selector:
matchLabels:
app: ingress
role: controller
template:
metadata:
annotations:
fluentbit.io/parser: ingress-nginx
labels:
app: ingress
role: controller
spec:
affinity:
podAntiAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- podAffinityTerm:
labelSelector:
matchExpressions:
- key: app
operator: In
values:
- ingress
- key: role
operator: In
values:
- controller
topologyKey: failure-domain.beta.kubernetes.io/region
weight: 100
serviceAccountName: ingress-serviceaccount
containers:
- name: nginx-ingress-controller
image: quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.24.1
args:
- /nginx-ingress-controller
- --configmap=$(POD_NAMESPACE)/ingress-configuration
- --publish-service=$(POD_NAMESPACE)/ingress
- --annotations-prefix=nginx.ingress.kubernetes.io
- --tcp-services-configmap=$(POD_NAMESPACE)/ingress-tcp-services
securityContext:
capabilities:
drop:
- ALL
add:
- NET_BIND_SERVICE
# www-data -> 33
runAsUser: 33
env:
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
ports:
- name: keep-ssh
containerPort: 22
- name: http
containerPort: 80
- name: https
containerPort: 443
- name: xmpp-c2s
containerPort: 5222
- name: xmpp-s2s
containerPort: 5269
livenessProbe:
failureThreshold: 3
httpGet:
path: /healthz
port: 10254
scheme: HTTP
initialDelaySeconds: 10
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 1
readinessProbe:
failureThreshold: 3
httpGet:
path: /healthz
port: 10254
scheme: HTTP
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 1
---
apiVersion: v1
kind: Service
metadata:
name: ingress
namespace: kube-public
labels:
app: ingress
role: controller
# annotations:
# service.beta.kubernetes.io/do-loadbalancer-enable-proxy-protocol: "true"
spec:
selector:
app: ingress
role: controller
type: LoadBalancer
externalTrafficPolicy: Cluster
ports:
- name: hgkeeper
port: 22
targetPort: keep-ssh
- name: http
port: 80
targetPort: http
- name: https
port: 443
targetPort: https
- name: xmpp-c2s
port: 5222
targetPort: xmpp-c2s
- name: xmpp-s2s
port: 5269
targetPort: xmpp-s2s
---
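Review bot: `use-forwarded-headers: "true"` in the `ingress-configuration` ConfigMap tells the controller to trust client-supplied `X-Forwarded-For`/`X-Forwarded-Proto`, yet the Service's proxy-protocol annotation is commented out and `externalTrafficPolicy: Cluster` is set, so the load balancer appears to forward raw TCP and any client can spoof its source address in access logs and in anything downstream that uses the header for allowlisting or rate limiting. Unless a trusted L7 proxy sits in front, drop the key or set `use-forwarded-headers: "false"`; if the LB does inject these headers, pair it with `proxy-real-ip-cidr` limited to the LB's address range. Separately, the ClusterRole grants `list`/`watch` on `secrets` across all namespaces, which is the upstream default for this controller but means a compromised controller pod can read every secret in the cluster — worth a comment stating that trade-off next to the rule. The `ingress-tcp-services` keys `22`, `5222`, `5269` are bare integers; quote them (`"22": imfreedom/keep:22222`) so a YAML 1.1/1.2 parser cannot type them as numbers before they reach the API. The commit title mentions traefik while this file is the nginx controller, so if this manifest is the one being retired, these remarks do not apply.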