From 10e26768b936b65758fe66639d6792743d8daf04 Mon Sep 17 00:00:00 2001
From: Paul Walko
Date: Thu, 5 Nov 2020 19:10:26 -0500
Subject: [PATCH] switch to NAS for NC & nodeport to fix certs
---
 fogcutter/k8s/cert-manager.yml | 4 +
 fogcutter/k8s/cloud.txt | 2 -
 fogcutter/k8s/gitea.yml | 4 +-
 fogcutter/k8s/haproxy-tcp.yml | 11 ++
 fogcutter/k8s/haproxy.yml | 282 ++++----------------------------
 fogcutter/k8s/ingress.yml | 107 +++++++++++++
 fogcutter/k8s/nextcloud.yml | 4 +-
 7 files changed, 157 insertions(+), 257 deletions(-)
 create mode 100644 fogcutter/k8s/cert-manager.yml
 delete mode 100644 fogcutter/k8s/cloud.txt
 create mode 100644 fogcutter/k8s/haproxy-tcp.yml
 create mode 100644 fogcutter/k8s/ingress.yml
diff --git a/fogcutter/k8s/cert-manager.yml b/fogcutter/k8s/cert-manager.yml
new file mode 100644
index 0000000..9005678
--- /dev/null
+++ b/fogcutter/k8s/cert-manager.yml
@@ -0,0 +1,4 @@
+# helm create namespace cert-manager
+# helm repo add jetstack https://charts.jetstack.io && helm repo update
+# helm install cert-manager jetstack/cert-manager --namespace cert-manager --version v1.0.3 -f cert-manager.yml
+installCRDs: true
diff --git a/fogcutter/k8s/cloud.txt b/fogcutter/k8s/cloud.txt
deleted file mode 100644
index 60e2d71..0000000
--- a/fogcutter/k8s/cloud.txt
+++ /dev/null
@@ -1,2 +0,0 @@
-# cert-manager
-kubectl apply --validate=false -f https://github.com/jetstack/cert-manager/releases/download/v1.0.3/cert-manager.yaml
diff --git a/fogcutter/k8s/gitea.yml b/fogcutter/k8s/gitea.yml
index d7bd044..70bea2a 100644
--- a/fogcutter/k8s/gitea.yml
+++ b/fogcutter/k8s/gitea.yml
@@ -28,7 +28,7 @@ spec:
 - name: SSH_DOMAIN
 value: "git.seaturtle.pw"
 - name: SSH_PORT
- value: "2223"
+ value: "22"
 - name: ROOT_URL
 value: "https://git.seaturtle.pw/"
 - name: LFS_START
@@ -84,7 +84,7 @@ spec:
 port: 3000
 protocol: TCP
 - name: ssh
- port: 2223
+ port: 22
 protocol: TCP
 ---
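Review bot: The first install comment in the new cert-manager.yml, `# helm create namespace cert-manager`, names a subcommand helm does not have; namespaces are created with kubectl, so the line should read `# kubectl create namespace cert-manager`. It would also help the next operator to note next to `installCRDs: true` that the CRDs are then owned by the release, e.g. `# installCRDs: true — helm uninstall removes the CRDs and every Certificate/Issuer with them; back up first`. Pinning `--version v1.0.3` on the install line is good and should be kept.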
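Review bot: The changed ssh Service port `port: 22` has no `targetPort`, so it now falls back to 22 and the gitea container must actually listen there; the Deployment's `containerPort` for ssh is outside this hunk and, if it still says 2223, should be changed in the same commit. The `SSH_PORT: "22"` change in the first hunk may only set the port advertised in clone URLs rather than the listen port, depending on the image — confirm the container's listen port follows it. The enclosing Service definition starts and ends outside the hunk.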
diff --git a/fogcutter/k8s/haproxy-tcp.yml b/fogcutter/k8s/haproxy-tcp.yml
new file mode 100644
index 0000000..fe11252
--- /dev/null
+++ b/fogcutter/k8s/haproxy-tcp.yml
@@ -0,0 +1,11 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: tcpservices
+ namespace: haproxy
+data:
+ 22:
+ pew/gitea:22
+ 25565:
+ pew/minecraft:25565
diff --git a/fogcutter/k8s/haproxy.yml b/fogcutter/k8s/haproxy.yml
index 5faacd3..d52c109 100644
--- a/fogcutter/k8s/haproxy.yml
+++ b/fogcutter/k8s/haproxy.yml
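Review bot: The ConfigMap data keys `22:` and `25565:` are unquoted and therefore parse as integers, whereas ConfigMap `data` keys must be strings; kubectl's YAML-to-JSON conversion happens to stringify them, but yamllint, kustomize or a strict loader may not, so quote them: `"22": pew/gitea:22` and `"25565": pew/minecraft:25565`. A one-line comment above `data:` saying that each key is the controller-side listen port and the value is `namespace/service:port`, and that these ports must match the `tcpPorts` entries in haproxy.yml (nodePorts 30022 and 30565 in this commit), would keep the two files from drifting apart.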
@@ -1,252 +1,32 @@ ---- -apiVersion: v1 -kind: Namespace -metadata: - name: pew +# k create namespace haproxy +# Create tcp services configmap: +# k apply -f haproxy-tcp.yml +# helm repo add haproxytech https://haproxytech.github.io/helm-charts && helm repo update +# helm install haproxy haproxytech/kubernetes-ingress --namespace haproxy -f haproxy.yml +controller: + replicaCount: 1 + extraArgs: + - --configmap-tcp-services=haproxy/tcpservices + service: + type: NodePort + nodePorts: + http: 30080 + https: 30443 + enablePorts: + http: true + https: true + stat: true + ssh: true + minecraft: true + tcpPorts: + - name: ssh + port: 22 + targetPort: 22 + nodePort: 30022 + - name: minecraft + port: 25565 + targetPort: 25565 + nodePort: 30565 ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: haproxy-ingress-service-account - namespace: pew - ---- -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: haproxy-ingress-cluster-role -rules: - - apiGroups: - - "" - resources: - - configmaps - - endpoints - - nodes - - pods - - services - - namespaces - - events - - serviceaccounts - verbs: - - get - - list - - watch - - apiGroups: - - "extensions" - resources: - - ingresses - - ingresses/status - verbs: - - get - - list - - watch - - update - - apiGroups: - - "" - resources: - - secrets - verbs: - - get - - list - - watch - - create - - patch - - update - ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: haproxy-ingress-cluster-role-binding - namespace: pew -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: haproxy-ingress-cluster-role -subjects: -- kind: ServiceAccount - name: haproxy-ingress-service-account - namespace: pew - ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: haproxy - namespace: pew -data: - ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: tcpservices - namespace: pew -data: - 2223: - pew/gitea:2223 - 25565: - pew/minecraft:25565 - ---- 
-apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - run: haproxy-ingress - name: haproxy-ingress - namespace: pew -spec: - replicas: 1 - selector: - matchLabels: - run: haproxy-ingress - template: - metadata: - labels: - run: haproxy-ingress - spec: - serviceAccountName: haproxy-ingress-service-account - containers: - - name: haproxy-ingress - image: haproxytech/kubernetes-ingress:1.4.9 - args: - - --configmap=pew/haproxy - - --configmap-tcp-services=pew/tcpservices - ports: - - name: http - containerPort: 80 - - name: https - containerPort: 443 - - name: ssh - containerPort: 2223 - - name: minecraft - containerPort: 25565 - ---- -apiVersion: v1 -kind: Service -metadata: - labels: - run: haproxy-ingress - name: haproxy-ingress - namespace: pew -spec: - selector: - run: haproxy-ingress - ports: - - name: http - port: 80 - protocol: TCP - - name: https - port: 443 - protocol: TCP - - name: ssh - port: 2223 - protocol: TCP - - name: minecraft - port: 25565 - protocol: TCP - externalIPs: - - 10.42.0.203 - ---- -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - annotations: - # set to false if doing letsencrypt validation - ingress.kubernetes.io/ssl-redirect: "true" - cert-manager.io/cluster-issuer: letsencrypt-prod - name: haproxy-ingress - namespace: pew -spec: - rules: - - host: seaturtle.pw - http: - paths: - - path: / - pathType: "Exact" - backend: - service: - name: nginx - port: - number: 80 - - path: /files - pathType: "Exact" - backend: - service: - name: nginx - port: - number: 80 - - path: /grafana - pathType: "Exact" - backend: - service: - name: grafana - port: - number: 3000 - - host: airsonic.seaturtle.pw - http: - paths: - - path: / - pathType: "Exact" - backend: - service: - name: airsonic - port: - number: 4040 - - host: git.seaturtle.pw - http: - paths: - - path: / - pathType: "Exact" - backend: - service: - name: gitea - port: - number: 3000 - - host: nc.seaturtle.pw - http: - paths: - - path: / - pathType: "Exact" - backend: - 
service: - name: nextcloud - port: - number: 80 - - host: plex.seaturtle.pw - http: - paths: - - path: / - pathType: "Exact" - backend: - service: - name: plex - port: - number: 32400 - tls: - - secretName: pew-cert - hosts: - - seaturtle.pw - - airsonic.seaturtle.pw - - git.seaturtle.pw - - plex.seaturtle.pw - ---- -apiVersion: cert-manager.io/v1alpha2 -kind: ClusterIssuer -metadata: - name: letsencrypt-prod -spec: - acme: - email: paulsw.pw@gmail.com - server: https://acme-v02.api.letsencrypt.org/directory - privateKeySecretRef: - name: pew-account-key - # Add a ACME HTTP01 challenge solver - solvers: - - http01: - ingress: {} +defaultBackend: + replicaCount: 1 diff --git a/fogcutter/k8s/ingress.yml b/fogcutter/k8s/ingress.yml new file mode 100644 index 0000000..28141ac --- /dev/null +++ b/fogcutter/k8s/ingress.yml 
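Review bot: `stat: true` under `controller.service.enablePorts` publishes the HAProxy stats listener on the new NodePort Service alongside http/https, which the replaced Service did not expose (its ports were http, https, ssh and minecraft only); unless the stats page is needed from outside the node, set `stat: false`, since it reveals backend names and health to anyone who can reach the node port. The `ssh: true` and `minecraft: true` entries under enablePorts may be ignored if the chart only reads http/https/stat there — the `tcpPorts` list is what creates those Service ports — so confirm against the chart's values.yaml and drop them if unused. The install comment `helm install haproxy haproxytech/kubernetes-ingress --namespace haproxy -f haproxy.yml` carries no `--version`, unlike the cert-manager line, so a rerun installs whatever chart is latest; pin it, e.g. `--version <chart version>`.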
@@ -0,0 +1,107 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ annotations:
+ # set to false if doing letsencrypt validation
+ ingress.kubernetes.io/ssl-redirect: "true"
+ cert-manager.io/cluster-issuer: letsencrypt-prod
+ name: haproxy-ingress
+ namespace: pew
+spec:
+ rules:
+ - host: seaturtle.pw
+ http:
+ paths:
+ - path: /
+ pathType: "Exact"
+ backend:
+ service:
+ name: nginx
+ port:
+ number: 80
+ - path: /files
+ pathType: "Exact"
+ backend:
+ service:
+ name: nginx
+ port:
+ number: 80
+ - host: airsonic.seaturtle.pw
+ http:
+ paths:
+ - path: /
+ pathType: "Exact"
+ backend:
+ service:
+ name: airsonic
+ port:
+ number: 4040
+ - host: git.seaturtle.pw
+ http:
+ paths:
+ - path: /
+ pathType: "Exact"
+ backend:
+ service:
+ name: gitea
+ port:
+ number: 3000
+ - host: nc.seaturtle.pw
+ http:
+ paths:
+ - path: /
+ pathType: "Exact"
+ backend:
+ service:
+ name: nextcloud
+ port:
+ number: 80
+ - host: plex.seaturtle.pw
+ http:
+ paths:
+ - path: /
+ pathType: "Exact"
+ backend:
+ service:
+ name: plex
+ port:
+ number: 32400
+ tls:
+ - secretName: pew-cert
+ hosts:
+ - seaturtle.pw
+ - airsonic.seaturtle.pw
+ - git.seaturtle.pw
+ - nc.seaturtle.pw
+ - plex.seaturtle.pw
+
+---
+apiVersion: cert-manager.io/v1alpha2
+kind: ClusterIssuer
+metadata:
+ name: letsencrypt-staging
+spec:
+ acme:
+ email: paulsw.pw@gmail.com
+ server: https://acme-staging-v02.api.letsencrypt.org/directory
+ privateKeySecretRef:
+ name: pew-account-key
+ solvers:
+ - http01:
+ ingress: {}
+
+---
+apiVersion: cert-manager.io/v1alpha2
+kind: ClusterIssuer
+metadata:
+ name: letsencrypt-prod
+spec:
+ acme:
+ email: paulsw.pw@gmail.com
+ server: https://acme-v02.api.letsencrypt.org/directory
+ privateKeySecretRef:
+ name: pew-account-key
+ solvers:
+ - http01:
+ ingress: {}
diff --git a/fogcutter/k8s/nextcloud.yml b/fogcutter/k8s/nextcloud.yml
index 3caeeef..2d3b2b2 100644
--- a/fogcutter/k8s/nextcloud.yml
+++ b/fogcutter/k8s/nextcloud.yml
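Review bot: Both ClusterIssuers point `privateKeySecretRef.name` at the same Secret, `pew-account-key`, so the staging and production ACME accounts would share one private key; cert-manager's own examples use a distinct secret per issuer, and sharing one means two registrations on different ACME servers contend for and reuse the same key material — give the staging issuer its own, e.g. `name: pew-account-key-staging`. The manifests use `cert-manager.io/v1alpha2`, while the chart pinned in cert-manager.yml (v1.0.3) already serves `cert-manager.io/v1`; switching now avoids a break when the alpha API is removed. Every `/` rule carries `pathType: "Exact"`, which under networking.k8s.io/v1 semantics matches only the literal path, so `Prefix` is usually what a root rule wants — though how this HAProxy ingress version honours pathType should be confirmed before changing it.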
@@ -48,7 +48,7 @@ spec:
 volumes:
 - name: nextcloud-data
 hostPath:
- path: /opt/NEXTCLOUD-K8S/data
+ path: /bigdata/k8s-config/nextcloud/data
 ---
 apiVersion: v1
@@ -106,7 +106,7 @@ spec:
 volumes:
 - name: nextcloud-mariadb
 hostPath:
- path: /opt/NEXTCLOUD-K8S/mariadb
+ path: /bigdata/k8s-config/nextcloud/mariadb
 ---
 apiVersion: v1
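Review bot: The hostPath now points into `/bigdata/k8s-config/nextcloud/data` with no `type:`, and with the default empty type no check is performed before mounting, so if the NAS mount is absent when the pod is scheduled the volume can come up as a newly created empty directory on local disk and Nextcloud initialises fresh; add `type: Directory` under `hostPath:` so the pod fails to start instead. The same applies to the mariadb volume in the second hunk (`@@ -106,7 +106,7 @@`), where a silent empty directory would mean a fresh database. Both Deployments start outside their hunks.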