├── README.md
├── argocd
├── argo-ingress.yaml
├── argo-storage.yaml
├── install.yaml
└── install.yaml.bak
├── gitlab
├── gitlab-deploy.yaml
├── gitlab-postgresql.yaml
├── gitlab-redis.yaml
└── gitlab-storage.yaml
├── ingress
├── nginx
│ └── ingress-nginx.yaml
└── traefik
│ ├── .helmignore
│ ├── Chart.yaml
│ ├── Guidelines.md
│ ├── LICENSE
│ ├── README.md
│ ├── crds
│ ├── ingressroute.yaml
│ ├── ingressroutetcp.yaml
│ ├── ingressrouteudp.yaml
│ ├── middlewares.yaml
│ ├── tlsoptions.yaml
│ ├── tlsstores.yaml
│ └── traefikservices.yaml
│ ├── templates
│ ├── _helpers.tpl
│ ├── dashboard-hook-ingressroute.yaml
│ ├── deployment.yaml
│ ├── hpa.yaml
│ ├── ingressclass.yaml
│ ├── poddisruptionbudget.yaml
│ ├── pvc.yaml
│ ├── rbac
│ │ ├── clusterrole.yaml
│ │ ├── clusterrolebinding.yaml
│ │ ├── podsecuritypolicy.yaml
│ │ ├── role.yaml
│ │ ├── rolebinding.yaml
│ │ └── serviceaccount.yaml
│ ├── service.yaml
│ └── tlsoption.yaml
│ └── values.yaml
├── jenkins
├── jenkins-deploy.yaml
├── jenkins-maven-cache.yaml
├── jenkins-rbac.yaml
└── jenkins-storage.yaml
├── nfs
├── nfs-client.yaml
└── nfs-storage.yaml
└── sonarqube
├── sonarqube-deploy.yaml
├── sonarqube-postgresql-deploy.yaml
└── sonarqube-storage.yaml
/README.md:
--------------------------------------------------------------------------------
1 | # kubernetes-software-yaml
2 | 在kubernetes中安装软件的Yaml清单
3 |
--------------------------------------------------------------------------------
/argocd/argo-ingress.yaml:
--------------------------------------------------------------------------------
# Traefik IngressRoute for the Argo CD API server in namespace `devops`.
#
# The commented-out document below is the plain-HTTP (`web` entry point)
# variant kept by the author; the live document after `---` serves the
# `websecure` entry point only.
#apiVersion: traefik.containo.us/v1alpha1
#kind: IngressRoute
#metadata:
#  name: argocd-server
#  namespace: devops
#spec:
#  entryPoints:
#    - web
#  routes:
#    - match: Host(`argo-test.xxxx.cn`)
#      kind: Rule
#      services:
#        - name: argocd-server
#          port: 80
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: argocd-server
  namespace: devops
spec:
  entryPoints:
    - websecure
  routes:
    # Generic HTTP route for the web UI. The host is a placeholder (`xxxx`).
    - kind: Rule
      match: Host(`argo-test.xxxx.cn`)
      priority: 10
      services:
        - name: argocd-server
          port: 80
    # gRPC traffic (argocd CLI) is distinguished by its Content-Type and gets
    # the higher priority so it wins over the generic Host rule above.
    - kind: Rule
      match: Host(`argo-test.xxxx.cn`) && Headers(`Content-Type`, `application/grpc`)
      priority: 11
      services:
        - name: argocd-server
          port: 80
          # h2c = cleartext HTTP/2 between Traefik and the backend; this
          # presumably requires argocd-server to run with TLS disabled —
          # confirm against argocd/install.yaml.
          scheme: h2c
  tls:
    # TLS terminates at Traefik; the certificate comes from the Traefik
    # certificate resolver named `default`, which must exist in Traefik's
    # static configuration.
    certResolver: default
    options: {}
--------------------------------------------------------------------------------
/argocd/argo-storage.yaml:
--------------------------------------------------------------------------------
# PersistentVolumeClaims for the Argo CD components in namespace `devops`.
# All three bind through the `nfs-client-storageclass` StorageClass (see
# nfs/nfs-storage.yaml) with ReadWriteMany, 1Gi each.
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: argocd-server-pvc
  namespace: devops
spec:
  storageClassName: nfs-client-storageclass
  accessModes:
    - ReadWriteMany
  resources:
    requests:
      storage: 1Gi
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: argocd-repo-server-pvc
  namespace: devops
spec:
  storageClassName: nfs-client-storageclass
  accessModes:
    - ReadWriteMany
  resources:
    requests:
      storage: 1Gi
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: argocd-application-controller-pvc
  namespace: devops
spec:
  storageClassName: nfs-client-storageclass
  accessModes:
    - ReadWriteMany
  resources:
    requests:
      storage: 1Gi
--------------------------------------------------------------------------------
/gitlab/gitlab-deploy.yaml:
--------------------------------------------------------------------------------
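# GitLab (sameersbn/gitlab image) in namespace `devops`: Deployment, NodePort
# Service and a Traefik IngressRoute.
#
# NOTE(review): every credential in this file is a plain `value:` committed
# to the repository (GITLAB_SECRETS_*_KEY_BASE, GITLAB_ROOT_PASSWORD,
# DB_PASS). They should live in a Secret and be referenced with
# `valueFrom.secretKeyRef`; the three *_KEY_BASE values are still the image's
# documentation placeholder text, not generated keys.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: gitlab
  namespace: devops
  labels:
    name: gitlab
spec:
  selector:
    matchLabels:
      name: gitlab
  template:
    metadata:
      name: gitlab
      labels:
        name: gitlab
    spec:
      containers:
        - name: gitlab
          image: sameersbn/gitlab:11.8.1
          imagePullPolicy: IfNotPresent
          env:
            - name: TZ
              value: Asia/Shanghai
            - name: GITLAB_TIMEZONE
              value: Beijing
            # NOTE(review): placeholder strings, not real keys — replace with
            # random values sourced from a Secret before first start.
            - name: GITLAB_SECRETS_DB_KEY_BASE
              value: long-and-random-alpha-numeric-string
            - name: GITLAB_SECRETS_SECRET_KEY_BASE
              value: long-and-random-alpha-numeric-string
            - name: GITLAB_SECRETS_OTP_KEY_BASE
              value: long-and-random-alpha-numeric-string
            # NOTE(review): initial root password in clear text; move to a Secret.
            - name: GITLAB_ROOT_PASSWORD
              value: admin@123456
            - name: GITLAB_ROOT_EMAIL
              value: coolops@163.com
            # Presumably the externally reachable host/ports GitLab advertises;
            # they should agree with the Service nodePorts and the IngressRoute
            # host below (which currently matches gitlab-test.xxxx.cn instead).
            - name: GITLAB_HOST
              value: gitlab-test.coolops.cn
            - name: GITLAB_PORT
              value: "32080"
            - name: GITLAB_SSH_PORT
              value: "30022"
            - name: GITLAB_NOTIFY_ON_BROKEN_BUILDS
              value: "true"
            - name: GITLAB_NOTIFY_PUSHER
              value: "false"
            - name: GITLAB_BACKUP_SCHEDULE
              value: daily
            # Quoted: YAML 1.1 parsers read an unquoted 01:00 as the sexagesimal
            # integer 60, and env values must be strings.
            - name: GITLAB_BACKUP_TIME
              value: "01:00"
            # Database and cache endpoints are the Services defined in
            # gitlab-postgresql.yaml and gitlab-redis.yaml (same namespace).
            - name: DB_TYPE
              value: postgres
            - name: DB_HOST
              value: postgresql
            - name: DB_PORT
              value: "5432"
            - name: DB_USER
              value: gitlab
            # NOTE(review): duplicated in gitlab-postgresql.yaml; both copies
            # should come from one Secret so they cannot drift apart.
            - name: DB_PASS
              value: passw0rd
            - name: DB_NAME
              value: gitlab_production
            - name: REDIS_HOST
              value: redis
            - name: REDIS_PORT
              value: "6379"
          ports:
            - name: http
              containerPort: 80
            - name: ssh
              containerPort: 22
          volumeMounts:
            - mountPath: /home/git/data
              name: data
          # Liveness waits 180s before the first check so a slow first boot
          # is not mistaken for a hung container.
          livenessProbe:
            httpGet:
              path: /
              port: 80
            initialDelaySeconds: 180
            timeoutSeconds: 5
          readinessProbe:
            httpGet:
              path: /
              port: 80
            initialDelaySeconds: 5
            timeoutSeconds: 1
      volumes:
        - name: data
          persistentVolumeClaim:
            claimName: gitlab-pvc  # defined in gitlab-storage.yaml

---
apiVersion: v1
kind: Service
metadata:
  name: gitlab
  namespace: devops
  labels:
    name: gitlab
spec:
  type: NodePort
  ports:
    - name: http
      port: 80
      targetPort: http
      # Pinned to the port GITLAB_PORT advertises. It was previously unset,
      # so the cluster picked a random NodePort that GITLAB_PORT did not match.
      nodePort: 32080
    - name: ssh
      port: 22
      targetPort: ssh
      nodePort: 30022  # matches GITLAB_SSH_PORT
  selector:
    name: gitlab

---
# Plain-HTTP (`web` entry point) route in front of the Service above.
# Renamed from `argocd-server`: that name is already used by the Argo CD
# IngressRoute in argocd/argo-ingress.yaml in the same namespace, so applying
# both files made the second one silently replace the first.
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: gitlab
  namespace: devops
spec:
  entryPoints:
    - web
  routes:
    # NOTE(review): host differs from GITLAB_HOST (gitlab-test.coolops.cn);
    # one of the two is a leftover placeholder.
    - match: Host(`gitlab-test.xxxx.cn`)
      kind: Rule
      services:
        - name: gitlab
          port: 80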
--------------------------------------------------------------------------------
/gitlab/gitlab-postgresql.yaml:
--------------------------------------------------------------------------------
# PostgreSQL backing store for GitLab (namespace `devops`): Deployment plus a
# ClusterIP Service named `postgresql`, which gitlab-deploy.yaml uses as DB_HOST.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: postgresql
  namespace: devops
  labels:
    name: postgresql
spec:
  selector:
    matchLabels:
      name: postgresql
  template:
    metadata:
      name: postgresql
      labels:
        name: postgresql
    spec:
      containers:
        - name: postgresql
          image: sameersbn/postgresql:10
          imagePullPolicy: IfNotPresent
          env:
            # DB_USER/DB_PASS/DB_NAME must equal the values in gitlab-deploy.yaml.
            - name: DB_USER
              value: gitlab
            # NOTE(review): clear-text password committed to the repo; source it
            # from a Secret via valueFrom.secretKeyRef, shared with the GitLab
            # Deployment.
            - name: DB_PASS
              value: passw0rd
            - name: DB_NAME
              value: gitlab_production
            - name: DB_EXTENSION
              value: pg_trgm
          ports:
            - name: postgres
              containerPort: 5432
          volumeMounts:
            - mountPath: /var/lib/postgresql
              name: data
          # Both probes run pg_isready against localhost as the `postgres` user.
          livenessProbe:
            exec:
              command:
                - pg_isready
                - -h
                - localhost
                - -U
                - postgres
            initialDelaySeconds: 30
            timeoutSeconds: 5
          readinessProbe:
            exec:
              command:
                - pg_isready
                - -h
                - localhost
                - -U
                - postgres
            initialDelaySeconds: 5
            timeoutSeconds: 1
      volumes:
        - name: data
          persistentVolumeClaim:
            claimName: gitlab-postgresql-pvc  # defined in gitlab-storage.yaml

---
# Cluster-internal only (no `type`, so ClusterIP by default).
apiVersion: v1
kind: Service
metadata:
  name: postgresql
  namespace: devops
  labels:
    name: postgresql
spec:
  ports:
    - name: postgres
      port: 5432
      targetPort: postgres
  selector:
    name: postgresql
--------------------------------------------------------------------------------
/gitlab/gitlab-redis.yaml:
--------------------------------------------------------------------------------
# Redis for GitLab (namespace `devops`): Deployment plus a ClusterIP Service
# named `redis`, which gitlab-deploy.yaml uses as REDIS_HOST.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: redis
  namespace: devops
  labels:
    name: redis
spec:
  selector:
    matchLabels:
      name: redis
  template:
    metadata:
      name: redis
      labels:
        name: redis
    spec:
      containers:
        - name: redis
          # NOTE(review): no tag, so this floats on `latest`; pin a tag (or a
          # digest) so the image cannot change underneath a redeploy.
          image: sameersbn/redis
          imagePullPolicy: IfNotPresent
          ports:
            - name: redis
              containerPort: 6379
          volumeMounts:
            - mountPath: /var/lib/redis
              name: data
          # Both probes expect `redis-cli ping` to succeed inside the container.
          livenessProbe:
            exec:
              command:
                - redis-cli
                - ping
            initialDelaySeconds: 30
            timeoutSeconds: 5
          readinessProbe:
            exec:
              command:
                - redis-cli
                - ping
            initialDelaySeconds: 5
            timeoutSeconds: 1
      volumes:
        - name: data
          persistentVolumeClaim:
            claimName: gitlab-redis-pvc  # defined in gitlab-storage.yaml

---
# Cluster-internal only (no `type`, so ClusterIP by default).
apiVersion: v1
kind: Service
metadata:
  name: redis
  namespace: devops
  labels:
    name: redis
spec:
  ports:
    - name: redis
      port: 6379
      targetPort: redis
  selector:
    name: redis
--------------------------------------------------------------------------------
/gitlab/gitlab-storage.yaml:
--------------------------------------------------------------------------------
# PersistentVolumeClaims for the GitLab stack in namespace `devops`, all on
# the `nfs-client-storageclass` StorageClass with ReadWriteMany.
# Claim names are referenced from gitlab-redis.yaml, gitlab-postgresql.yaml
# and gitlab-deploy.yaml respectively.
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: gitlab-redis-pvc
  namespace: devops
spec:
  storageClassName: nfs-client-storageclass
  accessModes:
    - ReadWriteMany
  resources:
    requests:
      storage: 1Gi
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: gitlab-postgresql-pvc
  namespace: devops
spec:
  storageClassName: nfs-client-storageclass
  accessModes:
    - ReadWriteMany
  resources:
    requests:
      storage: 5Gi
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: gitlab-pvc
  namespace: devops
spec:
  storageClassName: nfs-client-storageclass
  accessModes:
    - ReadWriteMany
  resources:
    requests:
      storage: 5Gi
--------------------------------------------------------------------------------
/ingress/nginx/ingress-nginx.yaml:
--------------------------------------------------------------------------------
# ingress-nginx controller 1.3.0 (labels app.kubernetes.io/version: 1.3.0).
# Appears to be the upstream deploy manifest with the images re-pointed at a
# third-party mirror registry and OpenELB annotations added to the controller
# Service.
#
# NOTE(review): both images are referenced by mutable tag only (no @sha256
# digest). With a third-party mirror the tag is the whole supply-chain trust
# point; pin by digest so a re-tagged image cannot be swapped in silently.
apiVersion: v1
kind: Namespace
metadata:
  labels:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
  name: ingress-nginx
---
# ServiceAccount for the controller pod; the token is mounted so the
# controller can watch Ingress/Service/Secret objects via the API.
apiVersion: v1
automountServiceAccountToken: true
kind: ServiceAccount
metadata:
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.3.0
  name: ingress-nginx
  namespace: ingress-nginx
---
# ServiceAccount for the two certgen Jobs at the end of the file.
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    app.kubernetes.io/component: admission-webhook
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.3.0
  name: ingress-nginx-admission
  namespace: ingress-nginx
---
# Namespace-scoped permissions for the controller. Write access is limited to
# ingresses/status, events, and the leader-election objects named
# `ingress-controller-leader` (matches the --election-id argument below).
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.3.0
  name: ingress-nginx
  namespace: ingress-nginx
rules:
  - apiGroups:
      - ""
    resources:
      - namespaces
    verbs:
      - get
  - apiGroups:
      - ""
    resources:
      - configmaps
      - pods
      - secrets
      - endpoints
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - ""
    resources:
      - services
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - networking.k8s.io
    resources:
      - ingresses
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - networking.k8s.io
    resources:
      - ingresses/status
    verbs:
      - update
  - apiGroups:
      - networking.k8s.io
    resources:
      - ingressclasses
    verbs:
      - get
      - list
      - watch
  # Leader election: get/update is restricted by resourceNames; `create` is
  # granted separately below because resourceNames cannot constrain creation.
  - apiGroups:
      - ""
    resourceNames:
      - ingress-controller-leader
    resources:
      - configmaps
    verbs:
      - get
      - update
  - apiGroups:
      - ""
    resources:
      - configmaps
    verbs:
      - create
  - apiGroups:
      - coordination.k8s.io
    resourceNames:
      - ingress-controller-leader
    resources:
      - leases
    verbs:
      - get
      - update
  - apiGroups:
      - coordination.k8s.io
    resources:
      - leases
    verbs:
      - create
  - apiGroups:
      - ""
    resources:
      - events
    verbs:
      - create
      - patch
---
# Lets the `create` Job write the webhook TLS secret in this namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  labels:
    app.kubernetes.io/component: admission-webhook
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.3.0
  name: ingress-nginx-admission
  namespace: ingress-nginx
rules:
  - apiGroups:
      - ""
    resources:
      - secrets
    verbs:
      - get
      - create
---
# Cluster-wide permissions for the controller. The first rule is the broadest
# grant in this file: list/watch on secrets in every namespace, which is what
# lets the controller pick up TLS secrets referenced by Ingresses anywhere.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.3.0
  name: ingress-nginx
rules:
  - apiGroups:
      - ""
    resources:
      - configmaps
      - endpoints
      - nodes
      - pods
      - secrets
      - namespaces
    verbs:
      - list
      - watch
  - apiGroups:
      - coordination.k8s.io
    resources:
      - leases
    verbs:
      - list
      - watch
  - apiGroups:
      - ""
    resources:
      - nodes
    verbs:
      - get
  - apiGroups:
      - ""
    resources:
      - services
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - networking.k8s.io
    resources:
      - ingresses
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - ""
    resources:
      - events
    verbs:
      - create
      - patch
  - apiGroups:
      - networking.k8s.io
    resources:
      - ingresses/status
    verbs:
      - update
  - apiGroups:
      - networking.k8s.io
    resources:
      - ingressclasses
    verbs:
      - get
      - list
      - watch
---
# Lets the `patch` Job inject the CA bundle into the webhook configuration.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    app.kubernetes.io/component: admission-webhook
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.3.0
  name: ingress-nginx-admission
rules:
  - apiGroups:
      - admissionregistration.k8s.io
    resources:
      - validatingwebhookconfigurations
    verbs:
      - get
      - update
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.3.0
  name: ingress-nginx
  namespace: ingress-nginx
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: ingress-nginx
subjects:
  - kind: ServiceAccount
    name: ingress-nginx
    namespace: ingress-nginx
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  labels:
    app.kubernetes.io/component: admission-webhook
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.3.0
  name: ingress-nginx-admission
  namespace: ingress-nginx
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: ingress-nginx-admission
subjects:
  - kind: ServiceAccount
    name: ingress-nginx-admission
    namespace: ingress-nginx
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  labels:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.3.0
  name: ingress-nginx
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ingress-nginx
subjects:
  - kind: ServiceAccount
    name: ingress-nginx
    namespace: ingress-nginx
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  labels:
    app.kubernetes.io/component: admission-webhook
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.3.0
  name: ingress-nginx-admission
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ingress-nginx-admission
subjects:
  - kind: ServiceAccount
    name: ingress-nginx-admission
    namespace: ingress-nginx
---
# Controller configuration ConfigMap (referenced by --configmap below).
apiVersion: v1
data:
  # NOTE(review): "true" lets anyone who can create an Ingress inject raw
  # nginx configuration through *-snippet annotations. In a cluster where
  # Ingress authors are not fully trusted, set this to "false" unless
  # snippets are actually needed.
  allow-snippet-annotations: "true"
kind: ConfigMap
metadata:
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.3.0
  name: ingress-nginx-controller
  namespace: ingress-nginx
---
# Public entry point. The annotations ask OpenELB to allocate a layer-2 IP
# from the pool named `eip-pool`; that pool must exist in the cluster.
apiVersion: v1
kind: Service
metadata:
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.3.0
  annotations:
    lb.kubesphere.io/v1alpha1: openelb
    protocol.openelb.kubesphere.io/v1alpha1: layer2
    eip.openelb.kubesphere.io/v1alpha2: eip-pool
  name: ingress-nginx-controller
  namespace: ingress-nginx
spec:
  # Local: traffic is delivered only on nodes running a controller pod, which
  # preserves the client source IP at the cost of cross-node balancing.
  externalTrafficPolicy: Local
  ports:
    - appProtocol: http
      name: http
      port: 80
      protocol: TCP
      targetPort: http
    - appProtocol: https
      name: https
      port: 443
      protocol: TCP
      targetPort: https
  selector:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
  type: LoadBalancer
---
# Internal Service the API server calls for admission; maps 443 to the
# controller's `webhook` container port (8443).
apiVersion: v1
kind: Service
metadata:
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.3.0
  name: ingress-nginx-controller-admission
  namespace: ingress-nginx
spec:
  ports:
    - appProtocol: https
      name: https-webhook
      port: 443
      targetPort: webhook
  selector:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
  type: ClusterIP
---
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.3.0
  name: ingress-nginx-controller
  namespace: ingress-nginx
spec:
  minReadySeconds: 0
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      app.kubernetes.io/component: controller
      app.kubernetes.io/instance: ingress-nginx
      app.kubernetes.io/name: ingress-nginx
  template:
    metadata:
      labels:
        app.kubernetes.io/component: controller
        app.kubernetes.io/instance: ingress-nginx
        app.kubernetes.io/name: ingress-nginx
    spec:
      containers:
        - args:
            - /nginx-ingress-controller
            - --publish-service=$(POD_NAMESPACE)/ingress-nginx-controller
            - --election-id=ingress-controller-leader
            - --controller-class=k8s.io/ingress-nginx
            - --ingress-class=nginx
            - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
            # Webhook listens on 8443 with the cert/key mounted from the
            # `ingress-nginx-admission` Secret created by the Job below.
            - --validating-webhook=:8443
            - --validating-webhook-certificate=/usr/local/certificates/cert
            - --validating-webhook-key=/usr/local/certificates/key
          env:
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            - name: LD_PRELOAD
              value: /usr/local/lib/libmimalloc.so
          # NOTE(review): tag-only reference to a mirror image; pin by digest.
          image: registry.cn-hangzhou.aliyuncs.com/rookieops/ingress-nginx-controller:v1.3.0
          imagePullPolicy: IfNotPresent
          lifecycle:
            preStop:
              exec:
                command:
                  - /wait-shutdown
          livenessProbe:
            failureThreshold: 5
            httpGet:
              path: /healthz
              port: 10254
              scheme: HTTP
            initialDelaySeconds: 10
            periodSeconds: 10
            successThreshold: 1
            timeoutSeconds: 1
          name: controller
          ports:
            - containerPort: 80
              name: http
              protocol: TCP
            - containerPort: 443
              name: https
              protocol: TCP
            - containerPort: 8443
              name: webhook
              protocol: TCP
          readinessProbe:
            failureThreshold: 3
            httpGet:
              path: /healthz
              port: 10254
              scheme: HTTP
            initialDelaySeconds: 10
            periodSeconds: 10
            successThreshold: 1
            timeoutSeconds: 1
          resources:
            requests:
              cpu: 100m
              memory: 90Mi
          # Runs as uid 101 with every capability dropped except
          # NET_BIND_SERVICE (ports 80/443). allowPrivilegeEscalation is left
          # true — presumably needed for the file capability on the controller
          # binary; confirm before tightening.
          securityContext:
            allowPrivilegeEscalation: true
            capabilities:
              add:
                - NET_BIND_SERVICE
              drop:
                - ALL
            runAsUser: 101
          volumeMounts:
            - mountPath: /usr/local/certificates/
              name: webhook-cert
              readOnly: true
      dnsPolicy: ClusterFirst
      nodeSelector:
        kubernetes.io/os: linux
      serviceAccountName: ingress-nginx
      # Long grace period so /wait-shutdown can drain in-flight connections.
      terminationGracePeriodSeconds: 300
      volumes:
        - name: webhook-cert
          secret:
            secretName: ingress-nginx-admission
---
# One-shot Job: generates the webhook serving certificate and stores it in
# the `ingress-nginx-admission` Secret (runs as non-root uid 2000).
apiVersion: batch/v1
kind: Job
metadata:
  labels:
    app.kubernetes.io/component: admission-webhook
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.3.0
  name: ingress-nginx-admission-create
  namespace: ingress-nginx
spec:
  template:
    metadata:
      labels:
        app.kubernetes.io/component: admission-webhook
        app.kubernetes.io/instance: ingress-nginx
        app.kubernetes.io/name: ingress-nginx
        app.kubernetes.io/part-of: ingress-nginx
        app.kubernetes.io/version: 1.3.0
      name: ingress-nginx-admission-create
    spec:
      containers:
        - args:
            - create
            - --host=ingress-nginx-controller-admission,ingress-nginx-controller-admission.$(POD_NAMESPACE).svc
            - --namespace=$(POD_NAMESPACE)
            - --secret-name=ingress-nginx-admission
          env:
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
          # NOTE(review): tag-only reference to a mirror image; pin by digest.
          image: registry.cn-hangzhou.aliyuncs.com/rookieops/kube-webhook-certgen:v1.1.1
          imagePullPolicy: IfNotPresent
          name: create
          securityContext:
            allowPrivilegeEscalation: false
      nodeSelector:
        kubernetes.io/os: linux
      restartPolicy: OnFailure
      securityContext:
        fsGroup: 2000
        runAsNonRoot: true
        runAsUser: 2000
      serviceAccountName: ingress-nginx-admission
---
# One-shot Job: patches the CA from the Secret above into the
# `ingress-nginx-admission` ValidatingWebhookConfiguration.
apiVersion: batch/v1
kind: Job
metadata:
  labels:
    app.kubernetes.io/component: admission-webhook
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.3.0
  name: ingress-nginx-admission-patch
  namespace: ingress-nginx
spec:
  template:
    metadata:
      labels:
        app.kubernetes.io/component: admission-webhook
        app.kubernetes.io/instance: ingress-nginx
        app.kubernetes.io/name: ingress-nginx
        app.kubernetes.io/part-of: ingress-nginx
        app.kubernetes.io/version: 1.3.0
      name: ingress-nginx-admission-patch
    spec:
      containers:
        - args:
            - patch
            - --webhook-name=ingress-nginx-admission
            - --namespace=$(POD_NAMESPACE)
            - --patch-mutating=false
            - --secret-name=ingress-nginx-admission
            - --patch-failure-policy=Fail
          env:
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
          # NOTE(review): tag-only reference to a mirror image; pin by digest.
          image: registry.cn-hangzhou.aliyuncs.com/rookieops/kube-webhook-certgen:v1.1.1
          imagePullPolicy: IfNotPresent
          name: patch
          securityContext:
            allowPrivilegeEscalation: false
      nodeSelector:
        kubernetes.io/os: linux
      restartPolicy: OnFailure
      securityContext:
        fsGroup: 2000
        runAsNonRoot: true
        runAsUser: 2000
      serviceAccountName: ingress-nginx-admission
---
# IngressClass `nginx`, handled by this controller (--controller-class above).
apiVersion: networking.k8s.io/v1
kind: IngressClass
metadata:
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.3.0
  name: nginx
spec:
  controller: k8s.io/ingress-nginx
---
# Validates every Ingress create/update through the controller. With
# failurePolicy Fail, Ingress writes are rejected while the webhook is
# unreachable (e.g. before the controller pod is ready).
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  labels:
    app.kubernetes.io/component: admission-webhook
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.3.0
  name: ingress-nginx-admission
webhooks:
  - admissionReviewVersions:
      - v1
    clientConfig:
      service:
        name: ingress-nginx-controller-admission
        namespace: ingress-nginx
        path: /networking/v1/ingresses
    failurePolicy: Fail
    matchPolicy: Equivalent
    name: validate.nginx.ingress.kubernetes.io
    rules:
      - apiGroups:
          - networking.k8s.io
        apiVersions:
          - v1
        operations:
          - CREATE
          - UPDATE
        resources:
          - ingresses
    sideEffects: None
--------------------------------------------------------------------------------
/ingress/traefik/.helmignore:
--------------------------------------------------------------------------------
# Keep the chart's test fixtures out of the packaged chart.
tests/
--------------------------------------------------------------------------------
/ingress/traefik/Chart.yaml:
--------------------------------------------------------------------------------
# Helm chart metadata for the vendored Traefik chart
# (chart version 9.11.0, packaging Traefik 2.3.3).
apiVersion: v2
appVersion: 2.3.3
description: A Traefik based Kubernetes ingress controller
home: https://traefik.io/
icon: https://raw.githubusercontent.com/traefik/traefik/v2.3/docs/content/assets/img/traefik.logo.png
keywords:
  - traefik
  - ingress
maintainers:
  - email: emile@vauge.com
    name: emilevauge
  - email: daniel.tomcej@gmail.com
    name: dtomcej
  - email: ldez@traefik.io
    name: ldez
name: traefik
sources:
  - https://github.com/traefik/traefik
  - https://github.com/traefik/traefik-helm-chart
type: application
version: 9.11.0
--------------------------------------------------------------------------------
/ingress/traefik/Guidelines.md:
--------------------------------------------------------------------------------
1 | # Traefik Helm Chart Guidelines
2 |
3 | This document outlines the guidelines for developing, managing and extending the Traefik helm chart.
4 |
5 | Optionality
6 | All non-critical features (Features not mandatory to starting Traefik) in the helm chart must be optional. All non-critical features should be disabled (commented out) in the values.yaml file. All optional non-critical features should be disabled (commented out) in the values.yaml file, and have a comment # (Optional) in the line above. This allows minimal configuration, and ease of extension.
7 |
8 | ## Critical Feature Example
9 |
10 | ```yaml
11 | image:
12 | name: traefik
13 | ```
14 |
15 | This feature is critical, and therefore is defined clearly in the values.yaml file.
16 |
17 | ## Non-Critical Feature Example
18 |
19 | ```yaml
20 | # storage:
21 | # controlNode:
22 | # type: emptyDir
23 | ```
24 |
25 | This feature is non-critical, and therefore is commented out by default in the values.yaml file.
26 |
27 | To allow this, template blocks that use this need to recursively test for existence of values before using them:
28 |
29 | ```yaml
30 | {{- if .Values.storage}}
31 | {{- if .Values.storage.controlNode }}
32 | //code
33 | {{ .Values.storage.controlNode.type }}
34 | {{- end }}
35 | {{- end }}
36 | ```
37 |
38 | The non-critical feature defaults should be populated so that they can be enabled by simply uncommenting the section in the values.yaml file.
39 |
40 | ## Optional Non-Critical Feature Example
41 |
42 | ```yaml
43 | # storage:
44 | # controlNode:
45 | # type: emptyDir
46 | # # (Optional)
47 | # # volume: 1Gi
48 | ```
49 |
50 | The volume option is clearly optional, and non-critical. It is commented out (apart from the storage section comment block), and is also preceded by a comment of # (Optional) in the preceding line. This facilitates configuration: when the storage section is uncommented, the optional features are still disabled by default.
51 |
52 | Similar to non-critical features, these options need to be tested for existence before use in the template.
53 |
54 | Note
55 | There can be optional values in critical features. These should just be added as an uncommented non-critical feature:
56 |
57 | ```yaml
58 | image:
59 | name: traefik
60 | tag: 2.0.0
61 | # (Optional)
62 | # pullPolicy: IfNotPresent
63 | ```
64 |
65 | Also, the first value under the primary value key does not require an optional comment:
66 |
67 | ```yaml
68 | # ports:
69 | # http: 80
70 | # # (Optional)
71 | # # https: 443
72 | ```
73 |
74 | This is because if the main subkey is not defined, the entirety of the feature is optional.
75 |
76 | ## Whitespace
77 |
78 | Extra whitespace is to be avoided in templating. Conditionals should chomp whitespace:
79 |
80 | ```yaml
81 | {{- if .Values }}
82 | {{- end }}
83 | ```
84 |
85 | There should be an empty commented line between each primary key in the values.yaml file to separate features from each other.
86 |
87 | ## Values YAML Design
88 |
89 | The values.yaml file is designed to be user-friendly. It does not have to resemble the templated configuration if it is not conducive. Similarly, value names do not have to correspond to fields in the template if it is not conducive.
90 |
91 | ## Comments
92 |
93 | The values.yaml file should not contain comments or explanations of what options are, or what values are available. The values table in the README file is for this purpose.
94 |
--------------------------------------------------------------------------------
/ingress/traefik/LICENSE:
--------------------------------------------------------------------------------
1 | Apache License
2 | Version 2.0, January 2004
3 | http://www.apache.org/licenses/
4 |
5 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
6 |
7 | 1. Definitions.
8 |
9 | "License" shall mean the terms and conditions for use, reproduction,
10 | and distribution as defined by Sections 1 through 9 of this document.
11 |
12 | "Licensor" shall mean the copyright owner or entity authorized by
13 | the copyright owner that is granting the License.
14 |
15 | "Legal Entity" shall mean the union of the acting entity and all
16 | other entities that control, are controlled by, or are under common
17 | control with that entity. For the purposes of this definition,
18 | "control" means (i) the power, direct or indirect, to cause the
19 | direction or management of such entity, whether by contract or
20 | otherwise, or (ii) ownership of fifty percent (50%) or more of the
21 | outstanding shares, or (iii) beneficial ownership of such entity.
22 |
23 | "You" (or "Your") shall mean an individual or Legal Entity
24 | exercising permissions granted by this License.
25 |
26 | "Source" form shall mean the preferred form for making modifications,
27 | including but not limited to software source code, documentation
28 | source, and configuration files.
29 |
30 | "Object" form shall mean any form resulting from mechanical
31 | transformation or translation of a Source form, including but
32 | not limited to compiled object code, generated documentation,
33 | and conversions to other media types.
34 |
35 | "Work" shall mean the work of authorship, whether in Source or
36 | Object form, made available under the License, as indicated by a
37 | copyright notice that is included in or attached to the work
38 | (an example is provided in the Appendix below).
39 |
40 | "Derivative Works" shall mean any work, whether in Source or Object
41 | form, that is based on (or derived from) the Work and for which the
42 | editorial revisions, annotations, elaborations, or other modifications
43 | represent, as a whole, an original work of authorship. For the purposes
44 | of this License, Derivative Works shall not include works that remain
45 | separable from, or merely link (or bind by name) to the interfaces of,
46 | the Work and Derivative Works thereof.
47 |
48 | "Contribution" shall mean any work of authorship, including
49 | the original version of the Work and any modifications or additions
50 | to that Work or Derivative Works thereof, that is intentionally
51 | submitted to Licensor for inclusion in the Work by the copyright owner
52 | or by an individual or Legal Entity authorized to submit on behalf of
53 | the copyright owner. For the purposes of this definition, "submitted"
54 | means any form of electronic, verbal, or written communication sent
55 | to the Licensor or its representatives, including but not limited to
56 | communication on electronic mailing lists, source code control systems,
57 | and issue tracking systems that are managed by, or on behalf of, the
58 | Licensor for the purpose of discussing and improving the Work, but
59 | excluding communication that is conspicuously marked or otherwise
60 | designated in writing by the copyright owner as "Not a Contribution."
61 |
62 | "Contributor" shall mean Licensor and any individual or Legal Entity
63 | on behalf of whom a Contribution has been received by Licensor and
64 | subsequently incorporated within the Work.
65 |
66 | 2. Grant of Copyright License. Subject to the terms and conditions of
67 | this License, each Contributor hereby grants to You a perpetual,
68 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable
69 | copyright license to reproduce, prepare Derivative Works of,
70 | publicly display, publicly perform, sublicense, and distribute the
71 | Work and such Derivative Works in Source or Object form.
72 |
73 | 3. Grant of Patent License. Subject to the terms and conditions of
74 | this License, each Contributor hereby grants to You a perpetual,
75 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable
76 | (except as stated in this section) patent license to make, have made,
77 | use, offer to sell, sell, import, and otherwise transfer the Work,
78 | where such license applies only to those patent claims licensable
79 | by such Contributor that are necessarily infringed by their
80 | Contribution(s) alone or by combination of their Contribution(s)
81 | with the Work to which such Contribution(s) was submitted. If You
82 | institute patent litigation against any entity (including a
83 | cross-claim or counterclaim in a lawsuit) alleging that the Work
84 | or a Contribution incorporated within the Work constitutes direct
85 | or contributory patent infringement, then any patent licenses
86 | granted to You under this License for that Work shall terminate
87 | as of the date such litigation is filed.
88 |
89 | 4. Redistribution. You may reproduce and distribute copies of the
90 | Work or Derivative Works thereof in any medium, with or without
91 | modifications, and in Source or Object form, provided that You
92 | meet the following conditions:
93 |
94 | (a) You must give any other recipients of the Work or
95 | Derivative Works a copy of this License; and
96 |
97 | (b) You must cause any modified files to carry prominent notices
98 | stating that You changed the files; and
99 |
100 | (c) You must retain, in the Source form of any Derivative Works
101 | that You distribute, all copyright, patent, trademark, and
102 | attribution notices from the Source form of the Work,
103 | excluding those notices that do not pertain to any part of
104 | the Derivative Works; and
105 |
106 | (d) If the Work includes a "NOTICE" text file as part of its
107 | distribution, then any Derivative Works that You distribute must
108 | include a readable copy of the attribution notices contained
109 | within such NOTICE file, excluding those notices that do not
110 | pertain to any part of the Derivative Works, in at least one
111 | of the following places: within a NOTICE text file distributed
112 | as part of the Derivative Works; within the Source form or
113 | documentation, if provided along with the Derivative Works; or,
114 | within a display generated by the Derivative Works, if and
115 | wherever such third-party notices normally appear. The contents
116 | of the NOTICE file are for informational purposes only and
117 | do not modify the License. You may add Your own attribution
118 | notices within Derivative Works that You distribute, alongside
119 | or as an addendum to the NOTICE text from the Work, provided
120 | that such additional attribution notices cannot be construed
121 | as modifying the License.
122 |
123 | You may add Your own copyright statement to Your modifications and
124 | may provide additional or different license terms and conditions
125 | for use, reproduction, or distribution of Your modifications, or
126 | for any such Derivative Works as a whole, provided Your use,
127 | reproduction, and distribution of the Work otherwise complies with
128 | the conditions stated in this License.
129 |
130 | 5. Submission of Contributions. Unless You explicitly state otherwise,
131 | any Contribution intentionally submitted for inclusion in the Work
132 | by You to the Licensor shall be under the terms and conditions of
133 | this License, without any additional terms or conditions.
134 | Notwithstanding the above, nothing herein shall supersede or modify
135 | the terms of any separate license agreement you may have executed
136 | with Licensor regarding such Contributions.
137 |
138 | 6. Trademarks. This License does not grant permission to use the trade
139 | names, trademarks, service marks, or product names of the Licensor,
140 | except as required for reasonable and customary use in describing the
141 | origin of the Work and reproducing the content of the NOTICE file.
142 |
143 | 7. Disclaimer of Warranty. Unless required by applicable law or
144 | agreed to in writing, Licensor provides the Work (and each
145 | Contributor provides its Contributions) on an "AS IS" BASIS,
146 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
147 | implied, including, without limitation, any warranties or conditions
148 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
149 | PARTICULAR PURPOSE. You are solely responsible for determining the
150 | appropriateness of using or redistributing the Work and assume any
151 | risks associated with Your exercise of permissions under this License.
152 |
153 | 8. Limitation of Liability. In no event and under no legal theory,
154 | whether in tort (including negligence), contract, or otherwise,
155 | unless required by applicable law (such as deliberate and grossly
156 | negligent acts) or agreed to in writing, shall any Contributor be
157 | liable to You for damages, including any direct, indirect, special,
158 | incidental, or consequential damages of any character arising as a
159 | result of this License or out of the use or inability to use the
160 | Work (including but not limited to damages for loss of goodwill,
161 | work stoppage, computer failure or malfunction, or any and all
162 | other commercial damages or losses), even if such Contributor
163 | has been advised of the possibility of such damages.
164 |
165 | 9. Accepting Warranty or Additional Liability. While redistributing
166 | the Work or Derivative Works thereof, You may choose to offer,
167 | and charge a fee for, acceptance of support, warranty, indemnity,
168 | or other liability obligations and/or rights consistent with this
169 | License. However, in accepting such obligations, You may act only
170 | on Your own behalf and on Your sole responsibility, not on behalf
171 | of any other Contributor, and only if You agree to indemnify,
172 | defend, and hold each Contributor harmless for any liability
173 | incurred by, or claims asserted against, such Contributor by reason
174 | of your accepting any such warranty or additional liability.
175 |
176 | END OF TERMS AND CONDITIONS
177 |
178 | APPENDIX: How to apply the Apache License to your work.
179 |
180 | To apply the Apache License to your work, attach the following
181 | boilerplate notice, with the fields enclosed by brackets "[]"
182 | replaced with your own identifying information. (Don't include
183 | the brackets!) The text should be enclosed in the appropriate
184 | comment syntax for the file format. We also recommend that a
185 | file or class name and description of purpose be included on the
186 | same "printed page" as the copyright notice for easier
187 | identification within third-party archives.
188 |
189 | Copyright 2020 Containous
190 | Copyright 2020 Traefik Labs
191 |
192 | Licensed under the Apache License, Version 2.0 (the "License");
193 | you may not use this file except in compliance with the License.
194 | You may obtain a copy of the License at
195 |
196 | http://www.apache.org/licenses/LICENSE-2.0
197 |
198 | Unless required by applicable law or agreed to in writing, software
199 | distributed under the License is distributed on an "AS IS" BASIS,
200 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
201 | See the License for the specific language governing permissions and
202 | limitations under the License.
203 |
--------------------------------------------------------------------------------
/ingress/traefik/README.md:
--------------------------------------------------------------------------------
1 | # Traefik
2 |
3 | [Traefik](https://traefik.io/) is a modern HTTP reverse proxy and load balancer made to deploy
4 | microservices with ease.
5 |
6 | ## Introduction
7 |
8 | This chart bootstraps Traefik version 2 as a Kubernetes ingress controller,
9 | using the `IngressRoute` Custom Resource Definition (Traefik's Kubernetes CRD provider).
10 |
11 | ### Philosophy
12 |
13 | The Traefik HelmChart is focused on Traefik deployment configuration.
14 |
15 | To keep this HelmChart as generic as possible we tend
16 | to avoid integrating any third party solutions nor any specific use cases.
17 |
18 | Accordingly, the encouraged approach to fulfill your needs:
19 | 1. override the default Traefik configuration values ([yaml file or cli](https://helm.sh/docs/chart_template_guide/values_files/))
20 | 2. append your own configurations (`kubectl apply -f myconf.yaml`)
21 | 3. extend this HelmChart ([as a Subchart](https://helm.sh/docs/chart_template_guide/subcharts_and_globals/))
22 |
23 | ## Installing
24 |
25 | ### Prerequisites
26 |
27 | With the command `helm version`, make sure that you have:
28 | - Helm v3 [installed](https://helm.sh/docs/using_helm/#installing-helm)
29 |
30 | Add Traefik's chart repository to Helm:
31 |
32 | ```bash
33 | helm repo add traefik https://helm.traefik.io/traefik
34 | ```
35 |
36 | You can update the chart repository by running:
37 |
38 | ```bash
39 | helm repo update
40 | ```
41 |
42 | ### Deploying Traefik
43 |
44 | ```bash
45 | helm install traefik traefik/traefik
46 | ```
47 |
48 | #### Warning
49 |
50 | If you are using Helm v2, you have to deploy the CRDs manually with the following command
51 | (Helm v3 applies the chart's `crds/` directory on install by itself):
53 |
54 | ```
55 | kubectl apply -f traefik/crds
56 | ```
57 |
58 | ### Exposing the Traefik dashboard
59 |
60 | This HelmChart does not expose the Traefik dashboard by default, for security reasons:
61 | the dashboard and its `/api` endpoints reveal the complete routing configuration and carry no authentication of their own.
62 | Instead, there are several ways to expose it. For instance, dashboard access can be achieved through a port-forward:
63 |
64 | ```
65 | kubectl port-forward $(kubectl get pods --selector "app.kubernetes.io/name=traefik" --output=name) 9000:9000
66 | ```
67 |
68 | Another way would be to apply your own configuration, for instance,
69 | by defining and applying an `IngressRoute` (`kubectl apply -f dashboard.yaml`). Note that the example below routes `api@internal` on the plain-HTTP `web` entry point with no authentication; the dashboard and its `/api` endpoints reveal your whole routing configuration, so outside a local test put them behind a TLS entry point and an authentication (e.g. `basicAuth`) or IP allow-list `Middleware`:
70 |
71 | ```yaml
72 | # dashboard.yaml
73 | apiVersion: traefik.containo.us/v1alpha1
74 | kind: IngressRoute
75 | metadata:
76 | name: dashboard
77 | spec:
78 | entryPoints:
79 | - web
80 | routes:
81 | - match: Host(`traefik.localhost`) && (PathPrefix(`/dashboard`) || PathPrefix(`/api`))
82 | kind: Rule
83 | services:
84 | - name: api@internal
85 | kind: TraefikService
86 | ```
87 |
88 | ## Contributing
89 |
90 | If you want to contribute to this chart, please read the [Contributing Guide](../CONTRIBUTING.md).
91 |
--------------------------------------------------------------------------------
/ingress/traefik/crds/ingressroute.yaml:
--------------------------------------------------------------------------------
# CustomResourceDefinition for Traefik's IngressRoute (HTTP routing rules).
#
# NOTE(review): apiextensions.k8s.io/v1beta1 was deprecated in Kubernetes 1.16
# and removed in 1.22; clusters at or beyond 1.22 need the apiextensions.k8s.io/v1
# form of this CRD.
# NOTE(review): no validation schema is declared, so the API server accepts any
# `spec` content for this kind (v1beta1 preserves unknown fields by default).
# A mistyped or unsupported field in a route is therefore not rejected at
# admission time and only shows up in Traefik's logs at runtime.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: ingressroutes.traefik.containo.us
spec:
  group: traefik.containo.us
  version: v1alpha1
  names:
    kind: IngressRoute
    plural: ingressroutes
    singular: ingressroute
  scope: Namespaced
13 |
--------------------------------------------------------------------------------
/ingress/traefik/crds/ingressroutetcp.yaml:
--------------------------------------------------------------------------------
# CustomResourceDefinition for Traefik's IngressRouteTCP (TCP routing rules).
#
# NOTE(review): apiextensions.k8s.io/v1beta1 was deprecated in Kubernetes 1.16
# and removed in 1.22; clusters at or beyond 1.22 need the apiextensions.k8s.io/v1
# form of this CRD.
# NOTE(review): no validation schema is declared, so the API server accepts any
# `spec` content for this kind (v1beta1 preserves unknown fields by default);
# errors are only surfaced by Traefik at runtime, not at admission time.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: ingressroutetcps.traefik.containo.us
spec:
  group: traefik.containo.us
  version: v1alpha1
  names:
    kind: IngressRouteTCP
    plural: ingressroutetcps
    singular: ingressroutetcp
  scope: Namespaced
13 |
--------------------------------------------------------------------------------
/ingress/traefik/crds/ingressrouteudp.yaml:
--------------------------------------------------------------------------------
# CustomResourceDefinition for Traefik's IngressRouteUDP (UDP routing rules).
#
# NOTE(review): apiextensions.k8s.io/v1beta1 was deprecated in Kubernetes 1.16
# and removed in 1.22; clusters at or beyond 1.22 need the apiextensions.k8s.io/v1
# form of this CRD.
# NOTE(review): no validation schema is declared, so the API server accepts any
# `spec` content for this kind (v1beta1 preserves unknown fields by default);
# errors are only surfaced by Traefik at runtime, not at admission time.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: ingressrouteudps.traefik.containo.us
spec:
  group: traefik.containo.us
  version: v1alpha1
  names:
    kind: IngressRouteUDP
    plural: ingressrouteudps
    singular: ingressrouteudp
  scope: Namespaced
14 |
--------------------------------------------------------------------------------
/ingress/traefik/crds/middlewares.yaml:
--------------------------------------------------------------------------------
# CustomResourceDefinition for Traefik's Middleware (request/response
# processing such as authentication, IP allow-listing, headers, rate limits).
#
# NOTE(review): apiextensions.k8s.io/v1beta1 was deprecated in Kubernetes 1.16
# and removed in 1.22; clusters at or beyond 1.22 need the apiextensions.k8s.io/v1
# form of this CRD.
# NOTE(review): no validation schema is declared, so the API server accepts any
# `spec` content for this kind (v1beta1 preserves unknown fields by default).
# This matters more here than for routes: a mistyped field in a security
# middleware (auth, allow-list) is not rejected at admission time, so whether
# the protection is actually in effect has to be confirmed from Traefik's logs
# or dashboard rather than from a successful `kubectl apply`.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: middlewares.traefik.containo.us
spec:
  group: traefik.containo.us
  version: v1alpha1
  names:
    kind: Middleware
    plural: middlewares
    singular: middleware
  scope: Namespaced
13 |
--------------------------------------------------------------------------------
/ingress/traefik/crds/tlsoptions.yaml:
--------------------------------------------------------------------------------
# CustomResourceDefinition for Traefik's TLSOption (per-router TLS settings
# such as minimum version, cipher suites and client authentication).
#
# NOTE(review): apiextensions.k8s.io/v1beta1 was deprecated in Kubernetes 1.16
# and removed in 1.22; clusters at or beyond 1.22 need the apiextensions.k8s.io/v1
# form of this CRD.
# NOTE(review): no validation schema is declared, so the API server accepts any
# `spec` content for this kind (v1beta1 preserves unknown fields by default).
# A mistyped TLS setting (e.g. a minimum-version or client-auth field) is not
# rejected at admission time; verify the effective TLS policy from Traefik
# itself rather than assuming the object was honoured.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: tlsoptions.traefik.containo.us
spec:
  group: traefik.containo.us
  version: v1alpha1
  names:
    kind: TLSOption
    plural: tlsoptions
    singular: tlsoption
  scope: Namespaced
13 |
--------------------------------------------------------------------------------
/ingress/traefik/crds/tlsstores.yaml:
--------------------------------------------------------------------------------
# CustomResourceDefinition for Traefik's TLSStore (default certificate store).
#
# NOTE(review): apiextensions.k8s.io/v1beta1 was deprecated in Kubernetes 1.16
# and removed in 1.22; clusters at or beyond 1.22 need the apiextensions.k8s.io/v1
# form of this CRD.
# NOTE(review): no validation schema is declared, so the API server accepts any
# `spec` content for this kind (v1beta1 preserves unknown fields by default);
# errors are only surfaced by Traefik at runtime, not at admission time.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: tlsstores.traefik.containo.us
spec:
  group: traefik.containo.us
  version: v1alpha1
  names:
    kind: TLSStore
    plural: tlsstores
    singular: tlsstore
  scope: Namespaced
14 |
--------------------------------------------------------------------------------
/ingress/traefik/crds/traefikservices.yaml:
--------------------------------------------------------------------------------
# CustomResourceDefinition for Traefik's TraefikService (weighted round-robin
# and mirroring services that routes can reference).
#
# NOTE(review): apiextensions.k8s.io/v1beta1 was deprecated in Kubernetes 1.16
# and removed in 1.22; clusters at or beyond 1.22 need the apiextensions.k8s.io/v1
# form of this CRD.
# NOTE(review): no validation schema is declared, so the API server accepts any
# `spec` content for this kind (v1beta1 preserves unknown fields by default);
# errors are only surfaced by Traefik at runtime, not at admission time.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: traefikservices.traefik.containo.us
spec:
  group: traefik.containo.us
  version: v1alpha1
  names:
    kind: TraefikService
    plural: traefikservices
    singular: traefikservice
  scope: Namespaced
13 |
--------------------------------------------------------------------------------
/ingress/traefik/templates/_helpers.tpl:
--------------------------------------------------------------------------------
1 | {{/* vim: set filetype=mustache: */}}
2 |
{{/*
Expand the name of the chart: .Values.nameOverride when it is set, otherwise
.Chart.Name. The result is truncated to 63 characters (the Kubernetes DNS
label limit) and a "-" left dangling by the truncation is removed.
*/}}
{{- define "traefik.name" -}}
{{- .Values.nameOverride | default .Chart.Name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
9 |
{{/*
Create the value of the helm.sh/chart label: "<chart name>-<chart version>".
Semver build metadata uses "+", which is not a valid label character, so it
is replaced by "_"; the result is truncated to 63 characters and a trailing
"-" is removed.
*/}}
{{- define "traefik.chart" -}}
{{- .Chart.Version | printf "%s-%s" .Chart.Name | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
{{- end -}}
16 |
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
Resolution order:
  1. .Values.fullnameOverride, when set;
  2. .Release.Name alone, when it already contains the chart name
     (.Values.nameOverride or .Chart.Name);
  3. otherwise "<release name>-<chart name>".
Every branch applies the same 63-character truncation and strips a trailing "-".
*/}}
{{- define "traefik.fullname" -}}
{{- if .Values.fullnameOverride -}}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- $name := default .Chart.Name .Values.nameOverride -}}
{{- if contains $name .Release.Name -}}
{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- end -}}
{{- end -}}
34 |
{{/*
The name of the ServiceAccount the Traefik pod runs as:
.Values.serviceAccount.name when set, otherwise the release's fullname.
This is the identity the chart's RBAC (templates/rbac) is bound to, so an
override must point at an account that carries the same permissions.
*/}}
{{- define "traefik.serviceAccountName" -}}
{{- .Values.serviceAccount.name | default (include "traefik.fullname" .) -}}
{{- end -}}
41 |
{{/*
Construct the path for the providers.kubernetesingress.ingressendpoint.publishedservice flag.
By convention this will simply use "<namespace>/<service name>", i.e. the release
namespace and the Service this chart generates (traefik.fullname), so that Ingress
status is filled from that Service's load-balancer address.
Users can provide an override for an explicit service they want bound via `.Values.providers.kubernetesIngress.publishedService.pathOverride`
(the override is used as-is apart from a trailing "-" being stripped, so it is
presumably expected to already be in "namespace/name" form).
*/}}
{{- define "providers.kubernetesIngress.publishedServicePath" -}}
{{- $defServiceName := printf "%s/%s" .Release.Namespace (include "traefik.fullname" .) -}}
{{- $servicePath := default $defServiceName .Values.providers.kubernetesIngress.publishedService.pathOverride }}
{{- print $servicePath | trimSuffix "-" -}}
{{- end -}}
53 |
{{/*
Comma-separated list of namespaces the Kubernetes Ingress provider may watch.
Used by templates/deployment.yaml when rbac.namespaced is enabled. With no
namespaces configured it falls back to the release namespace only, so the
provider never silently widens its scope to the whole cluster.
*/}}
{{- define "providers.kubernetesIngress.namespaces" -}}
{{- .Values.providers.kubernetesIngress.namespaces | join "," | default .Release.Namespace }}
{{- end -}}
{{/*
Comma-separated list of namespaces the Kubernetes CRD provider may watch
(IngressRoute, Middleware, TLSOption, ...). Same fallback as the Ingress
provider: the release namespace when nothing is configured.
*/}}
{{- define "providers.kubernetesCRD.namespaces" -}}
{{- .Values.providers.kubernetesCRD.namespaces | join "," | default .Release.Namespace }}
{{- end -}}
--------------------------------------------------------------------------------
/ingress/traefik/templates/dashboard-hook-ingressroute.yaml:
--------------------------------------------------------------------------------
{{- if .Values.ingressRoute.dashboard.enabled -}}
# IngressRoute that publishes the Traefik dashboard and its API
# (api@internal) on the `traefik` entry point when
# ingressRoute.dashboard.enabled is set.
#
# NOTE(review): no middleware is attached, so /dashboard and /api are
# reachable without any authentication by anyone who can reach the
# `traefik` entry point (ports.traefik in values.yaml). The API exposes the
# full routing configuration (backends, middlewares, TLS settings). Keep
# that entry point unexposed (no Service port, no hostPort), or attach an
# authentication / IP allow-list Middleware to this route, before enabling
# it anywhere but a local setup.
#
# The object is created as a Helm post-install/post-upgrade hook. Helm does
# not track hook resources with the release, so `helm uninstall` leaves it
# behind unless a helm.sh/hook-delete-policy annotation is added.
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: {{ template "traefik.fullname" . }}-dashboard
  annotations:
    helm.sh/hook: "post-install,post-upgrade"
    {{- with .Values.ingressRoute.dashboard.annotations }}
    {{- toYaml . | nindent 4 }}
    {{- end }}
  labels:
    app.kubernetes.io/name: {{ template "traefik.name" . }}
    helm.sh/chart: {{ template "traefik.chart" . }}
    app.kubernetes.io/managed-by: {{ .Release.Service }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    {{- with .Values.ingressRoute.dashboard.labels }}
    {{- toYaml . | nindent 4 }}
    {{- end }}
spec:
  entryPoints:
    - traefik
  routes:
    - match: PathPrefix(`/dashboard`) || PathPrefix(`/api`)
      kind: Rule
      services:
        - name: api@internal
          kind: TraefikService
{{- end -}}
29 |
--------------------------------------------------------------------------------
/ingress/traefik/templates/deployment.yaml:
--------------------------------------------------------------------------------
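{{- if .Values.deployment.enabled -}}
  {{- /*
  Guard: the chart refuses ACME (an additionalArguments entry containing
  ".acme.") when Traefik can run with more than one replica, presumably
  because ACME state is per pod and replicas would not share it. The check
  covers both a static replica count and an enabled HorizontalPodAutoscaler
  (templates/hpa.yaml): when autoscaling is on the Deployment omits its
  replicas field and autoscaling.maxReplicas is the effective upper bound,
  so looking at deployment.replicas alone would let the HPA scale an
  ACME-enabled Traefik past one pod.
  */ -}}
  {{- if or (gt (int .Values.deployment.replicas) 1) (and .Values.autoscaling.enabled (gt (int .Values.autoscaling.maxReplicas) 1)) -}}
    {{- with .Values.additionalArguments -}}
      {{- range . -}}
        {{- if contains ".acme." . -}}
          {{- fail (printf "You can not enabled acme if you set more than one traefik replica") -}}
        {{- end -}}
      {{- end -}}
    {{- end -}}
  {{- end -}}

---
# Traefik Deployment. Everything below is driven by values.yaml: entry
# points come from .Values.ports, providers from .Values.providers, and the
# whole static configuration is passed to Traefik as command-line flags in
# the container's `args`.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: {{ template "traefik.fullname" . }}
  labels:
    app.kubernetes.io/name: {{ template "traefik.name" . }}
    helm.sh/chart: {{ template "traefik.chart" . }}
    app.kubernetes.io/managed-by: {{ .Release.Service }}
    app.kubernetes.io/instance: {{ .Release.Name }}
  annotations:
  {{- with .Values.deployment.annotations }}
  {{- toYaml . | nindent 4 }}
  {{- end }}
spec:
  # replicas is left to the HorizontalPodAutoscaler when autoscaling is on.
  {{- if not .Values.autoscaling.enabled }}
  replicas: {{ default 1 .Values.deployment.replicas }}
  {{- end }}
  selector:
    matchLabels:
      app.kubernetes.io/name: {{ template "traefik.name" . }}
      app.kubernetes.io/instance: {{ .Release.Name }}
  strategy:
    type: RollingUpdate
    rollingUpdate:
      {{- with .Values.rollingUpdate }}
      {{- toYaml . | nindent 6 }}
      {{- end }}
  template:
    metadata:
      annotations:
      {{- with .Values.deployment.podAnnotations }}
      {{- toYaml . | nindent 8 }}
      {{- end }}
      labels:
        app.kubernetes.io/name: {{ template "traefik.name" . }}
        helm.sh/chart: {{ template "traefik.chart" . }}
        app.kubernetes.io/managed-by: {{ .Release.Service }}
        app.kubernetes.io/instance: {{ .Release.Name }}
      {{- with .Values.deployment.podLabels }}
      {{- toYaml . | nindent 8 }}
      {{- end }}
    spec:
      {{- with .Values.deployment.imagePullSecrets }}
      imagePullSecrets:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      serviceAccountName: {{ include "traefik.serviceAccountName" . }}
      terminationGracePeriodSeconds: 60
      # hostNetwork is value-driven. When true the pod shares the node's
      # network namespace: every entry point listens on the node's own
      # interfaces, NetworkPolicy no longer applies to that traffic, and the
      # pod can reach anything bound to the node's loopback interface. Leave
      # it false unless the cluster's load balancing genuinely needs it.
      hostNetwork: {{ .Values.hostNetwork }}
      {{- with .Values.deployment.dnsPolicy }}
      dnsPolicy: {{ . }}
      {{- end }}
      {{- with .Values.deployment.initContainers }}
      initContainers:
      {{- toYaml . | nindent 6 }}
      {{- end }}
      containers:
      # image.tag defaults to the chart's appVersion. The image is referenced
      # by "name:tag" only, so this template cannot pin it by digest.
      - image: "{{ .Values.image.name }}:{{ default .Chart.AppVersion .Values.image.tag }}"
        imagePullPolicy: {{ .Values.image.pullPolicy }}
        name: {{ template "traefik.fullname" . }}
        resources:
          {{- with .Values.resources }}
          {{- toYaml . | nindent 10 }}
          {{- end }}
        # Both probes hit Traefik's /ping endpoint (enabled by --ping=true in
        # args) on the `traefik` entry point.
        readinessProbe:
          httpGet:
            path: /ping
            port: {{ .Values.ports.traefik.port }}
          failureThreshold: 1
          initialDelaySeconds: 10
          periodSeconds: 10
          successThreshold: 1
          timeoutSeconds: 2
        livenessProbe:
          httpGet:
            path: /ping
            port: {{ .Values.ports.traefik.port }}
          failureThreshold: 3
          initialDelaySeconds: 10
          periodSeconds: 10
          successThreshold: 1
          timeoutSeconds: 2
        # One container port per entry in .Values.ports; entries set to a
        # falsy value are skipped. hostPort/hostIP bind the port on the node
        # itself, outside the Service, so they widen exposure much like
        # hostNetwork does and should be set deliberately.
        ports:
        {{- range $name, $config := .Values.ports }}
        {{- if $config }}
        - name: {{ $name | quote }}
          containerPort: {{ $config.port }}
          {{- if $config.hostPort }}
          hostPort: {{ $config.hostPort }}
          {{- end }}
          {{- if $config.hostIP }}
          hostIP: {{ $config.hostIP }}
          {{- end }}
          protocol: {{ default "TCP" $config.protocol | quote }}
        {{- end }}
        {{- end }}
        # The container securityContext is rendered only when
        # .Values.securityContext is set; with it empty the container runs
        # with the cluster's defaults. /tmp and the data path are mounted as
        # separate writable volumes below, so runAsNonRoot, a dropped
        # capability set and readOnlyRootFilesystem are the settings to put
        # here.
        {{- with .Values.securityContext }}
        securityContext:
          {{- toYaml . | nindent 10 }}
        {{- end }}
        volumeMounts:
          - name: data
            mountPath: {{ .Values.persistence.path }}
            {{- if .Values.persistence.subPath }}
            subPath: {{ .Values.persistence.subPath }}
            {{- end }}
          - name: tmp
            mountPath: /tmp
          {{- $root := . }}
          # User-supplied Secrets/ConfigMaps (.Values.volumes, e.g. TLS
          # material) are always mounted read-only.
          {{- range .Values.volumes }}
          - name: {{ tpl (.name) $root }}
            mountPath: {{ .mountPath }}
            readOnly: true
          {{- end }}
          {{- if .Values.experimental.plugins.enabled }}
          - name: plugins
            mountPath: "/plugins-storage"
          {{- end }}
          {{- if .Values.additionalVolumeMounts }}
            {{- toYaml .Values.additionalVolumeMounts | nindent 10 }}
          {{- end }}
        # Static configuration as CLI flags. Everything listed here, including
        # additionalArguments, ends up in the Pod spec and in the process
        # command line.
        args:
          {{- with .Values.globalArguments }}
          {{- range . }}
          - {{ . | quote }}
          {{- end }}
          {{- end }}
          {{- range $name, $config := .Values.ports }}
          {{- if $config }}
          - "--entryPoints.{{$name}}.address=:{{ $config.port }}/{{ default "tcp" $config.protocol | lower }}"
          {{- end }}
          {{- end }}
          # The API/dashboard is always enabled and is served on the `traefik`
          # entry point with no authentication of its own. Whether it is
          # reachable depends on how that entry point is exposed (Service,
          # hostPort) and on templates/dashboard-hook-ingressroute.yaml.
          - "--api.dashboard=true"
          - "--ping=true"
          {{- if .Values.providers.kubernetesCRD.enabled }}
          - "--providers.kubernetescrd"
          {{- end }}
          {{- if .Values.providers.kubernetesIngress.enabled }}
          - "--providers.kubernetesingress"
          {{- if and .Values.service.enabled .Values.providers.kubernetesIngress.publishedService.enabled }}
          - "--providers.kubernetesingress.ingressendpoint.publishedservice={{ template "providers.kubernetesIngress.publishedServicePath" . }}"
          {{- end }}
          {{- end }}
          # Without rbac.namespaced no namespace filter is passed, so both
          # providers watch every namespace the ServiceAccount can read and
          # any namespace owner can publish routes through this Traefik. With
          # it, the watched namespaces default to the release namespace (see
          # _helpers.tpl).
          {{- if and .Values.rbac.enabled .Values.rbac.namespaced }}
          - "--providers.kubernetescrd.namespaces={{ template "providers.kubernetesCRD.namespaces" . }}"
          - "--providers.kubernetesingress.namespaces={{ template "providers.kubernetesIngress.namespaces" . }}"
          {{- end }}
          {{- range $entrypoint, $config := $.Values.ports }}
          {{- if $config.redirectTo }}
          {{- $toPort := index $.Values.ports $config.redirectTo }}
          - "--entrypoints.{{ $entrypoint }}.http.redirections.entryPoint.to=:{{ $toPort.exposedPort }}"
          - "--entrypoints.{{ $entrypoint }}.http.redirections.entryPoint.scheme=https"
          {{- end }}
          {{- if $config.tls }}
          {{- if $config.tls.enabled }}
          - "--entrypoints.{{ $entrypoint }}.http.tls=true"
          {{- if $config.tls.options }}
          - "--entrypoints.{{ $entrypoint }}.http.tls.options={{ $config.tls.options }}"
          {{- end }}
          {{- if $config.tls.certResolver }}
          - "--entrypoints.{{ $entrypoint }}.http.tls.certResolver={{ $config.tls.certResolver }}"
          {{- end }}
          {{- if $config.tls.domains }}
          {{- range $index, $domain := $config.tls.domains }}
          {{- if $domain.main }}
          - "--entrypoints.{{ $entrypoint }}.http.tls.domains[{{ $index }}].main={{ $domain.main }}"
          {{- end }}
          {{- if $domain.sans }}
          - "--entrypoints.{{ $entrypoint }}.http.tls.domains[{{ $index }}].sans={{ join "," $domain.sans }}"
          {{- end }}
          {{- end }}
          {{- end }}
          {{- end }}
          {{- end }}
          {{- end }}
          {{- with .Values.logs }}
          {{- if .general.format }}
          - "--log.format={{ .general.format }}"
          {{- end }}
          {{- if ne .general.level "ERROR" }}
          - "--log.level={{ .general.level | upper }}"
          {{- end }}
          {{- if .access.enabled }}
          - "--accesslog=true"
          {{- if .access.format }}
          - "--accesslog.format={{ .access.format }}"
          {{- end }}
          {{- if .access.bufferingsize }}
          - "--accesslog.bufferingsize={{ .access.bufferingsize }}"
          {{- end }}
          {{- if .access.filters }}
          {{- if .access.filters.statuscodes }}
          - "--accesslog.filters.statuscodes={{ .access.filters.statuscodes }}"
          {{- end }}
          {{- if .access.filters.retryattempts }}
          - "--accesslog.filters.retryattempts"
          {{- end }}
          {{- if .access.filters.minduration }}
          - "--accesslog.filters.minduration={{ .access.filters.minduration }}"
          {{- end }}
          {{- end }}
          # Access-log field and header modes are passed through from values.
          # A headers defaultmode of "keep" writes every request header,
          # Authorization and Cookie included, to the log; prefer "drop" or
          # "redact" with an explicit allow-list in headers.names.
          - "--accesslog.fields.defaultmode={{ .access.fields.general.defaultmode }}"
          {{- range $fieldname, $fieldaction := .access.fields.general.names }}
          - "--accesslog.fields.names.{{ $fieldname }}={{ $fieldaction }}"
          {{- end }}
          - "--accesslog.fields.headers.defaultmode={{ .access.fields.headers.defaultmode }}"
          {{- range $fieldname, $fieldaction := .access.fields.headers.names }}
          - "--accesslog.fields.headers.names.{{ $fieldname }}={{ $fieldaction }}"
          {{- end }}
          {{- end }}
          {{- end }}
          # NOTE(review): the Pilot token is a credential, but it is passed as
          # a command-line flag, so it is readable by anyone who can get the
          # Pod spec (kubectl get pod -o yaml) or the process command line on
          # the node. Prefer supplying it from a Secret through env/envFrom,
          # using Traefik's TRAEFIK_* environment-variable form of the static
          # configuration.
          {{- if .Values.pilot.enabled }}
          - "--pilot.token={{ .Values.pilot.token }}"
          {{- end }}
          {{- with .Values.additionalArguments }}
          {{- range . }}
          - {{ . | quote }}
          {{- end }}
          {{- end }}
        {{- with .Values.env }}
        env:
          {{- toYaml . | nindent 10 }}
        {{- end }}
        {{- with .Values.envFrom }}
        envFrom:
          {{- toYaml . | nindent 10 }}
        {{- end }}
      {{- if .Values.deployment.additionalContainers }}
        {{- toYaml .Values.deployment.additionalContainers | nindent 6 }}
      {{- end }}
      volumes:
        # data: a PVC when persistence is enabled, otherwise an emptyDir
        # (anything Traefik stores there, e.g. ACME state, is lost with the
        # pod).
        - name: data
        {{- if .Values.persistence.enabled }}
          persistentVolumeClaim:
            claimName: {{ default (include "traefik.fullname" .) .Values.persistence.existingClaim }}
        {{- else }}
          emptyDir: {}
        {{- end }}
        - name: tmp
          emptyDir: {}
        {{- $root := . }}
        {{- range .Values.volumes }}
        - name: {{ tpl (.name) $root }}
          {{- if eq .type "secret" }}
          secret:
            secretName: {{ tpl (.name) $root }}
          {{- else if eq .type "configMap" }}
          configMap:
            name: {{ tpl (.name) $root }}
          {{- end }}
        {{- end }}
        {{- if .Values.deployment.additionalVolumes }}
          {{- toYaml .Values.deployment.additionalVolumes | nindent 8 }}
        {{- end }}
        {{- if .Values.experimental.plugins.enabled }}
        - name: plugins
          emptyDir: {}
        {{- end }}
      {{- with .Values.affinity }}
      affinity:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      {{- with .Values.tolerations }}
      tolerations:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      {{- with .Values.nodeSelector }}
      nodeSelector:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      {{- if .Values.priorityClassName }}
      priorityClassName: {{ .Values.priorityClassName }}
      {{- end }}
      # Pod-level securityContext (fsGroup, runAsUser, seccomp, ...), again
      # rendered only when .Values.podSecurityContext is set.
      {{- with .Values.podSecurityContext }}
      securityContext:
        {{- toYaml . | nindent 8 }}
      {{- end }}
{{- end -}}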
291 |
--------------------------------------------------------------------------------
/ingress/traefik/templates/hpa.yaml:
--------------------------------------------------------------------------------
{{- /*
  HorizontalPodAutoscaler for the Traefik Deployment, rendered only when
  autoscaling.enabled is set in values.yaml.
  NOTE(review): autoscaling/v2beta1 was removed from Kubernetes in 1.25; the
  metrics block below is pasted verbatim, so it must follow the v2beta1 schema
  (targetAverageUtilization, as in the values.yaml example) until the
  apiVersion is migrated.
*/ -}}
{{- if .Values.autoscaling.enabled }}
apiVersion: autoscaling/v2beta1
kind: HorizontalPodAutoscaler
metadata:
  name: {{ template "traefik.fullname" . }}
  labels:
    app.kubernetes.io/name: {{ template "traefik.name" . }}
    helm.sh/chart: {{ template "traefik.chart" . }}
    app.kubernetes.io/managed-by: {{ .Release.Service }}
    app.kubernetes.io/instance: {{ .Release.Name }}
spec:
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: {{ template "traefik.fullname" . }}
  {{- /* Both values are commented out in values.yaml; enabling autoscaling without setting them renders empty scalars (maxReplicas is mandatory for the API server). */}}
  minReplicas: {{ .Values.autoscaling.minReplicas }}
  maxReplicas: {{ .Values.autoscaling.maxReplicas }}
  metrics:
{{ toYaml .Values.autoscaling.metrics | indent 4 }}
{{- end }}
21 |
--------------------------------------------------------------------------------
/ingress/traefik/templates/ingressclass.yaml:
--------------------------------------------------------------------------------
{{- /*
  IngressClass pointing Ingress objects at this Traefik instance.
  Rendered only when ingressClass.enabled and the running Traefik is >= 2.3.0.
  NOTE(review): semverCompare needs a valid semver; a non-semver image.tag
  (e.g. "latest") aborts rendering here rather than skipping the resource.
*/ -}}
{{- if and .Values.ingressClass.enabled (semverCompare ">=2.3.0" (default .Chart.AppVersion .Values.image.tag)) -}}
{{- /* Prefer the GA API, fall back to v1beta1, otherwise abort the render with an explicit error. */}}
{{- if .Capabilities.APIVersions.Has "networking.k8s.io/v1/IngressClass" }}
apiVersion: networking.k8s.io/v1
{{- else if .Capabilities.APIVersions.Has "networking.k8s.io/v1beta1/IngressClass" }}
apiVersion: networking.k8s.io/v1beta1
{{- else }}
{{- fail "\n\n ERROR: You must have atleast networking.k8s.io/v1beta1 to use ingressClass" }}
{{- end }}
kind: IngressClass
metadata:
  annotations:
    {{- /* Quoted so the boolean from values.yaml becomes the string "true"/"false" the annotation expects. */}}
    ingressclass.kubernetes.io/is-default-class: {{ .Values.ingressClass.isDefaultClass | quote }}
  labels:
    app.kubernetes.io/name: {{ template "traefik.name" . }}
    helm.sh/chart: {{ template "traefik.chart" . }}
    app.kubernetes.io/managed-by: {{ .Release.Service }}
    app.kubernetes.io/instance: {{ .Release.Name }}
  name: {{ template "traefik.fullname" . }}
spec:
  controller: traefik.io/ingress-controller
{{- end }}
22 |
--------------------------------------------------------------------------------
/ingress/traefik/templates/poddisruptionbudget.yaml:
--------------------------------------------------------------------------------
{{- /*
  PodDisruptionBudget for the Traefik pods, rendered when
  podDisruptionBudget.enabled is set in values.yaml.
  NOTE(review): policy/v1beta1 was removed from Kubernetes in 1.25.
*/ -}}
{{- if .Values.podDisruptionBudget.enabled -}}
apiVersion: policy/v1beta1
kind: PodDisruptionBudget
metadata:
  name: {{ template "traefik.fullname" . }}
  labels:
    app.kubernetes.io/name: {{ template "traefik.name" . }}
    helm.sh/chart: {{ template "traefik.chart" . }}
    app.kubernetes.io/managed-by: {{ .Release.Service }}
    app.kubernetes.io/instance: {{ .Release.Name }}
spec:
  selector:
    matchLabels:
      app.kubernetes.io/name: {{ template "traefik.name" . }}
      app.kubernetes.io/instance: {{ .Release.Name }}
  {{- /*
    Only one of minAvailable / maxUnavailable may be set; the API server
    rejects a PDB that carries both. Because of the truthiness test a value
    of 0 is silently dropped, and `| int` turns a percentage such as "50%"
    into 0, so only positive integers are usable here.
  */}}
  {{- if .Values.podDisruptionBudget.minAvailable }}
  minAvailable: {{ .Values.podDisruptionBudget.minAvailable | int }}
  {{- end }}
  {{- if .Values.podDisruptionBudget.maxUnavailable }}
  maxUnavailable: {{ .Values.podDisruptionBudget.maxUnavailable | int }}
  {{- end }}
{{- end -}}
23 |
--------------------------------------------------------------------------------
/ingress/traefik/templates/pvc.yaml:
--------------------------------------------------------------------------------
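{{- /*
  PersistentVolumeClaim backing Traefik's data volume (persistence.* in
  values.yaml, e.g. ACME storage). Not rendered when persistence.existingClaim
  names a claim that deployment.yaml should mount instead.
*/ -}}
{{- if and .Values.persistence.enabled (not .Values.persistence.existingClaim) -}}
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: {{ template "traefik.fullname" . }}
  annotations:
    {{- /* nindent, as in rbac/serviceaccount.yaml and service.yaml, instead of a raw `indent` on an unindented line. */}}
    {{- with .Values.persistence.annotations }}
    {{- toYaml . | nindent 4 }}
    {{- end }}
  labels:
    app.kubernetes.io/name: {{ template "traefik.name" . }}
    helm.sh/chart: {{ template "traefik.chart" . }}
    app.kubernetes.io/managed-by: {{ .Release.Service }}
    app.kubernetes.io/instance: {{ .Release.Name }}
spec:
  accessModes:
    - {{ .Values.persistence.accessMode | quote }}
  resources:
    requests:
      storage: {{ .Values.persistence.size | quote }}
  {{- /* Omitted when empty so the cluster's default StorageClass applies. */}}
  {{- if .Values.persistence.storageClass }}
  storageClassName: {{ .Values.persistence.storageClass | quote }}
  {{- end }}
{{- end -}}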
25 |
26 |
--------------------------------------------------------------------------------
/ingress/traefik/templates/rbac/clusterrole.yaml:
--------------------------------------------------------------------------------
{{- /*
  Cluster-wide RBAC for Traefik, used when rbac.namespaced is false
  (rbac/role.yaml is the per-namespace alternative). Everything is read-only
  except ingresses/status and `use` on the chart's own PodSecurityPolicy.
*/ -}}
{{- if and .Values.rbac.enabled (not .Values.rbac.namespaced) -}}
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: {{ template "traefik.fullname" . }}
  labels:
    app.kubernetes.io/name: {{ template "traefik.name" . }}
    helm.sh/chart: {{ template "traefik.chart" . }}
    app.kubernetes.io/managed-by: {{ .Release.Service }}
    app.kubernetes.io/instance: {{ .Release.Name }}
rules:
  {{- /*
    NOTE(review): get/list/watch on `secrets` is granted in every namespace.
    Traefik needs it to read the TLS secrets that Ingress/IngressRoute objects
    reference, but it also means the Traefik service account can read any
    Secret in the cluster. Set rbac.namespaced: true to confine this to the
    release namespace if that is unacceptable.
  */}}
  - apiGroups:
      - ""
    resources:
      - services
      - endpoints
      - secrets
    verbs:
      - get
      - list
      - watch
  {{- /* Both the legacy `extensions` and the current `networking.k8s.io` groups, so old and new clusters work. */}}
  - apiGroups:
      - extensions
      - networking.k8s.io
    resources:
      - ingresses
      - ingressclasses
    verbs:
      - get
      - list
      - watch
  {{- /* The only write permission: publishing the load-balancer address into Ingress status. */}}
  - apiGroups:
      - extensions
      - networking.k8s.io
    resources:
      - ingresses/status
    verbs:
      - update
  - apiGroups:
      - traefik.containo.us
    resources:
      - ingressroutes
      - ingressroutetcps
      - ingressrouteudps
      - middlewares
      - tlsoptions
      - tlsstores
      - traefikservices
    verbs:
      - get
      - list
      - watch
  {{- /* `use` is restricted by resourceNames to the PSP this chart creates (rbac/podsecuritypolicy.yaml). */}}
  {{- if .Values.podSecurityPolicy.enabled }}
  - apiGroups:
      - policy
    resourceNames:
      - {{ template "traefik.fullname" . }}
    resources:
      - podsecuritypolicies
    verbs:
      - use
  {{- end -}}
{{- end -}}
64 |
--------------------------------------------------------------------------------
/ingress/traefik/templates/rbac/clusterrolebinding.yaml:
--------------------------------------------------------------------------------
{{- /*
  Binds the chart's ClusterRole (rbac/clusterrole.yaml) to the Traefik
  service account. Rendered together with the ClusterRole, i.e. only when
  rbac.enabled is true and rbac.namespaced is false.
*/}}
{{- if and .Values.rbac.enabled (not .Values.rbac.namespaced) }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: {{ include "traefik.fullname" . }}
  labels:
    app.kubernetes.io/name: {{ include "traefik.name" . }}
    helm.sh/chart: {{ include "traefik.chart" . }}
    app.kubernetes.io/managed-by: {{ .Release.Service }}
    app.kubernetes.io/instance: {{ .Release.Name }}
subjects:
  - kind: ServiceAccount
    name: {{ include "traefik.serviceAccountName" . }}
    namespace: {{ .Release.Namespace }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: {{ include "traefik.fullname" . }}
{{- end -}}
20 |
--------------------------------------------------------------------------------
/ingress/traefik/templates/rbac/podsecuritypolicy.yaml:
--------------------------------------------------------------------------------
{{- /*
  PodSecurityPolicy for the Traefik pods, rendered when
  podSecurityPolicy.enabled is set; rbac/role.yaml and rbac/clusterrole.yaml
  grant `use` on it by name.
  NOTE(review): the PodSecurityPolicy API (policy/v1beta1) was removed from
  Kubernetes in 1.25; on newer clusters use Pod Security Admission instead.
*/ -}}
{{- if .Values.podSecurityPolicy.enabled }}
---
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  annotations:
    seccomp.security.alpha.kubernetes.io/allowedProfileNames: runtime/default
    seccomp.security.alpha.kubernetes.io/defaultProfileName: runtime/default
  name: {{ template "traefik.fullname" . }}
  labels:
    app.kubernetes.io/name: {{ template "traefik.name" . }}
    helm.sh/chart: {{ template "traefik.chart" . }}
    app.kubernetes.io/managed-by: {{ .Release.Service }}
    app.kubernetes.io/instance: {{ .Release.Name }}
spec:
  privileged: false
  allowPrivilegeEscalation: false
  requiredDropCapabilities:
    - ALL
  {{- /*
    NET_BIND_SERVICE is only permitted when values.yaml lets the container run
    as root (securityContext.runAsNonRoot: false), the case where Traefik
    binds ports below 1024 directly.
  */}}
  {{- if not .Values.securityContext.runAsNonRoot }}
  allowedCapabilities:
    - NET_BIND_SERVICE
  {{- end }}
  {{- /* Mirrors the top-level hostNetwork value; IPC and PID namespaces are never shared. */}}
  hostNetwork: {{ .Values.hostNetwork }}
  hostIPC: false
  hostPID: false
  fsGroup:
    {{- if .Values.securityContext.runAsNonRoot }}
    ranges:
      - max: 65535
        min: 1
    rule: MustRunAs
    {{- else }}
    rule: RunAsAny
    {{- end }}
  {{- /* Host ports are only opened up when the pod runs in the host network namespace. */}}
  {{- if .Values.hostNetwork }}
  hostPorts:
    - max: 65535
      min: 1
  {{- end }}
  readOnlyRootFilesystem: true
  runAsUser:
    {{- if .Values.securityContext.runAsNonRoot }}
    rule: MustRunAsNonRoot
    {{- else }}
    rule: RunAsAny
    {{- end }}
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    {{- if .Values.securityContext.runAsNonRoot }}
    ranges:
      - max: 65535
        min: 1
    rule: MustRunAs
    {{- else }}
    rule: RunAsAny
    {{- end }}
  {{- /*
    Allow-list of volume types. hostPath is deliberately absent, so the
    hostPath example given for deployment.additionalVolumes in values.yaml
    would be rejected while this PSP is in force.
  */}}
  volumes:
    - configMap
    - downwardAPI
    - secret
    - emptyDir
    - projected
    {{- if .Values.persistence.enabled }}
    - persistentVolumeClaim
    {{- end -}}
{{- end -}}
--------------------------------------------------------------------------------
/ingress/traefik/templates/rbac/role.yaml:
--------------------------------------------------------------------------------
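{{- /*
  Namespace-scoped RBAC for Traefik, used when rbac.namespaced is true.
  Grants the same read verbs as rbac/clusterrole.yaml but only inside
  .Release.Namespace, so the providers must be limited to that namespace
  (providers.*.namespaces in values.yaml). IngressClass is cluster-scoped and
  cannot be granted from a Role, which is why it is absent here.
*/}}
{{- if and .Values.rbac.enabled .Values.rbac.namespaced }}
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: {{ template "traefik.fullname" . }}
  labels:
    app.kubernetes.io/name: {{ template "traefik.name" . }}
    helm.sh/chart: {{ template "traefik.chart" . }}
    app.kubernetes.io/managed-by: {{ .Release.Service }}
    app.kubernetes.io/instance: {{ .Release.Name }}
rules:
  {{- /* Read-only; `secrets` is needed for the TLS secrets referenced by routes, limited to this namespace. */}}
  - apiGroups:
      - ""
    resources:
      - services
      - endpoints
      - secrets
    verbs:
      - get
      - list
      - watch
  {{- /*
    networking.k8s.io added alongside the legacy `extensions` group to match
    rbac/clusterrole.yaml; without it the namespaced Role cannot read Ingress
    objects on clusters where extensions/v1beta1 Ingress no longer exists.
  */}}
  - apiGroups:
      - extensions
      - networking.k8s.io
    resources:
      - ingresses
    verbs:
      - get
      - list
      - watch
  {{- /* The only write permission: publishing the load-balancer address into Ingress status. */}}
  - apiGroups:
      - extensions
      - networking.k8s.io
    resources:
      - ingresses/status
    verbs:
      - update
  - apiGroups:
      - traefik.containo.us
    resources:
      - ingressroutes
      - ingressroutetcps
      - ingressrouteudps
      - middlewares
      - tlsoptions
      - tlsstores
      - traefikservices
    verbs:
      - get
      - list
      - watch
  {{- /*
    PodSecurityPolicy lives in the `policy` API group, as rbac/clusterrole.yaml
    already states; `extensions` was its pre-1.16 location. `use` is limited by
    resourceNames to the PSP this chart creates.
  */}}
  {{- if .Values.podSecurityPolicy.enabled }}
  - apiGroups:
      - policy
    resourceNames:
      - {{ template "traefik.fullname" . }}
    resources:
      - podsecuritypolicies
    verbs:
      - use
  {{- end -}}
{{- end -}}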
61 |
--------------------------------------------------------------------------------
/ingress/traefik/templates/rbac/rolebinding.yaml:
--------------------------------------------------------------------------------
{{- /*
  Binds the chart's namespaced Role (rbac/role.yaml) to the Traefik service
  account in the release namespace. Rendered only when rbac.enabled and
  rbac.namespaced are both true.
*/}}
{{- if and .Values.rbac.enabled .Values.rbac.namespaced }}
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: {{ include "traefik.fullname" . }}
  labels:
    app.kubernetes.io/name: {{ include "traefik.name" . }}
    helm.sh/chart: {{ include "traefik.chart" . }}
    app.kubernetes.io/managed-by: {{ .Release.Service }}
    app.kubernetes.io/instance: {{ .Release.Name }}
subjects:
  - kind: ServiceAccount
    name: {{ include "traefik.serviceAccountName" . }}
    namespace: {{ .Release.Namespace }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: {{ include "traefik.fullname" . }}
{{- end -}}
20 |
--------------------------------------------------------------------------------
/ingress/traefik/templates/rbac/serviceaccount.yaml:
--------------------------------------------------------------------------------
{{- /*
  ServiceAccount for the Traefik pods. Skipped when serviceAccount.name in
  values.yaml points at an existing account; otherwise the name comes from
  the traefik.serviceAccountName helper and the optional
  serviceAccountAnnotations map is copied onto it.
*/ -}}
{{- if not .Values.serviceAccount.name -}}
apiVersion: v1
kind: ServiceAccount
metadata:
  name: {{ include "traefik.serviceAccountName" . }}
  labels:
    app.kubernetes.io/name: {{ include "traefik.name" . }}
    helm.sh/chart: {{ include "traefik.chart" . }}
    app.kubernetes.io/managed-by: {{ .Release.Service }}
    app.kubernetes.io/instance: {{ .Release.Name }}
  annotations:
    {{- with .Values.serviceAccountAnnotations }}
    {{- toYaml . | nindent 4 }}
    {{- end }}
{{- end -}}
16 |
--------------------------------------------------------------------------------
/ingress/traefik/templates/service.yaml:
--------------------------------------------------------------------------------
{{- /*
  Renders a List holding up to two Services: one for the TCP entrypoints and
  one, suffixed "-udp", for the UDP entrypoints, since a single LoadBalancer
  Service could not mix the two protocols on older Kubernetes releases.
  Ports come from .Values.ports; only entries with `expose: true` are
  published.
*/ -}}
{{- if .Values.service.enabled -}}

{{- /* Split .Values.ports by protocol; anything that is not "UDP" (including an unset protocol) is treated as TCP. */}}
{{ $tcpPorts := dict }}
{{ $udpPorts := dict }}
{{- range $name, $config := .Values.ports }}
{{- if eq (toString $config.protocol) "UDP" }}
{{ $_ := set $udpPorts $name $config }}
{{- else }}
{{ $_ := set $tcpPorts $name $config }}
{{- end }}
{{- end }}

apiVersion: v1
kind: List
items:
{{- if $tcpPorts }}
  - apiVersion: v1
    kind: Service
    metadata:
      name: {{ template "traefik.fullname" . }}
      labels:
        app.kubernetes.io/name: {{ template "traefik.name" . }}
        helm.sh/chart: {{ template "traefik.chart" . }}
        app.kubernetes.io/managed-by: {{ .Release.Service }}
        app.kubernetes.io/instance: {{ .Release.Name }}
      {{- with .Values.service.labels }}
      {{- toYaml . | nindent 8 }}
      {{- end }}
      annotations:
      {{- with .Values.service.annotations }}
      {{- toYaml . | nindent 8 }}
      {{- end }}
    spec:
      {{- /* LoadBalancer unless service.type overrides it; service.spec is merged in verbatim (must not repeat type/selector/ports). */}}
      {{- $type := default "LoadBalancer" .Values.service.type }}
      type: {{ $type }}
      {{- with .Values.service.spec }}
      {{- toYaml . | nindent 6 }}
      {{- end }}
      selector:
        app.kubernetes.io/name: {{ template "traefik.name" . }}
        app.kubernetes.io/instance: {{ .Release.Name }}
      ports:
      {{- /* Service port is exposedPort when given, else the container port; targetPort is the named container port. */}}
      {{- range $name, $config := $tcpPorts }}
      {{- if $config.expose }}
      - port: {{ default $config.port $config.exposedPort }}
        name: {{ $name }}
        targetPort: {{ $name | quote }}
        protocol: {{ default "TCP" $config.protocol | quote }}
        {{- if $config.nodePort }}
        nodePort: {{ $config.nodePort }}
        {{- end }}
      {{- end }}
      {{- end }}
      {{- /*
        NOTE(review): loadBalancerSourceRanges is emitted only for type
        LoadBalancer and typically restricts the cloud load balancer alone;
        ports that also carry a nodePort stay reachable on every node
        regardless of this list.
      */}}
      {{- if eq $type "LoadBalancer" }}
      {{- with .Values.service.loadBalancerSourceRanges }}
      loadBalancerSourceRanges:
      {{- toYaml . | nindent 6 }}
      {{- end -}}
      {{- end -}}
      {{- with .Values.service.externalIPs }}
      externalIPs:
      {{- toYaml . | nindent 6 }}
      {{- end -}}
{{- end }}

{{- /* UDP twin of the Service above: same selector, type and spec, separate name and port set. */}}
{{- if $udpPorts }}
  - apiVersion: v1
    kind: Service
    metadata:
      name: {{ template "traefik.fullname" . }}-udp
      labels:
        app.kubernetes.io/name: {{ template "traefik.name" . }}
        helm.sh/chart: {{ template "traefik.chart" . }}
        app.kubernetes.io/managed-by: {{ .Release.Service }}
        app.kubernetes.io/instance: {{ .Release.Name }}
      annotations:
      {{- with .Values.service.annotations }}
      {{- toYaml . | nindent 8 }}
      {{- end }}
    spec:
      {{- $type := default "LoadBalancer" .Values.service.type }}
      type: {{ $type }}
      {{- with .Values.service.spec }}
      {{- toYaml . | nindent 6 }}
      {{- end }}
      selector:
        app.kubernetes.io/name: {{ template "traefik.name" . }}
        app.kubernetes.io/instance: {{ .Release.Name }}
      ports:
      {{- range $name, $config := $udpPorts }}
      {{- if $config.expose }}
      - port: {{ default $config.port $config.exposedPort }}
        name: {{ $name }}
        targetPort: {{ $name | quote }}
        protocol: {{ default "UDP" $config.protocol | quote }}
        {{- if $config.nodePort }}
        nodePort: {{ $config.nodePort }}
        {{- end }}
      {{- end }}
      {{- end }}
      {{- if eq $type "LoadBalancer" }}
      {{- with .Values.service.loadBalancerSourceRanges }}
      loadBalancerSourceRanges:
      {{- toYaml . | nindent 6 }}
      {{- end -}}
      {{- end -}}
      {{- with .Values.service.externalIPs }}
      externalIPs:
      {{- toYaml . | nindent 6 }}
      {{- end -}}
{{- end }}
{{- end -}}
113 |
--------------------------------------------------------------------------------
/ingress/traefik/templates/tlsoption.yaml:
--------------------------------------------------------------------------------
{{- /*
  One TLSOption CRD per key of .Values.tlsOptions; the key becomes the
  object name and the value is copied verbatim into spec (e.g. sniStrict, as
  in the values.yaml example). Traefik treats an option named "default" as
  the fallback for TLS connections that reference no option. Inside the
  range the root context must be reached through `$`.
*/}}
{{- range $name, $config := .Values.tlsOptions }}
apiVersion: traefik.containo.us/v1alpha1
kind: TLSOption
metadata:
  name: {{ $name }}
  labels:
    app.kubernetes.io/name: {{ template "traefik.name" $ }}
    helm.sh/chart: {{ template "traefik.chart" $ }}
    app.kubernetes.io/managed-by: {{ $.Release.Service }}
    app.kubernetes.io/instance: {{ $.Release.Name }}
spec:
  {{- toYaml $config | nindent 2 }}
---
{{- end -}}
15 |
--------------------------------------------------------------------------------
/ingress/traefik/values.yaml:
--------------------------------------------------------------------------------
# Default values for Traefik
image:
  name: traefik
  # defaults to appVersion
  tag: ""
  pullPolicy: IfNotPresent

#
# Configure the deployment
#
deployment:
  enabled: true
  # Number of pods of the deployment
  replicas: 1
  # Additional deployment annotations (e.g. for jaeger-operator sidecar injection)
  annotations: {}
  # Additional pod annotations (e.g. for mesh injection or prometheus scraping)
  podAnnotations: {}
  # Additional Pod labels (e.g. for filtering Pod by custom labels)
  podLabels: {}
  # Additional containers (e.g. for metric offloading sidecars)
  additionalContainers: []
    # https://docs.datadoghq.com/developers/dogstatsd/unix_socket/?tab=host
    # - name: socat-proxy
    #   image: alpine/socat:1.0.5
    #   args: ["-s", "-u", "udp-recv:8125", "unix-sendto:/socket/socket"]
    #   volumeMounts:
    #     - name: dsdsocket
    #       mountPath: /socket
  # Additional volumes available for use with initContainers and additionalContainers
  # (a hostPath volume such as the example below is not in the allow-list of
  # templates/rbac/podsecuritypolicy.yaml, so it is rejected while that PSP is enabled)
  additionalVolumes: []
    # - name: dsdsocket
    #   hostPath:
    #     path: /var/run/statsd-exporter
  # Additional initContainers (e.g. for setting file permission as shown below)
  initContainers: []
    # The "volume-permissions" init container is required if you run into permission issues.
    # Related issue: https://github.com/traefik/traefik/issues/6972
    # - name: volume-permissions
    #   image: busybox:1.31.1
    #   command: ["sh", "-c", "chmod -Rv 600 /data/*"]
    #   volumeMounts:
    #     - name: data
    #       mountPath: /data
  # Custom pod DNS policy. Apply if `hostNetwork: true`
  # dnsPolicy: ClusterFirstWithHostNet
  # Additional imagePullSecrets
  imagePullSecrets: []
    # - name: myRegistryKeySecretName

# Pod disruption budget
podDisruptionBudget:
  enabled: false
  # Set exactly one of the two; the template drops a value of 0 and the API
  # server rejects a budget that carries both.
  # maxUnavailable: 1
  # minAvailable: 0

# Use ingressClass. Ignored if Traefik version < 2.3 / kubernetes < 1.18.x
ingressClass:
  # true is not unit-testable yet, pending https://github.com/rancher/helm-unittest/pull/12
  enabled: false
  isDefaultClass: false

# Activate Pilot integration
pilot:
  enabled: false
  # The Pilot token is a credential: prefer supplying it at install time
  # (--set pilot.token=...) or through `env`/`envFrom` from a Secret rather
  # than committing it to this file.
  token: ""

# Enable experimental features
experimental:
  plugins:
    enabled: false

# Create an IngressRoute for the dashboard
ingressRoute:
  dashboard:
    enabled: true
    # Additional ingressRoute annotations (e.g. for kubernetes.io/ingress.class)
    annotations: {}
    # Additional ingressRoute labels (e.g. for filtering IngressRoute by custom labels)
    labels: {}

rollingUpdate:
  maxUnavailable: 1
  maxSurge: 1


#
# Configure providers
#
providers:
  kubernetesCRD:
    enabled: true
    namespaces: []
      # - "default"
  kubernetesIngress:
    enabled: true
    namespaces: []
      # - "default"
    # IP used for Kubernetes Ingress endpoints
    publishedService:
      enabled: false
      # Published Kubernetes Service to copy status from. Format: namespace/servicename
      # By default this Traefik service
      # pathOverride: ""

#
# Add volumes to the traefik pod. The volume name will be passed to tpl.
# This can be used to mount a cert pair or a configmap that holds a config.toml file.
# After the volume has been mounted, add the configs into traefik by using the `additionalArguments` list below, eg:
# additionalArguments:
# - "--providers.file.filename=/config/dynamic.toml"
volumes: []
# - name: public-cert
#   mountPath: "/certs"
#   type: secret
# - name: '{{ printf "%s-configs" .Release.Name }}'
#   mountPath: "/config"
#   type: configMap

# Additional volumeMounts to add to the Traefik container
additionalVolumeMounts: []
  # For instance when using a logshipper for access logs
  # - name: traefik-logs
  #   mountPath: /var/log/traefik

# Logs
# https://docs.traefik.io/observability/logs/
logs:
  # Traefik logs concern everything that happens to Traefik itself (startup, configuration, events, shutdown, and so on).
  general:
    # By default, the logs use a text format (common), but you can
    # also ask for the json format in the format option
    # format: json
    # By default, the level is set to ERROR. Alternative logging levels are DEBUG, PANIC, FATAL, ERROR, WARN, and INFO.
    level: ERROR
  access:
    # To enable access logs
    enabled: false
    # By default, logs are written using the Common Log Format (CLF).
    # To write logs in JSON, use json in the format option.
    # If the given format is unsupported, the default (CLF) is used instead.
    # format: json
    # To write the logs in an asynchronous fashion, specify a bufferingSize option.
    # This option represents the number of log lines Traefik will keep in memory before writing
    # them to the selected output. In some cases, this option can greatly help performances.
    # bufferingSize: 100
    # Filtering https://docs.traefik.io/observability/access-logs/#filtering
    filters: {}
      # statuscodes: "200,300-302"
      # retryattempts: true
      # minduration: 10ms
    # Fields
    # https://docs.traefik.io/observability/access-logs/#limiting-the-fieldsincluding-headers
    fields:
      general:
        defaultmode: keep
        names: {}
          # Examples:
          # ClientUsername: drop
      # Request headers are dropped unless listed in `names`, so credentials
      # carried in headers (e.g. Authorization) do not reach the access log
      # by default; keep `defaultmode: drop` when adding exceptions.
      headers:
        defaultmode: drop
        names: {}
          # Examples:
          # User-Agent: redact
          # Authorization: drop
          # Content-Type: keep

# Both flags cause outbound calls from the pod (new-version check and
# anonymous usage reporting); remove them in air-gapped or
# privacy-sensitive clusters.
globalArguments:
  - "--global.checknewversion"
  - "--global.sendanonymoususage"

#
# Configure Traefik static configuration
# Additional arguments to be passed at Traefik's binary
# All available options available on https://docs.traefik.io/reference/static-configuration/cli/
## Use curly braces to pass values: `helm install --set="additionalArguments={--providers.kubernetesingress.ingressclass=traefik-internal,--log.level=DEBUG}"`
additionalArguments: []
#  - "--providers.kubernetesingress.ingressclass=traefik-internal"
#  - "--log.level=DEBUG"

# Environment variables to be passed to Traefik's binary
env: []
# - name: SOME_VAR
#   value: some-var-value
# - name: SOME_VAR_FROM_CONFIG_MAP
#   valueFrom:
#     configMapRef:
#       name: configmap-name
#       key: config-key
# - name: SOME_SECRET
#   valueFrom:
#     secretKeyRef:
#       name: secret-name
#       key: secret-key

envFrom: []
# - configMapRef:
#     name: config-map-name
# - secretRef:
#     name: secret-name

# Configure ports
ports:
  # The name of this one can't be changed as it is used for the readiness and
  # liveness probes, but you can adjust its config to your liking
  traefik:
    port: 9000
    # Use hostPort if set.
    # hostPort: 9000
    # nodePort: 9000
    #
    # Use hostIP if set. If not set, Kubernetes will default to 0.0.0.0, which
    # means it's listening on all your interfaces and all your IPs. You may want
    # to set this value if you need traefik to listen on specific interface
    # only.
    # hostIP: 192.168.100.10

    # Defines whether the port is exposed if service.type is LoadBalancer or
    # NodePort.
    #
    # You SHOULD NOT expose the traefik port on production deployments.
    # If you want to access it from outside of your cluster,
    # use `kubectl port-forward` or create a secure ingress
    #
    # NOTE(review): `expose: true` below contradicts the warning above. With
    # the default service.type LoadBalancer it publishes the internal
    # `traefik` entrypoint (probes, and the API/dashboard if deployment.yaml
    # enables it) outside the cluster. Set it to false unless this is a
    # throwaway test cluster.
    expose: true
    # The exposed port for this service
    exposedPort: 9000
    # The port protocol (TCP/UDP)
    protocol: TCP
  web:
    port: 8000
    # hostPort: 8000
    expose: true
    exposedPort: 80
    # The port protocol (TCP/UDP)
    protocol: TCP
    # Use nodeport if set. This is useful if you have configured Traefik in a
    # LoadBalancer
    # A fixed nodePort also opens this port on every node; service.loadBalancerSourceRanges
    # does not restrict that path.
    nodePort: 32080
    # Port Redirections
    # Added in 2.2, you can make permanent redirects via entrypoints.
    # https://docs.traefik.io/routing/entrypoints/#redirection
    # redirectTo: websecure
  websecure:
    port: 8443
    # hostPort: 8443
    expose: true
    exposedPort: 443
    # The port protocol (TCP/UDP)
    protocol: TCP
    nodePort: 32443
    # Set TLS at the entrypoint
    # https://doc.traefik.io/traefik/routing/entrypoints/#tls
    # Left disabled here: TLS must then be configured per router (or via
    # tlsOptions below) for the websecure entrypoint to actually serve HTTPS.
    tls:
      enabled: false
      # this is the name of a TLSOption definition
      options: ""
      certResolver: ""
      domains: []
      # - main: example.com
      #   sans:
      #     - foo.example.com
      #     - bar.example.com

# TLS Options are created as TLSOption CRDs
# https://doc.traefik.io/traefik/https/tls/#tls-options
# Example:
# tlsOptions:
#   default:
#     sniStrict: true
#     preferServerCipherSuites: true
#   foobar:
#     curvePreferences:
#       - CurveP521
#       - CurveP384
tlsOptions: {}

# Options for the main traefik service, where the entrypoints traffic comes
# from.
service:
  enabled: true
  type: LoadBalancer
  # Additional annotations (e.g. for cloud provider specific config)
  annotations: {}
  # Additional service labels (e.g. for filtering Service by custom labels)
  labels: {}
  # Additional entries here will be added to the service spec. Cannot contain
  # type, selector or ports entries.
  spec: {}
    # externalTrafficPolicy: Cluster
    # loadBalancerIP: "1.2.3.4"
    # clusterIP: "2.3.4.5"
  # Empty list = the load balancer accepts traffic from any source; only
  # applied when type is LoadBalancer (see templates/service.yaml).
  loadBalancerSourceRanges: []
    # - 192.168.0.1/32
    # - 172.16.0.0/16
  externalIPs: []
    # - 1.2.3.4

## Create HorizontalPodAutoscaler object.
##
autoscaling:
  enabled: false
#   minReplicas: 1
#   maxReplicas: 10
#   metrics:
#   - type: Resource
#     resource:
#       name: cpu
#       targetAverageUtilization: 60
#   - type: Resource
#     resource:
#       name: memory
#       targetAverageUtilization: 60

# Enable persistence using Persistent Volume Claims
# ref: http://kubernetes.io/docs/user-guide/persistent-volumes/
# After the pvc has been mounted, add the configs into traefik by using the `additionalArguments` list below, eg:
# additionalArguments:
# - "--certificatesresolvers.le.acme.storage=/data/acme.json"
# It will persist TLS certificates.
persistence:
  enabled: false
#  existingClaim: ""
  accessMode: ReadWriteOnce
  size: 128Mi
  # storageClass: ""
  path: /data
  annotations: {}
  # subPath: "" # only mount a subpath of the Volume into the pod

# If hostNetwork is true, runs traefik in the host network namespace
# To prevent unschedulable pods due to port collisions, if hostNetwork=true
# and replicas>1, a pod anti-affinity is recommended and will be set if the
# affinity is left as default.
hostNetwork: false

# Whether Role Based Access Control objects like roles and rolebindings should be created
rbac:
  enabled: true

  # If set to false, installs ClusterRole and ClusterRoleBinding so Traefik can be used across namespaces.
  # If set to true, installs namespace-specific Role and RoleBinding and requires provider configuration be set to that same namespace
  # Note that the ClusterRole grants read access to Secrets in every
  # namespace; the namespaced Role confines that to the release namespace.
  namespaced: false

# Enable to create a PodSecurityPolicy and assign it to the Service Account via RoleBinding or ClusterRoleBinding
podSecurityPolicy:
  enabled: false

# The service account the pods will use to interact with the Kubernetes API
serviceAccount:
  # If set, an existing service account is used
  # If not set, a service account is created automatically using the fullname template
  name: ""

# Additional serviceAccount annotations (e.g. for oidc authentication)
serviceAccountAnnotations: {}

resources: {}
  # requests:
  #   cpu: "100m"
  #   memory: "50Mi"
  # limits:
  #   cpu: "300m"
  #   memory: "150Mi"
affinity: {}
# # This example pod anti-affinity forces the scheduler to put traefik pods
# # on nodes where no other traefik pods are scheduled.
# # It should be used when hostNetwork: true to prevent port conflicts
#   podAntiAffinity:
#     requiredDuringSchedulingIgnoredDuringExecution:
#       - labelSelector:
#           matchExpressions:
#             - key: app
#               operator: In
#               values:
#                 - {{ template "traefik.name" . }}
#         topologyKey: failure-domain.beta.kubernetes.io/zone
nodeSelector: {}
tolerations: []

# Pods can have priority.
# Priority indicates the importance of a Pod relative to other Pods.
priorityClassName: ""

# Set the container security context
# To run the container with ports below 1024 this will need to be adjusted to run as root
# (non-root, no capabilities, read-only root filesystem: keep these unless
# the port layout above really requires privileged binding)
securityContext:
  capabilities:
    drop: [ALL]
  readOnlyRootFilesystem: true
  runAsGroup: 65532
  runAsNonRoot: true
  runAsUser: 65532

podSecurityContext:
  fsGroup: 65532
396 |
--------------------------------------------------------------------------------
/jenkins/jenkins-deploy.yaml:
--------------------------------------------------------------------------------
1 | ---
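apiVersion: apps/v1
kind: Deployment
metadata:
  name: jenkins
  namespace: devops
spec:
  selector:
    matchLabels:
      app: jenkins
  replicas: 1
  # All Jenkins state (config, credential store, job history) lives on the
  # single jenkins-pvc volume. Recreate prevents a rolling update from running
  # two controllers against the same JENKINS_HOME at once (same strategy
  # nfs/nfs-client.yaml already uses).
  strategy:
    type: Recreate
  template:
    metadata:
      labels:
        app: jenkins
    spec:
      terminationGracePeriodSeconds: 10
      # `serviceAccountName` is the supported field; `serviceAccount` is a
      # deprecated alias. Permissions come from jenkins-rbac.yaml.
      serviceAccountName: jenkins-sa
      securityContext:
        # Supplemental group for the NFS-backed home; 1000 presumably matches
        # the uid/gid the image runs as.
        fsGroup: 1000
      containers:
        - name: jenkins
          image: registry.cn-hangzhou.aliyuncs.com/rookieops/jenkins:2.18.2
          imagePullPolicy: IfNotPresent
          securityContext:
            # NOTE(review): assumes this mirror image runs as a non-root
            # jenkins user (fsGroup 1000 above suggests so). If it runs as
            # root the kubelet rejects the pod — confirm before rollout.
            runAsNonRoot: true
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
          env:
            - name: JAVA_OPTS
              value: -XshowSettings:vm -Dhudson.slaves.NodeProvisioner.initialDelay=0 -Dhudson.slaves.NodeProvisioner.MARGIN=50 -Dhudson.slaves.NodeProvisioner.MARGIN0=0.85 -Duser.timezone=Asia/Shanghai
          ports:
            - containerPort: 8080
              name: web
              protocol: TCP
            # Inbound agent (JNLP) port; only needs in-cluster reachability.
            - containerPort: 50000
              name: agent
              protocol: TCP
          resources:
            limits:
              cpu: 1000m
              memory: 1Gi
            requests:
              cpu: 500m
              memory: 512Mi
          livenessProbe:
            httpGet:
              path: /login
              port: 8080
            initialDelaySeconds: 130
            timeoutSeconds: 5
            failureThreshold: 12
          readinessProbe:
            httpGet:
              path: /login
              port: 8080
            initialDelaySeconds: 120
            timeoutSeconds: 5
            failureThreshold: 12
          volumeMounts:
            - name: jenkinshome
              mountPath: /var/jenkins_home
      volumes:
        - name: jenkinshome
          persistentVolumeClaim:
            claimName: jenkins-pvc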
63 |
64 | ---
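apiVersion: v1
kind: Service
metadata:
  name: jenkins
  namespace: devops
  labels:
    app: jenkins
spec:
  selector:
    app: jenkins
  # ClusterIP: the UI is published through the Traefik IngressRoute below,
  # and the agent port only needs to be reachable from in-cluster agents
  # (jenkins.devops.svc:50000). The previous NodePort published the UI on
  # 30002 and the agent port on a random node port on every node, bypassing
  # the ingress layer. Re-add a NodePort only if agents outside the cluster
  # must connect.
  type: ClusterIP
  ports:
    - name: web
      port: 8080
      targetPort: web
    - name: agent
      port: 50000
      targetPort: agent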
84 |
85 | ---
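apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: jenkins
  namespace: devops
spec:
  # Jenkins is a credentialed admin UI: terminate TLS at Traefik instead of
  # serving logins over the plaintext `web` entrypoint. Assumes the Traefik
  # install exposes a `websecure` entrypoint (the bundled chart's default).
  entryPoints:
    - websecure
  routes:
    - match: Host(`jenkins-test.xxxx.cn`)
      kind: Rule
      services:
        - name: jenkins
          port: 8080
  # Empty tls block = certificate from Traefik's default TLS store; until one
  # is configured Traefik serves its self-signed default certificate. Add a
  # redirect middleware on `web` if plain-HTTP URLs must keep working.
  tls: {}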
100 |
--------------------------------------------------------------------------------
/jenkins/jenkins-maven-cache.yaml:
--------------------------------------------------------------------------------
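apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: maven-cache-pvc
  namespace: devops
spec:
  # storageClassName replaces the deprecated
  # volume.beta.kubernetes.io/storage-class annotation (same class the
  # sonarqube claims already use). PVC spec is immutable: this only applies to
  # a newly created claim; an existing bound claim keeps working unchanged.
  storageClassName: nfs-client-storageclass
  # Shared writable Maven cache: any pipeline that can write here can plant
  # artifacts that later builds consume. Treat every job with access to this
  # claim as equally trusted.
  accessModes:
    - ReadWriteMany
  resources:
    requests:
      storage: 5Gi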
14 |
--------------------------------------------------------------------------------
/jenkins/jenkins-rbac.yaml:
--------------------------------------------------------------------------------
# Identity the Jenkins controller pod runs as (jenkins-deploy.yaml); what it
# may do is decided by the binding further down in this file. Its token is
# mounted into the pod by default.
apiVersion: v1
kind: ServiceAccount
metadata:
  namespace: devops
  name: jenkins-sa
6 |
7 | ---
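# rbac v1beta1 is deprecated (removed in Kubernetes 1.22); v1 is what
# nfs/nfs-client.yaml already uses.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: jenkins-cr
# Verbs the Jenkins controller needs to run pipeline agents as pods and roll
# out workloads. A ClusterRole only lists verbs; whether they apply
# cluster-wide or to one namespace is decided by the binding below — bind it
# with a namespaced RoleBinding unless pipelines really must touch other
# namespaces.
rules:
  - apiGroups: ["extensions", "apps"]
    resources: ["deployments"]
    verbs: ["create", "delete", "get", "list", "watch", "patch", "update"]
  - apiGroups: [""]
    resources: ["services"]
    verbs: ["create", "delete", "get", "list", "watch", "patch", "update"]
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
  # pods/exec is code execution inside any pod in the bound scope. Only
  # `create` and `get` correspond to real API operations on this subresource;
  # the other verbs granted nothing and are dropped.
  - apiGroups: [""]
    resources: ["pods/exec"]
    verbs: ["create", "get"]
  - apiGroups: [""]
    resources: ["pods/log"]
    verbs: ["get", "list", "watch"]
  # `get` only (no list): secrets referenced by name. Every Secret name in
  # the bound scope is still readable, which is why the binding must stay
  # namespaced.
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get"]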
31 |
32 | ---
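apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: jenkins-crd
  namespace: devops
# A RoleBinding may reference a ClusterRole; the grant then applies only in
# this namespace. The previous ClusterRoleBinding gave jenkins-sa pods/exec,
# secret reads and deployment writes in every namespace (kube-system
# included), i.e. effective cluster-wide control from a CI token.
# Changing the kind does not remove the old object: delete the existing
# ClusterRoleBinding `jenkins-crd` by hand. If pipelines must deploy to
# other namespaces, add one RoleBinding per target namespace instead.
roleRef:
  kind: ClusterRole
  name: jenkins-cr
  apiGroup: rbac.authorization.k8s.io
subjects:
  - kind: ServiceAccount
    name: jenkins-sa
    namespace: devops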
45 |
--------------------------------------------------------------------------------
/jenkins/jenkins-storage.yaml:
--------------------------------------------------------------------------------
1 | #---
2 | #apiVersion: v1
3 | #kind: PersistentVolume
4 | #metadata:
5 | # name: jenkins-pv
6 | #spec:
7 | # capacity:
8 | # storage: 5Gi
9 | # accessModes:
10 | # - ReadWriteMany
11 | # persistentVolumeReclaimPolicy: Delete
12 | # nfs:
13 | # server: 192.168.0.177
14 | # path: /data/k8s/jenkins
15 | #
16 | #---
17 | #apiVersion: v1
18 | #kind: PersistentVolumeClaim
19 | #metadata:
20 | # name: jenkins-pvc
21 | # namespace: devops
22 | #spec:
23 | # accessModes:
24 | # - ReadWriteMany
25 | # resources:
26 | # requests:
27 | # storage: 5Gi
28 |
29 | ---
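apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: jenkins-pvc
  namespace: devops
spec:
  # storageClassName replaces the deprecated beta annotation. PVC spec is
  # immutable: this only applies to a newly created claim; an existing bound
  # claim keeps working unchanged.
  storageClassName: nfs-client-storageclass
  accessModes:
    - ReadWriteMany
  resources:
    requests:
      storage: 5Gi
# JENKINS_HOME, including the Jenkins credential store, lives on this NFS
# volume. Anyone who can mount the export — or exec into the provisioner pod
# in nfs/nfs-client.yaml, which mounts the export root — can read every
# stored credential. Restrict the export to the cluster nodes.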
43 |
--------------------------------------------------------------------------------
/nfs/nfs-client.yaml:
--------------------------------------------------------------------------------
1 | ---
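apiVersion: v1
kind: ServiceAccount
metadata:
  name: nfs-client-provisioner
  # The ClusterRoleBinding below names this account in `default`; pin the
  # namespace here so applying the file with `-n <other>` cannot silently
  # create an unbound account.
  namespace: default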
6 |
7 | ---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: nfs-client-provisioner-clusterrole
# Cluster-scoped because PersistentVolumes are not namespaced and claims are
# created in other namespaces (devops, via jenkins/ and sonarqube/). No verbs
# on pods, secrets or exec.
rules:
  - apiGroups:
      - ""
    resources:
      - persistentvolumes
    verbs:
      - get
      - list
      - watch
      - create
      - delete
  - apiGroups:
      - ""
    resources:
      - persistentvolumeclaims
    verbs:
      - get
      - list
      - watch
      - update
  - apiGroups:
      - storage.k8s.io
    resources:
      - storageclasses
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - ""
    resources:
      - events
    verbs:
      - list
      - watch
      - create
      - update
      - patch
  # Full access to endpoints — presumably used as the provisioner's leader
  # election lock; confirm against the provisioner version in use.
  - apiGroups:
      - ""
    resources:
      - endpoints
    verbs:
      - create
      - delete
      - get
      - list
      - watch
      - patch
      - update
28 |
29 | ---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: nfs-client-provisioner-clusterrolebinding
# Grants the ClusterRole above to the provisioner's ServiceAccount, which
# must exist in `default` (the subject namespace is fixed here).
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: nfs-client-provisioner-clusterrole
subjects:
  - kind: ServiceAccount
    namespace: default
    name: nfs-client-provisioner
42 |
43 | ---
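apiVersion: apps/v1
kind: Deployment
metadata:
  # Name kept as-is (typo "prosioner" included) so an existing rollout is
  # updated in place instead of duplicated; selector labels must match it.
  name: nfs-client-prosioner
  # Explicit namespace: the ClusterRoleBinding above binds the ServiceAccount
  # in `default`, so the pod must run there to receive those permissions.
  namespace: default
spec:
  replicas: 1
  strategy:
    type: Recreate
  selector:
    matchLabels:
      app: nfs-client-prosioner
  template:
    metadata:
      labels:
        app: nfs-client-prosioner
    spec:
      serviceAccountName: nfs-client-provisioner
      containers:
        - name: nfs-client-prosioner
          # Third-party mirror of the provisioner image. Whoever controls
          # this tag controls a pod with the whole NFS export mounted
          # read-write; pin by digest once the image has been verified.
          image: registry.cn-hangzhou.aliyuncs.com/rookieops/nfs-client-provisioner:v0.1
          imagePullPolicy: IfNotPresent
          env:
            # Must equal `provisioner` in nfs/nfs-storage.yaml.
            - name: PROVISIONER_NAME
              value: rookieops/nfs
            - name: NFS_SERVER
              value: 192.168.0.177
            - name: NFS_PATH
              value: /data/k8s
          volumeMounts:
            - name: nfs-client-root
              mountPath: /data/pv
      volumes:
        # The export root presumably holds every dynamically provisioned
        # volume (Jenkins home, PostgreSQL data, SonarQube data), so this pod
        # can read all of them; limit who may exec into it.
        - name: nfs-client-root
          nfs:
            server: 192.168.0.177
            path: /data/k8s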
80 |
--------------------------------------------------------------------------------
/nfs/nfs-storage.yaml:
--------------------------------------------------------------------------------
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: nfs-client-storageclass
# Must equal PROVISIONER_NAME in nfs/nfs-client.yaml.
# No reclaimPolicy is set, so it defaults to Delete: deleting a claim
# (jenkins-pvc, claim-postgres, ...) lets the provisioner remove or rename the
# backing directory. NOTE(review): consider `reclaimPolicy: Retain` for claims
# holding CI credentials or a database — confirm how this provisioner version
# handles deletion before relying on either behaviour.
provisioner: rookieops/nfs
6 |
--------------------------------------------------------------------------------
/sonarqube/sonarqube-deploy.yaml:
--------------------------------------------------------------------------------
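apiVersion: apps/v1
kind: Deployment
metadata:
  name: sonarqube
  namespace: devops
spec:
  selector:
    matchLabels:
      name: sonarqube
  replicas: 1
  # Single instance on two PVCs: Recreate stops a rolling update from starting
  # a second SonarQube on the same data directories (same strategy
  # nfs/nfs-client.yaml uses).
  strategy:
    type: Recreate
  template:
    metadata:
      name: sonarqube
      labels:
        name: sonarqube
    spec:
      # Init container raises vm.max_map_count, without which SonarQube's
      # embedded search engine may fail to start. The sysctl is node-wide and
      # not namespaced, hence `privileged`, which is full host access from
      # this pod. Prefer setting the sysctl on the nodes themselves and
      # removing this container when you control the node configuration.
      initContainers:
        - name: init-sysctl
          # Unpinned tag; pin a specific tag or digest.
          image: busybox
          imagePullPolicy: IfNotPresent
          command: ["sysctl", "-w", "vm.max_map_count=262144"]
          securityContext:
            privileged: true
      containers:
        - name: sonarqube
          # `latest` is mutable: a new major release can change the accepted
          # environment variable names (newer images document SONAR_JDBC_*
          # rather than SONARQUBE_JDBC_*) and the database schema. Pin a
          # version and upgrade deliberately.
          image: sonarqube:latest
          args:
            - -Dsonar.web.context=/
          lifecycle:
            postStart:
              exec:
                command:
                  - touch
                  - /opt/sonarqube/logs/es.log
          env:
            # The `postgres-pwd` Secret is not defined in this repo; it must
            # exist in `devops` before this Deployment is applied.
            - name: SONARQUBE_JDBC_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: postgres-pwd
                  key: password
            - name: SONARQUBE_JDBC_URL
              value: jdbc:postgresql://sonar-postgres:5432/sonar
            - name: SONARQUBE_JDBC_USERNAME
              value: sonar
          ports:
            - containerPort: 9000
              name: sonarqube
          volumeMounts:
            - mountPath: "/opt/sonarqube/data/"
              name: sonar-data
            - mountPath: "/opt/sonarqube/extensions/"
              name: sonar-extensions
      volumes:
        - name: sonar-data
          persistentVolumeClaim:
            claimName: sonar-data
        - name: sonar-extensions
          persistentVolumeClaim:
            claimName: sonar-extensions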
60 | ---
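apiVersion: v1
kind: Service
metadata:
  labels:
    name: sonar
  name: sonar
  namespace: devops
spec:
  # ClusterIP instead of NodePort: the UI is published through the Traefik
  # IngressRoute below. The previous NodePort (no nodePort set, so a random
  # port) exposed 9000 directly on every node, outside the ingress layer.
  type: ClusterIP
  ports:
    - port: 9000
      targetPort: 9000
      name: sonarport
  selector:
    name: sonarqube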
76 | ---
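apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: sonarqube
  namespace: devops
spec:
  # SonarQube logins and tokens should not transit the plaintext `web`
  # entrypoint; terminate TLS at Traefik. Assumes the Traefik install exposes
  # a `websecure` entrypoint (the bundled chart's default).
  entryPoints:
    - websecure
  routes:
    - match: Host(`sonarqube-test.xxxx.cn`)
      kind: Rule
      services:
        - name: sonar
          port: 9000
  # Empty tls block = certificate from Traefik's default TLS store; until one
  # is configured Traefik serves its self-signed default certificate.
  tls: {}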
91 |
--------------------------------------------------------------------------------
/sonarqube/sonarqube-postgresql-deploy.yaml:
--------------------------------------------------------------------------------
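apiVersion: apps/v1
kind: Deployment
metadata:
  name: sonar-postgres
  namespace: devops
spec:
  selector:
    matchLabels:
      name: sonar-postgres
  replicas: 1
  # Single-writer database on one PVC: Recreate so a rollout never runs two
  # postgres processes on the same data directory (on NFS-backed storage
  # ReadWriteOnce is advisory only). Matches nfs/nfs-client.yaml.
  strategy:
    type: Recreate
  template:
    metadata:
      name: sonar-postgres
      labels:
        name: sonar-postgres
    spec:
      containers:
        - name: sonar-postgres
          # `latest` follows major releases; a newer major cannot open a data
          # directory initialised by an older one, so an image refresh can
          # leave this pod crash-looping. Pin the major version the existing
          # data directory was created with.
          image: postgres:latest
          env:
            # Same `postgres-pwd` Secret that sonarqube-deploy.yaml reads; it
            # is created out of band, not by this repo.
            - name: POSTGRES_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: postgres-pwd
                  key: password
            - name: POSTGRES_USER
              value: sonar
            - name: POSTGRES_DB
              value: sonar
          ports:
            - containerPort: 5432
              name: postgresport
          volumeMounts:
            # This name must match volumes[].name below.
            - name: data-disk
              mountPath: /var/lib/postgresql/data
      volumes:
        - name: data-disk
          persistentVolumeClaim:
            claimName: claim-postgres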
41 | ---
apiVersion: v1
kind: Service
metadata:
  name: sonar-postgres
  namespace: devops
  labels:
    name: sonar-postgres
# Cluster-internal only (type defaults to ClusterIP). SonarQube connects to
# it as sonar-postgres:5432, see SONARQUBE_JDBC_URL in sonarqube-deploy.yaml.
spec:
  selector:
    name: sonar-postgres
  ports:
    - port: 5432
54 |
--------------------------------------------------------------------------------
/sonarqube/sonarqube-storage.yaml:
--------------------------------------------------------------------------------
# PostgreSQL data directory for sonar-postgres (sonarqube-postgresql-deploy.yaml).
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: claim-postgres
  namespace: devops
spec:
  storageClassName: nfs-client-storageclass
  # Block style to match the other claims in this file. On NFS-backed
  # storage ReadWriteOnce is advisory only.
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 5Gi
12 | ---
# Mounted at /opt/sonarqube/data/ by sonarqube-deploy.yaml.
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: sonar-data
  namespace: devops
spec:
  storageClassName: nfs-client-storageclass
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 1Gi
25 | ---
# Mounted at /opt/sonarqube/extensions/ by sonarqube-deploy.yaml. Plugins
# installed here execute inside SonarQube, so write access to this volume is
# code execution in the server.
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: sonar-extensions
  namespace: devops
spec:
  storageClassName: nfs-client-storageclass
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 1Gi
38 |
--------------------------------------------------------------------------------