alpha
/
dotfiles
1
0
Fork 0
Code Issues 15 Pull Requests Packages Projects Releases Wiki Activity

[meta] move k8s manifests into terraform

Browse Source
pull/37/head
Alpha Chen 3 years ago
parent 612abf362f
commit 964c858507
11 changed files with 223 additions and 18320 deletions
Show Stats Download Patch File Download Diff File

2
meta/lotus-land-story/.gitignore vendored
Unescape View File

@ -1,3 +1,5 @@
.kube .kube
.terraform* .terraform*
terraform.tfstate* terraform.tfstate*
terraform.tfvars
tf.log

27
meta/lotus-land-story/README.md
Unescape View File

@ -7,36 +7,13 @@
# Install tooling # Install tooling
brew install helm kubernetes-cli terraform brew install helm kubernetes-cli terraform
# One-time initialization # Bootstrapping
terraform init (cd bootstrap && terraform init && terraform apply)
# Terraform commands # Terraform commands
terraform plan terraform plan
terraform apply terraform apply
terraform destroy terraform destroy
# cert-manager
helm repo add jetstack https://charts.jetstack.io
kubectl create namespace cert-manager
helm template \
cert-manager jetstack/cert-manager \
--namespace cert-manager \
--create-namespace \
--version v1.6.1 \
--set installCRDs=true \
> manifests/cert-manager.yml
kubectl apply -f manifests/cert-manager.yml
cat manifests/letsencrypt-staging.yml | envsubst | kubectl apply -f -
cat manifests/letsencrypt-prod.yml | envsubst | kubectl apply -f -
# nginx
helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
helm template quickstart ingress-nginx/ingress-nginx > manifests/ingress-nginx.yml
kubectl apply -f manifests/ingress-nginx.yml
# kuard
cat manifests/kuard.yml | envsubst | kubectl apply -f -
``` ```
## References ## References

27
meta/lotus-land-story/bootstrap/main.tf
Unescape View File

@ -0,0 +1,27 @@
terraform {
required_providers {
linode = {
source = "linode/linode"
version = "1.24.0"
}
}
}
provider "linode" {
}
resource "linode_lke_cluster" "lotus_land_story" {
label = "lotus-land-story"
k8s_version = "1.22"
region = "us-west"
pool {
type = "g6-standard-1"
count = 1
}
}
output "kubeconfig" {
value = linode_lke_cluster.lotus_land_story.kubeconfig
sensitive = true
}

2
meta/lotus-land-story/output.tf → meta/lotus-land-story/bootstrap/output.tf
Unescape View File

@ -1,6 +1,6 @@
resource "local_file" "kubeconfig" { resource "local_file" "kubeconfig" {
depends_on = [linode_lke_cluster.lotus_land_story] depends_on = [linode_lke_cluster.lotus_land_story]
filename = ".kube/config" filename = "../.kube/config"
file_permission = "0700" file_permission = "0700"
content = base64decode(linode_lke_cluster.lotus_land_story.kubeconfig) content = base64decode(linode_lke_cluster.lotus_land_story.kubeconfig)
} }

191
meta/lotus-land-story/main.tf
Unescape View File

@ -1,22 +1,191 @@
terraform { terraform {
required_providers { required_providers {
linode = { kubernetes = {
source = "linode/linode" source = "hashicorp/kubernetes"
version = "1.24.0"
} }
helm = {
source = "hashicorp/helm"
}
}
}
provider "helm" {
kubernetes {
config_path = ".kube/config"
} }
} }
provider "linode" { provider "kubernetes" {
config_path = ".kube/config"
} }
resource "linode_lke_cluster" "lotus_land_story" { resource "kubernetes_namespace" "cert_manager" {
label = "lotus-land-story" metadata {
k8s_version = "1.22" name = "cert-manager"
region = "us-west" }
}
pool { resource "helm_release" "cert_manager" {
type = "g6-standard-1" name = "cert-manager"
count = 1 repository = "https://charts.jetstack.io"
chart = "cert-manager"
version = "1.6.1"
namespace = kubernetes_namespace.cert_manager.metadata[0].name
set {
name = "installCRDs"
value = "true"
}
}
resource "kubernetes_manifest" "letsencrypt_staging" {
manifest = {
apiVersion = "cert-manager.io/v1"
kind = "Issuer"
metadata = {
name = "letsencrypt-staging"
namespace = "default"
}
spec = {
acme = {
server = "https://acme-staging-v02.api.letsencrypt.org/directory"
email = var.letsencrypt_email
privateKeySecretRef = {
name = "letsencrypt-staging"
}
solvers = [
{
selector = {}
http01 = {
ingress = {
class = "nginx"
}
}
}
]
}
}
}
}
resource "kubernetes_manifest" "letsencrypt_prod" {
manifest = {
apiVersion = "cert-manager.io/v1"
kind = "Issuer"
metadata = {
name = "letsencrypt-prod"
namespace = "default"
}
spec = {
acme = {
server = "https://acme-v02.api.letsencrypt.org/directory"
email = var.letsencrypt_email
privateKeySecretRef = {
name = "letsencrypt-prod"
}
solvers = [
{
selector = {}
http01 = {
ingress = {
class = "nginx"
}
}
}
]
}
}
}
}
resource "helm_release" "ingress_nginx" {
name = "ingress-nginx"
repository = "https://kubernetes.github.io/ingress-nginx"
chart = "ingress-nginx"
version = "4.0.13"
}
resource "kubernetes_deployment" "kuard" {
metadata {
name = "kuard"
}
spec {
selector {
match_labels = {
app = "kuard"
}
}
replicas = 1
template {
metadata {
labels = {
app = "kuard"
}
}
spec {
container {
image = "gcr.io/kuar-demo/kuard-amd64:1"
image_pull_policy = "Always"
name = "kuard"
port {
container_port = 8080
}
}
}
}
}
}
resource "kubernetes_service" "kuard" {
metadata {
name = "kuard"
}
spec {
port {
port = 80
target_port = 8080
protocol = "TCP"
}
selector = {
app = "kuard"
}
}
}
resource "kubernetes_ingress_v1" "kuard" {
metadata {
name = "kuard"
annotations = {
"kubernetes.io/ingress.class" = "nginx"
"cert-manager.io/issuer" = "letsencrypt-prod"
}
}
spec {
tls {
hosts = [
"kuard.${var.domain}"
]
secret_name = "kuard-tls"
}
rule {
host = "kuard.${var.domain}"
http {
path {
path = "/"
path_type = "Prefix"
backend {
service {
name = "kuard"
port {
number = 80
}
}
}
}
}
}
} }
} }

17521
meta/lotus-land-story/manifests/cert-manager.yml
View File

File diff suppressed because it is too large Load Diff

674
meta/lotus-land-story/manifests/ingress-nginx.yml
Unescape View File

@ -1,674 +0,0 @@
---
# Source: ingress-nginx/templates/controller-serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
labels:
helm.sh/chart: ingress-nginx-4.0.13
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/instance: quickstart
app.kubernetes.io/version: "1.1.0"
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: controller
name: quickstart-ingress-nginx
namespace: default
automountServiceAccountToken: true
---
# Source: ingress-nginx/templates/controller-configmap.yaml
apiVersion: v1
kind: ConfigMap
metadata:
labels:
helm.sh/chart: ingress-nginx-4.0.13
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/instance: quickstart
app.kubernetes.io/version: "1.1.0"
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: controller
name: quickstart-ingress-nginx-controller
namespace: default
data:
allow-snippet-annotations: "true"
---
# Source: ingress-nginx/templates/clusterrole.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
helm.sh/chart: ingress-nginx-4.0.13
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/instance: quickstart
app.kubernetes.io/version: "1.1.0"
app.kubernetes.io/managed-by: Helm
name: quickstart-ingress-nginx
rules:
- apiGroups:
- ""
resources:
- configmaps
- endpoints
- nodes
- pods
- secrets
- namespaces
verbs:
- list
- watch
- apiGroups:
- ""
resources:
- nodes
verbs:
- get
- apiGroups:
- ""
resources:
- services
verbs:
- get
- list
- watch
- apiGroups:
- networking.k8s.io
resources:
- ingresses
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- events
verbs:
- create
- patch
- apiGroups:
- networking.k8s.io
resources:
- ingresses/status
verbs:
- update
- apiGroups:
- networking.k8s.io
resources:
- ingressclasses
verbs:
- get
- list
- watch
---
# Source: ingress-nginx/templates/clusterrolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
labels:
helm.sh/chart: ingress-nginx-4.0.13
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/instance: quickstart
app.kubernetes.io/version: "1.1.0"
app.kubernetes.io/managed-by: Helm
name: quickstart-ingress-nginx
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: quickstart-ingress-nginx
subjects:
- kind: ServiceAccount
name: quickstart-ingress-nginx
namespace: "default"
---
# Source: ingress-nginx/templates/controller-role.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
labels:
helm.sh/chart: ingress-nginx-4.0.13
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/instance: quickstart
app.kubernetes.io/version: "1.1.0"
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: controller
name: quickstart-ingress-nginx
namespace: default
rules:
- apiGroups:
- ""
resources:
- namespaces
verbs:
- get
- apiGroups:
- ""
resources:
- configmaps
- pods
- secrets
- endpoints
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- services
verbs:
- get
- list
- watch
- apiGroups:
- networking.k8s.io
resources:
- ingresses
verbs:
- get
- list
- watch
- apiGroups:
- networking.k8s.io
resources:
- ingresses/status
verbs:
- update
- apiGroups:
- networking.k8s.io
resources:
- ingressclasses
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- configmaps
resourceNames:
- ingress-controller-leader
verbs:
- get
- update
- apiGroups:
- ""
resources:
- configmaps
verbs:
- create
- apiGroups:
- ""
resources:
- events
verbs:
- create
- patch
---
# Source: ingress-nginx/templates/controller-rolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
labels:
helm.sh/chart: ingress-nginx-4.0.13
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/instance: quickstart
app.kubernetes.io/version: "1.1.0"
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: controller
name: quickstart-ingress-nginx
namespace: default
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: quickstart-ingress-nginx
subjects:
- kind: ServiceAccount
name: quickstart-ingress-nginx
namespace: "default"
---
# Source: ingress-nginx/templates/controller-service-webhook.yaml
apiVersion: v1
kind: Service
metadata:
labels:
helm.sh/chart: ingress-nginx-4.0.13
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/instance: quickstart
app.kubernetes.io/version: "1.1.0"
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: controller
name: quickstart-ingress-nginx-controller-admission
namespace: default
spec:
type: ClusterIP
ports:
- name: https-webhook
port: 443
targetPort: webhook
appProtocol: https
selector:
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/instance: quickstart
app.kubernetes.io/component: controller
---
# Source: ingress-nginx/templates/controller-service.yaml
apiVersion: v1
kind: Service
metadata:
annotations:
labels:
helm.sh/chart: ingress-nginx-4.0.13
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/instance: quickstart
app.kubernetes.io/version: "1.1.0"
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: controller
name: quickstart-ingress-nginx-controller
namespace: default
spec:
type: LoadBalancer
ipFamilyPolicy: SingleStack
ipFamilies:
- IPv4
ports:
- name: http
port: 80
protocol: TCP
targetPort: http
appProtocol: http
- name: https
port: 443
protocol: TCP
targetPort: https
appProtocol: https
selector:
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/instance: quickstart
app.kubernetes.io/component: controller
---
# Source: ingress-nginx/templates/controller-deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
helm.sh/chart: ingress-nginx-4.0.13
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/instance: quickstart
app.kubernetes.io/version: "1.1.0"
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: controller
name: quickstart-ingress-nginx-controller
namespace: default
spec:
selector:
matchLabels:
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/instance: quickstart
app.kubernetes.io/component: controller
replicas: 1
revisionHistoryLimit: 10
minReadySeconds: 0
template:
metadata:
labels:
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/instance: quickstart
app.kubernetes.io/component: controller
spec:
dnsPolicy: ClusterFirst
containers:
- name: controller
image: "k8s.gcr.io/ingress-nginx/controller:v1.1.0@sha256:f766669fdcf3dc26347ed273a55e754b427eb4411ee075a53f30718b4499076a"
imagePullPolicy: IfNotPresent
lifecycle:
preStop:
exec:
command:
- /wait-shutdown
args:
- /nginx-ingress-controller
- --publish-service=$(POD_NAMESPACE)/quickstart-ingress-nginx-controller
- --election-id=ingress-controller-leader
- --controller-class=k8s.io/ingress-nginx
- --configmap=$(POD_NAMESPACE)/quickstart-ingress-nginx-controller
- --validating-webhook=:8443
- --validating-webhook-certificate=/usr/local/certificates/cert
- --validating-webhook-key=/usr/local/certificates/key
securityContext:
capabilities:
drop:
- ALL
add:
- NET_BIND_SERVICE
runAsUser: 101
allowPrivilegeEscalation: true
env:
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: LD_PRELOAD
value: /usr/local/lib/libmimalloc.so
livenessProbe:
failureThreshold: 5
httpGet:
path: /healthz
port: 10254
scheme: HTTP
initialDelaySeconds: 10
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 1
readinessProbe:
failureThreshold: 3
httpGet:
path: /healthz
port: 10254
scheme: HTTP
initialDelaySeconds: 10
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 1
ports:
- name: http
containerPort: 80
protocol: TCP
- name: https
containerPort: 443
protocol: TCP
- name: webhook
containerPort: 8443
protocol: TCP
volumeMounts:
- name: webhook-cert
mountPath: /usr/local/certificates/
readOnly: true
resources:
requests:
cpu: 100m
memory: 90Mi
nodeSelector:
kubernetes.io/os: linux
serviceAccountName: quickstart-ingress-nginx
terminationGracePeriodSeconds: 300
volumes:
- name: webhook-cert
secret:
secretName: quickstart-ingress-nginx-admission
---
# Source: ingress-nginx/templates/controller-ingressclass.yaml
# We don't support namespaced ingressClass yet
# So a ClusterRole and a ClusterRoleBinding is required
apiVersion: networking.k8s.io/v1
kind: IngressClass
metadata:
labels:
helm.sh/chart: ingress-nginx-4.0.13
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/instance: quickstart
app.kubernetes.io/version: "1.1.0"
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: controller
name: nginx
spec:
controller: k8s.io/ingress-nginx
---
# Source: ingress-nginx/templates/admission-webhooks/validating-webhook.yaml
# before changing this value, check the required kubernetes version
# https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#prerequisites
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
labels:
helm.sh/chart: ingress-nginx-4.0.13
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/instance: quickstart
app.kubernetes.io/version: "1.1.0"
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: admission-webhook
name: quickstart-ingress-nginx-admission
webhooks:
- name: validate.nginx.ingress.kubernetes.io
matchPolicy: Equivalent
rules:
- apiGroups:
- networking.k8s.io
apiVersions:
- v1
operations:
- CREATE
- UPDATE
resources:
- ingresses
failurePolicy: Fail
sideEffects: None
admissionReviewVersions:
- v1
clientConfig:
service:
namespace: "default"
name: quickstart-ingress-nginx-controller-admission
path: /networking/v1/ingresses
---
# Source: ingress-nginx/templates/admission-webhooks/job-patch/serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
name: quickstart-ingress-nginx-admission
namespace: default
annotations:
"helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
labels:
helm.sh/chart: ingress-nginx-4.0.13
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/instance: quickstart
app.kubernetes.io/version: "1.1.0"
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: admission-webhook
---
# Source: ingress-nginx/templates/admission-webhooks/job-patch/clusterrole.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: quickstart-ingress-nginx-admission
annotations:
"helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
labels:
helm.sh/chart: ingress-nginx-4.0.13
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/instance: quickstart
app.kubernetes.io/version: "1.1.0"
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: admission-webhook
rules:
- apiGroups:
- admissionregistration.k8s.io
resources:
- validatingwebhookconfigurations
verbs:
- get
- update
---
# Source: ingress-nginx/templates/admission-webhooks/job-patch/clusterrolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: quickstart-ingress-nginx-admission
annotations:
"helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
labels:
helm.sh/chart: ingress-nginx-4.0.13
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/instance: quickstart
app.kubernetes.io/version: "1.1.0"
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: admission-webhook
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: quickstart-ingress-nginx-admission
subjects:
- kind: ServiceAccount
name: quickstart-ingress-nginx-admission
namespace: "default"
---
# Source: ingress-nginx/templates/admission-webhooks/job-patch/role.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: quickstart-ingress-nginx-admission
namespace: default
annotations:
"helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
labels:
helm.sh/chart: ingress-nginx-4.0.13
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/instance: quickstart
app.kubernetes.io/version: "1.1.0"
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: admission-webhook
rules:
- apiGroups:
- ""
resources:
- secrets
verbs:
- get
- create
---
# Source: ingress-nginx/templates/admission-webhooks/job-patch/rolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: quickstart-ingress-nginx-admission
namespace: default
annotations:
"helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
labels:
helm.sh/chart: ingress-nginx-4.0.13
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/instance: quickstart
app.kubernetes.io/version: "1.1.0"
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: admission-webhook
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: quickstart-ingress-nginx-admission
subjects:
- kind: ServiceAccount
name: quickstart-ingress-nginx-admission
namespace: "default"
---
# Source: ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml
apiVersion: batch/v1
kind: Job
metadata:
name: quickstart-ingress-nginx-admission-create
namespace: default
annotations:
"helm.sh/hook": pre-install,pre-upgrade
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
labels:
helm.sh/chart: ingress-nginx-4.0.13
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/instance: quickstart
app.kubernetes.io/version: "1.1.0"
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: admission-webhook
spec:
template:
metadata:
name: quickstart-ingress-nginx-admission-create
labels:
helm.sh/chart: ingress-nginx-4.0.13
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/instance: quickstart
app.kubernetes.io/version: "1.1.0"
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: admission-webhook
spec:
containers:
- name: create
image: "k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660"
imagePullPolicy: IfNotPresent
args:
- create
- --host=quickstart-ingress-nginx-controller-admission,quickstart-ingress-nginx-controller-admission.$(POD_NAMESPACE).svc
- --namespace=$(POD_NAMESPACE)
- --secret-name=quickstart-ingress-nginx-admission
env:
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
securityContext:
allowPrivilegeEscalation: false
restartPolicy: OnFailure
serviceAccountName: quickstart-ingress-nginx-admission
nodeSelector:
kubernetes.io/os: linux
securityContext:
runAsNonRoot: true
runAsUser: 2000
---
# Source: ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml
apiVersion: batch/v1
kind: Job
metadata:
name: quickstart-ingress-nginx-admission-patch
namespace: default
annotations:
"helm.sh/hook": post-install,post-upgrade
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
labels:
helm.sh/chart: ingress-nginx-4.0.13
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/instance: quickstart
app.kubernetes.io/version: "1.1.0"
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: admission-webhook
spec:
template:
metadata:
name: quickstart-ingress-nginx-admission-patch
labels:
helm.sh/chart: ingress-nginx-4.0.13
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/instance: quickstart
app.kubernetes.io/version: "1.1.0"
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: admission-webhook
spec:
containers:
- name: patch
image: "k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660"
imagePullPolicy: IfNotPresent
args:
- patch
- --webhook-name=quickstart-ingress-nginx-admission
- --namespace=$(POD_NAMESPACE)
- --patch-mutating=false
- --secret-name=quickstart-ingress-nginx-admission
- --patch-failure-policy=Fail
env:
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
securityContext:
allowPrivilegeEscalation: false
restartPolicy: OnFailure
serviceAccountName: quickstart-ingress-nginx-admission
nodeSelector:
kubernetes.io/os: linux
securityContext:
runAsNonRoot: true
runAsUser: 2000

56
meta/lotus-land-story/manifests/kuard.yml
Unescape View File

@ -1,56 +0,0 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: kuard
spec:
selector:
matchLabels:
app: kuard
replicas: 1
template:
metadata:
labels:
app: kuard
spec:
containers:
- image: gcr.io/kuar-demo/kuard-amd64:1
imagePullPolicy: Always
name: kuard
ports:
- containerPort: 8080
---
apiVersion: v1
kind: Service
metadata:
name: kuard
spec:
ports:
- port: 80
targetPort: 8080
protocol: TCP
selector:
app: kuard
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: kuard
annotations:
kubernetes.io/ingress.class: nginx
cert-manager.io/issuer: letsencrypt-prod
spec:
tls:
- hosts:
- kuard.$DOMAIN
secretName: kuard-tls
rules:
- host: kuard.$DOMAIN
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: kuard
port:
number: 80

16
meta/lotus-land-story/manifests/letsencrypt-prod.yml
Unescape View File

@ -1,16 +0,0 @@
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
name: letsencrypt-prod
namespace: default
spec:
acme:
server: https://acme-v02.api.letsencrypt.org/directory
email: $LETS_ENCRYPT_EMAIL
privateKeySecretRef:
name: letsencrypt-prod
solvers:
- selector: {}
http01:
ingress:
class: nginx

16
meta/lotus-land-story/manifests/letsencrypt-staging.yml
Unescape View File

@ -1,16 +0,0 @@
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
name: letsencrypt-staging
namespace: default
spec:
acme:
server: https://acme-staging-v02.api.letsencrypt.org/directory
email: $LETS_ENCRYPT_EMAIL
privateKeySecretRef:
name: letsencrypt-staging
solvers:
- selector: {}
http01:
ingress:
class: nginx

11
meta/lotus-land-story/variables.tf
Unescape View File

@ -0,0 +1,11 @@
variable "domain" {
type = string
nullable = false
sensitive = true
}
variable "letsencrypt_email" {
type = string
nullable = false
sensitive = true
}
Write Preview
Loading…
Cancel
Save