From 6c7e6787b189b70451f5afc388f8235439ef24b6 Mon Sep 17 00:00:00 2001
From: xcad2k <28359525+xcad2k@users.noreply.github.com>
Date: Mon, 29 Nov 2021 08:41:39 +0100
Subject: [PATCH] traefik and portainer updates
---
 .../README.md} | 0
 .../portainer/templates/portainer-ingress.yml | 17 ++++
 .../values.yml} | 0
 kubernetes/research/nginx.yaml | 21 ----
 .../templates/cm-and-secrets/mysql-deploy.yml | 5 +-
 .../cm-and-secrets/nginx-http-cm.yml | 3 +
 .../cm-and-secrets/nginx-https-deploy.yml | 32 ++++++-
 kubernetes/traefik/templates/ingress.yml | 30 ++++++
 kubernetes/traefik/values.yml | 96 +++++++++++++++++--
 9 files changed, 171 insertions(+), 33 deletions(-)
 rename kubernetes/{certificates/letsencrypt-issuer-prod.yaml => portainer/README.md} (100%)
 create mode 100644 kubernetes/portainer/templates/portainer-ingress.yml
 rename kubernetes/{certificates/letsencrypt-issuer-staging.yaml => portainer/values.yml} (100%)
 delete mode 100644 kubernetes/research/nginx.yaml
 create mode 100644 kubernetes/traefik/templates/ingress.yml
diff --git a/kubernetes/certificates/letsencrypt-issuer-prod.yaml b/kubernetes/portainer/README.md
similarity index 100%
rename from kubernetes/certificates/letsencrypt-issuer-prod.yaml
rename to kubernetes/portainer/README.md
diff --git a/kubernetes/portainer/templates/portainer-ingress.yml b/kubernetes/portainer/templates/portainer-ingress.yml
new file mode 100644
index 0000000..2d6bd62
--- /dev/null
+++ b/kubernetes/portainer/templates/portainer-ingress.yml
@@ -0,0 +1,17 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: nginx
+ namespace: wp-clcreative
+spec:
+ rules:
+ - host: portainer.your-domain.com
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: portainer
+ port:
+ number: 9000
\ No newline at end of file
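Review bot: The new Ingress for `portainer.your-domain.com` carries no TLS or entrypoint annotation, so the Portainer login page is served on Traefik's plain `web` entrypoint as well; the values.yml hunk in this same commit also turns `redirectTo: websecure` into a commented-out option, so nothing forces HTTPS for this host. Add `traefik.ingress.kubernetes.io/router.entrypoints: websecure` and `traefik.ingress.kubernetes.io/router.tls: "true"` under `metadata.annotations` — the same keys the traefik/templates/ingress.yml hunk documents. The object is also named `nginx` while it routes to the `portainer` service; `name: portainer` keeps it from colliding with any nginx Ingress that may exist in the `wp-clcreative` namespace.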
diff --git a/kubernetes/certificates/letsencrypt-issuer-staging.yaml b/kubernetes/portainer/values.yml
similarity index 100%
rename from kubernetes/certificates/letsencrypt-issuer-staging.yaml
rename to kubernetes/portainer/values.yml
diff --git a/kubernetes/research/nginx.yaml b/kubernetes/research/nginx.yaml
deleted file mode 100644
index 48187fd..0000000
--- a/kubernetes/research/nginx.yaml
+++ /dev/null
@@ -1,21 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: nginx
- labels:
- app: nginx
-spec:
- replicas: 2
- selector:
- matchLabels:
- app: nginx
- template:
- metadata:
- labels:
- app: nginx
- spec:
- containers:
- - name: nginx
- image: nginx
- ports:
- - containerPort: 80
diff --git a/kubernetes/templates/cm-and-secrets/mysql-deploy.yml b/kubernetes/templates/cm-and-secrets/mysql-deploy.yml
index 0fc0684..fb098ea 100644
--- a/kubernetes/templates/cm-and-secrets/mysql-deploy.yml
+++ b/kubernetes/templates/cm-and-secrets/mysql-deploy.yml
@@ -17,7 +17,10 @@ spec:
 name: mysql
 env:
 - name: MYSQL_ROOT_PASSWORD
- value: "password-in-cleartext"
+ valueFrom:
+ secretKeyRef:
+ name: mysql-secret
+ key: root-pass
 ports:
 - name: mysql
 containerPort: 3306
diff --git a/kubernetes/templates/cm-and-secrets/nginx-http-cm.yml b/kubernetes/templates/cm-and-secrets/nginx-http-cm.yml
index 6fb4668..672f5e6 100644
--- a/kubernetes/templates/cm-and-secrets/nginx-http-cm.yml
+++ b/kubernetes/templates/cm-and-secrets/nginx-http-cm.yml
@@ -21,5 +21,8 @@ data:
 root /usr/share/nginx/html;
 index index.html index.htm;
 }
+ location /test {
+ return 401;
+ }
 }
 }
\ No newline at end of file
diff --git a/kubernetes/templates/cm-and-secrets/nginx-https-deploy.yml b/kubernetes/templates/cm-and-secrets/nginx-https-deploy.yml
index 0a6330c..b58b7bb 100644
--- a/kubernetes/templates/cm-and-secrets/nginx-https-deploy.yml
+++ b/kubernetes/templates/cm-and-secrets/nginx-https-deploy.yml
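Review bot: The `mysql-secret` Secret with key `root-pass` that the new `secretKeyRef` points at is not created anywhere in this patch, so a reader of mysql-deploy.yml has no way to know where it is meant to come from. If it is applied separately, a comment above `valueFrom:` such as `# Secret "mysql-secret" (key: root-pass) must exist in this namespace before applying` would save the next person a pod stuck at container-config time. I would not add `optional: true`: refusing to start without the credential is the right fail-closed behaviour for a database root password, and it is a clear improvement over the removed cleartext `value:`.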
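Review bot: The new `location /test { return 401; }` in nginx-http-cm.yml sends a 401 without a `WWW-Authenticate` header, which RFC 7235 requires on every 401 response, so clients that honour the status will see a malformed challenge. If the location only exists to exercise an error path, `return 403;` (or `404`) is the status that means "no credentials will help"; if it is meant to demonstrate authentication, pair the 401 with an `auth_basic` directive so nginx emits the header itself. The enclosing `http { server { … } }` block starts before this hunk.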
@@ -16,6 +16,8 @@ spec:
 - name: nginx-https
 image: nginx
 ports:
+ - name: web
+ containerPort: 80
 - name: secureweb
 containerPort: 443
 volumeMounts:
@@ -35,4 +37,32 @@ spec:
 secretName: nginx-https-secret
 - name: nginx-https-vol
 hostPath:
- path: /var/nginxserver
\ No newline at end of file
+ path: /var/nginxserver
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: nginx-https-cm
+data:
+ nginx.conf: |
+ user nginx;
+ worker_processes 1;
+ events {
+ worker_connections 10240;
+ }
+ http {
+ server {
+ listen 80;
+ listen 443 ssl;
+
+ server_name _;
+
+ ssl_certificate /etc/nginx/ssl/server-cert.pem;
+ ssl_certificate_key /etc/nginx/ssl/server-key.pem;
+
+ location / {
+ root /usr/share/nginx/html;
+ index index.html index.htm;
+ }
+ }
+ }
diff --git a/kubernetes/traefik/templates/ingress.yml b/kubernetes/traefik/templates/ingress.yml
new file mode 100644
index 0000000..e046257
--- /dev/null
+++ b/kubernetes/traefik/templates/ingress.yml
@@ -0,0 +1,30 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: wp-clcreative
+ namespace: wp-clcreative
+ annotations:
+ # (Optional): Annotations for the Ingress Controller
+ # ---
+ # General:
+ # kubernetes.io/ingress.class: traefik
+ #
+ # TLS configuration:
+ # traefik.ingress.kubernetes.io/router.entrypoints: web, websecure
+ # traefik.ingress.kubernetes.io/router.tls: "true"
+ #
+ # Middleware:
+ # traefik.ingress.kubernetes.io/router.middlewares:your-middleware@kubernetescrd
+spec:
+ rules:
+ - host: "your-hostname.com" # Your hostname
+ http:
+ paths:
+ # Path-based routing settings:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: your-service-name # The name of the service
+ port:
+ number: 80 # Service Portnumber
\ No newline at end of file
diff --git a/kubernetes/traefik/values.yml b/kubernetes/traefik/values.yml
index a0831a3..9883243 100644
--- a/kubernetes/traefik/values.yml
+++ b/kubernetes/traefik/values.yml
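Review bot: The new `nginx.conf` ConfigMap in the second hunk of nginx-https-deploy.yml puts `listen 80;` and `listen 443 ssl;` in the same server block, so every document under `/usr/share/nginx/html` is served in cleartext as well as over TLS, and the first hunk opens container port 80 as `web` to match. If HTTP is only there so clients can find the site, give it its own server block that redirects to HTTPS and keep the content-serving block on 443 only. The block also sets no `ssl_protocols`, so whatever the untagged `nginx` image ships as default applies; pinning `ssl_protocols TLSv1.2 TLSv1.3;` next to the certificate lines makes the result independent of which image version gets pulled.

```yaml
  nginx.conf: |
    # … unchanged: user, worker_processes, events …
    http {
      server {
        listen 80;
        server_name _;
        return 301 https://$host$request_uri;
      }
      server {
        listen 443 ssl;
        server_name _;
        ssl_certificate /etc/nginx/ssl/server-cert.pem;
        ssl_certificate_key /etc/nginx/ssl/server-key.pem;
        ssl_protocols TLSv1.2 TLSv1.3;
        # … unchanged: location / block …
      }
    }
```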
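Review bot: The commented Middleware example in traefik/templates/ingress.yml, `traefik.ingress.kubernetes.io/router.middlewares:your-middleware@kubernetescrd`, is missing the space after the colon, so anyone who uncomments it gets a bare string as the value of `annotations` instead of a key/value pair and the manifest is rejected; write it as `#   traefik.ingress.kubernetes.io/router.middlewares: your-middleware@kubernetescrd`. The template also hard-codes `name: wp-clcreative` and `namespace: wp-clcreative` while every other value is a `your-...` placeholder, so a copied file lands in that namespace unless the reader notices. Because `router.tls` and `router.entrypoints` are only shown commented out, a copied Ingress defaults to plain HTTP on both entrypoints; a one-line note above the TLS example saying those two lines should be uncommented for anything that takes credentials would make the safe path the obvious one.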
@@ -1,20 +1,96 @@
 additionalArguments:
- - --certificatesresolvers.staging.acme.email=your-email@example.com
- - --certificatesresolvers.staging.acme.caServer=https://acme-staging-v02.api.letsencrypt.org/directory
- - --certificatesresolvers.staging.acme.httpChallenge.entryPoint=web
- - --certificatesresolvers.staging.acme.storage=/ssl-certs/acme-staging.json
- - --certificatesresolvers.production.acme.email=your-email@example.com
- - --certificatesresolvers.production.acme.caServer=https://acme-v02.api.letsencrypt.org/directory
- - --certificatesresolvers.production.acme.httpChallenge.entryPoint=web
- - --certificatesresolvers.production.acme.storage=/ssl-certs/acme-production.json
+# Configure your CertificateResolver here...
+#
+# HTTP Challenge
+# ---
+# Generic Example:
+# - --certificatesresolvers.generic.acme.email=your-email@example.com
+# - --certificatesresolvers.generic.acme.caServer=https://acme-v02.api.letsencrypt.org/directory
+# - --certificatesresolvers.generic.acme.httpChallenge.entryPoint=web
+# - --certificatesresolvers.generic.acme.storage=/ssl-certs/acme-generic.json
+#
+# Prod / Staging Example:
+# - --certificatesresolvers.staging.acme.email=your-email@example.com
+# - --certificatesresolvers.staging.acme.caServer=https://acme-staging-v02.api.letsencrypt.org/directory
+# - --certificatesresolvers.staging.acme.httpChallenge.entryPoint=web
+# - --certificatesresolvers.staging.acme.storage=/ssl-certs/acme-staging.json
+# - --certificatesresolvers.production.acme.email=your-email@example.com
+# - --certificatesresolvers.production.acme.caServer=https://acme-v02.api.letsencrypt.org/directory
+# - --certificatesresolvers.production.acme.httpChallenge.entryPoint=web
+# - --certificatesresolvers.production.acme.storage=/ssl-certs/acme-production.json
+#
+# DNS Challenge
+# ---
+# Cloudflare Example:
+# - --certificatesresolvers.cloudflare.acme.dnschallenge.provider=cloudflare
+# - --certificatesresolvers.cloudflare.acme.email=your-email@example.com
+# - --certificatesresolvers.cloudflare.acme.dnschallenge.resolvers=1.1.1.1
+# - --certificatesresolvers.cloudflare.acme.storage=/ssl-certs/acme-cloudflare.json
+#
+# Generic (replace with your DNS provider):
+# - --certificatesresolvers.generic.acme.dnschallenge.provider=generic
+# - --certificatesresolvers.generic.acme.email=your-email@example.com
+# - --certificatesresolvers.generic.acme.storage=/ssl-certs/acme-generic.json
+
+logs:
+# Configure log settings here...
+ general:
+ level: ERROR
+
 ports:
+# Configure your entrypoints here...
 web:
- redirectTo: websecure
+ # (optional) Permanent Redirect to HTTPS
+ # redirectTo: websecure
+ websecure:
+ tls:
+ enabled: true
+ # (optional) Set a Default CertResolver
+ # certResolver: cloudflare
+
+
+env:
+# Set your environment variables here...
+#
+# DNS Challenge Credentials
+# ---
+# Cloudflare Example:
+# - name: CF_API_EMAIL
+# valueFrom:
+# secretKeyRef:
+# key: email
+# name: cloudflare-credentials
+# - name: CF_API_KEY
+# valueFrom:
+# secretKeyRef:
+# key: apiKey
+# name: cloudflare-credentials
+
+# Disable Dashboard
 ingressRoute:
 dashboard:
 enabled: false
+
+# Persistent Storage
 persistence:
 enabled: true
 name: ssl-certs
- size: 128Mi
+ size: 1Gi
 path: /ssl-certs
+
+deployment:
+ initContainers:
+ # The "volume-permissions" init container is required if you run into permission issues.
+ # Related issue: https://github.com/containous/traefik/issues/6972
+ - name: volume-permissions
+ image: busybox:1.31.1
+ command: ["sh", "-c", "chmod -Rv 600 /ssl-certs/*"]
+ volumeMounts:
+ - name: ssl-certs
+ mountPath: /ssl-certs
+
+# Set Traefik as your default Ingress Controller, according to Kubernetes 1.19+ changes.
+ingressClass:
+ enabled: true
+ isDefaultClass: true
+
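Review bot: The removed `redirectTo: websecure` under `ports.web` comes back only as a commented-out "(optional)" line, so after this change the `web` entrypoint serves every Ingress in cleartext unless each one restricts `router.entrypoints` itself, and the portainer-ingress.yml added in this same commit does not. I would keep `redirectTo: websecure` active and make the opt-out the commented line, since a default of "TLS on, redirect off" is easy to misread as secure. In the `env` example, `CF_API_KEY` is Cloudflare's account-wide Global API Key, while the DNS challenge only needs a token scoped to DNS edits on the one zone; the example should show `CF_DNS_API_TOKEN` instead (that mode does not use `CF_API_EMAIL`). `logs.general.level: ERROR` also hides the ACME issuance and renewal messages that are the first thing to check when a certificate silently fails to renew, so `INFO` is the safer value for a template that people copy as-is.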