imfreedom/k8s-cluster
Redirect some stuff that pidgin links to. Fixes NEST-21
2020-01-21, Gary Kramlich
ad9548cab441
Redirect some stuff that pidgin links to. Fixes NEST-21
# This cluster uses a single ingress for everything. This means we only use
# 1 ip address and thus 1 load balancer which keeps costs down.
#
# This ingress controller is a little more convoluted than a typical one, as it
# also handles non-HTTP TCP services.
---
# Extra HTTP headers, kept in their own ConfigMap so the controller
# configuration can reference it as "<namespace>/<name>".
# NOTE(review): X-Frame-Options is a response header. It only reaches browsers
# if the controller configuration references this map through `add-headers`;
# a `proxy-set-headers` reference sends it to the backends instead.
apiVersion: v1
kind: ConfigMap
metadata:
  name: ingress-custom-headers
  namespace: kube-public
data:
  X-Frame-Options: "sameorigin"
---
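# Raw TCP forwards handled by the ingress controller (passed to it with
# --tcp-services-configmap). Each entry maps an external port to
# "<namespace>/<service>:<port>".
# These streams are proxied at layer 4: none of the HTTP-level settings
# (custom headers, ingress annotations) apply to them, so the SSH and XMPP
# backends have to do their own authentication and abuse limiting.
apiVersion: v1
kind: ConfigMap
metadata:
  name: ingress-tcp-services
  namespace: kube-public
  labels:
    app: ingress
    role: controller
data:
  # ConfigMap data is string -> string; the keys are quoted so no YAML parser
  # reads them as integers.
  "22": "imfreedom/keep:22222"
  "5222": "imfreedom/prosody:5222"
  "5269": "imfreedom/prosody:5269"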
---
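# Main nginx-ingress configuration, passed to the controller with --configmap.
apiVersion: v1
kind: ConfigMap
metadata:
  name: ingress-configuration
  namespace: kube-public
  labels:
    app: ingress
    role: controller
data:
  # The referenced map holds X-Frame-Options, a response header, so it is wired
  # in through add-headers (headers added to responses sent to clients).
  # proxy-set-headers would attach it to the requests forwarded to backends,
  # where it gives no clickjacking protection.
  add-headers: "kube-public/ingress-custom-headers"
  # Trusts X-Forwarded-* headers on incoming requests. That is only safe when
  # every request passes through a proxy that overwrites them.
  # NOTE(review): the Service in front of this controller is a plain
  # LoadBalancer, so clients may be able to spoof their source address and
  # scheme. Confirm the load balancer mode, or limit the trusted sources with
  # proxy-real-ip-cidr.
  use-forwarded-headers: "true"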
---
# Identity the ingress controller pods run as. Everything the controller may do
# against the API server comes from the Role and ClusterRole bound to this
# account.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ingress-serviceaccount
  namespace: kube-public
  labels:
    app: ingress
    role: controller
---
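# Cluster-wide permissions for the ingress controller's service account.
# rbac.authorization.k8s.io/v1 is the stable RBAC API; v1beta1 is deprecated
# and is not served from Kubernetes 1.22 on.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ingress-clusterrole
  labels:
    app: ingress
    role: controller
rules:
  # list/watch on secrets in every namespace lets this account read the
  # contents of all Secrets in the cluster, so a compromised controller pod
  # exposes them. If ingresses only live in a few namespaces, consider scoping
  # the controller with --watch-namespace and granting this through a
  # namespaced Role instead.
  - apiGroups:
      - ""
    resources:
      - configmaps
      - endpoints
      - nodes
      - pods
      - secrets
    verbs:
      - list
      - watch
  - apiGroups:
      - ""
    resources:
      - nodes
    verbs:
      - get
  - apiGroups:
      - ""
    resources:
      - services
    verbs:
      - get
      - list
      - watch
  # NOTE(review): newer controller releases read Ingress objects from the
  # networking.k8s.io group; this rule and the ingresses/status rule below will
  # need that group when the image is upgraded. Confirm against the target
  # version.
  - apiGroups:
      - "extensions"
    resources:
      - ingresses
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - ""
    resources:
      - events
    verbs:
      - create
      - patch
  - apiGroups:
      - "extensions"
    resources:
      - ingresses/status
    verbs:
      - update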
---
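# Grants ingress-clusterrole to the controller's service account.
# rbac.authorization.k8s.io/v1 is the stable RBAC API; v1beta1 is deprecated
# and is not served from Kubernetes 1.22 on.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: ingress-clusterrole-nisa-binding
  labels:
    app: ingress
    role: controller
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ingress-clusterrole
subjects:
  # The only subject is the controller's own account; anything that can run a
  # pod under it in kube-public inherits the cluster-wide read access.
  - kind: ServiceAccount
    name: ingress-serviceaccount
    namespace: kube-public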
---
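# Namespaced permissions for the ingress controller inside kube-public.
# rbac.authorization.k8s.io/v1 is the stable RBAC API; v1beta1 is deprecated
# and is not served from Kubernetes 1.22 on.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: ingress-role
  namespace: kube-public
  labels:
    app: ingress
    role: controller
rules:
  - apiGroups:
      - ""
    resources:
      - configmaps
      - pods
      - secrets
      - namespaces
    verbs:
      - get
  # Update is limited by resourceNames to the leader-election ConfigMap.
  - apiGroups:
      - ""
    resources:
      - configmaps
    resourceNames:
      # Defaults to "<election-id>-<ingress-class>"
      # Here: "<ingress-controller-leader>-<nginx>"
      # This has to be adapted if you change either parameter
      # when launching the nginx-ingress-controller.
      - "ingress-controller-leader-nginx"
    verbs:
      - get
      - update
  # create cannot be restricted by resourceNames, so this rule allows creating
  # any ConfigMap in kube-public.
  - apiGroups:
      - ""
    resources:
      - configmaps
    verbs:
      - create
  - apiGroups:
      - ""
    resources:
      - endpoints
    verbs:
      - get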
---
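# Grants ingress-role (kube-public only) to the controller's service account.
# rbac.authorization.k8s.io/v1 is the stable RBAC API; v1beta1 is deprecated
# and is not served from Kubernetes 1.22 on.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ingress-role-nisa-binding
  namespace: kube-public
  labels:
    app: ingress
    role: controller
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: ingress-role
subjects:
  - kind: ServiceAccount
    name: ingress-serviceaccount
    namespace: kube-public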
---
# The nginx ingress controller itself: two replicas serving HTTP(S) plus the
# raw TCP forwards (SSH for hgkeeper, XMPP c2s/s2s).
apiVersion: apps/v1
kind: Deployment
metadata:
  name: ingress-controller
  namespace: kube-public
  labels:
    app: ingress
    # NOTE(review): every other object in this file, and the pod template
    # below, uses role: controller. Confirm "public" is intended.
    role: public
spec:
  replicas: 2
  selector:
    matchLabels:
      app: ingress
      role: controller
  template:
    metadata:
      annotations:
        fluentbit.io/parser: ingress-nginx
      labels:
        app: ingress
        role: controller
    spec:
      affinity:
        podAntiAffinity:
          # Soft rule: prefer not to co-locate two controller pods in the same
          # topology domain.
          # NOTE(review): the domain is the region, so in a single-region
          # cluster this does not spread replicas across nodes. Confirm whether
          # a per-node key was meant.
          preferredDuringSchedulingIgnoredDuringExecution:
            - podAffinityTerm:
                labelSelector:
                  matchExpressions:
                    - key: app
                      operator: In
                      values: [ingress]
                    - key: role
                      operator: In
                      values: [controller]
                topologyKey: failure-domain.beta.kubernetes.io/region
              weight: 100
      # This account carries cluster-wide list/watch on secrets (see the
      # ClusterRole named ingress-clusterrole).
      serviceAccountName: ingress-serviceaccount
      containers:
        - name: nginx-ingress-controller
          # Pinned by tag, not by digest: a re-pushed tag would change what
          # runs here. NOTE(review): consider pinning as ...@sha256:<digest>
          # and check this release against current upstream security
          # advisories.
          image: quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.24.1
          args:
            - /nginx-ingress-controller
            - --configmap=$(POD_NAMESPACE)/ingress-configuration
            - --publish-service=$(POD_NAMESPACE)/ingress
            - --annotations-prefix=nginx.ingress.kubernetes.io
            - --tcp-services-configmap=$(POD_NAMESPACE)/ingress-tcp-services
          securityContext:
            # Non-root with every capability dropped except the one needed to
            # bind ports below 1024 (22, 80, 443).
            # NOTE(review): allowPrivilegeEscalation is left at its default;
            # check how this image obtains NET_BIND_SERVICE before setting it
            # to false.
            capabilities:
              drop: [ALL]
              add: [NET_BIND_SERVICE]
            # www-data -> 33
            runAsUser: 33
          # Downward-API values; POD_NAMESPACE is expanded in args above.
          env:
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
          # No resource requests or limits are set for this container, so the
          # pod runs in the BestEffort QoS class.
          ports:
            - name: keep-ssh
              containerPort: 22
            - name: http
              containerPort: 80
            - name: https
              containerPort: 443
            - name: xmpp-c2s
              containerPort: 5222
            - name: xmpp-s2s
              containerPort: 5269
          # Both probes poll /healthz over plain HTTP on port 10254, which is
          # not among the container ports published above.
          livenessProbe:
            failureThreshold: 3
            httpGet:
              path: /healthz
              port: 10254
              scheme: HTTP
            initialDelaySeconds: 10
            periodSeconds: 10
            successThreshold: 1
            timeoutSeconds: 1
          readinessProbe:
            failureThreshold: 3
            httpGet:
              path: /healthz
              port: 10254
              scheme: HTTP
            periodSeconds: 10
            successThreshold: 1
            timeoutSeconds: 1
---
# The single public entry point: one LoadBalancer Service in front of the
# controller pods, exposing HTTP(S) together with the SSH and XMPP forwards.
apiVersion: v1
kind: Service
metadata:
  name: ingress
  namespace: kube-public
  labels:
    app: ingress
    role: controller
  # annotations:
  # service.beta.kubernetes.io/do-loadbalancer-enable-proxy-protocol: "true"
spec:
  selector:
    app: ingress
    role: controller
  type: LoadBalancer
  # With "Cluster", traffic may be forwarded between nodes and source-NATed, so
  # the controller does not necessarily see the real client address.
  # NOTE(review): address-based controls and logs in nginx then depend on
  # forwarded headers or PROXY protocol. Confirm which one is trusted here.
  externalTrafficPolicy: Cluster
  ports:
    # Port 22 on the public address goes to the controller's keep-ssh port, not
    # to any node's own sshd.
    - name: hgkeeper
      port: 22
      targetPort: keep-ssh
    - name: http
      port: 80
      targetPort: http
    - name: https
      port: 443
      targetPort: https
    - name: xmpp-c2s
      port: 5222
      targetPort: xmpp-c2s
    - name: xmpp-s2s
      port: 5269
      targetPort: xmpp-s2s
---