switch to NAS for NC & nodeport to fix certs

master
Paul Walko 2020-11-05 19:10:26 -05:00
parent 5b2054ab8c
commit 10e26768b9
7 changed files with 157 additions and 257 deletions


@ -0,0 +1,4 @@
# helm create namespace cert-manager
# helm repo add jetstack https://charts.jetstack.io && helm repo update
# helm install cert-manager jetstack/cert-manager --namespace cert-manager --version v1.0.3 -f cert-manager.yml
installCRDs: true
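Review bot: The first comment line documents `helm create namespace cert-manager`, but `helm create` scaffolds a new chart directory and does not touch the cluster; the namespace is created with `kubectl create namespace cert-manager` (or `helm install --create-namespace`), the same way the haproxy values file in this commit uses `k create namespace haproxy`. Changing the line to `# kubectl create namespace cert-manager` keeps the install recipe runnable as written.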


@ -1,2 +0,0 @@
# cert-manager
kubectl apply --validate=false -f https://github.com/jetstack/cert-manager/releases/download/v1.0.3/cert-manager.yaml


@ -28,7 +28,7 @@ spec:
- name: SSH_DOMAIN - name: SSH_DOMAIN
value: "git.seaturtle.pw" value: "git.seaturtle.pw"
- name: SSH_PORT - name: SSH_PORT
value: "2223" value: "22"
- name: ROOT_URL - name: ROOT_URL
value: "https://git.seaturtle.pw/" value: "https://git.seaturtle.pw/"
- name: LFS_START - name: LFS_START
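Review bot: SSH_PORT is advertised to clients as 22, but the only SSH port this commit actually exposes is nodePort 30022 in the haproxy values (`tcpPorts` ssh entry), so the clone URLs Gitea generates only work if something upstream, presumably the NAS or router, forwards 22 to 30022, and that forward is not recorded anywhere visible in this commit. A comment next to the value, e.g. `# public port; reaches haproxy nodePort 30022 via an upstream port-forward`, would spare the next reader the hunt. If the Gitea container runs unprivileged, moving its sshd from 2223 to 22 also needs CAP_NET_BIND_SERVICE or a root listener, which is worth confirming against the image. The enclosing container spec starts before the hunk.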
@ -84,7 +84,7 @@ spec:
port: 3000 port: 3000
protocol: TCP protocol: TCP
- name: ssh - name: ssh
port: 2223 port: 22
protocol: TCP protocol: TCP
--- ---


@ -0,0 +1,11 @@
---
apiVersion: v1
kind: ConfigMap
metadata:
name: tcpservices
namespace: haproxy
data:
22:
pew/gitea:22
25565:
pew/minecraft:25565
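Review bot: The ConfigMap keys `22:` and `25565:` are plain integers in YAML while ConfigMap.data requires string keys; kubectl accepts them only because its YAML-to-JSON conversion stringifies integer keys, and other tooling that loads this file may not. Quoting them, `"22": pew/gitea:22` and `"25565": pew/minecraft:25565`, makes the intent explicit and removes that dependency. The backends point at the `pew` namespace while this ConfigMap lives in `haproxy`, which is consistent with `--configmap-tcp-services=haproxy/tcpservices` in the values file.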


@ -1,252 +1,32 @@
--- # k create namespace haproxy
apiVersion: v1 # Create tcp services configmap:
kind: Namespace # k apply -f haproxy-tcp.yml
metadata: # helm repo add haproxytech https://haproxytech.github.io/helm-charts && helm repo update
name: pew # helm install haproxy haproxytech/kubernetes-ingress --namespace haproxy -f haproxy.yml
controller:
--- replicaCount: 1
apiVersion: v1 extraArgs:
kind: ServiceAccount - --configmap-tcp-services=haproxy/tcpservices
metadata: service:
name: haproxy-ingress-service-account type: NodePort
namespace: pew nodePorts:
http: 30080
--- https: 30443
kind: ClusterRole enablePorts:
apiVersion: rbac.authorization.k8s.io/v1 http: true
metadata: https: true
name: haproxy-ingress-cluster-role stat: true
rules: ssh: true
- apiGroups: minecraft: true
- "" tcpPorts:
resources:
- configmaps
- endpoints
- nodes
- pods
- services
- namespaces
- events
- serviceaccounts
verbs:
- get
- list
- watch
- apiGroups:
- "extensions"
resources:
- ingresses
- ingresses/status
verbs:
- get
- list
- watch
- update
- apiGroups:
- ""
resources:
- secrets
verbs:
- get
- list
- watch
- create
- patch
- update
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: haproxy-ingress-cluster-role-binding
namespace: pew
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: haproxy-ingress-cluster-role
subjects:
- kind: ServiceAccount
name: haproxy-ingress-service-account
namespace: pew
---
apiVersion: v1
kind: ConfigMap
metadata:
name: haproxy
namespace: pew
data:
---
apiVersion: v1
kind: ConfigMap
metadata:
name: tcpservices
namespace: pew
data:
2223:
pew/gitea:2223
25565:
pew/minecraft:25565
---
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
run: haproxy-ingress
name: haproxy-ingress
namespace: pew
spec:
replicas: 1
selector:
matchLabels:
run: haproxy-ingress
template:
metadata:
labels:
run: haproxy-ingress
spec:
serviceAccountName: haproxy-ingress-service-account
containers:
- name: haproxy-ingress
image: haproxytech/kubernetes-ingress:1.4.9
args:
- --configmap=pew/haproxy
- --configmap-tcp-services=pew/tcpservices
ports:
- name: http
containerPort: 80
- name: https
containerPort: 443
- name: ssh - name: ssh
containerPort: 2223 port: 22
- name: minecraft targetPort: 22
containerPort: 25565 nodePort: 30022
---
apiVersion: v1
kind: Service
metadata:
labels:
run: haproxy-ingress
name: haproxy-ingress
namespace: pew
spec:
selector:
run: haproxy-ingress
ports:
- name: http
port: 80
protocol: TCP
- name: https
port: 443
protocol: TCP
- name: ssh
port: 2223
protocol: TCP
- name: minecraft - name: minecraft
port: 25565 port: 25565
protocol: TCP targetPort: 25565
externalIPs: nodePort: 30565
- 10.42.0.203
--- defaultBackend:
apiVersion: networking.k8s.io/v1 replicaCount: 1
kind: Ingress
metadata:
annotations:
# set to false if doing letsencrypt validation
ingress.kubernetes.io/ssl-redirect: "true"
cert-manager.io/cluster-issuer: letsencrypt-prod
name: haproxy-ingress
namespace: pew
spec:
rules:
- host: seaturtle.pw
http:
paths:
- path: /
pathType: "Exact"
backend:
service:
name: nginx
port:
number: 80
- path: /files
pathType: "Exact"
backend:
service:
name: nginx
port:
number: 80
- path: /grafana
pathType: "Exact"
backend:
service:
name: grafana
port:
number: 3000
- host: airsonic.seaturtle.pw
http:
paths:
- path: /
pathType: "Exact"
backend:
service:
name: airsonic
port:
number: 4040
- host: git.seaturtle.pw
http:
paths:
- path: /
pathType: "Exact"
backend:
service:
name: gitea
port:
number: 3000
- host: nc.seaturtle.pw
http:
paths:
- path: /
pathType: "Exact"
backend:
service:
name: nextcloud
port:
number: 80
- host: plex.seaturtle.pw
http:
paths:
- path: /
pathType: "Exact"
backend:
service:
name: plex
port:
number: 32400
tls:
- secretName: pew-cert
hosts:
- seaturtle.pw
- airsonic.seaturtle.pw
- git.seaturtle.pw
- plex.seaturtle.pw
---
apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
name: letsencrypt-prod
spec:
acme:
email: paulsw.pw@gmail.com
server: https://acme-v02.api.letsencrypt.org/directory
privateKeySecretRef:
name: pew-account-key
# Add a ACME HTTP01 challenge solver
solvers:
- http01:
ingress: {}
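Review bot: The `pew` Namespace object the old manifest created at the top of this file is dropped and nothing in the commit recreates it: the new header comments only create `haproxy`, while ingress.yml and the tcpservices map still target `pew`. Unless the namespace is created elsewhere (not visible here), a fresh install fails at the ingress apply; adding `# k create namespace pew` to the header, or keeping the Namespace manifest in ingress.yml, closes the gap. Separately, `stat: true` under `enablePorts` — if the chart exposes the stats listener on the NodePort service, HAProxy's stats page becomes reachable on every node address; set it to `false` unless it is deliberately consumed, or restrict who can reach it.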

107
fogcutter/k8s/ingress.yml Normal file

@ -0,0 +1,107 @@
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
annotations:
# set to false if doing letsencrypt validation
ingress.kubernetes.io/ssl-redirect: "true"
cert-manager.io/cluster-issuer: letsencrypt-prod
name: haproxy-ingress
namespace: pew
spec:
rules:
- host: seaturtle.pw
http:
paths:
- path: /
pathType: "Exact"
backend:
service:
name: nginx
port:
number: 80
- path: /files
pathType: "Exact"
backend:
service:
name: nginx
port:
number: 80
- host: airsonic.seaturtle.pw
http:
paths:
- path: /
pathType: "Exact"
backend:
service:
name: airsonic
port:
number: 4040
- host: git.seaturtle.pw
http:
paths:
- path: /
pathType: "Exact"
backend:
service:
name: gitea
port:
number: 3000
- host: nc.seaturtle.pw
http:
paths:
- path: /
pathType: "Exact"
backend:
service:
name: nextcloud
port:
number: 80
- host: plex.seaturtle.pw
http:
paths:
- path: /
pathType: "Exact"
backend:
service:
name: plex
port:
number: 32400
tls:
- secretName: pew-cert
hosts:
- seaturtle.pw
- airsonic.seaturtle.pw
- git.seaturtle.pw
- nc.seaturtle.pw
- plex.seaturtle.pw
---
apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
name: letsencrypt-staging
spec:
acme:
email: paulsw.pw@gmail.com
server: https://acme-staging-v02.api.letsencrypt.org/directory
privateKeySecretRef:
name: pew-account-key
solvers:
- http01:
ingress: {}
---
apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
name: letsencrypt-prod
spec:
acme:
email: paulsw.pw@gmail.com
server: https://acme-v02.api.letsencrypt.org/directory
privateKeySecretRef:
name: pew-account-key
solvers:
- http01:
ingress: {}
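Review bot: Every rule uses `pathType: "Exact"`, including `path: /`; under networking.k8s.io/v1 semantics Exact matches only the literal path, so `/` would not route `/index.php` or anything below it and `/files` would not route `/files/anything`. If the controller honours pathType (haproxytech 1.4.x may still treat it loosely, so confirm), `pathType: Prefix` is the intent on these paths. The `/grafana` path from the old haproxy.yml is gone from the new rules, which may be deliberate but is not mentioned in the commit message. Both ClusterIssuers share `privateKeySecretRef.name: pew-account-key`; the cert-manager examples use a distinct account-key secret per issuer (e.g. `pew-account-key-staging`), since staging and prod are separate ACME accounts.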


@ -48,7 +48,7 @@ spec:
volumes: volumes:
- name: nextcloud-data - name: nextcloud-data
hostPath: hostPath:
path: /opt/NEXTCLOUD-K8S/data path: /bigdata/k8s-config/nextcloud/data
--- ---
apiVersion: v1 apiVersion: v1
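Review bot: Both hostPath volumes (this hunk and the mariadb one in the next hunk) now point under `/bigdata/k8s-config/nextcloud` with no `type:` set; with the default empty type no check is performed before mounting, and on most runtimes a missing path is simply created, so if the NAS mount is absent on the node when the pod starts, Nextcloud and MariaDB silently initialise into an empty directory on the node's root filesystem instead of failing. Adding `type: Directory` under each `hostPath:` makes the pod refuse to start until the path exists, which is the safer failure for persistent data. The enclosing Deployment spec starts before the hunk.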
@ -106,7 +106,7 @@ spec:
volumes: volumes:
- name: nextcloud-mariadb - name: nextcloud-mariadb
hostPath: hostPath:
path: /opt/NEXTCLOUD-K8S/mariadb path: /bigdata/k8s-config/nextcloud/mariadb
--- ---
apiVersion: v1 apiVersion: v1