SEANK.H.LIAO

kubernetes cluster 19 part 2

19th attempt to get a k8s setup working

Goals

tldr

config: seankhliao/kluster @ v0.19.0

use with:

ingress / sign in

ingress

traefik is still easier to set up than ambassador or contour

set default TLS cert

apiVersion: traefik.containo.us/v1alpha1
kind: TLSStore
metadata:
  name: default
spec:
  defaultCertificate:
    secretName: api-seankhliao-com-tls

auth

Running pomerium because I can't find anything else in the same space?

pomerium config

insecure_server: true
grpc_insecure: true
address: :80

authenticate_service_url: https://auth.api.seankhliao.com
forward_auth_url: http://pomerium.networking.svc.cluster.local

idp_provider: "google"
idp_client_id: CHANGE_ME
idp_client_secret: CHANGE_ME

shared_secret: CHANGE_ME
cookie_secret: CHANGE_ME

metrics_address: ":9090"

tracing_provider: jaeger
tracing_debug: true
tracing_jaeger_agent_endpoint: jaeger-agent.monitor.svc.cluster.local:6831

policy:
  - from: https://traefik.api.seankhliao.com
    to: http://example.com
    allowed_users:
      - admin@example.com

IngressRoute config

apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: pomerium
spec:
  entryPoints:
    - https
  routes:
    - kind: Rule
      match: Host(`auth.api.seankhliao.com`)
      services:
        - kind: Service
          name: pomerium
          port: 80
    - kind: Rule
      match: PathPrefix(`/.pomerium/`)
      priority: 100
      services:
        - kind: Service
          name: pomerium
          port: 80
  tls: {}

Use with a Middleware, e.g. for traefik's dashboard

apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: traefik
spec:
  entryPoints:
    - https
  routes:
    - kind: Rule
      match: Host(`traefik.api.seankhliao.com`)
      middlewares:
        - name: auth-traefik
      services:
        - kind: Service
          name: traefik
          port: 9000
  tls: {}
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: auth-traefik
spec:
  forwardAuth:
    address: http://pomerium.networking.svc.cluster.local/?uri=https://traefik.api.seankhliao.com
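
The protected hostname appears three times in the config above: the pomerium policy `from`, the IngressRoute `Host()` match, and the Middleware's `?uri=`. The following is an added example, not part of the original post or the kluster repo, that checks the three agree and flags routes with no forwardAuth middleware. The function names, the `example.test` hosts and the dict inputs (manifests as a YAML loader would return them, trimmed) are assumptions, and middlewares are matched by name only.

```python
import re
from urllib.parse import parse_qs, urlsplit
HOST_RE = re.compile(r"Host\(`([^`]+)`\)")

def forward_auth_hosts(middlewares):
    """Middleware name -> hostname carried in its forwardAuth ?uri= parameter."""
    hosts = {}
    for mw in middlewares:
        address = mw["spec"].get("forwardAuth", {}).get("address")
        if address:
            uri = parse_qs(urlsplit(address).query).get("uri", [""])[0]
            hosts[mw["metadata"]["name"]] = urlsplit(uri).hostname
    return hosts

def lint(ingress_routes, middlewares, policy, skip_hosts=()):
    """Return (host, problem) pairs for routes whose auth wiring disagrees."""
    fa = forward_auth_hosts(middlewares)
    policy_hosts = {urlsplit(p["from"]).hostname for p in policy}
    findings = []
    for ir in ingress_routes:
        for rule in ir["spec"]["routes"]:
            attached = [fa[m["name"]] for m in rule.get("middlewares", []) if m["name"] in fa]
            for host in HOST_RE.findall(rule.get("match", "")):
                if host in skip_hosts:  # e.g. pomerium's own authenticate host
                    continue
                if not attached:
                    findings.append((host, "no forwardAuth middleware"))
                elif host not in attached:
                    findings.append((host, "forwardAuth uri names a different host"))
                elif host not in policy_hosts:
                    findings.append((host, "no pomerium policy for this host"))
    return findings

# Constructed input: the manifests above as parsed dicts, trimmed to the fields used.
POLICY = [{"from": "https://traefik.api.seankhliao.com"}]
MIDDLEWARES = [{"metadata": {"name": "auth-traefik"}, "spec": {"forwardAuth": {
    "address": "http://pomerium.networking.svc.cluster.local/?uri=https://traefik.api.seankhliao.com"}}}]
ROUTES = [{"spec": {"routes": [
    {"match": "Host(`traefik.api.seankhliao.com`)", "middlewares": [{"name": "auth-traefik"}]},
    {"match": "Host(`auth.api.seankhliao.com`)"},
    {"match": "PathPrefix(`/.pomerium/`)"},
]}}]
# Constructed mistakes (hypothetical hosts): middleware reused on another host, and none at all.
BAD_ROUTES = [{"spec": {"routes": [
    {"match": "Host(`app.example.test`)", "middlewares": [{"name": "auth-traefik"}]},
    {"match": "Host(`open.example.test`)"},
]}}]
if __name__ == "__main__":
    print(lint(BAD_ROUTES, MIDDLEWARES, POLICY, skip_hosts={"auth.api.seankhliao.com"}))
```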