
fc71e853c3aa
Add a new deployment for moving the imf wiki to mkdocs
# this manifest sets up an ingress, with Hub-based login, to the kube-prometheus stack which
# was applied directly from the manifests in github.com/coreos/kube-prometheus.
#
# It uses https://github.com/thomseddon/traefik-forward-auth to do OIDC based
# logins against our JetBrains Hub instance.
---
# Response headers added to every route that goes through the `common` chain.
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  namespace: monitoring
  name: common-headers
spec:
  headers:
    customResponseHeaders:
      # Only same-origin framing is allowed (clickjacking mitigation).
      X-Frame-Options: 'SAMEORIGIN'
---
# Removes the per-application routing prefix before the request is proxied,
# so each backend sees paths relative to its own root.
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  namespace: monitoring
  name: strip-prefixes
spec:
  stripPrefix:
    # With forceSlash off, a request for exactly the prefix is forwarded with an
    # empty path instead of being rewritten to `/`.
    forceSlash: false
    prefixes:
      - '/alertmanager'
      - '/grafana'
      - '/prometheus'
---
# Forward-auth gate: each request is first sent to the in-cluster
# traefik-forward-auth service, which either accepts the existing session
# cookie or starts an OIDC login against Hub.
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  namespace: monitoring
  name: hub-forward-auth
spec:
  forwardAuth:
    # Plain HTTP is used for the cluster-internal hop to the auth service.
    address: 'http://traefik-forward-auth.monitoring:4181'
    # Existing X-Forwarded-* headers are passed to the auth service as-is.
    # NOTE(review): this is only safe if the entrypoint drops client-supplied
    # X-Forwarded-* values (Traefik's forwardedHeaders setting) — confirm.
    trustForwardHeader: true
    # Headers copied from the auth service's reply; Set-Cookie is what
    # establishes the session after a successful login.
    authResponseHeaders:
      - X-Forwarded-User
      - Authorization
      - Set-Cookie
---
# Middleware chain used by every HTTPS route. Order matters: authenticate on
# the unmodified path first, then strip the routing prefix, then add headers.
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  namespace: monitoring
  name: common
spec:
  chain:
    middlewares:
      - name: hub-forward-auth
      - name: strip-prefixes
      - name: common-headers
---
# Permanent redirect from plain HTTP to HTTPS, used by the `http` entrypoint
# route so that no monitoring UI is ever served unencrypted.
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  namespace: monitoring
  name: https-redirect
spec:
  redirectScheme:
    scheme: https
    permanent: true
---
# Plain-HTTP entry for the monitoring host: everything is redirected to HTTPS.
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  namespace: monitoring
  name: monitoring-http
spec:
  entryPoints:
    - http
  routes:
    - kind: Rule
      match: Host(`monitoring.imfreedom.org`)
      middlewares:
        - name: https-redirect
      # The redirect answers before any backend is reached; the service below
      # presumably only satisfies the route definition — no traffic should
      # reach it over this entrypoint.
      services:
        - name: traefik-forward-auth
          port: 4181
---
# HTTPS routes for the monitoring host. Every route goes through the `common`
# chain, so Hub login is required before any backend is reached.
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  namespace: monitoring
  name: monitoring
spec:
  entryPoints:
    - https
  routes:
    - kind: Rule
      match: Host(`monitoring.imfreedom.org`) && PathPrefix(`/alertmanager`)
      middlewares:
        - name: common
      services:
        - name: alertmanager-main
          port: 9093
    - kind: Rule
      match: Host(`monitoring.imfreedom.org`) && PathPrefix(`/grafana`)
      middlewares:
        - name: common
      services:
        - name: grafana
          port: 3000
    - kind: Rule
      match: Host(`monitoring.imfreedom.org`) && PathPrefix(`/prometheus`)
      middlewares:
        - name: common
      services:
        - name: prometheus
          port: 9090
    # OIDC callback path. `/_oauth` is not in the strip-prefixes list, so the
    # path reaches traefik-forward-auth unchanged.
    - kind: Rule
      match: Host(`monitoring.imfreedom.org`) && PathPrefix(`/_oauth`)
      middlewares:
        - name: common
      services:
        - name: traefik-forward-auth
          port: 4181
  tls:
    # Populated by the cert-manager Certificate of the same name.
    secretName: monitoring-tls
---
# TLS certificate for the monitoring host, written into the secret that the
# HTTPS IngressRoute references.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  namespace: monitoring
  name: monitoring-tls
spec:
  secretName: monitoring-tls
  issuerRef:
    # No `kind` is given, so cert-manager looks for a namespaced Issuer named
    # `letsencrypt` in `monitoring`. NOTE(review): if `letsencrypt` is a
    # ClusterIssuer, `kind: ClusterIssuer` must be added here.
    name: letsencrypt
  commonName: monitoring.imfreedom.org
  dnsNames:
    - monitoring.imfreedom.org
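---
# The forward-auth service that the `hub-forward-auth` middleware calls.
# Client credentials and the cookie-signing secret are read from the
# `monitoring` Secret, never from this manifest.
apiVersion: apps/v1
kind: Deployment
metadata:
  namespace: monitoring
  name: traefik-forward-auth
  labels:
    app: traefik-forward-auth
spec:
  replicas: 1
  selector:
    matchLabels:
      app: traefik-forward-auth
  template:
    metadata:
      labels:
        app: traefik-forward-auth
    spec:
      containers:
        - name: traefik-forward-auth
          # Mutable major-version tag combined with `Always`: the running build
          # can change silently on any pod restart. Pin to an immutable digest
          # (`thomseddon/traefik-forward-auth:2@sha256:<DIGEST>`) once the
          # deployed image has been verified.
          image: thomseddon/traefik-forward-auth:2
          imagePullPolicy: Always
          args:
            - '--default-provider=oidc'
          env:
            - name: PROVIDERS_OIDC_ISSUER_URL
              value: 'https://hub.imfreedom.org/hub'
            - name: PROVIDERS_OIDC_CLIENT_ID
              valueFrom:
                secretKeyRef:
                  name: monitoring
                  key: client_id
            - name: PROVIDERS_OIDC_CLIENT_SECRET
              valueFrom:
                secretKeyRef:
                  name: monitoring
                  key: client_secret
            # Secret used to sign the session cookie.
            - name: SECRET
              valueFrom:
                secretKeyRef:
                  name: monitoring
                  key: cookie_secret
          ports:
            - name: http
              containerPort: 4181
              protocol: TCP
          # Least privilege for a single binary listening on an unprivileged
          # port: no capabilities, no privilege escalation, no writable root
          # filesystem.
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop:
                - ALL
          # NOTE(review): add `runAsNonRoot: true` with an explicit `runAsUser`
          # once it is confirmed the image does not need to start as root.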
---
# ClusterIP service in front of the forward-auth pods; this is the address the
# `hub-forward-auth` middleware points at.
apiVersion: v1
kind: Service
metadata:
  namespace: monitoring
  name: traefik-forward-auth
  labels:
    app: traefik-forward-auth
spec:
  selector:
    app: traefik-forward-auth
  ports:
    - name: http
      protocol: TCP
      port: 4181
      targetPort: 4181
---
# Service account for the prometheus-operator controller.
apiVersion: v1
kind: ServiceAccount
metadata:
  namespace: monitoring
  name: prometheus-operator
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/name: prometheus-operator
    # Quoted so no tool ever re-types the version label.
    app.kubernetes.io/version: '0.45.0'
---
# Grants the operator's service account the cluster-wide `prometheus-operator`
# ClusterRole (the role itself is not defined in this file).
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: prometheus-operator-monitoring
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/name: prometheus-operator
    app.kubernetes.io/version: '0.45.0'
subjects:
  - kind: ServiceAccount
    namespace: monitoring
    name: prometheus-operator
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: prometheus-operator
---
# The Prometheus instance managed by the operator.
apiVersion: monitoring.coreos.com/v1
kind: Prometheus
metadata:
  namespace: monitoring
  name: prometheus
spec:
  # NOTE(review): the Prometheus pods run under the operator's service
  # account, which the ClusterRoleBinding above ties to the operator's
  # cluster-wide role. A dedicated service account with a read-only role
  # (discovery + /metrics) would be the least-privilege choice.
  serviceAccountName: prometheus-operator
  # Only PodMonitors carrying this label are picked up; no
  # serviceMonitorSelector is set, so ServiceMonitors are presumably ignored.
  podMonitorSelector:
    matchLabels:
      monitoring: cluster-wide
  resources:
    requests:
      cpu: 500m
      memory: 256Mi
    limits:
      cpu: 1000m
      memory: 512Mi
  # The admin API (TSDB deletion/snapshots) stays disabled.
  enableAdminAPI: false
  # The `/prometheus` prefix is stripped by the ingress chain, so the server
  # itself is served from `/`.
  routePrefix: '/'
  externalUrl: 'https://monitoring.imfreedom.org/prometheus/'
---
# Service targeted by the `/prometheus` IngressRoute; selects the pods the
# operator creates for the `prometheus` instance.
apiVersion: v1
kind: Service
metadata:
  namespace: monitoring
  name: prometheus
  labels:
    app: prometheus
spec:
  selector:
    app: prometheus
    prometheus: prometheus
  ports:
    - protocol: TCP
      port: 9090
---