Update the Pod template example for new deployments supporting TLS.

WIP: undeployment currently not working correctly.

examples/varnish_pod_template/cli-args.yaml

@@ -13,6 +13,8 @@ spec:
         app: varnish-ingress
         example: cli-args
     spec:
+      securityContext:
+        fsGroup: 998
       containers:
       - image: varnish-ingress/varnish
         imagePullPolicy: IfNotPresent
@@ -22,14 +24,14 @@ spec:
           containerPort: 80
         - name: k8s
           containerPort: 8080
-        - name: varnishadm
-          containerPort: 6081
         volumeMounts:
         - name: adm-secret
           mountPath: "/var/run/varnish"
           readOnly: true
         - name: varnish-home
           mountPath: "/var/run/varnish-home"
+        - name: offload
+          mountPath: "/var/run/offload"
         livenessProbe:
           exec:
             command:
@@ -54,6 +56,37 @@ spec:
           - "900"
           - -p
           - workspace_client=256k
+      - image: varnish-ingress/haproxy
+        imagePullPolicy: IfNotPresent
+        name: varnish-ingress-offloader
+        ports:
+        - name: tls
+          containerPort: 443
+        - name: k8s
+          containerPort: 8443
+        volumeMounts:
+        - name: tls-cert
+          mountPath: "/etc/ssl/private"
+          readOnly: true
+        - name: offload
+          mountPath: "/var/run/offload"
+        env:
+          - name: SECRET_DATAPLANEAPI
+            valueFrom:
+              secretKeyRef:
+                name: adm-secret
+                key: dataplaneapi
+        livenessProbe:
+          exec:
+            command:
+            - /usr/bin/pgrep
+            - -P
+            - "0"
+            - haproxy
+        readinessProbe:
+          httpGet:
+            path: /healthz
+            port: k8s
       volumes:
       - name: adm-secret
         secret:
@@ -61,6 +94,12 @@ spec:
           items:
           - key: admin
             path: _.secret
+      - name: tls-cert
+        secret:
+          secretName: tls-cert
+          defaultMode: 0440
       - name: varnish-home
         emptyDir:
           medium: "Memory"
+      - name: offload
+        emptyDir: {}

examples/varnish_pod_template/deploy_env.sh

@@ -4,4 +4,11 @@ kubectl apply -f ../hello/cafe.yaml
 
 kubectl apply -f ../hello/cafe-ingress.yaml
 
+kubectl delete -f ../../deploy/admin-svc.yaml
+
+kubectl delete deploy varnish
+
+echo Waiting until example varnish-ingress Pods are deleted
+kubectl wait --timeout=2m pod -l app=varnish-ingress --for=delete
+
 kubectl apply -f env.yaml

examples/varnish_pod_template/env.yaml

@@ -13,6 +13,8 @@ spec:
         app: varnish-ingress
         example: env
     spec:
+      securityContext:
+        fsGroup: 998
       containers:
       - image: varnish-ingress/varnish
         imagePullPolicy: IfNotPresent
@@ -22,14 +24,14 @@ spec:
           containerPort: 80
         - name: k8s
           containerPort: 8000
-        - name: varnishadm
-          containerPort: 7000
         volumeMounts:
         - name: adm-secret
           mountPath: "/var/secret"
           readOnly: true
         - name: varnish-home
           mountPath: "/var/run/varnish-home"
+        - name: offload
+          mountPath: "/var/run/offload"
         livenessProbe:
           exec:
             command:
@@ -76,6 +78,39 @@ spec:
         - name: SECRET_FILE
           value: adm.secret
 
+      - image: varnish-ingress/haproxy
+        imagePullPolicy: IfNotPresent
+        name: varnish-ingress-offloader
+        ports:
+        - name: tls
+          containerPort: 443
+        - name: k8s
+          containerPort: 8443
+        volumeMounts:
+        - name: tls-cert
+          mountPath: "/etc/ssl/private"
+          readOnly: true
+        - name: offload
+          mountPath: "/var/run/offload"
+        env:
+          - name: SECRET_DATAPLANEAPI
+            valueFrom:
+              secretKeyRef:
+                name: adm-secret
+                key: dataplaneapi
+          - name: VARNISH_READY_PORT
+            value: "8000"
+        livenessProbe:
+          exec:
+            command:
+            - /usr/bin/pgrep
+            - -P
+            - "0"
+            - haproxy
+        readinessProbe:
+          httpGet:
+            path: /healthz
+            port: k8s
       volumes:
       - name: adm-secret
         secret:
@@ -83,9 +118,15 @@ spec:
           items:
           - key: admin
             path: adm.secret
+      - name: tls-cert
+        secret:
+          secretName: tls-cert
+          defaultMode: 0440
       - name: varnish-home
         emptyDir:
           medium: "Memory"
+      - name: offload
+        emptyDir: {}
 ---
 apiVersion: v1
 kind: Service
@@ -98,10 +139,6 @@ metadata:
 spec:
   type: NodePort 
   ports:
-  - port: 7000
-    targetPort: 7000
-    protocol: TCP
-    name: varnishadm
   - port: 81
     targetPort: 81
     protocol: TCP
@@ -109,3 +146,31 @@ spec:
   selector:
     app: varnish-ingress
   publishNotReadyAddresses: true
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: varnish-ingress-env-admin
+  labels:
+    app: varnish-ingress
+spec:
+  clusterIP: None
+  ports:
+  - port: 7000
+    targetPort: 7000
+    protocol: TCP
+    name: varnishadm
+  - port: 5555
+    targetPort: 5555
+    protocol: TCP
+    name: dataplane
+  - port: 5556
+    targetPort: 5556
+    protocol: TCP
+    name: faccess
+  - port: 9443
+    targetPort: 9443
+    protocol: TCP
+    name: stats
+  selector:
+    app: varnish-ingress

examples/varnish_pod_template/proxy.yaml

@@ -13,6 +13,8 @@ spec:
         app: varnish-ingress
         example: proxy
     spec:
+      securityContext:
+        fsGroup: 998
       containers:
       - image: varnish-ingress/varnish
         imagePullPolicy: IfNotPresent
@@ -22,14 +24,14 @@ spec:
           containerPort: 80
         - name: k8s
           containerPort: 8080
-        - name: varnishadm
-          containerPort: 6081
         volumeMounts:
         - name: adm-secret
           mountPath: "/var/run/varnish"
           readOnly: true
         - name: varnish-home
           mountPath: "/var/run/varnish-home"
+        - name: offload
+          mountPath: "/var/run/offload"
         livenessProbe:
           exec:
             command:
@@ -50,6 +52,37 @@ spec:
         # see: https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
         - name: PROTO
           value: PROXY
+      - image: varnish-ingress/haproxy
+        imagePullPolicy: IfNotPresent
+        name: varnish-ingress-offloader
+        ports:
+        - name: tls
+          containerPort: 443
+        - name: k8s
+          containerPort: 8443
+        volumeMounts:
+        - name: tls-cert
+          mountPath: "/etc/ssl/private"
+          readOnly: true
+        - name: offload
+          mountPath: "/var/run/offload"
+        env:
+          - name: SECRET_DATAPLANEAPI
+            valueFrom:
+              secretKeyRef:
+                name: adm-secret
+                key: dataplaneapi
+        livenessProbe:
+          exec:
+            command:
+            - /usr/bin/pgrep
+            - -P
+            - "0"
+            - haproxy
+        readinessProbe:
+          httpGet:
+            path: /healthz
+            port: k8s
       volumes:
       - name: adm-secret
         secret:
@@ -57,6 +90,12 @@ spec:
           items:
           - key: admin
             path: _.secret
+      - name: tls-cert
+        secret:
+          secretName: tls-cert
+          defaultMode: 0440
       - name: varnish-home
         emptyDir:
           medium: "Memory"
+      - name: offload
+        emptyDir: {}

examples/varnish_pod_template/undeploy.sh

 #! /bin/bash -ex
 
+kubectl delete svc varnish-ingress-env-admin
+
 kubectl delete svc varnish-ingress
 
 kubectl delete deploy varnish
@@ -15,5 +17,7 @@ kubectl apply -f ../../deploy/varnish.yaml
 
 kubectl apply -f ../../deploy/nodeport.yaml
 
+kubectl apply -f ../../deploy/admin-svc.yaml
+
 echo Waiting until varnish-ingress Pods are running
 kubectl wait --timeout=2m pod -l app=varnish-ingress --for=condition=Initialized