Use treafik ingress controller instead of nginx
This commit is contained in:
parent
ed24aa4f8d
commit
d8d9733ed9
25 changed files with 187 additions and 325 deletions
|
|
@ -15,7 +15,7 @@ spec:
|
|||
terminationGracePeriodSeconds: 60
|
||||
containers:
|
||||
- name: default-http-backend
|
||||
# Any image is permissable as long as:
|
||||
# Any image is permissible as long as:
|
||||
# 1. It serves a 404 page at /
|
||||
# 2. It serves 200 on a /healthz endpoint
|
||||
image: {{ image_default_backend }}:{{ version_default_backend }}
|
||||
|
|
|
|||
|
|
@ -1,14 +0,0 @@
|
|||
apiVersion: rbac.authorization.k8s.io/v1beta1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
name: system:ingress
|
||||
rules:
|
||||
- apiGroups:
|
||||
- ""
|
||||
resources: ["configmaps","secrets","endpoints","events","services"]
|
||||
verbs: ["list","watch","create","update","delete","get"]
|
||||
- apiGroups:
|
||||
- ""
|
||||
- "extensions"
|
||||
resources: ["services","nodes","ingresses","pods","ingresses/status"]
|
||||
verbs: ["list","watch","create","update","delete","get"]
|
||||
|
|
@ -1,10 +0,0 @@
|
|||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: nginx-ingress-cfg
|
||||
namespace: kube-system
|
||||
labels:
|
||||
app: nginx-ingress-cfg
|
||||
data:
|
||||
enable-sticky-sessions: 'true' ## use ROUTE cookie to provide session affinity
|
||||
enable-vts-status: 'true' ## Allows the replacement of the default status page nginx-module-vts
|
||||
|
|
@ -1,66 +0,0 @@
|
|||
apiVersion: extensions/v1beta1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: nginx-ingress-controller
|
||||
labels:
|
||||
k8s-app: nginx-ingress-controller
|
||||
namespace: kube-system
|
||||
spec:
|
||||
# on replica per proxy
|
||||
replicas: {{ groups['k8s_proxy'] | length }}
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
k8s-app: nginx-ingress-controller
|
||||
annotations:
|
||||
prometheus.io/port: '10254'
|
||||
prometheus.io/scrape: 'true'
|
||||
spec:
|
||||
# hostNetwork makes it possible to use ipv6 and to preserve the source IP correctly regardless of docker configuration
|
||||
# however, it is not a hard dependency of the nginx-ingress-controller itself and it may cause issues if port 10254 already is taken on the host
|
||||
# that said, since hostPort is broken on CNI (https://github.com/kubernetes/kubernetes/issues/31307) we have to use hostNetwork where CNI is used
|
||||
# like with kubeadm
|
||||
# hostNetwork: true
|
||||
serviceAccountName: ingress
|
||||
terminationGracePeriodSeconds: 60
|
||||
#https://github.com/kubernetes/contrib/issues/2135
|
||||
# CNI and hostPort does not work using hostNetwork
|
||||
hostNetwork: true
|
||||
containers:
|
||||
- image: {{ nginx_ingress_controller_image }}:{{ nginx_ingress_controller_version }}
|
||||
name: nginx-ingress-controller
|
||||
readinessProbe:
|
||||
httpGet:
|
||||
path: /healthz
|
||||
port: 10254
|
||||
scheme: HTTP
|
||||
livenessProbe:
|
||||
httpGet:
|
||||
path: /healthz
|
||||
port: 10254
|
||||
scheme: HTTP
|
||||
initialDelaySeconds: 10
|
||||
timeoutSeconds: 1
|
||||
ports:
|
||||
- containerPort: 80
|
||||
#hostPort: 80
|
||||
- containerPort: 443
|
||||
#hostPort: 443
|
||||
- containerPort: 18080
|
||||
env:
|
||||
- name: POD_NAME
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
fieldPath: metadata.name
|
||||
- name: POD_NAMESPACE
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
fieldPath: metadata.namespace
|
||||
args:
|
||||
- /nginx-ingress-controller
|
||||
- --default-backend-service=$(POD_NAMESPACE)/default-http-backend
|
||||
- --configmap=$(POD_NAMESPACE)/nginx-ingress-cfg
|
||||
nodeSelector:
|
||||
# node must be labelled with roles=ingress-controller
|
||||
role: ingress-controller
|
||||
|
||||
|
|
@ -1,5 +0,0 @@
|
|||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
name: ingress
|
||||
namespace: kube-system
|
||||
|
|
@ -1,15 +0,0 @@
|
|||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: nginx-ingress
|
||||
namespace: kube-system
|
||||
spec:
|
||||
ports:
|
||||
- port: 80
|
||||
name: http
|
||||
- port: 443
|
||||
name: https
|
||||
- port: 18080
|
||||
name: http-mgmt
|
||||
selector:
|
||||
k8s-app: nginx-ingress-controller
|
||||
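--- /dev/null
+++ b/roles/ingress/templates/traefik-ingress-clusterole.yml.j2
@@ -0,0 +1,23 @@
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+  name: traefik-ingress-controller
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - services
+      - endpoints
+      - secrets
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - extensions
+    resources:
+      - ingresses
+    verbs:
+      - get
+      - list
+      - watch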
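Review bot: The first rule grants get/list/watch on `secrets` in every namespace, which is the most sensitive grant in this ClusterRole and the one line that deserves a comment. Presumably it is there so the controller can read the TLS Secrets referenced by Ingress objects, but it also means a compromise of the controller pod exposes every Secret in the cluster, so a comment such as `# secrets: cluster-wide read, required for Ingress TLS secrets` above the rule would make that trade-off visible to the next maintainer. Compared with the deleted `system:ingress` role, dropping create/update/delete is a clear least-privilege improvement and worth keeping that way if more resources are added later.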
@ -1,12 +1,12 @@
|
|||
apiVersion: rbac.authorization.k8s.io/v1beta1
|
||||
kind: ClusterRoleBinding
|
||||
apiVersion: rbac.authorization.k8s.io/v1beta1
|
||||
metadata:
|
||||
name: ingress
|
||||
name: traefik-ingress-controller
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: system:ingress
|
||||
name: traefik-ingress-controller
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: ingress
|
||||
namespace: kube-system
|
||||
- kind: ServiceAccount
|
||||
name: traefik-ingress-controller
|
||||
namespace: kube-system
|
||||
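--- /dev/null
+++ b/roles/ingress/templates/traefik-ingress-configmap.yml.j2
@@ -0,0 +1,45 @@
+kind: ConfigMap
+apiVersion: v1
+metadata:
+  name: traefik-config
+  namespace: kube-system
+  labels:
+    app: traefik-ingress-controller
+data:
+  traefik.toml: |-
+    checkNewVersion = false
+    IdleTimeout = "180s"
+    MaxIdleConnsPerHost = 500
+    logLevel = "INFO"
+    defaultEntryPoints = ["http", "https"]
+
+    [retry]
+    attempts = 3
+
+    [kubernetes]
+
+    [web]
+    address = ":8081"
+
+    [acme]
+    email = "letsencrypt.account@banditlair.com"
+    storage = "traefik/acme/account"
+    entryPoint = "https"
+    OnHostRule = true
+    onDemand = true
+    acmeLogging = true
+    # TODO Remove this line when going to prod
+    caServer = "https://acme-staging-v02.api.letsencrypt.org/directory"
+
+    [[acme.domains]]
+    main = "{{ scaleway_reverse_ipaddr }}"
+
+    [entryPoints]
+    [entryPoints.http]
+    address = ":80"
+    compress = true
+    [entryPoints.http.redirect]
+    entryPoint = "https"
+    [entryPoints.https]
+    address = ":443"
+    [entryPoints.https.tls]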
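Review bot: `onDemand = true` in the `[acme]` section lets a TLS handshake for any hostname that has no certificate yet trigger a Let's Encrypt order, so a client sending arbitrary SNI values can drive the controller into the CA's rate limits and slow down handshakes for everyone; `OnHostRule = true` is already set and covers the hosts declared in Ingress rules, which is the bounded option, so I would drop `onDemand` or add a comment explaining why it is needed. The `[web]` section opens the API/dashboard on `:8081` with no `[web.auth]` block (or equivalent), so anything that can reach the pod can read the full routing configuration; a basic-auth block or a NetworkPolicy on that port is warranted before this goes to production. `storage = "traefik/acme/account"` is a relative path with no volume behind it in the DaemonSet, so if this is the file-backed store the ACME account and certificates are lost on every pod restart and each DaemonSet replica registers separately, which the staging `caServer` currently hides. The hard-coded `email` would also be more consistent with the rest of the role as a template variable.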
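--- /dev/null
+++ b/roles/ingress/templates/traefik-ingress-ds.yml.j2
@@ -0,0 +1,59 @@
+kind: DaemonSet
+apiVersion: extensions/v1beta1
+metadata:
+  name: traefik-ingress-controller
+  namespace: kube-system
+  labels:
+    k8s-app: traefik-ingress-lb
+spec:
+  template:
+    metadata:
+      labels:
+        k8s-app: traefik-ingress-lb
+        name: traefik-ingress-lb
+    spec:
+      serviceAccountName: traefik-ingress-controller
+      terminationGracePeriodSeconds: 60
+      containers:
+      - image: traefik
+        name: traefik-ingress-lb
+        resources:
+          limits:
+            cpu: 200m
+            memory: 30Mi
+          requests:
+            cpu: 100m
+            memory: 20Mi
+        ports:
+        - name: http
+          containerPort: 80
+          hostPort: 80
+        - name: https
+          hostPort: 443
+          containerPort: 443
+        - name: admin
+          containerPort: 8081
+        securityContext:
+          capabilities:
+            drop:
+            - ALL
+            add:
+            - NET_BIND_SERVICE
+        volumeMounts:
+        - mountPath: "/config"
+          name: "config"
+        args:
+        - --api
+        - --configfile=/config/traefik.toml
+        - --kubernetes
+        - --logLevel=INFO
+      volumes:
+      - name: config
+        configMap:
+          name: traefik-config
+          items:
+          - key: traefik.toml
+            path: traefik.toml
+      nodeSelector:
+        # node must be labelled with roles=ingress-controller
+        role: ingress-controller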
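Review bot: `- image: traefik` carries no tag, so every node pulls whatever `latest` resolves to at scheduling time; nodes in the same DaemonSet can end up on different Traefik versions, and an upstream tag change lands in the cluster unreviewed. The other templates in this role pin images through variables (`{{ image_default_backend }}:{{ version_default_backend }}` in the default backend, and the deleted nginx controller did the same), so the same pattern here, `- image: "{{ <traefik_image_var> }}:{{ <traefik_version_var> }}"` with the placeholder names replaced by real role variables, keeps deployments reproducible. The deleted nginx Deployment had readiness and liveness probes and this DaemonSet has none, so a pod whose process is up but not serving is still counted as Ready by the `traefik-web-ui` Service; a probe against the admin port would restore that. Finally, `--kubernetes`, `--logLevel=INFO` and `--api` restate settings already given in `traefik.toml` (`[kubernetes]`, `logLevel`, `[web]`), and in Traefik 1.x `--api` brings up its own listener on its default port unless configured otherwise, so the configuration is better kept in one place.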
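--- /dev/null
+++ b/roles/ingress/templates/traefik-ingress-sa.yml.j2
@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: traefik-ingress-controller
+  namespace: kube-system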
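--- /dev/null
+++ b/roles/ingress/templates/traefik-ingress-service.yml.j2
@@ -0,0 +1,18 @@
+kind: Service
+apiVersion: v1
+metadata:
+  name: traefik-web-ui
+  namespace: kube-system
+spec:
+  selector:
+    k8s-app: traefik-ingress-lb
+  ports:
+  - protocol: TCP
+    port: 80
+    name: http
+  - protocol: TCP
+    port: 443
+    name: https
+  - protocol: TCP
+    port: 8080
+    name: admin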
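Review bot: The `admin` port has `port: 8080` and no `targetPort`, so the Service forwards to pod port 8080, while the DaemonSet declares the admin `containerPort: 8081` and `traefik.toml` binds the web interface to `:8081`; unless the `--api` flag happens to open a second listener on 8080, the admin port of `traefik-web-ui` points at nothing, and `targetPort: 8081` under that entry (or aligning all three on one port) fixes it. Separately, this Service exposes the unauthenticated API/dashboard alongside the http and https ports; if it must be reachable at all, a separate Service limited to the admin port is easier to restrict with a NetworkPolicy than one bundled with the traffic ports.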