This commit is contained in:
github-actions[bot] 2022-07-30 16:01:11 +00:00
Родитель dbe04d514f
Коммит ae7e3c0c3f
3 изменённых файлов: 345 добавлений и 0 удалений

Просмотреть файл

@ -0,0 +1,18 @@
apiVersion: aadpodidentity.k8s.io/v1
kind: AzureIdentity
metadata:
name: podmi-ingress-controller-identity
namespace: a0008
spec:
type: 0
resourceID: /subscriptions/82e70289-bf40-45f9-8476-eab93d2031f4/resourcegroups/rg-BU0001A0008-westus2/providers/Microsoft.ManagedIdentity/userAssignedIdentities/podmi-ingress-controller
clientID: 7674499a-ea58-48fc-89c3-b6063699bd94
---
apiVersion: aadpodidentity.k8s.io/v1
kind: AzureIdentityBinding
metadata:
name: podmi-ingress-controller-binding
namespace: a0008
spec:
azureIdentity: podmi-ingress-controller-identity
selector: podmi-ingress-controller

Просмотреть файл

@ -0,0 +1,22 @@
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
name: aks-ingress-tls-secret-csi-akv
namespace: a0008
spec:
provider: azure
parameters:
usePodIdentity: "true"
useVMManagedIdentity: "false"
keyvaultName: kv-aks-q3h7s2lbcnc62
objects: |
array:
- |
objectName: traefik-ingress-internal-aks-ingress-tls
objectAlias: tls.crt
objectType: cert
- |
objectName: traefik-ingress-internal-aks-ingress-tls
objectAlias: tls.key
objectType: secret
tenantId: 449fbe1d-9c99-4509-9014-4fd5cf25b014

Просмотреть файл

@ -0,0 +1,305 @@
kind: ServiceAccount
apiVersion: v1
metadata:
name: traefik-ingress-controller
namespace: a0008
labels:
app.kubernetes.io/name: traefik-ingress-ilb
app.kubernetes.io/instance: traefik-ingress-ilb
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: traefik-ingress-controller
namespace: a0008
labels:
app.kubernetes.io/name: traefik-ingress-ilb
app.kubernetes.io/instance: traefik-ingress-ilb
rules:
- apiGroups:
- ""
resources:
- services
- endpoints
- secrets
verbs:
- get
- list
- watch
- apiGroups:
- extensions
- networking.k8s.io
resources:
- ingresses
- ingressclasses
verbs:
- get
- list
- watch
- apiGroups:
- extensions
- networking.k8s.io
resources:
- ingresses/status
verbs:
- update
- apiGroups:
- traefik.containo.us
resources:
- middlewares
- middlewaretcps
- ingressroutes
- traefikservices
- ingressroutetcps
- ingressrouteudps
- tlsoptions
- tlsstores
- serverstransports
verbs:
- get
- list
- watch
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: traefik-watch-workloads
namespace: a0008
labels:
app.kubernetes.io/name: traefik-ingress-ilb
app.kubernetes.io/instance: traefik-ingress-ilb
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: traefik-ingress-controller
subjects:
- kind: ServiceAccount
name: traefik-ingress-controller
namespace: a0008
---
apiVersion: v1
kind: ConfigMap
metadata:
name: traefik-ingress-config
namespace: a0008
labels:
app.kubernetes.io/name: traefik-ingress-ilb
app.kubernetes.io/instance: traefik-ingress-ilb
data:
traefik.toml: |
[metrics]
[metrics.prometheus]
entryPoint = "metrics"
addEntryPointsLabels = true
addServicesLabels = true
[accessLog]
filePath = "/data/access.log"
bufferingSize = 100
[global]
# prevent Traefik from checking newer versions in production
checknewversion = false
# prevent Traefik from collecting and sending stats from production
sendanonymoususage = false
[log]
level = "ERROR"
format = "json"
[api]
dashboard = false
[providers]
# Configuration reload frequency:
# * duration that Traefik waits for, after a configuration reload, before taking into account any new configuration refresh event
# * the most recent one is taken into account, and all the previous others are dropped.
providersThrottleDuration = 10
[providers.file]
filename = "/config/traefik.toml"
watch = true
# Traefik provider that supports the native Kubernetes Ingress specification
# and derives the corresponding dynamic configuration from it. https://kubernetes.io/docs/concepts/services-networking/ingress/
[providers.kubernetesingress]
ingressClass = "traefik-internal"
namespaces = ["a0008"]
[providers.kubernetesIngress.ingressEndpoint]
publishedService = "a0008/traefik-ingress-service"
# Enable gzip compression
[http.middlewares]
[http.middlewares.gzip-compress.compress]
[http.middlewares.app-gateway-snet.ipWhiteList]
sourceRange = ["10.240.5.0/24"]
[entryPoints]
[entryPoints.metrics]
address = ":8082"
[entryPoints.traefik]
address = ":9000"
[entryPoints.websecure]
address = ":8443"
[entryPoints.websecure.forwardedHeaders]
trustedIPs = ["10.240.5.0/24"]
[entryPoints.websecure.http.tls]
options = "default"
[ping]
entryPoint = "traefik"
[tls]
# without duplicating this cert config and with SNI enabled, Traefik won't
# find the certificates for your host. It may be a Traefik's issue.
[[tls.certificates]]
certFile = "/certs/tls.crt"
keyFile = "/certs/tls.key"
stores = ["default"]
[tls.stores]
[tls.stores.default]
[tls.stores.default.defaultCertificate]
# without specifying in here your certs, Traefik will create its own
# certificate
certFile = "/certs/tls.crt"
keyFile = "/certs/tls.key"
[tls.options.default]
minVersion = "VersionTLS12"
sniStrict = true
---
apiVersion: v1
kind: Service
metadata:
name: traefik-ingress-service
namespace: a0008
labels:
app.kubernetes.io/name: traefik-ingress-ilb
app.kubernetes.io/instance: traefik-ingress-ilb
annotations:
service.beta.kubernetes.io/azure-load-balancer-internal: "true"
service.beta.kubernetes.io/azure-load-balancer-internal-subnet: "snet-clusteringressservices"
spec:
type: LoadBalancer
loadBalancerIP: 10.240.4.4
externalTrafficPolicy: Local
selector:
app.kubernetes.io/name: traefik-ingress-ilb
app.kubernetes.io/instance: traefik-ingress-ilb
ports:
- port: 443
name: "https"
targetPort: "websecure"
protocol: "TCP"
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: traefik-ingress-controller
namespace: a0008
labels:
app.kubernetes.io/name: traefik-ingress-ilb
app.kubernetes.io/instance: traefik-ingress-ilb
aadpodidbinding: podmi-ingress-controller
spec:
replicas: 2
selector:
matchLabels:
app.kubernetes.io/name: traefik-ingress-ilb
app.kubernetes.io/instance: traefik-ingress-ilb
strategy:
type: RollingUpdate
rollingUpdate:
maxSurge: 1
maxUnavailable: 1
template:
metadata:
annotations:
prometheus.io/scrape: "true"
prometheus.io/port: "8082"
labels:
app.kubernetes.io/name: traefik-ingress-ilb
app.kubernetes.io/instance: traefik-ingress-ilb
aadpodidbinding: podmi-ingress-controller
spec:
hostNetwork: false
serviceAccountName: traefik-ingress-controller
terminationGracePeriodSeconds: 60
affinity:
podAntiAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector:
matchExpressions:
- key: app.kubernetes.io/name
operator: In
values:
- traefik-ingress-ilb
topologyKey: "kubernetes.io/hostname"
containers:
# PRODUCTION READINESS CHANGE REQUIRED
# This image should be sourced from a non-public container registry, such as the
# one deployed along side of this reference implementation.
# az acr import --source docker.io/library/traefik:v2.5.3 -n <your-acr-instance-name>
# and then set this to
# image: <your-acr-instance-name>.azurecr.io/library/traefik:v2.5.3
# in order to use the public image, replace the image setting with the following line
# - image: docker.io/library/traefik:v2.5.3
- image: acraksq3h7s2lbcnc62.azurecr.io/library/traefik:v2.5.3
name: traefik-ingress-controller
resources:
requests:
cpu: 100m
memory: 64Mi
limits:
cpu: 200m
memory: 128Mi
readinessProbe:
httpGet:
path: /ping
port: "traefik"
failureThreshold: 1
initialDelaySeconds: 10
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 2
livenessProbe:
httpGet:
path: /ping
port: "traefik"
failureThreshold: 3
initialDelaySeconds: 10
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 2
ports:
- name: "traefik"
containerPort: 9000
protocol: TCP
- name: "websecure"
containerPort: 8443
protocol: TCP
- name: "metrics"
containerPort: 8082
protocol: TCP
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsGroup: 65532
runAsNonRoot: true
runAsUser: 65532
volumeMounts:
- name: data
mountPath: /data
- name: config
mountPath: /config
readOnly: true
- name: ssl-csi
mountPath: /certs
readOnly: true
args:
- --configfile=/config/traefik.toml
volumes:
- name: config
configMap:
name: traefik-ingress-config
- name: ssl-csi
csi:
driver: secrets-store.csi.k8s.io
readOnly: true
volumeAttributes:
secretProviderClass: aks-ingress-tls-secret-csi-akv
- name: data
emptyDir: {}
nodeSelector:
agentpool: npuser01