HGKeeper

imfreedom/k8s-cluster

move 20-ingress to kustomize

2021-06-17, Gary Kramlich

2a80a8c7c4bd

Parents 05053591ada4
Children 7a38982c1148

move 20-ingress to kustomize

6 files changed, 356 insertions(+), 378 deletions(-)

+0 -378

20-ingress.yaml

+92 -0

20-ingress/crd.yaml

+8 -0

20-ingress/kustomization.yaml

+167 -0

20-ingress/manifest.yaml

+18 -0

20-ingress/prometheus.yaml

+71 -0

20-ingress/rbac.yaml

~~--- a/20-ingress.yaml Thu Jun 17 04:25:47 2021 -0500~~

+++ /dev/null Thu Jan 01 00:00:00 1970 +0000

@@ -1,378 +0,0 @@

~~-# The most recent CRDs and RBAC configurations can be found at~~

~~-# https://doc.traefik.io/traefik/reference/dynamic-configuration/kubernetes-crd/#definitions~~

~~----~~

~~-apiVersion: apiextensions.k8s.io/v1beta1~~

~~-kind: CustomResourceDefinition~~

~~-metadata:~~

~~- name: ingressroutes.traefik.containo.us~~

~~-spec:~~

~~- group: traefik.containo.us~~

~~- version: v1alpha1~~

~~- names:~~

~~- kind: IngressRoute~~

~~- plural: ingressroutes~~

~~- singular: ingressroute~~

~~- scope: Namespaced~~

~~----~~

~~-apiVersion: apiextensions.k8s.io/v1beta1~~

~~-kind: CustomResourceDefinition~~

~~-metadata:~~

~~- name: ingressroutetcps.traefik.containo.us~~

~~-spec:~~

~~- group: traefik.containo.us~~

~~- version: v1alpha1~~

~~- names:~~

~~- kind: IngressRouteTCP~~

~~- plural: ingressroutetcps~~

~~- singular: ingressroutetcp~~

~~- scope: Namespaced~~

~~----~~

~~-apiVersion: apiextensions.k8s.io/v1beta1~~

~~-kind: CustomResourceDefinition~~

~~-metadata:~~

~~- name: middlewares.traefik.containo.us~~

~~-spec:~~

~~- group: traefik.containo.us~~

~~- version: v1alpha1~~

~~- names:~~

~~- kind: Middleware~~

~~- plural: middlewares~~

~~- singular: middleware~~

~~- scope: Namespaced~~

~~----~~

~~-apiVersion: apiextensions.k8s.io/v1beta1~~

~~-kind: CustomResourceDefinition~~

~~-metadata:~~

~~- name: tlsoptions.traefik.containo.us~~

~~-spec:~~

~~- group: traefik.containo.us~~

~~- version: v1alpha1~~

~~- names:~~

~~- kind: TLSOption~~

~~- plural: tlsoptions~~

~~- singular: tlsoption~~

~~- scope: Namespaced~~

~~----~~

~~-apiVersion: apiextensions.k8s.io/v1beta1~~

~~-kind: CustomResourceDefinition~~

~~-metadata:~~

~~- name: traefikservices.traefik.containo.us~~

~~-spec:~~

~~- group: traefik.containo.us~~

~~- version: v1alpha1~~

~~- names:~~

~~- kind: TraefikService~~

~~- plural: traefikservices~~

~~- singular: traefikservice~~

~~- scope: Namespaced~~

~~----~~

~~-apiVersion: apiextensions.k8s.io/v1beta1~~

~~-kind: CustomResourceDefinition~~

~~-metadata:~~

~~- name: tlsstores.traefik.containo.us~~

~~-spec:~~

~~- group: traefik.containo.us~~

~~- version: v1alpha1~~

~~- names:~~

~~- kind: TLSStore~~

~~- plural: tlsstores~~

~~- singular: tlsstore~~

~~- scope: Namespaced~~

~~----~~

~~-apiVersion: apiextensions.k8s.io/v1beta1~~

~~-kind: CustomResourceDefinition~~

~~-metadata:~~

~~- name: ingressrouteudps.traefik.containo.us~~

~~-spec:~~

~~- group: traefik.containo.us~~

~~- version: v1alpha1~~

~~- names:~~

~~- kind: IngressRouteUDP~~

~~- plural: ingressrouteudps~~

~~- singular: ingressrouteudp~~

~~- scope: Namespaced~~

~~----~~

~~-apiVersion: v1~~

~~-kind: ServiceAccount~~

~~-metadata:~~

~~- name: traefik-service-account~~

~~- namespace: kube-public~~

~~- labels:~~

~~- app: traefik~~

~~- role: controller~~

~~----~~

~~-kind: ClusterRole~~

~~-apiVersion: rbac.authorization.k8s.io/v1beta1~~

~~-metadata:~~

~~- name: traefik-cluster-role~~

~~-rules:~~

~~- - apiGroups:~~

~~- - ""~~

~~- resources:~~

~~- - services~~

~~- - endpoints~~

~~- - secrets~~

~~- verbs:~~

~~- - get~~

~~- - list~~

~~- - watch~~

~~- - apiGroups:~~

~~- - extensions~~

~~- - networking.k8s.io~~

~~- resources:~~

~~- - ingresses~~

~~- - ingressclasses~~

~~- verbs:~~

~~- - get~~

~~- - list~~

~~- - watch~~

~~- - apiGroups:~~

~~- - extensions~~

~~- resources:~~

~~- - ingresses/status~~

~~- verbs:~~

~~- - update~~

~~- - apiGroups:~~

~~- - traefik.containo.us~~

~~- resources:~~

~~- - middlewares~~

~~- - ingressroutes~~

~~- - traefikservices~~

~~- - ingressroutetcps~~

~~- - ingressrouteudps~~

~~- - tlsoptions~~

~~- - tlsstores~~

~~- verbs:~~

~~- - get~~

~~- - list~~

~~- - watch~~

~~----~~

~~-apiVersion: rbac.authorization.k8s.io/v1~~

~~-kind: ClusterRoleBinding~~

~~-metadata:~~

~~- name: traefik-cluster-role-binding~~

~~- labels:~~

~~- app: traefik~~

~~- role: controller~~

~~-roleRef:~~

~~- apiGroup: rbac.authorization.k8s.io~~

~~- kind: ClusterRole~~

~~- name: traefik-cluster-role~~

~~-subjects:~~

~~- - kind: ServiceAccount~~

~~- name: traefik-service-account~~

~~- namespace: kube-public~~

~~----~~

~~-apiVersion: traefik.containo.us/v1alpha1~~

~~-kind: TLSOption~~

~~-metadata:~~

~~- name: default~~

~~- namespace: kube-public~~

~~-spec:~~

~~- minVersion: VersionTLS12~~

~~- maxVersion: VersionTLS13~~

~~- cipherSuites:~~

~~- - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256~~

~~- - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384~~

~~- sniStrict: true~~

~~----~~

~~-apiVersion: policy/v1beta1~~

~~-kind: PodDisruptionBudget~~

~~-metadata:~~

~~- name: traefik~~

~~- namespace: kube-public~~

~~-spec:~~

~~- minAvailable: 1~~

~~- selector:~~

~~- matchLabels:~~

~~- app: traefik~~

~~- role: controller~~

~~----~~

~~-apiVersion: apps/v1~~

~~-kind: Deployment~~

~~-metadata:~~

~~- name: traefik~~

~~- namespace: kube-public~~

~~- labels:~~

~~- app: traefik~~

~~- role: controller~~

~~-spec:~~

~~- replicas: 2~~

~~- selector:~~

~~- matchLabels:~~

~~- app: traefik~~

~~- role: controller~~

~~- template:~~

~~- metadata:~~

~~- labels:~~

~~- app: traefik~~

~~- role: controller~~

~~- prometheus: cluster-wide~~

~~- spec:~~

~~- affinity:~~

~~- podAntiAffinity:~~

~~- preferredDuringSchedulingIgnoredDuringExecution:~~

~~- - podAffinityTerm:~~

~~- labelSelector:~~

~~- matchExpressions:~~

~~- - key: app~~

~~- operator: In~~

~~- values:~~

~~- - traefik~~

~~- - key: role~~

~~- operator: In~~

~~- values:~~

~~- - controller~~

~~- topologyKey: failure-domain.beta.kubernetes.io/region~~

~~- weight: 100~~

~~- serviceAccountName: traefik-service-account~~

~~- containers:~~

~~- - name: traefik-ingress-controller~~

~~- image: docker.io/traefik:v2.3.6~~

~~- args:~~

~~- - "--global.checknewversion=false"~~

~~- - "--global.sendanonymoususage=false"~~

~~- - "--api.dashboard=true"~~

~~- - "--api.insecure=true"~~

~~- - "--ping=true"~~

~~- - "--providers.kubernetescrd=true"~~

~~- - "--providers.kubernetesingress=true"~~

~~- - "--metrics.prometheus=true"~~

~~- - "--log.level=error"~~

~~- - "--entryPoints.traefik.address=:9000"~~

~~- - "--entryPoints.https.address=:8443"~~

~~- - "--entryPoints.http.address=:8080"~~

~~- - "--entryPoints.keep-ssh.address=:22222"~~

~~- - "--entryPoints.xmpp-c2s.address=:5222"~~

~~- - "--entryPoints.xmpp-s2s.address=:5269"~~

~~- readinessProbe:~~

~~- httpGet:~~

~~- path: /ping~~

~~- port: 9000~~

~~- failureThreshold: 1~~

~~- initialDelaySeconds: 10~~

~~- periodSeconds: 10~~

~~- successThreshold: 1~~

~~- timeoutSeconds: 2~~

~~- livenessProbe:~~

~~- httpGet:~~

~~- path: /ping~~

~~- port: 9000~~

~~- failureThreshold: 3~~

~~- initialDelaySeconds: 10~~

~~- periodSeconds: 10~~

~~- successThreshold: 1~~

~~- timeoutSeconds: 2~~

~~- ports:~~

~~- - name: traefik~~

~~- containerPort: 9000~~

~~- - name: keep-ssh~~

~~- containerPort: 22222~~

~~- - name: http~~

~~- containerPort: 8080~~

~~- - name: https~~

~~- containerPort: 8443~~

~~- - name: xmpp-c2s~~

~~- containerPort: 5222~~

~~- - name: xmpp-s2s~~

~~- containerPort: 5269~~

~~- resources:~~

~~- limits:~~

~~- cpu: 300m~~

~~- memory: 150Mi~~

~~- requests:~~

~~- cpu: 100m~~

~~- memory: 50Mi~~

~~----~~

~~-apiVersion: v1~~

~~-kind: Service~~

~~-metadata:~~

~~- name: ingress~~

~~- namespace: kube-public~~

~~- labels:~~

~~- app: ingress~~

~~- role: controller~~

~~-spec:~~

~~- selector:~~

~~- app: traefik~~

~~- role: controller~~

~~- type: LoadBalancer~~

~~- externalTrafficPolicy: Cluster~~

~~- ports:~~

~~- - name: http~~

~~- port: 80~~

~~- targetPort: http~~

~~- - name: https~~

~~- port: 443~~

~~- targetPort: https~~

~~- - name: hgkeeper~~

~~- port: 22~~

~~- targetPort: keep-ssh~~

~~- - name: xmpp-c2s~~

~~- port: 5222~~

~~- targetPort: xmpp-c2s~~

~~- - name: xmpp-s2s~~

~~- port: 5269~~

~~- targetPort: xmpp-s2s~~

~~----~~

~~-apiVersion: v1~~

~~-kind: Service~~

~~-metadata:~~

~~- name: traefik-dashboard~~

~~- namespace: kube-public~~

~~- labels:~~

~~- app: ingress~~

~~- role: dashboard~~

~~-spec:~~

~~- selector:~~

~~- app: traefik~~

~~- role: controller~~

~~- ports:~~

~~- - port: 9000~~

~~- name: traefik~~

~~- protocol: TCP~~

~~----~~

~~-apiVersion: networking.k8s.io/v1~~

~~-kind: NetworkPolicy~~

~~-metadata:~~

~~- namespace: kube-public~~

~~- name: traefik~~

~~- labels:~~

~~- app: traefik~~

~~- role: controller~~

~~-spec:~~

~~- podSelector:~~

~~- matchLabels:~~

~~- app: traefik~~

~~- role: controller~~

~~- ingress:~~

~~- - from:~~

~~- - namespaceSelector:~~

~~- matchLabels:~~

~~- name: monitoring~~

~~- podSelector:~~

~~- matchLabels:~~

~~- app: prometheus~~

~~- prometheus: k8s~~

~~- ports:~~

~~- - port: traefik~~

~~- protocol: TCP~~

~~----~~

~~-apiVersion: monitoring.coreos.com/v1~~

~~-kind: ServiceMonitor~~

~~-metadata:~~

~~- namespace: kube-public~~

~~- name: traefik~~

~~- labels:~~

~~- app: traefik~~

~~- role: controller~~

~~- prometheus: cluster-wide~~

~~-spec:~~

~~- selector:~~

~~- matchLabels:~~

~~- app: ingress~~

~~- role: dashboard~~

~~- endpoints:~~

~~- - port: traefik~~

~~- interval: 15s~~

~~----~~

~~--- /dev/null Thu Jan 01 00:00:00 1970 +0000~~

+++ b/20-ingress/crd.yaml Thu Jun 17 04:33:14 2021 -0500

@@ -0,0 +1,92 @@

+---

+apiVersion: apiextensions.k8s.io/v1beta1

+kind: CustomResourceDefinition

+metadata:

+ name: ingressroutes.traefik.containo.us

+spec:

+ group: traefik.containo.us

+ version: v1alpha1

+ names:

+ kind: IngressRoute

+ plural: ingressroutes

+ singular: ingressroute

+ scope: Namespaced

+---

+apiVersion: apiextensions.k8s.io/v1beta1

+kind: CustomResourceDefinition

+metadata:

+ name: ingressroutetcps.traefik.containo.us

+spec:

+ group: traefik.containo.us

+ version: v1alpha1

+ names:

+ kind: IngressRouteTCP

+ plural: ingressroutetcps

+ singular: ingressroutetcp

+ scope: Namespaced

+---

+apiVersion: apiextensions.k8s.io/v1beta1

+kind: CustomResourceDefinition

+metadata:

+ name: middlewares.traefik.containo.us

+spec:

+ group: traefik.containo.us

+ version: v1alpha1

+ names:

+ kind: Middleware

+ plural: middlewares

+ singular: middleware

+ scope: Namespaced

+---

+apiVersion: apiextensions.k8s.io/v1beta1

+kind: CustomResourceDefinition

+metadata:

+ name: tlsoptions.traefik.containo.us

+spec:

+ group: traefik.containo.us

+ version: v1alpha1

+ names:

+ kind: TLSOption

+ plural: tlsoptions

+ singular: tlsoption

+ scope: Namespaced

+---

+apiVersion: apiextensions.k8s.io/v1beta1

+kind: CustomResourceDefinition

+metadata:

+ name: traefikservices.traefik.containo.us

+spec:

+ group: traefik.containo.us

+ version: v1alpha1

+ names:

+ kind: TraefikService

+ plural: traefikservices

+ singular: traefikservice

+ scope: Namespaced

+---

+apiVersion: apiextensions.k8s.io/v1beta1

+kind: CustomResourceDefinition

+metadata:

+ name: tlsstores.traefik.containo.us

+spec:

+ group: traefik.containo.us

+ version: v1alpha1

+ names:

+ kind: TLSStore

+ plural: tlsstores

+ singular: tlsstore

+ scope: Namespaced

+---

+apiVersion: apiextensions.k8s.io/v1beta1

+kind: CustomResourceDefinition

+metadata:

+ name: ingressrouteudps.traefik.containo.us

+spec:

+ group: traefik.containo.us

+ version: v1alpha1

+ names:

+ kind: IngressRouteUDP

+ plural: ingressrouteudps

+ singular: ingressrouteudp

+ scope: Namespaced

+---

~~--- /dev/null Thu Jan 01 00:00:00 1970 +0000~~

+++ b/20-ingress/kustomization.yaml Thu Jun 17 04:33:14 2021 -0500

@@ -0,0 +1,8 @@

+---

+namespace: kube-public

+resources:

+ - crd.yaml

+ - rbac.yaml

+ - manifest.yaml

+ - prometheus.yaml

+---

~~--- /dev/null Thu Jan 01 00:00:00 1970 +0000~~

+++ b/20-ingress/manifest.yaml Thu Jun 17 04:33:14 2021 -0500

@@ -0,0 +1,167 @@

+# The most recent CRDs and RBAC configurations can be found at

+# https://doc.traefik.io/traefik/reference/dynamic-configuration/kubernetes-crd/#definitions

+---

+apiVersion: traefik.containo.us/v1alpha1

+kind: TLSOption

+metadata:

+ name: default

+spec:

+ minVersion: VersionTLS12

+ maxVersion: VersionTLS13

+ cipherSuites:

+ - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

+ - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

+ sniStrict: true

+---

+apiVersion: policy/v1beta1

+kind: PodDisruptionBudget

+metadata:

+ name: traefik

+spec:

+ minAvailable: 1

+ selector:

+ matchLabels:

+ app: traefik

+ role: controller

+---

+apiVersion: apps/v1

+kind: Deployment

+metadata:

+ name: traefik

+ labels:

+ app: traefik

+ role: controller

+spec:

+ replicas: 2

+ selector:

+ matchLabels:

+ app: traefik

+ role: controller

+ template:

+ metadata:

+ labels:

+ app: traefik

+ role: controller

+ prometheus: cluster-wide

+ spec:

+ affinity:

+ podAntiAffinity:

+ preferredDuringSchedulingIgnoredDuringExecution:

+ - podAffinityTerm:

+ labelSelector:

+ matchExpressions:

+ - key: app

+ operator: In

+ values:

+ - traefik

+ - key: role

+ operator: In

+ values:

+ - controller

+ topologyKey: failure-domain.beta.kubernetes.io/region

+ weight: 100

+ serviceAccountName: traefik-service-account

+ containers:

+ - name: traefik-ingress-controller

+ image: docker.io/traefik:v2.3.6

+ args:

+ - "--global.checknewversion=false"

+ - "--global.sendanonymoususage=false"

+ - "--api.dashboard=true"

+ - "--api.insecure=true"

+ - "--ping=true"

+ - "--providers.kubernetescrd=true"

+ - "--providers.kubernetesingress=true"

+ - "--metrics.prometheus=true"

+ - "--log.level=error"

+ - "--entryPoints.traefik.address=:9000"

+ - "--entryPoints.https.address=:8443"

+ - "--entryPoints.http.address=:8080"

+ - "--entryPoints.keep-ssh.address=:22222"

+ - "--entryPoints.xmpp-c2s.address=:5222"

+ - "--entryPoints.xmpp-s2s.address=:5269"

+ readinessProbe:

+ httpGet:

+ path: /ping

+ port: 9000

+ failureThreshold: 1

+ initialDelaySeconds: 10

+ periodSeconds: 10

+ successThreshold: 1

+ timeoutSeconds: 2

+ livenessProbe:

+ httpGet:

+ path: /ping

+ port: 9000

+ failureThreshold: 3

+ initialDelaySeconds: 10

+ periodSeconds: 10

+ successThreshold: 1

+ timeoutSeconds: 2

+ ports:

+ - name: traefik

+ containerPort: 9000

+ - name: keep-ssh

+ containerPort: 22222

+ - name: http

+ containerPort: 8080

+ - name: https

+ containerPort: 8443

+ - name: xmpp-c2s

+ containerPort: 5222

+ - name: xmpp-s2s

+ containerPort: 5269

+ resources:

+ limits:

+ cpu: 300m

+ memory: 150Mi

+ requests:

+ cpu: 100m

+ memory: 50Mi

+---

+apiVersion: v1

+kind: Service

+metadata:

+ name: ingress

+ labels:

+ app: ingress

+ role: controller

+spec:

+ selector:

+ app: traefik

+ role: controller

+ type: LoadBalancer

+ externalTrafficPolicy: Cluster

+ ports:

+ - name: http

+ port: 80

+ targetPort: http

+ - name: https

+ port: 443

+ targetPort: https

+ - name: hgkeeper

+ port: 22

+ targetPort: keep-ssh

+ - name: xmpp-c2s

+ port: 5222

+ targetPort: xmpp-c2s

+ - name: xmpp-s2s

+ port: 5269

+ targetPort: xmpp-s2s

+---

+apiVersion: v1

+kind: Service

+metadata:

+ name: traefik-dashboard

+ labels:

+ app: ingress

+ role: dashboard

+spec:

+ selector:

+ app: traefik

+ role: controller

+ ports:

+ - port: 9000

+ name: traefik

+ protocol: TCP

+---

~~--- /dev/null Thu Jan 01 00:00:00 1970 +0000~~

+++ b/20-ingress/prometheus.yaml Thu Jun 17 04:33:14 2021 -0500

@@ -0,0 +1,18 @@

+---

+apiVersion: monitoring.coreos.com/v1

+kind: ServiceMonitor

+metadata:

+ name: traefik

+ labels:

+ app: traefik

+ role: controller

+ prometheus: cluster-wide

+spec:

+ selector:

+ matchLabels:

+ app: ingress

+ role: dashboard

+ endpoints:

+ - port: traefik

+ interval: 15s

+---

~~--- /dev/null Thu Jan 01 00:00:00 1970 +0000~~

+++ b/20-ingress/rbac.yaml Thu Jun 17 04:33:14 2021 -0500

@@ -0,0 +1,71 @@

+---

+apiVersion: v1

+kind: ServiceAccount

+metadata:

+ name: traefik-service-account

+ labels:

+ app: traefik

+ role: controller

+---

+kind: ClusterRole

+apiVersion: rbac.authorization.k8s.io/v1beta1

+metadata:

+ name: traefik-cluster-role

+rules:

+ - apiGroups:

+ - ""

+ resources:

+ - services

+ - endpoints

+ - secrets

+ verbs:

+ - get

+ - list

+ - watch

+ - apiGroups:

+ - extensions

+ - networking.k8s.io

+ resources:

+ - ingresses

+ - ingressclasses

+ verbs:

+ - get

+ - list

+ - watch

+ - apiGroups:

+ - extensions

+ resources:

+ - ingresses/status

+ verbs:

+ - update

+ - apiGroups:

+ - traefik.containo.us

+ resources:

+ - middlewares

+ - ingressroutes

+ - traefikservices

+ - ingressroutetcps

+ - ingressrouteudps

+ - tlsoptions

+ - tlsstores

+ verbs:

+ - get

+ - list

+ - watch

+---

+apiVersion: rbac.authorization.k8s.io/v1

+kind: ClusterRoleBinding

+metadata:

+ name: traefik-cluster-role-binding

+ labels:

+ app: traefik

+ role: controller

+roleRef:

+ apiGroup: rbac.authorization.k8s.io

+ kind: ClusterRole

+ name: traefik-cluster-role

+subjects:

+ - kind: ServiceAccount

+ name: traefik-service-account

+ namespace: kube-public

+---