196 lines
5.2 KiB
YAML
196 lines
5.2 KiB
YAML
apiVersion: v1
|
|
kind: Namespace
|
|
metadata:
|
|
name: ingress-shim
|
|
annotations:
|
|
wildcard-tls.kn8v.com/copy: "true"
|
|
---
|
|
apiVersion: v1
|
|
kind: ConfigMap
|
|
metadata:
|
|
name: "haproxy-server"
|
|
namespace: "ingress-shim"
|
|
data:
|
|
haproxy.cfg: |
|
|
global
|
|
log stdout format raw local0
|
|
stats timeout 30s
|
|
user haproxy
|
|
group haproxy
|
|
|
|
defaults
|
|
log global
|
|
mode http
|
|
option httplog
|
|
option dontlognull
|
|
balance source
|
|
timeout connect 5000
|
|
timeout client 50000
|
|
timeout server 50000
|
|
http-reuse never
|
|
option disable-h2-upgrade
|
|
|
|
frontend http80
|
|
bind *:80
|
|
http-request capture req.hdr(Host) len 255
|
|
http-request redirect scheme https
|
|
|
|
frontend https443
|
|
bind *:443 ssl crt /ssl-tmp/tls.pem
|
|
http-request capture req.hdr(Host) len 255
|
|
http-request set-header X-Forwarded-Proto https
|
|
http-response replace-value Location http(://.*[.]werts[.]us/.*) https\1
|
|
http-response replace-value Location http(://.*[.]strudelline[.]net/.*) https\1
|
|
default_backend httpnodes
|
|
|
|
frontend rtmp1935
|
|
bind *:1935
|
|
mode tcp
|
|
default_backend wertube1935
|
|
|
|
frontend proxy4443
|
|
bind *:4443 ssl crt /ssl-tmp/tls.pem accept-proxy
|
|
http-request capture req.hdr(Host) len 255
|
|
http-request set-header X-Forwarded-Proto https
|
|
http-response replace-value Location http(://.*[.]werts[.]us/.*) https\1
|
|
http-response replace-value Location http(://.*[.]strudelline[.]net/.*) https\1
|
|
default_backend httpnodes
|
|
|
|
backend wertube1935
|
|
mode tcp
|
|
balance leastconn
|
|
server s1 peertube-werts.peertube-werts.svc:1935 check
|
|
|
|
backend httpnodes
|
|
option forwardfor
|
|
#server s1 istio-ingressgateway.istio-system.svc.cluster.local:443 check ssl verify none
|
|
#server s2 172.16.17.5:443 check ssl verify none
|
|
# USE THE FRONTING PROXY PORT IN HAPROXY-INGRESS
|
|
server s1 172.16.17.82:81 check
|
|
|
|
frontend stats
|
|
mode http
|
|
option httplog
|
|
bind *:8404
|
|
http-request capture req.hdr(X-Forwarded-For) len 64
|
|
http-request capture req.hdr(Host) len 255
|
|
stats enable
|
|
stats uri /
|
|
stats refresh 10s
|
|
stats admin if LOCALHOST
|
|
---
|
|
# This is a daemonset so that we can use local traffic policies.
|
|
# The whole point of this pod is to gather and preserve client IPs
|
|
# so local traffic policies are a must (kube-proxy will change the
|
|
# origin IP).
|
|
apiVersion: apps/v1
|
|
kind: DaemonSet
|
|
metadata:
|
|
name: "haproxy-server"
|
|
namespace: "ingress-shim"
|
|
annotations:
|
|
"reloader.stakater.com/auto": "true"
|
|
spec:
|
|
selector:
|
|
matchLabels:
|
|
app: "haproxy-server"
|
|
template:
|
|
metadata:
|
|
labels:
|
|
app: "haproxy-server"
|
|
spec:
|
|
terminationGracePeriodSeconds: 0
|
|
initContainers:
|
|
- name: combine-certs
|
|
command: ["bash", "-c"]
|
|
args:
|
|
- |
|
|
cat /ssl/tls.crt /ssl/tls.key > /ssl-tmp/tls.pem
|
|
image: debian:11
|
|
volumeMounts:
|
|
- mountPath: /ssl
|
|
name: ssl
|
|
- mountPath: /ssl-tmp
|
|
name: ssl-tmp
|
|
containers:
|
|
- image: haproxy:latest
|
|
name: haproxy
|
|
volumeMounts:
|
|
- mountPath: /usr/local/etc/haproxy/haproxy.cfg
|
|
name: config
|
|
subPath: haproxy.cfg
|
|
- mountPath: /ssl
|
|
name: ssl
|
|
- mountPath: /ssl-tmp
|
|
name: ssl-tmp
|
|
ports:
|
|
- containerPort: 80
|
|
name: http
|
|
protocol: TCP
|
|
- containerPort: 443
|
|
name: https
|
|
protocol: TCP
|
|
- containerPort: 1935
|
|
name: rtmp
|
|
protocol: TCP
|
|
- containerPort: 4443
|
|
name: proxys
|
|
protocol: TCP
|
|
- containerPort: 8404
|
|
name: stats
|
|
protocol: TCP
|
|
restartPolicy: Always
|
|
volumes:
|
|
- name: config
|
|
configMap:
|
|
name: "haproxy-server"
|
|
- name: ssl
|
|
secret:
|
|
secretName: wildcard-tls
|
|
optional: false
|
|
- name: ssl-tmp
|
|
emptyDir:
|
|
medium: Memory
|
|
sizeLimit: 5Mi
|
|
---
|
|
apiVersion: v1
|
|
kind: Service
|
|
metadata:
|
|
name: "haproxy-server"
|
|
namespace: "ingress-shim"
|
|
annotations:
|
|
metallb.universe.tf/allow-shared-ip: 172.16.17.80
|
|
metallb.universe.tf/loadBalancerIPs: 172.16.17.80
|
|
spec:
|
|
allocateLoadBalancerNodePorts: true
|
|
# PRESERVE CLIENT IPS! THIS IS THE WHOLE POINT!
|
|
externalTrafficPolicy: Local
|
|
internalTrafficPolicy: Local
|
|
ipFamilies:
|
|
- IPv4
|
|
ipFamilyPolicy: SingleStack
|
|
ports:
|
|
- name: http-80
|
|
port: 80
|
|
protocol: TCP
|
|
targetPort: http
|
|
- name: rtmp-1935
|
|
port: 1935
|
|
protocol: TCP
|
|
targetPort: rtmp
|
|
- name: https-443
|
|
port: 443
|
|
protocol: TCP
|
|
targetPort: https
|
|
- name: https-4443
|
|
port: 4443
|
|
protocol: TCP
|
|
targetPort: proxys
|
|
- name: https-8404
|
|
port: 8404
|
|
protocol: TCP
|
|
targetPort: stats
|
|
selector:
|
|
app: "haproxy-server"
|
|
type: LoadBalancer
|