add brusnika prod istio ingress config
This commit is contained in:
parent
af4335cd9b
commit
cdde226e40
@ -1,9 +1,27 @@
|
||||
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||
kind: Kustomization
|
||||
resources:
|
||||
- ../../../infrastructure/istio-base
|
||||
- ../../../infrastructure/istio-pilot
|
||||
- ../../../infrastructure/istio-gateway
|
||||
- ../../../infrastructure/istio-config
|
||||
- ../../../infrastructure/vault
|
||||
- ./vault-ingress.yaml
|
||||
patches:
|
||||
- path: ./patches/istio-gateway.yaml
|
||||
target:
|
||||
group: helm.toolkit.fluxcd.io
|
||||
version: v2
|
||||
kind: HelmRelease
|
||||
name: ingressgateway
|
||||
namespace: istio-system
|
||||
- path: ./patches/istio-config.yaml
|
||||
target:
|
||||
group: helm.toolkit.fluxcd.io
|
||||
version: v2
|
||||
kind: HelmRelease
|
||||
name: istio-config
|
||||
namespace: default
|
||||
- path: ./patches/vault.yaml
|
||||
target:
|
||||
group: helm.toolkit.fluxcd.io
|
||||
|
||||
611
clusters/brusnika-prod/infrastructure/patches/istio-config.yaml
Normal file
611
clusters/brusnika-prod/infrastructure/patches/istio-config.yaml
Normal file
@ -0,0 +1,611 @@
|
||||
apiVersion: helm.toolkit.fluxcd.io/v2
|
||||
kind: HelmRelease
|
||||
metadata:
|
||||
name: istio-config
|
||||
namespace: default
|
||||
spec:
|
||||
values:
|
||||
global:
|
||||
env: brusnika-prod
|
||||
environments:
|
||||
brusnika-prod:
|
||||
namespaces: []
|
||||
certManager:
|
||||
clusterIssuers: {}
|
||||
certificates:
|
||||
argocd-secret-name:
|
||||
namespace: ingress-nginx
|
||||
dnsNames:
|
||||
- argocd.brusnika.onprem.sarex.io
|
||||
issuerRef:
|
||||
name: letsencrypt
|
||||
kind: ClusterIssuer
|
||||
camunda-identity-tls:
|
||||
namespace: ingress-nginx
|
||||
dnsNames:
|
||||
- identity.camunda.cde.brusnika.ru
|
||||
issuerRef:
|
||||
name: letsencrypt
|
||||
kind: ClusterIssuer
|
||||
keycloak.camunda.cde.brusnika.ru-tls:
|
||||
namespace: ingress-nginx
|
||||
dnsNames:
|
||||
- keycloak.camunda.cde.brusnika.ru
|
||||
issuerRef:
|
||||
name: letsencrypt
|
||||
kind: ClusterIssuer
|
||||
camunda-platform-operate-tls:
|
||||
namespace: ingress-nginx
|
||||
dnsNames:
|
||||
- operate.camunda.cde.brusnika.ru
|
||||
issuerRef:
|
||||
name: letsencrypt
|
||||
kind: ClusterIssuer
|
||||
camunda-optimize-tls:
|
||||
namespace: ingress-nginx
|
||||
dnsNames:
|
||||
- optimize.camunda.cde.brusnika.ru
|
||||
issuerRef:
|
||||
name: letsencrypt
|
||||
kind: ClusterIssuer
|
||||
camunda-platform-tasklist-tls:
|
||||
namespace: ingress-nginx
|
||||
dnsNames:
|
||||
- tasklist.camunda.cde.brusnika.ru
|
||||
issuerRef:
|
||||
name: letsencrypt
|
||||
kind: ClusterIssuer
|
||||
yet-another-nginx-secret-name:
|
||||
namespace: ingress-nginx
|
||||
dnsNames:
|
||||
- document-link.cde.brusnika.ru
|
||||
- cde.brusnika.ru
|
||||
- rabbitmq.cde.brusnika.ru
|
||||
issuerRef:
|
||||
name: letsencrypt
|
||||
kind: ClusterIssuer
|
||||
tls-secret-for-qr:
|
||||
namespace: ingress-nginx
|
||||
dnsNames:
|
||||
- stamp-verification.cde.brusnika.ru
|
||||
issuerRef:
|
||||
name: letsencrypt
|
||||
kind: ClusterIssuer
|
||||
gitea-prod-tls:
|
||||
namespace: ingress-nginx
|
||||
dnsNames:
|
||||
- gitea.prod.brusnika.sarex.lonsdaleites.ru
|
||||
issuerRef:
|
||||
name: letsencrypt
|
||||
kind: ClusterIssuer
|
||||
jupyter-cert-secret:
|
||||
namespace: ingress-nginx
|
||||
dnsNames:
|
||||
- jupyter.brusnika.onprem.sarex.io
|
||||
issuerRef:
|
||||
name: letsencrypt
|
||||
kind: ClusterIssuer
|
||||
dashboard-secret-name:
|
||||
namespace: ingress-nginx
|
||||
dnsNames:
|
||||
- dashboard.brusnika.onprem.sarex.io
|
||||
issuerRef:
|
||||
name: letsencrypt
|
||||
kind: ClusterIssuer
|
||||
brusnika-secret-name:
|
||||
namespace: ingress-nginx
|
||||
dnsNames:
|
||||
- minio.brusnika.onprem.sarex.io
|
||||
issuerRef:
|
||||
name: letsencrypt
|
||||
kind: ClusterIssuer
|
||||
projects-secret-name:
|
||||
namespace: ingress-nginx
|
||||
dnsNames:
|
||||
- sso.brusnika.onprem.sarex.io
|
||||
issuerRef:
|
||||
name: letsencrypt
|
||||
kind: ClusterIssuer
|
||||
superset-tls-secret:
|
||||
namespace: ingress-nginx
|
||||
dnsNames:
|
||||
- superset.cde.brusnika.ru
|
||||
issuerRef:
|
||||
name: letsencrypt
|
||||
kind: ClusterIssuer
|
||||
vault-prod-tls:
|
||||
namespace: ingress-nginx
|
||||
dnsNames:
|
||||
- vault.prod.brusnika.sarex.lonsdaleites.ru
|
||||
issuerRef:
|
||||
name: letsencrypt
|
||||
kind: ClusterIssuer
|
||||
istio:
|
||||
envoyFilters: {}
|
||||
authorizationPolicies: {}
|
||||
requestAuthentications: {}
|
||||
gateways:
|
||||
argocd:
|
||||
name: argocd-gw
|
||||
namespace: ingress-nginx
|
||||
selector:
|
||||
istio: ingressgateway
|
||||
servers:
|
||||
- hosts:
|
||||
- argocd.brusnika.onprem.sarex.io
|
||||
tls:
|
||||
credentialName: argocd-secret-name
|
||||
camunda-identity:
|
||||
name: camunda-identity-gw
|
||||
namespace: ingress-nginx
|
||||
selector:
|
||||
istio: ingressgateway
|
||||
servers:
|
||||
- hosts:
|
||||
- identity.camunda.cde.brusnika.ru
|
||||
tls:
|
||||
credentialName: camunda-identity-tls
|
||||
camunda-keycloak:
|
||||
name: camunda-keycloak-gw
|
||||
namespace: ingress-nginx
|
||||
selector:
|
||||
istio: ingressgateway
|
||||
servers:
|
||||
- hosts:
|
||||
- keycloak.camunda.cde.brusnika.ru
|
||||
tls:
|
||||
credentialName: keycloak.camunda.cde.brusnika.ru-tls
|
||||
camunda-operate:
|
||||
name: camunda-operate-gw
|
||||
namespace: ingress-nginx
|
||||
selector:
|
||||
istio: ingressgateway
|
||||
servers:
|
||||
- hosts:
|
||||
- operate.camunda.cde.brusnika.ru
|
||||
tls:
|
||||
credentialName: camunda-platform-operate-tls
|
||||
camunda-optimize:
|
||||
name: camunda-optimize-gw
|
||||
namespace: ingress-nginx
|
||||
selector:
|
||||
istio: ingressgateway
|
||||
servers:
|
||||
- hosts:
|
||||
- optimize.camunda.cde.brusnika.ru
|
||||
tls:
|
||||
credentialName: camunda-optimize-tls
|
||||
camunda-tasklist:
|
||||
name: camunda-tasklist-gw
|
||||
namespace: ingress-nginx
|
||||
selector:
|
||||
istio: ingressgateway
|
||||
servers:
|
||||
- hosts:
|
||||
- tasklist.camunda.cde.brusnika.ru
|
||||
tls:
|
||||
credentialName: camunda-platform-tasklist-tls
|
||||
document-link:
|
||||
name: document-link-gw
|
||||
namespace: ingress-nginx
|
||||
selector:
|
||||
istio: ingressgateway
|
||||
servers:
|
||||
- hosts:
|
||||
- document-link.cde.brusnika.ru
|
||||
tls:
|
||||
credentialName: yet-another-nginx-secret-name
|
||||
stamp-verification:
|
||||
name: stamp-verification-gw
|
||||
namespace: ingress-nginx
|
||||
selector:
|
||||
istio: ingressgateway
|
||||
servers:
|
||||
- hosts:
|
||||
- stamp-verification.cde.brusnika.ru
|
||||
tls:
|
||||
credentialName: tls-secret-for-qr
|
||||
gitea:
|
||||
name: gitea-gw
|
||||
namespace: ingress-nginx
|
||||
selector:
|
||||
istio: ingressgateway
|
||||
servers:
|
||||
- hosts:
|
||||
- gitea.prod.brusnika.sarex.lonsdaleites.ru
|
||||
tls:
|
||||
credentialName: gitea-prod-tls
|
||||
global-cde:
|
||||
name: global-cde-gw
|
||||
namespace: ingress-nginx
|
||||
selector:
|
||||
istio: ingressgateway
|
||||
servers:
|
||||
- hosts:
|
||||
- cde.brusnika.ru
|
||||
tls:
|
||||
credentialName: yet-another-nginx-secret-name
|
||||
jupyter:
|
||||
name: jupyter-gw
|
||||
namespace: ingress-nginx
|
||||
selector:
|
||||
istio: ingressgateway
|
||||
servers:
|
||||
- hosts:
|
||||
- jupyter.brusnika.onprem.sarex.io
|
||||
tls:
|
||||
credentialName: jupyter-cert-secret
|
||||
dashboard:
|
||||
name: dashboard-gw
|
||||
namespace: ingress-nginx
|
||||
selector:
|
||||
istio: ingressgateway
|
||||
servers:
|
||||
- hosts:
|
||||
- dashboard.brusnika.onprem.sarex.io
|
||||
tls:
|
||||
credentialName: dashboard-secret-name
|
||||
minio:
|
||||
name: minio-gw
|
||||
namespace: ingress-nginx
|
||||
selector:
|
||||
istio: ingressgateway
|
||||
servers:
|
||||
- hosts:
|
||||
- minio.brusnika.onprem.sarex.io
|
||||
tls:
|
||||
credentialName: brusnika-secret-name
|
||||
sso-check:
|
||||
name: sso-check-gw
|
||||
namespace: ingress-nginx
|
||||
selector:
|
||||
istio: ingressgateway
|
||||
servers:
|
||||
- hosts:
|
||||
- sso.brusnika.onprem.sarex.io
|
||||
tls:
|
||||
credentialName: projects-secret-name
|
||||
superset:
|
||||
name: superset-gw
|
||||
namespace: ingress-nginx
|
||||
selector:
|
||||
istio: ingressgateway
|
||||
servers:
|
||||
- hosts:
|
||||
- superset.cde.brusnika.ru
|
||||
tls:
|
||||
credentialName: superset-tls-secret
|
||||
vault:
|
||||
name: vault-gw
|
||||
namespace: ingress-nginx
|
||||
selector:
|
||||
istio: ingressgateway
|
||||
servers:
|
||||
- hosts:
|
||||
- vault.prod.brusnika.sarex.lonsdaleites.ru
|
||||
tls:
|
||||
credentialName: vault-prod-tls
|
||||
rabbitmq:
|
||||
name: rabbitmq-gw
|
||||
namespace: ingress-nginx
|
||||
selector:
|
||||
istio: ingressgateway
|
||||
servers:
|
||||
- hosts:
|
||||
- rabbitmq.cde.brusnika.ru
|
||||
tls:
|
||||
credentialName: yet-another-nginx-secret-name
|
||||
virtualServices:
|
||||
argocd-vs:
|
||||
namespace: argocd
|
||||
hosts:
|
||||
- argocd.brusnika.onprem.sarex.io
|
||||
gateways:
|
||||
- ingress-nginx/argocd-gw
|
||||
cors:
|
||||
allowOrigins:
|
||||
- regex: ".*"
|
||||
routes:
|
||||
- match:
|
||||
- port: 80
|
||||
uri:
|
||||
prefix: /
|
||||
redirect:
|
||||
scheme: https
|
||||
redirectCode: 308
|
||||
- path:
|
||||
prefix: /
|
||||
service: argocd-server.argocd.svc.cluster.local
|
||||
port: 80
|
||||
camunda-identity-vs:
|
||||
namespace: camunda
|
||||
hosts:
|
||||
- identity.camunda.cde.brusnika.ru
|
||||
gateways:
|
||||
- ingress-nginx/camunda-identity-gw
|
||||
routes:
|
||||
- path:
|
||||
prefix: /
|
||||
service: camunda-identity.camunda.svc.cluster.local
|
||||
port: 80
|
||||
camunda-keycloak-vs:
|
||||
namespace: camunda
|
||||
hosts:
|
||||
- keycloak.camunda.cde.brusnika.ru
|
||||
gateways:
|
||||
- ingress-nginx/camunda-keycloak-gw
|
||||
routes:
|
||||
- match:
|
||||
- port: 80
|
||||
uri:
|
||||
prefix: /auth/
|
||||
redirect:
|
||||
scheme: https
|
||||
redirectCode: 308
|
||||
- path:
|
||||
prefix: /auth/
|
||||
service: camunda-keycloak.camunda.svc.cluster.local
|
||||
port: 80
|
||||
camunda-operate-vs:
|
||||
namespace: camunda
|
||||
hosts:
|
||||
- operate.camunda.cde.brusnika.ru
|
||||
gateways:
|
||||
- ingress-nginx/camunda-operate-gw
|
||||
routes:
|
||||
- path:
|
||||
prefix: /
|
||||
service: camunda-operate.camunda.svc.cluster.local
|
||||
port: 80
|
||||
camunda-optimize-vs:
|
||||
namespace: camunda
|
||||
hosts:
|
||||
- optimize.camunda.cde.brusnika.ru
|
||||
gateways:
|
||||
- ingress-nginx/camunda-optimize-gw
|
||||
routes:
|
||||
- path:
|
||||
prefix: /
|
||||
service: camunda-optimize.camunda.svc.cluster.local
|
||||
port: 80
|
||||
camunda-tasklist-vs:
|
||||
namespace: camunda
|
||||
hosts:
|
||||
- tasklist.camunda.cde.brusnika.ru
|
||||
gateways:
|
||||
- ingress-nginx/camunda-tasklist-gw
|
||||
routes:
|
||||
- path:
|
||||
prefix: /
|
||||
service: camunda-tasklist.camunda.svc.cluster.local
|
||||
port: 80
|
||||
document-link-vs:
|
||||
namespace: documentations
|
||||
hosts:
|
||||
- document-link.cde.brusnika.ru
|
||||
gateways:
|
||||
- ingress-nginx/document-link-gw
|
||||
cors:
|
||||
allowOrigins:
|
||||
- regex: ".*"
|
||||
routes:
|
||||
- match:
|
||||
- port: 80
|
||||
uri:
|
||||
prefix: /
|
||||
redirect:
|
||||
scheme: https
|
||||
redirectCode: 308
|
||||
- path:
|
||||
prefix: /
|
||||
service: frontend-service-public-link.documentations.svc.cluster.local
|
||||
port: 80
|
||||
stamp-verification-vs:
|
||||
namespace: documentations
|
||||
hosts:
|
||||
- stamp-verification.cde.brusnika.ru
|
||||
gateways:
|
||||
- ingress-nginx/stamp-verification-gw
|
||||
cors:
|
||||
allowOrigins:
|
||||
- regex: ".*"
|
||||
routes:
|
||||
- match:
|
||||
- port: 80
|
||||
uri:
|
||||
prefix: /
|
||||
redirect:
|
||||
scheme: https
|
||||
redirectCode: 308
|
||||
- path:
|
||||
prefix: /
|
||||
service: stamp-verification-frontend-service.documentations.svc.cluster.local
|
||||
port: 8080
|
||||
gitea-vs:
|
||||
namespace: gitea
|
||||
hosts:
|
||||
- gitea.prod.brusnika.sarex.lonsdaleites.ru
|
||||
gateways:
|
||||
- ingress-nginx/gitea-gw
|
||||
routes:
|
||||
- match:
|
||||
- port: 80
|
||||
uri:
|
||||
prefix: /
|
||||
redirect:
|
||||
scheme: https
|
||||
redirectCode: 308
|
||||
- path:
|
||||
prefix: /
|
||||
service: gitea.gitea.svc.cluster.local
|
||||
port: 3000
|
||||
global-cde-vs:
|
||||
namespace: global-ingress
|
||||
hosts:
|
||||
- cde.brusnika.ru
|
||||
gateways:
|
||||
- ingress-nginx/global-cde-gw
|
||||
cors:
|
||||
allowOrigins:
|
||||
- exact: https://cde.brusnika.ru
|
||||
- exact: https://stamp-verification.cde.brusnika.ru
|
||||
- exact: https://document-link.cde.brusnika.ru
|
||||
routes:
|
||||
- match:
|
||||
- port: 80
|
||||
uri:
|
||||
prefix: /
|
||||
redirect:
|
||||
scheme: https
|
||||
redirectCode: 308
|
||||
- path:
|
||||
prefix: /integration/
|
||||
service: yet-another-nginx-service.global-ingress.svc.cluster.local
|
||||
port: 80
|
||||
- path:
|
||||
prefix: /
|
||||
service: nginx-service.global-ingress.svc.cluster.local
|
||||
port: 80
|
||||
jupyter-vs:
|
||||
namespace: jupyter
|
||||
hosts:
|
||||
- jupyter.brusnika.onprem.sarex.io
|
||||
gateways:
|
||||
- ingress-nginx/jupyter-gw
|
||||
cors:
|
||||
allowOrigins:
|
||||
- regex: ".*"
|
||||
routes:
|
||||
- match:
|
||||
- port: 80
|
||||
uri:
|
||||
prefix: /
|
||||
redirect:
|
||||
scheme: https
|
||||
redirectCode: 308
|
||||
- path:
|
||||
prefix: /
|
||||
service: jupyter.jupyter.svc.cluster.local
|
||||
port: 8888
|
||||
dashboard-vs:
|
||||
namespace: kubernetes-dashboard
|
||||
hosts:
|
||||
- dashboard.brusnika.onprem.sarex.io
|
||||
gateways:
|
||||
- ingress-nginx/dashboard-gw
|
||||
cors:
|
||||
allowOrigins:
|
||||
- regex: ".*"
|
||||
routes:
|
||||
- match:
|
||||
- port: 80
|
||||
uri:
|
||||
prefix: /
|
||||
redirect:
|
||||
scheme: https
|
||||
redirectCode: 308
|
||||
- path:
|
||||
prefix: /
|
||||
service: kubernetes-dashboard.kubernetes-dashboard.svc.cluster.local
|
||||
port: 80
|
||||
minio-vs:
|
||||
namespace: minio
|
||||
hosts:
|
||||
- minio.brusnika.onprem.sarex.io
|
||||
gateways:
|
||||
- ingress-nginx/minio-gw
|
||||
cors:
|
||||
allowOrigins:
|
||||
- regex: ".*"
|
||||
routes:
|
||||
- match:
|
||||
- port: 80
|
||||
uri:
|
||||
prefix: /
|
||||
redirect:
|
||||
scheme: https
|
||||
redirectCode: 308
|
||||
- path:
|
||||
prefix: /
|
||||
service: minio-console-service.minio.svc.cluster.local
|
||||
port: 80
|
||||
sso-check-vs:
|
||||
namespace: sso-check
|
||||
hosts:
|
||||
- sso.brusnika.onprem.sarex.io
|
||||
gateways:
|
||||
- ingress-nginx/sso-check-gw
|
||||
cors:
|
||||
allowOrigins:
|
||||
- regex: ".*"
|
||||
routes:
|
||||
- match:
|
||||
- port: 80
|
||||
uri:
|
||||
prefix: /
|
||||
redirect:
|
||||
scheme: https
|
||||
redirectCode: 308
|
||||
- path:
|
||||
prefix: /
|
||||
service: gatekeeper-service.sso-check.svc.cluster.local
|
||||
port: 80
|
||||
superset-vs:
|
||||
namespace: superset
|
||||
hosts:
|
||||
- superset.cde.brusnika.ru
|
||||
gateways:
|
||||
- ingress-nginx/superset-gw
|
||||
routes:
|
||||
- match:
|
||||
- port: 80
|
||||
uri:
|
||||
prefix: /
|
||||
redirect:
|
||||
scheme: https
|
||||
redirectCode: 308
|
||||
- path:
|
||||
prefix: /
|
||||
service: superset.superset.svc.cluster.local
|
||||
port: 8088
|
||||
vault-vs:
|
||||
namespace: vault
|
||||
hosts:
|
||||
- vault.prod.brusnika.sarex.lonsdaleites.ru
|
||||
gateways:
|
||||
- ingress-nginx/vault-gw
|
||||
routes:
|
||||
- match:
|
||||
- port: 80
|
||||
uri:
|
||||
prefix: /
|
||||
redirect:
|
||||
scheme: https
|
||||
redirectCode: 308
|
||||
- path:
|
||||
prefix: /
|
||||
service: vault-vault-contour.vault.svc.cluster.local
|
||||
port: 8200
|
||||
rabbitmq-vs:
|
||||
namespace: workflow
|
||||
hosts:
|
||||
- rabbitmq.cde.brusnika.ru
|
||||
gateways:
|
||||
- ingress-nginx/rabbitmq-gw
|
||||
cors:
|
||||
allowOrigins:
|
||||
- exact: https://cde.brusnika.ru
|
||||
- exact: https://stamp-verification.cde.brusnika.ru
|
||||
- exact: https://document-link.cde.brusnika.ru
|
||||
routes:
|
||||
- match:
|
||||
- port: 80
|
||||
uri:
|
||||
prefix: /
|
||||
redirect:
|
||||
scheme: https
|
||||
redirectCode: 308
|
||||
- path:
|
||||
prefix: /
|
||||
service: rabbitmq-service.workflow.svc.cluster.local
|
||||
port: 15672
|
||||
@ -0,0 +1,62 @@
|
||||
apiVersion: helm.toolkit.fluxcd.io/v2
|
||||
kind: HelmRelease
|
||||
metadata:
|
||||
name: ingressgateway
|
||||
namespace: istio-system
|
||||
spec:
|
||||
targetNamespace: ingress-nginx
|
||||
postRenderers:
|
||||
- kustomize:
|
||||
patches:
|
||||
- target:
|
||||
version: v1
|
||||
kind: Deployment
|
||||
name: istio-ingressgateway
|
||||
namespace: ingress-nginx
|
||||
patch: |-
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: istio-ingressgateway
|
||||
namespace: ingress-nginx
|
||||
spec:
|
||||
template:
|
||||
spec:
|
||||
affinity: null
|
||||
dependsOn:
|
||||
- name: istio-base
|
||||
namespace: istio-system
|
||||
- name: istiod
|
||||
namespace: istio-system
|
||||
values:
|
||||
_internal_defaults_do_not_set:
|
||||
name: istio-ingressgateway
|
||||
labels:
|
||||
app: istio-ingressgateway
|
||||
istio: ingressgateway
|
||||
replicaCount: 2
|
||||
affinity: null
|
||||
tolerations: []
|
||||
hostPorts: []
|
||||
podAnnotations:
|
||||
prometheus.io/port: "15020"
|
||||
prometheus.io/scrape: "true"
|
||||
prometheus.io/path: /stats/prometheus
|
||||
inject.istio.io/templates: gateway
|
||||
sidecar.istio.io/inject: "true"
|
||||
service:
|
||||
type: ClusterIP
|
||||
externalTrafficPolicy: ""
|
||||
ports:
|
||||
- name: status-port
|
||||
port: 15021
|
||||
protocol: TCP
|
||||
targetPort: 15021
|
||||
- name: http
|
||||
port: 80
|
||||
protocol: TCP
|
||||
targetPort: 80
|
||||
- name: https
|
||||
port: 443
|
||||
protocol: TCP
|
||||
targetPort: 443
|
||||
Loading…
Reference in New Issue
Block a user