
feat: ip.mrkaran.dev deployed to k8s

pull/3/head
Karan Sharma 2 years ago
parent
commit
0e620d331d
  1. 2
      digitalocean-infra/firewalls.tf
  2. 11
      k8s/ip/Makefile
  3. 18
      k8s/ip/base/configs/general.conf
  4. 18
      k8s/ip/base/configs/ip.conf
  5. 12
      k8s/ip/base/configs/security.conf
  6. 13
      k8s/ip/base/kustomization.yml
  7. 4
      k8s/ip/base/namespace.yml
  8. 41
      k8s/ip/base/nginx-ip/nginx-deployment.yml
  9. 17
      k8s/ip/base/nginx-ip/nginx-service.yml
  10. 32
      k8s/ip/base/patches/add-config-volume.yml
  11. 39
      k8s/ip/kubekutr.yml

2
digitalocean-infra/firewalls.tf

@ -23,7 +23,7 @@ resource "digitalocean_firewall" "vpn" {
inbound_rule {
protocol = "udp"
port_range = "51820"
port_range = "1-65535"
source_addresses = ["0.0.0.0/0", "::/0"]
}
}
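Review bot: The `port_range = "1-65535"` line, if it is the added side (this page keeps no +/- markers, and the removed `"51820"` line is printed beside it), opens every UDP port on the `vpn` firewall to `0.0.0.0/0` and `::/0`, which is far wider than the single WireGuard port the old line allowed. The enclosing `resource "digitalocean_firewall" "vpn"` block starts before the hunk, so any other inbound rules are not visible here. If the goal is to reach the new NodePort service, a TCP rule limited to the NodePort range (`port_range = "30000-32767"`) or to a fixed `nodePort` is the narrower change; if an all-ports UDP rule is really required, a comment above it stating why (`# <reason>`) would keep the next reader from closing it.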

11
k8s/ip/Makefile

@ -0,0 +1,11 @@
.PHONY: scaffold
scaffold:
kubekutr -c kubekutr.yml scaffold -o .
.PHONY: build-k8s-local
build-k8s-local: scaffold
@kustomize build base --load_restrictor none
.PHONY: deploy-k8s-local
deploy-k8s-local: build-k8s-local
kustomize build base/ --load_restrictor none | kubectl apply -f -
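Review bot: `--load_restrictor none` in both `build-k8s-local` and `deploy-k8s-local` switches off the guard that stops a kustomization from reading files outside its own directory, yet every path referenced from `k8s/ip/base/kustomization.yml` (`configs/*.conf`, `patches/`, `nginx-ip/`) sits under `base/`, so the default restriction would not be hit as far as the visible files show. Dropping the flag keeps the build from silently pulling in files outside the tree later; if it is needed for a reason not shown here, a comment above the recipe (`# load_restrictor: <why>`) should say so. As a point of style the two recipes spell the target differently (`base` and `base/`); using one form makes it obvious they build the same thing.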

18
k8s/ip/base/configs/general.conf

@ -0,0 +1,18 @@
# favicon.ico
location = /favicon.ico {
log_not_found off;
access_log off;
}
# robots.txt
location = /robots.txt {
log_not_found off;
access_log off;
}
# gzip
gzip on;
gzip_vary on;
gzip_proxied any;
gzip_comp_level 6;
gzip_types text/plain text/css text/xml application/json application/javascript application/rss+xml application/atom+xml image/svg+xml;

18
k8s/ip/base/configs/ip.conf

@ -0,0 +1,18 @@
server {
server_name ip.mrkaran.dev;
real_ip_header CF-Connecting-IP;
# security
include conf.d/nginxconfig.io/security.conf;
location / {
default_type text/plain;
if ($http_cf_connecting_ip) {
return 200 "$http_cf_connecting_ip\n";
}
return 200 "$remote_addr\n";
}
# general
include conf.d/nginxconfig.io/general.conf;
}
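Review bot: `real_ip_header CF-Connecting-IP;` has no matching `set_real_ip_from` anywhere in this file, so nginx never rewrites `$remote_addr`, and the `if ($http_cf_connecting_ip)` branch instead echoes the header exactly as the caller sent it — correct only while Cloudflare is the sole path in, and wrong for any request that reaches the NodePort directly, where the value is whatever the caller chose to put in the header. The usual fix is to add `set_real_ip_from <cloudflare-range-placeholder>;` for each published Cloudflare range above `real_ip_header`, and reduce `location /` to `default_type text/plain;` and `return 200 "$remote_addr\n";`, so the real_ip module decides which upstream is trusted rather than the header itself. The `server` block also has no `listen` directive and relies on the default port 80; stating `listen 80;` ties it visibly to `containerPort: 80` in the Deployment.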

12
k8s/ip/base/configs/security.conf

@ -0,0 +1,12 @@
# security headers
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "no-referrer-when-downgrade" always;
add_header Content-Security-Policy "default-src 'self' http: https: data: blob: 'unsafe-inline'" always;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
# . files
location ~ /\.(?!well-known) {
deny all;
}
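Review bot: The `Content-Security-Policy` value allows `'unsafe-inline'` plus any `http:`, `https:`, `data:` or `blob:` source, which is close to no restriction at all; this server only returns a plain-text address, so `add_header Content-Security-Policy "default-src 'none'" always;` describes what is actually served. `X-XSS-Protection` is no longer honoured by current browsers and can be dropped. These headers are emitted on the plain-HTTP listener, and `Strict-Transport-Security` with `preload` only takes effect when the response reaches the browser over TLS — presumably terminated at the Cloudflare edge here — so a comment above the HSTS line naming where TLS terminates would help the next reader judge it.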

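--- a/k8s/ip/base/kustomization.yml
+++ b/k8s/ip/base/kustomization.yml
@@ -0,0 +1,13 @@
+namespace: ip
+resources:
+  - namespace.yml
+  - nginx-ip/nginx-deployment.yml
+  - nginx-ip/nginx-service.yml
+configMapGenerator:
+  - name: app-config
+    files:
+      - ip.conf=configs/ip.conf
+      - general.conf=configs/general.conf
+      - security.conf=configs/security.conf
+patchesStrategicMerge:
+  - patches/add-config-volume.yml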
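Review bot: The file carries no `apiVersion: kustomize.config.k8s.io/v1beta1` and `kind: Kustomization` lines; kustomize tolerates the omission, but schema-aware tooling and newer releases warn, and the two lines make the file self-describing. Because `app-config` comes from `configMapGenerator`, its rendered name gets a content-hash suffix, and the `configMap.name: app-config` references in `patches/add-config-volume.yml` work only because kustomize rewrites them after patching; a comment on the generator entry (`# name gains a content-hash suffix; references in patches/ are rewritten by kustomize`) would save the next reader a surprise when they grep the cluster for the plain name.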

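--- a/k8s/ip/base/namespace.yml
+++ b/k8s/ip/base/namespace.yml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: ip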

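--- a/k8s/ip/base/nginx-ip/nginx-deployment.yml
+++ b/k8s/ip/base/nginx-ip/nginx-deployment.yml
@@ -0,0 +1,41 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: nginx
+  labels:
+    service: nginx
+    tier: proxy
+spec:
+  replicas: 3
+  selector:
+    matchLabels:
+      service: nginx
+      tier: proxy
+  template:
+    metadata:
+      labels:
+        service: nginx
+        tier: proxy
+    spec:
+      containers:
+        - name: nginx
+          image: nginx:latest
+          ports:
+            - containerPort: 80
+              name: proxy-port
+          resources:
+            requests:
+              memory: 30Mi
+              cpu: 40m
+            limits:
+              memory: 60Mi
+              cpu: 80m
+          volumeMounts:
+            - mountPath: /etc/nginx/conf.d
+              name: app-conf-dir
+            - mountPath: /etc/nginx/conf.d/nginxconfig.io
+              name: nginxconfig-dir
+      volumes:
+        - name: app-conf-dir
+        - name: nginxconfig-dir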
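Review bot: `image: nginx:latest` on the container is unpinned, so every rollout may pull a different image and the deployed bundle cannot be reproduced or audited; pin a tag and digest (`image: nginx:<tag>@sha256:<digest-placeholder>`). Since `make scaffold` regenerates this file from `k8s/ip/kubekutr.yml`, the `image: 'nginx:latest'` entry there needs the same pin or the next scaffold reverts it. The two `volumes` entries carry no source and only become valid once `patches/add-config-volume.yml` is merged in, so a comment on them (`# sources are filled in by patches/add-config-volume.yml`) would stop someone applying this manifest on its own. There is also no readiness probe, so a pod whose nginx fails to start on a bad config is put into Service rotation immediately; the excerpt below adds one against `/` on the named port.
```yaml
        - name: nginx
          image: nginx:<tag>@sha256:<digest-placeholder>
          # … unchanged: ports, resources, volumeMounts …
          readinessProbe:
            httpGet:
              path: /
              port: proxy-port
            initialDelaySeconds: 2
            periodSeconds: 10
```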

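--- a/k8s/ip/base/nginx-ip/nginx-service.yml
+++ b/k8s/ip/base/nginx-ip/nginx-service.yml
@@ -0,0 +1,17 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: nginx
+  labels:
+    service: nginx
+spec:
+  ports:
+    - port: 80
+      name: proxy-port
+      targetPort: proxy-port
+      protocol: TCP
+  type: NodePort
+  selector:
+    tier: proxy
+    service: nginx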
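Review bot: With `type: NodePort` and no `externalTrafficPolicy`, kube-proxy source-NATs traffic that enters on a node, so the `$remote_addr` fallback in `configs/ip.conf` would report a node or cluster-internal address instead of the client's; `externalTrafficPolicy: Local` under `spec` preserves the client source address, at the cost that only nodes running a pod answer. Leaving `nodePort` unset also lets the API server pick any port in the NodePort range, which is presumably why the firewall has to be opened so broadly; a fixed `nodePort: <port-placeholder>` on the port entry lets the firewall rule name one port.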

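--- a/k8s/ip/base/patches/add-config-volume.yml
+++ b/k8s/ip/base/patches/add-config-volume.yml
@@ -0,0 +1,32 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: nginx
+spec:
+  template:
+    spec:
+      volumes:
+        - name: app-conf-dir
+          configMap:
+            name: app-config
+            items:
+              - key: ip.conf
+                path: ip.conf
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: nginx
+spec:
+  template:
+    spec:
+      volumes:
+        - name: nginxconfig-dir
+          configMap:
+            name: app-config
+            items:
+              - key: security.conf
+                path: security.conf
+              - key: general.conf
+                path: general.conf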
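Review bot: Both documents in this file patch the same `nginx` Deployment and could be one document listing both entries under `spec.template.spec.volumes`, since strategic merge matches list items by `name`; a single patch is easier to read and drops the duplicated header block. Mounting `app-conf-dir` at `/etc/nginx/conf.d` with only `ip.conf` in `items` also replaces the image's stock `default.conf`, which is desirable here but not obvious; a comment on the first volume (`# replaces the image's default.conf; only ip.conf is served from conf.d`) would record the intent.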

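--- a/k8s/ip/kubekutr.yml
+++ b/k8s/ip/kubekutr.yml
@@ -0,0 +1,39 @@
+workloads:
+  - name: nginx-ip
+    deployments:
+      - name: nginx
+        replicas: 3
+        labels:
+          - name: 'service: nginx'
+          - name: 'tier: proxy'
+        containers:
+          - name: nginx
+            createService: true
+            image: 'nginx:latest'
+            ports:
+              - name: proxy-port
+                port: 80
+            cpuLimits: 80m
+            memoryLimits: 60Mi
+            cpuRequests: 40m
+            memoryRequests: 30Mi
+            volumeMounts:
+              - name: app-conf-dir
+                mountPath: /etc/nginx/conf.d
+              - name: nginxconfig-dir
+                mountPath: /etc/nginx/conf.d/nginxconfig.io
+        volumes:
+          - name: app-conf-dir
+          - name: nginxconfig-dir
+    services:
+      - name: nginx
+        type: NodePort
+        ports:
+          - name: proxy-port
+            targetPort: proxy-port
+            port: 80
+        labels:
+          - name: 'service: nginx'
+        selectors:
+          - name: 'tier: proxy'
+          - name: 'service: nginx'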