Ingress en tls, ajout auth, etc

This commit is contained in:
Justine Pelletreau 2022-08-19 14:53:02 +02:00
parent a5644f9f13
commit 2ebc7cec77
14 changed files with 70 additions and 175 deletions


@ -2,7 +2,14 @@ apiVersion: networking.k8s.io/v1
kind: Ingress kind: Ingress
metadata: metadata:
name: blog-ingr name: blog-ingr
annotations:
kubernetes.io/tls-acme: "true"
cert-manager.io/cluster-issuer: letsencrypt-prod
spec: spec:
tls:
- secretName: blog-tls
hosts:
- cptrthgs.fr
ingressClassName: nginx ingressClassName: nginx
rules: rules:
- host: cptrthgs.fr - host: cptrthgs.fr
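Review bot: `kubernetes.io/tls-acme: "true"` is redundant next to `cert-manager.io/cluster-issuer: letsencrypt-prod` in the added annotations block; cert-manager's ingress-shim issues the certificate from the cluster-issuer annotation alone, while tls-acme is the legacy trigger that depends on a default issuer being configured on the controller. Keeping only the cluster-issuer line makes the intended issuer explicit and avoids a second code path. The same pair is added in the freshrss, gitea, mediawiki, grafana, site, notes and tasks Ingress sections below. The `hosts` entry under `tls` matches the `rules` host, which is what both cert-manager and the controller need.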


@ -2,7 +2,14 @@ apiVersion: networking.k8s.io/v1
kind: Ingress kind: Ingress
metadata: metadata:
name: freshrss-ingr name: freshrss-ingr
annotations:
kubernetes.io/tls-acme: "true"
cert-manager.io/cluster-issuer: letsencrypt-prod
spec: spec:
tls:
- secretName: freshrss-tls
hosts:
- rss.squi.fr
ingressClassName: nginx ingressClassName: nginx
rules: rules:
- host: rss.squi.fr - host: rss.squi.fr


@ -2,7 +2,14 @@ apiVersion: networking.k8s.io/v1
kind: Ingress kind: Ingress
metadata: metadata:
name: gitea-ingr name: gitea-ingr
annotations:
kubernetes.io/tls-acme: "true"
cert-manager.io/cluster-issuer: letsencrypt-prod
spec: spec:
tls:
- secretName: gitea-tls
hosts:
- gitea.squi.fr
ingressClassName: nginx ingressClassName: nginx
rules: rules:
- host: gitea.squi.fr - host: gitea.squi.fr


@ -2,7 +2,14 @@ apiVersion: networking.k8s.io/v1
kind: Ingress kind: Ingress
metadata: metadata:
name: mediawiki-ingr name: mediawiki-ingr
annotations:
kubernetes.io/tls-acme: "true"
cert-manager.io/cluster-issuer: letsencrypt-prod
spec: spec:
tls:
- secretName: mediawiki-tls
hosts:
- wiki.squi.fr
ingressClassName: nginx ingressClassName: nginx
rules: rules:
- host: wiki.squi.fr - host: wiki.squi.fr


@ -3,7 +3,14 @@ kind: Ingress
metadata: metadata:
name: grafana-ingr name: grafana-ingr
namespace: monitoring namespace: monitoring
annotations:
kubernetes.io/tls-acme: "true"
cert-manager.io/cluster-issuer: letsencrypt-prod
spec: spec:
tls:
- secretName: grafana-tls
hosts:
- graf.squi.fr
ingressClassName: nginx ingressClassName: nginx
rules: rules:
- host: graf.squi.fr - host: graf.squi.fr

nginx-ingress/auth Normal file

@ -0,0 +1 @@
squip:$apr1$e0QTsUBf$rVuHisO/pKnOKTBAwcYiT0
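Review bot: The htpasswd line added in `nginx-ingress/auth` commits a password hash to the repository, and the Secret manifest in the next section carries the same line base64-encoded, which is an encoding rather than a protection; anyone with read access to the repo or its history now holds the hash. The `$apr1$` prefix is the MD5-based Apache scheme, so the entry is weaker against offline guessing than a bcrypt (`htpasswd -B`) or SHA-512 crypt entry, both of which nginx's auth_basic can verify where the controller image's crypt() supports them. Generate the Secret outside the repo (`kubectl create secret generic basic-auth --from-file=auth`) or keep it with an encrypted-secret tool such as SOPS or Sealed Secrets, and rotate this credential since its hash is already in git history.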


@ -0,0 +1,8 @@
apiVersion: v1
data:
auth: c3F1aXA6JGFwcjEkZTBRVHNVQmYkclZ1SGlzTy9wS25PS1RCQXdjWWlUMAo=
kind: Secret
metadata:
name: basic-auth
namespace: default
type: Opaque


@ -2,7 +2,14 @@ apiVersion: networking.k8s.io/v1
kind: Ingress kind: Ingress
metadata: metadata:
name: site-ingr name: site-ingr
annotations:
kubernetes.io/tls-acme: "true"
cert-manager.io/cluster-issuer: letsencrypt-staging
spec: spec:
tls:
- secretName: siteperso-tls
hosts:
- justinepelletreau.com
ingressClassName: nginx ingressClassName: nginx
rules: rules:
- host: justinepelletreau.com - host: justinepelletreau.com
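Review bot: `cert-manager.io/cluster-issuer: letsencrypt-staging` on site-ingr is the only staging issuer in this commit; every other Ingress here uses `letsencrypt-prod`. Staging certificates chain to an untrusted test CA, so browsers will show a certificate error for justinepelletreau.com once `siteperso-tls` is populated. If staging is deliberate while the host is still being set up, a comment saying so would help; otherwise change the line to `cert-manager.io/cluster-issuer: letsencrypt-prod`.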


@ -3,8 +3,17 @@ kind: Ingress
metadata: metadata:
name: notes-ingr name: notes-ingr
annotations: annotations:
nginx.ingress.kubernetes.io/auth-type: basic
nginx.ingress.kubernetes.io/auth-secret: basic-auth
nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required - you fool'
kubernetes.io/ingress.class: "nginx" kubernetes.io/ingress.class: "nginx"
kubernetes.io/tls-acme: "true"
cert-manager.io/cluster-issuer: letsencrypt-prod
spec: spec:
tls:
- secretName: notes-tls
hosts:
- notes.squi.fr
rules: rules:
- host: notes.squi.fr - host: notes.squi.fr
http: http:
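Review bot: `nginx.ingress.kubernetes.io/auth-secret: basic-auth` is resolved in the Ingress's own namespace unless written as `namespace/name`, and notes-ingr's metadata shows no namespace in this hunk while the Secret is created in `default`; this works only if notes-ingr also lives in `default`, which is worth confirming (tasks-ingr below has the same dependency). The surrounding stanza still selects the controller with the `kubernetes.io/ingress.class` annotation, whereas the other Ingresses in this commit use `spec.ingressClassName: nginx`; aligning this one avoids relying on an annotation that newer ingress-nginx releases treat as deprecated. Basic auth sends the credential on every request, so it is only as protected as the TLS block added here and ingress-nginx's default SSL redirect. The rules stanza continues past the end of the hunk.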


@ -2,7 +2,17 @@ apiVersion: networking.k8s.io/v1
kind: Ingress kind: Ingress
metadata: metadata:
name: tasks-ingr name: tasks-ingr
annotations:
kubernetes.io/tls-acme: "true"
nginx.ingress.kubernetes.io/auth-type: basic
nginx.ingress.kubernetes.io/auth-secret: basic-auth
nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required - you fool'
cert-manager.io/cluster-issuer: letsencrypt-prod
spec: spec:
tls:
- secretName: todo-tls
hosts:
- todo.squi.fr
ingressClassName: nginx ingressClassName: nginx
rules: rules:
- host: todo.squi.fr - host: todo.squi.fr


@ -1,15 +0,0 @@
apiVersion: v1
kind: Pod
metadata:
name: dnsutils
namespace: default
spec:
nodeName: swarm2
containers:
- name: dnsutils
image: k8s.gcr.io/e2e-test-images/jessie-dnsutils:1.3
command:
- sleep
- "3600"
imagePullPolicy: IfNotPresent
restartPolicy: Always


@ -1,117 +0,0 @@
apiVersion: v1
kind: Namespace
metadata:
name: system-upgrade
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: system-upgrade
namespace: system-upgrade
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: system-upgrade
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-admin
subjects:
- kind: ServiceAccount
name: system-upgrade
namespace: system-upgrade
---
apiVersion: v1
data:
SYSTEM_UPGRADE_CONTROLLER_DEBUG: "false"
SYSTEM_UPGRADE_CONTROLLER_THREADS: "2"
SYSTEM_UPGRADE_JOB_ACTIVE_DEADLINE_SECONDS: "900"
SYSTEM_UPGRADE_JOB_BACKOFF_LIMIT: "99"
SYSTEM_UPGRADE_JOB_IMAGE_PULL_POLICY: Always
SYSTEM_UPGRADE_JOB_KUBECTL_IMAGE: rancher/kubectl:v1.21.9
SYSTEM_UPGRADE_JOB_PRIVILEGED: "true"
SYSTEM_UPGRADE_JOB_TTL_SECONDS_AFTER_FINISH: "900"
SYSTEM_UPGRADE_PLAN_POLLING_INTERVAL: 15m
kind: ConfigMap
metadata:
name: default-controller-env
namespace: system-upgrade
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: system-upgrade-controller
namespace: system-upgrade
spec:
selector:
matchLabels:
upgrade.cattle.io/controller: system-upgrade-controller
template:
metadata:
labels:
upgrade.cattle.io/controller: system-upgrade-controller
spec:
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: node-role.kubernetes.io/master
operator: Exists
containers:
- env:
- name: SYSTEM_UPGRADE_CONTROLLER_NAME
valueFrom:
fieldRef:
fieldPath: metadata.labels['upgrade.cattle.io/controller']
- name: SYSTEM_UPGRADE_CONTROLLER_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
envFrom:
- configMapRef:
name: default-controller-env
image: rancher/system-upgrade-controller:v0.9.1
imagePullPolicy: IfNotPresent
name: system-upgrade-controller
volumeMounts:
- mountPath: /etc/ssl
name: etc-ssl
- mountPath: /etc/pki
name: etc-pki
- mountPath: /etc/ca-certificates
name: etc-ca-certificates
- mountPath: /tmp
name: tmp
serviceAccountName: system-upgrade
tolerations:
- key: CriticalAddonsOnly
operator: Exists
- effect: NoSchedule
key: node-role.kubernetes.io/master
operator: Exists
- effect: NoSchedule
key: node-role.kubernetes.io/controlplane
operator: Exists
- effect: NoSchedule
key: node-role.kubernetes.io/control-plane
operator: Exists
- effect: NoExecute
key: node-role.kubernetes.io/etcd
operator: Exists
volumes:
- hostPath:
path: /etc/ssl
type: Directory
name: etc-ssl
- hostPath:
path: /etc/pki
type: DirectoryOrCreate
name: etc-pki
- hostPath:
path: /etc/ca-certificates
type: DirectoryOrCreate
name: etc-ca-certificates
- emptyDir: {}
name: tmp


@ -1,24 +0,0 @@
---
# Agent plan
apiVersion: upgrade.cattle.io/v1
kind: Plan
metadata:
name: agent-plan
namespace: system-upgrade
spec:
concurrency: 1
cordon: true
nodeSelector:
matchExpressions:
- key: node-role.kubernetes.io/master
operator: DoesNotExist
prepare:
args:
- prepare
- server-plan
image: rancher/k3s-upgrade
serviceAccountName: system-upgrade
upgrade:
image: rancher/k3s-upgrade
version: stable


@ -1,19 +0,0 @@
# Server plan
apiVersion: upgrade.cattle.io/v1
kind: Plan
metadata:
name: server-plan
namespace: system-upgrade
spec:
concurrency: 1
cordon: true
nodeSelector:
matchExpressions:
- key: node-role.kubernetes.io/master
operator: In
values:
- "true"
serviceAccountName: system-upgrade
upgrade:
image: rancher/k3s-upgrade
channel: stable