rosstimson/cheese.yml

## cheese.yml
# Deployments
# --------------------------------------------------------------------

---
kind: Deployment
apiVersion: extensions/v1beta1
metadata:
  name: stilton
  namespace: dev
  labels:
    app: cheese
    cheese: stilton
spec:
  replicas: 1
  selector:
    matchLabels:
      app: cheese
      task: stilton
  template:
    metadata:
      labels:
        app: cheese
        task: stilton
        version: v0.0.1
    spec:
      containers:
      - name: cheese
        image: errm/cheese:stilton
        resources:
          requests:
            cpu: 100m
            memory: 50Mi
          limits:
            cpu: 100m
            memory: 50Mi
        ports:
        - containerPort: 80


---
kind: Deployment
apiVersion: extensions/v1beta1
metadata:
  name: cheddar
  namespace: dev
  labels:
    app: cheese
    cheese: cheddar
spec:
  replicas: 1
  selector:
    matchLabels:
      app: cheese
      task: cheddar
  template:
    metadata:
      labels:
        app: cheese
        task: cheddar
        version: v0.0.1
    spec:
      containers:
      - name: cheese
        image: errm/cheese:cheddar
        resources:
          requests:
            cpu: 100m
            memory: 50Mi
          limits:
            cpu: 100m
            memory: 50Mi
        ports:
        - containerPort: 80


---
kind: Deployment
apiVersion: extensions/v1beta1
metadata:
  name: wensleydale
  namespace: dev
  labels:
    app: cheese
    cheese: wensleydale
spec:
  replicas: 1
  selector:
    matchLabels:
      app: cheese
      task: wensleydale
  template:
    metadata:
      labels:
        app: cheese
        task: wensleydale
        version: v0.0.1
    spec:
      containers:
      - name: cheese
        image: errm/cheese:wensleydale
        resources:
          requests:
            cpu: 100m
            memory: 50Mi
          limits:
            cpu: 100m
            memory: 50Mi
        ports:
        - containerPort: 80

# Services
# --------------------------------------------------------------------

---
apiVersion: v1
kind: Service
metadata:
  name: stilton
  namespace: dev
spec:
  ports:
  - name: http
    targetPort: 80
    port: 80
  selector:
    app: cheese
    task: stilton


---
apiVersion: v1
kind: Service
metadata:
  name: cheddar
  namespace: dev
spec:
  ports:
  - name: http
    targetPort: 80
    port: 80
  selector:
    app: cheese
    task: cheddar


---
apiVersion: v1
kind: Service
metadata:
  name: wensleydale
  namespace: dev
spec:
  ports:
  - name: http
    targetPort: 80
    port: 80
  selector:
    app: cheese
    task: wensleydale


# Services
# --------------------------------------------------------------------

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: cheese
  namespace: dev
spec:
  rules:
  - host: stilton.example.com
    http:
      paths:
      - path: /
        backend:
          serviceName: stilton
          servicePort: http
  - host: cheddar.example.com
    http:
      paths:
      - path: /
        backend:
          serviceName: cheddar
          servicePort: http
  - host: wensleydale.example.com
    http:
      paths:
      - path: /
        backend:
          serviceName: wensleydale
          servicePort: http

## external-dns.yml
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: external-dns
  namespace: kube-system


---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
  name: external-dns
  namespace: kube-system
rules:
- apiGroups: [""]
  resources: ["services"]
  verbs: ["get","watch","list"]
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get","watch","list"]
- apiGroups: ["extensions"]
  resources: ["ingresses"]
  verbs: ["get","watch","list"]
- apiGroups: [""]
  resources: ["nodes"]
  verbs: ["list"]


---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: external-dns-viewer
  namespace: kube-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: external-dns
subjects:
- kind: ServiceAccount
  name: external-dns
  namespace: kube-system


---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: external-dns
  namespace: kube-system
spec:
  strategy:
    type: Recreate
  template:
    metadata:
      labels:
        app: external-dns
    spec:
      serviceAccountName: external-dns
      containers:
      - env:
        - name: AWS_ACCESS_KEY_ID
          valueFrom:
            secretKeyRef:
              name: external-dns
              key: aws_access_key_id
        - name: AWS_SECRET_ACCESS_KEY
          valueFrom:
            secretKeyRef:
              name: external-dns
              key: aws_secret_access_key
        name: external-dns
        image: quay.io/xxxxx/k8s-external-dns:0.5.6
        args:
        - --source=service
        - --source=ingress
#        - --domain-filter=example.com # will make ExternalDNS see only the hosted zones matching provided domain, omit to process all available hosted zones
        - --provider=aws
        - --aws-zone-type=public # only look at public hosted zones (valid values are public, private or no value for both)
        - --registry=txt
        - --txt-owner-id=k8s
        - --log-level=debug
      imagePullSecrets:
      - name: quayio-pull-secret

## traefik.yml
# RBAC
# -----------------------------------------------------

---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: traefik-ingress-controller
rules:
  - apiGroups:
      - ""
    resources:
      - services
      - endpoints
      - secrets
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - extensions
    resources:
      - ingresses
    verbs:
      - get
      - list
      - watch
  - apiGroups:
    - extensions
    resources:
      - ingresses/status
    verbs:
      - update


---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: traefik-ingress-controller
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: traefik-ingress-controller
subjects:
- kind: ServiceAccount
  name: traefik-ingress-controller
  namespace: kube-system


# Daemonset and Service
# -----------------------------------------------------

---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: traefik-ingress-controller
  namespace: kube-system

---
apiVersion: v1
kind: ConfigMap
metadata:
  name: traefik-conf
  namespace: kube-system
data:
  traefik.toml: |
    [kubernetes]
    [kubernetes.ingressEndpoint]
    publishedService = "kube-system/traefik-ingress-controller"


---
kind: DaemonSet
apiVersion: extensions/v1beta1
metadata:
  name: traefik-ingress-controller
  namespace: kube-system
  labels:
    k8s-app: traefik-ingress-lb
spec:
  template:
    metadata:
      labels:
        k8s-app: traefik-ingress-lb
        name: traefik-ingress-lb
    spec:
      serviceAccountName: traefik-ingress-controller
      terminationGracePeriodSeconds: 60
      volumes:
        - name: config
          configMap:
            name: traefik-conf
      containers:
      - image: traefik:1.6.6
        name: traefik-ingress-lb
        volumeMounts:
          - mountPath: "/config"
            name: "config"
        ports:
        - name: http
          containerPort: 80
          hostPort: 80
        - name: admin
          containerPort: 8080
          hostPort: 8080
        securityContext:
          capabilities:
            drop:
            - ALL
            add:
            - NET_BIND_SERVICE
        args:
        - --configfile=/config/traefik.toml
        - --api
        - --kubernetes
        - --logLevel=INFO
  updateStrategy:
    type: RollingUpdate


---
kind: Service
apiVersion: v1
metadata:
  name: traefik-ingress-service
  namespace: kube-system
  annotations:
    #service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0
    service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:acm:us-west-2:xxxxxxx:certificate/xxxxxxxxxxxxxxx
    service.beta.kubernetes.io/aws-load-balancer-ssl-ports: 443,8080
spec:
  type: LoadBalancer
  selector:
    k8s-app: traefik-ingress-lb
  ports:
    - protocol: TCP
      port: 80
      name: web
    - protocol: TCP
      port: 443
      targetPort: 80
      name: tls-web
    - protocol: TCP
      port: 8080
      name: admin


# Traefik UI/Dashboard
# -----------------------------------------------------

---
apiVersion: v1
kind: Service
metadata:
  name: traefik-web-ui
  namespace: kube-system
spec:
  selector:
    k8s-app: traefik-ingress-lb
  ports:
  - name: web
    port: 80
    targetPort: 8080


---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: traefik-web-ui
  namespace: kube-system
spec:
  rules:
  - host: traefik-ui.example.com
    http:
      paths:
      - path: /
        backend:
          serviceName: traefik-web-ui
          servicePort: web
	# Deployments
	# --------------------------------------------------------------------

	---
	kind: Deployment
	apiVersion: extensions/v1beta1
	metadata:
	name: stilton
	namespace: dev
	labels:
	app: cheese
	cheese: stilton
	spec:
	replicas: 1
	selector:
	matchLabels:
	app: cheese
	task: stilton
	template:
	metadata:
	labels:
	app: cheese
	task: stilton
	version: v0.0.1
	spec:
	containers:
	- name: cheese
	image: errm/cheese:stilton
	resources:
	requests:
	cpu: 100m
	memory: 50Mi
	limits:
	cpu: 100m
	memory: 50Mi
	ports:
	- containerPort: 80


	---
	kind: Deployment
	apiVersion: extensions/v1beta1
	metadata:
	name: cheddar
	namespace: dev
	labels:
	app: cheese
	cheese: cheddar
	spec:
	replicas: 1
	selector:
	matchLabels:
	app: cheese
	task: cheddar
	template:
	metadata:
	labels:
	app: cheese
	task: cheddar
	version: v0.0.1
	spec:
	containers:
	- name: cheese
	image: errm/cheese:cheddar
	resources:
	requests:
	cpu: 100m
	memory: 50Mi
	limits:
	cpu: 100m
	memory: 50Mi
	ports:
	- containerPort: 80


	---
	kind: Deployment
	apiVersion: extensions/v1beta1
	metadata:
	name: wensleydale
	namespace: dev
	labels:
	app: cheese
	cheese: wensleydale
	spec:
	replicas: 1
	selector:
	matchLabels:
	app: cheese
	task: wensleydale
	template:
	metadata:
	labels:
	app: cheese
	task: wensleydale
	version: v0.0.1
	spec:
	containers:
	- name: cheese
	image: errm/cheese:wensleydale
	resources:
	requests:
	cpu: 100m
	memory: 50Mi
	limits:
	cpu: 100m
	memory: 50Mi
	ports:
	- containerPort: 80

	# Services
	# --------------------------------------------------------------------

	---
	apiVersion: v1
	kind: Service
	metadata:
	name: stilton
	namespace: dev
	spec:
	ports:
	- name: http
	targetPort: 80
	port: 80
	selector:
	app: cheese
	task: stilton


	---
	apiVersion: v1
	kind: Service
	metadata:
	name: cheddar
	namespace: dev
	spec:
	ports:
	- name: http
	targetPort: 80
	port: 80
	selector:
	app: cheese
	task: cheddar


	---
	apiVersion: v1
	kind: Service
	metadata:
	name: wensleydale
	namespace: dev
	spec:
	ports:
	- name: http
	targetPort: 80
	port: 80
	selector:
	app: cheese
	task: wensleydale


	# Services
	# --------------------------------------------------------------------

	apiVersion: extensions/v1beta1
	kind: Ingress
	metadata:
	name: cheese
	namespace: dev
	spec:
	rules:
	- host: stilton.example.com
	http:
	paths:
	- path: /
	backend:
	serviceName: stilton
	servicePort: http
	- host: cheddar.example.com
	http:
	paths:
	- path: /
	backend:
	serviceName: cheddar
	servicePort: http
	- host: wensleydale.example.com
	http:
	paths:
	- path: /
	backend:
	serviceName: wensleydale
	servicePort: http
	---
	apiVersion: v1
	kind: ServiceAccount
	metadata:
	name: external-dns
	namespace: kube-system


	---
	apiVersion: rbac.authorization.k8s.io/v1beta1
	kind: ClusterRole
	metadata:
	name: external-dns
	namespace: kube-system
	rules:
	- apiGroups: [""]
	resources: ["services"]
	verbs: ["get","watch","list"]
	- apiGroups: [""]
	resources: ["pods"]
	verbs: ["get","watch","list"]
	- apiGroups: ["extensions"]
	resources: ["ingresses"]
	verbs: ["get","watch","list"]
	- apiGroups: [""]
	resources: ["nodes"]
	verbs: ["list"]


	---
	apiVersion: rbac.authorization.k8s.io/v1beta1
	kind: ClusterRoleBinding
	metadata:
	name: external-dns-viewer
	namespace: kube-system
	roleRef:
	apiGroup: rbac.authorization.k8s.io
	kind: ClusterRole
	name: external-dns
	subjects:
	- kind: ServiceAccount
	name: external-dns
	namespace: kube-system


	---
	apiVersion: extensions/v1beta1
	kind: Deployment
	metadata:
	name: external-dns
	namespace: kube-system
	spec:
	strategy:
	type: Recreate
	template:
	metadata:
	labels:
	app: external-dns
	spec:
	serviceAccountName: external-dns
	containers:
	- env:
	- name: AWS_ACCESS_KEY_ID
	valueFrom:
	secretKeyRef:
	name: external-dns
	key: aws_access_key_id
	- name: AWS_SECRET_ACCESS_KEY
	valueFrom:
	secretKeyRef:
	name: external-dns
	key: aws_secret_access_key
	name: external-dns
	image: quay.io/xxxxx/k8s-external-dns:0.5.6
	args:
	- --source=service
	- --source=ingress
	# - --domain-filter=example.com # will make ExternalDNS see only the hosted zones matching provided domain, omit to process all available hosted zones
	- --provider=aws
	- --aws-zone-type=public # only look at public hosted zones (valid values are public, private or no value for both)
	- --registry=txt
	- --txt-owner-id=k8s
	- --log-level=debug
	imagePullSecrets:
	- name: quayio-pull-secret
	# RBAC
	# -----------------------------------------------------

	---
	kind: ClusterRole
	apiVersion: rbac.authorization.k8s.io/v1beta1
	metadata:
	name: traefik-ingress-controller
	rules:
	- apiGroups:
	- ""
	resources:
	- services
	- endpoints
	- secrets
	verbs:
	- get
	- list
	- watch
	- apiGroups:
	- extensions
	resources:
	- ingresses
	verbs:
	- get
	- list
	- watch
	- apiGroups:
	- extensions
	resources:
	- ingresses/status
	verbs:
	- update


	---
	kind: ClusterRoleBinding
	apiVersion: rbac.authorization.k8s.io/v1beta1
	metadata:
	name: traefik-ingress-controller
	roleRef:
	apiGroup: rbac.authorization.k8s.io
	kind: ClusterRole
	name: traefik-ingress-controller
	subjects:
	- kind: ServiceAccount
	name: traefik-ingress-controller
	namespace: kube-system


	# Daemonset and Service
	# -----------------------------------------------------

	---
	apiVersion: v1
	kind: ServiceAccount
	metadata:
	name: traefik-ingress-controller
	namespace: kube-system

	---
	apiVersion: v1
	kind: ConfigMap
	metadata:
	name: traefik-conf
	namespace: kube-system
	data:
	traefik.toml: \|
	[kubernetes]
	[kubernetes.ingressEndpoint]
	publishedService = "kube-system/traefik-ingress-controller"


	---
	kind: DaemonSet
	apiVersion: extensions/v1beta1
	metadata:
	name: traefik-ingress-controller
	namespace: kube-system
	labels:
	k8s-app: traefik-ingress-lb
	spec:
	template:
	metadata:
	labels:
	k8s-app: traefik-ingress-lb
	name: traefik-ingress-lb
	spec:
	serviceAccountName: traefik-ingress-controller
	terminationGracePeriodSeconds: 60
	volumes:
	- name: config
	configMap:
	name: traefik-conf
	containers:
	- image: traefik:1.6.6
	name: traefik-ingress-lb
	volumeMounts:
	- mountPath: "/config"
	name: "config"
	ports:
	- name: http
	containerPort: 80
	hostPort: 80
	- name: admin
	containerPort: 8080
	hostPort: 8080
	securityContext:
	capabilities:
	drop:
	- ALL
	add:
	- NET_BIND_SERVICE
	args:
	- --configfile=/config/traefik.toml
	- --api
	- --kubernetes
	- --logLevel=INFO
	updateStrategy:
	type: RollingUpdate


	---
	kind: Service
	apiVersion: v1
	metadata:
	name: traefik-ingress-service
	namespace: kube-system
	annotations:
	#service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0
	service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:acm:us-west-2:xxxxxxx:certificate/xxxxxxxxxxxxxxx
	service.beta.kubernetes.io/aws-load-balancer-ssl-ports: 443,8080
	spec:
	type: LoadBalancer
	selector:
	k8s-app: traefik-ingress-lb
	ports:
	- protocol: TCP
	port: 80
	name: web
	- protocol: TCP
	port: 443
	targetPort: 80
	name: tls-web
	- protocol: TCP
	port: 8080
	name: admin


	# Traefik UI/Dashboard
	# -----------------------------------------------------

	---
	apiVersion: v1
	kind: Service
	metadata:
	name: traefik-web-ui
	namespace: kube-system
	spec:
	selector:
	k8s-app: traefik-ingress-lb
	ports:
	- name: web
	port: 80
	targetPort: 8080


	---
	apiVersion: extensions/v1beta1
	kind: Ingress
	metadata:
	name: traefik-web-ui
	namespace: kube-system
	spec:
	rules:
	- host: traefik-ui.example.com
	http:
	paths:
	- path: /
	backend:
	serviceName: traefik-web-ui
	servicePort: web