Update the "cluster-wide and namespace-wide" Ingress example.

1753a084 · Geoff Simmons · b2d1b90d · 1753a084 · 1753a084 · 1753a084
Commit 1753a084 authored Apr 30, 2020 by Geoff Simmons
14 changed files
--- a/examples/architectures/cluster-and-ns-wide/adm-secret-coffee.yaml
+++ b/examples/architectures/cluster-and-ns-wide/adm-secret-coffee.yaml
@@ -8,3 +8,4 @@ metadata:
 type: Opaque
 data:
  admin: ByIQphD6z6UY3nEXAVS+AlrQUXgzg2dcT1Zd1rG1l4M=
+  dataplaneapi: MmIxNTM3NDMtN2ViMS00ODI0LWE5ZmQtYmU5ODM2Mjc3Zjc3
--- a/examples/architectures/cluster-and-ns-wide/adm-secret-system.yaml
+++ b/examples/architectures/cluster-and-ns-wide/adm-secret-system.yaml
@@ -8,3 +8,4 @@ metadata:
 type: Opaque
 data:
  admin: f/y/Vt0O7rnL3m5LM2upu/ImjA6paITHmvYYEQ1Qrfg=
+  dataplaneapi: N2JkMWI5MzUtM2I5YS00NzgyLWI2MjMtOTE5NDE2YzNjMjQ5
--- a/examples/architectures/cluster-and-ns-wide/admin-svc-coffee.yaml
+++ b/examples/architectures/cluster-and-ns-wide/admin-svc-coffee.yaml
+apiVersion: v1
+kind: Service
+metadata:
+  name: varnish-ingress-admin
+  namespace: cafe
+  labels:
+    app: varnish-ingress
+spec:
+  clusterIP: None
+  ports:
+  - port: 6081
+    targetPort: 6081
+    protocol: TCP
+    name: varnishadm
+  - port: 5555
+    targetPort: 5555
+    protocol: TCP
+    name: dataplane
+  - port: 5556
+    targetPort: 5556
+    protocol: TCP
+    name: faccess
+  - port: 9443
+    targetPort: 9443
+    protocol: TCP
+    name: stats
+  selector:
+    app: varnish-ingress
--- a/examples/architectures/cluster-and-ns-wide/admin-svc-system.yaml
+++ b/examples/architectures/cluster-and-ns-wide/admin-svc-system.yaml
+apiVersion: v1
+kind: Service
+metadata:
+  name: varnish-ingress-admin
+  namespace: kube-system
+  labels:
+    app: varnish-ingress
+spec:
+  clusterIP: None
+  ports:
+  - port: 6081
+    targetPort: 6081
+    protocol: TCP
+    name: varnishadm
+  - port: 5555
+    targetPort: 5555
+    protocol: TCP
+    name: dataplane
+  - port: 5556
+    targetPort: 5556
+    protocol: TCP
+    name: faccess
+  - port: 9443
+    targetPort: 9443
+    protocol: TCP
+    name: stats
+  selector:
+    app: varnish-ingress
--- a/examples/architectures/cluster-and-ns-wide/deploy.sh
+++ b/examples/architectures/cluster-and-ns-wide/deploy.sh
@@ -10,12 +10,20 @@ kubectl apply -f other.yaml

 kubectl apply -f adm-secret-system.yaml

+kubectl apply -f tls-cert-secret-system.yaml
+
+kubectl apply -f admin-svc-system.yaml
+
 kubectl apply -f nodeport-system.yaml

 kubectl apply -f varnish-system.yaml

+kubectl apply -f tls-cert-secret-coffee.yaml
+
 kubectl apply -f adm-secret-coffee.yaml

+kubectl apply -f admin-svc-coffee.yaml
+
 kubectl apply -f nodeport-coffee.yaml

 kubectl apply -f varnish-coffee.yaml

--- a/examples/architectures/cluster-and-ns-wide/nodeport-coffee.yaml
+++ b/examples/architectures/cluster-and-ns-wide/nodeport-coffee.yaml
@@ -10,14 +10,14 @@ metadata:
 spec:
  type: NodePort 
  ports:
-  - port: 6081
-    targetPort: 6081
-    protocol: TCP
-    name: varnishadm
  - port: 80
    targetPort: 80
    protocol: TCP
    name: http
+  - port: 443
+    targetPort: 443
+    protocol: TCP
+    name: tls
  selector:
    app: varnish-ingress
  publishNotReadyAddresses: true
--- a/examples/architectures/cluster-and-ns-wide/nodeport-system.yaml
+++ b/examples/architectures/cluster-and-ns-wide/nodeport-system.yaml
@@ -10,14 +10,14 @@ metadata:
 spec:
  type: NodePort 
  ports:
-  - port: 6081
-    targetPort: 6081
-    protocol: TCP
-    name: varnishadm
  - port: 80
    targetPort: 80
    protocol: TCP
    name: http
+  - port: 443
+    targetPort: 443
+    protocol: TCP
+    name: tls
  selector:
    app: varnish-ingress
  publishNotReadyAddresses: true
--- a/examples/architectures/cluster-and-ns-wide/other-ingress.yaml
+++ b/examples/architectures/cluster-and-ns-wide/other-ingress.yaml
@@ -5,7 +5,7 @@ metadata:
  namespace: other
  annotations:
    kubernetes.io/ingress.class: "varnish"
-    ingress.varnish-cache.org/varnish-svc: "kube-system/varnish-ingress"
+    ingress.varnish-cache.org/varnish-svc: "kube-system/varnish-ingress-admin"
 spec:
  backend:
    serviceName: other-svc

--- a/examples/architectures/cluster-and-ns-wide/tea-ingress.yaml
+++ b/examples/architectures/cluster-and-ns-wide/tea-ingress.yaml
@@ -5,7 +5,7 @@ metadata:
  namespace: cafe
  annotations:
    kubernetes.io/ingress.class: "varnish"
-    ingress.varnish-cache.org/varnish-svc: "kube-system/varnish-ingress"
+    ingress.varnish-cache.org/varnish-svc: "kube-system/varnish-ingress-admin"
 spec:
  rules:
  - host: tea.example.com

--- a/examples/architectures/cluster-and-ns-wide/tls-cert-secret-coffee.yaml
+++ b/examples/architectures/cluster-and-ns-wide/tls-cert-secret-coffee.yaml
+apiVersion: v1
+kind: Secret
+metadata:
+  name: tls-cert
+  namespace: cafe
+  labels:
+    app: varnish-ingress
+type: Opaque
--- a/examples/architectures/cluster-and-ns-wide/tls-cert-secret-system.yaml
+++ b/examples/architectures/cluster-and-ns-wide/tls-cert-secret-system.yaml
+apiVersion: v1
+kind: Secret
+metadata:
+  name: tls-cert
+  namespace: kube-system
+  labels:
+    app: varnish-ingress
+type: Opaque
--- a/examples/architectures/cluster-and-ns-wide/undeploy.sh
+++ b/examples/architectures/cluster-and-ns-wide/undeploy.sh
@@ -10,8 +10,12 @@ kubectl delete -f varnish-coffee.yaml

 kubectl delete -f nodeport-coffee.yaml

+kubectl delete -f admin-svc-coffee.yaml
+
 kubectl delete -f adm-secret-coffee.yaml

+kubectl delete -f tls-cert-secret-coffee.yaml
+
 kubectl delete -f varnish-system.yaml

 kubectl wait --timeout=2m pod -l app=varnish-ingress -n kube-system \
@@ -19,6 +23,10 @@ kubectl wait --timeout=2m pod -l app=varnish-ingress -n kube-system \

 kubectl delete -f nodeport-system.yaml

+kubectl delete -f admin-svc-system.yaml
+
+kubectl delete -f tls-cert-secret-system.yaml
+
 kubectl delete -f adm-secret-system.yaml

 kubectl delete -f other.yaml

--- a/examples/architectures/cluster-and-ns-wide/varnish-coffee.yaml
+++ b/examples/architectures/cluster-and-ns-wide/varnish-coffee.yaml
@@ -13,6 +13,8 @@ spec:
      labels:
        app: varnish-ingress
    spec:
+      securityContext:
+        fsGroup: 998
      containers:
      - image: varnish-ingress/varnish
        imagePullPolicy: IfNotPresent
@@ -22,14 +24,14 @@ spec:
          containerPort: 80
        - name: k8s
          containerPort: 8080
-        - name: varnishadm
-          containerPort: 6081
        volumeMounts:
        - name: adm-secret
          mountPath: "/var/run/varnish"
          readOnly: true
        - name: varnish-home
          mountPath: "/var/run/varnish-home"
+        - name: offload
+          mountPath: "/var/run/offload"
        livenessProbe:
          exec:
            command:
@@ -44,6 +46,37 @@ spec:
        args:
          - -n
          - /var/run/varnish-home
+      - image: varnish-ingress/haproxy
+        imagePullPolicy: IfNotPresent
+        name: varnish-ingress-offloader
+        ports:
+        - name: tls
+          containerPort: 443
+        - name: k8s
+          containerPort: 8443
+        volumeMounts:
+        - name: tls-cert
+          mountPath: "/etc/ssl/private"
+          readOnly: true
+        - name: offload
+          mountPath: "/var/run/offload"
+        env:
+          - name: SECRET_DATAPLANEAPI
+            valueFrom:
+              secretKeyRef:
+                name: adm-secret
+                key: dataplaneapi
+        livenessProbe:
+          exec:
+            command:
+            - /usr/bin/pgrep
+            - -P
+            - "0"
+            - haproxy
+        readinessProbe:
+          httpGet:
+            path: /healthz
+            port: k8s
      volumes:
      - name: adm-secret
        secret:
@@ -51,6 +84,12 @@ spec:
          items:
          - key: admin
            path: _.secret
+      - name: tls-cert
+        secret:
+          secretName: tls-cert
+          defaultMode: 0440
      - name: varnish-home
        emptyDir:
          medium: "Memory"
+      - name: offload
+        emptyDir: {}
--- a/examples/architectures/cluster-and-ns-wide/varnish-system.yaml
+++ b/examples/architectures/cluster-and-ns-wide/varnish-system.yaml
@@ -13,6 +13,8 @@ spec:
      labels:
        app: varnish-ingress
    spec:
+      securityContext:
+        fsGroup: 998
      containers:
      - image: varnish-ingress/varnish
        imagePullPolicy: IfNotPresent
@@ -22,14 +24,14 @@ spec:
          containerPort: 80
        - name: k8s
          containerPort: 8080
-        - name: varnishadm
-          containerPort: 6081
        volumeMounts:
        - name: adm-secret
          mountPath: "/var/run/varnish"
          readOnly: true
        - name: varnish-home
          mountPath: "/var/run/varnish-home"
+        - name: offload
+          mountPath: "/var/run/offload"
        livenessProbe:
          exec:
            command:
@@ -44,6 +46,37 @@ spec:
        args:
          - -n
          - /var/run/varnish-home
+      - image: varnish-ingress/haproxy
+        imagePullPolicy: IfNotPresent
+        name: varnish-ingress-offloader
+        ports:
+        - name: tls
+          containerPort: 443
+        - name: k8s
+          containerPort: 8443
+        volumeMounts:
+        - name: tls-cert
+          mountPath: "/etc/ssl/private"
+          readOnly: true
+        - name: offload
+          mountPath: "/var/run/offload"
+        env:
+          - name: SECRET_DATAPLANEAPI
+            valueFrom:
+              secretKeyRef:
+                name: adm-secret
+                key: dataplaneapi
+        livenessProbe:
+          exec:
+            command:
+            - /usr/bin/pgrep
+            - -P
+            - "0"
+            - haproxy
+        readinessProbe:
+          httpGet:
+            path: /healthz
+            port: k8s
      volumes:
      - name: adm-secret
        secret:
@@ -51,6 +84,12 @@ spec:
          items:
          - key: admin
            path: _.secret
+      - name: tls-cert
+        secret:
+          secretName: tls-cert
+          defaultMode: 0440
      - name: varnish-home
        emptyDir:
          medium: "Memory"
+      - name: offload
+        emptyDir: {}