Dustin C. Hatch
61378e9724
I guess I thought `defaultBackend` was scoped to the TLS host, but it appears to be global, across all Ingress resources in the cluster. Thus, it really doesn't make any sense for any Ingress to have a default backend, and certainly not the dynk8s provisioner.
321 lines
7.2 KiB
YAML
321 lines
7.2 KiB
YAML
---
|
|
apiVersion: v1
|
|
kind: Namespace
|
|
metadata:
|
|
name: dynk8s
|
|
labels:
|
|
kubernetes.io/metadata.name: dynk8s
|
|
|
|
---
|
|
apiVersion: v1
|
|
kind: ServiceAccount
|
|
metadata:
|
|
name: dynk8s-provisioner
|
|
namespace: dynk8s
|
|
labels:
|
|
app.kubernetes.io/name: dynk8s-provisioner
|
|
app.kubernetes.io/instance: default
|
|
app.kubernetes.io/component: http-api
|
|
app.kubernetes.io/part-of: dynk8s-provisioner
|
|
automountServiceAccountToken: true
|
|
|
|
---
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: Role
|
|
metadata:
|
|
name: dynk8s-provisioner
|
|
namespace: dynk8s
|
|
labels:
|
|
app.kubernetes.io/name: dynk8s-provisioner
|
|
app.kubernetes.io/instance: default
|
|
app.kubernetes.io/component: http-api
|
|
app.kubernetes.io/part-of: dynk8s-provisioner
|
|
rules:
|
|
- apiGroups:
|
|
- ''
|
|
resources:
|
|
- secrets
|
|
verbs:
|
|
- '*'
|
|
|
|
---
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: Role
|
|
metadata:
|
|
name: dynk8s-provisioner
|
|
namespace: kube-system
|
|
labels:
|
|
app.kubernetes.io/name: dynk8s-provisioner
|
|
app.kubernetes.io/instance: default
|
|
app.kubernetes.io/component: http-api
|
|
app.kubernetes.io/part-of: dynk8s-provisioner
|
|
rules:
|
|
- apiGroups:
|
|
- ''
|
|
resources:
|
|
- secrets
|
|
verbs:
|
|
- '*'
|
|
|
|
---
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: Role
|
|
metadata:
|
|
name: dynk8s-provisioner
|
|
namespace: kube-public
|
|
labels:
|
|
app.kubernetes.io/name: dynk8s-provisioner
|
|
app.kubernetes.io/instance: default
|
|
app.kubernetes.io/component: http-api
|
|
app.kubernetes.io/part-of: dynk8s-provisioner
|
|
rules:
|
|
- apiGroups:
|
|
- ''
|
|
resources:
|
|
- configmaps
|
|
resourceNames:
|
|
- cluster-info
|
|
verbs:
|
|
- get
|
|
|
|
---
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: ClusterRole
|
|
metadata:
|
|
name: dynk8s-provisioner
|
|
labels:
|
|
app.kubernetes.io/name: dynk8s-provisioner
|
|
app.kubernetes.io/instance: default
|
|
app.kubernetes.io/component: http-api
|
|
app.kubernetes.io/part-of: dynk8s-provisioner
|
|
rules:
|
|
- apiGroups:
|
|
- ''
|
|
resources:
|
|
- nodes
|
|
verbs:
|
|
- list
|
|
- get
|
|
- delete
|
|
|
|
---
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: RoleBinding
|
|
metadata:
|
|
name: dynk8s-provisioner
|
|
namespace: dynk8s
|
|
labels:
|
|
app.kubernetes.io/name: dynk8s-provisioner
|
|
app.kubernetes.io/instance: default
|
|
app.kubernetes.io/part-of: dynk8s-provisioner
|
|
roleRef:
|
|
apiGroup: rbac.authorization.k8s.io
|
|
kind: Role
|
|
name: dynk8s-provisioner
|
|
subjects:
|
|
- kind: ServiceAccount
|
|
name: dynk8s-provisioner
|
|
|
|
---
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: RoleBinding
|
|
metadata:
|
|
name: dynk8s-provisioner
|
|
namespace: kube-system
|
|
labels:
|
|
app.kubernetes.io/name: dynk8s-provisioner
|
|
app.kubernetes.io/instance: default
|
|
app.kubernetes.io/part-of: dynk8s-provisioner
|
|
roleRef:
|
|
apiGroup: rbac.authorization.k8s.io
|
|
kind: Role
|
|
name: dynk8s-provisioner
|
|
subjects:
|
|
- kind: ServiceAccount
|
|
name: dynk8s-provisioner
|
|
namespace: dynk8s
|
|
|
|
---
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: RoleBinding
|
|
metadata:
|
|
name: dynk8s-provisioner
|
|
namespace: kube-public
|
|
labels:
|
|
app.kubernetes.io/name: dynk8s-provisioner
|
|
app.kubernetes.io/instance: default
|
|
app.kubernetes.io/part-of: dynk8s-provisioner
|
|
roleRef:
|
|
apiGroup: rbac.authorization.k8s.io
|
|
kind: Role
|
|
name: dynk8s-provisioner
|
|
subjects:
|
|
- kind: ServiceAccount
|
|
name: dynk8s-provisioner
|
|
namespace: dynk8s
|
|
|
|
---
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: ClusterRoleBinding
|
|
metadata:
|
|
name: dynk8s-provisioner
|
|
labels:
|
|
app.kubernetes.io/name: dynk8s-provisioner
|
|
app.kubernetes.io/instance: default
|
|
app.kubernetes.io/part-of: dynk8s-provisioner
|
|
roleRef:
|
|
apiGroup: rbac.authorization.k8s.io
|
|
kind: ClusterRole
|
|
name: dynk8s-provisioner
|
|
subjects:
|
|
- kind: ServiceAccount
|
|
name: dynk8s-provisioner
|
|
namespace: dynk8s
|
|
|
|
---
|
|
apiVersion: v1
|
|
kind: PersistentVolumeClaim
|
|
metadata:
|
|
name: dynk8s-provisioner-pvc
|
|
namespace: dynk8s
|
|
labels:
|
|
app.kubernetes.io/name: dynk8s-provisioner-pvc
|
|
app.kubernetes.io/instance: default
|
|
app.kubernetes.io/component: storage
|
|
app.kubernetes.io/part-of: dynk8s-provisioner
|
|
spec:
|
|
accessModes:
|
|
- ReadWriteOnce
|
|
resources:
|
|
requests:
|
|
storage: 1Gi
|
|
|
|
---
|
|
apiVersion: apps/v1
|
|
kind: StatefulSet
|
|
metadata:
|
|
name: dynk8s-provisioner
|
|
namespace: dynk8s
|
|
labels:
|
|
app.kubernetes.io/name: dynk8s-provisioner
|
|
app.kubernetes.io/instance: default
|
|
app.kubernetes.io/component: http-api
|
|
app.kubernetes.io/part-of: dynk8s-provisioner
|
|
spec:
|
|
serviceName: dynk8s-provisioner
|
|
selector:
|
|
matchLabels:
|
|
app.kubernetes.io/name: dynk8s-provisioner
|
|
app.kubernetes.io/instance: default
|
|
app.kubernetes.io/component: http-api
|
|
template:
|
|
metadata:
|
|
labels:
|
|
app.kubernetes.io/name: dynk8s-provisioner
|
|
app.kubernetes.io/instance: default
|
|
app.kubernetes.io/component: http-api
|
|
spec:
|
|
containers:
|
|
- env:
|
|
- name: ROCKET_ADDRESS
|
|
value: 0.0.0.0
|
|
- name: ROCKET_LOG_LEVEL
|
|
value: normal
|
|
image: git.pyrocufflink.net/packages/dynk8s-provisioner:master
|
|
imagePullPolicy: Always
|
|
name: dynk8s-provisioner
|
|
ports:
|
|
- containerPort: 8000
|
|
name: http
|
|
startupProbe:
|
|
failureThreshold: 3
|
|
httpGet:
|
|
path: /
|
|
port: 8000
|
|
initialDelaySeconds: 1
|
|
periodSeconds: 2
|
|
successThreshold: 1
|
|
timeoutSeconds: 1
|
|
volumeMounts:
|
|
- mountPath: /data
|
|
name: dynk8s-provisioner
|
|
workingDir: /data
|
|
imagePullSecrets:
|
|
- name: ocipull
|
|
serviceAccountName: dynk8s-provisioner
|
|
volumes:
|
|
- name: dynk8s-provisioner
|
|
persistentVolumeClaim:
|
|
claimName: dynk8s-provisioner-pvc
|
|
|
|
---
|
|
apiVersion: v1
|
|
kind: Service
|
|
metadata:
|
|
name: dynk8s-provisioner
|
|
namespace: dynk8s
|
|
labels:
|
|
app.kubernetes.io/name: dynk8s-provisioner
|
|
app.kubernetes.io/instance: default
|
|
app.kubernetes.io/component: http-api
|
|
app.kubernetes.io/part-of: dynk8s-provisioner
|
|
spec:
|
|
selector:
|
|
app.kubernetes.io/name: dynk8s-provisioner
|
|
app.kubernetes.io/instance: default
|
|
app.kubernetes.io/component: http-api
|
|
ports:
|
|
- port: 8000
|
|
name: http
|
|
|
|
---
|
|
apiVersion: networking.k8s.io/v1
|
|
kind: Ingress
|
|
metadata:
|
|
name: dynk8s-provisioner
|
|
namespace: dynk8s
|
|
labels:
|
|
app.kubernetes.io/name: dynk8s-provisioner
|
|
app.kubernetes.io/instance: default
|
|
app.kubernetes.io/component: http-api
|
|
app.kubernetes.io/part-of: dynk8s-provisioner
|
|
spec:
|
|
ingressClassName: nginx
|
|
tls:
|
|
- hosts:
|
|
- dynk8s-provisioner.pyrocufflink.net
|
|
rules:
|
|
- host: dynk8s-provisioner.pyrocufflink.net
|
|
http:
|
|
paths:
|
|
- path: /
|
|
pathType: Prefix
|
|
backend:
|
|
service:
|
|
name: dynk8s-provisioner
|
|
port:
|
|
name: http
|
|
|
|
---
|
|
apiVersion: v1
|
|
kind: Secret
|
|
metadata:
|
|
name: wireguard-config-0
|
|
namespace: dynk8s
|
|
labels:
|
|
app.kubernetes.io/part-of: dynk8s-provisioner
|
|
dynk8s.du5t1n.me/ec2-instance-id: ''
|
|
type: dynk8s.du5t1n.me/wireguard-config
|
|
stringData:
|
|
wireguard-config: |+
|
|
[Interface]
|
|
Address = 172.30.0.178/28
|
|
DNS = 172.30.0.1
|
|
PrivateKey = gGieVWS8SUQxC7L0NKmHlpvBTANNNaucsm9K1ioHPXU=
|
|
|
|
[Peer]
|
|
PublicKey = 85BW2bagvhOZnvFD6gmjnT+uUj5NaF4z+YFBV/br9BA=
|
|
PresharedKey = bZgUN82zDW7Q+558omOyRrZ0rw3bUohmIjEaxgtZCv8=
|
|
Endpoint = vpn.pyrocufflink.net:19998
|
|
AllowedIPs = 172.30.0.0/26, 172.30.0.160/28, 172.31.1.0/24
|