diff --git a/kubernetes/03-deployments.yml b/kubernetes/03-deployments.yml
new file mode 100644
index 0000000..e6921bd
--- /dev/null
+++ b/kubernetes/03-deployments.yml
@@ -0,0 +1,74 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ namespace: default
+ name: traefik-ingress-controller
+
+---
+kind: Deployment
+apiVersion: apps/v1
+metadata:
+ namespace: default
+ name: traefik
+ labels:
+ app: traefik
+
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: traefik
+ template:
+ metadata:
+ labels:
+ app: traefik
+ spec:
+ serviceAccountName: traefik-ingress-controller
+ containers:
+ - name: traefik
+ image: traefik:v3.0
+ args:
+ - --api.insecure
+ - --accesslog
+ - --entryPoints.web.Address=:8000
+ - --entryPoints.websecure.Address=:4443
+ - --providers.kubernetescrd
+ - --certificatesresolvers.myresolver.acme.tlschallenge
+ - --certificatesresolvers.myresolver.acme.email=furyx@hotmail.com
+ - --certificatesresolvers.myresolver.acme.storage=acme.json
+ # Please note that this is the staging Let's Encrypt server.
+ # Once you get things working, you should remove that whole line altogether.
+ - --certificatesresolvers.myresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory
+ ports:
+ - name: web
+ containerPort: 8000
+ - name: websecure
+ containerPort: 4443
+ - name: admin
+ containerPort: 8080
+
+---
+kind: Deployment
+apiVersion: apps/v1
+metadata:
+ namespace: default
+ name: whoami
+ labels:
+ app: whoami
+
+spec:
+ replicas: 2
+ selector:
+ matchLabels:
+ app: whoami
+ template:
+ metadata:
+ labels:
+ app: whoami
+ spec:
+ containers:
+ - name: whoami
+ image: traefik/whoami
+ ports:
+ - name: web
+ containerPort: 80
\ No newline at end of file
diff --git a/kubernetes/04-ingressroutes.yml b/kubernetes/04-ingressroutes.yml
new file mode 100644
index 0000000..f1c3e30
--- /dev/null
+++ b/kubernetes/04-ingressroutes.yml
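Review bot: `--api.insecure` in the traefik container args enables the unauthenticated dashboard and API on port 8080, the `admin` containerPort exposes it from the pod, and the readme in this same diff then runs `kubectl port-forward --address 0.0.0.0 ... 8080:8080`, so anyone who can reach the host can read the full routing configuration of the cluster. Drop `--api.insecure` and the `admin` port; if the dashboard is wanted, use `--api.dashboard=true` and publish it only through an IngressRoute behind an auth middleware. `--certificatesresolvers.myresolver.acme.storage=acme.json` also writes the ACME account key and every issued private key to a relative path in the container's writable layer with no volume, so they are lost on each restart and re-issued against the CA (rate-limited once the staging line is removed); mount a PersistentVolume there and add a `# acme.json holds private keys; back it by a volume` comment. Finally, `traefik:v3.0` is a floating tag and `traefik/whoami` has no tag at all — pin both by digest if this deployment is meant to be reproducible, and consider a `securityContext` (`runAsNonRoot`, `readOnlyRootFilesystem`, dropped capabilities) for both containers.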
@@ -0,0 +1,32 @@
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+ name: simpleingressroute
+ namespace: default
+spec:
+ entryPoints:
+ - web
+ routes:
+ - match: Host(`mac`) && PathPrefix(`/notls`)
+ kind: Rule
+ services:
+ - name: whoami
+ port: 80
+
+---
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+ name: ingressroutetls
+ namespace: default
+spec:
+ entryPoints:
+ - websecure
+ routes:
+ - match: Host(`mac`) && PathPrefix(`/tls`)
+ kind: Rule
+ services:
+ - name: whoami
+ port: 80
+ tls:
+ certResolver: myresolver
\ No newline at end of file
diff --git a/kubernetes/05-tlsoption.yml b/kubernetes/05-tlsoption.yml
new file mode 100644
index 0000000..3febee6
--- /dev/null
+++ b/kubernetes/05-tlsoption.yml
@@ -0,0 +1,17 @@
+---
+apiVersion: traefik.io/v1alpha1
+kind: TLSOption
+metadata:
+ name: default
+ namespace: default
+spec:
+ minVersion: VersionTLS12
+ cipherSuites:
+ - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 # TLS 1.2
+ - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 # TLS 1.2
+ - TLS_AES_256_GCM_SHA384 # TLS 1.3
+ - TLS_CHACHA20_POLY1305_SHA256 # TLS 1.3
+ curvePreferences:
+ - CurveP521
+ - CurveP384
+ sniStrict: true
\ No newline at end of file
diff --git a/kubernetes/config/kubeconfig.yaml b/kubernetes/config/kubeconfig.yaml
index 5eeac03..be49172 100644
--- a/kubernetes/config/kubeconfig.yaml
+++ b/kubernetes/config/kubeconfig.yaml
@@ -1,7 +1,7 @@
apiVersion: v1
clusters:
- cluster:
- certificate-authority-data: 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
+ certificate-authority-data: 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
server: https://127.0.0.1:6443
name: default
contexts:
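Review bot: The `ingressroutetls` route asks the `myresolver` ACME resolver for a certificate for `Host(\`mac\`)`, but `mac` is not a public DNS name, so the TLS-ALPN challenge configured in 03-deployments.yml cannot be validated by Let's Encrypt and Traefik will fall back to its self-signed default certificate — which is presumably why the readme in this diff documents `curl [-k]`. Either use a name that resolves from the internet to the `websecure` entrypoint, or drop `tls.certResolver` and reference a Secret-backed certificate for the local name, so that `-k` is never needed and certificate validation is actually exercised. The `simpleingressroute` on `web` serves `/notls` in cleartext, and nothing redirects `web` to `websecure`; if plaintext is only meant for the demo, add a `redirectScheme` middleware on the `web` route or a comment saying the cleartext route is intentional.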
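Review bot: `curvePreferences` lists only `CurveP521` and `CurveP384`, which excludes `X25519` and `CurveP256` — the groups most clients offer first — and puts P-521 ahead of P-384 even though it is the slowest of the three and, as far as I recall, some mainstream browsers do not offer it at all; the result is more handshake cost, not more security. Prefer `- X25519` followed by `- CurveP256` (keep `CurveP384` if you want it), or omit the list and take the Go defaults. The TLS 1.2 list has no `TLS_ECDHE_ECDSA_*` suite, which is fine while the resolver uses Traefik's default RSA key type but will break 1.2 clients the moment `keyType` is switched to an EC key — worth a comment next to `cipherSuites`. Note also that the readme added in this diff never applies `05-tlsoption.yml`, so as documented none of these settings take effect.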
@@ -15,5 +15,5 @@ preferences: {} users: - name: default user: - client-certificate-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJrakNDQVRlZ0F3SUJBZ0lJRTd0dmVwSXpxK0F3Q2dZSUtvWkl6ajBFQXdJd0l6RWhNQjhHQTFVRUF3d1kKYXpOekxXTnNhV1Z1ZEMxallVQXhOekl4TURReU5Ea3lNQjRYRFRJME1EY3hOVEV4TWpFek1sb1hEVEkxTURjeApOVEV4TWpFek1sb3dNREVYTUJVR0ExVUVDaE1PYzNsemRHVnRPbTFoYzNSbGNuTXhGVEFUQmdOVkJBTVRESE41CmMzUmxiVHBoWkcxcGJqQlpNQk1HQnlxR1NNNDlBZ0VHQ0NxR1NNNDlBd0VIQTBJQUJLVEtmWlE4Uy8yaTQ4NzAKVUJjcmFLakg3L2hxUHNsTmVZY3I3c2NSenpNWFd6SHJnQS9mUEUwUk9NMXNHUmtWeUt5YTdseFBoK01sVGVvWQpUTk03R1ZDalNEQkdNQTRHQTFVZER3RUIvd1FFQXdJRm9EQVRCZ05WSFNVRUREQUtCZ2dyQmdFRkJRY0RBakFmCkJnTlZIU01FR0RBV2dCUzFNWlpIOVY1MytvQWxJcnBMNDVWREgwekVhVEFLQmdncWhrak9QUVFEQWdOSkFEQkcKQWlFQXFjQkNtbmxncTNtWUhmNVAvQm1LWEpzcmFKbTJudVFWRzlSb0FLYUtKVXNDSVFEZmtWdGFSWW4wd3U2awp3UHVBNTZ2REtBUU5QM0VaTHBuL1k1ZndiNitXUGc9PQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCi0tLS0tQkVHSU4gQ0VSVElGSUNBVEUtLS0tLQpNSUlCZGpDQ0FSMmdBd0lCQWdJQkFEQUtCZ2dxaGtqT1BRUURBakFqTVNFd0h3WURWUVFEREJock0zTXRZMnhwClpXNTBMV05oUURFM01qRXdOREkwT1RJd0hoY05NalF3TnpFMU1URXlNVE15V2hjTk16UXdOekV6TVRFeU1UTXkKV2pBak1TRXdId1lEVlFRRERCaHJNM010WTJ4cFpXNTBMV05oUURFM01qRXdOREkwT1RJd1dUQVRCZ2NxaGtqTwpQUUlCQmdncWhrak9QUU1CQndOQ0FBUUJ1REdJdGlYVFd2UGM5L2pnM2pMajYvZUtKTWtEYUxBcXRvdnZ6TE1GCmJMNU8xTkhlcU1ucmZmYmJoa3JxUy96SUsrYVg5a3J5enprUjNSSGQ4MVhtbzBJd1FEQU9CZ05WSFE4QkFmOEUKQkFNQ0FxUXdEd1lEVlIwVEFRSC9CQVV3QXdFQi96QWRCZ05WSFE0RUZnUVV0VEdXUi9WZWQvcUFKU0s2UytPVgpReDlNeEdrd0NnWUlLb1pJemowRUF3SURSd0F3UkFJZ0U0c254Z3hJOWNTOE9aeHpPckV3eEVLZUx4b1R2UWhpCmttZWJOeFdualFjQ0lBdDhPeG1yQVg0STFRNDBIVmRPQzFkaW5wMEFoZHlkcjAyMW92eGxIaDM2Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K - client-key-data: LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tCk1IY0NBUUVFSU55ZFM4ckZGYTR5L1pXKzNkL3R4cmZXbnNuakVLSnBZdGFSeFA0d0p3NlFvQW9HQ0NxR1NNNDkKQXdFSG9VUURRZ0FFcE1wOWxEeEwvYUxqenZSUUZ5dG9xTWZ2K0dvK3lVMTVoeXZ1eHhIUE14ZGJNZXVBRDk4OApUUkU0eld3WkdSWElySnJ1WEUrSDR5Vk42aGhNMHpzWlVBPT0KLS0tLS1FTkQgRUMgUFJJVkFURSBLRVktLS0tLQo= + 
client-certificate-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJrVENDQVRlZ0F3SUJBZ0lJTkV4VjZYcGc5b293Q2dZSUtvWkl6ajBFQXdJd0l6RWhNQjhHQTFVRUF3d1kKYXpOekxXTnNhV1Z1ZEMxallVQXhOekl4TURRMU1UUXdNQjRYRFRJME1EY3hOVEV5TURVME1Gb1hEVEkxTURjeApOVEV5TURVME1Gb3dNREVYTUJVR0ExVUVDaE1PYzNsemRHVnRPbTFoYzNSbGNuTXhGVEFUQmdOVkJBTVRESE41CmMzUmxiVHBoWkcxcGJqQlpNQk1HQnlxR1NNNDlBZ0VHQ0NxR1NNNDlBd0VIQTBJQUJFWmNaUzRxdHphZWFIUXIKN3hHMElydnc2N1Q2TXp3aWt2REZLYnF5S0JjeGVSdG40TVhXS243K3hJWDdVM0VKbURXOXVHQ0Irak1iU2lZegoyTTNhMWRPalNEQkdNQTRHQTFVZER3RUIvd1FFQXdJRm9EQVRCZ05WSFNVRUREQUtCZ2dyQmdFRkJRY0RBakFmCkJnTlZIU01FR0RBV2dCUmNiek90S3NNM2dJZG5DZzFoTC9JSVRTeGE4akFLQmdncWhrak9QUVFEQWdOSUFEQkYKQWlFQWdZTGprdzhtSElWK3JnUThBRHRhT0J0NncwK1BRNTdQUmZMSEcrSHI4MG9DSUV1VGFJMng5QkNLdUdlRgp3c3hPb0dCNGJPOUYzMkw0bGI5UFg1QkRJYTFyCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0KLS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJkekNDQVIyZ0F3SUJBZ0lCQURBS0JnZ3Foa2pPUFFRREFqQWpNU0V3SHdZRFZRUUREQmhyTTNNdFkyeHAKWlc1MExXTmhRREUzTWpFd05EVXhOREF3SGhjTk1qUXdOekUxTVRJd05UUXdXaGNOTXpRd056RXpNVEl3TlRRdwpXakFqTVNFd0h3WURWUVFEREJock0zTXRZMnhwWlc1MExXTmhRREUzTWpFd05EVXhOREF3V1RBVEJnY3Foa2pPClBRSUJCZ2dxaGtqT1BRTUJCd05DQUFRTS9MU2Q2OThBWVZsNGlVTnQ1b3lSc2hMNTYyZXJhRHY2ZUg5YmliYVAKM0pPeHdYS0NjNVFTNTBPUTJnc1J5QTdyN0xhTThHYmg1S2l4TzBiVzkwWmtvMEl3UURBT0JnTlZIUThCQWY4RQpCQU1DQXFRd0R3WURWUjBUQVFIL0JBVXdBd0VCL3pBZEJnTlZIUTRFRmdRVVhHOHpyU3JETjRDSFp3b05ZUy95CkNFMHNXdkl3Q2dZSUtvWkl6ajBFQXdJRFNBQXdSUUloQUlZSWgzeUNpZytDbTNCVGZjUFU3dlJaSHIzTWhPQngKS0gxV2llVGRtR2ErQWlCN09aekRrOVYvRzlNL1laNmZmZlo0a1RtZUM4eDNPRTBMdlpuL0JudUJhZz09Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K + client-key-data: LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tCk1IY0NBUUVFSUg5bzdENmFQNUZ0bXVxd3FDdlJaTlJDRWtHV2UxYXcyNUhTMTFNZ2RzN09vQW9HQ0NxR1NNNDkKQXdFSG9VUURRZ0FFUmx4bExpcTNOcDVvZEN2dkViUWl1L0RydFBvelBDS1M4TVVwdXJJb0Z6RjVHMmZneGRZcQpmdjdFaGZ0VGNRbVlOYjI0WUlINk14dEtKalBZemRyVjB3PT0KLS0tLS1FTkQgRUMgUFJJVkFURSBLRVktLS0tLQo= diff --git a/kubernetes/k3s.yml b/kubernetes/k3s.yml index ed4129a..57a568e 100644 
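Review bot: `client-key-data` is a base64-encoded EC private key for the cluster's admin identity committed to version control — the paired certificate's subject decodes to `O=system:masters, CN=system:admin` — and this hunk replaces one such key with another, so the previous key now lives in git history as well. Move `kubernetes/config/kubeconfig.yaml` out of the repository (add it to `.gitignore` and copy it from the running k3s server on each bring-up), and if a checked-in example is wanted commit one with the `*-data` fields replaced by placeholders. The blast radius here is whoever can reach the API server that `k3s.yml` publishes on `6443`; the client CA also changed in the first hunk, which suggests the cluster was recreated and the old key is already useless for it, but every key already pushed should still be treated as compromised rather than relying on that.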
--- a/kubernetes/k3s.yml
+++ b/kubernetes/k3s.yml
@@ -1,5 +1,6 @@
# to run define K3S_TOKEN, K3S_VERSION is optional, eg:
-# K3S_TOKEN=${RANDOM}${RANDOM}${RANDOM} docker compose -f k3s.yml up -d
+# export K3S_TOKEN=${RANDOM}${RANDOM}${RANDOM}
+# docker compose -f k3s.yml up -d
services:
server:
image: "rancher/k3s:${K3S_VERSION:-latest}"
@@ -28,8 +29,8 @@ services:
- k3s-server:/var/lib/rancher/k3s
ports:
- 6443:6443
- - 80:80 # Ingress controller port 80
- - 443:443 # Ingress controller port 443
+ # - 80:80 # Ingress controller port 80
+ # - 443:443 # Ingress controller port 443
node:
image: "rancher/k3s:${K3S_VERSION:-latest}"
diff --git a/kubernetes/readme.md b/kubernetes/readme.md
new file mode 100644
index 0000000..8a3c9a1
--- /dev/null
+++ b/kubernetes/readme.md
@@ -0,0 +1,15 @@
+# cli
+
+```bash
+export K3S_TOKEN=${RANDOM}${RANDOM}${RANDOM}
+docker compose -f k3s.yml up -d
+kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.0/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml
+kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.0/docs/content/reference/dynamic-configuration/kubernetes-crd-rbac.yml
+kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.0/docs/content/user-guides/crd-acme/02-services.yml
+kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.0/docs/content/user-guides/crd-acme/03-deployments.yml
+kubectl port-forward --address 0.0.0.0 service/traefik 8000:8000 8080:8080 443:4443 -n default
+kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.0/docs/content/user-guides/crd-acme/04-ingressroutes.yml
+curl [-k] https://your.example.com/tls
+curl http://your.example.com:8000/notls
+
+```
\ No newline at end of file
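Review bot: `export K3S_TOKEN=${RANDOM}${RANDOM}${RANDOM}` in the header comment documents a weak cluster secret — each `$RANDOM` is at most 15 bits, so the token carries under 45 bits of entropy and is a decimal string of at most 15 digits, while the API server the token guards is published on every host interface by the `- 6443:6443` line that stays unchanged in the second hunk. Generate it from the kernel CSPRNG instead, `# export K3S_TOKEN=$(openssl rand -hex 32)`, and make the same change where the readme in this diff repeats the command. The comment could also say that the token is a join/bootstrap secret that should not be reused across clusters.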