Skip to content

Instantly share code, notes, and snippets.

@unya

unya/example-app.yml

Created July 27, 2017 10:21
Show Gist options
  • Save unya/d5512d93c4cbadac2b112d682f9491d8 to your computer and use it in GitHub Desktop.
Save unya/d5512d93c4cbadac2b112d682f9491d8 to your computer and use it in GitHub Desktop.
Download ZIP
Example Ingress + Let's encrypt setup to use with nginx-ingress-controller on GKE
Raw
example-app.yml
---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
name: example
spec:
replicas: 2
selector:
matchLabels:
app: example
template:
metadata:
name: example
labels:
app: example
spec:
containers:
- name: example
image: example:v1
imagePullPolicy: Always
ports:
- containerPort: 80
---
apiVersion: v1
kind: Service
metadata:
name: example
labels:
app: example
spec:
ports:
- port: 80
targetPort: 80
name: http
protocol: TCP
selector:
app: example
type: NodePort
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: example
annotations:
kubernetes.io/ingress.class: "nginx"
kubernetes.io/tls-acme: "true"
staticIPNameKey: "kubernetes-lb"
kubernetes.io/ingress.allow-http: "true"
ingress.kubernetes.io/ssl-redirect: "true"
spec:
tls:
- hosts:
- example.com
- www.example.com
secretName: example-ssl
rules:
- host: www.example.com
http: &example
paths:
- backend:
serviceName: example
servicePort: 80
path: /
- host: example.com
http: *example
Raw
infra-dhparams-secret.yml
apiVersion: v1
data:
dhparam.pem: # Here is dhparams generated for nginx
kind: Secret
metadata:
name: dhparam-secret
namespace: infra
Raw
infra-infra.namespace.yml
---
apiVersion: v1
kind: Namespace
metadata:
name: infra
Raw
infra-kube-lego.yml
apiVersion: v1
metadata:
name: kube-lego
kind: Namespace
---
apiVersion: v1
metadata:
name: kube-lego
namespace: kube-lego
data:
# modify this to specify your address
lego.email: "[email protected]"
# configre letencrypt's production api
lego.url: "https://acme-v01.api.letsencrypt.org/directory"
kind: ConfigMap
---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
name: kube-lego
namespace: kube-lego
spec:
replicas: 1
template:
metadata:
labels:
# Required for the auto-create kube-lego-nginx service to work.
app: kube-lego
spec:
containers:
- name: kube-lego
image: jetstack/kube-lego:0.1.3
imagePullPolicy: Always
ports:
- containerPort: 8080
env:
- name: LEGO_EMAIL
valueFrom:
configMapKeyRef:
name: kube-lego
key: lego.email
- name: LEGO_URL
valueFrom:
configMapKeyRef:
name: kube-lego
key: lego.url
- name: LEGO_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: LEGO_CHECK_INTERVAL
value: 4h
- name: LEGO_LOG_LEVEL
value: debug
- name: LEGO_POD_IP
valueFrom:
fieldRef:
fieldPath: status.podIP
readinessProbe:
httpGet:
path: /healthz
port: 8080
initialDelaySeconds: 5
timeoutSeconds: 1
Raw
infra-l7-lb-svc.yml
---
apiVersion: v1
kind: Service
metadata:
name: l7-load-balancer
namespace: infra
labels:
app: nginx-ingress-lb
spec:
ports:
- port: 80
targetPort: 80
name: http
protocol: TCP
- port: 443
targetPort: 443
name: https
protocol: TCP
# - port: 8080
# targetPort: 8080
# protocol: TCP
# name: http-proxy
selector:
app: nginx-ingress-lb
type: LoadBalancer
loadBalancerIP: 192.0.2.1 # Insert your external IP here
Raw
infra-nginx-lb.yml
apiVersion: v1
data:
proxy-connect-timeout: "15"
proxy-read-timeout: "600"
proxy-send-imeout: "600"
hsts-include-subdomains: "false"
hsts: "false"
ssl-redirect: "false"
body-size: "64m"
server-name-hash-bucket-size: "256"
# ssl: "off"
kind: ConfigMap
metadata:
namespace: infra
name: nginx
---
apiVersion: v1
kind: Service
metadata:
name: default-http-backend
namespace: infra
labels:
app: default-http-backend
spec:
ports:
- port: 80
targetPort: 8080
protocol: TCP
name: http
selector:
app: default-http-backend
---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
name: default-http-backend
namespace: infra
spec:
replicas: 1
selector:
matchLabels:
app: default-http-backend
template:
metadata:
labels:
app: default-http-backend
spec:
terminationGracePeriodSeconds: 60
nodeSelector:
nodetype: baseline
containers:
- name: default-http-backend
# Any image is permissable as long as:
# 1. It serves a 404 page at /
# 2. It serves 200 on a /healthz endpoint
image: gcr.io/google_containers/defaultbackend:1.0
livenessProbe:
httpGet:
path: /healthz
port: 8080
scheme: HTTP
initialDelaySeconds: 30
timeoutSeconds: 5
ports:
- containerPort: 8080
resources:
limits:
cpu: 10m
memory: 20Mi
requests:
cpu: 10m
memory: 20Mi
---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
name: nginx-ingress-controller
namespace: infra
labels:
app: nginx-ingress-lb
spec:
replicas: 3
selector:
matchLabels:
app: nginx-ingress-lb
template:
metadata:
labels:
app: nginx-ingress-lb
name: nginx-ingress-lb
spec:
terminationGracePeriodSeconds: 60
volumes:
- name: dhparam-secret
secret:
secretName: dhparam-secret
containers:
- image: gcr.io/google_containers/nginx-ingress-controller:0.8.3
name: nginx-ingress-lb
imagePullPolicy: Always
# readinessProbe:
# httpGet:
# path: /ingress-controller-healthz
# port: 80
# scheme: HTTP
# livenessProbe:
# httpGet:
# path: /ingress-controller-healthz
# port: 80
# scheme: HTTP
# initialDelaySeconds: 10
# timeoutSeconds: 1
volumeMounts:
- mountPath: /etc/nginx-ssl/dhparam
name: dhparam-secret
# use downward API
env:
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
ports:
- containerPort: 80
hostPort: 80
- containerPort: 443
hostPort: 443
# we expose 18080 to access nginx stats in url /nginx-status
# this is optional
- containerPort: 18080
hostPort: 8080
args:
- /nginx-ingress-controller
- --default-backend-service=$(POD_NAMESPACE)/default-http-backend
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment