Update the "cluster-wide Ingress" example.

b2d1b90d · Geoff Simmons · 4fa59971 · b2d1b90d · b2d1b90d · b2d1b90d
Commit b2d1b90d authored Apr 30, 2020 by Geoff Simmons
7 changed files
--- a/examples/architectures/clusterwide/adm-secret.yaml
+++ b/examples/architectures/clusterwide/adm-secret.yaml
@@ -8,3 +8,4 @@ metadata:
 type: Opaque
 data:
  admin: f/y/Vt0O7rnL3m5LM2upu/ImjA6paITHmvYYEQ1Qrfg=
+  dataplaneapi: ZjllNmFmNTItMWMzNS00MDdkLTljZGEtMjNiMDkwNjFiZWY1
--- a/examples/architectures/clusterwide/admin-svc.yaml
+++ b/examples/architectures/clusterwide/admin-svc.yaml
+apiVersion: v1
+kind: Service
+metadata:
+  name: varnish-ingress-admin
+  namespace: kube-system
+  labels:
+    app: varnish-ingress
+spec:
+  clusterIP: None
+  ports:
+  - port: 6081
+    targetPort: 6081
+    protocol: TCP
+    name: varnishadm
+  - port: 5555
+    targetPort: 5555
+    protocol: TCP
+    name: dataplane
+  - port: 5556
+    targetPort: 5556
+    protocol: TCP
+    name: faccess
+  - port: 9443
+    targetPort: 9443
+    protocol: TCP
+    name: stats
+  selector:
+    app: varnish-ingress
--- a/examples/architectures/clusterwide/deploy.sh
+++ b/examples/architectures/clusterwide/deploy.sh
 #! /bin/bash -ex

-# Delete the Varnish Service in namespace default.
+# Delete the Varnish admin Service in namespace default.
 # Otherwise the Service in kube-system is not unique in the cluster,
 # and a Service for the Ingresses in the other namespaces cannot be
 # determined.
-kubectl delete -f ../../../deploy/nodeport.yaml
+kubectl delete -f ../../../deploy/admin-svc.yaml

 kubectl apply -f namespace.yaml

@@ -16,6 +16,10 @@ kubectl apply -f other.yaml

 kubectl apply -f adm-secret.yaml

+kubectl apply -f tls-cert-secret.yaml
+
+kubectl apply -f admin-svc.yaml
+
 kubectl apply -f nodeport.yaml

 kubectl apply -f varnish.yaml

--- a/examples/architectures/clusterwide/nodeport.yaml
+++ b/examples/architectures/clusterwide/nodeport.yaml
@@ -10,14 +10,14 @@ metadata:
 spec:
  type: NodePort 
  ports:
-  - port: 6081
-    targetPort: 6081
-    protocol: TCP
-    name: varnishadm
  - port: 80
    targetPort: 80
    protocol: TCP
    name: http
+  - port: 443
+    targetPort: 443
+    protocol: TCP
+    name: tls
  selector:
    app: varnish-ingress
  publishNotReadyAddresses: true
--- a/examples/architectures/clusterwide/tls-cert-secret.yaml
+++ b/examples/architectures/clusterwide/tls-cert-secret.yaml
+apiVersion: v1
+kind: Secret
+metadata:
+  name: tls-cert
+  namespace: kube-system
+  labels:
+    app: varnish-ingress
+type: Opaque
--- a/examples/architectures/clusterwide/undeploy.sh
+++ b/examples/architectures/clusterwide/undeploy.sh
@@ -10,6 +10,10 @@ kubectl delete -f varnish.yaml

 kubectl delete -f nodeport.yaml

+kubectl delete -f admin-svc.yaml
+
+kubectl delete -f tls-cert-secret.yaml
+
 kubectl delete -f adm-secret.yaml

 kubectl delete -f other.yaml
@@ -20,8 +24,8 @@ kubectl delete -f coffee.yaml

 kubectl delete -f namespace.yaml

-# Restores the Varnish Service in namespace default.
-kubectl apply -f ../../../deploy/nodeport.yaml
+# Restores the Varnish admin Service in namespace default.
+kubectl apply -f ../../../deploy/admin-svc.yaml

 echo Waiting until varnish-ingress Pods are running
 kubectl wait --timeout=2m pod -l app=varnish-ingress --for=condition=Initialized
--- a/examples/architectures/clusterwide/varnish.yaml
+++ b/examples/architectures/clusterwide/varnish.yaml
@@ -13,6 +13,8 @@ spec:
      labels:
        app: varnish-ingress
    spec:
+      securityContext:
+        fsGroup: 998
      containers:
      - image: varnish-ingress/varnish
        imagePullPolicy: IfNotPresent
@@ -22,14 +24,14 @@ spec:
          containerPort: 80
        - name: k8s
          containerPort: 8080
-        - name: varnishadm
-          containerPort: 6081
        volumeMounts:
        - name: adm-secret
          mountPath: "/var/run/varnish"
          readOnly: true
        - name: varnish-home
          mountPath: "/var/run/varnish-home"
+        - name: offload
+          mountPath: "/var/run/offload"
        livenessProbe:
          exec:
            command:
@@ -44,6 +46,37 @@ spec:
        args:
          - -n
          - /var/run/varnish-home
+      - image: varnish-ingress/haproxy
+        imagePullPolicy: IfNotPresent
+        name: varnish-ingress-offloader
+        ports:
+        - name: tls
+          containerPort: 443
+        - name: k8s
+          containerPort: 8443
+        volumeMounts:
+        - name: tls-cert
+          mountPath: "/etc/ssl/private"
+          readOnly: true
+        - name: offload
+          mountPath: "/var/run/offload"
+        env:
+          - name: SECRET_DATAPLANEAPI
+            valueFrom:
+              secretKeyRef:
+                name: adm-secret
+                key: dataplaneapi
+        livenessProbe:
+          exec:
+            command:
+            - /usr/bin/pgrep
+            - -P
+            - "0"
+            - haproxy
+        readinessProbe:
+          httpGet:
+            path: /healthz
+            port: k8s
      volumes:
      - name: adm-secret
        secret:
@@ -51,6 +84,12 @@ spec:
          items:
          - key: admin
            path: _.secret
+      - name: tls-cert
+        secret:
+          secretName: tls-cert
+          defaultMode: 0440
      - name: varnish-home
        emptyDir:
          medium: "Memory"
+      - name: offload
+        emptyDir: {}