switch to NAS for NC & nodeport to fix certs

master
Paul Walko 2020-11-05 19:10:26 -05:00
parent 5b2054ab8c
commit 10e26768b9
7 changed files with 157 additions and 257 deletions

View File

@ -0,0 +1,4 @@
# helm create namespace cert-manager
# helm repo add jetstack https://charts.jetstack.io && helm repo update
# helm install cert-manager jetstack/cert-manager --namespace cert-manager --version v1.0.3 -f cert-manager.yml
installCRDs: true

View File

@ -1,2 +0,0 @@
# cert-manager
kubectl apply --validate=false -f https://github.com/jetstack/cert-manager/releases/download/v1.0.3/cert-manager.yaml

View File

@ -28,7 +28,7 @@ spec:
- name: SSH_DOMAIN
value: "git.seaturtle.pw"
- name: SSH_PORT
value: "2223"
value: "22"
- name: ROOT_URL
value: "https://git.seaturtle.pw/"
- name: LFS_START
@ -84,7 +84,7 @@ spec:
port: 3000
protocol: TCP
- name: ssh
port: 2223
port: 22
protocol: TCP
---

View File

@ -0,0 +1,11 @@
---
apiVersion: v1
kind: ConfigMap
metadata:
name: tcpservices
namespace: haproxy
data:
22:
pew/gitea:22
25565:
pew/minecraft:25565

View File

@ -1,252 +1,32 @@
---
apiVersion: v1
kind: Namespace
metadata:
name: pew
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: haproxy-ingress-service-account
namespace: pew
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: haproxy-ingress-cluster-role
rules:
- apiGroups:
- ""
resources:
- configmaps
- endpoints
- nodes
- pods
- services
- namespaces
- events
- serviceaccounts
verbs:
- get
- list
- watch
- apiGroups:
- "extensions"
resources:
- ingresses
- ingresses/status
verbs:
- get
- list
- watch
- update
- apiGroups:
- ""
resources:
- secrets
verbs:
- get
- list
- watch
- create
- patch
- update
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: haproxy-ingress-cluster-role-binding
namespace: pew
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: haproxy-ingress-cluster-role
subjects:
- kind: ServiceAccount
name: haproxy-ingress-service-account
namespace: pew
---
apiVersion: v1
kind: ConfigMap
metadata:
name: haproxy
namespace: pew
data:
---
apiVersion: v1
kind: ConfigMap
metadata:
name: tcpservices
namespace: pew
data:
2223:
pew/gitea:2223
25565:
pew/minecraft:25565
---
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
run: haproxy-ingress
name: haproxy-ingress
namespace: pew
spec:
replicas: 1
selector:
matchLabels:
run: haproxy-ingress
template:
metadata:
labels:
run: haproxy-ingress
spec:
serviceAccountName: haproxy-ingress-service-account
containers:
- name: haproxy-ingress
image: haproxytech/kubernetes-ingress:1.4.9
args:
- --configmap=pew/haproxy
- --configmap-tcp-services=pew/tcpservices
ports:
- name: http
containerPort: 80
- name: https
containerPort: 443
# k create namespace haproxy
# Create tcp services configmap:
# k apply -f haproxy-tcp.yml
# helm repo add haproxytech https://haproxytech.github.io/helm-charts && helm repo update
# helm install haproxy haproxytech/kubernetes-ingress --namespace haproxy -f haproxy.yml
controller:
replicaCount: 1
extraArgs:
- --configmap-tcp-services=haproxy/tcpservices
service:
type: NodePort
nodePorts:
http: 30080
https: 30443
enablePorts:
http: true
https: true
stat: true
ssh: true
minecraft: true
tcpPorts:
- name: ssh
containerPort: 2223
- name: minecraft
containerPort: 25565
---
apiVersion: v1
kind: Service
metadata:
labels:
run: haproxy-ingress
name: haproxy-ingress
namespace: pew
spec:
selector:
run: haproxy-ingress
ports:
- name: http
port: 80
protocol: TCP
- name: https
port: 443
protocol: TCP
- name: ssh
port: 2223
protocol: TCP
port: 22
targetPort: 22
nodePort: 30022
- name: minecraft
port: 25565
protocol: TCP
externalIPs:
- 10.42.0.203
targetPort: 25565
nodePort: 30565
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
annotations:
# set to false if doing letsencrypt validation
ingress.kubernetes.io/ssl-redirect: "true"
cert-manager.io/cluster-issuer: letsencrypt-prod
name: haproxy-ingress
namespace: pew
spec:
rules:
- host: seaturtle.pw
http:
paths:
- path: /
pathType: "Exact"
backend:
service:
name: nginx
port:
number: 80
- path: /files
pathType: "Exact"
backend:
service:
name: nginx
port:
number: 80
- path: /grafana
pathType: "Exact"
backend:
service:
name: grafana
port:
number: 3000
- host: airsonic.seaturtle.pw
http:
paths:
- path: /
pathType: "Exact"
backend:
service:
name: airsonic
port:
number: 4040
- host: git.seaturtle.pw
http:
paths:
- path: /
pathType: "Exact"
backend:
service:
name: gitea
port:
number: 3000
- host: nc.seaturtle.pw
http:
paths:
- path: /
pathType: "Exact"
backend:
service:
name: nextcloud
port:
number: 80
- host: plex.seaturtle.pw
http:
paths:
- path: /
pathType: "Exact"
backend:
service:
name: plex
port:
number: 32400
tls:
- secretName: pew-cert
hosts:
- seaturtle.pw
- airsonic.seaturtle.pw
- git.seaturtle.pw
- plex.seaturtle.pw
---
apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
name: letsencrypt-prod
spec:
acme:
email: paulsw.pw@gmail.com
server: https://acme-v02.api.letsencrypt.org/directory
privateKeySecretRef:
name: pew-account-key
# Add a ACME HTTP01 challenge solver
solvers:
- http01:
ingress: {}
defaultBackend:
replicaCount: 1

107
fogcutter/k8s/ingress.yml Normal file
View File

@ -0,0 +1,107 @@
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
annotations:
# set to false if doing letsencrypt validation
ingress.kubernetes.io/ssl-redirect: "true"
cert-manager.io/cluster-issuer: letsencrypt-prod
name: haproxy-ingress
namespace: pew
spec:
rules:
- host: seaturtle.pw
http:
paths:
- path: /
pathType: "Exact"
backend:
service:
name: nginx
port:
number: 80
- path: /files
pathType: "Exact"
backend:
service:
name: nginx
port:
number: 80
- host: airsonic.seaturtle.pw
http:
paths:
- path: /
pathType: "Exact"
backend:
service:
name: airsonic
port:
number: 4040
- host: git.seaturtle.pw
http:
paths:
- path: /
pathType: "Exact"
backend:
service:
name: gitea
port:
number: 3000
- host: nc.seaturtle.pw
http:
paths:
- path: /
pathType: "Exact"
backend:
service:
name: nextcloud
port:
number: 80
- host: plex.seaturtle.pw
http:
paths:
- path: /
pathType: "Exact"
backend:
service:
name: plex
port:
number: 32400
tls:
- secretName: pew-cert
hosts:
- seaturtle.pw
- airsonic.seaturtle.pw
- git.seaturtle.pw
- nc.seaturtle.pw
- plex.seaturtle.pw
---
apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
name: letsencrypt-staging
spec:
acme:
email: paulsw.pw@gmail.com
server: https://acme-staging-v02.api.letsencrypt.org/directory
privateKeySecretRef:
name: pew-account-key
solvers:
- http01:
ingress: {}
---
apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
name: letsencrypt-prod
spec:
acme:
email: paulsw.pw@gmail.com
server: https://acme-v02.api.letsencrypt.org/directory
privateKeySecretRef:
name: pew-account-key
solvers:
- http01:
ingress: {}

View File

@ -48,7 +48,7 @@ spec:
volumes:
- name: nextcloud-data
hostPath:
path: /opt/NEXTCLOUD-K8S/data
path: /bigdata/k8s-config/nextcloud/data
---
apiVersion: v1
@ -106,7 +106,7 @@ spec:
volumes:
- name: nextcloud-mariadb
hostPath:
path: /opt/NEXTCLOUD-K8S/mariadb
path: /bigdata/k8s-config/nextcloud/mariadb
---
apiVersion: v1