steffen/DockerComposeTemplates
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

packer and kubernetes changes

Browse Source
This commit is contained in:
Christian
2022-03-11 14:56:55 +01:00
parent e4fa5990f4
commit ebab652abf
55 changed files with 538 additions and 13 deletions
Download Patch File Download Diff File Expand all files Collapse all files

32
kubernetes/certmanager/README.md
View File

@@ -1,32 +0,0 @@
# Installation
## Deployment
1. Add the Helm Repository & Update
```bash
helm repo add jetstack https://charts.jetstack.io
helm repo update
```
2. Install Cert-Manager with Helm & CRDs
```bash
helm install cert-manager jetstack/cert-manager --namespace cert-manager --create-namespace --set installCRDs=true
```
## Configuration
Add your Issuer or ClusterIssuer Objects, Credentails and Certificates.
*For more info visit:* [Official Cert-Manager Documentation](https://cert-manager.io/docs/)
# Best-Practices & Post-Installation
## Troubleshooting
You can troubleshoot issues and inspect log entries for the Certificate Objects with the `kubectl describe` command.
*For more info visit:* [Official Cert-Manager Troubleshooting Guide](https://cert-manager.io/docs/faq/troubleshooting/)
# Additional Referfences
[Official Cert-Manager Documentation](https://cert-manager.io/docs/)

516
kubernetes/certmanager/default-values.yml
View File

@@ -1,516 +0,0 @@
# Default values for cert-manager.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.
global:
## Reference to one or more secrets to be used when pulling images
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
##
imagePullSecrets: []
# - name: "image-pull-secret"
# Optional priority class to be used for the cert-manager pods
priorityClassName: ""
rbac:
create: true
podSecurityPolicy:
enabled: false
useAppArmor: true
# Set the verbosity of cert-manager. Range of 0 - 6 with 6 being the most verbose.
logLevel: 2
leaderElection:
# Override the namespace used to store the ConfigMap for leader election
namespace: "kube-system"
# The duration that non-leader candidates will wait after observing a
# leadership renewal until attempting to acquire leadership of a led but
# unrenewed leader slot. This is effectively the maximum duration that a
# leader can be stopped before it is replaced by another candidate.
# leaseDuration: 60s
# The interval between attempts by the acting master to renew a leadership
# slot before it stops leading. This must be less than or equal to the
# lease duration.
# renewDeadline: 40s
# The duration the clients should wait between attempting acquisition and
# renewal of a leadership.
# retryPeriod: 15s
installCRDs: false
replicaCount: 1
strategy: {}
# type: RollingUpdate
# rollingUpdate:
# maxSurge: 0
# maxUnavailable: 1
# Comma separated list of feature gates that should be enabled on the
# controller pod.
featureGates: ""
image:
repository: quay.io/jetstack/cert-manager-controller
# You can manage a registry with
# registry: quay.io
# repository: jetstack/cert-manager-controller
# Override the image tag to deploy by setting this variable.
# If no value is set, the chart's appVersion will be used.
# tag: canary
# Setting a digest will override any tag
# digest: sha256:0e072dddd1f7f8fc8909a2ca6f65e76c5f0d2fcfb8be47935ae3457e8bbceb20
pullPolicy: IfNotPresent
# Override the namespace used to store DNS provider credentials etc. for ClusterIssuer
# resources. By default, the same namespace as cert-manager is deployed within is
# used. This namespace will not be automatically created by the Helm chart.
clusterResourceNamespace: ""
serviceAccount:
# Specifies whether a service account should be created
create: true
# The name of the service account to use.
# If not set and create is true, a name is generated using the fullname template
# name: ""
# Optional additional annotations to add to the controller's ServiceAccount
# annotations: {}
# Automount API credentials for a Service Account.
automountServiceAccountToken: true
# Additional command line flags to pass to cert-manager controller binary.
# To see all available flags run docker run quay.io/jetstack/cert-manager-controller:<version> --help
extraArgs: []
# When this flag is enabled, secrets will be automatically removed when the certificate resource is deleted
# - --enable-certificate-owner-ref=true
# Use this flag to enabled or disable arbitrary controllers, for example, disable the CertificiateRequests approver
# - --controllers=*,-certificaterequests-approver
extraEnv: []
# - name: SOME_VAR
# value: 'some value'
resources: {}
# requests:
# cpu: 10m
# memory: 32Mi
# Pod Security Context
# ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
securityContext:
runAsNonRoot: true
# legacy securityContext parameter format: if enabled is set to true, only fsGroup and runAsUser are supported
# securityContext:
# enabled: false
# fsGroup: 1001
# runAsUser: 1001
# to support additional securityContext parameters, omit the `enabled` parameter and simply specify the parameters
# you want to set, e.g.
# securityContext:
# fsGroup: 1000
# runAsUser: 1000
# runAsNonRoot: true
# Container Security Context to be set on the controller component container
# ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
containerSecurityContext: {}
# capabilities:
# drop:
# - ALL
# readOnlyRootFilesystem: true
# runAsNonRoot: true
volumes: []
volumeMounts: []
# Optional additional annotations to add to the controller Deployment
# deploymentAnnotations: {}
# Optional additional annotations to add to the controller Pods
# podAnnotations: {}
podLabels: {}
# Optional annotations to add to the controller Service
# serviceAnnotations: {}
# Optional additional labels to add to the controller Service
# serviceLabels: {}
# Optional DNS settings, useful if you have a public and private DNS zone for
# the same domain on Route 53. What follows is an example of ensuring
# cert-manager can access an ingress or DNS TXT records at all times.
# NOTE: This requires Kubernetes 1.10 or `CustomPodDNS` feature gate enabled for
# the cluster to work.
# podDnsPolicy: "None"
# podDnsConfig:
# nameservers:
# - "1.1.1.1"
# - "8.8.8.8"
nodeSelector: {}
ingressShim: {}
# defaultIssuerName: ""
# defaultIssuerKind: ""
# defaultIssuerGroup: ""
prometheus:
enabled: true
servicemonitor:
enabled: false
prometheusInstance: default
targetPort: 9402
path: /metrics
interval: 60s
scrapeTimeout: 30s
labels: {}
honorLabels: false
# Use these variables to configure the HTTP_PROXY environment variables
# http_proxy: "http://proxy:8080"
# https_proxy: "https://proxy:8080"
# no_proxy: 127.0.0.1,localhost
# expects input structure as per specification https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.11/#affinity-v1-core
# for example:
# affinity:
# nodeAffinity:
# requiredDuringSchedulingIgnoredDuringExecution:
# nodeSelectorTerms:
# - matchExpressions:
# - key: foo.bar.com/role
# operator: In
# values:
# - master
affinity: {}
# expects input structure as per specification https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.11/#toleration-v1-core
# for example:
# tolerations:
# - key: foo.bar.com/role
# operator: Equal
# value: master
# effect: NoSchedule
tolerations: []
webhook:
replicaCount: 1
timeoutSeconds: 10
# Used to configure options for the webhook pod.
# This allows setting options that'd usually be provided via flags.
# An APIVersion and Kind must be specified in your values.yaml file.
# Flags will override options that are set here.
config:
# apiVersion: webhook.config.cert-manager.io/v1alpha1
# kind: WebhookConfiguration
# The port that the webhook should listen on for requests.
# In GKE private clusters, by default kubernetes apiservers are allowed to
# talk to the cluster nodes only on 443 and 10250. so configuring
# securePort: 10250, will work out of the box without needing to add firewall
# rules or requiring NET_BIND_SERVICE capabilities to bind port numbers <1000.
# This should be uncommented and set as a default by the chart once we graduate
# the apiVersion of WebhookConfiguration past v1alpha1.
# securePort: 10250
strategy: {}
# type: RollingUpdate
# rollingUpdate:
# maxSurge: 0
# maxUnavailable: 1
# Pod Security Context to be set on the webhook component Pod
# ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
securityContext:
runAsNonRoot: true
# Container Security Context to be set on the webhook component container
# ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
containerSecurityContext: {}
# capabilities:
# drop:
# - ALL
# readOnlyRootFilesystem: true
# runAsNonRoot: true
# Optional additional annotations to add to the webhook Deployment
# deploymentAnnotations: {}
# Optional additional annotations to add to the webhook Pods
# podAnnotations: {}
# Optional additional annotations to add to the webhook Service
# serviceAnnotations: {}
# Optional additional annotations to add to the webhook MutatingWebhookConfiguration
# mutatingWebhookConfigurationAnnotations: {}
# Optional additional annotations to add to the webhook ValidatingWebhookConfiguration
# validatingWebhookConfigurationAnnotations: {}
# Additional command line flags to pass to cert-manager webhook binary.
# To see all available flags run docker run quay.io/jetstack/cert-manager-webhook:<version> --help
extraArgs: []
# Path to a file containing a WebhookConfiguration object used to configure the webhook
# - --config=<path-to-config-file>
resources: {}
# requests:
# cpu: 10m
# memory: 32Mi
## Liveness and readiness probe values
## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes
##
livenessProbe:
failureThreshold: 3
initialDelaySeconds: 60
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 1
readinessProbe:
failureThreshold: 3
initialDelaySeconds: 5
periodSeconds: 5
successThreshold: 1
timeoutSeconds: 1
nodeSelector: {}
affinity: {}
tolerations: []
# Optional additional labels to add to the Webhook Pods
podLabels: {}
# Optional additional labels to add to the Webhook Service
serviceLabels: {}
image:
repository: quay.io/jetstack/cert-manager-webhook
# You can manage a registry with
# registry: quay.io
# repository: jetstack/cert-manager-webhook
# Override the image tag to deploy by setting this variable.
# If no value is set, the chart's appVersion will be used.
# tag: canary
# Setting a digest will override any tag
# digest: sha256:0e072dddd1f7f8fc8909a2ca6f65e76c5f0d2fcfb8be47935ae3457e8bbceb20
pullPolicy: IfNotPresent
serviceAccount:
# Specifies whether a service account should be created
create: true
# The name of the service account to use.
# If not set and create is true, a name is generated using the fullname template
# name: ""
# Optional additional annotations to add to the controller's ServiceAccount
# annotations: {}
# Automount API credentials for a Service Account.
automountServiceAccountToken: true
# The port that the webhook should listen on for requests.
# In GKE private clusters, by default kubernetes apiservers are allowed to
# talk to the cluster nodes only on 443 and 10250. so configuring
# securePort: 10250, will work out of the box without needing to add firewall
# rules or requiring NET_BIND_SERVICE capabilities to bind port numbers <1000
securePort: 10250
# Specifies if the webhook should be started in hostNetwork mode.
#
# Required for use in some managed kubernetes clusters (such as AWS EKS) with custom
# CNI (such as calico), because control-plane managed by AWS cannot communicate
# with pods' IP CIDR and admission webhooks are not working
#
# Since the default port for the webhook conflicts with kubelet on the host
# network, `webhook.securePort` should be changed to an available port if
# running in hostNetwork mode.
hostNetwork: false
# Specifies how the service should be handled. Useful if you want to expose the
# webhook to outside of the cluster. In some cases, the control plane cannot
# reach internal services.
serviceType: ClusterIP
# loadBalancerIP:
# Overrides the mutating webhook and validating webhook so they reach the webhook
# service using the `url` field instead of a service.
url: {}
# host:
cainjector:
enabled: true
replicaCount: 1
strategy: {}
# type: RollingUpdate
# rollingUpdate:
# maxSurge: 0
# maxUnavailable: 1
# Pod Security Context to be set on the cainjector component Pod
# ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
securityContext:
runAsNonRoot: true
# Container Security Context to be set on the cainjector component container
# ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
containerSecurityContext: {}
# capabilities:
# drop:
# - ALL
# readOnlyRootFilesystem: true
# runAsNonRoot: true
# Optional additional annotations to add to the cainjector Deployment
# deploymentAnnotations: {}
# Optional additional annotations to add to the cainjector Pods
# podAnnotations: {}
# Additional command line flags to pass to cert-manager cainjector binary.
# To see all available flags run docker run quay.io/jetstack/cert-manager-cainjector:<version> --help
extraArgs: []
# Enable profiling for cainjector
# - --enable-profiling=true
resources: {}
# requests:
# cpu: 10m
# memory: 32Mi
nodeSelector: {}
affinity: {}
tolerations: []
# Optional additional labels to add to the CA Injector Pods
podLabels: {}
image:
repository: quay.io/jetstack/cert-manager-cainjector
# You can manage a registry with
# registry: quay.io
# repository: jetstack/cert-manager-cainjector
# Override the image tag to deploy by setting this variable.
# If no value is set, the chart's appVersion will be used.
# tag: canary
# Setting a digest will override any tag
# digest: sha256:0e072dddd1f7f8fc8909a2ca6f65e76c5f0d2fcfb8be47935ae3457e8bbceb20
pullPolicy: IfNotPresent
serviceAccount:
# Specifies whether a service account should be created
create: true
# The name of the service account to use.
# If not set and create is true, a name is generated using the fullname template
# name: ""
# Optional additional annotations to add to the controller's ServiceAccount
# annotations: {}
# Automount API credentials for a Service Account.
automountServiceAccountToken: true
# This startupapicheck is a Helm post-install hook that waits for the webhook
# endpoints to become available.
# The check is implemented using a Kubernetes Job- if you are injecting mesh
# sidecar proxies into cert-manager pods, you probably want to ensure that they
# are not injected into this Job's pod. Otherwise the installation may time out
# due to the Job never being completed because the sidecar proxy does not exit.
# See https://github.com/jetstack/cert-manager/pull/4414 for context.
startupapicheck:
enabled: true
# Pod Security Context to be set on the startupapicheck component Pod
# ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
securityContext:
runAsNonRoot: true
# Timeout for 'kubectl check api' command
timeout: 1m
# Job backoffLimit
backoffLimit: 4
# Optional additional annotations to add to the startupapicheck Job
jobAnnotations:
helm.sh/hook: post-install
helm.sh/hook-weight: "1"
helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
# Optional additional annotations to add to the startupapicheck Pods
# podAnnotations: {}
# Additional command line flags to pass to startupapicheck binary.
# To see all available flags run docker run quay.io/jetstack/cert-manager-ctl:<version> --help
extraArgs: []
resources: {}
# requests:
# cpu: 10m
# memory: 32Mi
nodeSelector: {}
affinity: {}
tolerations: []
# Optional additional labels to add to the startupapicheck Pods
podLabels: {}
image:
repository: quay.io/jetstack/cert-manager-ctl
# You can manage a registry with
# registry: quay.io
# repository: jetstack/cert-manager-ctl
# Override the image tag to deploy by setting this variable.
# If no value is set, the chart's appVersion will be used.
# tag: canary
# Setting a digest will override any tag
# digest: sha256:0e072dddd1f7f8fc8909a2ca6f65e76c5f0d2fcfb8be47935ae3457e8bbceb20
pullPolicy: IfNotPresent
rbac:
# annotations for the startup API Check job RBAC and PSP resources
annotations:
helm.sh/hook: post-install
helm.sh/hook-weight: "-5"
helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
serviceAccount:
# Specifies whether a service account should be created
create: true
# The name of the service account to use.
# If not set and create is true, a name is generated using the fullname template
# name: ""
# Optional additional annotations to add to the Job's ServiceAccount
annotations:
helm.sh/hook: post-install
helm.sh/hook-weight: "-5"
helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
# Automount API credentials for a Service Account.
automountServiceAccountToken: true

52
kubernetes/certmanager/templates/clusterissuer-acme.yml
View File

@@ -1,52 +0,0 @@
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: acme-issuer
# (Optional) Metadata
# ---
# namespace: your-namespace
spec:
acme:
# Configure your email here...
# ---
# email: your-email@address
# Configure your server here...
# ---
# Letsencrypt Production
# server: https://acme-v02.api.letsencrypt.org/directory
# - or -
# Letsencrypt Staging
# server: https://acme-staging-v02.api.letsencrypt.org/directory
privateKeySecretRef:
name: example-issuer-account-key
solvers:
# Configure DNS or HTTP Challenge here...
# ---
# DNS Challenge:
# - dns01:
# Configure your DNS Provider here...
# ---
# cloudflare:
# email: your-email@address
# API Key:
# apiKeySecretRef:
# name: cloudflare-api-key-secret
# key: api-key
# - or -
# API Token:
# apiTokenSecretRef:
# name: cloudflare-api-token-secret
# key: api-token
# (Optional) Add DNS selectors
# ---
# selector:
# dnsNames:
# - 'your-domain'
# - '*.your-domain'
# HTTP Challenge:
# - http01:
# ingress:
# class: traefik

9
kubernetes/certmanager/templates/clusterissuer-selfsigned.yml
View File

@@ -1,9 +0,0 @@
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: selfsigned-issuer
# (Optional) Metadata
# ---
# namespace: your-namespace
spec:
selfSigned: {}

52
kubernetes/certmanager/templates/issuer-acme.yml
View File

@@ -1,52 +0,0 @@
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
name: acme-issuer
# (Optional) Metadata
# ---
# namespace: your-namespace
spec:
acme:
# Configure your email here...
# ---
# email: your-email@address
# Configure your server here...
# ---
# Letsencrypt Production
# server: https://acme-v02.api.letsencrypt.org/directory
# - or -
# Letsencrypt Staging
# server: https://acme-staging-v02.api.letsencrypt.org/directory
privateKeySecretRef:
name: example-issuer-account-key
solvers:
# Configure DNS or HTTP Challenge here...
# ---
# DNS Challenge:
# - dns01:
# Configure your DNS Provider here...
# ---
# cloudflare:
# email: your-email@address
# API Key:
# apiKeySecretRef:
# name: cloudflare-api-key-secret
# key: api-key
# - or -
# API Token:
# apiTokenSecretRef:
# name: cloudflare-api-token-secret
# key: api-token
# (Optional) Add DNS selectors
# ---
# selector:
# dnsNames:
# - 'your-domain'
# - '*.your-domain'
# HTTP Challenge:
# - http01:
# ingress:
# class: traefik

9
kubernetes/certmanager/templates/issuer-selfsigned.yml
View File

@@ -1,9 +0,0 @@
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
name: selfsigned-issuer
# (Optional) Metadata
# ---
# namespace: your-namespace
spec:
selfSigned: {}

14
kubernetes/certmanager/templates/secret-cloudflare.yml
View File

@@ -1,14 +0,0 @@
apiVersion: v1
kind: Secret
metadata:
name: cloudflare-api-key-secret
namespace: cert-manager
type: Opaque
stringData:
# Configure your API Key or Credentials here...
# ---
# API Key:
# api-key: your-api-key
# - or -
# Token:
# api-token: your-api-token

0
kubernetes/portainer/README.md
View File

17
kubernetes/portainer/templates/portainer-ingress.yml
View File

@@ -1,17 +0,0 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: nginx
namespace: wp-clcreative
spec:
rules:
- host: portainer.your-domain.com
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: portainer
port:
number: 9000

0
kubernetes/portainer/values.yml
View File

0
kubernetes/templates/certificate.yaml
View File

33
kubernetes/templates/cm-and-secrets/mysql-deploy.yml
View File

@@ -1,33 +0,0 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: mysql
spec:
replicas: 1
selector:
matchLabels:
app: mysql
template:
metadata:
labels:
app: mysql
spec:
containers:
- image: mysql:5.6
name: mysql
env:
- name: MYSQL_ROOT_PASSWORD
valueFrom:
secretKeyRef:
name: mysql-secret
key: root-pass
ports:
- name: mysql
containerPort: 3306
# volumeMounts:
# - name: mysql-vol
# mountPath: /var/lib/mysql
# volumes:
# - name: mysql-vol
# hostPath:
# path: /var/mysql-data

7
kubernetes/templates/cm-and-secrets/mysql-secret.yml
View File

@@ -1,7 +0,0 @@
apiVersion: v1
kind: Secret
metadata:
name: mysql-secret
type: Opaque
stringData:
root-pass: test123

28
kubernetes/templates/cm-and-secrets/nginx-http-cm.yml
View File

@@ -1,28 +0,0 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: nginx-http-cm
data:
# key: value
# file: |
# content
# ---
nginx.conf: |
user nginx;
worker_processes 1;
events {
worker_connections 10240;
}
http {
server {
listen 80;
server_name _;
location / {
root /usr/share/nginx/html;
index index.html index.htm;
}
location /test {
return 401;
}
}
}

32
kubernetes/templates/cm-and-secrets/nginx-http-deploy.yml
View File

@@ -1,32 +0,0 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: nginx-http
spec:
replicas: 1
selector:
matchLabels:
app: nginx-http
template:
metadata:
labels:
app: nginx-http
spec:
containers:
- name: nginx-http
image: nginx
ports:
- name: web
containerPort: 80
volumeMounts:
- name: nginx-http-cm
mountPath: /etc/nginx
- name: nginx-http-vol
mountPath: /usr/share/nginx/html
volumes:
- name: nginx-http-cm
configMap:
name: nginx-http-cm
- name: nginx-http-vol
hostPath:
path: /var/nginxserver

15
kubernetes/templates/cm-and-secrets/nginx-http-svc.yml
View File

@@ -1,15 +0,0 @@
apiVersion: v1
kind: Service
metadata:
name: nginx-http-svc
labels:
app: nginx-http
spec:
type: LoadBalancer
ports:
- port: 30080
targetPort: 80
protocol: TCP
name: http
selector:
app: nginx-http

27
kubernetes/templates/cm-and-secrets/nginx-https-cm.yml
View File

@@ -1,27 +0,0 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: nginx-https-cm
data:
nginx.conf: |
user nginx;
worker_processes 1;
events {
worker_connections 10240;
}
http {
server {
listen 80;
listen 443 ssl;
server_name _;
ssl_certificate /etc/nginx/ssl/server-cert.pem;
ssl_certificate_key /etc/nginx/ssl/server-key.pem;
location / {
root /usr/share/nginx/html;
index index.html index.htm;
}
}
}

68
kubernetes/templates/cm-and-secrets/nginx-https-deploy.yml
View File

@@ -1,68 +0,0 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: nginx-https
spec:
replicas: 1
selector:
matchLabels:
app: nginx-https
template:
metadata:
labels:
app: nginx-https
spec:
containers:
- name: nginx-https
image: nginx
ports:
- name: web
containerPort: 80
- name: secureweb
containerPort: 443
volumeMounts:
- name: nginx-https-cm
mountPath: /etc/nginx
- name: nginx-https-secret
mountPath: /etc/nginx/ssl
readOnly: true
- name: nginx-https-vol
mountPath: /usr/share/nginx/html
volumes:
- name: nginx-https-cm
configMap:
name: nginx-https-cm
- name: nginx-https-secret
secret:
secretName: nginx-https-secret
- name: nginx-https-vol
hostPath:
path: /var/nginxserver
---
apiVersion: v1
kind: ConfigMap
metadata:
name: nginx-https-cm
data:
nginx.conf: |
user nginx;
worker_processes 1;
events {
worker_connections 10240;
}
http {
server {
listen 80;
listen 443 ssl;
server_name _;
ssl_certificate /etc/nginx/ssl/server-cert.pem;
ssl_certificate_key /etc/nginx/ssl/server-key.pem;
location / {
root /usr/share/nginx/html;
index index.html index.htm;
}
}
}

12
kubernetes/templates/cm-and-secrets/nginx-https-secret-blank.yml
View File

@@ -1,12 +0,0 @@
apiVersion: v1
kind: Secret
metadata:
name: nginx-https-secret
type: Opaque
stringData:
server-cert.pem: |
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
server-key.pem: |

19
kubernetes/templates/cm-and-secrets/nginx-https-svc.yml
View File

@@ -1,19 +0,0 @@
apiVersion: v1
kind: Service
metadata:
name: nginx-https-svc
labels:
app: nginx-https
spec:
type: LoadBalancer
ports:
- port: 31080
targetPort: 80
protocol: TCP
name: http
- port: 31443
targetPort: 443
protocol: TCP
name: https
selector:
app: nginx-https

41
kubernetes/templates/deployment.yaml
View File

@@ -1,41 +0,0 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: appname # Name of the deployment
namespace: namespace # Name of the namespace
labels:
app: appname # Name of your application
spec:
selector:
matchLabels:
app: appname # Name of your application
replicas: 1 # Number of replicas
template:
metadata:
labels:
app: appname # Name of your application
spec:
containers:
# Containers are the individual pieces of your application that you want
# to run.
- name: helloworld # Name of the container
image: helloworld:latest # The image you want to run
# resources:
# limits:
# memory: 512Mi
# cpu: "1"
# requests:
# memory: 256Mi
# cpu: "0.2"
ports:
# Ports are the ports that your application uses.
- containerPort: 8080 # The port that your application uses
volumeMounts:
# VolumeMounts are the volumes that your application uses.
- mountPath: /var/www/html # The path that your application uses
name: vol0 # Name of the volume
volumes:
# Volumes are the persistent storage that your application uses.
- name: vol0 # Name of the volume
persistentVolumeClaim:
claimName: pvc0 # Name of the persistent volume claim

0
kubernetes/templates/ingress.yaml
View File

0
kubernetes/templates/ingressroute-http.yaml
View File

0
kubernetes/templates/ingressroute-https.yaml
View File

0
kubernetes/templates/ingressroute-redirectscheme.yaml
View File

29
kubernetes/templates/persistentvolumeclaim.yaml
View File

@@ -1,29 +0,0 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: pvc0
namespace: namespace
labels:
app: namespace
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 20Gi
# ---
# Digital Ocean
# storageClassName: do-block-storage
# ---
# AWS
# storageClassName: aws-ebs
# ---
# Azure
# storageClassName: azure-disk
# ---
# GCE PD
# storageClassName: gce-pd
# ---
# CIVO
# storageClassName: civo-volume
# ---

11
kubernetes/templates/pv-and-pvc/civo-pvc.yml
View File

@@ -1,11 +0,0 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: civo
spec:
accessModes:
- ReadWriteOnce
storageClassName: civo-volume
resources:
requests:
storage: 1Gi

27
kubernetes/templates/pv-and-pvc/civo-web.yml
View File

@@ -1,27 +0,0 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: civo-web
spec:
replicas: 1
selector:
matchLabels:
app: civo-web
template:
metadata:
labels:
app: civo-web
spec:
containers:
- name: civo-web
image: nginx
ports:
- name: web
containerPort: 80
volumeMounts:
- name: civo
mountPath: /usr/share/nginx/html
volumes:
- name: civo
persistentVolumeClaim:
claimName: civo

27
kubernetes/templates/pv-and-pvc/local-web.yml
View File

@@ -1,27 +0,0 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: local-web
spec:
replicas: 1
selector:
matchLabels:
app: local-web
template:
metadata:
labels:
app: local-web
spec:
containers:
- name: local-web
image: nginx
ports:
- name: web
containerPort: 80
volumeMounts:
- name: local
mountPath: /usr/share/nginx/html
volumes:
- name: local
hostPath:
path: /var/nginxserver

13
kubernetes/templates/pv-and-pvc/nfs-pv.yml
View File

@@ -1,13 +0,0 @@
apiVersion: v1
kind: PersistentVolume
metadata:
name: nfs
spec:
capacity:
storage: 500Mi
accessModes:
- ReadWriteMany
storageClassName: nfs
nfs:
server: 192.168.1.7
path: "/srv/nfs"

11
kubernetes/templates/pv-and-pvc/nfs-pvc.yml
View File

@@ -1,11 +0,0 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: nfs
spec:
accessModes:
- ReadWriteMany
storageClassName: nfs
resources:
requests:
storage: 100Mi

27
kubernetes/templates/pv-and-pvc/nfs-web.yml
View File

@@ -1,27 +0,0 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: nfs-web
spec:
replicas: 1
selector:
matchLabels:
app: nfs-web
template:
metadata:
labels:
app: nfs-web
spec:
containers:
- name: nfs-web
image: nginx
ports:
- name: web
containerPort: 80
volumeMounts:
- name: nfs
mountPath: /usr/share/nginx/html
volumes:
- name: nfs
persistentVolumeClaim:
claimName: nfs

32
kubernetes/templates/service.yaml
View File

@@ -1,32 +0,0 @@
apiVersion: v1
kind: Service
metadata:
name: servicename
namespace: namespace
spec:
selector:
app: appname
# ---
# type: ClusterIP
# ClusterIP means this service can be accessed by any pod in the cluster
# ports:
# - name: http
# port: 8080
# targetPort: 80
# protocol: TCP # optional protocol
# ---
# type: NodePort
# NodePort means this service is only accessible by pods in the same namespace
# ports:
# - name: http
# port: 80
# nodePort: 30001
# protocol: TCP # optional protocol
# ---
# type: LoadBalancer
# LoadBalancer means this service is load-balanced across all nodes in the cluster
# ports:
# - name: http
# port: 80
# targetPort: 30001
# protocol: TCP # optional protocol

5
kubernetes/traefik/README.md
View File

@@ -1,5 +0,0 @@
# Traefik Helm Deployment
This Deployment uses the official Helm Chart from traefik.io https://github.com/traefik/traefik-helm-chart.
These are templates to modify the deployment.

30
kubernetes/traefik/templates/ingress.yml
View File

@@ -1,30 +0,0 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: wp-clcreative
namespace: wp-clcreative
annotations:
# (Optional): Annotations for the Ingress Controller
# ---
# General:
# kubernetes.io/ingress.class: traefik
#
# TLS configuration:
# traefik.ingress.kubernetes.io/router.entrypoints: web, websecure
# traefik.ingress.kubernetes.io/router.tls: "true"
#
# Middleware:
# traefik.ingress.kubernetes.io/router.middlewares:your-middleware@kubernetescrd
spec:
rules:
- host: "your-hostname.com" # Your hostname
http:
paths:
# Path-based routing settings:
- path: /
pathType: Prefix
backend:
service:
name: your-service-name # The name of the service
port:
number: 80 # Service Portnumber

96
kubernetes/traefik/values.yml
View File

@@ -1,96 +0,0 @@
additionalArguments:
# Configure your CertificateResolver here...
#
# HTTP Challenge
# ---
# Generic Example:
# - --certificatesresolvers.generic.acme.email=your-email@example.com
# - --certificatesresolvers.generic.acme.caServer=https://acme-v02.api.letsencrypt.org/directory
# - --certificatesresolvers.generic.acme.httpChallenge.entryPoint=web
# - --certificatesresolvers.generic.acme.storage=/ssl-certs/acme-generic.json
#
# Prod / Staging Example:
# - --certificatesresolvers.staging.acme.email=your-email@example.com
# - --certificatesresolvers.staging.acme.caServer=https://acme-staging-v02.api.letsencrypt.org/directory
# - --certificatesresolvers.staging.acme.httpChallenge.entryPoint=web
# - --certificatesresolvers.staging.acme.storage=/ssl-certs/acme-staging.json
# - --certificatesresolvers.production.acme.email=your-email@example.com
# - --certificatesresolvers.production.acme.caServer=https://acme-v02.api.letsencrypt.org/directory
# - --certificatesresolvers.production.acme.httpChallenge.entryPoint=web
# - --certificatesresolvers.production.acme.storage=/ssl-certs/acme-production.json
#
# DNS Challenge
# ---
# Cloudflare Example:
# - --certificatesresolvers.cloudflare.acme.dnschallenge.provider=cloudflare
# - --certificatesresolvers.cloudflare.acme.email=your-email@example.com
# - --certificatesresolvers.cloudflare.acme.dnschallenge.resolvers=1.1.1.1
# - --certificatesresolvers.cloudflare.acme.storage=/ssl-certs/acme-cloudflare.json
#
# Generic (replace with your DNS provider):
# - --certificatesresolvers.generic.acme.dnschallenge.provider=generic
# - --certificatesresolvers.generic.acme.email=your-email@example.com
# - --certificatesresolvers.generic.acme.storage=/ssl-certs/acme-generic.json
logs:
# Configure log settings here...
general:
level: ERROR
ports:
# Configure your entrypoints here...
web:
# (optional) Permanent Redirect to HTTPS
# redirectTo: websecure
websecure:
tls:
enabled: true
# (optional) Set a Default CertResolver
# certResolver: cloudflare
env:
# Set your environment variables here...
#
# DNS Challenge Credentials
# ---
# Cloudflare Example:
# - name: CF_API_EMAIL
# valueFrom:
# secretKeyRef:
# key: email
# name: cloudflare-credentials
# - name: CF_API_KEY
# valueFrom:
# secretKeyRef:
# key: apiKey
# name: cloudflare-credentials
# Disable Dashboard
ingressRoute:
dashboard:
enabled: false
# Persistent Storage
persistence:
enabled: true
name: ssl-certs
size: 1Gi
path: /ssl-certs
deployment:
initContainers:
# The "volume-permissions" init container is required if you run into permission issues.
# Related issue: https://github.com/containous/traefik/issues/6972
- name: volume-permissions
image: busybox:1.31.1
command: ["sh", "-c", "chmod -Rv 600 /ssl-certs/*"]
volumeMounts:
- name: ssl-certs
mountPath: /ssl-certs
# Set Traefik as your default Ingress Controller, according to Kubernetes 1.19+ changes.
ingressClass:
enabled: true
isDefaultClass: true