feat(whoami): Adding simple service to test Traefik

2025-10-30 17:37:59 +00:00 · 2022-10-06 22:14:44 +02:00
parent b33d362088
commit 7a50d59336
10 changed files with 98 additions and 2701 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -28,5 +28,6 @@ override.tf.json
 # Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
 # example: *tfplan*
 .terraform.lock.hcl
 .idea
 certs/
--- a/QUICKSTART.md
+++ b/QUICKSTART.md
@@ -35,7 +35,9 @@ cilium install
 # Load Balancer
 ## Install MetalLB for LoadBalancing
 https://raw.githubusercontent.com/metallb/metallb/v0.13.5/config/manifests/metallb-native.yaml
 ```shell
 kubectl apply -f metallb/00-manifest.yml
 ```
@@ -50,16 +52,16 @@ kubectl apply -f metallb/01-configuration.yml
 https://doc.traefik.io/traefik/v2.8/user-guides/crd-acme/
-## Create persistent volume for certs
+## Run Terraform-script
 This will create a cert-storage `StorageClass` and a traefik-cert-pv `PersistentVolume` for use by Traefik before
 installing Traefik in the `kube-system` namespace using the official Traefik Helm chart which binds to the
 traefik-cert-pv `PersistentVolume` for persistent storage of certificates using the traefik `PersistentVolumeClaim`.
 ```shell
-kubectl appy -f volumes/volumes.yml
+terraform init
-```
+terraform plan
-
+terraform apply
 ## Install using Helm
 ```shell
 helm install --values=helm/traefik-values.yaml traefik traefik/traefik
 ```
 ## Create test application "whoami" with IngressRoutes
--- a/helm/traefik-values.yaml
+++ b/helm/traefik-values.yaml
@@ -27,4 +27,4 @@ certResolvers:
    tlsChallenge: true
    storage: /data/acme.json
    # Remove staging server when it's working
-    caServer: https://acme-staging-v02.api.letsencrypt.org/directory
+    #caServer: https://acme-staging-v02.api.letsencrypt.org/directory
--- a/helm/whoami-values.yaml
+++ b/helm/whoami-values.yaml
@@ -0,0 +1,17 @@
 resources:
  - apiVersion: traefik.containo.us/v1alpha1
    kind: IngressRoute
    metadata:
      name: whoami
      namespace: whoami
    spec:
      entryPoints:
        - websecure
      routes:
        - match: Host(`whoami.stonegarden.dev`)
          kind: Rule
          services:
            - name: whoami
              port: 80
      tls:
        certResolver: letsencrypt
--- a/main.tf
+++ b/main.tf
@@ -43,7 +43,7 @@ resource "kubernetes_storage_class" "cert-storage" {
    name = "cert-storage"
  }
  storage_provisioner = "kubernetes.io/no-provisioner"
-  volume_binding_mode = "WaitForFirstCustomer"
+  volume_binding_mode = "WaitForFirstConsumer"
 }
 ## Create PersistentVolume for Traefik certs
@@ -87,9 +87,75 @@ resource "helm_release" "traefik" {
  namespace  = kubernetes_namespace.traefik.metadata.0.name
  #version    = "10.30.1"
-  values = [file("traefik2/custom-values.yaml")]
+  values = [file("helm/traefik-values.yaml")]
 }
 # --- whoami
 resource "kubernetes_namespace" "whoami" {
  metadata {
    name = "whoami"
  }
 }
 resource "kubernetes_service" "whoami" {
  metadata {
    name = "whoami"
    namespace = kubernetes_namespace.whoami.metadata.0.name
  }
  spec {
    selector = {
      app = kubernetes_deployment.whoami.spec.0.template.0.metadata.0.labels.app
    }
    type = "LoadBalancer"
    port {
      protocol = "TCP"
      name = "web"
      port = 80
    }
  }
 }
 resource "kubernetes_deployment" "whoami" {
  metadata {
    name = "whoami"
    namespace = kubernetes_namespace.whoami.metadata.0.name
  }
  spec {
    replicas = "2"
    selector {
      match_labels = {
        app = "whoami"
      }
    }
    template {
      metadata {
        labels = {
          app = "whoami"
        }
      }
      spec {
        container {
          name = "whoami"
          image = "traefik/whoami"
          port {
            name = "web"
            container_port = 80
          }
        }
      }
    }
  }
 }
 resource "helm_release" "whoami" {
  name       = "whoami"
  repository = "https://charts.itscontained.io"
  chart      = "raw"
  version    = "0.2.5"
  values = [file("helm/whoami-values.yaml")]
 }
 //resource "kubernetes_namespace" "test" {
 //  metadata {
--- a/traefik2/00-crd-definition.yml
+++ b/traefik2/00-crd-definition.yml
--- a/traefik2/01-crd-rbac.yml
+++ b/traefik2/01-crd-rbac.yml
@@ -1,65 +0,0 @@
 # https://raw.githubusercontent.com/traefik/traefik/v2.8/docs/content/reference/dynamic-configuration/kubernetes-crd-rbac.yml
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
  name: traefik-ingress-controller
 rules:
  - apiGroups:
      - ""
    resources:
      - services
      - endpoints
      - secrets
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - extensions
      - networking.k8s.io
    resources:
      - ingresses
      - ingressclasses
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - extensions
      - networking.k8s.io
    resources:
      - ingresses/status
    verbs:
      - update
  - apiGroups:
      - traefik.containo.us
    resources:
      - middlewares
      - middlewaretcps
      - ingressroutes
      - traefikservices
      - ingressroutetcps
      - ingressrouteudps
      - tlsoptions
      - tlsstores
      - serverstransports
    verbs:
      - get
      - list
      - watch
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
  name: traefik-ingress-controller
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: traefik-ingress-controller
 subjects:
  - kind: ServiceAccount
    name: traefik-ingress-controller
    namespace: default
--- a/traefik2/02-service.yml
+++ b/traefik2/02-service.yml
@@ -1,21 +0,0 @@
 apiVersion: v1
 kind: Service
 metadata:
  name: traefik
 spec:
  type: LoadBalancer
  ports:
    - protocol: TCP
      name: web
      port: 80
      targetPort: 8000
    - protocol: TCP
      name: admin
      port: 8080
    - protocol: TCP
      name: websecure
      port: 443
      targetPort: 8443
  selector:
    app: traefik
--- a/traefik2/03-deployment.yml
+++ b/traefik2/03-deployment.yml
@@ -1,49 +0,0 @@
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  namespace: default
  name: traefik-ingress-controller
 ---
 kind: Deployment
 apiVersion: apps/v1
 metadata:
  namespace: default
  name: traefik
  labels:
    app: traefik
 spec:
  replicas: 1
  selector:
    matchLabels:
      app: traefik
  template:
    metadata:
      labels:
        app: traefik
    spec:
      serviceAccountName: traefik-ingress-controller
      containers:
        - name: traefik
          image: traefik:v2.8
          args:
            - "--log.level=DEBUG"
            - --api.insecure
            - --accesslog
            - --entrypoints.web.Address=:8000
            - --entrypoints.websecure.Address=:8443
            - --providers.kubernetescrd
            - --certificatesresolvers.letsencrypt.acme.tlschallenge
            - --certificatesresolvers.letsencrypt.acme.email=veghag@gmail.com
            - --certificatesresolvers.letsencrypt.acme.storage=acme.json
            # Please note that this is the staging Let's Encrypt server.
            # Once you get things working, you should remove that whole line altogether.
            #- --certificatesresolvers.letsencrypt.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory
          ports:
            - name: web
              containerPort: 8000
            - name: websecure
              containerPort: 8443
            - name: admin
              containerPort: 8080
--- a/traefik2/values.yaml
+++ b/traefik2/values.yaml
@@ -1,288 +0,0 @@
 # Default values for Traefik
 image:
  name: traefik
  # defaults to appVersion
  tag: ""
  pullPolicy: IfNotPresent
 #
 # Configure the deployment
 #
 deployment:
  enabled: true
  # Can be either Deployment or DaemonSet
  kind: Deployment
  # Number of pods of the deployment (only applies when kind == Deployment)
  replicas: 1
  # Number of old history to retain to allow rollback (If not set, default Kubernetes value is set to 10)
  # revisionHistoryLimit: 1
  # Amount of time (in seconds) before Kubernetes will send the SIGKILL signal if Traefik does not shut down
  terminationGracePeriodSeconds: 60
  # The minimum number of seconds Traefik needs to be up and running before the DaemonSet/Deployment controller considers it available
  minReadySeconds: 0
  # Additional deployment annotations (e.g. for jaeger-operator sidecar injection)
  annotations: {}
  # Additional deployment labels (e.g. for filtering deployment by custom labels)
  labels: {}
  # Additional pod annotations (e.g. for mesh injection or prometheus scraping)
  podAnnotations: {}
  # Additional Pod labels (e.g. for filtering Pod by custom labels)
  podLabels: {}
  # Additional containers (e.g. for metric offloading sidecars)
  additionalContainers: []
    # https://docs.datadoghq.com/developers/dogstatsd/unix_socket/?tab=host
    # - name: socat-proxy
    # image: alpine/socat:1.0.5
    # args: ["-s", "-u", "udp-recv:8125", "unix-sendto:/socket/socket"]
    # volumeMounts:
    #   - name: dsdsocket
  #     mountPath: /socket
  # Additional volumes available for use with initContainers and additionalContainers
  additionalVolumes: []
    # - name: dsdsocket
    #   hostPath:
  #     path: /var/run/statsd-exporter
  # Additional initContainers (e.g. for setting file permission as shown below)
  initContainers: []
    # The "volume-permissions" init container is required if you run into permission issues.
    # Related issue: https://github.com/traefik/traefik/issues/6972
    # - name: volume-permissions
    #   image: busybox:1.31.1
    #   command: ["sh", "-c", "chmod -Rv 600 /data/*"]
    #   volumeMounts:
    #     - name: data
  #       mountPath: /data
  # Use process namespace sharing
  shareProcessNamespace: false
  # Custom pod DNS policy. Apply if `hostNetwork: true`
  # dnsPolicy: ClusterFirstWithHostNet
  # Additional imagePullSecrets
  imagePullSecrets: []
  # - name: myRegistryKeySecretName
  # Pod lifecycle actions
  lifecycle: {}
    # preStop:
    #   exec:
    #     command: ["/bin/sh", "-c", "sleep 40"]
    # postStart:
    #   httpGet:
    #     path: /ping
    #     port: 9000
    #     host: localhost
  #     scheme: HTTP
 # Pod disruption budget
 podDisruptionBudget:
  enabled: false
  # maxUnavailable: 1
  # maxUnavailable: 33%
  # minAvailable: 0
  # minAvailable: 25%
 # Use ingressClass. Ignored if Traefik version < 2.3 / kubernetes < 1.18.x
 ingressClass:
  # true is not unit-testable yet, pending https://github.com/rancher/helm-unittest/pull/12
  enabled: false
  isDefaultClass: false
  # Use to force a networking.k8s.io API Version for certain CI/CD applications. E.g. "v1beta1"
  fallbackApiVersion: ""
 # Activate Pilot integration
 pilot:
  enabled: false
  token: ""
  # Toggle Pilot Dashboard
  # dashboard: false
 # Enable experimental features
 experimental:
  http3:
    enabled: false
  plugins:
    enabled: false
  kubernetesGateway:
    enabled: false
    gateway:
      enabled: true
    # certificate:
    #   group: "core"
    #   kind: "Secret"
    #   name: "mysecret"
    # By default, Gateway would be created to the Namespace you are deploying Traefik to.
    # You may create that Gateway in another namespace, setting its name below:
    # namespace: default
 # Create an IngressRoute for the dashboard
 ingressRoute:
  dashboard:
    enabled: true
    # Additional ingressRoute annotations (e.g. for kubernetes.io/ingress.class)
    annotations: {}
    # Additional ingressRoute labels (e.g. for filtering IngressRoute by custom labels)
    labels: {}
 rollingUpdate:
  maxUnavailable: 1
  maxSurge: 1
 # Customize liveness and readiness probe values.
 readinessProbe:
  failureThreshold: 1
  initialDelaySeconds: 10
  periodSeconds: 10
  successThreshold: 1
  timeoutSeconds: 2
 livenessProbe:
  failureThreshold: 3
  initialDelaySeconds: 10
  periodSeconds: 10
  successThreshold: 1
  timeoutSeconds: 2
 #
 # Configure providers
 #
 providers:
  kubernetesCRD:
    enabled: true
    allowCrossNamespace: false
    allowExternalNameServices: false
    allowEmptyServices: false
    # ingressClass: traefik-internal
    # labelSelector: environment=production,method=traefik
    namespaces: []
    # - "default"
  kubernetesIngress:
    enabled: true
    allowExternalNameServices: false
    allowEmptyServices: false
    # ingressClass: traefik-internal
    # labelSelector: environment=production,method=traefik
    namespaces: []
    # - "default"
    # IP used for Kubernetes Ingress endpoints
    publishedService:
      enabled: false
      # Published Kubernetes Service to copy status from. Format: namespace/servicename
      # By default this Traefik service
      # pathOverride: ""
 #
 # Add volumes to the traefik pod. The volume name will be passed to tpl.
 # This can be used to mount a cert pair or a configmap that holds a config.toml file.
 # After the volume has been mounted, add the configs into traefik by using the `additionalArguments` list below, eg:
 # additionalArguments:
 # - "--providers.file.filename=/config/dynamic.toml"
 # - "--ping"
 # - "--ping.entrypoint=web"
 volumes: []
 # - name: public-cert
 #   mountPath: "/certs"
 #   type: secret
 # - name: '{{ printf "%s-configs" .Release.Name }}'
 #   mountPath: "/config"
 #   type: configMap
 # Additional volumeMounts to add to the Traefik container
 additionalVolumeMounts: []
  # For instance when using a logshipper for access logs
  # - name: traefik-logs
 #   mountPath: /var/log/traefik
 # Logs
 # https://docs.traefik.io/observability/logs/
 logs:
  # Traefik logs concern everything that happens to Traefik itself (startup, configuration, events, shutdown, and so on).
  general:
    # By default, the logs use a text format (common), but you can
    # also ask for the json format in the format option
    # format: json
    # By default, the level is set to ERROR. Alternative logging levels are DEBUG, PANIC, FATAL, ERROR, WARN, and INFO.
    level: ERROR
  access:
    # To enable access logs
    enabled: false
    # By default, logs are written using the Common Log Format (CLF).
    # To write logs in JSON, use json in the format option.
    # If the given format is unsupported, the default (CLF) is used instead.
    # format: json
    # To write the logs in an asynchronous fashion, specify a bufferingSize option.
    # This option represents the number of log lines Traefik will keep in memory before writing
    # them to the selected output. In some cases, this option can greatly help performances.
    # bufferingSize: 100
    # Filtering https://docs.traefik.io/observability/access-logs/#filtering
    filters: {}
      # statuscodes: "200,300-302"
      # retryattempts: true
    # minduration: 10ms
    # Fields
    # https://docs.traefik.io/observability/access-logs/#limiting-the-fieldsincluding-headers
    fields:
      general:
        defaultmode: keep
        names: {}
          # Examples:
        # ClientUsername: drop
      headers:
        defaultmode: drop
        names: {}
          # Examples:
          # User-Agent: redact
          # Authorization: drop
        # Content-Type: keep
 metrics:
  # datadog:
  #   address: 127.0.0.1:8125
  # influxdb:
  #   address: localhost:8089
  #   protocol: udp
  prometheus:
    entryPoint: metrics
  #  addRoutersLabels: true
  # statsd:
  #   address: localhost:8125
 tracing: {}
  # instana:
  #   localAgentHost: 127.0.0.1
  #   localAgentPort: 42699
  #   logLevel: info
  #   enableAutoProfile: true
  # datadog:
  #   localAgentHostPort: 127.0.0.1:8126
  #   debug: false
  #   globalTag: ""
  #   prioritySampling: false
  # jaeger:
  #   samplingServerURL: http://localhost:5778/sampling
  #   samplingType: const
  #   samplingParam: 1.0
  #   localAgentHostPort: 127.0.0.1:6831
  #   gen128Bit: false
  #   propagation: jaeger
  #   traceContextHeaderName: uber-trace-id
  #   disableAttemptReconnecting: true
  #   collector:
  #      endpoint: ""
  #      user: ""
  #      password: ""
  # zipkin:
  #   httpEndpoint: http://localhost:9411/api/v2/spans
  #   sameSpan: false
  #   id128Bit: true
  #   sampleRate: 1.0
  # haystack:
  #   localAgentHost: 127.0.0.1
  #   localAgentPort: 35000
  #   globalTag: ""
  #   traceIDHeaderName: ""
  #   parentIDHeaderName: ""
  #   spanIDHeaderName: ""
  #   baggagePrefixHeaderName: ""
  # elastic:
  #   serverURL: http://localhost:8200
  #   secretToken: ""
 #   serviceEnvironment: ""