diff --git a/README.md b/README.md index 3e88c77..25558ee 100644 --- a/README.md +++ b/README.md @@ -189,8 +189,7 @@ In order to get a cluster up and running fast, an extra Ansible playbook is prov - Deploy [Hetzner CSI Driver v1.4.0](https://github.com/hetznercloud/csi-driver) - Container Storage Interface for persistent volumes - Deploy [cbeneke's Hetzner FIP controller v0.3.5](https://github.com/cbeneke/hcloud-fip-controller) - Assigns the cluster floating IP to the node running the controller, effectively keeping the cluster resources HA - Deploy [Jetstack cert-manager v1.0.1](https://github.com/jetstack/cert-manager) -- Deploy [Traefik](https://github.com/containous/traefik/) -- Deploy Traefik Dashboard - with LetsEncrypt cert available on traefik.(cluster-domain), eg. traefik.default.cluster.example.com +- Deploy [Traefik Proxy v2.3.0](https://github.com/traefik/traefik) - Deploy [Kubernetes Dashboard v2.0.4](https://github.com/kubernetes/dashboard) - available through `kubectl proxy` Running the playbook requires the Ansible variables that Terraform generates. diff --git a/k8s/provision-k8s.yml b/k8s/provision-k8s.yml index 84fedab..b829ba6 100644 --- a/k8s/provision-k8s.yml +++ b/k8s/provision-k8s.yml @@ -9,4 +9,3 @@ - ansible-role-k8s-traefik - ansible-role-k8s-cert-manager - ansible-role-k8s-kubernetes-dashboard - - ansible-role-k8s-traefik-dashboard \ No newline at end of file diff --git a/k8s/roles/ansible-role-k8s-traefik-dashboard/tasks/main.yml b/k8s/roles/ansible-role-k8s-traefik-dashboard/tasks/main.yml deleted file mode 100644 index f6a4979..0000000 --- a/k8s/roles/ansible-role-k8s-traefik-dashboard/tasks/main.yml +++ /dev/null 
@@ -1,25 +0,0 @@ ---- -- name: Apply certificate - k8s: - state: present - definition: "{{ lookup('template', '00-certificate.yml') }}" - -- name: Apply secret - k8s: - state: present - definition: "{{ lookup('template', '01-secret.yml') }}" - -- name: Apply service - k8s: - state: present - definition: "{{ lookup('template', '02-service.yml') }}" - -- name: Apply Traefik middleware - k8s: - state: present - definition: "{{ lookup('template', '03-traefik-middleware.yml') }}" - -- name: Apply Traefik ingress routes - k8s: - state: present - definition: "{{ lookup('template', '04-traefik-ingress-route.yml') }}" \ No newline at end of file diff --git a/k8s/roles/ansible-role-k8s-traefik-dashboard/templates/00-certificate.yml b/k8s/roles/ansible-role-k8s-traefik-dashboard/templates/00-certificate.yml deleted file mode 100644 index d3c3b27..0000000 --- a/k8s/roles/ansible-role-k8s-traefik-dashboard/templates/00-certificate.yml +++ /dev/null @@ -1,13 +0,0 @@ ---- -apiVersion: certmanager.k8s.io/v1alpha1 -kind: Certificate - -metadata: - name: traefik-dashboard-cert - namespace: traefik -spec: - secretName: traefik-dashboard-cert - issuerRef: - name: letsencrypt-production - kind: ClusterIssuer - commonName: traefik.{{ cluster_domain }} diff --git a/k8s/roles/ansible-role-k8s-traefik-dashboard/templates/01-secret.yml b/k8s/roles/ansible-role-k8s-traefik-dashboard/templates/01-secret.yml deleted file mode 100644 index 9dfaaaa..0000000 --- a/k8s/roles/ansible-role-k8s-traefik-dashboard/templates/01-secret.yml +++ /dev/null @@ -1,10 +0,0 @@ ---- -apiVersion: v1 -kind: Secret - -metadata: - name: traefik-dashboard-auth-secret - namespace: traefik -type: Opaque -data: - users: {{ traefik_dashboard_users }} diff --git a/k8s/roles/ansible-role-k8s-traefik-dashboard/templates/02-service.yml b/k8s/roles/ansible-role-k8s-traefik-dashboard/templates/02-service.yml deleted file mode 100644 index 55489ed..0000000 
--- a/k8s/roles/ansible-role-k8s-traefik-dashboard/templates/02-service.yml +++ /dev/null @@ -1,14 +0,0 @@ ---- -apiVersion: v1 -kind: Service - -metadata: - name: traefik-dashboard - namespace: traefik -spec: - selector: - k8s-app: traefik-ingress-controller - ports: - - protocol: TCP - name: dashboard - port: 8080 \ No newline at end of file diff --git a/k8s/roles/ansible-role-k8s-traefik-dashboard/templates/03-traefik-middleware.yml b/k8s/roles/ansible-role-k8s-traefik-dashboard/templates/03-traefik-middleware.yml deleted file mode 100644 index c313ccd..0000000 --- a/k8s/roles/ansible-role-k8s-traefik-dashboard/templates/03-traefik-middleware.yml +++ /dev/null @@ -1,21 +0,0 @@ ---- -apiVersion: traefik.containo.us/v1alpha1 -kind: Middleware - -metadata: - name: traefik-dashboard-auth-middleware - namespace: traefik -spec: - basicAuth: - secret: traefik-dashboard-auth-secret - ---- -apiVersion: traefik.containo.us/v1alpha1 -kind: Middleware - -metadata: - name: redirect-https - namespace: traefik -spec: - redirectScheme: - scheme: https \ No newline at end of file diff --git a/k8s/roles/ansible-role-k8s-traefik-dashboard/templates/04-traefik-ingress-route.yml b/k8s/roles/ansible-role-k8s-traefik-dashboard/templates/04-traefik-ingress-route.yml deleted file mode 100644 index bd5bedf..0000000 --- a/k8s/roles/ansible-role-k8s-traefik-dashboard/templates/04-traefik-ingress-route.yml +++ /dev/null 
@@ -1,41 +0,0 @@ ---- -apiVersion: traefik.containo.us/v1alpha1 -kind: IngressRoute - -metadata: - name: traefik-dashboard-http # Redirect to HTTPS - namespace: traefik -spec: - entryPoints: - - http - routes: - - match: Host(`traefik.{{ cluster_domain }}`) && PathPrefix(`/`) - kind: Rule - middlewares: - - name: redirect-https - services: - - name: traefik-dashboard - namespace: traefik - port: 8080 - ---- -apiVersion: traefik.containo.us/v1alpha1 -kind: IngressRoute - -metadata: - name: traefik-dashboard-https - namespace: traefik -spec: - entryPoints: - - https - tls: - secretName: traefik-dashboard-cert - routes: - - match: Host(`traefik.{{ cluster_domain }}`) && PathPrefix(`/`) - kind: Rule - middlewares: - - name: traefik-dashboard-auth-middleware - services: - - name: traefik-dashboard - namespace: traefik - port: 8080 diff --git a/k8s/roles/ansible-role-k8s-traefik/tasks/main.yml b/k8s/roles/ansible-role-k8s-traefik/tasks/main.yml index 4fcd6f9..1b6412d 100644 --- a/k8s/roles/ansible-role-k8s-traefik/tasks/main.yml +++ b/k8s/roles/ansible-role-k8s-traefik/tasks/main.yml @@ -14,7 +14,12 @@ state: present definition: "{{ lookup('template', '02-rbac.yml') }}" +- name: Apply Service + k8s: + state: present + definition: "{{ lookup('template', '03-service.yml') }}" + - name: Apply Daemon Set k8s: state: present - definition: "{{ lookup('template', '03-daemon-set.yml') }}" \ No newline at end of file + definition: "{{ lookup('template', '04-daemon-set.yml') }}" \ No newline at end of file diff --git a/k8s/roles/ansible-role-k8s-traefik/templates/01-crd.yml b/k8s/roles/ansible-role-k8s-traefik/templates/01-crd.yml index 273b293..5d00b9c 100644 --- a/k8s/roles/ansible-role-k8s-traefik/templates/01-crd.yml +++ b/k8s/roles/ansible-role-k8s-traefik/templates/01-crd.yml 
@@ -32,6 +32,22 @@ spec: apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition +metadata: + name: ingressrouteudps.traefik.containo.us + +spec: + group: traefik.containo.us + version: v1alpha1 + names: + kind: IngressRouteUDP + plural: ingressrouteudps + singular: ingressrouteudp + scope: Namespaced + +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition + metadata: name: middlewares.traefik.containo.us spec: @@ -56,4 +72,35 @@ spec: kind: TLSOption plural: tlsoptions singular: tlsoption - scope: Namespaced \ No newline at end of file + scope: Namespaced + +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition + +metadata: + name: tlsstores.traefik.containo.us + +spec: + group: traefik.containo.us + version: v1alpha1 + names: + kind: TLSStore + plural: tlsstores + singular: tlsstore + scope: Namespaced + +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition + +metadata: + name: traefikservices.traefik.containo.us +spec: + group: traefik.containo.us + version: v1alpha1 + names: + kind: TraefikService + plural: traefikservices + singular: traefikservice + scope: Namespaced diff --git a/k8s/roles/ansible-role-k8s-traefik/templates/02-rbac.yml b/k8s/roles/ansible-role-k8s-traefik/templates/02-rbac.yml index 3829337..42fffdf 100644 --- a/k8s/roles/ansible-role-k8s-traefik/templates/02-rbac.yml +++ b/k8s/roles/ansible-role-k8s-traefik/templates/02-rbac.yml @@ -1,9 +1,12 @@ --- +apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1beta1 metadata: - name: traefik-ingress-controller + name: traefik + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: traefik rules: - apiGroups: - "" 
@@ -29,52 +32,37 @@ rules: - ingresses/status verbs: - update - - apiGroups: - - traefik.containo.us - resources: - - middlewares - verbs: - - get - - list - - watch - apiGroups: - traefik.containo.us resources: - ingressroutes - verbs: - - get - - list - - watch - - apiGroups: - - traefik.containo.us - resources: - ingressroutetcps - verbs: - - get - - list - - watch - - apiGroups: - - traefik.containo.us - resources: + - ingressrouteudps + - middlewares - tlsoptions + - tlsstores + - traefikservices verbs: - get - list - watch --- +apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1beta1 metadata: - name: traefik-ingress-controller + name: traefik + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: traefik roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: traefik-ingress-controller + name: traefik subjects: - kind: ServiceAccount - name: traefik-ingress-controller + name: traefik namespace: traefik --- @@ -82,5 +70,9 @@ apiVersion: v1 kind: ServiceAccount metadata: + name: traefik namespace: traefik - name: traefik-ingress-controller \ No newline at end of file + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: traefik + annotations: diff --git a/k8s/roles/ansible-role-k8s-traefik/templates/03-daemon-set.yml b/k8s/roles/ansible-role-k8s-traefik/templates/03-daemon-set.yml deleted file mode 100644 index dd2f91c..0000000 --- a/k8s/roles/ansible-role-k8s-traefik/templates/03-daemon-set.yml +++ /dev/null 
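Review bot: The `annotations:` key added at the end of the ServiceAccount in the third hunk carries no value, so YAML reads it as `annotations: null` rather than an empty map, and the new `03-service.yml` adds the same bare key to its Service metadata. The API server accepts a null metadata map, but yamllint's `empty-values` rule flags it and a reader cannot tell whether it is a placeholder or an oversight; it is also worth confirming that the k8s module's change detection treats a null map like an absent one, otherwise the task could report `changed` on every run. Either drop the line until there is an annotation to set or write `annotations: {}` and put a short comment above it naming what is expected to go there.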
@@ -1,42 +0,0 @@ ---- -kind: DaemonSet -apiVersion: extensions/v1beta1 - -metadata: - name: traefik-ingress-controller - namespace: traefik - labels: - k8s-app: traefik-ingress-controller -spec: - template: - metadata: - labels: - k8s-app: traefik-ingress-controller - name: traefik-ingress-controller - spec: - serviceAccountName: traefik-ingress-controller - hostNetwork: true - terminationGracePeriodSeconds: 60 - containers: - - name: traefik - image: traefik:v2.0 - args: - - --api - - --api.insecure - - --api.dashboard - - --entryPoints.http.address=:80 - - --entryPoints.https.address=:443 - - --providers.kubernetescrd - - --providers.kubernetesingress=true - - --ping - - --accesslog=true - - --log=true - ports: - - name: http - containerPort: 80 - hostPort: 80 - - name: https - containerPort: 443 - hostPort: 443 - - name: dashboard - containerPort: 8080 \ No newline at end of file diff --git a/k8s/roles/ansible-role-k8s-traefik/templates/03-service.yml b/k8s/roles/ansible-role-k8s-traefik/templates/03-service.yml new file mode 100644 index 0000000..2cc89e1 --- /dev/null +++ b/k8s/roles/ansible-role-k8s-traefik/templates/03-service.yml @@ -0,0 +1,19 @@ +--- +apiVersion: v1 +kind: Service + +metadata: + name: traefik + namespace: traefik + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: traefik + annotations: +spec: + selector: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: traefik + ports: + - port: 9000 + name: dashboard + protocol: TCP diff --git a/k8s/roles/ansible-role-k8s-traefik/templates/04-daemon-set.yml b/k8s/roles/ansible-role-k8s-traefik/templates/04-daemon-set.yml new file mode 100644 index 0000000..fc42cd3 --- /dev/null +++ b/k8s/roles/ansible-role-k8s-traefik/templates/04-daemon-set.yml 
@@ -0,0 +1,72 @@ +--- +kind: DaemonSet +apiVersion: extensions/v1beta1 + +metadata: + name: traefik + namespace: traefik + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: traefik +spec: + template: + metadata: + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: traefik + spec: + serviceAccountName: traefik + hostNetwork: true + terminationGracePeriodSeconds: 60 + containers: + - name: traefik + image: traefik:v2.3.0 + imagePullPolicy: IfNotPresent + readinessProbe: + httpGet: + path: /ping + port: 9000 + failureThreshold: 1 + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 2 + livenessProbe: + httpGet: + path: /ping + port: 9000 + failureThreshold: 3 + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 2 + securityContext: + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsGroup: 65532 + runAsNonRoot: true + runAsUser: 65532 + args: + - --api + - --api.insecure + - --api.dashboard + - --entryPoints.traefik.address=:9000/tcp + - --entryPoints.http.address=:80/tcp + - --entryPoints.https.address=:443/tcp + - --providers.kubernetescrd + - --providers.kubernetesingress + - --ping + - --accesslog=true + - --log=true + ports: + - name: traefik + containerPort: 9000 + protocol: TCP + - name: http + containerPort: 80 + hostPort: 80 + - name: https + containerPort: 443 + hostPort: 443
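Review bot: The new DaemonSet keeps `--api.insecure` while the same commit deletes the role that fronted the dashboard with a basic-auth middleware and a certificate, and because the pod runs with `hostNetwork: true` the unauthenticated API and dashboard on the `traefik` entrypoint (`:9000/tcp`) now listen on every node's host interface instead of only inside the cluster. `--ping` is served on that entrypoint independently of the API, so the probes keep working if `- --api.insecure` is dropped and the dashboard is published instead through an IngressRoute to `api@internal` behind an auth middleware; if the flag has to stay, the node firewall rules (not visible here) need to block 9000. The security context also drops all capabilities and runs as UID 65532, yet the process binds `:80` and `:443` in the host network namespace, which fails with a permission error unless the nodes lower `net.ipv4.ip_unprivileged_port_start` or the runtime makes an added `NET_BIND_SERVICE` effective for a non-root process — worth verifying on a node, since the previous manifest ran without any securityContext. Finally, `apiVersion: extensions/v1beta1` for DaemonSet stopped being served in Kubernetes 1.16; `apps/v1` is the supported version and additionally requires an explicit `spec.selector`, which the template does not define. The sketch below shows the combined changes.

```yaml
kind: DaemonSet
apiVersion: apps/v1
# … unchanged: metadata …
spec:
  selector:
    matchLabels:
      app.kubernetes.io/name: traefik
      app.kubernetes.io/instance: traefik
  template:
    # … unchanged: pod metadata, serviceAccountName, hostNetwork, probes …
        securityContext:
          capabilities:
            drop:
              - ALL
            add:
              - NET_BIND_SERVICE  # needed for :80/:443 as UID 65532 unless the node allows unprivileged ports
          # … unchanged: readOnlyRootFilesystem, runAsGroup, runAsNonRoot, runAsUser …
        args:
          - --api
          - --api.dashboard
          # --api.insecure removed: expose api@internal via an authenticated IngressRoute instead
          # … unchanged: entryPoints, providers, ping, accesslog, log …
```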