traefik and portainer updates

2024-11-22 00:03:16 +01:00 · 2021-11-29 08:41:39 +01:00 · 2021-11-29 08:41:39 +01:00 · 6c7e6787b1
commit 6c7e6787b1
parent 07c6afcbed
9 changed files with 171 additions and 33 deletions
--- a/kubernetes/certificates/letsencrypt-issuer-prod.yaml
+++ b/kubernetes/certificates/letsencrypt-issuer-prod.yaml
--- a/kubernetes/portainer/templates/portainer-ingress.yml
+++ b/kubernetes/portainer/templates/portainer-ingress.yml
@ -0,0 +1,17 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: nginx
+  namespace: wp-clcreative
+spec:
+  rules:
+  - host: portainer.your-domain.com
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: portainer
+            port:
+              number: 9000
--- a/kubernetes/certificates/letsencrypt-issuer-staging.yaml
+++ b/kubernetes/certificates/letsencrypt-issuer-staging.yaml
--- a/kubernetes/research/nginx.yaml
+++ b/kubernetes/research/nginx.yaml
@ -1,21 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: nginx
-  labels:
-    app: nginx
-spec:
-  replicas: 2
-  selector:
-    matchLabels:
-      app: nginx
-  template:
-    metadata:
-      labels:
-        app: nginx
-    spec:
-      containers:
-      - name: nginx
-        image: nginx
-        ports:
-        - containerPort: 80
--- a/kubernetes/templates/cm-and-secrets/mysql-deploy.yml
+++ b/kubernetes/templates/cm-and-secrets/mysql-deploy.yml
@ -17,7 +17,10 @@ spec:
        name: mysql
        env:
        - name: MYSQL_ROOT_PASSWORD
-          value: "password-in-cleartext"
+          valueFrom:
+            secretKeyRef:
+              name: mysql-secret
+              key: root-pass
        ports:
        - name: mysql
          containerPort: 3306
--- a/kubernetes/templates/cm-and-secrets/nginx-http-cm.yml
+++ b/kubernetes/templates/cm-and-secrets/nginx-http-cm.yml
@ -21,5 +21,8 @@ data:
          root   /usr/share/nginx/html;
          index  index.html index.htm;
        }
+        location /test {
+          return 401;
+        }
      }
    }
--- a/kubernetes/templates/cm-and-secrets/nginx-https-deploy.yml
+++ b/kubernetes/templates/cm-and-secrets/nginx-https-deploy.yml
@ -16,6 +16,8 @@ spec:
      - name: nginx-https
        image: nginx
        ports:
+        - name: web
+          containerPort: 80
        - name: secureweb
          containerPort: 443
        volumeMounts:
@ -35,4 +37,32 @@ spec:
          secretName: nginx-https-secret
      - name: nginx-https-vol
        hostPath:
-          path: /var/nginxserver
+          path: /var/nginxserver
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: nginx-https-cm
+data:
+  nginx.conf: |
+    user nginx;
+    worker_processes 1;
+    events {
+      worker_connections  10240;
+    }
+    http {
+      server {
+        listen       80;
+        listen       443 ssl;
+
+        server_name  _;
+
+        ssl_certificate     /etc/nginx/ssl/server-cert.pem;
+        ssl_certificate_key /etc/nginx/ssl/server-key.pem;
+
+        location / {
+            root   /usr/share/nginx/html;
+            index  index.html index.htm;
+        }
+      }
+    }
--- a/kubernetes/traefik/templates/ingress.yml
+++ b/kubernetes/traefik/templates/ingress.yml
@ -0,0 +1,30 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: wp-clcreative
+  namespace: wp-clcreative
+  annotations:
+    # (Optional): Annotations for the Ingress Controller
+    # ---
+    # General:
+    # kubernetes.io/ingress.class: traefik
+    # 
+    # TLS configuration:
+    # traefik.ingress.kubernetes.io/router.entrypoints: web, websecure
+    # traefik.ingress.kubernetes.io/router.tls: "true"
+    # 
+    # Middleware:
+    # traefik.ingress.kubernetes.io/router.middlewares:your-middleware@kubernetescrd
+spec:
+  rules:
+  - host: "your-hostname.com"  # Your hostname
+    http:
+      paths:
+      # Path-based routing settings:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: your-service-name  # The name of the service
+            port:
+              number: 80  # Service Portnumber
--- a/kubernetes/traefik/values.yml
+++ b/kubernetes/traefik/values.yml
@ -1,20 +1,96 @@
 additionalArguments:
-  - --certificatesresolvers.staging.acme.email=your-email@example.com
-  - --certificatesresolvers.staging.acme.caServer=https://acme-staging-v02.api.letsencrypt.org/directory
-  - --certificatesresolvers.staging.acme.httpChallenge.entryPoint=web
-  - --certificatesresolvers.staging.acme.storage=/ssl-certs/acme-staging.json
-  - --certificatesresolvers.production.acme.email=your-email@example.com
-  - --certificatesresolvers.production.acme.caServer=https://acme-v02.api.letsencrypt.org/directory
-  - --certificatesresolvers.production.acme.httpChallenge.entryPoint=web
-  - --certificatesresolvers.production.acme.storage=/ssl-certs/acme-production.json
+# Configure your CertificateResolver here...
+# 
+# HTTP Challenge
+# ---
+# Generic Example:
+#   - --certificatesresolvers.generic.acme.email=your-email@example.com
+#   - --certificatesresolvers.generic.acme.caServer=https://acme-v02.api.letsencrypt.org/directory
+#   - --certificatesresolvers.generic.acme.httpChallenge.entryPoint=web
+#   - --certificatesresolvers.generic.acme.storage=/ssl-certs/acme-generic.json
+#
+# Prod / Staging Example:
+#   - --certificatesresolvers.staging.acme.email=your-email@example.com
+#   - --certificatesresolvers.staging.acme.caServer=https://acme-staging-v02.api.letsencrypt.org/directory
+#   - --certificatesresolvers.staging.acme.httpChallenge.entryPoint=web
+#   - --certificatesresolvers.staging.acme.storage=/ssl-certs/acme-staging.json
+#   - --certificatesresolvers.production.acme.email=your-email@example.com
+#   - --certificatesresolvers.production.acme.caServer=https://acme-v02.api.letsencrypt.org/directory
+#   - --certificatesresolvers.production.acme.httpChallenge.entryPoint=web
+#   - --certificatesresolvers.production.acme.storage=/ssl-certs/acme-production.json
+#
+# DNS Challenge
+# ---
+# Cloudflare Example:
+#  - --certificatesresolvers.cloudflare.acme.dnschallenge.provider=cloudflare
+#  - --certificatesresolvers.cloudflare.acme.email=your-email@example.com
+#  - --certificatesresolvers.cloudflare.acme.dnschallenge.resolvers=1.1.1.1
+#  - --certificatesresolvers.cloudflare.acme.storage=/ssl-certs/acme-cloudflare.json
+#
+# Generic (replace with your DNS provider):
+#  - --certificatesresolvers.generic.acme.dnschallenge.provider=generic
+#  - --certificatesresolvers.generic.acme.email=your-email@example.com
+#  - --certificatesresolvers.generic.acme.storage=/ssl-certs/acme-generic.json
+
+logs:
+# Configure log settings here...
+  general:
+    level: ERROR
+
 ports:
+# Configure your entrypoints here...
  web:
-    redirectTo: websecure
+    # (optional) Permanent Redirect to HTTPS
+    # redirectTo: websecure
+  websecure:
+    tls:
+      enabled: true
+      # (optional) Set a Default CertResolver
+      # certResolver: cloudflare
+  
+
+env:
+# Set your environment variables here...
+# 
+# DNS Challenge Credentials
+# ---
+# Cloudflare Example:
+#   - name: CF_API_EMAIL
+#     valueFrom:
+#       secretKeyRef:
+#         key: email
+#         name: cloudflare-credentials
+#   - name: CF_API_KEY
+#     valueFrom:
+#       secretKeyRef:
+#         key: apiKey
+#         name: cloudflare-credentials
+
+# Disable Dashboard
 ingressRoute:
  dashboard:
    enabled: false
+
+# Persistent Storage
 persistence:
  enabled: true
  name: ssl-certs
-  size: 128Mi
+  size: 1Gi
  path: /ssl-certs
+
+deployment:
+  initContainers:
+    # The "volume-permissions" init container is required if you run into permission issues.
+    # Related issue: https://github.com/containous/traefik/issues/6972
+    - name: volume-permissions
+      image: busybox:1.31.1
+      command: ["sh", "-c", "chmod -Rv 600 /ssl-certs/*"]
+      volumeMounts:
+        - name: ssl-certs
+          mountPath: /ssl-certs
+
+# Set Traefik as your default Ingress Controller, according to Kubernetes 1.19+ changes.
+ingressClass:
+  enabled: true
+  isDefaultClass: true
+