Add k8s manifests for cert-manager issuers and searx

This commit is contained in:
Paul-Henri Froidmont 2019-08-22 05:15:45 +02:00
parent 64ca891810
commit 43dd47e761
9 changed files with 28 additions and 336 deletions


@ -1,4 +1,4 @@
--- ---
letsencrypt_email: letsencrypt.account@banditlair.com letsencrypt_email: letsencrypt.account@banditlair.com
traefik_domain: "traefik.{{banditlair_domain}}" traefik_domain: "traefik.{{banditlair_domain}}"
searx_domain: "searx.{{banditlair_domain}}" searx_domain: "searx.{{banditlair_domain}}"


@ -1,27 +1,25 @@
- name: cert-manager issuers - name: cert-manager issuers
k8s: k8s:
state: present state: present
namespace: "{{item.1}}" namespace: "{{item.name}}"
definition: definition:
apiVersion: certmanager.k8s.io/v1alpha1 apiVersion: certmanager.k8s.io/v1alpha1
kind: Issuer kind: ClusterIssuer
metadata: metadata:
name: "{{item.0.name}}" name: "{{item.name}}"
spec: spec:
acme: acme:
# The ACME server URL # The ACME server URL
server: "{{item.0.server}}" server: "{{item.server}}"
# Email address used for ACME registration # Email address used for ACME registration
email: "{{letsencrypt_email}}" email: "{{letsencrypt_email}}"
# Name of a secret used to store the ACME account private key # Name of a secret used to store the ACME account private key
privateKeySecretRef: privateKeySecretRef:
name: "{{item.0.name}}" name: "{{item.name}}"
# Enable HTTP01 validations # Enable HTTP01 validations
http01: {} http01: {}
with_nested: with_items:
- - name: letsencrypt-production - name: letsencrypt-production
server: https://acme-v02.api.letsencrypt.org/directory server: https://acme-v02.api.letsencrypt.org/directory
- name: letsencrypt-staging - name: letsencrypt-staging
server: https://acme-staging-v02.api.letsencrypt.org/directory server: https://acme-staging-v02.api.letsencrypt.org/directory
- - default
- kube-system
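Review bot: `namespace: "{{item.name}}"` on the k8s task now hands the issuer name (`letsencrypt-production`, `letsencrypt-staging`) to the module as a namespace, a leftover from the per-namespace Issuer loop this hunk replaces; a ClusterIssuer is cluster-scoped, so the line should be removed rather than re-templated from the item. Worth a comment at `privateKeySecretRef:` is that for a ClusterIssuer the ACME account key is looked up in cert-manager's cluster-resource namespace rather than beside the workloads, and that this key authorizes issuance for every domain the cluster serves, so access to that namespace should be treated accordingly. The two ACME `server` values are safe as plain scalars but quoting them would match the other values in the task.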


@ -5,8 +5,5 @@
- import_tasks: cert-manager.yml - import_tasks: cert-manager.yml
tags: cert-manager tags: cert-manager
- import_tasks: traefik.yml
tags: traefik
- import_tasks: searx.yml - import_tasks: searx.yml
tags: searx tags: searx


@ -1,9 +1,14 @@
- name: Install pip - name: Install pip
package: package:
name: python3-pip name:
- python3-pip
- python3-setuptools
state: present state: present
- name: Install openshift python client - name: Install python dependencies
pip: pip:
name: openshift name:
- openshift
# - pyhelm
# - grpcio
state: present state: present
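Review bot: The `name:` list under `pip:` installs `openshift` with no version pin, so each run pulls whatever release PyPI serves at that moment and a breaking or compromised release reaches the control host unnoticed; pin it, e.g. `- openshift==<pinned version>`, and record why that version was chosen. The commented entries `# - pyhelm` and `# - grpcio` inside the list are dead configuration and should either be dropped or moved above the task with a note on why they are parked. With only `python3-pip` installed, the `pip` module's default executable may still resolve to a Python 2 pip depending on the interpreter the play runs under; `executable: pip3` makes the target explicit.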


@ -19,7 +19,7 @@
spec: spec:
containers: containers:
- name: searx - name: searx
image: wonderfall/searx:latest image: hoellen/searx
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
ports: ports:
- containerPort: 8888 - containerPort: 8888
@ -58,11 +58,11 @@
kind: Ingress kind: Ingress
metadata: metadata:
name: searx name: searx
annotation: annotations:
traefik.ingress.kubernetes.io/redirect-entry-point: https kubernetes.io/ingress.class: nginx
traefik.ingress.kubernetes.io/redirect-permanent: "true" certmanager.k8s.io/cluster-issuer: "{{cert_manager_issuer}}"
ingress.kubernetes.io/ssl-redirect: "true" # ingress.kubernetes.io/ssl-redirect: "true"
ingress.kubernetes.io/ssl-temporary-redirect: "false" # ingress.kubernetes.io/ssl-temporary-redirect: "false"
spec: spec:
rules: rules:
- host: "{{searx_domain}}" - host: "{{searx_domain}}"
@ -73,25 +73,6 @@
serviceName: searx serviceName: searx
servicePort: 80 servicePort: 80
tls: tls:
- secretName: searx-cert - hosts:
- "{{searx_domain}}"
- name: Searx certificate secretName: letsencrypt-staging
k8s:
namespace: default
state: present
definition:
apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
name: searx-cert
spec:
secretName: traefik-cert
issuerRef:
name: "{{cert_manager_issuer}}"
commonName: "{{searx_domain}}"
acme:
config:
- http01:
ingressClass: traefik
domains:
- "{{searx_domain}}"
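Review bot: The TLS `secretName` at the end of the section is hard-coded to `letsencrypt-staging` while the `certmanager.k8s.io/cluster-issuer` annotation above it is templated from `cert_manager_issuer`, so switching the variable to the production issuer leaves the served certificate in a secret still named after staging, and that name is also the one the ClusterIssuer in cert-manager.yml uses for its ACME account key. Deriving it as `secretName: "searx-{{cert_manager_issuer}}"`, the scheme the deleted searx-ingress manifest used, keeps issuer and secret in step and avoids the clash. Certificates from the staging issuer are not browser-trusted, so this ingress is not production-ready until both change. With the two `ssl-redirect` annotations commented out, whether plain HTTP is redirected now depends on the nginx controller's global default, and `image: hoellen/searx` without a tag pulls whatever `latest` is at rollout time; a tag or digest would make the deployed version reviewable.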


@ -1,232 +0,0 @@
- name: Traefik cluster role
k8s:
state: present
definition:
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: traefik-ingress-controller
rules:
- apiGroups:
- ""
resources:
- services
- endpoints
- secrets
verbs:
- get
- list
- watch
- apiGroups:
- extensions
resources:
- ingresses
verbs:
- get
- list
- watch
- name: Traefik cluster role binding
k8s:
state: present
definition:
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: traefik-ingress-controller
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: traefik-ingress-controller
subjects:
- kind: ServiceAccount
name: traefik-ingress-controller
namespace: kube-system
- name: Traefik service account
k8s:
state: present
definition:
apiVersion: v1
kind: ServiceAccount
metadata:
name: traefik-ingress-controller
namespace: kube-system
# - name: Traefik configuration
# k8s:
# state: present
# definition:
# apiVersion: v1
# kind: ConfigMap
# metadata:
# name: traefik-conf
# namespace: kube-system
# data:
# traefik.toml: |
# defaultEntryPoints = ["http", "https"]
# logLevel = "INFO"
# [entryPoints]
# [entryPoints.http]
# address = ":80"
# [entryPoints.http.redirect]
# entryPoint = "https"
# [entryPoints.https]
# address = ":443"
# [entryPoints.https.tls]
# [entryPoints.api]
# address = ":8080"
# [api]
# entryPoint = "api"
# dashboard = true
# debug = false
# [kubernetes]
- name: Traefik daemon set
k8s:
state: present
definition:
kind: DaemonSet
apiVersion: extensions/v1beta1
metadata:
name: traefik-ingress-controller
namespace: kube-system
labels:
k8s-app: traefik-ingress-lb
spec:
template:
metadata:
labels:
k8s-app: traefik-ingress-lb
name: traefik-ingress-lb
spec:
serviceAccountName: traefik-ingress-controller
terminationGracePeriodSeconds: 60
containers:
- image: traefik
name: traefik-ingress-lb
# volumeMounts:
# - mountPath: /config
# name: traefik-config
ports:
- name: http
containerPort: 80
hostPort: 80
- name: admin
containerPort: 8080
securityContext:
capabilities:
drop:
- ALL
add:
- NET_BIND_SERVICE
args:
- --api
- --kubernetes
- --logLevel=INFO
# volumes:
# - name: traefik-config
# configMap:
# name: traefik-conf
- name: Traefik service
k8s:
state: present
definition:
kind: Service
apiVersion: v1
metadata:
name: traefik-ingress-service
namespace: kube-system
spec:
selector:
k8s-app: traefik-ingress-lb
ports:
- protocol: TCP
port: 80
name: web
- protocol: TCP
port: 8080
name: admin
- name: Traefik UI service
k8s:
state: present
definition:
apiVersion: v1
kind: Service
metadata:
name: traefik-web-ui
namespace: kube-system
spec:
selector:
k8s-app: traefik-ingress-lb
ports:
- name: web
port: 80
targetPort: 8080
- name: Traefik UI basic auth secret
k8s:
state: present
definition:
apiVersion: v1
data:
auth: "{{('admin:' + traefik_dashboard_password_hash) | b64encode}}"
kind: Secret
metadata:
name: traefik-auth
namespace: kube-system
- name: Traefik UI ingress
k8s:
state: present
definition:
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: traefik-web-ui
namespace: kube-system
annotations:
traefik.ingress.kubernetes.io/auth-type: "basic"
traefik.ingress.kubernetes.io/auth-secret: "traefik-auth"
traefik.ingress.kubernetes.io/redirect-entry-point: https
traefik.ingress.kubernetes.io/redirect-permanent: "true"
ingress.kubernetes.io/ssl-redirect: "true"
ingress.kubernetes.io/ssl-temporary-redirect: "false"
spec:
rules:
- host: "{{traefik_domain}}"
http:
paths:
- path: /
backend:
serviceName: traefik-web-ui
servicePort: web
tls:
- secretName: traefik-cert
- name: Traefik UI certificate
k8s:
state: present
definition:
apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
name: traefik-cert
namespace: kube-system
spec:
secretName: traefik-cert
issuerRef:
name: "{{cert_manager_issuer}}"
commonName: "{{traefik_domain}}"
acme:
config:
- http01:
ingressClass: traefik
domains:
- "{{traefik_domain}}"


@ -1,18 +0,0 @@
apiVersion: certmanager.k8s.io/v1alpha1
kind: ClusterIssuer
metadata:
name: letsencrypt-production
spec:
acme:
# The ACME production api URL
server: https://acme-v02.api.letsencrypt.org/directory
# Email address used for ACME registration
email: "{{letsencrypt_email}}"
# Name of a secret used to store the ACME account private key
privateKeySecretRef:
name: letsencrypt-production
# Enable the HTTP-01 challenge provider
http01: {}


@ -1,18 +0,0 @@
apiVersion: certmanager.k8s.io/v1alpha1
kind: ClusterIssuer
metadata:
name: letsencrypt-staging
spec:
acme:
# The ACME server URL
server: https://acme-staging-v02.api.letsencrypt.org/directory
# Email address used for ACME registration
email: "{{letsencrypt_email}}"
# Name of a secret used to store the ACME account private key
privateKeySecretRef:
name: letsencrypt-staging
# Enable the HTTP-01 challenge provider
http01: {}


@ -1,21 +0,0 @@
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: searx-ingress
annotations:
ingress.kubernetes.io/ssl-redirect: "true"
certmanager.k8s.io/cluster-issuer: "{{searx_issuer}}"
kubernetes.io/ingress.class: "nginx"
spec:
tls:
- hosts:
- searx.{{dns_domain}}
secretName: searx-{{searx_issuer}}
rules:
- host: searx.{{dns_domain}}
http:
paths:
- backend:
serviceName: searx
servicePort: 80