From 01b960e529fd2f4d7ec03f514a91a3a703d2c128 Mon Sep 17 00:00:00 2001 From: Branden Rolston Date: Fri, 12 Jun 2020 16:45:55 -0700 Subject: [PATCH 1/6] Bump traefik addon revision This adds a missing bump to a prior revision of the Traefik addon. --- addons/traefik/1.7.x/traefik-11.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/addons/traefik/1.7.x/traefik-11.yaml b/addons/traefik/1.7.x/traefik-11.yaml index 50525208..8dcec7dd 100644 --- a/addons/traefik/1.7.x/traefik-11.yaml +++ b/addons/traefik/1.7.x/traefik-11.yaml @@ -7,7 +7,7 @@ metadata: kubeaddons.mesosphere.io/name: traefik kubeaddons.mesosphere.io/provides: ingresscontroller annotations: - catalog.kubeaddons.mesosphere.io/addon-revision: "1.7.23-10" + catalog.kubeaddons.mesosphere.io/addon-revision: "1.7.23-11" appversion.kubeaddons.mesosphere.io/traefik: "1.7.23" endpoint.kubeaddons.mesosphere.io/traefik: "/ops/portal/traefik" docs.kubeaddons.mesosphere.io/traefik: "https://docs.traefik.io/v1.7" From 3d27b433c02a69dcd17670f23ac670fa2111229e Mon Sep 17 00:00:00 2001 From: Branden Rolston Date: Fri, 12 Jun 2020 16:45:33 -0700 Subject: [PATCH 2/6] Add new traefik addon revision --- addons/traefik/1.7.x/traefik-12.yaml | 105 +++++++++++++++++++++++++++ 1 file changed, 105 insertions(+) create mode 100644 addons/traefik/1.7.x/traefik-12.yaml diff --git a/addons/traefik/1.7.x/traefik-12.yaml b/addons/traefik/1.7.x/traefik-12.yaml new file mode 100644 index 00000000..8dcec7dd --- /dev/null +++ b/addons/traefik/1.7.x/traefik-12.yaml 
@@ -0,0 +1,105 @@ +--- +apiVersion: kubeaddons.mesosphere.io/v1beta1 +kind: ClusterAddon +metadata: + name: traefik + labels: + kubeaddons.mesosphere.io/name: traefik + kubeaddons.mesosphere.io/provides: ingresscontroller + annotations: + catalog.kubeaddons.mesosphere.io/addon-revision: "1.7.23-11" + appversion.kubeaddons.mesosphere.io/traefik: "1.7.23" + endpoint.kubeaddons.mesosphere.io/traefik: "/ops/portal/traefik" + docs.kubeaddons.mesosphere.io/traefik: "https://docs.traefik.io/v1.7" + values.chart.helm.kubeaddons.mesosphere.io/traefik: "https://raw.githubusercontent.com/mesosphere/charts/00b019ef3610ca8221a8cf283b4d7046a50702c4/staging/traefik/values.yaml" +spec: + kubernetes: + minSupportedVersion: v1.15.6 + requires: + - matchLabels: + kubeaddons.mesosphere.io/name: cert-manager + chartReference: + chart: traefik + repo: https://mesosphere.github.io/charts/staging + version: 1.72.19 + values: | + --- + replicas: 2 + service: + labels: + servicemonitor.kubeaddons.mesosphere.io/path: "metrics" + resources: + limits: + cpu: 1000m + requests: + cpu: 500m + rbac: + enabled: true + metrics: + prometheus: + enabled: true + dashboard: + enabled: true + domain: "" + serviceType: ClusterIP + ingress: + path: /ops/portal/traefik + annotations: + kubernetes.io/ingress.class: traefik + traefik.frontend.rule.type: PathPrefixStrip + traefik.ingress.kubernetes.io/auth-response-headers: X-Forwarded-User,Authorization,Impersonate-User,Impersonate-Group + traefik.ingress.kubernetes.io/auth-type: forward + traefik.ingress.kubernetes.io/auth-url: http://traefik-forward-auth-kubeaddons.kubeaddons.svc.cluster.local:4181/ + traefik.ingress.kubernetes.io/priority: "2" + kubernetes: + ingressEndpoint: + publishedService: "kubeaddons/traefik-kubeaddons" + ssl: + enabled: true + enforced: true + # TODO: This comment is no longer true. + # dex service is exposed with TLS certificate signed by self signed root + # Dex CA certificate. 
It is not clear if traefik supports configuring + # trusted certificates per backend. This should be investiaged in a + # separate issue. + # See: https://jira.mesosphere.com/browse/DCOS-56033 + insecureSkipVerify: true + # We use cert-manager to automate certificate management thus we + # do not need the default cert secret. + useCertManager: true + deploymentAnnotations: + # Watching this CM will trigger traefik init container that updates certificate + # object with new DNS names. That will cascade secret update which will trigger + # another reload. + configmap.reloader.stakater.com/reload: konvoyconfig-kubeaddons + secret.reloader.stakater.com/reload: traefik-kubeaddons-certificate + + initContainers: + - name: initialize-traefik-certificate + image: mesosphere/kubeaddons-addon-initializer:v0.2.10 + args: ["traefik"] + env: + - name: "TRAEFIK_INGRESS_NAMESPACE" + value: "kubeaddons" + - name: "TRAEFIK_INGRESS_SERVICE_NAME" + value: "traefik-kubeaddons" + - name: "TRAEFIK_INGRESS_CERTIFICATE_NAME" + value: "traefik-kubeaddons" + - name: "TRAEFIK_INGRESS_CERTIFICATE_ISSUER" + value: "kubernetes-ca" + - name: "TRAEFIK_INGRESS_CERTIFICATE_SECRET_NAME" + value: "traefik-kubeaddons-certificate" + - name: "TRAEFIK_KONVOY_ADDONS_CONFIG_MAP" + value: "konvoyconfig-kubeaddons" + - name: "TRAEFIK_CLUSTER_HOSTNAME_KEY" + value: "clusterHostname" + + initCertJobImage: mesosphere/kubeaddons-addon-initializer:v0.2.10 + extraServicePorts: + - name: velero-minio + port: 9000 + protocol: TCP + targetPort: 9000 + extraSSLEntrypoints: + velero-minio: + address: ":9000" From 4f48772db6442aa374a51362bdafd490967abf54 Mon Sep 17 00:00:00 2001 From: Branden Rolston Date: Mon, 15 Jun 2020 17:06:18 -0700 Subject: [PATCH 3/6] Bump traefik addon revision --- addons/traefik/1.7.x/traefik-12.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/addons/traefik/1.7.x/traefik-12.yaml b/addons/traefik/1.7.x/traefik-12.yaml index 8dcec7dd..3e7761dc 100644 
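Review bot: `insecureSkipVerify: true` under `ssl:` in the new traefik-12.yaml keeps backend certificate verification switched off, while the comment above it now opens with "TODO: This comment is no longer true", so the file no longer records any reason for the setting. With verification off, Traefik accepts whatever certificate a backend presents, so TLS towards backends does not authenticate them. If the Dex self-signed-CA constraint described in the old comment is gone, set `insecureSkipVerify: false`, supplying the issuing CA to Traefik as a trusted root if backends still need one. Otherwise replace the stale TODO with the current justification, e.g. `# insecureSkipVerify stays on because <reason>; tracked in <issue>`.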
--- a/addons/traefik/1.7.x/traefik-12.yaml +++ b/addons/traefik/1.7.x/traefik-12.yaml @@ -7,7 +7,7 @@ metadata: kubeaddons.mesosphere.io/name: traefik kubeaddons.mesosphere.io/provides: ingresscontroller annotations: - catalog.kubeaddons.mesosphere.io/addon-revision: "1.7.23-11" + catalog.kubeaddons.mesosphere.io/addon-revision: "1.7.23-12" appversion.kubeaddons.mesosphere.io/traefik: "1.7.23" endpoint.kubeaddons.mesosphere.io/traefik: "/ops/portal/traefik" docs.kubeaddons.mesosphere.io/traefik: "https://docs.traefik.io/v1.7" From a7f4bef4ab6a850f65343dc431761c349d0bd92a Mon Sep 17 00:00:00 2001 From: Branden Rolston Date: Fri, 12 Jun 2020 19:22:31 -0700 Subject: [PATCH 4/6] Configure Traefik for HA --- addons/traefik/1.7.x/traefik-12.yaml | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) diff --git a/addons/traefik/1.7.x/traefik-12.yaml b/addons/traefik/1.7.x/traefik-12.yaml index 3e7761dc..34ffc082 100644 --- a/addons/traefik/1.7.x/traefik-12.yaml +++ b/addons/traefik/1.7.x/traefik-12.yaml @@ -24,7 +24,32 @@ spec: version: 1.72.19 values: | --- + # Configure Traefik for HA. replicas: 2 + podDisruptionBudget: + minAvailable: 1 + # Distribute pods to tolerate node or zone failure. + affinity: + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 1 + podAffinityTerm: + labelSelector: + matchExpressions: + - key: release + operator: In + values: + - traefik-kubeaddons + topologyKey: kubernetes.io/hostname + - weight: 1 + podAffinityTerm: + labelSelector: + matchExpressions: + - key: release + operator: In + values: + - traefik-kubeaddons + topologyKey: topology.kubernetes.io/zone service: labels: servicemonitor.kubeaddons.mesosphere.io/path: "metrics" From 392e19e7c5215ea203fcfed551362450be7f8873 Mon Sep 17 00:00:00 2001 
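Review bot: The comment `# Distribute pods to tolerate node or zone failure.` promises more than the rule beneath it delivers. Both terms sit under `preferredDuringSchedulingIgnoredDuringExecution` with `weight: 1`, so the scheduler can still place both replicas on one node or in one zone when other scoring outweighs the preference. Since this is the cluster's ingress path, either state that in the comment, e.g. `# Prefer spreading pods across nodes and zones (best effort, not enforced).`, or move the hostname term to `requiredDuringSchedulingIgnoredDuringExecution` if co-location is unacceptable. The `values:` block continues outside this hunk.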
From: Branden Rolston Date: Mon, 15 Jun 2020 17:07:55 -0700 Subject: [PATCH 5/6] Use deprecated zone label This label is deprecated in k8s 1.17, but is supported on older versions that are supported by this addon. --- addons/traefik/1.7.x/traefik-12.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/addons/traefik/1.7.x/traefik-12.yaml b/addons/traefik/1.7.x/traefik-12.yaml index 34ffc082..330bbb11 100644 --- a/addons/traefik/1.7.x/traefik-12.yaml +++ b/addons/traefik/1.7.x/traefik-12.yaml @@ -49,7 +49,7 @@ spec: operator: In values: - traefik-kubeaddons - topologyKey: topology.kubernetes.io/zone + topologyKey: failure-domain.beta.kubernetes.io/zone service: labels: servicemonitor.kubeaddons.mesosphere.io/path: "metrics" From be789c5163a47942b356fdaefad7775a173f94e9 Mon Sep 17 00:00:00 2001 From: Branden Rolston Date: Mon, 15 Jun 2020 17:18:43 -0700 Subject: [PATCH 6/6] Set custom label to use for affinity --- addons/traefik/1.7.x/traefik-12.yaml | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/addons/traefik/1.7.x/traefik-12.yaml b/addons/traefik/1.7.x/traefik-12.yaml index 330bbb11..32f2f25e 100644 --- a/addons/traefik/1.7.x/traefik-12.yaml +++ b/addons/traefik/1.7.x/traefik-12.yaml @@ -36,20 +36,23 @@ spec: podAffinityTerm: labelSelector: matchExpressions: - - key: release + - key: kubeaddons.mesosphere.io/name operator: In values: - - traefik-kubeaddons + - traefik topologyKey: kubernetes.io/hostname - weight: 1 podAffinityTerm: labelSelector: matchExpressions: - - key: release + - key: kubeaddons.mesosphere.io/name operator: In values: - - traefik-kubeaddons + - traefik topologyKey: failure-domain.beta.kubernetes.io/zone + deployment: + podLabels: + kubeaddons.mesosphere.io/name: traefik service: labels: servicemonitor.kubeaddons.mesosphere.io/path: "metrics"
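Review bot: The reason for choosing `failure-domain.beta.kubernetes.io/zone` in the PATCH 5/6 hunk is recorded only in the commit message, so the next reader of the addon file sees a deprecated label with no explanation and may change it back. A comment above that `topologyKey` line would keep the intent with the code, e.g. `# Deprecated as of k8s 1.17, kept for older supported versions; move to topology.kubernetes.io/zone once minSupportedVersion allows.` The affinity block it belongs to starts outside the hunk.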