new file: traefik/kubernetes-crd-rbac.yml

Sangmin Kim 2024-04-04 15:09:53 +09:00
parent a4dd3492fe
commit af159dff03
12 changed files with 5074 additions and 3991 deletions

100
README.md

@ -3,52 +3,92 @@ https://origin-akashop.akamai-lab.com
## How to use HTTPS ##
- traefik/02-traefik.yml
```
```yml
- --certificatesresolvers.le.acme.email=learn@akamai.com
- --certificatesresolvers.le.acme.storage=acme.json
- --certificatesresolvers.le.acme.tlschallenge=true
- --certificatesresolvers.le.acme.caServer=https://acme-staging-v02.api.letsencrypt.org/directory
# change caServer to production https://acme-v02.api.letsencrypt.org/directory
```
- akashop/ingress.yml
```
traefik.ingress.kubernetes.io/router.entrypoints: websecure
traefik.ingress.kubernetes.io/router.tls: "true"
traefik.ingress.kubernetes.io/router.tls.certresolver: le
- akashop/traefik-ingressR.yml
```yml
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: akashop-https
namespace: akashop
spec:
entryPoints:
- websecure
tls:
certResolver: le
```
## How to redirect HTTP to HTTPS ##
- akashop/redirect.yml
- akashop/ingress.yml
```
traefik.ingress.kubernetes.io/router.middlewares: "http-to-https-redirecte@kubernetescrd"
- akashop/traefik-ingressR.yml
```yml
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: akashop-redir
namespace: akashop
spec:
redirectScheme:
scheme: https
permanent: true
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: akashop-http
namespace: akashop
......
middlewares:
- name: akashop-redir
```
## How to maintain Session Stickyness ##
- akashop/ingress.yml
```
traefik.ingress.kubernetes.io/router.sticky.cookie: "sticky"
```
- origin code (functions.php)
```php
// Define cookie name and value
$cookie_name = "sticky";
$cookie_value = time();
// Set expiration time (optional, defaults to session end)
$expire = time() + 60 * 60 * 24; // Expires in 24 hours
if(!isset($_COOKIE[$cookie_name])) {
// Set cookie with secure flag (recommended)
setcookie($cookie_name, $cookie_value, $expire, "/", "", true);
}
```yml
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: akashop-https
namespace: akashop
......
services:
- name: wp
port: 80
sticky:
cookie:
httpOnly: true
```
## How to use ReadWriteMany pvc ##
- akashop/pv.yml
```yml
apiVersion: v1
kind: PersistentVolume
metadata:
name: wp-data
namespace: akashop
spec:
......
nfs:
path: /nfs/share/akashop/volumes/wp
server: 10.0.0.5
```
nfs:
path: /nfs/share/akashop/volumes/db
server: 10.0.0.5
- akashop/pvc.yml
```yml
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: wp-data-pvc
spec:
accessModes:
- ReadWriteMany
......
```
- akashop/pvc.yml


@ -1,45 +0,0 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: wp-https
namespace: akashop
annotations:
traefik.ingress.kubernetes.io/router.entrypoints: websecure
traefik.ingress.kubernetes.io/router.tls: "true"
traefik.ingress.kubernetes.io/router.tls.certresolver: le
traefik.ingress.kubernetes.io/router.sticky.cookie: "sticky"
spec:
rules:
- host: whoami.172.233.168.9.nip.io
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: wp
port:
number: 80
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: wp-http
namespace: akashop
annotations:
traefik.ingress.kubernetes.io/router.entrypoints: web
traefik.ingress.kubernetes.io/router.middlewares: "http-to-https-redirecte@kubernetescrd"
spec:
rules:
- host: whoami.172.233.168.9.nip.io
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: wp
port:
number: 80


@ -1,8 +0,0 @@
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: http-to-https-redirect
spec:
redirectScheme:
scheme: https
permanent: true # Set to true for permanent (301) redirect

File diff suppressed because it is too large Load Diff


@ -0,0 +1,62 @@
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: akashop-redir
namespace: akashop
spec:
redirectScheme:
scheme: https
permanent: true # Set to true for permanent (301) redirect
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: akashop-http
namespace: akashop
spec:
entryPoints:
- web
routes:
- match: Host(`whoami.172.233.169.31.nip.io`) && PathPrefix(`/`)
kind: Rule
services:
- name: wp
port: 80
middlewares:
- name: akashop-redir
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: akashop-https
namespace: akashop
spec:
entryPoints:
- websecure
tls:
certResolver: le
routes:
- match: Host(`whoami.172.233.169.31.nip.io`) && PathPrefix(`/`)
kind: Rule
services:
- name: wp
port: 80
sticky:
cookie:
httpOnly: true
# name: cookie
# secure: true
# sameSite: none
# strategy: RoundRobin
# weight: 10
# nativeLB: true
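Review bot: The sticky cookie on the `akashop-https` route is issued with `httpOnly: true` only, and `# secure: true` is left commented out just below it, so a browser will also send the affinity cookie on a plain-HTTP request, before the `akashop-redir` redirect answers. Since this route is bound to `websecure` alone, `secure: true` can simply be enabled; an explicit `name:` and `sameSite: lax` would make the cookie's behaviour predictable as well. The commented-out `strategy`, `weight` and `nativeLB` lines at the end read as leftover template options and could be dropped. Indentation is not preserved on this page, so the nesting of these keys under `sticky.cookie` could not be checked.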


@ -1,56 +0,0 @@
version: '3.8'
services:
traefik:
image: traefik:latest
container_name: "traefik"
command:
- "--providers.docker=true"
- "--api.dashboard=true"
- "--api.insecure=true"
- "--providers.docker.exposedbydefault=false"
- "--entrypoints.web.address=:80"
- "--entrypoints.websecure.address=:443"
- "--certificatesresolvers.letsencrypt.acme.email=learn@akamai.com"
- "--certificatesresolvers.letsencrypt.acme.storage=/etc/traefik/acme/acme.json"
- "--certificatesresolvers.letsencrypt.acme.httpchallenge.entrypoint=web"
ports:
- "80:80"
- "443:443"
- "8080:8080" # /dashboard/
volumes:
- "/var/run/docker.sock:/var/run/docker.sock:ro"
- "../volumes/acme:/etc/traefik/acme"
wp:
image: wordpress
scale: 3
restart: always
environment:
WORDPRESS_DB_HOST: db
WORDPRESS_DB_USER: wordpress
WORDPRESS_DB_PASSWORD: examplepass
WORDPRESS_DB_NAME: wordpress
volumes:
- ../volumes/wp:/var/www/html
labels:
- "traefik.enable=true" # Enable Traefik
- "traefik.http.routers.wp.rule=Host(`origin-akashop.akamai-lab.com`)"
- "traefik.http.routers.wp.tls=true"
- "traefik.http.routers.wp.tls.certresolver=letsencrypt"
- "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https" # HTTP to HTTPS redirect
- "traefik.http.middlewares.redirect-to-https.redirectscheme.permanent=true"
- "traefik.http.routers.redirs.rule=hostregexp(`{host:.+}`)"
- "traefik.http.routers.redirs.entrypoints=web"
- "traefik.http.routers.redirs.middlewares=redirect-to-https"
db:
image: mysql
restart: always
environment:
MYSQL_DATABASE: wordpress
MYSQL_USER: wordpress
MYSQL_PASSWORD: examplepass
MYSQL_RANDOM_ROOT_PASSWORD: '1'
volumes:
- ../volumes/db:/var/lib/mysql


@ -1,4 +0,0 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: traefik-account


@ -1,33 +0,0 @@
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: traefik-role
rules:
- apiGroups:
- ""
resources:
- services
- endpoints
- secrets
verbs:
- get
- list
- watch
- apiGroups:
- extensions
- networking.k8s.io
resources:
- ingresses
- ingressclasses
verbs:
- get
- list
- watch
- apiGroups:
- extensions
- networking.k8s.io
resources:
- ingresses/status
verbs:
- update


@ -1,14 +0,0 @@
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: traefik-role-binding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: traefik-role
subjects:
- kind: ServiceAccount
name: traefik-account
# namespace: traefik
namespace: akashop


@ -15,7 +15,8 @@ spec:
labels:
app: traefik
spec:
serviceAccountName: traefik-account
# serviceAccountName: traefik-account
serviceAccountName: traefik-ingress-controller
containers:
- name: traefik
image: traefik:latest
@ -23,10 +24,10 @@ spec:
- --api.insecure
- --accesslog
- --log.level=DEBUG
- --providers.kubernetesingress
- --providers.kubernetesingress.allowexternalnameservices=true
# - --providers.kubernetescrd
# - --providers.kubernetescrd.allowCrossNamespace=true
# - --providers.kubernetesingress
# - --providers.kubernetesingress.allowexternalnameservices=true
- --providers.kubernetescrd
- --providers.kubernetescrd.allowCrossNamespace=true
- --entrypoints.web.address=:80
- --entrypoints.websecure.address=:443
- --certificatesresolvers.le.acme.email=learn@akamai.com
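Review bot: The newly enabled `--providers.kubernetescrd.allowCrossNamespace=true` lets an IngressRoute in one namespace reference Middlewares, Services and TLS options in any other namespace, yet every resource added in this commit sits in `akashop`, so nothing visible needs it. Dropping that flag (the default is false) and adding `--providers.kubernetescrd.namespaces=akashop` would keep namespace isolation intact. The two `# - --providers.kubernetesingress…` lines and the old `# serviceAccountName: traefik-account` are commented-out history that version control already keeps. The unchanged context still carries `--api.insecure`, `--log.level=DEBUG` and `image: traefik:latest`, which are worth revisiting before this serves real traffic; the container spec continues outside both hunks.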

File diff suppressed because it is too large Load Diff


@ -0,0 +1,75 @@
# Check the latest version at https://doc.traefik.io/traefik/providers/kubernetes-crd/#configuration-requirements
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: traefik-ingress-controller
rules:
- apiGroups:
- ""
resources:
- services
- endpoints
- secrets
verbs:
- get
- list
- watch
- apiGroups:
- extensions
- networking.k8s.io
resources:
- ingresses
- ingressclasses
verbs:
- get
- list
- watch
- apiGroups:
- extensions
- networking.k8s.io
resources:
- ingresses/status
verbs:
- update
- apiGroups:
- traefik.io
- traefik.containo.us
resources:
- middlewares
- middlewaretcps
- ingressroutes
- traefikservices
- ingressroutetcps
- ingressrouteudps
- tlsoptions
- tlsstores
- serverstransports
verbs:
- get
- list
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: traefik-ingress-controller
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: traefik-ingress-controller
subjects:
- kind: ServiceAccount
name: traefik-ingress-controller
namespace: default
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: traefik-ingress-controller
namespace: default
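Review bot: The first rule of this ClusterRole, bound through a ClusterRoleBinding, lets the controller `get`/`list`/`watch` every `secrets` object in every namespace, while the routes added in this commit live only in `akashop`. If Traefik serves just that namespace, the grant can be narrowed by binding the role with a namespaced `kind: RoleBinding` (with `namespace: akashop` in its metadata) and starting Traefik with `--providers.kubernetescrd.namespaces=akashop`; whether the cluster-scoped `ingressclasses` rule is still needed with the CRD provider should be checked first. Separately, the ServiceAccount and the binding subject use `namespace: default`, whereas the binding this replaces pointed at `akashop`. The Deployment's namespace is not visible here, but a pod can only use a ServiceAccount from its own namespace, so the two should be confirmed to match.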