HGKeeper

update a ton of stuff to the new traefik ingress controller as well as the new roost namespace

2020-02-11, Gary Kramlich

585a58194c6e

Parents 9b71c5a1ade0
Children 951a7052a1f8

update a ton of stuff to the new traefik ingress controller as well as the new roost namespace

8 files changed, 348 insertions(+), 215 deletions(-)

+13 -0

40-roost-middleware.yaml

+29 -19

50-carrier.pidgin.im.yaml

+91 -54

50-docs.pidgin.im.yaml

+29 -22

50-gaim.pidgin.im.yaml

+47 -57

50-imfreedom.org.yaml

+51 -28

50-keep.imfreedom.org.yaml

+47 -25

50-nest.pidgin.im.yaml

+41 -10

50-xmpp.imfreedom.org.yaml

~~--- /dev/null Thu Jan 01 00:00:00 1970 +0000~~

+++ b/40-roost-middleware.yaml Tue Feb 11 03:35:54 2020 -0600

@@ -0,0 +1,13 @@

+# This file contains common traefik middleware for the roost namespace.

+---

+apiVersion: traefik.containo.us/v1alpha1

+kind: Middleware

+metadata:

+ name: common-headers

+ namespace: roost

+spec:

+ headers:

+ customResponseHeaders:

+ X-Frame-Options: SAMEORIGIN

+---

+

~~--- a/50-carrier.pidgin.im.yaml Tue Feb 11 03:34:52 2020 -0600~~

+++ b/50-carrier.pidgin.im.yaml Tue Feb 11 03:35:54 2020 -0600

@@ -1,26 +1,36 @@

# carrier is a simple web app that handles web hooks for us and acts on them.

---

~~-apiVersion: extensions/v1beta1~~

~~-kind: Ingress~~

+apiVersion: traefik.containo.us/v1alpha1

+kind: IngressRoute

+metadata:

+ name: carrier

+ namespace: roost

+spec:

+ entryPoints:

+ - https

+ routes:

+ - match: Host(`carrier.pidgin.im`)

+ kind: Rule

+ services:

+ - name: carrier

+ port: 3333

+ middlewares:

+ - name: common-headers

+ tls:

+ secretName: carrier-tls

+---

+apiVersion: cert-manager.io/v1alpha2

+kind: Certificate

metadata:

namespace: roost

~~- name: carrier~~

~~- annotations:~~

~~- cert-manager.io/issuer: letsencrypt~~

~~- labels:~~

~~- app: carrier~~

+ name: carrier-tls

spec:

~~- rules:~~

~~- - host: carrier.pidgin.im~~

~~- http:~~

~~- paths:~~

~~- - backend:~~

~~- serviceName: carrier~~

~~- servicePort: 3333~~

~~- tls:~~

~~- - hosts:~~

~~- - carrier.pidgin.im~~

~~- secretName: carrier-tls~~

+ secretName: carrier-tls

+ issuerRef:

+ name: letsencrypt

+ commonName: carrier.pidgin.im

+ dnsNames:

+ - carrier.pidgin.im

---

apiVersion: v1

kind: Service

@@ -54,7 +64,7 @@

podSelector:

matchLabels:

~~- app: ingress~~

+ app: traefik

role: controller

ports:

- port: 3333

~~--- a/50-docs.pidgin.im.yaml Tue Feb 11 03:34:52 2020 -0600~~

+++ b/50-docs.pidgin.im.yaml Tue Feb 11 03:35:54 2020 -0600

@@ -1,57 +1,94 @@

# this manifest contains an ingress that does path based matching to route to

# individual services that are runnings the docs via a simple http server.

---

~~-apiVersion: extensions/v1beta1~~

~~-kind: Ingress~~

+apiVersion: traefik.containo.us/v1alpha1

+kind: Middleware

+metadata:

+ name: docs-strip-prefix

+ namespace: roost

+spec:

+ stripPrefix:

+ forceSlash: false

+ prefixes:

+ - /gplugin/latest

+ - /gplugin-gtk/latest

+ - /libgnt/latest

+ - /libgnt/next

+ - /pidgin/2.x.y

+ - /talkatu/latest

+---

+apiVersion: traefik.containo.us/v1alpha1

+kind: IngressRoute

+metadata:

+ name: docs-pidgin-im

+ namespace: roost

+spec:

+ entryPoints:

+ - https

+ routes:

+ - match: Host(`docs.pidgin.im`) && PathPrefix(`/pidgin/2.x.y`)

+ kind: Rule

+ services:

+ - name: docs-pidgin-2-x-y

+ port: 3000

+ middlewares:

+ - name: docs-strip-prefix

+ - name: common-headers

+ - match: Host(`docs.pidgin.im`) && PathPrefix(`/gplugin/latest`)

+ kind: Rule

+ services:

+ - name: docs-gplugin-latest

+ port: 3000

+ middlewares:

+ - name: docs-strip-prefix

+ - name: common-headers

+ - match: Host(`docs.pidgin.im`) && PathPrefix(`/gplugin-gtk/latest`)

+ kind: Rule

+ services:

+ - name: docs-gplugin-gtk-latest

+ port: 3000

+ middlewares:

+ - name: docs-strip-prefix

+ - name: common-headers

+ - match: Host(`docs.pidgin.im`) && PathPrefix(`/libgnt/latest`)

+ kind: Rule

+ services:

+ - name: docs-libgnt-latest

+ port: 3000

+ middlewares:

+ - name: docs-strip-prefix

+ - name: common-headers

+ - match: Host(`docs.pidgin.im`) && PathPrefix(`/libgnt/next`)

+ kind: Rule

+ services:

+ - name: docs-libgnt-next

+ port: 3000

+ middlewares:

+ - name: docs-strip-prefix

+ - name: common-headers

+ - match: Host(`docs.pidgin.im`) && PathPrefix(`/talkatu/latest`)

+ kind: Rule

+ services:

+ - name: docs-talkatu-latest

+ port: 3000

+ middlewares:

+ - name: docs-strip-prefix

+ - name: common-headers

+ tls:

+ secretName: docs-tls

+---

+apiVersion: cert-manager.io/v1alpha2

+kind: Certificate

metadata:

namespace: roost

~~- name: docs~~

~~- annotations:~~

~~- cert-manager.io/issuer: letsencrypt~~

~~- nginx.ingress.kubernetes.io/rewrite-target: /$2~~

~~- nginx.ingress.kubernetes.io/configuration-snippet: |~~

~~- more_set_headers "X-Frame-Options: SAMEORIGIN";~~

~~- rewrite ^(/gplugin/latest)$ $1/ redirect;~~

~~- rewrite ^(/gplugin-gtk/latest)$ $1/ redirect;~~

~~- rewrite ^(/libgnt/latest)$ $1/ redirect;~~

~~- rewrite ^(/libgnt/next)$ $1/ redirect;~~

~~- rewrite ^(/pidgin/2.x.y)$ $1/ redirect;~~

~~- rewrite ^(/talkatu/latest)$ $1/ redirect;~~

~~- labels:~~

~~- app: docs~~

+ name: docs-tls

spec:

~~- rules:~~

~~- - host: docs.pidgin.im~~

~~- http:~~

~~- paths:~~

~~- - backend:~~

~~- serviceName: docs-gplugin-latest~~

~~- servicePort: 3000~~

~~- path: /gplugin/latest(/|$)(.*)~~

~~- - backend:~~

~~- serviceName: docs-gplugin-gtk-latest~~

~~- servicePort: 3000~~

~~- path: /gplugin-gtk/latest(/|$)(.*)~~

~~- - backend:~~

~~- serviceName: docs-libgnt-latest~~

~~- servicePort: 3000~~

~~- path: /libgnt/latest(/|$)(.*)~~

~~- - backend:~~

~~- serviceName: docs-libgnt-next~~

~~- servicePort: 3000~~

~~- path: /libgnt/next(/|$)(.*)~~

~~- - backend:~~

~~- serviceName: docs-pidgin-2-x-y~~

~~- servicePort: 3000~~

~~- path: /pidgin/2.x.y(/|$)(.*)~~

~~- - backend:~~

~~- serviceName: docs-talkatu-latest~~

~~- servicePort: 3000~~

~~- path: /talkatu/latest(/|$)(.*)~~

~~- tls:~~

~~- - hosts:~~

~~- - docs.pidgin.im~~

~~- secretName: docs-tls~~

+ secretName: docs-tls

+ issuerRef:

+ name: letsencrypt

+ commonName: docs.pidgin.im

+ dnsNames:

+ - docs.pidgin.im

---

apiVersion: v1

kind: Service

@@ -89,7 +126,7 @@

podSelector:

matchLabels:

~~- app: ingress~~

+ app: traefik

role: controller

ports:

- port: 3000

@@ -181,7 +218,7 @@

podSelector:

matchLabels:

~~- app: ingress~~

+ app: traefik

role: controller

ports:

- port: 3000

@@ -273,7 +310,7 @@

podSelector:

matchLabels:

~~- app: ingress~~

+ app: traefik

role: controller

ports:

- port: 3000

@@ -365,7 +402,7 @@

podSelector:

matchLabels:

~~- app: ingress~~

+ app: traefik

role: controller

ports:

- port: 3000

@@ -457,7 +494,7 @@

podSelector:

matchLabels:

~~- app: ingress~~

+ app: traefik

role: controller

ports:

- port: 3000

@@ -549,7 +586,7 @@

podSelector:

matchLabels:

~~- app: ingress~~

+ app: traefik

role: controller

ports:

- port: 3000

~~--- a/50-gaim.pidgin.im.yaml Tue Feb 11 03:34:52 2020 -0600~~

+++ b/50-gaim.pidgin.im.yaml Tue Feb 11 03:35:54 2020 -0600

@@ -1,28 +1,35 @@

---

~~-apiVersion: extensions/v1beta1~~

~~-kind: Ingress~~

+apiVersion: traefik.containo.us/v1alpha1

+kind: IngressRoute

+metadata:

+ name: gaim

+ namespace: roost

+spec:

+ entryPoints:

+ - https

+ routes:

+ - match: Host(`gaim.pidgin.im`)

+ kind: Rule

+ services:

+ - name: gaim

+ port: 80

+ middlewares:

+ - name: common-headers

+ tls:

+ secretName: gaim-tls

+---

+apiVersion: cert-manager.io/v1alpha2

+kind: Certificate

metadata:

namespace: roost

~~- name: gaim~~

~~- annotations:~~

~~- cert-manager.io/issuer: letsencrypt~~

~~- nginx.ingress.kubernetes.io/configuration-snippet: |~~

~~- more_set_headers "X-Frame-Options: SAMEORIGIN";~~

~~- labels:~~

~~- app: gaim~~

+ name: gaim-tls

spec:

~~- rules:~~

~~- - host: gaim.pidgin.im~~

~~- http:~~

~~- paths:~~

~~- - backend:~~

~~- serviceName: gaim~~

~~- servicePort: 80~~

~~- path: /~~

~~- tls:~~

~~- - hosts:~~

~~- - gaim.pidgin.im~~

~~- secretName: gaim-tls~~

+ secretName: gaim-tls

+ issuerRef:

+ name: letsencrypt

+ commonName: gaim.pidgin.im

+ dnsNames:

+ - gaim.pidgin.im

---

apiVersion: v1

kind: Service

@@ -56,7 +63,7 @@

podSelector:

matchLabels:

~~- app: ingress~~

+ app: traefik

role: controller

ports:

- port: 80

~~--- a/50-imfreedom.org.yaml Tue Feb 11 03:34:52 2020 -0600~~

+++ b/50-imfreedom.org.yaml Tue Feb 11 03:35:54 2020 -0600

@@ -1,84 +1,74 @@

---

~~-apiVersion: extensions/v1beta1~~

~~-kind: Ingress~~

+apiVersion: traefik.containo.us/v1alpha1

+kind: IngressRoute

metadata:

~~- namespace: imfreedom~~

~~- name: www~~

~~- annotations:~~

~~- cert-manager.io/issuer: letsencrypt~~

~~- nginx.ingress.kubernetes.io/configuration-snippet: |~~

~~- more_set_headers "X-Frame-Options: SAMEORIGIN";~~

~~- # proxy_buffering off;~~

~~- tcp_nodelay on;~~

~~- labels:~~

~~- app: www~~

+ name: imfreedom

+ namespace: roost

spec:

~~- rules:~~

~~- - host: imfreedom.org~~

~~- http:~~

~~- paths:~~

~~- - backend:~~

~~- serviceName: www~~

~~- servicePort: 3000~~

~~- path: /~~

~~- - host: www.imfreedom.org~~

~~- http:~~

~~- paths:~~

~~- - backend:~~

~~- serviceName: www~~

~~- servicePort: 3000~~

~~- path: /~~

~~- - host: xmpp.imfreedom.org~~

~~- http:~~

~~- paths:~~

~~- - backend:~~

~~- serviceName: prosody~~

~~- servicePort: 5280~~

~~- path: /~~

~~- - host: conference.imfreedom.org~~

~~- http:~~

~~- paths:~~

~~- - backend:~~

~~- serviceName: prosody~~

~~- servicePort: 5280~~

+ entryPoints:

+ - https

+ routes:

+ - match: Host(`imfreedom.org`) || Host(`www.imfreedom.org`)

+ kind: Rule

+ services:

+ - name: imfreedom-org

+ port: 3000

+ middlewares:

+ - name: common-headers

+ - match: Host(`xmpp.imfreedom.org`) || Host(`conference.imfreedom.org`)

+ kind: Rule

+ services:

+ - name: prosody

+ port: 5280

tls:

~~- - hosts:~~

~~- - imfreedom.org~~

~~- - www.imfreedom.org~~

~~- - xmpp.imfreedom.org~~

~~- - conference.imfreedom.org~~

~~- secretName: www-tls~~

+ secretName: imfreedom-tls

+---

+apiVersion: cert-manager.io/v1alpha2

+kind: Certificate

+metadata:

+ namespace: roost

+ name: imfreedom-tls

+spec:

+ secretName: imfreedom-tls

+ issuerRef:

+ name: letsencrypt

+ commonName: imfreedom.org

+ dnsNames:

+ - imfreedom.org

+ - www.imfreedom.org

+ - xmpp.imfreedom.org

+ - conference.imfreedom.org

---

apiVersion: v1

kind: Service

metadata:

~~- namespace: imfreedom~~

+ namespace: roost

labels:

~~- app: www~~

~~- name: www~~

+ app: imfreedom-org

+ name: imfreedom-org

spec:

ports:

- port: 3000

protocol: TCP

selector:

~~- app: www~~

+ app: imfreedom-org

---

apiVersion: apps/v1

kind: Deployment

metadata:

~~- namespace: imfreedom~~

~~- name: www~~

+ namespace: roost

+ name: imfreedom-org

labels:

~~- app: www~~

+ app: imfreedom-org

spec:

replicas: 2

selector:

matchLabels:

~~- app: www~~

+ app: imfreedom-org

template:

metadata:

labels:

~~- app: www~~

+ app: imfreedom-org

spec:

affinity:

podAntiAffinity:

@@ -89,11 +79,11 @@

- key: app

operator: In

values:

~~- - www~~

+ - imfreedom-org

topologyKey: failure-domain.beta.kubernetes.io/region

weight: 100

containers:

~~- - name: www~~

+ - name: http

image: imfreedom/www:latest

imagePullPolicy: Always

ports:

~~--- a/50-keep.imfreedom.org.yaml Tue Feb 11 03:34:52 2020 -0600~~

+++ b/50-keep.imfreedom.org.yaml Tue Feb 11 03:35:54 2020 -0600

@@ -1,33 +1,55 @@

---

~~-apiVersion: extensions/v1beta1~~

~~-kind: Ingress~~

+apiVersion: traefik.containo.us/v1alpha1

+kind: IngressRouteTCP

metadata:

~~- namespace: imfreedom~~

~~- name: keep~~

~~- annotations:~~

~~- cert-manager.io/issuer: letsencrypt~~

~~- nginx.ingress.kubernetes.io/configuration-snippet: |~~

~~- more_set_headers "X-Frame-Options: SAMEORIGIN";~~

~~- labels:~~

~~- app: keep~~

+ name: keep-ssh

+ namespace: roost

+spec:

+ entryPoints:

+ - keep-ssh

+ routes:

+ - match: HostSNI(`*`)

+ kind: Rule

+ services:

+ - name: keep

+ port: 22222

+---

+apiVersion: traefik.containo.us/v1alpha1

+kind: IngressRoute

+metadata:

+ name: keep-http

+ namespace: roost

spec:

~~- rules:~~

~~- - host: keep.imfreedom.org~~

~~- http:~~

~~- paths:~~

~~- - backend:~~

~~- serviceName: keep-http~~

~~- servicePort: 8080~~

~~- path: /~~

+ entryPoints:

+ - https

+ routes:

+ - match: Host(`keep.imfreedom.org`)

+ kind: Rule

+ services:

+ - name: keep-http

+ port: 8080

+ middlewares:

+ - name: common-headers

tls:

~~- - hosts:~~

~~- - keep.imfreedom.org~~

~~- secretName: keep-tls~~

+ secretName: keep-tls

+---

+apiVersion: cert-manager.io/v1alpha2

+kind: Certificate

+metadata:

+ namespace: roost

+ name: keep-tls

+spec:

+ secretName: keep-tls

+ issuerRef:

+ name: letsencrypt

+ commonName: keep.imfreedom.org

+ dnsNames:

+ - keep.imfreedom.org

---

apiVersion: v1

kind: Service

metadata:

~~- namespace: imfreedom~~

+ namespace: roost

labels:

app: hgkeeper

@@ -41,7 +63,7 @@

apiVersion: v1

kind: Service

metadata:

~~- namespace: imfreedom~~

+ namespace: roost

labels:

app: hgkeeper

@@ -56,7 +78,7 @@

kind: ConfigMap

metadata:

~~- namespace: imfreedom~~

+ namespace: roost

data:

admin-pubkey: |

ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP/mCAuMfKq4ukgGufiERyddsPIj2/KNXzB+gDTjHBGl grim@spectre

@@ -64,7 +86,7 @@

apiVersion: networking.k8s.io/v1

kind: NetworkPolicy

metadata:

~~- namespace: imfreedom~~

+ namespace: roost

labels:

app: hgkeeper

@@ -79,7 +101,7 @@

podSelector:

matchLabels:

~~- app: ingress~~

+ app: traefik

role: controller

ports:

- port: 8080

@@ -90,7 +112,7 @@

apiVersion: apps/v1

kind: Deployment

metadata:

~~- namespace: imfreedom~~

+ namespace: roost

labels:

app: hgkeeper

@@ -178,7 +200,7 @@

apiVersion: v1

kind: PersistentVolumeClaim

metadata:

~~- namespace: imfreedom~~

+ namespace: roost

labels:

app: hgkeeper

@@ -188,4 +210,5 @@

resources:

requests:

storage: 30Gi

+ volumeName: pvc-fdabb9b0-68d2-4c13-9d6f-6a6dbcd34a38

---

~~--- a/50-nest.pidgin.im.yaml Tue Feb 11 03:34:52 2020 -0600~~

+++ b/50-nest.pidgin.im.yaml Tue Feb 11 03:35:54 2020 -0600

@@ -1,3 +1,48 @@

+---

+apiVersion: traefik.containo.us/v1alpha1

+kind: Middleware

+metadata:

+ name: nest-redirects

+ namespace: roost

+spec:

+ redirectRegex:

+ regex: ^https?:\/\/[^\/]+(\/.+)?

+ replacement: https://pidgin.im${1}

+ permanent: true

+---

+apiVersion: traefik.containo.us/v1alpha1

+kind: IngressRoute

+metadata:

+ name: nest-redirects

+ namespace: roost

+spec:

+ entryPoints:

+ - https

+ routes:

+ - match: Host(`nest.pidgin.im`) || Host(`pidg.in`) || Host(`www.pidg.in`)

+ kind: Rule

+ services:

+ - name: nest

+ port: 3000

+ middlewares:

+ - name: nest-redirects

+ tls:

+ secretName: nest-redirects-tls

+---

+apiVersion: cert-manager.io/v1alpha2

+kind: Certificate

+metadata:

+ namespace: roost

+ name: nest-redirects-tls

+spec:

+ secretName: nest-redirects-tls

+ issuerRef:

+ name: letsencrypt

+ commonName: pidg.in

+ dnsNames:

+ - pidg.in

+ - www.pidg.in

+ - nest.pidgin.im

---

apiVersion: extensions/v1beta1

kind: Ingress

@@ -51,29 +96,6 @@

- www.pidgin.im

secretName: nest-tls

---

~~-apiVersion: extensions/v1beta1~~

~~-kind: Ingress~~

~~-metadata:~~

~~- namespace: roost~~

~~- name: nest-redirects~~

~~- annotations:~~

~~- cert-manager.io/issuer: letsencrypt~~

~~- nginx.ingress.kubernetes.io/server-snippet: |~~

~~- return 301 https://pidgin.im$request_uri;~~

~~- labels:~~

~~- app: nest~~

~~-spec:~~

~~- rules:~~

~~- - host: pidg.in~~

~~- - host: www.pidg.in~~

~~- - host: nest.pidgin.im~~

~~- tls:~~

~~- - hosts:~~

~~- - pidg.in~~

~~- - www.pidg.in~~

~~- - nest.pidgin.im~~

~~- secretName: nest-redirects-tls~~

~~----~~

apiVersion: v1

kind: Service

metadata:

@@ -106,7 +128,7 @@

podSelector:

matchLabels:

~~- app: ingress~~

+ app: traefik

role: controller

ports:

- port: 3000

@@ -188,7 +210,7 @@

podSelector:

matchLabels:

~~- app: ingress~~

+ app: traefik

role: controller

ports:

- port: 80

~~--- a/50-xmpp.imfreedom.org.yaml Tue Feb 11 03:34:52 2020 -0600~~

+++ b/50-xmpp.imfreedom.org.yaml Tue Feb 11 03:35:54 2020 -0600

@@ -1,10 +1,40 @@

# Prosody is an xmpp server. This manifest creates a deployment for it. It

# handles virtualhosts for adium.im, imfreedom.org, as well as pidgin.im.

---

+apiVersion: traefik.containo.us/v1alpha1

+kind: IngressRouteTCP

+metadata:

+ name: prosody-c2s

+ namespace: roost

+spec:

+ entryPoints:

+ - xmpp-c2s

+ routes:

+ - match: HostSNI(`*`)

+ kind: Rule

+ services:

+ - name: prosody

+ port: 5222

+---

+apiVersion: traefik.containo.us/v1alpha1

+kind: IngressRouteTCP

+metadata:

+ name: prosody-s2s

+ namespace: roost

+spec:

+ entryPoints:

+ - xmpp-s2s

+ routes:

+ - match: HostSNI(`*`)

+ kind: Rule

+ services:

+ - name: prosody

+ port: 5269

+---

apiVersion: v1

kind: Service

metadata:

~~- namespace: imfreedom~~

+ namespace: roost

labels:

app: prosody

role: app

@@ -30,7 +60,7 @@

apiVersion: networking.k8s.io/v1

kind: NetworkPolicy

metadata:

~~- namespace: imfreedom~~

+ namespace: roost

labels:

app: prosody

@@ -47,7 +77,7 @@

podSelector:

matchLabels:

~~- app: ingress~~

+ app: traefik

role: controller

ports:

- port: 5222

@@ -72,7 +102,7 @@

kind: ConfigMap

metadata:

~~- namespace: imfreedom~~

+ namespace: roost

data:

imfreedom.cfg.lua: |

VirtualHost "imfreedom.org"

@@ -132,7 +162,7 @@

apiVersion: apps/v1

kind: Deployment

metadata:

~~- namespace: imfreedom~~

+ namespace: roost

labels:

app: prosody

@@ -185,7 +215,7 @@

readOnly: true

- mountPath: /etc/prosody/certs/imfreedom/

~~- name: www-tls~~

+ name: imfreedom-tls

readOnly: true

securityContext:

fsGroup: 101

@@ -200,14 +230,14 @@

- name: config

configMap:

~~- - name: www-tls~~

+ - name: imfreedom-tls

secret:

~~- secretName: www-tls~~

+ secretName: imfreedom-tls

---

apiVersion: v1

kind: PersistentVolumeClaim

metadata:

~~- namespace: imfreedom~~

+ namespace: roost

labels:

app: prosody

@@ -218,11 +248,12 @@

resources:

requests:

storage: 2Gi

+ volumeName: pvc-415a206e-5484-4cf0-a655-908d18339f62

---

apiVersion: monitoring.coreos.com/v1

kind: ServiceMonitor

metadata:

~~- namespace: imfreedom~~

+ namespace: roost

labels:

app: prosody

imfreedom/k8s-cluster