Merge pull request 'k8s' (#3) from k8s into main

Reviewed-on: #3

README.md

@@ -3,52 +3,92 @@ https://origin-akashop.akamai-lab.com
 
 ## How to use HTTPS ##
 - traefik/02-traefik.yml
-```
+```yml
 - --certificatesresolvers.le.acme.email=learn@akamai.com
 - --certificatesresolvers.le.acme.storage=acme.json
 - --certificatesresolvers.le.acme.tlschallenge=true
 - --certificatesresolvers.le.acme.caServer=https://acme-staging-v02.api.letsencrypt.org/directory
 # change caServer to production https://acme-v02.api.letsencrypt.org/directory
 ```
-- akashop/ingress.yml
+- akashop/traefik-ingressR.yml
-```
+```yml
-traefik.ingress.kubernetes.io/router.entrypoints: websecure
+apiVersion: traefik.io/v1alpha1
-traefik.ingress.kubernetes.io/router.tls: "true"
+kind: IngressRoute
-traefik.ingress.kubernetes.io/router.tls.certresolver: le
+metadata:
+  name: akashop-https
+  namespace: akashop
+spec:
+  entryPoints:
+    - websecure  
+  tls:
+    certResolver: le
 ```
 
 ## How to redirect HTTP to HTTPS ##
-- akashop/redirect.yml
+- akashop/traefik-ingressR.yml
-- akashop/ingress.yml
+```yml
-```
+apiVersion: traefik.io/v1alpha1
-traefik.ingress.kubernetes.io/router.middlewares: "http-to-https-redirecte@kubernetescrd"
+kind: Middleware
+metadata:
+  name: akashop-redir
+  namespace: akashop
+spec:
+  redirectScheme:
+    scheme: https
+    permanent: true
+
+---
+
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: akashop-http
+  namespace: akashop
+  ......
+    middlewares:
+    - name: akashop-redir
 ```
 
 ## How to maintain Session Stickyness ##
 - akashop/ingress.yml
-```
+```yml
-traefik.ingress.kubernetes.io/router.sticky.cookie: "sticky"
+apiVersion: traefik.io/v1alpha1
-```
+kind: IngressRoute
-- origin code (functions.php)
+metadata:
-```php
+  name: akashop-https
-// Define cookie name and value
+  namespace: akashop
-$cookie_name = "sticky";
+  ......
-$cookie_value = time();
+    services:
-
+    - name: wp
-// Set expiration time (optional, defaults to session end)
+      port: 80
-$expire = time() + 60 * 60 * 24; // Expires in 24 hours
+      sticky:
-
+        cookie:
-if(!isset($_COOKIE[$cookie_name])) {
+          httpOnly: true
-  // Set cookie with secure flag (recommended)
-  setcookie($cookie_name, $cookie_value, $expire, "/", "", true);
-}
 ```
 
 ## How to use ReadWriteMany pvc ##
 - akashop/pv.yml
+```yml
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: wp-data
+  namespace: akashop
+spec:
+......
+  nfs:
+    path: /nfs/share/akashop/volumes/wp
+    server: 10.0.0.5
 ```
-nfs:
+
-  path: /nfs/share/akashop/volumes/db
-  server: 10.0.0.5
-```
 - akashop/pvc.yml
+```yml  
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: wp-data-pvc
+spec:
+  accessModes:
+    - ReadWriteMany
+    ......
+```

akashop/ingress.yml

@@ -1,45 +0,0 @@
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
-  name: wp-https
-  namespace: akashop
-  annotations:
-    traefik.ingress.kubernetes.io/router.entrypoints: websecure
-    traefik.ingress.kubernetes.io/router.tls: "true"
-    traefik.ingress.kubernetes.io/router.tls.certresolver: le
-    traefik.ingress.kubernetes.io/router.sticky.cookie: "sticky"
-spec:
-  rules:
-  - host: whoami.172.233.168.9.nip.io
-    http:
-      paths:
-      - path: / 
-        pathType: Prefix
-        backend:
-          service: 
-            name: wp
-            port:
-              number: 80 
-
----
-
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
-  name: wp-http
-  namespace: akashop
-  annotations:
-    traefik.ingress.kubernetes.io/router.entrypoints: web
-    traefik.ingress.kubernetes.io/router.middlewares: "http-to-https-redirecte@kubernetescrd"
-spec:
-  rules:
-  - host: whoami.172.233.168.9.nip.io
-    http:
-      paths:
-      - path: / 
-        pathType: Prefix
-        backend:
-          service: 
-            name: wp
-            port:
-              number: 80 

akashop/redirect.yml

@@ -1,8 +0,0 @@
-apiVersion: traefik.containo.us/v1alpha1
-kind: Middleware
-metadata:
-  name: http-to-https-redirect
-spec:
-  redirectScheme:
-    scheme: https
-    permanent: true  # Set to true for permanent (301) redirect

akashop/traefik-ingressR.yml

@@ -0,0 +1,62 @@
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: akashop-redir
+  namespace: akashop
+spec:
+  redirectScheme:
+    scheme: https
+    permanent: true  # Set to true for permanent (301) redirect
+
+---
+
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: akashop-http
+  namespace: akashop
+
+spec:
+  entryPoints:
+    - web
+
+  routes:
+  - match: Host(`whoami.172.233.169.31.nip.io`) && PathPrefix(`/`)
+    kind: Rule
+    services:
+    - name: wp
+      port: 80
+
+    middlewares:
+    - name: akashop-redir
+
+---
+
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: akashop-https
+  namespace: akashop
+
+spec:
+  entryPoints:
+    - websecure
+  
+  tls:
+    certResolver: le
+
+  routes:
+  - match: Host(`whoami.172.233.169.31.nip.io`) && PathPrefix(`/`)
+    kind: Rule
+    services:
+    - name: wp
+      port: 80
+      sticky:
+        cookie:
+          httpOnly: true
+          # name: cookie
+          # secure: true
+          # sameSite: none
+      # strategy: RoundRobin
+      # weight: 10
+      # nativeLB: true  

docker/compose.yaml

@@ -1,56 +0,0 @@
-version: '3.8'
-
-services:
-  traefik:
-    image: traefik:latest
-    container_name: "traefik"
-    command: 
-      - "--providers.docker=true"
-      - "--api.dashboard=true"
-      - "--api.insecure=true"
-      - "--providers.docker.exposedbydefault=false"
-      - "--entrypoints.web.address=:80"
-      - "--entrypoints.websecure.address=:443"
-      - "--certificatesresolvers.letsencrypt.acme.email=learn@akamai.com"
-      - "--certificatesresolvers.letsencrypt.acme.storage=/etc/traefik/acme/acme.json"
-      - "--certificatesresolvers.letsencrypt.acme.httpchallenge.entrypoint=web"
-    ports:
-      - "80:80"  
-      - "443:443"  
-      - "8080:8080" # /dashboard/
-    volumes:
-      - "/var/run/docker.sock:/var/run/docker.sock:ro"
-      - "../volumes/acme:/etc/traefik/acme"
-
-  wp:
-    image: wordpress
-    scale: 3
-    restart: always
-    environment:
-      WORDPRESS_DB_HOST: db
-      WORDPRESS_DB_USER: wordpress
-      WORDPRESS_DB_PASSWORD: examplepass
-      WORDPRESS_DB_NAME: wordpress
-    volumes:
-      - ../volumes/wp:/var/www/html
-    labels:
-      - "traefik.enable=true"  # Enable Traefik
-      - "traefik.http.routers.wp.rule=Host(`origin-akashop.akamai-lab.com`)"
-      - "traefik.http.routers.wp.tls=true"
-      - "traefik.http.routers.wp.tls.certresolver=letsencrypt"
-      - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https" # HTTP to HTTPS redirect
-      - "traefik.http.middlewares.redirect-to-https.redirectscheme.permanent=true"
-      - "traefik.http.routers.redirs.rule=hostregexp(`{host:.+}`)"
-      - "traefik.http.routers.redirs.entrypoints=web"
-      - "traefik.http.routers.redirs.middlewares=redirect-to-https"
-
-  db:
-    image: mysql
-    restart: always
-    environment:
-      MYSQL_DATABASE: wordpress
-      MYSQL_USER: wordpress
-      MYSQL_PASSWORD: examplepass
-      MYSQL_RANDOM_ROOT_PASSWORD: '1'
-    volumes:
-      - ../volumes/db:/var/lib/mysql

traefik/00-account.yml

@@ -1,4 +0,0 @@
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: traefik-account

traefik/00-role.yml

@@ -1,33 +0,0 @@
-kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: traefik-role
-
-rules:
-  - apiGroups:
-      - ""
-    resources:
-      - services
-      - endpoints
-      - secrets
-    verbs:
-      - get
-      - list
-      - watch
-  - apiGroups:
-      - extensions
-      - networking.k8s.io
-    resources:
-      - ingresses
-      - ingressclasses
-    verbs:
-      - get
-      - list
-      - watch
-  - apiGroups:
-      - extensions
-      - networking.k8s.io
-    resources:
-      - ingresses/status
-    verbs:
-      - update

traefik/01-role-binding.yml

@@ -1,14 +0,0 @@
-kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: traefik-role-binding
-
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: traefik-role
-subjects:
-  - kind: ServiceAccount
-    name: traefik-account
-    # namespace: traefik
-    namespace: akashop

traefik/02-traefik.yml

@@ -15,7 +15,8 @@ spec:
       labels:
         app: traefik
     spec:
-      serviceAccountName: traefik-account
+      # serviceAccountName: traefik-account
+      serviceAccountName: traefik-ingress-controller
       containers:
         - name: traefik
           image: traefik:latest
@@ -23,16 +24,17 @@ spec:
             - --api.insecure
             - --accesslog
             - --log.level=DEBUG
-            - --providers.kubernetesingress
+            # - --providers.kubernetesingress
-            - --providers.kubernetesingress.allowexternalnameservices=true
+            # - --providers.kubernetesingress.allowexternalnameservices=true
-            # - --providers.kubernetescrd
+            - --providers.kubernetescrd
-            # - --providers.kubernetescrd.allowCrossNamespace=true
+            - --providers.kubernetescrd.allowCrossNamespace=true
             - --entrypoints.web.address=:80
             - --entrypoints.websecure.address=:443
             - --certificatesresolvers.le.acme.email=learn@akamai.com
             - --certificatesresolvers.le.acme.storage=acme.json
             - --certificatesresolvers.le.acme.tlschallenge=true
             - --certificatesresolvers.le.acme.caServer=https://acme-staging-v02.api.letsencrypt.org/directory
+            # change caServer to production https://acme-v02.api.letsencrypt.org/directory
           ports:
             - name: web
               containerPort: 80

traefik/kubernetes-crd-rbac.yml

@@ -0,0 +1,75 @@
+# Check the latest version at https://doc.traefik.io/traefik/providers/kubernetes-crd/#configuration-requirements
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: traefik-ingress-controller
+
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - services
+      - endpoints
+      - secrets
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - extensions
+      - networking.k8s.io
+    resources:
+      - ingresses
+      - ingressclasses
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - extensions
+      - networking.k8s.io
+    resources:
+      - ingresses/status
+    verbs:
+      - update
+  - apiGroups:
+      - traefik.io
+      - traefik.containo.us
+    resources:
+      - middlewares
+      - middlewaretcps
+      - ingressroutes
+      - traefikservices
+      - ingressroutetcps
+      - ingressrouteudps
+      - tlsoptions
+      - tlsstores
+      - serverstransports
+    verbs:
+      - get
+      - list
+      - watch
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: traefik-ingress-controller
+
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: traefik-ingress-controller
+subjects:
+  - kind: ServiceAccount
+    name: traefik-ingress-controller
+    namespace: default
+
+---
+
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: traefik-ingress-controller
+  namespace: default