├── .github
└── assets
│ └── img
│ └── dap.png
├── .gitignore
├── README.md
├── ansible.cfg
├── front-proxy-playbook.yml
├── harbor-playbook.yml
├── inventory
└── main.yml
├── kubernetes-playbook.yml
└── roles
├── cert-manager
├── tasks
│ └── main.yml
└── templates
│ ├── cert-manager.yml.j2
│ ├── issuer-prd.yml.j2
│ └── issuer-stg.yml.j2
├── commons
└── tasks
│ └── main.yml
├── contour
├── tasks
│ └── main.yml
└── templates
│ └── contour.yml.j2
├── docker
└── tasks
│ └── main.yml
├── front-proxy
├── tasks
│ └── main.yml
└── templates
│ ├── envoy.system.j2
│ └── envoy.yaml.j2
├── harbor
├── tasks
│ └── main.yml
└── templates
│ └── harbor.yml.j2
├── kubernetes
└── tasks
│ └── main.yml
├── letsencrypt
└── tasks
│ └── main.yml
├── linkerd
├── tasks
│ ├── dashboard.yml
│ ├── main.yml
│ └── setup.yml
└── templates
│ ├── dashboard.yml.j2
│ └── linkerd.yml.j2
├── masters
├── tasks
│ ├── flannel.yml
│ ├── main.yml
│ ├── setup.yml
│ └── token.yml
└── templates
│ ├── kube-flannel.yml.j2
│ └── kubelet-config.yml.j2
└── nodes
└── tasks
└── main.yml
/.github/assets/img/dap.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/msfidelis/cncf-platform-stack/064b431cc7ef4ee63a2033cfa33ff5d1684e0613/.github/assets/img/dap.png
--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
1 | cncf_key*
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | Welcome to Cloud Native Computing Foundation Platform Stack 👋
2 |
3 | 
4 |
5 | 
6 |
7 |
8 | 
9 |
10 |
11 | 
12 |
13 |
14 |
15 | > Application Platform using only CNCF Stack
16 |
17 | ## Architecture
18 |
19 | 
20 |
21 | ## Videos / Playlists
22 |
23 | * [Playlist completa](https://www.youtube.com/playlist?list=PLsyPhquWMjqEBjY0neO8R7qGIRP0Kkwm3)
24 |
25 | * [[CNCF Challenge] Cap. 1 - Intro](https://www.youtube.com/watch?v=pFstphlh5A8&list=PLsyPhquWMjqGk4yowFg-9vvpgwjZH_PBt&index=2&t=0s) - [Exemplos](https://github.com/msfidelis/cncf-platform-stack/tree/cap01_intro)
26 |
27 | * [[CNCF Challenge] Cap. 2 - Commons](https://www.youtube.com/watch?v=rpHuIlN46zg&list=PLsyPhquWMjqFIP7jcBz52tqJpgRjuxDKo) - [Exemplos](https://github.com/msfidelis/cncf-platform-stack/tree/cap02_commons)
28 |
29 | * [[CNCF Challenge] Cap. 3 - Harbor como Registry](https://www.youtube.com/watch?v=c-1Xw7TcrCs&list=PLsyPhquWMjqEdJHownusV1NMtCycZELEI) - [Exemplos](https://github.com/msfidelis/cncf-platform-stack/tree/cap03_harbor)
30 |
31 | * [[CNCF Challenge] Cap. 4 - Kubernetes](https://www.youtube.com/watch?v=p4cUYARKlxA&list=PLsyPhquWMjqGKDaalHH-BAZjkLRT_hDvH) - [Exemplos](https://github.com/msfidelis/cncf-platform-stack/tree/cap04_k8s)
32 |
33 | * [[CNCF Challenge] Cap. 5 - Contour Como Ingress Controller](https://www.youtube.com/playlist?list=PLsyPhquWMjqGN8d-ETwiw28p0xFfy9vJC) - [Exemplos](https://github.com/msfidelis/cncf-platform-stack/tree/cap05_contour)
34 |
35 | * [[CNCF Challenge] Cap. 6 - Service Mesh com Linkerd](https://www.youtube.com/playlist?list=PLsyPhquWMjqGe0E8SiWh3Rv_B0lxwmL2O) - [Exemplos](https://github.com/msfidelis/cncf-platform-stack/tree/cap06_linkerd)
36 |
37 | * [[CNCF Challenge] Cap. 7 - Cert-Manager no Kubernetes](https://www.youtube.com/playlist?list=PLsyPhquWMjqFlrDXS0_DUsUntOb0BADrh) - [Exemplos](https://github.com/msfidelis/cncf-platform-stack/tree/cap07_cert_manager)
38 |
39 | * [[CNCF Challenge] Cap. 8 - Front Proxy com Envoy](https://www.youtube.com/playlist?list=PLsyPhquWMjqE7g-cebsM0vfOQaF9CJJx_) - [Exemplos](https://github.com/msfidelis/cncf-platform-stack/tree/cap08_front_proxy)
40 |
41 | ## Stack
42 |
43 | | Component | Project / Technology |
44 | | --------------------------|-------------------------------------------|
45 | | Automation Tool | [Ansible](https://www.ansible.com) |
46 | | Container runtime | [Docker](https://www.docker.com) |
47 | | Container orchestration | [Kubernetes](https://kubernetes.io) |
48 | | Registry | [Harbor](https://goharbor.io) |
49 | | Ingress Controller | [Contour](https://projectcontour.io) |
50 | | Service Mesh | [Linkerd](https://linkerd.io) |
51 | | HTTPS Certs Manager | [cert-manager](https://cert-manager.io/) |
52 | | Front Proxy | [Envoy Proxy](https://www.envoyproxy.io) |
53 |
54 | ### 🏠 [Homepage](/)
55 |
56 | ### ✨ [Demo](/)
57 |
58 | ## Referencias
59 |
60 | * O Formato deste curso é baseado totalmente na didática do [curso de Golang](https://www.youtube.com/watch?v=WiGU_ZB-u0w&list=PLCKpcjBB_VlBsxJ9IseNxFllf-UFEXOdg) da Ellen Körbes
61 |
62 | * [Home da CNCF](https://www.cncf.io)
63 | * [Projetos da CNCF](https://www.cncf.io/projects)
64 | * [Docs do Harbor](https://goharbor.io/docs/1.10/)
65 | * [Certbot](https://certbot.eff.org/docs/)
66 | * [Docs Clair](https://github.com/quay/clair/tree/master/Documentation)
67 | * [Algoritmos de Load Balancing do Envoy](https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/upstream/load_balancing/load_balancers)
68 | * [Repositório com exemplos de uso do Envoy](https://github.com/msfidelis/envoy-proxy-examples)
69 |
70 | ## Microserviços utilizados na aula pra testes
71 |
72 | * [Whois Microservice](https://github.com/msfidelis/microservice-nadave-whois)
73 | * [Faker Person Generator Microservice](https://github.com/msfidelis/microservice-nadave-fake-person)
74 | * [Chip](https://github.com/msfidelis/chip)
75 |
76 | ## Install
77 |
78 | ```sh
79 | git clone $
80 | ```
81 |
82 | ## Usage
83 |
84 | ### Harbor Setup
85 |
86 | ```sh
87 | ansible-playbook -i harbor-playbook.yml
88 | ```
89 |
90 | ### Kubernetes Setup
91 |
92 | ```sh
93 | ansible-playbook -i kubernetes-playbook.yml
94 | ```
95 |
96 | ### Front Proxy Setup
97 |
98 | ```sh
99 | ansible-playbook -i front-proxy-playbook.yml
100 | ```
101 |
102 | ## Author
103 |
104 | 👤 **Matheus Scarpato Fidelis**
105 |
106 | * Website: https://raj.ninja
107 | * Twitter: [@fidelissauro](https://twitter.com/fidelissauro)
108 | * Github: [@msfidelis](https://github.com/msfidelis)
109 | * LinkedIn: [@msfidelis](https://linkedin.com/in/msfidelis)
110 |
111 | ## 🤝 Contributing
112 |
113 | Contributions, issues and feature requests are welcome!
Feel free to check [issues page](/issues).
114 |
115 | ## Show your support
116 |
117 | Give a ⭐️ if this project helped you!
118 |
119 | ## 📝 License
120 |
121 | Copyright © 2020 [Matheus Scarpato Fidelis](https://github.com/msfidelis).
122 | This project is [MIT](/LICENSE) licensed.
123 |
124 | ***
125 | _This README was generated with ❤️ by [readme-md-generator](https://github.com/kefranabg/readme-md-generator)_
--------------------------------------------------------------------------------
/ansible.cfg:
--------------------------------------------------------------------------------
1 | [defaults]
2 | inventory=./inventory/main.yml
3 | host_key_checking=false
4 | private_key_file=./cncf_key
5 | deprecation_warnings=False
--------------------------------------------------------------------------------
/front-proxy-playbook.yml:
--------------------------------------------------------------------------------
1 | - hosts: front-proxy
2 | gather_facts: False
3 | remote_user: matheus
4 | become: yes
5 | become_user: root
6 | roles:
7 | - { role: commons }
8 | - { role: front-proxy }
--------------------------------------------------------------------------------
/harbor-playbook.yml:
--------------------------------------------------------------------------------
1 | - hosts: harbor
2 | gather_facts: False
3 | remote_user: matheus
4 | become: yes
5 | become_user: root
6 | roles:
7 | - { role: commons }
8 | - { role: docker }
9 | - { role: letsencrypt }
10 | - { role: harbor }
--------------------------------------------------------------------------------
/inventory/main.yml:
--------------------------------------------------------------------------------
1 | all:
2 | vars:
3 | ansible_ssh_user: matheus
4 | harbor_admin: cncfdemo
5 | cert_domain_name: registry.cncf.raj.ninja
6 | cert_admin_email: matheus@nanoshots.com.br
7 | children:
8 | kubernetes:
9 | children:
10 | masters:
11 | vars:
12 | linkerd_url: linkerd.raj.ninja
13 | hosts:
14 | 35.224.41.89:
15 | nodes:
16 | hosts:
17 | 104.154.132.181:
18 | 34.67.154.18:
19 | 35.232.137.196:
20 | harbor:
21 | hosts:
22 | 34.71.192.242
23 |
24 | front-proxy:
25 | hosts:
26 | 104.155.154.113
27 |
--------------------------------------------------------------------------------
/kubernetes-playbook.yml:
--------------------------------------------------------------------------------
1 | - hosts: kubernetes
2 | gather_facts: true
3 | remote_user: matheus
4 | become: yes
5 | become_user: root
6 | roles:
7 | - { role: commons }
8 | - { role: docker }
9 | - { role: kubernetes }
10 |
11 | - hosts: masters
12 | gather_facts: true
13 | remote_user: matheus
14 | become: yes
15 | become_user: root
16 | roles:
17 | - { role: masters }
18 | - { role: contour }
19 | - { role: linkerd }
20 |
21 | - hosts: nodes
22 | gather_facts: true
23 | remote_user: matheus
24 | become: yes
25 | become_user: root
26 | roles:
27 | - { role: nodes }
28 |
29 | - hosts: masters
30 | gather_facts: true
31 | remote_user: matheus
32 | become: yes
33 | become_user: root
34 | roles:
35 | - { role: cert-manager }
--------------------------------------------------------------------------------
/roles/cert-manager/tasks/main.yml:
--------------------------------------------------------------------------------
1 | - name: Put cert-manager template
2 | template:
3 | src: cert-manager.yml.j2
4 | dest: /tmp/cert-manager.yml
5 | mode: 0777
6 |
7 | - name: cert-manager apply
8 | shell: 'kubectl apply -f /tmp/cert-manager.yml'
9 |
10 | - name: Put issuer-stg template
11 | template:
12 | src: issuer-stg.yml.j2
13 | dest: /tmp/issuer-stg.yml
14 | mode: 0777
15 |
16 | - name: issuer-stg apply
17 | shell: 'kubectl apply -f /tmp/issuer-stg.yml'
18 |
19 | - name: Put issuer-prd template
20 | template:
21 | src: issuer-prd.yml.j2
22 | dest: /tmp/issuer-prd.yml
23 | mode: 0777
24 |
25 | - name: issuer-prd apply
26 | shell: 'kubectl apply -f /tmp/issuer-prd.yml'
--------------------------------------------------------------------------------
/roles/cert-manager/templates/issuer-prd.yml.j2:
--------------------------------------------------------------------------------
1 | apiVersion: cert-manager.io/v1alpha2
2 | kind: ClusterIssuer
3 | metadata:
4 | name: letsencrypt-prod
5 | namespace: cert-manager
6 | spec:
7 | spec:
8 | acme:
9 | email: {{ cert_admin_email }}
10 | privateKeySecretRef:
11 | name: letsencrypt-prod
12 | server: https://acme-v02.api.letsencrypt.org/directory
13 | solvers:
14 | - http01:
15 | ingress:
16 | class: contour
--------------------------------------------------------------------------------
/roles/cert-manager/templates/issuer-stg.yml.j2:
--------------------------------------------------------------------------------
1 | apiVersion: cert-manager.io/v1alpha2
2 | kind: ClusterIssuer
3 | metadata:
4 | name: letsencrypt-staging
5 | namespace: cert-manager
6 | spec:
7 | acme:
8 | email: {{ cert_admin_email }}
9 | privateKeySecretRef:
10 | name: letsencrypt-staging
11 | server: https://acme-staging-v02.api.letsencrypt.org/directory
12 | solvers:
13 | - http01:
14 | ingress:
15 | class: contour
--------------------------------------------------------------------------------
/roles/commons/tasks/main.yml:
--------------------------------------------------------------------------------
1 | - name: update apt
2 | apt:
3 | update_cache: yes
4 | cache_valid_time: 3600
5 |
6 | - name: install required packages
7 | apt:
8 | name: "{{ packages }}"
9 | update_cache: true
10 | state: present
11 | vars:
12 | packages:
13 | - python-minimal
14 | - curl
15 | - wget
16 | - python-pip
17 | - python3-pip
--------------------------------------------------------------------------------
/roles/contour/tasks/main.yml:
--------------------------------------------------------------------------------
1 | - name: Put contour template
2 | template:
3 | src: contour.yml.j2
4 | dest: /tmp/contour.yml
5 | owner: root
6 | group: root
7 | mode: "0777"
8 |
9 | - name: Setup contour
10 | shell: kubectl apply -f /tmp/contour.yml
--------------------------------------------------------------------------------
/roles/contour/templates/contour.yml.j2:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: v1
3 | kind: Namespace
4 | metadata:
5 | name: projectcontour
6 | ---
7 | apiVersion: v1
8 | kind: ServiceAccount
9 | metadata:
10 | name: contour
11 | namespace: projectcontour
12 | ---
13 | apiVersion: v1
14 | kind: ServiceAccount
15 | metadata:
16 | name: envoy
17 | namespace: projectcontour
18 | ---
19 | apiVersion: v1
20 | kind: ConfigMap
21 | metadata:
22 | name: contour
23 | namespace: projectcontour
24 | data:
25 | contour.yaml: |
26 | # should contour expect to be running inside a k8s cluster
27 | # incluster: true
28 | #
29 | # path to kubeconfig (if not running inside a k8s cluster)
30 | # kubeconfig: /path/to/.kube/config
31 | #
32 | # Client request timeout to be passed to Envoy
33 | # as the connection manager request_timeout.
34 | # Defaults to 0, which Envoy interprets as disabled.
35 | # Note that this is the timeout for the whole request,
36 | # not an idle timeout.
37 | # request-timeout: 0s
38 | # disable ingressroute permitInsecure field
39 | disablePermitInsecure: false
40 | tls:
41 | # minimum TLS version that Contour will negotiate
42 | # minimum-protocol-version: "1.1"
43 | # The following config shows the defaults for the leader election.
44 | # leaderelection:
45 | # configmap-name: leader-elect
46 | # configmap-namespace: projectcontour
47 | ### Logging options
48 | # Default setting
49 | accesslog-format: envoy
50 | # To enable JSON logging in Envoy
51 | # accesslog-format: json
52 | # The default fields that will be logged are specified below.
53 | # To customise this list, just add or remove entries.
54 | # The canonical list is available at
55 | # https://godoc.org/github.com/projectcontour/contour/internal/envoy#JSONFields
56 | # json-fields:
57 | # - "@timestamp"
58 | # - "authority"
59 | # - "bytes_received"
60 | # - "bytes_sent"
61 | # - "downstream_local_address"
62 | # - "downstream_remote_address"
63 | # - "duration"
64 | # - "method"
65 | # - "path"
66 | # - "protocol"
67 | # - "request_id"
68 | # - "requested_server_name"
69 | # - "response_code"
70 | # - "response_flags"
71 | # - "uber_trace_id"
72 | # - "upstream_cluster"
73 | # - "upstream_host"
74 | # - "upstream_local_address"
75 | # - "upstream_service_time"
76 | # - "user_agent"
77 | # - "x_forwarded_for"
78 | ---
79 | apiVersion: apiextensions.k8s.io/v1beta1
80 | kind: CustomResourceDefinition
81 | metadata:
82 | annotations:
83 | controller-gen.kubebuilder.io/version: v0.2.4
84 | creationTimestamp: null
85 | name: ingressroutes.contour.heptio.com
86 | spec:
87 | additionalPrinterColumns:
88 | - JSONPath: .spec.virtualhost.fqdn
89 | description: Fully qualified domain name
90 | name: FQDN
91 | type: string
92 | - JSONPath: .spec.virtualhost.tls.secretName
93 | description: Secret with TLS credentials
94 | name: TLS Secret
95 | type: string
96 | - JSONPath: .spec.routes[0].match
97 | description: First routes defined
98 | name: First route
99 | type: string
100 | - JSONPath: .status.currentStatus
101 | description: The current status of the HTTPProxy
102 | name: Status
103 | type: string
104 | - JSONPath: .status.description
105 | description: Description of the current status
106 | name: Status Description
107 | type: string
108 | group: contour.heptio.com
109 | names:
110 | kind: IngressRoute
111 | listKind: IngressRouteList
112 | plural: ingressroutes
113 | singular: ingressroute
114 | scope: Namespaced
115 | subresources: {}
116 | validation:
117 | openAPIV3Schema:
118 | description: IngressRoute is an Ingress CRD specificiation
119 | properties:
120 | apiVersion:
121 | description: 'APIVersion defines the versioned schema of this representation
122 | of an object. Servers should convert recognized schemas to the latest
123 | internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
124 | type: string
125 | kind:
126 | description: 'Kind is a string value representing the REST resource this
127 | object represents. Servers may infer this from the endpoint the client
128 | submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
129 | type: string
130 | metadata:
131 | type: object
132 | spec:
133 | description: IngressRouteSpec defines the spec of the CRD
134 | properties:
135 | routes:
136 | description: Routes are the ingress routes. If TCPProxy is present,
137 | Routes is ignored.
138 | items:
139 | description: Route contains the set of routes for a virtual host
140 | properties:
141 | delegate:
142 | description: Delegate specifies that this route should be delegated
143 | to another IngressRoute
144 | properties:
145 | name:
146 | description: Name of the IngressRoute
147 | type: string
148 | namespace:
149 | description: Namespace of the IngressRoute. Defaults to the
150 | current namespace if not supplied.
151 | type: string
152 | required:
153 | - name
154 | type: object
155 | enableWebsockets:
156 | description: Enables websocket support for the route
157 | type: boolean
158 | match:
159 | description: Match defines the prefix match
160 | type: string
161 | permitInsecure:
162 | description: Allow this path to respond to insecure requests over
163 | HTTP which are normally not permitted when a `virtualhost.tls`
164 | block is present.
165 | type: boolean
166 | prefixRewrite:
167 | description: Indicates that during forwarding, the matched prefix
168 | (or path) should be swapped with this value
169 | type: string
170 | retryPolicy:
171 | description: The retry policy for this route
172 | properties:
173 | count:
174 | description: NumRetries is maximum allowed number of retries.
175 | If not supplied, the number of retries is one.
176 | format: int64
177 | minimum: 0
178 | type: integer
179 | perTryTimeout:
180 | description: PerTryTimeout specifies the timeout per retry
181 | attempt. Ignored if NumRetries is not supplied.
182 | type: string
183 | type: object
184 | services:
185 | description: Services are the services to proxy traffic
186 | items:
187 | description: Service defines an upstream to proxy traffic to
188 | properties:
189 | healthCheck:
190 | description: HealthCheck defines optional healthchecks on
191 | the upstream service
192 | properties:
193 | healthyThresholdCount:
194 | description: The number of healthy health checks required
195 | before a host is marked healthy
196 | format: int64
197 | minimum: 0
198 | type: integer
199 | host:
200 | description: The value of the host header in the HTTP
201 | health check request. If left empty (default value),
202 | the name "contour-envoy-healthcheck" will be used.
203 | type: string
204 | intervalSeconds:
205 | description: The interval (seconds) between health checks
206 | format: int64
207 | type: integer
208 | path:
209 | description: HTTP endpoint used to perform health checks
210 | on upstream service
211 | type: string
212 | timeoutSeconds:
213 | description: The time to wait (seconds) for a health
214 | check response
215 | format: int64
216 | type: integer
217 | unhealthyThresholdCount:
218 | description: The number of unhealthy health checks required
219 | before a host is marked unhealthy
220 | format: int64
221 | minimum: 0
222 | type: integer
223 | required:
224 | - path
225 | type: object
226 | name:
227 | description: Name is the name of Kubernetes service to proxy
228 | traffic. Names defined here will be used to look up corresponding
229 | endpoints which contain the ips to route.
230 | type: string
231 | port:
232 | description: Port (defined as Integer) to proxy traffic
233 | to since a service can have multiple defined
234 | type: integer
235 | strategy:
236 | description: LB Algorithm to apply (see https://github.com/projectcontour/contour/blob/master/design/ingressroute-design.md#load-balancing)
237 | type: string
238 | validation:
239 | description: UpstreamValidation defines how to verify the
240 | backend service's certificate
241 | properties:
242 | caSecret:
243 | description: Name of the Kubernetes secret be used to
244 | validate the certificate presented by the backend
245 | type: string
246 | subjectName:
247 | description: Key which is expected to be present in
248 | the 'subjectAltName' of the presented certificate
249 | type: string
250 | required:
251 | - caSecret
252 | - subjectName
253 | type: object
254 | weight:
255 | description: Weight defines percentage of traffic to balance
256 | traffic
257 | format: int64
258 | minimum: 0
259 | type: integer
260 | required:
261 | - name
262 | - port
263 | type: object
264 | type: array
265 | timeoutPolicy:
266 | description: The timeout policy for this route
267 | properties:
268 | request:
269 | description: Timeout for receiving a response from the server
270 | after processing a request from client. If not supplied
271 | the timeout duration is undefined.
272 | type: string
273 | type: object
274 | required:
275 | - match
276 | type: object
277 | type: array
278 | tcpproxy:
279 | description: TCPProxy holds TCP proxy information.
280 | properties:
281 | delegate:
282 | description: Delegate specifies that this tcpproxy should be delegated
283 | to another IngressRoute
284 | properties:
285 | name:
286 | description: Name of the IngressRoute
287 | type: string
288 | namespace:
289 | description: Namespace of the IngressRoute. Defaults to the
290 | current namespace if not supplied.
291 | type: string
292 | required:
293 | - name
294 | type: object
295 | services:
296 | description: Services are the services to proxy traffic
297 | items:
298 | description: Service defines an upstream to proxy traffic to
299 | properties:
300 | healthCheck:
301 | description: HealthCheck defines optional healthchecks on
302 | the upstream service
303 | properties:
304 | healthyThresholdCount:
305 | description: The number of healthy health checks required
306 | before a host is marked healthy
307 | format: int64
308 | minimum: 0
309 | type: integer
310 | host:
311 | description: The value of the host header in the HTTP
312 | health check request. If left empty (default value),
313 | the name "contour-envoy-healthcheck" will be used.
314 | type: string
315 | intervalSeconds:
316 | description: The interval (seconds) between health checks
317 | format: int64
318 | type: integer
319 | path:
320 | description: HTTP endpoint used to perform health checks
321 | on upstream service
322 | type: string
323 | timeoutSeconds:
324 | description: The time to wait (seconds) for a health check
325 | response
326 | format: int64
327 | type: integer
328 | unhealthyThresholdCount:
329 | description: The number of unhealthy health checks required
330 | before a host is marked unhealthy
331 | format: int64
332 | minimum: 0
333 | type: integer
334 | required:
335 | - path
336 | type: object
337 | name:
338 | description: Name is the name of Kubernetes service to proxy
339 | traffic. Names defined here will be used to look up corresponding
340 | endpoints which contain the ips to route.
341 | type: string
342 | port:
343 | description: Port (defined as Integer) to proxy traffic to
344 | since a service can have multiple defined
345 | type: integer
346 | strategy:
347 | description: LB Algorithm to apply (see https://github.com/projectcontour/contour/blob/master/design/ingressroute-design.md#load-balancing)
348 | type: string
349 | validation:
350 | description: UpstreamValidation defines how to verify the
351 | backend service's certificate
352 | properties:
353 | caSecret:
354 | description: Name of the Kubernetes secret be used to
355 | validate the certificate presented by the backend
356 | type: string
357 | subjectName:
358 | description: Key which is expected to be present in the
359 | 'subjectAltName' of the presented certificate
360 | type: string
361 | required:
362 | - caSecret
363 | - subjectName
364 | type: object
365 | weight:
366 | description: Weight defines percentage of traffic to balance
367 | traffic
368 | format: int64
369 | minimum: 0
370 | type: integer
371 | required:
372 | - name
373 | - port
374 | type: object
375 | type: array
376 | type: object
377 | virtualhost:
378 | description: Virtualhost appears at most once. If it is present, the
379 | object is considered to be a "root".
380 | properties:
381 | fqdn:
382 | description: The fully qualified domain name of the root of the
383 | ingress tree all leaves of the DAG rooted at this object relate
384 | to the fqdn
385 | type: string
386 | tls:
387 | description: If present describes tls properties. The SNI names
388 | that will be matched on are described in fqdn, the tls.secretName
389 | secret must contain a matching certificate
390 | properties:
391 | clientValidation:
392 | description: 'ClientValidation defines how to verify the client
393 | certificate when an external client establishes a TLS connection
394 | to Envoy. This setting: 1. Enables TLS client certificate
395 | validation. 2. Requires clients to present a TLS certificate
396 | (i.e. not optional validation). 3. Specifies how the client
397 | certificate will be validated.'
398 | properties:
399 | caSecret:
400 | description: Name of a Kubernetes secret that contains a
401 | CA certificate bundle. The client certificate must validate
402 | against the certificates in the bundle.
403 | minLength: 1
404 | type: string
405 | required:
406 | - caSecret
407 | type: object
408 | minimumProtocolVersion:
409 | description: Minimum TLS version this vhost should negotiate
410 | type: string
411 | passthrough:
412 | description: If Passthrough is set to true, the SecretName will
413 | be ignored and the encrypted handshake will be passed through
414 | to the backing cluster.
415 | type: boolean
416 | secretName:
417 | description: required, the name of a secret in the current namespace
418 | type: string
419 | type: object
420 | required:
421 | - fqdn
422 | type: object
423 | type: object
424 | status:
425 | description: Status reports the current state of the HTTPProxy.
426 | properties:
427 | currentStatus:
428 | type: string
429 | description:
430 | type: string
431 | type: object
432 | required:
433 | - metadata
434 | - spec
435 | type: object
436 | version: v1beta1
437 | versions:
438 | - name: v1beta1
439 | served: true
440 | storage: true
441 | status:
442 | acceptedNames:
443 | kind: ""
444 | plural: ""
445 | conditions: []
446 | storedVersions: []
447 | ---
448 | apiVersion: apiextensions.k8s.io/v1beta1
449 | kind: CustomResourceDefinition
450 | metadata:
451 | annotations:
452 | controller-gen.kubebuilder.io/version: v0.2.4
453 | creationTimestamp: null
454 | name: tlscertificatedelegations.contour.heptio.com
455 | spec:
456 | group: contour.heptio.com
457 | names:
458 | kind: TLSCertificateDelegation
459 | listKind: TLSCertificateDelegationList
460 | plural: tlscertificatedelegations
461 | singular: tlscertificatedelegation
462 | scope: Namespaced
463 | validation:
464 | openAPIV3Schema:
465 | description: TLSCertificateDelegation is an TLS Certificate Delegation CRD specificiation.
466 | See design/tls-certificate-delegation.md for details.
467 | properties:
468 | apiVersion:
469 | description: 'APIVersion defines the versioned schema of this representation
470 | of an object. Servers should convert recognized schemas to the latest
471 | internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
472 | type: string
473 | kind:
474 | description: 'Kind is a string value representing the REST resource this
475 | object represents. Servers may infer this from the endpoint the client
476 | submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
477 | type: string
478 | metadata:
479 | type: object
480 | spec:
481 | description: TLSCertificateDelegationSpec defines the spec of the CRD
482 | properties:
483 | delegations:
484 | items:
485 | description: CertificateDelegation maps the authority to reference
486 | a secret in the current namespace to a set of namespaces.
487 | properties:
488 | secretName:
489 | description: required, the name of a secret in the current namespace.
490 | type: string
491 | targetNamespaces:
492 | description: required, the namespaces the authority to reference
493 | the the secret will be delegated to. If TargetNamespaces is
494 | nil or empty, the CertificateDelegation' is ignored. If the
495 | TargetNamespace list contains the character, "*" the secret
496 | will be delegated to all namespaces.
497 | items:
498 | type: string
499 | type: array
500 | required:
501 | - secretName
502 | - targetNamespaces
503 | type: object
504 | type: array
505 | required:
506 | - delegations
507 | type: object
508 | required:
509 | - metadata
510 | - spec
511 | type: object
512 | version: v1beta1
513 | versions:
514 | - name: v1beta1
515 | served: true
516 | storage: true
517 | status:
518 | acceptedNames:
519 | kind: ""
520 | plural: ""
521 | conditions: []
522 | storedVersions: []
523 | ---
524 | apiVersion: apiextensions.k8s.io/v1beta1
525 | kind: CustomResourceDefinition
526 | metadata:
527 | annotations:
528 | controller-gen.kubebuilder.io/version: v0.2.4
529 | creationTimestamp: null
530 | name: httpproxies.projectcontour.io
531 | spec:
532 | additionalPrinterColumns:
533 | - JSONPath: .spec.virtualhost.fqdn
534 | description: Fully qualified domain name
535 | name: FQDN
536 | type: string
537 | - JSONPath: .spec.virtualhost.tls.secretName
538 | description: Secret with TLS credentials
539 | name: TLS Secret
540 | type: string
541 | - JSONPath: .status.currentStatus
542 | description: The current status of the HTTPProxy
543 | name: Status
544 | type: string
545 | - JSONPath: .status.description
546 | description: Description of the current status
547 | name: Status Description
548 | type: string
549 | group: projectcontour.io
550 | names:
551 | kind: HTTPProxy
552 | listKind: HTTPProxyList
553 | plural: httpproxies
554 | shortNames:
555 | - proxy
556 | - proxies
557 | singular: httpproxy
558 | scope: Namespaced
559 | subresources: {}
560 | validation:
561 | openAPIV3Schema:
562 | description: HTTPProxy is an Ingress CRD specification
563 | properties:
564 | apiVersion:
565 | description: 'APIVersion defines the versioned schema of this representation
566 | of an object. Servers should convert recognized schemas to the latest
567 | internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
568 | type: string
569 | kind:
570 | description: 'Kind is a string value representing the REST resource this
571 | object represents. Servers may infer this from the endpoint the client
572 | submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
573 | type: string
574 | metadata:
575 | type: object
576 | spec:
577 | description: HTTPProxySpec defines the spec of the CRD.
578 | properties:
579 | includes:
580 | description: Includes allow for specific routing configuration to be
581 | appended to another HTTPProxy in another namespace.
582 | items:
583 | description: Include describes a set of policies that can be applied
584 | to an HTTPProxy in a namespace.
585 | properties:
586 | conditions:
587 | description: Conditions are a set of routing properties that is
588 | applied to an HTTPProxy in a namespace.
589 | items:
590 | description: Condition are policies that are applied on top
591 | of HTTPProxies. One of Prefix or Header must be provided.
592 | properties:
593 | header:
594 | description: Header specifies the header condition to match.
595 | properties:
596 | contains:
597 | description: Contains specifies a substring that must
598 | be present in the header value.
599 | type: string
600 | exact:
601 | description: Exact specifies a string that the header
602 | value must be equal to.
603 | type: string
604 | name:
605 | description: Name is the name of the header to match
606 | against. Name is required. Header names are case insensitive.
607 | type: string
608 | notcontains:
609 | description: NotContains specifies a substring that
610 | must not be present in the header value.
611 | type: string
612 | notexact:
613 | description: NoExact specifies a string that the header
614 | value must not be equal to. The condition is true
615 | if the header has any other value.
616 | type: string
617 | present:
618 | description: Present specifies that condition is true
619 | when the named header is present, regardless of its
620 | value. Note that setting Present to false does not
621 | make the condition true if the named header is absent.
622 | type: boolean
623 | required:
624 | - name
625 | type: object
626 | prefix:
627 | description: Prefix defines a prefix match for a request.
628 | type: string
629 | type: object
630 | type: array
631 | name:
632 | description: Name of the HTTPProxy
633 | type: string
634 | namespace:
635 | description: Namespace of the HTTPProxy to include. Defaults to
636 | the current namespace if not supplied.
637 | type: string
638 | required:
639 | - name
640 | type: object
641 | type: array
642 | routes:
643 | description: Routes are the ingress routes. If TCPProxy is present,
644 | Routes is ignored.
645 | items:
646 | description: Route contains the set of routes for a virtual host.
647 | properties:
648 | conditions:
649 | description: Conditions are a set of routing properties that is
650 | applied to an HTTPProxy in a namespace.
651 | items:
652 | description: Condition are policies that are applied on top
653 | of HTTPProxies. One of Prefix or Header must be provided.
654 | properties:
655 | header:
656 | description: Header specifies the header condition to match.
657 | properties:
658 | contains:
659 | description: Contains specifies a substring that must
660 | be present in the header value.
661 | type: string
662 | exact:
663 | description: Exact specifies a string that the header
664 | value must be equal to.
665 | type: string
666 | name:
667 | description: Name is the name of the header to match
668 | against. Name is required. Header names are case insensitive.
669 | type: string
670 | notcontains:
671 | description: NotContains specifies a substring that
672 | must not be present in the header value.
673 | type: string
674 | notexact:
675 | description: NoExact specifies a string that the header
676 | value must not be equal to. The condition is true
677 | if the header has any other value.
678 | type: string
679 | present:
680 | description: Present specifies that condition is true
681 | when the named header is present, regardless of its
682 | value. Note that setting Present to false does not
683 | make the condition true if the named header is absent.
684 | type: boolean
685 | required:
686 | - name
687 | type: object
688 | prefix:
689 | description: Prefix defines a prefix match for a request.
690 | type: string
691 | type: object
692 | type: array
693 | enableWebsockets:
694 | description: Enables websocket support for the route.
695 | type: boolean
696 | healthCheckPolicy:
697 | description: The health check policy for this route.
698 | properties:
699 | healthyThresholdCount:
700 | description: The number of healthy health checks required
701 | before a host is marked healthy
702 | format: int64
703 | minimum: 0
704 | type: integer
705 | host:
706 | description: The value of the host header in the HTTP health
707 | check request. If left empty (default value), the name "contour-envoy-healthcheck"
708 | will be used.
709 | type: string
710 | intervalSeconds:
711 | description: The interval (seconds) between health checks
712 | format: int64
713 | type: integer
714 | path:
715 | description: HTTP endpoint used to perform health checks on
716 | upstream service
717 | type: string
718 | timeoutSeconds:
719 | description: The time to wait (seconds) for a health check
720 | response
721 | format: int64
722 | type: integer
723 | unhealthyThresholdCount:
724 | description: The number of unhealthy health checks required
725 | before a host is marked unhealthy
726 | format: int64
727 | minimum: 0
728 | type: integer
729 | required:
730 | - path
731 | type: object
732 | loadBalancerPolicy:
733 | description: The load balancing policy for this route.
734 | properties:
735 | strategy:
736 | description: Strategy specifies the policy used to balance
737 | requests across the pool of backend pods. Valid policy names
738 | are `Random`, `RoundRobin`, `WeightedLeastRequest`, `Random`
739 | and `Cookie`. If an unknown strategy name is specified or
740 | no policy is supplied, the default `RoundRobin` policy is
741 | used.
742 | type: string
743 | type: object
744 | pathRewritePolicy:
745 | description: The policy for rewriting the path of the request
746 | URL after the request has been routed to a Service.
747 | properties:
748 | replacePrefix:
749 | description: ReplacePrefix describes how the path prefix should
750 | be replaced.
751 | items:
752 | description: ReplacePrefix describes a path prefix replacement.
753 | properties:
754 | prefix:
755 | description: "Prefix specifies the URL path prefix to
756 | be replaced. \n If Prefix is specified, it must exactly
757 | match the Condition prefix that is rendered by the
758 | chain of including HTTPProxies and only that path
759 | prefix will be replaced by Replacement. This allows
760 | HTTPProxies that are included through multiple roots
761 | to only replace specific path prefixes, leaving others
762 | unmodified. \n If Prefix is not specified, all routing
763 | prefixes rendered by the include chain will be replaced."
764 | minLength: 1
765 | type: string
766 | replacement:
767 | description: Replacement is the string that the routing
768 | path prefix will be replaced with. This must not be
769 | empty.
770 | minLength: 1
771 | type: string
772 | required:
773 | - replacement
774 | type: object
775 | type: array
776 | type: object
777 | permitInsecure:
778 | description: Allow this path to respond to insecure requests over
779 | HTTP which are normally not permitted when a `virtualhost.tls`
780 | block is present.
781 | type: boolean
782 | requestHeadersPolicy:
783 | description: The policy for managing request headers during proxying
784 | properties:
785 | remove:
786 | description: Remove specifies a list of HTTP header names
787 | to remove
788 | items:
789 | type: string
790 | type: array
791 | set:
792 | description: Set specifies a list of HTTP header values that
793 | will be set in the HTTP header
794 | items:
795 | description: HeaderValue represents a header name/value
796 | pair
797 | properties:
798 | name:
799 | description: Name represents a key of a header
800 | minLength: 1
801 | type: string
802 | value:
803 | description: Value represents the value of a header
804 | specified by a key
805 | minLength: 1
806 | type: string
807 | required:
808 | - name
809 | - value
810 | type: object
811 | type: array
812 | type: object
813 | responseHeadersPolicy:
814 | description: The policy for managing response headers during proxying
815 | properties:
816 | remove:
817 | description: Remove specifies a list of HTTP header names
818 | to remove
819 | items:
820 | type: string
821 | type: array
822 | set:
823 | description: Set specifies a list of HTTP header values that
824 | will be set in the HTTP header
825 | items:
826 | description: HeaderValue represents a header name/value
827 | pair
828 | properties:
829 | name:
830 | description: Name represents a key of a header
831 | minLength: 1
832 | type: string
833 | value:
834 | description: Value represents the value of a header
835 | specified by a key
836 | minLength: 1
837 | type: string
838 | required:
839 | - name
840 | - value
841 | type: object
842 | type: array
843 | type: object
844 | retryPolicy:
845 | description: The retry policy for this route.
846 | properties:
847 | count:
848 | description: NumRetries is maximum allowed number of retries.
849 | If not supplied, the number of retries is one.
850 | format: int64
851 | minimum: 0
852 | type: integer
853 | perTryTimeout:
854 | description: PerTryTimeout specifies the timeout per retry
855 | attempt. Ignored if NumRetries is not supplied.
856 | type: string
857 | type: object
858 | services:
859 | description: Services are the services to proxy traffic.
860 | items:
861 | description: Service defines an Kubernetes Service to proxy
862 | traffic.
863 | properties:
864 | mirror:
865 | description: If Mirror is true the Service will receive
866 | a read only mirror of the traffic for this route.
867 | type: boolean
868 | name:
869 | description: Name is the name of Kubernetes service to proxy
870 | traffic. Names defined here will be used to look up corresponding
871 | endpoints which contain the ips to route.
872 | type: string
873 | port:
874 | description: Port (defined as Integer) to proxy traffic
875 | to since a service can have multiple defined.
876 | type: integer
877 | protocol:
878 | description: Protocol may be used to specify (or override)
879 | the protocol used to reach this Service. Values may be
880 | tls, h2, h2c. If omitted, protocol-selection falls back
881 | on Service annotations.
882 | enum:
883 | - h2
884 | - h2c
885 | - tls
886 | type: string
887 | requestHeadersPolicy:
888 | description: The policy for managing request headers during
889 | proxying
890 | properties:
891 | remove:
892 | description: Remove specifies a list of HTTP header
893 | names to remove
894 | items:
895 | type: string
896 | type: array
897 | set:
898 | description: Set specifies a list of HTTP header values
899 | that will be set in the HTTP header
900 | items:
901 | description: HeaderValue represents a header name/value
902 | pair
903 | properties:
904 | name:
905 | description: Name represents a key of a header
906 | minLength: 1
907 | type: string
908 | value:
909 | description: Value represents the value of a header
910 | specified by a key
911 | minLength: 1
912 | type: string
913 | required:
914 | - name
915 | - value
916 | type: object
917 | type: array
918 | type: object
919 | responseHeadersPolicy:
920 | description: The policy for managing response headers during
921 | proxying
922 | properties:
923 | remove:
924 | description: Remove specifies a list of HTTP header
925 | names to remove
926 | items:
927 | type: string
928 | type: array
929 | set:
930 | description: Set specifies a list of HTTP header values
931 | that will be set in the HTTP header
932 | items:
933 | description: HeaderValue represents a header name/value
934 | pair
935 | properties:
936 | name:
937 | description: Name represents a key of a header
938 | minLength: 1
939 | type: string
940 | value:
941 | description: Value represents the value of a header
942 | specified by a key
943 | minLength: 1
944 | type: string
945 | required:
946 | - name
947 | - value
948 | type: object
949 | type: array
950 | type: object
951 | validation:
952 | description: UpstreamValidation defines how to verify the
953 | backend service's certificate
954 | properties:
955 | caSecret:
956 | description: Name of the Kubernetes secret be used to
957 | validate the certificate presented by the backend
958 | type: string
959 | subjectName:
960 | description: Key which is expected to be present in
961 | the 'subjectAltName' of the presented certificate
962 | type: string
963 | required:
964 | - caSecret
965 | - subjectName
966 | type: object
967 | weight:
968 | description: Weight defines percentage of traffic to balance
969 | traffic
970 | format: int64
971 | minimum: 0
972 | type: integer
973 | required:
974 | - name
975 | - port
976 | type: object
977 | minItems: 1
978 | type: array
979 | timeoutPolicy:
980 | description: The timeout policy for this route.
981 | properties:
982 | idle:
983 | description: Timeout after which if there are no active requests
984 | for this route, the connection between Envoy and the backend
985 | will be closed. If not specified, there is no per-route
986 | idle timeout.
987 | type: string
988 | response:
989 | description: Timeout for receiving a response from the server
990 | after processing a request from client. If not supplied
991 | the timeout duration is undefined.
992 | type: string
993 | type: object
994 | required:
995 | - services
996 | type: object
997 | type: array
998 | tcpproxy:
999 | description: TCPProxy holds TCP proxy information.
1000 | properties:
1001 | healthCheckPolicy:
1002 | description: The health check policy for this tcp proxy
1003 | properties:
1004 | healthyThresholdCount:
1005 | description: The number of healthy health checks required before
1006 | a host is marked healthy
1007 | format: int32
1008 | type: integer
1009 | intervalSeconds:
1010 | description: The interval (seconds) between health checks
1011 | format: int64
1012 | type: integer
1013 | timeoutSeconds:
1014 | description: The time to wait (seconds) for a health check response
1015 | format: int64
1016 | type: integer
1017 | unhealthyThresholdCount:
1018 | description: The number of unhealthy health checks required
1019 | before a host is marked unhealthy
1020 | format: int32
1021 | type: integer
1022 | type: object
1023 | include:
1024 | description: Include specifies that this tcpproxy should be delegated
1025 | to another HTTPProxy.
1026 | properties:
1027 | name:
1028 | description: Name of the child HTTPProxy
1029 | type: string
1030 | namespace:
1031 | description: Namespace of the HTTPProxy to include. Defaults
1032 | to the current namespace if not supplied.
1033 | type: string
1034 | required:
1035 | - name
1036 | type: object
1037 | includes:
1038 | description: "IncludesDeprecated allow for specific routing configuration
1039 | to be appended to another HTTPProxy in another namespace. \n Exists
1040 | due to a mistake when developing HTTPProxy and the field was marked
1041 | plural when it should have been singular. This field should stay
1042 | to not break backwards compatibility to v1 users."
1043 | properties:
1044 | name:
1045 | description: Name of the child HTTPProxy
1046 | type: string
1047 | namespace:
1048 | description: Namespace of the HTTPProxy to include. Defaults
1049 | to the current namespace if not supplied.
1050 | type: string
1051 | required:
1052 | - name
1053 | type: object
1054 | loadBalancerPolicy:
1055 | description: The load balancing policy for the backend services.
1056 | properties:
1057 | strategy:
1058 | description: Strategy specifies the policy used to balance requests
1059 | across the pool of backend pods. Valid policy names are `Random`,
1060 | `RoundRobin`, `WeightedLeastRequest`, `Random` and `Cookie`.
1061 | If an unknown strategy name is specified or no policy is supplied,
1062 | the default `RoundRobin` policy is used.
1063 | type: string
1064 | type: object
1065 | services:
1066 | description: Services are the services to proxy traffic
1067 | items:
1068 | description: Service defines an Kubernetes Service to proxy traffic.
1069 | properties:
1070 | mirror:
1071 | description: If Mirror is true the Service will receive a
1072 | read only mirror of the traffic for this route.
1073 | type: boolean
1074 | name:
1075 | description: Name is the name of Kubernetes service to proxy
1076 | traffic. Names defined here will be used to look up corresponding
1077 | endpoints which contain the ips to route.
1078 | type: string
1079 | port:
1080 | description: Port (defined as Integer) to proxy traffic to
1081 | since a service can have multiple defined.
1082 | type: integer
1083 | protocol:
1084 | description: Protocol may be used to specify (or override)
1085 | the protocol used to reach this Service. Values may be tls,
1086 | h2, h2c. If omitted, protocol-selection falls back on Service
1087 | annotations.
1088 | enum:
1089 | - h2
1090 | - h2c
1091 | - tls
1092 | type: string
1093 | requestHeadersPolicy:
1094 | description: The policy for managing request headers during
1095 | proxying
1096 | properties:
1097 | remove:
1098 | description: Remove specifies a list of HTTP header names
1099 | to remove
1100 | items:
1101 | type: string
1102 | type: array
1103 | set:
1104 | description: Set specifies a list of HTTP header values
1105 | that will be set in the HTTP header
1106 | items:
1107 | description: HeaderValue represents a header name/value
1108 | pair
1109 | properties:
1110 | name:
1111 | description: Name represents a key of a header
1112 | minLength: 1
1113 | type: string
1114 | value:
1115 | description: Value represents the value of a header
1116 | specified by a key
1117 | minLength: 1
1118 | type: string
1119 | required:
1120 | - name
1121 | - value
1122 | type: object
1123 | type: array
1124 | type: object
1125 | responseHeadersPolicy:
1126 | description: The policy for managing response headers during
1127 | proxying
1128 | properties:
1129 | remove:
1130 | description: Remove specifies a list of HTTP header names
1131 | to remove
1132 | items:
1133 | type: string
1134 | type: array
1135 | set:
1136 | description: Set specifies a list of HTTP header values
1137 | that will be set in the HTTP header
1138 | items:
1139 | description: HeaderValue represents a header name/value
1140 | pair
1141 | properties:
1142 | name:
1143 | description: Name represents a key of a header
1144 | minLength: 1
1145 | type: string
1146 | value:
1147 | description: Value represents the value of a header
1148 | specified by a key
1149 | minLength: 1
1150 | type: string
1151 | required:
1152 | - name
1153 | - value
1154 | type: object
1155 | type: array
1156 | type: object
1157 | validation:
1158 | description: UpstreamValidation defines how to verify the
1159 | backend service's certificate
1160 | properties:
1161 | caSecret:
1162 | description: Name of the Kubernetes secret be used to
1163 | validate the certificate presented by the backend
1164 | type: string
1165 | subjectName:
1166 | description: Key which is expected to be present in the
1167 | 'subjectAltName' of the presented certificate
1168 | type: string
1169 | required:
1170 | - caSecret
1171 | - subjectName
1172 | type: object
1173 | weight:
1174 | description: Weight defines percentage of traffic to balance
1175 | traffic
1176 | format: int64
1177 | minimum: 0
1178 | type: integer
1179 | required:
1180 | - name
1181 | - port
1182 | type: object
1183 | minItems: 1
1184 | type: array
1185 | required:
1186 | - services
1187 | type: object
1188 | virtualhost:
1189 | description: Virtualhost appears at most once. If it is present, the
1190 | object is considered to be a "root".
1191 | properties:
1192 | fqdn:
1193 | description: The fully qualified domain name of the root of the
1194 | ingress tree all leaves of the DAG rooted at this object relate
1195 | to the fqdn
1196 | type: string
1197 | tls:
1198 | description: If present describes tls properties. The SNI names
1199 | that will be matched on are described in fqdn, the tls.secretName
1200 | secret must contain a matching certificate
1201 | properties:
1202 | clientValidation:
1203 | description: 'ClientValidation defines how to verify the client
1204 | certificate when an external client establishes a TLS connection
1205 | to Envoy. This setting: 1. Enables TLS client certificate
1206 | validation. 2. Requires clients to present a TLS certificate
1207 | (i.e. not optional validation). 3. Specifies how the client
1208 | certificate will be validated.'
1209 | properties:
1210 | caSecret:
1211 | description: Name of a Kubernetes secret that contains a
1212 | CA certificate bundle. The client certificate must validate
1213 | against the certificates in the bundle.
1214 | minLength: 1
1215 | type: string
1216 | required:
1217 | - caSecret
1218 | type: object
1219 | minimumProtocolVersion:
1220 | description: Minimum TLS version this vhost should negotiate
1221 | type: string
1222 | passthrough:
1223 | description: If Passthrough is set to true, the SecretName will
1224 | be ignored and the encrypted handshake will be passed through
1225 | to the backing cluster.
1226 | type: boolean
1227 | secretName:
1228 | description: required, the name of a secret in the current namespace
1229 | type: string
1230 | type: object
1231 | required:
1232 | - fqdn
1233 | type: object
1234 | type: object
1235 | status:
1236 | description: Status reports the current state of the HTTPProxy.
1237 | properties:
1238 | currentStatus:
1239 | type: string
1240 | description:
1241 | type: string
1242 | type: object
1243 | required:
1244 | - metadata
1245 | - spec
1246 | type: object
1247 | version: v1
1248 | versions:
1249 | - name: v1
1250 | served: true
1251 | storage: true
1252 | status:
1253 | acceptedNames:
1254 | kind: ""
1255 | plural: ""
1256 | conditions: []
1257 | storedVersions: []
1258 | ---
1259 | apiVersion: apiextensions.k8s.io/v1beta1
1260 | kind: CustomResourceDefinition
1261 | metadata:
1262 | annotations:
1263 | controller-gen.kubebuilder.io/version: v0.2.4
1264 | creationTimestamp: null
1265 | name: tlscertificatedelegations.projectcontour.io
1266 | spec:
1267 | group: projectcontour.io
1268 | names:
1269 | kind: TLSCertificateDelegation
1270 | listKind: TLSCertificateDelegationList
1271 | plural: tlscertificatedelegations
1272 | shortNames:
1273 | - tlscerts
1274 | singular: tlscertificatedelegation
1275 | scope: Namespaced
1276 | validation:
1277 | openAPIV3Schema:
1278 | description: TLSCertificateDelegation is an TLS Certificate Delegation CRD specificiation.
1279 | See design/tls-certificate-delegation.md for details.
1280 | properties:
1281 | apiVersion:
1282 | description: 'APIVersion defines the versioned schema of this representation
1283 | of an object. Servers should convert recognized schemas to the latest
1284 | internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
1285 | type: string
1286 | kind:
1287 | description: 'Kind is a string value representing the REST resource this
1288 | object represents. Servers may infer this from the endpoint the client
1289 | submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
1290 | type: string
1291 | metadata:
1292 | type: object
1293 | spec:
1294 | description: TLSCertificateDelegationSpec defines the spec of the CRD
1295 | properties:
1296 | delegations:
1297 | items:
1298 | description: CertificateDelegation maps the authority to reference
1299 | a secret in the current namespace to a set of namespaces.
1300 | properties:
1301 | secretName:
1302 | description: required, the name of a secret in the current namespace.
1303 | type: string
1304 | targetNamespaces:
1305 | description: required, the namespaces the authority to reference
1306 | the the secret will be delegated to. If TargetNamespaces is
1307 | nil or empty, the CertificateDelegation' is ignored. If the
1308 | TargetNamespace list contains the character, "*" the secret
1309 | will be delegated to all namespaces.
1310 | items:
1311 | type: string
1312 | type: array
1313 | required:
1314 | - secretName
1315 | - targetNamespaces
1316 | type: object
1317 | type: array
1318 | required:
1319 | - delegations
1320 | type: object
1321 | required:
1322 | - metadata
1323 | - spec
1324 | type: object
1325 | version: v1
1326 | versions:
1327 | - name: v1
1328 | served: true
1329 | storage: true
1330 | status:
1331 | acceptedNames:
1332 | kind: ""
1333 | plural: ""
1334 | conditions: []
1335 | storedVersions: []
1336 | ---
1337 | apiVersion: v1
1338 | kind: ServiceAccount
1339 | metadata:
1340 | name: contour-certgen
1341 | namespace: projectcontour
1342 | ---
1343 | apiVersion: rbac.authorization.k8s.io/v1beta1
1344 | kind: RoleBinding
1345 | metadata:
1346 | name: contour
1347 | namespace: projectcontour
1348 | roleRef:
1349 | apiGroup: rbac.authorization.k8s.io
1350 | kind: Role
1351 | name: contour-certgen
1352 | subjects:
1353 | - kind: ServiceAccount
1354 | name: contour-certgen
1355 | namespace: projectcontour
1356 | ---
1357 | apiVersion: rbac.authorization.k8s.io/v1beta1
1358 | kind: Role
1359 | metadata:
1360 | name: contour-certgen
1361 | namespace: projectcontour
1362 | rules:
1363 | - apiGroups:
1364 | - ""
1365 | resources:
1366 | - secrets
1367 | verbs:
1368 | - list
1369 | - watch
1370 | - create
1371 | - get
1372 | - put
1373 | - post
1374 | - patch
1375 | ---
1376 | apiVersion: batch/v1
1377 | kind: Job
1378 | metadata:
1379 | name: contour-certgen
1380 | namespace: projectcontour
1381 | spec:
1382 | ttlSecondsAfterFinished: 0
1383 | template:
1384 | metadata:
1385 | labels:
1386 | app: "contour-certgen"
1387 | spec:
1388 | containers:
1389 | - name: contour
1390 | # This version is set to latest because Job specs are immutable;
1391 | # if we change this on each version, you can no longer upgrade
1392 | # just by applying the deployment YAML.
1393 | # See #2423, #2395, #2150, and #2030 for earlier questions about this.
1394 | image: docker.io/projectcontour/contour:latest
1395 | imagePullPolicy: IfNotPresent
1396 | command:
1397 | - contour
1398 | - certgen
1399 | - --incluster
1400 | - --kube
1401 | - --namespace=$(CONTOUR_NAMESPACE)
1402 | env:
1403 | - name: CONTOUR_NAMESPACE
1404 | valueFrom:
1405 | fieldRef:
1406 | fieldPath: metadata.namespace
1407 | restartPolicy: Never
1408 | serviceAccountName: contour-certgen
1409 | securityContext:
1410 | runAsNonRoot: true
1411 | runAsUser: 65534
1412 | runAsGroup: 65534
1413 | parallelism: 1
1414 | completions: 1
1415 | backoffLimit: 1
1416 | ---
1417 | apiVersion: rbac.authorization.k8s.io/v1beta1
1418 | kind: ClusterRoleBinding
1419 | metadata:
1420 | name: contour
1421 | roleRef:
1422 | apiGroup: rbac.authorization.k8s.io
1423 | kind: ClusterRole
1424 | name: contour
1425 | subjects:
1426 | - kind: ServiceAccount
1427 | name: contour
1428 | namespace: projectcontour
1429 | ---
1430 | apiVersion: rbac.authorization.k8s.io/v1beta1
1431 | kind: ClusterRole
1432 | metadata:
1433 | name: contour
1434 | rules:
1435 | - apiGroups:
1436 | - ""
1437 | resources:
1438 | - configmaps
1439 | - endpoints
1440 | - nodes
1441 | - pods
1442 | - secrets
1443 | verbs:
1444 | - list
1445 | - watch
1446 | - apiGroups:
1447 | - ""
1448 | resources:
1449 | - nodes
1450 | verbs:
1451 | - get
1452 | - apiGroups:
1453 | - ""
1454 | resources:
1455 | - services
1456 | verbs:
1457 | - get
1458 | - list
1459 | - watch
1460 | - apiGroups:
1461 | - "networking.k8s.io"
1462 | resources:
1463 | - ingresses
1464 | verbs:
1465 | - get
1466 | - list
1467 | - watch
1468 | - apiGroups:
1469 | - "networking.k8s.io"
1470 | resources:
1471 | - "ingresses/status"
1472 | verbs:
1473 | - get
1474 | - list
1475 | - watch
1476 | - patch
1477 | - post
1478 | - update
1479 | - apiGroups: ["contour.heptio.com"]
1480 | resources: ["ingressroutes", "tlscertificatedelegations"]
1481 | verbs:
1482 | - get
1483 | - list
1484 | - watch
1485 | - put
1486 | - post
1487 | - patch
1488 | - apiGroups: ["projectcontour.io"]
1489 | resources: ["httpproxies", "tlscertificatedelegations"]
1490 | verbs:
1491 | - get
1492 | - list
1493 | - watch
1494 | - put
1495 | - post
1496 | - patch
1497 | - apiGroups: ["networking.x.k8s.io"]
1498 | resources: ["gatewayclasses", "gateways", "httproutes", "tcproutes"]
1499 | verbs:
1500 | - get
1501 | - list
1502 | - watch
1503 | - put
1504 | - post
1505 | - patch
1506 | ---
1507 | apiVersion: rbac.authorization.k8s.io/v1beta1
1508 | kind: Role
1509 | metadata:
1510 | name: contour-leaderelection
1511 | namespace: projectcontour
1512 | rules:
1513 | - apiGroups:
1514 | - ""
1515 | resources:
1516 | - configmaps
1517 | verbs:
1518 | - create
1519 | - get
1520 | - list
1521 | - watch
1522 | - update
1523 | - apiGroups:
1524 | - ""
1525 | resources:
1526 | - events
1527 | verbs:
1528 | - create
1529 | - update
1530 | - patch
1531 | ---
1532 | apiVersion: rbac.authorization.k8s.io/v1beta1
1533 | kind: RoleBinding
1534 | metadata:
1535 | name: contour-leaderelection
1536 | namespace: projectcontour
1537 | roleRef:
1538 | apiGroup: rbac.authorization.k8s.io
1539 | kind: Role
1540 | name: contour-leaderelection
1541 | subjects:
1542 | - kind: ServiceAccount
1543 | name: contour
1544 | namespace: projectcontour
1545 | ---
1546 | apiVersion: v1
1547 | kind: Service
1548 | metadata:
1549 | name: contour
1550 | namespace: projectcontour
1551 | spec:
1552 | ports:
1553 | - port: 8001
1554 | name: xds
1555 | protocol: TCP
1556 | targetPort: 8001
1557 | selector:
1558 | app: contour
1559 | type: ClusterIP
1560 | ---
1561 | apiVersion: v1
1562 | kind: Service
1563 | metadata:
1564 | name: envoy
1565 | namespace: projectcontour
1566 | annotations:
1567 | # This annotation puts the AWS ELB into "TCP" mode so that it does not
1568 | # do HTTP negotiation for HTTPS connections at the ELB edge.
1569 | # The downside of this is the remote IP address of all connections will
1570 | # appear to be the internal address of the ELB. See docs/proxy-proto.md
1571 | # for information about enabling the PROXY protocol on the ELB to recover
1572 | # the original remote IP address.
1573 | service.beta.kubernetes.io/aws-load-balancer-backend-protocol: tcp
1574 | spec:
1575 | externalTrafficPolicy: Local
1576 | ports:
1577 | - port: 80
1578 | name: http
1579 | protocol: TCP
1580 | nodePort: 30000
1581 | - port: 443
1582 | name: https
1583 | protocol: TCP
1584 | nodePort: 30001
1585 | selector:
1586 | app: envoy
1587 | # type: LoadBalancer
1588 | type: NodePort
1589 | ---
1590 | apiVersion: apps/v1
1591 | kind: Deployment
1592 | metadata:
1593 | labels:
1594 | app: contour
1595 | name: contour
1596 | namespace: projectcontour
1597 | spec:
1598 | replicas: 2
1599 | strategy:
1600 | type: RollingUpdate
1601 | rollingUpdate:
1602 | # This value of maxSurge means that during a rolling update
1603 | # the new ReplicaSet will be created first.
1604 | maxSurge: 50%
1605 | selector:
1606 | matchLabels:
1607 | app: contour
1608 | template:
1609 | metadata:
1610 | annotations:
1611 | prometheus.io/scrape: "true"
1612 | prometheus.io/port: "8000"
1613 | labels:
1614 | app: contour
1615 | spec:
1616 | affinity:
1617 | podAntiAffinity:
1618 | preferredDuringSchedulingIgnoredDuringExecution:
1619 | - podAffinityTerm:
1620 | labelSelector:
1621 | matchLabels:
1622 | app: contour
1623 | topologyKey: kubernetes.io/hostname
1624 | weight: 100
1625 | containers:
1626 | - args:
1627 | - serve
1628 | - --incluster
1629 | - --xds-address=0.0.0.0
1630 | - --xds-port=8001
1631 | - --envoy-service-http-port=80
1632 | - --envoy-service-https-port=443
1633 | - --contour-cafile=/ca/cacert.pem
1634 | - --contour-cert-file=/certs/tls.crt
1635 | - --contour-key-file=/certs/tls.key
1636 | - --config-path=/config/contour.yaml
1637 | command: ["contour"]
1638 | image: docker.io/projectcontour/contour:v1.4.0
1639 | imagePullPolicy: IfNotPresent
1640 | name: contour
1641 | ports:
1642 | - containerPort: 8001
1643 | name: xds
1644 | protocol: TCP
1645 | - containerPort: 8000
1646 | name: debug
1647 | protocol: TCP
1648 | livenessProbe:
1649 | httpGet:
1650 | path: /healthz
1651 | port: 8000
1652 | readinessProbe:
1653 | tcpSocket:
1654 | port: 8001
1655 | initialDelaySeconds: 15
1656 | periodSeconds: 10
1657 | volumeMounts:
1658 | - name: contourcert
1659 | mountPath: /certs
1660 | readOnly: true
1661 | - name: cacert
1662 | mountPath: /ca
1663 | readOnly: true
1664 | - name: contour-config
1665 | mountPath: /config
1666 | readOnly: true
1667 | env:
1668 | - name: CONTOUR_NAMESPACE
1669 | valueFrom:
1670 | fieldRef:
1671 | apiVersion: v1
1672 | fieldPath: metadata.namespace
1673 | - name: POD_NAME
1674 | valueFrom:
1675 | fieldRef:
1676 | apiVersion: v1
1677 | fieldPath: metadata.name
1678 | dnsPolicy: ClusterFirst
1679 | serviceAccountName: contour
1680 | securityContext:
1681 | runAsNonRoot: true
1682 | runAsUser: 65534
1683 | runAsGroup: 65534
1684 | volumes:
1685 | - name: contourcert
1686 | secret:
1687 | secretName: contourcert
1688 | - name: cacert
1689 | secret:
1690 | secretName: cacert
1691 | - name: contour-config
1692 | configMap:
1693 | name: contour
1694 | defaultMode: 0644
1695 | items:
1696 | - key: contour.yaml
1697 | path: contour.yaml
1698 | ---
1699 | apiVersion: apps/v1
1700 | kind: DaemonSet
1701 | metadata:
1702 | labels:
1703 | app: envoy
1704 | name: envoy
1705 | namespace: projectcontour
1706 | spec:
1707 | updateStrategy:
1708 | type: RollingUpdate
1709 | rollingUpdate:
1710 | maxUnavailable: 10%
1711 | selector:
1712 | matchLabels:
1713 | app: envoy
1714 | template:
1715 | metadata:
1716 | annotations:
1717 | prometheus.io/scrape: "true"
1718 | prometheus.io/port: "8002"
1719 | prometheus.io/path: "/stats/prometheus"
1720 | labels:
1721 | app: envoy
1722 | spec:
1723 | containers:
1724 | - command:
1725 | - /bin/contour
1726 | args:
1727 | - envoy
1728 | - shutdown-manager
1729 | image: docker.io/projectcontour/contour:v1.4.0
1730 | imagePullPolicy: IfNotPresent
1731 | lifecycle:
1732 | preStop:
1733 | httpGet:
1734 | path: /shutdown
1735 | port: 8090
1736 | scheme: HTTP
1737 | livenessProbe:
1738 | httpGet:
1739 | path: /healthz
1740 | port: 8090
1741 | initialDelaySeconds: 3
1742 | periodSeconds: 10
1743 | name: shutdown-manager
1744 | - args:
1745 | - -c
1746 | - /config/envoy.json
1747 | - --service-cluster $(CONTOUR_NAMESPACE)
1748 | - --service-node $(ENVOY_POD_NAME)
1749 | - --log-level info
1750 | command:
1751 | - envoy
1752 | image: docker.io/envoyproxy/envoy:v1.14.1
1753 | imagePullPolicy: IfNotPresent
1754 | name: envoy
1755 | env:
1756 | - name: CONTOUR_NAMESPACE
1757 | valueFrom:
1758 | fieldRef:
1759 | apiVersion: v1
1760 | fieldPath: metadata.namespace
1761 | - name: ENVOY_POD_NAME
1762 | valueFrom:
1763 | fieldRef:
1764 | apiVersion: v1
1765 | fieldPath: metadata.name
1766 | ports:
1767 | - containerPort: 80
1768 | hostPort: 80
1769 | name: http
1770 | protocol: TCP
1771 | - containerPort: 443
1772 | hostPort: 443
1773 | name: https
1774 | protocol: TCP
1775 | readinessProbe:
1776 | httpGet:
1777 | path: /ready
1778 | port: 8002
1779 | initialDelaySeconds: 3
1780 | periodSeconds: 4
1781 | volumeMounts:
1782 | - name: envoy-config
1783 | mountPath: /config
1784 | - name: envoycert
1785 | mountPath: /certs
1786 | - name: cacert
1787 | mountPath: /ca
1788 | lifecycle:
1789 | preStop:
1790 | httpGet:
1791 | path: /shutdown
1792 | port: 8090
1793 | scheme: HTTP
1794 | initContainers:
1795 | - args:
1796 | - bootstrap
1797 | - /config/envoy.json
1798 | - --xds-address=contour
1799 | - --xds-port=8001
1800 | - --envoy-cafile=/ca/cacert.pem
1801 | - --envoy-cert-file=/certs/tls.crt
1802 | - --envoy-key-file=/certs/tls.key
1803 | command:
1804 | - contour
1805 | image: docker.io/projectcontour/contour:v1.4.0
1806 | imagePullPolicy: IfNotPresent
1807 | name: envoy-initconfig
1808 | volumeMounts:
1809 | - name: envoy-config
1810 | mountPath: /config
1811 | - name: envoycert
1812 | mountPath: /certs
1813 | readOnly: true
1814 | - name: cacert
1815 | mountPath: /ca
1816 | readOnly: true
1817 | env:
1818 | - name: CONTOUR_NAMESPACE
1819 | valueFrom:
1820 | fieldRef:
1821 | fieldPath: metadata.namespace
1822 | serviceAccountName: envoy
1823 | terminationGracePeriodSeconds: 300
1824 | volumes:
1825 | - name: envoy-config
1826 | emptyDir: {}
1827 | - name: envoycert
1828 | secret:
1829 | secretName: envoycert
1830 | - name: cacert
1831 | secret:
1832 | secretName: cacert
1833 | restartPolicy: Always
--------------------------------------------------------------------------------
/roles/docker/tasks/main.yml:
--------------------------------------------------------------------------------
1 | - pip:
2 | name:
3 | - docker
4 |
5 | - name: Remove swap file
6 | mount:
7 | name: swap
8 | fstype: swap
9 | state: absent
10 |
11 | - name: Disable Swap
12 | command: swapoff -a
13 |
14 | - name: Installing Docker
15 | apt:
16 | name: "{{ packages }}"
17 | update_cache: false
18 | state: present
19 | vars:
20 | packages:
21 | - docker.io
22 |
23 | - name: Download Docker Compose
24 | get_url:
25 | url: https://github.com/docker/compose/releases/download/1.25.5/docker-compose-Linux-x86_64
26 | dest: /usr/local/bin/docker-compose
27 | mode: '0777'
28 |
29 | - name: Reload configs
30 | systemd: daemon_reload=yes
31 |
32 | - name: Enable Docker Service
33 | systemd:
34 | name: docker
35 | enabled: yes
--------------------------------------------------------------------------------
/roles/front-proxy/tasks/main.yml:
--------------------------------------------------------------------------------
1 | - name: "Install envoy proxy requirements"
2 | apt:
3 | name: "{{ packages }}"
4 | update_cache: yes
5 | state: present
6 | vars:
7 | packages:
8 | - apt-transport-https
9 | - ca-certificates
10 | - gnupg-agent
11 | - software-properties-common
12 |
13 | - name: "Get envoy apt key"
14 | apt_key:
15 | url: https://getenvoy.io/gpg
16 | state: present
17 |
18 | - name: "Add Envoy repo"
19 | apt_repository:
20 | repo: deb [arch=amd64] https://dl.bintray.com/tetrate/getenvoy-deb bionic stable
21 | state: present
22 | filename: envoy
23 |
24 | - name: "Install envoy CLI"
25 | apt:
26 | name: "{{ packages }}"
27 | state: present
28 | update_cache: yes
29 | vars:
30 | packages:
31 | - getenvoy-envoy
32 |
33 | - name: "Create envoy directory"
34 | file:
35 | path: /etc/envoy/
36 | state: directory
37 | owner: root
38 | group: root
39 | mode: "0777"
40 |
41 | - name: "Put envoy template"
42 | template:
43 | src: envoy.yaml.j2
44 | dest: /etc/envoy/envoy.yaml
45 | owner: root
46 | group: root
47 | mode: "0777"
48 |
49 | - name: "Create envoy service file"
50 | template:
51 | src: envoy.system.j2
52 | dest: /etc/systemd/system/envoy.service
53 | owner: root
54 | group: root
55 | mode: "0777"
56 |
57 | - name: "Enable envoy service"
58 | systemd:
59 | name: envoy
60 | enabled: yes
61 |
62 | - name: "Restart envoy proxy"
63 | systemd:
64 | state: restarted
65 | daemon_reload: yes
66 | name: envoy
67 |
--------------------------------------------------------------------------------
/roles/front-proxy/templates/envoy.system.j2:
--------------------------------------------------------------------------------
1 | [Unit]
2 | Description=Envoy Proxy
3 |
4 | [Service]
5 | User=root
6 | Group=root
7 | ExecStart=/usr/bin/envoy -c /etc/envoy/envoy.yaml
8 | ExecReload=/bin/kill -HUP $MAINPID
9 | ExecStop=/bin/kill -TERM $MAINPID
10 | Restart=always
11 | RestartSec=30
12 |
13 | [Install]
14 | WantedBy=multi-user.target
--------------------------------------------------------------------------------
/roles/front-proxy/templates/envoy.yaml.j2:
--------------------------------------------------------------------------------
1 | static_resources:
2 | listeners:
3 | - address:
4 | socket_address:
5 | address: 0.0.0.0
6 | port_value: 80
7 |
8 | # TCP Filter
9 | filter_chains:
10 | - filters:
11 | - name: envoy.tcp_proxy
12 | config:
13 | stat_prefix: ingress_tcp
14 | cluster: k8s_cluster_http
15 | access_log:
16 | - name: envoy.file_access_log
17 | config:
18 | path: /dev/null
19 |
20 | - address:
21 | socket_address:
22 | address: 0.0.0.0
23 | port_value: 443
24 |
25 | # TCP Filter
26 | filter_chains:
27 | - filters:
28 | - name: envoy.tcp_proxy
29 | config:
30 | stat_prefix: ingress_tcp
31 | cluster: k8s_cluster_https
32 | access_log:
33 | - name: envoy.file_access_log
34 | config:
35 | path: /dev/null
36 |
37 | clusters:
38 | - name: "k8s_cluster_http"
39 | connect_timeout: "30s"
40 | type: "strict_dns"
41 | lb_policy: "LEAST_REQUEST"
42 | # lb_policy: "ROUND_ROBIN"
43 | # lb_policy: "RING_HASH"
44 | # lb_policy: "MAGLEV"
45 | hosts:
46 |
47 | {% for host in groups['nodes'] %}
48 |
49 | - socket_address:
50 | address: {{ host }}
51 | port_value: 80
52 |
53 | {% endfor %}
54 |
55 | - name: "k8s_cluster_https"
56 | connect_timeout: "30s"
57 | type: "strict_dns"
58 | lb_policy: "LEAST_REQUEST"
59 | # lb_policy: "ROUND_ROBIN"
60 | # lb_policy: "RING_HASH"
61 | # lb_policy: "MAGLEV"
62 | hosts:
63 |
64 | {% for host in groups['nodes'] %}
65 |
66 | - socket_address:
67 | address: {{ host }}
68 | port_value: 443
69 |
70 | {% endfor %}
--------------------------------------------------------------------------------
/roles/harbor/tasks/main.yml:
--------------------------------------------------------------------------------
1 | - name: Download harbor package
2 | get_url:
3 | url: https://storage.googleapis.com/harbor-releases/release-1.8.0/harbor-offline-installer-v1.8.1.tgz
4 | dest: /tmp/harbor.tgz
5 | mode: '0777'
6 |
7 | - name: Extract /tmp/harbor.tgz
8 | unarchive:
9 | src: /tmp/harbor.tgz
10 | dest: /tmp
11 | remote_src: yes
12 | args:
13 | creates: /tmp/harbor
14 |
15 | - name: Put harbor template
16 | template:
17 | src: harbor.yml.j2
18 | dest: /tmp/harbor/harbor.yml
19 | owner: root
20 | group: root
21 | mode: '0777'
22 |
23 | - name: Install harbor with clair
24 | shell: "/tmp/harbor/install.sh --with-clair"
25 | args:
26 | chdir: /tmp/
27 | creates: harbor-install.log
--------------------------------------------------------------------------------
/roles/harbor/templates/harbor.yml.j2:
--------------------------------------------------------------------------------
1 | hostname: {{ cert_domain_name }}
2 |
3 | http:
4 | # port for http, default is 80. If https enabled, this port will redirect to https port
5 | port: 80
6 |
7 | https:
8 | port: 443
9 | certificate: /etc/letsencrypt/live/{{ cert_domain_name }}/fullchain.pem
10 | private_key: /etc/letsencrypt/live/{{ cert_domain_name }}/privkey.pem
11 | external_url: https://{{ cert_domain_name }}
12 |
13 | harbor_admin_password: {{ harbor_admin }}
14 |
15 | # Harbor DB configuration
16 | database:
17 | # The password for the root user of Harbor DB. Change this before any production use.
18 | password: root123
19 |
20 | # The default data volume
21 | data_volume: /data
22 |
23 | # Harbor Storage settings by default is using /data dir on local filesystem
24 | # Uncomment storage_service setting If you want to using external storage
25 | # storage_service:
26 | # # ca_bundle is the path to the custom root ca certificate, which will be injected into the truststore
27 | # # of registry's and chart repository's containers. This is usually needed when the user hosts a internal storage with self signed certificate.
28 | # ca_bundle:
29 |
30 | # # storage backend, default is filesystem, options include filesystem, azure, gcs, s3, swift and oss
31 | # # for more info about this configuration please refer https://docs.docker.com/registry/configuration/
32 | # filesystem:
33 | # maxthreads: 100
34 | # # set disable to true when you want to disable registry redirect
35 | # redirect:
36 | # disabled: false
37 |
38 | # Clair configuration
39 | clair:
40 | updaters_interval: 12
41 | http_proxy:
42 | https_proxy:
43 | no_proxy: 127.0.0.1,localhost,core,registry
44 |
45 | jobservice:
46 | max_job_workers: 10
47 |
48 | chart:
49 | absolute_url: disabled
50 |
51 | log:
52 | level: info
53 | rotate_count: 50
54 | rotate_size: 200M
55 | location: /var/log/harbor
56 |
57 | #This attribute is for migrator to detect the version of the .cfg file, DO NOT MODIFY!
58 | _version: 1.8.0
59 |
60 | # Uncomment external_database if using external database.
61 | # external_database:
62 | # harbor:
63 | # host: harbor_db_host
64 | # port: harbor_db_port
65 | # db_name: harbor_db_name
66 | # username: harbor_db_username
67 | # password: harbor_db_password
68 | # ssl_mode: disable
69 | # clair:
70 | # host: clair_db_host
71 | # port: clair_db_port
72 | # db_name: clair_db_name
73 | # username: clair_db_username
74 | # password: clair_db_password
75 | # ssl_mode: disable
76 | # notary_signer:
77 | # host: notary_signer_db_host
78 | # port: notary_signer_db_port
79 | # db_name: notary_signer_db_name
80 | # username: notary_signer_db_username
81 | # password: notary_signer_db_password
82 | # ssl_mode: disable
83 | # notary_server:
84 | # host: notary_server_db_host
85 | # port: notary_server_db_port
86 | # db_name: notary_server_db_name
87 | # username: notary_server_db_username
88 | # password: notary_server_db_password
89 | # ssl_mode: disable
90 |
91 | # Uncomment external_redis if using external Redis server
92 | # external_redis:
93 | # host: redis
94 | # port: 6379
95 | # password:
96 | # # db_index 0 is for core, it's unchangeable
97 | # registry_db_index: 1
98 | # jobservice_db_index: 2
99 | # chartmuseum_db_index: 3
100 |
101 | # Uncomment uaa for trusting the certificate of uaa instance that is hosted via self-signed cert.
102 | # uaa:
103 | # ca_file: /path/to/ca
--------------------------------------------------------------------------------
/roles/kubernetes/tasks/main.yml:
--------------------------------------------------------------------------------
1 | - name: Get Kubernetes apt-key
2 | apt_key:
3 | url: https://packages.cloud.google.com/apt/doc/apt-key.gpg
4 | state: present
5 |
6 | - name: Add kubernetes repo
7 | apt_repository:
8 | repo: deb http://apt.kubernetes.io/ kubernetes-xenial main
9 | state: present
10 | filename: kubernetes
11 |
12 | - name: Install kubernetes packages
13 | apt:
14 | name: "{{ packages }}"
15 | update_cache: true
16 | state: present
17 | vars:
18 | packages:
19 | - kubelet
20 | - kubeadm
--------------------------------------------------------------------------------
/roles/letsencrypt/tasks/main.yml:
--------------------------------------------------------------------------------
1 | - name: Add certbot PPA
2 | apt_repository:
3 | repo: 'ppa:certbot/certbot'
4 |
5 | - name: Install Certbot for Nginx
6 | apt:
7 | name: 'python-certbot-nginx'
8 | state: present
9 |
10 | - name: check if certificate exists
11 | stat:
12 | path: /etc/letsencrypt/live/{{ cert_domain_name }}/cert.pem
13 | register: cert_exists
14 |
15 | - name: check if service is running on port 80
16 | wait_for:
17 | port: 80
18 | timeout: 10
19 | state: stopped
20 | msg: "Port 80 already allocated"
21 | register: service_status
22 | ignore_errors: yes
23 |
24 | - name: debug cert_exists
25 | debug:
26 | var: cert_exists
27 |
28 | - name: debug service_status
29 | debug:
30 | var: service_status
31 |
32 | - name: Generate new certificate for {{ cert_domain_name }}
33 | shell: "certbot certonly --standalone --noninteractive --agree-tos --email {{ cert_admin_email }} -d {{ cert_domain_name }}"
34 | when:
35 | - cert_exists.stat.exists == false
36 | - service_status.state == "stopped"
--------------------------------------------------------------------------------
/roles/linkerd/tasks/dashboard.yml:
--------------------------------------------------------------------------------
1 | - name: Put linkerd dashboard template
2 | template:
3 | src: dashboard.yml.j2
4 | dest: /tmp/linkerd-dashboard.yml
5 | mode: 0777
6 |
7 | - name: Deploy linkerd dashboard
8 | shell: 'kubectl apply -f /tmp/linkerd-dashboard.yml'
--------------------------------------------------------------------------------
/roles/linkerd/tasks/main.yml:
--------------------------------------------------------------------------------
1 | - include_tasks: "setup.yml"
2 | - include_tasks: "dashboard.yml"
--------------------------------------------------------------------------------
/roles/linkerd/tasks/setup.yml:
--------------------------------------------------------------------------------
1 | - name: Download Linkerd Script
2 | get_url:
3 | url: https://run.linkerd.io/install
4 | dest: /tmp/linkerd-install.sh
5 | mode: 0777
6 |
7 | - name: Install Linkerd CLI
8 | shell: 'sh /tmp/linkerd-install.sh'
9 |
10 | - name: Create linkerd symlink
11 | file:
12 | src: $HOME/.linkerd2/bin/linkerd
13 | dest: /usr/local/bin/linkerd
14 | mode: 0777
15 | owner: root
16 | group: root
17 | state: link
18 |
19 | - name: Put linkerd template
20 | template:
21 | src: linkerd.yml.j2
22 | dest: /tmp/linkerd.yml
23 | mode: 0777
24 |
25 | - name: Linkerd Apply
26 | shell: 'kubectl apply -f /tmp/linkerd.yml'
--------------------------------------------------------------------------------
/roles/linkerd/templates/dashboard.yml.j2:
--------------------------------------------------------------------------------
1 | apiVersion: projectcontour.io/v1
2 | kind: HTTPProxy
3 | metadata:
4 | name: linkerd-web
5 | namespace: linkerd
6 | spec:
7 | virtualhost:
8 | fqdn: {{ linkerd_url }}
9 | routes:
10 | - services:
11 | - name: linkerd-web
12 | port: 8084
13 | - conditions:
14 | - prefix: /api/tap
15 | enableWebsockets: true
16 | services:
17 | - name: linkerd-web
18 | port: 8084
--------------------------------------------------------------------------------
/roles/masters/tasks/flannel.yml:
--------------------------------------------------------------------------------
1 | - name: Put flannel template
2 | template:
3 | src: kube-flannel.yml.j2
4 | dest: /tmp/flannel.yml
5 | owner: root
6 | group: root
7 | mode: "0777"
8 |
9 | - name: Setup flannel
10 | shell: kubectl -n kube-system apply -f /tmp/flannel.yml >> flannel-apply.log
11 | args:
12 | chdir: $HOME
13 | creates: flannel-apply.log
--------------------------------------------------------------------------------
/roles/masters/tasks/main.yml:
--------------------------------------------------------------------------------
1 | - include_tasks: "setup.yml"
2 | - include_tasks: "flannel.yml"
3 | - include_tasks: "token.yml"
--------------------------------------------------------------------------------
/roles/masters/tasks/setup.yml:
--------------------------------------------------------------------------------
1 | - name: Initialize Kubernetes Cluster
2 | shell: kubeadm init --pod-network-cidr 10.244.0.0/16 --ignore-preflight-errors=NumCPU >> cluster_init.log
3 | args:
4 | chdir: $HOME
5 | creates: cluster_init.log
6 |
7 | - name: Create .kube directory
8 | file:
9 | path: $HOME/.kube
10 | state: directory
11 | owner: root
12 | group: root
13 | mode: 0775
14 |
15 | - name: Copy default cluster configuration
16 | shell: cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
17 | args:
18 | chdir: $HOME
19 | creates: $HOME/.kube/config
20 |
21 | - name: Change config mode
22 | file:
23 | path: $HOME/.kube/config
24 | state: file
25 | owner: root
26 | group: root
27 | mode: 0660
28 |
29 | - name: Put template kubelet file
30 | template:
31 | src: kubelet-config.yml.j2
32 | dest: /var/lib/kubelet/config.yaml
33 | owner: root
34 | group: root
35 | mode: 0777
--------------------------------------------------------------------------------
/roles/masters/tasks/token.yml:
--------------------------------------------------------------------------------
1 | - name: Create token to join cluster
2 | shell: kubeadm token create --print-join-command
3 | register: join_command_raw
4 | - debug: msg="join command is {{ join_command_raw.stdout }}"
5 |
6 | - name: Set join command as fact
7 | set_fact: join_command="{{ join_command_raw.stdout }}"
--------------------------------------------------------------------------------
/roles/masters/templates/kube-flannel.yml.j2:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: policy/v1beta1
3 | kind: PodSecurityPolicy
4 | metadata:
5 | name: psp.flannel.unprivileged
6 | annotations:
7 | seccomp.security.alpha.kubernetes.io/allowedProfileNames: docker/default
8 | seccomp.security.alpha.kubernetes.io/defaultProfileName: docker/default
9 | apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default
10 | apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default
11 | spec:
12 | privileged: false
13 | volumes:
14 | - configMap
15 | - secret
16 | - emptyDir
17 | - hostPath
18 | allowedHostPaths:
19 | - pathPrefix: "/etc/cni/net.d"
20 | - pathPrefix: "/etc/kube-flannel"
21 | - pathPrefix: "/run/flannel"
22 | readOnlyRootFilesystem: false
23 | # Users and groups
24 | runAsUser:
25 | rule: RunAsAny
26 | supplementalGroups:
27 | rule: RunAsAny
28 | fsGroup:
29 | rule: RunAsAny
30 | # Privilege Escalation
31 | allowPrivilegeEscalation: false
32 | defaultAllowPrivilegeEscalation: false
33 | # Capabilities
34 | allowedCapabilities: ['NET_ADMIN']
35 | defaultAddCapabilities: []
36 | requiredDropCapabilities: []
37 | # Host namespaces
38 | hostPID: false
39 | hostIPC: false
40 | hostNetwork: true
41 | hostPorts:
42 | - min: 0
43 | max: 65535
44 | # SELinux
45 | seLinux:
46 | # SELinux is unused in CaaSP
47 | rule: 'RunAsAny'
48 | ---
49 | kind: ClusterRole
50 | apiVersion: rbac.authorization.k8s.io/v1beta1
51 | metadata:
52 | name: flannel
53 | rules:
54 | - apiGroups: ['extensions']
55 | resources: ['podsecuritypolicies']
56 | verbs: ['use']
57 | resourceNames: ['psp.flannel.unprivileged']
58 | - apiGroups:
59 | - ""
60 | resources:
61 | - pods
62 | verbs:
63 | - get
64 | - apiGroups:
65 | - ""
66 | resources:
67 | - nodes
68 | verbs:
69 | - list
70 | - watch
71 | - apiGroups:
72 | - ""
73 | resources:
74 | - nodes/status
75 | verbs:
76 | - patch
77 | ---
78 | kind: ClusterRoleBinding
79 | apiVersion: rbac.authorization.k8s.io/v1beta1
80 | metadata:
81 | name: flannel
82 | roleRef:
83 | apiGroup: rbac.authorization.k8s.io
84 | kind: ClusterRole
85 | name: flannel
86 | subjects:
87 | - kind: ServiceAccount
88 | name: flannel
89 | namespace: kube-system
90 | ---
91 | apiVersion: v1
92 | kind: ServiceAccount
93 | metadata:
94 | name: flannel
95 | namespace: kube-system
96 | ---
97 | kind: ConfigMap
98 | apiVersion: v1
99 | metadata:
100 | name: kube-flannel-cfg
101 | namespace: kube-system
102 | labels:
103 | tier: node
104 | app: flannel
105 | data:
106 | cni-conf.json: |
107 | {
108 | "name": "cbr0",
109 | "cniVersion": "0.3.1",
110 | "plugins": [
111 | {
112 | "type": "flannel",
113 | "delegate": {
114 | "hairpinMode": true,
115 | "isDefaultGateway": true
116 | }
117 | },
118 | {
119 | "type": "portmap",
120 | "capabilities": {
121 | "portMappings": true
122 | }
123 | }
124 | ]
125 | }
126 | net-conf.json: |
127 | {
128 | "Network": "10.244.0.0/16",
129 | "Backend": {
130 | "Type": "vxlan"
131 | }
132 | }
133 | ---
134 | apiVersion: apps/v1
135 | kind: DaemonSet
136 | metadata:
137 | name: kube-flannel-ds-amd64
138 | namespace: kube-system
139 | labels:
140 | tier: node
141 | app: flannel
142 | spec:
143 | selector:
144 | matchLabels:
145 | app: flannel
146 | template:
147 | metadata:
148 | labels:
149 | tier: node
150 | app: flannel
151 | spec:
152 | affinity:
153 | nodeAffinity:
154 | requiredDuringSchedulingIgnoredDuringExecution:
155 | nodeSelectorTerms:
156 | - matchExpressions:
157 | - key: beta.kubernetes.io/os
158 | operator: In
159 | values:
160 | - linux
161 | - key: beta.kubernetes.io/arch
162 | operator: In
163 | values:
164 | - amd64
165 | hostNetwork: true
166 | tolerations:
167 | - operator: Exists
168 | effect: NoSchedule
169 | serviceAccountName: flannel
170 | initContainers:
171 | - name: install-cni
172 | image: quay.io/coreos/flannel:v0.11.0-amd64
173 | command:
174 | - cp
175 | args:
176 | - -f
177 | - /etc/kube-flannel/cni-conf.json
178 | - /etc/cni/net.d/10-flannel.conflist
179 | volumeMounts:
180 | - name: cni
181 | mountPath: /etc/cni/net.d
182 | - name: flannel-cfg
183 | mountPath: /etc/kube-flannel/
184 | containers:
185 | - name: kube-flannel
186 | image: quay.io/coreos/flannel:v0.11.0-amd64
187 | command:
188 | - /opt/bin/flanneld
189 | args:
190 | - --ip-masq
191 | - --kube-subnet-mgr
192 | resources:
193 | requests:
194 | cpu: "100m"
195 | memory: "50Mi"
196 | limits:
197 | cpu: "100m"
198 | memory: "50Mi"
199 | securityContext:
200 | privileged: false
201 | capabilities:
202 | add: ["NET_ADMIN"]
203 | env:
204 | - name: POD_NAME
205 | valueFrom:
206 | fieldRef:
207 | fieldPath: metadata.name
208 | - name: POD_NAMESPACE
209 | valueFrom:
210 | fieldRef:
211 | fieldPath: metadata.namespace
212 | volumeMounts:
213 | - name: run
214 | mountPath: /run/flannel
215 | - name: flannel-cfg
216 | mountPath: /etc/kube-flannel/
217 | volumes:
218 | - name: run
219 | hostPath:
220 | path: /run/flannel
221 | - name: cni
222 | hostPath:
223 | path: /etc/cni/net.d
224 | - name: flannel-cfg
225 | configMap:
226 | name: kube-flannel-cfg
227 | ---
228 | apiVersion: apps/v1
229 | kind: DaemonSet
230 | metadata:
231 | name: kube-flannel-ds-arm64
232 | namespace: kube-system
233 | labels:
234 | tier: node
235 | app: flannel
236 | spec:
237 | selector:
238 | matchLabels:
239 | app: flannel
240 | template:
241 | metadata:
242 | labels:
243 | tier: node
244 | app: flannel
245 | spec:
246 | affinity:
247 | nodeAffinity:
248 | requiredDuringSchedulingIgnoredDuringExecution:
249 | nodeSelectorTerms:
250 | - matchExpressions:
251 | - key: beta.kubernetes.io/os
252 | operator: In
253 | values:
254 | - linux
255 | - key: beta.kubernetes.io/arch
256 | operator: In
257 | values:
258 | - arm64
259 | hostNetwork: true
260 | tolerations:
261 | - operator: Exists
262 | effect: NoSchedule
263 | serviceAccountName: flannel
264 | initContainers:
265 | - name: install-cni
266 | image: quay.io/coreos/flannel:v0.11.0-arm64
267 | command:
268 | - cp
269 | args:
270 | - -f
271 | - /etc/kube-flannel/cni-conf.json
272 | - /etc/cni/net.d/10-flannel.conflist
273 | volumeMounts:
274 | - name: cni
275 | mountPath: /etc/cni/net.d
276 | - name: flannel-cfg
277 | mountPath: /etc/kube-flannel/
278 | containers:
279 | - name: kube-flannel
280 | image: quay.io/coreos/flannel:v0.11.0-arm64
281 | command:
282 | - /opt/bin/flanneld
283 | args:
284 | - --ip-masq
285 | - --kube-subnet-mgr
286 | resources:
287 | requests:
288 | cpu: "100m"
289 | memory: "50Mi"
290 | limits:
291 | cpu: "100m"
292 | memory: "50Mi"
293 | securityContext:
294 | privileged: false
295 | capabilities:
296 | add: ["NET_ADMIN"]
297 | env:
298 | - name: POD_NAME
299 | valueFrom:
300 | fieldRef:
301 | fieldPath: metadata.name
302 | - name: POD_NAMESPACE
303 | valueFrom:
304 | fieldRef:
305 | fieldPath: metadata.namespace
306 | volumeMounts:
307 | - name: run
308 | mountPath: /run/flannel
309 | - name: flannel-cfg
310 | mountPath: /etc/kube-flannel/
311 | volumes:
312 | - name: run
313 | hostPath:
314 | path: /run/flannel
315 | - name: cni
316 | hostPath:
317 | path: /etc/cni/net.d
318 | - name: flannel-cfg
319 | configMap:
320 | name: kube-flannel-cfg
321 | ---
322 | apiVersion: apps/v1
323 | kind: DaemonSet
324 | metadata:
325 | name: kube-flannel-ds-arm
326 | namespace: kube-system
327 | labels:
328 | tier: node
329 | app: flannel
330 | spec:
331 | selector:
332 | matchLabels:
333 | app: flannel
334 | template:
335 | metadata:
336 | labels:
337 | tier: node
338 | app: flannel
339 | spec:
340 | affinity:
341 | nodeAffinity:
342 | requiredDuringSchedulingIgnoredDuringExecution:
343 | nodeSelectorTerms:
344 | - matchExpressions:
345 | - key: beta.kubernetes.io/os
346 | operator: In
347 | values:
348 | - linux
349 | - key: beta.kubernetes.io/arch
350 | operator: In
351 | values:
352 | - arm
353 | hostNetwork: true
354 | tolerations:
355 | - operator: Exists
356 | effect: NoSchedule
357 | serviceAccountName: flannel
358 | initContainers:
359 | - name: install-cni
360 | image: quay.io/coreos/flannel:v0.11.0-arm
361 | command:
362 | - cp
363 | args:
364 | - -f
365 | - /etc/kube-flannel/cni-conf.json
366 | - /etc/cni/net.d/10-flannel.conflist
367 | volumeMounts:
368 | - name: cni
369 | mountPath: /etc/cni/net.d
370 | - name: flannel-cfg
371 | mountPath: /etc/kube-flannel/
372 | containers:
373 | - name: kube-flannel
374 | image: quay.io/coreos/flannel:v0.11.0-arm
375 | command:
376 | - /opt/bin/flanneld
377 | args:
378 | - --ip-masq
379 | - --kube-subnet-mgr
380 | resources:
381 | requests:
382 | cpu: "100m"
383 | memory: "50Mi"
384 | limits:
385 | cpu: "100m"
386 | memory: "50Mi"
387 | securityContext:
388 | privileged: false
389 | capabilities:
390 | add: ["NET_ADMIN"]
391 | env:
392 | - name: POD_NAME
393 | valueFrom:
394 | fieldRef:
395 | fieldPath: metadata.name
396 | - name: POD_NAMESPACE
397 | valueFrom:
398 | fieldRef:
399 | fieldPath: metadata.namespace
400 | volumeMounts:
401 | - name: run
402 | mountPath: /run/flannel
403 | - name: flannel-cfg
404 | mountPath: /etc/kube-flannel/
405 | volumes:
406 | - name: run
407 | hostPath:
408 | path: /run/flannel
409 | - name: cni
410 | hostPath:
411 | path: /etc/cni/net.d
412 | - name: flannel-cfg
413 | configMap:
414 | name: kube-flannel-cfg
415 | ---
416 | apiVersion: apps/v1
417 | kind: DaemonSet
418 | metadata:
419 | name: kube-flannel-ds-ppc64le
420 | namespace: kube-system
421 | labels:
422 | tier: node
423 | app: flannel
424 | spec:
425 | selector:
426 | matchLabels:
427 | app: flannel
428 | template:
429 | metadata:
430 | labels:
431 | tier: node
432 | app: flannel
433 | spec:
434 | affinity:
435 | nodeAffinity:
436 | requiredDuringSchedulingIgnoredDuringExecution:
437 | nodeSelectorTerms:
438 | - matchExpressions:
439 | - key: beta.kubernetes.io/os
440 | operator: In
441 | values:
442 | - linux
443 | - key: beta.kubernetes.io/arch
444 | operator: In
445 | values:
446 | - ppc64le
447 | hostNetwork: true
448 | tolerations:
449 | - operator: Exists
450 | effect: NoSchedule
451 | serviceAccountName: flannel
452 | initContainers:
453 | - name: install-cni
454 | image: quay.io/coreos/flannel:v0.11.0-ppc64le
455 | command:
456 | - cp
457 | args:
458 | - -f
459 | - /etc/kube-flannel/cni-conf.json
460 | - /etc/cni/net.d/10-flannel.conflist
461 | volumeMounts:
462 | - name: cni
463 | mountPath: /etc/cni/net.d
464 | - name: flannel-cfg
465 | mountPath: /etc/kube-flannel/
466 | containers:
467 | - name: kube-flannel
468 | image: quay.io/coreos/flannel:v0.11.0-ppc64le
469 | command:
470 | - /opt/bin/flanneld
471 | args:
472 | - --ip-masq
473 | - --kube-subnet-mgr
474 | resources:
475 | requests:
476 | cpu: "100m"
477 | memory: "50Mi"
478 | limits:
479 | cpu: "100m"
480 | memory: "50Mi"
481 | securityContext:
482 | privileged: false
483 | capabilities:
484 | add: ["NET_ADMIN"]
485 | env:
486 | - name: POD_NAME
487 | valueFrom:
488 | fieldRef:
489 | fieldPath: metadata.name
490 | - name: POD_NAMESPACE
491 | valueFrom:
492 | fieldRef:
493 | fieldPath: metadata.namespace
494 | volumeMounts:
495 | - name: run
496 | mountPath: /run/flannel
497 | - name: flannel-cfg
498 | mountPath: /etc/kube-flannel/
499 | volumes:
500 | - name: run
501 | hostPath:
502 | path: /run/flannel
503 | - name: cni
504 | hostPath:
505 | path: /etc/cni/net.d
506 | - name: flannel-cfg
507 | configMap:
508 | name: kube-flannel-cfg
509 | ---
510 | apiVersion: apps/v1
511 | kind: DaemonSet
512 | metadata:
513 | name: kube-flannel-ds-s390x
514 | namespace: kube-system
515 | labels:
516 | tier: node
517 | app: flannel
518 | spec:
519 | selector:
520 | matchLabels:
521 | app: flannel
522 | template:
523 | metadata:
524 | labels:
525 | tier: node
526 | app: flannel
527 | spec:
528 | affinity:
529 | nodeAffinity:
530 | requiredDuringSchedulingIgnoredDuringExecution:
531 | nodeSelectorTerms:
532 | - matchExpressions:
533 | - key: beta.kubernetes.io/os
534 | operator: In
535 | values:
536 | - linux
537 | - key: beta.kubernetes.io/arch
538 | operator: In
539 | values:
540 | - s390x
541 | hostNetwork: true
542 | tolerations:
543 | - operator: Exists
544 | effect: NoSchedule
545 | serviceAccountName: flannel
546 | initContainers:
547 | - name: install-cni
548 | image: quay.io/coreos/flannel:v0.11.0-s390x
549 | command:
550 | - cp
551 | args:
552 | - -f
553 | - /etc/kube-flannel/cni-conf.json
554 | - /etc/cni/net.d/10-flannel.conflist
555 | volumeMounts:
556 | - name: cni
557 | mountPath: /etc/cni/net.d
558 | - name: flannel-cfg
559 | mountPath: /etc/kube-flannel/
560 | containers:
561 | - name: kube-flannel
562 | image: quay.io/coreos/flannel:v0.11.0-s390x
563 | command:
564 | - /opt/bin/flanneld
565 | args:
566 | - --ip-masq
567 | - --kube-subnet-mgr
568 | resources:
569 | requests:
570 | cpu: "100m"
571 | memory: "50Mi"
572 | limits:
573 | cpu: "100m"
574 | memory: "50Mi"
575 | securityContext:
576 | privileged: false
577 | capabilities:
578 | add: ["NET_ADMIN"]
579 | env:
580 | - name: POD_NAME
581 | valueFrom:
582 | fieldRef:
583 | fieldPath: metadata.name
584 | - name: POD_NAMESPACE
585 | valueFrom:
586 | fieldRef:
587 | fieldPath: metadata.namespace
588 | volumeMounts:
589 | - name: run
590 | mountPath: /run/flannel
591 | - name: flannel-cfg
592 | mountPath: /etc/kube-flannel/
593 | volumes:
594 | - name: run
595 | hostPath:
596 | path: /run/flannel
597 | - name: cni
598 | hostPath:
599 | path: /etc/cni/net.d
600 | - name: flannel-cfg
601 | configMap:
602 | name: kube-flannel-cfg
--------------------------------------------------------------------------------
/roles/masters/templates/kubelet-config.yml.j2:
--------------------------------------------------------------------------------
1 | address: 0.0.0.0
2 | apiVersion: kubelet.config.k8s.io/v1beta1
3 | authentication:
4 | anonymous:
5 | enabled: false
6 | webhook:
7 | cacheTTL: 2m0s
8 | enabled: true
9 | x509:
10 | clientCAFile: /etc/kubernetes/pki/ca.crt
11 | authorization:
12 | mode: Webhook
13 | webhook:
14 | cacheAuthorizedTTL: 5m0s
15 | cacheUnauthorizedTTL: 30s
16 | cgroupDriver: cgroupfs
17 | cgroupsPerQOS: true
18 | clusterDNS:
19 | - 10.96.0.10
20 | clusterDomain: cluster.local
21 | configMapAndSecretChangeDetectionStrategy: Watch
22 | containerLogMaxFiles: 5
23 | containerLogMaxSize: 10Mi
24 | contentType: application/vnd.kubernetes.protobuf
25 | cpuCFSQuota: true
26 | cpuCFSQuotaPeriod: 100ms
27 | cpuManagerPolicy: none
28 | cpuManagerReconcilePeriod: 10s
29 | enableControllerAttachDetach: true
30 | enableDebuggingHandlers: true
31 | enforceNodeAllocatable:
32 | - pods
33 | eventBurst: 10
34 | eventRecordQPS: 5
35 | evictionHard:
36 | imagefs.available: 15%
37 | memory.available: 100Mi
38 | nodefs.available: 10%
39 | nodefs.inodesFree: 5%
40 | evictionPressureTransitionPeriod: 5m0s
41 | failSwapOn: true
42 | fileCheckFrequency: 20s
43 | hairpinMode: promiscuous-bridge
44 | healthzBindAddress: 127.0.0.1
45 | healthzPort: 10248
46 | httpCheckFrequency: 20s
47 | imageGCHighThresholdPercent: 85
48 | imageGCLowThresholdPercent: 80
49 | imageMinimumGCAge: 2m0s
50 | iptablesDropBit: 15
51 | iptablesMasqueradeBit: 14
52 | kind: KubeletConfiguration
53 | kubeAPIBurst: 10
54 | kubeAPIQPS: 5
55 | makeIPTablesUtilChains: true
56 | maxOpenFiles: 1000000
57 | maxPods: 110
58 | nodeLeaseDurationSeconds: 40
59 | nodeStatusReportFrequency: 1m0s
60 | nodeStatusUpdateFrequency: 10s
61 | oomScoreAdj: -999
62 | podPidsLimit: -1
63 | port: 10250
64 | registryBurst: 10
65 | registryPullQPS: 5
66 | resolvConf: /etc/resolv.conf
67 | rotateCertificates: true
68 | runtimeRequestTimeout: 2m0s
69 | serializeImagePulls: true
70 | staticPodPath: /etc/kubernetes/manifests
71 | streamingConnectionIdleTimeout: 4h0m0s
72 | syncFrequency: 1m0s
73 | volumeStatsAggPeriod: 1m0s
--------------------------------------------------------------------------------
/roles/nodes/tasks/main.yml:
--------------------------------------------------------------------------------
1 | - name: Kubeadm reset
2 | shell: kubeadm reset -f >> reset.log
3 | args:
4 | chdir: $HOME
5 | creates: reset.log
6 |
7 | - name: Join node to cluster
8 | shell: "{{ hostvars[groups['masters'][0]]['join_command'] }} >> node.log"
9 | ignore_errors: yes
10 | args:
11 | chdir: $HOME
12 | creates: node.log
--------------------------------------------------------------------------------