Created
February 21, 2018 09:38
-
-
Save eljefedelrodeodeljefe/900fad8c84579d5dde6f08f0701149f8 to your computer and use it in GitHub Desktop.
HAProxy Kubernetes Auth Ingress
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --- | |
| apiVersion: v1 | |
| kind: ServiceAccount | |
| metadata: | |
| name: ingress-controller | |
| namespace: monitoring | |
| --- | |
| apiVersion: rbac.authorization.k8s.io/v1beta1 | |
| kind: ClusterRole | |
| metadata: | |
| name: ingress-controller | |
| namespace: monitoring | |
| rules: | |
| - apiGroups: | |
| - "" | |
| resources: | |
| - configmaps | |
| - endpoints | |
| - nodes | |
| - pods | |
| - secrets | |
| verbs: | |
| - list | |
| - watch | |
| - apiGroups: | |
| - "" | |
| resources: | |
| - nodes | |
| verbs: | |
| - get | |
| - apiGroups: | |
| - "" | |
| resources: | |
| - services | |
| verbs: | |
| - get | |
| - list | |
| - watch | |
| - apiGroups: | |
| - "extensions" | |
| resources: | |
| - ingresses | |
| verbs: | |
| - get | |
| - list | |
| - watch | |
| - apiGroups: | |
| - "" | |
| resources: | |
| - events | |
| verbs: | |
| - create | |
| - patch | |
| - apiGroups: | |
| - "extensions" | |
| resources: | |
| - ingresses/status | |
| verbs: | |
| - update | |
| --- | |
| apiVersion: rbac.authorization.k8s.io/v1beta1 | |
| kind: Role | |
| metadata: | |
| name: ingress-controller | |
| namespace: monitoring | |
| rules: | |
| - apiGroups: | |
| - "" | |
| resources: | |
| - configmaps | |
| - pods | |
| - secrets | |
| - namespaces | |
| verbs: | |
| - get | |
| - apiGroups: | |
| - "" | |
| resources: | |
| - configmaps | |
| verbs: | |
| - get | |
| - update | |
| - apiGroups: | |
| - "" | |
| resources: | |
| - configmaps | |
| verbs: | |
| - create | |
| - apiGroups: | |
| - "" | |
| resources: | |
| - endpoints | |
| verbs: | |
| - get | |
| - create | |
| - update | |
| --- | |
| apiVersion: rbac.authorization.k8s.io/v1beta1 | |
| kind: ClusterRoleBinding | |
| metadata: | |
| name: ingress-controller | |
| namespace: monitoring | |
| roleRef: | |
| apiGroup: rbac.authorization.k8s.io | |
| kind: ClusterRole | |
| name: ingress-controller | |
| subjects: | |
| - kind: ServiceAccount | |
| name: ingress-controller | |
| namespace: monitoring | |
| - apiGroup: rbac.authorization.k8s.io | |
| kind: User | |
| name: ingress-controller | |
| --- | |
| apiVersion: rbac.authorization.k8s.io/v1beta1 | |
| kind: RoleBinding | |
| metadata: | |
| name: ingress-controller | |
| namespace: monitoring | |
| roleRef: | |
| apiGroup: rbac.authorization.k8s.io | |
| kind: Role | |
| name: ingress-controller | |
| subjects: | |
| - kind: ServiceAccount | |
| name: ingress-controller | |
| namespace: monitoring | |
| - apiGroup: rbac.authorization.k8s.io | |
| kind: User | |
| name: ingress-controller | |
| --- | |
| apiVersion: v1 | |
| data: | |
| haproxy.tmpl: | | |
| global | |
| daemon | |
| maxconn 16 | |
| defaults | |
| mode http | |
| timeout connect 25000ms | |
| timeout client 60000ms | |
| timeout server 60000ms | |
| timeout queue 60000ms | |
| timeout http-request 15000ms | |
| timeout http-keep-alive 15000ms | |
| option redispatch | |
| option forwardfor | |
| option http-server-close | |
| frontend http-in | |
| acl auth_ok http_auth(cluster_users) | |
| bind *:80 | |
| http-request auth unless auth_ok | |
| default_backend prometheus-k8s | |
| backend prometheus-k8s | |
| http-request del-header Authorization | |
| server prom prometheus-k8s.monitoring.svc.cluster.local:9090 | |
| userlist cluster_users | |
| user promuser insecure-password "${PROM_USER_PASSWORD}" | |
| kind: ConfigMap | |
| metadata: | |
| name: haproxy-config | |
| namespace: monitoring | |
| --- | |
| apiVersion: v1 | |
| kind: Secret | |
| metadata: | |
| name: haproxy-secrets | |
| namespace: monitoring | |
| type: Opaque | |
| data: | |
| promuser-password: "" | |
| --- | |
| apiVersion: extensions/v1beta1 | |
| kind: Ingress | |
| metadata: | |
| name: haproxy-ingress | |
| namespace: monitoring | |
| spec: | |
| rules: | |
| - host: prom.tillhub.io | |
| http: | |
| paths: | |
| - path: / | |
| backend: | |
| serviceName: haproxy-ingress-service | |
| servicePort: 80 | |
| --- | |
| kind: Service | |
| apiVersion: v1 | |
| metadata: | |
| name: haproxy-ingress-service | |
| namespace: monitoring | |
| spec: | |
| selector: | |
| app: haproxy-ingress | |
| ports: | |
| - protocol: TCP | |
| port: 80 | |
| targetPort: 80 | |
| type: LoadBalancer | |
| --- | |
| apiVersion: apps/v1beta2 | |
| kind: Deployment | |
| metadata: | |
| labels: | |
| run: haproxy-ingress | |
| name: haproxy-ingress | |
| namespace: monitoring | |
| spec: | |
| selector: | |
| matchLabels: | |
| run: haproxy-ingress | |
| template: | |
| metadata: | |
| labels: | |
| run: haproxy-ingress | |
| spec: | |
| serviceAccountName: ingress-controller | |
| containers: | |
| - name: haproxy-ingress | |
| image: quay.io/jcmoraisjr/haproxy-ingress | |
| args: | |
| - --default-backend-service=$(POD_NAMESPACE)/prometheus-k8s | |
| - --configmap=$(POD_NAMESPACE)/haproxy-config | |
| volumeMounts: | |
| - name: haproxy-config-volume | |
| mountPath: /etc/haproxy/template | |
| ports: | |
| - name: http | |
| containerPort: 80 | |
| - name: https | |
| containerPort: 443 | |
| - name: stat | |
| containerPort: 1936 | |
| env: | |
| - name: POD_NAME | |
| valueFrom: | |
| fieldRef: | |
| fieldPath: metadata.name | |
| - name: POD_NAMESPACE | |
| valueFrom: | |
| fieldRef: | |
| fieldPath: metadata.namespace | |
| - name: PROM_USER_PASSWORD | |
| valueFrom: | |
| secretKeyRef: | |
| name: haproxy-secrets | |
| key: promuser-password | |
| volumes: | |
| - name: haproxy-config-volume | |
| configMap: | |
| name: haproxy-config | |
| items: | |
| - key: haproxy.tmpl | |
| path: haproxy.tmpl |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment