Get working with external acccess using linode DNS and Let's Encrypt

setup/11-Others/dyndns.yaml

@@ -2,7 +2,7 @@
 #apiVersion: v1
 #kind: Secret
 #metadata:
-#  name: dyndns
+#  name: linode-dynamic-dns
 #  namespace: infra
 #type: Opaque
 #data:
@@ -11,20 +11,20 @@
 apiVersion: extensions/v1beta1
 kind: Deployment
 metadata:
-  name: dyndns
+  name: linode-dynamic-dns
   namespace: infra
   labels:
-    app: dyndns
+    app: linode-dynamic-dns
 spec:
   replicas: 1
   revisionHistoryLimit: 2
   selector:
     matchLabels:
-      app: dyndns
+      app: linode-dynamic-dns
   template:
     metadata:
       labels:
-        app: dyndns
+        app: linode-dynamic-dns
     spec:
       containers:
         - name: dyndns
@@ -39,5 +39,5 @@ spec:
             - name: TOKEN
               valueFrom:
                 secretKeyRef:
-                  name: dyndns
+                  name: linode-dynamic-dns
                   key: token

setup/11-Others/forecastle.yaml

@@ -112,15 +112,11 @@ kind: Ingress
 metadata:
   name: forecastle
   namespace: infra
+  annotations:
+    traefik.ingress.kubernetes.io/redirect-entry-point: https
+    traefik.ingress.kubernetes.io/redirect-permanent: "true"
 spec:
   rules:
-    - host: launchpad.cluster.local
-      http:
-        paths:
-          - path: /
-            backend:
-              serviceName: forecastle
-              servicePort: 80
     - host: launchpad.cluster.rebelinblue.com
       http:
         paths:

setup/11-Others/kubeview.yaml

@@ -87,14 +87,16 @@ metadata:
   name: kubeview
   namespace: infra
   annotations:
+    traefik.ingress.kubernetes.io/redirect-entry-point: https
+    traefik.ingress.kubernetes.io/redirect-permanent: "true"
     kubernetes.io/ingress.class: traefik
     forecastle.stakater.com/expose: "true"
     forecastle.stakater.com/group: "Miscellaneous"
     forecastle.stakater.com/icon: "https://raw.githubusercontent.com/benc-uk/kubeview/master/web/client/src/assets/logo.png"
     forecastle.stakater.com/appName: KubeView
 spec:
   rules:
-    - host: kubeview.cluster.local
+    - host: kubeview.cluster.rebelinblue.com
       http:
         paths:
           - path: /

setup/12-Secrets/vault.yaml

@@ -1,5 +1,16 @@
 ---
 apiVersion: v1
+kind: Secret
+metadata:
+  name: consul-gossip-key
+  namespace: vault
+  labels:
+    app: consul
+type: Opaque
+data:
+  gossip-key: c1BsdW1QL1cyOUh6U2xjdlBxME1uR3d4YWtRbTRHR29acHZaajJXeDl6cz0K
+---
+apiVersion: v1
 kind: ConfigMap
 metadata:
   name: vault-config
@@ -162,6 +173,16 @@ spec:
                 secretKeyRef:
                   name: vault-unseal-keys
                   key: VAULT_UNSEAL_KEY_3
+            - name: VAULT_UNSEAL_KEY_4
+              valueFrom:
+                secretKeyRef:
+                  name: vault-unseal-keys
+                  key: VAULT_UNSEAL_KEY_4
+            - name: VAULT_UNSEAL_KEY_5
+              valueFrom:
+                secretKeyRef:
+                  name: vault-unseal-keys
+                  key: VAULT_UNSEAL_KEY_5
           livenessProbe:
             httpGet:
               path: /v1/sys/health?standbyok=true&uninitcode=204&sealedcode=204&
@@ -222,6 +243,8 @@ spec:
               value: "dc1"
             - name: CONSUL_DOMAIN
               value: "cluster.local"
+            - name: CONSUL_HOST
+              value: "consul.infra.svc"
           command:
             - "consul"
           args:
@@ -233,7 +256,7 @@ spec:
             - "-data-dir=/var/lib/consul"
             - "-config-dir=/consul/config"
             - "-domain=$(CONSUL_DOMAIN)"
-            - "-retry-join=$(CONSUL_SERVICE_HOST)"
+            - "-retry-join=$(CONSUL_HOST)"
             - "-disable-host-node-id"
             - "-encrypt=$(CONSUL_GOSSIP_ENCRYPTION_KEY)"
           resources:
@@ -269,14 +292,16 @@ metadata:
   labels:
     app: vault
   annotations:
+    traefik.ingress.kubernetes.io/redirect-entry-point: https
+    traefik.ingress.kubernetes.io/redirect-permanent: "true"
     kubernetes.io/ingress.class: traefik
     forecastle.stakater.com/expose: "true"
     forecastle.stakater.com/group: "Secrets"
     forecastle.stakater.com/icon: "https://cdn.freebiesupply.com/logos/large/2x/vault-enterprise-logo-png-transparent.png"
     forecastle.stakater.com/appName: Vault
 spec:
   rules:
-    - host: vault.cluster.local
+    - host: vault.cluster.rebelinblue.com
       http:
         paths:
           - backend:

setup/12-Secrets/consul.yaml → setup/2-Consul/consul.yaml

@@ -3,7 +3,7 @@ apiVersion: v1
 kind: Secret
 metadata:
   name: consul-gossip-key
-  namespace: vault
+  namespace: infra
   labels:
     app: consul
 type: Opaque
@@ -14,7 +14,7 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   name: consul-config
-  namespace: vault
+  namespace: infra
   labels:
     app: consul
 data:
@@ -41,7 +41,7 @@ apiVersion: v1
 kind: Service
 metadata:
   name: consul
-  namespace: vault
+  namespace: infra
   labels:
     app: consul
   annotations:
@@ -79,7 +79,7 @@ apiVersion: v1
 kind: Service
 metadata:
   name: consul-ui
-  namespace: vault
+  namespace: infra
   labels:
     app: consul
 spec:
@@ -94,7 +94,7 @@ apiVersion: apps/v1beta1
 kind: StatefulSet
 metadata:
   name: consul
-  namespace: vault
+  namespace: infra
   labels:
     app: consul
 spec:
@@ -248,18 +248,20 @@ apiVersion: extensions/v1beta1
 kind: Ingress
 metadata:
   name: consul-ui
-  namespace: vault
+  namespace: infra
   labels:
     app: consul
   annotations:
+    traefik.ingress.kubernetes.io/redirect-entry-point: https
+    traefik.ingress.kubernetes.io/redirect-permanent: "true"
     kubernetes.io/ingress.class: traefik
     forecastle.stakater.com/expose: "true"
     forecastle.stakater.com/group: "Secrets"
     forecastle.stakater.com/icon: "https://www.consul.io/assets/images/og-image-6ef0ad8b.png"
     forecastle.stakater.com/appName: Consul
 spec:
   rules:
-    - host: consul.cluster.local
+    - host: consul.cluster.rebelinblue.com
       http:
         paths:
           - backend:

setup/3-Traefik/configmap.yaml

@@ -6,19 +6,40 @@ metadata:
   namespace: infra
 data:
   traefik.toml: |
-    defaultEntryPoints = ["http","https"]
+    defaultEntryPoints = ["http", "https"]
 
-    [entryPoints]
+    [acme]
+      email = "letsencrypt@stephen.rebelinblue.com"
+      entryPoint = "https"
+      acmeLogging = true
+      storage = "traefik-external-certificates/acme/account"
+      OnHostRule = true
+
+      [acme.httpChallenge]
+        entryPoint = "http"
+
+      #[acme.dnsChallenge]
+      #  provider = "linodev4"
+
+      #[[acme.domains]]
+      #  main = "*.cluster.rebelinblue.com"
 
+    [consul]
+      endpoint = "consul.infra.svc:8500"
+      watch = true
+      prefix = "traefik"
+
+    [entryPoints]
       [entryPoints.http]
-      address = ":80"
+        address = ":80"
 
       [entryPoints.https]
-      address = ":443"
+        address = ":443"
+
         [entryPoints.https.tls]
-          [[entryPoints.https.tls.certificates]]
-          CertFile = "/ssl/tls.crt"
-          KeyFile = "/ssl/tls.key"
+        #  [[entryPoints.https.tls.certificates]]
+        #  CertFile = "/ssl/tls.crt"
+        #  KeyFile = "/ssl/tls.key"
 
       [entryPoints.traefik]
         address = ":8080"
@@ -28,10 +49,10 @@ data:
         publishedService = "infra/traefik-ingress-controller-http-service"
 
     [ping]
-    entryPoint = "http"
+      entryPoint = "http"
 
     [api]
-    entryPoint = "traefik"
+      entryPoint = "traefik"
 
     [metrics]
       [metrics.prometheus]

setup/3-Traefik/deployment.yaml

@@ -26,15 +26,21 @@ spec:
       serviceAccountName: traefik-ingress-serviceaccount
       terminationGracePeriodSeconds: 35
       volumes:
-        - name: traefik-ui-tls-cert
-          secret:
-            secretName: traefik-ui-tls-cert
+        #- name: traefik-ui-tls-cert
+        #  secret:
+        #    secretName: traefik-ui-tls-cert
         - name: traefik-ingress-configmap
           configMap:
             name: traefik-ingress-configmap
       containers:
         - image: traefik:maroilles
           name: traefik-ingress-controller
+          env:
+            - name: LINODE_TOKEN
+              valueFrom:
+                secretKeyRef:
+                  name: linode-dynamic-dns
+                  key: token
           imagePullPolicy: Always
           resources:
             limits:
@@ -59,8 +65,8 @@ spec:
               scheme: HTTP
             periodSeconds: 5
           volumeMounts:
-            - mountPath: "/ssl"
-              name: "traefik-ui-tls-cert"
+            #- mountPath: "/ssl"
+            #  name: "traefik-ui-tls-cert"
             - mountPath: "/config"
               name: "traefik-ingress-configmap"
           ports:

setup/3-Traefik/ingress.yaml

@@ -5,6 +5,8 @@ metadata:
   name: traefik-ingress-controller-dashboard-ingress
   namespace: infra
   annotations:
+    traefik.ingress.kubernetes.io/redirect-entry-point: https
+    traefik.ingress.kubernetes.io/redirect-permanent: "true"
     kubernetes.io/ingress.class: traefik
     forecastle.stakater.com/expose: "true"
     forecastle.stakater.com/group: "Dashboards"
@@ -15,7 +17,7 @@ metadata:
     # traefik.ingress.kubernetes.io/redirect-permanent: "true"
 spec:
   rules:
-    - host: traefik.cluster.local
+    - host: traefik.cluster.rebelinblue.com
       http:
         paths:
         - path: /

setup/4-Dashboard/dashboard.yaml

@@ -164,7 +164,6 @@ metadata:
   namespace: kube-system
   annotations:
     kubernetes.io/ingress.class: traefik
-    traefik.ingress.kubernetes.io/frontend-entry-points: http,https
     traefik.ingress.kubernetes.io/redirect-entry-point: https
     traefik.ingress.kubernetes.io/redirect-permanent: "true"
     forecastle.stakater.com/expose: "true"
@@ -173,7 +172,7 @@ metadata:
     forecastle.stakater.com/icon: "https://raw.githubusercontent.com/stakater/ForecastleIcons/master/kubernetes.png"
 spec:
   rules:
-    - host: dashboard.cluster.local
+    - host: dashboard.cluster.rebelinblue.com
       http:
         paths:
           - backend:

setup/8-Logging/promtail.yaml

@@ -209,13 +209,15 @@ metadata:
   labels:
     k8s-app: promtail
   annotations:
+    traefik.ingress.kubernetes.io/redirect-entry-point: https
+    traefik.ingress.kubernetes.io/redirect-permanent: "true"
     kubernetes.io/ingress.class: traefik
     forecastle.stakater.com/expose: "true"
     forecastle.stakater.com/group: "Miscellaneous"
     forecastle.stakater.com/icon: "https://raw.githubusercontent.com/grafana/loki/master/docs/logo.png"
 spec:
   rules:
-    - host: promtail.cluster.local
+    - host: promtail.cluster.rebelinblue.com
       http:
         paths:
           - path: /

setup/9-Monitoring/alertmanager.yaml

@@ -112,7 +112,7 @@ spec:
           args:
             - --config.file=/etc/alertmanager/config.yml
             - --storage.path=/alertmanager
-            - --web.external-url=http://alertmanager.cluster.local
+            - --web.external-url=http://alertmanager.cluster.rebelinblue.com
           ports:
             - name: alertmanager
               containerPort: 9093
@@ -170,14 +170,16 @@ metadata:
   labels:
     name: alertmanager
   annotations:
+    traefik.ingress.kubernetes.io/redirect-entry-point: https
+    traefik.ingress.kubernetes.io/redirect-permanent: "true"
     kubernetes.io/ingress.class: traefik
     forecastle.stakater.com/expose: "true"
     forecastle.stakater.com/appName: "Alert Manager"
     forecastle.stakater.com/group: "Prometheus"
     forecastle.stakater.com/icon: "https://raw.githubusercontent.com/stakater/ForecastleIcons/master/prometheus.png"
 spec:
   rules:
-    - host: alertmanager.cluster.local
+    - host: alertmanager.cluster.rebelinblue.com
       http:
         paths:
           - path: /