Refactor Kubernetes configuration to use Traefik for dashboard routing
@@ -0,0 +1,74 @@
|
|||||||
|
apiVersion: v1
|
||||||
|
kind: ServiceAccount
|
||||||
|
metadata:
|
||||||
|
namespace: default
|
||||||
|
name: traefik-ingress-controller
|
||||||
|
|
||||||
|
---
|
||||||
|
kind: Deployment
|
||||||
|
apiVersion: apps/v1
|
||||||
|
metadata:
|
||||||
|
namespace: default
|
||||||
|
name: traefik
|
||||||
|
labels:
|
||||||
|
app: traefik
|
||||||
|
|
||||||
|
spec:
|
||||||
|
replicas: 1
|
||||||
|
selector:
|
||||||
|
matchLabels:
|
||||||
|
app: traefik
|
||||||
|
template:
|
||||||
|
metadata:
|
||||||
|
labels:
|
||||||
|
app: traefik
|
||||||
|
spec:
|
||||||
|
serviceAccountName: traefik-ingress-controller
|
||||||
|
containers:
|
||||||
|
- name: traefik
|
||||||
|
image: traefik:v3.0
|
||||||
|
args:
|
||||||
|
- --api.insecure
|
||||||
|
- --accesslog
|
||||||
|
- --entryPoints.web.Address=:8000
|
||||||
|
- --entryPoints.websecure.Address=:4443
|
||||||
|
- --providers.kubernetescrd
|
||||||
|
- --certificatesresolvers.myresolver.acme.tlschallenge
|
||||||
|
- --certificatesresolvers.myresolver.acme.email=furyx@hotmail.com
|
||||||
|
- --certificatesresolvers.myresolver.acme.storage=acme.json
|
||||||
|
# Please note that this is the staging Let's Encrypt server.
|
||||||
|
# Once you get things working, you should remove that whole line altogether.
|
||||||
|
- --certificatesresolvers.myresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory
|
||||||
|
ports:
|
||||||
|
- name: web
|
||||||
|
containerPort: 8000
|
||||||
|
- name: websecure
|
||||||
|
containerPort: 4443
|
||||||
|
- name: admin
|
||||||
|
containerPort: 8080
|
||||||
|
|
||||||
|
---
|
||||||
|
kind: Deployment
|
||||||
|
apiVersion: apps/v1
|
||||||
|
metadata:
|
||||||
|
namespace: default
|
||||||
|
name: whoami
|
||||||
|
labels:
|
||||||
|
app: whoami
|
||||||
|
|
||||||
|
spec:
|
||||||
|
replicas: 2
|
||||||
|
selector:
|
||||||
|
matchLabels:
|
||||||
|
app: whoami
|
||||||
|
template:
|
||||||
|
metadata:
|
||||||
|
labels:
|
||||||
|
app: whoami
|
||||||
|
spec:
|
||||||
|
containers:
|
||||||
|
- name: whoami
|
||||||
|
image: traefik/whoami
|
||||||
|
ports:
|
||||||
|
- name: web
|
||||||
|
containerPort: 80
|
||||||
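Review bot: The `--api.insecure` argument on the traefik container serves the dashboard and API without authentication on the `admin` port 8080, and the README's `kubectl port-forward --address 0.0.0.0 ... 8080:8080` then publishes that port on every interface of the host. I would replace the flag with `--api` and expose the dashboard through an IngressRoute to `api@internal` behind a `basicAuth` middleware, or at minimum bind the port-forward to `127.0.0.1`. Separately, `acme.storage=acme.json` has no volume behind it in this Deployment, so the ACME account key and any issued certificates are lost on every pod restart; a mounted volume with `--certificatesresolvers.myresolver.acme.storage=/data/acme.json` would keep them. The `traefik/whoami` image is also untagged, so pinning a tag or digest would make the deployment reproducible.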
@@ -0,0 +1,32 @@
|
|||||||
|
apiVersion: traefik.io/v1alpha1
|
||||||
|
kind: IngressRoute
|
||||||
|
metadata:
|
||||||
|
name: simpleingressroute
|
||||||
|
namespace: default
|
||||||
|
spec:
|
||||||
|
entryPoints:
|
||||||
|
- web
|
||||||
|
routes:
|
||||||
|
- match: Host(`mac`) && PathPrefix(`/notls`)
|
||||||
|
kind: Rule
|
||||||
|
services:
|
||||||
|
- name: whoami
|
||||||
|
port: 80
|
||||||
|
|
||||||
|
---
|
||||||
|
apiVersion: traefik.io/v1alpha1
|
||||||
|
kind: IngressRoute
|
||||||
|
metadata:
|
||||||
|
name: ingressroutetls
|
||||||
|
namespace: default
|
||||||
|
spec:
|
||||||
|
entryPoints:
|
||||||
|
- websecure
|
||||||
|
routes:
|
||||||
|
- match: Host(`mac`) && PathPrefix(`/tls`)
|
||||||
|
kind: Rule
|
||||||
|
services:
|
||||||
|
- name: whoami
|
||||||
|
port: 80
|
||||||
|
tls:
|
||||||
|
certResolver: myresolver
|
||||||
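Review bot: The `ingressroutetls` route requests a certificate from `myresolver` for the host `mac`, but an ACME CA only issues for publicly resolvable domain names, so issuance for this bare hostname will presumably fail and Traefik would fall back to its default self-signed certificate. Combined with `sniStrict: true` in the `default` TLSOption added by this commit, that likely means the `/tls` route rejects the handshake rather than serving the fallback certificate. For local use I would drop `certResolver` and reference a locally issued certificate via `secretName` under `tls`, or put a real FQDN in the match. A comment above the rule such as `# 'mac' is a local hostname; ACME needs a public FQDN` would make the limitation visible.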
@@ -0,0 +1,17 @@
|
|||||||
|
---
|
||||||
|
apiVersion: traefik.io/v1alpha1
|
||||||
|
kind: TLSOption
|
||||||
|
metadata:
|
||||||
|
name: default
|
||||||
|
namespace: default
|
||||||
|
spec:
|
||||||
|
minVersion: VersionTLS12
|
||||||
|
cipherSuites:
|
||||||
|
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 # TLS 1.2
|
||||||
|
- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 # TLS 1.2
|
||||||
|
- TLS_AES_256_GCM_SHA384 # TLS 1.3
|
||||||
|
- TLS_CHACHA20_POLY1305_SHA256 # TLS 1.3
|
||||||
|
curvePreferences:
|
||||||
|
- CurveP521
|
||||||
|
- CurveP384
|
||||||
|
sniStrict: true
|
||||||
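Review bot: The two `cipherSuites` entries commented `# TLS 1.3` have no effect, since Traefik documents TLS 1.3 suites as not configurable, so only the two `ECDHE_RSA` lines constrain negotiation. That restricts TLS 1.2 clients to certificates with an RSA key, and `curvePreferences` omits X25519 and P-256, which may lock out clients that offer only those curves. Because the resource is named `default`, these settings apply to every TLS router that does not set its own `tls.options`, which is worth stating in the file: `# default TLSOption: applies to all TLS routers; TLS 1.2 requires an RSA certificate`. I would also remove the two TLS 1.3 lines so the list reflects what is actually enforced.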
@@ -1,7 +1,7 @@
|
|||||||
apiVersion: v1
|
apiVersion: v1
|
||||||
clusters:
|
clusters:
|
||||||
- cluster:
|
- cluster:
|
||||||
certificate-authority-data: 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
|
certificate-authority-data: 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
|
||||||
server: https://127.0.0.1:6443
|
server: https://127.0.0.1:6443
|
||||||
name: default
|
name: default
|
||||||
contexts:
|
contexts:
|
||||||
@@ -15,5 +15,5 @@ preferences: {}
|
|||||||
users:
|
users:
|
||||||
- name: default
|
- name: default
|
||||||
user:
|
user:
|
||||||
client-certificate-data: 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
|
client-certificate-data: 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
|
||||||
client-key-data: LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tCk1IY0NBUUVFSU55ZFM4ckZGYTR5L1pXKzNkL3R4cmZXbnNuakVLSnBZdGFSeFA0d0p3NlFvQW9HQ0NxR1NNNDkKQXdFSG9VUURRZ0FFcE1wOWxEeEwvYUxqenZSUUZ5dG9xTWZ2K0dvK3lVMTVoeXZ1eHhIUE14ZGJNZXVBRDk4OApUUkU0eld3WkdSWElySnJ1WEUrSDR5Vk42aGhNMHpzWlVBPT0KLS0tLS1FTkQgRUMgUFJJVkFURSBLRVktLS0tLQo=
|
client-key-data: LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tCk1IY0NBUUVFSUg5bzdENmFQNUZ0bXVxd3FDdlJaTlJDRWtHV2UxYXcyNUhTMTFNZ2RzN09vQW9HQ0NxR1NNNDkKQXdFSG9VUURRZ0FFUmx4bExpcTNOcDVvZEN2dkViUWl1L0RydFBvelBDS1M4TVVwdXJJb0Z6RjVHMmZneGRZcQpmdjdFaGZ0VGNRbVlOYjI0WUlINk14dEtKalBZemRyVjB3PT0KLS0tLS1FTkQgRUMgUFJJVkFURSBLRVktLS0tLQo=
|
||||||
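Review bot: `client-key-data` holds a base64-encoded EC private key (the value starts with the encoding of a `BEGIN EC PRIVATE KEY` block), so this commit stores a cluster client credential in version control, and the key it replaces stays readable in history. The `server` entry is `https://127.0.0.1:6443`, which limits use of the credential to hosts that can reach this k3s instance, but the compose file publishes `6443:6443` on all interfaces, so that is wider than the loopback address suggests. I would keep the kubeconfig out of the repository with an ignore rule for `<kubeconfig path>` and let k3s write it at startup. Both keys shown here should be treated as disclosed, and the cluster credentials recreated.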
|
|||||||
+4
-3
@@ -1,5 +1,6 @@
|
|||||||
# to run define K3S_TOKEN, K3S_VERSION is optional, eg:
|
# to run define K3S_TOKEN, K3S_VERSION is optional, eg:
|
||||||
# K3S_TOKEN=${RANDOM}${RANDOM}${RANDOM} docker compose -f k3s.yml up -d
|
# export K3S_TOKEN=${RANDOM}${RANDOM}${RANDOM}
|
||||||
|
# docker compose -f k3s.yml up -d
|
||||||
services:
|
services:
|
||||||
server:
|
server:
|
||||||
image: "rancher/k3s:${K3S_VERSION:-latest}"
|
image: "rancher/k3s:${K3S_VERSION:-latest}"
|
||||||
@@ -28,8 +29,8 @@ services:
|
|||||||
- k3s-server:/var/lib/rancher/k3s
|
- k3s-server:/var/lib/rancher/k3s
|
||||||
ports:
|
ports:
|
||||||
- 6443:6443
|
- 6443:6443
|
||||||
- 80:80 # Ingress controller port 80
|
# - 80:80 # Ingress controller port 80
|
||||||
- 443:443 # Ingress controller port 443
|
# - 443:443 # Ingress controller port 443
|
||||||
|
|
||||||
node:
|
node:
|
||||||
image: "rancher/k3s:${K3S_VERSION:-latest}"
|
image: "rancher/k3s:${K3S_VERSION:-latest}"
|
||||||
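Review bot: The header comment's `export K3S_TOKEN=${RANDOM}${RANDOM}${RANDOM}` produces a weak cluster join secret: each `$RANDOM` is a 15-bit value from a non-cryptographic generator, so the token carries at most about 45 bits and consists of decimal digits only. The same line is repeated in the README's bash block added by this commit. I would change both to `export K3S_TOKEN=$(openssl rand -hex 32)`. Since `6443:6443` remains published on every host interface while the kubeconfig points at 127.0.0.1, `"127.0.0.1:6443:6443"` would keep the API server, and with it the join token's attack surface, off the network.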
|
|||||||
@@ -0,0 +1,15 @@
|
|||||||
|
# cli
|
||||||
|
|
||||||
|
```bash
|
||||||
|
export K3S_TOKEN=${RANDOM}${RANDOM}${RANDOM}
|
||||||
|
docker compose -f k3s.yml up -d
|
||||||
|
kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.0/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml
|
||||||
|
kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.0/docs/content/reference/dynamic-configuration/kubernetes-crd-rbac.yml
|
||||||
|
kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.0/docs/content/user-guides/crd-acme/02-services.yml
|
||||||
|
kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.0/docs/content/user-guides/crd-acme/03-deployments.yml
|
||||||
|
kubectl port-forward --address 0.0.0.0 service/traefik 8000:8000 8080:8080 443:4443 -n default
|
||||||
|
kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.0/docs/content/user-guides/crd-acme/04-ingressroutes.yml
|
||||||
|
curl [-k] https://your.example.com/tls
|
||||||
|
curl http://your.example.com:8000/notls
|
||||||
|
|
||||||
|
```
|
||||||