feat(whoami): Adding simple service to test Traefik

.gitignore

@@ -28,5 +28,6 @@ override.tf.json
 # Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
 # example: *tfplan*
 
+.terraform.lock.hcl
 .idea
 certs/

QUICKSTART.md

@@ -24,7 +24,7 @@ sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config && sudo chown $(id -u):
 kubectl taint nodes --all node-role.kubernetes.io/control-plane-
 ```
 
-# Cilium 
+# Cilium
 
 ## Install Cilium as a CNI
 
@@ -35,7 +35,9 @@ cilium install
 # Load Balancer
 
 ## Install MetalLB for LoadBalancing
+
 https://raw.githubusercontent.com/metallb/metallb/v0.13.5/config/manifests/metallb-native.yaml
+
 ```shell
 kubectl apply -f metallb/00-manifest.yml
 ```
@@ -50,16 +52,16 @@ kubectl apply -f metallb/01-configuration.yml
 
 https://doc.traefik.io/traefik/v2.8/user-guides/crd-acme/
 
-## Create persistent volume for certs
+## Run Terraform-script
+
+This will create a cert-storage `StorageClass` and a traefik-cert-pv `PersistentVolume` for use by Traefik before
+installing Traefik in the `kube-system` namespace using the official Traefik Helm chart which binds to the
+traefik-cert-pv `PersistentVolume` for persistent storage of certificates using the traefik `PersistentVolumeClaim`.
 
 ```shell
-kubectl appy -f volumes/volumes.yml
-```
-
-## Install using Helm
-
-```shell
-helm install --values=helm/traefik-values.yaml traefik traefik/traefik
+terraform init
+terraform plan
+terraform apply
 ```
 
 ## Create test application "whoami" with IngressRoutes

helm/traefik-values.yaml

@@ -27,4 +27,4 @@ certResolvers:
     tlsChallenge: true
     storage: /data/acme.json
     # Remove staging server when it's working
-    caServer: https://acme-staging-v02.api.letsencrypt.org/directory
+    #caServer: https://acme-staging-v02.api.letsencrypt.org/directory

helm/whoami-values.yaml

@@ -0,0 +1,17 @@
+resources:
+  - apiVersion: traefik.containo.us/v1alpha1
+    kind: IngressRoute
+    metadata:
+      name: whoami
+      namespace: whoami
+    spec:
+      entryPoints:
+        - websecure
+      routes:
+        - match: Host(`whoami.stonegarden.dev`)
+          kind: Rule
+          services:
+            - name: whoami
+              port: 80
+      tls:
+        certResolver: letsencrypt

main.tf

@@ -43,7 +43,7 @@ resource "kubernetes_storage_class" "cert-storage" {
     name = "cert-storage"
   }
   storage_provisioner = "kubernetes.io/no-provisioner"
-  volume_binding_mode = "WaitForFirstCustomer"
+  volume_binding_mode = "WaitForFirstConsumer"
 }
 
 ## Create PersistentVolume for Traefik certs
@@ -87,9 +87,75 @@ resource "helm_release" "traefik" {
   namespace  = kubernetes_namespace.traefik.metadata.0.name
   #version    = "10.30.1"
 
-  values = [file("traefik2/custom-values.yaml")]
+  values = [file("helm/traefik-values.yaml")]
 }
 
+# --- whoami
+resource "kubernetes_namespace" "whoami" {
+  metadata {
+    name = "whoami"
+  }
+}
+
+resource "kubernetes_service" "whoami" {
+  metadata {
+    name = "whoami"
+    namespace = kubernetes_namespace.whoami.metadata.0.name
+  }
+  spec {
+    selector = {
+      app = kubernetes_deployment.whoami.spec.0.template.0.metadata.0.labels.app
+    }
+
+    type = "LoadBalancer"
+    port {
+      protocol = "TCP"
+      name = "web"
+      port = 80
+    }
+  }
+}
+
+resource "kubernetes_deployment" "whoami" {
+  metadata {
+    name = "whoami"
+    namespace = kubernetes_namespace.whoami.metadata.0.name
+  }
+  spec {
+    replicas = "2"
+    selector {
+      match_labels = {
+        app = "whoami"
+      }
+    }
+    template {
+      metadata {
+        labels = {
+          app = "whoami"
+        }
+      }
+      spec {
+        container {
+          name = "whoami"
+          image = "traefik/whoami"
+          port {
+            name = "web"
+            container_port = 80
+          }
+        }
+      }
+    }
+  }
+}
+
+resource "helm_release" "whoami" {
+  name       = "whoami"
+  repository = "https://charts.itscontained.io"
+  chart      = "raw"
+  version    = "0.2.5"
+
+  values = [file("helm/whoami-values.yaml")]
+}
 
 //resource "kubernetes_namespace" "test" {
 //  metadata {

traefik2/01-crd-rbac.yml

@@ -1,65 +0,0 @@
-# https://raw.githubusercontent.com/traefik/traefik/v2.8/docs/content/reference/dynamic-configuration/kubernetes-crd-rbac.yml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: traefik-ingress-controller
-
-rules:
-  - apiGroups:
-      - ""
-    resources:
-      - services
-      - endpoints
-      - secrets
-    verbs:
-      - get
-      - list
-      - watch
-  - apiGroups:
-      - extensions
-      - networking.k8s.io
-    resources:
-      - ingresses
-      - ingressclasses
-    verbs:
-      - get
-      - list
-      - watch
-  - apiGroups:
-      - extensions
-      - networking.k8s.io
-    resources:
-      - ingresses/status
-    verbs:
-      - update
-  - apiGroups:
-      - traefik.containo.us
-    resources:
-      - middlewares
-      - middlewaretcps
-      - ingressroutes
-      - traefikservices
-      - ingressroutetcps
-      - ingressrouteudps
-      - tlsoptions
-      - tlsstores
-      - serverstransports
-    verbs:
-      - get
-      - list
-      - watch
-
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: traefik-ingress-controller
-
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: traefik-ingress-controller
-subjects:
-  - kind: ServiceAccount
-    name: traefik-ingress-controller
-    namespace: default

traefik2/02-service.yml

@@ -1,21 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
-  name: traefik
-
-spec:
-  type: LoadBalancer
-  ports:
-    - protocol: TCP
-      name: web
-      port: 80
-      targetPort: 8000
-    - protocol: TCP
-      name: admin
-      port: 8080
-    - protocol: TCP
-      name: websecure
-      port: 443
-      targetPort: 8443
-  selector:
-    app: traefik

traefik2/03-deployment.yml

@@ -1,49 +0,0 @@
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  namespace: default
-  name: traefik-ingress-controller
-
----
-kind: Deployment
-apiVersion: apps/v1
-metadata:
-  namespace: default
-  name: traefik
-  labels:
-    app: traefik
-
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app: traefik
-  template:
-    metadata:
-      labels:
-        app: traefik
-    spec:
-      serviceAccountName: traefik-ingress-controller
-      containers:
-        - name: traefik
-          image: traefik:v2.8
-          args:
-            - "--log.level=DEBUG"
-            - --api.insecure
-            - --accesslog
-            - --entrypoints.web.Address=:8000
-            - --entrypoints.websecure.Address=:8443
-            - --providers.kubernetescrd
-            - --certificatesresolvers.letsencrypt.acme.tlschallenge
-            - --certificatesresolvers.letsencrypt.acme.email=veghag@gmail.com
-            - --certificatesresolvers.letsencrypt.acme.storage=acme.json
-            # Please note that this is the staging Let's Encrypt server.
-            # Once you get things working, you should remove that whole line altogether.
-            #- --certificatesresolvers.letsencrypt.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory
-          ports:
-            - name: web
-              containerPort: 8000
-            - name: websecure
-              containerPort: 8443
-            - name: admin
-              containerPort: 8080

traefik2/values.yaml

@@ -1,288 +0,0 @@
-# Default values for Traefik
-image:
-  name: traefik
-  # defaults to appVersion
-  tag: ""
-  pullPolicy: IfNotPresent
-
-#
-# Configure the deployment
-#
-deployment:
-  enabled: true
-  # Can be either Deployment or DaemonSet
-  kind: Deployment
-  # Number of pods of the deployment (only applies when kind == Deployment)
-  replicas: 1
-  # Number of old history to retain to allow rollback (If not set, default Kubernetes value is set to 10)
-  # revisionHistoryLimit: 1
-  # Amount of time (in seconds) before Kubernetes will send the SIGKILL signal if Traefik does not shut down
-  terminationGracePeriodSeconds: 60
-  # The minimum number of seconds Traefik needs to be up and running before the DaemonSet/Deployment controller considers it available
-  minReadySeconds: 0
-  # Additional deployment annotations (e.g. for jaeger-operator sidecar injection)
-  annotations: {}
-  # Additional deployment labels (e.g. for filtering deployment by custom labels)
-  labels: {}
-  # Additional pod annotations (e.g. for mesh injection or prometheus scraping)
-  podAnnotations: {}
-  # Additional Pod labels (e.g. for filtering Pod by custom labels)
-  podLabels: {}
-  # Additional containers (e.g. for metric offloading sidecars)
-  additionalContainers: []
-    # https://docs.datadoghq.com/developers/dogstatsd/unix_socket/?tab=host
-    # - name: socat-proxy
-    # image: alpine/socat:1.0.5
-    # args: ["-s", "-u", "udp-recv:8125", "unix-sendto:/socket/socket"]
-    # volumeMounts:
-    #   - name: dsdsocket
-  #     mountPath: /socket
-  # Additional volumes available for use with initContainers and additionalContainers
-  additionalVolumes: []
-    # - name: dsdsocket
-    #   hostPath:
-  #     path: /var/run/statsd-exporter
-  # Additional initContainers (e.g. for setting file permission as shown below)
-  initContainers: []
-    # The "volume-permissions" init container is required if you run into permission issues.
-    # Related issue: https://github.com/traefik/traefik/issues/6972
-    # - name: volume-permissions
-    #   image: busybox:1.31.1
-    #   command: ["sh", "-c", "chmod -Rv 600 /data/*"]
-    #   volumeMounts:
-    #     - name: data
-  #       mountPath: /data
-  # Use process namespace sharing
-  shareProcessNamespace: false
-  # Custom pod DNS policy. Apply if `hostNetwork: true`
-  # dnsPolicy: ClusterFirstWithHostNet
-  # Additional imagePullSecrets
-  imagePullSecrets: []
-  # - name: myRegistryKeySecretName
-  # Pod lifecycle actions
-  lifecycle: {}
-    # preStop:
-    #   exec:
-    #     command: ["/bin/sh", "-c", "sleep 40"]
-    # postStart:
-    #   httpGet:
-    #     path: /ping
-    #     port: 9000
-    #     host: localhost
-  #     scheme: HTTP
-
-# Pod disruption budget
-podDisruptionBudget:
-  enabled: false
-  # maxUnavailable: 1
-  # maxUnavailable: 33%
-  # minAvailable: 0
-  # minAvailable: 25%
-
-# Use ingressClass. Ignored if Traefik version < 2.3 / kubernetes < 1.18.x
-ingressClass:
-  # true is not unit-testable yet, pending https://github.com/rancher/helm-unittest/pull/12
-  enabled: false
-  isDefaultClass: false
-  # Use to force a networking.k8s.io API Version for certain CI/CD applications. E.g. "v1beta1"
-  fallbackApiVersion: ""
-
-# Activate Pilot integration
-pilot:
-  enabled: false
-  token: ""
-  # Toggle Pilot Dashboard
-  # dashboard: false
-
-# Enable experimental features
-experimental:
-  http3:
-    enabled: false
-  plugins:
-    enabled: false
-  kubernetesGateway:
-    enabled: false
-    gateway:
-      enabled: true
-    # certificate:
-    #   group: "core"
-    #   kind: "Secret"
-    #   name: "mysecret"
-    # By default, Gateway would be created to the Namespace you are deploying Traefik to.
-    # You may create that Gateway in another namespace, setting its name below:
-    # namespace: default
-
-# Create an IngressRoute for the dashboard
-ingressRoute:
-  dashboard:
-    enabled: true
-    # Additional ingressRoute annotations (e.g. for kubernetes.io/ingress.class)
-    annotations: {}
-    # Additional ingressRoute labels (e.g. for filtering IngressRoute by custom labels)
-    labels: {}
-
-rollingUpdate:
-  maxUnavailable: 1
-  maxSurge: 1
-
-# Customize liveness and readiness probe values.
-readinessProbe:
-  failureThreshold: 1
-  initialDelaySeconds: 10
-  periodSeconds: 10
-  successThreshold: 1
-  timeoutSeconds: 2
-
-livenessProbe:
-  failureThreshold: 3
-  initialDelaySeconds: 10
-  periodSeconds: 10
-  successThreshold: 1
-  timeoutSeconds: 2
-
-#
-# Configure providers
-#
-providers:
-  kubernetesCRD:
-    enabled: true
-    allowCrossNamespace: false
-    allowExternalNameServices: false
-    allowEmptyServices: false
-    # ingressClass: traefik-internal
-    # labelSelector: environment=production,method=traefik
-    namespaces: []
-    # - "default"
-
-  kubernetesIngress:
-    enabled: true
-    allowExternalNameServices: false
-    allowEmptyServices: false
-    # ingressClass: traefik-internal
-    # labelSelector: environment=production,method=traefik
-    namespaces: []
-    # - "default"
-    # IP used for Kubernetes Ingress endpoints
-    publishedService:
-      enabled: false
-      # Published Kubernetes Service to copy status from. Format: namespace/servicename
-      # By default this Traefik service
-      # pathOverride: ""
-
-#
-# Add volumes to the traefik pod. The volume name will be passed to tpl.
-# This can be used to mount a cert pair or a configmap that holds a config.toml file.
-# After the volume has been mounted, add the configs into traefik by using the `additionalArguments` list below, eg:
-# additionalArguments:
-# - "--providers.file.filename=/config/dynamic.toml"
-# - "--ping"
-# - "--ping.entrypoint=web"
-volumes: []
-# - name: public-cert
-#   mountPath: "/certs"
-#   type: secret
-# - name: '{{ printf "%s-configs" .Release.Name }}'
-#   mountPath: "/config"
-#   type: configMap
-
-# Additional volumeMounts to add to the Traefik container
-additionalVolumeMounts: []
-  # For instance when using a logshipper for access logs
-  # - name: traefik-logs
-#   mountPath: /var/log/traefik
-
-# Logs
-# https://docs.traefik.io/observability/logs/
-logs:
-  # Traefik logs concern everything that happens to Traefik itself (startup, configuration, events, shutdown, and so on).
-  general:
-    # By default, the logs use a text format (common), but you can
-    # also ask for the json format in the format option
-    # format: json
-    # By default, the level is set to ERROR. Alternative logging levels are DEBUG, PANIC, FATAL, ERROR, WARN, and INFO.
-    level: ERROR
-  access:
-    # To enable access logs
-    enabled: false
-    # By default, logs are written using the Common Log Format (CLF).
-    # To write logs in JSON, use json in the format option.
-    # If the given format is unsupported, the default (CLF) is used instead.
-    # format: json
-    # To write the logs in an asynchronous fashion, specify a bufferingSize option.
-    # This option represents the number of log lines Traefik will keep in memory before writing
-    # them to the selected output. In some cases, this option can greatly help performances.
-    # bufferingSize: 100
-    # Filtering https://docs.traefik.io/observability/access-logs/#filtering
-    filters: {}
-      # statuscodes: "200,300-302"
-      # retryattempts: true
-    # minduration: 10ms
-    # Fields
-    # https://docs.traefik.io/observability/access-logs/#limiting-the-fieldsincluding-headers
-    fields:
-      general:
-        defaultmode: keep
-        names: {}
-          # Examples:
-        # ClientUsername: drop
-      headers:
-        defaultmode: drop
-        names: {}
-          # Examples:
-          # User-Agent: redact
-          # Authorization: drop
-        # Content-Type: keep
-
-metrics:
-  # datadog:
-  #   address: 127.0.0.1:8125
-  # influxdb:
-  #   address: localhost:8089
-  #   protocol: udp
-  prometheus:
-    entryPoint: metrics
-  #  addRoutersLabels: true
-  # statsd:
-  #   address: localhost:8125
-
-tracing: {}
-  # instana:
-  #   localAgentHost: 127.0.0.1
-  #   localAgentPort: 42699
-  #   logLevel: info
-  #   enableAutoProfile: true
-  # datadog:
-  #   localAgentHostPort: 127.0.0.1:8126
-  #   debug: false
-  #   globalTag: ""
-  #   prioritySampling: false
-  # jaeger:
-  #   samplingServerURL: http://localhost:5778/sampling
-  #   samplingType: const
-  #   samplingParam: 1.0
-  #   localAgentHostPort: 127.0.0.1:6831
-  #   gen128Bit: false
-  #   propagation: jaeger
-  #   traceContextHeaderName: uber-trace-id
-  #   disableAttemptReconnecting: true
-  #   collector:
-  #      endpoint: ""
-  #      user: ""
-  #      password: ""
-  # zipkin:
-  #   httpEndpoint: http://localhost:9411/api/v2/spans
-  #   sameSpan: false
-  #   id128Bit: true
-  #   sampleRate: 1.0
-  # haystack:
-  #   localAgentHost: 127.0.0.1
-  #   localAgentPort: 35000
-  #   globalTag: ""
-  #   traceIDHeaderName: ""
-  #   parentIDHeaderName: ""
-  #   spanIDHeaderName: ""
-  #   baggagePrefixHeaderName: ""
-  # elastic:
-  #   serverURL: http://localhost:8200
-  #   secretToken: ""
-#   serviceEnvironment: ""