add ingress shim -- figure out XFF later
This commit is contained in:
parent
37a80e9db6
commit
2b5b0cd94b
160
ingress-shim/deploy.yaml
Normal file
160
ingress-shim/deploy.yaml
Normal file
|
@ -0,0 +1,160 @@
|
|||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: ingress-shim
|
||||
annotations:
|
||||
wildcard-tls.kn8v.com/copy: "true"
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: "haproxy-server"
|
||||
namespace: "ingress-shim"
|
||||
data:
|
||||
haproxy.cfg: |
|
||||
global
|
||||
log stdout format raw local0
|
||||
stats timeout 30s
|
||||
user haproxy
|
||||
group haproxy
|
||||
|
||||
defaults
|
||||
log global
|
||||
mode http
|
||||
option httplog
|
||||
option dontlognull
|
||||
balance source
|
||||
timeout connect 5000
|
||||
timeout client 50000
|
||||
timeout server 50000
|
||||
http-reuse never
|
||||
option disable-h2-upgrade
|
||||
|
||||
frontend http80
|
||||
bind *:80
|
||||
http-request redirect scheme https
|
||||
|
||||
frontend https443
|
||||
bind *:443 ssl crt /ssl-tmp/tls.pem
|
||||
default_backend httpnodes
|
||||
|
||||
frontend proxy443
|
||||
bind *:4443 ssl crt /ssl-tmp/tls.pem accept-proxy
|
||||
default_backend httpnodes
|
||||
|
||||
backend httpnodes
|
||||
server s1 istio-ingressgateway.istio-system.svc.cluster.local:80 check
|
||||
|
||||
frontend stats
|
||||
mode http
|
||||
option httplog
|
||||
bind *:8404
|
||||
stats enable
|
||||
stats uri /
|
||||
stats refresh 10s
|
||||
stats admin if LOCALHOST
|
||||
---
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: "haproxy-server"
|
||||
namespace: "ingress-shim"
|
||||
annotations:
|
||||
"reloader.stakater.com/auto": "true"
|
||||
spec:
|
||||
replicas: 1
|
||||
selector:
|
||||
matchLabels:
|
||||
app: "haproxy-server"
|
||||
strategy:
|
||||
type: RollingUpdate
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
app: "haproxy-server"
|
||||
spec:
|
||||
initContainers:
|
||||
- name: combine-certs
|
||||
command: ["bash", "-c"]
|
||||
args:
|
||||
- |
|
||||
cat /ssl/tls.crt /ssl/tls.key > /ssl-tmp/tls.pem
|
||||
image: debian:11
|
||||
volumeMounts:
|
||||
- mountPath: /ssl
|
||||
name: ssl
|
||||
- mountPath: /ssl-tmp
|
||||
name: ssl-tmp
|
||||
containers:
|
||||
- image: haproxy:latest
|
||||
name: haproxy
|
||||
volumeMounts:
|
||||
- mountPath: /usr/local/etc/haproxy/haproxy.cfg
|
||||
name: config
|
||||
subPath: haproxy.cfg
|
||||
- mountPath: /ssl
|
||||
name: ssl
|
||||
- mountPath: /ssl-tmp
|
||||
name: ssl-tmp
|
||||
ports:
|
||||
- containerPort: 80
|
||||
name: http
|
||||
protocol: TCP
|
||||
- containerPort: 443
|
||||
name: https
|
||||
protocol: TCP
|
||||
- containerPort: 4443
|
||||
name: proxys
|
||||
protocol: TCP
|
||||
- containerPort: 8404
|
||||
name: stats
|
||||
protocol: TCP
|
||||
restartPolicy: Always
|
||||
volumes:
|
||||
- name: config
|
||||
configMap:
|
||||
name: "haproxy-server"
|
||||
- name: ssl
|
||||
secret:
|
||||
secretName: wildcard-tls
|
||||
optional: false
|
||||
- name: ssl-tmp
|
||||
emptyDir:
|
||||
medium: Memory
|
||||
sizeLimit: 5Mi
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: "haproxy-server"
|
||||
namespace: "ingress-shim"
|
||||
annotations:
|
||||
metallb.universe.tf/allow-shared-ip: 172.16.17.80
|
||||
metallb.universe.tf/loadBalancerIPs: 172.16.17.80
|
||||
spec:
|
||||
allocateLoadBalancerNodePorts: true
|
||||
externalTrafficPolicy: Local
|
||||
internalTrafficPolicy: Local
|
||||
ipFamilies:
|
||||
- IPv4
|
||||
ipFamilyPolicy: SingleStack
|
||||
ports:
|
||||
- name: http-80
|
||||
port: 80
|
||||
protocol: TCP
|
||||
targetPort: http
|
||||
- name: https-443
|
||||
port: 443
|
||||
protocol: TCP
|
||||
targetPort: https
|
||||
- name: https-4443
|
||||
port: 4443
|
||||
protocol: TCP
|
||||
targetPort: proxys
|
||||
- name: https-8404
|
||||
port: 8404
|
||||
protocol: TCP
|
||||
targetPort: stats
|
||||
selector:
|
||||
app: "haproxy-server"
|
||||
type: LoadBalancer
|
Loading…
Reference in New Issue
Block a user