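/**
 * Traefik ingress controller installed as a Helm v3 chart, plus an Ingress
 * for the dashboard that is parented to the chart resource.
 *
 * The chart's Service is fronted by an AWS load balancer (configured through
 * the `service.beta.kubernetes.io/*` annotations below); reachability is
 * narrowed only by `args.whitelist` via `loadBalancerSourceRanges`.
 */
export class Deployment extends helm.v3.Chart {
  /**
   * @param name  Prefix for the release name (`${name}-traefik`); the same
   *              value is used in the pod anti-affinity label selector.
   * @param args  Namespace, certificate, environment and source-range whitelist.
   * @param opts  Passed through unchanged to the chart resource.
   */
  constructor(name: string, args: ingressControllerArgs, opts: ComponentResourceOptions) {
    const releaseName = `${name}-traefik`;

    // Annotations applied to the chart's Service. The keys are the plain
    // Kubernetes annotation names (a `<url|text>`-wrapped key would never be
    // honoured by the cloud controller).
    const annotations: { [key: string]: pulumi.Output<string> | string } = {
      'service.beta.kubernetes.io/aws-load-balancer-backend-protocol': 'http',
      'service.beta.kubernetes.io/aws-load-balancer-ssl-cert': pulumi.interpolate`${args.certificate.arn}`,
      'service.beta.kubernetes.io/aws-load-balancer-ssl-ports': 'websecure',
      'service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout': '3600'
    };

    super(
      releaseName,
      {
        chart: 'traefik',
        repo: 'traefik',
        namespace: args.namespace,
        version: '9',
        values: {
          providers: {
            kubernetesIngress: {
              publishedService: {
                enabled: true
              }
            }
          },
          ports: {
            // TODO secure traefik ingress recommended https://github.com/traefik/traefik-helm-chart/blob/master/traefik/values.yaml#L205
            traefik: {
              expose: true
            },
            web: {
              redirectTo: 'websecure'
            }
          },
          metrics: {
            datadog: {
              address: 'datadog-statsd:8125'
            }
          },
          logs: {
            general: {
              level: 'INFO',
              format: 'json'
            },
            access: {
              enabled: true,
              fields: {
                headers: {
                  // NOTE(review): `keep` writes request headers verbatim into
                  // the access log; confirm that credential-bearing headers
                  // are acceptable in the log sink, or switch to redact/drop
                  // for those names.
                  defaultmode: 'keep'
                }
              }
            }
          },
          resources: {
            limits: {
              cpu: '256m',
              memory: '512Mi'
            },
            requests: {
              cpu: '256m',
              memory: '512Mi'
            }
          },
          // TODO potentially secure further with middlewares. Currently the API is exposed to anyone in sourceRange (VPN, NATs)
          // `--api.insecure` serves the API/dashboard without authentication;
          // the only restriction is the `loadBalancerSourceRanges` below.
          additionalArguments: [
            '--api',
            '--api.insecure'
          ],
          service: {
            annotations: annotations,
            loadBalancerSourceRanges: args.whitelist
          },
          // Spread replicas across zones: a pod must not be scheduled into a
          // zone that already hosts a pod carrying the same `app` label.
          // NOTE(review): verify the chart actually sets `app: <release>` on
          // its pods; if it does not, this required rule never matches and
          // replicas may co-locate.
          affinity: {
            podAntiAffinity: {
              requiredDuringSchedulingIgnoredDuringExecution: [
                {
                  labelSelector: {
                    matchExpressions: [
                      {
                        key: 'app',
                        operator: 'In',
                        values: [releaseName]
                      }
                    ]
                  },
                  topologyKey: 'failure-domain.beta.kubernetes.io/zone'
                }
              ]
            }
          },
          podDisruptionBudget: {
            enabled: true,
            minAvailable: 2
          },
          replicas: 3
        },
        transformations: [
          // `any` matches the chart's transformation callback signature.
          // Only the Service manifest is pinned to `args.namespace`.
          (manifest: any) => {
            if (manifest.kind === 'Service') {
              manifest.metadata['namespace'] = args.namespace;
            }
          }
        ]
      },
      opts
    );

    // Dashboard Ingress, routed by host to the API service on port 9000.
    new kube.networking.v1beta1.Ingress(
      'dashboard',
      {
        metadata: {
          namespace: args.namespace
        },
        spec: {
          rules: [
            {
              host: `my-secret-host.${args.env}.top-secret-host.com`,
              http: {
                paths: [
                  {
                    backend: {
                      serviceName: 'my-secret-service',
                      servicePort: 9000
                    }
                  }
                ]
              }
            }
          ]
        }
      },
      { parent: this }
    );
  }
}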
diff
external-dns
seemed to notice the diff