Created
April 15, 2020 23:55
-
-
Save undeadops/410c1ff771b757d19e2ac7515ccc097f to your computer and use it in GitHub Desktop.
Kubernetes ALB + Traefik Daemon Set Ingress Controller
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // Traefik Ingress controller ALB | |
| resource "aws_lb" "traefik" { | |
| name = "traefik-alb" | |
| internal = false | |
| load_balancer_type = "application" | |
| security_groups = [aws_security_group.traefik-ingress.id] | |
| subnets = data.terraform_remote_state.vpc.outputs.vpc-public-subnets | |
| enable_deletion_protection = true | |
| enable_cross_zone_load_balancing = false | |
| enable_http2 = true | |
| ip_address_type = "ipv4" | |
| access_logs { | |
| bucket = <s3_bucket> | |
| prefix = "ingress/traefik-ingress" | |
| enabled = true | |
| } | |
| tags = { | |
| Name = "traefik-ingress" | |
| } | |
| } | |
| resource "aws_lb_target_group" "traefik-http" { | |
| name = "traefik-http" | |
| port = 80 | |
| protocol = "HTTP" | |
| vpc_id = data.terraform_remote_state.vpc.outputs.vpc-id | |
| target_type = "instance" | |
| tags = { | |
| Name = "traefik-http" | |
| env = "dev" | |
| application_name = "traefik-ingress-controller" | |
| owner = "sre" | |
| } | |
| health_check { | |
| enabled = true | |
| interval = 30 | |
| healthy_threshold = 2 | |
| unhealthy_threshold = 2 | |
| protocol = "HTTP" | |
| port = "8080" | |
| path = "/ping" | |
| } | |
| } | |
| resource "aws_lb_target_group" "traefik-https" { | |
| name = "traefik-https" | |
| port = 443 | |
| protocol = "HTTPS" | |
| vpc_id = data.terraform_remote_state.vpc.outputs.vpc-id | |
| tags = { | |
| Name = "traefik-https" | |
| env = "dev" | |
| application_name = "traefik-ingress-controller" | |
| owner = "sre" | |
| } | |
| health_check { | |
| enabled = true | |
| interval = 30 | |
| healthy_threshold = 2 | |
| unhealthy_threshold = 2 | |
| protocol = "HTTP" | |
| port = "8080" | |
| path = "/ping" | |
| } | |
| } | |
| // Port 80 ALB Forward -> https [443] | |
| resource "aws_lb_listener" "traefik-http" { | |
| load_balancer_arn = aws_lb.traefik.arn | |
| port = "80" | |
| protocol = "HTTP" | |
| default_action { | |
| type = "redirect" | |
| redirect { | |
| port = "443" | |
| protocol = "HTTPS" | |
| status_code = "HTTP_301" | |
| } | |
| } | |
| } | |
| // HTTPS Listener | |
| resource "aws_lb_listener" "traefik-https" { | |
| load_balancer_arn = aws_lb.traefik.arn | |
| port = "443" | |
| protocol = "HTTPS" | |
| ssl_policy = "ELBSecurityPolicy-TLS-1-2-Ext-2018-06" | |
| certificate_arn = "<default_certificate_arn>" | |
| default_action { | |
| type = "forward" | |
| target_group_arn = aws_lb_target_group.traefik-http.arn | |
| } | |
| } | |
| // Additional HTTPS Certs | |
| resource "aws_lb_listener_certificate" "wildcard-foobar" { | |
| listener_arn = aws_lb_listener.traefik-https.arn | |
| certificate_arn = "<certificate_ARN>" | |
| } | |
| resource "aws_lb_listener_certificate" "wildcard-cert" { | |
| listener_arn = aws_lb_listener.traefik-https.arn | |
| certificate_arn = "<certificate_ARN>" | |
| } | |
| resource "aws_lb_listener_certificate" "example-cert" { | |
| listener_arn = aws_lb_listener.traefik-https.arn | |
| certificate_arn = "<certificate_ARN>" | |
| } | |
| // Security Group | |
| resource "aws_security_group" "traefik-ingress" { | |
| name = "traefik-ingress" | |
| description = "Traefik Ingress" | |
| vpc_id = data.terraform_remote_state.vpc.outputs.vpc-id | |
| ingress { | |
| from_port = 80 | |
| to_port = 80 | |
| protocol = "tcp" | |
| cidr_blocks = ["0.0.0.0/0"] | |
| ipv6_cidr_blocks = ["::/0"] | |
| } | |
| ingress { | |
| from_port = 443 | |
| to_port = 443 | |
| protocol = "tcp" | |
| cidr_blocks = ["0.0.0.0/0"] | |
| ipv6_cidr_blocks = ["::/0"] | |
| } | |
| egress { | |
| from_port = 0 | |
| to_port = 0 | |
| protocol = "-1" | |
| cidr_blocks = ["0.0.0.0/0"] | |
| } | |
| tags = { | |
| Name = "traefik-ingress" | |
| } | |
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --- | |
| kind: DaemonSet | |
| apiVersion: apps/v1 | |
| metadata: | |
| name: traefik-ingress-controller | |
| namespace: traefik | |
| labels: | |
| k8s-app: traefik-ingress | |
| spec: | |
| selector: | |
| matchLabels: | |
| k8s-app: traefik-ingress | |
| name: traefik-ingress | |
| template: | |
| metadata: | |
| labels: | |
| k8s-app: traefik-ingress | |
| name: traefik-ingress | |
| spec: | |
| serviceAccountName: traefik | |
| terminationGracePeriodSeconds: 60 | |
| hostNetwork: true | |
| containers: | |
| - image: traefik:v2.2 | |
| name: traefik | |
| ports: | |
| - name: http | |
| containerPort: 80 | |
| hostPort: 80 | |
| - name: https | |
| containerPort: 443 | |
| hostPort: 443 | |
| - name: admin | |
| containerPort: 8080 | |
| hostPort: 8080 | |
| securityContext: | |
| capabilities: | |
| drop: | |
| - ALL | |
| add: | |
| - NET_BIND_SERVICE | |
| args: | |
| - --api | |
| - --api.dashboard=true | |
| - --api.insecure=true | |
| - --ping=true | |
| - --providers.kubernetesingress=true | |
| - --providers.kubernetesingress.ingressclass=traefik | |
| - --providers.kubernetesingress.ingressendpoint.hostname=<ALB ENDPOINT DNS NAME> | |
| - --providers.kubernetescrd.ingressclass=traefik | |
| - --entryPoints.web.address=:80 | |
| - --entryPoints.web.forwardedHeaders.trustedIPs=127.0.0.1/32,10.1.0.0/24,10.1.1.0/24,10.1.2.0/24 | |
| - --metrics.prometheus=true | |
| #- --log.level=INFO | |
| - --log.level=DEBUG | |
| - --log.format=json | |
| # enable access log | |
| - --accesslog=true | |
| - --accesslog.fields.defaultmode=keep | |
| - --accesslog.fields.headers.defaultmode=keep | |
| # write logs into container STDOUT | |
| # - --accesslog.filepath=/dev/stdout | |
| - --accesslog.format=json | |
| # Check for updates | |
| - --global.checknewversion=true | |
| readinessProbe: | |
| httpGet: | |
| path: /ping | |
| port: 8080 | |
| initialDelaySeconds: 2 | |
| timeoutSeconds: 2 | |
| periodSeconds: 10 | |
| failureThreshold: 4 | |
| livenessProbe: | |
| httpGet: | |
| path: /ping | |
| port: 8080 | |
| initialDelaySeconds: 6 | |
| timeoutSeconds: 2 | |
| periodSeconds: 10 | |
| failureThreshold: 6 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --- | |
| apiVersion: networking.k8s.io/v1beta1 | |
| kind: Ingress | |
| metadata: | |
| name: webby | |
| namespace: webby | |
| annotations: | |
| kubernetes.io/ingress.class: "traefik" | |
| traefik.ingress.kubernetes.io/router.middlewares: webby-ratelimit@kubernetescrd | |
| spec: | |
| rules: | |
| - host: webby.example.com | |
| http: | |
| paths: | |
| - backend: | |
| serviceName: webby | |
| servicePort: 80 | |
| - host: webby.foobar.xyz | |
| http: | |
| paths: | |
| - backend: | |
| serviceName: webby | |
| servicePort: 80 | |
| --- | |
| apiVersion: traefik.containo.us/v1alpha1 | |
| kind: Middleware | |
| metadata: | |
| name: ratelimit | |
| namespace: webby | |
| spec: | |
| rateLimit: | |
| average: 1 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment