setup ingress for hello-world to use https only

2022-08-05 08:04:37 -04:00
parent b1470afd80
commit bbc6b7818d
10 changed files with 107 additions and 9 deletions
--- a/ansible-5/roles/ns.xai-corp.net/templates/xai-corp.net.internal.j2
+++ b/ansible-5/roles/ns.xai-corp.net/templates/xai-corp.net.internal.j2
@@ -58,6 +58,7 @@ dkmanager               IN A    192.168.4.11

 ; service domains
 cik                      IN CNAME    dkhost
+stash                    IN CNAME    dkhost
 ;fs                      IN CNAME    dkhost
 git                     IN CNAME    dkhost
 ;dkui                    IN CNAME    dkhost
--- a/ansible-5/roles/prod.k3s/files/cert-manager/certificate.xai-corp.prod.yaml
+++ b/ansible-5/roles/prod.k3s/files/cert-manager/certificate.xai-corp.prod.yaml
@@ -2,11 +2,11 @@
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
-  name: xai-corp
+  name: xai-corp-production-tls
  namespace: default
 spec:
  # Secret names are always required.
-  secretName: xai-corp-staging-tls
+  secretName: xai-corp-production-tls
  issuerRef:
    name: letsencrypt-production
    kind: ClusterIssuer
@@ -19,6 +19,7 @@ spec:
    - xaibox.xai-corp.net
    - sql.xai-corp.net
    - cik.xai-corp.net
+    - stash.xai-corp.net
  acme:
    config:
      - http01:
--- a/ansible-5/roles/prod.k3s/files/cert-manager/certificate.xai-corp.stg.yaml
+++ b/ansible-5/roles/prod.k3s/files/cert-manager/certificate.xai-corp.stg.yaml
@@ -2,7 +2,7 @@
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
-  name: xai-corp
+  name: xai-corp-staging-tls
  namespace: default
 spec:
  # Secret names are always required.
@@ -21,8 +21,3 @@ spec:
          ingressClass: traefik
        domains:
          - xai-corp.net
-#      - http01:
-#          ingress: certs-ingress
-#        domains:
-#          - hello.xai-corp.net
-#          - sql.xai-corp.net
--- a/ansible-5/roles/prod.k3s/files/hello-world/configmap.yaml
+++ b/ansible-5/roles/prod.k3s/files/hello-world/configmap.yaml
@@ -0,0 +1,15 @@
+---
+#configmap
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: hello-world
+  namespace: default
+data:
+  index.html: |
+    <html>
+    <head>
+        <title>Hello World!</title>
+    </head>
+    <body>Hello World!</body>
+    </html>
--- a/ansible-5/roles/prod.k3s/files/hello-world/deployment.yaml
+++ b/ansible-5/roles/prod.k3s/files/hello-world/deployment.yaml
@@ -0,0 +1,28 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: hello-world-nginx
+  namespace: default
+spec:
+  selector:
+    matchLabels:
+      app: hello-world
+  replicas: 3
+  template:
+    metadata:
+      labels:
+        app: hello-world
+    spec:
+      containers:
+        - name: nginx
+          image: nginx
+          ports:
+            - containerPort: 80
+          volumeMounts:
+            - name: hello-world-volume
+              mountPath: /usr/share/nginx/html
+      volumes:
+        - name: hello-world-volume
+          configMap:
+            name: hello-world
--- a/ansible-5/roles/prod.k3s/files/hello-world/hello-world.html
+++ b/ansible-5/roles/prod.k3s/files/hello-world/hello-world.html
@@ -0,0 +1,6 @@
+<html>
+<head>
+    <title>Hello World!</title>
+</head>
+<body>Hello World!</body>
+</html>
--- a/ansible-5/roles/prod.k3s/files/hello-world/ingress.yaml
+++ b/ansible-5/roles/prod.k3s/files/hello-world/ingress.yaml
@@ -0,0 +1,25 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: hello-world
+  namespace: default
+  annotations:
+    kubernetes.io/ingress.class: "traefik"
+    traefik.ingress.kubernetes.io/router.entrypoints: websecure
+    traefik.ingress.kubernetes.io/router.tls: "true"
+spec:
+  rules:
+    - host: www.xai-corp.net
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: hello-world
+                port:
+                  number: 80
+
+  tls: # < placing a host in the TLS config will determine what ends up in the cert's subjectAltNames
+    - secretName: xai-corp-production-tls
--- a/ansible-5/roles/prod.k3s/files/hello-world/service.yaml
+++ b/ansible-5/roles/prod.k3s/files/hello-world/service.yaml
@@ -0,0 +1,12 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: hello-world
+  namespace: default
+spec:
+  ports:
+    - port: 80
+      protocol: TCP
+  selector:
+    app:  hello-world
--- a/ansible-5/roles/prod.k3s/tasks/hello-world.yaml
+++ b/ansible-5/roles/prod.k3s/tasks/hello-world.yaml
@@ -0,0 +1,14 @@
+---
+# https://www.jeffgeerling.com/blog/2022/quick-hello-world-http-deployment-testing-k3s-and-traefik
+
+- name: create hello world resources
+  kubernetes.core.k8s:
+    kubeconfig: "/etc/rancher/k3s/k3s.yaml"
+    state: present
+    definition: "{{ lookup('file', item) | from_yaml }}"
+  loop:
+    - hello-world/configmap.yaml
+    - hello-world/ingress.yaml
+    - hello-world/service.yaml
+    - hello-world/deployment.yaml
+  become: true
--- a/ansible-5/roles/prod.k3s/tasks/main.yml
+++ b/ansible-5/roles/prod.k3s/tasks/main.yml
@@ -7,9 +7,10 @@
 # add helm repositories
 #- include_tasks: add_repos.yml

-
 - include_tasks: cert_manager.yml

+- include_tasks: hello-world.yaml
+
 # https://artifacthub.io/packages/helm/twuni/docker-registry
 #- name: Deploy latest version of docker-registry in dev-tools namespace
 #  local_action: