Add Traefik manifest files
This commit is contained in:
Родитель
dbe04d514f
Коммит
ae7e3c0c3f
|
@ -0,0 +1,18 @@
|
|||
apiVersion: aadpodidentity.k8s.io/v1
|
||||
kind: AzureIdentity
|
||||
metadata:
|
||||
name: podmi-ingress-controller-identity
|
||||
namespace: a0008
|
||||
spec:
|
||||
type: 0
|
||||
resourceID: /subscriptions/82e70289-bf40-45f9-8476-eab93d2031f4/resourcegroups/rg-BU0001A0008-westus2/providers/Microsoft.ManagedIdentity/userAssignedIdentities/podmi-ingress-controller
|
||||
clientID: 7674499a-ea58-48fc-89c3-b6063699bd94
|
||||
---
|
||||
apiVersion: aadpodidentity.k8s.io/v1
|
||||
kind: AzureIdentityBinding
|
||||
metadata:
|
||||
name: podmi-ingress-controller-binding
|
||||
namespace: a0008
|
||||
spec:
|
||||
azureIdentity: podmi-ingress-controller-identity
|
||||
selector: podmi-ingress-controller
|
|
@ -0,0 +1,22 @@
|
|||
apiVersion: secrets-store.csi.x-k8s.io/v1
|
||||
kind: SecretProviderClass
|
||||
metadata:
|
||||
name: aks-ingress-tls-secret-csi-akv
|
||||
namespace: a0008
|
||||
spec:
|
||||
provider: azure
|
||||
parameters:
|
||||
usePodIdentity: "true"
|
||||
useVMManagedIdentity: "false"
|
||||
keyvaultName: kv-aks-q3h7s2lbcnc62
|
||||
objects: |
|
||||
array:
|
||||
- |
|
||||
objectName: traefik-ingress-internal-aks-ingress-tls
|
||||
objectAlias: tls.crt
|
||||
objectType: cert
|
||||
- |
|
||||
objectName: traefik-ingress-internal-aks-ingress-tls
|
||||
objectAlias: tls.key
|
||||
objectType: secret
|
||||
tenantId: 449fbe1d-9c99-4509-9014-4fd5cf25b014
|
|
@ -0,0 +1,305 @@
|
|||
kind: ServiceAccount
|
||||
apiVersion: v1
|
||||
metadata:
|
||||
name: traefik-ingress-controller
|
||||
namespace: a0008
|
||||
labels:
|
||||
app.kubernetes.io/name: traefik-ingress-ilb
|
||||
app.kubernetes.io/instance: traefik-ingress-ilb
|
||||
---
|
||||
kind: ClusterRole
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
metadata:
|
||||
name: traefik-ingress-controller
|
||||
namespace: a0008
|
||||
labels:
|
||||
app.kubernetes.io/name: traefik-ingress-ilb
|
||||
app.kubernetes.io/instance: traefik-ingress-ilb
|
||||
rules:
|
||||
- apiGroups:
|
||||
- ""
|
||||
resources:
|
||||
- services
|
||||
- endpoints
|
||||
- secrets
|
||||
verbs:
|
||||
- get
|
||||
- list
|
||||
- watch
|
||||
- apiGroups:
|
||||
- extensions
|
||||
- networking.k8s.io
|
||||
resources:
|
||||
- ingresses
|
||||
- ingressclasses
|
||||
verbs:
|
||||
- get
|
||||
- list
|
||||
- watch
|
||||
- apiGroups:
|
||||
- extensions
|
||||
- networking.k8s.io
|
||||
resources:
|
||||
- ingresses/status
|
||||
verbs:
|
||||
- update
|
||||
- apiGroups:
|
||||
- traefik.containo.us
|
||||
resources:
|
||||
- middlewares
|
||||
- middlewaretcps
|
||||
- ingressroutes
|
||||
- traefikservices
|
||||
- ingressroutetcps
|
||||
- ingressrouteudps
|
||||
- tlsoptions
|
||||
- tlsstores
|
||||
- serverstransports
|
||||
verbs:
|
||||
- get
|
||||
- list
|
||||
- watch
|
||||
---
|
||||
kind: ClusterRoleBinding
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
metadata:
|
||||
name: traefik-watch-workloads
|
||||
namespace: a0008
|
||||
labels:
|
||||
app.kubernetes.io/name: traefik-ingress-ilb
|
||||
app.kubernetes.io/instance: traefik-ingress-ilb
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: traefik-ingress-controller
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: traefik-ingress-controller
|
||||
namespace: a0008
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: traefik-ingress-config
|
||||
namespace: a0008
|
||||
labels:
|
||||
app.kubernetes.io/name: traefik-ingress-ilb
|
||||
app.kubernetes.io/instance: traefik-ingress-ilb
|
||||
data:
|
||||
traefik.toml: |
|
||||
[metrics]
|
||||
[metrics.prometheus]
|
||||
entryPoint = "metrics"
|
||||
addEntryPointsLabels = true
|
||||
addServicesLabels = true
|
||||
[accessLog]
|
||||
filePath = "/data/access.log"
|
||||
bufferingSize = 100
|
||||
[global]
|
||||
# prevent Traefik from checking newer versions in production
|
||||
checknewversion = false
|
||||
# prevent Traefik from collecting and sending stats from production
|
||||
sendanonymoususage = false
|
||||
[log]
|
||||
level = "ERROR"
|
||||
format = "json"
|
||||
[api]
|
||||
dashboard = false
|
||||
[providers]
|
||||
# Configuration reload frequency:
|
||||
# * duration that Traefik waits for, after a configuration reload, before taking into account any new configuration refresh event
|
||||
# * the most recent one is taken into account, and all the previous others are dropped.
|
||||
providersThrottleDuration = 10
|
||||
[providers.file]
|
||||
filename = "/config/traefik.toml"
|
||||
watch = true
|
||||
# Traefik provider that supports the native Kubernetes Ingress specification
|
||||
# and derives the corresponding dynamic configuration from it. https://kubernetes.io/docs/concepts/services-networking/ingress/
|
||||
[providers.kubernetesingress]
|
||||
ingressClass = "traefik-internal"
|
||||
namespaces = ["a0008"]
|
||||
[providers.kubernetesIngress.ingressEndpoint]
|
||||
publishedService = "a0008/traefik-ingress-service"
|
||||
# Enable gzip compression
|
||||
[http.middlewares]
|
||||
[http.middlewares.gzip-compress.compress]
|
||||
[http.middlewares.app-gateway-snet.ipWhiteList]
|
||||
sourceRange = ["10.240.5.0/24"]
|
||||
[entryPoints]
|
||||
[entryPoints.metrics]
|
||||
address = ":8082"
|
||||
[entryPoints.traefik]
|
||||
address = ":9000"
|
||||
[entryPoints.websecure]
|
||||
address = ":8443"
|
||||
[entryPoints.websecure.forwardedHeaders]
|
||||
trustedIPs = ["10.240.5.0/24"]
|
||||
[entryPoints.websecure.http.tls]
|
||||
options = "default"
|
||||
[ping]
|
||||
entryPoint = "traefik"
|
||||
[tls]
|
||||
# without duplicating this cert config and with SNI enabled, Traefik won't
|
||||
# find the certificates for your host. It may be a Traefik's issue.
|
||||
[[tls.certificates]]
|
||||
certFile = "/certs/tls.crt"
|
||||
keyFile = "/certs/tls.key"
|
||||
stores = ["default"]
|
||||
[tls.stores]
|
||||
[tls.stores.default]
|
||||
[tls.stores.default.defaultCertificate]
|
||||
# without specifying in here your certs, Traefik will create its own
|
||||
# certificate
|
||||
certFile = "/certs/tls.crt"
|
||||
keyFile = "/certs/tls.key"
|
||||
[tls.options.default]
|
||||
minVersion = "VersionTLS12"
|
||||
sniStrict = true
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: traefik-ingress-service
|
||||
namespace: a0008
|
||||
labels:
|
||||
app.kubernetes.io/name: traefik-ingress-ilb
|
||||
app.kubernetes.io/instance: traefik-ingress-ilb
|
||||
annotations:
|
||||
service.beta.kubernetes.io/azure-load-balancer-internal: "true"
|
||||
service.beta.kubernetes.io/azure-load-balancer-internal-subnet: "snet-clusteringressservices"
|
||||
spec:
|
||||
type: LoadBalancer
|
||||
loadBalancerIP: 10.240.4.4
|
||||
externalTrafficPolicy: Local
|
||||
selector:
|
||||
app.kubernetes.io/name: traefik-ingress-ilb
|
||||
app.kubernetes.io/instance: traefik-ingress-ilb
|
||||
ports:
|
||||
- port: 443
|
||||
name: "https"
|
||||
targetPort: "websecure"
|
||||
protocol: "TCP"
|
||||
---
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: traefik-ingress-controller
|
||||
namespace: a0008
|
||||
labels:
|
||||
app.kubernetes.io/name: traefik-ingress-ilb
|
||||
app.kubernetes.io/instance: traefik-ingress-ilb
|
||||
aadpodidbinding: podmi-ingress-controller
|
||||
spec:
|
||||
replicas: 2
|
||||
selector:
|
||||
matchLabels:
|
||||
app.kubernetes.io/name: traefik-ingress-ilb
|
||||
app.kubernetes.io/instance: traefik-ingress-ilb
|
||||
strategy:
|
||||
type: RollingUpdate
|
||||
rollingUpdate:
|
||||
maxSurge: 1
|
||||
maxUnavailable: 1
|
||||
template:
|
||||
metadata:
|
||||
annotations:
|
||||
prometheus.io/scrape: "true"
|
||||
prometheus.io/port: "8082"
|
||||
labels:
|
||||
app.kubernetes.io/name: traefik-ingress-ilb
|
||||
app.kubernetes.io/instance: traefik-ingress-ilb
|
||||
aadpodidbinding: podmi-ingress-controller
|
||||
spec:
|
||||
hostNetwork: false
|
||||
serviceAccountName: traefik-ingress-controller
|
||||
terminationGracePeriodSeconds: 60
|
||||
affinity:
|
||||
podAntiAffinity:
|
||||
requiredDuringSchedulingIgnoredDuringExecution:
|
||||
- labelSelector:
|
||||
matchExpressions:
|
||||
- key: app.kubernetes.io/name
|
||||
operator: In
|
||||
values:
|
||||
- traefik-ingress-ilb
|
||||
topologyKey: "kubernetes.io/hostname"
|
||||
containers:
|
||||
# PRODUCTION READINESS CHANGE REQUIRED
|
||||
# This image should be sourced from a non-public container registry, such as the
|
||||
# one deployed along side of this reference implementation.
|
||||
# az acr import --source docker.io/library/traefik:v2.5.3 -n <your-acr-instance-name>
|
||||
# and then set this to
|
||||
# image: <your-acr-instance-name>.azurecr.io/library/traefik:v2.5.3
|
||||
# in order to use the public image, replace the image setting with the following line
|
||||
# - image: docker.io/library/traefik:v2.5.3
|
||||
- image: acraksq3h7s2lbcnc62.azurecr.io/library/traefik:v2.5.3
|
||||
name: traefik-ingress-controller
|
||||
resources:
|
||||
requests:
|
||||
cpu: 100m
|
||||
memory: 64Mi
|
||||
limits:
|
||||
cpu: 200m
|
||||
memory: 128Mi
|
||||
readinessProbe:
|
||||
httpGet:
|
||||
path: /ping
|
||||
port: "traefik"
|
||||
failureThreshold: 1
|
||||
initialDelaySeconds: 10
|
||||
periodSeconds: 10
|
||||
successThreshold: 1
|
||||
timeoutSeconds: 2
|
||||
livenessProbe:
|
||||
httpGet:
|
||||
path: /ping
|
||||
port: "traefik"
|
||||
failureThreshold: 3
|
||||
initialDelaySeconds: 10
|
||||
periodSeconds: 10
|
||||
successThreshold: 1
|
||||
timeoutSeconds: 2
|
||||
ports:
|
||||
- name: "traefik"
|
||||
containerPort: 9000
|
||||
protocol: TCP
|
||||
- name: "websecure"
|
||||
containerPort: 8443
|
||||
protocol: TCP
|
||||
- name: "metrics"
|
||||
containerPort: 8082
|
||||
protocol: TCP
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
readOnlyRootFilesystem: true
|
||||
runAsGroup: 65532
|
||||
runAsNonRoot: true
|
||||
runAsUser: 65532
|
||||
volumeMounts:
|
||||
- name: data
|
||||
mountPath: /data
|
||||
- name: config
|
||||
mountPath: /config
|
||||
readOnly: true
|
||||
- name: ssl-csi
|
||||
mountPath: /certs
|
||||
readOnly: true
|
||||
args:
|
||||
- --configfile=/config/traefik.toml
|
||||
volumes:
|
||||
- name: config
|
||||
configMap:
|
||||
name: traefik-ingress-config
|
||||
- name: ssl-csi
|
||||
csi:
|
||||
driver: secrets-store.csi.k8s.io
|
||||
readOnly: true
|
||||
volumeAttributes:
|
||||
secretProviderClass: aks-ingress-tls-secret-csi-akv
|
||||
- name: data
|
||||
emptyDir: {}
|
||||
nodeSelector:
|
||||
agentpool: npuser01
|
Загрузка…
Ссылка в новой задаче