Add template files for modifying service-provider-template repo
This commit is contained in:
parent
73fcc2ea89
commit
69fe5284bd
@ -1,3 +1,6 @@
|
||||
target_host: ""
|
||||
gpg_key_id: ""
|
||||
vault_passphrase: ""
|
||||
org_id: ""
|
||||
location_id: ""
|
||||
dns_domain: ""
|
||||
|
16
service-provider-setup/templates/control-firewalld.yml.j2
Normal file
@ -0,0 +1,16 @@
|
||||
---
|
||||
firewalld_add:
|
||||
- name: public
|
||||
interfaces:
|
||||
- enp9s0
|
||||
services:
|
||||
- http
|
||||
- https
|
||||
ports:
|
||||
- 6443/tcp
|
||||
|
||||
- name: trusted
|
||||
sources:
|
||||
- 10.42.0.0/16
|
||||
- 10.43.0.0/16
|
||||
- "{{ cluster_control_ip }}"
|
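Review bot: The public zone opens `6443/tcp` (line 65), which is the default Kubernetes API server port, so the control-plane API becomes reachable from every address on `enp9s0`, while the two `/16` ranges that appear to be the k3s pod and service CIDRs are kept in the trusted zone; if remote API access via `k8s_cluster_url` is intended, say so in a comment (`# 6443/tcp: Kubernetes API, deliberately public for remote kubectl`), otherwise move the port to the trusted zone. The interface name `enp9s0` at line 50 is the only host-specific value in an otherwise templated file; either render it from a variable (name to be chosen by the project) or add `# edit per host` above it. The same applies to `ens3` in daemon-firewalld.yml.j2.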
16
service-provider-setup/templates/daemon-firewalld.yml.j2
Normal file
@ -0,0 +1,16 @@
|
||||
---
|
||||
firewalld_add:
|
||||
- name: public
|
||||
interfaces:
|
||||
- ens3
|
||||
services:
|
||||
- http
|
||||
- https
|
||||
ports:
|
||||
- 26657/tcp
|
||||
- 26656/tcp
|
||||
- 1317/tcp
|
||||
|
||||
- name: trusted
|
||||
sources:
|
||||
- "{{ cluster_control_ip }}"
|
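Review bot: The three public ports at lines 120-126 carry no comment explaining which service each one exposes, so a later reader cannot tell whether `26657/tcp` and `1317/tcp` (which look like the Tendermint RPC and Cosmos REST defaults) are meant to be reachable from the internet or only `26656/tcp` for peer-to-peer traffic. Add one comment per entry, e.g. `# 26656/tcp: p2p (must be public)` and `# 26657/tcp: rpc, 1317/tcp: rest — confirm these need public exposure`, so the exposure decision is recorded rather than inferred. The trusted zone lists only `{{ cluster_control_ip }}`; if the daemon runs on that same address (as hosts.j2 in this commit suggests) the entry is a no-op and a comment should say which host it is meant to admit.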
12
service-provider-setup/templates/hosts.j2
Normal file
@ -0,0 +1,12 @@
|
||||
[all]
|
||||
{{ org_id }}-daemon ansible_host={{ cluster_control_ip }}
|
||||
{{ org_id }}-{{ country_id }}-cluster-control ansible_host={{ cluster_control_ip }}
|
||||
|
||||
[so]
|
||||
{{ org_id }}-daemon
|
||||
|
||||
[{{ org_id }}-{{ country_id }}]
|
||||
{{ org_id }}-{{ country_id }}-cluster-control k8s_node_type=bootstrap k8s_pod_limit=1024 k8s_external_ip={{ cluster_control_ip }}
|
||||
|
||||
[k8s:children]
|
||||
{{ org_id }}-{{ country_id }}
|
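Review bot: Both inventory hosts at lines 151 and 154 get `ansible_host={{ cluster_control_ip }}`, yet the two firewalld templates in this commit expect different interface names (`enp9s0` vs `ens3`), which suggests separate machines; the daemon line most likely needs its own address variable, e.g. `{{ org_id }}-daemon ansible_host={{ daemon_ip }}` (variable name to be chosen), or a comment stating that both roles are co-located on purpose. If the first hunk of this commit is the vars file that feeds these templates, note that it defines `location_id` while every template here uses `country_id`, and that `cluster_control_ip` and `support_email` do not appear there either, so rendering would fail on undefined variables.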
55
service-provider-setup/templates/k8s.yml.j2
Normal file
@ -0,0 +1,55 @@
|
||||
---
|
||||
# default context is used for stack orchestrator deployments, for testing a custom context name can be usefull
|
||||
#k8s_cluster_name: "{{ org_id }}-{{ country_id }}-cluster"
|
||||
k8s_cluster_name: default
|
||||
k8s_cluster_url: "{{ org_id }}-{{ country_id }}-cluster-control.{{ dns_domain }}.com"
|
||||
k8s_taint_servers: false
|
||||
|
||||
k8s_acme_email: "{{ support_email }}"
|
||||
|
||||
# k3s bundles traefik as the default ingress controller, we will disable it and use nginx instead
|
||||
k8s_disable:
|
||||
- traefik
|
||||
|
||||
# secrets can be stored in a file or as a template, the template secrets gets dynamically base64 encoded while file based secrets must be encoded by hand
|
||||
k8s_secrets:
|
||||
- name: digitalocean-dns
|
||||
type: file
|
||||
source: secret-digitalocean-dns.yaml
|
||||
|
||||
k8s_manifests:
|
||||
# ingress controller, replaces traefik which is explicitly disabled
|
||||
- name: ingress-nginx
|
||||
type: url
|
||||
source: https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.10.1/deploy/static/provider/cloud/deploy.yaml
|
||||
|
||||
# cert-manager, required for letsencrypt
|
||||
- name: cert-manager
|
||||
type: url
|
||||
source: https://github.com/cert-manager/cert-manager/releases/download/v1.15.1/cert-manager.yaml
|
||||
|
||||
# issuer for basic http certs
|
||||
- name: letsencrypt-prod
|
||||
type: template
|
||||
source: shared/clusterissuer-acme.yaml
|
||||
server: https://acme-v02.api.letsencrypt.org/directory
|
||||
solvers:
|
||||
- type: http
|
||||
ingress: nginx
|
||||
|
||||
# issuer for wildcard dns certs
|
||||
- name: letsencrypt-prod-wild
|
||||
type: template
|
||||
source: shared/clusterissuer-acme.yaml
|
||||
server: https://acme-v02.api.letsencrypt.org/directory
|
||||
solvers:
|
||||
- type: dns
|
||||
provider: digitalocean
|
||||
tokenref: tokenSecretRef
|
||||
secret_name: digitalocean-dns
|
||||
secret_key: access-token
|
||||
|
||||
# initiate wildcard cert
|
||||
- name: "pwa.{{ dns_domain }}.com"
|
||||
type: file
|
||||
source: "wildcard-pwa-{{ dns_domain }}.yaml"
|
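Review bot: The ingress-nginx and cert-manager manifests at lines 254 and 268 are fetched from remote URLs at deploy time with only a version tag in the path, so the cluster applies whatever those URLs serve when the play runs; unless the consuming role already verifies a digest, record the expected checksum next to each entry (e.g. a `# sha256: <expected digest>` comment, to be filled in) or vendor the files alongside `shared/clusterissuer-acme.yaml`. The `k8s_secrets` entry at line 231 points at a hand-encoded `secret-digitalocean-dns.yaml` that holds a DNS API token; the header comment at line 225 should add that base64 is not encryption and that the file is expected to live vault-encrypted (the first hunk appears to introduce a `vault_passphrase` for this). Minor: `usefull` at line 192 should read `useful`, and that comment line exceeds the usual 120-column limit.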
21
service-provider-setup/templates/nginx.yml.j2
Normal file
@ -0,0 +1,21 @@
|
||||
---
|
||||
nginx_packages_intall: false
|
||||
nginx_server_name_hash: 64
|
||||
nginx_proxy_read_timeout: 1200
|
||||
nginx_proxy_send_timeout: 1200
|
||||
nginx_proxy_connection_timeout: 75
|
||||
|
||||
nginx_sites:
|
||||
- name: "{{ org_id }}-console"
|
||||
url: "{{ org_id }}-console.{{ dns_domain }}.com"
|
||||
upstream: http://localhost:8080
|
||||
template: basic-proxy
|
||||
ssl: true
|
||||
|
||||
- name: "{{ org_id }}-daemon"
|
||||
url: "{{ org_id }}-daemon.{{ dns_domain }}.com"
|
||||
upstream: http://localhost:9473
|
||||
configs:
|
||||
- rewrite "^/deployer(/.*)? https://webapp-deployer.pwa.{{domain}}.com" permanent
|
||||
template: websocket-proxy
|
||||
ssl: true
|
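Review bot: The rewrite at line 406 references `{{domain}}`, a variable no other template in this commit uses (the rest use `dns_domain`), so rendering either fails on an undefined variable or produces an empty hostname; it should read `{{ dns_domain }}`. The regex and the replacement URL are also wrapped in a single pair of quotes, so nginx receives one argument plus the `permanent` flag instead of the three the directive expects; close the quotes after the pattern: `- rewrite "^/deployer(/.*)?" https://webapp-deployer.pwa.{{ dns_domain }}.com permanent`. The captured path group is never reused in the replacement, so `/deployer/foo` is redirected to the bare host — add `$1` or a comment saying the drop is intentional. `nginx_packages_intall` at line 357 is most likely a typo for `nginx_packages_install`; if the role reads the latter, this key is silently ignored and the role default applies.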
15
service-provider-setup/templates/wildcard-pwa-example.yml.j2
Normal file
@ -0,0 +1,15 @@
|
||||
apiVersion: cert-manager.io/v1
|
||||
kind: Certificate
|
||||
metadata:
|
||||
name: "pwa.{{ dns_domain }}.com"
|
||||
namespace: default
|
||||
spec:
|
||||
secretName: "pwa.{{ dns_domain }}.com"
|
||||
issuerRef:
|
||||
name: letsencrypt-prod-wild
|
||||
kind: ClusterIssuer
|
||||
group: cert-manager.io
|
||||
commonName: "*.pwa.{{ dns_domain }}.com"
|
||||
dnsNames:
|
||||
- "pwa.{{ dns_domain }}.com"
|
||||
- "*.pwa.{{ dns_domain }}.com"
|
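Review bot: This template is named `wildcard-pwa-example.yml.j2`, but the `k8s_manifests` entry in k8s.yml.j2 (line 343) expects a file called `wildcard-pwa-{{ dns_domain }}.yaml` — a different stem and a different extension — so the Certificate will not be found unless someone copies and renames this file by hand, and nothing in the file says so. Add a header comment such as `# Example only: copy to wildcard-pwa-<dns_domain>.yaml (referenced from k8s.yml.j2) before running the play.` using the project's actual naming. Because the manifest carries no comments at all, a one-liner on `issuerRef` noting that `letsencrypt-prod-wild` must match the ClusterIssuer defined in k8s.yml.j2 would also help the next maintainer.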