add traefik base
parent
3bdb4657ff
commit
20dd36cff4
@ -1,3 +1,6 @@
|
||||
infra/.terraform*
|
||||
infra/terraform-gcp-service-account.json
|
||||
infra/terraform.tfstate*
|
||||
traefik/*service-account.json
|
||||
traefik/deployment.yml
|
||||
traefik/*.htpass
|
@ -0,0 +1,3 @@
|
||||
# README
|
||||
|
||||
This folder contains the traefik configuration to set it up in the GKE cluster in GCP.
|
@ -0,0 +1,93 @@
|
||||
---
|
||||
apiVersion: apiextensions.k8s.io/v1beta1
|
||||
kind: CustomResourceDefinition
|
||||
metadata:
|
||||
name: ingressroutes.traefik.containo.us
|
||||
spec:
|
||||
group: traefik.containo.us
|
||||
version: v1alpha1
|
||||
names:
|
||||
kind: IngressRoute
|
||||
plural: ingressroutes
|
||||
singular: ingressroute
|
||||
scope: Namespaced
|
||||
---
|
||||
apiVersion: apiextensions.k8s.io/v1beta1
|
||||
kind: CustomResourceDefinition
|
||||
metadata:
|
||||
name: middlewares.traefik.containo.us
|
||||
|
||||
spec:
|
||||
group: traefik.containo.us
|
||||
version: v1alpha1
|
||||
names:
|
||||
kind: Middleware
|
||||
plural: middlewares
|
||||
singular: middleware
|
||||
scope: Namespaced
|
||||
---
|
||||
apiVersion: apiextensions.k8s.io/v1beta1
|
||||
kind: CustomResourceDefinition
|
||||
metadata:
|
||||
name: ingressroutetcps.traefik.containo.us
|
||||
spec:
|
||||
group: traefik.containo.us
|
||||
version: v1alpha1
|
||||
names:
|
||||
kind: IngressRouteTCP
|
||||
plural: ingressroutetcps
|
||||
singular: ingressroutetcp
|
||||
scope: Namespaced
|
||||
---
|
||||
apiVersion: apiextensions.k8s.io/v1beta1
|
||||
kind: CustomResourceDefinition
|
||||
metadata:
|
||||
name: ingressrouteudps.traefik.containo.us
|
||||
spec:
|
||||
group: traefik.containo.us
|
||||
version: v1alpha1
|
||||
names:
|
||||
kind: IngressRouteUDP
|
||||
plural: ingressrouteudps
|
||||
singular: ingressrouteudp
|
||||
scope: Namespaced
|
||||
---
|
||||
apiVersion: apiextensions.k8s.io/v1beta1
|
||||
kind: CustomResourceDefinition
|
||||
metadata:
|
||||
name: tlsoptions.traefik.containo.us
|
||||
spec:
|
||||
group: traefik.containo.us
|
||||
version: v1alpha1
|
||||
names:
|
||||
kind: TLSOption
|
||||
plural: tlsoptions
|
||||
singular: tlsoption
|
||||
scope: Namespaced
|
||||
---
|
||||
apiVersion: apiextensions.k8s.io/v1beta1
|
||||
kind: CustomResourceDefinition
|
||||
metadata:
|
||||
name: tlsstores.traefik.containo.us
|
||||
spec:
|
||||
group: traefik.containo.us
|
||||
version: v1alpha1
|
||||
names:
|
||||
kind: TLSStore
|
||||
plural: tlsstores
|
||||
singular: tlsstore
|
||||
scope: Namespaced
|
||||
---
|
||||
apiVersion: apiextensions.k8s.io/v1beta1
|
||||
kind: CustomResourceDefinition
|
||||
metadata:
|
||||
name: traefikservices.traefik.containo.us
|
||||
spec:
|
||||
group: traefik.containo.us
|
||||
version: v1alpha1
|
||||
names:
|
||||
kind: TraefikService
|
||||
plural: traefikservices
|
||||
singular: traefikservice
|
||||
scope: Namespaced
|
||||
---
|
@ -0,0 +1,34 @@
|
||||
if ENV['GCE_PROJECT'] && ENV['GCE_DOMAIN'] && ENV['DNS_EMAIL'] && ENV['GCE_REGION']
|
||||
if !File.exist?('traefik-service-account.json')
|
||||
puts "File traefik-service-account.json is missing"
|
||||
exit 1
|
||||
end
|
||||
|
||||
if !File.exist?('traefik.htpass')
|
||||
puts "File traefik.htpass is missing"
|
||||
exit 1
|
||||
end
|
||||
puts "Get credentials"
|
||||
system("gcloud container clusters get-credentials app-cluster --region #{ENV['GCE_REGION']}")
|
||||
|
||||
puts "Create namespace in cluster"
|
||||
system("HTTPS_PROXY=localhost:8888 kubectl create namespace traefik")
|
||||
|
||||
puts "Handle the custom resource definitions"
|
||||
system("HTTPS_PROXY=localhost:8888 kubectl apply -f crd.yml")
|
||||
|
||||
puts "Handle the Role-Based Access Control needed by traefik"
|
||||
system("HTTPS_PROXY=localhost:8888 kubectl apply -f rbac.yml")
|
||||
|
||||
puts "Create kubernetes secrets for traefik"
|
||||
system("HTTPS_PROXY=localhost:8888 kubectl create secret generic traefik-auth --from-file traefik.htpass --namespace=traefik")
|
||||
system("HTTPS_PROXY=localhost:8888 kubectl create secret generic traefik-service-account --from-file=traefik-service-account.json=traefik-service-account.json --namespace=traefik")
|
||||
|
||||
puts "Deploy traefik itself"
|
||||
system("envsubst < deployment_base.yml > deployment.yml")
|
||||
system("HTTPS_PROXY=localhost:8888 kubectl apply -f deployment.yml")
|
||||
|
||||
else
|
||||
puts "Missing env vars, did you define GCE_PROJECT, GCE_DOMAIN, GCE_REGION and DNS_EMAIL ?"
|
||||
exit 1
|
||||
end
|
@ -0,0 +1,153 @@
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
namespace: traefik
|
||||
name: traefik
|
||||
labels:
|
||||
app.kubernetes.io/name: traefik
|
||||
spec:
|
||||
type: LoadBalancer
|
||||
selector:
|
||||
app.kubernetes.io/name: traefik
|
||||
ports:
|
||||
- protocol: TCP
|
||||
name: http
|
||||
port: 80
|
||||
- protocol: TCP
|
||||
name: https
|
||||
port: 443
|
||||
---
|
||||
apiVersion: apps/v1
|
||||
kind: StatefulSet
|
||||
metadata:
|
||||
namespace: traefik
|
||||
name: traefik
|
||||
labels:
|
||||
app.kubernetes.io/name: traefik
|
||||
spec:
|
||||
replicas: 1
|
||||
serviceName: traefik
|
||||
selector:
|
||||
matchLabels:
|
||||
app.kubernetes.io/name: traefik
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
app.kubernetes.io/name: traefik
|
||||
spec:
|
||||
serviceAccountName: traefik-ingress-controller
|
||||
containers:
|
||||
- name: traefik
|
||||
image: traefik:v2.3.5
|
||||
args:
|
||||
- --ping
|
||||
- --api.dashboard
|
||||
- --api.insecure=false
|
||||
- --entrypoints.http.Address=:80
|
||||
- --entrypoints.https.Address=:443
|
||||
- --providers.kubernetesingress
|
||||
- --providers.kubernetescrd
|
||||
- --certificatesResolvers.letsencrypt.acme.storage=/acme/acme.json
|
||||
- --certificatesResolvers.letsencrypt.acme.email=${DNS_EMAIL}
|
||||
- --certificatesResolvers.letsencrypt.acme.dnsChallenge.provider=gcloud
|
||||
env:
|
||||
- name: GCE_PROJECT
|
||||
value: ${GCE_PROJECT}
|
||||
- name: GCE_DOMAIN
|
||||
value: ${GCE_DOMAIN}
|
||||
- name: GCE_SERVICE_ACCOUNT_FILE
|
||||
value: /service-account/traefik-service-account.json
|
||||
ports:
|
||||
- name: http
|
||||
containerPort: 80
|
||||
- name: https
|
||||
containerPort: 443
|
||||
volumeMounts:
|
||||
- name: acme
|
||||
mountPath: /acme
|
||||
- name: traefik-service-account
|
||||
mountPath: /service-account
|
||||
readOnly: true
|
||||
readinessProbe:
|
||||
httpGet:
|
||||
path: /ping
|
||||
port: 8080
|
||||
livenessProbe:
|
||||
httpGet:
|
||||
path: /ping
|
||||
port: 8080
|
||||
volumes:
|
||||
- name: traefik-service-account
|
||||
secret:
|
||||
secretName: traefik-service-account
|
||||
volumeClaimTemplates:
|
||||
- metadata:
|
||||
name: acme
|
||||
spec:
|
||||
accessModes: [ "ReadWriteOnce" ]
|
||||
resources:
|
||||
requests:
|
||||
storage: 1Gi
|
||||
---
|
||||
apiVersion: traefik.containo.us/v1alpha1
|
||||
kind: Middleware
|
||||
metadata:
|
||||
namespace: traefik
|
||||
name: traefik-auth
|
||||
spec:
|
||||
basicAuth:
|
||||
secret: traefik-auth
|
||||
---
|
||||
apiVersion: traefik.containo.us/v1alpha1
|
||||
kind: IngressRoute
|
||||
metadata:
|
||||
namespace: traefik
|
||||
name: traefik-dashboard
|
||||
labels:
|
||||
app.kubernetes.io/name: traefik-dashboard
|
||||
spec:
|
||||
entryPoints:
|
||||
- https
|
||||
routes:
|
||||
- match: Host(`traefik.${GCE_DOMAIN}`)
|
||||
kind: Rule
|
||||
services:
|
||||
- name: api@internal
|
||||
kind: TraefikService
|
||||
middlewares:
|
||||
- name: traefik-auth
|
||||
tls:
|
||||
certResolver: letsencrypt
|
||||
domains:
|
||||
- main: "*.${GCE_DOMAIN}"
|
||||
---
|
||||
apiVersion: traefik.containo.us/v1alpha1
|
||||
kind: Middleware
|
||||
metadata:
|
||||
name: redirect-https
|
||||
namespace: traefik
|
||||
spec:
|
||||
redirectScheme:
|
||||
scheme: https
|
||||
permanent: true
|
||||
port: "443"
|
||||
---
|
||||
apiVersion: traefik.containo.us/v1alpha1
|
||||
kind: IngressRoute
|
||||
metadata:
|
||||
name: http-to-https
|
||||
namespace: traefik
|
||||
spec:
|
||||
entryPoints:
|
||||
- http
|
||||
routes:
|
||||
- match: HostRegexp(`{any:.+}`)
|
||||
kind: Rule
|
||||
services:
|
||||
- name: noop@internal
|
||||
kind: TraefikService
|
||||
middlewares:
|
||||
- name: redirect-https
|
||||
namespace: traefik
|
||||
---
|
@ -0,0 +1,67 @@
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
namespace: whoami
|
||||
name: whoami-branch1
|
||||
labels:
|
||||
app.kubernetes.io/name: whoami
|
||||
app.kubernetes.io/instance: branch1
|
||||
spec:
|
||||
selector:
|
||||
app.kubernetes.io/name: whoami
|
||||
app.kubernetes.io/instance: branch1
|
||||
ports:
|
||||
- protocol: TCP
|
||||
name: http
|
||||
port: 80
|
||||
---
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
namespace: whoami
|
||||
name: whoami-branch1
|
||||
labels:
|
||||
app.kubernetes.io/name: whoami
|
||||
app.kubernetes.io/instance: branch1
|
||||
spec:
|
||||
replicas: 3
|
||||
selector:
|
||||
matchLabels:
|
||||
app.kubernetes.io/name: whoami
|
||||
app.kubernetes.io/instance: branch1
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
app.kubernetes.io/name: whoami
|
||||
app.kubernetes.io/instance: branch1
|
||||
spec:
|
||||
containers:
|
||||
- name: whoami
|
||||
image: containous/whoami
|
||||
ports:
|
||||
- name: http
|
||||
containerPort: 80
|
||||
---
|
||||
apiVersion: traefik.containo.us/v1alpha1
|
||||
kind: IngressRoute
|
||||
metadata:
|
||||
namespace: whoami
|
||||
name: whoami-branch1
|
||||
labels:
|
||||
app.kubernetes.io/name: whoami
|
||||
app.kubernetes.io/instance: branch1
|
||||
spec:
|
||||
entryPoints:
|
||||
- https
|
||||
routes:
|
||||
- match: Host(`branch1.whoami.[DOMAIN]`)
|
||||
kind: Rule
|
||||
services:
|
||||
- namespace: whoami
|
||||
name: whoami-branch1
|
||||
port: 80
|
||||
tls:
|
||||
certResolver: letsencrypt
|
||||
domains:
|
||||
- main: "*.pw.rails.imfiny.com"
|
@ -0,0 +1,66 @@
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1beta1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
name: traefik-ingress-controller
|
||||
rules:
|
||||
- apiGroups:
|
||||
- ""
|
||||
resources:
|
||||
- services
|
||||
- endpoints
|
||||
- secrets
|
||||
verbs:
|
||||
- get
|
||||
- list
|
||||
- watch
|
||||
- apiGroups:
|
||||
- extensions
|
||||
- networking.k8s.io
|
||||
resources:
|
||||
- ingresses
|
||||
- ingressclasses
|
||||
verbs:
|
||||
- get
|
||||
- list
|
||||
- watch
|
||||
- apiGroups:
|
||||
- extensions
|
||||
resources:
|
||||
- ingresses/status
|
||||
verbs:
|
||||
- update
|
||||
- apiGroups:
|
||||
- traefik.containo.us
|
||||
resources:
|
||||
- middlewares
|
||||
- ingressroutes
|
||||
- traefikservices
|
||||
- ingressroutetcps
|
||||
- ingressrouteudps
|
||||
- tlsoptions
|
||||
- tlsstores
|
||||
verbs:
|
||||
- get
|
||||
- list
|
||||
- watch
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1beta1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: traefik-ingress-controller
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: traefik-ingress-controller
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
namespace: traefik
|
||||
name: traefik-ingress-controller
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
namespace: traefik
|
||||
name: traefik-ingress-controller
|
||||
---
|
Loading…
Reference in New Issue